Load Balance on a #Juniper SRX in #JUNOS

Many small businesses and branch offices have 2 ISP connections and 1 Juniper SRX. The branch office Juniper SRX is awesome for anti-virus, anti-spam, intrusion detection, VPNs, and just plain firewalling, but one of the downsides is the fact that per-packet or per-flow load-balancing isn’t possible on a stateful Juniper SRX. You won’t be able to “truly” … Continue Reading

Add Logging to All Security Policies on a #Juniper #SRX

If you’re tired of typing “then log session-init” or clicking on the log button in NSM or on the web GUI there is an easy way to log every single policy. We’ll use JUNOS groups to accomplish this. From the CLI: configure set groups log-all-policies security policies from-zone <*> to-zone <*> policy <*> then log … Continue Reading

Denial of Service @JuniperNetworks SRX Firewalls #whitehat

So my job as a Network Security Engineer is to test networks and devices for stress and vulnerability. I haven’t ever uncovered anything that hasn’t already been discovered, but there seems to be a pretty serious design flaw in the traffic handling on high-end Juniper SRX firewalls. The high-end Juniper SRX firewalls are massive stateful … Continue Reading

Juniper SRX Status (High End) #Juniper

If you want to capture the full status of an SRX, here are the commands I run to get a good baseline of what’s going on in a high end Juniper SRX. If you’re running routing-instances, make sure to update the protocol statuses with “routing-instance xyz”: show arp no-resolve | no-more show bgp summary … Continue Reading

IPv6 Default Route

Just in case you didn’t know: The default route for IPv4 is 0/0. This stands for any value of all 32 bits (all IPv4 addresses). The default route for IPv6 is ::/0. This stands for 0:0:0:0:0:0:0:0/0, any value of all 128 bits (all IPv6 addresses). This is how you blackhole them in a Juniper IPv4 … Continue Reading

Juniper SRX Q&A Session

I was recently asked a few questions about Juniper SRXs that I figured everyone could benefit from knowing the answers to… Q. How would I disable flow processing on IPv4? A. In JUNOS config mode: set security forwarding-options family mpls mode packet-based. You will also need to delete all security policies. This will also disable features … Continue Reading

JUNOS (Navigating versions)

There seems to always be confusion when dealing with network operating systems. I saw a post on a forum that explained Juniper’s way of doing things and decided it needed to be put on the web. Starting in 2010, Juniper went to a new way of versioning their operating system, JUNOS. It’s slightly different than … Continue Reading

Juniper SRX Troubleshooting Library

After extensive and exhaustive troubleshooting of Juniper SRXs and realizing there really isn’t a comprehensive “go to manual” for command information, I decided to create one! Click Here to Download the SRX Troubleshooting Command Library.v3

Policies and the 1000 implementations

Here are some policy examples that would all accomplish the same thing for an External BGP Peer advertising many routes including the default 0/0 route. What we want to do is reject all routes and only accept the default route from our peer. 1 Policy, 2 Terms accepts and rejects in the same policy … Continue Reading