[j-nsp] Anyone tried ThreatStop on Juniper integration?

Chuck Anderson cra at WPI.EDU
Mon Feb 15 12:43:18 EST 2016


On Fri, Jan 15, 2016 at 03:51:02PM -0500, Phil Shafer wrote:
> But most of these issues can be mitigated.  For example, they change
> config using "cat command-file | cli" which churns the change bits
> in the database even when nothing changes; using "load update" will
> solve that.  In addition, between JUNOS-12.1 and 15.1 we've done a
> lot with commit performance which will help.
> 
> Another fix would be the use of the ephemeral database, which keeps
> transient data away from human config, and allows us to avoid saving
> it in juniper.conf (and the expense of writing it on every commit).
> 
> I've sent ThreatStop an offer to help with the incorporation of
> these suggestions.  But if the bad-guys.list is available via http,
> then we can make an event script that downloads it and "load updates"
> it into the ephemeral database fairly easily.

The lists are distributed by DNS.  They use dig on the router to
download them.

I assume by "ephemeral" database, you mean "configure dynamic" to edit
the dynamic-db?  Unfortunately, it appears that dynamic-db only works
for BGP policies, not firewall filters.  Also, a bigger problem IMO is
that the dynamic database is not synchronized to the backup RE.

Do you have any clever workarounds for either of these two
limitations?

Thanks.
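One way to act on Phil's suggestion, as an added example that is not code from this thread, from ThreatStop or from Juniper: render the fetched list into a Junos `policy-options prefix-list` snippet only when the list actually differs from what is installed, so no load or commit happens on an unchanged list. Assumptions that are not in the original posts: the list arrives as `dig +short`-style text (one address or CIDR prefix per line), the prefix-list is named `bad-guys`, the currently installed list is supplied as the same kind of text, and the rendered snippet is then fed to `load update` (or `load replace`, which the emitted `replace:` tag supports) by whatever event script the reader writes. The sample data is constructed.

```python
"""Feed a ThreatStop-style block list into a Junos prefix-list without
churning the configuration on every run.

Added example for this thread, not ThreatStop's or Juniper's code. Assumed
(not from the original posts): the fetched list is `dig +short`-style text,
one address or CIDR prefix per line; the prefix-list is named `bad-guys`;
the currently installed list is supplied as the same kind of text.
"""
import ipaddress

PREFIX_LIST = "bad-guys"  # assumed name, not from the thread


def parse_list(text):
    """Parse dig-style text into a set of ip_network objects.

    Bare addresses become host prefixes (/32 or /128). Blank lines,
    comments and dig's own ';;' status lines are skipped, as is anything
    that is not an address, so a garbled answer cannot push junk into the
    router configuration.
    """
    nets = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        try:
            nets.add(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue
    return nets


def plan_update(current, fetched):
    """Return (to_add, to_remove, do_apply).

    do_apply is False when the fetch produced nothing (treated as a failed
    download: keep the existing list rather than silently unblocking
    everything) and when the two lists already match (skip the load and
    the commit entirely, which is the churn Phil describes).
    """
    if not fetched:
        return set(), set(), False
    to_add = fetched - current
    to_remove = current - fetched
    return to_add, to_remove, bool(to_add or to_remove)


def render(nets, name=PREFIX_LIST):
    """Render the list as a Junos snippet in curly-brace form.

    Entries are sorted by IP version, address and length so identical
    input always yields identical text. The `replace:` tag makes the same
    text usable with `load replace`, which swaps only the tagged statement.
    """
    def key(n):
        return (n.version, int(n.network_address), n.prefixlen)

    lines = ["policy-options {", f"    replace: prefix-list {name} {{"]
    lines.extend(f"        {n};" for n in sorted(nets, key=key))
    lines.extend(["    }", "}"])
    return "\n".join(lines) + "\n"


# Constructed sample data standing in for the real DNS answers.
CURRENT_LIST = """\
192.0.2.0/24
198.51.100.7
"""
FETCHED_LIST = """\
;; Truncated, retrying in TCP mode.
198.51.100.7
192.0.2.0/24
203.0.113.9
203.0.113.9
not-an-address
"""

if __name__ == "__main__":
    cur = parse_list(CURRENT_LIST)
    new = parse_list(FETCHED_LIST)
    add, rem, do_apply = plan_update(cur, new)
    if do_apply:
        print(f"# +{len(add)} -{len(rem)} entries, load this and commit:")
        print(render(new), end="")
    else:
        print("# nothing to do, no commit")
```

The empty-fetch guard is the part worth keeping whatever the load mechanism: a resolver timeout or a truncated answer must leave the old block list in place rather than commit an empty one. Chuck's two concerns (dynamic-db not accepting firewall filters, and no synchronisation to the backup RE) are about where the result is loaded and are not addressed by this script.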

