• Status: Solved
  • Priority: Medium
  • Security: Public

mirror port on srx240

I have several srx240 and I'd like to monitor my WAN port with Wireshark. I am new to Juniper. So I am just wondering if anybody can provide some guidance in configuring the mirror port on my srx240.

This is what I intend to setup:
Internet <--ge-0/0/0-->srx240<--ge-0/0/1-->internal network
                                         |
                                 ge-0/0/2 (this is where my PC with Wireshark is connected to)

Thanks
Asked by: leblanc
2 Solutions

Fred Marshall (Principal) commented:
Juniper Networks provides the configuration entries necessary to do this at:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB21833

leblanc (Accounting, Author) commented:
That looks complex. I see the Security section and I am not sure I understand the implication of it. My FW is in a production environment and I don't want to compromise the security. Does this section mean that it will allow everything to go through the FW?

security {
    policies {
        default-policy {
            permit-all;
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                all;
            }
        }
    }
}
 
Fred Marshall (Principal) commented:
In some sense, such is the structure of a JUNOS configuration.

You said you wanted to mirror the "WAN" port.  
That means you want to mirror the public side / a port in the untrust zone.
So, *of course* the firewall will let everything through because that's the essential port being firewalled otherwise.
That's what mirroring is supposed to do.
But this is not to say that the firewall will let everything from the Untrust zone to the Trust zone at all.

Perhaps we should talk about normal mirror ports.
Usually they are disconnected from all other ports.
Usually you would connect to them with a separate NIC that may have NO TCP/IP protocol installed because all you're going to do with it is *watch* the traffic and not interact with it.

I do essentially the same thing by mirroring the same port where it enters a switch.  Then I set up a mirror port on the switch.  It's a lot easier than dealing with JUNOS code.
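The mirroring pieces for the topology in the question, as an added example that is not from the thread or from KB21833: ingress packets on ge-0/0/0 are copied out of ge-0/0/2 without touching the security stanza, since port mirroring is a forwarding-options and firewall-filter feature and does not require the permit-all default policy or host-inbound-traffic all shown in the quoted snippet, so existing production policies stay as they are. The 10.10.10.0/24 addresses are placeholders and mirror-wan is an assumed filter name.

```junos
forwarding-options {
    port-mirroring {
        input {
            rate 1;                       # 1 in 1: copy every matched packet
        }
        family inet {
            output {
                interface ge-0/0/2.0 {
                    next-hop 10.10.10.2;  # placeholder: address of the Wireshark PC
                }
            }
        }
    }
}
firewall {
    family inet {
        filter mirror-wan {               # assumed name
            term all {
                then {
                    port-mirror;          # send a copy to the output above
                    accept;               # and still forward the original packet
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input mirror-wan;     # ingress from the Internet side only
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 10.10.10.1/24;    # placeholder: SRX side of the analyzer link
            }
        }
    }
}
```

Because the copy is sent toward the configured next-hop, the analyzer PC must answer ARP for 10.10.10.2, so its NIC needs that address (or a static arp entry under the ge-0/0/2 address), and Wireshark then sees the WAN traffic as frames arriving on that NIC.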
