SRX Commands
# Find the security policy that matches a specific connection (give the zones, addresses and ports as seen from the host that initiates the session):
> show security match-policies from-zone untrust to-zone trust source-ip 192.168.2.100 source-port 4000 destination-ip 192.168.2.88 destination-port 22 protocol tcp
# Check available storage:
> show system storage
Filesystem Size Used Avail Capacity Mounted on
/dev/da0s2a 617M 146M 422M 26% /
....
# Set the VPN DF bit to copy
By default the SRX does not copy the Don't Fragment (DF) bit of a host's packet into the outer IP header of the ESP packet it builds (df-bit clear). Outside a tunnel, a router that would have to fragment a DF-marked packet drops it instead and returns an ICMP "fragmentation needed" message, so the host lowers its packet size (path MTU discovery). Inside the tunnel that mechanism is lost: the outer ESP packet carries no DF bit, so a device on the path may fragment it, and the remote gateway then has to reassemble every fragmented ESP packet before it can decrypt it, which degrades VPN throughput. The following command copies the inner DF bit to the outer header (the other values are clear, the default, and set):
#set security ipsec vpn vpnname df-bit copy
Replace vpnname with the name of the VPN. With copy, an oversized outer packet is dropped on the path rather than fragmented, so pair this setting with TCP MSS clamping so that TCP sessions never produce packets that overflow the tunnel in the first place.
# Lower the TCP MSS for IPsec VPN traffic
The ESP encapsulation adds its own header, IV, padding and ICV, so a TCP segment that fills a 1500-byte MTU on the inside no longer fits in one packet once it is encrypted. Clamping the MSS advertised in TCP SYNs that traverse the tunnel keeps every segment small enough to fit in a single ESP packet and also improves performance:
#set security flow tcp-mss ipsec-vpn mss 1350
1350 is a conservative value that leaves room for the overhead of the common cipher suites, and for NAT-T UDP encapsulation, on a 1500-byte link.
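As an added worked example (not from the original page, and not Juniper code), the following Python script shows where a value like 1350 comes from: it computes the largest TCP MSS that lets an ESP tunnel-mode packet fit within a given outer MTU, and the size of the outer packet that a given MSS produces. The header sizes are the standard ones (IPv4 20, IPv6 40, TCP 20, NAT-T UDP 8, ESP header 8, ESP trailer 2); the IV, ICV and padding-alignment figures in the suite table are the values of RFC 4303/4106 for those algorithms and are assumptions for any suite not listed.

```python
"""Compute TCP MSS versus ESP tunnel-mode overhead.

Added example: this is not SRX code, it only reproduces the arithmetic
behind choosing a tcp-mss value for an IPsec VPN.
"""
from dataclasses import dataclass

IPV4_HDR = 20
IPV6_HDR = 40
TCP_HDR = 20
UDP_HDR = 8        # NAT-T encapsulation (UDP/4500)
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1)


@dataclass(frozen=True)
class EspSuite:
    """Per-suite ESP overhead: IV length, ICV length and padding alignment."""
    iv_len: int
    icv_len: int
    block: int  # the encrypted payload (inner packet + pad + trailer) is a multiple of this


# Constructed table of common suites (RFC 4303 / RFC 4106 values).
SUITES = {
    "aes-cbc-128/hmac-sha1-96": EspSuite(iv_len=16, icv_len=12, block=16),
    "aes-cbc-256/hmac-sha256-128": EspSuite(iv_len=16, icv_len=16, block=16),
    "aes-gcm-128": EspSuite(iv_len=8, icv_len=16, block=4),  # GCM needs only ESP's 4-byte alignment
}


def _fixed_overhead(suite: EspSuite, nat_t: bool, outer_ipv6: bool) -> int:
    """Bytes of the outer packet that are neither inner packet nor padding."""
    outer_ip = IPV6_HDR if outer_ipv6 else IPV4_HDR
    return outer_ip + (UDP_HDR if nat_t else 0) + ESP_HDR + suite.iv_len + suite.icv_len


def max_mss(outer_mtu: int, suite_name: str, nat_t: bool = False,
            outer_ipv6: bool = False, inner_ipv6: bool = False) -> int:
    """Largest TCP MSS whose segment still fits in one ESP packet of outer_mtu bytes."""
    suite = SUITES[suite_name]
    avail = outer_mtu - _fixed_overhead(suite, nat_t, outer_ipv6)
    avail -= avail % suite.block           # encrypted portion must be block aligned
    inner_max = avail - ESP_TRAILER        # room left for the whole inner IP packet
    inner_ip = IPV6_HDR if inner_ipv6 else IPV4_HDR
    return inner_max - inner_ip - TCP_HDR


def outer_size(mss: int, suite_name: str, nat_t: bool = False,
               outer_ipv6: bool = False, inner_ipv6: bool = False) -> int:
    """Size of the ESP packet produced by a full-size TCP segment with this MSS."""
    suite = SUITES[suite_name]
    inner_ip = IPV6_HDR if inner_ipv6 else IPV4_HDR
    body = inner_ip + TCP_HDR + mss + ESP_TRAILER
    pad = (-body) % suite.block            # pad up to the next block boundary
    return _fixed_overhead(suite, nat_t, outer_ipv6) + body + pad


def fits(mss: int, outer_mtu: int, suite_name: str, nat_t: bool = False) -> bool:
    """True if a segment with this MSS is tunnelled without fragmentation."""
    return outer_size(mss, suite_name, nat_t=nat_t) <= outer_mtu


if __name__ == "__main__":
    for name in SUITES:
        for nat in (False, True):
            print(f"{name:30s} nat-t={nat!s:5s} max MSS on 1500 MTU: "
                  f"{max_mss(1500, name, nat_t=nat)}")
    print("mss 1350 with AES-CBC-128/SHA1 over NAT-T ->",
          outer_size(1350, "aes-cbc-128/hmac-sha1-96", nat_t=True), "byte ESP packet")
```

Running it shows that 1350 fits every listed suite with NAT-T on a 1500-byte link, while the theoretical maximum for a plain AES-CBC/SHA1 tunnel is 1398; the margin is what makes 1350 a safe default when the far end's cipher suite or encapsulation is not known in advance.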