29 October 2024

SRX Fun with Tap Mode and Logging

Setting up tap mode on the SRX takes more than what is in the user guide for security policies.  I had to use this site to find out more.


First, set the interface to promiscuous mode so it accepts the mirrored frames that are not addressed to it.

set interfaces ge-0/0/10 promiscuous-mode

Next, set up tap mode under security forwarding-options on that same interface.

set security forwarding-options mode tap interface ge-0/0/10

You can then set up a routing instance if you need one, but I didn't worry about that.  I then set up my flow and log settings.  The two no-*-check knobs matter here: a tap only sees a copy of the traffic, so the SRX may pick up a flow mid-stream and cannot be strict about the TCP handshake or sequence numbers.

set security flow tcp-session no-syn-check
set security flow tcp-session no-sequence-check
set security log mode stream
set security log report

After that came the zone configuration.  Both sides of the mirrored traffic land in the one tap zone.

set security zones security-zone tap-zone interfaces ge-0/0/10.0
set security zones security-zone tap-zone application-tracking

Finally, I set up the policy for testing.  It is an intra-zone policy (tap-zone to tap-zone) because the copied traffic never leaves that zone.

set security policies from-zone tap-zone to-zone tap-zone policy tap-policy match source-address any
set security policies from-zone tap-zone to-zone tap-zone policy tap-policy match destination-address any
set security policies from-zone tap-zone to-zone tap-zone policy tap-policy match application any
set security policies from-zone tap-zone to-zone tap-zone policy tap-policy then permit
set security policies from-zone tap-zone to-zone tap-zone policy tap-policy then log session-init
set security policies from-zone tap-zone to-zone tap-zone policy tap-policy then log session-close

The switch was easier to set up for SPAN.  Note that xe-0/0/6.0 is mirrored in both directions (ingress and egress); if only one direction is mirrored, the SRX will only ever see one side of each session.

set forwarding-options analyzer SRX_SPAN input ingress interface xe-0/0/10.0
set forwarding-options analyzer SRX_SPAN input ingress interface xe-0/0/6.0
set forwarding-options analyzer SRX_SPAN input egress interface xe-0/0/6.0
set forwarding-options analyzer SRX_SPAN output interface xe-0/0/5.0

To verify tap mode, use show security flow status from operational mode (or run show security flow status from configuration mode) and check that Tap mode shows as enabled.

root@SRX03> show security flow status     
  Flow forwarding mode:
    Inet forwarding mode: flow based
    Inet6 forwarding mode: flow based
    MPLS forwarding mode: drop
    ISO forwarding mode: drop
    Tap mode: enabled
    Enhanced services mode: Disabled
  Flow trace status
    Flow tracing status: off
  Flow session distribution
    Distribution mode: Hash-based
    GTP-U distribution: Disabled
    SCTP distribution: Enabled
  Flow ipsec performance acceleration: off
  Flow gre performance acceleration: off
  Flow packet ordering
    Ordering mode: Hardware
  Flow power mode: Enabled
  Flow power mode IPsec: Enabled
  Flow power mode IPsec QAT: Disabled
  Fat core group status: off
  Flow inline fpga crypto: Disabled
root@SRX03> 

And to verify that the mirrored traffic is being seen and matched against the policy, look at the session table.  The sessions below are tied to tap-policy and were picked up on ge-0/0/10.0.

root@SRX03> show security flow session    
Session ID: 1389, Policy name: tap-policy/5, Timeout: 60, Session State: Valid
  In: 172.18.33.33/514 --> 10.1.1.100/514;udp, Conn Tag: 0x0, If: ge-0/0/10.0, Pkts: 3, Bytes: 3422, 
  Out: 10.1.1.100/514 --> 172.18.33.33/514;udp, Conn Tag: 0x0, If: ge-0/0/10.0, Pkts: 0, Bytes: 0, 

Session ID: 1390, Policy name: tap-policy/5, Timeout: 4, Session State: Valid
  In: 192.168.1.100/24 --> 10.1.1.10/12044;icmp, Conn Tag: 0x0, If: ge-0/0/10.0, Pkts: 1, Bytes: 84, 
  Out: 10.1.1.10/12044 --> 192.168.1.100/24;icmp, Conn Tag: 0x0, If: ge-0/0/10.0, Pkts: 0, Bytes: 0, 

Now logging was not right in the user guide either.  It missed the part about setting the mode.  After some experimenting, this was my final security log config.

set security log mode stream
set security log format sd-syslog
set security log report
set security log source-address 172.18.33.33
set security log stream trafficlogs severity debug
set security log stream trafficlogs host 10.1.1.100
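Once that config is in, the collector at 10.1.1.100 starts receiving RT_FLOW_SESSION_CREATE and RT_FLOW_SESSION_CLOSE records in sd-syslog (RFC 5424 structured-data) format, one per session-init and session-close action in the policy.  What follows is an added Python example of mine, not code from this post or from Juniper, that parses those records, folds the create and close events into one record per session, and flags sessions that closed with no bytes from the server, which is the usual symptom of a SPAN that only mirrors one direction.  The sample log lines, the hostname, timestamps, session ids, the junos@ enterprise-ID suffix and every field value in them are constructed for this example; only the field names follow the documented RT_FLOW parameter names.

```python
import re

# Constructed sample lines in the sd-syslog (RFC 5424 structured-data) format
# that the SRX emits for the "then log session-init / session-close" actions
# when "set security log format sd-syslog" is configured.  Hostname, timestamps,
# session ids, the junos@ enterprise-ID suffix and all field values here are
# assumptions made for this example, not captured output from the post.
SAMPLE_LOGS = [
    # TCP session seen in both directions (what a healthy two-way SPAN produces)
    '<14>1 2024-10-29T10:15:01.123Z SRX03 RT_FLOW - RT_FLOW_SESSION_CREATE '
    '[junos@2636.1.1.1.2.129 source-address="192.168.1.100" source-port="51234" '
    'destination-address="10.1.1.10" destination-port="443" connection-tag="0" '
    'service-name="junos-https" protocol-id="6" policy-name="tap-policy" '
    'source-zone-name="tap-zone" destination-zone-name="tap-zone" '
    'session-id-32="1401" packet-incoming-interface="ge-0/0/10.0"]',
    '<14>1 2024-10-29T10:15:31.456Z SRX03 RT_FLOW - RT_FLOW_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.129 reason="TCP FIN" source-address="192.168.1.100" '
    'source-port="51234" destination-address="10.1.1.10" destination-port="443" '
    'connection-tag="0" service-name="junos-https" protocol-id="6" '
    'policy-name="tap-policy" source-zone-name="tap-zone" '
    'destination-zone-name="tap-zone" session-id-32="1401" '
    'packets-from-client="12" bytes-from-client="2310" '
    'packets-from-server="9" bytes-from-server="5120" elapsed-time="30" '
    'packet-incoming-interface="ge-0/0/10.0"]',
    # UDP syslog session with no server-side packets (normal for syslog over UDP)
    '<14>1 2024-10-29T10:16:00.000Z SRX03 RT_FLOW - RT_FLOW_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.129 reason="idle Timeout" source-address="172.18.33.33" '
    'source-port="514" destination-address="10.1.1.100" destination-port="514" '
    'connection-tag="0" service-name="junos-syslog" protocol-id="17" '
    'policy-name="tap-policy" source-zone-name="tap-zone" '
    'destination-zone-name="tap-zone" session-id-32="1402" '
    'packets-from-client="3" bytes-from-client="3422" '
    'packets-from-server="0" bytes-from-server="0" elapsed-time="60" '
    'packet-incoming-interface="ge-0/0/10.0"]',
    'garbage line that is not an RT_FLOW event',
]

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD-ID params]
HEADER_RE = re.compile(
    r'^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) \S+ '
    r'(?P<event>RT_FLOW_SESSION_\w+) \[(?P<sdid>[^ \]]+) (?P<params>[^\]]*)\]'
)
PARAM_RE = re.compile(r'(?P<key>[\w-]+)="(?P<val>[^"]*)"')


def parse_rt_flow(line):
    """Return (event, fields) for one RT_FLOW sd-syslog line, or None when the
    line is not a session event.  fields maps each key="value" parameter to
    its value and also carries the syslog host and timestamp."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = dict(PARAM_RE.findall(m.group('params')))
    fields['host'] = m.group('host')
    fields['timestamp'] = m.group('ts')
    return m.group('event'), fields


def summarize_sessions(lines):
    """Fold CREATE and CLOSE events into one record per session-id-32.
    Returns (records, skipped) where skipped counts non-RT_FLOW lines."""
    records = {}
    skipped = 0
    for line in lines:
        parsed = parse_rt_flow(line)
        if parsed is None:
            skipped += 1
            continue
        event, f = parsed
        rec = records.setdefault(f['session-id-32'], {
            'policy': f.get('policy-name'),
            'proto': f.get('protocol-id'),
            'src': f"{f.get('source-address')}:{f.get('source-port')}",
            'dst': f"{f.get('destination-address')}:{f.get('destination-port')}",
            'created': None, 'closed': None, 'reason': None,
            'bytes_client': 0, 'bytes_server': 0,
        })
        if event == 'RT_FLOW_SESSION_CREATE':
            rec['created'] = f['timestamp']
        elif event == 'RT_FLOW_SESSION_CLOSE':
            rec['closed'] = f['timestamp']
            rec['reason'] = f.get('reason')
            rec['bytes_client'] = int(f.get('bytes-from-client', 0))
            rec['bytes_server'] = int(f.get('bytes-from-server', 0))
    return records, skipped


def one_sided_sessions(records, protocols=('6',)):
    """Session ids that closed with no bytes from the server, restricted to the
    given protocol-id values (TCP only by default, since a reply-less UDP
    session such as syslog is normal).  A steady stream of these for TCP is
    the usual sign of a SPAN/analyzer that mirrors only one direction."""
    return sorted(sid for sid, r in records.items()
                  if r['closed'] is not None and r['proto'] in protocols
                  and r['bytes_server'] == 0)


if __name__ == '__main__':
    recs, skipped = summarize_sessions(SAMPLE_LOGS)
    for sid, r in recs.items():
        print(sid, r['policy'], r['src'], '->', r['dst'], r['reason'],
              r['bytes_client'], r['bytes_server'])
    print('skipped lines:', skipped)
    print('one-sided TCP sessions:', one_sided_sessions(recs))
```

Feed it the lines from the collector instead of SAMPLE_LOGS and an empty one-sided list for TCP is a quick confirmation that the analyzer on the switch really is mirroring both ingress and egress.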
