Hi there,

I need to set up a new subnet because I am being out of IP address.

Now we use 10.196.24.X network with 255.255.255.0 subnet mask, gateway 10.196.24.1.

I need to set up a new range like this: 10.196.25.X but pointing to the same gateway (10.196.24.1).

I want to activate the DHCP pool from 10.196.25.10 ~ 10.196.25.240

How can I do that? I am very new on Juniper devices.If possible please tell me how to do that using the J-web interface, if not possible, please send me the commands.

I have a SRX220H2 with JUNOS Software Release 12.1X44-D15.5.

How to block a nested application but leave the main page available ??

can this be done by using AppFW + IDP policy ???

is it a must in GVPN that all member must use the same key to communicate ?? or i can define different IPSEC SA to different match-policy ????

For example i have 3 members A & B & C , i want A & B to use a key different than they between A & C ?? is it possible ?

Hello,

I have put my SRX100 into DMZ of my home router and I am unable to ssh to it from the Internet.

As a test I put my PC with FTP server to the same DMZ(same physical port, same cable) and I am able to access FTP on that PC from my phone(external network).
as another test I set up FTP server on SRX, but that FTP server was unreachable.

Currently it looks like PC in DMZ of a home router is working, and SRX is not(ssh nor ftp).

I would appreciate some help here.

Please look at my config:

SRX_100_H2> show interfaces fe-0/0/1 terse
Interface               Admin Link Proto    Local                 Remote
fe-0/0/1                up    up
fe-0/0/1.0              up    up   inet     192.168.1.177/24

z@SRX_100_H2> show configuration
## Last commit: 2017-05-26 21:56:01 CEST by mateusz
version 12.3X48-D40.5;
system {
    host-name SRX_100_H2;

    authentication-order [ tacplus radius password ];
    root-authentication {

            }
        }
    }
    services {
        ftp;
        ssh {
            protocol-version v2;
        }
    }
}
security {
    policies {
        from-zone untrust to-zone untrust {
            policy POLICY {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    ssh;
                    ftp;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                fe-0/0/1.0;
            }
        }
    }
}
interfaces {
    fe-0/0/0 {
        description "PC connection";
        unit 0 {
            family inet {
                address 10.1.1.1/24;
            }
        }
    }
    fe-0/0/1 {
        description DMZ;
        unit 0 {
            family inet {
                address 192.168.1.177/24;
            }
        }
    }
    fe-0/0/7 {
        description "EX-2200 switch connection";
        unit 0 {
            family inet {
                address 10.1.10.1/30;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 192.168.1.1;
    }
}
protocols {
    ospf {
        area 0.0.0.0 {
            interface fe-0/0/7.0;
            interface fe-0/0/0.0 {
                passive;
            }
        }
    }
}

@SRX_100_H2> ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=46 time=29.848 ms
64 bytes from 8.8.8.8: icmp_seq=1 ttl=46 time=36.833 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=46 time=28.872 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 28.872/31.851/36.833/3.545 ms

ping towards Google is working,

there has to be something Im doing wrong here

Cheers

SRX 220, about 2 years old.  Yesterday we lost all routing.  A quick check revealed the unit reset itself to factory defaults.  Logging in to the web GUI using factory-default IP (192.168.1.1) brought up the setup wizard.  

In normal operation it has dual boot partition and a rescue config.  Unit never lost power.  It just spontaneously reset itself as if someone had pressed and held the Reset button.  (nobody did, device is in a secure location)  And ALL config was lost, including rescue config and autorecovery state.

I ran through the wizard setup just to get to a point where I could upload the previous good config (we keep archives) and also set it as the rescue.  Had to re-save the autorecovery state (request system autorecovery state save) because it had also been lost when this unit borked itself. 

For good measure, I did a graceful power-off and reboot.  Router came up in good config, so we were back in business.

15 hours later the same thing happened again.

Unit did NOT lose power because uptime is over 15 hours-- when I rebooted it after the last config loss.

I ran nand-mediack and fsck.  Neither returned any errors.

Ideas?

Hi all,

I have a feeling that this might not be supported, but I would like to confirm this in case I am missing something

Basically we would like to enable the ethernet-switching family on the VDSL2 interface on an SRX320 running JunOS v15.1. This VDSL2 line will be used as a backup, but it needs to share the same L2 domain as the builtin Ethernet ports.

After enabling switching mode, the ethernet-switching family can be enabled on the GigaEthernet ports, but this option does not seem to be available on the VDSL2 interface:

set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan100

root@SRX320-VDSL# set interfaces pt-1/0/0 unit 0 family ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> inet IPv4 parameters
> inet6 IPv6 protocol parameters
> iso OSI ISO protocol parameters
> mlfr-end-to-end Multilink Frame Relay end-to-end protocol parameters
> mlfr-uni-nni Multilink Frame Relay UNI NNI protocol parameters
> mlppp Multilink PPP protocol parameters
> mpls MPLS protocol parameters

The link below makes me thing that only builtin ports support that mode, but it does not talk about the SRX320:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB15455&actp=METADATA

Anybody knows if this mode is/might be supported on those interfaces? If not, any ideas about how it could be implemented using different encapsulations? We are looking at converting the SRX320 into a VDSL2 bridge basically

Any ideas/comments will be more than welcome,

Kind regards,

C

Hi all,

Is there anyone facing the error as per below when do commit in SRX5800 chassis cluster using LSYS. I'm already have open case with L3 Support but until now engineering team cannot duplicate the error on their lab.

test@SRX5800# commit and-quit
node0:
configuration check succeeds
node1:
warning: ignoring noise in patch:
        application [ TCP-4118 TCP-4120 TCP-4122 ];
/tmp/juniper-47863.patch:50) syntax error
warning: Load error seen when propagating changes into LR database
commit complete
[edit logical-systems LSYS-01 security policies from-zone vFW3 to-zone Server policy 13 match]
  'source-address 192.168.30.0/24'
    warning: statement does not exist
[edit logical-systems LSYS-01 security policies from-zone vFW3 to-zone Server policy 13 match]
  'source-address 192.168.40.0/24'
    warning: statement does not exist
[edit logical-systems LSYS-01 security policies from-zone vFW3 to-zone Server policy 13 match]
  'source-address Global-222'
    warning: statement does not exist
[edit logical-systems LSYS-01 security policies from-zone vFW3 to-zone Server policy 13 match]
  'source-address Global-221'
    warning: statement does not exist
[edit logical-systems LSYS-01 security policies from-zone vFW3 to-zone Server policy 13 match]
  'source-address 172.10.10.0/24'
    warning: statement does not exist
[edit logical-systems LSYS-01 security policies from-zone vFW3 to-zone Server policy 13 match]
  'source-address 172.10.11.0/24'
    warning: statement does not exist
[edit logical-systems LSYS-01 security policies from-zone vFW3 to-zone Server policy 13 match]
  'source-address 172.10.12.0/24'
    warning: statement does not exist
[edit logical-systems LSYS-01 security policies from-zone vFW3 to-zone Server policy 13 match]
  'source-address 172.10.13.74'
    warning: statement does not exist
error: statement not found: destination-address
warning: ignoring noise in patch:
        application [ TCP-4118 TCP-4120 TCP-4122 ];
warning: Load error seen when propagating changes into LR database
node0:
commit complete

Hi all,

Is there any command that make the cluster on node 1 back to normal after i delete the monitoring interface? Below is the log. Previously interface xe-23/2/4 was in reth2 but now i'm delete entire configuration reth2 and physical interface with chassis cluster monitoring then commit. But now cluster break due to monitoring. Any one know the command without reboot the node 1. Thanks and appreciate someone help.

{primary:node0}
test@srx5800> show chassis cluster status
Monitor Failure codes:
    CS  Cold Sync monitoring        FL  Fabric Connection monitoring
    GR  GRES monitoring             HW  Hardware monitoring
    IF  Interface monitoring        IP  IP monitoring
    LB  Loopback monitoring         MB  Mbuf monitoring
    NH  Nexthop monitoring          NP  NPC monitoring
    SP  SPU monitoring              SM  Schedule monitoring
    CF  Config Sync monitoring

Cluster ID: 1
Node   Priority Status         Preempt Manual   Monitor-failures

Redundancy group: 0 , Failover count: 1
node0  129      primary        no      no       None
node1  128      secondary      no      no       None

Redundancy group: 1 , Failover count: 29
node0  129      primary        no      no       None
node1  0        secondary      no      no       IF


{primary:node0}
test@srx5800> show chassis cluster information | no-more
node0:
--------------------------------------------------------------------------
Redundancy Group Information:

    Redundancy Group 0 , Current State: primary, Weight: 255

        Time            From           To             Reason
        Apr  4 11:19:48 hold           secondary      Hold timer expired
        Apr  4 11:20:23 secondary      primary        Better priority (1/1)

    Redundancy Group 1 , Current State: primary, Weight: 255

        Time            From           To             Reason
        Feb 14 02:37:25 primary        secondary-hold Monitor failed: IF
        Feb 14 02:37:26 secondary-hold secondary      Ready to become secondary
        Feb 14 02:41:11 secondary      primary        Remote yield (129/0)
        Jun  1 02:25:48 primary        secondary-hold Monitor failed: IF
        Jun  1 02:25:49 secondary-hold secondary      Ready to become secondary
        Jun  1 03:02:05 secondary      primary        Remote is in secondary hold

Chassis cluster LED information:
    Current LED color: Green
    Last LED change reason: No failures

node1:
--------------------------------------------------------------------------
Redundancy Group Information:

    Redundancy Group 0 , Current State: secondary, Weight: 255

        Time            From           To             Reason
        Apr  4 11:20:27 hold           secondary      Hold timer expired

    Redundancy Group 1 , Current State: secondary, Weight: 0

        Time            From           To             Reason
        Feb 14 02:37:25 secondary      primary        Remote is in secondary hold
        Feb 14 02:41:12 primary        secondary-hold Monitor failed: IF
        Feb 14 02:41:13 secondary-hold secondary      Ready to become secondary
        Jun  1 02:25:47 secondary      primary        Remote yield (128/0)
        Jun  1 03:02:05 primary        secondary-hold Monitor failed: IF
        Jun  1 03:02:06 secondary-hold secondary      Ready to become secondary

Chassis cluster LED information:
    Current LED color: Amber
    Last LED change reason: Monitored objects are down

Failure Information:

    Interface Monitoring Failure Information:
        Redundancy Group 1, Monitoring status: Failed
          Interface                 Status
          xe-23/2/4                 Down


{primary:node0}
test@srx5800> show configuration chassis cluster
control-link-recovery;
reth-count 2;
control-ports {
    fpc 1 port 0;
    fpc 13 port 0;
}
network-management {
    cluster-master;
}
redundancy-group 0 {
    node 0 priority 129;
    node 1 priority 128;
}
redundancy-group 1 {
    node 0 priority 129;
    node 1 priority 128;
    interface-monitor {
        ge-10/1/1 weight 255;
        ge-22/1/1 weight 255;
        ge-11/1/1 weight 255;
        ge-23/1/1 weight 255;
    }
}

Dears,

I have SRX320 with JSB version, and I want to use some MPLS functionality. Can I upgrade or install JSE on the same HW?

or the SW is one time installation?

Hi everyone!

I would like to ask for some help. We are trying to put together 2 SRX240 firewalls in a cluster with a Cisco switch between them and with LACP between them on the reth interfaces. 

The control and the fabric link won't work through the switch only when we connect them together. The management link works fine through the switch. Also the LACP wont aggregate, there's no connection between the two firewalls through these links.

Here is the config from the SRXs and the switch:

set groups node0 interfaces fxp0 unit 0 family inet address 10.X.Y.2/24
set groups node1 interfaces fxp0 unit 0 family inet address 10.X.Y.3/24


set chassis cluster reth-count 1
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/14 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/15 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/15 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/14 weight 255

set security zones security-zone MGMT host-inbound-traffic system-services ping
set security zones security-zone MGMT host-inbound-traffic protocols all
set security zones security-zone MGMT interfaces reth1.100
set security zones security-zone MGMT interfaces reth1.104
set security zones security-zone MGMT interfaces reth1.108
set security zones security-zone MGMT interfaces reth1.254

set interfaces ge-0/0/14 gigether-options redundant-parent reth1
set interfaces ge-0/0/15 gigether-options redundant-parent reth1
set interfaces ge-5/0/14 gigether-options redundant-parent reth1
set interfaces ge-5/0/15 gigether-options redundant-parent reth1
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-5/0/2

set interfaces reth1 vlan-tagging
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options minimum-links 1
set interfaces reth1 redundant-ether-options lacp passive
set interfaces reth1 redundant-ether-options lacp periodic slow

set interfaces reth1 unit 100 vlan-id 100
set interfaces reth1 unit 100 family inet address 10.X.Y.1/24
set interfaces reth1 unit 104 vlan-id 104
set interfaces reth1 unit 104 family inet address 10.X.Y.1/22
set interfaces reth1 unit 108 vlan-id 108
set interfaces reth1 unit 108 family inet address 10.X.Y.1/23
set interfaces reth1 unit 254 vlan-id 254
set interfaces reth1 unit 254 family inet address 10.X.Y.1/24

vlan 100
 name MGMT
vlan 104
 name whatever
vlan 108
 name whatever108
vlan 33 
 name control
vlan 34
 name fabric
vlan 254
 name vlan254


interface Port-channel10
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,104,108,254
 switchport mode trunk
!
interface Port-channel20
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,104,108,254
 switchport mode trunk
!
interface GigabitEthernet0/1
 switchport access vlan 100
 switchport mode access
!
interface GigabitEthernet0/2
 switchport access vlan 33
 switchport mode access
!
interface GigabitEthernet0/3
 switchport access vlan 34
 switchport mode access
!

interface GigabitEthernet0/13
 switchport access vlan 100
 switchport mode access
!
interface GigabitEthernet0/14
 switchport access vlan 33
 switchport mode access
!
interface GigabitEthernet0/15
 switchport access vlan 34
 switchport mode access

interface GigabitEthernet0/37
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,104,108,254
 switchport mode trunk
 channel-group 10 mode active
!
interface GigabitEthernet0/38
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,104,108,254
 switchport mode trunk
 channel-group 10 mode active
!

interface GigabitEthernet0/47
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,104,108,254
 switchport mode trunk
 channel-group 20 mode active
!
interface GigabitEthernet0/48
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,104,108,254
 switchport mode trunk
 channel-group 20 mode active
!

interface Vlan100
 ip address 10.X.Y.50 255.255.255.0
!
ip default-gateway 10.X.Y.1

And here is how the devices are connected together:

Juniper SRX 240 primary side:


SRX -> Cisco SW
ge-0/0/0 -> GigabitEthernet0/1 (mgmt)
ge-0/0/1 -> GigabitEthernet0/2 (control)
ge-0/0/2 -> GigabitEthernet0/3 (fabric)
ge-0/0/14 -> GigabitEthernet0/37 (lacp)
ge/0/0/15 -> GigabitEthernet0/38 (lacp)

Juniper SRX 240 secondary:

ge-0/0/0 -> GigabitEthernet0/13 (mgmt)
ge-0/0/1 -> GigabitEthernet0/14 (control)
ge-0/0/2 -> GigabitEthernet0/15 (fabric)
ge-0/0/14 -> GigabitEthernet0/47 (lacp)
ge/0/0/15 -> GigabitEthernet0/48 (lacp)

So what am I missing? The fabric and control links are not supposed to be access ports but rather trunk ports?

I'd appriciate any help and thanks for your help in advance.

Best regards,

Tihi

i have done the configuration for dyanmic vpn on srx 650 and able to connect the user to private network.

how can i restrict a user to get the same  ip address each time he connects from the pool. 

regards

i have a confusion regarding IP-actions which stop future attacks with matching attributes...

why do i need to use it when the IDP policy itself stop the attack and record the target source address ???

Hi

My internet bandwidth is 30 Mbps.

I have the policer configured  to limit upload  and download bandwidth to 2 Mbps to  certain user groups.

My LAN is  connected  to  ge-0/0/0  and  WAN  is connected  to ge-0/0/2 interfaces.

The folowing  is my policer  and  filter configured.

set policy-options prefix-list 2mb_group 192.168.1.211/32
set policy-options prefix-list 2mb_group 192.168.1.213/32
set policy-options prefix-list 2mb_group 192.168.1.218/32

set firewall policer limit_2mbps if-exceeding bandwidth-limit 2m
set firewall policer limit_2mbps if-exceeding burst-size-limit 62k
set firewall policer limit_2mbps then discard 

Filter for upload traffic

set firewall filter input-limit term 1 from source-prefix-list 2mb_group
set firewall filter input-limit term 1 then policer limit_2mbps
set firewall filter input-limit term 1 then accept
set firewall filter input-limit term last then accept

Filter for download tarffic

set firewall filter output-limit term 1 from destination-prefix-list 2mb_group
set firewall filter output-limit term 1 then policer limit_2mbps
set firewall filter output-limit term 1 then accept
set firewall filter output-limit term last then accept

Upload Filter applied on Input direction in LAN interface

set interfaces ge-0/0/0 unit 0 description Local-LAN
set interfaces ge-0/0/0 unit 0 family inet filter input input-limit
set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1/24

Download Filter applied on Input direction in WAN interface

set interfaces ge-0/0/2 unit 0 description "WAN"
set interfaces ge-0/0/2 unit 0 family inet filter input output-limit
set interfaces ge-0/0/2 unit 0 family inet address 111.139.102.80/30

Am able to suceed for the upload limit (nearing 2 mbps) but could not control the download limit. Am getting the full bandwidth.

If i applied the download filter in the output direction on LAN interface, then am getting very low download less than 128kbps..

Let me have your suggestion to fine tune the errors.

Regards,

AN

For my private office I needed to radically improve my security capabilities, hence the introduction of an SRX300.

I am trying to get basic functionality sorted before expanding my use of VPNs and introducing vSRX to my remote environments. As a non-Juniper non-network administrator person, my approach has been to try and get a basic configuration using J-Web, and then to modify that to achieve my goals - hence my switch to D-90.7, which is actually capable of generating a configuration through J-Web that is valid and accepted.

I have two main problems right now.

• A device that expects encrypted multicast IPv4 packets, 802.1P priority 0 and 802.1Q VLAN ID tagged 101. The 802.1 related information is not being passed through the SRX300, although the Meraki switch (in default ex factory mode) does pass this information through when connected to the ISP supplied router, so I'm reasonably confident that the problem is SRX300 related, not switch related.
• A number of devices that have ethernet connectivity, and need to be able to access the internet, that I perceive as "risky", in the way that virtually all IOT devices are risky. Mostly my secure devices communicate with them through non-ethernet interfaces (usually HDMI 2), although there are some grey areas (Sony AV equipment and Sony computers talk to each other in so many ways).

The SRX300 is in Ethernet switching mode. I have a default VLAN and irb configured.

Ideally, I would like to attach the multicast device to a separate port on the SRX, in a zone of its own, and not worry about it. I'm not sure how to set up a static route that would work, that passes through the 802.1 info unchanged from the remote site. So that everything else is isolated from it.

I'd like to put the questionably insecure devices into isolation, from which they can go out to the internet but not elsewhere, but I'd prefer to retain the present "casting" capability.

However, there are updates which are pushed to these devices, to add to the difficulties. I imagine I can whitelist who is doing the pushing.

I'd be extremely grateful for some pointers to help with making these configuration changes. What is obvious to networking engineers isn't always obvious to me.

Incidentally, anybody in Britain should be aware that Open Reach FTTC cabinets are now mostly capable of handling Baby Jumbo and Jumbo frames (<9000), although I haven't tried anything at the larger end of the scale.

why there is the option digest in the command : request security PKI generate-certificate-request <Digest> ??????

my point is the CA is one who should make the digest and then sign it with its private key, why i specify the Hash algorithm and make the digest ?

We are getting error at login time: /usr/libexec/ld-elf.so.1: Cannot open "/usr/lib/libjunoscript.so.1”

can't login from console also, what is the reason? anybody help me to restore the issue.

The platform is SRX1500.

Hi all,

My physical topology as per below. My question does all the devices before it can reach SRX5800 need to configure something static arp also same as SRX config below?

Porta-Web-Voice (virtual mac 03:00:60:0d:f0:0d ) ----> (Trunk) Cisco Switch ----> (Trunk) Cisco Switch --> (Trunk) Huwaei Switch ---> (Trunk) SRX5800

set logical-systems LSYS-1 interfaces reth0 unit 79 family inet address 7.7.7.1/26 arp 7.7.7.10 multicast-mac 03:00:60:0d:f0:0d

Thanks and appreciate any feedback.

I was wondering if it were possible to create a custom "destination-port" for use in the [firewall] filter

Then create a "protocol set"

I want it to be similar to the Cisco ASA ACL using custom objects and object groups. Can this only be done using security policies?

I know how to create custom applications for use in [security policies]

What I mean exactly, is there a way to add to the port list in the firewall filter statements?

@srx# set firewall filter allow_AD_445 term 1 from destination-port ?
Possible completions:
  <range>              Range of values
  [                    Open a set of values
  afs                  AFS
  bgp                  Border Gateway Protocol
  biff                 Biff/Comsat

Is it safe to enable chassis cluster fabric monitoring on production firewalls with no impact to service?

would someone please explain to me this Note : why would the initial response be authenticated by the CA-Certificate