Re: [j-nsp] Block externals ip to firewall srx240

2017-01-10 Thread Alexander Arseniev
Hello, Last time I checked, the order of operations on branch SRX is:
1/ input interface filter
2/ self-traffic policy
3/ junos-host zone policy
4/ loopback filter
Hence, the most CPU-effective way is to use interface filter to drop early. HTH Thx Alex On 10/01/2017 19:18, Karsten Thomann

Re: [j-nsp] disaccord in output of "df" and "df " in Junos

2017-01-10 Thread Phil Shafer
Vincent Bernat writes: >Unfortunately, there is no "stat" command that would help to have a >better picture. df will "stat" the file you provide to get the device it >is stored on and there search the device and its mountpoint to display the >result. You'll see the same behavior for symlinks: %

Re: [j-nsp] Block externals ip to firewall srx240

2017-01-10 Thread Karsten Thomann
I would use Junos-host if the device needs to be managed from the untrust network, I have the impression it shouldn't be possible to manage it at all from the untrust zone and then I would disable all management protocols from the system-service section within the untrust zone. Karsten Am

Re: [j-nsp] Block externals ip to firewall srx240

2017-01-10 Thread Kevin Shymkiw
My apologies - it is called the junos-host zone at this point: https://kb.juniper.net/InfoCenter/index?page=content=KB24227=search Kevin On Tue, Jan 10, 2017 at 10:07 AM, Kevin Shymkiw wrote: > David, > > https://www.juniper.net/documentation/en_US/junos12. >

Re: [j-nsp] Block externals ip to firewall srx240

2017-01-10 Thread Kevin Shymkiw
David, https://www.juniper.net/documentation/en_US/junos12.1x44/topics/concept/security-policy-for-self-traffic-understanding.html It is called self-traffic-policy. If your version doesn't support this - then you would need to do the old school method of using a Firewall Filter on Lo0 Kevin

Re: [j-nsp] Juniper MPC-3D-16XGE-SFPP/SCBE2 incompatibility?

2017-01-10 Thread Daniel Verlouw
On Tue, Jan 10, 2017 at 7:45 PM, Brandon Ross wrote: > I have a colleague trying to use a MPC-3D-16XGE-SFPP with SCBE2s and getting > an "FPC misconfiguration" message in 'show chassis fpc' on an MX. It works > fine with SCBE, just not SCBE2, they tell me. > > Does anyone have

[j-nsp] Block externals ip to firewall srx240

2017-01-10 Thread David Samaniego
Hi, I have a Juniper SRX240 in firewall mode. I created an Untrust Zone to control the traffic access from the Internet to my LAN. All works fine, but I need to block all the connections to my device, for example block the ssh or https. The idea is to deny all attempts to manage my device through the Internet.

[j-nsp] Juniper MPC-3D-16XGE-SFPP/SCBE2 incompatibility?

2017-01-10 Thread Brandon Ross
I have a colleague trying to use a MPC-3D-16XGE-SFPP with SCBE2s and getting an "FPC misconfiguration" message in 'show chassis fpc' on an MX. It works fine with SCBE, just not SCBE2, they tell me. Does anyone have any experience with this? I searched all over the place but can find no