Quick Series 19 – SRX APPSECURE_SUITE – APPTRACK


Hi,

In my previous post I covered installation of the AppSecure applications and license. This post covers APP_TRACK, the tracker!

For installation of AppSecure on vSRX, follow the URL below:

https://r2079.wordpress.com/2015/09/16/appsecure-suite-installing-license-evaluation-version-on-vsrx-firefly/

What is APP_TRACK? As the name suggests, it tracks the applications seen in a security zone, i.e. what type of application traffic is traversing the SRX.

By knowing which sort of traffic traverses the firewall, we can analyze it and block whatever is not needed.

Topology

topology_png

I have a syslog server running on a Raspberry Pi and an Apple iPad trying to reach the internet.

First, let's see what the syslog messages look like without any application tracking.

1_without_any_appsecure

Let us enable AppTrack for the security zone internet. Remember that you also have to enable first-update if you want to see the session-start (SESSION_INIT) messages; without it you only see SESSION_CLOSE messages.

2_enabling_track

Out of the many types of traffic, let us see whether we have any hits for Facebook and Apple.

3_matching_facebookandapple

Finally, the AppTrack statistics counters:

3.5_counters
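The screenshots above hold the actual configuration; as an added example that is not taken from the original post, here is a reconstruction of the AppTrack setup described in the steps above. The zone name internet is the post's; the syslog host 172.20.101.5 (the Raspberry Pi), the SRX source address 172.20.101.1 and the stream name are assumptions.

```junos
## Added example, not the post's own config. Assumed: syslog server 172.20.101.5,
## SRX LAN address 172.20.101.1, stream name apptrack-to-pi.

## Track applications for sessions entering through the "internet" zone.
set security zones security-zone internet application-tracking

## Without first-update only the close (and periodic volume-update) messages are
## logged. first-update adds a message when the session is created.
set security application-tracking first-update

## Minutes between volume-update messages for long-lived sessions (default 5).
set security application-tracking session-update-interval 5

## Stream security logs (AppTrack included) straight from the data plane to the
## syslog server in structured-data format. In the default "event" mode the logs
## go via the routing engine and need "set system syslog host ... any any" instead.
set security log mode stream
set security log format sd-syslog
set security log source-address 172.20.101.1
set security log stream apptrack-to-pi host 172.20.101.5

## Verification from configuration mode after commit
run show security application-tracking counters
```

The first-update knob is what produces the session-start messages the post refers to; without it, the first thing the syslog server sees for a short session is its close record, which is too late to act on in real time.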

Now that we know what sort of traffic is going through the firewall, we will block it in the next post with the application firewall (AppFW).

Regards

Rakesh M

Quick Series 12 – SOURCE-NAT – POOL-BASED NAT with Address-shifting


Hi,

This is the 12th post in the Quick Series. It covers SRX source NAT using a pool, with address shifting enabled for that pool.

Requirement:

All LAN traffic (172.20.101.0/24) going to the other-end router 11.0.0.2 should be NATed to the pool 11.0.0.16/28, and the pool must use address shifting relative to the end-host IP.

https://www.juniper.net/documentation/en_US/junos12.2/topics/concept/nat-security-source-pool-address-shifting-understanding.html

Topology

1_topology

Interface Config and policies

3_secpolicies

Nat configuration and other details

2_natconfig

Verification

4_verification

I enabled shifting from 172.20.101.0/24 for the pool starting at 11.0.0.16/28, so 172.20.101.10 has correspondingly been assigned 11.0.0.26 (the tenth address after 11.0.0.16). Note that a /28 pool holds only 16 addresses, so only hosts 172.20.101.0 to 172.20.101.15 have a shifted address; hosts beyond that cannot be translated by this pool.

5_verification

Regards

Rakesh M

Quick Series 10 – SOURCE-NAT – POOL-BASED NAT with NO-PORT-OVERLOAD / NO-PAT


Hi,

This is the 10th post in the Quick Series. It covers SRX source NAT using a pool while making sure the pool does not do PAT, since pool-based NAT does PAT (port overloading) by default.

Requirement

All LAN traffic (172.20.101.0/24) going to the other-end router 11.0.0.2 should be NATed to the pool 11.0.0.16/28, and the pool must not be overloaded.

Topology

1_topology

Initial Config of interfaces and policies

1_srx_zoneandintf

Nat-config

2_policy_and_natconfig

Final verification

final_verify

As we can see, this pool is not configured for overloading. With PAT disabled, the 16 addresses in the /28 can serve at most 16 hosts concurrently.

Regards

Rakesh M

Quick Series 9 – SOURCE-NAT – POOL-BASED NAT & Address-Persistence


Hi,

This is the 9th post in the Quick Series. It covers SRX source NAT using a pool with address persistence.

Requirement

All LAN traffic (172.20.101.0/24) going to the other-end router 11.0.0.2 should be NATed to the 11.0.0.16/28 pool, and each host must get the same translated address for all of its concurrent sessions.

address-persistence – https://www.juniper.net/techpubs/software/junos-es/junos-es93/junos-es-swcmdref/address-persistent.html

Topology

1_topology

First let us review what happens without address persistence. Below is the initial zone and interface config.

srx_config_1

srx_1.5_verification_without_per

Now let's enable address persistence.

srx_config_2

Verification now:

srx_3_verification

This is now maintaining the same session IP. I should have also taken an address-persistence table output but overlooked it.

Regards

Rakesh M

Quick Series 8 – SOURCE-NAT – POOL-BASED NAT


Hi,

This is the 8th post in the Quick Series. It covers SRX source NAT using a pool.

Requirement

All LAN traffic (172.20.101.0/24) going to the other-end router 11.0.0.2 should be NATed to the 11.0.0.16/28 pool.

Topology

1_topology

SRX zone and interface config

srx_zone and interfaceconfig

SRX NAT config

srx_2_policy_nat_config

Final Verification

srx_3_verification
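The four pool-based NAT posts above (Quick Series 8, 9, 10 and 12) differ only in the pool options, so one reconstruction serves them all. This is an added example and not the configuration from the screenshots: the LAN prefix 172.20.101.0/24, the remote router 11.0.0.2 and the pool 11.0.0.16/28 are from the posts; the zone names trust/untrust, interfaces ge-0/0/0 and ge-0/0/1, the WAN address 11.0.0.1/24 and the pool, rule-set and policy names are assumptions.

```junos
## Added example, not the posts' own config. Assumed: LAN on ge-0/0/0 (172.20.101.1/24),
## WAN on ge-0/0/1 (11.0.0.1/24), zones trust/untrust, names LAN-POOL, LAN-TO-WAN, LAN-OUT.

## Interfaces, zones and a permit policy (the NAT rule alone does not allow traffic)
set interfaces ge-0/0/0 unit 0 family inet address 172.20.101.1/24
set interfaces ge-0/0/1 unit 0 family inet address 11.0.0.1/24
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/1.0
set security policies from-zone trust to-zone untrust policy LAN-OUT match source-address any
set security policies from-zone trust to-zone untrust policy LAN-OUT match destination-address any
set security policies from-zone trust to-zone untrust policy LAN-OUT match application any
set security policies from-zone trust to-zone untrust policy LAN-OUT then permit

## Quick Series 8: the pool and the rule that uses it. A plain pool does PAT
## (port overloading), so 16 addresses can front many more than 16 hosts.
set security nat source pool LAN-POOL address 11.0.0.16/28
set security nat source rule-set LAN-TO-WAN from zone trust
set security nat source rule-set LAN-TO-WAN to zone untrust
set security nat source rule-set LAN-TO-WAN rule R1 match source-address 172.20.101.0/24
set security nat source rule-set LAN-TO-WAN rule R1 match destination-address 11.0.0.2/32
set security nat source rule-set LAN-TO-WAN rule R1 then source-nat pool LAN-POOL

## The pool lies inside the assumed WAN subnet, so the SRX must answer ARP for it or
## 11.0.0.2 cannot send return traffic to the translated addresses. If the WAN link is
## a /30 instead, give 11.0.0.2 a route for 11.0.0.16/28 via the SRX rather than proxy ARP.
set security nat proxy-arp interface ge-0/0/1.0 address 11.0.0.16/28

## Quick Series 9: each host keeps one translated address across all of its concurrent
## sessions. This is a global setting, not a per-pool one.
set security nat source address-persistent

## Quick Series 10: disable PAT on the pool (one-to-one, source ports preserved).
## A /28 then serves at most 16 hosts at once; the optional overflow-pool line lets
## excess hosts fall back to the egress interface address with PAT instead of failing.
set security nat source pool LAN-POOL port no-translation
set security nat source pool LAN-POOL overflow-pool interface

## Quick Series 12: address shifting. host-address-base pins the first LAN address to
## the first pool address, so 172.20.101.N maps to 11.0.0.(16+N): 172.20.101.10 -> 11.0.0.26.
## Only 172.20.101.0-15 get an address. Shifting is one-to-one by nature, so use it
## INSTEAD of the Quick Series 10 lines above, not in addition to them.
set security nat source pool LAN-POOL host-address-base 172.20.101.0/32

## Verification from configuration mode after commit
run show security nat source pool LAN-POOL
run show security nat source rule all
run show security flow session destination-prefix 11.0.0.2/32
```

Apply the base block plus one of the three variants at a time, then compare the translated source in the flow session output: with plain PAT the port changes and the address may differ per session, with address-persistent the address is stable per host, with no-translation both address and port are preserved, and with shifting the translated address is predictable from the host's last octet.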

Regards

Rakesh M
