CA Certificate for SSL Forward Proxy and iOS 13
Hello, In the context of SSL Forward Proxy: Apple has increased the requirement for trusted CA certificates (https://support.apple.com/en-ca/HT210176) The certificates generated on an SRX300 series...
Filter Based Forwarding based on Natd Source Address
set security policies from-zone dmz to-zone dmz policy dmz-dmz match source-address any
set security policies from-zone dmz to-zone dmz policy dmz-dmz match destination-address any
set security...
SSL Certificate Vulnerabilities on SRX
Hi Experts, we just had our PCI vulnerability report and a lot of the vulnerabilities found were about SSL certificates. The solution is to "Please install a server certificate signed by a trusted third-party...
Significance of subtype 43 and 44 errors
After some routine log checks, prompted in some cases by a problem, I have spotted some subtype 43 and 44 errors, which according to JTAC "indicate some internal hardware issue", which is not...
SRX routing-engine bios uninterrupt - What is this exactly?
Does anyone know what exactly does this do? Why/What scenarios would this be used for? Juniper doc:...
How to configure incoming traffic on secondary ISP connection
So, right now, we have two ISP connections on our Juniper SRX260H2. Both connections provide us with a range of public IP addresses, and the Juniper differentiates between them to connect various...
Dest NAT rule drops 50% of ping to untrust interface
I recently implemented the dest NAT rule on my SRX300 in an attempt to put a gaming console (Nintendo Switch) in a DMZ. Oddly enough, that rule incurs a 50% drop in ping success on the Untrust...
VPN Site-to-Site IPSEC between two SRX300 using ADSL connection
Hi experts, I wonder if I can deploy a VPN site-to-site between two SRX300 whose link to internet is through ISP and they are using CGNAT. The dynamic IP can be obtained from ISP via PPPoE connection or...
VPN stopped working, debug log is empty
Hey there. I have one SRX 210 (PPPOE, static IP) and a SRX 100 (WWAN dial in, CGNAT). Everything worked well, but it suddenly stopped working. SRX 210 (central site, PPPOE, static IP): security { ike {...
is it possible to make srx340 NOT to check global address-book entry
I get a lot of the following messages in the firewall logs: nsd[2060]: LIBRESOLVER_DNS_SERVER_REPLY_ERROR_CODE: DNS server (index:0, ip:8.8.8.8) replies with error code 3 for domain xxxxx.xxx.xx is it...
Outgoing issues on same LAN Subnet in dual WAN ISP Setup for SRX650
Hi, Recently, we subscribed a second ISP (ISP2). Our firewall setup is in the cluster mode setup. Firewall Interface: ISP1 = vlan81 = untrust reth0.81 = 1.1.1.254/24 = GW 1.1.1.1; ISP2 = vlan82 = reth0.82 = ...
bandwidth limit in juniper srx
I have a problem when configuring a bandwidth limit. This script works, but local traffic is also limited. How do you make the local traffic not limited? admin@vSRX# show firewall policer...
There is an issue when implementing static NAT + FBF in SRX240
Hi all JUNOS experts, I met a problem when implementing static NAT and FBF in SRX240. Before, we only had ISP1 connected to SRX240, the default route to ISP1, and the static NAT addresses are also in the same...
SRX100H and AirCard 320U
Hey Experts, I have a remote box with an AirCard 320U, but the dial in is not working. If I put the SIM card to an AirCard 312U, it is working. I checked on my Linux laptop that the 320U is working. The...
SRX550 - upgrade from 15.1X49-D170.4 to 18.2R3-S2.9 - Validation failed
Hi. I am trying to upgrade software on SRX550m from 15.1X49-D170.4 to 18.2R3-S2.9 and I get Validation failed message. I am aware that I can use no-validate option. However - is it safe to use that...
Range of Port - JUNIPER SRX300
Folks, sorry for my English! I am implementing a 3CX PABX, but it requires me to configure a port range (9000-10999), and the Juniper does not have these functions. Not enabled; would someone help me?...
SRX SNAT FLOW SESSION
I am struggling in understanding the SNAT. Below is the flow session: Session ID: 443, Policy name: OK/6, Timeout: 2, ValidIn: 192.168.111.2/51744 --> 91.201.212.238/80;tcp, Conn Tag: 0x0, If:...
SRX 100/240 to SRX 300 Config Issue
We currently have 11 locations setup and looking to add number 12. Main location is SRX240 and 10 other current locations are SRX100. They are setup with VPN mesh and everything works fine. I'm...
SRX320 End of Support/End of Life Confirmation
Good afternoon, I am trying to pin down information regarding the SRX320 device. We are being told we have to replace this device because it is coming up on end of support (EOS)/end of life (EOL). I...
Traffic to node 1 is blocked when HA data plane is in active-active mode
Hi, all, Let me copy&paste this KB article, because it directly relates to my question: SUMMARY: This article explains why traffic that goes to node 1 is blocked when HA data plane is running in...