Channel: SRX Services Gateway topics

DMZ on a vSRX


I'm trying to set up a DMZ on a vSRX.
I have a ge-0/0/0 interface in an untrust zone and a ge-0/0/1 interface in a trust zone.
Behind the ge-0/0/1 interface I have a layer 3 switch with a declared layer 3 VLAN.

I added a ge-0/0/2 interface, assigned it an IP address and created a new DMZ zone.

I added all DMZ rules in security policies (DMZ to untrust: pass all).

If I put the ge-0/0/2 interface in the trust zone everything works fine: internet access and ping response from the VLAN behind the vSRX. So the routing is correct.

If I put the ge-0/0/2 interface in the DMZ zone, nothing works: no more access to the internet and no more response to pings from the VLAN behind the vSRX.

I think I forgot something but I do not know what.

Thanks for your help

Gilles


SRX300 BIOS Upgrade for RE


Is it possible to upgrade the BIOS on an SRX300? I tried to execute:

root@rudn> request system firmware upgrade re bios
                                           ^
syntax error, expecting <command>.

root@rudn> request system firmware upgrade ?
Possible completions:
  fpc                  Upgrade FPC ROM monitor
  pic                  Upgrade PIC firmware
  vcpu                 Upgrade VCPU ROM monitor

As for the SRX550 I see:

junoadmin@srx550> request system firmware upgrade ?
Possible completions:
  fpc                  Upgrade FPC ROM monitor
  pic                  Upgrade PIC firmware
  re                   Upgrade baseboard BIOS/FPGA
  vcpu                 Upgrade VCPU ROM monitor

Also I suppose that there is no backup BIOS in the SRX300:

show system firmware compatibility
Part                     Type             Tag  Current  Available  Status
                                               version  version
Routing Engine 0         RE BIOS          0    3.1      2.9        OK
Routing Engine 0         RE BIOS Backup   1    0.0      2.9        OK

Maybe the reason is that the current BIOS 3.1 > available BIOS 2.9.

I didn't upgrade anything in the SRX300; the device was unpacked some days ago.

SRX-550HM and JunOS 15.1X49D150 - J-Web has broken interface


First of all I would like to say that I've just upgraded an SRX300 to 15.1X49D150 and everything is fine with J-Web.

And everything was fine with J-Web in the initial JunOS 15.1X49D45 on the SRX-300 unpacked from the box.

After the login page I see the webpage and menus, but everything is broken.

As for JunOS 15.1X49D150 on the SRX550HM, I opened the HTTPD log and saw:

httpd: 2: Error: "Not Found", code 404 for URI "/extjs/resources/ext-theme-classic/ext-theme-classic-all.css", file "/html/extjs/resources/ext-theme-classic/ext-theme-classic-all.css": Can't open document: /html/extjs/resources/ext-theme-classic/ext-theme-classic-all.css.

The browser debugger said that no ext-theme-classic-all.css was loaded.

I opened J-Web on the SRX300 with JunOS 15.1X49D45 (2016) as well as on the upgraded SRX-300, and there are no errors with CSS. By the way, there are two CSS files: one for the classic theme and one for the j-web theme. The SRX300 is an NG SRX, so the J-web theme is loaded, and the classic one is available to the browser too.

Then I found that the PHP scripts (index.php and login.php in the root) use the /html/extjs/resources/ext-theme-classic/ path to load ext-theme-classic-all.css, but there is no CSS there; both CSS files (for classic and for j-web) are located in the /jail/html/extjs/resources/ext-theme-jweb folder!

Here is index.php:

........

if(check_model('MODEL_NGSRX')) {
    print <<<EOF
<script type="text/javascript" src="/javascript/ext-jnpr-slipstream.js?$urlArgs"></script>
<link rel="stylesheet" type="text/css" href="/extjs/resources/ext-theme-jweb/ext-theme-jweb-all.css"/>
<link rel="stylesheet" type="text/css" href="/extjs/resources/css/ext-all.css"/>
<link rel="stylesheet" type="text/css" href="/stylesheet/ext-jnpr-slipstream.css"/>
EOF;
} else {
    print <<<EOF
<link rel="stylesheet" type="text/css" href="/extjs/resources/ext-theme-classic/ext-theme-classic-all.css"/>
EOF;

......

The 550 is not an NG SRX, so the browser was redirected to load extjs/resources/ext-theme-classic/ext-theme-classic-all.css,

but there is no ext-theme-classic-all.css in extjs/resources/ext-theme-classic/. ext-theme-classic-all.css is located in the /jail/html/extjs/resources/ext-theme-jweb folder!

I tried to put this CSS into the extjs/resources/ext-theme-classic folder, but I got a message:

--- JUNOS 15.1X49-D150.2 built 2018-09-19 17:44:55 UTC
$ su root
Password:
root@juno% cp /jail/html/extjs/resources/ext-theme-jweb/ext-theme-classic-all.css /jail/html/extjs/resources/ext-theme-classic/
cp: /jail/html/extjs/resources/ext-theme-classic/ext-theme-classic-all.css: Read-only file system

As for 15.1X49D45 on the SRX300, both CSS files are in /jail/html/extjs/resources/ext-theme-jweb/ as in D150, but there is no redirect to the classic CSS:

if(check_model('MODEL_NGSRX')) {
    print <<<EOF
<link rel="stylesheet" type="text/css" href="/extjs/resources/css/ext-all.css"/>
EOF;
}
print <<<EOF
<link rel="stylesheet" type="text/css" href="/stylesheet/ext-jnpr.css"/>


There are some screens attached.

How to set up RADIUS authentication on Windows Server 2016


How do I set up the Network Policy Server in Windows Server 2016 so that it can be added as the RADIUS server on my Juniper devices?

ssh timeout srx4600


Hello,
I wanted to set the SSH timeout to 4 hours.
When I type the command:

set applications application junos-ssh inactivity-timeout 14400

I get the following message:

error: cannot use reserved identifier: junos-ssh

Software version is: Junos: 18.4R1.8

How do I set the timeout higher?

Thank you for your help


Source Identity - Syntax Error



Hello people, how are you?

I'm in trouble; I think it's a SYNTAX problem.

When I type this part:
source-identity "example.net \ galenrikka";

it keeps the space and drops the backslash.

It is thus: source-identity "example.net galenrikka";

Can someone help me?

Here is the sample material:


https://www.juniper.net/documentation/en_US/junos12.1x47/topics/example/example-userfw-ad.html

From configuration mode, confirm your policy configuration by entering the show security policies command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

user@host# show security policies
from-zone trust to-zone untrust {
    policy p1 {
        match {
            source-address any;
            destination-address any;
            application any;
            source-identity unauthenticated-user;
        }
        then {
            permit {
                firewall-authentication {
                    user-firewall {
                        access-profile profile1;
                    }
                }
            }
        }
    }
    policy p2 {
        match {
            source-address any;
            destination-address any;
            application any;
            source-identity "example.net\galenrikka";
        }
        then {
            permit;
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.

srx4600 em1 down


Hello everybody,
I have the following problem:
I restarted the cluster after a software update.
After the restart em1 was up. Then the other interfaces came up and em1 went down.

I already did an ifconfig em1 up on the shell, but without success.

I had a similar problem on an SRX3600. There the following method helped:

  1. request chassis cb slot 1 offline node 0
  2. wait several seconds.
  3. request chassis cb slot 1 online node 0

Is there a similar command on the SRX4600?

What else can I do to get em1 up?


How can i view inbound and outbound traffic stats for my Juniper SRX 240?


I have been using the Juniper SRX240 router for several years now, and it is frustrating that one cannot view any stats regarding the network traffic in and out of the router.

I mean, people like to hype the big names in the industry a lot rather than judge by the quality and output of their product, but how does this make Juniper an industry leader when basic inbound and outbound stats, or just network stats one can view to see how the router is doing its job, are nowhere to be found?

Anyway, if anyone else is using the same router and has been able to set up a way to monitor stats for bandwidth usage or inbound and outbound traffic, please share below.

Thanks


Converting ScreenOS(SSG140) to JunOS(SRX340)


Hi Community,

I'm using the S2J migration tool but having issues translating the output below. If anyone can assist, I would greatly appreciate it! Thank you in advance!

!
!

95:set alg appleichat enable  -> Line not yet supported by S2J
96:unset alg appleichat re-assembly enable  -> Line not recognized by S2J
97:set alg sctp enable  -> Line not yet supported by S2J
112:set admin format dos  -> Line not recognized by S2J
113:set zone "Trust" vrouter "trust-vr"
114:set zone "Untrust" vrouter "trust-vr"
115:set zone "DMZ" vrouter "trust-vr"
116:set zone "VLAN" vrouter "trust-vr"  -> Transparent mode is not supported by the S2J tool yet.
117:set zone id 100 "Voice"
118:set zone id 101 "TESTZONE"
119:set zone id 102 "ServProc"
120:set zone "Untrust-Tun" vrouter "trust-vr"  -> Tunnel Zone is not supported in JUNOS
121:set zone "Trust" tcp-rst
122:set zone "Untrust" block  -> This is the default in JUNOS
123:unset zone "Untrust" tcp-rst
124:set zone "MGT" block  -> This is the default in JUNOS
125:unset zone "V1-Trust" tcp-rst
126:unset zone "V1-Untrust" tcp-rst
127:set zone "DMZ" tcp-rst
128:unset zone "V1-DMZ" tcp-rst
129:unset zone "VLAN" tcp-rst  -> Transparent mode is not supported by the S2J tool yet.
130:unset zone "Voice" tcp-rst
131:unset zone "TESTZONE" tcp-rst
132:unset zone "ServProc" tcp-rst
133:set zone "Untrust" screen tear-drop
134:set zone "Untrust" screen syn-flood
135:set zone "Untrust" screen ping-death
136:set zone "Untrust" screen ip-filter-src
137:set zone "Untrust" screen land
138:set zone "V1-Untrust" screen tear-drop
139:set zone "V1-Untrust" screen syn-flood
140:set zone "V1-Untrust" screen ping-death
141:set zone "V1-Untrust" screen ip-filter-src
142:set zone "V1-Untrust" screen land
143:set interface "ethernet0/0" zone "Trust"
144:set interface "ethernet0/1" zone "DMZ"
145:set interface "ethernet0/2" zone "Untrust"
146:set interface "ethernet0/3" zone "ServProc"
147:set interface "ethernet0/4" zone "DMZ"
148:set interface "ethernet0/6" zone "Voice"
149:set interface "ethernet0/8" zone "Trust"
150:set interface "ethernet0/9" zone "Untrust"
151:set interface "tunnel.1" zone "Untrust"  -> This interface type is not supported in JUNOS
152:unset interface vlan1 ip  -> Line not recognized by S2J
153:set interface ethernet0/1 ip 192.168.2.254/24
154:set interface ethernet0/1 nat  -> NAT Mode is not supported in JUNOS
155:set interface ethernet0/2 ip 216.183.190.226/28
156:set interface ethernet0/2 route  -> This is the default in JUNOS
157:set interface ethernet0/3 ip 192.168.14.254/24
158:set interface ethernet0/3 nat  -> NAT Mode is not supported in JUNOS
159:set interface ethernet0/4 ip 192.168.3.254/24
160:set interface ethernet0/4 nat  -> NAT Mode is not supported in JUNOS
161:set interface ethernet0/6 ip 192.168.6.254/24
162:set interface ethernet0/6 nat  -> NAT Mode is not supported in JUNOS
163:set interface ethernet0/8 ip 192.168.1.254/24
164:set interface ethernet0/8 nat  -> NAT Mode is not supported in JUNOS
165:set interface ethernet0/8 ip 192.168.4.254 255.255.255.0 secondary
166:set interface ethernet0/8 ip 192.168.15.254 255.255.255.0 secondary
167:set interface ethernet0/9 ip x.x.x.x/30
168:set interface ethernet0/9 route  -> This is the default in JUNOS
169:set interface tunnel.1 ip unnumbered interface ethernet0/9  -> This interface type is not supported in JUNOS
170:set interface ethernet0/9 bandwidth egress mbw 51200 ingress mbw 51200  -> Line not recognized by S2J
171:set interface ethernet0/9 mtu 1500
172:unset interface vlan1 bypass-others-ipsec  -> Line not recognized by S2J
173:unset interface vlan1 bypass-non-ip  -> Line not recognized by S2J
174:set interface ethernet0/1 ip manageable
175:set interface ethernet0/2 ip manageable
176:set interface ethernet0/3 ip manageable
177:unset interface ethernet0/4 ip manageable  -> The interface is not IP managed
178:set interface ethernet0/6 ip manageable
179:set interface ethernet0/8 ip manageable
180:set interface ethernet0/9 ip manageable
181:set interface ethernet0/0 manage ping
182:set interface ethernet0/0 manage ssh
183:set interface ethernet0/0 manage telnet
184:set interface ethernet0/0 manage snmp
185:set interface ethernet0/0 manage ssl  -> SSL/Certificates must be manually installed and configured
186:set interface ethernet0/0 manage web
187:unset interface ethernet0/0 manage ident-reset
188:set interface ethernet0/0 g-arp  -> Line not recognized by S2J
189:set interface ethernet0/1 manage ping
190:unset interface ethernet0/1 manage ssh
191:unset interface ethernet0/1 manage telnet
192:set interface ethernet0/1 manage snmp
193:unset interface ethernet0/1 manage ssl  -> SSL/Certificates must be manually installed and configured
194:set interface ethernet0/1 manage web
195:unset interface ethernet0/1 manage ident-reset
196:set interface ethernet0/1 g-arp  -> Line not recognized by S2J
197:set interface ethernet0/2 manage ping
198:unset interface ethernet0/2 manage ssh
199:set interface ethernet0/2 manage telnet
200:set interface ethernet0/2 manage snmp
201:unset interface ethernet0/2 manage ssl  -> SSL/Certificates must be manually installed and configured
202:set interface ethernet0/2 manage web
203:unset interface ethernet0/2 manage ident-reset
204:set interface ethernet0/2 g-arp  -> Line not recognized by S2J
205:set interface ethernet0/3 manage ping
206:unset interface ethernet0/3 manage ssh
207:set interface ethernet0/3 manage telnet
208:set interface ethernet0/3 manage snmp
209:unset interface ethernet0/3 manage ssl  -> SSL/Certificates must be manually installed and configured
210:set interface ethernet0/3 manage web
211:unset interface ethernet0/3 manage ident-reset
212:set interface ethernet0/3 g-arp  -> Line not recognized by S2J
213:set interface ethernet0/4 manage ping
214:unset interface ethernet0/4 manage ssh
215:set interface ethernet0/4 manage telnet
216:set interface ethernet0/4 manage snmp
217:unset interface ethernet0/4 manage ssl  -> SSL/Certificates must be manually installed and configured
218:unset interface ethernet0/4 manage web
219:unset interface ethernet0/4 manage ident-reset
220:set interface ethernet0/4 g-arp  -> Line not recognized by S2J
221:set interface ethernet0/6 manage ping
222:set interface ethernet0/6 manage ssh
223:set interface ethernet0/6 manage telnet
224:set interface ethernet0/6 manage snmp
225:unset interface ethernet0/6 manage ssl  -> SSL/Certificates must be manually installed and configured
226:set interface ethernet0/6 manage web
227:unset interface ethernet0/6 manage ident-reset
228:set interface ethernet0/6 g-arp  -> Line not recognized by S2J
229:set interface ethernet0/8 manage ping
230:set interface ethernet0/8 manage ssh
231:set interface ethernet0/8 manage telnet
232:set interface ethernet0/8 manage snmp
233:unset interface ethernet0/8 manage ssl  -> SSL/Certificates must be manually installed and configured
234:set interface ethernet0/8 manage web
235:unset interface ethernet0/8 manage ident-reset
236:set interface ethernet0/8 g-arp  -> Line not recognized by S2J
237:set interface ethernet0/9 manage ping
238:unset interface ethernet0/9 manage ssh
239:set interface ethernet0/9 manage telnet
240:set interface ethernet0/9 manage snmp
241:unset interface ethernet0/9 manage ssl  -> SSL/Certificates must be manually installed and configured
242:set interface ethernet0/9 manage web
243:unset interface ethernet0/9 manage ident-reset
244:set interface ethernet0/9 g-arp  -> Line not recognized by S2J
245:set interface vlan1 manage ping  -> This is not supported by Junos
246:set interface vlan1 manage ssh  -> This is not supported by Junos
247:set interface vlan1 manage telnet  -> This is not supported by Junos
248:set interface vlan1 manage snmp  -> This is not supported by Junos
249:set interface vlan1 manage ssl  -> This is not supported by Junos
250:set interface vlan1 manage web  -> This is not supported by Junos
251:unset interface vlan1 manage ident-reset  -> Line not recognized by S2J
252:unset interface vlan1 g-arp  -> Line not recognized by S2J
253:set zone V1-Trust manage ping  -> Line not recognized by S2J
254:set zone V1-Trust manage ssh  -> Line not recognized by S2J
255:set zone V1-Trust manage telnet  -> Line not recognized by S2J
256:set zone V1-Trust manage snmp  -> Line not recognized by S2J
257:set zone V1-Trust manage ssl  -> Line not recognized by S2J
258:set zone V1-Trust manage web  -> Line not recognized by S2J
259:unset zone V1-Trust manage ident-reset  -> Line not recognized by S2J
260:set zone V1-Trust g-arp  -> Line not recognized by S2J
261:unset zone V1-Untrust manage ping  -> Line not recognized by S2J
262:unset zone V1-Untrust manage ssh  -> Line not recognized by S2J
263:unset zone V1-Untrust manage telnet  -> Line not recognized by S2J
264:unset zone V1-Untrust manage snmp  -> Line not recognized by S2J
265:unset zone V1-Untrust manage ssl  -> Line not recognized by S2J
266:unset zone V1-Untrust manage web  -> Line not recognized by S2J
267:unset zone V1-Untrust manage ident-reset  -> Line not recognized by S2J
268:set zone V1-Untrust g-arp  -> Line not recognized by S2J
269:set zone V1-DMZ manage ping  -> Line not recognized by S2J
270:unset zone V1-DMZ manage ssh  -> Line not recognized by S2J
271:unset zone V1-DMZ manage telnet  -> Line not recognized by S2J
272:unset zone V1-DMZ manage snmp  -> Line not recognized by S2J
273:unset zone V1-DMZ manage ssl  -> Line not recognized by S2J
274:unset zone V1-DMZ manage web  -> Line not recognized by S2J
275:unset zone V1-DMZ manage ident-reset  -> Line not recognized by S2J
276:set zone V1-DMZ g-arp  -> Line not recognized by S2J
277:unset zone V1-Null manage ping  -> Line not recognized by S2J
278:unset zone V1-Null manage ssh  -> Line not recognized by S2J
279:unset zone V1-Null manage telnet  -> Line not recognized by S2J
280:unset zone V1-Null manage snmp  -> Line not recognized by S2J
281:unset zone V1-Null manage ssl  -> Line not recognized by S2J
282:unset zone V1-Null manage web  -> Line not recognized by S2J
283:unset zone V1-Null manage ident-reset  -> Line not recognized by S2J
284:set zone V1-Null g-arp  -> Line not recognized by S2J
285:set interface ethernet0/4 dhcp server service
286:set interface ethernet0/6 dhcp server service
287:set interface ethernet0/4 dhcp server enable
288:set interface ethernet0/6 dhcp server enable
289:set interface ethernet0/4 dhcp server option lease 1440000
290:set interface ethernet0/4 dhcp server option gateway 192.168.3.254
291:set interface ethernet0/4 dhcp server option netmask 255.255.255.0
292:set interface ethernet0/4 dhcp server option dns1 8.8.8.8
293:set interface ethernet0/4 dhcp server option dns2 8.8.4.4
294:set interface ethernet0/4 dhcp server option dns3 4.2.2.2
295:set interface ethernet0/6 dhcp server option lease 1440000
296:set interface ethernet0/6 dhcp server option gateway 192.168.6.254
297:set interface ethernet0/6 dhcp server option netmask 255.255.255.0
298:set interface ethernet0/6 dhcp server option dns1 8.8.8.8
299:set interface ethernet0/6 dhcp server option wins1 8.8.4.4
300:set interface ethernet0/4 dhcp server ip 192.168.3.100 to 192.168.3.110
301:set interface ethernet0/6 dhcp server ip 192.168.6.100 to 192.168.6.229
302:unset interface ethernet0/4 dhcp server config next-server-ip  -> Line not recognized by S2J
303:unset interface ethernet0/6 dhcp server config next-server-ip  -> Line not recognized by S2J
310:set interface "ethernet0/9" mip x.x.x.x host 192.168.1.17 netmask 255.255.255.255 vr "trust-vr"  -> Corresponding policy statement not found for MIP. No rule-set created
314:unset flow no-tcp-seq-check  -> TCP No Seq Check is disabled by default
315:set flow tcp-syn-check  -> TCP Syn Check is on by default
316:unset flow tcp-syn-bit-check  -> Line not recognized by S2J
317:set flow reverse-route clear-text prefer  -> Line not recognized by S2J
318:set flow reverse-route tunnel always  -> Line not recognized by S2J
319:set console page 0  -> This Command is Operational Command in JUNOS
320:set hostname ssg140
321:set pki authority default scep mode "auto"  -> This is not supported by S2J yet
322:set pki x509 default cert-path partial  -> Line not yet supported by S2J
323:set dns host dns1 9.9.9.9 src-interface ethernet0/9
324:set dns host dns2 208.67.222.222 src-interface ethernet0/9
325:set dns host dns3 8.8.8.8 src-interface ethernet0/9
326:set dns host schedule 06:28  -> Cache Refresh is not tunable. The cache refresh is scheduled once per day.
334:set address "Trust" "192.168.1.170 /24" 192.168.1.170 255.255.255.0 "Video Conferencing System"  -> Invalid IP Address. Not accepted in Junos. Host IP should have /32 or 255.255.255.255 as mask.
356:set address "Untrust" "18.72.0.3 /16" 18.72.0.3 255.255.0.0 "bitsy.mit.edu (time server)"  -> Invalid IP Address. Not accepted in Junos. Host IP should have /32 or 255.255.255.255 as mask.
361:set address "Untrust" "192.168.55.0 /24" 192.168.55.0 255.255.255.0 "Remote 1385 Cambridge"  -> Route interface cannot be null. Please define the interface.
362:set address "Untrust" "192.43.244.18 /16" 192.43.244.18 255.255.0.0 "time.nist.gov"  -> Invalid IP Address. Not accepted in Junos. Host IP should have /32 or 255.255.255.255 as mask.
363:set address "Untrust" "192.5.41.41 /24" 192.5.41.41 255.255.255.0 "tock.usno.navy.mil"  -> Invalid IP Address. Not accepted in Junos. Host IP should have /32 or 255.255.255.255 as mask.
427:set group address "Untrust" "Time Servers"
428:set group address "Untrust" "Time Servers" add "18.72.0.3 /16"  -> Member Definition for "18.72.0.3 /16" is missing or the member is not being converted.
429:set group address "Untrust" "Time Servers" add "192.43.244.18 /16"  -> Member Definition for "192.43.244.18 /16" is missing or the member is not being converted.
430:set group address "Untrust" "Time Servers" add "192.5.41.41 /24"  -> Member Definition for "192.5.41.41 /24" is missing or the member is not being converted.
431:set group address "DMZ" "DMZ Servers"
432:set group address "DMZ" "DMZ Servers" add "192.168.2.25"
433:set group service "Allowed Services" comment "Ports open to PCA"  -> Application(s) in the group is/are not defined in config or did not convert.
434:set group service "Allowed Services" add "AOL"  -> Application(s) in the group is/are not defined in config or did not convert.
435:set group service "Allowed Services" add "Apple iCloud"  -> Application(s) in the group is/are not defined in config or did not convert.
436:set group service "Allowed Services" add "BlueBeam Studio"  -> Application(s) in the group is/are not defined in config or did not convert.
437:set group service "Allowed Services" add "CityofBostonStreaming"  -> Application(s) in the group is/are not defined in config or did not convert.
438:set group service "Allowed Services" add "DNS"  -> Application(s) in the group is/are not defined in config or did not convert.
439:set group service "Allowed Services" add "FTP"  -> Application(s) in the group is/are not defined in config or did not convert.
440:set group service "Allowed Services" add "Gaijin"  -> Application(s) in the group is/are not defined in config or did not convert.
441:set group service "Allowed Services" add "Gmail IMAP"  -> Application(s) in the group is/are not defined in config or did not convert.
442:set group service "Allowed Services" add "Gmail POP3"  -> Application(s) in the group is/are not defined in config or did not convert.
443:set group service "Allowed Services" add "Gmail SMTP"  -> Application(s) in the group is/are not defined in config or did not convert.
444:set group service "Allowed Services" add "HTTP"  -> Application(s) in the group is/are not defined in config or did not convert.
445:set group service "Allowed Services" add "HTTPS"  -> Application(s) in the group is/are not defined in config or did not convert.
446:set group service "Allowed Services" add "IM"  -> Application(s) in the group is/are not defined in config or did not convert.
447:set group service "Allowed Services" add "IMAP"  -> Application(s) in the group is/are not defined in config or did not convert.
448:set group service "Allowed Services" add "MAIL"  -> Application(s) in the group is/are not defined in config or did not convert.
449:set group service "Allowed Services" add "Masonry iQ"  -> Application(s) in the group is/are not defined in config or did not convert.
450:set group service "Allowed Services" add "MSN"  -> Application(s) in the group is/are not defined in config or did not convert.
451:set group service "Allowed Services" add "NetMeeting"  -> Application(s) in the group is/are not defined in config or did not convert.
452:set group service "Allowed Services" add "NTP"  -> Application(s) in the group is/are not defined in config or did not convert.
453:set group service "Allowed Services" add "PING"  -> Application(s) in the group is/are not defined in config or did not convert.
454:set group service "Allowed Services" add "POP3"  -> Application(s) in the group is/are not defined in config or did not convert.
455:set group service "Allowed Services" add "PPTP"  -> Application(s) in the group is/are not defined in config or did not convert.
456:set group service "Allowed Services" add "PrintRipper Activation"  -> Application(s) in the group is/are not defined in config or did not convert.
457:set group service "Allowed Services" add "pushy.me"  -> Application(s) in the group is/are not defined in config or did not convert.
458:set group service "Allowed Services" add "SFTP"  -> Application(s) in the group is/are not defined in config or did not convert.
459:set group service "Allowed Services" add "SketchUp"  -> Application(s) in the group is/are not defined in config or did not convert.
460:set group service "Allowed Services" add "SQL Database Engine"  -> Application(s) in the group is/are not defined in config or did not convert.
461:set group service "Allowed Services" add "SSH"  -> Application(s) in the group is/are not defined in config or did not convert.
462:set group service "Allowed Services" add "Streamer"  -> Application(s) in the group is/are not defined in config or did not convert.
463:set group service "Allowed Services" add "TELNET"  -> Application(s) in the group is/are not defined in config or did not convert.
464:set group service "Allowed Services" add "UDP-ANY"  -> Application(s) in the group is/are not defined in config or did not convert.
465:set group service "Allowed Services" add "WINFRAME"  -> Application(s) in the group is/are not defined in config or did not convert.
485:set group service "Mail Server" add "Time Servers"
486:set group service "Restricted Services" comment "Ports restricted from PCA"  -> Application(s) in the group is/are not defined in config or did not convert.
487:set group service "Restricted Services" add "AOL"  -> Application(s) in the group is/are not defined in config or did not convert.
488:set group service "Restricted Services" add "IRC"  -> Application(s) in the group is/are not defined in config or did not convert.
489:set group service "Restricted Services" add "MAIL"  -> Application(s) in the group is/are not defined in config or did not convert.
490:set group service "Restricted Services" add "NetMeeting"  -> Application(s) in the group is/are not defined in config or did not convert.
491:set group service "Restricted Services" add "PC-Anywhere"  -> Application(s) in the group is/are not defined in config or did not convert.
492:set group service "Restricted Services" add "POP3"  -> Application(s) in the group is/are not defined in config or did not convert.
493:set group service "Restricted Services" add "Real Media"  -> Application(s) in the group is/are not defined in config or did not convert.
494:set group service "Restricted Services" add "TALK"  -> Application(s) in the group is/are not defined in config or did not convert.
495:set group service "SMTP-Full"
496:set group service "SMTP-Full" add "SMTP"
497:set group service "SMTP-Full" add "SMTP2"
498:set user "Administrator" uid 1
499:set user "Administrator" ike-id u-fqdn "administrator@.com" share-limit 1
500:set user "Administrator" type ike  -> This is not supported in JUNOS
501:set user "Administrator" "enable"
502:set user-group "VPN Client Members" id 1
503:set user-group "VPN Client Members" user "Administrator"
504:set crypto-policy  -> Line not recognized by S2J
505:exit
506:set ike gateway "Remote P1385" address 75.147.54.82 Main outgoing-interface "ethernet0/9" preshare "/7b1CNK3N5aTItsVVECqjW/CQnniw5j0Vw==" sec-level compatible
507:set ike gateway "Remote P1385" nat-traversal  -> NAT-T is enabled by default
508:unset ike gateway "Remote P1385" nat-traversal udp-checksum
509:set ike gateway "Remote P1385" nat-traversal keepalive-frequency 0  -> Keep Alive Secounds should be between 0-300
510:set ike gateway "Remote PjsC" address 0.0.0.0 id "remotepjsc@.com" Aggr outgoing-interface "ethernet0/9" preshare "cWH/vA+zNZi17WsjncCGPi2wlan5Imj4jw==" proposal "pre-g2-des-md5"
511:set ike gateway "Remote PjsC" cert peer-ca all
512:set ike gateway "Remote PjsC" nat-traversal udp-checksum  -> NAT-T is enabled by default
513:set ike gateway "Remote PjsC" nat-traversal keepalive-frequency 5
514:set ike respond-bad-spi 1
515:set ike ikev2 ike-sa-soft-lifetime 60  -> Line not recognized by S2J
516:unset ike ikeid-enumeration  -> Line not recognized by S2J
517:unset ike dos-protection  -> Line not recognized by S2J
518:unset ipsec access-session enable  -> Line not recognized by S2J
519:set ipsec access-session maximum 5000  -> Line not recognized by S2J
520:set ipsec access-session upper-threshold 0  -> Line not recognized by S2J
521:set ipsec access-session lower-threshold 0  -> Line not recognized by S2J
522:set ipsec access-session dead-p2-sa-timeout 0  -> Line not recognized by S2J
523:unset ipsec access-session log-error  -> Line not recognized by S2J
524:unset ipsec access-session info-exch-connected  -> Line not recognized by S2J
525:unset ipsec access-session use-error-log  -> Line not recognized by S2J
526:set vpn "Remote P1385 VPN" gateway "Remote P1385" no-replay tunnel idletime 0 sec-level compatible
527:set vpn "Remote P1385 VPN" monitor optimized rekey
528:set vpn "Remote P1385 VPN" id 0xa bind interface tunnel.1  -> Interface not found or User did not choose to convert this interface
529:set vpn "Remote PjsC VPN" gateway "Remote PjsC" replay tunnel idletime 0 proposal "g2-esp-des-md5"
530:set url protocol websense  -> Line not recognized by S2J
531:exit
532:set vpn "Remote P1385 VPN" proxy-id check  -> Line not recognized by S2J
533:set vpn "Remote P1385 VPN" proxy-id local-ip 192.168.1.0/24 remote-ip 192.168.55.0/24 "ANY"
534:set vpn "Remote P1385 VPN" proxy-id local-ip 192.168.4.0/24 remote-ip 192.168.55.0/24 "ANY"
535:set vpn "Remote P1385 VPN" proxy-id local-ip 192.168.0.0/16 remote-ip 192.168.55.0/24 "ANY"
536:set vpn "Remote PjsC VPN" proxy-id local-ip 192.168.0.0/16 remote-ip 192.168.50.0/24 "ANY"
537:set policy id 66 name "TEMP EARTH BLOCK" from "Trust" to "Untrust"  "Email Servers" "Any" "ANY" deny
538:set policy id 66
539:exit
540:set policy id 56 name "Tunnel - JSC" from "Trust" to "Untrust"  "192.168.0.0 /16" "192.168.50.0 /24" "ANY" tunnel vpn "Remote PjsC VPN" id 0xb pair-policy 58 log
541:set policy id 56
542:exit
543:set policy id 35 name "vpn_with_srx" from "Trust" to "Untrust"  "192.168.0.0 /16" "192.168.55.0 /24" "ANY" permit log
544:set policy id 35
545:set log session-init  -> Line not recognized by S2J
546:exit
547:set policy id 55 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
548:set policy id 55 disable
549:set policy id 55
550:exit
551:set policy id 67 name "HTTPS" from "Trust" to "Untrust"  "Any" "Any" "HTTPS" permit log
552:set policy id 67 disable
553:set policy id 67
554:set log session-init  -> Line not recognized by S2J
555:exit
556:set policy id 9 from "Trust" to "Untrust"  "192.168.0.0 /16" "Any" "Allowed Services" permit log  -> Application Group has application(s) that is/are not supported in JUNOS
557:set policy id 9  -> Missing Policy data Or Policy has an error and not being converted.
558:exit
559:set policy id 29 name "FTP" from "Trust" to "Untrust"  "192.168.0.0 /16" "MIP()" "ANY" permit
560:set policy id 29
561:exit
562:set policy id 64 name "JoinMe VOIP" from "Trust" to "Untrust"  "Any" "JoinMe VOIP" "JoinMe" permit
563:set policy id 64
564:exit
565:set policy id 1 name "Domain Controllers" from "Trust" to "Untrust"  "Domain Controllers" "Time Servers" "NetTime" permit log
566:set policy id 1
567:exit
568:set policy id 65 from "Trust" to "Untrust"  "192.168.1.14 /32" "Any" "SMTP-Full" permit
569:set policy id 65
570:set src-address "192.168.1.15 /32"
571:set src-address "192.168.1.18 /32"
572:set src-address "192.168.1.19 /32"
573:set src-address "192.168.1.23 /32"
574:set src-address "192.168.1.26 /32"
575:set src-address "Copiers"
576:exit
577:set policy id 7 name "IT Admin Workstations" from "Trust" to "Untrust"  "IT Admin Workstations" "Any" "ANY" permit log
578:set policy id 7
579:exit
580:set policy id 58 name "Tunnel - JSC" from "Untrust" to "Trust"  "192.168.50.0 /24" "192.168.0.0 /16" "ANY" tunnel vpn "Remote PjsC VPN" id 0xb pair-policy 56 log
581:set policy id 58
582:exit
583:set policy id 36 from "Untrust" to "Trust"  "192.168.55.0 /24" "192.168.0.0 /16" "ANY" permit log
584:set policy id 36
585:set log session-init
Line not recognized by S2J
586:exit
655:set policy id 69 name "TEMP-TITAN" from "DMZ" to "Trust"  "192.168.2.12 /32" "Any" "ANY" permit
656:set policy id 69 disable
657:set policy id 69
658:exit
659:set policy id 70 from "Untrust" to "DMZ"  "Any" "MIP()" "HTTP" permit
660:set policy id 70
661:set service "HTTPS"
662:set service "PING"
663:exit
664:set policy id 71 from "DMZ" to "Untrust"  "192.168.2.12 /32" "Any" "Allowed Services" permit
Application Group has application(s) that is/are not supported in JUNOS
665:set policy id 71
Missing Policy data Or Policy has an error and not being converted.
666:set service "Bitdefender BEST"
Missing Policy data Or Policy has an error and not being converted.
667:exit
668:set policy id 72 from "Untrust" to "Trust"  "Any" "MIP(50.204.118.199)" "HTTP" permit
669:set policy id 72
670:set service "HTTPS"
671:set service "FTP Server"
672:exit
673:set policy id 73 from "Trust" to "ServProc"  "Any" "Any" "HTTP" permit
674:set policy id 73
675:set service "HTTPS"
676:set service "PING"
677:set service "SSH"
678:exit
679:set policy id 74 from "ServProc" to "Untrust"  "Any" "Any" "HTTP" permit
680:set policy id 74 disable
681:set policy id 74
682:set service "HTTPS"
683:set service "PING"
684:set service "SMTP"
685:set service "SSH"
686:exit
687:set policy id 75 from "ServProc" to "Untrust"  "Any" "Any" "ANY" permit
688:set policy id 75
689:exit
690:set policy id 76 from "Untrust" to "ServProc"  "Any" "Any" "ANY" permit
691:set policy id 76
692:exit
693:set policy id 78 from "Trust" to "Voice"  "Any" "Any" "Call Manager" permit
694:set policy id 78
695:set service "HTTP"
696:set service "HTTPS"
697:set service "PING"
698:set service "VNC"
699:exit
700:set policy id 80 from "Voice" to "Untrust"  "Any" "Any" "ANY" nat src permit log
701:set policy id 80
702:set log session-init
Line not recognized by S2J
703:exit
704:set policy id 79 from "Voice" to "Untrust"  "Any" "Any" "PING" nat src permit log
705:set policy id 79 disable
706:set policy id 79
707:set service "SMTP-Full"
708:exit
709:set syslog config "192.168.1.17"
710:set syslog config "192.168.1.17" facilities local0 local0
711:set syslog config "192.168.1.17" log traffic
This is no distinction between traffic and event log in JUNOS
712:set syslog src-interface ethernet0/8
713:set webtrends config "192.168.1.17"
Line not recognized by S2J
714:set webtrends enable
715:set nsmgmt bulkcli reboot-timeout 60
This can't be translated as it requires changes in NSM database. NSM will make all necessary configuation changes when you add SRX device to NSM.
716:set ssh version v2
717:set ssh enable
718:set config lock timeout 5
Line not recognized by S2J
719:unset license-key auto-update
Line not recognized by S2J
720:set telnet client enable
Line not recognized by S2J
721:set ntp server "time.nist.gov"
722:set ntp server src-interface "ethernet0/2"
Line not yet supported by S2J
723:set ntp interval 60
Line not yet supported by S2J
724:set ntp max-adjustment 300
Line not yet supported by S2J
725:set snmp community "PRTG" Read-Write Trap-on traffic version v1
726:set snmp community "LPI" Read-Write Trap-on traffic version v1
727:set snmp host "LPI" 192.168.1.6/32  trap v1
Line not recognized by S2J
728:set snmp host "PRTG" 192.168.1.16/32  trap v1
Line not recognized by S2J
729:set snmp host "PRTG" 192.168.1.33/32  trap v1
Line not recognized by S2J
730:set snmp host "PRTG" 192.168.1.17/32  trap v1
Line not recognized by S2J
731:set snmp port listen 161
There is no equivalent in JUNOS
732:set snmp port trap 162
733:set snmpv3 local-engine id "0185042010000620"
Line not recognized by S2J
734:set vrouter "untrust-vr"
735:exit
736:set vrouter "trust-vr"
737:unset add-default-route
Line not recognized by S2J
738:set route 0.0.0.0/0 interface ethernet0/2 gateway x.x.x.x preference 20
739:set route 0.0.0.0/0 interface ethernet0/3 gateway x.x.x.x preference 20
740:set route 0.0.0.0/0 interface ethernet0/9 gateway x.x.x.x preference 10
741:set route 192.168.55.0/24 interface tunnel.1
Cannot determine next-hop.
742:exit
743:set vrouter "untrust-vr"
744:exit
745:set vrouter "trust-vr"
746:exit

Device Cannot Connect (SRX300)

Dear All,

I had upgraded my SRX300 Junos from the hardware default version to the 15.1X49-D160 version.

It worked after updating; however, after I reset the hardware to manufacturing default, the hardware cannot be connected anymore.

In the web browser, after entering "https://192.168.1.1/", the browser changed to "Juniper Phone Home Client" with a "Device Cannot Connect" error message.

I have tried the skip to J-Web option, and the J-Web login screen comes up and asks me to input the user name and password.

However, whatever I type, username "root" (by default without a password) or my previous username and password, no combination gets me to the management console menu.

Please help with this: how can I get into the Setup Wizard to re-configure the SRX300 hardware again?


Thank you so much.

DHCP server/relay/bootp relay not working with some devices


I am pulling my hair out on this problem because it seems that a lot of people have had this issue, but none of the solutions have worked for me. I've got an SRX100H2 on 12.3X48-D65.1 and running dhcp-local-server. Some clients are getting IP addresses, but some are just stuck in SELECTING. I've narrowed this down to mostly iPhones, but it does affect other devices. I've tried setting the hidden command 'no-unicast-replies', but this does not help. I've tried configuring dhcp-relay and bootp helper mode to relay to a remote DHCP server and nothing seems to work.

#show system services dhcp-local-server 
group vl13 {
    interface vlan.0;
}

#show access 
address-assignment {
    pool vl13-dhcp {
        family inet {
            network 172.21.1.0/24;
            range r1 {
                low 172.21.1.32;
                high 172.21.1.254;
            }
            dhcp-attributes {
                maximum-lease-time 86400;
                server-identifier 172.21.1.1;
                domain-name domain.com;
                name-server {
                    x.x.x.x;
                    x.x.x.x;
                }
                router {
                    172.21.1.1;
                }
            }
        }
    }
}

#show security zones security-zone trust 
host-inbound-traffic {
    system-services {
        bootp;
        dhcp;
        ping;
        traceroute;
        ntp;
        snmp;
    }
}
interfaces {
    vlan.0;
    lo0.0;
}
# run show dhcp server binding 

IP address        Session Id  Hardware address   Expires     State      Interface
172.21.1.44       1664        30:6a:85:7c:7e:9a  10757       BOUND      vlan.0              
172.21.1.42       1662        78:8a:20:08:e0:90  10590       BOUND      vlan.0              
172.21.1.35       1655        a0:c9:a0:c7:a1:71  10003       BOUND      vlan.0              
172.21.1.43       1663        d0:df:9a:ef:3b:e3  10595       SELECTING  vlan.0              
172.21.1.34       1654        e4:e1:30:c5:35:c3  9924        BOUND      vlan.0              
172.21.1.41       1661        f8:95:ea:71:5a:07  10529       SELECTING  vlan.0              

Dyn VPN with LDAP authentication


Hi all,

I have an SRX240 device with dyn VPN configured on it. It works fine, but I want to set up LDAP authentication for dyn VPN users. I am using the default 2 licences for this. However, after I applied the configuration, I can see the config in the J-Web UI, but when I click on it I get the following error message. Is this because of using the default licence, or am I missing something?

Screen Shot 2019-02-11 at 12.22.49.png

set access profile ldap-usr-profile authentication-order ldap
set access profile ldap-usr-profile address-assignment pool engpool
set access profile ldap-usr-profile ldap-options base-distinguished-name OU=Users,DC=company,DC=com
set access profile ldap-usr-profile ldap-options search search-filter sAMAccountName=
set access profile ldap-usr-profile ldap-options search admin-search distinguished-name "CN=LDAP Connector,OU=SysAdmins,OU=Users,DC=company,DC=com"
set access profile ldap-usr-profile ldap-options search admin-search password "password"
set access profile ldap-usr-profile ldap-server 192.168.10.215 port 389
set access address-assignment pool engpool family inet network 192.168.200.0/24
set access address-assignment pool engpool family inet range range1 low 192.168.200.40
set access address-assignment pool engpool family inet range range1 high 192.168.200.100
set access address-assignment pool engpool family inet xauth-attributes primary-dns 8.8.8.8/32
set access address-assignment pool engpool family inet xauth-attributes secondary-dns 4.3.2.1/32
set access firewall-authentication web-authentication default-profile ldap-usr-profile

Thanks

srx using apbr filter https traffic


hi all

I have one SRX300; the version is 18.3R1.9.

I want to do one thing: when a client accesses YouTube (e.g. https://www.youtube.com), it should use ISP B.

Here is my config, but it is not working; I need help.

root# run show system license

anti_spam_key_sbl
idp-sig
dynamic-vpn
av_key_sophos_engine
logical-system
wf_key_websense_ewf
remote-access-ipsec-vpn-client

// routing-instance k is a fake instance; if it matches, I want the traffic to be dropped

set security advance-policy-based-routing profile p1 rule r1 match category bad
set security advance-policy-based-routing profile p1 rule r1 then routing-instance k
set security advance-policy-based-routing profile p2 rule r2 match category Enhanced_Social_Web_Youtube
set security advance-policy-based-routing profile p2 rule r2 match category Enhanced_Social_Web_Facebook
set security advance-policy-based-routing profile p2 rule r2 then routing-instance k

set security zones security-zone test advance-policy-based-routing-profile p2

set security utm utm-policy mypolicy web-filtering http-profile my_ewfprofile01

set security utm custom-objects url-pattern block value www.youtube.com
set security utm custom-objects url-pattern block value www.facebook.com

set security utm custom-objects custom-url-category bad value block


set security utm feature-profile web-filtering juniper-enhanced profile my_ewfprofile01 category bad action block
set security utm feature-profile web-filtering juniper-enhanced profile my_ewfprofile01 category Enhanced_Social_Web_Youtube action block
set security utm feature-profile web-filtering juniper-enhanced profile my_ewfprofile01 site-reputation-action very-safe log-and-permit
set security utm feature-profile web-filtering juniper-enhanced profile my_ewfprofile01 site-reputation-action moderately-safe log-and-permit
set security utm feature-profile web-filtering juniper-enhanced profile my_ewfprofile01 site-reputation-action fairly-safe log-and-permit
set security utm feature-profile web-filtering juniper-enhanced profile my_ewfprofile01 site-reputation-action suspicious log-and-permit
set security utm feature-profile web-filtering juniper-enhanced profile my_ewfprofile01 site-reputation-action harmful log-and-permit
set security utm feature-profile web-filtering juniper-enhanced profile my_ewfprofile01 default log-and-permit
set security utm feature-profile web-filtering juniper-enhanced profile my_ewfprofile01 fallback-settings default log-and-permit
set security utm feature-profile web-filtering juniper-enhanced profile my_ewfprofile01 fallback-settings server-connectivity log-and-permit
set security utm feature-profile web-filtering juniper-enhanced profile my_ewfprofile01 fallback-settings timeout log-and-permit
set security utm feature-profile web-filtering juniper-enhanced profile my_ewfprofile01 fallback-settings too-many-requests log-and-permit


set security policies from-zone test to-zone mgt policy aaa match source-address any
set security policies from-zone test to-zone mgt policy aaa match destination-address any
set security policies from-zone test to-zone mgt policy aaa match application any
set security policies from-zone test to-zone mgt policy aaa then permit application-services utm-policy mypolicy

In this situation, when a user types https://www.youtube.com it times out, which is not what I expected. Is there someone who can help me? Thanks~

Service available outside (SRX Juniper Device)


Dear all,

Before I start my explanation, here is some information:

- My external IP is 187.72.138.193

- My internal network goes under 10.196.X.X

- I am using a Juniper SRX220

Now my question is about accessing a service I run at http://10.196.24.178:8086 (internal network) from outside.

As you will see below, I already have other services reachable from outside, but I do not know how to configure this one, considering I am pretty new to SRX devices.

My point is that if someone from anywhere in the world types 187.72.138.193:8086 in a browser, it should be redirected to my internal network and show the content of the service running on 10.196.24.178:8086.

If possible, please tell me the commands I have to run in order to make it available from outside.

- Below is my current configuration

system {
    host-name d_a12312;
    time-zone UTC;
    authentication-order password;
    root-authentication {
        encrypted-password "$1$n8cjdRa21dacqMR71050";
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    login {
        user admin {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$1$voasd21249z12FAG.";
            }
        }
    }
    services {
        ssh;
        telnet;
        xnm-clear-text;
        web-management {
            management-url admin;
            http {
                port 8081;
            }
            https {
                system-generated-certificate;
            }
        }
        dhcp {
            maximum-lease-time 28800;
            default-lease-time 28800;
            name-server {
                10.196.24.31;
            }
            router {
                10.196.24.1;
                10.196.25.1;
            }
            pool 10.196.24.0/24 {
                address-range low 10.196.24.51 high 10.196.24.210;
                exclude-address {
                    10.196.24.177;
                    10.196.24.178;
                    10.196.24.74;
                }
            }
            pool 10.196.25.0/24 {
                address-range low 10.196.25.100 high 10.196.25.200;
                exclude-address {
                    10.196.25.129;
                    10.196.25.126;
                }
            }
            propagate-settings ge-0/0/0.0;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    inactive: ntp {
        server 200.160.7.186 prefer;
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 187.72.138.193/28;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.196.25.1/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-1/0/0 {
        description "##Backbone##";
        gigether-options {
            auto-negotiation;
        }
        unit 0 {
            description "##Backbone##";
            family inet {
                address 10.196.24.1/24 {
                    primary;
                }
            }
        }
    }
    st0 {
        unit 0 {
            family inet;
            family inet6;
        }
    }
    vlan {
        unit 0;
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 187.72.138.206;
        route 10.0.0.0/8 next-hop st0.0;
        route 58.87.44.105/32 next-hop st0.0;
        route 58.87.44.106/32 next-hop st0.0;
        route 58.87.44.107/32 next-hop st0.0;
        route 58.87.44.93/32 next-hop st0.0;
    }
}
protocols {
    stp;
}
security {
    ike {
        proposal pre-g2-3des-sha {
            authentication-method pre-shared-keys;
            dh-group group2;
            authentication-algorithm sha1;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 28800;
        }
        policy Rotem {
            mode aggressive;
            proposals pre-g2-3des-sha;
            pre-shared-key ascii-text "$9$kmQasdsamz6ApB";
        }
        gateway Rotem {
            ike-policy Rotem;
            address 58.87.57.67;
            local-identity hostname r12a;
            external-interface ge-0/0/0;
        }
    }
    ipsec {
        proposal esp-3des-sha {
            protocol esp;
            authentication-algorithm hmac-sha1-96;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 3600;
        }
        policy Rotem {
            proposals esp-3des-sha;
        }
        vpn Rotem {
            bind-interface st0.0;
            ike {
                gateway Rotem;
                no-anti-replay;
                ipsec-policy Rotem;
            }
            establish-tunnels immediately;
        }
    }
    utm {
        feature-profile {
            web-filtering {
                type surf-control-integrated;
                surf-control-integrated {
                    server;
                }
            }
        }
    }
    flow {
        inactive: traceoptions {
            file webtest;
            flag basic-datapath;
            packet-filter 1-server {
                destination-prefix 10.196.24.31/32;
                destination-port 80;
            }
            packet-filter 2-server-out {
                source-prefix 10.16.24.31/32;
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set DMZ-TO-INTERNET {
                from zone DMZ-trust;
                to zone untrust;
                rule DMZ-TO-INTERNET {
                    match {
                        source-address 10.196.24.31/24;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool dnat_10_196_24_31m24 {
                address 10.196.24.31/32 port 80;
            }
            pool Webserver1 {
                address 10.196.24.31/32 port 8080;
            }
            pool Webserver2 {
                address 10.196.24.31/32 port 80;
            }
            inactive: rule-set DEST-NAT {
                from zone untrust;
                rule WEB-SERVER-TCP-80 {
                    match {
                        destination-address 187.72.138.193/32;
                        destination-port 8080;
                    }
                    then {
                        destination-nat pool dnat_10_196_24_31m24;
                    }
                }
            }
            rule-set Webserver1 {
                from zone untrust;
                rule Web1 {
                    match {
                        destination-address 187.72.138.193/32;
                        destination-port 8080;
                    }
                    then {
                        destination-nat pool Webserver1;
                    }
                }
                rule HR {
                    match {
                        destination-address 187.72.138.193/32;
                        destination-port 80;
                    }
                    then {
                        destination-nat pool Webserver2;
                    }
                }
            }
        }
        proxy-arp {
            interface ge-0/0/0.0 {
                address {
                    187.72.138.194/32 to 187.72.138.204/32;
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy catia-alc-license {
                description catia-alc-license;
                match {
                    source-address trust;
                    destination-address [ catia catia2 catia3 ];
                    application any;
                }
                then {
                    deny;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy RotemVPN {
                match {
                    source-address 10.0.0.0/8;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
            policy Allow-Webserver1 {
                match {
                    source-address any;
                    destination-address Webserver1;
                    application [ HTTP junos-http HR ];
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone DMZ-trust {
            policy INTERNET-TO-DMZ {
                match {
                    source-address any;
                    destination-address WebServer;
                    application [ HTTP junos-http ];
                }
                then {
                    permit {
                        destination-address;
                    }
                }
            }
        }
        from-zone DMZ-trust to-zone trust {
            policy DMZ-to-trust-web {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-http HTTP ];
                }
                then {
                    permit {
                        destination-address;
                    }
                }
            }
        }
        from-zone trust to-zone DMZ-trust {
            policy ALLOW-web-to-DMZ {
                match {
                    source-address trust;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone trust {
            policy trust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address trust 10.196.24.0/24;
                address Webserver1 10.196.24.31/32;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
                ge-1/0/0.0;
                ge-0/0/1.0;
            }
        }
        security-zone untrust {
            address-book {
                address 10.0.0.0/8 10.0.0.0/8;
                address catia 10.196.34.46/32;
                address catia2 10.196.34.47/32;
                address catia3 10.196.34.48/32;
            }
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                            ike;
                            all;
                        }
                    }
                }
                st0.0;
            }
        }
        security-zone DMZ-trust {
            address-book {
                address WebServer 10.196.24.31/32;
            }
        }
    }
}
applications {
    application HTTP {
        protocol tcp;
        destination-port 8080;
    }
    application HR {
        protocol tcp;
        destination-port 80;
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}

Kind regards.
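As an added example (not taken from the poster's configuration or from Juniper documentation), the set commands below follow the Webserver1 pattern already present in this config to publish TCP/8086 on 187.72.138.193 to 10.196.24.178, scoped to one internal host and one port rather than a wide policy. The names svc8086-pool, svc8086, Service8086 and TCP-8086 are assumed and can be renamed.

```junos
# Added example (assumed object names); same pattern as the existing Webserver1 pool/rule/policy.

# 1. Application object: only TCP/8086, so the policy cannot be matched by any other port
set applications application TCP-8086 protocol tcp destination-port 8086

# 2. Destination NAT pool: the internal host on the same port (like pool Webserver1 above)
set security nat destination pool svc8086-pool address 10.196.24.178/32 port 8086

# 3. Destination NAT rule in the existing untrust rule-set, keyed on the public IP and port 8086
set security nat destination rule-set Webserver1 rule svc8086 match destination-address 187.72.138.193/32
set security nat destination rule-set Webserver1 rule svc8086 match destination-port 8086
set security nat destination rule-set Webserver1 rule svc8086 then destination-nat pool svc8086-pool

# 4. Address-book entry in zone trust: policy lookup sees the post-NAT (internal) address
set security zones security-zone trust address-book address Service8086 10.196.24.178/32

# 5. Security policy untrust -> trust, limited to that host and that application, with logging
set security policies from-zone untrust to-zone trust policy Allow-Service8086 match source-address any
set security policies from-zone untrust to-zone trust policy Allow-Service8086 match destination-address Service8086
set security policies from-zone untrust to-zone trust policy Allow-Service8086 match application TCP-8086
set security policies from-zone untrust to-zone trust policy Allow-Service8086 then permit
set security policies from-zone untrust to-zone trust policy Allow-Service8086 then log session-close
```

Paste only the set lines into configure mode (the # lines are explanation), then run commit check before commit; no proxy-arp entry is needed because 187.72.138.193 is the address of ge-0/0/0.0 itself.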

reports for SRX


What is the best solution for reports for previous dates for SRX 1400 UTM? The current inbuilt log is live and has no previous dates. Is there any syslog server compatible with the Juniper SRX 1400?


SRX 240 great amount of icpm


Hello, forum! Please help me find the source of an ICMP flood that uses a lot of CPU. The count of flow sessions and the traffic on the interfaces are unchanged. First topic with diagnostics: https://forums.juniper.net/t5/SRX-Services-Gateway/SRX-240-CPU-THRESHOLD-EXCEEDED/m-p/458653#M52327

show pfe statistics ip icmp | refresh 20
---(refreshed at 2019-02-12 16:05:28 MSK)---
ICMP Statistics:
3347958 requests
0 network unreachables
52826 ttl expired
0 ttl captured
1873 redirects
9 mtu exceeded
0 icmp/option handoffs

ICMP Errors:
0 unknown unreachables
0 unsupported ICMP type
0 unprocessed redirects
0 invalid ICMP type
0 invalid protocol
0 bad input interface
3293250 throttled icmps
0 runts

ICMP Discards:
0 multicasts
0 bad source addresses
0 bad dest addresses
0 IP fragments
0 ICMP errors
---(refreshed at 2019-02-12 16:05:48 MSK)---
ICMP Statistics:
3392791 requests
0 network unreachables
53530 ttl expired
0 ttl captured
1897 redirects
9 mtu exceeded
0 icmp/option handoffs

ICMP Errors:
0 unknown unreachables
0 unsupported ICMP type
0 unprocessed redirects
0 invalid ICMP type
0 invalid protocol
0 bad input interface
3337355 throttled icmps
0 runts

ICMP Discards:
0 multicasts
0 bad source addresses
0 bad dest addresses
0 IP fragments
0 ICMP errors
---(refreshed at 2019-02-12 16:06:08 MSK)---
ICMP Statistics:
3437591 requests
0 network unreachables
54237 ttl expired
0 ttl captured
1921 redirects
9 mtu exceeded
0 icmp/option handoffs

ICMP Errors:
0 unknown unreachables
0 unsupported ICMP type
0 unprocessed redirects
0 invalid ICMP type
0 invalid protocol
0 bad input interface
3381424 throttled icmps
0 runts

ICMP Discards:
0 multicasts
0 bad source addresses
0 bad dest addresses
0 IP fragments
0 ICMP errors
---(*more 100%)---[abort]

Configuring a l3-interface on a vSRX


Hello,
I am working with a vSRX appliance and I would like to use a level 3 VLAN with public addresses for NAT.

I would like to use this VLAN in a NAT pool.

Then, I declared my vlan-id and my l3-interface:
vlans {
    VLAN210 {
        vlan-id 210;
        l3-interface irb.210;
    }
}

 irb {
        unit 210 {
            family inet {
                address 134.59.21.190/28;
            }
        }
    }

I attached it to a security zone:

 zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
                irb.210;
            }
        }

vSRX# run show interfaces irb terse
Interface Admin Link Proto Local Remote
irb.210   up    down inet 134.59.21.190/28

 

vSRX# run show route

134.59.21.190/32 *[Local/0] 4d 02:35:35
Reject

 

The irb.210 is not attached to any ge-0 interface.

Is there a way to bring this interface up?

Thanks

Gilles

vSRX: rollback command


Hello,

The rollback command is missing with Junos 18.4 on vSRX.

How can I go back with the command line without this command?

Regards

Gilles

Routing Between Remote Sites


I have 3 sites with SRX routers: one is the Main site, IP 10.0.1.0, with 2 remote sites that I am trying to get communication between. Site RA, IP 10.0.2.0, and Site RB, IP 10.0.3.0, can communicate with the Main site without problems. Site RA has a VPN to the Main site; Site RB does not. How do I set up the SRX to communicate between the 2 remote sites by going through the Main site?

SRX4100 CLUSTER


Dear community,

I'm trying to build a cluster between 2 SRX4100s and I have a few issues. The CTL and FAB interfaces are connected with 1G SFP-T through Cisco Nexus 5k devices, with 2 separate VLANs. IGMP snooping is disabled for both VLANs.

After setting the node priorities (200 for node0 and 100 for node1), I noted that on node0, in redundancy group 0, node0 has priority 200 but node1's priority is 1. On node1 I see priority 100 for itself, but node0 has priority 1. Roles are OK on both nodes: node0 is primary, node1 is secondary.

If I reboot node1, I see that it is in the lost state on node0. The strange thing is that after node1 comes up, it still remains lost on node0, while on node1 itself all roles and priorities are OK.

Both firewalls have version 15.1X49-D160.2

Any idea? :)
