By default, SRX sends as best-effort. Is it possible to set the priority to Network Control? I have a QoS policy on the outbound; I assume keepalive messages will be subject to this?
Thanks
Hi All,
Please forgive my newbness. I will most likely be outsourcing this unless I can get on some training, but I'm after some confirmation.
I need to link 5 facilities together. I was initially thinking MPLS or Ethernet services from our ISP (not ruled out yet). Another suggestion has been IPsec VPNs.
Most sites are using Juniper SRX (220 and 320), although one is on a Palo Alto and another is on Smoothwall, so will change them if needed, but...
Each site has between 900 and 1800 users (about 200-600 active concurrently). The sites will house half a dozen servers which will regularly replicate to a DC. Facilities currently have a 300 Mbps internet connection (looking to upgrade in the future), but I'm wondering if SRXs are sufficient for this use and whether they will support this kind of VPN topology.
Hi all,
I have a question, and it contradicts what JTAC said to me. Below is the log that appears when I commit the change. During the commit, all the sessions that were logged in (application) were kicked out and needed to log in again. JTAC said that when we change the MTU: "MTU size change WOULD NOT affect the current sessions and only new sessions. The only change that would affect current sessions would be MSS value which is a per policy/flow session."
But
{primary:node1}
test@srx2> show log messages | last 300 | no-more
Dec 6 20:00:30.000 2017 srx2 : %USER-4: (FPC Slot 0, PIC Slot 3) SPC0_PIC3 kernel: iff_handle_ifa_delete: deletion of address on IFL reth8 has resulted in the removal of primary source address
Dec 6 20:00:30.000 2017 srx2 : %USER-4: (FPC Slot 0, PIC Slot 2) SPC0_PIC2 last message repeated 15 times
Dec 6 20:00:30.000 2017 srx2 : %USER-4: (FPC Slot 0, PIC Slot 2) SPC0_PIC2 kernel: lage_iffconfig: reth8.32767 not found!
Dec 6 20:00:30.000 2017 srx2 : %USER-4: (FPC Slot 0, PIC Slot 2) SPC0_PIC2 kernel: lage_iffconfig: reth8.700 not found!
Dec 6 20:00:30.000 2017 srx2 : %USER-4: (FPC Slot 0, PIC Slot 2) SPC0_PIC2 kernel: lage_iffconfig: reth8.711 not found!
Dec 6 20:00:30.000 2017 srx2 : %USER-4: (FPC Slot 0, PIC Slot 2) SPC0_PIC2 kernel: lage_iffconfig: reth8.722 not found!
Dec 6 20:00:30.000 2017 srx2 : %USER-4: (FPC Slot 0, PIC Slot 2) SPC0_PIC2 kernel: lage_iffconfig: reth8.721 not found!
Dec 6 20:00:30.000 2017 srx2 : %USER-4: (FPC Slot 0, PIC Slot 2) SPC0_PIC2 kernel: lage_iffconfig: reth8.720 not found!
Dec 6 20:00:30.000 20177 srx2 : %USER-4: (FPC Slot 0, PIC Slot 3) SPC0_PIC3 last message repeated 15 times
Dec 6 20:00:30.000 2017 srx2: %USER-4: (FPC Slot 0, PIC Slot 3) SPC0_PIC3 kernel: lage_iffconfig: reth8.32767 not found!
Dec 6 20:00:30.000 2017 srx2 : %USER-4: (FPC Slot 0, PIC Slot 3) SPC0_PIC3 kernel: lage_iffconfig: reth8.700 not found!
Dec 6 20:00:30.000 2017 srx2 : %USER-4: (FPC Slot 0, PIC Slot 3) SPC0_PIC3 kernel: lage_iffconfig: reth8.711 not found!
Thanks and appreciate some feedback
Hi all,
Let's say I previously set up the chassis cluster. But due to a certain issue, Node1 needed to be powered off for almost 3 weeks, so all the updated config is on Node0. When I join Node1 back to the cluster, is there some hidden command that can verify that Node1 has the same updated config as Node0? I understand that when Node1 joins the cluster all the latest config will sync to Node1, but just as a precaution, to make sure it is the same on both nodes.
Thanks and appreciate any feedback
Hi folks,
I have a topology with 2 devices running NAT, shown below:
The PC is double NATed before going out to the Internet.
After that, the PC cannot access a web server on the Internet. I have ping tested the web server's IP and DNS 8.8.8.8, and it works. Then, testing with a packet capture via Wireshark, the result does not show any DNS response from the DNS server (only the DNS query from the PC).
Can anyone explain the reason for the case above?
Regards,
Hoang Nguyen Huy
Hi,
I am trying to test some new security policies and have configured new zones and VRs.... but the Junos SRX seems to handle it differently to the old ScreenOS....
So I created 2 x new VRs labelled Green-VR and Customer-VR.... I then created 2 x zones labelled Green-DMZ and Customer-Network.... I then applied interface ge-0/0/2 to the Green side and interface ge-0/0/4 to the Customer side.
Okay, all good so far and committed okay....
So, then I complete the following command:
set interfaces ge-0/0/2 unit 0 family iso
Commit okay
set protocols isis interface ge-0/0/2.0
And I get the following error:
[edit protocols isis]
'interface ge-0/0/2.0'
IS-IS: interface is not in this instance
error: configuration check-out failed
Presumably because IS-IS does not know about the new VR and needs to know about it... but how? I can't find any documentation about this...
The SRX config is very simple:
set version 15.1X49-D110.4
set system root-authentication encrypted-password "$5$z0x/bUE1$7a0.XL.aD8Tj4HrTCLYWvinpjKFmI79nFjbCJF8HXj4"
set system name-server 8.8.8.8
set system name-server 8.8.4.4
set system login user Clive uid 2000
set system login user Clive class super-user
set system login user Clive authentication encrypted-password "$5$Qx1BnOI.$haJ9bhIUBcROyvUpibcE4UkYuYSuB8qTIMufMaaA7q9"
set system login user Jim uid 2003
set system login user Jim class super-user
set system login user Jim authentication encrypted-password "$5$2jd10ZcZ$WH.lj5bRlh7P4qV3tEDJnM2hwkAiT3OAADRi3j5Wqb8"
set system login user Lee uid 2002
set system login user Lee class super-user
set system login user Lee authentication encrypted-password "$5$EGzUTmfP$9ySV5xu4jyoPAno2qfRCjjDsAg1r9hreOFSu7luLXE/"
set system login user Oliver uid 2004
set system login user Oliver class super-user
set system login user Oliver authentication encrypted-password "$5$nHRTwAfF$O.7LJxttsI8Rgb8Qd/n0oEszEKk4CsE3GyLpyVcl5y/"
set system login user Stephen uid 2001
set system login user Stephen class super-user
set system login user Stephen authentication encrypted-password "$5$okr6bMjJ$bRThHm0wAqEB6T.QmSlbv.VRx31GvaNPhlC4K.0tHmD"
set system services ssh
set system services xnm-clear-text
set system services netconf ssh
set system services dhcp-local-server group jdhcp-group interface ge-0/0/1.0
set system services web-management https system-generated-certificate
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system max-configurations-on-flash 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set system phone-home server https://redirect.juniper.net
set system phone-home rfc-compliant
set security log mode stream
set security log report
set security forwarding-options family inet6 mode flow-based
set security forwarding-options family iso mode packet-based
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust interfaces ge-0/0/3.0
set security zones security-zone trust interfaces xe-0/0/16.0
set security zones security-zone trust interfaces xe-0/0/17.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services tftp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone NineGroup-DMZ interfaces ge-0/0/2.0
set security zones security-zone Customer-Network interfaces ge-0/0/4.0
set interfaces ge-0/0/0 unit 0 family inet dhcp-client update-server
set interfaces ge-0/0/1 unit 0 family inet
set interfaces ge-0/0/2 unit 0 description TO-THW-RADIUS-SERVER
set interfaces ge-0/0/2 unit 0 family inet address 172.16.16.39/24
set interfaces ge-0/0/2 unit 0 family iso
set interfaces ge-0/0/3 unit 0 family inet
set interfaces ge-0/0/4 unit 0 family inet address 192.168.1.2/24
set interfaces ge-0/0/4 unit 0 family iso
set interfaces xe-0/0/16 unit 0 description Group-ae2
set interfaces xe-0/0/16 unit 0 family inet
set interfaces xe-0/0/17 unit 0 family inet
set interfaces xe-0/0/18 unit 0 description Group-ae2
set interfaces ae2 unit 0 description TO-THW-CORE-01-ae2
set interfaces ae2 unit 0 family iso
set interfaces fxp0 unit 0 family inet address 185.89.120.8/24
set interfaces lo0 unit 0 family inet address 195.80.0.3/32
set interfaces lo0 unit 0 family iso address 49.0001.1950.0080.0003.00
set interfaces lo0 unit 0 family inet6 address 2a05:d840:000e:ffff:ffff:ffff:0000:0001/128
set routing-options static route 172.16.16.0/24 next-hop 172.16.16.39
set protocols isis export export_statics
set protocols isis level 1 authentication-key "$9$sxYJD.mT3/t5QtOIcvM-VwYaZDikPTz"
set protocols isis level 1 authentication-type md5
set protocols isis level 2 authentication-key "$9$Yo2ZjmPQn9pTzpBRSMWdbs2JGjHqfQF"
set protocols isis level 2 authentication-type md5
set protocols isis interface ae2.0
set protocols isis interface lo0.0 passive
set policy-options policy-statement export_statics term 1 from protocol static
set policy-options policy-statement export_statics term 1 then accept
set access address-assignment pool junosDHCPPool family inet network 192.168.2.0/24
set access address-assignment pool junosDHCPPool family inet range junosRange low 192.168.2.2
set access address-assignment pool junosDHCPPool family inet range junosRange high 192.168.2.254
set access address-assignment pool junosDHCPPool family inet dhcp-attributes router 192.168.2.1
set access address-assignment pool junosDHCPPool family inet dhcp-attributes propagate-settings ge-0/0/0.0
set routing-instances Customer-VR instance-type virtual-router
set routing-instances Customer-VR interface ge-0/0/4.0
set routing-instances NineGroup-VR instance-type virtual-router
set routing-instances NineGroup-VR interface ge-0/0/2.0
Thanks
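As an added example (not from the post or the original device config), the way IS-IS is scoped to a virtual router in Junos: the protocol stanza moves under the routing instance, and a dedicated lo0 unit owned by that instance carries the NET it will use. The instance and interface names are taken from the post; the lo0.1 addresses and the authentication key are constructed placeholders, and ge-0/0/2.0 keeps its zone membership as configured in the post.

```junos
## Added example: IS-IS inside the NineGroup-VR virtual router rather than
## under the global [edit protocols isis]. The lo0.1 addresses and the key
## below are constructed placeholders, not values from the post.

## A per-instance loopback unit carries the NET for this instance; the
## global lo0.0 NET is not visible from inside the virtual router.
set interfaces lo0 unit 1 family inet address 192.0.2.1/32
set interfaces lo0 unit 1 family iso address 49.0001.1920.0020.0001.00

## The virtual router owns the customer-facing unit and its own loopback.
set routing-instances NineGroup-VR instance-type virtual-router
set routing-instances NineGroup-VR interface ge-0/0/2.0
set routing-instances NineGroup-VR interface lo0.1

## Protocol configuration lives under the instance, so the instance's
## IS-IS process knows the interface and the "not in this instance" check passes.
set routing-instances NineGroup-VR protocols isis level 1 authentication-type md5
set routing-instances NineGroup-VR protocols isis level 1 authentication-key "PLACEHOLDER-KEY"
set routing-instances NineGroup-VR protocols isis level 2 authentication-type md5
set routing-instances NineGroup-VR protocols isis level 2 authentication-key "PLACEHOLDER-KEY"
set routing-instances NineGroup-VR protocols isis interface ge-0/0/2.0
set routing-instances NineGroup-VR protocols isis interface lo0.1 passive
```

The global `set protocols isis interface ae2.0` and `lo0.0 passive` lines from the post stay as they are; they describe a separate IS-IS process in the default instance.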
Hi,
has anybody some experience on failover duration ?
I have an SRX-550M cluster, connected on the downlink side to an (HPE) L3 switch cluster, in a 'square' architecture:
| |
SRX1--SRX2
| |
SW1--SW2
Each SRX is connected to its SW via 8 aggregated links.
Routing is made with secondary routes : on the SW cluster, one default route to SRX1 and one route with lower priority to SRX2. On the SRX cluster, routes to SW1 and routes with lower priority to SW2.
RG0 and RG1 are configured for uplink interconnection.
I tried 4 configs, combinations of:
- static or dynamic LAGs,
- BFD to supervise routes in order to accelerate secondary route activation in case of loss of chassis #1 or interfaces on chassis #1.
I ran traffic crossing the whole chain and measured the traffic interruption when I performed a manual failover (by CLI); here are the results:
1. without lacp and without bfd : traffic interruption ~ 1s : very good
2. with lacp and without bfd : traffic interruption ~ 18s
3. without lacp and with bfd : traffic interruption ~ 22s
4. with lacp and with bfd : traffic interruption ~ 28s : very bad
Is that 'normal', compared to the SRX, to have such a high duration as soon as I add protocols? Or do you think there is a 'problem somewhere'?
The only clue I found at Juniper is :
(https://www.juniper.net/documentation/en_US/junos/topics/concept/chassis-cluster-redundancy-group-failover-manual-understanding.html)
Caution: Be cautious and judicious in your use of redundancy group 0 manual failovers. A redundancy group 0 failover implies a Routing Engine failover, in which case all processes running on the primary node are killed and then spawned on the new master Routing Engine. This failover could result in loss of state, such as routing state, and degrade performance by introducing system churn.
Thanks for your advice!
Hi all,
Have got a setup whereby a satellite site is connected via an IPsec VPN, routes are exchanged via BGP, and the satellite site has a local internet breakout (web/email/DNS traffic picked up by a firewall filter and sent to a separate routing instance) to save VPN bandwidth.
For the most part, everything is working fine, but I've got a corner case that's failing.
Our public IP space is at the main site, and a device on the satellite has a static NAT set at the main site on one of the public IPs.
When trying to use this, all traffic is failing if originating from off the network, but sessions from the target device outwards pick up the public IP correctly. Have checked flow traces and it's not a security policy issue on either SRX; it's a routing issue at the satellite site. Flow traces are failing with an incorrect route lookup and the interface invalid route counter is increasing.
Clearly I've missed something somewhere but can't work out for the life of me what it is.
Will post up configs and route-tables in a sec once I've cleared out the identifiable info
Is there a way to improve the detection of a link failure? If I manually disconnect a fiber, I see the link led up for a second (after the disconnection) and then goes down.
Thanks
Hello-
I have an SRX300 and have created quite a few port forwarding instances. I recently created one and it works intermittently. I am connecting to an NVR with a web browser and I have 2 issues:
Going to the URL, say http://11.22.33.44:1080, sometimes the page comes right up, sometimes I have to wait, sometimes it doesn't come up at all. Currently, port 1080 goes to port 1080 internally (was previously translating to port 80 on the inside). When I have to wait or if it is not responding, running "show security flow session destination-port 1080" does not show any results; once the connection happens, then the session flow shows up.
If the page does come up and I then start looking at the various camera views, it will run for a while and then stop. By a while, I mean that the session can last 5 minutes or 2 hours or 5 hours - there's just no rhyme or reason.
I have a PC on the inside of the network and it can connect first time, every time, and run all day.
Anyone have a clue?
Good Evening
I have noticed a lot of our ISPs down here are now running IPoE. The issue is that the SRX thinks everything is OK if there is an upstream issue, as it only needs to try every few hours to renew its IP address via IPoE/DHCP. Is there a safe way to reset the interface or flush the 0.0.0.0/0 route discovered by DHCP from the route table if there is an ISP outage? The issue is that the next hop is not working due to the faulty 0.0.0.0/0 path still being in the routing table. Disabling the interface is easy using event scripts, but we want the ability to just flush the DHCP route so that when the service comes back up again it will relearn that route. Yes, I know having BGP or BFD is a better option, but down here we have to deal with the NBN, which uses IPoE for most of their RSPs.
I want to create a policy on the SRX firewall to allow anything on *.cisco.com, any URI cisco.com/uri. I would say anything on the Cisco website, but block other websites.
For example: mycase.cloudapps.cisco.com
sso.cisco.com/autho/forms
Can we create an FQDN (DNS name object) for the above and allow it in the policy?
Hello,
I just started using an SRX device two days ago, so this might be a very newbie question.
I am basically trying to create a firewall policy using address books. I just want to confirm that this is the right way to configure this.
1) It's always better to use the global address book. If I define a non-global address book, that will need to be attached to a zone, and that address book will be usable only inside that zone's policies.
2) Firewall policies are written as shown below. There is no option to have just one policy with different terms (term1, term2, ...) like in a routing policy.
user@FW-01> show configuration security address-book
global {
    address Test 1.1.1.1/32;
    address New 3.3.3.0/27;
    address-set Test-Set {
        address Test;
        address New;
    }
}
user@FW-01> show configuration security policies from-zone untrust to-zone trust
policy Test {
    match {
        source-address Test-Set;
        destination-address any;
        application junos-tftp;
    }
    then {
        permit;
    }
}
policy New_Policy {
    match {
        source-address any;
        destination-address any;
        application junos-ike;
    }
    then {
        permit;
    }
}
user@FW-01>
Hi all,
May I know what "invalidated sessions" refers to? Does it refer to traffic dropped due to a policy deny, or to something else that needs detailed investigation? Appreciate any feedback.
{primary:node1}
test@srx5400> show security flow session summary
node0:
--------------------------------------------------------------------------
Flow Sessions on FPC0 PIC1:
Unicast-sessions: 64213
Multicast-sessions: 0
Services-offload-sessions: 0
Failed-sessions: 0
Sessions-in-use: 68415
Valid sessions: 64149
Pending sessions: 0
Invalidated sessions: 4266
Sessions in other states: 0
Maximum-sessions: 6291456
Flow Sessions on FPC0 PIC2:
Unicast-sessions: 62546
Multicast-sessions: 0
Services-offload-sessions: 0
Failed-sessions: 0
Sessions-in-use: 66487
Valid sessions: 63810
Pending sessions: 0
Invalidated sessions: 2677
Sessions in other states: 0
Maximum-sessions: 6291456
Flow Sessions on FPC0 PIC3:
Unicast-sessions: 62172
Multicast-sessions: 0
Services-offload-sessions: 0
Failed-sessions: 0
Sessions-in-use: 66204
Valid sessions: 64074
Pending sessions: 0
Invalidated sessions: 2130
Sessions in other states: 0
Maximum-sessions: 6291456
node1:
--------------------------------------------------------------------------
Flow Sessions on FPC0 PIC1:
Unicast-sessions: 63665
Multicast-sessions: 0
Services-offload-sessions: 0
Failed-sessions: 0
Sessions-in-use: 68093
Valid sessions: 62900
Pending sessions: 0
Invalidated sessions: 5193
Sessions in other states: 0
Maximum-sessions: 6291456
Flow Sessions on FPC0 PIC2:
Unicast-sessions: 62244
Multicast-sessions: 0
Services-offload-sessions: 0
Failed-sessions: 0
Sessions-in-use: 67517
Valid sessions: 62255
Pending sessions: 0
Invalidated sessions: 5262
Sessions in other states: 0
Maximum-sessions: 6291456
Flow Sessions on FPC0 PIC3:
Unicast-sessions: 61811
Multicast-sessions: 0
Services-offload-sessions: 0
Failed-sessions: 0
Sessions-in-use: 66183
Valid sessions: 61816
Pending sessions: 1
Invalidated sessions: 4366
Sessions in other states: 0
Maximum-sessions: 6291456
I am probing address 4.4.4.4; it shows PASS, but the history shows failed?
Probe name Test Name Address Status
---------------------- --------------- ---------------- ---------
INET-UP TargetIP 4.4.4.4 PASS
Owner, Test Probe Sent Probe received Round trip time
INET-UP, TargetIP Sat Dec 16 22:59:57 2017 Request timed out
INET-UP, TargetIP Sat Dec 16 23:00:22 2017 Request timed out
INET-UP, TargetIP Sat Dec 16 23:00:47 2017 Request timed out
show services rpm
probe INET-UP {
test TargetIP {
target address 4.4.4.4;
probe-interval 15;
test-interval 10;
thresholds {
successive-loss 3;
total-loss 3;
}
destination-interface ge-0/0/0.0;
}
}
show services ip-monitoring
policy INET-UP-MON {
match {
rpm-probe INET-UP;
}
then {
preferred-route {
route 4.2.2.2/32 {
next-hop 192.168.0.2;
}
}
}
}
show services ip-monitoring status
Policy - INET-UP-MON (Status: PASS)
RPM Probes:
Probe name Test Name Address Status
---------------------- --------------- ---------------- ---------
INET-UP TargetIP 4.4.4.4 PASS
Route-Action:
route-instance route next-hop state
----------------- ----------------- ---------------- -------------
inet.0 4.2.2.2/32 192.168.0.2 NOT-APPLIED
show services rpm history-results
Owner, Test Probe Sent Probe received Round trip time
INET-UP, TargetIP Sat Dec 16 22:59:57 2017 Request timed out
INET-UP, TargetIP Sat Dec 16 23:00:22 2017 Request timed out
INET-UP, TargetIP Sat Dec 16 23:00:47 2017 Request timed out
INET-UP, TargetIP Sat Dec 16 23:01:12 2017 Request timed out
INET-UP, TargetIP Sat Dec 16 23:01:37 2017 Request timed out
INET-UP, TargetIP Sat Dec 16 23:02:02 2017 Request timed out
INET-UP, TargetIP Sat Dec 16 23:02:27 2017 Request timed out
INET-UP, TargetIP Sat Dec 16 23:02:52 2017 Request timed out
Hello Experts,
Can anyone please verify my config if it will satisfy these 2 requirements:
1) Do static NAT translation from 10.10.200.10/11 to 10.10.22.10/11 when traffic flows from the trusted to the untrusted zone. Also, traffic will be translated from 10.10.22.10/11 to 10.10.200.10/11 when traffic hits the untrusted zone and is destined for the trusted zone.
set security nat static rule-set RS1 from zone untrust
set security nat static rule-set RS1 rule 1 match destination-address 10.10.22.10/32
set security nat static rule-set RS1 rule 1 then static-nat prefix 10.10.200.10/32
set security nat static rule-set RS1 rule 2 match destination-address 10.10.22.11/32
set security nat static rule-set RS1 rule 2 then static-nat prefix 10.10.200.11/32
2) Any traffic that flows from trust to untrust zone that doesn't have a static NAT entry should be translated to interface IP of untrust zone. If there is a static NAT entry, it should take precedence.
set security nat source rule-set RS1 from zone trust
set security nat source rule-set RS1 to zone untrust
set security nat source rule-set RS1 rule 255 match source-address 0.0.0.0/0
set security nat source rule-set RS1 rule 255 match destination-address 0.0.0.0/0
set security nat source rule-set RS1 rule 255 then source-nat interface
Hi There,
I am having an issue with my dynamic VPN using Pulse Secure. I am able to connect and get an IP, but I am not able to ping the resources. The strange thing is that I cannot even ping my SRX LAN IP.
below is my configuration.
nali@JEDDAH-JEDDAH-MDIA200# show security dynamic-vpn
access-profile SERVER;
clients {
all {
remote-protected-resources {
10.2.72.0/28;
}
remote-exceptions {
0.0.0.0/0;
}
ipsec-vpn DYN_VPN;
user {
client1;
}
}
}
[edit]
nali@JEDDAH-JEDDAH-MDIA200# show security ike
policy SERVER_IKE {
mode aggressive;
proposal-set standard;
pre-shared-key ascii-text "$9$n-3d9t0EhrMWxz3hyleXxjHqfF/tp0BEc0Odb"; ## SECRET-DATA
}
gateway SERVER_GW {
ike-policy SERVER_IKE;
dynamic {
hostname DYNVPN;
connections-limit 10;
ike-user-type group-ike-id;
}
external-interface ge-0/0/0.0;
xauth access-profile SERVER;
}
[edit]
nali@JEDDAH-JEDDAH-MDIA200# show security ipsec
vpn-monitor-options {
interval 10;
threshold 10;
}
policy IPSEC_DYN_POLICY {
proposal-set standard;
}
vpn DYN_VPN {
ike {
gateway SERVER_GW;
ipsec-policy IPSEC_DYN_POLICY;
}
}
[edit]
nali@JEDDAH-JEDDAH-MDIA200# show access address-assignment
pool SERVER_POOL {
family inet {
network 10.10.10.0/24;
xauth-attributes {
primary-dns 4.4.4.2/32;
}
}
}
[edit]
nali@JEDDAH-JEDDAH-MDIA200#
C:\Users\MRS-5>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection* 15:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::c03f:be5d:4968:bd12%17
IPv4 Address. . . . . . . . . . . : 10.10.10.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
hope someone can help me with many thanks in advance
I want to introduce a rate-limit (20 Mbps for example) for each client (inside, outside and DMZ) in my juniper SRX240
Hi everybody. I'm trying to configure an SRX1400 device in our laboratory to send jflow flows to a collector (nfdump + nfsen on CentOS). This is more or less the diagram:
Jflow packets have to be sent through fxp0.0 (is this possible?) that's our management network. Below's the configuration that I'm trying to implement:
set forwarding-options sampling input rate 1
set forwarding-options sampling input run-length 0
set forwarding-options sampling family inet output flow-server 10.16.130.205 port 9996
set forwarding-options sampling family inet output flow-server 10.16.130.205 aggregation destination-prefix
set forwarding-options sampling family inet output flow-server 10.16.130.205 source-address 10.16.130.24
set forwarding-options sampling family inet output flow-server 10.16.130.205 version 8
set interfaces ge-0/0/0 unit 1 family inet sampling input
set interfaces ge-0/0/0 unit 1 family inet sampling output
As I'm not receiving any information I've checked traffic in eth0 server's interface. I've run a tcpdump capture with fw source address but I'm only getting ARP requests... I can ping the server from the firewall so end to end connectivity is ok but I'm not receiving the flows.
Could anybody please help me with this?
Regards,
Luis
Hello Experts,
I am asked to replace a couple of firewalls with new SRX 345s. I have received the new hardware from the client, but I haven't got any license for the device. Do I need to install any sort of license on the device to deploy it as a standard firewall without any fancy capabilities like IPS?