
Messages - signal15

Pages: [1] 2 3 4 5 6 ... 26
Suggestions/Feedback / Testing
« on: November 15, 2017, 11:53:13 am »

JunoSpace / Is anyone else here using Space?
« on: February 09, 2014, 07:03:01 pm »
I've done a couple of installs of it to manage SRX clusters.  It works well; I like the policy management much better than NSM.

Anyone else using it?  Experiences?

SRX Platform and J-series / Address objects based on DNS name
« on: June 28, 2012, 01:03:04 pm »
I'm converting a policy from ScreenOS to SRX.  It has a lot of objects that are DNS name based.  How does this perform on the SRX?  Am I going to see performance issues as it performs the lookups?

I'm getting this same error.  Other people running the same version of NC and the same patch level of the OS are not.  I have not been able to figure it out, so I switched over to Pulse.

Do you have any other VPN clients installed?  Thinking back, I did install the Palo Alto VPN client shortly before this issue started occurring.

NetScreen and SSG/ISG Series Firewalls / Policy merging - scripts?
« on: June 05, 2012, 02:00:40 pm »
Say I have two firewalls that I want to merge into one.  As an example, say I have a prod firewall and a dev firewall.  They are connected by a link in the "Transit" zone.  I have rules on the prod firewall which grant access to dev resources via "DMZ->Transit" policies.  On the dev firewall, a corresponding Transit->dev-DMZ rule exists.  If I replace both firewalls with a single firewall and merge the policies, then I will need a single DMZ->dev-DMZ rule.

Does anyone know of a good automated way to do this?  The NSM policy merge tool doesn't seem to take this into account.

A script would need to determine what source and destination zone the objects were in, and change the rule appropriately. You may also run into situations where the destination zone is Transit on the first firewall, but the objects specified are actually in multiple zones on the dev firewall. 

Does anyone have a script to do this?  Or, any suggestions on existing scripts that could be modified rather than writing something from scratch?
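
As an added example (not from this thread, and not an existing tool), here is the core of the kind of merge script asked for above. It models each rule as source zone, destination zone, source objects, destination objects, service and action, uses an address-object-to-zone map for each firewall to work out which zone a dev object really lives in, collapses each prod "X->Transit" rule with the matching dev "Transit->Y" rule into a direct "X->Y" rule, and warns when the objects in one rule span several zones, when one side permitted something the other did not, or when a Transit rule is left orphaned. Parsing real `set policy` / `set address` output into this model is left out; the rule base, object names and zones are constructed for the example.

```python
"""Merge two zone-based firewall rule bases that were joined by a Transit zone.
Added example; rule model and sample data are constructed, not taken from the thread."""
from collections import defaultdict
from dataclasses import dataclass

TRANSIT = "Transit"
ANY = frozenset({"Any"})


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    src: frozenset  # address-object names; {"Any"} is the universal set
    dst: frozenset
    service: str
    action: str     # "permit" or "deny"


def intersect(a, b):
    """Intersection of two object sets, treating {"Any"} as everything."""
    if a == ANY:
        return frozenset(b)
    if b == ANY:
        return frozenset(a)
    return frozenset(a) & frozenset(b)


def fold_link(out_rules, in_rules, in_obj_zone):
    """Collapse X->Transit rules on the sending firewall with Transit->Y
    rules on the receiving firewall into direct X->Y rules.
    in_obj_zone maps address-object name -> zone on the receiving firewall.
    Returns (merged_rules, warnings)."""
    merged, warnings, used = [], [], set()
    ingress = [r for r in in_rules if r.src_zone == TRANSIT]
    for r in out_rules:
        if r.dst_zone != TRANSIT or r.action != "permit":
            continue  # only permits into Transit ever crossed the link
        by_zone = defaultdict(set)  # receiving-side zone -> objects in it
        for obj in r.dst:
            if obj == "Any":
                warnings.append(f"{r.src_zone}->Transit with dst Any needs manual review")
            elif obj not in in_obj_zone:
                warnings.append(f"{obj}: not an address object on the receiving firewall")
            else:
                by_zone[in_obj_zone[obj]].add(obj)
        if len(by_zone) > 1:
            warnings.append(f"{r.src_zone}->Transit dst {sorted(r.dst)} spans zones "
                            f"{sorted(by_zone)}; split into one rule per zone")
        for zone, objs in by_zone.items():
            reached = set()
            for i in ingress:
                if i.dst_zone != zone or i.service != r.service or i.action != "permit":
                    continue
                src, dst = intersect(r.src, i.src), intersect(objs, i.dst)
                if src and dst:  # both firewalls had to permit it for it to flow
                    merged.append(Rule(r.src_zone, zone, src, dst, r.service, "permit"))
                    used.add(i)
                    reached |= dst
            for obj in sorted(objs - reached):
                warnings.append(f"{r.src_zone}->{zone} {r.service} to {obj}: "
                                f"no matching Transit->{zone} permit; dropped")
    for i in ingress:
        if i not in used:
            warnings.append(f"orphan Transit->{i.dst_zone} rule "
                            f"{sorted(i.src)}->{sorted(i.dst)} {i.service}")
    return merged, warnings


def merge_firewalls(prod_rules, dev_rules, prod_obj_zone, dev_obj_zone):
    """Fold both directions of the Transit link and keep every rule that
    never referenced Transit. Returns (rules, warnings)."""
    p2d, w1 = fold_link(prod_rules, dev_rules, dev_obj_zone)
    d2p, w2 = fold_link(dev_rules, prod_rules, prod_obj_zone)
    untouched = [r for r in prod_rules + dev_rules
                 if TRANSIT not in (r.src_zone, r.dst_zone)]
    return untouched + p2d + d2p, w1 + w2


# Constructed sample data (not from any real policy).
PROD_OBJ_ZONE = {"web1": "DMZ", "web2": "DMZ", "corp-dns": "Trust"}
DEV_OBJ_ZONE = {"dev-db": "dev-DMZ", "dev-app": "dev-DMZ", "dev-jump": "dev-Trust"}
PROD_RULES = [
    Rule("DMZ", TRANSIT, frozenset({"web1", "web2"}),
         frozenset({"dev-db", "dev-jump"}), "TCP-5432", "permit"),
    Rule("Trust", "DMZ", ANY, frozenset({"web1"}), "HTTP", "permit"),
]
DEV_RULES = [
    Rule(TRANSIT, "dev-DMZ", ANY, frozenset({"dev-db"}), "TCP-5432", "permit"),
    Rule(TRANSIT, "dev-Trust", frozenset({"web1"}), frozenset({"dev-jump"}), "TCP-5432", "permit"),
    Rule(TRANSIT, "dev-DMZ", ANY, frozenset({"dev-app"}), "HTTP", "permit"),
]

if __name__ == "__main__":
    rules, warns = merge_firewalls(PROD_RULES, DEV_RULES, PROD_OBJ_ZONE, DEV_OBJ_ZONE)
    for r in rules:
        print(f"{r.action} {r.src_zone}->{r.dst_zone} {sorted(r.src)} -> {sorted(r.dst)} {r.service}")
    for w in warns:
        print("WARN:", w)
```

The merged rule is the intersection of what both sides permitted, so a prod rule that allowed more sources than the dev side accepted is narrowed rather than widened. The script ignores ordering within a rule base (a deny placed above a permit on one box), so every warning, and any deny rule touching Transit, still needs a human look before the merged policy is pushed.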

NetScreen and SSG/ISG Series Firewalls / Re: OSPF issue
« on: May 15, 2012, 02:43:29 pm »
Set a delay on the secondary router interface that faces the firewall.

Suggestions/Feedback / Re: Status of our spam efforts
« on: March 01, 2012, 02:39:51 pm »

Remote Access SSL VPN/UAC/MAG, Pulse, and SBR / Re: Sip Voip via SSL VPN
« on: February 13, 2012, 04:21:14 pm »
Network Connect and Pulse will work with it.  You might get it working with WSAM if you allow the .exe for the softphone, but probably not with JSAM.

NSM / Re: At what point NSM global security rules are taken into account
« on: December 23, 2011, 10:15:56 am »
Policies are interpreted in this order:
- Intrazone
- Interzone
- Global
- Default
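
As an added example (not part of the post above), the lookup below walks the four stages in that order, so you can see exactly when a Global rule is reached: a Global deny never overrides an interzone permit that matched first, and a Global permit is shadowed by an intrazone deny. The rule base and the "deny" default are constructed for the example; a real ScreenOS box also permits intra-zone traffic without a policy unless zone blocking is enabled, which this toy does not model.

```python
"""Policy lookup in the order intrazone -> interzone -> global -> default.
Added example; rule base is constructed, not taken from the post."""
from dataclasses import dataclass

ANY = frozenset({"Any"})
GLOBAL = "Global"


@dataclass(frozen=True)
class Policy:
    src_zone: str   # GLOBAL for a global policy
    dst_zone: str
    src: frozenset  # address-object names; {"Any"} matches everything
    dst: frozenset
    service: str    # "ANY" matches every service
    action: str     # "permit" or "deny"


def stage_of(p):
    """Which of the lookup stages a policy belongs to."""
    if GLOBAL in (p.src_zone, p.dst_zone):
        return "global"
    return "intrazone" if p.src_zone == p.dst_zone else "interzone"


def matches(p, src_zone, dst_zone, src, dst, service):
    return (p.src_zone in (GLOBAL, src_zone)
            and p.dst_zone in (GLOBAL, dst_zone)
            and (p.src == ANY or src in p.src)
            and (p.dst == ANY or dst in p.dst)
            and p.service in ("ANY", service))


def lookup(policies, src_zone, dst_zone, src, dst, service, default="deny"):
    """Try each stage in order; within a stage, policies are tried in the order
    they appear in the list (their configured order). Returns
    (action, stage, matching policy); `default` stands in for the default policy."""
    for stage in ("intrazone", "interzone", "global"):
        for p in policies:
            if stage_of(p) == stage and matches(p, src_zone, dst_zone, src, dst, service):
                return p.action, stage, p
    return default, "default", None


# Constructed sample rule base.
POLICIES = [
    Policy("Trust", "Trust", frozenset({"host1"}), frozenset({"host2"}), "SSH", "deny"),
    Policy("Trust", "Untrust", frozenset({"host1"}), ANY, "HTTP", "permit"),
    Policy(GLOBAL, GLOBAL, ANY, ANY, "HTTP", "deny"),
    Policy(GLOBAL, GLOBAL, ANY, ANY, "SSH", "permit"),
]

if __name__ == "__main__":
    for args in [("Trust", "Untrust", "host1", "web", "HTTP"),   # interzone permit wins
                 ("Trust", "Untrust", "host2", "web", "HTTP"),   # falls through to global deny
                 ("Trust", "Trust", "host1", "host2", "SSH"),    # intrazone deny shadows global permit
                 ("Trust", "Trust", "host3", "host2", "SSH"),    # reaches global permit
                 ("DMZ", "Untrust", "host1", "web", "DNS")]:     # nothing matches: default
        action, stage, _ = lookup(POLICIES, *args)
        print(args, "->", action, "at", stage)
```

The practical consequence is that a Global rule only ever catches traffic no zone-specific policy already decided; if you want a blanket block to hold regardless of zone policies, it has to be placed in the zone-pair policies themselves.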

NetScreen and SSG/ISG Series Firewalls / Re: SSG550M configuration
« on: December 23, 2011, 10:12:52 am »
You are not limited to one untrusted port.  You can designate any port, or subinterfaces, however you like.

Anyway, the answer is yes to your two questions.  Search the forum and you will find a couple of threads that should help with the setup of your ISP failover.

Suggestions/Feedback / Status of our spam efforts
« on: December 20, 2011, 07:44:31 pm »
We are shutting down roughly 700-1000 spammers per day who attempt to register to the site.  Occasionally, we'll have one or two slip in though.  I've noticed recently that some of them are actually posting semi-relevant replies, and then putting links in their signature.

PLEASE report these users if you see this practice so we can delete them.

I am a Cisco guy, and now new to Juniper SSG5 and SSG140; I want to know if the following situations work:

1. Two sites:
    One site with a Juniper SSG5 connecting to two ISP links, so WAN link failover is configured.
    The other site with a Juniper SSG140 connecting also to two other ISP links, so WAN link failover is configured.
2. Want to set up two VPN links (they can back each other up), that is, four VPN configurations in total (2 WAN links x 2 WAN links = 4 VPN links).

Are the VPN links working (failover architecture only)?

This should work.  The way I would set it up would be to have both VPN links (set them up as route-based) active at one time, but then use route metrics to make one the primary.

Thanks Signal. I've put some debugging on and am still getting an issue. On A, eth0/1 is and the tunnel endpoint. On B, eth0/2.7 is and is the other end of the tunnel. I have bound tunnel.1 on B to eth0/0 and set eth0/0 as outgoing-interface. When the first IKE packet reaches B, it complains:

## 2011-09-09 13:36:35 : IKE<> ****** Recv packet if <ethernet0/2.7> of vsys <Root> ******
## 2011-09-09 13:36:35 : IKE<> Catcher: get 160 bytes. src port 500
## 2011-09-09 13:36:35 : IKE<        >   ISAKMP msg: len 160, nxp 1[SA], exch 2[MM], flag 00
## 2011-09-09 13:36:35 : IKE<    > Recv : [SA] [VID] [VID] [VID]
## 2011-09-09 13:36:35 : IKE<        >   Not found: 1st peer_ent that is used, with no peer IP, and right local IP.
## 2011-09-09 13:36:35 : IKE<> Rejected an initial Phase 1 packet from an unrecognized peer gateway.
11998648.0: ethernet0/0(i) len=202:0016c8268d43->0010dbff2000/0800

Why would it be complaining that it's an 'unrecognized peer gateway' when the gateway on B is defined as:
set ike gateway "test-gw" address Main outgoing-interface "ethernet0/0" preshare "blahblah" proposal "pre-g2-aes128-sha"

Your IKE ID is not being set or is incorrect on the remote end.  You are doing Main mode.  Is your remote side a dynamic IP?  If so, you need to switch to aggressive mode.  You may also need to use an email style IKE ID if it's dynamic.

SRX Platform and J-series / Re: SRX with 2 ISPs, any thoughts
« on: December 02, 2011, 11:07:22 am »
This does work now; I am doing it in a number of SRXs, finally.

Then I would do it the same way you are doing it in ScreenOS.  One thing I notice in ScreenOS is that interfaces that get their IP address/default route via DHCP will have a metric of 0 for the default route, whereas a static route has a metric of 20.  So if you have two internet interfaces in the same VR with one static and one DHCP, you run into a situation where there is no way to give equal metrics, hence the need to create a VR for each internet provider and another internal VR.

Just something to keep in mind.  No idea if the SRX acts the same way.  I'd log into one and check it now, but I'm in the middle of something.

SRX Platform and J-series / Re: SRX with 2 ISPs, any thoughts
« on: November 30, 2011, 10:57:02 pm »
If you can terminate VPNs to interfaces in non-default routing instances, you can do this.  I posted a config a long time ago on here for doing this on ScreenOS based devices.

Someone needs to confirm the status of terminating VPNs in routing instances other than the default. This was broken before, and I have not had a chance to test it.

Routers / Your IPV6 plans
« on: October 10, 2011, 12:32:07 pm »
After you vote, please elaborate at where you are in the process, and any drivers behind it.  Looking for real world data.

Are you talking on the Android device?  Then yes.

If you're talking about on the SA, then I don't see where to do that.

Suggestions/Feedback / Mobile browsing enabled through Tapatalk
« on: September 18, 2011, 12:36:31 pm »
Just install the Tapatalk app from your respective app store, and search for JuniperForum.

Is this still occurring for anyone? 

Sounds like something is misconfigured, or whatever you are using for a portscanner is generating false information.  Try scanning with nmap:

nmap -sT -n -p 0-65535 <ip address>

If it has the same results, post your config.
