Visitor
MPashby
Posts: 3
Registered: ‎10-14-2009
0
Accepted Solution

SRX210 configured to work with Solarwinds Orion Network Traffic Analysis

Hi,

I have gone by all the configurations posted on the boards and I am not having any luck on setting up the SRX210 trial device we have here to work with Orion NTA.

Below is my config on my device:

## Last commit: 2009-10-14 18:13:29 UTC by root
version 9.5R1.8;
system {
    autoinstallation {
        delete-upon-commit; ## Deletes [system autoinstallation] upon change/commit
        traceoptions {
            level verbose;
            flag {
                all;
            }
        }
    }
    host-name EX-FWSRX210;
    root-authentication {
        encrypted-password "$1$owsJK56P$T.qjV36H3T7H/V/EwEbFF/"; ## SECRET-DATA
    }
    login {
        user borat {
            uid 2001;
            class read-only;
            authentication {
                encrypted-password high5; ## SECRET-DATA
            }
        }
        user telnet {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$1$8m.zOg5H$m7JIYg/I2F9ZGm5gVS9DY1"; ## SECRET-DATA
            }
        }
    }
    services {
        ssh;
        web-management {
            http {
                interface ge-0/0/0.0;
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input cflow;
                }
                address 192.168.1.1/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 127.0.0.1/32;
            }
        }
    }
}
forwarding-options {
    sampling {
        input {
            family inet {
                rate 1;
                run-length 0;
                max-packets-per-second 1000;
            }
        }
        output {
            cflowd 192.168.1.20 {
                port 2055;
                version 5;
            }
        }
    }
}
snmp {
    community public {
        authorization read-only;
        clients {
            192.168.1.20/32;
        }
    }
    community orion {
        authorization read-only;
        clients {
            192.168.1.20/32;
        }
    }
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    queue-size 2000; ## Warning: 'queue-size' is deprecated
                    timeout 20;
                }
                land;
            }
        }
    }
    zones {
        security-zone trust {
            tcp-rst;
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            http;
                            https;
                            ssh;
                            telnet;
                            dhcp;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            screen untrust-screen;
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy default-deny {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
    }
}
firewall {
    filter all {
        term all {
            then {
                sample;
                accept;
            }
        }
    }
    filter cflow {
        term 1 {
            then {
                sample;
                accept;
            }
        }
    }
}

I have set up the forwarding options with max packets on 1000 as recommended from the Juniper community forums in a similar configuration. I have also set up the SNMP communities on both the Orion NPM server and the SRX. When I try to validate the SNMP settings and add the trust interface of the SRX to the Orion node list, it fails every time.

I get this message in Orion when I restart the netflow service (the IP address of the device is correct but I have blanked it out):

Netflow Receiver Service [xxxxxx] is receiving a netflow data stream from an unmanaged device (xxx.xxx.xxx.xxx). The netflow data stream from xxx.xxx.xxx.xxx will be discarded. Please use the Orion System Manager to add this IP address in order to process this Netflow data stream or just use this link....

Any help is appreciated.

Thanks in advance,

Mark

Recognized Expert
wimclend
Posts: 275
Registered: ‎04-03-2009
0

Re: SRX210 configured to work with Solarwinds Orion Network Traffic Analysis

Add SNMP as an allowed system-service under ge-0/0/0; I see you have it for the zone, but you also need it for each interface. Honestly I'm not exactly sure what configuring it under the zone does since you still have to enable it for each interface . . .

(this assumes ge-0/0/0 is the interface you are trying to poll / monitor in Orion)

Visitor
MPashby
Posts: 3
Registered: ‎10-14-2009
0

Re: SRX210 configured to work with Solarwinds Orion Network Traffic Analysis

Hi wimclend,

Thanks for your response!

I am pretty new to SRX (enabling SNMP on a NetScreen/SSG interface was much easier). How do I go about adding this as a service to the ge interface (which you are correct in that I am using)?

Thanks,

Mark

Recognized Expert
wimclend
Posts: 275
Registered: ‎04-03-2009

Re: SRX210 configured to work with Solarwinds Orion Network Traffic Analysis

should just be --

set security zones security-zone trust interface ge-0/0/0 host-inbound-traffic system-services snmp

good luck
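
Added example (not part of the thread, and not Juniper or SolarWinds code): on SRX, a host-inbound-traffic list configured on an interface replaces the zone-level list for that interface, which is why SNMP polling failed here even though the zone allows `all`. The Python sketch below computes the effective system-services per interface from a condensed excerpt of the posted trust zone; the function names are made up for this example, and `except` entries are ignored as a simplifying assumption.

```python
import re

# Trust-zone excerpt from the configuration posted in this thread (condensed layout).
ZONE_CONFIG = """
security-zone trust {
    host-inbound-traffic { system-services { all; } }
    interfaces {
        ge-0/0/0.0 {
            host-inbound-traffic { system-services { http; https; ssh; telnet; dhcp; } }
        }
    }
}
"""

def parse(text):
    """Parse brace-delimited Junos config into nested dicts (leaf statements map to None)."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"##.*", "", text))
    pos = 0
    def block():
        nonlocal pos
        node, words = {}, []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == "}":
                break
            if tok in ("{", ";"):
                node[" ".join(words)] = block() if tok == "{" else None
                words = []
            else:
                words.append(tok)
        return node
    return block()

def host_services(node):
    """system-services listed under host-inbound-traffic at this level, or None if absent."""
    svc = ((node or {}).get("host-inbound-traffic") or {}).get("system-services")
    return None if svc is None else set(svc)

def effective_services(zone):
    """Per-interface services: an interface-level list replaces the zone-level one."""
    zone_level = host_services(zone) or set()
    return {name: zone_level if host_services(body) is None else host_services(body)
            for name, body in (zone.get("interfaces") or {}).items()}

def allows(services, wanted):
    """True if the service is reachable on the interface (assumption: no 'except' entries)."""
    return "all" in services or wanted in services
```

Run against the posted excerpt, `allows(effective_services(zone)["ge-0/0/0.0"], "snmp")` is false until `snmp` is added at the interface level, while an interface with no list of its own inherits the zone's `all`.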

Visitor
MPashby
Posts: 3
Registered: ‎10-14-2009
0

Re: SRX210 configured to work with Solarwinds Orion Network Traffic Analysis

awesome, works a treat, thanks mate!

Recognized Expert
wimclend
Posts: 275
Registered: ‎04-03-2009
0

Re: SRX210 configured to work with Solarwinds Orion Network Traffic Analysis

no problem --- are you successfully getting the NetFlow data now?

please also mark it as Solved / Answered so it's easier for others to find in case they have the same issue

good luck!
