SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

SRX firewall routing configuration

  • 1.  SRX firewall routing configuration

    Posted 03-10-2016 12:19

    Hi,

    I have a question about Juniper SRX firewall configuration,
    Running 11.4R7

    My question is about the routing table used while processing traffic passing through the firewall.

     

    I have routing configuration as part of the routing-instances definition, and it looks like:
    set routing-instances Main-VR instance-type virtual-router
    set routing-instances Main-VR interface reth0.0
    set routing-instances Main-VR routing-options static route 10.80.90.0/27 next-hop 10.80.90.40

     

    Then I could find another routing definition as:
    routing-options static route 10.62.170.190/32 next-hop 10.80.93.1
    routing-options static route 10.62.170.0/24 next-hop 10.80.93.1
    routing-options static route 10.61.105.0/26 next-hop 10.80.93.1
    routing-options static route 10.66.65.103/32 next-hop 10.80.93.1

     

    What’s the difference between the two definitions?
    Are both active, I mean checked while traffic processing is taking place?
    Or could I remove one of them?


    #routing
    #SRX
    #firewall


  • 2.  RE: SRX firewall routing configuration

     
    Posted 03-11-2016 01:26

    Hi Arouba,

     

    In the following configuration:

    Then i could find another routing definition as
    routing-options static route 10.62.170.190/32 next-hop 10.80.93.1  >> 1
    routing-options static route 10.62.170.0/24 next-hop 10.80.93.1      >> 2
    routing-options static route 10.61.105.0/26 next-hop 10.80.93.1      >> 3
    routing-options static route 10.66.65.103/32 next-hop 10.80.93.1    >> 4

     

    2 should take care of 1 as well and hence 1 can be deleted, unless you only want the /32 address to pass through, in which case you should check and delete 2.

    For 3 and 4 it is different as 10.66.65.103 is not included in 10.61.105.0/26, so both will be required as per your network requirements.

     

    set routing-instances Main-VR routing-options static route 10.80.90.0/27 next-hop 10.80.90.40

    >> This takes care of traffic present in the routing instances and so is crucial for traffic that has to be routed from the routing instance.

     

     



  • 3.  RE: SRX firewall routing configuration

    Posted 03-14-2016 03:31

    To see which routes are actually active you need to run the operational command:

     

    show route

    or the more specific

    show route protocol static

     

    This will show you the active routes indicated by the * symbol and organize them by the routing instance in which they are active.



  • 4.  RE: SRX firewall routing configuration

    Posted 01-27-2017 15:37

    Hi SSN,

     

    I thought routing-options 1 to 4 below will not function at all, as the next hop is not part of 10.80.90.0/27, which is defined in the routing-instances as

    set routing-instances Main-VR routing-options static route 10.80.90.0/27 next-hop 10.80.90.40

     

    routing-options static route 10.62.170.190/32 next-hop 10.80.93.1  >> 1
    routing-options static route 10.62.170.0/24 next-hop 10.80.93.1      >> 2
    routing-options static route 10.61.105.0/26 next-hop 10.80.93.1      >> 3
    routing-options static route 10.66.65.103/32 next-hop 10.80.93.1    >> 4

     

    Is this right? Or could you help me understand the different functionality of the 2 definitions:

    1- set routing-instances Main-VR routing-options static route

    2- routing-options static route



  • 5.  RE: SRX firewall routing configuration

    Posted 01-28-2017 05:06
    could you help me to understand the different functionality of the 2 definitions
    1- set routing-instances Main-VR routing-options static route
    2- routing-options static route

    When you create a routing instance this creates an independent routing table within the device.  

     

    1 - adds a static route to the Main-VR routing instance route table

    2- adds a static route to the root routing instance route table

     

    Using the operational command will show both route tables. This is an example of an SRX with 2 routing instances configured, Trust-vr and Untrust-vr, and inet.0 is the root routing instance.

     

    root@none> show route 
    
    inet.0: 3 destinations, 4 routes (3 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    0.0.0.0/0          *[Static/5] 16w5d 14:04:33
                        > to 192.168.0.1 via fe-0/0/7.0
                        [Access-internal/12] 18w6d 20:44:27
                        > to 192.168.128.1 via fe-0/0/0.0
    192.168.0.0/24     *[Direct/0] 24w5d 17:49:39
                        > via fe-0/0/7.0
    192.168.0.20/32    *[Local/0] 24w5d 18:02:06
                          Local via fe-0/0/7.0
    
    Trust-vr.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    192.168.27.64/28   *[Direct/0] 17w5d 17:29:41
                        > via fe-0/0/1.0
    192.168.27.65/32   *[Local/0] 18w6d 20:46:02
                          Local via fe-0/0/1.0
    
    Untrust-vr.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    192.168.27.64/28   *[Direct/0] 16w5d 14:04:33
                        > via fe-0/0/1.0
    192.168.128.0/24   *[Direct/0] 18w6d 20:44:27
                        > via fe-0/0/0.0
    192.168.128.14/32  *[Local/0] 18w6d 20:44:27
                          Local via fe-0/0/0.0
    

     

     

    “All traffic that arrives on an SRX interface other than reth0.0 uses the global definition.”
    Where can I find this global definition?

    Your original configuration shows that reth0.0 is assigned to the Main-VR. Thus any traffic that arrives on this sub-interface will be processed by the Main-VR routing table. Traffic that arrives on any other interface will be processed by the root routing instance.



  • 6.  RE: SRX firewall routing configuration

    Posted 01-31-2017 11:38

    Thanks Spuluka,

     

    I much appreciate your reply and clarification.

     

    I got the show route results, and am reviewing them one by one.

     

    Q: do those definitions in the global configuration, defined as routing-options static route,
    interact with zones or security policies?

    Or is it only for the basic functionality related to the firewall as a device (I mean, for syslog/NTP/… accessibility)?

     



  • 7.  RE: SRX firewall routing configuration

    Posted 02-01-2017 03:06

    Q: do those definitions in the global configuration, defined as routing-options static route,
    interact with zones or security policies?

    Or is it only for the basic functionality related to the firewall as a device (I mean, for syslog/NTP/… accessibility)?

     

    The routing helps to determine which zone is involved with a flow which then determines which security policy will apply.

     

    When a packet arrives, the ingress interface belongs to a zone; this is the from-zone for the policy check.

    A route lookup occurs for the destination address; this then determines the egress interface for the traffic, and the zone assigned to this interface is the to-zone in the policy check.
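    As an added example (not code from the thread or from Junos), the Python model below mirrors what replies 5, 7 and 18 describe: the ingress interface's routing instance selects the table, a longest-prefix match picks the route, and the zone of the egress interface becomes the to-zone; it also flags reply 2's point that the /32 with the same next-hop as the covering /24 is redundant. The connected subnets, the egress interface reth1.0 and the zone names are assumptions; the routes and the reth0.0 binding are the ones posted in the thread.

```python
import ipaddress

# Constructed model of the lookups described in the thread, not Junos code.
# reth0.0 is bound to Main-VR (original post); other interfaces use root inet.0.
INSTANCE_OF_INTERFACE = {"reth0.0": "Main-VR"}
ROOT_TABLE = "inet.0"
# Static routes from the thread as (prefix, next-hop), keyed by routing table.
ROUTES = {
    "Main-VR": [("10.80.90.0/27", "10.80.90.40")],
    "inet.0": [("10.62.170.190/32", "10.80.93.1"), ("10.62.170.0/24", "10.80.93.1"),
               ("10.61.105.0/26", "10.80.93.1"), ("10.66.65.103/32", "10.80.93.1")],
}
# Assumed: connected subnets resolving a next-hop to an egress interface, and zones.
CONNECTED = {"10.80.90.32/27": "reth0.0", "10.80.93.0/24": "reth1.0"}
ZONE_OF_INTERFACE = {"reth0.0": "trust", "reth1.0": "untrust"}

def table_for(ingress_iface):
    """Packets are looked up in the table of the ingress interface's instance."""
    return INSTANCE_OF_INTERFACE.get(ingress_iface, ROOT_TABLE)

def lookup(table, dst):
    """Longest-prefix match in one table; returns (prefix, next_hop) or None."""
    dst = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in ROUTES[table]
            if dst in ipaddress.ip_network(p)]
    if not hits:
        return None
    net, nh = max(hits, key=lambda h: h[0].prefixlen)
    return str(net), nh

def egress_interface(next_hop):
    nh = ipaddress.ip_address(next_hop)
    return next((i for s, i in CONNECTED.items() if nh in ipaddress.ip_network(s)), None)

def policy_context(ingress_iface, dst):
    """(from-zone, to-zone, matched prefix), or None when the table has no route."""
    hit = lookup(table_for(ingress_iface), dst)
    if hit is None:
        return None
    return ZONE_OF_INTERFACE[ingress_iface], ZONE_OF_INTERFACE[egress_interface(hit[1])], hit[0]

def shadowed_routes(table):
    """More-specific routes whose next-hop equals a covering route's (reply 2's case)."""
    nets = [(ipaddress.ip_network(p), nh) for p, nh in ROUTES[table]]
    return [str(n) for n, nh in nets
            if any(n != o and n.subnet_of(o) and nh == onh for o, onh in nets)]
```

    Note that a destination reachable via the global routes is unroutable for traffic arriving on reth0.0, because only the Main-VR table is consulted for that interface.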



  • 8.  RE: SRX firewall routing configuration

    Posted 02-02-2017 10:48

    thanks

     

    I am reviewing and matching one by one to understand,

    for sure will come back,

     

    much appreciated



  • 9.  RE: SRX firewall routing configuration

    Posted 02-07-2017 13:02

    Hi,

     

    While reviewing the output of the

    show route command, one of the output lines I started to dig into shows as:

    681    10.14.224.193/32   *[Local/0] 24w6d 22:05:53
    682                          Reject

     

    I tried to find a reason, but could find nothing, except one, where there is no

    routing-instances Other-VR routing-options static route

    got directed to this interface,

    but is it really the reason?

     

    here is the VR definition

     

     



  • 10.  RE: SRX firewall routing configuration

    Posted 02-09-2017 13:55

    Hi,

     

    In need of your help please,

    to know the reason for getting

    reject

    on one of the interfaces!

     

    Is it because no route is defined to use it?

     

    Is it because the related zone is not used in any security policy as from-zone (but it does exist in other security policies as to-zone)?

     

    Is it something not related to the firewall configuration, I mean, related to any of the devices beyond it, routers, or the subnet is not defined properly?

     

    Or is it something in the configuration for sure, but I need to go through it to identify it?



  • 11.  RE: SRX firewall routing configuration

    Posted 02-11-2017 02:48
    show route command, one output lines i started to dig about shows as
    681    10.14.224.193/32   *[Local/0] 24w6d 22:05:53
    682                          Reject

    You get a reject local route when you have an ip address configured on an interface and the interface is currently link down.

     

     



  • 12.  RE: SRX firewall routing configuration

    Posted 02-12-2017 15:39

    thanks,

     

    When you describe the interface as down, do you mean it's down from the firewall configuration?

    Or an outside device, like a connected router, where the interface on the router side is down?

     

    Are there any commands you would recommend running in order to diagnose the issue?



  • 13.  RE: SRX firewall routing configuration

    Posted 02-13-2017 03:19

    The local routes are ones assigned in the configuration to interfaces.

     

    Reject means the interface with that ip address is admin up and link down.  You need to check the cabling attached to that interface and the neighbor device to which it is connected.

     

    This command will show you the ip address and current status of the interfaces.

    show interfaces terse



  • 14.  RE: SRX firewall routing configuration

    Posted 02-19-2017 12:38

    Hi again,

     

    The result of the command, related to the interface in question,

    show interfaces terse

     

    is as follows:

     

    Interface               Admin Link Proto    Local                 Remote
    reth4                   up    down
    reth4.1549              up    down inet     10.14.224.193/26
                                       multiservice
    reth4.32767             up    down multiservice

     

    Does this confirm your finding that it's the neighbor device which is down, and not the firewall configuration?

    Second question: where did this interface reth4.32767 come from? It's not at all in the configuration; is it a system default?

     



  • 15.  RE: SRX firewall routing configuration
    Best Answer

    Posted 02-19-2017 14:42

    Yes, this is showing that your link from this interface is down.

     

    Interface               Admin Link Proto    Local                 Remote
    reth4                   up    down

    Admin = the interface configuration is active

    Link = the physical layer link is down, meaning the cable is not good or disconnected, or the partner interface is not up.

     

    Since this is a reth interface you may also want to confirm the status of the underlying physical ethernet port.  Look at the interface stanza and see which physical port is assigned to reth4 and also run the show interface terse for this physical interface to confirm it is admin up.  

     

    If no interface is assigned to reth4 then one will need to be assigned and connected to the desired partner device.
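    As an added example (not code from the thread or from Junos), the parser below reads the "show interfaces terse" format posted above and lists the addressed logical interfaces that are admin up but link down, which is exactly the condition replies 11 and 13 give for a Reject local route. The sample is the thread's own rows plus one constructed up/up row (reth3.7 with an assumed address) for contrast.

```python
import re

# Constructed sample in the format of the thread's "show interfaces terse" output;
# the reth3.7 row and its address are made up for contrast.
SAMPLE = """\
Interface               Admin Link Proto    Local                 Remote
reth4                   up    down
reth4.1549              up    down inet     10.14.224.193/26
                                   multiservice
reth4.32767             up    down multiservice
reth3.7                 up    up   inet     10.24.163.2/24
"""

# name, admin state, link state, then an optional protocol family and address
LINE = re.compile(r"^(\S+)\s+(up|down)\s+(up|down)(?:\s+(\S+))?(?:\s+(\S+))?")

def parse_terse(text):
    """Return {interface: {"admin", "link", "protos": {family: [addresses]}}}."""
    ifaces, current = {}, None
    for line in text.splitlines()[1:]:          # skip the column header
        m = LINE.match(line)
        if m:                                   # a new interface row
            name, admin, link, proto, addr = m.groups()
            current = ifaces[name] = {"admin": admin, "link": link, "protos": {}}
        else:                                   # indented continuation: extra family
            parts = line.split()
            if not current or not parts:
                continue
            proto, addr = parts[0], parts[1] if len(parts) > 1 else None
        if proto:
            current["protos"].setdefault(proto, [])
            if addr:
                current["protos"][proto].append(addr)
    return ifaces

def reject_candidates(ifaces):
    """Interfaces with an inet address, admin up, link down: their Local/0
    route shows as Reject in show route (replies 11 and 13)."""
    return sorted(name for name, i in ifaces.items()
                  if i["admin"] == "up" and i["link"] == "down" and i["protos"].get("inet"))
```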



  • 16.  RE: SRX firewall routing configuration

    Posted 07-08-2018 05:28

    Hi All,

    I also got a reject route as below. 

    SRX345> show route 10.24.176.3 

    inet.0: 8 destinations, 8 routes (7 active, 0 holddown, 1 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0          *[Static/5] 109w0d 04:59:26
                        > to 10.24.163.1 via reth3.7

    FW1-VR1.inet.0: 280 destinations, 685 routes (262 active, 0 holddown, 239 hidden)
    Restart Complete
    + = Active Route, - = Last Active, * = Both

    10.24.176.0/21     *[Aggregate/130] 109w0d 05:04:20
                          Reject

    In order to have a route to this subnet, should I just simply add the subnet to a security zone? Will it be routable then? And the reason being reject, is that the same as the logical interface being down, or due to any other reasons?

    E.g. I want to have this subnet able to route via interface reth0.2111. Does the below config suffice? What else is required?

    set security address-book fw1-nms address 10.24.176.0/24 10.24.176.0/24

    Besides,

    set routing-instances FW1-VR1 routing-options aggregate route 10.24.160.0/20 as-path origin incomplete
    <<< what does the 'incomplete' mean here?

     



  • 17.  RE: SRX firewall routing configuration

    Posted 07-09-2018 03:09

    Aggregated routes are reject by nature and do not forward traffic. These are created in order to bundle multiple smaller downstream routes into a single upstream route advertisement. So they do not handle actual forwarding.

     

    https://www.juniper.net/documentation/en_US/junos/topics/concept/policy-aggregate-routes.html

     

    Typically you create these at the edge where all the smaller routes come together to send just the single route out. If this is not the right device for that and the total subnet should be dealt with on another router, you can just use a static route for the entire subnet pointing to that router instead.

     

    Another alternative is what Juniper calls the generated route.  This creates an aggregate route that will forward the subnet to the first installed next hop of a contributing route.  But this route will only be present when the contributing route is there.

     

    https://www.juniper.net/documentation/software/cable/junosg30/swconfig30-interfaces/html/routing-tables-config27.html

     

    Security policies only permit traffic; you do need routes to forward traffic. And furthermore, the route is what is used to determine the zone that is checked for the policy. The route lookup is done, and the zone of the interface where that traffic will be forwarded is the zone that will be used in the route lookup.

     

    Incomplete means the route was learned by something other than igp or egp in the route table.

     

    https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/as-path-edit-routing-options.html

     



  • 18.  RE: SRX firewall routing configuration

    Posted 03-13-2016 21:52

    Hi Arouba

     

    Routing lookup will be performed based on the source interface. If the source interface is bound to a user-defined routing instance, the definition mentioned in that routing instance will be used.

     

    set routing-instances Main-VR instance-type virtual-router
    set routing-instances Main-VR interface reth0.0
    set routing-instances Main-VR routing-options static route 10.80.90.0/27 next-hop 10.80.90.40

     

    All traffic that arrives on an SRX interface other than reth0.0 uses the global definition.

     


    routing-options static route 10.62.170.190/32 next-hop 10.80.93.1
    routing-options static route 10.62.170.0/24 next-hop 10.80.93.1
    routing-options static route 10.61.105.0/26 next-hop 10.80.93.1
    routing-options static route 10.66.65.103/32 next-hop 10.80.93.1



  • 19.  RE: SRX firewall routing configuration

    Posted 01-27-2017 15:43

    Hi vMicroMe,

     

    In your reply,

    “All traffic that arrives on an SRX interface other than reth0.0 uses the global definition.”

     

    Where can I find this global definition?