Configuring IPFIX on the SRX Branch Series

Junos 20.1R1 was released recently, and with it came a rather exciting feature: the ability to configure IPFIX flow export on the SRX Branch series. This release also supports flow record export from chassis clusters. Flow export is a great way to feed traffic analysis through a myriad of tools, and it can even support basic Denial of Service attack detection. With IPFIX we can also export flow data for IPv6 traffic, which was previously not supported on the SRX. Without further ado, let’s configure IPFIX!

(more…)

SRX Address-Set Membership Check – Part 2!

I wrote a script a few years ago that checks whether address entries exist in more than one address-set. It works well, but it was missing one key component: what happens when an address-set contains another address-set?

I’ve since updated the script with a little extra logic to track this very scenario, and I’ll explain the changes below. The script is still available on GitHub if you want to download a copy and use it in your operations!

(more…)

COVID-19 and Remote Access Questions

Unless you’ve been living under a rock recently, you will have noticed that COVID-19 cases are becoming prevalent all around the world. With this comes a ton of questions regarding working from home and remote access in general. Is your infrastructure ready in the event that your organization requires the entire company to work from home? This blog post describes some of the questions you may want to ask to assess your readiness for a long-term working-from-home scenario.

(more…)

Traffic Selectors on a Route-based VPN

This is an extremely long-overdue post, but I wanted to add a follow-up to the old blog post Route-based VPN with Multiple Source/Destination Networks to a 3rd Party Device. While the previous method still works, it has some drawbacks:

  • It required the use of ephemeral IP addresses, which can be a waste of IP space
  • It only worked if there was one destination network, as Next-Hop Tunnel Bindings (NHTBs) did not identify which source network the traffic came from

Traffic selectors were introduced as a feature starting in Junos 12.1X46-D10 (SRX200, SRX1400, and SRX3k series) and Junos 17.3R1 (SRX300, SRX1500, SRX4k, and SRX5k series) for IKEv1. IKEv2 support was added in Junos 15.1X49-D100, meaning this is only available for the SRX300, SRX1500, SRX4k, and SRX5k series.
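As an added illustration (not configuration from the original post), the fragment below shows how traffic selectors replace the single proxy-ID of the NHTB approach: one selector per source/destination pair, with no ephemeral addressing. The VPN name, gateway, policy and prefixes are assumed placeholders.

```text
## Route-based VPN on st0.0; one traffic selector per local/remote network pair
set security ipsec vpn vpn-partner bind-interface st0.0
set security ipsec vpn vpn-partner ike gateway gw-partner
set security ipsec vpn vpn-partner ike ipsec-policy ipsec-pol-partner
set security ipsec vpn vpn-partner traffic-selector ts-lan1 local-ip 10.10.1.0/24 remote-ip 172.16.50.0/24
set security ipsec vpn vpn-partner traffic-selector ts-lan2 local-ip 10.10.2.0/24 remote-ip 172.16.50.0/24
set security ipsec vpn vpn-partner traffic-selector ts-lan1-dmz local-ip 10.10.1.0/24 remote-ip 172.16.60.0/24
set security ipsec vpn vpn-partner establish-tunnels immediately
```

Each traffic selector negotiates its own Phase 2 SA, so the third-party peer must carry a matching proxy-ID or crypto ACL entry for every pair; after committing, `show security ipsec security-associations` should list one SA per selector, and a selector whose pair the peer does not know about will simply fail to come up.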

(more…)

SRX Address-Set Membership Check

One of the things I like to standardize in firewall configs is addresses and address-sets. I always recommend creating address-sets and binding address entries into them. From there, we can reference the address-set inside the security policy configuration. This makes it easier to automate changes, as we no longer have to hunt through the security policies to add or remove entries.

Recently I had a situation where I needed to parse through several thousand lines of configuration on an SRX firewall to determine whether address book entries were bound to more than one address-set. In many environments it is very likely that an address book entry is bound to more than one address-set. When that happens there are often unintended consequences for traffic flow through the firewall: a host may fall victim to a blocking policy, or, worse yet, be granted more permissive access to sensitive systems!

Since I needed a quick way to do this repeatedly, I wrote a simple Python script to parse an SRX configuration. Read on to see the script!
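The following is an added example of the check described here and in the Part 2 post above (addresses reached through nested address-sets); it is not the author’s GitHub script. It assumes `show configuration | display set` output with global or named address books; the sample configuration is constructed for the example, and zone-attached address books (`set security zones ...`) are deliberately not parsed.

```python
import re
from collections import defaultdict

# Matches one "set security address-book <book> address-set <set> address|address-set <member>" line.
# Assumption: global/named address books only; zone-attached address books use a
# different hierarchy and are skipped by this regex.
_MEMBER_RE = re.compile(
    r"^set security address-book (?P<book>\S+) address-set (?P<aset>\S+) "
    r"(?P<kind>address-set|address) (?P<member>\S+)$"
)

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
set security address-book global address web-01 10.0.1.10/32
set security address-book global address web-02 10.0.1.11/32
set security address-book global address db-01 10.0.2.10/32
set security address-book global address app-01 10.0.3.10/32
set security address-book global address-set web-servers address web-01
set security address-book global address-set web-servers address web-02
set security address-book global address-set db-servers address db-01
set security address-book global address-set app-servers address app-01
set security address-book global address-set blocked-hosts address web-02
set security address-book global address-set all-servers address-set web-servers
set security address-book global address-set all-servers address-set db-servers
"""


def parse_membership(config_text):
    """Return (addresses, children): the direct address members and the nested
    address-set members of every address-set, keyed by address-set name."""
    addresses = defaultdict(set)
    children = defaultdict(set)
    for line in config_text.splitlines():
        m = _MEMBER_RE.match(line.strip())
        if not m:
            continue
        if m["kind"] == "address":
            addresses[m["aset"]].add(m["member"])
        else:
            children[m["aset"]].add(m["member"])
    return addresses, children


def expand_set(name, addresses, children, _stack=()):
    """All addresses reachable from address-set `name`, following nested sets.
    The stack guards against cycles (Junos rejects them at commit, but a pasted
    or hand-edited config might still contain one)."""
    if name in _stack:
        return set()
    result = set(addresses.get(name, ()))
    for child in children.get(name, ()):
        result |= expand_set(child, addresses, children, _stack + (name,))
    return result


def address_memberships(config_text):
    """Map every address to the sorted list of address-sets that contain it,
    either directly or through any depth of nesting."""
    addresses, children = parse_membership(config_text)
    membership = defaultdict(set)
    for aset in set(addresses) | set(children):
        for addr in expand_set(aset, addresses, children):
            membership[addr].add(aset)
    return {addr: sorted(sets) for addr, sets in membership.items()}


def multi_membership(config_text):
    """Only the addresses that belong to more than one address-set; these are the
    entries whose policy treatment depends on which set a rule references."""
    return {a: s for a, s in address_memberships(config_text).items() if len(s) > 1}


if __name__ == "__main__":
    for addr, sets in sorted(multi_membership(SAMPLE_CONFIG).items()):
        print(f"{addr}: {', '.join(sets)}")
```

In the sample, `web-02` is the case the post warns about: it is in `web-servers` and `blocked-hosts` directly and in `all-servers` through nesting, so a permit on `all-servers` and a deny on `blocked-hosts` both match it, and the result depends only on policy order. `app-01` sits in a single set and is not reported.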

(more…)