Thursday, March 23, 2017

Add Juniper SRX Cluster into JunOS Space 16.1 Security Director

My old post "Import Existing Juniper SRX Cluster into JunOS Space Security Director" was written against Space 14.1 and an SRX on Junos 11.x. Both have since been upgraded: Space NMP (Network Management Platform) and Security Director are now on 16.1 (post is here), and the SRX240H cluster is on Junos 12.1X46-D55 (12.1X46-D55.3, as the configuration below shows).

Basically, the steps are the same as before; only the web interface has changed. What you need to do on the SRX side is to give the cluster a master-only IP address on fxp0, configured identically in both node groups alongside each node's own address. The master-only address is active only on whichever node is currently primary for redundancy group 0, so Space always reaches the node that can commit. The configuration should look like this:

root@fw-m-t-1> show configuration
## Last commit: 2017-03-23 14:44:28 UTC by root
version 12.1X46-D55.3;
groups {
    node1 {
        system {
            host-name fw-m-t-2;
            backup-router 10.9.1.1;
            services {
                ssh {
                    max-sessions-per-connection 32;
                }
            }
            syslog {
                file default-log-messages {
                    any info;
                    match "(requested 'commit' operation)|(requested 'commit synchronize' operation)|(copying configuration to juniper.save)|(commit complete)|ifAdminStatus|(FRU power)|(FRU removal)|(FRU insertion)|(link UP)|transitioned|Transferred|transfer-file|(license add)|(license delete)|(package -X update)|(package -X delete)|(FRU Online)|(FRU Offline)|(plugged in)|(unplugged)|GRES";
                    structured-data;
                }
            }
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.9.1.14/24 {
                            preferred;
                        }
                        address 10.9.1.15/24 {
                            master-only;
                        }
                    }
                }
            }
        }
    }
    node0 {
        system {
            host-name fw-m-t-1;
            backup-router 10.9.1.1;
            services {
                ssh {
                    max-sessions-per-connection 32;
                }
            }
            syslog {
                file default-log-messages {
                    any info;
                    match "(requested 'commit' operation)|(requested 'commit synchronize' operation)|(copying configuration to juniper.save)|(commit complete)|ifAdminStatus|(FRU power)|(FRU removal)|(FRU insertion)|(link UP)|transitioned|Transferred|transfer-file|(license add)|(license delete)|(package -X update)|(package -X delete)|(FRU Online)|(FRU Offline)|(plugged in)|(unplugged)|GRES";
                    structured-data;
                }
            }
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.9.1.13/24 {
                            preferred;
                        }
                        address 10.9.1.15/24 {
                            master-only;
                        }
                    }
                }
            }
        }
    }
    security;
    global-policy {
        security {
            policies {
                from-zone <*> to-zone <*> {
                    policy default-logdrop {
                        match {
                            source-address any;
                            destination-address any;
                            application any;
                        }
                        then {
                            deny;
                            log {
                                session-init;
                            }
                        }
                    }
                }
            }
        }
    }
}

In Junos Space you only need to discover the cluster's master-only IP address (10.9.1.15 above); Space then manages the two nodes as one cluster device behind that address. Here are the steps, with screenshots.

1. Device Discovery

Security Director -> Devices -> Device Discovery

Create Device Discovery Profile

Specify Probes

Specify Credentials

Specify Device Fingerprint

Schedule Discovery Job

Discovery Progress

Discovered Device

Note: If the DMI schemas loaded in Space do not include your SRX's Junos version, the device shows a mismatch in the Schema Version column. In that case, download the missing DMI schema into Space before importing the device.

DMI Schema Download


2. Import Device

Import Devices

Follow the on-screen prompts to complete the import; Space pulls the device's existing firewall policy, NAT policy, IDP policy and so on into Security Director.


Imported Firewall Policy

Imported IPS Policy

3. Publish and Update policy to your SRX devices

Update Firewall Policy

4. Troubleshooting

While updating the policy I hit the following two errors.

4.1. [Error] Configuration update failed.

Severity : error
Message : remote lock-configuration failed on node1

Space takes an exclusive configuration lock on both nodes before it pushes, and the push fails when a stale lock is left on the other node (node1 in the message above). The fix is in KB27800 - [SRX] The error 'remote lock-configuration failed on node' is seen in SRX chassis cluster:
  1. Log in to the node that holds the stuck lock. Entering "configure exclusive" on that node tells you who holds it: "error: configuration database locked by: <user> terminal <tty> (pid <n>) on since <time>".
  2. Drop to the shell and clear the lock:

> start shell

% mgd clr-chg

If the lock belongs to a CLI or NETCONF session that is still open, logging that session out first (request system logout pid <n>) is the less intrusive option; either way, retry the update job from Space afterwards.




4.2. [Error] Configuration update failed.

Severity : error
           At : [edit security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-TCP/IP match]
Message : Please install the Signature Database
  Details : attacks
Severity : error
Message : configuration check-out failed

The IPS rule references predefined attack objects that only exist once the IDP signature package is installed, so the commit check fails on a device that has no attack database. The fix is to download the latest signature database in Security Director and install it on the devices, so that both cluster nodes have it. Confirm with "show security idp security-package-version" on the SRX (it reports per node in a cluster) before retrying the update.


Download Latest Signature Database
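To make the checks from section 1 and section 4 repeatable, here is an added example of mine in Python; it is not code from this post, from Juniper or from Junos Space. It works on pasted text only, so it runs offline: it finds the node that is primary for redundancy group 0 in "show chassis cluster status" output (the node that currently owns the master-only address Space was pointed at), it classifies a failed Security Director update job by its error text (the two messages quoted in section 4), and it parses "show security idp security-package-version" to list nodes with no attack database installed. The CLI output samples in the block are constructed for illustration, and the "Attack database version:N/A" line for a node without the package is an assumption about the output format; only the job error text is copied from this post.

```python
"""Triage helper for Space policy updates to an SRX cluster (added example,
not from the post, Juniper or Junos Space; works on pasted CLI/job text only)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed `show chassis cluster status` output.  RG0 and RG1 are primary
# on different nodes on purpose: the fxp0 master-only address follows RG0.
SAMPLE_CLUSTER_STATUS = """\
Redundancy group: 0 , Failover count: 1
    node0                   100         primary        no       no
    node1                   1           secondary      no       no

Redundancy group: 1 , Failover count: 1
    node0                   100         secondary      no       no
    node1                   1           primary        no       no
"""

# The two update-job error texts quoted in section 4 of the post.
SAMPLE_LOCK_ERROR = """\
[Error] Configuration update failed.
Severity : error
Message : remote lock-configuration failed on node1
"""
SAMPLE_SIGDB_ERROR = """\
[Error] Configuration update failed.
Severity : error
           At : [edit security idp idp-policy Space-IPS-Policy rulebase-ips rule Recommended-TCP/IP match]
Message : Please install the Signature Database
  Details : attacks
"""

# Constructed `show security idp security-package-version` output.  Version and
# date are invented; "N/A" for a node without the package is an assumption.
SAMPLE_SIGDB_VERSIONS = """\
node0:
  Attack database version:2583(Mon Jan 11 17:47:16 2016 UTC)
  Detector version :12.6.130150312

node1:
  Attack database version:N/A
  Detector version :12.6.130150312
"""


def rg0_primary(cluster_status: str) -> Optional[str]:
    """Node that is primary for RG0: it owns the master-only address, so it is
    the node Space's NETCONF session actually reaches."""
    in_rg0 = False
    for line in cluster_status.splitlines():
        group = re.match(r"\s*Redundancy group:\s*(\d+)", line)
        if group:
            in_rg0 = group.group(1) == "0"
            continue
        row = re.match(r"\s*(node\d)\s+\d+\s+(\S+)", line)
        if in_rg0 and row and row.group(2) == "primary":
            return row.group(1)
    return None


@dataclass
class JobDiagnosis:
    kind: str                      # "config-lock", "missing-idp-sigdb" or "unknown"
    node: Optional[str] = None     # node holding the stuck configuration lock
    policy: Optional[str] = None   # IDP policy whose check-out failed
    rule: Optional[str] = None     # rule inside that policy
    hint: str = ""


def diagnose_update_error(job_text: str) -> JobDiagnosis:
    """Map a failed update job's error text to one of the post's two fixes."""
    lock = re.search(r"remote lock-configuration failed on (node\d)", job_text)
    if lock:
        return JobDiagnosis("config-lock", node=lock.group(1),
                            hint="clear the stuck lock on %s (KB27800), then retry" % lock.group(1))
    if "Please install the Signature Database" in job_text:
        at = re.search(r"\[edit security idp idp-policy (\S+) rulebase-ips rule (\S+) match\]", job_text)
        policy, rule = (at.group(1), at.group(2)) if at else (None, None)
        return JobDiagnosis("missing-idp-sigdb", policy=policy, rule=rule,
                            hint="install the IDP signature database on both nodes, then retry")
    return JobDiagnosis("unknown", hint="read the full job log in Security Director")


def idp_sigdb_versions(output: str) -> Dict[str, Optional[str]]:
    """Per-node attack database version; None means not installed."""
    versions: Dict[str, Optional[str]] = {}
    node = None
    for line in output.splitlines():
        header = re.match(r"(node\d):", line)
        if header:
            node = header.group(1)
            versions[node] = None
            continue
        ver = re.match(r"\s*Attack database version:\s*(\S+?)(?:\(|$)", line)
        if ver and node is not None:
            versions[node] = None if ver.group(1) in ("N/A", "0") else ver.group(1)
    return versions


def nodes_missing_sigdb(output: str) -> List[str]:
    """Nodes on which the IDP policy update would fail with error 4.2."""
    return [n for n, v in idp_sigdb_versions(output).items() if v is None]


if __name__ == "__main__":
    print("RG0 primary (owns the master-only IP):", rg0_primary(SAMPLE_CLUSTER_STATUS))
    for text in (SAMPLE_LOCK_ERROR, SAMPLE_SIGDB_ERROR):
        print(diagnose_update_error(text))
    print("nodes without an attack database:", nodes_missing_sigdb(SAMPLE_SIGDB_VERSIONS))
```

Run it as a script to see the three results for the constructed samples; in practice, replace the samples with text copied from the SRX CLI and from the failed job's details in Security Director. The RG0 check matters because Space only ever talks to the master-only address, so after a redundancy group 0 failover the "remote" node in a lock error is whichever node is no longer RG0 primary.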







1 comment:

  1. - Is it going to display two SRX nodes to me, one active and one passive? Or just one node (the active one)?
    - If the passive member of the cluster is down, is this procedure going to notify me?
