Juniper Networks V10000 User Manual


Copyright © 2010, Juniper Networks, Inc.


IMPLEMENTATION GUIDE - Juniper Networks SRX Series Services Gateways/Websense V10000

8. Create a Websense-specific security application definition for the Websense redirect protocol (TCP/15871).

admin@SRX# show applications
application webs-redirect {
    protocol tcp;
    destination-port 15871;
}

9. Add a security policy from the user-lan zone to the management zone that permits traffic only to the V10000 “C” port and only for TCP/15871.

This step is necessary so that the user's Web browser can be redirected to the V10000 “Block Page.” Normally, user LAN traffic should not be allowed to access the management security zone.

admin@SRX# show security policies
from-zone lanA to-zone management {
    policy redirect-only {
        match {
            source-address local-hosts;
            destination-address V10000-c;
            application webs-redirect;
        }
        then {
            permit;
        }
    }
}

10. Add any NAT necessary to support both the Web-redirect traffic and the user-lan traffic out toward the public Internet.

admin@SRX# show security nat source
rule-set websense {
    from zone web-redirect;
    to zone public-inet;
    rule ifnat-all {
        match {
            source-address 192.168.10.0/24;
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat {
                interface;
            }
        }
    }
}
rule-set user-lan {
    from zone user-lan;
    to zone [ public-inet web-redirect ];
    rule ifnet-all {
        match {
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat {
                interface;
            }
        }
    }
}
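The point of steps 8 and 9 is that the only hole from the user LAN into the management zone is the redirect service to the V10000 “C” address. As an added check (example code, not part of this Juniper guide), the following Python parses the Junos-style output from those steps and flags any permit policy into the management zone that reaches beyond TCP/15871 to V10000-c; the sample configuration is constructed from the output shown on this page.

```python
# Constructed sample: the page's show-applications and show-security-policies output concatenated.
CONFIG = """
application webs-redirect {
    protocol tcp;
    destination-port 15871;
}
from-zone lanA to-zone management {
    policy redirect-only {
        match {
            source-address local-hosts;
            destination-address V10000-c;
            application webs-redirect;
        }
        then {
            permit;
        }
    }
}
"""

def parse(text):
    """Parse Junos brace syntax into nested dicts; a leaf maps its keyword to a list of values."""
    root = node = {}
    stack = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.endswith("{"):                       # open a hierarchy level
            stack.append(node)
            node = node.setdefault(line[:-1].strip(), {})
        elif line == "}":                            # close it
            node = stack.pop()
        elif line.endswith(";"):                     # leaf statement, e.g. "protocol tcp;"
            key, _, val = line[:-1].partition(" ")
            node.setdefault(key, []).append(val)
    return root

def mgmt_exposure(cfg):
    """Findings for permit policies into 'management' that allow more than TCP/15871 to V10000-c."""
    findings = []
    for ctx, block in cfg.items():
        if ctx.startswith("from-zone ") and ctx.endswith(" to-zone management"):
            for name, pol in block.items():
                if name.startswith("policy ") and "permit" in pol.get("then", {}):
                    match = pol.get("match", {})
                    if match.get("destination-address") != ["V10000-c"]:
                        findings.append((name, "destination not limited to V10000-c"))
                    for app in match.get("application", []):
                        spec = cfg.get(f"application {app}", {})   # 'any' has no definition
                        if spec.get("protocol") != ["tcp"] or spec.get("destination-port") != ["15871"]:
                            findings.append((name, f"application {app} is not TCP/15871"))
    return findings
```

Run `mgmt_exposure(parse(text))` over the real `show security policies` and `show applications` output; an empty list means the management zone is reachable from the user LAN only for the block-page redirect.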
