SRX Next-Gen Firewalls

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

Welcome!

If you have a question or a use case, there are likely others who are experiencing or have worked through the same thing. Don't hesitate to jump in and ask or share your knowledge!

Need additional guidance? Check out these Juniper Resources:

Juniper Threat Labs, SRX Upgrade Guide, Security Advisories, Technical Bulletins

Latest Discussion Posts

  • Is there anywhere I can read about when to use simple\legacy versus "new" dynamic applications? By the way, I couldn't find any "legacy" applications definitions for Kerberos :( Yes, I understand that custom applications can be added :) I'm just curious ...

  • Hi, If possible, don't use dynamic-applications for service rules like this one. Just create a rule somewhere on top of the zone-context, use predefined or custom applications, and set the dynamic-application to "none". ------------------------------ ...

  • Strange... Looks like your traffic is correctly identified as KRB5. Can you run a flow trace to see at what point exactly things are going sideways? And just to eliminate the simple things: * I'm pretty sure you still need an "application" statement ...

  • Policy: MS_DYNAPP, action-type: permit, services-offload:not-configured , State: enabled, Index: 25 0 Policy Type: Configured It seems that the KRB5 dynamic application only allows UDP. However, Kerberos can operate over both UDP and TCP. Looks ...

  • You can also use show security match-policies to check what policies get applied. Reference: https://www.juniper.net/documentation/us/en/software/junos/cli-reference/topics/ref/command/show-security-match-policies.html ------------------------------ ...

  • I haven't used it for JSC specifically, but generally NPS works fine with JunOS. Since you're getting rejections from the NPS, check its logs to see if you can see any clues for the rejection. You can also experiment with the authentication methods on ...

  • That's surprising. I have a 340 which did raise a minor alarm about this not too long ago. If you have auto-snapshot enabled, though, you wouldn't get an alarm. ------------------------------ Nikolay Semov ------------------------------
