Reachability is not checked during VPN commit, can you share your configuration?
Re: Dynamic VPN behind NAT
Re: IP-Monitoring not failing over
Are you able to ping 4.4.4.4 from the SRX via ge-0/0/0.0? If not, can you try the same config with some other IP that's reachable from the SRX?
Re: What are mean Invalidated sessions?
"show security flow session" is the command to check the invalidated session count. In ideal conditions the value should change to match the actual active sessions. If you see the invalidated session count continuously increasing and not decreasing, then there can be a problem.
Re: SRX240 Max IPSec VPN's
That's great news, thanks for sharing.
Re: I am not able to access my protected resources via Dyn VPN from public remote site.
Can you share your security policy config and IP address on ge-0/0/0.0
Re: rate-limit for each client in SRX240
thanks for your answer,
What if I want a general rule so that every single session (in both directions) does not exceed 20 Mbps?
I have standard configuration (outside, DMZ and inside zones)
Re: rate-limit for each client in SRX240
AFAIK, it's not possible to rate limit each session to 20M.
Re: I am not able to access my protected resources via Dyn VPN from public remote site.
Hi Suraj,
I cannot share my ge-0/0/0 as it is a public IP, but below is my configuration:
nali@JEDDAH-JEDDAH-MDIA200> show configuration security | display set |no-more
set security ssh-known-hosts host 78.93.73.34 rsa-key "mOe$sTcAs#"
set security ike policy SERVER_IKE mode aggressive
set security ike policy SERVER_IKE proposal-set standard
set security ike policy SERVER_IKE pre-shared-key ascii-text "$9$n-3d9t0EhrMWxz3hyleXxjHqfF/tp0BEc0Odb"
set security ike gateway SERVER_GW ike-policy SERVER_IKE
set security ike gateway SERVER_GW dynamic hostname DYNVPN
set security ike gateway SERVER_GW dynamic connections-limit 10
set security ike gateway SERVER_GW dynamic ike-user-type group-ike-id
set security ike gateway SERVER_GW external-interface ge-0/0/0.0
set security ike gateway SERVER_GW xauth access-profile SERVER
set security ipsec vpn-monitor-options interval 10
set security ipsec vpn-monitor-options threshold 10
set security ipsec policy IPSEC_DYN_POLICY proposal-set standard
set security ipsec vpn DYN_VPN ike gateway SERVER_GW
set security ipsec vpn DYN_VPN ike ipsec-policy IPSEC_DYN_POLICY
set security address-book global address FINGER-PRINT 10.2.73.7/32
set security dynamic-vpn access-profile SERVER
set security dynamic-vpn clients all remote-protected-resources 10.0.0.0/8
set security dynamic-vpn clients all remote-exceptions 0.0.0.0/0
set security dynamic-vpn clients all ipsec-vpn DYN_VPN
set security dynamic-vpn clients all user client1
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security nat destination pool FNGR-PRNT address 10.2.73.7/32
set security nat destination pool SER_DESK address 10.2.73.8/32
set security nat destination rule-set FNGR-PRNT from zone untrust
set security nat destination rule-set FNGR-PRNT rule 1 then destination-nat pool FNGR-PRNT
set security nat destination rule-set FNGR-PRNT rule 2 then destination-nat pool SER_DESK
set security nat static rule-set BLOCK_utube from zone untrust
set security nat static rule-set BLOCK_utube rule 1 match destination-address 216.58.210.238/32
set security nat static rule-set BLOCK_utube rule 1 then static-nat prefix 127.0.0.1/32
set security nat static rule-set BLOCK_utube rule 2 match destination-address 216.58.210.206/32
set security nat static rule-set BLOCK_utube rule 2 then static-nat prefix 127.0.0.2/32
set security nat proxy-arp interface ge-0/0/1.0 address 10.2.72.19/28 to 10.2.72.22/32
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone untrust to-zone trust policy FNGR-PRNT match source-address any
set security policies from-zone untrust to-zone trust policy FNGR-PRNT match destination-address FINGER-PRINT
set security policies from-zone untrust to-zone trust policy FNGR-PRNT match application any
set security policies from-zone untrust to-zone trust policy FNGR-PRNT then permit
set security policies from-zone untrust to-zone trust policy BLK_UTUBE match source-address any
set security policies from-zone untrust to-zone trust policy BLK_UTUBE match destination-address any
set security policies from-zone untrust to-zone trust policy BLK_UTUBE match application junos-http
set security policies from-zone untrust to-zone trust policy BLK_UTUBE match application junos-https
set security policies from-zone untrust to-zone trust policy BLK_UTUBE then permit application-services idp
set security policies from-zone untrust to-zone trust policy BLK_UTUBE then log session-close
set security policies from-zone untrust to-zone trust policy DYN_VPN match source-address any
set security policies from-zone untrust to-zone trust policy DYN_VPN match destination-address any
set security policies from-zone untrust to-zone trust policy DYN_VPN match application any
set security policies from-zone untrust to-zone trust policy DYN_VPN then permit tunnel ipsec-vpn DYN_VPN
set security policies from-zone untrust to-zone trust policy DEFAULT match source-address any
set security policies from-zone untrust to-zone trust policy DEFAULT match destination-address any
set security policies from-zone untrust to-zone trust policy DEFAULT match application any
set security policies from-zone untrust to-zone trust policy DEFAULT then permit
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic protocols all
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services tftp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic protocols all
But now I can see I can reach my resources over the internet when in the same subnet. Advertising any other pool is not pinging.
Re: rate-limit for each client in SRX240
OK, if I want to limit the IP addresses of the inside zone to 20 Mbps each, how can I do it without having to write as many filters as there are IP addresses? My inside network is a x.x.x.x/24; do I have to write 254 filters, one for each inside client IP?
thanks
Jflow Configuration on SRX1400
Hi everybody. I'm trying to configure an SRX1400 device in our laboratory to send jflow flows to a collector (nfdump + nfsend on CentOS). This is more or less the diagram:
Jflow packets have to be sent through fxp0.0 (is this possible?), which is our management network. Below is the configuration that I'm trying to implement:
set forwarding-options sampling input rate 1
set forwarding-options sampling input run-length 0
set forwarding-options sampling family inet output flow-server 10.16.130.205 port 9996
set forwarding-options sampling family inet output flow-server 10.16.130.205 aggregation destination-prefix
set forwarding-options sampling family inet output flow-server 10.16.130.205 source-address 10.16.130.24
set forwarding-options sampling family inet output flow-server 10.16.130.205 version 8
set interfaces ge-0/0/0 unit 1 family inet sampling input
set interfaces ge-0/0/0 unit 1 family inet sampling output
As I'm not receiving any information, I've checked traffic on the server's eth0 interface. I've run a tcpdump capture with the fw source address but I'm only getting ARP requests... I can ping the server from the firewall, so end-to-end connectivity is OK, but I'm not receiving the flows.
Could anybody please help me with this?
Regards,
Luis
Re: Jflow Configuration on SRX1400
Re: rate-limit for each client in SRX240
Re: What are mean Invalidated sessions?
Hi rsuraj,
When you said invalid session when using the command show security flow session, is it referring to the part highlighted in bold below? The invalid session count I see increasing. So I need to check how to check which policy matches the invalid session. I'd appreciate anyone's feedback.
{primary:node1}
test@srx1> show security flow session node 1
node1:
--------------------------------------------------------------------------
Flow Sessions on FPC0 PIC1:
Session ID: 10000043, Policy name: 5172/664, State: Active, Timeout: 2, Valid
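As an added example (not from the thread), a small Python parser for the session-list format quoted above that counts Valid versus Invalidated sessions per policy and flags a count that only rises across successive samples. The sample output is constructed, and the assumption that the last comma-separated field on each "Session ID:" line is the Valid/Invalidated flag is taken from the single line quoted in the post.

```python
import re
from collections import Counter

# Constructed sample of `show security flow session` output, modelled on the
# header line quoted in the thread plus typical In/Out flow lines.
SAMPLE_OUTPUT = """\
Flow Sessions on FPC0 PIC1:
Session ID: 10000043, Policy name: 5172/664, State: Active, Timeout: 2, Valid
  In: 10.2.72.20/51000 --> 8.8.8.8/53;udp, If: ge-0/0/1.0, Pkts: 1, Bytes: 70
  Out: 8.8.8.8/53 --> 203.0.113.5/20123;udp, If: ge-0/0/0.0, Pkts: 1, Bytes: 86
Session ID: 10000044, Policy name: trust-to-untrust/4, State: Active, Timeout: 1780, Valid
  In: 10.2.72.21/40100 --> 198.51.100.7/443;tcp, If: ge-0/0/1.0, Pkts: 12, Bytes: 1800
  Out: 198.51.100.7/443 --> 203.0.113.5/40100;tcp, If: ge-0/0/0.0, Pkts: 10, Bytes: 9000
Session ID: 10000045, Policy name: untrust-to-trust/7, State: Invalidated, Timeout: 2, Invalidated
  In: 192.0.2.9/33000 --> 203.0.113.5/80;tcp, If: ge-0/0/0.0, Pkts: 3, Bytes: 180
Session ID: 10000046, Policy name: untrust-to-trust/7, State: Invalidated, Timeout: 2, Invalidated
  In: 192.0.2.10/33001 --> 203.0.113.5/80;tcp, If: ge-0/0/0.0, Pkts: 3, Bytes: 180
Total sessions: 4
"""

# Assumption: header line fields are fixed in this order; the final field is
# the session validity ("Valid" or "Invalidated").
HEADER_RE = re.compile(
    r"^Session ID: (?P<sid>\d+), Policy name: (?P<policy>[^,]+), "
    r"State: (?P<state>[^,]+), Timeout: (?P<timeout>\d+), (?P<validity>\w+)$"
)

def parse_sessions(text):
    """Return one dict per 'Session ID:' header line; flow lines are skipped."""
    return [m.groupdict() for m in map(HEADER_RE.match, text.splitlines()) if m]

def summarize(text):
    """Counts of sessions by validity flag, e.g. {'Valid': 2, 'Invalidated': 2}."""
    return dict(Counter(s["validity"] for s in parse_sessions(text)))

def invalidated_by_policy(text):
    """Invalidated sessions per policy: the policy with the highest count
    is the first place to look when the invalidated count keeps growing."""
    return dict(Counter(s["policy"] for s in parse_sessions(text)
                        if s["validity"] == "Invalidated"))

def keeps_rising(samples):
    """True when successive samples of the invalidated count only ever go up,
    the 'continuously increasing and not decreasing' pattern from the thread."""
    return len(samples) >= 2 and all(b > a for a, b in zip(samples, samples[1:]))
```

Feed it the text of several `show security flow session` captures taken a minute apart and pass the per-capture Invalidated totals to keeps_rising() to spot the problem pattern.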
Re: Jflow Configuration on SRX1400
Hi Folks,
Please find some pointers on enabling sampling on an SRX device:
SRX Getting Started - Configure J-Flow
https://kb.juniper.net/InfoCenter/index?page=content&id=kb16677
License for SRX Firewall
Hello Experts,
I have been asked to replace a couple of firewalls with new SRX 345s. I have received the new hardware from the client, but I haven't got any license for the device. Do I need to install any sort of license on the device to deploy it as a standard firewall without any fancy capabilities like IPS?
Re: IP-Monitoring not failing over
Hi Folks,
Please find some pointers on IP Monitoring:
[SRX] Example - IP Monitoring with route fail-over configuration and behavior
https://kb.juniper.net/InfoCenter/index?page=content&id=KB25052
Example: Configuring IP Monitoring on SRX Series Devices
Configuring IP Monitoring with Route Failover
To add, 4.4.4.4 is a public IP; does the SRX device have a public IP, or is there any NAT in the picture?
Re: rate-limit for each client in SRX240
Hi Folks,
I am just trying to understand the use-case and why do you want to do this in the SRX Device?
Re: License for SRX Firewall
Licenses are only for additional functionality, such as UTM (anti-spam, anti-virus, IDP, etc) and dynamic VPNs. You do not need additional licenses for basic firewall abilities.
Re: License for SRX Firewall
Re: What are mean Invalidated sessions?
As Wojtek mentioned, the KB has the right explanations:
https://kb.juniper.net/InfoCenter/index?page=content&id=KB23462&smlogin=true