
List:       juniper-nsp
Subject:    Re: [j-nsp] Juniper SRX dynamic interface ACL via csv
From:       Roger Wiklund <roger.wiklund () gmail ! com>
Date:       2020-09-09 8:59:21
Message-ID: CAC+aSK3GMXbrv5L-=dq=UDaY0R8zkeW3uN6npC092JcbZ-mNGA () mail ! gmail ! com

Hi

Are you referring to a stateless firewall filter on an interface? In that
case you need some sort of automation to populate this.
I would use Ansible to check if the CSV has been updated and then push the
new IPs to the device.

However, as this is an SRX you should use stateful firewalling instead and
make use of Dynamic Address Groups.
For this you need Security Director and Policy Enforcer where you can
populate the DAG using entries from an external web server.
https://www.juniper.net/documentation/en_US/junos-space18.2/policy-enforcer/topics/task/configuration/junos-space-policy-enforcer-custom-feeds-infected-host-configure.html

If you're not using SD/PE you can just use the CLI to configure the same
stuff:
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-policy-configuration.html#id-dynamic-address-groups-in-security-policies


Regards
Roger

On Tue, Sep 8, 2020 at 6:47 PM Kody Vicknair <kvicknair@reservetele.com>
wrote:

> 
> Has anyone successfully deployed a dynamic interface ACL via a csv file
> updated regularly via the internet?
> 
> We have a unique challenge where one of our vendors updates a csv for
> blacklisted IPs and I would prefer not to have to manually make a change
> to the acl in 2 places every time this list gets updated or a new "threat"
> is detected.
> 
> I feel like we're playing whack-a-mole.
> 
> Any thoughts?
> 
> Thanks,
> -KV
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
> 
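Added example for this thread, not code from either poster or from Juniper: a small Python script in the spirit of the Ansible approach above. It parses a hypothetical vendor CSV with an `ip` column, validates and de-duplicates the entries, fingerprints the parsed set so that only a real change triggers a push, and renders the Junos `set` lines for a prefix-list that an interface filter or a security policy can reference.

```python
"""Turn a vendor blocklist CSV into Junos prefix-list config, pushing only on change.

Assumptions (not from the thread): the feed is a CSV with an 'ip' column, and the
prefix-list name 'vendor-blocklist' is whatever the filter or policy references.
"""
import csv
import hashlib
import io
import ipaddress

# Constructed sample of a vendor feed, using documentation ranges only. The
# duplicate and malformed rows are there to exercise validation.
SAMPLE_CSV = """ip,comment
192.0.2.10,scanner
198.51.100.0/24,botnet range
2001:db8::5,ipv6 host
192.0.2.10,duplicate of first row
not-an-ip,bad row
"""


def parse_blocklist(text):
    """Return sorted, de-duplicated networks; rows that do not parse are skipped."""
    nets = set()
    for row in csv.DictReader(io.StringIO(text)):
        try:
            nets.add(ipaddress.ip_network(row["ip"].strip(), strict=False))
        except ValueError:
            continue  # a bad row must never turn into a broken or wildcard prefix
    return sorted(nets, key=lambda n: (n.version, n))


def feed_fingerprint(nets):
    """Hash of the parsed set, so a cosmetic CSV edit (comments, order) does not push."""
    return hashlib.sha256("\n".join(map(str, nets)).encode()).hexdigest()


def render_prefix_list(nets, name="vendor-blocklist"):
    """Junos 'set' lines that replace the prefix-list wholesale (delete, then re-add)."""
    lines = [f"delete policy-options prefix-list {name}"]
    lines += [f"set policy-options prefix-list {name} {n}" for n in nets]
    return lines


def config_if_changed(text, last_fingerprint):
    """Return (fingerprint, config_lines); config_lines is empty when nothing changed."""
    nets = parse_blocklist(text)
    fp = feed_fingerprint(nets)
    if fp == last_fingerprint:
        return fp, []
    return fp, render_prefix_list(nets)


if __name__ == "__main__":
    _, config = config_if_changed(SAMPLE_CSV, last_fingerprint=None)
    print("\n".join(config))
```

The rendered lines are what an Ansible task would load with `junos_config` (or paste into `configure`), and the stored fingerprint is what the periodic check compares against before touching the device.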

