Preface: I created this for the poor souls out there who purchased a Juniper SRX and realized how utterly complicated and miserable the documentation is for configuring these firewalls. I would never recommend purchasing these... there are easier and far more stable firewalls out there that can do the same thing as these horrible devices. Now, for those who are stuck with them and need a quick guide on how to get these muthers working, read on.
Please be aware that I whipped this up rather quickly, so I'm sure there are some errors here and there. I'll update it as necessary. Also, if there are better ways to configure this or more optimized methods, please don't hesitate to comment!
Moving on... here's a summary of each site:
Site A: Two SRX 220s running in a cluster with a dual-ISP setup. It also hosts an SMTP server that is reachable through both the primary and the secondary ISP. IP monitoring is configured so that if either the primary or the backup ISP goes down, traffic is rerouted automatically.
Site B: A single SRX with IDP running.
Between the sites, VPN connections are set up over every ISP. OSPF runs over the tunnels for redundancy and to take care of all the routing that would otherwise need static routes. All SRXs are running 11.4 or later.
Configs
Great post... thanks

Still useful, thank you for this effort

We migrated to Palo Alto firewalls. Although the NAT setup is confusing as hell, it just blows away Juniper in every aspect. Juniper has been nothing but unstable and buggy. Every month I would have to kill the web management process because it would be consuming all the CPU. Even with all IDP/UTM features disabled, the device could barely handle 50Mbs. Just a poorly designed device. Trying to log traffic kills the CPU, UDP traffic kills the CPU, and IDP/UTM is a joke (not exaggerating, but I would say there was a 20% chance on every IDP update that something would break: either the DB would corrupt or it couldn't send it to the other cluster). The VPN tunnels are barely usable (so many packet drops/retries between Junipers because of bugs). We had a Nimble array that could barely keep up with replication when we had a tunnel between two Junipers. After switching to Palo Alto, the replication traffic tripled, I could see far fewer packet retries, and there was no more babysitting the firewalls.

Good post

http://www.routexp.com/2017/07/dmvpn-configurations-on-juniper-router.html