SRX Transparent Mode

The SRX firewall can operate in transparent mode, performing firewall functions without the connected devices being aware of it. To configure transparent mode, the interfaces are configured for bridge mode and assigned to the same VLAN; a bridge domain is then configured with that VLAN ID, and an IRB interface is associated with it to provide routing. Security zones matching each interface are defined, and a policy allows traffic between the zones to pass through the firewall transparently.
The SRX can also function as a firewall when it is in Layer 2 mode, i.e. it can perform firewall functions transparently.
As of now there are certain limitations on transparent mode (if they haven't been changed already):

You can run the firewall in either route mode or transparent mode, but not a mix of the two.

NAT and IPsec aren't supported in this mode.

Below I will try to show how you can convert an SRX firewall to transparent mode
and configure it. In our topology, we have two Linux servers in the same VLAN
(282), and we will inspect the traffic between these nodes without the Linux hosts
being aware of the SRX.

First of all, converting to transparent mode means setting the interface families
to bridge. There isn't any switch or knob by which you convert to transparent mode.
You can start by deleting all interface configuration to start from scratch, then configure
these two GE interfaces with interface-mode access and vlan-ids. You also see an IRB
interface. We can think of this as a virtual interface on this VLAN, something like
vlan.282 when we are in L3 mode.
ge-0/0/1 {
    unit 0 {
        family bridge {
            interface-mode access;
            vlan-id 282;
        }
    }
}
ge-0/0/2 {
    unit 0 {
        family bridge {
            interface-mode access;
            vlan-id 282;
        }
    }
}
irb {
    unit 1 {
        family inet {
            address 5.5.5.254/24;
        }
    }
}
Then configure a bridge domain. But what is a bridge domain? Assume this isn't
an SRX device but an EX switch. By assigning ge-0/0/1 and ge-0/0/2 to VLAN 282 we are creating
a broadcast segment, and with the following config we name our new domain BD282
and assign the irb.1 interface to this bridge domain so that the box can be accessed, i.e. from any
device on this VLAN you can connect to the SRX through the IRB interface, as long
as the security zone of the ingress interface has the necessary system-services allowed.
[edit]
root@branchE# show bridge-domains
BD282 {
    domain-type bridge;
    vlan-id 282;
    routing-interface irb.1;
}
If you commit after this configuration, you will be instructed to reboot, which is required.
Now configure security zones and a simple security policy for testing.

[edit]
root@branchE# show security zones
security-zone INTERNET {
    host-inbound-traffic {
        system-services {
            ssh;
            ping;
        }
    }
    interfaces {
        ge-0/0/0.0;
    }
}
security-zone ZONE1 {
    interfaces {
        ge-0/0/1.0;
    }
}
security-zone ZONE2 {
    host-inbound-traffic {
        system-services {
            all;
        }
    }
    interfaces {
        ge-0/0/2.0;
    }
}
[edit]
root@branchE# show security policies
from-zone ZONE2 to-zone ZONE1 {
    policy allow-all {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
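The three configuration steps above (bridged interfaces, bridge domain, zones and policy) have to agree with each other: every bridged port must carry the bridge domain's VLAN, the bridge domain's routing-interface must be the IRB unit you actually configured, and every bridged logical interface must sit in exactly one security zone or the flow module never sees its traffic. The following Python is an added example, not code from the original post or from Juniper: it holds the post's values (VLAN 282, ge-0/0/1 and ge-0/0/2, irb.1 with 5.5.5.254/24, zones INTERNET/ZONE1/ZONE2, policy allow-all) in a small data structure of its own, emits the equivalent `set` statements, and runs those consistency checks before anything would be committed. The `TransparentModeConfig` class and the checks are this example's assumptions; nothing here talks to a device.

```python
"""Build and sanity-check a Junos SRX transparent-mode configuration.

Added example (not from the original post). The data structure and the checks are
this example's own assumptions, not a Juniper API; the values are the post's.
"""
import dataclasses
import ipaddress
from dataclasses import dataclass, field


@dataclass
class TransparentModeConfig:
    bridge_domain: str          # bridge domain name, e.g. "BD282"
    domain_vlan: int            # vlan-id under the bridge domain
    bridge_interfaces: dict     # physical interface -> vlan-id under family bridge
    irb_unit: int               # irb unit carrying the management address
    irb_address: str            # e.g. "5.5.5.254/24"
    routing_interface: str      # value of 'routing-interface' in the bridge domain
    zones: dict                 # zone name -> list of logical interfaces
    host_inbound: dict = field(default_factory=dict)   # zone -> system-services
    policies: list = field(default_factory=list)       # (from_zone, to_zone, name)


def build_set_commands(cfg):
    """Return the configuration as Junos 'set' statements."""
    cmds = []
    for ifd, vlan in cfg.bridge_interfaces.items():
        cmds.append(f"set interfaces {ifd} unit 0 family bridge interface-mode access")
        cmds.append(f"set interfaces {ifd} unit 0 family bridge vlan-id {vlan}")
    cmds.append(f"set interfaces irb unit {cfg.irb_unit} family inet address {cfg.irb_address}")
    cmds.append(f"set bridge-domains {cfg.bridge_domain} domain-type bridge")
    cmds.append(f"set bridge-domains {cfg.bridge_domain} vlan-id {cfg.domain_vlan}")
    cmds.append(f"set bridge-domains {cfg.bridge_domain} routing-interface {cfg.routing_interface}")
    for zone, ifls in cfg.zones.items():
        for svc in cfg.host_inbound.get(zone, []):
            cmds.append(f"set security zones security-zone {zone} "
                        f"host-inbound-traffic system-services {svc}")
        for ifl in ifls:
            cmds.append(f"set security zones security-zone {zone} interfaces {ifl}")
    for from_zone, to_zone, name in cfg.policies:
        base = f"set security policies from-zone {from_zone} to-zone {to_zone} policy {name}"
        cmds.append(f"{base} match source-address any")
        cmds.append(f"{base} match destination-address any")
        cmds.append(f"{base} match application any")
        cmds.append(f"{base} then permit")
    return cmds


def validate(cfg):
    """Return a list of problems; an empty list means the pieces fit together."""
    problems = []
    if len(cfg.bridge_interfaces) < 2:
        problems.append("transparent mode needs at least two bridged interfaces")
    # A port in a different VLAN is not in the same broadcast segment as the
    # others, so nothing would be bridged to or from it.
    for ifd, vlan in cfg.bridge_interfaces.items():
        if vlan != cfg.domain_vlan:
            problems.append(f"{ifd} carries vlan-id {vlan} but {cfg.bridge_domain} uses {cfg.domain_vlan}")
    if cfg.routing_interface != f"irb.{cfg.irb_unit}":
        problems.append(f"routing-interface {cfg.routing_interface} does not match irb.{cfg.irb_unit}")
    try:
        ipaddress.ip_interface(cfg.irb_address)
    except ValueError:
        problems.append(f"irb address {cfg.irb_address!r} is not a valid prefix")
    # A logical interface belongs to one zone; a bridged port that is in no zone
    # is invisible to the flow module and its traffic is dropped.
    zone_of = {}
    for zone, ifls in cfg.zones.items():
        for ifl in ifls:
            if ifl in zone_of:
                problems.append(f"{ifl} is in both {zone_of[ifl]} and {zone}")
            zone_of[ifl] = zone
    for ifd in cfg.bridge_interfaces:
        if f"{ifd}.0" not in zone_of:
            problems.append(f"{ifd}.0 is not in any security zone")
    for from_zone, to_zone, name in cfg.policies:
        for zone in (from_zone, to_zone):
            if zone not in cfg.zones:
                problems.append(f"policy {name} references undefined zone {zone}")
    return problems


# The values used in the post.
POST_CONFIG = TransparentModeConfig(
    bridge_domain="BD282", domain_vlan=282,
    bridge_interfaces={"ge-0/0/1": 282, "ge-0/0/2": 282},
    irb_unit=1, irb_address="5.5.5.254/24", routing_interface="irb.1",
    zones={"INTERNET": ["ge-0/0/0.0"], "ZONE1": ["ge-0/0/1.0"], "ZONE2": ["ge-0/0/2.0"]},
    host_inbound={"INTERNET": ["ssh", "ping"], "ZONE2": ["all"]},
    policies=[("ZONE2", "ZONE1", "allow-all")],
)


def with_interface_vlan(cfg, ifd, vlan):
    """Copy of cfg with one bridged port moved to another VLAN (a typo scenario)."""
    ports = dict(cfg.bridge_interfaces)
    ports[ifd] = vlan
    return dataclasses.replace(cfg, bridge_interfaces=ports)


if __name__ == "__main__":
    print("\n".join(build_set_commands(POST_CONFIG)))
    print("problems:", validate(POST_CONFIG))
    print("with ge-0/0/2 in VLAN 283:", validate(with_interface_vlan(POST_CONFIG, "ge-0/0/2", 283)))
```

Run as a script it prints the 18 `set` statements, an empty problem list for the post's configuration, and a single VLAN-mismatch finding for the deliberately broken copy. The set form is what you would paste into `configure` on a box after the `delete interfaces` the post recommends.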
Now we should be able to connect from hostP (5.5.5.3) to hostN (5.5.5.2). Let's do SSH
and check the session table and MAC table on the SRX.
root@branchE> show security flow session destination-port 22

Session ID: 60, Policy name: allow-all/4, Timeout: 1794, Valid
  In: 5.5.5.3/44289 --> 5.5.5.2/22;tcp, If: ge-0/0/2.0, Pkts: 18, Bytes: 3435
  Out: 5.5.5.2/22 --> 5.5.5.3/44289;tcp, If: ge-0/0/1.0, Pkts: 24, Bytes: 4399
root@branchE> show bridge mac-table bridge-domain BD282

MAC flags (S -static MAC, D -dynamic MAC, L -locally learned
           SE -Statistics enabled, NM -Non configured MAC, R -Remote PE MAC)

Routing instance : default-switch
 Bridging domain : BD282, VLAN : 282
   MAC                 MAC      Logical
   address             flags    interface
   00:0c:29:12:18:4b   D        ge-0/0/2.0
   00:0c:29:3c:68:83   D        ge-0/0/1.0
   00:0c:29:dc:89:16   D        ge-0/0/0.0
Yes, the SRX has learned the MAC addresses, and a flow session is installed from 5.5.5.3 to 5.5.5.2.
You can also configure the interfaces in trunk mode. For more information it is better to
check the SRX Layer 2 bridging and switching document.
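The two outputs above are what you check to confirm that the session really crossed the transparent firewall rather than being answered locally or hairpinned: the In and Out wings must be on two different bridged interfaces of BD282, both endpoints must be in the irb.1 subnet, and the Out wing must mirror the In wing. The Python below is an added example, not code from the original post or from Juniper: it parses the `show security flow session` and `show bridge mac-table` text (the sample output strings are the post's values, laid out in normal Junos form) and applies exactly those checks. The `check_transparent_session` logic and the choice of the irb.1 prefix as the expected subnet are this example's assumptions.

```python
"""Parse SRX flow-session and MAC-table output and confirm the session was bridged.

Added example (not from the original post). The two samples below carry the
values from the post; the check logic is this example's assumption.
"""
import ipaddress
import re

FLOW_SESSION_OUTPUT = """\
Session ID: 60, Policy name: allow-all/4, Timeout: 1794, Valid
  In: 5.5.5.3/44289 --> 5.5.5.2/22;tcp, If: ge-0/0/2.0, Pkts: 18, Bytes: 3435
  Out: 5.5.5.2/22 --> 5.5.5.3/44289;tcp, If: ge-0/0/1.0, Pkts: 24, Bytes: 4399
"""

MAC_TABLE_OUTPUT = """\
MAC flags (S -static MAC, D -dynamic MAC, L -locally learned
           SE -Statistics enabled, NM -Non configured MAC, R -Remote PE MAC)
Routing instance : default-switch
 Bridging domain : BD282, VLAN : 282
   MAC                 MAC      Logical
   address             flags    interface
   00:0c:29:12:18:4b   D        ge-0/0/2.0
   00:0c:29:3c:68:83   D        ge-0/0/1.0
   00:0c:29:dc:89:16   D        ge-0/0/0.0
"""

SESSION_RE = re.compile(r"Session ID: (\d+), Policy name: (\S+), Timeout: (\d+), (\w+)")
WING_RE = re.compile(
    r"(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), If: (\S+), Pkts: (\d+), Bytes: (\d+)")
MAC_RE = re.compile(r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\S+)\s+(\S+)")


def parse_sessions(text):
    """Return a list of sessions, each with an 'in' and 'out' wing dict."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            sessions.append({"id": int(m.group(1)), "policy": m.group(2),
                             "timeout": int(m.group(3)), "state": m.group(4)})
            continue
        w = WING_RE.search(line)
        if w and sessions:   # a wing line always follows its session header
            sessions[-1][w.group(1).lower()] = {
                "src": w.group(2), "sport": int(w.group(3)),
                "dst": w.group(4), "dport": int(w.group(5)),
                "proto": w.group(6), "ifl": w.group(7),
                "pkts": int(w.group(8)), "bytes": int(w.group(9))}
    return sessions


def parse_mac_table(text):
    """Return {mac: {'flags': ..., 'ifl': ...}} for the learned entries."""
    entries = {}
    for line in text.splitlines():
        m = MAC_RE.search(line)
        if m:
            entries[m.group(1)] = {"flags": m.group(2), "ifl": m.group(3)}
    return entries


def bridged_interfaces(mac_entries):
    """Logical interfaces on which the bridge domain has learned at least one MAC."""
    return {e["ifl"] for e in mac_entries.values()}


def check_transparent_session(session, bridge_ifls, irb_prefix):
    """Return findings; an empty list means the session looks like genuine
    Layer 2 forwarding between two hosts on the bridged segment."""
    findings = []
    net = ipaddress.ip_network(irb_prefix, strict=False)   # 5.5.5.254/24 -> 5.5.5.0/24
    inw, outw = session.get("in"), session.get("out")
    if not inw or not outw:
        return ["session is missing an In or Out wing"]
    if inw["ifl"] == outw["ifl"]:
        findings.append("In and Out interface are the same; traffic was not bridged across the SRX")
    for ifl in (inw["ifl"], outw["ifl"]):
        if ifl not in bridge_ifls:
            findings.append(f"{ifl} is not a member of the bridge domain")
    for ip in (inw["src"], inw["dst"]):
        if ipaddress.ip_address(ip) not in net:
            findings.append(f"{ip} is outside the bridged subnet {net}")
    # The reply wing must be the initiating wing with addresses and ports swapped.
    if (outw["src"], outw["sport"], outw["dst"], outw["dport"]) != (
            inw["dst"], inw["dport"], inw["src"], inw["sport"]):
        findings.append("Out wing does not mirror the In wing")
    return findings


if __name__ == "__main__":
    sessions = parse_sessions(FLOW_SESSION_OUTPUT)
    ifls = bridged_interfaces(parse_mac_table(MAC_TABLE_OUTPUT))
    for s in sessions:
        print(s["id"], s["policy"], check_transparent_session(s, ifls, "5.5.5.254/24") or "ok")
```

On the post's output this reports session 60 under policy allow-all/4 as ok. The same parser can be fed the full `show security flow session` listing from a box, and any session whose wings share one interface or whose endpoints fall outside the bridged subnet is worth a closer look, since in transparent mode that is not what a bridged flow should look like.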
