SRX Next-Gen Firewalls

Strange... Looks like your traffic is correctly identified as KRB5. Can you run a flow trace to see at what point exactly things are going sideways? And just to eliminate the simple things: * I'm pretty sure you still need an "application" statement ...

Policy: MS_DYNAPP, action-type: permit, services-offload:not-configured , State: enabled, Index: 25 0 Policy Type: Configured It seems that the KRB5 dynamic application only allows UDP. However, Kerberos can operate over both UDP and TCP. Looks ...

You can also use show security match-policies to check what policies get applied. Reference: https://www.juniper.net/documentation/us/en/software/junos/cli-reference/topics/ref/command/show-security-match-policies.html ------------------------------ ...

I haven't used it for JSC specifically, but generally NPS works fine with JunOS. Since you're getting rejections from the NPS, check its logs to see if you can see any clues for the rejection. You can also experiment with the authentication methods on ...

That's surprising. I have a 340 which did raise a minor alarm about this not too long ago. If you have auto-snapshot enabled, though, you wouldn't get an alarm. ------------------------------ Nikolay Semov ------------------------------

I use this policy to allow users to authenticate in the Windows domain : policy MS_DYNAPP { match { source-address any; destination-address [ DC1 DC2 ]; dynamic-application [ junos:LDAP junos:CLDAP junos:NBNS junos:MSRPC ...

I've only done vpls port mirrors on mx devices so not sure if it is supported on the SRX. But here is the kb on the setup. https://supportportal.juniper.net/s/article/MX-How-to-configure-Layer-2-VPLS-Port-Mirroring ------------------------------ ...