SRX Services Gateway
SRX Services Gateway

How can i view inbound and outbound traffic stats for my Juniper SRX 240?

‎02-10-2019 01:34 PM

I have been using the Juniper SRX240 router for several years now and it is frustrating that one can not view any stats regarding the network in and out of the router.

I mean people like to hype the big names in the industry a lot rather than judge by the quality and output of their product but how does this make Juniper an industry leader when a basic inbound and outbound stats or just network stats that one can view and see how the router is doing its job is no where to be found?

 

Anyways if anyone else is using the same router and is able to setup a way to monitor stats for bandwidth usage or inbound and outbound traffic please share below

 

Thanks

35 REPLIES 35
SRX Services Gateway

Re: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

‎02-10-2019 01:55 PM

Hi junipersrx240,

 

First google result shared this:

 

https://www.juniper.net/documentation/en_US/junos-space-apps/network-director3.1/topics/task/operati...

 

Basically any SNMP solution can leverage the information from the SRX to provide info about the throughput. Are you looking for something different?

 

Pura Vida from Costa Rica - Mark as Resolved if it applies.
Kudos are appreciated too!
SRX Services Gateway

Re: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

‎02-10-2019 02:01 PM

Did you really spend time to read my post and understand what am asking?

Am looking for a graph that shows inbound and outbound traffic from the router 

 

If someone asks me hey how much bandwidth did i use on the router this month? or hey what is 95% bandwidth usage for the week...the kind of graph that will quickly show that is what am looking for

Also network speed graph that shows the network speed in and out of the router. Those kind of stats which modern next generation firewalls come packed with but until i get no way around this i will forever leave juniper behind and move elsewhere

SRX Services Gateway

Re: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

‎02-10-2019 02:30 PM

SRX240 is not a Juniper Next-Gen firewall and actually it was announced End-of-life on 05/30/2018 so I wouldnt demand NG-FW features:

 

                 https://support.juniper.net/support/eol/hardware/srx_series/

 

Still it could show the information you are looking for by leveraging SNMP/jflow, and using external applications like Solarwinds:

 

              https://www.youtube.com/watch?v=0k90h0NyfHY

 

Juniper NG-FWs now also provide on-box reporting:

 

             https://kb.juniper.net/InfoCenter/index?page=content&id=KB32479&cat=SRX_SERIES&actp=LIST

 

Pura Vida from Costa Rica - Mark as Resolved if it applies.
Kudos are appreciated too!
SRX Services Gateway

Re: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

‎02-10-2019 02:59 PM

You are correct that there is no way on the SRX to see stats over time.  The system is setup so you can monitor live traffic or view logs over limited periods as they roll over.  But nothing is saved and nothing is in the graphical interface for this.

 

Junos space would do this but can be expensive for small networks.  Likewise other commercial software that collects saves and graphically displays these stats via SNMP is an option.

 

For smaller limited budget networks the open source Cacti graphing tool has worked well for me in the past.  There is no license cost and it can run on a free linux distro in a virtual machine.

https://www.cacti.net/

 

 

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
SRX Services Gateway

Re: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

‎02-10-2019 07:06 PM

Hi Junipersrx240,

 

You're asking features of iPhone X while having iphone3. In order to compare with other vendors, you need to pick similar category products.

 

Thanks,

MYN

SRX Services Gateway

Re: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

‎04-28-2019 05:14 PM

After setting up cacti, how do i then use it to graph the network speed usage for my SRX240 router?

How does it authenticate to be able to pull data from the router?

Also any cacti template that exists already that will show me the network usage?

SRX Services Gateway

Re: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

‎04-28-2019 05:27 PM

Based on what I'm understanding from your posts, it seems like you'd be interesting in two main sets of protocols: SNMP and NetFlow. 

SNMP will give you the ability to record stats from your SRX over time. For example, every 5 mins you can store automatically poll your device and record traffic (bits per second in and out of all interfaces). Many popular NMSes can perform this (Solarwinds, Zabbix, Cacti etc). It authenticates to your device by simply using a community (in SNMPv1 and V2c). To set up your SRX for SNMP, see for example (https://kb.juniper.net/InfoCenter/index?page=content&id=KB16545)

 

I'm honestly not sure how to configure the Cacti side since I've only worked with Zabbix and Solarwinds.

To get more advanced data (such as 95% traffic flows etc), you'll need to use another bit of software for NetFlow or JFlow. See for example: http://showconfiguration.com/netflow-on-juniper/

SRX Services Gateway

Re: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

‎04-28-2019 10:34 PM

any guide to using zabbix with srx?

also any zabbix templates for juniper that is more recent?

SRX Services Gateway

Re: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

[ Edited ]
‎04-28-2019 11:01 PM

ok was able to add new host in zabbix for the SRX240 device

and i setup snmp via j-web and comitted my changes

but here is error am getting

 

Timeout while connecting to "192.151.100.8:161"

Also am using this template here but does not have he stats i want so anyone with template of what i want will appreciate it. I want to monitor the network speed in and out of my SRX. inbound and outbound traffic speed so i can know how much bandwidth am using.

SRX Services Gateway

Re: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

‎04-29-2019 02:39 AM

The errror on your server

Timeout while connecting to "192.157.88.228:161"

Means the SNMP is not responding.

Verify the ip address polled is one configured on the SRX

Verify the community used is configured as a read community on the SRX

Verify the zone that the ip address interface is assigned to has snmp or all as an allowed service in the zone configuration

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
SRX Services Gateway

Re: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

‎04-29-2019 12:09 PM

here is guide i followed to setup SNMP on my SRX

https://kb.juniper.net/InfoCenter/index?page=content&id=KB16545#j-web_config

 

I used public as community according to the guide above

 

The ip for the SRX to access jweb is 

192.151.100.8

and it is the ip on ge-0/0/0.0 so am guessing that is right ip to use

 

 

SRX Services Gateway

Re: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

‎04-29-2019 07:23 PM

Hi,

 

Can you check if the zone associated with ge-0/0/0.0 has snmp allowed?

 

Example:

functional-zone management {
interfaces {
ge-0/0/0.0;
}
host-inbound-traffic {
system-services {
ping;
ssh;
telnet;
http;
https;
snmp; <<<
ntp;
}
}
}

 

Regards,

 

Vikas

 

SRX Services Gateway

Re: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

[ Edited ]
‎04-29-2019 08:25 PM

Here is what i have under cli viewer for the snmp configuration

 

snmp {
    location lab;
    contact "john.doe@mail.com";
    view jweb-view-all {
        oid .1 include;
    }
    community public {
        view jweb-view-all;
        authorization read-write;
    }
}

I have also attached the monitoring page on the dashboard showing nothing...seems there is issue with my router or something

I get nothing being reported under "monitoring" tab

please see screenshot attached

 

Screen Shot 2019-04-29 at 11.21.59 PM.png

SRX Services Gateway

Re: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

[ Edited ]
‎04-29-2019 08:40 PM

snmp wasn't added before so just added it and here is what i have

 

interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            https;
                            ssh;
                            ike;
                            ping;
                            snmp;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }

quick question.

If the zabbix server is remote, can it connect via public ip of the srx? or they both have to be in the same private network?

 

 

 

UPDATE

works now.

but how can i restrict access from only internal private network only so no one can have access to my router via snmp?

 

 

SRX Services Gateway

Re: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

‎04-29-2019 08:59 PM

Hi,

 

Glad to hear that. You can use client-list to restrict acess to SNMP.

 

Perhaps this is what you are looking for?

 

root@srx# show snmp 
client-list private-range {
    172.16.0.0/12;
    192.168.0.0/24;
    10.0.0.0/8;
}
community public {
    authorization read-write;
    client-list-name private-range;
}
 
set snmp client-list private-range 172.16.0.0/12
set snmp client-list private-range 192.168.0.0/24
set snmp client-list private-range 10.0.0.0/8
set snmp community public authorization read-write
set snmp community public client-list-name private-range
 
Regards,
 
Vikas
SRX Services Gateway

Re: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

‎04-29-2019 09:04 PM

Hi,

 

Is your ge-0/0/0.0 (mgt) exposed to the internet?

 

I strongly recommend you also configure an RE protection filter to restrict management (including snmp) access to the firewall.

 

https://www.juniper.net/documentation/en_US/junos/topics/example/permitted-ip-configuring.html

https://www.juniper.net/documentation/en_US/junos/topics/example/firewall-filter-stateless-example-t...

https://kb.juniper.net/InfoCenter/index?page=content&id=KB21265&cat=SRX_SERIES&actp=LIST

 

Regards,

 

Vikas

SRX Services Gateway

Re: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

‎04-29-2019 09:54 PM

all of those links show how to restrict management from private ip addresses

but how do i restrict access so that certain public remote ip addresses can access the router via jweb or ssh and other ways?

SRX Services Gateway

Re: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

‎04-29-2019 10:29 PM

Hi,

 

While the articles mentioned about restricting access to private IPs the same procedure/commands can be used to restrict access to specific public IPs as well. Here is a sample with the steps to follow.

 

1> Specify the filter with the requirements
set firewall family inet filter PROTECT-RE term allowed-tcp-apps from source-prefix-list <Public IP/IPs>
set firewall family inet filter PROTECT-RE term allowed-tcp-apps from port ntp
set firewall family inet filter PROTECT-RE term allowed-tcp-apps from port ssh
set firewall family inet filter PROTECT-RE term allowed-tcp-apps from port https
set firewall family inet filter PROTECT-RE term allowed-tcp-apps then count allowed-tcp-apps
set firewall family inet filter PROTECT-RE term allowed-tcp-apps then accept
set firewall family inet filter PROTECT-RE term allowed-udp-apps from source-prefix-list <Public IP/IPs>
set firewall family inet filter PROTECT-RE term allowed-udp-apps from port domain
set firewall family inet filter PROTECT-RE term allowed-udp-apps from port snmp
set firewall family inet filter PROTECT-RE term allowed-udp-apps then count allowed-udp-apps
set firewall family inet filter PROTECT-RE term allowed-udp-apps then accept
set firewall family inet filter PROTECT-RE term icmp from source-prefix-list <Public IP/IPs>
set firewall family inet filter PROTECT-RE term icmp from protocol icmp
set firewall family inet filter PROTECT-RE term icmp then count icmp
set firewall family inet filter PROTECT-RE term icmp then accept
set firewall family inet filter PROTECT-RE term other then count other
set firewall family inet filter PROTECT-RE term other then syslog
set firewall family inet filter PROTECT-RE term other then discard

 

2> Apply it to the loopback interface
set interfaces lo0.0 family inet filter input PROTECT-RE

 

3> Optionally you can check what traffic to the RE is getting dropped by writing it to a specific file:
set system syslog file RE-Filter-Drops firewall info

 

Preferably have console access while you apply the RE protect filter to prevent yourself from being locked out Smiley Happy

 

I hope this helps. Regards,

 

Vikas

SRX Services Gateway

Re: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

‎04-29-2019 10:52 PM

any CLI editor option instead of the commands?

i just edit vis CLI editor, like you provided earlier

so that will be much appreciated than the terminal commands