Troubleshooting Juniper Advanced Threat Prevention Cloud: Checking DNS and Routing Configurations
Domain name system (DNS) servers are used for resolving hostnames to IP addresses.
For redundancy, it is a best practice to configure access to multiple DNS servers. You can configure a maximum of three DNS servers. The approach is similar to the way Web browsers resolve the names of a Web site to its network address. Additionally, Junos OS enables you configure one or more domain names, which it uses to resolve hostnames that are not fully qualified (in other words, the domain name is missing). This is convenient because you can use a hostname in configuring and operating Junos OS without the need to reference the full domain name. After adding DNS server addresses and domain names to your Junos OS configuration, you can use DNS resolvable hostnames in your configuration and commands instead of IP addresses.
DNS servers are site-specific. The following presents examples of how to check your settings. Your results will be different than those shown here.
First, check the the IP addresses of your DNS servers.
user@host# show groups global system name-server xxx.xxx.x.68; xxx.xxx.xx.131;
If you set up next-hop, make sure it points to the correct router.
user@host# show routing-options
static {
route 0.0.0.0/0 next-hop xx.xxx.xxx.1;
user@host# show groups global routing-options
static {
route xxx.xx.0.0/12 {
next-hop xx.xxx.xx.1;
retain;
no-readvertise;
}
}
Use ping to verify the SRX Series Firewall can communication with the cloud server. First use the
show services advanced-anti-malware status CLI command to get the cloud
server hostname.
user@host> show service advanced-anti-malware status
Server connection status:
Server hostname: xxx.xxx.xxx.com
Server port: 443
Control Plane:
Connection Time: 2015-12-14 00:08:10 UTC
Connection Status: Connected
Service Plane:
fpc0
Connection Active Number: 0
Connection Failures: 0Now ping the server. Note that the cloud server will not respond to ping, but you can use this command to check that the hostname can be resolved to the IP address.
user@host>ping xxx.xxx.xxx.com
If you do not get a ping: cannot resolve hostname: Unknown host message, then the hostname can be resolved.
You can also use telnet to verify the SRX Series Firewall can communicate to the cloud server.
First, check the routing table to find the external route interface. In the following example,
it is ge-0/0/3.0.
user@host> show route
inet.0: 23 destinations, 23 routes (22 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[Static/5] 2d 17:42:53
> to xx.xxx.xxx.1 via ge-0/0/3.0Now telnet to the cloud using port 443.
telnet xxx.xxx.xxx.xxx.com port 443 interface ge-0/0/3.0 Trying xx.xxx.xxx.119... Connected to xxx.xxx.xxx.xxx.com Escape character is '^]'
If telnet is successful, then your SRX Series Firewall can communicate with the cloud server.