Channel: SRX Services Gateway topics

Public IP issues


I have OpenVPN in my LAN and want to route that machine with a public IP; I have tried static / destination NAT. I am able to connect to my internal LAN via OpenVPN with the public IP, but I can't SSH to any machine in the LAN; I can only ping the internal LAN from outside.

 

My static NAT:

root@srx# show security nat static
rule-set rs1 {
    from zone Internet;
    rule r1 {
        match {
            destination-address 2.2.2.2/32;
        }
        then {
            static-nat {
                prefix {
                    192.168.50.21/32;
                }
            }
        }
    }
}

root@rx# show security nat proxy-arp
interface ge-0/0/0.0 {
    address {
        2.2.2.2/32;
    }
}
 

root@srx# show security policies from-zone Internal to-zone Internet
policy All_Internal_Internet {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}
policy permit-all {
    match {
        source-address ov-server;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}
root@srx# show security policies from-zone Internet to-zone Internal    
policy ov-access {
    match {
        source-address any;
        destination-address ov-server;
        application any;
    }
    then {
        permit;
    }
}

[edit]


Local to public IP mapping on SRX300


I have OpenVPN in my LAN and want to route that machine with a public IP; I have tried static / destination NAT. I am able to connect to my internal LAN via OpenVPN with the public IP, but I can't SSH to any machine in the LAN; I can only ping the internal LAN from outside.
 
My static NAT:

root@rt# show security nat static

rule-set rs1 {
    from zone Internet;
    rule r1 {
        match {
            destination-address 10.2.3.4/32;
        }
        then {
            static-nat {
                prefix {
                    192.168.50.21/32;
                }
            }
        }
    }
}

[edit]

root@rx# show security nat proxy-arp

interface ge-0/0/0.0 {
    address {
        10.2.3.4/32;
    }
}

[edit]

root@srx# show security policies from-zone Internal to-zone Internet

policy All_Internal_Internet {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}
policy permit-all {
    match {
        source-address ov-server;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}
root@srx# show security policies from-zone Internet to-zone Internal
policy ov-access {
    match {
        source-address any;
        destination-address ov-server;
        application any;
    }
    then {
        permit;
    }
}

[edit]

Unified policy not working


I got the latest 18.4 vSRX 3.0.

I have been playing with the new unified policy.

With the config below, the unified rule (Fake_News) is never hit.

Do classic rules have a higher priority regardless of the order?

 

root@T> show configuration security policies 
from-zone trust to-zone untrust {
    policy Fake_News {
        match {
            source-address any;
            destination-address any;
            application junos-defaults;
            dynamic-application junos:CNN;
        }
        then {
            deny;
        }
    }
    policy LAN-to-WAN {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                application-services {  
                    ssl-proxy {
                        profile-name ssl-fp;
                    }
                    utm-policy UTM;
                    security-intelligence-policy SKY_policy;
                    advanced-anti-malware-policy SKY_policy;
                }
            }
            log {
                session-init;
                session-close;
            }
            count;
        }
    }
}

Dual load balancing and source-based routing


Dear All,

I am a beginner in Juniper FW. Now I am using an SRX340 with failover clustering.

I have two ISP links. I want one network (1.1.10.0/24) to always use ISP 1 and the rest to use ISP 2.

 

ISP1----->|                                      |--------1.1.10.0/24
          |-----SRX340 cluster---->L3 Switches---|
ISP2----->|                                      |---------other networks

 

I also have a default route in the L3 switches because I connect one cable from the L3 switch to the SRX firewall.

How should I do source-based routing for my design? Please give me some sample links.

SRX4600 and Cisco Nexus 7000 ping loss


Hello everybody,

I have a problem. The SRX4600 is connected with 10 gigabit to the Nexus 7000. The interface is also up. If I ping the gateway from the firewall now, I get massive packet loss. If I try to ping the firewall from the gateway, I get no answer.

 

The configuration:

show configuration interfaces reth2
description xxx;
vlan-tagging;
redundant-ether-options {
    redundancy-group 1;
    minimum-links 1;
    lacp {
        passive;
        periodic slow;
    }
}
unit 427 {
    description xxxx;
    vlan-id 427;
    family inet {
        address x.y.x.15/24;
    }
}
unit 1503 {
    description xxx;
    vlan-id 1503;
    family inet {
        address x.y.x.3/24;
    }
}

 

show configuration interfaces
xe-1/1/0 {
    gigether-options {
        redundant-parent reth2;
    }
}
xe-1/1/1 {
    gigether-options {
        redundant-parent reth2;
    }
}
xe-8/1/0 {
    gigether-options {
        redundant-parent reth2;
    }
}
xe-8/1/1 {
    gigether-options {
        redundant-parent reth2;
    }
}
 

Cisco:

interface Ethernet2/31
  switchport mode trunk
  channel-group 27 mode active

interface Ethernet2/32
  switchport mode trunk
  channel-group 27 mode active

interface port-channel27
  switchport mode trunk

Can I use Google Authenticator for SRX300 remote VPN client authentication?


Can I use Google Authenticator for SRX300 remote VPN client authentication?

I want to set up the SRX300 IPsec remote VPN client login with Google Authenticator; how can I do this?

 

Thank you so much.

Matthew Ho

Does SRX4200 support port mirror?

SRX clustering and source-based routing for internet


Dear All,

I would like to request help with SRX cluster and source-based routing for internet use.

Last time I was using dual load balancing (round robin) and clustering.

Now I would like to change to source-based routing, but I cannot solve it.

I want 10.10.10.0/24 to use ISP1, and the 10.10.20.0/24 network and other networks will use ISP2.

But after the configuration below, all networks are using ISP2. Please help me.

 


interfaces {
    reth3 {
        unit 0 {
            family inet {
                filter {
                    input ISP1;
                }
                address 11.11.11.1/24;
            }
        }
    }
}

firewall {
    family inet {
        filter ISP1 {
            term 0 {
                from {
                    source-address {
                        10.10.10.0/24;
                    }
                }
                then {
                    routing-instance DEMO-ROUTER;
                }
            }
            term 1 {
                then accept;
            }
        }
    }
}
routing-instances {
    DEMO-ROUTER {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 2.2.2.2;
            }
        }
    }
}
routing-options {
    interface-routes {
        rib-group inet DEMO-ROUTER;
    }
    static {
        route 0.0.0.0/0 next-hop 1.1.1.1;
    }
    rib-groups {
        DEMO-ROUTER {
            import-rib [ inet.0 DEMO-ROUTER.inet.0 ];
        }
    }
}

 


ERR_TOO_MANY_REDIRECTS


Hello,

I am configuring a vSRX, and I have experience on the SRX240.

I cannot connect to J-Web while SSH works fine (vSRX 18.3R1.9).

I always get the ERR_TOO_MANY_REDIRECTS error on different browsers (Chrome, Firefox, ...).

Would someone have any idea?

 

Thanks

Gilles

VPN Failover needed upon Packet Loss in ISP Link


Hello,

We have dual ISP links at branch offices with a failover config. Whenever the primary link goes down, the secondary link takes over, but when packet loss occurs on the primary link, the route still follows the primary tunnel (primary link) and the branch office faces application degradation, so we manually shift the VPN from primary to secondary by deactivating the primary VPN.

My question is: "Is there any way for the failover to happen at a certain defined PERCENTAGE OF PACKET LOSS?"

For example, setting 40% packet loss means the primary VPN will shift to the secondary VPN.

Sky-ATP SMTP Profile

Hi
 
I have a Sky ATP Premium license and am managing the SRX5400 through Space SD 16.1.
I am trying to configure the SMTP profile but didn't find the SMTP profile configuration in the Sky portal, and there is no option to configure SMTP through the SRX CLI, as only HTTP is available.
 
Thanks

Sky-ATP HTTPS and SMTPs Traffic


Hi

 

Is HTTPS and SMTPS traffic inspected through Sky ATP by default, or is a special configuration required?

 

Thanks

Out-of-band management fxp0 doesn't work on a vSRX


Hello,

 

I am working with a vSRX (version 18.3R1.9) and I cannot configure the fxp0 interface.

The interface is on the first network adapter. The "show interface fxp0" command gives the same MAC address as in the configuration of the virtual machine.

The network adapter is on the 201 tagged VLAN.

On the same ESX host, if I put a virtual machine on the same network (VLAN 201) it works properly, but with fxp0.0 I can't reach the gateway.

Could the problem be that I have not yet added the serial number of the vSRX?

Any ideas?

 

Thanks

Regards

No SRX name after the user name


Hello,
Normally, when I sign on via SSH to a machine, I'm used to seeing my username and then @ with the name of the SRX.
On the new SRX4600 it is now only my username, without @.

 

Is this normal or is there still an error in the configuration?

 

 

node0 {
    system {
        host-name Hans1;
        services {
            ssh {
                max-sessions-per-connection 32;
            }
        }
        syslog {
            file default-log-messages {
                match "(requested 'commit' operation)|(requested 'commit synchronize' operation)|(copying configuration to juniper.save)|(commit complete)|ifAdminStatus|(FRU power)|(FRU removal)|(FRU insertion)|(link UP)|transitioned|Transferred|transfer-file|(license add)|(license delete)|(package -X update)|(package -X delete)|(FRU Online)|(FRU Offline)|(plugged in)|(unplugged)|GRES";
                structured-data;
            }
        }
    }
}
node1 {
    system {
        host-name Hans2;
        syslog {
            file default-log-messages {
                match "(requested 'commit' operation)|(requested 'commit synchronize' operation)|(copying configuration to juniper.save)|(commit complete)|ifAdminStatus|(FRU power)|(FRU removal)|(FRU insertion)|(link UP)|transitioned|Transferred|transfer-file|(license add)|(license delete)|(package -X update)|(package -X delete)|(FRU Online)|(FRU Offline)|(plugged in)|(unplugged)|GRES";
                structured-data;
            }
        }
    }
}

 

{primary:node0}
root>

How to send RST after an inactive-timeout happens?


We have some applications which can be idle for a long time.

 

They're hitting the inactive-timeout.

 

The problem is, once that happens, the application gets confused because it never gets a response, but it never gets an RST either.

 

Is there a way to get the SRX to send an RST when a flow times out?


Unable to commit configuration on J-Web


Hi experts!

 

I have created a custom login class 'WEB1' to restrict the commands and the configuration changes that can be made by a particular user. The commands work exactly as expected when the user logs in using the CLI, but when we try to execute/configure the same commands in J-Web we get a permission denied error message.

 

Below is the login class I created for the user pavan:

====================================

set system login class WEB1 permissions configure
set system login class WEB1 permissions interface
set system login class WEB1 permissions interface-control
set system login class WEB1 permissions security
set system login class WEB1 permissions system
set system login class WEB1 allow-commands "(ping .*)|(traceroute .*)|(show .*)|(configure .*)|(exit)|(commit)|(rollback .*)|(request system .* .* .*)"
set system login class WEB1 allow-configuration "(system name-server .*) | (interfaces ge-0/0/0.0 .* .* .* .* .* .*) | (routing-options static route .* .* .* .*)"
set system login class WEB1 deny-configuration .*

 

I am basically allowing a bunch of show commands and giving the user the explicit ability to modify the interface ge-0/0/0.0, change the DNS server IP and set the default static route.

 

All of these are done successfully on the CLI, but when we try to do the same in the GUI, it says permission denied.

 

Example:

I try to set the IP address of ge-0/0/0.0 on the CLI using the command:

set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.1/29

It worked fine without a problem and I was able to commit. When I tried doing the same in J-Web, it said "permission denied."

 

Please help.

 

Thanking you.

Regards,

Pavan Katakam

Copying config on Active and backup partition


Morning guys!

 

I am trying to understand if there is a simple command to copy the running config from one partition to the other and boot the SRX from that partition.

Let's say the active partition has been corrupted and the SRX booted up using the backup partition; I would like to restore the config on the active partition by copying the config file from the backup partition.

Is this the appropriate command to do that?

request system snapshot slice alternate

Or do we have a file copy <source> <destination> command?

I am assuming the config resides in the /config folder of the active partition and in /altconfig of the backup partition.

 

Kindly help me understand.

 

Thanking you.

Regards,

Pavan Katakam

Custom login class configuration issue: commands not working on J-Web while they work on CLI


Hi experts!

 

I have created a custom login class 'WEB1' to restrict the commands and the configuration changes that can be made by a particular user. The commands work exactly as expected when the user logs in using the CLI, but when we try to execute/configure the same commands in J-Web we get a permission denied error message.

 

Below is the login class I created for the user pavan:

====================================

set system login class WEB1 permissions configure
set system login class WEB1 permissions interface
set system login class WEB1 permissions interface-control
set system login class WEB1 permissions security
set system login class WEB1 permissions system
set system login class WEB1 allow-commands "(ping .*)|(traceroute .*)|(show .*)|(configure .*)|(exit)|(commit)|(rollback .*)|(request system .* .* .*)"
set system login class WEB1 allow-configuration "(system name-server .*) | (interfaces ge-0/0/0.0 .* .* .* .* .* .*) | (routing-options static route .* .* .* .*)"
set system login class WEB1 deny-configuration .*

 

I am basically allowing a bunch of show commands and giving the user the explicit ability to modify the interface ge-0/0/0.0, change the DNS server IP and set the default static route.

 

Except for the reboot command, all of these are done successfully on the CLI, but when we try to do the same in the GUI, it says permission denied.

 

Example:

I try to set the IP address of ge-0/0/0.0 on the CLI using the command:

set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.1/29

It worked fine without a problem and I was able to commit. When I tried doing the same in J-Web, it said "permission denied."

The "request system reboot" command gives me the error below when requested from the CLI:

pavan@xx> request system reboot
Reboot the system ? [yes,no] (no) yes

mgd: unable to execute /sbin/shutdown: Permission denied

 

Please help.

 

Thanking you.

Regards,

Pavan Katakam

Logs Show Denied Traffic Sourced from the Web Destined to Public IPs not owned


I saw some interesting denied traffic in the logs on multiple SRX firewalls and didn't have an explanation.

We see denied traffic sourced from random public IPs on the web, destined to IP addresses that we do not own, that are not in our public subnet, and that are not affiliated with our firewall (interfaces, NAT, etc.).

Any thoughts?

SRX 240 ISSU upgrade failure


I have done upgrades on our SRX 240 using ISSU multiple times, but lately we are having an issue upgrading from 12.3X48-D70.3 to 12.3X48-D75: "WARNING: Not enabled dual root partition on secondary node ISSU not allowed". How do I overcome this? The other option would be to upgrade using the regular method, but I want to stick with the ISSU method for now.
