
Juniper SRX dynamic interface ACL via csv
Has anyone successfully deployed a dynamic interface ACL via a csv file updated regularly via the internet?

We have a unique challenge where one of our vendors updates a csv of blacklisted IPs, and I would prefer not to have to manually make a change to the ACL in 2 places every time this list gets updated or a new "threat" is detected.

I feel like we're playing whack-a-mole.

Any thoughts?

Thanks,
-KV
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: Juniper SRX dynamic interface ACL via csv
Hi Kody,

Looks like you need an on-box script:
https://www.juniper.net/documentation/en_US/junos/topics/concept/junos-script-automation-python-scripts-overview.html
or an off-box script.

The better way, I guess, is in addition to ask this question also in this
group:
https://groups.google.com/u/1/g/junos-python-ez

---
Yev


Tue, 8 Sep 2020 at 19:47, Kody Vicknair <kvicknair@reservetele.com>:

Re: Juniper SRX dynamic interface ACL via csv
Hi

Are you referring to a stateless firewall filter on an interface? In that
case, you need some sort of automation to populate this.
I would use Ansible to check if the CSV has been updated and then push the
new IPs to the device.

However, as this is an SRX, you should use stateful firewalling instead and
make use of Dynamic Address Groups.
For this you need Security Director and Policy Enforcer, where you can
populate the DAG using entries from an external web server.
https://www.juniper.net/documentation/en_US/junos-space18.2/policy-enforcer/topics/task/configuration/junos-space-policy-enforcer-custom-feeds-infected-host-configure.html

If you're not using SD/PE you can just use the CLI to configure the same
stuff:
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-policy-configuration.html#id-dynamic-address-groups-in-security-policies

Regards
Roger

On Tue, Sep 8, 2020 at 6:47 PM Kody Vicknair <kvicknair@reservetele.com>
wrote:

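The two replies above describe the same pipeline from different ends: a script (Yev's on-box or off-box Python) that reads the vendor CSV, and something on the SRX that consumes the result, either a prefix-list referenced by a stateless firewall filter or a dynamic-address feed polled from a web server (Roger's suggestion). The following is an added example written for this thread, not code from either poster or from Juniper: a parser that validates every entry and refuses to block space that would take the site down (a feed that one day contains 0.0.0.0/0 or your own RFC 1918 range is the real whack-a-mole risk), plus two renderers, one for Junos `set` commands and one for the plain-text feed file. The CSV column name `ip`, the accepted row formats (single IP, CIDR, `first-last` range), the sample rows and the `NEVER_BLOCK` list are all assumptions.

```python
"""Turn a vendor blocklist CSV into (a) Junos prefix-list set-commands for a
stateless firewall filter and (b) the plain-text feed file an SRX
dynamic-address feed-server can poll. Added example for the juniper-nsp
thread; not code from the original posts. The 'ip' column name and the
row formats (single IP, CIDR, 'first-last' range) are assumptions."""
import csv
import io
import ipaddress

# Constructed sample of a vendor CSV, including the rows a real feed tends
# to contain sooner or later: a duplicate, a range, RFC 1918 space, a
# default route and plain garbage.
SAMPLE_CSV = """ip,first_seen,category
203.0.113.7,2020-09-01,scanner
198.51.100.0/24,2020-09-02,botnet
192.0.2.10-192.0.2.20,2020-09-03,spam
203.0.113.7,2020-09-05,scanner
10.0.0.5,2020-09-03,misconfigured-feed
0.0.0.0/0,2020-09-04,bogus
2001:db8::/32,2020-09-04,scanner
not-an-ip,2020-09-04,garbage
"""

# Space that must never end up in a blocklist pushed to the edge, whatever
# the vendor says. Add your own prefixes here (assumed list, not from the thread).
NEVER_BLOCK = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8")]
MIN_PREFIXLEN = {4: 8, 6: 32}   # anything shorter is a typo or a poisoned feed


def _expand(raw):
    """Yield ip_network objects for one CSV cell: 'a.b.c.d', 'a.b.c.d/nn' or 'first-last'."""
    if "-" in raw:
        first, last = (ipaddress.ip_address(p.strip()) for p in raw.split("-", 1))
        yield from ipaddress.summarize_address_range(first, last)
    else:
        yield ipaddress.ip_network(raw, strict=False)


def _safe(net):
    """True if the prefix is long enough and touches none of NEVER_BLOCK."""
    return (net.prefixlen >= MIN_PREFIXLEN[net.version]
            and not any(b.version == net.version and net.overlaps(b) for b in NEVER_BLOCK))


def parse_feed(text, column="ip"):
    """Return (accepted, rejected): accepted is a collapsed, sorted list of
    networks (v4 first, then v6); rejected holds the raw cells that were
    malformed or unsafe to block, so they can be logged and raised with the vendor."""
    accepted, rejected = set(), []
    for row in csv.DictReader(io.StringIO(text)):
        raw = (row.get(column) or "").strip()
        try:
            nets = list(_expand(raw))        # ValueError on garbage or reversed ranges
        except ValueError:
            rejected.append(raw)
            continue
        if all(_safe(n) for n in nets):
            accepted.update(nets)
        else:
            rejected.append(raw)
    by_version = lambda v: [n for n in accepted if n.version == v]
    collapsed = (list(ipaddress.collapse_addresses(by_version(4)))
                 + list(ipaddress.collapse_addresses(by_version(6))))
    return collapsed, rejected


def junos_prefix_list(nets, name="vendor-blocklist"):
    """Set-commands that replace the whole prefix-list inside one commit, so the
    firewall filter term referencing it (not shown here) never sees a half-updated
    list. Refuses an empty feed: a failed download must not silently unblock everyone."""
    if not nets:
        raise ValueError("refusing to replace a prefix-list with an empty feed")
    return ([f"delete policy-options prefix-list {name}"]
            + [f"set policy-options prefix-list {name} {n.with_prefixlen}" for n in nets])


def feed_file(nets):
    """One prefix per line: the plain-text list a dynamic-address feed-server
    fetches over HTTP from a web server you control."""
    return "".join(f"{n.with_prefixlen}\n" for n in nets)


if __name__ == "__main__":
    nets, bad = parse_feed(SAMPLE_CSV)
    print("\n".join(junos_prefix_list(nets)))
    print(f"# rejected: {bad}")
```

The `delete` followed by the `set` lines goes into the candidate configuration as one load (for example PyEZ `Config.load(..., format="set")` followed by `commit()`), so the filter that references the prefix-list never matches against a partially replaced list. Whoever controls the CSV controls what your edge blocks, so fetch it over HTTPS with the vendor's certificate verified, keep the rejected entries in a log, and keep `NEVER_BLOCK` populated with your own address space.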