It needs some specific configuration to get that working and we found out the hard way
Zone-based vs Global When dealing with address objects, an SRX running an older version of Junos would typically employ a zone-based address-book for its configuration. When using a zone-based address-book, the address objects referenced in the security policies are created per zone, which means that every zone has its own address-book configuration and the same object may be duplicated across zones. Newer Junos versions use a global address-book configuration. The global address-book reduces complexity in your configuration by managing all address objects in one place, so if you need to reference the same object in different zones, you don't define it under multiple zones in your configuration
1 Comment - try this. show configuration | display set | save config.txt start shell sed s”/set security zones
Step 2) Using the key-pair we just generated, we create a self-signed certificate:

    root@leen-1500> request security pki local-certificate generate-self-signed certificate-id root domain-name leen-1500.wsa.local email "user@domain.com" add-ca-constraint subject DC=wsa,DC=local,CN=leen-1500

Note: the FQDN of this SRX is leen-1500.wsa.local

Step 3) Instruct the SRX to trust the root CAs and use the certificate just created. We move to configuration mode now:

    user@host# set services ssl proxy profile trusted-ca-group-profile trusted-ca all
    user@host# set services ssl proxy profile trusted-ca-group-profile root-ca root

The configuration should show this now:

    root@leen-1500> show configuration services ssl proxy profile trusted-ca-group-profile {
        trusted-ca all;
        root-ca root;
    }

At this point the configuration of the SRX is almost done
4 Comments - giving you the error when you configure the SET SERVICES SSL PROXY stanza ## ## Warning: configuration block ignored: unsupported platform (srx300) ## Feature explorer also backs this up Prior to 15.1X49-D50 you could however configure this on an SRX300
The following shows the basic configuration for interfaces, zones, and BGP:

    interfaces {
        ge-0/0/4 {
            description Untrust;
            unit 0 {
                family inet {
                    address 200.200.200.2/30;
                }
            }
        }
        ge-0/0/8 {
            description Trust;
            unit 0 {
                family inet {
                    address 172.16.0.1/24;
                }
            }
        }
    }
    protocols {
        bgp {
            group partner {
                export conditional route;
                peer-as 1111;
                neighbor 200.200.200.1;
            }
            group wan {
                peer-as 65100;
                neighbor 172.16.0.2;
            }
        }
    }
    routing-options {
        autonomous-system 65100;
    }
    security {
        zones {
            security-zone untrust {
                interfaces {
                    ge-0/0/4.0 {
                        host-inbound-traffic {
                            protocols {
                                bgp;
                            }
                        }
                    }
                }
            }
            security-zone trust {
                interfaces {
                    ge-0/0/8.0 {
                        host-inbound-traffic {
                            protocols {
                                bgp;
                            }
                        }
                    }
                }
            }
        }
    }

The export policy conditional route is as follows:

    policy-options {
        policy-statement conditional route {
            term 1 {
                from {
                    route-filter 1.1.1.0/24 exact;
                    condition check route;
                }
                then accept;
            }
            then reject;
        }
    }

The SRX Series device advertises 1.1.1.0/24 based on the condition labeled check route, shown as follows:

    policy-options {
        condition check route {
            if-route-exists {
                192.168.1.0/24;
                table inet.0;
            }
        }
    }

You must add 1.1.1.0/24 into the route table
In addition to the configuration aspects, before using Juniper’s Neutron plugin, you must also determine how to set up and scale this infrastructure
If >= 11.1, do address book conversion */
    var $version = { call get-junos-version(); }
    if ($version > 11.1) {
        var $conn = jcs:open();

        <op-script-results> {

            <output> "Converting old address books in the committed configuration database to " _ $version _ " address books
With the latest Apple iOS improvements, and support for IKEv2, it's now possible to establish a VPN connection between Apple iPhone/iPad devices and Juniper SRX devices. Note: You must have Apple iOS 9.x installed and have access to an Apple Mac to prepare an Apple VPN profile. Read Milan...
8 Comments - I'm only having an issue at one of the last steps with the configuration of the SRX. I tried every possible combi but none worked
Source Code and GitHub Links: The source code below is also available from the following GitHub locations: track-ip in Junoscriptorium on GitHub. Example Configuration: The track IP JUNOScript implementation utilizes the event system
Description Here is a sample configuration used to simulate two routers on a single SRX100. Notes on this configuration: The virtual topology drawing below is also inside the configuration so you can easily see your "testbed"