Posts Tagged ‘juniper’

 

Deploy vSRX – VMware Workstation

RE – Routing Engine

— Manages the PFE

— Maintins Routing Tables

— Manages the Packet Forwarding Engine


PFE – Packet Forward Engine

— Is incharge of Policing , Stateless Firewall Filtering and CoS implemented by forwarding plane

— Forarding Plane Central Procesing contains the PFE

They are seperated in Juniper ( Control and Forwarding Planes ) to benifit speed and reduce bottlenecks -> https://www.juniper.net/techpubs/en_US/junos9.3/topics/concept/psd-control-and-forwarding-plane-in-separate-chassis.html

– Forwarding table is stored on both

-Routing Table ( stored on Control Plane ) Populate Forwarding Table

–Import Policys filter items doing to Routing Table

Routing Policy

Must have a then doesn’t need a from

Juniper also split software processes in Modules

Same base source code for all Boxes

Ctrl-A = Left All

Ctrl-U = Delete All

Ctrl-W = Backspace

Default Location for Configs are in /home/user

Default Location for logs /var/logs/

WIP Config = Canidate Configurations

Active Config = After Commit

VN:F [1.9.22_1171]
Rating: 10.0/10 (1 vote cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

SRX210[1]Trying to get  site to site route based VPN working with 2 x SRX 240’s with the config ; 

routing-options {

static {

route 192.168.60.0/24 next-hop 172.27.0.18

This was worked on a previous site to site vpn , however , using Show route after committing this did not show 192.168.60.0 in the routing table

172.27.0.18 was the IP of the secure tunnel interface st0.3 which was 

it’s a Juniper official technical document for route-based VPN setup that you just declare the Secure Tunnel interface instead of the IP

http://www.juniper.net/techpubs/en_US/junos12.1×44/topics/example/ipsec-route-based-vpn-configuring.html

routing-options {

static {

route 192.168.60.0/24 next-hop st0.3

 

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

SRX210[1]In configuring a IPSec site to site vpn with SRX 240 we need to set the st0/1/2 Adapters to manual address

For this I choose 172.27.0.0 Subnet 30 which only gives 2 IP’s per subnet (between SRX1 and SRX2)

If you try and assign an IP in the Broadcast Address or Subnet Address wou will get

Cannot assign broadcast address as ip address

or

Cannot assign address 0 on subnet

Use a subnet caculator for checking these address’ and only use the values in between the Min and Max Host


http://wintelguy.com/subnetcalc.pl

VN:F [1.9.22_1171]
Rating: 9.0/10 (2 votes cast)
VN:F [1.9.22_1171]
Rating: +1 (from 1 vote)

Recently I needed to train a SysAdmin on how to whitelist sites using the Gui. I couldn’t find an online guide ( only using CLI ) so here it is! 

  1. Create a Block and Allow List

2. Add URL’s you would like to block and allow

3. Create a new policy to block and allow these

4. Add this policy as a UTM Policy under Web Filtering Polices

5) Define this UTM policy in between zones 

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)