SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX345 Dropping good traffic

    Posted 02-09-2023 09:39

    Junos: 22.4R1.10

    For some reason traffic to my web servers is bouncing. I keep getting so many alerts from Uptime Robot that my sites are up and down all day long. I set up a whitelist policy in which I have all the Uptime Robot IPs listed with access to my servers before any deny policy with the bad IPs of known hackers, about 100K, yet all day I noticed that our traffic going through the SRX is bouncing while the traffic going through the Netscreen ISG-2000 is stable in the same network. I am really confused.

    Below are my Policies as they are in my SRX345

    1- Allow- The first one from our office trusted IPs to the trust Web and mail servers so no filtering that way if our IPs get listed by security software they are whitelisted and always allowed access regardless of feed listing.

    2- Allow The second is a whitelist policy that has all the IPs of Uptime Robot, Cloudflare, Google bots and so forth, just in case one of those IPs is blacklisted by the Deny policy, so we make sure they can scan the websites.

    3- Deny - After that I have a Block-mail-server Deny policy that has an address feed of about 70K IPs that have attempted to log in to our mailboxes (hackers) using IPBan Pro and instantly exporting to our Feed, Spamhaus Deny List and Emerging Threats Feeds. Total about 90K IPs.

    5- Deny - After that I have a Block WordPress Deny Policy with a WordPress hackers feed of about 12K and growing, of anyone that tries to hack any of our WordPress sites and is blocked by Wordfence. We read all the MySQL databases and compile one feed. We instantly add them to the WP Feed.

    4- Deny all to any web server Feed from different sites listing the hacker IPs, about 560K IPs (I am going to drop several feeds) to see if that will help; for the time being I will keep this one empty.

    5- Allow After that we have our Mail-servers Policy, Mail ports with IPS set to (Web Server), Content Security set for (Antispam, Antivirus) from Juniper

    6-Allow - After that we have an allow http, https Web-Server Policy with IPS set (Web Server)

    For the Feeds I am running the first one that I generate in my Ubuntu .sh script, which creates 4 lists ipban.txt, Spamhaus.txt, emerging-Block-IPs.txt, threat-50.txt, wp.txt and the whitelist wl.txt in a folder ipban and compresses them into a .tgz file

    And the big one is the same, all added into one single ips.txt file in the root folder, which the SRX firewall reads directly as a text file with 560K IPs.

    Here are the Resources
    I kept checking resources and I am at: RE CPU 42%, RE Memory 65%, PFE CPU 3%, PFE Memory 65% and Storage 6%.

    Not sure what to do next



    ------------------------------
    JAY ECHOUAFNI
    ------------------------------
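
A check on the feed files described in the post above, as an added example that is not part of the original thread: it collapses the merged deny feed and lists the whitelist entries that the deny feed also covers, which are the ones that depend on the whitelist policy matching first. The file contents are constructed samples, the function names are hypothetical, and one IP or CIDR per line is assumed.

```python
import bisect
import ipaddress

# Constructed samples standing in for wl.txt and the merged ips.txt
# (assumption: one IP or CIDR per line, as in the feeds the post describes).
WL_TXT = "192.0.2.10\n198.51.100.0/28\n"
DENY_TXT = ("192.0.2.0/25\n192.0.2.128/25\n192.0.2.10\n198.51.100.7\n"
            "203.0.113.5\n203.0.113.5\nnot-an-ip\n")

def parse_feed(text):
    """Return (networks, rejected_lines); blank lines and # comments are skipped."""
    nets, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            rejected.append(entry)
    return nets, rejected

def collapse(nets):
    """Drop duplicates and merge contained or adjacent prefixes, per IP version."""
    out = []
    for version in (4, 6):
        out += ipaddress.collapse_addresses(n for n in nets if n.version == version)
    return out

def whitelist_conflicts(whitelist, deny):
    """List (whitelist entry, deny prefix) pairs that overlap."""
    hits, merged = [], collapse(deny)
    for version in (4, 6):
        d = [n for n in merged if n.version == version]  # sorted, non-overlapping
        starts = [int(n.network_address) for n in d]
        for w in (n for n in whitelist if n.version == version):
            # Walk back from the last deny prefix starting at or before w's end.
            i = bisect.bisect_right(starts, int(w.broadcast_address)) - 1
            while i >= 0 and d[i].broadcast_address >= w.network_address:
                hits.append((str(w), str(d[i])))
                i -= 1
    return hits

if __name__ == "__main__":
    wl, _ = parse_feed(WL_TXT)
    deny, bad = parse_feed(DENY_TXT)
    print(f"deny: {len(deny)} raw, {len(collapse(deny))} collapsed, {len(bad)} rejected")
    for w, d in whitelist_conflicts(wl, deny):
        print(f"whitelisted {w} is also covered by deny entry {d}")
```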


  • 2.  RE: SRX345 Dropping good traffic

     
    Posted 02-11-2023 08:21

    Hello Jay,

    Since you are running on version 22.4R1.10, you can use the below command to know why packets are dropped.

    > monitor security packet-drop (you can add source, destination protocol etc. if needed)

    To view the output:

    > show security packet-drop records 

    To clear the records:

    > clear security packet-drop records

    Hope it helps. 

    Regards,



    ------------------------------
    Brijil R
    ------------------------------