
SRX345 Recovery help

Hi Experts

 

I have run into some issues trying to recover an SRX345.

First off, it has been locked in a few places: the console is disabled when the boot is completed.

So logging in to Junos is not possible.

And the reset button is disabled, so password recovery seems to be out of the question, but I am not interested in the configuration, just in getting into Junos and configuring it as a new firewall.

 

I have tried to reinstall Junos using USB but it fails:

 

loader> install file:///junos.tgz

Target device selected for installation: internal media

/kernel data=0xba0974+0x152ba4 pkg_seek: negative file seek (-1362)

 

lseek failed

syms=[0x4+0xa0810+0x4+0xf0441]

 

Any other suggestions?

 

Unfortunately I don't have a working SRX345 (but probably any other model), so I can't boot from a USB snapshot.

 

Hope you guys can give me a little assistance; it would be very much appreciated.

 

 


Re: Vrrp generating "%CRYPTO-4-RECVD_PKT_INV_SPI" errors

Hello,

 

wrote:

When I set the VRRP authentication-key with MD5, should the secret data be identical on both routers?

 

 

No. Reading the source code of the Juniper $9$ encryption algo shows that the encrypted password starts with $9${salt}{random number}, so the crypto result is different when performed in different places.

The source code of the Juniper $9$ encryption algorithm is freely available on the internet:

Java https://forums.juniper.net/t5/Junos/Password-encryption-algorithm-in-Junos/td-p/96208

Perl https://metacpan.org/pod/distribution/Crypt-Juniper/lib/Crypt/Juniper.pm

HTH

Thx

Alex
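As an added illustration of Alex's point (this is not code from the thread or from Juniper), here is a Python rendering of the $9$ scheme as implemented in the Crypt::Juniper source linked above: the salt and the filler characters that follow it are random, so the same key encodes differently on each router, and decoding both strings is how an administrator confirms that the two configured keys actually match. The scheme is reversible obfuscation, not encryption, which is why decoding is possible at all.

```python
import secrets

# Character families of the Junos $9$ obfuscation (from the public Crypt::Juniper
# source). The family of the salt character decides how many random filler
# characters follow the salt: 3 for family 0 down to 0 for family 3.
FAMILIES = ["QzF3n6/9CAtpu0O", "B1IREhcSyrleKvMW8LXx",
            "7N-dVbwsY2g4oaJZGUDj", "iHkq.mPf5T"]
ALPHABET = "".join(FAMILIES)                      # 65 characters
INDEX = {c: i for i, c in enumerate(ALPHABET)}
EXTRA = {c: 3 - f for f, fam in enumerate(FAMILIES) for c in fam}
# Position-dependent weights: each plaintext byte is split into small "gaps",
# and every gap is emitted as a distance from the previously emitted character.
ENCODING = [[1, 4, 32], [1, 16, 32], [1, 8, 32], [1, 64], [1, 32],
            [1, 4, 16, 128], [1, 32, 64]]
MAGIC = "$9$"


def encrypt(plain: str, salt: str = "") -> str:
    """Obfuscate `plain`. Salt and filler are random unless a salt is given."""
    salt = salt or secrets.choice(ALPHABET)
    filler = "".join(secrets.choice(ALPHABET) for _ in range(EXTRA[salt]))
    out, prev = MAGIC + salt + filler, salt
    for pos, ch in enumerate(plain):
        weights = ENCODING[pos % len(ENCODING)]
        value, gaps = ord(ch), []
        for w in reversed(weights):           # split the byte into its digits
            gaps.append(value // w)
            value %= w
        for gap in reversed(gaps):            # digit -> distance from prev char
            prev = ALPHABET[(INDEX[prev] + gap + 1) % len(ALPHABET)]
            out += prev
    return out


def decrypt(crypt: str) -> str:
    """Reverse encrypt(); raises ValueError on malformed input."""
    body = crypt[len(MAGIC):]
    if not crypt.startswith(MAGIC) or not body or any(c not in INDEX for c in body):
        raise ValueError("not a $9$ string")
    salt, rest = body[0], body[1 + EXTRA[body[0]]:]   # skip the salt's filler
    prev, plain = salt, ""
    while rest:
        weights = ENCODING[len(plain) % len(ENCODING)]
        chunk, rest = rest[:len(weights)], rest[len(weights):]
        if len(chunk) != len(weights):
            raise ValueError("truncated $9$ string")
        value = 0
        for w, c in zip(weights, chunk):      # distance from prev char -> digit
            value += w * ((INDEX[c] - INDEX[prev]) % len(ALPHABET) - 1)
            prev = c
        plain += chr(value % 256)
    return plain


def same_secret(a: str, b: str) -> bool:
    """True when two differently looking $9$ strings hide the same key."""
    return decrypt(a) == decrypt(b)
```

Running same_secret() over the authentication-key strings from both routers' configurations tells you whether the VRRP keys agree even though the $9$ strings do not.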

 

 

 

Re: SRX345 Recovery help

@WOLF_OF_DK

 

Without console and/or the reset button, you're out of luck. All recovery routes require some form of this. Even to get the device to boot from USB to recover requires a press of the reset button at turn on.

 

I'd try the USB boot with turning the device on and pressing the reset button, just in case the reset block is set and takes effect after boot.

 

USB Automatic Recovery documentation can be found here:
https://kb.juniper.net/InfoCenter/index?page=content&id=KB23882&actp=METADATA

KR
Adam

SRX320, apps and graphs

I'm testing features of the SRX to see if it can provide us an alternative to our current router selection.

 

The system is up and running, consisting of a vSRX with trial licenses and Sky Enterprise, and I already blocked some things like LinkedIn and YouTube as a test.

(I have a physical SRX320 too, but no special licenses to play with it.)

 

Anyway, we love graphs, as bandwidth is often very limited.

If I open Sky Enterprise and go to the device -> interface graphs, there's a nice bandwidth graph, but "apptrack data" remains empty.

 

On the web interface of the SRX itself, the graphs regarding apps do not get filled with data either. I assume this is because it's based upon "app firewall", which is no longer being used?

 

The only way I get a good view on apps and their usage is in monitor -> security services -> app tracking.

It shows me a list of apps and their sessions, KB, and % of total. Pretty much the things we're looking for.

(I would also love to visualize app bandwidth against time, to see if a certain website or app is saturating the line.)

 

Is there any way of getting this info into sky enterprise?

I've been reading about the log settings and streaming the files to an external location, but there is no option to have it added to Sky Enterprise.

 

Bit by bit I'm getting further, but there's quite a learning curve before everything works. Licenses and their functions are also a bit confusing.

For example, junos:youtube and junos:linkedin in the dynamic application filter do work directly, but junos:openvpn did not. Even adding a custom app with UDP and external port 1194 as a filter did not catch it somehow.

 

 

 

Re: SRX345 Recovery help

Hello WOLF_OF_DK,

 

The re-installation at the loader prompt would be the right procedure. To me it seems that your installation image is corrupted. Please download a new image and perform a checksum check to see whether it matches the checksum provided on the Juniper download site.

 

E.g. for Junos 18.2R3, the command you should use looks like:

 

install file:///junos-srxsme-18.2R3.4.tgz

Re: SRX320, apps and graphs

Hi!

Firstly, here is your Sky Enterprise one-stop techie shop: https://www.juniper.net/documentation/product/en_US/juniper-sky-enterprise

Now onto the task at hand!

Basically, Sky Enterprise is a cut-down version of on-premise Junos Space and Junos Security Director in the cloud.

AppTrack analyzes application data and classifies it based on risk level, zones, and source and destination addresses. It tracks application usage to identify high-risk applications and analyze traffic patterns, improving network management and control. It will be empty because there aren't any high-risk apps or traffic patterns identified, I would assume.

I think that answers everything; if there is anything else, reply and let me know.

 

KR
Adam

Re: SRX345 Recovery help

@AdamHartley

Password recovery, yes, that is impossible, but perhaps the title is misleading: what I need is a reinstall; the config is not important.
It should be possible, but I am having some trouble doing it.


@F1ght3r

I have CRC-checked the file on the drive and even downloaded a new and different file, but same result.
I am going to try another USB pen; perhaps it's not compatible, so I will try a new SanDisk USB.

I did exactly what you recommend, but had no success. As you can see, I got some errors when I tried, and I have no idea what they mean:

loader> install file:///junos.tgz

Target device selected for installation: internal media

/kernel data=0xba0974+0x152ba4 pkg_seek: negative file seek (-1362)

 

lseek failed

syms=[0x4+0xa0810+0x4+0xf0441]

 


If someone has a USB snapshot image from a new SRX345 or another suggestion, I would be very grateful.

Re: SRX345 Recovery help

I can assure you that the "loader> install file:///" command is the right one. Please check some other USB devices, make sure they are error free and that they are FAT32 formatted. After copying the JUNOS image to the USB device, please verify the checksum again, to make sure that there were no errors during copying.


J-Web broken after Upgrade to 19.4R1.10

Hey all,

 

I just got my SRX300-JSE delivered yesterday and upgraded from 15.1X49-D180.2 to 19.4R1.10. Now J-Web doesn't show any policies and zones; instead it displays just a circle saying "please wait, syncing from device", which you can wait hours for and it doesn't do anything.

 

If I do changes on the CLI it works flawlessly, but I can't do any changes in J-Web since it doesn't show zones, policies, interfaces etc. In addition, the box gets super slow with huge CPU load after clicking around in the J-Web interface for a while, and it crashes completely so that only a restart of web-management helps.

 

I don't really mind, since I'm fine with the command line, and I also don't really want to set up the config completely again after I got the IPsec tunnels, Sky ATP etc. all working.

 

Just curious if someone knows how it may be fixed. Is J-Web using some own kind of database which is synced from the CLI config and may be broken now? I don't even find anything strange in the log files, no errors or anything. There must be some way to regenerate it.
Re: J-Web broken after Upgrade to 19.4R1.10

I assume from your description this works correctly in 15.1 and has the issue in 19.4, thus this is going to be a software bug. These are known as PRs (problem reports) in Junos. I don't see your particular one listed in my searches of the public PR database located here:

 

https://prsearch.juniper.net/InfoCenter/index?page=prsearch

 

You can report this bug via a JTAC ticket, and they can confirm if it is already known or create a new PR if needed for the software team to fix the issue:

https://my.juniper.net/#dashboard/servicerequests

 

Re: Issue with setting up network admin Auth via LDAP/NPS

Since you can see the request packet arriving on the server but ignored by NPS, this means that at least one of the match conditions in your NPS setup for the Juniper client is not correct.

 

Re: SRX320, apps and graphs

Thanks Adam,

 

Well, there are no viruses running around AFAIK, as only my laptop is connected, and I haven't set up a lot of filtering yet. But on J-Web I've got this attached graph for example, and I hoped Sky Enterprise could show similar graphs, as it pretty much shows us what the bandwidth is being used for.

 

IIRC those graphs are based on the traffic logs, which eventually can be streamed to an external server for analysis. Maybe that's the best way for in-depth analysis of traffic, but a quick view in Sky Enterprise would be nice.

Re: SRX320, apps and graphs

Hi Ferry,

 

Oh, I see where you are coming from here, and to be fair I'm a little stumped here too, as the data is being collected and displayed in J-Web on the vSRX and somehow isn't getting pushed to Sky Enterprise, despite the data being collected and the devices being in Sky Enterprise...

 

I've searched the TechDocs and KBs with nothing here about manually having to push AppSecure or any of the parts within AppSec into Sky Enterprise to enable the data to stream...

 

I'm unfortunately going to have to bow out here and leave it to more Sky Enterprise-knowledgeable people, or ask you to go to JTAC, as this seems to be a potential backend issue.

 

KR
Adam


Enabling web authentication allows J-web access

We use the web-authentication portal for vendors to log in. After login the vendor can access internal systems as defined by our security policies and destination NAT rules. This works flawlessly except for one detail.

 

webauth.example.com resolves to a.b.c.d (see the configuration below).


Going to https://webauth.example.com/ takes one to the Firewall User Web-Authentication Login page.

 

But, if one goes to https://webauth.example.com/asdfa (or any other random letters) the J-Web login is presented.

 

Is it possible to use web-authentication without exposing J-web on the same interface?

 

We have an SRX-300 running 18.2R3.4.

# show system services web-management 
management-url admin;
https {
    pki-local-certificate webauth-cert;
    interface [ ge-0/0/0.0 ge-0/0/1.0 ge-0/0/5.0 ];
}
session {
    idle-timeout 60;
}

# show interfaces ge-0/0/5 unit 0 family inet address a.b.c.d/28    
web-authentication https;

# show security zones security-zone Internet 
screen untrust-screen;
interfaces {
    ge-0/0/5.0 {
        host-inbound-traffic {
            system-services {
                ping;
                https;
                ike;
            }
        }
    }
}

 

Re: Enabling web authentication allows J-web access

Hi WSGC,

Basically, because you have configured WebAuth and J-Web on the same interface, WebAuth pass-through authentication takes precedence by default; however, when errors happen in WebAuth (e.g. adding unexpected letters at the end of the URL path) it defaults to direct authentication (to the SRX300), which is why J-Web is displayed.

Is there a reason or use case as to why you are using ge-0/0/5 instead of the default fxp0 interface for this? Also, the JTAC recommended version is 18.2R3-S2, so you are running two sub-releases above the recommended.

KR Adam

Re: Enabling web authentication allows J-web access

Hi Adam,

Thanks for the reply. How would I enable web-authentication via HTTPS on the interface without also enabling web management on it? They seem to be linked to me: one can only configure a certificate for HTTPS using the system/services/web-management options, and then this certificate is also used for web-authentication.

 

This was also a problem on 15.1X49-D45 that I was using prior to recently upgrading.

 

The use of 18.2R3.4 is an oversight on my part. I can downgrade to 18.2R3-S2 but I'd like to focus on my initial inquiry first.

 

This is not a clustered firewall so there is no fxp interface.

Netflow / ip Cache flow commands for Juniper SRX240 OS15

Hi All,

 

Are there any equivalent commands like "show ip flow top-talkers", "show ip accounting" or "show ip cache flow" on the Juniper SRX240 firewall? I am aware of the "monitor traffic interface" command, but it's not of much use if you want to see which IP address is consuming how much bandwidth. Also, the "show subscriber bandwidth" command does not even exist on the CLI. Is there any way to see LAN IP address to input/output bandwidth on a Juniper SRX box without using any external collectors?

 

Thanks

 

Re: Netflow / ip Cache flow commands for Juniper SRX240 OS15
