Juniper SRX Quickstart 12.1R3 by Thomas Schmidt

SRX JUMP STATION
Based on JUNOS Versions up to 12.1R3

last modified Nov 08 2012
Thomas Schmidt
Consulting Systems Engineer
WHAT IS THIS PURPOSE OF THIS QUICK START ?
This collection is for users who already have experience with ScreenOS firewalls and the
underlying concepts and now want to use JUNOS based SRX Firewalls
This Collection assumes you have already some knowledge of JUNOS (there are free
trainings to help you) but need a guide to configure a complete system.
This Collection is a guide to help you find the commands required for typical features and
tasks and give you brief, working examples.
Navigation:
Click on the in the right Top corner to get to the Jump Station Central
Click on the Login Chapter Buttons to get to the desired chapters
If you need more in depth information or more details of the underlying concepts consult the
documentation or participate in trainings.
This collection can not replace full JUNOS documentation or trainings and can not cover all
parameters available with a certain feature.
2 Copyright 2011 Juniper Networks, Inc. www.juniper.net

JUMP STATION CENTRAL
Basics Docs & Controll- & Login CLI ... ... ... ... ...
Papers Dataplane
Network Interfaces Switching Routing Trunk & Link Multicast IPv6 Transparent ...
OSPF,BGP LAG Redundanc Mode
Firewall Packet Flow Zones Policies Screens & NAT Flow & ALG Virtualize ... ...
Defense VR + LSys
VPN Route Policy VPNs with VPN Dynamic ... ... ... ...
based VPN based VPN Certificates Diagnostics VPN
Manage, Admin User Inband or Logging & SNMP & Netflow Space NSM STRM
Log,Monitor Role & Auth Outband Syslog RMON
Trouble- Monitor Log files Interface Debug Packet Debug

shooting Commands Monitoring Flow Capture VPN
Toolbox Access list DHCP Time & NTP DNS PPPoE UAC Port Class of
& DSL Enforcer Mirroring Service
AppFirewall Licenses AppSecure IDP AppTrack AppFirewall AppDDOS UTM, UTM, ...
IDP and UTM Overview Antivirus Webfilter
High Cluster Cluster Cluster Failover Cluster Cluster

Availability Overview Interfaces Setup Behavior States & NSM
More.. Boot loader Reset to Software Automation Nice Further

3 & Flash Factory Def. Copyright 2011&Juniper
Upgrade Networks, Inc.
Scripting Stuff www.juniper.net
Information
JUNOS BASICS
DOCUMENTATION AND GUIDES
THE RIGHT PLACE FOR
SRX HARDWARE AND SOFTWARE DOCUMENTATION
Use the following Link

ADDITIONAL USEFUL INFORMATION SOURCES
Day One Booklets
http://www.juniper.net/us/en/community/junos/training-certification/day-one/
Feature Explorer and Content Explorer

http://pathfinder.juniper.net/feature-explorer/
http://www.juniper.net/techpubs/content-applications/content-explorer/
Feature Support Reference Guide

https://www.juniper.net/techpubs/en_US/junos12.1/information-products/pathway-pages/security/feature-support-
reference.html?chap-feature-support-tables.html
SRX Knowledgebase (Jump Station)

http://kb.juniper.net/KB15694
SRX Knowledgebase (Here a list of the latest SRX articles)

http://kb.juniper.net/index?page=content&cat=SRX_SERIES&channel=KB
SRX Application Notes

http://www.juniper.net/us/en/products-services/security/srx-series/#literature
JUNOS Network Configuration Examples

http://www.juniper.net/techpubs/en_US/junos/information-products/pathway-pages/nce/index.html
Juniper Forum
Configuration Library http://forums.juniper.net/t5/Configuration-Library/bd-p/ConfigLib
DayOne Tips http://forums.juniper.net/t5/Day-One-Tips-Contest/bd-p/DayOneContest

CONTROLPLANE AND DATAPLANE
JUNOS SOFTWARE FEATURES (1 OF 2)
JUNOS software for SRX-series services gateways includes the

following elements:
JUNOS software as the base operating system
Session-based forwarding
Some ScreenOS-like security features
Packet-based features:
Control plane OS
Routing protocols
Forwarding features:
Per-packet stateless filters
Policers
CoS
J-Web

JUNOS SOFTWARE FEATURES (2 OF 2)
Session-based features:
Implements some ScreenOS features and functionality
through the use of new daemons
First packet of flow triggers session creation based on:
Source and destination IP address
Source and destination port
Protocol
Session token
Zone-based security features
Packet on the incoming interface is associated with the incoming zone
Packet on the outgoing interface is associated with the outgoing zone
Core security features:
Firewall, VPN, NAT, ALGs, IDP, and SCREEN options

CONTROL PLANE VERSUS DATA PLANE
Control Plane:
Implemented on the Routing Engine
JUNOS software kernel, daemons, chassis management, user
interface, routing protocols, system monitoring, clustering control
Data Plane:
Implemented on the IOCs and SPCs
Forwarding packets, session setup and maintenance,
load-balancing, security policy, screen options, IDP, VPN

LOGIN
LOGIN
Login in factory default state as user "root". Password is empty

Amnesiac (ttyd0)
login: root
********************************************************************
** Welcome to JUNOS: **
** **
** To run the console configuration wizard, please run the **
** command 'config-wizard' at the 'root%' prompt. **
** **
** To enter the JUNOS CLI, please run the command 'cli'. **
** **
********************************************************************
root@% cli
root>

LOGIN
Non root users are placed into the CLI automatically
switch (ttyu0)
login: user
Password:
--- JUNOS 9.1R2.10 built 2008-07-01 04:34:43 UTC

user@switch>
The root user must start the CLI from the shell
Do not forget to exit root shell after logging out of the CLI!
switch (ttyu0)
login: root Shell Prompt

Password:
--- JUNOS 9.1R2.10 built 2008-07-01 04:34:43 UTC

root@switch% cli CLI Prompt
root@switch>

CLI BASICS
CLI MODES
Shell - when you login as root
root% The % character identifies
cli Shell mode
root>
CLI - Operational Mode

The > character identifies
user@switch>
operational mode
CLI - Configuration mode:

user@switch> configure
[edit]
user@switch# The # character identifies
exit configuration mode
user@switch>

CLI HIERARCHY
Execute commands (mainly) from the default CLI level (user@switch>)

Can execute from configuration mode with the run command
Hierarchy of commands
Example: show spanning-tree interface
Less Specific
clear configure help monitor set show etc.
dot1x configuration spanning-tree version etc.
bridge interface mstp statistics More Specific

CLI EDITING
EMACS-style editing sequences are supported

user@switch> show interfaces
Keyboard
Sequence
Ctrl+b
Ctrl+a
Cursor Position
Ctrl+f
Ctrl+e
A VT100 terminal typeCopyright

also supports the Arrow keys
18 2011 Juniper Networks, Inc. www.juniper.net
COMMAND AND VARIABLE COMPLETION
Spacebar completes a command
user@host> sh<space>ow i<space> Enter a space to
'i' is ambiguous.
complete a command
Possible completions:
igmp Show Internet Group Management Protocol...
ike Show Internet Key Exchange information
interfaces Show interface information
ipsec Show IP Security information
isis Show Intermediate System-to-Intermediate...
user@host> show i
Use the Tab key to complete an assigned variable

[edit policy-options]
user@host# show policy-statement t<tab>his-is-my-policy
then accept;
[edit policy-options]
user@host#
Use Tab to complete

assigned variables

CONTEXT-SENSITIVE HELP
Type ? anywhere on the command line

user@host> ?
clear Clear information in the system
configure Manipulate software configuration information
file Perform file operations
help Provide help information
. . .
user@host> clear ?
arp Clear address resolution information
bfd Clear Bidirectional Forwarding Detection
information
bgp Clear Border Gateway Protocol information
firewall Clear firewall counters
. . .

SHOW CURRENT CONFIGURATION
JUNOS Style
root@J6350> show config
## Last commit: 2009-03-18 10:27:20 UTC by lab
version 9.3R2.8;
system {
host-name Demo-081-111-J6350;
root-authentication {
encrypted-password "$1$QOLKoFKc$D/rIuLTkLP1BX9/GjQ.yN."; ## SECRET-DATA
}
name-server {
172.30.80.65;
}
login {
user lab {
uid 2000;
class super-user;
........
ScreenOS Style
root@J6350> show config | display set
set version 9.3R2.8
set system host-name J6350
set system root-authentication encrypted-password "$1$QOLKoFKc$D/rIuLTkLP1BX9/GjQ.yN."
set system name-server 172.30.80.65
set system login user lab uid 2000
set system login user lab class super-user
21 ........ Copyright 2011 Juniper Networks, Inc. www.juniper.net
CONFIGURATION, CANDIDATE, COMMIT, ROLLBACK

COMMANDS IN CONFIGURATION MODE (1)

COMMANDS IN CONFIGURATION MODE (2)

COPY/PASTE CONFIGURATIONS
To paste and override the whole configuration

SRX# load replace terminal
[Type ^D at a new line to end input]
system {
........
To paste and add pieces of configuration

SRX# load merge terminal <relative>
system {
........
To paste configuration written with "set" commands

SRX# load set terminal <relative>
set system .

CONTROL AND FORWARDING PLANE OF A JUNOS
ROUTER

NETWORK
INTERFACES
INTERFACE NUMBERING
Interfaces Names and Numbers
Interface name = <Interface Type>-<Slot>/<Module>/<Port>.<logical number>
All numbers start from 0
Example :
ge-0/1/2.3 - Gigabit Interface (Slot 0, Module 1, Port 2, Logical unit 3)
fe-0/1/2.3 - Fast Ethernet Interface
st0.0 - First Secure Tunnel Interface (VPN Tunnel)
lo0 - First loopback interface
For a list of Interface Types see

http://www.juniper.net/techpubs/software/JUNOS/JUNOS96/swconfig-network-
interfaces/frameset.html
Wildcards - Many commands accept wildcards in ifnames

show interfaces ge-0/0/*

SWITCHING
SWITCHING ON FIREWALLS ?
Switching Features on the Firewall can help to simplify the network by
eliminating additional switches. This can be a commercial and
management advantage, especially in small branch offices.
Switching is possible on Branch SRX Models (SRX100.SRX650)

and J-Series with UPIM Modules
Switching is not available (and not needed) on High-End SRX
Switching is done in Hardware. Full throughput can be achieved,

without consuming CPU-performance
Since JUNOS 10.0 the smaller SRX (100...240) have Switching

enabled on all interfaces (except ge-0/0/0) in the Factory Default
configuration

SWITCHING
DEFAULT CONFIGURATION ON SRX210 WITH JUNOS 10.0
# An internal VLAN (vlan-trust) is defined to allow switching several interfaces
set vlans vlan-trust vlan-id 3
# A interface vlan unit 0 is assigned to this vlan as the Layer3 interface in this VLAN
set vlans vlan-trust l3-interface vlan.0
# This layer 3 interface can has an IP address that is reachable from all
# host on it's VLAN. In Branch deployments this is typically the gateway address.
set interfaces vlan unit 0 family inet address 192.168.1.1/24
# All physical interfaces - except ge-0/0/0 of the SRX210 are now assigned
# to a interface-range with the name interfaces-trust
set interfaces interface-range interfaces-trust member ge-0/0/1
set interfaces interface-range interfaces-trust member fe-0/0/2
# The interface-range is assigned to the VLAN vlan-trust

set interfaces interface-range interfaces-trust unit 0 family ethernet-switching vlan
members vlan-trust
# It's a firewall, so the interface is mapped to zone trust where all services are enabled
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
SWITCHING
ANOTHER CONFIGURATION EXAMPLE
# Before you can add an interface to Switching you probably have to remove assignments.
# If there is an IP address assigned to the interface you have to remove it
delete interfaces fe-0/0/2 unit 0 family inet
# If the interface is member of an interface-group in use, you have to untie it
delete interfaces interface-range .... member fe-0/0/2
# You can specify a VLAN, which will be used for Switching

set vlans VLAN-100 vlan-id 100
# Configure Ethernet switching on the interfaces that are part of VLAN.

# Default for new switching interfaces is access mode (=untagged)
set interfaces fe-0/0/2 unit 0 family ethernet-switching
set interfaces fe-0/0/3 unit 0 family ethernet-switching
# Assign these interface to the desired VLAN

set vlans VLAN-100 interface fe-0/0/2.0
set vlans VLAN-100 interface fe-0/0/3.0
# Configure a VLAN interface with an IP for this VLAN

set interfaces vlan unit 100 family inet address 192.168.1.1/24
# Assign this VLAN interface as your Layer3 Interface on this VLAN

set vlans VLAN-100 l3-interface vlan.100
# It's a firewall, so the VLAN interface must also be in a zone

set security zones security-zone trust interfaces vlan.100
# Allow services on the VLAN interface if desired

set security zones security-zone trust interfaces vlan.100 host-inbound-traffic ....
SWITCHING
TROUBLESHOOTING COMMANDS
# show which vlans exist and which interfaces are assigned
show vlans [detail]
# history of MACs added and removed

show ethernet-switching mac-learning-log
# Current MAC Table

show ethernet-switching table
# Current MAC Table from a certain interface

show ethernet-switching table interface fe-0/0/2

ETHERNET SWITCHING ON BRANCH SRX
INTERFACES SUPPORTED
Platforms On-Board uPIM MPIM XPIM
J2320
J2350
J4350
J6350
SRX100
SRX110
SRX210 *
SRX220 *
SRX240 *
SRX550 * **
SRX650 **
* Ethernet switching support is planned for future release for 1 Gigabit Ethernet SFP MPIM on the SRX210,SRX220,SRX240 and SRX550.
** As of JUNOS OS Release 12.1, Ethernet switching is not supported on 10G XPIM.

REMARKS
Configuration Syntax for all supported features is exactly the same
as with the EX Switches. The Documentation Feature Support
Reference explains which Switching Features are supported
There are some dependencies which Ports can be used for

switching (see Documentation )
Before 11.1 Switching was only applicable for single units.

Commit in the Cluster was only possible, when all switching
configuration was removed. The assumption was, that HA cluster
Configurations are usually designed with external Switches
Since 11.1 Switching is also supported on Branch SRX and can

even span the two Cluster members. This requires an additional
link between the two nodes.

ROUTING
STATIC ROUTES
CONFIGURATION
# Host Route
set routing-options static route 10.2.2.1/32 next-hop 10.1.1.254
# Network Route
# Default Route
# Route to an Interface
# Useful for Point-to-Point Interfaces like pppoe, vpn-tunnel, gre-tunnel
set routing-options static route 0.0.0.0/0 next-hop pp0.0
set routing-options static route 10.1.1.0/24 next-hop st0.0
# Route to another Virtual Router

set routing-options static route 10.0.0.100/32 next-table Logging.inet.0
# Example for a the Definition of the VR with name Logging referenced above
set routing-instances Logging instance-type virtual-router
set routing-instances Logging interface ge-0/0/7.0
# A network route to discard any traffic that did not hit a more specific route
# Black hole Routes could sometimes save performance for policy lookups or
# avoid rerouting in case of interfaces failures (example: VPN is down)
set routing-options static route 0.0.0.0/0 discard

STATIC ROUTES
ROUTE FAILOVER WITH IP-MONITORING
# Since 11.4 all Branch SRX support IP-Monitoring and automatic route failover
# Check out KB22052 for configuration details of an dual ISP connection with RPM for
# IP-Monitoring and Filter based Forwarding for load distribution
set services ip-monitoring policy Server-Tracking match rpm-probe Probe-Server

set services ip-monitoring policy Server-Tracking then preferred-route routing-
instances FBF-1 route 0.0.0.0/0 next-hop 2.2.2.2 ------> Installs route in the First
Routing Instance
set services ip-monitoring policy Server-Tracking1 match rpm-probe Probe-Server1

set services ip-monitoring policy Server-Tracking1 then preferred-route routing-
instances FBF-2 route 0.0.0.0/0 next-hop 1.1.1.1 ------> Installs route in Second
Routing Instance

STATIC ROUTES
MONITORING
# display Routing table
root@J2300> show route
inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)

+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[Static/5] 01:13:15

> to 172.16.42.1 via fe-0/0/0.0
10.2.2.0/24 *[Static/5] 00:00:05
> to 172.16.42.1 via fe-0/0/0.0
172.16.42.0/24 *[Direct/0] 01:13:15
> via fe-0/0/0.0
172.16.42.230/32 *[Local/0] 01:21:12
Local via fe-0/0/0.0
224.0.0.9/32 *[RIP/100] 01:21:37, metric 1
MultiRecv
# route lookup for a certain destination

root@J2300> show route 20.0.0.1
# routing table overview

root@J2300> show route summary
# Forwarding table (includes all active routes, visible for the data-plane)
root@J2300> show route forwarding-table

OSPF
CONFIGURATION
# enable OSPF on a interface
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0
# And permit ospf traffic to this zone
set security zones security-zone host-inbound-traffic protocols ospf
# Recommended: use loopback interface

set interfaces lo0 unit 0 family inet address 192.168.1.2/32
set protocols ospf area 0.0.0.0 interface lo0.0 passive
# Option: specify your own Router-id

set routing-options router-id 192.168.1.2
# to get direct interface routes announced you can add them to OSPF in passive mode
set protocols ospf area 0.0.0.0 interface vlan.100 passive
# Option: Negotiate graceful restart

set routing-options graceful-restart
# On SRX Clusters for RG0 failover, you might have to extend OSPF Timers to survive
# a dead interval of 5-20 seconds and also use the following setting:
set protocols ospf graceful-restart no-strict-lsa-checking

RIP
CONFIGURATION
# RIP requires a group, all interface are attached to this group
set protocols rip group RIP ge-0/0/0.0
set protocols rip group RIP ge-0/0/1.0
# And permit rip traffic to the zones of these interfaces

set security zones security-zone TRUST host-inbound-traffic protocols rip
# You can add IPSEC Tunnel-Interfaces with relaxed RIP-Update-Timers

# You can even work with Tunnel-Interfaces with Next-Hop-Tunnel-Binding (NHTB)
set protocols rip group RIP neighbour st0.0 interface-type p2mp
set protocols rip group RIP neighbour st0.0 dynamic-peers
set interface st0 unit 0 multipoint
# Option: Negotiate graceful restart

# Import Routes to the RIP group via policy-options filter

set policy-options policy-statement FILTER term a from route-filter 1.2.3.0/24 exact
set policy-options policy-statement FILTER term a then accept
set policy-options policy-statement FILTER term drop then reject
set protocols rip group RIP export FILTER

OSPF
MONITORING
# See Neighbors and State
root> show ospf neighbour
Address Interface State ID Pri Dead
10.222.2.2 ge-0/0/11.0 Full 192.168.36.1 128 36
# Link State Database

root> show ospf database

OSPF IMPORT/EXPORT FILTER (POLICY-OPTIONS)
# OSPF default is to import everything (into RT) and export routes only from interfaces
# that are (active) members of the same OSPF area
# For export of all other routes or to filter inbound routes you need Routing Policy
# Filters
# Example Filter to export all local static and all direct routes
set policy-options policy-statement ALL-LOCAL
set term 1 from protocol direct
set term 1 then accept
set term 2 from protocol static
set term 2 then accept
top
set protocols ospf export ALL-LOCAL
# Example Filter to export only a certain route (which must exist on the routing table)
set policy-options policy-statement JUST-ONE
set term 1 from route-filter 172.10.0.0/16 exact
set term 1 then metric 10 accept
top
set protocols ospf export JUST-ONE

BGP
CONFIGURATION
# Example Configuration With Two AS
# Permit BGP traffic on the zone or interface(s) where you reach your peer(s)
set security zones security-zone trust host-inbound-traffic protocols bgp
# Recommended: use loopback interface

set interfaces lo0 unit 0 family inet address 1.1.1.2/32
# Specify your own AS and your Router-ID

set routing-options autonomous-system 1234
set router-id 1.1.1.2
# Specify Peer(s)
set protocols bgp group UPSTREAM
set local-address 1.1.1.2
set peer-as 64005
set local-as 64006
set neighbor 1.1.1.1 export BGP-EXPORT-POLICY
top
# A Policy how to export the routes

set policy-options policy-statement BGP-EXPORT-POLICY from protocol direct
set policy-options policy-statement BGP-EXPORT-POLICY then accept
# Option: Set static routes that do not redistribute

set routing-options static route 1.1.2.0/24 no-readvertise
# Option: Specify how to aggregate routes

set routing-options aggregate 1.1.1.1/20 [policy ... ]
BGP
MONITORING
show bgp neighbour
show bgp summary
show route summary
# Which routes did we receive from a neighbour

show route receive-protocol bgp <peer-ip>
# Which routes do we send to a neighbour

show route advertising-protocol bgp <peer-ip>

IS-IS
CONFIGURATION
set interfaces ge-0/0/1 unit 0 family iso
set interfaces ge-0/0/2 unit 0 family iso
set interfaces lo0 unit 0 family iso address 49.0002.0002.0002.00
set protocols isis interface ge-0/0/1.0

set protocols isis interface ge-0/0/2.0
set protocols isis interface lo0.0 passive

TUNNEL INTERFACES
TUNNEL INTERFACES :
GRE - GENERIC ROUTING ENCAPSULATION
# Typical Use cases for GRE Tunnels are
# - OSPF over GRE with non-Juniper Routers
# - Multicast over GRE with non-Juniper Routers
set interfaces gr-0/0/0 unit 0 tunnel source 10.0.0.1

set interfaces gr-0/0/0 unit 0 tunnel destination 10.0.0.2
set interfaces gr-0/0/0 unit 0 family inet address 10.1.0.1/3
set protocols ospf area 0.0.0.0 interface gr-0/0/0.0
set security zones security-zone vpn host-inbound-traffic protocols ospf
set security zones security-zone vpn interfaces gr-0/0/0.0
# MTU Adjustments might be necessary because GRE Default MTU is ~ 9000
# When Fragementation happens in a GRE Tunnel there are two options for reassembly
# a) use IDP Inspection on the traffic leaving the tunnel
# b) since JUNOS 11.2 you can apply the following command
"set security flow force-ip-reassembly

TUNNEL INTERFACES:
LOGICAL TUNNEL
# Logical Tunnel can be used like a physical wire between two interfaces of an SRX
# Typical use cases are:
# - forwarding between VR in packet mode and VR in flow mode
# - forwarding between VR to apply two policies to one session
# - Intra-Lsys Traffic (all Lsys have one Tunnel to Lsys0)
# Logical Tunnel Interfaces

set interfaces lt-0/0/0 unit 0 encapsulation ethernet
set interfaces lt-0/0/0 unit 0 peer-unit 1
set interfaces lt-0/0/0 unit 0 family inet
set interfaces lt-0/0/0 unit 1 family inet
# and now use them between two VRs

set routing-instances r1 interface lt-0/0/0.0
set routing-instances r2 interface lt-0/0/0.1

TUNNEL INTERFACES:
IP OVER IP
# This Example is used to forward all IPv6 traffic encapsulated in IPv4 to 10.19.3.1
set interfaces ip-0/0/0 unit 0 tunnel source 10.19.2.1

set interfaces ip-0/0/0 unit 0 tunnel destination 10.19.3.1
set interfaces ip-0/0/0 unit 0 family inet6 address 7019::1/126
set routing-options rib inet6.0 static route ::0/0 next-hop ip-0/0/0

MULTICAST
IPV4 MULTICAST CONFIGURATION (1)
# IGMP to allow Receivers to join/leave a group,
# Version1 had join only and 3 min timeout
# Version2 (Default) allows Receiver join and leave
# Version3 allows to join and select Source-IP of Sender selection
set protocols igmp interface reth2.0 version 3
# Enable PIM to communicate with Multicast Routers in the Distribution Tree

set protocols pim interface reth1.0
# Finding the Rendezvous Point

# Option 1: Static Rendezvous point on an other Router
set protocols pim rp static address 192.168.1.1
# Option 2: we are Rendezvous Point by yourself - in this case loopback int. is best pract.
set interface lo0.0 <IP-for-RP>
set protocols pim rp local address <IP-for-RP>
# Other Options supported for RP selection: Anycast, Bootstrap, Auto-RP

# Best Practice for Multicast Routing: PIM Dense Mode with Anycast RP
# Check Technote: Multicast Implementation Guide

IPV4 MULTICAST CONFIGURATION (2)
# Allow igmp on all interfaces where we expect receivers to join
set security zones security-zone A interfaces reth1.0 host-inbound-traffic protocols igmp
set security zones security-zone B interfaces reth2.0 host-inbound-traffic protocols igmp
# Allow PIM on all interfaces where we expect distribution Routers

set security zones security-zone A interfaces reth1.0 host-inbound-traffic protocols pim
set security zones security-zone B interfaces reth2.0 host-inbound-traffic protocols pim
# All interfaces can also be in a custom VR
# IGMP Configuration is not in VR context

set protocols igmp interface reth20.0 version 3
set routing-instances VR-MCAST instance-type virtual-router

edit routing-instances VR-MCAST
set interface vlan.3
set protocols igmp interface vlan.20
set protocols pim rp local address 10.0.42.110
set protocols pim interface vlan.10
top

IPV4 MULTICAST TROUBLESHOOTING
# Monitoring
show pim bootstrap [instance VR]
show pim interfaces [instance VR]
show pim join [instance VR]
show pim mdt [instance VR]
show pim neighbors [instance VR]
show pim rps [instance VR]
show pim source [instance VR]
show pim statistics [instance VR]
show igmp interface

show igmp output-group
show igmp statistics
show multicast route

show multicast rpf
# tcpdump to watch PIM and IGMP Packets

monitor traffic interface vlan.10 no-resolve detail size 1500 matching "pim || igmp"
# DEBUGGING
set protocols pim traceoptions file trace-pim
set protocols pim traceoptions flag all
set protocols igmp traceoptions file trace-igmp
set protocols igmp traceoptions flag all
# PIM to IGMP Proxy

show multicast pim-to-igmp-proxy
IPV4 MULTICAST FURTHER INFORMATION
# Best Practice for Multicast Routing: PIM Dense Mode with Anycast RP
# Check Technote: Multicast Implementation Guide
# IGMP-Proxy is not available, but pim-to-igmp-proxy is available

set pim-to-igmp-proxy upstream-interface ge-0/1/0.1
# Important Hint for Multicast on SRX-Cluster:

# Disable IGMP-Snooping on the surrounding switches to avoid outages after failover
# Multicast Configuration Overview and Examples

http://www.juniper.net/techpubs/en_US/junos12.1/information-products/pathway-pages/config-
guide-multicast/config-guide-multicast.html#configuration
# Dense Mode and Debugging Example

http://kb.juniper.net/InfoCenter/index?page=content&id=KB24781
# Multicast Implementation Guide (EX and MX)

http://kb.juniper.net/library/CUSTOMERSERVICE/technotes/8010062-001-EN.pdf

IPV6
IPV6
CURRENT STATE (12.1)
IPv6 firewalling
- works in route mode with the following Features:
- Policy/Zones/Flow/Fragment/HA/ [ FTP/TFTP/DNS ALG]/FW Auth
- in Active/Passive Clusters since 10.0
- in Active/Active Clusters since 11.2
- IDP on Ipv6 in route mode since 11.4
- works in transparent mode with the following features since 11.4r3

Policy/Zones/Flow/Fragment/HA/ [ FTP/TFTP/DNS ALG]/FW Auth/Vlan Retagging/SNMP
For more Details on IPv6 Feature Support in JUNOS 12.1 check this Documentation
http://www.juniper.net/techpubs/en_US/junos12.1/topics/reference/general/security-feature-ipv6-support.html

IPV6 DHCPV6 SERVER
# DHCP-Server for Prefix Delegation is available on High-end-SRX
# Example below offers prefix delegation only (no exact IP assignment)

edit system services dhcp-local-server dhcpv6
set overrides interface-client-limit 100
set group GROUP1 interface ge-0/0/0.0
top
edit access address-assignment pool TRUSTv6 family inet6

set prefix fd27:9816:dca8:1::/48
set range RANGE1 prefix-length 64
top
# For exact IP assignment and DHCP Server assignment use these statements
edit access address-assignment pool TRUSTv6 family inet6
set dhcp-attributes dns-server ....
set dhcp-attributes options ....
set range RANGE1 high ...
set range RANGE1 low ...
top

IPV6
DIAGNOSTICS
show interface terse
# it will then shows two IPv6 IPs for each interface
# 2001:........ = global address
# fe80:x:x:x = link local address
#
show route <table inet6.0>
show ipv6 neighbours
show ipv6 router-advertisement
# Interface Traffic monitor - filtered to IPv6 only

monitor traffic interface ge-0/0/0.0 matching ip6 size 200 detail
# ping, we use the same ping for ipv4 and ipv6

ping 2001:638:c:a057::1
# force ping with IPv6

ping inet6 www.heise.de
# traceroute, same command as for IPv4

traceroute 2001:db8:0:6:202:b300:2215:595 source 2001:db8::5
# Monitoring session table

show security flow session summary family [inet|inet6]

IPV6
DYNAMIC ROUTING WITH RIPNG
# Enable RIP Listener on the following interfaces
edit protocols ripng
edit group NEIGHBORS
set neighbour ge-0/0/0.0
set neighbour ge-0/0/1.0
set neighbour fe-0/0/2.0
set neighbour fe-0/0/3.0
top
# If you want to export routes you need a route filter

edit policy-options policy-statement RIPNG-EXPORT
set term RIPNG from protocol ripng
set term RIPNG then accept
set term DIRECT from protocol direct
set term DIRECT from route-filter 2001:DB8::/32 orlonger
set term DIRECT then accept
top
# The Route Filter must be applied to the RIPNG Group

set protocols ripng group NEIGHBORS export RIPNG-EXPORT
# Monitoring
show route receive-protocol ripng
show route advertising-protocol ripng
show route protocol ripng

IPV6
DYNAMIC ROUTING WITH OSPFV3
# Introduction of a loopback Interface is best practice when using Routing protocols
set interface lo0 unit 0 family inet address 10.0.0.210/32
# Specifying the router-id (as IPv4) is also recommended

set routing-options router-id 10.0.0.210
# Enable OSPF Listener on the following interfaces

edit protocols ospf3
set area 0 interface lo0.0 passive
set area 0 interface ge-0/0/0.0
set area 0 interface ge-0/0/1.0
set area 0 interface fe-0/0/2.0
set area 0 interface fe-0/0/3.0
top
# Monitoring Commands
show ospf3 neighbour
show ospf3 overview
show ospf3 route
show ospf3 statistics

IPV6
IMPROVED SECURITY
# Off-link malicious IPv6 nodes may spoof Neighbor Discovery messages to poison
# the routers ND cache. To mitigate, use
set protocols neighbor-discovery onlink-subnet-only
# reload after commit is suggested to clear out any bogus neighbor entries in the cache

VLAN TRUNKING AND
LINK AGGREGATION
VLAN TRUNKS
VLAN TRUNKS
NOTES AND LIMITATIONS
There are two possible approaches to configure a VLAN trunks on SRX
As part of the "Switching" Configuration (family ethernet-switching)
As part of the "Routing" Configuration (family inet)
"Switching" Configuration
Allows Switching between all interfaces that are part of a VLAN. The
member interfaces can be tagged and/or untagged
Supported only on Branch SRX
Not supported on redundant interfaces of a cluster
"Routing" Configuration
Allows to create a sub interface and use it for routing
Supported on all SRX Platforms
Supported also in cluster mode (can be applied to reth Interfaces)
Supported also on aggregate interfaces
VLAN TRUNK
CONFIGURATION EXAMPLE FAMILY "INET"
# Enable VLAN-Tagging on a physical interface

set interfaces ge-0/0/0 vlan-tagging
# Now we can create two sub interfaces on this physical interface

# Best practice: use vlan-id also for the unit number
set interfaces ge-0/0/0 unit 11 vlan-id 11
set interfaces ge-0/0/0 unit 11 family inet address 10.0.11.1/24
set interfaces ge-0/0/0 unit 12 vlan-id 12

# The different interface can be in different VLANs

set security zone security-zone zone11 interface ge-0/0/0.11
set security zone security-zone zone12 interface ge-0/0/0.12

VLAN TRUNK
CONFIGURATION EXAMPLE FAMILY "SWITCHING"
# Define all Vlans you want to participate in

set vlans VLAN-80 vlan-id 80
# For Trunk Ports which have multiple VLANs use the following Syntax
set interfaces xe-0/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces xe-0/0/0 unit 0 family ethernet-switching vlan members all
# For Access Ports which are untagged but mapped to a certain VLAN
# use the following syntax
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members <name>
# To create a RVI (routed virtual interface) to have an IP on a VLAN

set interface vlan unit 80 family inet address 80.0.0.1/24
# And assign this interface to the VLAN

set vlans VLAN-80 l3-interface vlan.80

LINK AGGREGATION
AND LACP
LINK AGGREGATION ON BRANCH SRX
Standalone Units:
Link Aggregation is possible by configuration of AE interfaces
AE interfaces are supported with family ethernet-switching since JUNOS 9.5
AE interfaces are supported with family inet since JUNOS 10.1r2
LACP on AE interfaces with family switching is supported since JUNOS 9.5
LACP on AE interfaces with family inet are supported since JUNOS 10.2r2
Chassis Clusters (Redundant Interfaces)
Redundant Interfaces (as required in Clusters to failover) can have Aggregate Interfaces as
members since JUNOS 10.3r2
Switching across Members of an HA Cluster is available since 11.2 - this requires an
additional link between the two Branch SRX
Chassis Cluster (Private Interfaces)
Private Interfaces - that are only active on one Cluster member - are possible in Clusters
Private Interfaces still can be aggregate interfaces (local LAG)
Private Interfaces can not have member interfaces from both Chassis at the same time
A configuration with member interfaces from different chassis might commit but it is not
supported

LINK AGGREGATION ON DATACENTER SRX
Standalone Units
Link Aggregation is possible by configuration of AE interfaces
Aggregated Ethernet Interfaces are supported since JUNOS 10.0
Aggregate Ethernet Interfaces can be used with family inet only
LACP support is available on High-End SRX, since JUNOS 10.2r3
Chassis Clusters (Redundant Interfaces)
AE can not be used in Chassis Cluster for redundant interfaces but since JUNOS 10.1 there
is another configuration available for link aggregation in chassis clusters.
This configuration can even span cluster members. Only interfaces on the active link will be
used to receive and transmit data.
Check Admin Guide for these "Redundant Ethernet Interface Link Aggregation Groups".
Chassis Clusters (Private Interfaces)
Private Interfaces - that are only active on one Cluster member - are possible in Clusters
Private Interfaces still can be aggregate interfaces (local LAG)
Private Interfaces can not have member interfaces from both Chassis at the same time
A configuration with member interfaces from different chassis might commit but it is not
supported

LINK AGGREGATION ON A SINGLE UNIT
Configuration Example for a Aggregate Ethernet Interface

# Set number of Aggregated Interfaces on this device/chassis
set chassis aggregated-devices ethernet device-count <number>
# Configure AE interfaces (ae0,ae1.)

# On High-End SRX AE can be members of family inet
# On Branch SRX AE can be members of family inet and family ethernet-switching
set interfaces <aex> unit 0 family inet address <ip address>
# Associate physical ethernet interfaces to the AE

set interfaces <interface-name> gigether-options 802.3ad <aex>
# Minimum number of Links required for this aggregate to be UP

set interfaces <aex> aggregated-ether-options minimum-links <n>
# LACP configuration (today only supported on Branch SRX)

set interfaces <aex> aggregated-ether-options lacp passive

LINK AGGREGATION ON A CHASSIS CLUSTER
Configuration Example for a Redundant Ethernet Interface

# On High End SRX LAG support starts with 10.1r2, LACP starts with 10.2r3
# On some Branch SRX LAG support starts with 10.3r2, LACP also starts with 10.3r2
# Documentation: "Chassis Cluster Redundant Ethernet Interface Link Aggregation Groups"
set interfaces ge-1/0/1 gigether-options redundant-parent reth1

set interfaces reth1 redundant-ether-options minimum-links 3
# From the Network Point of view, these are two independent Aggregate Interfaces.
# Only the interfaces on the active node are used for transmission
# Further LACP Configuration can be added to the reth Interface now

set interfaces reth1 redundant-ether-options lacp periodic fast
set interfaces reth1 redundant-ether-options lacp passive
set interfaces reth1 redundant-ether-options lacp active

LINK AGGREGATION ON DATACENTER SRX
Extend lacpd to Support RETHs with JUNOS 10.2

Hitless RG failover for transit
traffic Cluster 1
SRX 5600 SRX 5600
Handle active/standby LAGs HA HA
independently and simultaneously Node 0 Node 1
Support: A reth is connected to

two switches reth0
Active LAG standby LAG
Support: A reth is connected to RLAG
one single switch
At remote side: Active LAG and
standby LAG each shall be ae0 ae1
terminated at an AE or equivalent
(same as 10.1)
Switch / Router Switch / Router

LINK REDUNDANCY
IP MONITORING & FAILOVER WITH RPM
# Since 11.4r2 Branch SRX allows to use RPM to monitor reachability of a destination
# and in response of PASS or FAIL failover route or interface
# Configure Probes for user PING-PROBE

# Example probe SERVER1 checks if server responds to ping
edit services rpm probe PING-PROBE test SERVER1
set probe-type icmp-ping
set target address 192.168.42.1
set probe-count 5
set probe-interval 5
set thresholds successive-loss 5
set test-interval 10
top
edit services ip-monitoring policy FAILOVER-Policy

set match rpm-probe PING-PROBE
# admin state of a back-up interface can be enabled if the RPM fails on the primary
# If the normal condition is restored the backup-interface is disabled again
set then interface ge-0/0/1/0 enable
top
# Monitoring of the ip-monitoring feature

show services ip-monitoring status

BLACKHOLE FORWARDING DETECTION
# Black hole Forwarding Detection, Available in OSPF/BGP
# Useful for link availability tests with aggressive timing (failover within 300msec)
# Detect OSPF Link Failure after 3x500msec

edit protocols ospf area 0.0.0.0 interface ge-0/0/0.0
set bfd-liveness-detection minimum-interval 500;
set bfd-liveness-detection multiplier 3;
set bfd-liveness-detection full-neighbors-only;
top
# Detect BGP Link Failure

set protocols bgp bfd-liveness-detection
set minimum-interval 800
set multiplier 3
set transmit-interval minimum-interval 150
set transmit-interval threshold 500
set detection-time threshold 200
set holddown-interval 5
top

FLOW LOAD BALANCING WITH
EQUAL COST MULTIPATH ROUTING
# ECMP for Flows is supported on SRX since JUNOS 12.1
# Add multiple routes to the same destination

set static route 26.0.0.0/8 next-hop 23.0.54.111
# Usually only one of these routes would show up in the forwarding table.
# We need a Policy Statement to enable per packet load-balancing.
# On SRX this statement enforces in reality per flow balancing
set policy-statement LBP then load-balance per-packet
# And we must apply this policy to the forwarding-table

set forwarding-table export LBP
# Forwarding table shows several routes to the same destination

user@host> show route forwarding-table
Routing table: default.inet
Internet:
Destination Type RtRef Next hop Type Index NhRef Netif
...
26.0.0.0/8 user 0 23.0.54.111 rslv 0 1 ge-0/0/4.0
26.0.0.0/8 user 0 24.0.44.101 rslv 0 1 ge-0/0/6.0
26.0.0.0/8 user 0 25.0.44.106 rslv 0 1 ge-0/0/7.0
# Finally we might influence the balancing algorithm (L3 = IP only, L4, TCP+UDP too)
set forwarding-options hash-key family inet layer-3
set forwarding-options hash-key family inet layer-3
VRRP
CONFIGURATION
# VRRP allows to failover an Interface between two devices - which are not a cluster
# Typical use case: Primary and backup Internet access device (each with it's own WAN link)
# Remember that VRRP Cluster does not sync sessions - all session must be reestablished
# VRRP - node0
edit interfaces fe-0/0/7 unit 0 family inet address 192.168.0.101/24 vrrp-group 150
set virtual-address 192.168.0.150
set priority 100
set no-preempt
set authentication-type md5
set authentication-key secret
top
# VRRP - node 1
set interfaces fe-0/0/7 unit 0 family inet address 192.168.0.102/24 vrrp-group 150
set virtual-address 192.168.0.150
set priority 110
set no-preempt
set authentication-type md5
set authentication-key secret
top
# VRRP Troubleshooting
run show vrrp summary
run show vrrp interface fe-0/0/7

TRANSPARENT MODE
TRANSPARENT MODE OR BRIDGE MODE
Transparent/Bridge Mode on Datacenter SRX
Transparent Mode in A/P Clusters is supported since JUNOS 9.6
Transparent Mode in A/A Clusters is supported since JUNOS 10.0
Interface can either be in trunk mode or in access mode
VLAN Retagging is possible, and requires a per interface statement
Link Aggregation on reth Interfaces in Transparent Mode is supported since 11.4r1
IDP is supported in A/P since 11.2
Transparent/Bridge Mode on Branch SRX

Transparent Mode in A/P Clusters is supported since JUNOS 11.2
Interfaces can only be in access mode
Management access requires definiton of an IRB Interface as member of one bridge-domain
Today (12.1) a firewall can either be in pure Layer 2 mode or Layer 3 routed mode, no mix
During a Cluster Failover the physical links on the inactive machine will get bumped (L1 down for some seconds and
then up again) to clear CAM tables on the attached Switches.
A number of Features are not available/supported in Transparent Mode (12.1)

NAT, IPSEC VPN, GRE, Lsys, VR for IRB, L3/L4 classification for QoS (but 802.1q)

TRANSPARENT MODE / BRIDGE MODE
EXAMPLE1: TWO UNTAGGED INTERFACES
# A bridge domain is used to assign which interface share a MAC-Table
set bridge-domains BD1 domain-type bridge
set bridge-domains BD1 vlan-id 10
set bridge-domains BD1 domain-type bridge interface fe-0/0/0.0
set bridge-domains BD1 domain-type bridge interface fe-0/0/1.0
# This example uses 2 untagged interfaces

set interfaces ge-0/0/0 unit 0 family bridge interface-mode access
set interfaces ge-0/0/0 unit 0 family bridge vlan-id 10
# Reuse Zones trust and untrust

set security zones security-zone trust host-inbound-traffic system-services ssh
# Bind Interface to the Zone
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/1.0
# For Management access, you must attach an irb Interface a bridge domain
set interfaces irb unit 0 family inet address 1.1.1.0/24
set bridge-domains BD1 routing-interface irb.0

EXAMPLE2: MIXED TAGGED AND UNTAGGED INTERF.
# A bridge domain is used to assign which interface share a MAC-Table
set bridge-domains BD1 domain-type bridge
set bridge-domains BD1 vlan-id X (could be set to none)
set bridge-domains BD1 domain-type bridge interface xe-1/0/0
set bridge-domains BD1 domain-type bridge interface xe-2/0/0
# Example for Trunk Mode Interface (on Datacenter SRX)

set interfaces ge-0/0/10 vlan-tagging
set interfaces ge-0/0/10 native-vlan-id 10
set interfaces ge-0/0/10 unit 0 family bridge interface-mode trunk
set interfaces ge-0/0/10 unit 0 family bridge vlan-id-list 40-50
# Untagged traffic on Trunk Mode Interface is mapped to native VLAN
# Example for a Interface in Access Mode

# create a layer2 zone and define Permitted System Services

set security zones security-zone layer2 host-inbound-traffic system-services ssh
# Bind Interface to the Zone
set security zones security-zone layer2 interfaces ge-0/0/10.0
# For Management access, you must attach an irb Interface a bridge domain
set interfaces irb unit 0 family inet address 1.1.1.0/24
set bridge-domains BD1 routing-interface irb.0

HINTS AND MONITORING
# By default, family bridge allows forwarding for IPv4-unicasts and L2 broadcasts
# The following statement should allows other traffic too (CDP, STP, )
# IPv6 forwarding in transparent mode is currently planned for 11.4r4 (DC-SRX only)
set security flow bridge bypass-non-ip-unicast
# Full Documentation for Transparent Mode

https://www.juniper.net/techpubs/en_US/junos12.1/information-products/pathway-
pages/security/security-layer2-bridging-transparent-mode.html#configuration
show bridge-domains
show protocols l2-learning

FIREWALL
PACKET FLOW
SECURITY SERVICES PACKET WALK
Forwarding
Lookup
Reverse
Static Dest Source
Screens Route Zones Policy Static Services Session
NAT NAT NAT NAT
NO YES YES
Per Per Per Per

Match
Packet Packet Session? Screens TCP NAT Services Packet Packet
Policer Filter Filter Shaper
JUNOS Flow Module
1) Pull packet from queue 5a) No existing session 5b) Established session 6) Filter packet
2) Police packet FW screen check FW screen check 7) Shape packet
3) Filter packet Static and destination NAT TCP checks 8) Transmit packet
4) Session lookup Route lookup NAT translation
Destination zone lookup ALG processing
Policy lookup
Reverse static and source NAT
Setup ALG vector
Install session
SECURITY SERVICES PACKET WALK
Reverse
Static Dest Source
Screens Route Zones Policy Static Services Session
NAT NAT NAT NAT
NO YES YES
Match
Session? Screens TCP NAT Services
JUNOS Flow Module
AppID IDP SSL AppID IDP

ALG UTM AppFW UserFW
(packet) (packet) Proxy (stream) (stream)
Services ALG Module

ZONES
ZONES AND INTERFACES
# Zone Names are useful to map existing segmentation
# Typical zone names are derived from areas with same trust level (trust/untrust) or
# from department names (development, productions ...)
# Interface will not forward any traffic until they are assigned to a zone
# Each interface can only be mapped to one zone
# All interfaces in the same zone must be mapped to the same VR
# Assign IPv4 IP to an interface

# Create custom zones

set security zones security-zone DEVELOPMENT
set security zones security-zone VPN
# Assign Interface to zone

set security zones security-zone VPN interfaces st0.0

OBJECTS & POLICIES
OBJECT AND POLICIES OVERVIEW
Current State and Changes over Time
Global Policies and Address Objects are available since JUNOS 11.4
Logging:
To enable Logging for permit Rules use "set then log session-close"
To enable Logging for deny/reject Rules use "set then log session-init"
Counting:
Counting with "per time statistics" can be activated per policy (number of policies is limited)
Since JUNOS 12.1 there is a hit counter tracked by default for every policy
Description
Since JUNOS 12.1 Policies can have a description
Nested Groups (Groups of Groups) are supported since JUNOS 11.2
Before 11.2 NSM could be used to create nested groups (
DNS Resolution
DNS names can be resolved either at object creation time or frequently during usage
Wildcard Mask
Bitmasks for Address Objects are supported since JUNOS 11.1
Ranges
Address Ranges are not available in JUNOS today (12.1)
Negation
Negated Address Objects are not available in JUNOS today (12.1)

ADDRESS OBJECTS AND GROUPS (JUNOS <11.2)
set security zones security-zone trust address-book address NET10 10.1.1.0/24
set security zones security-zone trust address-book address HOST10 10.1.1.1/32
# We can also use DNS names, there are two ways

edit security zones security-zone trust address-book
# Resolve the Address once at commit time
set address JUNIPER-FIX www.juniper.net
# Resolve dynamically when policy is used (cached for 24 hours)
set address JUNIPER-DNS dns-name www.juniper.net
top
# Groups of Addresses are referenced as address sets

set security zones security-zone trust address-book address-set ALL10
set address NET10
set HOST10
top
# JUNOS >=11.1 also supports wildcard address masks with non-contiguous bitmasks
# for IPv4. The first octets of the mask must be greater than 128
set security zones security-zone trust address-book address SERVER4 10.0.0.4/255.0.0.255

ADDRESS OBJECTS AND GROUPS (JUNOS >=11.2)
# Since JUNOS 11.2 Address Book entries can either use the old stanza
set security zones security-zone trust address-book address NET10 10.1.1.0/24
# Or it is possible to create ALL Objects as zone independent address book entries

set security address-book global address NET10 10.1.1.0/24
# JUNOS Op Scripts exist to convert from old to new format and back
https://www.juniper.net/us/en/community/junos/script-automation/library/
# If both formats are used in one file, the configuration can not be committed
# NSM supports global policies with Version 2012.1

# Space Security Design supports global policies since Version 12.1
# J-Web supports global address objects and global policies since 11.4

SERVICE OBJECTS
# Create Custom Service Objects
# Default TCP Timeout is 1800 sec.
# Default Timeout for other protocols is 60sec.
set applications application my-ssh protocol tcp
set applications application my-ssh destination-port 22
set applications application my-ssh inactivity-timeout 3600
set applications application my-ssh term ssh protocol tcp
set applications application my-ssh term ssh destination-port 22
set applications application my-ssh term ssh inactivity-timeout 3600
# A number of Service definitions is already built-in - starting with junos-xxxx

# To see them you can use the following command
show configuration groups junos-defaults applications
or
top show groups junos-defaults | match application | match junos
# They also appear when you use Tab completion during writing policies
set security policies from-zone trust to-zone untrust policy X match application ?

ZONE BASED FIREWALL POLICIES (1)
# Create a new Policy with the name "FIRST".
edit security policies from-zone untrust to-zone trust policy FIRST
set match source-address any
set match destination-address any
set match application any
set then permit
# Since JUNOS 12.1 you can add a description for this policy
set description "First Policy created here"
top
# Insert a second policy "NEW"

edit security policies from-zone untrust to-zone trust policy NEW
set match destination-address NET10
set then permit
top
# New Policies are always added at the end

# To move the "NEW" policy before the "FIRST" policy
insert security policies from-zone untrust to-zone trust policy NEW before policy FIRST

ZONE BASED FIREWALL POLICIES (2)
# By default all traffic, that is not permitted by policy is denied (without logging)
# There is a command to change this - Recommended only for testing !!
set security policies default-policy permit-all
# Policy Actions can be permit/deny/reject.

# deny means silent drop, reject create response packets to the initiator
# for UDP traffic icmp port unreachable
# for TCP traffic TCP RST
# Monitor commands
show security policies
show security flow session
#Policy lookup is available on CLI and in Web-UI since JUNOS 10.3
show security match-policies ....

GLOBAL FIREWALL POLICIES
# Beginning with JUNOS 11.4 Policies can be specified as global policies
# These Policies must always reference global address objects
# Policy Lookup Order is:
# a) zone-to-zone
# b) global
# c) default policy
# NSM can not manage global policies and objects
# For JUNOS Space global policy support is currently planned for Release 12.1
set security address-book global address SERVER1 1.1.1.1

set security address-book global address SERVER2 2.2.2.2
set security policies global policy GP1 match source-address SERVER1

set security policies global policy GP1 match destination-address SERVER2
set security policies global policy GP1 match application junos-ftp
set security policies global policy GP1 then deny
set security policies global policy GP2 match source-address SERVER1

set security policies global policy GP2 match destination-address SERVER2
set security policies global policy GP2 match application any
set security policies global policy GP2 then permit
# Count per zone and global policies

show security policies zone-context

GLOBAL POLICIES
Global policies take lower precedence than zone-specific
policies. If a matching zone-based policy is found, the global
policies are not evaluated
from-zone to-zone context
Zone Policy
Lookup
Policy1
Ordered No match
Policy N Policy 1
Lookup Global Policy lookup
Zone-specific Policies
Ordered
Lookup Policy M
Global Policies

FIREWALL POLICY
MONITORING AND USAGE TRACKING (1/2)
# Counting can be enabled on a limited number of policies. Counting includes
# Input/Output Bytes & Packets, Session rate, Active & Deleted sessions, Policy lookups
edit security policies from-zone trust to-zone untrust policy pol-01
set then count
top
# To monitor the policy counters use

run security policies from-zone show trust to-zone untrust policy-name pol-01 detail
# Alerts can be enabled per policy to generate alerts if usage exceeds thresholds
set then count alarm per-minute-threshold 1000
set then count alarm per-second-threshold 50
top
# To monitor the policy alerts use

run show security alerts

FIREWALL POLICY
MONITORING AND USAGE TRACKING (2/2)
# Security Policy Overview (Hidden until 12.1)
show security policies information
# Since JUNOS 10.3 there is Security Policy Lookup to predict policy decision
# The query goes directly to the forwarding plane for evaluation
show security match-policies ....
# Until 11.4 Usage statistics are only available, if counting is enabled (see prev page)
show security policies detail
# JUNOS 12.1 introduces usage tracking of Firewall Policies independent from counter
# Counter since the last reboot/failover can be retrieved with the following command
srx210> show security policies hit-count from-zone untrust ascending
from-zone to-zone policy hit-count

untrust trust pol-1 10

FIREWALL POLICY SCHEDULERS
(A.K.A. TIME BASED POLICIES)
# Create a Scheduler to activate a policy every working day from 9-12 and 13-20
set schedulers scheduler "SCHEDULER1" daily start-time 09:00 stop-time 12:00
set schedulers scheduler "SCHEDULER1" daily start-time 13:00 stop-time 20:00
set schedulers scheduler "SCHEDULER1" sunday exclude
# Create a new Policy with the name "FIRST" and apply the scheduler definition "SCHEDULER1"
edit security policies from-zone untrust to-zone trust policy FIRST
set then permit
set scheduler SCHEDULER1
top
# Monitoring
show schedulers
show security policies detail

FIREWALL WEB AUTHENTICATION
# Firewall Authentcation can Intercept Web Session (redriect) and enforce user authentication first
# before allowing traffic (any protocol) to be passed by the firewall. This is like an "unlock" door.
# Add an additional IP to an existing interface, that is used for WebAuth, HTTP to this Interface
# gives you a login page
set interface vlan unit 0 family inet address 192.168.1.210/24 web-authentication http
# Specify a Profile with 2 local Users

set access profile TESTPROFILE client TESTUSER1 firewall-user password netscreen
set access profile TESTPROFILE client TESTUSER2 firewall-user password netscreen
# and use this profile as default for firewall auth (inline in telnet, http, ftp connection) and webauth
set access firewall-authentication pass-through default-profile TESTPROFILE
set access firewall-authentication web-authentication default-profile TESTPROFILE
# A policy specifies for which Source/Destination Web Auth is required.

# Once Addresses have matched, Authentication is required, no Fall through to other rules.
set security zones security-zone untrust address-book address PROTECTED 172.16.42.1/32
edit security policies from-zone trust to-zone untrust policy WEB-AUTH
set match destination-address PROTECTED
set then permit firewall-authentication access-profile TESTPROFILE
set then permit firewall-authentication pass-through web-redirect
up
insert policy WEB-AUTH before policy trust-to-untrust
top
show security firewall-authentication users
show security firewall-authentication history

REMATCH FOR POLICY CHANGES
# To enable Policy rematching when policy changes are made use the following command
# By Default Policy Rematch is disabled
set security policies policy-rematch
Rematch Flag
Action on Policy Description
Enable Disable (default)
Delete Policy is deleted All existing All existing

sessions are sessions are
dropped dropped
Insert New policy is N/A N/A
inserted
Modify the action Action field of All existing All existing

policy is modified sessions are sessions continue
from permit to deny dropped
or reject, or vice
versa
Modify address Source or Policy lookup will All existing
destination be re-evaluated sessions continue
address field of
policy match is
modified
Modify application Application field of Policy lookup will All existing
policy match is be re-evaluated sessions continue
modified

REMATCH FOR POLICY CHANGES
WITH USER IDENTITY BASED FIREWALL
The user/role info is re-retrieved from UI module again for rematch

FLOW & ALG
FLOW
# Flow Configuration changes default behavior for a number of topics that influence
# session creation/teardown/modification.
# Examples are SYN Checking, Sequence Number Checking, Fragmentation, MSS Patching,
# Session Aging
# Example: Make sure TCP packets going through VPN tunnels avoid fragmentation
set security flow tcp-mss ipsec-vpn mss 1420
# Example: Avoid TCP Split Handshake Attacks by more strict SYN checking
set security flow tcp-session strict-syn-check

ALG
# ALGs exist for the several protocols. When enabled they either help to open firewall
# pinholes (FTP), assist in NAT for inband protocol data (VOIP) or check for protocol
# violation (DNS). See next pages for a Table of ALGs and their functions
# Most ALGs are enabled per default. To check which ALGs are there and enabled use
show security alg status
# To disable an ALG either disable ALG completly

set security alg msrpc disable
# or use custom service with the application service disabled
set applications application TEST application-protocol ignore
# Knowlegebase Articles have good hints on monitoring and troubleshooting

# or changing behaviour of each ALG. Check the Knowledgebase if you have
# trouble with any of the protocols where ALGs are active and disabling ALG
# does not solve your problem. Example KB entries:
SQL: KB21550
MSRPC : KB23730 and KB18346

BASIC ALGS
ALG Firewall Pinholes NAT Protocol
Checking
DNS format, length
FTP command
TFTP
SQL format
Sun RPC format
MS RPC format
RSH format
PPTP format
Talk format
IKE-NAT format

VOIP/STREAMING ALGS
ALG Firewall Pinholes NAT Protocol
Checking
SIP
H.323
MGCP
SCCP
RTSP

SCREENS & DEFENSE
WHAT ARE SCREENS ?
Screens are Filters for Attacks on Layer3/4 (Scans, Floods, IP
Option Anomalies, TCP/IP Anomalies, DOS Attacks)
Screens are applied before Routing Lookup and Policy decision
Screens are in many cases implemented in Hardware
Screens can be enabled with Logging only

SCREENS
# Configure all Screen Options in a Named Profile
edit security screen ids-option MY-SCREEN-PROFILE
# Best Practice; Start using Screens with Alarm only, but Dropping disabled.
set alarm-without-drop
set icmp ping-death
set ip source-route-option
set ip tear-drop
set tcp syn-flood alarm-threshold 1024
set tcp syn-flood attack-threshold 200
set tcp syn-flood source-threshold 1024
set tcp syn-flood destination-threshold 2048
set tcp syn-flood queue-size 2000
set tcp syn-flood timeout 20
set tcp land
set limit-session destination-ip-based 50
top
# Finally apply the Profile to the Zones which need protection
set security zones security-zone untrust screen MY-SCREEN-PROFILE
show security screen statistics zone untrust
show security screen statistics interface ge-0/0/0
Descriptions of each of the Screen Parameter are here

SCREENS FOR FLOOD PROTECTION
# Session Limits for Source and Destination IP
set security screen ids-option FLOOD limit-session source-ip-based 10000
set security screen ids-option FLOOD limit-session destination-ip-based 10000
# ICMP AND UDP FLOOD PROTECTION (threshold is in packets/sec)

set security screen ids-option FLOOD icmp flood threshold 10000
set security screen ids-option FLOOD udp flood threshold 20000
# TCP SYN Flood Protection, SYN-Cookie has better Performance than SYN-Proxy
set security flow syn-flood-protection-mode syn-cookie
edit security screen ids-option FLOOD tcp syn-flood
# Start using Cookie when we hit more than 20 SYNs/sec
set attack-threshold 20
set alarm-threshold 10000
# If we get more than these SYNs per second from a Source-IP we start dropping
set source-threshold 1024
# If we get more than these SYNs per to the same Destination-IP we start dropping
set destination-threshold 100000
# Time before we start dropping half-open connections from the queue
set timeout 5
top
# Finally apply the Screen Profile Definitions to the zone(s) where the flood arrives
set security zones security-zone untrust screen FLOOD
# Monitoring
show security screen statistics zone trust
show interfaces ge-0/0/1.0 extensive | match Syn

WHITE LISTS FOR SYN COOKIE & SYN PROXY
# JUNOS 12.1 will introduce White lists for SYN Cookie and SYN Proxy
# The SYN Protection Screens can be active, but certain sources or
# destinations can be excluded from this protection.
# White lists can included up to 32 IPv4 and IPv6 source and/or destination addresses
# Typical Use case: exclude Proxies as Sources, excluded monitored Servers as Destination
root@raticate# set security screen ids-option FLOOD tcp syn-flood WHITE-LIST ipv4 ?
<[Enter]> Execute this command
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
+ destination-address Destination IP based
+ source-address Source IP based

FLOOD PROTECTION FOR THE SRX SESSION TABLE
# In a Flood Situation, there is still a risk that the session table is filled up
# completely and new sessions can't be established any more
#
# A Self Defense Strategy of the SRX for a flood situation is "aggressive aging"
# to start removal of sessions which have not been used for x seconds before session
# table gets filled up completely
#
# This overrides the default session timeouts, but might be better
# than a overcrowded session table
# Set levels (percent of max session nr) when aggressive aging starts and when it stops
set security flow aging high-watermark 80 low-watermark 60
# Idle time in seconds after which sessions can be purged

set security flow aging early-ageout 30
# Monitoring: If the Thresholds are reached, there are logs for

# FLOW_HIGH_WATERMARK_TRIGGERED and FLOW_LOW_WATERMARK_TRIGGERED

FIREWALL USAGE ALARMS
# Create Alerts if Errors exceeds thresholds
edit security alarms potential-violation
set authentication 10
set decryption-failures threshold 100
set encryption-failures threshold 100
set ike-phase1-failures threshold 100
set ike-phase2-failures threshold 100
set replay-attacks threshold 100
set security-log-percent-full 90
top
# Create Alerts if firewall total policy usage exceeds thresholds

edit security alarms potential-violation policy
set application size 10240
set source-ip threshold 1000 duration 20
set destination-ip threshold 1000 duration 10
set policy-match threshold 100 size 100
top
# Create Alerts if individual firewall policy usage exceeds thresholds

set then count alarm per-minute-threshold 1000
set then count alarm per-second-threshold 50
top
# Monitoring
show security alarms

WHERE ARE SCREENS IMPLEMENTED ?
# Screens that are implemented on the NPU
block-frag, fin-no-ack, icmpfragment, icmp-id, icmp-large, ipbad-option, ip-filter-src,
ip-loosesrc-route, ip-record-route, ipsecurity-opt, ip-stream-opt, ipstrict-src-route, ip-
timestamp-opt, land, ping-death, syn-fin, syn-frag, tcp-no-flag, unknown-protocol,
winnuke, icmp-flood, udp-flood, syn-flood destination-threshold / source-threshold
# Screens that are implemented on the SPU

teardrop, ipspoofing, syn-ackack-proxy, syn-flood (syncookie/synproxy),
# Screens that are implemented on the CP

limit-session, portscan, ip-sweep, syn-flood (syncookie/syn-proxy)

NAT
NAT
BASIC INFORMATION
Since JUNOS 9.5 NAT uses a separate policy (a.k.a. NAT-ng)
The Hierarchy for this is under "set security nat ...."
Older JUNOS Documentation and OJSE Training Materials might still mention
the previous method (policy based NAT)
Destination NAT often requires additional Proxy-ARP rules
Limitations in the number of NAT rules did exist, but finally even the last (8
rules for destination NAT) disappeared with 10.2.
See http://kb.juniper.net/KB14149
We have a good Application Note on NAT


SCREENOS NAT FEATURES AND JUNOS COUNTERPART
For Details and Examples see the Application Note
"Juniper Networks SRX Series and J Series NAT for ScreenOS Users"
121
NAT
CONFIGURATION INCLUDES 3 FLAVORS
Source NAT
Interface based NAT
Pool based NAT- with and without port translation
IP address shifting
Destination NAT
Destination IP and/or port number translation
IP address shifting
Static NAT
Bi-directional
No port translation supported
dst-xlate for packets to the host
src-xlate for packets initiated from the host
122
NAT
PROCESSING ORDER
Static & Destination NAT are performed before security policies are
applied
Reverse Static & Source NAT are performed after security policies
are applied
Accordingly, policies always refer to the actual address of the
endpoints
123

NAT
ADDRESS POOL CONFIGURATION
[edit security nat source]
Address pools can be root# show
pool src-nat-pool1 {
Single IP address address {
192.0.0.10/32 to 192.0.0.24/32;
Range of addresses }
}
Range of ports pool src-nat-pool2 {
address {
Interface (source NAT only) 192.0.0.100/32 to 192.0.0.249/32;
}
No port translation port no-translation;
overflow-pool interface;
Overflow pools }
pool src-nat-pool3 {
Configured as a fall back address {
192.0.0.25/32;
Requires pools with no port }
}
translation pool src-nat-pool4 {

address {
192.0.0.50/32 to 192.0.0.59/32;
}
port range 5000 to 6000;

SOURCE NAT
TWO EXAMPLES
}
rule-set nat-internet {
from zone trust;
to zone untrust;
rule rule1 {
match {
source-address 0.0.0.0/0;
TRUST destination-address 0.0.0.0/0;
UNTRUST
}
10.1.1.0/24 then {
source-nat interface
ge-0/0/0 }
INTERNET
192.1.1.0/24 [edit security nat source]

ge-0/0/1
}
rule-set nat-internet {
from zone trust;
10.1.2.0/24 to zone untrust;
rule rule1 {
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
}
then {
source-nat pool src-nat-pool1
}

SOURCE NAT
EXAMPLE WITH MULTIPLE RULES
TRUST UNTRUST
10.1.1.0/24
ge-0/0/0
INTERNET
10.1.2.0/24
ge-0/0/1
192.1.1.0/24
rule rule2 {
match {
172.1.1.0/24 source-address 192.1.1.0/24;
}
then {
}
source-nat pool src-nat-pool2;
rule-set nat-internet { }
from zone trust; }
to zone untrust; rule rule3 {
rule rule1 { match {
match { source-address 172.1.1.0/24;
source-address [ 10.1.1.0/24 10.1.2.0/24 ]; }
destination-address 0.0.0.0/0; then {
} source-nat off;
then { }
source-nat pool src-nat-pool1; }
}
126} Copyright 2011 Juniper Networks, Inc. www.juniper.net
DESTINATION NAT
EXAMPLE FOR MANY-TO-MANY
TRUST UNTRUST
[edit security nat destination]
10.1.1.0/24 root# show

pool dnat-pool-1 {
ge-0/0/0 address 192.168.1.100/32;
INTERNET }
10.1.2.0/24 pool dnat-pool-2 {
address 192.168.1.200/32 port 8000;
ge-0/0/1
}
rule-set dst-nat {
from zone untrust;
192.1.1.100/24 rule rule1 {
match {
192.1.1.200/24
}
then {
destination-nat pool dnat-pool-1;
}
dnat-pool-1: }
1:1.1.1.100/80->192.168.1.100/80 rule rule2 {
match {
dnat-pool-2: }
then {
1.1.1.101/80->192.168.1.200/8000 destination-nat pool dnat-pool-2;
}
}
}
DESTINATION NAT
EXAMPLE FOR ONE-TO-MANY
TRUST UNTRUST
[edit security nat destination]
10.1.1.0/24 root# show

pool dnat-pool-1 {
ge-0/0/0 address 192.168.1.100/32;
INTERNET }
10.1.2.0/24 pool dnat-pool-2 {
address 192.168.1.200/32 port 8000;
ge-0/0/1
}
rule-set dst-nat {
from zone untrust;
192.1.1.100/24
rule rule1 {
match {
192.1.1.200/24
destination-port 80;
}
then {
dnat-pool-1 }
1.1.1.100/80->192.168.1.100/80 }
rule rule2 {
match {
dnat-pool-2 destination-address 1.1.1.100/32;
1.1.1.100/8000->192.168.1.200/8000 destination-port 8000;
}
then {
}
STATIC NAT
Provides one-to-one mapping of hosts or subnets
Bi-directional NAT
dst-xlate for packets to the host
src-xlate for packets initiated from the host
TRUST [edit security nat]

UNTRUST
10.1.1.0/24 root# show static

rule-set static-nat {
ge-0/0/0
INTERNET from zone untrust;
rule rule1 {
10.1.2.0/24
match {
ge-0/0/1
}
then {
192.1.1.200/24 static-nat prefix 192.168.1.200/32;
}
}

PROXY-ARP
10.1.1.0/24
INTERNET
ge-0/0/0
1.1.1.1/24
ge-0/0/1
10.1.2.0/24
Source NAT
Proxy-ARP required for all source IP pool addresses in the same subnet as egress
interface ge-0/0/0
For source pools not in the same subnet as egress interface IP, route to the IP pool
subnet with the SRX device as next-hop is required on the upstream router
Destination/Static NAT
Proxy-ARP required for all IP pool addresses in the same subnet as ingress
interface ge-0/0/0
For static and destination NAT pools not in the same subnet as egress interface IP,
route to the IP pool subnet with the SRX device as next-hop is required on the
upstream router
Configuration command
set security nat proxy-arp interface <if_name> address <ip_prefix>
DOUBLE NAT- SOURCE AND DESTINATION NAT
TRUST UNTRUST 192.168.1.3->1.1.1.100
1.1.1.10-> 10.1.1.100
192.168.1.3/24
10.1.1.100/24
[edit security nat source] [edit security nat destination]

root# show root# show
pool src-pool-1 { pool dst-src-pool-1 {
address { address 10.1.1.100/32;
1.1.1.10/32 to 1.1.1.14/32; }
} rule-set dst-rs1 {
} from zone trust;
rule-set src-rs1 { rule rule1 {
from zone trust; match {
to zone untrust; destination-address 1.1.1.100/32;
rule r1 { }
match { then {
source-address 0.0.0.0/0; destination-nat pool dst-src-pool-1;
} }
then { }
source-nat pool src-pool-1; }
}
}
NAT
MONITORING AND TROUBLESHOOTING
# NAT session can be identified from the session table
show security flow session
# Static NAT:
show security nat static rule <all|rule-name>
# Source NAT:
show security nat source summary
show security nat source pool <pool-name>
show security nat source rule <rule-name>
show security nat source persistent-nat-table <all|summary|....>
# Destination NAT:
show security nat destination summary
show security nat destination pool <pool-name>
show security nat destination rule <rule-name>
show security nat interface-nat-ports
# Incoming NAT:
show security nat incoming-table
# ARP table
show arp no-resolve
# Tracing (output is written to file defined under security->flow-> traceoptions)

set security nat traceoptions flag all
132
VIRTUALIZATION
VIRTUALIZATION
BUILDING BLOCKS AND CONCEPTS
SRX Firewalls offer several building blocks and concepts to achieve virtualization
Zone based Separation: No traffic can get from one zone to another if there is no policy
Virtual Routers based Separation: avoid any traffic leakage between different instances
(usecase: managed service for customers with overlapping address space).
Logical Systems : for complete administrative isolation. Create virtual firewalls with individual
administrators and protected resources per firewall (memory, cpu, objects ...)
Virtual SRX: Virtual Machine for installation on a Hypervisor (Vmware, KVM)
Zones only Zones and Logical Systems Virtual

Virtual Routers SRX
separate traffic of yes yes yes yes
different instances
separate routing no yes yes (with VRs) yes
decisions per
instance
allow different no no yes yes
administrators per
instance
protect resources per no no partial yes
instance
more than 32 no no max 32 instance per yes
instances firewall
ZONE-BASED SEPARATION
Coke Coke
Zone User
Coke
Untrust
Zone
Pepsi Pepsi
Zone User
Pepsi
Simple design
High scale (no additional overhead)
No overlapping IP addresses
Little to no user-based admin

VR-BASED SEPARATION
Coke Coke
Coke
Untrust Trust
Zone Zone User
Coke VR
Coke
Pepsi Pepsi
Untrust Trust Pepsi
Zone Zone User
Pepsi
Pepsi VR
More complex design

High scale (little additional overhead)
Overlapping IP addresses supported
Routing protocols per VR give additional flexibility
Little to no user-based admin
LSYS-BASED SEPARATION
Coke Coke
Coke
Untrust Trust
Zone Zone User
Coke VR
Coke
Coke LSYS
Pepsi Pepsi
Untrust Trust Pepsi
Zone Zone User
Pepsi
Pepsi VR
Pepsi LSYS
Complex design
Lower scale (possible additional overhead)
Overlapping IP addresses supported
Routing protocols per VR give additional flexibility (and
introduce performance caveats)
User-based admin supported
VIRTUALIZATION:
VIRTUAL ROUTERS
DIFFERENCE IN OWNERSHIP HIERARCHY
ScreenOS JUNOS
Routing
Virtual Instance
Router
Interface
Zone
IP
Virtual router Address
Interface
split from zones
in JUNOS
Zone
IP Address
Interface

EXAMPLE WITH 2 INDEPENDANT VR
red-trust Red-VR red-untrust
blue-trust Blue-VR blue-untrust

VIRTUAL ROUTERS - SIMPLE EXAMPLE
Create a Virtual Router and bind interface to this VR

# Assign Interface IPs like usual
set interface fe-0/0/6 unit 0 family inet address 1.0.0.1/24
# Create the Virtual Router, assign two physical and a loopback interface
set routing-instances red-vr instance-type virtual-router
set routing-instances red-vr interface fe-0/0/6.0
set routing-instances red-vr interface fe-0/0/7.0
set routing-instances red-vr interface lo0.0
# Also tie all interfaces to security zones

set security zone security-zone red-untrust interface fe-0/0/6.0
set security zone security-zone red-trust interface fe-0/0/7.0
# Optional, set a static route in this vr

set routing-instances red-vr routing-options static route 4.0.0.0/24 next-hop 1.0.0.2
# Optional: You can set static routes to get from one VR to another
# If you need to exchange dynamic routes you will need RIB Groups
set routing-instances red-vr routing-options static route 5.0.0.0/24 next-table blue-
vr.inet.0

EXAMPLE WITH 3 CUSTOM AND ONE SHARED VR
red-trust Red-VR
Inet.0 VR
blue-trust Blue-VR untrust
green-trust Green-VR

VIRTUAL ROUTERS
ROUTER DEFINITION
Create a Virtual Router and bind interface to this VR

# Assign Interface IPs like usual
# Create the Virtual Router, assign one physical interface

set routing-instances RED-VR instance-type virtual-router
set routing-instances RED-VR interface fe-0/0/5.0

set routing-instances BLUE-VR instance-type virtual-router
set routing-instances BLUE-VR interface fe-0/0/6.0

set routing-instances GREEN-VR instance-type virtual-router
set routing-instances GREEN-VR interface fe-0/0/7.0

VIRTUAL ROUTERS
SECURITY ZONES
Interface binding to zones is defined independent from the VR
BUT all interfaces in the same zone must be bound to same VR
# Create Zones and assign interfaces
set security zones security-zone red-trust
set security zones security-zone red-trust interfaces fe-0/0/5.0
set security zones security-zone blue-trust
set security zones security-zone blue-trust interfaces fe-0/0/6.0
set security zones security-zone green-trust
set security zones security-zone green-trust interfaces fe-0/0/7.0
# If desired enable management

set security zones security-zone red-trust host-inbound-traffic system-services all
set security zones security-zone red-trust host-inbound-traffic protocols all
set security zones security-zone blue-trust host-inbound-traffic system-services all
set security zones security-zone blue-trust host-inbound-traffic protocols all
# Add policies to permit traffic

edit security policies from-zone red-trust to-zone untrust
set policy outbound1 match source-address any
set policy outbound1 match destination-address any
set policy outbound1 match application any
set policy outbound1 then permit
set policy outbound1 then log session-close session-init
exit
top

VIRTUAL ROUTERS
EXCHANGING ROUTES BETWEEN VIRTUAL ROUTERS
# To set a route from one VR to another just use the instance name as next-table
edit routing-instances BLUE-VR
set routing-options static route 10.0.0.0/8 next-table RED-VR.inet.0
top
# To redistribute Routes that exist in one VR into another use Filters

edit policy-options policy-statement SUMMARY-RED
set term ACCEPT from instance RED-VR
set term ACCEPT from route-filter 10.0.0.0/8 exact
set term ACCEPT then tag 5000
set term ACCEPT then accept
top
set routing-instances BLUE-VR routing-options instance-import SUMMARY-RED

VIRTUAL ROUTERS
RIB-GROUPS
RIB Groups (RIB=Routing Information Base) are useful if you want to
share static and dynamic routes between multiple VRs
# Create a rib-group
set routing-options static rib-group test-rib
# Routes imported into the rib-group are distributed to the rib

set routing-options rib-groups test-rib import-rib inet.0
set routing-options rib-groups test-rib import-rib RED-VR.inet.0
# set routing-options rib-groups test-rib import-rib BLUE-VR.inet.0
# set routing-options rib-groups test-rib import-rib GREEN-VR.inet.0
# Only one rib can be used to export (primary-rib by default)

set routing-options rib-groups test-rib export-rib inet.0
# Optional: publish interface routes to the RIB

set routing-instances RED-VR routing-options interface-routes rib-group inet test-rib
set routing-instances BLUE-VR routing-options interface-routes rib-group inet test-rib
set routing-instances GREEN-VR routing-options interface-routes rib-group inet test-rib

VIRTUAL ROUTERS
RIB-GROUPS, FILTER
Filters can be applied to drop unwanted routes
# Create a policy statement
edit policy-options policy-statement into-red
set term reject-to-red from family inet protocol ospf
set term reject-to-red to rib red-vr.inet.0
set term reject-to-red then reject
top
# Apply Policy to filter routes from the rib-groups export-rib to the member ribs
set routing-options rib-groups test-rib import-policy into-red

VIRTUAL ROUTERS
RIB Group is useful to share Routes between multiple VRs
Before JUNOS 10.4 IPSEC VPN Interfaces could only be terminated in
zones, which are assigned to inet.0 (see KB 12866)
For self initiated management traffic (e.g.. syslog, traps ..) route lookup
starts in the default VR (inet.0)
Interfaces that are not explicitly members of any custom VR are
members of inet.0
DHCP Server and DHCP Relay inside a VR will require JUNOS 10.4r5
or higher
Static routes from VR1 to VR2 and at the same time from VR2 to VR1
will not commit (potential loop). You have to introduce a third VR as
additional hop for one direction.

VIRTUALIZATION:
LOGICAL SYSTEMS
LOGICAL SYSTEMS
Root System (=physical firewall) is always there. Root Admin can

create new Lsys
create user admin(s) for the Lsys
create and assign Lsys Profiles
create and assign logical interfaces to Lsys
configure the interconnect Lsys0
Lsys0 has a special role as the interconnect Lsys

all traffic between User Lsys and Rootsys goes through Lsys0
for this purpose Lsys0 has a lt-Interface to each Lsys and Rootsys
Lsys1..32 are the user logical systems itself

Each user logical system can have
a number of zones, interfaces and 0, 1 or more Virtual Routers
exactly one interface to the Interconnect Lsys0 (lt0.x)
one or more users to configure routing and security inside the Lsys
EXAMPLE SETUP
# Example Setup
Root System with

- shared Internet Uplink
- separate VR vrf-root
Interconnect Lsys0 with

-seperate vr-ic
- lt interfaces to each root and lsys
Two Custom Lsys with

-private interfaces and zones
- lt Interfaces to interconnect Lsys0

LOGICAL SYSTEMS
CONFIGURATION 1/4 - PROFILES AND USERS
# Define a Profile for the System Limits for each User Logical Systems
set system security-profile USER-LSYS policy maximum 50
set system security-profile USER-LSYS policy reserved 25
set system security-profile USER-LSYS address-book maximum 100
set system security-profile USER-LSYS address-book reserved 50
set system security-profile USER-LSYS logical-system [Coke-LSYS Pepsi-LSYS]
# Add the Root System Profile. All off-box logging comes from the Root LSYS.
# If this is undefined then syslog/SNMP will not work
set system security-profile ROOT-LSYS auth-entry maximum 5
set system security-profile ROOT-LSYS policy maximum 5
set system security-profile ROOT-LSYS policy reserved 1
set system security-profile ROOT-LSYS policy-with-count maximum 0
set system security-profile ROOT-LSYS root-logical-system
# Add LSYS to your login classes to assign users to an LSYS

# Users are assigned to a login class to get their rights, and with LSYS
# they also get assigned to an LSYS at the same time
set system login class COKE-LOGIN logical-system COKE-LSYS
set system login class PEPSI-LOGIN logical-system PEPSI-LSYS
# Create Users for each Lsys

set system login user coke class COKE-LOGIN
set system login user pepsi class PEPSI-LOGIN

LOGICAL SYSTEMS
CONFIGURATION 2/4 - INTERCONNECT
# Set up lt-0/0/0.x interfaces in the Interconnect LSYS0
# LSYS0 is layer 2 only and will hold multiple LT interfaces
# all other LSYS will only have a single LT interface
# LT interfaces are paired one-to-one
set logical-systems LSYS0 interfaces lt-0/0/0 unit 0 encapsulation ethernet-vpls
set logical-systems LSYS0 interfaces lt-0/0/0 unit 0 peer-unit 1
# Set up lt-0/0/0.x interfaces, LT interface in LSYS > 0 need an IP address
# LT Interface in the Rootsys

set interfaces lt-0/0/0 unit 1 family inet address 10.0.1.1/24
# LT Interface in the Lsys Coke

# LT Interface in the Lsys Pepsi


LOGICAL SYSTEMS
CONFIGURATION 3/4 - FIRST USER LSYS
# Now setup the COKE-Logical System
edit logical-systems COKE-LSYS

set interfaces reth1 unit 1 vlan-id 1
set interfaces reth1 unit 1 family inet address 12.1.1.1/24
edit routing instances COKE-VR
set instance-type virtual-router
set interface reth1.1
set interface lt-0/0/0.3
up
set security zones security-zone Coke-Trust
set security zones security-zone Coke-Trust host-inbound-traffic system-services ping
set security zones security-zone Coke-Trust interfaces reth1.1
set security zones security-zone Coke-Untrust interfaces lt-0/0/0.1
edit security policies from-zone Coke-Trust to-zone Coke-Untrust
set policy to-Inter-LSYS match source-address any
set policy to-Inter-LSYS match destination-address any
set policy to-Inter-LSYS match application any
set policy to-Inter-LSYS then permit
top

LOGICAL SYSTEMS
CONFIGURATION 4/4 - SECOND USER LSYS
# Now setup the PEPSI-Logical System
edit logical-systems PEPSI-LSYS

edit routing instances PEPSI-VR
set instance-type virtual-router
set interface reth1.2
set interface lt-0/0/0.5
up
set security zones security-zone PEPSI-Trust
set security zones security-zone PEPSI-Trust host-inbound-traffic system-services ping
set security zones security-zone PEPSI-Trust interfaces reth1.2
set security zones security-zone PEPSI-Untrust interfaces lt-0/0/0.5
edit security policies from-zone PEPSI-Trust to-zone PEPSI-Untrust
set policy to-Inter-LSYS match source-address any
set policy to-Inter-LSYS match destination-address any
set policy to-Inter-LSYS match application any
set policy to-Inter-LSYS then permit
top

LOGICAL SYSTEMS
MONITORING
# Flow Statistics
show security flow statistics root-logical-system
show security flow statistics logical-system <all|Lsys>
# Assigned Profile and current usage for each individual profile parameter
show system security-profile ? logical-system <all|Lsys>

VPN
IPSEC VPN FLAVOURS
Policy Based VPN
For site-to-site VPNs
Upon match a security Policy sets up a VPN tunnel
Route Based VPN

For site-to-site VPNs
Specify a VPN tunnel interface (st0.x)
Upon match a security policy permits traffic to this tunnel interface
Dynamic VPN
For Remote Access of travelling Users
Rollout and Update of VPN Client Software
Authenticate User and assign IPs during VPN establishment
ROUTED BASED VPN
ROUTE BASED VPN
SITE-TO-SITE WITH MAIN MODE (1/3)
# Enable IKE Traffic on the untrust interface
edit security zone security-zone untrust interfaces ge-0/0/1.0
set host-inbound-traffic system-services ike
top
# Define Phase 1 Proposal

edit security ike proposal P1-AES
set authentication-method pre-shared-keys
set dh-group group2
set authentication-algorithm sha1
set encryption-algorithm aes-128-cbc
top
# Define Phase 2 Proposal

set security ipsec proposal P2-AES protocol esp
set security ipsec proposal P2-AES authentication-algorithm hmac-sha1-96
set security ipsec proposal P2-AES encryption-algorithm aes-128-cbc
# Predefined Proposals also exist

lab@srx-210# set security ike policy ike-policy-1 proposal-set ?
basic IKE proposal-set for basic
compatible IKE proposal-set for compatible
standard IKE proposal-set for standard
[edit]

ROUTE BASED VPN
# Phase 1 Gateway Definition
set security ike policy IKE-POLICY-1 mode main
set security ike policy IKE-POLICY-1 proposals P1-AES
set security ike policy IKE-POLICY-1 pre-shared-key ascii-text juniper
set security ike gateway GW1 address 172.16.42.11

set security ike gateway GW1 external-interface ge-0/0/0.0
set security ike gateway GW1 ike-policy IKE-POLICY-1
# Phase 2 VPN definition

set security ipsec policy IPSEC-POLICY-1 proposals P2-AES
set security ipsec policy IPSEC-POLICY-1 perfect-forward-secrecy keys group2
set security ipsec vpn VPN1 ike gateway GW1

set security ipsec vpn VPN1 ike ipsec-policy IPSEC-POLICY-1
# Optional VPN Monitor (Phase 2 Keep alive as Ping inside tunnel)

set security ipsec vpn VPN1 vpn-monitor optimized
# Use this statement - on one side of the VPN - to get tunnel established fast
set security ipsec vpn VPN1 establish-tunnels immediately

ROUTE BASED VPN
# Create a secure tunnel interface.
set interfaces st0 unit 0 family inet
set security zones security-zone trust interfaces st0.0
# Optional: If numbered interface is required: set an interface IP

set interfaces st0 unit 0 family inet address 1.1.1.1/28
# Configure routing.
# Assign IPSEC Configuration to the Interface

set security ipsec vpn VPN1 bind-interface st0.0
# There are global options (system wide for all Phase 2) to set VPN Monitor thresholds
# Default is interval 10, threshold 10 which results in 100 Sec Detection Time
set security ipsec vpn-monitor-options interval 3
set security ipsec vpn-monitor-options threshold 3

ROUTE BASED VPN
ADDITIONAL OPTIONS
# Interface number for a Second VPN Tunnel Interface
# Use Name st0 with another unit
set interfaces st0 unit 1 family inet
# By Default we use Proxy-ID local 0.0.0.0/0 remote 0.0.0.0/0 service 0

# To override this for third party compatibility you can manually set one proxy-id
# When SRX checks incoming proxy-id: then more specific IPs match less specific IPs
# Example Remote-ID 192.168.1.0/24 is accepted when Proxy-ID is 0.0.0.0/0
set security ipsec vpn vpn-1 ike proxy-identity local <net> remote <net> service <svc>
# Next Hop Tunnel Binding - Allows multiple endpoints on one Tunnel interface
set interfaces st0 unit 0 multipoint
# Dead-Peer Detection (Phase1 - Keep alive as IKE Message)

set security ike gateway GW1 dead-peer-detection

ROUTE BASED VPN
BRANCH-TO-CENTRAL WITH AGRESSIVE MODE (1/2)
Branch Site with Dynamic IP
set security ike policy BRANCH-POLICY mode aggressive
set security ike policy BRANCH-POLICY proposal-set standard
set security ike policy BRANCH-POLICY pre-shared-key ascii-text secret
set security ike gateway CENTRAL-GW ike-policy BRANCH-POLICY

set security ike gateway CENTRAL-GW address 1.1.1.1
set security ike gateway CENTRAL-GW local-identity user-at-hostname "branch@test.de"
set security ike gateway CENTRAL-GW external-interface pp0.0
Central Site with Fixed IP (1.1.1.1)

set security ike policy BRANCH-POLICY mode aggressive
set security ike policy BRANCH-POLICY proposal-set standard
set security ike policy BRANCH-POLICY pre-shared-key ascii-text secret
set security ike gateway BRANCH-GW ike-policy BRANCH-POLICY

set security ike gateway BRANCH-GW dynamic user-at-hostname "branch@test.de"
set security ike gateway BRANCH-GW external-interface ge-0/0/0.0

ROUTE BASED VPN
BRANCH-TO-CENTRAL WITH AGRESSIVE MODE (1/2)
Branch Site with Dynamic IP
# Phase 2 definitions with Tunnel binding and optional Proxy-ID
set security ipsec policy BRANCH-POLICY proposal-set standard
set security ipsec vpn CENTRAL-VPN bind-interface st0.0
set security ipsec vpn CENTRAL-VPN vpn-monitor optimized
set security ipsec vpn CENTRAL-VPN ike gateway CENTRAL-GW
set security ipsec vpn CENTRAL-VPN ike proxy-identity local 10.0.0.0/24
set security ipsec vpn CENTRAL-VPN ike proxy-identity remote 20.0.0.0/24
set security ipsec vpn CENTRAL-VPN ike proxy-identity service any
set security ipsec vpn CENTRAL-VPN ike ipsec-policy BRANCH-POLICY
set security ipsec vpn CENTRAL-VPN establish-tunnels immediately
# Route into Tunnel
Central Site with Fixed IP

# Phase 2 definitions with Tunnelbinding and optional Proxy-ID
set security ipsec policy BRANCH-POLICY proposal-set standard
set security ipsec vpn BRANCH-VPN bind-interface st0.0
set security ipsec vpn BRANCH-VPN vpn-monitor optimized
set security ipsec vpn BRANCH-VPN ike gateway BRANCH-GW
set security ipsec vpn BRANCH-VPN ike proxy-identity local 20.0.0.0/24
set security ipsec vpn BRANCH-VPN ike proxy-identity remote 10.0.0.0/24
set security ipsec vpn BRANCH-VPN ike proxy-identity service any
set security ipsec vpn BRANCH-VPN ike ipsec-policy BRANCH-POLICY
# Route into Tunnel

POLICY BASED VPN
POLICY BASED VPN
CONFIGURATION
TODO
Technote: http://www.juniper.net/us/en/local/pdf/app-notes/3500175-en.pdf

VPN WITH CERTIFICATES
VPN WITH CERTIFICATES (1/6)
PKI Operations
# Create a CA profile (simplified with CRL Checking disabled)
set security pki ca-profile ca-profile-ipsec ca-identity xyz.com
set security pki ca-profile ca-profile-ipsec revocation-check disable
# Create a key pair

request security pki generate-key-pair certificate-id ca-ipsec size 1024
# Create a certificate request for the local device certificate

request security pki generate-certificate-request certificate-id ca-ipsec
subject "CN=srx210-bot,OU=IT,L=LAB" ip-address 10.1.0.1 domain-name srx210-bot.xyz.com
Copy to output of the above command to a file and use it as signing request for your CA.
It is very important to define X509v3 Subject Alternative Name. JUNOS supports ip-address, domain-name and email. In this
request we define a ip-address and the domain-name. This attribute is used as a IKE-ID and has to match with the IKE
configuration.
The signing CA has to support X509v3 Subject Alternative Name. E.g. for OpenSSL you have to modify the file openssl.cnf in
this way:
# Extension copying option: use with caution.

copy_extensions = copy

Copy the signed certificate and the CA root certificate from the CA to SRX file system.
# Load the signed certificate from the file system

request security pki local-certificate load certificate-id ca-ipsec filename
/var/tmp/certnew.cer
# Load the CA root certificate from the file system
request security pki ca-certificate load ca-profile ca-ipsec filename
/var/tmp/CA-certnew.cer

lab@SRX210-bot> show security pki ca-certificate
Certificate identifier: ca-profile-ipsec
Issued to: ic.xyz.com, Issued by: C = US, ST = CA, L = Sunnyvale, O = XYZ, OU = IT, CN = ic.xyz.com,
emailAddress = user@xyz.com
Validity:
Not before: 09-18-2009 13:25
Not after: 10-27-2013 13:25
Public key algorithm: rsaEncryption(1024 bits)
lab@SRX210-bot> show security pki local-certificate detail

Certificate identifier: ca-ipsec
Certificate version: 3
Serial number: 00000010
Issuer:
Organization: XYZ, Organizational unit: IT, Country: US, State: CA, Locality: Sunnyvale,
Common name: ic.xyz.com
Subject:
Organizational unit: IT, Locality: LAB, Common name: srx210-bot
Alternate subject: email empty, srx210-bot.xyz.com, 10.1.0.1
Validity:
Not before: 12-28-2010 13:17
Not after: 02- 5-2015 13:17
Public key algorithm: rsaEncryption(1024 bits)
30:81:89:02:81:81:00:aa:e8:f0:49:0f:0d:28:9e:71:5b:a7:c1:64

bc:b2:7f:6c:26:f3:8c:54:dc:2b:7f:3d:64:0d:09:02:03:01:00:01
Signature algorithm: sha1WithRSAEncryption
Fingerprint:
28:1d:f4:b6:96:41:8d:13:fa:dd:7d:fd:26:ed:2b:53:15:88:bd:97 (sha1)
e3:1b:af:db:e7:e9:90:99:5a:c7:ac:d4:e2:ef:2a:da (md5)
Auto-re-enrollment:
Status: Disabled
Next trigger time: Timer not started

VPN Configuration
# Create IKE proposal
set security ike proposal P1-AES-CERT authentication-method rsa-signatures
set security ike proposal P1-AES-CERT dh-group group2
set security ike proposal P1-AES-CERT authentication-algorithm sha1
set security ike proposal P1-AES-CERT encryption-algorithm aes-256-cbc
# Create IKE policy

set security ike policy ike-policy-1 mode main
set security ike policy ike-policy-1 proposals P1-AES-CERT
set security ike policy ike-policy-1 certificate local-certificate ca-ipsec
set security ike policy ike-policy-1 certificate trusted-ca use-all
set security ike policy ike-policy-1 certificate peer-certificate-type x509-signatur
# Create IKE gateway

set security ike gateway srx210-top ike-policy ike-policy-1
set security ike gateway srx210-top address 10.1.0.10
set security ike gateway srx210-top local-identity inet 10.0.1.10
set security ike gateway srx210-top external-interface ge-0/0/1.0
The local-identity has to match with the X509v3 Subject Alternative Name of the Gateway local certificate as a IKE-
ID.
Since 10.2 there is a hidden command set security ike gateway srx210-top general-ikeid to ignore a IKE-ID
mismatch. Nevertheless the certificate needs a X509v3 Subject Alternative Name to get Phase-1 up.
The IPSec configuration is the same as with preshared keys.

Advanced Features CRL-Checking and SCEP Auto-enrollment
# Create CA Profile with CRL-Checking and SCEP
set security pki ca-profile RSA_CA_LAB ca-identity RSA-CA
set security pki ca-profile RSA_CA_LAB enrollment url

https://10.100.160.59:446/aca4eeb14189074335ac14b30259698fa8862b66/pkiclient.exe
set security pki ca-profile RSA_CA_LAB revocation-check crl url

http://10.100.160.59:447/RSA-CA.crlset security pki ca-profile RSA_CA_LAB revocation-
check crl refresh-interval 24
set security pki auto-re-enrollment certificate-id SRX-210-HQ ca-profile-name

RSA_CA_LAB
set security pki auto-re-enrollment certificate-id SRX-210-HQ challenge-password

"$9$3qaq6/t0ORSyKu0LxdVY2
set security pki auto-re-enrollment certificate-id SRX-210-HQ re-enroll-trigger-time-

percentage 5

root@SRX-210-HQ-1> show security pki crl detail | no-more
CA profile: RSA_CA_LAB
CRL version: V00000001
CRL issuer: C = CH, O = SA, OU = Security, CN = RSA-CA
Effective date: 11- 9-2010 13:54
Next update: 11-10-2010 13:54
Revocation List:
Serial number Revocation date
1b9433a6682555883abf042c15e602da 06-10-2010 07:54
21fffde9d68115b3d9335a97c8744b46 11- 9-2010 13:30
4a5c1a9e624cd522b49f0485272c42b4 06-10-2010 08:28
4de41accc7e4cc606a1dad93cb510092 06-22-2010 06:31
59304b23b9e6f80abd9fe0325af16b80 06- 9-2010 14:16
5b336a94660f5a69e00b48af9662b71d 11- 8-2010 17:36
678a297eccfe78ab0d693ff162e8cdf4 06- 9-2010 15:01
6bf7aff47f68f8687a1f14f0df2b014a 11- 8-2010 15:48
6f4168f96a06957ac769be5465f753a2 06- 9-2010 15:09
8610479e69f64eb08972b27bba24365a 06-10-2010 07:47
89ac59d9df40954feac5c57e4d0739a2 11- 9-2010 13:31
bec78a93e4101f71c782784b34c33ef4 11- 9-2010 10:47
cadd34f4f77f5042198792dd02cbcb1a 06-22-2010 07:35
e87b6aa7ea5562ecdd1379e51bb02ba8 06- 9-2010 13:24

VPN DIAGNOSTICS
IPSEC VPN
MONITORING AND TROUBLESHOOTING (1)
### Ping through VPN - Sometime you might have to alter the source-interface
# or your routing-instance to get the ping into the tunnel
ping 192.168.1.1 [routing-instance xx] interface fe-0/0/7.0
### Monitoring
# Phase 1 - Cookies
show security ike security-associations
# Phase 2 - Security Associations
show security ipsec security-associations
# IPSEC and Interface Statistics
show security ipsec statistics
show interfaces st0 [terse|detail]
# Manually Clear Tunnels
clear security ike
clear security ipsec
# Logs and Traces are per Default written to File kmd
file show /var/log/kmd | last
### JUNOS 11.4 and 12.1x44 have several improvements for IPSEC Troubleshooting
# 1. extend Output for show security ike|ipsec security-associations
# 2. start debugging for a certain session without commit, write output to kmd
request security ike debug-enable local 10.1.1.10 remote 10.1.1.30 level 15
request security ike debug-disable
show security ike debug-status
# 3. Inactive Tunnel information
show security ipsec inactive-tunnels

IPSEC VPN
Tunnel Interface up/down is logged in syslog

ENT <UpDown> st0.0 index 80 <Up Broadcast PointToPoint Multicast>
Jul 29 11:34:08 192.168.1.1 Jul 29 11:34:08 mib2d[921]: SNMP_TRAP_LINK_UP:
ifIndex 253, ifAdminStatus up(1), ifOperStatus up(1), ifName st0.0
Jul 29 11:34:08 192.168.1.1 Jul 29 11:34:08 rpd[897]: EVENT UpDown st0.0 index 80
<Up Broadcast PointToPoint Multicast>
Jul 29 11:34:08 192.168.1.1 Jul 29 11:34:08 srx650-1 IFP trace>
ifp_ifl_anydown_change_event: IFL anydown change event: "st0.0"
If more details are required, use a IKE trace file

set security ike traceoptions file VPNtrace
set security ike traceoptions file files 3
set security ike traceoptions file size 1m
set security ike traceoptions flag ike
set security ike traceoptions flag policy-manager

IPSEC VPN
Example Output from IKE trace file
Jul 29 12:32:39 ike_st_o_all_done: MESSAGE: Phase 1 { 0x4a583c5c adb05f96 -
0xebace718 6f0a0626 } / 00000000, version = 1.0, xchg = Identity protect,
auth_method = Pre shared keys, Initiator, cipher = aes-cbc, hash = sha1, prf =
hmac-sha1, life = 0 kB / 3600 sec, key len
Jul 29 12:32:39 10.2.1.1:500 (Initiator) <-> 10.2.1.100:500 { 4a583c5c adb05f96 -
ebace718 6f0a0626 [-1] / 0x00000000 } IP; MESSAGE: Phase 1 version = 1.0,
auth_method = Pre shared keys, cipher = aes-cbc, hash = sha1, prf = hmac-sha1,
life = 0 kB / 3600 sec, key len = 12
ebace718 6f0a0626 [0] / 0x774c39de } QM; MESSAGE: Phase 2 connection succeeded,
Using PFS, group = 2
Jul 29 12:32:39 ike_qm_call_callback: MESSAGE: Phase 2 connection succeeded,
Using PFS, group = 2
ebace718 6f0a0626 [0] / 0x774c39de } QM; MESSAGE: SA[0][0] = ESP aes, life = 0
kB/28800 sec, group = 2, tunnel, hmac-sha1-96, key len = 128, key rounds = 0
Jul 29 12:32:39 ike_qm_call_callback: MESSAGE: SA[0][0] = ESP aes, life = 0
kB/28800 sec, group = 2, tunnel, hmac-sha1-96, key len = 128, key rounds = 0
# Example output for proposal mismatch in phase 2 looks like this:

Jul 29 12:40:25 10.2.1.1:500 (Responder) <-> 10.2.1.100:500 { a0e2f3a5 e02b5e54 -
9b9f2cf3 bf990db6 [0] / 0xf1d579af } QM; Error = No proposal chosen (14)
# Example output for a Proxy-ID mismatch looks like this

Apr 19 12:47:20 KMD_PM_P2_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-2
[responder] failed for p1_local=ipv4(udp:500,[0..3]=172.16.42.210)
p1_remote=usr@fqdn(udp:500,[0..14]=testvpn@lab.com)
p2_local=ipv4_subnet(any:0,[0..7]=10.0.42.210/24)
p2_remote=ipv4_subnet(any:0,[0..7]=192.16.42.220/24)
VPN CONFIGURATION AND TROUBLESHOOTING
FLOW CHART WITH KNOWLEDGEBASE ENTRIES

DYNAMIC VPN CLIENT
LICENSING FOR DYNAMIC VPN
By default all Branch SRX include a license for up to 2 connections.

If you need more than 2 connections, there are licenses available.
Licenses are additive (two 5 user licenses will give you access for up to
10 users)
The client is included as part of the JUNOS Image and can be
downloaded from the SRX. In 11.1 the dynamic VPN client was
replaced with the JUNOS Pulse Client

DYNAMIC VPN
Dynamic VPN feature is available for Branch SRX, not for Datacenter SRX
The following limitations where removed with 10.4
Before 10.4 an external Radius Server was mandatory for Authentication and IP
Address Assignment. Local Users and IP-Pools are not supported
Before 10.4 a IKE-Gateway was required for each and every VPN user.
10.4 introduces shared/Group-IKE-ID
Before 10.4 Only Hostnames are allowed as ike-id (no FQDN, no Email address)
Before 10.4 Access to the Authentication Page did requires the public interface is
opened for web management
In 11.2r3 the capacities for dynamic VPN where increased
SRX-RAC-500-LTU for SRX650 - requires JUNOS 11.2R3
SRX-RAC-250-LTU for SRX240 and 650 - requires JUNOS 11.2R3
SRX-RAC-150-LTU for 650/240/220
SRX-RAC-25-LTU for 210/100

DYNAMIC VPN - PREPARATION
The following Notes are based on pre 10.4 Releases. You should better use
the latest, excellent Configuration Example from
http://kb.juniper.net/index?page=content&id=KB14318
Since 11.4 J-Web offers a Wizard to complete the configuration
There is also a good Troubleshooting Guide from
# Set correct time zone, date and time NTP
set system time-zone Europe/Berlin
# In Operation Mode
srx> set date YYYYMMDDhhmm.ss or
srx> set date ntp de.pool.ntp.org
27 Apr 16:10:48 ntpdate[981]: step time server 213.61.224.44 offset 0.000876 sec
# use this configuration statement to activate a self signed certificate (unless you have a signed one)
set system services web-management https system-generated-certificate
# and enable https traffic on the desired interface

set security zones security-zone untrust host-inbound-traffic system-services https
# Since 10.3: if an interface accepts dynamic-vpn connections all http traffic is redirected to
# https://<ip>/dynamic-vpn so you can not manage any more on this interface unless you
# specify a URL (see KB19411 )
set system services web-management management-url admin

VPN CONFIGURATION
Enable IKE Traffic on the untrust interface

set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-
traffic system-services ike
Define Phase 1 Proposal

set security ike proposal P1-Dynamic-AES authentication-method pre-shared-keys
set security ike proposal P1-Dynamic-AES dh-group group2
set security ike proposal P1-Dynamic-AES authentication-algorithm sha1
set security ike proposal P1-Dynamic-AES encryption-algorithm aes-128-cbc
Define Phase 2 Proposal

set security ipsec proposal P2-Dynamic-AES protocol esp
set security ipsec proposal P2-Dynamic-AES authentication-algorithm hmac-sha1-96
set security ipsec proposal P2-Dynamic-AES encryption-algorithm aes-128-cbc

VPN CONFIGURATION
Phase 1 - Gateway Definition

set security ike policy dynvpn mode aggressive
set security ike policy dynvpn proposals P1-Dynamic-AES
set security ike policy dynvpn pre-shared-key ascii-text juniper
set security ike gateway gw-dyn dynamic hostname dynvpn.juniper.net
set security ike gateway gw-dyn external-interface ge-0/0/1.0
set security ike gateway gw-dyn ike-policy dynvpn
set security ike gateway gw-dyn xauth access-profile vpn-users
Phase 2 - VPN Definition

set security ipsec policy dynvpn proposals P2-Dynamic-AES
set security ipsec policy dynvpn perfect-forward-secrecy keys group2
set security ipsec vpn ipsec-dyn ike gateway gw-dyn
set security ipsec vpn ipsec-dyn ike ipsec-policy dynvpn

VPN CONFIGURATION
Add a Access Profile and Users Definition for the

IPSEC client authentication (used with xauth)
# Create a Profile
set access profile vpn-users authentication-order password
# Add two Users to this Profile

set access profile vpn-users client thomas firewall-user password secret1
set access profile vpn-users client peter firewall-user password secret2
# The above definition with local users may work, but officially we
# currently support xauth in IPSEC only together with Radius Authentication
set profile radius_profile authentication-order radius;
set profile radius_profile radius-server 10.204.129.50 secret xxx
Allow the same users from the local profile

to login for IPSEC client download
# Create a Profile
set access firewall-authentication pass-through default-profile vpn-users

VPN CONFIGURATION
Prepare a Policy to permit the Clients Traffic

# Install a Policy for VPN Clients
edit security policies from-zone untrust to-zone trust policy policy-dynvpn
set then permit tunnel ipsec-vpn ipsec-dyn
set then log session-close
exit
# And more it to the beginning

edit security policies from-zone untrust to-zone trust
insert policy policy-dynvpn before policy default-permit
exit

VPN CONFIGURATION
Prepare Security Policy to be delivered to the Client

# Upgrade Policy for VPN Clients (if local policy of client is newer)
set security dynamic-vpn force-upgrade
# User profile for loading the Client

set security dynamic-vpn access-profile vpn-users
# Destinations that are reachable through VPN

set security dynamic-vpn clients client-1 remote-protected-resources 192.168.1.0/24
# Destinations are reachable without going through VPN
set security dynamic-vpn clients client-1 remote-exceptions 0.0.0.0/0
# VPN Definitions and Proposals used

set security dynamic-vpn clients client-1 ipsec-vpn ipsec-dyn
# Users that may login with this Profile

set security dynamic-vpn clients client-1 user thomas
set security dynamic-vpn clients client-1 user peter

LOGIN TO DOWNLOAD VPN CLIENT
URL is https://<SRXIP>/dynamic-vpn/

LOGIN TO DOWNLOAD VPN CLIENT

XAUTH - ACCESS MANAGER PROMPTS FOR USERNAME

ACCESS MANAGER WHEN TUNNEL IS ESTABLISHED

MANAGEMENT
LOGGING
MONITORING
ADMIN USERS
AND
MANAGEMENT ACCESS
ADMIN USERS
Set the password of the root user
root> configure
root# set system root-authentication plain-text-password
New password:
Retype new password:
Add another User
root# set system login user netscreen class super-user authentication plain-text-password
New password:

USER ROLES
# Predefined User roles
lab@srx5600# set system login user <username> class ?

<class> Login class
operator permissions [ clear network reset trace view ]
read-only permissions [ view ]
super-user permissions [ all ]
unauthorized permissions [ none ]
[edit]
# Define a new User role - even possible to restrict or permit commands
root# set system login class new-role ?

allow-commands Regular expression for commands to allow explicitly
allow-configuration Regular expression for configure to allow explicitly
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
deny-commands Regular expression for commands to deny explicitly
deny-configuration Regular expression for configure to deny explicitly
idle-timeout Maximum idle time before logout (minutes)
login-alarms Display system alarms when logging in
login-script Execute this login-script when logging in
login-tip Display tip when logging in
+ permissions Set of permitted operation categories
[edit]

CUSTOM ADMINISTRATOR CLASS
# Example for an Admin Class that can configure only certain policies
edit system login class AREA1
set permissions configure
set allow-configuration routing-instances VR-1
set allow-configuration security policies from-zone trust-1 to-zone untrust-1
set allow-configuration security policies from-zone untrust-1 to-zone trust-1
set allow-configuration security zones security-zone trust-1
set allow-configuration security zones security-zone untrust-1
top
edit system login user admin1

set class AREA1
set authentication encrypted-password "$1$6xZjWBto$6PBu4Yf17rMgd.Gm3OGUo/"
top

RADIUS
# Define Server IP, Port and Shared Secret
set system radius-server 10.0.0.100 port 1812 secret abc
# Define Authentication order

set system authentication-order password
set system authentication-order radius
# Specify Source-IP, useful when using VPN-Tunnels or non fxp0

set system radius-server 172.30.81.141 source-address 172.30.80.11
# Assign a class to the remote authenticated users

# By default all Radius Users are mapped to user "remote"
set system login user remote full-name "All Remote Users"
set system login user remote class operator
......
# untested - connection timeout 30 minutes
root# set system login class remote idle-timeout 30
# Online Help
help topic system server-radius
help topic system radius

TACACS+
# Define Server IP and Shared Secret
set system tacplus-server address 172.16.30.1 secret Tacacssecret1
# Define Authentication order (local users first ; then tacplus)

set system authentication-order password
insert system authentication-order tacplus after password
# Specify Source-IP, useful when using VPN-Tunnels or non fxp0

set system tacplus-server 172.16.30.1 source-address 10.0.0.1
# Assign a class to the remote authenticated users

# By default all Tacacs+ Users are mapped to user "remote"
set system login user remote full-name "All Remote Users"
set system login user remote class operator
# Ste connection timeout for user of this class to 30 minutes

root# set system login class remote idle-timeout 30
# Online Help
help topic system tacplus

COOPERATION WITH OTHER USERS ON THE CLI
# Show which other Users are currently logged in on the CLI
show system users
# Write a message to all users

request message all message "Anybody logged in ? Please respond with request message"
# Drop a User
request system logout user <user>
# Drop a connection on a certain terminal

request system logout user <user>
# Lock configuration against other edits

configure exclusive
# Display Message before Login

set system login message "Unauthorized Access is prohibited"
# Display Message after Login

set system login announcement "Don't Forget !!!\nUpgrade is scheduled for Friday noon"

RESTRICTING
MANAGEMENT ACCESS
MANAGEMENT ACCESS OVERVIEW
Current State and Changes over Time
individual protocols must be enabled/disabled per zone or interface (host-inbound-traffic.)
Stateless firewall filter can be applied to interfaces to restrict protocols or source-IPs
Since JUNOS 11.4 Self Traffic Policies (firewall policies with zone junos-host) are the easiest
way to restrict management traffic. They also allow to use all available inspection techniques
(AppFW, AppTrack, IDP ..) on management traffic

PERMIT/RESTRICT MANAGEMENT ACCESS
# First the Desired Service must be running. By default only some services are started
# Defaults from JUNOS 9.6 are written in Bold
set system services ssh

set system services web-management http interface ge-0/0/0.0
set system services telnet
set system services ftp
# HTTPS Access may use a self signed certificate

# Set date and time first (in operational mode) before you activate the self-signed certificate
# use this configuration statement to activate a self signed certificate (unless you have a signed one)
set system services web-management https system-generated-certificate
# Finally you can specify allowed services and protocols per Zone
edit security zones security-zone trust interfaces
set system-services all
set protocols all
top
# or per interface. Per Interface definitions override all per Zone permissions
edit security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic
set system-services https
set system-services ssh
set system-services ping
top

RESTRICT SOURCES FOR MANAGEMENT ACCESS
Before 11.4 Management Access to certain Source-IPs had to be restricted
with stateless Firewall Filter. The filter can be tied to each interface where
host-inbound-traffic is permitted, or directly to the loopback interface lo0.0
# Example to restrict access to the Routing-Engine to a certain subnet
# A first TERM specifies permitted sources

set firewall family inet filter PROTECT-RE term 1 from source-address 192.168.42.0/24
set firewall family inet filter PROTECT-RE term 1 from source-address <CUSTOMER-NETWORK/24>
set firewall family inet filter PROTECT-RE term 1 then accept
# A second term can be used to count all other attempts and fall through to the last term
set firewall family inet filter PROTECT-RE term 2 then count ACCESS-ATTEMPT-RE
set firewall family inet filter PROTECT-RE term 2 then next term
# A third term can be written to drop all other attempts (but this is default already)
# This is because all chains end with a default "deny all" term
set firewall family inet filter PROTECT-RE term 3 then reject
# Now we are ready to assign the Filter to an interface

# If you bind the filter to lo0.0 the filter is applied to incoming traffic from all interfaces
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
# To protect out-of band management interface fxp0 you need to assign the firewall there explicitly
set interfaces fxp0 family inet filter input PROTECT-RE
# To monitor access attempts you can later use the counter with the following command
show firewall filter PROTECT-RE counter ACCESS-ATTEMPT-RE

A TEMPLATE FOR MANAGEMENT ACCESS
# Firewall Filter Example to restrict management access
edit firewall filter RE_Protection

set term in-ssh from source-address <trusted host or network>
set term in-ssh from protocol tcp
set term in-ssh from destination-port ssh
set term in-ssh then accept
set term snmp from source-address <SNMP Poller>
set term snmp from protocol udp
set term snmp from port snmp
set term snmp then accept
set term ntp from source-address <NTP SERVER>/32
set term ntp from source-address <NTP SERVER>/32
set term ntp from protocol udp
set term ntp from port ntp
set term ntp then accept
set term deny-any-other-ssh from protocol tcp
set term deny-any-other-ssh from port ssh
set term deny-any-other-ssh from port telnet
set term deny-any-other-ssh from port ftp
set term deny-any-other-ssh from port ftp-data
set term deny-any-other-ssh then discard
set term deny-any-other-udp from protocol udp
set term deny-any-other-udp from port snmp
set term deny-any-other-udp from port snmptrap
set term deny-any-other-udp from port ntp
set term deny-any-other-udp then discard
set term allow-everything-else then accept
top

SELF TRAFFIC FIREWALL POLICIES
# Beginning with JUNOS 11.4 Traffic from and to the SRX itself
# can now be permitted/denied firewall policies
# This uses the new security-zone "junos-host"
#
# self-traffic is anything from/to the RE with any of the local interfaces
#
# By default all traffic from/to zone junos-host is permitted
# Example: Log and tunnel outbound traffic

edit security from-zone junos-host to-zone zone-untrust policy LOG
set match ......
set then permit tunnel
top
# Example: IDP for inbound traffic

edit security from-zone zone-untrust to-zone junos-host policy INSPECT
set match ......
set then permit application-services idp
top

IN-BAND OR OUT-BAND
MANAGEMENT
IN-BAND OR OUT-BAND MANAGEMENT
What is the difference ?
Out-band management connections use the management interface fxp0
In-band management connections use an interface which also is used to forward traffic (for
example ge-x/x/x, fe-x/x/x or rethx )
What is the Advantage/Disadvantage ?

Out-band Management through fxp0
In a HA clusters fxp0 is the only interface which is reachable on the passive node
fxp0 is attached to the default virtual router inet.0
fxp0 is attached to the control plane, no traffic can be forwarded from any interface to fxp0
In Stream Mode - wich is required for high performance logging - security logs can not be
sent out via fxp0
In-band Management
In HA clusters the passive node can not communicate on any in-band management
interface - direct access, monitoring, delivery of software updates, scripts, attack
database updates for this node is not possible and requires workarounds
In-band Management Interfaces can be assigned to any virtual router
In-band Interfaces allow high performance logging (stream mode)

WHICH WAY SHOULD I CHOOSE ?
Out-band Management is preferred
for any Datacenter SRX Cluster because these SRX
NSM Management as virtual chassis is not possible here
for any Branch SRX Cluster installation, where the management systems can connect directly to
the fxp0 interfaces , i.e. are on the same side of the firewall as the management interfaces (see
slides on the next pages for details)
In-band Management is preferred

in all Branch SRX installations which are not clusters
in all Branch SRX cluster installations - where the central management is standing at a central
position and needs to cross the primary SRX first before he can even reach the fxp0 interface of
the passive cluster member
Hint for Clusters: Virtual Chassis Management Option is required for NSM to add the cluster with a
single in-band management connection.
Hint for Clusters: When using In band Management you can leave the fxp0 interfaces on both
members completely unconfigured

IN-BAND MANAGEMENT
UPDATES FOR THE PASSIVE NODE
When In-Band Management is used, the second Node is not directly reachable for management.
This could result in issues for some operations
Software Updates
Use the ISSU and LICU Cluster Upgrade Procedure. They require the image is copied only to the
primary device and is automatically copied to the secondary device
Attack Database Updates

Use JUNOS 11.4 or higher. When Attack Database-Updates are installed, they are automatically
updated on the backup node
Script Installations
Before they can be enabled in the configuration (commit) the scripts must installed on both nodes.
To achieve this, upload scripts to the primary node first, then copy manually to secondary node
Hint: How to get from one Node of a cluster to the other Node ?
If fxp0 interfaces are connected simply use ssh with fxp0-adress of the second node
On Branch SRX use "request routing-engine login node x"
On Datacenter SRX use shell command "rlogin -Ji nodex"

IF IN-BAND OR OUT-BAND IS PREFERRED DEPENDS
ON THE POSITION OF THE MANAGEMENT SYSTEM
Example Setup: SRX650-Cluster with all the Interfaces
Cluster-IP
20.0.0.1
reth0 reth0
ge-1/0/0 Control ge-8/0/0
(untrust) ge-0/0/1 (untrust)
Control
reth1 ge-0/0/1 reth1
ge-1/0/1 fxp0 ge-8/0/1 fxp0
(trust) =ge-0/0/0 (trust) =ge-0/0/0
10.0.0.1 10.0.0.2
Cluster-IP
30.0.0.1

MANGEMENT ON THE SAME NETWORK AS FXP0
OUT-BAND MANAGEMENT IS RECOMMENDED
No changes required, Setup works immediately
NSM or Space can establish ssh connection to both

devices
"Add Device" Workflow is possible
Both Cluster Members use fxp0 to get to

Management
fxp0 (node1) fxp0 (node2)

=ge-0/0/0 =ge-7/0/0
10.0.0.1 10.0.0.2
NSM or Space
10.0.0.3

MANAGEMENT ON DIFFERENT NETWORK AS FXP0
BUT STILL ON THE SAME FIREWALL SIDE
OUT-BAND MANAGEMENT IS RECOMMENDED
Hint for Out-band Management:
Both nodes needs a backuproute

set groups node.. system backup-router destination
40.0.0.3/32 next-hop ....
fxp0 (node1) fxp0 (node2)

=ge-0/0/0 =ge-7/0/0
10.0.0.1 10.0.0.2
Router-IP Router-IP
30.0.0.254 10.0.0.254
Router-IP
40.0.0.254
NSM or Space
40.0.0.3

MANAGEMENT ON EXTERNAL SIDE OF THE FIREWALL
IN-BAND MANAGEMT IS RECOMMENDED
OUT-BAND MANAGEMENT REQUIRES MORE

NSM or Space
COMPLEX ROUTING AND DURING CLUSTER
172.16.42.9
FAILOVER (RG0) MANAGEMENT
CONNECTIONS HAVE TO BE REESTABLISHED
Hints for In-band Management:

Cluster-IP
20.0.0.1 - There is only one connection between SRX and
the Management System (using reth0 of the
active node)
reth0 - For NSM use the Virtual Chassis Management
ge-1/0/0 Option
(untrust) - For Space add just the active node
reth1 Hints for Out-band Management

ge-1/0/1 fxp0 (node2)
(trust) =ge-7/0/0 - use several VRs on SRX. fxp0 must stay in
10.0.0.2 inet.0, all other interfaces go to another VR.
- If you have IKE Traffic this will require

JUNOS 10.4 or higher to terminate IKE
in a custom VR.
Cluster-IP
30.0.0.1 - Both nodes needs a backuproute
set groups node.. system backup-router
destination 172.16.42.9/32 next-hop ...
Router-IP Router-IP
30.0.0.254 10.0.0.254
LOGGING WITH SYSLOG
SRX LOGGING INFRASTRUCTURE
SRX Logs can come from two different sources
From the Control Plane (Management, Routing Daemons ...)
From the Data Plane (Firewall, IDP, AppFirewall, UTM, VPN ..)
Control Plane Logs (same behavior on all JUNOS Devices)

They can be stored in local files, send to Syslog Servers or NSM
Syslogs and NSM connection can leave the SRX via forwarding interfaces or the fxp0 Management
Interface - This is a normal routing decision
Data Plane Logs on the Branch SRX

By default Data Plane Logs are sent to the Routing Engine (Event mode)
From there they can be stored in local files, send to NSM and send to Syslog Servers
Data Plane Logs on the Datacenter SRX

Data Plane Logs are created on each of the SPCs
Each SPCs can create a maximum of 40K logs / sec / SPC
By Default Data Plane Logs are not sent anywhere
they are not even sent to the Routing Engine

WHERE IS THE CHALLENGE ?
You have two options to send Dataplane Logs (Firewall, IDP, UTM, AppSecure ...)
Event Mode Logging

All Data plane Logs are sent to the Routing-Engine and they are sent further from there
This is the default configuration for Branch SRX
Event Mode logging can be used if log rates are low
To avoid RE overload rate limits are in place. These will drop logs in event mode
Stream Mode Logging

Data plane Logs are not sent to the Routing Engine
Data plane Logs can leave the device from every interface
(except fxp0, which is tied to the Routing Engine)
This is the default configuration for Datacenter SRX
Stream Mode Logging are mandatory for high log rates

STREAM MODE
LOGGING TO STRM, OR A SYSLOG SERVER
Controlplane Dataplane
(Process Logs) (Process Logs)
On a single SRX
- Control plane and Data plane Logs
can use the same egress interface
On SRX Cluster
- Control plane Logs come from the
Management Interface fxp0
- Data plane Logs need another
interface
STRM
(Syslog Server)

EVENT MODE
LOGGING TO NSM1)
Branch SRX:
default mode
Datacenter SRX:
possible since 10.0 (1.5kEPS Ratelimit)
STRM
NSM
(Syslog Server)
1) Uses the normal, encrypted connection from the SRX to NSM

STREAM MODE
LOGGING TO NSM2)
NSM
2) Dataplane Logs sent as Syslog from SRX to NSM - requires NSM 2011.1 or higher
STREAM MODE
HOW MANY INTERFACES ARE INVOLVED ?
Simple solution - use two interfaces on SRX and STRM Controlplane Dataplane
Looking at the log picture it is obvious that SRX might use
different interfaces to send the two types of logs
Since two interfaces of the same VR can not be in the same
network, the two interfaces have to be in two different networks or VRs
The easiest solution is, when LOG reciver and SRX both use two
interfaces too. STRM can be reconfigured to use two interfaces and IPs.
Still simple solution - use only one interfaces on both sides

STRM
If STRM - or another Log-Receiver has only one Interface/IP then the (Syslog Server)
SRX must be reconfigured to send all logs through one interface
This one interface can not be fxp0 - because dataplane logs, can not be
delivered through fxp0 - so it must be a forwarding interface
If this forwarding interface is in inet.0 you only need a hostroute to this
interface. If it is in another VR you need to hostroute to next-table vr
Worst case - need to add a logging interface in the same network as fxp0
When you migrate from event to stream logs and can not add additonal
interfaces on other networks than the one existing on fxp0
So you have to add a second forwarding interface in the same network
This is only possible when this interface is in another VR than fxp0
See Next Page (Logging with Overlapping Interface IP) for a complete
configuration example
DATACENTER SRX
LOGGING WITH OVERLAPPING INTERFACE IP
# Datacenter SRX uses fxp0 for RE Logs and a Forwarding Interface for Security Logs
# If Syslog-Receiver is attached to the same Management LAN as the fxp0, you need a
# second interface/VR to that LAN to deliver Security Logs (Firewall Traffic and IDP)
# For this worst case, we have two interfaces in the same network
set interfaces fxp0 unit 0 family inet address 10.0.0.1/24
set interface reth7 unit 0 family inet address 10.0.0.2/24
# Controlplane-Logs , use Source-IP of egress interface to avoid ARP problems !!

set system syslog host 10.0.0.100 any any
set system syslog host 10.0.0.100 source-address 10.0.0.2
# Dataplane-Logs, from the SPCs leave via an forwarding interface)

# also use source-IP of the egress interface
set security log format sd-syslog
set security log source-address 10.0.0.2
set security log stream Log host 10.0.0.100
# To allow two interfaces on the same net, one interface must be moved to a custom VR
set routing-instances Logging instance-type virtual-router
set routing-instances Logging interface reth7.0
# Now we use a host-route to send all trafic for the Log-Receiver to this VR
set routing-options static route 10.0.0.100/32 next-table Logging.inet.0
# Potential other workaround (UNTESTED)

# Use Command to set Default Management IP to Loopback interface IP
set system default-address-selection ....

SYSLOG ADDITONAL INFORMATION
SYSLOG
A LIST OF POSSIBLE EVENTS
Syslog event list (Control plane Events)

# List all possible syslog events
srx> help syslog
Syslog tag Help
ACCT_ACCOUNTING_FERROR Error occurred during file processing
ACCT_ACCOUNTING_FOPEN_ERROR Open operation failed on file
ACCT_ACCOUNTING_SMALL_FILE_SIZE Maximum file size is smaller than record size
ACCT_BAD_RECORD_FORMAT Record format does not match accounting profile
ACCT_CU_RTSLIB_ERROR Error occurred obtaining current class usage statistics
ACCT_FORK_ERR Could not create child process
ACCT_FORK_LIMIT_EXCEEDED Could not create child process because of limit
ACCT_GETHOSTNAME_ERROR gethostname function failed
ACCT_MALLOC_FAILURE Memory allocation failed
# List severity and parameters included for each event

srx> help syslog FLOW_SESSION_CREATE
Name: FLOW_SESSION_CREATE
Message: session created <source-address>/<source-port>-><destination-
address>/<destination-port>,<protocol-id>:
<policy-name>
Help: Session create
Description: A security session was created.
Type: Event: This message reports an event, not an error
Severity: info

SYSLOG - EVENT MODE:
TRAFFIC LOG EXAMPLES
root@srx-210# run monitor start default-log-messages
<14>1 2009-08-28T00:00:03.685+02:00 srx-101 RT_FLOW - RT_FLOW_SESSION_CREATE

[junos@2636.1.1.1.2.36 source-address="10.0.101.10" source-port="12288" destination-
address="192.168.100.1" destination-port="1280" service-name="icmp" nat-source-
address="10.0.101.10" nat-source-port="12288" nat-destination-address="192.168.100.1"
nat-destination-port="1280" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-
id="1" policy-name="default-permit" session-id-32="841"] session created
10.0.101.10/12288->192.168.100.1/1280 icmp 10.0.101.10/12288->192.168.100.1/1280 None
None 1 default-permit 841
<14>1 2009-08-28T00:00:06.581+02:00 srx-101 RT_FLOW - RT_FLOW_SESSION_CLOSE

[junos@2636.1.1.1.2.36 reason="response received" source-address="10.0.101.10" source-
port="12288" destination-address="192.168.100.1" destination-port="1280" service-
name="icmp" nat-source-address="10.0.101.10" nat-source-port="12288" nat-destination-
address="192.168.100.1" nat-destination-port="1280" src-nat-rule-name="None" dst-nat-
rule-name="None" protocol-id="1" policy-name="default-permit" session-id-32="841"
packets-from-client="1" bytes-from-client="60" packets-from-server="1" bytes-from-
server="60" elapsed-time="3"] session closed response received: 10.0.101.10/12288-
>192.168.100.1/1280 icmp 10.0.101.10/12288->192.168.100.1/1280 None None 1 default-permit
841 1(60) 1(60) 3
<14>1 2009-08-28T00:10:07.682+02:00 srx-101 RT_FLOW - RT_FLOW_SESSION_DENY

[junos@2636.1.1.1.2.36 source-address="10.0.101.10" source-port="12544" destination-
address="192.168.100.1" destination-port="1280" service-name="icmp" protocol-id="1" icmp-
type="8" policy-name="icmp-drop"] session denied 10.0.101.10/12544->192.168.100.1/1280
icmp 1(8) icmp-drop

SNMP AND RMON
SNMP AGENT
Set System Identification and Community
set snmp location lab-munich
set snmp contact "admin@nirvana.com"
set snmp community public authorization read-only
Enable SNMP access on an interface

set security zones security-zone trust host-inbound-traffic system-services snmp
Restrict SNMP access to certain sources

set snmp community public clients 172.26.0.0/16
set snmp community public clients 0.0.0.0/0 restrict
Restrict SNMP access to certain tables

# Create a View, defining permitted Objects
set snmp view chassis-info oid jnxBoxAnatomy include
set snmp view chassis-info oid snmpMIBObjects include
set snmp view chassis-info oid system include
# And assign view to community

set snmp community chassis-community view chassis-info

SNMP, CLI QUERIES AND TRICKS
# CLI commands exist to make MIB queries or MIB walks
show snmp mib get sysObjectID.0
show snmp mib get "sysName.0 sysContact.0 sysLocation.0"
show snmp mib walk jnxBoxAnatomy
show snmp mib walk jnxContentsSerialNo
# Display OIDs used for a certain table

show snmp mib walk 1.3.6.1.4.1.2636.3.39.1.12.1 | display xml
# Display OIDs for all MIBtables

show snmp mib walk 1 | display xml
# The following commands create and show a list of registered SNMP Instances
show snmp registered-objects
file show /var/log/snmp_reg_objs
# The List of Interface Indices is reboot persistent as it is saved in a file

file show /var/db/dcd.snmp_ix
# Spoof SNMP Traps for simple Testing

request snmp spoof-trap linkUp variable-bindings ifIndex[14] = 14, ifAdminStatus[14] = 1,
ifOperStatus[14] = 2
# A SNMP Table (Tablename jnxUtilData) can be used to store user defined content.
# Event Scripts can be used to update this table
request snmp utility-mib set .....
show snmp mib walk jnxUtilData

SNMP, PRIVATE MIBS AND USEFUL TABLES
# List of all MIBs (including table, which MIBs exist on which device) and SNMP-Traps
# Chassis Hardware
show snmp mib walk [jnxBoxClass|jnxBoxDescr|jnxBoxSerialNo|jnxBoxRevision|jnxBoxInstalled]
show snmp mib walk [jnxBoxAnatomy|jnxContainersTable|jnxContentsTable|jnxFilledTable]
# Field Replaceable units(FRU) in the chassis (includes empty slots)

show snmp mib walk jnxFruTable
# For a List of Modules installed use

show snmp mib walk jnxContentsDescr
# Interfaces, and Interface Information

show snmp mib walk ifDescr
show snmp mib walk [ifTable | ifChassisTable | ifStackTable ]
show snmp mib walk [ipAddrTable | ipAdEntIfIndex ]
# LEDs and Status (primary only)

show snmp mib walk jnxLedTable
# State, Memory Usage and CPU Load on all Modules (always reports both RE as active)
show snmp mib walk jnxOperatingTable

USEFUL OIDS
# SNMP Walk from the CLI through the complete Private MIB and Display with Name and OID
show snmp mib walk .1.3.6.1.4.1.2636 | display xml
# Software version
show snmp mib walk .1.3.6.1.2.1.25.6.3
# Per FPC Statistics on CPU Load, Memory, Temperature

show snmp mib walk jnxOperatingTable
# some columns here are:
show snmp mib walk jnxOperatingDescr
show snmp mib walk jnxOperatingCPU
show snmp mib walk jnxOperatingTemp
show snmp mib walk jnxOperatingBuffer
# On SRX: SPU Monitoring MIB OIDs (Sessions, CPU Load)

show snmp mib walk jnxJsSPUMonitoringMIB
show snmp mib walk 1.3.6.1.4.1.2636.3.39.1.12.1 | display xml
# Disk Usage
show snmp mib walk []
show snmp mib walk 1.3.6.1.2.1.25.2.3.1hrStorageSize | hrStorageUsed

RMON
Monitor SNMP OIDs and generate Traps if something is wrong
# Specify a Group and a Target for Traps
set trap-group overtemperature
set trap-group overtemperature categories rmon-alarm
set trap-group overtemperature targets 10.0.0.1
edit snmp rmon
# Specify what is monitored

set alarm 1 description "Overtemperature on SRX 5600 Midplane"
set alarm 1 variable jnxOperatingTemp.1.1.0.0
set alarm 1 interval 300
set alarm 1 sample-type absolute-value
set alarm 1 rising-threshold 50
set alarm 1 startup-alarm rising-alarm
set alarm 1 rising-event-index 1
# and the resulting event

set event 1 description Heat-Events
set event 1 type log-and-trap
set event 1 community heat-traps

NETFLOW
NETFLOW CONFIGURATION
Specify the sample rate and where to sent the Netflow Data
set forwarding-options sampling input rate 10
set forwarding-options sampling family inet output flow-server 172.30.80.76 port 2056
set forwarding-options sampling family inet output flow-server 172.30.80.76 version 5
Enable Netflow on the desired interface(s) and directions

set interfaces ge-0/0/0 unit 0 family inet sampling input
set interfaces ge-0/0/0 unit 0 family inet sampling output
Note: Activating Netflow will have significant input on the performance.

The smaller the sample rate (input rate), the higher the performance hit

SRX MANAGEMENT WITH NSM
PREPARING JUNOS DEVICES FOR NSM
# sshv2 is mandatory for NSM. SSHv2 is not included in the export restricted
# software version. You will always need the domestic version.
lab@srx5600> show version | match JUNOS
JUNOS Software Release [9.5R2.7]
# For NSM access both ssh and netconf over ssh must be enabled
set system services ssh [protocol-version v2]
set system services netconf ssh
# Recommendation: Use a dedicated NSM user,

# this allow to identify who made certain changes/operations
root# set system login user nsm class super-user authentication plain-text-password
New password:

ENABLE AUTO DISCOVERY WITH NSM
# The Auto discovery Feature allows to scan an IP-address range for Juniper Devices
# and automatically add and import them NSM.
# This feature requires Ping, SSH and SNMP access to the device.
# Enable SSH and netconf via ssh

set system services ssh protocol-version v2
# Enable SNMP
set snmp contact "labuser@juniper.net"
set snmp community public authorization read-write
# Make sure all services required for NSM Auto discovery are opened for access
edit security zones security-zone trust interfaces ge-0/0/0.0
set host-inbound-traffic system-services ping
set host-inbound-traffic system-services ssh
set host-inbound-traffic system-services snmp
top

EXAMPLE:
SENDING LOGS TO NSM (EVENT MODE)
# Control plane Logs from the Routing Engine are sent to NSM per Default
# Data plane Logs from Branch SRX are sent to NSM when a Log file "default-log-messages"
# is written. NSM adds this configuration automatically to SRX with the "device is
# reachable" workflow
set system syslog file default-log-messages any any
set system syslog file default-log-messages structured-data
# On Datacenter SRX Traffic Logs are not sent to the Routing-Engine by Default
# as the preferred logging method is to stream the logs directly
# from a forwarding interface. If Log Volume is low, the Logs can also be sent
# to the routing-engine. The following statements allow to do this since JUNOS 10.0
set security log mode event
set security log mode event event-rate 1000

EXAMPLE:
SENDING LOGS TO NSM (STREAM MODE)
# Again, Control plane Logs from the Routing Engine are sent to NSM per Default
# Since NSM Version 2011.1 it is possible to send Security Logs via Syslog in stream-mode
# Check page 767 of the NSM Admin Guide for the necessary DevSrv Configuration Changes
# Add "devSvr.enableSyslogOverUdp true " to /var/netscreen/DevSvr/var/devSvr.cfg file
# On the SRX side use the following configuration statements to send traffic logs
# via syslog to NSM
set security log mode stream
# Primary NSM
set security log stream NSM1 format sd-syslog
set security log stream NSM1 host <primary DevSvr IP>
set security log stream NSM1 host port 5140
# If NSM is a HA Cluster use a second feed to send logs to the secondary NSM
set security log stream NSM2 format sd-syslog
set security log stream NSM2 host <Secondary DevSvr IP>
set security log stream NSM2 host port 5140

ADDITIONAL REMARKS
When using Out-band Management :
Start Import to NSM with the passive Member (RG0) first. Som e NSM versions had trouble when
import started with the active member
When using In-band Management:

Don't mix in-band and out-band management.
If you choose in-band Management then leave the fxp0 interfaces on both members unconfigured.
This avoids that the passive member ever connects to NSM
When changing between Outband and Inband Management:

"delete system services outbound-ssh" - from the normal stanza and from the groups stanza,
Otherwise you might end up with multiple, conflicting entries.
In some cases you might have to reboot to make all configuration changes effective
To establish the NSM connection through a VPN Tunnel

to implement this, you should use inband management and introduce a loopback IP, or a numbered
VPN-Tunnelinterface. Otherwise the SRX could use an Interface IP where you don't have proper
Routing back from the NSM through the VPN tunnel.

MANAGING SRX CLUSTERS WITH NSM
WHERE IS THE CHALLENGE ?
You have two options to manage a Cluster in NSM
Out-band Management
For out-band management you connect to the fxp0 Interfaces of the cluster members
You add a cluster-object to NSM and add both members (start with the node where RG0 is
passive)
In-band Management (Branch SRX only)

You connect to the master device via one of reth interfaces
You configure the device for cluster-management and add only one device to NSM

In-band Management
Virtual Chassis Representation of SRX Clusters
# Virtual-chassis configuration, makes a Cluster manageable in NSM as a single device
# This is supported only on Branch SRX since JUNOS 10.1R2 or 10.2R2 or higher.
# You need the following configuration statement in JUNOS
set chassis cluster network-management cluster-master
# In NSM you add just a single virtual chassi device (the current primary).
# Only the master will attempt to establish a session to NSM.
# He can use any interface to establish this connection.

ADDITIONAL REMARKS
When using Out-band Management :
Start Import to NSM with the passive Member (RG0) first.
When using In-band Management:

Leave the fxp0 interfaces on both members unconfigured
NSM can not be used to perform Software Updates or push Attack Database Updates
When changing between Out-band and In-band Management:

"delete system services outbound-ssh" - from the normal stanza and from the groups stanza,
Otherwise you might end up with multiple, conflicting entries.
In some cases you might have to reboot to make all configuration changes effective
To establish the NSM connection through a VPN Tunnel

to implement this, you should use in band management and introduce a loopback IP, or a numbered
VPN-Tunnel interface. Otherwise the SRX could use an Interface IP where you don't have proper
Routing back from the NSM through the VPN tunnel.

MANAGEMENT WITH
JUNOS SPACE / SECURITY DESIGN
PREPARING JUNOS DEVICES FOR SPACE
# For Space access both ssh and netconf over ssh must be enabled
set system services ssh [protocol-version v2]
# Recommendation: Use a dedicated Space user,

# this allow to identify who made certain changes/operations
root# set system login user space class super-user authentication plain-text-password
New password:
# Enable SSH and netconf via ssh

set system services ssh protocol-version v2
# When SNMP is enable before device discovery, Space (OpenNMS) will collect and
# visualize SNMP data from the device. It will also reconfigure the device to send
# traps to Space.
set snmp contact "labuser@juniper.net"
set snmp community public authorization read-write
# Make sure all services required for Space Discovery are opened for access
edit security zones security-zone trust interfaces ge-0/0/0.0
set host-inbound-traffic system-services ping
set host-inbound-traffic system-services ssh
set host-inbound-traffic system-services snmp
top

ADDITIONAL REMARKS (1)
For initial device discovery Space uses ping and ssh/netconf connection to the device
Future direction of management connection depends on Space Application Settings (at the time the
device was discovered). By default Junos Space attemts to establish the connection
If the default is changed Space reconfigures the device during discovery to initiate the connection

ADDITIONAL REMARKS (2)
Space can detect and manage a SRX cluster in both ways:
- with only one in-band management connection to fxp0 (just add one device)
- with two out-band management connections to fxp0
(add both devices in platform, security design creates a cluster view of the security device)

MONITORING SRX LOGS WITH STRM
STREAM MODE LOGS FROM SRX TO STRM
# In this example we send both Control and Dataplane Logs through one
# interface (reth7) which is member of Default VR inet.0
# Destination for both logs is 10.0.0.100
# Source-IP for both logs is 10.0.0.2
# Interface IP for the interface connected to STRM

# Controlplane-Logs , use Source-IP of egress interface to avoid ARP problems !!

set system syslog host 10.0.0.100 any any
set system syslog host 10.0.0.100 source-address 10.0.0.2
# Dataplane-Logs, from the SPCs leave via an forwarding interface)

# also use source-IP of the egress interface
set security log stream Log host 10.0.0.100
# Caveat: STRM can no longer reach fxp0 of the SRX, because all routing to
# STRM Host IP goes through reth7, and traffic from reth7 to fxp0 is not possible.

MONITORING SRX LOGS WITH J-WEB
ACTIVATE LOGS IN J-WEB

EXAMINE LOGS FROM EVENT VIEWER

EXAMINE LOGS FROM POLICY VIEW

FIREWALL ACTIVITY ON J-WEB REPORTING PAGE

TROUBLESHOOTING
NOTES FOR TROUBLESHOOTING
The WEB-UI has a number of useful Pages for Monitoring and
Troubleshooting
JUNOS CLI has powerful Monitoring Commands and offer a lot
of counters and status information
SNMP and RPM also have a good coverage to allow continuous
and ongoing monitoring
Default Log Files exist to track various error conditions
Additional Logs and Debugs can be enabled from the CLI,
writing to separate Log Files or to external Servers
OP Scripts can be used to create custom monitor commands
Event Scripts can be used to trigger actions when events occur

WEB-UI FOR MONITORING

IMPORTANT CLI MONITORING COMMANDS
show version Software version
show chassis hardware detail Hardware and Serial Numbers
show chassis environment Temperatures, Fan and Power Supply
show chassis routing-engine Temperatures, Memory, CPU Load (Routing Engine)
show security monitoring fpc x CPU Load (Flow Processors / SPCs )
show system storage Flash and Disk Usage
show system license Display installed Licenses
show interfaces terse Quick Overview of all Interfaces
show interfaces description Quick Overview of all Interfaces with Description
show interfaces extensive Details Interface and Zone Counters
show route <x.x.x.x> Routing Table Lookups (to get to x.x.x.x)
show security policies List Policies

show security polices detail | find xx Details for a certain ID
show security flow session Current sessions
show security match-policies ... Policy Lookup (added in JUNOS 10.3)
show security zones Security Zones and Interface Binding
show system alarms Alarms
show chassis alarms Alarms

LIVE COUNTERS FOR ALL INTERFACES
Use "monitor interface traffic" to watch live counters on all
available Interfaces. Default Update Interval is 2 seconds

LIVE COUNTERS FOR A CERTAIN INTERFACE
Use monitor interface <ifname> to watch live counters on a
certain interface. Default update interval is every 2 seconds

LIVE TRAFFIC FOR A CERTAIN INTERFACE
(TCPDUMP OF RE TRAFFIC)
Before you start:
This is not promiscuous mode
You will see Broadcast/Unicast/Multicast traffic to the Routing engine
ICMP Traffic to the Route Engine is excluded (SRX, EX and J-Series)
Use the documentation to detect all options
This Option is available from Web-UI, CLI and Shell
Monitor Traffic on a Interface

user> monitor traffic interface e1-0/0/0.0 no-resolve
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Listening on e1-0/0/0.0, capture size 96 bytes
03:03:58.025661 Out IP 10.12.0.1 > 224.0.0.13: 10.12.0.1 > 224.0.0.13:PIMv2, Hello (0), length: 34
03:03:58.237360 In IS-IS, p2p IIH, src-id 1921.6800.1223, length 58
03:03:59.089303 Out IP 10.12.0.1.646 > 224.0.0.2.646: LDP, Label-Space-ID: 192.168.1.222:0, pdu-length: 38
03:03:59.555743 Out IP 10.12.0.1 > 224.0.0.1: igmp query v2
The same function is available from the shell

user> start shell
% su
root@PBR% tcpdump -ni e1-0/0/0.0
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Listening on e1-0/0/0.0, capture size 96 bytes
03:06:47.943726 In IP 10.12.0.2 > 224.0.0.13: 10.12.0.2 > 224.0.0.13:PIMv2, Hello (0), length: 34
03:06:49.603895 In IP 10.12.0.2.646 > 224.0.0.2.646: LDP, Label-Space-ID: 192.168.1.223:0, pdu-length: 38
03:06:50.200510 Out IS-IS, p2p IIH, src-id 1921.6800.1222, length 58

LOG FILES AND SYSLOG
All Log files live in /var/log
"show log" or "file list /var/log" List all Log files available (under /var/log)
show log messages Show Log File "messages" from start
show log messages | last 100 List last 100 Log Messages
show log messages | match LOGIN Search within the Log
show log messages | trim 39 Remove first 39 columns from each line
monitor start <file> Send Logs to terminal (like tail -f)
See also Chapter Logging and Syslog

TYPICAL WAY TO ENABLE DEBUGGING
In many sections of the configuration it is possible to activate

traceoptions (example: set system services dhcp traceoptions..)
set traceoptions file filename
files (default 10)
size (default 128k)
read permissions (e.g.. world-readable)
set traceoptions flag
What do you want to look at?
monitor start filename
like Unix tail f
multiple people can view log files at same time

DEBUGGING A FIREWALL FLOW
SEE HTTP://KB.JUNIPER.NET/KB16110
# Specify a file where to save the Traces
edit security flow traceoptions
set file flowtrace
set file size 1m files 3
set flag basic-datapath
# Use filters to reduce the volume of data
set packet-filter FILTER1 source-prefix 10.48.255.0/24
# Second condition for same filtername is an AND condition
set packet-filter FILTER1 destination-prefix 192.168.210.0/24
# Additional condition with different filtername is an OR condition
set packet-filter FILTER2 source-prefix 192.168.210.0/24
set packet-filter FILTER2 destination-prefix 192.168.220.0/24
top
# Logging to File starts after commit

commit and-quit
# To start Live Monitoring, just monitor the file

monitor start flowtrace
# To quickly pause and resume Output !! This does not stop logging to the File !!
Press "ESC-Q"
# To stop Real-Time monitoring !! This does not stop logging to the File !!
monitor stop
# To turn off logging to the File you must deactivate or delete the configuration
deactivate security flow traceoptions
commit
EXAMPLE OUTPUT (1/2)
lab@Demo-081-113>
*** flow-trace ***
Aug 2 22:04:36 22:04:35.935844:CID-1:RT:<10.10.20.2/2048->10.10.10.2/49265;1> matched filter f0:
Aug 2 22:04:36 22:04:35.935862:CID-1:RT:packet [84] ipid = 0, @4bb0526e
Aug 2 22:04:36 22:04:35.935872:CID-1:RT:---- flow_process_pkt: (thd 0): flow_ctxt type 0, common flag 0x0,
mbuf 0x4bb05060
Aug 2 22:04:36 22:04:35.935881:CID-1:RT: flow process pak fast ifl 67 in_ifp reth1.0
Aug 2 22:04:36 22:04:35.935896:CID-1:RT: reth1.0:10.10.20.2->10.10.10.2, icmp, (8/0)
Aug 2 22:04:36 22:04:35.935907:CID-1:RT: find flow: table 0x4e789b20, hash 9938(0xffff), sa 10.10.20.2, da
10.10.10.2, sp 1, dp 34861, proto 1, tok 448
Aug 2 22:04:36 22:04:35.935926:CID-1:RT: no session found, start first path. in_tunnel - 0, from_cp_flag -
Aug 2 22:04:36 22:04:35.935941:CID-1:RT: flow_first_create_session
Aug 2 22:04:36 22:04:35.935953:CID-1:RT: flow_first_in_dst_nat: in <reth1.0>, out <N/A> dst_adr
10.10.10.2, sp 1, dp 34861
Aug 2 22:04:36 22:04:35.935965:CID-1:RT: chose interface reth1.0 as incoming nat if.
Aug 2 22:04:36 22:04:35.935976:CID-1:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to
10.10.10.2(34861)
Aug 2 22:04:36 22:04:35.935988:CID-1:RT:flow_first_routing: call flow_route_lookup(): src_ip 10.10.20.2,
x_dst_ip 10.10.10.2, in ifp reth1.0, out ifp N/A sp 1, dp 34861, ip_proto 1, tos 0
Aug 2 22:04:36 22:04:35.936001:CID-1:RT:Doing DESTINATION addr route-lookup
Aug 2 22:04:36 22:04:35.936017:CID-1:RT: routed (x_dst_ip 10.10.10.2) from untrust (reth1.0 in 1) to
reth0.0, Next-hop: 10.10.10.2
Aug 2 22:04:36 22:04:35.936030:CID-1:RT: policy search from zone untrust-> zone trust
Aug 2 22:04:36 22:04:35.936057:CID-1:RT: app 0, timeout 60s, curr ageout 60s
Aug 2 22:04:36 22:04:35.936095:CID-1:RT:flow_first_src_xlate: src nat 0.0.0.0(1) to 10.10.10.2(34861)
returns status 0, rule/pool id 0/0.
Aug 2 22:04:36 22:04:35.936110:CID-1:RT: dip id = 0/0, 10.10.20.2/1->10.10.20.2/1
Aug 2 22:04:36 22:04:35.936120:CID-1:RT: choose interface reth0.0 as outgoing phy if
Aug 2 22:04:36 22:04:35.936127:CID-1:RT:is_loop_pak: No loop: on ifp: reth0.0, addr: 10.10.10.2, rtt_idx:0
Aug 2 22:04:36 22:04:35.936136:CID-1:RT: check nsrp pak fwd: in_tun=0x0, VSD 1 for out ifp reth0.0
Aug 2 22:04:36 22:04:35.936142:CID-1:RT: vsd 1 is active
Aug 2 22:04:36 22:04:35.936151:CID-1:RT:policy is NULL (wx/pim scenario)
Aug 2 22:04:36 22:04:35.936160:CID-1:RT:sm_flow_interest_check: app_id 0, policy 6, app_svc_en 1, flags
0x2. interested
Aug 2 22:04:36 22:04:35.936171:CID-1:RT:sm_flow_interest_check: app_id 1, policy 6, app_svc_en 0, flags
0x2. not interested
..................
EXAMPLE OUTPUT (2/2)
.............
Aug 2 22:04:36 22:04:35.936178:CID-1:RT:flow_first_service_lookup(): natp(0x5047eb48): app_id, 0(0).
Aug 2 22:04:36 22:04:35.936187:CID-1:RT: service lookup identified service 0.
Aug 2 22:04:36 22:04:35.936194:CID-1:RT: flow_first_final_check: in <reth1.0>, out <reth0.0>
Aug 2 22:04:36 22:04:35.936203:CID-1:RT: existing vector list e20-624fdc28.
Aug 2 22:04:36 22:04:35.936212:CID-1:RT: existing vector list 0-6248ba28.
Aug 2 22:04:36 22:04:35.936220:CID-1:RT: Session (id:26784) created for first pak e20
Aug 2 22:04:36 22:04:35.936229:CID-1:RT: flow_first_install_session======> 0x5047eb48
Aug 2 22:04:36 22:04:35.936236:CID-1:RT: nsp 0x5047eb48, nsp2 0x5047ebb8
Aug 2 22:04:36 22:04:35.936248:CID-1:RT: make_nsp_ready_no_resolve()
Aug 2 22:04:36 22:04:35.936263:CID-1:RT: route lookup: dest-ip 10.10.20.2 orig ifp reth1.0 output_ifp
reth1.0 orig-zone 7 out-zone 7 vsd 1
Aug 2 22:04:36 22:04:35.936274:CID-1:RT: route to 10.10.20.2
Aug 2 22:04:36 22:04:35.936288:CID-1:RT:Installing c2s NP session wing
Aug 2 22:04:36 22:04:35.936293:CID-1:RT:Installing s2c NP session wing
Aug 2 22:04:36 22:04:35.936301:CID-1:RT:sm_flow_notify_session_creation: app_id 0, flags 0x0, ifl_in 67,
zone_in 7, ifl_out 66, zone_out 6
Aug 2 22:04:36 22:04:35.936394:CID-1:RT: flow got session.
Aug 2 22:04:36 22:04:35.936399:CID-1:RT: flow session id 26784
Aug 2 22:04:36 22:04:35.936608:CID-1:RT:mbuf 0x4bb05060, exit nh 0x243c1
Aug 2 22:04:36 22:04:35.936621:CID-1:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
Aug 2 22:04:36 22:04:35.996278:CID-1:RT:<10.10.10.2/0->10.10.20.2/51313;1> matched filter f0:
Aug 2 22:04:36 22:04:35.996296:CID-1:RT:packet [84] ipid = 12824, @4ba9f04e
Aug 2 22:04:36 22:04:35.996307:CID-1:RT:---- flow_process_pkt: (thd 0): flow_ctxt type 0, common flag 0x0,
mbuf 0x4ba9ee40
Aug 2 22:04:36 22:04:35.996318:CID-1:RT: flow process pak fast ifl 66 in_ifp reth0.0
Aug 2 22:04:36 22:04:35.996330:CID-1:RT: reth0.0:10.10.10.2->10.10.20.2, icmp, (0/0)
Aug 2 22:04:36 22:04:35.996341:CID-1:RT: find flow: table 0x4e789b20, hash 33408(0xffff), sa 10.10.10.2, da
10.10.20.2, sp 34861, dp 1, proto 1, tok 384
Aug 2 22:04:36 22:04:35.996362:CID-1:RT: flow got session.
Aug 2 22:04:36 22:04:35.996366:CID-1:RT: flow session id 26784
Aug 2 22:04:36 22:04:35.996520:CID-1:RT:mbuf 0x4ba9ee40, exit nh 0x20bc1
Aug 2 22:04:36 22:04:35.996533:CID-1:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
DEBUGGING PACKET DROPS
# To see Drop Counters per interface for the various drop reasons
show interfaces ge-4/0/1.0 extensive | find Error
# To create a Log file to log Packet drops for a certain Source-Network

edit security flow traceoptions
set file DROPS
set flag packet-drops
set packet-filter FFILTER1 source-prefix 20.0.81.0/24
top
# To see packet drops use

monitor start DROPS
# Search the Log file for packet drops of a certain Source-IP

# The trim command improves readability by removing trailing information
root@srx5600>run file show /var/log/DROPS | find 20.0.81.143 | trim 71
ge-4/2/1.0:20.0.81.143->10.1.80.1, icmp, (8/0)

packet dropped, no route to dest
packet dropped, ROUTE_REJECT_GEN_ICMP.
ge-4/2/1.0:20.0.81.143->20.0.80.2, icmp, (8/0)

packet dropped, denied by policy
packet dropped, policy deny.

BRANCH SRX:
TAKING FULL PACKET CAPTURES (1/2)
# Specify where to write the Packet-Capture
# The file specified below, is later created under /var/tmp/
# The appearing will be appended with ".interfacename" e.g. MY-PCAP.vlan
set forwarding-options packet-capture file filename MY-PCAP
set forwarding-options packet-capture file size 1m
set forwarding-options packet-capture maximum-capture-size 500
# Specify the interface where you want to take the pcap from
set interfaces vlan unit 0 family inet sampling input
set interfaces vlan unit 0 family inet sampling output
# Specify a Filter to collect only certain Packets

edit firewall family inet filter PCAP
term 1 from source-address 192.168.210.2/32
term 1 then sample accept
term 2 from destination-address 192.168.210.2/32
term 2 then sample accept
top
# Apply this filter to the input and output direction (maybe input is obsolete ?)
set interfaces vlan unit 0 family inet filter output PCAP
set interfaces vlan unit 0 family inet filter input PCAP
# Wipe the old file before taking new pcaps

run file delete /var/tmp/MY-PCAP.vlan
# and start the PCAP
commit and-quit

BRANCH SRX:
# CLI Command to copy File to a remote FTP-Server to inspect with wireshark
# You can also use scp, tftp and http in the Destination-URL
file copy /var/tmp/MY-PCAP.vlan ftp://username:prompt@172.16.42.210/var/tmp
# Tweak to view the pcap file from the shell:

start shell
cd /var/tmp
tcpdump -n -r MY-PCAP.vlan
# Here is CLI Help with more Details

help reference forwarding-options packet-capture
# And here is Online Documentation

http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junos-
security-admin-guide/config-pcap-chapter.html#config-pcap-chapter

DATACENTER SRX:
# Since JUNOS 10.4r1 Data Path Debugging on Datacenter SRX
# allows to take packet captures
edit security datapath-debug

set capture-file SRXPCAP format pcap size 1m files 5
set maximum-capture-size 100
set action-profile do-capture event np-ingress packet-dump
set packet-filter PCAP1 source-prefix 192.168.1.1/32 action-profile do-capture
set packet-filter PCAP2 destination-prefix 192.168.1.1/32 action-profile do-capture
top
# The start/stop of capture is controlled by CLI

request security datapath-debug capture (start|stop)
# To inspect the resulting PCAP either copy it to a system with Wireshark installed
# or start a shell locally and use "tcpdump -nr /var/log/SRXPCAP"

USEFUL TROUBLESHOOTING INFORMATION
JUNOS Troubleshooting and Monitoring Day One Booklet

Data Collection Checklist KB21781
ScreenOS Debug Commands and JUNOS equivalent KB14000
SRX Troubleshooting Commands KB15779
Monitor interface and Monitor traffic Admin Guide
Taking Packet Captures Admin Guide
Troubleshooting SRX High Availability KB15911
Debug Flow KB16108
Configuring and Troubleshooting VPN KBGuide
Troubleshooting Dynamic VPN KB17220

TOOLBOX
ACCESS LISTS
PACKETFILTER ON A STATEFUL FIREWALL ?
Access lists or Stateless Filters are already in JUNOS for years
Stateless Filters are still useful for three Tasks

Filter and Redirect Traffic
Classify Traffic for QoS purposes
Implement Counters
Configuration uses the "set firewall ." stanza

root# set firewall ....
On many JUNOS interface cards the stateless filters are

implemented on Hardware Level and do not consume CPU
performance

FIREWALL FILTER EXAMPLE (COUNTING ONLY)
# Define a Firewall Filter to count SSH Traffic
set firewall family inet filter TEST term 1 from source-address 0.0.0.0/0
set firewall family inet filter TEST term 1 from port 22
set firewall family inet filter TEST term 1 then count MYCOUNT
set firewall family inet filter TEST term 1 then accept
# We need a second term to permit everything else

# This is because all firewall filter chains end with a default "deny all" term
set firewall family inet filter TEST term 2 from source-address 0.0.0.0/0
set firewall family inet filter TEST term 2 then accept
# Now we are ready to assign the Filter to an interface

set interfaces fe-0/0/7 unit 0 family inet filter input TEST
# Show commands to monitor the counters

lab@SRX210> show firewall counter filter TEST MYCOUNT
Filter: TEST
Counters:
Name Bytes Packets
MYCOUNT 70455 1005
lab@SRX210>

DNS CONFIGURATION
DNS CONFIGURATION
# Set your own hostname
set system hostname mybox
# specify DNS-Server to resolve DNS requests from the SRX

# Example: public DNS Servers from Google
# Example: public DNS Servers from OpenDNS

# Example: public Servers from UltraDNS

# Set own Domainname

set system domain-name test.de
# Today (12.1) SRX does not neither offer DNS-Server nor DNS-Proxy nr Dynamic DNS Client
# DNS-Proxy and Dynaic DNS Client are currently scheduled for 12.1X44

NTP CONFIGURATION
TIME AND NTP CLIENT
# set time zone
set system time-zone Europe/Berlin
# Manual set time/date or simply poll Timeserver

# Specify NTP-Server (here 2 Servers from de.pool.ntp.org)

set system ntp server 78.46.194.186 version 4 prefer
set system ntp server 88.198.34.114 version 4
# Enable NTP reachability during power up and in cluster backup state

set system ntp boot-server 78.46.194.186
# Diagnostics
# What time is it ?
srx> show system uptime | match Current
Current time: 2009-04-22 17:21:20 CEST
srx> show ntp associations no-resolve

remote refid st t when poll reach delay offset jitter
==============================================================================
*192.53.103.104 .PTB. 1 - 504 1024 377 62.492 6.408 0.120

NTP IN HA CLUSTERS
# Define NTP-Server as usual in global context
edit system ntp
set server 10.0.0.1
set source-address 10.0.0.2
top
# Enable NTP on cluster member in backup state (traffic is leaving from fxp0)
edit groups node1 system ntp
set server 10.0.0.1
set source-address ip of fxp0/node1
top
edit groups node1 system ntp

set server 10.0.0.1
set source-address ip of fxp0/node1
top
# Per Node Backup Routes are required, when NTP-Server is not directly connect to fxp0
set groups node0 routing-options static route 10.0.0.0/24 next-hop 192.168.1.254
set groups node1 routing-options static route 10.0.0.0/24 next-hop 192.168.1.254

DHCP
DHCP CLIENT
# Enable DHCP Client on an interface
set interfaces fe-0/0/7 unit 0 family inet dhcp
# permit DHCP traffic on this interface or security zoen

set security zones security-zone untrust host-inbound-traffic interface fe-0/0/7.0
system-services dhcp
# Option: You can propagate DNS/WINS settings learnt from the DHCP client to be
# reused by local DHCP Servers
set system services dhcp propagate-settings fe-0/0/7.0
# Monitoring and Control

show system services dhcp client
request system services dhcp renew

DHCP SERVER
# Pools have Names
edit system services dhcp pool 192.168.1.0/24
set default-lease-time 3600
set domain-name test.de
set router 192.168.1.1
set name-server 192.168.1.1
set address-range low 192.168.1.33
set address-range high 192.168.1.64
# Option - exclude an IP from the Pool
set exclude-address 192.168.1.42
top
# Option - Static Binding, IP must be member of the Pool

edit system services dhcp
set static-binding 00:11:22:33:44:55 fixed-address 192.168.1.33
set static-binding 00:11:22:33:44:55 host-name test
top
# Permit DHCP in the incoming zone

set security zones security-zone trust host-inbound-traffic system-services dhcp
# Monitoring
show system services dhcp pool
show system services dhcp binding
show system services dhcp statistics
show system services dhcp conflict

DHCP RELAY
# Allow incoming DHCP traffic
# "bootp" service is only available in the interface context , not in the zone context
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-
services bootp
# enable on the desired interfaces and forward to your desired destination

edit forwarding-options helpers bootp
set interface ge-0/0/0.0 server 172.18.36.12;
#relay the DHCP request with the source-ip of this interface
set vpn
set relay-agent-option
top
# Until 10.4 DHCP Relay could not be configured inside virtual Routers
# TODO

PPPOE & DSL
PPP OVER ETHERNET
EXAMPLE FOR T-ONLINE, GERMANY
# Define on which interface to use ppp Encapsulation
set fe-0/0/5 unit 0 encapsulation ppp-over-ether
# Use password for authentication

set access profile ppp-profile authentication-order password
# PPP-Interface Settings
set interfaces pp0 unit 0 family inet negotiate-address
set interfaces pp0 unit 0 family inet mtu 1492
# Authentication Credentials
set interfaces pp0 unit 0 ppp-options pap access-profile ppp-profile
set interfaces pp0 unit 0 ppp-options pap local-password xxxxx
set interfaces pp0 unit 0 ppp-options pap local-name xxxx
set interfaces pp0 unit 0 ppp-options pap passive
# PPPoE Settings and binding

set interfaces pp0 unit 0 pppoe-options underlying-interface fe-0/0/5.0
set interfaces pp0 unit 0 pppoe-options auto-reconnect 10
set interfaces pp0 unit 0 pppoe-options client
set interfaces pp0 unit 0 pppoe-options idle-timeout 0
# Diagnostic Commands
show interfaces pp0
show pppoe interfaces
show pppoe statistics
show pppoe statistics
request pppoe [connect|disconnect]
PPP OVER ADSL (FOR T-ONLINE, GERMANY)
BASED ON JUNOS 10.0 WITH ADSL MINI-PIM
# T-Online Germany typically uses the ATM VPI 1 and VCI 32
# Encapsulation is pppoe-over-atm with llc
# ADSL Interface Configuration

set interfaces at-1/0/0 encapsulation ethernet-over-atm
set interfaces at-1/0/0 atm-options vpi 1
set interfaces at-1/0/0 dsl-options operating-mode itu-dmt
set interfaces at-1/0/0 unit 0 encapsulation ppp-over-ether-over-atm-llc
set interfaces at-1/0/0 unit 0 vci 1.32
# PPPoE Configuration on Top of this ADSL-Interface

set interfaces pp0 unit 0 ppp-options pap access-profile T-Online
set interfaces pp0 unit 0 ppp-options pap local-name "xxxx@t-online.de"
set interfaces pp0 unit 0 ppp-options pap local-password "xxxx"
set interfaces pp0 unit 0 ppp-options pap passive
set interfaces pp0 unit 0 ppp-options lcp-max-conf-req 0
set interfaces pp0 unit 0 ppp-options ncp-max-conf-req 0
set interfaces pp0 unit 0 pppoe-options underlying-interface at-1/0/0.0
set interfaces pp0 unit 0 pppoe-options idle-timeout 0
set interfaces pp0 unit 0 pppoe-options auto-reconnect 1
set interfaces pp0 unit 0 pppoe-options client
set interfaces pp0 unit 0 family inet mtu 1450
set interfaces pp0 unit 0 family inet negotiate-address
set access profile T-Online client "xxxx@t-online.de" pap-password "xxxx"
# Default Route (mandatory, because negotiated gateway will not appear in routing table)
set routing-options static route 0.0.0.0/0 next-hop pp0.0

SRX AS UAC ENFORCER
SRX AS UAC ENFORCER (1/2)
Important to know:
In contrast to ScreenOS, JUNOS does not need a signed certificate on the IC. If not dedicated configured, JUNOS will
ignore the certificate presented by the IC. The communication is than only protected by password.
Captive Portal support has been added with JUNOS 10.2
For IPSec enforcement the SRX has to be configured manually in contrast to ScreenOS, where the IC is pushing the
IPSec configuration too. Please RTFM
If the IC is configured as cluster you have to configure two ICs on JUNOS using their physical IP addresses. Please do not
use the VIP.
Example configuration with a IC cluster:

# create IC connections
set services unified-access-control infranet-controller uac1 address 10.1.1.1
set services unified-access-control infranet-controller uac1 interface reth2.0
set services unified-access-control infranet-controller uac1 password "<PW-Hash>"
set services unified-access-control infranet-controller uac2 address 10.1.1.2
set services unified-access-control infranet-controller uac2 interface reth2.0
set services unified-access-control infranet-controller uac2 password "<PW-Hash>"
set services unified-access-control timeout 20
set services unified-access-control interval 5
# optional add certificate verification root Certificate has to be loaded to the SRX (see VPN with Certificates)
set services unified-access-control infranet-controller uac1 server-certificate-subject <cert-name>
set services unified-access-control infranet-controller uac1 ca-profile <profile-name>
set services unified-access-control infranet-controller uac2 server-certificate-subject <cert-name>
set services unified-access-control infranet-controller uac2 ca-profile <profile-name>

SRX AS UAC ENFORCER (2/2)
Policy Enforcement with captive portal:
# create a captive portal policy redirect-url is optional
set services unified-access-control captive-portal my-cp-policy redirect-traffic unauthenticated
set services unified-access-control captive-portal my-cp-policy redirect-url https://ic.xyz.com/auth
# create a firewall policy with application-service uac-policy

set security policies from-zone untrust to-zone trust policy uac-enforcem match source-address any
set security policies from-zone untrust to-zone trust policy uac-enforcem match destination-address any
set security policies from-zone untrust to-zone trust policy uac-enforcem match application any
set security policies from-zone untrust to-zone trust policy uac-enforcem then permit application-services uac-policy
captive-portal my-cp-policy
set security policies from-zone untrust to-zone trust policy uac-policy then log session-close
Enforcer-Options:
# enable test-only-mode (only logging without enforcement)
set services unified-access-control test-only-mode
# define timeout-action (if connection to IC is lost)

set services unified-access-control timeout-action <close | no-change | open>

SRX AS UAC ENFORCER
Diagnostics
show services unified access-control status
show services unified access-control policies
show services unified access-control rules
show services unified access-control authentication detail
show services unified access-control role-provisioning all
show security flow session ... extensive

PORT MIRRORING
PORT MIRRORING ON BRANCH SRX
# You can mirror traffic from one L3 interface to a Host on another L3 interface.
# For configuration start with selecting outbound interface and destination host
# Traffic sent, has destination Mac rewritten to his own Mac-Address.
edit forwarding-options port-mirroring
set input rate 1 run-length 10
set family inet output interface ge-0/0/1.0 next-hop 10.0.210.33
top
# Next Configure firewall filter to port mirror. 0.0.0.0/0 is all traffic

edit firewall filter port-mirror term 1
set from source-address 0.0.0.0/0
set then port-mirror accept
top
# Finally set filter on the source interface that should be mirrored

# This must be a physical L3 interface (family inet, not family switching)
set interfaces ge-0/0/0 unit 0 family inet filter input port-mirror
set interfaces ge-0/0/0 unit 0 family inet filter output port-mirror

PORT MIRRORING ON DATCENTER SRX
# mirror port ge-0/0/1 to port ge-0/0/2
edit forwarding-options port-mirroring

set input rate 1 run-length 10
set family any output interface ge-0/0/2
set instance inst1 input rate 1 run-length 10
set instance inst1 family any output interface ge-0/0/2
top
set interfaces ge-0/0/1 port-mirror-instance inst1

CLASS OF SERVICE
JUNOS COS SUMMARY
BA Multifield Ingress FWD

Classifier Classifier Policing Policy
Fabric
Forwarding Class
&
Loss Priority
Rewrite/ Scheduler/ Egress Fabric

marker WRED Policing Priority

COS - BUILDING BLOCKS (1/2)
Ingress Processing
Forwarding Classes and Queues
Classification maps traffic to internal queues The 4 default SRX forwarding-classes map to 4 queues.
Additional Forwarding Classes can be specified
show class-of-service
show interfaces queue ge-0/0/0
IFL Classification (Interface Level Classification of Forwarding Class and Loss Priority)
Specify Class based on interface/sub-interface/logical interface
set class-of-service interfaces <name> unit <x> forwarding-class assured-forwarding
BA Classification (Behavior Aggregate Classification of Forwarding Class and Loss Priority)
Specify Class based on DSCP (IP) or EXP (MPLS) Bits
show class-of-service classifier name dscp-default
set class-of-service interface fe-0/0/3 unit 0 classifiers dscp default
MF Classification (Multifield Classification of Forwarding Class and Loss Priority)
Specify Class based on stateless packet filters
set firewall family inet filter ..... then forwarding-class ...
set interfaces fe-0/0/3 unit 0 family inet filter .....
Simple Filters (Implementation on special Hardware)
Specify only class, loss-priority and policer - no drop, count action, only one prefix
set firewall family inet simple-filter ....
set interface <name> unit <x> family inet simple-filter .....
Ingress Policing (Ingress Rate Limiter)
Single Rate Policer: establish a data rate , drop or change forwarding class when thresholds are exceeded
Example on next pages

COS - BUILDING BLOCKS (2/2)
Egress Processing
Scheduler & Scheduler Map
packet notifications placed into forwarding class queue. Queues serviced by a scheduler using WRR
WRED congestion control operates at the head of the queue
Rewriter
Changes DSCP / EXP Bits
show class-of-service rewrite-rule
set class-of-service interface ge-0/0/0 unit 0 rewrite-rules dscp default
PLP (Packet Loss Priority) & Drop-Profiles
PLP allows to influence queuing within the same queue
set class-of-service drop-profiles ...
set class-of-service scheduler .... drop-profile-map .....
Egress Policing
Single Rate Policer: establish a data rate , drop or change forwarding class when thresholds are exceeded
set policer .... if-exceeding bandwidth-limit ... burst-size-limit ... then

SIMPLE COS EXAMPLE
The previous page does list all available methods
It is not mandatory to apply all of them to get a working COS configuration
A simple example on the next pages fulfills the following requirements

We have a LAN-Interface reth0
We have a WAN-Interface reth1
We have a upstream WAN-Bandwidth of 10Mbps
Traffic from the LAN IP 192.168.1.2 should be able to occupy up to 30%
of the WAN bandwidth, even in congestion situations
To achieve this it relies on the following building blocks only

Use the 4 default classes
Create a classifier
Create schedulers and assign them to the forwarding classes with a scheduler map
Apply your Classifier to the ingress interface(s)
Apply your Scheduler Map to the egress interface(s)

SIMPLE COS EXAMPLE (1/3)
# We have a LAN-Interface reth0
# We have a WAN-Interface reth1
# We have a upstream WAN-Bandwidth of 10Mbps
# Traffic from the LAN IP 192.168.1.2 should be able to occupy up to 30%
# of the WAN bandwidth, even in congestion situations
# 1. Create a Classifier, that puts traffic from the Source-IP 192.168.1.2

# into the separate forwarding-class (assured forwarding".
# Add counters, so we can examine how frequently each decision path is used
edit firewall family inet filter TEST-CLASSIFER

set term VOIP from source-address 192.168.1.201/32
set term VOIP then count SPECIAL
set term VOIP then forwarding-class assured-forwarding
set term VOIP then accept
set term ANY then count ANY
set term ANY then forwarding-class best-effort
set term ANY then accept
top

# 2. Specify behaviour for the different Schedulers
# Start with af (assured forwarding)
# Notes on the scheduler parameters
# transmit-rate: can be considered as the "guaranteed bandwidth", you will always get
it
# shaping-rate: can be considered as the "maximum bandwidth", you can send no more
# loss-priority: influences drop behaviour for packets on the same queue (4 priorities)
# LP is Tag on each packet created by classifier or additional policers
# buffer-size: more buffer size allows bursts, but could introduce higher latencies
edit class-of-service schedulers af
set transmit-rate percent 30
set shaping-rate percent 50
set buffer-size percent 5
set priority high
top
# Continue with be (best effort)

edit class-of-service schedulers be
set buffer-size remainder
set priority low
top
# And don't forget nc (network control)

edit class-of-service schedulers nc
set buffer-size percent 10
set priority strict-high
top
# 3. Create a Map how the schedulers should be applied
# to the different forwarding classes
edit class-of-service scheduler-maps TEST-MAP
set forwarding-class assured-forwarding scheduler af
set forwarding-class best-effort scheduler be
set forwarding-class network-control scheduler nc
top
# 4. Set a shaping-rate for the WAN interface and

# apply the desired Scheduler Map to this interface
set class-of-service interfaces reth1 unit 0 scheduler-map TEST-MAP
set class-of-service interfaces reth1 unit 0 shaping-rate 10m
# 5. Apply Classifiers on the LAN Interface(s), so ingress traffic gets classified

set interfaces reth0 per-unit-scheduler
set interfaces reth0 unit 0 family inet filter input TEST-CLASSIFER
# 6. Enable Scheduler on the WAN Interface, so that egress traffic gets shaped
set interfaces reth1 per-unit-scheduler

INGRESS POLICER (FIREWALL FILTER)
# Ingress Policers with simple Filters depend on Interface Hardware and are not
# available on all systems. Known systems to support these are
# SRX-3K and SRX-5K with Combo Card
# simple-filter might be required instead of firewall filter
# The example below limits traffic from a certain source to 1Mbps
edit firewall policer ONE-MBIT

set if-exceeding bandwidth-limit 1m
set if-exceeding burst-size-limit 63k
set then discard
top
edit firewall family inet filter TESTFILTER term TERM1

set then policer ONE-MBIT
top
# apply this filter on the interface (input or outpour is possible)

set interface reth0 unit 0 family inet filter input TESTFILTER

INGRESS POLICER (SIMPLE FILTER)
# On some Systems simple Filters can be used instead of firewall filters
# Simple Filters are ingress only and have less match options than firewall filters,
# but they are better for performance reasons, because Interface Hardware is used to
# perform the filtering (and thus does not require Performance on the Central Point).
# Known systems that support simple filters are SRX-3K and SRX-5K with Combo-Card
# The example below limits traffic from a certain source to 1Mbps
edit firewall policer ONE-MBIT

set if-exceeding bandwidth-limit 1m
set if-exceeding burst-size-limit 63k
set then discard
top
edit firewall family inet simple-filter TESTFILTER term TERM1

set then policer ONE-MBIT
top
# apply this filter on the interface

set interface reth0 unit 0 family inet simple-filter input TESTFILTER

TROUBLESHOOTING AND FURTHER INFORMATION
# COS Monitoring and Investigation Commands
show class-of-service
show firewall filter
show policer
show interface queue <if-name>
show interface extensive <if-name>
# COS Configuration Guide for Security Devices

http://www.juniper.net/techpubs/en_US/junos12.1/information-products/topic-
collections/security/software-all/class-of-service/junos-security-swconfig-cos.pdf
# SRX Interface Guide

http://www.juniper.net/techpubs/software/junos-security/junos-security95/junos-
security-swconfig-interfaces-and-routing/frameset.html

VIRTUAL CHANNELS (VC)
VC Concept is only available on Branch SRX and J-Series
This approach is useful a central site is sending traffic to several sites
which have limited WAN bandwidth, and the WAN interface of the central
site has more bandwidth, than the branches
Up to 64 virtual channels per system can be supported
Traffic to each site needs to be assigned to VC using firewall filters
Queuing/scheduling/shaping for each VC performed at OUTQ
Configuring shaper for each VC is mandatory
ADSL
DS3 Network T1
E1

VIRTUAL CHANNEL EXAMPLE
edit firewall family inet filter SITE1
set term SITE1 from destination-address 192.2.1.2/32
set term SITE1 then virtual-channel site1;
top
set class-of-service virtual-channels site1
edit virtual-channel-groups WAN
set site1 scheduler-map TEST-MAP
set site1 shaping-rate 2m;
set site2 shaping-rate 1500000
set site4 shaping-rate 1500000
top
# Apply virtual Channels on egress WAN Interface ??
set interfaces ge-0/0/0 per-unit-scheduler
set interfaces ge-0/0/0 unit 0 virtual-channel-group WAN
# Apply Firewall Filters on ingress LAN Interface ??
set interfaces ge-0/0/1 family inet filter input SITE1

COS - NOTES AND LIMITATIONS AND TIPS (1/2)
System Dependencies
SRX branch devices support shaping-rate at the logical (unit) level, not on the physical port.
EX switches support shaping-rate at the physical port level, but not at the logical level
On Datacenter SRX, BA classification is done on NPU and MF classification on SPU
On a given interface, queues can be at one (and only one) of the following levels
Interface
Sub-interface (e.g.. VLAN, DLCI). This is referred as per-unit-scheduling
Virtual-channels (A concept present only in Branch SRX and J series)
Interface Type Dependencies
Today (with JUNOS 10.3) Schedulers can not be applied to Secure Tunnel Interface.
Either apply the Map to the underlying physical interface or use GRE-Tunnels or on
Branch SRX use virtual channels
On SRX Scheduler can be applied on L3-Interfaces and VLAN sub interfaces
Reth interface have a maximum of 4 queues
Interface Hardware Dependencies
Ingress Interface Policing is only available on SRX-5600 and 5800 with Combo Module

COS - NOTES AND LIMITATIONS AND TIPS (2/2)
Default Settings
All router initiated control-plane traffic is automatically assigned to network-control.
Packets originating from protocols such as lldp, rstp, ospf, etc are therefore handled by queue 3
All other traffic goes into best-effort queues
Schedulers are disabled on most interfaces and must be enabled to work
set interface ge-0/0/0 per-unit-scheduler
per-unit-schedulers are enabled per Default on gr- (GRE) , ip- (IPIP) and ls- (Multilink) Interfaces
Bandwidth Calculations
Policers are working on L3 packet sizes
Shapers are working at L2 packet sizes
Tip: Applying Classifiers to multiple Interfaces
set class-of-service interfaces ge-0/0/* unit 0 classifiers ieee-802.1 default

HIGH AVAILABILITY
SOLUTION ARCHITECTURE
GRES provides nonstop failover Single device abstraction

Clean separation of control and
Control Control forwarding planes
Plane fxp1 fxp1 Plane Unified configuration with
Daemons Daemons configuration sync
Node0 Node1
Node 0 Node 1
Forwarding Forwarding
fab0 fab1
Daemon Daemon Control Plane
Data Plane + RTOs
Node0 Node1

TWO CHASSIS CONNECTED TOGETHER
Control Plane
Connection
SPC to SPC
Data Plane
Connection
IOC to IOC

INTERFACE NUMBERING
Interfaces in HA Clusters are renumbered node1

(12-23)
node0
(0-11)
slot 0 slot 12
ge-13/0/0
ge-1/0/0
RE 0
RE 1
slot 23
CLUSTER INTERFACES
MODELL MANAGEMENT Control-Link Fabric-Link
(fxp0) (fxp1)
SRX 100 fe-0/0/6 fe-0/0/7 Any Interface,
tagged - Vlan 4094 1) untagged
MTU on SRX100 is 1628
SRX 210 fe-0/0/6 fe-0.0.7 Any Interface,

Jumbo Frames, MTU 9014
SRX 240 ge-0/0/0 ge-0/0/1 Any Interface,

SRX 650 ge-0/0/0 ge-0/0/1 Any Interface,

J-Series ge-0/0/2 ge-0/0/3 Any Interface,

untagged untagged
SRX 3000 fxp0 onboard HA Port 0 with any Any Interface,

on the Routing Engine type of SFP untagged
untagged Jumbo Frames, MTU 9014
SRX 5000 fxp0 first Port of any SPC Any Interface,

on the Routing Engine same slot SPC on both SRX untagged
313 Fiber
Copyright 2011 Juniper Networks, Inc. SFPs only, untagged
www.juniper.net Jumbo Frames, MTU 9014
1) Vlan tagging became configurable with JUNOS 10.3, Syntax

SRX3000
HARDWARE AND INTERFACE REDUNDANCY
SRX3000 Interface Redundancy Remarks
Management Yes, No
(fxp0) on the Routing Engine
Control link built-in on SFB Module Possible with HA Control untagged,

(fxp1) Use HA Control Port 0 Port 1 on SFB , Requires Jumbo Frames
CRM Module & JUNOS
10.2
Data link Yes Possible since JUNOS 10.2 untagged,
(fab0 & fab1) Jumbo Frames
Uses LAG
Secondary - Not yet supported

Switch Fabric
Secondary - Not yet supported

Routing Engine

SRX5000
HARDWARE AND INTERFACE REDUNDANCY
SRX5000 Interface Redundancy Remarks
Management (fxp0) Yes , Today (10.4) a second

on the first Routing Engine Routing Engine is just used
for Control-Link
Redundancy
Control link (fxp1) first Port of any SPC Requires second Routing Must be on the same SPC
Engine, uses second Port in each Cluster Member
on SPC, supported since Fiber SFPs only !!
JUNOS 10.0,
Data link Yes, can be on any IO- Available since JUNOS
(fab0 & fab1) Card, must be configured 10.2 by using LAG
configuration
Second Switch Second SCB is included in Fallback to single switch

Control Board each SRX-5800 Base reduces maximum
System and is an option for performance
SRX-5600
Third Switch Control Slot exists to install a third
Board SCB on SRX5800 but this
is not yet supported
Secondary - Today (10.4) a second

Routing Engine Routing Engine is just used
315
for Control-Link
Copyright 2011 Juniper Networks, Inc. www.juniper.net
Redundancy
SRX CLUSTER CREATION - STEP BY STEP
Plug-in the cluster control and fabric links
Set the Cluster ID on Both Members and reboot them
On SRX 5000: Configure the Control Ports on Both Members
From now on both members can be configured as one
Specify the Data links (a.k.a. Fabric Ports)
Define Node Specific configuration in Apply-Groups
Define at least 2 Redundancy Groups
Configure Redundant Ethernet Interfaces for these RGs
Continue with the remaining configuration

HIGH AVAILABILITY
CONTROL AND FABRIC LINKS
Create a Cluster
# Cluster ID must be between 1 and 15
# Cluster ID 0 or "disable chassis cluster" unset the cluster
# Each device in the cluster must be given a unique node number
# Reboot is required to make change effective
# This configuration is required on both cluster members
set chassis cluster cluster-id <0-15> node <0-1> reboot
Define Control Ports (on SRX5K between SPCs, Fiber only)

This will become interface fxp1
set chassis cluster control-ports fpc 0 port 0
set chassis cluster control-ports fpc 12 port 0
Define Data Ports (on SRX 5K between IOCs)

fab0 and fab1 are the fabric links
# At least one Interface from each cluster
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
# Since JUNOS 10.2 you can add additional Interfaces

HIGH AVAILABILITY
NODE SPECIFIC CONFIGURATION
Group Configuration (All settings which are Node specific)
# These are the settings for the first Node
set groups node0 system host-name SRX5800-1
set groups node0 system backup-router 172.26.26.1 destination 0.0.0.0/0
set groups node0 interfaces fxp0 unit 0 family inet address 172.26.26.104/24
# These are the settings for the second Node

set groups node1 system host-name SRX5800-2
set groups node1 system backup-router 172.26.26.1 destination 0.0.0.0/0
set groups node1 interfaces fxp0 unit 0 family inet address 172.26.26.105/24
# And here we make sure that both data are part of the configuration,
# but only the node specific settings are applied on each cluster member
set apply-groups "${node}"
# You can specify a secondary to always reach the master

# Don't use this to connect to NSM
set groups node1 interfaces fxp0 unit 0 family inet address 172.26.26.106/24 master-only
set groups node0 interfaces fxp0 unit 0 family inet address 172.26.26.106/24 master-only

HIGH AVAILABILITY
REDUNDANCY GROUPS
Define Two Redundancy Groups for A/P
# Redundancy Group 0 is required for the Routing Engine
set chassis cluster redundancy-group 0 node 0 priority 200

# Redundancy Group 1 is used for redundant interfaces in A/P configuration

Option: A second group for A/A (possible since JUNOS 9.5)

# Redundancy Group 2 is used for redundant interfaces in A/A configuration


HIGH AVAILABILITY
REDUNDANT INTERFACES
Define Number of Redundant Interfaces in your Cluster (at least 2)
# The Total number of redundant Ethernet Interfaces
# This statement allow to creates reth0,reth1,reth2,reth3
set chassis cluster reth-count 4
Configure the redundant Interfaces

set interface reth0 redundant-ether-options redundancy-group 1
set interface reth1 redundant-ether-options redundancy-group 1
Finally assign physical interfaces to them

# Make individual interface members for reth0
set interface ge-0/0/3 gigether-options redundant-parent reth0
# Make individual interface members for reth1


HIGH AVAILABILITY
ADDITIONAL OPTIONS (1)
# Interface Monitoring
# We can release Master Role in case of Layer1 Failure on these Interfaces
set chassis cluster redundancy-group 1 interface-monitor xe-0/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-11/0/0 weight 255
# Optional Pre-emption (fallback, when node with better priority returns)

set chassis cluster redundancy-group 1 preempt
# Optional Holddowntime to prevent too fast failover if redundancy Groups

set chassis cluster redundancy-group 1 hold-down-interval 900
# Track-IP, IP Address Monitoring Redundancy Group

# introduced for Data Center SRX with JUNOS 9.6)
set chassis cluster redundancy-group 1 ip-monitoring family inet 1.1.1.1 weight 255
# Additional Monitoring from Backup Interface was added in JUNOS 10.1
set chassis cluster redundancy-group 1 ip-monitoring interface reth0.0 secondary-ip ..
# Optional Control Link Recovery (introduced with JUNOS 9.6)

# Recovers System from Hold state, by automatic reboot
set chassis cluster control-link-recovery
# Fabric Link Monitoring is disabled per default on High-End SRX since 10.4r4
# to avoid "hold" state after link loss. To enable use the following command
set chassis cluster fabric-monitoring

HIGH AVAILABILITY
Redundant Interface as a VLAN Trunk
set interfaces reth1 vlan-tagging
set interfaces reth1 redundant-ether-options redundancy-group 1
# Best practice: use vlan-id also for the unit number
set security zone security-zone zone11 interface reth1.11
set security zone security-zone zone12 interface reth1.12
Graceful Restart
# If all participants of a routing protocol can handle graceful restart, then
# use this option to avoid downtimes resulting from OSPF or BGP reestablishment
Heartbeat Interval Tuning

# Set Heartbeat Interval (1000..2000, Default is 1000)
set chassis cluster heartbeat-interval [msec]
# Set Heartbeat Threshold (3..8, Default is 3)
set chassis cluster heartbeat-threshold [nr]

HIGH AVAILABILITY
VLAN-Tagging on the Branch SRX Control Link
# On Branch SRX the control link traffic per Default uses VLAN ID 4094
# Since JUNOS 10.3 there is a command available to remove the VLAN tag
# A reboot is required to make the change effective
set chassis cluster control-link-vlan enable/disable
# To see current configuration use the following command

show chassis cluster information
Commit Confirm on SRX Cluster

# Since a Cluster Configuration can be edited on both Routing-Engines,
# there is no "commit confirm" available by default
# To allow "commit confirm" you must enter configuration mode with
configure exclusive

HIGH AVAILABILITY
# Configuration Check
show config groups
show config chassis cluster
show config interfaces
# Hardware Checks
show chassis hardware
show chassis fpc pic-status
show pfe terse
show chassis alarms
show system alarms
# Monitor Cluster Status

show chassis cluster status
show chassis cluster status redundancy-group <xx>
# Display Information about HA interfaces (11.4 show state of redundant HA links too)
show chassis cluster interfaces
# Status information
show chassis cluster statistics
show chassis cluster information
show chassis cluster ip-monitoring status
# In case you find a cluster member in disabled state,

# here is a place to find root cause information
show chassis cluster information no-forwarding

HIGH AVAILABILITY
# Inspect Log Files (For support cases always collect Log files from both Nodes !!)
show log jsrpd or file show /var/log/jsrpd
show log messages or file show /var/log/messages
show log chassisd or file show /var/log/chassid
# For ongoing log file monitoring use

monitor start jsprpd
# To enable additional traces in jsrpd you can configure traceoptions

set chassis cluster traceoptions level all flag all
# To jump from one node to the other you can use the following options:
# CLI-Command for Branch SRX
request routing-engine login node x
# Shell command for Datacenter SRX
rlogin -Ji nodex
# Or usually you can also use ssh with fxp0-adress of the second node
# Knowledgebase: Troubleshooting SRX High Availability

http://kb.juniper.net/library/CUSTOMERSERVICE/Resolution_Guides/SRX/Wrapper_SRX_Chassis_Cluster.html

HIGH AVAILABILITY
CLUSTER CONNECTIONS
# Requirements for HA Cluster connections
- Latency on HA-Links must be below 100msec
- Bandwidth on Fabric-Link: 1Gbps for A/P is sufficient for

A/A with 10GE reth interfaces 10GE fabric links are recommended
- Dual Fabric Links do offer redundancy, but there only one link
is used for forwarding and RTO sync
- When the HA connection is traveling over Switches

- Control link traffic and Fabric Link traffic must be kept on separate
L2 connections (different physical links or different VLANs
- Jumbo Frames must be permitted
- IGMP Snooping must be disabled on the Switch ports involved
- For Branch SRX: disable VLAN-Tagging on Control Link or allow QinQ on Switch
"set chassis cluster control-link-vlan disable"
- Use the Guideline from the following Knowledgebase Article:
SRX Cluster Deployments across L2 Networks
http://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/technotes/3500165-EN.pdf

HIGH AVAILABILITY
MANUAL FAILOVER (1)
Requesting Failover
Manually failover redundancy groups between chassis
RG0 should only be failed over in emergencies
Should only be done after both REs have been up for 5 minutes
Rapid failovers will cause RE crash
RG1 supports rapid failovers
Clearing Failover
Failovers need to be cleared after manually triggered
Prevents accidently failover over

HIGH AVAILABILITY
MANUAL FAILOVER (2)
Request Failover
{secondary:node1}
root@srx> request chassis cluster failover redundancy-group 1 node 1
node1:
--------------------------------------------------------------------------
Initiated manual failover for redundancy group 1
{primary:node1}
root@srx> show chassis cluster status
Cluster ID: 3
Node name Priority Status Preempt Manual failover
Redundancy group: 0 , Failover count: 1

node0 200 secondary no no
node1 1 primary no no
Redundancy group: 1 , Failover count: 0

node0 255 primary yes yes
node1 1 secondary yes yes
Clear/Reset Failover
root@srx> request chassis cluster failover reset redundancy-group 1

HIGH AVAILABILITY
MANUAL FAILOVER (3)
Manual Failover can fail if systems are not yet up again
Manual failover can be difficult if the nodes have not completely recovered from a
previous failover. To determine if a device is ready for repeated failovers, perform
these recommended best-practice steps before doing a manual failover.
The best practices we recommend to ensure a proper failover are as follows:
show chassis cluster status

Use this command to verify the following for all redundancy groups:
One node is primary ; the other node is secondary.
Both nodes have nonzero priority values unless a monitored interface is down.
show chassis fpc pic-status

Use this command to verify that the PIC status is Online.
show pfe terse

Use this command to verify that the Packet Forwarding Engine status is Ready
and to verify the following:
All slots on the RG0 primary node have the status Online.
All slots on the RG0 secondary node, except the Routing Engine slots, have the
status Valid.

FAILURE CASES AND EXPECTED BEHAVIORS
Component Expected Behavior
Control Link Secondary node goes into disabled state. Reconnect
control link and then reboot secondary node.
Fabric Link Since 10.4r4 fabric-link is no longer monitored by default.
Enable fabric monitoring with "set chassis cluster fabric-
monitoring"). With monitoring: if Secondary node goes into
disabled state. Reconnect fabric link and then reboot
secondary node.
Power If all power to unit is lost then all redundancy groups will
failover.
Interface Down Redundancy groups that monitor the interface will failover
if total weight exceeds 254
CP Will cause RG1+ to failover but the RE will remain on the
same chassis.
SPC/SPU Any SPC or SPU failure will trigger RG1+ to failover to
secondary chassis
RE or SCB with RE All redundancy groups will failover and chassis goes
offline
SCB w/o RE Reduces throughput of device, will not failover to second
chassis. Third SCB will activate if installed (SRX 5k only)
FAILURE CASES AND EXPECTED BEHAVIORS
(CONTINUED)
Component Expected Behavior

NPC Failure (SRX 3k) The SRX 3k supports NPC monitoring. If the NPC fails then
all RG+1 groups will fail over to the other cluster member.
Control Plane The data plane will continue to run up to 5 minutes without
Failure/RE Reboot an RE, or until the RE came back up, when Chassisd comes
backup and reinitializes all of the cards.
Control and Data Link Both nodes will detect the failure of the links by the loss of
(fail at same time) the heartbeat messages. In this case secondary node will go
disabled
Complete Chassis Whether caused by a software or hardware issue, The

Failure secondary node will look for the gratuitous arps of the other
node, and in the absence of these will assume mastership.

SRX HA State Transition Diagram
Hold Timer
Bootup Expires
Hold Secondary
Secondary-hold Fabric-link Ctrl-link Primary

timer expires failure failure node dies
Ineligible
Disabled timer fires Ineligible
Fabric-link
failure Primary
Ctrl-link node dies
failure
Secondary Primary node dies
Primary
Hold
Failover (manual, i/f failure, ip-mon failure, preempt etc.)
Note: Transition to disabled state will only happen only if the node is RG0 secondary.
Note: Once in disabled state the only option to recover is to reboot the device

APPLICATION SECURITY,
INTRUSION PREVENTION,
UNIFIED THREAT MANAGEMENT
FEATURE LICENSES AND
CONTENT SUBSCRIPTIONS
FEATURE LICENSES
Feature J SRX100 SRX110 SRX210 SRX220 SRX240 SRX650 SRX1xxx SRX3xxx SRX5xxx
Memory upgrade x - - -
Dynamic VPN up to 25 up to 10 up to 50 up to 150 up to 250 up to 500 - - -
Extreme License - - - - - - x
Logical Systems - - - - - - up to 32 up to 32 up to 32
(1.5.25) (1.5.25) (1.5.25)
Service Offload - - - - - - Free Free Free

(Low Latency)
Advanced BGP x - - - - - x
1) requires High memory Model

2) include IPS License

CONTENT SUBSCRIPTIONS
AVAILABLE FOR 1,3 5 YEARS
Feature J SRX100 SRX110 SRX210 SRX220 SRX240 SRX650 SRX1xxx SRX3xxx SRX5xxx
IPS x 11.41) 11.4 11.41) 11.41) 11.41) 11.4 x x x
AppSec - 11.41) 11.4 11.41) 11.41) 11.41) 11.4 10.4 2) 10.4 2) 10.4 2)
Kaspersky-AV x x1) x x1) x1) x1) x - - -
Sophos-AV - 11.41) 11.4 11.41) 11.41) 11.41) 11.4 - - -
Webfilter- x x1) x x1) x1) x1) x - - -

Websense-
Integrated
Webfilter- - 11.41) 11.4 11.41) 11.41) 11.41) 11.4 - - -

Websense-
Enhanced
Sophos-Antispam x x1) x x1) x1) x1) x - - -
1) requires High memory Model

2) include IPS License

UTM, IDP AND APPLICATION FIREWALL FEATURES
REQUIRE LICENSES
# Once ordered, you can download them from the Juniper License Management Server
# This method is recommended, DNS and Internet access are required
# Default URL, as defined in "show configuration system license", is
# https://ae1.juniper.net/JUNOS/key_retrieval
# To download license, that where bought for a certain device execute

request system license update
# Or if you received a license for manual installation use this command to paste it
# Install manually, when the license keys are available as a text file
request system license add terminal
# You can configure a Proxy Server to retrieve the licenses

set system proxy server 192.168.1.10
set system proxy port 3128
set system proxy username user1
set system proxy password user123
# To track problems with licenses open a log file

set system license traceoptions file license.log
set system license traceoptions flag all
# Trial licenses (valid for 4 weeks) are available

# You can only fetch it once per lifetime for each device serial number
request system license update trial

MANY LICENSE FEATURES ARE ENABLED PER RULE
In the firewall policy you can decide if the licensed Features are applied
edit security policies from-zone trust to-zone untrust policy default-permit
set then permit application-services [idp, uac-policy, utm-policy ,services-offload]
top

APPLICATION SECURITY FEATURES
- IDP
- APP TRACK
- APP FIREWALL
- IDENTITY BASED APP FIREWALL
- APP QOS
- APP DDOS
STATE OF APPLICATION SECURITY
State of the Application Firewall Feature Set
All AppSecure Features are available on High End SRX with JUNOS 11.4r1
All AppSecure Features - except AppDDOS and AppQoS are available for Branch SRX with 11.4r1
Licensing
SKU Appsec-A (Advanced) AppSec-B (Basic)
High End SRX Branch SRX
Includes Application signature license & Includes Application signature license only.
IPS license. IPS license has to be purchased seperately
App-ID Database
On High End SRX the AppID Signatures were moved to a separate Database with 11.4
On Branch SRX the AppID Signatures where always in a separate Database since 11.2
Management and Logging

Some AppFirewall Features are not supported in NSM Log Viewer or Policy Manager
Preferred Management Solution: Space or J-Web
Preferred Log Solution : STRM

APPLICATION SECURITY AVAILABILITY
High End SRX Branch SRX
AppTrack (11.4)
AppFW (11.4 )
AppQoS (11.4) Future
AppDoS Future
IPS

APPSECURE PERFORMANCE
Source: AppSecure Datasheet

IDP
INTRUSION DETECTION AND PREVENTION
ACTIVATE INTRUSION DETECTION AND PREVENTION
Initial Requirement
Install IDP license
Download and Install the Attack-Database and Detector Engine (a.k.a. security-package)
IDP Policy - Option 1 : Use Juniper Policy Templates

Download policy templates
Install policy templates
IDP Policy - Option 2 : Write your own IDP Policy

Write a custom policy , use custom attack groups (NSM is the preferred tool for this Job)
Final Steps
Activate the desired policy
add action "IDP" for all firewall rules where you want to have IDP enabled

SIGNATURE UPDATES
How can Signature Updates be installed
pull (Device fetches the Updates itself)
push from Space. Space can also pull updates through a proxy connection
Branch SRX can have two different Signature Updates

IDP security-package Updates include
Updates for IDP Signatures &
Application Identification Signatures Updates &
Detector Engine
Application Identification Updates
AppID Update do include only AppID Signatures, no IDP Signatures or Detector Engine

ATTACK DATABASE
Download and install the latest attack database
srx> request security idp security-package download
Will be processed in asynchronous mode. Check the status using the status checking CLI
srx> request security idp security-package download status

In progress:downloading file ...SignatureUpdate_tmp.xml.gz

Done;Successfully downloaded from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:1473(Tue Aug 4 13:41:40 2009, Detector=9.2.160090324)
srx> request security idp security-package install

srx> request security idp security-package install status

In progress:Compiling AI signatures ...
# Takes about 5 minutes on a SRX210 to finish

srx> request security idp security-package install status
Done;Attack DB update : successful - [UpdateNumber=1473,ExportDate=Tue Aug 4 13:41:40
2009,Detector=9.2.160090324]
Updating control-plane with new detector : successful
Updating data-plane with new attack or detector : not performed
due to no existing running policy found.

POLICY TEMPLATES (1/2)
If you don't want to write custom IDP Policies by yourself, the Juniper Policy
Templates give you a simple starting Point. Use the commands below to
download and install the latest security policy templates
srx> request security idp security-package download policy-templates


Done;Successfully downloaded from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:2
srx> request security idp security-package install policy-templates

lab@srx-172.16.42.210> request security idp security-package install status

Done;policy-templates has been successfully updated into internal repository
(=>/var/db/scripts/commit/templates.xsl)!

POLICY TEMPLATES (2/2)
To get the policy Templates added to your configuration you must enable
execution of the templates.xsl script with every commit.
# At commit time, the JUNOS management process (mgd) searches the /var/db/scripts/commit
# directory for scripts and runs the script against the candidate configuration database
# to ensure the configuration conforms to the rules dictated by the scripts.
set system scripts commit file templates.xsl
Now you can use the Recommended Policy Template

set security idp active-policy Recommended
Once the IDP Policy is defined, you can activate it "per rule"
edit security policies from-zone trust to-zone untrust policy <policyname>
top

CUSTOM POLICY
Instead of Policy Templates you can write Custom IDP Policies, where you
specify which signatures or signature-groups to use, and what the desired
actions are. The example below uses two INFO Level Signatures so that
you will get IDP Logs with each ping or HTTP Request.
edit security idp idp-policy TEST rulebase-ips rule 1
set match attacks predefined-attacks HTTP:AUDIT:URL
set match attacks predefined-attacks ICMP:INFO:ECHO-REQUEST
set then action no-action
set then notification log-attacks
top
Activate this Policy and enable it on a existing firewall rule
set security idp active-policy TEST
edit security policies from-zone trust to-zone untrust policy <policyname>

top
NSM is recommended to write Custom IDP Policies, Groups and Signatures

CUSTOM ATTACK GROUPS
You can use custom attack groups to specify which attacks you are looking for.
Pay attention, that Server-to-Client signatures have a big performance impact.
They should only be applied when you inspect traffic to untrusted Servers
edit security idp dynamic-attack-group CRITICAL-C2S
set filters severity values critical
set filters direction values exclude-server-to-client
top
edit security idp dynamic-attack-group CRITICAL-ALL

set filters severity values critical
top

match source-address any
set match destination-address MY-OWN-TRUSTED-SERVERS
set match attacks dynamic-attack-groups CRITICAL-C2S
top

set match destination-except MY-OWN-TRUSTED-SERVERS
set match attacks dynamic-attack-groups CRITICAL-ALL
set then action ???
top

INTRUSION DETECTION AND PREVENTION AUTO
UPDATE FOR SIGNATURES
Configure the box to fetch Database Updates automatically
# set start time (Old Format until 10.0r2 MM-DD.hh:mm)
set security idp security-package automatic start-time 01-02.03:00
# set start time (new Format since 10.0r3 YYYY-MM-DD.HH:MM:SS)

set security idp security-package automatic start-time 2010-01-01.02:00:00
# get the update every 24 hours

set security idp security-package automatic interval 24
# enable auto update

set security idp security-package automatic enable
# The following situations inhibit that devices can pull Database Updates
# * when internet access is not possible at all
# * when internet access has to use a Proxy
# * in a cluster: when the passive member can not get internet access from fxp0
# The following options can help to solve problems with delivery of automatic updates
# * NSM or Space can be used to pull the attack database and push it to the device
# both can even use proxy connections
# * An offline update Procedure description is available in the Knowledgebase
# For clusters where only the active node can pull the update
# * After RG0 failover, the second node becomes active and can fetch the update
# * A description and a script to perform the sync is posted in forum.juniper.net
# * Automatic File sync from the active node to the passive node is planned for JUNOS
12.1
IDP PACKET CAPTURES
# Since JUNOS 10.2, the Datacenter SRX support collection and delivery of packet
# captures, when an attack is found. On the STRM side you need STRM 2010.0r1 / Patch 3
# and updates of these rpms: PROTOCOL-PCAP, DSM-DSMCommon, DSM-JuniperJunOS
# Additions to IDP rules to take packet captures

edit security idp idp-policy TEST rulebase-ips rule 1 then notification
set packet-log pre-attack 4
set packet-log post-attack 6
set packet-log post-attack-timeout 2
top
# Specify the destination to deliver these data

# The Port Definition must match the DSM Configuration on STRM
edit security idp sensor-configuration
set packet-log source-address 172.30.81.84
set packet-log host 172.30.80.76
set packet-log host port 515
top
# Resource Consumption Limits can be adjusted

# The values below allow for pcaps on 10% of total-memory and 10% of max-sessions
edit security idp sensor-configuration
set packet-log total-memory 10
set packet-log max-sessions 10
top
# Show Statistics for Packet Logging

show security idp counters packet-log
IDP PACKET CAPTURES IN STRM

MONITORING AND DIAGNOSTICS
# Attack database version
show security idp security-package-version
# Check if the server connection is ok

request security idp security-package download check-server
# Check if IDP is enabled on a Security Policy

show security policies policy-name <name> detail | match Intrusion
# IDP statistics
show security idp status
# Application Identification, Cache with last connections and per application stats
show security idp application-statistics
show security idp application-identification application-system-cache
# Attacks detected since last policy load

show security idp attack table
# IDP counters
show security idp counters ?
# Catch IDP-Logs and write them to a local log file (only possible in log mode event)
set system syslog file IDP-Logs user info
set system syslog file IDP-Logs match IDP_ATTACK
set system syslog file IDP-Logs archive size 1m
set system syslog file IDP-Logs archive files 3
set system syslog file IDP-Logs structured-data brief

IDP FILES AND THEIR LOCATION
# Attack Database in XML Format
file show /var/db/idpd/sec-download/SignatureUpdate.xml
# List of all Attack Groups

file show /var/db/idpd/sec-download/groups.xml
# List of all Attacks

file show /var/db/idpd/sec-repository/attack.list
# List of all Attack Groups

file show /var/db/idpd/sec-repository/attack-group.list
# List of all Applications , AppID can identify

file show /var/db/idpd/sec-repository/application.list
# The final Policy after compilation

file show /var/db/idpd/sets/POLICYNAME.set

SIGNATURE BACKGROUND INFORMATION
LIST OF AVAILABLE SIGNATURES
http://services.netscreen.com/documentation/signatures/
RSS-FEED ABOUT CHANGES

https://services.netscreen.com/restricted/sigupdates/nsm-updates/updates.xml
Signatures with Reference to CVE, Bugtraq and MS-Vulnerability IDs

https://services.netscreen.com/restricted/sigupdates/nsm-updates/CVE-BID-mapping.csv

APPLICATION VOLUME TRACKING
State of Application Volume Tracking
introduced for High End SRX with JUNOS 10.2
introduced for Branch SRX with JUNOS 11.2
STRM can parse and display AVT logs
NSM today can not parse and display AVT logs
Application Identification Signatures

On High-End SRX: they are still part of the configuration (stanza services application-
identification), but the plan is to move them to a separate database with 11.4
On Branch SRX the signature database since 11.2 is separate
Custom Signatures will stay under "service application-identification"

SIGNATURES DOWNLOAD
# AVT is available on Datacenter SRX since 10.2 and on Branch-SRX since JUNOS 11.2
# AVT uses Signatures to Identify Applications
# Default URL is https://services.netscreen.com/cgi-bin/index.cgi

# Before JUNOS 11.4 the signatures where directly added to the existing configuration
# Since JUNOS 11.4 the predefined signatures are saved to an external database
# similar to the IDP signature database
# Download the Application Signatures

request services application-identification download
# Installation of the downloaded Application Signatures

request services application-identification install

CONFIGURATION
# AppTrack is enabled per security zone
set security zone security-zone trust application-tracking
# Configure the remote syslog device to receive AppTrack messages

# STRM 2010.0 has predefined reports to handle AppTrack Logs
set security log stream STRM host 172.30.80.76
# To generate AppTrack log at session start (disable by default)

set security application-tracking first-update
# To generate a first update message 1 minute after session start

set security application-tracking first-update-interval 1
# To generate additional update messages every 5 minutes

set security application-tracking session-update-interval 5
# A Final log at the session end will be created by default
# Monitoring, Counter and Cache

show services application-identification counter
show services application-identification application-system-cache
# J-Web Support is currently planned for 2H11

MONITORING
# Full monitoring requires users to look at the AVT Logs
# STRM (since 2010.0r2) has parsing and reporting capabilities
# NSM today can not parse the AVT Logs
# If event Logging was enabled, Logs are available in the local log file
file show /var/log/policy_session | match APPLICATION
# In addition to the logs, a cache is enabled by default and can be used for monitoring
show services application-identification application-system-cache
# Since 11.4 there are additional statistics showing per-group/application usage
show services application-identification statistics application-groups
show services application-identification statistics applications
# To see the Signatures (before 11.4)

show config services application-identification application junos:FTP
show config services application-identification nested-application junos:FACEBOOK-CHAT
# Since 11.4 the Signatures are no longer part of the configuration, but still can be seen
show services application-identification version
# With 11.4 there where also some groups introduced, which make it easier to
# select the AppID Signatures for Application Firewalling
show services application-identification application detail junos:FTP
show services application-identification group summary
show services application-identification statistics application-groups

VISIBILITY OF LOGS IN STRM

VISIBILITY IN J-WEB
Monitoring
->Security
->Application Tracking

APPLICATION FIREWALL
STATE OF APP FIREWALL
State of the Application Firewall Feature Set
AppFW was introduced for High End SRX with JUNOS 10.4
AppFW was introduced for Branch SRX officially with JUNOS 11.4
AppFW can be used together with User Identities for all SRX with JUNOS 12.1
Management of the Application Firewall

Management on CLI is possible today on all platforms
Management in J-WebUI is available since 11.2
Support in JUNOS Space Security Designer is available since 11.4
Support for NSM is currently not available
Recommended Tool for Application Firewall Configuration is Space or WebUI
Logging and Reporting of Application Firewall

STRM 2010.0 can decode Application Firewall and Application Tracking Logs
both in stream and event mode.
J-Web UI log visibility and improved reporting is expected with 11.4r2
Support for NSM is currently not available

APPLICATION FIREWALL
EXAMPLE CONFIGURATION YOUTUBE STREAMING
edit security application-firewall rule-sets APPFW
set rule YOUTUBE-STREAM match dynamic-application junos:YOUTUBE-STREAM
set rule YOUTUBE-STREAM then deny
set default-rule permit
top
top edit security policies from-zone trust to-zone untrust policy 1

set match source-address any;
set match destination-address any;
set match application any;
set then permit application-services application-firewall rule-set APPFW
top
# List of Applications that can be found with the current Database

http://services.netscreen.com/documentation/applications/

APPLICATION BACKGROUND INFORMATION
List of Applications and Application Groups
http://services.netscreen.com/documentation/applications/
RSS-Feed with Changes (same as IDP)

https://services.netscreen.com/restricted/sigupdates/nsm-updates/updates.xml
AppSecure Feature Documentation

http://www.juniper.net/techpubs/en_US/junos12.1/information-products/pathway-
pages/security/security-appsecure-index.html

USER IDENTITY BASED FIREWALL
CLIENTLESS AD INTEGRATION
WITH SRX AND UAC
1 1. Connect Push all roles to SRX

IC SRX
AD
2 2. User Authenticates to Domain
SRX
Finance
AD
5
IC
4 3. User wants to connect to finance
4. Drop notification sent to IC from
3
SRX SRX
Finance
5. User gets re-directed to IC (302)

6 IC
6. IC challenges user with SPNEGO
(401)
AD
7 7. Endpoint pulls service ticket
from KDC
SRX
8
IC 8. Endpoint re-submits HTTP get
request to IC with SPNEGO auth
token

9 9. After successful authentication, IC

pushes an auth table entry to SRX
IC SRX
10 AD
IC 10. IC re-directs user back to the
protected resource
11
SRX
Finance 11. User now can access Finance

CONFIGURATION
# User Identity based Firewall was introduced in JUNOS 12.1
# Set UAC infranet connection on SRX (this uses Destination port 11123)
set services unified-access-control infranet-controller SERVER address 172.30.81.141
set services unified-access-control infranet-controller SERVER interface fxp0.0
set services unified-access-control infranet-controller SERVER password
# Set captive portal

edit services unified-access-control captive-portal PORTAL
set redirect-traffic unauthenticated
set redirect-url http://172.30.81.141
top
edit security user-identification

set traceoptions file userid flag all
set authentication-source local-authentication-table priority 100
set authentication-source unified-access-control priority 200
top
# UAC Policy Enable

set security policies ... match source-identity ROLE1
set security policies ... then permit application-services uac-policy
# Captive Portal Enable

set security policies ... then permit application-services uac-policy captive-portal PORTAL
# For the full configuration follow the UAC Solution Guide

COMMANDS FOR UAC
# Commands to monitor uac status and information
show services unified-access-control status
show services unified-access-control policies detail
show services unified-access-control roles
# Directory for UAC Roles

/var/db/uac.roles
# Directory for local Auth Data

/var/db/nsd

COMMANDS FOR LOCAL AUTHENTICATION
# Commands to build and examine the local table
request security user-identification local-authentication-table add ?
request security user-identification local-authentication-table delete ?
clear security user-identification local-authentication-table
show security user-identification local-authentication-table ?
show security user-identification local-authentication-table all ?
# Directory for local Auth Data

/var/db/nsd

APPLICATION DDOS PROTECTION
APPLICATION DDOS PROTECTION
Application DDOS is a technology to identify and mitigate Distributed Denial of
Service Attacks, typically generated from Botnets
Application DDOS works in 3 phases

Phase 1
if the connection rate exceeds a limit we start protocol analysis
Phase 2
track for connection Rate limits (per Destination and/or Context)
Phase 3
Classify Clients as Bots when they exceed thresholds
Once Bots have been identified, we can mitigate their activities by

dropping their existing connections and/or
dropping future connections (for a certain time) and/or
rate limiting future connections new connections (for a certain time)
AppDDOS today (12.1) can be used to protect HTTP and DNS Services
AppDDOS is available with AppSec-A License for Datacenter SRX since 10.0
AppDDOS 3-Stage Processing
Stage 1: Server Monitoring

1. Connections Per Second Access to No
Monitored
Administrator defines CPS threshold to a Server
server to start monitoring for AppDDOS. Yes
CPS below this threshold is considered Connection No
normal activity. Rate Exceeded
Stage 2: Protocol Profiling

Yes
2. Context Rate Monitoring/Limiting Access to No

Once AppDDOS CPS threshold is
Monitored
Context
surpassed, AppDDOS will monitor the Yes
number of Context Rate. If it exceeds this

No No
rate, additional investigation can occur Context Rate
Exceeded
Context Value
Rate Exceeded
depending if stage 3 is configured. If it is

Yes Yes
not configured appropriate action can
Stage 3: Bot Client Classification

occur. No Time-Binding
Configured
3. Client Classification (optional) Yes
If Time Binding is configured, it will track No

Counter
not only the rate of the context being Exceeded
matched, but will also the administrator to Yes
track this value for individual clients to Action/Logging

prevent them from individually surpass the
defined limits within the time period.

AppDDOS Configuration Structure
Firewall Security Policy
On a firewall rule by rule basis IDP processing is configured (since AppDDOS is
part of the IDP functionality.) Firewall processing includes matching based on:
source zone, destination zone, source ip, source port, destination ip, destination
port, and protocol. IDP Security Policy
ApplicationDDOS Profile
The ApplicationDDOS profile defines the following:
Context to Match
Connections per Second to trigger Phase 2
Contexts Thresholds to trigger Phase 3, or direct actions based only on overall thresholds.
Client Contexts per Period
IDP Policy
Within the IDP security policy the rulebase-ddos is where the configuration defines
what criteria to match based on: source zone, destination zone, source ip,
destination ip, application, and application-ddos profile. This rule will define what to
do with the offending connection along with future ip-action connections.

APPLICATION DDOS PROTECTION (1/3)
# AppDDOS is available as licensed feature for Datacenter SRX since JUNOS 10.0
# Define two Servers in a Group for investigation

set security zones security-zone trust address-book address SERVER1 172.30.80.132/32
set security zones security-zone trust address-book address SERVER2 172.30.80.202/32
edit security zones security-zone trust address-book address-set WEBSERVER
set address SERVER1
set address SERVER2
top
# Firewall Policy
# Activate IDP on the Firewall Rules, that permit traffic to these Servers
set security policies from-zone trust to-zone untrust policy 1 then permit application-services idp
# Application DDOS Profile

# Define the thresholds, we use to look for DDOS attacks
edit security idp application-ddos HTTP_DDOS
set service http
# Phase 1- Start protocol Analysis if we see more than 5 connections per second
set connection-rate-threshold 5
# Phase 2 - Start Botnet classification if we see more than 50 URLs per second or 50 different context
set context http-url-parsed hit-rate-threshold 50
set context http-url-parsed value-hit-rate-threshold 50
# Phase 3- Classify clients as Bots if they access more than 20 URLs per minute
set context http-url-parsed time-binding-count 50
set context http-url-parsed time-binding-period 60
top

# Install an IDP Policy
set security idp active-policy IDP-POLICY
# Add a DDOS Rule to this IDP-Policy to hunt for DDOS attacks against the two Servers
edit security idp idp-policy IDP-POLICY rulebase-ddos rule RULE1
set match from-zone untrust
set match to-zone trust
set match destination-address WEBSERVER
set match application default
set match application-ddos HTTP_DDOS
# Use IP-Action to rate limit any bot found to a maximum of 5 connections per second
set then ip-action ip-connection-rate-limit 5
set then ip-action log
set then ip-action timeout 15
set then ip-action refresh-timeout
top

# AppDDOS monitor and control commands
show security idp counters application-ddos
show security idp application-ddos application
show security idp application-ddos application detail
# Show hosts that are targets for ip-action

show security flow ip-action
# Remove all current IP-actions

clear security flow ip-action

UTM-FEATURESET
UTM FEATURES
Antivirus - Sophos or Kaspersky (full and express)
Protect against viruses in e-mail (SMTP, POP, IMAP protocols), Webmail
(HTTP) and FTP traffic
Integrated AV engines and virus signature databasesupdated periodically,
available through AV subscription license
Web filteringWebSense/SurfControl/Enhanced WF
Control (allow/deny) access to Websites based on URL category
Off-box (in-the-cloud or on-premise) URL servers/ databases
Content filtering
Provides basic DLP functionalityfilters traffic based on file/MIME type, file
extension, and protocol commands; keyword matching expected in the future
Antispam - Sophos
Stop e-mail spam based on IP address/reputation of sender
Off-box spam blacklist databaseSophos SBL/RBL (spam/real-time block
list)available as a subscription license
HOW UTM PROFILES ARE CHAINED WITH POLICIES
UTM Features are activated per firewall rule, by assigning an UTM-Policy
The UTM-Policy has a section for each protocol, that allows UTM-Protection
Each Profile has references to Profiles for the different UTM Features

UTM-FEATURE:
ANTIVIRUS
ANTIVIRUS ON SRX
THREE FLAVOURS
KASPERSKY ANTIVIRUS
Full Scan Engine
local Execution of Scan
SOPHOS ANTIVIRUS
Cloud Based
Verifies Source-URL and File checksums against Malware Database
EXPRESS AV
Reduces local Scan Engine
PROCESSING ORDER

ACTIVATE ANTIVIRUS (EXPRESS AV ENGINE)
# Check also Knowledgebase Article KB16620
# Configure the SRX Series device to use the express antivirus engine
set security utm feature-profile anti-virus type juniper-express-engine
# Configure a UTM policy to use the predefined antivirus profile

# http-profile junos-eav-defaults.
set security utm utm-policy UTM-POL anti-virus http-profile junos-eav-defaults
# Apply the UTM policy to the existing trust to untrust security policy
set then permit application-services utm-policy UTM-POL
top

ACTIVATE ANTIVIRUS
(KASPERSKY LAB ENGINE)
set security utm feature-profile anti-virus type kaspersky-lab-engine
# Configure a UTM policy to use the predefined antivirus profile

# http-profile junos-av-defaults.
set security utm utm-policy UTM-POL anti-virus http-profile junos-av-defaults
# Apply the UTM policy to the existing trust to untrust security policy.
top

ACTIVATE ANTIVIRUS
(SOPHOS CLOUD SERVICE)
set security utm feature-profile anti-virus type sophos-engine
edit security utm feature-profile anti-virus sophos-engine

# Configure to download engine and updates once per day
set pattern-update interval 1440
set pattern update url "http://update.juniper-updates.net/SAV/"
top
# Check the URLs against Database that identifies known Malware Sources
edit security utm feature-profile anti-virus sophos-engine profile SOPHOS
set scan-options uri-check
# To log all URLs (even those that where not blocked) use
set fallback-options default log-and-permit
top
# Configure a UTM policy to apply Sophos AV on http connection

set security utm utm-policy UTM-POL anti-virus http-profile SOPHOS
# Apply the UTM policy to the existing trust to untrust security policy.
top

ANTIVIRUS
# Show database version and Update Settings
# Default for Kaspersky is every 1h
# Default for Sophos is every 24h
show security utm anti-virus status
# Statistics on AV operation
show security utm anti-virus statistics
# Run manual pattern update for Kaspersky Engine

request security utm anti-virus kaspersky-lab-engine pattern-update
# Run manual pattern update for Sophos Engine

request security utm anti-virus sophos-engine pattern-update

UTM-FEATURE:
URL FILTERING
URL FILTERING
State of URL Filtering
Local Black and Whitelists can be used for Web filtering
useful as a response to security problems (Phishing Mails, abuse of applications ...)
no licenses required to use this feature
To get a more valuable URL Filter you need a service subscription (license)
where URLs are checked against a database
As a response to the query, a list of categories for this URL is returned
In the Profile it can be defined which categories are permitted/denied
Before 11.4 there where two flavors of Web filtering Services
Integrated Webfilter (aka surfcontrol-integrated, License: WF)
Redirect Webfilter (aka WebSense, no License).
With 11.4 a new option was introduced
Enhanced Webfilter (aka juniper-enhanced, License EWF)
Main Benefits of the Enhanced Webfilter Solution from 11.4 are

comparable to the Integrated Webfilter Solution - but with the following enhancements :
more categories (94 vs. 40) and option for custom categories (based on local pattern lists)
option to activate safe-search to filter Search Engine results
option to receive and react on reputation information for each URL
option to redirect access for blocked sites to another URL
392 better scalability (up to 64K sessions
Copyright on SRX
2011 Juniper 650)Inc.
Networks, www.juniper.net
WEBFILTER ON SRX
Two Options for Cloud based URL Checking
Webfilter Integrated
(surfcontrol-integrated)
and since 11.4
Enhanced Webfilter
(juniper-enhanced)
One Option to redirect Traffic through a Local Websense Server
REDIRECT (WEBSENSE)

HOW TO CHECK THE CLASSIFICATION FOR AN URL ?
CHECK CLASSIFICATION OF A SITE FOR INTEGRATED WEBFILTERING
For the old, integrated Surfcontrol Engine use the following Online URL:
http://mtas.surfcontrol.com/mtas/JuniperTest-a-Site.asp
For the new, enhanced Webfilter use this following Online URL:
http://aceinsight.websense.com/
A CLI command can be used to return information how the site is treated:
test security utm web-filtering profile "EWF-PROFILE" test-string www.facebook.com

WEBFILTER
LOCAL BLACKLIST AND WHITELIST (1/2)
With JUNOS 10.0 a local Black- and White list can be configured
This Filter Method can even work without Web filter License
To work with wildcards pattern must start with "http://...."
# First specify a list of URLs (up to 20 per list object)
edit security utm custom-objects

set url-pattern BAD value [http://www.cisco2.com www.checkpoint2.com]
set url-pattern GOOD value "http://*.juniper.net"
set url-pattern GOOD value "http://www.acmegizmo.???"
top
# Use these Objects to specify new Categories

edit security utm custom-objects
set custom-url-category BLACKLISTED value BAD
set custom-url-category WHITELISTED value GOOD
top
# Finally apply these Categories to the Web Filtering Profile

edit security utm feature-profile web-filtering
set url-blacklist BLACKLISTED
set url-whitelist WHITELISTED
top

WEBFILTER
LOCAL BLACKLIST AND WHITELIST (2/2)
# If no other Web filtering Profile is selected then use type juniper-local
set security utm feature-profile web-filtering type juniper-local
# Define UTM Profile

set security utm utm-policy UTM-POL web-filtering http-profile UTM-PROF
# Configure an UTM Policy using this Profile

edit security utm feature-profile web-filtering juniper-local profile UTM-PROF
set default permit
set custom-block-message "Access to this site is not permitted"
set fallback-settings default block
set fallback-settings too-many-requests block
top
# Apply this Profile in a firewall rule

edit security policies from-zone trust to-zone untrust policy trust-to-untrust
top

WEBFILTER
ACTIVATION OF THE INTEGRATED ENGINE
Configure the SRX Series device to use the Integrated Engine
set security utm feature-profile web-filtering type surf-control-integrated
Configure a new utm-policy to use the predefined Web filtering profile junos-
wf-cpa-default
edit security utm utm-policy UTM-POL
set web-filtering http-profile junos-wf-cpa-default
top
Apply the UTM policy to the existing trust to untrust security policy.
top

WEBFILTER
EXAMPLE FOR A CUSTOM PROFILE
# Configure the SRX Series device to use the Integrated Engine
set security utm feature-profile web-filtering type surf-control-integrated
# Custom categorization and action for this engine

edit security utm feature-profile web-filtering surf-control-integrated
edit profile TS-BLOCK-SELECTED-SITES
set category Violence action block
set category Adult_Sexually_Explicit action block
set category Gambling action block
set Remote_Proxies action block
set default log-and-permit
set fallback-settings default log-and-permit
set fallback-settings server-connectivity log-and-permit
set fallback-settings timeout log-and-permit
set fallback-settings too-many-requests block
set timeout 60
top
edit security utm utm-policy POLICY2

set web-filtering http-profile TS-BLOCK-SELECTED-SITES
top
# Apply the new UTM-Policy in a firewall rules

set then permit application-services utm-policy POLICY2
top

WEB-FILTER
# Show database version and Update Settings (default: every 60 minutes)
show security utm web-filtering status
# Statistics on Web filter operation (not for EWF)

show security utm web-filtering statistics

UTM-FEATURE:
ANTI-SPAM
ANTI SPAM
ACTIVATION OF THE FEATURE
Configure the SRX Series device to use the Anti-Spam Feature
set security utm feature-profile anti-spam symantec-sbl
Use the predefined Anti-Spam profile junos-as-defaults in a new utm-policy.

set security utm utm-policy UTM-POL anti-spam smtp-profile junos-as-defaults
Apply this UTM policy to an existing trust to untrust security policy.

done
Optional Blacklist to drop additional SMTP Traffic from other senders

set security utm custom-objects url-pattern MYBLACKLIST value mail.cisco.com
set security utm feature-profile anti-spam address-blacklist MYBLACKLIST

MORE ....
RESET TO FACTORY DEFAULT
RESET METHODS
The following methods can be used to reset the device to Factory Default
Method 1: Reset via Reset PIN
Method 2: Load Factory Default configuration
Method 3: Wipe Configuration Files and load Default configuration
Method 4: Single User Boot Procedure
Method 5: Install Factory Default Snapshot from Boot monitor
Method 6: Zeroize
The following method can be used to recover the root password

Method 4: Single User Boot Procedure
Important Note for Branch SRX:

To recover a Branch SRX which is in cluster mode you must first turn it
back into non cluster mode (set chassis cluster disable reboot).
If you don't have a password any more, you can only use Method 4 or Method 5
See also http://kb.juniper.net/KB12167 and http://kb.juniper.net/KB15725

BRANCH SRX PREREQUISITE:
YOU MUST ESCAPE CLUSTER MODE FIRST
If your device was member of a cluster you will notice an additional line
before the system prompt
{primary:node1}
root>
To return from cluster mode to a single unit use the following command,
which also performs the necessary reboot
root> set chassis cluster disable reboot
If you are in cluster mode but can not login to your system, you have to use
Method 4 (Single User Boot Procedure)

RESET METHOD 1:
RESET VIA RESET BUTTON
Use the Reset Button
On J-Series: Press Configuration Pin for 15sec. to load the factory default
On SRX: Press the Reset PIN for 15 sec. follow LED color changes
On EX-Switches: Use LCD Menu to load factory default configuration
Notes
You have to exit the shell first
The node name in the shell prompt appears to be unchanged,
but this will change with the next reboot
If you have a Branch SRX which is still in Cluster mode, the factory default
configuration can not commit ,as it includes switching configuration.
You then should use method 5 (USB Snapshot) or 4 (Single User Mode)

RESET METHOD 2:
LOAD FACTORY DEFAULT CONFIGURATION FROM CLI
If Login is still possible you can use commands to load the factory-default configuration.
You have to set a root password to get the configuration committed
Remote Management Console
login: user
password: <none>
root@J2300> configure
root@J2300# load factory-default
# You have to set at least the root password, otherwise you can not commit
root@J2300# set system root-authentication plain-text-password
New password:
root@J2300# commit and-quit
root@J2300>

RESET METHOD 3:
WIPE CONFIGURATION FILES
If Login is still possible and you have shell access you can erase the current
configuration file(s) and reboot. This will be equal to a reboot with default
configuration
root> start shell
root@J6350% cd /config
root@J6350% su
root@J6350% rm juniper.conf.gz
root@J6350% reboot
# Remark on JUNOS 11.2 (or probably earlier)

# You also have to wipe the rescue configuration.
# Otherwise the system will boot the rescue config
# if the normal configuration file has disappeared

RESET METHOD 4:
SINGLE USER BOOT PROCEDURE
Single User Mode, from the Boot monitor
1. Reboot the device
2. When message <Press space bar> appears --> Interrupt boot process
2. boot -s --> Device boots in single user mode
4. login as root , enter "recover" to load factory default
5. enter cli as user root
6. enter configure mode
7. set system login user authorization plaintext --> Enter <Password>
8. Commit
9. If the unit was still in cluster mode, you have to remove interface
configuration and interface assignments to security zones to commit
10. request system reboot
11. If the units was in cluster mode, then disable chassis cluster
and reboot once more.
For latest information on this method please consult the Knowledgebase
Since JUNOS 10.0 you have to disable a watchdog in the boot monitor.
See http://kb.juniper.net/KB17565

RESET METHOD 5:
BOOT AND COPY SNAPSHOT
Boot from a Snapshot USB Stick (see Chapter Software Upgrade)
# First you must copy a snapshot from an existing System to a USB Stick
# Keyword factory means, we copy factory default instead of running config
srx> request system snapshot partition media usb factory
# Now move the USB Stick to the System you want to recover and power it up
# Interrupt the Boot Process to get access to the Boot loader prompt
loader> nextboot usb
Setting next boot dev usb
Un-Protected 1 sectors
writing to flash...
Protected 1 sectors
loader> reboot
# Once the system has booted from the USB Stick, copy the image
# with the default configuration back to the internal Flash
srx> request system snapshot factory partition media internal
Notes:
- The USB Stick must have at least size of internal Flash (SRX100 = 1GB)
- This procedure also reformats and partitions flash and copies the software
from the stick. All existing information is overwritten

RESET METHOD 6:
ZEROIZE SYSTEM
If Login is still possible and you have shell access you can completely wipe
anything which is not part of the factory default configuration by zeroizing
the media.
lab@bnlx-srx220-1> request system zeroize media
warning: System will be rebooted and may not boot without configuration
Erase all data, including configuration and log files? [yes,no] (no)

BOOTLOADER
BOOTLOADER NOTES
Boot loader Documentation is included in the Admin Guide
To enter the boot monitor
power up and wait for " Loading /boot/defaults/loader.conf"
Hit Space at the following prompt
"Hit [Enter] to boot immediately, or space bar for command prompt."
The "loader>" prompt appears.
To see the current Boot loader Software Version use this command:
show chassis routing-engine bios
Most Methods for Software update do not reformat flash and thus do
not upgrade the Boot loader
Since JUNOS 10.0 (with Boot loader 1.5) the Branch SRX JUNOS
Package includes the latest Boot loader version and Upgrade of the
current boot loader can be performed with this command:
bootupgrade u /boot/uboot l /boot/loader
Dua Root Partitioning Scheme for Branch SRX requires Bootloader
Software Version 1.5

FLASH PARTITIONING
DUAL ROOT
NOTES
Since JUNOS 10.0, Branch SRX can have a dual root partitioning scheme
Dual root improves fault tolerance and rollback capabilities and is recommended
Dual root have two partitions with JUNOS software on two different partitions.
The configuration is kept in another shared partition
# Since JUNOS 10.2 the following command shows the partitioning and which partition
is active
show system storage partitions
# To switch to the backup partition

request system software rollback
# If you change your mind you can switch back again
# To copy the software from the current active partition to the backup partition use
request system snapshot slice alternate

JUNOS installation in a Dual-Root System
JUNOS upgrades from CLI and J-Web will work as follows:
Alternate root will be formatted and mounted.
New package will be installed into the alternate root
Alternate will be marked as the primary root.
On next reboot the system will boot with the newly installed image
JUNOS will always be installed to the alternate root:

When booted from primary root, the new image will go to the backup root
and it will become the new primary.
When booted from the backup root, new image will be installed in the
primary
Thus a simple installation can recover the primary root if it is corrupted.

JUNOS installation in Dual Root (animated Slide)
Primary
Backup Primary
Backup
s1a s2a s3e s3f s4a

JUNOS A JUNOS C
B
Root Root /config /var recovery
Current Root request system software

Alternate
Current Rootadd junos-c
Root /var
JUNOS A JUNOS C JUNOS C

SOFTWARE UPGRADES
JUNOS Software Upgrade on SRX
1. Decide for a Software version and download it
Recommend Software version are listed here
Information which Feature is available in which Release can be found here
Software Downloads are available from here
2. Best Practice: Cleanup Storage before starting the Update
3a. If you have physical access the easiest way is

(M1) Autoinstallation from USB-Stick (requires somebody with physical access)
4a. For other updates decide how to bring the software to your SRX
(T1) Upload or Download File in Advance (scp or ftp)
(T2) Use Controlled Download with the Download Manager
(T3) Mount and install from a USB Stick
(T4) Reference URL during installation
4b. When you are ready to install you can use

(M2) Installation from J-Web
(M3) Install from the CLI
(M4) Install from CLI with ISSU (for SRX clusters)
5. Best Practice: After completion you can use Flash Hardening

DOWNLOAD SOFTWARE FROM SUPPORT PAGES
HTTP://WWW.JUNIPER.NET/SUPPORT/PRODUCTS/

BEST PRACTICE:
CLEANUP BEFORE SOFTWARE UPGRADE
Useful steps to perform before starting an Update are:
Check Flash size, purge unused files
# Check current Flash size
show system storage | match cf
# On J-Series
show chassis hardware detail | match Flash
# purge log files

request system storage cleanup
# If Flash size is still lower than the size of your image:
# if space is not yet sufficient purge software backup

request system software delete backup
# locate directories on the flash with large amount of data

show system directory-usage /cf
# To save space browse directories and erase files manually

file list /cf/var/tmp detail
file delete ..
# Or use the shell to find the largest files on your Flash

find -x /cf -type f -exec du {} \; | sort n

UPGRADE - METHOD 1
AUTO INSTALLATION FROM USB STICK
# Since 10.4 Branch SRX Devices can be set up from a USB Stick with Auto installation
# Step 1 - Prepare
- Prepare a USB-Stick (FAT32, <=8GB) with the following files:
- A File with the name "autoinstall.conf" must exist.
The Content of this File is not important. It can also be an empty File.
- One JUNOS Image, Filename must meet "junos-srxsme*"
- Optional: You can also add a Configuration File. File name must be "junos-config.conf"
# Step 2 - Insert
- After the SRX has booted completly , insert the USB Stick
- The LEDs will start blinking amber (Alarm, Status, Power and HA)
# Step 3 - Reset Button
- Press the Reset button for a short time
- The LEDs (Alarm, Status, Power and HA) will stop blinking and start glowing amber
- Now the new imaged gets copied, existing configuration and rescue configuration
are verified against the new software version
- finally the image gets installed in the second partition, and this partition
becomes the new primary partition
- if present on the stick the new configuration gets copied too (but not yet committed)
- Step 3 takes about 10-12 Minutes in total
- If something goes wrong (insufficient space, image corrupt, configuration
not compatible) the LEDs will glow Red. Otherwise the LEDs will glow green
# Step 4 - Unplug USB stick
- When the LEDs are green, the USB stick can be unplugged
- Some seconds after unplug device starts reboot, which takes ~5 minutes to complete
- during power up the new configuration is installed and applied
# To avoid that somebody uses this procedure you can use the following command:
set system auto installation usb disable

UPGRADE - METHOD 1
AUTO INSTALLATION - FLOW DIAGRAM

TRANSFER METHOD 1
MOUNT A LOCAL USB STICK)
You can add your image from a DOS formatted USB Stick
# USB Sticks are not auto mounted, So we must go to the shell as root to mount them
srx> start shell
% su -
Password:
# find out the right device name. On SRX210 "da1" is upper USB "da2" is lower USB
# Either watch Console Logs during USB plugin or scan the information from the Logfile
root@srx-172% dmesg | grep umass
da1 at umass-sim1 bus 1 target 0 lun 0
# Once Devicename is found add "s1" to the device name and mount it to /mnt
root@srx% mount -t msdos /dev/da1s1 /mnt

root@srx%
exit
exit
# Now you can install the image from the USB stick
# partition, formats the Flash partition
srx> request system software add /mnt/JUNOS-srxsme-11.1R1.8-domestic.tgz partition reboot

TRANSFER METHOD 2
LOAD FILE TO LOCAL FLASH
# prefered destination to store files to local flash is /var/tmp because
# several cleanup operations willmake sure, this locations gets purged
# either Push Image from Outside via scp or ftp

scp JUNOS-srxsme-10.2R2.8-domestic.tgz user@srx:/var/tmp/
# or use interactive session on SRX CLI via scp or ftp command

cd /var/tmp
ftp ... or scp ....
# Now you can install the image from the local file
srx> request system software add /var/tmp/JUNOS-srxsme-11.1R1.8-domestic.tgz

TRANSFER METHOD 3
USING THE DOWNLOAD MANAGER
# Download Manager is available since JUNOS 11.4 and allows to perform rate limited
# downloads which is useful to fethc software updates over slow WAN links without
# saturating the link
# Every Download can also be stopped/paused/resumed
# By Default Download Files are stored under /var/tmp
srx240-0> request system download start ftp://172.1.8.1/junos-x.tgz login user: password

max-rate 50K
Starting download #1
srx240-0> show system download
Download Status Information:

ID Status Start Time Progress URL
1 Active May 23 13:14:27 1% ftp://172.1.8.1/junos-x.tgz
srx240-0> request system download pause 1

Paused download #1
srx240-0> show system download
Download Status Information:

ID Status Start Time Progress URL
1 Paused May 23 13:14:27 11% ftp://172.1.8.1/junos-x.tgz
tschmidt@srx240-0> request system download resume 1

Resumed download #1
TRANSFER METHOD 4:
USE URL TO LOAD IMAGE FROM A SERVER
# Example fetch from an ftp Server (user username) and reboot after update
# Option no-copy allow to save space
J6350> request system software add no-copy reboot

ftp://username:prompt@172.30.80.20/JUNOS-jsr-9.5R1.8-domestic.tgz
# Same example for SRX with user anonymous

# If validation of configuration reports that your current config is not working
# with the new release (e.g.. on downgrade) you can bypass this with no-validate
srx> request system software add no-copy no-validate reboot ftp://172.16.42.8/JUNOS-

srxsme-9.5R1.8-domestic.tgz
# Same example for an SSH Server

srx> request system software add no-copy no-validate reboot scp://172.16.42.8/JUNOS-
srxsme-9.5R1.8-domestic.tgz

UPGRADE METHOD 2
INSTALL FROM WEB-UI
Use the Web-Interface (requires most RAM and Flash)

UPGRADE METHOD 3
INSTALL FROM CLI
# Example: start installation from a local file which is already in /var/tmp
# Option reboot forces reboot after succesful installation
request system software add /var/tmp/JUNOS-srxsme-10.2R2.8-domestic.tgz reboot
# Example: Download and install image from an ftp Server (user username)
request system software add no-copy no-validate reboot
ftp://username:prompt@172.16.42.8/JUNOS-srxsme-10.2R2.8-domestic.tgz
# Example: start installation from a USB stick previously mounted under /mnt
request system software add /mnt/JUNOS-srxsme-11.1R1.8-domestic.tgz partition reboot

UPGRADE METHOD 4 - FOR SRX CLUSTERS
IN SERVICE SOFTWARE UPGRADE
ISSU stands for In Service Software Upgrades
ISSU allows upgrade of cluster members with minimum downtime.
ISSU can be used on High-end SRX in most cases since JUNOS 10.4r4
ISSU can be used on Branch SRX in most cases since JUNOS 11.2r2
request system software in-service-upgrade [package] reboot
It is a single command, that you have to run from the RG0 primary device.
The following actions are performed during the update:
First upgrade the secondary device
then forms a cross version cluster
failover to the new device
upgrade the old primary
Expected Outage with ISSU on DC-SRX is similar to failover

Expected Outage with ISSU on Branch-SRX is about 30 seconds
Check Documentation and KB17946 for more details on ISSU operation and
supported features for different releases
BEST PRACTICE:
FLASH HARDENING ON BRANCH SRX
# Once your software version and your configuration is reliable use the following
# steps to make the Branch SRX devices more robust against Flash Problems
# Optional: Cleanup storage (Documentation)

request system storage cleanup
# Optional: Cleanup IDP Cache and Attack Database Download (new command from 11.4)
request security idp storage-cleanup
# Show Releases in the primary and the secondary partition of Routing-Engine 1

show system snapshot media internal slice 1
# Copy primary partition image to the secondary, so they carry the same release
# Check KB22798 for details on dual partitioning
request system snapshot slice alternate
# Make sure your current configuration is also saved as your rescue configuration
# Check KB15788 for details on configuration versions and rollback
request system configuration rescue save
# Save License, Partition Data and Recovery Config to the Auto recovery Partition
# Check Release notes of JUNOS 11.2 for details on auto recovery
request system autorecovery state save

SCRIPTING AND AUTOMATION
AUTOMATION WITH JUNOS SCRIPTS
Commit Scripts
Enable automated compliance checks & configuration changes
e.g.. Reject guest VLAN tag configuration on access switch trunk ports restrict guest access to a floor
Macros allow operators to simplify complex configurations and self-heal errors
e.g. Apply pre-defined Data+VoIP port template on any switch port that gets a description matching a
particular string data-phone
Operations Scripts
Allows custom output for diagnosis and event management
e.g.. Combine 2 different show commands to get a custom output for better analysis
Event Policies & Scripts

Automated pre-defined responses to events creating self-monitoring networks
e.g.. When a switchs trunk port goes up & down, run show interfaces and show alarms CLI, parse data,
save it to a file and send this to a server

HOW TO INTEGRATE SCRIPTS ?
Activation of Commit scripts
Copy a script to the /var/db/scripts/commit directory
Enable the script by including a file statement at the [edit system scripts
commit] hierarchy level (must be user from super user class).
The script will now be executed every time you do a commit
Useful: to avoid typical errors (VPN without Monitor, wrong MTU ...)
Activation of Op Scripts
Copy the script to the /var/db/scripts/op directory
Enable the script by including a file statement at the [edit system scripts
op] hierarchy level (must be user from super user class).
Now you can run the script as a command (e.g.. op status overview)

USEFUL LINKS FOR AUTOMATION
Useful How-to Information is available from this Scripting Guide
http://www.juniper.net/solutions/literature/white_papers/200252.pdf
Script Library from Juniper

http://JUNOS.juniper.net/scripts/
Script Library on Google

http://code.google.com/p/junoscriptorium/

SCRIPT LIBRARY
HTTPS://WWW.JUNIPER.NET/US/EN/COMMUNITY/JUNOS/SCRIPT-AUTOMATION/LIBRARY/

NICE FEATURES YOU WILL LIKE .....
HELP IS AVAILABLE FROM THE CLI,
EVEN WITHOUT INTERNET
Help available from the CLI [ topic reference apropos ]
# Full description of certain configuration hierarchies
root> help reference security address-book
address-book
Syntax
address-book {
address address-name (ip-prefix | dns-name dns-address-name);
address-set address-set-name {
address address-name;
}
}
....
# Commands which include the word xyz

root> help apropos proxy-arp
...
# Help on certain topics

root> help topic snmp agent
...

WE HAVE FTP/SCP SERVERS ON BOARD
# Start the FTP Server
set system services ftp
# Enable inbound ftp on the desired zone and/or interface
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ftp
And Connect with your favourite FTP Client

USEFUL EXTENSIONS FOR
CONFIGURATION VERSIONING
Configuration Comments
# Add comment to a configuration
commit comment "Let us try this"
# List comments added during commit

show system commit
show | compare rollback ?
Personal Configuration Files

# This will save/load configuration files in the home directory of the user
save mytestconfig.txt
load replace mytestconfig.txt
Load/Save Configuration Files via FTP/HTTP

# load via ftp or http
load merge ftp://user:password@host/filename
load merge http://user:password@host/filename
# save via ftp or scp
show configuration | save ftp://user:password@host/filename.
show configuration | save user@host:filename.

CONFIGURATION ROLLBACK
Automatic rollback if not confirmed within 5 minutes
# Automatic rollback if not confirmed within 5 minutes
commit confirmed 5
# Commit at desired time

commit at hh:mm:ss
# on SRX Clusters Rollback is only available if you entered "configure exclusive"
Rollback Versions , by Default you have 5 (on SRX) to 50 (on EX)

rollback ?
show config | compare rollback <number>
The "Rescue" Configuration

# Create a rescue configuration
request system configuration rescue save
# Manual rollback to rescue

rollback rescue
commit
# On J-Series press reset button for more than 5 and less than 15 Seconds
# to automatically load and commit the rescue configuration

SOFTWARE ROLLBACK
Since JUNOS 10.0, Branch SRX have a dual root partitioning scheme, which
can hold a copy of the image and the configuration under /altroot and /altconfig
# After a Software Upgrade the new software is in the primary partition and the old
# software is in the primary partition.
# You can check the current partition content with
show system snapshot media internal slice 1
# To switch the primary partition, so that next reboot uses the other image just execute
root@srx100-2> request system software rollback
junos-12.1R2.9-domestic will become active at next reboot
# To switch back to the previous partition just execute the same command once more
root@srx100-2> request system software rollback
junos-12.1R3.5-domestic will become active at next reboot

REAL-TIME PROBE AND MONITORING (RPM)
RPM can track server/application reachability and latencies over the network
# Configure Probes for user THOMAS
# Example probe SERVER1 checks if server responds to ping
edit services rpm probe THOMAS test SERVER1
set probe-type icmp-ping
set target address 172.30.80.1
top
# Example probe SERVER2 checks if Web-Server responds within 2000 msec

edit services rpm probe THOMAS test SERVER2
set probe-type http-get
set target url http://172.30.81.70/index.html
set threshold rtt 2000000
top
Results can be monitored from CLI or via SNMP
show services rpm probe-results owner THOMAS test SERVER1
show snmp mib walk 1.3.6.1.4.1.2636.3.50
RPM Events can also be used to trigger Event-Scripts

AUTO ARCHIVING CONFIGURATIONS
Transmit a copy of the current Config file with every commit
You can use ftp, http, scp or a copy to a local file
[edit system archival configuration]
transfer-on-commit;
archive-sites {
ftp://username@host:<port>url-path password password;
http://username@host:<port>url-path password password;
scp://username@host:<port>url-path password password;
file://<path>/<filename>;
}
The Target filename is built like this:

<router-name>_juniper.conf[.gz]_YYYYMMDD_HHMMSS
It is also possible to run periodic archival

set system archival configuration transfer-interval [interval]

MORE USEFUL STUFF .....
DNS lookup and reverse lookup
lab@SRX3600> show host 193.99.144.85
85.144.99.193.in-addr.arpa domain name pointer www.heise.de.
lab@SRX3600> show host www.heise.de
www.heise.de has address 193.99.144.85
Network Clients available on the CLI (route lookup starts in inet.0)

telnet, ssh , ftp, scp, ping, traceroute, mtrace
Some clients can be used to pipe command output

monitor traffic interface count 100 | ftp://172.16.1.1/capture.txt
CLI Shortcuts
CTRL-A takes you to the beginning of the command line
CTRL-E takes you to the end of the command line
CTRL-W deletes backwards to the previous space
CTRL-U deletes the entire command line
CTRL-L redraws the command line (in case it has been interrupted by messages, etc.)
CTRL-R starts CLI history search, start typing and matching results will be
displayed and can be executed by simply pressing ENTER

MORE USEFUL STUFF .....
Replace a pattern in the whole configuration
srx# replace pattern fe-0/0/7 with ge-0/0/7
What have you changed so far ?

srx# set system host-name SRX
srx# show | compare
- host-name srx;
+ host-name SRX;
Configure exclusive (only you have access)

srx> configure exclusive
warning: uncommitted changes will be discarded on exit
Entering configuration mode
[edit]
srx#
Check if commit is possible (but don't do it yet)

srx# commit check

AND MORE ......
Add comments anywhere in the configuration
srx# annotate security policies from-zone trust to-zone trust "this is an annotation"
srx# show security policies

/* this is an annotation */
from-zone trust to-zone trust {
inactive: policy 1 {
.....
# To remove the command redo the command with an empty string
annotate .... ""
Temporary deactivate sections of the configuration

# deactivate whatever you want, but still keep it in the configuration
deactivate protocols ospf
Generate your own Events (good to combine with Event-Scripts)

set event-options generate-event backup-config-event time-of-day 23:30:00

AND MORE .....
apply-groups to
set groups sonet interfaces <so-*> sonet-options rfc-2615
set apply-groups sonet
Copy a file from one cluster member to the other

file copy /var/tmp/test node1:/var/tmp/sampled.test
Show Configuration with Details

# Use this command to get explanations and range information for each parameter
show configuration | display detail
Login Messages
# To make a message appear before login
set system login message Welcome \n to \n JUNOS Training\n
# To make a message appear after successful authentication
set system login announcement Maintenance scheduled 11PM to 2AM tonight

AND MORE .....
Get a timestamp on the CLI every time you execute a command
set cli timestamp
# To disable
set cli timestamp disable
Quick Navigation in Configure Mode

# if you used edit to change your current path in the navigation tree you can still
# reach every leaf of the tree by using "top" at the beginning
# Tab completion works and this "top" does not change your current position
edit protocols ospf

top show interface ge-0/0/0
top set interface ge-0/0/0 unit 0 ...

FURTHER USEFUL INFORMATION
DOCUMENTATION AND ADDITIONAL SOURCES
Software Documentation for SRX and J-Series
http://www.juniper.net/techpubs/software/JUNOS/
Hardware Documentation for SRX und J-Series

http://www.juniper.net/techpubs/hardware/srx-series.html
http://www.juniper.net/techpubs/software/jseries/
The JUNOS Page

http://JUNOS.juniper.net/
JTAC Knowledgebase
http://kb.juniper.net/
SRX Channel: http://kb.juniper.net/index?page=content&cat=SRX_SERIES&channel=KB
User Forums
http://forums.juniper.net/jnet/
http://www.juniperforum.com/
Books
http://www.juniper.net/us/en/training/jnbooks/

SELF SERVICE TRAININGS
Training: Fasttrack Program (free materials)
http://www.juniper.net/training/fasttrack/
Training: Complete List of all Training and E-Learning Offers
http://www.juniper.net/us/en/training/technical_education/
Training: JUNOS as a second language
http://www.juniper.net/us/en/training/elearning/jsl.html
Training: Virtual Labs for Partner (Hands-on if you have no HW)
https://www.juniper.net/partners/partner_center/common/training/virtual_lab.jsp
Training: JTAC Webcasts for Partner
https://www.juniper.net/partners/partner_center/common/training/post_sales_webcasts.jsp
Discount Vouchers for Certifications
http://JUNOS.juniper.net/prometricvoucher/

VPN CONFIGURATION GENERATOR
Generator for VPN Configurations (route and policy based)
https://www.juniper.net/customers/support/configtools/vpnconfig.html

MIGRATION TOOLS
Convert Cisco or Netscreen configurations to JUNOS
https://migration-tools.juniper.net/tools/index.jsp

Juniper SRX Quickstart 12.1R3 by Thomas Schmidt

Enviado por

Dados do documento

Direitos autorais

Formatos disponíveis

Compartilhar este documento

Compartilhar ou incorporar documento

Opções de compartilhamento

Você considera este documento útil?

Este conteúdo é inapropriado?

Direitos autorais:

Formatos disponíveis

Juniper SRX Quickstart 12.1R3 by Thomas Schmidt

Enviado por

Direitos autorais:

Formatos disponíveis

SRX JUMP STATION

Based on JUNOS Versions up to 12.1R3

Click on the Login Chapter Buttons to get to the desired chapters

2 Copyright 2011 Juniper Networks, Inc. www.juniper.net

Trouble- Monitor Log files Interface Debug Packet Debug

High Cluster Cluster Cluster Failover Cluster Cluster

More.. Boot loader Reset to Software Automation Nice Further

6 Copyright 2011 Juniper Networks, Inc. www.juniper.net

Feature Explorer and Content Explorer

Feature Support Reference Guide

SRX Knowledgebase (Jump Station)

SRX Knowledgebase (Here a list of the latest SRX articles)

SRX Application Notes

JUNOS Network Configuration Examples

7 Copyright 2011 Juniper Networks, Inc. www.juniper.net

JUNOS software for SRX-series services gateways includes the

9 Copyright 2011 Juniper Networks, Inc. www.juniper.net

10 Copyright 2011 Juniper Networks, Inc. www.juniper.net

11 Copyright 2011 Juniper Networks, Inc. www.juniper.net

Login in factory default state as user "root". Password is empty

13 Copyright 2011 Juniper Networks, Inc. www.juniper.net

--- JUNOS 9.1R2.10 built 2008-07-01 04:34:43 UTC

login: root Shell Prompt

--- JUNOS 9.1R2.10 built 2008-07-01 04:34:43 UTC

14 Copyright 2011 Juniper Networks, Inc. www.juniper.net

CLI - Operational Mode

CLI - Configuration mode:

16 Copyright 2011 Juniper Networks, Inc. www.juniper.net

Execute commands (mainly) from the default CLI level (user@switch>)

dot1x configuration spanning-tree version etc.

bridge interface mstp statistics More Specific

EMACS-style editing sequences are supported

A VT100 terminal typeCopyright

Use the Tab key to complete an assigned variable

Use Tab to complete

19 Copyright 2011 Juniper Networks, Inc. www.juniper.net

Type ? anywhere on the command line

20 Copyright 2011 Juniper Networks, Inc. www.juniper.net

22 Copyright 2011 Juniper Networks, Inc. www.juniper.net

23 Copyright 2011 Juniper Networks, Inc. www.juniper.net

24 Copyright 2011 Juniper Networks, Inc. www.juniper.net

To paste and override the whole configuration

To paste and add pieces of configuration

To paste configuration written with "set" commands

25 Copyright 2011 Juniper Networks, Inc. www.juniper.net

26 Copyright 2011 Juniper Networks, Inc. www.juniper.net

All numbers start from 0

For a list of Interface Types see

Wildcards - Many commands accept wildcards in ifnames

29 Copyright 2011 Juniper Networks, Inc. www.juniper.net

Switching is possible on Branch SRX Models (SRX100.SRX650)

Switching is not available (and not needed) on High-End SRX

Switching is done in Hardware. Full throughput can be achieved,

Since JUNOS 10.0 the smaller SRX (100...240) have Switching

31 Copyright 2011 Juniper Networks, Inc. www.juniper.net

# The interface-range is assigned to the VLAN vlan-trust

# You can specify a VLAN, which will be used for Switching

# Configure Ethernet switching on the interfaces that are part of VLAN.

# Assign these interface to the desired VLAN

# Configure a VLAN interface with an IP for this VLAN

# Assign this VLAN interface as your Layer3 Interface on this VLAN

# It's a firewall, so the VLAN interface must also be in a zone

# Allow services on the VLAN interface if desired

# history of MACs added and removed