[j-nsp] SRX - tap mode?

Stefan Fouant sfouant at shortestpathfirst.net
Wed Sep 12 12:31:52 EDT 2012


You can always create your own 'tap mode' by simply configuring Filter Based Forwarding and shunting your selective traffic through your IDP. I did this all the time in my previous life when dealing with security devices that couldn't scale enough to place in-line.

Stefan Fouant
JNCIE-SEC, JNCIE-SP, JNCIE-ENT, JNCI
Technical Trainer, Juniper Networks

Follow us on Twitter @JuniperEducate

Sent from my iPad

On Sep 12, 2012, at 11:43 AM, William McLendon <wimclend at gmail.com> wrote:

> Hi Tim,
> 
> Thanks for the response - but reading the description, that sounds like the firewall itself still has to be inline, which I'm trying to avoid here.
> 
> I guess what does the rest of the config have to look like for it to function correctly off a span port? I.e., there wouldn't be any routing or IP interfaces involved.
> 
> Thanks,
> 
> Will
> 
> On Sep 12, 2012, at 11:35 AM, Tim Eberhard wrote:
> 
>> High-end SRXs support tap mode. Branch, as far as I know, do not.
>> 
>> http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-45272.html
>> 
>> Hope this helps,
>> -Tim Eberhard
>> 
>> On Wed, Sep 12, 2012 at 10:33 AM, William McLendon <wimclend at gmail.com> wrote:
>>> Hi everyone,
>>> 
>>> Do SRX firewalls support a "tap mode" installation? Really just looking at it for purposes of evaluation of IDP functionality, where tap mode would be the least intrusive method to see data vs. having to put it inline (and then deal with the inevitable "you put a device inline and now XYZ doesn't work!").
>>> 
>>> I seem to recall that they do not, and they have to be installed in L3 mode or in Transparent mode, but was hoping I may have missed the feature in a release note somewhere.
>>> 
>>> Thanks,
>>> 
>>> Will
>>> _______________________________________________
>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
> 
> 
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
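
The Filter Based Forwarding shunt described in the reply at the top of this message, as an added Junos configuration example that is not part of the original thread. It assumes a Junos router upstream of the IDP device; the filter, routing-instance and rib-group names, the interfaces, and the addresses (documentation ranges) are all placeholders.

```junos
# Constructed example: every name, interface and address below is a placeholder.

# 1. Forwarding-type instance whose default route points at the IDP device.
set routing-instances IDP-SHUNT instance-type forwarding
set routing-instances IDP-SHUNT routing-options static route 0.0.0.0/0 next-hop 192.0.2.2

# 2. Share interface (direct) routes with the instance so that the
#    next hop 192.0.2.2 can be resolved from IDP-SHUNT.inet.0.
set routing-options rib-groups FBF-RIBS import-rib [ inet.0 IDP-SHUNT.inet.0 ]
set routing-options interface-routes rib-group inet FBF-RIBS

# 3. Filter: only the selected traffic is shunted through the IDP;
#    everything else is forwarded normally by inet.0.
set firewall family inet filter TO-IDP term inspect from destination-address 198.51.100.0/24
set firewall family inet filter TO-IDP term inspect from protocol tcp
set firewall family inet filter TO-IDP term inspect from destination-port 80
set firewall family inet filter TO-IDP term inspect then count to-idp
set firewall family inet filter TO-IDP term inspect then routing-instance IDP-SHUNT
set firewall family inet filter TO-IDP term default then accept

# 4. Apply the filter on the interface where the traffic arrives.
set interfaces ge-0/0/0 unit 0 family inet filter input TO-IDP
```

For the IDP to see both directions of a session, a mirror-image filter matching the return traffic is needed on the opposite ingress interface. The `to-idp` counter (`show firewall filter TO-IDP`) confirms how much traffic is actually being shunted.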


