Channel: All SRX Services Gateway posts

Rename Zone and security policies.

Hi All,

I need to change the security zones in their respective security policies. However, I have some security zones that have the same name as some address-book entries. For example:

Security Zone: TEST-AI
Address_Book: TEST-AI

If I change to the [edit security policies] hierarchy and run the command "replace pattern TEST-AI with TEST-AI-123", the address book will be changed too.

So, I'm trying to find a way to replace the pattern TEST-AI only where it appears as "from-zone TEST-AI" and "to-zone TEST-AI".

To change the zone name, I can follow with "rename", or even with "replace pattern" in the [edit security zones] hierarchy. The problem is only with the security policies.

Please, could you help me?

Thanks

João Victor


Re: Rename Zone and security policies.

You can do this in two steps:

1. Go to the security policies hierarchy and do the replace. This will change the zone and address-book names:

edit security policies
replace pattern TEST-AI with TEST-AI-123
top

2. Now go to the policy zone hierarchy and do a replace for the address-book name only, back to the old value:

edit security policies from-zone TEST-AI-123 to-zone TEST-AI-123
replace pattern TEST-AI-123 with TEST-AI
top

show | compare
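As an added example, not from the thread or from Juniper: a Python script that performs the targeted rename the question asks for on a set-format export of the configuration, changing the name only where it directly follows a zone keyword (from-zone, to-zone, security-zone) and leaving address-book references alone. The sample config is constructed; because it works per token rather than per hierarchy, it also covers policies between TEST-AI and every other zone, not only the TEST-AI to TEST-AI pair.

```python
# Constructed set-format export for the scenario in the thread: the zone
# TEST-AI and an address-book entry share the name TEST-AI.
SAMPLE_CONFIG = """\
set security zones security-zone TEST-AI interfaces ge-0/0/1.0
set security address-book global address TEST-AI 10.1.1.0/24
set security policies from-zone TEST-AI to-zone untrust policy p1 match source-address TEST-AI
set security policies from-zone TEST-AI to-zone untrust policy p1 match destination-address any
set security policies from-zone TEST-AI to-zone untrust policy p1 then permit
set security policies from-zone untrust to-zone TEST-AI policy p2 match destination-address TEST-AI
set security policies from-zone TEST-AI to-zone TEST-AI policy p3 match source-address TEST-AI
"""

# A name is a zone name only when it directly follows one of these keywords.
ZONE_KEYWORDS = {"from-zone", "to-zone", "security-zone"}
# After these keywords the same name is an address-book reference instead.
ADDRESS_KEYWORDS = {"address", "source-address", "destination-address"}


def rename_zone(config, old, new):
    """Return config with zone `old` renamed to `new`; address names untouched."""
    out = []
    for line in config.splitlines():
        tokens = line.split()
        for i in range(len(tokens) - 1):
            if tokens[i] in ZONE_KEYWORDS and tokens[i + 1] == old:
                tokens[i + 1] = new
        out.append(" ".join(tokens))
    return "\n".join(out) + "\n"


def count_refs(config, name):
    """Count (zone references, address references) of `name`, to verify a rename."""
    zones = addrs = 0
    for line in config.splitlines():
        tokens = line.split()
        for i in range(len(tokens) - 1):
            if tokens[i + 1] == name:
                if tokens[i] in ZONE_KEYWORDS:
                    zones += 1
                elif tokens[i] in ADDRESS_KEYWORDS:
                    addrs += 1
    return zones, addrs


if __name__ == "__main__":
    renamed = rename_zone(SAMPLE_CONFIG, "TEST-AI", "TEST-AI-123")
    print(renamed)
    print("old name:", count_refs(renamed, "TEST-AI"), "new name:", count_refs(renamed, "TEST-AI-123"))
```

The output can be loaded with "load set" and checked with "show | compare" before committing.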

Re: Routing IRB on SRX

Not sure if this is also needed on SRX, but on the MX series when using irb interfaces with DHCP relay you have to enable the broadcast option in the bridge domain.

https://www.juniper.net/documentation/en_US/junos/topics/usage-guidelines/policy-configuring-routers-or-interfaces-as-dhcp-and-bootp-relay-agents.html

Best Practice

To use bootp helper on a MX Series router (MX80, MX240, MX480 and MX960) connected via IRB, you may need to take steps to ensure that DHCP discover packets (the bootp reply) are sent to clients and received as expected. Otherwise, bootp replies may be dropped because the DHCP client is clearing the broadcast bit in the discover packet, or because the DHCP server is stripping option-82 flags from the offer.

This happens when the IRB interface is a layer 3 (logical) interface associated with a bridge domain that has multiple layer 2 (physical) interfaces associated with it. In such cases, if the offer from the DHCP server is unicast and doesn't include an ingress interface identifying the physical interface on which the discovery packet was received, the MX router won't be able to determine an interface for sending out offers.

Re: Routing IRB on SRX

Please share your DHCP-related config, as there can be many reasons why it isn't working.

Steve's comment regarding the broadcast option is not relevant on the SRX300 series.

Re: SNMP on SRX with Routing-Instances

Because of the 30,000+ OIDs it gave us, I have no idea which ones to use... anyone got any ideas please?
Re: SNMP on SRX with Routing-Instances

The problem does not seem to be the context or the RI or the MIBs...

All of that is configured correctly within the SRX as per the links you provided (thanks), but when completing the autodiscovery within PRTG we get nothing back.

If we complete the walk, as I mentioned, we get the 30,000+ OIDs, but that is really just saying "Hey, SNMP works"...

I don't want to monitor anything attached to the SRX, as that is already being monitored; I want to be able to monitor the SRX itself, but we have no default "inet.0" table... only routing-instances. All the other devices are working really well from an SNMP perspective... Here is what I configured (I've added a second context to test, with the same results):

set snmp v3 usm local-engine user ng-sh-engineer authentication-md5 authentication-key <key>
set snmp v3 usm local-engine user ng-sh-engineer privacy-aes128 privacy-key <key>
set snmp v3 vacm security-to-group security-model usm security-name ng-sh-engineer group snmpgroup
set snmp v3 vacm access group snmpgroup context-prefix Customer-VR security-model usm security-level authentication read-view allmibs
set snmp v3 vacm access group snmpgroup context-prefix ninegroup-radius security-model usm security-level authentication read-view allmibs
set snmp engine-id use-default-ip-address
set snmp view allmibs oid .1.3.6.1 include
set snmp view allmibs oid .1 include
set snmp routing-instance-access
SRX Active Directory groups limitation

Hello,

I wanted to post a question here, since I have not been able to find any other resource on the web.

We have integrated group-mapping and ip-user; it works well with certain Active Directory groups but not with others. As an example:

If we have

match {
    source-address any;
    destination-address host_10.116.196.33;
    application [ ssh_version_2 icmp-requests traceroute ];
    source-identity "otecel.com.ec\internet_users";
}
then {

then it works just fine, but if instead we have

match {
    source-address any;
    destination-address host_10.116.196.33;
    application [ ssh_version_2 icmp-requests traceroute ];
    source-identity "otecel.com.ec\P&I Plataforma de usos";
}
then {

it seems not to be working. Is the SRX not able to identify whitespace, or accent marks (for example in Spanish), in Active Directory groups specified in the rules stanza?

Does the SRX provide a workaround for this?

I appreciate any lead on this.
GeoIP policy is not working

Dear Juniper,

My vSRX (version 18.2) has completed downloading GeoIP for string US. I tried to create a policy that blocks destinations in the USA and tested with a ping to 8.8.8.8, but it is not working.

Please help me!

Below is my result.

root# run show security dynamic-address ip-start 8.8.8.8

Instance default Total number of matching entries: 0
No. IP-start IP-end Feed Address
1 8.8.0.0 8.11.255.255 geoip_country USA

Instance geoip Total number of matching entries: 1
Instance advanced-anti-malware Total number of matching entries: 0

------------------------------------------------------------

[edit security policies from-zone trust to-zone untrust]
root# show
policy USA {
    match {
        source-address any;
        destination-address USA;
        application any;
    }
    then {
        reject;
        log {
            session-init;
            session-close;
        }
        count;
    }
}
policy default-permit {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit;
        log {
            session-init;
            session-close;
        }
        count;
    }
}

------------------------------------------------------------

Session ID: 3423, Policy name: default-permit/6, Timeout: 2, Valid
In: 10.10.10.10/7959 --> 8.8.8.8/1;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 60,
Out: 8.8.8.8/1 --> 223.27.234.249/2439;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 60,
Total sessions: 42

------------------------------------------------------------

Re: SRX220, SRX-MP-1VDSL2-A and VDSL Vectoring

Hi,

I have a SRX220 on the latest release, but need the VDSL firmware update.
JUNOS Software Release [12.3X48-D75.4]

FPC 1
PIC 0 VDSLBCM 10 2.10.0 OK
Routing Engine 0 RE BIOS 0 2.5 2.8 OK
Routing Engine 0 RE BIOS Backup 1 2.5 2.8 OK

Could you please tell me how I can get this?

Re: I have a problem with ip-monitoring and rpm in fail-over route default

The command "show services ip-monitoring status" is not supported on the SRX5400 (Model: srx5400, Junos: 15.1X49-D75.5, JUNOS Software Release [15.1X49-D75.5]).
Also, ip-monitoring is not working when the rpm probe fails.

The configuration is herewith:

set services rpm probe Failover1 test probe-ge1 probe-type icmp-ping
set services rpm probe Failover1 test probe-ge1 target address 4.2.2.2
set services rpm probe Failover1 test probe-ge1 probe-count 5
set services rpm probe Failover1 test probe-ge1 probe-interval 1
set services rpm probe Failover1 test probe-ge1 test-interval 5
set services rpm probe Failover1 test probe-ge1 thresholds total-loss 3
set services rpm probe Failover1 test probe-ge1 destination-interface ge-1/3/0.0
set services rpm probe Failover1 test probe-ge1 next-hop 164.100.131.1

set services ip-monitoring policy GE1 match rpm-probe Failover1
set services ip-monitoring policy GE1 then preferred-route route 0.0.0.0/0 next-hop 59.145.219.65
set services ip-monitoring policy GE1 then preferred-route route 0.0.0.0/0 preferred-metric 4

REQUEST YOU PLEASE MAIL ME THE SOLUTION

ajay11.kumar@airtel.com,

ajaykamboj2007@gmail.com

Re: GeoIP policy is not working

I cannot see your dynamic-address configuration, but when I read the documentation on https://www.juniper.net/documentation/en_US/release-independent/jatp/topics/task/configuration/jatp-srx-integration-geoip-commands.html I expect the configuration should look something like this. Especially note that USA is referred to as "US" :-)

user@fw# show security dynamic-address
address-name BlockUS {
    profile {
        category GeoIP {
            property country {
                string US;
            }
        }
    }
}

[edit]
user@fw# ...ity policies from-zone untrust to-zone internal policy blockUS
match {
    source-address BlockUS;
    destination-address any;
    application any;
}
then {
    deny;
}

[edit]

Re: SRX320 filter base forwarding with Nat on routing instance issue

Hi, and thanks for your reply.

Please find below the explained scenario:

All Trust users go to the internet via ISP1 (pp0.0), except one IP (10.78.1.250), which must go via ISP2 (ge-0/0/1, connected to an ADSL modem).

This is done successfully using filter-based forwarding as below, using the forwarding instance-type.

set interfaces ge-0/0/2 unit 0 family inet filter input webFilter    (ge-0/0/2 = 10.78.1.1 = Trust)
set firewall family inet filter webFilter term 1 from source-address 10.78.1.250/32
set firewall family inet filter webFilter term 1 then routing-instance webtraffic
set firewall family inet filter webFilter term 2 then accept
set routing-instances webtraffic instance-type forwarding
set routing-instances webtraffic routing-options static route 0.0.0.0/0 next-hop 131.1.1.200    (ADSL modem)
set routing-options static route 0.0.0.0/0 next-hop pp0.0
set routing-options interface-routes rib-group inet FBF-rib
set routing-options rib-groups FBF-rib import-rib inet.0
set routing-options rib-groups FBF-rib import-rib webtraffic.inet.0
set security nat source rule-set FB from zone Trust
set security nat source rule-set FB to zone ISP2
set security nat source rule-set FB rule R1 match source-address 10.78.1.250/32
set security nat source rule-set FB rule R1 match destination-address 0.0.0.0/0
set security nat source rule-set FB rule R1 then source-nat interface

The same IP (10.78.1.250) is configured with static NAT to allow traffic to it from ISP2.

Traffic comes to the ADSL modem --> NAT to SRX ge-0/0/1 (ISP2 zone). Static NAT is configured from the ISP2 zone, then the destination IP of ge-0/0/1 (131.1.1.201) to the internal prefix IP (10.78.1.250).

What needs to be modified to make the static NAT work, as the configuration below doesn't work? (The needed security policies are configured too; omitted here.)

set security nat static rule-set FB1 from zone ISP2
set security nat static rule-set FB1 rule ru1 match destination-address 131.1.1.201/32    (SRX ge-0/0/1 port)
set security nat static rule-set FB1 rule ru1 match destination-port 134
set security nat static rule-set FB1 rule ru1 then static-nat prefix 10.78.1.250/32
set security nat static rule-set FB1 rule ru1 then static-nat prefix mapped-port 134

I also tried to configure the routing instance type as virtual-router, and to do the static NAT from the instance route instead of the ISP2 zone, but without success.

Can the instance-type be configured as virtual-router and the ISP2 port (ge-0/0/1) and static NAT added to it, without adding the Trust interface (ge-0/0/2)?

Thanks and regards,

Re: SRX220, SRX-MP-1VDSL2-A and VDSL Vectoring

Hi,

I had a check with the Junos Release Team about posting the firmware onto the download page so that authorized users can download it; however, due to S/W policies and other security measures, the SRX firmware couldn't be posted to the download page for certain specific releases. You will need to log a case/ticket with JTAC in order to get the firmware for your desired JUNOS version/release. In case you do not hold any support contract with Juniper for your Juniper product, you can reach out to the Juniper Customer Care Support Team and request a one-time courtesy support case to download the firmware.

Re: SRX320 filter base forwarding with Nat on routing instance issue

I see that the address used for the server is not the same as the interface address but is in the same subnet.

131.1.1.201 -- NAT address

131.1.1.20 -- interface address

Is proxy ARP enabled for the NAT address on the SRX interface?

This is needed for this situation.

If it is already on, when you make the connection attempt, can you look at the session table at the same time to see which policy and NAT action is taken by the SRX? Use the public source address your inbound connection attempt is coming from to see how the SRX matches the traffic.

show security flow session source-prefix x.x.x.x

Re: SRX320 filter base forwarding with Nat on routing instance issue

Hi Puluka,

Thanks for the reply. I don't see in my post that there is an IP address 131.1.1.20.

However, the NAT address and the interface IP address of ge-0/0/1 are the same: 131.1.1.201. So I am not using proxy ARP.

Is there any other suggestion to solve my issue?

Regards,

Source NAT processing query

Hi all,

I've found some information that says source NAT happens after route lookup, forwarding lookup and policy checks in order to 'separate the source NAT from other layer 3 processes'.

Please can anyone explain what that means?

Thanks

Re: Source NAT processing query

I assume you are reading documentation going over this SRX packet flow chart.

[image: SRXpacketFlow.gif]

As more fully described here.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB16110

Note where policy lookup occurs during the first-packet session process above, which is after forward static NAT and destination NAT but before source NAT and reverse static NAT.

This has the zone-to-zone policy written to the locally connected real IP addresses of devices.

Destination and forward static NAT are changing an outside public IP address to the internal assigned address of the resource. So by doing these before policy lookup, we write policy based on real resource addresses.

Likewise, outbound source NAT and reverse static NAT are converting real internal IP addresses to the outside public address. Thus we perform this function after the policy match, so once again the policy is written to the real IP address of the resources involved.
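As an added illustration, not part of the reply or of any Juniper code: a small Python model of the first-packet ordering described above, with constructed NAT rules, zones and policies. Forward static NAT runs before policy lookup, so the policy matches on the server's real address 10.0.0.5; reverse static NAT and source NAT run only after the policy match.

```python
import ipaddress

# Constructed rule set (not from the thread): one static NAT mapping, one
# interface-style source NAT address, and policies written to the real
# inside address of the server, as the reply describes.
STATIC_NAT = {"203.0.113.10": "10.0.0.5"}           # public -> real (forward direction)
SOURCE_NAT_PREFIX = ipaddress.ip_network("10.0.0.0/8")
SOURCE_NAT_ADDR = "203.0.113.1"
TRUST_NET = ipaddress.ip_network("10.0.0.0/8")      # route lookup: this side is zone trust
POLICIES = [  # (from-zone, to-zone, source-address, destination-address, action)
    ("untrust", "trust", "any", "10.0.0.5", "permit"),
    ("trust", "untrust", "10.0.0.0/8", "any", "permit"),
]


def in_match(addr, spec):
    """Policy address match: 'any' or membership in a prefix/host."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def zone_of(addr):
    """Stand-in for the route lookup that yields the zone of an address."""
    return "trust" if ipaddress.ip_address(addr) in TRUST_NET else "untrust"


def first_packet(src, dst):
    """Walk the first-packet path in the order the reply describes."""
    # 1. Forward static NAT / destination NAT: public -> real, before policy.
    dst = STATIC_NAT.get(dst, dst)
    # 2. Route lookup gives the egress zone (on the already translated dst).
    from_zone, to_zone = zone_of(src), zone_of(dst)
    # 3. Policy lookup sees real addresses on both sides.
    for fz, tz, s, d, action in POLICIES:
        if (fz, tz) == (from_zone, to_zone) and in_match(src, s) and in_match(dst, d):
            break
    else:
        return {"action": "drop", "policy": None, "src": src, "dst": dst}
    # 4. Reverse static NAT, then source NAT: real -> public, after the match.
    if action == "permit" and to_zone == "untrust":
        reverse = {real: pub for pub, real in STATIC_NAT.items()}
        if src in reverse:
            src = reverse[src]
        elif ipaddress.ip_address(src) in SOURCE_NAT_PREFIX:
            src = SOURCE_NAT_ADDR
    return {"action": action, "policy": (fz, tz, s, d), "src": src, "dst": dst}


if __name__ == "__main__":
    print(first_packet("198.51.100.7", "203.0.113.10"))  # inbound to the server
    print(first_packet("10.0.0.5", "198.51.100.7"))      # server replying outbound
    print(first_packet("10.0.0.77", "198.51.100.7"))     # ordinary client outbound
```

A policy written to the public address 203.0.113.10 would never match here, because by the time the lookup runs the destination has already become 10.0.0.5.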

 

Re: SRX320 filter base forwarding with Nat on routing instance issue

If the NAT address is the same as the interface, then proxy ARP is not needed.

Please do run the session viewer to see what policy your inbound connection attempts are hitting. This will also show the NAT rules that are engaged. If they are hitting the incorrect policy or NAT rule, we will see which one and can look at the policy details and ordering to adjust and move policies to have the desired effect.

If no session is created, then the policies are not correct, so we will need to see the whole policy stack to determine why.

Client Certificate Dynamic VPN with Pulse Secure Client and SRX320 15.1.X49-D150?

Hi All,

Trying to find out whether it is possible to use client certificate auth for Dynamic (User Remote Access) VPN with a Juniper SRX320-POE, running 15.1.X49-D150, and the Pulse Secure Client (v9.0R2)?

Can anyone point me towards an example config / official guide for this?

The Pulse Secure Admin guide has a very limited section on 'Juniper SRX Connection Modes' and seems to be mostly for if you are using a Pulse Secure Connection Gateway (which I am not). All the SRX-specific guides are either for the NCP client or the JUNOS Pulse client...

I can't seem to find any official documentation or example configuration specifically for the above combination.

The changeover from Junos Pulse, NCP, back to Pulse Secure has left very disparate documentation. It would be great if Juniper could provide some more clarity on this.
