Firewall

Fortigate Management Interface in HA Mode

Fortigate Management Interface in HA Mode First you activate the feature config system ha set ha-mgmt-status enable config ha-mgmt-interfaces edit 1 set interface wan2 set gateway 192.168.147.254 next end end Do not forget to set a default gateway. This interface is isolated and requires its own routing. Then you assign an individual IP address to every node in the cluster System1 config system interface edit wan2 set ip 10.11.101.101/24 set allowaccess https ping ssh snmp next end System2

Tuesday, September 8, 2020 Read

HA command

load merge relative terminal # On a brand-new device without HA enabled, you must define the cluster ID. # Cluster ID must be unique and cannot duplicate other SRX, because HA creates a virtual MAC address and this ID affects it. Duplicates may cause MAC duplication and unexpected errors. # request system zeroize # The following commands must be run in `>` mode. set chassis cluster cluster-id <ID range 0~255> node 0 # This is on node 0 set chassis cluster cluster-id <ID range 0~255> node 1 # This is on node 1 # On the secondary node, run this command. request chassis cluster configuration-synchronize # After reboot, you will see Hold or standby; check whether the cluster is up. show chassis cluster status # This appears only after RETH interfaces are created; you must configure first. show chassis cluster interfaces # The following commands are run in config mode; build the config first. --- # The backup-router is for the HA standby device management interface (fxp) so it can respond to routing; by default the standby does not enable the routing engine, so this is required. set groups node0 system host-name SRX-node0 set groups node0 system backup-router 10.10.0.254 set groups node0 system backup-router destination 0.0.0.0/0 set groups node0 interfaces fxp0 unit 0 family inet address 10.10.0.2/24 set groups node1 system host-name SRX-node1 set groups node1 system backup-router 10.10.0.254 set groups node1 system backup-router destination 0.0.0.0/0 set groups node1 interfaces fxp0 unit 0 family inet address 10.10.0.3/24 set apply-groups "${node}" set system time-zone Asia/Taipei set chassis cluster control-link-recovery set chassis cluster reth-count 10 set chassis cluster heartbeat-interval 2000 # It is recommended to enable IPv6 during setup using the following command, because enabling IPv6 later requires a reboot. set security forwarding-options family inet6 mode flow-based # Interface numbers vary by chassis model. # The easiest way is to check how many slots the device has. For example, SRX550HM has expansion 0-8, so HA starts at 9, hence ge-9/x/x. set chassis cluster redundancy-group 0 node 0 priority 150 set chassis cluster redundancy-group 0 node 1 priority 100 set chassis cluster redundancy-group 0 interface-monitor ge-0/0/3 weight 150 set chassis cluster redundancy-group 0 interface-monitor ge-0/0/5 weight 150 set chassis cluster redundancy-group 0 interface-monitor ge-9/0/3 weight 100 set chassis cluster redundancy-group 0 interface-monitor ge-9/0/5 weight 100 set chassis cluster redundancy-group 1 node 0 priority 150 set chassis cluster redundancy-group 1 node 1 priority 100 set chassis cluster redundancy-group 1 interface-monitor ge-0/0/3 weight 150 set chassis cluster redundancy-group 1 interface-monitor ge-0/0/5 weight 150 set chassis cluster redundancy-group 1 interface-monitor ge-9/0/3 weight 100 set chassis cluster redundancy-group 1 interface-monitor ge-9/0/5 weight 100 # This is the data sync setting for redundancy group 1; you must set it to enable the ge-0/0/2 heartbeat link. set interfaces fab0 fabric-options member-interfaces ge-0/0/2 set interfaces fab1 fabric-options member-interfaces ge-9/0/2 # Add interfaces to the reth group. set interfaces ge-0/0/3 gigether-options redundant-parent reth0 set interfaces ge-0/0/4 gigether-options redundant-parent reth0 set interfaces ge-9/0/3 gigether-options redundant-parent reth0 set interfaces ge-9/0/4 gigether-options redundant-parent reth0 set interfaces ge-0/0/5 gigether-options redundant-parent reth1 set interfaces ge-9/0/5 gigether-options redundant-parent reth1 set interfaces reth0 vlan-tagging # You must add RETH to the data sync group, otherwise it will not work. set interfaces reth0 redundant-ether-options redundancy-group 1 # Note: SRX uses LACP passive mode, but the switch must use LACP active mode. set interfaces reth0 redundant-ether-options lacp passive set interfaces reth0 redundant-ether-options lacp periodic slow set interfaces reth1 redundant-ether-options redundancy-group 1 set interfaces reth1 unit 0 family inet address 202.99.240.100/26

Saturday, July 21, 2018 Read

[Juniper Firewall] command

The following commands are run in operational mode, or use run show in configuration mode. Show current firewall session count show security flow session | match 10.22.12.104 show security flow session source-prefix 10.22.12.104 Clear current sessions clear security flow session all Query OID show snmp mib walk decimal 1.3.6.1.2.1.2.2.1.2 Check current software version show system software Check system uptime show system uptime Check hardware cards and serial numbers show chassis haredware Check current hardware status show chassis environment Show routing table

Wednesday, June 27, 2018 Read

Firewall Update

Preparation: Plug in the console. Copy the update file to the USB drive. Before starting, use show version to check the current version Update SOP: start shell su to root Create a directory: mkdir /var/tmp/usb (name can be anything) Insert the USB. Note the number after da, currently da1. Mount it: mount -t msdos /dev/da1s1 /var/tmp/usb (if da0, then use da0s1, etc.) After it finishes, cd /cf/var/tmp/usb/da2s1/ (usb) ls (junos-srxsme-15.1X49-D120.3-domestic.tgz) Switch the CLI to operational mode request system software add /var/tmp/usb/da2s1/junos-srxsme-15.1X49-D120.3-domestic.tgz request system reboot show version

Tuesday, June 12, 2018 Read

Juniper notes

[Juniper Firewall] tunnel ACG icare@TWCHIJF01# show | compare rollback 4 [edit security policies] from-zone DB_12 to-zone TCT_Office { ... } + from-zone DB_12 to-zone JC32 { + policy For_Backup { + match { + source-address DB_10.11.12.0/24; + destination-address BACKUP_10.32.32.130; + application any; + } + then { + permit; + } + } + } [edit security zones security-zone DB_12 address-book] address DB_10.11.12.57 { ... } + address DB_10.11.12.0/24 10.11.12.0/24; [edit security zones] security-zone ESB_15 { ... } + security-zone JC32 { + address-book { + address BACKUP_10.32.32.130 10.32.32.130/32; + } + host-inbound-traffic { + system-services { + ping; + } + } + interfaces { + gr-0/0/0.32; + } + } [edit interfaces gr-0/0/0] + unit 32 { + description To_JC32_DBBackup; + tunnel { + source 202.168.193.128; + destination 218.253.210.8; + } + family inet { + address 10.32.0.101/30; + } + } [edit routing-options static] route 0.0.0.0/0 { ... } + route 10.32.32.130/32 next-hop 10.32.0.102; set security policies from-zone DB_12 to-zone JC32 policy For_Backup match source-address DB_10.11.12.0/24 set security policies from-zone DB_12 to-zone JC32 policy For_Backup match destination-address BACKUP_10.32.32.130 set security policies from-zone DB_12 to-zone JC32 policy For_Backup match application any set security policies from-zone DB_12 to-zone JC32 policy For_Backup then permit set security zones security-zone DB_12 address-book address DB_10.11.12.0/24 10.11.12.0/24 set security zones security-zone JC32 address-book address BACKUP_10.32.32.130 10.32.32.130/32 set security zones security-zone JC32 host-inbound-traffic system-services ping set security zones security-zone JC32 interfaces gr-0/0/0.32 set interfaces gr-0/0/0 unit 32 description To_JC32_DBBackup set interfaces gr-0/0/0 unit 32 tunnel source 202.168.193.128 set interfaces gr-0/0/0 unit 32 tunnel destination 218.253.210.8 set interfaces gr-0/0/0 unit 32 family inet address 10.32.0.101/30 set routing-options static route 10.32.32.130/32 next-hop 10.32.0.102 icare@TWCHIJF01> show configuration | compare rollback 1

Thursday, November 23, 2017 Read