
[WebappSecure/Mykonos] How to protect multiple applications located in different subnets in WebappSecure



Article ID: KB29596 KB Last Updated: 20 Nov 2014 Version: 1.0
Before release 5.5.0-6, protected traffic and management traffic were handled by a single interface. From release 5.5.0-6 onwards, servers located in different subnets can be protected by WebappSecure by separating the management and traffic interfaces.
Servers are located in different subnets, and the management and protected traffic networks need to be separated on WebappSecure.

From version 5.5.0-6, there is an option to separate management traffic and backend server traffic and to add static routes.

If the requirement is a completely isolated out-of-band management network that has no access to the backend servers, then the default gateway has to be on the backend server subnet, as in the example below:

Management traffic: eth0
IP address:
Management Gateway:

Backend Server(s) traffic: eth1
IP address:
Default gateway:

To achieve this, configure eth0 to be the management-interface and configure a separate interface, for example eth1, for the backend server subnets as noted in KB29594.

After configuring eth0 and eth1, the routing table on JWAS will show that by default eth0 is considered as the default gateway, i.e., will be shown as default gateway. This prevents JWAS from reaching the clients, the internet, or the backend servers. The default gateway must always be one that can reach *all* of the backend subnets as well as external clients and the internet. To achieve this, remove the gateway from interface eth0 and set the gateway on eth1; in this example the default gateway should be So the config would be like below:

cli system unset interface eth0 gateway
cli system set interface eth1 gateway

With the above config, the default gateway will be which is on the traffic subnet. If any static routes need to be added, this can be done using the route command, with example syntax below:

cli system set interface eth0 route via dev eth0

Thereafter, restart services by running the command “cli system services restart”.

[mykonos@JWAS-116 ~]$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
U 0 0 0 eth1
U 0 0 0 eth0
UG 0 0 0 eth0
U 1002 0 0 eth0
U 1003 0 0 eth1
UG 0 0 0 eth1

[mykonos@JWAS-116 ~]$ cli system show
"dns": {
"domain": "",
"nameserver": [
"search": ""
"hostname": "JWAS-116",
"interfaces": {
"eth0": {
"bootproto": "static",
"ipaddr": "",
"netmask": "",
"onboot": "yes",
"routes": [
" via dev eth0",
" via dev eth0"
"userctl": "yes"
"eth1": {
"bootproto": "static",
"gateway": "",
"ipaddr": "",
"netmask": "",
"onboot": "yes",
"userctl": "yes"
"management-interface": "eth0",
"mode": "standalone",
"proxy": null

Once the routing is sorted out, i.e., once the default gateway is able to reach all of the backend server subnets, configure multiple applications as needed. To configure multiple applications, refer to KB28842.

NOTE: Only one of the interfaces should have the "gateway" set in the configuration.
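
An added example, not part of the original article or of Juniper's tooling: a Python check (the name check_routing is hypothetical) that applies the rules above to a saved "cli system show" result: exactly one interface carries the gateway, that interface is not the management interface, and every gateway or static-route next hop sits on its own interface's subnet. It assumes the output is complete JSON with "management-interface" at the top level beside "interfaces"; all addresses in the sample are constructed.

```python
import ipaddress

# Constructed sample: the addresses are invented for illustration (not from the
# article); key names follow the "cli system show" output shown above.
SAMPLE = {
    "interfaces": {
        "eth0": {"ipaddr": "192.0.2.10", "netmask": "255.255.255.0",
                 "routes": ["198.51.100.0/24 via 192.0.2.1 dev eth0"]},
        "eth1": {"ipaddr": "10.20.0.10", "netmask": "255.255.255.0",
                 "gateway": "10.20.0.1"},
    },
    "management-interface": "eth0",
}


def check_routing(cfg):
    """Return a list of findings; an empty list means the layout follows the article."""
    findings = []
    ifaces = cfg.get("interfaces", {})
    mgmt = cfg.get("management-interface")
    nets = {}
    for name, c in ifaces.items():
        if c.get("ipaddr") and c.get("netmask"):
            nets[name] = ipaddress.ip_interface(f"{c['ipaddr']}/{c['netmask']}").network
    with_gw = [n for n, c in ifaces.items() if c.get("gateway")]
    if len(with_gw) != 1:
        findings.append(f"expected exactly one interface with a gateway, found {with_gw}")
    for name in with_gw:
        if name == mgmt:
            findings.append(f"default gateway is set on management interface {name}")
        gw = ipaddress.ip_address(ifaces[name]["gateway"])
        if name in nets and gw not in nets[name]:
            findings.append(f"gateway {gw} is not on the {name} subnet {nets[name]}")
    for name, c in ifaces.items():
        for route in c.get("routes", []):
            parts = route.split()
            # Expected form: "<destination> via <next hop> dev <interface>"
            if len(parts) != 5 or parts[1] != "via" or parts[3] != "dev":
                findings.append(f"{name}: cannot parse route {route!r}")
                continue
            hop = ipaddress.ip_address(parts[2])
            if parts[4] != name:
                findings.append(f"{name}: route {route!r} names device {parts[4]}")
            elif name in nets and hop not in nets[name]:
                findings.append(f"{name}: next hop {hop} is not on subnet {nets[name]}")
    return findings
```

Load the saved output with json.load and pass the resulting dict to check_routing; an empty list means the management network stays off the default route.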