Frank Sweetser writes: >(For the curious, they integrate by installing some shell scripts on the >underlying FreeBSD level. The scripts pull down customer specific lists of IP >addresses, and dynamically create slax scripts to update a set of prefix lists >in the local config to match.)
Very cool! I've never heard of them, but seems like a great service. I do see a kb article warning about performance issues: https://kb.juniper.net/InfoCenter/index?page=content&id=KB25813&actp=search But most of these issues can be mitigated. For example, they change config using "cat command-file | cli" which churns the change bits in the database even when nothing changes; using "load update" will solve that. In addition, between JUNOS-12.1 and 15.1 we've done a lot with commit performance which will help. Another fix would be the use of the ephemeral database, which keeps transient data away from human config, and allows us to avoid saving it in juniper.conf (and the expense of writing it on every commit). I've sent ThreatStop an offer to help with the incorporation of these suggestions. But if the bad-guys.list is available via http, then we can make an event script that downloads it and "load updates" it into the ephemeral database fairly easily. Thanks, Phil _______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
