Channel: SRX Services Gateway topics

SNMP ObjectsTable per logical-system


Hi everybody!

I have an SRX divided into 3 logical systems: I would like to grab the SNMP values of the jnxJsSPUMonitoringObjectsTable for each of the logical systems I have configured.

If I walk that table I only get the result per node:

 

show snmp mib walk jnxJsSPUMonitoringObjectsTable

jnxJsSPUMonitoringFPCIndex.1 = 1
jnxJsSPUMonitoringFPCIndex.9 = 1
jnxJsSPUMonitoringSPUIndex.1 = 0
jnxJsSPUMonitoringSPUIndex.9 = 0
jnxJsSPUMonitoringCPUUsage.1 = 0
jnxJsSPUMonitoringCPUUsage.9 = 0
jnxJsSPUMonitoringMemoryUsage.1 = 66
jnxJsSPUMonitoringMemoryUsage.9 = 66
jnxJsSPUMonitoringCurrentFlowSession.1 = 421
jnxJsSPUMonitoringCurrentFlowSession.9 = 244
jnxJsSPUMonitoringMaxFlowSession.1 = 819200
jnxJsSPUMonitoringMaxFlowSession.9 = 819200
jnxJsSPUMonitoringCurrentCPSession.1 = 284
jnxJsSPUMonitoringCurrentCPSession.9 = 242
jnxJsSPUMonitoringMaxCPSession.1 = 1048576
jnxJsSPUMonitoringMaxCPSession.9 = 1048576
jnxJsSPUMonitoringNodeIndex.1 = 0
jnxJsSPUMonitoringNodeIndex.9 = 1
jnxJsSPUMonitoringNodeDescr.1 = node0
jnxJsSPUMonitoringNodeDescr.9 = node1
jnxJsSPUMonitoringFlowSessIPv4.1 = 418
jnxJsSPUMonitoringFlowSessIPv4.9 = 241
jnxJsSPUMonitoringFlowSessIPv6.1 = 3
jnxJsSPUMonitoringFlowSessIPv6.9 = 3
jnxJsSPUMonitoringCPSessIPv4.1 = 281
jnxJsSPUMonitoringCPSessIPv4.9 = 238
jnxJsSPUMonitoringCPSessIPv6.1 = 3
jnxJsSPUMonitoringCPSessIPv6.9 = 4

 

As "Best Practice" suggests, I can also run jnxJsSPUMonitoringCurrentTotalSession, but that only gives the system-level total session count. The corresponding CLI output for the values I'm looking for is:

 

show security flow session summary logical-system ls-application
node0:
--------------------------------------------------------------------------

Flow Sessions on FPC1 PIC0:
Unicast-sessions: 93
Multicast-sessions: 0
Services-offload-sessions: 0
Failed-sessions: 0
Sessions-in-use: 290
Valid sessions: 93
Pending sessions: 0
Invalidated sessions: 197
Sessions in other states: 0
Maximum-sessions: 819200

node1:
--------------------------------------------------------------------------

Flow Sessions on FPC1 PIC0:
Unicast-sessions: 95
Multicast-sessions: 0
Services-offload-sessions: 0
Failed-sessions: 0
Sessions-in-use: 106
Valid sessions: 95
Pending sessions: 0
Invalidated sessions: 11
Sessions in other states: 0
Maximum-sessions: 819200

 

Any suggestions?
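An added example (not from the original post) that parses the `show snmp mib walk jnxJsSPUMonitoringObjectsTable` output shown above into per-SPU records and flags session-table utilization, the capacity signal to watch for session exhaustion; the sample lines are a constructed subset of the post's output and the thresholds are arbitrary.

```python
"""Parse 'show snmp mib walk jnxJsSPUMonitoringObjectsTable' output into
per-SPU records and flag session-table utilization.  Added example, not
part of the original post."""
import re

PREFIX = "jnxJsSPUMonitoring"
LINE_RE = re.compile(r"^(jnxJsSPUMonitoring\w+)\.(\d+)\s*=\s*(.+?)\s*$")

# Constructed sample: a subset of the walk output quoted in the post.
SAMPLE_WALK = """\
jnxJsSPUMonitoringFPCIndex.1 = 1
jnxJsSPUMonitoringFPCIndex.9 = 1
jnxJsSPUMonitoringCurrentFlowSession.1 = 421
jnxJsSPUMonitoringCurrentFlowSession.9 = 244
jnxJsSPUMonitoringMaxFlowSession.1 = 819200
jnxJsSPUMonitoringMaxFlowSession.9 = 819200
jnxJsSPUMonitoringCurrentCPSession.1 = 284
jnxJsSPUMonitoringCurrentCPSession.9 = 242
jnxJsSPUMonitoringMaxCPSession.1 = 1048576
jnxJsSPUMonitoringMaxCPSession.9 = 1048576
jnxJsSPUMonitoringNodeDescr.1 = node0
jnxJsSPUMonitoringNodeDescr.9 = node1
"""


def parse_walk(text):
    """Return {index: {column: value}}; numeric values become ints.

    Lines that do not look like walk output (prompts, blank lines) are
    skipped rather than raising, so a pasted CLI session can be fed in.
    """
    rows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        column = m.group(1)[len(PREFIX):]          # e.g. "CurrentFlowSession"
        index, raw = int(m.group(2)), m.group(3)
        value = int(raw) if raw.lstrip("-").isdigit() else raw
        rows.setdefault(index, {})[column] = value
    return rows


def utilization(rows, current="CurrentFlowSession", maximum="MaxFlowSession"):
    """Per-index current/max ratio; None when the max is missing or zero."""
    out = {}
    for index, cols in rows.items():
        cur, mx = cols.get(current), cols.get(maximum)
        ok = isinstance(cur, int) and isinstance(mx, int) and mx > 0
        out[index] = cur / mx if ok else None
    return out


def over_threshold(rows, threshold=0.8, **kinds):
    """Node descriptors (or indexes) whose table is at or above the threshold.

    kinds: optional current=/maximum= column names, e.g. the CP session table.
    """
    return sorted(
        str(rows[i].get("NodeDescr", i))
        for i, u in utilization(rows, **kinds).items()
        if u is not None and u >= threshold
    )
```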

 

 

 


srx110h2 HA options


Hi,

 

I have two srx110h2 boxes connected to two ex4200 switches (which are in VC mode). I understand chassis cluster is not supported for some reason on the srx110h2? Why?

 

What are my HA options then? VRRP for the clients behind them? reth for the untrust/trust side?

 

Really surprised.

 

Thanks.

dynamic vpn


Hello,

 

I want to configure dynamic VPN to allow multiple clients to connect. Each client may have a different IP to a device/server directly connected to the SRX. I have configured the basic dynamic VPN, but need assistance in configuring the ports, NATs, etc. I do appreciate it.

 

client1-------->internet------->srx----->server1 10.30.4.0/24 on fe-0/0/5 

client2------->internet-------->srx----->server2 10.30.8.0/24 on fe-0/0/6

client3------>internet--------->srx----->server3 10.30.x.x/24 on fe-0/0/7

SRX650 and FTPS


Hi,

 

We came across this issue today, so I just wanted to share this information with you guys.

 

Error received while trying to connect to a remote FTP server; this error was received in FileZilla:

Could not connect to server ...... Initializing TLS .....

 


 

The solution was to enable FTPS on the SRX650 firewall.

 

# set security alg ftp ftps-extension

"enable FTPS explicit mode"

 

This option (according to KB19444) is not supported in active mode, only in passive mode.

 

Now it works fine.

 


The problem with NAT and version


I have a simple test config on an SRX210:

 

interfaces {
    ge-0/0/0 {
        disable;
    }
    ge-0/0/1 {
        disable;
    }
    fe-0/0/2 {
        unit 0 {
            family inet {
                address 192.168.52.1/24;
            }
        }
    }
    fe-0/0/3 {
        disable;
    }
    fe-0/0/4 {
        disable;
    }
    fe-0/0/5 {
        disable;
    }
    fe-0/0/6 {
        disable;                       
    }
    fe-0/0/7 {
        description ISP-1;
        unit 0 {
            family inet {
                address 192.168.230.133/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 127.0.0.1/32;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 192.168.230.1;
    }
}
protocols {
    stp;
}
security {
    flow {
        tcp-mss {
            ipsec-vpn {
                mss 1350;
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }                          
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 192.168.52.0/24;
                        destination-address 0.0.0.0/0;
                        protocol [ tcp udp icmp ];
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;            
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address LOCALNET 192.168.52.0/24;
            }
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/2.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    ssh;
                    ike;
                    ping;
                    https;
                    http;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/7.0;
            }
        }
    }
}

 

Version 12.1X46-D50.4: not working. On the host in the network 192.168.230.0 I see "untranslated" packets from 192.168.52.0.

Version 12.1X44-D30.4: OK! Packets are transmitted as 192.168.230.133.

 

 

Multiple vpn connections


Hi,

 

I have two SRX devices which are connected through a route-based VPN. Our SRX1400 network has a Windows server, and the client's network is behind an SRX210. The clients' workstations on the SRX210 network connect to the server on the SRX1400 through a route-based VPN between the two SRX devices. The clients are experiencing random disconnects and slowdowns with their connection to the server from their workstations. We have troubleshot this and are unable to find the reason why they are experiencing these issues on the route-based VPN. I was thinking of creating a second VPN connection as a backup connection and need some help with setting up the SRX devices so that when there's a disconnect or slowdown, the traffic will be instantly redirected over to the second VPN connection so they don't experience any downtime.

 

I am not sure how to have the traffic redirected to the new vpn connection when they experience issues and would like some help with that please.

 

So I was thinking of using static route preferences and qualified next hops:

 

10.1.8.0/24 is the client's network. 10.2.2.22/32 is the Windows server. st0.0 is the original tunnel and st0.1 will be the new backup tunnel.

 

SRX1400
set routing-options static route 10.1.8.0/24 next-hop st0.0 
set routing-options static route 10.1.8.0/24 qualified-next-hop st0.1 preference 25 

 

SRX210
set routing-options static route 10.2.2.22/32 next-hop st0.0 (primary vpn tunnel)
set routing-options static route 10.2.2.22/32 qualified-next-hop st0.1 preference 25

 

Please let me know if this is the correct or best way to do this, thanks!

 

LACP between SRX and EX


Greetings All,

 

I am attempting to create a LAG between an SRX345 and EX4200 Virtual Chassis.  The trivial case of single ethernet connections is not a problem but I am having trouble replicating my topology with redundant connections.  I was hoping you might be able to remove some of the fog and provide better understanding for me.  I have read and tested many examples but none I have seen are quite what I am looking for.

 

Desired Result:

SRX345 ge-0/0/0 connects to EX4200 ge-0/0/0

SRX345 ge-0/0/1 connects to EX4200 ge-1/0/0

 

The SRX345 ge-0/0/0 and ge-0/0/1 form ae0 with an IP address of 10.0.0.1/24, while the EX4200 has no IP address.

 

I have read that ether-switching and vlan-tagging are not compatible, so I am asking if there is another solution I have not considered.

 

I really appreciate any help you might be able to provide.

 

-john

how to reference a specific term within a FW application


Hi all,

 

I got this example below. As you can see it is an HTTP application with many different ports. Now when I create FW policies I would just use http_all as my application and that would be it. But what if I want to specifically reference the term t2?

 

set applications application http_all term t1 protocol tcp
set applications application http_all term t1 destination-port 3125
set applications application http_all term t2 protocol tcp
set applications application http_all term t2 destination-port 8080-8081
set applications application http_all term t3 protocol tcp
set applications application http_all term t3 destination-port 80
set applications application http_all term t4 protocol tcp
set applications application http_all term t4 destination-port 8000
set applications application http_all term t5 protocol tcp
set applications application http_all term t5 destination-port 8001
set applications application http_all term t6 protocol tcp
set applications application http_all term t6 destination-port 8002

I got another FW policy that I have to make and it is only for http 8080 and 8081, is there a way to reference only t2 in the FW without me having to create another application for it?

 

Thanks


Restrict access to GUI web interface?


How do I restrict access to the web interface on an SRX210? For example if I only want it accessible from inside my local network and not the internet, or only accessible from the internet from specific IPs?

 

I've got a very simple network, the uplink from our datacentre plugs into the WAN port on the SRX and then I have a few servers plugged into the other interfaces forming a local network. I then use NAT to give the server public IP addresses and firewall rules to restrict access.

 

I'm a novice user, I only know how to use the GUI and set up NAT and firewall, not much else. I've seen some guides on how to do this via the CLI, but could it be done via the GUI?

SRX210 tunnel ipip

I'm doing a PoC for a customer who connects to his remote offices via tunnel IP over IP.

I just realised the SRX 210 I am to use has just one tunnel ipip interface: ip-0/0/0, and the customer has multiple remote sites.

Is there a workaround to create more tunnelled ipip interfaces on the SRX 210 firewall?

SRX 110 - SIP call cannot resume from on-hold


Hi, we have been having this annoying issue since we rebuilt our SRX110 from scratch. We lost the original config and it seems that there was something configured on there that made this work.

Each time we receive a SIP call, if we put the caller on hold for more than one minute, when we un-hold the call the caller can hear us but we cannot hear the caller. What we normally have to do is put the caller back on hold and then un-hold to be able to have a two-way conversation again. This is really impacting our business and we would be grateful if we could rectify this ASAP with your assistance.

 

We have tried to disable sip alg but that has not helped.

 

Here is the device:

 

Model: srx110h2-va
JUNOS Software Release [12.1X46-D40.2]

Aggravating SRX filter-based-forwarding limitation - still an issue?


I'm wondering if newer versions of Junos can overcome the limitation described below or if anyone has any conceptual ideas on how to simplify what I had to do below.

 

Our SRX210 cluster setup has to be able to selectively route traffic between multiple sites, each site having two ISPs and two VPN tunnels, choosing which tunnel based on business rules according to traffic type, and using filter-based forwarding. I learned long ago (Junos version 11.2R43, to be exact) that the only way to accomplish this is to have:

 

  1. two virtual routers, one for each ISP, containing the ISP gateway interface and associated VPN tunnels using that interface
  2. two security zones, each paired to the corresponding virtual router, resulting in the associated VPN tunnels being in the same (untrusted) security zone as the public ISP interface
  3. identical inbound rules, duplicated in both security zones, for every VPN subnet allowing tunnel traffic from the various subnets
  4. another pair of identical policies within each security zone for inbound destination-NAT traffic so that our web servers etc. can be reached via either interface
  5. Parallel/duplicated source-NAT policies for each security zone
  6. Importing static and interface routes back and forth between the three zones

All of this complication and duplication works, but is needed for only one simple and frustrating reason: the SRX routers simply cannot consistently return outbound traffic via the same interface it came in on any other way. Filter-based forwarding doesn't work with a much simpler VR type=forwarding arrangement with only one 'Untrust' security zone for just the two public ISP interfaces and all the tunnels in the 'Trust' zone. FBF works great when traffic originates from the local router, but is IGNORED when it comes to traffic originating from the remote site. So an inbound packet on tunnel st0.1 from ISP-A, originating from the remote site, will go back out tunnel st0.2 from ISP-B via the default routing-instance (configured via an "instance-import from-ISPB-to-default" statement on the local router) regardless of FBF rules trying to simply return the packet out the same interface it came in on, out the same VR it came in on.

 

The older Netscreen routers we replaced the SRXs with just did this automatically! I am hard-pressed to understand why any router wouldn't just by default return packets via the same interface they came in on and make you go through such trouble to avoid asymmetric routing.

 

The duplication is OK for one or two sites but it gets old keeping up with the configuration as more sites and more business rules come into play. I am using 'apply-groups' where I can but still...

 

Just wondering if newer versions of Junos overcome this limitation so I can bring back Netscreen-like simplicity to the configuration, or barring that if someone conceptually can see a simpler way to do what I need to do.  Thanks.

srx web application where to start


Hi all

 

I have this idea but I am not sure where to start. I would like a webapp that takes the following: source IP, dest IP, applications, and scheduled expiry date, and generates the FW commands for me.

 

This would require the app to talk to my SRX, get the zones, get the applications and set the scheduler, and finally generate the commands as text for the operator to apply.

 

I know the SRX has a web page for this already, but for whatever reason at our place our SRX doesn't have the web page. We always SSH in and manipulate via the command line. And I am not sure where to start to develop such a tool.

 

Any advice/pointers you guys can provide would be greatly appreciated.

 

Thanks
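An added example (not the poster's tool or any Juniper code) of the generation step the post describes: it takes the source IP, destination IP, applications and expiry date and emits Junos `set` commands for a global address-book entry, a scheduler, and a permit policy bound to that scheduler. The zone lookup against the SRX is replaced by a caller-supplied prefix table, and it assumes the global address book is in use; inputs are validated before any command text is built.

```python
"""Generate Junos 'set' commands for a time-limited SRX security policy from
the inputs the post lists: source IP, destination IP, applications and an
expiry date.  Added example, not the poster's tool."""
import ipaddress
import re
from datetime import datetime

NAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")
JUNOS_DATE = "%Y-%m-%d.%H:%M"   # date format used by 'set schedulers scheduler'


def zone_lookup(table):
    """Build a zone_of(net) callable from {prefix: zone}.

    Stands in for the zone query against the SRX that the post describes;
    the first matching prefix wins, so list specific prefixes before 0/0.
    """
    nets = [(ipaddress.ip_network(p), z) for p, z in table.items()]

    def zone_of(net):
        for prefix, zone in nets:
            if net.version == prefix.version and net.subnet_of(prefix):
                return zone
        raise ValueError("no zone contains %s" % net)
    return zone_of


def _addr_name(net):
    """Address-book object name derived from the prefix, e.g. h_10.0.0.5_32."""
    return "h_%s_%d" % (net.network_address, net.prefixlen)


def _when(value):
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def build_policy_commands(policy_name, src, dst, applications, expiry, zone_of,
                          start=None):
    """Return the set commands for a permit policy that stops at `expiry`.

    Names are whitelisted so an operator cannot smuggle extra tokens into
    the generated configuration; addresses go through ipaddress.
    """
    if not NAME_RE.match(policy_name):
        raise ValueError("bad policy name: %r" % policy_name)
    if not applications or not all(NAME_RE.match(a) for a in applications):
        raise ValueError("applications must be a non-empty list of valid names")
    src_net = ipaddress.ip_network(src, strict=False)
    dst_net = ipaddress.ip_network(dst, strict=False)
    start_dt = _when(start) if start else datetime.now()
    expiry_dt = _when(expiry)
    if expiry_dt <= start_dt:
        raise ValueError("expiry must be later than the start time")
    sched = "sched_" + policy_name
    base = "set security policies from-zone %s to-zone %s policy %s" % (
        zone_of(src_net), zone_of(dst_net), policy_name)
    cmds = [
        "set security address-book global address %s %s" % (_addr_name(src_net), src_net),
        "set security address-book global address %s %s" % (_addr_name(dst_net), dst_net),
        "set schedulers scheduler %s start-date %s stop-date %s" % (
            sched, start_dt.strftime(JUNOS_DATE), expiry_dt.strftime(JUNOS_DATE)),
        "%s match source-address %s" % (base, _addr_name(src_net)),
        "%s match destination-address %s" % (base, _addr_name(dst_net)),
    ]
    cmds += ["%s match application %s" % (base, app) for app in applications]
    cmds.append("%s then permit" % base)
    cmds.append("%s scheduler-name %s" % (base, sched))
    return cmds
```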

address/address-set under nat destination


Hi everybody.

I'm struggling to understand what is wrong with my conf.

I'm configuring a NAT destination rule:

set security nat destination rule-set PFW-RASPI rule PFW-8080 match source-address-name ASET-YOTI-OFFICE

but when I commit:

root@SRX210# commit
[edit security nat destination rule-set PFW-RASPI rule PFW-8080 match]
'source-address-name ASET-YOTI-OFFICE'
Can not find address/address-set(ASET-YOTI-OFFICE) in default global address book
error: configuration check-out failed

However I have that address book configured

root@SRX210# show | display set | match ASET-YOTI-OFFICE
set security address-book YOTI-OFFICE address-set ASET-YOTI-OFFICE address YOTI-1
set security address-book YOTI-OFFICE address-set ASET-YOTI-OFFICE address YOTI-2

 

Question 1: What is the reason for that error?

Question 2: Why does JunOS give the option to restrict access to a range of IPs under NAT as well as under the security policy for that NAT rule? What is the difference?

Thanks

SRX doesn't resolve internet domain names


I don't know why, but apparently my SRX can't resolve internet domain names, for example www.juniper.net
I realized this because I created a policy to block some internet pages, but this policy never worked; I had to modify this policy and aggregate the IPv4 of the destination page, so I assume that my policy doesn't work because my SRX is not resolving domain names.

 

If I ping an internet IP via CLI (for example google DNS 8.8.8.8) the response is correct, but if I ping an internet page (for example www.juniper.net) this is what appears:

 

ping: cannot resolve www.juniper.net: Host name lookup failure

 

this is my configuration for DNS:

name-server {
    8.8.8.8;
    8.8.4.4;
    208.67.222.222;
    208.67.220.220;
}
name-resolution {
    no-resolve-on-input;
}

Do you know what I could be doing wrong? I'm sorry if the answer is too dumb, but I'm still a newbie on the SRX...

 


How often are domain names updated in address book?


I've noticed that the SRX allows domain names to be added to the address book, as follows:

 

security-zone untrust {
    address-book {
        address SomeHost {
            dns-name example.com;
        }
    }
}

 

But how often will the Juniper device check which IP the domain resolves to? I.e. if example.com changes the IP that it resolves to how long before the Juniper device notices?

 

What I'm trying to do is create a rule so that some staff can access our network from home. They don't have static IP addresses but they do have dynamic DNS, like the no-ip.com service, where they get a domain name which follows their IP.

IPsec Phase II SA active but not Phase I SA


Hi, I am baffled by what I see here. An SRX-650 (running 12.1X46-D40.2) has an IPsec tunnel to a remote gateway; the IPsec SA is active and traffic is flowing fine, but I don't see anything in the IKE phase I security associations. It has always been my understanding that the IPsec SA comes after the IKE phase one SA, so how can an IPsec SA exist without a corresponding IKE phase one SA to the same gateway?!!

 

root# run show security ipsec security-associations vpn-name VPN-ATL
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<211812365 ESP:aes-cbc-256/sha1 8a6377a1 1560/ 4607445 - root 500 63.92.6.156
>211812365 ESP:aes-cbc-256/sha1 ef95ca4c 1560/ 4607445 - root 500 63.92.6.156

[edit]
root# run show security ike security-associations 63.92.6.156 detail <= No IKE SA

[edit]

SRX300 and dynamic VPN not supported


I was setting up a dynamic VPN on the new SRX300 running JunOS 15.x code and was getting authentication errors, and was told by tech support that it's not supported. Anyone have a different experience?

juniper srx SSL cert update


Hello,

 

I would like to update my self-signed certificate. What I did:

 

request security pki generate-key-pair certificate-id test-gw-2016 size 2048
request security pki generate-certificate-request certificate-id test-gw-2016 domain-name example.net subject CN=test-gw.example.net

Then I generate the cert on my CA and copy it to the device:

request security pki local-certificate load certificate-id test-gw-2016 filename /config/test-gw.cer
Local certificate loaded successfully

Create CA profile and load ca cert:

set security pki ca-profile test1-ca ca-identity test1-CA
set security pki ca-profile test1-ca revocation-check disable
set security pki ca-profile test1-ca revocation-check crl disable on-download-failure

request security pki ca-certificate load filename test1CA.cer ca-profile test1-ca
Local certificate loaded successfully

But when I try to configure web management I cannot choose the new cert:

set system services web-management https pki-local-certificate ?
Possible completions:
  <pki-local-certificate>  X.509 certificate to use (from PKI local store)
[edit]

What did I miss to do?

JUNOS Software Release [12.1X44-D40.2]

Thanks.

 

Firewall conversion


Hello, I want to know if it is possible to convert our Firewall ASA 5540 configuration file to a Juniper SRX 5400. If so, how is the conversion done?

As part of this move, the SRX 5400 firewalls need to be reprogrammed the same way as the ASA. Could you please advise on a way to ease this process and make it easy and smooth?

 

Thanks,
