SRX UTM: Antivirus - Sophos

Here is a quick overview of getting Sophos AV working on an SRX

Sophos is the Cloud based solution and so needs an active Internet connection to work. This means the AV database is not stored locally on the SRX like Kaspersky. The SRX uses DNS queries to the Sophos Cloud to perform AV queries. We'll see later how these work.

Sophos can also perform URI content checking over HTTP to detect malware.This is essentially a reputataion check and can be disabled if you wish.

The Sophos solution should put less load on the SRX, processor and memory wise due to not having to download a giant AV database and run checks against it though it does cache responses to improve lookup performance.

SRX VPN: Checkpoint to SRX Site-to-Site Policy Based.

Today we are going to take a look at a site to site VPN between a Checkpoint and an SRX.

We will focus more on configuration and testing rather than VPN theory as the Internet is full of great resources in that respect. No NAT in this one either to keep it more simple and just focused on the VPN side of things. We will do a seperate Blog for VPN troubleshooting.

Here is a layer 3 view of the network we will be using..

SRX UTM: Antivirus - Kaspersky Full

Today we are going to take a little look at Antivirus on the SRX and testing it to make sure its actually working.

There are currently 3 Antivirus solutions for the SRX all of which require a different license to activate:
* Kapersky
* Sophos
* Juniper Express

Briefly, some differences between the 3 options are:
* Full file based AV
* Local signature database lookups. AV signatures downloaded as a package.
* Largest cpu performance impact 
* Supports Intelligent Prescreening

* Cloud based signature database which therefore requires..
* Constant Internet access needed for AV lookups.
* Moderate cpu perfomance impact
* No Prescreening 

Juniper Express
* Less protection than the other 2 options 
* Only protects against critical threats. Modified Kaspersky database.
* Does not reconstruct content prior to scanning 
* Pattern matching based solution. No heuristics.
* No protection against polymorphic or metamorphic viruses
* Supports Intelligent Prescreening

* Least cpu performance impact and highest throughput.

SRX Trunk

After the epic that was STP, just a quickie today on a couple of points I recently came across when setting up a trunk between a Cisco switch and SRX.

The trunk will trunk VLANs 1,5 and 8. VLAN 1 is native on the Cisco

The Cisco side setup.. 


In smaller sites when rolling out low end SRXs, it's not uncommon for them to be connected to Cisco switches that may be running multiple VLANs

How can we connect up our SRXs to Cisco switches without stuffing up spanning tree on the core Cisco switch and still prevent loops? Lets see what happens when we aim to work with that situation from a spanning tree (STP) perspective.

SRX UTM: Enhanced Web Filtering - Redirect

Hi Folks,

I was recently asked in regards to Enhanced Web Filtering...

Is there any way to remove the "CATEGORY: Enhanced_Social_Networking_and_Personal_Sites REASON:BY_PRE_DEFINED" message?

And by the way to the person who posted that, your email shows up to me as So doesn't show on the blog as a comment and I cant reply. Google "". You will find out how to fix. 
Anyway the answer is yes! There is a way to solve the issue.
We will test 3 scenarios while trying to access Playboy.


Today we will look at running an Application Firewall (AppFW) on the SRX. 

This is different to the normal firewalling in that we are not filtering based on TCP/UDP ports but instead filtering on application signatures that can detect applications whether or not they are not running on the standard ports expected.Further even when we are running on the standard ports, through the signatures we can detect and block access to specific services without you having to worry about blocking all access to a certain IP on a certain port. Eg. We could block access to Facebook Farmville without having to know the either the IP of Facebook or having to block all of Facebook. I will try and show some examples of this functionality. 


I recently installed an SRX in NZ so I though I'd put up here the working ADSL config for our cousins across the pond...

Telecom NZ - PPPOA

at-1/0/0 {
        mtu 1540;
        encapsulation atm-pvc;
        atm-options {
            vpi 0;
        dsl-options {                  
            operating-mode auto;
        unit 0 {
            encapsulation atm-ppp-vc-mux;
            vci 0.100;
            ppp-options {
                pap {
                    default-password "!9$uQQhy76fg543es8XYoZGq.P5QF9A"; ## SECRET-DATA
                    local-name "";
                    local-password "%9$q.Qnkn8765sgvq8LVbs24aDi"; ## SECRET-DATA
            family inet {

routing-options {
    static {
        route next-hop at-1/0/0.0;


Lets have a look today at the issue of using the WebUI with the Global address book.

When I say Global address book, I mean using creating addresses on the SRX in this way...

root# set security address-book ?
Possible completions:
  <book-name>          Address book name
  global               Default global address book name

Example of address with the Global Address book..

security {
    address-book {
        global {                       
            address aaaa;
            address bbbb;

These Global addresses form a common address pool that should be available for use in any zone as opposed to the old way of creating separate address books under each zone.


A great way to add your own comments to any part of a Junos config.

Let say we have this DHCP config...

services {
        web-management {
            http {
                interface vlan.7;
            https {
                interface vlan.7;
        dhcp {
            pool {
                address-range low high;
                default-lease-time 86400;
                router {

And we wish to place some kind of comment on the DHCP pool as there is no description statement associated with DHCP.