For the last couple of years we've had two ISPs on premises: one (XS4ALL) for basic Internet access via VDSL, and one for our (VoIP) phone service, provided by Ziggo.
The Ziggo phone service includes free (and ultra-lite) Internet access through their cable modem. It's ultra-lite because it's only 256kbps: more than enough for VoIP, but nowhere near enough for modern basic Internet access.
Create a Juniper SRX ca-profile For Unified Access Control
When you have a registered Juniper UAC / IC appliance, you have the option to download a VMware version of the system. This is called a DTE appliance (Development and Test Environment). With it you have a full-blown UAC at your disposal for testing and development. The only downside is that it's limited to 5 connected users. Apart from that, it's just like the real deal.
Juniper SRX Apply-groups
A while back I wrote a blog post about enabling global logging on security rules. This week I applied the same technique to enable ping on all zones for testing / troubleshooting purposes.
Instead of adding ping as a host-inbound-traffic system-service to every zone, which means some configuring if you have more than a couple, you can solve this by adding just 3 (three) lines of config to the firewall.
Configure Application Firewalling On A Juniper SRX
Juniper entered the realm of application firewalling with the release of Junos 11.4 (for SRX platforms). It's a realm mainly dominated by Palo Alto (they basically invented it) and Check Point, but more and more vendors are starting to move in on that territory.
And Juniper is one of those vendors that started to implement Application Firewalling (AppFW) on their (SRX) firewalls.
Juniper SRX With DNS Proxy Service Enabled
Since the release of Junos 12.1X44-D10 for branch SRX firewalls, Juniper has offered a feature called DNS proxy. This feature turns the Junos device into a caching DNS server with several additional options. One of those options is to define a Fully Qualified Domain Name (FQDN) with an IP address, which, for clients that use the SRX as their resolver, overrides the entry (if one exists) in the 'official' DNS system on the Internet.
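What that looks like on a branch SRX, as an added example rather than the post's own configuration: the proxy listens on the inside interface, forwards everything it cannot answer to an upstream resolver, and serves one static answer for a name we want to override. The interface name ge-0/0/1.0, the zone name, the resolver address and the hostname are assumed for illustration (documentation ranges, not real addresses).

```junos
system {
    services {
        dns {
            dns-proxy {
                # Accept DNS queries on the inside interface only (assumed name).
                interface {
                    ge-0/0/1.0;
                }
                # Anything not answered locally is forwarded here; 192.0.2.53 is a
                # documentation address standing in for the ISP's resolver.
                default-domain * {
                    forwarders {
                        192.0.2.53;
                    }
                }
                # Static entry: clients asking for this name get the internal
                # address, whatever the public DNS says about it.
                cache {
                    intranet.example.com inet 10.0.0.5;
                }
            }
        }
    }
}
security {
    zones {
        security-zone trust {
            interfaces {
                ge-0/0/1.0 {
                    # Without this the SRX drops queries addressed to itself.
                    host-inbound-traffic {
                        system-services {
                            dns;
                        }
                    }
                }
            }
        }
    }
}
```

Two things to keep in mind: the override only affects clients that actually point at the SRX as their resolver, so it is a convenience (or a local sinkhole), not a control; and `dns` under host-inbound-traffic should be enabled only on internal zones, never on the Internet-facing one, otherwise the box becomes an open resolver.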
Public DMZ Access From Within The Network
This post describes how to handle traffic that originates on the inside of the firewall but is addressed to the external interface's IP address, and how to redirect it to a server in a different internal zone.
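An added example (not the post's own configuration) of what that redirection looks like on an SRX: destination NAT on the public address for sessions coming from the trust zone, plus the security policy that must permit the translated flow. The zone names trust and dmz, the public address 203.0.113.10 and the DMZ web server 10.0.2.10 are assumed for illustration.

```junos
security {
    nat {
        destination {
            # The real server behind the public address (assumed).
            pool dmz-web {
                address 10.0.2.10/32 port 80;
            }
            # Only sessions arriving from the trust zone are rewritten; the
            # untrust zone keeps its own (ordinary inbound) rule-set.
            rule-set trust-to-public {
                from zone trust;
                rule web-from-inside {
                    match {
                        destination-address 203.0.113.10/32;
                        destination-port 80;
                    }
                    then {
                        destination-nat {
                            pool {
                                dmz-web;
                            }
                        }
                    }
                }
            }
        }
    }
    policies {
        # Policy lookup happens after destination NAT, so the policy is
        # trust -> dmz and matches the translated (real) server address.
        from-zone trust to-zone dmz {
            policy inside-to-dmz-web {
                match {
                    source-address any;
                    destination-address dmz-web-server;
                    application junos-http;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
    }
    zones {
        security-zone dmz {
            address-book {
                address dmz-web-server 10.0.2.10/32;
            }
        }
    }
}
```

Because client and server sit in different zones, the server's reply is routed back through the SRX anyway and no source NAT is needed. If both were in the same zone you would also have to source-NAT the client behind the firewall, otherwise the server answers the client directly and the session breaks. `show security nat destination rule all` and `show security flow session destination-prefix 203.0.113.10` show whether the rule is hit and the session translated.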
First a network overview of the things used in this setup.
Filter / Block IP Addresses On A Juniper SRX
While exploring the configuration options on the Juniper SRX firewall, I stumbled upon the so-called firewall filters. These filters are not to be mistaken for the firewall policy rules. They are something different, but can be used for achieving similar goals.
In my case, I wanted to see if it was possible to quickly block a list of IP addresses (or subnets) without the hassle of creating address book entries (address sets). My list of IP addresses consists of known hosts that participate in the criminal ZeuS botnet. These IP addresses are either Command & Control servers or servers that (captured) data is uploaded to. In any case, servers you don't want to communicate with.
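Here is what such a filter looks like, written out as an added example rather than the post's own configuration. The addresses are documentation ranges standing in for real ZeuS hosts, and fe-0/0/0 is the outgoing interface the post uses; one filter serves both directions, so it is applied as input and output.

```junos
policy-options {
    # Keep the block list in a prefix-list so the filter stays readable
    # and the list can be updated without touching the terms.
    prefix-list zeus-hosts {
        192.0.2.10/32;
        192.0.2.44/32;
        198.51.100.0/24;
    }
}
firewall {
    family inet {
        filter block-zeus {
            # Outbound: anything on the inside trying to reach a listed host.
            term drop-to-zeus {
                from {
                    destination-prefix-list {
                        zeus-hosts;
                    }
                }
                then {
                    count zeus-out;
                    syslog;
                    discard;
                }
            }
            # Inbound: anything a listed host sends to us.
            term drop-from-zeus {
                from {
                    source-prefix-list {
                        zeus-hosts;
                    }
                }
                then {
                    count zeus-in;
                    syslog;
                    discard;
                }
            }
            # A Junos filter ends in an implicit discard. Without this term
            # the interface would silently drop all other traffic.
            term allow-everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    fe-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input block-zeus;
                    output block-zeus;
                }
            }
        }
    }
}
```

Two caveats: the filter is stateless and runs before the flow module, so blocked packets never show up in security policy logs; look at `show firewall filter block-zeus` for the counters and at the syslog entries instead. And the `allow-everything-else` term is not optional: commit the filter without it and you have cut yourself off from the Internet.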
The solution on the SRX is to create a firewall filter containing the list of hosts / networks. The filter, in my case, is applied to the outgoing interface (fe-0/0/0).
Enable Global (Security) Logging On SRX Policies
Normally, one would enable logging on each security policy. If you have hundreds of policies and you want/need logging for troubleshooting, it takes a while (and some serious effort) to enable this for all of them.
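Both this post and the apply-groups post above use the same mechanism: a configuration group whose hierarchy contains the `<*>` wildcard, so every existing and future zone (or policy) inherits the setting. As an added example, not the posts' own configuration, here are the two groups side by side, with assumed group names.

```junos
groups {
    # <*> matches every security-zone name, so each zone inherits ping
    # under host-inbound-traffic without being listed explicitly.
    ping-all-zones {
        security {
            zones {
                security-zone <*> {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                    }
                }
            }
        }
    }
    # Same trick one level deeper: every policy in every zone pair
    # inherits session logging.
    log-all-policies {
        security {
            policies {
                from-zone <*> to-zone <*> {
                    policy <*> {
                        then {
                            log {
                                session-init;
                                session-close;
                            }
                        }
                    }
                }
            }
        }
    }
}
# Nothing is inherited until the group is applied.
apply-groups [ ping-all-zones log-all-policies ];
```

In set form the ping group really is three lines: `set groups ping-all-zones security zones security-zone <*> host-inbound-traffic system-services ping`, `set apply-groups ping-all-zones`, `commit`. Inherited statements do not appear in `show configuration`; use `show configuration | display inheritance` to see what a zone or policy actually ends up with. Remember that `ping-all-zones` also enables ping on the untrust zone, so treat it as a troubleshooting aid and `delete apply-groups ping-all-zones` when you are done.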
Ziggo Internet, Juniper Firewalls and DHCP
At home I currently have two ISPs delivering broadband. Well, broadband isn't the correct word, since one of them is only a mere 256kbps (I think). The other is a 'whopping' 20Mbps.
The 20Mb connection is provided by XS4ALL, and the 256kbps comes for free if you have a phone subscription with Ziggo. The 256kbps is the minimum they provide to transport the phone calls, but if you're a masochist you can also browse the Internet over that connection.
So, two ISPs at home. Combine that with a Juniper SRX firewall, and a dual-ISP setup is born. The theory of that setup is that I connect both ISPs to the firewall and use the 20Mb line as the default Internet connection, but when that one dies, I automatically get switched to the backup line (256kbps).
Junos Pulse, Apple iOS, and Split-Tunneling
When you create (SSL) VPN access for your employees, you might enable split-tunneling to save corporate bandwidth. Without split-tunneling, all traffic is forwarded into the VPN tunnel. So if you browse the Internet with an active VPN, the traffic goes through the tunnel and reaches the Internet through the corporate Internet connection. This isn't a big problem with a couple of employees, but with hundreds on the road or working from home, it might frustrate the employees in the building. The trade-off is that with split-tunneling the client's Internet traffic no longer passes the corporate egress controls, so it is a bandwidth-versus-inspection decision rather than a free win.