Segmenting Datacenter Servers (Security and Performance)

In data center networking, you really don’t care what is hosted on a server. Let’s face it, you know it’s true. Some business unit probably calls this app “critical”. It probably generates a report that three people in the company see, but it’s important to them. To you, it’s a VLAN, an IP address, a …

Dual routing-engines/control ports on a @JuniperNetworks SRX

The Juniper Networks SRX is frequently deployed in a redundant configuration, especially the data center models (SRX1400, SRX3400, SRX3600, SRX5600, SRX5800). It’s pretty obvious why: when you think about the data the firewall is protecting, uptime is just as critical to the security of the system, sometimes even more so. Production web, database, storage, and …

Juniper SRX Op Script: op-monitor

On the data center SRXs, running “show security flow session summary” returns all of the sessions on each SPC. This can be time consuming when your SRX is fully loaded with SPCs. A great way to find out how many sessions are on each SPC at any given moment is the “srx-monitor” …

Troubleshooting a @JuniperNetworks SRX Flow

How I troubleshoot on an SRX. Prerequisite: log everything! Look for logs. If you see denied logs, the SRX is not allowing the flow. Check the policy configuration: make sure this traffic is hitting the correct policy, then change the policy or reorder policies to allow the traffic. If you see permitted logs, the SRX is …
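The procedure above, carried through on the CLI as an added example (this is not configuration from the original post). The zone names, addresses, policy names and the syslog file name are assumptions; it assumes event-mode traffic logging to a local file, as on a branch SRX.

```junos
# Added example, not the post's own configuration. Names and addresses are assumed.

# 0. Prerequisite: log everything. Traffic logs to a local file (assumed name),
#    and the cleanup policy at the bottom of trust->untrust logs its denies.
set system syslog file traffic-log any any
set system syslog file traffic-log match RT_FLOW
set security policies from-zone trust to-zone untrust policy deny-all match source-address any
set security policies from-zone trust to-zone untrust policy deny-all match destination-address any
set security policies from-zone trust to-zone untrust policy deny-all match application any
set security policies from-zone trust to-zone untrust policy deny-all then deny
set security policies from-zone trust to-zone untrust policy deny-all then log session-init
commit

# 1. Look for logs. A denied flow appears as RT_FLOW_SESSION_DENY; a permitted one
#    as RT_FLOW_SESSION_CREATE. (Host addresses are constructed for the example.)
run show log traffic-log | match RT_FLOW_SESSION_DENY | match 192.0.2.50

# 2. Check the policy configuration: which policy does this exact 5-tuple hit?
run show security match-policies from-zone trust to-zone untrust source-ip 10.1.1.25 destination-ip 192.0.2.50 source-port 40000 destination-port 443 protocol tcp

# 3. If the wrong policy matches (here deny-all sits above the permit rule),
#    reorder so the permit policy is evaluated first, then commit.
insert security policies from-zone trust to-zone untrust policy allow-https before policy deny-all
commit

# 4. If the log showed RT_FLOW_SESSION_CREATE instead, the SRX permitted the flow:
#    confirm the session exists, then look beyond the firewall (routing, the far end).
run show security flow session source-prefix 10.1.1.25/32 destination-prefix 192.0.2.50/32
```

The `match-policies` check in step 2 is the one worth remembering: it reports the policy that would match a given 5-tuple without waiting for the user to retry, so you find out whether the problem is ordering (fix with `insert`) or a match condition (fix the policy) before touching the config.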

SRX Clustering (cluster-id 0)

You can disable clustering on a Juniper SRX with the following command: set chassis cluster disable. You can also disable clustering with this command: set chassis cluster cluster-id 0. This goes against the way most things work inside JUNOS: typically, a numbered field starts at zero. Not the case for …

iMessage and FaceTime behind a Firewall

If you have a bunch of Apple devices behind a firewall, you’ve probably noticed people complaining that they can’t send iMessages or place/receive FaceTime calls. You’ll need to open up a few ports to allow this activity. FaceTime: TCP 80, TCP 443, UDP 3478–3497, TCP 5223, UDP 16384–16387 …
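As an added example (not configuration from the original post), the FaceTime ports listed above expressed as Junos application definitions, grouped into an application set and permitted by one policy. Only the ports shown on this page are included, since the post’s list is truncated here. The zone names, the address-book entry and the policy name are assumptions; the policy is scoped to the Apple devices rather than to any source, so the open UDP ranges are not reachable for every host behind the firewall.

```junos
# Added example, not the post's own configuration. Zone, address and policy
# names are assumed; only the ports listed on the page are defined.
set applications application facetime-tcp-80 protocol tcp destination-port 80
set applications application facetime-tcp-443 protocol tcp destination-port 443
set applications application facetime-tcp-5223 protocol tcp destination-port 5223
set applications application facetime-udp-3478-3497 protocol udp destination-port 3478-3497
set applications application facetime-udp-16384-16387 protocol udp destination-port 16384-16387

# One set, so the policy stays readable and later ports are added in one place.
set applications application-set apple-facetime application facetime-tcp-80
set applications application-set apple-facetime application facetime-tcp-443
set applications application-set apple-facetime application facetime-tcp-5223
set applications application-set apple-facetime application facetime-udp-3478-3497
set applications application-set apple-facetime application facetime-udp-16384-16387

# The Apple devices (constructed subnet) in the global address book.
set security address-book global address apple-devices 10.1.1.0/24

# Permit only from those devices, and log it so the flows show up when
# someone reports that FaceTime "still doesn't work".
set security policies from-zone trust to-zone untrust policy allow-facetime match source-address apple-devices
set security policies from-zone trust to-zone untrust policy allow-facetime match destination-address any
set security policies from-zone trust to-zone untrust policy allow-facetime match application apple-facetime
set security policies from-zone trust to-zone untrust policy allow-facetime then permit
set security policies from-zone trust to-zone untrust policy allow-facetime then log session-init
commit
```

TCP 80 and 443 are already covered by the built-in junos-http and junos-https applications; they are defined again here only so the set is self-contained. Put this policy above any broad deny for the trust-to-untrust pair, or it will never be evaluated.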

Rate Limit Per IP in JUNOS

If you want to rate limit certain IPs in JUNOS, here’s an easy way to do it. This policer sets each IP to a bandwidth limit of 64 Kbps and allows a burst of up to 128 KB. Remember that burst-size is in BYTES whereas bandwidth is in BITS per second.
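One way to build that per-IP limit, as an added example rather than the post’s own configuration: a single policer definition referenced from one filter term per address. Junos instantiates a separate policer for each term that references it (the default, unless the policer is marked filter-specific), so every listed host gets its own 64 Kbps bucket instead of sharing one. The host addresses, filter, term and interface names are assumptions.

```junos
# Added example, not the post's own configuration. Addresses and names are assumed.

# 64 Kbps sustained; burst-size-limit is in bytes, so 128k here is 128,000 bytes.
set firewall policer per-ip-64k if-exceeding bandwidth-limit 64k
set firewall policer per-ip-64k if-exceeding burst-size-limit 128k
set firewall policer per-ip-64k then discard

# One term per host. Each term gets its own policer instance, so the
# limit is per IP, not shared across all of them.
set firewall family inet filter limit-hosts term host-a from source-address 10.1.1.10/32
set firewall family inet filter limit-hosts term host-a then policer per-ip-64k
set firewall family inet filter limit-hosts term host-a then accept
set firewall family inet filter limit-hosts term host-b from source-address 10.1.1.11/32
set firewall family inet filter limit-hosts term host-b then policer per-ip-64k
set firewall family inet filter limit-hosts term host-b then accept

# Everything else passes unpoliced; without this term the filter's implicit
# discard would drop all other traffic on the interface.
set firewall family inet filter limit-hosts term everything-else then accept

# Apply inbound on the interface facing those hosts (assumed interface).
set interfaces ge-0/0/1 unit 0 family inet filter input limit-hosts
commit

# Check the drops per term once traffic is flowing.
run show firewall filter limit-hosts
```

If you add `filter-specific` to the policer, all terms in the filter share a single bucket and the limit becomes 64 Kbps for the group, which is the opposite of what the post describes; leave it off for per-IP limiting. The one-term-per-IP pattern is fine for a handful of addresses but does not scale to whole subnets.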

Load Balance on a #Juniper SRX in #JUNOS

Many small businesses and branch offices have two ISP connections and one Juniper SRX. The branch office SRX is great for anti-virus, anti-spam, intrusion detection, VPNs, and plain firewalling, but one downside is that per-packet or per-flow load balancing isn’t possible on a stateful Juniper SRX. You won’t be able to “truly” …

Add Logging to All Security Policies on a #Juniper #SRX

If you’re tired of typing “then log session-init” or clicking the log button in NSM or the web GUI, there is an easy way to log every single policy: JUNOS groups. From the CLI: configure; set groups log-all-policies security policies from-zone <*> to-zone <*> policy <*> then log …
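The group approach carried through as an added example (not the post’s own configuration beyond the wildcard line it shows): the group defines the logging action for every policy in every zone pair, `apply-groups` turns it on, and `display inheritance` proves it took effect, since inherited statements do not appear in a plain `show`. The global-policy line and the session-close logging are my additions and are assumptions about what you want logged.

```junos
# Added example, not the post's own configuration.
configure

# Wildcards match every from-zone, to-zone and policy name.
set groups log-all-policies security policies from-zone <*> to-zone <*> policy <*> then log session-init
set groups log-all-policies security policies from-zone <*> to-zone <*> policy <*> then log session-close

# Global policies live under a different hierarchy and are not covered by the
# from-zone/to-zone wildcard; cover them separately if the box uses them (assumed).
set groups log-all-policies security policies global policy <*> then log session-init
set groups log-all-policies security policies global policy <*> then log session-close

# Nothing is inherited until the group is applied.
set apply-groups log-all-policies
commit

# Inherited statements are invisible to a plain "show"; this displays them
# with a marker on each line that came from the group.
show security policies | display inheritance
```

Apply the group at the top level as shown, not under `security policies`; and remember that a new policy added later inherits the logging automatically, which is the point, but also means any policy you deliberately do not want logged needs an explicit `delete` of the inherited statement under that policy.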