SRX Next-Gen Firewalls


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

Welcome!

If you have a question or a use case, chances are that others are experiencing or have worked through the same thing. Don't hesitate to jump in and ask or share your knowledge!

Need additional guidance? Check out these Juniper Resources:

Juniper Threat Labs, SRX Upgrade Guide, Security Advisories, Technical Bulletins

Latest Discussion Posts

  • There is a PR 1692526 which probably has something to do with this. The PR is not public, because no customer has reported it yet. It increases SPU utilization, and crashes it eventually. The trigger of this is the firewall events that SPU has to process ...

  • The other great mystery of the universe: dynamic-applications ;) I just try to do rules for internal services (DNS, NTP, AD, or other known ones) as standard rules, and then use AppFW (mostly) for connections to Internet. Of course if the requirement ...

  • Is there anywhere I can read about when to use simple\legacy versus "new" dynamic applications? By the way, I couldn't find any "legacy" applications definitions for Kerberos :( Yes, I understand that custom applications can be added :) I'm just curious ...

  • Hi, If possible, don't use dynamic-applications for service rules like this one. Just create a rule somewhere on top of the zone-context, use predefined or custom applications, and set the dynamic-application to "none". ...

  • Strange... Looks like your traffic is correctly identified as KRB5. Can you run a flow trace to see at what point exactly things are going sideways? And just to eliminate the simple things: * I'm pretty sure you still need an "application" statement ...

  • Policy: MS_DYNAPP, action-type: permit, services-offload:not-configured , State: enabled, Index: 25 0 Policy Type: Configured It seems that the KRB5 dynamic application only allows UDP. However, Kerberos can operate over both UDP and TCP. Looks ...

  • You can also use show security match-policies to check what policies get applied. Reference: https://www.juniper.net/documentation/us/en/software/junos/cli-reference/topics/ref/command/show-security-match-policies.html ...
