At one point I migrated a Juniper SRX from packet mode to flow mode and activated its security screens. The reason for the migration was an internal network problem: traffic was flooding the network until it reached its maximum, which drove CPU usage up.
RTPERF_CPU_THRESHOLD_EXCEEDED
That messages log entry reports that CPU usage has exceeded the safe threshold because of traffic passing over the data plane; the data plane here means the physical interfaces, so it is the forwarded connections that matter. Investigating further by checking the interface monitor on the Juniper SRX link toward the internal network, I saw many sources trying to reach destination IP addresses inside the internal network.
It turned out that the traffic flood came from internet IP addresses trying to reach the internal network, so the flow went from top to bottom like that. In the end I prepared the pre-config for the migration, because CPU usage kept rising and the CPU log message kept appearing.
Packet Mode Juniper SRX
Policy Untrust to Trust – Internet to Internal Network
set security policies from-zone untrust to-zone trust policy SEMUA-IZINKAN match source-address any
set security policies from-zone untrust to-zone trust policy SEMUA-IZINKAN match destination-address any
set security policies from-zone untrust to-zone trust policy SEMUA-IZINKAN match application any
set security policies from-zone untrust to-zone trust policy SEMUA-IZINKAN then permit
Policy Trust to Untrust – Internal Network to Internet
set security policies from-zone trust to-zone untrust policy SEMUA-IZINKAN match source-address any
set security policies from-zone trust to-zone untrust policy SEMUA-IZINKAN match destination-address any
set security policies from-zone trust to-zone untrust policy SEMUA-IZINKAN match application any
set security policies from-zone trust to-zone untrust policy SEMUA-IZINKAN then permit
Policy Trust to Trust – Communication Between Internal Networks
set security policies from-zone trust to-zone trust policy SEMUA-IZINKAN match source-address any
set security policies from-zone trust to-zone trust policy SEMUA-IZINKAN match destination-address any
set security policies from-zone trust to-zone trust policy SEMUA-IZINKAN match application any
set security policies from-zone trust to-zone trust policy SEMUA-IZINKAN then permit
Zone Interface Untrust – Internet
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces interface-name
Zone Interface Trust – Internal Network
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces interface-name
Security Screen Activation – Untrust
set security screen ids-option screen-config icmp ip-sweep threshold 1000
set security screen ids-option screen-config icmp fragment
set security screen ids-option screen-config icmp large
set security screen ids-option screen-config icmp flood threshold 200
set security screen ids-option screen-config icmp ping-death
set security screen ids-option screen-config ip bad-option
set security screen ids-option screen-config ip stream-option
set security screen ids-option screen-config ip spoofing
set security screen ids-option screen-config ip strict-source-route-option
set security screen ids-option screen-config ip unknown-protocol
set security screen ids-option screen-config ip tear-drop
set security screen ids-option screen-config tcp syn-fin
set security screen ids-option screen-config tcp tcp-no-flag
set security screen ids-option screen-config tcp syn-frag
set security screen ids-option screen-config tcp port-scan threshold 1000
set security screen ids-option screen-config tcp syn-ack-ack-proxy threshold 500
set security screen ids-option screen-config tcp syn-flood alarm-threshold 500
set security screen ids-option screen-config tcp syn-flood attack-threshold 500
set security screen ids-option screen-config tcp syn-flood source-threshold 50
set security screen ids-option screen-config tcp syn-flood destination-threshold 1000
set security screen ids-option screen-config tcp syn-flood timeout 10
set security screen ids-option screen-config tcp land
set security screen ids-option screen-config tcp winnuke
set security screen ids-option screen-config tcp tcp-sweep threshold 1000
set security screen ids-option screen-config udp flood threshold 500
set security screen ids-option screen-config udp udp-sweep threshold 1000
set security zones security-zone untrust screen screen-config
I copied the configuration to the Juniper SRX, but after I committed it, it turned out to fail: some things could not be accessed, particularly on custom ports. When I reviewed the config I had built, it should have worked, since the policies had no filtering at all and the zone interfaces were set to accept all services. In the end I rolled back to minimise the downtime. I then opened a ticket to coordinate with Juniper TAC on resolving the case of why the custom ports could not be accessed. The problem was eventually solved; it turned out to be only a mistake in the zone interface configuration.
set security zones security-zone untrust host-inbound-traffic system-services any-service
set security zones security-zone trust host-inbound-traffic system-services any-service
It had to be changed to any-service to allow access to the custom ports. The existing zone configuration below was removed:
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic system-services all
Source: Zones
If you read the reference, the zone's system-services must use any-service rather than all. After migrating again the problem was finally resolved: the custom ports were active, and the security screen activation to prevent traffic floods over the data plane was working. We also monitored the messages log, and the entries related to RTPERF_CPU_THRESHOLD_EXCEEDED no longer appeared.
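As an added example (not from the original post or from Juniper), the following Python script lints a set-style SRX config before commit: it flags zones whose host-inbound-traffic uses system-services all instead of any-service (the root cause above), zones with no security screen attached, and untrust-originated policies that permit application any. The sample config and the zone and policy names are constructed for this example.

```python
import re
from collections import defaultdict

# Patterns for the three set-style statements the check cares about.
SYS_SVC = re.compile(
    r"^set security zones security-zone (\S+) host-inbound-traffic system-services (\S+)$")
SCREEN = re.compile(r"^set security zones security-zone (\S+) screen (\S+)$")
POLICY = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
    r"(match application any|then permit)$")


def lint_srx_config(config_text):
    """Return a list of findings (strings) for a set-style SRX config."""
    services = defaultdict(set)   # zone -> system-services keywords seen
    screens = {}                  # zone -> attached screen name
    policies = defaultdict(set)   # (from, to, name) -> statements seen
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := SYS_SVC.match(line):
            services[m[1]].add(m[2])
        elif m := SCREEN.match(line):
            screens[m[1]] = m[2]
        elif m := POLICY.match(line):
            policies[(m[1], m[2], m[3])].add(m[4])

    findings = []
    for zone in sorted(set(services) | set(screens)):
        svc = services[zone]
        # 'all' does not open custom ports to the host; the post needed 'any-service'.
        if "all" in svc and "any-service" not in svc:
            findings.append(f"{zone}: system-services 'all' does not cover custom ports, "
                            f"use 'any-service'")
        if zone not in screens:
            findings.append(f"{zone}: no security screen attached")
    for (src, dst, name), stmts in sorted(policies.items()):
        if src == "untrust" and stmts == {"match application any", "then permit"}:
            findings.append(f"policy {name} {src}->{dst}: permits application any; "
                            f"screens rate-limit floods but do not filter permitted traffic")
    return findings


# Constructed sample: the post's original zone block (services all) plus a permit-all policy.
BROKEN = """\
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust screen screen-config
set security zones security-zone trust host-inbound-traffic system-services all
set security policies from-zone untrust to-zone trust policy SEMUA-IZINKAN match application any
set security policies from-zone untrust to-zone trust policy SEMUA-IZINKAN then permit
"""
FIXED = BROKEN.replace("system-services all", "system-services any-service")

if __name__ == "__main__":
    for tag, cfg in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        for finding in lint_srx_config(cfg):
            print(f"{tag}: {finding}")
```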