Thomas Schmidt
Consulting Systems Engineer
WHAT IS THE PURPOSE OF THIS QUICK START?
This collection is for users who already have experience with ScreenOS firewalls and the
underlying concepts and now want to use JUNOS based SRX firewalls.
This collection assumes you already have some knowledge of JUNOS (there are free
trainings to help you) but need a guide to configure a complete system.
This collection is a guide to help you find the commands required for typical features and
tasks and gives you brief, working examples.
Navigation:
Click on the symbol in the top right corner to get to the Jump Station Central.
If you need more in-depth information or more details of the underlying concepts, consult the
documentation or participate in trainings.
This collection cannot replace the full JUNOS documentation or trainings and cannot cover all
parameters available with a certain feature.
Jump Station Central (sections of this collection):
Network: Interfaces, Switching, Routing (OSPF, BGP), Trunk & LAG, Link Redundancy, Multicast, IPv6, Transparent Mode
Firewall: Packet Flow, Zones, Policies, Screens & Defense, NAT, Flow & ALG, Virtualize (VR + LSys)
VPN: Route based VPN, Policy based VPN, VPNs with Certificates, VPN Diagnostics, Dynamic VPN
Manage, Log, Monitor: Admin User Role & Auth, Inband or Outband, Logging & Syslog, SNMP & RMON, Netflow, Space, NSM, STRM
Toolbox: Access list, DHCP, Time & NTP, DNS, PPPoE & DSL, UAC Enforcer, Port Mirroring, Class of Service
AppFirewall, IDP and UTM: Licenses, AppSecure Overview, IDP, AppTrack, AppFirewall, AppDDOS, UTM Antivirus, UTM Webfilter
Juniper Forum
Configuration Library http://forums.juniper.net/t5/Configuration-Library/bd-p/ConfigLib
DayOne Tips http://forums.juniper.net/t5/Day-One-Tips-Contest/bd-p/DayOneContest
Session-based features:
Implements some ScreenOS features and functionality
through the use of new daemons
First packet of flow triggers session creation based on:
Source and destination IP address
Source and destination port
Protocol
Session token
Zone-based security features
Packet on the incoming interface is associated with the incoming zone
Packet on the outgoing interface is associated with the outgoing zone
Core security features:
Firewall, VPN, NAT, ALGs, IDP, and SCREEN options
Control Plane:
Implemented on the Routing Engine
JUNOS software kernel, daemons, chassis management, user
interface, routing protocols, system monitoring, clustering control
Data Plane:
Implemented on the IOCs and SPCs
Forwarding packets, session setup and maintenance,
load-balancing, security policy, screen options, IDP, VPN
login: root
********************************************************************
** Welcome to JUNOS: **
** **
** To run the console configuration wizard, please run the **
** command 'config-wizard' at the 'root%' prompt. **
** **
** To enter the JUNOS CLI, please run the command 'cli'. **
** **
********************************************************************
root@% cli
root>
login: user
Password:
The root user must start the CLI from the shell
Do not forget to exit root shell after logging out of the CLI!
CLI EDITING AND PROMPTS
Operational mode commands, from less specific to more specific: clear, configure, help, monitor, set, show, etc.
Cursor movement on the command line:
Ctrl+a  move the cursor to the beginning of the line
Ctrl+f  move the cursor one character forward
Ctrl+e  move the cursor to the end of the line
Commands can be abbreviated as long as they stay unique; "show i" is ambiguous (interfaces, igmp, ...)
user@switch> show interfaces          (operational mode prompt ends with >)
[edit policy-options]
user@host#                            (configuration mode prompt ends with #, the hierarchy is shown above it)
ScreenOS Style
root@J6350> show config | display set
set version 9.3R2.8
set system host-name J6350
set system root-authentication encrypted-password "$1$QOLKoFKc$D/rIuLTkLP1BX9/GjQ.yN."
set system name-server 172.30.80.65
set system login user lab uid 2000
set system login user lab class super-user
CONFIGURATION, CANDIDATE, COMMIT, ROLLBACK
Example :
ge-0/1/2.3 - Gigabit Interface (Slot 0, Module 1, Port 2, Logical unit 3)
fe-0/1/2.3 - Fast Ethernet Interface
st0.0 - First Secure Tunnel Interface (VPN Tunnel)
lo0 - First loopback interface
# A vlan interface (unit 0) is assigned to this VLAN as the Layer 3 interface of the VLAN
set vlans vlan-trust l3-interface vlan.0
# This Layer 3 interface gets an IP address that is reachable from all
# hosts on its VLAN. In branch deployments this is typically the gateway address.
set interfaces vlan unit 0 family inet address 192.168.1.1/24
# All physical interfaces - except ge-0/0/0 of the SRX210 - are now assigned
# to an interface-range with the name interfaces-trust
set interfaces interface-range interfaces-trust member ge-0/0/1
set interfaces interface-range interfaces-trust member fe-0/0/2
set interfaces interface-range interfaces-trust member fe-0/0/3
set interfaces interface-range interfaces-trust member fe-0/0/4
set interfaces interface-range interfaces-trust member fe-0/0/5
set interfaces interface-range interfaces-trust member fe-0/0/6
set interfaces interface-range interfaces-trust member fe-0/0/7
# The range needs a switching family, otherwise the members are not switch ports of the VLAN
set interfaces interface-range interfaces-trust unit 0 family ethernet-switching vlan members vlan-trust
# It's a firewall, so the interface is mapped to zone trust, where all services are enabled.
# "all" is acceptable on the LAN side; do not copy it to the untrust zone.
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
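The trust side above only becomes a working branch firewall once the untrust side, one policy and NAT exist. The following is an added example, not part of the original collection: ge-0/0/0 as WAN interface with 203.0.113.2/24, the upstream gateway 203.0.113.1 and the policy/rule names are assumptions.

```junos
# Added example (not from the original page). Assumed: WAN on ge-0/0/0 with
# 203.0.113.2/24, upstream gateway 203.0.113.1, LAN on vlan.0 as configured above.
set interfaces ge-0/0/0 unit 0 family inet address 203.0.113.2/24
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1

# Untrust zone: only allow what the box itself must answer on the WAN side.
# No "system-services all" here; ping is enough for first-line troubleshooting.
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services ping

# Outbound policy: LAN may reach the Internet; everything else is dropped by the
# default deny. Policies are evaluated in order, the first match wins.
set security policies from-zone trust to-zone untrust policy LAN-OUT match source-address any
set security policies from-zone trust to-zone untrust policy LAN-OUT match destination-address any
set security policies from-zone trust to-zone untrust policy LAN-OUT match application any
set security policies from-zone trust to-zone untrust policy LAN-OUT then permit
set security policies from-zone trust to-zone untrust policy LAN-OUT then log session-close

# Interface-based source NAT (port translation behind the ge-0/0/0 address)
set security nat source rule-set LAN-TO-INET from zone trust
set security nat source rule-set LAN-TO-INET to zone untrust
set security nat source rule-set LAN-TO-INET rule HIDE match source-address 192.168.1.0/24
set security nat source rule-set LAN-TO-INET rule HIDE then source-nat interface

# Checks (operational mode): every forwarding interface must sit in exactly one zone,
# and the policy must appear in the intended order
run show security zones
run show security policies from-zone trust to-zone untrust
```

There is deliberately no inbound policy: with nothing configured from untrust to trust the implicit deny applies, which is the state you want before adding destination NAT rules later in the NAT section.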
SWITCHING
ANOTHER CONFIGURATION EXAMPLE
# Before you can add an interface to switching you probably have to remove existing assignments.
# If there is an IP address assigned to the interface you have to remove it
delete interfaces fe-0/0/2 unit 0 family inet
# If the interface is a member of an interface-range in use, you have to untie it
delete interfaces interface-range .... member fe-0/0/2
Platforms with Ethernet switching support: J2320, J2350, J4350, J6350, SRX100, SRX110, SRX210 *, SRX220 *, SRX240 *, SRX550 * **, SRX650 **
* Ethernet switching support is planned for a future release for the 1 Gigabit Ethernet SFP MPIM on the SRX210, SRX220, SRX240 and SRX550.
** As of JUNOS OS Release 12.1, Ethernet switching is not supported on the 10G XPIM.
# Network Route
set routing-options static route 10.2.2.0/24 next-hop 10.1.1.254
# Default Route
set routing-options static route 0.0.0.0/0 next-hop 10.1.1.254
# Route to an Interface
# Useful for Point-to-Point Interfaces like pppoe, vpn-tunnel, gre-tunnel
set routing-options static route 0.0.0.0/0 next-hop pp0.0
set routing-options static route 10.1.1.0/24 next-hop st0.0
# Example for the definition of the VR with the name Logging referenced above
set routing-instances Logging instance-type virtual-router
set routing-instances Logging interface ge-0/0/7.0
# A network route to discard any traffic that did not hit a more specific route
# Black hole Routes could sometimes save performance for policy lookups or
# avoid rerouting in case of interfaces failures (example: VPN is down)
set routing-options static route 0.0.0.0/0 discard
# Forwarding table (includes all active routes, visible for the data-plane)
root@J2300> show route forwarding-table
# to get direct interface routes announced you can add them to OSPF in passive mode
set protocols ospf area 0.0.0.0 interface vlan.100 passive
# On SRX Clusters for RG0 failover, you might have to extend OSPF Timers to survive
# a dead interval of 5-20 seconds and also use the following setting:
set protocols ospf graceful-restart no-strict-lsa-checking
# For export of all other routes or to filter inbound routes you need a routing policy
# (policy-options). Example filter to export all local static and all direct routes:
edit policy-options policy-statement ALL-LOCAL
set term 1 from protocol direct
set term 1 then accept
set term 2 from protocol static
set term 2 then accept
top
set protocols ospf export ALL-LOCAL
# Example filter to export only a certain route (which must exist in the routing table)
edit policy-options policy-statement JUST-ONE
set term 1 from route-filter 172.10.0.0/16 exact
set term 1 then metric 10
set term 1 then accept
top
set protocols ospf export JUST-ONE
# Specify BGP peer(s)
edit protocols bgp group UPSTREAM
set local-address 1.1.1.2
set peer-as 64005
set local-as 64006
set neighbor 1.1.1.1 export BGP-EXPORT-POLICY
top
# When fragmentation happens in a GRE tunnel there are two options for reassembly:
# a) use IDP inspection on the traffic leaving the tunnel
# b) since JUNOS 11.2 you can apply the following command
set security flow force-ip-reassembly
# Option 2: the SRX itself is the Rendezvous Point - in this case a loopback interface is best practice
set interfaces lo0 unit 0 family inet address <IP-for-RP>/32
set protocols pim rp local address <IP-for-RP>
# DEBUGGING
set protocols pim traceoptions file trace-pim
set protocols pim traceoptions flag all
set protocols igmp traceoptions file trace-igmp
set protocols igmp traceoptions flag all
For more details on IPv6 feature support in JUNOS 12.1 check this documentation:
http://www.juniper.net/techpubs/en_US/junos12.1/topics/reference/general/security-feature-ipv6-support.html
# For exact IP assignment and DHCPv6 server assignment use these statements
edit access address-assignment pool TRUSTv6 family inet6
set dhcp-attributes dns-server ....
set dhcp-attributes options ....
set range RANGE1 high ...
set range RANGE1 low ...
top
# Monitoring (IPv6 routing table and neighbor discovery)
show route table inet6.0
show ipv6 neighbors
show ipv6 router-advertisement
# Monitoring RIPng
show route receive-protocol ripng <neighbor-address>
show route advertising-protocol ripng <neighbor-address>
show route protocol ripng
# Monitoring OSPFv3
show ospf3 neighbor
show ospf3 overview
show ospf3 route
show ospf3 statistics
# A reload after commit is suggested to clear out any bogus neighbor entries in the cache
"Switching" Configuration
Allows switching between all interfaces that are part of a VLAN. The
member interfaces can be tagged and/or untagged
Supported only on Branch SRX
Not supported on redundant interfaces of a cluster
"Routing" Configuration
Allows creating a sub-interface (one logical unit per VLAN tag) and using it for routing
Supported on all SRX platforms
Also supported in cluster mode (can be applied to reth interfaces)
Also supported on aggregate interfaces
VLAN TRUNK
CONFIGURATION EXAMPLE FAMILY "INET"
# For Trunk Ports which have multiple VLANs use the following Syntax
set interfaces xe-0/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces xe-0/0/0 unit 0 family ethernet-switching vlan members all
# For Access Ports which are untagged but mapped to a certain VLAN
# use the following syntax
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members <name>
# From the network point of view, these are two independent aggregate interfaces (one per node).
# Only the interfaces on the active node are used for transmission.
# Usually only one of these routes would show up in the forwarding table.
# We need a policy statement to enable per-packet load-balancing.
# On SRX this statement enforces in reality per-flow balancing
set policy-options policy-statement LBP then load-balance per-packet
# The policy only takes effect once it is exported to the forwarding table
set routing-options forwarding-table export LBP
# Finally we might influence the balancing algorithm (layer-3 = IP addresses only, layer-4 = TCP/UDP ports too)
set forwarding-options hash-key family inet layer-3
set forwarding-options hash-key family inet layer-4
VRRP
CONFIGURATION
# VRRP allows failover of an interface between two devices which are not a cluster
# Typical use case: primary and backup Internet access device (each with its own WAN link)
# Remember that a VRRP pair does not sync sessions - all sessions must be re-established after a failover
# VRRP - node0
edit interfaces fe-0/0/7 unit 0 family inet address 192.168.0.101/24 vrrp-group 150
set virtual-address 192.168.0.150
set priority 100
set no-preempt
set authentication-type md5
set authentication-key secret
top
# VRRP - node1 (higher priority, becomes master)
edit interfaces fe-0/0/7 unit 0 family inet address 192.168.0.102/24 vrrp-group 150
set virtual-address 192.168.0.150
set priority 110
set no-preempt
set authentication-type md5
set authentication-key secret
top
# VRRP troubleshooting
run show vrrp summary
run show vrrp interface fe-0/0/7
Today (12.1) a firewall can either be in pure Layer 2 mode or Layer 3 routed mode, no mix
During a Cluster Failover the physical links on the inactive machine will get bumped (L1 down for some seconds and
then up again) to clear CAM tables on the attached Switches.
# For management access you must attach an irb interface to a bridge domain
set interfaces irb unit 0 family inet address 1.1.1.0/24
set bridge-domains BD1 routing-interface irb.0
# Monitoring commands
show bridge domain
show bridge mac-table
Packet walk (first path = new session, fast path = existing session):
1) Pull packet from queue
2) Police packet
3) Filter packet (stateless firewall filter)
4) Session lookup
5a) No existing session (first path): FW screen check; static and destination NAT; route lookup; destination zone lookup; policy lookup; reverse static and source NAT; setup ALG vector; install session
5b) Established session (fast path): FW screen check; TCP checks; NAT translation; ALG processing
6) Filter packet
7) Shape packet
8) Transmit packet
SECURITY SERVICES PACKET WALK
Order of the security services for the first packet of a flow: Screens -> Static NAT -> Destination NAT -> Route -> Zones -> Policy -> Reverse Static NAT -> Source NAT -> Services (ALG) -> Session.
The session lookup decides the path: no matching session -> full first-path processing above; matching session -> only Screens, TCP checks, NAT and Services are applied to the packet.
# An interface will not forward any traffic until it is assigned to a zone
# Each interface can only be mapped to one zone
# All interfaces in the same zone must be mapped to the same VR
# JUNOS >= 11.1 also supports wildcard address masks with non-contiguous bitmasks
# for IPv4. The first octet of the mask must be greater than 128 (highest bit set)
set security zones security-zone trust address-book address SERVER4 10.0.0.4/255.0.0.255
# Address books exist in the old (per zone, as above) and the new (global, since 11.2) format.
# JUNOS op scripts exist to convert from old to new format and back:
https://www.juniper.net/us/en/community/junos/script-automation/library/
# If both formats are used in one configuration, it can not be committed
# Predefined applications (junos-*) appear when you use Tab completion while writing policies
set security policies from-zone trust to-zone untrust policy X match application ?
# Monitor commands
show security policies
show security flow session
#Policy lookup is available on CLI and in Web-UI since JUNOS 10.3
show security match-policies ....
Policy lookup order:
1) Zone-specific policies for the from-zone/to-zone pair, evaluated in configured order (Policy 1 ... Policy N); the first match wins
2) No match: global policies, evaluated in configured order (Policy 1 ... Policy M)
3) Still no match: the default policy applies (deny-all unless changed with set security policies default-policy)
# Alarms can be enabled per policy to generate alerts if usage exceeds thresholds
edit security policies from-zone trust to-zone untrust policy pol-01
set then count alarm per-minute-threshold 1000
set then count alarm per-second-threshold 50
top
# Since JUNOS 10.3 there is Security Policy Lookup to predict the policy decision
# The query goes directly to the forwarding plane for evaluation
show security match-policies ....
# Until 11.4 usage statistics are only available if counting is enabled (see previous page)
show security policies detail
# JUNOS 12.1 introduces usage tracking of firewall policies independent of the counter.
# Hit counts since the last reboot/failover can be retrieved with the following command
show security policies hit-count
# Create a new policy with the name "FIRST" and apply the scheduler definition "SCHEDULER1"
edit security policies from-zone untrust to-zone trust policy FIRST
set match source-address any
set match destination-address any
set match application any
set then permit
set scheduler-name SCHEDULER1
top
# Monitoring
show schedulers
show security policies detail
# Add an additional IP to an existing interface that is used for WebAuth; HTTP to this address
# gives you a login page
set interfaces vlan unit 0 family inet address 192.168.1.210/24 web-authentication http
# and use this profile as default for firewall auth (inline in telnet, http, ftp connections) and webauth
set access firewall-authentication pass-through default-profile TESTPROFILE
set access firewall-authentication web-authentication default-profile TESTPROFILE
# Monitoring commands
show security firewall-authentication users
show security firewall-authentication history
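The access profile TESTPROFILE referenced above and the policies that actually trigger authentication are not shown on this page. The following added example (not from the original collection) completes them with a local user; the user name, password and policy names are assumptions.

```junos
# Added example (not from the original page). Defines the access profile TESTPROFILE
# with a local firewall user (name and password assumed) and two policies: one that
# authenticates inline (pass-through) and one that relies on the WebAuth login page.
set access profile TESTPROFILE authentication-order password
set access profile TESTPROFILE client alice firewall-user password "ChangeMe-1"

# Pass-through: the first HTTP connection of a source IP is intercepted for login;
# after a successful login the source IP is authenticated for the policy.
set security policies from-zone trust to-zone untrust policy HTTP-AUTH match source-address any
set security policies from-zone trust to-zone untrust policy HTTP-AUTH match destination-address any
set security policies from-zone trust to-zone untrust policy HTTP-AUTH match application junos-http
set security policies from-zone trust to-zone untrust policy HTTP-AUTH then permit firewall-authentication pass-through access-profile TESTPROFILE

# WebAuth: the user first logs in at http://192.168.1.210 (address configured above);
# afterwards any application matched by this policy is permitted without an inline prompt.
set security policies from-zone trust to-zone untrust policy WEB-AUTH match source-address any
set security policies from-zone trust to-zone untrust policy WEB-AUTH match destination-address any
set security policies from-zone trust to-zone untrust policy WEB-AUTH match application any
set security policies from-zone trust to-zone untrust policy WEB-AUTH then permit firewall-authentication web-authentication

# Check (operational mode): authenticated users, their source addresses and idle times
run show security firewall-authentication users
```

Order matters: HTTP-AUTH is listed before WEB-AUTH so that plain HTTP still gets the inline prompt, while everything else falls to the WebAuth rule. Authentication is bound to the source IP, not to the user, so a shared NAT address in front of the SRX authenticates everybody behind it.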
Rematch flag (set security policies policy-rematch):
Enabled: after a policy change existing sessions are re-evaluated against the changed policy and dropped if they no longer match
Disabled (default): existing sessions keep the decision of the old policy until they end; only new sessions see the change
# Example: make sure TCP packets going through VPN tunnels avoid fragmentation
set security flow tcp-mss ipsec-vpn mss 1420
# Example: avoid TCP split-handshake attacks by stricter SYN checking
set security flow tcp-session strict-syn-check
# Most ALGs are enabled by default. To check which ALGs exist and which are enabled use
show security alg status
# Monitoring commands
show security screen statistics zone untrust
show security screen statistics interface ge-0/0/0
# TCP SYN flood protection: SYN cookie has better performance than SYN proxy
set security flow syn-flood-protection-mode syn-cookie
edit security screen ids-option FLOOD tcp syn-flood
# Start using cookies when we see more than 20 SYNs/sec
set attack-threshold 20
set alarm-threshold 10000
# If we get more than these SYNs per second from one source IP we start dropping
set source-threshold 1024
# If we get more than these SYNs per second to the same destination IP we start dropping
set destination-threshold 100000
# Seconds before we drop half-open connections from the queue
set timeout 5
top
# Finally apply the screen profile definition to the zone(s) where the flood arrives
set security zones security-zone untrust screen FLOOD
# Monitoring (query the zone the screen is attached to)
show security screen statistics zone untrust
show interfaces ge-0/0/1.0 extensive | match Syn
root@raticate# set security screen ids-option FLOOD tcp syn-flood WHITE-LIST ipv4 ?
Possible completions:
<[Enter]> Execute this command
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
+ destination-address Destination IP based
+ source-address Source IP based
# Set levels (percent of max session nr) when aggressive aging starts and when it stops
set security flow aging high-watermark 80 low-watermark 60
# Monitoring
show security alarms
Limitations in the number of NAT rules did exist, but finally even the last (8
rules for destination NAT) disappeared with 10.2.
See http://kb.juniper.net/KB14149
"Juniper Networks SRX Series and J Series NAT for ScreenOS Users"
http://www.juniper.net/us/en/products-services/security/srx-series/#literature
NAT
CONFIGURATION INCLUDES 3 FLAVORS
Source NAT
Interface based NAT
Pool based NAT- with and without port translation
IP address shifting
Destination NAT
Destination IP and/or port number translation
IP address shifting
Static NAT
Bi-directional
No port translation supported
dst-xlate for packets to the host
src-xlate for packets initiated from the host
NAT
PROCESSING ORDER
Static & Destination NAT are performed before security policies are
applied
Reverse Static & Source NAT are performed after security policies
are applied
Accordingly, policies always refer to the actual address of the
endpoints
SOURCE NAT
EXAMPLE WITH THREE RULES
Figure (reconstructed from the labels that survived extraction): trust side with ge-0/0/0 (10.1.1.0/24), ge-0/0/1 (10.1.2.0/24) and the networks 192.1.1.0/24 and 172.1.1.0/24 behind them; untrust side towards the INTERNET.
[edit security nat source]
rule-set nat-internet {
    from zone trust;
    to zone untrust;
    rule rule1 {
        match {
            source-address [ 10.1.1.0/24 10.1.2.0/24 ];
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat {
                pool {
                    src-nat-pool1;
                }
            }
        }
    }
    rule rule2 {
        match {
            source-address 192.1.1.0/24;
        }
        then {
            source-nat {
                pool {
                    src-nat-pool2;
                }
            }
        }
    }
    rule rule3 {
        match {
            source-address 172.1.1.0/24;
        }
        then {
            source-nat {
                off;
            }
        }
    }
}
Rules inside a rule-set are evaluated in order; the first matching rule is used.
DESTINATION NAT
EXAMPLE FOR MANY-TO-MANY
Figure (only the labels survived extraction): trust side ge-0/0/1 with 10.1.2.0/24; untrust side ge-0/0/0 with 1.1.1.1/24 towards the INTERNET. The rules live under [edit security nat destination].
Source NAT
Proxy-ARP required for all source IP pool addresses in the same subnet as egress
interface ge-0/0/0
For source pools not in the same subnet as egress interface IP, route to the IP pool
subnet with the SRX device as next-hop is required on the upstream router
Destination/Static NAT
Proxy-ARP required for all IP pool addresses in the same subnet as ingress
interface ge-0/0/0
For static and destination NAT pools not in the same subnet as egress interface IP,
route to the IP pool subnet with the SRX device as next-hop is required on the
upstream router
Configuration command
set security nat proxy-arp interface <if_name> address <ip_prefix>
DOUBLE NAT - SOURCE AND DESTINATION NAT
Figure: the trust host 192.168.1.3/24 leaves towards untrust as 1.1.1.100 (source NAT); untrust clients connect to 1.1.1.10, which is translated to the server 10.1.1.100/24 (destination/static NAT).
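The double NAT figure, the source NAT rule-set above and the proxy-ARP notes fit into one configuration. This is an added example, not from the original collection: it assumes ge-0/0/0 (untrust) carries 1.1.1.1/24, that 10.1.1.100 is the server and 192.168.1.0/24 the LAN behind the trust zone, and that only HTTPS should reach the server.

```junos
# Added example (not from the original page). Assumed: ge-0/0/0 is the untrust interface
# with 1.1.1.1/24; server 10.1.1.100 and LAN 192.168.1.0/24 sit in zone trust.

# Static NAT: 1.1.1.10 <-> 10.1.1.100, bidirectional, no port translation.
# Inbound packets are translated before the policy lookup, so the policy below
# must match the real server address 10.1.1.100, not 1.1.1.10.
set security nat static rule-set STATIC-IN from zone untrust
set security nat static rule-set STATIC-IN rule SRV match destination-address 1.1.1.10/32
set security nat static rule-set STATIC-IN rule SRV then static-nat prefix 10.1.1.100/32

# Source NAT: LAN hosts leave with 1.1.1.100 (pool with port translation)
set security nat source pool SRC-POOL address 1.1.1.100/32
set security nat source rule-set TRUST-OUT from zone trust
set security nat source rule-set TRUST-OUT to zone untrust
set security nat source rule-set TRUST-OUT rule LAN match source-address 192.168.1.0/24
set security nat source rule-set TRUST-OUT rule LAN then source-nat pool SRC-POOL

# Both translated addresses are in the ge-0/0/0 subnet but are not configured on the
# interface, so the SRX must answer ARP for them (otherwise the upstream router
# never sends the packets our way).
set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.10/32
set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.100/32

# Policy refers to the real (untranslated) server address and only to HTTPS
set security zones security-zone trust address-book address SRV 10.1.1.100/32
set security policies from-zone untrust to-zone trust policy TO-SRV match source-address any
set security policies from-zone untrust to-zone trust policy TO-SRV match destination-address SRV
set security policies from-zone untrust to-zone trust policy TO-SRV match application junos-https
set security policies from-zone untrust to-zone trust policy TO-SRV then permit
set security policies from-zone untrust to-zone trust policy TO-SRV then log session-init

# Checks (operational mode): translations, pool usage and the proxy-ARP entries
run show security nat static rule all
run show security nat source summary
run show arp no-resolve
```

Because the static rule is bidirectional, sessions the server itself opens to the Internet also leave as 1.1.1.10; the source NAT pool is only used for the LAN range. If the translated addresses were outside the ge-0/0/0 subnet, the proxy-ARP lines would be replaced by a route for them on the upstream router pointing at the SRX.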
# Static NAT:
show security nat static rule <all|rule-name>
# Source NAT:
show security nat source summary
show security nat source pool <pool-name>
show security nat source rule <rule-name>
show security nat source persistent-nat-table <all|summary|....>
# Destination NAT:
show security nat destination summary
show security nat destination pool <pool-name>
show security nat destination rule <rule-name>
show security nat interface-nat-ports
# Incoming NAT:
show security nat incoming-table
# ARP table
show arp no-resolve
VIRTUALIZATION
BUILDING BLOCKS AND CONCEPTS
SRX Firewalls offer several building blocks and concepts to achieve virtualization
Zone based Separation: No traffic can get from one zone to another if there is no policy
Virtual Routers based Separation: avoid any traffic leakage between different instances
(usecase: managed service for customers with overlapping address space).
Logical Systems : for complete administrative isolation. Create virtual firewalls with individual
administrators and protected resources per firewall (memory, cpu, objects ...)
Virtual SRX: Virtual Machine for installation on a Hypervisor (Vmware, KVM)
Design 1 - zones only: the Coke user is placed in a Coke zone, the Pepsi user in a Pepsi zone, both share one untrust zone and one routing table
  Simple design
  High scale (no additional overhead)
  No overlapping IP addresses
  Little to no user-based admin
Design 2 - zones plus virtual routers: per customer a trust zone, an untrust zone and a VR (Coke VR, Pepsi VR)
Design 3 - zones plus VR plus logical systems: per customer a logical system (Coke LSYS, Pepsi LSYS) that owns its zones and its VR
Designs 2 and 3:
  Complex design
  Lower scale (possible additional overhead)
  Overlapping IP addresses supported
  Routing protocols per VR give additional flexibility (and introduce performance caveats)
  User-based admin supported (design 3)
VIRTUALIZATION:
VIRTUAL ROUTERS
DIFFERENCE IN OWNERSHIP HIERARCHY
ScreenOS: Virtual Router -> Zone -> Interface -> IP Address (a zone belongs to exactly one VR)
JUNOS: Routing Instance (Virtual Router) -> Interface -> IP Address, and independently Zone -> Interface
The interface is split from zones in JUNOS: an interface is placed in a routing instance and in a zone separately; the zone itself is not owned by a VR.
# Create the virtual router, assign two physical interfaces and a loopback interface
set routing-instances red-vr instance-type virtual-router
set routing-instances red-vr interface fe-0/0/6.0
set routing-instances red-vr interface fe-0/0/7.0
set routing-instances red-vr interface lo0.0
# Optional: you can set static routes to get from one VR to another
# If you need to exchange dynamic routes you will need RIB groups
set routing-instances red-vr routing-options static route 5.0.0.0/24 next-table blue-vr.inet.0
Figure: the routing instances Red-VR (zone red-trust), Blue-VR (zone blue-trust) and Green-VR (zone green-trust) all connect to the untrust zone in the main instance (inet.0).
# Apply Policy to filter routes from the rib-groups export-rib to the member ribs
set routing-options rib-groups test-rib import-policy into-red
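The rib-group line above only names the policy; the group itself, the policy and the protocol binding are missing. This added example (not from the original collection) completes it for the red-vr instance above: OSPF routes learned inside red-vr are copied into inet.0 so the untrust side can reach them. The prefix 10.10.0.0/16 and the group name RED-DIRECT are assumptions; test-rib and into-red are the names used above.

```junos
# Added example (not from the original page). Leaks OSPF routes from red-vr.inet.0
# into inet.0 through the rib-group test-rib, filtered by the policy into-red.
# 1) Policy: accept only the red-vr prefixes we want visible in inet.0.
#    "to rib inet.0" scopes the terms to the secondary table, so the primary
#    table red-vr.inet.0 keeps receiving everything as before.
set policy-options policy-statement into-red term LEAK from protocol ospf
set policy-options policy-statement into-red term LEAK from route-filter 10.10.0.0/16 orlonger
set policy-options policy-statement into-red term LEAK to rib inet.0
set policy-options policy-statement into-red term LEAK then accept
set policy-options policy-statement into-red term NO-OTHER to rib inet.0
set policy-options policy-statement into-red term NO-OTHER then reject

# 2) The rib-group: the first import-rib is the primary table the protocol normally
#    writes to, every further table receives a filtered copy
set routing-options rib-groups test-rib import-rib [ red-vr.inet.0 inet.0 ]
set routing-options rib-groups test-rib import-policy into-red

# 3) Bind the group to OSPF inside the VR (the group must be attached to a protocol,
#    defining it alone copies nothing)
set routing-instances red-vr protocols ospf rib-group test-rib

# 4) Direct (interface) routes of red-vr are leaked with a second group the same way
set routing-options rib-groups RED-DIRECT import-rib [ red-vr.inet.0 inet.0 ]
set routing-instances red-vr routing-options interface-routes rib-group inet RED-DIRECT

# Check (operational mode): leaked routes appear in inet.0 with their original protocol
run show route table inet.0 protocol ospf
run show route table inet.0 10.10.0.0/16
```

For the return path the same pattern is applied in the other direction (a rib-group attached in the main instance with inet.0 first and red-vr.inet.0 second); without it the leaked networks can be reached but cannot answer.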
# Add the root system profile. All off-box logging comes from the root LSYS.
# If this is undefined then syslog/SNMP will not work
set system security-profile ROOT-LSYS auth-entry maximum 5
set system security-profile ROOT-LSYS policy maximum 5
set system security-profile ROOT-LSYS policy reserved 1
set system security-profile ROOT-LSYS policy-with-count maximum 0
set system security-profile ROOT-LSYS root-logical-system
# Assigned profile and current usage for each individual resource
show system security-profile <resource> logical-system <all|name>
Dynamic VPN
For Remote Access of travelling Users
Rollout and Update of VPN Client Software
Authenticate User and assign IPs during VPN establishment
ROUTE BASED VPN
SITE-TO-SITE WITH MAIN MODE (1/3)
# Enable IKE traffic on the untrust interface
edit security zones security-zone untrust interfaces ge-0/0/1.0
set host-inbound-traffic system-services ike
top
# Use this statement - on one side of the VPN - to get the tunnel established fast
set security ipsec vpn VPN1 establish-tunnels immediately
# Configure routing: the remote network is reached through the tunnel interface
set routing-options static route 10.1.1.0/24 next-hop st0.0
# There are global options (system wide for all Phase 2) to set VPN monitor thresholds
# Default is interval 10, threshold 10, which results in 100 seconds detection time
set security ipsec vpn-monitor-options interval 3
set security ipsec vpn-monitor-options threshold 3
# Next hop tunnel binding - allows multiple endpoints on one tunnel interface
set interfaces st0 unit 0 multipoint
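Only fragments of the three VPN pages survived. The following added example (not from the original collection) is a complete route-based site-to-site VPN with IKE main mode and a pre-shared key that the fragments above plug into. Assumed: local WAN interface ge-0/0/1.0, peer 203.0.113.2, remote LAN 10.1.1.0/24, a zone named vpn for the tunnel, and a release that offers SHA-256 and DH group 14 (older releases only provide sha1 and group2).

```junos
# Added example (not from the original page). Peer address, interface, zone and
# object names are assumptions; the PSK must be replaced with a long random value.
# Phase 1
set security ike proposal IKE-P authentication-method pre-shared-keys
set security ike proposal IKE-P dh-group group14
set security ike proposal IKE-P authentication-algorithm sha-256
set security ike proposal IKE-P encryption-algorithm aes-256-cbc
set security ike proposal IKE-P lifetime-seconds 28800
set security ike policy IKE-POL mode main
set security ike policy IKE-POL proposals IKE-P
set security ike policy IKE-POL pre-shared-key ascii-text "replace-with-a-long-random-psk"
set security ike gateway GW-SITE2 ike-policy IKE-POL
set security ike gateway GW-SITE2 address 203.0.113.2
set security ike gateway GW-SITE2 external-interface ge-0/0/1.0
set security ike gateway GW-SITE2 dead-peer-detection interval 10
set security ike gateway GW-SITE2 dead-peer-detection threshold 3

# Phase 2 with PFS
set security ipsec proposal IPSEC-P protocol esp
set security ipsec proposal IPSEC-P authentication-algorithm hmac-sha-256-128
set security ipsec proposal IPSEC-P encryption-algorithm aes-256-cbc
set security ipsec proposal IPSEC-P lifetime-seconds 3600
set security ipsec policy IPSEC-POL perfect-forward-secrecy keys group14
set security ipsec policy IPSEC-POL proposals IPSEC-P
set security ipsec vpn VPN1 bind-interface st0.0
set security ipsec vpn VPN1 ike gateway GW-SITE2
set security ipsec vpn VPN1 ike ipsec-policy IPSEC-POL
set security ipsec vpn VPN1 establish-tunnels immediately

# Tunnel interface in its own zone: traffic from the remote site still passes policy
set interfaces st0 unit 0 family inet
set security zones security-zone vpn interfaces st0.0
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ike
set routing-options static route 10.1.1.0/24 next-hop st0.0

# Policies in both directions (tighten source/destination/application for production)
set security policies from-zone trust to-zone vpn policy TO-SITE2 match source-address any
set security policies from-zone trust to-zone vpn policy TO-SITE2 match destination-address any
set security policies from-zone trust to-zone vpn policy TO-SITE2 match application any
set security policies from-zone trust to-zone vpn policy TO-SITE2 then permit
set security policies from-zone vpn to-zone trust policy FROM-SITE2 match source-address any
set security policies from-zone vpn to-zone trust policy FROM-SITE2 match destination-address any
set security policies from-zone vpn to-zone trust policy FROM-SITE2 match application any
set security policies from-zone vpn to-zone trust policy FROM-SITE2 then permit

# Keep TCP inside the tunnel below the MTU (see the flow section)
set security flow tcp-mss ipsec-vpn mss 1350

# Checks (operational mode): Phase 1 must show state UP, Phase 2 must list an SA per direction
run show security ike security-associations
run show security ipsec security-associations
run show route 10.1.1.0/24
```

The peer mirrors this configuration with the addresses swapped; proposals, PFS group and lifetimes have to match on both ends, and with main mode the IKE identity defaults to the gateway address, so a peer behind NAT needs aggressive mode or an explicit local-identity.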
Technote: http://www.juniper.net/us/en/local/pdf/app-notes/3500175-en.pdf
Copy the output of the above command to a file and use it as the signing request for your CA.
It is very important to define the X509v3 Subject Alternative Name. JUNOS supports ip-address, domain-name and email. In this
request we define an ip-address and the domain-name. This attribute is used as the IKE-ID and has to match the IKE
configuration.
The signing CA has to support the X509v3 Subject Alternative Name. E.g. for OpenSSL you have to modify the file openssl.cnf in
this way:
The local-identity has to match the X509v3 Subject Alternative Name of the gateway's local certificate as IKE-ID.
Since 10.2 there is a hidden command "set security ike gateway srx210-top general-ikeid" to ignore an IKE-ID
mismatch. Nevertheless the certificate needs an X509v3 Subject Alternative Name to get Phase 1 up.
CA profile: RSA_CA_LAB
CRL version: V00000001
CRL issuer: C = CH, O = SA, OU = Security, CN = RSA-CA
Effective date: 11- 9-2010 13:54
Next update: 11-10-2010 13:54
Revocation List:
Serial number Revocation date
1b9433a6682555883abf042c15e602da 06-10-2010 07:54
21fffde9d68115b3d9335a97c8744b46 11- 9-2010 13:30
4a5c1a9e624cd522b49f0485272c42b4 06-10-2010 08:28
4de41accc7e4cc606a1dad93cb510092 06-22-2010 06:31
59304b23b9e6f80abd9fe0325af16b80 06- 9-2010 14:16
5b336a94660f5a69e00b48af9662b71d 11- 8-2010 17:36
678a297eccfe78ab0d693ff162e8cdf4 06- 9-2010 15:01
6bf7aff47f68f8687a1f14f0df2b014a 11- 8-2010 15:48
6f4168f96a06957ac769be5465f753a2 06- 9-2010 15:09
8610479e69f64eb08972b27bba24365a 06-10-2010 07:47
89ac59d9df40954feac5c57e4d0739a2 11- 9-2010 13:31
bec78a93e4101f71c782784b34c33ef4 11- 9-2010 10:47
cadd34f4f77f5042198792dd02cbcb1a 06-22-2010 07:35
e87b6aa7ea5562ecdd1379e51bb02ba8 06- 9-2010 13:24
### Monitoring
# Phase 1 - Cookies
show security ike security-associations
# Phase 2 - Security Associations
show security ipsec security-associations
# IPSEC and Interface Statistics
show security ipsec statistics
show interfaces st0 [terse|detail]
# Manually Clear Tunnels
clear security ike
clear security ipsec
# Logs and Traces are per Default written to File kmd
file show /var/log/kmd | last
### JUNOS 11.4 and 12.1x44 have several improvements for IPSEC Troubleshooting
# 1. extend Output for show security ike|ipsec security-associations
# 2. start debugging for a certain session without commit, write output to kmd
request security ike debug-enable local 10.1.1.10 remote 10.1.1.30 level 15
request security ike debug-disable
show security ike debug-status
# 3. Inactive Tunnel information
show security ipsec inactive-tunnels
The following Notes are based on pre 10.4 Releases. You should better use
the latest, excellent Configuration Example from
http://kb.juniper.net/index?page=content&id=KB14318
Since 11.4 J-Web offers a Wizard to complete the configuration
There is also a good Troubleshooting Guide from
http://kb.juniper.net/KB17220
# Set correct time zone, date and time NTP
set system time-zone Europe/Berlin
# In Operation Mode
srx> set date YYYYMMDDhhmm.ss or
srx> set date ntp de.pool.ntp.org
27 Apr 16:10:48 ntpdate[981]: step time server 213.61.224.44 offset 0.000876 sec
# use this configuration statement to activate a self-signed certificate (unless you have a signed one)
set system services web-management https system-generated-certificate
# Since 10.3: if an interface accepts dynamic-vpn connections all http traffic is redirected to
# https://<ip>/dynamic-vpn so you can not manage any more on this interface unless you
# specify a URL (see KB19411)
set system services web-management management-url admin
# The above definition with local users may work, but officially xauth in IPsec is
# currently only supported together with RADIUS authentication
set access profile radius_profile authentication-order radius
set access profile radius_profile radius-server 10.204.129.50 secret xxx
URL is https://<SRXIP>/dynamic-vpn/
MANAGEMENT ACCESS
ADMIN USERS
Set the password of the root user
root> configure
root# set system root-authentication plain-text-password
New password:
Retype new password:
Add another User
root# set system login user netscreen class super-user authentication plain-text-password
New password:
Retype new password:
# Online Help
help topic system server-radius
help topic system radius
# Online Help
help topic system tacplus
# Drop a User
request system logout user <user>
MANAGEMENT ACCESS
MANAGEMENT ACCESS OVERVIEW
Current State and Changes over Time
individual protocols must be enabled/disabled per zone or interface (host-inbound-traffic.)
Stateless firewall filter can be applied to interfaces to restrict protocols or source-IPs
Since JUNOS 11.4 Self Traffic Policies (firewall policies with zone junos-host) are the easiest
way to restrict management traffic. They also allow to use all available inspection techniques
(AppFW, AppTrack, IDP ..) on management traffic
# use this configuration statement to activate a self signed certificate (unless you have a signed one)
set system services web-management https system-generated-certificate
# Finally you can specify allowed services and protocols per zone
edit security zones security-zone trust host-inbound-traffic
set system-services all
set protocols all
top
# or per interface. Per-interface definitions override all per-zone permissions
edit security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic
set system-services https
set system-services ssh
set system-services ping
top
# A second term can be used to count all other attempts and fall through to the last term
set firewall family inet filter PROTECT-RE term 2 from source-address 0.0.0.0/0
set firewall family inet filter PROTECT-RE term 2 then count ACCESS-ATTEMPT-RE
set firewall family inet filter PROTECT-RE term 2 then next term
# A third term can be written to drop all other attempts (but this is the default already,
# because every filter ends with an implicit "discard all" term)
set firewall family inet filter PROTECT-RE term 3 from source-address 0.0.0.0/0
set firewall family inet filter PROTECT-RE term 3 then reject
# To monitor access attempts you can later use the counter with the following command
show firewall filter PROTECT-RE counter ACCESS-ATTEMPT-RE
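The first term of PROTECT-RE (the one that admits legitimate management traffic) and the place where the filter is applied are missing above, and the junos-host self-traffic policy mentioned in the overview is not shown. This added example (not from the original collection) gives both, scoped to SSH and HTTPS so that routing protocols and IKE are not affected. The admin network 10.0.0.0/24 and the policy names are assumptions.

```junos
# Added example (not from the original page). Admin network 10.0.0.0/24 assumed.
# Variant 1: stateless filter on lo0. Term 1 admits SSH/HTTPS from the admin net,
# term 2 counts every other SSH/HTTPS attempt, term 3 rejects it, and a final term
# accepts everything else (OSPF, BGP, IKE ...) instead of the implicit discard.
set policy-options prefix-list ADMIN-NET 10.0.0.0/24
set firewall family inet filter PROTECT-RE term 1 from source-prefix-list ADMIN-NET
set firewall family inet filter PROTECT-RE term 1 from protocol tcp
set firewall family inet filter PROTECT-RE term 1 from destination-port [ ssh https ]
set firewall family inet filter PROTECT-RE term 1 then accept
set firewall family inet filter PROTECT-RE term 2 from protocol tcp
set firewall family inet filter PROTECT-RE term 2 from destination-port [ ssh https ]
set firewall family inet filter PROTECT-RE term 2 then count ACCESS-ATTEMPT-RE
set firewall family inet filter PROTECT-RE term 2 then next term
set firewall family inet filter PROTECT-RE term 3 from protocol tcp
set firewall family inet filter PROTECT-RE term 3 from destination-port [ ssh https ]
set firewall family inet filter PROTECT-RE term 3 then reject
set firewall family inet filter PROTECT-RE term ALLOW-REST then accept
# lo0 sees all traffic addressed to the routing engine, whatever interface it entered on
set interfaces lo0 unit 0 family inet filter input PROTECT-RE

# Variant 2 (since 11.4): a security policy towards the junos-host zone. It is
# evaluated after host-inbound-traffic, so ssh/https must still be allowed on the
# zone or interface. Once any policy to junos-host exists for a from-zone, unmatched
# self traffic from that zone is denied; the last policy makes that explicit and logs it.
set security zones security-zone trust address-book address ADMIN-NET 10.0.0.0/24
set security policies from-zone trust to-zone junos-host policy MGMT match source-address ADMIN-NET
set security policies from-zone trust to-zone junos-host policy MGMT match destination-address any
set security policies from-zone trust to-zone junos-host policy MGMT match application [ junos-ssh junos-https ]
set security policies from-zone trust to-zone junos-host policy MGMT then permit
set security policies from-zone trust to-zone junos-host policy DENY-REST match source-address any
set security policies from-zone trust to-zone junos-host policy DENY-REST match destination-address any
set security policies from-zone trust to-zone junos-host policy DENY-REST match application any
set security policies from-zone trust to-zone junos-host policy DENY-REST then deny
set security policies from-zone trust to-zone junos-host policy DENY-REST then log session-init

# Checks (operational mode)
run show firewall filter PROTECT-RE counter ACCESS-ATTEMPT-RE
run show security policies from-zone trust to-zone junos-host
```

Commit the filter with `commit confirmed` from a session that is inside ADMIN-NET; a typo in the prefix list locks you out of in-band management until the rollback timer fires.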
MANAGEMENT
IN-BAND OR OUT-OF-BAND MANAGEMENT
What is the difference?
Out-of-band management connections use the management interface fxp0
In-band management connections use an interface which is also used to forward traffic (for
example ge-x/x/x, fe-x/x/x or rethx)
In-band management
In HA clusters the passive node can not communicate on any in-band management
interface - direct access, monitoring, delivery of software updates, scripts and attack
database updates for this node is not possible and requires workarounds
In-band management interfaces can be assigned to any virtual router
In-band interfaces allow high performance logging (stream mode)
Software updates
Use the ISSU and LICU cluster upgrade procedures. They require that the image is copied only to the
primary device; it is automatically copied to the secondary device
Script installations
Before they can be enabled in the configuration (commit) the scripts must be installed on both nodes.
To achieve this, upload scripts to the primary node first, then copy them manually to the secondary node
Hint: how to get from one node of a cluster to the other node?
If the fxp0 interfaces are connected simply use ssh with the fxp0 address of the second node
On Branch SRX use "request routing-engine login node x"
On Datacenter SRX use the shell command "rlogin -Ji nodex"
[Diagram: two-node SRX cluster. reth0 (untrust, over ge-1/0/0 and ge-8/0/0) with cluster IP 20.0.0.1; reth1 (trust, over ge-1/0/1 and ge-8/0/1) with cluster IP 30.0.0.1 and router IP 30.0.0.254; control link on ge-0/0/1; fxp0 (=ge-0/0/0) on each node with 10.0.0.1 and 10.0.0.2 on a management LAN that also holds NSM or Space at 10.0.0.3 and router IP 10.0.0.254; a second NSM or Space at 40.0.0.3 behind router IP 40.0.0.254]
You have two options to send Dataplane Logs (Firewall, IDP, UTM, AppSecure ...)
[Diagram: log paths from the control plane (process logs) and the data plane (process logs) to STRM (syslog server) or NSM]
On a single SRX
- Control plane and Data plane Logs can use the same egress interface
On SRX Cluster
- Control plane Logs come from the Management Interface fxp0
- Data plane Logs need another interface
Branch SRX: default mode
Datacenter SRX: possible since 10.0 (1.5k EPS rate limit)
2) Dataplane Logs sent as Syslog from SRX to NSM - requires NSM 2011.1 or higher
STREAM MODE
HOW MANY INTERFACES ARE INVOLVED ?
Simple solution - use two interfaces on SRX and STRM
Looking at the log picture it is obvious that the SRX might use
different interfaces to send the two types of logs.
Since two interfaces of the same VR can not be in the same
network, the two interfaces have to be in two different networks or VRs.
The easiest solution is when the log receiver and the SRX both use two
interfaces. STRM can be reconfigured to use two interfaces and IPs.
Worst case - need to add a logging interface in the same network as fxp0
When you migrate from event to stream logs and can not add additional
interfaces on other networks than the one existing on fxp0,
you have to add a second forwarding interface in the same network.
This is only possible when this interface is in another VR than fxp0.
See Next Page (Logging with Overlapping Interface IP) for a complete
configuration example
DATACENTER SRX
LOGGING WITH OVERLAPPING INTERFACE IP
# Datacenter SRX uses fxp0 for RE Logs and a Forwarding Interface for Security Logs
# If the Syslog-Receiver is attached to the same Management LAN as the fxp0, you need a
# second interface/VR to that LAN to deliver Security Logs (Firewall Traffic and IDP)
# For this worst case, we have two interfaces in the same network
set interfaces fxp0 unit 0 family inet address 10.0.0.1/24
set interfaces reth7 unit 0 family inet address 10.0.0.2/24
# To allow two interfaces on the same net, one interface must be moved to a custom VR
set routing-instances Logging instance-type virtual-router
set routing-instances Logging interface reth7.0
# Now we use a host-route to send all traffic for the Log-Receiver to this VR
set routing-options static route 10.0.0.100/32 next-table Logging.inet.0
# The following commands create and show a list of registered SNMP Instances
show snmp registered-objects
file show /var/log/snmp_reg_objs
# A SNMP Table (Tablename jnxUtilData) can be used to store user defined content.
# Event Scripts can be used to update this table
request snmp utility-mib set .....
show snmp mib walk jnxUtilData
# Chassis Hardware
show snmp mib walk [jnxBoxClass|jnxBoxDescr|jnxBoxSerialNo|jnxBoxRevision|jnxBoxInstalled]
show snmp mib walk [jnxBoxAnatomy|jnxContainersTable|jnxContentsTable|jnxFilledTable]
# State, Memory Usage and CPU Load on all Modules (always reports both RE as active)
show snmp mib walk jnxOperatingTable
# Software version
show snmp mib walk .1.3.6.1.2.1.25.6.3
# Disk Usage (hrStorageTable, OID 1.3.6.1.2.1.25.2.3.1)
show snmp mib walk [hrStorageSize|hrStorageUsed]
# sshv2 is mandatory for NSM. SSHv2 is not included in the export restricted
# software version. You will always need the domestic version.
lab@srx5600> show version | match JUNOS
JUNOS Software Release [9.5R2.7]
# For NSM access both ssh and netconf over ssh must be enabled
set system services ssh [protocol-version v2]
set system services netconf ssh
# Enable SNMP
set snmp location lab-munich
set snmp contact "labuser@juniper.net"
set snmp community public authorization read-write
# Make sure all services required for NSM Auto discovery are opened for access
edit security zones security-zone trust interfaces ge-0/0/0.0
set host-inbound-traffic system-services ping
set host-inbound-traffic system-services ssh
set host-inbound-traffic system-services snmp
top
# Data plane Logs from Branch SRX are sent to NSM when a Log file "default-log-messages"
# is written. NSM adds this configuration automatically to SRX with the "device is
# reachable" workflow
set system syslog file default-log-messages any any
set system syslog file default-log-messages structured-data
# On Datacenter SRX Traffic Logs are not sent to the Routing-Engine by Default
# as the preferred logging method is to stream the logs directly
# from a forwarding interface. If Log Volume is low, the Logs can also be sent
# to the routing-engine. The following statements allow to do this since JUNOS 10.0
set security log mode event
set security log event-rate 1000
# Since NSM Version 2011.1 it is possible to send Security Logs via Syslog in stream-mode
# Check page 767 of the NSM Admin Guide for the necessary DevSrv Configuration Changes
# Add "devSvr.enableSyslogOverUdp true " to /var/netscreen/DevSvr/var/devSvr.cfg file
# On the SRX side use the following configuration statements to send traffic logs
# via syslog to NSM. Stream mode sends from a forwarding interface, so a source
# address in the network of that interface has to be configured as well
set security log mode stream
set security log format sd-syslog
set security log source-address <IP of the forwarding interface used for logging>
# Primary NSM
set security log stream NSM1 format sd-syslog
set security log stream NSM1 host <primary DevSvr IP>
set security log stream NSM1 host port 5140
# If NSM is a HA Cluster use a second feed to send logs to the secondary NSM
set security log stream NSM2 format sd-syslog
set security log stream NSM2 host <Secondary DevSvr IP>
set security log stream NSM2 host port 5140
Out-band Management
For out-band management you connect to the fxp0 interfaces of the cluster members
You add a cluster object to NSM and add both members (start with the node where RG0 is
passive)
# In NSM you add just a single virtual chassis device (the current primary).
# Only the master will attempt to establish a session to NSM.
# It can use any interface to establish this connection.
# For Space access both ssh and netconf over ssh must be enabled
set system services ssh [protocol-version v2]
set system services netconf ssh
# When SNMP is enabled before device discovery, Space (OpenNMS) will collect and
# visualize SNMP data from the device. It will also reconfigure the device to send
# traps to Space.
set snmp location lab-munich
set snmp contact "labuser@juniper.net"
set snmp community public authorization read-write
# Make sure all services required for Space Discovery are opened for access
edit security zones security-zone trust interfaces ge-0/0/0.0
set host-inbound-traffic system-services ping
set host-inbound-traffic system-services ssh
set host-inbound-traffic system-services snmp
top
# Caveat: STRM can no longer reach fxp0 of the SRX, because all routing to
# STRM Host IP goes through reth7, and traffic from reth7 to fxp0 is not possible.
"show log" or "file list /var/log" List all Log files available (under /var/log)
show log messages Show Log File "messages" from start
show log messages | last 100 List last 100 Log Messages
show log messages | match LOGIN Search within the Log
show log messages | trim 39 Remove first 39 columns from each line
# To quickly pause and resume Output !! This does not stop logging to the File !!
Press "ESC-Q"
# To stop Real-Time monitoring !! This does not stop logging to the File !!
monitor stop
# To turn off logging to the File you must deactivate or delete the configuration
deactivate security flow traceoptions
commit
DEBUGGING A FIREWALL FLOW
EXAMPLE OUTPUT (1/2)
lab@Demo-081-113>
*** flow-trace ***
Aug 2 22:04:36 22:04:35.935844:CID-1:RT:<10.10.20.2/2048->10.10.10.2/49265;1> matched filter f0:
Aug 2 22:04:36 22:04:35.935862:CID-1:RT:packet [84] ipid = 0, @4bb0526e
Aug 2 22:04:36 22:04:35.935872:CID-1:RT:---- flow_process_pkt: (thd 0): flow_ctxt type 0, common flag 0x0,
mbuf 0x4bb05060
Aug 2 22:04:36 22:04:35.935881:CID-1:RT: flow process pak fast ifl 67 in_ifp reth1.0
Aug 2 22:04:36 22:04:35.935896:CID-1:RT: reth1.0:10.10.20.2->10.10.10.2, icmp, (8/0)
Aug 2 22:04:36 22:04:35.935907:CID-1:RT: find flow: table 0x4e789b20, hash 9938(0xffff), sa 10.10.20.2, da
10.10.10.2, sp 1, dp 34861, proto 1, tok 448
Aug 2 22:04:36 22:04:35.935926:CID-1:RT: no session found, start first path. in_tunnel - 0, from_cp_flag -
Aug 2 22:04:36 22:04:35.935941:CID-1:RT: flow_first_create_session
Aug 2 22:04:36 22:04:35.935953:CID-1:RT: flow_first_in_dst_nat: in <reth1.0>, out <N/A> dst_adr
10.10.10.2, sp 1, dp 34861
Aug 2 22:04:36 22:04:35.935965:CID-1:RT: chose interface reth1.0 as incoming nat if.
Aug 2 22:04:36 22:04:35.935976:CID-1:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to
10.10.10.2(34861)
Aug 2 22:04:36 22:04:35.935988:CID-1:RT:flow_first_routing: call flow_route_lookup(): src_ip 10.10.20.2,
x_dst_ip 10.10.10.2, in ifp reth1.0, out ifp N/A sp 1, dp 34861, ip_proto 1, tos 0
Aug 2 22:04:36 22:04:35.936001:CID-1:RT:Doing DESTINATION addr route-lookup
Aug 2 22:04:36 22:04:35.936017:CID-1:RT: routed (x_dst_ip 10.10.10.2) from untrust (reth1.0 in 1) to
reth0.0, Next-hop: 10.10.10.2
Aug 2 22:04:36 22:04:35.936030:CID-1:RT: policy search from zone untrust-> zone trust
Aug 2 22:04:36 22:04:35.936057:CID-1:RT: app 0, timeout 60s, curr ageout 60s
Aug 2 22:04:36 22:04:35.936095:CID-1:RT:flow_first_src_xlate: src nat 0.0.0.0(1) to 10.10.10.2(34861)
returns status 0, rule/pool id 0/0.
Aug 2 22:04:36 22:04:35.936110:CID-1:RT: dip id = 0/0, 10.10.20.2/1->10.10.20.2/1
Aug 2 22:04:36 22:04:35.936120:CID-1:RT: choose interface reth0.0 as outgoing phy if
Aug 2 22:04:36 22:04:35.936127:CID-1:RT:is_loop_pak: No loop: on ifp: reth0.0, addr: 10.10.10.2, rtt_idx:0
Aug 2 22:04:36 22:04:35.936136:CID-1:RT: check nsrp pak fwd: in_tun=0x0, VSD 1 for out ifp reth0.0
Aug 2 22:04:36 22:04:35.936142:CID-1:RT: vsd 1 is active
Aug 2 22:04:36 22:04:35.936151:CID-1:RT:policy is NULL (wx/pim scenario)
Aug 2 22:04:36 22:04:35.936160:CID-1:RT:sm_flow_interest_check: app_id 0, policy 6, app_svc_en 1, flags
0x2. interested
Aug 2 22:04:36 22:04:35.936171:CID-1:RT:sm_flow_interest_check: app_id 1, policy 6, app_svc_en 0, flags
0x2. not interested
..................
DEBUGGING A FIREWALL FLOW
EXAMPLE OUTPUT (2/2)
.............
Aug 2 22:04:36 22:04:35.936178:CID-1:RT:flow_first_service_lookup(): natp(0x5047eb48): app_id, 0(0).
Aug 2 22:04:36 22:04:35.936187:CID-1:RT: service lookup identified service 0.
Aug 2 22:04:36 22:04:35.936194:CID-1:RT: flow_first_final_check: in <reth1.0>, out <reth0.0>
Aug 2 22:04:36 22:04:35.936203:CID-1:RT: existing vector list e20-624fdc28.
Aug 2 22:04:36 22:04:35.936212:CID-1:RT: existing vector list 0-6248ba28.
Aug 2 22:04:36 22:04:35.936220:CID-1:RT: Session (id:26784) created for first pak e20
Aug 2 22:04:36 22:04:35.936229:CID-1:RT: flow_first_install_session======> 0x5047eb48
Aug 2 22:04:36 22:04:35.936236:CID-1:RT: nsp 0x5047eb48, nsp2 0x5047ebb8
Aug 2 22:04:36 22:04:35.936248:CID-1:RT: make_nsp_ready_no_resolve()
Aug 2 22:04:36 22:04:35.936263:CID-1:RT: route lookup: dest-ip 10.10.20.2 orig ifp reth1.0 output_ifp
reth1.0 orig-zone 7 out-zone 7 vsd 1
Aug 2 22:04:36 22:04:35.936274:CID-1:RT: route to 10.10.20.2
Aug 2 22:04:36 22:04:35.936288:CID-1:RT:Installing c2s NP session wing
Aug 2 22:04:36 22:04:35.936293:CID-1:RT:Installing s2c NP session wing
Aug 2 22:04:36 22:04:35.936301:CID-1:RT:sm_flow_notify_session_creation: app_id 0, flags 0x0, ifl_in 67,
zone_in 7, ifl_out 66, zone_out 6
Aug 2 22:04:36 22:04:35.936394:CID-1:RT: flow got session.
Aug 2 22:04:36 22:04:35.936399:CID-1:RT: flow session id 26784
Aug 2 22:04:36 22:04:35.936411:CID-1:RT: vsd 1 is active
Aug 2 22:04:36 22:04:35.936608:CID-1:RT:mbuf 0x4bb05060, exit nh 0x243c1
Aug 2 22:04:36 22:04:35.936621:CID-1:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
Aug 2 22:04:36 22:04:35.996278:CID-1:RT:<10.10.10.2/0->10.10.20.2/51313;1> matched filter f0:
Aug 2 22:04:36 22:04:35.996296:CID-1:RT:packet [84] ipid = 12824, @4ba9f04e
Aug 2 22:04:36 22:04:35.996307:CID-1:RT:---- flow_process_pkt: (thd 0): flow_ctxt type 0, common flag 0x0,
mbuf 0x4ba9ee40
Aug 2 22:04:36 22:04:35.996318:CID-1:RT: flow process pak fast ifl 66 in_ifp reth0.0
Aug 2 22:04:36 22:04:35.996330:CID-1:RT: reth0.0:10.10.10.2->10.10.20.2, icmp, (0/0)
Aug 2 22:04:36 22:04:35.996341:CID-1:RT: find flow: table 0x4e789b20, hash 33408(0xffff), sa 10.10.10.2, da
10.10.20.2, sp 34861, dp 1, proto 1, tok 384
Aug 2 22:04:36 22:04:35.996362:CID-1:RT: flow got session.
Aug 2 22:04:36 22:04:35.996366:CID-1:RT: flow session id 26784
Aug 2 22:04:36 22:04:35.996380:CID-1:RT: vsd 1 is active
Aug 2 22:04:36 22:04:35.996520:CID-1:RT:mbuf 0x4ba9ee40, exit nh 0x20bc1
Aug 2 22:04:36 22:04:35.996533:CID-1:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
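Reading such a trace by hand gets slow once it spans more than a few packets. The following Python script is an added example, not part of this deck: it splits a flow trace in the format shown above into per-packet records (5-tuple, ingress interface, route and zone decision, NAT result, session id, return code) and reports whether each packet created a session or matched an existing one. The sample input is constructed from the excerpt above with the wrapped lines rejoined; the "DST xlate:" spelling for a translated destination is an assumption, since only "no-xlate" appears on this page.

```python
import re

# Constructed sample: the deck's excerpt with wrapped lines rejoined and filler lines
# dropped. Packet 1: ICMP echo from 10.10.20.2 entering on reth1.0 (untrust) takes the
# first path and creates session 26784. Packet 2: the echo reply matching that session.
SAMPLE_TRACE = """\
Aug 2 22:04:36 22:04:35.935844:CID-1:RT:<10.10.20.2/2048->10.10.10.2/49265;1> matched filter f0:
Aug 2 22:04:36 22:04:35.935881:CID-1:RT: flow process pak fast ifl 67 in_ifp reth1.0
Aug 2 22:04:36 22:04:35.935926:CID-1:RT: no session found, start first path. in_tunnel - 0, from_cp_flag -
Aug 2 22:04:36 22:04:35.935976:CID-1:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 10.10.10.2(34861)
Aug 2 22:04:36 22:04:35.936017:CID-1:RT: routed (x_dst_ip 10.10.10.2) from untrust (reth1.0 in 1) to reth0.0, Next-hop: 10.10.10.2
Aug 2 22:04:36 22:04:35.936030:CID-1:RT: policy search from zone untrust-> zone trust
Aug 2 22:04:36 22:04:35.936095:CID-1:RT:flow_first_src_xlate: src nat 0.0.0.0(1) to 10.10.10.2(34861) returns status 0, rule/pool id 0/0.
Aug 2 22:04:36 22:04:35.936220:CID-1:RT: Session (id:26784) created for first pak e20
Aug 2 22:04:36 22:04:35.936621:CID-1:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
Aug 2 22:04:36 22:04:35.996278:CID-1:RT:<10.10.10.2/0->10.10.20.2/51313;1> matched filter f0:
Aug 2 22:04:36 22:04:35.996318:CID-1:RT: flow process pak fast ifl 66 in_ifp reth0.0
Aug 2 22:04:36 22:04:35.996366:CID-1:RT: flow session id 26784
Aug 2 22:04:36 22:04:35.996533:CID-1:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
"""

# Line prefix: "<syslog time> <usec time>:CID-<n>:RT:<message>"
PREFIX = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+ [\d:.]+):CID-\d+:RT:\s*(?P<msg>.*)$")
# A packet record starts at the "<src/sport->dst/dport;proto> matched filter" line
HEADER = re.compile(r"<(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+);"
                    r"(?P<proto>\d+)> matched filter (?P<filter>\S+):")
IN_IFP = re.compile(r"\bin_ifp (?P<ifp>\S+)")
ROUTED = re.compile(r"routed \(x_dst_ip [\d.]+\) from (?P<zone>\S+) \(\S+ in \d+\) to "
                    r"(?P<out>\S+), Next-hop: (?P<nh>[\d.]+)")
POLICY = re.compile(r"policy search from zone (?P<frm>\S+)-> ?zone (?P<to>\S+)")
# "DST xlate:" for a translated destination is assumed; the deck only shows "no-xlate"
DST_NAT = re.compile(r"DST (?P<kind>no-xlate|xlate): [\d.]+\(\d+\) to (?P<ip>[\d.]+)\((?P<port>\d+)\)")
SRC_NAT = re.compile(r"src nat .* returns status \d+, rule/pool id (?P<rule>\d+)/(?P<pool>\d+)")
# Session id: "Session (id:N) created" on the first path, "flow session id N" for an existing one
SESSION = re.compile(r"(?:Session \(id:|flow session id )(?P<sid>\d+)")
RC = re.compile(r"flow_process_pkt rc (?P<rc>0x[0-9a-fA-F]+)")


def parse_flow_trace(text):
    """Return one dict per traced packet, in trace order."""
    packets, cur = [], None
    for raw in text.splitlines():
        m = PREFIX.match(raw.strip())
        if not m:
            continue                      # prompts, "*** flow-trace ***", "....." elisions
        msg = m.group("msg")
        h = HEADER.search(msg)
        if h:
            cur = dict(ts=m.group("ts"), filter=h.group("filter"), src=h.group("src"),
                       sport=int(h.group("sport")), dst=h.group("dst"),
                       dport=int(h.group("dport")), proto=int(h.group("proto")),
                       first_path=False, in_ifp=None, out_ifp=None, next_hop=None,
                       from_zone=None, to_zone=None, dst_nat=None, src_nat=None,
                       session_id=None, rc=None)
            packets.append(cur)
        elif cur is None:
            continue                      # trace lines before the first packet header
        elif "no session found" in msg:
            cur["first_path"] = True      # route, policy and NAT lookups follow
        elif (r := IN_IFP.search(msg)):
            cur["in_ifp"] = r.group("ifp")
        elif (r := ROUTED.search(msg)):
            cur["from_zone"], cur["out_ifp"], cur["next_hop"] = r.group("zone", "out", "nh")
        elif (r := POLICY.search(msg)):
            cur["from_zone"], cur["to_zone"] = r.group("frm", "to")
        elif (r := DST_NAT.search(msg)):
            cur["dst_nat"] = "no-xlate" if r.group("kind") == "no-xlate" else f"{r.group('ip')}:{r.group('port')}"
        elif (r := SRC_NAT.search(msg)):
            cur["src_nat"] = f"rule/pool {r.group('rule')}/{r.group('pool')}"
        elif (r := SESSION.search(msg)):
            cur["session_id"] = int(r.group("sid"))
        elif (r := RC.search(msg)):
            cur["rc"] = r.group("rc")
    return packets


def verdict(pkt):
    """One-line reading of a packet record."""
    flow = f"{pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']} proto {pkt['proto']} in {pkt['in_ifp']}"
    if pkt["session_id"] is None:
        return f"{flow}: no session (rc {pkt['rc']}) - check the route/policy lines of this packet"
    if not pkt["first_path"]:
        return f"{flow}: matched existing session {pkt['session_id']}, rc {pkt['rc']}"
    return (f"{flow}: first path, zone {pkt['from_zone']} -> {pkt['to_zone']}, out {pkt['out_ifp']} "
            f"nh {pkt['next_hop']}, dst NAT {pkt['dst_nat']}, src NAT {pkt['src_nat']}, "
            f"session {pkt['session_id']} created, rc {pkt['rc']}")


def sessions(packets):
    """Group packets by session id so both directions of a flow can be checked together."""
    out = {}
    for p in packets:
        if p["session_id"] is not None:
            out.setdefault(p["session_id"], []).append((p["in_ifp"], p["src"], p["dst"]))
    return out


if __name__ == "__main__":
    for p in parse_flow_trace(SAMPLE_TRACE):
        print(verdict(p))
```

Feed it the output of "show log" for the trace file configured under security flow traceoptions; the parser ignores prompts and the dotted elision lines.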
DEBUGGING PACKET DROPS
# To see Drop Counters per interface for the various drop reasons
show interfaces ge-4/0/1.0 extensive | find Error
# Specify the interface where you want to take the pcap from
set interfaces vlan unit 0 family inet sampling input
set interfaces vlan unit 0 family inet sampling output
# Apply this filter to the input and output direction (maybe input is obsolete ?)
set interfaces vlan unit 0 family inet filter output PCAP
set interfaces vlan unit 0 family inet filter input PCAP
# To inspect the resulting PCAP either copy it to a system with Wireshark installed
# or start a shell locally and use "tcpdump -nr /var/log/SRXPCAP"
set firewall family inet filter TEST term 1 from source-address 0.0.0.0/0
set firewall family inet filter TEST term 1 from port 22
set firewall family inet filter TEST term 1 then count MYCOUNT
set firewall family inet filter TEST term 1 then accept
Filter: TEST
Counters:
Name Bytes Packets
MYCOUNT 70455 1005
lab@SRX210>
# Today (12.1) SRX offers neither a DNS server, nor a DNS proxy, nor a dynamic DNS client
# DNS proxy and dynamic DNS client are currently scheduled for 12.1X44
# Diagnostics
# What time is it ?
srx> show system uptime | match Current
Current time: 2009-04-22 17:21:20 CEST
# Enable NTP on the cluster member in backup state (traffic is leaving from fxp0)
edit groups node1 system ntp
set server 10.0.0.1
set source-address <ip of fxp0 on node1>
top
# Per node backup routes are required when the NTP server is not directly connected to fxp0
set groups node0 routing-options static route 10.0.0.0/24 next-hop 192.168.1.254
set groups node1 routing-options static route 10.0.0.0/24 next-hop 192.168.1.254
# Option: You can propagate DNS/WINS settings learnt from the DHCP client to be
# reused by local DHCP Servers
set system services dhcp propagate-settings fe-0/0/7.0
# Monitoring
show system services dhcp pool
show system services dhcp binding
show system services dhcp statistics
show system services dhcp conflict
# Until 10.4 DHCP Relay could not be configured inside virtual Routers
# TODO
# PPP-Interface Settings
set interfaces pp0 unit 0 family inet negotiate-address
set interfaces pp0 unit 0 family inet mtu 1492
# Authentication Credentials
set interfaces pp0 unit 0 ppp-options pap access-profile ppp-profile
set interfaces pp0 unit 0 ppp-options pap local-password xxxxx
set interfaces pp0 unit 0 ppp-options pap local-name xxxx
set interfaces pp0 unit 0 ppp-options pap passive
# Diagnostic Commands
show interfaces pp0
show pppoe interfaces
show pppoe statistics
request pppoe [connect|disconnect]
PPP OVER ADSL (FOR T-ONLINE, GERMANY)
BASED ON JUNOS 10.0 WITH ADSL MINI-PIM
# T-Online Germany typically uses the ATM VPI 1 and VCI 32
# Encapsulation is pppoe-over-atm with llc
# Default Route (mandatory, because negotiated gateway will not appear in routing table)
set routing-options static route 0.0.0.0/0 next-hop pp0.0
Enforcer-Options:
# enable test-only-mode (only logging without enforcement)
set services unified-access-control test-only-mode
[Diagram: Class of Service - Fabric, Forwarding Class & Loss Priority]
# 6. Enable Scheduler on the WAN Interface, so that egress traffic gets shaped
set interfaces reth1 per-unit-scheduler
show class-of-service
show firewall filter
show policer
show interface queue <if-name>
show interface extensive <if-name>
[Diagram: WAN interface types ADSL, DS3, T1 and E1 towards the network]
[Diagram: SRX cluster with Node 0 and Node 1, each with its own Routing Engine (RE 0, RE 1) and forwarding daemon; control plane connection SPC to SPC (slot 0 / slot 12); data plane connection IOC to IOC over fab0 / fab1 (ge-1/0/0, ge-13/0/0, slot 23) carrying data plane traffic and RTOs]
CLUSTER INTERFACES
Model     Management (fxp0)   Control-Link (fxp1)               Fabric-Link
SRX 100   fe-0/0/6            fe-0/0/7, tagged - VLAN 4094 1)   Any interface, untagged;
                                                                MTU on SRX100 is 1628
Management (fxp0) on the Routing Engine: Yes, No
# And here we make sure that the data of both nodes is part of the configuration,
# but only the node specific settings are applied on each cluster member
# Fabric Link Monitoring is disabled per default on High-End SRX since 10.4r4
# to avoid "hold" state after link loss. To enable use the following command
set chassis cluster fabric-monitoring
Graceful Restart
# If all participants of a routing protocol can handle graceful restart, then
# use this option to avoid downtimes resulting from OSPF or BGP reestablishment
set routing-options graceful-restart
# Hardware Checks
show chassis hardware
show chassis fpc pic-status
show pfe terse
show chassis alarms
show system alarms
# Display Information about HA interfaces (11.4 show state of redundant HA links too)
show chassis cluster interfaces
# Status information
show chassis cluster statistics
show chassis cluster information
show chassis cluster ip-monitoring status
# Inspect Log Files (For support cases always collect Log files from both Nodes !!)
show log jsrpd or file show /var/log/jsrpd
show log messages or file show /var/log/messages
show log chassisd or file show /var/log/chassisd
# To jump from one node to the other you can use the following options:
# CLI-Command for Branch SRX
request routing-engine login node x
# Shell command for Datacenter SRX
rlogin -Ji nodex
# Or usually you can also use ssh with the fxp0 address of the second node
- Dual Fabric Links do offer redundancy, but only one link
is used for forwarding and RTO sync
Requesting Failover
Manually fail over redundancy groups between chassis
RG0 should only be failed over in emergencies
Should only be done after both REs have been up for 5 minutes
Rapid failovers will cause an RE crash
RG1 supports rapid failovers
Clearing Failover
Failovers need to be cleared after being manually triggered
This prevents accidental failing over
{primary:node1}
root@srx> show chassis cluster status
Cluster ID: 3
Node name Priority Status Preempt Manual failover
Clear/Reset Failover
root@srx> request chassis cluster failover reset redundancy-group 1
Control Plane Failure / RE Reboot: The data plane will continue to run up to 5 minutes without
an RE, or until the RE comes back up, when Chassisd comes back up and reinitializes all of the cards.
Control and Data Link (fail at same time): Both nodes will detect the failure of the links by the loss of
the heartbeat messages. In this case the secondary node will go disabled.
[State diagram: node states Primary, Secondary, Hold and Disabled; transitions on fabric-link failure,
control-link failure, primary node dies, and failover (manual, i/f failure, ip-mon failure, preempt etc.)]
Note: Transition to disabled state will only happen if the node is RG0 secondary.
Note: Once in disabled state the only option to recover is to reboot the device
[Table: feature by platform. Columns: J, SRX100, SRX110, SRX210, SRX220, SRX240, SRX650, SRX1xxx, SRX3xxx, SRX5xxx. Cells are listed in the order they survived extraction; sparse rows can not be assigned to columns]
Memory upgrade: x - - -
Extreme License: - - - - - - x
Logical Systems: - - - - - - up to 32 (1.5.25), up to 32 (1.5.25), up to 32 (1.5.25)
Advanced BGP: x - - - - - x
AppSec: - 11.4 1) 11.4 11.4 1) 11.4 1) 11.4 1) 11.4 10.4 2) 10.4 2) 10.4 2)
# Or if you received a license for manual installation use this command to paste it
# Install manually, when the license keys are available as a text file
request system license add terminal
Licensing
SKU               AppSec-A (Advanced)                         AppSec-B (Basic)
Platform          High End SRX                                Branch SRX
Includes          Application signature license & IPS         Application signature license only.
                  license.                                    IPS license has to be purchased separately
App-ID Database   On High End SRX the AppID Signatures were   On Branch SRX the AppID Signatures were
                  moved to a separate Database with 11.4      always in a separate Database since 11.2
Feature rows (marks not recovered): AppTrack (11.4), AppFW (11.4), AppDoS (future), IPS
Final Steps
Activate the desired policy
add action "IDP" for all firewall rules where you want to have IDP enabled
Once the IDP Policy is defined, you can activate it "per rule"
edit security policies from-zone trust to-zone untrust policy <policyname>
set then permit application-services idp
top
# The following situations prevent devices from pulling Database Updates
# * when internet access is not possible at all
# * when internet access has to use a Proxy
# * in a cluster: when the passive member can not get internet access from fxp0
# The following options can help to solve problems with delivery of automatic updates
# * NSM or Space can be used to pull the attack database and push it to the device;
#   both can even use proxy connections
# * An offline update procedure description is available in the Knowledgebase
# For clusters where only the active node can pull the update
# * After RG0 failover, the second node becomes active and can fetch the update
# * A description and a script to perform the sync is posted in forum.juniper.net
# * Automatic File sync from the active node to the passive node is planned for JUNOS
#   12.1
IDP PACKET CAPTURES
# Since JUNOS 10.2, the Datacenter SRX support collection and delivery of packet
# captures, when an attack is found. On the STRM side you need STRM 2010.0r1 / Patch 3
# and updates of these rpms: PROTOCOL-PCAP, DSM-DSMCommon, DSM-JuniperJunOS
# IDP statistics
show security idp status
# Application Identification, Cache with last connections and per application stats
show security idp application-statistics
show security idp application-identification application-system-cache
# IDP counters
show security idp counters ?
# Catch IDP-Logs and write them to a local log file (only possible in log mode event)
set system syslog file IDP-Logs user info
set system syslog file IDP-Logs match IDP_ATTACK
set system syslog file IDP-Logs archive size 1m
set system syslog file IDP-Logs archive files 3
set system syslog file IDP-Logs structured-data brief
# If event Logging was enabled, Logs are available in the local log file
file show /var/log/policy_session | match APPLICATION
# In addition to the logs, a cache is enabled by default and can be used for monitoring
show services application-identification application-system-cache
# Since 11.4 there are additional statistics showing per-group/application usage
show services application-identification statistics application-groups
show services application-identification statistics applications
# Since 11.4 the Signatures are no longer part of the configuration, but can still be seen
show services application-identification version
# With 11.4 some groups were also introduced, which make it easier to
# select the AppID Signatures for Application Firewalling
show services application-identification application detail junos:FTP
show services application-identification group summary
show services application-identification statistics application-groups
CLIENTLESS AD INTEGRATION
WITH SRX AND UAC
[Diagram: endpoint, SRX, IC (Infranet Controller), AD (KDC) and the Finance resource]
3. User wants to connect to Finance
4. Drop notification sent to IC from SRX
5. User gets re-directed to IC (302)
6. IC challenges user with SPNEGO (401)
7. Endpoint pulls service ticket from KDC
8. Endpoint re-submits HTTP GET request to IC with SPNEGO auth token
10. IC re-directs user back to the protected resource
11. User now can access Finance
# Set UAC infranet connection on SRX (this uses Destination port 11123)
set services unified-access-control infranet-controller SERVER address 172.30.81.141
set services unified-access-control infranet-controller SERVER interface fxp0.0
set services unified-access-control infranet-controller SERVER password
AppDDOS today (12.1) can be used to protect HTTP and DNS Services
AppDDOS is available with AppSec-A License for Datacenter SRX since 10.0
AppDDOS 3-Stage Processing
ApplicationDDOS Profile
The ApplicationDDOS profile defines the following:
Context to Match
Connections per Second to trigger Phase 2
Contexts Thresholds to trigger Phase 3, or direct actions based only on overall thresholds.
Client Contexts per Period
IDP Policy
Within the IDP security policy, the rulebase-ddos defines the match criteria: source zone,
destination zone, source IP, destination IP, application and application-ddos profile. The rule
also defines what to do with the offending connection and, via ip-action, with future connections.
# Firewall Policy
# Activate IDP on the firewall rules that permit traffic to these servers
# (untrust to trust here, the same direction as the DDOS rule below)
set security policies from-zone untrust to-zone trust policy 1 then permit application-services idp
# Add a DDOS Rule to this IDP-Policy to hunt for DDOS attacks against the two Servers
edit security idp idp-policy IDP-POLICY rulebase-ddos rule RULE1
set match from-zone untrust
set match to-zone trust
set match destination-address WEBSERVER
set match application default
set match application-ddos HTTP_DDOS
set then action no-action
set then notification log-attacks
# Use IP-Action to rate limit any bot found to a maximum of 5 connections per second
set then ip-action ip-connection-rate-limit 5
set then ip-action log
set then ip-action timeout 15
set then ip-action refresh-timeout
top
Web filtering - WebSense/SurfControl/Enhanced WF
Control (allow/deny) access to Websites based on URL category
Off-box (in-the-cloud or on-premise) URL servers/databases
Content filtering
Provides basic DLP functionality - filters traffic based on file/MIME type, file
extension, and protocol commands; keyword matching expected in the future
Antispam - Sophos
Stop e-mail spam based on IP address/reputation of sender
Off-box spam blacklist database - Sophos SBL/RBL (spam/real-time block
list), available as a subscription license
HOW UTM PROFILES ARE CHAINED WITH POLICIES
UTM Features are activated per firewall rule by assigning a UTM policy
The UTM policy has a section for each protocol that allows UTM protection
Each section references profiles for the different UTM features
SOPHOS ANTIVIRUS
Cloud based
Verifies source URL and file checksums against a malware database
EXPRESS AV
Reduced local scan engine
PROCESSING ORDER
# Configure the SRX Series device to use the express antivirus engine
set security utm feature-profile anti-virus type juniper-express-engine
# Apply the UTM policy to the existing trust to untrust security policy
edit security policies from-zone trust to-zone untrust policy default-permit
set then permit application-services utm-policy UTM-POL
top
# Configure the SRX Series device to use the full antivirus engine (Kaspersky Lab)
set security utm feature-profile anti-virus type kaspersky-lab-engine
# Apply the UTM policy to the existing trust to untrust security policy.
edit security policies from-zone trust to-zone untrust policy default-permit
set then permit application-services utm-policy UTM-POL
top
# Check the URLs against Database that identifies known Malware Sources
edit security utm feature-profile anti-virus sophos-engine profile SOPHOS
set scan-options uri-check
# To log all URLs (even those that were not blocked) use
set fallback-options default log-and-permit
top
# Apply the UTM policy to the existing trust to untrust security policy.
edit security policies from-zone trust to-zone untrust policy default-permit
set then permit application-services utm-policy UTM-POL
top
# Statistics on AV operation
show security utm anti-virus statistics
Enhanced Webfilter
(juniper-enhanced)
REDIRECT (WEBSENSE)
For the old, integrated Surfcontrol Engine use the following Online URL:
http://mtas.surfcontrol.com/mtas/JuniperTest-a-Site.asp
For the new, enhanced Webfilter use this following Online URL:
http://aceinsight.websense.com/
A CLI command can be used to return information how the site is treated:
test security utm web-filtering profile "EWF-PROFILE" test-string www.facebook.com
Configure a new utm-policy to use the predefined Web filtering profile junos-wf-cpa-default
edit security utm utm-policy UTM-POL
set web-filtering http-profile junos-wf-cpa-default
top
Apply the UTM policy to the existing trust to untrust security policy.
edit security policies from-zone trust to-zone untrust policy default-permit
set then permit application-services utm-policy UTM-POL
top
To return from cluster mode to a single unit use the following command,
which also performs the necessary reboot
If you are in cluster mode but can not log in to your system, you have to use
Method 4 (Single User Boot Procedure)
Notes
You have to exit the shell first
The node name in the shell prompt appears to be unchanged,
but this will change with the next reboot
If you have a Branch SRX which is still in Cluster mode, the factory default
configuration can not commit, as it includes switching configuration.
You then should use method 5 (USB Snapshot) or 4 (Single User Mode)
Since JUNOS 10.0 you have to disable a watchdog in the boot monitor.
See http://kb.juniper.net/KB17565
# Now move the USB Stick to the System you want to recover and power it up
# Interrupt the Boot Process to get access to the Boot loader prompt
loader> nextboot usb
Setting next boot dev usb
Un-Protected 1 sectors
writing to flash...
Protected 1 sectors
loader> reboot
# Once the system has booted from the USB Stick, copy the image
# with the default configuration back to the internal Flash
srx> request system snapshot factory partition media internal
Notes:
- The USB Stick must be at least the size of the internal Flash (SRX100 = 1GB)
- This procedure also reformats and partitions the flash and copies the software
from the stick. All existing information is overwritten
DUAL ROOT
NOTES
Since JUNOS 10.0, Branch SRX can have a dual root partitioning scheme
Dual root improves fault tolerance and rollback capabilities and is recommended
Dual root keeps the JUNOS software on two different partitions.
The configuration is kept in another, shared partition
# Since JUNOS 10.2 the following command shows the partitioning and which partition
# is active
show system storage partitions
# To copy the software from the current active partition to the backup partition use
request system snapshot slice alternate
(diagram: primary and backup JUNOS slices on the internal flash)
4a. For other updates decide how to bring the software to your SRX:
(T1) Upload or download the file in advance (scp or ftp)
(T2) Use a controlled download with the Download Manager
(T3) Mount and install from a USB stick
(T4) Reference the URL during installation
# On J-Series, show the flash with
show chassis hardware detail | match Flash
# Automatic installation from a USB stick requires only physical access to the device.
# To prevent anyone from using it, disable it:
set system autoinstallation usb disable
% su -
Password:
# Find out the right device name. On SRX210 "da1" is the upper USB port, "da2" the lower.
# Either watch the console log while plugging in the stick or grep the kernel log:
root@srx-172% dmesg | grep umass
da1 at umass-sim1 bus 1 target 0 lun 0
# Once the device name is found, append "s1" (the first slice) and mount it under /mnt
# Now you can install the image from a local file, uploaded in advance to /var/tmp (T1)
srx> request system software add /var/tmp/JUNOS-srxsme-11.1R1.8-domestic.tgz
# Example: download and install the image from an FTP server (T4). The keyword "prompt"
# in place of the password makes the CLI ask for it, so the password does not end up in
# the command history. no-validate skips the check that the running configuration is
# compatible with the new image; no-copy does not keep a copy of the package on the box.
request system software add no-copy no-validate reboot ftp://username:prompt@172.16.42.8/JUNOS-srxsme-10.2R2.8-domestic.tgz
# Example: install from a USB stick previously mounted under /mnt (T3). The partition
# option formats and re-partitions the internal flash (all existing data is lost)
request system software add /mnt/JUNOS-srxsme-11.1R1.8-domestic.tgz partition reboot
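The USB mount and install steps above, put together as one root-shell procedure, as an added example that is not part of the original guide. It parses the dmesg line shown above to find the stick, mounts its first slice under /mnt (assumed to be FAT-formatted, so msdosfs), verifies the SHA-256 of the image against the value published on the download page before installing, and issues the CLI command through cli -c. The dmesg excerpt, the image name and the expected hash are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Juniper guide): install an image from a USB stick on a
# Branch SRX from the root shell, with the checks a practitioner would add.
# Assumptions: the stick is FAT-formatted (msdosfs); the expected SHA-256 comes from
# the vendor download page; CLI commands are issued from the shell with "cli -c".

# Constructed dmesg excerpt in the format the guide shows for a stick in the upper USB port.
SAMPLE_DMESG='umass1: <Generic USB Flash Disk, class 0/0, rev 2.00/1.00, addr 2> on uhub1
da1 at umass-sim1 bus 1 target 0 lun 0
da1: <Generic USB Flash Disk 1.00> Removable Direct Access SCSI-2 device'

# Print the first slice of the first USB mass-storage disk seen in dmesg, e.g. /dev/da1s1.
# Prints nothing when no umass disk is listed.
usb_slice_from_dmesg() {
    printf '%s\n' "$1" | awk '/^da[0-9]+ at umass-sim/ { print "/dev/" $1 "s1"; exit }'
}

# SHA-256 of a file: sha256sum on Linux, sha256 on FreeBSD and the JUNOS shell.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        sha256 -q "$1"
    fi
}

# Return 0 only if the image on disk matches the expected digest.
verify_image_checksum() {
    actual=$(sha256_of "$1") || return 1
    [ "$actual" = "$2" ]
}

# Mount the stick, verify the image, then install it. Not run under the test.
install_from_usb() {
    image_name=$1
    expected_sha256=$2
    dev=$(usb_slice_from_dmesg "$(dmesg)")
    [ -n "$dev" ] || { echo "no USB disk found in dmesg" >&2; return 1; }
    mount -t msdosfs "$dev" /mnt || return 1
    if ! verify_image_checksum "/mnt/$image_name" "$expected_sha256"; then
        echo "checksum mismatch for $image_name, not installing" >&2
        umount /mnt
        return 1
    fi
    # "partition" is deliberately omitted: add it only if you intend to reformat the flash.
    cli -c "request system software add /mnt/$image_name reboot"
}

# Usage from the root shell:
#   sh install_usb.sh --run JUNOS-srxsme-11.1R1.8-domestic.tgz <sha256 from download page>
if [ "${1:-}" = "--run" ]; then
    install_from_usb "$2" "$3"
fi
```

The checksum comparison is the step that matters: an image copied through an FTP server or a borrowed USB stick is exactly the kind of artifact that gets swapped or truncated, and `request system software add` will happily install whatever it is given.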
ISSU is a single command that you run from the RG0 primary node.
The following actions are performed during the upgrade:
the secondary node is upgraded first,
then a cross-version cluster is formed,
then failover to the upgraded node,
then the old primary is upgraded.
Check the documentation and KB17946 for more details on ISSU operation and the
features supported in the different releases.
BEST PRACTICE:
FLASH HARDENING ON BRANCH SRX
# Once your software version and your configuration are reliable, use the following
# steps to make the Branch SRX more robust against flash problems
# Copy the primary partition image to the secondary, so both carry the same release
# Check KB22798 for details on dual partitioning
request system snapshot slice alternate
# Make sure your current configuration is also saved as the rescue configuration
# Check KB15788 for details on configuration versions and rollback
request system configuration rescue save
# Save license, partition data and recovery config to the auto-recovery partition
# Check the release notes of JUNOS 11.2 for details on auto-recovery
request system autorecovery state save
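The three hardening steps above as one shell script with a post-check, an added example that is not part of the original guide. It runs the commands in order through cli -c (DRY_RUN=1 only prints them), then parses the output of show system snapshot media internal to confirm that both slices really carry the same release, which is the whole point of the first step. The snapshot outputs embedded in the script are constructed in the format of that command, not captured from a device.

```shell
#!/bin/sh
# Added example (not from the Juniper guide): run the flash-hardening steps from the
# root shell and verify afterwards that both slices carry the same JUNOS release.
# Assumption: CLI commands are issued with "cli -c"; DRY_RUN=1 prints them instead.

# Constructed output in the format of "show system snapshot media internal" on a
# dual-root Branch SRX: both slices on the same release ...
SAMPLE_SNAPSHOT_OK='Information for snapshot on       internal (/dev/da0s1a) (primary)
Creation date: Jan 15 11:41:24 2012
JUNOS version on snapshot:
  junos  : 11.1R1.8-domestic
Information for snapshot on       internal (/dev/da0s2a) (backup)
Creation date: Jan 15 11:55:30 2012
JUNOS version on snapshot:
  junos  : 11.1R1.8-domestic'

# ... and the backup slice still on an older release (snapshot not yet taken).
SAMPLE_SNAPSHOT_DIFF='Information for snapshot on       internal (/dev/da0s1a) (primary)
JUNOS version on snapshot:
  junos  : 11.1R1.8-domestic
Information for snapshot on       internal (/dev/da0s2a) (backup)
JUNOS version on snapshot:
  junos  : 10.4R4.2-domestic'

# Print the JUNOS release of every slice listed in the snapshot output, one per line.
snapshot_releases() {
    printf '%s\n' "$1" | awk '$1 == "junos" { print $NF }'
}

# Return 0 only if exactly two slices are listed and both carry the same release.
slices_match() {
    releases=$(snapshot_releases "$1")
    count=$(printf '%s\n' "$releases" | grep -c .) || true
    [ "$count" -eq 2 ] || return 1
    distinct=$(printf '%s\n' "$releases" | sort -u | grep -c .) || true
    [ "$distinct" -eq 1 ]
}

# Issue one CLI command, or print it when DRY_RUN=1.
run_cli() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "cli -c \"$1\""
    else
        cli -c "$1"
    fi
}

# The three hardening steps from the guide, in order; stops at the first failure.
harden_flash() {
    run_cli "request system snapshot slice alternate" || return 1
    run_cli "request system configuration rescue save" || return 1
    run_cli "request system autorecovery state save" || return 1
}

# Usage on the box: sh harden.sh --run      dry run anywhere: DRY_RUN=1 sh harden.sh --run
if [ "${1:-}" = "--run" ]; then
    harden_flash || exit 1
    if [ "${DRY_RUN:-0}" != 1 ]; then
        if slices_match "$(cli -c 'show system snapshot media internal')"; then
            echo "both slices carry the same release"
        else
            echo "slice releases differ or could not be read; check show system snapshot media internal" >&2
            exit 1
        fi
    fi
fi
```

Run the check again after every software upgrade: a new release on the primary slice silently undoes the first hardening step until `request system snapshot slice alternate` is repeated.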
Operations Scripts
Allow custom output for diagnosis and event management,
e.g. combine two different show commands into one custom output for easier analysis.
Activation of Op Scripts
Copy the script to the /var/db/scripts/op directory.
Enable the script with a file statement at the [edit system scripts op] hierarchy
level (you must be a user in the super-user class). Optionally pin the script's hash
in the same file statement with "checksum sha-256 <hash>", so that a modified script
is rejected instead of run.
Now you can run the script as a command (e.g. op status overview)
Address book syntax
address-book {
address address-name (ip-prefix | dns-name dns-address-name);
address-set address-set-name {
address address-name;
}
}
....
# On J-Series press the reset button for more than 5 and less than 15 seconds
# to automatically load and commit the rescue configuration
# To switch the primary partition, so that the next reboot uses the other image, execute
root@srx100-2> request system software rollback
junos-12.1R2.9-domestic will become active at next reboot
# To switch back to the previous partition, execute the same command once more
root@srx100-2> request system software rollback
junos-12.1R3.5-domestic will become active at next reboot
CLI Shortcuts
CTRL-A takes you to the beginning of the command line
CTRL-E takes you to the end of the command line
CTRL-W deletes backwards to the previous space
CTRL-U deletes the entire command line
CTRL-L redraws the command line (in case it has been interrupted by messages, etc.)
CTRL-R starts CLI history search; start typing and matching commands are
displayed and can be executed by pressing ENTER
Login Messages
# To make a message appear before login. This banner is shown to everyone who connects,
# before authentication, so keep it to a legal notice. Quote the text when it contains spaces.
set system login message "Welcome \n to \n JUNOS Training\n"
# To make a message appear after successful authentication
set system login announcement "Maintenance scheduled 11PM to 2AM tonight"
JTAC Knowledgebase
http://kb.juniper.net/
SRX Channel: http://kb.juniper.net/index?page=content&cat=SRX_SERIES&channel=KB
User Forums
http://forums.juniper.net/jnet/
http://www.juniperforum.com/
Books
http://www.juniper.net/us/en/training/jnbooks/
http://www.juniper.net/training/fasttrack/
http://www.juniper.net/us/en/training/technical_education/
http://www.juniper.net/us/en/training/elearning/jsl.html
https://www.juniper.net/partners/partner_center/common/training/virtual_lab.jsp
https://www.juniper.net/partners/partner_center/common/training/post_sales_webcasts.jsp
http://JUNOS.juniper.net/prometricvoucher/