Re: [j-nsp] SRX AppFW issue
Try these two rules...
rule facebook {
match {
dynamic-application-group junos:web:social-networking:facebook;
}
then {
deny;
}
}
rule facebook-1 {
match {
dynamic-application junos:FACEBOOK-ACCESS;
}
then {
deny;
}
}
On Wed, Oct 22, 2014 at 7:13 AM, Yuriy B. Borysov yokod...@yokodzun.kiev.ua
wrote:
Hello!
I have configured application-firewall on SRX220H (12.1X45-D15.5).
Configuration is below:
security application-firewall
rule-sets common-customers {
rule soc-net {
match {
dynamic-application-group [ junos:social-networking
junos:web:social-networking ];
}
then {
deny;
}
}
rule bt-block {
match {
dynamic-application-group [ junos:p2p junos:p2p:file-sharing
junos:web:p2p junos:web:p2p:file-sharing ];
}
then {
deny;
}
}
rule unknow-staff {
match {
dynamic-application junos:UNSPECIFIED-ENCRYPTED;
}
then {
deny;
}
}
default-rule {
permit;
}
}
security policies from-zone trust to-zone untrust
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit {
application-services {
application-firewall {
rule-set common-customers;
}
}
}
}
}
All necessary licenses and signatures installed.
But when I go to facebook.com or vk.com, pages open.
And the counters on the rule soc-net show 0:
# run show security application-firewall rule-set all
Rule-set: common-customers
Rule: soc-net
Dynamic Application Groups: junos:social-networking,
junos:web:social-networking
Action:deny
Number of sessions matched: 0
Number of sessions redirected: 0
Rule: bt-block
Dynamic Application Groups: junos:p2p, junos:p2p:file-sharing,
junos:web:p2p, junos:web:p2p:file-sharing
Action:deny
Number of sessions matched: 95863
Number of sessions redirected: 0
Rule: unknow-staff
Dynamic Applications: junos:UNSPECIFIED-ENCRYPTED
Action:deny
Number of sessions matched: 19296
Number of sessions redirected: 0
Default rule:permit
Number of sessions matched: 172311
Number of sessions redirected: 0
Number of sessions with appid pending: 241
Where am I wrong?
Thanks!
--
WBR, Yuriy B. Borysov
YOKO-UANIC | YOKO-RIPE
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Single SRX DSCP writing before traffic is encrypted into IPSec
Last I heard from JTAC, this was still not available with no ETA. Even with several high profile enterprises requesting it. -Ben On Wednesday, August 10, 2011, Andrew Jones and...@commitconfirmed.com wrote: Hi, I've got an SRX240 runing 10.4R4.5 running at a brach site serving as the site gateway and I figure out a way to write DSCP values before traffic is encrypted into an IPSec VPN due to the SRX being the only device at the site. The only place I can apply outbound DSCP marking is on the Interface that the IPSec VPN lies, since you can't configure dscp rewrites on the st0.x interfaces. This works okay since the IPSec packet is marked and scheduled correctly, but once the traffic makes it to the other site and is decrypted, the DSCP marking is lost and needs to be re-marked again. It also makes it hard to audit how much traffic is being put into each class when doing J-Flow exports, or if certain types of traffic are being marked correctly. Has anyone else got a similar setup or experienced and fixed this issue? I'm currently terminating VPN's on the physical interface itself, could I potentially move this to a vlan.x interface and perform outbound DSCP marking there? ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] jcs:split() function with errors
Slax dudes,
i'm running into a weird issue that i can't seem to figure out...
i'm try to find out the number of pipes | in all of my interface
descriptions, but for some reason the jcs:split() function errors out in my
commit script. Does anyone have any suggestions?
junos version 10.0R3.10
code:
/* Loop through all logical interfaces checking for descriptions and
format*/
for-each( interfaces/interface/unit ) {
/* Missing description */
if( jcs:empty( description ) ) {
xnm:error {
call jcs:edit-path();
message !!!CONFIGURATION ERROR!!! Interface description is MISSING.
Format = 'INTERFACE TYPE | CIRCUIT ID | CONNECTING ROUTER | CONNECTING PORT
| FUNCTION';
}
}
else {
var $description_parts = jcs:split(|, description);
/*
if ( not($description_parts[5]) ) {
xnm:error {
call jcs:edit-path();
message !!!CONFIGURATION ERROR!!! Interface description is INCORRECT.
Format = 'INTERFACE TYPE | CIRCUIT ID | CONNECTING ROUTER | CONNECTING PORT
| FUNCTION';
}
}
*/
}
}
when i comment out
var $description_parts = jcs:split(|, description);
i don't run into errors
I have 4 interface descriptions, and when i commit, this is all i see:
error: 4 errors reported by commit scripts
error: commit script failure
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] jcs:split() function with errors
On Fri, Jul 22, 2011 at 1:37 PM, ben b benboyd.li...@gmail.com wrote:
Slax dudes,
i'm running into a weird issue that i can't seem to figure out...
i'm try to find out the number of pipes | in all of my interface
descriptions, but for some reason the jcs:split() function errors out in my
commit script. Does anyone have any suggestions?
junos version 10.0R3.10
code:
/* Loop through all logical interfaces checking for descriptions and
format*/
for-each( interfaces/interface/unit ) {
/* Missing description */
if( jcs:empty( description ) ) {
xnm:error {
call jcs:edit-path();
message !!!CONFIGURATION ERROR!!! Interface description is MISSING.
Format = 'INTERFACE TYPE | CIRCUIT ID | CONNECTING ROUTER | CONNECTING PORT
| FUNCTION';
}
}
else {
var $description_parts = jcs:split(|, description);
/*
if ( not($description_parts[5]) ) {
xnm:error {
call jcs:edit-path();
message !!!CONFIGURATION ERROR!!! Interface description is INCORRECT.
Format = 'INTERFACE TYPE | CIRCUIT ID | CONNECTING ROUTER | CONNECTING PORT
| FUNCTION';
}
}
*/
}
}
when i comment out
var $description_parts = jcs:split(|, description);
i don't run into errors
I have 4 interface descriptions, and when i commit, this is all i see:
error: 4 errors reported by commit scripts
error: commit script failure
Here is my cscript.log (yes i know my date is wrong... )
Sep 5 08:45:23 cscript script processing begins
Sep 5 08:45:23 reading commit script configuration
Sep 5 08:45:23 testing commit script configuration
Sep 5 08:45:23 opening commit script
'/var/db/scripts/commit/validation.slax'
Sep 5 08:45:23 script file '/var/db/scripts/commit/validation.slax': size =
67310 ; md5 = bd939292d9077b1defe91f2fbee91e94 sha1 =
cdccbfddf0ae75101931380d42ca0b5ceb18cf9d sha-256 =
1925ca096715357aa42c2a791cf48d6ddd91c345086eb28c944978c07df3f1a2
Sep 5 08:45:23 reading commit script 'validation.slax'
Sep 5 08:45:23 running commit script 'validation.slax'
Sep 5 08:45:23 regex error: empty (sub)expression
Sep 5 08:45:23 regex error: empty (sub)expression
Sep 5 08:45:23 regex error: empty (sub)expression
Sep 5 08:45:23 regex error: empty (sub)expression
Sep 5 08:45:23 processing commit script 'validation.slax'
Sep 5 08:45:24 no errors from validation.slax
Sep 5 08:45:24 saving commit script changes for script validation.slax
Sep 5 08:45:24 summary of script validation.slax: changes 18, transients 0,
syslog 0
Sep 5 08:45:24 cscript script processing ends
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] jcs:split() function with errors
On Fri, Jul 22, 2011 at 3:06 PM, Phil Shafer p...@juniper.net wrote: ben b writes: i'm try to find out the number of pipes | in all of my interface descriptions, but for some reason the jcs:split() function errors out in my commit script. Does anyone have any suggestions? jcs:split() takes a pattern (regex) instead of a simple string. You'll need to escape the | to prevent it from being interpreted in the regex context. You escape this using a backslash, but you also need to escape the backslash since SLAX interprets this as _it's_ escape character as well. So you'll end up needing: var $description_parts = jcs:split(\\|, description); Thanks, Phil Thanks Phil, that worked that would be why my error was regex empty expression. :) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] SXR 650 Redundancy Group Problem
Try removing preempt. I've seen issues with preemption.
On Saturday, March 19, 2011, Walaa Abdel razzak wala...@bmc.com.sa wrote:
Hi Experts
I am configuring redundancy group to trigger failover in case of interface
failure. I have reth interface for trust zone that has two physical
interfaces, one interface on the active node and the other on the passive and
the same for reth1 on untrust zone. The target is to make traffic go through
the passive node in case of any physical interface failure in the active
node. The problem I am facing is that the failover happen normally when any
interface goes down but there is no traffic from trust to untrust or vice
versa, when the down interface comes to up again, the traffic flows without
problems.
The RG configuration is as follows:
test@FW1# show chassis
cluster {
reth-count 2;
redundancy-group 0 {
node 0 priority 100;
node 1 priority 1;
}
redundancy-group 1 {
node 0 priority 100;
node 1 priority 1;
preempt;
gratuitous-arp-count 4;
interface-monitor {
ge-2/0/0 weight 255; à Interface on the active node
ge-2/0/1 weight 255; à Interface on the active node
}
}
}
When the active interface goes down:
Mar 20 03:43:51 FW1 jsrpd[1085]: JSRPD_RG_STATE_CHANGE: Redundancy-group 1
transitioned from 'primary' to 'secondary-hold' state due to Monitor failed:
IF
Mar 20 03:43:52 FW1 jsrpd[1085]: JSRPD_RG_STATE_CHANGE: Redundancy-group 1
transitioned from 'secondary-hold' to 'secondary' state due to Back to back
failover interval expired
Interface belonging to the reth:
test@ FW1# show interfaces ge-2/0/0 à active node
gigether-options {
redundant-parent reth1;
}
{primary:node0}[edit]
test@ FW1# show interfaces ge-2/0/1 à active node
gigether-options {
redundant-parent reth0;
}
{primary:node0}[edit]
test@ FW1# show interfaces ge-11/0/0 à passive node
gigether-options {
redundant-parent reth1;
}
{primary:node0}[edit]
test@ FW1# show interfaces ge-11/0/1 à passive node
gigether-options {
redundant-parent reth0;
}
test@FW1# run show interfaces terse | match reth
ge-2/0/0.15 up down aenet -- reth1.15 à active interface
down
ge-2/0/0.20 up down aenet -- reth1.20
ge-2/0/0.32767 up down aenet -- reth1.32767
ge-2/0/1.5 up up aenet -- reth0.5
ge-2/0/1.32767 up up aenet -- reth0.32767
ge-11/0/0.15 up up aenet -- reth1.15
ge-11/0/0.20 up up aenet -- reth1.20
ge-11/0/0.32767 up up aenet -- reth1.32767
ge-11/0/1.5 up up aenet -- reth0.5
ge-11/0/1.32767 up up aenet -- reth0.32767
reth0 up down
reth0.5 up down inet 172.16.0.2/30
reth0.32767 up down
reth1 up down
reth1.15 up down inet 192.168.0.2/30
reth1.20 up down inet 192.168.1.2/30
reth1.32767 up down
Any suggestions?
BR,
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] SRX650 Clustering Issue
Just add the additional interfaces to the reth interface. No need for AE
interface. You configure LACP under reth interface..
On Wed, Mar 9, 2011 at 10:29 AM, Walaa Abdel razzak wala...@bmc.com.sawrote:
Thanks All
Now if I need to configure the reth interface using ae interface instead
of physical interface as I need more than one gig on each node. The
problem is that I can't issue the command to join ae0 to reth0 as
follows:
admin@FW1# set interfaces ae0 aggregated-ether-options ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these
groups
ethernet-switch-profile Ethernet virtual LAN/media access
control-level options
flow-control Enable flow control
lacp Link Aggregation Control Protocol configuration
link-protection Enable link protection mode
link-speed Link speed of individual interface that joins the
AE
loopback Enable loopback
minimum-linksMinimum number of aggregated links (1..8)
no-flow-control Don't enable flow control
no-link-protection Don't enable link protection mode
no-loopback Don't enable loopback
Note: The target is to have more than one gig link for each node and
load balance between them, I tried to use ae0 interface as mentioned
above but it didn't work. Any other ideas are welcomed.
BR,
-Original Message-
From: Stefan Fouant [mailto:sfou...@shortestpathfirst.net]
Sent: Wednesday, March 09, 2011 3:26 PM
To: Walaa Abdel razzak
Cc: Ben Dale; juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] SRX650 Clustering Issue
You do not need to configure an IP address on the fab link for proper
operation.
Stefan Fouant
Sent from my iPad
On Mar 9, 2011, at 2:16 AM, Walaa Abdel razzak wala...@bmc.com.sa
wrote:
Thanks, Now HA is configured, but regarding the fab link, is it
necessary to have L3 address or not.
BR,
-Original Message-
From: Ben Dale [mailto:bd...@comlinx.com.au]
Sent: Sunday, March 06, 2011 12:12 PM
To: Walaa Abdel razzak
Cc: Scott T. Cameron; juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] SRX650 Clustering Issue
This is a pretty common error when you are bringing pre-configured
devices together in a chassis cluster.
My advice would be to run the following from edit mode on each box:
delete interfaces
delete vlans
delete security
delete protocols
Then commit and cable them together (control AND fabric). If you've
run the set chassis cluster command correctly, the boxes should now
come together.
After that you should be able to make all configuration changes from
the primary box, so the assign fabric interfaces:
set interfaces fab0 fabric-options member-interfaces ge-0/0/2 set
interfaces fab1 fabric-options member-interfaces ge-5/0/2
And then build some redundancy groups
set chassis cluster control-link-recovery set chassis cluster
reth-count
15 set chassis cluster redundancy-group 0 node 0 priority 100 set
chassis cluster redundancy-group 0 node 1 priority 1 set chassis
cluster redundancy-group 1 node 0 priority 100 set chassis cluster
redundancy-group 1 node 1 priority 1 set chassis cluster
redundancy-group 1 preempt
then build reth interfaces and assign them to redundancy groups etc.
On 06/03/2011, at 12:17 AM, Walaa Abdel razzak wrote:
Hi Scott
The old configuration was test config (very simple) like hostname,
aggregate ethernet,.as its fresh FW. After enabling clusterign
using the standard command set chassis clustering..and reboot, we
got the
following:
{hold:node0}
root@-FW1 edit
warning: Clustering enabled; using private edit
error: shared configuration database modified
Please temporarily use 'configure shared' to commit
outstanding changes in the shared database, exit,
and return to configuration mode using 'configure'
when I issue most commands I got the following:
{hold:node0}
root@-FW1 show version
error: Could not connect to node0 : No route to host
The JUNOS version is 10.3.
Also here is a sample of Chassisd log:
Mar 5 19:32:49 completed chassis state from ddl
Mar 5 19:32:49 ch_set_non_stop_forwarding_cfg:Setting
non-stop-forwarding to Disabled, source DDL
Mar 5 19:32:49 ch_do_multichassis_overrides:Setting multichassis
replication to Disabled
Mar 5 19:32:49 config_do_overrides: Keepalives not set. Setting it
to
300 secs
Mar 5 19:32:49 if_init
Mar 5 19:32:49 Skip cleaning pic state on LCC
Mar 5 19:32:49 chassis_alarm_module_init
Mar 5 19:32:49 timer_init
Mar 5 19:32:49 main_snmp_init
Mar 5 19:32:49 snmp_init: snmp_chassis_id = 0, chas_type = 1
Mar 5 19:32:49 chas_do_registration: or_obj = 0xdfe400, or_rows = 23
Mar 5 19:32:49 chas_do_registration: or_obj =
Re: [j-nsp] RPM Event Script - Attributes Help
cool, thanks for that! I was pulling that information later in the script
anyway, might as well do it earlier. Thanks!
On Tue, Mar 8, 2011 at 3:22 PM, Curtis Call cc...@juniper.net wrote:
I'm writing an event-script based on RPM threshold exceeds/failures and
can't seem to find the passed attributes anywhere. I found {$$.test-
name}
online, but nothing else. I'm looking for the rtt-jitter and rrt-max-
delay values so I can pass them to the script. Anyone out there know
them or know how I can find them?
help syslog will tell you what attributes are available for a particular
event, but it might be that Junos simply isn't sending that particular
information through the event itself, in which case you could always request
it by performing the appropriate show rpm command via jcs:invoke().
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] Scripting - Redefining variables in For-each Loops
Experts,
I'm in the process of not liking that you can't redefine variables in slax.
I have need to add the values calculated inside of a for-each loop. Has
anyone ever had to do that?
Example of what I want
for-each ( $result ) {
$a = . + 1;
$b = $b + a;
}
$result could be 200 results or 2.
Is this possible in slax?
Thanks in advance,
Ben
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Scripting - Redefining variables in For-each Loops
sweet thanks! works like a charm
On Tue, Mar 8, 2011 at 5:28 PM, Curtis Call cc...@juniper.net wrote:
I have need to add the values calculated inside of a for-each loop.
Has anyone ever had to do that?
Example of what I want
for-each ( $result ) {
$a = . + 1;
$b = $b + a;
}
You'll need to split this into multiple steps:
var $values := {
for-each( $result ) {
value . + 1;
}
}
var $b = sum( $values/value );
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] Simple Script Running
All, I'm trying to get a feel for op scripts in JUNOS and I can invoke commands, but I'm not seeing the output I thought I'd see (it looks like raw data). What I'd like to do is run a list of show commands with a script alias. Could someone point me in the right direction to be able to run like 5 'show' commands (with normal output) in a row with one simple command like 'op status' Thanks in advance, Ben ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] SRX Config Question
If the results of the show security policies detail operational command show the policies in the right order and allowing the right ports and show security nat static rule 214 looks like it's natting correctly, and removing the periods doesn't fix it, the only thing I can think of is that 192.168.1.214 isn't reachable from the SRX and the SRX is dropping the traffic. I typically start with an any any any permit to verify ping/trace through the SRX, then replace that with a narrowed down policy On Tue, Jun 22, 2010 at 12:06 PM, Brendan Mannella bmanne...@teraswitch.com wrote: I double checked i do have from zone untrust I will try updating the address book and remove the periods. Brendan Mannella President and CEO TeraSwitch Networks Inc. Office: 412.224.4333 x303 Toll-Free: 866.583.6338 Mobile: 412-592-7848 Efax: 412.202.7094 ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] SRX Config Question
The policy looks good, but your nat isn't translating. You have 0 translation hits. Your destination address is never changed to 192.169.1.214 which is why your policy is never invoked. Is 192.168.1.214 reachable from the SRX? I would say check previous nat rules, but the position of this one is 1. -Ben On Tue, Jun 22, 2010 at 1:00 PM, Brendan Mannella bmanne...@teraswitch.comwrote: Ok i updated the address book from . to _ Below is the output of the commands, i havent had a chance to retest with the updated address book to see if that does it, i will let you know. The Nat and polices look ok.. r...@srx210 show security nat static rule all Total static-nat rules: 58 Static NAT rule: 51 Rule-set: static Rule-Id: 1 Rule position : 1 From zone : untrust Destination addresses : 111.111.111.214 (external public ip) Host addresses : 192.168.1.214 Netmask: 255.255.255.255 Host routing-instance : N/A Translation hits : 0 r...@srx210 show security policies detail Default policy: deny-all Policy: trust-to-untrust, action-type: permit, State: enabled, Index: 4 Sequence number: 1 From zone: trust, To zone: untrust Source addresses: any: 0.0.0.0/0 Destination addresses: any: 0.0.0.0/0 Application: any IP protocol: 0, ALG: 0, Inactivity timeout: 0 Source port range: [0-0] Destination port range: [0-0] Policy: 240-214, action-type: permit, State: enabled, Index: 5 Sequence number: 1 From zone: untrust, To zone: trust Source addresses: any: 0.0.0.0/0 Destination addresses: 192_168_1_214: 192.168.1.214/32 Application: rdp IP protocol: tcp, ALG: 0, Inactivity timeout: 1800 Source port range: [0-0] Destination port range: [3389-3389] Application: junos-dns-udp IP protocol: udp, ALG: dns, Inactivity timeout: 60 Source port range: [0-0] Destination port range: [53-53] Application: junos-ftp IP protocol: tcp, ALG: ftp, Inactivity timeout: 1800 Source port range: [0-0] Destination port range: [21-21] Application: junos-http IP protocol: tcp, ALG: 0, Inactivity timeout: 1800 Source port range: [0-0] Destination port range: [80-80] Application: junos-https IP protocol: tcp, ALG: 0, Inactivity timeout: 1800 Source port range: [0-0] Destination port range: [443-443] Application: junos-ms-sql IP protocol: tcp, ALG: 0, Inactivity timeout: 1800 Source port range: [0-0] Destination port range: [1433-1433] Session log: at-create, at-close ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] SRX Config Question
The system does default deny if you haven't specified a default policy
action.
set security policies default-policy permit-all
As far as the policy is concerned, the policy is applied AFTER destination
nat is performed and BEFORE source nat is performed.
What is the output of 'show security policies' or 'show security policies
from-zone untrust to-zone trust'?
-Ben
On Mon, Jun 21, 2010 at 1:18 PM, Brendan Mannella
bmanne...@teraswitch.comwrote:
Nope, i actually dont see any deny statements at all. Does the system, just
deny everything thats not defined as allowed? Any other thing i should look
at?
Brendan Mannella
President and CEO
TeraSwitch Networks Inc.
Office: 412.224.4333 x303
Toll-Free: 866.583.6338
Mobile: 412-592-7848
Efax: 412.202.7094
- Original Message -
From: Scott T. Cameron routeh...@gmail.com
To: juniper-nsp juniper-nsp@puck.nether.net
Sent: Monday, June 21, 2010 1:35:06 PM
Subject: Re: [j-nsp] SRX Config Question
Your rules actually seem fine at a glance. Are those the only rules in
your
system? No deny that might otherwise be blocking the traffic? I also
migrated from ScreenOS and ditched all the old catch-all denies that I had
at the bottom of zone policies because they don't work the same way in
JunOS
land.
You're right, you run the policies against the post-translated address, not
the pre-translated. The NAT is separate entirely from policies.
scott
On Mon, Jun 21, 2010 at 12:54 PM, Brendan Mannella
bmanne...@teraswitch.com
wrote:
Yes that makes sense. And the policy pre srx was like this. But I am
almost
positive I read somewhere the srx was different in that the policy is
looked
at post NAT and so the private ip should be used.
I will give that a shot though.
Brendan Mannella
TeraSwitch Networks Inc.
Office: 412.224.4333 x303
Mobile: 412.592.7848
Efax: 412.202.7094
On Jun 21, 2010, at 12:50 PM, Stefan Fouant
sfou...@shortestpathfirst.net wrote:
-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-
boun...@puck.nether.net] On Behalf Of Brendan Mannella
Sent: Monday, June 21, 2010 11:20 AM
To: juniper-nsp
Subject: [j-nsp] SRX Config Question
So main issue is the firewall does not seem to allow any incoming
traffic
on
the ports i opened below on the policies. Anyone have any ideas what i
am
missing?
Hi Brendan,
How are things? I could be wrong, but I believe the issue is with the
untrust-to-trust policy where you are matching on destination-address
192.168.1.214:
from-zone untrust to-zone trust {
policy 240-51 {
match {
source-address any;
destination-address 192.168.1.214;
application [ rdp junos-dns-udp junos-ftp junos-http junos-https
junos-ms-sql ];
}
I believe in order for this to work you are going to need to make the
destination-address 111.111.111.214. This will cause it to vector off
into
the NAT policy which will translate from 111.111.111.214 to
192.168.1.214.
I think you might also need to use an address book entry whereby you put
the
pre-natted address (111.111.111.214) into your trust zone as well.
Feel free to contact me offline if you'd like additional assistance.
HTHs.
Stefan Fouant, CISSP, JNCIEx2
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] SRX Config Question
I noticed you didn't include all of the nat config.make sure you have
the from-zone configured for the static nat rule-set...
ex.
set security nat static rule-set natting from zone untrust
set security nat static rule-set natting rule 214 match destination-address
111.111.111.214/32
set security nat static rule-set natting rule 214 then static-nat prefix
192.168.1.214/32
I've also noticed strange things when using . inside of an address-book
address. I use _ instead.
-Ben
On Mon, Jun 21, 2010 at 2:57 PM, ben b benboyd.li...@gmail.com wrote:
The system does default deny if you haven't specified a default policy
action.
set security policies default-policy permit-all
As far as the policy is concerned, the policy is applied AFTER destination
nat is performed and BEFORE source nat is performed.
What is the output of 'show security policies' or 'show security policies
from-zone untrust to-zone trust'?
-Ben
On Mon, Jun 21, 2010 at 1:18 PM, Brendan Mannella
bmanne...@teraswitch.com wrote:
Nope, i actually dont see any deny statements at all. Does the system,
just deny everything thats not defined as allowed? Any other thing i should
look at?
Brendan Mannella
President and CEO
TeraSwitch Networks Inc.
Office: 412.224.4333 x303
Toll-Free: 866.583.6338
Mobile: 412-592-7848
Efax: 412.202.7094
- Original Message -
From: Scott T. Cameron routeh...@gmail.com
To: juniper-nsp juniper-nsp@puck.nether.net
Sent: Monday, June 21, 2010 1:35:06 PM
Subject: Re: [j-nsp] SRX Config Question
Your rules actually seem fine at a glance. Are those the only rules in
your
system? No deny that might otherwise be blocking the traffic? I also
migrated from ScreenOS and ditched all the old catch-all denies that I had
at the bottom of zone policies because they don't work the same way in
JunOS
land.
You're right, you run the policies against the post-translated address,
not
the pre-translated. The NAT is separate entirely from policies.
scott
On Mon, Jun 21, 2010 at 12:54 PM, Brendan Mannella
bmanne...@teraswitch.com
wrote:
Yes that makes sense. And the policy pre srx was like this. But I am
almost
positive I read somewhere the srx was different in that the policy is
looked
at post NAT and so the private ip should be used.
I will give that a shot though.
Brendan Mannella
TeraSwitch Networks Inc.
Office: 412.224.4333 x303
Mobile: 412.592.7848
Efax: 412.202.7094
On Jun 21, 2010, at 12:50 PM, Stefan Fouant
sfou...@shortestpathfirst.net wrote:
-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-
boun...@puck.nether.net] On Behalf Of Brendan Mannella
Sent: Monday, June 21, 2010 11:20 AM
To: juniper-nsp
Subject: [j-nsp] SRX Config Question
So main issue is the firewall does not seem to allow any incoming
traffic
on
the ports i opened below on the policies. Anyone have any ideas what i
am
missing?
Hi Brendan,
How are things? I could be wrong, but I believe the issue is with the
untrust-to-trust policy where you are matching on destination-address
192.168.1.214:
from-zone untrust to-zone trust {
policy 240-51 {
match {
source-address any;
destination-address 192.168.1.214;
application [ rdp junos-dns-udp junos-ftp junos-http junos-https
junos-ms-sql ];
}
I believe in order for this to work you are going to need to make the
destination-address 111.111.111.214. This will cause it to vector off
into
the NAT policy which will translate from 111.111.111.214 to
192.168.1.214.
I think you might also need to use an address book entry whereby you
put
the
pre-natted address (111.111.111.214) into your trust zone as well.
Feel free to contact me offline if you'd like additional assistance.
HTHs.
Stefan Fouant, CISSP, JNCIEx2
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] SRX Config Question
the rule-set won't be natting, it'll be whatever rule-set rule 214
exists in
-Ben
On Mon, Jun 21, 2010 at 3:13 PM, Brendan Mannella
bmanne...@teraswitch.comwrote:
I have to double check but i might have missed
set security nat static rule-set natting from zone untrust... I will double
check and update the list.
- Original Message -
From: ben b benboyd.li...@gmail.com
To: Brendan Mannella bmanne...@teraswitch.com
Cc: Scott T. Cameron routeh...@gmail.com, juniper-nsp
juniper-nsp@puck.nether.net
Sent: Monday, June 21, 2010 4:10:43 PM
Subject: Re: [j-nsp] SRX Config Question
I noticed you didn't include all of the nat config.make sure you have
the from-zone configured for the static nat rule-set...
ex.
set security nat static rule-set natting from zone untrust
set security nat static rule-set natting rule 214 match
destination-address 111.111.111.214/32
set security nat static rule-set natting rule 214 then static-nat prefix
192.168.1.214/32
I've also noticed strange things when using . inside of an address-book
address. I use _ instead.
-Ben
On Mon, Jun 21, 2010 at 2:57 PM, ben b benboyd.li...@gmail.com wrote:
The system does default deny if you haven't specified a default policy
action.
set security policies default-policy permit-all
As far as the policy is concerned, the policy is applied AFTER destination
nat is performed and BEFORE source nat is performed.
What is the output of 'show security policies' or 'show security policies
from-zone untrust to-zone trust'?
-Ben
On Mon, Jun 21, 2010 at 1:18 PM, Brendan Mannella
bmanne...@teraswitch.com wrote:
Nope, i actually dont see any deny statements at all. Does the system,
just deny everything thats not defined as allowed? Any other thing i should
look at?
Brendan Mannella
President and CEO
TeraSwitch Networks Inc.
Office: 412.224.4333 x303
Toll-Free: 866.583.6338
Mobile: 412-592-7848
Efax: 412.202.7094
- Original Message -
From: Scott T. Cameron routeh...@gmail.com
To: juniper-nsp juniper-nsp@puck.nether.net
Sent: Monday, June 21, 2010 1:35:06 PM
Subject: Re: [j-nsp] SRX Config Question
Your rules actually seem fine at a glance. Are those the only rules in
your
system? No deny that might otherwise be blocking the traffic? I also
migrated from ScreenOS and ditched all the old catch-all denies that I
had
at the bottom of zone policies because they don't work the same way in
JunOS
land.
You're right, you run the policies against the post-translated address,
not
the pre-translated. The NAT is separate entirely from policies.
scott
On Mon, Jun 21, 2010 at 12:54 PM, Brendan Mannella
bmanne...@teraswitch.com
wrote:
Yes that makes sense. And the policy pre srx was like this. But I am
almost
positive I read somewhere the srx was different in that the policy is
looked
at post NAT and so the private ip should be used.
I will give that a shot though.
Brendan Mannella
TeraSwitch Networks Inc.
Office: 412.224.4333 x303
Mobile: 412.592.7848
Efax: 412.202.7094
On Jun 21, 2010, at 12:50 PM, Stefan Fouant
sfou...@shortestpathfirst.net wrote:
-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-
boun...@puck.nether.net] On Behalf Of Brendan Mannella
Sent: Monday, June 21, 2010 11:20 AM
To: juniper-nsp
Subject: [j-nsp] SRX Config Question
So main issue is the firewall does not seem to allow any incoming
traffic
on
the ports i opened below on the policies. Anyone have any ideas what
i am
missing?
Hi Brendan,
How are things? I could be wrong, but I believe the issue is with the
untrust-to-trust policy where you are matching on destination-address
192.168.1.214:
from-zone untrust to-zone trust {
policy 240-51 {
match {
source-address any;
destination-address 192.168.1.214;
application [ rdp junos-dns-udp junos-ftp junos-http junos-https
junos-ms-sql ];
}
I believe in order for this to work you are going to need to make the
destination-address 111.111.111.214. This will cause it to vector off
into
the NAT policy which will translate from 111.111.111.214 to
192.168.1.214.
I think you might also need to use an address book entry whereby you
put
the
pre-natted address (111.111.111.214) into your trust zone as well.
Feel free to contact me offline if you'd like additional assistance.
HTHs.
Stefan Fouant, CISSP, JNCIEx2
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https
Re: [j-nsp] Bridge Domain
and on the non branch SRX series which is based on the MX arch On Sat, May 29, 2010 at 12:21 AM, Chen Jiang iloveb...@gmail.com wrote: no, only MX family support virtual switch. On Fri, May 28, 2010 at 10:35 PM, Jay Hanke jha...@myclearwave.net wrote: What equipment at the low end supports a virtual switch with a bridge domains? Does the J-series? Thanks, Jay ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp -- BR! James Chen ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
