
[SRX] IDP - Signature update when internet is reachable from Custom VR

  [KB32386]


Summary:

 

  • IDP signature updates work only when the connection to the update server is sourced from the default routing instance (inet.0).
  • Signature updates fail when the internet is reachable only via a custom virtual router (VR), because the connection is then not sourced from the default instance.
  • When the internet is reachable via a custom VR, the device has to be configured so that the connection to the server is still sourced from the default instance and then handed to the custom VR for forwarding.

 

Symptoms:

Setup as follows:

Solution:
  • Configure the lo0 interface with an IP address and place it in a security zone.
  • When the signature update runs, the connection to the update server is sourced from the lo0 address in the default instance; a default route in inet.0 pointing to the custom VR's table carries it out.

Requirements:
  1. lo0 interface configured with either a private or a public IP address and added to a security zone
  2. Internet (default) route in the default instance pointing to table Custom-VR.inet.0
  3. lo0 interface route leaked into Custom-VR (using a rib-group or a policy-options instance-import policy), so return traffic can reach lo0
  4. Security policy permitting the traffic from the zone containing lo0 to the zone containing the external interface (an intra-zone policy if both are in the same zone)
  5. Source NAT (in case lo0 has a private address)
 

I. Interface config:

root@lab# show interfaces ge-0/0/0
unit 0 {
    family inet {
        address 2.2.2.2/24;
    }
}
 
[edit]
root@lab# show interfaces lo0
unit 0 {
    family inet {
        address 10.0.0.1/32;
    }
}
 

II. Security Zone

 
[edit]
root@lab# show security zones
security-zone trust {
    interfaces {
        lo0.0 {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
        }
    }
}
security-zone untrust {
    interfaces {
        ge-0/0/0.0 {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
        }
    }
}
 

III. Security Policy

 
[edit]
root@lab# show security policies
from-zone trust to-zone untrust {
    policy test1 {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone untrust to-zone trust {
    policy test1 {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
 
 
IV. Routing
 
[edit]
root@lab# show routing-options
static {
    route 0.0.0.0/0 next-table Custom-VR.inet.0;
}
 
 
[edit]
root@lab# show policy-options
policy-statement test {
    from {
        instance master;
        protocol [ direct local ];
    }
    then accept;
}
 
{primary:node0}[edit]
root@lab# show routing-instances
Custom-VR {
    instance-type virtual-router;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 2.2.2.1;
        }
        instance-import test;
    }
}
 
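Requirement 3 allows either a rib-group or an instance-import policy, and the configuration above uses the policy. The following is an added example, not part of this KB article, showing the rib-group alternative in set format. It leaks the same direct and local routes of the master instance into Custom-VR.inet.0 that the policy-statement "test" imports, using the addressing from this article; the rib-group name master-to-custom is an assumed name.

```junos
## Rib-group alternative to "instance-import test". The first table in
## import-rib must be the primary table (inet.0); the second is the target.
set routing-options rib-groups master-to-custom import-rib [ inet.0 Custom-VR.inet.0 ]

## Apply the rib-group to the master instance's interface routes. This leaks
## both lo0's 10.0.0.1/32 and ge-0/0/0's 2.2.2.0/24 (plus the local /32),
## which Custom-VR needs anyway to resolve its next-hop 2.2.2.1.
set routing-options interface-routes rib-group inet master-to-custom

## Use only one of the two mechanisms. If the policy from the article is
## still configured, remove it so the routes are not leaked twice.
delete routing-instances Custom-VR routing-options instance-import test
delete policy-options policy-statement test

## The default route in inet.0 and the default route in Custom-VR stay as
## shown in section IV:
set routing-options static route 0.0.0.0/0 next-table Custom-VR.inet.0
set routing-instances Custom-VR instance-type virtual-router
set routing-instances Custom-VR routing-options static route 0.0.0.0/0 next-hop 2.2.2.1

commit

## Check that the leaked interface routes are present in the custom VR.
run show route table Custom-VR.inet.0 protocol direct
run show route table Custom-VR.inet.0 10.0.0.1
```

The check should list 10.0.0.1/32 via lo0.0 and 2.2.2.0/24 via ge-0/0/0.0 in Custom-VR.inet.0, matching the Direct entries in the "Outputs" section below. If lo0's /32 is missing from the custom VR, the signature server's replies have nowhere to go once they arrive through ge-0/0/0 and the download times out.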

V. Source NAT, in case the lo0 interface has a private address

 
root@lab# show security nat
source {
    rule-set test {
        from routing-instance default;
        to routing-instance Custom-VR;
        rule 1 {
            match {
                source-address 10.0.0.1/32;
            }
            then {
                source-nat {
                    interface;
                }
            }
        }
    }
}
 
 

Outputs:

root@lab# run show route
 
inet.0: 13 destinations, 13 routes (13 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
 
0.0.0.0/0          *[Static/5] 01:00:16
                      to table Custom-VR.inet.0
 
  
 
Custom-VR.inet.0: 13 destinations, 14 routes (13 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
 
0.0.0.0/0          *[Static/5] 00:42:54
                    > to 2.2.2.1 via ge-0/0/0.0
                    [Static/5] 00:42:54
                      to table Custom-VR.inet.0
2.2.2.0/24         *[Direct/0] 00:42:54
                    > via ge-0/0/0.0
2.2.2.2/32         *[Local/0] 00:42:54
                      Local via ge-0/0/0.0
10.0.0.1/32        *[Direct/0] 00:42:54
                    > via lo0.0
 
 
[edit]
root@lab# run show security nat source rule all
node0:
--------------------------------------------------------------------------
Total rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 1/0
source NAT rule: 1                      Rule-set: test
  Rule-Id                    : 2
  Rule position              : 1
  From routing instance      : default
  To routing instance        : Custom-VR
  Match
    Source addresses         : 10.0.0.1        - 10.0.0.1
  Action                        : interface
    Persistent NAT type         : N/A
    Persistent NAT mapping type : address-port-mapping
    Inactivity timeout          : 0
    Max session number          : 0
  Translation hits           : 0
    Successful sessions      : 0
    Failed sessions          : 0
  Number of sessions         : 0
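
The outputs above are taken before any download, so the NAT rule shows zero translation hits. The following added example, not part of this KB article, lists the operational commands a practitioner would run to trigger an update and confirm that the session is sourced from lo0 and forwarded through the custom VR; the commands are standard Junos operational-mode commands and the addressing is the one used in this article.

```junos
## 1. The default route in inet.0 must point at the custom VR's table.
show route table inet.0 0.0.0.0/0 exact

## 2. The custom VR must hold a route back to lo0 (leaked by instance-import
##    or a rib-group), otherwise replies arriving on ge-0/0/0 are dropped.
show route table Custom-VR.inet.0 10.0.0.1

## 3. Trigger the signature download and poll its progress.
request security idp security-package download
request security idp security-package download status

## 4. While the download is running, the flow session should show 10.0.0.1
##    (lo0) as the source and the interface NAT should record a hit.
show security flow session source-prefix 10.0.0.1/32
show security nat source rule all

## 5. After completion, confirm the installed package version changed.
show security idp security-package-version
```

If step 4 shows a session sourced from the ge-0/0/0 address instead of 10.0.0.1, the connection is not being sourced from the default instance and the update will fail as described in the summary. Note also that the download is an outbound session from lo0.0 (trust) to ge-0/0/0.0 (untrust): the lab configuration's "system-services all" on the untrust interface and the permit-any untrust-to-trust policy are not required for it, and should be tightened on a production device.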