Static NAT in SRX

Today’s post is about static NAT configuration on an SRX firewall. I have the following topology, and the aim is to translate the IP network 192.168.211.16/28 to 192.168.250.32/28 and vice versa. The JGW1 SRX has 192.168.250.1 on its interface facing the uplink zone and 192.168.211.1 on its interface facing the trust zone, and the static NAT configuration for this setup is as

Port forwarding in SRX

In today’s post I would like to give an example of how to configure destination port forwarding on a Juniper SRX. For this purpose I am using an Ubuntu Linux host running a web service on TCP port 80 and an SRX firewall in front of it. Our aim is to forward any request arriving at the SRX box at

Bypassing flow daemon in SRX

Under normal circumstances, if you have a policy from the trust zone to the transit zone in a network like the one in the diagram and you generate traffic, the packets have to be processed by the flow daemon, after which a session is created. What if you want to bypass this daemon and only use packet mode for

Analysis of HTTP message #2

This is the analysis of the second frame, which I posted in my first post. 2) Timestamp 0.000044. I won’t describe everything that I already talked about in the first post, only the necessary parts. The 2nd IP packet contains the TCP SYN-ACK segment, which is the response from the server side.

Updating attack database of srx cluster node1

When you have an SRX cluster and you need to update/install the IDP attack database on the second node, you will realize that it isn’t done automatically (before the 12.1 release). You can update/install the active node but not the other. The workaround is to manually copy the attack DB files to the second

idpd busy in commit. Please try again later.

When I was trying to update my SRX cluster via NSM, I received the error message “idpd busy in commit. Please try again later.” I found the KB article http://kb.juniper.net/InfoCenter/KB21334 for this issue, according to which “commit confirmed” should be disabled under Preferences->Device Update->Netconf. Good to learn!

Device Alarms in NSM

While using NSM, I noticed that I had an alarm for one device but couldn’t see what the alarm was really about. Right-clicking the alarm only brought up the normal device menu and nothing else. Then I found that I had to follow the Investigate->Realtime Monitor->Device Monitor path to see the alarm

Adding SRX cluster as virtual chassis into NSM

There are two options that you can use to add an SRX cluster into NSM:
1. Add each node separately by using its fxp0 interface IP address.
2. Configure a virtual chassis and add the entire cluster as a single node.
As the topic of this post is virtual chassis, set the following configuration

When to Send an ACK Segment

During one of my experimental studies I noticed a pattern in the frequency of TCP ACKs: ACK segments are sent after every 2 received TCP segments. I kept asking why not 3 or 1, but 2. Then I found the answer in RFC1122 “Requirements for Internet Hosts — Communication Layers” when I was trying to find some information