Author: rtoodtoo

Has worked for more than 10 years as a Network/Support Engineer, is also interested in Python, Linux, Security and SD-WAN, currently lives in the Netherlands and works as a Network Support Engineer. // JNCIE-SEC #223 / RHCE / PCNSE


Here are the notes I have taken while preparing for the JNCIS-SEC exam. They may not be useful for everyone, as they are mainly for me to remember some of the stuff. Zones are logical groupings of logical interfaces with a common security requirement. Special interfaces like fxp0, chassis cluster interfaces and em0 interfaces cannot be assigned to

advanced commands

Here is a command I have just seen. The command takes you into the flow daemon and allows several advanced troubleshooting options. It is worth looking into deeply.

root@host>start shell pfe network fwdd
BSD platform (OCTEON processor, 136MB memory, 1024KB flash)
FLOWD_OCTEON(host vty)#

ipsec configuration on srx

Below is a site-to-site configuration between two SRX boxes (240 and 210).

HOST1
root@host1# show security ike {
    proposal prop-basic {
        authentication-method pre-shared-keys;
        dh-group group2;
        encryption-algorithm 3des-cbc;
        lifetime-seconds 3600;
    }

Junos NAT

Doing NAT is very easy with SRX indeed. For example:

SOURCE NAT (INTERFACE BASED)

[edit security nat]
root@host# show | display set
set security nat source rule-set rs1 from zone trust
set security nat source rule-set rs1 to zone untrust
set security nat source rule-set rs1 rule rl1 match source-address
set security nat source

Packet debug in SRX

If you want to debug a packet flow you can use the following config, by which the testdebug.log file will contain ICMP traffic debugs.

[edit security flow]
root@host# show
traceoptions {
    file testdebug.log;
    flag basic-datapath;
    packet-filter look-icmp {
        protocol icmp;
    }
}

some things about policies/sessions

1) An ICMP packet occupies a session entry in SRX.
2) There is an intra-zone policy applied by default, so packets belonging to the same zone but on different interfaces cannot traverse unless there is an intra-zone policy permitting them.
3) If the policy doesn’t allow a packet, it cannot be seen in monitor traffic

trim on output

Today I learned a handy option of the show command which is particularly useful when debugging trace files. For example, if you display a debug file:

host>show log debug.log
Apr  8 21:36:29 21:36:28.1118827:CID-0:RT:packet [60] ipid = 60723, @4094a01c
Apr  8 21:36:29 21:36:28.1118978:CID-0:RT:---- flow_process_pkt: (thd 3): flow_ctxt type 13, common flag 0x0, mbuf 0x40949e80, rtbl_idx = 0
Apr  8

SRX cluster

You can find step by step instructions to set up an SRX firewall chassis cluster in different branch models. Before starting your cluster config, please make sure you have installed the JTAC recommended release which you can find at Please note that these instructions below belong to several branch models each of which has

SRX policy-rematch

Today I played with policies in SRX and made a policy change which is supposed to block SSH traffic from internal clients to outside networks. I made the change and committed the configuration, but I saw that my SSH connection was still alive and the connection wasn’t dropped. However, when I disconnected and tried to reconnect,

loading junos configuration is very easy

I love the way Junos manages the configuration file. Here is my favorite command, “load”, and some examples of it.

[edit interfaces ge-4/0/0]
root@router#load update terminal relative
[Type ^D at a new line to end input]

If you are at a relative location such as an interface configuration as above, anything you paste will override