SRX UTM: Antivirus - Sophos

Here is a quick overview of getting Sophos AV working on an SRX

Sophos is a cloud-based solution and so needs an active Internet connection to work. This means the AV database is not stored locally on the SRX as it is with Kaspersky. Instead, the SRX sends DNS queries to the Sophos cloud to perform AV lookups. We'll see later how these work.

Sophos can also perform URI content checking over HTTP to detect malware. This is essentially a reputation check and can be disabled if you wish.

The Sophos solution should put less load on the SRX, processor and memory wise, because it does not have to download a giant AV database and run checks against it. It does, however, cache lookup responses to improve performance.

SRX VPN: Checkpoint to SRX Site-to-Site Policy Based.

Today we are going to take a look at a site to site VPN between a Checkpoint and an SRX.

We will focus more on configuration and testing rather than VPN theory, as the Internet is full of great resources in that respect. No NAT in this one either, to keep it simpler and focused on the VPN side of things. We will do a separate blog post for VPN troubleshooting.


Here is a layer 3 view of the network we will be using..


SRX UTM: Antivirus - Kaspersky Full


Today we are going to take a little look at Antivirus on the SRX and test it to make sure it's actually working.

There are currently 3 Antivirus solutions for the SRX, each of which requires a different license to activate:
* Kaspersky
* Sophos
* Juniper Express

Briefly, some differences between the 3 options are:
Kaspersky
* Full file-based AV
* Local signature database lookups. AV signatures are downloaded as a package.
* Largest CPU performance impact
* Supports Intelligent Prescreening

Sophos
* Cloud-based signature database, which therefore requires...
* Constant Internet access for AV lookups.
* Moderate CPU performance impact
* No Prescreening

Juniper Express
* Less protection than the other 2 options
* Only protects against critical threats. Uses a modified Kaspersky database.
* Does not reconstruct content prior to scanning
* Pattern-matching based solution. No heuristics.
* No protection against polymorphic or metamorphic viruses
* Supports Intelligent Prescreening
* Least CPU performance impact and highest throughput.

SRX Trunk

After the epic that was STP, just a quickie today on a couple of points I recently came across when setting up a trunk between a Cisco switch and an SRX.

The trunk will carry VLANs 1, 5 and 8. VLAN 1 is the native VLAN on the Cisco side.

The Cisco side setup.. 


SRX STP

In smaller sites, when rolling out low-end SRXs, it's not uncommon for them to be connected to Cisco switches that may be running multiple VLANs.

How can we connect our SRXs to Cisco switches without stuffing up spanning tree on the core Cisco switch, while still preventing loops? Let's see what happens when we approach that situation from a spanning tree (STP) perspective.

SRX UTM: Enhanced Web Filtering - Redirect

Hi Folks,

I was recently asked, regarding Enhanced Web Filtering...

Is there any way to remove the "CATEGORY: Enhanced_Social_Networking_and_Personal_Sites REASON:BY_PRE_DEFINED" message?

And by the way, to the person who posted that: your email shows up to me as noreply-comment@blogger.com, so it doesn't show on the blog as a comment and I can't reply. Google "noreply-comment@blogger.com" and you will find out how to fix it.

Anyway, the answer is yes! There is a way to solve the issue.
We will test 3 scenarios while trying to access Playboy.

SRX APPLICATION FIREWALL

Today we will look at running an Application Firewall (AppFW) on the SRX. 

This is different to normal firewalling in that we are not filtering based on TCP/UDP ports, but instead on application signatures that can detect applications whether or not they are running on the standard ports expected. Further, even when applications are running on their standard ports, the signatures let us detect and block access to specific services without having to block all access to a certain IP on a certain port. E.g. we could block access to Facebook Farmville without having to know the IP addresses of Facebook or having to block all of Facebook. I will try and show some examples of this functionality.


SRX ADSL - NZ

I recently installed an SRX in NZ, so I thought I'd put up here the working ADSL config for our cousins across the pond...

Telecom NZ - PPPOA

at-1/0/0 {
        mtu 1540;
        encapsulation atm-pvc;
        atm-options {
            vpi 0;
        }
        dsl-options {
            operating-mode auto;
        }
        unit 0 {
            encapsulation atm-ppp-vc-mux;
            vci 0.100;
            ppp-options {
                pap {
                    default-password "!9$uQQhy76fg543es8XYoZGq.P5QF9A"; ## SECRET-DATA
                    local-name "whoareu.xadsl@xtra.co.nz";
                    local-password "%9$q.Qnkn8765sgvq8LVbs24aDi"; ## SECRET-DATA
                    passive;
                }
            }
            family inet {
                negotiate-address;
            }
        }
    }

routing-options {
    static {
        route 0.0.0.0/0 next-hop at-1/0/0.0;


SRX GLOBAL ADDRESS BOOK

Let's have a look today at the issue of using the WebUI with the Global address book.

When I say Global address book, I mean creating addresses on the SRX in this way...

root# set security address-book ?
Possible completions:
  <book-name>          Address book name
  global               Default global address book name


Example of address with the Global Address book..


security {
    address-book {
        global {
            address aaaa 1.1.1.1/32;
            address bbbb 2.2.2.2/32;
        }
    }


These Global addresses form a common address pool that is available for use in any zone, as opposed to the old way of creating separate address books under each zone.

JUNOS ANNOTATE

A great way to add your own comments to any part of a Junos config.

Let's say we have this DHCP config...


services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            http {
                interface vlan.7;
            }
            https {
                system-generated-certificate;
                interface vlan.7;
            }
        }
        dhcp {
            pool 10.1.1.0/24 {
                address-range low 10.1.1.101 high 10.1.1.254;
                default-lease-time 86400;
                domain-name company.com;
                router {
                    10.1.1.1;
                }
            }


And we wish to place some kind of comment on the DHCP pool, as there is no description statement associated with DHCP.