Testing the SRX Series Integration Configuration

Purpose

To verify the configuration of the WebApp Secure portion of the SRX series integration, do the following

Action

  1. Create a profile by accessing the .htaccess file (explained in “Verify the Installation”).
  2. Navigate to the WebApp Secure web interface and find the newly created profile.
  3. Manually activate the Filter on SRX Counter Response.
  4. Log into the SRX series CLI, and run the command show configuration firewall (or show firewall if in ).

You should see a new filter created with the name you gave in configuration, and a new term within that filter called that you also named within configuration. It should appear similar to the following (depending on how you set up your filter and actions):

family inet {filter my_filter {term block {from {address {10.10.10.10/32;}}then {reject;}}
term default {then {accept;}}}}

In the example above, 10.10.10.10 is the IP of the profile you activated the Counter Response on. This is telling the SRX series to reject the IP of the profile at the gateway level. Note the default term below the block term which will act as an accept-all in the case that the block term's action has been changed to next term.

You can also verify the line with the IP address gets deleted when deactivating the Counter Response.

Note: When there are no IPs to block, the SRX series defaults to * or All Traffic. This would effectively block all traffic from that interface! To counter this, WebApp Secure changes the action from your configured entry to next term, essentially letting the next term within the filter deal with the traffic. Because you set up a default term to handle this case (see Configuration), the next term simply accepts all traffic.

This filter should now look as follows:

family inet {filter my_filter {term block {then next term;}term default {then {accept;}}}}

This is indicating that all traffic will be sent through this term, but the action is simply passing the packet onto the next term in the filter, which is our default term that will accept all traffic.

Related Documentation