Channel: SRX Services Gateway topics
Viewing all 3959 articles

How to give mobile phone access to an IP camera from the untrust to the trust network


At this moment the access is set to any address, but I want to give access to a limited number of external IP addresses.

This will work for static IP addresses, but mobile phone users have changing IP addresses. Does anybody have a clue how to solve this?

My Juniper is an SRX210.


BFD flow session doubt


Hi, I am having a hard time understanding how BFD works on the SRX-5400. I have a BGP session with peer 169.254.254.1; the zone security policy is allowing host-inbound protocols bgp and bfd.

SRX-5400>show bgp summary | match 169.254.254.1
169.254.254.1          9059      37084      38202       0       1 1w5d 7:41:27 1/1/1/0              0/0/0/0

SRX-5400>show bfd session | match 169.254.254.1
169.254.254.1            Up        reth0.103      1.500     0.500        3

 

All is well; however, "show security flow session source" confuses me:

 

SRX-5400> show security flow session source-prefix 169.254.254.1

Session ID: 30000034, Policy name: self-traffic-policy/1, State: Active, Timeout: 60, Valid
  In: 169.254.254.1/49152 --> 169.254.254.2/3784;udp, Conn Tag: 0x0, If: reth0.103, Pkts: 25066025, Bytes: 1303433300, CP Session ID: 30000128
  Out: 169.254.254.2/3784 --> 169.254.254.1/49152;udp, Conn Tag: 0x0, If: .local..0, Pkts: 0, Bytes: 0, CP Session ID: 30000128

 

The outbound leg counters always show 0. Why is that? The actual BFD hello packets went out, otherwise the BFD session wouldn't be in the UP state.

 

 

How to use the GUI to limit which outside public IPs can access firewall web management?


Hi All,

I'd like to know if there is any way to use the GUI to whitelist some IPs allowed to access Juniper SRX web management, instead of using the console?

SRX340 Base Model, which JunOS version?


The SRX340 base model closest to an SRX240B or B2 has a minimum version of JunOS. What is this version? I know the model numbers might not resemble the B or B2 designation, but I'm sure someone can make the distinction. What is the base JunOS version of the SRX340? I want to make sure the DHCPv6 client is installed. I think ver 12.xxx is what I need. Need sessions. Is this the correct answer? I have no sessions showing, but my flow is proper. See my post....

 

https://forums.juniper.net/t5/SRX-Services-Gateway/No-IPV6-flow-sessions/m-p/376674#M51198

Certain users can't be logged out manually/kicked


Hello!

Device: SRX4200

Version: 15.1X49-D110.4

I've been trying to do some JunOS security hardening and I'm stumbling upon a weird phenomenon (at least to me it is) with the logged in users.

So I know you can logout users and it's been successful to a certain degree.  This is the current situation:

show system users.png

 

"request system logout terminal p1" doesn't do anything; the CLI doesn't return any message. Making it more specific doesn't work either: "request system logout terminal p1 user chxxx". I know that root users are more finicky to kick, but I have actually been able to do that on my QFXs and even on the SRX:

show system users with root that I was able to kick.png

kicking root.png

(Been able to kick root (d0) from both nodes)

Now I did find this post:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB9341&cat=JUNOS&actp=LIST

And I tried this too; I checked the system processes, both by trying to match the terminal values and by just looking through with my own eyes. The users that don't have a "WHAT" value don't seem to have a process linked to them. It's almost like they exist in the void? The chxxx user that exists on both nodes is probably from when I logged in between node1 and back to node0, but as said, I can't even kick these!

Before you point me towards an idle-timeout config, I do have that, but I need to fix the login class and make new local ones because it's not sticking to the standard super-user classes so currently it doesn't really work, and frankly I want to figure this out! I suppose the answer lies in what type of terminal the user is? I have been able to kick "p" TTYs from my QFXs, although they did have a "WHAT" value...

Any KB or PR articles, or response would be appreciated!

ISSUES with SRX Virtual Router with BGP in selective packet mode


Hi Community,

 

I need to deploy an SRX as a CPE with 2 virtual routers, one for Internet access with the NAT feature and the other VR with BGP peering. I tried to deploy the BGP VR in packet mode with a selective filter, but it doesn't work: all BGP keepalives are being discarded.

Is it possible to do this implementation? The documentation describes: "Make sure to configure host-bound TCP traffic to use flow-based forwarding—exclude this traffic when specifying match conditions for the firewall filter term containing the packet-mode action modifier. Any host-bound TCP traffic configured to bypass flow is dropped. Asynchronous flow-mode processing is not supported with selective stateless packet-based services"

Please let me know your comments and experience.

 

Thanks in advance

 

BR

Martin
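The documentation passage quoted in the post above describes the constraint that makes dropped keepalives the expected outcome: host-bound TCP (BGP included) must be kept out of the term that carries the packet-mode action. The configuration below is an added illustration of that rule, not Martin's configuration and not a Juniper example; the interface name, filter name, routing-instance name, addresses and peer AS are all assumed for the sake of the example.

```junos
/* Added example, not from the post: a selective stateless packet-mode filter
   on the BGP VR's interface that still hands host-bound BGP (TCP/179) to the
   flow engine. Interface, filter, VR, address and AS values are assumed. */
firewall {
    family inet {
        filter BGP-VR-SELECTIVE-PACKET {
            /* Term 1: host-bound BGP stays in flow mode. If this traffic
               instead matched a term carrying packet-mode, the peer's
               keepalives would be dropped, as the quoted documentation states. */
            term bgp-to-flow {
                from {
                    protocol tcp;
                    port 179;
                }
                then accept;
            }
            /* Term 2: all remaining traffic on this interface bypasses flow. */
            term transit-packet-mode {
                then {
                    packet-mode;
                    accept;
                }
            }
        }
    }
}
interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                filter {
                    input BGP-VR-SELECTIVE-PACKET;
                }
                address 10.0.0.2/30;   /* assumed address */
            }
        }
    }
}
routing-instances {
    BGP-VR {
        instance-type virtual-router;
        interface ge-0/0/1.0;
        protocols {
            bgp {
                group PEER {
                    neighbor 10.0.0.1 {   /* assumed peer */
                        peer-as 65000;    /* assumed AS */
                    }
                }
            }
        }
    }
}
```

Term order matters: the term that keeps host-bound TCP in flow mode has to precede the packet-mode term, because the first matching term wins. The BGP session also still depends on the zone holding ge-0/0/1.0 permitting bgp under host-inbound-traffic, since that part of the session is processed by the flow engine.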

 

How to get blocked traffic information from LAN traffic


Hello,

I am using an SRX 340 in production and have limited traffic open for internal users, like POP, SMTP, 80 and 443.

Now there is an app called AnyDesk for remote support. This application is not working; I already opened ports 80 and 443 as suggested by the AnyDesk support team. If I create a policy with any/any source and destination it starts working, but it is not possible to open all ports for internal traffic.

Now I want to trace what traffic hitting the SRX from the local network is not permitted and blocked by the firewall.

 

Thanks

 

RPM for reachability to 3rd party devices


 

Hi,

 

I am new to Junos RPM having primarily worked with Cisco IP SLA features...

I have a site with Junos SRXs which has connectivity to other sites with SRXs... RPM works great, though I believe that you have to have a responder configured, i.e. RPM is Junos proprietary... Hence does that mean that I can't test ICMP pings out to other vendor devices? If so, is there another probe I can configure for this? Just need RTT, jitter and packet loss...

 

Thanks in advance!


Do I have an MTU-VPN-OSPF ticking time bomb?


To start with, here is my point of reference:

 

http://networkingbodges.blogspot.com/2015/07/ospf-stuck-in-exchange-exstart.html - in particular the second paragraph under sub-heading 'Papering Over the Cracks'

 

I have recently (over the last 6 months) replaced our estate of Netscreen and SSG devices with SRXs. Most employ a VPN back to the 'hub'. The aforementioned devices only supported VPN tunnels with a maximum MTU of 1500. When the SRXs went in, a third party Juniper consultant advised that this limitation no longer applied, i.e. we could use the default MTU for the tunnels  - the maximum for a jumbo frame of 9192. Sure enough all of our new tunnels have been happily functioning with this value. However, 2 of said connections have recently become stuck in the Exchange state. JTAC got involved, and for whatever reason OSPF will now only function if the tunnel carries an MTU of 1388 (over a VDSL link). JTAC could offer no explanation as to why this is now the case.

 

The article above may or may not be relevant in this instance, but if it is, I fear each site will be lost one by one. However, I do not want to needlessly and significantly lower the MTU value of all tunnels. The 1388 value above was merely arrived at by trial and error.

 

Can anyone help me avoid a bit of a disaster?

Uncommitted after firmware update


Came across an issue when I was trying to run a configlet against an SRX router from Junos Space. Discovered that after the last firmware update I had an uncommitted configuration because the firmware version didn't save to the configuration. Is there something I missed doing the firmware update? Junos Space doesn't like to run configlets against routers with uncommitted changes, so I probably have a hundred routers with this issue.

Strange error on commit


When committing configuration changes I see strange errors (although the commit ends with "commit complete"). What does this error mean?

node0:
configuration check succeeds
ssamlib error. Error code SSAMLIB_ASYNC_ERRORssamlib: ERROR ssam_add error code 0x2, type 0x8000002fssamlib error. Error code SSAMLIB_ASYNC_ERRORssamlib: ERROR ssam_add error code 0x2, type 0x80000028ssamlib error. Error code SSAMLIB_ASYNC_ERRORssamlib: ERROR ssam_add error code 0x2, type 0x80000007

 

P.S.

 

Model: srx5600
Junos: 18.1R2.5

Loopbacks, the more the better???

I have a loopback only in lo0.0. I want loopbacks on the interfaces, but my ge-0/0/x.0 interfaces are configured on L3. That is, I can't enable loopback at the ge-0/0/x level. How can I get a loopback at the unit 0 level? Are there alternatives to that as well? Heeeelp!!!!

My loopbacks are as follows...

lo0.0 with inet address 127.0.0.2
lo0.0 with inet6 addressing....

I want loopbacks at the ge-0/0/1.0 through ge-0/0/15.0 level .

SRX210 VLAN problems


Hi All,

I have a Juniper SRX 210 that I need some help with. I have a corporate network with an EX2300 with 3 VLANs (100, 200, 300) which is connected to a dedicated fibre link and a corporate firewall. I have the SRX 210 sitting in my lab with a DSL connection on the AT interface. There have been cases when connections on the corporate network are being blocked by the firewall and the provider can be slow in replying, so I have undertaken some bypasses, namely to test if the problem is the firewall or something else. My setup is below:

On the EX2300 port 4 setup as access port with VLAN member 200 --> Connected to SRX port 7 setup as access port with VLAN member 200
On the EX2300 port 5 setup as access port with VLAN member 300 --> Connected to SRX port 6 setup as access port with VLAN member 300

My problem is as below:
When I console into the SRX I can't ping anything on VLAN 200 but can ping everything on VLAN 300.
From a machine connected via the EX2300 on VLAN 200 I can't ping the SRX VLAN interfaces, either VLAN 200 or VLAN 300.
From a machine connected via the EX2300 on VLAN 300 I can ping both SRX VLAN interfaces and access the Internet when using the default gateway of VLAN 300.
When I unplug the SRX VLAN 300 (port 6), from a machine connected via the EX2300 on VLAN 200 I can ping the SRX VLAN 200 interface and access the Internet when using the default gateway of VLAN 300.

How can I get both working at the same time?

I have even set up static routes for each vlan but same problem. I have also set up a rule to allow all traffic from trust to trust.

SRX 210 Configuration (snippets)

interfaces {
    fe-0/0/6 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan3;
                }
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan2;
                }
            }
        }
    }
    vlan {
        unit 2 {
            family inet {
                address 172.25.199.142/24;
            }
        }
        unit 3 {
            family inet {
                address 172.25.200.242/24;
            }
        }
    }
}
security {
    zones {
        security-zone trust {
            interfaces {
                vlan.2 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
                vlan.3 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
    }
}
vlans {
    vlan2 {
        vlan-id 200;
        l3-interface vlan.2;
    }
    vlan3 {
        vlan-id 300;
        l3-interface vlan.3;
    }
}

Thanks for your help all!.

 

Cheers Jason

SRX340 - Disable password recovery


We will be supplying SRX300 and SRX340 devices to customers on an ethernet core as an NTE device.

 

Currently I have everything configured to protect the NTE from any customer access, except one issue:

 

The customer could easily perform a password recovery by rebooting the device and pressing the spacebar. I have tested this and can confirm that the root password can be reset and then the configuration becomes visible to the customer.

 

To stop this I have logged onto the SRX340 as "root", entered the shell, navigated to "boot/defaults" and then opened "loader.conf" in vi .... I set the line "autoboot_delay="10"" to -1 as per recommendations; however, when I try to "save and quit" from vi.... I get told that root does not have permission.

 

Any ideas on how to get around this issue please?

Firewall filter source address query


I have the following firewall filter in place:

 

firewall {
    filter VPN {
        term VPN-Source {
            from {
                source-address {
                    xxx.xxx.xxx.xxx/32;
                }
                destination-port 500;
            }
            then accept;
        }
        term IKE-BLOCK {
            from {
                destination-port 500;
            }
            then {
                reject;
            }
        }
        term else {
            then accept;
        }
    }
}

 

I'd like to add an additional source address for 'either or' or 'both' scenarios. Is it simply a case of adding a new line under source-address, or is it more complicated than that?


SRX in Transparent Mode and VLAN-Rewrite with one Physical Link with Switch


Hi,

I am deploying an SRX1500 in transparent mode to inspect traffic (IPS) passing from the firewall. I am attaching a high-level topology. Below is my scenario:

I have one trunk link between the Cisco switch and the transparent firewall in the server VLAN (in green) and one trunk link between them for the gateway VLAN (in black) -- refer to the diagram. I followed the link below to configure the rewrite configuration and it's working fine. https://kb.juniper.net/InfoCenter/index?page=content&id=KB32245&actp=RSS.

I have two queries for this topology.

1. Is it possible to have an LACP configuration using this topology? Is it possible to configure LACP (reth1) with interface xe-0/0/16 of both firewalls, and LACP (reth2) with interface xe-0/0/17 of the firewalls? I tried to configure it, but the reth1/reth2 interfaces remain down, and even on the Cisco side they remain down. What would the configuration be, if possible?
2. Is it possible to bundle all four interfaces on the Juniper and two port channels on the Cisco, one for FW-1 and the second for FW-2, and still be able to perform rewrite? I didn't find any document on how to do this. Kindly guide me if possible.

 

Regards,

Atif.

error: MAIN: vrf-import policy permits accept action only if matching conditions contain a target community


SRX220H2 running 12.3X48-D75.4

 

This is my first foray into configuring MPLS on any Juniper device.

 

I'm trying to get the route target import and export working.  When I apply the import policy, I get the error in the subject line.

 

Policies look like this:

 

[edit policy-options]
root@MIRf1c1# show
policy-statement EXPORT-RT-POLICY {
    from {
        family route-target;
        rtf-prefix-list EXPORT-RT;
    }
    then accept;
}
policy-statement IMPORT-RT-POLICY {
    from {
        family route-target;
        rtf-prefix-list IMPORT-RT;
    }
    then accept;
}
rtf-prefix-list EXPORT-RT {
    65001:1200:12/96;
}
rtf-prefix-list IMPORT-RT {
    65001:1200:12/96;
    65001:1300:12/96;
    65001:500:12/96;
    65001:501:12/96;
    65001:600:12/96;
    65001:601:12/96;
}

 

My VRF MAIN routing instance looks like this:

 

[edit routing-instances MAIN]
root@MIRf1c1# show
instance-type vrf;
interface lo0.12;
route-distinguisher 1200:12;
vrf-import IMPORT-RT-POLICY;
vrf-export EXPORT-RT-POLICY;
vrf-target target:1200:12;
protocols {
  pim {
    rp {
       static {
           address 192.168.200.252;
       }
    }
  }
}

 

When I try to set a target without using the 65001 AS, I get the following:

 

[edit policy-options rtf-prefix-list IMPORT-RT]
root@MIRf1c1# set target:1200:12/96
error: prefix: 'target:1200:12/96': Use format 'as:x:y/len' where 'as' is an AS number and 'x' is an AS number followed by an optional 'L' (To indicate 4 byte AS), or an IP address and 'y' is a number. e.g. 123456L:100 and len is a prefix length from 32 to 96 or 0
error: statement creation failed: target:1200:12/96

 

And when I try to commit my config, I get:

 

root@MIRf1c1# commit
error: MAIN: vrf-import policy permits accept action only if matching conditions contain a target community
error: configuration check-out failed

 

I was looking at https://www.juniper.net/documentation/en_US/junos/topics/example/vpn-bgp-route-target-filtering.html as an example, but in the example, it references vpn3-import and vpn3-export, but gives no example definition of either of those.

 

I know the export policy is formatted correctly, because I can remove the vrf-import statement and it commits.

 

Ideas on how to get past this hurdle?

 

Thanks,

Matt

 

Enhanced Web Filter with scheduler but allow user with special access


Hello Guys,

 

I need your help.

I will set up Enhanced Web Filtering with a scheduler for restricted internet access, but I want certain IP/MAC addresses to have full internet access. How do I apply those IP/MAC addresses in the security policies?

Thanks.

 

set access address-assignment pool DHCP-POOL family inet network 192.168.2.0/24
set access address-assignment pool DHCP-POOL family inet range DHCP-RANGE-2 low 192.168.2.11
set access address-assignment pool DHCP-POOL family inet range DHCP-RANGE-2 high 192.168.2.254
set access address-assignment pool DHCP-POOL family inet dhcp-attributes router 192.168.2.1
set access address-assignment pool DHCP-POOL host PC1 hardware-address 01:03:05:07:09:0b ip-address 192.168.2.254
set access address-assignment pool DHCP-POOL host PC2 hardware-address 01:03:05:07:10:0a ip-address 192.168.2.253

set security address book ALLOWED-PC address ADDR1 range-address 192.168.2.253 to 192.168.2.254

set security utm feature-profile web-filtering juniper-enhanced server host rp.cloud.threatseeker.com
set security utm feature-profile web-filtering juniper-enhanced server port 80
set security utm feature-profile web-filtering juniper-enhanced profile junos-wf-enhanced-business category Enhanced_Web_and_Email_Spam action permit
set security utm feature-profile web-filtering juniper-enhanced profile junos-wf-enhanced-business default block
set security utm feature-profile web-filtering juniper-enhanced profile junos-wf-enhanced-business custom-block-message "***The requested webpage is blocked by your organization's access policy ***"
set security utm feature-profile web-filtering juniper-enhanced profile junos-wf-enhanced-business no-safe-search
set security utm feature-profile web-filtering juniper-enhanced profile junos-wf-enhanced-business timeout 10
set security utm feature-profile web-filtering juniper-enhanced profile junos-wf-enhanced-business fallback-settings default log-and-permit
set security utm feature-profile web-filtering juniper-enhanced profile junos-wf-enhanced-business fallback-settings server-connectivity log-and-permit
set security utm feature-profile web-filtering juniper-enhanced profile junos-wf-enhanced-business fallback-settings timeout log-and-permit
set security utm feature-profile web-filtering juniper-enhanced profile junos-wf-enhanced-business fallback-settings too-many-requests log-and-permit
set security utm utm-policy utm-clients-policy web-filtering http-profile junos-wf-enhanced-business
set security policies from-zone LAN to-zone INTERNET policy utm-security-policy match source-address any
set security policies from-zone LAN to-zone INTERNET policy utm-security-policy match destination-address any
set security policies from-zone LAN to-zone INTERNET policy utm-security-policy match application any
set security policies from-zone LAN to-zone INTERNET policy utm-security-policy then permit application-services utm-policy utm-clients-policy
set security policies default-policy deny-all
set security policies from-zone LAN to-zone INTERNET policy utm-security-policy scheduler-name business-hours

set schedulers scheduler business-hours daily start-time 08:00:00 stop-time 12:00:00
set schedulers scheduler business-hours daily start-time 13:00:00 stop-time 17:00:00
set schedulers scheduler business-hours saturday exclude
set schedulers scheduler business-hours sunday exclude

Vlan loop protection, not stp, etc.

I want to know if anyone knows about loop protection for VLANs on the SRX series. I'm asking because I have Avaya switches without the advanced license. No IPv6 support for loopbacks. They use SLPP, simple loop protection.

Not including stp and loopbacks, does the SRX use a loop prevention routine of its own? Anyone heard of this?

I want to know if SLPP is good for srx, but I need to know about the SRX first.

VLAN to LAN visibility


Hello,

I have workstation A connected to an SRX240 on ge-0/0/5 (one of the ports acting as a switch) for VLAN123 (zone trust)
for network A.A.A.A/24 (LAN DHCP). Workstation A has access to the Internet.

In the same room I have an unmanaged switch connected to the back of the ISP modem (set up for LAN B.B.B.B/24).
Laptop B is connected to that unmanaged switch.

Is it possible for workstation A on VLAN123 (connected to the SRX) to see laptop B connected to the switch?
With this setup, how do I accomplish this result: network A.A.A.A/24 will see network B.B.B.B/24 and vice versa?
Do I need to add an extra L3 device, or since I have extra ports available on the SRX and access to the switch, won't that be needed?
My ISP is the same for both sides.
I looked in different places for my answer but I can't find it.

Thank you!
