Channel: All SRX Services Gateway posts

Re: SIEM cannot received log when SRX using stream mode?

Hi,

The syslog server itself (SIEM) cannot see syslogs such as the change log, interactive commands, etc. in stream mode, but it has no issue with the session flow log. Is this a limitation of stream mode?

We need the SIEM to be able to see whatever syslog the SRX produces, such as config changes, etc.

Thanks and appreciate your advice.

Re: SRX650 CPU utilization

Is there this problem on SRX running Junos 12.1X44? Because the CPU usage of my firewall is sometimes very high.

Re: L2TP through SRX

The session is showing that the UDP 500 traffic is properly permitted and NAT is working here.

Session ID: 316147, Policy name: VPN_PPTP/40, Timeout: 36, Valid
  In: 82.132.227.76/627 --> 200.200.200.202/500;udp, If: ge-0/0/5.0, Pkts: 2, Bytes: 728
  Out: 10.10.10.10/500 --> 82.132.227.76/627;udp, If: vlan.40, Pkts: 2, Bytes: 524

What do the server logs show at this point? Do they see the connection attempt?

With this configuration active I would do a packet capture on the L2TP server and see what the conversation looks like, especially the response packets from the server. The flow shows that both the inbound and outbound packets are present and permitted, so this is likely an application level issue.

Hi Spuluka,

Thanks for the URL given. I have already read it and it looks like there are some limitations when we use stream mode, right? Please correct me if I'm wrong, because my English is not so good.

Appreciate your feedback.

Thanks

Re: SIEM cannot received log when SRX using stream mode?

Yes, on the SRX in stream mode you need to have TWO configuration stanzas set up per those instructions in order to get all of the syslog messages. You appear to need to add the system syslog one, from what is missing on your SIEM.

Re: SIEM cannot received log when SRX using stream mode?

Hi Spuluka,

When you said "TWO configuration stanza setup", which part are you referring to? Below is my config. Can you advise me what needs to change to make sure the SIEM can see both the control plane syslog (such as commit, interactive commands, etc.) and, at the same time, the RT-FLOW log?

{primary:node0}
test@SRX5800> show configuration system syslog
archive size 1m files 10;
user * {
    any emergency;
}
inactive: host 7.7.7.1 { ----------------------------------> If I activate this then the SIEM cannot see the RT-FLOW log
    any any;
    change-log any;
    interactive-commands any;
    inactive: match RT_FLOW_SESSION;
    source-address x.x.x.x;
    structured-data;
}
inactive: host 7.7.7.2 {
    any any;
    change-log any;
    interactive-commands any;
    source-address x.x.x.x;
    structured-data;
}
file messages { ------------------------------------> This log cannot be seen on the SIEM
    any notice;
    authorization info;
    explicit-priority;
}
file interactive-commands { -------------------> This log cannot be seen on the SIEM
    interactive-commands any;
}

Thanks and appreciate your advice


Re: SIEM cannot received log when SRX using stream mode?

I think you need these two stanzas:

control plane logs - remove the match for flow

system {
    syslog {
        host 7.7.7.1 {
            any any;
            change-log any;
            interactive-commands any;
            source-address x.x.x.x;
            structured-data;
        }
    }
}

security logs

security {
    log {
        mode stream;
        format sd-syslog;
        source-address 10.70.50.18;
        stream TO-SIEM {
            format sd-syslog;
            category all;
            host {
                10.60.30.50;
            }
        }
    }
}
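To confirm on the collector side that both stanzas are actually delivering, here is an added Python example (not from this thread or from Juniper) that parses Junos structured-data (sd-syslog) lines, tags each one as a control-plane message (system syslog host stanza) or a security-log message (RT_FLOW etc. from the stream stanza), and reports which of the two channels is silent. The sample lines are constructed to approximate Junos sd-syslog output, not captured from a device.

```python
import re
from collections import Counter

# RFC 5424 layout as Junos sd-syslog emits it:
# <PRI>1 TIMESTAMP HOST APP PROCID MSGID [SD-ID key="value" ...] MESSAGE
SDSYSLOG_RE = re.compile(
    r'^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) '
    r'(?P<msgid>\S+) \[(?P<sdid>\S+)(?P<params>[^\]]*)\](?P<msg>.*)$'
)
PARAM_RE = re.compile(r'(\S+)="([^"]*)"')

# Data-plane messages (the "security log" stream) carry these message-ID prefixes;
# anything else is treated as a control-plane message sent via the system syslog stanza.
SECURITY_PREFIXES = ("RT_FLOW_", "RT_IDS_", "RT_IDP_", "RT_UTM_", "RT_SCREEN_", "RT_ALG_")

def parse_sd_syslog(line):
    """Parse one sd-syslog line into a dict (header fields, SD params, channel), or None."""
    m = SDSYSLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["params"] = dict(PARAM_RE.findall(rec["params"]))
    rec["channel"] = "security" if rec["msgid"].startswith(SECURITY_PREFIXES) else "control"
    return rec

def channel_report(lines):
    """Count parsed messages per channel and list which expected channel delivered nothing."""
    counts = Counter()
    for line in lines:
        rec = parse_sd_syslog(line)
        if rec:
            counts[rec["channel"]] += 1
    missing = [c for c in ("control", "security") if counts[c] == 0]
    return {"counts": dict(counts), "missing": missing}

# Constructed sample lines (not real device output): one session event, one commit, one CLI command.
SAMPLE = [
    '<14>1 2016-06-01T08:00:00.000Z SRX5800 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.39 source-address="10.10.10.5" source-port="51234" destination-address="8.8.8.8" destination-port="53" protocol-id="17" policy-name="TRUST-TO-UNTRUST"] session created',
    '<189>1 2016-06-01T08:00:01.000Z SRX5800 mgd 4321 UI_COMMIT [junos@2636.1.1.1.2.39 username="test" commit-type="commit"] User \'test\' requested \'commit\' operation',
    '<190>1 2016-06-01T08:00:02.000Z SRX5800 mgd 4321 UI_CMDLINE_READ_LINE [junos@2636.1.1.1.2.39 username="test" command="show configuration system syslog "] UI_CMDLINE_READ_LINE',
]

if __name__ == "__main__":
    print(channel_report(SAMPLE))
```

Feed it the lines your SIEM actually received from the SRX; an empty "control" count with a populated "security" count is the symptom described in this thread.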
Re: SIEM cannot received log when SRX using stream mode?

Hi Spuluka,

If I enable the control plane log then the SIEM cannot receive the security log. That's the reason I deactivated the control plane logs. Can your SIEM see both logs at the same time?

Thanks and appreciate your feedback

Re: SIEM cannot received log when SRX using stream mode?

Yes, at a previous company we did have all logging working to a QRadar SIEM.

I think your issue is with the syslog stanza having the match condition added. This can tend to restrict what messages are sent.

Re: Link connection between two Virtual Router on SRX220

I'm confused because of your original message:

From Host 1 traffic can reach to Host 2 and reverse.
But with series SRX220, logical lt- interface do NOT support,
so do have any solution to connect two VRs?

But lt interfaces ARE supported on the SRX.

As are rib-groups and using physical interfaces to connect VRs.

So which method is your PREFERRED way to connect the two VRs?

Then share the existing configuration for that method along with the problems or error messages you are getting so we can help get you a final working configuration.

Re: Bug Reintroduced on Dynamic VPN

Hi Folks,

12.3X48-D40.5 should have the fix for BUG 1135780. The observation seen could be due to some other trigger. I would suggest you open a JTAC case to isolate it further.

Re: SIEM cannot received log when SRX using stream mode?

Hi Spuluka,

But the config match RT_FLOW is deactivated. How can it restrict the syslog to the SIEM?

inactive: match RT_FLOW_SESSION;

Thanks

Re: SIEM cannot received log when SRX using stream mode?

Hi Folks,

I could find some interesting information:

The traffic events in stream mode must be sent from one of the revenue ports. Using management ports such as fxp0 (or a revenue port in functional-zone management, in the case of SRX) is not supported. Additionally, do not forget to configure the routing table to send traffic events from a revenue port. Syslog packets for traffic events in stream mode look up the default routing instance (inet.0) first by default.

Also, please refer to the KBs below for more details:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB16509&actp=search&smlogin=true

http://www.juniper.net/techpubs/en_US/junos12.1x46/topics/task/configuration/security-system-stream-security-log-revenue-port-setting.html

https://kb.juniper.net/InfoCenter/index?page=content&id=KB16917&actp=search

http://www.juniper.net/techpubs/en_US/junos12.1x44/topics/task/configuration/security-system-stream-security-log-revenue-port-setting.html

Re: SIEM cannot received log when SRX using stream mode?

Hi Phyton,

I'm using a reth interface as the source address to send logs to the SIEM.

Thanks

Re: Bug Reintroduced on Dynamic VPN

Unfortunately it works only if you insert your external interfaces under "system services web-management".

Otherwise you will get errors like "ERR_TOO_MANY_REDIRECTS" when pointing your browser to the Dynamic VPN URL.

Thanks.

Re: L2TP through SRX

Hi Spuluka,

I managed to get it working in the end; one of the main problems was that I needed to edit the registry on my Windows box:

https://support.microsoft.com/en-gb/kb/926179

Thanks so much for taking the time to reply. I hope this thread helps anyone else who is having the same problem.

Proxy IDs (traffic Selector) of 0.0.0.0

hello,

I have already asked similar questions 1 year ago without getting feedback; here it is again in other words:

1) When using route-based VPNs, defining proxy IDs can be cumbersome if you have multiple distinct local and remote subnets or hosts concerned that you cannot aggregate into 1 or 2 IP "supernets".

I guess it would be simpler if Juniper allowed several names or address-sets to be coded in those local/remote proxy IDs (as Cisco does in their crypto map), as is now possible in NAT source and destination via source-address-name, for example.

2) The traffic-selector method, as described in
https://www.juniper.net/documentation/en_US/junos12.1x47/topics/concept/ipsec-vpn-traffic-selector-understanding.html,

can be a good way to reduce this constraint, as the IPsec section is shorter to define, but you still need to identify and code each pair of local/remote IPs.

So, if you have, let's say, 5 local and 10 remote IPs concerned, you will have to define 5*10 = 50 traffic selectors in the IPsec section.

And, by the way, this way of coding traffic selectors is not supported when using IKEv2 on a tunnel, as stated in this link, which tends to be more frequent now than a few years ago.

3) So, in some cases, either because IKEv2 is used or because the number of local and remote subnets results in a large number of local/remote address pairs (even if it is simpler/shorter with traffic selectors), it might be better to create a policy-based VPN where you don't have to care about coding those pairs.

The only question left about this policy-based VPN is related to the fact that, if you have multiple source or destination addresses, or you use source/destination address-sets coded in some policy rules, the following Juniper document indicates that the resulting generated proxy IDs (local and remote) will be 0.0.0.0:
see https://kb.juniper.net/InfoCenter/index?page=content&id=KB29364&actp=RSS at the last section "Policy using multi-cell address objects".
In such a case, the question is how the VPN peer box (at the other side of the tunnel, which can be of any kind, not only Juniper) will react.

Will it reject those 0.0.0.0 proxy IDs if its own proxy IDs are coded with the concerned real subnets (thanks to a Cisco crypto-map for example), or will it allow them?

Any idea is welcome