Channel: SRX Services Gateway topics

"web-authentication https" not supported on SRX300 running 15.1X49-D70.3?


me@co-firewall# show interfaces ge-0/0/5 unit 0 family inet address aa.bb.cc.dd/29    
##
## Warning: statement ignored: unsupported platform (srx300)
##
web-authentication https;
[edit]
me@co-firewall# run show version
Hostname: co-firewall
Model: srx300
Junos: 15.1X49-D70.3
JUNOS Software Release [15.1X49-D70.3]

 

I am sure this feature was working before I upgraded to 15.1X49-D70.3 from 15.1X49-D45.

 

 

This page says it should be supported:

https://www.juniper.net/techpubs/en_US/junos/topics/reference/configuration-statement/interfaces-edit-web-authentication.html

 

Did I miss something? Thanks.

 

 


Source NAT Translation


I configured source NAT translation and it's not getting hits. I changed the order of the rules and the issue still exists. I have destination NAT configured and it received hits. Any tips on troubleshooting the source NAT? This translation is on an SRX between two servers.

NCP Client for Juniper - Client-to-Site

Trouble with IPsec phase 1. SRX-220


Good day.

I have an issue with phase 1 of IPsec.

I have a stand of 2 Junipers on my table. I use public IPs so that it all looks like reality.

So I have log messages like this:

 

Mar 14 07:57:26  Node_0_Bottom kmd[1342]: IKE negotiation failed with error: No proposal chosen. IKE Version: 1, VPN: VPN_J-2-J Gateway: IKE_Gate, Local: 212.48.226.94/500, Remote: 212.48.226.93/500, Local IKE-ID: Not-Available, Remote IKE-ID: Not-Available, VR-ID: 0

 

I've attached the config.

 

I've tried:

changing all parameters of the IKE proposal

changing the password

changing the zone (now all interfaces are in the trust zone and everything is permitted for tests)

and so on.

 

 

SRX1400 monitoring IPsec error


Good day!

When I view active tunnels, I get an error:

 

show security ipsec security-associations         
node1:
--------------------------------------------------------------------------
  Total active tunnels: 5
error: Not all IKE instances responded to management request.

Does anyone know the solution?

SRX 3600 Packet mode


Hello,

We have an SRX3600 firewall. We want to use it in packet mode, but as far as I can see the SRX3k series does not support packet mode.

Our main problem is UDP. There is no UDP screen option except thresholding. We have our own firewall mechanism for UDP after our router. But if we use the SRX as a router, when it faces millions of spoofed UDP connections and the screen threshold is disabled for UDP, it fills up the maximum session capacity. We do not want to let it create sessions for UDP, or we want to limit the number of UDP sessions.

How should we overcome this issue?

Advanced NAT question.


Hi,

I need to accept an inbound connection on a known port (TCP 6500) via ISP1, then change the source and destination IP fields to be link-local on the other side of the SRX. This is needed to override the static route on the server on ISP2, so that proper flow sanity can be maintained. I am unable to easily change the routing on the server, and the server is unable to use the SRX for anything other than link-local addresses (unable to use the SRX in any way other than link-local). The inbound connections have unknown source and destination IP addresses; the only things that are known are the destination port and the interface. Below is a simplified diagram.

Any assistance would be wonderful.

Thanks,

 

 

NAT.PNG

Destination Nat


I'm trying to do a destination NAT from a server to an internal server with the following configuration. The incoming server can ping the interface or gateway of the internal server but cannot ping the internal server IP. Below are the configuration, routes and security policies. Also, the output of the destination NAT shows no translation hits. Any tip on this?

destination {
    pool dnat-pool-1 {
        address 10.20.X.20/32;
    }
    rule-set dst-nat-B_LAN {
        from zone B_LAN;
        rule rule-2 {
            match {
                destination-address 10.X.X.56/32;
                destination-port 6004;
            }
            then {
                destination-nat pool dnat-pool-1;
            }
        }
    }
}
proxy-arp {
    interface ge-0/0/10.0 {
        address {
            10.X.X.56/32 to 10.X.X.56/32;
        }
    }
}


Security Policy

policy dst-nat-B_LAN {
    match {
        source-address 10.X.X.56;
        destination-address 10.20.X.20;
        application TCP-6004;
    }
    then {
        permit;
        log {
            session-init;
        }
    }
}

Static routes

route 10.X.X.56/32 {
    next-hop 10.20.X.1;
    preference 20;
}

root@FW_Cluster> show security nat destination rule all
node0:
--------------------------------------------------------------------------
Total destination-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 1/0

Destination NAT rule: rule-2 Rule-set: dst-nat-B_LAN
Rule-Id : 1
Rule position : 1
From zone : B_LAN
Destination addresses : 10.X.X.56 - 10.X.X.56

Destination port : 6004
Action : dnat-pool-1
Translation hits : 0

difference between using policer and forwarding class in firewall filters


Hello, I'm a newbie at using bandwidth limiters. I've been doing some tests with policers and forwarding classes in firewall filters. I see that both can restrict bandwidth, but I don't see exactly what the difference between them is, or which is better.

Can you explain to me in which situations I must use each one, please?

Connecting 2 HA Chassis Clusters Together


I would like to connect 2 High Availability Chassis Clusters in two locations (so 4 total) to be fully redundant at both locations as well as the link between them so each SRX is accessible from both SRX's at the remote site in the event of a failure of 1 SRX.  The sites are connected by fibre but there is a limit to how much I can use.  I essentially have 4 fibres but can only use 1 wavelength on each.

 

I want to be able to have active/standby mode for all the ports except the interfaces between the clusters, which will need to be able to carry traffic on both the active/standby boxes at the same time because a failure at the remote site can't be detected.  See attached diagram.  I would want to be able to send data down both ports between clusters so it arrives at whichever one is active on the other end without knowledge of which that is.

 

So if C failed and A was active on the left cluster, traffic from A would still reach D.

Source NAT with multiple IP addresses on an interface


Hello all,

 

I have an SRX300 with multiple IP addresses on interface ge-0/0/0 unit 0.

I have source NAT configured to use the interface address.

I know I can make a source NAT pool to determine what IP is used for source NAT.

But if I let the interface decide, it uses 1.1.1.1 in my example. What rule is applied?

Is it always the lowest IP?


ge-0/0/0 {
    unit 0 {
        family inet {
            mtu 1492;
            address 1.1.1.1/29;
            address 1.1.1.2/29;
            address 1.1.1.3/29;
        }
    }
}

 

rule-set Ruleset1 {
    from zone Trust;
    to zone Untrust;
    rule Rule-1 {
        match {
            source-address 192.168.0.0/24;
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat {
                interface;
            }
        }
    }
}

Regards,

 

Robbert

Aggregation on SRX550 in-built ports


Hi,

 

Does anyone know if it is possible to aggregate two of the in-built ports on an SRX550?

 

Thanks

SRX100 Routing Platform

Sending Traffic by different providers


Hello

 

I need some help with a problem I had with a client. He has two ISPs connected to his current firewall, a Linux firewall. He told me that this FW receives all the traffic from the network, but when an end user wants to see a governmental web page, the FW sends the traffic via ISP 1, and when someone wants to see a different web page, it sends the traffic via ISP 2.

Could the SRX do the same? Or what would be the solution for this?

 

Thank you very much for your help

SRX240H2 Inter-Vlan Traffic Deny Logging


Hello,

 

I have 3 VLANs in my policies and zones, and I have the following in my configuration, which is set up for anything inbound from the internet and any inter-VLAN traffic, with deny and log for both session-init and session-close. Because the default action for inter-VLAN traffic is to deny unless trunking is set up, will it not log as written below? I do not see anything in the logs, unless I am looking in the wrong place: Monitoring->Security->Policy->Activities and then using the Policy Context filter?

 

from-zone Internet to-zone Home {
    policy internet-home {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            deny;
            log {
                session-init;
                session-close;
            }
        }
    }
}


ipsec nonces


What are the uses of nonces and cookies in IPsec?

How many routing-instance a SRX can support?


Hi ALL,

We are deploying a lot of routing instances in a multi-client environment, but we are worried about the capacity of the SRX-1400.

I would like to know how many routing instances an SRX-1400 (and, if possible, other SRX models) can support.

Can someone help me?

Thanks a lot.

João Victor

 

SRX300 - DHCP and IP phone


I have an SRX300 with DHCP configured. When I connect my laptop to the SRX, it happily receives an IP address with all the options I have associated with the config. If I connect an IP phone, it will not get an address. I have tried this with 2 different phones from 2 different manufacturers with the same result. The same phones connected to a different network and router receive an IP address.

Dynamic VPN setup


Hi,

 

I am trying to create a dynamic VPN connection to my office, but everything fails. Can someone guide me through the configuration?

 

My setup:

client1: Windows 10 with Pulse Secure from the Windows Store; go to Settings -> Network and Internet -> VPN -> Add a VPN connection -> VPN provider: Pulse Secure. The strange thing is that I cannot edit the user and password fields.

 

Juniper configuration:

Model: srx240h
JUNOS Software Release [12.1X46-D65.4]

set access profile dyn-vpn-access-profile client client1 firewall-user password "$ABC123"
set access profile dyn-vpn-access-profile client client2 firewall-user password "$ABC123"
set access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-address-pool
set access address-assignment pool dyn-vpn-address-pool family inet network 10.10.10.0/24
set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns 8.8.8.8
set access firewall-authentication web-authentication default-profile dyn-vpn-access-profile


set security ike policy ike-dyn-vpn-policy mode aggressive
set security ike policy ike-dyn-vpn-policy proposal-set standard
set security ike policy ike-dyn-vpn-policy pre-shared-key ascii-text "$ABC123"
set security ike gateway dyn-vpn-local-gw ike-policy ike-dyn-vpn-policy
set security ike gateway dyn-vpn-local-gw dynamic hostname dynvpn
set security ike gateway dyn-vpn-local-gw dynamic connections-limit 10
set security ike gateway dyn-vpn-local-gw dynamic ike-user-type group-ike-id
set security ike gateway dyn-vpn-local-gw external-interface ge-0/0/4
set security ike gateway dyn-vpn-local-gw xauth access-profile dyn-vpn-access-profile
set security ipsec policy ipsec-dyn-vpn-policy proposal-set standard
set security ipsec vpn dyn-vpn ike gateway dyn-vpn-local-gw
set security ipsec vpn dyn-vpn ike ipsec-policy ipsec-dyn-vpn-policy
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match source-address any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match destination-address any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy match application any
set security policies from-zone untrust to-zone trust policy dyn-vpn-policy then permit tunnel ipsec-vpn dyn-vpn


set security dynamic-vpn access-profile dyn-vpn-access-profile
set security dynamic-vpn clients all remote-protected-resources 10.0.0.0/8
set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients all ipsec-vpn dyn-vpn
set security dynamic-vpn clients all user client1
set security dynamic-vpn clients all user client2

And the client/Windows error is:

Protocol error in received messages.

HTTPS configuration

set system services web-management https pki-local-certificate cert1

cert1 is the self-signed certificate, which I imported into the Windows Trusted CA store.

Appreciate your help

 

--

Dan

SRX300 basic setup


Hi.

I am new to the Juniper SRX300 and I am trying to set up this scenario: 1.PNG


I want them to ping each other, but I don't know what I am doing wrong.

 

Help please?

 

Here is some of the configuration on the SRX:
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.1.2/32;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan0;
                }
            }
        }
    }
}

 

Thank you.
