Channel: SRX Services Gateway topics

Application-Firewall cannot block torrent (utorrent) if not combine with IDP?


Hi all,

Currently I'm testing the Application-Firewall feature in vSRX D100. I'm following this URL: http://junosnotes.blogspot.my/2013/04/srx-application-firewall.html#more . When I just use Application-Firewall without custom IDP, the torrent still works. So, until now, is the SRX Application-Firewall still unable to block torrent without IDP? Another thing I see during the test: when we apply IDP, the current torrent download session decreases, but it does not totally block the torrent session at the same time. If I close the torrent client and open it again, the session cannot connect. So it looks like it will not totally block the current torrent session. Is the behavior like this?

 

test@vSRX-LAB# run show configuration security application-firewall rule-sets Block-STEAM-P2P-FB
rule p2p-block {
    match {
        dynamic-application junos:UNSPECIFIED-ENCRYPTED;
        dynamic-application-group junos:p2p:file-sharing;
    }
    then {
        deny;
    }
}
rule steam-block {
    match {
        dynamic-application junos:STEAM-STORE;
    }
    then {
        deny;
    }
}
rule facebook-block {
    match {
        dynamic-application-group junos:web:social-networking:facebook;
    }
    then {
        deny;
    }
}
default-rule {
    permit;
}


test@vSRX-LAB# run show configuration security policies from-zone DMZ-ZONE to-zone UNTRUST-INTERNET policy PERMIT-ALL
match {
    source-address any;
    destination-address any;
    application any;
}
then {
    permit {
        application-services {
            idp;
            utm-policy mix-policy;
            application-firewall {
                rule-set Block-STEAM-P2P-FB;
            }
            security-intelligence-policy secintel-policy1;
            advanced-anti-malware-policy aamw_policy1;
        }
    }
    log {
        session-init;
        session-close;
    }
}


Thanks, and I appreciate any advice.


Whatsapp Android App issue with Juniper SRX


I have made a simple AppID policy to block WhatsApp, but to my dismay (surprisingly) WhatsApp messages on its Android app are still working as if there were no policy, while the other WhatsApp signature, WHATSAPP_SSL (web page), is working...


Any ideas whether this is because of encrypted calls or something else?


STATIC NAT and Security Policy on SRX


Hi everyone,


I apologize for the long-winded email, but I want to provide as much info as possible to get this concept straight.


Please consider following cases:


CASE1: STATIC NAT (Only Changing destination IP)


H1 199.199.199.1/24--------199.199.199.10/24 -F1 SRX F2 -10.10.10.1-------10.10.10.2 SERVER


F1 in Zone A

F2 in Zone B


All traffic from H1 destined to the Server enters F1 on the SRX with destination IP 200.200.200.2.

The SRX has a static NAT rule where we change destination 200.200.200.2 to 10.10.10.2 and route it to the Server.


Traffic from H1 to Server:

  1. Traffic enters F1 with destination IP 200.200.200.2 and SRC IP 199.199.199.1
  2. The SRX has a static NAT rule which says all traffic with destination IP 200.200.200.2 and from Zone A must have its destination IP NATted to 10.10.10.2
  3. We configure our security policy on the POST-NAT IP, which says all traffic from ZONE1 to ZONE2 is allowed; note that the zones are determined after the NAT is already performed, and using a route lookup we determine "from ZONE to ZONE"
  4. Note the above order of operation, i.e. NAT then security policy evaluation


Return traffic:

From Server to H1

  1. Traffic enters F2 on SRX with SRC IP 10.10.10.2 and destination IP 199.199.199.1

What will happen next, NAT or security policy evaluation?

If NAT occurs first, i.e. SRC IP 10.10.10.2 is replaced by 200.200.200.2 and then the security policy is evaluated, then we have an issue:


200.200.200.2 is not configured on any interface on the SRX, so we cannot determine the zone for the security policy.


If security policy evaluation occurs first, will the zones for the security policy be determined based on the PRE-NAT IPs, i.e. SRC IP 10.10.10.2 and destination IP 199.199.199.1?


################


Case2: (Only Changing SRC IP)


H1 199.199.199.1/24--------199.199.199.10/24 F1 SRX F2 10.10.10.1-------10.10.10.2 SERVER

F1 in Zone A

F2 in Zone B

GOAL:

All traffic from H1 must reach Server with SRC IP 10.10.10.10

Traffic from H1 to Server:

Traffic with SRC IP 199.199.199.1, destination IP 10.10.10.2 enters F1 on SRX.


Based on the order-of-operation diagram shown below, NAT occurs first.

[Figure: Capture.PNG, the SRX order-of-operation diagram referenced in the post]

On the SRX we have a NAT rule that says all traffic from ZONE A must have its SRC NATted to 10.10.10.10.

Based on the diagram above, zones for security policies are determined on the POST-NAT IP, i.e. SRC IP 10.10.10.10, right?


Return traffic:


Traffic with SRC IP 10.10.10.2 destination IP 10.10.10.10 enters F2 on SRX.

What will happen next?

Will the SRX first perform NAT, i.e. destination IP 10.10.10.10 is replaced by 199.199.199.1, and then evaluate the security policy? If yes, are the security zones determined based on the POST-NAT IP?


OR


Security policy evaluation first and then NAT? If yes, are the security zones determined based on the PRE-NAT IP?


#####################


Thanks and have nice weekend!!


SRX PIM DENSE MODE | RECEIVER AND SOURCE


Hi everyone,


Please consider the following set up:


We are using PIM DENSE MODE


S-----f1 SRX1 f2--------f2-SRX2 -f1-----R


S: Multicast source sending a stream to 239.1.1.1

R: Receiver listening on 239.1.1.1

SRX1: FHR (connected to S)

SRX2: LHR (connected to R)


FHR, i.e. the SRX connected to S:


In Cisco, I have to enable PIM under F1 on the FHR; we cannot use ip pim passive, it has to be PIM dense mode or all multicast streams received from S are ignored. (Again, only consider these statements in the context of PIM dense mode.)


How is it on SRX1? Do we have to enable PIM dense mode on the interface facing the source?


LHR, i.e. SRX2 connected to the RECEIVER:


In Cisco, ip pim dense also enables IGMP on the interface facing the RECEIVER, which means the LHR is now sending PIM hellos and IGMP queries as well. If we do not have any PIM router on the interface, just a receiver, which is the case here, we can use ip pim passive, which stops the PIM hellos; so basically we now have IGMP between the LHR and the RECEIVER, and the router can still create a (*,G) entry in the table. (Again, only consider these statements in the context of PIM dense mode.)


On SRX2 (Juniper), do we have to enable PIM on the interface connected to the RECEIVER, or can we simply use IGMP between the LHR and the receiver? Will the SRX still be able to create (*,G) state if we have only IGMP running between the SRX and the receiver, as we see in Cisco?


Thanks and have a nice weekend!!


Arp question, arp-resp on lo0

I tried to configure the arp-resp command on the lo0.0 interface and it did not work. It isn't a sub command there. I thought I did successfully use it in the past. About a day or two ago. Weird. Any comments or experiences?

Dyn VPN with SRX behind NAT Device, and Split Tunnel


Hi,


I'm trying to establish a Dynamic VPN in which the SRX is behind a 1-to-1 NAT device, with split tunnel enabled.


The connection is successful, but I'm experiencing a weird behavior.

Internet browsing is not working; meanwhile, I'm able to ping any public IPs.

BTW, I have the below DNS command:

set access address-assignment pool dyn-vpn-address-pool family inet xauth-attributes primary-dns dns_ip_address


Any idea?


Thank you

SRX340 max. sessions


Hi there,


I've seen in the SRX3XX datasheet, more specifically this one: https://www.juniper.net/assets/fr/fr/local/pdf/datasheets/1000550-en.pdf , that the SRX340 has a maximum of 256,000 concurrent sessions, but on every SRX340 I've seen there is just a maximum of 131072. For example, if I run "show security monitoring fpc 0" on one of these SRXs, this is my result:


FPC 0
PIC 0
CPU utilization : 3 %
Memory utilization : 50 %
Current flow session : 776
Current flow session IPv4: 776
Current flow session IPv6: 0
Max flow session : 131072
Total Session Creation Per Second (for last 96 seconds on average): 24
IPv4 Session Creation Per Second (for last 96 seconds on average): 24
IPv6 Session Creation Per Second (for last 96 seconds on average): 0


Can somebody explain to me why this result appears? Maybe I'm misunderstanding something about how the SRX works...
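As an added example (not part of the post, and not a Juniper tool), the Python below parses counters from output laid out like the "show security monitoring fpc 0" text quoted above and reports how full the session table is against an expected maximum supplied by the caller. The sample output is constructed from the figures in the post; the `datasheet_max` and `warn_pct` parameters are assumptions for the example. The useful check is the comparison of the device's own "Max flow session" value with what you expect for the platform, alongside the current utilisation.

```python
import re

# Constructed sample text, modelled on the "show security monitoring fpc 0"
# output quoted in the post; it is not captured from a real device.
SAMPLE_OUTPUT = """\
FPC 0
PIC 0
CPU utilization : 3 %
Memory utilization : 50 %
Current flow session : 776
Current flow session IPv4: 776
Current flow session IPv6: 0
Max flow session : 131072
Total Session Creation Per Second (for last 96 seconds on average): 24
IPv4 Session Creation Per Second (for last 96 seconds on average): 24
IPv6 Session Creation Per Second (for last 96 seconds on average): 0
"""

# "<key> [ (qualifier) ] : <integer>"; the qualifier in parentheses is dropped.
_FIELD = re.compile(r"^(?P<key>[A-Za-z0-9 ]+?)\s*(?:\([^)]*\))?\s*:\s*(?P<val>\d+)")


def parse_fpc_monitoring(text):
    """Return a dict of every numeric counter found in the output."""
    counters = {}
    for line in text.splitlines():
        m = _FIELD.match(line.strip())
        if m:
            counters[m.group("key").strip()] = int(m.group("val"))
    return counters


def session_table_report(text, datasheet_max, warn_pct=80):
    """Compare the device's session limit and usage with the expected capacity.

    datasheet_max: the maximum you expect for the platform (assumed input).
    warn_pct: utilisation above which the table is flagged as near capacity.
    """
    c = parse_fpc_monitoring(text)
    current = c["Current flow session"]
    maximum = c["Max flow session"]
    used_pct = round(100.0 * current / maximum, 2)
    return {
        "current": current,
        "max": maximum,
        "used_pct": used_pct,
        "sessions_per_second": c.get("Total Session Creation Per Second"),
        "matches_datasheet": maximum == datasheet_max,
        "near_capacity": used_pct >= warn_pct,
    }


if __name__ == "__main__":
    for key, value in session_table_report(SAMPLE_OUTPUT, 256000).items():
        print("%-20s %s" % (key, value))
```

Run against the sample, the report shows the device-reported maximum (131072) does not match the 256,000 figure the poster expects, which is the discrepancy to take to support; the utilisation figure is what you would alert on in monitoring.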

SRX VPN Tunnel Change MTU size


Hi,


I have a branch router in a different country with IPsec VPN tunnels set up. Recently there have been intermittent latency issues due to network congestion experienced by the ISP in the remote country.


My st0 is set with the default MTU size. Would I see any improvement if I change the MTU size to 1500 for the st0 interface only on the remote router? Do I need to change the TCP MTU size too?


IS-IS and VLANs


Hi all,

Does anyone have any pointers for running IS-IS between SRXs with a VLAN in between?

Setup is as follows:

Router A

ge-0/0/2 - vlan-tagging, mtu 1540, unit 5 vlan-id 5, family inet address 10.128.1.1/29, family iso


Switch B

trunk port with tagging for vlans 5-8, mtu 1540

untagged ports for vlan 5 (one of which connected to....)


Router C

ge-0/0/1 unit 0 family inet address 10.128.1.2/29, family iso.


I have tried setting up ge-0/0/2.5 with both passive and non-passive in the IS-IS config, and neither shows an adjacency.

Why does mixed mode setup on SRX5800 need a reboot?


Hi all,


Based on this URL https://www.juniper.net/documentation/en_US/junos/topics/concept/security-mixed-mode-understanding.html it should not require a reboot. On Junos version 15.xD30 it didn't need a reboot when we set up mixed mode. But suddenly on version 15.1X49-D70.3 it requires a reboot. Can somebody confirm this?


test@SRX5800# commit check
warning: Interfaces are changed from route mode to mix mode. Please reboot the device or all nodes in the HA cluster!
warning: Interfaces are changed from route mode to mix mode. Please reboot the device or all nodes in the HA cluster!
warning: Interfaces are changed from route mode to mix mode. Please reboot the device or all nodes in the HA cluster!
warning: Interfaces are changed from route mode to mix mode. Please reboot the device or all nodes in the HA cluster!
warning: Interfaces are changed from route mode to mix mode. Please reboot the device or all nodes in the HA cluster!
warning: Interfaces are changed from route mode to mix mode. Please reboot the device or all nodes in the HA cluster!
warning: Interfaces are changed from route mode to mix mode. Please reboot the device or all nodes in the HA cluster!
warning: Interfaces are changed from route mode to mix mode. Please reboot the device or all nodes in the HA cluster!
node1:
configuration check succeeds
node0:
warning: Interfaces are changed from route mode to mix mode. Please reboot the device or all nodes in the HA cluster!
warning: Interfaces are changed from route mode to mix mode. Please reboot the device or all nodes in the HA cluster!
warning: Interfaces are changed from route mode to mix mode. Please reboot the device or all nodes in the HA cluster!
warning: Interfaces are changed from route mode to mix mode. Please reboot the device or all nodes in the HA cluster!
warning: Interfaces are changed from route mode to mix mode. Please reboot the device or all nodes in the HA cluster!
warning: Interfaces are changed from route mode to mix mode. Please reboot the device or all nodes in the HA cluster!
warning: Interfaces are changed from route mode to mix mode. Please reboot the device or all nodes in the HA cluster!
warning: Interfaces are changed from route mode to mix mode. Please reboot the device or all nodes in the HA cluster!
configuration check succeeds


Thanks

IP Sec VPN implementation


Hi,


Can anyone tell me if it's possible to use IPsec VPN when there is only one SRX available, as I believe it is only possible when we have 2 x SRX devices.


Regards,


Mannan

SRX with GRE and NAT scenario


Hello everyone,


Please consider the following set up:

 SERVER 10.10.10.10---10.10.10.1-f1 SRX1-f2 199.199.199.2---INTERNET----200.200.200.2-f2-SRX2-f1-10.11.11.0/24 hosts

Above we have:

GRE tunnel between SRX1/SRX2, i.e.

SRX1

gr-0/1/0.0

Tunnel source 199.199.199.2

Tunnel destination 200.200.200.2

IP address 172.172.172.1/24

We place the tunnel in ZONE A

Also we place the physical interface f1 that GRE is riding on in ZONE AA


SRX2 :

gr-0/1/0.0

Tunnel source 200.200.200.2

Tunnel destination 199.199.199.1

IP address 172.172.172.2/24

We place the tunnel in ZONE B

Also we place the physical interface f1 that GRE is riding on in ZONE AA


Goals:

All hosts on 10.11.11.0/24 will send traffic to 10.10.10.12, which is GRE encapsulated with outer IP header SRC IP 200.200.200.2, DEST IP 199.199.199.2.

SRX1 will encapsulate the GRE packet and recover the original packet with src in 10.11.11.0/24 and destination 10.10.10.12.

SRX1 is configured with a STATIC NAT rule which says: if the packet is received from a CERTAIN ZONE and the destination IP is 10.10.10.12, then replace the destination IP with 10.10.10.10.

So that is how traffic from hosts on 10.11.11.0/24 to the Server flows.


QUESTION:

  • On SRX1, what should that certain zone be for the NAT rule: the zone associated with the physical interface f1, i.e. ZONE AA, or the zone associated with the GRE tunnel, i.e. ZONE A?


Thanks and have a nice day!!
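The two posts "STATIC NAT and Security Policy on SRX" (cases 1 and 2) and "SRX with GRE and NAT scenario" ask the same underlying question: at which point in the first-packet path the zones are fixed and what happens to reply traffic. The Python below is an added, simplified model written for this page; it is not Juniper code and not a description of the flow daemon's internals. It encodes the order the model assumes: from-zone from the ingress interface (a gr- interface counts as an ingress interface), static NAT on the destination, route lookup on the post-NAT destination to find the to-zone, policy lookup, and only then reverse static NAT and source NAT; reply packets match the stored session and are translated back without a second NAT or policy lookup. Addresses and zone names come from the posts; the interface names F1/F2, the route table, the policy names and the server zone ZONE-SRV on SRX1 are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ingress_if: str  # interface the packet arrived on; a gr- interface for GRE


@dataclass
class Session:
    from_zone: str
    to_zone: str
    policy: str
    orig_src: str  # client-side wing (pre-NAT addresses)
    orig_dst: str
    xlat_src: str  # server-side wing (post-NAT addresses)
    xlat_dst: str


class SrxFlow:
    """Toy model of the SRX first-packet path (assumed ordering, see lead-in)."""

    def __init__(self, if_zone, routes, static_nat, source_nat, policies):
        self.if_zone = if_zone        # interface name -> zone
        self.routes = routes          # (prefix, egress interface)
        self.static_nat = static_nat  # (from-zone, external addr, internal addr)
        self.source_nat = source_nat  # (from-zone, to-zone, pool addr)
        self.policies = policies      # (from-zone, to-zone, name, action)
        self.sessions = []

    def _route_zone(self, dst):
        """Longest-prefix route lookup; the egress interface's zone is the to-zone."""
        addr = ipaddress.ip_address(dst)
        hits = [(ipaddress.ip_network(p), i) for p, i in self.routes
                if addr in ipaddress.ip_network(p)]
        if not hits:
            raise LookupError("no route to %s" % dst)
        return self.if_zone[max(hits, key=lambda h: h[0].prefixlen)[1]]

    def _policy(self, from_zone, to_zone):
        for f, t, name, action in self.policies:
            if (f, t) == (from_zone, to_zone):
                return name, action
        return "default-deny", "deny"

    def process(self, pkt):
        """Return (session, packet as forwarded) or (None, None) when dropped."""
        # A reply matches the existing session: the stored translation is undone
        # and neither NAT rules nor policies are evaluated again.
        for s in self.sessions:
            if (pkt.src, pkt.dst) == (s.xlat_dst, s.xlat_src):
                return s, Packet(s.orig_dst, s.orig_src, pkt.ingress_if)
        return self._first_packet(pkt)

    def _first_packet(self, pkt):
        # 1. from-zone is the zone of the ingress interface (for traffic arriving
        #    through a GRE tunnel that is the zone holding the gr- interface).
        from_zone = self.if_zone[pkt.ingress_if]
        # 2. Static NAT on the destination runs before the route lookup.
        dst = pkt.dst
        for zone, external, internal in self.static_nat:
            if zone == from_zone and pkt.dst == external:
                dst = internal
        # 3. Route lookup on the post-NAT destination decides the to-zone.
        to_zone = self._route_zone(dst)
        # 4. Policy lookup sees the post-NAT destination and the pre-NAT source.
        name, action = self._policy(from_zone, to_zone)
        if action != "permit":
            return None, None
        # 5. Reverse static NAT (server-initiated flows) and source NAT are
        #    applied only after the policy has permitted the session.
        src = pkt.src
        for zone, external, internal in self.static_nat:
            if zone == to_zone and pkt.src == internal:
                src = external
        for f, t, pool in self.source_nat:
            if (f, t) == (from_zone, to_zone):
                src = pool
        s = Session(from_zone, to_zone, name, pkt.src, pkt.dst, src, dst)
        self.sessions.append(s)
        return s, Packet(src, dst, pkt.ingress_if)


# Constructed topologies: cases 1 and 2 of the static NAT post, and SRX1 of
# the GRE post. Interface names, routes and policy names are assumptions.
ZONES = {"F1": "ZONE-A", "F2": "ZONE-B"}
ROUTES = [("199.199.199.0/24", "F1"), ("10.10.10.0/24", "F2")]
PERMIT_A_TO_B = [("ZONE-A", "ZONE-B", "A-to-B", "permit")]


def build_case1():
    """Destination-only static NAT: 200.200.200.2 -> 10.10.10.2 for zone A."""
    return SrxFlow(ZONES, ROUTES, [("ZONE-A", "200.200.200.2", "10.10.10.2")], [], PERMIT_A_TO_B)


def build_case2():
    """Source NAT: everything from zone A to zone B leaves as 10.10.10.10."""
    return SrxFlow(ZONES, ROUTES, [], [("ZONE-A", "ZONE-B", "10.10.10.10")], PERMIT_A_TO_B)


def build_gre():
    """SRX1 of the GRE post: gr-0/1/0.0 in ZONE-A, underlay in ZONE-AA, servers in assumed ZONE-SRV."""
    return SrxFlow(
        {"gr-0/1/0.0": "ZONE-A", "f2": "ZONE-AA", "f1": "ZONE-SRV"},
        [("10.11.11.0/24", "gr-0/1/0.0"), ("10.10.10.0/24", "f1"), ("0.0.0.0/0", "f2")],
        [("ZONE-A", "10.10.10.12", "10.10.10.10")], [],
        [("ZONE-A", "ZONE-SRV", "gre-hosts-to-server", "permit")])
```

Walking case 1 through `process()`: H1's first packet is NATted to 10.10.10.2, routed to F2, and matched against a ZONE-A to ZONE-B policy; the server's reply is recognised as the session's reverse wing and has its source rewritten back to 200.200.200.2 without any zone lookup on that address. In the GRE model the decapsulated packet's from-zone is the zone of gr-0/1/0.0, so that is the zone the static NAT rule is keyed on; a packet that matches no policy (for example a server-initiated flow from ZONE-B to ZONE-A with no policy for that pair) is dropped before any source translation.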

jdhcpd - adding permanent arp entry for leases


I've been in contact with Juniper regarding their deprecation of the "old" dhcpd service in favor of jdhcpd in Junos. The new jdhcpd service adds a permanent ARP entry for its leases into the ARP table. This has complications for situations where you have, e.g., a wifi-ethernet bridge connecting a "remote" ethernet to the SRX via wifi while requiring at least WPA2-PSK/Enterprise on the wifi. What I have observed is that the jdhcp service reads the DHCP request and allocates an IP according to the client's MAC address, but when adding the MAC to the ARP table it uses the wifi bridge's MAC for the IP. This effectively blocks all traffic to the client. For the old dhcp service this isn't an issue; it's even proposed as a work-around for jdhcp (https://kb.juniper.net/InfoCenter/index?page=content&id=KB28646).


Now to my point. Since dhcp is being deprecated in favor of jdhcp, the work-around will no longer be valid. I have requested that adding the MAC as "permanent" in the ARP table be made configurable instead of how it is now with jdhcp. This is requested through ER-075195, so if anyone else would like to make their voice heard on this, please contact your local sales team and have them push for this ER, to increase the likelihood of it getting implemented.


Simple schematic:

client <-ethernet-> wifi-bridge <-wifi-> wifi-access-point <- ethernet -> srx


That's all folks :)

/mille
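The symptom described in the post (the lease is issued to the client's MAC, but the permanent ARP entry for that IP points at the bridge's MAC) can be detected from the device's own state before anyone reports lost connectivity. The Python below is an added example, not Juniper code and not the poster's: it parses text laid out like "show dhcp server binding" and "show arp", pairs them by IP, and reports every lease whose ARP MAC differs from the MAC the lease was granted to. The sample outputs are constructed for this example (addresses from the 192.0.2.0/24 documentation range); the column layout is modelled on those commands, and the parser only relies on finding an IPv4 address and a MAC on the same line, so minor layout differences do not matter.

```python
import re

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
MAC = r"([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})"

# Constructed sample laid out like "show dhcp server binding" (not real output).
SAMPLE_BINDINGS = """\
IP address        Session Id  Hardware address   Expires     State      Interface
192.0.2.20        3           00:11:22:33:44:55  86000       BOUND      ge-0/0/1.0
192.0.2.21        4           00:11:22:33:44:66  85990       BOUND      ge-0/0/1.0
192.0.2.22        5           00:11:22:33:44:77  85980       BOUND      ge-0/0/1.0
"""

# Constructed sample laid out like "show arp". 192.0.2.20 sits behind a wifi
# bridge, so its permanent entry carries the bridge's MAC; 192.0.2.22 has no
# entry at all.
SAMPLE_ARP = """\
MAC Address       Address         Name                      Interface               Flags
aa:bb:cc:dd:ee:ee 192.0.2.20      192.0.2.20                ge-0/0/1.0              permanent
00:11:22:33:44:66 192.0.2.21      192.0.2.21                ge-0/0/1.0              permanent
"""


def parse_bindings(text):
    """Map leased IP -> MAC the lease was issued to (from the DHCP request)."""
    leases = {}
    for line in text.splitlines():
        m = re.search(IPV4 + r"\s+\d+\s+" + MAC, line)
        if m:
            leases[m.group(1)] = m.group(2).lower()
    return leases


def parse_arp(text):
    """Map IP -> (MAC, flags) from the ARP table; flags is the last column."""
    table = {}
    for line in text.splitlines():
        m = re.search(r"^" + MAC + r"\s+" + IPV4 + r".*?(\S+)\s*$", line)
        if m:
            table[m.group(2)] = (m.group(1).lower(), m.group(3))
    return table


def find_mac_mismatches(bindings_text, arp_text):
    """Return one finding per lease whose ARP entry is missing or has a different MAC."""
    leases = parse_bindings(bindings_text)
    arp = parse_arp(arp_text)
    findings = []
    for ip, lease_mac in sorted(leases.items()):
        entry = arp.get(ip)
        if entry is None:
            findings.append({"ip": ip, "issue": "no ARP entry", "lease_mac": lease_mac})
        elif entry[0] != lease_mac:
            findings.append({"ip": ip, "issue": "ARP MAC differs from lease MAC",
                             "lease_mac": lease_mac, "arp_mac": entry[0], "flags": entry[1]})
    return findings


if __name__ == "__main__":
    for f in find_mac_mismatches(SAMPLE_BINDINGS, SAMPLE_ARP):
        print(f)
```

On a real device you would feed the two command outputs in (for example via the CLI's `| display xml` or plain text capture) and alert on any "ARP MAC differs from lease MAC" finding whose flags say `permanent`, since that is exactly the state the post describes: a static entry that will not be corrected by normal ARP refresh.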

SRX1800 LAC


Quick question....


Can an SRX1800 be configured to act as a LAC (L2TP Access Concentrator)?

SRX 1400 - redirect blocked users to custom URL

I have an SRX 1400 on JUNOS 12.3X48-D40.5


Imagine having, among others, the following zones: UNTRUSTED-CLIENTS, WORLD and INTRANET.


I want to block all traffic from UNTRUSTED-CLIENTS to WORLD, but I want users to know why they are being blocked, thus I want them to be redirected to a custom URL (e.g. http://lockmessage.local) on a machine located in INTRANET.

Attempt

I have created a simple Application Firewall profile that should match all traffic and deny it with a custom-redirect-url specified. This profile has then been attached to a permit policy.

Result

  • The policy is correctly matched against traffic (as evidenced in logs)
  • The user cannot access any URL in the WORLD zone, but...
  • The user does NOT reach the designated URL, getting a timeout instead :(
  • No traffic between UNTRUSTED-USERS and INTRANET is logged

Any suggestions?

  • Should this work, or am I completely wrong?
  • What might be missing?
  • Is there another way I can achieve what I want?

Config

Application firewall:

application-firewall {
    profile Block-Message-profile {
        block-message {
            type {
                custom-redirect-url {
                    content http://blockmessage.local;
                }
            }
        }
    }
    rule-sets Block-Message {
        rule Dummy-Policy-Deny-Everything {  # I am using any application available, since I need at least one rule;
            match {
                dynamic-application junos:GOOGLE;
                ssl-encryption any;
            }
            then {
                deny {
                    block-message;
                }
            }
        }
        default-rule {  # For all other websites - also block
            deny {
                block-message;
            }
        }
        profile Block-Message-WLAN-profile;
    }
}

Afterwards, the policy (logging omitted to make it tidy):

policies {
    from-zone UNTRUSTED-CLIENTS to-zone WORLD {
        policy REDIRECT-UNTRUSTED-CLIENTS-TO-BLOCK-URL {
            match {
                source-address any;
                destination-address any;
                application [ junos-http junos-https ];
            }
            then {
                permit {
                    application-services {
                        application-firewall {
                            rule-set Block-Message;
                        }
                    }
                }
            }
        }
    }
    from-zone UNTRUSTED-CLIENTS to-zone INTRANET {
        policy ALLOW-ACCESS-TO-BLOCK-URL-SERVER {
            match {
                source-address any;
                destination-address BOCK-URL-SERVER;
                application [ junos-http junos-https ];
            }
            then {
                permit;
            }
        }
    }
}

Controlling Multicast stream on SRX enabled for PIM DENSE MODE


Hi everyone,


Please consider the following set up:


S-----f1 SRX1—f2------WAN-----f2SRX2—Receiver (239.2.2.2)


Above we have a multicast source sending traffic to 239.1.1.1; SRX1 is running PIM dense mode on all interfaces, including f2.

Only f2 is shown for brevity

Our issue:

All traffic destined to 239.1.1.1 is flooded out of F2, where it gets pruned as there is no receiver off that interface. It consumes slow WAN bandwidth.

Can we do this? (Assume we cannot use SPARSE MODE.)

Apply a filter on egress of F2 on SRX1 that denies all traffic destined to 239.1.1.1?


Thanks and have a nice day!!

Dynamic DNS script not working


Found an article here: https://forums.juniper.net/t5/Junos-Automation-Scripting/Script-for-DDNS/td-p/56004


I set this script up, and I can manually execute it as an "op" script and it works fine. When I let the event trigger the script, I see in the "messages" log file that it can't find the file that's supposed to be written to /var/log. It appears that the script can't write to the /var/log folder, but I've changed it around, checked permissions, and still can't get the script to write anywhere.


I'm using an SRX300 on 15.1X49-D80.4, trying to use this with the No-IP dynamic DNS service. Like I said, it works fine when I manually execute the script in the console...


I'd be grateful for any advice.


Thanks!

Arp-resp on avaya stack

I have a problem with using arp-resp on a stack. Any help would be appreciated.

How to convert this command on ScreenOS to SRX?


Hi all,


Below is the command in ScreenOS. The I2J tool fails to convert these commands. May I know how to convert them into SRX Junos?


set service "FTP" timeout 1
set service "HTTPS" timeout 40
set service "SIP" timeout never
set service "TELNET" timeout 1

set service "MySQL&SQLnetCustom10" protocol tcp src-port 0-65535 dst-port 7000-7000
set service "MySQL&SQLnetCustom10" + tcp src-port 0-65535 dst-port 3300-3300
set service "MySQL&SQLnetCustom10" timeout never


Thanks, and I appreciate anyone's feedback.

Arp and NDP on different interfaces...

I am running ARP on my VLAN and NDP on my ingress/egress interface (not the VLAN, ge-0/0/0.0), the cable modem WAN. Does anybody have comments? I can't get NDP to stick to my VLAN.