[j-nsp] Juniper SRX dynamic interface ACL via csv

Roger Wiklund roger.wiklund at gmail.com
Wed Sep 9 04:59:21 EDT 2020


Hi,

Are you referring to a stateless firewall filter on an interface? In that
case you need some sort of automation to populate this.
I would use Ansible to check if the CSV has been updated and then push the
new IPs to the device.

However, as this is an SRX, you should use stateful firewalling instead and
make use of Dynamic Address Groups.
For this you need Security Director and Policy Enforcer where you can
populate the DAG using entries from an external web server.
https://www.juniper.net/documentation/en_US/junos-space18.2/policy-enforcer/topics/task/configuration/junos-space-policy-enforcer-custom-feeds-infected-host-configure.html

If you're not using SD/PE you can just use the CLI to configure the same
stuff:
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-policy-configuration.html#id-dynamic-address-groups-in-security-policies

Regards
Roger

On Tue, Sep 8, 2020 at 6:47 PM Kody Vicknair <kvicknair at reservetele.com>
wrote:

>
> Has anyone successfully deployed a dynamic interface ACL via a CSV file
> updated regularly via the internet?
>
> We have a unique challenge where one of our vendors updates a CSV for
> blacklisted IPs, and I would prefer not to have to manually make a change
> to the ACL in 2 places every time this list gets updated or a new "threat"
> is detected.
>
> I feel like we're playing whack-a-mole.
>
> Any thoughts?
>
> Thanks,
> -KV
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
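As an added illustration of the automation both replies describe (not code from either poster), the script below reads a vendor blocklist CSV, drops duplicate, malformed and own-network rows, and emits both a one-prefix-per-line feed file of the kind an SRX dynamic-address feed polls from a web server and the equivalent prefix-list set commands for the stateless-filter route. It assumes the CSV has an `ip` column and that the protected prefixes listed are your own address space.

```python
"""Turn a vendor blocklist CSV into an SRX dynamic-address feed file.
Added illustration for this thread, not either poster's code. Assumes the
vendor CSV has an 'ip' column holding one IPv4/IPv6 address or CIDR prefix.
"""
import csv
import hashlib
import io
import ipaddress

# Space we never want blocked, whatever the vendor publishes (assumed list).
PROTECTED = [ipaddress.ip_network(p) for p in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample of a vendor CSV: duplicate, malformed and private rows.
SAMPLE_CSV = """ip,reason
203.0.113.5,scanner
203.0.113.5,scanner
198.51.100.0/24,botnet c2
10.0.0.7,would block our own LAN
not-an-ip,typo
2001:db8::1,phish
"""

def parse_blocklist(text):
    """Return (sorted unique networks, [(raw value, reason)] rejected)."""
    keep, rejected = set(), []
    for row in csv.DictReader(io.StringIO(text)):
        raw = (row.get("ip") or "").strip()
        try:
            net = ipaddress.ip_network(raw, strict=False)
        except ValueError:
            rejected.append((raw, "unparseable"))
            continue
        if any(net.version == p.version and net.overlaps(p) for p in PROTECTED):
            rejected.append((raw, "overlaps protected space"))
            continue
        keep.add(net)
    return sorted(keep, key=lambda n: (n.version, n)), rejected

def feed_file(nets):
    """Body served to the SRX dynamic-address feed: one prefix per line."""
    return "".join(f"{n}\n" for n in nets)

def prefix_list_commands(nets, name="vendor-block"):
    """Junos set commands for the stateless firewall-filter alternative."""
    return [f"set policy-options prefix-list {name} {n}" for n in nets]

def fingerprint(nets):
    """Compare with the last pushed hash so automation skips no-op updates."""
    return hashlib.sha256(feed_file(nets).encode()).hexdigest()
```

An Ansible job can store `fingerprint()` from the last successful push and only commit a change when the value differs, which is the "check if the CSV has been updated" step from the reply.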
