Re: [j-nsp] SRX gui

2012-03-05 Thread Chris Kawchuk
> I can't compare j-web performance between branch and DC series. Never used jweb on branch.. It's just as slow. - CK.

Re: [j-nsp] SRX gui

2012-03-05 Thread Pierre-Yves Maunier
CLI was a nightmare on ScreenOS so at the time I used the web interface which was ok in terms of reactivity. Since we switched to Junos (first with Junos with Enhanced Services) we went to the CLI (like we do for all our routers) because: - the GUI is very slow (on all systems I tested so far, J23

Re: [j-nsp] SRX gui

2012-03-05 Thread Misha Gzirishvili
Hi David, about your question on bigger ones: I recently used j-web on srx 3k and it is slow... I can't compare j-web performance between branch and DC series. Never used jweb on branch.. On Mar 6, 2012 5:53 AM, "David Klein" wrote: > Just curious about your experiences with the SRX J-Web GU

Re: [j-nsp] SRX gui

2012-03-05 Thread Brent Jones
On Mon, Mar 5, 2012 at 4:58 PM, David Klein wrote: > Just curious about your experiences with the SRX J-Web GUI. > We have been testing the SRX-210 for a couple of years and have noticed that the GUI is very slow to load and configure compared to an SSG5. > We're running the S

[j-nsp] SRX gui

2012-03-05 Thread David Klein
Just curious about your experiences with the SRX J-Web GUI. We have been testing the SRX-210 for a couple of years and have noticed that the GUI is very slow to load and configure compared to an SSG5. We're running the SRX at OS 11.4R1.6; the SSG5 at 6.2.0r5. Is it just the GUI on th

Re: [j-nsp] SRX240 - ready for prime time?

2012-03-05 Thread TCIS List Acct
Thanks for all of the responses. A few more questions: - Can the L2 switch "feature" on the SRX240 be used when I have a pair of appliances in HA mode? The docs seem to be conflicting on this -- it appears that it may be supported in 11.x? - Can the SRX be used as a multi-tenant firewall t

Re: [j-nsp] SRX240 - ready for prime time?

2012-03-05 Thread Tim Eberhard
Having dealt with the SRX through some very trying times (from early alpha boxes running on SSG) to current 11.x code I have to say the SRX has come a long long way. The 9.x code train and even well into 10.x saw some pretty big bugs with HA, VPN and other critical features. I have to say 10.4 an

Re: [j-nsp] SRX240 - ready for prime time?

2012-03-05 Thread Brent Jones
On Mon, Mar 5, 2012 at 3:28 PM, TCIS List Acct wrote: > Over the past few years the general feeling I've gotten reading j-nsp and > elsewhere was to stay away from the SRX line until the code matured. We've > got an upcoming project that I'm considering using a SRX 240 for. > > Has the code matur

Re: [j-nsp] SRX240 - ready for prime time?

2012-03-05 Thread OBrien, Will
Yes. I've got several deployed in those roles. Will O'Brien On Mar 5, 2012, at 5:28 PM, "TCIS List Acct" wrote: > Over the past few years the general feeling I've gotten reading j-nsp and > elsewhere was to stay away from the SRX line until the code matured. We've > got an upcoming project t

[j-nsp] SRX240 - ready for prime time?

2012-03-05 Thread TCIS List Acct
Over the past few years the general feeling I've gotten reading j-nsp and elsewhere was to stay away from the SRX line until the code matured. We've got an upcoming project that I'm considering using a SRX 240 for. Has the code matured to the point that it can be considered a stable platform

Re: [j-nsp] Dual Stack Aggregate Policing via Firewall Filter

2012-03-05 Thread Devin Kennedy
Hi Stefan: Thanks again for your input. It looks like it won't take this command either on the SRX... See below when configuring the physical-interface-policer: juniper@SRX210-1-ipv6# edit firewall policer cos1_drop_80_out_small [edit firewall policer cos1_drop_80_out_small] juniper@S

Re: [j-nsp] Firewall filter using a prefix-list, not updating

2012-03-05 Thread David Gee
Hi all, Thanks for the advice and information. Very much appreciated. I'll forward on to the JTAC and see where I get. All the best, David

[j-nsp] M20: Adding a second RE

2012-03-05 Thread Juniper GOWEX
Hello, We purchased a second RE600 (we had only one RE600). Does anyone know a procedure for adding a second RE? The new RE has the same version and configuration as the RE installed. Do you have any recommendations of previous changes in the configuration? PS: Junos 7.3R1.4. Thanks, Is

Re: [j-nsp] Firewall filter using a prefix-list, not updating

2012-03-05 Thread Saku Ytti
On (2012-03-05 10:47 -0500), Justin M. Streiner wrote: > With this in mind, do you have any recommendations for deploying a > sane IPv6 ingress/egress filter policy on Juniper gear? Try to make IPv6 rules where ultimate address matching rule is deny. So if you are doing iACL, allow UDP high ports

Re: [j-nsp] Firewall filter using a prefix-list, not updating

2012-03-05 Thread Justin M. Streiner
On Mon, 5 Mar 2012, Saku Ytti wrote: So maybe you're stopping your DSL users from spamming by allowing TCP/25 to your SMTPd and then denying other TCP/25 then allowing rest. This should not be done in JunOS in IPv6, as it can be easily bypassed. Or any other situation, where you deny something a

Re: [j-nsp] Firewall filter using a prefix-list, not updating

2012-03-05 Thread Saku Ytti
On (2012-03-05 10:13 -0500), Adam Leff wrote: > next-header tcp; > destination-port ssh; Bear in mind that you cannot use these in 'deny' context for security purposes, as bypassing them is as trivial as adding extension header between TCP and IPv6. So maybe you're stopping your
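The two filter shapes discussed above (Saku's warning here, and his iACL advice in the later reply), written out as an added example that is not from the original thread. Every name and address in it is assumed for illustration: the filter names, the prefix-lists INFRA-V6 and BGP-PEERS-V6, and the 2001:db8::/32 documentation addresses. SMTP-WEAK is the pattern Saku says not to use; INFRA-V6 is the deny-by-address pattern he recommends. Whether a given platform and release classifies next-header by looking only at the first header or by walking the extension-header chain is not something this example can settle, and that is exactly why the second filter does not depend on it.

```junos
firewall {
    family inet6 {
        /* WEAK: the deny term keys on next-header tcp. If the filter only
           inspects the first next-header value, a packet that inserts a
           Destination Options (or other) extension header before TCP is not
           seen as TCP, skips DENY-OTHER-SMTP and is accepted by ALLOW-REST.
           The "deny specific protocol, then allow everything" order fails open. */
        filter SMTP-WEAK {
            term ALLOW-SMTP-TO-RELAY {
                from {
                    destination-address {
                        2001:db8:0:1::25/128;       /* assumed relay address */
                    }
                    next-header tcp;
                    destination-port smtp;
                }
                then accept;
            }
            term DENY-OTHER-SMTP {
                from {
                    next-header tcp;
                    destination-port smtp;
                }
                then {
                    count smtp-denied;
                    discard;
                }
            }
            term ALLOW-REST {
                then accept;
            }
        }

        /* iACL as recommended in the thread: enumerate what infrastructure
           addresses may receive, then the last term that matches the
           infrastructure prefix matches on address ONLY. An extension-header
           trick can at worst turn a permitted packet into a dropped one. */
        filter INFRA-V6 {
            term ALLOW-BGP-FROM-PEERS {
                from {
                    source-prefix-list {
                        BGP-PEERS-V6;
                    }
                    destination-prefix-list {
                        INFRA-V6;
                    }
                    next-header tcp;
                    port bgp;
                }
                then accept;
            }
            term ALLOW-ICMPV6 {
                from {
                    destination-prefix-list {
                        INFRA-V6;
                    }
                    next-header icmp6;
                }
                then accept;
            }
            term ALLOW-TRACEROUTE {
                /* the "UDP high ports" Saku mentions */
                from {
                    destination-prefix-list {
                        INFRA-V6;
                    }
                    next-header udp;
                    destination-port 33434-33534;
                }
                then accept;
            }
            term DENY-INFRA {
                from {
                    destination-prefix-list {
                        INFRA-V6;
                    }
                }
                then {
                    count infra-denied;
                    discard;
                }
            }
            term ALLOW-TRANSIT {
                then accept;
            }
        }
    }
}
policy-options {
    prefix-list INFRA-V6 {
        2001:db8:ffff::/48;                  /* assumed infrastructure prefix */
    }
    prefix-list BGP-PEERS-V6 {
        2001:db8:ffff:1::2/128;              /* assumed peer addresses */
        2001:db8:ffff:1::3/128;
    }
}
```

Apply INFRA-V6 as an input filter on the edge interfaces and compare the `infra-denied` counter before and after sending test traffic with an extension header inserted: with the deny-by-address design the packet lands in DENY-INFRA instead of in the catch-all accept. Some later releases and platforms add a `payload-protocol` match for inet6 filters that is meant to look past extension headers; check the release notes for your hardware before relying on it, and keep the address-only deny term regardless.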

Re: [j-nsp] Firewall filter using a prefix-list, not updating

2012-03-05 Thread Adam Leff
Perhaps I'm wrong, but I think you're looking for "next-header" for your protocol match. term T1 { from { next-header tcp; destination-port ssh; } then { count T1; accept; } } ~Adam On Mon, Mar 5, 2012 at 9:44 AM, Justin M. Streiner wrote: > On S

Re: [j-nsp] Firewall filter using a prefix-list, not updating

2012-03-05 Thread Justin M. Streiner
On Sun, 4 Mar 2012, Richard A Steenbergen wrote: Depends on your definition of "normal". I run into firewall bugs like this all the time these days (probably on my 6th one in the last 2 years). When in doubt, remove the filter and re-apply, this causes a data structure rebuild on the hw and make

Re: [j-nsp] Help with vpn srx - asa

2012-03-05 Thread bizza
On Mon, Mar 5, 2012 at 2:55 PM, Ben Dale wrote: > If that is the actual config off the ASA, then another thing that may be > affecting connectivity: > >> crypto map foo 5 match address MYACL >> crypto map foo 5 set pfs < >> crypto map foo 5 set peer x.y.w.z >> crypto map foo 5 set transfo

Re: [j-nsp] Help with vpn srx - asa

2012-03-05 Thread Ben Dale
If that is the actual config off the ASA, then another thing that may be affecting connectivity: > crypto map foo 5 match address MYACL > crypto map foo 5 set pfs < > crypto map foo 5 set peer x.y.w.z > crypto map foo 5 set transform-set ipsec-p2 > crypto map foo interface outside you ha

Re: [j-nsp] Help with vpn srx - asa

2012-03-05 Thread Per Westerlund
The ASAs are usually quite picky about Proxy-ID, and since you haven't specified one, the SRX will use "any, any, any" (all 0). That kind of Proxy-ID (or lack of) usually works well when you are using a route-based setup. The ASA on the other hand (almost) always uses policy-based VPN, where you

Re: [j-nsp] Help with vpn srx - asa

2012-03-05 Thread Ben Dale
On 05/03/2012, at 9:57 PM, bizza wrote: >gateway gw_vpn2remote { >ike-policy ike_pol_vpn2remote; >address X.Y.W.Z; >local-identity inet A.B.C.D; >external-interface fe-0/0/7.0; >version v1-only; >} In your IKE gateway con

Re: [j-nsp] Help with vpn srx - asa

2012-03-05 Thread bizza
On Mon, Mar 5, 2012 at 1:28 PM, Asad Raza wrote: > Hi Marco, > > I see that you are using a custom proposal in phase-1 but using compatible > in phase-2, that could be the problem. You need to define exact proposal in > phase-2 as well. Could you confirm if proposal mismatch is in phase-1 (ike) > o

Re: [j-nsp] Help with vpn srx - asa

2012-03-05 Thread Asad Raza
Hi Marco, I see that you are using a custom proposal in phase-1 but using compatible in phase-2, that could be the problem. You need to define exact proposal in phase-2 as well. Could you confirm if proposal mismatch is in phase-1 (ike) or phase-2 (ipsec) to be more specific? regards, Asad On Mo
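The three fixes raised in this thread (an explicit phase-2 proposal instead of the compatible set, PFS on the SRX to match the ASA's "set pfs", and a Proxy-ID that mirrors the ASA crypto-map ACL) put together in one route-based SRX configuration. This is an added example, not the poster's configuration (which is cut off above) and not taken from either vendor's documentation. All names are assumed (IKE-P1, IKE-POL, GW-ASA, IPSEC-P2, IPSEC-POL, VPN-ASA), the addresses are documentation prefixes, and the pre-shared key is a placeholder.

```junos
security {
    ike {
        proposal IKE-P1 {
            authentication-method pre-shared-keys;
            dh-group group5;
            authentication-algorithm sha-256;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 86400;
        }
        policy IKE-POL {
            mode main;
            proposals IKE-P1;
            pre-shared-key ascii-text "REPLACE-ME";   /* placeholder, not a real key */
        }
        gateway GW-ASA {
            ike-policy IKE-POL;
            address 203.0.113.2;                   /* assumed ASA outside address */
            local-identity inet 198.51.100.1;      /* assumed SRX external address */
            external-interface ge-0/0/0.0;
            version v1-only;
        }
    }
    ipsec {
        /* Explicit phase-2 proposal rather than "proposal-set compatible",
           so the SRX offers exactly what the ASA transform-set expects. */
        proposal IPSEC-P2 {
            protocol esp;
            authentication-algorithm hmac-sha-256-128;
            encryption-algorithm aes-256-cbc;
            lifetime-seconds 3600;
        }
        policy IPSEC-POL {
            /* Only because the ASA crypto map carries "set pfs"; the DH
               group must match the group the ASA uses for PFS. */
            perfect-forward-secrecy {
                keys group5;
            }
            proposals IPSEC-P2;
        }
        vpn VPN-ASA {
            bind-interface st0.0;
            ike {
                gateway GW-ASA;
                /* Without this the SRX proposes any/any/any, which a
                   policy-based ASA rejects. local/remote must be the exact
                   mirror image of the ASA crypto-map ACL. */
                proxy-identity {
                    local 10.10.0.0/24;            /* assumed SRX-side subnet */
                    remote 10.20.0.0/24;           /* assumed ASA-side subnet */
                    service any;
                }
                ipsec-policy IPSEC-POL;
            }
            establish-tunnels immediately;
        }
    }
}
interfaces {
    st0 {
        unit 0 {
            family inet;
        }
    }
}
routing-options {
    static {
        route 10.20.0.0/24 next-hop st0.0;
    }
}
```

On the ASA side the crypto-map ACL must permit ip from the remote subnet to the local subnet in the same order as the SRX sees it reversed (here 10.20.0.0/24 to 10.10.0.0/24), with a single ACL entry, because one route-based SRX vpn carries one proxy-identity. To tell a phase-1 from a phase-2 failure, as Asad asks, check `show security ike security-associations` first: if no IKE SA is up the mismatch is in the proposal or identities under `security ike`; if the IKE SA is up but `show security ipsec security-associations` is empty, the problem is the phase-2 proposal, PFS or Proxy-ID.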

[j-nsp] Help with vpn srx - asa

2012-03-05 Thread bizza
Hi, I have some problems configuring a VPN between an SRX and a Cisco ASA. This is my configuration: ike { proposal trans-vpn { authentication-method pre-shared-keys; dh-group group5; authentication-algorithm sha-256; encryption-algorit

Re: [j-nsp] 100Base-LX10 and MX80

2012-03-05 Thread Daniel Roesen
On Sun, Mar 04, 2012 at 11:10:54PM -0600, Richard A Steenbergen wrote: > My personal recollection is that MX back in the DPC days only supported > 1000. Depends. Some DPCs were multirate (e.g. the 2x10GE + 20x1GE combos). > I could probably go dust off some documentation on the internals > of t