expert-mode.blogspot.com
Expert Mode: February 2012
http://expert-mode.blogspot.com/2012_02_01_archive.html
CCMA #40 and JNCIE-SEC #166's blog about all things Check Point and Juniper. Wednesday, 29 February 2012. Upgrade to R70.50 from R70.30/40 fails due to licensing errors on IPSO. It's been a while since I've posted anything, but tonight I actually experienced something I hadn't seen before, so I figured I should share: I was in the process of upgrading three separate clusters from R70.30/R70.40 to R70.50 and was presented with this error upon running the UnixInstallScript: I've seen a few unanswered posts...
expert-mode.blogspot.com
Expert Mode: Juniper SRX: IF-MAP, source-identity and restrict-source-identity-lookup
http://expert-mode.blogspot.com/2014/05/juniper-srx-if-map-source-identity-and.html
Friday, 16 May 2014. Juniper SRX: IF-MAP, source-identity and restrict-source-identity-lookup. The terms for the uninitiated: Is a (but not the only - see UAC. Is a hidden feature/command within the 'unified-access-control' stanza that was added into the 12.1X44D30.4 release which is meant to significantly increase the performance of a device leveraging the source-identity. To enable the feature, run: set services unified-acces...
expert-mode.blogspot.com
Expert Mode: December 2012
http://expert-mode.blogspot.com/2012_12_01_archive.html
Tuesday, 11 December 2012. How to calculate the total amount of FireWall Logs per second. Posting this here for the time being since the support site's SK is broken. Edit: Not sure why CP runs this with three separate strings. Just copy/paste this and you'll get your numbers (sleeps for 120 seconds): Connect to CLI on Security Management Server - over SSH, or console. [Expert@HostName]# mdsenv [Domain Name Domain IP]. [Expert@HostN...
expert-mode.blogspot.com
Expert Mode: July 2012
http://expert-mode.blogspot.com/2012_07_01_archive.html
Friday, 6 July 2012. SPLAT/GAIA: How to determine bond status (link/LACP etc). Had this question asked today: "How do you determine if your LACP (or XOR) bond is up and running and what state is it in?" Since ethtool and ifconfig don't provide you LACP details, you have to check via /proc like so (removed MACs for privacy): Looking at bond0 here: Ethernet Channel Bonding Driver: v3.2.4 (January 28, 2008). Up Delay (ms): 200.
expert-mode.blogspot.com
Expert Mode: Juniper SRX: How to manage fxp0 across a VPN (Remote Management Best Practices)
http://expert-mode.blogspot.com/2015/07/juniper-srx-how-to-manage-fxp0-across.html
Wednesday, 15 July 2015. Juniper SRX: How to manage fxp0 across a VPN (Remote Management Best Practices). SRX 650 - SRX 5800), and by dedicated CPU cores on the shared CPUs on the smaller branch devices. In this example, our topology will contain the following: 1 Cluster of two SRX to be managed via fxp0 remotely. 1 Stand-Alone SRX acting as our VPN peer. Our SSH Proxy will reside behind this gateway. This example assumes the cl...
expert-mode.blogspot.com
Expert Mode: Juniper SRX - PKI - Certificate-based VPNs - Part 03 - SRX Configuration
http://expert-mode.blogspot.com/2014/03/juniper-srx-pki-certificate-based-vpns.html
Thursday, 27 March 2014. Juniper SRX - PKI - Certificate-based VPNs - Part 03 - SRX Configuration. Continuing on with Part 03 of this series (Part 02 found here). We'll finish the SRX configuration and bring up the tunnel: set security ike proposal CERT PROP authentication-method rsa-signatures. set security ike proposal CERT PROP dh-group group2. set security ike proposal CERT PROP authentication-algorithm sha1. Exchange type: ...
expert-mode.blogspot.com
Expert Mode: June 2012
http://expert-mode.blogspot.com/2012_06_01_archive.html
Wednesday, 27 June 2012. CheckPoint HA: How to force a failover (ClusterXL/VRRP). Based on some recent conversations I've had, it seems most people don't know how to force or test a failover with Check Point HA. There is a single requirement for non-SPLAT/GAIA systems: FW-1 Monitoring State needs to be enabled. If you're running IPSO, you can do this via the VRRP configuration page. cphaprob -d fail -s problem -t 0 register.
expert-mode.blogspot.com
Expert Mode: November 2012
http://expert-mode.blogspot.com/2012_11_01_archive.html
Friday, 23 November 2012. SPLAT GAIA: Inaccessible via Console/SSH/GUI. Over the last few months I've seen a large number of SPLAT appliances become completely inaccessible via "normal" methods (R71 - R75). Upon further investigation it seems all of them are suffering from the same problem; however, it's quite strange as all three methods use separate authentication schemes. SSH attempt with the -vv flags: Looking at the file in ...