[SRX] Example - Configuring TAP Mode Interface

  [KB34543]


Summary:

The sniffer/TAP mode interface is supported on SRX starting with Junos OS 18.2R1. TAP mode together with the UTM feature is supported on SRX starting with Junos OS 19.1R1. For an overview, see SRX TAP Mode Support Overview.

  • Both C2S and S2C traffic is directed to an SRX port by a switch mirror session or a fiber tap. In this mode, the SRX only receives packets from the configured TAP interfaces.
  • All outgoing packets destined for the TAP interface are dropped silently before they leave the SRX.
  • Apart from the configured TAP interface, the other interfaces can be configured as normal, so they can serve as a management interface or connect to an outside server. The SRX generates security reports and logs based on the incoming traffic.
This feature can be used to detect or log network traffic, so that you can analyze and review the traffic and potential network security risks or threats using L3/L4 or advanced firewall features, or policy-based features such as UTM and userFW.

Note: An SRX in TAP mode only detects and logs customer traffic. It does not affect the existing network security of the customer environment.
 
Solution:

A typical topology and configuration example is provided below:

Topology Diagram:

                           +------------------+
                           |                  |
                           |                  |
                           |      r0          |                       
                           |      SRX         |
                           |                  |
                           |                  |
                           |                  |
                           +--------+---------+
                                    | TAP interface
                                    |
                                    |
                                    |
                                    |mirror interface
                           +--------+---------+
                           |                  |
+--------+                 |                  +                     +--------+
|   h0   |       7001::1/64|      r1          |8001::1/64           |   h1   |
| client +-----------------+    switch        +---------------------+ Server |
|        |       1.1.1.1/24|                  |2.2.2.1/24           |        |
+--------+                 |                  +                     +--------+
7001::2/64                 |                  |                     8001::2/64
1.1.1.2/24                 +------------------+                     2.2.2.2/24



 

SRX Configuration:

(1) Interface configuration:

set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.1/30
set interfaces ge-0/0/0 unit 0 family inet6 address 1001::1/126
set interfaces ge-0/0/0 promiscuous-mode
set security forwarding-options mode tap interface ge-0/0/0

(2) Routing instance, routing option and MAC configuration:

set routing-instances TAP-VR instance-type virtual-router
set routing-instances TAP-VR interface ge-0/0/0.0
set routing-instances TAP-VR routing-options static route 0.0.0.0/0 next-hop 10.0.0.2
set routing-instances TAP-VR routing-options rib inet6.0 static route 0/0 next-hop 1001::2
set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.1/30 arp 10.0.0.2 mac 00:0f:12:34:56:78
set interfaces ge-0/0/0 unit 0 family inet6 address 1001::1/126 ndp 1001::2 mac 00:0f:12:34:56:78

(3) Flow and log settings:

set security flow tcp-session no-syn-check
set security flow tcp-session no-sequence-check
set security log mode stream
set security log report

(4) Zone configuration:

set security zones security-zone tap-zone interfaces ge-0/0/0.0
set security zones security-zone tap-zone application-tracking

(5) Policy configuration:

set security policies from-zone tap-zone to-zone tap-zone policy tap-policy match source-address any
set security policies from-zone tap-zone to-zone tap-zone policy tap-policy match destination-address any
set security policies from-zone tap-zone to-zone tap-zone policy tap-policy match application any
set security policies from-zone tap-zone to-zone tap-zone policy tap-policy then permit
set security policies from-zone tap-zone to-zone tap-zone policy tap-policy then log session-init
set security policies from-zone tap-zone to-zone tap-zone policy tap-policy then log session-close

(6) ALG configuration:

set security alg dns disable
set security alg msrpc disable
set security alg sunrpc disable
set security alg talk disable
set security alg tftp disable
set security alg pptp disable



Connected Switch Configured with Mirror Filter:

Sample config on QFX switch r1

root@switch_qfx# show | display set | match analyzer
set forwarding-options analyzer TAP-sniff input ingress interface xe-0/0/3:1.0
set forwarding-options analyzer TAP-sniff input ingress interface xe-0/0/3:2.0
set forwarding-options analyzer TAP-sniff output interface xe-0/0/11:2.0

 

TAP Status:

On the SRX, TAP mode is always shown as enabled in the flow status output once a TAP interface is configured:

root@srx-fw# run show security flow status
  Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: flow based
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
    Tap mode: enabled
  Flow trace status
    Flow tracing status: off
  Flow session distribution
    Distribution mode: RR-based
    GTP-U distribution: Disabled
  Flow ipsec performance acceleration: off
  Flow packet ordering
    Ordering mode: Hardware


When an FTP download of a file occurs from the client to the server, a sample session on the SRX looks like this:

root@srx-fw> show security flow session   
Session ID: 9, Policy name: tap-policy/6, Timeout: 1798, Valid
Resource information : FTP ALG, 1, 0
  In: 1.1.1.2/44485 --> 2.2.2.2/21;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 13, Bytes: 586,
  Out: 2.2.2.2/21 --> 1.1.1.2/44485;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 13, Bytes: 730,
Total sessions: 1
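The two outputs above can be checked automatically. The following Python script is an added example, not part of the article or of Junos; it embeds the article's own sample output from "show security flow status" and "show security flow session" and verifies the two properties that characterise a working TAP deployment: "Tap mode: enabled" is reported, and every session's In and Out wings arrive on the TAP interface (ge-0/0/0.0) under the tap-policy policy, since in TAP mode the SRX only ever receives mirrored packets there and never forwards them. The interface and policy names are taken from the article's configuration; the regular expressions are this example's own and are written for the output format shown above.

```python
"""Added example (not part of the Juniper KB article): validate SRX TAP-mode
operational output. Parses 'show security flow status' and
'show security flow session' text and checks TAP-mode invariants."""

import re

# Sample outputs copied from the article's command output (not constructed).
FLOW_STATUS = """\
  Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: flow based
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
    Tap mode: enabled
  Flow trace status
    Flow tracing status: off
"""

FLOW_SESSION = """\
Session ID: 9, Policy name: tap-policy/6, Timeout: 1798, Valid
Resource information : FTP ALG, 1, 0
  In: 1.1.1.2/44485 --> 2.2.2.2/21;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 13, Bytes: 586,
  Out: 2.2.2.2/21 --> 1.1.1.2/44485;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 13, Bytes: 730,
Total sessions: 1
"""

TAP_INTERFACE = "ge-0/0/0.0"   # TAP interface from the article's configuration
TAP_POLICY = "tap-policy"      # policy name from the article's configuration


def tap_mode_enabled(status_text):
    """True if the flow status output reports 'Tap mode: enabled'."""
    m = re.search(r"^\s*Tap mode:\s*(\S+)", status_text, re.MULTILINE)
    return m is not None and m.group(1).lower() == "enabled"


# One header line per session; the policy is shown as name/index.
SESSION_RE = re.compile(r"^Session ID:\s*(\d+),\s*Policy name:\s*([^/,]+)/\d+", re.MULTILINE)
# One line per wing: 'In:' or 'Out:', addresses as addr/port, then If:, Pkts:, Bytes:.
WING_RE = re.compile(
    r"^\s*(In|Out):\s*(\S+)/(\d+)\s*-->\s*(\S+)/(\d+);(\w+).*?If:\s*(\S+?),.*?Pkts:\s*(\d+),\s*Bytes:\s*(\d+)",
    re.MULTILINE,
)


def parse_sessions(session_text):
    """Split 'show security flow session' output into a list of session dicts."""
    sessions = []
    for block in re.split(r"(?=^Session ID:)", session_text, flags=re.MULTILINE):
        header = SESSION_RE.search(block)
        if not header:
            continue  # leading empty chunk or the 'Total sessions' trailer
        wings = {}
        for w in WING_RE.finditer(block):
            direction, src, sport, dst, dport, proto, ifname, pkts, nbytes = w.groups()
            wings[direction] = {
                "src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
                "proto": proto, "interface": ifname, "pkts": int(pkts), "bytes": int(nbytes),
            }
        sessions.append({"id": int(header.group(1)), "policy": header.group(2).strip(), "wings": wings})
    return sessions


def check_tap_sessions(sessions, tap_interface=TAP_INTERFACE, tap_policy=TAP_POLICY):
    """Return a list of problems; an empty list means every session looks like TAP traffic.
    Both wings must be on the TAP interface: the SRX receives both directions as
    mirrored copies and never forwards them out of another interface."""
    problems = []
    for s in sessions:
        if s["policy"] != tap_policy:
            problems.append(f"session {s['id']}: policy {s['policy']!r} is not {tap_policy!r}")
        for direction in ("In", "Out"):
            wing = s["wings"].get(direction)
            if wing is None:
                problems.append(f"session {s['id']}: missing {direction} wing")
            elif wing["interface"] != tap_interface:
                problems.append(f"session {s['id']}: {direction} wing on {wing['interface']}, not {tap_interface}")
    return problems


if __name__ == "__main__":
    print("tap mode enabled:", tap_mode_enabled(FLOW_STATUS))
    parsed = parse_sessions(FLOW_SESSION)
    print("sessions:", parsed)
    print("problems:", check_tap_sessions(parsed) or "none")
```

On a live device the same functions can be fed the output of the two commands captured over SSH or from a log collector; any session whose Out wing sits on a non-TAP interface indicates traffic that the SRX is actually forwarding rather than merely observing, which is exactly what TAP mode is meant to rule out.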

 

To disable TAP mode, delete the TAP mode configuration for the related interface; the mirrored packets are then no longer processed. The related zone and policy configuration should also be removed if the TAP interface will not be used anymore.

delete interfaces ge-0/0/0 promiscuous-mode
delete security forwarding-options mode tap interface ge-0/0/0
