migrating zone based address book to global in Juniper SRX

I have written a small script to convert SRX address books which are in zone-based format to global. There was already a ready-made script on the Juniper forums, but I saw that it lacked duplicate address checks and it couldn’t connect to some SRX devices. Below is the link to the code and how it can be used.

1) First fetch your current zone based addresses from SRX to a Linux host.

2) Download the tool at https://github.com/rtodto/junosrepo/blob/master/srx_migrate_zone2global.py

3) Let’s say your zone based address book file is like this;

4) Run the tool against the legacy address book file as below.
Once you run it, you will get the new set-based commands to be pasted into your SRX box.

If you have a conflict, you will get a message as below. But how can a conflict happen? Zone-based address books allow you to use the same address object name in more than one zone, so if you blindly convert via another tool, one entry can override another. To prevent this, the tool simply tells you that the address book object “addr1” has more than one IP address. If both IP addresses are the same, you won’t get a warning.

Once you resolve the conflict, i.e. rename the address book entry and update the security policies, simply paste the set/del lines on your SRX command line. Then your address book should be converted.
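The duplicate check described above can be sketched as follows. This is an added example, not the code of the linked tool; the function name `migrate` and the sample entries are assumptions, and it handles only `address` entries (address-sets are not converted).

```python
import re
from collections import defaultdict

# Zone-attached entry, e.g.:
# set security zones security-zone trust address-book address addr1 10.1.1.1/32
ZONE_ADDR = re.compile(
    r"^set security zones security-zone (\S+) address-book address (\S+) (.+)$"
)

def migrate(lines):
    """Return (commands, conflicts) for a zone-based address book dump."""
    seen = defaultdict(dict)  # name -> {value: [zones that define it]}
    for raw in lines:
        m = ZONE_ADDR.match(raw.strip())
        if not m:
            continue  # address-sets and other statements are out of scope here
        zone, name, value = m.groups()
        seen[name].setdefault(value, []).append(zone)

    # One name with several distinct values cannot be merged safely.
    conflicts = {n: v for n, v in seen.items() if len(v) > 1}

    cmds = []
    for name, values in seen.items():
        if name in conflicts:
            continue  # left for the operator to rename first
        (value, zones), = values.items()
        cmds.append(f"set security address-book global address {name} {value}")
        cmds += [
            f"delete security zones security-zone {z} address-book address {name}"
            for z in zones
        ]
    return cmds, conflicts

# Constructed sample input, not taken from a real device.
SAMPLE = """\
set security zones security-zone trust address-book address addr1 10.1.1.1/32
set security zones security-zone untrust address-book address addr1 10.2.2.2/32
set security zones security-zone trust address-book address web1 192.0.2.10/32
set security zones security-zone dmz address-book address web1 192.0.2.10/32
""".splitlines()

if __name__ == "__main__":
    commands, conflicts = migrate(SAMPLE)
    for name, values in conflicts.items():
        print(f"CONFLICT: {name} has more than one value: {sorted(values)}")
    print("\n".join(commands))
```

Here `web1` is defined twice with the same value and is merged without a warning, while `addr1` is held back because a blind conversion would silently change what a policy referencing it matches.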

SRX240 and SRX340 failure rates

Recently I upgraded dozens of SRX240H2 and SRX340 series Juniper firewalls, and around 10% of the SRX240H2 boxes crashed either during or after the upgrade, while none of the 340 series did. Although the 340 is a newer platform, I would like to be positive and believe that Juniper has improved both hardware and software quality. What do you think? What is your experience on newer platforms as far as hardware and software are concerned?

SRX standard and structured syslogging

SRX can send logs in two formats: standard and structured. If you haven’t made any extra config, what you see in the traffic logs is usually the standard one. However, the structured one is easier to read and parse. Look, it is in the format field_name = field_value, so it is easier to parse and friendlier to read.

But you don’t get this by default. I have put a sample config which can help you send syslog in structured format.
Apparently sd-syslog alone isn’t sufficient; a stream is also needed.
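Why the structured format is easier to consume can be seen in the short parser below. This is an added example, not part of the original post; both log lines are constructed samples, and the SD-ID and field names in them are illustrative assumptions.

```python
import re

# RFC 5424 layout: <PRI>1 TIMESTAMP HOST APP PROCID MSGID [SD-ID name="value" ...]
HEADER = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) \[(\S+?)[ \]]")
# One name="value" pair; \" \\ and \] may appear escaped inside the value.
PARAM = re.compile(r' ([^\s="\]]+)="((?:[^"\\]|\\.)*)"')

def parse(line):
    """Return a dict for a structured-format line, or None for anything else."""
    m = HEADER.match(line)
    if not m:
        return None  # standard-format line: free text, needs per-message regexes
    pri, ts, host, app, _procid, msgid, sd_id = m.groups()
    fields = {
        name: re.sub(r'\\(["\\\]])', r"\1", value)  # undo RFC 5424 escaping
        for name, value in PARAM.findall(line[m.end(7):])
    }
    return {
        "facility": int(pri) >> 3,
        "severity": int(pri) & 7,
        "timestamp": ts,
        "host": host,
        "app": app,
        "event": msgid,
        "sd_id": sd_id,
        "fields": fields,
    }

# Constructed samples, not captured from a device.
STRUCTURED = (
    '<14>1 2017-03-01T10:15:30.123Z srx01 RT_FLOW - RT_FLOW_SESSION_DENY '
    '[junos@2636.1.1.1.2.40 source-address="10.1.1.5" source-port="51515" '
    'destination-address="192.0.2.80" destination-port="23" '
    'policy-name="deny-all" source-zone-name="trust" '
    'destination-zone-name="untrust"]'
)
STANDARD = (
    "<14>Mar  1 10:15:30 srx01 RT_FLOW: RT_FLOW_SESSION_DENY: session denied "
    "10.1.1.5/51515->192.0.2.80/23 deny-all trust untrust"
)

if __name__ == "__main__":
    event = parse(STRUCTURED)
    print(event["event"], event["fields"]["source-address"],
          "->", event["fields"]["destination-address"])
    print(parse(STANDARD))
```

With named fields, a collector can filter on `policy-name` or `destination-port` directly instead of relying on field positions in a free-text message.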

Palo Alto Networks Amsterdam glassdoor rating

I wonder if people look at the rating of a company at glassdoor.com before making their decision? Please share your view if you can, I really wonder. I checked the rating of my former employer PAN in Amsterdam and the current rating is 2.1 when the global rating is 3.7.
What are your criteria before jumping onto another company/position? Or, if you are a manager, what do you do to keep your staff?

Changes bringing interface down in Junos

I don’t know if there is any comprehensive list of changes which bring down an interface apart from specifically disabling the interface. So far I recall two of them which are striking and might not be expected to flap the interface. If anyone also has experience with this, it might be a good place to share.

Years back I didn’t know that this change (i.e adding or removing this) was flapping the interface. If you have any routing protocol or any other component depending on the interface, be aware!

MTU change
If you change the MTU of an interface and you are running e.g. BGP, you will see a flap, as traceoptions will clearly tell you that the interface is going down.

Any other change you know affecting interface status? Please feel free to share!

error: put-file failed on Junos

I got the following error while I was trying to copy a file via SCP on Junos. As per the error, I thought it was something to do with my local permissions, but I could read the source backup.conf file. I searched online, and numerous entries showed up.

In the end, the error turns out to be so funny. It is the “~” character which is causing this issue. As soon as I changed the destination path as follows;

it just went through. Apparently this isn’t interpreted as the “HOME” directory in Junos the way it works in Linux.
Another lesson learned!

deleting all addresses in Palo Alto Networks firewall

If you somehow end up having hundreds of address objects in a PAN firewall and you would like to delete all of them, good luck! Probably to prevent accidental removal, there is no way in the GUI as of now on 7.1.x releases (or I don’t know yet), but if you want to, you can use the following CLI option.

Copy the output you get from the previous “show address” command and paste it into a file, e.g. “address.txt”, on a Linux host, then do
grab the first 3 lines

For example, our file may contain the following;

By doing this you create the delete statements of the address objects. Your output should be like this

Now you need to paste this on the PAN CLI. Depending on the number of objects, you may need to enable scripting mode

and then paste the delete commands and commit. That should be it!

Panorama address object mismatch with firewall

Panorama is a nice management tool. It is nice compared to NSM and Security Director :) On the other hand, I had to deal with an issue in which the address group content on Panorama was different from the firewall. Here is an example;

Panorama had AddGroup1 = Addr1 , Addr2, Addr3
Firewall had AddGroup1 = Addr1, Addr2, Addr3, Addr4

Security rule (Block_IPs) referencing AddGroup1 address group object had the action block but we needed to delete this Addr4. I don’t even want to think how this sync issue happened. The problem is that Panorama pushed objects are read-only, you can’t delete them. What did I do?

SSH client preference

There are various SSH clients for Windows platforms, and up until a couple of months ago I was thinking that the best SSH client for me was SecureCRT, but I discovered another one called Mobaxterm. This product really took my attention, the primary reason being the richness of the feature set. First, look at what protocols it supports;

In my daily job, I no longer have to use Filezilla and Rdesktop as it supports RDP and SFTP. The beauty of this is that each connection stays in its own tab, so you only use one window for all connections.

Slow file transfer and TCP Zero Window Probe

Slow file transfers must be really bothering everyone. I have a ZyXEL NSA325 NAS device which has a gigabit interface, but I am getting extremely low throughput. Unfortunately this has been a problem, I think, since I bought this device. Now I could finally find the time to troubleshoot the issue. Here is the topology I used in testing this scenario.


As per the topology above, my laptop and this NAS device are connected to two ports of this Juniper EX2200 switch. I have enabled jumbo frames on the ports, the laptop and the NAS device.

