Monday, August 26, 2013

change the web filtering of SRX in NSM

If you want to add a URL to the NSM white list, it can take a long time to find where the setting is, even with central policy management. It is under:

Object Manager > UTM > Misc > URL Category

Thursday, August 8, 2013

dhcp relay configuration of Juniper SRX

Our topology has the DHCP server and the DHCP clients connected to the same physical interface on different VLANs. Before you configure the DHCP relay agent on the SRX, make sure routing between the DHCP server and the subnet of the DHCP scope works, meaning you can ping the DHCP server using a source IP from the scope.

To configure an SRX Series device as a relay agent that forwards incoming requests from BOOTP or DHCP clients to a BOOTP or DHCP server:
  1. Provide a description for the relay service. In this example, "Global DHCP relay service" is the descriptive text.
    user@host# set forwarding-options helpers bootp description "Global DHCP relay service"
  2. Specify the IP address of the server to which requests are forwarded. In this example, the IP address is 192.18.24.38.
    user@host# set forwarding-options helpers bootp server 192.18.24.38
  3. (Optional) Specify the maximum number of hops allowed per packet. In this example, the hop count is 4.
    user@host# set forwarding-options helpers bootp maximum-hop-count 4
  4. Specify the interface on which BOOTP requests will be received: either the physical unit, or the client VLAN's routed interface (vlan.xxx).
    user@host# set forwarding-options helpers bootp interface fe-0/0/7.0
  5. Specify DHCP as an allowed inbound service for each interface that is associated with DHCP. In the following example, DHCP is configured as an inbound service for fe-0/0/7 and fe-0/0/8.
user@host# set security zones security-zone trust interfaces fe-0/0/7 host-inbound-traffic system-services dhcp
user@host# set security zones security-zone untrust interfaces fe-0/0/8 host-inbound-traffic system-services dhcp
note: if you already have a zone-wide host-inbound-traffic setting that applies to all interfaces, skip this step; an interface-level host-inbound-traffic setting overrides the zone-wide one.

6. (This applies when the client and server are in different security zones.) Make sure you have a security policy that permits the session from the DHCP server back to the DHCP client, in addition to the policy from trust to untrust.

user@host# set security zones security-zone untrust address-book address DHCP-server 192.18.24.38
user@host# set security policies from-zone trust to-zone untrust policy DHCP-request match source-address any
user@host# set security policies from-zone trust to-zone untrust policy DHCP-request match destination-address DHCP-server
user@host# set security policies from-zone trust to-zone untrust policy DHCP-request match application any
user@host# set security policies from-zone trust to-zone untrust policy DHCP-request then permit
user@host# set security policies from-zone untrust to-zone trust policy DHCP-reply match source-address DHCP-server
user@host# set security policies from-zone untrust to-zone trust policy DHCP-reply match destination-address any
user@host# set security policies from-zone untrust to-zone trust policy DHCP-reply match application any
user@host# set security policies from-zone untrust to-zone trust policy DHCP-reply then permit

Verification

To verify the DHCP relay configuration, use the following operational mode command:
user@host> show system services dhcp relay-statistics
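As an added example (not part of the original post and not a Juniper tool), here is a hypothetical Python audit script that reads the set commands above and checks the conditions the steps depend on: the relay interface sits in a zone that allows host-inbound DHCP, the server has an address-book entry, and every permit policy leaving the server's zone is restricted to the server's address rather than "any". The set commands from the post are embedded as a constructed sample.

```python
"""Audit Junos 'set' commands for a DHCP/BOOTP relay setup (hypothetical checker).

Added example, not code from the original post. It tokenizes the set
commands and verifies the conditions the post's steps rely on.
"""
import re
from collections import defaultdict

# Constructed sample: the set commands from the post, one per line.
SAMPLE_CONFIG = """
set forwarding-options helpers bootp description "Global DHCP relay service"
set forwarding-options helpers bootp server 192.18.24.38
set forwarding-options helpers bootp maximum-hop-count 4
set forwarding-options helpers bootp interface fe-0/0/7.0
set security zones security-zone trust interfaces fe-0/0/7 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces fe-0/0/8 host-inbound-traffic system-services dhcp
set security zones security-zone untrust address-book address DHCP-server 192.18.24.38
set security policies from-zone trust to-zone untrust policy DHCP-request match source-address any
set security policies from-zone trust to-zone untrust policy DHCP-request match destination-address DHCP-server
set security policies from-zone trust to-zone untrust policy DHCP-request match application any
set security policies from-zone trust to-zone untrust policy DHCP-request then permit
set security policies from-zone untrust to-zone trust policy DHCP-reply match source-address DHCP-server
set security policies from-zone untrust to-zone trust policy DHCP-reply match destination-address any
set security policies from-zone untrust to-zone trust policy DHCP-reply match application any
set security policies from-zone untrust to-zone trust policy DHCP-reply then permit
"""


def parse_set_lines(text):
    """Return the token list of each 'set ...' line, without the leading 'set'.

    Quoted strings (such as the description) stay as one token.
    """
    cmds = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("set "):
            cmds.append(re.findall(r'"[^"]*"|\S+', line)[1:])
    return cmds


def audit_dhcp_relay(text):
    """Return a list of findings; an empty list means all checks passed."""
    servers, relay_ifaces, dhcp_allowed = set(), set(), set()
    zone_of_iface, addr_book = {}, {}
    policies = defaultdict(dict)  # (from-zone, to-zone, name) -> {field: value}

    for t in parse_set_lines(text):
        if t[:4] == ["forwarding-options", "helpers", "bootp", "server"]:
            servers.add(t[4])
        elif t[:4] == ["forwarding-options", "helpers", "bootp", "interface"]:
            relay_ifaces.add(t[4].split(".")[0])          # physical interface name
        elif t[:3] == ["security", "zones", "security-zone"]:
            zone, rest = t[3], t[4:]
            if rest[:1] == ["interfaces"]:
                zone_of_iface[rest[1]] = zone
                if rest[2:] == ["host-inbound-traffic", "system-services", "dhcp"]:
                    dhcp_allowed.add((zone, rest[1]))     # interface-level setting
            elif rest[:3] == ["host-inbound-traffic", "system-services", "dhcp"]:
                dhcp_allowed.add((zone, "*"))             # zone-wide setting
            elif rest[:2] == ["address-book", "address"]:
                addr_book[(zone, rest[2])] = rest[3]
        elif len(t) >= 10 and t[:3] == ["security", "policies", "from-zone"]:
            key = (t[3], t[5], t[7])
            if t[8] == "match":
                policies[key][t[9]] = t[10]
            elif t[8] == "then":
                policies[key]["action"] = t[9]

    findings = []
    if not servers:
        findings.append("no 'helpers bootp server' configured")
    for iface in sorted(relay_ifaces):
        zone = zone_of_iface.get(iface)
        if zone is None:
            findings.append(f"relay interface {iface} is not in any security zone")
        elif (zone, iface) not in dhcp_allowed and (zone, "*") not in dhcp_allowed:
            findings.append(f"{iface} in zone {zone} does not allow host-inbound dhcp")
    server_zones = {zone for (zone, _name), ip in addr_book.items() if ip in servers}
    if servers and not server_zones:
        findings.append("no address-book entry matches the DHCP server address")
    # A permit policy leaving the server's zone should match the server only;
    # a source of 'any' opens the zone wider than the reply path needs.
    for (frm, to, name), pol in policies.items():
        if frm in server_zones and pol.get("action") == "permit":
            src = pol.get("source-address", "any")
            if addr_book.get((frm, src)) not in servers:
                findings.append(f"policy {name} ({frm}->{to}) permits source '{src}', not only the DHCP server")
    return findings


if __name__ == "__main__":
    for finding in audit_dhcp_relay(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against the output of "show configuration | display set" saved to a file and it reports nothing for the configuration above; loosen the DHCP-reply policy to source-address any, or drop the host-inbound-traffic line for the relay interface, and the corresponding check fires.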

Tuesday, August 6, 2013

trunks between Juniper EX switch, SRX and Cisco switch

In a mixed layer 2 network, trunks between Juniper and Cisco are always a headache; here are some tips to solve the problem:

1. set the vlan-id for the default vlan
set vlans default vlan-id 1

2. set vlans default l3-interface vlan.0
eg:
vlans {
    VLAN23 {
        vlan-id 23;
        l3-interface vlan.23;
    }
    default {
        vlan-id 1;
        l3-interface vlan.0;
    }
}

3. configure the trunk port with native-vlan-id 1, matching the default vlan:
    unit 0 {
        family ethernet-switching {
            port-mode trunk;
            vlan {
                members all;
            }
            native-vlan-id 1;
        }
    }

4. add the vlan interfaces to a security zone, otherwise you can't ping the other side.

5. set an ip address for each vlan interface unit:
  vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/32;
            }
        }
        unit 23 {
            family inet {
                address 10.0.1.1/24;
            }
        }
  }
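As an added example (not from the original post, and not a Juniper tool), here is a hypothetical Python checker for the pitfalls in steps 1 to 5: it parses the brace-style configuration shown above and reports every routed VLAN interface that has no inet address or is missing from a security zone, and every trunk port whose native-vlan-id differs from the default vlan-id. The sample configuration is constructed from the post's snippets; the trunk interface name ge-0/0/0 and the zone name trust are assumed.

```python
"""Check a brace-style Junos config for the trunk/VLAN pitfalls listed above.
Added example, not from the original post; the sample is constructed from the
post's snippets plus an assumed trunk interface (ge-0/0/0) and zone (trust)."""

SAMPLE_CONFIG = """
vlans {
    VLAN23 {
        vlan-id 23;
        l3-interface vlan.23;
    }
    default {
        vlan-id 1;
        l3-interface vlan.0;
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members all;
                }
                native-vlan-id 1;
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/32;
            }
        }
        unit 23 {
            family inet {
                address 10.0.1.1/24;
            }
        }
    }
}
security {
    zones {
        security-zone trust {
            interfaces {
                vlan.23;
            }
        }
    }
}
"""


def parse_junos(text):
    """Parse brace-style config: stanza -> dict, leaf statement -> list of values."""
    root, stack = {}, []
    node = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):                 # open a nested stanza
            child = {}
            node[line[:-1].strip()] = child
            stack.append(node)
            node = child
        elif line == "}":                      # close it
            node = stack.pop()
        elif line.endswith(";"):               # leaf: "keyword [value]"
            parts = line[:-1].split(None, 1)
            node.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else None)
        else:
            raise ValueError(f"cannot parse: {raw!r}")
    return root


def check_trunk_config(text):
    """Return findings for the post's steps 1-5; an empty list means all clear."""
    cfg = parse_junos(text)
    findings = []
    vlans = cfg.get("vlans", {})
    default_id = vlans.get("default", {}).get("vlan-id", [None])[0]
    # routed interface -> VLAN name, for every VLAN that has an l3-interface
    l3 = {s["l3-interface"][0]: n for n, s in vlans.items() if "l3-interface" in s}
    vlan_units = cfg.get("interfaces", {}).get("vlan", {})
    zoned = {i for z in cfg.get("security", {}).get("zones", {}).values()
             for i in z.get("interfaces", {})}
    for iface, vname in sorted(l3.items()):
        unit = iface.split(".")[1]
        if not vlan_units.get(f"unit {unit}", {}).get("family inet", {}).get("address"):
            findings.append(f"{iface} (VLAN {vname}) has no inet address (step 5)")
        if iface not in zoned:
            findings.append(f"{iface} (VLAN {vname}) is not in any security zone (step 4)")
    # untagged frames must map to the same VLAN on both ends of the trunk
    for ifname, units in cfg.get("interfaces", {}).items():
        for uname, unit in units.items():
            es = unit.get("family ethernet-switching", {}) if isinstance(unit, dict) else {}
            if es.get("port-mode", [None])[0] != "trunk":
                continue
            native = es.get("native-vlan-id", [None])[0]
            if native != default_id:
                findings.append(f"{ifname} {uname}: native-vlan-id {native} != default vlan-id {default_id} (steps 1-3)")
    return findings
```

On the sample above the only finding is that vlan.0 (the default VLAN's routed interface) is not in any security zone, which is exactly the step 4 mistake that leaves the other side unreachable; adding vlan.0 to the zone clears it. The parser covers the display format the post uses, so the same check can be run on the output of "show configuration" from the EX or SRX.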

How to use Telus Actionec T3200M as a wireless Access point

when you install Telus Internet, they will offer you a modem + router + wireless device Actionec T3200M, a lot of users still want to use th...