ProteusElite:HowTo. 2011 Proteus Networks Proteus Elite:HowTo Page 1




Setting up an Out-of-Band Management Network on an SRX

In this guide I describe one of the many methods of creating an out-of-band management network for the SRX Series Services Gateways.

Background

In NetScreen implementations there was no issue with the security policy logs and syslog traffic: both could be sent to the same destination from the same port on the firewall. In the SRX Branch Office devices this remains the same. For the SRX data center devices a different management network must be created. The reason lies in the way traffic is handled in the high-end SRX devices. In these devices the sessions are handled by the line card processors, and the logs for that traffic are, by default, never seen by the Routing Engine (RE). In normal operation, syslog traffic for alarms and other management traffic is generated by the RE and sent to the syslog server(s) identified in the system syslog stanza. The security log traffic on the high-end SRXs is handled by the security log stanza. This means that the RE traffic port (syslog traffic) and a revenue port (security log traffic) both have to be assigned to the management network. This of course causes problems, because two interfaces on a router (SRX) cannot be in the same subnet. There are a number of options that can be implemented to solve this dilemma.

Option 1: Send security log traffic to the RE

By changing the mode of the security log traffic from stream to event (set security log mode event), the RE receives these logs as an eventd message and forwards them to the syslog server(s) as defined. The upside of this option is that dual interfaces and dual syslog stanzas are avoided. The downside is that the RE can quickly become overburdened with the traffic. JTAC warns that if this implementation is used the SRX should not support the J-Web GUI, multiple dynamic routing protocols, or dynamic routing protocols with multiple areas. This warning should be enough to make you pause and think of other options.
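Whichever option is chosen, the collector ends up receiving two kinds of traffic from two source addresses: Routing Engine syslog from fxp0 and security logs from the revenue port (or, with Option 1, from fxp0 as well). The following collector-side check is an added example written for this HowTo, not code from the original; it models received records as (sender address, message) pairs, uses the article's addresses (fxp0 at 10.1.1.3, security log interface at 10.1.1.2), and the sample messages are constructed rather than captured. The RT_FLOW/RT_SCREEN prefix list is an assumption to extend for other log categories.

```python
"""Collector-side health check for the two SRX logging paths.

Added example for this HowTo, not part of it. A syslog receiver knows the
sender address of every datagram; records are modelled here as
(sender_ip, message) pairs. Addresses follow the article: fxp0 sends the
Routing Engine's system syslog from 10.1.1.3, the revenue port ge-1/1/2
sends the PFE security log stream from 10.1.1.2. The sample messages
below are constructed, not captured."""

RE_ADDR = "10.1.1.3"       # fxp0: system syslog stanza, generated by the RE
SECLOG_ADDR = "10.1.1.2"   # ge-1/1/2: security log stanza, stream mode

# Prefixes of SRX security log messages (RT_FLOW session logs, RT_SCREEN
# screen logs). Assumption: extend the tuple for other log categories.
SECURITY_PREFIXES = ("RT_FLOW", "RT_SCREEN")


def is_security_log(msg):
    """True when the message is a security log rather than system syslog."""
    return any(p in msg for p in SECURITY_PREFIXES)


def classify(records):
    """Count messages by the path they actually took."""
    counts = {"re_syslog": 0, "seclog_stream": 0, "seclog_via_re": 0,
              "syslog_from_seclog_port": 0, "unknown_sender": 0}
    for sender, msg in records:
        sec = is_security_log(msg)
        if sender == SECLOG_ADDR:
            counts["seclog_stream" if sec else "syslog_from_seclog_port"] += 1
        elif sender == RE_ADDR:
            counts["seclog_via_re" if sec else "re_syslog"] += 1
        else:
            counts["unknown_sender"] += 1
    return counts


def findings(records):
    """Problems in the received traffic, as human-readable strings."""
    c = classify(records)
    out = []
    if c["seclog_stream"] + c["seclog_via_re"] == 0:
        out.append("no security logs received: check the security log "
                   "stream and its interface")
    if c["seclog_via_re"]:
        out.append("security logs arrive from fxp0: log mode is event "
                   "(Option 1), so the RE carries the load")
    if c["re_syslog"] == 0:
        out.append("no Routing Engine syslog received: check fxp0 and the "
                   "system syslog stanza")
    if c["syslog_from_seclog_port"]:
        out.append("system syslog arriving from the security log interface")
    if c["unknown_sender"]:
        out.append(f"{c['unknown_sender']} message(s) from senders outside "
                   "the OOB design")
    return out


# Constructed samples: the healthy Option 2/3 design, the Option 1 event-mode
# design, and a device whose security log stream has stopped.
HEALTHY = [
    (RE_ADDR, "srx-dc1 mgd[4321]: UI_COMMIT: User 'admin' requested "
              "'commit' operation"),
    (RE_ADDR, "srx-dc1 sshd[2222]: Accepted password for admin from 10.1.1.50"),
    (SECLOG_ADDR, "srx-dc1 RT_FLOW: RT_FLOW_SESSION_CREATE: session created "
                  "10.0.0.5/40000->192.0.2.7/443 junos-https"),
]
EVENT_MODE = [
    HEALTHY[0],
    (RE_ADDR, "srx-dc1 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed "
              "10.0.0.5/40000->192.0.2.7/443 junos-https"),
]
STREAM_DOWN = [HEALTHY[0], HEALTHY[1]]

if __name__ == "__main__":
    for name, sample in (("healthy", HEALTHY), ("event mode", EVENT_MODE),
                         ("stream down", STREAM_DOWN)):
        print(name, classify(sample), findings(sample) or "OK")
```

Run periodically over the last few minutes of received records, the "no security logs received" finding is the one that matters most on a high-end SRX: because the PFE stream never touches the RE, a broken revenue port or stream stanza produces no alarm on the device itself, only silence at the collector.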
Option 2: Create a separate virtual router for security log traffic

By creating a virtual router and installing the security log traffic interface in that router, the address conflict can be resolved. The source-address setting in the security log stanza identifies the interface in the virtual router, and a static route in the inet.0 table points to the virtual router. The upside of this approach is that it allows traffic to be sent to the same subnet for both RE syslog messages and PFE security log messages. The downside is that it adds complexity to the configuration and could cause a routing loop if return traffic intended for the fxp0 interface is sent to the VR interface. This option is explored in detail below.

Option 3: Separate the logging servers and management servers on different subnets

In this approach the duplicate address problem is solved by using different subnets for the different functions of the out-of-band network. In the SRX, the syslog server and the security log server can be the same box, but the subnet of the fxp0 port is different from the subnet of the security log port. The upside is that all default settings are used on the SRX. The downside is that a network design is being forced on the customer by the capabilities of the SRX. This option is explored in detail below.

Procedure: Option 2

In this approach we create a virtual router and house the security log port on that virtual router. This allows both interfaces to be members of the same network without creating a routing problem in the SRX. The following configuration steps can be used for this approach. In this example the syslog server and the security log server are on the same device.

1. Create a virtual router for the security log interface.

    routing-instances {
        VR_mgt {
            instance-type virtual-router;   ## required for a virtual router
            interface ge-1/1/2.0;
            routing-options {
                static {
                    route 0.0.0.0/0 next-hop 10.1.1.1;   ## gateway of the management network
                }
            }
        }
    }

Figure 1: Virtual Router Configuration

2. Create a normal fxp0 interface and a syslog stanza pointing to a syslog server (10.1.1.10).

    interfaces {
        fxp0 {
            unit 0 {
                family inet {
                    address 10.1.1.3/24;
                }
            }
        }
    }
    system {
        syslog {
            user * {
                any emergency;
            }
            host 10.1.1.10 {
                any any;
            }
        }
    }

Figure 2: SYSLOG Stanza

3. Create the security log interface and a security log stanza pointing to the VR_mgt interface.

    interfaces {
        ge-1/1/2 {
            speed 1g;
            link-mode full-duplex;
            description "Security log Interface";
            unit 0 {
                family inet {
                    address 10.1.1.2/24 {
                        primary;
                    }
                }
            }
        }
    }
    security {
        zones {
            security-zone manage_syslog {
                interfaces {
                    ge-1/1/2.0;
                }
            }
        }
        log {
            source-address 10.1.1.2;
            stream Security_log {
                severity info;
                category all;
                host {
                    10.1.1.10;
                }
            }
        }
    }

Figure 3: Security and Interface Configuration

Figure 4: Reference Diagram

Procedure: Option 3

In this approach we create a second management subnet that is used for security log traffic. The security log server is located on this subnet, while the syslog server and other management services (NSM) are located on the normal management network. The following configuration steps can be used for this approach.

1. Create a normal fxp0 interface and a syslog stanza pointing to a syslog server (10.1.1.10).

    interfaces {
        fxp0 {
            unit 0 {
                family inet {
                    address 10.1.1.3/24;
                }
            }
        }
    }
    system {
        syslog {
            user * {
                any emergency;
            }
            host 10.1.1.10 {
                any any;
            }
        }
    }

Figure 5: SYSLOG and Interface Config

2. Create the security log interface and a security log stanza pointing to the security log server 10.2.1.10.

    interfaces {
        ge-1/1/2 {
            speed 1g;
            link-mode full-duplex;
            description "Security log Interface";
            unit 0 {
                family inet {
                    address 10.2.1.2/24 {
                        primary;
                    }
                }
            }
        }
    }
    security {
        zones {
            security-zone manage_syslog {
                interfaces {
                    ge-1/1/2.0;
                }
            }
        }
        log {
            source-address 10.2.1.2;
            stream Security_log {
                severity info;
                category all;
                host {
                    10.2.1.10;
                }
            }
        }
    }

Figure 6: Security Config

Figure 7: Option 3 Reference Diagram

Conclusion

Due to the limitations of the architecture, an out-of-band management network is a necessity for the high-end SRX devices. There are many options available for setting up the OOB network, and none are simple. This set of steps will allow you to determine which is right for your network.
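The two procedures above resolve the same constraint in different ways: Option 2 puts the overlapping interfaces in separate routing tables, Option 3 removes the overlap. The script below is an added example written for this HowTo, not code from the original; it checks a proposed design against both rules (no overlapping subnets inside one routing table, and a route from each log source address to its log server within that address's own table) using the interface names and addresses from Figures 1 to 6. The Design and Iface types and the longest-prefix lookup are this example's own, and the static route from inet.0 into the VR that Option 2 also needs is outside what it models.

```python
"""Audit an SRX out-of-band logging design.

Added example for this HowTo, not part of it. It models the two rules
behind Options 2 and 3: within one routing table no two interfaces may
share a subnet, and every log source address must have a route to its log
server in its own table. Interface names and addresses are the article's;
the Design/Iface types and the route lookup are this example's own."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Iface:
    name: str                  # logical interface, e.g. "ge-1/1/2.0"
    address: str               # address with prefix length, "10.1.1.2/24"
    instance: str = "inet.0"   # routing table: inet.0 or a routing instance


@dataclass
class Design:
    interfaces: list
    statics: dict = field(default_factory=dict)    # {table: [(prefix, next_hop)]}
    log_paths: list = field(default_factory=list)  # [(source_address, log_server)]


def subnet_conflicts(design):
    """(table, iface_a, iface_b) for interfaces in one table with overlapping subnets."""
    conflicts = []
    ifs = design.interfaces
    for i, a in enumerate(ifs):
        for b in ifs[i + 1:]:
            if a.instance != b.instance:
                continue   # separate tables: overlap is allowed (Option 2)
            na = ipaddress.ip_interface(a.address).network
            nb = ipaddress.ip_interface(b.address).network
            if na.overlaps(nb):
                conflicts.append((a.instance, a.name, b.name))
    return conflicts


def table_of(design, source):
    """Routing table that owns the interface carrying a log source address."""
    src = ipaddress.ip_address(source)
    for i in design.interfaces:
        if ipaddress.ip_interface(i.address).ip == src:
            return i.instance
    raise ValueError(f"{source} is not configured on any interface")


def lookup(design, table, dst):
    """Longest-prefix match over one table's connected and static routes.
    Returns the winning prefix as a string, or None if nothing matches."""
    dst = ipaddress.ip_address(dst)
    routes = [ipaddress.ip_interface(i.address).network
              for i in design.interfaces if i.instance == table]
    routes += [ipaddress.ip_network(p) for p, _nh in design.statics.get(table, [])]
    best = max((r for r in routes if dst in r), key=lambda r: r.prefixlen, default=None)
    return str(best) if best is not None else None


def audit(design):
    """All problems found in the design, as strings (empty list = clean)."""
    problems = [f"{t}: {a} and {b} share a subnet"
                for t, a, b in subnet_conflicts(design)]
    for src, server in design.log_paths:
        table = table_of(design, src)
        if lookup(design, table, server) is None:
            problems.append(f"{table}: no route from {src} to log server {server}")
    return problems


# The naive design from the Background: both ports in inet.0 on 10.1.1.0/24.
NAIVE = Design(
    interfaces=[Iface("fxp0.0", "10.1.1.3/24"), Iface("ge-1/1/2.0", "10.1.1.2/24")],
    log_paths=[("10.1.1.3", "10.1.1.10"), ("10.1.1.2", "10.1.1.10")])

# Option 2: ge-1/1/2.0 lives in routing instance VR_mgt with its own default
# route to the management gateway 10.1.1.1 (Figure 1).
OPTION2 = Design(
    interfaces=[Iface("fxp0.0", "10.1.1.3/24"),
                Iface("ge-1/1/2.0", "10.1.1.2/24", "VR_mgt")],
    statics={"VR_mgt": [("0.0.0.0/0", "10.1.1.1")]},
    log_paths=[("10.1.1.3", "10.1.1.10"), ("10.1.1.2", "10.1.1.10")])

# Option 3: the security log port and server move to 10.2.1.0/24 (Figure 6).
OPTION3 = Design(
    interfaces=[Iface("fxp0.0", "10.1.1.3/24"), Iface("ge-1/1/2.0", "10.2.1.2/24")],
    log_paths=[("10.1.1.3", "10.1.1.10"), ("10.2.1.2", "10.2.1.10")])

if __name__ == "__main__":
    for name, d in (("naive", NAIVE), ("option 2", OPTION2), ("option 3", OPTION3)):
        print(name, audit(d) or "OK")
```

The naive design fails on the subnet rule, which is exactly the dilemma described in the Background; Option 2 passes because the overlap is now between two tables, and Option 3 passes because there is no overlap at all. The route check is what catches the common Option 2 mistake of forgetting the default route inside VR_mgt when the log server sits beyond the management gateway.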