[j-nsp] Default SRX Behaviour

Paul Stewart paul at paulstewart.org
Thu Aug 5 09:59:15 EDT 2010


Hi there..

We just deployed an SRX650 in front of some servers recently - at this
point it's doing nothing more than routing + running screen on inbound
traffic.  No other UTM features are enabled at this point.

Configuration is pretty "stock" but we're running into a few issues.  First
the relevant config:

security {
    idp {
        security-package {
            url https://services.netscreen.com/cgi-bin/index.cgi;
        }
    }
    screen {
        ids-option Internet-Inbound {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    zones {
        security-zone Internet {
            screen Internet-Inbound;
            interfaces {
                ge-6/0/23.0 {
                    host-inbound-traffic {
                        system-services {
                            ssh;
                            snmp;
                            ping;
                            traceroute;
                        }
                        protocols {
                            ospf;
                        }
                    }
                }
            }
        }
        security-zone Linux {
            interfaces {
                vlan.11 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone Internet to-zone Linux {
            policy Internet-to-Linux {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Linux to-zone Internet {
            policy Linux-to-Internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}


The problem is a couple of things that we've noticed so far.  The first is a
minor issue with inactivity - if I have an SSH session open to one of these
servers and let it sit for approximately 2 minutes then the connection
drops.  The SSH configuration on the boxes is set to 10 minutes of
inactivity, which worked well before the SRX was implemented.

The second issue is alarming us - we run Bacula for server backups.  The
actual Bacula server is remote from this network (not on the same subnet or
attached to the SRX logically/physically).  Some of the servers are backing
up just fine (smaller datasets), but some of these servers which contain
larger amounts of backup data are timing out after an hour or more of the
backup working - something is stopping the data transfer in the middle.

We removed the "screen" process on the security-zone but that made no
difference - now I'm thinking there is some default setting that is
causing this, but not sure where to look.

Model: srx650
JUNOS Software Release [10.0R3.10]

Any thoughts?  Appreciate it.

Paul
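
Added example, not part of Paul's post and not Juniper documentation: on an SRX the idle timeout a session actually got is visible in `show security flow session`, whose per-session output carries a `Timeout:` field counting down from the matched application's inactivity timeout (1800 seconds for predefined TCP applications such as junos-ssh, and for generic TCP when a policy matches `application any`). A custom application can carry its own inactivity-timeout, but it only applies when a policy references that application instead of `any`, so it has to be matched by a policy that sits ahead of the permit-any policies shown above. The fragment below defines such applications for SSH and for Bacula's file-daemon and storage-daemon ports (9102 and 9103, assumed from Bacula's defaults; all names here are invented) and adds one policy per direction. It illustrates the mechanism and a way to see why a session was torn down; it is not a diagnosis of the drops described above.

```junos
/* Added example: custom applications with explicit inactivity timeouts.
   Names are invented; Bacula ports are assumed from Bacula's defaults
   (9101 Director, 9102 File Daemon, 9103 Storage Daemon). */
applications {
    application ssh-long-idle {
        protocol tcp;
        destination-port 22;
        inactivity-timeout 3600;     /* seconds; predefined junos-ssh uses 1800 */
    }
    application bacula-fd {
        protocol tcp;
        destination-port 9102;       /* Director -> File Daemon control channel */
        inactivity-timeout 7200;
    }
    application bacula-sd {
        protocol tcp;
        destination-port 9103;       /* File Daemon -> Storage Daemon data channel */
        inactivity-timeout never;    /* session lives until FIN/RST; no idle reaping */
    }
}
security {
    policies {
        from-zone Internet to-zone Linux {
            /* must be evaluated before Internet-to-Linux (policy order matters) */
            policy Long-Lived-Inbound {
                match {
                    source-address any;
                    destination-address any;
                    application [ ssh-long-idle bacula-fd ];
                }
                then {
                    permit;
                    log {
                        session-close;   /* records the close reason per session */
                    }
                }
            }
        }
        from-zone Linux to-zone Internet {
            /* must be evaluated before Linux-to-Internet */
            policy Long-Lived-Outbound {
                match {
                    source-address any;
                    destination-address any;
                    application bacula-sd;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
    }
}
```

After a `load merge`, move the new policies ahead of the existing ones with `insert security policies from-zone Internet to-zone Linux policy Long-Lived-Inbound before policy Internet-to-Linux` and the matching `insert ... policy Long-Lived-Outbound before policy Linux-to-Internet`, then commit. `show security flow session destination-port 9103` should now report the new timeout against those sessions. The `RT_FLOW_SESSION_CLOSE` syslog message produced by `log session-close` carries a reason field, which distinguishes an idle timeout from a TCP reset or a screen-triggered drop; that is the quickest way to tell the two failure modes in the post apart before changing any defaults.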


More information about the juniper-nsp mailing list