
[SRX] IDP - Signature update when internet is reachable from Custom VR


Article ID: KB32386   KB Last Updated: 28 Dec 2017   Version: 1.0

Summary:

  • IDP signature updates only work when the connection to the update server is sourced from the default routing instance (inet.0).
  • Signature updates will fail when the internet is reachable only via a custom VR.
  • When the internet is reachable via a custom VR, the setup must ensure that the connection to the server is still sourced from the default instance (inet.0).

Symptoms:

Setup as follows:

Solution:
  • Configure the loopback interface (lo0) with an IP address.
  • When the signature update runs, the connection is then sourced from the loopback interface automatically.

Requirements:
  1. lo0 interface configured with either a private or a public IP address and added to a security zone
  2. Internet (default) route in the default inet.0 table pointing to the Custom-VR table (next-table)
  3. lo0 interface route leaked into Custom-VR (using a rib-group or policy-options instance-import)
  4. Security policy allowing the traffic (intra-zone or inter-zone, depending on the zones the external interface and lo0 belong to)
  5. Source NAT (in case lo0 has a private address)

I. Interface config:

root@lab# show interfaces ge-0/0/0
unit 0 {
    family inet {
        address 2.2.2.2/24;
    }
}
 
[edit]
root@lab#
 
[edit]
root@lab# show interfaces lo0
unit 0 {
    family inet {
        address 10.0.0.1/32;
    }
}
 

II. Security Zone

 
[edit]
root@lab# show security zones
security-zone trust {
    interfaces {
        lo0.0 {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
        }
    }
}
security-zone untrust {
    interfaces {
        ge-0/0/0.0 {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
        }
    }
}
 

III. Security Policy

 
[edit]
root@lab# show security policies
from-zone trust to-zone untrust {
    policy test1 {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone untrust to-zone trust {
    policy test1 {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
 
 
IV. Routing
 
[edit]
root@lab# show routing-options
static {
    route 0.0.0.0/0 next-table Custom-VR.inet.0;
}
 
 
[edit]
root@lab# show policy-options
policy-statement test {
    from {
        instance master;
        protocol [ direct local ];
    }
    then accept;
}
 
{primary:node0}[edit]
root@lab#
 
{primary:node0}[edit]
root@lab# show routing-instances
Custom-VR {
    instance-type virtual-router;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 2.2.2.1;
        }
        instance-import test;
    }
}
 

V. NAT, in case the lo0 interface has a private address

[edit]
root@lab# show security nat
source {
    rule-set test {
        from routing-instance default;
        to routing-instance Custom-VR;
        rule 1 {
            match {
                source-address 10.0.0.1/32;
            }
            then {
                source-nat {
                    interface;
                }
            }
        }
    }
}


Outputs:

root@lab# run show route
 
inet.0: 13 destinations, 13 routes (13 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
 
0.0.0.0/0          *[Static/5] 01:00:16
                      to table Custom-VR.inet.0
 
  
 
Custom-VR.inet.0: 13 destinations, 14 routes (13 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
 
0.0.0.0/0          *[Static/5] 00:42:54
                    > to 2.2.2.1 via ge-0/0/0.0
                    [Static/5] 00:42:54
                      to table Custom-VR.inet.0
2.2.2.0/24         *[Direct/0] 00:42:54
                    > via ge-0/0/0.0
2.2.2.2/32         *[Local/0] 00:42:54
                      Local via ge-0/0/0.0
10.0.0.1/32        *[Direct/0] 00:42:54
                    > via lo0.0
 
 
[edit]
root@lab# run show security nat source rule all
node0:
--------------------------------------------------------------------------
Total rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 1/0
source NAT rule: 1                      Rule-set: test
  Rule-Id                    : 2
  Rule position              : 1
  From routing instance      : default
  To routing instance        : Custom-VR
  Match
    Source addresses         : 10.0.0.1        - 10.0.0.1
  Action                        : interface
    Persistent NAT type         : N/A
    Persistent NAT mapping type : address-port-mapping
    Inactivity timeout          : 0
    Max session number          : 0
  Translation hits           : 0
    Successful sessions      : 0
    Failed sessions          : 0
  Number of sessions         : 0
 
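The article lists the routing requirements but leaves verifying them to the reader. The Python script below is an added example (not part of the KB or of Junos) that parses "show route" output of the shape shown above and flags the three routing conditions the update path depends on: the inet.0 default route handing off to Custom-VR.inet.0, a real next hop for the default route inside the VR, and the lo0 /32 leaked into the VR. Table and prefix names are taken from the article; the sample text is constructed.

```python
import re

# Constructed sample shaped like the KB's "run show route" output (not a real device capture).
SHOW_ROUTE = """\
inet.0: 13 destinations, 13 routes (13 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 01:00:16
                      to table Custom-VR.inet.0

Custom-VR.inet.0: 13 destinations, 14 routes (13 active, 0 holddown, 0 hidden)

0.0.0.0/0          *[Static/5] 00:42:54
                    > to 2.2.2.1 via ge-0/0/0.0
                    [Static/5] 00:42:54
                      to table Custom-VR.inet.0
10.0.0.1/32        *[Direct/0] 00:42:54
                    > via lo0.0
"""

def parse_route_tables(text):
    """Map each table name to {prefix: [next-hop lines]} parsed from 'show route' text."""
    tables, table, prefix = {}, None, None
    for line in text.splitlines():
        m = re.match(r"^(\S+):\s+\d+ destinations", line)
        if m:                                   # table header, e.g. "Custom-VR.inet.0: 13 destinations"
            table, prefix = m.group(1), None
            tables[table] = {}
            continue
        m = re.match(r"^(\d+\.\d+\.\d+\.\d+/\d+)\s", line)
        if m and table is not None:             # route prefix line, e.g. "0.0.0.0/0  *[Static/5] ..."
            prefix = m.group(1)
            tables[table].setdefault(prefix, [])
            continue
        hop = line.strip().lstrip("> ")
        if prefix and line[:1].isspace() and hop.startswith(("to ", "via ", "Local via ")):
            tables[table][prefix].append(hop)   # indented next-hop line belongs to the last prefix
    return tables

def check_update_path(tables, vr="Custom-VR", lo0_prefix="10.0.0.1/32"):
    """Return the KB requirements (items 2 and 3) that the parsed route tables do not meet."""
    master, custom = tables.get("inet.0", {}), tables.get(vr + ".inet.0", {})
    problems = []
    if "to table " + vr + ".inet.0" not in master.get("0.0.0.0/0", []):
        problems.append("inet.0 default route does not hand off to " + vr + ".inet.0")
    if not any(h.startswith("to ") and " via " in h for h in custom.get("0.0.0.0/0", [])):
        problems.append(vr + " has no default route with a real next hop")
    if lo0_prefix not in custom:
        problems.append(lo0_prefix + " (lo0) is not leaked into " + vr + ".inet.0; return traffic is lost")
    return problems
```

An empty list from check_update_path means the routing side matches the article; each string in a non-empty list names the requirement that is missing.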