
JUNIPER

SRX

2015 5


JUNOS ........ 5
1.1. ........ 5
1.2. Junos ........ 6
1.3. Junos ........ 7
1.3.1. CLI ........ 7
1.3.2. J-WEB ........ 9
1.3.3. ........ 10
1.3.4. root ........ 12
1.3.5. ........ 13
1.3.6. ........ 16
1.3.7. ........ 24
SRX ........ 25
2.1. ........ 25
2.2. ........ 26
2.3. ........ 35
SRX ........ 36
3.1. ........ 36
3.2. ........ 37
3.3. DHCP ........ 43
3.4. ........ 45
3.4.1. ........ 45

Juniper Networks, Inc.

2 / 171

3.4.2. ........ 47
3.4.3. ........ 49
3.4.4. ........ 50
3.5. ........ 53
3.5.1. Interface based Nat ........ 54
3.5.2. Pool based Source Nat ........ 57
3.5.3. Pool based Destination Nat ........ 62
3.5.4. Pool based Static Nat ........ 69
3.6. IPSEC VPN ........ 76
3.6.1. SITE TO SITE IPSEC VPN ........ 77
3.6.2. SITE TO SITE IPSEC VPN ........ 95
3.6.3. DYNAMIC VPN ........ 99
3.6.4. GROUP VPN ........ 118
3.7. ALG ........ 126
3.8. SRX UTM ........ 130
3.8.1 UTM ........ 131
3.8.2 SRX UTM IDP ........ 132
3.8.3 SRX UTM Antivirus ........ 134
3.8.4 SRX UTM WEB ........ 136
3.8.5 SRX UTM ........ 138
3.9. Appsecure ........ 140
3.9.1. ........ 141


3.9.2. Apptrack CLI ........ 141
3.9.3. AppFirewall ........ 142
3.9.4. APPDDOS ........ 144
3.10. Firewall Filter ........ 146
3.10.1. FBF ........ 147
3.10.2. ........ 150
3.10.3. ACL ........ 150
3.11. Screen ........ 151
3.12. JSRP HA ........ 155
SNMP ........ 160
Troubleshooting ........ 164
5.1. Flow ........ 164
5.2. IPSEC VPN ........ 166
5.3. LOG ........ 167
5.4. RSI LOG ........ 168
- ........ 170



SRX Branch SRX210 SRX

SRX SRX
CLI WEB

SRX210B*2SRX210-SH*1
WINDOWS 7

JUNOS
JUNOS Juniper
SRX JUNOS
JUNOS
JUNOS FreeBSD CLI WEBUI

1.1.
JUNOS CLI operationalconfigure

config edit


run JUNOS
edit unix cd ,up up
nexit topquit

1.2. Junos
JUNOS set
Candidate Config commit
SRX commit
Active config
JUNOS commit
commit confirmed 2 2
commit 2
SRX
commit show Candidate
Config
commit run show config
Active config
show | compare

SRX commit 50
rollback commit rollback 0/commit
commit
save configname.conf
load override configname.conf / commit load
factory-default / commit
SRX TFTP/FTP
J-WEB

1.3. Junos
SRX CLI J-WEB
2 CLI J-WEB
CLI

1.3.1.

CLI

console/telnet/ssh CLI
console Telnet SSH ROOT
root SSH
2
1 % root shell
shell SRX cli>

root@srx210% cli


root@srx210>
2 >

config #

root@srx210> con
root@srx210#
show shconfig con
sh
show

SRX set delete delete security


nat
Edit NAT edit security nat
NAT set
SRX copy
2
copy interfaces ge-0/0/1 to ge-0/0/2
SRX deactivate security nat
NAT activate security nat NAT
Rollback 0


Run run
root@srx210# run ping 192.168.1.1

1.3.2.

J-WEB

http/https WEB URL


Juniper SCREENOS WEB html
SRX J-WEB JavaScript JavaScript html
WEB
html SRX WEB
SCREENOS JavaScript WEB
HTML JavaScript WEB

Javascript
IE WEB


SRX J-WEB

J-WEB commit
SCREENOS WEB

J-WEB HA J-WEB
SRX HA
(I/O)

J-WEB Javascript
WEB

J-WEB WEB
CLI

1.3.3.

CONSOLE
Console () SRXroot <>

COM

Bits per second: 9600

Data bits: 8

Parity: None

Stop bits: 1

Flow control: None


login: root
Password:
--- JUNOS 12.1X46-D20.5 built 2014-05-14 20:00:03 UTC
root% cli
/******/
root>
root> configure
Entering configuration mode


[edit]

/******/

root#

WEB
ping IP 192.168.1.1
http://192.168.1.1
SRX 192.168.1.1 root Log
In


1.3.4.

root

ROOT

CLI
root

root# set system root-authentication plain-text-password


root# new password : root123
root# retype new password: root123

root# show system root-authentication


encrypted-password "$1$xavDeUe6$fNM6olGU.8.M7B62u05D6."; # SECRET-DATA

WEB
Start

* root


1.3.5.

HTTP/HTTPS/TELNET/SSH ROOT
HTTP/HTTPS/SSHTELNET Super-User

CLI
root# set system login user lab class super-user authentication plain-text-password
root# new password : lab123
root# retype new password: lab123
/*** lab lab123***/

WEB
System Properties User Management Edit


Add


User name login classic super-user

lab


1.3.6.

CLI
set system services telnet
set system services web-management http
/***telnet/http ***/

set system services web-management http interface ge-0/0/0.0


/***WEBhttp interfacege-0/0/0.0
WEB***/

set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.238/24


set routing-options static route 0.0.0.0/0 next-hop 192.168.1.2
/***SRX IP ScreenOS
0 ***/

set security zones security-zone untrust interfaces ge-0/0/0.0


/***ge-0/0/0.0 ScreenOS***/

set security zones security-zone untrust host-inbound-traffic system-services ping


set security zones security-zone untrust host-inbound-traffic system-services http
set security zones security-zone untrust host-inbound-traffic system-services telnet
set security zones security-zone untrust host-inbound-traffic system-services ssh
/***untrust zone ScreenOS SRX Zone
Ping/http/telnet/sshzone ***/

WEB

System Properties Management Access Edit

Services Enable Telnet Enable SSH Enable Http


ge0/0/0.0 Selected Interface


Ge0/0/0.0 Selected Interfaces

Interfaces Ports Ge0/0/0.0 Edit


IPV4 Address Add IP

IP


Routing Static Routing Add

Static Router Next-hop


Zone name Untrust Edit


http http

ping ssh telnet Selected


commit


1.3.7.

2
reset

CLI

root# load factory-default


root

Reset
reset 15
Status Status


SRX

2.1.
JUNOS

CLI

1.
user@host> request system power-off
2. JUNOS Console
user@host> request system halt

The operating system has halted.


Please press any key to reboot

WEB
WEB halt


2.2.

OS

http://www.juniper.net/support/downloads/junos.html
Juniper 12.1X44-D45.2

CLI

1. OS
WINSCP FTP
3CDaemon FTP


OS G:\FTP
SRX
lab@SRX210B> ftp 192.168.1.3
Connected to 192.168.1.3.
220 3Com 3CDaemon FTP Server Version 2.0
Name (192.168.1.3:lab): anonymous
331 User name ok, need password
Password:
230-The response '' is not valid.
230-Next time, please use your email address as password.
230 User logged in
Remote system type is UNIX.


Using binary mode to transfer files.


ftp> ls
200 PORT command successful.
150 File status OK ; about to open data connection
drwxrwxrwx 1 owner group 0 Apr 06 20:26 .
drwxrwxrwx 1 owner group 0 Apr 06 20:26 ..
-rwxrwxrwx 1 owner group 138198178 Apr 06 20:26 junos-srxsme-12.1X44-D45.2-domestic.tgz


226 Closing data connection
ftp> bin
200 Type set to I.
ftp> lcd

/******/

Local directory now /cf/var/home/lab


ftp> lcd /cf/var/tmp

/***/cf/var/tmp***/

Local directory now /cf/var/tmp


ftp> mget junos-srxsme-12.1X44-D45.2-domestic.tgz /*** mget OS ***/
mget junos-srxsme-12.1X44-D45.2-domestic.tgz?
200 PORT command successful.
150 File status OK ; about to open data connection
100% |*********************************************************************************|  131 MB  00:00 ETA
226 Closing data connection; File transfer successful. /******/
138198178 bytes received in 87.72 seconds (1.50 MB/s)
ftp>
2.
lab@SRX210B> request system snapshot media internal slice alternate
Formatting alternate root (/dev/da0s2a)...
Copying '/dev/da0s1a' to '/dev/da0s2a' .. (this may take a few minutes)
The following filesystems were archived: /
3.
lab@SRX210B> request system software add /cf/var/tmp/junos-srxsme-12.1X44-D45.2-domestic.tgz no-copy no-validate reboot
Formatting alternate root (/dev/da0s2a)...
/dev/da0s2a: 297.9MB (610044 sectors) block size 16384, fragment size
2048
using 4 cylinder groups of 74.47MB, 4766 blks, 9600 inodes.
super-block backups (for fsck -b #) at:
32, 152544, 305056, 457568
Installing package '/altroot/cf/packages/install-tmp/junos-12.1X44-D45.2-domestic' ...
Verified junos-boot-srxsme-12.1X44-D45.2.tgz signed by PackageProduction_12_1_0
Verified junos-srxsme-12.1X44-D45.2-domestic signed by PackageProduction_12_1_0
JUNOS 12.1X44-D45.2 will become active at next reboot
Saving state for rollback ...
Rebooting ...
shutdown: [pid 5537]
Shutdown NOW!

*** FINAL System shutdown message from root@SRX210B ***


System going down IMMEDIATELY
/*** OS ***/
4.
lab@SRX210B> show system software
Information for junos:
Comment:
JUNOS Software Release [12.1X44-D45.2]

lab@SRX210B> request system software rollback


** /dev/altroot
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 76202 free (26 frags, 9522 blocks, 0.0% fragmentation)

junos-11.2R4.3-domestic will become active at next reboot

lab@SRX210B> request system storage cleanup /******/


List of files to delete:
Size Date Name
62B Jul 30 2012 /cf/var/crash/flowd_octeon.log..0


62B Jan 26 16:44 /cf/var/crash/flowd_octeon.log..1
62B Feb 24 16:02 /cf/var/crash/flowd_octeon.log..2
62B Apr 6 09:26 /cf/var/crash/flowd_octeon.log..3
62B Apr 6 09:48 /cf/var/crash/flowd_octeon.log.SRX210B.0
752B Apr 6 20:34 /cf/var/crash/flowd_octeon.log.SRX210B.1
11B Apr 6 20:34 /cf/var/jail/tmp/alarmd.ts
49.5K Feb 12 16:01 /cf/var/log/autod.0.gz
68.0K Feb 12 02:34 /cf/var/log/autod.1.gz
119B Apr 6 21:04 /cf/var/log/interactive-commands.0.gz
8046B Apr 6 21:04 /cf/var/log/messages.0.gz
183B Apr 6 20:37 /cf/var/log/wtmp.0.gz
137B Apr 6 09:25 /cf/var/log/wtmp.1.gz
87B Jan 26 16:44 /cf/var/log/wtmp.2.gz
3871B Apr 6 20:34 /cf/var/tmp/cleanup-pkgs.log
0B Apr 6 20:33 /cf/var/tmp/eedebug_bin_file


34B Apr 6 20:33 /cf/var/tmp/gksdchk.log


124.0K Apr 6 20:31 /cf/var/tmp/gres-tp/env.dat
0B Jan 26 16:44 /cf/var/tmp/gres-tp/lock
131.8M Apr 6 12:26 /cf/var/tmp/junos-srxsme-12.1X44-D45.2-domestic.tgz
33B Apr 6 20:33 /cf/var/tmp/kmdchk.log
155B Apr 6 20:34 /cf/var/tmp/krt_gencfg_filter.txt
30B Apr 6 20:35 /cf/var/tmp/policy_status
0B Apr 6 20:34 /cf/var/tmp/rtsdb/if-rtsdb
0B Jan 26 16:43 /cf/var/tmp/spu_kmd_init
0B Apr 6 20:35 /cf/var/tmp/vpn_tunnel_orig.id
Delete these files ? [yes,no] (no)

/*** yes ***/

WEB
Maintain Software UploadPackage
tgz Upload
and Install Package


Dashboard Software Version


2.3.
console
root

1. CONSOLE
2.
boot -s
Loading /boot/defaults/loader.conf
/kernel data= syms=[ ]
Hit [Enter] to boot immediately, or space bar for command prompt.
loader>
loader> boot -s

3. Recovery
Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery
4. root root
user@host> configure
Entering configuration mode
user@host# delete system root-authentication
user@host# set system root-authentication plain-text-password
user@host# New password:
user@host# Retype new password:
user@host# commit
5. commit complete

SRX

3.1.


3.2.
ZONE
SRX IP

type-pim/0/port.logical-unit-number
GE-0/0/0.0 0 0 0


Trust Untrust Null


Null Null


CLI
SRX210B GE-0/0/0.0 192.168.1.239/24 zone
Untrust Vlan.0 172.17.1.1/24 zone Trust

SRX210B IP
root@SRX210B# set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.239/24
root@SRX210B# set interfaces vlan unit 0 family inet address 172.17.1.1/24

SRX210B ZONE
root@SRX210B# set security zones security-zone trust interfaces vlan.0
root@SRX210B# set security zones security-zone untrust interfaces ge-0/0/0.0

SRX210B
root@SRX210B# set routing-options static route 0.0.0.0/0 next-hop 192.168.1.253

WEB
ge-0/0/0.0 Untrust


Vlan.0 IP


VLAN.0 Trust


Routing-Static Routing 0/0


192.168.1.253


3.3. DHCP
SRX210B DHCP
172.17.1.100-200172.17.1.1DNS 192.168.1.10Vlan.0

CLI
set system services dhcp pool 172.17.1.0/24 address-range low 172.17.1.100
set system services dhcp pool 172.17.1.0/24 address-range high 172.17.1.200
set system services dhcp pool 172.17.1.0/24 name-server 192.168.1.10
set system services dhcp pool 172.17.1.0/24 router 172.17.1.1
set system services dhcp pool 172.17.1.0/24 propagate-settings vlan.0

WEB
Services-DHCP-DHCP Service DHCP Pools DHCP Pools


3.4.

3.4.1.

untrust
DNSGROUP
DNS10192.168.1.10/32 DNS10 DNSGROUP
trust
Lan 172.17.1.0/24

CLI
set security zones security-zone untrust address-book address DNS10 192.168.1.10/32
set security zones security-zone untrust address-book address-set DNSGROUP address DNS10
set security zones security-zone trust address-book address Lan 172.17.1.0/24

WEB
Security-Policy Elements-Address Book Address untrust
DNS10 DNSGROUP


DNS10

Address Sets DNSGROUP

Trust Lan


3.4.2.

TCP-8080

CLI
set applications application tcp-8080 protocol tcp
set applications application tcp-8080 destination-port 8080

WEB
Security-Policy Elements-Applications Custom-Applications


3.4.3.

AllowDNS 1200-1300

CLI
set schedulers scheduler AllowDNS daily start-time 12:00:00 stop-time 13:00:00

WEB
Security-Policy Elements-Scheduler


3.4.4.
zone zone

Trust Lan Untrust DNSGROUP


TCP-8080 AllowDNS

CLI
set security policies from-zone trust to-zone untrust policy AllowDNS match source-address Lan
set security policies from-zone trust to-zone untrust policy AllowDNS match destination-address DNSGROUP
set security policies from-zone trust to-zone untrust policy AllowDNS match application tcp-8080
set security policies from-zone trust to-zone untrust policy AllowDNS then permit
set security policies from-zone trust to-zone untrust policy AllowDNS scheduler-name AllowDNS

WEB
Security-Policy-Apply Policy


Scheduling AllowDNS


3.5.
SRX NAT ScreenOS
ScreenOSNAT policy MIP/VIP/DIP NATpolicy
NAT untrust Source-NAT SRX NAT
Policy

NAT NAT
Policy
SRX NAT Policy
Policy Policy
Policy IP
ScreenOS
SRX MIP/VIP/DIP MIP Static
DIPSource NAT Policy VIP Destination NAT
ScreenOS Untrust zone SRX SRX
Trust Zone NAT ScreenOSStatic NAT
NAT
SRX proxy-arp IP Pool
SRX Pool ARP IP Pool MAC
MAC SRX

3.5.1. Interface based Nat

172.17.1.0
192.168.1.239


CLI
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface

WEB
Nat-Source NAT Source Rule Set Add


Rule Set Name Rule Set Rule

Rules Add RuleRule


Nat NAT 0.0.0.0/0 Source Address


Source Nat

3.5.2. Pool based Source Nat

Name Snatpool 192.168.1.220-230 Pool


172.17.1.0/24 SnatPool

CLI
set security nat source pool snatpool address 192.168.1.220/32 to 192.168.1.230/32
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule snatpool220-230 match source-address 172.17.1.0/24
set security nat source rule-set trust-to-untrust rule snatpool220-230 then source-nat pool snatpool
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.1.220/32 to 192.168.1.230/32

Pool Zone proxy-arp SRX


Pool IP
ge-0/0/0.0 Pool

WEB
NAT-Source Nat Source NAT Pool Add POOL

Pool Name


Port

SnatPool


Source Rule Set Rule

Rule Name SnatPool220-230 172.17.1.0/24 Source


NAT With Pool


SnatPool Proxy Arp ge-0/0/0.0


Pool
NAT-Proxy Add


3.5.3. Pool based Destination Nat


NAT IP SCREENOS VIP
IP
IP-172.16.1.11 3389 192.168.1.236 3389


CLI
/***NAT ***/
set security nat destination pool srv11-3389 address 172.16.1.11/32 port 3389
set security nat destination rule-set utot from zone untrust
set security nat destination rule-set utot rule u236-srv11-3389 match source-address 0.0.0.0/0
set security nat destination rule-set utot rule u236-srv11-3389 match destination-address 192.168.1.236/32
set security nat destination rule-set utot rule u236-srv11-3389 match destination-port 3389
set security nat destination rule-set utot rule u236-srv11-3389 then destination-nat pool srv11-3389


/*** 3389 ***/


set applications application tcp-3389 protocol tcp
set applications application tcp-3389 destination-port 3389
/*** SRV11 ***/
set security zones security-zone trust address-book address srv11 172.16.1.11/32
/******/
set security policies from-zone untrust to-zone trust policy utot-srv11-3389 match source-address any
set security policies from-zone untrust to-zone trust policy utot-srv11-3389 match destination-address srv11
set security policies from-zone untrust to-zone trust policy utot-srv11-3389 match application tcp-3389
set security policies from-zone untrust to-zone trust policy utot-srv11-3389 then permit

WEB
NAT-Destination NAT Destination Nat Pool Add Pool

Pool Name IP


OK Pool

Destination Rule Set Add NAT

Rule Set Name Rules Add


Rule Name Actions Pool


NAT OK Rule Set


3.5.4. Pool based Static Nat


Static Nat IP Screenos MIP

Static Nat 192.168.1.237 172.16.1.10



CLI
/***Static Nat ***/
set security nat static rule-set SUTOT from zone untrust
set security nat static rule-set SUTOT rule U237-SRV10 match destination-address 192.168.1.237/32
set security nat static rule-set SUTOT rule U237-SRV10 then static-nat prefix 172.16.1.10/32
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.1.237/32
/***SRV10 ***/
set security zones security-zone trust address-book address SRV10 172.16.1.10/32
/******/
set security policies from-zone untrust to-zone trust policy U237-SRV10 match source-address any
set security policies from-zone untrust to-zone trust policy U237-SRV10 match destination-address SRV10
set security policies from-zone untrust to-zone trust policy U237-SRV10 match application any
set security policies from-zone untrust to-zone trust policy U237-SRV10 then permit

WEB
NAT-Static NAT Add NAT

Rule Set Name Add Rules


Proxy-Arp


3.6. IPSEC VPN


SRX IPSEC SITE TO SITE VPN
VPN VPN

2 SRX210A SRX210B VPN



172.16.1.0/24 172.17.1.0/24

3.6.1. SITE TO SITE IPSEC VPN


VPN
IKE -P1
Mode:main
Proposal-set:standard
Pre-shared-key:juniper
IPSEC VPN -P2:
Proposal-set:standard

CLI
SRX210A
set interfaces st0 unit 0 family inet
set security zones security-zone vpn interfaces st0.0
set routing-options static route 172.17.1.0/24 next-hop st0.0

st0.0 tunnel ZoneVPN

set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
IKE

set security ike policy aike mode main


set security ike policy aike proposal-set standard
set security ike policy aike pre-shared-key ascii-text juniper
IKE Phase1 policy main modestandard proposal

set security ike gateway gw1 ike-policy aike


set security ike gateway gw1 address 192.168.1.239
set security ike gateway gw1 external-interface ge-0/0/0.0
IKE Gateway 192.168.1.239ge-0/0/0.0

set security ipsec policy ap2 proposal-set standard


set security ipsec vpn vpn1 bind-interface st0.0
set security ipsec vpn vpn1 ike gateway gw1
set security ipsec vpn vpn1 ike ipsec-policy ap2
set security ipsec vpn vpn1 establish-tunnels immediately
ipsec Phase 2 VPN standard proposalst0.0 Phase 1 gw1 ike

set security policies from-zone vpn to-zone trust policy vpn-policy match source-address any
set security policies from-zone vpn to-zone trust policy vpn-policy match destination-address any
set security policies from-zone vpn to-zone trust policy vpn-policy match application any
set security policies from-zone vpn to-zone trust policy vpn-policy then permit
set security policies from-zone trust to-zone vpn policy vpn-policy match source-address any
set security policies from-zone trust to-zone vpn policy vpn-policy match destination-address any
set security policies from-zone trust to-zone vpn policy vpn-policy match application any
set security policies from-zone trust to-zone vpn policy vpn-policy then permit

SRX210B
set interfaces st0 unit 0 family inet
set security zones security-zone vpn interfaces st0.0
set routing-options static route 172.16.1.0/24 next-hop st0.0
st0 tunnel zone VPN
set security ike policy bike mode main
set security ike policy bike proposal-set standard
set security ike policy bike pre-shared-key ascii-text juniper
IKE Phase1 policy main modestandard proposal
set security ike gateway gw1 ike-policy bike
set security ike gateway gw1 address 192.168.1.238
set security ike gateway gw1 external-interface ge-0/0/0.0


IKE gateway ,192.168.1.238ge-0/0/0.0


set security ipsec policy bp2 proposal-set standard
set security ipsec vpn vpn1 bind-interface st0.0
set security ipsec vpn vpn1 ike gateway gw1
set security ipsec vpn vpn1 ike ipsec-policy bp2
set security ipsec vpn vpn1 establish-tunnels immediately
ipsec Phase 2 VPN standard proposalst0.0 Phase 1
gw1 ike
set security policies from-zone vpn to-zone trust policy vpn-policy match source-address any
set security policies from-zone vpn to-zone trust policy vpn-policy match destination-address any
set security policies from-zone vpn to-zone trust policy vpn-policy match application any
set security policies from-zone vpn to-zone trust policy vpn-policy then permit
set security policies from-zone trust to-zone vpn policy vpn-policy match source-address any
set security policies from-zone trust to-zone vpn policy vpn-policy match destination-address any
set security policies from-zone trust to-zone vpn policy vpn-policy match application any
set security policies from-zone trust to-zone vpn policy vpn-policy then permit


policy VPN

WEB
SRX210A
VPN Zone Security-Zones/screens Add

zone name zone type


Interfaces-Ports St0 Add Tunnel

ZONE IP


Ipsec VPN-Auto Tunnel-Phase I IKE Policy Add P1 IKE


Policy


IKE Policy NameMode Proposal

IKE Policy Options Pre Share Key


IKE Policy

Phase I Gateway Add Gateway


IKE GATEWAY Name Policy IP

Gateway


Phase II IPSEC POLICY Add

Ipsec Policy Name Proposal


Auto Key VPN Add


P1 gateway Ipsec Policy Tunnel

Auto Key VPN


VPN Tunnel st0.0 Routing-Static Routing


Add

Static Route IPV4 Add


St0.0


2
Configure Security-Policy-Apply
Policy Add


Policy Name


VPN Trust

SRX210B
VPN
CLI

WEB Monitor Ipsec VPN Phase I II SA


3.6.2. SITE TO SITE IPSEC VPN


VPN VPN TUNNEL
VPN

CLI
SRX210A
set security ike policy aike mode main
set security ike policy aike proposal-set standard
set security ike policy aike pre-shared-key ascii-text juniper
set security ike gateway gw1 ike-policy aike
set security ike gateway gw1 address 192.168.1.239
set security ike gateway gw1 external-interface ge-0/0/0.0
set security ipsec policy ap2 proposal-set standard
set security ipsec vpn vpn1 ike gateway gw1
set security ipsec vpn vpn1 ike ipsec-policy ap2
set security ipsec vpn vpn1 establish-tunnels immediately
set security policies from-zone trust to-zone untrust policy vpn-policy match source-address LanA
set security policies from-zone trust to-zone untrust policy vpn-policy match destination-address LanB
set security policies from-zone trust to-zone untrust policy vpn-policy match application any
set security policies from-zone trust to-zone untrust policy vpn-policy then permit tunnel ipsec-vpn vpn1
set security policies from-zone trust to-zone untrust policy vpn-policy then permit tunnel pair-policy vpn-policy
set security policies from-zone untrust to-zone trust policy vpn-policy match source-address LanB
set security policies from-zone untrust to-zone trust policy vpn-policy match destination-address LanA
set security policies from-zone untrust to-zone trust policy vpn-policy match application any
set security policies from-zone untrust to-zone trust policy vpn-policy then permit tunnel ipsec-vpn vpn1
set security policies from-zone untrust to-zone trust policy vpn-policy then permit tunnel pair-policy vpn-policy
set security zones security-zone trust address-book address LanA 172.16.1.0/24
set security zones security-zone untrust address-book address LanB 172.17.1.0/24
SRX210B
VPN

WEB


3.6.3. DYNAMIC VPN


VPN PC VPN
(IPsec) VPN
VPN 3
VPN
HTTPS Web VPN
appweb Web [edit system services web-management]
VPN
VPN

Juniper Networks IPsec VPN Web

Web VPN
VPN
1. SRX VPN HTTP HTTPS
Web
2. Web
3.

4.

5. IPsec (XAuth)
RADIUS IP
VPN Web
VPN Juniper Networks

:
IPsec SA


SCREENOS IPSEC VPN


DYNAMIC VPN

SRX210A DYNAMIC VPN VPN1 VPN2


DYNAMIC VPN 192.168.100.0/24
172.16.1.0/24

CLI

set access profile dyn-profile client vpn1 firewall-user password vpn1
set access profile dyn-profile client vpn2 firewall-user password vpn2
set access profile dyn-profile address-assignment pool dyn-ip-pool
set access address-assignment pool dyn-ip-pool family inet network 192.168.100.0/24
set access address-assignment pool dyn-ip-pool family inet range 10to100 low 192.168.100.10
set access address-assignment pool dyn-ip-pool family inet range 10to100 high 192.168.100.100
set access firewall-authentication web-authentication default-profile dyn-profile
VPN
IKE Gateway
set security ike policy DVPN-vpn mode aggressive
set security ike policy DVPN-vpn proposal-set compatible
set security ike policy DVPN-vpn pre-shared-key ascii-text juniper
set security ike gateway DVPN-vpn ike-policy DVPN-vpn
set security ike gateway DVPN-vpn dynamic hostname dynvpn
set security ike gateway DVPN-vpn dynamic connections-limit 50
set security ike gateway DVPN-vpn dynamic ike-user-type group-ike-id
set security ike gateway DVPN-vpn external-interface ge-0/0/0
set security ike gateway DVPN-vpn xauth access-profile dyn-profile
IPSEC
set security ipsec policy DVPN-vpn proposal-set standard
set security ipsec vpn DVPN-vpn ike gateway DVPN-vpn
set security ipsec vpn DVPN-vpn ike ipsec-policy DVPN-vpn



set security policies from-zone untrust to-zone trust policy dyn-vpn match source-address any
set security policies from-zone untrust to-zone trust policy dyn-vpn match destination-address LanA
set security policies from-zone untrust to-zone trust policy dyn-vpn match application any
set security policies from-zone untrust to-zone trust policy dyn-vpn then permit tunnel ipsec-vpn DVPN-vpn
zone IKE HTTPS
set security zones security-zone untrust host-inbound-traffic system-services https
set security zones security-zone untrust host-inbound-traffic system-services http
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ping
VPN
set security dynamic-vpn access-profile dyn-profile
set security dynamic-vpn clients dyn-vpn remote-protected-resources 172.16.1.0/24
set security dynamic-vpn clients dyn-vpn ipsec-vpn DVPN-vpn
set security dynamic-vpn clients dyn-vpn user vpn1
set security dynamic-vpn clients dyn-vpn user vpn2


WEB
Access Profile Configure Access-Access Profiles Add
Profile dyn-profile Address Assignment Configure

Address Pool Configuration Name dyn-ip-pool


192.168.100.10-100


Close Dyn-Ip-Pool Add


VPN1 VPN2

dyn-profile


Access-FW Authentication Web-auth settings Default Profile dyn-profile

Ipsec VPN-Dynamic VPN Global Settings Access Profile dyn-profile


dynamic vpn

DYNAMIC VPN


zone Interface IKE HTTPS

DYNAMIC VPN


Action-Commit
DYN-VPN
IE 192.168.1.238


Pulse

Junos Pulse
https://www.juniper.net/customers/support/#task


SRX URL DYNAMIC VPN IP


VPN1

IP


SRX210 IKE

SRX210 DYNAMIC-VPN USERS

DYNAMIC VPN URL WEB

#set system services web-management management-url admin


http://192.168.1.238/admin


3.6.4. GROUP VPN


Group VPN
IPsec (SA) (VPN)
VPN SA
VPN IPsec SA
VPN IP

VPN


SA
SA

1 65,535

VPN
1. UDP 848 IKE 1

2. GDOI groupkey-pull SA

3.

4. SA
(GDOI groupkey-push) SA
SA
SA

+
2

CLI

SRX210A
Lo0.0
set interfaces lo0 unit 0 family inet address 192.168.1.230/32


group-vpn member
set security group-vpn member ike proposal prop1 authentication-method pre-shared-keys
set security group-vpn member ike proposal prop1 dh-group group2
set security group-vpn member ike proposal prop1 authentication-algorithm sha1
set security group-vpn member ike proposal prop1 encryption-algorithm 3des-cbc
set security group-vpn member ike policy pol1 mode main
set security group-vpn member ike policy pol1 proposals prop1
set security group-vpn member ike policy pol1 pre-shared-key ascii-text juniper
set security group-vpn member ike gateway g1 ike-policy pol1
set security group-vpn member ike gateway g1 address 192.168.1.238
set security group-vpn member ike gateway g1 local-address 192.168.1.230
set security group-vpn member ipsec vpn v1 ike-gateway g1
set security group-vpn member ipsec vpn v1 group-vpn-external-interface ge-0/0/0.0
set security group-vpn member ipsec vpn v1 group 1
group-VPN server
set security group-vpn server ike proposal srv-prop authentication-method pre-shared-keys
set security group-vpn server ike proposal srv-prop dh-group group2
set security group-vpn server ike proposal srv-prop authentication-algorithm sha1


set security group-vpn server ike proposal srv-prop encryption-algorithm 3des-cbc


set security group-vpn server ike policy srv-pol mode main
set security group-vpn server ike policy srv-pol proposals srv-prop
set security group-vpn server ike policy srv-pol pre-shared-key ascii-text juniper
set security group-vpn server ike gateway gw1 ike-policy srv-pol
set security group-vpn server ike gateway gw1 address 192.168.1.230
set security group-vpn server ike gateway gw2 ike-policy srv-pol
set security group-vpn server ike gateway gw2 address 192.168.1.239
set security group-vpn server ipsec proposal group-prop authentication-algorithm hmac-sha1-96
set security group-vpn server ipsec proposal group-prop encryption-algorithm 3des-cbc
set security group-vpn server ipsec proposal group-prop lifetime-seconds 3600
set security group-vpn server group grp1 group-id 1
set security group-vpn server group grp1 ike-gateway gw1
set security group-vpn server group grp1 ike-gateway gw2
set security group-vpn server group grp1 anti-replay-time-window 120
set security group-vpn server group grp1 server-address 192.168.1.238
set security group-vpn server group grp1 server-member-communication communication-type unicast
set security group-vpn server group grp1 server-member-communication encryption-algorithm aes-128-cbc
set security group-vpn server group grp1 server-member-communication sig-hash-algorithm md5
set security group-vpn server group grp1 server-member-communication certificate srv-cert
set security group-vpn server group grp1 ipsec-sa group-sa proposal group-prop
set security group-vpn server group grp1 ipsec-sa group-sa match-policy p1 source 172.16.1.0/24
set security group-vpn server group grp1 ipsec-sa group-sa match-policy p1 destination 172.17.1.0/24
set security group-vpn server group grp1 ipsec-sa group-sa match-policy p1 source-port 0
set security group-vpn server group grp1 ipsec-sa group-sa match-policy p1 destination-port 0
set security group-vpn server group grp1 ipsec-sa group-sa match-policy p1 protocol 0
set security group-vpn server group grp1 ipsec-sa group-sa match-policy p2 source 172.17.1.0/24
set security group-vpn server group grp1 ipsec-sa group-sa match-policy p2 destination 172.16.1.0/24
set security group-vpn server group grp1 ipsec-sa group-sa match-policy p2 source-port 0


set security group-vpn server group grp1 ipsec-sa group-sa match-policy p2 destination-port 0
set security group-vpn server group grp1 ipsec-sa group-sa match-policy p2 protocol 0

set security group-vpn co-location

set security address-book gvpnbook1 address Gvpn 172.16.0.0/12


set security address-book gvpnbook1 attach zone trust
set security address-book gvpnbook2 address Gvpn 172.16.0.0/12
set security address-book gvpnbook2 attach zone untrust
Gvpn
set security policies from-zone untrust to-zone trust policy scope1 match source-address Gvpn
set security policies from-zone untrust to-zone trust policy scope1 match destination-address Gvpn
set security policies from-zone untrust to-zone trust policy scope1 match application any
set security policies from-zone untrust to-zone trust policy scope1 then permit tunnel ipsec-group-vpn v1
set security policies from-zone trust to-zone untrust policy scope1 match source-address Gvpn


set security policies from-zone trust to-zone untrust policy scope1 match destination-address Gvpn
set security policies from-zone trust to-zone untrust policy scope1 match application any
set security policies from-zone trust to-zone untrust policy scope1 then permit tunnel ipsec-group-vpn v1

SRX210B
Group-VPN member
set security group-vpn member ike proposal prop1 authentication-method pre-shared-keys
set security group-vpn member ike proposal prop1 dh-group group2
set security group-vpn member ike proposal prop1 authentication-algorithm sha1
set security group-vpn member ike proposal prop1 encryption-algorithm 3des-cbc
set security group-vpn member ike policy pol1 mode main
set security group-vpn member ike policy pol1 proposals prop1
set security group-vpn member ike policy pol1 pre-shared-key ascii-text juniper
set security group-vpn member ike gateway g1 ike-policy pol1
set security group-vpn member ike gateway g1 address 192.168.1.238
set security group-vpn member ike gateway g1 local-address 192.168.1.239
set security group-vpn member ipsec vpn v1 ike-gateway g1
set security group-vpn member ipsec vpn v1 group-vpn-external-interface ge-0/0/0.0


set security group-vpn member ipsec vpn v1 group 1

set security address-book gvpnbook1 address gvpn 172.16.0.0/12


set security address-book gvpnbook1 attach zone trust
set security address-book gvpnbook2 address gvpn 172.16.0.0/12
set security address-book gvpnbook2 attach zone untrust
Gvpn
set security policies from-zone trust to-zone untrust policy scope1 match source-address gvpn
set security policies from-zone trust to-zone untrust policy scope1 match destination-address gvpn
set security policies from-zone trust to-zone untrust policy scope1 match application any
set security policies from-zone trust to-zone untrust policy scope1 then permit tunnel ipsec-group-vpn v1
set security policies from-zone untrust to-zone trust policy scope1 match source-address gvpn
set security policies from-zone untrust to-zone trust policy scope1 match destination-address gvpn
set security policies from-zone untrust to-zone trust policy scope1 match application any
set security policies from-zone untrust to-zone trust policy scope1 then permit tunnel ipsec-group-vpn v1
Srx210A IKE SERVER

Srx210B Ipsec SA

WEB
WEB

3.7. ALG
(ALG) Junos OS Juniper Networks
(SIP) FTP ALG
ALG
Telnet, FTP, SMTP, HTTP
4 TCP UDP TCP UDP


4 7
7
ALG
ALG ALG

1.
2.

3.
ALG ALG
ALG IP
(NAT) ALG IP

FTP ftp-testTCP 2100


3600 FTP ALGFTP
FTP ALG
set applications application ftp-test protocol tcp destination-port 2100 inactivity-timeout 3600
set applications application ftp-test application-protocol ftp
set security alg
lab@srx210A# set security alg ?
Possible completions:
> alg-manager          Configure ALG-MANAGER
> alg-support-lib      Configure ALG-SUPPORT-LIB
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> dns                  Configure DNS ALG
> ftp                  Configure FTP ALG
> h323                 Configure H.323 ALG
> ike-esp-nat          Configure IKE-ESP ALG with NAT
> mgcp                 Configure MGCP ALG
> msrpc                Configure MSRPC ALG
> pptp                 Configure PPTP ALG
> rsh                  Configure RSH ALG
> rtsp                 Configure RTSP ALG
> sccp                 Configure SCCP ALG
> sip                  Configure SIP ALG
> sql                  Configure SQL ALG
> sunrpc               Configure SUNRPC ALG
> talk                 Configure Talk ALG
> tftp                 Configure TFTP ALG
> traceoptions         ALG trace options
[edit]


lab@srx210A# set security alg sql ?
Possible completions:
  disable              Disable SQL ALG
> traceoptions         SQL ALG trace options

ALG
lab@srx210A> show security alg status
ALG Status :
  DNS      : Enabled
  FTP      : Enabled
  H323     : Enabled
  MGCP     : Enabled
  MSRPC    : Enabled
  PPTP     : Enabled
  RSH      : Enabled
  RTSP     : Enabled
  SCCP     : Enabled
  SIP      : Enabled
  SQL      : Enabled
  SUNRPC   : Enabled
  TALK     : Enabled
  TFTP     : Enabled
  IKE-ESP  : Disabled


web security-ALG

3.8. SRX UTM


UTM

(SBL)Sophos
IP SBL

Kaspersky Lab


CPU

Juniper Networks
MIME

Web Web Web


Web Web
Websense CPA Server URL
Web Web Web
HTTP URL Websense URL
Web Web
Juniper Web URL
Web Juniper

3.8.1 UTM
UTM UTM Juniper
https://www.juniper.net/customers/support/#task


1
Internet
lab@srx210h> request system license update trial trial
License
lab@srx210h> show system license
web Maintain-Licenses

UTM

3.8.2 SRX UTM IDP


IDP
lab@srx210h> request security idp security-package download


lab@srx210h> request security idp security-package download status

lab@srx210h> request security idp security-package install


IDP
lab@srx210h# set security idp idp-policy ?
Possible completions:
  <policy-name>        IDP policy name

IDP


lab@srx210h# set security idp active-policy +IDP


IDP

IDP
lab@srx210h> show security idp status

3.8.3 SRX UTM Antivirus

Antivirus Profile
lab@srx210h# set security utm feature-profile anti-virus type kaspersky-lab-engine
Antivirus


lab@srx210h# set security utm utm-policy default-av anti-virus

lab@srx210h> show security utm anti-virus status

lab@srx210h> request security utm anti-virus kaspersky-lab-engine pattern-update

3.8.4 SRX UTM WEB


Juniper SRX Branch WEB

,,
news.163.com,, <51JOB >
web-filtering
lab@srx210h# set security utm custom-objects url-pattern url

lab@srx210h# set security utm custom-objects custom-url-category


url feature-profile


lab@srx210h# set security utm feature-profile web-filtering


category

lab@srx210h# set security utm feature-profile web-filtering surf-control-integrated

lab@srx210h# set security utm utm-policy utm


utm

web
lab@srx210h# run show security utm web-filtering ?
Possible completions:
  statistics           Show web-filtering statistics
  status               Show web-filtering status

3.8.5 SRX UTM


(SBL)

(SBL)

(DNS) SBL DNS SBL


IP SBL
DNSSBL DNS
DNS

: IP
Sophos IP

#
lab@srx210h# set security utm feature-profile anti-spam sbl profile sblprofile1
#SBL
lab@srx210h# set security utm feature-profile anti-spam sbl profile sblprofile1 sbl-default-server
#
lab@srx210h# set security utm feature-profile anti-spam sbl profile sblprofile1 sbl-default-server spam-action block
#UTM
lab@srx210h# set security utm utm-policy spampolicy1 anti-spam smtp-profile sblprofile1
#UTM
lab@srx210h# set security policies from-zone trust to-zone untrust policy utmsecuritypolicy1 match source-address any


lab@srx210h# set security policies from-zone trust to-zone untrust policy utmsecuritypolicy1 match destination-address any
lab@srx210h# set security policies from-zone trust to-zone untrust policy utmsecuritypolicy1 match application junos-smtp
lab@srx210h# set security policies from-zone trust to-zone untrust policy utmsecuritypolicy1 then permit application-services utm-policy spampolicy1

lab@srx210h> show security utm anti-spam status

3.9. Appsecure
AppSecure SRX AppSecure

AppSecure
AppTrack
AppFirewall
AppDoS
AppQoS
Appsecure SRX
UTM


3.9.1.

lab@srx210h> request services application-identification download

lab@srx210h> request services application-identification download status

lab@srx210h> show services application-identification version


IDP
lab@srx210h> request security idp security-package download
IDP
lab@srx210h> request security idp security-package install
IDP
lab@srx210h> request security idp security-package install status
IDP
lab@srx210h> show security idp security-package-version

3.9.2. Apptrack CLI


AppTrack
AppTrack
AppTrack

1. Zone

set security zones security-zone <name> application-tracking


2. SYSLOG :
set security log format sd-syslog
set security log source-address x.x.x.x
set security log stream Syslogsrv host y.y.y.y
3.
show security application-tracking counters
show services application-identification application-system-cache

3.9.3. AppFirewall
HTTP HTTP
IP

ID

AppFirewall



ID
AppFirewall

ID

IDID

facebook youtube
AppFirewall
set security application-firewall rule-sets allowed-apps rule 1 match dynamic-application [ junos:FACEBOOK-ACCESS junos:FACEBOOK-APP junos:FACEBOOKCHAT junos:FACEBOOK-FANAPPZ junos:FACEBOOK-MAIL junos:FACEBOOK-MUSIC junos:FACEBOOK-MUSIKGW junos:FACEBOOK-SOCIALRSS junos:FACEBOOK-YEARBOOK junos:FACEBOOK-YOUTUBEBOX ]
set security application-firewall rule-sets allowed-apps rule 1 then permit
set security application-firewall rule-sets allowed-apps rule 2 match dynamic-application junos:YOUTUBE
set security application-firewall rule-sets allowed-apps rule 2 match dynamic-application junos:YOUTUBE-COMMENT
set security application-firewall rule-sets allowed-apps rule 2 match dynamic-application junos:YOUTUBE-STREAM
set security application-firewall rule-sets allowed-apps rule 2 match dynamic-application junos:YOUTUBEVIDEOBOX
set security application-firewall rule-sets allowed-apps rule 2 then permit
set security application-firewall rule-sets allowed-apps default-rule deny
appfirewall
set security policies from-zone trust to-zone untrust policy allowed-web-apps match source-address any
set security policies from-zone trust to-zone untrust policy allowed-web-apps match destination-address any
set security policies from-zone trust to-zone untrust policy allowed-web-apps match application junos-http
set security policies from-zone trust to-zone untrust policy allowed-web-apps then permit application-services application-firewall rule-set allowed-apps

3.9.4. APPDDOS
DDoS 7

8053443 L3 / L4


APPDDOS HTTP DNS CLI


1. APPDOS
set security idp application-ddos Webserver service http
set security idp application-ddos Webserver connection-rate-threshold 1000
set security idp application-ddos Webserver context http-get-url hit-rate-threshold 60000
set security idp application-ddos Webserver context http-get-url value-hit-rate-threshold 60000
set security idp application-ddos Webserver context http-get-url time-binding-count 10
set security idp application-ddos Webserver context http-get-url time-binding-period 60
2. IDP APPDDOS
set security idp idp-policy AppDoS-Webserver rulebase-ddos rule 1 match destination-address Web-Login
set security idp idp-policy AppDoS-Webserver rulebase-ddos rule 1 match application-ddos Webserver
set security idp idp-policy AppDoS-Webserver rulebase-ddos rule 1 then action no-action
set security idp idp-policy AppDoS-Webserver rulebase-ddos rule 1 then ip-action ip-block
set security idp idp-policy AppDoS-Webserver rulebase-ddos rule 1 then ip-action timeout 60
3. APPDDOS
set security idp active-policy AppDoS-Webserver
4. IDP application-service
set security policies from-zone untrust to-zone trust policy appddos match source-address any
set security policies from-zone untrust to-zone trust policy appddos match destination-address any
set security policies from-zone untrust to-zone trust policy appddos match application junos-http
set security policies from-zone untrust to-zone trust policy appddos then permit application-services idp

> show security idp counters application-ddos


> show security idp application-ddos application http-url-parsed

3.10. Firewall Filter


SRX ,


3.10.1. FBF
FBF SCREEN OS PBR FBF
dual-ISP srx down
SRX down/up
Junos RPM IP DOWN

set routing-instances ISP1 instance-type forwarding
set routing-instances ISP1 routing-options static route 0.0.0.0/0 next-hop 192.168.1.253
set routing-instances ISP1 routing-options static route 0.0.0.0/0 qualified-next-hop 192.168.58.253 preference 100
set routing-instances ISP2 instance-type forwarding
set routing-instances ISP2 routing-options static route 0.0.0.0/0 next-hop 192.168.58.253
set routing-instances ISP2 routing-options static route 0.0.0.0/0 qualified-next-hop 192.168.1.253 preference 100

set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.238/24


set interfaces ge-0/0/1 unit 0 family inet address 192.168.58.238/24
set interfaces fe-0/0/2 unit 0 family inet filter input FBF
set interfaces fe-0/0/2 unit 0 family inet address 172.16.1.1/24

Filter
set firewall filter FBF term ISP1 from source-address 172.16.1.10/32
set firewall filter FBF term ISP1 then routing-instance ISP1
set firewall filter FBF term ISP2 from source-address 172.16.1.20/32
set firewall filter FBF term ISP2 then routing-instance ISP2
set firewall filter FBF term accept then accept

RIB-GROUP
set routing-options interface-routes rib-group inet rib-fbf
set routing-options rib-groups rib-fbf import-rib inet.0
set routing-options rib-groups rib-fbf import-rib isp1.inet.0
set routing-options rib-groups rib-fbf import-rib isp2.inet.0
FBF C1 ISP1C2 ISP2

RPM
set services rpm probe Probe-isp1 test isp1-gw target address 192.168.1.253
set services rpm probe Probe-isp1 test isp1-gw probe-count 10
set services rpm probe Probe-isp1 test isp1-gw probe-interval 5
set services rpm probe Probe-isp1 test isp1-gw test-interval 10
set services rpm probe Probe-isp1 test isp1-gw thresholds successive-loss 10
set services rpm probe Probe-isp1 test isp1-gw thresholds total-loss 5


set services rpm probe Probe-isp1 test isp1-gw destination-interface ge-0/0/0.0


set services rpm probe Probe-isp1 test isp1-gw next-hop 192.168.1.253
set services rpm probe Probe-isp2 test isp2-gw target address 192.168.58.253
set services rpm probe Probe-isp2 test isp2-gw probe-count 10
set services rpm probe Probe-isp2 test isp2-gw probe-interval 5
set services rpm probe Probe-isp2 test isp2-gw test-interval 10
set services rpm probe Probe-isp2 test isp2-gw thresholds successive-loss 10
set services rpm probe Probe-isp2 test isp2-gw thresholds total-loss 5
set services rpm probe Probe-isp2 test isp2-gw destination-interface ge-0/0/1.0
set services rpm probe Probe-isp2 test isp2-gw next-hop 192.168.58.253

IP-Monitoring
set services ip-monitoring policy isp1-Tracking match rpm-probe Probe-isp1
set services ip-monitoring policy isp1-Tracking then preferred-route routing-instances isp1 route 0.0.0.0/0 next-hop 192.168.58.253
set services ip-monitoring policy isp2-Tracking match rpm-probe Probe-isp2
set services ip-monitoring policy isp2-Tracking then preferred-route routing-instances isp2 route 0.0.0.0/0 next-hop 192.168.1.253

ZONE RPM
set security zones security-zone isp1 interfaces ge-0/0/0.0 host-inbound-traffic system-services rpm
set security zones security-zone isp1 interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone isp2 interfaces ge-0/0/1.0 host-inbound-traffic system-services rpm
set security zones security-zone isp2 interfaces ge-0/0/1.0 host-inbound-traffic system-services ping

> show services ip-monitoring status all


3.10.2.
192.168.1.0/26 10M

set firewall family inet filter limit10M term Nolimite from address 192.168.1.0/26
set firewall family inet filter limit10M term Nolimite then accept
# 192.168.1.0/26
set firewall family inet filter limit10M term other-10M from source-address 0.0.0.0/0
set firewall family inet filter limit10M term other-10M then policer Upto10M
# Upto10M
set firewall family inet filter limit10M term other-accept then accept
#
set firewall policer Upto10M if-exceeding bandwidth-limit 10m
set firewall policer Upto10M if-exceeding burst-size-limit 128k
set firewall policer Upto10M then discard
# Upto10M
set interfaces fe-0/0/2 unit 0 family inet filter input limit10M
Input Filter

3.10.3. ACL
denylist-attack
set firewall family inet filter DenyAC term deny-list from prefix-list denylist-attack
set firewall family inet filter DenyAC term deny-list then discard
# Filter DenyAC denylist-attack prefix-list
set firewall family inet filter DenyAC term other-accept then accept
#
set policy-options prefix-list denylist-attack 124.232.0.0/16
set policy-options prefix-list denylist-attack 182.100.0.0/16
# denylist-attack 2 124.232.0.0/16 182.100.0.0/16
set interfaces fe-0/0/2 unit 0 family inet filter input DenyAC
# Filter Input
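As an added example (not part of the original document), the two filters above, limit10M and DenyAC, modelled in Python so the term-ordering semantics can be checked offline: terms are tried in order, the first match decides the packet, and a packet matching no term hits the filter's implicit discard, which is why both filters end with an other-accept term. Term names, prefixes and the prefix-list are the page's own; the data structures are this example's.

```python
import ipaddress

# Constructed model of the page's two filters, written as Python data instead of
# Junos 'set' statements. Names and prefixes are taken from the page.
PREFIX_LISTS = {
    "denylist-attack": ["124.232.0.0/16", "182.100.0.0/16"],
}

FILTERS = {
    "limit10M": [
        {"name": "Nolimite", "from": {"address": ["192.168.1.0/26"]}, "then": "accept"},
        # A policer is a non-terminating action: the packet is policed and then accepted,
        # so with a 0.0.0.0/0 match the following other-accept term is never reached.
        {"name": "other-10M", "from": {"source-address": ["0.0.0.0/0"]}, "then": "policer Upto10M"},
        {"name": "other-accept", "from": {}, "then": "accept"},
    ],
    "DenyAC": [
        {"name": "deny-list", "from": {"prefix-list": ["denylist-attack"]}, "then": "discard"},
        {"name": "other-accept", "from": {}, "then": "accept"},
    ],
}


def _in_any(ip, prefixes):
    return any(ip in ipaddress.ip_network(p) for p in prefixes)


def term_matches(term, src, dst):
    """A term matches when every 'from' condition it carries holds.
    'address' and 'prefix-list' match either the source or the destination,
    'source-address' only the source; a term with no 'from' matches everything."""
    for key, value in term["from"].items():
        if key == "source-address":
            ok = _in_any(src, value)
        elif key == "destination-address":
            ok = _in_any(dst, value)
        elif key == "address":
            ok = _in_any(src, value) or _in_any(dst, value)
        elif key == "prefix-list":
            prefixes = [p for name in value for p in PREFIX_LISTS[name]]
            ok = _in_any(src, prefixes) or _in_any(dst, prefixes)
        else:
            raise ValueError(f"unsupported match condition {key!r}")
        if not ok:
            return False
    return True


def evaluate(terms, src, dst):
    """Walk the terms in order; the first match decides the packet.
    No match at all means the filter's implicit discard."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for term in terms:
        if term_matches(term, src, dst):
            return term["name"], term["then"]
    return None, "discard (implicit)"


if __name__ == "__main__":
    for name, src, dst in [("limit10M", "192.168.1.20", "8.8.8.8"),
                           ("limit10M", "172.16.1.10", "8.8.8.8"),
                           ("DenyAC", "124.232.5.5", "172.16.1.10"),
                           ("DenyAC", "8.8.8.8", "172.16.1.10")]:
        print(name, src, "->", dst, evaluate(FILTERS[name], src, dst))
```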

3.11. Screen
Juniper SRX
MGT
SCREEN

SCREEN

SCREEN (IDP)
SCREEN Untrust

CLI


root# show security screen
ids-option juniper-srx-screen-test {
    alarm-without-drop;
    icmp {
        ip-sweep threshold 1000;
        fragment;
        flood threshold 100;
    }
    ip {
        bad-option;
        spoofing;
        tear-drop;
    }
    tcp {
        syn-frag;
        port-scan threshold 1000;
        land;
        winnuke;
    }
    udp {
        flood threshold 100;
    }
    limit-session {
        source-ip-based 128;
        destination-ip-based 128;
    }
}

[edit]
root# show security zones security-zone untrust
screen juniper-srx-screen-test;

WEB
ConfigureSecurityZone/Screens Screens list Add

Main Screen name Screen


Denial of Service, Anomalies, Flood Defense


Apply to Zones


3.12. JSRP HA
JSRP Juniper SRX HA ScreenOS NSRP
A/P A/A JSRP ScreenOS NSRP JUNOS Cluster
NSRP JSRP JSRP NSRP
JSRP Cluster
ScreenOS
ScreenOS NSRP session

JSRP
SRX JSRP ()
(Session ) 3K\5K

Branch

SRX Branch HA
HA



1. SRX110 HA
2. SRX650<4 RJ-45 >SRX650 HA ,
<HA
3 >
JSRP
0 0 1
0
JSRP

22

JSRP 7
Cluster id Node id (ScreenOS NSRP cluster id
id
Control Port
Fabric Link Port session RTO


Redundancy Group NSRP VSD group


IP

Redundant Ethernet Interface NSRP Redundant


Interface Monitoring NSRP interface monitor RG

2 SRX210 HA

SRX210 3 HA FE-0/0/7 FE-0/0/7


CONTROL LINK
GE-0/0/0 GE-0/0/0 FABRIC LINK

FE-0/0/6 FXP0
CONSOLE
SRX210-A
set chassis cluster cluster-id 1 node 0 reboot


SRX210-B
set chassis cluster cluster-id 1 node 1 reboot
SRX210-A
set groups node0 system host-name srx210-a
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.101.1/24
set groups node1 system host-name srx210-b
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.101.2/24
set apply-groups "${node}"
set chassis cluster reth-count 2
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set interfaces fab0 fabric-options member-interfaces ge-0/0/0
set interfaces fab1 fabric-options member-interfaces ge-2/0/0
set interfaces ge-0/0/1 gigether-options redundant-parent reth0
set interfaces ge-2/0/1 gigether-options redundant-parent reth0
set interfaces fe-0/0/2 gigether-options redundant-parent reth1
set interfaces fe-2/0/2 gigether-options redundant-parent reth1
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options redundancy-group 1
set security zones security-zone Trusted
set security zones security-zone Untrusted
set security zones security-zone Trusted host-inbound-traffic system-services all
set interfaces reth0 unit 0 family inet address 172.16.1.1/24
set security zones security-zone Trusted interfaces reth0.0
set interfaces reth1 unit 0 family inet address 192.168.1.238/24
set security zones security-zone Untrusted interfaces reth1.0
# DOWN
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/1 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-2/0/1 weight 255
set chassis cluster redundancy-group 1 interface-monitor fe-0/0/2 weight 255
set chassis cluster redundancy-group 1 interface-monitor fe-2/0/2 weight 255

HA
> show chassis cluster status
Cluster ID: 1
Node                  Priority  Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 0
    node0             200       primary   no       no
    node1             100       secondary no       no

Redundancy group: 1 , Failover count: 0
    node0             200       primary   yes      no
    node1             100       secondary yes      no

> request chassis cluster failover redundancy-group 0 node 1
node1:
--------------------------------------------------------------------------
Initiated manual failover for redundancy group 0
> request chassis cluster failover redundancy-group 1 node 1
node1:
--------------------------------------------------------------------------
Initiated manual failover for redundancy group 1
> show chassis cluster status
Cluster ID: 1
Node                  Priority  Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 1
    node0             200       secondary no       yes
    node1             255       primary   no       yes

Redundancy group: 1 , Failover count: 1
    node0             200       secondary yes      yes
    node1             255       primary   yes      yes

HA
> request chassis cluster failover reset redundancy-group 0
node0:
--------------------------------------------------------------------------
No reset required for redundancy group 0.
node1:
--------------------------------------------------------------------------
Successfully reset manual failover for redundancy group 0
{secondary:node0}
> request chassis cluster failover reset redundancy-group 1
node0:
--------------------------------------------------------------------------
No reset required for redundancy group 1.
node1:
--------------------------------------------------------------------------
Successfully reset manual failover for redundancy group 1


> show chassis cluster status
Cluster ID: 1
Node                  Priority  Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 2
    node0             200       secondary no       no
    node1             100       primary   no       no

Redundancy group: 1 , Failover count: 2
    node0             200       secondary no       no
    node1             100       primary   no       no
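As an added example (not from the document), a small Python parser for the `show chassis cluster status` output shown above, plus the check a monitoring job would run on it: it flags a redundancy group whose primary is not the expected node, or whose primary still carries a manual failover (the page's output shows the node at priority 255 until `request chassis cluster failover reset` is issued). The sample text is constructed in the page's layout; `expected_primary` defaults to node0, which the page configures with the higher priority in both groups.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of "show chassis cluster status" as shown on
# this page (after the manual failover to node1); not a capture from the lab devices.
SAMPLE_STATUS = """\
Cluster ID: 1
Node                  Priority  Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 1
    node0             200       secondary no       yes
    node1             255       primary   no       yes

Redundancy group: 1 , Failover count: 0
    node0             200       primary   yes      no
    node1             100       secondary yes      no
"""


@dataclass
class NodeState:
    name: str
    priority: int
    status: str
    preempt: bool
    manual_failover: bool


RG_RE = re.compile(r"Redundancy group:\s*(\d+)\s*,\s*Failover count:\s*(\d+)")
NODE_RE = re.compile(r"^\s*(node\d+)\s+(\d+)\s+(\S+)\s+(yes|no)\s+(yes|no)\s*$")


def parse_cluster_status(text):
    """Return {rg_id: {"failover_count": n, "nodes": [NodeState, ...]}}.
    The 'Node ... Manual failover' header does not match NODE_RE (capital N), so
    only the per-node rows under each redundancy group are collected."""
    groups = {}
    current = None
    for line in text.splitlines():
        m = RG_RE.search(line)
        if m:
            current = int(m.group(1))
            groups[current] = {"failover_count": int(m.group(2)), "nodes": []}
            continue
        m = NODE_RE.match(line)
        if m and current is not None:
            groups[current]["nodes"].append(NodeState(
                m.group(1), int(m.group(2)), m.group(3),
                m.group(4) == "yes", m.group(5) == "yes"))
    return groups


def check_cluster(groups, expected_primary="node0"):
    """Return the findings a monitoring job would alert on, one string each."""
    findings = []
    for rg, info in sorted(groups.items()):
        primaries = [n for n in info["nodes"] if n.status == "primary"]
        if len(primaries) != 1:
            findings.append(f"RG{rg}: expected exactly one primary, found {len(primaries)}")
            continue
        primary = primaries[0]
        if primary.manual_failover:
            # Priority is forced to 255 while a manual failover is in effect; the
            # group stays in this state until the failover is reset by the operator.
            findings.append(f"RG{rg}: manual failover in effect on {primary.name} "
                            f"(priority {primary.priority}); reset pending")
        if primary.name != expected_primary:
            findings.append(f"RG{rg}: primary is {primary.name}, expected {expected_primary}")
        if info["failover_count"] > 0:
            findings.append(f"RG{rg}: failover count {info['failover_count']}")
    return findings


if __name__ == "__main__":
    for finding in check_cluster(parse_cluster_status(SAMPLE_STATUS)):
        print(finding)
```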

SNMP

show system software


show system uptime
show chassis hardware
show chassis environment
show chassis routing-engine RE
show route
show arp ARP
show log messages
show interface terse
show interface ge-x/y/z detail
monitor interface ge-x/y/z
monitor traffic interface ge-x/y/z Tcpdump ScreenOS snoop


show security flow session summary


show security flow session
clear security flow session all session
show security alg status ALG
SNMP
SNMP
CPU PPS SNMP
MIB OID
OID
JUNOS MIB OID
OIDVIEW JUNOS MIB


SRX Object

lab@srx210h> show snmp mib walk ascii ifDescr
ifDescr.3 = fxp2
ifDescr.4 = lsi
ifDescr.6 = lo0
ifDescr.7 = tap
ifDescr.8 = gre
ifDescr.9 = ipip
ifDescr.10 = pime
ifDescr.11 = pimd
ifDescr.12 = mtun
ifDescr.15 = fxp2.0
ifDescr.21 = lo0.16384
ifDescr.22 = lo0.16385
ifDescr.248 = lo0.32768
ifDescr.501 = irb
ifDescr.502 = pp0
ifDescr.503 = st0
ifDescr.504 = ppd0
ifDescr.505 = ppe0
ifDescr.506 = vlan
ifDescr.507 = ge-0/0/0
ifDescr.508 = ge-0/0/1
ifDescr.509 = ge-0/0/0.0
ifDescr.510 = fe-0/0/2
ifDescr.511 = fe-0/0/3
ifDescr.512 = fe-0/0/4
ifDescr.513 = fe-0/0/5
ifDescr.514 = fe-0/0/6
ifDescr.515 = fe-0/0/7
ifDescr.516 = ge-0/0/1.0
ifDescr.517 = sp-0/0/0
ifDescr.518 = gr-0/0/0
ifDescr.519 = ip-0/0/0
ifDescr.520 = lsq-0/0/0
ifDescr.521 = mt-0/0/0
ifDescr.523 = lt-0/0/0
ifDescr.524 = fe-0/0/2.0
ifDescr.526 = fe-0/0/4.0
ifDescr.527 = fe-0/0/5.0
ifDescr.529 = sp-0/0/0.0
ifDescr.530 = sp-0/0/0.16383
ifDescr.533 = st0.1
ifDescr.534 = st0.2

fe-0/0/2.0 524 fe-0/0/2.0

lab@srx210h> show interfaces fe-0/0/2.0 extensive


Logical interface fe-0/0/2.0 (Index 73) (SNMP ifIndex 524) (Generation 138)
fe-0/0/2.0 PPS OIDVIEW
PPS Object ifIn1SecPkts OID 1.3.6.1.4.1.2636.3.3.1.1.3

Juniper Networks, Inc.

163 / 171

fe-0/0/2.0 524
1.3.6.1.4.1.2636.3.3.1.1.3.524 OID
SNMP OID fe-0/0/2.0 PPS
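The lookup just described, automated as an added example (not code from the original material): a Python script that parses the ifDescr walk into a name-to-ifIndex table, cross-checks it against the logical-interface line of show interfaces extensive, and builds the ifIn1SecPkts instance OID and a Net-SNMP poll command. The walk excerpt and the extensive line are constructed from the output shown above; the host address and community string in the usage are placeholders.

```python
import re

# Column OID of ifIn1SecPkts in the Juniper interface MIB, as given on the page.
IF_IN_1SEC_PKTS = "1.3.6.1.4.1.2636.3.3.1.1.3"

# Constructed excerpt of the ifDescr walk shown above (prompt line included on purpose).
WALK = """\
lab@srx210h> show snmp mib walk ascii ifDescr
ifDescr.6 = lo0
ifDescr.507 = ge-0/0/0
ifDescr.509 = ge-0/0/0.0
ifDescr.510 = fe-0/0/2
ifDescr.524 = fe-0/0/2.0
ifDescr.533 = st0.1
"""

# Constructed: the logical-interface line from show interfaces fe-0/0/2.0 extensive.
EXTENSIVE = "Logical interface fe-0/0/2.0 (Index 73) (SNMP ifIndex 524) (Generation 138)"

WALK_RE = re.compile(r"^ifDescr\.(\d+)\s*=\s*(\S+)\s*$")
EXT_RE = re.compile(r"^\s*Logical interface (\S+) \(Index \d+\) \(SNMP ifIndex (\d+)\)")


def parse_ifdescr_walk(text):
    """Return {interface name: ifIndex} from 'show snmp mib walk ascii ifDescr'."""
    table = {}
    for line in text.splitlines():
        m = WALK_RE.match(line.strip())
        if m:
            table[m.group(2)] = int(m.group(1))
    return table


def ifindex_from_extensive(text):
    """Return {name: ifIndex} for the logical-interface lines of 'show interfaces ... extensive'."""
    return {m.group(1): int(m.group(2))
            for m in (EXT_RE.match(line) for line in text.splitlines()) if m}


def instance_oid(name, table, column=IF_IN_1SEC_PKTS):
    """Column OID + ifIndex gives the instance to poll; KeyError if the name is unknown."""
    return f"{column}.{table[name]}"


def snmpget_command(host, community, name, table, column=IF_IN_1SEC_PKTS):
    """Net-SNMP command line for the poller (assumes SNMPv2c with a read-only community)."""
    return f"snmpget -v2c -c {community} {host} {instance_oid(name, table, column)}"


def cross_check(name, walk_table, extensive_text):
    """True when the walk and the extensive output agree on the ifIndex for name."""
    return walk_table.get(name) == ifindex_from_extensive(extensive_text).get(name)


if __name__ == "__main__":
    table = parse_ifdescr_walk(WALK)
    print(instance_oid("fe-0/0/2.0", table))              # 1.3.6.1.4.1.2636.3.3.1.1.3.524
    print(cross_check("fe-0/0/2.0", table, EXTENSIVE))    # True
    # 192.0.2.1 and "ro-community" are placeholders for the SRX address and community.
    print(snmpget_command("192.0.2.1", "ro-community", "fe-0/0/2.0", table))
```

Resolving the interface name to its ifIndex at poll time, rather than hard-coding .524 in the poller, keeps the graph attached to the right interface if indexes are ever renumbered; the cross-check against the extensive output is the on-box confirmation step the text performs by hand.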

Troubleshooting

5.1. Flow

1. Capture traffic on the interface (Routing Engine-bound traffic only):
lab@SRX210B> monitor traffic interface ge-0/0/0.0 no-resolve

2. Flow debug (traceoptions):
set security flow traceoptions file flowlog    # trace output is written to /var/log/flowlog
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter to0 source-prefix 192.168.1.61/32
set security flow traceoptions packet-filter to0 destination-prefix 192.168.0.12/32
# The two packet-filter lines define a single filter, to0, that matches only packets from
# 192.168.1.61 to 192.168.0.12. Always use a filter: basic-datapath tracing of all traffic
# loads the RE and fills /var/log quickly. If the return direction is needed as well, add a
# second filter with source and destination swapped.
Commit, reproduce the problem, then read and clear the trace file:
lab@srx210B> show log flowlog
lab@srx210B> clear log flowlog
When finished, remove the tracing again (deactivate security flow traceoptions, then commit).

3. Check sessions and interface counters:
show security flow session summary
show security flow session destination-prefix <ip-prefix>
show security flow session session-identifier <value>
show interfaces extensive

5.2. IPsec VPN

Status commands:
show security ike security-associations
show security ike security-associations index <number> detail
show security ike stats sa
show security ike stats sa index
show security ike memory-usage
show security ipsec security-associations
show security ipsec security-associations index <number> detail
show security flow session tunnel
monitor interface st0.x
show security ipsec statistics
show security ipsec next-hop-tunnels

Logs:
show log messages
show log kmd          (the key-management daemon log; the first place to look when a tunnel does not come up)

Debug:
edit security ike traceoptions
set file ike-debug
set flag all
edit security ipsec traceoptions
set flag all
(flag all is verbose; read the output with show log ike-debug and deactivate the traceoptions once the problem is understood)

5.3. Logs

Log files live under /var/log and can be read from the CLI; the traceoptions (debug) output configured in the sections above ends up in the same directory.

List the directory:
file list /var/log

Display one file:
show log <filename>

5.4. RSI and log collection

# Save the RSI (request support information) output under /var/log as rsi_<date>.txt
request support information | save /var/log/rsi_YYYY-MM-DD.txt

# Archive and compress /var/log (RSI included) into /var/tmp/logs_<date>
file archive compress source /var/log/* destination /var/tmp/logs_YYYY-MM-DD

# Copy the archive off the box with WinSCP (SCP) or FTP
WinSCP download: http://winscp.net/eng/download.php

The RSI contains the complete configuration, including $9$-obfuscated secrets that can be reversed, so treat the archive as confidential and prefer SCP over plain FTP when moving it.

F5


OS


Juniper support: https://www.juniper.net/customers/support/
J-Net community forums: http://forums.juniper.net/jnet/
OID lookup (Juniper MIB Explorer): http://contentapps.juniper.net/mib-explorer/navigate.jsp
Firewall migration tool (partner center): https://partners.juniper.net/partnercenter/tools-resources/fulfill-order/juniperfirewall-migration-cloud/index.page
Collecting debug information on J-Series/SRX (JTAC technote): http://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/technotes/JSRXDebugInfo.pdf
VPN troubleshooting resolution path: http://kb.juniper.net/kb/documents/public/resolution_path/J_visio_kb10093.htm
SRX HA configuration tool: http://www.juniper.net/support/tools/srxha/