Channel: All SRX Services Gateway posts

Re: Vlan loop protection, not stp, etc.


Is your topology like the one shown in the first picture?

 

And if so, have you considered clustering the SRXs, which essentially makes them act as one, with one interface passing traffic (active) and the other one in standby (shown in the second picture)?


[Attached images: LOOP.png, LOOPcluster.png (SRX cluster)]

Regards,

 


Re: Why traffic is very slow over ipsec


Hi all,

Any chance someone could address the concern I posted previously?

 

I would really appreciate your ideas, techniques and approaches.

Looking forward to your reply.

Thanks

system-services (Security Zones Host Inbound Traffic) for custom services


Hi,

If I have allowed traffic for some custom TCP port in a security policy, but that port/service is not available under host-inbound-traffic system-services, then how will that TCP traffic pass through that security zone?

 

Thank you

 

Re: system-services (Security Zones Host Inbound Traffic) for custom services

host-inbound-traffic system-services is checked only when the traffic destination is the SRX itself; it won't be checked if the traffic is passthrough for the SRX.

For example, if you do telnet/SSH to the SRX, it checks host-inbound-traffic system-services.

If you do telnet/SSH to another device connected through SRX, host-inbound-traffic system-services will not be checked, but policy is checked.

Re: system-services (Security Zones Host Inbound Traffic) for custom services

Thank you Suraj.
If I configured a custom port for untrust interface web access and try to access it from the outside network, can I access the firewall web interface on the custom port?
I simply want to know: if the service is not available under host-inbound services, then what is the solution?

Thank you

Re: system-services (Security Zones Host Inbound Traffic) for custom services


You need a security policy. 

 

Say you have this topology: 

[Attached image: ZONES.png]

 

Configure this: 

 

set security zones security-zone OUTSIDE interfaces ge-0/0/1.0
set security zones security-zone WEB interfaces ge-0/0/2.0

set security policies from-zone OUTSIDE to-zone WEB policy 1 match source-address any
set security policies from-zone OUTSIDE to-zone WEB policy 1 match destination-address WEB-SERVER
set security policies from-zone OUTSIDE to-zone WEB policy 1 match application CUSTOM-WEB
set security policies from-zone OUTSIDE to-zone WEB policy 1 then permit

set security address-book global address WEB-SERVER 10.1.1.1
set applications application CUSTOM-WEB protocol tcp
set applications application CUSTOM-WEB destination-port 8080
set applications application CUSTOM-WEB application-protocol http

 

HTH,

Re: system-services (Security Zones Host Inbound Traffic) for custom services


WAIT!   Maybe I misunderstood the question.

Are you trying to access j-web on your SRX using a port other than 80?  Something like this? 

[Attached image: WEB ACCESS.png]

if so, this is what you need:

 

[edit system services web-management]
root@R1# show | display set relative
set http port 8080


[edit security zones security-zone OUTSIDE]
root@R1# show | display set relative
set host-inbound-traffic system-services http    <= you still need this! 

 

Re: Win10 running Pulse Secure VPN client Error 1453 when trying to VPN out to Juniper SRX 300 Gateway


Thanks for your recommendations @lpaniagua

In the end the problem I had was internal.

 

Juniper's JTAC team investigated the SRX300 Gateway, where the Pulse Secure VPN client was supposed to connect, while the VPN connectivity was failing and found out that it was caused by over-utilization of its Routing Engine.


Next, we will show the Juniper commands the JTAC engineer ran on the SRX in config mode.


user@SRXGateway# run show chassis routing-engine
Routing Engine status:
Temperature 45 degrees C / 113 degrees F
CPU temperature 59 degrees C / 138 degrees F
Total memory 4096 MB Max 983 MB used ( 24 percent)
Control plane memory 2624 MB Max 656 MB used ( 25 percent)
Data plane memory 1472 MB Max 309 MB used ( 21 percent)
5 sec CPU utilization:
User 50 percent
Background 0 percent
Kernel 45 percent
Interrupt 0 percent
Idle 5 percent <---- idle was down to 0% when we initially executed the command at the time the VPN client was failing to connect
Last reboot reason 0x200:normal shutdown
Load averages: 1 minute 5 minute 15 minute

 

user@SRXGateway# run show system processes extensive | except 0.00
last pid: 49064; load averages: 2.33, 1.67, 1.38 up 3+07:22:08 10:40:48
160 processes: 16 running, 130 sleeping, 2 zombie, 12 waiting

Mem: 304M Active, 144M Inact, 1574M Wired, 385M Cache, 112M Buf, 1572M Free
Swap:


PID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND
........................

.......................
49023 nobody 3 84 0 11600K 5032K ucondt 0 0:01 1.46% httpd <---- was in the low 90% when the VPN client could not connect

 

Finally he executed

run show security flow session interface st0.21

and that returned a list of pairs of communicating IPs, their Session IDs and the Policy Names that allow them.

 

The overwhelming majority of the records indicated 3 specific IP addresses trying to aggressively connect to the SRX itself. All IPs were assigned to hardware in the internal network and there was no config to allow them to be accessed externally, via DDNS for example.


Two of those IPs were given to IP power switches [to power up hardware when power from the grid restores after an outage] and the 3rd one on a server.


The IP power switches by design ping 5 different external preset targets every few seconds; if those become unreachable then they power-cycle one or both of their AC power outlets according to the user's configuration.


Unexpectedly, the SRX300 logs showed the traffic from the IP power switches wasn't ICMP, as expected, but plain HTTP, so the fact it was directed to the SRX raised suspicions of their having been hacked, so I removed them from the network.


The server, among other software, had 2 very resource-intensive network management tools [SolarWinds and PRTG Network Monitor] that were hitting the Gateway to extract descriptive network info and stats for reporting purposes.

Both pieces of software were completely removed [down to the Windows registry level] from the server and the machine was deeply scanned with a couple of AVs to assess/ensure its virus/spyware-clean status.


The Juniper engineer also disabled HTTP management access on the SRX:

[edit system services web-management] <--- config setting he changed


and we agreed not to restart the SRX again but to monitor Pulse connectivity daily. So far it has been 6 days and we haven't experienced any Pulse Secure VPN outage; hoping it'll stay that way.


However, Juniper highly recommends NOT using Pulse Secure as a VPN client for accessing their gateways, especially from Win10 machines [albeit, from personal experience, Pulse Secure still works from Win7 and is pretty stable and reliable].


Instead they propose to use NCP. Below is a KB article about how to set it up on the SRX and a PDF with NCP set up instructions for the Client:


https://kb.juniper.net/InfoCenter/index?page=content&id=KB32418&actp=RSS


https://kb.juniper.net/library/CUSTOMERSERVICE/BK17364/NCP%20Secure%20Entry%20Client%20Configuration%20v3.pdf


I hope the above info is helpful and provides enough insight to help others in their troubleshooting efforts.


Thanks

Stavros
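The triage step above (running "show security flow session" and noticing that most sessions were a few internal hosts hammering the SRX itself) can be automated when the session table is large. The following script is an added example, not part of the forum post: it parses the text of "show security flow session" (the session header and "In:" wing format, as assumed here) and counts sessions per source address whose destination is one of the firewall's own addresses, so that the noisiest hosts surface immediately. The sample output and the addresses in it are constructed.

```python
"""Count sessions terminating on the SRX itself, per source host.

Added example (not from the forum thread). Parses captured text of
'show security flow session'; the line layout below is an assumption
about the output format, so adjust the regexes to your release.
"""
import re
from collections import Counter

# Session header, e.g.
#   Session ID: 101, Policy name: self-traffic-policy/1, Timeout: 1798, Valid
SESSION_HDR = re.compile(r"^Session ID:\s*(?P<sid>\d+),\s*Policy name:\s*(?P<policy>\S+),")

# "In:" wing of a session, e.g.
#   In: 192.168.1.50/51234 --> 192.168.1.1/80;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, ...
IN_WING = re.compile(
    r"^\s*In:\s+(?P<src>[\d.]+)/(?P<sport>\d+)\s+-->\s+"
    r"(?P<dst>[\d.]+)/(?P<dport>\d+);(?P<proto>\w+)"
)

# Constructed sample: three sessions from .50 to the SRX's own address, one
# from .51, one SNMP session from .52, and one passthrough session from .60.
SAMPLE_OUTPUT = """\
Session ID: 101, Policy name: self-traffic-policy/1, Timeout: 1798, Valid
  In: 192.168.1.50/51234 --> 192.168.1.1/80;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 12, Bytes: 960,
  Out: 192.168.1.1/80 --> 192.168.1.50/51234;tcp, Conn Tag: 0x0, If: .local..0, Pkts: 9, Bytes: 2200,
Session ID: 102, Policy name: self-traffic-policy/1, Timeout: 1796, Valid
  In: 192.168.1.50/51235 --> 192.168.1.1/80;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 11, Bytes: 900,
  Out: 192.168.1.1/80 --> 192.168.1.50/51235;tcp, Conn Tag: 0x0, If: .local..0, Pkts: 8, Bytes: 2100,
Session ID: 103, Policy name: self-traffic-policy/1, Timeout: 1794, Valid
  In: 192.168.1.50/51236 --> 192.168.1.1/80;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 10, Bytes: 880,
  Out: 192.168.1.1/80 --> 192.168.1.50/51236;tcp, Conn Tag: 0x0, If: .local..0, Pkts: 8, Bytes: 2000,
Session ID: 104, Policy name: self-traffic-policy/1, Timeout: 1790, Valid
  In: 192.168.1.51/40001 --> 192.168.1.1/80;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 3, Bytes: 240,
  Out: 192.168.1.1/80 --> 192.168.1.51/40001;tcp, Conn Tag: 0x0, If: .local..0, Pkts: 2, Bytes: 500,
Session ID: 105, Policy name: trust-to-untrust/4, Timeout: 1788, Valid
  In: 192.168.1.60/45000 --> 203.0.113.9/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 20, Bytes: 3000,
  Out: 203.0.113.9/443 --> 192.168.1.60/45000;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 18, Bytes: 9000,
Session ID: 106, Policy name: self-traffic-policy/1, Timeout: 50, Valid
  In: 192.168.1.52/33000 --> 192.168.1.1/161;udp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 90,
  Out: 192.168.1.1/161 --> 192.168.1.52/33000;udp, Conn Tag: 0x0, If: .local..0, Pkts: 1, Bytes: 120,
"""

# The firewall's own addresses (constructed for the sample).
OWN_ADDRESSES = {"192.168.1.1"}


def parse_sessions(text):
    """Yield one dict per session with sid, policy, src, dst, dport and proto."""
    current = None
    for line in text.splitlines():
        m = SESSION_HDR.match(line)
        if m:
            current = {"sid": int(m["sid"]), "policy": m["policy"]}
            continue
        m = IN_WING.match(line)
        if m and current is not None:
            current.update(src=m["src"], dst=m["dst"],
                           dport=int(m["dport"]), proto=m["proto"])
            yield current
            current = None  # the Out: wing carries nothing more we need


def sessions_to_self(text, own_addresses):
    """Return a Counter: source IP -> number of sessions whose destination is the SRX."""
    counts = Counter()
    for s in parse_sessions(text):
        if s["dst"] in own_addresses:
            counts[s["src"]] += 1
    return counts


def noisy_sources(text, own_addresses, threshold):
    """Sources with at least `threshold` sessions to the SRX, busiest first."""
    return [(src, n) for src, n in sessions_to_self(text, own_addresses).most_common()
            if n >= threshold]


if __name__ == "__main__":
    for src, n in noisy_sources(SAMPLE_OUTPUT, OWN_ADDRESSES, threshold=2):
        print(f"{src}: {n} sessions to the firewall")
```

On a live box, paste the output of "show security flow session" into a file and point the script at it; raising the threshold separates a monitoring server that polls every few seconds from ordinary management sessions.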


Re: system-services (Security Zones Host Inbound Traffic) for custom services


Hi,

QUE :-

If I configured a custom port for untrust interface web access and try to access it from the outside network, can I access the firewall web interface on the custom port?
I simply want to know: if the service is not available under host-inbound services, then what is the solution?

 

ANS :-

Service (http-custom)* has to be enabled on the outside interface zone.

https access won't work if the http service is not available under host-inbound services.

 

* - Needs to be defined

Regards,

 

Rahul

Re: system-services (Security Zones Host Inbound Traffic) for custom services


Hi,

You do not need to allow any custom port explicitly. You just need to allow system-services http; the custom port is then allowed automatically.

root@srx# show system services web-management
http {
port 8080;
}

root@srx# show security zones functional-zone management
interfaces {
ge-0/0/0.0;
}
host-inbound-traffic {
system-services {
ping;
ssh;
telnet;
http; <<< I only have http allowed
https;
snmp;
ntp;
ftp;
}
}

root@srx# run show system connections | grep 8080
tcp46 0 0 *.8080 *.* LISTEN
tcp4 0 0 *.8080 *.* LISTEN

 

J-WEB on port 8080 works with the above configuration (Screen-shot attached).

 

I hope this helps.

 

Regards,

 

Vikas

 

Re: Why traffic is very slow over ipsec


Hello,

 

This is a very common issue we see with performance over IPSec VPN. I would therefore first try to set the tcp-mss value for VPN traffic as suggested by "CRM" earlier and check for any performance improvement.

 

set security flow tcp-mss ipsec-vpn mss 1328

 

Please ensure this is set on both sides of the VPN tunnel: at the branch and at the hub location.

 

Getting into packet captures can get messy and time-consuming. Fragmentation may not necessarily be happening on the firewall. Frag and de-frag anywhere along the path is a costly operation and can impact latency.

 

Regards,

 

Vikas

Re: Vlan loop protection, not stp, etc.

My topology is not really similar to that; however, I assume that maybe I stated something that made it seem similar. Maybe because I said that SLPP was Enterprise.

The reason I am looking for something similar to SLPP is because of the timing involved in finding loops. Enterprise loop protection is important even in small networks. I in fact have a small network. Thanks for the suggestion about clustering however. I'm not sure if this would increase loop detection size however. This is one of the assumptions I'm making though. SLPP can detect rather large loops. Which increases the speed. SLPP seems slow but the large loop detection makes it a rather lightning fast way to find and remove loops.

Incidentally, I have one SRX240B2 with three APs on it, but my locale requires better loop protection.

Re: Where is JIST? (Snort, etc. to IDP translator)


Bringing up a really old topic, but does anyone have this JIST translator? I would really appreciate it if someone who has it could share it!

Thanks

RS

End user: details of SRX enhanced web filtering in a GUI?


I am an end user. I work for a small school district that has signed up with a new ISP. They have installed their own SRX 340 and our school is using the enhanced web filtering.

 

What is necessary to see detailed info on what has been blocked or passed, preferably using a GUI? Apparently the SRX can't do that directly by itself. From my Google searches, some of which led to past discussions on this forum, the SRX can either produce a basic summary with no detail, or it spews a highly detailed running log of all activity to an external syslog server.

 

I see mention of a "Security Threat Response Manager" (STRM) that can be used with the SRX 340, but is it end of life? And if so, what is the current alternative?

 

I see there is lots 'n lots of monitoring that can occur beyond the web filter. I only want to know the activity of the web filtering component.

 

The ISP owns the SRX 340 and currently they are very tightly controlling access to it, so it's unclear what level of detailed web filtering monitoring I will be able to have access to.

 

Re: Win10 running Pulse Secure VPN client Error 1453 when trying to VPN out to Juniper SRX 300 Gateway


For those users who will make the decision to purchase an NCP client here is the generic URL of their site:    https://www.ncp-e.com/en/exclusive-remote-access-solution/vpn-client/#c12977

 

In our case we don't need a volume license, so in order to obtain a few of those one will need what is called an "NCP Exclusive Entry Client for Windows", as shown at

https://www.ncp-e.com/en/exclusive-remote-access-solution/vpn-client/exclusive-entry-client/

 

How-To-Buy page for the NCP Exclusive Entry Client for Windows, macOS and Android devices, with lots of FAQs:

https://www.ncp-e.com/en/exclusive-remote-access-solution/how-to-buy/

 

With your permission we'll reply back after we run the installation of an NCP client so others can benefit from our findings. Please bear with us as it'll be our first time to set it up.

 

Thanks

Stavros


Re: End user: details of SRX enhanced web filtering in a GUI?


Hi,

 

You can use JSA or Security Director + Log Collector. It can also be done on J-Web, but J-Web has limited storage for the logs.

 

Thanks

 

Re: End user: details of SRX enhanced web filtering in a GUI?


Hi Javik,

 

Since you do not have control of the SRX and only have web access [J-Web]:

 

Option #1

If security logging is enabled, you can have JWEB generate a Report under "Reports".

Select "URL Report" and then Click, "Generate Report".

 

>>> This will provide you with an HTML file showing URLs blocked (count / over time / by category).

 

If you have already checked this and it does not give you what you need:

 

Option #2

Check with your ISP whether the following configuration can be put in place.

 

Use stream mode and send UTM logs to a syslog server to see all activity (including blocked and permitted URLs).

set system syslog file utm-logs any any
set system syslog file utm-logs match "RT_UTM"

A syslog server/viewer can then parse the required information, with timestamps, as per your needs.

 

Regards,

 

Rahul
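Option #2 above ends with "a syslog server/viewer can parse the required information". The following script is an added example, not from the thread or from Juniper: it turns captured RT_UTM web-filter syslog lines into the blocked/permitted summary the original poster asked for (counts by category, top blocked URLs and top blocked clients). The sample log lines are constructed, and the field layout they use (ACTION, src(port)->dst(port), CATEGORY, REASON, PROFILE, URL) is an assumption about the RT_UTM WEBFILTER_URL_* message format; check it against real lines from your release and adjust the regex if needed.

```python
"""Summarise SRX enhanced web filtering (RT_UTM) syslog lines.

Added example, not the forum's or Juniper's code. The message layout
matched by UTM_RE is an assumption; verify against real log lines.
"""
import re
from collections import Counter

UTM_RE = re.compile(
    r'RT_UTM: (?P<event>WEBFILTER_URL_\w+): WebFilter: ACTION="(?P<action>[^"]+)"\s+'
    r'(?P<src>[\d.]+)\((?P<sport>\d+)\)->(?P<dst>[\d.]+)\((?P<dport>\d+)\)\s+'
    r'CATEGORY="(?P<category>[^"]*)"\s+REASON="(?P<reason>[^"]*)"\s+'
    r'PROFILE="(?P<profile>[^"]*)"\s+URL=(?P<url>\S+)'
)

# Constructed sample lines (addresses, URLs and categories are made up).
# The RT_FLOW line is there to show that unrelated messages are ignored.
SAMPLE_LOG = [
    'Jan  9 10:40:48 srx RT_UTM: WEBFILTER_URL_BLOCKED: WebFilter: ACTION="URL Blocked" '
    '10.10.1.20(50234)->203.0.113.10(80) CATEGORY="Enhanced_Gambling" REASON="BY_PRE_DEFINED" '
    'PROFILE="school-wf" URL=bets-a.test OBJ=/ USERNAME=N/A ROLES=N/A',
    'Jan  9 10:40:49 srx RT_UTM: WEBFILTER_URL_PERMITTED: WebFilter: ACTION="URL Permitted" '
    '10.10.1.21(50235)->203.0.113.11(443) CATEGORY="Enhanced_Education" REASON="BY_PRE_DEFINED" '
    'PROFILE="school-wf" URL=lesson.test OBJ=/ USERNAME=N/A ROLES=N/A',
    'Jan  9 10:40:50 srx RT_FLOW: RT_FLOW_SESSION_CREATE: session created '
    '10.10.1.21/50236->203.0.113.11/443 junos-https',
    'Jan  9 10:41:02 srx RT_UTM: WEBFILTER_URL_BLOCKED: WebFilter: ACTION="URL Blocked" '
    '10.10.1.20(50240)->203.0.113.10(80) CATEGORY="Enhanced_Gambling" REASON="BY_PRE_DEFINED" '
    'PROFILE="school-wf" URL=bets-a.test OBJ=/odds USERNAME=N/A ROLES=N/A',
    'Jan  9 10:41:15 srx RT_UTM: WEBFILTER_URL_BLOCKED: WebFilter: ACTION="URL Blocked" '
    '10.10.1.22(50300)->203.0.113.12(443) CATEGORY="Enhanced_Social_Networking" REASON="BY_PRE_DEFINED" '
    'PROFILE="school-wf" URL=chat.test OBJ=/ USERNAME=N/A ROLES=N/A',
    'Jan  9 10:41:20 srx RT_UTM: WEBFILTER_URL_PERMITTED: WebFilter: ACTION="URL Permitted" '
    '10.10.1.23(50301)->203.0.113.13(443) CATEGORY="Enhanced_Search_Engines_and_Portals" REASON="BY_PRE_DEFINED" '
    'PROFILE="school-wf" URL=search.test OBJ=/ USERNAME=N/A ROLES=N/A',
]


def parse_utm(lines):
    """Return one dict per RT_UTM web-filter line; other lines are skipped."""
    records = []
    for line in lines:
        m = UTM_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["blocked"] = rec["event"] == "WEBFILTER_URL_BLOCKED"
            records.append(rec)
    return records


def summarize(records):
    """Aggregate the records into the counts a web-filter report would show."""
    blocked = [r for r in records if r["blocked"]]
    permitted = [r for r in records if not r["blocked"]]
    return {
        "blocked_total": len(blocked),
        "permitted_total": len(permitted),
        "blocked_by_category": Counter(r["category"] for r in blocked),
        "permitted_by_category": Counter(r["category"] for r in permitted),
        "top_blocked_urls": Counter(r["url"] for r in blocked).most_common(5),
        "top_blocked_clients": Counter(r["src"] for r in blocked).most_common(5),
    }


if __name__ == "__main__":
    report = summarize(parse_utm(SAMPLE_LOG))
    print(f"blocked={report['blocked_total']} permitted={report['permitted_total']}")
    for category, n in report["blocked_by_category"].most_common():
        print(f"  blocked {category}: {n}")
    for url, n in report["top_blocked_urls"]:
        print(f"  {url}: {n}")
```

Feed it the utm-logs file (or the syslog server's export) instead of SAMPLE_LOG and the same functions give a per-day or per-week view without needing Security Director or JSA.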

 

Re: End user: details of SRX enhanced web filtering in a GUI?


Junos Space Security Director is the central management for SRX, not STRM.

But you really cannot use this if you don't fully own and control the SRX device.

 

So the options outlined by Rahul are your best bet in this situation.

 

Re: Win10 running Pulse Secure VPN client Error 1453 when trying to VPN out to Juniper SRX 300 Gateway


As you have noticed, the Pulse client is no longer supported and is having issues connecting after the most recent Windows system patching.

 

So for official and tested support you would need to purchase the NCP licenses for the clients.

 

A free open-source alternative you could test, which also would not be officially supported, is Shrew Soft:

https://www.shrew.net/

 

Aggregated interface using OSPF issue

Hi,

I have an SRX4100 with 2 interfaces in an aggregated link (ae0).

It peers to 2 switches in OSPF. It peers fine to one switch (goes to Full in OSPF) but gets stuck in init in OSPF with the other switch.

Is there anything different needed in the config when using aggregated ports in OSPF?

Thanks