Contributor
Posts: 14
Registered: ‎02-22-2017
0 Kudos

J2320 - V12.4 BGP And Firewall Setup

Hi,

I'm trying to get a J2320 to connect via BGP to our branch sites but having issues. I cannot get it to connect to our remote peer. I was using V8 before, which did not have a stateful firewall; does this also need configuring?

regards,

Distinguished Expert
Posts: 5,119
Registered: ‎03-30-2009
0 Kudos

Re: J2320 - V12.4 BGP And Firewall Setup

I am not quite sure what your configuration need is here, so sorry if this is the wrong direction.

You can use the J2320 in either packet mode as a plain router or flow mode that would be a firewall. If it is in flow mode, then yes, you would need to configure security policies to allow the BGP session through.

Do you need a firewall or just want a router for this site?

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home
Contributor
Posts: 14
Registered: ‎02-22-2017
0 Kudos

Re: J2320 - V12.4 BGP And Firewall Setup

Hi,

Sure, it is a main router here that all our branch sites connect to through an MPLS. Currently the J2320 is in packet mode and all branches route to us; we then host services that the branches rely on. I'd like to use flow mode and beef up security by creating policies that only permit certain ports from our branches and back to them. I have set up basic peering but that would not connect at all. Do the security policies have any influence on the BGP peer itself connecting to the external interface? I did allow all in both directions across all interfaces but it still wouldn't connect.

Cheers,

Distinguished Expert
Posts: 5,119
Registered: ‎03-30-2009
0 Kudos

Re: J2320 - V12.4 BGP And Firewall Setup

Thanks for the explanation.

Security policies are needed for all traffic that passes THROUGH the SRX, that is, between pairs of devices outside the SRX. Interfaces belong to zones. Traffic is classified by the ingress and egress interface of the initiator of the traffic, so the policy is written as security policy from-zone X to-zone Y with all the desired specifications. These only need to be in the direction of the initiator; return traffic for this is permitted by the flow engine.

For self traffic, traffic that starts or ends on the SRX itself (like the BGP peer), we first must enable the protocol on the zone. The interface that the traffic is destined for belongs to a zone; under security zones security-zone NAME host-inbound-traffic we must allow the type of traffic (bgp in this case). This will allow that traffic from any host. If you want to further restrict that traffic you also then create a security policy from-zone X to-zone junos-host with all the desired restrictions.

This document has the details: inbound traffic in chapter 3, security policies in chapter 6.

https://www.juniper.net/documentation/en_US/junos/information-products/pathway-pages/security/securi...

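To make the host-inbound-traffic and junos-host points above concrete, here is an added example in Junos set syntax. It is not from the thread or from Juniper documentation; it reuses the poster's UnTrust zone, ge-0/0/2.0 WAN interface, Test address book (already attached to UnTrust) and 172.0.0.5 peer, while the address name MPLS-PEER and the policy name Allow-BGP-Peer are assumptions.

```junos
## Added example, not the poster's config. Names MPLS-PEER and
## Allow-BGP-Peer are assumed; zone, interface and peer come from the thread.

## 1. Self traffic: let BGP terminate on the router via the WAN interface.
##    The posted config uses "all"; this is the minimum BGP itself needs.
set security zones security-zone UnTrust interfaces ge-0/0/2.0 host-inbound-traffic protocols bgp

## 2. Optional tightening: host-inbound-traffic admits BGP from any host in
##    the zone, so a policy to the junos-host zone narrows it to the peer.
set security address-book Test address MPLS-PEER 172.0.0.5/32
set security policies from-zone UnTrust to-zone junos-host policy Allow-BGP-Peer match source-address MPLS-PEER
set security policies from-zone UnTrust to-zone junos-host policy Allow-BGP-Peer match destination-address any
set security policies from-zone UnTrust to-zone junos-host policy Allow-BGP-Peer match application junos-bgp
set security policies from-zone UnTrust to-zone junos-host policy Allow-BGP-Peer then permit
set security policies from-zone UnTrust to-zone junos-host policy Allow-BGP-Peer then log session-close

## 3. Verify: the zone should list bgp as allowed, the peer should reach
##    Established, and a BGP session to the router itself should be visible.
show security zones UnTrust
show bgp neighbor 172.0.0.5
show security flow session destination-port 179
```

Once a from-zone UnTrust to-zone junos-host context exists, other host-inbound traffic arriving on UnTrust (ssh, ping, and so on) is evaluated against it as well and falls to the default-policy when nothing matches, so anything else that must reach the router from that zone needs its own permit in the same context.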
Contributor
Posts: 14
Registered: ‎02-22-2017
0 Kudos

Re: J2320 - V12.4 BGP And Firewall Setup

Hi,

Ok, that's great. I will get this configuration set up, hopefully it will work. I believe I have the BGP working now; on v12 of the firmware it added a confederate AS, I've removed all that and added the regular BGP configuration.

Will confirm asap :)

Contributor
Posts: 14
Registered: ‎02-22-2017
0 Kudos

Re: J2320 - V12.4 BGP And Firewall Setup

Hi,

Ok, so BGP has come up and I'm seeing active routes in the table, but I cannot get any traffic to pass through the router itself, e.g. ping or see any devices at either end. I have at the moment set all zones to all, with all services allowed, apart from the default global policy which is set to deny.

Config:

## Last commit: 2017-09-05 13:23:52 UTC by root
version 12.1X44-D40.2;
system {
    host-name DC-MPLS-01;
    root-authentication {
        encrypted-password 
    }
    name-server {
        192.168.50.80;
        192.168.50.81;
        192.168.50.89;
    }
    login {
        user administrator {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password 
            }
        }
    }
    services {
        ssh;
        telnet;
        web-management {
            http;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            description "LAN HQ";
            family inet {
                address 192.168.50.4/22;
            }
        }
    }
    ge-0/0/2 {
        description "WAN MPLS";
        unit 0 {
            family inet {
                address 172.0.0.6/30;
            }
        }
    }
    ge-0/0/3 {
        description "UNUSED LAN";
        unit 0 {
            family inet {
                address 10.1.1.1/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 172.0.0.6/32;
            }
        }
    }
}
snmp {
    community public {
        authorization read-only;
    }
}
routing-options {
    static {
        route 172.0.0.0/30 next-hop 172.0.0.5;
    }
    router-id 172.0.0.6;
    autonomous-system 65000;
}
protocols {
    bgp {
        group MPLS {
            type external;
            description "BT MPLS PEER";
            export export-LAN;
            peer-as 2856;
            neighbor 172.0.0.5 {
                local-address 172.0.0.6;
                hold-time 90;
            }
        }
    }
}
policy-options {
    policy-statement export-LAN {
        from {
            protocol [ direct local ];
            interface ge-0/0/0.0;
        }
        then accept;
    }
    policy-statement jweb-policy-default-route {
        from {
            route-filter 0.0.0.0/0 exact;
        }
        then accept;
    }
    policy-statement jweb-policy-direct {
        from {
            protocol direct;
            interface ge-0/0/2.0;
        }
        then accept;
    }
    policy-statement jweb-policy-rip {
        from protocol rip;
        then accept;
    }
}
security {
    address-book {
        Test {
            description test;
            address 1.1.1.1 {
                description test;
                1.1.1.1/32;
            }
            attach {
                zone UnTrust;
            }
        }
    }
    policies {
        from-zone Trust to-zone UnTrust {
            policy Trust-Untrust {
                description Trust-Untrust;
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    count;
                }
            }
        }
        from-zone UnTrust to-zone Trust {
            policy Untrust-Trust {
                description Untrust-Trust;
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    count;
                }
            }
        }
        default-policy {
            deny-all;
        }
    }
    zones {
        security-zone Trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
                lo0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone UnTrust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/2.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
}

Cheers,

Distinguished Expert
Posts: 5,119
Registered: ‎03-30-2009
0 Kudos

Re: J2320 - V12.4 BGP And Firewall Setup

The two things to check then are to confirm that sessions are being accepted and created for your traffic. Set up the ping and then use:

show security flow session source-prefix 1.1.1.1 destination-prefix 2.2.2.2

This should show the accepted sessions with nat and packet counts. If there are no sessions you will need to enable trace options to find out why.

Second thing to confirm is that the remote side has the return route for the traffic and that they have policies to accept the traffic as well.

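The session check and the trace-options step described in the reply above, written out as an added example in Junos syntax. It is not from the thread or from Juniper; the addresses are constructed for illustration (an HQ host 192.168.50.10 behind ge-0/0/0.0 in zone Trust, a branch host 10.20.0.5 reached through ge-0/0/2.0 in zone UnTrust), and the trace file name flow-trace and packet-filter names are assumptions.

```junos
## Added example, not the poster's config. 192.168.50.10 (HQ host) and
## 10.20.0.5 (branch host) are constructed; substitute the real pair.

## 1. With a continuous ping running from the HQ host, look for the session.
##    A permitted flow shows the matching policy name plus an In and an Out
##    wing with packet counts; "Total sessions: 0" means it was never admitted.
show security flow session source-prefix 192.168.50.10 destination-prefix 10.20.0.5

## 2. No session: record the flow engine's decision for just this address
##    pair. The packet-filter keeps the trace small and readable; one filter
##    per direction so the reply path is captured as well.
set security flow traceoptions file flow-trace
set security flow traceoptions file size 1m
set security flow traceoptions file files 3
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter HQ-TO-BRANCH source-prefix 192.168.50.10/32
set security flow traceoptions packet-filter HQ-TO-BRANCH destination-prefix 10.20.0.5/32
set security flow traceoptions packet-filter BRANCH-TO-HQ source-prefix 10.20.0.5/32
set security flow traceoptions packet-filter BRANCH-TO-HQ destination-prefix 192.168.50.10/32
commit

## 3. Read the trace: the lines naming the policy that matched, a deny,
##    or a missing route are the ones that explain a dropped first packet.
show log flow-trace
show log flow-trace | match "policy|denied|dropped|route"

## 4. Remove the trace afterwards; basic-datapath tracing costs CPU on a J-series.
delete security flow traceoptions
commit
```

Run the session lookup on both routers: a session present on the hub but absent on the spoke (or the reverse) points at the device whose policy or return route is missing, which is the split the reply asks you to confirm.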
Contributor
Posts: 14
Registered: ‎02-22-2017
0 Kudos

Re: J2320 - V12.4 BGP And Firewall Setup

Hi,

Still not having much luck.... I have set up a pair of J2320s running V12 firmware, configured BGP between them (to simulate the MPLS provider's end) and I can see those routes replicating between the routers. On the head office end I can see and connect to all devices on the remote end but not the other way round, e.g. communicating with the head office end from the remote network. When running a trace I get as far as the external interface on the head office end's router but no further. Machines in the head office end have a static route pointing back at the branch router.

Sorry it's quite vague, let me know if you need any other info.

Cheers,

Distinguished Expert
Posts: 5,119
Registered: ‎03-30-2009
0 Kudos

Re: J2320 - V12.4 BGP And Firewall Setup

Security policies that permit the traffic are needed in the direction of the initiator (from-zone) of the traffic to the destination (to-zone):

set security policies from-zone NAME to-zone NAME

Both SRX need to have a policy that permits the traffic.

So in your case one of the two SRX does not have a policy from the hub zone to the spoke zone for the traffic to be permitted. You confirm the existence of the sessions with the show security flow command.

If the session is not being created you can use trace options to get the details on why.

https://kb.juniper.net/InfoCenter/index?page=content&id=kb16110

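Here is the spoke-side policy set that the reply above calls for, as an added example in Junos set syntax; it is not from the thread or from Juniper. It assumes the branch J2320 uses the same Trust/UnTrust zone names as the hub; the HQ subnet 192.168.48.0/22 follows from the posted ge-0/0/0 address, while the branch LAN 10.20.0.0/24, the address-book, application and policy names, and the port 8443 service are constructed.

```junos
## Added example for the branch router, not the poster's config. Branch LAN,
## address-book, application and policy names are assumptions.

## Addresses go in a book attached to the zone they sit in: a policy's
## source-address must resolve in the from-zone, destination-address in the to-zone.
set security address-book Branch-Side address BRANCH-LAN 10.20.0.0/24
set security address-book Branch-Side attach zone Trust
set security address-book HQ-Side address HQ-LAN 192.168.48.0/22
set security address-book HQ-Side attach zone UnTrust

## Only the HQ-hosted services, instead of "application any" as in the hub config.
## HQ-APP-8443 is a constructed custom service; the others are predefined.
set applications application HQ-APP-8443 protocol tcp destination-port 8443
set applications application-set HQ-SERVICES application junos-dns-udp
set applications application-set HQ-SERVICES application junos-https
set applications application-set HQ-SERVICES application HQ-APP-8443

## Branch -> HQ: initiator is in Trust. Replies ride the session, so no
## matching rule is needed in the other direction for this traffic.
set security policies from-zone Trust to-zone UnTrust policy Branch-To-HQ match source-address BRANCH-LAN
set security policies from-zone Trust to-zone UnTrust policy Branch-To-HQ match destination-address HQ-LAN
set security policies from-zone Trust to-zone UnTrust policy Branch-To-HQ match application HQ-SERVICES
set security policies from-zone Trust to-zone UnTrust policy Branch-To-HQ then permit
set security policies from-zone Trust to-zone UnTrust policy Branch-To-HQ then log session-close

## HQ -> branch: the direction that was failing. The hub's Trust-to-UnTrust
## permit creates a session on the hub only; the branch router still needs its
## own UnTrust-to-Trust permit or it drops the first packet at its WAN interface.
set security policies from-zone UnTrust to-zone Trust policy HQ-To-Branch match source-address HQ-LAN
set security policies from-zone UnTrust to-zone Trust policy HQ-To-Branch match destination-address BRANCH-LAN
set security policies from-zone UnTrust to-zone Trust policy HQ-To-Branch match application [ junos-icmp-ping junos-ssh ]
set security policies from-zone UnTrust to-zone Trust policy HQ-To-Branch then permit
set security policies from-zone UnTrust to-zone Trust policy HQ-To-Branch then log session-close

## Anything else between the two zones is dropped and can be counted.
set security policies default-policy deny-all
commit

## Check which policy a test flow hits without sending traffic.
show security match-policies from-zone UnTrust to-zone Trust source-ip 192.168.50.10 destination-ip 10.20.0.5 source-port 1024 destination-port 22 protocol tcp
```

The same pattern applied on the hub (explicit source, destination and application instead of any/any/any in both directions) is what turns the posted "allow all" into the per-port restriction the original poster set out to build.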
Contributor
Posts: 14
Registered: ‎02-22-2017
0 Kudos

Re: J2320 - V12.4 BGP And Firewall Setup

Hi,

I updated the configuration and all branches are connecting. The issue I have left is that 1-2 people can connect at a branch but any additional ones will be blocked. I had policy-rematch enabled; would that potentially stop any additional sessions or would that only remove flows upon a commit?

regards,

Distinguished Expert
Posts: 5,119
Registered: ‎03-30-2009
0 Kudos

Re: J2320 - V12.4 BGP And Firewall Setup

No, session rematch just compares all your existing sessions against the new policies you are committing. If there is a match they stay and if they are now being denied they are closed.

To figure out why the sessions are blocked you will need to first verify that the session is not created using

show security flow session

as noted above. If the session does exist then the issue will be with return path routing or the policies on the other J-series firewall.

If there is no session, use the trace options above to get the reason the session is being denied.
