Thursday, March 23, 2017

Add Juniper SRX Cluster into JunOS Space 16.1 Security Director

My old post "Import Existing Juniper SRX Cluster into JunOS Space Security Director" was based on Space 14.1 and SRX 11.x. Now both have been upgraded. Space NMP and Security Director have been upgraded to 16.1 (Post is here). The SRX240H has been upgraded to 12.1D46.55.

Basically, all steps are similar, except that the web interface is different. What you need to do is configure your SRX cluster with a master-only IP on both nodes. The configuration should look like this:

Wednesday, March 22, 2017

Juniper JUNOS Commands (Tips and Tricks)

Juniper Networks has a Day One book, 'JunOS Tips, Techniques, and Templates 2011', in the Junos Fundamentals Series. To record some of my own tips, I put them together in this post. Let me know if you have some more to share.

1. Find large files

find . -type f -size +10000 -exec ls -lh {} \; 


root@FW% find . -type f -size +10000 -exec ls -lh {} \;
-rw-r--r--  1 930  929   134M Jan  5 17:34 ./cf/packages/junos-11.4R6.6-domestic
-rw-r--r--  1 root  wheel   139M Sep  8  2011 ./cf/var/log/junos-srxsme-11.2R2.4-domestic.tgz
-rw-r-----  1 root  wheel   4.9M Feb 11 17:12 ./cf/var/db/idpd/db/secdb_02.db
-rw-r-----  1 root  wheel   6.7M Feb 11 17:13 ./cf/var/db/idpd/db/secdb_03.db
-rw-r-----  1 root  wheel    64M Feb 11 17:13 ./cf/var/db/idpd/db/secdb_06.db
-rwxr-xr-x  1 admin  20    24M May 23 08:38 ./cf/var/db/idpd/nsm-download/SignatureUpdate.xml
-r-xr-xr-x  1 root  wheel   5.2M Jan  5 17:33 ./jail/html/dynamic-vpn/client/jam/InstallerComponentSRX.exe
-rw-r--r--  1 root  wheel   139M Sep  8  2011 ./jail/var/log/junos-srxsme-11.2R2.4-domestic.tgz
-rw-r-----  1 root  config    14M Feb  8 22:16 ./mfs/var/run/db/schema.db
-rw-r-----  1 root  wheel    10M Feb  8 22:19 ./mfs/var/sdb/log.0000000001
-r--r--r--  1 root  wheel   6.5M Jan  5 13:59 ./usr/lib/dd/libjkernel-dd.so
-r-xr-xr-x  1 root  wheel    13M Jan  5 15:39 ./usr/sbin/authd
-r-xr-xr-x  1 root  wheel   6.0M Jan  5 16:51 ./usr/sbin/chassisd
-r-xr-xr-x  1 root  wheel    27M Jan  5 13:05 ./usr/sbin/flowd_octeon
-r-xr-xr-x  1 root  wheel    34M Jan  5 13:05 ./usr/sbin/flowd_octeon_hm
-r-xr-xr-x  1 root  wheel   5.5M Jan  5 16:51 ./usr/sbin/kmd
-r-xr-xr-x  1 root  wheel    13M Jan  5 16:24 ./usr/sbin/rpd

% find / -size +100000 | xargs ls -lhS
find: /mfs/var/spool/opielocks: Permission denied
-rw-r--r--  1 930   929     142M Aug 28  2014 /cf/packages/junos-12.1X44-D40.2-domestic
-rw-r-----  1 root  wheel    84M Feb 23 21:31 /cf/var/db/idpd/db/secdb_06.db


Tuesday, March 21, 2017

JunOS Space Network Management Platform Basic Configuration including Log Collector

JunOS Space is in my environment and is starting to replace NSM. I have played with it in a testing lab, which is recorded in my previous posts:
In this post, I will focus more on JunOS Space itself, with some basic configuration to get JunOS Space into your production environment.

Notes: Recently Space has been upgraded from 14.1 to 16.1, as described in my post: Juniper JunOS Space Upgrade Procedures from 14.1 to 16.1. The installation and configuration steps for 16.1 are similar to those for 14.1. This post was updated while configuring JunOS Space 16.1.

Juniper JunOS Space Upgrade Procedures from 14.1 to 16.1

Usually you can easily upgrade an application from the Junos Space user interface. You must download the image file for the new version of the application, navigate to the Applications page (Network Management Platform > Administration > Applications) and select the application that you want to upgrade. From the right-click menu, choose Upgrade Application to upload the image file into Junos Space via HTTP or SCP.

But upgrading JunOS Space to the latest version, 16.1, is different, and it is not an easy task. There are many steps to follow, especially the last step to upgrade to 16.1 from 15.2R2. Here are my recent upgrade procedures.

Steps to upgrade JunOS Space 14.1 to the latest version 16.1:

Saturday, February 25, 2017

Gartner Magic Quadrant for WAN Optimization (2016, 2015, 2014, 2013, 2012, 2011)


WAN optimization provides a range of features to: (1) improve the performance of applications running across the WAN; and (2) reduce the cost of the WAN. The range and scope of features supported by WAN optimization solutions continue to evolve, typically in support of three high-level needs:
  • Improve the response times as experienced by users of business-critical applications over WAN links or mobile connections, often addressing application performance problems caused by bandwidth constraints, latency or protocol limitations.
  • Assist in maximizing the ROI for WAN bandwidth, and delay costly bandwidth upgrades.
  • Optimize data-center-to-data-center (DC-to-DC) traffic for faster replication and synchronization.

Gartner Magic Quadrant for Application Delivery Controllers (2016, 2015, 2014, 2013, 2012, 2010)

Application delivery controllers (ADCs) are generally deployed in the data center and provide functions that optimize delivery of enterprise applications across the network. ADCs provide functionality for both user-to-application and application-to-application traffic. The ADC effectively bridges the gap between the application and underlying protocols and the traditional packet-based networks. The market evolved from load-balancing systems that were developed in the latter half of the 1990s to ensure the availability and scalability of websites. Enterprises use ADCs today to improve the following aspects of their applications:
  • Availability
  • Scalability
  • End-user performance
  • Data center resource utilization
  • Security
2016
F5 Networks Named a Leader in Gartner Magic Quadrant for Application Delivery Controllers for 10th Consecutive Year
Citrix: Recognized as a Gartner ADC Magic Quadrant Leader for 10 years

Wednesday, February 22, 2017

Renew Cisco IOS IPSec VPN Certificates from Symantec

I am not sure if there is another, better way to do it. There is no good documentation from Cisco or anywhere else on how you should renew your SSL certificates once they have expired. Every couple of years, I have to face this problem: renewing all routers' SSL certificates. As far as I know, you cannot renew existing certificates; you will have to create a new trustpoint, generate a new CSR and import a renewed certificate. Actually, you can use the same trustpoint configuration configured before, as long as you are using a different trustpoint name.

I recorded again the steps which I did a couple of years ago in the following posts:
