Channel: SRX Services Gateway topics

SRX VPN and NAT


We are starting to provide preconfigured SRX100s to our clients to securely connect to our hosted datacenter over IPSEC.

We would like to isolate the networks on both sides from IP conflicts. We would also like to make all the configuration changes on the SRX100s if at all possible.

We have tried static NAT with limited success, possibly because our attempts at working with the zone where the VPN terminates don't seem to work.

Does anyone have any suggestions for a configuration example? Does static NAT make sense, or should we try source and destination NAT?

Thanks!

...Ralph Johnston


Simultaneous DHCP client & server on SRX


Hey folks,

In many use cases, people want to be running a DHCP client on a WAN interface & act as a DHCP server on the LAN. Junos config terminology can be confusing on this, so to clear things up:

Old way:

  • family inet dhcp
  • system services dhcp

New way:

  • family inet dhcp-client
  • system services dhcp-local-server

The two do not interoperate; you must use either the old way or the new way. It's best to try the "new way" first as the code is more recent & more powerful, but if it doesn't work for your application perhaps the "old way" will (they don't use the same backend code).

BTW, if anyone has figured out how to get the branch SRX's dhcp-client to send Parameter-Request (DHCP option 55), big kudos if you can post it here. There's an old KB ( http://kb.juniper.net/InfoCenter/index?page=content&id=KB11608 ) stating that this was fixed way back in 8.5, but I certainly don't see it in either dhcp or dhcp-client's discover packets...

Enhanced Web Filtering (EWF) statistics via SNMP?


Hi,

Trying to figure out how to get the statistics that are accessible via the CLI:

show security utm web-filtering statistics

--------------------------------------------------------------------------
UTM web-filtering statistics:
Total requests: 737500
white list hit: 0
Black list hit: 0
Queries to server: 180541
Server reply permit: 0
Server reply block: 12
Server reply quarantine: 4
Server reply quarantine block: 7
Server reply quarantine permit: 0
Custom category permit: 0
Custom category block: 0
Custom category quarantine: 0
Custom category qurantine block: 0
Custom category quarantine permit: 0
Site reputation permit: 737326
Site reputation block: 77
Site reputation quarantine: 6
Site reputation quarantine block: 0
Site reputation quarantine permit: 0
Site reputation by Category 0
Site reputation by Global 737409
Cache hit permit: 0
Cache hit block: 26
Cache hit quarantine: 7
Cache hit quarantine block: 19
Cache hit quarantine permit: 4
Safe-search redirect: 0
Web-filtering sessions in total: 64000
Web-filtering sessions in use: 55
Fallback: log-and-permit block
Default 12 0
Timeout 0 0
Connectivity 0 0
Too-many-requests 0 0

Would be nice to have these stats in a central monitoring portal.

But I can't find any MIB that points me in the correct direction. There is a MIB for AV etc. but not EWF.

The syslog can send real-time information when a site has been blocked, but it's not the same thing really.

Any suggestions?

//Rob
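Added example, not from the post and not Juniper's code: with no EWF MIB available, a monitoring agent can collect the CLI output itself (the SSH/NETCONF transport is left out) and turn the counters into metrics. The sample output is a constructed excerpt with the counter values shown above, and the metric names are this example's own convention.

```python
"""Scrape and export 'show security utm web-filtering statistics' counters.

Added example, not Juniper's code: there is no EWF MIB, so the collector
parses the CLI output and renders it as Prometheus-style metrics.
SAMPLE_OUTPUT is a constructed excerpt with the counters from the post.
"""
import re

SAMPLE_OUTPUT = """\
UTM web-filtering statistics:
Total requests: 737500
white list hit: 0
Black list hit: 0
Queries to server: 180541
Server reply block: 12
Server reply quarantine: 4
Site reputation permit: 737326
Site reputation block: 77
Site reputation by Category 0
Site reputation by Global 737409
Cache hit block: 26
Web-filtering sessions in total: 64000
Web-filtering sessions in use: 55
Fallback: log-and-permit block
Default 12 0
Timeout 0 0
Connectivity 0 0
Too-many-requests 0 0
"""

# "Label: 123" or "Label 123" (the 'Site reputation by ...' lines lack a colon).
COUNTER_RE = re.compile(r"^([A-Za-z][A-Za-z\- ]+?):?\s+(\d+)$")
# Fallback table rows: "<reason> <log-and-permit count> <block count>".
FALLBACK_RE = re.compile(r"^([A-Za-z\-]+)\s+(\d+)\s+(\d+)$")


def metric_name(label):
    """Turn a CLI label into a metric name, e.g.
    'Web-filtering sessions in use' -> 'ewf_web_filtering_sessions_in_use'."""
    return "ewf_" + re.sub(r"[^a-z0-9]+", "_", label.strip().lower()).strip("_")


def parse_ewf_stats(text):
    """Parse the CLI output into {'counters': {...}, 'fallback': {...}}."""
    counters, fallback = {}, {}
    in_fallback = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.endswith("statistics:"):
            continue
        if line.startswith("Fallback:"):
            in_fallback = True  # header of the two-column fallback table
            continue
        if in_fallback:
            m = FALLBACK_RE.match(line)
            if m:
                fallback[m.group(1).lower()] = {
                    "log_and_permit": int(m.group(2)),
                    "block": int(m.group(3)),
                }
                continue
        m = COUNTER_RE.match(line)
        if m:
            counters[metric_name(m.group(1))] = int(m.group(2))
    return {"counters": counters, "fallback": fallback}


def render_prometheus(stats):
    """Render the parsed statistics in Prometheus text exposition format."""
    lines = [f"{name} {value}" for name, value in sorted(stats["counters"].items())]
    for reason, cols in sorted(stats["fallback"].items()):
        for action, value in cols.items():
            lines.append(f'ewf_fallback_total{{reason="{reason}",action="{action}"}} {value}')
    return "\n".join(lines) + "\n"


def session_utilization(stats):
    """Fraction of the web-filtering session table in use; a value near 1.0
    means requests are about to hit the fallback action (see the table)."""
    c = stats["counters"]
    return c["ewf_web_filtering_sessions_in_use"] / c["ewf_web_filtering_sessions_in_total"]


if __name__ == "__main__":
    parsed = parse_ewf_stats(SAMPLE_OUTPUT)
    print(render_prometheus(parsed))
    print(f"session utilization: {session_utilization(parsed):.4f}")
```

The fallback table is the part worth alerting on: its rows count requests that were permitted (or blocked) without a category verdict because the cloud lookup timed out or the session table was full, which is exactly the condition the syslog block events will not show.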

SRX5400 Host 0 Boot from alternate media


I have an SRX5400 that has a minor error saying "Host 0 Boot from alternate media".

Usually I'd just run "request system snapshot media internal slice alternate partition", however on the SRX5400 I get:

root@fw1a> request system snapshot media internal slice alternate partition
error: command is not valid on the srx5400

We had some issues with this FW and had to recover it from a USB snapshot. It booted from USB, then I was able to run a normal snapshot, but that looks to have gone to /dev/ad1s1a:

root@nyc2-fw1a> show system storage
node0:
--------------------------------------------------------------------------
Filesystem Size Used Avail Capacity Mounted on
/dev/ad1s1a 3.4G 1021M 2.4G 30% /

It should be /dev/ad0s1a.

Any thoughts on how to fix?

SRX1400 - SRX1K-SYSIO-XGE - Interfaces won't come up/"device not found"/FPC stays "present"


Hello,

I have an SRX1400 with SRX1K-RE-12-10, SRX1K-SYSIO-XGE, an SRX3K-NPC and an SRX3k-SPC in it. I'm having a strange issue where the only interface on the SRX1K-SYSIO-XGE that will come up is the fxp0 interface. The SYSIO-XGE card stays in "Present" state as well.

Some output:

> show chassis hardware
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                BH2412XXXXXX      SRX 1400
Midplane         REV 03   711-031012   AAETXXXX          SRX1k Backplane
PEM 0            rev 03   740-032015   J027KDXXXXXXX     AC Power Supply
CB 0             REV 07   750-032544   AAERXXXX          SRX1K-RE-12-10
  Routing Engine          BUILTIN      BUILTIN           Routing Engine
  CPP                     BUILTIN      BUILTIN           Central PFE Processor
  Mezz           REV 09   710-021035   AAETXXXX          SRX HD Mezzanine Card
FPC 0            REV 19   750-031019   AAERXXXX          SRX1k 10GE SYSIO
FPC 1            REV 15   750-016077   AADNXXXX          SRX3k SPC
FPC 3            REV 19   750-017866   AAEZXXXX          SRX3k NPC
Fan Tray         -N/A-    -N/A-        -N/A-             SRX 1400 Fan Tray
root@p2> show chassis fpc
                     Temp  CPU Utilization (%)   Memory    Utilization (%)
Slot State            (C)  Total  Interrupt      DRAM (MB) Heap     Buffer
  0  Present           29
  1  Present           19
  2  Empty
  3  Present           19

root@p2> show chassis fpc detail
Slot 0 information:
  State                                 Present
  Temperature                        29
  Total CPU DRAM                      0 MB
  Total RLDRAM                        0 MB
  Total DDR DRAM                      0 MB
  Max Power Consumption               0 Watts
Slot 1 information:
  State                                 Present
  Temperature                        19
  Total CPU DRAM                      0 MB
  Total RLDRAM                        0 MB
  Total DDR DRAM                      0 MB
  Max Power Consumption               0 Watts
Slot 3 information:
  State                                 Present
  Temperature                        19
  Total CPU DRAM                      0 MB
  Total RLDRAM                        0 MB
  Total DDR DRAM                      0 MB
  Max Power Consumption               0 Watts
root@p2> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
gr-0/0/0                up    up
ip-0/0/0                up    up
lt-0/0/0                up    up
avs0                    up    up
avs1                    up    up
avs1.0                  up    up   inet     254.0.0.254         --> 0/0
                                   inet6    fe80::199
dsc                     up    up
em0                     up    up
em0.0                   up    up   inet     10.0.0.1/8
                                            10.0.0.4/8
                                            128.0.0.1/2
                                            128.0.0.4/2
                                   inet6    fe80::200:ff:fe00:4/64
                                            fec0::a:0:0:4/64
                                   tnp      0x4
em1                     up    up
em1.0                   up    up   inet     10.0.0.1/8
                                            10.0.0.4/8
                                            128.0.0.1/2
                                            128.0.0.4/2
                                   inet6    fe80::200:1ff:fe00:4/64
                                            fec0::a:0:0:4/64
                                   tnp      0x4
fxp0                    up    up
fxp0.0                  up    up   inet     172.16.0.247/16
                                            172.31.0.247/16
                                            192.168.52.247/24
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
root@p2> show interfaces ge-0/0/0
error: device ge-0/0/0 not found
root@p2> show configuration
## Last commit: 2016-03-21 23:05:44 UTC by root
version 12.1X44-D35.5;
system {
    host-name p2;
    root-authentication {
        encrypted-password "$1$/8DJ.cHX$qaZkzKe6gYHA0BcWfUcvf0"; ## SECRET-DATA
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.10.10.1/24;
            }
        }
    }
    fxp0 {
        unit 0 {
            family inet {
                address 172.31.0.247/16;
                address 192.168.52.247/24;
                address 172.16.0.247/16;
            }
        }
    }
}

nvram: Invalid CRC on Saved Environment


Dear Juniper Team,

I have a problem with my SRX100H, which shows the error message below when I issue the commit command:

=============

# commit 
nvram: Invalid CRC on Saved Environment

============

Below is some information related to the device:

=============

> show version
Hostname: RGH-IIG
Model: srx100h
JUNOS Software Release [11.4R7.5]

> show system snapshot media internal
Information for snapshot on internal (/dev/da0s1a) (primary)
Creation date: Dec 31 12:06:54 1999
JUNOS version on snapshot:
junos : 11.4R7.5-domestic
Information for snapshot on internal (/dev/da0s2a) (backup)
Creation date: Dec 31 12:08:06 1999
JUNOS version on snapshot:
junos : 11.4R7.5-domestic

=======================================

Please advise us of any solution regarding this problem.

Best Regards,

Math

2 isp and nat


Hello! I have a new ISP and want to test it, so I configured a routing instance and an additional security zone. Everything seems fine so far, but I can't switch NAT to the second ISP.

Security zone for second ISP:

show security zones security-zone isp2 
host-inbound-traffic {
    system-services {
        ping;
        ssh;
        ike;
    }
}
interfaces {
    fe-0/0/4.0;
}

show security policies from-zone trust to-zone isp2

Security policy for second ISP:

policy trust-to-isp2 {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}

Source NAT rules:

pool default-ip {
    address {
        62.176.7.74/32;
    }
}
pool MX {
    address {
        62.176.7.61/32;
    }
}
pool cifra1 {
    address {
        79.134.86.54/32;
    }
}
rule-set nsw_srcnat {
    from zone trust;
    to zone untrust;
    rule MX {
        match {
            source-address 192.168.70.253/32;
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat {
                pool {
                    MX;
                }
            }
        }                               
    }                                   
    rule isp1 {            
        match {                         
            source-address 0.0.0.0/0;   
            destination-address 0.0.0.0/0;
        }                               
        then {                          
            source-nat {                
                pool {                  
                    default-ip;         
                }                       
            }                           
        }                               
    }                                   
}   
inactive: rule-set isp2-nat {           
    from zone trust;                    
    to zone isp2;                       
    rule ALL-NAT {                      
        match {                         
            source-address 0.0.0.0/0;   
            destination-address 0.0.0.0/0;
        }                               
        then {                          
            source-nat {                
                pool {                  
                    cifra1;             
                }                       
            }                           
        }                               
    }                                   
}   

If I switch the default rule for NAT from ISP1 to ISP2, users won't have access to the internet. What's wrong?

PPPoE connecting, but no browsing (ping ok)


Hi everyone, I'm trying to configure my SRX210 to connect with PPPoE. I went through the wizard and I see the connection being established. I can ping a website; however, I cannot browse to the same website or any other website. It's either really slow or not working at all. DNS works, I have my external IP address on the router and I see routing itself or NAT is going OK (also given that ping is working).

apply-macro Startup_Connection;
ppp-options {
    chap {
        default-chap-secret "blablabla/"; ## SECRET-DATA
        local-name blablalogin;
        passive;
    }
    pap {
        local-name blablalogin;
        local-password "blablasecret"; ## SECRET-DATA
        passive;
    }
}
pppoe-options {
    underlying-interface ge-0/0/0.0;
    auto-reconnect 1;
}
family inet {
    negotiate-address;
}
}

I tried a similar config with my SSG20, and that one works flawlessly, so it's not the connection itself, nor a user/pass error.

Any hints??


conversion from SSG config to SRX : p2-proposal with no-pfs


Given that the conversion tool ignores this completely, I am having trouble deciphering how to translate this line from my SSG.

Basically I have this:

set ike p2-proposal "nopfs-esp-aes256-sha" no-pfs esp aes256 sha-1 second 28800

which I'm guessing should translate to something like this on the SRX:

proposal nopfs-esp-aes256-sha {
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 28800;
}

but what I am unsure of is how "no-pfs" enters the picture. I'm guessing that with this command missing, it just defaults to nothing? Has anyone encountered this? Thanks for any help. Documentation says nothing on the SRX about "NO" pfs, so I am confused.

srx


Hello guys,

I'm having difficulties getting a support fee on an SRX5800...

Is it at end of support? It is a very "young" firewall... it seems strange.

Thanks a lot,

andrea

Problem with SRX 5800


Hi everyone,

I am having a problem with an SRX 5800. We had an energy issue on site and now my cluster shows OK, but I can't see the status of one routing-engine; it shows me this error:

error: error communicating with node1

but it shows OK on the cluster:

Redundancy group: 0 , Failover count: 1
node0 200 primary no no
node1 100 secondary no no

Redundancy group: 1 , Failover count: 1
node0 200 primary yes no
node1 100 secondary yes no

Redundancy group: 2 , Failover count: 1
node0 200 primary yes no
node1 100 secondary yes no

Redundancy group: 3 , Failover count: 1
node0 200 primary yes no
node1 100 secondary yes no

Redundancy group: 4 , Failover count: 1
node0 200 primary yes no
node1 100 secondary yes no

My question is: is my routing-engine dead, or can I do something to recover it? I am using version 11.4R5.5. Is there a way to log in to the other node? On other Junipers I can do "request routing-engine login", but this one doesn't show the command.

SRX Power Button


Hi,

Is it possible to disable the power button on all branch models (SRX 100, 210, 220, 240)?

Thanks

sd-syslog timestamp format


Hi,

I'm struggling with the timestamp on sd-syslog messages. It seems they are using the ISO 8601 timestamp format, but the timezone indication is missing. I have timestamps like this:

2016-03-24T14:41:24.806

But since I'm in the GMT+1 timezone, that time is not correctly interpreted by my logging system. According to ISO 8601 I should have the possibility to add a timezone indication like this:

2016-03-24T14:41:24.806+01:00 or 2016-03-24T13:41:24.806Z

Any idea how to achieve this?

Best regards,
Christophe
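Added example, not from the post and not Juniper's code: when the device cannot be made to emit the zone suffix, the collector can attach it before the event is indexed, so that the stored time is unambiguous. The sample sd-syslog line is constructed, and the +01:00 device offset is an assumption taken from the post; any tzinfo (for instance a zoneinfo.ZoneInfo, which also tracks DST) can be passed instead.

```python
"""Attach a timezone to sd-syslog timestamps that carry none.

Added example, not Juniper's code. The SRX emits structured-data syslog with
an ISO 8601 timestamp but no zone suffix, so the collector adds the offset
the device clock runs in. SAMPLE_LINE is constructed; DEVICE_TZ (+01:00) is
an assumption taken from the post.
"""
import re
from datetime import datetime, timedelta, timezone

# ISO 8601 date-time with optional fraction, not followed by a zone suffix.
NAIVE_TS = re.compile(
    r"\b(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?)(?![Zz+\-.\d])"
)

# Assumption: the device clock runs at GMT+1 with no DST, as in the post.
DEVICE_TZ = timezone(timedelta(hours=1))

# Constructed RFC 5424-style sd-syslog line (no timezone in the timestamp).
SAMPLE_LINE = (
    '<14>1 2016-03-24T14:41:24.806 srx100h2 RT_FLOW - RT_FLOW_SESSION_CREATE '
    '[junos@2636.1.1.1.2.36 source-address="192.0.2.10" destination-address="198.51.100.5"]'
)


def localize_timestamp(ts, device_tz=DEVICE_TZ):
    """Parse an ISO 8601 timestamp; attach device_tz only if it has no zone."""
    parsed = datetime.fromisoformat(ts)
    return parsed if parsed.tzinfo is not None else parsed.replace(tzinfo=device_tz)


def to_utc(ts, device_tz=DEVICE_TZ):
    """Return the timestamp as UTC in 'Z' form, e.g. 2016-03-24T13:41:24.806Z."""
    utc = localize_timestamp(ts, device_tz).astimezone(timezone.utc)
    return utc.isoformat(timespec="milliseconds").replace("+00:00", "Z")


def normalize_line(line, device_tz=DEVICE_TZ):
    """Rewrite the first zone-less timestamp in a syslog line to carry the
    device offset; lines whose timestamp already ends in Z or +hh:mm are
    returned unchanged, so re-processing a line is safe."""
    def add_offset(m):
        return localize_timestamp(m.group(1), device_tz).isoformat(timespec="milliseconds")
    return NAIVE_TS.sub(add_offset, line, count=1)


if __name__ == "__main__":
    print(normalize_line(SAMPLE_LINE))
    print(to_utc("2016-03-24T14:41:24.806"))
```

The check for an existing suffix matters in practice: a pipeline that applies the offset twice (once at a relay, once at the indexer) would shift events by an hour, which is the same class of error the missing zone causes in the first place.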

global multi-zone policy to junos-host doesn't match


Hello everybody,

I'm merging policies using the multi-zone feature of 12.1X47. This allows a global policy to bind to several zones.

So I made the following policy. This should replace the firewall on lo0 from the default config.

user@srx100h2# show security policies global 
policy any-to-junos-host-allow {
    match {
        source-address manager-ips;
        destination-address any;
        application junos-ssh;
        from-zone any;
        to-zone junos-host;
    }
    then {
        permit;
        log {
            session-init;
        }
        count;
    }
}
policy any-to-junos-host-deny {
    match {
        source-address any;
        destination-address any;
        application any;
        from-zone any;
        to-zone junos-host;
    }
    then {
        deny;
    }
}

However, traffic to the SRX is not blocked:

flow_first_policy_search: policy search from zone untrust-> zone junos-host (0x0,0x1fab0016,0x16)
Policy lkup: vsys 0 zone(10:untrust) -> zone(2:junos-host) scope:0
             a.b.c.d/8107 -> w.x.y.z/22 proto 6
  app 22, timeout 1800s, curr ageout 20s
  permitted by policy self-traffic-policy(1)
  packet passed, Permitted by policy.

But, if I rewrite the global policy to an untrust to junos-host policy, traffic to the SRX is correctly blocked.

user@srx100h2# show security policies from-zone untrust to-zone junos-host 
policy any-to-junos-host-allow {
    match {
        source-address manager-ips;
        destination-address any;
        application junos-ssh;
    }
    then {
        permit;
        log {
            session-init;
        }
        count;
    }
}
policy any-to-junos-host-deny {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        deny;
    }
}


flow_first_policy_search: policy search from zone untrust-> zone junos-host (0x0,0xc6680016,0x16)
Policy lkup: vsys 0 zone(10:untrust) -> zone(2:junos-host) scope:0
             a.b.c.d/50792 -> w.x.y.z/22 proto 6
  app 22, timeout 1800s, curr ageout 20s
  packet dropped, denied by policy
  denied by policy any-to-junos-host-deny(16), dropping pkt
  packet dropped,  policy deny.

Is this by design? 

Trouble with firewall filters


Hello everyone

Hoping someone could point me in the right direction.

I want to implement some firewall filters to restrict management access to our SRXs. I have followed a number of guides, including the official Juniper hardening guide (volume 2). Unlike most guides out there, on this one specific SRX we do not manage it via the fxp0 or the loopback interface; rather, we direct all traffic to a physical interface that connects to our OOB management network.

The bits that do not seem to work are the SNMP polls (incoming), TACACS authentication (outgoing) and ICMP (incoming). Here is how I have created these configurations:

1. Create prefix lists to define source IPs:

set policy-options prefix-list ACS XX.XXX.220.45/32
set policy-options prefix-list SPECTRUM XX.XXX.220.43/32
set policy-options prefix-list EHEALTH XX.XXX.220.46/32

2. Create firewall filter for each type of traffic:

set firewall family inet filter SRX-MGMT term PERMIT-SNMP-ICMP from source-prefix-list SPECTRUM
set firewall family inet filter SRX-MGMT term PERMIT-SNMP-ICMP from source-prefix-list EHEALTH
set firewall family inet filter SRX-MGMT term PERMIT-SNMP-ICMP from protocol udp
set firewall family inet filter SRX-MGMT term PERMIT-SNMP-ICMP from protocol icmp
set firewall family inet filter SRX-MGMT term PERMIT-SNMP-ICMP from destination-port snmp
set firewall family inet filter SRX-MGMT term PERMIT-SNMP-ICMP then accept
!
set firewall family inet filter SRX-MGMT term PERMIT-TACACS from source-prefix-list ACS
set firewall family inet filter SRX-MGMT term PERMIT-TACACS from protocol tcp
set firewall family inet filter SRX-MGMT term PERMIT-TACACS from source-port 49
set firewall family inet filter SRX-MGMT term PERMIT-TACACS then accept

3. Create default deny at bottom to reject everything else:

set firewall family inet filter SRX-MGMT term DEFAULT-DENY then syslog log reject

4. Apply to interface:

set interfaces ge-0/0/2.0 family inet filter input SRX-MGMT

With this I cannot authenticate using TACACS. Even by adding in the destination prefix list to match the ACS, still nothing. All incoming ICMP pings are being rejected and all incoming SNMP polls too.

Any ideas on where my issue is?

Thank you


Fabric physical up, but Fabric link status: Down. Why?

show chassis cluster interfaces  
Control link status: Up

Control interfaces: 
    Index   Interface        Status
    0       em0              Up    
    1       em1              Up    

Fabric link status: Down

Fabric interfaces: 
    Name    Child-interface    Status
                               (Physical/Monitored)
    fab0    ge-0/0/1           Up   / Down
    fab0   
    fab1    ge-4/0/1           Up   / Down
    fab1  

Clustering


Hi,

I have an SRX650 already running and I bought a new identical SRX650 to do clustering. What is the process for doing so? Do I need to have downtime, or can we configure the new one while the old one is running?

Thanks in advance.

Amjad

how to read total policy on device srx3400


Hi all,

I have an srx3400 device and configured many zones and policies, but I don't know how to see the total number of policies on the srx3400.

The device:

Model: srx3400
JUNOS Software Release [10.4R10.7]

Thanks,

IDP Direction on SRX

Hi, my understanding is that it is more worthwhile to apply IDP only in the untrust-to-all-zones direction, as this is the direction most attacks come from, and it decreases the amount of traffic processed by IDP if you have a lot of LAN-to-LAN or cross-site traffic over MPLS. Please share your insights. Am

Filesystem full when trying add software on SRX5800


Hello,

I am trying to upgrade my SRX5800 chassis but am getting an error that my /cf filesystem is low on disk space. This is the exact error:

/cf filesystem is low on free disk space. This package requires 362380k free, but there is only 43742k available.

I did run the "df -k" command in the shell and /juno/cf is at 95% capacity. Used = 823044 and Available = 43742.

What can I delete to free up some space?

Regards,

TD
