Announcing Juniper SRX Next Generation Firewall (NGFW) Support


Indeni’s automation platform did it again! We are proud to announce support for
Juniper SRX series Next-Generation Firewalls. Kudos and credits are due to our Expert community for requesting, developing, testing, and delivering!

Here are a few scenarios that network and security professionals can avoid by using Indeni:

1. Network Outages caused by traceoptions and sampling settings

We’ve all been there: you forget to enable or disable a setting. If you forget to disable traceoptions and sampling during a maintenance window, they will continue to run thereafter. These features use a large amount of CPU and could cause packets to drop.

Without Indeni, manual troubleshooting would uncover high CPU and memory utilization on the firewall, dropped packets, and a partition nearly full. After reviewing the processes running on the device, you would find that traceoptions and sampling were still running. The issue is simple to resolve: turn these settings off and CPU utilization goes back to normal.

Indeni’s platform allows resolution of the issue quickly by proactively informing you about any outages caused by high CPU utilization.

The Indeni server periodically checks the CPU utilization of each process and generates an alert if the CPU exceeds the threshold. As a result, network administrators can perform the prescriptive remediation steps found in the Indeni alert before the CPU reaches its limit and packet drops start.
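
A complementary check for this scenario, as an added example that is not Indeni's code or part of the original post: it scans a configuration exported with `show configuration | display set` for traceoptions and sampling statements that are still active, skipping hierarchies turned off with `deactivate`. The sample configuration is constructed and the function names are hypothetical.

```python
DEBUG_KEYWORDS = ("traceoptions", "sampling")

# Constructed sample of "show configuration | display set" output (not from a real device).
SAMPLE_CONFIG = """\
set system host-name srx-lab-01
set security flow traceoptions file flow-debug size 10m
set security flow traceoptions flag basic-datapath
set security ike traceoptions flag all
deactivate security ike traceoptions
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0
set protocols ospf traceoptions file ospf-trace
set forwarding-options sampling input rate 1
set forwarding-options sampling family inet output flow-server 192.0.2.10 port 2055
set interfaces ge-0/0/1 unit 0 family inet address 198.51.100.1/24
"""

def find_active_debug(config_text):
    """Return {hierarchy: [set lines]} for active traceoptions/sampling statements."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    # Hierarchies marked "deactivate" remain in the configuration but are not in effect.
    deactivated = [tuple(ln.split()[1:]) for ln in lines if ln.startswith("deactivate ")]
    findings = {}
    for ln in lines:
        if not ln.startswith("set "):
            continue
        tokens = ln.split()[1:]
        hit = next((i for i, t in enumerate(tokens) if t in DEBUG_KEYWORDS), None)
        if hit is None:
            continue
        # Skip statements that sit under a deactivated hierarchy.
        if any(tuple(tokens[:len(d)]) == d for d in deactivated):
            continue
        findings.setdefault(" ".join(tokens[:hit + 1]), []).append(ln)
    return findings

def report(config_text):
    """One line per hierarchy that still has debug settings switched on."""
    return [
        f"ACTIVE {path} ({len(stmts)} statement(s)): review before closing the change window"
        for path, stmts in find_active_debug(config_text).items()
    ]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG)))
```
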

2. Service interruption when a chassis cluster fails due to a configuration that is not in synchronization

When you are deploying new Juniper SRX next-generation firewalls in a datacenter, you also need to build SRX chassis clustering. It is important to synchronize the configuration from the primary node to the secondary node when the secondary joins the primary as a cluster. Without this automation in place, a network engineer will need to manually check the devices to ensure the same configuration is in place on each node in the cluster. Annoying, but not hard, right? Not so fast.

What happens if there is a configuration change on the primary node later on and those changes are not synchronized with the secondary node? A service interruption will ensue when the primary node goes down and the chassis cluster fails over.

Indeni can help you resolve the issue quickly by proactively informing you about cluster synchronization issues.

The Indeni server periodically checks the SRX cluster configuration status and generates an alarm when the cluster configuration is out of synchronization. Therefore, network administrators can perform cluster synchronizations before the cluster takeover fails.

3. Network outage because the SRX cannot reach the peer device on the same network

Maintenance windows happen from time to time to upgrade some devices in the network. Imagine you are the network administrator who completed this upgrade by staying up all night and then, when you’re just waking up, you receive a call in the morning about a service outage to the network. Not fun.

One possible issue is that your SRX device is not able to reach the peer device on the same Layer 3 network. Without Indeni, you would spend time manually investigating the physical link and interface configuration. What you may find is that the interface is up but the SRX still fails to talk to the peer devices (sigh). Troubleshooting further, you would find that the SRX device does not have an ARP entry for the peer devices. This problem can easily be resolved by using different ports on the peer devices, since the peer failed to respond to the ARP request.

Indeni can help you resolve the issue quickly by proactively informing you about the next-hop failure. The Indeni server will periodically check the ARP entries in the ARP table and generate an alarm when a next hop is shown as failed or incomplete. Therefore, network administrators can perform the proper remediation steps to immediately fix the issue.

4. Functions on SRX did not work due to license expiration

From time to time, licenses expire on network and security devices, and unfortunately, this may happen at different time intervals. Renewal is a commonly forgotten or overlooked maintenance task that operations teams need to complete alongside their other urgent tasks.

Imagine a situation where your VPN and IDP service functions stop working.  The typical next step would be for the network administrator to manually investigate why these services are not working, only to discover the licenses for services are expired. The services would remain disabled until a workaround has been implemented.

Indeni can help you to resolve the issue quickly by proactively informing you of your license expiration issues.

Indeni Server regularly checks SRX activated features and licenses. An alert will be generated with remediation steps in case of license expiration. Network administrators can perform remediation before the license functions are disabled.

5. Disk full and failure to write log and event files to the disk

Nearly every company is dependent on its network in today’s digital world. As a result, IT operations need complete visibility into the state of their network. Imagine you are the network administrator and you receive a message that your SRX disk is full. When you manually check the device log and event files, you notice a large volume of log event files, and the debug information was not saved on the disk. As a result, it is difficult to track the history of events on the SRX device. The next step would be to clean up unused files and debug files so the device can continue storing logs and event files.

Indeni can help you resolve the issue quickly by proactively informing you when disk capacity is nearly full.

The Indeni server periodically checks the disk utilization and, when disk space utilization exceeds the threshold, generates an alarm with prescriptive steps to resolve it. The network administrator can then perform the prescriptive remediation steps included in the Indeni alert and prevent the loss of log and event data.

Are you looking for ways to extend the value of your Juniper SRX next-generation firewalls? Download Indeni today and join our community Indeni Crowd to engage with other certified Juniper SRX experts.

About the author
Liz Salemi