Junos version is: 18.2R3-S2.9
Re: SRX dhcp server stopped working
Customizing log view using Juniper JSA SIEM
We are currently forwarding syslog traffic from our SRX series firewall to the Juniper JSA appliance.
I’m able to see most of the information such as timestamp, source ip, destination ip etc. but would it also be possible to see other data such as:
Rule Name
Incoming Interface
Outgoing Interface
Source Zone
Destination Zone
Bytes received
Bytes sent
Pre NAT source IP
Post NAT IP
etc.
At present I’m using the Log activity tab to view log information in JSA. On the SRX, firewall policies are configured with log at session close.
Any help would be highly appreciated.
Thanks,
B
Re: SRX300-series with routing-instance is not sending flow-related syslog
Make sure logs are being forwarded through revenue (transit) interfaces and not via the management fxp0 interface.
Make sure your security policies are configured with at least log at session close, but logging at session init is a plus.
The syslog related traffic is usually sourced from the master routing instance of the firewall. So, if the Syslog server is not reachable via the master instance, but only reachable via an interface on the custom VR, there has to be a static route configured in the master instance with destination belonging to the Syslog server, using the next-table of the custom VR (e.g. custom-vr.inet.0).
This config (set security log stream JSA host routing-instance client_VR) might not be required. As stated earlier syslog traffic has to be sourced from the master instance, although the source of Syslog traffic can be a transit interface on the custom VR.
Verify end to end reachability between the firewall and syslog server. If there are any intermediate firewall between the path, ensure that syslog communication is allowed.
Just to confirm, the source address (172.22.1.7) belongs to a transit interface on the custom VR, correct?
Re: SRX300-series with routing-instance is not sending flow-related syslog
Re: ipv6 issue. Unable to disable slaac at any means
Can you clarify what the final router side config was?
Remove the following to disable SLAAC?
no-managed-configuration;
Please let us know.
RE: issues when trying to move to the shell prompt %
Greetings,
When trying to move from the operational mode to the shell prompt using the "start shell user root" command, instead of getting the % prompt, I am getting # prompt on my SRX firewall:
{primary:node0}
admin@srx-fw> start shell user root
Password:
root@srx-fw:/var/home/su #
Has anybody encountered this issue? Is it possible to move from the # prompt to the % prompt?
Fail Connection dydns - juniper srx 300
Hello everyone, everything good? I would like some help with my Juniper SRX300. I am trying to enable the DYNDNS configuration but it is not working.
I performed the configurations below:
user@host# set system services dynamic-dns client <XYZ.com> agent <Test> server <members.ddnsserver.org> interface <ge-0/0/1.0> username <test_dns> password <test_dns123>
myuser_root@myequipament> show system services dynamic-dns client detail
Hostname : my_domain.dyndns.org
Server : members.dyndns.org
Last response: error connecting
Last update : 2020-08-15 16:59:08 BRT
Username : my_user
Interface : ge-0/0/1.0
Agent : ddns-0.1 JUNOS [Model #] (Firmware version)
The system does not connect; what could I be doing wrong? Thanks for the help, folks.
RE: issues when trying to move to the shell prompt %
Actually, for shell mode in the latest Junos versions the prompt has been changed from % to #, just like a Linux OS. It doesn't mean that you are in configuration mode when you give "start shell user root". You are still in the shell mode and the indication is root@host:~#
RE: issues when trying to move to the shell prompt %
Hello Biraj,
This is the expected behavior.
Below is the output from one of our lab devices:
labroot@XX> show version
Hostname: XX
Model: srx1500
Junos: 18.4R3-S2
labroot@XX> start shell user root
Password:
root@XX:/var/home/labroot #
You are under the shell mode when you are entering the /var/home/ directory.
# doesn't mean that you are under configuration mode.
In all the latest versions, we get to see this change.
Wednesday, May 6, 2020
6:43 PM
I hope this helps. Please mark this post "Accept as solution" if this answers your query.
Kudos are always appreciated!
Best Regards,
Lingabasappa H
Re: Fail Connection dydns - juniper srx 300
Just out of curiosity... is the SRX able to resolve DNS, and can you do a telnet to the URL on port 80 or 443?
...and what about NTP? Your output looks like the date is ~10 days behind.
Re: SRX dhcp server stopped working
Bump..
Re: Customizing log view using Juniper JSA SIEM
Hello Biraj,
Ideally, when you configure a stream log with session_close under security policies you will be seeing multiple Syslog attributes as mentioned in the following link - https://apps.juniper.net/syslog-explorer/#msg=RT_FLOW_SESSION_CLOSE&sw=Junos%20OS&rel=20.2R1
Sample output:
Please share the output that you are seeing in the JSA.
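The fields asked for in the original question (rule name, incoming interface, zones, byte counters, pre- and post-NAT addresses) are carried as key="value" attributes inside the structured-data block of RT_FLOW_SESSION_CLOSE when the SRX is configured for structured syslog. The following parser is an added example and is not code from the thread or from Juniper; the sample log line is constructed, the enterprise-ID number after "junos@" is a placeholder, and the attribute names in FIELD_MAP are assumed to match those listed in the Syslog Explorer link above (packet-incoming-interface is the only interface attribute assumed here; no outgoing-interface attribute is assumed). The same regexes are the kind of thing one would put behind a JSA custom event property, which is left as an exercise.

```python
import re
from typing import Optional

# key="value" pairs inside the structured-data block
_KV_RE = re.compile(r'([\w-]+)="([^"]*)"')
# event name plus the [junos@<enterprise-id> ...] block; the id is a placeholder
_SD_RE = re.compile(r'(RT_FLOW_SESSION_(?:CLOSE|CREATE|DENY)) \[junos@[\d.]+ (.*?)\]')

# Fields from the question -> assumed structured-data attribute names
FIELD_MAP = {
    "rule_name": "policy-name",
    "incoming_interface": "packet-incoming-interface",
    "source_zone": "source-zone-name",
    "destination_zone": "destination-zone-name",
    "bytes_from_client": "bytes-from-client",   # bytes sent by the session source
    "bytes_from_server": "bytes-from-server",   # bytes received by the session source
    "pre_nat_source_ip": "source-address",
    "post_nat_source_ip": "nat-source-address",
    "pre_nat_destination_ip": "destination-address",
    "post_nat_destination_ip": "nat-destination-address",
    "src_nat_rule": "src-nat-rule-name",
    "dst_nat_rule": "dst-nat-rule-name",
}

# Constructed sample: one session-close message as an SRX would stream it (not real traffic)
SAMPLE_LOG = (
    '<14>1 2020-08-20T10:15:02.123Z srx-fw RT_FLOW - RT_FLOW_SESSION_CLOSE '
    '[junos@2636.0.0.0.0.0 reason="TCP FIN" source-address="10.0.1.25" '
    'source-port="51234" destination-address="203.0.113.10" destination-port="443" '
    'service-name="junos-https" nat-source-address="198.51.100.5" nat-source-port="40001" '
    'nat-destination-address="203.0.113.10" nat-destination-port="443" '
    'src-nat-rule-type="source rule" src-nat-rule-name="outbound-nat" '
    'dst-nat-rule-type="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="allow-web" '
    'source-zone-name="trust" destination-zone-name="untrust" session-id-32="1842" '
    'packets-from-client="12" bytes-from-client="1640" packets-from-server="10" '
    'bytes-from-server="5120" elapsed-time="4" application="UNKNOWN" '
    'nested-application="UNKNOWN" username="N/A" roles="N/A" '
    'packet-incoming-interface="ge-0/0/1.0" encrypted="UNKNOWN"]'
)


def parse_rt_flow(line: str) -> Optional[dict]:
    """Return the event name and all attributes of an RT_FLOW message, or None if not one."""
    m = _SD_RE.search(line)
    if not m:
        return None
    event, body = m.group(1), m.group(2)
    return {"event": event, "attrs": dict(_KV_RE.findall(body))}


def extract_fields(line: str) -> Optional[dict]:
    """Pull the fields from the question out of one syslog line, with byte counters as ints."""
    parsed = parse_rt_flow(line)
    if parsed is None:
        return None
    attrs = parsed["attrs"]
    out = {"event": parsed["event"]}
    for field, attr in FIELD_MAP.items():
        out[field] = attrs.get(attr)           # None when the attribute is absent
    for counter in ("bytes_from_client", "bytes_from_server"):
        if out[counter] is not None and out[counter].isdigit():
            out[counter] = int(out[counter])
    # Source NAT applied iff the post-NAT source differs from the pre-NAT source
    out["source_nat_applied"] = (
        out["post_nat_source_ip"] is not None
        and out["post_nat_source_ip"] != out["pre_nat_source_ip"]
    )
    return out


if __name__ == "__main__":
    for key, value in extract_fields(SAMPLE_LOG).items():
        print(f"{key:24} {value}")
```

Lines that are not RT_FLOW events (for example an RT_SYSTEM or UI_COMMIT message) return None rather than a half-filled record, so the function can be run over a whole file of mixed syslog without special-casing. Zones and policy names are only meaningful for RT_FLOW_SESSION_CLOSE and SESSION_CREATE; a DENY event from a policy without logging enabled will never appear, which is why the answers elsewhere in this thread insist on log session-close on every policy of interest.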
Re: SRX300-series with routing-instance is not sending flow-related syslog
Hello Rob,
I would suggest you follow the checks below to resolve this issue.
- If the ping is allowed on your Syslog server, test the reachability of the server from the SRX's routing instance. e.g. user@host> ping 172.25.2.1 routing-instance client_VR
- Check the routing table and forwarding table to determine whether the routes are active. e.g. user@host> show route 172.25.2.1 and user@host> show route forwarding-table 172.25.2.1
- Please note that the streams will be generated and sent out to your server only for the security policies which are configured with session_init or session_close or both. Check whether you have configured the logging under security policy.
- If the logging is configured under security policy, check in the security flow sessions whether traffic is hitting that policy where we have configured the logging.
- I assume you haven't configured any firewall filter in the outbound direction blocking port 514 on loopback or the egress interface.
- Finally, if all of the above are properly set, then I would suggest you configure packet captures on the SRX to determine whether the stream logs are sent out. Follow this link for configuring PCAP - https://kb.juniper.net/InfoCenter/index?page=content&id=KB11709&actp=METADATA
- If you are seeing SRX sending the logs out then the problem resides with a next-hop device or the Syslog server itself.
- If you don't see SRX sending the logs out in the packet captures, just deactivate and activate the security logs once.
e.g.
user@host# deactivate security log
user@host# commit
user@host# activate security log
user@host# commit
Re: NCP client - Limit specific users access to predefined IPs
The problem here is the users will be assigned with Dynamic IP address so, we can't guarantee which IP address will be assigned to whom. That being said we can't configure security policies or traffic selectors to restrict the access to a particular IP address because that IP address can also be automatically assigned to a different user.
But, I think there is one way. We can create 2 NCP VPNs on the SRX hence 2 access profiles. Assign access profile-1 to your accepted users and assign access profile-2 to the restricted users.
Accepted users: 10.0.1.0/24
Restricted users: 10.0.2.0/24
Traffic selector for accepted users:
set security ipsec vpn remote-vpn1 traffic-selector TS1 local-ip 192.168.0.0/24
set security ipsec vpn remote-vpn1 traffic-selector TS1 remote-ip 0.0.0.0/0
Traffic selector for restricted users:
set security ipsec vpn remote-vpn2 traffic-selector TS2 local-ip 192.168.0.10/32
set security ipsec vpn remote-vpn2 traffic-selector TS2 remote-ip 0.0.0.0/0
I think this way we can achieve your requirement.
Re: NCP client - Limit specific users access to predefined IPs
Thank you, noobmaster. I'll try it next time!
Re: Fail Connection dydns - juniper srx 300
Hi Jonas, how are you? This update date was the day I created the DYNDNS service settings. Access via TELNET is blocked. I perform the access through SSH or JWEB.
RE: issues when trying to move to the shell prompt %
Follow-up question: I was, however, unable to mount my USB drive when at the # prompt.
Inserted my USB drive
root@# ls /dev/da*
/dev/da0 /dev/da0s1
root@# mount_msdosfs /dev/da0s1 /mnt
The mount_msdosfs operation didn’t succeed. Have any of you tried mounting a USB drive when at the # level?
OSPF between SRX1500 and Cisco ISR4300 Issues
Hi
I have managed to get the IPSec tunnel up between the devices and can ping between them.
But OSPF is not coming up, on the SRX debug logs I get below
OSPF packet ignored: no matching interface from 10.30.128.70
I have the basic configuration on both units.
I can't find anything specific on packets ignored for the above error; it is not an MTU or area mismatch issue.
Anyone seen this before?
RE: issues when trying to move to the shell prompt %
I have mounted the USB multiple times in latest Junos versions.
When you plugged the USB, did you get any information in the SRX like below?
root@% umass1: TOSHIBA TransMemory, rev 2.00/1.00, addr 3
da2 at umass-sim1 bus 1 target 0 lun 0
da2: <TOSHIBA TransMemory 5.00> Removable Direct Access SCSI-0 device
da2: 40.000MB/s transfers
da2: 983MB (2013184 512 byte sectors: 64H 32S/T 983C)
If not, I would suggest you format the USB once again as FAT32 and try the operation again.
Re: Fail Connection dydns - juniper srx 300
I'm great, thanks 🙂
OK in regards to date/NTP. I did not expect you to manage your SRX via telnet but to try a telnet connection from your SRX towards the DynDNS service to validate that DNS and connectivity to the service works as expected.
Example - change port number depending on the documentation from your dynamic DNS provider.