
How can i view inbound and outbound traffic stats for my Juniper SRX 240?

  • 1.  How can i view inbound and outbound traffic stats for my Juniper SRX 240?

    Posted 02-10-2019 13:34

    I have been using the Juniper SRX240 router for several years now and it is frustrating that one can not view any stats regarding the network in and out of the router.

    I mean people like to hype the big names in the industry a lot rather than judge by the quality and output of their product but how does this make Juniper an industry leader when a basic inbound and outbound stats or just network stats that one can view and see how the router is doing its job is nowhere to be found?

     

    Anyways if anyone else is using the same router and is able to setup a way to monitor stats for bandwidth usage or inbound and outbound traffic please share below

     

    Thanks



  • 2.  RE: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

    Posted 02-10-2019 13:55

    Hi junipersrx240,

     

    First google result shared this:

     

    https://www.juniper.net/documentation/en_US/junos-space-apps/network-director3.1/topics/task/operational/port-traffic-statistics-monitoring.html

     

    Basically any SNMP solution can leverage the information from the SRX to provide info about the throughput. Are you looking for something different?

     



  • 3.  RE: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

    Posted 02-10-2019 14:02

    Did you really spend time to read my post and understand what am asking?

    Am looking for a graph that shows inbound and outbound traffic from the router 

     

    If someone asks me hey how much bandwidth did i use on the router this month? or hey what is 95% bandwidth usage for the week...the kind of graph that will quickly show that is what am looking for

    Also network speed graph that shows the network speed in and out of the router. Those kind of stats which modern next generation firewalls come packed with but until i get no way around this i will forever leave juniper behind and move elsewhere



  • 4.  RE: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

    Posted 02-10-2019 14:30

    SRX240 is not a Juniper Next-Gen firewall and actually it was announced End-of-life on 05/30/2018 so I wouldn't demand NG-FW features:

     

                     https://support.juniper.net/support/eol/hardware/srx_series/

     

    Still it could show the information you are looking for by leveraging SNMP/jflow, and using external applications like Solarwinds:

     

                  https://www.youtube.com/watch?v=0k90h0NyfHY

     

    Juniper NG-FWs now also provide on-box reporting:

     

                 https://kb.juniper.net/InfoCenter/index?page=content&id=KB32479&cat=SRX_SERIES&actp=LIST

     



  • 5.  RE: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

     
    Posted 02-10-2019 14:59

    You are correct that there is no way on the SRX to see stats over time.  The system is setup so you can monitor live traffic or view logs over limited periods as they roll over.  But nothing is saved and nothing is in the graphical interface for this.

     

    Junos space would do this but can be expensive for small networks.  Likewise other commercial software that collects saves and graphically displays these stats via SNMP is an option.

     

    For smaller limited budget networks the open source Cacti graphing tool has worked well for me in the past.  There is no license cost and it can run on a free linux distro in a virtual machine.

    https://www.cacti.net/

     

     

     



  • 6.  RE: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

    Posted 02-10-2019 19:07

    Hi Junipersrx240,

     

    You're asking features of iPhone X while having iphone3. In order to compare with other vendors, you need to pick similar category products.

     

    Thanks,

    MYN



  • 7.  RE: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

    Posted 04-28-2019 17:15

    After setting up cacti, how do i then use it to graph the network speed usage for my SRX240 router?

    How does it authenticate to be able to pull data from the router?

    Also any cacti template that exists already that will show me the network usage?



  • 8.  RE: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

    Posted 04-28-2019 17:27

    Based on what I'm understanding from your posts, it seems like you'd be interested in two main sets of protocols: SNMP and NetFlow.

    SNMP will give you the ability to record stats from your SRX over time. For example, every 5 mins you can automatically poll your device and record traffic (bits per second in and out of all interfaces). Many popular NMSes can perform this (Solarwinds, Zabbix, Cacti etc). It authenticates to your device by simply using a community (in SNMPv1 and v2c). To set up your SRX for SNMP, see for example (https://kb.juniper.net/InfoCenter/index?page=content&id=KB16545)

     

    I'm honestly not sure how to configure the Cacti side since I've only worked with Zabbix and Solarwinds.

    To get more advanced data (such as 95% traffic flows etc), you'll need to use another bit of software for NetFlow or JFlow. See for example: http://showconfiguration.com/netflow-on-juniper/
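
The polling described in the post above, as an added example that is not part of the thread: it turns successive interface octet counters (the standard IF-MIB ifInOctets/ifHCInOctets objects) into bits per second, handling counter wrap and a counter reset, and takes the nearest-rank 95th percentile of the samples. The sample readings, the 300-second interval and the 100 Mb/s plausibility cap are constructed.

```python
COUNTER32_MOD = 2 ** 32   # ifInOctets / ifOutOctets are 32-bit counters
COUNTER64_MOD = 2 ** 64   # ifHCInOctets / ifHCOutOctets are 64-bit counters

# Constructed readings: (seconds since first poll, octet counter value).
# Interval 2 crosses a 32-bit wrap; interval 4 is a counter reset (e.g. a reboot).
SAMPLES = [
    (0, 4294000000),
    (300, 4294900000),
    (600, 832704),
    (900, 75832704),
    (1200, 1000),
]


def rates_bps(samples, modulus=COUNTER64_MOD, max_bps=None):
    """Return [(time, bits_per_second)] for each pair of consecutive polls.

    A counter that went backwards is treated as a single wrap. If the rate
    that results exceeds max_bps (the link speed), the interval is dropped,
    because the counter was reset rather than wrapped.
    """
    out = []
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        elapsed = t1 - t0
        if elapsed <= 0:
            continue  # duplicate or out-of-order poll
        delta = c1 - c0
        if delta < 0:
            delta += modulus
        bps = delta * 8 / elapsed
        if max_bps is not None and bps > max_bps:
            continue
        out.append((t1, bps))
    return out


def percentile95(values):
    """Nearest-rank 95th percentile: sort, then ignore the top 5% of samples."""
    if not values:
        raise ValueError("no samples")
    ordered = sorted(values)
    rank = (95 * len(ordered) + 99) // 100  # integer ceil(0.95 * n)
    return ordered[rank - 1]


if __name__ == "__main__":
    rates = rates_bps(SAMPLES, modulus=COUNTER32_MOD, max_bps=100_000_000)
    for when, bps in rates:
        print(when, round(bps))
    print("95th percentile:", percentile95([bps for _, bps in rates]))
```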



  • 9.  RE: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

    Posted 04-28-2019 22:34

    any guide to using zabbix with srx?

    also any zabbix templates for juniper that is more recent?



  • 10.  RE: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

    Posted 04-28-2019 23:01

    ok was able to add new host in zabbix for the SRX240 device

    and i setup snmp via j-web and committed my changes

    but here is error am getting

     

    Timeout while connecting to "192.151.100.8:161"

    Also am using this template here but does not have the stats i want so anyone with template of what i want will appreciate it. I want to monitor the network speed in and out of my SRX. inbound and outbound traffic speed so i can know how much bandwidth am using.



  • 11.  RE: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

     
    Posted 04-29-2019 02:40

    The error on your server

    Timeout while connecting to "192.157.88.228:161"

    Means the SNMP is not responding.

    Verify the ip address polled is one configured on the SRX

    Verify the community used is configured as a read community on the SRX

    Verify the zone that the ip address interface is assigned to has snmp or all as an allowed service in the zone configuration

     



  • 12.  RE: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

    Posted 04-29-2019 12:10

    here is guide i followed to setup SNMP on my SRX

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB16545#j-web_config

     

    I used public as community according to the guide above

     

    The ip for the SRX to access jweb is 

    192.151.100.8

    and it is the ip on ge-0/0/0.0 so am guessing that is right ip to use

     

     



  • 13.  RE: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

     
    Posted 04-29-2019 19:23

    Hi,

     

    Can you check if the zone associated with ge-0/0/0.0 has snmp allowed?

     

    Example:

    functional-zone management {
        interfaces {
            ge-0/0/0.0;
        }
        host-inbound-traffic {
            system-services {
                ping;
                ssh;
                telnet;
                http;
                https;
                snmp; <<<
                ntp;
            }
        }
    }

     

    Regards,

     

    Vikas

     



  • 14.  RE: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

    Posted 04-29-2019 20:25

    Here is what i have under cli viewer for the snmp configuration

     

    snmp {
        location lab;
        contact "john.doe@mail.com";
        view jweb-view-all {
            oid .1 include;
        }
        community public {
            view jweb-view-all;
            authorization read-write;
        }
    }

    I have also attached the monitoring page on the dashboard showing nothing...seems there is issue with my router or something

    I get nothing being reported under "monitoring" tab

    please see screenshot attached

     

    Screen Shot 2019-04-29 at 11.21.59 PM.png



  • 15.  RE: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

    Posted 04-29-2019 20:40

    snmp wasn't added before so just added it and here is what i have

     

    interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                https;
                                ssh;
                                ike;
                                ping;
                                snmp;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }

    quick question.

    If the zabbix server is remote, can it connect via public ip of the srx? or they both have to be in the same private network?

     

     

     

    UPDATE

    works now.

    but how can i restrict access from only internal private network only so no one can have access to my router via snmp?

     

     



  • 16.  RE: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

     
    Posted 04-29-2019 20:59

    Hi,

     

    Glad to hear that. You can use client-list to restrict access to SNMP.

     

    Perhaps this is what you are looking for?

     

    root@srx# show snmp 
    client-list private-range {
        172.16.0.0/12;
        192.168.0.0/24;
        10.0.0.0/8;
    }
    community public {
        authorization read-write;
        client-list-name private-range;
    }
     
    set snmp client-list private-range 172.16.0.0/12
    set snmp client-list private-range 192.168.0.0/24
    set snmp client-list private-range 10.0.0.0/8
    set snmp community public authorization read-write
    set snmp community public client-list-name private-range
     
    Regards,
     
    Vikas
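
A check over the SNMP settings posted in this thread, as an added example that is not part of the original posts: it reads `set snmp ...` lines and reports communities that use a default name, grant read-write, have no source restriction, or admit a wide source range. The first sample is the set commands from the post above; the other two samples, the `nms-hosts` list, the `EXAMPLE-RO-STRING` name, the 172.21.0.10 poller address and the 256-address threshold are constructed assumptions.

```python
import ipaddress
import re

# From the thread: the "set" commands posted for the client-list restriction.
THREAD_CONFIG = """\
set snmp client-list private-range 172.16.0.0/12
set snmp client-list private-range 192.168.0.0/24
set snmp client-list private-range 10.0.0.0/8
set snmp community public authorization read-write
set snmp community public client-list-name private-range
"""

# Constructed: the same community before any client restriction was added.
OPEN_CONFIG = """\
set snmp view jweb-view-all oid .1 include
set snmp community public view jweb-view-all
set snmp community public authorization read-write
"""

# Constructed: read-only community limited to one poller (placeholder values).
HARDENED_CONFIG = """\
set snmp client-list nms-hosts 172.21.0.10/32
set snmp community EXAMPLE-RO-STRING authorization read-only
set snmp community EXAMPLE-RO-STRING client-list-name nms-hosts
"""

DEFAULT_NAMES = {"public", "private"}
SET_SNMP = re.compile(r"^set snmp (community|client-list) (\S+)\s*(.*)$")


def parse(config_text):
    """Collect communities and client-lists from 'set snmp ...' lines."""
    communities, client_lists = {}, {}
    for line in config_text.splitlines():
        match = SET_SNMP.match(line.strip())
        if not match:
            continue
        kind, name, rest = match.groups()
        words = rest.split()
        if kind == "client-list":
            if words:
                client_lists.setdefault(name, []).append(words[0])
            continue
        entry = communities.setdefault(name, {
            "authorization": None, "clients": [],
            "client_list": None, "restricted": False})
        if len(words) < 2:
            continue
        if words[0] == "authorization":
            entry["authorization"] = words[1]
        elif words[0] == "client-list-name":
            entry["client_list"] = words[1]
            entry["restricted"] = True
        elif words[0] == "clients":
            entry["restricted"] = True
            if words[2:3] != ["restrict"]:  # "restrict" entries deny, not permit
                entry["clients"].append(words[1])
    return communities, client_lists


def audit(config_text, max_hosts=256):
    """Return (community, issue) findings; max_hosts is an assumed policy limit."""
    communities, client_lists = parse(config_text)
    findings = []
    for name, entry in sorted(communities.items()):
        if name.lower() in DEFAULT_NAMES:
            findings.append((name, "default-community-name"))
        if entry["authorization"] == "read-write":
            findings.append((name, "read-write"))
        if not entry["restricted"]:
            findings.append((name, "no-source-restriction"))
        allowed = entry["clients"] + client_lists.get(entry["client_list"], [])
        for prefix in allowed:
            network = ipaddress.ip_network(prefix, strict=False)
            if network.num_addresses > max_hosts:
                findings.append((name, "broad-source:" + prefix))
    return findings


if __name__ == "__main__":
    for label, text in (("thread", THREAD_CONFIG), ("open", OPEN_CONFIG),
                        ("hardened", HARDENED_CONFIG)):
        print(label, audit(text))
```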


  • 17.  RE: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

     
    Posted 04-29-2019 21:04


  • 18.  RE: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

    Posted 04-29-2019 21:55

    all of those links show how to restrict management from private ip addresses

    but how do i restrict access so that certain public remote ip addresses can access the router via jweb or ssh and other ways?



  • 19.  RE: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

     
    Posted 04-29-2019 22:29

    Hi,

     

    While the articles mentioned about restricting access to private IPs the same procedure/commands can be used to restrict access to specific public IPs as well. Here is a sample with the steps to follow.

     

    1> Specify the filter with the requirements
    set firewall family inet filter PROTECT-RE term allowed-tcp-apps from source-prefix-list <Public IP/IPs>
    set firewall family inet filter PROTECT-RE term allowed-tcp-apps from port ntp
    set firewall family inet filter PROTECT-RE term allowed-tcp-apps from port ssh
    set firewall family inet filter PROTECT-RE term allowed-tcp-apps from port https
    set firewall family inet filter PROTECT-RE term allowed-tcp-apps then count allowed-tcp-apps
    set firewall family inet filter PROTECT-RE term allowed-tcp-apps then accept
    set firewall family inet filter PROTECT-RE term allowed-udp-apps from source-prefix-list <Public IP/IPs>
    set firewall family inet filter PROTECT-RE term allowed-udp-apps from port domain
    set firewall family inet filter PROTECT-RE term allowed-udp-apps from port snmp
    set firewall family inet filter PROTECT-RE term allowed-udp-apps then count allowed-udp-apps
    set firewall family inet filter PROTECT-RE term allowed-udp-apps then accept
    set firewall family inet filter PROTECT-RE term icmp from source-prefix-list <Public IP/IPs>
    set firewall family inet filter PROTECT-RE term icmp from protocol icmp
    set firewall family inet filter PROTECT-RE term icmp then count icmp
    set firewall family inet filter PROTECT-RE term icmp then accept
    set firewall family inet filter PROTECT-RE term other then count other
    set firewall family inet filter PROTECT-RE term other then syslog
    set firewall family inet filter PROTECT-RE term other then discard

     

    2> Apply it to the loopback interface
    set interfaces lo0.0 family inet filter input PROTECT-RE

     

    3> Optionally you can check what traffic to the RE is getting dropped by writing it to a specific file:
    set system syslog file RE-Filter-Drops firewall info

     

    Preferably have console access while you apply the RE protect filter to prevent yourself from being locked out :)

     

    I hope this helps. Regards,

     

    Vikas



  • 20.  RE: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

    Posted 04-29-2019 22:52

    any CLI editor option instead of the commands?

    i just edit via CLI editor, like you provided earlier

    so that will be much appreciated than the terminal commands



  • 21.  RE: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

     
    Posted 04-30-2019 01:06

    Hi,

     

    Here you go :)

     

    root@srx# show policy-options
    prefix-list PUB-IP1 {
        <PUB-IP1>/32;
    }
    prefix-list PUB-IP2 {
        <PUB-IP2>/32;
    }

    [edit]
    root@srx# show firewall | no-more
    family inet {
        filter PROTECT-RE {
            term allowed-tcp-apps {
                from {
                    source-prefix-list {
                        PUB-IP1;
                        PUB-IP2;
                    }
                    port [ ntp ssh https ];
                }
                then {
                    count allowed-tcp-apps;
                    accept;
                }
            }
            term allowed-udp-apps {
                from {
                    source-prefix-list {
                        PUB-IP1;
                        PUB-IP2;
                    }
                    port [ domain snmp ];
                }
                then {
                    count allowed-udp-apps;
                    accept;
                }
            }
            term icmp {
                from {
                    source-prefix-list {
                        PUB-IP1;
                        PUB-IP2;
                    }
                    protocol icmp;
                }
                then {
                    count icmp;
                    accept;
                }
            }
            term other {
                then {
                    count other;
                    syslog;
                    discard;
                }
            }
        }
    }

    [edit]
    root@srx# show interfaces lo0
    unit 0 {
        family inet {
            filter {
                input PROTECT-RE;
            }
            address 192.168.1.1/32;
        }
    }

    [edit]
    root@srx# show system syslog file RE-Filter-Drops
    firewall info;

     

    Regards,

     

    Vikas



  • 22.  RE: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

    Posted 04-30-2019 05:13

    Hi,

     

    Firewall filter towards lo0 something like following would work:-  (SSH-IN, HTTPS for jweb and SNMP for polling, rest gets denied)

    Note :- caution must be taken while applying FF as you would need to allow all other protocols that are RE facing, like IKE/ICMP/Routing-protocols etc.

     

    labroot@vsrx3# show firewall family inet
    filter PROTECT-RE {
        term SSH-IN {
            from {
                source-prefix-list {
                    MGMT-ADDRESSES;
                }
                protocol tcp;
                port ssh;
            }
            then accept;
        }
        term HTTPS {
            from {
                source-prefix-list {
                    HTTPShosts;
                }
                protocol tcp;
                destination-port https;
            }
            then accept;
        }
        term SNMP {
            from {
                source-prefix-list {
                    SNMP-CLIENTS;
                }
                protocol udp;
                destination-port snmp;
            }
            then accept;
        }
        term Deny-Else {
            then {
                count DENY-TO-ROUTING-ENGINE;
                syslog;
                discard;
            }
        }
    }

     

    labroot@vsrx3# show policy-options
    prefix-list MGMT-ADDRESSES {
        1.1.1.1/32;
        192.168.1.1/32;
    }
    prefix-list SNMP-CLIENTS {
        1.1.1.1/32;
        192.168.1.1/32;
    }
    prefix-list HTTPShosts {
        1.1.1.1/32;
        192.168.1.1/32;
    }

     

    Where prefix list defines the list allowed (private or public.)

    Then apply the FF on the lo0 interface (precisely the steps mentioned by vikas in last post)

    set interfaces lo0.0 family inet filter input PROTECT-RE

     

    Regards,

     

    Rahul



  • 23.  RE: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

    Posted 04-30-2019 06:14

    thanks a lot

    one last question

     

    how do i monitor all traffic inbound and outbound from the SRX?

    using this zabbix template https://github.com/zabbix-tooling/zabbix-juniper-srx-firewall-template/blob/master/Custom%20-%20HW%20-%20Juniper%20SRX.xml

     

    is monitoring inbound on ge-0/0/0 going to monitor all traffic from the SRX? that is where the network drop is attached



  • 24.  RE: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

     
    Posted 04-30-2019 19:18

    Hello,

     

    Sorry, have not used this tool before. Looks like you would need to follow the setup manual

     

    https://www.zabbix.com/documentation/3.4/manual

     

    > The place where you need to reference the host/Ip of the device being monitored, it would be the IP of the ge-0/0/.0 interface

    > I am assuming zabbix will do the background snmp poll to pull all interface statistics

    > So as far as SNMP connectivity is concerned it would  be from the zabbix server to the ge-0/0/0 IP

     

    Just a couple of questions:

    > Are you particular about zabbix or any open source SNMP server would do?

    > Your eventual goal is to fetch interface utilization stats from the firewall right?

    > Would it be just this one firewall or are you expecting a bunch of them at a later point?

     

    Regards,

     

    Vikas



  • 25.  RE: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

    Posted 05-02-2019 21:31

    yes i think ge-0/0/0 monitors traffic in and out of the server

     

    now there is another issue

    SNMP works for the public ip of my router but not on the private ip

     

    here is my setup of ge-0/0/0

     

    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 192.151.100.8/24;
                }
            }
        }

     

     

    so is it because there is no private ip in that config that is why SNMP does not work for private ip?

     

    if that is the case and i want to add private ip of the router 

    172.21.0.1

    how do i do that so that i can listen for SNMP via the private ip?

     

     

    weird thing is i can already access the router via both public and private ips
    so not sure why SNMP wont work on the private ip as-is

     

    thanks



  • 26.  RE: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

     
    Posted 05-02-2019 22:24

    Hi,

     

    Which interface and zone is the private IP associated with? Can you check the host-inbound services under the zone to see if snmp is allowed?

     

    Regards,

     

    Vikas



  • 27.  RE: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

    Posted 05-02-2019 22:26

    snmp is allowed

     

    like i mentioned SNMP works on public ip

    only issue is it does not on private ip

    and get connection error from zabbix when i use the private ip but when i use public ip it works

     

    i can access router ssh/jweb via both public and private ip addresses and i also posted the config part of the interface section of the config

     

    any specific thing you need me to get?



  • 28.  RE: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

     
    Posted 05-02-2019 22:33

    Hi,

     

    Could you share the output of ?

    > show security zones 

    > show interfaces

    > show system services

    > show firewall

     

    Regards,

     

    Vikas



  • 29.  RE: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

    Posted 05-02-2019 22:42

    i mean i CAN'T paste all of my config here

    i feel like i have provided enough information here already

     

    i just said SNMP works...i am not looking for help to make SNMP work..that is done already..again read this again

    all am saying is it works on public ip and not on private ip of the router

     

    i also pasted the config part of the interface for the public ip and it shows there is no private ip there

    all i want to know is can i just add the private ip in there as well?

     

    i mean i dont think am far away from what i want..which is to access SNMP from private ip of the router as well

     

    but you are asking questions as if am just getting started setting up SNMP...that is not the case

    again please read what is working and what i want to do



  • 30.  RE: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

     
    Posted 05-02-2019 22:56

    Hi,

     

    > Just wanted to know if you have the private IP configured already on the device?

    > If not it needs to be configured on an interface and assigned to a zone. SNMP needs to be allowed on the zone

    > Alternately, depending on your design you can choose to add the private IP as an additional IP on ge-0/0/0

    set interfaces ge-0/0/0.0 family inet address <private IP>

    > If firewall filter is configured with any restriction to allow snmp access to only Pub IP this needs to be changed too

     

    In summary:

    > interface configured with private IP

    > assigned to a zone, snmp allowed in the zone config

    > firewall filter allows the snmp connectivity

    > appropriate routing in the network for the private IP

     

    Regards,

     

    Vikas



  • 31.  RE: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

    Posted 05-02-2019 23:02

    but i did mention that i can access the router from the private ip

    pretty much everything i can do on the public ip of router i can do on private ip

    only thing am having issue with is SNMP

     

    and from my whole entire config..the only time the public ip of the router got mentioned is right here

    when i said no private ip, i meant no private ip in the code below and that is the only place the public ip shows in config

    so am thinking i need to add another line for the private ip...which is why am saying am very close to this working..something is missing where i need to tell SNMP to also listen on private ip

     

    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 192.151.100.8/24;
                }
            }
        }

     

    so again the ONLY single thing is having SNMP work on private ip as EVERYTHING else works on both ips only SNMP this is not the case

     

    i can access router jweb and ssh via private ip

     

    PRIVATE ip of router: 

    172.21.0.1

     

    PUBLIC ip of router: 

    192.151.100.8

     



  • 32.  RE: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

     
    Posted 05-02-2019 23:41
    Hi,

    > If both the zones associated with the public and private IPs have snmp allowed we should be good.
    > If you say that this is already done, then the only other thing I can think of is firewall filter.
    > If there is no firewall filter, this would need additional troubleshooting.

    Best Regards,

    Vikas





  • 33.  RE: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

    Posted 05-03-2019 00:30

    Hello junipersrx240,

     

    Question: at this point i just want SNMP to work for both public and ip address of router

                     i do NOT want to restrict anything

                    so whatever i need to do to open access and when it works then i can work on restricting later

                    also will appreciate config to just paste in config editor instead of cli commands

     

    Ans:

       snmp is pretty straightforward when it comes to junos srx. 

        >for the public and private snmps to work of course srx must be able to reach them (e.g: trust  and untrust zone).

        >what code your srx240 is running? I assume  12.3x48-Dxx 

     

      set snmp community <your community string> clients <your snmp local ip>

      set snmp community <your community string> clients <your snmp public ip>

     

    eg.

     on your CLI Editor, paste the ff:  commands below the last "set interfaces...." command.

      set snmp community whatsupyall clients 1.1.1.1/32

       set snmp community whatsupyall clients 8.8.8.8/32

       commit

     



  • 34.  RE: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

    Posted 05-02-2019 23:05

    Hi,

     

    QUE :- "all i want to know is can i just add the private ip in there as well?"

     

    ANS: You are following the following KB to configure SNMP.

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB16545#j-web_config

     

    Step 4 defines :- Restrict SNMP access to certain sources.

    user@host# set snmp community public clients 172.26.0.0/16
    user@host#
    set snmp community public clients 0.0.0.0/0 restrict

     

    You can add private ip here if the community string used is "public" for the client to connect from private side.

     

    Regards,

     

    Rahul

     



  • 35.  RE: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

    Posted 05-02-2019 23:17

    at this point i just want SNMP to work for both public and ip address of router

    i do NOT want to restrict anything

     

    so whatever i need to do to open access and when it works then i can work on restricting later

     

     

    also will appreciate config to just paste in config editor instead of cli commands



  • 36.  RE: How can i view inbound and outbound traffic stats for my Juniper SRX 240?

     
    Posted 05-02-2019 23:01

    Hi,

     

    You mentioned that there is no private-ip in the config and then you mentioned you are able to access on both pub and private IP which was a bit confusing.

     

    Regards,

     

    Vikas