Channel: All ScreenOS Firewalls (NOT SRX) posts

Re: Policy ID's


Thanks for explaining that. Can you confirm: would this happen without manual intervention, i.e. if we never tried to use number 20, is it possible that it could be automatically assigned to new rules?

 

I.e. we have a separate logging system that said rule #20 has not been hit for 6 months, so we delete that rule, but it still shows in the database as unused; it's possible we may go and delete the new rule #20.

 

 


Re: Policy ID's


Yes, that might happen. You can create all your new policies on the CLI and manually choose the ID number at creation time.

 

set policy id ##
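
The ID-reuse risk discussed in this thread can be checked before acting on a hit-count report that identifies rules by ID only. The following is an added example, not part of the original posts: it compares two saved ScreenOS configurations and separates stale IDs whose definition is unchanged from IDs that were reused, changed or removed. The function names and the sample configurations are constructed for illustration.

```python
import re

# ScreenOS policy definition line; an optional name "..." clause is skipped
POLICY_RE = re.compile(
    r'^set policy id (\d+)\s+(?:name "[^"]*"\s+)?(from "[^"]+" to "[^"]+".*)$')

def parse_policies(config_text):
    """Map policy ID -> whitespace-normalized definition (zones, addresses, service, action)."""
    policies = {}
    for line in config_text.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:  # bare 'set policy id N' context lines do not match and are ignored
            policies[int(m.group(1))] = " ".join(m.group(2).split())
    return policies

def split_stale_ids(stale_ids, config_then, config_now):
    """Return (unchanged, mismatched) for IDs an external report flagged as unused.

    config_then: config saved when the reporting window started
    config_now:  config at the time of cleanup
    """
    then, now = parse_policies(config_then), parse_policies(config_now)
    unchanged, mismatched = [], []
    for pid in stale_ids:
        if pid in then and then[pid] == now.get(pid):
            unchanged.append(pid)
        else:
            mismatched.append(pid)  # ID reused, edited, removed or never seen
    return unchanged, mismatched

# Constructed sample snapshots (not taken from any real device)
CONFIG_THEN = '''
set policy id 19 from "Trust" to "Untrust"  "Any" "Any" "DNS" permit
set policy id 20 from "Trust" to "Untrust"  "Any" "Any" "FTP" permit log
set policy id 21 name "mail" from "Untrust" to "Trust"  "Any" "Any" "SMTP" permit
'''
CONFIG_NOW = '''
set policy id 19 from "Trust" to "Untrust"  "Any" "Any" "DNS" permit
set policy id 20 from "Trust" to "Untrust"  "10.0.0.0/24" "Any" "HTTPS" permit log
set policy id 20
exit
set policy id 21 name "mail" from "Untrust" to "Trust"  "Any" "Any" "SMTP" permit
'''

if __name__ == "__main__":
    unchanged, mismatched = split_stale_ids([19, 20], CONFIG_THEN, CONFIG_NOW)
    print("definition unchanged:", unchanged)
    print("ID reused or changed, do not delete by ID alone:", mismatched)
```

The comparison covers only the single-line policy definition; addresses or services added inside a policy context block are not considered.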

EOL ScreenOS firmware download?


Hello.

 

We have a failed Firewall in our HA pair.  We are sourcing a replacement, but we need the ScreenOS to match the primary firewall.

 

I need to find a copy of  ScreenOS 6.1.0R6.  The model firewall is SSG-550M-SH.  We will update after we can sync the pair.

 

Anyone have a copy?

 

Thanks!

Re: EOL ScreenOS firmware download?


Follow-up question: Is HA possible with mismatched minor revisions? i.e. 6.1 and 6.2?

srx210 connect to IP camera auto disconnect after 3 mins


I have set up an IP camera at my shop. I installed the camera software on my office PC and connect to the shop IP camera, however it auto-disconnects after 3 mins.

At my home, the connection to the IP camera is normal.

The office firewall is an SRX210HE. What is wrong?

 

Software Version: JUNOS Software Release [11.4R7.5]
Bios Version: 2.0

 

Re: srx210 connect to IP camera auto disconnect after 3 mins


 

From webmin, the timeout shows as below.

How do I amend the timeout?

[screenshot: sec.png]

 


Re: srx210 connect to IP camera auto disconnect after 3 mins


Yup - looks like your UDP-Session is about to timeout.

 

 

1. Configure a custom application for your Camera Traffic (UDP Port 7028 from what I see on your screenshot):

      applications {
           application my-camera {
                 protocol udp;
                 source-port 0-65535;
                 destination-port 7028;
                 inactivity-timeout never;
           }
      }

 

set applications application my-camera protocol udp
set applications application my-camera source-port 0-65535
set applications application my-camera destination-port 7028
set applications application my-camera inactivity-timeout never

 

 

This will set the timeout to "never" - you also can define the number of Seconds like 100000 (set applications application my-camera inactivity-timeout 100000)

 

 

 

 

2. Configure a security policy to the junos-host zone and call the application

     [edit security policies]
     from-zone trust to-zone junos-host {
          policy test {
               match {
                    source-address any;
                    destination-address any;
                    application my-camera;
               }
               then {
                    permit;
               }
          }
     }
 
That should fix your Problem.
 

Re: srx210 connect to IP camera auto disconnect after 3 mins


By the way this is the wrong Forum - you should Post SRX-Questions under the SRX Section - for future Posts.

Re: SC-CPA on SSG5 not function


HI STEVE

Was the url filtering license previously installed and lost? NO

Is this a new setup that needs the license applied? YES

The portal Support->find license key and search by serial number: FEATURE: Extended Mode: Extended Mode Key

 

This is the serial number of the device: 0162112010004886 (SSG5)

Tell me what could I do?

THANKS

RAFAEL

Re: When upgrading screenOS, I encounter something problem...


1: Product Name: SSG5-ISDN

    Software Version: 6.3.0r22.0   <-- this means device is already on the latest version.

 

2 :ssg5-isdn -> save software from tftp 192.168.XX.XX Loadssg5ssg20v132.d to flash // bootloader upgrade

 

If you are getting software error during the bootloader upgrade then it looks to be fine because this is not how you should upgrade the bootloader.
Please follow KB https://kb.juniper.net/InfoCenter/index?page=content&id=KB10949&smlogin=true&actp=search to upgrade the bootloader.

 

 

Thanks,

Vikas

Re: SC-CPA on SSG5 not function


Based on the serial number 0162112010004886, it only has Extended mode license, and does not include WF. Was this device recently RMA'd? If so, then the license would need to be transferred. Otherwise, if you know you have purchased the WF license, then you will have to call into Customer Care to resolve that issue.

Re: ssg140 vpn throughtput.


That is total device capacity.  If you have one tunnel that is doing 60Mbps, then the other 4 would only be able to get up to 40Mbps


multiple untrust adsl , from trust to untrust only Translated Source Address through first one adsl


We have 3 ADSL lines on an SSG350M.

Trust Zone: ethernet0/3 192.168.7.254/24

Untrust Zone: ethernet0/1 (1.1.1.254/24 ) & ethernet0/2 (2.2.2.254/24)  & ethernet1/0 (3.3.3.254/24)
ethernet1/0 has one MIP  3.3.3.253 --> 192.168.7.144

 

Untrust --> Trust Policy :   Any --> MIP 3.3.3.253   SMTP Port

Trust --> Untrust Policy:    192.168.7.144 --> Any  SMTP Port 

  

  Our problem is that when trust: 192.168.7.144 sends mail to untrust: Any, it shows Translated Source Address 1.1.1.254, not 3.3.3.253.

  Is there anyone who can help me? Thanks a lot.

 

 

MIP VPN


 Hello all,

 

Maybe it's too simple a question. I have to set up an SSG-5 with two VPN tunnels. I'm completely new to Juniper devices and only have an example config and the documentation.

 

My question is: how do I set up MIP with the same IPs for the two tunnels? They are configured for redundancy and so I need to map the IPs on both. Or do I have to configure it in a completely different way?

 

Kind regards,

Funny

Re: MIP VPN


Hello,

 

You can make use of the below link:

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB8157&actp=search

 

Note: That link talks about accessing the same MIP from the Internet and loopback. The same principle should apply for accessing the MIP from two different tunnels.

Try to do something like this:

 

Let us say ethernet1 terminates ISP1. It is end point of one tunnel with its tunnel interface tunnel.1

And ethernet2 terminates ISP2. It is end point of another tunnel with its tunnel interface tunnel.2.

Configure MIP for loopback.1

 

Now put eth1, eth2, tunnel.1, tunnel.2 & loopback.1 in the untrust zone.

Put tunnel.1 and tunnel.2 in loopback-group loopback.1.

 

Regards,

 

Rushi

 

Re: multiple untrust adsl , from trust to untrust only Translated Source Address through first one adsl


Is your security policy with the MIP object before the general NAT policy?
