Channel: SRX Services Gateway topics
Viewing all 3959 articles

What should the overhead be?


Greetings, I'm not a sophisticated user of my home SRX220. The reason for this post is a recent upgrade to Comcast DOCSIS 3.1 Gigaspeed. I can actually see this speed with a direct-to-modem connection from my PC, but no matter what I do to the router I can only see about 500 Mbps throughput at best. I have nothing complicated set up. I do have a DMZ set up on one port.

So far I have upgraded the software to the recommended version, disabled UTM, changed tcp-mss to 1460, and checked the connection wires (Cat6). None of this mattered.

What kind of throughput should I expect?

 

Thanks for any suggestions.

Mark


Upgrade to 12.1X46-D72 broke SSH


I have seen this with other versions, from 12.1X44-D35 to 12.1X46-D30, but out of 100 firewalls only about 4 experienced this issue.

Issue:

An SRX100H running 12.1X44-D40 was upgraded to 12.1X46-D72 via Junos Space. The upgrade reported as failed, but the customer isn't complaining about access and I can ping the inside interface. When I attempt to SSH to the firewall I get: "ssh_exchange_identification: Connection closed by remote host".

I asked Google but he didn't answer me. I only found references to upgrading to 17 and needing to enable an SSH command to correct it, but that's not my problem.

I have about 130 more SRX100Hs that I need to upgrade to the recommended code version, and I can't move forward if I'm going to lose management access.

Does anyone know how to prevent this from occurring?

Configuring srx300 to act as internal network switch with security zones

Hello, new to this, so if I leave something out please let me know. I have been trying for about 2 months to configure an SRX300 to act like an internal network switch with security zones, so I can restrict different departments from accessing different ports plugged in to the SRX300. I'm desperate; I am out of ideas.
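Editor's note, added example (not the poster's configuration): the following is one way to build what the post describes on an SRX300 running Junos 15.1X49 or later, where Layer 2 switching uses family ethernet-switching on the ports and an irb unit per VLAN as the routed gateway. The department names, VLAN IDs, ports, subnets and the ticketing server address are assumptions chosen for illustration. Each department gets its own VLAN, irb interface and security zone; hosts within one VLAN switch among themselves freely, while anything crossing VLANs goes through the flow engine and needs an explicit policy, so between departments the default is deny.

```junos
## Two access VLANs, one per department (names and IDs are assumptions)
set vlans SALES vlan-id 10
set vlans SALES l3-interface irb.10
set vlans ENG vlan-id 20
set vlans ENG l3-interface irb.20

## Switch ports: access ports carry one untagged VLAN each
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members SALES
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members SALES
set interfaces ge-0/0/3 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members ENG
set interfaces ge-0/0/4 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members ENG

## One routed interface (default gateway) per VLAN; subnets are assumptions
set interfaces irb unit 10 family inet address 10.10.10.1/24
set interfaces irb unit 20 family inet address 10.10.20.1/24

## One security zone per department; only the services the hosts need
## are allowed towards the SRX itself (ping and DHCP here)
set security zones security-zone sales interfaces irb.10 host-inbound-traffic system-services ping
set security zones security-zone sales interfaces irb.10 host-inbound-traffic system-services dhcp
set security zones security-zone eng interfaces irb.20 host-inbound-traffic system-services ping
set security zones security-zone eng interfaces irb.20 host-inbound-traffic system-services dhcp

## Inter-zone traffic is denied unless permitted. Example: engineering may reach
## a ticketing server in sales over HTTPS; nothing else crosses in that direction.
set security zones security-zone sales address-book address ticket-srv 10.10.10.50/32
set security policies from-zone eng to-zone sales policy eng-to-ticket match source-address any
set security policies from-zone eng to-zone sales policy eng-to-ticket match destination-address ticket-srv
set security policies from-zone eng to-zone sales policy eng-to-ticket match application junos-https
set security policies from-zone eng to-zone sales policy eng-to-ticket then permit
set security policies from-zone eng to-zone sales policy eng-to-ticket then log session-init

## Explicit, logged catch-all deny so blocked attempts are visible in the logs
set security policies from-zone eng to-zone sales policy deny-rest match source-address any
set security policies from-zone eng to-zone sales policy deny-rest match destination-address any
set security policies from-zone eng to-zone sales policy deny-rest match application any
set security policies from-zone eng to-zone sales policy deny-rest then deny
set security policies from-zone eng to-zone sales policy deny-rest then log session-init
```

Check it with show ethernet-switching table (MACs landing in the right VLAN), show security zones and show security policies hit-count; a blocked cross-department attempt appears as an RT_FLOW_SESSION_DENY entry once session-init logging is on. Ports that should share a department without any policy between them simply go into the same VLAN.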

web auth with RSA authentication


Hi,

We have just migrated from SSG to SRX. On the SSG we had web auth configured: users log in over HTTP and are authenticated by an external server (RSA) to get a connection to our servers. When we configured it on the SRX it didn't work; it's not authenticating, though I'm not sure if we configured it right. Below is the config I made:

 

set access profile RSA_SecureID authentication-order radius
set access profile RSA_SecureID authentication-order password
set access profile RSA_SecureID radius-server 192.168.x.x port 1646
set access profile RSA_SecureID radius-server 192.168.x.x secret "$9$pVFMuIhSyK8xdlKGiHkPf1RhcyKM8X7Nd"
set access profile RSA_SecureID radius-server 192.168.x.x timeout 90
set access profile RSA_SecureID radius-server 192.168.x.x source-address 10.4.x.1
set access firewall-authentication web-authentication default-profile RSA_SecureID
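Added example, not the poster's configuration: web authentication on an SRX needs three pieces beyond the access profile shown above (an interface address flagged for web-authentication that users browse to, the HTTP service on that interface, and a policy that permits with firewall-authentication web-authentication), and this shows all of them together. The RADIUS server address, secret, interface, zone names and server subnet are placeholders. Two caveats from the posted profile: port 1646 is the legacy RADIUS accounting port, while authentication requests go to 1645 (legacy) or 1812 (standard), so unless the RSA RADIUS server was deliberately set to authenticate on 1646 it will not answer Access-Requests sent there; and the "$9$..." string is Junos's reversible obfuscation rather than a hash, so a secret pasted in that form should be treated as disclosed and rotated.

```junos
## RADIUS towards RSA Authentication Manager (address and secret are placeholders).
## 1812 (or legacy 1645) carries authentication; 1646/1813 are accounting only.
set access profile RSA_SecureID authentication-order radius
set access profile RSA_SecureID radius-server 192.168.0.10 port 1812
set access profile RSA_SecureID radius-server 192.168.0.10 secret "replace-me"
set access profile RSA_SecureID radius-server 192.168.0.10 timeout 90
set access profile RSA_SecureID radius-server 192.168.0.10 source-address 10.4.0.1
set access firewall-authentication web-authentication default-profile RSA_SecureID

## The inside interface address users browse to; the http keyword enables the login page
set interfaces ge-0/0/1 unit 0 family inet address 10.4.0.1/24 web-authentication http
set system services web-management http interface ge-0/0/1.0
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services http

## Servers the users want to reach (subnet is an assumption)
set security zones security-zone dmz address-book address app-servers 10.9.0.0/24

## The permit is conditional: only a source IP with a live web-auth entry matches
set security policies from-zone trust to-zone dmz policy users-to-servers match source-address any
set security policies from-zone trust to-zone dmz policy users-to-servers match destination-address app-servers
set security policies from-zone trust to-zone dmz policy users-to-servers match application any
set security policies from-zone trust to-zone dmz policy users-to-servers then permit firewall-authentication web-authentication
set security policies from-zone trust to-zone dmz policy users-to-servers then log session-init
```

The user first opens http://10.4.0.1/ and logs in with the SecurID passcode; after that, traffic from that source address matches the policy until the authentication entry times out. show security firewall-authentication users lists live entries, and show security firewall-authentication history shows failures, which is where a wrong port or secret becomes visible.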

 

Handling asymmetric routing over ipsec tunnels (chassis cluster, multi-ISP, multi-VR, BGP)


Hello, I have an interesting routing issue between hosts protected by my srx340 chassis cluster and cloud resources behind a Microsoft Azure cloud VPN gateway.  In summary:

  • I have two virtual routing instances, one for each of the ISP connections and I am leaking routes to ensure that internet connectivity from the inside works over both.
  • RPM and ip-monitoring are used to enable failover to ISP2.
  • IPSEC tunnels are established to the cloud over both ISPs, and routes to my cloud resources are received using BGP
  • local static routes are injected into BGP using bgp export policy
  • BGP routes learned in each VR are shared with the other using rib-groups
  • Policies are in place to allow traffic between the trust and azure zones
  • I have set security flow tcp-session no-syn-check-in-tunnel to allow for asymmetric routing over the tunnels

Today, we saw that no connectivity was possible between the trust and azure zones. Tracing the packet flow for a connection from trust to azure, I saw the initial SYN was permitted, but the return SYN-ACK was dropped. It seems that outbound and return traffic are routed over different tunnels, which for some reason results in a drop.

 

I have removed config for the vpn tunnel via isp2 as a workaround for now.

 

The critical part of the flow trace for the dropped return packet is as follows (full output attached):

 

Mar 9 10:36:27 10:36:27.913319:CID-1:RT:<Y.Y.Y.4/3389->X.X.X.180/65258;6,0x0> matched filter f1:
...
Mar 9 10:36:27 10:36:27.913857:CID-1:RT:Conflict session (18602) is VALID state
Mar 9 10:36:27 10:36:27.913857:CID-1:RT: packet dropped, failed to install nsp2
Mar 9 10:36:27 10:36:27.913857:CID-1:RT:failed to install nsp2
Mar 9 10:36:27 10:36:27.913857:CID-1:RT:first path session installation failed
Mar 9 10:36:27 10:36:27.913857:CID-1:RT: flow find session returns error.
Mar 9 10:36:27 10:36:27.913857:CID-1:RT:flow_proc_rc: -1.
Mar 9 10:36:27 10:36:27.913857:CID-1:RT:flow_process_pkt_exception: Freeing lpak 0x51029cd0 associated with mbuf 0x438c0280
Mar 9 10:36:27 10:36:27.913857:CID-1:RT: ----- flow_process_pkt rc 0x7 (fp rc 0)

 

 

Asynchronous routing issue - BGP protocol


Hi,

 

We have 2 MPLS links connected to the SRX for the internet connection: primary ISP 50 Mbps (ge-0/0/0.10), secondary ISP 10 Mbps (ge-0/0/2), both links from different ISPs. The AS number and peer AS are the same for both ISPs. There is no default route configured. The SRX is configured in packet mode.

We have observed a slowness issue for some days. As we checked, the ge-0/0/0.100 interface status shows only input (38654789xx) bytes; output shows "0" bytes. On ge-0/0/2 the interface status shows input bytes "0" and output bytes (10673547xx).

 

If we disable the ge-0/0/2 interface, all in and out traffic passes through ge-0/0/0.100. No slowness is observed.

If we enable ge-0/0/2 again, in and out traffic is divided between both interfaces (as mentioned above) and the network is slow.

 

Kindly suggest a solution to pass all traffic through the primary ISP, with the secondary ISP becoming active when the primary ISP goes down.

 

set interfaces ge-0/0/0 vlan-tagging
set interfaces ge-0/0/0 speed 100m
set interfaces ge-0/0/0 link-mode full-duplex
set interfaces ge-0/0/0 gigether-options no-auto-negotiation
set interfaces ge-0/0/0 unit 10 vlan-id 20
set interfaces ge-0/0/0 unit 10 family inet filter output voip
set interfaces ge-0/0/0 unit 10 family inet sampling input
set interfaces ge-0/0/0 unit 10 family inet sampling output
set interfaces ge-0/0/0 unit 10 family inet address 10.100.50.2/30
set interfaces ge-0/0/0 unit 15 vlan-id 45
set interfaces ge-0/0/0 unit 15 family inet address 10.100.20.2/30
set interfaces ge-0/0/1 speed 1g
set interfaces ge-0/0/1 link-mode full-duplex
set interfaces ge-0/0/1 unit 0 family inet sampling input
set interfaces ge-0/0/1 unit 0 family inet sampling output
set interfaces ge-0/0/1 unit 0 family inet address 10.44.47.25/24 vrrp-group 67 virtual-address 10.44.47.27
set interfaces ge-0/0/1 unit 0 family inet address 10.44.47.25/24 vrrp-group 67 priority 120
set interfaces ge-0/0/1 unit 0 family inet address 10.44.47.25/24 vrrp-group 67 advertise-interval 3
set interfaces ge-0/0/1 unit 0 family inet address 10.44.47.25/24 vrrp-group 67 preempt
set interfaces ge-0/0/1 unit 0 family inet address 10.44.47.25/24 vrrp-group 67 accept-data
set interfaces ge-0/0/2 speed 100m
set interfaces ge-0/0/2 link-mode full-duplex
set interfaces ge-0/0/2 gigether-options auto-negotiation
set interfaces ge-0/0/2 unit 0 family inet sampling input
set interfaces ge-0/0/2 unit 0 family inet sampling output
set interfaces ge-0/0/2 unit 0 family inet address 10.100.90.2/30

set routing-instances Corporate instance-type vrf
set routing-instances Corporate interface ge-0/0/0.10
set routing-instances Corporate interface ge-0/0/1.0
set routing-instances Corporate interface ge-0/0/2.0
set routing-instances Corporate route-distinguisher 32561:150
set routing-instances Corporate vrf-target target:32561:100
set routing-instances Corporate routing-options static route 10.44.90.0/22 next-hop 10.44.66.3
set routing-instances Corporate routing-options static route 10.44.66.0/26 next-hop 10.44.66.3
set routing-instances Corporate routing-options static route 10.45.251.0/26 next-hop 10.44.47.1
set routing-instances Corporate routing-options static route 10.16.18.0/18 next-hop 10.44.47.1
set routing-instances Corporate routing-options static route 10.12.0.0/20 next-hop 10.44.47.1
set routing-instances Corporate routing-options static route 10.44.47.0/19 next-hop 10.44.47.1
set routing-instances Corporate routing-options static route 10.5.43.0/24 next-hop 10.44.47.1
set routing-instances Corporate protocols bgp group Corporate-Sec type external
set routing-instances Corporate protocols bgp group Corporate-Sec export redistribute-static-connected
set routing-instances Corporate protocols bgp group Corporate-Sec peer-as 2833
set routing-instances Corporate protocols bgp group Corporate-Sec local-as 32561
set routing-instances Corporate protocols bgp group Corporate-Sec neighbor 10.100.90.1
set routing-instances Corporate protocols bgp group Corporate-Pri type external
set routing-instances Corporate protocols bgp group Corporate-Pri export redistribute-static-connected
set routing-instances Corporate protocols bgp group Corporate-Pri peer-as 2833
set routing-instances Corporate protocols bgp group Corporate-Pri local-as 32561
set routing-instances Corporate protocols bgp group Corporate-Pri neighbor 10.100.50.1

Thank You...
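Added example, serving both the Azure tunnel post above and this one; it is not the poster's configuration. In both cases two BGP sessions hand the SRX equal-looking paths, so outbound traffic can leave on one link while the far end returns it on the other. On a stateful SRX that matters: the session is pinned to the interface (or tunnel) the first packet used, and a reply arriving on the other one is handled as a fresh first-path lookup that collides with the existing session, which is consistent with the "Conflict session ... failed to install" lines in the Azure trace. The routing-side fix is to make one path strictly preferred in both directions and leave the other as backup. This uses the AS numbers, group names and neighbor addresses from the post above; the local-preference values, prepend count and MED are illustrative.

```junos
## Outbound: prefer routes learned from the primary peer (higher local-preference wins)
set policy-options policy-statement PRI-IN term prefer then local-preference 200
set policy-options policy-statement PRI-IN term prefer then accept
set policy-options policy-statement SEC-IN term backup then local-preference 50
set policy-options policy-statement SEC-IN term backup then accept

## Inbound: make the ISP prefer the primary link by lengthening the AS path we
## advertise over the secondary; MED is a tie-breaker if the ISP honours it.
## Only static and direct routes are advertised, as in the original export policy.
set policy-options policy-statement SEC-OUT term prepend from protocol static
set policy-options policy-statement SEC-OUT term prepend from protocol direct
set policy-options policy-statement SEC-OUT term prepend then as-path-prepend "32561 32561 32561"
set policy-options policy-statement SEC-OUT term prepend then metric 100
set policy-options policy-statement SEC-OUT term prepend then accept
set policy-options policy-statement SEC-OUT term reject-rest then reject

## Apply: primary keeps its existing export; secondary gets the prepending export
## (delete first so SEC-OUT is not chained after redistribute-static-connected)
set routing-instances Corporate protocols bgp group Corporate-Pri import PRI-IN
set routing-instances Corporate protocols bgp group Corporate-Sec import SEC-IN
delete routing-instances Corporate protocols bgp group Corporate-Sec export
set routing-instances Corporate protocols bgp group Corporate-Sec export SEC-OUT
```

Verify outbound with show route table Corporate.inet.0 protocol bgp detail (local-preference), inbound with show route advertising-protocol bgp 10.100.90.1 (the prepended path), then watch the input and output counters on ge-0/0/0.10 and ge-0/0/2: both directions should move on the primary and stay flat on the secondary until the primary session drops. Whether the ISP acts on AS-path length or MED is the ISP's choice; if it does not, ask it to set a lower local-preference on the secondary session. The same local-preference/prepend pattern applied to the two Azure tunnel sessions (inside each virtual router) keeps both directions on one tunnel; no-syn-check-in-tunnel relaxes TCP checks but does not change which tunnel a session is bound to.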

 

SRX210 and 240V Power


Looking to put a 240V circuit into my server room at my house. I have a Dell R610, an SRX210, a couple of miners and other switches. Question is, can I just plug the SRX into the 240V circuit? Based on the label on the unit (AC/DC converter brick), I would think yes, but wanted to ask.

 

Also, given that the brick only has a standard 2-prong plug, how would I get something to allow it to plug into a NEMA 6-20R? Thinking that's what will be on the wall.

 

Appreciate any input!!!

MSDP on SRX


Hi everyone,

We are exploring the implementation of MSDP on SRX for our particular issue.

I have set up a home lab to understand MSDP on SRX. 

Please consider the following  very basic set up:

 

LAPTOP-30.30.30.30---30.30.30.3- f0/0/3 SRX -f0/0/0---10.10.10.1-----10.10.10.10 CISCO router--Listener 235.1.1.1

 

 

Laptop is the source of multicast 235.1.1.1

The SRX is the RP, address 100.100.100.254; similarly, the Cisco router is the RP, address 1.1.1.1.

Expected behavior:

Upon receiving the multicast stream from 30.30.30.30 to 235.1.1.1, the SRX should send an SA message to MSDP peer 1.1.1.1, but I do not see that happening:

We can see the stream is hitting fe-0/0/3:

root> show firewall log interface fe-0/0/3
Log :
Time      Filter    Action Interface     Protocol        Src Addr         Dest Addr
21:56:12  pfe       A      fe-0/0/3.0    ICMP            30.30.30.30      235.1.1.1
21:56:07  pfe       A      fe-0/0/3.0    ICMP            30.30.30.30

 

We can see MSDP peer is established:

root> show msdp brief
Peer address    Local address   State       Last up/down Peer-Group   SA Count
1.1.1.1         10.10.10.1      Established     00:24:00              0/0

Note the SA count is zero; a capture between the SRX and the Cisco shows no SA being sent to the Cisco MSDP peer.

 

 

ADDITIONAL INFO:

SRX config:

root> show configuration | display set
set version 11.4R7.5
set system arp
set system root-authentication encrypted-password "$1$FNZOHrui$SIlLbizu6WwnQTkFcjVV9."
set system name-server 208.67.222.222
set system name-server 208.67.220.220
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services web-management http interface vlan.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set system services dhcp router 192.168.1.1
set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2
set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254
set system services dhcp propagate-settings fe-0/0/0.0
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces fe-0/0/0 unit 0 family ethernet-switching vlan members 301
set interfaces fe-0/0/2 description REAL-ONE
set interfaces fe-0/0/2 unit 0
set interfaces fe-0/0/3 unit 0 family inet filter input TEST
set interfaces fe-0/0/3 unit 0 family inet address 30.30.30.3/24
set interfaces fe-0/0/4 unit 0 family inet
set interfaces fe-0/0/5 unit 0
set interfaces fe-0/0/6 unit 0 family ethernet-switching
set interfaces fe-0/0/7 unit 0 family ethernet-switching
set interfaces lo0 unit 0 family inet address 100.100.100.254/24
set interfaces ppe0 unit 0 family inet
set interfaces vlan unit 10 family inet
set interfaces vlan unit 301 family inet address 10.10.10.1/24
set routing-options max-interface-supported 0
set routing-options static route 1.1.1.1/32 next-hop 10.10.10.10
set protocols msdp peer 1.1.1.1 export EXPORT-GROUP-IN-SA
set protocols msdp peer 1.1.1.1 local-address 10.10.10.1
set protocols ospf area 0.0.0.0 interface vlan.301
set protocols pim rp static address 100.100.100.254
set protocols pim interface vlan.301 mode sparse-dense
set protocols pim interface fe-0/0/3.0 mode sparse-dense
set protocols pim interface lo0.0 mode sparse
set policy-options policy-statement EXPORT-GROUP-IN-SA from route-filter 235.1.1.1/32 exact
set policy-options policy-statement EXPORT-GROUP-IN-SA from source-address-filter 30.30.30.30/32 exact
set policy-options policy-statement EXPORT-GROUP-IN-SA then accept
set security policies from-zone LEE to-zone ZOO policy LEE-TO-ZOO match source-address any
set security policies from-zone LEE to-zone ZOO policy LEE-TO-ZOO match destination-address any
set security policies from-zone LEE to-zone ZOO policy LEE-TO-ZOO match application any
set security policies from-zone LEE to-zone ZOO policy LEE-TO-ZOO then permit
set security policies from-zone ZOO to-zone LEE policy LEE-TO-ZOO match source-address any
set security policies from-zone ZOO to-zone LEE policy LEE-TO-ZOO match destination-address any
set security policies from-zone ZOO to-zone LEE policy LEE-TO-ZOO match application any
set security policies from-zone ZOO to-zone LEE policy LEE-TO-ZOO then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone ZOO interfaces fe-0/0/3.0 host-inbound-traffic system-services all
set security zones security-zone ZOO interfaces fe-0/0/3.0 host-inbound-traffic protocols all
set security zones security-zone LEE interfaces vlan.301 host-inbound-traffic system-services all
set security zones security-zone LEE interfaces vlan.301 host-inbound-traffic protocols all
set security zones security-zone LEE interfaces vlan.301 host-inbound-traffic protocols igmp
set security zones security-zone LEE interfaces vlan.301 host-inbound-traffic protocols pim
set firewall family inet filter TEST term T1 from destination-address 235.1.1.1/32
set firewall family inet filter TEST term T1 then log
set vlans VLAN-301 vlan-id 301
set vlans VLAN-301 l3-interface vlan.301

 

########################

 

1) What am I missing?

2) What is the default export policy for MSDP? Above I am using the EXPORT-GROUP-IN-SA policy to only advertise source 30.30.30.30, group 235.1.1.1 in SA to the peer. If I do not use this export policy, will the SA still be advertised to the peer about source 30.30.30.30, group 235.1.1.1?

 

Thanks and have a nice weekend!!

 

 

 


Struggling with DHCP


So for a while my company has been deploying systems with Juniper switches. With that, they were using Untangle software routers installed on a Dell R220. I finally argued away the software router and thought I had everything working properly on the bench. I come to a new site deployment and no DHCP is working anywhere. We have 12 PCs per site that need a DHCP address, where the rest is static. Can anyone point out where I made my mistake? I have spent the past 3 days digging deep into KBs and wiping, editing and rewriting configs to no avail. I even started to delve into rewriting the switches, whose config worked with the previous software router. (Note I was able to successfully get an EX4550's internal DHCP to work no problem, but it caused some weird routing issue.)

 

Setup:
Cisco Meraki on 0/0: this is the gateway out
EX4550 on 0/1: has 4 DHCP devices
EX4200 on 0/2: has 8 DHCP devices
SRX ports 0/3 - 0/8 have static-IP'd devices


I thank anyone tenfold for assistance!
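Added example (not the poster's configuration): the post does not include the SRX config, so this shows a complete DHCP server setup for the layout described, using the jdhcpd syntax (system services dhcp-local-server plus access address-assignment pools), which is the only form on 15.1X49 and later; older branch releases use the legacy system services dhcp pool form instead. The subnets, ranges and interface names are assumptions, chosen so that ge-0/0/1 and ge-0/0/2 are routed interfaces facing the two EX switches. The last two lines are the usual reason nothing gets an address: a zone that does not allow dhcp as a host-inbound service drops the DISCOVER before the server ever sees it.

```junos
## One pool per LAN that hangs off a switch (subnets, ranges and DNS are assumptions)
set access address-assignment pool LAN1 family inet network 192.168.10.0/24
set access address-assignment pool LAN1 family inet range PCS low 192.168.10.100
set access address-assignment pool LAN1 family inet range PCS high 192.168.10.120
set access address-assignment pool LAN1 family inet dhcp-attributes router 192.168.10.1
set access address-assignment pool LAN1 family inet dhcp-attributes name-server 192.168.10.1
set access address-assignment pool LAN1 family inet dhcp-attributes maximum-lease-time 86400

set access address-assignment pool LAN2 family inet network 192.168.20.0/24
set access address-assignment pool LAN2 family inet range PCS low 192.168.20.100
set access address-assignment pool LAN2 family inet range PCS high 192.168.20.120
set access address-assignment pool LAN2 family inet dhcp-attributes router 192.168.20.1
set access address-assignment pool LAN2 family inet dhcp-attributes name-server 192.168.20.1
set access address-assignment pool LAN2 family inet dhcp-attributes maximum-lease-time 86400

## The pool is selected by the subnet of the interface the request arrives on,
## so each serving interface needs an address inside one of the pools
set interfaces ge-0/0/1 unit 0 family inet address 192.168.10.1/24
set interfaces ge-0/0/2 unit 0 family inet address 192.168.20.1/24
set system services dhcp-local-server group LAN interface ge-0/0/1.0
set system services dhcp-local-server group LAN interface ge-0/0/2.0

## Without this the DISCOVER broadcast is dropped at the zone before the server sees it
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services dhcp
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services dhcp
```

show dhcp server binding and show dhcp server statistics show leases and dropped requests; monitor traffic interface ge-0/0/1 matching "port 67 or port 68" confirms whether DISCOVERs reach the SRX at all. If the EX switches route their own VLANs, so the clients are not on a subnet directly connected to the SRX, the requests must be relayed instead (forwarding-options dhcp-relay on the SRX, or a DHCP relay on the switch pointing at the SRX).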

SRX Active/Active cluster, Dual ISP, Single local network


Hello

New to Juniper routers, so I thought this forum could be a good start for getting some help with a task I have in hand.

 

Basically what I am trying to do is: I have two SRX 5400 routers and I need them to be in active/active cluster mode. Both routers will have different ISP connections and IP addresses, but I need the inside network to be the same on both. So the "primary" router will have the main connection to the inside switch with address 192.168.1.1. If ISP 1 or the primary router should fail, then router 2 will take over and have the same internal IP, but a different ISP connection. And it would be nice if both outside IPs were active at the same time, for monitoring purposes.

Is such a config even possible?

 

Egert

SRX1500 Cluster with FAB and swFAB with Trunking Issue


I have an SRX 1500 cluster through which I am trying to pass Layer 2 traffic only. I have fab0 and swfab0 set up with dedicated 10 Gb ports that connect the two SRXs. I also have the HA 1 Gb port connected to the other cluster member.

 

What I am trying to do is pass a few VLANs to my core switch on both SRXs. My core switch is set up in an MC-LAG (9206 chassis). Before, I had it set up as a normal trunk port on both SRXs:

 

 

set interfaces xe-0/0/16 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/16 unit 0 family ethernet-switching vlan members VLANA
set interfaces xe-0/0/16 unit 0 family ethernet-switching vlan members VLANB

set interfaces xe-7/0/16 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-7/0/16 unit 0 family ethernet-switching vlan members VLANA
set interfaces xe-7/0/16 unit 0 family ethernet-switching vlan members VLANB

 

Before, spanning tree was deciding which link would be active. I could fail over to node1, but I am guessing that it would use the swfab to connect back to node0 with the active spanning-tree link. However, once I did a reboot on node0 I would lose all connectivity with everything connected to my core, not just the VLANs that were members on the trunk, all VLANs. I'm guessing some type of loop.

 

After contacting Juniper Support, they recommended setting up a reth interface with an IP associated with each VLAN. I'm not getting real clear answers from them and am hoping you could help.

 

They recommended setting up a reth interface like below.

set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
set chassis cluster redundancy-group 1 interface-monitor xe-0/0/16 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-7/0/16 weight 255

set interfaces xe-0/0/16 gigether-options redundant-parent reth1
set interfaces xe-7/0/16 gigether-options redundant-parent reth1

set interfaces reth1 vlan-tagging
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 1 vlan-id 1
set interfaces reth1 unit 1 family inet address 192.168.1.1
set interfaces reth1 unit 2 vlan-id 2
set interfaces reth1 unit 2 family inet address 192.168.2.1
set interfaces reth1 unit 3 vlan-id 3
set interfaces reth1 unit 3 family inet address 192.168.3.1

 

Which is the best route to take, since I don't want a family inet address on each VLAN? Is the preferred way the way I was doing it before? Can I set up a trunk interface on a reth?

 

set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family ethernet-switching interface-mode trunk
set interfaces reth1 unit 0 family ethernet-switching vlan members A
set interfaces reth1 unit 0 family ethernet-switching vlan members B
set interfaces reth1 unit 0 family ethernet-switching vlan members C

 

 

Editing SRX in CLI then syncing in Space


Hi,

 

Would any problems arise if I do the configuration of an SRX firewall first on the CLI, then after making the changes just resynchronize it with Junos Space?

I usually use Space for configuring policies on multiple firewalls, but I think it's easier to do a single firewall configuration on the CLI because I can just copy and paste the config.

 

Thanks!

Jon

no packet reply in session, SRX.


Can somebody check my knowledge regarding a session that has been established, as listed by the following command?

 

show security flow session

 

When I execute the command, I see the session is listed. So that means the connection has been made and is able to pass through the SRX device. I have a problem regarding the session: the session is created but there is no packet reply (attached: sfexample2.jpg).

 

 

 

Did the SRX device make any mistake that caused that? If not, what exactly is the cause, just from your experience?

 

Any clue would be appreciated.

 

 

 

SRX enrollment with skyATP


Hi 

I'm trying to enroll an SRX device with Sky ATP.

But there is an error shown: "error: [Error] Enrollment failed when communicating with cloud. Device has no license"

How do I solve it?

Inband web-management SRX-1500


Hi dear everybody,

I'm trying to manage my SRX 1500 cluster in the GUI via 2 interfaces (loopback and reth1.1) but I can't. I can access it via the management interface (fxp0).

This is the configuration. Am i missing something? Thanks in advance for your help

 

root@nrsvdrsrx-a0a-core01# show system services
ssh {
    authentication-order [ radius password ];
    root-login allow;
}
web-management {
    https {
        system-generated-certificate;
        interface [ fxp0.0 lo0.0 reth1.1 ];
    }
}

root@nrsvdrsrx-a0a-core01# show security zones security-zone XXX
interfaces {
    reth1.1 {
        host-inbound-traffic {
            system-services {
                all;
            }
        }
    }
    lo0.0 {
        host-inbound-traffic {
            system-services {
                https;
                ssh;
                ping;
            }
        }
    }
}


SSH Login and certificate removal


Hi,

 

Although configured exactly the same as a working SRX for SSH access, I still get a refusal on one SRX. I am thinking this may be certificate related, so I have removed the SSH config but don't know where to remove the certificate so that the SRX is forced to create a new one.


Could someone let me know where I remove the SSH certificate from please?

 

Thanks

multiple untrust zones


Migrating a configuration from an SSG to an SRX and had a few "best practices" questions.

 

The configuration has two public-facing LAN segments. On my SSG, I had both in a single Untrust zone. I also had all my tunnel interfaces in the same zone. Reading through the SRX docs, it suggests that I should be splitting this up a bit more. I am planning to create a separate zone per VPN gateway. This got me thinking about what to do with the LAN segments. Should I create two zones, one for each LAN segment, or will that complicate things unnecessarily?

 

Thanks..

 

Tim

Unable to establish connection between SRX 210 & ISP Soho router


Here is my config.

PC (192.168.2.10/24) <- Trust-> SRX210 <-Untrust-> Netgear SoHo (192.168.1.1) <--> ISP modem

 

root@srx210# show | display set | no-more
set version 12.1R1.3
set system host-name srx210
set system time-zone Asia/Calcutta
set system root-authentication encrypted-password "$1$yD4x1yfQ$6FFl4H4ePtA8Aq6TjzOiM1"
set system name-server 208.67.222.222
set system name-server 208.67.220.220
set system name-server 8.8.8.8
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services web-management http interface vlan.0
set system services web-management http interface ge-0/0/1.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set system services web-management https interface ge-0/0/1.0
set system services dhcp router 192.168.1.1
set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2
set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254
set system services dhcp propagate-settings ge-0/0/0.0
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.100/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.2.1/24
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/6 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.1.1
set protocols stp
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule trust-access match source-address 192.168.2.0/24
set security nat source rule-set trust-to-untrust rule trust-access match destination-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule trust-access then source-nat interface
set security policies from-zone trust to-zone untrust policy allow-internal-clients match source-address home_2
set security policies from-zone trust to-zone untrust policy allow-internal-clients match destination-address any
set security policies from-zone trust to-zone untrust policy allow-internal-clients match application any
set security policies from-zone trust to-zone untrust policy allow-internal-clients then permit
set security zones security-zone trust address-book address home_2 192.168.2.0/24
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services http
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services https
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services telnet
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services tftp
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0

[edit]
root@srx210#

 

I am unable to ping the ISP router (192.168.1.1). Any inputs?

 

Kind Regards,

Raj
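Added note and example; the stanzas below are not the poster's and are a suggested correction. In the configuration above, vlan.0 carries 192.168.1.1/24, which is both the Netgear's own address and the same subnet as ge-0/0/0 (192.168.1.100/24). Because 192.168.1.1 is then a local address of the SRX, the static default route's next hop resolves to the box itself and a ping to 192.168.1.1 never leaves towards the Netgear; the SRX's own DHCP server is also handing out the Netgear's subnet on the trust ports. Moving the switched trust VLAN to its own subnet removes the overlap; 192.168.3.0/24 is an arbitrary choice.

```junos
## Move the switched trust VLAN off the Netgear's subnet (192.168.3.0/24 is an assumption)
delete interfaces vlan unit 0 family inet address 192.168.1.1/24
set interfaces vlan unit 0 family inet address 192.168.3.1/24

## The local DHCP server must hand out the new subnet, not the ISP router's
delete system services dhcp router 192.168.1.1
delete system services dhcp pool 192.168.1.0/24
set system services dhcp router 192.168.3.1
set system services dhcp pool 192.168.3.0/24 address-range low 192.168.3.10
set system services dhcp pool 192.168.3.0/24 address-range high 192.168.3.200

## The existing default route (next-hop 192.168.1.1) is unchanged; 192.168.1.1 is
## now reachable only through ge-0/0/0.0, so it resolves to the Netgear

## Hosts on fe-0/0/2 to fe-0/0/7 also need NAT and a permit; the original only covers 192.168.2.0/24
set security zones security-zone trust address-book address home_3 192.168.3.0/24
set security policies from-zone trust to-zone untrust policy allow-internal-clients match source-address home_3
set security nat source rule-set trust-to-untrust rule trust-access match source-address 192.168.3.0/24
```

After the commit, show route 0.0.0.0/0 should resolve via ge-0/0/0.0, show arp should list 192.168.1.1 on ge-0/0/0.0, and ping 192.168.1.1 source 192.168.1.100 should answer. The two set lines for source-address append the new subnet to the existing policy match and NAT rule rather than replacing the 192.168.2.0/24 entries.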

Does SRX???? support...


Hello community,

 

We are currently using a virtual machine with Linux and iptables to filter network traffic. This VM and its iptables rules also provide some kind of "DoS protection" by rate limiting new connections, the maximum number of open connections, or the number of packets which may pass from a specific source or network.

 

We will upgrade our network connection to 10 Gbps and are therefore not sure if a Linux VM will be sufficient to filter the possible maximum number of packets per second.

 

Our data center offered us to lease a Juniper SRX. The initial suggestion was a Juniper SRX4100.

 

We need:

 

  • A filter engine which can filter 20 Gbps of traffic in total at the smallest possible packet size (let's say 64-byte packets, not IMIX).
  • A feature to handle half-open connections (like SYNPROXY).
  • The ability to limit the maximum number of packets or TCP connections from a source address or network (dropping packets or replying with RST when the limit is exceeded, or something similar).
  • The ability to read out traffic counters for every configured rule via an API or SNMP.

We don't need any "fancy" stuff like virus scanning, etc.

 

Can a Juniper SRX???? fulfill our requirements? Which SRX do we need to choose to meet our filter requirements?
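Added example (not the poster's configuration): the four requirements in the post map to existing SRX features, shown together below with placeholder zone names, addresses and thresholds. Half-open connections are handled by the syn-flood screen, which puts the SRX into SYN-cookie or SYN-proxy mode for a destination once the thresholds are exceeded; per-source and per-destination caps on concurrent sessions are the limit-session screen options; a packet or bandwidth limit for a given source comes from a stateless firewall filter with a policer; and per-rule counters (policy count, filter counters, screen statistics) are readable from the CLI and over SNMP. Which model sustains 20 Gbps at 64 bytes is a datasheet question: that load is about 29.8 million packets per second (a 64-byte frame plus 20 bytes of preamble and inter-frame gap is 672 bits on the wire), so ask the vendor for the pps and new-sessions-per-second figures at 64 bytes rather than the IMIX or large-packet throughput.

```junos
## Half-open connections: once a screen's syn-flood threshold trips, the SRX
## answers SYNs itself. syn-cookie is stateless; syn-proxy is the other mode.
set security flow syn-flood-protection-mode syn-cookie

## Screen on the internet-facing zone (thresholds are placeholders to tune from statistics)
set security screen ids-option internet-screen tcp syn-flood attack-threshold 1000
set security screen ids-option internet-screen tcp syn-flood source-threshold 200
set security screen ids-option internet-screen tcp syn-flood destination-threshold 5000
set security screen ids-option internet-screen tcp syn-flood timeout 10
## Caps on concurrent sessions per source and per destination; excess sessions are dropped
set security screen ids-option internet-screen limit-session source-ip-based 500
set security screen ids-option internet-screen limit-session destination-ip-based 20000
set security screen ids-option internet-screen icmp flood threshold 1000
set security screen ids-option internet-screen udp flood threshold 5000
set security zones security-zone untrust screen internet-screen

## Rate limit for one source network, enforced by a stateless filter and policer
## ahead of the flow engine (the policer is bits-per-second based, not pps)
set firewall policer NOISY-SRC if-exceeding bandwidth-limit 5m
set firewall policer NOISY-SRC if-exceeding burst-size-limit 256k
set firewall policer NOISY-SRC then discard
set firewall family inet filter EDGE-IN term rate-limit-noisy from source-address 198.51.100.0/24
set firewall family inet filter EDGE-IN term rate-limit-noisy then policer NOISY-SRC
set firewall family inet filter EDGE-IN term rate-limit-noisy then count noisy-src
set firewall family inet filter EDGE-IN term rate-limit-noisy then accept
set firewall family inet filter EDGE-IN term default then accept
set interfaces xe-0/0/0 unit 0 family inet filter input EDGE-IN

## Per-rule counters: "count" on a policy, the filter counter above, screen statistics
## per zone; all are readable over SNMP (read-only community shown; use v3 in production)
set security zones security-zone dmz address-book address web-srv 203.0.113.10/32
set security policies from-zone untrust to-zone dmz policy inbound-web match source-address any
set security policies from-zone untrust to-zone dmz policy inbound-web match destination-address web-srv
set security policies from-zone untrust to-zone dmz policy inbound-web match application junos-https
set security policies from-zone untrust to-zone dmz policy inbound-web then permit
set security policies from-zone untrust to-zone dmz policy inbound-web then count
set snmp community ro-monitor authorization read-only
set snmp community ro-monitor clients 10.0.0.0/24
```

show security screen statistics zone untrust, show security policies hit-count and show firewall filter EDGE-IN give the same counters from the CLI. Note that the screens and session limits act on flow-mode sessions, so the number the box can create and tear down per second is the binding figure under a SYN flood, which is another reason to size on pps and sessions per second rather than on bandwidth.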

SRX 300 series with Security Subscription and Junos Space


I'm going to make a BOM for an SRX345 with some security features on board, but I have some problems combining correctly every SKU needed.

 

For example I need:

- AppSecure

- Juniper SkyATP

- Antivirus

 

...and it is not clear if I have to:

- Include JSE (with the AppSecure features) and add just Sky ATP with the "Main Office Content Security" bundle to also receive AV:

  JSE + SRX345-ATP-1 + SRX345-CS-BUN-1

....or...

- Include JSE (with the AppSecure features) and add the ATP bundle, which seems to include everything BESIDES anti-malware?! :-|

But anti-malware seems not to be purchasable without the bundle.... and then?! :-)

....or....

- Include the normal JSB, but with a bundle add the other features as below.

BTW, at the end, it seems that each one conflicts with the others...

Can someone help me?

 

regards

 

 

 

 

 

 


