Posts published in “Juniper”

My previous post (Juniper SRX DB mode (Debug mode)) described a situation which is one of firewall cluster members got stuck into DB mode. Although it was fixed eventually by re-installed image, it was still failed again after a couple of months.

RMA ticket created with vendor Juniper and a new device was issued by Juniper. This post recorded all steps how to configure this new device and re-joined it back into existing cluster.

The all steps are quite straightforward. You may meet some file transferring issues or connectivity issues, but as long as you know your environment enough, those will be easily resolved if you followed all steps listed below.

Similar posts are in this  blog:

• Juniper SRX340 HA Configuraiton
• Configure SRX 240 cluster Step by Step
• Configure High End Juniper SRX 1400 as Chassis Cluster Steps
• Juniper SRX 240 Chassis Cluster (High Availability) Configuration

Notes: before let new cluster member join into existing cluster, please make sure one thing:
Disable IDP feature on existing Chassis cluster. Else your new cluster member will fail to join into existing cluster  and get into disabled mode. Fabric interface will show down status because new cluster member could not take your IDP configuration since it does not have IDP license and Signature Database.

An Intrusion Detection and Prevention (IDP) policy lets you selectively enforce various attack detection and prevention techniques on the network traffic passing through your SRX Series. The SRX Series offer the same set of IDP signatures that are available on Juniper Networks IDP Series Intrusion Detection and Prevention Appliances to secure networks against attacks. The basic IDP configuration involves the following tasks:

• Download and install the IDP license.
• Download and install the signature database—You must download and install the IDP signature database. The signature databases are available as a security package on the Juniper Networks website. This database includes attack object and attack object groups that you can use in IDP policies to match traffic against known attacks.
• Configure recommended policy as the IDP policy—Juniper Networks provides predefined policy templates to use as a starting point for creating your own policies. Each template is a set of rules of a specific rulebase type that you can copy and then update according to your requirements.
• To get started, we recommend you use the predefined policy named “Recommended”.
• Enable a security policy for IDP inspection—For transit traffic to pass through IDP inspection, you configure a security policy and enable IDP application services on all traffic that you want to inspect.

1. License

Juniper Support has some License Management Online Tools available on their website:

• Manage Product Licenses - Generate License Keys
• Generate Subscriptions
• Manage Product Licenses - Find License Keys
• Generate Licenses for RMA Devices

Click https://lms.juniper.net/lcrs/license.do should get you the classic Generate Licenses, but for newer hardware, it has been moved to new site: https://license.juniper.net/licensemanage

I have been dealing with Juniper SRX IDP error many times when NSM was been used. Mostly those errors are caused by corrupted signature DB or not enough storage space on SRX itself. Here is the latest one I encountered.

Symptoms
From Space, if I make a new change on firewall policy and push it to gateway, I will get following errors.

During our regular maintenance, after rebooted one SRX345, and found it stuck at db mode, which is debug mode. After a short and quick analysis, I found Juniper JunOS devices may get stuck in the boot process or fail to boot the OS, in rare cases, after a sudden power loss or ungraceful power shut down. Juniper  routers, switches and firewalls  can experience file system corruption, which prevents the device from recovering to a functional…

Issue Symptons:

• Normally, each firewall rule on the SRX auto-updates a snmp counter for hit-count, regardless of whether 'count' is configured or not.  Juniper Space Security Director periodically polls these OIDs and updates the hit-count.   
• In Junper Space 16.1 R1, the issue found is unable to view policy
  hit counts from Juniper Space Security Director, but SRX itself is keep updating. 

Actions Taken:

• Verify Security Appliance Policy Hits from Command line

root@fw-mgmt-2> show security policies hit-count 
node1:
--------------------------------------------------------------------------

Logical system: root-logical-system
 Index   From zone        To zone           Name           Policy count
 1       Vlan2              Vlan1        Baramondi_Monitor 0            
 2       Vlan2              Vlan1        10             4428         
 3       Vlan2              Vlan1        50             0            
 4       Vlan2              Vlan1        40             11136        
 5       Vlan2              Vlan1        default-logdrop 0            
 6       Vlan2              Vlan1        53             2007         
 7       Vlan2              Vlan1        54             0            
 8       Vlan2              Vlan1        55             0            
 9       Vlan2              MGMT              6              538          
 10      Vlan2              MGMT              23             0            
 11      Vlan2              MGMT              74             2            
 12      Vlan2              MGMT              default-logdrop 81           
 13      Office              Vlan1        default-logdrop 0            
 14      Office              Vlan1        60             447          
 15      Office              Vlan1        Office_Archive    0            
 16      Office              Vlan1        58             0            
 17      Office              Vlan1        Baramondi_Monitor-1 0            
 18      Office              MGMT              Office_Archive-1  0            
 19      Office              MGMT              default-logdrop 0            
 20      Vlan1       Vlan2               Baramondi_Rules 0            
 21      Vlan1       Vlan2               VA             0            
 22      Vlan1       Vlan2               A_Office_2_Vlan2    292          
 23      Vlan1       Vlan2               default-logdrop 1696         
 24      Vlan1       Office               VA-1           0            
 25      Vlan1       Office               Baramondi_Rules-1 0            
 26      Vlan1       Office               Device-Zone-1  0            
 27      Vlan1       Office               4              1299         
 28      Vlan1       Office               default-logdrop 0            
   ........

Based on Juniper "Junos Space Virtual Appliance Installation and Configuration Guide" , JunOS Space " must deploy the virtual appliance on a VMware ESX, VMWare ESXi or KVM server, which provides a CPU, hard disk, RAM, and a network controller, but requires installation of an operating system and applications to become fully functional."

In my test environment, one JunOS Space has been installed on Citrix Xen environment and it is working fine until we tried to import a license.

The license was generated from Juniper License site and emailed to us in a txt file. It used to work on another machine hosted in Vmware ESX environment. Unfortunately, this time, JunOS Space said no.

The License Information windows says:
License upload failed. Please check the following:
1) License data format
2) License Keys

Juniper Space VE at Citrix Xen Server - License Error

My old post “Import Existing Juniper SRX Cluster into JunOS Space Security Director” was created based on Space 14.1 and SRX11.x version. Now both have been upgraded. Space NMP and Security Director have been upgrade to 16.1 (Post is here). SRX240H has been upgrade to 12.1D46.55. Basically, all steps are similar except the web interface is different. What you need to do is to configure your SRX cluster with a master-only ip on both nodes.…