Channel: All SRX Services Gateway posts

Re: Dynamic Traffic Shaping

It's a good question Suraj, I think I'd only really thought about 80/20 for traffic coming in. I was advised by a customer to split the bandwidth 80/20, with a max of 20 going one way and a min of 80 going the other - tbh they didn't mention shaping it for traffic going out, so I hadn't really thought about it, but I suppose I need to ask the question. Thanks for the responses, guys.

Re: Site to site VPN with self signed certificate

Quick update:

I've created a self-signed certificate on each device. I've exported the certificates as PEM files.

Now I'm thinking I need to import each file into the other device, and then, when I set up the VPN using certificates as authentication, they have each other's certs to authenticate against?

Thanks

Question about Address prefix vs. range-address in Security Policies

Hi,

I was trying to set up intra-zone (trust-to-trust) security policies and discovered that a source-address referencing a network prefix doesn't work, but when redefined as a range-address it does work.

Has anyone run into this before?

security {
    address-book {
        trusted-addresses {
            address A-prefix-subnet x.y.z.0/24;
            address A-range-subnet {
                range-address x.y.z.1 {
                    to {
                        x.y.z.254;
                    }
                }
            }
            address B-prefix-subnet a.b.c.0/24;
            address B-range-subnet {
                range-address a.b.c.1 {
                    to {
                        a.b.c.254;
                    }
                }
            }
            attach {
                zone trust;
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy Intra-trust-allow {
                match {
                    # client in x.y.z.107 cannot ping B's q.r.s.t
                    #source-address A-prefix-subnet;
                    # client in x.y.z.107 can ping B's q.r.s.t
                    source-address A-range-subnet;
                    destination-address any;
                    application any;
                    source-identity any;
                }
                then {
                    permit;
                }
            }
        }
    }
}

From the SRX's (12.1X46-D71) CLI, I can ping all IPs.

Thanks

Re: Question about Address prefix vs. range-address in Security Policies

Hello,

I do not see any issue in using a prefix as the subnet in a security policy. It should work with either a prefix or a range. Maybe try removing the "source-identity any" configuration and try again with the prefix.

Default Route on RIP

Hi,

I configured RIP on my Juniper SRX300 series, but my branch site cannot get a default route from HQ.

Waiting for your advice.

===================RIP CONFIGURATION=================
protocols {
    rip {
        group RIP-MPLS {
            export advertise-routes-through-rip;
            import advertise-routes-through-rip;
            neighbor ge-0/0/0.0 {
                send broadcast;
                receive version-2;
                check-zero;
            }
            neighbor ge-0/0/3.0;
            neighbor ge-0/0/3.1;
            neighbor ge-0/0/3.2;
            neighbor ge-0/0/3.3;
            neighbor ge-0/0/3.4;
            neighbor ge-0/0/3.5;
            neighbor ge-0/0/3.6;
            neighbor ge-0/0/1.1;
        }
    }
}
=======================================================

Re: router on stick and switch trunk config

delete security

set security forwarding-options family mpls mode packet-based


I just want to give a huge thank you for this. I've been working with Cisco devices for a while, and I figured I would pick up some Juniper and HPE units to try out some inter-brand configurations. I bought an HP A-MSR20-12-T and had a router-on-a-stick config with one of my Cisco switches up in about 15 minutes, having never used an HP router before. On the JSRX-210H I'd been trying to do the same thing for about a week until I came across this thread. Thank you, thank you and thank you again. I don't understand why something so simple was such a pain to figure out.

Re: Question about Address prefix vs. range-address in Security Policies

I just tried it by modifying the address and policy, but it didn't make any difference. I guess it could be the way I've created my policies, although I only have one trust-to-trust.

Re: SRX 340 - Clustering

Hi Rahul,

Thanks for the clarification, appreciated!

I have followed the steps below and it performed the clustering:

- set chassis cluster cluster-id and node id, then reboot (node 1)
- Once the firewall (node 1) booted and came back up, replaced the config on node 1 with the one on the node 0 (currently active) firewall. After this, shut down node 1 and took it to the site.
- At the site, mounted the firewall and left it powered off. Then connected the HA cables: port 1 of node 0 to port 1 of node 1, port 2 of node 0 to port 2 of node 1.
- Then powered on node 1.

It performed the clustering without rebooting; however, I haven't gone through the failover process as you mentioned. It's important to do the failover testing, but due to time constraints I have planned it for next time.

Your comments and previous post were really useful and contain the whole process from clustering to the failover test. It definitely helps me.

Thank you for your time.

Regards,

Chirag

Re: Question about Address prefix vs. range-address in Security Policies

Hopefully there is no typo in the address-book IP addresses. Please use the command below in both cases and check the result:

show security match-policies from-zone trust to-zone trust source-ip a.b.c.d destination-ip e.f.g.h source-port 1025 destination-port 1025 protocol icmp

Re: Question about Address prefix vs. range-address in Security Policies

Hello,

The SRX, by default in flow mode, blocks intra-zone traffic as well. So indeed you need a trust-to-trust policy if the traffic is traversing from x.y.z.0/24 to x.y.z.0/24 or a.b.c.0/24, as they are both bound to the trust zone.

Can you also try configuring it the following way:

set security zones security-zone trust address-book address A-prefix-subnet x.y.z.0/24
set security zones security-zone trust address-book address B-prefix-subnet a.b.c.0/24

set security policies from-zone trust to-zone trust policy Intra-trust-allow match source-address A-prefix-subnet
set security policies from-zone trust to-zone trust policy Intra-trust-allow match destination-address B-prefix-subnet
set security policies from-zone trust to-zone trust policy Intra-trust-allow match application any
set security policies from-zone trust to-zone trust policy Intra-trust-allow then permit

Re: Default Route on RIP

Hopefully the RIP neighbourship is up and you have allowed rip in the zone's host-inbound-traffic. Please check the neighbor status and the advertised routes, and share the export policy config:

show rip neighbor
show route advertising-protocol rip ge-0/0/3.0

Re: Default Route on RIP

Hello,

> I see you are peering over MPLS and using the same policy statement for both exporting and importing routes.

> Could you please share details of the policy-statement "advertise-routes-through-rip"?

> Are we sure it is advertised from HQ? Are other branches receiving the same?

Regards,

Vikas

Re: Question about Address prefix vs. range-address in Security Policies

Hello,

Indeed, it sounds strange. Assuming no typo in the /24 subnet definition, I would try the following:

> Remove the /24 entry

> Commit the config

> Add the /24 address-book entry

> Add the /24 address-book entry to the policy while removing the range entry

> Commit full (note that dynamic routing and VPNs may encounter a blip with this)

> Can you check if the policy detail shows the correct subnet?

root@srx> show security policies from-zone trust to-zone trust detail
Policy: Subnet1-to-Subnet2, action-type: permit, State: enabled, Index: 4, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 1
  From zone: trust, To zone: trust
  Source addresses:
    Subnet1(global): 192.168.10.0/24
  Destination addresses:
    Subnet2(global): 192.168.20.0/24
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
      Source port range: [0-0]
      Destination port range: [0-0]
  Per policy TCP Options: SYN check: No, SEQ check: No

> Which platform is this? We can check if the policy is programmed properly in the PFE if the above steps don't help.

I hope this helps.

Regards,

Vikas
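
The Python model below is an added example for this thread (not from the posts and not Juniper code). It evaluates the posted Intra-trust-allow policy the way a first-match lookup such as `show security match-policies` does, against address-book entries defined either as a prefix or as a range-address, and lists the addresses on which the two definitions actually differ. The subnets 192.168.10.0/24 and 192.168.20.0/24 are constructed stand-ins for x.y.z.0/24 and a.b.c.0/24, and the deny-all default policy is the assumption for flow mode with no factory default policies.

```python
"""Model of SRX policy lookup against prefix and range-address address-book entries.

Added example for this thread; it is not from the forum posts and not Juniper
code. The addresses are constructed: 192.168.10.0/24 stands in for x.y.z.0/24
and 192.168.20.0/24 for a.b.c.0/24.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class AddressEntry:
    """One address-book entry: a prefix (x.y.z.0/24) or a range-address first..last."""
    name: str
    network: Optional[ipaddress.IPv4Network] = None
    first: Optional[ipaddress.IPv4Address] = None
    last: Optional[ipaddress.IPv4Address] = None

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        if self.network is not None:
            return addr in self.network
        return self.first <= addr <= self.last

    def hosts(self) -> Set[ipaddress.IPv4Address]:
        """Every address the entry covers: a prefix includes .0 and .255, a range only what is listed."""
        if self.network is not None:
            return set(self.network)
        out, cur = set(), self.first
        while cur <= self.last:
            out.add(cur)
            cur += 1
        return out


def prefix(name: str, cidr: str) -> AddressEntry:
    return AddressEntry(name, network=ipaddress.ip_network(cidr))


def address_range(name: str, first: str, last: str) -> AddressEntry:
    return AddressEntry(name, first=ipaddress.ip_address(first), last=ipaddress.ip_address(last))


@dataclass
class Policy:
    """A from-zone/to-zone policy; address lists hold address-book names or "any"."""
    name: str
    from_zone: str
    to_zone: str
    source_address: List[str]
    destination_address: List[str]
    action: str = "permit"


# Constructed address book mirroring the four entries posted in the question.
ADDRESS_BOOK: Dict[str, AddressEntry] = {e.name: e for e in [
    prefix("A-prefix-subnet", "192.168.10.0/24"),
    address_range("A-range-subnet", "192.168.10.1", "192.168.10.254"),
    prefix("B-prefix-subnet", "192.168.20.0/24"),
    address_range("B-range-subnet", "192.168.20.1", "192.168.20.254"),
]}


def _any_match(names: List[str], ip: str, book: Dict[str, AddressEntry]) -> bool:
    return any(n == "any" or book[n].contains(ip) for n in names)


def match_policy(policies: List[Policy], book: Dict[str, AddressEntry], from_zone: str,
                 to_zone: str, src_ip: str, dst_ip: str) -> Tuple[str, str]:
    """First-match lookup over the ordered policies of one zone pair.

    No match falls through to the default policy, assumed here to be deny-all
    (flow mode); intra-zone trust-to-trust flows get no exemption from that.
    """
    for p in policies:
        if (p.from_zone, p.to_zone) != (from_zone, to_zone):
            continue
        if _any_match(p.source_address, src_ip, book) and _any_match(p.destination_address, dst_ip, book):
            return p.name, p.action
    return "default-policy", "deny"


def differing_hosts(book: Dict[str, AddressEntry], a: str, b: str) -> Set[str]:
    """Addresses covered by exactly one of two address-book entries."""
    return {str(ip) for ip in book[a].hosts() ^ book[b].hosts()}


def intra_trust_policy(source_name: str) -> List[Policy]:
    """The posted Intra-trust-allow policy with the chosen source-address entry."""
    return [Policy("Intra-trust-allow", "trust", "trust", [source_name], ["any"])]


if __name__ == "__main__":
    for entry in ("A-prefix-subnet", "A-range-subnet"):
        verdict = match_policy(intra_trust_policy(entry), ADDRESS_BOOK, "trust", "trust",
                               "192.168.10.107", "192.168.20.5")
        print(f"source-address {entry}: {verdict}")
    print("covered by only one of prefix/range:",
          sorted(differing_hosts(ADDRESS_BOOK, "A-prefix-subnet", "A-range-subnet")))
```

Run it and the host x.y.z.107 (192.168.10.107 here) matches both definitions; the only addresses a /24 covers that the .1-.254 range does not are .0 and .255. So the behaviour described in the question is not something address-book semantics themselves explain, which is why comparing the two `match-policies` outputs and the `show security policies ... detail` listing above is the right next step.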

Re: Default Route on RIP

Hi, this is the policy statement:

===========
policy-options {
    policy-statement advertise-routes-through-rip {
        term 1 {
            from protocol [ direct rip ];
            then accept;
        }
    }
}
============================

Please, I just want to advertise the default route of HQ to the branch office. HQ and the branch offices are receiving the other routes.

Re: Default Route on RIP

Please share the output of the command below from the device you want to advertise the default route from. Hopefully you have an active RIP default route in the routing table.

show route 0/0 exact

Re: Default Route on RIP

Hello,

Thanks for sharing this.

I am assuming this is the output from the branch, and I see you are accepting routes learnt via RIP. Since you say other RIP routes are learnt, it looks like HQ is not advertising the default route via RIP. I would focus on the config at HQ.

Could you share the RIP config and policy statement outputs from HQ?

Regards,

Vikas

Re: Default Route on RIP

Hello,

You can advertise the default route from HQ by adding an additional term to the HQ export policy statement.

set policy-options policy-statement advertise-routes-through-rip term 2 from protocol static
set policy-options policy-statement advertise-routes-through-rip term 2 from route-filter 0.0.0.0/0 exact
set policy-options policy-statement advertise-routes-through-rip term 2 then accept

Your eventual policy statement should look like this:

policy-options {
    policy-statement advertise-routes-through-rip {
        term 1 {
            from protocol [ direct rip ];
            then accept;
        }
        term 2 {
            from {
                protocol static;
                route-filter 0.0.0.0/0 exact;
            }
            then accept;
        }
    }
}

Hope this helps.

Regards,

Vikas
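
To see why term 2 is needed and what `exact` buys, here is an added Python model of the export policy evaluation (not from the posts and not Juniper code), run against a constructed HQ routing table. It walks the terms in order, stops at the first terminating action, and falls through to reject, which is what RIP does with routes that no export term accepts.

```python
"""Model of a Junos-style export policy evaluated against HQ's routing table.

Added example for this thread; it is not from the posts and not Juniper code.
The routing table is constructed; the two terms are the ones discussed above.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Route:
    prefix: str
    protocol: str        # direct, static, rip, ospf, ...
    active: bool = True  # only active routes are export candidates


@dataclass
class RouteFilter:
    prefix: str
    match_type: str      # exact | orlonger | longer

    def matches(self, candidate: str) -> bool:
        f, c = ipaddress.ip_network(self.prefix), ipaddress.ip_network(candidate)
        if self.match_type == "exact":
            return c == f
        if self.match_type == "orlonger":
            return c.subnet_of(f)
        if self.match_type == "longer":
            return c.subnet_of(f) and c.prefixlen > f.prefixlen
        raise ValueError(f"unsupported match type {self.match_type}")


@dataclass
class Term:
    name: str
    protocols: List[str] = field(default_factory=list)  # empty: any protocol
    route_filter: Optional[RouteFilter] = None          # None: any prefix
    action: str = "accept"                              # accept | reject | next-term

    def matches(self, r: Route) -> bool:
        if self.protocols and r.protocol not in self.protocols:
            return False
        return self.route_filter is None or self.route_filter.matches(r.prefix)


def evaluate(policy: List[Term], r: Route) -> Tuple[str, str]:
    """Terms are walked in order; the first matching term with a terminating action decides.

    RIP exports nothing on its own, so the fall-through default is reject.
    """
    if not r.active:
        return "inactive", "reject"
    for t in policy:
        if t.matches(r) and t.action in ("accept", "reject"):
            return t.name, t.action
    return "default", "reject"


def advertised(policy: List[Term], table: List[Route]) -> List[str]:
    """Prefixes the export policy lets RIP advertise, in table order."""
    return [r.prefix for r in table if evaluate(policy, r)[1] == "accept"]


TERM1 = Term("1", protocols=["direct", "rip"])
TERM2 = Term("2", protocols=["static"], route_filter=RouteFilter("0.0.0.0/0", "exact"))
ORIGINAL_POLICY = [TERM1]       # the policy-statement posted in the thread
FIXED_POLICY = [TERM1, TERM2]   # with the added default-route term

# Constructed HQ routing table (stand-in for "show route" output).
HQ_TABLE = [
    Route("0.0.0.0/0", "static"),      # HQ's default, pointing at the internet edge
    Route("10.10.0.0/24", "direct"),   # HQ LAN
    Route("10.20.0.0/24", "rip"),      # learned from another branch
    Route("172.16.5.0/24", "static"),  # another static route that must stay local
]

if __name__ == "__main__":
    print("term 1 only :", advertised(ORIGINAL_POLICY, HQ_TABLE))
    print("with term 2 :", advertised(FIXED_POLICY, HQ_TABLE))
    print("0/0 learned via OSPF instead:", evaluate(FIXED_POLICY, Route("0.0.0.0/0", "ospf")))
```

With term 1 only, HQ advertises its direct and RIP routes but never the static default; with term 2 it adds 0.0.0.0/0 and nothing else, because `exact` excludes every other static route. The model also shows the caveat behind the `show route 0/0 exact` check suggested above: `from protocol static` matches only if HQ's active default is itself a static route. If it is learned from another protocol, the term has to name that protocol instead.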

 

Re: Migration from PIX firewall to SRX ?

Yes, I tried these before, but unfortunately it is not working fine with PIX firewalls.

Re: SRX 300 - VLANS on "untrust" zone and NAT

Hello all,

I tried the same config on a vSRX D120, and it is working well.

So it seems that there is an issue with my SRX300 D70. For info, a test with a separate interface for the two VLANs is working.

Thanks to all of you.

Etnik

Re: Junos equivalent to ScreenOS VIP port redirection

Hi mate,

Once again, thank you for your help. I'll test the new config and let you know.

Cheers

ismail
