Juniper Networks V10000 Implementation Tasks, SRX Series Configuration Using Junos Automation

Models: V10000

IMPLEMENTATION GUIDE -Juniper Networks SRX Series Services Gateways/Websense V10000

Implementation Tasks

The SRX Series administrator needs to perform the following configuration steps that are specific to creating an end-to-end solution with the Websense V10000 appliance.

1. Create the web-redirect security zone that provides access to the V10000 P1 port.

2. Create a filter-based forwarding (FBF) configuration that is used to redirect specific traffic from the User LAN to the V10000 P1 port.

3. Add a security policy from user-lan to web-redirect. This step is necessary to allow any traffic to be redirected to the V10000. A separate access control filter list is used to explicitly specify which traffic is actually redirected.

4. Create an access control filter (called a “firewall filter” in Junos OS) to selectively identify the traffic to be redirected to the V10000. For the purpose of this implementation guide example, this is HTTP and HTTPS traffic only.

5. Attach the redirecting firewall filter to the physical interface attached to the User LAN network segment.

6. Add a security policy from user-lan to public-inet. This step is necessary to allow traffic to the Internet that does not need to be processed by the Websense V10000.

7. Add the V10000 “C” port to the management security zone address book. This step is necessary so that the V10000 can redirect the user Web browser to the “C” port for blocked sites or Web protocols.

8. Create a Websense-specific security application definition for the Websense redirect protocol, TCP/15871.

9. Add a security policy from user-lan to management only to the V10000 “C” port and only for the TCP/15871 traffic. This step is necessary so that the user Web browser can be redirected to the V10000 “Block Page.” Normally User LAN traffic should not be allowed to access the management security zone.

10. Add any Network Address Translation (NAT) necessary to support both web-redirect traffic as well as user-lan traffic out toward the public Internet.

There are two general approaches for configuring Junos OS devices for solution integration with partner products. The first, and most common, is manually provisioning these steps. This implementation guide presents this detailed information in a step-by-step fashion. The second approach, which is significantly easier to deploy, is using Junos OS self-provisioning for Websense. This implementation guide presents an example of such self-provisioning in the next section.

SRX Series Configuration Using Junos Automation

Junos OS natively supports the ability to extend and customize the configuration and operational elements of the SRX Series using Junos automation capabilities. The key benefit of using Junos automation is that the network administrator is not required to manually provision the SRX Series with the specific Junos OS commands. Instead, the administrator needs only to provision the relevant V10000 information, and the SRX Series automatically creates the required configuration. By using this technique, the administrator can be assured that all required configuration steps are properly completed, thereby reducing errors and enabling a faster installation.

For example, in the reference network the following is known:

-- The management security zone is attached to SRX Series interface ge-1/0/1.

-- The web-redirect security zone is attached to SRX Series interface ge-2/0/1.

The V10000 appliance:

-- The C port inet address is 172.25.44.19.
-- The P1 port inet address is 192.168.10.12.

The User LAN:

-- The SRX Series inet address is 192.168.5.1.
-- The User LAN network is 192.168.5.0/24.
-- The attached SRX Series interface is ge-0/0/1.
-- HTTP/HTTPS traffic should be redirected to the V10000.
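The following Python helper is an added illustration of the self-provisioning idea described above and of the ten implementation steps listed earlier; it is not Juniper's or Websense's own automation script and is not taken from this guide. It takes only the site facts the administrator knows (the reference values above are used as the sample input) and emits the Junos `set` commands for every step, so no step can be forgotten. Names such as the `redirect-web` filter, the `web-redirect` routing instance, the `fbf-group` RIB group, the policy and rule-set names, the `ge-0/0/0` public-inet interface, and the use of the zone-attached address-book form are assumptions chosen for the example and are not stated on the page. A final check confirms that the only user-lan to management policy is scoped to the Websense application, which is the least-privilege point step 9 makes.

```python
"""Generate Junos SRX 'set' commands for the V10000 integration steps from site
parameters. Hypothetical helper written for this example; not Juniper's own."""
from dataclasses import dataclass
import ipaddress


@dataclass
class V10000Site:
    """Facts the administrator provisions; everything else is derived."""
    user_lan_if: str              # SRX interface facing the User LAN
    user_lan_addr: str            # SRX address on the User LAN, with prefix length
    mgmt_if: str                  # interface in the management zone
    redirect_if: str              # interface in the web-redirect zone
    inet_if: str                  # interface in public-inet (assumed; not on the page)
    c_port: str                   # V10000 C port address
    p1_port: str                  # V10000 P1 port address
    redirect_ports: tuple = (80, 443)   # HTTP and HTTPS only, per the guide


def generate_config(site: V10000Site) -> list:
    """Return the Junos set commands implementing steps 1-10 of the guide."""
    lan = ipaddress.ip_interface(site.user_lan_addr)   # raises ValueError on bad input
    c_port = ipaddress.ip_address(site.c_port)
    p1_port = ipaddress.ip_address(site.p1_port)
    user_net = str(lan.network)                        # e.g. 192.168.5.0/24
    cmds = []
    add = cmds.append
    # Step 1 (plus the other zones the policies refer to): zone/interface bindings
    add(f"set interfaces {site.user_lan_if} unit 0 family inet address {lan.with_prefixlen}")
    add(f"set security zones security-zone user-lan interfaces {site.user_lan_if}.0")
    add(f"set security zones security-zone management interfaces {site.mgmt_if}.0")
    add(f"set security zones security-zone public-inet interfaces {site.inet_if}.0")
    add(f"set security zones security-zone web-redirect interfaces {site.redirect_if}.0")
    # Step 2: forwarding instance whose default route points at the V10000 P1 port
    add("set routing-instances web-redirect instance-type forwarding")
    add(f"set routing-instances web-redirect routing-options static route 0.0.0.0/0 next-hop {p1_port}")
    add("set routing-options rib-groups fbf-group import-rib inet.0")
    add("set routing-options rib-groups fbf-group import-rib web-redirect.inet.0")
    add("set routing-options interface-routes rib-group inet fbf-group")
    # Steps 3 and 6: permit user-lan traffic into web-redirect and public-inet
    for to_zone, name in (("web-redirect", "allow-redirect"), ("public-inet", "allow-internet")):
        base = f"set security policies from-zone user-lan to-zone {to_zone} policy {name}"
        add(f"{base} match source-address any")
        add(f"{base} match destination-address any")
        add(f"{base} match application any")
        add(f"{base} then permit")
    # Step 4: firewall filter that selects only User LAN HTTP/HTTPS for redirection
    flt = "set firewall family inet filter redirect-web"
    add(f"{flt} term redirect from source-address {user_net}")
    add(f"{flt} term redirect from protocol tcp")
    for port in site.redirect_ports:
        add(f"{flt} term redirect from destination-port {port}")
    add(f"{flt} term redirect then routing-instance web-redirect")
    add(f"{flt} term default then accept")      # everything else takes the normal route
    # Step 5: attach the filter inbound on the User LAN interface
    add(f"set interfaces {site.user_lan_if} unit 0 family inet filter input redirect-web")
    # Step 7: C port in the management zone address book (zone-attached form)
    add(f"set security zones security-zone management address-book address v10000-c {c_port}/32")
    # Step 8: the Websense redirect protocol as a custom application
    add("set applications application websense-redirect protocol tcp destination-port 15871")
    # Step 9: user-lan -> management only to the C port and only for TCP/15871
    pol = "set security policies from-zone user-lan to-zone management policy block-page"
    add(f"{pol} match source-address any")
    add(f"{pol} match destination-address v10000-c")
    add(f"{pol} match application websense-redirect")
    add(f"{pol} then permit")
    # Step 10: interface source NAT for both zones heading to the public Internet
    for from_zone in ("user-lan", "web-redirect"):
        rs = f"set security nat source rule-set {from_zone}-to-inet"
        add(f"{rs} from zone {from_zone}")
        add(f"{rs} to zone public-inet")
        add(f"{rs} rule snat match source-address 0.0.0.0/0")
        add(f"{rs} rule snat then source-nat interface")
    return cmds


def management_policies_are_scoped(cmds: list) -> bool:
    """True when no user-lan -> management policy matches 'application any',
    i.e. the management zone is reachable only for the Websense block page."""
    prefix = "set security policies from-zone user-lan to-zone management"
    return not any(c.startswith(prefix) and c.endswith("match application any") for c in cmds)


if __name__ == "__main__":
    # Reference network values from the guide; ge-0/0/0 for public-inet is assumed.
    reference = V10000Site("ge-0/0/1", "192.168.5.1/24", "ge-1/0/1", "ge-2/0/1",
                           "ge-0/0/0", "172.25.44.19", "192.168.10.12")
    config = generate_config(reference)
    print("\n".join(config))
    print("# management access scoped:", management_policies_are_scoped(config))
```

The generated commands are meant to be reviewed and then loaded with `load set` in configuration mode; the generator validates the addresses with the `ipaddress` module so a typo in the C or P1 address fails before anything reaches the device.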

Copyright © 2010, Juniper Networks, Inc.
