Dual routing-engines/control ports on a @JuniperNetworks SRX

The Juniper Networks SRX architecture is frequently deployed in a redundant configuration, especially the data-center SRXs (SRX1400, SRX3400, SRX3600, SRX5600, SRX5800). It's pretty obvious why: when you think about the data that the firewall is protecting, uptime is just as critical to the security of the system, sometimes even more so. Production web, database, storage, and …

Juniper SRX Op Script: op-monitor

On the data-center SRXs, running "show security flow session summary" will return all of the sessions on each SPC. This can be a bit time consuming when your SRX is fully loaded with SPCs. A great way to find out how many sessions are on each SPC at any given moment is the "srx-monitor" …

Troubleshooting a @JuniperNetworks SRX Flow

How I troubleshoot on an SRX

Prerequisite: Log Everything!

Look for logs:
  - If you see denied logs, the SRX is not allowing the flow. Check the policy configuration:
      - Make sure this traffic is hitting the correct policy
      - Change the policy or reorder policies to allow the traffic
  - If you see permitted logs, the SRX is …

SRX Clustering (cluster-id 0)

You can disable clustering in a Juniper SRX with the following command: set chassis cluster disable

You can also disable clustering with this command: set chassis cluster cluster-id 0

This goes against the way most things work inside JUNOS. Typically, if you have a numbered field, it always starts at zero. Not the case for …

Load Balance on a #Juniper SRX in #JUNOS

Many small businesses and branch offices have 2 ISP connections and 1 Juniper SRX. The branch-office Juniper SRX is awesome for anti-virus, anti-spam, intrusion detection, VPNs, and just plain firewalling, but one of the downsides is that per-packet or per-flow load balancing isn't possible on a stateful Juniper SRX. You won't be able to "truly" …

Add Logging to All Security Policies on a #Juniper #SRX

If you're tired of typing "then log session-init" or clicking on the log button in NSM or on the web GUI, there is an easy way to log every single policy. We'll use JUNOS groups to accomplish this. From the CLI:

configure
set groups log-all-policies security policies from-zone <*> to-zone <*> policy <*> then log …

Denial of Service @JuniperNetworks SRX Firewalls #whitehat

So my job as a Network Security Engineer is to test networks and devices for stress and vulnerability. I haven't ever uncovered anything that hasn't already been discovered, but there seems to be a pretty serious design flaw in the traffic handling on high-end Juniper SRX firewalls. The high-end Juniper SRX firewalls are massive stateful …

Juniper SRX Status (High End) #Juniper

If you want to capture the full status of an SRX, here are the commands I run to get a good baseline of what's going on in a high-end Juniper SRX. If you're running routing-instances, make sure to update the protocol statuses with "routing-instance xyz".

show arp no-resolve | no-more
show bgp summary …

Juniper SRX Q&A Session

I was recently asked a few questions about Juniper SRXs that I figured everyone could benefit from knowing the answers to…

Q. How would I disable flow processing on IPv4?

A. In JUNOS config mode: set security forwarding-options family mpls mode packet-based

You will also need to delete all security policies. This will also disable features …