SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX550 Firewall Filter Deletion/Timeout Issue via jWeb

    Posted 12-13-2016 12:48

    Hi,

    I am having issues trying to delete firewall filters via jWeb. I click to delete them, and then click commit, and they show up with &amp time and time again. Anyone know how to correct this issue? It might have something to do with the jWeb interface timing out after about 10 minutes. Not sure what else I should post for logs. Any help would be greatly appreciated.

     

    jWeb delete issue.PNG



  • 2.  RE: SRX550 Firewall Filter Deletion/Timeout Issue via jWeb

     
    Posted 12-13-2016 20:48

    Do you get any error/warning during commit? Also, can you verify the configuration from the CLI after you delete?

     



  • 3.  RE: SRX550 Firewall Filter Deletion/Timeout Issue via jWeb

    Posted 12-14-2016 07:53

    It is still showing up in the CLI, and I am not getting an error when trying to commit. Below is the CLI for one of the filters that won't delete. Let me know if you need me to post the second one. When I am trying to delete it from the CLI I am getting the error "warning: statement not found".

     

     

     

     

    filter "Servers - MSN OPS & Lab to CAV/COW OPS" {
        term "lab (OPSWAN) to COWOPSWAN" {
            from {
                source-address {
                    X.X.100.0/24;
                }
                destination-address {
                    X.X.108.18/32;
                    X.X.108.19/32;
                    X.X.108.23/32;
                    X.X.108.27/32;
                    X.X.108.28/32;
                    X.X.108.41/32;
                    X.X.108.42/32;
                    X.X.108.43/32;
                    X.X.108.44/32;
                    X.X.108.45/32;
                    X.X.108.46/32;
                    X.X.108.47/32;
                }
                protocol udp;
                source-port ntp;
                destination-port ntp;
            }
            then accept;
        }
    }



  • 4.  RE: SRX550 Firewall Filter Deletion/Timeout Issue via jWeb

     
    Posted 12-14-2016 19:54

    As soon as you commit the changes from J-Web, can you collect the output below from the SRX CLI? This is to confirm whether the commit is successful.  As Steve mentioned, you cannot delete firewall filters if they are used on some interfaces, but I expect a commit fail/error in that case.

     

    root> show system uptime

    root> show system commit

     

     



  • 5.  RE: SRX550 Firewall Filter Deletion/Timeout Issue via jWeb

    Posted 12-15-2016 07:39

    So this is a brand new setup, and we haven't configured any of the actual interfaces yet, besides the IP address to be able to access the jWeb GUI. So I find it hard to believe that it could be attached to an actual interface, when we haven't even configured one. Here is the system uptime and the commit. It seems that maybe it has something to do with an apostrophe in the title name that is throwing it off?

     

    root@SRX550> show system uptime
    Current time: 2016-12-15 15:34:50 UTC
    Time Source: LOCAL CLOCK
    System booted: 2016-12-12 16:31:11 UTC (2d 23:03 ago)
    Protocols started: 2016-12-12 16:31:12 UTC (2d 23:03 ago)
    Last configured: 2016-12-15 15:27:50 UTC (00:07:00 ago) by root
    3:34PM up 2 days, 23:04, 1 user, load averages: 0.00, 0.05, 0.06

    root@SRX550> show system commit
    0 2016-12-15 15:27:50 UTC by root via junoscript
    1 2016-12-15 15:27:18 UTC by root via junoscript
    2 2016-12-15 15:20:47 UTC by root via junoscript
    3 2016-12-14 19:17:26 UTC by root via junoscript
    4 2016-12-12 20:26:27 UTC by root via junoscript
    5 2016-12-12 20:07:20 UTC by root via junoscript

    root@SRX550>



  • 6.  RE: SRX550 Firewall Filter Deletion/Timeout Issue via jWeb

     
    Posted 12-15-2016 18:33

    Hi Colorado,

     

    Do you wish to remove all the firewall filters or just the one you have attached earlier? 

     

    Can you share the output of

     

    #show interfaces | match filter | display set

    #show firewall | display set

     

    Regards,

    Anand



  • 7.  RE: SRX550 Firewall Filter Deletion/Timeout Issue via jWeb

    Posted 12-16-2016 07:49

    So I am just trying to delete the two filters that have &amp. I tried to delete the filter and it keeps giving me a syntax error. I have attached the #show firewall | display set logs; the #show interfaces | match filter | display set command didn't display anything. Let me know if you need anything else.

    Attachment: delete filter.txt (1 KB)


  • 8.  RE: SRX550 Firewall Filter Deletion/Timeout Issue via jWeb
    Best Answer

    Posted 12-17-2016 06:24

    Thanks for the detailed files.  I ran some tests in the lab and here are a couple of options.

     

    Remove all filters

     

    From your screenshot it looks like you might be deleting ALL filters.  If so, you can use this method:

     

    root@none# edit firewall family inet     
    
    [edit firewall family inet]
    root@none# delete 
    Delete everything under this level? [yes,no] (no) yes 

    If you do have filters you need to keep, use these to delete just the filters you listed.  Note the key is to stop the delete command at the name of the filter and not include any of the leaf elements, as in these examples for each configured filter.

    delete firewall family inet filter "Broadcast NetBIOS Echos" 
    delete firewall family inet filter "Router to Any" 
    delete firewall family inet filter "Lab OPS to/from CAV FW" 
    delete firewall family inet filter "Servers - MSN OPS & Lab to CAV/COW OPS" 
    

     



  • 9.  RE: SRX550 Firewall Filter Deletion/Timeout Issue via jWeb

    Posted 12-16-2016 03:05

    I think you will need to try the delete on the CLI and then do a commit check so the error can be seen.



  • 10.  RE: SRX550 Firewall Filter Deletion/Timeout Issue via jWeb

    Posted 12-14-2016 15:21

    I suspect you cannot delete them because they are in use in another portion of the configuration.  Usually they would be applied to interfaces.  So in order to remove the filter you also need to remove the reference to the filter on the interface as well.
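
Added example (not part of any post in this thread): a small Python helper that combines the advice in replies 8 and 10, building `delete` commands that stop at the quoted filter name and holding back any filter still applied to an interface. The sample set-format lines, the filter `mgmt-in` and the interface `ge-0/0/0` are constructed for illustration.

```python
import shlex

# Constructed sample of `show firewall | display set` output (not the thread's attachment).
FIREWALL_SET = '''\
set firewall family inet filter "Router to Any" term 1 then accept
set firewall family inet filter "Servers - MSN OPS & Lab to CAV/COW OPS" term "lab (OPSWAN) to COWOPSWAN" from protocol udp
set firewall family inet filter "Servers - MSN OPS & Lab to CAV/COW OPS" term "lab (OPSWAN) to COWOPSWAN" then accept
set firewall family inet filter mgmt-in term ssh then accept
'''
# Constructed set-format interface line that applies a filter (hypothetical names).
INTERFACES_SET = '''\
set interfaces ge-0/0/0 unit 0 family inet filter input mgmt-in
'''

def _tokens(text):
    """Split each non-empty set-format line, keeping quoted names as one token."""
    return [shlex.split(line) for line in text.splitlines() if line.strip()]

def filter_names(firewall_set):
    """Unique (family, filter name) pairs in first-seen order."""
    seen = []
    for t in _tokens(firewall_set):
        if t[:3] == ["set", "firewall", "family"] and len(t) > 5 and t[4] == "filter":
            key = (t[3], t[5])
            if key not in seen:
                seen.append(key)
    return seen

def referenced(interfaces_set):
    """Filter names applied to an interface as input or output."""
    names = set()
    for t in _tokens(interfaces_set):
        for i, tok in enumerate(t[:-2]):
            if tok == "filter" and t[i + 1] in ("input", "output"):
                names.add(t[i + 2])
    return names

def plan_deletes(firewall_set, interfaces_set=""):
    """Return (delete commands ending at the filter name, names still in use)."""
    in_use = referenced(interfaces_set)
    cmds, blocked = [], []
    for family, name in filter_names(firewall_set):
        if name in in_use:
            blocked.append(name)  # remove the interface reference first
        else:
            cmds.append(f'delete firewall family {family} filter "{name}"')
    return cmds, blocked

if __name__ == "__main__":
    cmds, blocked = plan_deletes(FIREWALL_SET, INTERFACES_SET)
    print("\n".join(cmds))
    print("still referenced on an interface:", blocked)
```

Review the generated commands, paste them in configuration mode, and run `commit check` before committing.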