Tag: firewall

Juniper SRX Cluster Failover Tuning

If you check the Juniper configuration guide for SRX firewall clustering, you will find a default example of redundancy-group weight values, which are fine if you have one uplink towards the outside and multiple inside interfaces on that firewall.

set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/5 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/4 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/5 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/4 weight 255

This is the one: https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-chassis-cluster-verification.html

But if!

If you have multiple outside interfaces that give you redundant Internet or WAN access, then maybe you don’t want failover to the secondary SRX box to occur when you lose just one of those two uplinks. If that’s the case, you should follow this article and get your SRX cluster to behave as it should.


Check Point Firewall VM Disk Resize

In my case this concerned a Check Point MGMT VM with R80.10, but you may just as well want to resize a Check Point gateway firewall hardware box or VM.

I was searching for a simple solution and found different ones that didn’t work for me, so here are the steps that you need to go through when you resize your Check Point VM disk in vCenter and then need to expand the partition inside the Check Point VM in order to use the additional space.

Of course, you chose too small an HDD for your VM when you created it, and now you cannot upload some hotfixes or vSEC gateway files to it because you don’t have enough space.

Go to vCenter and shut down the VM.

Give your VM more GB and power it back up.

Unable to access Cisco ASA through AnyConnect VPN?

I ran into this issue a few weeks ago. I was implementing a new ASA firewall solution, for the first time with software newer than version 8.4.2.

It seems that all those stories about changes in the NAT logic after that version were true. This is what I found out about ASA packet processing.

The configuration was really straightforward and everything worked fine except one thing. When connected remotely using Cisco AnyConnect I was able to access all devices inside the network (inside the ASA firewall), but not the ASA itself. I wasn’t able to connect with either SSH or ASDM.

Transparent Firewalls

In traditional network configurations, a firewall serves as the default gateway for hosts connecting to one of its secured subnets. A transparent firewall acts like a “stealth firewall” and is actually a Layer 2 firewall. To implement this, the security appliance is connected to the same network on both its internal and external ports. However, there is a separate VLAN for each interface.

Now let’s discuss the characteristics of transparent firewall mode:

  • Transparent firewall mode supports an outside interface and an inside interface.
  • The best thing about transparent firewall mode is that it can run in both single and multiple context modes.
  • Instead of routing table lookups, MAC lookups are performed.

How does Firewall defend our Network?

We are all familiar with the term ‘firewall’, but the majority of us don’t know where it originated. It is actually a term for the part of an automobile that separates the automobile’s interior from the engine compartment. In the networking world the term is used metaphorically to show how internal networks are separated from the hazards of the external world. With the help of firewalls, networks are divided into various physical networks, so that potential damage can be contained; otherwise it could spread to different subnets.

This works in the same way as the original firewalls worked to stop the spreading of a fire.