Channel: All SRX Services Gateway posts

Maximum user on SRX Firewall


Hi

Does the SRX firewall limit the number of users?

As I understand it, the SRX doesn't limit the number of users on the firewall but limits the number of remote users for the dynamic VPN feature. Am I correct?

 


Re: Maximum user on SRX Firewall


2 user license by default for dynamic VPN on SRX.

Any further user requirements will require a new license.

Re: Maximum user on SRX Firewall


What about normal users who only have traffic passing through the firewall? e.g. a client within the LAN in the trust zone.

Re: (No) traffic through Dynamic VPN. Sometimes


Hi Elmiatero,

There is an ongoing issue with the Pulse software causing the problem you mentioned. The problem was introduced in Windows version 1802 if I am not mistaken; please check your Windows version. Also try the connection from a Windows version lower than 1802 and confirm whether the problem goes away. As of now there is nothing that can be done on the SRX side, and a fix from Pulse Secure is pending.

I believe you are experiencing this issue because you mentioned it works via Linux. Could that be your workaround for the meantime?

Re: Maximum user on SRX Firewall


Hi Halo,

The SRX won't limit the number of users, but rather the number of concurrent sessions it can handle at a given time. Note that one user could establish several sessions through the firewall at the same time, and that we are talking about traffic transiting via the SRX.

This info can be found in the datasheets for each model. Check the "Product Comparison" table in the following document and you will find the "Maximum concurrent sessions" supported by each device:

http://www.safenet-co.net/uploads/1000281-en(1).pdf

Is this the info you are looking for?

Re: Maximum user on SRX Firewall


There is, however, a limit to the number of users if using any type of user authentication. This depends on the platform as well.


Re: SRX300 - Filter Based Forwarding


...as a sanity test if I directly connect to https://10.83.42.1 from 10.83.30.12 the log file shows loads of output,

Yes, this is what I would expect; can you share the file with that info?

What is the other way you would use to connect? If it is by using a URL (a domain name), then maybe there is a DNS problem where your PC is not able to resolve IP address 10.83.42.1 from the URL being used.

Re: SRX300 - Filter Based Forwarding


OK, so attempting to connect to any random website from 10.83.30.12 shows nothing in the log. If I connect directly to http://10.83.42.1 the connection is successful and the log starts to fill. Attached 'FBF_traceoption_log.txt'.

Then I had a brain wave, altered the flow traceoption and attempted to browse to some website:

show configuration security flow traceoptions packet-filter TEST
source-prefix 10.83.30.12/32;
destination-port 80-443;

See log file 'FBF_working_maybe.txt'. This has the encouraging line:

Oct 12 18:48:34 18:48:34.674250:CID-0:RT:  routed (x_dst_ip 143.204.229.127) from INSIDE (irb.30 in 0) to irb.22, Next-hop: 10.83.42.1

...but then a little later:

Oct 12 18:48:34 18:48:34.674250:CID-0:RT:  denied by policy default-policy-logical-system-00(2), dropping pkt

Where is that policy coming from? I have a policy for INSIDE -> SERVERS:

show configuration security policies from-zone INSIDE to-zone SERVERS
policy ARM02 {
    match {
        source-address any-ipv4;
        destination-address ARM02;
        application [ junos-dns-udp junos-dns-tcp junos-ssh junos-https junos-http ];
    }
    then {
        permit;
    }
}

Thanks for your patience with this.

cheers,

Seb.
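
The drop Seb is chasing can be reproduced offline: take the "routed ... to irb.22" decision from the trace, map the egress interface to its zone, and look for a policy covering that zone pair. This is an added example, not code from the thread; the binding of irb.22 to zone OUTSIDE and the one-entry policy table are assumptions.

```python
import ipaddress
import re

# Constructed sample input: the two flow-trace lines quoted in the thread.
TRACE = """\
Oct 12 18:48:34 18:48:34.674250:CID-0:RT:  routed (x_dst_ip 143.204.229.127) from INSIDE (irb.30 in 0) to irb.22, Next-hop: 10.83.42.1
Oct 12 18:48:34 18:48:34.674250:CID-0:RT:  denied by policy default-policy-logical-system-00(2), dropping pkt
"""
ROUTED = re.compile(
    r"routed \(x_dst_ip (?P<dst>[\d.]+)\) from (?P<from_zone>\S+) "
    r"\((?P<in_if>\S+) in \d+\) to (?P<out_if>\S+), Next-hop: (?P<nh>[\d.]+)"
)
DENIED = re.compile(r"denied by policy (?P<policy>\S+)\(\d+\)")
# Assumptions (not stated in the thread): irb.22 sits in zone OUTSIDE, and the only policy is the INSIDE -> SERVERS one.
IF_ZONE = {"irb.30": "INSIDE", "irb.22": "OUTSIDE"}
POLICIES = [("ARM02", "INSIDE", "SERVERS", ["10.83.42.1/32"])]  # (name, from-zone, to-zone, dst prefixes)

def parse_trace(text):
    """Extract routing decisions and policy denials from flow traceoptions output."""
    events = []
    for line in text.splitlines():
        m = ROUTED.search(line)
        if m:
            events.append({"kind": "routed", **m.groupdict()})
            continue
        m = DENIED.search(line)
        if m:
            events.append({"kind": "denied", "policy": m["policy"]})
    return events

def matching_policy(from_zone, to_zone, dst_ip, policies=POLICIES):
    """First policy whose zone pair and destination cover the flow; None means the default deny applies."""
    ip = ipaddress.ip_address(dst_ip)
    for name, fz, tz, prefixes in policies:
        if fz == from_zone and tz == to_zone and any(ip in ipaddress.ip_network(p) for p in prefixes):
            return name
    return None

def diagnose(text, if_zone=IF_ZONE, policies=POLICIES):
    """For each routed packet, derive the egress zone from the egress interface and look up a policy."""
    out = []
    for ev in parse_trace(text):
        if ev["kind"] == "routed":
            to_zone = if_zone.get(ev["out_if"], "?")
            out.append({"from_zone": ev["from_zone"], "to_zone": to_zone, "dst": ev["dst"],
                        "policy": matching_policy(ev["from_zone"], to_zone, ev["dst"], policies)})
    return out
```

A result with "policy": None for the INSIDE -> OUTSIDE pair is exactly the case the trace reports: FBF routed the packet to irb.22, but no policy for that zone pair exists, so the default policy drops it.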

Re: No IPV6 flow sessions....

Thx again epaniagua. A bug is a probable cause. I wonder if I'm doing something wrong still. Thx for the great links. I hardly believe that zero counters is what everyone was getting. I want to upgrade but I'm thinking of getting the srx340 because I'm getting low memory.

Re: No IPV6 flow sessions....


You are very welcome! The SRX340 sounds like a good idea.

Re: SRX300 - Filter Based Forwarding


Can you share the output from:

root@srx# show | display set | match ARM02

Note that your policy only permits traffic destined to ARM02 (I assume it represents IP address 10.83.42.1). If this is the case, then it is expected that the rest of the traffic is getting blocked.

If you need to send traffic from 10.83.30.12 to several IP addresses, you either need to specify all these addresses in the destination section of the security policy or use the "any" option.

Re: (No) traffic through Dynamic VPN. Sometimes


Article is in review and not yet ready for viewing

Seems I have to wait a few more days.

But I see that I'm not the only one with the problem and it hopefully gets resolved soon.

Re: SRX300 - Filter Based Forwarding


That was it! For the record, this is the policy that got it working:

policies {
    from-zone INSIDE to-zone OUTSIDE {
        policy ARM02_FBF {
            match {
                source-address INSIDE-NET-10.83.30;
                destination-address any-ipv4;
                application [ junos-https junos-http ];
            }
            then {
                permit;
            }
        }
    }
}

Many thanks!!

cheers,

Seb.

source nat pool and proxy-arp not working


I've found all of the docs and troubleshooting guides and think everything is configured properly. I've gone through the guide (https://kb.juniper.net/InfoCenter/index?page=content&id=KB21922&actp=METADATA) and double checked. I'm currently testing with just one internal IP/machine.

Here's the short version:

Internal machine 10.20.15.172 connected to ge-0/0/1.0 (10.20.15.254).

Outside (cable modem) 172.20.15.1 connected to ge-0/0/0.0 (172.20.15.254).

If I set up the source NAT rule to use the interface (10.20.15.254), everything works just fine.

set security nat source rule-set NAT_SRCE_HOME_LAN rule HOME-LAN_to_Internet match source-address 10.20.15.128/26
set security nat source rule-set NAT_SRCE_HOME_LAN rule HOME-LAN_to_Internet match source-address 10.20.15.100/32
set security nat source rule-set NAT_SRCE_HOME_LAN rule HOME-LAN_to_Internet match source-address 10.20.15.101/32
set security nat source rule-set NAT_SRCE_HOME_LAN rule HOME-LAN_to_Internet match source-address 10.20.15.250/32
set security nat source rule-set NAT_SRCE_HOME_LAN rule HOME-LAN_to_Internet match source-address 10.20.15.210/32
set security nat source rule-set NAT_SRCE_HOME_LAN rule HOME-LAN_to_Internet match destination-address-name ADDR_ANY_IPV4
set security nat source rule-set NAT_SRCE_HOME_LAN rule HOME-LAN_to_Internet then source-nat interface

When I set it up to use the source pool:

set security nat source pool NAT_SRCE_POOL_HOME_LAN description "NAT SOURCE POOL FOR HOME-LAN to INTERNET CONNECTIONS"
set security nat source pool NAT_SRCE_POOL_HOME_LAN address 172.20.15.172/32
set security nat source pool NAT_SRCE_POOL_HOME_LAN port no-translation
set security nat source pool NAT_SRCE_POOL_HOME_LAN address-pooling paired

 

If I get onto .172 and try to ping out, it fails:

user@barney:~$ ping -c1 23.216.159.40
PING 23.216.159.40 (23.216.159.40) 56(84) bytes of data.

--- 23.216.159.40 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

At the same time, I see the flow session on the SRX:

root@GreatGazoo> show security flow session source-prefix 10.20.15.172 destination-prefix 23.216.159.40 protocol icmp
Session ID: 7818, Policy name: HOME_LAN_Internet/9, Timeout: 48, Valid
  In: 10.20.15.172/1 --> 23.216.159.40/7051;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 84
  Out: 23.216.159.40/7051 --> 172.20.15.172/1;icmp, If: ge-0/0/0.0, Pkts: 0, Bytes: 0
Total sessions: 1

I also set up traceoptions and verified that the session was created there, but don't want to waste space pasting that in.

 

Finally, when I monitor the interface (the one connected from the SRX to the cable modem), I see the ARP requests:

root@GreatGazoo> monitor traffic interface ge-0/0/0 no-resolve no-domain-names
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is OFF.
Listening on ge-0/0/0, capture size 96 bytes
18:08:59.573682 In arp who-has 172.20.15.172 tell 73.xx.xx.x7
18:09:18.483741 In arp who-has 172.20.15.172 tell 73.xx.xx.x7
18:09:39.737295 In arp who-has 172.20.15.172 tell 73.xx.xx.x7

But as you can see, the SRX is not replying, even though the proxy-arp is set up:

root@GreatGazoo> show configuration security nat proxy-arp | display set
set security nat proxy-arp interface ge-0/0/0.0 address 172.20.15.172/32

I also checked the hit counts on the NAT rule and pool after clearing them, and they both showed 1 hit with the single ping.

So best I can tell, the ping is getting out of the machine to the ingress of the SRX (ge-0/0/1.0) as 10.20.15.172 destined for 23.216.159.40. It is then NATted to 172.20.15.172 and destined to leave the SRX out ge-0/0/0.0, which I can assume it does since a moment later I see an ARP request on ge-0/0/0.0 looking for 172.20.15.172. The request is coming from 73.xx.xx.x7, which is the WAN side interface of the cable modem - hence the assumption that the ping went out. So why does the SRX not answer the ARP request for an IP that is in the range of what proxy-arp is set to, which in this case for testing is a single IP address, 172.20.15.172?

Appreciate any suggestions you may have, and if you need additional information, I can provide it.
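
The session output above already contains the two facts worth confirming before touching the modem: the source really is translated to the pool address, and the Out wing has never seen a packet, i.e. the reply is lost upstream. This added example (not code from the thread) parses that output and checks the pool address against the proxy-arp entries and the egress interface subnet; the /24 mask on ge-0/0/0.0 is an assumption taken from the later reply.

```python
import ipaddress
import re

# Constructed sample input, modelled on the session and proxy-arp lines shown above.
SESSION_OUTPUT = """\
Session ID: 7818, Policy name: HOME_LAN_Internet/9, Timeout: 48, Valid
  In: 10.20.15.172/1 --> 23.216.159.40/7051;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 84
  Out: 23.216.159.40/7051 --> 172.20.15.172/1;icmp, If: ge-0/0/0.0, Pkts: 0, Bytes: 0
Total sessions: 1
"""
PROXY_ARP = ["172.20.15.172/32"]  # from "show configuration security nat proxy-arp"
EGRESS_IF = "172.20.15.254/24"    # ge-0/0/0.0 address; the /24 is an assumption
HEADER = re.compile(r"^Session ID: (?P<sid>\d+), Policy name: (?P<policy>\S+),")
WING = re.compile(
    r"^\s*(?P<dir>In|Out): (?P<src>[\d.]+)/\d+ --> (?P<dst>[\d.]+)/\d+;(?P<proto>\w+), "
    r"If: (?P<ifl>\S+), Pkts: (?P<pkts>\d+), Bytes: (?P<bytes>\d+)"
)

def parse_sessions(text):
    """Group each session header with its In/Out wings from 'show security flow session'."""
    sessions = []
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            sessions.append({"id": int(h["sid"]), "policy": h["policy"]})
            continue
        w = WING.match(line)
        if w and sessions:
            wing = w.groupdict()
            direction = wing.pop("dir")
            wing["pkts"], wing["bytes"] = int(wing["pkts"]), int(wing["bytes"])
            sessions[-1][direction] = wing
    return sessions

def translated_source(session):
    """Source NAT shows up as the Out wing's destination differing from the In wing's source."""
    nat = session["Out"]["dst"]
    return nat if nat != session["In"]["src"] else None

def no_return_traffic(session):
    """Out wing with zero packets: the reply never reached the SRX (here: unanswered ARP upstream)."""
    return session["Out"]["pkts"] == 0

def proxy_arp_check(nat_addr, proxy_arp_prefixes=PROXY_ARP, egress_if=EGRESS_IF):
    """Return (has a proxy-arp entry, lies inside the egress interface subnet) for a pool address."""
    ip = ipaddress.ip_address(nat_addr)
    has_entry = any(ip in ipaddress.ip_network(p) for p in proxy_arp_prefixes)
    on_link = ip in ipaddress.ip_network(egress_if, strict=False)
    return has_entry, on_link
```

Both checks passing for 172.20.15.172 while the Out wing stays at zero packets is what narrows the problem to the device sending the ARP request, which is where the thread's replies go next.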

Re: source nat pool and proxy-arp not working


Can you configure IP 172.20.15.172 on the lo0.0 interface and check if you can ping any address on the WAN with source 172.20.15.172?

Re: source nat pool and proxy-arp not working


Hi,

The SRX will not reply to the ARP requests if the request is not in the same subnet range. In this case, the SRX subnet is 172.20.15.0/24 and the ARP request is coming from a different subnet, 73.x.x.x. Try to add a static ARP entry for 172.20.15.172 in the DSL modem, if possible.

Re: SRX220, SRX-MP-1VDSL2-A and VDSL Vectoring


Also interested in an update to this if there is one. I have an SRX210 on 12.1X46-D81 missing the 2.16 jfirmware:

PIC 0          VDSLBCM        10  2.10.0              OK
Routing Engine 0 RE BIOS        0   2.8       2.8       OK
Routing Engine 0 RE BIOS Backup 1   2.8       2.8       OK

It's been a while since @Karan said they were working on getting this into the downloads, so hopefully it's close...
