Channel: SRX Services Gateway topics
Viewing all 3959 articles

SSL Proxy Forward identifying what's going on


I recently configured the SSL forwarding proxy.  My reason for doing so is because I need to be able to identify HTTPS and FTPS dns names that aren't passing their SNI.   This is important for sites where IP address is not always the same or changes frequently.  I also wanted to be able to incorporate this into my web filtering so I could properly whitelist or blacklist sites that are SSL and do so by the dns name even if there is no SNI available.  I have added it to a policy, and when running the command "show services ssl proxy statistics" it shows several thousand matched and several thousand sessions created but I can't find anywhere to show me what dns names it has read.  I have the enable-trace option turned on and I am looking at the logs but I can't find anything super helpful.


which SRX firewall module is best


which SRX firewall module is best for a data center of 100 remote sites. kindly guide.

SSL Forward Proxy With Signed Certificate


Hello,

 

I was able to implement SSL FP on our SRX devices. The thing is I used locally generated certificate with add-ca-constraint  option. The thing is I need to use a certificate which is signed by our CA (Windows 2012 CA if that matters). If I reference a certificate that was signed by the CA on end host I am getting certificate issuer cannot be found error.

 

[attached image: image.png]

Any help is greatly appreciated.
Thanks

Adding Martian addressing

With this I have access to Martian addressing. It becomes enabled.

routing-options {
    rib inet6.0 {
        martians {
            ff00::/8 orlonger allow;
        }
    }
}

The question is...
Can I add addresses or prefixes to interfaces after using the above?

I used the above at the rib level. What about other levels?

Weird NAT rules behavior


We have two SRX-5600 (software version 18.2R1-S1.5) in a chassis cluster setup (active-passive) with an SRX5k IOC3 24XGE+6XLG service card.

When creating a NAT rule (no matter which: source, static or destination), the rule is not applied on commit. We have to change the rule order in the rule-set a few times for the rule to apply. Any ideas as to why, and how to fix this behavior?

 

P.S.

There are no conflicting rules / rules for same networks.

 

ECMP Load Balancing Bypass for IDP Signature Updates


Hi All,

 

I am currently implementing an ECMP load-balancing solution for my default route (0.0.0.0/0) on my SRX. I have the load-balancing working as intended for all traffic originating behind the firewall, however, traffic that originates on the device is seeing packet loss. I cannot seem to find a way to bypass the load-balancing for the specific route that I require it to (signature updates for IDP going to services.netscreen.com). 

 

I am wondering if there is a list of all IPs that services.netscreen.com is registered to, so I can just put a static route on my device and point it to one of the two ISP circuits to use. I assume Juniper uses a CDN service to host it, so it may be difficult to find a list of all IPs. If this is the case, does anyone have any other suggestions for my device bypassing the load-balancing?

 

Thanks

Custom P1 P2 proposals?


I would like to create custom vpn proposals like the SSG. Such as pre-g2-3des-sha and nopfs-esp-3des-sha. No CBC.

Help? TIA!

Supplementing Martian addresses, routes

How can I supplement a Martian route? The goal is to port the Martian route addresses on all physical interfaces.

static-host-mapping not working?


We have a domain, gitserver.ourdomain.com, whose DNS points to our WAN IP address. Our Juniper is then configured with NAT to send requests to our reverse proxy (Nginx).  Everything works great externally.  However, internally, we cannot access gitserver.ourdomain.com because of the way the NAT is set up.  I'm fairly new to the Juniper world, so instead of configuring a new NAT entry, I thought I'd just use the static-host-mapping method to point gitserver.ourdomain.com to the IP address:

 

static-host-mapping {
    gitserver.ourdomain.com inet 192.168.1.22;
}

 

But this does not work.  When I ping it internally (after flushing DNS), it still resolves to the WAN address.  What am I missing?

Traffic only flows outbound over one ISP link


I have an SRX 550 where I have two ISPs connected via BGP, both are sending default route only.  I'm advertising my ranges out both.  I receive traffic on both ISPs (CenturyLink and Spectrum) but I'm only sending outbound traffic out Spectrum.  I'm expecting that traffic should take the shortest path out so if a destination is on CenturyLink, then I would expect that to be the shortest path.  Am I incorrect in this assumption?

Services > Nat > Rule?


I'm trying to follow the docs here and here. Both reference a `rule` directly below the Services/Nat context:

[edit services nat]
rule rule-name {
[edit services nat]
user@host# set rule rule-dnat44 match-direction input term t1 from destination-address 20.20.20.20

 

However, when I try to apply a similar config on my srx240, I get a warning:

The configuration could not be un-locked.

Error(s): 
1) syntax error
2) error recovery ignores input until this point

Warning(s): 
1) rule
2) }

 

Here is the entire `services` section of my config:

services {
  flow-monitoring {
    version9 {
      template IPv4Test {
        ipv4-template;
      }
    }
  }
  application-identification;
  nat {
    rule testRule {
      term testTerm {
        from {
          destination-address <WAN IP>/32;
        }
        then {
          destination-prefix 192.168.1.22/32;
        }
      }
    }
  }
}

 

If I remove the rule it works fine.

DHCP Relay issues on SRX320


We are experiencing an issue with DHCP relay on a few of our SRX branch devices.  For this post, I will use our test environment, an SRX320, as the example.  It is running 15.1X49-D70.3.

 

We have six /26 subnets on the device, each in its own VLAN. Each VLAN has an L3 interface on the SRX with an IP address assigned as the gateway for that subnet.

# show vlans
vlan2800 {
    vlan-id 2800;
    l3-interface irb.2800;
}
vlan2600 {
    vlan-id 2600;
    l3-interface irb.2600;
}
vlan2400 {
    vlan-id 2400;
    l3-interface irb.2400;
}
vlan900 {
    vlan-id 900;
    l3-interface irb.900;
}
vlan2900 {
    vlan-id 2900;
    l3-interface irb.2900;
}
vlan2100 {
    vlan-id 2100;
    l3-interface irb.2100;
}
# show interfaces irb
unit 900 {
    family inet {
        address 172.17.100.1/26;
    }
}
unit 2100 {
    family inet {
        address 172.17.0.129/26;
    }
}
unit 2400 {
    family inet {
        address 172.17.0.65/26 {
            primary;
        }
        address 10.100.0.65/26;
    }
}
unit 2600 {
    family inet {
        address 172.17.100.65/26;
    }
}
unit 2800 {
    family inet {
        address 172.17.0.1/26;
    }
}
unit 2900 {
    family inet {
        address 172.17.0.193/26;
    }
}

 

The DHCP server, a virtual machine running Windows 2012 R2 in an Active Directory environment, is in VLAN 2800 with an IP address of 172.17.0.5.  The SRX is set to forward DHCP requests to 172.17.0.5 with the following code:


# show forwarding-options
dhcp-relay {
    server-group {
        SERVER {
            172.17.0.5;
        }
    }
    group Test {
        active-server-group SERVER;
        interface vlan.900;
        interface vlan.2100;
        interface vlan.2400;
        interface vlan.2600;
        interface vlan.2800;
        interface vlan.2900;
    }
}

The firewall rules are fairly open with any traffic from devices on VLAN 2100 permitted to devices on VLAN 2800 over any application.  The rest of the VLANs are the same.

 

# show security policies from-zone VLAN2100 to-zone VLAN2800
policy 2100-to-2800 {
    description "Permit wired clients to talk to infrastructure devices";
    match {
        source-address vlan2100;
        destination-address vlan2800;
        application any;
    }
    then {
        permit;
    }
}

Hopefully that gives a good idea of our environment. Here is where the problem comes in. The above configuration worked just fine for every subnet on the device. Out of the blue, DHCP requests stopped forwarding on some of the subnets. We first noticed it on VLAN 900, which is a public wireless network. The only difference between that network and the others was that it was not on the same /24 network as the other ones, but it doesn't make any sense why that would prevent it from working. Our workaround was to add a new network adapter to the server virtual machine on VLAN 900 with an IP address in that network without a gateway. This "fixed" the issue because now the server was on the same network as the devices and could service requests. Then, other networks stopped working. We have seen this issue on 15 out of 70 branch devices. We have plans to forward our DHCP to a central server out of our control, so adding a new network adapter isn't possible. We need to fix this issue properly. We haven't gathered any logs yet but can do that. I think we're also going to call support to see if they can fix it, but I wanted to also reach out to the community to see if anyone can point us in the right direction.

 

Thanks, in advance, for any help!
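The post pastes three outputs (show vlans, show interfaces irb, show forwarding-options) that each name the VLAN interfaces differently. The following is an added example, not part of the forum post and not Juniper code: a small Python consistency check that parses constructed, abbreviated copies of those outputs and reports every dhcp-relay group member that is not the l3-interface of some VLAN, or that has no irb unit carrying an address. Unit 2400 is deliberately left out of the irb copy to exercise the second check. It compares names only; it does not claim to explain why relay stopped forwarding.

```python
"""Name-consistency check between VLAN l3-interfaces, irb units and
dhcp-relay group members (added example; constructed inputs below)."""
import re

# Abbreviated, constructed copy of the posted 'show vlans' output.
SHOW_VLANS = """
vlan2800 { vlan-id 2800; l3-interface irb.2800; }
vlan2400 { vlan-id 2400; l3-interface irb.2400; }
vlan900 { vlan-id 900; l3-interface irb.900; }
vlan2100 { vlan-id 2100; l3-interface irb.2100; }
"""

# Abbreviated, constructed copy of 'show interfaces irb' (unit 2400 omitted on purpose).
SHOW_IRB = """
unit 900 { family inet { address 172.17.100.1/26; } }
unit 2100 { family inet { address 172.17.0.129/26; } }
unit 2800 { family inet { address 172.17.0.1/26; } }
"""

# Constructed copy of the posted 'show forwarding-options' output (four members).
SHOW_FWD_OPTS = """
dhcp-relay {
    server-group {
        SERVER {
            172.17.0.5;
        }
    }
    group Test {
        active-server-group SERVER;
        interface vlan.900;
        interface vlan.2100;
        interface vlan.2400;
        interface vlan.2800;
    }
}
"""


def l3_interfaces(show_vlans):
    """Set of l3-interface names declared under any VLAN."""
    return set(re.findall(r"l3-interface\s+(\S+);", show_vlans))


def irb_units(show_irb):
    """Set of irb.<unit> names that have a configured unit."""
    return {f"irb.{u}" for u in re.findall(r"unit\s+(\d+)\s*\{", show_irb)}


def relay_interfaces(show_fwd_opts):
    """Map dhcp-relay group name -> list of member interface names."""
    groups, current = {}, None
    for raw in show_fwd_opts.splitlines():
        line = raw.strip()
        if m := re.match(r"^group\s+(\S+)\s*\{", line):   # 'server-group {' does not match
            current = m[1]
            groups[current] = []
        elif current and (m := re.match(r"^interface\s+(\S+);", line)):
            groups[current].append(m[1])
    return groups


def check(show_vlans, show_irb, show_fwd_opts):
    """Return (group, interface, reason) for every relay member that does
    not line up with the VLAN/irb configuration."""
    l3 = l3_interfaces(show_vlans)
    units = irb_units(show_irb)
    problems = []
    for group, members in relay_interfaces(show_fwd_opts).items():
        for ifc in members:
            if ifc not in l3:
                problems.append((group, ifc, "not an l3-interface of any VLAN"))
            elif ifc not in units:
                problems.append((group, ifc, "no irb unit with an address"))
    return problems


if __name__ == "__main__":
    for group, ifc, reason in check(SHOW_VLANS, SHOW_IRB, SHOW_FWD_OPTS):
        print(f"group {group}: interface {ifc}: {reason}")
```

Run as-is it flags all four vlan.* members as not matching any VLAN's l3-interface; rerun with the relay members renamed to irb.* and only the deliberately omitted unit 2400 is reported.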

VSRX Dynamic VPN - IKE Proposal Selection Errors


Good Afternoon,

I am working to configure a dynamic VPN on a vSRX located in AWS. I am running into "no proposal selected" errors when I try to connect.

 

Here's how things look on the SRX side, error wise:

[Feb 28 21:38:36][10.132.0.52 <-> XXX.XXX.XXX.XXX] ike_st_i_sa_proposal: Start
[Feb 28 21:38:36][10.132.0.52 <-> XXX.XXX.XXX.XXX] ike_process_packet: No output packet, returning
[Feb 28 21:38:36][10.132.0.52 <-> XXX.XXX.XXX.XXX] ikev2_fb_st_select_ike_sa: FSM_SET_NEXT:ikev2_fb_st_select_ike_sa_finish
[Feb 28 21:38:36][10.132.0.52 <-> XXX.XXX.XXX.XXX] iked_pm_phase1_sa_cfg_lookup_by_addr: Found SA-CFG CORIOS-AWS-VSRX-2-VPN by ip address for local:10.132.0.52, remote:XXX.XXX.XXX.XXX IKEv1 remote_port:22709 ksa_cfg_remote_port=4500
[Feb 28 21:38:36][10.132.0.52 <-> XXX.XXX.XXX.XXX] iked_pm_id_validate id NOT matched.
[Feb 28 21:38:36][10.132.0.52 <-> XXX.XXX.XXX.XXX] iked_pm_ike_spd_select_ike_sa failed. rc 1, error_code: No proposal chosen
[Feb 28 21:38:36][10.132.0.52 <-> XXX.XXX.XXX.XXX] ikev2_fb_spd_select_sa_cb: IKEv2 SA select failed with error No proposal chosen (neg 8f29e00)

 

Similarly, I run into this client side (NCP Exclusive Access client)

 

2/28/2019 1:40:12 PM - IpsDial: connection time interface choice,LocIpa=10.1.11.146,AdapterIndex=201
2/28/2019 1:40:12 PM - Ike: Outgoing connect request AGGRESSIVE mode - gateway=XXX.XXX.XXX.XXX : Corios VPN2
2/28/2019 1:40:12 PM - Ike: ConRef=82, XMIT_MSG1_AGGRESSIVE, name=Corios VPN2, vpngw=XXX.XXX.XXX.XXX:500
2/28/2019 1:40:12 PM - ike_phase1:send_id:ID_USER_FQDNSmiley Tongueid=0,port=0,itadmins@coriosgroup.com
2/28/2019 1:40:12 PM - Ike: ConRef=82, Send NAT-D vendor ID,remprt=500
2/28/2019 1:40:12 PM - Ike: ConRef=82, NOTIFY : Corios VPN2 : RECEIVED : NO_PROPOSAL_CHOSEN : 14

 

Here's my IKE config:

proposal PSK-DH19-AES256-SHA256-L28800 {
    authentication-method pre-shared-keys;
    dh-group group19;
    authentication-algorithm sha-256;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 28800;
}

policy Corios-VPN-IKE-Pol {
    mode aggressive;
    proposals PSK-DH19-AES256-SHA256-L28800;
    pre-shared-key ascii-text "SHARED SECRET HASH"; ## SECRET-DATA
}

gateway Corios-VPN-IKE-GW {
    ike-policy Corios-VPN-IKE-Pol;
    dynamic {
        user-at-hostname "itadmins@coriosgroup.com";
        connections-limit 2;
        ike-user-type shared-ike-id;
    }
    dead-peer-detection;
    local-identity inet XXX.XXX.XXX.XXX;
    external-interface ge-0/0/0.0;
    aaa {
        access-profile LOCAL_AUTH;
    }
    version v1-only;
    tcp-encap-profile NCP;
}

 

Here's my IPSEC config:

proposal ESP-AES256-SHA256-L3600 {
    protocol esp;
    encryption-algorithm aes-256-gcm;
    lifetime-seconds 3600;
}

vpn Corios-VPN {
    bind-interface st0.9;
    ike {
        gateway Corios-VPN-IKE-GW;
        ipsec-policy Corios-VPN-IPSEC-Pol;
    }
    traffic-selector TS1 {
        local-ip 0.0.0.0/0;
        remote-ip 0.0.0.0/0;
    }
}

 

Here's the config for the tunnel interface:

ec2-user@VSRX2> show configuration interfaces st0.9
enable;
description VPN;
family inet {
    mtu 1436;
    address 10.132.3.1/24;
}

 

It's also in a security zone:

ec2-user@VSRX2> show configuration security zones security-zone vpn
tcp-rst;
host-inbound-traffic {
    system-services {
        all;
    }
    protocols {
        all;
    }
}
interfaces {
    st0.9;
}

The attached images are screenshots from the NCP client config.

One other thing I should also mention is that I have several site-to-site VPNs landing on this vSRX. They're working.

Whatever I'm doing wrong here just isn't making sense to me.  Thanks in advance for pointing me in the right direction.

 

[attached images: identity_settings.PNG, ipsec_general_settings.PNG]

 

SRX VLAN Logical Interfaces


Hello,

 

I have a few switches connected in an RSTP ethernet ring.  I would like to use Juniper SRX 340 as my gateway for all the applications and to permit and deny routing between the vlans on the ring.  I will be using two SRXs and VRRP to elect the master gateway.

 

I have 8 applications, each on a separate VLAN and subnet. The Junipers need to be able to participate in each VLAN, and have a logical IP address for each VLAN (as well as a shared VRRP address for each subnet that is available on both).

 

I think I know how to do most of this; however, I haven't been able to find examples of creating VLAN interfaces that aren't attached to physical interfaces. So hopefully someone can tell me how to do that part only. I will have two physical ports that are trunk ports and members of each VLAN, then 8 logical interfaces with IP addresses, 1 for each VLAN. Then all traffic destined for outside networks will be routed out 1 of 2 uplink ports to other networks.

 

If I can get info on how to create logical L3 interfaces attached to the VLAN without a physical interface I can probably figure out all the VRRP and other stuff myself.


Thanks

SRX210 getting DHCP from ISP Virgin Media Hub 3.0 but NO Internet


Hello,

 

I've been trying to set up a cluster of SRX210s and ingest an IP via the Hub 3.0 in modem mode, which works fine cloning the MAC on the reth0 interface (reth0 outside, reth1 inside). Unfortunately, I can't ping Google from the firewall.

 

This same setup worked previously without a cluster, with only one unit, although with some random issues where I lost the public IP on the firewall. Overall, it seems like the VM Hub 3.0 doesn't work rock-solidly in modem mode, and it also depends a lot on the hardware you have behind it.

 

The first setup was to have pfSense virtually, which worked perfectly, but now I'm not sure whether it's the firmware on the Hub or something wrong in my SRX configuration.

 

What annoys and confuses me is the fact that I'm getting (Access-internal/12), whereas I received "default" (if I remember correctly) when I had only one single unit. Another fact is that I'm stripping the VLAN 100 tag from the switch to the Hub3 but tagging it back on the LACP to the SRX cluster. I can see ARP from the street VM cabinets, and I get the public IP correctly, although something is wrong as it doesn't work. This same method worked correctly.

 

root@firewall_node01> show route

inet.0: 23 destinations, 23 routes (23 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Access-internal/12] 00:13:56
                    > to 82.6.88.1 via reth0.100

 

Any help would be great.

 

Thanks,

 

Alberto.


SRX IPSec VPN dual ISP including a default route for inet.0


HI All,

 

Bit stuck here... so I have followed https://kb.juniper.net/InfoCenter/index?page=content&id=KB29227 which works great...

 

 

Though now that both ISP-facing interfaces are tied to a virtual-router type routing-instance, I want to have a default route on SRX-1 within the global routing table for internet breakout... So I need to leak the default routes from the virtual-routers to the global routing table... though it looks like you can only do that with a vrf type routing-instance..?

 

So has anyone managed to import a route from virtual-router.inet.0 to inet.0...? As currently I can't see an option...

Restrict access with junos-host zone


I am trying to restrict management access with the junos-host zone, but it doesn't appear to be working. All traffic still seems to be allowed, even though I have tied it down to one IP and only SSH. Any help appreciated; config below:

 

vsrx> show configuration security zones security-zone mgmt | display set
set security zones security-zone mgmt address-book address mgt-server 192.168.10.133/32
set security zones security-zone mgmt address-book address-set manager-ip address mgt-server
set security zones security-zone mgmt host-inbound-traffic system-services all
set security zones security-zone mgmt host-inbound-traffic protocols all
set security zones security-zone mgmt interfaces lo0.0

 

vsrx> show configuration security policies | display set
set security policies from-zone mgmt to-zone junos-host policy management-access match source-address manager-ip
set security policies from-zone mgmt to-zone junos-host policy management-access match destination-address any
set security policies from-zone mgmt to-zone junos-host policy management-access match application junos-ssh
set security policies from-zone mgmt to-zone junos-host policy management-access match application junos-http
set security policies from-zone mgmt to-zone junos-host policy management-access then permit
set security policies from-zone mgmt to-zone junos-host policy denyall match source-address any
set security policies from-zone mgmt to-zone junos-host policy denyall match destination-address any
set security policies from-zone mgmt to-zone junos-host policy denyall match application any
set security policies from-zone mgmt to-zone junos-host policy denyall then deny

 

There are no other security policies on the device other than the ones above (so it's not hitting another policy). When I SSH from another IP in the 192.168.10.x range, it is permitted.

 

Thanks
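One way to reason about the posted policy set offline, as an added example (not the poster's code and not Juniper's): a small Python evaluator that parses the exact `display set` lines from the post (a constructed copy of them is embedded), resolves the address-book set, and reports which policy a candidate flow would hit first, in configured order. It assumes, as the policies themselves do, that the flow enters through an interface that belongs to the from-zone `mgmt`; a flow entering through an interface in any other zone has no from-zone/to-zone pair in this policy set and the evaluator reports `no-policy` for it, which on the posted config (zone `mgmt` contains only `lo0.0`) is the case for every physical interface.

```python
"""Offline evaluator for Junos 'display set' security policies
(added example; the CONFIG below is a constructed copy of the posted lines)."""
import ipaddress
import re
from collections import OrderedDict

CONFIG = """
set security zones security-zone mgmt address-book address mgt-server 192.168.10.133/32
set security zones security-zone mgmt address-book address-set manager-ip address mgt-server
set security policies from-zone mgmt to-zone junos-host policy management-access match source-address manager-ip
set security policies from-zone mgmt to-zone junos-host policy management-access match destination-address any
set security policies from-zone mgmt to-zone junos-host policy management-access match application junos-ssh
set security policies from-zone mgmt to-zone junos-host policy management-access match application junos-http
set security policies from-zone mgmt to-zone junos-host policy management-access then permit
set security policies from-zone mgmt to-zone junos-host policy denyall match source-address any
set security policies from-zone mgmt to-zone junos-host policy denyall match destination-address any
set security policies from-zone mgmt to-zone junos-host policy denyall match application any
set security policies from-zone mgmt to-zone junos-host policy denyall then deny
"""

ADDR_RE = re.compile(r"^set security zones security-zone (\S+) address-book address (\S+) (\S+)$")
SET_RE = re.compile(r"^set security zones security-zone (\S+) address-book address-set (\S+) address (\S+)$")
POL_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (match|then) (.*)$")


def parse(config):
    """Return (addresses, address-sets, policies) keyed by zone / (from, to, name)."""
    addrs, sets, policies = {}, {}, OrderedDict()   # OrderedDict keeps configured policy order
    for line in config.strip().splitlines():
        line = line.strip()
        if m := ADDR_RE.match(line):
            addrs[(m[1], m[2])] = ipaddress.ip_network(m[3])
        elif m := SET_RE.match(line):
            sets.setdefault((m[1], m[2]), []).append(m[3])
        elif m := POL_RE.match(line):
            pol = policies.setdefault((m[1], m[2], m[3]), {
                "source-address": [], "destination-address": [], "application": [], "action": None})
            if m[4] == "match":
                field, value = m[5].split(" ", 1)
                pol[field].append(value)
            else:
                pol["action"] = m[5]
    return addrs, sets, policies


def resolve(zone, name, addrs, sets):
    """Expand an address or address-set name to networks; None means 'any'."""
    if name == "any":
        return None
    if (zone, name) in addrs:
        return [addrs[(zone, name)]]
    nets = []
    for member in sets.get((zone, name), []):     # unknown names resolve to nothing
        nets.extend(resolve(zone, member, addrs, sets))
    return nets


def addr_matches(zone, names, ip, addrs, sets):
    ip = ipaddress.ip_address(ip)
    for name in names:
        nets = resolve(zone, name, addrs, sets)
        if nets is None or any(ip in n for n in nets):
            return True
    return False


def evaluate(config, from_zone, to_zone, src_ip, dst_ip, application):
    """First-match lookup: returns (policy name, action) or (None, 'no-policy')."""
    addrs, sets, policies = parse(config)
    for (fz, tz, name), pol in policies.items():
        if (fz, tz) != (from_zone, to_zone):
            continue
        if not addr_matches(fz, pol["source-address"], src_ip, addrs, sets):
            continue
        if not addr_matches(tz, pol["destination-address"], dst_ip, addrs, sets):
            continue
        if "any" not in pol["application"] and application not in pol["application"]:
            continue
        return name, pol["action"]
    return None, "no-policy"


if __name__ == "__main__":
    for src, app in [("192.168.10.133", "junos-ssh"), ("192.168.10.50", "junos-ssh")]:
        print(src, app, "->", evaluate(CONFIG, "mgmt", "junos-host", src, "192.168.10.1", app))
```

The point of the exercise: with the flow placed in zone `mgmt`, the posted policies do what the poster expects (the manager IP is permitted, any other 192.168.10.x source falls through to `denyall`), so the evaluator isolates the question of which zone the management traffic actually enters in.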

SRX cluster routing engine has GR Error gres-not-ready


Hi all,

 

I have a cluster problem, and no clue to it.

After some years of running I had to stop one firewall node (SRX550), which was node1. After the reboot its interfaces were down (both in fpc0 and in fpc3), so I took it offline until the HW could be replaced.

Later I tried to start the FW node without any cable and the interfaces started normally, so I tried to put it back into the cluster.

When it started it immediately became the active node on RG0, but the reth interfaces remained in down status (with all the ge interfaces up), so I turned it off again. No preemption is configured, so the interfaces remained active on the other node, node1.

After that I discovered that node1 RG0 shows an error (GR); probably this is the reason why node0 took mastership when I plugged it back in.

Now node0 is turned off, I have this GR (GRES monitoring) error and the firewall is working.

I would like to put node0 back in charge, but first I want to clear this GR error.

When I check show chassis cluster information detail I can see gres-not-ready.

 

{primary:node1}
user@firewall-node1> show chassis cluster status
Monitor Failure codes:
    CS  Cold Sync monitoring        FL  Fabric Connection monitoring
    GR  GRES monitoring             HW  Hardware monitoring
    IF  Interface monitoring        IP  IP monitoring
    LB  Loopback monitoring         MB  Mbuf monitoring
    NH  Nexthop monitoring          NP  NPC monitoring
    SP  SPU monitoring              SM  Schedule monitoring
    CF  Config Sync monitoring      RE  Relinquish monitoring

Cluster ID: 1
Node   Priority Status         Preempt Manual   Monitor-failures

Redundancy group: 0 , Failover count: 0
node0  0        lost           n/a     n/a      n/a
node1  255      primary        no      yes      GR

Redundancy group: 1 , Failover count: 0
node0  0        lost           n/a     n/a      n/a
node1  0        primary        no      no       CS

{primary:node1}
user@firewall-node1> show chassis cluster information detail
node1:
--------------------------------------------------------------------------
Redundancy mode:
    Configured mode: active-active
    Operational mode: active-active
Cluster configuration:
    Heartbeat interval: 1000 ms
    Heartbeat threshold: 3
    Control link recovery: Disabled
    Fabric link down timeout: 66 sec
Node health information:
    Local node health: Not healthy
    Remote node health: Healthy

Redundancy group: 0, Threshold: 255, Monitoring failures: gres-not-ready

 

Please help me clear this GR error.

 

Thanks,

Balázs

What will my source-address from this device be?


Hi All,

 

I've got a device with two routing-instances configured. RI A has my ISP circuit installed. RI B has my trusted traffic interfaces configured. RI B also has my loopback interface, which I use for management of the device. RI A has a loopback interface which I use for internet traffic destined for my device. I have the default-address-selection configuration applied.

 

My question is this: I have no interface in the default routing-instance, so when traffic originates from the device (in this case IDP signature updates destined for services.netscreen.com), where will the traffic originate from? Will the traffic originate from the loopback in RI A or RI B?

 

Happy to provide more information if there is not sufficient info. 

 

The issue I am trying to solve is to do some sort of source based forwarding due to some issues with ECMP that I can't figure out. I need traffic from this device to take a specific ISP of mine rather than be load balanced. 

Thanks

SRX340 VC jflow config through management me0/em0 port


Hi,

 

We have SRX340 with Junos: 15.1X49-D120.3

I want to configure jflow through the dedicated management port me0/em0. JTAC suggested the configuration on a physical interface, i.e. ge-0/0/0 (they said it is not supported on me0/em0), but I want to use only the dedicated management port.

Please suggest configuration

 

Thank you
