let's see if I can format this correctly.

Dynamic Address lists in JunOS on an SRX firewall.

----------------------------
user@srx> show configuration security dynamic-address

feed-server <just-a-name> {
    url http(s)://server.hostname;
    update-interval <seconds>;
    hold-interval <more-seconds>;
    feed-name feed-1 {
        path /gets/appended/to/url;
    }
    feed-name feed-2 {
        path /gets/appended/to/url;
    }
}
address-name address-1 {
    description <something-useful>;
    profile {
        feed-name feed-1;
    }
}
address-name address-2 {
    description <something-useful>;
    profile {
        feed-name feed-2;
    }
}
-------------------------

You need a webserver that has files with CIDR-formatted prefixes, one per line, e.g.:
192.0.2.1/32
192.0.2.16/28
192.0.2.128/25

------------------------

The SRX will fetch that file every update-interval. If it fails to get the file, it will hold the last good copy for the hold-interval before expiring it.

------------------------

see a list:
show security dynamic-address feed-name <feed-name>

force an update:
request security dynamic-address update address-name <address-name>

------------------------

Once you have them loaded, they can be used just like address and address-set entries in firewall rules.

Cool, huh?
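
Because the SRX applies whatever the feed file contains, it helps to validate the file before the web server publishes it. The script below is an added example, not part of the original post or any Juniper tooling: `build_feed`, the minimum prefix length, and the IPv4-only handling are assumptions, and the sample input is constructed from documentation address ranges.

```python
import ipaddress

# Assumption: refuse prefixes shorter than this, so one bad line cannot
# match most of the Internet once the feed is referenced in a policy.
MIN_PREFIX_LEN = 8


def build_feed(raw_lines, min_prefix_len=MIN_PREFIX_LEN):
    """Return (feed_text, rejected); feed_text has one IPv4 CIDR per line."""
    networks, rejected = [], []
    for lineno, raw in enumerate(raw_lines, start=1):
        entry = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not entry:
            continue
        try:
            # strict=True rejects prefixes with host bits set (192.0.2.17/28)
            net = ipaddress.IPv4Network(entry, strict=True)
        except ValueError as exc:
            rejected.append((lineno, raw.strip(), str(exc)))
            continue
        if net.prefixlen < min_prefix_len:
            rejected.append((lineno, raw.strip(), "prefix too broad"))
            continue
        networks.append(net)
    # Removes duplicates and merges contained or adjacent prefixes.
    collapsed = ipaddress.collapse_addresses(networks)
    return "".join(f"{net.with_prefixlen}\n" for net in collapsed), rejected


# Constructed sample input (documentation ranges, not real indicators).
SAMPLE = [
    "# constructed sample feed source",
    "192.0.2.1",          # bare host, written out as a /32
    "192.0.2.16/28",
    "192.0.2.128/25",
    "192.0.2.130/32",     # already covered by the /25 above
    "192.0.2.17/28",      # host bits set
    "0.0.0.0/0",          # would match everything
    "not-an-address",
    "198.51.100.0/25",
    "198.51.100.128/25",  # merges with the previous line into a /24
]

if __name__ == "__main__":
    text, bad = build_feed(SAMPLE)
    print(text, end="")
    for lineno, entry, reason in bad:
        print(f"rejected line {lineno}: {entry!r} ({reason})")
```

Write the returned text to the path the feed-name points at only when the rejected list is empty or has been reviewed, so a malformed source never replaces the last good copy.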
