Solved

mirror port on srx240

Posted on 2015-01-07
Last Modified: 2015-01-18
I have several srx240 and I'd like to monitor my WAN port with Wireshark. I am new to Juniper. So I am just wondering if anybody can provide some guidance in configuring the mirror port on my srx240.

This is what I intend to set up:
Internet <--ge-0/0/0-->srx240<--ge-0/0/1-->internal network
                                         |
                                 ge-0/0/2 (this is where my PC with Wireshark is connected to)

Thanks
Question by:leblanc
3 Comments
Accepted Solution

by: Fred Marshall (earned 2000 total points)
ID: 40536960
Juniper Networks provides the configuration entries necessary to do this at:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB21833
Author Comment

by: leblanc
ID: 40537005
That looks complex. I see the Security section and I am not sure I understand the implication of it. My FW is in a production environment and I don't want to compromise the security. Does this section mean that it will allow everything to go through the FW?

security {
    policies {
        default-policy {
            permit-all;
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                all;
            }
        }
    }
}

Assisted Solution

by: Fred Marshall (earned 2000 total points)
ID: 40537070
In some sense, such is the structure of a JUNOS configuration.

You said you wanted to mirror the "WAN" port.  
That means you want to mirror the public side / a port in the untrust zone.
So, *of course* the firewall will let everything through because that's the essential port being firewalled otherwise.
That's what mirroring is supposed to do.
But this is not to say that the firewall will let everything from the Untrust zone to the Trust zone at all.

Perhaps we should talk about normal mirror ports.
Usually they are disconnected from all other ports.
Usually you would connect to them with a separate NIC that may have NO TCP/IP protocol installed because all you're going to do with it is *watch* the traffic and not interact with it.

I do essentially the same thing by mirroring the same port where it enters a switch.  Then I set up a mirror port on the switch.  It's a lot easier than dealing with JUNOS code.
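As an added example for the two points raised in this thread (how the mirror is expressed in JUNOS, and whether the KB's `permit-all` / `host-inbound-traffic all` stanza is needed), here is a configuration that mirrors the WAN interface ge-0/0/0 to ge-0/0/2 and replaces the wide-open security section with an explicit policy set. This is not the KB's configuration and not anything posted by leblanc or Fred Marshall. The `forwarding-options port-mirroring` and `firewall ... then port-mirror` statements are generic JUNOS syntax; the addresses, the filter and zone names, the `next-hop`, the choice to put the analyser port in its own zone, and the assumption that ge-0/0/1 is already configured with an address are all mine. Whether the SRX240 requires the `next-hop` statement or a particular forwarding mode for mirroring to take effect should be confirmed against KB21833 before committing on a production box.

```junos
# Added example (not from KB21833 or this thread). Addresses, next-hop,
# filter and zone names are constructed placeholders; ge-0/0/1 is assumed
# to already carry its internal address.
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                # mirror both directions of WAN traffic
                filter {
                    input MIRROR-WAN;
                    output MIRROR-WAN;
                }
                address 203.0.113.2/30;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 192.168.99.1/30;
            }
        }
    }
}
forwarding-options {
    port-mirroring {
        input {
            # rate 1 copies every packet; N copies one packet in N
            rate 1;
        }
        family inet {
            output {
                interface ge-0/0/2.0 {
                    # placeholder: the Wireshark PC's address on the mirror link
                    next-hop 192.168.99.2;
                }
            }
        }
    }
}
firewall {
    family inet {
        filter MIRROR-WAN {
            term copy-all {
                then {
                    port-mirror;
                    accept;
                }
            }
        }
    }
}
security {
    policies {
        from-zone trust to-zone untrust {
            policy allow-outbound {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        # anything not matched above (untrust to trust, and anything
        # to or from the mirror zone) is dropped
        default-policy {
            deny-all;
        }
    }
    zones {
        security-zone untrust {
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone trust {
            host-inbound-traffic {
                # only the management services actually used, not "all"
                system-services {
                    ssh;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
        # the analyser port gets its own zone with no policies: the PC
        # receives copies of WAN traffic but cannot transit the firewall
        security-zone mirror {
            interfaces {
                ge-0/0/2.0;
            }
        }
    }
}
```

The `port-mirror` action in the filter is what selects traffic for copying; the `accept` that follows it is required so the filter does not also discard the original packets. The security section answers leblanc's concern directly: `permit-all` and `host-inbound-traffic all` are not prerequisites for mirroring, and with `deny-all` plus one explicit trust-to-untrust policy the firewall keeps filtering exactly as before while the mirror copies go out ge-0/0/2 independently of the policy engine. Putting ge-0/0/2 in its own zone with no policies implements Fred Marshall's advice that a mirror port should be isolated from everything else.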