Channel: All SRX Services Gateway posts

Re: Routing-Instance and ISIS Routing


Hi,

 

You can assign an address to all the units of the loopback (including 0). Junos only allows one loopback unit in the global table, so any new unit you create must be in a routing-instance.

You can keep lo0 in global table and lo0.10 in routing-instance and assign both of them an IP address.

 

HTH


Re: rate-limit for each client in SRX240


It does not seem strange to limit the clients' bandwidth; otherwise a single client could use all the internet bandwidth!

Re: Jflow COnfiguration on SRX1400


Just for the record, if anyone has a similar doubt in the future, I leave the final configuration below:

SRX1400

 

set forwarding-options sampling instance instance1 input rate 100
set forwarding-options sampling instance instance1 input run-length 0
set forwarding-options sampling instance instance1 family inet output flow-server X.X.X.X port 9996
set forwarding-options sampling instance instance1 family inet output flow-server X.X.X.X version9 template ipv4-test
set forwarding-options sampling instance instance1 family inet output inline-jflow source-address X.X.X.X
set services flow-monitoring version9 template ipv4-test ipv4-template

set interfaces ge-0/0/0 unit 1 family inet sampling input
set interfaces ge-0/0/0 unit 1 family inet sampling output

 

 

Nfsen

 

%sources = (
    'JuniperSRX'        => { 'port' => '9996', 'IP' => 'X.X.X.X', 'type' => 'netflow', 'col' => '#0000ff' },
    'ASR1000'               => { 'port' => '9997', 'IP' => 'X.X.X.X', 'type' => 'netflow', 'col' => '#ff0000' },
);


Thanks for your help Smiley Happy

Regards,

Luis
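As an added collector-side example (not part of Luis's post, nor code from the nfsen project), the following Python parses a NetFlow v9 export of the kind the sampling instance above sends to the flow-server on port 9996, and scales the byte and packet counters by the sampling rate of 100 configured with "input rate 100". The packet it parses is constructed inline; the template id 256, the field selection and the RFC 5737 addresses are assumptions for illustration, not values taken from the thread.

```python
import socket
import struct

# "input rate 100" in the SRX sampling instance means 1 packet in 100 is
# sampled, so exported byte/packet counters must be scaled back up by this.
SAMPLING_RATE = 100

# NetFlow v9 field type numbers (RFC 3954, section 8) used in this example.
FIELD_NAMES = {
    1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "l4_src_port",
    8: "ipv4_src_addr", 11: "l4_dst_port", 12: "ipv4_dst_addr",
}


def decode_field(ftype, raw):
    """Decode one big-endian field value; IPv4 address fields become dotted quads."""
    if ftype in (8, 12) and len(raw) == 4:
        return socket.inet_ntoa(raw)
    return int.from_bytes(raw, "big")


def parse_v9(packet, templates, sampling_rate=1):
    """Parse one NetFlow v9 export packet.

    `templates` persists across calls (keyed by (source_id, template_id)) because
    an exporter sends templates periodically and data may arrive before them.
    Returns (header_dict, list_of_record_dicts); data for an unknown template is
    skipped rather than guessed at.
    """
    if len(packet) < 20:
        raise ValueError("short NetFlow v9 header")
    version, count, uptime, unix_secs, seq, source_id = struct.unpack(
        "!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version {version})")
    header = {"count": count, "sys_uptime_ms": uptime, "unix_secs": unix_secs,
              "sequence": seq, "source_id": source_id}
    records = []
    offset = 20
    while offset + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[offset:offset + 4])
        if fs_len < 4 or offset + fs_len > len(packet):
            raise ValueError("bad flowset length")
        body = packet[offset + 4:offset + fs_len]
        offset += fs_len
        if fs_id == 0:  # template flowset, may carry several templates
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                if pos + 4 * nfields > len(body):
                    raise ValueError("truncated template")
                fields = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4])
                          for i in range(nfields)]
                pos += 4 * nfields
                templates[(source_id, tid)] = fields
        elif fs_id >= 256:  # data flowset, id is the template id
            fields = templates.get((source_id, fs_id))
            if fields is None:
                continue  # template not seen yet; wait for the next refresh
            rec_len = sum(flen for _, flen in fields)
            if rec_len == 0:
                continue
            pos = 0
            while pos + rec_len <= len(body):  # trailing bytes are padding
                rec = {}
                for ftype, flen in fields:
                    name = FIELD_NAMES.get(ftype, f"field_{ftype}")
                    rec[name] = decode_field(ftype, body[pos:pos + flen])
                    pos += flen
                for key in ("in_bytes", "in_pkts"):
                    if key in rec:
                        rec[key] *= sampling_rate
                records.append(rec)
        # flowset ids 1..255 are reserved (options templates etc.); ignored here
    return header, records


def build_sample_packet(include_template=True):
    """Constructed test packet (not a real SRX capture): one template with id 256
    and two data records, using RFC 5737 documentation addresses."""
    template_fields = [(1, 4), (2, 4), (4, 1), (7, 2), (8, 4), (11, 2), (12, 4)]
    tmpl_body = struct.pack("!HH", 256, len(template_fields))
    for ftype, flen in template_fields:
        tmpl_body += struct.pack("!HH", ftype, flen)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl_body)) + tmpl_body

    def rec(nbytes, npkts, proto, sport, src, dport, dst):
        return (struct.pack("!IIBH", nbytes, npkts, proto, sport) + socket.inet_aton(src)
                + struct.pack("!H", dport) + socket.inet_aton(dst))

    data = (rec(1500, 10, 6, 44321, "192.0.2.10", 443, "198.51.100.7")
            + rec(80, 1, 17, 53000, "192.0.2.11", 53, "198.51.100.53"))
    pad = b"\x00" * (-len(data) % 4)
    data_fs = struct.pack("!HH", 256, 4 + len(data) + len(pad)) + data + pad
    count = 3 if include_template else 2
    header = struct.pack("!HHIIII", 9, count, 123456, 1513830000, 1, 0)
    return header + (tmpl_fs if include_template else b"") + data_fs


if __name__ == "__main__":
    templates = {}
    hdr, recs = parse_v9(build_sample_packet(), templates, SAMPLING_RATE)
    for r in recs:
        print(r)
```

Feeding it the UDP payload captured on the collector shows two things the nfsen graphs hide: whether the template has actually arrived (records stay empty until it has, exactly as a collector started after the exporter would see), and how far the sampled counters are from the real traffic volume once multiplied by the configured rate.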

Re: Routing-Instance and ISIS Routing


Hi,

 

Thank you for the response. Okay, I have a strange issue occurring.... I have configured as suggested:

 

set interfaces lo0.10 family inet address xxx.xxx.xxx.xxx

set interfaces lo0.10 family inet6 address xxxx.xxxx.xxxx.xxxx.xxxx.xxxx.xxxx.xxxx

set interfaces lo0.10 family iso address 49.0001.xxxx.xxxx.xxxx.00

 

set routing-instance Customer-VR interface ae2

set routing-instance Customer-VR protocols isis interface ae2

 

Now I get ISIS routes being advertised, which is awesome work from you guys, but now I have an extremely frustrating, but I am sure easily solved, problem....

 

SRX-A --> MX240 --> MX240 --> SRX-B

 

SRX-A has the Customer-VR but SRX-B has no new VRs associated with it....

 

If I ping from the ae2 interface on SRX-B to the ae2 interface of SRX-A, I get a response, which is brilliant.

If I ping from the ae2 interface on SRX-A to the ae2 interface on SRX-B I get a "No route to host" response..... On SRX-B there is a route via the correct interface to SRX-A and on SRX-A there is a correct route to SRX-B.... How is this possible.....

 

In fact, from SRX-A I cannot even ping the directly connected neighbor as I get the "no route to host" response.... this is very obviously related to the VR, but I am unsure how?

 

Thanks

Re: Routing-Instance and ISIS Routing

Hi,

On SRX-A, ae2 is in a routing-instance. Are you using "ping x.x.x.x routing-instance Customer-VR" while pinging from SRX-A?

Re: Manual failovers too LONG on SRX550 with bdf or lacp


Hi Python, thanks,

I agree, and I made the following tests:

I unplugged the power supply of SRX1 in order to simulate the chassis loss, and measured how long the traffic going through the SRX cluster was interrupted.
It is up to 42 seconds!
The SRX cluster config is the 'lightest' one: without bfd, without lacp.

I managed to make printouts on SRX2 during those 42s and here are the results:

t=0    FW1 chassis loss
15s    FW2 gets primary
          FW2 still sees FW1 ports as up, routing is still via => traffic can't get through the SRX cluster!
36s    FW2 changes routing via FW2. Traffic starts coming up little by little.

Conclusion: the SRX takes time to switch over: 36s.
Is it normal for SRX-550M? I do not think so ...
If it is, maybe it is possible to decrease the switch-over duration by tuning parameters (graceful failover, etc.)?

Re: Routing-Instance and ISIS Routing


I am a bloody idiot sometimes..... I have been telling another colleague that when a VR is being used EVERYTHING must be done via that VR, and then I make that mistake..... Sorry for wasting your time....

 

 

Re: Routing-Instance and ISIS Routing

No worries! ☺ It happens sometimes.

Please help close the thread so that others can benefit from it.

Fail-over to an alternate router


Two edge routers on the LAN.  A Primary SRX at 192.168.0.1 and the backup DSL router at 192.168.0.2.

 

I have ip-monitoring working so that on fail it inserts route 0.0.0.0/0-192.18.0.2 but none of the traffic ever reaches the backup router.  I can ping from the router but none of the client traffic is making it back out.

 

I am guessing that the security zones aren't allowing the Internet-destined traffic back on the LAN interface to get over to the other router.

 

Not sure how or if I can configure this to work the way I would like it to.

Re: Fail-over to an alternate router


Hi Folks,

Can you please share the SRX device configuration?

Re: Upgrading from 12.1X44-D40 to 12.1X46-D60 fails

Re: Possible to prioritise BGP keepalive messages ?


Hi Folks,

Just my 2 cents on this... Interesting TechPub articles: influencing how host-bound traffic egresses can be done in two ways, for all host-bound traffic or for specific protocols.

 

Default Routing Engine Protocol Queue Assignments

http://www.juniper.net/documentation/en_US/junos/topics/reference/general/hw-cos-default-re-queues-reference-cos-config-guide-l2.html

 

Changing the Default Queuing and Marking of Host Outbound Traffic

We can configure CoS to put all host-bound traffic into queue 3 and reduce the traffic rate in queue 3. This configuration will be applicable to all the locally generated traffic, including ICMP.

https://www.juniper.net/documentation/en_US/junos14.1/topics/concept/hw-cos-default-re-traffic-overview-cos-config-guide.html

 

Understanding Queuing and Marking of Host Outbound Traffic

https://www.juniper.net/documentation/en_US/junos/topics/concept/cos-host-outbound-traffic-default-classification-and-dscp-remarking.html

 

We can specifically match protocols and assign it in to specific queue.

https://www.juniper.net/techpubs/en_US/junos14.2/topics/usage-guidelines/cos-assigning-fc-dscp-to-re-pkts.html

 

Assigning Forwarding Class and DSCP Value for Routing Engine-Generated Traffic

http://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/host-outbound-traffic-edit-cos.html

 

Re: SRX real lab with ability to ping from win10 machine


Hi Folks,

Just my 2 cents on this...

 

If you have plans for checking stuff with virtual machines, then you don't need a "4-port PCIe ethernet card". You can create a virtual bridge and connect the VMs in your hypervisor.

 

 

Using vlan interface for source nat?


Hi,

Is it possible to use an l3-interface for source NAT? Kind of something like this...:

 

vlans {
    vlan-nat1 {
        vlan-id 30;
        l3-interface vlan.30;
    }
}
security {
    zones {
        security-zone nat1 {
            interfaces {
                vlan.30;
            }
        }
    }
    policies {
        from-zone trust1 to-zone nat1 {
            policy trust1-to-nat1 {
                match {
                    source-address trust1-subnets;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    nat {
        source {
            pool nat1-l3-interface {
                address 10.0.0.202/32;
            }
            rule-set trust1-to-nat1 {
                from zone trust1;
                to zone nat1;
                rule source-nat-rule1 {
                    match {
                        source-address 172.16.0.0/24;   /* trust1 subnet */
                    }
                    then {
                        source-nat {
                            pool {
                                nat1-l3-interface;
                            }
                        }
                    }
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan-nat1;
                }
            }
        }
    }
    vlan {
        unit 30 {
            description nat1;
            family inet {
                address 10.0.0.202/24;
            }
        }
    }
}

Is it possible to then have traffic from trust1 going to nat1 to source NAT? This is just a rough example I typed out to get advice...

What would I need to do if I wanted to use ge-0/0/0 for source NAT like that w/ a VLAN interface (if it is even possible), but maybe also turn it into a trunk to allow the Comcast network to also pass through on another VLAN... if that makes any sense.

 

By the way, I couldn't get this to work... the only way I got source NAT to work from 'trust1' subnets was to assign the interface as family inet and give it an ip address on the Comcast network i.e. 10.0.0.202/24 - instead of putting up a l3-interface vlan.30...

Re: Fail-over to an alternate router


Here's the config

 

## Last changed: 2017-12-21 05:36:08 GMT-6
version 15.1X49-D75.5;
system {
    host-name xxx;
    time-zone GMT-6;
    root-authentication {
        encrypted-password "xxx";
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    name-resolution {
        no-resolve-on-input;
    }
    login {
        user xxx {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "xxx";
            }
        }
    }
    services {
        ssh;
        telnet;
        dns {
            dns-proxy {
                interface {
                    ge-0/0/1.0;
                }
                default-domain * {
                    forwarders {
                        208.67.222.222;
                        208.67.220.220;
                    }
                }
            }
        }
        web-management {
            http {
                interface [ ge-0/0/1.0 ge-0/0/0.0 ];
            }
            https {
                system-generated-certificate;
                interface [ ge-0/0/1.0 ge-0/0/0.0 ];
            }
            session {
                idle-timeout 60;
            }
        }
        dhcp {
            pool 172.16.1.0/24 {
                address-range low 172.16.1.50 high 172.16.1.199;
                router {
                    172.16.1.1;
                }
            }
            propagate-settings pp0.0;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
        file policy_session {
            user info;
            match RT_FLOW;
            archive size 1000k world-readable;
            structured-data;
        }
        file webfilter-log {
            any any;
            match WEBFILTER_;
        }
        file antivirus-log {
            any any;
            match AntiVirus;
        }
        file IDP_Log {
            any any;
            match RT_IDP;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server us.ntp.pool.org;
    }
}
services {
    rpm {
        probe INET-UP {
            test TargetIP {
                target address x.x.x.x;
                probe-count 3;
                probe-interval 15;
                test-interval 10;
                thresholds {
                    successive-loss 3;
                    total-loss 3;
                }
                destination-interface ge-0/0/0.0;
            }
        }
    }
    ip-monitoring {
        policy INET-UP-MON {
            match {
                rpm-probe INET-UP;
            }
            then {
                preferred-route {
                    route 4.2.2.2/32 {
                        next-hop 192.168.0.2;
                    }
                }
            }
        }
    }
}
security {
    idp {
        idp-policy shelmet-idp-policy {
            rulebase-ips {
                rule 1 {
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application default;
                        attacks {
                            predefined-attack-groups Critical;
                        }
                    }
                    then {
                        action {
                            drop-connection;
                        }
                        notification {
                            log-attacks {
                                alert;
                            }
                        }
                        severity critical;
                    }
                }
                rule 2 {
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        application default;
                        attacks {
                            predefined-attack-groups Major;
                        }
                    }
                    then {
                        action {
                            recommended;
                        }
                        notification {
                            log-attacks;
                        }
                        severity major;
                    }
                }
            }
        }
        active-policy shelmet-idp-policy;
        traceoptions {
            file size 100m;
            flag all;
            level all;
        }
        security-package {
            automatic {
                start-time "2017-6-24.08:00:00 +0600";
                interval 72;
            }
        }
    }
    utm {
        custom-objects {
            url-pattern {
                white {
                    value [ *.assist.com *.fastsupport.com *.fedex.com *.gotoassist.com *.grainger.com *.mcmaster.com *.mcsdirect.com *.microsoft.com *.mscdirect.com *.noaa.gov *.office365.com *.olsensafety.com *.outlook.com *.ups.com *.weather.com *.weather.gov *.eicar.org *.spn.com *.symantec.com *.norton.com ];
                }
                black {
                    value www.msn.com;
                }
                Office365 {
                    value [ *.office365.com *.office.com *.microsoftonline.com *.msocdn.com *.office.net *.live.com *.windows.net *.microsoft.com *.cloudapp.net *.outlook.com *.oaspapps.com *.outlookgroups.ms *.onmicrosoft.com *.msedge.net *.microsoftonline-p.com *.edgekey.net *.akadns.net *.bing.com *.aria.microsoft.com *.portal.microsoft.com *.urs.microsoft.com *.res.office365.com *.pipe.aria.microsoft.com *.officeapps.live.com *.portal.office.com *.data.microsoft.com *.aadcdn.microsoftonline-p.com ];
                }
                Exec {
                    value *.siriusxm.com;
                }
            }
            custom-url-category {
                Cust-Category-Prod {
                    value [ white Office365 ];
                }
                Cust-Category-Exec {
                    value Exec;
                }
            }
        }
        feature-profile {
            anti-virus {
                type sophos-engine;
                sophos-engine {
                    profile AV_Profile {
                        fallback-options {
                            default log-and-permit;
                            content-size log-and-permit;
                            engine-not-ready log-and-permit;
                            timeout log-and-permit;
                            out-of-resources log-and-permit;
                            too-many-requests log-and-permit;
                        }
                        scan-options {
                            content-size-limit 10000;
                            timeout 180;
                        }
                        notification-options {
                            virus-detection {
                                type message;
                                notify-mail-sender;
                                custom-message "VIRUS WARNING";
                            }
                            fallback-block {
                                type message;
                                notify-mail-sender;
                            }
                        }
                    }
                }
            }
            web-filtering {
                type juniper-enhanced;
                juniper-enhanced {
                    cache {
                        timeout 1800;
                        size 500;
                    }
                    profile Production_Profile {
                        category {
                            Cust-Category-Prod {
                                action permit;
                            }
                            Enhanced_Information_Technology {
                                action log-and-permit;
                            }
                            Enhanced_Hosted_Business_Applications {
                                action log-and-permit;
                            }
                        }
                        default block;
                        fallback-settings {
                            default log-and-permit;
                            server-connectivity log-and-permit;
                            timeout log-and-permit;
                            too-many-requests log-and-permit;
                        }
                    }
                    profile Exec_Profile {
                        category {
                            Enhanced_Malicious_Web_Sites {
                                action block;
                            }
                            Enhanced_Advanced_Malware_Command_and_Control {
                                action block;
                            }
                            Enhanced_Advanced_Malware_Payloads {
                                action block;
                            }
                            Enhanced_Malicious_Embedded_Link {
                                action block;
                            }
                            Enhanced_Malicious_Embedded_iFrame {
                                action block;
                            }
                            Enhanced_Bot_Networks {
                                action block;
                            }
                            Enhanced_Keyloggers {
                                action block;
                            }
                            Enhanced_Parked_Domain {
                                action block;
                            }
                            Enhanced_Phishing_and_Other_Frauds {
                                action block;
                            }
                            Enhanced_Potentially_Exploited_Documents {
                                action block;
                            }
                            Enhanced_Potentially_Unwanted_Software {
                                action block;
                            }
                            Enhanced_Spyware {
                                action block;
                            }
                            Enhanced_Suspicious_Embedded_Link {
                                action block;
                            }
                            Enhanced_Society_and_Lifestyles {
                                action permit;
                            }
                            Cust-Category-Exec {
                                action log-and-permit;
                            }
                        }
                        site-reputation-action {
                            very-safe permit;
                            moderately-safe permit;
                            fairly-safe permit;
                            suspicious log-and-permit;
                            harmful block;
                        }
                        default permit;
                        fallback-settings {
                            default log-and-permit;
                            server-connectivity log-and-permit;
                            timeout log-and-permit;
                            too-many-requests log-and-permit;
                        }
                    }
                }
            }
        }
        utm-policy Prod_Policy {
            anti-virus {
                http-profile AV_Profile;
                ftp {
                    upload-profile AV_Profile;
                    download-profile AV_Profile;
                }
            }
            web-filtering {
                http-profile Production_Profile;
            }
            traffic-options {
                sessions-per-client {
                    limit 200;
                    over-limit log-and-permit;
                }
            }
        }
        utm-policy AV_Policy {
            anti-virus {
                http-profile AV_Profile;
                ftp {
                    upload-profile AV_Profile;
                    download-profile AV_Profile;
                }
            }
            traffic-options {
                sessions-per-client {
                    over-limit log-and-permit;
                }
            }
        }
        utm-policy Exec_Policy {
            anti-virus {
                http-profile AV_Profile;
                ftp {
                    upload-profile AV_Profile;
                    download-profile AV_Profile;
                }
            }
            web-filtering {
                http-profile Exec_Profile;
            }
            traffic-options {
                sessions-per-client {
                    over-limit log-and-permit;
                }
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                spoofing;
                source-route-option;
                tear-drop;
            }
            tcp {
                port-scan;
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set nsw_srcnat {
                from zone Internal;
                to zone Internet;
                rule nsw-src-interface {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set Guest-Nat {
                from zone Guest;
                to zone Internet;
                rule Guest-Nat {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool webmgt {
                routing-instance {
                    default;
                }
                address 192.168.0.1/32 port 80;
            }
        }
    }
    policies {
        from-zone Internal to-zone Internet {
            policy Exec_Rule {
                match {
                    source-address Exec_192-223;
                    destination-address any;
                    application [ junos-http junos-https ];
                }
                then {
                    permit {
                        application-services {
                            utm-policy Exec_Policy;
                        }
                    }
                }
            }
            policy Egress_Rule {
                match {
                    source-address any;
                    destination-address any;
                    application egress_blacklist;
                }
                then {
                    deny;
                }
            }
            policy Prod_Web-Filter {
                match {
                    source-address Prod_160-191;
                    destination-address any;
                    application [ junos-http junos-https ];
                }
                then {
                    permit {
                        application-services {
                            utm-policy Prod_Policy;
                        }
                    }
                }
            }
            policy Office_Web-Filter {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-http junos-https ];
                }
                then {
                    permit {
                        application-services {
                            utm-policy junos-av-wf-policy;
                        }
                    }
                }
            }
            policy All_Internal_Internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy Shelmet_AV {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        application-services {
                            utm-policy junos-av-policy;
                        }
                    }
                }
            }
        }
        from-zone Internet to-zone Internal {
            policy RDPpolicy {
                match {
                    source-address any;
                    destination-address any;
                    application RDP;
                }
                then {
                    permit;
                }
            }
            policy webmgr {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-http junos-https ];
                }
                then {
                    permit;
                }
            }
            policy sshmgt {
                match {
                    source-address any;
                    destination-address any;
                    application junos-ssh;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
            policy TEC_Panel {
                description "Access to 192.168.0.16/2001";
                match {
                    source-address TEC_Security;
                    destination-address any;
                    application TEC_Panel;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
        from-zone Guest to-zone Internet {
            policy Office_Web-Filter {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-http junos-https ];
                }
                then {
                    permit {
                        application-services {
                            utm-policy junos-av-wf-policy;
                        }
                    }
                }
            }
            policy All_Guest_Internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone Internal {
            address-book {
                address Prod_160-191 192.168.0.160/27;
                address Exec_192-223 192.168.0.192/27;
                address Guest_WiFi 172.16.1.0/24;
            }
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                            http;
                            https;
                            ssh;
                            telnet;
                            dns;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone Internet {
            address-book {
                address Outside_Addr x.x.x.x/32;
                address TEC_Security x.x.x.x/32;
            }
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            inactive: tftp;
                            inactive: dhcp;
                            inactive: https;
                        }
                    }
                }
            }
        }
        security-zone Guest {
            interfaces {
                ge-0/0/2.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                            telnet;
                            http;
                            ssh;
                            https;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address x.x.x.x/30;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.0.1/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 172.16.1.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 {
            next-hop x.x.x.x;
            qualified-next-hop 192.168.0.2 {
                preference 6;
            }
            preference 2;
        }
    }
}
class-of-service {
    interfaces {
        ge-0/0/0 {
            unit 0 {
                classifiers {
                    dscp default;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                classifiers {
                    dscp default;
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                classifiers {
                    dscp default;
                }
            }
        }
    }
}
applications {
    application RDP {
        protocol tcp;
        source-port 1024-65535;
        destination-port 3389;
    }
    application snmp {
        protocol udp;
        source-port 1024-65535;
        destination-port 161-162;
    }
    application irc {
        protocol tcp;
        source-port 1024-65535;
        destination-port 6660-6669;
    }
    application SMB_Ports {
        term smb_udp_ports protocol udp source-port 1024-65535 destination-port 135-139;
        term smb_tcp_ports protocol tcp source-port 1024-65535 destination-port 135-139;
    }
    application TEC_Panel {
        protocol tcp;
        source-port 1024-65535;
        destination-port 2001;
    }
    application-set egress_blacklist {
        application SMB_Ports;
        application irc;
        application snmp;
        application junos-tftp;
        application junos-netbios-session;
        application junos-smb-session;
        application junos-smtp;
        application junos-syslog;
    }
}


Re: Active sessions timeout @ 14,400 seconds (4 hours)


I'm seeing this with BGP sessions over IPsec tunnels to AWS since I enabled node1 in my cluster. I was running 12.3X48-D40 and it continued after I upgraded to 12.3X48-D55. Was there ever a fix?

Re: Static routes with RPM

Re: Access to interface in default routing instance

Re: I am not able to access my protected resources via Dyn VPN from public remote site.


Hi Suraj,

 

Thanks for your dedication. I tried moving the policy up, but it was not successful.

I found that the issue was in proxy ARP, since they were in the same network, and every time the IP was increasing from the /24 subnet.

Meaning, when I get IP 192.168.1.1 from the pool it starts working, but after reconnecting again I get the IP .2 from the pool and again the protected resources are not reachable.

What I did: I made a very specific pool of 192.168.1.0/30 so that the only IPs I get from the pool are .1 and .2, and then specifically permitted proxy ARP for .1 and .2 in the security NAT. Since then things are working fine with my customer.

Somehow I closed the ticket with my customer, which is why I cannot do anything at the moment until the customer opens a new ticket for any issue.

Please let me know if more clarification is required.

Re: Using vlan interface for source nat?


Is the interface vlan.30 up/up?

show interface terse vlan.30

 

For a layer 3 vlan interface to be up there has to be a physical interface in the same vlan that is also in the up/up status.

 

The NAT and security configuration looks correct to me.

 
