That is pretty much it: your SRX will be the GW router for the other firewall. What I do suggest is rather to use a /31 or /30 of that public block on the interface to the other FW, therefore preserving the rest of the public block, which might already be NAT. You can also go as far as adding firewall filters with packet mode so anything to and from the other firewall will be stateless through the SRX, so it will become just a router.
Re: SRX BGP/NAT question about putting another FW in the SRX's "outside"
Re: SRX210 Jweb interface page errors - Browser version?
Thanks, this displays on multiple pages within the Jweb interface, not just maintain -> Software. Just wanted to verify that all functionality of the Jweb interface should be working if I see this error.
SRX4100 cluster commit fails with error: init: write failed: No space left on device error: commit failed: daemon file propagation failed
Observed issues:
- root@*******-SRX41-HA# commit
error: init: write failed: No space left on device
error: commit failed: daemon file propagation failed
- request system storage cleanup on both nodes does not clear the issue.
- show system storage reveals that /dev/md1 320M 320M -25.5M 109% /mfs is over capacity on Node0
node0:
--------------------------------------------------------------------------
Filesystem Size Used Avail Capacity Mounted on
/dev/vtbd0s1a 501M 361M 99M 78% /
devfs 1.0K 1.0K 0B 100% /dev
/dev/md0 1.0G 1.0G 0B 100% /junos
/cf 501M 361M 99M 78% /junos/cf
devfs 1.0K 1.0K 0B 100% /junos/dev/
procfs 4.0K 4.0K 0B 100% /proc
/dev/vtbd1s1e 1.6G 206K 1.4G 0% /config
/dev/vtbd1s1f 14G 270M 13G 2% /var
/dev/vtbd3s2 91M 940K 90M 1% /var/host
/dev/md1 320M 320M -25.5M 109% /mfs
/var/jail 14G 270M 13G 2% /jail/var
/var/jails/rest-api 14G 270M 13G 2% /web-api/var
/var/log 14G 270M 13G 2% /jail/var/log
devfs 1.0K 1.0K 0B 100% /jail/dev
192.168.1.1:/var/tmp/corefiles 119G 254M 113G 0% /var/crash/corefiles
192.168.1.1:/var/volatile 31G 4.0K 31G 0% /var/log/host
192.168.1.1:/var/log 119G 254M 113G 0% /var/log/hostlogs
192.168.1.1:/var/traffic-log 119G 254M 113G 0% /var/traffic-log
192.168.1.1:/var/local 119G 254M 113G 0% /var/db/host
192.168.1.1:/var/db/aamwd 119G 254M 113G 0% /var/db/aamwd
192.168.1.1:/var/db/secinteld 119G 254M 113G 0% /var/db/secinteld
192.168.1.1:/app_disk 14M 136K 13M 1% /var/install_disk
192.168.1.1:/var/log 119G 254M 113G 0% /var/host-mnt/var/log
node1:
--------------------------------------------------------------------------
Filesystem Size Used Avail Capacity Mounted on
/dev/vtbd0s1a 501M 359M 102M 78% /
devfs 1.0K 1.0K 0B 100% /dev
/dev/md0 1.0G 1.0G 0B 100% /junos
/cf 501M 359M 102M 78% /junos/cf
devfs 1.0K 1.0K 0B 100% /junos/dev/
procfs 4.0K 4.0K 0B 100% /proc
/dev/vtbd1s1e 1.6G 108K 1.4G 0% /config
/dev/vtbd1s1f 14G 124M 13G 1% /var
/dev/vtbd3s2 91M 940K 90M 1% /var/host
/dev/md1 320M 21M 274M 7% /mfs
/var/jail 14G 124M 13G 1% /jail/var
/var/jails/rest-api 14G 124M 13G 1% /web-api/var
/var/log 14G 124M 13G 1% /jail/var/log
devfs 1.0K 1.0K 0B 100% /jail/dev
192.168.1.1:/var/tmp/corefiles 119G 255M 113G 0% /var/crash/corefiles
192.168.1.1:/var/volatile 31G 4.0K 31G 0% /var/log/host
192.168.1.1:/var/log 119G 255M 113G 0% /var/log/hostlogs
192.168.1.1:/var/traffic-log 119G 255M 113G 0% /var/traffic-log
192.168.1.1:/var/local 119G 255M 113G 0% /var/db/host
192.168.1.1:/var/db/aamwd 119G 255M 113G 0% /var/db/aamwd
192.168.1.1:/var/db/secinteld 119G 255M 113G 0% /var/db/secinteld
192.168.1.1:/app_disk 14M 136K 13M 1% /var/install_disk
192.168.1.1:/var/log 119G 255M 113G 0% /var/host-mnt/var/log
- Log in as root and run the following command in the shell on both nodes: sh -c 'find / -size +10485760c 2> /dev/null' | xargs du -h | sort -nr
- Node0
355M /cf/packages/junos-srxjcp-15.1X49-D100.6-domestic
309M /mfs/var/etc/resolv.conf
32K /var/db/userid/__db.003
29M /modules/bcmsdk_5_9_x.ko
22M /usr/lib/dd/libjkernel-dd.tlv
21M /usr/sbin/rpd
20M /var/db/da_data_geo/database/log.0000000001
20M /var/db/da_data/database/log.0000000001
19M /usr/sbin/ipfd
17M /modules/bcmsdk_5_6_1.ko
15M /var/rundb/schema.db
14M /usr/share/icu/4.6/icudt46l.dat
14M /usr/sbin/chassisd
14M /usr/sbin/authd
14M /usr/lib/dd/libjroute-dd.tlv
13M /usr/sbin/jpppd
13M /usr/sbin/aamwd
12M /usr/sbin/kmd
12M /usr/sbin/jdhcpd
10M /var/db/appid/bins/libqmprotocols.so.amd64
10M /usr/lib/libidp-compiler.so.0
- Node1
355M /cf/packages/junos-srxjcp-15.1X49-D100.6-domestic
32K /var/db/userid/__db.003
29M /modules/bcmsdk_5_9_x.ko
22M /usr/lib/dd/libjkernel-dd.tlv
21M /usr/sbin/rpd
20M /var/db/da_data_geo/database/log.0000000001
20M /var/db/da_data/database/log.0000000001
19M /usr/sbin/ipfd
17M /modules/bcmsdk_5_6_1.ko
15M /var/rundb/schema.db
14M /usr/share/icu/4.6/icudt46l.dat
14M /usr/sbin/chassisd
14M /usr/sbin/authd
14M /usr/lib/dd/libjroute-dd.tlv
13M /usr/sbin/jpppd
13M /usr/sbin/aamwd
12M /usr/sbin/kmd
12M /usr/sbin/jdhcpd
10M /var/db/appid/bins/libqmprotocols.so.amd64
10M /usr/lib/libidp-compiler.so.0
- We see that the file /mfs/var/etc/resolv.conf at 309M does not match Node1 and is consuming too much space.
Solution:
- In the shell on Node0, use rm -f /{filepath}/[filename] to remove the file. Run sh -c 'find / -size +10485760c 2> /dev/null' | xargs du -h | sort -nr a second time to confirm the file has been removed; if it has been renamed, delete it a second time.
- In configuration mode run commit full and the configuration will commit to both nodes correctly.
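A small script that does the per-node comparison from the case above mechanically: it parses the two large-file listings, converts the du -h sizes to bytes (sort -nr ignores the unit suffix, which is why 32K sorts between 309M and 29M in the listing) and reports files that exist on only one node or differ in size. Added example, not from the original post or from Junos; the two listings are constructed from the sizes shown in the thread and trimmed.

```python
"""Compare the per-node large-file listings from the cluster case above.
Added example, not from the original post or Junos; the two listings are
constructed from the sizes shown in the thread and trimmed to a few lines."""
import re
NODE0 = """\
355M /cf/packages/junos-srxjcp-15.1X49-D100.6-domestic
309M /mfs/var/etc/resolv.conf
32K /var/db/userid/__db.003
29M /modules/bcmsdk_5_9_x.ko
21M /usr/sbin/rpd
"""
NODE1 = """\
355M /cf/packages/junos-srxjcp-15.1X49-D100.6-domestic
32K /var/db/userid/__db.003
29M /modules/bcmsdk_5_9_x.ko
21M /usr/sbin/rpd
"""
_UNITS = {"B": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4}

def parse_size(text):
    """Convert a du -h size such as '309M' or '1.5G' to bytes. sort -nr
    ignores the unit suffix, which is why 32K lands between 309M and 29M
    in the thread's listing; comparing bytes avoids that."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([BKMGT]?)", text.strip())
    if not m:
        raise ValueError("bad du size: %r" % text)
    return int(float(m.group(1)) * _UNITS[m.group(2) or "B"])

def parse_du(listing):
    """Map path -> bytes from 'SIZE PATH' lines (du -h output)."""
    files = {}
    for line in listing.splitlines():
        if line.strip():
            size, path = line.split(None, 1)
            files[path] = parse_size(size)
    return files

def compare_nodes(node0, node1):
    """List (path, bytes_on_node0, bytes_on_node1) for files that exist on
    only one node or differ in size, largest first; 0 means absent."""
    a, b = parse_du(node0), parse_du(node1)
    diffs = [(p, a.get(p, 0), b.get(p, 0)) for p in set(a) | set(b)
             if a.get(p, 0) != b.get(p, 0)]
    diffs.sort(key=lambda d: max(d[1], d[2]), reverse=True)
    return diffs

if __name__ == "__main__":
    for path, s0, s1 in compare_nodes(NODE0, NODE1):
        print("%-45s node0=%dM node1=%dM" % (path, s0 >> 20, s1 >> 20))
```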
destination nat for 1 public IP to 2 local host that use the same service port 443 (web application server)
Hi Guys,
Will it work in destination NAT if we use 1 public IP to 2 private IPs that use the same service port 443? One is configured to port-forward 8443 (public) to port 443 (private), the other one is 443 to 443. The two local hosts are the same web application server. Below is the config of the destination NAT that I created:
[edit security nat destination]
pool 10_154_252_240 {
    address 10.154.252.240/32;
}
pool 10_104_64_5 {
    address 10.104.64.5/32;
}
rule-set NAT_for_server {
    from zone UNTRUST;
    rule DNAT-64_5 {
        match {
            destination-address 1.1.1.1/32;
            destination-port {
                443;
            }
        }
        then {
            destination-nat {
                pool {
                    10_104_64_5;
                }
            }
        }
    }
    rule DNAT-252_240 {
        match {
            destination-address 1.1.1.1/32;
            destination-port {
                8443;
            }
        }
        then {
            destination-nat {
                pool {
                    10_154_252_240;
                }
            }
        }
    }
}
How to create multiple different local web filtering on SRX
Hi All
I need to create some different types of web filtering (local, as we don't have a web filtering license).
example:
Policy 1: block abc.com, def.com and permit all other
Policy 2: block XYZ.net, TUV.net and permit all other
Policy 3: block ghi.org, mnv.org and permit all other
But as I researched and checked on our SRX220H2, there is only one method, which is to use the Global option Blacklist, but if I use Global, there is only one collection of URL blocking.
Last time, when using SSG, we could do this easily.
If possible, could you please guide me on how to create multiple different web filterings on SRX?
Many thanks
Disable cluster mode on SRX300 firewall
Hi All
I have two SRX300 firewalls that are configured in cluster mode. Now I want to disable cluster mode. If disabled, will it keep the other configuration? e.g. static routes, NAT, rules
THANKSSSSSSSSSSSS
Re: Disable cluster mode on SRX300 firewall
Re: Disable cluster mode on SRX300 firewall
Sorry, I am new with Juniper. How do I change interfaces from reth to ge-? Thanks
Re: Disable cluster mode on SRX300 firewall
Use the following commands to remove reth interfaces:
delete interfaces reth0
delete interfaces reth1 (and so on)
delete chassis cluster
Then configure individual interfaces as necessary:
set interface ge-x/x/x unit x ......
And then assign these ge-interfaces to relevant security zones.
Anand
Re: SRX BGP/NAT question about putting another FW in the SRX's "outside"
If the existing SRX is running as a firewall for the rest of the network, then packet mode is not an option here. Packet mode is a device-level configuration: you can be either a router or a firewall; you cannot mix the two on the same device.
Re: Disable cluster mode on SRX300 firewall
The process will be slightly complicated. The interface configuration on these uses redundant interfaces (reth), which take two physical interfaces, one on each of the two devices in matching positions, and make them a failover pair.
So the process will be:
on specific ge interface: remove the reth membership
copy the configuration from the reth interface
change name to lower number ge interface of the pair and apply to this interface
delete the reth interface connection
delete all the ge-1/x/x interfaces as they are on the second device
I would pull a copy of the entire interface stanza as is:
show configuration interfaces | display set | no-more
Save this in a text only file
example existing reth1 pair
set interfaces ge-0/0/0 gigether-options redundant-parent reth1
set interfaces ge-1/0/0 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 10.10.0.1/29
changes
delete interfaces ge-0/0/0
set interfaces ge-0/0/0 unit 0 family inet address 10.10.0.1/29
delete interfaces reth1
delete interfaces ge-1/0/0
perform this for all reth interface sets
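The conversion described above, done mechanically from a "display set" dump so the steps are applied consistently to every reth pair. Added example, not the poster's code or a Junos tool; SAMPLE is constructed from the reth1 pair in the post plus a second, made-up pair, and real reth stanzas carry more knobs (vlan-tagging, redundant-ether-options), so review the output before committing.

```python
"""Generate the reth -> ge commands for the procedure above from a
'show configuration interfaces | display set' dump. Added example, not the
poster's code or a Junos tool; SAMPLE is constructed from the reth1 pair in
the post plus a second pair. Review the output before committing."""
import re
SAMPLE = """\
set interfaces ge-0/0/0 gigether-options redundant-parent reth1
set interfaces ge-1/0/0 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 10.10.0.1/29
set interfaces ge-0/0/1 gigether-options redundant-parent reth2
set interfaces ge-1/0/1 gigether-options redundant-parent reth2
set interfaces reth2 redundant-ether-options redundancy-group 1
set interfaces reth2 unit 0 family inet address 192.0.2.1/30
"""
MEMBER = re.compile(r"^set interfaces (ge-\S+) gigether-options redundant-parent (reth\d+)$")
RETH_UNIT = re.compile(r"^set interfaces (reth\d+) (unit .+)$")

def ge_sort_key(name):
    """ge-FPC/PIC/PORT -> (FPC, PIC, PORT): the node0 member has the lowest FPC."""
    return tuple(int(x) for x in name[3:].split("/"))

def reth_to_ge(set_lines):
    """Return the delete/set commands that collapse each reth onto its
    lowest-numbered member, carrying over only the reth's unit configuration
    (redundant-ether-options is cluster-only and is dropped with the reth)."""
    members, units = {}, {}
    for line in set_lines.splitlines():
        m = MEMBER.match(line.strip())
        if m:
            members.setdefault(m.group(2), []).append(m.group(1))
            continue
        m = RETH_UNIT.match(line.strip())
        if m:
            units.setdefault(m.group(1), []).append(m.group(2))
    cmds = []
    for reth in sorted(members, key=lambda r: int(r[4:])):
        ges = sorted(members[reth], key=ge_sort_key)
        keep, others = ges[0], ges[1:]
        cmds.append("delete interfaces %s" % keep)        # drops redundant-parent
        for unit in units.get(reth, []):
            cmds.append("set interfaces %s %s" % (keep, unit))
        cmds.append("delete interfaces %s" % reth)
        for ge in others:                                  # members on node1
            cmds.append("delete interfaces %s" % ge)
    return cmds

if __name__ == "__main__":
    print("\n".join(reth_to_ge(SAMPLE)))
```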
Re: destination nat for 1 public IP to 2 local host that use the same service port 443 (web application server)
The pool used for the 8443 forward also has to change the destination port, in addition to the address, to hit the server's 443 port.
pool 10_154_252_240 {
    address 10.154.252.240/32 port 443;
}
Re: Any one already try fxp0 in the mgmt_junos Routing Instance on Chassis Cluster?
Hi all,
are there any news on this feature related to SRX compatibility?
I was trying to set this up on an SRX345 cluster, but I don't get any connections on the fxp0 interfaces. The mgmt_junos routing table is empty.
Thanks.
Fight with ASA - Alternative to 5505 and 5506 - Difference between suggested alternatives srx2xx or srx3xx
Hi,
I researched and understood some different feature matrices between these "fights" for Cisco and Juniper.
I like Juniper more at this moment and I'd like to suggest a specific closer alternative to Cisco.
The main question is that I found the SRX2xx a good alternative to the ASA-5505, but I don't know why, from the configuration tools, the price is really different and unexpected, I mean:
- SRX-320: less than 2.000$
- SRX-220: more than 2.000$
?!?!?!
Why this difference, if the 3xx model should be better?!
I checked also features, throughputs and so on... but everything seems to be better on the 320... and the price is cheaper?! :-\
- Maybe some licenses needed on the SRX-320 are not included?
- Maybe.... boh.. :-)
What would be the suggested model for a firewall against the 5505 ASA with PoE, VPN and gigabit ports?
Can anyone help me?
regards
Re: Fight with ASA - Alternative to 5505 and 5506 - Difference between suggested alternatives srx2xx or srx3xx
The SRX220 is EOL (as is nearly the complete 100 and 200 series, due to RoHS compliance).
Unfortunately it can still be found in the SRX comparison matrix: SRX Compare Products
So IMHO you should not consider the SRX220 anymore;
it is replaced by newer SRX, typically the 300 series.
regards
alexander
Re: Fight with ASA - Alternative to 5505 and 5506 - Difference between suggested alternatives srx2xx or srx3xx
Thanks for the fast reply.
Ah! OK... Finding not-updated tables, I made some mistakes about all of this information. Thanks once again!
Then... I'm looking for an SRX-3xx with 8 gigabit ports and PoE to match my requirement.
Not easy BTW... because the SRX-2xx all have integrated RJ-45.... the SRX-3xx only 6...
let's see.
regards
Re: SRX240 Security zone & VR limitation
.. it wasn't ASAP
Below is the right command.
run show log nsd_chk_only | match "max "
Max Policy = 4096
Max Policy Context = 256
Max Policy per Context = 4096
Max Statistics Counter = 256
Max Address per Policy = 1024
Max Applications per Policy = 128
Max Role per Policy = 128
Max Scheduler = 128
Max Security Zones = 32
Max Security Address Books = 32
Unable to get SNMP working remotely
Hi All
I'm having trouble getting SNMP data from remote servers to my SRX 1500. Locally on the device snmpwalk works fine. Below are the 2 config settings I have in place. On the remote servers it's timing out. The server I'm coming from also has an access rule policy allowing it into the firewall. I'm stuck on how to troubleshoot this further.
firewall {
    filter protect-re {
        term snmp {
            from {
                prefix-list {
                    snmp-hosts;
                }
                port snmp;
                protocol udp;
            }
            then {
                accept;
            }
        }
        term accept-all {
            then accept;
        }
    }
}
snmp {
    community public4ASD21 {
        authorization read-only;
        clients {
            63.17.248.2/32;
            44.240.68.11/32;
            172.40.0.181/32;
            172.40.0.161/32;
        }
    }
    trap-group snmp-trap-group1 {
        version v2;
        categories {
            authentication;
            chassis;
            link;
            remote-operations;
            routing;
            startup;
            rmon-alarm;
            configuration;
            services;
            chassis-cluster;
        }
        targets {
            44.240.68.11;
            172.40.0.181;
            172.40.0.161;
        }
    }
}
Re: Unable to get SNMP working remotely
Hi
Could you check if you have reachability from your NMS/server to this device? Check if the NMS is able to discover this node.
If yes, enable SNMP traceoptions, try to fetch data from the server, and then see what clue the traceoptions debug log gives you.
set snmp traceoptions file snmpd.log
set snmp traceoptions file size 100m
set snmp traceoptions file files 5
set snmp traceoptions flag all
Analog Security Screen features in CISCO ISR 4xxx
Hello!
I want to consider Cisco ISR 4xxx series routers for a remote branch, but for now I don't know if they have basic DoS protection like the security screens in Juniper SRX for preventing basic DoS attacks.
If anyone has worked with Cisco ISR and Juniper SRX, can you tell me: does the Cisco ISR 4xxx series have this basic security functionality?