Channel: SRX Services Gateway topics
Viewing all 3959 articles

SRX and storage devices on SRX

Hi everyone.

Please consider the following output:

(attached screenshot: DELETE-ME.PNG)

Flash drive:

Denoted by da0, but I do not see any "slice" on the flash drive? Am I correct and missing something?

Hard drive:

Seems like usb0 is being used to denote the hard drive (because of the well-known HDD vendor).

1) What are slices in the Juniper file system? Based on some Google searching, it looks like disk space is divided into "slices", then each slice is further divided into partitions.

Thanks and have a nice evening!!


Code notes, cli, jweb, syntax, how?

Much like Java, or even JavaScript, and others like C++, etc., there is a way to place notes after or before lines of code. How is this done in the J-Web interface? I'm sure there is a topic and documentation but I can't find it. What is the syntax? Header/footer, end of line, beginning of line, etc.?
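Added example, not from the post: in the Junos CLI the comment mechanism is `annotate`, issued in configuration mode at the hierarchy level that contains the statement. It attaches a `/* ... */` comment that is stored with the configuration and displayed above the statement it belongs to. The policy and the comment text are hypothetical; J-Web is not covered here.

```junos
## Added example, not from the original post. The policy name and comment
## are hypothetical. Lines starting with ## are explanation, not commands.

## Move to the hierarchy level that contains the statement to comment:
[edit]
user@srx# edit security policies from-zone trust to-zone untrust

## Attach a comment to one statement at this level:
[edit security policies from-zone trust to-zone untrust]
user@srx# annotate policy ALLOW-WEB "Change 1234: HTTP/HTTPS only; review quarterly"

## The comment is stored with the configuration and shown above the statement:
user@srx# show
/* Change 1234: HTTP/HTTPS only; review quarterly */
policy ALLOW-WEB {
    match {
        source-address any;
        destination-address any;
        application [ junos-http junos-https ];
    }
    then {
        permit;
    }
}

## Remove the comment by annotating with an empty string:
user@srx# annotate policy ALLOW-WEB ""

## The same /* ... */ form is accepted in configuration text loaded with
## "load merge" or "load override", so comments survive a config export/import.
```

Annotations are visible in `show configuration`, in `show | compare` output and in the saved configuration file, which makes them useful for recording the change ticket next to firewall policies and NAT rules.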

Restricting access policy assistance

I think this will be relatively simple to achieve, but I can't get over the final hurdle:

I have a site (A) connected via VPN. At the moment 'inter-site' traffic, i.e. between me, the site in question and any other connected sites, is allowed. However, I wish this remote site to only be able to access the internet (locally connected via the SRX) and not the wider internal network (for security reasons), but I need to maintain 'admin' of this site from my location. We use OSPF for routing. I think the solution is to leave OSPF alone and configure a local firewall rule(s) of some sort on the remote SRX, or perhaps apply a filter?!

Any thoughts?
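Added example, not from the post: one way to express the restriction on the remote SRX as security policies, leaving OSPF untouched. The remote LAN is denied toward the VPN zone, only the central-site admin host is permitted in over the tunnel, and the SRX itself accepts management and OSPF on the tunnel interface. Zone names (trust, vpn), interface st0.0 and all addresses are assumptions.

```junos
## Added example, not the poster's configuration. Zone names, st0.0 and the
## addresses are assumptions; replace them with the real values.
set security address-book global address HQ-ADMIN 10.0.0.10/32
set security address-book global address REMOTE-LAN 10.20.0.0/24

## Central-site admin host may reach the remote LAN (SSH/HTTPS/ping only).
set security policies from-zone vpn to-zone trust policy ADMIN-IN match source-address HQ-ADMIN
set security policies from-zone vpn to-zone trust policy ADMIN-IN match destination-address REMOTE-LAN
set security policies from-zone vpn to-zone trust policy ADMIN-IN match application [ junos-ssh junos-https junos-ping ]
set security policies from-zone vpn to-zone trust policy ADMIN-IN then permit
set security policies from-zone vpn to-zone trust policy ADMIN-IN then log session-init

## Everything else arriving over the VPN is dropped and logged.
set security policies from-zone vpn to-zone trust policy DENY-VPN-IN match source-address any
set security policies from-zone vpn to-zone trust policy DENY-VPN-IN match destination-address any
set security policies from-zone vpn to-zone trust policy DENY-VPN-IN match application any
set security policies from-zone vpn to-zone trust policy DENY-VPN-IN then deny
set security policies from-zone vpn to-zone trust policy DENY-VPN-IN then log session-init

## The remote LAN may never initiate toward the VPN; its existing
## trust -> untrust internet policy is left as it is.
set security policies from-zone trust to-zone vpn policy DENY-TO-VPN match source-address any
set security policies from-zone trust to-zone vpn policy DENY-TO-VPN match destination-address any
set security policies from-zone trust to-zone vpn policy DENY-TO-VPN match application any
set security policies from-zone trust to-zone vpn policy DENY-TO-VPN then deny
set security policies from-zone trust to-zone vpn policy DENY-TO-VPN then log session-init

## Management of the SRX itself over the tunnel plus OSPF on st0.0.
set security zones security-zone vpn interfaces st0.0 host-inbound-traffic system-services ssh
set security zones security-zone vpn interfaces st0.0 host-inbound-traffic system-services https
set security zones security-zone vpn interfaces st0.0 host-inbound-traffic system-services ping
set security zones security-zone vpn interfaces st0.0 host-inbound-traffic protocols ospf

## Check: show security policies from-zone vpn to-zone trust ; show security flow session source-prefix 10.0.0.10/32
```

Host-inbound-traffic cannot be limited by source address; if SSH/HTTPS to the SRX should be reachable from the admin host only, that needs a firewall filter on lo0 (or, on releases that support it, policies to the junos-host zone) in addition to the above. Policies that permit the VPN should stay above any broad "any/any" policy between these zones.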

IPS Subscription

Some quick-fire questions to earn some Kudos :)

Is there a way to see what time is left for a 1 year subscription for IPS on an SRX1500?

Are subscriptions purchased on a "per year" basis or longer? In other words, once the subscription time has passed, will the IPS cease functioning?
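Added example, not from the post: the remaining term of a subscription is visible in the license table, which lists an expiry per licensed feature. The output below is illustrative (the date is made up), not captured from a device.

```junos
## Added example, not from the original post. Output layout is illustrative;
## the expiry date is made up.
user@srx1500> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  idp-sig                               1            1           0    2019-06-30 00:00:00 UTC

## Per-key details, including each key's validity window:
user@srx1500> show system license keys

## Which signature package is installed, and whether downloads still succeed
## (the practical test of whether the subscription is being honoured):
user@srx1500> show security idp security-package-version
user@srx1500> request security idp security-package download status
```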

Vlan mtu, and ipv6 mtu.

$
0
0
I have noticed that when you set up your VLAN interface, a default MTU is set. VLAN MTU equals 9192. When I added IPv6 addressing I think I set it to 9174. Must have been default, I don't remember. Is it better to match these two numbers? What are the implications of setting them the same as opposed to a little different like they currently are?

SSL VPN with Pulse Client on SRX3XX

Hello Guys,

I need your advice. I want to implement SSL VPN on SRX3XX.

I understand it requires the NCP Exclusive Remote Access Client.

But I want to know, can I use the Pulse Secure Client for the SSL VPN?

Thanks.

Route based and policy based VPN over same vSRX devices

Hello

I am quite new to FW and after I've learned some basics about JunOS and SRX I am trying to configure some VPNs.

For the moment, using this route based VPN KB, I have managed to bring up the VPN between the LAN10 host and the LAN50 host; next I want to configure a policy based VPN between the LAN60 host and the LAN20 host following this policy based VPN KB.

If you can advise me on how to approach this, because right now for me policy VPN is quite messy :).

I am working in EVE-NG with virtual devices.

Edit: don't know why I cannot upload a picture, so here is my topology

Thank you.
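Added example, not from the post or the KBs it refers to: a policy-based VPN for LAN60/LAN20 that can sit next to an existing route-based VPN on the same vSRX. Phase 1 and Phase 2 are built exactly as for the route-based tunnel; what makes this one policy-based is that the `ipsec vpn` has no `bind-interface` and the security policy ends in `permit tunnel`, with a pair-policy for the reverse direction. The peer address, prefixes, pre-shared key, zone names and the names INTERNET-OUT and INTERNET-NAT of the existing outbound policy and NAT rule are assumptions.

```junos
## Added example, not the poster's configuration. Peer address, prefixes,
## key and the names of existing policy/NAT objects are assumptions.
## IKE on the external interface is assumed to be open already
## (host-inbound-traffic system-services ike), as the route-based VPN needs it.
set security ike proposal IKE-PROP authentication-method pre-shared-keys
set security ike proposal IKE-PROP dh-group group14
set security ike proposal IKE-PROP authentication-algorithm sha-256
set security ike proposal IKE-PROP encryption-algorithm aes-256-cbc
set security ike policy IKE-POL-B mode main
set security ike policy IKE-POL-B proposals IKE-PROP
set security ike policy IKE-POL-B pre-shared-key ascii-text "replace-me"
set security ike gateway GW-LAN20 ike-policy IKE-POL-B
set security ike gateway GW-LAN20 address 203.0.113.20
set security ike gateway GW-LAN20 external-interface ge-0/0/0.0
set security ipsec proposal IPSEC-PROP protocol esp
set security ipsec proposal IPSEC-PROP authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC-PROP encryption-algorithm aes-256-cbc
set security ipsec policy IPSEC-POL-B perfect-forward-secrecy keys group14
set security ipsec policy IPSEC-POL-B proposals IPSEC-PROP
## No bind-interface here: that is what makes the VPN policy-based.
set security ipsec vpn VPN-LAN20 ike gateway GW-LAN20
set security ipsec vpn VPN-LAN20 ike ipsec-policy IPSEC-POL-B

set security address-book global address LAN60 10.60.0.0/24
set security address-book global address LAN20 10.20.0.0/24

## Outbound tunnel policy and its pair for the reverse direction.
set security policies from-zone trust to-zone untrust policy LAN60-TO-LAN20 match source-address LAN60
set security policies from-zone trust to-zone untrust policy LAN60-TO-LAN20 match destination-address LAN20
set security policies from-zone trust to-zone untrust policy LAN60-TO-LAN20 match application any
set security policies from-zone trust to-zone untrust policy LAN60-TO-LAN20 then permit tunnel ipsec-vpn VPN-LAN20
set security policies from-zone trust to-zone untrust policy LAN60-TO-LAN20 then permit tunnel pair-policy LAN20-TO-LAN60
set security policies from-zone untrust to-zone trust policy LAN20-TO-LAN60 match source-address LAN20
set security policies from-zone untrust to-zone trust policy LAN20-TO-LAN60 match destination-address LAN60
set security policies from-zone untrust to-zone trust policy LAN20-TO-LAN60 match application any
set security policies from-zone untrust to-zone trust policy LAN20-TO-LAN60 then permit tunnel ipsec-vpn VPN-LAN20
set security policies from-zone untrust to-zone trust policy LAN20-TO-LAN60 then permit tunnel pair-policy LAN60-TO-LAN20
## The tunnel policy must be evaluated before the generic internet policy.
insert security policies from-zone trust to-zone untrust policy LAN60-TO-LAN20 before policy INTERNET-OUT

## LAN60 -> LAN20 traffic must not be source-NATed before it enters the tunnel.
set security nat source rule-set TRUST-TO-UNTRUST rule NO-NAT-LAN20 match destination-address 10.20.0.0/24
set security nat source rule-set TRUST-TO-UNTRUST rule NO-NAT-LAN20 then source-nat off
insert security nat source rule-set TRUST-TO-UNTRUST rule NO-NAT-LAN20 before rule INTERNET-NAT

## Check: show security ike security-associations ; show security ipsec security-associations
```

The route-based tunnel keeps its own gateway, `bind-interface st0.x` and route; the two coexist because each IKE gateway is a distinct peer address. A policy-based tunnel only comes up when traffic matches the tunnel policy, so test it with traffic from LAN60 to LAN20 rather than by looking at interface state.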

ALG Settings and Screen Options

1. I have been advised to disable all ALG settings for performance reasons; is this wise? Most of them don't ring a bell, but surely I need the DNS ALG? We also use RTSP streams, so should I keep this on? If I disable it, what will the impact be?

2. With regard to Screen Options, are there any recommendations or best practices around what to set and their respective values?
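Added example, not from the post: how to see which ALGs are active, how to switch off the ones that are not needed while leaving DNS and RTSP in place, and a screen profile for an internet-facing zone with the thresholds the SRX factory configuration uses. The profile name and the zone name are assumptions.

```junos
## Added example, not the poster's configuration. Profile and zone names
## are assumptions; the screen thresholds are the factory-default values.

## See what is currently enabled before changing anything:
user@srx> show security alg status

## Disable ALGs that are not in use. DNS and RTSP are left enabled because the
## post says both are in use; without the RTSP ALG the dynamically negotiated
## RTP/RTCP ports would need explicit permit policies.
set security alg sip disable
set security alg h323 disable
set security alg mgcp disable
set security alg sccp disable
set security alg sql disable
set security alg talk disable
set security alg rsh disable

## Screen profile for the untrust zone.
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security zones security-zone untrust screen untrust-screen

## Start a new or tightened profile in alarm-only mode, watch the counters,
## then remove alarm-without-drop once the thresholds fit the real traffic.
set security screen ids-option untrust-screen alarm-without-drop
## show security screen statistics zone untrust
```

Thresholds are per-second session-rate counters, so the right values depend on the size and traffic profile of the site; running in `alarm-without-drop` first shows whether legitimate bursts would be dropped.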


Issue(s) with dial-in dynamic VPN clients

1. My main issue is, when connected via our dial-in VPN client (NCP Secure Entry Client), I cannot connect to the LAN interface of the SRX340 which handles these connections. I can ping it, but can't gain HTTPS access, which I can when connecting via the LAN. The LAN interface is 192.168.1.254. The VPN clients receive 10.0.0.0/24 addresses. I can access other resources on the .1 subnet, just not the SRX340.

2. An odd issue, which I doubt will be readily solved, is that it can take numerous attempts over a period of time to establish a dial-in connection. The log on the NCP client simply states that the gateway did not respond. Not sure where to start with this one.

Downgrading an SRX320 from JUNOS Software Release: 15.1X49-D70.3. Legacy DHCPD incompatibilities.

Is it possible to downgrade an SRX320 from JUNOS Software Release 15.1X49-D70.3 to a previous code? If so, are there any previous versions supported on an SRX320?

I am having issues inserting DHCP pools with version 15.1X49-D70.3 and read that versions 15.1X49-D60 and Junos OS Release 17.3R1 onwards do not support legacy DHCPD (DHCP daemon) configuration.

I want to insert DHCP pool statements "set system services dhcp pool x.x.x.x/x name-server x.x.x.x" but receive the error messages below:

[edit system services dhcp-local-server]
'group'
Incompatible with the dhcp server configured under 'system services dhcp'
[edit system services dhcp-local-server]
'group'
Incompatible with the dhcp server configured under 'system services dhcp'
[edit system services]
'dhcp'
Incompatible with 'system services dhcp-local-server group'
error: commit failed: (statements constraint check failed)

https://www.juniper.net/documentation/en_US/junos/topics/example/security-device-dhcp-server-configuring.html
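Added example, not from the post or the linked page: the commit error says the legacy `system services dhcp` hierarchy and the newer `dhcp-local-server` hierarchy cannot coexist. The same pool expressed in the newer form puts the addresses and options under `access address-assignment` and binds the server to an interface under `dhcp-local-server`. The pool name, the 192.168.10.0/24 network, interface ge-0/0/1.0 and the zone name are assumptions.

```junos
## Added example, not the poster's configuration. Pool name, subnet, interface
## and zone are assumptions. The legacy hierarchy has to go first; otherwise
## the commit fails with the "Incompatible with 'system services dhcp'" error.
delete system services dhcp

## Addresses and options live under [edit access]:
set access address-assignment pool LAN-POOL family inet network 192.168.10.0/24
set access address-assignment pool LAN-POOL family inet range LAN-RANGE low 192.168.10.50
set access address-assignment pool LAN-POOL family inet range LAN-RANGE high 192.168.10.200
set access address-assignment pool LAN-POOL family inet dhcp-attributes router 192.168.10.1
set access address-assignment pool LAN-POOL family inet dhcp-attributes name-server 192.168.10.1
set access address-assignment pool LAN-POOL family inet dhcp-attributes maximum-lease-time 86400

## The server binds to the interface whose address falls inside the pool's
## network; that is how a request is matched to LAN-POOL.
set system services dhcp-local-server group LAN interface ge-0/0/1.0

## The interface's zone must accept DHCP toward the device itself.
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services dhcp

## Verify after commit:
## show dhcp server binding
## show dhcp server statistics
```

The pool-to-interface match is by subnet: the interface listed under `dhcp-local-server group` must carry an address inside the pool's `network`, otherwise clients on it get no offers.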

Lab connect SRX-1500 to ex4600

Hello

I am testing the clustering feature on an SRX1500 by connecting it to a Virtual Chassis EX4600. However, I cannot obtain basic IP connectivity between reth0.0 and ae0.

Thank you for taking the time to check. Any ideas?


Problem updating SRX IDP and APP

I want to update my IDP but I have an error.

All commands have this problem:

root@FW01# run request security idp security-package download status
error: the idp-policy subsystem is not responding to management requests

I have the same problem on 2 firewalls; I don't have any firewall filter on my loopback interface.

Please help me or resolve this problem?

Thanks

SRX-internet loadbalance and source base routing

Dear All,

Please let me know: I configured my SRX 340 with dual load balancing for two ISP links. It is round robin.

I would like one of my local networks, VLAN 5, to go through ISP 1 only. The other networks still use the load balance function (round robin with two ISPs). Can I combine source-based policy routing and dual load balancing?

How can I solve this situation? Which function do I need to use?
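Added example, not from the post: filter-based forwarding (FBF) layered on top of a two-ISP ECMP default route. The existing round robin is kept as two equal static next hops with a load-balance export policy; VLAN 5's traffic is steered into a forwarding instance that only knows the ISP 1 gateway. The VLAN 5 prefix, the internal aggregate 10.0.0.0/8, both gateway addresses and the use of `irb unit 5` (the SRX340's VLAN L3 interface; `vlan unit 5` on older releases) are assumptions.

```junos
## Added example, not the poster's configuration. Prefixes, gateways and the
## L3 VLAN interface name are assumptions.

## The existing two-ISP round robin, kept as it is: two equal next hops plus
## a per-flow load-balance export on the forwarding table.
set routing-options static route 0.0.0.0/0 next-hop [ 203.0.113.1 198.51.100.1 ]
set policy-options policy-statement ECMP then load-balance per-packet
set routing-options forwarding-table export ECMP

## A forwarding instance whose only default route points at ISP 1 ...
set routing-instances ISP1-ONLY instance-type forwarding
set routing-instances ISP1-ONLY routing-options static route 0.0.0.0/0 next-hop 203.0.113.1

## ... and a rib-group that copies the directly connected interface routes
## from inet.0 into it, so the next hop resolves and local subnets stay
## reachable from inside the instance.
set routing-options rib-groups FBF-GROUP import-rib [ inet.0 ISP1-ONLY.inet.0 ]
set routing-options interface-routes rib-group inet FBF-GROUP

## Filter on the VLAN 5 interface: internal destinations keep normal routing,
## VLAN 5 sources going anywhere else are forwarded through ISP1-ONLY,
## and everything else falls through untouched.
set firewall family inet filter VLAN5-FBF term INTERNAL from destination-address 10.0.0.0/8
set firewall family inet filter VLAN5-FBF term INTERNAL then accept
set firewall family inet filter VLAN5-FBF term VIA-ISP1 from source-address 10.5.0.0/24
set firewall family inet filter VLAN5-FBF term VIA-ISP1 then routing-instance ISP1-ONLY
set firewall family inet filter VLAN5-FBF term DEFAULT then accept
set interfaces irb unit 5 family inet filter input VLAN5-FBF

## Check: show route table ISP1-ONLY.inet.0 ; show security flow session source-prefix 10.5.0.0/24
```

The INTERNAL term matters: without it, VLAN 5 hosts talking to other internal subnets would also be pushed into the forwarding instance, and the filter is applied before the security policy lookup, so session state still follows the usual zone policies. Source NAT for VLAN 5 must also be able to use ISP 1's address on the egress interface, which the existing per-interface NAT rule-sets normally already cover.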

SRX with multiple ISP and different public IP subnets

We have the SRX320 device and several Internet providers connected to it.

(attached diagram: Inked20180906_141400_orn-printer-01_000292-1_LI.jpg)

Interfaces ge-0/0/0 and ge-0/0/1 are actually connected to one provider, "ISP-1". Two different links are used because of contracts with two different organizations. ISP-1 on each link provides multiple public IP addresses from different subnets. Each subnet uses its own gateway. ISP-1 uses the same subnets on both links. These subnets are marked with blue and yellow markers on the scheme.

Interface ge-0/0/2 is connected to the second provider, "ISP-2". This is a backup channel with only one public IP address. It is marked with a green marker on the scheme.

What do we want?

  1. Use all IP addresses provided by ISP-1 for source NAT used for Internet access. The ability to use any of those IP addresses as external by firewall filters. Additionally, load balance traffic to both channels, if possible.
  2. Use all IP addresses provided by ISP-1 for destination NATs used to access trusted intranet resources from the Internet. Ability to use any of those IP addresses as destination IP.
  3. Use ISP-2 only as a backup channel to the Internet with automatic failover and fallback.

Please tell me, is it possible to configure all of the above on the SRX device? How can I do this using the minimum number of routing instances?
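Added example, not from the post: the part of the design that needs no extra routing instance at all, namely requirement 3 (ISP-2 as a monitored backup with automatic failover and fallback) and the piece of requirement 1 that picks the source NAT pool by egress link. Interface roles and all addresses are assumptions: ge-0/0/0 = ISP-1 link A with gateway 203.0.113.1 and public pool 203.0.113.10-12, ge-0/0/2 = ISP-2 with gateway 198.51.100.1.

```junos
## Added example, not the poster's configuration. Interfaces, gateways and
## public addresses are assumptions. Everything lives in inet.0.

## Normal default route via ISP-1.
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1

## RPM probe forced out of the ISP-1 link. When it fails, ip-monitoring
## installs the preferred route via ISP-2 (preference 1, which beats the
## static route); when the probe recovers the route is withdrawn again,
## which gives the fallback.
set services rpm probe ISP1-PROBE test PING-ISP1 target address 8.8.8.8
set services rpm probe ISP1-PROBE test PING-ISP1 probe-count 3
set services rpm probe ISP1-PROBE test PING-ISP1 probe-interval 5
set services rpm probe ISP1-PROBE test PING-ISP1 test-interval 10
set services rpm probe ISP1-PROBE test PING-ISP1 thresholds successive-loss 3
set services rpm probe ISP1-PROBE test PING-ISP1 destination-interface ge-0/0/0.0
set services rpm probe ISP1-PROBE test PING-ISP1 next-hop 203.0.113.1
set services ip-monitoring policy ISP1-DOWN match rpm-probe ISP1-PROBE
set services ip-monitoring policy ISP1-DOWN then preferred-route route 0.0.0.0/0 next-hop 198.51.100.1

## Source NAT selected by egress interface, so each link translates to its
## own public addresses. Proxy-ARP makes the SRX answer for pool addresses
## that are not configured on the interface itself.
set security nat source pool ISP1-POOL address 203.0.113.10/32 to 203.0.113.12/32
set security nat source rule-set OUT-ISP1 from zone trust
set security nat source rule-set OUT-ISP1 to interface ge-0/0/0.0
set security nat source rule-set OUT-ISP1 rule ALL match source-address 0.0.0.0/0
set security nat source rule-set OUT-ISP1 rule ALL then source-nat pool ISP1-POOL
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.10/32 to 203.0.113.12/32
set security nat source rule-set OUT-ISP2 from zone trust
set security nat source rule-set OUT-ISP2 to interface ge-0/0/2.0
set security nat source rule-set OUT-ISP2 rule ALL match source-address 0.0.0.0/0
set security nat source rule-set OUT-ISP2 rule ALL then source-nat interface

## Check: show services ip-monitoring status ; show route 0.0.0.0/0 ; show security nat source rule all
```

Destination NAT (requirement 2) is independent of the egress choice: a destination NAT rule-set `from interface ge-0/0/0.0` with one rule per public address works unchanged with this setup, as long as proxy-ARP covers every public address used. Spreading outbound flows across the two ISP-1 links (the rest of requirement 1) is where filter-based forwarding or a second routing instance comes in, because the return path has to leave through the link whose address was used for NAT.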

SRX Cluster Console Ping No route to host

I have a weird communication issue on an SRX1500 cluster running Junos 18.1R2.5. From the console I cannot ping anything through my public interface, such as 8.8.8.8. All other communication is working. I am able to ping and SSH to the IP address assigned to my untrust interface. Any traffic from the trust zone to untrust works as intended.

There is a virtual routing instance to split up mgmt interface routing and everything else, because the mgmt interface is configured in the same subnet as a sub-interface in another zone.

If I just issue the ping command to my gateway, it says "ping: sendto: No route to host"
If I issue the command "ping bypass-routing interface reth0.0 address" I can ping the gateway

config below:

user@srx1500cluster-0> show configuration interfaces 
ge-0/0/0 {
    description "WAN Uplink pair 1 of 2 - partner ge-7/0/0";
    gigether-options {
        redundant-parent reth0;
    }
}

xe-0/0/17 {
    description "Trust Interfaces Uplink pair 1 of 2 - partner xe-7/0/17";
    gigether-options {
        redundant-parent reth1;
    }
}

ge-7/0/0 {
    description "WAN Uplink pair 2 of 2 - partner ge-0/0/0";
    gigether-options {
        redundant-parent reth0;
    }
}

xe-7/0/17 {
    description "Trust Interfaces Uplink pair 2 of 2 - partner xe-0/0/17";
    gigether-options {
        redundant-parent reth1;
    }
}

fab0 {
    fabric-options {
        member-interfaces {
            xe-0/0/18;
            xe-0/0/19;
        }
    }
}
fab1 {
    fabric-options {
        member-interfaces {
            xe-7/0/18;
            xe-7/0/19;
        }
    }
}
fxp0 {
    unit 0 {
        family inet {
            address 10.2.48.10/24 {
                master-only;
            }
        }
    }
}

reth0 {
    description "WAN Uplink - ge-0/0/0 & ge-7/0/0";
    redundant-ether-options {
        redundancy-group 1;
    }
    unit 0 {
        family inet {
            address 1.1.1.1/25;
        }
    }
}
reth1 {
    description "Trust Interfaces - xe-0/0/17 & xe-7/0/17";
    vlan-tagging;
    redundant-ether-options {
        redundancy-group 1;
    }
    unit 0 {                            
        disable;
        vlan-id 3967;
    }
    unit 40 {
        vlan-id 40;
        family inet {
            address 10.2.40.200/24;
        }
    }
    unit 45 {
        vlan-id 45;
        family inet {
            address 10.2.45.1/24;
        }
    }
    unit 48 {
        vlan-id 48;
        family inet {
            address 10.2.48.1/24;
        }
    }
}

user@srx1500cluster-0> show configuration routing-instances 
vr1 {
    instance-type virtual-router;
    interface reth0.0;
    interface reth1.40;
    interface reth1.45;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 1.1.1.1;
        }
    }
}
{primary:node0}
user@srx1500cluster-0> show configuration routing-options      


{primary:node0}
user@srx1500cluster-0> show configuration security zones security-zone untrust   
screen untrust-screen;
interfaces {
    reth0.0 {
        host-inbound-traffic {
            system-services {
                ping;
                https;
                ssh;
                snmp;
                netconf;
                traceroute;
            }
        }
    }
}

user@srx1500cluster-0# run show configuration chassis cluster    
control-link-recovery;
reth-count 4;
redundancy-group 0 {
    node 0 priority 100;
    node 1 priority 1;
}
redundancy-group 1 {
    node 1 priority 1;
    node 0 priority 100;
    preempt;
    interface-monitor {
        xe-0/0/17 weight 255;
        xe-7/0/17 weight 255;
        ge-0/0/0 weight 255;
        ge-7/0/0 weight 255;
    }
}
redundancy-group 2 {
    node 1 priority 100;
    node 0 priority 1;
    preempt;
    interface-monitor {
        ge-0/0/1 weight 255;
        ge-7/0/1 weight 255;
        ge-0/0/2 weight 255;
        ge-7/0/2 weight 255;
    }
}



user@srx1500cluster-0> show chassis cluster status 
Monitor Failure codes:
    CS  Cold Sync monitoring        FL  Fabric Connection monitoring
    GR  GRES monitoring             HW  Hardware monitoring
    IF  Interface monitoring        IP  IP monitoring
    LB  Loopback monitoring         MB  Mbuf monitoring
    NH  Nexthop monitoring          NP  NPC monitoring              
    SP  SPU monitoring              SM  Schedule monitoring
    CF  Config Sync monitoring      RE  Relinquish monitoring
Cluster ID: 1
Node   Priority Status               Preempt Manual   Monitor-failures

Redundancy group: 0 , Failover count: 1
node0  100      primary              no      no       None           
node1  1        secondary            no      no       None           

Redundancy group: 1 , Failover count: 1
node0  100      primary              yes     no       None           
node1  1        secondary            yes     no       None           

Redundancy group: 2 , Failover count: 2
node0  1        secondary            yes     no       None           
node1  100      primary              yes     no       None           
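Added example, not from the post: operational checks for the configuration posted above. The posted `show configuration routing-options` output is empty, so the default instance inet.0 holds no routes, and a ping typed at the console without naming a routing instance is resolved there. The commands below name the instance that owns reth0.0 explicitly. The ISP gateway address is an assumption (in the post the static route's next-hop is written as the same 1.1.1.1 that reth0.0 itself carries, which reads like a placeholder).

```junos
## Added example, not from the original post. Addresses are those in the
## post; the ISP gateway is not given there and is not assumed here.

## Console-originated traffic uses inet.0 unless told otherwise; vr1 is the
## instance that holds reth0.0 and the default route:
user@srx1500cluster-0> ping 8.8.8.8 routing-instance vr1 count 3
user@srx1500cluster-0> ping 8.8.8.8 routing-instance vr1 source 1.1.1.1 count 3
user@srx1500cluster-0> traceroute 8.8.8.8 routing-instance vr1

## What the instance actually resolves the destination to, and whether the
## next hop has been ARP-resolved on reth0.0:
user@srx1500cluster-0> show route table vr1.inet.0 8.8.8.8
user@srx1500cluster-0> show route forwarding-table destination 8.8.8.8 table vr1
user@srx1500cluster-0> show arp interface reth0.0

## If RE-originated services (NTP, syslog, SNMP traps, DNS lookups) should
## leave through vr1 without naming it each time, give inet.0 a route into
## the instance's table instead of a next-hop address:
set routing-options static route 0.0.0.0/0 next-table vr1.inet.0

## On a cluster, run the checks from the node that is primary for RG1 (reth0
## is active there) and confirm the flow is not split across nodes:
user@srx1500cluster-0> show chassis cluster status redundancy-group 1
user@srx1500cluster-0> show security flow session destination-prefix 8.8.8.8
```

`bypass-routing` working while a normal ping fails is consistent with the default instance having no route rather than with a data-plane problem, since transit trust-to-untrust traffic is routed in vr1, where both interfaces live.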
Block SYN packets on existing sessions

query about srx4600 - web filtering capabilities

I am new to using L4-L7 capability in a firewall and new to Junos firewalls as well, so I apologize if some answers are obvious.

I could not find the answers by googling, hence posting them here now.

We have a pair of SRX4600 on which I need to implement URL filtering. Need help with the info below:

- how many max URLs can be defined manually on the SRX4600?
- can we bulk upload a URL list manually to the firewall? how to do it?
- how to see the URLs that are present in the predefined lists on the firewall?
- can we have the firewall fetch updates from a customer-defined URL in parallel with the Juniper site?

Snapshot - can't

Using an SRX345 that is about 3 months old. When brand new I was able to make a snapshot as expected; now I can't.

I see:

ERROR: usb (/dev/da1) media missing or invalid

I've checked hardware: the USB flash drive is seen and correctly sized. I've tried several flash drives, including the one that worked originally (this was 4 GB). Recently I did try a 2 GB. All of these are name-brand FDs. I've tried different formatting. I searched this forum without success. I need, hopefully, for someone to point me toward how to make the unit recognise the FD as the object to write to. This is obviously not a critical problem but a vexing one nonetheless.

Mark

SRX Syslog

Hi everyone,

On SRX we have control plane logs and data plane logs (security logs).

Are data plane logs considered as SYSLOG? The reason I say that is that for security logs we can use stream mode and send security logs to a SYSLOG server, which means data plane logs are also SYSLOG.

Thanks.
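Added example, not from the post: the two logging paths side by side. Control-plane events go through the Routing Engine's syslog; data-plane security logs in stream mode are emitted by the packet-forwarding plane directly to the collector in syslog format (structured-data syslog here), and only appear for policies that ask for logging. Collector address, source address and the policy name are assumptions.

```junos
## Added example, not the poster's configuration. Collector, source address
## and policy name are assumptions.

## Control-plane (RE) syslog: system events, commits, logins, daemon messages.
set system syslog host 10.10.10.50 any info
set system syslog host 10.10.10.50 source-address 10.10.10.1

## Data-plane (security) logs in stream mode: generated in the forwarding
## plane and sent straight to the collector as syslog, bypassing the RE.
set security log mode stream
set security log format sd-syslog
set security log source-address 10.10.10.1
set security log stream SIEM host 10.10.10.50
set security log stream SIEM host port 514
set security log stream SIEM category all

## Nothing is streamed for a policy unless the policy asks for it:
set security policies from-zone trust to-zone untrust policy WEB-OUT then log session-init
set security policies from-zone trust to-zone untrust policy WEB-OUT then log session-close

## Check on the wire (egress interface toward the collector is an assumption):
## monitor traffic interface ge-0/0/1 matching "udp port 514"
```

`session-init` produces one message per new session and `session-close` one per closed session with byte and packet counts; on a busy box `session-close` alone is usually enough for investigations and halves the log volume. The collector must be reachable from the data plane via a normal forwarding path from `source-address`, not only via fxp0.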

SRX VPN Gateway Tunnel Interface down

Hi All,

I have a route based IPsec VPN deployed but the tunnel interface link is down. The interface is admin up. All the config looks good, not sure why the link is down. Please suggest!

User performed a basic telnet test and received a connection refused error. I was expecting to see successful Phase 2 SA establishment & session initiated syslog messages but nothing. Wouldn't the initial TCP SYN packet not be encrypted and sent over to the other end for the user to get the "Connection Refused" error?

