Channel: SRX Services Gateway topics

DHCP client port randomly drops the IP address??? please help


Hello,

SRX210HE

12.1X46-D40.2

 

The version does not seem to matter really. If we set our port to get a DHCP address from a local modem, on SOME boxes the DHCP address randomly falls into the bit-bucket; in most cases it is getting a 192.168.x.x address from a local DSL/cable modem.

 

When this happens our IPsec tunnel goes down and only two things fix it: a reboot, or unplugging the network cable for 30 seconds and plugging it back in (if we have remote access the dhcp renew command works as well).

 

Does anybody know how to fix this? It only happens on about 10-15 boxes out of a few hundred, but it is very annoying.


Help with Configuring SNMP


Hey guys-

I'm brand spankin' new to JunOS and trying to set up SNMP. It's pretty basic, I know, but I believe something with the security zones may be blocking it from being polled. I searched for and found a ton of information on how to troubleshoot it, but I haven't had any luck. This is my snmp config:

 

name DeviceName;
description Device;
location CityTown;
contact "Administrator";
community SNMPv2 {
    authorization read-only;
}

 

We have an internal zone where snmp is enabled and vlan.1 is assigned to it:

 

show security zones security-zone Internal host-inbound-traffic
system-services {
    all;
    snmp;
}

 

However, when I send a get to the IP on vlan.1 it doesn't respond.

 

Any help would be appreciated!

 

Thanks.

 

 

Setting up NAT


Hi,

 

I have only ever used Junos for publicly routed IPs. I currently have a setup with an SRX240H. I am currently using two interfaces: ge-0/0/0 is in zone UNTRUST with a /29 and ge-0/0/1 is in zone TRUST with a /27; this is all working great. We have a lab that we need to set up behind NAT. Is there a way to set up one of the interfaces on the SRX to be the local gateway (say 192.168.1.1) and then, whenever any PC behind it (say 192.168.1.2) goes out to the NET, use a specific IP I set aside in my available /27 range, or is the entire /27 only able to be accessed via ge-0/0/1?

 

I had a look at https://www.juniper.net/documentation/en_US/junos/topics/example/nat-security-static-subnet-translation-configuring.html but that seems to be where you have one interface with an external IP and one with the internal one.

 

TIA.

 

Dovid

Policy based routing


 

[Attached image: PBR.JPG]

Hi,

 

I want to configure policy based routing. What I want is that when traffic is coming from 192.168.1.0/24 to host 10.1.1.1 it should go out via reth2.0, and if the traffic is coming from any other subnet it should use normal routing.

 

We have two VRs, inet.0 and vr1.

inet.0 has a default route pointing to vr1.

VR1 has a default route pointing toward reth2.1.

 

I think I need to configure the following:

 

set firewall family inet filter PBR_Routing term 1 from source-address 192.168.1.0/24
set firewall family inet filter PBR_Routing term 1 then next-ip 192.168.0.3 routing-instance VR1
set firewall family inet filter PBR_Routing term 2 then accept

 

Please suggest.

 

Regards,

Pankaj Kumar

ARP on two joining switches, SRX, ERS5000

I want to know if ARP will work properly with an SRX240 and an ERS5000 stack. Does one have to have ARP off for ARP to work properly? I also want to statically add an NLB cluster, but I have particulars and a major drawback. My cluster address is on a totally different subnet. The SRX seems to add the stack right, not the NLB cluster though.

Dual ISP destination nat and RPM dual ISP failover


Hi,

I configured an SRX210 with 2x ISPs and RPM to provide failover.

It worked fine, but now I have to configure destination NATs for both ISPs (in some cases the destination NAT points to the same internal address) and I'm stuck.

With the configuration attached I have the error "Reject route in make_nsp_ready_no_resolve. zone mismatch".

 

 

 

SRX300 legacy DHCP vs JDHCP client-identifier


Hi,

 

I'm attempting to use an SRX300 to front my FiOS home Internet connection.

 

FiOS is very particular about the DHCP request from the CPE and essentially option 61 is supposed to look like 0x01 (hardware type Ethernet) plus the MAC address.

 

The legacy DHCP subsystem correctly sets this with the following command:

set interfaces ge-0/0/0 unit 0 family inet dhcp client-identifier hexadecimal 01aabbccddeeff

 

The above properly generates the option 61 client-id and Verizon will happily respond with a DHCP lease.

 

The equivalent JDHCP configuration is supposed to be:

set interfaces ge-0/0/0 unit 0 family inet dhcp-client client-identifier user-id hexadecimal 01aabbccddeeff

 

 

Unfortunately the JDHCP client is prefixing the data with the interface name (i.e. ge-0/0/0.0) no matter what hex or ASCII value is supplied. This is causing Verizon to ignore the DHCPDISCOVER because it doesn't recognize the option 61 field created by JDHCP. This is confirmed behavior in the following Junos versions I've tried:

 

* 15.1X49-D45
* 15.1X49-D75.5
* 15.1X49-D100.6

 

Is there any way to make JDHCP behave like the legacy DHCP client for option 61? I've attached screenshots of the highlighted option 61 fields in Wireshark for two DHCPDISCOVER packets from ge-0/0/0.0 on my SRX300 - one with the legacy DHCP client, the other with JDHCP.

 

Thanks.
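An added example, not from the original post and not Juniper code: it builds the option 61 client-identifier the post describes (one hardware-type byte 0x01 followed by the six-byte MAC), encodes it into a DHCP options field, and decodes a constructed options field to tell that form apart from a value that carries extra bytes in front of it, which is the check one would apply to the two Wireshark captures mentioned. The MAC and the option layout are constructed sample data; the exact bytes JDHCP puts in front of the value are not shown in the post, so the interface-name prefix used below is an assumption.

```python
"""Build and decode DHCP option 61 (client-identifier) payloads. Added example."""

HTYPE_ETHERNET = 0x01     # hardware type byte for Ethernet (RFC 2132, section 9.14)
OPT_PAD = 0
OPT_MESSAGE_TYPE = 53
OPT_CLIENT_ID = 61
OPT_END = 255
DHCPDISCOVER = 1


def build_client_id(mac: str) -> bytes:
    """Option 61 payload in the form the post describes: 0x01 + the 6-byte MAC."""
    mac_bytes = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(mac_bytes) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return bytes([HTYPE_ETHERNET]) + mac_bytes


def encode_option(code: int, payload: bytes) -> bytes:
    """One RFC 2132 TLV: option code, length, value."""
    if len(payload) > 255:
        raise ValueError("option payload too long")
    return bytes([code, len(payload)]) + payload


def parse_options(blob: bytes) -> dict:
    """Walk a DHCP options field, honouring the pad (0) and end (255) options."""
    opts = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        length = blob[i + 1]
        opts[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def classify_client_id(payload: bytes):
    """('hwaddr', 'aa:bb:..') for the 0x01+MAC form, ('other', payload) otherwise."""
    if len(payload) == 7 and payload[0] == HTYPE_ETHERNET:
        return ("hwaddr", ":".join(f"{b:02x}" for b in payload[1:]))
    return ("other", payload)


def client_id_kind(options_blob: bytes) -> str:
    """Convenience wrapper: kind of client-id found in an options field."""
    return classify_client_id(parse_options(options_blob)[OPT_CLIENT_ID])[0]


# Constructed sample MAC, matching the post's example value 01aabbccddeeff.
MAC = "aa:bb:cc:dd:ee:ff"

# Options field as the legacy client sends it (constructed).
LEGACY_OPTIONS = (encode_option(OPT_MESSAGE_TYPE, bytes([DHCPDISCOVER]))
                  + encode_option(OPT_CLIENT_ID, build_client_id(MAC))
                  + bytes([OPT_END]))

# Assumed layout for the behaviour the post describes (interface name placed in
# front of the supplied value); the real bytes JDHCP emits are not in the post.
JDHCP_OPTIONS = (encode_option(OPT_MESSAGE_TYPE, bytes([DHCPDISCOVER]))
                 + encode_option(OPT_CLIENT_ID, b"ge-0/0/0.0" + build_client_id(MAC))
                 + bytes([OPT_END]))


if __name__ == "__main__":
    for label, blob in (("legacy", LEGACY_OPTIONS), ("jdhcp", JDHCP_OPTIONS)):
        kind, value = classify_client_id(parse_options(blob)[OPT_CLIENT_ID])
        print(f"{label}: {kind} {value!r}")
```

Feeding the option bytes from a real capture into `parse_options` gives a quick way to confirm whether the client-id on the wire is the seven-byte hardware-address form a strict server expects.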

SRX240H2, no mini-PIMs, routing possible?


Painfully basic question, but I'm painfully new to Juniper gear that I'm suddenly supporting.

I now have an SRX240H2 with no mini-PIMs, placed in the network such that it is simply switching, not routing. To confirm: do I need a mini-PIM to configure the SRX240H2 as a router, or can one of the Ethernet ports in the switch be configured as a WAN port? And if it can, should it be configured as a WAN port or should I get an Ethernet mini-PIM?

If I do need to get a mini-PIM to connect to a Gigabit Ethernet WAN line, is the SRX-MP-1SFP-GE "1-Port Gigabit Ethernet small form-factor pluggable (SFP)" the correct mini-PIM needed?

Thanx in advance.


Anti-spam on vSRX 15.xD100?


Hi all,

 

I'm trying to learn the anti-spam feature on vSRX. I'm following the KB https://kb.juniper.net/InfoCenter/index?page=content&id=KB17286 . But when I run the command below it says it is disabled:

 

test@vSRX-LAB> test security utm anti-spam profile junos-as-defaults test-string test@gmail.com
error: Anti-Spam test is disabled now

 

 

Thanks and appreciate any feedback

Juniper SRX -> Software-Upgrade


Hi guys,

 

I am a bit confused about the new Junos 17.3 for SRX devices.

I was always thinking that software for SRX devices always runs on the "X" firmware.

 

So, which file should I choose if I want to upgrade?

Should I stay on the 15.1X49 path or should I move to 17.3?

 

Thanks for your help.

 

Best regards, Christoph.

Juniper SRX 3600 how to define GRE and PPTP applications


Hello all,

 

I'm trying to get PPTP and GRE permitted across our firewall. I have realised those protocols/services are not preconfigured like HTTP or HTTPS are (junos-http or junos-https), so I need some help.

 

I have configured PPTP (not too sure if correctly):

 

set applications application junos-pptp term junos-pptp protocol tcp
set applications application junos-pptp term junos-pptp source-port 0-65535
set applications application junos-pptp term junos-pptp destination-port 1723-1723

 

But I don't know how to get GRE configured; I guess that will be a different protocol (perhaps GRE), but what about the ports?

 

Can anyone assist please?

IPSec goes down because of DPD after cluster failover or reboot of primary node but shouldn't


Hi guys.

 

I have a failover cluster of two SRX100H2s, and an IKEv2 tunnel to a remote site with 8 remote networks.

The problem is that after a manual failover or a reboot of the primary node all tunnels go down because of DPD. Recovery takes up to 6 minutes, because the tunnels do not come up simultaneously. It's a disaster for our network.

 

Is this the normal state? And what about HA for IPsec VPN in such a situation?

 

Key configuration:

IKEv2:

 

gateway GW_1A {
    ike-policy ike_1A;
    address 1.1.1.1;
    dead-peer-detection probe-idle-tunnel;
    local-identity inet 2.2.2.2;
    external-interface reth0;
    version v2-only;
}

 

---------------------------

IPSec:

 

vpn VPN_1A_0 {
    bind-interface st0.240;
    ike {
        gateway GW_1A;
        proxy-identity {
            local 192.168.252.1/32;
            remote 4.4.4.0/22;
            service any;
        }
        ipsec-policy ipsec_1A;
    }
    establish-tunnels immediately;
}
vpn VPN_1A_1 {
    bind-interface st0.241;
    ike {
        gateway GW_1A;
        proxy-identity {
            local 192.168.252.1/32;
            remote 5.5.5.5/32;
            service any;
        }
        ipsec-policy ipsec_1A;
    }
    establish-tunnels immediately;
}
vpn VPN_1A_2 {
    bind-interface st0.242;
    ike {
        gateway GW_1A;
        proxy-identity {
            local 192.168.252.1/32;
            remote 6.6.6.6/32;
            service any;
        }
        ipsec-policy ipsec_1A;
    }
    establish-tunnels immediately;
}

 

---------------------------

Cluster:

 

cluster {
    traceoptions {
        file cluster-trace;
        flag all;
    }
    control-link-recovery;
    reth-count 1;
    redundancy-group 0 {
        node 0 priority 100;
        node 1 priority 1;
    }
    redundancy-group 1 {
        node 0 priority 100;
        node 1 priority 1;
        interface-monitor {
            fe-0/0/0 weight 255;
            fe-1/0/0 weight 255;
        }
    }
}

Custom signatures: checking for elements in the http header


Hi all


I am trying to write a compound signature that, among other things, checks for the existence of the "Referer" element in the HTTP header, or the "Accept" or "Cookie" element.

Something like this:
set security idp custom-attack "My custom attack" severity major
set security idp custom-attack "My custom attack" attack-type signature context http-request
set security idp custom-attack "My custom attack" attack-type signature pattern .*Referer:.*
set security idp custom-attack "My custom attack" attack-type signature direction client-to-server

This strangely does not work! I could possibly get away with:
set security idp custom-attack "My custom attack" severity major
set security idp custom-attack "My custom attack" attack-type signature context http-header-referer
set security idp custom-attack "My custom attack" attack-type signature pattern .
set security idp custom-attack "My custom attack" attack-type signature direction client-to-server

... but this seems to me not a very pretty solution to the problem.

How can I achieve this?

Thanks!
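As an added example that is not part of the original post or of the IDP engine: the any-of check on Referer, Accept and Cookie, written in Python over a constructed HTTP request so the logic can be tested offline. It also mirrors the first attempt's single-regex approach over the raw request text, which is the same match the `.*Referer:.*` pattern expresses. The sample request, header names and function names are constructed for this illustration.

```python
"""Detect presence of selected HTTP request headers. Added example."""
import re

# Header names the compound signature in the post wants to test for.
WANTED_HEADERS = ("Referer", "Accept", "Cookie")

# Constructed sample request: carries Accept and Cookie, but no Referer.
SAMPLE_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"User-Agent: demo-client\r\n"
    b"Accept: text/html\r\n"
    b"Cookie: session=abc123\r\n"
    b"\r\n"
)


def parse_request(raw: bytes):
    """Split request line, header block and body; header names are case-insensitive."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("ascii", errors="replace")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # malformed header line, skip it
        key = name.strip().decode("ascii", errors="replace").lower()
        headers[key] = value.strip().decode("ascii", errors="replace")
    return request_line, headers, body


def present_headers(raw: bytes, wanted=WANTED_HEADERS) -> tuple:
    """Which of the wanted headers occur, checked per header like the second attempt."""
    _, headers, _ = parse_request(raw)
    return tuple(h for h in wanted if h.lower() in headers)


def any_wanted_header(raw: bytes) -> bool:
    """The any-of condition the compound signature is meant to express."""
    return bool(present_headers(raw))


def raw_pattern_matches(raw: bytes, pattern: str = r".*Referer:.*") -> bool:
    """Mirror the first attempt: one regex run over the whole request text."""
    return re.search(pattern, raw.decode("ascii", errors="replace")) is not None


if __name__ == "__main__":
    print("present:", present_headers(SAMPLE_REQUEST))
    print("any wanted:", any_wanted_header(SAMPLE_REQUEST))
    print("raw Referer regex:", raw_pattern_matches(SAMPLE_REQUEST))
```

Checking each header by name, as `present_headers` does, is the more precise form: the raw-text regex also fires on the string "Referer:" wherever it appears in the request, including inside another header's value.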

UTM Anti-Virus with Sophos to scan HTTPS?

mix reth and normal aggregate in chassis cluster?


Hi all,

 

Currently I have set up a chassis cluster. May I know whether, if I add another normal aggregate on the chassis cluster, it is possible or not?

 

{primary:node0}
test@srx1> show configuration chassis
alarm {
    management-ethernet {
        link-down ignore;
    }
}
cluster {
    reth-count 4;

 

Add new config (normal aggregate):

 

set chassis aggregated-devices ethernet device-count 6


SRX1500 Active/Active deployment


Hi,

 

I am configuring 2 x SRX1500s and have successfully configured them as Active/Passive. But we need, from a company and topological perspective, to have these SRX1500s clustered in an active/active HA configuration.

 

From reading the active/active technical documents on the Juniper sites, it seems to indicate that this CANNOT be achieved with a back-to-back setup. It indicates that switches are required for Active/Active to be achieved.

 

Can you please confirm if I can connect, back-to-back, 2 x SRX1500s and configure them in an active/active configuration?

 

Thanks in advance

Best way to hide the real server IP by an IP from my network.


Hello,

 

I have a few Juniper SRXs using route-based VPN. Everything is routing and working fine. It's like this:

FW1 – site 1 = 10.11.0.0/16
FW2 – site 2 = 10.12.0.0/16
FW3 – site 3 = 10.13.0.0/16
FW4 – site 4 = 10.14.0.0/16
etc.

 

On my site 1, I have a VPN with a partner. From this site, I can access the remote server (https srv1 = 192.168.1.1).

Only site 1 can access the partner network 192.168.1.0/24. The VPN added a static route to this remote desktop and this network isn't propagated through my OSPF.

 

The thing is, I don't really want to route this network to my other sites in my OSPF.
I would like to hide this remote network from my coworkers.

 

Instead of doing https://192.168.1.1 I would like to give them https://10.11.55.249 (assuming my internal routing is ok).

 

So, if from a laptop in site 3 I do https://10.11.55.249, it will do: laptop site 3 -> GW FW3 -> GW FW1 -> 10.11.55.249 -> 192.168.1.1

 

I tried this on FW1:

set security nat proxy-arp interface reth1.54 address 10.12.55.249/32
set security nat destination pool remote-srv1 address 192.168.1.1/32
set security nat destination rule-set nat-test from zone Trust
set security nat destination rule-set nat-test from zone VPN-PLW
set security nat destination rule-set nat-test rule DNAT-nat-test match destination-address 10.12.55.249/32
set security nat destination rule-set nat-test rule DNAT-nat-test then destination-nat pool remote-srv1

 

It's working, but only from site 1, not from the other sites. I'm sure I can reach 10.12.55.249/24 because I have servers in this network working normally.

I guess the proxy-arp isn't going through my internal VPN.
I checked on FW1 with a show security flow session; I can see the flow on FW1 from my laptop in site 3, but after that nothing.

 

What is the best way to hide this remote server and not route the remote network?

 

Thanks,

Upgrade Downgrade 12 to 11.4 SRX110


Hi guys,

 

I am currently facing the following issue:

 

I am trying to upgrade an SRX110, which currently has an old Junos 11.4 version, to 12.1X46-D50 via USB autoinstall.

The process aborts with an incompatibility message.

 

It looks like the same issue that is a known behavior for the SRX240:

 

On the SRX240B2 and SRX240H2 models, when you try to upgrade from Junos OS Release 11.4 to Junos OS Release 12.1X44, 12.1X45, 12.1X46, or 12.1X47, the upgrade fails when attempting to validate the configuration. To resolve this, use the no-validate option.

https://www.juniper.net/documentation/en_US/junos/information-products/topic-collections/release-notes/12.1x46/topic-82923.html#jd0e4127

 

So when I start the update via CLI and add "no-validate", the update works.

 

So first question: can someone confirm that the SRX110 acts the same as the SRX240?

And is there a possibility to start the upgrade of the SRX via USB without running into this issue?

 

 

Second short question:

What will happen if I start a downgrade from 12 to 11 via USB? Does the SRX act the same way as for the upgrade (validation check)?

 

Best regards, Christoph.

 

 

Local Authentication on SRX


Hi All,

I have an SRX 345.

Is there any method to define a built-in user to authenticate locally, without integrating the SRX with an authentication server (like Active Directory)?

Does the SRX have built-in authentication?

 

Thanks in advance

What action is actually taken by IDP when the action is "recommended"?


Hi all,

 

When we use the IDP template "Recommended", the template shows the action "recommended". May I know what action is actually performed by "recommended"? Is it just bypass, or block, etc.?

 

Another question: if I add a new rule to the existing template, is it enough to just commit so the IDP template will apply with the new rule I just added? Or do I need to delete the template and apply it again, the same as the first time we applied the IDP template?

 

 

[edit security idp idp-policy Recommended]
test@vSRX-LAB# show
/* This legacy template policy covers most current vulnerabilities.  This template is supported on all platforms, including Branch devices with 1G of memory. */
rulebase-ips {
    rule TCP/IP {
        /* This rule is designed to protect your networks against important TCP/IP attacks. */
        match {
            from-zone any;
            source-address any;
            to-zone any;
            destination-address any;
            application default;
            attacks {
                predefined-attack-groups [ "[Recommended]IP - Critical" "[Recommended]IP - Minor" "[Recommended]IP - Major" "[Recommended]TCP - Critical" "[Recommended]TCP - Minor" "[Recommended]TCP - Major" ];
            }
        }
        then {
            action {
                recommended;
            }
            notification {
                log-attacks;
            }
        }
    }
    rule Block-Torrent {
        description "Torrent Blocker";
        match {
            from-zone any;
            source-address any;
            to-zone any;
            destination-address any;
            application default;
            attacks {
                predefined-attack-groups "P2P - All";
            }
        }
        then {
            action {
                drop-connection;
            }
            notification {
                log-attacks;
            }
        }
    }
}

 

Thanks and appreciate any feedback
