Messages - screenie.

SRX Platform and J-series / Re: Traffic shaping SRX 210
« on: November 10, 2010, 02:09:16 pm »
Sure you can, as long as you can "capture" the traffic in packet filters. Well-known destination port or something. Or by source prefix or destination address, etc. And yes, you can limit traffic by assigning a policer. So much you can do, but it is quite a lot to explain in a quick post, I'm afraid.

Some useful links:

And the best:

SRX Platform and J-series / Re: Traffic shaping SRX 210
« on: November 10, 2010, 01:21:56 pm »
Traffic shaping can be done on a 210, but not in the sec policies. You need to configure:

- firewall rules (stateless: "packetfilter") which assign the queue
- COS settings

Please google junos cos for examples. When something is not clear, drop a new post.

Age out means that a session is created (and a packet sent out) but no reply is seen. And you are using transparent mode, I saw.

Can you look at the order of the policies? You want a tunnel, so a tunnel action should be hit before an accept policy.

NetScreen and SSG/ISG Series Firewalls / Re: Disable OSPF Logs
« on: November 01, 2010, 02:34:59 am »
You're welcome!

Hmm, are you using interfaces in the v1-* zones? Seems like a transparent mode config!

The client you start from the bookmark is on the box!!

I'm almost certain you have a mistake in the policy. Either the traffic hits a deny policy or never a permit policy.

Could you do this:
set ff dest-ip
debug flow basic
clear db
-> do the ping here <-
undebug all
get db stream

and post the output?

It will show on which policy the traffic is denied.

Did you run a debug ike on this issue? It might show what's going on. Anything in the event log?

Add a 10 address as secondary on the interface!

NetScreen and SSG/ISG Series Firewalls / Re: Disable OSPF Logs
« on: October 29, 2010, 06:35:29 am »
It's here in the menu:

Configuration -> admin -> exclude rules

Couldn't stand it, looked it up in the cli manual. Probably you're looking for this (really ssg this time):
exec
backup interface interface { failover | revert } |
dhcp client interface renew |
bert-test [ start | stop ] |
ext-loop-back-test [ interval number | round number [ interval l number ] ] |
all | interface
phy setting force-sync |
bert-test [ start | stop ]

See also concept and examples guide on

NetScreen and SSG/ISG Series Firewalls / Re: Tunnel State Ready
« on: October 29, 2010, 05:14:57 am »
It means the VPN is up and ok, but you didn't enable monitoring on the tunnel interface. When enabling monitoring the state will be up or down. With monitoring, when the vpn goes down the tunnel interface goes down, associated routes go down and backup routes might become active.

Sorry, was thinking about srx, not ssg. Don't know about ssg, sorry again!

NetScreen and SSG/ISG Series Firewalls / Re: Disable OSPF Logs
« on: October 28, 2010, 05:02:27 am »
In the gui management -> exclude rules. There's help about it on this page.

Sure there is. I forgot the exact test, but a bert test is supported. Something like test on operational mode. Other side has to be in loopback for this test of course.

Probably hw problem with the flash. Recovery procedure normally works ok! Contact jtac!

NetScreen and SSG/ISG Series Firewalls / Re: ssh on ssg20
« on: October 27, 2010, 04:47:58 pm »
You can't. There's only a telnet client, no ssh client.

NetScreen and SSG/ISG Series Firewalls / Re: Disable OSPF Logs
« on: October 27, 2010, 04:46:56 pm »
Try a rule in configuration exclude rules. You can exclude specific event types from being logged.

Policy based routing is used to route traffic based upon other ip header fields than destination address. That's got nothing to do with natting. To nat your traffic you define a DIP address pool (can be address) on the outgoing interface. You can also translate a complete range by using IP shift in the dip pool. I think that's what you need in this case.
Then in the policy you go to advanced setting, select source nat using this DIP pool. Of course you need to make sure this policy is hit before a general permit rule without natting.

PBR isn't the problem I think, traffic is routed to int3.
But the message: packet dropped, denied by policy means that there's no policy allowing the traffic.
