On 01/15/2016 03:51 PM, Phil Shafer wrote:
> Frank Sweetser writes:
> > (For the curious, they integrate by installing some shell scripts on the
> > underlying FreeBSD level.  The scripts pull down customer specific lists of IP
> > addresses, and dynamically create slax scripts to update a set of prefix lists
> > in the local config to match.)
>
> Very cool!  I've never heard of them, but seems like a great service.
> I do see a kb article warning about performance issues:
>
>    https://kb.juniper.net/InfoCenter/index?page=content&id=KB25813&actp=search

I ran into that KB as well, and the issues documented there are part of why I'm looking to do more research before we turn their shell scripts loose on our precious routers. I realize that most of the problems there are centered around lower end SRX devices, but it's still pretty clear that their methodology is stressing the config in ways that are... well, let's just say "atypical".

> But most of these issues can be mitigated.  For example, they change
> config using "cat command-file | cli" which churns the change bits
> in the database even when nothing changes; using "load update" will
> solve that.  In addition, between JUNOS-12.1 and 15.1 we've done a
> lot with commit performance which will help.
>
> Another fix would be the use of the ephemeral database, which keeps
> transient data away from human config, and allows us to avoid saving
> it in juniper.conf (and the expense of writing it on every commit).
>
> I've sent ThreatStop an offer to help with the incorporation of
> these suggestions.  But if the bad-guys.list is available via http,
> then we can make an event script that downloads it and "load updates"
> it into the ephemeral database fairly easily.

Awesome! I'll reach out to the sales reps we've been talking with and let them know that we *strongly* encourage them to take you up on your offer.

Thanks very much!


Frank Sweetser fs at wpi.edu | For every problem, there is a solution that
Manager of Network Operations | is simple, elegant, and wrong.
Worcester Polytechnic Institute | - HL Mencken
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
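
An added example of the feed-to-prefix-list step discussed in this thread (not code from ThreatStop, Juniper, or either poster): it validates a downloaded list before any of it reaches router config and renders a deterministic prefix-list in Junos text format, so an unchanged feed produces byte-identical output. The one-entry-per-line feed format, the prefix-list name `threat-feed`, and the minimum prefix lengths are assumptions.

```python
import ipaddress

# Assumption: anything broader than these is never a legitimate blocklist entry.
MIN_PREFIXLEN = {4: 8, 6: 16}

# Constructed sample feed: duplicates, an over-broad prefix and a line that
# tries to smuggle extra config statements through the list.
SAMPLE_FEED = """\
# constructed sample feed
203.0.113.7
198.51.100.0/24
198.51.100.0/24
0.0.0.0/0
192.0.2.0/24; } system { root-authentication
2001:db8::/32
"""

def parse_feed(text):
    """Return (sorted unique networks, rejected raw lines)."""
    nets, rejected = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        try:
            # strict=True also rejects entries with host bits set
            net = ipaddress.ip_network(line, strict=True)
        except ValueError:
            rejected.append(raw)              # not a bare address or CIDR
            continue
        if net.prefixlen < MIN_PREFIXLEN[net.version]:
            rejected.append(raw)              # would match far too much traffic
            continue
        nets.add(net)
    key = lambda n: (n.version, n.network_address, n.prefixlen)
    return sorted(nets, key=key), rejected

def render_prefix_list(name, nets):
    """Render a policy-options prefix-list stanza in Junos text format."""
    lines = ["policy-options {", f"    prefix-list {name} {{"]
    lines += [f"        {n};" for n in nets]
    lines += ["    }", "}"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    nets, rejected = parse_feed(SAMPLE_FEED)
    print(render_prefix_list("threat-feed", nets), end="")
    print(f"rejected {len(rejected)} line(s): {rejected}")
```

Because only values that parse as a bare address or CIDR are ever written out, nothing in the feed can close the stanza and append other configuration.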
