[j-nsp] SRX - tap mode?
sfouant at shortestpathfirst.net
Wed Sep 12 12:31:52 EDT 2012
You can always create your own 'tap mode' by simply configuring Filter Based Forwarding and shunting your selective traffic through your IDP. I did this all the time in my previous life when dealing with security devices that couldn't scale enough to place in-line.
JNCIE-SEC, JNCIE-SP, JNCIE-ENT, JNCI
Technical Trainer, Juniper Networks
Follow us on Twitter @JuniperEducate
Sent from my iPad
On Sep 12, 2012, at 11:43 AM, William McLendon <wimclend at gmail.com> wrote:
> hi Tim,
> thanks for the response - but reading the description that sounds like the firewall itself still has to be inline, which i'm trying to avoid here.
> I guess what does the rest of the config have to look like for it to function correctly off a span port? ie there wouldn't be any routing or IP interfaces involved.
> On Sep 12, 2012, at 11:35 AM, Tim Eberhard wrote:
>> High end SRX's support tap mode. Branch as far as I know do not.
>> Hope this helps,
>> -Tim Eberhard
>> On Wed, Sep 12, 2012 at 10:33 AM, William McLendon <wimclend at gmail.com> wrote:
>>> hi everyone,
>>> do SRX firewalls support a "tap mode" installation? Really just looking at it for purposes of evaluation of IDP functionality where tap mode would be the least intrusive method to see data vs having to put it inline (and then deal with the inevitable "you put a device inline and now XYZ doesn't work!")
>>> I seem to recall that they do not, and they have to be installed in L3 mode or in Transparent mode, but was hoping I may have missed the feature in a release note somewhere.
>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
> juniper-nsp mailing list juniper-nsp at puck.nether.net
More information about the juniper-nsp