SRX Next-Gen Firewalls

1) Yes!!! This is one my favorite JunOS features -- Configuration Groups (see https://www.juniper.net/documentation/us/en/software/junos/cli/topics/topic-map/configuration-groups-usage.html for lots of examples)! You can use groups not just for policies, ...

Would it be possible to create security policies and later attach them to zones when needed? I have done this on VyOS and it makes reading through the SET commands much easier. Here is an example: I would like to change the following: set security ...

Oh, yeah, didn't think about that. The IP Spoofing screen also uses the routing table to make its decisions. If it fits your network, you should also be able to avoid triggering the screen by having by ISP interfaces in the same zone, rather than disabling ...

Took a closer look at the SPAN. I saw ICMP responses. And... these logs being spammed over and over again. USER.ERR: Jul 7 15:52:45 LabBR RT_IDS: RT_SCREEN_IP: IP spoofing! source: 8.8.8.8, destination: 10.255.250.13, protocol-id: 1, zone name: ...

Thanks for that bit of info! That command does return a list of next-hop gateway IPs (the private ones) and the corresponding certificate, which is useful for correlating the private IPs with the hostname in the cert's CN. I just wish it would show ...

JunOS has show security ipsec next-hop-tunnels which should be similar ish, I think ... ------------------------------ Nikolay Semov ------------------------------

That is an excellent question. I haven't been able to find any ADVPN-specific commands yet which could shed light on it. For example, Cisco has "show nhrp" and "show ip nhrp" ------------------------------ ae_zero ------------------------------