advanced commands

Here is a command I have just seen. Command takes you to flow daemon and allows several advanced troubleshooting options. It is good to look deeply. root@host>start shell pfe network fwdd BSD platform (OCTEON processor, 136MB memory, 1024KB flash) FLOWD_OCTEON(host vty)#

ipsec configuration on srx

Below is a site-to-site configuration between two SRX boxes (240 and 210) HOST1 root@host1# show security ike {     proposal prop-basic {         authentication-method pre-shared-keys;         dh-group group2;         encryption-algorithm 3des-cbc;         lifetime-seconds 3600;     }

Junos NAT

Doing NAT is very easy with SRX indeed. For example: SOURCE NAT (INTERFACE BASED)  [edit security nat] root@host# show | display set set security nat source rule-set rs1 from zone trust set security nat source rule-set rs1 to zone untrust set security nat source rule-set rs1 rule rl1 match source-address 10.200.2.0/24 set security nat source
Read More »

Packet debug in SRX

If you want to debug a packet flow you can use the following config by which testdebug.log file will contain icmp traffic debugs. [edit security flow] root@host# show traceoptions {     file testdebug.log;     flag basic-datapath;     packet-filter look-icmp {         protocol icmp;     } }

some things about policies/sessions

1)  An ICMP packet occupies a session entry in SRX 2) There is an intra-zone policy applied by default so packets belonging to the same zone but in different interfaces cannot traverse unless there is a intra-zone policy permitting them. 3) If the policy doesn’t allow a packet, it cannot be seen in monitor traffic
Read More »

trim on output

Today I learned a handy option in show command which is particularly useful when debugging trace files.  For example if you display a debug file host>show log debug.log Apr  8 21:36:29 21:36:28.1118827:CID-0:RT:packet [60] ipid = 60723, @4094a01c Apr  8 21:36:29 21:36:28.1118978:CID-0:RT:---- flow_process_pkt: (thd 3): flow_ctxt type 13, common flag 0x0, mbuf 0x40949e80, rtbl_idx = 0 Apr  8
Read More »

SRX cluster

You can find step by step instructions to set up an SRX firewall chassis cluster in different branch models. Before starting your cluster config, please make sure you have installed the JTAC recommended release which you can find at http://kb.juniper.net/KB21476 Please note that these instructions below belong to several branch models each of which has
Read More »

SRX policy-rematch

Today I played with policies in SRX and made a policy change which is supposed to block SSH traffic from internal clients to outside networks. I made the change and committed the configuration but I saw that my SSH connection was still alive and connection wasn’t dropped. However when I disconnect and try to reconnect,
Read More »

loading junos configuration is very easy

I love the way junos manages configuration file.  Here is my favorite command “load” and some examples about it. [edit interfaces ge-4/0/0] root@router#load update terminal relative [Type ^D at a new line to end input] If you are at a relative location such as an interface configuration as above, any thing you paste will override
Read More »

monitoring files in JUNOS

If you want to monitor a growing log file in JUNOS, there is a builtin command for this purpose. For example, if you want to monitor the log file /var/log/messages just run; user@host> monitor start /var/log/messages and any change in this file will be displayed on your screen. To stop monitoring simply run; user@host> monitor
Read More »