Channel: All SRX Services Gateway posts

Re: Cluster failed over but want to move back


Sorry, my mistake: the delay, limit, and period options were added in Junos OS Release 17.4R1.

 

So just to clarify, I need to issue the following: 'set chassis cluster redundancy-group 1 preempt'.

 

Then I can reboot SRXB; if there are issues with reth0 on SRXA, SRXB will take over once it boots back up. If there are no issues, SRXA will stay as the primary?


Re: Cluster failed over but want to move back


So just to clarify, I need to issue the following: 'set chassis cluster redundancy-group 1 preempt'. - Yes.

 

Then I can reboot SRXB; if there are issues with reth0 on SRXA, SRXB will take over once it boots back up. - Yes

 

If there are no issues, SRXA will stay as the primary? - No. Even if there are no issues with SRX-A, SRX-B will be Primary for RG-1. Once you confirm that there are no errors with SRX-A, you can initiate a manual failover to SRX-A from SRX-B for RG-1.

 

Re: Cluster failed over but want to move back


I have committed the command and rebooted SRXB. Good news: SRXA is working fine. But SRXB, once it came back up, did not take over. Current status below:

 

 

show chassis cluster status
Monitor Failure codes:
    CS  Cold Sync monitoring        FL  Fabric Connection monitoring
    GR  GRES monitoring             HW  Hardware monitoring
    IF  Interface monitoring        IP  IP monitoring
    LB  Loopback monitoring         MB  Mbuf monitoring
    NH  Nexthop monitoring          NP  NPC monitoring
    SP  SPU monitoring              SM  Schedule monitoring
    CF  Config Sync monitoring

Cluster ID: 1
Node   Priority Status         Preempt Manual   Monitor-failures

Redundancy group: 0 , Failover count: 1
node0  200      primary        no      no       None
node1  100      secondary      no      no       None

Redundancy group: 1 , Failover count: 1
node0  200      primary        yes     no       None
node1  100      secondary      yes     no       None

 

 

Re: Cluster failed over but want to move back


I'm glad the SRX-A is working fine.

 

The reason why SRX-B didn't take over as Primary is that the priority of SRX-B is 100 and SRX-A is 200 for RG-1. So, when you enable the preempt option for RG-1, whichever node has the highest priority will be chosen as Primary automatically.
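The sequence discussed in this thread, written out as an added example (it is not configuration posted by either participant). It assumes node0 is SRXA and node1 is SRXB with the priorities shown in the status output above; the preempt delay, limit and period knobs need Junos 17.4R1 or later and their values here are illustrative:

```junos
## Configuration mode on the cluster (chassis cluster config is shared by both nodes).
## node0 = SRXA (priority 200), node1 = SRXB (priority 100), as in the status output above.
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
## With preempt, the higher-priority node reclaims RG1 as soon as it is healthy again.
set chassis cluster redundancy-group 1 preempt
## Junos 17.4R1 and later only: wait 60 s before preempting (lets the returning node settle)
## and allow at most 3 preemptive failovers per 600 s so a flapping node cannot ping-pong RG1.
set chassis cluster redundancy-group 1 preempt delay 60
set chassis cluster redundancy-group 1 preempt limit 3
set chassis cluster redundancy-group 1 preempt period 600
commit

## Check the result: the Preempt column should now read "yes" for RG1 on both nodes.
run show chassis cluster status redundancy-group 1

## If the earlier move to SRXB was done with "request chassis cluster failover", that node
## holds RG1 at priority 255 with Manual = yes, and neither preempt nor priority can move it
## back until the manual state is cleared (the output above shows Manual = no, so this did
## not apply here, but it is the other common reason a failback never happens):
run request chassis cluster failover reset redundancy-group 1

## Without preempt, move RG1 back by hand once SRXA is confirmed healthy:
run request chassis cluster failover redundancy-group 1 node 0
```

Preempt only decides which node owns RG1 when both are healthy; interface monitoring (the weight on reth0's member links) is still what triggers the move away from a failed node, so a preempt-enabled group with no monitored interfaces will not fail over on a link fault at all.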

Re: Database of names of static clients (hosts) of individual computers - SRX 240H


Hi,

1. Is it possible to edit the hosts file (/etc/hosts) with J-Web, or to prepare it on the PC in advance and upload it to the SRX?

2. Is another file editor (other than vi) available from the console, or a file manager like MC (Midnight Commander) in Linux?

 

 


vSRX web-authentication


Hello Experts,

 

I'm stuck with configuring web-authentication on vSRX. I've tried searching the Juniper YouTube channel but can't seem to find a tutorial on setting up web-authentication for SRX, hence I've followed this video, which is for the older Junos 12: https://www.youtube.com/watch?v=HtO_qqTW2mY

 

The issue I face is that I'm not able to load the authentication page in a web browser (Firefox or Chrome), see attached image; please can you advise where I've made a mistake? Also, is there any config I can do so that one doesn't need to go to the web-authentication inet address specifically, but instead gets redirected to web-authentication automatically, and once authenticated the SRX continues to the web address the user wanted to browse?

 

Below is the config; I appreciate your support.

 

root# run show configuration
## Last commit: 2020-08-07 07:50:56 UTC by root
version 20200609.165031.6_builder.r1115480;
system {
    root-authentication {
        encrypted-password "$6$mr8vHc28$cDObHnV2hYL7zS7XD8et/FWGOjFeuJtbJFpyNBiESLvR4xZlpYLvijo5icJbYt8NpVRS37dTsmKGuAD5clKIq0"; ## SECRET-DATA
    }
    services {
        ssh;
        dhcp-local-server {
            group WIRED {
                interface ge-0/0/1.20;
            }
            group WLAN {
                interface ge-0/0/1.10;
            }
        }
        web-management {
            http {
                interface fxp0.0;
            }
            https {
                system-generated-certificate;
                interface [ fxp0.0 ge-0/0/0.0 ];
            }
        }
    }
    domain-name www.vsrx3.com;
    name-server {
        4.2.2.2;
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    queue-size 2000; ## Warning: 'queue-size' is deprecated
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set LAN-TO-WAN {
                from zone trust;
                to zone untrust;
                rule LAN-TO-WAN {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        firewall-authentication {
                            web-authentication {
                                client-match [ G1 G2 G3 ];
                            }
                        }
                    }
                }
            }
        }
    }
    zones {
        security-zone trust {
            tcp-rst;
            host-inbound-traffic {
                system-services {
                    all;
                    ping;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.10 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
                ge-0/0/1.20 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            https;
                            ssh;
                            telnet;
                            snmp;
                        }
                    }
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.0.200/24;
            }
        }
    }
    ge-0/0/1 {
        vlan-tagging;
        unit 10 {
            vlan-id 10;
            family inet {
                address 10.10.10.1/24;
                address 10.10.10.2/24 {
                    web-authentication {
                        http;
                        https;
                        redirect-to-https;
                    }
                }
            }
        }
        unit 20 {
            vlan-id 20;
            family inet {
                address 10.10.20.1/24;
            }
        }
    }
    fxp0 {
        unit 0;
    }
}
access {
    profile WEBAUTH {
        client Client-1 {
            client-group [ G1 G2 G3 ];
            firewall-user {
                password "$9$iHPQCtOEhr"; ## SECRET-DATA
            }
        }
        session-options {
            client-group [ G1 G2 G3 ];
        }
    }
    address-assignment {
        pool WLAN {
            family inet {
                network 10.10.10.0/24;
                range WLAN-Clients {
                    low 10.10.10.10;
                    high 10.10.10.200;
                }
                dhcp-attributes {
                    name-server {
                        1.1.1.1;
                        4.2.2.2;
                    }
                    router {
                        10.10.10.1;
                    }
                }
            }
        }
        pool WIRED {
            family inet {
                network 10.10.20.0/24;
                range WIRED-Clients {
                    low 10.10.20.10;
                    high 10.10.20.200;
                }
                dhcp-attributes {
                    name-server {
                        4.2.2.2;
                        1.1.1.1;
                    }
                    router {
                        10.10.20.1;
                    }
                }
            }
        }
    }
    firewall-authentication {
        web-authentication {
            default-profile WEBAUTH;
            banner {
                success "LOGIN SUCCESS";
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 192.168.0.1;
    }
}

[edit]
root#

Re: vSRX web-authentication


This was the issue.

 

[edit]
root# show | compare
[edit system services web-management http]
- interface fxp0.0;
+ interface [ fxp0.0 all ];
[edit system services web-management https]
- interface [ fxp0.0 ge-0/0/0.0 ];
+ interface [ fxp0.0 ge-0/0/0.0 all ];

🙂 solved
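The diff above fixes the portal by binding the J-Web/web-authentication HTTP(S) listener to every interface, which also puts it on ge-0/0/0.0 in the untrust zone, where the posted zone config already allows https (and telnet) inbound. That listener is the HTTP/HTTPS service the JSA11021 advisory quoted further down this page is about, so it is worth scoping it to the interface the portal is actually served on. The commands below are an added example, not part of the posted configuration or the reply; they reuse the interface names, policy and access profile from the posted config, and the pass-through stanza answers the second question (automatic redirection) by replacing the web-authentication action on that policy:

```junos
## Bind the web-management listener only where the portal is served (plus the OOB fxp0),
## instead of "interface all", which also exposes it on the untrust side.
delete system services web-management http interface
delete system services web-management https interface
set system services web-management http interface ge-0/0/1.10
set system services web-management https interface [ fxp0.0 ge-0/0/1.10 ]

## Do not accept HTTPS (or plaintext telnet) from the untrust zone unless J-Web really must
## be reachable from there; ssh/ping/snmp are left as posted.
delete security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
delete security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet

## Second question: let the first HTTP request from an unauthenticated client trigger the
## login page automatically (pass-through with web-redirect) instead of requiring a manual
## visit to the web-authentication address 10.10.10.2. Pass-through and web-authentication
## are alternative actions on a policy, so the web-authentication action is replaced.
delete security policies from-zone trust to-zone untrust policy default-permit then permit firewall-authentication web-authentication
set security policies from-zone trust to-zone untrust policy default-permit then permit firewall-authentication pass-through access-profile WEBAUTH
set security policies from-zone trust to-zone untrust policy default-permit then permit firewall-authentication pass-through client-match [ G1 G2 G3 ]
set security policies from-zone trust to-zone untrust policy default-permit then permit firewall-authentication pass-through web-redirect
set security policies from-zone trust to-zone untrust policy default-permit then permit firewall-authentication pass-through web-redirect-to-https
commit

## Verify: the web server should listen on the scoped addresses only, and authenticated
## clients appear in the firewall-authentication table.
run show system connections | match LISTEN
run show security firewall-authentication users
```

The redirect is triggered by HTTP sessions the SRX intercepts on that policy, so a client whose first connection is something other than HTTP is not sent to the portal. The interface address that carries the web-authentication stanza (10.10.10.2 in the posted config) remains the redirect target and therefore still has to be reachable from the client VLAN.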

Re: JUNOS PULSE vpn client version with Windows 10


In order to connect to an SRX's Dynamic VPN under Windows 10 1909 or newer you must use Juniper's specific version of the Pulse Secure Desktop client, 9.1R2.0. It contains an updated version of an embedded driver that will work under that OS. If you use Pulse Secure's own versions, which were released after 9.1R2.0 (for example the recently released 9.1R8.0), they still have old versions of the driver and you will get issues like being able to connect but not being able to access any of your protected resources. Refer to Juniper TSB17441 and KB35342.

In addition if you have an old version of the 240, you most likely won't have the latest version of the firmware, which has a security vulnerability that affects its Dynamic VPN. I highly advise you not to expose your SRX with Dynamic VPN enabled to the internet. See https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11021

Re: JUNOS PULSE vpn client version with Windows 10


Hi, thanks for the answer.
Since I have purchased a second-hand SRX 240H (EOL) (software version JUNOS 12.1X44-D40.2, built 08/28/2014), can't I download any newer updates for free in any way?

For now, I am having fun and getting to know Juniper, and although I have this firewall on a public address, communication from outside over https is limited to a specific address only. So no one is likely to come in.

Because when I click on the link you provided and try to download the update files contained therein,

I have a message again:

You have encountered this error because your account privileges do not currently permit access to the information or service requested. Software download entitlement is granted for customers under the following scenarios.

  • Juniper Product within the first 90 days of the hardware warranty period.
  • Juniper Product which is currently under an active maintenance contract.
  • Juniper Standalone Software Subscription which is currently active.


How may I update my account privileges to enable access?

  • Users with an approved Customer or Partner login account may request access to software downloads using the Juniper Digital Assistant (JDA). You will require your entitled Juniper product SN/SSRN.
  • Users with a Guest user login account interested in evaluating Juniper's product software may contact Customer Care for assistance.
  • If you do not yet have a Juniper login account and are interested in downloads for your Juniper product or evaluation software you may create an account here.

 

Do any of you know how to help me? Does that mean I can't download any firmware updates anymore? 😞

Re: SRX5400 not support RPM by source and destination? Any other alternative?


Hi Noobmaster,

 

Is there anything I need to fine-tune if I use the FBF method based on the URL you gave? Also, I use both default routes. If I look at the config below, it looks like it is showing RPM?

 

 

services {
    rpm {
        probe Failover-ISP1 {
            test probe-failover {
                probe-type icmp-ping;
                target address 30.30.86.1;
                probe-count 5;
                probe-interval 1;
                test-interval 5;
                thresholds {
                    successive-loss 10;
                    total-loss 3;
                }
                destination-interface reth2.10;
                ##
                ## Warning: statement ignored: unsupported platform (srx5400)
                ##
                next-hop 30.30.86.1;
            }
        }
        probe Failover-ISP2 {
            test probe-failover {
                probe-type icmp-ping;
                target address 20.20.86.1;
                probe-count 5;
                probe-interval 1;
                test-interval 5;
                thresholds {
                    successive-loss 10;
                    total-loss 3;
                }
                destination-interface reth2.20;
                ##
                ## Warning: statement ignored: unsupported platform (srx5400)
                ##
                next-hop 20.20.86.1;
            }
        }
    }
}

 

 

Thanks and appreciate your feedback

 

 

 

Re: FBR - PBR - SRX - Outbound L3 inbound L2 Flow and IRB interfaces


Hi Chaimae,

 

Is your requirement to route the traffic from irb.10 or irb.20 towards the external interface (let's say ge-0/0/1) to the Internet on the SRX?

 

If that's the case then I would suggest you try it, because I never did this configuration. But I think it should work. Second, please don't change any modes on the SRX; just leave it at the default.


Re: JUNOS PULSE vpn client version with Windows 10


You can only download firmware if you have a service contract. The version you're running is no longer maintained and it is quite likely the issue affects that branch.

 

I don't think you understand the seriousness of the vulnerability so I will highlight the relevant description of the problem.

A vulnerability in the HTTP/HTTPS service used by J-Web, Web Authentication, Dynamic-VPN (DVPN), Firewall Authentication Pass-Through with Web-Redirect, and Zero Touch Provisioning (ZTP) allows an unauthenticated attacker to perform local file inclusion (LFI) which could be leveraged to perform Remote Code Execution (RCE) and take control of the device.

This issue only affects Juniper Networks Junos OS devices with HTTP/HTTPS services enabled.

 

The problem is not only bad actors accessing your network but using your device as a springboard to do harm to others.

 

JunOS's Dynamic VPN on these older devices is getting long in the tooth anyway because it's IPSec only and the Pulse Secure client for mobile only supports SSL. It would be better if you deploy OpenVPN or some other VPN software and turn off HTTP/HTTPS on your internet-facing port. I understand newer versions of JunOS will support SSLVPN. It is best practice to put the management port of the SRX in an allowed list on your internal facing network, too.

Re: SRX5400 not support RPM by source and destination? Any other alternative?


Hi Kronicklez,

 

I think implementing FBF which includes Routing-Instance with event-options is a long shot. I never tried but think it should work.

 

1. Configuring Routing-Instance and separate default routes.

2. Performing route import/export between the instances.

3. Configuring RPM with probe targets.

4. Using event-options to deactivate ISP-1 route when it is down and activating when its back.

 

I may have missed a few steps in between because I never tried this combination.
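The four steps above carried through as one configuration, added here as an example; it is not the answerer's configuration and has not been tested on an SRX5400. It keeps the ISP next-hops and reth2 units from the posted RPM config and assumes the LAN sits on reth0.0 with the subnets 10.1.10.0/24 and 10.1.20.0/24; the rib-group, filter, term and policy names are made up. One deliberate change from step 4: rather than deactivating the default route inside the ISP1 instance, which would leave ISP1-steered traffic with no route at all, the event policy deactivates the FBF term that steers to ISP1, so those sources fall through to a term that steers them to ISP2:

```junos
## Step 1: a virtual router per ISP, each with its own default route (next-hops from the post).
set routing-instances ISP1 instance-type virtual-router
set routing-instances ISP1 interface reth2.10
set routing-instances ISP1 routing-options static route 0.0.0.0/0 next-hop 30.30.86.1
set routing-instances ISP2 instance-type virtual-router
set routing-instances ISP2 interface reth2.20
set routing-instances ISP2 routing-options static route 0.0.0.0/0 next-hop 20.20.86.1

## Step 2: leak the LAN (master instance) interface routes into both VRs so return traffic
## can be routed back to the LAN. LAN-VR-LEAK is an assumed rib-group name.
set routing-options interface-routes rib-group inet LAN-VR-LEAK
set routing-options rib-groups LAN-VR-LEAK import-rib [ inet.0 ISP1.inet.0 ISP2.inet.0 ]

## Step 3: FBF on the LAN interface (reth0.0 and the two subnets are assumed).
## Term order is the failover mechanism: while ISP1-PRIMARY is active it matches first; when
## it is deactivated the same sources fall through to ISP1-FALLBACK and leave via ISP2.
set firewall family inet filter FBF term ISP1-PRIMARY from source-address 10.1.10.0/24
set firewall family inet filter FBF term ISP1-PRIMARY then routing-instance ISP1
set firewall family inet filter FBF term ISP1-FALLBACK from source-address 10.1.10.0/24
set firewall family inet filter FBF term ISP1-FALLBACK then routing-instance ISP2
set firewall family inet filter FBF term ISP2-PRIMARY from source-address 10.1.20.0/24
set firewall family inet filter FBF term ISP2-PRIMARY then routing-instance ISP2
set firewall family inet filter FBF term DEFAULT then accept
set interfaces reth0 unit 0 family inet filter input FBF

## Step 4a: the probe from the post, run inside ISP1 and without the next-hop statement
## that the SRX5400 commit warning rejects; 3 of 5 lost probes fails the test.
set services rpm probe Failover-ISP1 test probe-failover probe-type icmp-ping
set services rpm probe Failover-ISP1 test probe-failover target address 30.30.86.1
set services rpm probe Failover-ISP1 test probe-failover probe-count 5
set services rpm probe Failover-ISP1 test probe-failover probe-interval 1
set services rpm probe Failover-ISP1 test probe-failover test-interval 5
set services rpm probe Failover-ISP1 test probe-failover thresholds total-loss 3
set services rpm probe Failover-ISP1 test probe-failover destination-interface reth2.10
set services rpm probe Failover-ISP1 test probe-failover routing-instance ISP1

## Step 4b: event policies keyed on the probe owner/test name flip the FBF term.
set event-options policy ISP1-DOWN events ping_test_failed
set event-options policy ISP1-DOWN attributes-match ping_test_failed.test-owner matches Failover-ISP1
set event-options policy ISP1-DOWN attributes-match ping_test_failed.test-name matches probe-failover
set event-options policy ISP1-DOWN then change-configuration commands "deactivate firewall family inet filter FBF term ISP1-PRIMARY"
set event-options policy ISP1-DOWN then change-configuration commit-options log "RPM: ISP1 down, 10.1.10.0/24 steered to ISP2"
set event-options policy ISP1-UP events ping_test_completed
set event-options policy ISP1-UP attributes-match ping_test_completed.test-owner matches Failover-ISP1
set event-options policy ISP1-UP attributes-match ping_test_completed.test-name matches probe-failover
set event-options policy ISP1-UP then change-configuration commands "activate firewall family inet filter FBF term ISP1-PRIMARY"
set event-options policy ISP1-UP then change-configuration commit-options log "RPM: ISP1 up, 10.1.10.0/24 steered back to ISP1"
commit

## Watch it work
run show services rpm probe-results owner Failover-ISP1
run show firewall filter FBF
```

Two caveats a practitioner will hit: ping_test_completed is raised on every successful test cycle, so the ISP1-UP policy commits repeatedly (as a no-op) while ISP1 is healthy, and flow sessions that already exist when the term flips keep the path they were created on, so only new sessions move to ISP2 until the old ones age out or are cleared.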

Vlan, not irb

I'm not up to speed on why exactly Juniper has turned to the irb rather than the vlan object; at least that's what I think I'm seeing. My SRX300 has an irb. My SRX240B2 has the vlan. My question is this.

Does any of the SRX300 series sport a vlan object? If not, why not?

Re: Vlan, not irb


Hi eugene1973,

 

Greetings, you are seeing this difference because the SRX300 uses the Enhanced Layer 2 Software and your SRX240 does not.

 

ELS devices use the IRB interface as the SVI. Here is a list of devices that are ELS (with the corresponding Junos release); any other device not in this list is considered a legacy device and will use the vlan interface as its SVI:

 

SRX300: Junos OS 15.1X49-D40
SRX320: Junos OS 15.1X49-D40
SRX340: Junos OS 15.1X49-D40
SRX345: Junos OS 15.1X49-D40
SRX380: Junos OS 20.1R1
SRX550 HM: Junos OS 15.1X49-D40
SRX4100: Junos OS 15.1X49-D65
SRX4200: Junos OS 15.1X49-D65
SRX4600: Junos OS 17.4R2
SRX5400: Junos OS 15.1X49-D10
SRX5600: Junos OS 15.1X49-D10
 

If this solves your problem, please mark this post as "Accepted Solution" so we can help others too :)

 

Regards,

 

Lil Dexx JNCIE-ENT#863, 3X JNCIP-[SP-ENT-DC], 4X JNCIA [cloud-DevOps-Junos-Design], Champions Ingenius, SSYB

 

 

Re: Vlan, not irb


Hello Eugene,

 

All the legacy SRX series devices with Junos code 12.3X48 and below use the VLAN interface, while the Next-Generation SRX series devices with Junos code 15.1X49 and above use IRB interfaces. However, for QFX/EX/MX, IRB interfaces were introduced well before these Junos versions.

 

The reason for introducing IRB interfaces to replace the VLAN interface is given in the following link - https://networkengineering.stackexchange.com/questions/58449/whats-irb-meaning-and-whats-the-difference-between-it-and-vlan

 

Excerpt from the above link:

In 2013, Juniper introduced a new configuration syntax for EX switches (starting with Junos 13.2) to remedy this: Enhanced Layer-2 Software (ELS). This syntax is similar to the syntax used on MX routers. One of the changes in the new syntax is renaming vlan interfaces from vlan.xx to irb.xx. You can find a complete list of all changes on the juniper.net website.
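The two syntaxes side by side, as an added example that is not from either reply: one user VLAN with a trunk port and a Layer 3 gateway placed in the trust zone, written once for a legacy SRX240 and once for an ELS SRX300. The VLAN name, tag and address are made up. Besides vlan.N becoming irb.N, the ELS form renames port-mode to interface-mode, which is the other change a migrated SRX240 config trips over:

```junos
## Legacy (SRX240, Junos 12.3X48 and earlier): L2 port, VLAN, and a "vlan" routed interface
set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members USERS
set vlans USERS vlan-id 10
set vlans USERS l3-interface vlan.10
set interfaces vlan unit 10 family inet address 10.0.10.1/24
set security zones security-zone trust interfaces vlan.10

## ELS (SRX300 series, Junos 15.1X49-D40 and later): same design, "irb" SVI and interface-mode
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members USERS
set vlans USERS vlan-id 10
set vlans USERS l3-interface irb.10
set interfaces irb unit 10 family inet address 10.0.10.1/24
set security zones security-zone trust interfaces irb.10

## On either platform the SVI is what goes into the zone and carries host-inbound-traffic,
## so a legacy config loaded on an SRX300 fails at commit on the "vlan" references above.
run show vlans
run show interfaces terse | match "irb|vlan"
```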
