In case anyone is interested, I set it up as stated in my original question, and it worked as I'd hoped.
Re: 2 VPNs to Hub Site - how to implement
after upgrade to 15.1X49-D140.2 screen logging stopped
Hello, after upgrading to 15.1X49-D140.2 in July, I noticed our screen logging has stopped.
The screen is still active and the counters are increasing, but it is not logging at all???
Re: after upgrade to 15.1X49-D140.2 screen logging stopped
Hello Andrew,
Can you share with us your screen and logging config?
If you can also share a sample log from the time it was working, that would be great too.
Re: after upgrade to 15.1X49-D140.2 screen logging stopped
show log messages.3.gz | match screen
Oct 09 12:30:19
Jul 19 18:17:02 rtr_199_w10_1G RT_IDS: RT_SCREEN_TCP: TCP sweep!
show system uptime
Oct 09 12:30:47
System booted: 2018-07-19 21:39:33 CDT
show configuration security screen | display set
Oct 09 12:34:25
set security screen ids-option untrust-screen icmp ip-sweep threshold 1000000
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip unknown-protocol
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-fin
set security screen ids-option untrust-screen tcp tcp-no-flag
set security screen ids-option untrust-screen tcp syn-frag
set security screen ids-option untrust-screen tcp port-scan threshold 1000000
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 1500
set security screen ids-option untrust-screen tcp syn-flood source-threshold 200
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 200
set security screen ids-option untrust-screen tcp syn-flood timeout 10
set security screen ids-option untrust-screen tcp land
set security screen ids-option untrust-screen tcp winnuke
set security screen ids-option untrust-screen tcp tcp-sweep threshold 1000000
set security screen ids-option untrust-screen udp udp-sweep threshold 1000000
set security screen ids-option untrust-screen limit-session source-ip-based 2000
set security screen ids-option untrust-screen limit-session destination-ip-based 2000
show configuration system syslog
Oct 09 12:31:21
user * {
any critical;
}
host 10.x.x.x {
any info;
source-address 192.x.x.x.;
}
file messages {
any warning;
authorization warning;
}
file ids {
any any;
match RT_IDS;
archive world-readable;
structured-data;
show log ids
Oct 09 12:32:15
Jul 19 18:17:00 rtr_199_w10_1G newsyslog[75343]: logfile turned over due to -F request
<11>1 2018-07-19T18:17:02.309-05:00 rtr_199_w10_1G RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.137 attack-name="TCP sweep!" source-address="113.16.205.122" source-port="6000" destination-address="40.134.20.98" destination-port="1433" source-zone-name="untrust"
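An added example, not code from the thread: a small parser for the structured-data RT_IDS lines that the `file ids ... structured-data` entry writes, which is the shape of the `show log ids` output above. The sample lines are constructed (documentation addresses; the interface-name and action keys are assumed, not taken from the post), and the second one is cut short the way the pasted line above is.

```python
import re
from typing import Dict, Iterable, Iterator, Optional

# Junos structured-data syslog, as in the post: <PRI>1 TIMESTAMP HOST PROCESS - MSGID [SD-ID k="v" ...]
HEADER_RE = re.compile(
    r'^<(?P<pri>\d+)>\d+\s+(?P<ts>\S+)\s+(?P<host>\S+)\s+'
    r'(?P<process>\S+)\s+-\s+(?P<msgid>\S+)\s+\[(?P<sdid>\S+)\s*(?P<params>.*)$'
)
PARAM_RE = re.compile(r'(?P<key>[\w-]+)="(?P<value>[^"]*)"')

def parse_rt_ids(line: str) -> Optional[Dict[str, str]]:
    """Parse one structured-data line into a flat dict; None if it is not one.
    A missing closing ']' (the post's pasted line is cut off there) is tolerated:
    every complete key="value" pair before the cut is still extracted.
    """
    m = HEADER_RE.match(line.strip())
    if m is None:
        return None
    ev = {k: m.group(k) for k in ("ts", "host", "process", "msgid", "sdid")}
    params = m.group("params").rstrip().rstrip("]")
    ev.update((p.group("key"), p.group("value")) for p in PARAM_RE.finditer(params))
    # RFC 5424 PRI = facility * 8 + severity, so <11> is facility 1, severity 3 (error)
    pri = int(m.group("pri"))
    ev["facility"], ev["severity"] = str(pri // 8), str(pri % 8)
    return ev

def screen_hits(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield only RT_IDS screen events (RT_SCREEN_TCP, RT_SCREEN_UDP, ...)."""
    for line in lines:
        ev = parse_rt_ids(line)
        if ev and ev["process"] == "RT_IDS" and ev["msgid"].startswith("RT_SCREEN_"):
            yield ev

# Constructed sample modelled on the post's output: documentation addresses; the
# interface-name/action keys are assumed, not taken from the thread.
SAMPLE = [
    '<11>1 2018-07-19T18:17:02.309-05:00 fw1 RT_IDS - RT_SCREEN_TCP [junos@2636.1.1.1.2.137 '
    'attack-name="TCP sweep!" source-address="192.0.2.10" source-port="6000" '
    'destination-address="198.51.100.5" destination-port="1433" source-zone-name="untrust" '
    'interface-name="ge-0/0/0.0" action="drop"]',
    # truncated copy, the way the line was pasted into the thread
    '<11>1 2018-07-19T18:17:03.100-05:00 fw1 RT_IDS - RT_SCREEN_UDP [junos@2636.1.1.1.2.137 '
    'attack-name="UDP sweep!" source-address="192.0.2.11" source-zone-name="untrust"',
    # a plain newsyslog line, which the parser must skip
    'Jul 19 18:17:00 fw1 newsyslog[75343]: logfile turned over due to -F request',
]

if __name__ == "__main__":
    for ev in screen_hits(SAMPLE):
        print(ev["ts"], ev["msgid"], ev["attack-name"], ev["source-address"], ev.get("destination-address", "?"))
```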
Re: after upgrade to 15.1X49-D140.2 screen logging stopped
The configuration looks fine. Is the "untrust-screen" applied to a specific security zone?
Are you testing/triggering an attack on that zone that will trigger any of the screens, and hence the logging of them?
Re: after upgrade to 15.1X49-D140.2 screen logging stopped
I'm seeing hits; I cleared this a couple of hours ago.
It's applied to untrust, and our interface is in the untrust zone.
set security zones security-zone untrust screen untrust-screen
show security screen statistics zone untrust
Oct 09 13:00:21
Screen statistics:
IDS attack type Statistics
ICMP flood 0
UDP flood 0
TCP winnuke 0
TCP port scan 440
UDP port scan 0
ICMP address sweep 0
TCP sweep 136
UDP sweep 885
IP tear drop 0
TCP SYN flood 0
SYN flood source 0
SYN flood destination 0
IP spoofing 0
ICMP ping of death 0
IP source route option 0
TCP land attack 0
TCP SYN fragment 0
TCP no flag 0
IP unknown protocol 0
IP bad options 0
IP record route option 0
IP timestamp option 0
IP security option 0
IP loose source route option 0
IP strict source route option 0
IP stream option 0
ICMP fragment 0
ICMP large packet 0
TCP SYN FIN 0
TCP FIN no ACK 0
Source session limit 0
TCP SYN-ACK-ACK proxy 0
IP block fragment 0
Destination session limit 0
IPv6 extension header 0
IPv6 extension hop by hop option 0
IPv6 extension destination option 0
IPv6 extension header limit 0
IPv6 malformed header 0
ICMPv6 malformed packet 0
IP tunnel summary 0
Re: DHCP Issue being a client and server
Guys, any help? The ISP side is dynamic; what do you do in that case?
Link Aggregation - SRX firewall - question.
Hi Guys,
I need to configure link aggregation on an SRX1500 firewall. However, I'm worried about CPU/memory utilization, because we currently have the IDP service and an IPsec site-to-site VPN enabled on this same device. Does anyone have suggestions about the utilization of link aggregation on the SRX?
Thanks,
João Victor
SRX3400 management port.
Hi,
Can we configure any other port as the management port on the SRX3400 than fxp0?
Regards,
Neeraj.
Re: after upgrade to 15.1X49-D140.2 screen logging stopped
Can you post the config under [edit security log]? I would like to see if mode "event" is configured.
What's the SRX model?
Re: after upgrade to 15.1X49-D140.2 screen logging stopped
show configuration security log | display set
Oct 09 13:41:15
nothing (this has never been configured)
SRX1500
Re: SRX3400 management port.
Hi Neeraj,
Yes, you can manage the SRX (SSH/Telnet/SNMP/etc.) via a revenue/normal port. The fxp0 interface is intended for out-of-band management access, meaning that you have a separate network just for management purposes and your management traffic won't be mixed with or affected by your production traffic. If you ever have a problem on the production network, like a broadcast storm, you won't lose management access to your SRX.
You could also have a revenue port working as an out-of-band management interface by placing it in the "management" functional zone. Note that this type of zone is different from a security zone, and any traffic reaching the SRX via the management functional zone won't be routed to other zones; it will only be useful for management of the SRX.
https://www.oreilly.com/library/view/juniper-srx-series/9781449339029/ch04.html (see the functional zone section)
Re: Link Aggregation - SRX firewall - question.
Hi João,
We can start by verifying the actual CPU/memory usage on your device. Please post the following commands:
show chassis routing-engine
show security monitoring fpc 0
show security monitoring performance spu
Re: after upgrade to 15.1X49-D140.2 screen logging stopped
Andrew,
You need to configure mode "event" under that hierarchy.
NOTE
Starting with Junos OS Release 15.1X49-D100, the default mode for SRX1500 device is stream mode. Prior to Junos OS Release 15.1X49-D100, the default mode for SRX1500 device was event mode.
Please let us know if you see the logs after setting mode event.
Re: DHCP Issue being a client and server
Hi hayyankk,
When you say that you have the same issue, do you mean that you have both the DHCP server and client configured and it's not working? (That's the issue of this post.) If not, maybe you could open a new forum post for your specific question/issue.
Re: Link Aggregation - SRX firewall - question.
Hi, thanks for your reply. See below:
show chassis routing-engine
node0:
--------------------------------------------------------------------------
Routing Engine status:
Temperature 35 degrees C / 95 degrees F
CPU temperature 35 degrees C / 95 degrees F
Total memory 1954 MB Max 703 MB used ( 36 percent)
Memory utilization 31 percent
5 sec CPU utilization:
User 2 percent
Background 0 percent
Kernel 3 percent
Interrupt 2 percent
Idle 93 percent
1 min CPU utilization:
User 2 percent
Background 0 percent
Kernel 3 percent
Interrupt 2 percent
Idle 93 percent
5 min CPU utilization:
User 2 percent
Background 0 percent
Kernel 3 percent
Interrupt 2 percent
Idle 93 percent
15 min CPU utilization:
User 2 percent
Background 0 percent
Kernel 3 percent
Interrupt 2 percent
Idle 93 percent
Model SRX Routing Engine
Serial ID BUILTIN
Start time 2018-04-16 17:38:26 UTC
Uptime 176 days, 1 hour, 42 minutes, 15 seconds
Last reboot reason 0x4000:VJUNOS reboot
Load averages: 1 minute 5 minute 15 minute
0.19 0.11 0.09
show security monitoring fpc 0 node 0
node0:
--------------------------------------------------------------------------
FPC 0
PIC 0
CPU utilization : 1 %
Memory utilization : 40 %
Current flow session : 15231
Current flow session IPv4: 15231
Current flow session IPv6: 0
Max flow session : 2097152
Total Session Creation Per Second (for last 96 seconds on average): 309
IPv4 Session Creation Per Second (for last 96 seconds on average): 309
IPv6 Session Creation Per Second (for last 96 seconds on average): 0
show security monitoring performance spu
node0:
--------------------------------------------------------------------------
fpc 0 pic 0
Last 60 seconds:
0: 1 1: 1 2: 1 3: 2 4: 1 5: 2
6: 1 7: 2 8: 1 9: 1 10: 2 11: 2
12: 1 13: 1 14: 1 15: 2 16: 1 17: 2
18: 1 19: 2 20: 1 21: 2 22: 2 23: 2
24: 1 25: 2 26: 2 27: 2 28: 1 29: 2
30: 2 31: 2 32: 1 33: 2 34: 1 35: 2
36: 2 37: 2 38: 2 39: 2 40: 1 41: 2
42: 1 43: 1 44: 1 45: 2 46: 1 47: 2
48: 1 49: 1 50: 1 51: 2 52: 1 53: 2
54: 2 55: 2 56: 1 57: 1 58: 1 59: 2
{primary:node0}
Re: Link Aggregation - SRX firewall - question.
The SRX1500 is only loaded a few percent both on the control and data plane so I see no issue enabling link aggregation.
Re: Link Aggregation - SRX firewall - question.
The control-plane and data-plane memory and CPU utilization look fine; go ahead with the link-aggregation implementation:
show chassis routing-engine
node0:
--------------------------------------------------------------------------
Routing Engine status:
Temperature 35 degrees C / 95 degrees F
CPU temperature 35 degrees C / 95 degrees F
Total memory 1954 MB Max 703 MB used ( 36 percent)
Memory utilization 31 percent
5 sec CPU utilization:
User 2 percent
Background 0 percent
Kernel 3 percent
Interrupt 2 percent
Idle 93 percent
1 min CPU utilization:
User 2 percent
Background 0 percent
Kernel 3 percent
Interrupt 2 percent
Idle 93 percent
5 min CPU utilization:
User 2 percent
Background 0 percent
Kernel 3 percent
Interrupt 2 percent
Idle 93 percent
15 min CPU utilization:
User 2 percent
Background 0 percent
Kernel 3 percent
Interrupt 2 percent
Idle 93 percent
Model SRX Routing Engine
Serial ID BUILTIN
Start time 2018-04-16 17:38:26 UTC
Uptime 176 days, 1 hour, 42 minutes, 15 seconds
Last reboot reason 0x4000:VJUNOS reboot
Load averages: 1 minute 5 minute 15 minute
0.19 0.11 0.09
show security monitoring fpc 0 node 0
node0:
--------------------------------------------------------------------------
FPC 0
PIC 0
CPU utilization : 1 %
Memory utilization : 40 %
Current flow session : 15231
Current flow session IPv4: 15231
Current flow session IPv6: 0
Max flow session : 2097152
Total Session Creation Per Second (for last 96 seconds on average): 309
IPv4 Session Creation Per Second (for last 96 seconds on average): 309
IPv6 Session Creation Per Second (for last 96 seconds on average): 0
I hope this information was helpful.
Re: Link Aggregation - SRX firewall - question.
Ok Guys,
Thanks a lot for the quick response. I have one last question:
At about what CPU/memory percentage should I be worried? 85%, 90%, 95%?
I noted that sometimes on another SRX box (1400) I have memory utilization of about 85%; however, this number IS STABLE. It doesn't decrease, and doesn't increase considerably.
Again, thanks for the help.
Re: Link Aggregation - SRX firewall - question.
Q. At about what CPU/memory percentage should I be worried? 85%, 90%, 95%?
A. If CPU utilization is more than 85%, then you are facing high CPU utilization and yes, you should try to fix it before putting more load on the SRX. If the memory in your SRX1400 is at 85% but won't pass that threshold, I think you do not need to worry about it; I have seen those numbers on other firewalls.
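The check the two replies did by eye, as an added example that is not from the thread: parse the `show chassis routing-engine` and `show security monitoring fpc 0` outputs João posted and compare each figure with the 85% mark given in the answer above. The excerpts are constructed from the thread's figures, and applying the 85% mark to memory and session-table fill as well as CPU is an assumption, not a Juniper recommendation.

```python
import re

# The thread's answer treats CPU above 85% as "high"; the same figure is applied to
# memory and session usage here as an assumption, not a Juniper recommendation.
HIGH_UTIL_PERCENT = 85

def parse_routing_engine(text: str) -> dict:
    """Control plane: memory utilisation and 5 min CPU busy from 'show chassis routing-engine'."""
    mem = re.search(r"Memory utilization\s+(\d+) percent", text)
    # the 5 min block ends where the next 'N min CPU utilization:' header (15 min) begins
    win = re.search(r"(?<!\d)5 min CPU utilization:(.*?)(?=\n\s*\d+ min CPU|\Z)", text, re.S)
    idle = re.search(r"Idle\s+(\d+) percent", win.group(1))
    return {"cpu_pct": 100 - int(idle.group(1)), "mem_pct": int(mem.group(1))}

def parse_fpc(text: str) -> dict:
    """Data plane: SPU CPU, memory and session-table fill from 'show security monitoring fpc 0'."""
    def grab(pat: str) -> int:
        return int(re.search(pat, text).group(1))
    cur, mx = grab(r"Current flow session\s*:\s*(\d+)"), grab(r"Max flow session\s*:\s*(\d+)")
    return {"cpu_pct": grab(r"CPU utilization\s*:\s*(\d+)\s*%"),
            "mem_pct": grab(r"Memory utilization\s*:\s*(\d+)\s*%"),
            "session_pct": round(100 * cur / mx, 2)}

def headroom_report(re_text: str, fpc_text: str, limit: int = HIGH_UTIL_PERCENT) -> dict:
    """Map each metric to (value, within_limit) so a change window can be gated on it."""
    ctl, data = parse_routing_engine(re_text), parse_fpc(fpc_text)
    metrics = {"re_cpu": ctl["cpu_pct"], "re_mem": ctl["mem_pct"], "spu_cpu": data["cpu_pct"],
               "spu_mem": data["mem_pct"], "sessions": data["session_pct"]}
    return {name: (value, value <= limit) for name, value in metrics.items()}

# Constructed excerpts carrying the figures posted in the thread (real output has more fields).
RE_SAMPLE = """Routing Engine status:
    Memory utilization          31 percent
    5 min CPU utilization:
      User                       2 percent
      Idle                      93 percent
    15 min CPU utilization:
      Idle                      93 percent
"""
FPC_SAMPLE = """  FPC 0
    PIC 0
      CPU utilization          :    1 %
      Memory utilization       :   40 %
      Current flow session     : 15231
      Max flow session         : 2097152
"""

if __name__ == "__main__":
    for name, (value, ok) in headroom_report(RE_SAMPLE, FPC_SAMPLE).items():
        print(f"{name:9s} {value:6.2f}%  {'ok' if ok else 'HIGH'}")
```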