Channel: All SRX Services Gateway posts

Re: SSL Libraries out of Date SRX240H2


This is the supported list in D80 (I don't have D85 anywhere):


    Accepted  TLS12  256 bits  DHE-RSA-AES256-GCM-SHA384
    Accepted  TLS12  256 bits  DHE-RSA-AES256-SHA256
    Accepted  TLS12  256 bits  DHE-RSA-AES256-SHA
    Accepted  TLS12  256 bits  AES256-GCM-SHA384
    Accepted  TLS12  256 bits  AES256-SHA256
    Accepted  TLS12  256 bits  AES256-SHA
    Accepted  TLS12  128 bits  DHE-RSA-AES128-GCM-SHA256
    Accepted  TLS12  128 bits  DHE-RSA-AES128-SHA256
    Accepted  TLS12  128 bits  DHE-RSA-AES128-SHA
    Accepted  TLS12  128 bits  AES128-GCM-SHA256
    Accepted  TLS12  128 bits  AES128-SHA256
    Accepted  TLS12  128 bits  AES128-SHA

I'm not sure if editing httpd.conf is possible or supported, but the default accepted ciphers are below.

<VirtualHost *:443>
  ServerName "xxx"
  DocumentRoot "/html"
  SSLEngine on
  SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:-MEDIUM
  SSLProtocol ALL -SSLV3 -SSLV2 -TLSv1 -TLSv1.1 +TLSv1.2
  SSLCertificateFile "/var/db/certs/system-cert/system-generated.cert"
  SSLCertificateKeyFile "/var/db/certs/system-key-pair/system-generated.priv"
</VirtualHost>
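As an added example (not code from the thread or from Junos), the script below grades the accepted-cipher list pasted above the way a reviewer would before deciding what to put in SSLCipherSuite: does the suite give forward secrecy (DHE/ECDHE key exchange), does it use an AEAD bulk cipher (GCM/CCM/CHACHA20), and is the bulk cipher one that should never be offered (RC4, DES/3DES, NULL, export). The SAMPLE_SCAN text is the D80 list from the post; LEGACY_SCAN is a constructed extra list used only to show the "reject" path. The grading thresholds are this example's own choices, not anything the page states.

```python
"""Grade the cipher suites a TLS listener accepts.

Added example, not code from the thread or from Junos.  It parses the
"Accepted  <proto>  <bits> bits  <suite>" lines that sslscan-style tools
print and grades each suite on what a reviewer checks: forward secrecy
(DHE/ECDHE key exchange), an AEAD bulk cipher (GCM/CCM/CHACHA20) and the
absence of RC4/DES/NULL/export bulk ciphers.
"""
import re
from dataclasses import dataclass

# Constructed sample: the D80 accepted-cipher list from the post above.
SAMPLE_SCAN = """
    Accepted  TLS12  256 bits  DHE-RSA-AES256-GCM-SHA384
    Accepted  TLS12  256 bits  DHE-RSA-AES256-SHA256
    Accepted  TLS12  256 bits  DHE-RSA-AES256-SHA
    Accepted  TLS12  256 bits  AES256-GCM-SHA384
    Accepted  TLS12  256 bits  AES256-SHA256
    Accepted  TLS12  256 bits  AES256-SHA
    Accepted  TLS12  128 bits  DHE-RSA-AES128-GCM-SHA256
    Accepted  TLS12  128 bits  DHE-RSA-AES128-SHA256
    Accepted  TLS12  128 bits  DHE-RSA-AES128-SHA
    Accepted  TLS12  128 bits  AES128-GCM-SHA256
    Accepted  TLS12  128 bits  AES128-SHA256
    Accepted  TLS12  128 bits  AES128-SHA
"""

# Constructed sample of what an unhardened listener might additionally accept.
LEGACY_SCAN = """
    Accepted  TLS10  128 bits  RC4-SHA
    Accepted  TLS12  112 bits  DES-CBC3-SHA
    Accepted  TLS12  128 bits  ECDHE-RSA-AES128-GCM-SHA256
"""

LINE_RE = re.compile(r"^\s*Accepted\s+(\S+)\s+(\d+)\s+bits\s+(\S+)\s*$")


@dataclass
class Suite:
    protocol: str
    bits: int
    name: str

    @property
    def forward_secrecy(self) -> bool:
        return self.name.startswith(("ECDHE-", "DHE-", "EDH-"))

    @property
    def aead(self) -> bool:
        return any(tok in self.name for tok in ("GCM", "CCM", "CHACHA20"))

    @property
    def legacy_bulk(self) -> bool:
        # RC4, DES/3DES, NULL and export ciphers are never acceptable.
        return any(tok in self.name for tok in ("RC4", "DES", "NULL", "EXP"))

    def grade(self) -> str:
        """'reject': drop it; 'legacy': keep only for old clients; 'modern': keep."""
        if self.legacy_bulk or self.protocol not in ("TLS12", "TLS13"):
            return "reject"
        if self.forward_secrecy and self.aead:
            return "modern"
        return "legacy"


def parse_scan(text: str) -> list:
    """Turn sslscan-style 'Accepted' lines into Suite objects; other lines are ignored."""
    return [Suite(m.group(1), int(m.group(2)), m.group(3))
            for m in (LINE_RE.match(line) for line in text.splitlines()) if m]


def audit(text: str) -> dict:
    """Map suite name -> grade for every accepted suite in the scan output."""
    return {s.name: s.grade() for s in parse_scan(text)}


def hardened_cipher_string(text: str) -> str:
    """OpenSSL cipher string (SSLCipherSuite form) of the 'modern' suites, strongest first."""
    keep = sorted((s for s in parse_scan(text) if s.grade() == "modern"),
                  key=lambda s: (-s.bits, s.name))
    return ":".join(s.name for s in keep)


if __name__ == "__main__":
    for name, grade in audit(SAMPLE_SCAN).items():
        print(f"{grade:7s} {name}")
    print("SSLCipherSuite", hardened_cipher_string(SAMPLE_SCAN))
```

Run against the post's list, only the two DHE-GCM suites grade as "modern"; every other entry is either static-RSA key exchange (no forward secrecy) or a CBC/HMAC suite, and no ECDHE suite appears at all. Note that the "bits" column is the bulk-cipher key size, not the DH parameter size; the scan output alone does not tell you how large the DHE group is, so check that separately (for example with openssl s_client) before relying on those two suites.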


Re: SSL Libraries out of Date SRX240H2


Thank you for the response.  The question is more about what ssl libraries are in use and what version they are at.  Some of the ciphers in the list are acceptable but could be configured as you have stated in the config... if it is supported.  But my concern is more about what version they are at and what potential security issues may exist as a result of the versioning.

Re: DHCP over sub interfaces /vlans


Hello AZKhan,


It will be very helpful if you could share the relevant configuration.


Mostly the answer provided by 


Re: SSL Libraries out of Date SRX240H2


OpenSSL appears to be at 1.0.2r, if that helps. I'm not sure how to determine individual library versions.

% ssh -V
OpenSSH_6.9, SSH protocols 1.5/2.0, OpenSSL 1.0.2r  26 Feb 2019
SSH release 12.3X48-D80.4 built by builder on 2019-03-28 01:42:20 UTC

Re: SSL Libraries out of Date SRX240H2


Well at least openSSL is almost current. https://www.openssl.org/ - 

28-May-2019  OpenSSL 1.0.2s is now available, including bug fixes
26-Feb-2019  OpenSSL 1.0.2r is now available, including bug and security fixes

But of the SSH libraries:

OpenSSH 8.x recently became available and the 6.x major branch has long since been deprecated. Any idea on how to bring that to the right person's attention? I am not eligible for a support maintenance agreement because I purchased my SRX SG from a reseller.

Re: SIP voice service from l2 vlan to internet through SRX345


Hi David,


Thanks, glad it worked.


ALG does a few other things as well apart from opening dynamic pinholes, like NAT of application headers as per Network Layer translation. Perhaps that is what fixed it in this case.


Regards,


Vikas

Re: SSL Libraries out of Date SRX240H2


Hello,


In the 12.3 release train the focus would be more on the bug fixes in Junos. With 18.4 and 19.1 I see we are on version 7 of OpenSSH.


% ssh -V
OpenSSH_7.3, SSH protocols 1.5/2.0, OpenSSL 1.0.2q 20 Nov 2018
SSH release 18.4R20190305_2020_builder built by builder on 2019-03-05 20:24:04 UTC


I hope this helps. Regards,


Vikas
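The two `ssh -V` banners in this thread (the 12.3X48-D80 one earlier and the 18.4 one just above) are the only version evidence available without a support contract, so here is an added example, not code from the thread or from Junos, that turns such a banner into an inventory record and compares it against a baseline. The baseline values (OpenSSH 7.0 as the minimum, OpenSSL 1.0.2s as the newest 1.0.2 letter release mentioned in the thread) are parameters of this example, not a statement from the page, and the two banner strings are copied from the posts. The only non-obvious part is ordering OpenSSL's pre-1.1.1 letter-suffixed versions (1.0.2r < 1.0.2s < 1.0.2za), which a plain string compare gets wrong.

```python
"""Parse `ssh -V` banners and compare them to a baseline.

Added example, not code from the thread or from Junos.  The banners are
the two pasted in the thread; the baseline versions are this example's own
assumptions.
"""
import re

BANNER_12_3 = "OpenSSH_6.9, SSH protocols 1.5/2.0, OpenSSL 1.0.2r  26 Feb 2019"
BANNER_18_4 = "OpenSSH_7.3, SSH protocols 1.5/2.0, OpenSSL 1.0.2q 20 Nov 2018"

# OpenSSH_7.4p1 style portable suffixes are tolerated but not compared.
BANNER_RE = re.compile(
    r"OpenSSH_(?P<ssh>\d+\.\d+)(?:p\d+)?.*?OpenSSL (?P<ssl>\d+\.\d+\.\d+[a-z]*)"
)


def parse_banner(banner: str) -> tuple:
    """Return (openssh_version, openssl_version) from an `ssh -V` banner."""
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSH banner: %r" % banner)
    return m.group("ssh"), m.group("ssl")


def openssl_key(version: str) -> tuple:
    """Sortable key for OpenSSL's letter scheme: '1.0.2r' -> (1, 0, 2, 18).

    Patch letters run a..z and then za..zz, so they are encoded as base-26
    digits with a=1; the empty suffix (the .0 release) encodes as 0.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % version)
    major, minor, fix, letters = m.groups()
    patch = 0
    for ch in letters:
        patch = patch * 26 + (ord(ch) - ord("a") + 1)
    return (int(major), int(minor), int(fix), patch)


def ssh_key(version: str) -> tuple:
    return tuple(int(x) for x in version.split("."))


def assess(banner: str, min_ssh: str = "7.0", latest_ssl: str = "1.0.2s") -> dict:
    """Inventory record plus a list of findings against the assumed baseline."""
    ssh, ssl = parse_banner(banner)
    findings = []
    if ssh_key(ssh) < ssh_key(min_ssh):
        findings.append("OpenSSH %s is below baseline %s" % (ssh, min_ssh))
    if openssl_key(ssl) < openssl_key(latest_ssl):
        findings.append("OpenSSL %s is behind %s" % (ssl, latest_ssl))
    return {"openssh": ssh, "openssl": ssl, "findings": findings}


if __name__ == "__main__":
    for label, banner in (("12.3X48-D80", BANNER_12_3), ("18.4", BANNER_18_4)):
        print(label, assess(banner))
```

Two caveats a practitioner should keep in mind when using this. First, `ssh -V` reports the OpenSSL the SSH userland was linked against; it does not prove that the J-Web httpd on the same box uses the same library. Second, a version number behind upstream is a prompt to check the vendor's advisories, not a finding on its own, because vendors routinely backport fixes without changing the reported version.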



Re: Shaping on multiple st0 interfaces


No, I am using p-2-p tunnels, and I have tried to shape even on VLAN units, not only st0.x tunnels.

I use as outbound interface an ae composed of 2 x 1 Gbps links.

My platform is an SRX340.

The device is behaving like the per-unit-scheduler behaviour is not enabled.

It behaves like the shaper is applied to the physical interface.

firewall events not showing on J-web


Hi Guys,

Traffic events are not showing on our SRX345 J-Web. 'Monitor > Events > Firewall' always shows "Traffic logging is not enabled", but we've done it many times already, even in the security policies log. No problem on the CLI: we can see the traffic log with show log. The security log is in event mode, as it is configured by default on the enterprise SRX.

Re: firewall events not showing on J-web


Hello,

What is the version that you are running on the device? If you are running Junos OS release 15.1X49-D100 or later, J-Web has been enhanced to support on-box reporting, which works in stream mode.

This is the configuration that should be present to make this work:

security {
    log {
        mode stream;            ## Don't use event mode.
        report;                 ## Needed for on-box reporting.
        source-address X.X.X.X;
        stream XXXXX {
            host {
                X.X.X.X;
            }
        }
    }
}

Please follow this KB for more information:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB32479&pmv=print&actp=METADATA&searchid=&type=currentpaging

Regards,

Prakash

Re: firewall events not showing on J-web


Hi,


I believe you have followed this KB: https://kb.juniper.net/InfoCenter/index?page=content&id=KB19490&actp=METADATA


Can you please double check the below?


J-web will recognize the following settings as the syslog file that contains the traffic log: 

file policy_session {
        any any;                   // This can be any of [any/any, any/info, user/any, user/info]
        match RT_FLOW;             // Need exact the same match string for system in searching logs for policy
        archive world-readable;    // Required
        structured-data;           // Preferred for fast searching when using filters 
    }


You can do a quick check on the file permissions and whether the RT_FLOW tag is seen in the file.

file list detail /var/log/<log-file-name>

show log log-file-name | match RT_FLOW


If you can share details of the log file configuration and above two commands it would help.


Regards,


Vikas
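The two checks the reply above asks for, that the file really contains RT_FLOW lines and that they are in structured-data form, can be done off-box on a copied log. The following is an added example, not code from the thread or from Junos: a small parser for RT_FLOW structured-data syslog records that flags whether traffic logging is present and summarises sessions per policy, which is roughly the view J-Web's Firewall page is built from. The sample records are constructed to follow the RT_FLOW_SESSION_CREATE / DENY / CLOSE layout; all addresses, ports, policy names, session ids and the SD-ID enterprise suffix are invented. The trailing RT_ALG_ERR_NAT line is a constructed non-RT_FLOW record included to show that unrelated syslog noise is ignored.

```python
"""Parse Junos RT_FLOW structured-data syslog lines.

Added example, not code from the thread or from Junos.  The sample lines
below are constructed; every value in them is invented.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
<14>1 2019-06-18T09:45:01.123Z SRX345 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.129 source-address="10.1.1.20" source-port="51122" destination-address="203.0.113.10" destination-port="443" service-name="junos-https" nat-source-address="198.51.100.2" nat-source-port="18542" nat-destination-address="203.0.113.10" nat-destination-port="443" src-nat-rule-name="outbound" dst-nat-rule-name="None" protocol-id="6" policy-name="trust-to-untrust" source-zone-name="trust" destination-zone-name="untrust" session-id-32="12345" username="N/A" roles="N/A" packet-incoming-interface="ge-0/0/1.0"]
<14>1 2019-06-18T09:45:02.456Z SRX345 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.129 source-address="192.0.2.77" source-port="40001" destination-address="10.1.1.5" destination-port="22" service-name="junos-ssh" protocol-id="6" icmp-type="0" policy-name="default-deny" source-zone-name="untrust" destination-zone-name="trust" reason="policy deny"]
<14>1 2019-06-18T09:45:09.000Z SRX345 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="TCP FIN" source-address="10.1.1.20" source-port="51122" destination-address="203.0.113.10" destination-port="443" service-name="junos-https" policy-name="trust-to-untrust" source-zone-name="trust" destination-zone-name="untrust" session-id-32="12345" packets-from-client="12" bytes-from-client="1440" packets-from-server="10" bytes-from-server="5120" elapsed-time="8"]
Jun 18 09:45:01 SRX220 junos-alg: RT_ALG_ERR_NAT: SIP ALG NAT failed.
"""

# RFC 5424 style header as Junos emits it: <PRI>1 TIMESTAMP HOST RT_FLOW - MSGID [SD-ID params]
HEADER_RE = re.compile(
    r"^(?:<\d+>1\s+)?(?P<ts>\S+)\s+(?P<host>\S+)\s+RT_FLOW\s+-\s+"
    r"(?P<event>RT_FLOW_\w+)\s+\[(?P<sdid>\S+)\s+(?P<params>[^\]]*)\]"
)
PARAM_RE = re.compile(r'(?P<key>[\w-]+)="(?P<val>[^"]*)"')


def parse_line(line: str):
    """Return {ts, host, event, params} for an RT_FLOW structured-data line, else None."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    params = {k: v for k, v in PARAM_RE.findall(m.group("params"))}
    return {"ts": m.group("ts"), "host": m.group("host"),
            "event": m.group("event"), "params": params}


def parse_log(text: str) -> list:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def traffic_log_present(text: str) -> bool:
    """Off-box equivalent of `show log <file> | match RT_FLOW`, plus a parse check."""
    return bool(parse_log(text))


def summarize(text: str) -> Counter:
    """Count records per (event, policy-name)."""
    return Counter((r["event"], r["params"].get("policy-name", "?"))
                   for r in parse_log(text))


def denied_sources(text: str) -> list:
    """Source addresses of RT_FLOW_SESSION_DENY records, in log order."""
    return [r["params"]["source-address"] for r in parse_log(text)
            if r["event"] == "RT_FLOW_SESSION_DENY"]


if __name__ == "__main__":
    print("traffic log present:", traffic_log_present(SAMPLE_LOG))
    for (event, policy), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:4d} {event} {policy}")
    print("denied sources:", denied_sources(SAMPLE_LOG))
```

If `traffic_log_present` returns False on a file that is supposed to be the traffic log, the policies are not actually logging (check `then log session-init` / `session-close` on each policy) or the syslog file stanza is not matching RT_FLOW, which is the same conclusion the `| match RT_FLOW` check above leads to. A file in the non-structured (plain text) format will also fail to parse here, which is the "structured-data" point made in the reply.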

Two routing engines on SRX5600


 Hi all!

Can I use two routing engines on a single SRX5600 ? I haven't found any docs for this scenario. Thanks. Regards, Endi

Re: Why traffic is very slow over ipsec


Hi stwardlp,

Thanks for your replies. I have read your posts. I will review again and get back to you. There are some interesting tips you pinpointed. I need some time to deal with it....

Much appreciated....


Thanks


Re: Two routing engines on SRX5600


Yes, you can install two routing engines on a single SRX5600, but it does not provide any backup (failover) functionality. A second routing engine is usually used in a cluster environment where dual control link functionality is required. In that case, the purpose of the second Routing Engine is only to initialize the switch on the SCB.


Site-to-Site VPN with one site behind NAT device


Hi


I have SRX in the branch, the SRX is behind a NAT device, so the public IP is in the NAT device and the SRX external interface has private IP address.

We need to setup site to site VPN with a Cisco ASA in HQ.

I configured the Juniper SRX as below commands but neither phase1 nor phase2 goes up.


set security ike proposal HQ-VPN authentication-method pre-shared-keys
set security ike proposal HQ-VPN dh-group group2
set security ike proposal HQ-VPN authentication-algorithm sha1
set security ike proposal HQ-VPN encryption-algorithm aes-128-cbc
set security ike proposal HQ-VPN lifetime-seconds 86400
set security ike policy HQ-VPN mode main
set security ike policy HQ-VPN proposals HQ-VPN
set security ike policy HQ-VPN pre-shared-key ascii-text "$9$dDVgaJZD.PQHqT369OBvWLN-bwYgGDkqm0BREyr24o"
set security ike gateway HQ-VPN ike-policy HQ-VPN
set security ike gateway HQ-VPN address "Peer public IP"
set security ike gateway HQ-VPN local-identity inet "NAT device Public IP"
set security ike gateway HQ-VPN external-interface ge-0/0/0.0

set security ipsec proposal HQ-VPN protocol esp
set security ipsec proposal HQ-VPN authentication-algorithm hmac-sha1-96
set security ipsec proposal HQ-VPN encryption-algorithm aes-128-cbc
set security ipsec proposal HQ-VPN lifetime-seconds 28800
set security ipsec policy HQ-VPN proposals HQ-VPN
set security ipsec vpn HQ-VPN ike gateway HQ-VPN
set security ipsec vpn HQ-VPN ike proxy-identity local x.x.x.x
set security ipsec vpn HQ-VPN ike proxy-identity remote y.y.y.y
set security ipsec vpn HQ-VPN ike ipsec-policy HQ-VPN
set security ipsec vpn HQ-VPN establish-tunnels immediately

set security policies from-zone trust to-zone untrust policy Branch-To-HQ match source-address x.x.x.x
set security policies from-zone trust to-zone untrust policy Branch-To-HQ match destination-address y.y.y.y
set security policies from-zone trust to-zone untrust policy Branch-To-HQ match application any
set security policies from-zone trust to-zone untrust policy Branch-To-HQ then permit tunnel ipsec-vpn HQ-VPN

set security policies from-zone untrust to-zone trust policy HQ-To-Branch match source-address y.y.y.y
set security policies from-zone untrust to-zone trust policy HQ-To-Branch match destination-address x.x.x.x
set security policies from-zone untrust to-zone trust policy HQ-To-Branch match application any
set security policies from-zone untrust to-zone trust policy HQ-To-Branch then permit tunnel ipsec-vpn HQ-VPN

set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0

RT_ALG_ERR_NAT: SIP ALG NAT failed


Hi,


I am trying to enable persistent-NAT and SIP ALG on an SRX220 and see a bunch of these :


Jun 18 09:45:01 SRX220 junos-alg: RT_ALG_ERR_NAT: SIP ALG NAT failed.
Jun 18 09:45:02 SRX220 junos-alg: RT_ALG_ERR_NAT: SIP ALG NAT failed.
Jun 18 09:45:58 SRX220 last message repeated 50 times


So I guess there are some issues with the SIP ALG, but is there any debug I can do to find out what the exact error is?


Thank you!


Re: RT_ALG_ERR_NAT: SIP ALG NAT failed


What junos version installed on your srx?
