[j-nsp] SRX 3k A/P and IDP

Ivan Ivanov ivanov.ivan at gmail.com
Sat Oct 2 07:11:47 EDT 2010


Hi Will,

I have some but with A/A. We have some problems but we are not sure if this
is caused by IDP or by A/A misbehavior. We have an open ticket and are working
on that.

You need licenses on both nodes first of all. Also the signature database
should be downloaded and updated on each node. You need Internet access to do
that, but only the first node is able to use the interfaces which are used for
forwarding data. So the second node has no way to download the signature
database. We are using NSM and it succeeds in updating the database on both
nodes. So I suppose that fxp0 could be used from both nodes to download it
from the Internet, but I don't know how good an idea it is to provide Internet
access to the management interface.

Regarding the signature tuning, we are relying on the Recommended set provided
by Juniper. These templates are also downloaded from the Internet.

Hope this helps!

regards,

On Fri, Oct 1, 2010 at 06:19, Will McLendon <wimclend at gmail.com> wrote:

> Aloha,
>
> Does anyone out there have any experience deploying an SRX3k series (3400
> cluster strictly A/P), with IDP services?  Anyone know of any A/P
> IDP-specific gotchas?  Or recommendations on running IDP in an A/P
> configuration?
>
> We are looking to deploy this setup for a customer in the next month or
> two, and just curious to hear some real-life deployment stories (horror or
> otherwise!).  Currently I'm looking at deploying the current JTAC
> recommended code of 10.1R3.
>
> We have our fair share of battle scars from last year with some of the
> branch boxes (9.5-9.6 timeframe) even without the hassle of UTM or IDP
> features.  Needless to say we've learned our lesson on selling a 'branch
> box' even though the stated speeds/feeds seem more than sufficient (ready
> for the SRX1400 to come out...).  I've read and heard that the 3k/5k are
> much more stable . . . here's to hoping!
>
> Thanks,
>
> Will



-- 
Best Regards!

Ivan Ivanov

