Channel: SRX Services Gateway topics

Screen Options UDP flooding Threshold on SRX


Hi everyone,

 

Edited: corrected the post.

In the text below, can the destination IP be a multicast address, or is it just a unicast address?

 

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-introduction-to-adp.html

 

Use the UDP flood IDS option to protect against UDP flood attacks. A UDP flood attack occurs when an attacker sends IP packets containing a UDP datagram with the purpose of slowing down the resources, such that valid connections can no longer be handled.

The threshold value defines the number of UDP packets per second allowed to ping the same destination IP address. When the number of packets exceeds this value within any 1-second period, the device generates an alarm and drops subsequent packets for the remainder of that second.

 

 

 

Thanks
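As an added example (my code, not part of the post or of Juniper's documentation), here is a small model of the per-destination, per-second counter the quoted text describes, replayed over constructed packet timestamps so the alarm-then-drop behaviour is visible. The threshold value and addresses are made up, and the fixed one-second bucket is a simplification of "any 1-second period".

```python
"""Model of a UDP-flood screen counter: added example, constructed input only."""
from collections import defaultdict


def udp_flood_screen(packets, threshold):
    """Replay (timestamp_seconds, destination_ip) pairs through the counter.

    Model assumptions (simplifications, not a statement of SRX internals):
    - the count is kept per (destination IP, 1-second bucket);
    - the first packet that pushes the count past `threshold` raises one
      alarm for that destination and second;
    - that packet and every later packet to the same destination in the
      same second are dropped; the next second starts with a fresh count.
    Returns (alarms, forwarded, dropped, per_packet_decisions).
    """
    counts = defaultdict(int)
    alarms = []
    decisions = []
    forwarded = dropped = 0
    for ts, dst in sorted(packets):
        bucket = (dst, int(ts))
        counts[bucket] += 1
        if counts[bucket] > threshold:
            if counts[bucket] == threshold + 1:
                alarms.append((int(ts), dst))
            dropped += 1
            decisions.append((ts, dst, "drop"))
        else:
            forwarded += 1
            decisions.append((ts, dst, "forward"))
    return alarms, forwarded, dropped, decisions


def burst(dst, start, n, spacing):
    """Constructed traffic: n UDP packets to dst starting at `start` seconds."""
    return [(start + i * spacing, dst) for i in range(n)]


# Constructed sample: 12 packets to 10.0.0.5 inside second 0, 3 packets to
# 10.0.0.6 in the same second, then 2 more to 10.0.0.5 in second 1.
SAMPLE = (burst("10.0.0.5", 0.0, 12, 0.05)
          + burst("10.0.0.6", 0.1, 3, 0.1)
          + burst("10.0.0.5", 1.2, 2, 0.1))
# Constructed low threshold so the effect is visible; real values are far higher.
THRESHOLD = 5


def run_sample():
    """Run the constructed sample; 10.0.0.5 trips the screen in second 0 only."""
    return udp_flood_screen(SAMPLE, THRESHOLD)


if __name__ == "__main__":
    alarms, fwd, drp, _ = run_sample()
    print("alarms:", alarms)
    print("forwarded:", fwd, "dropped:", drp)
```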


Exchange type mismatch (configured 4, proposed by peer 2), no proposal chosen


I have a new, very basic route-based VPN failing to set up on my SRX P1 with this message:

 

Exchange type mismatch (configured 4, proposed by peer 2) for tunnel local:<my ip> remote:<remote ip> IKEv1

My end is an SRX, the remote end is a Fortigate 300D supposedly.

 

Any idea precisely what is misconfigured on their end (what does not match my IKE config)?

 

My guess was they are proposing aggressive mode to my main, but that's merely a guess and they say not. Possibly they're proposing IKEv2? I am just not familiar enough with Fortinet stuff to lead them.

 

I have looked all over to see precisely what "4" and "2" are in the exchange type as if there is a key, but I have not found anything on the Juniper site.
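As an added example (my code, not from the post or from Juniper), here is a decoder for the ISAKMP/IKE header field that carries exchange-type numbers, using the values assigned in RFC 2408 for IKEv1 (2 is Identity Protection, i.e. Main Mode; 4 is Aggressive) and RFC 7296 for IKEv2. The packet bytes are constructed, and `describe_mismatch` only renders a pair of numbers with their names.

```python
"""ISAKMP/IKE header decoder: added example, constructed packets only."""
import struct

# RFC 2408 section 3.1 exchange types; 32 and 33 are the DOI-specific
# values used by IKEv1 (RFC 2409).
IKEV1_EXCHANGE_TYPES = {
    0: "None", 1: "Base", 2: "Identity Protection (Main Mode)",
    3: "Authentication Only", 4: "Aggressive", 5: "Informational",
    32: "Quick Mode", 33: "New Group Mode",
}
# RFC 7296 section 3.1 exchange types.
IKEV2_EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
                        36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}

# Fixed 28-byte header: initiator SPI, responder SPI, next payload,
# version (major/minor nibbles), exchange type, flags, message ID, length.
HEADER = struct.Struct("!8s8sBBBBII")


def exchange_name(major_version, exchange_type):
    """Map an exchange-type number to its name for the given IKE major version."""
    table = IKEV1_EXCHANGE_TYPES if major_version == 1 else IKEV2_EXCHANGE_TYPES
    return table.get(exchange_type, "unknown (%d)" % exchange_type)


def parse_isakmp_header(data):
    """Return the header fields of an IKE packet as a dict, validating length."""
    if len(data) < HEADER.size:
        raise ValueError("truncated ISAKMP header: %d bytes" % len(data))
    ispi, rspi, next_payload, version, exch, flags, msg_id, length = HEADER.unpack_from(data)
    major, minor = version >> 4, version & 0x0F
    if length < HEADER.size or length > len(data):
        raise ValueError("length field %d inconsistent with %d-byte packet" % (length, len(data)))
    return {
        "initiator_spi": ispi.hex(), "responder_spi": rspi.hex(),
        "next_payload": next_payload, "version": (major, minor),
        "exchange_type": exch, "exchange_name": exchange_name(major, exch),
        "flags": flags, "message_id": msg_id, "length": length,
    }


def build_isakmp_header(exchange_type, major=1, minor=0, next_payload=1, payload=b""):
    """Constructed packet bytes (header plus opaque payload) for exercising the parser."""
    version = (major << 4) | minor
    length = HEADER.size + len(payload)
    ispi = bytes(range(1, 9))  # constructed SPI value; responder SPI is zero
    return HEADER.pack(ispi, bytes(8), next_payload, version, exchange_type, 0, 0, length) + payload


def describe_mismatch(configured, proposed, major=1):
    """Render a 'configured X, proposed by peer Y' pair with the names behind the numbers."""
    return "configured %d (%s), proposed by peer %d (%s)" % (
        configured, exchange_name(major, configured), proposed, exchange_name(major, proposed))


if __name__ == "__main__":
    print(parse_isakmp_header(build_isakmp_header(2, payload=b"\x00" * 8)))
    print(describe_mismatch(4, 2))
```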

 

SRX how to tell SRX to use inet.0 for multicast forwarding


Hi Everyone,

 

By default SRX uses inet6.0 for multicast traffic; let's say I created a static route 238.0.0.0/8 in inet.0.

How can we tell SRX to use inet.0 for 238.0.0.0/8 instead of inet6.0?

 

Thanks and have a nice weekend!!

 

"groups" statement and interfaces

I have my "groups" statement in my config.
Example:
groups {
    dhcpport {
        interfaces {
            ge-0/0/0 {
                unit 0;
            }
        }
    }
}

My question is this: I have grouped traffic for my main communication ports this way. All the ports, VLAN and ge 1-15 too. I also want to group the main interfaces, i.e. ge-0/0/0. In the groups statement I have included unit 0. I called interface-range in the interfaces statement. I haven't found a way to call the main interfaces (ge-0/0/0) in the groups statement. My question is...

After calling the unit 0's in "groups", is it ok to use "apply-groups" in the interfaces statement under the interface-range? Is this acceptable, i.e. recommended?

I called apply-groups in the groups statement only. What about both places etc. My guess is to only call it in the interfaces statement, and not the groups statement.

Comments and thoughts appreciated!!!

interfaces {
    interface-range ports {
        member sp-0/0/0;
        member-range ge-0/0/0 to ge-0/0/15;
    }
}

In this code block.

SRX cluster with IRB and RETH toward no vPC Nexus


I would like to implement the attached scenario; is it supported?

Redundant default route via two different SRX's?


I have two different SRXs each with different ISPs.

SRX 1

10.0.0.1 has a static 0.0.0.0 route to ISP1

 

SRX 2

is on two redundant paths and has two IPs

10.0.0.10

10.0.0.11

and it also has a loopback ip of 10.20.0.1

 

My core switch is directly connected to all three paths. I have a static route to 10.0.0.10, and if we have to change ISPs I just manually change this route.

 

Is it possible to use OSPF or some other auto-routing mechanism to automate the failover?

ISP2 has more bandwidth than ISP1, so I'd like to prefer ISP2 over ISP1.

 

I tried enabling OSPF on the interfaces to my ISPs but that just advertised the route to the /30 networks between us.  

SRX340 - Layer 2 and 3


Hi,

 

Here's the set up:

 

CPE --> NTE (SRX340) --> Downstream ISP - (dot1q tagged) --> Core --> Upstream ISP

 

Remit:

VLAN 10 Tagged direct from Core to CPE

VLAN 99 Tagged - Management to NTE (SRX340)

 

So, we only have a single interface at the Core and the NTE (SRX340). This means, if we are using the SRX340 at Layer 2 for VLAN 10 but layer 3 for VLAN 99, I need to be able to create a Sub-Interface at Layer 2 and a Sub-Interface at Layer 3.

 

So, as follows:

NTE (SRX340):

Interface ge-0/0/15 unit 10 vlan-id 10

Interface ge-0/0/15 unit 99 vlan-id 99

Interface ge-0/0/15 unit 99 family inet address xxx.xxx.xxx.xxx/30

 

Core to CPE - IP /30 at both ends - so, for VLAN 10 the SRX340 is just acting as a basic layer 2 switch passing the traffic.

 

Is this even possible please?

SkyATP verdict threshold


I configured threat policy on SRX by working with SkyATP. And I'm confused about each verdict threshold value in configuration

 

set services security-intelligence profile policyATP_CC category CC
set services security-intelligence profile policyATP_CC rule Rule-1 match threat-level 1
set services security-intelligence profile policyATP_CC rule Rule-1 match threat-level 2
set services security-intelligence profile policyATP_CC rule Rule-1 match threat-level 3
set services security-intelligence profile policyATP_CC rule Rule-1 match threat-level 4
set services security-intelligence profile policyATP_CC rule Rule-1 then action permit
set services security-intelligence profile policyATP_CC rule Rule-1 then log
set services security-intelligence profile policyATP_CC rule Rule-2 match threat-level 5
set services security-intelligence profile policyATP_CC rule Rule-2 match threat-level 6
set services security-intelligence profile policyATP_CC rule Rule-2 match threat-level 7
set services security-intelligence profile policyATP_CC rule Rule-2 then action permit
set services security-intelligence profile policyATP_CC rule Rule-2 then log
set services security-intelligence profile policyATP_CC rule Rule-3 match threat-level 8
set services security-intelligence profile policyATP_CC rule Rule-3 match threat-level 9
set services security-intelligence profile policyATP_CC rule Rule-3 match threat-level 10
set services security-intelligence profile policyATP_CC rule Rule-3 then action block drop
set services security-intelligence profile policyATP_CC rule Rule-3 then log
set services security-intelligence profile policyATP_Infected-Hosts category Infected-Hosts
set services security-intelligence profile policyATP_Infected-Hosts rule Rule-1 match threat-level 1
set services security-intelligence profile policyATP_Infected-Hosts rule Rule-1 match threat-level 2
set services security-intelligence profile policyATP_Infected-Hosts rule Rule-1 match threat-level 3
set services security-intelligence profile policyATP_Infected-Hosts rule Rule-1 match threat-level 4
set services security-intelligence profile policyATP_Infected-Hosts rule Rule-1 match threat-level 5
set services security-intelligence profile policyATP_Infected-Hosts rule Rule-1 match threat-level 6
set services security-intelligence profile policyATP_Infected-Hosts rule Rule-1 then action permit
set services security-intelligence profile policyATP_Infected-Hosts rule Rule-1 then log
set services security-intelligence profile policyATP_Infected-Hosts rule Rule-2 match threat-level 7
set services security-intelligence profile policyATP_Infected-Hosts rule Rule-2 match threat-level 8
set services security-intelligence profile policyATP_Infected-Hosts rule Rule-2 match threat-level 9
set services security-intelligence profile policyATP_Infected-Hosts rule Rule-2 match threat-level 10
set services security-intelligence profile policyATP_Infected-Hosts rule Rule-2 then action block drop
set services security-intelligence profile policyATP_Infected-Hosts rule Rule-2 then log
set services security-intelligence policy policyATP CC policyATP_CC
set services security-intelligence policy policyATP Infected-Hosts policyATP_Infected-Hosts
set services advanced-anti-malware policy policyATP verdict-threshold 7

 

As I understand it, the threshold value on C&C is the verdict returned from SkyATP. What about the other values, i.e. Infected-Hosts and global (in the services advanced-anti-malware hierarchy)?

 

When I test by pinging a C&C server, the threshold of the IP C&C is 6 but the client threshold is 2.

Likewise, when I test by downloading a malicious file from eicar, the threshold of the malicious file is 10 but the client threshold is 8.

 

Please explain this to me :)


CoS at Layer 2


Thanks to your help I have a working NTE device now.....

 

I have one question that I am 99.9 per cent sure I know the answer to but thought I would ask anyway....

 

Is there any way of controlling VoIP traffic over the NTE device, as for the customer it is acting purely as a switch at Layer 2?

 

I cannot think of anything and have never seen it, so I'm just asking really if any of you guys have seen CoS implemented in this configuration?

OSPF / routing scenario question


We only use OSPF for routing. A requirement has come about where a remote site will no longer be using its VPN connection back to the hub site and is being replaced with a managed MPLS service. We have been provided with a local IP address (on the subnet of this remote site) of the managed router that connects us to this service. There is another managed router at the hub site, again with a local IP address. Given the managed routers are out of our control, how can I ensure traffic from the remote site flows over this managed service to the hub and vice versa? OSPF on the remote site's LAN is set as passive. Are static routes the answer? This doesn't sit well, there must be a way to keep it OSPF?!

Routing doesn't work as I'd like


Hello,

 

Context: I'd like to be able to reach a destination network (78.x.y.z/32) via a specific interface (reth1.112: 172.28.x.2/30) from my source network (172.20.x.y/24). (I changed the networks for confidentiality.)

 

So I just created a static route to this destination via the specific interface.

Then I created policies in which I allow the traffic from the source zone to the destination zone.

 

Results : 

1) When I try to ping/traceroute from the juniper to this destination, the route is working.

I can see the "hops" on the specific interface that I specified in the route. 

2) When I try to ping/traceroute from my source to this destination, the route doesn't work.

No ping answers, no hops in the traceroute results.

 

Do you have any idea how to solve this? Any debug commands?

 

I'll give you the configuration that I set up.

 

Policies :

set security policies from-zone zone-destination to-zone zone-source policy permit-all match source-address any
set security policies from-zone zone-destination to-zone zone-source policy permit-all match destination-address any
set security policies from-zone zone-destination to-zone zone-source policy permit-all match application any
set security policies from-zone zone-destination to-zone zone-source policy permit-all then permit

set security policies from-zone zone-source to-zone zone-destination policy server-access match source-address any
set security policies from-zone zone-source to-zone zone-destination policy server-access match destination-address any
set security policies from-zone zone-source to-zone zone-destination policy server-access match application any
set security policies from-zone zone-source to-zone zone-destination policy server-access then permit

 

Route : 

set routing-options static route 78.x.y.z/32 next-hop 172.28.x.1

 

Results : 

Simple ping without specifying the source OK : 

> ping 78.x.y.z
PING 78.x.y.z (78.x.y.z): 56 data bytes
64 bytes from 78.x.y.z: icmp_seq=0 ttl=254 time=4.238 ms
64 bytes from 78.x.y.z: icmp_seq=1 ttl=254 time=5.294 ms
^C
--- 78.x.y.z ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 4.238/4.766/5.294/0.528 ms

 

Traceroute OK :

> traceroute 78.x.y.z
traceroute to 78.x.y.z (78.x.y.z), 30 hops max, 40 byte packets
1 hop1 (172.28.x.1) 3.435 ms 1.262 ms 1.394 ms
2 hop2 (1.2.3.4) 2.344 ms 2.311 ms 2.357 ms
3 hop3 (78.x.y.z) 6.184 ms 5.215 ms 4.856 ms

 

Simple ping with source KO :

> ping 78.x.y.z source 172.20.x.254
PING 78.x.y.z (78.x.y.z): 56 data bytes

^C
--- 78.x.y.z ping statistics ---
854 packets transmitted, 0 packets received, 100% packet loss

 

Traceroute with source :

> traceroute 78.x.y.z source 172.20.x.254
traceroute to 78.x.y.z (78.x.y.z) from 172.20.x.254, 30 hops max, 40 byte packets
1 * * *
2 * * *
3 * *^C

 

Best Regards,

John

SRX 300 stuck after upgrade reboot


Hi,

Not sure what's going on with this one; it seems stuck after the reboot at Oct 3 10:19:21 after upgrading to D130. It's been about 20 minutes now.

 

kern.securelevel: -1 -> 1
Creating JAIL MFS partition...
JAIL MFS partition created
Boot media /dev/da0 has dual root support
WARNING: JUNOS versions running on dual partitions are not same
** /dev/da0s1a
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 1138726 free (54 frags, 142334 blocks, 0.0% fragmentation)
chassis.ko loaded Loading JUNOS chassis module
chassis_init_hw_chassis_startup_time: chassis startup time 0.000000
Wed Oct 3 10:18:29 UTC 2018

Amnesiac (ttyu0)

login: Oct 3 10:19:21 init: gstatd is thrashing, not restarted
Oct 3 10:19:21 init: exec_command: /usr/sbin/cli (PID 1997) started
Oct 3 10:19:21 init: Alarm set command: /usr/sbin/cli (PID 1997) started

SRX and link aggregation


Hi all. I am having a little trouble with a particular scenario. I am quite new to JunOS so it's possible I'm not doing it right, hopefully somebody can set me straight!

The scenario is basically that I have an SRX1500 connected to a HP DL360 server running ESXi 6.5.0. I have four connections between them that I want to aggregate and trunk a number of VLANs across. This will need to be a static LAG as ESXi does not support LACP.

So, I have tried configuring it two ways, with mixed results. Firstly, I add the physical interfaces to the LAG:

ge-0/0/0 {
    description "Core:Oxf1nomacfelp01:nic1";
    ether-options {
        802.3ad ae0;
    }
    gigether-options {
        802.3ad ae0;
    }
}

Same for ge-0/0/1-3. Initially I just had ether-options; I added the second as part of my efforts to get it to work. Firstly, I tried creating layer 3 interfaces on the LAG as follows:

ae0 {
    vlan-tagging;
    unit 100 {
        vlan-id 100;
        family inet {
            address 10.10.10.1/28;
        }
    }
}

I then configured the management IP of the ESXi box to an IP in this subnet, configured vlan 100 and enabled all four NICs. I am unable to ping the box from the SRX, or anywhere else. However, if I disable three out of four interfaces on the SRX, I can ping it from the SRX and from my laptop. I have tried various combinations of enabled/disabled interfaces and found that sometimes I can ping with two interfaces enabled, or even three. All interfaces seem to work if enabled individually, just not together, implying there is some issue with the link aggregation.

The configuration options on ESXi are very limited so I can't see any reason to think the problem lies there.

The second thing I tried is to configure the ae0 interface as a layer two VLAN trunk, with the VLANs connected to layer 3 virtual interfaces. As follows:

ae0 {
    native-vlan-id 100;
    unit 0 {
        family ethernet-switching {
            interface-mode trunk;
            vlan {
                members device-management;
            }
        }
    }
}

irb {
    unit 100 {
        family inet {
            address 10.10.10.1/28;
        }
    }
}

vlans {
    device-management {
        vlan-id 100;
        l3-interface irb.100;
    }
}

With this configuration, I seem to have the same issues with the LAG, plus another possible issue with VLAN tagging. If I set the ESXi box to use vlan 100, it is not reachable. If I set it to untagged (plus add the native-vlan-id command to the SRX) it is reachable (again, subject to the issues with LAG.)

 

As I say, I'm pretty new to Juniper and I may well be doing it wrong. This particular scenario doesn't seem to have come up in the searches I have been doing on Google; usually people connect an ESXi host to a switch rather than an SRX.

Cheers

 

Paul

 

 

SRX550 Layer 2 Mode


I am trying to configure an SRX550 to function as a layer 2 firewall.  I am doing it via J-Web as I haven't had success via the CLI either, so I was hoping J-Web would overcome whatever silliness I am missing in the CLI.

 

I go to Ports > Interfaces and then choose 'Switch to L2 Mode' and am prompted to enter a management IP with subnet mask.  What is the format for this field?  No matter what I enter or how I enter it I am told it's an invalid management address.  For example I enter 192.168.1.1/24 and I receive an error stating that it's an invalid management address.  If I enter just 192.168.1.1 I receive an error telling me to put in a subnet mask.  I've tried using subnet masks and CIDR notation separated by several common separation markers (space, comma, colon, etc.), but get no joy.

 

I am relatively new to JunOS and certainly J-Web, so if this goes in the stupid question column I apologize, but Google didn't yield any helpful results.

SRX Not Passing Traffic


Hi,

 

Ok, so I had a strange experience with an SRX tonight!

My SRX100H (12.1X46-D67) has been running fine for a while now. 

However tonight the power cut out. I powered the SRX back on and I was unable to pass traffic through the box.

On checking one of the SRX-connected hosts, I could see the link was up/up on both sides but there was no traffic reaching the other side, i.e. no ARP seen or received.

I rebooted the box, no change. But confirmed the boot sequence looked ok via console.

I fully powered down the box, no change again.

The interface stats and output from a 'show interface xx/xx/xx' showed that the interface looked fine.

Then the power went off again (we believe it to be a dodgy kettle!).

But then the SRX powered up and started passing traffic. 

 

From what I can see this is either a hardware issue or a bug. Can anyone offer any advice, a next best action, or anything to check for on the box?

 

Thanks,


ADSL PIM in SRX320


Hi All, really basic question: I need to connect an SRX320 to a European ADSL line, so I know I need to purchase an ADSL PIM.

My options are:-

ADSL2+ PIM

or

VDSL PIM for greater speeds

 

From research i know i need to order an Annex B card, but i need to know:-

  • Do I need a PIM or a Mini-PIM module?
  • What is the part code for a standard ADSL2+? Is it SRX-MP-1ADSL2-B?
  • I cannot find any confirmation that this card is compatible with the SRX320; the only documentation I can find confirms it is compatible with the SRX240 or SRX550.

I just need a bit of guidance in ordering the right part.

thanks for the help.

 

How to configure an OSPF export policy for static routes


Assuming an export policy is what I need, I'd like some assistance in configuring an OSPF export policy to inject/advertise some static routes in our network. I have been looking at the article below for assistance, but I'm not sure how to take it and apply my requirements. We have multiple 192.168.x.x subnets that use OSPF, but these subnets need to know about systems on a 10.250.x.x network that we do not manage. The aforementioned 10.250.x.x subnets are connected to our network via a router (not under our control) on one of the 192.168.x.x subnets with an IP address on the subnet e.g. 192.168.1.253. How should I go about configuring OSPF to advertise the 10.250.x.x subnets to the 192.168.x.x network?

 

https://www.juniper.net/documentation/en_US/junos/topics/example/ospf-routing-policy-redistributing-static-routes-into-ospf-configuring.html

SRX 1500 back up configuration with Kiwi Cat Tool?


Hello, how can I set up Kiwi CatTools to back up SRX configuration?
For QFX 5110 and EX devices my question is the same.

Thank you.

SRX Certificate VPN


Hi,

 

Setting up a certificate based site-to-site VPN. 

 

I have -

  1. Created the key-pair.
  2. Generated a CSR.
  3. Had the CSR signed by our Windows CA.
  4. Uploaded the signed certificate to the firewall as a local certificate.
  5. Uploaded the intermediate CA certificate under one ca-profile.
  6. Uploaded the root CA certificate under a different ca-profile.
  7. Uploaded the CA certificate for the external site.

 

I am having IKE v1 authentication errors.

 

In the logs I can see " IP; No public key found".

 

Is there a step I have missed? I noticed on the SRX you cannot upload a certificate chain, so I had to upload the intermediate and root certificates under separate ca-profiles. Do I need to "link" these somehow?

 

Thanks.

 

 

SRX BGP Multiple Public IP not working


Hi,

 

I have a BGP connection to my ISP, and when my network is using the public IP of the SRX all is OK, but not when I try to use a different IP in the allocated subnet, such as 119.28.29.135.

 

Servers can send packets out but don't see a reply. I have set up a tcpdump on an external server and can see the packet arrive there from 119.28.29.135. It is showing the correct external IP and replies to the ping to the correct address 119.28.29.135, but I never see it arrive. I have put a packet filter onto the SRX and still don't see a reply. Policies and static NAT are correct.

 

I think possibly the person that setup this BGP connection missed something, can someone double check the below BGP setup, and advise?

Thanks

 

/* fragment from [edit security nat static rule-set <name>]; the rule-set name was not included in the post */
from zone [ trust untrust ];
rule 4 {
    match {
        destination-address 119.28.29.135/32;
    }
    then {
        static-nat {
            prefix {
                192.168.2.11/32;
            }
        }
    }
}

/* fragment from [edit security nat] */
proxy-arp {
    interface reth0.0 {
        address {
            192.168.2.0/32;
        }
    }
}

/* fragment from [edit security policies global] */
policy trust_to_any {
    match {
        source-address any;
        destination-address any;
        application any;
        from-zone trust;
        to-zone any;
    }
    then {
        permit;
    }
}

/* fragment from [edit security] */
zones {
    security-zone untrust {
        host-inbound-traffic {
            system-services {
                https;
                ssh;
                ping;
                ike;
            }
            protocols {
                bgp;
                bfd;
            }
        }
        interfaces {
            reth1.0 {
                host-inbound-traffic {
                    system-services {
                        ssh;
                        https;
                        ping;
                        ike;
                    }
                    protocols {
                        bgp;
                        bfd;
                    }
                }
            }
        }
    }
}

/* fragment from [edit interfaces] */
reth1 {
    description "Internet Primary";
    redundant-ether-options {
        redundancy-group 1;
    }
    unit 0 {
        family inet {
            address 119.28.29.130/28;
        }
    }
}

routing-options {
    autonomous-system 0.65000;
}

/* l2-learning sits under protocols, beside bgp, not inside it */
protocols {
    bgp {
        authentication-algorithm md5;
        group ISP {
            type external;
            preference 100;
            import import-default-route;
            authentication-algorithm md5;
            export my-bgp-network;
            peer-as 38333;
            outbound-route-filter {
                prefix-based {
                    accept {
                        inet;
                    }
                }
            }
            neighbor 119.28.29.129 {
                local-address 119.28.29.130;
                authentication-key "£dj60em9t045gimlkfvDfjnd6Au1"; ## SECRET-DATA
            }
        }
    }
    l2-learning {
        global-mode switching;
    }
}

 
