Channel: SRX Services Gateway topics

Digital Certificate exchange


Good evening,

I would like to check my understanding of PKI:

1. If we have two hosts (Host A and Host B) under the same CA, what will happen is:

Each host will receive a local certificate and the CA certificate from the CA.

Host A will receive the local certificate from Host B and will use the CA certificate to validate it?

2. If we have two hosts under different CAs (CA-sales, CA-marketing), but of course the two CAs are under a common root CA, what will happen is:

- Host A will receive a local certificate and a CA certificate from CA-sales, and also receive a CA certificate from the root CA.

- Host B will receive a local certificate and a CA certificate from CA-marketing, and also receive a CA certificate from the root CA.

- Host A will send the local certificate and the CA certificate (CA-sales) to Host B.

- Host B will use the root CA certificate to validate the received CA certificate (CA-sales) and then will use the CA certificate (CA-sales) to validate the received local certificate of Host A.
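
The two-CA case from question 2, as the corresponding checks on an SRX. This is an added example, not part of the post; the CA profile names, file names, subject and certificate-id are assumptions. The point it makes: a peer's certificate is accepted only if the verifying device can build a chain from it to a CA certificate loaded on that device, so Host B loads the root and CA-sales locally (for validating Host A) in addition to its own issuer CA-marketing (for enrolling its own certificate), rather than depending on the peer to supply its intermediate.

```junos
## Host B: trust anchors. Root-CA is the common anchor, CA-sales is Host A's
## issuer, CA-marketing is Host B's own issuer.
set security pki ca-profile Root-CA ca-identity Root-CA
set security pki ca-profile CA-sales ca-identity CA-sales
set security pki ca-profile CA-marketing ca-identity CA-marketing
## Skipping revocation checks is for the lab only; in production point each
## profile at the CA's CRL instead of disabling the check.
set security pki ca-profile CA-sales revocation-check disable
set security pki ca-profile CA-marketing revocation-check disable

## Load the CA certificates (PEM files copied to /var/tmp beforehand).
request security pki ca-certificate load ca-profile Root-CA filename /var/tmp/root-ca.pem
request security pki ca-certificate load ca-profile CA-sales filename /var/tmp/ca-sales.pem
request security pki ca-certificate load ca-profile CA-marketing filename /var/tmp/ca-marketing.pem

## Confirm that each intermediate actually chains to the loaded root.
request security pki ca-certificate verify ca-profile CA-sales
request security pki ca-certificate verify ca-profile CA-marketing

## Host B's own key pair, a CSR for CA-marketing to sign, then the issued
## certificate, verified against the loaded chain.
request security pki generate-key-pair certificate-id HostB size 2048 type rsa
request security pki generate-certificate-request certificate-id HostB subject "CN=hostb.example.com,O=Marketing" domain-name hostb.example.com filename /var/tmp/hostb.csr
request security pki local-certificate load certificate-id HostB filename /var/tmp/hostb.pem
request security pki local-certificate verify certificate-id HostB

## Inspect what is loaded and which issuer each certificate resolves to.
show security pki ca-certificate
show security pki local-certificate certificate-id HostB detail
```

The `verify` commands are the useful check: if `ca-certificate verify` fails for CA-sales, Host A's certificate will never validate on Host B no matter what Host A sends.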


SRX240 Change the Broadband IP


Hello,

My public IPs are not enough to use, so I applied to the ISP for more IPs. On the SRX, all public IPs are set on the reth1.0 port, with source and destination NAT. Would you have a suggestion on how to change the public IP?!

Many thanks!!!

Best regards,

Zero

/var/db/utm_policy.id: File too large


Hello,

I have a problem with my SRX 210: when I try to check a new configuration, I see the message

# commit check
error: could not open /var/db/utm_policy.id: File too large
error: foreign file propagation (ffp) failed

Can someone help me?

SRX3600 In Service Upgrade


Hello everyone! Do I need to upload the new firmware on both devices in an in-service upgrade? Or is it enough if I do this on the master?

web-management port


Hi there,

My web management is being accessed from ge-0/0/0 and I need it to be accessed also by ge-1/0/0.

I need both allowed. Which command should I run to add ge-1/0/0 to the config below?

services {
    ssh;
    telnet;
    xnm-clear-text;
    web-management {
        management-url admin;
        http {
            port 8081;
            interface [ vlan.0 ge-0/0/0.0 ];
        }
        https {
            system-generated-certificate;
        }
    }
}

Kind regards.
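
The change for the config above, as an added example rather than a reply from the thread. The interface list is additive, so one `set` adds the new logical unit without removing the existing members; the security zone name `trust` for ge-1/0/0.0 is an assumption.

```junos
## Add the logical unit (ge-1/0/0.0, not the physical ge-1/0/0) to the HTTP list.
set system services web-management http interface ge-1/0/0.0

## The zone the interface belongs to must also allow the service inbound,
## otherwise the flow layer drops the request before it reaches httpd.
set security zones security-zone trust interfaces ge-1/0/0.0 host-inbound-traffic system-services https
set security zones security-zone trust interfaces ge-1/0/0.0 host-inbound-traffic system-services http

## Better: serve the GUI over HTTPS on the same interfaces and drop the
## clear-text listener, since HTTP on 8081 sends the admin password in the clear.
set system services web-management https interface [ vlan.0 ge-0/0/0.0 ge-1/0/0.0 ]
delete system services web-management http

## The posted config also has telnet and xnm-clear-text enabled; both are
## clear-text management channels and can go unless something depends on them.
delete system services telnet
delete system services xnm-clear-text

show configuration system services web-management
```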

Digital signature


How does a digital signature provide non-repudiation?

Traffic selector


Why do I need to use a traffic selector or proxy-ID in a route-based VPN to specify the permitted traffic across the tunnel, when I can already use security policy to regulate my traffic?

OSPF and a backup link


I'm trying to get my head around the config needed to dynamically fail over to a backup link. All sites are using SRX240 running Junos 12.3.

Head office has vlan.10 assigned 10.1.0.0/24. Its SRX has this in stub area 0.0.0.1 as a passive interface.

Between head office and site1 is a layer 3 link served by ge-0/0/0.0 on both SRXs. ge-0/0/0.0 on both is set in OSPF area 0.

site1 uses vlan.10 as its local LAN with IP range 10.2.0.0/24. vlan.10 is in stub area 0.0.0.1.

Between site1 and site2 is a fast, but intermittent, link connected to interface ge-0/0/2 on each site's SRX.

site2 uses vlan.10 as its local LAN with IP range 10.3.0.0/24. vlan.10 is in stub area 0.0.0.1.

site2 has a satellite backup link to head office. The SRX at site2 connects ge-0/0/3 to the satellite. The SRX in head office connects ge-0/0/3 to the satellite. The satellite link is up all the time. However, we want to set the SRX at site2 to prefer its link to site1 as the path back to head office and only use the satellite if the site1 to site2 link is down.

What would the OSPF config look like to achieve this?
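
One way to express the preference in OSPF for the topology above, as an added example (not a reply from the thread). Both uplinks sit in area 0.0.0.0 and the satellite interface simply carries a worse metric, so it only carries traffic once the adjacency over ge-0/0/2.0 is lost. The zone name `untrust` and the timer values are assumptions.

```junos
## site2 SRX
set protocols ospf area 0.0.0.0 interface ge-0/0/2.0 metric 10
set protocols ospf area 0.0.0.0 interface ge-0/0/3.0 metric 100
set protocols ospf area 0.0.0.1 stub
set protocols ospf area 0.0.0.1 interface vlan.10 passive

## Detect loss of the site1 link faster than the 40 s default dead interval.
## Hello and dead intervals must match on both ends of the link.
set protocols ospf area 0.0.0.0 interface ge-0/0/2.0 hello-interval 1
set protocols ospf area 0.0.0.0 interface ge-0/0/2.0 dead-interval 3

## OSPF packets are control-plane traffic; the zone must admit them.
set security zones security-zone untrust interfaces ge-0/0/2.0 host-inbound-traffic protocols ospf
set security zones security-zone untrust interfaces ge-0/0/3.0 host-inbound-traffic protocols ospf

## head office SRX: mirror the metrics so the return path makes the same choice.
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 metric 10
set protocols ospf area 0.0.0.0 interface ge-0/0/3.0 metric 100

## site1 SRX: its side of the site2 link, matching timers.
set protocols ospf area 0.0.0.0 interface ge-0/0/2.0 metric 10
set protocols ospf area 0.0.0.0 interface ge-0/0/2.0 hello-interval 1
set protocols ospf area 0.0.0.0 interface ge-0/0/2.0 dead-interval 3

## Check on site2: the route to head office should point at ge-0/0/2.0, and
## move to ge-0/0/3.0 when the site1 adjacency drops.
show ospf neighbor
show route 10.1.0.0/24
```

The metric values only need to keep the sum of the two-hop path (site2 to site1 to head office, 20) below the direct satellite path (100); an intermittent link with aggressive timers will also flap the route, so if the link drops for sub-second intervals, the dead interval should be set to ride through them.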


hub and spoke VPN


1. Can hub-and-spoke VPN be done using policy-based VPN?

2. Is it possible to connect two SRX devices, one using policy-based and the other one using route-based VPN? If yes, how?

Question about Virtual-router and Zone


Hi Guys,

I'd like to know if I can configure a zone across two VRs. This means I have two interfaces in the Trust zone and two interfaces in the Untrust zone, but interfaces in the same zone belong to different VRs.

Thanks

Sean

Question about logical-systems and address-book


Hi Guys,

I'd like to know if I can create a global address in an LSYS, such as:

set logical-systems NAME_OF_LSYS security address-book global address xxx

Thanks

 

ICMP screen filling logs from IPAM scans


RT_SCREEN_ICMP: Address sweep! source: 10.x.x.x, destination: 10.x.x.x zone name: Untrust, interface name: fe-0/0/4.0, action: alarm-without-drop

The source is our SolarWinds box IPAM scanning the subnets.

I have tried increasing the time in the IPAM settings to slow it down, and I have also tried increasing the threshold on the screen.

Is there a way to whitelist this device for ICMP (you can with TCP)?

Please help!! Thanks.

Group-VPN


I studied GVPN and I understood its concept, but I haven't seen or worked in a place using GVPN, either Cisco or Juniper.

I want to know who uses GVPN? Is it used by service providers, or by enterprises such as a bank and its branches?

- Is it used by service providers to secure their MPLS network, or is it used by enterprises to secure their traffic when it passes through the SP network?

 

DHCP option 121. how to specify /16 mask?


Hello,

I'm trying to distribute an additional route to DHCP clients using DHCP option 121 and this KB:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB26862

set system services dhcp option 121 array ip-address 24.172.16.0
set system services dhcp option 121 array ip-address 192.168.55.1

works as expected: clients get the 172.16.0.0/24 route with next hop 192.168.55.1.

But

set system services dhcp option 121 array ip-address 16.172.16.0
set system services dhcp option 121 array ip-address 192.168.55.1

doesn't work, and clients get some mess.

How do I specify a /16 mask?

Additional question: is there no option 249?
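
Why the /24 form works and the /16 form does not, with a working encoding, as an added example (not a reply from the thread). Option 121 (RFC 3442) encodes each route as the prefix length, then only as many prefix octets as that length needs (3 for /24, 2 for /16, 1 for /8, 0 for a default route), then the four gateway octets. The `ip-address` array pads every element to four octets, which happens to line up for a /24 (24.172.16.0 is exactly four octets) but inserts a stray 0 before the gateway for a /16, so the client parses 172.16.0.0/16 via 0.192.168.55 with a leftover byte. Encoding the option as raw bytes avoids the padding; the routes and gateway below are the ones from the post.

```junos
## 172.16.0.0/16 via 192.168.55.1: length 16, two prefix octets, four gateway octets.
set system services dhcp option 121 array byte [ 16 172 16 192 168 55 1 ]

## Several routes are concatenated in the same byte array, e.g. adding
## 10.0.0.0/8 (one prefix octet) via the same gateway:
set system services dhcp option 121 array byte [ 16 172 16 192 168 55 1 8 10 192 168 55 1 ]

## RFC 3442 clients ignore the router option (3) when option 121 is present,
## so include the default route (length 0, no prefix octets) in the array too:
set system services dhcp option 121 array byte [ 16 172 16 192 168 55 1 0 192 168 55 1 ]

## Option 249 is the pre-RFC Microsoft classless static route option; older
## Windows clients request it instead of 121 and it uses the same encoding.
set system services dhcp option 249 array byte [ 16 172 16 192 168 55 1 0 192 168 55 1 ]
```

Each `set ... array byte [ ... ]` line replaces the whole array for that option, so put all routes for an option in one statement rather than one per route.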

HOW TO BUNDLE LAYER 3 INTERFACES ON SRX 1500


Hello,

I have an SRX 1500 and I want to bundle the XE ports and assign IP addresses to them. How can I do it?

Thank you in advance.
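
A Layer 3 LACP bundle of two 10G ports, as an added example rather than a reply from the thread. The member port names (xe-0/0/16 and xe-0/0/17), the address and the zone name are assumptions; the Layer 3 address and the zone membership go on the `ae` unit, never on the member ports.

```junos
## Make aggregated interfaces available on the chassis.
set chassis aggregated-devices ethernet device-count 1

## Member ports carry no family/unit of their own; remove any existing unit 0
## before adding them to the bundle.
delete interfaces xe-0/0/16 unit 0
delete interfaces xe-0/0/17 unit 0
set interfaces xe-0/0/16 ether-options 802.3ad ae0
set interfaces xe-0/0/17 ether-options 802.3ad ae0

## LACP on the bundle, Layer 3 address on its unit.
set interfaces ae0 aggregated-ether-options lacp active
set interfaces ae0 unit 0 family inet address 10.10.10.1/30

## Zone membership (and any host-inbound-traffic) is on ae0.0.
set security zones security-zone trust interfaces ae0.0

## Verify: both members should show Collecting/Distributing.
show interfaces ae0 terse
show lacp interfaces ae0
```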

 


SRX - MPLS as primary path / IPSEC VPN as secondary path


Hi all,

I would like to know if someone can suggest how I can deploy the following scenario:

1. One path through the trust zone connects to the destination through an MPLS link;

2. If the MPLS link goes down, a site-to-site VPN needs to be established automatically and the destination needs to be reached through this VPN.

Does someone know how I can deploy this?

Note: the site-to-site VPN that will be used as the secondary path will use traffic-selector as the proxy-ID config.

When I use traffic-selector as the proxy-ID config, the routing table displays the route to the other side as [Static/5] automatically.

Does someone have any idea how I can deploy this?

Thanks,

João Victor
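
One way to get the MPLS path preferred over the traffic-selector VPN, as an added example (not a reply from the thread). The [Static/5] route the post describes is auto route insertion: the SRX installs the traffic selector's remote prefix as a static route with preference 5 via st0 when the tunnel is up. Giving the MPLS route a better (lower) preference makes it win while it exists, and BFD withdraws it when the MPLS next hop stops answering. Assumptions: the MPLS side is reached by a static route (a BGP-learned route would need a different approach, since its preference is worse than 5), the far end of the MPLS link runs BFD, and the prefixes, next hops, gateway and policy names are made up.

```junos
## Primary: 10.20.0.0/24 via the MPLS next hop, preference 4 (beats the ARI
## route's Static/5). BFD removes the route when the next hop goes silent.
set routing-options static route 10.20.0.0/24 next-hop 10.100.0.1 preference 4
set routing-options static route 10.20.0.0/24 bfd-liveness-detection minimum-interval 300
set routing-options static route 10.20.0.0/24 bfd-liveness-detection multiplier 3

## Backup: route-based VPN with a traffic selector. Keep the tunnel up at all
## times so the ARI route is already present when the MPLS route disappears.
set interfaces st0 unit 0 family inet
set security zones security-zone vpn interfaces st0.0
set security ipsec vpn TO-REMOTE bind-interface st0.0
set security ipsec vpn TO-REMOTE ike gateway GW-REMOTE
set security ipsec vpn TO-REMOTE ike ipsec-policy IPSEC-POL
set security ipsec vpn TO-REMOTE traffic-selector TS1 local-ip 10.10.0.0/24
set security ipsec vpn TO-REMOTE traffic-selector TS1 remote-ip 10.20.0.0/24
set security ipsec vpn TO-REMOTE establish-tunnels immediately

## Verify: with MPLS up the active route is Static/4 via 10.100.0.1 and the
## Static/5 via st0.0 is shown inactive; after a BFD failure it flips.
show route 10.20.0.0/24
show bfd session
show security ipsec security-associations
```

Security policies between the trust zone and the `vpn` zone are still needed for the backup path; they are not shown here. Without BFD (or another liveness check) the static route stays in the table while the MPLS link is physically up but not forwarding, and no failover happens.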

 

(Juniper SRX) Configure dual internet connection


Hello, I want to ask:

I have two internet connections with static public IPs and I want to configure my Juniper SRX 100 with a scenario like this:

a. users with IP addresses 1-30 connect to the internet with ISP 1

b. users with IP addresses 31-254 connect to the internet with ISP 2

I have already configured a FortiGate with a scenario like that, using a routing policy for the dual internet connection.

Can I do a routing policy like the FortiGate one on a Juniper SRX 100?

Can anyone help me?

Sorry for my bad English.
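
The Junos equivalent is filter-based forwarding: a firewall filter classifies by source address and hands matching packets to a forwarding instance that has its own default route. This is an added example, not a reply from the thread; the LAN prefix 192.168.1.0/24, the ISP next hops and the instance names are assumptions. Because .1-.30 is not a clean prefix boundary, the /27 (which covers .0-.31) is matched with .31 excluded.

```junos
## One forwarding instance per ISP, each with its own default route.
set routing-instances ISP1 instance-type forwarding
set routing-instances ISP1 routing-options static route 0.0.0.0/0 next-hop 198.51.100.1
set routing-instances ISP2 instance-type forwarding
set routing-instances ISP2 routing-options static route 0.0.0.0/0 next-hop 203.0.113.1

## Copy the interface (direct) routes into both instances so they can resolve
## the LAN and the ISP next hops. inet.0 must be first in the import list.
set routing-options rib-groups fbf-group import-rib [ inet.0 ISP1.inet.0 ISP2.inet.0 ]
set routing-options interface-routes rib-group inet fbf-group

## Classifier. Internal destinations are accepted first so they keep using
## inet.0 and are never sent to an ISP instance.
set firewall family inet filter FBF term internal from destination-address 192.168.0.0/16
set firewall family inet filter FBF term internal then accept
set firewall family inet filter FBF term isp1 from source-address 192.168.1.0/27
set firewall family inet filter FBF term isp1 from source-address 192.168.1.31/32 except
set firewall family inet filter FBF term isp1 then routing-instance ISP1
set firewall family inet filter FBF term isp2 from source-address 192.168.1.0/24
set firewall family inet filter FBF term isp2 then routing-instance ISP2
set firewall family inet filter FBF term default then accept

## Apply as an input filter on the LAN interface (vlan.0 on an SRX100).
set interfaces vlan unit 0 family inet filter input FBF

## Verify: each instance should carry the direct routes plus its own default.
show route table ISP1.inet.0
show route table ISP2.inet.0
```

Source NAT is separate from the routing decision: a source NAT rule is needed for each ISP egress interface (interface NAT from trust to untrust), otherwise hosts sent to the second ISP leave with their private address.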

Group VPN


I studied Group VPN and I have made a revision, but I don't get the idea of IP preservation.

How is it supposed to be an advantage? I think it is the opposite.

Making every host in my LAN have its own public IP is a waste of IP addresses.

Would someone please explain to me the advantage of IP preservation? Can I overcome it by using NAT?

SRX Hacking?


Hi there,

Today my site-to-site connection was down and I checked some logs.

I found something weird; please tell me what it means.

Are the logs below normal? I can see a lot of failed root login attempts from IPs that I don't know.

Is there anyone trying to hack my SRX device?

 

Jun  9 15:39:23  rotem_brazil_aqa alarmd[1337]: LICENSE_EXPIRED: License for feature wf_key_surfcontrol_cpa(28) expired
Jun  9 15:39:48  rotem_brazil_aqa sshd[3155]: Failed password for root from 116.31.116.27 port 62338 ssh2
Jun  9 15:39:48  rotem_brazil_aqa sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '116.31.116.27'
Jun  9 15:39:53  rotem_brazil_aqa sshd[3155]: Received disconnect from 116.31.116.27: 11:  [preauth]
Jun  9 15:40:23  rotem_brazil_aqa alarmd[1337]: LICENSE_EXPIRED: License for feature wf_key_surfcontrol_cpa(28) expired
Jun  9 15:40:53  rotem_brazil_aqa sshd[3160]: Failed password for root from 116.31.116.27 port 42071 ssh2
Jun  9 15:40:53  rotem_brazil_aqa sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '116.31.116.27'
Jun  9 15:40:58  rotem_brazil_aqa sshd[3160]: Received disconnect from 116.31.116.27: 11:  [preauth]
Jun  9 15:41:23  rotem_brazil_aqa alarmd[1337]: LICENSE_EXPIRED: License for feature wf_key_surfcontrol_cpa(28) expired
Jun  9 15:42:02  rotem_brazil_aqa sshd[3162]: Failed password for root from 116.31.116.27 port 17492 ssh2
Jun  9 15:42:02  rotem_brazil_aqa sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '116.31.116.27'
Jun  9 15:42:07  rotem_brazil_aqa sshd[3162]: Received disconnect from 116.31.116.27: 11:  [preauth]
Jun  9 15:42:23  rotem_brazil_aqa alarmd[1337]: LICENSE_EXPIRED: License for feature wf_key_surfcontrol_cpa(28) expired
Jun  9 15:42:28  rotem_brazil_aqa sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '84.38.211.151'
Jun  9 15:42:28  rotem_brazil_aqa sshd[3164]: Failed password for root from 84.38.211.151 port 4869 ssh2
Jun  9 15:42:50  rotem_brazil_aqa sshd[3164]: fatal: Read from socket failed: Connection reset by peer [preauth]
Jun  9 15:43:10  rotem_brazil_aqa sshd[3166]: Failed password for root from 116.31.116.27 port 49758 ssh2
Jun  9 15:43:10  rotem_brazil_aqa sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '116.31.116.27'
Jun  9 15:43:15  rotem_brazil_aqa sshd[3166]: Received disconnect from 116.31.116.27: 11:  [preauth]
Jun  9 15:43:23  rotem_brazil_aqa alarmd[1337]: LICENSE_EXPIRED: License for feature wf_key_surfcontrol_cpa(28) expired
Jun  9 15:44:17  rotem_brazil_aqa sshd[3168]: Failed password for root from 116.31.116.27 port 30031 ssh2
Jun  9 15:44:17  rotem_brazil_aqa sshd: SSHD_LOGIN_FAILED: Login failed for user 'root' from host '116.31.116.27'
Jun  9 15:44:22  rotem_brazil_aqa sshd[3168]: Received disconnect from 116.31.116.27: 11:  [preauth]
Jun  9 15:44:23  rotem_brazil_aqa alarmd[1337]: LICENSE_EXPIRED: License for feature wf_key_surfcontrol_cpa(28) expired

Kind regards.
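
The visible lines show repeated `Failed password for root` from two addresses that are not the poster's, about one attempt per minute, which is the shape of password guessing against an SSH service reachable from the Internet. The configuration below is an added example of how to close that off on an SRX, not a reply from the thread; the management prefix, filter and prefix-list names and zone name are assumptions.

```junos
## Root must not be a remote SSH target at all; log in as a named user and
## become root with su when needed.
set system services ssh root-login deny
set system services ssh protocol-version v2

## Slow down guessing: disconnect after 3 failures, back off after the 2nd.
set system login retry-options tries-before-disconnect 3
set system login retry-options backoff-threshold 2
set system login retry-options backoff-factor 5

## Only accept SSH to the Routing Engine from the management network. A filter
## on lo0 applies to traffic destined to the device itself on every interface.
set policy-options prefix-list mgmt-nets 10.10.0.0/24
set firewall family inet filter PROTECT-RE term ssh-mgmt from source-prefix-list mgmt-nets
set firewall family inet filter PROTECT-RE term ssh-mgmt from protocol tcp
set firewall family inet filter PROTECT-RE term ssh-mgmt from destination-port ssh
set firewall family inet filter PROTECT-RE term ssh-mgmt then accept
set firewall family inet filter PROTECT-RE term ssh-other from protocol tcp
set firewall family inet filter PROTECT-RE term ssh-other from destination-port ssh
set firewall family inet filter PROTECT-RE term ssh-other then log
set firewall family inet filter PROTECT-RE term ssh-other then discard
set firewall family inet filter PROTECT-RE term allow-rest then accept
set interfaces lo0 unit 0 family inet filter input PROTECT-RE

## If the box is never managed from the Internet side, also stop admitting ssh
## on the untrust zone (adjust if that zone lists system-services all).
delete security zones security-zone untrust host-inbound-traffic system-services ssh

## Confirm nothing else is still answering on the outside and watch the log.
show configuration security zones security-zone untrust host-inbound-traffic
show log messages | match SSHD_LOGIN_FAILED
```

The `allow-rest` term keeps IKE, routing protocols and everything else working; the filter only changes who may reach port 22. Also note the LICENSE_EXPIRED lines in the same log: the web-filtering license on the box has lapsed, which is unrelated to the login failures.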

SRX 550 Boot Problems


Hello,

The device is not booting and shows the following error. What can cause it?

 

U-Boot 1.1.6-JNPR-2.1 (Build time: Nov 24 2011 - 05:13:40)

Initializing memory this may take some time...
Measured DDR clock 533.33 MHz
SRX_550 board revision major:1, minor:22, serial #: ACMW7502
OCTEON CN6335-AAP pass 2.2, Core clock: 1300 MHz, DDR clock: 533 MHz (1066 Mhz data rate)
DRAM: 2048 MB
Starting Memory POST...
Checking datalines... OK
Checking address lines... OK
Checking 512K memory for U-Boot... OK.
Running U-Boot CRC Test... OK.
Flash: 8 MB
WARNING: Running from backup u-boot
USB: scanning bus for devices... 2 USB Device(s) found
scanning bus for storage devices... 1 Storage Device(s) found
Clearing DRAM...... done
BIST check passed.
PCIe: Initializing port 1
PCIe: Port 1 link active, 1 lanes, speed gen1
Warning!!!Last reboot reason 0x5 abnormal
Boot Media: usb internal-compact-flash
Net: octeth0
sil3132 command timed out
sil3132 soft reset command failed count=1
sil3132 command timed out
sil3132 soft reset command failed count=2
sil3132 command timed out
sil3132 soft reset command failed count=3
sil3132 command timed out
sil3132 soft reset command failed count=4
sil3132 command timed out
sil3132 soft reset command failed count=5
sil3132 command timed out
sil3132 soft reset command failed count=6
