SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Transparent proxy

    Posted 03-10-2023 15:16
    Edited by Roberto 03-13-2023 04:47

    Hi, I'm trying to set up a transparent proxy on SRX 3xx.

    The client should be able to connect to the Internet knowing nothing about the proxy.

    It seems like secure web proxy may help me to achieve the goal, so I'm setting it up according to the linked article. The problem is that proxy configuration seems to be completely ignored.

    I'm trying to check how proxy works with the following command on the client:

    wget -v https://www.google.com

    On SRX I see that the traffic goes through the policy that applies web-proxy profile to the traffic - P-TO-ANY-PROXY-TEST. Except it applies nothing and goes directly to the Internet:

    # run show security flow session source-prefix 10.249.110.101
    Session ID: 46178, Policy name: P-TO-ANY-PROXY-TEST/200, HA State: Stand-alone, Timeout: 2, Valid
      In: 10.249.110.101/46526 --> 142.250.185.196/443;tcp, Conn Tag: 0x0, If: irb.110, Pkts: 17, Bytes: 1652,
      Out: 142.250.185.196/443 --> EXTERNAL-IP/1673;tcp, Conn Tag: 0x0, If: ge-0/0/6.0, Pkts: 24, Bytes: 21405,

    Any ideas what I am doing wrong? I'm not familiar with the NGFW functionality, and it seems secure-proxy is part of it, so maybe I'm doing something completely wrong.

    My config looks like this (SNAT rules are omitted):

    security {
        policies {
            from-zone ZONE-LAN-1 to-zone ZONE-INET {
                policy P-TO-ANY-PROXY-TEST {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit {
                            application-services {
                                web-proxy {
                                    profile-name WP-SP-PROF-PROXY;
                                }
                            }
                        }
                    }
                }
            }
            global {
                /* Global policies permitting ZONE-LAN-1<->ZONE-LAN-2 and ZONE-LAN-2->ZONE-INET traffic */
            }
            default-policy {
                deny-all;
            }
        }
        zones {
            security-zone ZONE-INET {
                screen untrust-screen;
                host-inbound-traffic {
                    system-services {
                        ping;
                    }
                }
                interfaces {
                    ge-0/0/6.0;
                }
            }
            security-zone ZONE-LAN-1 {
                host-inbound-traffic {
                    system-services {
                        ping;
                    }
                }
                interfaces {
                    irb.110;
                }
            }
            security-zone ZONE-LAN-2 {
                host-inbound-traffic {
                    system-services {
                        ping;
                    }
                }
                interfaces {
                    irb.120;
                }
            }
        }
    }
    services {
        /* Setting up no dynamic-web-application(-group) since I don't need any exclusions */
        web-proxy {
            secure-proxy {
                profile WP-SP-PROF-PROXY {
                    proxy-address WP-SP-PROXY {
                        ip 10.249.120.10/32;
                        port 3128;
                    }
                }
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family ethernet-switching {
                    interface-mode trunk;
                    vlan {
                        members [ VLAN-1 VLAN-2 ];
                    }
                }
            }
        }
        ge-0/0/6 {
            unit 0 {
                family inet {
                    address EXTERNAL-IP/24;
                }
            }
        }
        irb {
            unit 110 {
                family inet {
                    address 10.249.110.1/24;
                }
            }
            unit 120 {
                family inet {
                    address 10.249.120.1/24;
                }
            }
        }
    }
    vlans {
        VLAN-1 {
            vlan-id 110;
            l3-interface irb.110;
        }
        VLAN-2 {
            vlan-id 120;
            l3-interface irb.120;
        }
    }



    ------------------------------
    Roberto Pedrini
    ------------------------------
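As an added check (not part of the thread), a small Python parser for the `show security flow session` output above: it flags sessions hitting the web-proxy policy whose Out wing is not sourced from the proxy host:port, which is assumed here to be how a correctly redirected session looks; the extra sessions and IPs in the sample are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout of the "show security flow session" output above.
# Session 46178 is the poster's (proxy ignored); 46201 is what a redirected session is
# assumed to look like (Out wing sourced from the proxy host on 3128); 46230 is unrelated.
SAMPLE = """\
Session ID: 46178, Policy name: P-TO-ANY-PROXY-TEST/200, HA State: Stand-alone, Timeout: 2, Valid
  In: 10.249.110.101/46526 --> 142.250.185.196/443;tcp, Conn Tag: 0x0, If: irb.110, Pkts: 17, Bytes: 1652,
  Out: 142.250.185.196/443 --> 198.51.100.7/1673;tcp, Conn Tag: 0x0, If: ge-0/0/6.0, Pkts: 24, Bytes: 21405,
Session ID: 46201, Policy name: P-TO-ANY-PROXY-TEST/200, HA State: Stand-alone, Timeout: 1800, Valid
  In: 10.249.110.102/51000 --> 142.250.185.196/443;tcp, Conn Tag: 0x0, If: irb.110, Pkts: 9, Bytes: 880,
  Out: 10.249.120.10/3128 --> 10.249.110.102/51000;tcp, Conn Tag: 0x0, If: irb.120, Pkts: 8, Bytes: 2100,
Session ID: 46230, Policy name: P-LAN-TO-LAN/1, HA State: Stand-alone, Timeout: 60, Valid
  In: 10.249.110.103/40000 --> 10.249.120.10/22;tcp, Conn Tag: 0x0, If: irb.110, Pkts: 3, Bytes: 200,
  Out: 10.249.120.10/22 --> 10.249.110.103/40000;tcp, Conn Tag: 0x0, If: irb.120, Pkts: 2, Bytes: 150,
"""

SESSION_RE = re.compile(r"^Session ID:\s*(\d+),\s*Policy name:\s*([^/,]+)")
WING_RE = re.compile(r"^\s*(In|Out):\s*(\S+?)/(\d+)\s*-->\s*(\S+?)/(\d+);(\w+)")


def parse_sessions(text: str) -> List[Dict]:
    """Turn flow-session output into dicts holding id, policy and both wings."""
    sessions: List[Dict] = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions.append({"id": int(m.group(1)), "policy": m.group(2).strip()})
            continue
        w = WING_RE.match(line)
        if w and sessions:
            wing, src, sport, dst, dport, proto = w.groups()
            sessions[-1][wing.lower()] = {"src": (src, int(sport)),
                                          "dst": (dst, int(dport)), "proto": proto}
    return sessions


def unproxied_sessions(text: str, policy: str, proxy: Tuple[str, int]) -> List[int]:
    """IDs of sessions matched by the web-proxy policy whose Out wing is not sourced
    from the proxy host:port, i.e. the profile was not applied to them."""
    return [s["id"] for s in parse_sessions(text)
            if s["policy"] == policy and "out" in s and s["out"]["src"] != proxy]


if __name__ == "__main__":
    print(unproxied_sessions(SAMPLE, "P-TO-ANY-PROXY-TEST", ("10.249.120.10", 3128)))
```

Feed it the real output of `show security flow session source-prefix <client>` to spot at a glance which sessions bypassed the proxy profile.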



  • 2.  RE: Transparent proxy

    Posted 03-11-2023 12:44

    You will want to use the forward SSL proxy feature (trust to untrusted zone). Here's the UG: SSL Proxy | Junos OS | Juniper Networks



    ------------------------------
    Jamie Graham
    ------------------------------



  • 3.  RE: Transparent proxy

    Posted 03-13-2023 04:45

    Not sure if SSL proxy helps. I need HTTP sessions and maybe some other traffic types too.



    ------------------------------
    Roberto Pedrini
    ------------------------------