Channel: All SRX Services Gateway posts
Viewing all 17645 articles

Re: Remove address-book from group address


Hi Scott,

 

Basically you are mixing up address-book entries and address-sets (groups).

 

Your command "delete security zones security-zone internet address-book address-set address Dave_home 70.x.x.x/32" tries to delete an address named 'Dave_home' within an address-set named 'address'.

 

The correct command should be:

 

delete security zones security-zone internet address-book address Dave_home

 

I hope this solves your issue.


SRX340 Dynamic VPN


Hi all,

 

I have upgraded my SRX340 to the latest 15.1x49-D70.3 Junos, and I have referenced the link below to set up dynamic VPN; however, I couldn't access https://<wan ip>/dynamic-vpn to log in. I did allow ping, http, https and ike on the WAN interface and also enabled the web-management http and https service on the WAN interface, but it is still not OK. Is there something new in this release for setting up dynamic VPN? Thanks.

 

https://www.juniper.net/documentation/en_US/junos12.3x48/topics/example/vpn-security-dynamic-example-configuring.html

Unwanted traffic hitting external interface proxy arp addresses


Hi,

 

I have a fixed external IP on the external interface of our SRX device. I recently set up a default deny rule so I can monitor traffic on a syslog server.

 

I am seeing lots of telnet and ssh traffic being denied, not on our main IP but on the proxy ARP addresses that I set up.

 

I'm now a bit worried that something could get through. Have I done something wrong?

 

Thanks

Re: Unwanted traffic hitting external interface proxy arp addresses


Hi,

 

Traffic destined to the proxied IP on the SRX has nothing to do with the configuration.

You are getting that traffic because you are proxying for that IP (maybe hosting services), and any traffic originating from the Internet destined to your IP will reach the SRX WAN interface.

The traffic is permitted only as per your security policies.

You can implement Screens :-

https://www.juniper.net/documentation/en_US/junos12.1x47/topics/concept/understanding-screen-options-srx-series.html

https://www.juniper.net/documentation/en_US/junos12.1x47/topics/example/security-multiple-screening-option-enabling.html

 

If there are specific IP addresses which are initiating that unwanted traffic, you can block them using filters on the interface :-

https://kb.juniper.net/InfoCenter/index?page=content&id=KB21872&smlogin=true&actp=search

(Use reject instead of accept)

 

HTH!

Regards,

Sahil Sharma
---------------------------------------------------
Please mark my solution as accepted if it helped, Kudos are appreciated as well.

 

 

Re: Unwanted traffic hitting external interface proxy arp addresses


Hi,

 

Thanks for taking the time to reply; here is my config:

 

set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security zones security-zone untrust screen untrust-screen

 

 show security zones security-zone untrust
screen untrust-screen;
host-inbound-traffic {
    system-services {
        ping;
        ike;
        https;
    }
}
interfaces {
    ge-0/0/5.0;
}
show security nat proxy-arp
interface ge-0/0/5.0 {
    address {
        1.1.1.2/32;
        1.1.1.3/32;
        1.1.1.4/32;
    }
}

show interfaces ge-0/0/5
per-unit-scheduler;
unit 0 {
    family inet {
        address 1.1.1.1/29;
    }
}

 

Please let me know if anything is wrong

Re: Unwanted traffic hitting external interface proxy arp addresses


Hi,

 

There is nothing wrong with the config as such.

The screen thresholds depend on your network and the traffic passing through.

There is nothing in the configuration which would force users on the Internet to initiate traffic towards those IP addresses.

 

Regards,

Sahil Sharma
---------------------------------------------------
Please mark my solution as accepted if it helped, Kudos are appreciated as well.

Re: SRX340 Dynamic VPN


Hi,

 

  1. Is there any filter on the physical/loopback interface blocking https access?
  2. Is there any security policy from/to junos-host blocking this access?
  3. If the answers are no, then try ">restart web-management" and see if it works for you.
  4. You can use the ">monitor traffic interface IF_NAME" command to see if the requests are coming in and whether the SRX is responding.

 

Regards,

Sahil Sharma
---------------------------------------------------
Please mark my solution as accepted if it helped, Kudos are appreciated as well.

Re: SRX340 Dynamic VPN


On top of that, you cannot access /dynamic-vpn in the 15.1X49-D70 release. Have you tried connecting with the Pulse Secure client to your WAN IP to see if you are able to connect?

 

Potentially also try to move Jweb to a separate URL with "set system services web-management management-url jweb". That way Jweb is accessed via https://<WAN-IP>/jweb instead of directly via the IP.

 

 


Re: SRX340 Dynamic VPN


Dynamic VPN was taken out of the SRX300 line with the 15.x version. Word around the campfire is it will be added back with version 17.x. Hopefully some of the switching functions will also be added....

Re: SRX340 Dynamic VPN


Hi degel3030. That's not fully true: yes, initially it was not present in 15.1X49, but it was re-added in 15.1X49-D60 due to demand from partners and customers.

Re: SRX340 Dynamic VPN


Hi degel3030,

 

Jonas is correct. Dynamic VPN is fully supported from 15.1X49-D60.

 

From the release notes :-

 

Dynamic VPN remote access for Secure Pulse clients to SRX300, SRX320, SRX340, SRX345, and SRX550M devices—Starting with Junos OS Release 15.1X49-D60, dynamic VPN simplifies remote access by enabling Pulse Secure clients to establish IPsec VPN tunnels to SRX services gateways without having to manually configure VPN settings on their PCs or laptops. User authentication is supported through a RADIUS server or a local IP address pool.

 

The same can be found in the release notes under "VPNs" :-

https://www.juniper.net/techpubs/en_US/junos15.1x49-d60/information-products/topic-collections/release-notes/15.1x49-d60/topic-108022.html#jd0e527

 

Regards,

Sahil Sharma
---------------------------------------------------
Please mark my solution as accepted if it helped, Kudos are appreciated as well.

Re: SRX340 Dynamic VPN


This is fabulous news! I'm re-doing my lab now to test.

Re: Log when ISP is down


Hi,

 

You can configure rpm probes on the SRX to monitor reachability to a specific IP on the internet.

Syslog messages containing "PING_TEST_COMPLETED" and "PING_PROBE_FAILED" would be generated.

Please go through the following document for more details :-

https://kb.juniper.net/library/CUSTOMERSERVICE/technotes/RPM-to-SYSLOG-Reportingv1.0.pdf

 

Regards,

Sahil Sharma
---------------------------------------------------
Please mark my solution as accepted if it helped, Kudos are appreciated as well.

Re: Remove address-book from group address


Hi Jonas! Happy New Year to you sir!

 

Well, I finally got it to work. Two things:

First I had to delete the policy associated with Dave_home. Then, using your given command, I was able to delete the address-book entry. My issue was that I had a lower case "i" for Internet; that's why it wasn't found. But after I corrected that, it wouldn't take the commit because the policy for Dave_home was squawking that it didn't have an address for Dave!

 

So, I got the policy out first, committed that, then went into the address book as noted, with a capital "I" for Internet.

 

Thank you so much!

Scott

 

Re: SRX340 Dynamic VPN


Tested with 15.1X49-D70.3 and it works! Thank you Juniper! Now here is hoping for switching functions....

Back to OP question, care to share your config?


Re: SRX650 support CGNAT?


MPLS support is on all the SRX models.

 

But I'm pretty sure most of the CGNAT operations will only work on the high-end SRX, as they require the SPC installs and configuration.

 

Generally the most accurate information on specific feature availability can be found in Feature Explorer.  You can drill in by version and platform here to confirm support.

 

https://pathfinder.juniper.net/feature-explorer/

 

 

Re: Policy based site2site VPN no traffic


Assuming you have a default outbound source NAT policy, you want to add something like this to the NAT rule-set to exclude the VPN traffic.

 

set security nat source rule-set trust-to-untrust rule vpn match source-address 10.0.100.0/24
set security nat source rule-set trust-to-untrust rule vpn match destination-address 192.168.178.0/24 
set security nat source rule-set trust-to-untrust rule vpn then source-nat off 
insert security nat source rule-set trust-to-untrust rule vpn before rule source-nat-rule 

 

Re: SRX 3600 MSS Drop


Hello,


SPDNet wrote:

is there a way to limit the SYN MSS to a range between 1000-1800 on MX?

 


Yes there is - in JUNOS 14.2 or newer and on MX only (not SRX). Here is my NY gift to you:

 

 

[edit]
aarseniev@R1# show | compare rollback 1    
[edit interfaces ae0 unit 0 family inet]
+       filter {
+           input f1;
+       }
[edit]
+  class-of-service {
+      forwarding-classes {
+          class MARK queue-num 4;
+      }
+  }
+  firewall {
+      family inet {
+          filter f1 {
+              term t1 {
+                  from {
+                      protocol tcp;
+                      tcp-flags "(!ack & syn)";
+                  }
+                  then {
+                      forwarding-class MARK;
+                      next term;
+                  }
+              }
+              term t2 {
+                  from {
+                      forwarding-class MARK;
+                      flexible-match-range {
+                          match-start layer-4;
+                          byte-offset 20;
+                          bit-length 32;
+                          range 33817576-33818376;
+                      }
+                  }                    
+                  then {
+                      count TCPSYN;
+                      policer 1m;
+                      accept;
+                  }
+              }
+              term else {
+                  then accept;
+              }
+          }
+      }
+  }

You have to "spend" one Forwarding Class (FC) for that.

 

"range 33817576-33818376" is in decimal and corresponds to the TCP MSS option with values 1000-1800 as you asked.

In hex that would be 0x020403E8 ... 0x02040708.

HTH

Thx

Alex
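To make the decimal range above less magic, here is an added example (not from Alex's post) that derives the flexible-match-range bounds from an MSS range and emulates terms t1/t2 of filter f1 against a constructed SYN segment. It assumes the MSS option is the first TCP option, i.e. sits at layer-4 byte offset 20, which is what the filter itself relies on.

```python
"""Added example: TCP MSS option <-> Junos flexible-match-range arithmetic."""
import struct

MSS_KIND = 2   # TCP option kind for Maximum Segment Size
MSS_LEN = 4    # option length: kind byte, length byte, 2-byte MSS value


def mss_option_word(mss):
    """32-bit big-endian value of a TCP MSS option carrying `mss`
    (e.g. 1000 -> 0x020403E8)."""
    return int.from_bytes(bytes([MSS_KIND, MSS_LEN]) + mss.to_bytes(2, "big"), "big")


def mss_match_range(lo, hi):
    """Decimal bounds for 'flexible-match-range ... bit-length 32'.
    Every value in the range starts with bytes 0x02 0x04, so it can only
    match a well-formed MSS option, not some other option or payload."""
    return mss_option_word(lo), mss_option_word(hi)


def build_syn(mss, syn_ack=False, src_port=40000, dst_port=443):
    """Constructed 20-byte TCP header plus an MSS option (no IP header)."""
    data_offset = 6                      # (20 + 4) / 4 words
    flags = 0x12 if syn_ack else 0x02    # SYN+ACK or SYN only
    hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                      data_offset << 4, flags, 65535, 0, 0)
    return hdr + bytes([MSS_KIND, MSS_LEN]) + mss.to_bytes(2, "big")


def filter_matches(tcp_segment, lo, hi):
    """Emulates filter f1: term t1 marks '(!ack & syn)' segments, term t2
    then matches the 32-bit word at layer-4 byte-offset 20 against the range."""
    flags = tcp_segment[13]
    syn, ack = bool(flags & 0x02), bool(flags & 0x10)
    if not (syn and not ack):            # term t1 did not mark it
        return False
    if len(tcp_segment) < 24:            # no options: nothing at offset 20
        return False
    word = int.from_bytes(tcp_segment[20:24], "big")
    rlo, rhi = mss_match_range(lo, hi)
    return rlo <= word <= rhi


if __name__ == "__main__":
    print(mss_match_range(1000, 1800))                 # (33817576, 33818376)
    print(filter_matches(build_syn(1460), 1000, 1800))  # True
```

A SYN whose MSS option is not the first option (for example after a NOP) would not be seen at offset 20 and silently falls through to term "else".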

Re: SIEM cannot receive log when SRX using stream mode?


Hi ,

 

Sorry for the late reply. Kindly see the attachment for the log that you requested; I don't know how to analyse it. Appreciate your help.

 

Thanks

Re: SIEM cannot receive log when SRX using stream mode?


Hi ,

 

Looks like the SRX is sending the logs, as the transmitted bytes are there on the SPUs :-

 

0:  name=TO-SIEM, ip(H)=a446747 (a 44 67 47), port=514, codec=2, sev=7
     ip_id=233, tx=233, txByte=138936, txFail=0, dropByte=0
     sevDropCnt=0
     fwd egress=0, fwd ingress=0.

This looks to be a problem on the SIEM as the SRX is sending the logs.

 

You can take packet captures on the SIEM to verify if it is receiving the logs from the SRX.

 

Regards,

Sahil Sharma
---------------------------------------------------
Please mark my solution as accepted if it helped, Kudos are appreciated as well.
