Configuring SRX210 JFlow for Solwar Winds Orion NTA

Hi,

I have followed several links and all the documents I can find about setting this up (there isn't much to go on).

Here is my current config on the SRX210:-

## Last commit: 2009-10-14 18:13:29 UTC by root
version 9.5R1.8;
system {
    autoinstallation {
        delete-upon-commit; ## Deletes [system autoinstallation] upon change/commit
        traceoptions {
            level verbose;
            flag {
                all;
            }
        }
    }
    host-name EX-FWSRX210;
    root-authentication {
        encrypted-password "$1$owsJK56P$T.qjV36H3T7H/V/EwEbFF/"; ## SECRET-DATA
    }
    login {
        user borat {
            uid 2001;
            class read-only;
            authentication {
                encrypted-password high5; ## SECRET-DATA
            }
        }
        user telnet {
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$1$8m.zOg5H$m7JIYg/I2F9ZGm5gVS9DY1"; ## SECRET-DATA
            }
        }
    }
    services {
        ssh;
        web-management {
            http {
                interface ge-0/0/0.0;
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input cflow;
                }
                address 192.168.1.1/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 127.0.0.1/32;
            }
        }
    }
}
forwarding-options {
    sampling {
        input {
            family inet {
                rate 1;
                run-length 0;
                max-packets-per-second 1000;
            }
        }
        output {
            cflowd 192.168.1.20 {
                port 2055;
                version 5;
            }
        }
    }
}
snmp {
    community public {
        authorization read-only;
        clients {
            192.168.1.20/32;
        }
    }
    community orion {
        authorization read-only;
        clients {
            192.168.1.20/32;
        }
    }
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    queue-size 2000; ## Warning: 'queue-size' is deprecated
                    timeout 20;
                }
                land;
            }
        }
    }
    zones {
        security-zone trust {
            tcp-rst;
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            http;
                            https;
                            ssh;
                            telnet;
                            dhcp;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            screen untrust-screen;
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy default-deny {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
    }
}
firewall {
    filter all {
        term all {
            then {
                sample;
                accept;
            }
        }
    }
    filter cflow {
        term 1 {
            then {
                sample;
                accept;
            }
        }
    }
}

I have setup the forwarding options with max packets on 1000 as recommended from the juniper community forums in a similar configuration. I have also setup the snmp communities on both the Orion NPM server and the SRX. When I try to validate the SNMP settings and add the trust interface of the SRX to the Orion node list, it fails every time.

I have pretty much hit a wall this morning on this one, my last step would be to contact solarwinds and speak with an engineer (but I have to go through sales first as this is a trial).

Cheers,

Pash

Find more posts tagged with

Comments

Pash

Quoted from the dude who helped me on the juniper community forums:-

"
set security zones security-zone trust interface ge-0/0/0 host-inbound-traffic system-services snmp"

SNMP is not enabled by default on SRX interfaces seemingly.

If this was a netscreen or ssg I would of been all over this, damn this change malarkey!

Cheers,

Aldur

Pash wrote: »

Quoted from the dude who helped me on the juniper community forums:-

"
set security zones security-zone trust interface ge-0/0/0 host-inbound-traffic system-services snmp"

SNMP is not enabled by default on SRX interfaces seemingly.

If this was a netscreen or ssg I would of been all over this, damn this change malarkey!

Cheers,

lol, I know, stupid changes! I agree that the new SRX boxes are something to get use too. So far I really like them though, definitely easier to setup NAT or SFW then it is on the M/T routers. You just have to get use to the idea that they start out very restrictive and you have to open up what you want to use.

Something interesting that I noticed in your configs is that you have all services allowed in the untrust zone and then under the ge-0/0/0 interface a subset of services are specified. If you would have left off any interface services config there then snmp would have been allowed without any further configuration.

Pash

Aldur wrote: »

lol, I know, stupid changes! I agree that the new SRX boxes are something to get use too. So far I really like them though, definitely easier to setup NAT or SFW then it is on the M/T routers. You just have to get use to the idea that they start out very restrictive and you have to open up what you want to use.

Something interesting that I noticed in your configs is that you have all services allowed in the untrust zone and then under the ge-0/0/0 interface a subset of services are specified. If you would have left off any interface services config there then snmp would have been allowed without any further configuration.

Aye dude, I don't think Juniper should move to the SRX series, but I guess they can't stop that now....

Well apart from what I manually entered at cli the rest of the config was default, all services allowed on the untrust zone be bad, luckily its a lab!

Aldur

Pash wrote: »

Aye dude, I don't think Juniper should move to the SRX series, but I guess they can't stop that now....

I know a few people who feel this way too. ScreenOS and the devices that it resides on are good products so why use another box that provides the same functionality but uses a different operating system? IMO I think that this helps bridge the gap between people who know routing and people who know security and also implements the flexibility and routing features of JUNOS. My expertise is in the routing realm and security is somewhat new to me. Being able to work on a security box that runs an OS that I'm already familiar with is a god send. I'm finding out that I really enjoy security and am thinking of possibly specializing in that.

Without a doubt there will be some pain as people transition over to using JUNOS on the SRX's vs using ScreenOS on the SSG's but I think it's a good move long run.

Also something to keep in mind is that production and development is still on going with ScreenOS products so this means that they aren't going away any time soon