Re: [j-nsp] SRX AppFW issue
Try these two rules... rule facebook { match { dynamic-application-group junos:web:social-networking:facebook; } then { deny; } } rule facebook-1 { match { dynamic-application junos:FACEBOOK-ACCESS; } then { deny; } } On Wed, Oct 22, 2014 at 7:13 AM, Yuriy B. Borysov yokod...@yokodzun.kiev.ua wrote: Hello! I have configured application-firewall on SRX220H (12.1X45-D15.5). Configuration is below: security application-firewall rule-sets common-customers { rule soc-net { match { dynamic-application-group [ junos:social-networking junos:web:social-networking ]; } then { deny; } } rule bt-block { match { dynamic-application-group [ junos:p2p junos:p2p:file-sharing junos:web:p2p junos:web:p2p:file-sharing ]; } then { deny; } } rule unknow-staff { match { dynamic-application junos:UNSPECIFIED-ENCRYPTED; } then { deny; } } default-rule { permit; } } security policies from-zone trust to-zone untrust policy trust-to-untrust { match { source-address any; destination-address any; application any; } then { permit { application-services { application-firewall { rule-set common-customers; } } } } } All necessary licenses and signatures installed. But when I go to facebook.com or vk.com, pages open. And the counters on the rule soc-net show 0: # run show security application-firewall rule-set all Rule-set: common-customers Rule: soc-net Dynamic Application Groups: junos:social-networking, junos:web:social-networking Action:deny Number of sessions matched: 0 Number of sessions redirected: 0 Rule: bt-block Dynamic Application Groups: junos:p2p, junos:p2p:file-sharing, junos:web:p2p, junos:web:p2p:file-sharing Action:deny Number of sessions matched: 95863 Number of sessions redirected: 0 Rule: unknow-staff Dynamic Applications: junos:UNSPECIFIED-ENCRYPTED Action:deny Number of sessions matched: 19296 Number of sessions redirected: 0 Default rule:permit Number of sessions matched: 172311 Number of sessions redirected: 0 Number of sessions with appid pending: 241 Where am I wrong? Thanks! -- WBR, Yuriy B. Borysov YOKO-UANIC | YOKO-RIPE ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Single SRX DSCP writing before traffic is encrypted into IPSec
Last I heard from JTAC, this was still not available with no ETA. Even with several high profile enterprises requesting it. -Ben On Wednesday, August 10, 2011, Andrew Jones and...@commitconfirmed.com wrote: Hi, I've got an SRX240 runing 10.4R4.5 running at a brach site serving as the site gateway and I figure out a way to write DSCP values before traffic is encrypted into an IPSec VPN due to the SRX being the only device at the site. The only place I can apply outbound DSCP marking is on the Interface that the IPSec VPN lies, since you can't configure dscp rewrites on the st0.x interfaces. This works okay since the IPSec packet is marked and scheduled correctly, but once the traffic makes it to the other site and is decrypted, the DSCP marking is lost and needs to be re-marked again. It also makes it hard to audit how much traffic is being put into each class when doing J-Flow exports, or if certain types of traffic are being marked correctly. Has anyone else got a similar setup or experienced and fixed this issue? I'm currently terminating VPN's on the physical interface itself, could I potentially move this to a vlan.x interface and perform outbound DSCP marking there? ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] jcs:split() function with errors
Slax dudes, i'm running into a weird issue that i can't seem to figure out... i'm try to find out the number of pipes | in all of my interface descriptions, but for some reason the jcs:split() function errors out in my commit script. Does anyone have any suggestions? junos version 10.0R3.10 code: /* Loop through all logical interfaces checking for descriptions and format*/ for-each( interfaces/interface/unit ) { /* Missing description */ if( jcs:empty( description ) ) { xnm:error { call jcs:edit-path(); message !!!CONFIGURATION ERROR!!! Interface description is MISSING. Format = 'INTERFACE TYPE | CIRCUIT ID | CONNECTING ROUTER | CONNECTING PORT | FUNCTION'; } } else { var $description_parts = jcs:split(|, description); /* if ( not($description_parts[5]) ) { xnm:error { call jcs:edit-path(); message !!!CONFIGURATION ERROR!!! Interface description is INCORRECT. Format = 'INTERFACE TYPE | CIRCUIT ID | CONNECTING ROUTER | CONNECTING PORT | FUNCTION'; } } */ } } when i comment out var $description_parts = jcs:split(|, description); i don't run into errors I have 4 interface descriptions, and when i commit, this is all i see: error: 4 errors reported by commit scripts error: commit script failure ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] jcs:split() function with errors
On Fri, Jul 22, 2011 at 1:37 PM, ben b benboyd.li...@gmail.com wrote: Slax dudes, i'm running into a weird issue that i can't seem to figure out... i'm try to find out the number of pipes | in all of my interface descriptions, but for some reason the jcs:split() function errors out in my commit script. Does anyone have any suggestions? junos version 10.0R3.10 code: /* Loop through all logical interfaces checking for descriptions and format*/ for-each( interfaces/interface/unit ) { /* Missing description */ if( jcs:empty( description ) ) { xnm:error { call jcs:edit-path(); message !!!CONFIGURATION ERROR!!! Interface description is MISSING. Format = 'INTERFACE TYPE | CIRCUIT ID | CONNECTING ROUTER | CONNECTING PORT | FUNCTION'; } } else { var $description_parts = jcs:split(|, description); /* if ( not($description_parts[5]) ) { xnm:error { call jcs:edit-path(); message !!!CONFIGURATION ERROR!!! Interface description is INCORRECT. Format = 'INTERFACE TYPE | CIRCUIT ID | CONNECTING ROUTER | CONNECTING PORT | FUNCTION'; } } */ } } when i comment out var $description_parts = jcs:split(|, description); i don't run into errors I have 4 interface descriptions, and when i commit, this is all i see: error: 4 errors reported by commit scripts error: commit script failure Here is my cscript.log (yes i know my date is wrong... ) Sep 5 08:45:23 cscript script processing begins Sep 5 08:45:23 reading commit script configuration Sep 5 08:45:23 testing commit script configuration Sep 5 08:45:23 opening commit script '/var/db/scripts/commit/validation.slax' Sep 5 08:45:23 script file '/var/db/scripts/commit/validation.slax': size = 67310 ; md5 = bd939292d9077b1defe91f2fbee91e94 sha1 = cdccbfddf0ae75101931380d42ca0b5ceb18cf9d sha-256 = 1925ca096715357aa42c2a791cf48d6ddd91c345086eb28c944978c07df3f1a2 Sep 5 08:45:23 reading commit script 'validation.slax' Sep 5 08:45:23 running commit script 'validation.slax' Sep 5 08:45:23 regex error: empty (sub)expression Sep 5 08:45:23 regex error: empty (sub)expression Sep 5 08:45:23 regex error: empty (sub)expression Sep 5 08:45:23 regex error: empty (sub)expression Sep 5 08:45:23 processing commit script 'validation.slax' Sep 5 08:45:24 no errors from validation.slax Sep 5 08:45:24 saving commit script changes for script validation.slax Sep 5 08:45:24 summary of script validation.slax: changes 18, transients 0, syslog 0 Sep 5 08:45:24 cscript script processing ends ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] jcs:split() function with errors
On Fri, Jul 22, 2011 at 3:06 PM, Phil Shafer p...@juniper.net wrote: ben b writes: i'm try to find out the number of pipes | in all of my interface descriptions, but for some reason the jcs:split() function errors out in my commit script. Does anyone have any suggestions? jcs:split() takes a pattern (regex) instead of a simple string. You'll need to escape the | to prevent it from being interpreted in the regex context. You escape this using a backslash, but you also need to escape the backslash since SLAX interprets this as _it's_ escape character as well. So you'll end up needing: var $description_parts = jcs:split(\\|, description); Thanks, Phil Thanks Phil, that worked that would be why my error was regex empty expression. :) ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] SXR 650 Redundancy Group Problem
Try removing preempt. I've seen issues with preemption. On Saturday, March 19, 2011, Walaa Abdel razzak wala...@bmc.com.sa wrote: Hi Experts I am configuring redundancy group to trigger failover in case of interface failure. I have reth interface for trust zone that has two physical interfaces, one interface on the active node and the other on the passive and the same for reth1 on untrust zone. The target is to make traffic go through the passive node in case of any physical interface failure in the active node. The problem I am facing is that the failover happen normally when any interface goes down but there is no traffic from trust to untrust or vice versa, when the down interface comes to up again, the traffic flows without problems. The RG configuration is as follows: test@FW1# show chassis cluster { reth-count 2; redundancy-group 0 { node 0 priority 100; node 1 priority 1; } redundancy-group 1 { node 0 priority 100; node 1 priority 1; preempt; gratuitous-arp-count 4; interface-monitor { ge-2/0/0 weight 255; à Interface on the active node ge-2/0/1 weight 255; à Interface on the active node } } } When the active interface goes down: Mar 20 03:43:51 FW1 jsrpd[1085]: JSRPD_RG_STATE_CHANGE: Redundancy-group 1 transitioned from 'primary' to 'secondary-hold' state due to Monitor failed: IF Mar 20 03:43:52 FW1 jsrpd[1085]: JSRPD_RG_STATE_CHANGE: Redundancy-group 1 transitioned from 'secondary-hold' to 'secondary' state due to Back to back failover interval expired Interface belonging to the reth: test@ FW1# show interfaces ge-2/0/0 à active node gigether-options { redundant-parent reth1; } {primary:node0}[edit] test@ FW1# show interfaces ge-2/0/1 à active node gigether-options { redundant-parent reth0; } {primary:node0}[edit] test@ FW1# show interfaces ge-11/0/0 à passive node gigether-options { redundant-parent reth1; } {primary:node0}[edit] test@ FW1# show interfaces ge-11/0/1 à passive node gigether-options { redundant-parent reth0; } test@FW1# run show interfaces terse | match reth ge-2/0/0.15 up down aenet -- reth1.15 à active interface down ge-2/0/0.20 up down aenet -- reth1.20 ge-2/0/0.32767 up down aenet -- reth1.32767 ge-2/0/1.5 up up aenet -- reth0.5 ge-2/0/1.32767 up up aenet -- reth0.32767 ge-11/0/0.15 up up aenet -- reth1.15 ge-11/0/0.20 up up aenet -- reth1.20 ge-11/0/0.32767 up up aenet -- reth1.32767 ge-11/0/1.5 up up aenet -- reth0.5 ge-11/0/1.32767 up up aenet -- reth0.32767 reth0 up down reth0.5 up down inet 172.16.0.2/30 reth0.32767 up down reth1 up down reth1.15 up down inet 192.168.0.2/30 reth1.20 up down inet 192.168.1.2/30 reth1.32767 up down Any suggestions? BR, ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] SRX650 Clustering Issue
Just add the additional interfaces to the reth interface. No need for AE interface. You configure LACP under reth interface.. On Wed, Mar 9, 2011 at 10:29 AM, Walaa Abdel razzak wala...@bmc.com.sawrote: Thanks All Now if I need to configure the reth interface using ae interface instead of physical interface as I need more than one gig on each node. The problem is that I can't issue the command to join ae0 to reth0 as follows: admin@FW1# set interfaces ae0 aggregated-ether-options ? Possible completions: + apply-groups Groups from which to inherit configuration data + apply-groups-except Don't inherit configuration data from these groups ethernet-switch-profile Ethernet virtual LAN/media access control-level options flow-control Enable flow control lacp Link Aggregation Control Protocol configuration link-protection Enable link protection mode link-speed Link speed of individual interface that joins the AE loopback Enable loopback minimum-linksMinimum number of aggregated links (1..8) no-flow-control Don't enable flow control no-link-protection Don't enable link protection mode no-loopback Don't enable loopback Note: The target is to have more than one gig link for each node and load balance between them, I tried to use ae0 interface as mentioned above but it didn't work. Any other ideas are welcomed. BR, -Original Message- From: Stefan Fouant [mailto:sfou...@shortestpathfirst.net] Sent: Wednesday, March 09, 2011 3:26 PM To: Walaa Abdel razzak Cc: Ben Dale; juniper-nsp@puck.nether.net Subject: Re: [j-nsp] SRX650 Clustering Issue You do not need to configure an IP address on the fab link for proper operation. Stefan Fouant Sent from my iPad On Mar 9, 2011, at 2:16 AM, Walaa Abdel razzak wala...@bmc.com.sa wrote: Thanks, Now HA is configured, but regarding the fab link, is it necessary to have L3 address or not. BR, -Original Message- From: Ben Dale [mailto:bd...@comlinx.com.au] Sent: Sunday, March 06, 2011 12:12 PM To: Walaa Abdel razzak Cc: Scott T. Cameron; juniper-nsp@puck.nether.net Subject: Re: [j-nsp] SRX650 Clustering Issue This is a pretty common error when you are bringing pre-configured devices together in a chassis cluster. My advice would be to run the following from edit mode on each box: delete interfaces delete vlans delete security delete protocols Then commit and cable them together (control AND fabric). If you've run the set chassis cluster command correctly, the boxes should now come together. After that you should be able to make all configuration changes from the primary box, so the assign fabric interfaces: set interfaces fab0 fabric-options member-interfaces ge-0/0/2 set interfaces fab1 fabric-options member-interfaces ge-5/0/2 And then build some redundancy groups set chassis cluster control-link-recovery set chassis cluster reth-count 15 set chassis cluster redundancy-group 0 node 0 priority 100 set chassis cluster redundancy-group 0 node 1 priority 1 set chassis cluster redundancy-group 1 node 0 priority 100 set chassis cluster redundancy-group 1 node 1 priority 1 set chassis cluster redundancy-group 1 preempt then build reth interfaces and assign them to redundancy groups etc. On 06/03/2011, at 12:17 AM, Walaa Abdel razzak wrote: Hi Scott The old configuration was test config (very simple) like hostname, aggregate ethernet,.as its fresh FW. After enabling clusterign using the standard command set chassis clustering..and reboot, we got the following: {hold:node0} root@-FW1 edit warning: Clustering enabled; using private edit error: shared configuration database modified Please temporarily use 'configure shared' to commit outstanding changes in the shared database, exit, and return to configuration mode using 'configure' when I issue most commands I got the following: {hold:node0} root@-FW1 show version error: Could not connect to node0 : No route to host The JUNOS version is 10.3. Also here is a sample of Chassisd log: Mar 5 19:32:49 completed chassis state from ddl Mar 5 19:32:49 ch_set_non_stop_forwarding_cfg:Setting non-stop-forwarding to Disabled, source DDL Mar 5 19:32:49 ch_do_multichassis_overrides:Setting multichassis replication to Disabled Mar 5 19:32:49 config_do_overrides: Keepalives not set. Setting it to 300 secs Mar 5 19:32:49 if_init Mar 5 19:32:49 Skip cleaning pic state on LCC Mar 5 19:32:49 chassis_alarm_module_init Mar 5 19:32:49 timer_init Mar 5 19:32:49 main_snmp_init Mar 5 19:32:49 snmp_init: snmp_chassis_id = 0, chas_type = 1 Mar 5 19:32:49 chas_do_registration: or_obj = 0xdfe400, or_rows = 23 Mar 5 19:32:49 chas_do_registration: or_obj =
Re: [j-nsp] RPM Event Script - Attributes Help
cool, thanks for that! I was pulling that information later in the script anyway, might as well do it earlier. Thanks! On Tue, Mar 8, 2011 at 3:22 PM, Curtis Call cc...@juniper.net wrote: I'm writing an event-script based on RPM threshold exceeds/failures and can't seem to find the passed attributes anywhere. I found {$$.test- name} online, but nothing else. I'm looking for the rtt-jitter and rrt-max- delay values so I can pass them to the script. Anyone out there know them or know how I can find them? help syslog will tell you what attributes are available for a particular event, but it might be that Junos simply isn't sending that particular information through the event itself, in which case you could always request it by performing the appropriate show rpm command via jcs:invoke(). ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] Scripting - Redefining variables in For-each Loops
Experts, I'm in the process of not liking that you can't redefine variables in slax. I have need to add the values calculated inside of a for-each loop. Has anyone ever had to do that? Example of what I want for-each ( $result ) { $a = . + 1; $b = $b + a; } $result could be 200 results or 2. Is this possible in slax? Thanks in advance, Ben ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Scripting - Redefining variables in For-each Loops
sweet thanks! works like a charm On Tue, Mar 8, 2011 at 5:28 PM, Curtis Call cc...@juniper.net wrote: I have need to add the values calculated inside of a for-each loop. Has anyone ever had to do that? Example of what I want for-each ( $result ) { $a = . + 1; $b = $b + a; } You'll need to split this into multiple steps: var $values := { for-each( $result ) { value . + 1; } } var $b = sum( $values/value ); ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
[j-nsp] Simple Script Running
All, I'm trying to get a feel for op scripts in JUNOS and I can invoke commands, but I'm not seeing the output I thought I'd see (it looks like raw data). What I'd like to do is run a list of show commands with a script alias. Could someone point me in the right direction to be able to run like 5 'show' commands (with normal output) in a row with one simple command like 'op status' Thanks in advance, Ben ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] SRX Config Question
If the results of the show security policies detail operational command show the policies in the right order and allowing the right ports and show security nat static rule 214 looks like it's natting correctly, and removing the periods doesn't fix it, the only thing I can think of is that 192.168.1.214 isn't reachable from the SRX and the SRX is dropping the traffic. I typically start with an any any any permit to verify ping/trace through the SRX, then replace that with a narrowed down policy On Tue, Jun 22, 2010 at 12:06 PM, Brendan Mannella bmanne...@teraswitch.com wrote: I double checked i do have from zone untrust I will try updating the address book and remove the periods. Brendan Mannella President and CEO TeraSwitch Networks Inc. Office: 412.224.4333 x303 Toll-Free: 866.583.6338 Mobile: 412-592-7848 Efax: 412.202.7094 ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] SRX Config Question
The policy looks good, but your nat isn't translating. You have 0 translation hits. Your destination address is never changed to 192.169.1.214 which is why your policy is never invoked. Is 192.168.1.214 reachable from the SRX? I would say check previous nat rules, but the position of this one is 1. -Ben On Tue, Jun 22, 2010 at 1:00 PM, Brendan Mannella bmanne...@teraswitch.comwrote: Ok i updated the address book from . to _ Below is the output of the commands, i havent had a chance to retest with the updated address book to see if that does it, i will let you know. The Nat and polices look ok.. r...@srx210 show security nat static rule all Total static-nat rules: 58 Static NAT rule: 51 Rule-set: static Rule-Id: 1 Rule position : 1 From zone : untrust Destination addresses : 111.111.111.214 (external public ip) Host addresses : 192.168.1.214 Netmask: 255.255.255.255 Host routing-instance : N/A Translation hits : 0 r...@srx210 show security policies detail Default policy: deny-all Policy: trust-to-untrust, action-type: permit, State: enabled, Index: 4 Sequence number: 1 From zone: trust, To zone: untrust Source addresses: any: 0.0.0.0/0 Destination addresses: any: 0.0.0.0/0 Application: any IP protocol: 0, ALG: 0, Inactivity timeout: 0 Source port range: [0-0] Destination port range: [0-0] Policy: 240-214, action-type: permit, State: enabled, Index: 5 Sequence number: 1 From zone: untrust, To zone: trust Source addresses: any: 0.0.0.0/0 Destination addresses: 192_168_1_214: 192.168.1.214/32 Application: rdp IP protocol: tcp, ALG: 0, Inactivity timeout: 1800 Source port range: [0-0] Destination port range: [3389-3389] Application: junos-dns-udp IP protocol: udp, ALG: dns, Inactivity timeout: 60 Source port range: [0-0] Destination port range: [53-53] Application: junos-ftp IP protocol: tcp, ALG: ftp, Inactivity timeout: 1800 Source port range: [0-0] Destination port range: [21-21] Application: junos-http IP protocol: tcp, ALG: 0, Inactivity timeout: 1800 Source port range: [0-0] Destination port range: [80-80] Application: junos-https IP protocol: tcp, ALG: 0, Inactivity timeout: 1800 Source port range: [0-0] Destination port range: [443-443] Application: junos-ms-sql IP protocol: tcp, ALG: 0, Inactivity timeout: 1800 Source port range: [0-0] Destination port range: [1433-1433] Session log: at-create, at-close ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] SRX Config Question
The system does default deny if you haven't specified a default policy action. set security policies default-policy permit-all As far as the policy is concerned, the policy is applied AFTER destination nat is performed and BEFORE source nat is performed. What is the output of 'show security policies' or 'show security policies from-zone untrust to-zone trust'? -Ben On Mon, Jun 21, 2010 at 1:18 PM, Brendan Mannella bmanne...@teraswitch.comwrote: Nope, i actually dont see any deny statements at all. Does the system, just deny everything thats not defined as allowed? Any other thing i should look at? Brendan Mannella President and CEO TeraSwitch Networks Inc. Office: 412.224.4333 x303 Toll-Free: 866.583.6338 Mobile: 412-592-7848 Efax: 412.202.7094 - Original Message - From: Scott T. Cameron routeh...@gmail.com To: juniper-nsp juniper-nsp@puck.nether.net Sent: Monday, June 21, 2010 1:35:06 PM Subject: Re: [j-nsp] SRX Config Question Your rules actually seem fine at a glance. Are those the only rules in your system? No deny that might otherwise be blocking the traffic? I also migrated from ScreenOS and ditched all the old catch-all denies that I had at the bottom of zone policies because they don't work the same way in JunOS land. You're right, you run the policies against the post-translated address, not the pre-translated. The NAT is separate entirely from policies. scott On Mon, Jun 21, 2010 at 12:54 PM, Brendan Mannella bmanne...@teraswitch.com wrote: Yes that makes sense. And the policy pre srx was like this. But I am almost positive I read somewhere the srx was different in that the policy is looked at post NAT and so the private ip should be used. I will give that a shot though. Brendan Mannella TeraSwitch Networks Inc. Office: 412.224.4333 x303 Mobile: 412.592.7848 Efax: 412.202.7094 On Jun 21, 2010, at 12:50 PM, Stefan Fouant sfou...@shortestpathfirst.net wrote: -Original Message- From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp- boun...@puck.nether.net] On Behalf Of Brendan Mannella Sent: Monday, June 21, 2010 11:20 AM To: juniper-nsp Subject: [j-nsp] SRX Config Question So main issue is the firewall does not seem to allow any incoming traffic on the ports i opened below on the policies. Anyone have any ideas what i am missing? Hi Brendan, How are things? I could be wrong, but I believe the issue is with the untrust-to-trust policy where you are matching on destination-address 192.168.1.214: from-zone untrust to-zone trust { policy 240-51 { match { source-address any; destination-address 192.168.1.214; application [ rdp junos-dns-udp junos-ftp junos-http junos-https junos-ms-sql ]; } I believe in order for this to work you are going to need to make the destination-address 111.111.111.214. This will cause it to vector off into the NAT policy which will translate from 111.111.111.214 to 192.168.1.214. I think you might also need to use an address book entry whereby you put the pre-natted address (111.111.111.214) into your trust zone as well. Feel free to contact me offline if you'd like additional assistance. HTHs. Stefan Fouant, CISSP, JNCIEx2 www.shortestpathfirst.net GPG Key ID: 0xB5E3803D ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] SRX Config Question
I noticed you didn't include all of the nat config.make sure you have the from-zone configured for the static nat rule-set... ex. set security nat static rule-set natting from zone untrust set security nat static rule-set natting rule 214 match destination-address 111.111.111.214/32 set security nat static rule-set natting rule 214 then static-nat prefix 192.168.1.214/32 I've also noticed strange things when using . inside of an address-book address. I use _ instead. -Ben On Mon, Jun 21, 2010 at 2:57 PM, ben b benboyd.li...@gmail.com wrote: The system does default deny if you haven't specified a default policy action. set security policies default-policy permit-all As far as the policy is concerned, the policy is applied AFTER destination nat is performed and BEFORE source nat is performed. What is the output of 'show security policies' or 'show security policies from-zone untrust to-zone trust'? -Ben On Mon, Jun 21, 2010 at 1:18 PM, Brendan Mannella bmanne...@teraswitch.com wrote: Nope, i actually dont see any deny statements at all. Does the system, just deny everything thats not defined as allowed? Any other thing i should look at? Brendan Mannella President and CEO TeraSwitch Networks Inc. Office: 412.224.4333 x303 Toll-Free: 866.583.6338 Mobile: 412-592-7848 Efax: 412.202.7094 - Original Message - From: Scott T. Cameron routeh...@gmail.com To: juniper-nsp juniper-nsp@puck.nether.net Sent: Monday, June 21, 2010 1:35:06 PM Subject: Re: [j-nsp] SRX Config Question Your rules actually seem fine at a glance. Are those the only rules in your system? No deny that might otherwise be blocking the traffic? I also migrated from ScreenOS and ditched all the old catch-all denies that I had at the bottom of zone policies because they don't work the same way in JunOS land. You're right, you run the policies against the post-translated address, not the pre-translated. The NAT is separate entirely from policies. scott On Mon, Jun 21, 2010 at 12:54 PM, Brendan Mannella bmanne...@teraswitch.com wrote: Yes that makes sense. And the policy pre srx was like this. But I am almost positive I read somewhere the srx was different in that the policy is looked at post NAT and so the private ip should be used. I will give that a shot though. Brendan Mannella TeraSwitch Networks Inc. Office: 412.224.4333 x303 Mobile: 412.592.7848 Efax: 412.202.7094 On Jun 21, 2010, at 12:50 PM, Stefan Fouant sfou...@shortestpathfirst.net wrote: -Original Message- From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp- boun...@puck.nether.net] On Behalf Of Brendan Mannella Sent: Monday, June 21, 2010 11:20 AM To: juniper-nsp Subject: [j-nsp] SRX Config Question So main issue is the firewall does not seem to allow any incoming traffic on the ports i opened below on the policies. Anyone have any ideas what i am missing? Hi Brendan, How are things? I could be wrong, but I believe the issue is with the untrust-to-trust policy where you are matching on destination-address 192.168.1.214: from-zone untrust to-zone trust { policy 240-51 { match { source-address any; destination-address 192.168.1.214; application [ rdp junos-dns-udp junos-ftp junos-http junos-https junos-ms-sql ]; } I believe in order for this to work you are going to need to make the destination-address 111.111.111.214. This will cause it to vector off into the NAT policy which will translate from 111.111.111.214 to 192.168.1.214. I think you might also need to use an address book entry whereby you put the pre-natted address (111.111.111.214) into your trust zone as well. Feel free to contact me offline if you'd like additional assistance. HTHs. Stefan Fouant, CISSP, JNCIEx2 www.shortestpathfirst.net GPG Key ID: 0xB5E3803D ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] SRX Config Question
the rule-set won't be natting, it'll be whatever rule-set rule 214 exists in -Ben On Mon, Jun 21, 2010 at 3:13 PM, Brendan Mannella bmanne...@teraswitch.comwrote: I have to double check but i might have missed set security nat static rule-set natting from zone untrust... I will double check and update the list. - Original Message - From: ben b benboyd.li...@gmail.com To: Brendan Mannella bmanne...@teraswitch.com Cc: Scott T. Cameron routeh...@gmail.com, juniper-nsp juniper-nsp@puck.nether.net Sent: Monday, June 21, 2010 4:10:43 PM Subject: Re: [j-nsp] SRX Config Question I noticed you didn't include all of the nat config.make sure you have the from-zone configured for the static nat rule-set... ex. set security nat static rule-set natting from zone untrust set security nat static rule-set natting rule 214 match destination-address 111.111.111.214/32 set security nat static rule-set natting rule 214 then static-nat prefix 192.168.1.214/32 I've also noticed strange things when using . inside of an address-book address. I use _ instead. -Ben On Mon, Jun 21, 2010 at 2:57 PM, ben b benboyd.li...@gmail.com wrote: The system does default deny if you haven't specified a default policy action. set security policies default-policy permit-all As far as the policy is concerned, the policy is applied AFTER destination nat is performed and BEFORE source nat is performed. What is the output of 'show security policies' or 'show security policies from-zone untrust to-zone trust'? -Ben On Mon, Jun 21, 2010 at 1:18 PM, Brendan Mannella bmanne...@teraswitch.com wrote: Nope, i actually dont see any deny statements at all. Does the system, just deny everything thats not defined as allowed? Any other thing i should look at? Brendan Mannella President and CEO TeraSwitch Networks Inc. Office: 412.224.4333 x303 Toll-Free: 866.583.6338 Mobile: 412-592-7848 Efax: 412.202.7094 - Original Message - From: Scott T. Cameron routeh...@gmail.com To: juniper-nsp juniper-nsp@puck.nether.net Sent: Monday, June 21, 2010 1:35:06 PM Subject: Re: [j-nsp] SRX Config Question Your rules actually seem fine at a glance. Are those the only rules in your system? No deny that might otherwise be blocking the traffic? I also migrated from ScreenOS and ditched all the old catch-all denies that I had at the bottom of zone policies because they don't work the same way in JunOS land. You're right, you run the policies against the post-translated address, not the pre-translated. The NAT is separate entirely from policies. scott On Mon, Jun 21, 2010 at 12:54 PM, Brendan Mannella bmanne...@teraswitch.com wrote: Yes that makes sense. And the policy pre srx was like this. But I am almost positive I read somewhere the srx was different in that the policy is looked at post NAT and so the private ip should be used. I will give that a shot though. Brendan Mannella TeraSwitch Networks Inc. Office: 412.224.4333 x303 Mobile: 412.592.7848 Efax: 412.202.7094 On Jun 21, 2010, at 12:50 PM, Stefan Fouant sfou...@shortestpathfirst.net wrote: -Original Message- From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp- boun...@puck.nether.net] On Behalf Of Brendan Mannella Sent: Monday, June 21, 2010 11:20 AM To: juniper-nsp Subject: [j-nsp] SRX Config Question So main issue is the firewall does not seem to allow any incoming traffic on the ports i opened below on the policies. Anyone have any ideas what i am missing? Hi Brendan, How are things? I could be wrong, but I believe the issue is with the untrust-to-trust policy where you are matching on destination-address 192.168.1.214: from-zone untrust to-zone trust { policy 240-51 { match { source-address any; destination-address 192.168.1.214; application [ rdp junos-dns-udp junos-ftp junos-http junos-https junos-ms-sql ]; } I believe in order for this to work you are going to need to make the destination-address 111.111.111.214. This will cause it to vector off into the NAT policy which will translate from 111.111.111.214 to 192.168.1.214. I think you might also need to use an address book entry whereby you put the pre-natted address (111.111.111.214) into your trust zone as well. Feel free to contact me offline if you'd like additional assistance. HTHs. Stefan Fouant, CISSP, JNCIEx2 www.shortestpathfirst.net GPG Key ID: 0xB5E3803D ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https
Re: [j-nsp] Bridge Domain
and on the non branch SRX series which is based on the MX arch On Sat, May 29, 2010 at 12:21 AM, Chen Jiang iloveb...@gmail.com wrote: no, only MX family support virtual switch. On Fri, May 28, 2010 at 10:35 PM, Jay Hanke jha...@myclearwave.net wrote: What equipment at the low end supports a virtual switch with a bridge domains? Does the J-series? Thanks, Jay ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp -- BR! James Chen ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp