Showing posts with label Traceoptions. Show all posts

SRX UTM: Antivirus - Sophos

Here is a quick overview of getting Sophos AV working on an SRX.

Sophos is the cloud-based solution and so needs an active Internet connection to work. This means the AV database is not stored locally on the SRX as it is with Kaspersky. The SRX uses DNS queries to the Sophos cloud to perform AV lookups. We'll see later how these work.

Sophos can also perform URI content checking over HTTP to detect malware. This is essentially a reputation check and can be disabled if you wish.

The Sophos solution should put less load on the SRX, processor- and memory-wise, because it does not have to download a giant AV database and run checks against it, though it does cache responses to improve lookup performance.

SRX Traceoptions: Security Flow

Following on from the last post, let's quickly see how we go using tcpdump with reth interfaces:

Using the same methodology as in my last post, i.e. having separate input and output filters and applying those filters on the reth interface, I find that the SRX generates 2 files, one for the reth and one for the (I assume active) physical interface. E.g.

-rw-r--r--  1 root  wheel  1878 Apr 27 18:15 dumptest.fe-0.0.2
-rw-r--r--  1 root  wheel  1298 Apr 27 18:15 dumptest.reth0

Looking at the 2 files, we can capture what we want; however, each file only shows the traffic in one direction. So you need to look at both files to see everything that is going on. Not too handy.

At any rate, in the Junos release notes (Branch SRX) they state:
                Sampling features like J-Flow, packet capture, and port mirror on the reth interface are not supported.
And that's from 12.1! So it's not a limitation that will disappear soon, if ever.

If you're insistent and put the filters on the physical interface instead of the reth, like this:

fe-0/0/2 {
    fastether-options {
        redundant-parent reth0;
    }
    unit 0 {
        family inet {
            filter {
                input INGRESS-TCPDUMP;
                output EGRESS-TCPDUMP;
            }
        }
    }
}

Well, you're out of luck there, as that will again only show the one direction. Not recommended!

So is there another way to see what's going on at a very raw level on the firewall?
Yup. Hello, traceoptions.