Re: Cannot reset root password
Did you have any password rules like "minimum changes" or "length" and have a "protect" statement on those rules? Anand
Re: AppID - Preprocessing
If you do not have any L7 services enabled on the FW, there will be no reassembly. Reassembly is only needed if you need to do inspection. That is why pre-processing is necessary if you have App-ID or...
Re: Lan1 to Lan2 Nat config
So this and..
[edit security nat proxy-arp]
interface reth3.0 {
    address {
        10.1.1.0/24;
    }
}
and this?
policy inside2-zone-outbound {
    match {
        source-address any;
        destination-address any;
        application any;
        from-zone...
Re: Lan1 to Lan2 Nat config
Hi, There is no need to configure proxy-arp for the entire /24 network. Enable it only for the NATted IP 10.1.1.220/32. I hope you are using a global policy. If yes, one policy is enough and in that policy...
Re: Lan1 to Lan2 Nat config
Ok, so this would be ok policy-wise?
policy inside2-zone-outbound {
    match {
        source-address any;
        destination-address any;
        application any;
        from-zone [ inside_lan inside_lan2 ];
    }
    then {
        permit;
    }
}
Re: SRX 1400 inactive-tunnels
Mh, not sure. Here's one sanitized example:
username@fwname_node0> show security ipsec inactive-tunnels detail
node0:
--------------------------------------------------------------------------...
Re: SRX 1400 inactive-tunnels
And the ipsec part of this particular tunnel configuration is very simple, SRX device at both ends so no proxy-id:
username@fwname_node0> show configuration security ipsec vpn...
Re: Lan1 to Lan2 Nat config
Excellent, it works! In regards to the proxy-arp, if I want more servers in there, do I need to add them individually like below?
interface reth3.0 {
    address {
        10.1.1.220/32;
        10.1.1.221/32;
    }
}
Re: Lan1 to Lan2 Nat config
Hi, There are two methods to configure proxy-arp:
First method is just like you mentioned: configure proxy-arp for each address.
Second method: if the addresses are contiguous, an address range can be used:
set...
Issues with IPSEC when one side is Dynamic
Ok, here's my issue. We have multiple VPN tunnels (around 70) running back from remote offices and they work great (Juniper SRXs on both ends). I need to add another that will not have the luxury of a...
Re: Issues with IPSEC when one side is Dynamic
Hi, From what you have described, it seems there is some issue with rekeying after the VPN is initially established. Could you share the output of the below command with respect to this VPN:
> show...
Re: SRX 1400 inactive-tunnels
Hi, The message "Tunnel is ready. Waiting for trigger event or peer to trigger negotiation" is information that the device is ready to negotiate IKE, but there has been no event triggering it. Either...
Re: After enabling SSL Forward Proxy the traffic would decrease 90%
Enabling SSL forward proxy does take a toll on the device, and the performance/throughput would decrease, but in your case it is a huge hit. Please share whether all the traffic is forwarded through the...
Re: Issues with IPSEC when one side is Dynamic
Hi, Try to disable DPD at the static SRX side.
Re: SRX 1400 inactive-tunnels
They are aggressive-mode VPNs with a dynamic public IP at the other end. The IKE configuration looks like this:
username@fwname_node0> show configuration security ike gateway...
Issues with connecting SRX210 to BT Broadband
So I am trying to replace my home Hub 5 with an SRX210 HE2 - I have finally managed to get it to connect & I can connect to a few websites, but that is mainly Google & BT.com - if I try...
PXE TFTP problems through SRX
Hi, Background: We have an environment where we have MPLS + IPSEC on the bottom. On top of that we've built another network with SRX firewalls using IPSEC-tunnels (without encryption). So it's IPSEC...
Re: Issues with connecting SRX210 to BT Broadband
When I first got my 240 I had to figure out one key issue. Here is the link. I had HughesNet then and this did the trick. I don't know if you already have an internal IP at the modem, or if it's an...