Load Balance on a #Juniper SRX in #JUNOS

Many small-businesses and branch offices have 2 ISP connections and 1 Juniper SRX.  The branch office Juniper SRX is awesome for anti-virus, anti-spam, intrusion detection, VPNs, and just plain firewalling, but one of the downsides is the fact that per-packet or per-flow load-balancing isn’t possible on a stateful Juniper SRX. You won’t be able to “truly” … Continue Reading

Add Logging to All Security Policies on a #Juniper #SRX

If you’re tired of typing “then log session-init” or clicking on the log button in NSM or on the web GUI there is an easy way to log every single policy. We’ll use JUNOS groups to accomplish this. From the CLI: configure set groups log-all-policies security policies from-zone <*> to-zone <*> policy <*> then log … Continue Reading

Juniper SRX Status (High End) #Juniper

If you want to capture the full status of an SRX, here are the commands I run to get a good baseline of what’s going on in a high end Juniper SRX. If you’re running routing-instances, make sure to update the protocol statuses with “routing-instance xyz”   show arp no-resolve | no-more show bgp summary … Continue Reading

Juniper SRX Q&A Session

I was recently asked a few questions about Juniper SRX’s I figured everyone could benefit from knowing the answers to… Q. How would I disable flow processing on IPv4? A. In JUNOS config mode: set security forwarding-options family mpls mode packet-based You will also need to delete all security policies. This will also disable features … Continue Reading

(D)DoS Script and How to Block with an SRX #antisec

In the spirit of all of the #antisec fun on twitter, here is a TCP SYN Flood perl script to test your intrusion detection solutions… PS> How to block it with a Juniper SRX is below the script.. Perl Script #!/usr/bin/perl # USAGE: sudo perl synflooder.pl source_ip destination_ip destination_port # # Find your source_ip with … Continue Reading

A typical Juniper RPM Configuration

Here is an example of a typical RPM configuration ben@olive80> show configuration services rpm { probe NET-B-SRX-PROBE { test NET-B-SRX-P1-TEST { probe-type icmp-ping; target address 172.20.90.30; probe-count 15; probe-interval 1; test-interval 1; source-address 172.17.8.30; history-size 255; dscp-code-points ef; data-size 64000; thresholds { total-loss 1; rtt 60000; jitter-rtt 5000; } traps test-completion; ## ## Warning: statement … Continue Reading

PPPoE Configuration on Juniper SRX

If you’ve ever wondered how to set up a PPPoE Interface on an SRX, here is the configuration that worked for me. This works for AT&T DSL. Here is the Stanza format: description “PPPoE interface to Internet”; unit 0 { ppp-options { pap { default-password “wxyz”; ## SECRET-DATA local-name “user@service.com”; local-password “wxyz”; ## SECRET-DATA passive; … Continue Reading

Juniper SRX Troubleshooting Library

After extensive and exhaustive troubleshooting of Juniper SRX’s and realizing there really isn’t a comprehensive “go to manual” for command information, I decided to create one!   Click Here to Download the SRX Troubleshooting Command Library.v3

SRX Status Checker Script

I built an SRX Status Checker Script. Check it out here: http://benboyd.info/scripts/srx_status_checker.php