Channel: SRX Services Gateway topics

some errors on the SRX

Hi All,

Recently the following log messages have been appearing on the high-end SRX in a cluster environment. Is anyone experiencing these errors?

 node0.fpc0.pic0 cpu_util_usp_ipc_cmd_handler: message is type 4
 node0.fpc0.pic1 cpu_util_usp_ipc_cmd_handler: message is type 4
 node0.fpc0.pic2 cpu_util_usp_ipc_cmd_handler: message is type 4
 node0.fpc0.pic3 cpu_util_usp_ipc_cmd_handler: message is type 4
 node0.fpc0.pic0 cpu_util_usp_ipc_cmd_handler: message is type 4
 node0.fpc0.pic1 cpu_util_usp_ipc_cmd_handler: message is type 4
 node0.fpc0.pic2 cpu_util_usp_ipc_cmd_handler: message is type 4
 node0.fpc0.pic3 cpu_util_usp_ipc_cmd_handler: message is type 4
 rpd[2740]: Decode ifd ge-5/3/9 index 172: ifdm_flags 0xc001
 rpd[2740]: EVENT <UpDown> ge-5/3/9.0 index 101 <Broadcast Multicast> address #0 0.10.db.ff.b0.0
 rpd[2740]: EVENT <UpDown> ge-5/3/9 index 172 <Broadcast Multicast> address #0 0.10.db.ff.b0.0
 /kernel: ae_linkstate_ifd_change: MDOWN received for interface ge-5/3/9, member of reth0
 mib2d[2796]: SNMP_TRAP_LINK_DOWN: ifIndex 680, ifAdminStatus up(1), ifOperStatus down(2), ifName ge-5/3/9
 (FPC Slot 0, PIC Slot 3) SPC0_PIC3 kernel: ge-5/3/9: get tlv ppfeid 0
 (FPC Slot 0, PIC Slot 3) SPC0_PIC3 kernel: if_pfe_set_dcd_link_state: ifd=ge-5/3/9, ifd flags=0xc001
 (FPC Slot 0, PIC Slot 3) SPC0_PIC3 kernel: ae_linkstate_ifd_change: MDOWN received for interface ge-5/3/9, member of reth0
 (FPC Slot 0, PIC Slot 1) SPC0_PIC1 kernel: ge-5/3/9: get tlv ppfeid 0
 (FPC Slot 0, PIC Slot 1) SPC0_PIC1 kernel: if_pfe_set_dcd_link_state: ifd=ge-5/3/9, ifd flags=0xc001
 (FPC Slot 0, PIC Slot 1) SPC0_PIC1 kernel: ae_linkstate_ifd_change: MDOWN received for interface ge-5/3/9, member of reth0
 (FPC Slot 0, PIC Slot 2) SPC0_PIC2 kernel: ge-5/3/9: get tlv ppfeid 0
 (FPC Slot 0, PIC Slot 2) SPC0_PIC2 kernel: if_pfe_set_dcd_link_state: ifd=ge-5/3/9, ifd flags=0xc001
 (FPC Slot 0, PIC Slot 2) SPC0_PIC2 kernel: ae_linkstate_ifd_change: MDOWN received for interface ge-5/3/9, member of reth0
 (FPC Slot 0, PIC Slot 0) SPC0_PIC0 kernel: ge-5/3/9: get tlv ppfeid 0
 (FPC Slot 0, PIC Slot 0) SPC0_PIC0 kernel: if_pfe_set_dcd_link_state: ifd=ge-5/3/9, ifd flags=0xc001
 (FPC Slot 0, PIC Slot 0) SPC0_PIC0 kernel: ae_linkstate_ifd_change: MDOWN received for interface ge-5/3/9, member of reth0
 /kernel: ae_linkstate_ifd_change: MUP received for interface ge-5/3/9, member of reth0
 rpd[2740]: Decode ifd ge-5/3/9 index 172: ifdm_flags 0xc000
 rpd[2740]: EVENT <UpDown> ge-5/3/9.0 index 101 <Up Broadcast Multicast> address #0 0.10.db.ff.b0.0
 rpd[2740]: EVENT <UpDown> ge-5/3/9 index 172 <Up Broadcast Multicast> address #0 0.10.db.ff.b0.0
 mib2d[2796]: SNMP_TRAP_LINK_UP: ifIndex 680, ifAdminStatus up(1), ifOperStatus up(1), ifName ge-5/3/9
 mib2d[2796]: SNMP_TRAP_LINK_UP: ifIndex 681, ifAdminStatus up(1), ifOperStatus up(1), ifName ge-5/3/9.0
 (FPC Slot 0, PIC Slot 2) SPC0_PIC2 kernel: ge-5/3/9: get tlv ppfeid 0
 (FPC Slot 0, PIC Slot 2) SPC0_PIC2 kernel: if_pfe_set_dcd_link_state: ifd=ge-5/3/9, ifd flags=0xc000
 (FPC Slot 0, PIC Slot 2) SPC0_PIC2 kernel: ae_linkstate_ifd_change: MUP received for interface ge-5/3/9, member of reth0
 (FPC Slot 0, PIC Slot 0) SPC0_PIC0 kernel: ge-5/3/9: get tlv ppfeid 0
 (FPC Slot 0, PIC Slot 0) SPC0_PIC0 kernel: if_pfe_set_dcd_link_state: ifd=ge-5/3/9, ifd flags=0xc000
 (FPC Slot 0, PIC Slot 0) SPC0_PIC0 kernel: ae_linkstate_ifd_change: MUP received for interface ge-5/3/9, member of reth0
 (FPC Slot 0, PIC Slot 3) SPC0_PIC3 kernel: ge-5/3/9: get tlv ppfeid 0
 (FPC Slot 0, PIC Slot 3) SPC0_PIC3 kernel: if_pfe_set_dcd_link_state: ifd=ge-5/3/9, ifd flags=0xc000
 (FPC Slot 0, PIC Slot 3) SPC0_PIC3 kernel: ae_linkstate_ifd_change: MUP received for interface ge-5/3/9, member of reth0
 (FPC Slot 0, PIC Slot 1) SPC0_PIC1 kernel: ge-5/3/9: get tlv ppfeid 0
 (FPC Slot 0, PIC Slot 1) SPC0_PIC1 kernel: if_pfe_set_dcd_link_state: ifd=ge-5/3/9, ifd flags=0xc000
 (FPC Slot 0, PIC Slot 1) SPC0_PIC1 kernel: ae_linkstate_ifd_change: MUP received for interface ge-5/3/9, member of reth0
 mustd: UI_DELTA_CONSTRAINT_CHECK_NOT_RUNNING: delta constraint check process can not run because persist groups is not configured
 nsd[2784]: ipc_pipe_write:353 num_sent=-1 errno=35 Resource temporarily unavailable

Thanks

Erx
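
Not part of the original post: an added Python example that parses the kernel and mib2d messages quoted above to learn which physical port belongs to which reth bundle, and counts down/up flaps per member from the SNMP link traps alone (the same event is repeated by /kernel and by every SPC PIC, so counting those lines would inflate the number). The embedded sample is constructed from the lines above plus one extra down/up trap pair so the threshold has something to trigger on; the post carried no timestamps, so none are used.

```python
import re
from collections import defaultdict

# Constructed sample: the syslog lines quoted in the post above, with one extra
# DOWN/UP trap pair for ge-5/3/9 appended so that the threshold triggers.
SAMPLE_LOG = """\
node0.fpc0.pic0 cpu_util_usp_ipc_cmd_handler: message is type 4
/kernel: ae_linkstate_ifd_change: MDOWN received for interface ge-5/3/9, member of reth0
mib2d[2796]: SNMP_TRAP_LINK_DOWN: ifIndex 680, ifAdminStatus up(1), ifOperStatus down(2), ifName ge-5/3/9
(FPC Slot 0, PIC Slot 3) SPC0_PIC3 kernel: ae_linkstate_ifd_change: MDOWN received for interface ge-5/3/9, member of reth0
(FPC Slot 0, PIC Slot 1) SPC0_PIC1 kernel: ae_linkstate_ifd_change: MDOWN received for interface ge-5/3/9, member of reth0
/kernel: ae_linkstate_ifd_change: MUP received for interface ge-5/3/9, member of reth0
mib2d[2796]: SNMP_TRAP_LINK_UP: ifIndex 680, ifAdminStatus up(1), ifOperStatus up(1), ifName ge-5/3/9
mib2d[2796]: SNMP_TRAP_LINK_UP: ifIndex 681, ifAdminStatus up(1), ifOperStatus up(1), ifName ge-5/3/9.0
(FPC Slot 0, PIC Slot 2) SPC0_PIC2 kernel: ae_linkstate_ifd_change: MUP received for interface ge-5/3/9, member of reth0
mib2d[2796]: SNMP_TRAP_LINK_DOWN: ifIndex 680, ifAdminStatus up(1), ifOperStatus down(2), ifName ge-5/3/9
mib2d[2796]: SNMP_TRAP_LINK_UP: ifIndex 680, ifAdminStatus up(1), ifOperStatus up(1), ifName ge-5/3/9
nsd[2784]: ipc_pipe_write:353 num_sent=-1 errno=35 Resource temporarily unavailable
"""

# mib2d trap: one line per link transition, for physical and logical interfaces.
TRAP_RE = re.compile(r"SNMP_TRAP_LINK_(?P<state>UP|DOWN): .*\bifName (?P<ifname>\S+)\s*$")
# kernel member message: tells us which reth bundle the physical port belongs to.
MEMBER_RE = re.compile(
    r"ae_linkstate_ifd_change: (?P<state>MUP|MDOWN) received for interface "
    r"(?P<ifname>[^,\s]+), member of (?P<bundle>\S+)"
)


def reth_membership(text):
    """Map physical interface -> reth bundle from the MDOWN/MUP messages.
    /kernel and every SPC PIC log the same event, so the dict is just overwritten."""
    members = {}
    for line in text.splitlines():
        m = MEMBER_RE.search(line)
        if m:
            members[m["ifname"]] = m["bundle"]
    return members


def count_flaps(text):
    """Count DOWN followed by UP per physical interface, using only the mib2d traps.
    Logical units (ge-5/3/9.0) are folded into their physical interface so the
    extra LINK_UP for the unit is not counted as a second flap."""
    flaps = defaultdict(int)
    currently_down = set()
    for line in text.splitlines():
        m = TRAP_RE.search(line)
        if not m:
            continue
        ifname = m["ifname"].split(".")[0]
        if m["state"] == "DOWN":
            currently_down.add(ifname)
        elif ifname in currently_down:
            currently_down.discard(ifname)
            flaps[ifname] += 1
    return dict(flaps)


def flapping_reth_members(text, threshold=2):
    """Return {member: (bundle, flaps)} for reth members that flapped >= threshold times."""
    members = reth_membership(text)
    return {
        ifname: (members[ifname], n)
        for ifname, n in count_flaps(text).items()
        if n >= threshold and ifname in members
    }


if __name__ == "__main__":
    for member, (bundle, n) in flapping_reth_members(SAMPLE_LOG).items():
        print(f"{member} (member of {bundle}) flapped {n} times")
```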

SSH Access via VPN Only

Is it possible to have two policies from the same zone to the same zone that only allow SSH access from the VPN address range rather than from everywhere, please?

I will try and explain the issue:

I have a "Customer-VR" which is connected to an aggregated interface "AE1". This in turn is connected to the internal network where the LNS resides and the Core.

I have a second VR, let's call it "ssh-vpn-VR". This has a physical interface of ge-0/0/8.

The ST interface, as the end point for data, is located within the "Customer-VR".

This all works perfectly at the moment but now I have the issue of allowing all traffic other than SSH through the Customer-VR but only SSH traffic from the VPN. So, can I craft two policies to complete this please?

Moving to SRX from SSG

Hi All,

We've had great service from our SSGs and now want to replace them; it's overdue. We've made use of 2 x SSG140s in our head office (active-passive HA) and single SSG20s in remote offices. Our needs are pretty simple: a decent firewall and good policies, a handful of VPNs, OSPF and RIP, good bandwidth control and shaping, plus we only need to operate one remote office these days. I've kind of settled on SRX340s and SRX320s; they seem to be positioned similarly to where our SSGs sat in the family and are within our budget. We want to run two devices at both sites to achieve the same sort of HA.

As the boxes have just sat there for many years doing a great job we've become very rusty when it comes to where the latest Juniper devices are.  I've tried to trawl the internet for some answers to a couple of queries but have struggled to find info so wondered if anyone can advise at all?

1 - We run dedicated cloud email and web filtering solutions (Mimecast and Symantec Web Security Service, itself a VPN from the SSGs) as well as Symantec Endpoint Protection for on-device security. Bearing that in mind, we are really looking at these devices to offer really good firewalling functionality - are they overkill if we don't use any sort of UTM features? What are people's opinions of the quality of the firewall on these devices?

2 - Is the 300 series relatively new?  I haven't come across any EOL information to say they are going away any time soon (vs. the 200 series which looks to be EOL in a couple of years).

3 - We'd ideally like to somehow manage the firewall's outgoing policies across both sites centrally to save manually keeping complex rules (like bypassing the web filtering for Office 365 services) in sync.  Are there any tools or software from Juniper to help with this?

4 - One bugbear of ScreenOS is that we've never been able to use wildcard hostnames for firewall rule address book entries (again a real pig for Office 365). Is that offered on the SRXs? How do others manage this challenge?

5 - Our SSG's have operated brilliantly and have been very reliable.  For those who have moved from them to SRX can you say the same?

6 - The Enhanced Junos software only appears to offer Application Security (AppID, AppFW, AppQoS and AppRoute) features over base - is everything else equivalent across the software? I'm struggling to find decent documentation on the App security features; can anyone point me in the right direction? Would we benefit from these features bearing in mind our web filtering software?

7 - I'm finding the software licensing confusing. I get that these are sold as hardware first, with a separation from the software point of view (to aid hardware portability, I believe). I'm looking at the SRX340-SYS-JB part (unless Enhanced proves useful) and similar for the SRX320. Would the -JB parts include the cost of the software? What ongoing support/licensing packages would we need to ensure ongoing use of the software and provide access to future software updates?

8 - Broad, but is there anything that the SRX's don't do that the SSG's did well?

Apologies for the length, but if there's anything anyone could advise it would be really appreciated.

TIA.

Trying to get DHCP working on srx650

I understand the device is EoL and no longer supported, but I need help configuring DHCP on an SRX650 with an XPIM module installed. The ethernet-switching family is NOT supported, so I've been trying to use the family bridge and subinterface units, but DHCP will not work. No DHCP traffic is being generated by the SRX 650.

Does anyone have a configuration for DHCP on an SRX 12.3X48- (with an XPIM device)? 

SRX 300 License?

Hi all, I am new to Juniper licensing. Do I have to buy a license to use an SRX300 such as this legally? Do I just lose functionality if I don't?

 https://www.cdw.com/product/Juniper-Networks-SRX300-Services-Gateway-security-appliance/4019552?pfm=srh

If so, why do they even sell an unlicensed/unusable device? Is this just a hardware-replacement type of purchase, where I would move a license from an existing srx300?

Seems like I am better off buying the jsb (assuming it's an all-in-one purchase with software and hardware) for my needs: https://www.cdw.com/product/Juniper-Networks-SRX300-Services-Gateway-security-appliance/4720675?pfm=srh  I don't need the JSE at this time.

Thanks for the help on understanding this licensing situation. 

software for Juniper 240srx

We are having an issue with our Windows 10 workstations where Pulse connects successfully but sometimes the client won't pass any data. It happens randomly, usually 1 out of 5 tries. The client always connects but sometimes you can't ping across it. Our Windows 7 machines are fine. We have not been able to identify a certain build of Win 10 or patch causing this. The other end is a Juniper 240srx. We have the 5.2 version and 9.0.1 of the Pulse Secure client. What software can you offer for connecting from client PCs with Windows 10 through a Juniper 240srx?

Thanks. 

SRX Not logging blocked traffic

Hi,

I have a configuration like this to log the details of the blocked traffic to a file.

set groups Default-Deny-LOG-Template security policies from-zone <*> to-zone <*> policy defult-deny match source-address any
set groups Default-Deny-LOG-Template security policies from-zone <*> to-zone <*> policy defult-deny match destination-address any
set groups Default-Deny-LOG-Template security policies from-zone <*> to-zone <*> policy defult-deny match application any
set groups Default-Deny-LOG-Template security policies from-zone <*> to-zone <*> policy defult-deny then deny
set groups Default-Deny-LOG-Template security policies from-zone <*> to-zone <*> policy defult-deny then log session-init
set groups Default-Deny-LOG-Template security policies from-zone <*> to-zone <*> policy defult-deny then count

set groups node0 system host-name x.x.x.x
set groups node0 interfaces fxp0 unit 0 family inet address x.x.x.x
set groups node1 system host-name x.x.x.x
set groups node1 interfaces fxp0 unit 0 family inet address x.x.x.x
set apply-groups "${node}"
set apply-groups Default-Deny-LOG-Template
set system syslog file blocked-traffic any any
set system syslog file blocked-traffic match RT_FLOW_SESSION_DENY

user@FW> show log blocked-traffic
May 24 12:25:42 FW clear-log[6156]: logfile cleared    ---> THIS FILE IS NOT SHOWING ANY DATA

{primary:node0}
user@FW>

I am sure that there is traffic being denied at the FW, but the details are not getting added to the log file. Can anyone please point out what is wrong in this configuration?

How can I get the sessions table quickly?

Hi guys,

The customer would like to have a global and complete view of the network flows managed by an SRX firewall. To do that, I thought I would get the session table periodically over a long period of time, for example one month, and then provide him with an Excel document listing all sessions (source IP, destination IP, protocol and port), without the duplicates of course.

If I use the "show security flow session node xx" command, the output never finishes; there are too many connections. The "show security flow session node xx summary" command tells me that there are around 68.000 connections in use!

Is there a way to get the session table of this firewall quickly, without using the "security flow session" command and without stressing the CPU? The customer manages each firewall through Junos Space. Can Space help me reach my goal?

Let me know. Thanks
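
As an added example (not from the original post or from Juniper): a Python script that reduces captured "show security flow session" output to the unique (source, destination, protocol, destination port) tuples the post asks for and emits CSV for Excel, so each periodic capture only has to be saved to a file and fed through once. The embedded sample is constructed; the "In:"/"Out:" wing-line layout follows the usual SRX output, while the node header, addresses, session ids and counters are invented.

```python
import csv
import io
import re

# Constructed sample of `show security flow session` output. The In:/Out: wing
# lines use the usual SRX layout; addresses, ids and counters are invented.
SAMPLE_OUTPUT = """\
node0:
--------------------------------------------------------------------------
Session ID: 10001, Policy name: trust-to-untrust/4, Timeout: 1794, Valid
  In: 10.10.1.25/51234 --> 93.184.216.34/443;tcp, If: reth1.0, Pkts: 12, Bytes: 1840
  Out: 93.184.216.34/443 --> 198.51.100.2/6201;tcp, If: reth0.0, Pkts: 10, Bytes: 9211
Session ID: 10002, Policy name: trust-to-untrust/4, Timeout: 2, Valid
  In: 10.10.1.25/51299 --> 93.184.216.34/443;tcp, If: reth1.0, Pkts: 9, Bytes: 1330
  Out: 93.184.216.34/443 --> 198.51.100.2/6202;tcp, If: reth0.0, Pkts: 8, Bytes: 7700
Session ID: 10003, Policy name: trust-to-dns/7, Timeout: 2, Valid
  In: 10.10.1.40/40022 --> 10.20.0.53/53;udp, If: reth1.0, Pkts: 1, Bytes: 70
  Out: 10.20.0.53/53 --> 10.10.1.40/40022;udp, If: reth2.0, Pkts: 1, Bytes: 140
Session ID: 10004, Policy name: trust-to-untrust/4, Timeout: 1788, Valid
  In: 2001:db8:1::25/55001 --> 2001:db8:ffff::10/443;tcp, If: reth1.0, Pkts: 4, Bytes: 600
  Out: 2001:db8:ffff::10/443 --> 2001:db8:1::25/55001;tcp, If: reth0.0, Pkts: 3, Bytes: 400
Total sessions: 4
"""

# Only the In: wing is read: it is the client side of the session, before NAT.
# [^/\s]+ accepts both IPv4 and IPv6 literals (the port follows the last '/').
WING_RE = re.compile(
    r"^\s*In:\s+(?P<src>[^/\s]+)/(?P<sport>\d+)\s+-->\s+(?P<dst>[^/\s]+)/(?P<dport>\d+);(?P<proto>\w+)"
)


def unique_flows(text):
    """Set of (src, dst, proto, dport) from one capture; the ephemeral source
    port is dropped, which is what makes repeat connections collapse."""
    flows = set()
    for line in text.splitlines():
        m = WING_RE.match(line)
        if m:
            flows.add((m["src"], m["dst"], m["proto"], int(m["dport"])))
    return flows


def merge_snapshots(snapshots):
    """Union of several captures taken over time (e.g. one per hour for a month)."""
    merged = set()
    for snap in snapshots:
        merged |= unique_flows(snap)
    return merged


def to_csv(flows):
    """Render the flows as CSV text with a header row, sorted for readability."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["source", "destination", "protocol", "port"])
    for src, dst, proto, port in sorted(flows):
        writer.writerow([src, dst, proto, port])
    return buf.getvalue()


if __name__ == "__main__":
    # Real use: read each saved capture from disk and pass them all to merge_snapshots().
    print(to_csv(merge_snapshots([SAMPLE_OUTPUT])), end="")
```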

Source Nat match destination

I have an srx240b2, 11.47xxxx. I want to know if I can use source NAT match destination 0.0.0.0/0 with the internet. I know I can use source NAT match source 0.0.0.0/0; match source is the default. The first time I tried match destination 0.0.0.0/0 it dropped my internet and TV cable connection. No DS/US.

Source Nat options

Where can I find the options for this command set?
set security nat source rule-set xxx rule xxx match protocol ?????

Sub-interfaces in different routing-instances w/o tagging.

Hi everyone -

I currently have 3 sub-interfaces off a single RETH - for example:

reth7.2 = 192.168.72.1/24 

reth7.3 = 192.168.73.1/24

reth7.4 = 192.168.74.1/24

I have placed each sub-interface into its own routing-instance - for example:

set routing-instances vr-72 interface reth7.2

set routing-instances vr-73 interface reth7.3

set routing-instances vr-74 interface reth7.4

I wasn't able to create subinterfaces without enabling vlan-tagging.

My question is: I don't want to have to tag any of the subinterfaces - is there a way to do so? I mean, for all intents and purposes, since each sub-interface resides within a different routing instance, why can't the SRX simply treat each interface as if it's all by itself? Why the need for a tag?

For example: If reth7 is plugged directly into an EX4200 switch interface (access-port) that is configured for VLAN_10; if another host in VLAN_10 broadcasts an ARP for 192.168.72.1, the switch will flood it out all VLAN_10 interfaces - wouldn't reth7.2 respond?

Similarly, if a different host in VLAN_10 broadcasts an ARP for 192.168.73.1, the switch will flood it out all VLAN_10 interfaces - wouldn't reth7.3 respond?

Is it really much different than having several different IP-addresses of different IP-networks on a single interface that is plugged into the same switch interface?

Anyway - hope I'm not sounding too confusing or forgetting basic networking!

Thanks!

NCP Client not connecting

Hi,

I am trying to completely lock down our SRX firewalls and so am at the very last point, the rest is working fine as expected.

I have an NCP Client that connected fine before this lockdown implementation. I have a VR called Customer-VR that the st0.1 interface resides in, and this is tied to the dynamic VPN configuration. So, to lock this down I have created the following policy:

set security policies from-zone Customer-Network to-zone Customer-Network policy test match source-address any
set security policies from-zone Customer-Network to-zone Customer-Network policy test match destination-address any
set security policies from-zone Customer-Network to-zone Customer-Network policy test match application NCPVPN (UDP 500 and 4500)
set security policies from-zone Customer-Network to-zone Customer-Network policy test then permit

set security policies from-zone Customer-Network to-zone Customer-Network policy test1 match source-address any
set security policies from-zone Customer-Network to-zone Customer-Network policy test1 match destination-address any
set security policies from-zone Customer-Network to-zone Customer-Network policy test1 match application any
set security policies from-zone Customer-Network to-zone Customer-Network policy test1 then deny

set applications application NCPVPN term 1 protocols udp
set applications application NCPVPN term 1 destination-port 500
set applications application NCPVPN term 2 protocols udp
set applications application NCPVPN term 2 destination-port 4500

As mentioned, without the deny policy it all works fine, so, theoretically with the deny policy it should also work as it hits the permit policy first.

The only issue I can think of is that we have not configured the application correctly.

Can you let me know what the ports are for NCP or dynamic VPN, or what I have configured wrong?

Thanks

srx j-web upgrade version

Hi Junos Expert.

Can the SRX J-Web version be upgraded on old/new platforms? I tried to Google it but I can't find anything. Many thanks.

SRX220 - DMZ - Double NAT - PS4 - External Wireless Router - to achieve NAT type 2 Help!

Equipment:

  • Juniper SRX220h
  • Playstation 4 pro
  • Cisco/Linksys WRT610N
  • Verizon FIOS 100/100
  • Dell Poweredge Server

Research Source links:

I understand I am using old equipment; however, as a Desktop Support IT guy, I don't mind reusing equipment for home use, especially if it was brand new, never opened, and acquired as gifts. I also host a Plex Server and a Ubooquity web server, all for personal use. Choosing to be behind an enterprise-grade Juniper gateway firewall is a smart choice. Plus, I get to learn something new, like when I see net admins at work clacking away in a CLI box. This has been an awesome experience for me to learn Juniper on an enterprise level to secure my home server and Docker containers.

Now that I have added a PlayStation 4 to the mix, I am finding this quite complicated, to the point where I now need to post on a forum for help and guidance. I have looked through the links about this topic, and knowing me, the Desktop Support guy, I am always thinking around the box.

At first I thought the NAT Type 3 on PlayStation Network was because I was double NAT'ing my wireless router, since I did not set it up as an AP but just put it on a different subnet. I didn't care before because most devices connecting to the wireless gateway are on the 2.4GHz (1 laptop, Chromecast) and 5GHz (1 TV, PS4, 1 laptop, 3 mobile phones) bands. As soon as I got this PS4 my world was turned upside down, and it's been a while since I gamed, 2005 with a PS2 to be exact. Back in the day it just worked; my buddies and I could clan up and talk in SOCOM. Old school, I know.

Because of the UPnP limitation, I am not at all comfortable opening up (ranges of) ports, over 2,030+ ports spanning TCP/UDP.

Interface ge-0/0/0 is connected directly to the Verizon FIOS ONT vLAN Gateway on X.X.2.1
Interface ge-0/0/7 is connected to the Cisco/Linksys WRT610N Wireless router (*AP mode - in LAN 1 on the 4 port switch) or (**Gateway mode on the X.X.3.1 subnet in the Internet Port), both of which I have had set up and working. Currently the Wireless Router is in AP Mode, and I also set its IP/MAC address in the wLAN settings in JUNOS on the SRX.

If I go back to **Gateway mode Double NAT exists.

If I were to have Double NAT, NAT from Juniper and NAT from the Wireless Router, would putting the Wireless Router in the SRX DMZ zone on Interface ge-0/0/7 help achieve NAT type 2 for the PlayStation 4? And how would this affect other local connectivity to my server: would I still be able to access NAS file storage, admin web config pages on Example: X.X.2.255:65553 and JUNOS on X.X.2.1 wirelessly if the Router is in the DMZ zone, or is it completely independent and isolated?

Double NAT and DMZ are completely new to me.

Unable to Connect third party service

The third party said the registration needs UDP 5060, 1812 and 1813. I have permitted the ports, but it does not work.

Many thanks

policy SIP_Vendor {
    match {
        source-address VOIP;
        destination-address any;
        application [ IPPHONE IPPHONE1 IPPHONE2 ];
    }
    then {
        permit;
    }
}

applications {
    application msa {
        protocol tcp;
        destination-port 587;
    }
    application IPPHONE {
        protocol udp;
        destination-port 1812-1813;
    }
    application IPPHONE1 {
        protocol udp;
        destination-port 5060;
    }
    application IPPHONE2 {
        protocol tcp;
        destination-port 5060;
    }
}

IPv6 source NAT match equivalent

Srx240b2, 11.47xxx. Is there an equivalent to "set security nat source rule-set xxx rule xxx match protocol" for IPv6?

Protect SRX from Stealth scans

Hi,

I have searched for a clear cut answer to this question but cannot seem to find one.

I want to be able to protect our SRX Firewalls from stealth scans via nmap or a similar program that will silently look for listening ports or even open ports. Is there a very quick, easy method for this or some easy to read document somewhere that will state the best way to complete this please?

Thanks

Anyone know how to activate this license using the new Juniper web portal?

Limit bandwidth use on a specific port by ACL?

Our ISP is giving us 1G of data on a 10G port.  We can use up to 10G but at an extra rate.  I'd like to limit the users who could exceed 1G to a specific range.  Is that possible?

Using an SRX 1500 

Version 15.1X49-D40.6

SRX300 DHCP Client issue

Dear Experts,

I'm struggling with the DHCP client setup on an SRX300 (JunOS 15.1X49-D130.6). Any help will be appreciated.

I've 2 ISPs, connected to ge-0/0/0 and ge-0/0/1, and I'm not able to obtain an IP address from their networks with my brand new SRX. Everything works as expected with other devices if I place them as DHCP clients instead of the SRX (Mikrotik and Huawei AR3), and if I plug ge-0/0/1 into my internal network switch, it will obtain an IP address.

I've tried various configurations, including https://www.juniper.net/documentation/en_US/junos/topics/example/security-device-dhcp-client-configuring.html . There are no suspicious messages in the log and I'm really puzzled about what is wrong.

What is the minimal working dhcp client configuration for this version ?

My configuration is:

root@srx300> show configuration interfaces ge-0/0/1
description External2;
speed 100m;
link-mode full-duplex;
mac c4:6e:1f:xx:xx:xx;
gigether-options {
    no-auto-negotiation;
}
unit 0 {
    family inet {
        dhcp-client {
            lease-time 86400;
            retransmission-attempt 6;
            retransmission-interval 5;
            update-server;
            vendor-id ether;
            force-discover;
            options {
                no-hostname;
            }
        }
    }
}

This is show interface:

root@srx300> show interfaces ge-0/0/1
Physical interface: ge-0/0/1, Enabled, Physical link is Up
Interface index: 138, SNMP ifIndex: 512
Description: External2
Link-level type: Ethernet, MTU: 1514, LAN-PHY mode, Link-mode: Full-duplex, Speed: 100mbps, BPDU Error: None, MAC-REWRITE Error: None,
Loopback: Disabled, Source filtering: Disabled, Flow control: Disabled, Auto-negotiation: Disabled, Remote fault: Online
Device flags : Present Running
Interface flags: SNMP-Traps Internal: 0x0
Link flags : None
CoS queues : 8 supported, 8 maximum usable queues
Current address: c4:6e:1f:xx:xx:xx, Hardware address: d8:b1:22:xx:xx:xx
Last flapped : 2018-06-26 15:06:31 EEST (01:30:03 ago)
Input rate : 6536 bps (12 pps)
Output rate : 0 bps (0 pps)
Active alarms : None
Active defects : None
Interface transmit statistics: Disabled

Logical interface ge-0/0/1.0 (Index 75) (SNMP ifIndex 520)
Flags: Up SNMP-Traps 0x0 Encapsulation: ENET2
Input packets : 245351
Output packets: 39
Security: Zone: untrust
Allowed host-inbound traffic : dhcp
Protocol inet, MTU: 1500
Flags: Sendbcast-pkt-to-re

security-zone untrust {
    ge-0/0/1.0 {
        host-inbound-traffic {
            system-services {
                dhcp;
            }
        }
    }
}

Kind regards,

D
