Channel: All SRX Services Gateway posts

Re: DHCPv6 client doesn't work correctly


Re: I battle with the fxp0 interfaces in a cluster configuration and I do not understand anything

What's the source IP you are pinging from? If it's not in the same subnet as fxp0, you need the "backup-router" config. If it's from the same subnet, run "show arp" and confirm whether it's learned on the SRX.

Re: Do not use source nat off when deploying site to site vpn


I'm not sure I understand the question then.

When you use a policy VPN, this places the VPN policy in the same zone relationship as your NAT: trust to untrust.

So unless you apply a no-NAT rule, the NAT rule is hit.

Re: Difference between UTM & NGFW


Juniper used to offer stand-alone UTM-only hardware. Now that functionality is built into the SRX as a configuration option.

So some deployments are UTM only, by configuration on the SRX, and others are NGFW only, without using UTM features or a UTM license.

With flexibility can sometimes come complexity and confusion.

Re: I battle with the fxp0 interfaces in a cluster configuration and I do not understand anything


I would check the routing involved.

Remember that the fxp0 management interface is inside the base or root routing instance. So unless you have added routing instances, this shares the route table with all your other interfaces on the SRX. Thus if you attempt to ping in/out from outside the management subnet, you very likely have asymmetrical routing.

You get around this by creating a routing instance for your other interfaces; then your fxp0 can have its own independent route table and default route.

Or you use NAT rules and routes to NAT addresses to work around the internal production routing table. But this can get cumbersome.

how to delete multiple count under security policy in one single command?


Hi all,

Currently my security policy has been configured with "then count" on around 1000 policies. As advised by the Juniper engineering team, using "count" under security policy puts a burden on the RE, so they advised removing it. So the issue is how I can remove the "count" in the policies? "replace pattern" can be used if we want to change from one word to another word. But what if we want to delete it?

Thanks and appreciate someone's help.

Re: I battle with the fxp0 interfaces in a cluster configuration and I do not understand anything


Thank you for your answer.

I don't know why I hadn't thought of doing a show arp, and this is why I like the community, because sometimes it's right in front of you and you don't see it. I plugged my ethernet cable in the wrong place. Now it's better: I can ping my fxp0 interface, but I'm not able to make an SSH or HTTPS connection.

Result of show arp:

gus@EROS# run show arp 
MAC Address Address Name Interface Flags
3c:8a:b0:2a:32:b0 30.17.0.2 30.17.0.2 fab0.0 permanent
50:c5:8d:33:f6:30 30.18.0.1 30.18.0.1 fab1.0 permanent
3c:8a:b0:2a:32:47 130.16.0.1 130.16.0.1 fxp1.0 none
00:17:95:dc:49:48 192.168.6.1 192.168.6.1 fxp0.0 none
00:17:95:dc:49:4f 192.168.81.1 192.168.81.1 reth0.81 none
a4:93:4c:ee:5f:a6 192.168.111.1 192.168.111.1 reth1.0 none
Total entries: 6

But it's still not possible for me to make a connection over SSH or HTTPS, and spuluka must be right: my routing is asymmetrical.

I'm going to work on this point... and I'll get back to you.

Re: I battle with the fxp0 interfaces in a cluster configuration and I do not understand anything


Thank you spuluka for spending time on us.

So, you are right, my routing is asymmetrical, so I made some modifications in my configuration and now everything works correctly.

This is for my fxp0:

routing-options {
    static {
        route 192.168.100.0/24 next-hop 192.168.6.1;
    }
}

(Here I will put the subnets which must access the administration interfaces (SSH and HTTPS).)

And this is to access the same LAN:

routing-instances {
    RI-VR-LAN {
        instance-type virtual-router;
        interface reth0.81;
        routing-options {
            static {
                route 192.168.100.0/24 next-hop 192.168.81.1;
            }
        }
    }
}

(Here I will put the subnets of my LANs.)

Result of show route:

netgus@EROS# run show route 

inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.6.0/24     *[Direct/0] 5d 00:03:18
                    > via fxp0.0
192.168.6.30/32    *[Local/0] 5d 00:03:18
                      Local via fxp0.0
192.168.100.0/24   *[Static/5] 00:22:50
                    > to 192.168.6.1 via fxp0.0
192.168.111.0/24   *[Direct/0] 22:40:04
                    > via reth1.0
192.168.111.30/32  *[Local/0] 22:40:04
                      Local via reth1.0

RI-VR-LAN.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.81.0/24    *[Direct/0] 00:44:12
                    > via reth0.81
192.168.81.254/32  *[Local/0] 00:44:12
                      Local via reth0.81
192.168.100.0/24   *[Static/5] 00:40:43
                    > to 192.168.81.1 via reth0.81

This is very different from a Cisco ASA, but once you understand how it works, it doesn't seem very complicated (I hope so).

Again, a big thank you for your help.

I will continue building my understanding of the Juniper SRX.
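The asymmetry spuluka describes (fxp0 sharing inet.0 with the production interfaces) can be checked from "show route" output itself. The following is an added example, not code from the thread: it parses a constructed route table modelled on the one above, with an assumed default route via reth1.0 added to show the failing case, and reports which interface inet.0 would use to answer an admin host that reached the box on fxp0.

```python
import ipaddress
import re
# Constructed sample modelled on the thread's "show route", plus an assumed
# default route via reth1.0 to show the asymmetric case spuluka describes.
SHOW_ROUTE = """\
inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.6.0/24     *[Direct/0] 5d 00:03:18
                    > via fxp0.0
192.168.100.0/24   *[Static/5] 00:22:50
                    > to 192.168.6.1 via fxp0.0
192.168.111.0/24   *[Direct/0] 22:40:04
                    > via reth1.0
0.0.0.0/0          *[Static/5] 22:40:04
                    > to 192.168.111.1 via reth1.0
"""
TABLE_RE = re.compile(r"^(\S+):\s+\d+ destinations")
PREFIX_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+/\d+)\s+\*\[")
VIA_RE = re.compile(r"\bvia (\S+)")

def parse_show_route(text):
    """Return {table_name: {network: egress_interface}} for active routes."""
    tables, table, prefix = {}, None, None
    for line in text.splitlines():
        m = TABLE_RE.match(line)
        if m:
            table, prefix = m.group(1), None
            tables[table] = {}
            continue
        m = PREFIX_RE.match(line)
        if m:
            prefix = ipaddress.ip_network(m.group(1))
        m = VIA_RE.search(line)  # "via" is on the same line or the next one
        if m and table and prefix is not None:
            tables[table][prefix] = m.group(1)
            prefix = None
    return tables

def egress_for(table, host):
    """Longest-prefix match of host in one table; None if nothing matches."""
    ip = ipaddress.ip_address(host)
    matches = [net for net in table if ip in net]
    return table[max(matches, key=lambda n: n.prefixlen)] if matches else None

def check_mgmt_symmetry(tables, admin_host, mgmt_ifl="fxp0.0"):
    """A reply to an admin host that arrived on fxp0 must also leave via fxp0."""
    egress = egress_for(tables["inet.0"], admin_host)
    return egress == mgmt_ifl, egress
```

An admin host inside 192.168.100.0/24 is answered via fxp0.0, while any host that only matches the default route would be answered via reth1.0, which is exactly the asymmetric case the routing instance above avoids.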


Re: how to delete multiple count under security policy in one single command?


Hi,

I have tested this and you would not be able to use the replace pattern command here.

Instead, use the following method:

  1. #show security policies | display set | match count
  2. Copy the statements into a text editor.
  3. Replace "set" with "delete".
  4. Enter config mode on the SRX.
  5. Paste all the statements.
  6. #show | compare to verify the changes.
  7. #commit

Hope this helps!

Thanks and Regards,

Sahil Sharma

Please mark as solution if it resolved the issue. Kudos are appreciated as well.
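Step 3 of the method above is a plain text substitution, and "match count" also returns any line that merely contains the string "count" (a policy named accounting-app, for instance), so a blind set-to-delete swap would delete the wrong statements. The following is an added example, not from the thread: it converts only statements whose final leaf is "then count" into their delete form, using a constructed display-set sample.

```python
import re

# Constructed sample of "show security policies | display set | match count".
# Every line contains the string "count", but only three are actual counters;
# the policy *named* accounting-app matches too and must be left alone.
DISPLAY_SET = """\
set security policies from-zone trust to-zone untrust policy allow-web then count
set security policies from-zone trust to-zone untrust policy allow-dns then count
set security policies from-zone trust to-zone dmz policy accounting-app match application any
set security policies from-zone trust to-zone dmz policy accounting-app then permit
set security policies from-zone trust to-zone dmz policy accounting-app then count
"""

# A counter is a statement whose last leaf is "count" directly under "then".
COUNT_LEAF = re.compile(r"^set (security policies .+ then) count$")

def count_delete_statements(display_set_text):
    """Rewrite each 'set ... then count' line as the matching 'delete' statement."""
    deletes = []
    for line in display_set_text.splitlines():
        m = COUNT_LEAF.match(line.strip())
        if m:
            deletes.append(f"delete {m.group(1)} count")
    return deletes
```

The returned lines are pasted into configuration mode (or fed to "load set terminal"), then checked with "show | compare" before "commit", as in steps 5 to 7 above.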

Re: Difference between UTM & NGFW


When I first went through Google, I found that some vendors say a UTM is a device that includes the functionality of an NGFW, but I think that UTM features differ from one vendor to another...

So if I get the license for UTM on the SRX, will the device be called UTM or NGFW? :)

Dynamic VPN


Is dynamic VPN considered to be IPsec VPN or SSL VPN?

I was searching and I found that some vendors like Fortinet consider dialup VPN or client VPN as a type of SSL VPN.

Ip monitoring on SRX 240


I have two reth interfaces, reth1.0 and reth0.0, both on different subnets. Can I configure IP monitoring or not? If not, what options do I have to keep my system alive?

Where can I find the commands?

Re: Fabric link for SRX 240


That's the problem: I have one fabric on ge-0/0/2 and ge-5/0/2 only, but still child 1 is not active and packets are 0.

When do I need double fabric links? My cluster is built to monitor two IP addresses, both on different subnets, to have redundancy. This is the goal of my cluster.

Re: how to delete multiple count under security policy in one single command?


Hi sahilsha,

So in other words I need to delete "count" one by one for each policy? Is there any other method that can be done in one single command?

Thanks and appreciate any feedback.

Re: Not responding to ARP?


God bless you!

I've tried everything. Your way works!

 

Cheers!


Re: SRX Chassis-Cluster and dns-proxy


Hi Jeff,

Yes, we rebooted both the devices during maintenance and worked with JTAC; they fixed it.

Somehow the reth devices were not recognized in DNS proxy and needed to be "registered".

Now everything works fine.

Policy configuration SRX3600


 

Hi Experts,

I cannot configure any more policies in the firewall. It says we have reached the limit of 60 allowed policies.

admin@fw-cl1# commit
error: system security-profile policy logical-system quota exceeded (usage 61 > max 60) in OM
error: configuration check-out failed.

The release on the SRX is 12.1X44-D45.2, which is EOS.

Best Regards,

Waqas

Filter Based Forwarding support on st0 interface


Hi,

I need to configure FBF on the IPsec tunnel interface st0.

 

 SRX-300#set interfaces st0.10 family inet ?

Possible completions:
  <[Enter]>            Execute this command
> address              Interface address/destination prefix
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> dhcp-client          Dynamic Host Configuration Protocol client configuration
  mtu                  Protocol family maximum transmission unit
  negotiate-address    Negotiate address with remote
> next-hop-tunnel      One or more next-hop tunnel tables
  no-neighbor-learn    Disable neighbor address learning on interface
> sampling             Interface sampling
  unconditional-src-learn  Glean from arp packets even when source cannot be validated
  |                    Pipe through a command

 

SRX-300 is running 15.1X49. It does not even have the option to configure filters on the st0 interface. Is FBF only supported on physical interfaces on low-end SRXes? I do see the "filter" option available on higher-end SRX boxes (SRX-5400 running 15.1), but I need to verify the configuration on small SRX boxes in the lab before applying it to production boxes.

Re: Filter Based Forwarding support on st0 interface


This option appears on my SRX-300 running 15.1X49-D100.

 

# set interfaces st0.10 family inet filter ?                        
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  group                Group to which interface belongs (1..255)
> input                Filter to be applied to received packets
+ input-list           List of filter modules applied to received packets
> output               Filter to be applied to transmitted packets
+ output-list          List of filter modules applied to transmitted packets
[edit]

Re: Filter Based Forwarding support on st0 interface


Cool, thanks, I will upgrade the SRX-300; feature parity on the same Junos but different platforms is annoying.
