Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides


Forum: Juniper SRX


Post subject: Juniper SRX: How to access/vty on the PFE from CLI
Posted: Mon Jan 26, 2015 6:39 am
This guide shows how to jump to the VTY of the PFE on Juniper SRX branch firewalls (SRX100 to SRX650).

The SRX branch devices have a virtual (or software) PFE. It is formed from a flowd daemon running on the routing engine Unix and taking 100% CPU due to polling mode.


last pid: 62815; load averages: 0.12, 0.05, 0.05 up 42+06:32:33 10:36:45
58 processes: 2 running, 55 sleeping, 1 zombie
CPU states: 53.1% user, ...

Post subject: How to copy files between two SRX cluster nodes - remote procedure
Posted: Fri Jan 23, 2015 7:03 pm
A Juniper SRX chassis cluster is formed by joining two (max) devices that act as a single chassis. Some enterprise networks allow management of both nodes via the fxp0 management interface. But sometimes, the environment allows managing the cluster via the revenue port, specifically the redundant ethernet (reth) interface.

The trick with these reth interfaces is that they are formed of member physical fe/ge/xe interfaces of both nodes and each reth ...

Post subject: SRX GRE with loopback endpoints over Ipsec tunnel does not pass traffic
Posted: Wed Jan 21, 2015 11:49 am
This has been discovered on Junos 12.1X44-D40 on a branch SRX 240 when a GRE tunnel with loopback endpoints is configured over an IPsec tunnel (one reason for this layout will be explained in a future post) AFTER REBOOT (there is a workaround, read on).

It is a Juniper supported design and, according to the Juniper KB GRE over IPsec configuration example, it is straightforward.

Here is SRX 240 relevant configuration.

SRX interfaces configuration:
[edit]
user@srx240# ...

Post subject: Juniper SRX Packet mode - how to switch between flow mode and packet mode
Posted: Thu Jan 15, 2015 6:36 am
Juniper SRX firewalls are stateful firewalls - they keep a memory table of TCP and UDP sessions and match packets to existing sessions. This is called flow mode.

It can also operate as a stateless device or a router (even a switch if ethernet-switching is used). This is called packet mode.

To check if flow mode or packet mode is currently configured in SRX:

root@srx-host> show security flow status
node0:
--------------------------------------------------------------------------
Flow forwarding mode: ...

Post subject: Juniper SRX IPv6 forwarding - flow mode or packet mode.
Posted: Thu Jan 15, 2015 6:13 am
The default in Junos 11.4, 12.1X44, 12.1X45/46 and 47 for Juniper SRX firewalls is to drop native IPv6 packets because flow mode for IPv6 is set to "drop". SRX can be configured to forward IPv6 traffic in either "flow" mode (stateful firewall) or "packet" mode (stateless - router behavior).

As with IPv4 traffic, SRX can act as a stateful or stateless firewall, meaning both packet mode and flow mode can be configured for IPv6.

Checking IPv6 forwarding ...

Post subject: Juniper SRX PPPoE configuration for RCS RDS provider in Romania
Posted: Fri Jan 09, 2015 8:21 am
Romanian ISP RCS-RDS provides a very good internet connection for residential users. This service runs over fiber to the home in some cases.

A Huawei modem/router/media converter is provided and configured as layer 2 device. This means that it will simply act as an ethernet switch, allowing the device behind it to perform PPPoE with ISP PPPoE server.

Juniper SRX firewall can be configured as a PPPoE ...

Post subject: Juniper - SRX: SNMP monitoring of interface input output bytes per second
Posted: Wed Oct 16, 2013 9:45 am
How to monitor interface bps throughput in Juniper SRX branch firewall

To find the index number of the desired interface, first check the interface index table via SNMP (IF-MIB MIB file). This can be done with the following command:

# snmpwalk -v2c -c public 10.11.1.2 1.3.6.1.2.1.2.2.1.2
IF-MIB::ifDescr.502 = STRING: ae0
IF-MIB::ifDescr.503 = STRING: ae0.0
IF-MIB::ifDescr.504 = STRING: ae1
IF-MIB::ifDescr.532 = STRING: ge-0/0/0
IF-MIB::ifDescr.533 = STRING: ge-0/0/1
IF-MIB::ifDescr.534 = STRING: fe-0/0/2
IF-MIB::ifDescr.535 = STRING: ge-0/0/0.0
IF-MIB::ifDescr.536 ...

Post subject: Juniper SRX Branch - Blocking HTTPS websites using the AppFW (application-firewall) feature - Part 2
Posted: Sat Jul 27, 2013 3:59 pm
For part 1, click here: http://forum.ivorde.ro/juniper-srx-branch-blocking-https-websites-using-the-appfw-application-firewall-feature-part-1-t14981.html
For the client part, I won't be using a browser, but command line openssl s_client:
usage: s_client args

-host host - use -connect instead
-port port - use -connect instead
-connect host:port - who to connect to (default is localhost:4433)
-verify arg - turn on peer certificate verification
-cert arg - certificate file to ...

Post subject: Juniper SRX Branch - Blocking HTTPS websites using the AppFW (application-firewall) feature - Part 1
Posted: Sat Jul 27, 2013 3:48 pm
Tools and utilities used:
- Juniper SRX210-HE
- Junos 12.1X44-D15
- FreeBSD 7.4
- OpenSSL 1.0.1 (version is necessary for SNI extension)
- Nginx
- tcpdump
- setfib

In order to generate client-to-server and server-to-client traffic from one FreeBSD 7 box without jail and any kind of virtual machines (it's a Pentium 3 box), I had to use different routing tables (or ...

Post subject: Juniper SRX - How to collect RSI (Request Support Information) to provide it to Juniper TAC
Posted: Fri Jul 12, 2013 9:46 am
Code:
user@srx-220> request support information | save RSI-11-07-2013.txt
Wrote 21585 lines of output to 'RSI-11-07-2013.txt'

user@srx-220>
user@srx-220> file archive compress source /cf/var/home/user/RSI-11-07-2013.txt destination /cf/var/home/user/RSI-11-07-2013.txt.tgz
/usr/bin/tar: Removing leading `/' from member names

user@srx-220>


If a relative path is given to the "save" command (a Unix absolute path starts with a forward slash), it will save the file in the user's home directory (as seen above). You can save the RSI to "/var/tmp/" and use relative file name to "file ...
