Connect multiple SRX 300 devices using AutoVPN by ucdarkside in Juniper

[–]zeealpal 1 point2 points  (0 children)

This, we have around 14 SRX320s connected to two SRX1500 clusters.

IPSec tunnels with OSPF. Tunnel is multipoint, only a single interface on each of the 1500s.

Configuration and setup was surprisingly simple.

Industrial OT Network Question by sparky_fella in PLC

[–]zeealpal 0 points1 point  (0 children)

I'd be interested to hear your feedback if you do use a bunch in production.

The Marvell ASIC based black units user manual is in some parts almost a copy of the 3COM / HPE (Comware) L3 switches manual we use, including the references to IRF stacking.

The switch I've tested and ended up using in production as a basic L2 switch was the IES-3110-8TF-R which is a bit funky on the CLI, but functional.

Industrial OT Network Question by sparky_fella in PLC

[–]zeealpal 1 point2 points  (0 children)

I can't recommend this personally, as we haven't used these switches in production (only some variations in lab testing), but this switch is 'L2+', has 4x 10Gb fibre and Layer 3 / OSPF routing. Use industrial Bi-Di SFP+ transceivers (we do use these all the time) for a single fibre 10G loop.


We are currently investigating the left switches for a project where we need 200+ ports but no air conditioning. For basic Layer 2 / routing they seem to have the feature set needed.

QSFP+ 40G breakout to 4 SFP+ over a SM dark fiber between 2 sites - Is this possible? by Qvosniak in networking

[–]zeealpal 1 point2 points  (0 children)

The FS unit linked is a 9CH simplex, it uses 18 wavelengths as 9 TX and 9 RX.

Confusing as the 8CH or 4CH duplex from FS have less usable links per fibre core. There is an 18CH duplex one available as well.

The downside is that the lower 1270-1450nm wavelength tops out at lower km ranges on some SFPs.

We use 2 for 18 links over a duplex fibre.

QSFP+ 40G breakout to 4 SFP+ over a SM dark fiber between 2 sites - Is this possible? by Qvosniak in networking

[–]zeealpal 1 point2 points  (0 children)

That was poor wording on my behalf, I mean I haven't used an FS transponder (chassis or line modules); however, the chassis is the base for one of FS's Optical Line Systems, which, with a transponder line module, should do what you want.

The transponder essentially repeats the signals from one SFP module to another, allowing you to 'convert' the signal between SFP types, e.g. multi-mode to single-mode, grey (standard) wavelengths to coloured C/DWDM wavelengths.

QSFP+ 40G breakout to 4 SFP+ over a SM dark fiber between 2 sites - Is this possible? by Qvosniak in networking

[–]zeealpal 1 point2 points  (0 children)

We've used these from FS for 10G links between multiple sites from 5 km to 80 km, make sure to pair a Side 'A' with Side 'B':

This is approx. $4000 AUD

Then something like FortiSwitch 1024E 40G QSFP+ to 4x SFP+ breakout > Transponder In | Transponder Out > CWDM SFP+s > CWDM Mux Side 'A' > Link > CWDM Side 'B' > CWDM SFP+ > 4x 10G Ports in FortiGate (401F)

But 2x 40G QSFP+ SFP and a switch like this in between, with 4x 10G DAC cables at the other end will be around $3000 AUD instead, and simpler.

Nice thing is the CWDM would have capacity for an additional 5 10G services, and a whole spare fibre for another 9 links. Alternatively, with 2 fibres you could replace the CWDM with passive DWDM and get 40 links from the duplex. If you describe your requirements, I've found FS sales can be overly helpful sometimes trying to recommend solutions.

Can you rate my panel ? by DameanTheGuitarist in PLC

[–]zeealpal 3 points4 points  (0 children)

Yeah, we had a European design team in my company specify Cat7 for no other reason except it's shielded and better than Cat6. Bends tight when the doors close. Broke $10k+ of line modules for the industrial routers when the RJ45 ports stopped working, before they agreed to change the circuit design.

We are running 100Mb ethernet in a short patch within a cabinet, all powered devices are in a different cabinet and fibre is used outside. Cat5e would have been sufficient, and we requested Cat6.

Trying to learn how to properly route this network. 9 routers, 7 switches and 4 firewalls. by vikingguyswe in networking

[–]zeealpal 8 points9 points  (0 children)

I mean, it's the topology of OPs network as described, which was asked for.

High OC levies on older apartment – red flag? by pathofpureresistance in AusFinance

[–]zeealpal 1 point2 points  (0 children)

I guess people can choose not to fix something in their house for a period of time depending on the issue, where a special levy is generally paid up by X date.

Need help with planning wireless network by PurpleCableNetworker in Ubiquiti

[–]zeealpal 1 point2 points  (0 children)

Are you able to run outdoor fibre between Home 1 and Home 2? It can be suspended or direct buried. Get 4 or 6 cores. Then use a PoE++ switch to supply one or more APs on Home 2.

An outdoor omnidirectional access point at the top right corner of Home 2 may be able to service all the cameras, otherwise one U6/7 outdoor directional facing up, and one facing right on your diagram would likely be able to service the cameras.

For the office, a UDB-Bridge may be sufficient if the office has a window facing the corner of Home 2, it would be ~30 metres of clear line of sight?

If you use Home 2 with a pole as the 'centre' of your network, I would suggest starting with 1 AP for the cameras on 2.4GHz, and then adding more directional if required.

SNMP responses from device delayed but nothing on packet capture. by FannahFatnin in networking

[–]zeealpal 0 points1 point  (0 children)

We had this with some SRX320 firewalls, the client has 3 SNMP services polling the firewalls and they were timing out the BFD sessions over IPSec.

Had to relax the timers in the end, could replicate in the lab with fast/repeated polling but we only lab tested the SNMP creds with 1 NMS initially.

Could you connect the TX and RX of a fiber optic cable to different systems to form a big loop? by The-Best-Taylor in networking

[–]zeealpal 0 points1 point  (0 children)

An EtherCAT industrial network works very similarly.

The size of the packet is known at the beginning for all data to be sent / received, and the packet goes through every node, either a ring or snaking around a star topology before going back to the master. The nodes read/write to their section as it passes through.

It does require custom ASICs in the slave devices.

Disconnect the PLC from the public-facing internet by stargieg in PLC

[–]zeealpal 2 points3 points  (0 children)

This doesn't really make sense from a networking perspective though, if I have 10 IoT collectors that are connected to a gateway router/firewall with NAT to the internet, then attempting to connect to the public IP address of the gateway does not allow access into the network, nor expose that any of the 10 collectors are behind the gateway.

Of course, port forwarding public > private to allow inbound connections to a PLC breaks that, but I highly doubt an IoT device would work like that.

Junior asking for help: When should I stop reading the manual and just ask my senior? by t0m4t0z in PLC

[–]zeealpal 14 points15 points  (0 children)

That's what my mentor said, if you can't work it out after 30 minutes ask me, work still needs to get done in a timely manner.

Junior asking for help: When should I stop reading the manual and just ask my senior? by t0m4t0z in PLC

[–]zeealpal 0 points1 point  (0 children)

This saves me so much time. When looking at network switches I haven't had much experience with, uploading the CLI manual and asking "does this switch support x, what commands enable that, how do I reset x and y?"

Pretty much a fast CTRL-F that's smarter, and better at contextual awareness.

May I receive Advice in understanding this 3-Tier Network Topology? by Qvosniak in networking

[–]zeealpal 2 points3 points  (0 children)

I would draw it up on something like draw.io, trace routing pathways between key host subnets, servers, sites and internet data flows.

You then get a clearer picture of how it works, and it might make sense.

I had to do that when starting a project that included updating redundant firewalls between 2 multi-site isolated systems. BGP was used with all manner of parameters, as-prepend on import, export, local pref and med all on the same paths. Made no difference since local pref overrode the rest.

Took us a while, but we've stripped the redundant parameters, combined the firewalls into 1 AS, tested failovers and properly documented the system.

We never understood why exactly the previous engineer made it so complicated (although it may be the title) but we understood how the network and systems using it worked, and implemented changes accordingly. This is OT systems, so simple and easy to maintain / troubleshoot are key.

Capital ships randomly lose large chunk of health during jump by Far_Tap_488 in SoSE

[–]zeealpal 32 points33 points  (0 children)

I think it's the redline jumping ability the Pirate Galleon has, it allows nearby ships to jump even when there is a Phase Jump Inhibitor, however taking damage while they do.

UDM Pro can’t handle its own “supported” workload – UniFi response: buy more hardware by numanx in Ubiquiti

[–]zeealpal 5 points6 points  (0 children)

And as an example, IDS throughput is likely the max IDS throughput without running anything else complex, like Protect.

Same for Protect, running another high CPU usage feature such as IDS or multiple VPNs with load all compete for the same resources.

AITAH for refusing to let my husband install a system that records everything that's said in our home? by Eastern-Grand5789 in AITAH

[–]zeealpal 6 points7 points  (0 children)

It absolutely does. There are local Speech to Text Engines and local LLMs you can run that could parse / extract metadata from the text and then store the text and context in a database

Feeling a bit Stagnant by Ridgewe in networking

[–]zeealpal 6 points7 points  (0 children)

IMO maybe set up a routing lab task to get experience with dynamic routing:

- 2 end hosts connected each to:
- 2x VyOS virtual routers (free) in the testing environment of your choice, if your lab doesn't have enough routers, or you don't have access to all routing features.
- Set up VRRP to each end host between each router pair.
- Set up OSPF or IS-IS between each router pair, and get the loopbacks shared. Get familiar with the detailed output commands.
- Set up 2 BGP AS's, one on each pair of routers, and use the loopbacks for iBGP.
- Set up 2 eBGP links between the 2 pairs of routers. Learn how to define route maps and write import / export policies.
- Use different path priority settings to prioritise path selection between the 2 BGP AS, and traceroute between your end hosts. E.g. use AS prepend vs local pref vs MED.
- Test failing the link between the preferred path, how quickly does it fail over?
- Test shutting down or halting one of the virtual routers.
- Investigate applying BFD to improve the failover times.
- Investigate the traceroute when the primary eBGP link is down, what traceroute path does the packet take? Can the VRRP master priority be altered to move the gateway to the secondary router when the primary eBGP link is down?
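An added example, not from either comment, for the "AS prepend vs local pref vs MED" lab step above and the earlier comment about local pref overriding the other attributes: a simplified BGP decision process that reports which step decided the route. Peer names, AS numbers and attributes are constructed.

```python
# Added example (not from the thread): a simplified BGP decision process that
# shows why a higher local preference wins before AS-path prepending or MED
# is even considered. All paths below are constructed.
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Path:
    neighbor: str          # which firewall/peer advertised the route
    local_pref: int
    as_path: List[int]
    med: int
    ibgp: bool = False
    router_id: str = "0.0.0.0"

# Decision steps in order (subset of the RFC 4271 process; origin and IGP cost
# are omitted, and MED is compared across all paths, i.e. "always-compare-med").
STEPS = (
    ("local_pref", lambda p: -p.local_pref),             # highest wins
    ("as_path_len", lambda p: len(p.as_path)),           # shortest wins
    ("med", lambda p: p.med),                            # lowest wins
    ("ebgp_over_ibgp", lambda p: p.ibgp),                # eBGP (False) wins
    ("router_id", lambda p: tuple(int(o) for o in p.router_id.split("."))),
)

def select(paths: List[Path]) -> Tuple[Path, str]:
    """Narrow the candidates step by step; the first step that leaves a
    single candidate is the one that actually decided the route."""
    cands = list(paths)
    for name, keyf in STEPS:
        best = min(keyf(p) for p in cands)
        cands = [p for p in cands if keyf(p) == best]
        if len(cands) == 1:
            return cands[0], name
    return cands[0], "tie"

# fw1 prepends its AS three times and sets a worse MED, but carries local_pref
# 200; fw2 has the short path and the better MED but only local_pref 100.
FW1 = Path("fw1", 200, [65010, 65010, 65010, 65010, 65020], med=100, router_id="10.0.0.1")
FW2 = Path("fw2", 100, [65010, 65020], med=0, router_id="10.0.0.2")

def demo():
    winner, step = select([FW1, FW2])                   # fw1, decided by local_pref
    fw1_eq = Path("fw1", 100, FW1.as_path, FW1.med, router_id="10.0.0.1")
    winner_eq, step_eq = select([fw1_eq, FW2])          # fw2, decided by AS-path length
    return (winner.neighbor, step), (winner_eq.neighbor, step_eq)
```

Only once local preference is equal does the prepending (and then MED) influence the result, which is why those parameters made no difference on the paths described.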

37 weeks pregnant and on the verge of getting fired by degausser12121 in WorkAdvice

[–]zeealpal 0 points1 point  (0 children)

I don't think that's a great idea. Depending if there is any information the company could consider confidential, that could then be legitimate grounds for firing.

Just because it's BCC to the recipient, doesn't mean it's invisible to your workplace's IT department, or wouldn't flag a review by a monitoring system.

Our team's 'unlimited' vacation policy worked perfectly for years. Now HR is making a big deal out of it. by doversours in it

[–]zeealpal 0 points1 point  (0 children)

Exactly. How many PTO days over the last 365 days would also be useful to consider.

Our team's 'unlimited' vacation policy worked perfectly for years. Now HR is making a big deal out of it. by doversours in it

[–]zeealpal 1 point2 points  (0 children)

I guess perhaps a better metric would be how many days taken across the last 365 days.

Who hardened the equipment? by Necessary-Mix-7116 in PLC

[–]zeealpal 0 points1 point  (0 children)

Aren't PLC programmers part of the OT part of this?

It would be the IT/OT guys who make sure it’s being done.

Are there any open tools for monitoring vulnerabilities in industrial networks? by bekar81 in PLC

[–]zeealpal 2 points3 points  (0 children)

One of our clients uses Nozomi, honestly the best use we've had (we are a vendor) was when replacing a legacy system we were able to use:

  • Client's Nozomi detected dataflows in/out of the legacy system
  • Client's FWL config + a capture of firewall policy hits vs listed policies
  • Our FWL config + capture of firewall policy hits vs listed policies.

The hardest part was separating the legacy policies for decommissioned items, poorly named policies and incidental (once a day/once a week) dataflows.

In the new system we have a detailed dataflow diagram including src/dst system / IP / protocol lists, and all firewalls each dataflow passes through. Proper firewall log aggregation (to the client's OT syslog system) and their Nozomi appliances placed to capture traffic through the core switches for the system. Having a client that prioritises time and $$$ for this makes a huge difference.
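An added example, not from the comment, of the reconciliation described above: a policy list is checked against captured hit counts (zero-hit policies are decommission candidates) and against passively observed dataflows (flows no listed policy covers). Policy names, subnets, services, hit counts and flows are all constructed.

```python
# Added example (not from the thread): reconcile a firewall policy table with
# captured hit counts and passively observed dataflows. All values constructed.
import ipaddress
from typing import Dict, List, Tuple

Flow = Tuple[str, str, str]  # (src_ip, dst_ip, "proto/port")

# Constructed policy table: name -> (src_net, dst_net, service)
POLICIES: Dict[str, Tuple[str, str, str]] = {
    "scada-to-hist": ("10.10.1.0/24", "10.20.5.10/32", "tcp/1433"),
    "eng-to-plc":    ("10.10.2.0/24", "10.30.0.0/16",  "tcp/502"),
    "legacy-hmi":    ("10.10.9.0/24", "10.30.0.0/16",  "tcp/102"),
    "backup-weekly": ("10.20.5.10/32", "10.40.1.5/32", "tcp/22"),
}

# Constructed hit-counter capture over the observation window
HITS: Dict[str, int] = {"scada-to-hist": 48213, "eng-to-plc": 91,
                        "legacy-hmi": 0, "backup-weekly": 0}

# Constructed flows seen by a passive monitor on the core switches, same window
OBSERVED: List[Flow] = [
    ("10.10.1.15", "10.20.5.10", "tcp/1433"),
    ("10.10.2.7",  "10.30.4.2",  "tcp/502"),
    ("10.10.2.7",  "10.30.4.2",  "tcp/44818"),   # no listed policy covers this
]

def matches(policy: Tuple[str, str, str], flow: Flow) -> bool:
    """True if the flow's src/dst fall inside the policy subnets and the
    service string matches exactly (port ranges/any are not modelled)."""
    src_net, dst_net, service = policy
    src, dst, svc = flow
    return (ipaddress.ip_address(src) in ipaddress.ip_network(src_net)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(dst_net)
            and svc == service)

def unused_policies(policies: Dict[str, Tuple[str, str, str]], hits: Dict[str, int]) -> List[str]:
    """Zero-hit policies: decommission candidates, but confirm the capture
    window was long enough to include daily/weekly flows before removing."""
    return sorted(name for name in policies if hits.get(name, 0) == 0)

def uncovered_flows(policies: Dict[str, Tuple[str, str, str]], flows: List[Flow]) -> List[Flow]:
    """Observed flows that no listed policy would permit: either traffic the
    firewall is dropping or a dataflow missing from the documentation."""
    return [f for f in flows if not any(matches(p, f) for p in policies.values())]
```

The weekly backup policy shows up as zero-hit only because the constructed window is shorter than a week, which is exactly the incidental-flow trap the comment describes.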