SRX

Got a new SRX-4100 to replace our old 1400. Did all the configuration by CLI as it allowed a, more-or-less, direct copy/paste from the 1400. With web management enabled I get this when trying to load the site. This is in Firefox on Rocky 8 as Chrome fails with the self-signed cert.

Hi Chris,

Please make sure you download and use 21.4R3-S5    as per announcement... https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US

I would try another browser first, you can accept the certificate by importing it to your trusted certificate store on your PC. I would also suggest deactivating the security control measures (such as max-threads, idle-timeout and session-limit, while troubleshooting the issue. 

Got a new SRX-4100 to replace our old 1400. Did all the configuration by CLI as it allowed a, more-or-less, direct copy/paste from the 1400. With web management enabled I get this when trying to load the site. This is in Firefox on Rocky 8 as Chrome fails with the self-signed cert.

Gavin,

Thanks for the info on that. I was unaware that there was a vulnerability and that it affected J-Web. I'll be certain to get it installed ASAP, hopefully it will help with my J-Web issue.

I've tried both Firefox and Chrome. Both give the usual self-signed cert warning but Chrome won't let me proceed. Checking the cert in Chrome gives an error "Unable to  decode certificate," I can still save it though. Trying to import the certificate into Chrome fails with it saying there is no private key in the cert. I also tried saving the cert in Firefox with the same issue when importing it into Chrome. As for Firefox it will let me access the site after adding an exception.

Hi Chris,

Please make sure you download and use 21.4R3-S5    as per announcement... https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US

I would try another browser first, you can accept the certificate by importing it to your trusted certificate store on your PC. I would also suggest deactivating the security control measures (such as max-threads, idle-timeout and session-limit, while troubleshooting the issue. 

Got a new SRX-4100 to replace our old 1400. Did all the configuration by CLI as it allowed a, more-or-less, direct copy/paste from the 1400. With web management enabled I get this when trying to load the site. This is in Firefox on Rocky 8 as Chrome fails with the self-signed cert.

You may want to generate your own Public/Private Key pair, this might be better accepted by browsers as you can customize the encryption algorithm and the size of the encryption key etc with a CN of your choice.

Instructions are found here: https://www.juniper.net/documentation/us/en/software/junos/security-services/topics/topic-map/public-key-cryptography.html#id-manually-generating-selfsigned-certificates-on-switches-cli-procedure

Typically we would recommend creating your own CA-signed pki certificate for use in production, LetsEncrpyt is a good free option for testing.

Gavin,

Thanks for the info on that. I was unaware that there was a vulnerability and that it affected J-Web. I'll be certain to get it installed ASAP, hopefully it will help with my J-Web issue.

I've tried both Firefox and Chrome. Both give the usual self-signed cert warning but Chrome won't let me proceed. Checking the cert in Chrome gives an error "Unable to  decode certificate," I can still save it though. Trying to import the certificate into Chrome fails with it saying there is no private key in the cert. I also tried saving the cert in Firefox with the same issue when importing it into Chrome. As for Firefox it will let me access the site after adding an exception.

Hi Chris,

Please make sure you download and use 21.4R3-S5    as per announcement... https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US

I would try another browser first, you can accept the certificate by importing it to your trusted certificate store on your PC. I would also suggest deactivating the security control measures (such as max-threads, idle-timeout and session-limit, while troubleshooting the issue. 

Got a new SRX-4100 to replace our old 1400. Did all the configuration by CLI as it allowed a, more-or-less, direct copy/paste from the 1400. With web management enabled I get this when trying to load the site. This is in Firefox on Rocky 8 as Chrome fails with the self-signed cert.