Channel: All ScreenOS Firewalls (NOT SRX) posts

Re: SRX to SSG5 Route-based VPN with GRE?

Steve,

Thanks kindly for your reply, but I think our signals are getting a bit crossed here:

- I'm not attempting to "run IPSEC over GRE", I would like to run "GRE inside/through IPSEC", which is very common --- namely used to secure dynamic routing protocols like OSPF. Without encapsulating OSPF inside of a GRE tunnel, which will in turn be encapsulated in an IPSEC tunnel, your multicast traffic would NOT be secure (at least in the truest sense).

So again, what I'm looking to do is ensure that all OSPF/Multicast traffic is encrypted through the IPSEC tunnel ... and to my knowledge, GRE is necessary to do this.


Re: SRX to SSG5 Route-based VPN with GRE?

GRE over IPSEC is supported by both ScreenOS and Junos. I think you read the kb incorrectly.

What the kb seems to me to say is that you need the ScreenOS vpn tunnel interface and gre interface in the same zone.

Can you post the config you have on each side?

Re: SRX to SSG5 Route-based VPN with GRE?

In Juniper (both ScreenOS and Junos) OSPF and multicast are supported natively in the IPSEC tunnel - no need for a GRE tunnel inside the IPSEC tunnel.
This scenario is only needed for compatibility with Cisco, as there you need a GRE tunnel for dynamic routing protocols.

Re: SC-CPA on SSG5 not function

Hi Steve,

The Url Filtering is Disabled, what's happening?

Thanks,

Rafael

Re: SC-CPA on SSG5 not function

Sorry, I'm not sure what you mean by disabled.

First, I want to confirm that your license is recognized and installed. You should see the expiration date here:

Configuration > Update > ScreenOS/Keys

License Box:

Url Filtering: Expire Date: 20xx/MM/DD

If the date is current, then also confirm that your NTP is set up and working. The current system Date/Time is at the top of the screen and the NTP is set here:

Configuration > Date/Time

high CPU utilization

Dears,

I have SSG350 firewalls. Recently I noticed that the CPU is getting very high at peak time during the day (check attached image). Logs are not showing any kind of attacks on the firewall. I need to know what are the main elements that affect the high CPU utilization and how to reduce it. Thanks in advance.

Regards,

Amjad.

Re: SRX to SSG5 Route-based VPN with GRE?

Thanks, Mircho. It would be helpful if I could find some literature that spells that out 100%, even if it's a spec sheet, or whitepaper, etc.

There seems to be a lot of ambiguity about it.

To plainly state my intentions, I would prefer to not have to run commands at interface level on each side to force conversion of multicast to unicast (for OSPF), prior to sending over the IPSEC tunnel.

The recurring theme of knowledge I see posted everywhere is that OSPF w/ multicast over an IPSEC tunnel simply isn't supported (vendor-neutral). So are you saying between my SSG5 and SRX100B, I can natively establish OSPF adjacency (with a single area 0), directly over the IPSEC tunnel ---- out of the box --- without any unique configuration to interfaces, other than general OSPF config?

Thanks for confirmation in advance. If your reply is yes, then I'll refer to Recipe 12 in the Day One guide (previously mentioned here: http://forums.juniper.net/jnet/attachments/jnet/Day1Books/336/1/DO_Ambassadors_2014.pdf)

Thanks again for contributing!

Re: high CPU utilization


Re: SRX to SSG5 Route-based VPN with GRE?

I can't find any clear documentation for you. But I can assure you that both ScreenOS and Junos can run OSPF directly on the vpn tunnel interfaces and pass the OSPF multicast, making full neighbors. This feature was in ScreenOS for many years and was used to create automatic hub and spoke multipoint tunnels where you would not need to create any of the necessary routes for the sites to interconnect.

The feature was also then implemented in the SRX Junos code and works there as well.

I created the recipe because I encountered some nuances getting this to work between ScreenOS and Junos, so I wanted to document and share the working example.

Re: SRX to SSG5 Route-based VPN with GRE?

I follow you now. Thanks.

So I'm looking at the syntax from the Day One guide, and it looks like it assumes you are only passing a single network between SRX/SSG.

In the event that you wanted to advertise numerous subnets/networks, would you add another line of code for each respective vlan interface? I understand summarization is out of scope for this post, so I'm doing it the labor intensive way for argument's sake:

Enable OSPF on the SRX and assign the local VLAN interface and the
tunnel interface to OSPF area 0:

set protocols ospf area 0 interface vlan.0
set protocols ospf area 0 interface vlan.10
set protocols ospf area 0 interface vlan.20
set protocols ospf area 0 interface st0.0

Configure vlan.0 to announce OSPF routes: *Except here I would need to add additional vlan interfaces? RVIs?

set protocols ospf area 0 interface vlan.0 passive
set protocols ospf area 0 interface vlan.10 passive
set protocols ospf area 0 interface vlan.20 passive

In most of the environments I work in, it's more common that the RVIs/subnets are defined on an L3 switch, for example EX4200, and we have a default route between the L3 switch and the upstream firewall/SRX. In that sense, no VLANs are defined on the firewall other than the native VLAN that exists (untagged).

As an alternative to the above, if I wanted to pass 10 OSPF routes from my L3 Juniper switch up to the SRX, and over to the SSG side, would I still need to configure the SRX/SSG the same as the Day One guide? If I were advertising the 10 routes from the L3 Juniper switch on each side of the VPN tunnel? Or would the SRX/SSG drop/not forward the OSPF traffic across the tunnel?

Sorry if I'm confusing you ... definitely not my intention. Normally this would be a non-issue, because we would have an L2VPN/VPLS (Metro Ethernet) solution ... but this exercise really has me intrigued about the capabilities of SRX/SSG with L3 switches in the mix, and forwarding OSPF across the tunnel. I have an environment with this exact scenario actually.
ssg14- Report - Interface Bandwidth

I see total allocated gbw with a value. I have checked a few other ssg140s; they don't see that value. I don't have any traffic shaping configured on this interface.

bandwidth: physical 1000000kbps, configured egress [gbw 0kbps mbw 0kbps]
configured ingress mbw 0kbps, current bw 17328kbps
total allocated gbw 14000kbps

Re: SRX to SSG5 Route-based VPN with GRE?

Yes, the sample is showing just one local subnet and the vlan interface on the SRX. This could also be multiple interfaces as you note.

But you can have the vlan side of the OSPF setup on the switch. But naturally the SRX has to neighbor with the switch to get those routes to be learned on the SRX.

In short you can consider the tunnel interface neighbors as if they were just two routers on your standard OSPF setup. And then arrange the rest of the area configuration as you would if that link were a normal point to point OSPF link. Just forget about it being over an IPSEC tunnel.
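To make the "two routers on a point to point link" model concrete, here is an added ScreenOS-side example (not from the thread or the Day One guide) that puts the tunnel interface and the inside interface facing the L3 switch into OSPF area 0, so the subnets learned from the switch are flooded across the tunnel without per-subnet lines on the firewall. Interface names, addresses, the vpn name and the trust-vr placement are assumptions; lines starting with # are annotations, not CLI input.

```screenos
# Assumed: tunnel.1 is already bound to the route-based VPN (set vpn <vpn-name> bind interface tunnel.1),
# ethernet0/0 in zone trust faces the EX4200 that owns the RVIs, and both interfaces live in trust-vr.
# Putting tunnel.1 in zone trust as well means no inter-zone policy is needed for OSPF hellos
# (intra-zone traffic is permitted by default unless intra-zone blocking was enabled).
set interface tunnel.1 zone trust
set interface tunnel.1 ip 10.255.0.2/30

# Enable OSPF in the virtual router that holds both interfaces (router-id must be set before enabling)
set vrouter trust-vr
set router-id 10.255.0.2
set protocol ospf
set enable
exit
exit

# Tunnel side: treat the VPN exactly like a point-to-point link between two routers
set interface tunnel.1 protocol ospf area 0.0.0.0
set interface tunnel.1 protocol ospf link-type p2p
set interface tunnel.1 protocol ospf enable

# Inside side: form an adjacency with the L3 switch so its ten (or more) subnets are learned here
# and advertised over tunnel.1 as ordinary intra-area routes; no passive lines are needed
# because the switch, not the firewall, owns the RVIs
set interface ethernet0/0 protocol ospf area 0.0.0.0
set interface ethernet0/0 protocol ospf enable

# Verification: expect a FULL neighbor on tunnel.1 (the SRX st0.0 peer) and on ethernet0/0 (the switch),
# and the switch's subnets present in the route table with protocol OSPF
get vrouter trust-vr protocol ospf neighbor
get route
```

The SRX side is the mirror image of this using st0.0 and the protocols ospf commands quoted earlier in the thread, with the SRX neighboring its own switch on the local interface.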

Re: SC-CPA on SSG5 not function

The report from the License information is:

...Drp: Enable

Deep Inspection: Enable

Deep Inspection Database Expire Date: Disable

Signature pack: Signature update key is missing

IDP: Disable

AV: Disable(0)

Anti-Spam: Disable(0)

Url Filtering: Disable

Deep Inspection signature database version is 0

AND the "Automatically synchronize with an Internet Time Server(NTP)" is checked.

Netscreen Redundant Interface

In Redundant Interfaces, when one of the interfaces is active and the other is passive, and we configure OSPF over that redundant interface, will disabling the primary interface in that redundant interface cause OSPF to flap? Can anyone confirm if tested.

Thanks

Re: Netscreen Redundant Interface

Hello,

A redundant interface has the MAC address of the first interface added while creating it, irrespective of which physical interface is up. So as long as both the physical interfaces are part of the same broadcast group (i.e. connected to one or more switch interfaces in the same vlan), I do not think there should be loss of routing neighbourship with the peer ScreenOS device.

Regards,

Rushi


Re: SC-CPA on SSG5 not function

Your setup shows that the url filtering license is not installed at all on the device. So perhaps this was factory reset or otherwise missed.

Was the url filtering license previously installed and lost? Or is this a new setup that needs the license applied?

You will need to go to the Juniper license portal on the support site and get the license key for your url filtering. This will then be applied in this same screen.

Disable Interface? (Reposted in right topic)

Accidentally posted this in the JunOS thread... the firewall in question is running ScreenOS.

I have a bit of an odd issue.

I have a firewall with two VPN tunnels up to two different VPN hubs.

I need the VPN to Hub2 disabled/off if the VPN to Hub1 is up.

Is this possible, and if so how?

Note: the 'spoke' firewall does not have a 0.0.0.0/0 route. I went as far as making a non-permanent route for the public IP of hub2 via tunnel1 (to hub1) with a lesser priority route via the spoke's wan gateway. This didn't solve the issue.

Thanks,

Z

Re: Disable Interface? (Reposted in right topic)

You can do this with a route based VPN using floating static routes and VPN monitoring with rekey. Enable monitor with rekey on the VPN for hub1, then set your route preference for that VPN lower than for hub2.

Re: Disable Interface? (Reposted in right topic)

Thank you for the reply!

I actually tried that this morning...

Tunnel.1 bound to Hub1
Tunnel.2 bound to Hub2

Both VPNs set monitor optimized rekey

set route HUB2_WAN_IP/32 interface tunnel.1 preference 20 description "HUB2_NULL_ROUTE"
set route HUB2_WAN_IP/32 interface ethernet0/2 gateway WAN_GATEWAY preference 20 metric 20 description "HUB2_WAN_ROUTE"

I first tried without the metric 20 route at all, but the VPN kept coming up... I traced down the issue I think though. Looks like traffic was allowed from the hub1 VPN to the wan IP of hub2... so we were building the hub2 vpn inside the hub1 vpn.

The problem I'm seeing now though is that:

- if I disable/re-enable the Hub2 tunnel (with Hub1 tunnel up) - the hub2 tunnel does NOT come back (which is what we want)

- if I disable the Hub1 tunnel, the hub2 tunnel comes up after a few seconds (which is what we want)

- if I re-enable the Hub1 tunnel, the hub2 tunnel does NOT go down (which is a problem)

-z

Re: Disable Interface? (Reposted in right topic)

Disable monitor/rekey on the Hub2. Unfortunately, you will have to wait for the hub2 IKE to time out before it will show down. If both sides are set with the floating routes, then when hub1 comes back up, all sessions should change to that route.
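Pulling the whole exchange together, here is an added ScreenOS spoke-side example (not posted by anyone in the thread) of the floating-static-route failover described above: monitor plus rekey only on the Hub1 VPN, no monitor on Hub2, metric-ranked routes for the hub-side network, and an explicit WAN route for Hub2's peer address so its IKE never rides inside the Hub1 tunnel. The vpn names, 10.0.0.0/8 and ethernet0/2 are assumptions; HUB2_WAN_IP and WAN_GATEWAY are the thread's own placeholders; lines starting with # are annotations, not CLI input.

```screenos
# Assumed: tunnel.1 is bound to vpn hub1-vpn, tunnel.2 is bound to vpn hub2-vpn,
# ethernet0/2 is the WAN interface, and 10.0.0.0/8 is reachable behind either hub.

# Only the preferred hub is monitored: monitor + rekey keeps tunnel.1 re-establishing on its own,
# and marks the tunnel interface down when the peer stops answering
set vpn hub1-vpn monitor optimized rekey

# Hub2 is deliberately NOT monitored or rekeyed. Its SA is brought up only by user traffic
# once the tunnel.1 route is gone, and it simply ages out (IKE/IPSec lifetime) after hub1 returns,
# so there is nothing on the spoke that keeps rebuilding it
unset vpn hub2-vpn monitor

# Floating static routes: same route preference, different metrics. While VPN monitor holds tunnel.1 up
# the metric 1 route wins; when tunnel.1 goes down that route becomes inactive and the metric 10
# route through tunnel.2 takes over. When tunnel.1 comes back, traffic moves back to it immediately
set route 10.0.0.0/8 interface tunnel.1 metric 1
set route 10.0.0.0/8 interface tunnel.2 metric 10

# Pin Hub2's IKE/ESP peer address to the physical WAN link so the hub2 VPN can never be built
# inside the hub1 tunnel (the "VPN inside a VPN" symptom seen in the thread)
set route HUB2_WAN_IP/32 interface ethernet0/2 gateway WAN_GATEWAY

# Verification: with hub1 reachable, get vpn shows hub1-vpn active and the 10.0.0.0/8 entry
# via tunnel.1 is the active route; after hub1 fails, the tunnel.2 entry becomes active
get vpn
get route
```

Because Hub2 is no longer monitored, its VPN will still show as up for one SA lifetime after Hub1 recovers even though no traffic is using it; that is the expected behaviour the reply describes, not a misconfiguration.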
