
Smartfren Roaming Firewall

• Overview

1 © Nokia Solutions and Networks 2015


Roaming Firewall
Architecture Topology

SRX 5800
Front Layout

SRX 5800
Back Layout

SRX 5800 Chassis Layout (rear view)

[Figure: rear view of the SRX 5800 chassis. Labelled items: PEM Zone 0 and PEM Zone 1; PEM 0, 1, 2 and 3 with lift-and-lock handles and AC / DC / PS status LEDs (OK / FAIL); PEM cooling fans; hot air exhaust; primary and secondary 15 A power connectors with I (on) / O (off) switches. Caution: to completely de-energize the system, disconnect all power cordsets.]
SRX Firewall
High Availability

1. Component redundancy:
Power supplies are deployed in N+N redundancy.
2. Node redundancy:
Two SRX firewall nodes form a redundant chassis cluster.
3. Network link redundancy:
- Redundant Ethernet (reth) interfaces, each with member links on both nodes.
- Link aggregation with LACP towards the adjacent switches.
4. Forwarding plane independent failover:
The forwarding plane (redundancy group 1) can fail over to the secondary cluster member independently of the control plane (redundancy group 0), so a data-plane fault does not force a Routing Engine switchover, which increases the stability of the cluster.

SRX Firewall
Chassis Cluster Functionality

• Redundancy group 0 (RG0) controls Routing Engine (control plane) failover;
• Redundancy group 1 (RG1) controls forwarding plane failover;
• Every SRX firewall cluster consists of node 0 and node 1;
• Under normal conditions node 0 is primary (Active) for both redundancy groups and node 1 is secondary (Backup);
• The configuration and dynamic runtime objects (sessions and similar state) are synchronised between the cluster nodes;
• Physical interfaces are monitored; a redundancy-group failover is triggered when the accumulated weight of failed interfaces on a node reaches the configured threshold;
• A dedicated data-plane fabric link between the cluster nodes provides 1 Gbps of bandwidth on the SRX3600 and 10 Gbps on the SRX5800. Monitoring of the fabric interface will be enabled;
• Cluster heartbeat timers and thresholds are left at their defaults: heartbeat interval 1 s, threshold 3 missed heartbeats (3 s) before the peer is declared down.
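The two slides above (High Availability and Chassis Cluster Functionality) describe the cluster design in prose. The Junos configuration below is an added example written for this page; it is not configuration from the Smartfren deployment or from the deck. It assumes an SRX5800 pair with an SPC in slot 1 of each node (for the control ports), two 10G links per node towards the upstream switch, and the RFC 5737 address 192.0.2.1/24; all interface names, priorities, weights and addresses are assumptions. On an SRX5800 cluster, node 1 FPC slots are numbered from 12, so xe-13/0/0 is slot 1 of node 1.

```junos
## Added example (not from the deck): two-node SRX5800 chassis cluster.
## Interface names, priorities, weights and addresses are assumptions.

## Control link: one control port per node, on the SPC assumed in slot 1.
set chassis cluster control-ports fpc 1 port 0
set chassis cluster control-ports fpc 13 port 0

## Data-plane fabric link: one 10G member per node (10G on the SRX5800).
## Fabric monitoring is enabled by default, so no extra statement is needed.
set interfaces fab0 fabric-options member-interfaces xe-1/0/1
set interfaces fab1 fabric-options member-interfaces xe-13/0/1

## Heartbeats on the control link: the defaults stated on the slide
## (1000 ms interval, 3 missed heartbeats before the peer is declared down).
set chassis cluster heartbeat-interval 1000
set chassis cluster heartbeat-threshold 3

## RG0 owns the Routing Engine (control plane); node 0 is preferred.
set chassis cluster reth-count 2
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100

## RG1 owns the forwarding plane and fails over independently of RG0.
## Each monitored link carries a weight; RG1 leaves a node when that node's
## failed weights sum to 255, i.e. only when BOTH of its LAG members are down.
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set chassis cluster redundancy-group 1 interface-monitor xe-1/0/0 weight 128
set chassis cluster redundancy-group 1 interface-monitor xe-1/0/2 weight 128
set chassis cluster redundancy-group 1 interface-monitor xe-13/0/0 weight 128
set chassis cluster redundancy-group 1 interface-monitor xe-13/0/2 weight 128

## Redundant Ethernet interface reth0: two member links on each node, bound
## to RG1, with LACP so a single link loss is absorbed by the LAG rather
## than causing a cluster failover.
set interfaces xe-1/0/0 gigether-options redundant-parent reth0
set interfaces xe-1/0/2 gigether-options redundant-parent reth0
set interfaces xe-13/0/0 gigether-options redundant-parent reth0
set interfaces xe-13/0/2 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 redundant-ether-options lacp active
set interfaces reth0 redundant-ether-options lacp periodic fast
set interfaces reth0 unit 0 family inet address 192.0.2.1/24
```

Before this configuration is committed, each node must be placed into the cluster once from operational mode (`set chassis cluster cluster-id 1 node 0 reboot` on the first node and `... node 1 reboot` on the second). After the commit, `show chassis cluster status` should show node 0 as primary and node 1 as secondary for both RG0 and RG1, and `show chassis cluster interfaces` should list the control link, the fabric link and the reth0 members as Up; a link that is monitored but not Up shows there as a weight contribution towards the 255 threshold.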

SRX 5800
Control Link & Fabric Link

Roaming Firewall
Physical Connectivity

Roaming Firewall
Logical Connectivity

Roaming Firewall
Logical Interconnection

SRX Chassis Cluster
Normal Condition

SRX Chassis Cluster
Forwarding Plane Failover

SRX Chassis Cluster
Control Plane Failover

Smartfren DMZ Firewall
• Overview



DMZ Firewall
Architecture Topology

SRX 3600
Front Layout

SRX 3600
Back Layout

SRX 3600
Control Link & Fabric Link

DMZ Firewall
Physical Connectivity

DMZ Firewall
Logical Connectivity

DMZ Firewall
Physical Topology with DNS

DMZ Firewall
Logical Topology with DNS

DMZ Firewall
Logical Interconnectivity

DMZ Firewall
DNS Cache Call Flow

Roaming Firewall
• BGP & IPSec VPN



Roaming Firewall
BGP Syneverse

Roaming Firewall
Citic IPSec VPN

Roaming Firewall
Apple IPSec VPN

Summary
How to set up a new IPSec VPN?

• Configure the IKE (phase 1) parameters: proposal, policy and gateway
• Configure the IPsec (phase 2) parameters: proposal, policy and VPN, bound to the IKE gateway and a tunnel interface
• Configure the security zone for the tunnel and the security policies from/to that zone, matching the permitted prefixes and protocols rather than "any"
• Configure a static route to the peer VPN gateway via the Internet
• Ensure the prefix covering the local VPN endpoint is advertised to the Internet (via BGP) so the peer can reach it
• Ensure the IKE (phase 1) and IPsec (phase 2) SAs are established and that the client prefixes on both sides can reach each other
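The steps above as one complete route-based VPN, written as an added example for this page (not configuration from the Citic or Apple VPNs in the deck). Zone names (core, internet, vpn-partner), object names, the RFC 5737 addresses (local endpoint 198.51.100.2 with Internet next hop 198.51.100.1, peer gateway 203.0.113.10), the private prefixes, the permitted applications and the pre-shared-key placeholder are all assumptions.

```junos
## Added example (not from the deck): route-based IPsec VPN to one roaming partner.
## Names, addresses, prefixes, applications and the PSK placeholder are assumptions.

## Internet-facing interface; IKE must be allowed as host-inbound traffic on it,
## otherwise the peer's IKE packets are dropped before the gateway sees them.
set interfaces reth1 unit 0 family inet address 198.51.100.2/30
set security zones security-zone internet interfaces reth1.0 host-inbound-traffic system-services ike

## 1. IKE (phase 1): proposal -> policy -> gateway
set security ike proposal IKE-PROP-PARTNER authentication-method pre-shared-keys
set security ike proposal IKE-PROP-PARTNER dh-group group14
set security ike proposal IKE-PROP-PARTNER authentication-algorithm sha-256
set security ike proposal IKE-PROP-PARTNER encryption-algorithm aes-256-cbc
set security ike proposal IKE-PROP-PARTNER lifetime-seconds 28800
set security ike policy IKE-POL-PARTNER mode main
set security ike policy IKE-POL-PARTNER proposals IKE-PROP-PARTNER
set security ike policy IKE-POL-PARTNER pre-shared-key ascii-text "REPLACE-WITH-A-LONG-RANDOM-PSK"
set security ike gateway GW-PARTNER ike-policy IKE-POL-PARTNER
set security ike gateway GW-PARTNER address 203.0.113.10
set security ike gateway GW-PARTNER dead-peer-detection interval 10
set security ike gateway GW-PARTNER dead-peer-detection threshold 3
set security ike gateway GW-PARTNER external-interface reth1.0
set security ike gateway GW-PARTNER version v2-only

## 2. IPsec (phase 2): proposal -> policy -> VPN, bound to the gateway and to st0.1
set security ipsec proposal IPSEC-PROP-PARTNER protocol esp
set security ipsec proposal IPSEC-PROP-PARTNER authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC-PROP-PARTNER encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC-PROP-PARTNER lifetime-seconds 3600
set security ipsec policy IPSEC-POL-PARTNER perfect-forward-secrecy keys group14
set security ipsec policy IPSEC-POL-PARTNER proposals IPSEC-PROP-PARTNER
set security ipsec vpn VPN-PARTNER bind-interface st0.1
set security ipsec vpn VPN-PARTNER ike gateway GW-PARTNER
set security ipsec vpn VPN-PARTNER ike ipsec-policy IPSEC-POL-PARTNER
set security ipsec vpn VPN-PARTNER establish-tunnels immediately

## 3. Zone and policy: the tunnel interface gets its own zone so policy is
##    written per partner prefix and protocol, not "any".
set interfaces st0 unit 1 family inet
set security zones security-zone vpn-partner interfaces st0.1
set security address-book global address NET-CORE 10.10.0.0/24
set security address-book global address NET-PARTNER 10.20.0.0/24
set security policies from-zone core to-zone vpn-partner policy CORE-TO-PARTNER match source-address NET-CORE
set security policies from-zone core to-zone vpn-partner policy CORE-TO-PARTNER match destination-address NET-PARTNER
set security policies from-zone core to-zone vpn-partner policy CORE-TO-PARTNER match application [ junos-icmp-ping junos-https ]
set security policies from-zone core to-zone vpn-partner policy CORE-TO-PARTNER then permit
set security policies from-zone vpn-partner to-zone core policy PARTNER-TO-CORE match source-address NET-PARTNER
set security policies from-zone vpn-partner to-zone core policy PARTNER-TO-CORE match destination-address NET-CORE
set security policies from-zone vpn-partner to-zone core policy PARTNER-TO-CORE match application [ junos-icmp-ping junos-https ]
set security policies from-zone vpn-partner to-zone core policy PARTNER-TO-CORE then permit

## 4. Routes: peer gateway via the Internet next hop, partner prefix via the tunnel
set routing-options static route 203.0.113.10/32 next-hop 198.51.100.1
set routing-options static route 10.20.0.0/24 next-hop st0.1
```

After the commit, `show security ike security-associations` should list 203.0.113.10 in state UP and `show security ipsec security-associations` should show an inbound and an outbound SA for st0.1; if the IKE SA never appears, check first that the local endpoint prefix is actually advertised to the Internet (`show route advertising-protocol bgp <peer-address>`) and that the IKE host-inbound statement is present. End-to-end reachability is then checked from the firewall with `ping 10.20.0.1 source 10.10.0.1`, which exercises the security policy in both directions. The PSK is shown as a placeholder only: use a long random secret per partner, or certificates where the partner supports them.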

THANK YOU!
