As it stands, Juniper SRX (version 11.1R1.10) only supports DynDNS (DDNS) via the use of an automation script.
Configuration
This script can be downloaded here. Once you have downloaded the script, transfer it to the SRX directory /var/db/scripts/event/. Finally, configure your SRX via the following commands:
set system services apply-macro dyndns-client1 hostname XXX.dyndns.org
set …
Within this article we will look at the various steps required to debug a Site-to-Site VPN on an SRX series gateway.
1. Confirm Configuration
First of all, check the VPN configuration. This is also useful if and when you need to confirm the Phase 1 and Phase 2 parameters with the remote end. …
Issue
When trying to connect via Dynamic VPN, your client displays the following error: IKE Negotiations Failed
Within the output of the IKE debug logs you see the following error (code 14 is the IKE NO-PROPOSAL-CHOSEN notification, i.e. none of the proposals offered by the client matched those configured on the gateway):
Jul 26 11:35:46 ike_st_i_n: Start, doi = 1, protocol = 1, code = No proposal chosen (14), spi[0..0] = 00000000 00000000 …, data[0..0] …
To configure a global deny statement for all your policy entries the following commands are used.
set groups global-policy security policies from-zone <*> to-zone <*> policy default-logdrop match source-address any
set groups global-policy security policies from-zone <*> to-zone <*> policy default-logdrop match destination-address any
set groups global-policy security policies from-zone <*> to-zone <*> policy default-logdrop …
Below details the necessary commands required to enable global logging on all security policies.
set groups global-logging security policies from-zone <*> to-zone <*> policy <*> then log session-init
set security policies apply-groups global-logging
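The two config groups above (the global default-logdrop policy and the global session-init logging group) are meant to be used together. The following is an added, complete example of that combination and is not configuration taken from the original articles; the group and policy names follow the excerpts above, while the deny/count actions, the default-policy statement and the verification commands are standard Junos syntax added here. The point of the explicit last policy is that the built-in default deny drops traffic silently, whereas an explicit catch-all can be logged and counted.

```junos
# Added example: explicit, logged default deny on every zone pair (Junos 11.x set syntax, assumed).
# The implicit default-policy (deny-all) never logs; an explicit final policy does.
set groups global-policy security policies from-zone <*> to-zone <*> policy default-logdrop match source-address any
set groups global-policy security policies from-zone <*> to-zone <*> policy default-logdrop match destination-address any
set groups global-policy security policies from-zone <*> to-zone <*> policy default-logdrop match application any
set groups global-policy security policies from-zone <*> to-zone <*> policy default-logdrop then deny
set groups global-policy security policies from-zone <*> to-zone <*> policy default-logdrop then log session-init
set groups global-policy security policies from-zone <*> to-zone <*> policy default-logdrop then count

# Log session setup on every other policy as well (the global-logging group from the article).
set groups global-logging security policies from-zone <*> to-zone <*> policy <*> then log session-init

# Inherit both groups into the active policy set.
set security policies apply-groups [ global-policy global-logging ]

# Keep the implicit default at deny too, so nothing is permitted if a group is ever deleted.
set security policies default-policy deny-all

# Verify after commit: the inherited default-logdrop policy must be the LAST policy in each
# zone pair; any permit policy listed below it could never match.
#   show security policies
#   show security policies | display inheritance
```

Policies inherited from a config group are appended after the explicitly configured policies for each zone pair, which is what makes the wildcard group usable as a catch-all; the `show security policies` check above is still worth running after every commit, because a policy that lands below the deny is silently dead.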
By default IPv4 Path MTU discovery is enabled. However, all PMTU options can be found under [set system internet-options …].
root@srx100# set system internet-options ?
Possible completions:
+ apply-groups            Groups from which to inherit configuration data
+ apply-groups-except     Don't inherit configuration data from these groups
  gre-path-mtu-discovery  Enable path MTU discovery for GRE tunnels
> icmpv4-rate-limit       Rate-limiting parameters for ICMPv4 messages
> …
Within this article we will show the commands required to restrict and secure management access to your Juniper SRX series gateway. Note: the following syntax/configuration has been tested with a PPPoE setup.
Configure Addresses
First of all, the addresses that are allowed management access to the device are configured. This also includes any DNS …
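As an added example of the approach described above (restricting management to a fixed set of addresses on an SRX behind PPPoE), here is one complete, self-contained configuration. It is not the article's own configuration: the management addresses 203.0.113.10/32 and 192.168.1.0/24, the PPPoE interface pp0.0, the zone names trust/untrust, and the filter, term and prefix-list names are all placeholders chosen for this example.

```junos
# Added example (not from the article). Assumptions: remote admin host 203.0.113.10/32,
# LAN 192.168.1.0/24, PPPoE untrust interface pp0.0, zones named trust and untrust.

# 1. Only offer hardened management services: SSHv2 with no root login, HTTPS instead of HTTP, no telnet.
set system services ssh protocol-version v2
set system services ssh root-login deny
set system services web-management https system-generated-certificate
delete system services web-management http
delete system services telnet

# 2. Addresses permitted to manage the device.
set policy-options prefix-list MGMT-HOSTS 203.0.113.10/32
set policy-options prefix-list MGMT-HOSTS 192.168.1.0/24

# 3. Loopback filter: SSH/HTTPS to the device itself is accepted only from MGMT-HOSTS, any other
#    attempt is counted, syslogged and discarded, and everything else destined to the device
#    (IKE, DNS/NTP replies, ICMP, ...) falls through untouched.
set firewall family inet filter PROTECT-RE term allow-mgmt from source-prefix-list MGMT-HOSTS
set firewall family inet filter PROTECT-RE term allow-mgmt from protocol tcp
set firewall family inet filter PROTECT-RE term allow-mgmt from destination-port [ ssh https ]
set firewall family inet filter PROTECT-RE term allow-mgmt then accept
set firewall family inet filter PROTECT-RE term block-mgmt from protocol tcp
set firewall family inet filter PROTECT-RE term block-mgmt from destination-port [ ssh https ]
set firewall family inet filter PROTECT-RE term block-mgmt then count mgmt-blocked
set firewall family inet filter PROTECT-RE term block-mgmt then syslog
set firewall family inet filter PROTECT-RE term block-mgmt then discard
set firewall family inet filter PROTECT-RE term allow-rest then accept
set interfaces lo0 unit 0 family inet filter input PROTECT-RE

# 4. Zone host-inbound-traffic: the flow engine drops traffic to the device unless the service is
#    listed, so only ssh is opened on the PPPoE interface; the LAN side gets ssh and https.
set security zones security-zone untrust interfaces pp0.0 host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services https

# Commit with a rollback timer when working remotely, then watch the block counter.
#   commit confirmed 5
#   show firewall filter PROTECT-RE
```

The two layers are deliberate: the zone host-inbound-traffic list decides which services the device answers at all on each interface, and the lo0 filter decides from where. A `commit confirmed` is the practical safeguard here, since a typo in either layer can lock out the session you are configuring from.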
Below provides the basic commands for configuring the date, time and NTP on your Juniper SRX gateway.
Configure the Time Zone
set system time-zone Europe/London
Configure NTP
set system ntp server 0.uk.pool.ntp.org prefer
set system ntp server 1.uk.pool.ntp.org
set system ntp server 2.uk.pool.ntp.org
Set the Time/Date
set date ntp 0.uk.pool.ntp.org
Confirm
user@switch> show ntp status
status=0644 leap_none, sync_ntp, 4 …
Within this article destination NAT is configured to port forward traffic through to multiple servers based upon the destination port. This type of NAT configuration is equivalent to a ScreenOS VIP. This example syntax is based upon the following setup:
172.16.1.2:2222 –> 192.168.1.5:22
172.16.1.2:3389 –> 192.168.1.6:3389
Configure Address Book
First the real addresses …
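The setup above (one external address, two external ports, two internal servers) as a complete added example. This is not the article's own configuration: it uses the addresses and ports from the setup above, but the untrust interface ge-0/0/0.0, the zone names trust/untrust, and the pool, rule-set, rule, address-book and policy names are assumptions made for this example.

```junos
# Added example (not the article's configuration). Assumptions: 172.16.1.2 is configured on
# untrust interface ge-0/0/0.0; zones are named trust and untrust; Junos 11.1 per-zone address books.

# Real (post-NAT) server addresses in the trust zone address book.
set security zones security-zone trust address-book address srv-ssh 192.168.1.5/32
set security zones security-zone trust address-book address srv-rdp 192.168.1.6/32

# Destination NAT pools: each translates both the address and the port.
set security nat destination pool dnat-ssh address 192.168.1.5/32 port 22
set security nat destination pool dnat-rdp address 192.168.1.6/32 port 3389

# Rule-set for traffic arriving from untrust; each rule keys on the external destination port.
set security nat destination rule-set dnat-untrust from zone untrust
set security nat destination rule-set dnat-untrust rule fwd-ssh match destination-address 172.16.1.2/32
set security nat destination rule-set dnat-untrust rule fwd-ssh match destination-port 2222
set security nat destination rule-set dnat-untrust rule fwd-ssh then destination-nat pool dnat-ssh
set security nat destination rule-set dnat-untrust rule fwd-rdp match destination-address 172.16.1.2/32
set security nat destination rule-set dnat-untrust rule fwd-rdp match destination-port 3389
set security nat destination rule-set dnat-untrust rule fwd-rdp then destination-nat pool dnat-rdp

# Only needed if 172.16.1.2 is NOT the address configured on ge-0/0/0.0 itself:
#   set security nat proxy-arp interface ge-0/0/0.0 address 172.16.1.2/32

# Security policy is evaluated AFTER destination NAT, so it must match the real address and the
# real application (junos-ssh = tcp/22, junos-ms-rdp = tcp/3389), not 172.16.1.2 or port 2222.
set security policies from-zone untrust to-zone trust policy allow-ssh-in match source-address any
set security policies from-zone untrust to-zone trust policy allow-ssh-in match destination-address srv-ssh
set security policies from-zone untrust to-zone trust policy allow-ssh-in match application junos-ssh
set security policies from-zone untrust to-zone trust policy allow-ssh-in then permit
set security policies from-zone untrust to-zone trust policy allow-ssh-in then log session-init
set security policies from-zone untrust to-zone trust policy allow-rdp-in match source-address any
set security policies from-zone untrust to-zone trust policy allow-rdp-in match destination-address srv-rdp
set security policies from-zone untrust to-zone trust policy allow-rdp-in match application junos-ms-rdp
set security policies from-zone untrust to-zone trust policy allow-rdp-in then permit
set security policies from-zone untrust to-zone trust policy allow-rdp-in then log session-init

# Verify that the rules are being hit and that sessions land on the real servers:
#   show security nat destination rule all
#   show security flow session destination-prefix 192.168.1.5
```

The most common mistake with this setup is writing the security policy against the external address or port; because the policy lookup happens after destination NAT, such a policy never matches and the forward silently fails. Note also that `source-address any` exposes SSH and RDP to every Internet host; where the client population is known, replace it with an address-book entry for those sources.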
Issue
VPN fails to route traffic through to the tunnel interface when using a Route-Based VPN on an SRX platform. The following is observed:
Both Phase 1 and Phase 2 are successfully establishing.
Traffic is being received inbound from the remote peer and decrypted successfully.
Multiple VPN policies are assigned to a single tunnel …
Traffic reporting on the Juniper Netscreen can be achieved via a number of methods. Various tools and features are available, such as the Netscreen Security Manager (NSM) and 3rd party applications, along with numerous reporting features on the device itself. This article will look at how to create traffic reports by using just 1. a Netscreen …
Below shows you the steps to configure a tunnel that will encapsulate your IPv6 traffic within an IPv4 tunnel. Please note: below uses the zone Work, which is the equivalent of Trust and contains eth1. Ethernet3 is the untrust interface.
Enable IPv6
Add the following command and then reboot your device: set …
A proxy-ID is used during phase 2 of Internet Key Exchange (IKE) Virtual Private Network (VPN) negotiations. Both ends of a VPN tunnel either have a proxy-ID manually configured (route-based VPN), or simply use a combination of source IP, destination IP and service from a tunnel policy (policy-based VPN). When phase 2 of IKE is negotiated, each …
You may find, when trying to download a file from your FTP server using Internet Explorer 6 with "Folder View" enabled and Passive FTP, that the file download will fail after a short time period. This can be due to Internet Explorer sending TCP packets with sequence numbers which are outside that of the …
Issue
When updating a device from the NSM, the Job Information dialog shows as successful. The Device Status shows as "In Sync" but the device does not show the new configuration, and an additional Delta Config Summarization shows that the NSM configuration is different to that of the device.
Cause
ScreenOS has a source/destination object …
Below shows you the basic configuration on how to create a VLAN trunk on a Netscreen firewall. A VLAN trunk is a term used to describe a collection of logical interfaces, each one being able to receive and decapsulate VLAN-tagged packets for its relevant VLAN. In this example our trunk will consist of 2 …
In order to reset a Netscreen back to factory default you will first need to connect via the console connection, because you will lose IP connectivity once you reset the device's configuration. You will then need to obtain the device's serial number, either from the device itself or from the CLI: netscreen-> …
In this example we will run through various steps to troubleshoot a Site-to-Site VPN.
Confirm General Details
This will give us a general overview of our VPN.
netscreen(M)-> get vpn
Name            Gateway         Mode RPlay 1st Proposal         Monitor Use Cnt Interface
--------------- --------------- ---- ----- -------------------- ------- ------- ----------
sitea_vpn       sitea           tunl Yes   g2-esp-3des-sha      …
Below is the list of all the commands (including the hidden commands) from a Netscreen NS5GT running ScreenOS 6.2.
set fips-mode enable
set fips-mode self-test afterkeygen
set fips-mode self-test interval
set key protection enable
set all
set vendor-def
set envar
set clock dst-off
set clock dst recurring start-weekday last end-weekday last
set clock dst recurring …
The Open Shortest Path First (OSPF) routing protocol is an Interior Gateway Protocol (IGP) intended to operate within a single Autonomous System (AS). A router running OSPF distributes its state information (such as usable interfaces and neighbor reachability) by periodically flooding link-state advertisements (LSAs) throughout the AS.
Enabling OSPF on a VR
set vrouter trust-vr router-id …