SRX

 View Only
last person joined: 3 days ago 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  J-Web not loading properly - SRX4100

    Posted 12-04-2023 13:39

    Got a new SRX-4100 to replace our old 1400. Did all the configuration by CLI as it allowed a, more-or-less, direct copy/paste from the 1400. With web management enabled I get this when trying to load the site. This is in Firefox on Rocky 8 as Chrome fails with the self-signed cert.

    The configuration is as such.
    admin@fw> show configuration system services web-management 
    management-url admin;
    https {
        system-generated-certificate;
        interface fxp0.0;
    }
    control {
        max-threads 2;
    }
    session {
        idle-timeout 5;
        session-limit 2;
    }
    The device is running 21.4R3.15.


    ------------------------------
    CHRIS WOELKERS
    ------------------------------


  • 2.  RE: J-Web not loading properly - SRX4100

    Posted 12-05-2023 03:54

    Hi Chris,

    Please make sure you download and use 21.4R3-S5    as per announcement... https://supportportal.juniper.net/s/article/2023-08-Out-of-Cycle-Security-Bulletin-Junos-OS-SRX-Series-and-EX-Series-Multiple-vulnerabilities-in-J-Web-can-be-combined-to-allow-a-preAuth-Remote-Code-Execution?language=en_US

    I would try another browser first, you can accept the certificate by importing it to your trusted certificate store on your PC. I would also suggest deactivating the security control measures (such as max-threads, idle-timeout and session-limit, while troubleshooting the issue. 



    ------------------------------
    GAVIN WHITE
    ------------------------------



  • 3.  RE: J-Web not loading properly - SRX4100

    Posted 12-05-2023 13:06

    Gavin,

    Thanks for the info on that. I was unaware that there was a vulnerability and that it affected J-Web. I'll be certain to get it installed ASAP, hopefully it will help with my J-Web issue.

    I've tried both Firefox and Chrome. Both give the usual self-signed cert warning but Chrome won't let me proceed. Checking the cert in Chrome gives an error "Unable to  decode certificate," I can still save it though. Trying to import the certificate into Chrome fails with it saying there is no private key in the cert. I also tried saving the cert in Firefox with the same issue when importing it into Chrome. As for Firefox it will let me access the site after adding an exception.



    ------------------------------
    CHRIS WOELKERS
    ------------------------------



  • 4.  RE: J-Web not loading properly - SRX4100

    Posted 12-06-2023 06:06

    You may want to generate your own Public/Private Key pair, this might be better accepted by browsers as you can customize the encryption algorithm and the size of the encryption key etc with a CN of your choice.

    Instructions are found here: https://www.juniper.net/documentation/us/en/software/junos/security-services/topics/topic-map/public-key-cryptography.html#id-manually-generating-selfsigned-certificates-on-switches-cli-procedure

    Typically we would recommend creating your own CA-signed pki certificate for use in production, LetsEncrpyt is a good free option for testing.



    ------------------------------
    GAVIN WHITE
    ------------------------------



  • 5.  RE: J-Web not loading properly - SRX4100

    Posted 12-06-2023 10:43

    Problem solved.

    The self-generated certificate seems to have been to root of the issue. Once I did all that was necessary to add an SSL cert using our internal CA the problems went away. No more certificate errors with Chrome and the interface finally loads correctly.

    This seems to be an issue with the self-generated certificate. Either it isn't generated correctly, such as the wrong bit-length, format, etc, or it isn't served correctly. Don't know which, or if it is something completely different, but it may be something to bring up to the engineers.

    Thanks for the assist.



    ------------------------------
    CHRIS WOELKERS
    ------------------------------