Channel: All SRX Services Gateway posts

Digital Certificate exchange


Good evening,

I would like to check my understanding of PKI:

1- If we have 2 hosts (Host A and Host B) under the same CA, what will happen is:

each host will receive a local certificate and the CA certificate from the CA.

Host A will receive the local certificate from Host B and will use the CA certificate to validate it?

2- If we have 2 hosts under different CAs (CA-sales, CA-marketing) but, of course, the 2 CAs are under a common root CA, what will happen is:

- Host A will receive a local certificate and a CA certificate from CA-sales and will also receive a CA certificate from the Root-CA

- Host B will receive a local certificate and a CA certificate from CA-marketing and will also receive a CA certificate from the Root-CA

- Host A will send the local certificate and the CA certificate (CA-sales) to Host B

- Host B will use the Root CA certificate to validate the received CA certificate (CA-sales) and then will use the CA certificate (CA-sales) to validate the received local certificate of Host A


Re: Digital Certificate exchange


Hello,

1) 'Host A will receive the local certificate from Host B and will use the CA certificate to validate it' --- In simple terms you are right.

2) Generally, at no point does a host send the CA certificate to the other host. It only sends its local certificate. The receiver checks whether it has a trust chain built.

e.g. Only if the 'CA-Sales - CA-Root' trust chain is built on Host A and the 'CA-Marketing - CA-Root' chain is built on Host B (this generally happens when you load the host and CA certificates on the device) will they be able to authenticate each other based on their local certificates.

Regards,

Rushi

 

Re: Digital Certificate exchange


That's so confusing.

When I was studying, it was said that you may receive a certificate chain from a remote peer containing the EE certificate and intermediate CA certificates; you use the common CA certificate to validate the top CA certificate, then use that intermediate CA certificate to validate the next, and so on, until you validate the end-entity certificate.

Re: Digital Certificate exchange


Hello,

Your understanding is not entirely wrong. In simple words:

* The recipient must maintain the certificate chain if it needs to securely authenticate a peer when their Sub-CAs are different.

* The sender can send a certificate chain (e.g. Local Cert + Sub Cert + Root Cert), but the sender's chain will generally not be used to authenticate the sender unless the receiver has trust relations with Sub Cert + Root Cert. This chain may be used to gather information like the CRL, but not for authenticating the sender.

So just because the sender is sending Sub CA + Root CA, I (the receiver) will not use those certificates for validating the sender unless I, the receiver, also trust Sub CA + Root CA (I have a chain).

 

Regards,

 

Rushi
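The point made in the answer above (CA certificates a peer appends to its local certificate are chain-building material, not trust anchors; the receiver's own loaded CA certificates decide what is trusted) can be checked with a small self-contained program. This is an added example, not code from the thread or from Junos; it uses Go's standard-library crypto/x509 verifier to stand in for the SRX, builds the Root-CA / CA-sales / CA-marketing / Host A hierarchy assumed from the original question with throwaway keys, and runs the configurations discussed in the thread against it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for cn signed by parent. With parent == nil the
// certificate is self-signed, i.e. a root CA. Keys are throwaway P-256 keys.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 100))
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// End-entity (local) certificate usable for mutual authentication.
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// validatePeer plays the receiving host. trusted are the CA certificates loaded
// on the receiver; presented is what the peer sent: its local certificate first,
// followed by any CA certificates the peer chose to append.
func validatePeer(trusted []*x509.Certificate, presented []*x509.Certificate) error {
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	// Peer-supplied CA certificates only help build the chain; they are never
	// trust anchors. A chain that does not end in a loaded root is rejected.
	inters := x509.NewCertPool()
	for _, c := range presented[1:] {
		inters.AddCert(c)
	}
	_, err := presented[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}

// RunScenarios builds Root-CA -> {CA-sales, CA-marketing} -> Host A and reports,
// for each configuration of Host B, whether Host A is authenticated.
func RunScenarios() map[string]bool {
	root, rootKey := issue("Root-CA", true, nil, nil)
	sales, salesKey := issue("CA-sales", true, root, rootKey)
	marketing, _ := issue("CA-marketing", true, root, rootKey)
	hostA, _ := issue("Host A", false, sales, salesKey)

	cases := map[string]struct{ trusted, presented []*x509.Certificate }{
		"B trusts CA-marketing only; A sends local cert":              {[]*x509.Certificate{marketing}, []*x509.Certificate{hostA}},
		"B trusts Root only; A sends local cert":                      {[]*x509.Certificate{root}, []*x509.Certificate{hostA}},
		"B trusts Root only; A sends local + CA-sales":                {[]*x509.Certificate{root}, []*x509.Certificate{hostA, sales}},
		"B has CA-sales + Root chain loaded; A sends local cert":      {[]*x509.Certificate{root, sales}, []*x509.Certificate{hostA}},
		"B trusts CA-marketing only; A sends local + CA-sales + Root": {[]*x509.Certificate{marketing}, []*x509.Certificate{hostA, sales, root}},
	}
	results := make(map[string]bool, len(cases))
	for name, c := range cases {
		results[name] = validatePeer(c.trusted, c.presented) == nil
	}
	return results
}

func main() {
	for name, ok := range RunScenarios() {
		fmt.Printf("%-62s authenticated=%v\n", name, ok)
	}
}
```

Reading the results against the thread: Host A's local certificate alone authenticates only when Host B already holds the CA-sales + Root chain, which is the "load host and CA certificates on device" case; sending CA-sales along with the local certificate lets a receiver that trusts only the Root complete the chain; and a receiver that trusts only CA-marketing rejects Host A no matter how many CA certificates Host A appends, because the appended Root is not one of its own trust anchors.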

Re: Fabric Monitoring


Hello,

 

As long as your fabric is healthy, in my opinion it should not have any impact.

 

Regards,

 

Rushi

Re: PKI- validation


Hello,

 

So that the entity requesting it can confirm that the response has come from the valid CA.

 

Regards,

 

Rushi

SRX240 Change the Broadband IP


Hello, 

 

My public IPs are not enough, so I applied to the ISP for more IPs. On the SRX, all public IPs are set on the reth1.0 port, with source and destination NAT. Would you have suggestions on how to change the public IPs?

 

Many Thanks!!!

 

Best regards,

Zero


Re: SRX240 Change the Broadband IP


Hi Zero,

 

So if we understand properly, the public IP pool provided to you by the ISP is not enough for your network and hence you have requested a few more IPs.

If the ISP is the same and the old public IP provided by the ISP is the same, then you do not need to change the public IP.

However, if the subnet provided by the ISP for the renewed IPs is in the same subnet, then you need to configure proxy-arp on the SRX so that requests for those IPs reach the SRX reth1.0 port. You also need to configure security policies for the IPs to allow the traffic to pass.

Nothing else needs to be changed.

 

regards,

Guru Prasad

Re: SRX240 Change the Broadband IP


Unfortunately, the ISP gave me a different IP and subnet. How could I reconfigure the new IP and subnet on the SRX240? Thanks!

/var/db/utm_policy.id: File too large


Hello,

I have a problem with my SRX 210: when I try to check a new configuration, I see this message

 

# commit check
error: could not open /var/db/utm_policy.id: File too large
error: foreign file propagation (ffp) failed

Can someone help me?

Re: /var/db/utm_policy.id: File too large

Possible file system corruption; try doing a Junos re-install or an upgrade.

Re: SRX240 Change the Broadband IP

What's the gateway for the new subnet IPs provided by the ISP? Is it the same as the old one?

Re: /var/db/utm_policy.id: File too large


In my opinion the file system is OK; when I check this file

 

% cat /var/db/utm_policy.id

I see three license records

Re: /var/db/utm_policy.id: File too large

Did you try a reboot? Do you have an active UTM license/config?

Re: Fabric Monitoring


Before applying it, run

show chassis cluster interfaces

and be sure there are no errors or warnings in progress. If you enable it while in some inconsistent state you may trigger failover events.

I would still do it at a low-traffic period to be cautious.

Re: SRX240 Change the Broadband IP


You will need to change the following types of configuration with this:

the interface

the default route

destination and source NAT using IP addresses specifically in this range (interface NAT can stay the same)

any eBGP sessions configured

Re: /var/db/utm_policy.id: File too large


No, I didn't reboot, because I can't at this moment. In this file there are three licenses, and these licenses are expired. But a few days ago I changed the configuration and everything was OK.

Re: Digital Certificate exchange


I'm really upset with Juniper's explanation of stuff. This is not the first time I keep studying a topic and find out that my understanding is wrong.

SRX3600 In Service Upgrade


Hello everyone! Do I need to upload the new firmware to both devices in an in-service upgrade? Or is it enough if I do this on the master?
