Juniper SRX, Routing Instances, and Syslog Challenges

In the previous post I described the issue I had with routing instances and DHCP-relay, and how I fixed it. It turns out that DHCP-relay wasn't my only problem. Turns out that syslog also stopped at the time I implemented the routing instances.

To solve this I needed to inject the route to my syslog server (Splunk) in the global routing instance by using policy options.

set policy-options policy-statement syslog-policy term 10 from instance DEFAULT
set policy-options policy-statement syslog-policy term 10 from route-filter 192.168.20.0/24 exact
set policy-options policy-statement syslog-policy term 10 then accept
set policy-options policy-statement syslog-policy then reject

set routing-options instance-import syslog-policy

Posted on June 25, 2018 by Willem and filed under Annoying, Security, Tips'n Tricks and tagged Junos syslog routing-instances firewall srx.

Run Juniper Virtual SRX in VMWare Workstation

The Juniper Virtual SRX firewall can run on multiple platforms, but VMware Workstation is not mentioned in the list of supported platforms. Having some experience with both, I know that almost all VM's designed for the VMware ESXi environment will run on the (stand-alone) VMware Workstation product.

I downloaded the .ova file from the Juniper website and imported it in VMware Workstation v12.1. During the import I adjusted the number of CPU's to save resources, which turned out to be a mistake. The VM really needs the two CPU's, because if you don't it just won't work (routing failures, etc..). So, don't change the defaults for CPU and memory.

Posted on January 12, 2016 by Willem and filed under Junos, Security, Tips'n Tricks and tagged vSRX Juniper vmware vmxnet3 firewall.

Apple OSX Server Firewall

My Apple OSX server (Mountain Lion) at home is the centre of my network and entertainment system. It provides provides the following services:

DNS
DHCP
VMWare Server platform (VMWare fusion)
Air Video HD Server (for streaming video over the network)
General Internet download station

Since several (soft-, and hardware) upgrades and redesigns of my internal network (from a single VLAN to a multi-VLAN with firewall services and traffic inspection) several services failed under certain circumstances. E.g. Air-Video would work internally where the client was in the same network as the OSX server network interface. But trying to connect through the SSL VPN stopped working for some reason. Also, the VNC Viewer did work in the old days, but stopped working over time. Same for several static NAT entries; worked before, and stopped working without 'no reason'. Other services like ssh did work in the old and new network design....

Posted on September 3, 2014 by Willem and filed under Annoying, Apple, Security and tagged ipfw firewall OSX server Air Video.

Juniper SRX Apply-groups

A while back I wrote a blog post about enabling global logging on security rules. This week I applied the same technique to enable ping on all zones for testing / troubleshooting purposes.

Instead of adding ping as a host-inbound-traffic system-service to all zones, and if you have a couple this means some configuring, you can solve this by adding just 3 (three) lines of config to the firewall.

Posted on July 15, 2013 by Willem and filed under Security, Tips'n Tricks, Junos and tagged srx config apply-groups groups ping firewall Juniper.

Filter / Block IP Addresses On A Juniper SRX

While exploring the configuration options on the Juniper SRX firewall, I stumbled upon the so-called firewall filters. These filters are not to be mistaken for the firewall policy rules. They are something different, but can be used for achieving similar goals.

In my case, I wanted to see if it was possible to quickly block a list of IP addresses (or subnets) without the hassle of creating addressbook entries (Address Sets). My list of IP addresses consists of known hosts that participate in the criminal ZeuS network. These IP addresses are either Command&Control servers or servers used to transfer (captured) data to. In any case, servers you don't want to communicate with.

The solution on the SRX is to create a firewall filter containing the list with hosts / networks. The filter, in my case, is applied to the outgoing interface (fe-0/0/0).

Posted on January 9, 2013 by Willem and filed under Security, Tips'n Tricks, Junos and tagged Filters Juniper srx firewall.

Enable Global (Security) Logging On SRX Policies

Normally, one would enable logging on each security policy. If you have hundreds of policies, and you want/need logging for troubleshooting, it takes a while (and some serious) effort to enable this for all policies.

Posted on January 8, 2013 by Willem and filed under Security, Tips'n Tricks, Junos and tagged firewall srx logging Juniper.

Enable Juniper SRX Firewall Logging

Juniper started to migrate their firewalls from Netscreen to the Junos environment 'a couple of' months back. The advantage is that there's a universal OS for routers, switches and firewalls. Just like Cisco IOS. The disadvantage is that the Junos OS is being adapted for the firewalls. So the foundations are there, but there are still lots of features missing and bugs are also still abundant.

The bugs are thankfully mostly related to the WebGUI. On the commandlinethe bugs are in the same league as the Cisco, Checkpoint and every other vendor bugs. No piece of software is perfect.

Posted on March 1, 2011 by Willem and filed under Annoying, Hardware, Security, Tips'n Tricks, Junos and tagged firewall logging srx Juniper.

VMWare and Firewall / VPN Clients

Well, that was another morning well spent....

A couple off weeks ago I started experimenting with FreeRADIUS on Ubuntu server (v6.06.2 TLS). Mainly because I needed to test some things for work. So I used VMWare to experiment. The networking part was set-up as Bridged.

Today, I wanted to test with iperf (a tool for network performance testing). So I launched the virtual machine, but there was no network connectivity. ifconfig showed that eth1 didn't received an IP adres.
So I ran every possible test there was;

restarted the interfaces (/etc/init.d/networking restart)

This resulted in the following;

Listening on LPF/eth1/00:0c:29:68:e3:eb
Sending on LPF/eth1/00:0c:29:68:e3:eb
Sending on Socket/fallback
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 8
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 12

The "DHCPDISCOVER" messages continue about 4 times, then the message:

No DHCPOFFERS received.
No working leases in persistent database - sleeping.

restarted the DHCP server
rebooted the virtual machine
changes the networking to NAT instead of Bridged (this way, connectivity was restored, but not the way I wanted. I needed Bridge-mode)
Tried to run the virtual machine on OSX (VMWare Fusion), which worked surprisingly.

After this I ran Wireshark on my server to see if DHCP request were coming in.... And you might have guessed; No DHCP request were reaching the DHCP server. So the problem was work PC related.... As a matter of fact, I had the Cisco VPN client running..... Which didn't allow the DHCP request broadcast.

Shutting the VPN client down solved the DHCP problem. After the virtual machine worked I could reinitiate the VPN.

Mental note to myself: do NOT boot/restart the virtual machines when the VPN is up.

Posted on April 8, 2008 by Willem and filed under Annoying, Operating Systems, Software and tagged Cisco VPN client DHCPDISCOVER FreeRADIUS dhcp firewall iperf ubuntu vmware.