Setting up a GRE Tunnel on a Juniper MX Router

In previous articles, we’ve explained how to set up a generic routing encapsulation (GRE) for Incapsula IP Protection on a Cisco router, and on an Ubuntu AWS Client. In this article, we’ll help you configure a GRE tunnel on a Juniper MX router.

Incapsula IP Protection secures multiple service types and protocols, in addition to protecting customers who don’t have an entire Class C subnet. When onboarding, customers receive a protected IP address from Incapsula, which is used to route incoming traffic so that it can be inspected and filtered by Incapsula servers. You need to establish a redundant, secure, two-way GRE tunnel to forward clean traffic to your origin IP and to return outbound traffic to your users.

After you’ve completed the onboarding process, the only way scrubbed, legitimate packets can reach your network servers from the Incapsula network is through the GRE tunnel. You’ll configure the GRE tunnel between Incapsula and your gateway devices. If you want more background on why Incapsula uses GRE tunnels, read Why Does Incapsula Use a GRE Tunnel?

Establish the GRE Tunnel Interfaces on the Juniper MX Router

Before you start configuring the GRE tunnel, note the following screenshot shows an example of each of the five IP addresses you’ll be working with. Incapsula provides you with three IPs labeled Incapsula Public IP, Customer Private IP, and Incapsula Private IP. You’ll use these addresses together with your assigned Customer Public IP to configure the GRE tunnel. The address labeled Incapsula Protected IP in this example is the new protected IP address from Incapsula that is allocated to your server to send and receive filtered traffic.

Please note that when you are configuring the router, you’ll need to replace the text in bold with the requisite addresses you received in your onboarding email from Incapsula.

First, configure your firewall device with the appropriate tunnel interfaces.

  1. Before we begin with the tunnel configuration, we need to make sure no ACL is blocking GRE protocol (47) from the Incapsula Public IP to the Customer Public IP. After this is done, we can proceed to configure your firewall device with the appropriate tunnel interfaces.
  2. Use the Juniper Junos command line interface (CLI) to access your router’s configuration mode.
  3. Enable the GRE service on the router.

Note: To configure a GRE tunnel on a Juniper network router, the router must be equipped with layer 2 service capabilities. These capabilities are native in MX, SRX, and J-series routers, and are available through a physical interface card (PIC) in M-series routers. When the required services are available on the router, you can create a pseudo-interface called gr-.

To enable the service, issue the following command:

root@mx# set chassis fpc x pic x tunnel-services

In this command, fpc x pic x points to the interface module (line card) whose resources we want to share for the purpose of tunneling.

  1. At your router’s (configuration) prompt, define a new tunnel interface. You’ll need to supply your own values for items in bold.


root@mx# set interfaces gr-0/0/0 unit 0 description GRE tunnel to Incapsula
root@mx# set interfaces gr-0/0/0 unit 0 tunnel source Customer Public IP
root@mx# set interfaces gr-0/0/0 unit 0 tunnel destination Incapsula Public IP
root@mx# set interfaces gr-0/0/0 unit 0 family inet address Customer Private IP/30


  • In each instance of gr-0/0/0 unit0, you can specify the unit number of the logical interface if other than 0.
  • description is free text you specify to help you more easily identify the interface.
  1. Make sure you can ping the Incapsula Private IP:
run ping Incapsula Private IP

Deploying IP Protection

Juniper MX routers do not support network address translation (NAT), and so we either need to configure the new IP on the server itself, or configure NAT on some other device along the route. Let’s look at how to configure the new IP on the server.

Configure a Static IP Address

We’ll configure the Incapsula Protected IP directly on your server and ensure that traffic is directed to it. Static routing sends traffic from the Incapsula Protected IP to a fixed address for your server.

  1. Configure the Incapsula Protected IP on your server.
  2. Configure your router with a static route to direct traffic toward it. The route’s next hop needs to point to an IP configured on your server. This IP is one that belongs to your local area network.

Command syntax

root@mx# set routing-options static route Incapsula Protected IP next-hop next-hop-IP


next-hop-IP is the address used to reach the server, which is usually among the IPs configured on your server’s NIC interface.


root@mx# set routing-options static route next-hop

(Optional) Configure Policy-based Routing

If you want to use symmetric routing, you must, as a final step, configure policy-based routing to ensure a symmetric flow. With symmetric routing, traffic directed to your network through the GRE interface must return through the same interface.

  1. Configure policy-based routing:
root@mx# set firewall family inet filter TO_GRE term 1 from source-address Incapsula Protected IP
root@mx# set firewall family inet filter TO_GRE term 1 then next-ip Incapsula Private IP
root@mx# set firewall family inet filter TO_GRE term 2 then accept


  • The purpose of term 1 is to match traffic from the new IP and direct it to the GRE tunnel.
  • The purpose of term 2 is to match all other traffic and route it normally by using the global routing table.
  1. Apply the firewall filter on the LAN interface:
root@mx# set interfaces ge-fpc/pic/port unit 0 family inet filter input TO_GRE


ge-fpc/pic/port is the Junos syntax for configuring a ge (gigabit Ethernet) device with a Flexible PIC Controller (fpc) address, a Juniper Physical Interface Card (pic) address, and a port number (port).
Example: ge-0/0/0.

This completes your configuration. From this point, you can ping the server and start seeing traffic routed through Incapsula. If you have any questions, please let me know in the comments below.

Further reading

Keep your finger on the pulse

Sign up for updates from Imperva, our affiliated entities and industry news.