After upgrading Juniper SRX (branch versions) from 11.x to 12.x, IDP gets stuck in a very weird state. It will start detecting false positives as well as fail when updating.
To fix (for clusters):
configure
set system processes idp-policy disable
deactivate security idp
commit and-quit
Then remove the IDP directories (running "request security idp storage-cleanup" will NOT fix the issue, you need to force-remove the old files and stuck policies in there):
start shell
cd /var/db/idpd
rm -r *
exit
Repeat the commands on the secondary node:
request routing-engine login node 1
cd /var/db/idpd
rm -r *
exit
Check cluster status to make sure the redundancy groups are all on one node:
>show chassis cluster status
Cluster ID: 1
Node Priority Status Preempt Manual failover
Redundancy group: 0 , Failover count: 1
node0 100 primary no no
node1 1 secondary no no
Redundancy group: 1 , Failover count: 1
node0 100 primary no no
node1 1 secondary no no
Reboot the secondary node:
request system reboot node 1
Go get coffee while it comes back up... (keep checking the cluster status until node 1 shows "secondary" and not "lost").
After its back, failover to the secondary node:
request chassis cluster failover redundancy-group 1 node 1
request chassis cluster failover redundancy-group 0 node 1
Reconnect if you are SSH'ing into the device for management and check cluster status.
Once node 1 shows primary on both redundancy groups, reboot node 0.
request system reboot node 0
Go to the restroom while you wait for it to come back online... (keep checking the cluster status until node 0 shows "secondary" and not "lost").
Once they are both up and in their primary/secondary states, reset the failover.
request chassis cluster failover reset redundancy-group 1
request chassis cluster failover reset redundancy-group 0
Configure to reenable IDP:
configure
delete system process idp-policy disable
commit and-quit
At this point, sometimes the update will fail. You can either reboot the nodes AGAIN doing another failover or try issuing "request security idp storage-cleanup downloaded-files".
Download the full IDP update: request security idp security-package download full-update
Check the status when its finished.
If it DID NOT sync ok, you will have to manually copy over the files to the secondary node and move them to the right directory:
start shell
rcp -T -r /var/tmp/sec-download/* node1:/var/db/idpd/sec-download/
mv /var/tmp/sec-download/* /var/db/idpd/sec-download
Install/update IDP: request security idp security-package install
Check the status. When its done, it should look something like:
request security idp security-package install status
node0:
--------------------------------------------------------------------------
Done;Attack DB update : successful - [UpdateNumber=2415,ExportDate=Wed Sep 3 18:26:00 2014 UTC,Detector=12.6.160140626]
Updating control-plane with new detector : successful
Updating data-plane with new attack or detector : not performed
due to no active policy configured.
node1:
--------------------------------------------------------------------------
Done;Attack DB update : successful - [UpdateNumber=2415,ExportDate=Wed Sep 3 18:26:00 2014 UTC,Detector=12.6.160140626]
Updating control-plane with new detector : successful
Updating data-plane with new attack or detector : not performed
due to no active policy configured.
If you use policy templates, then make to rerun the download and install the templates: request security idp security-package install policy-templates
Re-Enable IDP:
configure
activate security idp
commit and-quit
And verify its running:
show security idp policy-commit-status
show security idp status
Thursday, September 4, 2014
Tuesday, April 8, 2014
Fixing Juniper SRX VPN Issues for "KMD_INTERNAL_ERROR: Error:File exists in adding SA config for tunnel id xxxxxx spi 0"
If you have funky issues where your tunnels refuse to connect and a "show security ike security-associations" is showing DOWN with a responder cookie of 0000000000000000, check your kmd log.
If you see any entries with this obscure message: "KMD_INTERNAL_ERROR: Error:File exists in adding SA config for tunnel id 666666 spi 0" then read on...
To fix this issue, you have two options:
1) Reboot (if its in a cluster, reboot them both simultaneously) or
2) Edit the config:
Completely remove the dead/broken st0.xxx interfaces out of the config (including all references to it in the SECURITY IKE, IPSEC, and ZONES sections).
Do a "commit full", wait for it to finish.
Then rollback the config to before you removed the interfaces (in config mode, its "rollback 1").
Afterwards the VPN tunnels will miraculously come back to life on these horribly buggy firewalls.
Friday, November 22, 2013
Juniper SRX Dual-ISP w/redundant VPNs by Example
Preface: I created this for the poor souls out there who purchased a Juniper SRX and realized how utterly complicated and how miserable the documentation is for configuring these firewalls. I would never recommend purchasing these... there are easier and far more stable firewalls out there that can do the same thing as these horrible devices. Now for those who are stuck with them and need a quick guide on how to get these muther's working, read on.
Please be aware that I whipped this rather quick, so I'm sure there are some errors here and there. I'll update it as necessary. Also, if there are better ways to configure this or more optimized methods, please don't hesitate to comment!
Moving on.. here's a summary of each site:
Site A: 2x SRX 220's running in a cluster with a dual-ISP setup. It is also running an SMTP server that is accessible on both the primary and secondary ISP's. It has IP-Monitoring so if the primary or backup ISP goes down, traffic is rerouted automatically.
Site B: A single SRX w/IDP running.
Between the sites, VPN connections are setup over every ISP. OSPF is running for redundancy and to take care of all the static routes. All SRX's are running 11.4 or later.
Configs
Please be aware that I whipped this rather quick, so I'm sure there are some errors here and there. I'll update it as necessary. Also, if there are better ways to configure this or more optimized methods, please don't hesitate to comment!
Moving on.. here's a summary of each site:
Site A: 2x SRX 220's running in a cluster with a dual-ISP setup. It is also running an SMTP server that is accessible on both the primary and secondary ISP's. It has IP-Monitoring so if the primary or backup ISP goes down, traffic is rerouted automatically.
Site B: A single SRX w/IDP running.
Between the sites, VPN connections are setup over every ISP. OSPF is running for redundancy and to take care of all the static routes. All SRX's are running 11.4 or later.
Configs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| set version 11.4R9.4 | |
| set groups node0 system host-name siteA-node0 | |
| set groups node0 interfaces fxp0 unit 0 family inet | |
| set groups node1 system host-name siteA-node1 | |
| set groups node1 interfaces fxp0 unit 0 family inet | |
| set apply-groups "${node}" | |
| set system domain-name mydomain.com | |
| set system time-zone PST8PDT | |
| set system no-redirects | |
| set system root-authentication encrypted-password "Password" | |
| set system name-server 192.168.1.10 | |
| set system services ssh root-login allow | |
| set system services ssh protocol-version v2 | |
| set system services web-management http interface reth0.0 | |
| set system services web-management https system-generated-certificate | |
| set system services web-management https interface reth1.0 | |
| set system services web-management https interface reth2.0 | |
| set system syslog archive size 100k | |
| set system syslog archive files 3 | |
| set system syslog user * any emergency | |
| set system syslog file messages any warning | |
| set system syslog file messages authorization info | |
| set system syslog file interactive-commands interactive-commands error | |
| set system max-configurations-on-flash 5 | |
| set system max-configuration-rollbacks 5 | |
| set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval | |
| # Disable UTM permanently if you are not using it to save memory | |
| set system processes utmd disable | |
| set system ntp server 10.10.0.1 | |
| set chassis cluster reth-count 3 | |
| set chassis cluster redundancy-group 0 node 0 priority 100 | |
| set chassis cluster redundancy-group 0 node 1 priority 1 | |
| set chassis cluster redundancy-group 1 node 0 priority 100 | |
| set chassis cluster redundancy-group 1 node 1 priority 1 | |
| set chassis cluster redundancy-group 1 interface-monitor ge-0/0/0 weight 255 | |
| set chassis cluster redundancy-group 1 interface-monitor ge-0/0/1 weight 255 | |
| set chassis cluster redundancy-group 1 interface-monitor ge-0/0/2 weight 255 | |
| set chassis cluster redundancy-group 1 interface-monitor ge-3/0/0 weight 255 | |
| set chassis cluster redundancy-group 1 interface-monitor ge-3/0/1 weight 255 | |
| set chassis cluster redundancy-group 1 interface-monitor ge-3/0/2 weight 255 | |
| set interfaces ge-0/0/0 gigether-options redundant-parent reth0 | |
| set interfaces ge-0/0/1 gigether-options redundant-parent reth1 | |
| set interfaces ge-0/0/2 gigether-options redundant-parent reth2 | |
| set interfaces ge-3/0/0 gigether-options redundant-parent reth0 | |
| set interfaces ge-3/0/1 gigether-options redundant-parent reth1 | |
| set interfaces ge-3/0/2 gigether-options redundant-parent reth2 | |
| set interfaces fab0 fabric-options member-interfaces ge-0/0/5 | |
| set interfaces fab1 fabric-options member-interfaces ge-3/0/5 | |
| # Set the lo0 with an unused dummy IP that is not on your network | |
| set interfaces lo0 unit 0 family inet address 172.16.172.181/32 | |
| set interfaces reth0 redundant-ether-options redundancy-group 1 | |
| set interfaces reth0 unit 0 description LAN | |
| set interfaces reth0 unit 0 family inet mtu 1500 | |
| set interfaces reth0 unit 0 family inet filter input LAN-IN-FILTER | |
| set interfaces reth0 unit 0 family inet address 10.10.0.2/30 | |
| set interfaces reth1 redundant-ether-options redundancy-group 1 | |
| set interfaces reth1 unit 0 description ISP1 | |
| set interfaces reth1 unit 0 family inet mtu 1500 | |
| set interfaces reth1 unit 0 family inet filter input ISP1-IN-FILTER | |
| set interfaces reth1 unit 0 family inet address 66.66.66.66/28 | |
| set interfaces reth2 redundant-ether-options redundancy-group 1 | |
| set interfaces reth2 unit 0 description ISP2 | |
| set interfaces reth2 unit 0 family inet mtu 1500 | |
| set interfaces reth2 unit 0 family inet filter input ISP2-IN-FILTER | |
| set interfaces reth2 unit 0 family inet address 77.77.77.77/28 | |
| set interfaces st0 unit 0 description VPN-SITEB-ISP1 | |
| set interfaces st0 unit 0 family inet mtu 1350 | |
| set interfaces st0 unit 0 family inet address 10.0.0.1/30 | |
| set interfaces st0 unit 1 description VPN-SITEB-ISP2 | |
| set interfaces st0 unit 1 family inet mtu 1350 | |
| set interfaces st0 unit 1 family inet address 10.0.0.5/30 | |
| set snmp location SITEA | |
| set snmp community public authorization read-only | |
| # Only allow host 10.10.10.10 to access SNMP | |
| set snmp community public clients 10.10.10.10/32 | |
| set routing-options interface-routes rib-group inet inside | |
| # Set the virtual-router ISP1 as the default route out | |
| set routing-options static route 0.0.0.0/0 next-table ISP1.inet.0 | |
| # I do not think you need the next line anymore with 11.4 but I put it in just for kicks on how confusing this setup is | |
| set routing-options static route 88.88.88.88/32 next-hop 172.16.172.181 | |
| set routing-options static route 10.10.10.0/24 next-hop 10.10.0.1 | |
| set routing-options static route 10.10.11.0/24 next-hop 10.10.0.1 | |
| # rib-groups basically import and export routing tables from other instances | |
| set routing-options rib-groups inside import-rib inet.0 | |
| set routing-options rib-groups inside import-rib TRUST-VRF.inet.0 | |
| set routing-options rib-groups inside import-rib ISP1.inet.0 | |
| set routing-options rib-groups inside import-rib ISP2.inet.0 | |
| # This is only for comestics which sets the OSPF router ID | |
| set routing-options router-id 10.10.0.2 | |
| # This is for adding more routes via OSPF, not necessary if your internal router supports OSPF | |
| set protocols ospf export Export-Local-Nets | |
| # Now lets create a simple OSPF area for the VPNs and routing between sites so we dont have massive static routes to babysit | |
| set protocols ospf area 0.0.0.0 interface st0.0 metric 150 | |
| # Notice how this interface is a higher metric than st0.0. We dont want VPN traffic going over st0.1 unless st0.0 is down | |
| set protocols ospf area 0.0.0.0 interface st0.1 metric 160 | |
| # If you don't have OSPF on your internal router add the word passive at the end of the next line | |
| set protocols ospf area 0.0.0.0 interface reth0.0 | |
| # I dont use spamming-tree so its disabled | |
| set protocols stp disable | |
| # This is just an example of hosts that get dropped with my firewall interface filter | |
| set policy-options prefix-list blocked-access 111.111.111.111/32 | |
| set policy-options prefix-list blocked-access 222.222.222.222/32 | |
| # This list is for hosts I want to give ssh and https access so they can manage this firewall remotely | |
| set policy-options prefix-list mgmnt-access 55.55.55.55/24 | |
| set policy-options prefix-list mgmnt-access 55.55.55.44/32 | |
| # If you do not have OSPF on your internal router then add the lines below if you have internal routes that dont hit the firewall | |
| # From my static routes above in the routing-options section, Im adding my 2 internal subnets | |
| set policy-options policy-statement Export-Local-Nets term 1 from protocol static | |
| set policy-options policy-statement Export-Local-Nets term 1 from protocol direct | |
| set policy-options policy-statement Export-Local-Nets term 1 from route-filter 10.10.10.0/24 exact | |
| set policy-options policy-statement Export-Local-Nets term 1 from route-filter 10.10.11.0/24 exact | |
| set policy-options policy-statement Export-Local-Nets term 1 then accept | |
| # Below is the VPN settings | |
| set security ike proposal SHA1-PSK-DH2-AES128 authentication-method pre-shared-keys | |
| set security ike proposal SHA1-PSK-DH2-AES128 dh-group group2 | |
| set security ike proposal SHA1-PSK-DH2-AES128 authentication-algorithm sha1 | |
| set security ike proposal SHA1-PSK-DH2-AES128 encryption-algorithm aes-128-cbc | |
| set security ike proposal SHA1-PSK-DH2-AES128 lifetime-seconds 86400 | |
| set security ike policy PSK-IKE-Policy mode main | |
| set security ike policy PSK-IKE-Policy proposals SHA1-PRE-AES128 | |
| set security ike policy PSK-IKE-Policy pre-shared-key ascii-text "PreSharedKey" | |
| # OK so this gets funky | |
| # For DUAL-ISPs you need to add the local and remote identities on both sides of the VPN | |
| # Also there is a bug with Juniper and ike v1's dead peer detection so use version v2 which has | |
| # it in there by default and does not have this bug. You can still use v1 but you get weird | |
| # errors in the logs like "Notification payload contains invalid protocol id" | |
| set security ike gateway SITEB-GW-ISP1 ike-policy PSK-IKE-Policy | |
| set security ike gateway SITEB-GW-ISP1 address 88.88.88.88 | |
| set security ike gateway SITEB-GW-ISP1 local-identity inet 10.0.0.1 | |
| set security ike gateway SITEB-GW-ISP1 remote-identity inet 10.0.0.2 | |
| set security ike gateway SITEB-GW-ISP1 external-interface reth1.0 | |
| set security ike gateway SITEB-GW-ISP1 version v2-only | |
| set security ike gateway SITEB-GW-ISP2 ike-policy PSK-IKE-Policy | |
| set security ike gateway SITEB-GW-ISP2 address 88.88.88.88 | |
| set security ike gateway SITEB-GW-ISP2 local-identity inet 10.0.0.5 | |
| set security ike gateway SITEB-GW-ISP2 remote-identity inet 10.0.0.6 | |
| set security ike gateway SITEB-GW-ISP2 external-interface reth2.0 | |
| set security ike gateway SITEB-GW-ISP2 version v2-only | |
| set security ipsec proposal SHA1-AES128-ESP protocol esp | |
| set security ipsec proposal SHA1-AES128-ESP authentication-algorithm hmac-sha1-96 | |
| set security ipsec proposal SHA1-AES128-ESP encryption-algorithm aes-128-cbc | |
| set security ipsec proposal SHA1-AES128-ESP lifetime-seconds 3600 | |
| set security ipsec policy IPSEC-PFS2-Policy perfect-forward-secrecy keys group2 | |
| set security ipsec policy IPSEC-PFS2-Policy proposals SHA1-AES128-ESP | |
| set security ipsec vpn SITEB-VPN-ISP1 bind-interface st0.0 | |
| set security ipsec vpn SITEB-VPN-ISP1 ike gateway SITEB-GW-ISP1 | |
| set security ipsec vpn SITEB-VPN-ISP1 ike ipsec-policy IPSEC-PFS2-Policy | |
| set security ipsec vpn SITEB-VPN-ISP2 bind-interface st0.1 | |
| set security ipsec vpn SITEB-VPN-ISP2 ike gateway SITEB-GW-ISP2 | |
| set security ipsec vpn SITEB-VPN-ISP2 ike ipsec-policy IPSEC-PFS2-Policy | |
| # Address book entries. I put them all in global to make life easy. | |
| set security address-book global address LAN_SMTP_SERVER 10.10.10.250/32 | |
| # All my inside subnets | |
| set security address-book global address NET_LOOPBACK 172.16.172.181/32 | |
| set security address-book global address NET_LAN10 10.10.10.0/24 | |
| set security address-book global address NET_LAN11 10.10.11.0/24 | |
| set security address-book global address NET_LAN1 10.10.0.0/30 | |
| # Group them up | |
| set security address-book global address-set NET_LOCAL address NET_LOOPBACK | |
| set security address-book global address-set NET_LOCAL address NET_LAN10 | |
| set security address-book global address-set NET_LOCAL address NET_LAN11 | |
| set security address-book global address-set NET_LOCAL address NET_LAN1 | |
| # Algs are mostly broken so disable them to avoid headaches | |
| set security alg dns disable | |
| # If you want to keep DNS then add the entry below | |
| set security alg dns maximum-message-length 8192 | |
| set security alg dns doctoring none | |
| set security alg mgcp disable | |
| set security alg msrpc disable | |
| set security alg sunrpc disable | |
| set security alg sql disable | |
| set security flow allow-dns-reply | |
| # Below is only needed for certain DSL connections to fix web site loading | |
| # For example, if yahoo.com doesnt load correctly add the line below | |
| set security flow tcp-mss all-tcp mss 1350 | |
| # Add the line below for your VPN connections -- fixes fragmentation problems | |
| set security flow tcp-mss ipsec-vpn mss 1350 | |
| # This screen stuff is just all default -- keep or tweak at your own discretion | |
| set security screen ids-option untrust-screen icmp ping-death | |
| set security screen ids-option untrust-screen ip source-route-option | |
| set security screen ids-option untrust-screen ip tear-drop | |
| set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024 | |
| set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200 | |
| set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024 | |
| set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048 | |
| set security screen ids-option untrust-screen tcp syn-flood timeout 20 | |
| set security screen ids-option untrust-screen tcp land | |
| # This is the source NAT (outgoing) setup for both ISPs. | |
| # For examples sake Im using a different IP for the primary ISP | |
| # and just the same IP as the interface for the secondary ISP | |
| set security nat source pool SNAT-ISP1-67 address 66.66.66.67/32 | |
| set security nat source rule-set SNAT-ISP1 from routing-instance default | |
| set security nat source rule-set SNAT-ISP1 to routing-instance ISP1 | |
| # I'm adding my address book entry "NET_LOCAL" just to be anal | |
| # you can use "source-address 0.0.0.0/0" just as well | |
| set security nat source rule-set SNAT-ISP1 rule SNAT-POOL-ISP1-67 match source-address-name NET_LOCAL | |
| set security nat source rule-set SNAT-ISP1 rule SNAT-POOL-ISP1-67 match destination-address 0.0.0.0/0 | |
| set security nat source rule-set SNAT-ISP1 rule SNAT-POOL-ISP1-67 then source-nat pool SNAT-ISP1-67 | |
| # Now to add ISP2 in case ISP1 ever goes down | |
| set security nat source rule-set SNAT-ISP2 from routing-instance default | |
| set security nat source rule-set SNAT-ISP2 to routing-instance ISP2 | |
| set security nat source rule-set SNAT-ISP2 rule SNAT-INTERFACE-ISP2 match source-address-name NET_LOCAL | |
| set security nat source rule-set SNAT-ISP2 rule SNAT-INTERFACE-ISP2 match destination-address 0.0.0.0/0 | |
| set security nat source rule-set SNAT-ISP2 rule SNAT-INTERFACE-ISP2 then source-nat interface | |
| # This is the destination NAT (incoming) setup for the SMTP server | |
| set security nat destination pool DNAT_SMTP_SERVER address 10.10.10.250/32 | |
| set security nat destination rule-set ISP1-dnat from routing-instance ISP1 | |
| set security nat destination rule-set ISP1-dnat rule ISP1-to-SMTP_SERVER match source-address 0.0.0.0/0 | |
| set security nat destination rule-set ISP1-dnat rule ISP1-to-SMTP_SERVER match destination-address 66.66.66.68/32 | |
| set security nat destination rule-set ISP1-dnat rule ISP1-to-SMTP_SERVER then destination-nat pool DNAT_SMTP_SERVER | |
| set security nat destination rule-set ISP2-dnat from routing-instance ISP2 | |
| set security nat destination rule-set ISP2-dnat rule ISP2-to-SMTP_SERVER match source-address 0.0.0.0/0 | |
| set security nat destination rule-set ISP2-dnat rule ISP2-to-SMTP_SERVER match destination-address 77.77.77.79/32 | |
| set security nat destination rule-set ISP2-dnat rule ISP2-to-SMTP_SERVER then destination-nat pool DNAT_SMTP_SERVER | |
| # Add all external IPs that will be used here (not including the interface IPs) | |
| set security nat proxy-arp interface reth1.0 address 66.66.66.67/32 | |
| set security nat proxy-arp interface reth1.0 address 66.66.66.68/32 | |
| set security nat proxy-arp interface reth2.0 address 77.77.77.79/32 | |
| # Now this is where we define security ACLs | |
| # I like to block garbage traffic from going out | |
| set security policies from-zone LAN to-zone ISP1 policy Bad-Stuff match source-address any-ipv4 | |
| set security policies from-zone LAN to-zone ISP1 policy Bad-Stuff match destination-address any-ipv4 | |
| # Below is just an example of stuff to block | |
| # You can create your own at the end of the config or use "show configuration groups junos-defaults applications" to see the predefined ones | |
| set security policies from-zone LAN to-zone ISP1 policy Bad-Stuff match application junos-netbios-session | |
| set security policies from-zone LAN to-zone ISP1 policy Bad-Stuff match application junos-smb-session | |
| set security policies from-zone LAN to-zone ISP1 policy Bad-Stuff match application junos-nbname | |
| set security policies from-zone LAN to-zone ISP1 policy Bad-Stuff match application junos-nbds | |
| set security policies from-zone LAN to-zone ISP1 policy Bad-Stuff match application junos-cifs | |
| set security policies from-zone LAN to-zone ISP1 policy Bad-Stuff then deny | |
| set security policies from-zone LAN to-zone ISP1 policy LAN-to-ISP1 match source-address NET_LOCAL | |
| set security policies from-zone LAN to-zone ISP1 policy LAN-to-ISP1 match destination-address any-ipv4 | |
| set security policies from-zone LAN to-zone ISP1 policy LAN-to-ISP1 match application any | |
| set security policies from-zone LAN to-zone ISP1 policy LAN-to-ISP1 then permit | |
| # Copy the above for ISP2 | |
| set security policies from-zone LAN to-zone ISP2 policy Bad-Stuff match application junos-netbios-session | |
| set security policies from-zone LAN to-zone ISP2 policy Bad-Stuff match application junos-smb-session | |
| set security policies from-zone LAN to-zone ISP2 policy Bad-Stuff match application junos-nbname | |
| set security policies from-zone LAN to-zone ISP2 policy Bad-Stuff match application junos-nbds | |
| set security policies from-zone LAN to-zone ISP2 policy Bad-Stuff match application junos-cifs | |
| set security policies from-zone LAN to-zone ISP2 policy Bad-Stuff then deny | |
| set security policies from-zone LAN to-zone ISP2 policy LAN-to-ISP2 match source-address NET_LOCAL | |
| set security policies from-zone LAN to-zone ISP2 policy LAN-to-ISP2 match destination-address any-ipv4 | |
| set security policies from-zone LAN to-zone ISP2 policy LAN-to-ISP2 match application any | |
| set security policies from-zone LAN to-zone ISP2 policy LAN-to-ISP2 then permit | |
| # Allow LAN to LAN | |
| set security policies from-zone LAN to-zone LAN policy LAN-to-LAN match source-address any | |
| set security policies from-zone LAN to-zone LAN policy LAN-to-LAN match destination-address any | |
| set security policies from-zone LAN to-zone LAN policy LAN-to-LAN match application any | |
| set security policies from-zone LAN to-zone LAN policy LAN-to-LAN then permit | |
| # Allow Destination NAT traffic | |
| set security policies from-zone ISP1 to-zone LAN policy ISP1-dnat-SMTP_SERVER match source-address any-ipv4 | |
| set security policies from-zone ISP1 to-zone LAN policy ISP1-dnat-SMTP_SERVER match destination-address LAN_SMTP_SERVER | |
| # Notice how im using my own application called cust-smtp | |
| # Which will be explained at the end of the config | |
| set security policies from-zone ISP1 to-zone LAN policy ISP1-dnat-SMTP_SERVER match application cust-smtp | |
| set security policies from-zone ISP1 to-zone LAN policy ISP1-dnat-SMTP_SERVER then permit | |
| set security policies from-zone ISP2 to-zone LAN policy ISP2-dnat-SMTP_SERVER match source-address any-ipv4 | |
| set security policies from-zone ISP2 to-zone LAN policy ISP2-dnat-SMTP_SERVER match destination-address LAN_SMTP_SERVER | |
| set security policies from-zone ISP2 to-zone LAN policy ISP2-dnat-SMTP_SERVER match application cust-smtp | |
| set security policies from-zone ISP2 to-zone LAN policy ISP2-dnat-SMTP_SERVER then permit | |
| # Add allowed traffic to hit the firewall | |
| # Note: this isn't allowing traffic to pass through firewall, but rather actually hit the interfaces of the firewall | |
| set security zones security-zone LAN host-inbound-traffic system-services all | |
| set security zones security-zone LAN host-inbound-traffic protocols ospf | |
| # adding a custom entry here instead of the global one above for LAN because the loopback interface doesnt need ospf on it | |
| # You can do the same for the reth0.0 interface is you dont have an internal router using OSPF | |
| set security zones security-zone LAN interfaces lo0.0 host-inbound-traffic system-services all | |
| set security zones security-zone LAN interfaces reth0.0 | |
| set security zones security-zone LAN interfaces st0.0 | |
| set security zones security-zone LAN interfaces st0.1 | |
| # For the ISP zones, services will be limited | |
| set security zones security-zone ISP1 screen untrust-screen | |
| set security zones security-zone ISP1 interfaces reth1.0 host-inbound-traffic system-services ike | |
| set security zones security-zone ISP1 interfaces reth1.0 host-inbound-traffic system-services traceroute | |
| set security zones security-zone ISP1 interfaces reth1.0 host-inbound-traffic system-services ping | |
| set security zones security-zone ISP1 interfaces reth1.0 host-inbound-traffic system-services ssh | |
| set security zones security-zone ISP1 interfaces reth1.0 host-inbound-traffic system-services https | |
| set security zones security-zone ISP2 screen untrust-screen | |
| set security zones security-zone ISP2 interfaces reth2.0 host-inbound-traffic system-services ping | |
| set security zones security-zone ISP2 interfaces reth2.0 host-inbound-traffic system-services ike | |
| set security zones security-zone ISP2 interfaces reth2.0 host-inbound-traffic system-services traceroute | |
| set security zones security-zone ISP2 interfaces reth2.0 host-inbound-traffic system-services ssh | |
| set security zones security-zone ISP2 interfaces reth2.0 host-inbound-traffic system-services https | |
| # | |
| # Now these are the firewall interface filters. They are used before the policies. | |
| # | |
| # The LAN-IN-FILTER is an example only if you want a certain host or subnet to go out ISP2 instead of the default ISP1 | |
| # Here the computer at 10.10.10.100 will be using ISP2 by default. | |
| set firewall filter LAN-IN-FILTER term 1 from source-address 10.10.10.100/32 | |
| set firewall filter LAN-IN-FILTER term 1 from destination-address 0.0.0.0/0 | |
| set firewall filter LAN-IN-FILTER term 1 from destination-address 10.0.0.0/8 except | |
| set firewall filter LAN-IN-FILTER term 1 then routing-instance ISP2 | |
| set firewall filter LAN-IN-FILTER term 2 then accept | |
| # The ISP1 and ISP2-IN-FILTERs handle routing traffic coming back in from the virtual routers | |
| set firewall filter ISP1-IN-FILTER term 1 from source-prefix-list blocked-access | |
| set firewall filter ISP1-IN-FILTER term 1 then discard | |
| # Because ssh and https from the remote management networks needs to be accepted for it to work | |
| # This term will do that. Otherwise it gets re-routed and dropped. | |
| set firewall filter ISP1-IN-FILTER term 2 from source-prefix-list mgmnt-access | |
| set firewall filter ISP1-IN-FILTER term 2 from protocol tcp | |
| set firewall filter ISP1-IN-FILTER term 2 from destination-port 22 | |
| set firewall filter ISP1-IN-FILTER term 2 from destination-port 443 | |
| set firewall filter ISP1-IN-FILTER term 2 then accept | |
| # Here all other trafficon our ISP subnet gets rerouted to the default instance and checked for policies and NAT | |
| set firewall filter ISP1-IN-FILTER term 3 from destination-address 66.66.66.64/28 | |
| set firewall filter ISP1-IN-FILTER term 3 then routing-instance TRUST-VRF | |
| set firewall filter ISP1-IN-FILTER term 4 then accept | |
| # Rinse and repeat for ISP2 | |
| set firewall filter ISP2-IN-FILTER term 1 from source-prefix-list blocked-access | |
| set firewall filter ISP2-IN-FILTER term 1 then discard | |
| set firewall filter ISP2-IN-FILTER term 2 from source-prefix-list mgmnt-access | |
| set firewall filter ISP2-IN-FILTER term 2 from protocol tcp | |
| set firewall filter ISP2-IN-FILTER term 2 from destination-port 22 | |
| set firewall filter ISP2-IN-FILTER term 2 from destination-port 443 | |
| set firewall filter ISP2-IN-FILTER term 2 then accept | |
| set firewall filter ISP2-IN-FILTER term 3 from destination-address 77.77.77.74/28 | |
| set firewall filter ISP2-IN-FILTER term 3 then routing-instance TRUST-VRF | |
| set firewall filter ISP2-IN-FILTER term 4 then accept | |
| # Setup the virtual routers | |
| set routing-instances ISP1 instance-type virtual-router | |
| set routing-instances ISP1 interface reth1.0 | |
| set routing-instances ISP1 routing-options interface-routes rib-group inet inside | |
| set routing-instances ISP1 routing-options static route 0.0.0.0/0 next-hop 66.66.66.69 | |
| set routing-instances ISP2 instance-type virtual-router | |
| set routing-instances ISP2 interface reth2.0 | |
| set routing-instances ISP2 routing-options interface-routes rib-group inet inside | |
| set routing-instances ISP2 routing-options static route 0.0.0.0/0 next-hop 77.77.77.80 | |
| # Setup the forwarder | |
| set routing-instances TRUST-VRF instance-type forwarding | |
| # Add in any internal routes that are not connected directly to the firewall | |
| set routing-instances TRUST-VRF routing-options static route 10.10.10.0/24 next-hop 10.10.0.1 | |
| set routing-instances TRUST-VRF routing-options static route 10.10.11.0/24 next-hop 10.10.0.1 | |
| # Setup the IP Monitoring service in case one of the ISP goes down | |
| # I'm using the gateway of ISP1 and the next hop of ISP2's gateway for examples sake | |
| set services rpm probe ISP1-GW test uplink target address 66.66.66.69 | |
| set services rpm probe ISP1-GW test uplink probe-count 5 | |
| set services rpm probe ISP1-GW test uplink probe-interval 3 | |
| set services rpm probe ISP1-GW test uplink test-interval 30 | |
| set services rpm probe ISP1-GW test uplink thresholds successive-loss 5 | |
| set services rpm probe ISP1-GW test uplink thresholds total-loss 5 | |
| set services rpm probe ISP1-GW test uplink destination-interface reth1.0 | |
| set services rpm probe ISP1-GW test uplink next-hop 66.66.66.69 | |
| # ISP2 probing | |
| set services rpm probe ISP2-GW test uplink target address 77.77.78.1 | |
| set services rpm probe ISP2-GW test uplink probe-count 5 | |
| set services rpm probe ISP2-GW test uplink probe-interval 3 | |
| set services rpm probe ISP2-GW test uplink test-interval 30 | |
| set services rpm probe ISP2-GW test uplink thresholds successive-loss 5 | |
| set services rpm probe ISP2-GW test uplink thresholds total-loss 5 | |
| set services rpm probe ISP2-GW test uplink destination-interface reth2.0 | |
| set services rpm probe ISP2-GW test uplink next-hop 77.77.77.80 | |
| # This is what to do when the probe fails | |
| # Basically we are taking the ISP that is down and giving it the gateway of the ISP that is up | |
| set services ip-monitoring policy ISP1-Tracking match rpm-probe ISP1-GW | |
| set services ip-monitoring policy ISP1-Tracking then preferred-route routing-instances ISP1 route 0.0.0.0/0 next-hop 77.77.77.80 | |
| set services ip-monitoring policy ISP2-Tracking match rpm-probe ISP2-GW | |
| set services ip-monitoring policy ISP2-Tracking then preferred-route routing-instances ISP2 route 0.0.0.0/0 next-hop 66.66.66.69 | |
| # This is where we define our custom ports or applications | |
| set applications application cust-tcp-587 protocol tcp | |
| set applications application cust-tcp-587 destination-port 587 | |
| # We can group applications together for simplicity | |
| # Here im going to group my custom port along with the default SMTP one | |
| set applications application-set cust-smtp application cust-tcp-587 | |
| set applications application-set cust-smtp application junos-smtp |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| set version 11.4R9.6 | |
| set system host-name SITEB | |
| set system domain-name mydomain.com | |
| set system time-zone PST8PDT | |
| set system no-redirects | |
| set system root-authentication encrypted-password "Password" | |
| set system name-server 10.20.10.50 | |
| set system services ssh root-login allow | |
| set system services ssh protocol-version v2 | |
| set system services web-management http interface ge-0/0/0.0 | |
| set system services web-management https system-generated-certificate | |
| set system services web-management https interface ge-0/0/1.0 | |
| set system syslog archive size 100k | |
| set system syslog archive files 3 | |
| set system syslog user * any emergency | |
| set system syslog file messages any critical | |
| set system syslog file messages authorization info | |
| set system syslog file interactive-commands interactive-commands error | |
| set system syslog file IDP-Log any any | |
| set system syslog file IDP-Log match RT_IDP | |
| set system max-configurations-on-flash 5 | |
| set system max-configuration-rollbacks 5 | |
| set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval | |
| # IDP is NOT related to UTM | |
| set system processes utmd disable | |
| set system ntp server 10.20.0.1 | |
| set interfaces ge-0/0/0 unit 0 description LAN | |
| set interfaces ge-0/0/0 unit 0 family inet mtu 1500 | |
| set interfaces ge-0/0/0 unit 0 family inet address 10.20.0.2/30 | |
| set interfaces ge-0/0/1 unit 0 description WAN | |
| set interfaces ge-0/0/1 unit 0 family inet mtu 1500 | |
| set interfaces ge-0/0/1 unit 0 family inet filter input FILTER-WAN-IN | |
| set interfaces ge-0/0/1 unit 0 family inet address 88.88.88.88/27 | |
| set interfaces st0 unit 0 description VPN-SITEA-ISP1 | |
| set interfaces st0 unit 0 family inet mtu 1350 | |
| set interfaces st0 unit 0 family inet address 10.0.0.2/30 | |
| set interfaces st0 unit 1 description VPN-SITEA-ISP2 | |
| set interfaces st0 unit 1 family inet mtu 1350 | |
| set interfaces st0 unit 1 family inet address 10.0.0.6/30 | |
| set snmp location SITEB | |
| set snmp community public authorization read-only | |
| set routing-options static route 0.0.0.0/0 next-hop 88.88.88.89 | |
| set routing-options static route 10.20.10.0/24 next-hop 10.20.0.1 | |
| set routing-options router-id 10.20.0.2 | |
| set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 passive | |
| set protocols ospf area 0.0.0.0 interface st0.0 metric 150 | |
| set protocols ospf area 0.0.0.0 interface st0.1 metric 160 | |
| set protocols stp disable | |
| set policy-options prefix-list mgmnt-access 55.55.55.55/24 | |
| set policy-options prefix-list mgmnt-access 55.55.55.44/32 | |
| set policy-options policy-statement Export-Local-Nets term 1 from protocol static | |
| set policy-options policy-statement Export-Local-Nets term 1 from protocol direct | |
| set policy-options policy-statement Export-Local-Nets term 1 from route-filter 10.20.10.0/24 exact | |
| set policy-options policy-statement Export-Local-Nets term 1 then accept | |
| # This is the IDP setup | |
| # Rule 1 - Bypass and stop checking more rules from our trusted remote sites so they do not get blocked by accident | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 1 match from-zone WAN | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 1 match source-address WAN_TRUSTED_SITES | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 1 match destination-address any | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 1 then action no-action | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 1 terminal | |
| # Rule 2 - Block and log all critical attacks | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 2 match from-zone any | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 2 match source-address any | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 2 match to-zone any | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 2 match destination-address any | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 2 match application default | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 2 match attacks predefined-attack-groups "[Recommended]IP - Critical" | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 2 match attacks predefined-attack-groups "[Recommended]TCP - Critical" | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 2 match attacks predefined-attack-groups "[Recommended]HTTP - Critical" | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 2 match attacks predefined-attack-groups "[Recommended]SHELLCODE - Critical" | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 2 match attacks predefined-attack-groups "[Recommended]VIRUS - Critical" | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 2 match attacks predefined-attack-groups "[Recommended]WORM - Critical" | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 2 match attacks predefined-attack-groups "[Recommended]TROJAN - Critical" | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 2 then action recommended | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 2 then notification log-attacks alert | |
| # Rule 3 - Log all major attacks | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 3 match from-zone any | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 3 match source-address any | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 3 match to-zone any | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 3 match destination-address any | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 3 match application default | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 3 match attacks predefined-attack-groups "[Recommended]SHELLCODE - Major" | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 3 match attacks predefined-attack-groups "[Recommended]VIRUS - Major" | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 3 match attacks predefined-attack-groups "[Recommended]WORM - Major" | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 3 match attacks predefined-attack-groups "[Recommended]TROJAN - Major" | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 3 then action no-action | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 3 then notification log-attacks alert | |
| # Exemptions - This is only an example of how to exempt certain attacks | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-exempt rule E1 match from-zone any | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-exempt rule E1 match source-address any | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-exempt rule E1 match to-zone any | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-exempt rule E1 match destination-address any | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-exempt rule E1 match attacks predefined-attacks HTTP:AUDIT:UNKNOWN-VERB | |
| set security idp active-policy SITEB-IDP-Policy | |
| # Setup automatic IDP updating | |
| set security idp security-package automatic start-time "2013-11-1.15:59:00 +0800" | |
| set security idp security-package automatic interval 48 | |
| set security idp security-package automatic download-timeout 5 | |
| set security idp security-package automatic enable | |
| set security ike proposal SHA1-PSK-DH2-AES128 authentication-method pre-shared-keys | |
| set security ike proposal SHA1-PSK-DH2-AES128 dh-group group2 | |
| set security ike proposal SHA1-PSK-DH2-AES128 authentication-algorithm sha1 | |
| set security ike proposal SHA1-PSK-DH2-AES128 encryption-algorithm aes-128-cbc | |
| set security ike proposal SHA1-PSK-DH2-AES128 lifetime-seconds 86400 | |
| set security ike policy PSK-IKE-Policy mode main | |
| set security ike policy PSK-IKE-Policy proposals SHA1-PRE-AES128 | |
| set security ike policy PSK-IKE-Policy pre-shared-key ascii-text "PreSharedKey" | |
| set security ike gateway SITEA-ISP1-GW ike-policy PSK-IKE-Policy | |
| set security ike gateway SITEA-ISP1-GW address 66.66.66.66 | |
| set security ike gateway SITEA-ISP1-GW local-identity inet 10.0.0.2 | |
| set security ike gateway SITEA-ISP1-GW remote-identity inet 10.0.0.1 | |
| set security ike gateway SITEA-ISP1-GW external-interface ge-0/0/1.0 | |
| set security ike gateway SITEA-ISP1-GW version v2-only | |
| set security ike gateway SITEA-ISP2-GW ike-policy PSK-IKE-Policy | |
| set security ike gateway SITEA-ISP2-GW address 77.77.77.77 | |
| set security ike gateway SITEA-ISP2-GW local-identity inet 10.0.0.6 | |
| set security ike gateway SITEA-ISP2-GW remote-identity inet 10.0.0.5 | |
| set security ike gateway SITEA-ISP2-GW external-interface ge-0/0/1.0 | |
| set security ike gateway SITEA-ISP2-GW version v2-only | |
| set security ipsec proposal SHA1-AES128-ESP protocol esp | |
| set security ipsec proposal SHA1-AES128-ESP authentication-algorithm hmac-sha1-96 | |
| set security ipsec proposal SHA1-AES128-ESP encryption-algorithm aes-128-cbc | |
| set security ipsec proposal SHA1-AES128-ESP lifetime-seconds 3600 | |
| set security ipsec policy IPSEC-PFS2-Policy perfect-forward-secrecy keys group2 | |
| set security ipsec policy IPSEC-PFS2-Policy proposals SHA1-AES128-ESP | |
| set security ipsec vpn SITEA-ISP1-VPN bind-interface st0.0 | |
| set security ipsec vpn SITEA-ISP1-VPN ike gateway SITEA-ISP1-GW | |
| set security ipsec vpn SITEA-ISP1-VPN ike ipsec-policy IPSEC-PFS2-Policy | |
| set security ipsec vpn SITEA-ISP2-VPN bind-interface st0.1 | |
| set security ipsec vpn SITEA-ISP2-VPN ike gateway SITEA-ISP2-GW | |
| set security ipsec vpn SITEA-ISP2-VPN ike ipsec-policy IPSEC-PFS2-Policy | |
| set security address-book global address LAN_Local 10.20.0.0/16 | |
| set security address-book global address WAN_TRUSTED_SITEA_ISP1 66.66.66.66/28 | |
| set security address-book global address WAN_TRUSTED_SITEA_ISP2 77.77.77.77/28 | |
| set security address-book global address-set WAN_TRUSTED_SITES address WAN_TRUSTED_SITEA_ISP1 | |
| set security address-book global address-set WAN_TRUSTED_SITES address WAN_TRUSTED_SITEA_ISP2 | |
| set security alg dns disable | |
| set security alg dns doctoring none | |
| set security alg mgcp disable | |
| set security alg msrpc disable | |
| set security alg sunrpc disable | |
| set security alg sql disable | |
| set security flow allow-dns-reply | |
| set security flow tcp-mss ipsec-vpn mss 1350 | |
| set security screen ids-option untrust-screen icmp ping-death | |
| set security screen ids-option untrust-screen ip source-route-option | |
| set security screen ids-option untrust-screen ip tear-drop | |
| set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024 | |
| set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200 | |
| set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024 | |
| set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048 | |
| set security screen ids-option untrust-screen tcp syn-flood timeout 20 | |
| set security screen ids-option untrust-screen tcp land | |
| set security nat source rule-set LAN-to-WAN from zone LAN | |
| set security nat source rule-set LAN-to-WAN to zone WAN | |
| set security nat source rule-set LAN-to-WAN rule LAN-snat match source-address-name LAN_Local | |
| set security nat source rule-set LAN-to-WAN rule LAN-snat match destination-address 0.0.0.0/0 | |
| set security nat source rule-set LAN-to-WAN rule LAN-snat then source-nat interface | |
| set security policies from-zone LAN to-zone WAN policy deny_blocked_traffic match source-address any-ipv4 | |
| set security policies from-zone LAN to-zone WAN policy deny_blocked_traffic match destination-address any-ipv4 | |
| set security policies from-zone LAN to-zone WAN policy deny_blocked_traffic match application junos-netbios-session | |
| set security policies from-zone LAN to-zone WAN policy deny_blocked_traffic match application junos-smb-session | |
| set security policies from-zone LAN to-zone WAN policy deny_blocked_traffic match application junos-gnutella | |
| set security policies from-zone LAN to-zone WAN policy deny_blocked_traffic match application junos-nbname | |
| set security policies from-zone LAN to-zone WAN policy deny_blocked_traffic match application junos-nbds | |
| set security policies from-zone LAN to-zone WAN policy deny_blocked_traffic match application junos-cifs | |
| set security policies from-zone LAN to-zone WAN policy deny_blocked_traffic then deny | |
| set security policies from-zone LAN to-zone WAN policy LAN-to-WAN match source-address LAN_Local | |
| set security policies from-zone LAN to-zone WAN policy LAN-to-WAN match destination-address any-ipv4 | |
| set security policies from-zone LAN to-zone WAN policy LAN-to-WAN match application any | |
| # Notice the permit application-services idp instead of just permit | |
| set security policies from-zone LAN to-zone WAN policy LAN-to-WAN then permit application-services idp | |
| set security policies from-zone LAN to-zone LAN policy LAN-to-LAN match source-address any | |
| set security policies from-zone LAN to-zone LAN policy LAN-to-LAN match destination-address any | |
| set security policies from-zone LAN to-zone LAN policy LAN-to-LAN match application any | |
| set security policies from-zone LAN to-zone LAN policy LAN-to-LAN then permit | |
| # Here we seperate the VPN zone from the LAN zone just for examples sakes | |
| set security policies from-zone LAN to-zone VPN policy LAN-to-VPN match source-address any | |
| set security policies from-zone LAN to-zone VPN policy LAN-to-VPN match destination-address any | |
| set security policies from-zone LAN to-zone VPN policy LAN-to-VPN match application any | |
| set security policies from-zone LAN to-zone VPN policy LAN-to-VPN then permit | |
| set security policies from-zone VPN to-zone LAN policy VPN-to-LAN match source-address any | |
| set security policies from-zone VPN to-zone LAN policy VPN-to-LAN match destination-address any | |
| set security policies from-zone VPN to-zone LAN policy VPN-to-LAN match application any | |
| set security policies from-zone VPN to-zone LAN policy VPN-to-LAN then permit application-services idp | |
| set security policies from-zone VPN to-zone VPN policy VPN-to-VPN match source-address any | |
| set security policies from-zone VPN to-zone VPN policy VPN-to-VPN match destination-address any | |
| set security policies from-zone VPN to-zone VPN policy VPN-to-VPN match application any | |
| set security policies from-zone VPN to-zone VPN policy VPN-to-VPN then permit | |
| set security zones security-zone VPN host-inbound-traffic system-services all | |
| set security zones security-zone VPN host-inbound-traffic protocols ospf | |
| set security zones security-zone VPN interfaces st0.0 | |
| set security zones security-zone VPN interfaces st0.1 | |
| set security zones security-zone LAN interfaces ge-0/0/0.0 host-inbound-traffic system-services all | |
| set security zones security-zone WAN screen untrust-screen | |
| set security zones security-zone WAN interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh | |
| set security zones security-zone WAN interfaces ge-0/0/1.0 host-inbound-traffic system-services https | |
| set security zones security-zone WAN interfaces ge-0/0/1.0 host-inbound-traffic system-services ping | |
| set security zones security-zone WAN interfaces ge-0/0/1.0 host-inbound-traffic system-services ike | |
| set firewall filter WAN-FILTER-IN term 1 from source-prefix-list mgmnt-access | |
| set firewall filter WAN-FILTER-IN term 1 from protocol tcp | |
| set firewall filter WAN-FILTER-IN term 1 from destination-port 22 | |
| set firewall filter WAN-FILTER-IN term 1 from destination-port 443 | |
| set firewall filter WAN-FILTER-IN term 1 then accept | |
| set firewall filter WAN-FILTER-IN term 2 from protocol tcp | |
| set firewall filter WAN-FILTER-IN term 2 from destination-port 22 | |
| set firewall filter WAN-FILTER-IN term 2 from destination-port 443 | |
| set firewall filter WAN-FILTER-IN term 2 then discard | |
| set firewall filter WAN-FILTER-IN term 3 then accept | |
Thursday, October 11, 2012
VMWare ESXi 4/5 APD Lockup Problem
Problem: You click Rescan All... in the VSphere client and the ESXi host becomes unmanageable due a dead LUN or downed path of offlined volume (this is for iSCSI, I dont know about any others if this problem still happens). Only fix is to hard-reboot the server.
Despite this long and lengthy from VMware on how to do this cleanly (http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2004605) it still is prone to a lot of errors and most likely this will not work for your environment. I'm not even about to connect to 6 different hosts and run all this nonsense to make sure VMware cleanly unmounts a volume.
The quick fix: Go to your Storage Adapters and click on the properties of iSCSI Software Adapter. Click the Static Discovery tab. Remove the dead connections. Then you can rescan without the host locking up. No other method has proven reliable for me other than this.
Update: this still didn't fix the issue. The only real way to overcome this problem is to upgrade to 5.1 where they finally fixed the issue.
Despite this long and lengthy from VMware on how to do this cleanly (http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2004605) it still is prone to a lot of errors and most likely this will not work for your environment. I'm not even about to connect to 6 different hosts and run all this nonsense to make sure VMware cleanly unmounts a volume.
The quick fix: Go to your Storage Adapters and click on the properties of iSCSI Software Adapter. Click the Static Discovery tab. Remove the dead connections. Then you can rescan without the host locking up. No other method has proven reliable for me other than this.
Update: this still didn't fix the issue. The only real way to overcome this problem is to upgrade to 5.1 where they finally fixed the issue.
Wednesday, September 19, 2012
Sophos (Shh/Updater-B)
Before I go into my rant on how fucked up Sophos' Endpoint Protection management system is, let me run through how I fixed this problem with the false detection.
My policies were set to move malware if cleanup failed. Fortunately, only a handful of computers actually were able to move some of these files before I was able to update the policy. Also fortunate that my antivirus server was NOT running the Sophos Client so nothing on the server broke.
Immediately I added these Windows exclusions to all on-access policies:
C:\Program Files (x86)\Sophos
C:\Program Files\Sophos
C:\ProgramData\Sophos
Also changed the policies to blocked instead of move at this time.
Forced all clients to update the policy. Next I forced the update manager to grab the fix. Let it push out to our file server which eventually synced it up using DFS to all locations.
Now the fun.. for the clients that didn't break themselves, I let them self-update and this fixed the issue.
For the clients that did quarantine/delete Sophos' own update files (grabbed a list of them by checking which computers were not fully up to date in the console), I copied the entire C:\Program Files (x86)\Sophos\AutoUpdate directory as well as the update definition that fixes this false detection to our server.
Ran a quick script to copy back the programs and dll files Sophos removed:
xcopy "\\Server\SophosAutoUpdate\*.*" "C:\Program Files\Sophos\AutoUpdate\*.*" /y
xcopy "\\Server\SophosIDE\javab-bd.ide*" "C:\Program Files\Sophos\Sophos Anti-Virus\*.*" /y
(change to "C:\Program Files (x86)" for 64-bit OS)
Restarted Sophos Anti-Virus service (SAVservice) and Sophos Updater with Dameware and I was back in business.
For clients who are not connected, I think the best bet is to send them a script to stop Sophos Anti-Virus, then have them run an executable ZIP file to restore the AutoUpdate and java*.ide file. I cannot imagine how larger corporations are dealing with this disaster. For the company I am at, I was able to catch this issue when the first round of alerts started flooding in. And luckily since we use DFS to distribute updates, I used "Previous versions" to restore back the files that were modified before the last update to stop the spread.
---
Now the rant... Sophos' support on this problem was beyond horrible. How this update slipped through QA is unforgivable. In fact the only way this could have slipped through their quality control is if they didn't have quality control or testing. Otherwise, they would have realized this update breaks their own program!
I understand some other antiviruses released bad updates, but NEVER have I ever seen one that actually detected itself as a virus.
How did they respond to this fuckup? They issued 1 advisory which was so vague and would not fix anyone's issue unless their policy was changed to do nothing when Malware was detected (which I don't even think is their default setting). Their support lines were unreachable from the massive number of customers calling in, their email support was non-existent, and it appears the only help available was 1 employee responding periodically on their forums.
Regardless of this recent incident, there was numerous other annoyances that aggravated me:
1. You cannot unquarantine files remotely. You had to manually go the client computer and run Sophos from there. On top of this, quarantine files are not moved back. You have to sort through the log files and figure out where they came from. FAIL.
2. Server-Client communication is sub-optimal. The clients stay connected to the server over 2 ports at all times. Its not a simple push/pull method, but a constant connection. Drains server resources, and just an overall poor design that was probably meant for a network of 20 computers, not hundreds or thousands.
3. Version 10 and the bloat. Their "web-intelligence" services (2 more services it has to run) breaks a lot of network programs. Disabling in it the policy has no effect, the only fix is to actually set the service to disabled. It's a broken LSA that destroyed our Sharepoint server (email notifications stopped working, SQL connections broke) and some clients were not able to browse the web or use Oracle applications.
Sophos did have its advantages back in the day, lightest and strongest Antivirus out there. But I'm afraid its time has gone, they are not improving the product but just bloating it with useless addons -- making it an absolute disaster to manage and maintain. I'm going to have to take a peek at Vipre, had some issues when testing it years ago but at least it was manageable, where I had the ability to release quarantined files.
My policies were set to move malware if cleanup failed. Fortunately, only a handful of computers actually were able to move some of these files before I was able to update the policy. Also fortunate that my antivirus server was NOT running the Sophos Client so nothing on the server broke.
Immediately I added these Windows exclusions to all on-access policies:
C:\Program Files (x86)\Sophos
C:\Program Files\Sophos
C:\ProgramData\Sophos
Also changed the policies to blocked instead of move at this time.
Forced all clients to update the policy. Next I forced the update manager to grab the fix. Let it push out to our file server which eventually synced it up using DFS to all locations.
Now the fun.. for the clients that didn't break themselves, I let them self-update and this fixed the issue.
For the clients that did quarantine/delete Sophos' own update files (grabbed a list of them by checking which computers were not fully up to date in the console), I copied the entire C:\Program Files (x86)\Sophos\AutoUpdate directory as well as the update definition that fixes this false detection to our server.
Ran a quick script to copy back the programs and dll files Sophos removed:
xcopy "\\Server\SophosAutoUpdate\*.*" "C:\Program Files\Sophos\AutoUpdate\*.*" /y
xcopy "\\Server\SophosIDE\javab-bd.ide*" "C:\Program Files\Sophos\Sophos Anti-Virus\*.*" /y
(change to "C:\Program Files (x86)" for 64-bit OS)
Restarted Sophos Anti-Virus service (SAVservice) and Sophos Updater with Dameware and I was back in business.
For clients who are not connected, I think the best bet is to send them a script to stop Sophos Anti-Virus, then have them run an executable ZIP file to restore the AutoUpdate and java*.ide file. I cannot imagine how larger corporations are dealing with this disaster. For the company I am at, I was able to catch this issue when the first round of alerts started flooding in. And luckily since we use DFS to distribute updates, I used "Previous versions" to restore back the files that were modified before the last update to stop the spread.
---
Now the rant... Sophos' support on this problem was beyond horrible. How this update slipped through QA is unforgivable. In fact the only way this could have slipped through their quality control is if they didn't have quality control or testing. Otherwise, they would have realized this update breaks their own program!
I understand some other antiviruses released bad updates, but NEVER have I ever seen one that actually detected itself as a virus.
How did they respond to this fuckup? They issued 1 advisory which was so vague and would not fix anyone's issue unless their policy was changed to do nothing when Malware was detected (which I don't even think is their default setting). Their support lines were unreachable from the massive number of customers calling in, their email support was non-existent, and it appears the only help available was 1 employee responding periodically on their forums.
Regardless of this recent incident, there was numerous other annoyances that aggravated me:
1. You cannot unquarantine files remotely. You had to manually go the client computer and run Sophos from there. On top of this, quarantine files are not moved back. You have to sort through the log files and figure out where they came from. FAIL.
2. Server-Client communication is sub-optimal. The clients stay connected to the server over 2 ports at all times. Its not a simple push/pull method, but a constant connection. Drains server resources, and just an overall poor design that was probably meant for a network of 20 computers, not hundreds or thousands.
3. Version 10 and the bloat. Their "web-intelligence" services (2 more services it has to run) breaks a lot of network programs. Disabling in it the policy has no effect, the only fix is to actually set the service to disabled. It's a broken LSA that destroyed our Sharepoint server (email notifications stopped working, SQL connections broke) and some clients were not able to browse the web or use Oracle applications.
Sophos did have its advantages back in the day, lightest and strongest Antivirus out there. But I'm afraid its time has gone, they are not improving the product but just bloating it with useless addons -- making it an absolute disaster to manage and maintain. I'm going to have to take a peek at Vipre, had some issues when testing it years ago but at least it was manageable, where I had the ability to release quarantined files.
Tuesday, April 10, 2012
Red Hat 5, iSCSI and multipath
So you setup multipath with iSCSI on Red Hat 5 but noticing traffic is only going out 1 interface?
The problem is iscsiadm seems to ignore the physical interface you are trying to bond to. I think you can manually force the iface when setting up each node but when you have a storage array with 5 adapters, and your server has 3 adapters you are using, do you really want to enter 15 commands per volume? If you are as lazy as I am, the quick fix is to edit each iface entry in /var/lib/iscsi/ifaces and add the line:
"iface.net_ifacename = eth0" where eth0 is the physical interface you are bonding.
Then its simple a matter of discovering the volumes:
iscsiadm -m discovery -t st -p <iscsi discovery IP>
Add the node to all available ifaces in 1 shot:
iscsiadm -m node iqn.veryveryverylongname000000666.feedge --login
Check multipath:
multipath -ll
mpath10 (2bfc5148f7267432c5d7ce900ed0e9ff4) dm-2 Nimble,Server
[size=800G][features=0][hwhandler=0][rw]
\_ round-robin 0 [prio=15][active]
\_ 147:0:0:0 sdef 128:112 [active][ready]
\_ 149:0:0:0 sdeg 128:128 [active][ready]
\_ 148:0:0:0 sdeh 128:144 [active][ready]
\_ 151:0:0:0 sdei 128:160 [active][ready]
\_ 153:0:0:0 sdel 128:208 [active][ready]
\_ 150:0:0:0 sdej 128:176 [active][ready]
\_ 152:0:0:0 sdek 128:192 [active][ready]
\_ 154:0:0:0 sdem 128:224 [active][ready]
\_ 156:0:0:0 sden 128:240 [active][ready]
\_ 158:0:0:0 sdeq 129:32 [active][ready]
\_ 155:0:0:0 sdeo 129:0 [active][ready]
\_ 157:0:0:0 sdep 129:16 [active][ready]
\_ 159:0:0:0 sder 129:48 [active][ready]
\_ 160:0:0:0 sdes 129:64 [active][ready]
\_ 161:0:0:0 sdet 129:80 [active][ready]
and mount (or format) your volume:
mount /dev/mpath/mpath10 /myvolume
You can check ifconfig to confirm all the ethernet adapters bound to iSCSI have equal amounts of traffic or use iptraf to check the packets.
The problem is iscsiadm seems to ignore the physical interface you are trying to bond to. I think you can manually force the iface when setting up each node but when you have a storage array with 5 adapters, and your server has 3 adapters you are using, do you really want to enter 15 commands per volume? If you are as lazy as I am, the quick fix is to edit each iface entry in /var/lib/iscsi/ifaces and add the line:
"iface.net_ifacename = eth0" where eth0 is the physical interface you are bonding.
Then its simple a matter of discovering the volumes:
iscsiadm -m discovery -t st -p <iscsi discovery IP>
Add the node to all available ifaces in 1 shot:
iscsiadm -m node iqn.veryveryverylongname000000666.feedge --login
Check multipath:
multipath -ll
mpath10 (2bfc5148f7267432c5d7ce900ed0e9ff4) dm-2 Nimble,Server
[size=800G][features=0][hwhandler=0][rw]
\_ round-robin 0 [prio=15][active]
\_ 147:0:0:0 sdef 128:112 [active][ready]
\_ 149:0:0:0 sdeg 128:128 [active][ready]
\_ 148:0:0:0 sdeh 128:144 [active][ready]
\_ 151:0:0:0 sdei 128:160 [active][ready]
\_ 153:0:0:0 sdel 128:208 [active][ready]
\_ 150:0:0:0 sdej 128:176 [active][ready]
\_ 152:0:0:0 sdek 128:192 [active][ready]
\_ 154:0:0:0 sdem 128:224 [active][ready]
\_ 156:0:0:0 sden 128:240 [active][ready]
\_ 158:0:0:0 sdeq 129:32 [active][ready]
\_ 155:0:0:0 sdeo 129:0 [active][ready]
\_ 157:0:0:0 sdep 129:16 [active][ready]
\_ 159:0:0:0 sder 129:48 [active][ready]
\_ 160:0:0:0 sdes 129:64 [active][ready]
\_ 161:0:0:0 sdet 129:80 [active][ready]
and mount (or format) your volume:
mount /dev/mpath/mpath10 /myvolume
You can check ifconfig to confirm all the ethernet adapters bound to iSCSI have equal amounts of traffic or use iptraf to check the packets.
Thursday, November 3, 2011
Removing Yahoo Email Account on an Android
For those getting errors trying to remove Yahoo or any other email account...
2) Connect to a wifi network
3) Restart the phone
4) Leave wifi on
5) Go to delete the account again
Subscribe to:
Posts (Atom)