Hello,
Any specific deployment you are trying to do?
The following link mentions the limitations of Auto VPN.
Regards,
Rushi
Hello,
You can try something like this on SRX and see if it works.
Basically, the configuration on the ISG2000 is for passing multicast through the firewall without PIM.
Alternatively, you can use IGMP proxy to accomplish exactly the same thing.
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/mcast-igmp-snooping.html#jd0e201
Regards,
Rushi
Hello,
What is the Junos version?
If you enable APPID traceoptions, do you see anything as to why default-rule is hit instead of the custom rule you created?
Regards,
Rushi
Hi All,
We've had great service from our SSGs and now want to replace them; it's overdue. We've made use of 2 x SSG140s in our head office (active-passive HA) and single SSG20s in remote offices. Our needs are pretty simple: decent firewall and good policies, a handful of VPNs, OSPF and RIP, good bandwidth control and shaping, plus we only need to operate one remote office these days. I've kind of settled on SRX340s and SRX320s; they seem to be positioned similarly to where our SSGs sat in the family and are within our budget. We want to run two devices at both sites to achieve the same sort of HA.
As the boxes have just sat there for many years doing a great job we've become very rusty when it comes to where the latest Juniper devices are. I've tried to trawl the internet for some answers to a couple of queries but have struggled to find info so wondered if anyone can advise at all?
1 - We run dedicated cloud email and web filtering solutions (Mimecast and Symantec Web Security Service, itself a VPN from the SSGs) as well as Symantec Endpoint Protection for on-device security. Bearing that in mind, we are really looking at these devices to offer really good firewalling functionality; are they overkill if we don't use any sort of UTM features? What are people's opinions of the quality of the firewall on these devices?
2 - Is the 300 series relatively new? I haven't come across any EOL information to say they are going away any time soon (vs. the 200 series which looks to be EOL in a couple of years).
3 - We'd ideally like to somehow manage the firewall's outgoing policies across both sites centrally to save manually keeping complex rules (like bypassing the web filtering for Office 365 services) in sync. Are there any tools or software from Juniper to help with this?
4 - One bugbear of ScreenOS is that we've never been able to use wildcard hostnames for firewall rule address book entries (again a real pig for Office 365). Is that offered on the SRXs? How do others manage this challenge?
5 - Our SSG's have operated brilliantly and have been very reliable. For those who have moved from them to SRX can you say the same?
6 - The Enhanced Junos software only appears to offer Application Security (AppID, AppFW, AppQoS and AppRoute) features over base; is everything else equivalent across the software? I'm struggling to find decent documentation on the App security features; can anyone point me in the right direction? Would we benefit from these features bearing in mind our web filtering software?
7 - I'm finding the software licensing confusing. I get that these are sold as hardware first with a separation from the software point of view (to aid hardware portability, I believe). I'm looking at the SRX340-SYS-JB part (unless Enhanced proves useful) and similar for the SRX320. Would the -JB parts include the cost of software? What ongoing support/licensing packages would we need to ensure ongoing use of the software and provide access to future software updates?
8 - Broad, but is there anything that the SRX's don't do that the SSG's did well?
Apologies for the length, but if there's anything anyone could advise it would be really appreciated.
EDIT - I've also read some opinions that the IPS features on the SRX are pretty poor - can anyone provide some experience?
TIA.
FBF relies on having a known next hop for the forwarding instance of the traffic you are catching and forwarding.
So it depends on how unknown your next hop would be in an AD-VPN environment for the traffic you are trying to control forwarding this way.
I can contribute to a few of these. But I use the SRX as a basic firewall and packet mode MPLS so don't have any experience with the rest.
1- The additional licensed features like IDP or web browsing are completely optional and not connected to the main functionality. So you can skip them.
2- Yes, the 300 series is only a couple of years old; it is a hardware upgrade with newer, faster chips and speeds, replacing the 200 series.
3- central mgmt is via the Junos Space Security Directory platform. This can be either a VM or hardware appliance.
4- Same problem with wildcards on the SRX for standard firewall rules. But there is an application firewall license to have application-based rules applied, and with these you can then permit Office 365 as an application instead of managing IP address rules. This starts to get into the licensed features I haven't used outside a lab.
I understand the device is EoL and no longer supported, but I need help configuring DHCP on an SRX650 with an XPIM module installed. The ethernet-switching family is NOT supported, so I've been trying to use the family bridge and subinterface units, but DHCP will not work. No DHCP traffic is being generated by the SRX650.
Does anyone have a configuration for DHCP on an SRX 12.3X48- (with an XPIM device)?
We are having an issue with our Windows 10 workstations where Pulse connects successfully but sometimes the client won't pass any data. It happens randomly, usually 1 out of 5 tries. The client always connects but sometimes you can't ping across it. Our Windows 7 machines are fine. We have not been able to identify a certain build of Win 10 or patch causing this. The other end is a Juniper 240srx. We have the 5.2 version and 9.0.1 of the PulseSecure client. What software can you offer for connecting from client PCs with Windows 10 through the Juniper 240srx?
Thanks.
Hi all, I am new to Juniper licensing. Do I have to buy a license to use an SRX300 such as this legally? Do I just lose functionality if I don't?
If so, why do they even sell an unlicensed/unusable device? Is this just a hardware replacement purchase type of device that I would move a license to from an existing SRX300?
Seems like I am better off buying the JSB (assuming it's an all-in-one purchase with software and hardware) for my needs: https://www.cdw.com/product/Juniper-Networks-SRX300-Services-Gateway-security-appliance/4720675?pfm=srh I don't need the JSE at this time.
Thanks for the help on understanding this licensing situation.
Are you trying to set up a DHCP client on an interface or a DHCP server on the SRX for connected clients?
Trying to have the SRX as a DHCP server (i.e. router on a stick).
Can you share your current config?
As per KB17436 (https://kb.juniper.net/InfoCenter/index?page=content&id=KB17436&actp=METADATA), the Pulse client is supposed to work fine on Windows 10. I would recommend you open a JTAC case to check/troubleshoot the traffic issue during the problem state.
With SRX300-JSB, you get "SRX300 Junos Secure Branch Software with Firewall, NAT, IPSec, Routing and Switching Services".
If you go for SRX300-JSE, in addition to the above features you can use MPLS and Application Security Services.
I hope this helps.
You have mentioned HTTPS, but the custom application is specified as over http. Can you try using ssl?
set services application-identification application app1 over ssl signature s1 member m02
Use aggressive VPN-Monitoring parameters to get the st0 flaps quickly when VPN is down.
Hi Alexander
Thanks for your reply. Here is the routing table for traffic_tunnel.inet.0.
user@junipersrx1500> show route table traffic_tunnel.inet.0
traffic_tunnel.inet.0: 23 destinations, 26 routes (23 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
144.155.100.16/28 *[Direct/0] 36w5d 22:26:40
> via reth0.2613
[Direct/0] 36w5d 22:26:40
> via reth0.2613
[Direct/0] 36w5d 22:26:40
> via reth0.2613
[Direct/0] 36w5d 22:26:40
> via reth0.2613
144.155.100.20/32 *[Local/0] 36w5d 22:26:40
Local via reth0.2613
144.155.100.21/32 *[Local/0] 36w5d 22:26:40
Local via reth0.2613
144.155.100.22/32 *[Local/0] 36w5d 22:26:40
Local via reth0.2613
144.155.100.23/32 *[Local/0] 36w5d 22:26:40
Local via reth0.2613
165.225.100.0/22 *[Static/200] 13w0d 17:31:37
via gr-0/0/0.2
via gr-0/0/0.4
via gr-0/0/0.6
> via gr-0/0/0.0
172.17.21.224/30 *[Direct/0] 36w5d 22:26:40
> via gr-0/0/0.3
172.17.21.225/32 *[Local/0] 36w5d 22:26:40
Local via gr-0/0/0.3
172.17.21.228/30 *[Direct/0] 36w5d 22:26:40
> via gr-0/0/0.2
172.17.21.229/32 *[Local/0] 36w5d 22:26:40
Local via gr-0/0/0.2
172.17.81.96/30 *[Direct/0] 36w5d 22:26:40
> via gr-0/0/0.1
172.17.81.97/32 *[Local/0] 36w5d 22:26:40
Local via gr-0/0/0.1
172.17.81.100/30 *[Direct/0] 36w5d 22:26:40
> via gr-0/0/0.0
172.17.81.101/32 *[Local/0] 36w5d 22:26:40
Local via gr-0/0/0.0
172.17.87.96/30 *[Direct/0] 36w5d 22:26:40
> via gr-0/0/0.5
172.17.87.97/32 *[Local/0] 36w5d 22:26:40
Local via gr-0/0/0.5
172.17.87.100/30 *[Direct/0] 36w5d 22:26:40
> via gr-0/0/0.4
172.17.87.101/32 *[Local/0] 36w5d 22:26:40
Local via gr-0/0/0.4
172.17.87.104/30 *[Direct/0] 36w5d 22:26:40
> via gr-0/0/0.7
172.17.87.105/32 *[Local/0] 36w5d 22:26:40
Local via gr-0/0/0.7
172.17.87.108/30 *[Direct/0] 36w5d 22:26:40
> via gr-0/0/0.6
172.17.87.109/32 *[Local/0] 36w5d 22:26:40
Local via gr-0/0/0.6
185.46.100.0/23 *[Static/5] 12w5d 16:31:20
> via gr-0/0/0.3
via gr-0/0/0.5
via gr-0/0/0.7
via gr-0/0/0.1
How did you mean that the primary route is typically defined with next-hop and not with qualified next-hop?
Sorry to ask you that, but we implemented the GRE as Zscaler told us to do. The strange thing is that I was more or less thinking the same as you.
BTW: we implemented a test environment in the LAB using 4 tunnels (two primary and two secondary) and, using the last implementation setup they explain in https://help.zscaler.com/zia/gre-configuration-example-juniper-srx, we also set a tunnel monitor. But the issue stays the same as before...
Thanks in advance
BR Patrick
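One way to express the pattern Patrick is asking about, as an added example and not Patrick's, Alexander's or Zscaler's configuration: the primary path as a plain next-hop, the backup as a qualified-next-hop with a worse preference, and RPM plus ip-monitoring to actually withdraw the primary when the far end stops answering (a gr interface stays up on its own, so a static route over it never drops out by itself). The routing-instance name and tunnel units come from the output above; the probe target 198.51.100.1, the far-end address of gr-0/0/0.1 and the probe/policy names are assumed.

```junos
# Constructed example, not Patrick's, Alexander's or Zscaler's configuration.
# From the output above: routing-instance traffic_tunnel, tunnels gr-0/0/0.0
# (treated here as primary) and gr-0/0/0.1 (backup).
# Assumed: probe target 198.51.100.1; 172.17.81.98 as the far end of
# gr-0/0/0.1 (the other host in 172.17.81.96/30); probe and policy names.

# Primary path: plain next-hop at the default static preference (5).
# Backup path: qualified-next-hop with a worse preference, so only the
# primary is installed while it is usable and the backup takes over only
# when the primary next-hop is withdrawn. Four next-hops at the same
# preference, as in the 185.46.100.0/23 route above, are all equally active.
set routing-instances traffic_tunnel routing-options static route 0.0.0.0/0 next-hop gr-0/0/0.0
set routing-instances traffic_tunnel routing-options static route 0.0.0.0/0 qualified-next-hop gr-0/0/0.1 preference 10

# A gr interface stays up even when the far end is unreachable, so nothing
# withdraws the primary next-hop on its own. RPM pings the far end through
# the primary tunnel, inside the traffic_tunnel instance ...
set services rpm probe ZS-PRIMARY test GRE0 probe-type icmp-ping
set services rpm probe ZS-PRIMARY test GRE0 target address 198.51.100.1
set services rpm probe ZS-PRIMARY test GRE0 routing-instance traffic_tunnel
set services rpm probe ZS-PRIMARY test GRE0 next-hop gr-0/0/0.0
set services rpm probe ZS-PRIMARY test GRE0 probe-count 3
set services rpm probe ZS-PRIMARY test GRE0 probe-interval 3
set services rpm probe ZS-PRIMARY test GRE0 test-interval 5
set services rpm probe ZS-PRIMARY test GRE0 thresholds successive-loss 3

# ... and ip-monitoring reacts to a failed probe by installing a route with
# preference 1 via the backup tunnel, which beats both static entries above.
# The route is removed again once the probe recovers, so traffic falls back.
set services ip-monitoring policy ZS-FAILOVER match rpm-probe ZS-PRIMARY
set services ip-monitoring policy ZS-FAILOVER then preferred-route routing-instances traffic_tunnel route 0.0.0.0/0 next-hop 172.17.81.98
set services ip-monitoring policy ZS-FAILOVER then preferred-route routing-instances traffic_tunnel route 0.0.0.0/0 preferred-route-preference 1
```

While the probe is failing, "show route table traffic_tunnel.inet.0 0.0.0.0/0" should show the preference-1 entry as active; "show services ip-monitoring status" shows which policy is currently applied.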
This should be your basic setup instructions
I think this may be missing adding allow dhcp to the host inbound traffic on the zone where the clients connect as well.
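A minimal SRX DHCP server setup that includes the host-inbound-traffic line the reply above points at, as an added example and not the poster's or Juniper's configuration. The client-facing unit ge-0/0/3.0, zone trust and subnet 192.0.2.0/24 are assumed; substitute whichever L3 unit carries your clients, and reference the same unit in both the dhcp-local-server group and the zone.

```junos
# Constructed example, not the poster's configuration. Assumed: client-facing
# unit ge-0/0/3.0 in zone trust, LAN subnet 192.0.2.0/24 with the SRX at .1.

set interfaces ge-0/0/3 unit 0 family inet address 192.0.2.1/24
set security zones security-zone trust interfaces ge-0/0/3.0

# Pool the server hands out. The server picks the pool by matching the
# interface address, so the network must contain 192.0.2.1.
set access address-assignment pool LAN-POOL family inet network 192.0.2.0/24
set access address-assignment pool LAN-POOL family inet range R1 low 192.0.2.10 high 192.0.2.200
set access address-assignment pool LAN-POOL family inet dhcp-attributes router 192.0.2.1
set access address-assignment pool LAN-POOL family inet dhcp-attributes maximum-lease-time 86400

# Bind the DHCP local server to the client-facing unit
set system services dhcp-local-server group LAN interface ge-0/0/3.0

# The part the reply above points at: DISCOVER packets are traffic destined
# to the SRX itself, so the zone must admit the dhcp service on that unit.
# Without it they are dropped before reaching the server process and the
# SRX never generates an OFFER, which matches the symptom described.
set security zones security-zone trust interfaces ge-0/0/3.0 host-inbound-traffic system-services dhcp

# Operational-mode checks once a client has asked for a lease:
#   show dhcp server binding
#   show dhcp server statistics
```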
I see the problem you note. Since JSB is the lowest-end SRX300 sold, why is there such a big price difference between those two postings at CDW? And the lower-priced one does not mention JSB but just the model number.
In my experience Juniper only sells devices without any license or production use privilege for labs, hot hardware spare and non production demo/training specifically labeled NFR (not for resale) and approves these through partners per deal.
So I think this first lower price listing was some kind of sale posted by CDW and will also be a JSB device.
Maybe a partner/reseller can chime in on the processes here.
Initially the SRX300 series was sold as separate HW and SW SKUs, where you needed to buy SRX300 + SRX300-JSB to have a valid configuration.
Later on, combination SKUs were introduced, e.g. SRX300-SYS-JB.
So the right way to go is to buy the combination SKU, as it's easier.