Netskope GRE with Juniper SRX

Netskope GRE with Juniper SRX

Netskope supports Generic Route Encapsulation (GRE) tunnels as a traffic steering method. GRE tunnels allow you to route web traffic (port 80 and 443) to Netskope using logical tunnel interfaces that terminate to a Netskope GRE gateway. When you create GRE tunnels in the Netskope UI, Netskope provides parameters for configuring the tunnels on your firewall. The GRE configuration below utilizes Junos OS commands and concepts. 

This guide illustrates how to configure GRE tunnels between Netskope and the Juniper vSRX virtual firewall running Junos OS version 15.1X49-D75.5. To learn more about the CLI steps in Junos OS, see the Juniper documentation.

Prerequisites

Before configuring GRE, review the guidelines and prerequisites.

Creating GRE Tunnels in Netskope

To create the GRE tunnels for Juniper SRX or vSRX in the Netskope UI:

  1. Go to Settings > Security Cloud Platform > GRE.
  2. Click New GRE Configuration.
  3. In the New GRE Configuration window:
    • Configuration Name: Enter a name for the GRE tunnel.
    • Tunnel Type: Select Default.
    • Source Peer: Enter the source peer IP address (i.e., exit public IP) of the Juniper firewall that Netskope will receive packets from. Netskope identifies traffic belonging to your organization through your router or firewall IP addresses.
    The New GRE Configuration window.
  4. Click Save and View POPs.
  5. In the Netskope POPs window, copy the GRE Gateway IP address of the two closest Netskope POPs. You need this information to establish the GRE tunnels on your Juniper firewalls. For optimal performance, Netskope recommends using the geographically closest POPs and configuring at least two tunnels for each egress location in your network.

    Note

    FedRAMP High POPs are different that those shown here. Your FedRAMP High tenant will show the available POPs.

    Netskope Points Of Presense POPs information in the Netskope POPs window.

Creating the GRE Tunnel Interfaces

On the Juniper SRX or vSRX firewall, enter the following commands. Replace the tunnel destination values with the GRE Gateway IP address of the primary and backup Netskope POPs you copied in Creating GRE Tunnels in Netskope.

set interfaces gr-0/0/0 unit 0 tunnel source 172.16.176.137
set interfaces gr-0/0/0 unit 0 tunnel destination 10.136.176.49
set interfaces gr-0/0/0 unit 0 family inet mtu 1476
set interfaces gr-0/0/0 unit 0 family inet address 10.100.100.1/24
set interfaces gr-0/0/0 unit 1 tunnel source 172.16.176.137
set interfaces gr-0/0/0 unit 1 tunnel destination 10.136.176.61
set interfaces gr-0/0/0 unit 1 family inet mtu 1476
set interfaces gr-0/0/0 unit 1 family inet address 10.100.200.1/24

Configuring the Real-Time Performance Monitoring Probes

Enter the following commands:

set services rpm probe icmp-gre test icmp probe-type icmp-ping
set services rpm probe icmp-gre test icmp target address 5.6.7.8
set services rpm probe icmp-gre test icmp probe-count 5
set services rpm probe icmp-gre test icmp probe-interval 5
set services rpm probe icmp-gre test icmp test-interval 10
set services rpm probe icmp-gre test icmp source-address 172.16.176.137
set services rpm probe icmp-gre test icmp thresholds successive-loss 5
set services rpm probe icmp-gre test icmp thresholds total-loss 5

Editing the Default-System Security Policy

Enter the following command:

set security policies default-policy permit-all

Creating the Security Zones

Enter the following commands:

set security zones security-zone all host-inbound-traffic system-services all
set security zones security-zone all host-inbound-traffic protocols all
set security zones security-zone all interfaces all

Configuring Static Routing

Enter the following commands:

set routing-options static route 0.0.0.0/0 next-hop 172.16.176.129
set routing-options static route 8.8.8.8/32 next-hop gr-0/0/0.0
set routing-options static route 8.8.8.8/32 next-hop gr-0/0/0.1
set routing-options static route 185.199.0.0/16 next-hop gr-0/0/0.0
set routing-options static route 185.199.0.0/16 next-hop gr-0/0/0.1
set routing-options static route 164.100.133.0/24 next-hop gr-0/0/0.0
set routing-options static route 164.100.133.0/24 next-hop gr-0/0/0.1
set routing-options static route 5.6.7.8/32 next-hop gr-0/0/0.1
set routing-options static route 5.6.7.8/32 next-hop gr-0/0/0.0
set routing-options static route 10.136.176.33/32 next-hop gr-0/0/0.0
set routing-options static route 10.136.176.33/32 next-hop gr-0/0/0.1

Configuring the GRE Keepalive Times

Enter the following commands:

set protocols oam gre-tunnel interface gr-0/0/0.0 keepalive-time 5
set protocols oam gre-tunnel interface gr-0/0/0.0 hold-time 10
set protocols oam gre-tunnel interface gr-0/0/0.1 keepalive-time 5
set protocols oam gre-tunnel interface gr-0/0/0.1 hold-time 10

Sample CLI Configuration

Below is a sample CLI GRE tunnel configuration for Juniper SRX firewalls:

set version 15.1X49-D75.5
set system root-authentication encrypted-password "1234567890"
set system name-server 172.16.254.11 source-address 172.16.176.137
set system services ssh
set services rpm probe icmp-gre test icmp probe-type icmp-ping
set services rpm probe icmp-gre test icmp target address 5.6.7.8
set services rpm probe icmp-gre test icmp probe-count 5
set services rpm probe icmp-gre test icmp probe-interval 5
set services rpm probe icmp-gre test icmp test-interval 10
set services rpm probe icmp-gre test icmp source-address 172.16.176.137
set services rpm probe icmp-gre test icmp thresholds successive-loss 5
set services rpm probe icmp-gre test icmp thresholds total-loss 5
set security policies default-policy permit-all
set security zones security-zone all host-inbound-traffic system-services all
set security zones security-zone all host-inbound-traffic protocols all
set security zones security-zone all interfaces all
set interfaces ge-0/0/0 unit 0 family inet address 172.16.176.137/26
set interfaces gr-0/0/0 unit 0 tunnel source 172.16.176.137
set interfaces gr-0/0/0 unit 0 tunnel destination 10.136.176.49
set interfaces gr-0/0/0 unit 0 family inet mtu 1476
set interfaces gr-0/0/0 unit 0 family inet address 10.100.100.1/24
set interfaces gr-0/0/0 unit 1 tunnel source 172.16.176.137
set interfaces gr-0/0/0 unit 1 tunnel destination 10.136.176.61
set interfaces gr-0/0/0 unit 1 family inet mtu 1476
set interfaces gr-0/0/0 unit 1 family inet address 10.100.200.1/24
set interfaces ge-0/0/1 unit 0 family inet address 172.16.176.204/26
set routing-options static route 0.0.0.0/0 next-hop 172.16.176.129
set routing-options static route 8.8.8.8/32 next-hop gr-0/0/0.0
set routing-options static route 8.8.8.8/32 next-hop gr-0/0/0.1
set routing-options static route 185.199.0.0/16 next-hop gr-0/0/0.0
set routing-options static route 185.199.0.0/16 next-hop gr-0/0/0.1
set routing-options static route 164.100.133.0/24 next-hop gr-0/0/0.0
set routing-options static route 164.100.133.0/24 next-hop gr-0/0/0.1
set routing-options static route 5.6.7.8/32 next-hop gr-0/0/0.1
set routing-options static route 5.6.7.8/32 next-hop gr-0/0/0.0
set routing-options static route 10.136.176.33/32 next-hop gr-0/0/0.0
set routing-options static route 10.136.176.33/32 next-hop gr-0/0/0.1
set protocols oam gre-tunnel interface gr-0/0/0.0 keepalive-time 5
set protocols oam gre-tunnel interface gr-0/0/0.0 hold-time 10
set protocols oam gre-tunnel interface gr-0/0/0.1 keepalive-time 5
set protocols oam gre-tunnel interface gr-0/0/0.1 hold-time 10
Share this Doc

Netskope GRE with Juniper SRX

Or copy link

In this topic ...