Juniper Networks V10000 Network Router User Manual
Copyright © 2010, Juniper Networks, Inc.
IMPLEMENTATION GUIDE - Juniper Networks SRX Series Services Gateways/Websense V10000
admin@SRX# show interfaces ge-0/0/1
description "To User LAN network";
unit 0 {
    family inet {
        address 192.168.5.1/24;
    }
}
admin@SRX# show security zones
security-zone user-lan {
    address-book {
        address local-hosts 192.168.5.0/24;
    }
    interfaces {
        ge-0/0/1.0;
    }
}
4. Create an access control filter (called a "firewall filter" in Junos OS) to selectively identify the traffic to be redirected
to the V10000. For the purpose of this implementation guide example, this is HTTP and HTTPS traffic only. The
following firewall filter has two terms, which Junos evaluates in order. The first term matches the traffic to be
redirected (TCP port 80 or 443) and, on a match, hands the packet to the forwarding routing instance created in the
prior step. That routing instance does one thing: it forwards the traffic to the V10000 P1 port. The second term accepts
all other (non-redirected) traffic. This term is essential. A Junos firewall filter ends with an implicit discard as its
last term, so if the accept term were left out, every packet that is not HTTP/HTTPS (DNS, SSH and so on) would be
silently dropped.
admin@SRX# show rewall
family inet {
lter redirect-to-V10000-alpha {
term web-traic {
from {
protocol tcp;
port [ http https ];
}
then {
routing-instance to-P1-V10000-alpha;
}
}
term default {
then accept;
}
}
}
5. Attach the redirecting firewall filter as an input filter on the logical interface (ge-0/0/1 unit 0, family inet) that
faces the User LAN network segment. An input filter is evaluated on packets entering the SRX from the LAN, which is
the direction the client web traffic takes. The filter created in the prior step is added to the interface configuration
shown earlier with the filter { input ... } stanza below.
admin@SRX# show interfaces ge-0/0/1
description "To User LAN network";
unit 0 {
    family inet {
        filter {
            input redirect-to-V10000-alpha;
        }
    }
}
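The following Python script is an added example and is not part of the Juniper/Websense guide. It models the firewall-filter evaluation that steps 4 and 5 rely on: terms are tried in order, the first match decides the action, and a filter that matches nothing falls through to the implicit discard. It parses a small subset of Junos filter syntax (the filter from step 4, and a constructed copy with the catch-all term removed), evaluates three constructed LAN-side flows against each, and lints each filter for a term with no match conditions. The service-name-to-port table and the sample flows are assumptions made for the example.

```python
import re

# Constructed sample filters in Junos syntax. The first is the step 4 filter;
# the second deliberately omits the catch-all term to show the implicit-discard pitfall.
FILTER_WITH_DEFAULT = """
filter redirect-to-V10000-alpha {
    term web-traffic {
        from {
            protocol tcp;
            port [ http https ];
        }
        then {
            routing-instance to-P1-V10000-alpha;
        }
    }
    term default {
        then accept;
    }
}
"""

FILTER_WITHOUT_DEFAULT = """
filter redirect-to-V10000-alpha {
    term web-traffic {
        from {
            protocol tcp;
            port [ http https ];
        }
        then {
            routing-instance to-P1-V10000-alpha;
        }
    }
}
"""

# Assumed service-name table (a subset of what Junos resolves for 'port').
SERVICE_PORTS = {"http": 80, "https": 443, "ssh": 22, "dns": 53}


def _tokenize(text):
    # Braces, semicolons and brackets are single tokens; everything else is a word.
    return re.findall(r"[{};\[\]]|[^\s{};\[\]]+", text)


def _parse_block(tokens, i):
    """Parse 'words;' and 'words { ... }' statements until a closing brace."""
    stmts = []
    while i < len(tokens) and tokens[i] != "}":
        words = []
        while tokens[i] not in ("{", ";"):
            words.append(tokens[i])
            i += 1
        if tokens[i] == "{":
            body, i = _parse_block(tokens, i + 1)
            stmts.append((words, body))
            i += 1  # consume the closing brace
        else:
            stmts.append((words, None))
            i += 1  # consume the semicolon
    return stmts, i


def parse_filter(text):
    """Return {'name': ..., 'terms': [{'name', 'from', 'then'}, ...]} in term order."""
    stmts, _ = _parse_block(_tokenize(text), 0)
    head, body = stmts[0]
    if head[0] != "filter":
        raise ValueError("expected a 'filter NAME { ... }' block")
    terms = []
    for words, tbody in body:
        if words[0] != "term":
            continue
        conditions, action = {}, None
        for sub, subbody in tbody:
            if sub[0] == "from":
                for cond, _ in subbody:
                    conditions[cond[0]] = [v for v in cond[1:] if v not in ("[", "]")]
            elif sub[0] == "then":
                # Either 'then accept;' or 'then { routing-instance X; }'
                action = " ".join(subbody[0][0]) if subbody else " ".join(sub[1:])
        terms.append({"name": words[1], "from": conditions, "then": action})
    return {"name": head[1], "terms": terms}


def _port(value):
    return SERVICE_PORTS[value] if value in SERVICE_PORTS else int(value)


def _matches(conditions, flow):
    """A term with no 'from' matches everything; 'port' matches source or destination."""
    for key, values in conditions.items():
        if key == "protocol":
            if flow["protocol"] not in values:
                return False
        elif key == "port":
            wanted = {_port(v) for v in values}
            if flow["sport"] not in wanted and flow["dport"] not in wanted:
                return False
        elif key == "destination-port":
            if flow["dport"] not in {_port(v) for v in values}:
                return False
        else:
            raise ValueError(f"unsupported match condition {key}")
    return True


def evaluate(filt, flow):
    """First matching term wins; no match falls through to the implicit discard."""
    for term in filt["terms"]:
        if _matches(term["from"], flow):
            return term["name"], term["then"]
    return None, "discard (implicit)"


def has_catch_all(filt):
    """True if some term has no match conditions and so prevents the implicit discard."""
    return any(not term["from"] for term in filt["terms"])


# Constructed sample flows as seen by the input filter on the LAN-facing interface.
SAMPLE_FLOWS = {
    "lan-client-to-https": {"protocol": "tcp", "sport": 51000, "dport": 443},
    "lan-client-to-dns": {"protocol": "udp", "sport": 51001, "dport": 53},
    "lan-client-to-ssh": {"protocol": "tcp", "sport": 51002, "dport": 22},
}


def run_demo():
    """Evaluate every sample flow against both filters; returns {label: {flow: action}}."""
    results = {}
    for label, text in (("with-default", FILTER_WITH_DEFAULT),
                        ("without-default", FILTER_WITHOUT_DEFAULT)):
        filt = parse_filter(text)
        results[label] = {name: evaluate(filt, flow)[1] for name, flow in SAMPLE_FLOWS.items()}
        results[label]["catch-all-present"] = has_catch_all(filt)
    return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(label, outcome)
```

Running the script shows the DNS and SSH flows accepted by the first filter and discarded by the second, which is exactly the outage the guide warns about. One further point the model makes visible: the Junos port match condition matches either the source or the destination port, so a LAN host answering inbound web requests from port 80 or 443 would also be sent to the V10000. If only client traffic leaving the LAN should be redirected, destination-port [ http https ] is the tighter match.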