
[vSRX] 'set system default-address-selection' does not work for Enhanced Web Filtering (EWF) feature


Article ID: KB33381 KB Last Updated: 19 Sep 2019Version: 2.0
Summary:

Even though 'set system default-address-selection' is configured, the loopback interface IP is not used as the source IP when the device establishes connectivity to the EWF/Websense servers cluster-k.cloud.threatseeker.com or rp.cloud.threatseeker.com. Instead, the exit interface IP from the dataplane is used. Return traffic fails if the exit interface does not have a public IP and there is no other source NAT for the EWF traffic that translates the exit interface's private IP into a public IP.

Symptoms:

In deployments where:

  • the loopback interface is used as the source address for all locally generated IP packets,
  • the loopback interface has a public IP to avoid any NAT issue when communicating with the public cloud, and
  • the exit interface does not have a public IP,

the EWF server status shows DOWN.

Ping or telnet (to port 80) to the EWF servers works fine. However, the status shows DOWN:

> show security utm web-filtering status
 UTM web-filtering status:
    Server status: Juniper Enhanced using Websense server DOWN

The 'show security flow session destination-prefix <server's IP address>' command shows "Pkts" in one direction only, not bidirectionally. The source IP it shows is the exit interface IP, not the loopback IP.

Cause:

The loopback interface is considered part of the Routing Engine (RE), and 'default-address-selection' is only supported on the RE, not on the Packet Forwarding Engine (PFE). However, in Junos OS version 15.1X49 and higher, the EWF traffic to the EWF/Websense server is initiated from the PFE.

Therefore, when the ping/telnet is initiated manually, it is treated as RE traffic, uses the public loopback IP, and return traffic works accordingly.
For the actual device-to-EWF-server communication, however, the exit interface IP is used, and return traffic fails because the exit interface has a private IP and no NAT is applied.

Solution:

Source NAT can be configured from the junos-host zone to the exit interface zone to translate the source address of traffic destined specifically to the EWF/Websense servers cluster-k.cloud.threatseeker.com or rp.cloud.threatseeker.com.
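The following configuration is an added example of the source NAT described above; it is not part of the original KB article. It assumes the exit interface sits in a zone named "untrust", that the address 198.51.100.5 is a public IP the upstream router already routes back to this device (for example the loopback's public IP mentioned in the Symptoms section), and that the two Websense server addresses are placeholders to be replaced with whatever cluster-k.cloud.threatseeker.com and rp.cloud.threatseeker.com resolve to in your region.

```junos
/* Added example, not from the KB article. Zone name, pool address and
   server addresses are assumptions; substitute your own values. */
security {
    address-book {
        global {
            /* Placeholder addresses: replace with the resolved IPs of
               cluster-k.cloud.threatseeker.com and rp.cloud.threatseeker.com */
            address ewf-cluster-k 203.0.113.10/32;
            address ewf-rp 203.0.113.20/32;
            address-set ewf-servers {
                address ewf-cluster-k;
                address ewf-rp;
            }
        }
    }
    nat {
        source {
            /* Public address the upstream routes to this device (assumed) */
            pool ewf-public {
                address {
                    198.51.100.5/32;
                }
            }
            /* Only PFE-originated traffic from junos-host to the EWF servers
               is translated; all other self traffic is left untouched. */
            rule-set ewf-snat {
                from zone junos-host;
                to zone untrust;
                rule ewf-to-websense {
                    match {
                        destination-address-name ewf-servers;
                        protocol tcp;
                    }
                    then {
                        source-nat {
                            pool {
                                ewf-public;
                            }
                        }
                    }
                }
            }
        }
    }
}
```

After committing, 'show security utm web-filtering status' should report the server as UP, and 'show security flow session destination-prefix <server's IP address>' should show packets in both directions with the translated source address on the outbound wing. Translating to the exit interface's own address ('then source-nat interface') would not help here, because that address is the private IP the return traffic already fails to reach; the pool address must be one that is routed back to the device.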

Modification History:
2019-09-19: Minor, non-technical edits.