Re: [j-nsp] curious optic issue
On Wed, Apr 10, 2013 at 11:06 AM, Alexandre Snarskii wrote:
> Is there any way to power-off SFP+ in MPC-3D-16XGE as well ?
> Looks like we have the same issue in one more location... :(

Maybe you need the still uncommon low power transceiver <=1.5 Watts just like in the other camp to power on all ports on high density 10Gig line cards. This is supposedly because of thermal dissipation limits.

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] ISG 1000
On Sun, Mar 7, 2010 at 7:02 PM, networking alcatel wrote:
> Hi
>
> I have got a ISG 1000 firewall which has the default 4 interfaces, i need to
> configure 4 zones on a single interface and 1 zone which is the untrusted
> zone on another interface , the other 2 interfaces will be used for HA and
> heartbeat as there are 2 ISG 1000 my point is
>
> - can i have 4 different zones on a single interface these are all
>   trusted (inside) and require to communicate with one another and also with
>   the outside interface
> - can the DMZ zone and the trusted zone be bound to the same interface
>   (sub-interfaces are proposed using vlan tagging)
>
> will this type of solution work.

Yes it works, just use vlan tagged sub-interfaces. You can bind sub-interfaces to any zone you want. Be sure to check your licence supports the number of zones you want to create.
Re: [j-nsp] manage nodes from Netscreen device
On Sun, Oct 18, 2009 at 10:59 PM, Ibariouen Khalid <ibariouen.kha...@ericsson.com> wrote:
> Hi all
> Is it possible to perform SSH from Netscreen device? I know that telnet
> is not possible ?
>

Hi,

Starting with 6.2, there is a telnet client available.

HTH
Sidney
Re: [j-nsp] Bulk updates to Netscreen 5400
On Fri, Jun 26, 2009 at 5:02 PM, Ross Vandegrift wrote:
> On Fri, Jun 26, 2009 at 12:52:49PM +0100, Phil Mayers wrote:
> > However - I have it on good authority that NSM merely uses a hidden CLI
> > command to start & commit bulk updates "all at once", a bit like SQL
>

You can view the raw config file by issuing a "get config datafile". I guess NSM is pushing such a file through the SSP connection established with the firewall. Don't know if you could do this manually.

If you have a heavily loaded cluster, I recommend pushing policy changes to the backup unit of your cluster. By enabling NSRP config sync, changes will be replicated to the master.

HTH
Sidney
Re: [j-nsp] [Screen OS ] : Load sharing on two static routes to the same destination
On Mon, Apr 27, 2009 at 7:17 PM, Ibariouen Khalid <ibariouen.kha...@ericsson.com> wrote:
> hi all
>
> I just want to know if there is a method to load-share between two
> static routes in ScreenOS;
>

Hi,

ScreenOS supports ECMP (set vr trust max-ecmp-routes X). You can load share on up to 4 routes. When doing ECMP with static routes be sure to use the track-ip feature so you don't blackhole traffic when losing one of the next hops. Have a look at KB7376 for detailed information.

HTH
Sidney
Re: [j-nsp] ScreenOS on ISG2000 and MGT Interface
On Fri, Mar 27, 2009 at 9:47 PM, Thomas Eichhorn wrote:
> Hi,
>
> I'm just wondering if it is possible to change the vrouter behind
> the MGT Zone - I want to have specific routes just for the MGT Interface,
> is there maybe another alternative?

Hi Thomas,

There are two ways to accomplish that. Changing all your inband interfaces from the default vrouter (untrust-vr) for another. Starting with ScreenOS 6.2 you can bind the MGT interface to any vr of your choice.

HTH.
Sidney
Re: [j-nsp] License : Juniper ISG-2000
On Fri, Feb 20, 2009 at 5:43 PM, Ross Vandegrift wrote:
>
> Just to be clear - the vsys licenses and the vrouter licenses are
> different. A vsys license enables a vrouter for each purchased vsys,
> but the converse does not hold.
>

AFAIK vrouter licenses don't exist. And if you buy a 5 vsys license, you can choose to exclusively use the 5 VR provided with it on the root vsys (but you can't create VSYS anymore as a VSYS needs its own VR). This was tested on an ISG2000 with ScreenOS 6.0.

Sidney
Re: [j-nsp] License : Juniper ISG-2000
On Fri, Feb 20, 2009 at 11:06 AM, Ibariouen Khalid <ibariouen.kha...@ericsson.com> wrote:
>
> Can someone tell me if I need to look for a license on my firewall ? I
> have only a maximum of 3 VR.
>
> If yes please let me know how to install it ??
>
> BR/
> khalid
>

Hi Khalid,

VRs are routing instances, 3 is generally enough for most setups. If you need additional ones you have to buy a vsys licence. Instructions on how to generate and install it are provided by Juniper with the licence file.

Sidney
Re: [j-nsp] OpenSSH V5.1 with ScreenOS
On Tue, Sep 9, 2008 at 9:50 PM, Mark Kamichoff <[EMAIL PROTECTED]> wrote:
> I just received a working patch from JTAC built for SSG 5/20 that fixes
> this issue: ssg5ssg20.6.0.0r6-fq4.0. Just ask JTAC for this patch, and
> reference PR# 312992...

A knowledge base article has been published concerning this issue: http://kb.juniper.net/KB12409
Re: [j-nsp] Netscreen and cisco vpn concentrator 3020 connection issues
On Thu, Sep 18, 2008 at 6:10 PM, <[EMAIL PROTECTED]> wrote:
> I'm thinking that the lifetime may not be the same, I thus would like to
> change this on my netscreen to that of the concentrator but the option is not
> there in the GUI which I have been using how can I do this in cmd. Or is my
> isolation of the problem correct

Hi,

You have to define a custom P2 proposal and bind it on your autokey ike VPN.

Sidney
Re: [j-nsp] SSG
On 9/1/08, SunnyDay <[EMAIL PROTECTED]> wrote:
> Hello
>
> Is there anyway to log failed login attempts to SSG firewalls?

Failed logins should appear in the event log:

2008-09-01 10:46:56 warning Admin user "netscreen" login attempt for Web(http) management (port 80) from x.x.x.x:62851 failed.
2008-09-01 10:46:56 warning Admin user netscreen has been rejected via the TACACS server at x.x.x.x.
2008-09-01 10:46:54 warning ADM: Local admin authentication failed for login name netscreen: invalid password

In case of multiple login failures a critical event is raised:

2008-09-01 11:01:20 crit Multiple login failures occurred for user a from IP address x.x.x.x:62913

These messages can be sent to NSM and a syslog server. Critical events can also raise an SNMP trap.

Sidney
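A parser for the four event-log messages quoted in the message above, as an added example that is not part of the original post. The function names and the sample addresses (standing in for the masked x.x.x.x) are constructed, and it assumes the timestamp, severity and message layout shown there; a syslog feed may wrap these lines in its own header.

```python
import re
from collections import Counter

IP = r"\d+(?:\.\d+){3}"
LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<sev>\w+) (?P<msg>.*)$")
# Message shapes copied from the event-log lines quoted in the message above.
EVENTS = [
    ("mgmt_login_failed", re.compile(
        r'^Admin user "?(?P<user>[^" ]+)"? login attempt for (?P<via>.+?) '
        rf"management \(port \d+\) from (?P<src>{IP}):\d+ failed\.?$")),
    ("remote_auth_rejected", re.compile(
        r'^Admin user "?(?P<user>[^" ]+)"? has been rejected via the '
        rf"(?P<via>\S+) server at {IP}\.?$")),
    ("local_auth_failed", re.compile(
        r"^ADM: Local admin authentication failed for login name "
        r"(?P<user>[^:]+): (?P<reason>.+)$")),
    ("multiple_failures", re.compile(
        r"^Multiple login failures occurred for user (?P<user>\S+) "
        rf"from IP address (?P<src>{IP}):\d+$")),
]
# Constructed sample: quoted lines with documentation IPs, plus one unrelated line.
SAMPLE = "\n".join([
    '2008-09-01 10:46:56 warning Admin user "netscreen" login attempt for '
    "Web(http) management (port 80) from 192.0.2.10:62851 failed.",
    "2008-09-01 10:46:56 warning Admin user netscreen has been rejected via "
    "the TACACS server at 198.51.100.5.",
    "2008-09-01 10:46:54 warning ADM: Local admin authentication failed for "
    "login name netscreen: invalid password",
    "2008-09-01 11:01:20 crit Multiple login failures occurred for user a "
    "from IP address 192.0.2.10:62913",
    "2008-09-01 11:05:02 notif constructed unrelated event",
])

def parse_events(text):
    out = []  # one dict per recognised admin-login failure line
    for raw in text.splitlines():
        head = LINE.match(raw.strip())
        for kind, rx in (EVENTS if head else []):
            m = rx.match(head["msg"])
            if m:
                out.append({"ts": head["ts"], "sev": head["sev"], "kind": kind, **m.groupdict()})
                break
    return out

def failures_by_user(events):
    return Counter(e["user"] for e in events)

def repeated_failure_sources(events):
    # Source IPs named in 'crit' multiple-failure events (alert candidates).
    return sorted({e["src"] for e in events if e["kind"] == "multiple_failures" and e["sev"] == "crit"})
```
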
Re: [j-nsp] Vpn in active/active HA
On 8/29/08, SunnyDay <[EMAIL PROTECTED]> wrote:
> I'm not going to use certificates just policy based vpn or route-based
> is there any issue on these?

As long as your cluster is well configured (rto mirror sync, config sync, etc), I can't think of anything else.

B.R
Re: [j-nsp] Vpn in active/active HA
On 8/29/08, SunnyDay <[EMAIL PROTECTED]> wrote:
> Hello is there any specific setting to watch out for when configuring a
> vpn in
> two ssg when in high availability active/active state?

Hello,

If you are going to use certificate authentication for some tunnels, be sure to configure a nsrp cluster name and issue your certificates with this name so as not to disrupt the ipsec tunnel in case of vsd group failover.

B.R
Sidney