[SRX] Example - Configuring overlapping IP address space at two sites separated by a single SRX series device

Article ID: KB21286 KB Last Updated: 21 Feb 2020 Version: 3.0

Summary:

This article provides information on how to implement overlapping IP networks at two sites separated by a single SRX series security gateway.

Symptoms:

Overlapping IP addresses can sometimes occur in a network. The same IP address ranges are commonly used in small office/home office (SoHo) environments, and the situation is also sometimes encountered with acquisitions and mergers.

In this setup, the same IP address subnet (192.168.1.0/24) is used at both sites: OrgA and OrgB.

192.168.1.0/24 OrgA ---ge-0/0/1--- SRX ---ge-0/0/2--- OrgB 192.168.1.0/24

The configuration and troubleshooting for this topology are included in the Solution section below.

For another configuration example, refer to TN68 - LAN-to-LAN VPN with Overlapping Subnets Configuration and Troubleshooting (Version 2.0).

Solution:

To allow two sites with overlapping address space to communicate, the requirements below must be met:

  • The two overlapping subnets must be non-shared, equal-size address blocks.
  • The two subnets are generally routed to each other through direct links or through an IPsec tunnel.
  • The two subnets must be allowed to communicate with each other through Security Policies. (Double NAT can fix the problem of overlapping subnets.)

To implement this on the same SRX device, routing-instances are needed. The sample configuration below meets this objective:

192.168.1.0/24 OrgA ---ge-0/0/1--- SRX ---ge-0/0/2--- OrgB 192.168.1.0/24

OrgA Virtual Network - 1.1.1.0/24
OrgB Virtual Network - 2.2.2.0/24

Note: The Virtual Network is used for mapping the original network of OrgA and OrgB in Static NAT. These virtual networks do not have to be configured on the SRX because, per the SRX flow module, Static NAT is performed before the Route Lookup.
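The 1:1 mapping described in the note above, as an added example (not part of the original article and not Juniper code): a small Python model of the double static NAT that derives both wings of a session from the two rule-sets. The class and function names are hypothetical; the prefixes and routing-instance names are those of the configuration in this article, and the model covers address translation only.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRule:
    from_instance: str               # rule-set "from routing-instance"
    virtual: ipaddress.IPv4Network   # match destination-address
    real: ipaddress.IPv4Network      # static-nat prefix
    to_instance: str                 # static-nat prefix ... routing-instance


# Values taken from rule-sets A-B and B-A in this article's configuration.
RULES = [
    StaticRule("OrgA", ipaddress.ip_network("2.2.2.0/24"),
               ipaddress.ip_network("192.168.1.0/24"), "OrgB"),
    StaticRule("OrgB", ipaddress.ip_network("1.1.1.0/24"),
               ipaddress.ip_network("192.168.1.0/24"), "OrgA"),
]


def remap(addr, src_net, dst_net):
    """Swap the network bits and keep the host bits (1:1 static NAT)."""
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("static NAT needs equal-size address blocks")
    offset = int(addr) - int(src_net.network_address)
    return ipaddress.ip_address(int(dst_net.network_address) + offset)


def translate(in_instance, src, dst, rules=RULES):
    """Return the In/Out wings for a packet entering `in_instance`."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Destination translation: rule-set bound to the ingress instance.
    fwd = next((r for r in rules
                if r.from_instance == in_instance and dst in r.virtual), None)
    if fwd is None:
        return None  # no static NAT rule matched; nothing is translated
    real_dst = remap(dst, fwd.virtual, fwd.real)
    # Reverse static NAT: the rule that exposes the ingress site to the
    # egress site decides how the source appears on the far side.
    rev = next((r for r in rules
                if r.from_instance == fwd.to_instance
                and r.to_instance == in_instance and src in r.real), None)
    seen_src = remap(src, rev.real, rev.virtual) if rev else src
    return {
        "lookup_instance": fwd.to_instance,   # table used for route lookup
        "in": (str(src), str(dst)),           # as received
        "out": (str(real_dst), str(seen_src)),  # reply direction on egress side
    }
```

The "in" and "out" pairs correspond to the In: and Out: lines of `show security flow session` for the same traffic.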


CLI Configuration


 
root@SRX# run show configuration | no-more 
## Last commit: 2011-06-20 10:44:48 UTC by root
version 10.4R5.5;
system {
    host-name SRX;
    root-authentication {
        encrypted-password "$ABC123"; ## SECRET-DATA
    }
}
interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
security {
    nat {
        static {
            rule-set A-B {
                from routing-instance OrgA;
                rule A {
                    match {
                        destination-address 2.2.2.0/24;
                    }
                    then {
                        static-nat prefix 192.168.1.0/24 routing-instance OrgB; ## please refer to the Verification section
                    }
                }
            }
            rule-set B-A {
                from routing-instance OrgB;
                rule B {
                    match {
                        destination-address 1.1.1.0/24;
                    }
                    then {
                        static-nat prefix 192.168.1.0/24 routing-instance OrgA; ## please refer to the verification section
                    }                   
                }
            }
        }
    }
    zones {
        security-zone OrgA {
            address-book {
                address OrgA-Lan 192.168.1.0/24;
            }
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone OrgB {
            address-book {
                address OrgB-Lan 192.168.1.0/24;
            }
            interfaces {
                ge-0/0/2.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone OrgA to-zone OrgB {
            policy A-B {
                match {
                    source-address OrgA-Lan;
                    destination-address OrgB-Lan;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone OrgB to-zone OrgA {
            policy B-A {
                match {
                    source-address OrgB-Lan;
                    destination-address OrgA-Lan;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    flow {
        traceoptions {
            file overlapping;
            flag all;
            packet-filter 1 {
                source-prefix 192.168.1.2/32;
                destination-prefix 2.2.2.3/32;
            }
            packet-filter 2 {
                source-prefix 192.168.1.3/32;
                destination-prefix 1.1.1.2/32;
            }
        }
    }
}
routing-instances {
    OrgA {
        instance-type virtual-router;
        interface ge-0/0/1.0;
    }
    OrgB {
        instance-type virtual-router;
        interface ge-0/0/2.0;
    }
}


Verification

After the routing-instance statement is configured under Static NAT, the traceoptions capture looks like the following:

Jun 20 10:36:59 10:36:58.1145142:CID-0:RT:<192.168.1.2/111->2.2.2.3/1;1> matched filter 1:

Jun 20 10:36:59 10:36:58.1145142:CID-0:RT:packet [60] ipid = 279, @423f5a9c
 
Jun 20 10:36:59 10:36:58.1145142:CID-0:RT:---- flow_process_pkt: (thd 2): flow_ctxt type 13, common flag 0x0, mbuf 0x423f5880, 
rtbl_idx = 65529
 
Jun 20 10:36:59 10:36:58.1145142:CID-0:RT: flow process pak fast ifl 67 in_ifp ge-0/0/1.0
 
Jun 20 10:36:59 10:36:58.1145142:CID-0:RT:  ge-0/0/1.0:192.168.1.2->2.2.2.3, icmp, (8/0)
 
Jun 20 10:36:59 10:36:58.1145142:CID-0:RT: find flow: table 0x4f125ce8, hash 9679(0xffff), sa 192.168.1.2, da 2.2.2.3, 
sp 111, dp 1, proto 1, tok 20499
 
Jun 20 10:36:59 10:36:58.1145142:CID-0:RT:  no session found, start first path. in_tunnel - 0, from_cp_flag - 0
 
Jun 20 10:36:59 10:36:58.1145142:CID-0:RT:self ip check: not for self (address=02020203)
 
Jun 20 10:36:59 10:36:58.1145142:CID-0:RT:  flow_first_create_session
 
Jun 20 10:36:59 10:36:58.1145142:CID-0:RT:Installing pending sess (3040) in ager
 
Jun 20 10:36:59 10:36:58.1145142:CID-0:RT:First path alloc and instl pending session, natp=0x5237efd0, id=3040
 
Jun 20 10:36:59 10:36:58.1145142:CID-0:RT:  flow_first_in_dst_nat: in <ge-0/0/1.0>, out <N/A> dst_adr 2.2.2.3, sp 111, dp 1
 
Jun 20 10:36:59 10:36:58.1145142:CID-0:RT:  chose interface ge-0/0/1.0 as incoming nat if.
 
Jun 20 10:36:59 10:36:58.1145142:CID-0:RT:flow_first_rule_dst_xlate: packet 192.168.1.2->2.2.2.3 nsp2 0.0.0.0->192.168.1.3.
 
Jun 20 10:36:59 10:36:58.1145142:CID-0:RT:flow_first_routing: call flow_route_lookup(): src_ip 192.168.1.2, x_dst_ip 192.168.1.3, 
in ifp ge-0/0/1.0, out ifp N/A sp 111, dp 1, ip_proto 1, tos 0
 
Jun 20 10:36:59 10:36:58.1145142:CID-0:RT:Doing DESTINATION addr route-lookup
 
Jun 20 10:36:59 10:36:58.1145142:CID-0:RT:flow_rt_lkup in VR-id: 6
 
Jun 20 10:36:59 10:36:58.1145142:CID-0:RT:flow_rt_lkup: Found route entry 0x0x57bb2c18,nh id 0x212, out if 0x4d
 
Jun 20 10:36:59 10:36:58.1145142:CID-0:RT:flow_rt_lkup: nh word 0x40010
 
Jun 20 10:36:59 10:36:58.1145142:CID-0:RT:flow_ipv4_rt_lkup success 192.168.1.3, iifl 0x43, oifl 0x4d
 
Jun 20 10:36:59 10:36:58.1145142:CID-0:RT:  routed (x_dst_ip 192.168.1.3) from OrgA (ge-0/0/1.0 in 0) to ge-0/0/2.0, 
Next-hop: 192.168.1.3
 
Jun 20 10:36:59 10:36:58.1145142:CID-0:RT:  policy search from zone OrgA-> zone OrgB (0x114,0x6f0001,0x1)
 
Jun 20 10:36:59 10:36:58.1145142:CID-0:RT:  app 0, timeout 60s, curr ageout 60s
 
Jun 20 10:36:59 10:36:58.1145142:CID-0:RT:Permitted by policy 200
 
Jun 20 10:36:59 10:36:58.1145142:CID-0:RT:  found reversed mip 1.1.1.2 for 192.168.1.2 (on ge-0/0/2.0)
 
Jun 20 10:36:59 10:36:58.1145142:CID-0:RT:flow_first_src_xlate:  nat_src_xlated: True, nat_src_xlate_failed: False
 
Jun 20 10:36:59 10:36:58.1145644:CID-0:RT:flow_first_src_xlate: hip xlate: 192.168.1.2->1.1.1.2 at ge-0/0/2.0 (vs. ge-0/0/2.0)
 
Jun 20 10:36:59 10:36:58.1145644:CID-0:RT:  dip id = 0/0, 192.168.1.2/111->1.1.1.2/111
 
Jun 20 10:36:59 10:36:58.1145644:CID-0:RT:  choose interface ge-0/0/2.0 as outgoing phy if
 
Jun 20 10:36:59 10:36:58.1145644:CID-0:RT:is_loop_pak: No loop: on ifp: ge-0/0/2.0, addr: 192.168.1.3, rtt_idx:6
 
Jun 20 10:36:59 10:36:58.1145644:CID-0:RT:jsf sess interest check. regd plugins 13
 
Jun 20 10:36:59 10:36:58.1145644:CID-0:RT: Allocating plugin info block for 12 plugin(s) from OL
 
Jun 20 10:36:59 10:36:58.1145644:CID-0:RT:-jsf int check: plugin id  1, svc_req 0x0. rc 4
 
Jun 20 10:36:59 10:36:58.1145644:CID-0:RT:-jsf int check: plugin id  2, svc_req 0x2. rc 4
 
Jun 20 10:36:59 10:36:58.1145644:CID-0:RT:-jsf int check: plugin id  3, svc_req 0x0. rc 4
 
Jun 20 10:36:59 10:36:58.1145644:CID-0:RT:-jsf int check: plugin id  5, svc_req 0x0. rc 4
 
Jun 20 10:36:59 10:36:58.1145644:CID-0:RT:+++++++++++jsf_test_plugin_data_evh: 3
 
Jun 20 10:36:59 10:36:58.1145644:CID-0:RT:-jsf int check: plugin id  6, svc_req 0x0. rc 4
 
Jun 20 10:36:59 10:36:58.1145644:CID-0:RT:-jsf int check: plugin id  7, svc_req 0x0. rc 4
 
Jun 20 10:36:59 10:36:58.1145644:CID-0:RT:-jsf int check: plugin id  8, svc_req 0x0. rc 4
 
Jun 20 10:36:59 10:36:58.1145644:CID-0:RT:-jsf int check: plugin id 10, svc_req 0x0. rc 4
 
Jun 20 10:36:59 10:36:58.1145644:CID-0:RT:-jsf int check: plugin id 11, svc_req 0x0. rc 2
 
Jun 20 10:36:59 10:36:58.1145644:CID-0:RT: No JSF plugins enabled for session
 
Jun 20 10:36:59 10:36:58.1145644:CID-0:RT: Releasing plugin info block for 12 plugin(s) to OL
 
Jun 20 10:36:59 10:36:58.1145644:CID-0:RT:flow_first_service_lookup(): natp(0x5237efd0): app_id, 0(0).
 
Jun 20 10:36:59 10:36:58.1145644:CID-0:RT:  service lookup identified service 0.
 
Jun 20 10:36:59 10:36:58.1145644:CID-0:RT:  flow_first_final_check: in <ge-0/0/1.0>, out <ge-0/0/2.0>
 
Jun 20 10:36:59 10:36:58.1145644:CID-0:RT:flow_first_final_check: flow_set_xlate_vector.
 
Jun 20 10:36:59 10:36:58.1145644:CID-0:RT:In flow_first_complete_session
 
Jun 20 10:36:59 10:36:58.1145644:CID-0:RT:flow_first_complete_session: pak_ptr is xlated packet
 
Jun 20 10:36:59 10:36:58.1145644:CID-0:RT:construct v4 vector for nsp2
 
Jun 20 10:36:59 10:36:58.1145644:CID-0:RT:  existing vector list 1200-49f008b0.
 
Jun 20 10:36:59 10:36:58.1145644:CID-0:RT:  Session (id:3040) created for first pak 1200
 
Jun 20 10:36:59 10:36:58.1145644:CID-0:RT:first pak processing successful
 
Jun 20 10:36:59 10:36:58.1145644:CID-0:RT:  flow_first_install_session======> 0x5237efd0
 
Jun 20 10:36:59 10:36:58.1145644:CID-0:RT: nsp 0x5237efd0, nsp2 0x5237f034
 
Jun 20 10:36:59 10:36:58.1145644:CID-0:RT:  make_nsp_ready_no_resolve()
 
Jun 20 10:36:59 10:36:58.1145644:CID-0:RT:flow_rt_lkup in VR-id: 5
 
Jun 20 10:36:59 10:36:58.1145644:CID-0:RT:flow_rt_lkup: Found route entry 0x0x57ba9538,nh id 0x200, out if 0x43
 
Jun 20 10:36:59 10:36:58.1145644:CID-0:RT:flow_rt_lkup: nh word 0x30010
 
Jun 20 10:36:59 10:36:58.1145644:CID-0:RT:flow_ipv4_rt_lkup success 192.168.1.2, iifl 0x0, oifl 0x43
 
Jun 20 10:36:59 10:36:58.1145644:CID-0:RT:  route lookup: dest-ip 192.168.1.2 orig ifp ge-0/0/1.0 output_ifp ge-0/0/1.0 
orig-zone 19 out-zone 19 vsd 0
 
Jun 20 10:36:59 10:36:58.1145644:CID-0:RT:  route to 192.168.1.2
 
Jun 20 10:36:59 10:36:58.1145644:CID-0:RT:Installing c2s NP session wing
 
Jun 20 10:36:59 10:36:58.1145644:CID-0:RT:  flow_spu_install_np_session: FLOW STUB
 
Jun 20 10:36:59 10:36:58.1145644:CID-0:RT:Installing s2c NP session wing
 
Jun 20 10:36:59 10:36:58.1145644:CID-0:RT:  flow_spu_install_np_session: FLOW STUB
 
Jun 20 10:36:59 10:36:58.1145644:CID-0:RT:updating pending sess (3040) in ager
 
Jun 20 10:36:59 10:36:58.1145644:CID-0:RT:first path session installation succeeded
 
Jun 20 10:36:59 10:36:58.1145644:CID-0:RT:  flow got session.
 
Jun 20 10:36:59 10:36:58.1146149:CID-0:RT:  flow session id 3040
 
Jun 20 10:36:59 10:36:58.1146149:CID-0:RT: vector bits 0x1200 vector 0x49f008b0
 
Jun 20 10:36:59 10:36:58.1146149:CID-0:RT:flow_handle_icmp_xlate
 
Jun 20 10:36:59 10:36:58.1146149:CID-0:RT:  post addr xlation: 1.1.1.2->192.168.1.3.
 
Jun 20 10:36:59 10:36:58.1146149:CID-0:RT:  post addr xlation: 1.1.1.2->192.168.1.3.
 
Jun 20 10:36:59 10:36:58.1146149:CID-0:RT:skip pre-frag: is_tunnel_if- 0, is_if_mtu_configured- 0
 
Jun 20 10:36:59 10:36:58.1146149:CID-0:RT:mbuf 0x423f5880, exit nh 0x40010
 
Jun 20 10:36:59 10:36:58.1146149:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)

  1. Verify the routing table.

    Note: Additional routing configuration is not required for the virtual networks (1.1.1.0/24 and 2.2.2.0/24) because Destination NAT is performed before the route lookup.

    [edit]
    root@SRX# run show route 
    
    OrgA.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    192.168.1.0/24     *[Direct/0] 00:18:42
                        > via ge-0/0/1.0
    192.168.1.1/32     *[Local/0] 00:26:19
                          Local via ge-0/0/1.0
    
    OrgB.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    192.168.1.0/24     *[Direct/0] 00:16:50
                        > via ge-0/0/2.0
    192.168.1.1/32     *[Local/0] 00:26:19
                          Local via ge-0/0/2.0
    
    [edit]
    
  2. Verify session entries while initiating traffic from both sides.

    Client 192.168.1.2 at OrgA wants to communicate with 192.168.1.3 at OrgB, so data is sent to the virtual address 2.2.2.3:

    [edit]
    root@SRX# run show security flow session    
    Jun 20 10:37:00
    Session ID: 3040, Policy name: A-B/200, Timeout: 2, Valid
      In: 192.168.1.2/111 --> 2.2.2.3/1;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60
      Out: 192.168.1.3/1 --> 1.1.1.2/111;icmp, If: ge-0/0/2.0, Pkts: 1, Bytes: 60
    Total sessions: 1
    

    Client 192.168.1.3 at OrgB wants to communicate with 192.168.1.2 at OrgA, so data is sent to the virtual address 1.1.1.2:

    [edit]
    root@SRX# run show security flow session    
    Jun 20 10:36:14
    Session ID: 3037, Policy name: B-A/201, Timeout: 4, Valid
      In: 192.168.1.3/3328 --> 1.1.1.2/512;icmp, If: ge-0/0/2.0, Pkts: 1, Bytes: 60
      Out: 192.168.1.2/512 --> 2.2.2.3/3328;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60
    
  3. Enable Flow traceoptions to understand the need for "then static-nat prefix 192.168.1.0/24 routing-instance OrgX."

    If the routing instance statement is not configured correctly under the [edit security nat static] hierarchy, a route lookup is performed (after destination NAT is performed) on the incoming interface's routing table itself, and traffic is routed back to the same site instead of the other site.

    routed (x_dst_ip 192.168.1.3) from OrgA (ge-0/0/1.0 in 0) to ge-0/0/1.0, Next-hop: 192.168.1.3

    Jun 20 10:45:35 10:45:35.604335:CID-0:RT:<192.168.1.2/112->2.2.2.3/1;1> matched filter 1:
    Jun 20 10:45:35 10:45:35.604335:CID-0:RT:packet [60] ipid = 283, @423f6b9c
    
    Jun 20 10:45:35 10:45:35.604335:CID-0:RT:---- flow_process_pkt: (thd 2): flow_ctxt type 13, common flag 0x0, 
    mbuf 0x423f6980, rtbl_idx = 65529
    
    Jun 20 10:45:35 10:45:35.604335:CID-0:RT: flow process pak fast ifl 67 in_ifp ge-0/0/1.0
    
    Jun 20 10:45:35 10:45:35.604335:CID-0:RT:  ge-0/0/1.0:192.168.1.2->2.2.2.3, icmp, (8/0)
    
    Jun 20 10:45:35 10:45:35.604335:CID-0:RT: find flow: table 0x4f125ce8, hash 50399(0xffff), sa 192.168.1.2, da 2.2.2.3, 
    sp 112, dp 1, proto 1, tok 20499
                                          
    Jun 20 10:45:35 10:45:35.604335:CID-0:RT:  no session found, start first path. in_tunnel - 0, from_cp_flag - 0
     
    Jun 20 10:45:35 10:45:35.604335:CID-0:RT:self ip check: not for self (address=02020203)
     
    Jun 20 10:45:35 10:45:35.604335:CID-0:RT:  flow_first_create_session
     
    Jun 20 10:45:35 10:45:35.604335:CID-0:RT:Installing pending sess (3044) in ager
     
    Jun 20 10:45:35 10:45:35.604335:CID-0:RT:First path alloc and instl pending session, natp=0x5237f610, id=3044
     
    Jun 20 10:45:35 10:45:35.604335:CID-0:RT:  flow_first_in_dst_nat: in <ge-0/0/1.0>, out <N/A> dst_adr 2.2.2.3, sp 112, dp 1
     
    Jun 20 10:45:35 10:45:35.604619:CID-0:RT:  chose interface ge-0/0/1.0 as incoming nat if.
     
    Jun 20 10:45:35 10:45:35.604619:CID-0:RT:flow_first_rule_dst_xlate: packet 192.168.1.2->2.2.2.3 nsp2 0.0.0.0->192.168.1.3.
     
    Jun 20 10:45:35 10:45:35.604619:CID-0:RT:flow_first_routing: call flow_route_lookup(): src_ip 192.168.1.2, x_dst_ip 192.168.1.3, 
    in ifp ge-0/0/1.0, out ifp N/A sp 112, dp 1, ip_proto 1, tos 0
     
    Jun 20 10:45:35 10:45:35.604619:CID-0:RT:Doing DESTINATION addr route-lookup
     
    Jun 20 10:45:35 10:45:35.604619:CID-0:RT:flow_rt_lkup in VR-id: 5
     
    Jun 20 10:45:35 10:45:35.604619:CID-0:RT:flow_rt_lkup: Found route entry 0x0x4eb8d8f0,nh id 0x20d, out if 0x43
     
    Jun 20 10:45:35 10:45:35.604619:CID-0:RT:flow_rt_lkup: nh word 0xeed40006
     
    Jun 20 10:45:35 10:45:35.604619:CID-0:RT:flow_ipv4_rt_lkup success 192.168.1.3, iifl 0x43, oifl 0x43
     
    Jun 20 10:45:35 10:45:35.604619:CID-0:RT:  routed (x_dst_ip 192.168.1.3) from OrgA (ge-0/0/1.0 in 0) to ge-0/0/1.0, 
    Next-hop: 192.168.1.3
     
    Jun 20 10:45:35 10:45:35.604619:CID-0:RT:  policy search from zone OrgA-> zone OrgA (0x114,0x700001,0x1)
     
    Jun 20 10:45:35 10:45:35.604619:CID-0:RT:  app 0, timeout 60s, curr ageout 60s
                                            
    Jun 20 10:45:35 10:45:35.604619:CID-0:RT:  packet dropped, denied by policy
                                            
    Jun 20 10:45:35 10:45:35.604619:CID-0:RT:Denied by policy 2, dropping pkt
                                            
    Jun 20 10:45:35 10:45:35.604619:CID-0:RT:  packet dropped,  policy deny.
                                            
    Jun 20 10:45:35 10:45:35.604619:CID-0:RT:set_nat_invalid: natp:id 3044, flag 2bb47
                                            
    Jun 20 10:45:35 10:45:35.604619:CID-0:RT:flow_initiate_first_path: first pak no session
                                            
    Jun 20 10:45:35 10:45:35.604619:CID-0:RT:  flow find session returns error.
                                            
    Jun 20 10:45:35 10:45:35.604619:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)
    
    Note: VR-Ids can be found from the VTY mode with the following command:
    
    FLOWD_OCTEON( vty)# sh route ip table    
    Protocol: IPv4
        Table Name                       Table Index (lrid ) # of Routes  Bytes        FRRP TID         
        -----------------------------------------------------------------------------------------------
        OrgA.5                           5           (0    ) 10           876          low  255         
        OrgB.6                           6           (0    ) 10           876          low  255         
        __juniper_private1__.1           1           (0    ) 11           964          low  255         
        __juniper_private2__.2           2           (0    ) 6            524          low  255         
        __master.anon__.3                3           (0    ) 5            436          low  255         
        default.0                        0           (0    ) 5            436          low  0           
    
    FLOWD_OCTEON( vty)# exit
    

Note: During session creation, reverse route lookups are always performed on the incoming interface's routing table (in this example, VR-Id: 5). For more information, refer to Troubleshooting route-lookups in virtual-routers on SRX series platforms.
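The comparison made in step 3, as an added example (not part of the original article and not a Juniper tool): a Python parser that reads flow traceoptions output and flags first-path packets whose translated destination was routed back out of the ingress interface. The function name and result keys are hypothetical; the sample input is a set of key lines excerpted from the two traces in this article.

```python
import re

# Sample input: key lines excerpted from the two traces in this article
# (working case first, then the case without the routing-instance statement).
SAMPLE = """\
Jun 20 10:36:59 10:36:58.1145142:CID-0:RT:<192.168.1.2/111->2.2.2.3/1;1> matched filter 1:
Jun 20 10:36:59 10:36:58.1145142:CID-0:RT:flow_rt_lkup in VR-id: 6
Jun 20 10:36:59 10:36:58.1145142:CID-0:RT:  routed (x_dst_ip 192.168.1.3) from OrgA (ge-0/0/1.0 in 0) to ge-0/0/2.0,
Jun 20 10:36:59 10:36:58.1145142:CID-0:RT:  policy search from zone OrgA-> zone OrgB (0x114,0x6f0001,0x1)
Jun 20 10:36:59 10:36:58.1145142:CID-0:RT:Permitted by policy 200
Jun 20 10:36:59 10:36:58.1145644:CID-0:RT:flow_rt_lkup in VR-id: 5
Jun 20 10:45:35 10:45:35.604335:CID-0:RT:<192.168.1.2/112->2.2.2.3/1;1> matched filter 1:
Jun 20 10:45:35 10:45:35.604619:CID-0:RT:flow_rt_lkup in VR-id: 5
Jun 20 10:45:35 10:45:35.604619:CID-0:RT:  routed (x_dst_ip 192.168.1.3) from OrgA (ge-0/0/1.0 in 0) to ge-0/0/1.0,
Jun 20 10:45:35 10:45:35.604619:CID-0:RT:  policy search from zone OrgA-> zone OrgA (0x114,0x700001,0x1)
Jun 20 10:45:35 10:45:35.604619:CID-0:RT:Denied by policy 2, dropping pkt
"""

START = re.compile(r"<(\S+?)/\d+->(\S+?)/\d+;\d+> matched filter")
VRID = re.compile(r"flow_rt_lkup in VR-id: (\d+)")
ROUTED = re.compile(
    r"routed \(x_dst_ip (\S+)\) from (\S+) \((\S+) in \d+\) to ([^,\s]+)")
POLICY = re.compile(r"policy search from zone (\S+)-> zone (\S+)")
VERDICT = re.compile(r"(Permitted|Denied) by policy (\d+)")


def analyze(trace):
    """Summarise each traced packet; 'hairpin' marks the misrouted case."""
    packets, cur = [], None
    for line in trace.splitlines():
        m = START.search(line)
        if m:  # a "matched filter" line opens a new packet record
            cur = {"src": m[1], "dst": m[2], "vr_id": None, "x_dst": None,
                   "in_ifp": None, "out_ifp": None, "zones": None,
                   "verdict": None, "hairpin": False}
            packets.append(cur)
            continue
        if cur is None:
            continue
        if (m := VRID.search(line)) and cur["vr_id"] is None:
            # The first lookup is the destination lookup; later ones are
            # reverse lookups in the ingress table and are ignored here.
            cur["vr_id"] = int(m[1])
        elif m := ROUTED.search(line):
            cur["x_dst"], cur["in_ifp"], cur["out_ifp"] = m[1], m[3], m[4]
            # Same interface in and out: the translated destination was
            # looked up in the ingress instance's own table.
            cur["hairpin"] = m[3] == m[4]
        elif m := POLICY.search(line):
            cur["zones"] = (m[1], m[2])
        elif m := VERDICT.search(line):
            cur["verdict"] = (m[1], int(m[2]))
    return packets


if __name__ == "__main__":
    for p in analyze(SAMPLE):
        state = "HAIRPIN: check routing-instance on static-nat" if p["hairpin"] else "ok"
        print(p["src"], "->", p["dst"], "VR-id", p["vr_id"], p["zones"], p["verdict"], state)
```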

Modification History:

2020-02-21: Changed encrypted password to "$ABC123".
