Hi Skeeve,

I haven't used this feature but this is what I would check first.
Looking at the web log provided:

10.x.x.x - - [28/Apr/2014:10:27:32 +1000] "x HTTP/1.1" 304 - " http://blocked.xxxxx.com/?JNI_URL=www.9to5mac.com/&JNI_REASON=BY_SITE_REPUTATION&JNI_CATEGORY=Enhanced_Information_Technology&JNI_REPUTATION=HARMFUL&JNI_POLICY=POLICY_EWF_STANDARD&JNI_SRCIP=x.x.x.x&JNI_SRCPORT=11742&JNI_DSTIP=x.x.x.x&JNI_DSTPORT=80" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36"

What is the IP in DSTIP=x.x.x.x? The source PC that requested the page might be infected with malware; if the destination IP does not match the DNS record of www.9to5mac.com, that can be a hint.

Also, what is "http://blocked.xxxxx.com/?" in that web log? Is it part of the original request?

Regards,
Sinisa Pesa
Senior Network and Security Specialist
www.bluecentral.com

________________________________________
From: juniper-nsp [juniper-nsp-boun...@puck.nether.net] On Behalf Of juniper-nsp-requ...@puck.nether.net [juniper-nsp-requ...@puck.nether.net]
Sent: Friday, 2 May 2014 2:00 AM
To: juniper-nsp@puck.nether.net
Subject: juniper-nsp Digest, Vol 138, Issue 1

Today's Topics:

   1. Re: Junos Dynamic VPN (Tim Dykes)
   2. Re: Rstp or stp (Tim Dykes)
   3. Limitations of MPLS support on EX4200 (Victor Sudakov)
   4. Re: Limitations of MPLS support on EX4200 (Dale Shaw)
   5. Re: Limitations of MPLS support on EX4200 (Jerry Jones)
   6. Re: Limitations of MPLS support on EX4200 (Eric Van Tol)
   7. Enhanced Web Filtering and Websense (Skeeve Stevens)
   8. Re: Enhanced Web Filtering and Websense (Skeeve Stevens)

----------------------------------------------------------------------

Message: 1
Date: Thu, 1 May 2014 14:38:06 +1000
From: Tim Dykes <ttdy...@gmail.com>
To: Ali Sumsam <ali+juniper...@eintellego.net>
Cc: "<juniper-nsp@puck.nether.net>" <juniper-nsp@puck.nether.net>
Subject: Re: [j-nsp] Junos Dynamic VPN
Message-ID: <CAJ=3pYFDk=rGm+wx=jjeloscaw0ajg3kuo0anm9nrhfz0fz...@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

Dynamic VPN on SRX is a pain in the ass. Doesn't do half of what you would expect it to do. Go a SA instead.

It's built on IPSec (unlike the MAG which is ssl vpn). Pulse from a mobile will work, Pulse on a Mac won't.

Here's the official list:

*Junos Pulse*
- Vista (32-bit and 64-bit)
- Windows XP (32-bit and 64-bit)
- Windows 7 (32-bit and 64-bit)
- Windows 8.0 (32-bit and 64-bit)
- Windows 8.1 (32-bit and 64-bit)

*Junos Access Manager*
- Windows XP 32-bit and 64-bit with any service pack
- Windows Vista 32-bit and 64-bit with any service pack
- Windows 7 32-bit and 64-bit with any service pack (Junos 10.4 and above only)

I don't think you can route from a client through the ipsec session (if that's what you mean). Once you are in the VPN public IPs don't mean much and return routes are hard to install for a dynamic session. I would suggest a true IPSec (device to device) vpn for that.

Tim Dykes
M: 041 962 0603
E: ttdykes at gmail.com

On Wed, Apr 30, 2014 at 12:50 PM, Ali Sumsam <ali+juniper...@eintellego.net> wrote:

> Hi all,
>
> I have a SRX240 cluster and doing VPN to it using Junos pulse client.
>
> My first question is, can we use a mac or windows client to connect this
> VPN rather than the Junos Pulse?
>
> One of the options, Junos pulse shows is the "SRX". What is the protocol
> behind VPN Type "SRX"?
>
> My second question is about the routing through the VPN session. Is it
> possible to run the internet through the VPN. Has someone ever done that?
>
> My rough idea is, If I send default route to the VPN client and
> on the client's PC, set a route in which pointing SRX's public IP towards
> the main internet connection of the PC.
> This way SRX public IP will be reachable from the client's PC and default
> route will be pointing towards the VPN.
>
> Please comment.
>
> Thanks,
>
> *Ali Sumsam - *eintellego Networks Pty Ltd
> Senior Network Engineer
> a...@eintellegonetworks.com ; www.eintellegonetworks.com
>
> Phone: 1300 239 038; Cell +61 (0)450 609 592 ; skype://sumsam.ali80
>
> facebook.com/eintellegonetworks ; <http://twitter.com/networkceoau>
> linkedin.com/in/alisumsam
>
> The Experts Who The Experts Call
> Juniper - Cisco - Cloud
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp

------------------------------

Message: 2
Date: Thu, 1 May 2014 14:54:22 +1000
From: Tim Dykes <ttdy...@gmail.com>
To: Rodrigo Augusto <rodr...@1telecom.com.br>
Cc: "juniper-nsp@puck.nether.net" <juniper-nsp@puck.nether.net>
Subject: Re: [j-nsp] Rstp or stp
Message-ID: <CAJ=3pyeb-jgn8vgno0n9huc8wws64-6_du+9ffmry63620g...@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

That doc is correct for the commands to implement rstp on JunOS.

But you really need to read and understand what you are trying to configure before you just light it up.

Tim Dykes
M: 041 962 0603
E: ttdykes at gmail.com

On Sun, Apr 13, 2014 at 10:27 PM, Rodrigo Augusto <rodr...@1telecom.com.br> wrote:

> Hi folks!!!
> What I have to do to configuring rstp on my network?!
> I have 6 switches ex3300 in-line and the last switch have a other fiber
> route to the first switch.
> In lab I follow this doc:
>
> http://www.juniper.net/techpubs/en_US/junos13.3/topics/task/configuration/layer-2-services-stp-configuration-rstp.html
> But I don't know is this correct form.
>
> I use vlan tagging on xe interfaces to transport vlans to our customers
> and if open the fiber A I want to transport all vlans to fiber B
>
> Sent via iPhone
> Grupo Connectoway

------------------------------

Message: 3
Date: Thu, 1 May 2014 14:15:36 +0700
From: Victor Sudakov <v...@mpeks.tomsk.su>
To: juniper-nsp@puck.nether.net
Subject: [j-nsp] Limitations of MPLS support on EX4200
Message-ID: <20140501071536.ga84...@admin.sibptus.tomsk.ru>
Content-Type: text/plain; charset=us-ascii

Colleagues,

Is MPLS support on EX4200 not complete? It is not a router after all, it is an L3 switch, so I expect there to be limitations.

Where can I read more about EX4200 MPLS limitations and supported features? E.g. I cannot find "ldp" under "edit protocols".

I have an Advanced license installed which says:

admin@sw-us-parabel> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  bgp                                   0            1           0    permanent
  isis                                  0            1           0    permanent
  mpls                                  0            1           0    permanent

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru

------------------------------

Message: 4
Date: Thu, 1 May 2014 17:28:51 +1000
From: Dale Shaw <dale.shaw+j-...@gmail.com>
To: Victor Sudakov <v...@mpeks.tomsk.su>
Cc: "juniper-nsp@puck.nether.net" <juniper-nsp@puck.nether.net>
Subject: Re: [j-nsp] Limitations of MPLS support on EX4200
Message-ID: <cag_v284qbppmdwg-bv3dvhaqs5ptkblevuhezpusggbu5ha...@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

Hi Victor,

On Thu, May 1, 2014 at 5:15 PM, Victor Sudakov <v...@mpeks.tomsk.su> wrote:
>
> Is MPLS support on EX4200 not complete? It is not a router after all,
> it is an L3 switch, so I expect there to be limitations.
> Where can I read more about EX4200 MPLS limitations and supported features?

This may help; see:

http://www.juniper.net/techpubs/en_US/release-independent/nce/information-products/topic-collections/nce/nce0115-mpls-switching-faq/mpls-switching-frequently-asked-questions.pdf

cheers,
Dale

------------------------------

Message: 5
Date: Thu, 1 May 2014 06:56:35 -0500
From: Jerry Jones <jjo...@danrj.com>
To: Victor Sudakov <v...@mpeks.tomsk.su>
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] Limitations of MPLS support on EX4200
Message-ID: <ba0da554-9661-4ab4-811c-c005d3064...@danrj.com>
Content-Type: text/plain; charset=us-ascii

My favorite place to go and find out if a feature is available for any platform vs release is the feature explorer. It really does a nice quick job and produces a nice savable output

http://pathfinder.juniper.net/feature-explorer/

On May 1, 2014, at 2:15 AM, Victor Sudakov <v...@mpeks.tomsk.su> wrote:

Colleagues,

Is MPLS support on EX4200 not complete? It is not a router after all, it is an L3 switch, so I expect there to be limitations.

Where can I read more about EX4200 MPLS limitations and supported features? E.g. I cannot find "ldp" under "edit protocols".

I have an Advanced license installed which says:

admin@sw-us-parabel> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  bgp                                   0            1           0    permanent
  isis                                  0            1           0    permanent
  mpls                                  0            1           0    permanent

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru

------------------------------

Message: 6
Date: Thu, 1 May 2014 09:47:48 -0400
From: Eric Van Tol <e...@atlantech.net>
To: "juniper-nsp@puck.nether.net" <juniper-nsp@puck.nether.net>
Subject: Re: [j-nsp] Limitations of MPLS support on EX4200
Message-ID: <2C05E949E19A9146AF7BDF9D44085B8670E0BE7DC6@exchange.aoihq.local>
Content-Type: text/plain; charset="us-ascii"

> -----Original Message-----
> From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf
> Of Jerry Jones
> Sent: Thursday, May 01, 2014 7:57 AM
> To: Victor Sudakov
> Cc: juniper-nsp@puck.nether.net
> Subject: Re: [j-nsp] Limitations of MPLS support on EX4200
>
> My favorite place to go and find out if a feature is available for any
> platform vs release is the feature explorer. It really does a nice quick
> job and produces a nice savable output
>
> http://pathfinder.juniper.net/feature-explorer/

Yeah, if only the data it produced was actually correct. I wasn't aware that the MX80 supported Virtual Chassis, 100-Gigabit Ethernet MICs, MX-MPC2-3D MPCs, and any number of DPCs, but according to Feature Explorer, all these things are supported.

-evt

------------------------------

Message: 7
Date: Fri, 2 May 2014 00:36:25 +1000
From: Skeeve Stevens <skeeve+juniper...@eintellegonetworks.com>
To: "juniper-nsp@puck.nether.net" <juniper-nsp@puck.nether.net>
Subject: [j-nsp] Enhanced Web Filtering and Websense
Message-ID: <CAEUfUGOjrF8sBx6j=ioqbhv+mvs_ukuypi397euds8btxju...@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

Hey all,

I have a license for Enhanced Web Filtering for a cluster of SRX550's.... but... there is a site being caught 'by reputation' that shouldn't be: www.9to5mac.com

We seem to have no access to tools on their website or any way to look up a site and see why the reputation is bad.

Does anyone have any thoughts or know of a way to access the tool... or ?

Thanks all.

...Skeeve

*Skeeve Stevens - *eintellego Networks Pty Ltd
ske...@eintellegonetworks.com ; www.eintellegonetworks.com

Phone: 1300 239 038; Cell +61 (0)414 753 383 ; skype://skeeve

facebook.com/eintellegonetworks ; <http://twitter.com/networkceoau>
linkedin.com/in/skeeve

twitter.com/theispguy ; blog: www.theispguy.com

The Experts Who The Experts Call
Juniper - Cisco - Cloud - Consulting - IPv4 Brokering

------------------------------

Message: 8
Date: Fri, 2 May 2014 00:46:35 +1000
From: Skeeve Stevens <skeeve+juniper...@eintellegonetworks.com>
To: "juniper-nsp@puck.nether.net" <juniper-nsp@puck.nether.net>
Subject: Re: [j-nsp] Enhanced Web Filtering and Websense
Message-ID: <CAEUfUGOF8CRVC39_qUQ=-qu8q1ogx0uszq6dfb_eqj1yrmx...@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

Sorry, here is the web log.

10.x.x.x - - [28/Apr/2014:10:27:32 +1000] "x HTTP/1.1" 304 - " http://blocked.xxxxx.com/?JNI_URL=www.9to5mac.com/&JNI_REASON=BY_SITE_REPUTATION&JNI_CATEGORY=Enhanced_Information_Technology&JNI_REPUTATION=HARMFUL&JNI_POLICY=POLICY_EWF_STANDARD&JNI_SRCIP=x.x.x.x&JNI_SRCPORT=11742&JNI_DSTIP=x.x.x.x&JNI_DSTPORT=80" "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.116 Safari/537.36"

...Skeeve

On Fri, May 2, 2014 at 12:36 AM, Skeeve Stevens <skeeve+juniper...@eintellegonetworks.com> wrote:

> Hey all,
>
> I have a license for Enhanced Web Filtering for a cluster of SRX550's....
> but... there is a site being caught 'by reputation' that shouldn't be:
> www.9to5mac.com
>
> We seem to have no access to tools on their website or any way to look up a
> site and see why the reputation is bad.
>
> Does anyone have any thoughts or know of a way to access the tool... or
> ?
>
> Thanks all.
>
> ...Skeeve
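
The check suggested in the reply at the top of this message (compare JNI_DSTIP with what DNS returns for the blocked host), as an added example that is not part of the original thread. It assumes the JNI_* parameters sit in the second quoted field of the log line, as in the posted entry; the sample line is constructed, with the masked values replaced by documentation addresses and an example.com host, and the function names are hypothetical.

```python
import ipaddress
import re
import socket
from urllib.parse import parse_qs, urlsplit

# Constructed log line in the shape of the one in the thread; the masked
# x.x.x.x / xxxxx values are replaced with documentation addresses and names.
SAMPLE = (
    '10.0.0.5 - - [28/Apr/2014:10:27:32 +1000] "x HTTP/1.1" 304 - '
    '" http://blocked.example.com/?JNI_URL=www.9to5mac.com/'
    '&JNI_REASON=BY_SITE_REPUTATION&JNI_CATEGORY=Enhanced_Information_Technology'
    '&JNI_REPUTATION=HARMFUL&JNI_POLICY=POLICY_EWF_STANDARD&JNI_SRCIP=10.0.0.5'
    '&JNI_SRCPORT=11742&JNI_DSTIP=192.0.2.10&JNI_DSTPORT=80" "Mozilla/5.0"'
)

def parse_block_event(line):
    """Return the JNI_* parameters carried in the second quoted field."""
    quoted = re.findall(r'"([^"]*)"', line)   # request, block-page URL, user agent
    if len(quoted) < 2:
        return {}
    query = urlsplit(quoted[1].strip()).query
    return {k: v[0] for k, v in parse_qs(query).items() if k.startswith("JNI_")}

def blocked_host(event):
    """Host name from JNI_URL, which is logged without a scheme."""
    url = event.get("JNI_URL", "")
    if "://" not in url:
        url = "//" + url
    return urlsplit(url).hostname

def system_resolver(host):
    """Addresses the local resolver returns for host (needs network access)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def dstip_matches_dns(event, resolver=system_resolver):
    """True if JNI_DSTIP is one of the addresses DNS gives for the blocked host.

    A mismatch is only a hint: CDN-hosted sites return different addresses
    depending on where and when they are resolved.
    """
    dst = ipaddress.ip_address(event["JNI_DSTIP"])
    return dst in {ipaddress.ip_address(a) for a in resolver(blocked_host(event))}

if __name__ == "__main__":
    ev = parse_block_event(SAMPLE)
    print(ev["JNI_URL"], ev["JNI_REASON"], ev["JNI_DSTIP"])
    # Injected resolver keeps the demonstration offline.
    print(dstip_matches_dns(ev, resolver=lambda host: {"192.0.2.10"}))
```

Run the comparison from the same network and resolver the client PC uses, since that is the view of DNS the logged destination address should be judged against.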