SRX

last person joined: 3 days ago 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

  • 1.  SRX240 HA cluster

    Posted 05-08-2012 08:54

    Hi,

     

    I have two SRX240 in HA mode.  When I implemented this the first time HA worked fine no issues but I had other issues that I have since resolved in a lab network.  In the LAB I only used one of the firewalls and modified its configuration.  Now I am ready to put the them back together, what is the best way to do this?  Meaning Primary firewall has the changes I want.  Will the secondary just take the config from the primary?

     

    Thanks,

     

    John



  • 2.  RE: SRX240 HA cluster

    Posted 05-08-2012 20:29

    This should work but if you are worried then simply copy the config of the Primary firewall onto the secondary then reboot the secondary and reboot it and connect it back up before it reboots.



  • 3.  RE: SRX240 HA cluster
    Best Answer

    Posted 05-09-2012 03:57

    Hi John,

     

     As you updated you have necessary configuration on primary firewall so what you can do is connect them into the cluster and just do commit full or commit synch in primary box (make sure in primary box only) so primary box will resynch the config with secondary.

     

    You can verify via below command whether config has synched or not.

     

    Root#show | display set | count<<<<<<<Check this command in both nodes, this should be the same until and unless there is any extra local config on primary node.

     

    Note:- While connecting SRX back into the cluster make sure that one node is in power off condition.

    Lets say you have node 0 up and running and want to add node 1 into the cluster.

    You should do a first step power off the device (node 1) connect the control and fab link and then power on node 1.

    i am assuming here is basic cluster config is available on node1.

     



  • 4.  RE: SRX240 HA cluster

    Posted 05-09-2012 21:31

    Thanks....



  • 5.  RE: SRX240 HA cluster

    Posted 05-09-2012 22:49

    Hi All,

    Longing to ask a few questions about the SRX series gateway hopefully will get some answers over here

     

    Doubts :

     

    1. Can we incrase the bandwidth of the internal interface joining RE and PFE or it is the same for all the device models or does it vary from model to model . I suppose that the bandwidth is 100 mbps as per juniper datasheets. Correct me if i am wrong

     

    2. Do we have any limit on the number of  terms i can define with in a routing policy and a firewall filter?

     

    3. What is the default interface mtu size in junos platforms?

     

    4. Maximum number of VLAN's that can be created on a physical interface ? Is it the 4096 or 1024 in Junos?

     

    5. The switch which is connected to the 2 physical interfaces , which are combined together to form a Reth interface should it necessarily be a L2 switch or an L3 switch will also do the same functionality?

     

    6. When i use Radius server in my authentication order , do i still need to have users mapped in my device? If yes how do i map only the usernames , because anyways authorization is already defined on the radius server

     

    7.In Firewall Authentication, lets say there is a NAT enabled device before the firewall , once the user who has the right credential gets authenticated subsequently all the users will be given access to my server because authentication table entry is stored based on the ip address and not usernames. So how do i restrict that other users who dont have the credentials without accessing my server?

     

    8. Shoud i use application as telnet , ftp and http in the security policy when i am using pass through authentication? Because pass through supports only ftp,http and telnet traffic?

     

    9. Can we use the primary interface ip address as the web authentication ip address or is it mandatory that we define one more ip address on the interface as web auth ip

     

    10. When is a real time scenario that we have 2 ip address defined on the interface and both being actually used?

     

    NAT questions : 

     

    11. How many actual translations can we have with 1 public IP when i disable PAT ?

     

    12. What does this actually mean D-NAT will generate allow incoming packets for voip algs?

     

    13. Can we use the same ip for S NAT and D NAT then wat is the use of static NAT?

     

    14. When we r doing Static NAT , can we have both the internal and external communication happen at the same time , because  there can be only one translation per one public IP when i disable PAT?

     

    15. In source NAT with address shifting , the user will bind private IP range to public ip range . 

     

    Lets imagine my private range starts from 10.1.10.5 to 10.1.10.254

    My public pool is from 100.1.1.1 to 100.1.1.200

     

    I map my private base address to public address from 10.1.10.5 to 100.1.1.1

    So lets say 10.1.10.5 gets translated to 100.1.1.1

     

    What happens if 10.1.10.7 intiates a session before 10.1.10.6 will he be assigned 100.1.1.3 or 100.1.1.2

     

     

    VPN : 

     

    16.Can we actualy load balance between redundant VPN tunnels between two branch offices?

     

    17.In the IPSEC header , what does the Next Header information mean?