
SRX JUMP STATION

Based on JUNOS Versions up to 12.1R3


last modified Nov 08 2012

Thomas Schmidt
Consulting Systems Engineer
WHAT IS THE PURPOSE OF THIS QUICK START?
This collection is for users who already have experience with ScreenOS firewalls and the
underlying concepts and now want to use JUNOS based SRX firewalls.
This collection assumes you already have some knowledge of JUNOS (there are free
trainings to help you) but need a guide to configure a complete system.
This collection is a guide to help you find the commands required for typical features and
tasks, and gives you brief, working examples.
If you need more in-depth information or more details of the underlying concepts, consult the
documentation or participate in trainings.
This collection cannot replace the full JUNOS documentation or trainings and cannot cover all
parameters available with a certain feature.

2 Copyright 2011 Juniper Networks, Inc. www.juniper.net


JUMP STATION CENTRAL

Basics: Docs & Papers, Control- & Dataplane, Login, CLI
Network: Interfaces, Switching, Routing (OSPF, BGP), Trunk & LAG, Link Redundancy, Multicast, IPv6, Transparent Mode
Firewall: Packet Flow, Zones, Policies, Screens & Defense, NAT, Flow & ALG, Virtualize (VR + LSys)
VPN: Route based VPN, Policy based VPN, VPNs with Certificates, VPN Diagnostics, Dynamic VPN
Manage, Admin, Log, Monitor: User Role & Auth, Inband or Outband, Logging & Syslog, SNMP & RMON, Netflow, Space, NSM, STRM
Troubleshooting: Monitor Commands, Log files, Interface Monitoring, Debug Flow, Packet Capture, Debug VPN
Toolbox: Access list, DHCP, Time & NTP, DNS, PPPoE & DSL, UAC Enforcer, Port Mirroring, Class of Service
AppFirewall, IDP and UTM: Licenses, AppSecure Overview, IDP, AppTrack, AppFirewall, AppDDOS, UTM Antivirus, UTM Webfilter
High Availability: Cluster Overview, Cluster Interfaces, Cluster Setup, Failover Behavior, Cluster States, Cluster & NSM
More: Boot loader & Flash, Reset to Factory Def., Software Upgrade, Automation Scripting, Nice Stuff, Further Information
JUNOS BASICS
DOCUMENTATION AND GUIDES
THE RIGHT PLACE FOR
SRX HARDWARE AND SOFTWARE DOCUMENTATION
Use the following Link



ADDITIONAL USEFUL INFORMATION SOURCES
Day One Booklets
http://www.juniper.net/us/en/community/junos/training-certification/day-one/

Feature Explorer and Content Explorer


http://pathfinder.juniper.net/feature-explorer/
http://www.juniper.net/techpubs/content-applications/content-explorer/

Feature Support Reference Guide


https://www.juniper.net/techpubs/en_US/junos12.1/information-products/pathway-pages/security/feature-support-reference.html?chap-feature-support-tables.html

SRX Knowledgebase (Jump Station)


http://kb.juniper.net/KB15694

SRX Knowledgebase (Here a list of the latest SRX articles)


http://kb.juniper.net/index?page=content&cat=SRX_SERIES&channel=KB

SRX Application Notes


http://www.juniper.net/us/en/products-services/security/srx-series/#literature

JUNOS Network Configuration Examples


http://www.juniper.net/techpubs/en_US/junos/information-products/pathway-pages/nce/index.html

Juniper Forum
Configuration Library http://forums.juniper.net/t5/Configuration-Library/bd-p/ConfigLib
DayOne Tips http://forums.juniper.net/t5/Day-One-Tips-Contest/bd-p/DayOneContest



CONTROLPLANE AND DATAPLANE
JUNOS SOFTWARE FEATURES (1 OF 2)

JUNOS software for SRX-series services gateways includes the following elements:
- JUNOS software as the base operating system
- Session-based forwarding
- Some ScreenOS-like security features
- Packet-based features:
  - Control plane OS
  - Routing protocols
  - Forwarding features:
    - Per-packet stateless filters
    - Policers
    - CoS
- J-Web



JUNOS SOFTWARE FEATURES (2 OF 2)

Session-based features:
- Implements some ScreenOS features and functionality through the use of new daemons
- First packet of a flow triggers session creation based on:
  - Source and destination IP address
  - Source and destination port
  - Protocol
  - Session token
- Zone-based security features:
  - Packet on the incoming interface is associated with the incoming zone
  - Packet on the outgoing interface is associated with the outgoing zone
- Core security features: Firewall, VPN, NAT, ALGs, IDP, and SCREEN options
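
Added illustration of the session-based forwarding and zone lookup described on this and the preceding slide; it is not SRX code. Zones, policies, routes and packets are constructed, and the session token is modelled as the ingress routing-instance name (an assumption).

```python
"""Model of session-based forwarding: the first packet of a flow goes through
route lookup, zone mapping and policy lookup and creates a session; every later
packet in either direction matches the session and skips the policy lookup.
Constructed example, not SRX code; the "session token" is modelled as the
ingress routing-instance name (assumption)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str      # "tcp", "udp", ...
    in_iface: str      # ingress interface, e.g. "vlan.0"


@dataclass
class Policy:
    from_zone: str
    to_zone: str
    protocol: str      # "any" or a protocol name
    dst_port: int      # 0 means any port
    action: str        # "permit" or "deny"


class FlowEngine:
    def __init__(self, iface_zone: Dict[str, str], routes: Dict[str, str],
                 policies: List[Policy], instance: str = "inet.0"):
        self.iface_zone = iface_zone                    # interface -> zone
        self.routes = {ipaddress.ip_network(p): i for p, i in routes.items()}
        self.policies = policies                        # ordered, first match wins
        self.token = instance
        self.sessions: Dict[Tuple, int] = {}            # wing key -> session id
        self.policy_lookups = 0
        self.next_session_id = 1

    def _egress_iface(self, dst_ip: str) -> Optional[str]:
        dst = ipaddress.ip_address(dst_ip)
        matches = [(n.prefixlen, i) for n, i in self.routes.items() if dst in n]
        return max(matches)[1] if matches else None     # longest prefix wins

    def _wing(self, pkt: Packet) -> Tuple:
        # Session lookup key: the 5-tuple plus the session token
        return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port,
                pkt.protocol, self.token)

    def _policy_lookup(self, from_zone: str, to_zone: str, pkt: Packet) -> str:
        self.policy_lookups += 1
        for pol in self.policies:
            if (pol.from_zone, pol.to_zone) != (from_zone, to_zone):
                continue
            if pol.protocol not in ("any", pkt.protocol):
                continue
            if pol.dst_port not in (0, pkt.dst_port):
                continue
            return pol.action
        return "deny"   # default deny when no policy matches

    def process(self, pkt: Packet) -> str:
        # Fast path: an existing session (either direction) is hit without
        # touching the policy rulebase.
        sid = self.sessions.get(self._wing(pkt))
        if sid is not None:
            return f"permit (session {sid} hit)"
        # Slow path: first packet of a new flow.
        from_zone = self.iface_zone.get(pkt.in_iface)
        out_iface = self._egress_iface(pkt.dst_ip)
        to_zone = self.iface_zone.get(out_iface) if out_iface else None
        if from_zone is None or to_zone is None:
            return "drop (no route or unzoned interface)"
        if self._policy_lookup(from_zone, to_zone, pkt) != "permit":
            return f"deny ({from_zone} -> {to_zone})"
        sid = self.next_session_id
        self.next_session_id += 1
        self.sessions[self._wing(pkt)] = sid
        # Reverse wing so that the return traffic matches the same session.
        reverse = Packet(pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port,
                         pkt.protocol, out_iface)
        self.sessions[self._wing(reverse)] = sid
        return f"permit (session {sid} created, {from_zone} -> {to_zone})"


def demo() -> Tuple[str, str, str, int]:
    # Constructed branch setup: vlan.0 in zone trust, ge-0/0/0.0 in zone untrust
    fw = FlowEngine(
        iface_zone={"vlan.0": "trust", "ge-0/0/0.0": "untrust"},
        routes={"192.168.1.0/24": "vlan.0", "0.0.0.0/0": "ge-0/0/0.0"},
        policies=[Policy("trust", "untrust", "tcp", 443, "permit")],
    )
    first = fw.process(Packet("192.168.1.10", 40000, "203.0.113.5", 443, "tcp", "vlan.0"))
    reply = fw.process(Packet("203.0.113.5", 443, "192.168.1.10", 40000, "tcp", "ge-0/0/0.0"))
    unsolicited = fw.process(Packet("198.51.100.9", 5555, "192.168.1.10", 22, "tcp", "ge-0/0/0.0"))
    return first, reply, unsolicited, fw.policy_lookups


if __name__ == "__main__":
    for line in demo()[:3]:
        print(line)
```

The reply packet is accepted on the reverse wing of session 1 without a second policy lookup, while the unsolicited inbound connection hits the default deny.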



CONTROL PLANE VERSUS DATA PLANE

Control Plane:
Implemented on the Routing Engine
JUNOS software kernel, daemons, chassis management, user
interface, routing protocols, system monitoring, clustering control
Data Plane:
Implemented on the IOCs and SPCs
Forwarding packets, session setup and maintenance,
load-balancing, security policy, screen options, IDP, VPN



LOGIN
LOGIN

In the factory default state, log in as user "root"; the password is empty.


Amnesiac (ttyd0)

login: root

********************************************************************
** Welcome to JUNOS: **
** **
** To run the console configuration wizard, please run the **
** command 'config-wizard' at the 'root%' prompt. **
** **
** To enter the JUNOS CLI, please run the command 'cli'. **
** **
********************************************************************

root@% cli
root>



LOGIN
Non-root users are placed into the CLI automatically.
switch (ttyu0)

login: user
Password:

--- JUNOS 9.1R2.10 built 2008-07-01 04:34:43 UTC


user@switch>

The root user must start the CLI from the shell.
Do not forget to exit the root shell after logging out of the CLI!
switch (ttyu0)

login: root
Password:

--- JUNOS 9.1R2.10 built 2008-07-01 04:34:43 UTC

root@switch% cli                 <-- shell prompt (%)
root@switch>                     <-- CLI prompt (>)



CLI BASICS
CLI MODES
Shell - when you log in as root. The % character identifies shell mode:
root% cli
root>

CLI - operational mode. The > character identifies operational mode:
user@switch>

CLI - configuration mode. The # character identifies configuration mode:
user@switch> configure
[edit]
user@switch# exit
user@switch>



CLI HIERARCHY

Execute commands (mainly) from the default CLI level (user@switch>).
Can execute from configuration mode with the run command.
Commands form a hierarchy, from less specific to more specific.
Example: show spanning-tree interface

Less specific:   clear  configure  help  monitor  set  show  etc.
                 dot1x  configuration  spanning-tree  version  etc.
More specific:   bridge  interface  mstp  statistics


CLI EDITING

EMACS-style editing sequences are supported:

user@switch> show interfaces
Ctrl+a  moves the cursor to the beginning of the line
Ctrl+e  moves the cursor to the end of the line
Ctrl+b  moves the cursor back one character
Ctrl+f  moves the cursor forward one character

A VT100 terminal type also supports the arrow keys.
COMMAND AND VARIABLE COMPLETION
Spacebar completes a command:
user@host> sh<space>ow i<space>
'i' is ambiguous.
Possible completions:
igmp Show Internet Group Management Protocol...
ike Show Internet Key Exchange information
interfaces Show interface information
ipsec Show IP Security information
isis Show Intermediate System-to-Intermediate...

user@host> show i

Use the Tab key to complete an assigned variable:

[edit policy-options]
user@host# show policy-statement t<tab>his-is-my-policy
then accept;

[edit policy-options]
user@host#



CONTEXT-SENSITIVE HELP

Type ? anywhere on the command line


user@host> ?
Possible completions:
clear Clear information in the system
configure Manipulate software configuration information
file Perform file operations
help Provide help information
. . .
user@host> clear ?
Possible completions:
arp Clear address resolution information
bfd Clear Bidirectional Forwarding Detection information
bgp Clear Border Gateway Protocol information
firewall Clear firewall counters
. . .



SHOW CURRENT CONFIGURATION
JUNOS Style
root@J6350> show config
## Last commit: 2009-03-18 10:27:20 UTC by lab
version 9.3R2.8;
system {
host-name Demo-081-111-J6350;
root-authentication {
encrypted-password "$1$QOLKoFKc$D/rIuLTkLP1BX9/GjQ.yN."; ## SECRET-DATA
}
name-server {
172.30.80.65;
}
login {
user lab {
uid 2000;
class super-user;
........

ScreenOS Style
root@J6350> show config | display set
set version 9.3R2.8
set system host-name J6350
set system root-authentication encrypted-password "$1$QOLKoFKc$D/rIuLTkLP1BX9/GjQ.yN."
set system name-server 172.30.80.65
set system login user lab uid 2000
set system login user lab class super-user
........
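
Added example that emulates what "show config | display set" does, converting the JUNOS brace style shown above into ScreenOS-like set statements offline; it is not part of the Jump Station. The sample configuration is constructed (the password hash is a placeholder) and it is assumed that "##" annotations never occur inside a quoted value.

```python
"""Convert Junos curly-brace configuration into "set" statements, as
"show configuration | display set" does. Constructed sample, placeholder hash.
Assumption: "##" annotations never appear inside a quoted value."""
import re

SAMPLE_CONFIG = """\
## Last commit: 2009-03-18 10:27:20 UTC by lab
version 9.3R2.8;
system {
    host-name J6350;
    root-authentication {
        encrypted-password "$1$PLACEHOLDER$notarealhash"; ## SECRET-DATA
    }
    name-server {
        172.30.80.65;
    }
    login {
        user lab {
            uid 2000;
            class super-user;
        }
    }
}
interfaces {
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members [ vlan-trust vlan-guest ];
                }
            }
        }
    }
}
"""

ANNOTATION_RE = re.compile(r"\s*##.*$")            # "## SECRET-DATA", "## Last commit"
LIST_RE = re.compile(r"^(.*?)\s*\[\s*(.*?)\s*\]$")  # "members [ a b ]"


def to_set_statements(config_text):
    """Return the list of 'set ...' lines equivalent to the brace-style text."""
    path = []        # current hierarchy, e.g. ["system", "login", "user lab"]
    statements = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = ANNOTATION_RE.sub("", raw).strip()
        if not line:
            continue
        if line == "}":
            if not path:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            path.pop()
        elif line.endswith("{"):
            path.append(line[:-1].strip())
        elif line.endswith(";"):
            leaf = line[:-1].strip()
            prefix = " ".join(path)
            # display set expands "[ a b ]" lists into one statement per item
            m = LIST_RE.match(leaf)
            values = m.group(2).split() if m else [None]
            head = m.group(1) if m else leaf
            for value in values:
                words = [prefix, head] + ([value] if value else [])
                statements.append("set " + " ".join(w for w in words if w))
        else:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    if path:
        raise ValueError("unbalanced braces: still inside " + " ".join(path))
    return statements


if __name__ == "__main__":
    print("\n".join(to_set_statements(SAMPLE_CONFIG)))
```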
CONFIGURATION, CANDIDATE, COMMIT, ROLLBACK



COMMANDS IN CONFIGURATION MODE (1)



COMMANDS IN CONFIGURATION MODE (2)



COPY/PASTE CONFIGURATIONS

To paste and overwrite the whole configuration


SRX# load replace terminal
[Type ^D at a new line to end input]
system {
........

To paste and add pieces of configuration


SRX# load merge terminal <relative>
[Type ^D at a new line to end input]
system {
........

To paste configuration written with "set" commands


SRX# load set terminal <relative>
[Type ^D at a new line to end input]
set system .



CONTROL AND FORWARDING PLANE OF A JUNOS
ROUTER



NETWORK
INTERFACES
INTERFACE NUMBERING
Interface names and numbers
Interface name = <Interface Type>-<Slot>/<Module>/<Port>.<logical number>

All numbers start from 0

Example :
ge-0/1/2.3 - Gigabit Interface (Slot 0, Module 1, Port 2, Logical unit 3)
fe-0/1/2.3 - Fast Ethernet Interface
st0.0 - First Secure Tunnel Interface (VPN Tunnel)
lo0 - First loopback interface

For a list of Interface Types see


http://www.juniper.net/techpubs/software/JUNOS/JUNOS96/swconfig-network-interfaces/frameset.html

Wildcards - many commands accept wildcards in interface names


show interfaces ge-0/0/*



SWITCHING
SWITCHING ON FIREWALLS ?
Switching features on the firewall can help to simplify the network by
eliminating additional switches. This can be a commercial and
management advantage, especially in small branch offices.

Switching is possible on Branch SRX models (SRX100 to SRX650)
and J-Series with uPIM modules.

Switching is not available (and not needed) on High-End SRX.

Switching is done in hardware. Full throughput can be achieved
without consuming CPU performance.

Since JUNOS 10.0 the smaller SRX (100 to 240) have switching
enabled on all interfaces (except ge-0/0/0) in the factory default
configuration.



SWITCHING
DEFAULT CONFIGURATION ON SRX210 WITH JUNOS 10.0
# An internal VLAN (vlan-trust) is defined to allow switching several interfaces
set vlans vlan-trust vlan-id 3

# An interface vlan unit 0 is assigned to this VLAN as the Layer 3 interface in this VLAN
set vlans vlan-trust l3-interface vlan.0

# This Layer 3 interface can have an IP address that is reachable from all
# hosts on its VLAN. In branch deployments this is typically the gateway address.
set interfaces vlan unit 0 family inet address 192.168.1.1/24

# All physical interfaces - except ge-0/0/0 of the SRX210 - are now assigned
# to an interface-range with the name interfaces-trust
set interfaces interface-range interfaces-trust member ge-0/0/1
set interfaces interface-range interfaces-trust member fe-0/0/2
set interfaces interface-range interfaces-trust member fe-0/0/3
set interfaces interface-range interfaces-trust member fe-0/0/4
set interfaces interface-range interfaces-trust member fe-0/0/5
set interfaces interface-range interfaces-trust member fe-0/0/6
set interfaces interface-range interfaces-trust member fe-0/0/7

# The interface-range is assigned to the VLAN vlan-trust
set interfaces interface-range interfaces-trust unit 0 family ethernet-switching vlan members vlan-trust

# It's a firewall, so the interface is mapped to zone trust where all services are enabled
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
SWITCHING
ANOTHER CONFIGURATION EXAMPLE
# Before you can add an interface to switching you probably have to remove existing assignments.
# If there is an IP address assigned to the interface you have to remove it
delete interfaces fe-0/0/2 unit 0 family inet
# If the interface is a member of an interface-range in use, you have to remove it from the range
delete interfaces interface-range .... member fe-0/0/2

# You can specify a VLAN, which will be used for Switching


set vlans VLAN-100 vlan-id 100

# Configure Ethernet switching on the interfaces that are part of the VLAN.


# Default for new switching interfaces is access mode (=untagged)
set interfaces fe-0/0/2 unit 0 family ethernet-switching
set interfaces fe-0/0/3 unit 0 family ethernet-switching

# Assign these interfaces to the desired VLAN


set vlans VLAN-100 interface fe-0/0/2.0
set vlans VLAN-100 interface fe-0/0/3.0

# Configure a VLAN interface with an IP for this VLAN


set interfaces vlan unit 100 family inet address 192.168.1.1/24

# Assign this VLAN interface as your Layer3 Interface on this VLAN


set vlans VLAN-100 l3-interface vlan.100

# It's a firewall, so the VLAN interface must also be in a zone


set security zones security-zone trust interfaces vlan.100

# Allow services on the VLAN interface if desired


set security zones security-zone trust interfaces vlan.100 host-inbound-traffic ....
SWITCHING
TROUBLESHOOTING COMMANDS
# show which vlans exist and which interfaces are assigned
show vlans [detail]

# history of MACs added and removed


show ethernet-switching mac-learning-log

# Current MAC Table


show ethernet-switching table

# Current MAC Table from a certain interface


show ethernet-switching table interface fe-0/0/2



ETHERNET SWITCHING ON BRANCH SRX
INTERFACES SUPPORTED

Platforms On-Board uPIM MPIM XPIM

J2320
J2350
J4350
J6350
SRX100
SRX110
SRX210 *
SRX220 *
SRX240 *
SRX550 * **
SRX650 **
* Ethernet switching support is planned for future release for 1 Gigabit Ethernet SFP MPIM on the SRX210,SRX220,SRX240 and SRX550.
** As of JUNOS OS Release 12.1, Ethernet switching is not supported on 10G XPIM.



REMARKS
Configuration syntax for all supported features is exactly the same
as with the EX switches. The Feature Support Reference documentation
explains which switching features are supported.

There are some dependencies on which ports can be used for
switching (see documentation).

Before 11.1 switching was only applicable to single units.
Commit in the cluster was only possible when all switching
configuration was removed. The assumption was that HA cluster
configurations are usually designed with external switches.

Since 11.1 switching is also supported on Branch SRX clusters and can
even span the two cluster members. This requires an additional
link between the two nodes.



ROUTING
STATIC ROUTES
CONFIGURATION
# Host Route
set routing-options static route 10.2.2.1/32 next-hop 10.1.1.254

# Network Route
set routing-options static route 10.2.2.0/24 next-hop 10.1.1.254

# Default Route
set routing-options static route 0.0.0.0/0 next-hop 10.1.1.254

# Route to an Interface
# Useful for Point-to-Point Interfaces like pppoe, vpn-tunnel, gre-tunnel
set routing-options static route 0.0.0.0/0 next-hop pp0.0
set routing-options static route 10.1.1.0/24 next-hop st0.0

# Route to another Virtual Router


set routing-options static route 10.0.0.100/32 next-table Logging.inet.0

# Example definition of the VR named Logging referenced above
set routing-instances Logging instance-type virtual-router
set routing-instances Logging interface ge-0/0/7.0

# A network route to discard any traffic that did not hit a more specific route.
# Black hole routes can sometimes save performance on policy lookups or
# avoid rerouting in case of interface failures (example: VPN is down)
set routing-options static route 0.0.0.0/0 discard



STATIC ROUTES
ROUTE FAILOVER WITH IP-MONITORING
# Since 11.4 all Branch SRX support IP monitoring and automatic route failover.
# Check out KB22052 for configuration details of a dual ISP connection with RPM for
# IP monitoring and filter based forwarding for load distribution

set services ip-monitoring policy Server-Tracking match rpm-probe Probe-Server
# Installs the route in the first routing instance
set services ip-monitoring policy Server-Tracking then preferred-route routing-instances FBF-1 route 0.0.0.0/0 next-hop 2.2.2.2

set services ip-monitoring policy Server-Tracking1 match rpm-probe Probe-Server1
# Installs the route in the second routing instance
set services ip-monitoring policy Server-Tracking1 then preferred-route routing-instances FBF-2 route 0.0.0.0/0 next-hop 1.1.1.1



STATIC ROUTES
MONITORING
# display Routing table
root@J2300> show route

inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 01:13:15
                    > to 172.16.42.1 via fe-0/0/0.0
10.2.2.0/24        *[Static/5] 00:00:05
                    > to 172.16.42.1 via fe-0/0/0.0
172.16.42.0/24     *[Direct/0] 01:13:15
                    > via fe-0/0/0.0
172.16.42.230/32   *[Local/0] 01:21:12
                      Local via fe-0/0/0.0
224.0.0.9/32       *[RIP/100] 01:21:37, metric 1
                      MultiRecv

# route lookup for a certain destination


root@J2300> show route 20.0.0.1

# routing table overview


root@J2300> show route summary

# Forwarding table (includes all active routes, visible for the data-plane)
root@J2300> show route forwarding-table
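
Added example, not part of the Jump Station: a parser for the "show route" output format above, followed by the longest-prefix lookup that "show route <destination>" performs. The table text is the output shown above plus one constructed discard route, so the black-hole route from the static routes slide can be seen resolving.

```python
"""Parse "show route" output and resolve a destination as the data plane would.

Constructed input: the output shown on the slide plus one discard route.
The lookup picks the longest matching prefix among active routes; on equal
length the lower route preference wins."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

SHOW_ROUTE_OUTPUT = """\
inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 01:13:15
                    > to 172.16.42.1 via fe-0/0/0.0
10.2.2.0/24        *[Static/5] 00:00:05
                    > to 172.16.42.1 via fe-0/0/0.0
10.99.0.0/16       *[Static/5] 00:00:10
                      Discard
172.16.42.0/24     *[Direct/0] 01:13:15
                    > via fe-0/0/0.0
172.16.42.230/32   *[Local/0] 01:21:12
                      Local via fe-0/0/0.0
224.0.0.9/32       *[RIP/100] 01:21:37, metric 1
                      MultiRecv
"""

# "10.2.2.0/24        *[Static/5] 00:00:05"
ROUTE_RE = re.compile(r"^(\S+/\d+)\s+([*+-])\[(\w+)/(\d+)\]")
# "> to 172.16.42.1 via fe-0/0/0.0", "> via fe-0/0/0.0", "Local via fe-0/0/0.0"
NEXTHOP_RE = re.compile(r"^\s+(?:>\s*|Local\s+)?(?:to (\S+) )?via (\S+)")


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    active: bool
    protocol: str
    preference: int
    gateway: Optional[str] = None     # next-hop IP; None for direct/local
    interface: Optional[str] = None
    action: Optional[str] = None      # "Discard", "Reject", "MultiRecv"


def parse_show_route(text: str) -> List[Route]:
    routes: List[Route] = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            prefix, flag, proto, pref = m.groups()
            routes.append(Route(ipaddress.ip_network(prefix), flag in "*+",
                                proto, int(pref)))
            continue
        if not routes or not line.startswith(" "):
            continue                      # table header or legend line
        m = NEXTHOP_RE.match(line)
        if m:
            routes[-1].gateway, routes[-1].interface = m.groups()
        elif line.strip() in ("Discard", "Reject", "MultiRecv"):
            routes[-1].action = line.strip()
    return routes


def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match over active routes, tie broken by preference."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if r.active and dst in r.prefix]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.prefix.prefixlen, r.preference))


def describe(route: Optional[Route]) -> str:
    if route is None:
        return "no route: packet dropped"
    if route.action == "Discard":
        return f"{route.prefix} [{route.protocol}]: silently discarded"
    if route.gateway:
        return f"{route.prefix} [{route.protocol}]: to {route.gateway} via {route.interface}"
    return f"{route.prefix} [{route.protocol}]: directly connected via {route.interface}"


if __name__ == "__main__":
    table = parse_show_route(SHOW_ROUTE_OUTPUT)
    for dest in ("10.2.2.55", "10.99.1.1", "172.16.42.230", "198.51.100.7"):
        print(dest, "->", describe(lookup(table, dest)))
```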



OSPF
CONFIGURATION
# enable OSPF on an interface
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0
# And permit OSPF traffic into the zone of this interface (the zone name must be given)
set security zones security-zone <zone-name> host-inbound-traffic protocols ospf

# Recommended: use loopback interface


set interfaces lo0 unit 0 family inet address 192.168.1.2/32
set protocols ospf area 0.0.0.0 interface lo0.0 passive

# Option: specify your own Router-id


set routing-options router-id 192.168.1.2

# to get direct interface routes announced you can add them to OSPF in passive mode
set protocols ospf area 0.0.0.0 interface vlan.100 passive

# Option: Negotiate graceful restart


set routing-options graceful-restart

# On SRX Clusters for RG0 failover, you might have to extend OSPF Timers to survive
# a dead interval of 5-20 seconds and also use the following setting:
set protocols ospf graceful-restart no-strict-lsa-checking



RIP
CONFIGURATION
# RIP requires a group; all interfaces are attached to this group as neighbors
set protocols rip group RIP neighbor ge-0/0/0.0
set protocols rip group RIP neighbor ge-0/0/1.0

# And permit RIP traffic in the zones of these interfaces
set security zones security-zone TRUST host-inbound-traffic protocols rip

# You can add IPsec tunnel interfaces with relaxed RIP update timers
# You can even work with tunnel interfaces using Next-Hop-Tunnel-Binding (NHTB)
set protocols rip group RIP neighbor st0.0 interface-type p2mp
set protocols rip group RIP neighbor st0.0 dynamic-peers
set interfaces st0 unit 0 multipoint

# Option: Negotiate graceful restart
set routing-options graceful-restart

# Export routes from the RIP group via a policy-options filter
set policy-options policy-statement FILTER term a from route-filter 1.2.3.0/24 exact
set policy-options policy-statement FILTER term a then accept
set policy-options policy-statement FILTER term drop then reject
set protocols rip group RIP export FILTER



OSPF
MONITORING
# See Neighbors and State
root> show ospf neighbor
Address Interface State ID Pri Dead
10.222.2.2 ge-0/0/11.0 Full 192.168.36.1 128 36

# Link State Database


root> show ospf database



OSPF IMPORT/EXPORT FILTER (POLICY-OPTIONS)
# OSPF default is to import everything (into the RT) and export routes only from interfaces
# that are (active) members of the same OSPF area

# For export of all other routes or to filter inbound routes you need routing policy
# filters

# Example filter to export all local static and all direct routes
edit policy-options policy-statement ALL-LOCAL
set term 1 from protocol direct
set term 1 then accept
set term 2 from protocol static
set term 2 then accept
top
set protocols ospf export ALL-LOCAL

# Example filter to export only a certain route (which must exist in the routing table)
edit policy-options policy-statement JUST-ONE
set term 1 from route-filter 172.10.0.0/16 exact
set term 1 then metric 10
set term 1 then accept
top
set protocols ospf export JUST-ONE
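
Added example, not part of the Jump Station: an evaluator for routing-policy terms that encodes the ALL-LOCAL and JUST-ONE policies above, the RIP FILTER policy from the RIP slide and the RIPNG-EXPORT policy from the IPv6 RIPng slide, and walks routes through them to show term order, the AND of several "from" conditions, exact versus orlonger route-filters and the fall-through to the protocol's default export policy (reject for OSPF and RIP). One route-filter per term is assumed.

```python
"""Evaluate Junos routing-policy terms: a term matches only when all of its
"from" conditions hold; the first terminating "then" (accept/reject) decides;
a route no term terminates falls to the default export policy (reject for
OSPF and RIP). Assumption: one route-filter per term."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Route:
    prefix: str
    protocol: str
    metric: int = 0


@dataclass
class Term:
    name: str
    protocol: Optional[str] = None                  # from protocol <x>
    route_filter: Optional[Tuple[str, str]] = None  # (prefix, exact|orlonger|longer)
    metric: Optional[int] = None                    # then metric <n>
    action: Optional[str] = None                    # then accept | reject


def _filter_matches(route_prefix: str, filter_prefix: str, match_type: str) -> bool:
    route = ipaddress.ip_network(route_prefix)
    flt = ipaddress.ip_network(filter_prefix)
    if route.version != flt.version or not route.subnet_of(flt):
        return False
    if match_type == "exact":
        return route.prefixlen == flt.prefixlen
    if match_type == "orlonger":
        return True
    if match_type == "longer":
        return route.prefixlen > flt.prefixlen
    raise ValueError(f"unsupported match type {match_type}")


def _term_matches(term: Term, route: Route) -> bool:
    if term.protocol and term.protocol.lower() != route.protocol.lower():
        return False
    if term.route_filter and not _filter_matches(route.prefix, *term.route_filter):
        return False
    return True


def evaluate(policy: List[Term], route: Route, default: str = "reject") -> Tuple[str, int]:
    """Return (action, metric) for the route after applying the policy."""
    metric = route.metric
    for term in policy:
        if not _term_matches(term, route):
            continue
        if term.metric is not None:
            metric = term.metric            # modification applies before the action
        if term.action in ("accept", "reject"):
            return term.action, metric
        # matched without a terminating action: continue with the next term
    return default, metric


# policy-statement ALL-LOCAL from the OSPF slide
ALL_LOCAL = [Term("1", protocol="direct", action="accept"),
             Term("2", protocol="static", action="accept")]
# policy-statement JUST-ONE from the OSPF slide
JUST_ONE = [Term("1", route_filter=("172.10.0.0/16", "exact"), metric=10, action="accept")]
# policy-statement FILTER from the RIP slide
FILTER = [Term("a", route_filter=("1.2.3.0/24", "exact"), action="accept"),
          Term("drop", action="reject")]
# policy-statement RIPNG-EXPORT from the IPv6 RIPng slide: two "from" conditions in one term
RIPNG_EXPORT = [Term("RIPNG", protocol="ripng", action="accept"),
                Term("DIRECT", protocol="direct",
                     route_filter=("2001:DB8::/32", "orlonger"), action="accept")]


if __name__ == "__main__":
    for name, pol, route in (("ALL-LOCAL", ALL_LOCAL, Route("10.2.2.0/24", "static")),
                             ("JUST-ONE", JUST_ONE, Route("172.10.0.0/16", "static")),
                             ("FILTER", FILTER, Route("1.2.0.0/16", "direct")),
                             ("RIPNG-EXPORT", RIPNG_EXPORT, Route("2001:db8:1::/48", "direct"))):
        print(name, route.prefix, "->", evaluate(pol, route))
```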



BGP
CONFIGURATION
# Example configuration with two AS
# Permit BGP traffic on the zone or interface(s) where you reach your peer(s)
set security zones security-zone trust host-inbound-traffic protocols bgp

# Recommended: use a loopback interface
set interfaces lo0 unit 0 family inet address 1.1.1.2/32

# Specify your own AS and your router-id
set routing-options autonomous-system 1234
set routing-options router-id 1.1.1.2

# Specify peer(s)
edit protocols bgp group UPSTREAM
set local-address 1.1.1.2
set peer-as 64005
set local-as 64006
set neighbor 1.1.1.1 export BGP-EXPORT-POLICY
top

# A policy for how to export the routes
set policy-options policy-statement BGP-EXPORT-POLICY from protocol direct
set policy-options policy-statement BGP-EXPORT-POLICY then accept

# Option: Set static routes that are not redistributed
set routing-options static route 1.1.2.0/24 no-readvertise

# Option: Specify how to aggregate routes
set routing-options aggregate route 1.1.1.1/20 [policy ... ]
BGP
MONITORING
show bgp neighbor
show bgp summary
show route summary

# Which routes did we receive from a neighbour


show route receive-protocol bgp <peer-ip>

# Which routes do we send to a neighbour


show route advertising-protocol bgp <peer-ip>



IS-IS
CONFIGURATION
set interfaces ge-0/0/1 unit 0 family iso
set interfaces ge-0/0/2 unit 0 family iso

set interfaces lo0 unit 0 family iso address 49.0002.0002.0002.00

set protocols isis interface ge-0/0/1.0


set protocols isis interface ge-0/0/2.0
set protocols isis interface lo0.0 passive



TUNNEL INTERFACES
TUNNEL INTERFACES :
GRE - GENERIC ROUTING ENCAPSULATION
# Typical use cases for GRE tunnels are
# - OSPF over GRE with non-Juniper routers
# - Multicast over GRE with non-Juniper routers

set interfaces gr-0/0/0 unit 0 tunnel source 10.0.0.1
set interfaces gr-0/0/0 unit 0 tunnel destination 10.0.0.2
set interfaces gr-0/0/0 unit 0 family inet address 10.1.0.1/30
set protocols ospf area 0.0.0.0 interface gr-0/0/0.0
set security zones security-zone vpn host-inbound-traffic protocols ospf
set security zones security-zone vpn interfaces gr-0/0/0.0

# MTU adjustments might be necessary because the GRE default MTU is ~ 9000

# When fragmentation happens in a GRE tunnel there are two options for reassembly
# a) use IDP inspection on the traffic leaving the tunnel
# b) since JUNOS 11.2 you can apply the following command
set security flow force-ip-reassembly



TUNNEL INTERFACES:
LOGICAL TUNNEL
# A logical tunnel can be used like a physical wire between two interfaces of an SRX
# Typical use cases are:
# - forwarding between a VR in packet mode and a VR in flow mode
# - forwarding between VRs to apply two policies to one session
# - Lsys-to-Lsys traffic (all Lsys have one tunnel to Lsys0)

# Logical Tunnel Interfaces


set interfaces lt-0/0/0 unit 0 encapsulation ethernet
set interfaces lt-0/0/0 unit 0 peer-unit 1
set interfaces lt-0/0/0 unit 0 family inet
set interfaces lt-0/0/0 unit 1 encapsulation ethernet
set interfaces lt-0/0/0 unit 1 peer-unit 0
set interfaces lt-0/0/0 unit 1 family inet

# and now use them between two VRs


set routing-instances r1 interface lt-0/0/0.0
set routing-instances r2 interface lt-0/0/0.1



TUNNEL INTERFACES:
IP OVER IP
# This example forwards all IPv6 traffic encapsulated in IPv4 to 10.19.3.1

set interfaces ip-0/0/0 unit 0 tunnel source 10.19.2.1
set interfaces ip-0/0/0 unit 0 tunnel destination 10.19.3.1
set interfaces ip-0/0/0 unit 0 family inet6 address 7019::1/126
set routing-options rib inet6.0 static route ::/0 next-hop ip-0/0/0.0



MULTICAST
IPV4 MULTICAST CONFIGURATION (1)
# IGMP allows receivers to join/leave a group:
# Version 1 had join only and a 3 minute timeout
# Version 2 (default) allows receivers to join and leave
# Version 3 allows receivers to join and to select the source IP of the sender
set protocols igmp interface reth2.0 version 3

# Enable PIM to communicate with multicast routers in the distribution tree
set protocols pim interface reth1.0

# Finding the Rendezvous Point
# Option 1: Static Rendezvous Point on another router
set protocols pim rp static address 192.168.1.1

# Option 2: we are the Rendezvous Point ourselves - in this case the loopback interface is best practice
set interfaces lo0 unit 0 family inet address <IP-for-RP>/32
set protocols pim rp local address <IP-for-RP>

# Other options supported for RP selection: Anycast, Bootstrap, Auto-RP

# Best Practice for Multicast Routing: PIM Dense Mode with Anycast RP
# Check Technote: Multicast Implementation Guide



IPV4 MULTICAST CONFIGURATION (2)
# Allow igmp on all interfaces where we expect receivers to join
set security zones security-zone A interfaces reth1.0 host-inbound-traffic protocols igmp
set security zones security-zone B interfaces reth2.0 host-inbound-traffic protocols igmp

# Allow PIM on all interfaces where we expect distribution Routers


set security zones security-zone A interfaces reth1.0 host-inbound-traffic protocols pim
set security zones security-zone B interfaces reth2.0 host-inbound-traffic protocols pim

# All interfaces can also be in a custom VR

# IGMP Configuration is not in VR context


set protocols igmp interface reth20.0 version 3

set routing-instances VR-MCAST instance-type virtual-router


edit routing-instances VR-MCAST
set interface vlan.3
set interface vlan.10
set interface vlan.20
set interface vlan.30
set protocols igmp interface vlan.20
set protocols pim rp local address 10.0.42.110
set protocols pim interface vlan.10
top



IPV4 MULTICAST TROUBLESHOOTING
# Monitoring
show pim bootstrap [instance VR]
show pim interfaces [instance VR]
show pim join [instance VR]
show pim mdt [instance VR]
show pim neighbors [instance VR]
show pim rps [instance VR]
show pim source [instance VR]
show pim statistics [instance VR]

show igmp interface


show igmp output-group
show igmp statistics

show multicast route


show multicast rpf

# tcpdump to watch PIM and IGMP Packets


monitor traffic interface vlan.10 no-resolve detail size 1500 matching "pim || igmp"

# DEBUGGING
set protocols pim traceoptions file trace-pim
set protocols pim traceoptions flag all
set protocols igmp traceoptions file trace-igmp
set protocols igmp traceoptions flag all

# PIM to IGMP Proxy


show multicast pim-to-igmp-proxy
IPV4 MULTICAST FURTHER INFORMATION
# Best Practice for Multicast Routing: PIM Dense Mode with Anycast RP
# Check Technote: Multicast Implementation Guide

# An IGMP proxy is not available, but pim-to-igmp-proxy is available
set routing-options multicast pim-to-igmp-proxy upstream-interface ge-0/1/0.1

# Important Hint for Multicast on SRX-Cluster:


# Disable IGMP-Snooping on the surrounding switches to avoid outages after failover

# Multicast Configuration Overview and Examples


http://www.juniper.net/techpubs/en_US/junos12.1/information-products/pathway-pages/config-guide-multicast/config-guide-multicast.html#configuration

# Dense Mode and Debugging Example


http://kb.juniper.net/InfoCenter/index?page=content&id=KB24781

# Multicast Implementation Guide (EX and MX)


http://kb.juniper.net/library/CUSTOMERSERVICE/technotes/8010062-001-EN.pdf



IPV6
IPV6
CURRENT STATE (12.1)
IPv6 firewalling
- works in route mode with the following features:
  - Policy/Zones/Flow/Fragment/HA/[FTP/TFTP/DNS ALG]/FW Auth
  - in Active/Passive clusters since 10.0
  - in Active/Active clusters since 11.2
  - IDP on IPv6 in route mode since 11.4
- works in transparent mode with the following features since 11.4R3:
  - Policy/Zones/Flow/Fragment/HA/[FTP/TFTP/DNS ALG]/FW Auth/VLAN retagging/SNMP

For more details on IPv6 feature support in JUNOS 12.1 check this documentation:
http://www.juniper.net/techpubs/en_US/junos12.1/topics/reference/general/security-feature-ipv6-support.html



IPV6 DHCPV6 SERVER

# A DHCPv6 server for prefix delegation is available on High-End SRX

# The example below offers prefix delegation only (no exact IP assignment)


edit system services dhcp-local-server dhcpv6
set overrides interface-client-limit 100
set group GROUP1 interface ge-0/0/0.0
top

edit access address-assignment pool TRUSTv6 family inet6


set prefix fd27:9816:dca8:1::/48
set range RANGE1 prefix-length 64
top

# For exact IP assignment and DHCP server options use these statements
edit access address-assignment pool TRUSTv6 family inet6
set dhcp-attributes dns-server ....
set dhcp-attributes options ....
set range RANGE1 high ...
set range RANGE1 low ...
top



IPV6
DIAGNOSTICS
show interfaces terse
# shows two IPv6 addresses for each interface:
# 2001:........ = global address
# fe80:x:x:x = link local address

show route table inet6.0
show ipv6 neighbors
show ipv6 router-advertisement

# Interface Traffic monitor - filtered to IPv6 only


monitor traffic interface ge-0/0/0.0 matching ip6 size 200 detail

# ping, we use the same ping for ipv4 and ipv6


ping 2001:638:c:a057::1

# force ping with IPv6


ping inet6 www.heise.de

# traceroute, same command as for IPv4


traceroute 2001:db8:0:6:202:b300:2215:595 source 2001:db8::5

# Monitoring session table


show security flow session summary family [inet|inet6]

IPV6
DYNAMIC ROUTING WITH RIPNG
# Enable RIPng on the following interfaces
edit protocols ripng
edit group NEIGHBORS
set neighbor ge-0/0/0.0
set neighbor ge-0/0/1.0
set neighbor fe-0/0/2.0
set neighbor fe-0/0/3.0
top

# If you want to export routes you need an export policy with a route filter
edit policy-options policy-statement RIPNG-EXPORT
set term RIPNG from protocol ripng
set term RIPNG then accept
set term DIRECT from protocol direct
set term DIRECT from route-filter 2001:DB8::/32 orlonger
set term DIRECT then accept
top

# The export policy must be applied to the RIPng group
set protocols ripng group NEIGHBORS export RIPNG-EXPORT

# Monitoring
show route receive-protocol ripng
show route advertising-protocol ripng
show route protocol ripng

IPV6
DYNAMIC ROUTING WITH OSPFV3
# Adding a loopback interface is best practice when using routing protocols
set interfaces lo0 unit 0 family inet address 10.0.0.210/32

# Specifying the router-id (as an IPv4 address) is also recommended
set routing-options router-id 10.0.0.210

# Enable OSPFv3 on the following interfaces (lo0 is passive: advertised, but no adjacency is formed on it)
edit protocols ospf3
set area 0 interface lo0.0 passive
set area 0 interface ge-0/0/0.0
set area 0 interface ge-0/0/1.0
set area 0 interface fe-0/0/2.0
set area 0 interface fe-0/0/3.0
top

# Monitoring commands
show ospf3 neighbor
show ospf3 overview
show ospf3 route
show ospf3 statistics

IPV6
IMPROVED SECURITY
# Off-link malicious IPv6 nodes may spoof Neighbor Discovery messages to poison
# the router's ND cache. To mitigate, accept ND entries only for on-link subnets:
set protocols neighbor-discovery onlink-subnet-only

# A reload after the commit is suggested to clear any bogus neighbor entries from the cache

VLAN TRUNKING AND LINK AGGREGATION
VLAN TRUNKS
VLAN TRUNKS
NOTES AND LIMITATIONS
There are two possible approaches to configuring VLAN trunks on SRX:
- as part of the "Switching" configuration (family ethernet-switching)
- as part of the "Routing" configuration (family inet)

"Switching" configuration
- allows switching between all interfaces that are part of a VLAN; the member interfaces can be tagged and/or untagged
- supported only on Branch SRX
- not supported on redundant interfaces of a cluster

"Routing" configuration
- allows creating a sub-interface and using it for routing
- supported on all SRX platforms
- also supported in cluster mode (can be applied to reth interfaces)
- also supported on aggregate interfaces
VLAN TRUNK
CONFIGURATION EXAMPLE FAMILY "INET"
# Enable VLAN tagging on a physical interface
set interfaces ge-0/0/0 vlan-tagging

# Now we can create two sub-interfaces (units) on this physical interface
# Best practice: use the vlan-id also as the unit number
set interfaces ge-0/0/0 unit 11 vlan-id 11
set interfaces ge-0/0/0 unit 11 family inet address 10.0.11.1/24
set interfaces ge-0/0/0 unit 12 vlan-id 12
set interfaces ge-0/0/0 unit 12 family inet address 10.0.12.1/24

# The different sub-interfaces (VLANs) can be placed in different zones
set security zones security-zone zone11 interfaces ge-0/0/0.11
set security zones security-zone zone12 interfaces ge-0/0/0.12

VLAN TRUNK
CONFIGURATION EXAMPLE FAMILY "SWITCHING"
# Define all VLANs you want to participate in
set vlans VLAN-80 vlan-id 80

# For trunk ports which carry multiple VLANs use the following syntax
set interfaces xe-0/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces xe-0/0/0 unit 0 family ethernet-switching vlan members all

# For access ports which are untagged but mapped to a certain VLAN
# use the following syntax
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members <name>

# To create an RVI (routed VLAN interface) that holds an IP address on a VLAN
set interfaces vlan unit 80 family inet address 80.0.0.1/24

# And assign this interface to the VLAN
set vlans VLAN-80 l3-interface vlan.80

LINK AGGREGATION AND LACP
LINK AGGREGATION ON BRANCH SRX
NOTES AND LIMITATIONS
Standalone units:
- Link aggregation is possible by configuration of AE interfaces
- AE interfaces are supported with family ethernet-switching since JUNOS 9.5
- AE interfaces are supported with family inet since JUNOS 10.1r2
- LACP on AE interfaces with family ethernet-switching is supported since JUNOS 9.5
- LACP on AE interfaces with family inet is supported since JUNOS 10.2r2
Chassis clusters (redundant interfaces):
- Redundant interfaces (as required in clusters for failover) can have aggregate interfaces as members since JUNOS 10.3r2
- Switching across members of an HA cluster is available since 11.2; this requires an additional link between the two Branch SRX
Chassis clusters (private interfaces):
- Private interfaces, which are only active on one cluster member, are possible in clusters
- Private interfaces can still be aggregate interfaces (local LAG)
- Private interfaces cannot have member interfaces from both chassis at the same time
- A configuration with member interfaces from different chassis might commit, but it is not supported

LINK AGGREGATION ON DATACENTER SRX
NOTES AND LIMITATIONS
Standalone units:
- Link aggregation is possible by configuration of AE interfaces
- Aggregated Ethernet interfaces are supported since JUNOS 10.0
- Aggregated Ethernet interfaces can be used with family inet only
- LACP support is available on High-End SRX since JUNOS 10.2r3
Chassis clusters (redundant interfaces):
- AE cannot be used in a chassis cluster for redundant interfaces, but since JUNOS 10.1 there is another configuration available for link aggregation in chassis clusters. This configuration can even span cluster members. Only interfaces on the active link will be used to receive and transmit data.
- Check the Admin Guide for these "Redundant Ethernet Interface Link Aggregation Groups".
Chassis clusters (private interfaces):
- Private interfaces, which are only active on one cluster member, are possible in clusters
- Private interfaces can still be aggregate interfaces (local LAG)
- Private interfaces cannot have member interfaces from both chassis at the same time
- A configuration with member interfaces from different chassis might commit, but it is not supported

LINK AGGREGATION ON A SINGLE UNIT

Configuration example for an Aggregated Ethernet interface

# Set the number of aggregated interfaces on this device/chassis
set chassis aggregated-devices ethernet device-count <number>

# Configure AE interfaces (ae0, ae1, ...)
# On High-End SRX AE interfaces can use family inet
# On Branch SRX AE interfaces can use family inet and family ethernet-switching
set interfaces <aex> unit 0 family inet address <ip address>

# Associate physical Ethernet interfaces with the AE
set interfaces <interface-name> gigether-options 802.3ad <aex>

# Minimum number of links required for this aggregate to be up
set interfaces <aex> aggregated-ether-options minimum-links <n>

# LACP configuration (today only supported on Branch SRX)
set interfaces <aex> aggregated-ether-options lacp passive

LINK AGGREGATION ON A CHASSIS CLUSTER

Configuration example for a redundant Ethernet interface

# On High-End SRX LAG support starts with 10.1r2, LACP starts with 10.2r3
# On some Branch SRX LAG support starts with 10.3r2, LACP also starts with 10.3r2
# Documentation: "Chassis Cluster Redundant Ethernet Interface Link Aggregation Groups"

set interfaces ge-1/0/1 gigether-options redundant-parent reth1
set interfaces ge-1/0/2 gigether-options redundant-parent reth1
set interfaces ge-1/0/3 gigether-options redundant-parent reth1
set interfaces ge-12/0/1 gigether-options redundant-parent reth1
set interfaces ge-12/0/2 gigether-options redundant-parent reth1
set interfaces ge-12/0/3 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options minimum-links 3

# From the network's point of view these are two independent aggregate interfaces.
# Only the interfaces on the active node are used for transmission

# Further LACP configuration can now be added to the reth interface
set interfaces reth1 redundant-ether-options lacp periodic fast
# choose one LACP mode, either passive or active
set interfaces reth1 redundant-ether-options lacp passive
set interfaces reth1 redundant-ether-options lacp active

LINK AGGREGATION ON DATACENTER SRX

Extend lacpd to support RETHs with JUNOS 10.2
- Hitless RG failover for transit traffic
- Handle active/standby LAGs independently and simultaneously
- Support: a reth is connected to two switches
- Support: a reth is connected to one single switch
- At the remote side: active LAG and standby LAG shall each be terminated at an AE or equivalent (same as 10.1)

[Figure: Cluster 1 with two SRX 5600 (HA node 0 and node 1); reth0 forms an RLAG out of an active LAG and a standby LAG, terminated as ae0 and ae1 on the attached switches/routers]

LINK REDUNDANCY
IP MONITORING & FAILOVER WITH RPM
# Since 11.4r2 Branch SRX can use RPM to monitor the reachability of a destination
# and, in response to PASS or FAIL, fail over a route or an interface

# Configure probes for owner PING-PROBE
# Example: test SERVER1 checks whether the server responds to ping
edit services rpm probe PING-PROBE test SERVER1
set probe-type icmp-ping
set target address 192.168.42.1
set probe-count 5
set probe-interval 5
set thresholds successive-loss 5
set test-interval 10
top

edit services ip-monitoring policy FAILOVER-Policy
set match rpm-probe PING-PROBE
# The admin state of a backup interface can be enabled if the RPM probe fails on the primary.
# If the normal condition is restored the backup interface is disabled again
set then interface ge-0/0/1.0 enable
top

# Monitoring of the ip-monitoring feature
show services ip-monitoring status

BIDIRECTIONAL FORWARDING DETECTION (BFD)
# Bidirectional Forwarding Detection, available for OSPF/BGP
# Useful for link availability tests with aggressive timing (failover within 300 msec)

# Detect OSPF link failure after 3 x 500 msec
edit protocols ospf area 0.0.0.0 interface ge-0/0/0.0
set bfd-liveness-detection minimum-interval 500
set bfd-liveness-detection multiplier 3
set bfd-liveness-detection full-neighbors-only
top

# Detect BGP link failure
edit protocols bgp bfd-liveness-detection
set minimum-interval 800
set multiplier 3
set transmit-interval minimum-interval 150
set transmit-interval threshold 500
set detection-time threshold 200
set holddown-interval 5
top

FLOW LOAD BALANCING WITH EQUAL COST MULTIPATH ROUTING
# ECMP for flows is supported on SRX since JUNOS 12.1

# Add multiple routes to the same destination
set routing-options static route 26.0.0.0/8 next-hop 23.0.54.111
set routing-options static route 26.0.0.0/8 next-hop 24.0.44.101
set routing-options static route 26.0.0.0/8 next-hop 25.0.44.106

# Usually only one of these routes would show up in the forwarding table.
# We need a policy statement to enable per-packet load balancing.
# On SRX this statement in reality enforces per-flow balancing
set policy-options policy-statement LBP then load-balance per-packet

# And we must apply this policy to the forwarding table
set routing-options forwarding-table export LBP

# The forwarding table now shows several next hops for the same destination
user@host> show route forwarding-table
Routing table: default.inet
Internet:
Destination        Type RtRef Next hop         Type Index NhRef Netif
...
26.0.0.0/8         user     0 23.0.54.111      rslv     0     1 ge-0/0/4.0
26.0.0.0/8         user     0 24.0.44.101      rslv     0     1 ge-0/0/6.0
26.0.0.0/8         user     0 25.0.44.106      rslv     0     1 ge-0/0/7.0

# Finally we might influence the hashing algorithm (layer-3 = IP addresses only, layer-4 = TCP/UDP ports too)
set forwarding-options hash-key family inet layer-3
set forwarding-options hash-key family inet layer-4
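The hash-key choice decides which header fields feed the per-flow hash. As an added illustration (Python, not Junos code), the model below hashes a flow's fields onto the three next hops from the static routes above: with layer-3 only addresses and protocol are hashed, with layer-4 the ports as well, and every packet of a flow lands on the same link. SHA-256 stands in for the platform hash and the sample flows are constructed; neither is the PFE's real algorithm.

```python
import hashlib
from collections import Counter
from typing import Dict, List, Set, Tuple

# Next hops taken from the static routes on this page
NEXT_HOPS = ["23.0.54.111", "24.0.44.101", "25.0.44.106"]

# A flow is (src_ip, dst_ip, protocol, src_port, dst_port)
Flow = Tuple[str, str, int, int, int]


def hash_key_fields(flow: Flow, hash_key: str) -> bytes:
    """Select the header fields that enter the hash, mirroring
    'forwarding-options hash-key family inet layer-3|layer-4'.
    layer-3: addresses and protocol only; layer-4: ports as well."""
    src, dst, proto, sport, dport = flow
    if hash_key == "layer-3":
        return f"{src}|{dst}|{proto}".encode()
    if hash_key == "layer-4":
        return f"{src}|{dst}|{proto}|{sport}|{dport}".encode()
    raise ValueError(f"unknown hash-key {hash_key!r}")


def select_next_hop(flow: Flow, hash_key: str = "layer-4",
                    next_hops: List[str] = NEXT_HOPS) -> str:
    """Deterministic next-hop choice: same fields -> same hash -> same link.
    SHA-256 is an assumption standing in for the platform hash."""
    digest = hashlib.sha256(hash_key_fields(flow, hash_key)).digest()
    return next_hops[int.from_bytes(digest[:4], "big") % len(next_hops)]


def forward(packets: List[Flow], hash_key: str = "layer-4") -> Dict[Flow, Set[str]]:
    """Forward a packet list and record which next hop(s) each flow used.
    Every packet of a flow lands on the same link: this is why the
    'load-balance per-packet' policy behaves per flow on SRX."""
    seen: Dict[Flow, Set[str]] = {}
    for pkt in packets:
        seen.setdefault(pkt, set()).add(select_next_hop(pkt, hash_key))
    return seen


def distribution(flows: List[Flow], hash_key: str = "layer-4") -> Counter:
    """Count how many flows each next hop carries under a given hash key."""
    return Counter(select_next_hop(f, hash_key) for f in flows)


# Constructed sample: two TCP connections between the same pair of hosts,
# differing only in source port, plus a UDP flow to another destination.
# Under layer-3 the two TCP flows always share a link; under layer-4 they may split.
SAMPLE_FLOWS: List[Flow] = [
    ("10.0.11.5", "26.1.2.3", 6, 40001, 443),
    ("10.0.11.5", "26.1.2.3", 6, 40002, 443),
    ("10.0.12.9", "26.7.7.7", 17, 5000, 53),
]

if __name__ == "__main__":
    for key in ("layer-3", "layer-4"):
        print(key, dict(distribution(SAMPLE_FLOWS, key)))
```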
VRRP
CONFIGURATION
# VRRP allows failing over an interface between two devices which are not a cluster
# Typical use case: primary and backup Internet access device (each with its own WAN link)
# Remember that a VRRP pair does not sync sessions - all sessions must be re-established

# VRRP - node 0
edit interfaces fe-0/0/7 unit 0 family inet address 192.168.0.101/24 vrrp-group 150
set virtual-address 192.168.0.150
set priority 100
set no-preempt
set authentication-type md5
set authentication-key secret
top

# VRRP - node 1
edit interfaces fe-0/0/7 unit 0 family inet address 192.168.0.102/24 vrrp-group 150
set virtual-address 192.168.0.150
set priority 110
set no-preempt
set authentication-type md5
set authentication-key secret
top

# VRRP troubleshooting
run show vrrp summary
run show vrrp interface fe-0/0/7

TRANSPARENT MODE
TRANSPARENT MODE OR BRIDGE MODE
NOTES AND LIMITATIONS
Transparent/bridge mode on Datacenter SRX
- Transparent mode in A/P clusters is supported since JUNOS 9.6
- Transparent mode in A/A clusters is supported since JUNOS 10.0
- Interfaces can be either in trunk mode or in access mode
- VLAN retagging is possible and requires a per-interface statement
- Link aggregation on reth interfaces in transparent mode is supported since 11.4r1
- IDP is supported in A/P since 11.2

Transparent/bridge mode on Branch SRX
- Transparent mode in A/P clusters is supported since JUNOS 11.2
- Interfaces can only be in access mode

Management access requires the definition of an IRB interface as member of one bridge domain.

Today (12.1) a firewall can be either in pure Layer 2 mode or in Layer 3 routed mode, not a mix.

During a cluster failover the physical links on the inactive machine will get bumped (L1 down for some seconds and then up again) to clear the CAM tables on the attached switches.

A number of features are not available/supported in transparent mode (12.1):
NAT, IPsec VPN, GRE, LSys, VR for IRB, L3/L4 classification for QoS (but 802.1q)

TRANSPARENT MODE / BRIDGE MODE
EXAMPLE 1: TWO UNTAGGED INTERFACES
# A bridge domain defines which interfaces share a MAC table
set bridge-domains BD1 domain-type bridge
set bridge-domains BD1 vlan-id 10
set bridge-domains BD1 interface ge-0/0/0.0
set bridge-domains BD1 interface ge-0/0/1.0

# This example uses two untagged interfaces
set interfaces ge-0/0/0 unit 0 family bridge interface-mode access
set interfaces ge-0/0/0 unit 0 family bridge vlan-id 10
set interfaces ge-0/0/1 unit 0 family bridge interface-mode access
set interfaces ge-0/0/1 unit 0 family bridge vlan-id 10

# Reuse zones trust and untrust
set security zones security-zone trust host-inbound-traffic system-services ssh
# Bind the interfaces to the zones
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/1.0

# For management access, you must attach an irb interface to the bridge domain
set interfaces irb unit 0 family inet address 1.1.1.0/24
set bridge-domains BD1 routing-interface irb.0

TRANSPARENT MODE / BRIDGE MODE
EXAMPLE 2: MIXED TAGGED AND UNTAGGED INTERFACES
# A bridge domain defines which interfaces share a MAC table
set bridge-domains BD1 domain-type bridge
set bridge-domains BD1 vlan-id <X>      # could also be set to "none"
set bridge-domains BD1 interface ge-0/0/10.0
set bridge-domains BD1 interface ge-0/0/11.0

# Example for a trunk mode interface (on Datacenter SRX)
set interfaces ge-0/0/10 vlan-tagging
set interfaces ge-0/0/10 native-vlan-id 10
set interfaces ge-0/0/10 unit 0 family bridge interface-mode trunk
set interfaces ge-0/0/10 unit 0 family bridge vlan-id-list 40-50
# Untagged traffic on a trunk mode interface is mapped to the native VLAN

# Example for an interface in access mode
set interfaces ge-0/0/11 unit 0 family bridge interface-mode access
set interfaces ge-0/0/11 unit 0 family bridge vlan-id 40

# Create a layer-2 zone and define the permitted system services
set security zones security-zone layer2 host-inbound-traffic system-services ssh
# Bind the interface to the zone
set security zones security-zone layer2 interfaces ge-0/0/10.0

# For management access, you must attach an irb interface to the bridge domain
set interfaces irb unit 0 family inet address 1.1.1.0/24
set bridge-domains BD1 routing-interface irb.0

TRANSPARENT MODE / BRIDGE MODE
HINTS AND MONITORING
# By default, family bridge only forwards IPv4 unicast and L2 broadcast traffic
# The following statement allows other traffic too (CDP, STP, ...)
# Note: bypassed traffic is forwarded without flow processing, i.e. without security policy
# IPv6 forwarding in transparent mode is currently planned for 11.4r4 (DC-SRX only)
set security flow bridge bypass-non-ip-unicast

# Full documentation for transparent mode
https://www.juniper.net/techpubs/en_US/junos12.1/information-products/pathway-pages/security/security-layer2-bridging-transparent-mode.html#configuration

# Monitoring commands
show bridge-domains
show protocols l2-learning

FIREWALL
PACKET FLOW
SECURITY SERVICES PACKET WALK
[Figure: JUNOS flow module pipeline - Packet Policer, Packet Filter, "Match Session?" decision; NO = first-packet path (Screens, Static NAT, Dest NAT, Route / Forwarding Lookup, Zones, Policy, Reverse Static NAT, Source NAT, Services ALG, Session install); YES = fast path (Screens, TCP, NAT, Services); then Packet Filter and Packet Shaper]

1) Pull packet from queue
2) Police packet
3) Filter packet
4) Session lookup
5a) No existing session (first-packet path):
    FW screen check
    Static and destination NAT
    Route lookup
    Destination zone lookup
    Policy lookup
    Reverse static and source NAT
    Setup ALG vector
    Install session
5b) Established session (fast path):
    FW screen check
    TCP checks
    NAT translation
    ALG processing
6) Filter packet
7) Shape packet
8) Transmit packet
SECURITY SERVICES PACKET WALK
[Figure: the same flow module pipeline (Screens, Static NAT, Dest NAT, Route, Zones, Policy, Reverse Static NAT, Source NAT, Services ALG, Session; fast path Screens, TCP, NAT, Services) with the Services ALG module attached to the session: AppID (packet), IDP (packet), SSL Proxy, AppID (stream), IDP (stream), and ALG, UTM, AppFW, UserFW]
ZONES
ZONES AND INTERFACES
# Zone names are useful to map existing segmentation
# Typical zone names are derived from areas with the same trust level (trust/untrust) or
# from department names (development, production, ...)

# Interfaces will not forward any traffic until they are assigned to a zone
# Each interface can only be mapped to one zone
# All interfaces in the same zone must be mapped to the same VR

# Assign an IPv4 address to an interface
set interfaces ge-0/0/1 unit 0 family inet address 192.168.20.2/24

# Create custom zones
set security zones security-zone DEVELOPMENT
set security zones security-zone VPN

# Assign an interface to a zone
set security zones security-zone VPN interfaces st0.0

OBJECTS & POLICIES
OBJECT AND POLICIES OVERVIEW
Current state and changes over time
- Global policies and address objects are available since JUNOS 11.4
Logging:
- To enable logging for permit rules use "set then log session-close"
- To enable logging for deny/reject rules use "set then log session-init"
Counting:
- Counting with "per time statistics" can be activated per policy (the number of policies is limited)
- Since JUNOS 12.1 there is a hit counter tracked by default for every policy
Description:
- Since JUNOS 12.1 policies can have a description
Nested groups:
- Nested groups (groups of groups) are supported since JUNOS 11.2
- Before 11.2 NSM could be used to create nested groups
DNS resolution:
- DNS names can be resolved either at object creation time or periodically during usage
Wildcard mask:
- Bitmasks for address objects are supported since JUNOS 11.1
Ranges:
- Address ranges are not available in JUNOS today (12.1)
Negation:
- Negated address objects are not available in JUNOS today (12.1)

ADDRESS OBJECTS AND GROUPS (JUNOS <11.2)
set security zones security-zone trust address-book address NET10 10.1.1.0/24
set security zones security-zone trust address-book address HOST10 10.1.1.1/32

# We can also use DNS names; there are two ways
edit security zones security-zone trust address-book
# Resolve the address once at commit time
set address JUNIPER-FIX www.juniper.net
# Resolve dynamically when the policy is used (cached for 24 hours)
set address JUNIPER-DNS dns-name www.juniper.net
top

# Groups of addresses are referenced as address sets
edit security zones security-zone trust address-book address-set ALL10
set address NET10
set address HOST10
top

# JUNOS >=11.1 also supports wildcard address masks with non-contiguous bitmasks
# for IPv4. The first octet of the mask must be greater than 128
set security zones security-zone trust address-book address SERVER4 wildcard-address 10.0.0.4/255.0.0.255
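An added Python illustration (not Junos code) of how a wildcard address object such as 10.0.0.4/255.0.0.255 matches: a mask bit of 1 means the address bit must match, a 0 bit is a don't-care, so the object covers every 10.x.y.4. The helper also enforces the first-octet rule quoted above and reports how many hosts an object covers, which is what a reviewer wants to know before such an object goes into a permit rule.

```python
import ipaddress
from typing import Tuple


def parse_wildcard(spec: str) -> Tuple[int, int]:
    """Parse 'address/mask' (e.g. 10.0.0.4/255.0.0.255) into two 32-bit ints.
    A mask bit of 1 means the corresponding address bit must match,
    a mask bit of 0 means don't care; the mask need not be contiguous."""
    addr_s, mask_s = spec.split("/", 1)
    addr = int(ipaddress.IPv4Address(addr_s))
    mask = int(ipaddress.IPv4Address(mask_s))
    # Rule quoted on this page: the first octet of the mask must be greater than 128
    if (mask >> 24) <= 128:
        raise ValueError(f"first octet of wildcard mask must be greater than 128: {mask_s}")
    return addr, mask


def is_contiguous_mask(mask: int) -> bool:
    """True if the mask is an ordinary prefix mask (ones followed by zeros); then a
    plain ip-prefix object would do and no wildcard object is needed."""
    inverted = (~mask) & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0


def wildcard_matches(spec: str, host: str) -> bool:
    """Return True if host falls into the wildcard address object."""
    addr, mask = parse_wildcard(spec)
    return (int(ipaddress.IPv4Address(host)) & mask) == (addr & mask)


def wildcard_host_count(spec: str) -> int:
    """Number of IPv4 addresses the object covers: 2 ** (number of don't-care bits).
    Useful when reviewing how broad a wildcard object in a permit rule really is."""
    _, mask = parse_wildcard(spec)
    return 1 << (32 - bin(mask).count("1"))


if __name__ == "__main__":
    # Constructed sample: the SERVER4 object from this page against a few hosts
    for host in ("10.200.7.4", "10.200.7.5", "11.0.0.4"):
        print(host, wildcard_matches("10.0.0.4/255.0.0.255", host))
    print("hosts covered:", wildcard_host_count("10.0.0.4/255.0.0.255"))
```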

ADDRESS OBJECTS AND GROUPS (JUNOS >=11.2)
# Since JUNOS 11.2 address book entries can either use the old stanza
set security zones security-zone trust address-book address NET10 10.1.1.0/24

# Or it is possible to create ALL objects as zone-independent address book entries
set security address-book global address NET10 10.1.1.0/24

# JUNOS op scripts exist to convert from the old to the new format and back
https://www.juniper.net/us/en/community/junos/script-automation/library/

# If both formats are used in one configuration, it cannot be committed

# NSM supports global policies with version 2012.1
# Space Security Design supports global policies since version 12.1
# J-Web supports global address objects and global policies since 11.4

SERVICE OBJECTS
# Create custom service objects
# The default TCP timeout is 1800 sec.
# The default timeout for other protocols is 60 sec.
set applications application my-ssh protocol tcp
set applications application my-ssh destination-port 22
set applications application my-ssh inactivity-timeout 3600
# Alternatively the same application written with an explicit term (use one form, not both)
set applications application my-ssh term ssh protocol tcp
set applications application my-ssh term ssh destination-port 22
set applications application my-ssh term ssh inactivity-timeout 3600

# A number of service definitions are already built in, starting with junos-xxxx
# To see them you can use the following command
show configuration groups junos-defaults applications
or (in configuration mode)
top show groups junos-defaults | match application | match junos

# They also appear in Tab completion while writing policies
set security policies from-zone trust to-zone untrust policy X match application ?

ZONE BASED FIREWALL POLICIES (1)
# Create a new policy with the name "FIRST"
edit security policies from-zone untrust to-zone trust policy FIRST
set match source-address any
set match destination-address any
set match application any
set then permit
# Since JUNOS 12.1 you can add a description for this policy
set description "First Policy created here"
top

# Insert a second policy "NEW"
edit security policies from-zone untrust to-zone trust policy NEW
set match source-address any
set match destination-address NET10
set match application any
set then permit
top

# New policies are always added at the end
# To move the "NEW" policy before the "FIRST" policy
insert security policies from-zone untrust to-zone trust policy NEW before policy FIRST

ZONE BASED FIREWALL POLICIES (2)
# By default all traffic that is not permitted by a policy is denied (without logging)
# There is a command to change this - recommended only for testing!
set security policies default-policy permit-all

# Policy actions can be permit/deny/reject.
# deny means silent drop; reject creates a response packet to the initiator:
# for UDP traffic an ICMP port unreachable
# for TCP traffic a TCP RST

# Monitor commands
show security policies
show security flow session
# Policy lookup is available on the CLI and in the Web UI since JUNOS 10.3
show security match-policies ....

GLOBAL FIREWALL POLICIES
# Beginning with JUNOS 11.4 policies can be specified as global policies
# These policies must always reference global address objects
# Policy lookup order is:
# a) zone-to-zone
# b) global
# c) default policy
# NSM cannot manage global policies and objects
# For JUNOS Space global policy support is currently planned for release 12.1

set security address-book global address SERVER1 1.1.1.1
set security address-book global address SERVER2 2.2.2.2

set security policies global policy GP1 match source-address SERVER1
set security policies global policy GP1 match destination-address SERVER2
set security policies global policy GP1 match application junos-ftp
set security policies global policy GP1 then deny

set security policies global policy GP2 match source-address SERVER1
set security policies global policy GP2 match destination-address SERVER2
set security policies global policy GP2 match application any
set security policies global policy GP2 then permit

# Count per-zone and global policies
show security policies zone-context

GLOBAL POLICIES
Global policies take lower precedence than zone-specific policies. If a matching zone-based policy is found, the global policies are not evaluated.

[Figure: in the from-zone/to-zone context an ordered lookup walks the zone-specific policies (Policy 1 ... Policy N); on no match, an ordered global policy lookup walks the global policies (Policy 1 ... Policy M)]
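An added Python model (not Junos code) of the lookup order described above: the ordered zone-context policies first, then the ordered global policies, then the default policy; it also mirrors the "insert ... before" reordering from the zone policy page. The address objects are one flat dict of name to prefix, a simplification of the separate zone and global address books, and the policies are the ones on this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Policy:
    name: str
    source: str        # address-book name or "any"
    destination: str   # address-book name or "any"
    application: str   # application name or "any"
    action: str        # permit | deny | reject


class PolicyLookup:
    """Models SRX policy evaluation: zone-to-zone context, then global, then default."""

    def __init__(self, address_book: Dict[str, str], default_action: str = "deny"):
        # Single flat address book (simplification of the zone and global books)
        self.book = {n: ipaddress.ip_network(p) for n, p in address_book.items()}
        self.zone_policies: Dict[Tuple[str, str], List[Policy]] = {}
        self.global_policies: List[Policy] = []
        # 'set security policies default-policy permit-all' would flip this to permit
        self.default_action = default_action

    def add_zone_policy(self, from_zone: str, to_zone: str, policy: Policy) -> None:
        # New policies are always appended at the end of their context
        self.zone_policies.setdefault((from_zone, to_zone), []).append(policy)

    def insert_before(self, from_zone: str, to_zone: str, name: str, before: str) -> None:
        """Equivalent of 'insert ... policy NAME before policy BEFORE'."""
        ctx = self.zone_policies[(from_zone, to_zone)]
        moving = next(p for p in ctx if p.name == name)
        ctx.remove(moving)
        ctx.insert(next(i for i, p in enumerate(ctx) if p.name == before), moving)

    def add_global_policy(self, policy: Policy) -> None:
        self.global_policies.append(policy)

    def _addr_ok(self, obj: str, ip: str) -> bool:
        return obj == "any" or ipaddress.ip_address(ip) in self.book[obj]

    def _first_match(self, policies: List[Policy], src: str, dst: str, app: str) -> Optional[Policy]:
        # Ordered lookup: the first policy whose match conditions fit decides
        for p in policies:
            if (self._addr_ok(p.source, src) and self._addr_ok(p.destination, dst)
                    and p.application in ("any", app)):
                return p
        return None

    def lookup(self, from_zone: str, to_zone: str, src: str, dst: str, app: str) -> Tuple[str, str]:
        """Return (action, origin); origin names the deciding policy or 'default'."""
        hit = self._first_match(self.zone_policies.get((from_zone, to_zone), []), src, dst, app)
        if hit:
            return hit.action, f"zone:{hit.name}"   # global policies are not evaluated
        hit = self._first_match(self.global_policies, src, dst, app)
        if hit:
            return hit.action, f"global:{hit.name}"
        return self.default_action, "default"


def build_example() -> PolicyLookup:
    """Constructed from the objects on this page: the untrust->trust FIRST/NEW policies
    (NEW inserted before FIRST) and the SERVER1/SERVER2 global policies GP1/GP2."""
    pl = PolicyLookup({"SERVER1": "1.1.1.1/32", "SERVER2": "2.2.2.2/32", "NET10": "10.1.1.0/24"})
    pl.add_zone_policy("untrust", "trust", Policy("FIRST", "any", "any", "any", "permit"))
    pl.add_zone_policy("untrust", "trust", Policy("NEW", "any", "NET10", "any", "permit"))
    pl.insert_before("untrust", "trust", "NEW", "FIRST")
    pl.add_global_policy(Policy("GP1", "SERVER1", "SERVER2", "junos-ftp", "deny"))
    pl.add_global_policy(Policy("GP2", "SERVER1", "SERVER2", "any", "permit"))
    return pl


if __name__ == "__main__":
    pl = build_example()
    # FTP from SERVER1 to SERVER2 in the untrust->trust context hits FIRST; GP1's deny never runs
    print(pl.lookup("untrust", "trust", "1.1.1.1", "2.2.2.2", "junos-ftp"))
    # In a context without zone policies the global policies decide
    print(pl.lookup("trust", "dmz", "1.1.1.1", "2.2.2.2", "junos-ftp"))
```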

FIREWALL POLICY
MONITORING AND USAGE TRACKING (1/2)
# Counting can be enabled on a limited number of policies. Counting includes
# input/output bytes & packets, session rate, active & deleted sessions, policy lookups
edit security policies from-zone trust to-zone untrust policy pol-01
set then count
top

# To monitor the policy counters use
run show security policies from-zone trust to-zone untrust policy-name pol-01 detail

# Alarms can be enabled per policy to alert if usage exceeds thresholds
edit security policies from-zone trust to-zone untrust policy pol-01
set then count alarm per-minute-threshold 1000
set then count alarm per-second-threshold 50
top

# To monitor the policy alarms use
run show security alarms

FIREWALL POLICY
MONITORING AND USAGE TRACKING (2/2)
# Security policy overview (hidden until 12.1)
show security policies information

# Since JUNOS 10.3 there is a security policy lookup to predict the policy decision
# The query goes directly to the forwarding plane for evaluation
show security match-policies ....

# Until 11.4 usage statistics are only available if counting is enabled (see previous page)
show security policies detail

# JUNOS 12.1 introduces usage tracking of firewall policies independent of the counter
# Hit counts since the last reboot/failover can be retrieved with the following command
srx210> show security policies hit-count from-zone untrust ascending

from-zone   to-zone   policy   hit-count
untrust     trust     pol-1    10
untrust     trust     pol-2    20
untrust     trust     pol-3    30

FIREWALL POLICY SCHEDULERS
(A.K.A. TIME BASED POLICIES)
# Create a Scheduler to activate a policy every working day from 9-12 and 13-20
set schedulers scheduler "SCHEDULER1" daily start-time 09:00 stop-time 12:00
set schedulers scheduler "SCHEDULER1" daily start-time 13:00 stop-time 20:00
set schedulers scheduler "SCHEDULER1" sunday exclude

# Create a new Policy with the name "FIRST" and apply the scheduler definition "SCHEDULER1"
edit security policies from-zone untrust to-zone trust policy FIRST
set match source-address any
set match destination-address any
set match application any
set then permit
set scheduler SCHEDULER1
top

# Monitoring
show schedulers
show security policies detail

FIREWALL WEB AUTHENTICATION
# Firewall authentication can intercept a web session (redirect) and enforce user authentication
# before allowing traffic (any protocol) to pass the firewall. This works like an "unlock" door.

# Add an additional IP address to an existing interface that is used for WebAuth. HTTP to this
# address gives you a login page
set interfaces vlan unit 0 family inet address 192.168.1.210/24 web-authentication http

# Specify a profile with 2 local users
set access profile TESTPROFILE client TESTUSER1 firewall-user password netscreen
set access profile TESTPROFILE client TESTUSER2 firewall-user password netscreen

# and use this profile as default for firewall auth (inline in telnet, http, ftp connections) and webauth
set access firewall-authentication pass-through default-profile TESTPROFILE
set access firewall-authentication web-authentication default-profile TESTPROFILE

# A policy specifies for which source/destination web auth is required.
# Once the addresses have matched, authentication is required; there is no fall-through to other rules.
set security zones security-zone untrust address-book address PROTECTED 172.16.42.1/32
edit security policies from-zone trust to-zone untrust policy WEB-AUTH
set match source-address any
set match destination-address PROTECTED
set match application any
set then permit firewall-authentication pass-through access-profile TESTPROFILE
set then permit firewall-authentication pass-through web-redirect
up
insert policy WEB-AUTH before policy trust-to-untrust
top

# Monitoring commands
show security firewall-authentication users
show security firewall-authentication history

REMATCH FOR POLICY CHANGES
# To enable policy rematching when policy changes are made use the following command
# By default policy rematch is disabled
set security policies policy-rematch

Action on policy    | Description                                                                  | Rematch enabled                    | Rematch disabled (default)
--------------------|------------------------------------------------------------------------------|------------------------------------|-----------------------------------
Delete              | Policy is deleted                                                            | All existing sessions are dropped  | All existing sessions are dropped
Insert              | New policy is inserted                                                       | N/A                                | N/A
Modify the action   | Action field of policy is modified from permit to deny or reject, or vice versa | All existing sessions are dropped  | All existing sessions continue
Modify address      | Source or destination address field of policy match is modified              | Policy lookup will be re-evaluated | All existing sessions continue
Modify application  | Application field of policy match is modified                                | Policy lookup will be re-evaluated | All existing sessions continue

REMATCH FOR POLICY CHANGES
WITH USER IDENTITY BASED FIREWALL
The user/role information is retrieved again from the UI module for the rematch.

FLOW & ALG
FLOW
# Flow Configuration changes default behavior for a number of topics that influence
# session creation/teardown/modification.
# Examples are SYN Checking, Sequence Number Checking, Fragmentation, MSS Patching,
# Session Aging

# Example: Make sure TCP packets going through VPN tunnels avoid fragmentation
set security flow tcp-mss ipsec-vpn mss 1420

# Example: Avoid TCP Split Handshake Attacks by more strict SYN checking
set security flow tcp-session strict-syn-check

ALG
# ALGs exist for several protocols. When enabled they either help to open firewall
# pinholes (FTP), assist in NAT for inband protocol data (VoIP) or check for protocol
# violations (DNS). See the next pages for a table of ALGs and their functions.

# Most ALGs are enabled by default. To check which ALGs exist and which are enabled use
show security alg status

# To disable an ALG either disable the ALG completely
set security alg msrpc disable
# or use a custom application with the application protocol (ALG) set to ignore
set applications application TEST application-protocol ignore

# Knowledgebase articles have good hints on monitoring and troubleshooting
# or changing the behaviour of each ALG. Check the Knowledgebase if you have
# trouble with any of the protocols where ALGs are active and disabling the ALG
# does not solve your problem. Example KB entries:
SQL: KB21550
MSRPC: KB23730 and KB18346

BASIC ALGS
ALG | Firewall Pinholes | NAT | Protocol Checking
DNS | | | format, length
FTP | | | command
TFTP | | |
SQL | | | format
Sun RPC | | | format
MS RPC | | | format
RSH | | | format
PPTP | | | format
Talk | | | format
IKE-NAT | | | format
(The marks in the Firewall Pinholes and NAT columns are not preserved in this copy.)

VOIP/STREAMING ALGS
ALG | Firewall Pinholes | NAT | Protocol Checking
SIP | | |
H.323 | | |
MGCP | | |
SCCP | | |
RTSP | | |
(The marks in the Firewall Pinholes, NAT and Protocol Checking columns are not preserved in this copy.)

SCREENS & DEFENSE
WHAT ARE SCREENS ?
Screens are filters for attacks on Layer 3/4 (scans, floods, IP option anomalies, TCP/IP anomalies, DoS attacks)

Screens are applied before Routing Lookup and Policy decision

Screens are in many cases implemented in Hardware

Screens can be enabled with Logging only

SCREENS
# Configure all Screen Options in a Named Profile
edit security screen ids-option MY-SCREEN-PROFILE
# Best practice: start using Screens with alarm only and dropping disabled.
set alarm-without-drop
set icmp ping-death
set ip source-route-option
set ip tear-drop
set tcp syn-flood alarm-threshold 1024
set tcp syn-flood attack-threshold 200
set tcp syn-flood source-threshold 1024
set tcp syn-flood destination-threshold 2048
set tcp syn-flood queue-size 2000
set tcp syn-flood timeout 20
set tcp land
set limit-session destination-ip-based 50
top
# Finally apply the Profile to the Zones which need protection
set security zones security-zone untrust screen MY-SCREEN-PROFILE

# Monitoring Commands
show security screen statistics zone untrust
show security screen statistics interface ge-0/0/0

Descriptions of each Screen parameter are in the JUNOS documentation.

SCREENS FOR FLOOD PROTECTION
# Session Limits for Source and Destination IP
set security screen ids-option FLOOD limit-session source-ip-based 10000
set security screen ids-option FLOOD limit-session destination-ip-based 10000

# ICMP and UDP flood protection (threshold is in packets/sec)
set security screen ids-option FLOOD icmp flood threshold 10000
set security screen ids-option FLOOD udp flood threshold 20000

# TCP SYN Flood Protection, SYN-Cookie has better Performance than SYN-Proxy
set security flow syn-flood-protection-mode syn-cookie
edit security screen ids-option FLOOD tcp syn-flood
# Start using Cookie when we hit more than 20 SYNs/sec
set attack-threshold 20
set alarm-threshold 10000
# If we get more than these SYNs per second from a source IP we start dropping
set source-threshold 1024
# If we get more than these SYNs per second to the same destination IP we start dropping
set destination-threshold 100000
# Time before we start dropping half-open connections from the queue
set timeout 5
top

# Finally apply the Screen Profile Definitions to the zone(s) where the flood arrives
set security zones security-zone untrust screen FLOOD

# Monitoring
show security screen statistics zone trust
show interfaces ge-0/0/1.0 extensive | match Syn
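To see what the three SYN flood thresholds configured above actually decide, here is an added Python model of the per-second screen counters. It is not JUNOS code and not part of the Jump Station: it buckets a constructed trace of TCP SYNs into one-second windows, switches a destination to SYN cookie handling once its rate exceeds attack-threshold, and counts the SYNs that source-threshold or destination-threshold would drop. alarm-threshold and the half-open queue are not modelled, and the trace addresses are constructed.

```python
"""Model of the per-second SYN flood screen counters configured above.

Added example, not JUNOS code: it applies the three thresholds the slide sets
(attack-threshold, source-threshold, destination-threshold) to a constructed
trace of SYN packets and reports, per one-second bucket, which destination
would be switched to SYN cookie handling and how many SYNs would be dropped
because a single source or destination exceeded its limit. alarm-threshold
and the half-open queue are not modelled. The packet trace is constructed.
"""
from collections import Counter, defaultdict


def evaluate_syn_screen(syns, attack_threshold=20, source_threshold=1024,
                        destination_threshold=100000):
    """syns: iterable of (timestamp_seconds, src_ip, dst_ip) for TCP SYNs.

    Returns {second: {"syns": n, "cookie_for": [dst, ...],
                      "dropped_by_source": {src: n}, "dropped_by_destination": {dst: n}}}
    """
    per_second = defaultdict(list)
    for ts, src, dst in syns:
        per_second[int(ts)].append((src, dst))

    report = {}
    for sec in sorted(per_second):
        src_count = Counter(s for s, _ in per_second[sec])
        dst_count = Counter(d for _, d in per_second[sec])
        # attack-threshold: SYN rate towards one destination above which the
        # SRX stops creating half-open sessions and answers with SYN cookies
        cookie_for = sorted(d for d, n in dst_count.items() if n > attack_threshold)
        # source-threshold / destination-threshold: SYNs per second beyond the
        # limit are dropped; only the excess above the limit is counted here
        dropped_src = {s: n - source_threshold
                       for s, n in src_count.items() if n > source_threshold}
        dropped_dst = {d: n - destination_threshold
                       for d, n in dst_count.items() if n > destination_threshold}
        report[sec] = {
            "syns": len(per_second[sec]),
            "cookie_for": cookie_for,
            "dropped_by_source": dropped_src,
            "dropped_by_destination": dropped_dst,
        }
    return report


def build_sample_trace():
    """Constructed trace: a quiet second followed by a single-source SYN flood."""
    trace = []
    for i in range(15):                      # second 0: 15 ordinary client SYNs
        trace.append((i / 15, f"198.51.100.{i + 1}", "10.0.0.5"))
    for i in range(1100):                    # second 1: 1100 SYNs from one source
        trace.append((1.0 + i / 1100, "203.0.113.7", "10.0.0.5"))
    for i in range(5):                       # second 1: 5 ordinary SYNs mixed in
        trace.append((1.5, f"198.51.100.{i + 1}", "10.0.0.5"))
    return trace


def run_example():
    """Evaluate the constructed trace with the thresholds from the slide."""
    return evaluate_syn_screen(build_sample_trace(), attack_threshold=20,
                               source_threshold=1024, destination_threshold=100000)


if __name__ == "__main__":
    for sec, result in run_example().items():
        print(sec, result)
```

In the second bucket the destination crosses attack-threshold (so SYN cookies would take over for it) and the single flooding source exceeds source-threshold by 76 SYNs, while destination-threshold at 100000 is never reached; that is the intended relation between the values on the slide: cookies start early, per-source drops only for a clearly abusive source, and per-destination drops only as a last resort.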

WHITE LISTS FOR SYN COOKIE & SYN PROXY
# JUNOS 12.1 will introduce white lists for SYN cookie and SYN proxy.
# The SYN protection screens can be active, but certain sources or
# destinations can be excluded from this protection.
# White lists can include up to 32 IPv4 and IPv6 source and/or destination addresses.
# Typical use case: exclude proxies as sources, exclude monitored servers as destinations

root@raticate# set security screen ids-option FLOOD tcp syn-flood WHITE-LIST ipv4 ?
Possible completions:
<[Enter]> Execute this command
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
+ destination-address Destination IP based
+ source-address Source IP based

FLOOD PROTECTION FOR THE SRX SESSION TABLE
# In a flood situation there is still a risk that the session table fills up
# completely and new sessions can't be established any more.
#
# A self defense strategy of the SRX for a flood situation is "aggressive aging":
# start removing sessions which have not been used for x seconds before the session
# table gets filled up completely.
#
# This overrides the default session timeouts, but might be better
# than an overcrowded session table.

# Set levels (percent of max session number) at which aggressive aging starts and stops
set security flow aging high-watermark 80 low-watermark 60

# Idle time in seconds after which sessions can be purged
set security flow aging early-ageout 30

# Monitoring: if the thresholds are reached, there are logs for
# FLOW_HIGH_WATERMARK_TRIGGERED and FLOW_LOW_WATERMARK_TRIGGERED
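The watermark pair above is a hysteresis, and early-ageout only bites while the table sits between the two levels. The following Python simulation is an added illustration, not JUNOS code: it models a session table with the slide's values (high-watermark 80, low-watermark 60, early-ageout 30 seconds) and runs a constructed burst through it, once with aggressive aging and once without, so the effect on the session count and the two log events becomes visible. Table size, traffic pattern and the 1800 second normal timeout are constructed.

```python
"""Simulation of SRX aggressive aging: high/low watermark hysteresis plus early-ageout.

Added example, not JUNOS code. The session table model below switches
aggressive aging on when utilisation reaches high-watermark percent of the
table maximum and off again when it falls to low-watermark percent; while it is
on, sessions idle for at least early-ageout seconds are purged instead of
waiting for their normal timeout. Values are the ones on the slide
(80 / 60 / 30); table size and the traffic pattern are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Session:
    sid: int
    last_seen: int          # simulated clock, seconds
    timeout: int = 1800     # normal idle timeout, seconds (constructed value)


@dataclass
class SessionTable:
    max_sessions: int
    high_watermark: int = 80       # percent of max_sessions that starts aggressive aging
    low_watermark: int = 60        # percent of max_sessions that stops it again
    early_ageout: int = 30         # idle seconds after which a session may be purged
    sessions: dict = field(default_factory=dict)
    aggressive: bool = False
    events: list = field(default_factory=list)   # (time, log name) as the SRX would log

    def utilisation(self) -> float:
        return 100.0 * len(self.sessions) / self.max_sessions

    def _update_mode(self, now: int) -> None:
        util = self.utilisation()
        if not self.aggressive and util >= self.high_watermark:
            self.aggressive = True
            self.events.append((now, "FLOW_HIGH_WATERMARK_TRIGGERED"))
        elif self.aggressive and util <= self.low_watermark:
            self.aggressive = False
            self.events.append((now, "FLOW_LOW_WATERMARK_TRIGGERED"))

    def age(self, now: int) -> None:
        """Purge timed-out sessions; apply early-ageout only while aggressive."""
        limit = self.early_ageout if self.aggressive else None
        for sid, s in list(self.sessions.items()):
            idle = now - s.last_seen
            if idle >= s.timeout or (limit is not None and idle >= limit):
                del self.sessions[sid]
        self._update_mode(now)

    def add(self, now: int, sid: int) -> bool:
        """Create a session; returns False when the table is full."""
        self.age(now)
        if len(self.sessions) >= self.max_sessions:
            return False
        self.sessions[sid] = Session(sid, now)
        self._update_mode(now)
        return True


def run_flood_scenario(aggressive_aging: bool = True):
    """Constructed burst: 85 sessions at t=0, 5 more at t=10, then a check at t=35.

    Returns (sessions before ageing at t=35, sessions after, mode, log names).
    With aggressive aging disabled the watermark is set above 100 percent so it
    never triggers and only the normal timeout applies.
    """
    table = SessionTable(max_sessions=100,
                         high_watermark=80 if aggressive_aging else 101)
    for i in range(85):
        table.add(0, i)
    for i in range(85, 90):
        table.add(10, i)
    before = len(table.sessions)
    table.age(35)
    after = len(table.sessions)
    return before, after, table.aggressive, [name for _, name in table.events]


if __name__ == "__main__":
    print(run_flood_scenario(True))
    print(run_flood_scenario(False))
```

With aggressive aging the 85 sessions of the first burst are gone 35 seconds later and the table drops back under the low watermark (both log events appear); without it all 90 sessions stay until their normal timeout, which is the overcrowding the slide warns about.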

FIREWALL USAGE ALARMS
# Create alerts if errors exceed thresholds
edit security alarms potential-violation
set authentication 10
set decryption-failures threshold 100
set encryption-failures threshold 100
set ike-phase1-failures threshold 100
set ike-phase2-failures threshold 100
set replay-attacks threshold 100
set security-log-percent-full 90
top

# Create alerts if total firewall policy usage exceeds thresholds
edit security alarms potential-violation policy
set application size 10240
set source-ip threshold 1000 duration 20
set destination-ip threshold 1000 duration 10
set policy-match threshold 100 size 100
top

# Create alerts if individual firewall policy usage exceeds thresholds
edit security policies from-zone trust to-zone untrust policy pol-01
set then count alarm per-minute-threshold 1000
set then count alarm per-second-threshold 50
top

# Monitoring
show security alarms

WHERE ARE SCREENS IMPLEMENTED ?
# Screens that are implemented on the NPU
block-frag, fin-no-ack, icmp-fragment, icmp-id, icmp-large, ip-bad-option, ip-filter-src,
ip-loose-src-route, ip-record-route, ip-security-opt, ip-stream-opt, ip-strict-src-route,
ip-timestamp-opt, land, ping-death, syn-fin, syn-frag, tcp-no-flag, unknown-protocol,
winnuke, icmp-flood, udp-flood, syn-flood destination-threshold / source-threshold

# Screens that are implemented on the SPU
teardrop, ip-spoofing, syn-ack-ack-proxy, syn-flood (syn-cookie/syn-proxy)

# Screens that are implemented on the CP
limit-session, portscan, ip-sweep, syn-flood (syn-cookie/syn-proxy)

NAT
NAT
BASIC INFORMATION
Since JUNOS 9.5 NAT uses a separate policy (a.k.a. NAT-ng).
The hierarchy for this is under "set security nat ...".
Older JUNOS documentation and OJSE training materials might still mention
the previous method (policy based NAT).
Destination NAT often requires additional Proxy-ARP rules.

Limitations in the number of NAT rules did exist, but even the last one (8
rules for destination NAT) disappeared with 10.2.
See http://kb.juniper.net/KB14149

We have a good Application Note on NAT:
http://www.juniper.net/us/en/products-services/security/srx-series/#literature

SCREENOS NAT FEATURES AND JUNOS COUNTERPART

For Details and Examples see the Application Note

"Juniper Networks SRX Series and J Series NAT for ScreenOS Users"
http://www.juniper.net/us/en/products-services/security/srx-series/#literature

NAT
CONFIGURATION INCLUDES 3 FLAVORS
Source NAT
Interface based NAT
Pool based NAT- with and without port translation
IP address shifting

Destination NAT
Destination IP and/or port number translation
IP address shifting

Static NAT
Bi-directional
No port translation supported
dst-xlate for packets to the host
src-xlate for packets initiated from the host

NAT
PROCESSING ORDER
Static & Destination NAT are performed before security policies are applied
Reverse Static & Source NAT are performed after security policies are applied
Accordingly, policies always refer to the actual address of the endpoints

NAT
ADDRESS POOL CONFIGURATION
Address pools can be
- Single IP address
- Range of addresses
- Range of ports
- Interface (source NAT only)
- No port translation
- Overflow pools: configured as a fall back, requires pools with no port translation

[edit security nat source]
root# show
pool src-nat-pool1 {
    address {
        192.0.0.10/32 to 192.0.0.24/32;
    }
}
pool src-nat-pool2 {
    address {
        192.0.0.100/32 to 192.0.0.249/32;
    }
    port no-translation;
    overflow-pool interface;
}
pool src-nat-pool3 {
    address {
        192.0.0.25/32;
    }
}
pool src-nat-pool4 {
    address {
        192.0.0.50/32 to 192.0.0.59/32;
    }
    port range 5000 to 6000;
}

SOURCE NAT
TWO EXAMPLES
Diagram: zone TRUST (10.1.1.0/24, 10.1.2.0/24, 192.1.1.0/24), zone UNTRUST towards the INTERNET; interfaces ge-0/0/0 and ge-0/0/1

# Example 1: source NAT to the egress interface address
[edit security nat source]
rule-set nat-internet {
    from zone trust;
    to zone untrust;
    rule rule1 {
        match {
            source-address 0.0.0.0/0;
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat interface;
        }
    }
}

# Example 2: source NAT to a pool
[edit security nat source]
rule-set nat-internet {
    from zone trust;
    to zone untrust;
    rule rule1 {
        match {
            source-address 0.0.0.0/0;
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat pool src-nat-pool1;
        }
    }
}

SOURCE NAT
EXAMPLE WITH MULTIPLE RULES
Diagram: zone TRUST (10.1.1.0/24, 10.1.2.0/24, 192.1.1.0/24, 172.1.1.0/24), zone UNTRUST towards the INTERNET; interfaces ge-0/0/0 and ge-0/0/1

[edit security nat source]
rule-set nat-internet {
    from zone trust;
    to zone untrust;
    rule rule1 {
        match {
            source-address [ 10.1.1.0/24 10.1.2.0/24 ];
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat pool src-nat-pool1;
        }
    }
    rule rule2 {
        match {
            source-address 192.1.1.0/24;
        }
        then {
            source-nat pool src-nat-pool2;
        }
    }
    rule rule3 {
        match {
            source-address 172.1.1.0/24;
        }
        then {
            source-nat off;
        }
    }
}

DESTINATION NAT
EXAMPLE FOR MANY-TO-MANY
Diagram: zone TRUST (10.1.1.0/24, 10.1.2.0/24, 192.1.1.100/24, 192.1.1.200/24), zone UNTRUST towards the INTERNET; interfaces ge-0/0/0 and ge-0/0/1
Mappings: dnat-pool-1: 1.1.1.100/80 -> 192.168.1.100/80; dnat-pool-2: 1.1.1.101/80 -> 192.168.1.200/8000

[edit security nat destination]
root# show
pool dnat-pool-1 {
    address 192.168.1.100/32;
}
pool dnat-pool-2 {
    address 192.168.1.200/32 port 8000;
}
rule-set dst-nat {
    from zone untrust;
    rule rule1 {
        match {
            destination-address 1.1.1.100/32;
        }
        then {
            destination-nat pool dnat-pool-1;
        }
    }
    rule rule2 {
        match {
            destination-address 1.1.1.101/32;
        }
        then {
            destination-nat pool dnat-pool-2;
        }
    }
}

DESTINATION NAT
EXAMPLE FOR ONE-TO-MANY
Diagram: zone TRUST (10.1.1.0/24, 10.1.2.0/24, 192.1.1.100/24, 192.1.1.200/24), zone UNTRUST towards the INTERNET; interfaces ge-0/0/0 and ge-0/0/1
Mappings: dnat-pool-1: 1.1.1.100/80 -> 192.168.1.100/80; dnat-pool-2: 1.1.1.100/8000 -> 192.168.1.200/8000

[edit security nat destination]
root# show
pool dnat-pool-1 {
    address 192.168.1.100/32;
}
pool dnat-pool-2 {
    address 192.168.1.200/32 port 8000;
}
rule-set dst-nat {
    from zone untrust;
    rule rule1 {
        match {
            destination-address 1.1.1.100/32;
            destination-port 80;
        }
        then {
            destination-nat pool dnat-pool-1;
        }
    }
    rule rule2 {
        match {
            destination-address 1.1.1.100/32;
            destination-port 8000;
        }
        then {
            destination-nat pool dnat-pool-2;
        }
    }
}

STATIC NAT
Provides one-to-one mapping of hosts or subnets
Bi-directional NAT
- dst-xlate for packets to the host
- src-xlate for packets initiated from the host

Diagram: zone TRUST (10.1.1.0/24, 10.1.2.0/24, 192.1.1.200/24), zone UNTRUST towards the INTERNET; interfaces ge-0/0/0 and ge-0/0/1

[edit security nat]
root# show static
rule-set static-nat {
    from zone untrust;
    rule rule1 {
        match {
            destination-address 1.1.1.200/32;
        }
        then {
            static-nat prefix 192.168.1.200/32;
        }
    }
}

PROXY-ARP
Diagram: INTERNET on ge-0/0/0 (1.1.1.1/24); inside networks 10.1.1.0/24 and 10.1.2.0/24 on ge-0/0/1

Source NAT
- Proxy-ARP required for all source IP pool addresses in the same subnet as egress
  interface ge-0/0/0
- For source pools not in the same subnet as the egress interface IP, a route to the IP pool
  subnet with the SRX device as next-hop is required on the upstream router
Destination/Static NAT
- Proxy-ARP required for all IP pool addresses in the same subnet as ingress
  interface ge-0/0/0
- For static and destination NAT pools not in the same subnet as the egress interface IP,
  a route to the IP pool subnet with the SRX device as next-hop is required on the
  upstream router
Configuration command
set security nat proxy-arp interface <if_name> address <ip_prefix>

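Forgetting one pool address in the proxy-ARP statement is the classic reason a freshly configured NAT pool does not answer. As an added helper (Python, not Juniper code) the following script applies the rule from this slide mechanically: it takes the interface address and the NAT pool prefixes or ranges, separates the addresses that lie inside the interface subnet (these need proxy-ARP on the SRX) from the ones outside it (these need an upstream route with the SRX as next hop), and renders the set commands for the first group. The interface 1.1.1.1/24 is from the diagram, the pool values are taken from the NAT slides of this chapter, the logical unit ge-0/0/0.0 is an assumption, and 192.0.0.25/32 is included only to show an address outside the subnet.

```python
"""Which NAT pool addresses need proxy-ARP on the SRX and which need an upstream route.

Added helper, not Juniper code. It applies the rule on this slide: pool
addresses inside the subnet of the interface facing the peer need
"set security nat proxy-arp interface <if_name> address <ip_prefix>", addresses
outside it need a route on the upstream router with the SRX as next hop.
Interface ge-0/0/0 with 1.1.1.1/24 is from the diagram; the pool values are
taken from the NAT slides in this chapter and the logical unit (.0) is an
assumption.
"""
import ipaddress


def classify_pool_addresses(interface_cidr, pool_specs):
    """Split pool specs into (needs_proxy_arp, needs_upstream_route).

    pool_specs: prefixes such as "1.1.1.100/32" or (low, high) address ranges.
    A spec that contains the interface's own address is rejected: the SRX
    already answers ARP for that address itself.
    """
    iface = ipaddress.ip_interface(interface_cidr)
    subnet = iface.network
    proxy_arp, routed = [], []
    for spec in pool_specs:
        if isinstance(spec, tuple):
            low, high = (ipaddress.ip_address(a) for a in spec)
            if low > high:
                raise ValueError(f"bad range {spec}")
            inside = low in subnet and high in subnet
            if inside and low <= iface.ip <= high:
                raise ValueError(f"range {spec} contains the interface address {iface.ip}")
            text = f"{low}/32 to {high}/32"
        else:
            net = ipaddress.ip_network(spec, strict=False)
            inside = net.version == subnet.version and net.subnet_of(subnet)
            if inside and iface.ip in net:
                raise ValueError(f"{spec} contains the interface address {iface.ip}")
            text = str(net)
        (proxy_arp if inside else routed).append(text)
    return proxy_arp, routed


def proxy_arp_commands(interface_name, interface_cidr, pool_specs):
    """Render the JUNOS set commands for the addresses that need proxy-ARP."""
    proxy_arp, _ = classify_pool_addresses(interface_cidr, pool_specs)
    return [f"set security nat proxy-arp interface {interface_name} address {p}"
            for p in proxy_arp]


# Constructed input: the source pool from the double NAT slide (1.1.1.10-1.1.1.14),
# the destination NAT address 1.1.1.100, the static NAT address 1.1.1.200 and one
# pool address (192.0.0.25) that lies outside the interface subnet.
POOLS = [("1.1.1.10", "1.1.1.14"), "1.1.1.100/32", "1.1.1.200/32", "192.0.0.25/32"]


def run_example():
    return (classify_pool_addresses("1.1.1.1/24", POOLS),
            proxy_arp_commands("ge-0/0/0.0", "1.1.1.1/24", POOLS))


if __name__ == "__main__":
    (arp, routed), cmds = run_example()
    print("\n".join(cmds))
    print("needs upstream route:", routed)
```

The range form of the command (`address 1.1.1.10/32 to 1.1.1.14/32`) mirrors the address range syntax used in the pool definitions, so one statement covers a whole pool.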
DOUBLE NAT- SOURCE AND DESTINATION NAT
Diagram: TRUST host 192.168.1.3/24 sends a packet 192.168.1.3 -> 1.1.1.100; it leaves towards the UNTRUST server 10.1.1.100/24 as 1.1.1.10 -> 10.1.1.100

[edit security nat source]
root# show
pool src-pool-1 {
    address {
        1.1.1.10/32 to 1.1.1.14/32;
    }
}
rule-set src-rs1 {
    from zone trust;
    to zone untrust;
    rule r1 {
        match {
            source-address 0.0.0.0/0;
        }
        then {
            source-nat pool src-pool-1;
        }
    }
}

[edit security nat destination]
root# show
pool dst-src-pool-1 {
    address 10.1.1.100/32;
}
rule-set dst-rs1 {
    from zone trust;
    rule rule1 {
        match {
            destination-address 1.1.1.100/32;
        }
        then {
            destination-nat pool dst-src-pool-1;
        }
    }
}

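The double NAT configuration above is a good place to make the processing order from the "Processing order" slide concrete: destination NAT runs before the policy lookup and source NAT after it, so the security policy must be written against the real server address, not the public one. The Python walk-through below is an added illustration, not SRX code. It uses the pools, rules and zones from this slide; the route table and the two security policies (one written against the translated address, one against the pre-NAT address) are constructed for the example, and port translation is not modelled.

```python
"""Walk one packet through the SRX NAT processing order with the double NAT rules above.

Added illustration, not SRX code. Order as on the "Processing order" slide:
destination NAT (and static NAT) before the policy lookup, source NAT after it,
so the policy matches on the original source and the already translated
(real) destination. NAT pools, rules and zones are the ones on the slide; the
route table and the two security policies are constructed for the example.
"""
import ipaddress


def ip_in(addr, prefix):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)


# [edit security nat destination] from the slide: rule-set dst-rs1, from zone trust
DEST_NAT_RULES = [{"from_zone": "trust", "match_dst": "1.1.1.100/32",
                   "pool": "10.1.1.100"}]                     # dst-src-pool-1
# [edit security nat source] from the slide: rule-set src-rs1, trust -> untrust
SOURCE_NAT_RULES = [{"from_zone": "trust", "to_zone": "untrust",
                     "match_src": "0.0.0.0/0",                 # src-pool-1
                     "pool": ["1.1.1.10", "1.1.1.11", "1.1.1.12", "1.1.1.13", "1.1.1.14"]}]

# Constructed route table: (prefix, zone of the egress interface)
ROUTES = [("192.168.1.0/24", "trust"), ("10.1.1.0/24", "untrust"), ("0.0.0.0/0", "untrust")]

# Constructed policies. The first is written against the real server address
# (what the policy lookup sees), the second against the pre-NAT public address.
POLICY_REAL_ADDRESS = [{"from_zone": "trust", "to_zone": "untrust",
                        "src": "192.168.1.0/24", "dst": "10.1.1.100/32", "action": "permit"}]
POLICY_PRE_NAT_ADDRESS = [{"from_zone": "trust", "to_zone": "untrust",
                           "src": "192.168.1.0/24", "dst": "1.1.1.100/32", "action": "permit"}]


def egress_zone(dst):
    """Longest-prefix match over ROUTES."""
    matches = [r for r in ROUTES if ip_in(dst, r[0])]
    return max(matches, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)[1]


def process_packet(src, dst, ingress_zone, policies):
    trace = {"original": (src, dst)}
    # 1. destination NAT, before the policy lookup
    for r in DEST_NAT_RULES:
        if r["from_zone"] == ingress_zone and ip_in(dst, r["match_dst"]):
            dst = r["pool"]
            break
    trace["after_dnat"] = (src, dst)
    # 2. route lookup on the translated destination selects the egress zone
    to_zone = egress_zone(dst)
    # 3. policy lookup: original source, translated destination; default deny
    action = "deny"
    for p in policies:
        if (p["from_zone"] == ingress_zone and p["to_zone"] == to_zone
                and ip_in(src, p["src"]) and ip_in(dst, p["dst"])):
            action = p["action"]
            break
    trace["policy_saw"] = (src, dst, ingress_zone, to_zone)
    trace["action"] = action
    if action != "permit":
        trace["final"] = None
        return trace
    # 4. source NAT, after the policy lookup (first pool address, no port NAT modelled)
    for r in SOURCE_NAT_RULES:
        if (r["from_zone"] == ingress_zone and r["to_zone"] == to_zone
                and ip_in(src, r["match_src"])):
            src = r["pool"][0]
            break
    trace["final"] = (src, dst)
    return trace


if __name__ == "__main__":
    print(process_packet("192.168.1.3", "1.1.1.100", "trust", POLICY_REAL_ADDRESS))
    print(process_packet("192.168.1.3", "1.1.1.100", "trust", POLICY_PRE_NAT_ADDRESS))
```

The second call shows the common mistake: a policy that permits traffic to 1.1.1.100 never matches, because by the time the policy is evaluated the destination is already 10.1.1.100.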
NAT
MONITORING AND TROUBLESHOOTING
# NAT session can be identified from the session table
show security flow session

# Static NAT:
show security nat static rule <all|rule-name>

# Source NAT:
show security nat source summary
show security nat source pool <pool-name>
show security nat source rule <rule-name>
show security nat source persistent-nat-table <all|summary|....>

# Destination NAT:
show security nat destination summary
show security nat destination pool <pool-name>
show security nat destination rule <rule-name>
show security nat interface-nat-ports

# Incoming NAT:
show security nat incoming-table

# ARP table
show arp no-resolve

# Tracing (output is written to the file defined under security flow traceoptions)
set security nat traceoptions flag all

VIRTUALIZATION
VIRTUALIZATION
BUILDING BLOCKS AND CONCEPTS
SRX Firewalls offer several building blocks and concepts to achieve virtualization
Zone based separation: no traffic can get from one zone to another if there is no policy
Virtual Router based separation: avoids any traffic leakage between different instances
(use case: managed service for customers with overlapping address space)
Logical Systems: for complete administrative isolation. Create virtual firewalls with individual
administrators and protected resources per firewall (memory, cpu, objects ...)
Virtual SRX: virtual machine for installation on a hypervisor (VMware, KVM)

Capability | Zones only | Zones and Virtual Routers | Logical Systems | Virtual SRX
separate traffic of different instances | yes | yes | yes | yes
separate routing decisions per instance | no | yes | yes (with VRs) | yes
allow different administrators per instance | no | no | yes | yes
protect resources per instance | no | no | partial | yes
more than 32 instances | no | no | max 32 instances per firewall | yes

ZONE-BASED SEPARATION

Diagram: Coke Zone with Coke users and Pepsi Zone with Pepsi users, both behind one shared Untrust Zone

Simple design
High scale (no additional overhead)
No overlapping IP addresses
Little to no user-based admin

VR-BASED SEPARATION

Diagram: Coke VR containing the Coke Untrust Zone and the Coke Trust Zone (Coke users); Pepsi VR containing the Pepsi Untrust Zone and the Pepsi Trust Zone (Pepsi users)

More complex design
High scale (little additional overhead)
Overlapping IP addresses supported
Routing protocols per VR give additional flexibility
Little to no user-based admin

LSYS-BASED SEPARATION

Diagram: Coke LSYS containing the Coke VR with the Coke Untrust Zone and Coke Trust Zone (Coke users); Pepsi LSYS containing the Pepsi VR with the Pepsi Untrust Zone and Pepsi Trust Zone (Pepsi users)

Complex design
Lower scale (possible additional overhead)
Overlapping IP addresses supported
Routing protocols per VR give additional flexibility (and
introduce performance caveats)
User-based admin supported

VIRTUALIZATION:
VIRTUAL ROUTERS
DIFFERENCE IN OWNERSHIP HIERARCHY
ScreenOS: Virtual Router -> Zone -> Interface -> IP Address
JUNOS: Routing Instance -> Interface -> IP Address, and separately Zone -> Interface
(the virtual router is split from the zones in JUNOS)

EXAMPLE WITH 2 INDEPENDANT VR

red-trust Red-VR red-untrust

blue-trust Blue-VR blue-untrust

VIRTUAL ROUTERS - SIMPLE EXAMPLE

Create a Virtual Router and bind interfaces to this VR

# Assign interface IPs like usual
set interfaces fe-0/0/6 unit 0 family inet address 1.0.0.1/24
set interfaces fe-0/0/7 unit 0 family inet address 2.0.0.1/24
set interfaces lo0 unit 0 family inet address 3.0.0.1/32

# Create the Virtual Router, assign two physical and a loopback interface
set routing-instances red-vr instance-type virtual-router
set routing-instances red-vr interface fe-0/0/6.0
set routing-instances red-vr interface fe-0/0/7.0
set routing-instances red-vr interface lo0.0

# Also tie all interfaces to security zones
set security zones security-zone red-untrust interfaces fe-0/0/6.0
set security zones security-zone red-trust interfaces fe-0/0/7.0

# Optional: set a static route in this VR
set routing-instances red-vr routing-options static route 4.0.0.0/24 next-hop 1.0.0.2

# Optional: you can set static routes to get from one VR to another.
# If you need to exchange dynamic routes you will need RIB groups.
set routing-instances red-vr routing-options static route 5.0.0.0/24 next-table blue-vr.inet.0

EXAMPLE WITH 3 CUSTOM AND ONE SHARED VR

red-trust Red-VR

Inet.0 VR
blue-trust Blue-VR untrust

green-trust Green-VR

VIRTUAL ROUTERS
ROUTER DEFINITION

Create a Virtual Router and bind interfaces to this VR

# Assign interface IPs like usual
set interfaces fe-0/0/5 unit 0 family inet address 1.0.0.1/24
set interfaces fe-0/0/6 unit 0 family inet address 2.0.0.1/24
set interfaces fe-0/0/7 unit 0 family inet address 3.0.0.1/24
set interfaces lo0 unit 0 family inet address 4.0.0.1/32

# Create the red Virtual Router, assign one physical interface
set routing-instances RED-VR instance-type virtual-router
set routing-instances RED-VR interface fe-0/0/5.0

# Create the blue Virtual Router, assign one physical interface
set routing-instances BLUE-VR instance-type virtual-router
set routing-instances BLUE-VR interface fe-0/0/6.0

# Create the green Virtual Router, assign one physical interface
set routing-instances GREEN-VR instance-type virtual-router
set routing-instances GREEN-VR interface fe-0/0/7.0

VIRTUAL ROUTERS
SECURITY ZONES
Interface binding to zones is defined independent from the VR
BUT all interfaces in the same zone must be bound to same VR
# Create Zones and assign interfaces
set security zones security-zone red-trust
set security zones security-zone red-trust interfaces fe-0/0/5.0
set security zones security-zone blue-trust
set security zones security-zone blue-trust interfaces fe-0/0/6.0
set security zones security-zone green-trust
set security zones security-zone green-trust interfaces fe-0/0/7.0

# If desired enable management
set security zones security-zone red-trust host-inbound-traffic system-services all
set security zones security-zone red-trust host-inbound-traffic protocols all
set security zones security-zone blue-trust host-inbound-traffic system-services all
set security zones security-zone blue-trust host-inbound-traffic protocols all

# Add policies to permit traffic
edit security policies from-zone red-trust to-zone untrust
set policy outbound1 match source-address any
set policy outbound1 match destination-address any
set policy outbound1 match application any
set policy outbound1 then permit
set policy outbound1 then log session-close session-init
exit
top

VIRTUAL ROUTERS
EXCHANGING ROUTES BETWEEN VIRTUAL ROUTERS
# To set a route from one VR to another just use the instance name as next-table
edit routing-instances BLUE-VR
set routing-options static route 10.0.0.0/8 next-table RED-VR.inet.0
top

# To redistribute routes that exist in one VR into another use filters
edit policy-options policy-statement SUMMARY-RED
set term ACCEPT from instance RED-VR
set term ACCEPT from route-filter 10.0.0.0/8 exact
set term ACCEPT then tag 5000
set term ACCEPT then accept
top

set routing-instances BLUE-VR routing-options instance-import SUMMARY-RED

VIRTUAL ROUTERS
RIB-GROUPS
RIB Groups (RIB=Routing Information Base) are useful if you want to
share static and dynamic routes between multiple VRs
# Create a rib-group
set routing-options static rib-group test-rib

# Routes imported into the rib-group are distributed to these ribs
set routing-options rib-groups test-rib import-rib inet.0
set routing-options rib-groups test-rib import-rib RED-VR.inet.0
# set routing-options rib-groups test-rib import-rib BLUE-VR.inet.0
# set routing-options rib-groups test-rib import-rib GREEN-VR.inet.0

# Only one rib can be used to export (primary-rib by default)
set routing-options rib-groups test-rib export-rib inet.0

# Optional: publish interface routes to the RIB
set routing-instances RED-VR routing-options interface-routes rib-group inet test-rib
set routing-instances BLUE-VR routing-options interface-routes rib-group inet test-rib
set routing-instances GREEN-VR routing-options interface-routes rib-group inet test-rib

VIRTUAL ROUTERS
RIB-GROUPS, FILTER
Filters can be applied to drop unwanted routes
# Create a policy statement
edit policy-options policy-statement into-red
set term reject-to-red from family inet protocol ospf
# Instance names are case sensitive; RED-VR is the instance defined on the previous pages
set term reject-to-red to rib RED-VR.inet.0
set term reject-to-red then reject
top

# Apply the policy to filter routes from the rib-group's export-rib to the member ribs
set routing-options rib-groups test-rib import-policy into-red

VIRTUAL ROUTERS
NOTES AND LIMITATIONS
RIB Groups are useful to share routes between multiple VRs
Before JUNOS 10.4 IPSEC VPN interfaces could only be terminated in
zones which are assigned to inet.0 (see KB 12866)
For self initiated management traffic (e.g. syslog, traps ...) the route lookup
starts in the default VR (inet.0)
Interfaces that are not explicitly members of any custom VR are
members of inet.0
DHCP Server and DHCP Relay inside a VR require JUNOS 10.4R5
or higher
Static routes from VR1 to VR2 and at the same time from VR2 to VR1
will not commit (potential loop). You have to introduce a third VR as
additional hop for one direction.

VIRTUALIZATION:
LOGICAL SYSTEMS
LOGICAL SYSTEMS

Root System (= physical firewall) is always there. The Root Admin can
- create new Lsys
- create user admin(s) for the Lsys
- create and assign Lsys Profiles
- create and assign logical interfaces to the Lsys
- configure the interconnect Lsys0

Lsys0 has a special role as the interconnect Lsys
- all traffic between User Lsys and Rootsys goes through Lsys0
- for this purpose Lsys0 has an lt-Interface to each Lsys and the Rootsys

Lsys1..32 are the user logical systems themselves
Each user logical system can have
- a number of zones, interfaces and 0, 1 or more Virtual Routers
- exactly one interface to the Interconnect Lsys0 (lt0.x)
- one or more users to configure routing and security inside the Lsys

EXAMPLE SETUP
# Example Setup

Root System with
- shared Internet Uplink
- separate VR vrf-root

Interconnect Lsys0 with
- separate vr-ic
- lt interfaces to each root and lsys

Two Custom Lsys with
- private interfaces and zones
- lt Interfaces to interconnect Lsys0

LOGICAL SYSTEMS
CONFIGURATION 1/4 - PROFILES AND USERS
# Define a profile with the system limits for each user logical system
set system security-profile USER-LSYS policy maximum 50
set system security-profile USER-LSYS policy reserved 25
set system security-profile USER-LSYS address-book maximum 100
set system security-profile USER-LSYS address-book reserved 50
# LSYS names are case sensitive and must match the logical-systems definitions on the next pages
set system security-profile USER-LSYS logical-system [ COKE-LSYS PEPSI-LSYS ]

# Add the root system profile. All off-box logging comes from the root LSYS.
# If this is undefined then syslog/SNMP will not work
set system security-profile ROOT-LSYS auth-entry maximum 5
set system security-profile ROOT-LSYS policy maximum 5
set system security-profile ROOT-LSYS policy reserved 1
set system security-profile ROOT-LSYS policy-with-count maximum 0
set system security-profile ROOT-LSYS root-logical-system

# Add the LSYS to your login classes to assign users to an LSYS.
# Users are assigned to a login class to get their rights, and with LSYS
# they also get assigned to an LSYS at the same time
set system login class COKE-LOGIN logical-system COKE-LSYS
set system login class PEPSI-LOGIN logical-system PEPSI-LSYS

# Create users for each LSYS
set system login user coke class COKE-LOGIN
set system login user pepsi class PEPSI-LOGIN

LOGICAL SYSTEMS
CONFIGURATION 2/4 - INTERCONNECT
# Set up lt-0/0/0.x interfaces in the Interconnect LSYS0
# LSYS0 is layer 2 only and will hold multiple LT interfaces
# all other LSYS will only have a single LT interface
# LT interfaces are paired one-to-one
set logical-systems LSYS0 interfaces lt-0/0/0 unit 0 encapsulation ethernet-vpls
set logical-systems LSYS0 interfaces lt-0/0/0 unit 0 peer-unit 1
set logical-systems LSYS0 interfaces lt-0/0/0 unit 2 encapsulation ethernet-vpls
set logical-systems LSYS0 interfaces lt-0/0/0 unit 2 peer-unit 3
set logical-systems LSYS0 interfaces lt-0/0/0 unit 4 encapsulation ethernet-vpls
set logical-systems LSYS0 interfaces lt-0/0/0 unit 4 peer-unit 5

# Set up lt-0/0/0.x interfaces; LT interfaces in LSYS > 0 need an IP address.
# Each unit's peer-unit points back at its partner unit in LSYS0 (0<->1, 2<->3, 4<->5)

# LT interface in the Rootsys
set interfaces lt-0/0/0 unit 1 encapsulation ethernet
set interfaces lt-0/0/0 unit 1 peer-unit 0
set interfaces lt-0/0/0 unit 1 family inet address 10.0.1.1/24

# LT interface in the Lsys Coke
set interfaces lt-0/0/0 unit 3 encapsulation ethernet
set interfaces lt-0/0/0 unit 3 peer-unit 2
set interfaces lt-0/0/0 unit 3 family inet address 10.0.1.2/24

# LT interface in the Lsys Pepsi
set interfaces lt-0/0/0 unit 5 encapsulation ethernet
set interfaces lt-0/0/0 unit 5 peer-unit 4
set interfaces lt-0/0/0 unit 5 family inet address 10.0.1.3/24

LOGICAL SYSTEMS
CONFIGURATION 3/4 - FIRST USER LSYS
# Now set up the COKE logical system
edit logical-systems COKE-LSYS
set interfaces reth1 unit 1 vlan-id 1
set interfaces reth1 unit 1 family inet address 12.1.1.1/24
edit routing-instances COKE-VR
set instance-type virtual-router
set interface reth1.1
set interface lt-0/0/0.3
# Default route via the root system's lt-0/0/0.1 address (10.0.1.1)
set routing-options static route 0.0.0.0/0 next-hop 10.0.1.1
up
set security zones security-zone Coke-Trust
set security zones security-zone Coke-Trust host-inbound-traffic system-services ping
set security zones security-zone Coke-Trust interfaces reth1.1
# The LSYS's own lt unit (lt-0/0/0.3, bound into COKE-VR above) is the untrust interface
set security zones security-zone Coke-Untrust interfaces lt-0/0/0.3
edit security policies from-zone Coke-Trust to-zone Coke-Untrust
set policy to-Inter-LSYS match source-address any
set policy to-Inter-LSYS match destination-address any
set policy to-Inter-LSYS match application any
set policy to-Inter-LSYS then permit
top

LOGICAL SYSTEMS
CONFIGURATION 4/4 - SECOND USER LSYS
# Now set up the PEPSI logical system
edit logical-systems PEPSI-LSYS
set interfaces reth1 unit 2 vlan-id 1
set interfaces reth1 unit 2 family inet address 13.1.1.1/24
edit routing-instances PEPSI-VR
set instance-type virtual-router
set interface reth1.2
set interface lt-0/0/0.5
# Default route via the root system's lt-0/0/0.1 address (10.0.1.1)
set routing-options static route 0.0.0.0/0 next-hop 10.0.1.1
up
set security zones security-zone PEPSI-Trust
set security zones security-zone PEPSI-Trust host-inbound-traffic system-services ping
set security zones security-zone PEPSI-Trust interfaces reth1.2
set security zones security-zone PEPSI-Untrust interfaces lt-0/0/0.5
edit security policies from-zone PEPSI-Trust to-zone PEPSI-Untrust
set policy to-Inter-LSYS match source-address any
set policy to-Inter-LSYS match destination-address any
set policy to-Inter-LSYS match application any
set policy to-Inter-LSYS then permit
top

LOGICAL SYSTEMS
MONITORING
# Flow Statistics
show security flow statistics root-logical-system
show security flow statistics logical-system <all|Lsys>

# Assigned profile and current usage for each individual profile parameter
# (replace <parameter> with the resource to check, e.g. policy)
show system security-profile <parameter> logical-system <all|Lsys>

VPN
IPSEC VPN FLAVOURS
Policy Based VPN
- For site-to-site VPNs
- Upon match a security policy sets up a VPN tunnel

Route Based VPN
- For site-to-site VPNs
- Specify a VPN tunnel interface (st0.x)
- Upon match a security policy permits traffic to this tunnel interface

Dynamic VPN
- For remote access of travelling users
- Rollout and update of VPN client software
- Authenticate user and assign IPs during VPN establishment

ROUTE BASED VPN
ROUTE BASED VPN
SITE-TO-SITE WITH MAIN MODE (1/3)
# Enable IKE traffic on the untrust interface
edit security zones security-zone untrust interfaces ge-0/0/1.0
set host-inbound-traffic system-services ike
top

# Define Phase 1 proposal
edit security ike proposal P1-AES
set authentication-method pre-shared-keys
set dh-group group2
set authentication-algorithm sha1
set encryption-algorithm aes-128-cbc
top

# Define Phase 2 proposal
set security ipsec proposal P2-AES protocol esp
set security ipsec proposal P2-AES authentication-algorithm hmac-sha1-96
set security ipsec proposal P2-AES encryption-algorithm aes-128-cbc

# Predefined proposal sets also exist
lab@srx-210# set security ike policy ike-policy-1 proposal-set ?
Possible completions:
basic IKE proposal-set for basic
compatible IKE proposal-set for compatible
standard IKE proposal-set for standard
[edit]

ROUTE BASED VPN
SITE-TO-SITE WITH MAIN MODE (2/3)
# Phase 1 gateway definition
set security ike policy IKE-POLICY-1 mode main
set security ike policy IKE-POLICY-1 proposals P1-AES
set security ike policy IKE-POLICY-1 pre-shared-key ascii-text juniper

# The external-interface must be the interface on which IKE is enabled as host-inbound-traffic
set security ike gateway GW1 address 172.16.42.11
set security ike gateway GW1 external-interface ge-0/0/0.0
set security ike gateway GW1 ike-policy IKE-POLICY-1

# Phase 2 VPN definition
set security ipsec policy IPSEC-POLICY-1 proposals P2-AES
set security ipsec policy IPSEC-POLICY-1 perfect-forward-secrecy keys group2
set security ipsec vpn VPN1 ike gateway GW1
set security ipsec vpn VPN1 ike ipsec-policy IPSEC-POLICY-1

# Optional VPN monitor (Phase 2 keep-alive as ping inside the tunnel)
set security ipsec vpn VPN1 vpn-monitor optimized

# Use this statement - on one side of the VPN - to get the tunnel established right after commit, without waiting for traffic
set security ipsec vpn VPN1 establish-tunnels immediately

ROUTE BASED VPN
SITE-TO-SITE WITH MAIN MODE (3/3)
# Create a secure tunnel interface
set interfaces st0 unit 0 family inet
set security zones security-zone trust interfaces st0.0

# Optional: if a numbered interface is required, set an interface IP
set interfaces st0 unit 0 family inet address 1.1.1.1/28

# Configure routing
set routing-options static route 10.1.1.0/24 next-hop st0.0

# Assign the IPSEC configuration to the interface
set security ipsec vpn VPN1 bind-interface st0.0

# There are global options (system wide for all Phase 2) to set VPN monitor thresholds
# Default is interval 10, threshold 10, which results in 100 sec detection time
set security ipsec vpn-monitor-options interval 3
set security ipsec vpn-monitor-options threshold 3

ROUTE BASED VPN
ADDITIONAL OPTIONS
# Interface number for a second VPN tunnel interface:
# use the name st0 with another unit
set interfaces st0 unit 1 family inet

# By default we use Proxy-ID local 0.0.0.0/0 remote 0.0.0.0/0 service 0
# To override this for third-party compatibility you can manually set one proxy-id
# When the SRX checks an incoming proxy-id, more specific IPs match less specific IPs
# Example: Remote-ID 192.168.1.0/24 is accepted when the Proxy-ID is 0.0.0.0/0
set security ipsec vpn vpn-1 ike proxy-identity local <net> remote <net> service <svc>

# Next Hop Tunnel Binding - allows multiple endpoints on one tunnel interface
set interfaces st0 unit 0 multipoint

# Dead Peer Detection (Phase 1 keep-alive as IKE message)
set security ike gateway GW1 dead-peer-detection

ROUTE BASED VPN
BRANCH-TO-CENTRAL WITH AGGRESSIVE MODE (1/2)
Branch Site with Dynamic IP
# Phase 1 gateway definition
set security ike policy BRANCH-POLICY mode aggressive
set security ike policy BRANCH-POLICY proposal-set standard
set security ike policy BRANCH-POLICY pre-shared-key ascii-text secret

set security ike gateway CENTRAL-GW ike-policy BRANCH-POLICY
set security ike gateway CENTRAL-GW address 1.1.1.1
set security ike gateway CENTRAL-GW local-identity user-at-hostname "branch@test.de"
set security ike gateway CENTRAL-GW external-interface pp0.0

Central Site with Fixed IP (1.1.1.1)
# Phase 1 gateway definition
set security ike policy BRANCH-POLICY mode aggressive
set security ike policy BRANCH-POLICY proposal-set standard
set security ike policy BRANCH-POLICY pre-shared-key ascii-text secret

set security ike gateway BRANCH-GW ike-policy BRANCH-POLICY
set security ike gateway BRANCH-GW dynamic user-at-hostname "branch@test.de"
set security ike gateway BRANCH-GW external-interface ge-0/0/0.0

ROUTE BASED VPN
BRANCH-TO-CENTRAL WITH AGGRESSIVE MODE (2/2)
Branch Site with Dynamic IP
# Phase 2 definitions with tunnel binding and optional Proxy-ID
set security ipsec policy BRANCH-POLICY proposal-set standard
set security ipsec vpn CENTRAL-VPN bind-interface st0.0
set security ipsec vpn CENTRAL-VPN vpn-monitor optimized
set security ipsec vpn CENTRAL-VPN ike gateway CENTRAL-GW
set security ipsec vpn CENTRAL-VPN ike proxy-identity local 10.0.0.0/24
set security ipsec vpn CENTRAL-VPN ike proxy-identity remote 20.0.0.0/24
set security ipsec vpn CENTRAL-VPN ike proxy-identity service any
set security ipsec vpn CENTRAL-VPN ike ipsec-policy BRANCH-POLICY
set security ipsec vpn CENTRAL-VPN establish-tunnels immediately
# Route into the tunnel (the remote network of the proxy-identity)
set routing-options static route 20.0.0.0/24 next-hop st0.0

Central Site with Fixed IP
# Phase 2 definitions with tunnel binding and optional Proxy-ID
set security ipsec policy BRANCH-POLICY proposal-set standard
set security ipsec vpn BRANCH-VPN bind-interface st0.0
set security ipsec vpn BRANCH-VPN vpn-monitor optimized
set security ipsec vpn BRANCH-VPN ike gateway BRANCH-GW
set security ipsec vpn BRANCH-VPN ike proxy-identity local 20.0.0.0/24
set security ipsec vpn BRANCH-VPN ike proxy-identity remote 10.0.0.0/24
set security ipsec vpn BRANCH-VPN ike proxy-identity service any
set security ipsec vpn BRANCH-VPN ike ipsec-policy BRANCH-POLICY
# Route into the tunnel (the remote network of the proxy-identity)
set routing-options static route 10.0.0.0/24 next-hop st0.0

POLICY BASED VPN
POLICY BASED VPN
CONFIGURATION
TODO

Technote: http://www.juniper.net/us/en/local/pdf/app-notes/3500175-en.pdf

VPN WITH CERTIFICATES
VPN WITH CERTIFICATES (1/6)
PKI Operations
# Create a CA profile (simplified, with CRL checking disabled)
set security pki ca-profile ca-profile-ipsec ca-identity xyz.com
set security pki ca-profile ca-profile-ipsec revocation-check disable

# Create a key pair
request security pki generate-key-pair certificate-id ca-ipsec size 1024

# Create a certificate request for the local device certificate
request security pki generate-certificate-request certificate-id ca-ipsec subject "CN=srx210-bot,OU=IT,L=LAB" ip-address 10.1.0.1 domain-name srx210-bot.xyz.com

Copy the output of the above command to a file and use it as the signing request for your CA.

It is very important to define an X509v3 Subject Alternative Name. JUNOS supports ip-address, domain-name and email. In this request we define an ip-address and the domain-name. This attribute is used as the IKE-ID and has to match the IKE configuration.

The signing CA has to support the X509v3 Subject Alternative Name, i.e. it must copy the extension from the request into the certificate. E.g. for OpenSSL you have to modify the file openssl.cnf (CA section) in this way:

# Extension copying option: use with caution.
copy_extensions = copy

VPN WITH CERTIFICATES (2/6)
Copy the signed certificate and the CA root certificate from the CA to SRX file system.

# Load the signed certificate from the file system
request security pki local-certificate load certificate-id ca-ipsec filename /var/tmp/certnew.cer

# Load the CA root certificate from the file system (into the CA profile created above)
request security pki ca-certificate load ca-profile ca-profile-ipsec filename /var/tmp/CA-certnew.cer

VPN WITH CERTIFICATES (3/6)
lab@SRX210-bot> show security pki ca-certificate
Certificate identifier: ca-profile-ipsec
Issued to: ic.xyz.com, Issued by: C = US, ST = CA, L = Sunnyvale, O = XYZ, OU = IT, CN = ic.xyz.com,
emailAddress = user@xyz.com
Validity:
Not before: 09-18-2009 13:25
Not after: 10-27-2013 13:25
Public key algorithm: rsaEncryption(1024 bits)

lab@SRX210-bot> show security pki local-certificate detail
Certificate identifier: ca-ipsec
Certificate version: 3
Serial number: 00000010
Issuer:
Organization: XYZ, Organizational unit: IT, Country: US, State: CA, Locality: Sunnyvale,
Common name: ic.xyz.com
Subject:
Organizational unit: IT, Locality: LAB, Common name: srx210-bot
Alternate subject: email empty, srx210-bot.xyz.com, 10.1.0.1
Validity:
Not before: 12-28-2010 13:17
Not after: 02- 5-2015 13:17
Public key algorithm: rsaEncryption(1024 bits)
30:81:89:02:81:81:00:aa:e8:f0:49:0f:0d:28:9e:71:5b:a7:c1:64

bc:b2:7f:6c:26:f3:8c:54:dc:2b:7f:3d:64:0d:09:02:03:01:00:01
Signature algorithm: sha1WithRSAEncryption
Fingerprint:
28:1d:f4:b6:96:41:8d:13:fa:dd:7d:fd:26:ed:2b:53:15:88:bd:97 (sha1)
e3:1b:af:db:e7:e9:90:99:5a:c7:ac:d4:e2:ef:2a:da (md5)
Auto-re-enrollment:
Status: Disabled
Next trigger time: Timer not started

VPN WITH CERTIFICATES (4/6)
VPN Configuration
# Create IKE proposal
set security ike proposal P1-AES-CERT authentication-method rsa-signatures
set security ike proposal P1-AES-CERT dh-group group2
set security ike proposal P1-AES-CERT authentication-algorithm sha1
set security ike proposal P1-AES-CERT encryption-algorithm aes-256-cbc

# Create IKE policy
set security ike policy ike-policy-1 mode main
set security ike policy ike-policy-1 proposals P1-AES-CERT
set security ike policy ike-policy-1 certificate local-certificate ca-ipsec
set security ike policy ike-policy-1 certificate trusted-ca use-all
set security ike policy ike-policy-1 certificate peer-certificate-type x509-signature

# Create IKE gateway
set security ike gateway srx210-top ike-policy ike-policy-1
set security ike gateway srx210-top address 10.1.0.10
set security ike gateway srx210-top local-identity inet 10.0.1.10
set security ike gateway srx210-top external-interface ge-0/0/1.0

The local-identity has to match the X509v3 Subject Alternative Name of the gateway's local certificate, because it is used as the IKE-ID.
Since 10.2 there is a hidden command set security ike gateway srx210-top general-ikeid to ignore an IKE-ID mismatch. Nevertheless the certificate needs an X509v3 Subject Alternative Name to get Phase 1 up.

The IPSec configuration is the same as with preshared keys.
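The IKE-ID versus SAN rule above is the usual reason a certificate-based Phase 1 fails, so here is a check for it as an added example (it is not part of the Jump Station and not Juniper code). It parses the "Alternate subject" line of show security pki local-certificate detail, as shown on slide 3/6, and reports whether a configured local-identity is covered. The layout of that line (comma separated, "<type> empty" for an absent entry, bare entries told apart by their shape) is an assumption taken from the output on this page; the sample text is constructed from it. Run against the page's own values, the check would flag the gateway above: its local-identity is inet 10.0.1.10, while the certificate's SAN carries 10.1.0.1.

```python
# Added example (not part of the Jump Station, not Juniper code): check that the
# IKE local-identity is covered by the local certificate's Subject Alternative Name.
import ipaddress
import re

# Constructed sample, shaped like "show security pki local-certificate detail" on slide 3/6
SHOW_LOCAL_CERT = """\
Certificate identifier: ca-ipsec
Certificate version: 3
Subject:
Organizational unit: IT, Locality: LAB, Common name: srx210-bot
Alternate subject: email empty, srx210-bot.xyz.com, 10.1.0.1
Validity:
Not before: 12-28-2010 13:17
Not after: 02- 5-2015 13:17
"""


def parse_alternate_subject(show_output):
    """Return the SAN entries keyed by the local-identity keyword they correspond to.
    Assumed format (from the slide's output): comma separated entries, '<type> empty'
    for an absent entry, bare entries told apart by shape (IP, user@host, hostname)."""
    san = {"inet": set(), "hostname": set(), "user-at-hostname": set()}
    m = re.search(r"^Alternate subject:\s*(.*)$", show_output, re.MULTILINE)
    if not m:
        return san
    for item in (s.strip() for s in m.group(1).split(",")):
        if not item or item.endswith(" empty"):
            continue
        try:
            san["inet"].add(str(ipaddress.ip_address(item)))
            continue
        except ValueError:
            pass  # not an IP address: hostname or e-mail style entry
        if "@" in item:
            san["user-at-hostname"].add(item.lower())
        else:
            san["hostname"].add(item.lower())
    return san


def ike_id_matches_san(identity_type, identity_value, show_output):
    """identity_type is the keyword after 'local-identity' (inet, hostname, user-at-hostname).
    Returns True when the value appears among the SAN entries of that type."""
    san = parse_alternate_subject(show_output)
    if identity_type not in san:
        raise ValueError("unsupported local-identity type: " + identity_type)
    if identity_type == "inet":
        value = str(ipaddress.ip_address(identity_value))  # normalises the textual form
    else:
        value = identity_value.lower()  # DNS names and mail addresses compare case-insensitively
    return value in san[identity_type]


def check_gateway(local_identity, show_output):
    """local_identity as written in the config, e.g. 'inet 10.1.0.1'; returns (ok, message)."""
    id_type, id_value = local_identity.split(None, 1)
    ok = ike_id_matches_san(id_type, id_value, show_output)
    san = parse_alternate_subject(show_output)
    msg = "IKE-ID %s %s %s SAN entries %s" % (
        id_type, id_value, "found in" if ok else "NOT in", sorted(san[id_type]))
    return ok, msg


if __name__ == "__main__":
    for ident in ("inet 10.1.0.1", "inet 10.0.1.10", "hostname srx210-bot.xyz.com"):
        print(check_gateway(ident, SHOW_LOCAL_CERT)[1])
```

Feed the function the real show output and the local-identity line from the gateway configuration; a False result before the tunnel is even attempted saves a round of kmd tracing.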


VPN WITH CERTIFICATES (5/6)
Advanced Features CRL-Checking and SCEP Auto-enrollment
# Create CA profile with CRL checking and SCEP
set security pki ca-profile RSA_CA_LAB ca-identity RSA-CA
set security pki ca-profile RSA_CA_LAB enrollment url https://10.100.160.59:446/aca4eeb14189074335ac14b30259698fa8862b66/pkiclient.exe
set security pki ca-profile RSA_CA_LAB revocation-check crl url http://10.100.160.59:447/RSA-CA.crl
set security pki ca-profile RSA_CA_LAB revocation-check crl refresh-interval 24

set security pki auto-re-enrollment certificate-id SRX-210-HQ ca-profile-name RSA_CA_LAB
set security pki auto-re-enrollment certificate-id SRX-210-HQ challenge-password "$9$3qaq6/t0ORSyKu0LxdVY2"
set security pki auto-re-enrollment certificate-id SRX-210-HQ re-enroll-trigger-time-percentage 5

VPN WITH CERTIFICATES (6/6)
root@SRX-210-HQ-1> show security pki crl detail | no-more

CA profile: RSA_CA_LAB
CRL version: V00000001
CRL issuer: C = CH, O = SA, OU = Security, CN = RSA-CA
Effective date: 11- 9-2010 13:54
Next update: 11-10-2010 13:54
Revocation List:
Serial number Revocation date
1b9433a6682555883abf042c15e602da 06-10-2010 07:54
21fffde9d68115b3d9335a97c8744b46 11- 9-2010 13:30
4a5c1a9e624cd522b49f0485272c42b4 06-10-2010 08:28
4de41accc7e4cc606a1dad93cb510092 06-22-2010 06:31
59304b23b9e6f80abd9fe0325af16b80 06- 9-2010 14:16
5b336a94660f5a69e00b48af9662b71d 11- 8-2010 17:36
678a297eccfe78ab0d693ff162e8cdf4 06- 9-2010 15:01
6bf7aff47f68f8687a1f14f0df2b014a 11- 8-2010 15:48
6f4168f96a06957ac769be5465f753a2 06- 9-2010 15:09
8610479e69f64eb08972b27bba24365a 06-10-2010 07:47
89ac59d9df40954feac5c57e4d0739a2 11- 9-2010 13:31
bec78a93e4101f71c782784b34c33ef4 11- 9-2010 10:47
cadd34f4f77f5042198792dd02cbcb1a 06-22-2010 07:35
e87b6aa7ea5562ecdd1379e51bb02ba8 06- 9-2010 13:24

VPN DIAGNOSTICS
IPSEC VPN
MONITORING AND TROUBLESHOOTING (1)
### Ping through the VPN - sometimes you have to alter the source interface
# or the routing-instance to get the ping into the tunnel
ping 192.168.1.1 [routing-instance xx] interface fe-0/0/7.0

### Monitoring
# Phase 1 - Cookies
show security ike security-associations
# Phase 2 - Security Associations
show security ipsec security-associations
# IPSEC and Interface Statistics
show security ipsec statistics
show interfaces st0 [terse|detail]
# Manually Clear Tunnels
clear security ike
clear security ipsec
# Logs and Traces are per Default written to File kmd
file show /var/log/kmd | last

### JUNOS 11.4 and 12.1X44 have several improvements for IPSEC troubleshooting
# 1. extend Output for show security ike|ipsec security-associations
# 2. start debugging for a certain session without commit, write output to kmd
request security ike debug-enable local 10.1.1.10 remote 10.1.1.30 level 15
request security ike debug-disable
show security ike debug-status
# 3. Inactive Tunnel information
show security ipsec inactive-tunnels

IPSEC VPN
MONITORING AND TROUBLESHOOTING (2)

Tunnel interface up/down is logged in syslog
Jul 29 11:34:08 192.168.1.1 Jul 29 11:34:08 mib2d[921]: SNMP_TRAP_LINK_UP:
ifIndex 253, ifAdminStatus up(1), ifOperStatus up(1), ifName st0.0
Jul 29 11:34:08 192.168.1.1 Jul 29 11:34:08 rpd[897]: EVENT UpDown st0.0 index 80
<Up Broadcast PointToPoint Multicast>
Jul 29 11:34:08 192.168.1.1 Jul 29 11:34:08 srx650-1 IFP trace>
ifp_ifl_anydown_change_event: IFL anydown change event: "st0.0"

If more details are required, use an IKE trace file
set security ike traceoptions file VPNtrace
set security ike traceoptions file files 3
set security ike traceoptions file size 1m
set security ike traceoptions flag ike
set security ike traceoptions flag policy-manager

IPSEC VPN
MONITORING AND TROUBLESHOOTING (3)
Example Output from IKE trace file
Jul 29 12:32:39 ike_st_o_all_done: MESSAGE: Phase 1 { 0x4a583c5c adb05f96 -
0xebace718 6f0a0626 } / 00000000, version = 1.0, xchg = Identity protect,
auth_method = Pre shared keys, Initiator, cipher = aes-cbc, hash = sha1, prf =
hmac-sha1, life = 0 kB / 3600 sec, key len
Jul 29 12:32:39 10.2.1.1:500 (Initiator) <-> 10.2.1.100:500 { 4a583c5c adb05f96 -
ebace718 6f0a0626 [-1] / 0x00000000 } IP; MESSAGE: Phase 1 version = 1.0,
auth_method = Pre shared keys, cipher = aes-cbc, hash = sha1, prf = hmac-sha1,
life = 0 kB / 3600 sec, key len = 12
Jul 29 12:32:39 10.2.1.1:500 (Initiator) <-> 10.2.1.100:500 { 4a583c5c adb05f96 -
ebace718 6f0a0626 [0] / 0x774c39de } QM; MESSAGE: Phase 2 connection succeeded,
Using PFS, group = 2
Jul 29 12:32:39 ike_qm_call_callback: MESSAGE: Phase 2 connection succeeded,
Using PFS, group = 2
Jul 29 12:32:39 10.2.1.1:500 (Initiator) <-> 10.2.1.100:500 { 4a583c5c adb05f96 -
ebace718 6f0a0626 [0] / 0x774c39de } QM; MESSAGE: SA[0][0] = ESP aes, life = 0
kB/28800 sec, group = 2, tunnel, hmac-sha1-96, key len = 128, key rounds = 0
Jul 29 12:32:39 ike_qm_call_callback: MESSAGE: SA[0][0] = ESP aes, life = 0
kB/28800 sec, group = 2, tunnel, hmac-sha1-96, key len = 128, key rounds = 0

# Example output for a proposal mismatch in Phase 2 looks like this:
Jul 29 12:40:25 10.2.1.1:500 (Responder) <-> 10.2.1.100:500 { a0e2f3a5 e02b5e54 -
9b9f2cf3 bf990db6 [0] / 0xf1d579af } QM; Error = No proposal chosen (14)

# Example output for a Proxy-ID mismatch looks like this:
Apr 19 12:47:20 KMD_PM_P2_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-2
[responder] failed for p1_local=ipv4(udp:500,[0..3]=172.16.42.210)
p1_remote=usr@fqdn(udp:500,[0..14]=testvpn@lab.com)
p2_local=ipv4_subnet(any:0,[0..7]=10.0.42.210/24)
p2_remote=ipv4_subnet(any:0,[0..7]=192.16.42.220/24)
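The three kmd outcomes on this slide (Phase 1/2 success, "No proposal chosen", KMD_PM_P2_POLICY_LOOKUP_FAILURE) and the proxy-ID acceptance rule from the ADDITIONAL OPTIONS slide (a more specific peer selector is accepted by a less specific local proxy-id) can be checked mechanically when reading /var/log/kmd. The following Python is an added example, not part of the Jump Station and not JUNOS code: it classifies kmd lines shaped like the ones above and, for a policy lookup failure, parses the peer's Phase 2 selectors and tests whether they fit a configured proxy-identity. The sample lines are constructed from the slide's output; the category names and the interpretation of the rule as subnet containment are assumptions.

```python
# Added example (not part of the Jump Station, not JUNOS code): triage of kmd
# trace lines plus a proxy-identity containment check for Phase 2 selectors.
import ipaddress
import re

# Constructed sample lines, shaped like the kmd output on this slide
SAMPLE_KMD = [
    "Jul 29 12:32:39 ike_st_o_all_done: MESSAGE: Phase 1 { 0x4a583c5c adb05f96 - "
    "0xebace718 6f0a0626 } / 00000000, version = 1.0, xchg = Identity protect, "
    "auth_method = Pre shared keys, Initiator, cipher = aes-cbc, hash = sha1",
    "Jul 29 12:32:39 ike_qm_call_callback: MESSAGE: Phase 2 connection succeeded, "
    "Using PFS, group = 2",
    "Jul 29 12:40:25 10.2.1.1:500 (Responder) <-> 10.2.1.100:500 { a0e2f3a5 e02b5e54 - "
    "9b9f2cf3 bf990db6 [0] / 0xf1d579af } QM; Error = No proposal chosen (14)",
    "Apr 19 12:47:20 KMD_PM_P2_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-2 "
    "[responder] failed for p1_local=ipv4(udp:500,[0..3]=172.16.42.210) "
    "p1_remote=usr@fqdn(udp:500,[0..14]=testvpn@lab.com) "
    "p2_local=ipv4_subnet(any:0,[0..7]=10.0.42.210/24) "
    "p2_remote=ipv4_subnet(any:0,[0..7]=192.16.42.220/24)",
]


def classify(line):
    """Map a kmd line to one of the outcomes discussed on this slide (names are ours)."""
    if "KMD_PM_P2_POLICY_LOOKUP_FAILURE" in line:
        return "proxy-id-mismatch"
    if "No proposal chosen" in line:
        # QM (Quick Mode) marks Phase 2; otherwise the proposals disagreed in Phase 1
        return "phase2-proposal-mismatch" if "QM;" in line else "phase1-proposal-mismatch"
    if "Phase 2 connection succeeded" in line:
        return "phase2-up"
    if "MESSAGE: Phase 1" in line:
        return "phase1-done"
    return "other"


# p2_local=ipv4_subnet(any:0,[0..7]=10.0.42.210/24) ... p2_remote=ipv4_subnet(...=192.16.42.220/24)
_SEL = re.compile(r"p2_local=ipv4_subnet\([^=]*=([\d./]+)\).*?"
                  r"p2_remote=ipv4_subnet\([^=]*=([\d./]+)\)")


def parse_p2_selectors(line):
    """Return (local, remote) networks the peer proposed, or None if the line has none."""
    m = _SEL.search(line)
    if not m:
        return None
    # kmd prints a host address with the prefix length; strict=False masks it to the network
    return (ipaddress.ip_network(m.group(1), strict=False),
            ipaddress.ip_network(m.group(2), strict=False))


def proxy_id_accepts(local_proxy, remote_proxy, line):
    """The slide's rule: a peer selector is accepted when it is equal to or more specific
    than the corresponding locally configured proxy-id (0.0.0.0/0 accepts anything)."""
    sel = parse_p2_selectors(line)
    if sel is None:
        raise ValueError("no Phase 2 selectors in line")
    peer_local, peer_remote = sel
    return (peer_local.subnet_of(ipaddress.ip_network(local_proxy)) and
            peer_remote.subnet_of(ipaddress.ip_network(remote_proxy)))


def triage(lines, local_proxy="0.0.0.0/0", remote_proxy="0.0.0.0/0"):
    """Return (category, hint) per line; the hint explains a policy lookup failure."""
    result = []
    for line in lines:
        cat, hint = classify(line), ""
        if cat == "proxy-id-mismatch":
            peer_local, peer_remote = parse_p2_selectors(line)
            if proxy_id_accepts(local_proxy, remote_proxy, line):
                hint = "selectors fit the configured proxy-id; check policy/VPN binding"
            else:
                hint = "peer proposed %s <-> %s, outside configured %s <-> %s" % (
                    peer_local, peer_remote, local_proxy, remote_proxy)
        result.append((cat, hint))
    return result


if __name__ == "__main__":
    for cat, hint in triage(SAMPLE_KMD, "10.0.42.0/24", "172.16.42.0/24"):
        print(cat, "-", hint)
```

With the default proxy-id (0.0.0.0/0 on both sides) the peer's selectors always fit, so a lookup failure then points at the policy or VPN binding rather than at the proxy-id; with a narrower configured remote such as 172.16.42.0/24 the hint names the offending selector.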
VPN CONFIGURATION AND TROUBLESHOOTING
FLOW CHART WITH KNOWLEDGEBASE ENTRIES

DYNAMIC VPN CLIENT
LICENSING FOR DYNAMIC VPN

By default all Branch SRX include a license for up to 2 connections.
If you need more than 2 connections, there are licenses available.
Licenses are additive (two 5-user licenses will give you access for up to 10 users).
The client is included as part of the JUNOS image and can be downloaded from the SRX. In 11.1 the dynamic VPN client was replaced with the JUNOS Pulse client.

DYNAMIC VPN
NOTES AND LIMITATIONS
The Dynamic VPN feature is available for Branch SRX, not for Datacenter SRX.
The following limitations were removed with 10.4:
Before 10.4 an external Radius server was mandatory for authentication and IP address assignment; local users and IP pools were not supported.
Before 10.4 an IKE gateway was required for each and every VPN user. 10.4 introduces the shared/Group IKE-ID.
Before 10.4 only hostnames were allowed as IKE-ID (no FQDN, no email address).
Before 10.4 access to the authentication page required the public interface to be opened for web management.
In 11.2R3 the capacities for Dynamic VPN were increased:
SRX-RAC-500-LTU for SRX650 - requires JUNOS 11.2R3
SRX-RAC-250-LTU for SRX240 and 650 - requires JUNOS 11.2R3
SRX-RAC-150-LTU for 650/240/220
SRX-RAC-25-LTU for 210/100

DYNAMIC VPN - PREPARATION

The following notes are based on pre-10.4 releases. You should rather use the latest, excellent configuration example from
http://kb.juniper.net/index?page=content&id=KB14318
Since 11.4 J-Web offers a wizard to complete the configuration.
There is also a good troubleshooting guide at
http://kb.juniper.net/KB17220
# Set the correct time zone, date and time (NTP)
set system time-zone Europe/Berlin

# In operational mode
srx> set date YYYYMMDDhhmm.ss or
srx> set date ntp de.pool.ntp.org
27 Apr 16:10:48 ntpdate[981]: step time server 213.61.224.44 offset 0.000876 sec

# Use this configuration statement to activate a self-signed certificate (unless you have a signed one)
set system services web-management https system-generated-certificate

# And enable https traffic in the desired zone (or on the desired interface)
set security zones security-zone untrust host-inbound-traffic system-services https

# Since 10.3: if an interface accepts dynamic-vpn connections, all http traffic is redirected to
# https://<ip>/dynamic-vpn, so you can no longer manage the device on this interface unless you
# specify a management URL (see KB19411)
set system services web-management management-url admin

VPN CONFIGURATION

Enable IKE traffic on the untrust interface
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ike

Define Phase 1 proposal
set security ike proposal P1-Dynamic-AES authentication-method pre-shared-keys
set security ike proposal P1-Dynamic-AES dh-group group2
set security ike proposal P1-Dynamic-AES authentication-algorithm sha1
set security ike proposal P1-Dynamic-AES encryption-algorithm aes-128-cbc

Define Phase 2 proposal
set security ipsec proposal P2-Dynamic-AES protocol esp
set security ipsec proposal P2-Dynamic-AES authentication-algorithm hmac-sha1-96
set security ipsec proposal P2-Dynamic-AES encryption-algorithm aes-128-cbc

VPN CONFIGURATION

Phase 1 - Gateway definition
set security ike policy dynvpn mode aggressive
set security ike policy dynvpn proposals P1-Dynamic-AES
set security ike policy dynvpn pre-shared-key ascii-text juniper
set security ike gateway gw-dyn dynamic hostname dynvpn.juniper.net
set security ike gateway gw-dyn external-interface ge-0/0/1.0
set security ike gateway gw-dyn ike-policy dynvpn
set security ike gateway gw-dyn xauth access-profile vpn-users

Phase 2 - VPN definition
set security ipsec policy dynvpn proposals P2-Dynamic-AES
set security ipsec policy dynvpn perfect-forward-secrecy keys group2
set security ipsec vpn ipsec-dyn ike gateway gw-dyn
set security ipsec vpn ipsec-dyn ike ipsec-policy dynvpn

VPN CONFIGURATION

Add an access profile and user definitions for the IPSEC client authentication (used with xauth)
# Create a profile
set access profile vpn-users authentication-order password

# Add two users to this profile
set access profile vpn-users client thomas firewall-user password secret1
set access profile vpn-users client peter firewall-user password secret2

# The above definition with local users may work, but officially we
# currently support xauth in IPSEC only together with Radius authentication
set access profile radius_profile authentication-order radius
set access profile radius_profile radius-server 10.204.129.50 secret xxx

Allow the same users from the local profile to log in for the IPSEC client download
# Use the profile as the default for pass-through firewall authentication
set access firewall-authentication pass-through default-profile vpn-users

VPN CONFIGURATION

Prepare a policy to permit the clients' traffic
# Install a policy for VPN clients
edit security policies from-zone untrust to-zone trust policy policy-dynvpn
set match source-address any
set match destination-address any
set match application any
set then permit tunnel ipsec-vpn ipsec-dyn
set then log session-close
exit

# And move it to the beginning
edit security policies from-zone untrust to-zone trust
insert policy policy-dynvpn before policy default-permit
exit

VPN CONFIGURATION

Prepare the security policy to be delivered to the client
# Upgrade policy for VPN clients (if the local policy of the client is newer)
set security dynamic-vpn force-upgrade

# User profile for loading the client
set security dynamic-vpn access-profile vpn-users

# Destinations that are reachable through the VPN
set security dynamic-vpn clients client-1 remote-protected-resources 192.168.1.0/24
# Destinations that are reachable without going through the VPN
set security dynamic-vpn clients client-1 remote-exceptions 0.0.0.0/0

# VPN definitions and proposals used
set security dynamic-vpn clients client-1 ipsec-vpn ipsec-dyn

# Users that may log in with this profile
set security dynamic-vpn clients client-1 user thomas
set security dynamic-vpn clients client-1 user peter

LOGIN TO DOWNLOAD VPN CLIENT

URL is https://<SRXIP>/dynamic-vpn/

LOGIN TO DOWNLOAD VPN CLIENT

XAUTH - ACCESS MANAGER PROMPTS FOR USERNAME

ACCESS MANAGER WHEN TUNNEL IS ESTABLISHED

MANAGEMENT, LOGGING, MONITORING
ADMIN USERS AND MANAGEMENT ACCESS
ADMIN USERS
Set the password of the root user
root> configure
root# set system root-authentication plain-text-password
New password:
Retype new password:
Add another User

root# set system login user netscreen class super-user authentication plain-text-password
New password:
Retype new password:

USER ROLES
# Predefined user roles
lab@srx5600# set system login user <username> class ?
Possible completions:
<class> Login class
operator permissions [ clear network reset trace view ]
read-only permissions [ view ]
super-user permissions [ all ]
unauthorized permissions [ none ]
[edit]

# Define a new user role - it is even possible to restrict or permit individual commands
root# set system login class new-role ?
Possible completions:
allow-commands Regular expression for commands to allow explicitly
allow-configuration Regular expression for configure to allow explicitly
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
deny-commands Regular expression for commands to deny explicitly
deny-configuration Regular expression for configure to deny explicitly
idle-timeout Maximum idle time before logout (minutes)
login-alarms Display system alarms when logging in
login-script Execute this login-script when logging in
login-tip Display tip when logging in
+ permissions Set of permitted operation categories
[edit]

CUSTOM ADMINISTRATOR CLASS
# Example for an Admin Class that can configure only certain policies
edit system login class AREA1
set permissions configure
set allow-configuration routing-instances VR-1
set allow-configuration security policies from-zone trust-1 to-zone untrust-1
set allow-configuration security policies from-zone untrust-1 to-zone trust-1
set allow-configuration security zones security-zone trust-1
set allow-configuration security zones security-zone untrust-1
top

edit system login user admin1
set class AREA1
set authentication encrypted-password "$1$6xZjWBto$6PBu4Yf17rMgd.Gm3OGUo/"
top

RADIUS
# Define server IP, port and shared secret
set system radius-server 10.0.0.100 port 1812 secret abc

# Define authentication order
set system authentication-order password
set system authentication-order radius

# Specify the source IP, useful when using VPN tunnels or a non-fxp0 interface
set system radius-server 172.30.81.141 source-address 172.30.80.11

# Assign a class to the remotely authenticated users
# By default all Radius users are mapped to user "remote"
set system login user remote full-name "All Remote Users"
set system login user remote class operator
......
# untested - connection timeout 30 minutes
root# set system login class remote idle-timeout 30

# Online help
help topic system server-radius
help topic system radius

TACACS+
# Define server IP and shared secret
set system tacplus-server address 172.16.30.1 secret Tacacssecret1

# Define authentication order (local users first; then tacplus)
set system authentication-order password
insert system authentication-order tacplus after password

# Specify the source IP, useful when using VPN tunnels or a non-fxp0 interface
set system tacplus-server 172.16.30.1 source-address 10.0.0.1

# Assign a class to the remotely authenticated users
# By default all Tacacs+ users are mapped to user "remote"
set system login user remote full-name "All Remote Users"
set system login user remote class operator

# Set the connection timeout for users of this class to 30 minutes
root# set system login class remote idle-timeout 30

# Online help
help topic system tacplus

COOPERATION WITH OTHER USERS ON THE CLI
# Show which other users are currently logged in on the CLI
show system users

# Write a message to all users
request message all message "Anybody logged in ? Please respond with request message"

# Drop a user
request system logout user <user>

# Drop a connection on a certain terminal (terminal names as listed by "show system users")
request system logout terminal <terminal>

# Lock the configuration against other edits
configure exclusive

# Display a message before login
set system login message "Unauthorized Access is prohibited"

# Display a message after login
set system login announcement "Don't Forget !!!\nUpgrade is scheduled for Friday noon"

RESTRICTING MANAGEMENT ACCESS
MANAGEMENT ACCESS OVERVIEW
Current State and Changes over Time
Individual protocols must be enabled/disabled per zone or interface (host-inbound-traffic).
Stateless firewall filters can be applied to interfaces to restrict protocols or source IPs.
Since JUNOS 11.4 self-traffic policies (firewall policies with zone junos-host) are the easiest way to restrict management traffic. They also allow all available inspection techniques (AppFW, AppTrack, IDP ..) to be used on management traffic.

PERMIT/RESTRICT MANAGEMENT ACCESS
# First the desired service must be running. By default only some services are started
# Defaults from JUNOS 9.6 are written in Bold
set system services ssh
set system services web-management http interface ge-0/0/0.0
set system services telnet
set system services ftp

# HTTPS access may use a self-signed certificate
# Set date and time first (in operational mode) before you activate the self-signed certificate
srx> set date YYYYMMDDhhmm.ss or
srx> set date ntp de.pool.ntp.org
27 Apr 16:10:48 ntpdate[981]: step time server 213.61.224.44 offset 0.000876 sec

# Use this configuration statement to activate a self-signed certificate (unless you have a signed one)
set system services web-management https system-generated-certificate

# Finally you can specify the allowed services and protocols per zone
edit security zones security-zone trust host-inbound-traffic
set system-services all
set protocols all
top
# or per interface. Per-interface definitions override all per-zone permissions
edit security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic
set system-services https
set system-services ssh
set system-services ping
top

RESTRICT SOURCES FOR MANAGEMENT ACCESS
Before 11.4 management access from certain source IPs had to be restricted
with a stateless firewall filter. The filter can be tied to each interface where
host-inbound-traffic is permitted, or directly to the loopback interface lo0.0
# Example to restrict access to the Routing Engine to a certain subnet

# A first term specifies the permitted sources
set firewall family inet filter PROTECT-RE term 1 from source-address 192.168.42.0/24
set firewall family inet filter PROTECT-RE term 1 from source-address <CUSTOMER-NETWORK/24>
set firewall family inet filter PROTECT-RE term 1 then accept

# A second term can be used to count all other attempts and fall through to the last term
set firewall family inet filter PROTECT-RE term 2 from source-address 0.0.0.0/0
set firewall family inet filter PROTECT-RE term 2 then count ACCESS-ATTEMPT-RE
set firewall family inet filter PROTECT-RE term 2 then next term

# A third term can be written to drop all other attempts (but this is the default already,
# because every filter ends with an implicit "discard all" term; reject additionally sends an ICMP message)
set firewall family inet filter PROTECT-RE term 3 from source-address 0.0.0.0/0
set firewall family inet filter PROTECT-RE term 3 then reject

# Now we are ready to assign the filter to an interface
# If you bind the filter to lo0.0 the filter is applied to incoming traffic from all interfaces
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
# To protect the out-of-band management interface fxp0 you need to assign the filter there explicitly
set interfaces fxp0 unit 0 family inet filter input PROTECT-RE

# To monitor access attempts you can later use the counter with the following command
show firewall filter PROTECT-RE counter ACCESS-ATTEMPT-RE

A TEMPLATE FOR MANAGEMENT ACCESS
# Firewall filter example to restrict management access

edit firewall filter RE_Protection
set term in-ssh from source-address <trusted host or network>
set term in-ssh from protocol tcp
set term in-ssh from destination-port ssh
set term in-ssh then accept
set term snmp from source-address <SNMP Poller>
set term snmp from protocol udp
set term snmp from port snmp
set term snmp then accept
set term ntp from source-address <NTP SERVER>/32
set term ntp from protocol udp
set term ntp from port ntp
set term ntp then accept
set term deny-any-other-ssh from protocol tcp
set term deny-any-other-ssh from port ssh
set term deny-any-other-ssh from port telnet
set term deny-any-other-ssh from port ftp
set term deny-any-other-ssh from port ftp-data
set term deny-any-other-ssh then discard
set term deny-any-other-udp from protocol udp
set term deny-any-other-udp from port snmp
set term deny-any-other-udp from port snmptrap
set term deny-any-other-udp from port ntp
set term deny-any-other-udp then discard
set term allow-everything-else then accept
top
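The two filters above (PROTECT-RE and the RE_Protection template) rely on the same evaluation rules: terms are walked in order, the first matching terminating term decides, "next term" only counts and falls through, and whatever matches nothing is discarded by the implicit final term. The following Python model of those rules is an added example (it is not code from the page or from Juniper) that evaluates a filter modelled on the RE_Protection template against a few constructed packets; the prefixes 192.168.42.0/24, 10.0.0.3 and 10.0.0.7 are constructed stand-ins for the template's placeholders, and the counting term is added in the style of PROTECT-RE term 2.

```python
import ipaddress

# Actions a term can take; "next term" falls through to the following term.
ACCEPT, DISCARD, REJECT, NEXT_TERM = "accept", "discard", "reject", "next term"


def term(name, then, count=None, **match):
    """One filter term. Supported match keys: source_address (list of prefixes),
    protocol (list of names), destination_port (list of ints), port (list of ints,
    matches source or destination port). No match keys means "match everything"."""
    return {"name": name, "then": then, "count": count, "match": match}


def term_matches(t, pkt):
    """All configured match conditions must hold (AND); values within one
    condition are alternatives (OR), as in a JUNOS firewall filter term."""
    m = t["match"]
    src = ipaddress.ip_address(pkt["src"])
    if "source_address" in m and not any(src in ipaddress.ip_network(p) for p in m["source_address"]):
        return False
    if "protocol" in m and pkt["proto"] not in m["protocol"]:
        return False
    if "destination_port" in m and pkt["dport"] not in m["destination_port"]:
        return False
    if "port" in m and pkt["sport"] not in m["port"] and pkt["dport"] not in m["port"]:
        return False
    return True


def evaluate(terms, pkt, counters):
    """Walk the terms in order, first match wins; 'next term' keeps walking.
    A packet that matches no terminating term hits the implicit final discard."""
    for t in terms:
        if not term_matches(t, pkt):
            continue
        if t["count"]:
            counters[t["count"]] = counters.get(t["count"], 0) + 1
        if t["then"] == NEXT_TERM:
            continue
        return t["then"]
    return DISCARD


# Filter modelled on the RE_Protection template. The prefixes are constructed
# placeholders for the template's <...> values, not addresses from the page.
TRUSTED_NET = "192.168.42.0/24"   # <trusted host or network>
SNMP_POLLER = "10.0.0.3/32"       # <SNMP Poller>
NTP_SERVER = "10.0.0.7/32"        # <NTP SERVER>/32

RE_PROTECTION = [
    term("in-ssh", ACCEPT, source_address=[TRUSTED_NET], protocol=["tcp"], destination_port=[22]),
    term("snmp", ACCEPT, source_address=[SNMP_POLLER], protocol=["udp"], port=[161]),
    term("ntp", ACCEPT, source_address=[NTP_SERVER], protocol=["udp"], port=[123]),
    # Counting pass-through term in the style of PROTECT-RE term 2: counts
    # untrusted SSH attempts, then falls through to the deny terms below.
    term("count-ssh-attempts", NEXT_TERM, count="ACCESS-ATTEMPT-RE", protocol=["tcp"], port=[22]),
    term("deny-any-other-ssh", DISCARD, protocol=["tcp"], port=[22, 23, 21, 20]),
    term("deny-any-other-udp", DISCARD, protocol=["udp"], port=[161, 162, 123]),
    term("allow-everything-else", ACCEPT),
]


def pkt(src, proto, sport, dport):
    return {"src": src, "proto": proto, "sport": sport, "dport": dport}


def run_samples(terms=RE_PROTECTION):
    """Evaluate a handful of constructed packets; return verdicts and counters."""
    counters = {}
    samples = {
        "trusted-ssh": pkt("192.168.42.10", "tcp", 51000, 22),
        "untrusted-ssh": pkt("203.0.113.5", "tcp", 51001, 22),
        "poller-snmp": pkt("10.0.0.3", "udp", 40000, 161),
        "untrusted-snmp": pkt("203.0.113.5", "udp", 40001, 161),
        "untrusted-https": pkt("203.0.113.5", "tcp", 51002, 443),
    }
    verdicts = {name: evaluate(terms, p, counters) for name, p in samples.items()}
    return verdicts, counters


if __name__ == "__main__":
    verdicts, counters = run_samples()
    for name, verdict in verdicts.items():
        print(f"{name:16} -> {verdict}")
    print("counters:", counters)
```

Dropping the final allow-everything-else term from the list shows the implicit discard: the HTTPS packet is then dropped even though no term mentions it, which is why the PROTECT-RE example notes that its third term is redundant.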

SELF TRAFFIC FIREWALL POLICIES
# Beginning with JUNOS 11.4, traffic from and to the SRX itself
# can be permitted or denied with security policies.
# This uses the new security zone "junos-host"
#
# Self-traffic is anything from/to the RE via any of the local interfaces
#
# By default all traffic from/to zone junos-host is permitted

# Example: Log and tunnel outbound traffic
edit security policies from-zone junos-host to-zone zone-untrust policy LOG
set match ......
set then permit tunnel
set then log session-close
top

# Example: IDP for inbound traffic
edit security policies from-zone zone-untrust to-zone junos-host policy INSPECT
set match ......
set then permit application-services idp
set then log session-close
top

IN-BAND OR OUT-BAND MANAGEMENT

IN-BAND OR OUT-BAND MANAGEMENT
What is the difference?
Out-band management connections use the dedicated management interface fxp0

In-band management connections use an interface which is also used to forward traffic (for
example ge-x/x/x, fe-x/x/x or rethx)

What are the advantages and disadvantages?

Out-band Management through fxp0
In an HA cluster fxp0 is the only interface which is reachable on the passive node
fxp0 is attached to the default virtual router inet.0
fxp0 is attached to the control plane; no traffic can be forwarded from any other interface to fxp0
In stream mode, which is required for high performance logging, security logs can not be
sent out via fxp0

In-band Management
In HA clusters the passive node can not communicate on any in-band management
interface: direct access, monitoring, delivery of software updates, scripts and attack
database updates for this node are not possible and require workarounds
In-band management interfaces can be assigned to any virtual router
In-band interfaces allow high performance logging (stream mode)

WHICH WAY SHOULD I CHOOSE?
Out-band Management is preferred
for any Datacenter SRX cluster, because NSM management of these SRX as a virtual chassis is not possible
for any Branch SRX cluster installation where the management systems can connect directly to
the fxp0 interfaces, i.e. are on the same side of the firewall as the management interfaces (see
the slides on the next pages for details)

In-band Management is preferred
in all Branch SRX installations which are not clusters
in all Branch SRX cluster installations where the central management system is at a central
position and has to cross the primary SRX first before it can even reach the fxp0 interface of
the passive cluster member
Hint for clusters: the Virtual Chassis Management option is required for NSM to add the cluster with a
single in-band management connection.
Hint for clusters: when using in-band management you can leave the fxp0 interfaces on both
members completely unconfigured

IN-BAND MANAGEMENT
UPDATES FOR THE PASSIVE NODE
When in-band management is used, the second node is not directly reachable for management.
This can cause issues for some operations

Software Updates
Use the ISSU and LICU cluster upgrade procedures. The image only needs to be copied to the
primary device; it is automatically copied to the secondary device

Attack Database Updates
Use JUNOS 11.4 or higher. When attack database updates are installed, they are automatically
updated on the backup node

Script Installations
Before they can be enabled in the configuration (commit) the scripts must be installed on both nodes.
To achieve this, upload the scripts to the primary node first, then copy them manually to the secondary node

Hint: How to get from one node of a cluster to the other node?
If the fxp0 interfaces are connected, simply use ssh to the fxp0 address of the second node
On Branch SRX use "request routing-engine login node x"
On Datacenter SRX use the shell command "rlogin -Ji nodex"

WHETHER IN-BAND OR OUT-BAND IS PREFERRED DEPENDS
ON THE POSITION OF THE MANAGEMENT SYSTEM
Example Setup: SRX650 cluster with all interfaces

[Diagram] Node 1: reth0 = ge-1/0/0 (untrust), reth1 = ge-1/0/1 (trust), fxp0 = ge-0/0/0 with 10.0.0.1, control link ge-0/0/1.
Node 2: reth0 = ge-8/0/0 (untrust), reth1 = ge-8/0/1 (trust), fxp0 = ge-0/0/0 with 10.0.0.2, control link ge-0/0/1.
Cluster IP 20.0.0.1 on reth0 (untrust side), cluster IP 30.0.0.1 on reth1 (trust side).

MANAGEMENT ON THE SAME NETWORK AS FXP0
OUT-BAND MANAGEMENT IS RECOMMENDED

No changes required, the setup works immediately
NSM or Space can establish an SSH connection to both devices
The "Add Device" workflow is possible
Both cluster members use fxp0 to reach the management system

[Diagram] fxp0 (node1) = ge-0/0/0, 10.0.0.1; fxp0 (node2) = ge-7/0/0, 10.0.0.2; NSM or Space at 10.0.0.3 on the same network.

MANAGEMENT ON A DIFFERENT NETWORK THAN FXP0
BUT STILL ON THE SAME FIREWALL SIDE
OUT-BAND MANAGEMENT IS RECOMMENDED

Hint for Out-band Management:
Both nodes need a backup route
set groups node.. system backup-router destination 40.0.0.3/32 next-hop ....

[Diagram] fxp0 (node1) = ge-0/0/0, 10.0.0.1; fxp0 (node2) = ge-7/0/0, 10.0.0.2; router IPs 30.0.0.254 and 10.0.0.254 (fxp0 network); router IP 40.0.0.254 in front of NSM or Space at 40.0.0.3.

MANAGEMENT ON THE EXTERNAL SIDE OF THE FIREWALL
IN-BAND MANAGEMENT IS RECOMMENDED
OUT-BAND MANAGEMENT REQUIRES MORE COMPLEX ROUTING, AND DURING A CLUSTER
FAILOVER (RG0) THE MANAGEMENT CONNECTIONS HAVE TO BE REESTABLISHED

Hints for In-band Management:
- There is only one connection between the SRX and the management system (using reth0 of the
active node)
- For NSM use the Virtual Chassis Management option
- For Space add just the active node

Hints for Out-band Management:
- Use several VRs on the SRX. fxp0 must stay in inet.0, all other interfaces go to another VR.
- If you have IKE traffic this requires JUNOS 10.4 or higher to terminate IKE in a custom VR.
- Both nodes need a backup route:
set groups node.. system backup-router destination 172.16.42.9/32 next-hop ...

[Diagram] NSM or Space at 172.16.42.9 on the untrust side; cluster IP 20.0.0.1 on reth0 (ge-1/0/0, untrust);
cluster IP 30.0.0.1 on reth1 (ge-1/0/1, trust); fxp0 (node2) = ge-7/0/0 with 10.0.0.2; router IPs 30.0.0.254 and 10.0.0.254.

LOGGING WITH SYSLOG
SRX LOGGING INFRASTRUCTURE
SRX logs can come from two different sources
From the control plane (management, routing daemons ...)
From the data plane (firewall, IDP, AppFirewall, UTM, VPN ...)

Control plane logs (same behavior on all JUNOS devices)
They can be stored in local files, sent to syslog servers or to NSM
Syslog and NSM connections can leave the SRX via forwarding interfaces or the fxp0 management
interface; this is a normal routing decision

Data plane logs on the Branch SRX
By default data plane logs are sent to the Routing Engine (event mode)
From there they can be stored in local files, sent to NSM and sent to syslog servers

Data plane logs on the Datacenter SRX
Data plane logs are created on each of the SPCs
Each SPC can create a maximum of 40K logs / sec
By default data plane logs are not sent anywhere,
they are not even sent to the Routing Engine

WHERE IS THE CHALLENGE?

You have two options to send data plane logs (firewall, IDP, UTM, AppSecure ...)

Event Mode Logging
All data plane logs are sent to the Routing Engine and are forwarded from there
This is the default configuration for Branch SRX
Event mode logging can be used if log rates are low
To avoid RE overload, rate limits are in place; these will drop logs in event mode

Stream Mode Logging
Data plane logs are not sent to the Routing Engine
Data plane logs can leave the device from every interface
(except fxp0, which is tied to the Routing Engine)
This is the default configuration for Datacenter SRX
Stream mode logging is mandatory for high log rates

STREAM MODE
LOGGING TO STRM, OR A SYSLOG SERVER

[Diagram] Control plane (process logs) and data plane (process logs) both send to STRM (syslog server).

On a single SRX
- Control plane and data plane logs
can use the same egress interface

On an SRX cluster
- Control plane logs come from the
management interface fxp0
- Data plane logs need another
interface



EVENT MODE
LOGGING TO NSM 1)

[Diagram] Control plane (process logs), data plane (process logs), NSM, STRM (syslog server).

Branch SRX:
default mode

Datacenter SRX:
possible since 10.0 (1.5k EPS rate limit)

1) Uses the normal, encrypted connection from the SRX to NSM

STREAM MODE
LOGGING TO NSM 2)

[Diagram] Control plane (process logs), data plane (process logs), NSM.

2) Data plane logs sent as syslog from SRX to NSM; requires NSM 2011.1 or higher

STREAM MODE
HOW MANY INTERFACES ARE INVOLVED?
[Diagram] Control plane (process logs), data plane (process logs), STRM (syslog server).

Simple solution - use two interfaces on SRX and STRM
Looking at the log picture it is obvious that the SRX might use
different interfaces to send the two types of logs
Since two interfaces of the same VR can not be in the same
network, the two interfaces have to be in two different networks or VRs
The easiest solution is when the log receiver and the SRX both use two
interfaces. STRM can be reconfigured to use two interfaces and IPs.

Still simple solution - use only one interface on both sides
If STRM (or another log receiver) has only one interface/IP, then the
SRX must be reconfigured to send all logs through one interface
This one interface can not be fxp0, because data plane logs can not be
delivered through fxp0, so it must be a forwarding interface
If this forwarding interface is in inet.0 you only need a host route to this
interface. If it is in another VR you need a host route pointing to next-table <vr>.inet.0

Worst case - need to add a logging interface in the same network as fxp0
When you migrate from event to stream logs and can not add additional
interfaces on other networks than the one existing on fxp0,
you have to add a second forwarding interface in the same network
This is only possible when this interface is in another VR than fxp0
See the next page (Logging with Overlapping Interface IP) for a complete
configuration example

DATACENTER SRX
LOGGING WITH OVERLAPPING INTERFACE IP
# Datacenter SRX uses fxp0 for RE logs and a forwarding interface for security logs
# If the syslog receiver is attached to the same management LAN as fxp0, you need a
# second interface/VR to that LAN to deliver security logs (firewall traffic and IDP)

# For this worst case, we have two interfaces in the same network
set interfaces fxp0 unit 0 family inet address 10.0.0.1/24
set interfaces reth7 unit 0 family inet address 10.0.0.2/24

# Control plane logs: use the source IP of the egress interface to avoid ARP problems !!
set system syslog host 10.0.0.100 any any
set system syslog host 10.0.0.100 source-address 10.0.0.2

# Data plane logs from the SPCs leave via a forwarding interface
# also use the source IP of the egress interface
set security log format sd-syslog
set security log source-address 10.0.0.2
set security log stream Log host 10.0.0.100

# To allow two interfaces on the same net, one interface must be moved to a custom VR
set routing-instances Logging instance-type virtual-router
set routing-instances Logging interface reth7.0
# Now we use a host route to send all traffic for the log receiver to this VR
set routing-options static route 10.0.0.100/32 next-table Logging.inet.0

# Potential other workaround (UNTESTED)
# Use this command to set the default management IP to the loopback interface IP
set system default-address-selection ....



SYSLOG ADDITIONAL INFORMATION
SYSLOG
A LIST OF POSSIBLE EVENTS

Syslog event list (control plane events)

# List all possible syslog events
srx> help syslog
Syslog tag Help
ACCT_ACCOUNTING_FERROR Error occurred during file processing
ACCT_ACCOUNTING_FOPEN_ERROR Open operation failed on file
ACCT_ACCOUNTING_SMALL_FILE_SIZE Maximum file size is smaller than record size
ACCT_BAD_RECORD_FORMAT Record format does not match accounting profile
ACCT_CU_RTSLIB_ERROR Error occurred obtaining current class usage statistics
ACCT_FORK_ERR Could not create child process
ACCT_FORK_LIMIT_EXCEEDED Could not create child process because of limit
ACCT_GETHOSTNAME_ERROR gethostname function failed
ACCT_MALLOC_FAILURE Memory allocation failed

# List severity and parameters included for each event
srx> help syslog FLOW_SESSION_CREATE
Name: FLOW_SESSION_CREATE
Message: session created <source-address>/<source-port>-><destination-address>/<destination-port>,<protocol-id>: <policy-name>
Help: Session create
Description: A security session was created.
Type: Event: This message reports an event, not an error
Severity: info

SYSLOG - EVENT MODE:
TRAFFIC LOG EXAMPLES
root@srx-210# run monitor start default-log-messages

<14>1 2009-08-28T00:00:03.685+02:00 srx-101 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.36 source-address="10.0.101.10" source-port="12288" destination-address="192.168.100.1" destination-port="1280" service-name="icmp" nat-source-address="10.0.101.10" nat-source-port="12288" nat-destination-address="192.168.100.1" nat-destination-port="1280" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="default-permit" session-id-32="841"] session created 10.0.101.10/12288->192.168.100.1/1280 icmp 10.0.101.10/12288->192.168.100.1/1280 None None 1 default-permit 841

<14>1 2009-08-28T00:00:06.581+02:00 srx-101 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.36 reason="response received" source-address="10.0.101.10" source-port="12288" destination-address="192.168.100.1" destination-port="1280" service-name="icmp" nat-source-address="10.0.101.10" nat-source-port="12288" nat-destination-address="192.168.100.1" nat-destination-port="1280" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="default-permit" session-id-32="841" packets-from-client="1" bytes-from-client="60" packets-from-server="1" bytes-from-server="60" elapsed-time="3"] session closed response received: 10.0.101.10/12288->192.168.100.1/1280 icmp 10.0.101.10/12288->192.168.100.1/1280 None None 1 default-permit 841 1(60) 1(60) 3

<14>1 2009-08-28T00:10:07.682+02:00 srx-101 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.36 source-address="10.0.101.10" source-port="12544" destination-address="192.168.100.1" destination-port="1280" service-name="icmp" protocol-id="1" icmp-type="8" policy-name="icmp-drop"] session denied 10.0.101.10/12544->192.168.100.1/1280 icmp 1(8) icmp-drop
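The three messages above are in the structured-data (sd-syslog) format, which is what makes them machine-readable: the RFC 5424 header carries the priority, timestamp, host and message ID, and the bracketed SD element carries every field as key="value". The following Python parser is an added example, not code from the page or from Juniper; it uses the page's own three log lines (with the extraction line breaks removed) as its input and reduces them to the counts a reviewer wants first: sessions created, closed and denied, bytes per closed session, and denies per source and policy.

```python
import re
from collections import Counter

# Three RT_FLOW messages in the structured-data (sd-syslog) format, copied from
# the example output on this page with the extraction line breaks removed.
SAMPLE_LOGS = [
    '<14>1 2009-08-28T00:00:03.685+02:00 srx-101 RT_FLOW - RT_FLOW_SESSION_CREATE '
    '[junos@2636.1.1.1.2.36 source-address="10.0.101.10" source-port="12288" '
    'destination-address="192.168.100.1" destination-port="1280" service-name="icmp" '
    'nat-source-address="10.0.101.10" nat-source-port="12288" '
    'nat-destination-address="192.168.100.1" nat-destination-port="1280" '
    'src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" '
    'policy-name="default-permit" session-id-32="841"] session created '
    '10.0.101.10/12288->192.168.100.1/1280 icmp 10.0.101.10/12288->192.168.100.1/1280 '
    'None None 1 default-permit 841',
    '<14>1 2009-08-28T00:00:06.581+02:00 srx-101 RT_FLOW - RT_FLOW_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.36 reason="response received" source-address="10.0.101.10" '
    'source-port="12288" destination-address="192.168.100.1" destination-port="1280" '
    'service-name="icmp" nat-source-address="10.0.101.10" nat-source-port="12288" '
    'nat-destination-address="192.168.100.1" nat-destination-port="1280" '
    'src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" '
    'policy-name="default-permit" session-id-32="841" packets-from-client="1" '
    'bytes-from-client="60" packets-from-server="1" bytes-from-server="60" '
    'elapsed-time="3"] session closed response received: '
    '10.0.101.10/12288->192.168.100.1/1280 icmp 10.0.101.10/12288->192.168.100.1/1280 '
    'None None 1 default-permit 841 1(60) 1(60) 3',
    '<14>1 2009-08-28T00:10:07.682+02:00 srx-101 RT_FLOW - RT_FLOW_SESSION_DENY '
    '[junos@2636.1.1.1.2.36 source-address="10.0.101.10" source-port="12544" '
    'destination-address="192.168.100.1" destination-port="1280" service-name="icmp" '
    'protocol-id="1" icmp-type="8" policy-name="icmp-drop"] session denied '
    '10.0.101.10/12544->192.168.100.1/1280 icmp 1(8) icmp-drop',
]

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOST APP PROCID MSGID [SD-ID params] MSG
HEADER_RE = re.compile(
    r"^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"\[(?P<sdid>[^\s\]]+)(?P<params>[^\]]*)\] ?(?P<msg>.*)$"
)
PARAM_RE = re.compile(r'([\w-]+)="([^"]*)"')


def parse_rt_flow(line):
    """Parse one sd-syslog line into header fields plus a dict of the SD params.
    Returns None for lines that are not in this format."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,   # <14> -> facility 1 (user), severity 6 (info)
        "severity": pri % 8,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "app": m.group("app"),
        "msgid": m.group("msgid"),
        "sdid": m.group("sdid"),
        "fields": dict(PARAM_RE.findall(m.group("params"))),
        "message": m.group("msg"),
    }


def summarize(records):
    """Counts of created/closed/denied sessions, bytes per closed session
    (client + server direction) and denies per (source address, policy)."""
    s = {
        "sessions_created": 0, "sessions_closed": 0, "sessions_denied": 0,
        "bytes_per_session": {}, "denies_by_source_policy": Counter(),
    }
    for r in records:
        f = r["fields"]
        if r["msgid"] == "RT_FLOW_SESSION_CREATE":
            s["sessions_created"] += 1
        elif r["msgid"] == "RT_FLOW_SESSION_CLOSE":
            s["sessions_closed"] += 1
            s["bytes_per_session"][f["session-id-32"]] = (
                int(f["bytes-from-client"]) + int(f["bytes-from-server"]))
        elif r["msgid"] == "RT_FLOW_SESSION_DENY":
            s["sessions_denied"] += 1
            s["denies_by_source_policy"][(f["source-address"], f["policy-name"])] += 1
    return s


def parse_all(lines=SAMPLE_LOGS):
    """Parse a list of lines, silently skipping anything that is not sd-syslog."""
    return [r for r in (parse_rt_flow(l) for l in lines) if r is not None]


if __name__ == "__main__":
    recs = parse_all()
    for r in recs:
        print(r["timestamp"], r["msgid"], r["fields"].get("policy-name"))
    print(summarize(recs))
```

The parser keys everything on the SD params rather than on the free-text tail of the message, which is the reason to prefer structured-data over the plain format when logs are consumed by a SIEM or a script: the tail changes between message types and versions, the key="value" pairs do not.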

SNMP AND RMON
SNMP AGENT
Set System Identification and Community
set snmp location lab-munich
set snmp contact "admin@nirvana.com"
set snmp community public authorization read-only

Enable SNMP access on an interface
set security zones security-zone trust host-inbound-traffic system-services snmp

Restrict SNMP access to certain sources
set snmp community public clients 172.26.0.0/16
set snmp community public clients 0.0.0.0/0 restrict

Restrict SNMP access to certain tables
# Create a view, defining the permitted objects
set snmp view chassis-info oid jnxBoxAnatomy include
set snmp view chassis-info oid snmpMIBObjects include
set snmp view chassis-info oid system include

# And assign the view to a community
set snmp community chassis-community view chassis-info

SNMP, CLI QUERIES AND TRICKS
# CLI commands exist to make MIB queries or MIB walks
show snmp mib get sysObjectID.0
show snmp mib get "sysName.0 sysContact.0 sysLocation.0"
show snmp mib walk jnxBoxAnatomy
show snmp mib walk jnxContentsSerialNo

# Display the OIDs used for a certain table
show snmp mib walk 1.3.6.1.4.1.2636.3.39.1.12.1 | display xml

# Display the OIDs for all MIB tables
show snmp mib walk 1 | display xml

# The following commands create and show a list of registered SNMP instances
show snmp registered-objects
file show /var/log/snmp_reg_objs

# The list of interface indices is reboot persistent as it is saved in a file
file show /var/db/dcd.snmp_ix

# Spoof SNMP traps for simple testing
request snmp spoof-trap linkUp variable-bindings "ifIndex[14] = 14, ifAdminStatus[14] = 1, ifOperStatus[14] = 2"

# An SNMP table (table name jnxUtilData) can be used to store user defined content.
# Event scripts can be used to update this table
request snmp utility-mib set .....
show snmp mib walk jnxUtilData

SNMP, PRIVATE MIBS AND USEFUL TABLES
# A list of all MIBs (including a table of which MIBs exist on which device) and of the
# SNMP traps is in the JUNOS documentation

# Chassis hardware
show snmp mib walk [jnxBoxClass|jnxBoxDescr|jnxBoxSerialNo|jnxBoxRevision|jnxBoxInstalled]
show snmp mib walk [jnxBoxAnatomy|jnxContainersTable|jnxContentsTable|jnxFilledTable]

# Field Replaceable Units (FRU) in the chassis (includes empty slots)
show snmp mib walk jnxFruTable

# For a list of installed modules use
show snmp mib walk jnxContentsDescr

# Interfaces and interface information
show snmp mib walk ifDescr
show snmp mib walk [ifTable | ifChassisTable | ifStackTable ]
show snmp mib walk [ipAddrTable | ipAdEntIfIndex ]

# LEDs and status (primary only)
show snmp mib walk jnxLedTable

# State, memory usage and CPU load on all modules (always reports both REs as active)
show snmp mib walk jnxOperatingTable

USEFUL OIDS
# SNMP walk from the CLI through the complete private MIB, displayed with name and OID
show snmp mib walk .1.3.6.1.4.1.2636 | display xml

# Software version
show snmp mib walk .1.3.6.1.2.1.25.6.3

# Per FPC statistics on CPU load, memory, temperature
show snmp mib walk jnxOperatingTable
# some columns here are:
show snmp mib walk jnxOperatingDescr
show snmp mib walk jnxOperatingCPU
show snmp mib walk jnxOperatingTemp
show snmp mib walk jnxOperatingBuffer

# On SRX: SPU monitoring MIB OIDs (sessions, CPU load)
show snmp mib walk jnxJsSPUMonitoringMIB
show snmp mib walk 1.3.6.1.4.1.2636.3.39.1.12.1 | display xml

# Disk usage (Host Resources MIB, hrStorageTable)
show snmp mib walk 1.3.6.1.2.1.25.2.3.1
show snmp mib walk [hrStorageSize | hrStorageUsed]

RMON
Monitor SNMP OIDs and generate traps if something is wrong
# Specify a trap group and a target for the traps
set snmp trap-group overtemperature
set snmp trap-group overtemperature categories rmon-alarm
set snmp trap-group overtemperature targets 10.0.0.1

edit snmp rmon

# Specify what is monitored
set alarm 1 description "Overtemperature on SRX 5600 Midplane"
set alarm 1 variable jnxOperatingTemp.1.1.0.0
set alarm 1 interval 300
set alarm 1 sample-type absolute-value
set alarm 1 rising-threshold 50
set alarm 1 startup-alarm rising-alarm
set alarm 1 rising-event-index 1

# and the resulting event
# "community" names the trap group the trap is sent to, so it must match the group defined above
set event 1 description Heat-Events
set event 1 type log-and-trap
set event 1 community overtemperature
top

NETFLOW
NETFLOW CONFIGURATION
Specify the sample rate and where to send the Netflow data
set forwarding-options sampling input rate 10
set forwarding-options sampling family inet output flow-server 172.30.80.76 port 2056
set forwarding-options sampling family inet output flow-server 172.30.80.76 version 5

Enable Netflow on the desired interface(s) and directions
set interfaces ge-0/0/0 unit 0 family inet sampling input
set interfaces ge-0/0/0 unit 0 family inet sampling output

Note: Activating Netflow will have a significant impact on performance.
The smaller the sample rate value (input rate, i.e. one out of every N packets is sampled), the higher the performance hit
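What the flow-server configured above receives is a stream of NetFlow version 5 datagrams: a 24-byte header followed by up to 30 fixed 48-byte flow records, with the sampling interval carried in the header so the collector can scale the sampled counters back up. The following Python decoder is an added example, not code from the page or from Juniper, and it does not talk to a real SRX: it builds a constructed v5 datagram with two flow records and a 1-in-10 sampling interval, decodes it with the layout from the v5 export format, rejects malformed datagrams, and ranks sources by estimated bytes. The addresses, interface indices and counters in the sample are constructed values.

```python
import struct
import ipaddress

# NetFlow v5 export format: 24-byte header followed by up to 30 48-byte records,
# all fields big-endian.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def _ip(raw):
    return str(ipaddress.IPv4Address(raw))


def parse_netflow_v5(data):
    """Decode one v5 datagram. Raises ValueError on anything that is not a
    well-formed v5 export, so a collector can drop garbage before trusting it."""
    if len(data) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError("not NetFlow v5 (version %d)" % version)
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(data) != expected:
        raise ValueError("length mismatch: got %d bytes, header announces %d" % (len(data), expected))
    # Upper two bits of the field carry the sampling mode, the low 14 bits the
    # interval (1-in-N). An SRX with 'sampling input rate 10' reports N = 10.
    interval = sampling & 0x3FFF
    header = {
        "version": version, "count": count, "sys_uptime_ms": sys_uptime,
        "unix_secs": unix_secs, "unix_nsecs": unix_nsecs, "flow_sequence": flow_seq,
        "engine_type": engine_type, "engine_id": engine_id,
        "sampling_mode": sampling >> 14, "sampling_interval": interval,
    }
    scale = interval if interval else 1
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": _ip(f[0]), "dst": _ip(f[1]), "nexthop": _ip(f[2]),
            "in_if": f[3], "out_if": f[4], "packets": f[5], "bytes": f[6],
            "first_ms": f[7], "last_ms": f[8], "sport": f[9], "dport": f[10],
            "tcp_flags": f[12], "proto": f[13], "tos": f[14],
            "src_as": f[15], "dst_as": f[16], "src_mask": f[17], "dst_mask": f[18],
            # Sampled counters are estimates; scale them back up by the interval.
            "est_packets": f[5] * scale, "est_bytes": f[6] * scale,
        })
    return {"header": header, "records": records}


def top_sources(records, n=3):
    """Sources ordered by estimated bytes, the usual first question at a collector."""
    totals = {}
    for r in records:
        totals[r["src"]] = totals.get(r["src"], 0) + r["est_bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def build_sample_datagram(rate=10):
    """Constructed v5 datagram with two flow records (sample data, not a capture)."""
    flows = [
        # src, dst, nexthop, in, out, pkts, bytes, first, last, sport, dport, tcp flags, proto
        ("10.0.101.10", "192.168.100.1", "0.0.0.0", 1, 2, 3, 180, 1000, 1500, 12288, 1280, 0x00, 1),
        ("10.0.101.11", "192.168.100.1", "0.0.0.0", 1, 2, 7, 4200, 1100, 2600, 40000, 22, 0x18, 6),
    ]
    body = b""
    for src, dst, nh, inif, outif, pkts, octets, first, last, sport, dport, flags, proto in flows:
        body += V5_RECORD.pack(
            ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
            ipaddress.IPv4Address(nh).packed, inif, outif, pkts, octets, first, last,
            sport, dport, 0, flags, proto, 0, 0, 0, 24, 24, 0)
    # sampling mode 1 in the top two bits, interval in the low 14 bits
    header = V5_HEADER.pack(5, len(flows), 3600000, 1251410403, 0, 1, 0, 0, (1 << 14) | rate)
    return header + body


if __name__ == "__main__":
    parsed = parse_netflow_v5(build_sample_datagram())
    print(parsed["header"])
    for rec in parsed["records"]:
        print(rec["src"], "->", rec["dst"], "proto", rec["proto"], "est_bytes", rec["est_bytes"])
    print("top:", top_sources(parsed["records"]))
```

The length check matters on a collector exposed to the network: the header's count field is attacker-controlled data on an unauthenticated UDP port, so a decoder must reconcile it with the actual datagram length before indexing records.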

SRX MANAGEMENT WITH NSM
PREPARING JUNOS DEVICES FOR NSM

# SSHv2 is mandatory for NSM. SSHv2 is not included in the export restricted
# software version. You will always need the domestic version.
lab@srx5600> show version | match JUNOS
JUNOS Software Release [9.5R2.7]

# For NSM access both ssh and netconf over ssh must be enabled
set system services ssh [protocol-version v2]
set system services netconf ssh

# Recommendation: use a dedicated NSM user,
# this allows to identify who made certain changes/operations
root# set system login user nsm class super-user authentication plain-text-password
New password:
Retype new password:

ENABLE AUTO DISCOVERY WITH NSM
# The auto discovery feature allows to scan an IP address range for Juniper devices
# and automatically add and import them into NSM.
# This feature requires ping, SSH and SNMP access to the device.

# Enable SSH and netconf via ssh
set system services ssh protocol-version v2
set system services netconf ssh

# Enable SNMP
set snmp location lab-munich
set snmp contact "labuser@juniper.net"
set snmp community public authorization read-write

# Make sure all services required for NSM auto discovery are opened for access
edit security zones security-zone trust interfaces ge-0/0/0.0
set host-inbound-traffic system-services ping
set host-inbound-traffic system-services ssh
set host-inbound-traffic system-services snmp
top

EXAMPLE:
SENDING LOGS TO NSM (EVENT MODE)
# Control plane logs from the Routing Engine are sent to NSM by default

# Data plane logs from Branch SRX are sent to NSM when a log file "default-log-messages"
# is written. NSM adds this configuration automatically to the SRX with the "device is
# reachable" workflow
set system syslog file default-log-messages any any
set system syslog file default-log-messages structured-data

# On Datacenter SRX traffic logs are not sent to the Routing Engine by default,
# as the preferred logging method is to stream the logs directly
# from a forwarding interface. If the log volume is low, the logs can also be sent
# to the Routing Engine. The following statements enable this since JUNOS 10.0
set security log mode event
set security log mode event event-rate 1000

EXAMPLE:
SENDING LOGS TO NSM (STREAM MODE)
# Again, Control plane Logs from the Routing Engine are sent to NSM per Default

# Since NSM Version 2011.1 it is possible to send Security Logs via Syslog in stream-mode
# Check page 767 of the NSM Admin Guide for the necessary DevSrv Configuration Changes
# Add "devSvr.enableSyslogOverUdp true " to /var/netscreen/DevSvr/var/devSvr.cfg file

# On the SRX side use the following configuration statements to send traffic logs
# via syslog to NSM
set security log mode stream
set security log format sd-syslog

# Primary NSM
set security log stream NSM1 format sd-syslog
set security log stream NSM1 host <primary DevSvr IP>
set security log stream NSM1 host port 5140

# If NSM is a HA Cluster use a second feed to send logs to the secondary NSM
set security log stream NSM2 format sd-syslog
set security log stream NSM2 host <Secondary DevSvr IP>
set security log stream NSM2 host port 5140

ADDITIONAL REMARKS
When using Out-band Management:
Start the import to NSM with the passive member (RG0) first. Some NSM versions had trouble when
the import was started with the active member

When using In-band Management:
Don't mix in-band and out-band management.
If you choose in-band management then leave the fxp0 interfaces on both members unconfigured.
This prevents the passive member from ever connecting to NSM

When changing between Out-band and In-band Management:
"delete system services outbound-ssh" - from the normal stanza and from the groups stanza,
otherwise you might end up with multiple, conflicting entries.
In some cases you might have to reboot to make all configuration changes effective

To establish the NSM connection through a VPN tunnel
you should use in-band management and introduce a loopback IP or a numbered
VPN tunnel interface. Otherwise the SRX could use an interface IP for which there is no proper
routing back from NSM through the VPN tunnel.

MANAGING SRX CLUSTERS WITH NSM
WHERE IS THE CHALLENGE?
You have two options to manage a cluster in NSM

Out-band Management
For out-band management you connect to the fxp0 interfaces of the cluster members
You add a cluster object to NSM and add both members (start with the node where RG0 is
passive)

In-band Management (Branch SRX only)
You connect to the master device via one of the reth interfaces
You configure the device for cluster management and add only one device to NSM

In-band Management
Virtual Chassis Representation of SRX Clusters
# The virtual-chassis configuration makes a cluster manageable in NSM as a single device
# This is supported only on Branch SRX since JUNOS 10.1R2 or 10.2R2 or higher.
# You need the following configuration statement in JUNOS

set chassis cluster network-management cluster-master

# In NSM you add just a single virtual chassis device (the current primary).
# Only the master will attempt to establish a session to NSM.
# It can use any interface to establish this connection.

ADDITIONAL REMARKS
When using Out-band Management:
Start the import to NSM with the passive member (RG0) first.

When using In-band Management:
Leave the fxp0 interfaces on both members unconfigured
NSM can not be used to perform software updates or push attack database updates

When changing between Out-band and In-band Management:
"delete system services outbound-ssh" - from the normal stanza and from the groups stanza,
otherwise you might end up with multiple, conflicting entries.
In some cases you might have to reboot to make all configuration changes effective

To establish the NSM connection through a VPN tunnel
you should use in-band management and introduce a loopback IP or a numbered
VPN tunnel interface. Otherwise the SRX could use an interface IP for which there is no proper
routing back from NSM through the VPN tunnel.

MANAGEMENT WITH
JUNOS SPACE / SECURITY DESIGN
PREPARING JUNOS DEVICES FOR SPACE

# For Space access both ssh and netconf over ssh must be enabled
set system services ssh [protocol-version v2]
set system services netconf ssh

# Recommendation: use a dedicated Space user,
# this allows to identify who made certain changes/operations
root# set system login user space class super-user authentication plain-text-password
New password:
Retype new password:

# When SNMP is enabled before device discovery, Space (OpenNMS) will collect and
# visualize SNMP data from the device. It will also reconfigure the device to send
# traps to Space.
set snmp location lab-munich
set snmp contact "labuser@juniper.net"
set snmp community public authorization read-write

# Make sure all services required for Space discovery are opened for access
edit security zones security-zone trust interfaces ge-0/0/0.0
set host-inbound-traffic system-services ping
set host-inbound-traffic system-services ssh
set host-inbound-traffic system-services snmp
top

ADDITIONAL REMARKS (1)
For the initial device discovery Space uses ping and an ssh/netconf connection to the device
The future direction of the management connection depends on the Space application settings (at the time the
device was discovered). By default Junos Space attempts to establish the connection
If the default is changed, Space reconfigures the device during discovery to initiate the connection

ADDITIONAL REMARKS (2)
Space can detect and manage an SRX cluster in both ways:
- with only one in-band management connection to fxp0 (just add one device)
- with two out-band management connections to fxp0
(add both devices in Platform; Security Design creates a cluster view of the security device)

MONITORING SRX LOGS WITH STRM
STREAM MODE LOGS FROM SRX TO STRM
# In this example we send both control and data plane logs through one
# interface (reth7) which is a member of the default VR inet.0
# Destination for both logs is 10.0.0.100
# Source IP for both logs is 10.0.0.2

# Interface IP for the interface connected to STRM
set interfaces reth7 unit 0 family inet address 10.0.0.2/24

# Control plane logs: use the source IP of the egress interface to avoid ARP problems !!
set system syslog host 10.0.0.100 any any
set system syslog host 10.0.0.100 source-address 10.0.0.2

# Data plane logs from the SPCs leave via a forwarding interface
# also use the source IP of the egress interface
set security log format sd-syslog
set security log source-address 10.0.0.2
set security log stream Log host 10.0.0.100

# Caveat: STRM can no longer reach fxp0 of the SRX, because all routing to the
# STRM host IP goes through reth7, and traffic from reth7 to fxp0 is not possible.

MONITORING SRX LOGS WITH J-WEB
ACTIVATE LOGS IN J-WEB

EXAMINE LOGS FROM EVENT VIEWER

EXAMINE LOGS FROM POLICY VIEW

FIREWALL ACTIVITY ON J-WEB REPORTING PAGE

TROUBLESHOOTING
NOTES FOR TROUBLESHOOTING
The Web UI has a number of useful pages for monitoring and
troubleshooting
The JUNOS CLI has powerful monitoring commands and offers a lot
of counters and status information
SNMP and RPM also have good co verage to allow continuous
and ongoing monitoring
Default log files exist to track various error conditions
Additional logs and debugs can be enabled from the CLI,
writing to separate log files or to external servers
Op scripts can be used to create custom monitor commands
Event scripts can be used to trigger actions when events occur

255 Copyright 2011 Juniper Networks, Inc. www.juniper.net


WEB-UI FOR MONITORING



IMPORTANT CLI MONITORING COMMANDS
show version                               Software version
show chassis hardware detail               Hardware and serial numbers
show chassis environment                   Temperatures, fans and power supplies
show chassis routing-engine                Temperatures, memory, CPU load (Routing Engine)
show security monitoring fpc x             CPU load (flow processors / SPCs)
show system storage                        Flash and disk usage
show system license                        Installed licenses
show interfaces terse                      Quick overview of all interfaces
show interfaces description                Quick overview of all interfaces with description
show interfaces extensive                  Detailed interface and zone counters
show route <x.x.x.x>                       Routing table lookup (how to get to x.x.x.x)
show security policies                     List policies
show security policies detail | find xx    Details for a certain policy
show security flow session                 Current sessions
show security match-policies ...           Policy lookup (added in JUNOS 10.3)
show security zones                        Security zones and interface binding
show system alarms                         System alarms
show chassis alarms                        Chassis alarms


LIVE COUNTERS FOR ALL INTERFACES
Use "monitor interface traffic" to watch live counters on all available interfaces.
The default update interval is 2 seconds.

LIVE COUNTERS FOR A CERTAIN INTERFACE
Use "monitor interface <ifname>" to watch live counters on a certain interface.
The default update interval is 2 seconds.


LIVE TRAFFIC FOR A CERTAIN INTERFACE
(TCPDUMP OF RE TRAFFIC)
Before you start:
- This is not promiscuous mode
- You will see broadcast/unicast/multicast traffic to the Routing Engine
- ICMP traffic to the Routing Engine is excluded (SRX, EX and J-Series)
- See the documentation for all options
- This option is available from the Web UI, CLI and shell

Monitor traffic on an interface:

user> monitor traffic interface e1-0/0/0.0 no-resolve
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Listening on e1-0/0/0.0, capture size 96 bytes
03:03:58.025661 Out IP 10.12.0.1 > 224.0.0.13: 10.12.0.1 > 224.0.0.13:PIMv2, Hello (0), length: 34
03:03:58.237360 In IS-IS, p2p IIH, src-id 1921.6800.1223, length 58
03:03:59.089303 Out IP 10.12.0.1.646 > 224.0.0.2.646: LDP, Label-Space-ID: 192.168.1.222:0, pdu-length: 38
03:03:59.555743 Out IP 10.12.0.1 > 224.0.0.1: igmp query v2

The same function is available from the shell:

user> start shell
% su
root@PBR% tcpdump -ni e1-0/0/0.0
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Listening on e1-0/0/0.0, capture size 96 bytes
03:06:47.943726 In IP 10.12.0.2 > 224.0.0.13: 10.12.0.2 > 224.0.0.13:PIMv2, Hello (0), length: 34
03:06:49.603895 In IP 10.12.0.2.646 > 224.0.0.2.646: LDP, Label-Space-ID: 192.168.1.223:0, pdu-length: 38
03:06:50.200510 Out IS-IS, p2p IIH, src-id 1921.6800.1222, length 58


LOG FILES AND SYSLOG

All log files live in /var/log

show log  (or: file list /var/log)        List all log files available (under /var/log)
show log messages                         Show the log file "messages" from the start
show log messages | last 100              List the last 100 log messages
show log messages | match LOGIN           Search within the log
show log messages | trim 39               Remove the first 39 columns from each line

monitor start <file>                      Send log output to the terminal (like tail -f)

See also chapter Logging and Syslog


TYPICAL WAY TO ENABLE DEBUGGING

In many sections of the configuration it is possible to activate
traceoptions (example: set system services dhcp traceoptions ...)

- set traceoptions file <filename>
  - files (default 10)
  - size (default 128k)
  - read permissions (e.g. world-readable)
- set traceoptions flag <flag>
  - what do you want to look at?
- monitor start <filename>
  - like Unix tail -f
  - multiple people can view log files at the same time


DEBUGGING A FIREWALL FLOW
SEE HTTP://KB.JUNIPER.NET/KB16110
# Specify a file where to save the traces
edit security flow traceoptions
set file flowtrace
set file size 1m files 3
set flag basic-datapath
# Use filters to reduce the volume of data
set packet-filter FILTER1 source-prefix 10.48.255.0/24
# A second condition for the same filter name is an AND condition
set packet-filter FILTER1 destination-prefix 192.168.210.0/24
# An additional condition with a different filter name is an OR condition
set packet-filter FILTER2 source-prefix 192.168.210.0/24
set packet-filter FILTER2 destination-prefix 192.168.220.0/24
top

# Logging to the file starts after commit
commit and-quit

# To start live monitoring, just monitor the file
monitor start flowtrace

# To quickly pause and resume the output !! This does not stop logging to the file !!
Press "ESC-Q"

# To stop real-time monitoring !! This does not stop logging to the file !!
monitor stop

# To turn off logging to the file you must deactivate or delete the configuration
deactivate security flow traceoptions
commit

DEBUGGING A FIREWALL FLOW
EXAMPLE OUTPUT (1/2)
lab@Demo-081-113>
*** flow-trace ***
Aug 2 22:04:36 22:04:35.935844:CID-1:RT:<10.10.20.2/2048->10.10.10.2/49265;1> matched filter f0:
Aug 2 22:04:36 22:04:35.935862:CID-1:RT:packet [84] ipid = 0, @4bb0526e
Aug 2 22:04:36 22:04:35.935872:CID-1:RT:---- flow_process_pkt: (thd 0): flow_ctxt type 0, common flag 0x0, mbuf 0x4bb05060
Aug 2 22:04:36 22:04:35.935881:CID-1:RT: flow process pak fast ifl 67 in_ifp reth1.0
Aug 2 22:04:36 22:04:35.935896:CID-1:RT: reth1.0:10.10.20.2->10.10.10.2, icmp, (8/0)
Aug 2 22:04:36 22:04:35.935907:CID-1:RT: find flow: table 0x4e789b20, hash 9938(0xffff), sa 10.10.20.2, da 10.10.10.2, sp 1, dp 34861, proto 1, tok 448
Aug 2 22:04:36 22:04:35.935926:CID-1:RT: no session found, start first path. in_tunnel - 0, from_cp_flag -
Aug 2 22:04:36 22:04:35.935941:CID-1:RT: flow_first_create_session
Aug 2 22:04:36 22:04:35.935953:CID-1:RT: flow_first_in_dst_nat: in <reth1.0>, out <N/A> dst_adr 10.10.10.2, sp 1, dp 34861
Aug 2 22:04:36 22:04:35.935965:CID-1:RT: chose interface reth1.0 as incoming nat if.
Aug 2 22:04:36 22:04:35.935976:CID-1:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 10.10.10.2(34861)
Aug 2 22:04:36 22:04:35.935988:CID-1:RT:flow_first_routing: call flow_route_lookup(): src_ip 10.10.20.2, x_dst_ip 10.10.10.2, in ifp reth1.0, out ifp N/A sp 1, dp 34861, ip_proto 1, tos 0
Aug 2 22:04:36 22:04:35.936001:CID-1:RT:Doing DESTINATION addr route-lookup
Aug 2 22:04:36 22:04:35.936017:CID-1:RT: routed (x_dst_ip 10.10.10.2) from untrust (reth1.0 in 1) to reth0.0, Next-hop: 10.10.10.2
Aug 2 22:04:36 22:04:35.936030:CID-1:RT: policy search from zone untrust-> zone trust
Aug 2 22:04:36 22:04:35.936057:CID-1:RT: app 0, timeout 60s, curr ageout 60s
Aug 2 22:04:36 22:04:35.936095:CID-1:RT:flow_first_src_xlate: src nat 0.0.0.0(1) to 10.10.10.2(34861) returns status 0, rule/pool id 0/0.
Aug 2 22:04:36 22:04:35.936110:CID-1:RT: dip id = 0/0, 10.10.20.2/1->10.10.20.2/1
Aug 2 22:04:36 22:04:35.936120:CID-1:RT: choose interface reth0.0 as outgoing phy if
Aug 2 22:04:36 22:04:35.936127:CID-1:RT:is_loop_pak: No loop: on ifp: reth0.0, addr: 10.10.10.2, rtt_idx:0
Aug 2 22:04:36 22:04:35.936136:CID-1:RT: check nsrp pak fwd: in_tun=0x0, VSD 1 for out ifp reth0.0
Aug 2 22:04:36 22:04:35.936142:CID-1:RT: vsd 1 is active
Aug 2 22:04:36 22:04:35.936151:CID-1:RT:policy is NULL (wx/pim scenario)
Aug 2 22:04:36 22:04:35.936160:CID-1:RT:sm_flow_interest_check: app_id 0, policy 6, app_svc_en 1, flags 0x2. interested
Aug 2 22:04:36 22:04:35.936171:CID-1:RT:sm_flow_interest_check: app_id 1, policy 6, app_svc_en 0, flags 0x2. not interested
..................
DEBUGGING A FIREWALL FLOW
EXAMPLE OUTPUT (2/2)
.............
Aug 2 22:04:36 22:04:35.936178:CID-1:RT:flow_first_service_lookup(): natp(0x5047eb48): app_id, 0(0).
Aug 2 22:04:36 22:04:35.936187:CID-1:RT: service lookup identified service 0.
Aug 2 22:04:36 22:04:35.936194:CID-1:RT: flow_first_final_check: in <reth1.0>, out <reth0.0>
Aug 2 22:04:36 22:04:35.936203:CID-1:RT: existing vector list e20-624fdc28.
Aug 2 22:04:36 22:04:35.936212:CID-1:RT: existing vector list 0-6248ba28.
Aug 2 22:04:36 22:04:35.936220:CID-1:RT: Session (id:26784) created for first pak e20
Aug 2 22:04:36 22:04:35.936229:CID-1:RT: flow_first_install_session======> 0x5047eb48
Aug 2 22:04:36 22:04:35.936236:CID-1:RT: nsp 0x5047eb48, nsp2 0x5047ebb8
Aug 2 22:04:36 22:04:35.936248:CID-1:RT: make_nsp_ready_no_resolve()
Aug 2 22:04:36 22:04:35.936263:CID-1:RT: route lookup: dest-ip 10.10.20.2 orig ifp reth1.0 output_ifp reth1.0 orig-zone 7 out-zone 7 vsd 1
Aug 2 22:04:36 22:04:35.936274:CID-1:RT: route to 10.10.20.2
Aug 2 22:04:36 22:04:35.936288:CID-1:RT:Installing c2s NP session wing
Aug 2 22:04:36 22:04:35.936293:CID-1:RT:Installing s2c NP session wing
Aug 2 22:04:36 22:04:35.936301:CID-1:RT:sm_flow_notify_session_creation: app_id 0, flags 0x0, ifl_in 67, zone_in 7, ifl_out 66, zone_out 6
Aug 2 22:04:36 22:04:35.936394:CID-1:RT: flow got session.
Aug 2 22:04:36 22:04:35.936399:CID-1:RT: flow session id 26784
Aug 2 22:04:36 22:04:35.936411:CID-1:RT: vsd 1 is active
Aug 2 22:04:36 22:04:35.936608:CID-1:RT:mbuf 0x4bb05060, exit nh 0x243c1
Aug 2 22:04:36 22:04:35.936621:CID-1:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
Aug 2 22:04:36 22:04:35.996278:CID-1:RT:<10.10.10.2/0->10.10.20.2/51313;1> matched filter f0:
Aug 2 22:04:36 22:04:35.996296:CID-1:RT:packet [84] ipid = 12824, @4ba9f04e
Aug 2 22:04:36 22:04:35.996307:CID-1:RT:---- flow_process_pkt: (thd 0): flow_ctxt type 0, common flag 0x0, mbuf 0x4ba9ee40
Aug 2 22:04:36 22:04:35.996318:CID-1:RT: flow process pak fast ifl 66 in_ifp reth0.0
Aug 2 22:04:36 22:04:35.996330:CID-1:RT: reth0.0:10.10.10.2->10.10.20.2, icmp, (0/0)
Aug 2 22:04:36 22:04:35.996341:CID-1:RT: find flow: table 0x4e789b20, hash 33408(0xffff), sa 10.10.10.2, da 10.10.20.2, sp 34861, dp 1, proto 1, tok 384
Aug 2 22:04:36 22:04:35.996362:CID-1:RT: flow got session.
Aug 2 22:04:36 22:04:35.996366:CID-1:RT: flow session id 26784
Aug 2 22:04:36 22:04:35.996380:CID-1:RT: vsd 1 is active
Aug 2 22:04:36 22:04:35.996520:CID-1:RT:mbuf 0x4ba9ee40, exit nh 0x20bc1
Aug 2 22:04:36 22:04:35.996533:CID-1:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
DEBUGGING PACKET DROPS
# To see drop counters per interface for the various drop reasons
show interfaces ge-4/0/1.0 extensive | find Error

# To create a log file that records packet drops for a certain source network
edit security flow traceoptions
set file DROPS
set flag packet-drops
set packet-filter FFILTER1 source-prefix 20.0.81.0/24
top

# To see packet drops live, use
monitor start DROPS

# Search the log file for packet drops of a certain source IP
# The trim command improves readability by removing the leading timestamp columns
root@srx5600> file show /var/log/DROPS | find 20.0.81.143 | trim 71

ge-4/2/1.0:20.0.81.143->10.1.80.1, icmp, (8/0)
packet dropped, no route to dest
packet dropped, ROUTE_REJECT_GEN_ICMP.

ge-4/2/1.0:20.0.81.143->20.0.80.2, icmp, (8/0)
packet dropped, denied by policy
packet dropped, policy deny.
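A parser for the trace output of the two debugging pages above (the basic-datapath flow trace and the packet-drops trace), as an added example that is neither part of this deck nor of Junos; it assumes the line shapes shown here, with or without the timestamp prefix that "| trim 71" removes, and the sample input is constructed from the deck's own output.

```python
"""Summarise SRX 'security flow traceoptions' output (flags basic-datapath and packet-drops).

Added example, not part of the original deck or of Junos. It reduces each traced
packet to what a troubleshooter looks for first: ingress interface, zone pair,
NAT decision, session created or reused, and drop reason. The sample trace at
the bottom is constructed from the deck's own example output."""
import re
from collections import Counter

# Timestamp/thread prefix of every trace line; optional so that lines that were
# cut with '| trim 71' (as on the packet-drops page) are parsed too.
PREFIX = re.compile(r"^(?:\w{3}\s+\d+ [\d:]+ [\d:.]+:CID-\d+:RT:)?\s*(?P<msg>.*)$")
PKT_HDR = re.compile(r"<(?P<src>[\d.]+)/\d+->(?P<dst>[\d.]+)/\d+;(?P<proto>\d+)> matched filter (?P<filter>\w+)")
FLOW_HDR = re.compile(r"^(?P<ifp>\S+?):(?P<src>[\d.]+)->(?P<dst>[\d.]+), (?P<proto>\w+)")
ZONES = re.compile(r"policy search from zone (?P<src>\S+?)->\s*zone (?P<dst>\S+)")
NEW_SESS = re.compile(r"Session \(id:(?P<sid>\d+)\) created")
OLD_SESS = re.compile(r"flow session id (?P<sid>\d+)")
SRC_NAT = re.compile(r"flow_first_src_xlate: .*rule/pool id (?P<ids>\d+/\d+)")
DROP = re.compile(r"packet dropped, (?P<reason>.+?)\.?$")


def _new_record(src, dst, proto, filt):
    return {"src": src, "dst": dst, "proto": proto, "filter": filt, "drops": [], "hdr_seen": False}


def parse_flow_trace(text):
    """Return one dict per traced packet, in trace order."""
    records, rec = [], None
    for raw in text.splitlines():
        msg = PREFIX.match(raw)["msg"].strip()
        if not msg:
            continue
        if m := PKT_HDR.search(msg):            # 'matched filter' opens a new packet
            rec = _new_record(m["src"], m["dst"], m["proto"], m["filter"])
            records.append(rec)
            continue
        if m := FLOW_HDR.match(msg):            # 'ifl:src->dst, proto' line
            if rec is None or rec["hdr_seen"]:  # trimmed trace without 'matched filter' lines
                rec = _new_record(m["src"], m["dst"], m["proto"], None)
                records.append(rec)
            rec["in_ifp"], rec["hdr_seen"] = m["ifp"], True
            continue
        if rec is None:
            continue
        if m := ZONES.search(msg):
            rec["from_zone"], rec["to_zone"] = m["src"], m["dst"]
        elif m := NEW_SESS.search(msg):
            rec["session"], rec["new_session"] = int(m["sid"]), True
        elif (m := OLD_SESS.search(msg)) and "session" not in rec:
            rec["session"], rec["new_session"] = int(m["sid"]), False
        elif "flow_first_rule_dst_xlate" in msg:
            rec["dst_nat"] = "no-xlate" not in msg
        elif m := SRC_NAT.search(msg):
            rec["src_nat"] = m["ids"] != "0/0"   # '0/0': no source NAT rule/pool matched
        elif m := DROP.search(msg):
            rec["drops"].append(m["reason"])
    return records


def summarize_trace(records):
    """Counts a troubleshooter wants at a glance; 'drops' keys on the human-readable reason."""
    return {
        "packets": len(records),
        "sessions_created": sum(1 for r in records if r.get("new_session") is True),
        "sessions_reused": sum(1 for r in records if r.get("new_session") is False),
        "zone_pairs": Counter((r["from_zone"], r["to_zone"]) for r in records if "from_zone" in r),
        "drops": Counter(r["drops"][0] for r in records if r["drops"]),
    }


# Constructed sample: one ICMP echo creating session 26784, its reply reusing it,
# then two trimmed packet-drops entries.
SAMPLE = """\
Aug 2 22:04:36 22:04:35.935844:CID-1:RT:<10.10.20.2/2048->10.10.10.2/49265;1> matched filter f0:
Aug 2 22:04:36 22:04:35.935896:CID-1:RT: reth1.0:10.10.20.2->10.10.10.2, icmp, (8/0)
Aug 2 22:04:36 22:04:35.935976:CID-1:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 10.10.10.2(34861)
Aug 2 22:04:36 22:04:35.936030:CID-1:RT: policy search from zone untrust-> zone trust
Aug 2 22:04:36 22:04:35.936095:CID-1:RT:flow_first_src_xlate: src nat 0.0.0.0(1) to 10.10.10.2(34861) returns status 0, rule/pool id 0/0.
Aug 2 22:04:36 22:04:35.936220:CID-1:RT: Session (id:26784) created for first pak e20
Aug 2 22:04:36 22:04:35.936399:CID-1:RT: flow session id 26784
Aug 2 22:04:36 22:04:35.996278:CID-1:RT:<10.10.10.2/0->10.10.20.2/51313;1> matched filter f0:
Aug 2 22:04:36 22:04:35.996330:CID-1:RT: reth0.0:10.10.10.2->10.10.20.2, icmp, (0/0)
Aug 2 22:04:36 22:04:35.996366:CID-1:RT: flow session id 26784
ge-4/2/1.0:20.0.81.143->10.1.80.1, icmp, (8/0)
packet dropped, no route to dest
packet dropped, ROUTE_REJECT_GEN_ICMP.
ge-4/2/1.0:20.0.81.143->20.0.80.2, icmp, (8/0)
packet dropped, denied by policy
packet dropped, policy deny.
"""

if __name__ == "__main__":
    records = parse_flow_trace(SAMPLE)
    for r in records:
        print(r)
    print(summarize_trace(records))
```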



BRANCH SRX:
TAKING FULL PACKET CAPTURES (1/2)
# Specify where to write the packet capture
# The file specified below is later created under /var/tmp/
# The file name is suffixed with ".interfacename", e.g. MY-PCAP.vlan
set forwarding-options packet-capture file filename MY-PCAP
set forwarding-options packet-capture file size 1m
set forwarding-options packet-capture maximum-capture-size 500

# Specify the interface where you want to take the pcap from
set interfaces vlan unit 0 family inet sampling input
set interfaces vlan unit 0 family inet sampling output

# Specify a filter to collect only certain packets
edit firewall family inet filter PCAP
set term 1 from source-address 192.168.210.2/32
set term 1 then sample accept
set term 2 from destination-address 192.168.210.2/32
set term 2 then sample accept
top

# Apply this filter in the input and output direction (the input direction may be redundant)
set interfaces vlan unit 0 family inet filter output PCAP
set interfaces vlan unit 0 family inet filter input PCAP

# Wipe the old file before taking new pcaps
run file delete /var/tmp/MY-PCAP.vlan
# and start the PCAP
commit and-quit


BRANCH SRX:
TAKING FULL PACKET CAPTURES (2/2)
# CLI command to copy the file to a remote FTP server to inspect it with Wireshark
# You can also use scp, tftp and http in the destination URL
file copy /var/tmp/MY-PCAP.vlan ftp://username:prompt@172.16.42.210/var/tmp

# To view the pcap file from the shell:
start shell
cd /var/tmp
tcpdump -n -r MY-PCAP.vlan

# CLI help with more details
help reference forwarding-options packet-capture

# Online documentation
http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junos-security-admin-guide/config-pcap-chapter.html#config-pcap-chapter


DATACENTER SRX:
TAKING FULL PACKET CAPTURES (1/1)
# Since JUNOS 10.4R1, data path debugging on the datacenter SRX
# allows packet captures to be taken
edit security datapath-debug
set capture-file SRXPCAP format pcap size 1m files 5
set maximum-capture-size 100
set action-profile do-capture event np-ingress packet-dump
set packet-filter PCAP1 source-prefix 192.168.1.1/32 action-profile do-capture
set packet-filter PCAP2 destination-prefix 192.168.1.1/32 action-profile do-capture
top

# The start/stop of the capture is controlled from the CLI
request security datapath-debug capture (start|stop)

# To inspect the resulting PCAP, either copy it to a system with Wireshark installed
# or start a shell locally and use "tcpdump -nr /var/log/SRXPCAP"


USEFUL TROUBLESHOOTING INFORMATION

- JUNOS Troubleshooting and Monitoring Day One Booklet
- Data Collection Checklist: KB21781
- ScreenOS Debug Commands and JUNOS equivalents: KB14000
- SRX Troubleshooting Commands: KB15779
- Monitor interface and Monitor traffic: Admin Guide
- Taking Packet Captures: Admin Guide
- Troubleshooting SRX High Availability: KB15911
- Debug Flow: KB16108
- Configuring and Troubleshooting VPN: KB Guide
- Troubleshooting Dynamic VPN: KB17220


TOOLBOX
ACCESS LISTS
PACKET FILTER ON A STATEFUL FIREWALL ?
Access lists (stateless filters) have been in JUNOS for years

Stateless filters are still useful for three tasks:
- Filter and redirect traffic
- Classify traffic for QoS purposes
- Implement counters

Configuration uses the "set firewall ..." stanza:
root# set firewall ....

On many JUNOS interface cards the stateless filters are implemented
in hardware and do not consume CPU performance


FIREWALL FILTER EXAMPLE (COUNTING ONLY)
# Define a firewall filter to count SSH traffic
set firewall family inet filter TEST term 1 from source-address 0.0.0.0/0
set firewall family inet filter TEST term 1 from port 22
set firewall family inet filter TEST term 1 then count MYCOUNT
set firewall family inet filter TEST term 1 then accept

# We need a second term to permit everything else,
# because all firewall filter chains end with a default "deny all" term
set firewall family inet filter TEST term 2 from source-address 0.0.0.0/0
set firewall family inet filter TEST term 2 then accept

# Now we are ready to assign the filter to an interface
set interfaces fe-0/0/7 unit 0 family inet filter input TEST

# Show command to monitor the counters
lab@SRX210> show firewall counter filter TEST MYCOUNT

Filter: TEST
Counters:
Name                 Bytes       Packets
MYCOUNT              70455          1005

lab@SRX210>


DNS CONFIGURATION
# Set your own hostname
set system hostname mybox

# Specify DNS servers to resolve DNS requests from the SRX
# Example: public DNS servers from Google
set system name-server 8.8.8.8
set system name-server 8.8.4.4

# Example: public DNS servers from OpenDNS
set system name-server 208.67.222.222
set system name-server 208.67.220.220

# Example: public servers from UltraDNS
set system name-server 156.154.70.1
set system name-server 156.154.71.1

# Set your own domain name
set system domain-name test.de

# Today (12.1) the SRX offers neither a DNS server nor a DNS proxy nor a dynamic DNS client
# DNS proxy and dynamic DNS client are currently scheduled for 12.1X44


NTP CONFIGURATION
TIME AND NTP CLIENT
# Set the time zone
set system time-zone Europe/Berlin

# Set the time/date manually, or simply poll a time server once
srx> set date YYYYMMDDhhmm.ss
# or
srx> set date ntp de.pool.ntp.org
27 Apr 16:10:48 ntpdate[981]: step time server 213.61.224.44 offset 0.000876 sec

# Specify NTP servers (here 2 servers from de.pool.ntp.org)
set system ntp server 78.46.194.186 version 4 prefer
set system ntp server 88.198.34.114 version 4

# Enable NTP reachability during power up and in cluster backup state
set system ntp boot-server 78.46.194.186

# Diagnostics
# What time is it?
srx> show system uptime | match Current
Current time: 2009-04-22 17:21:20 CEST

srx> show ntp associations no-resolve
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.53.103.104  .PTB.            1 -  504 1024  377   62.492    6.408   0.120


NTP IN HA CLUSTERS
# Define the NTP server as usual in the global context
edit system ntp
set server 10.0.0.1
set source-address 10.0.0.2
top

# Enable NTP on the cluster member in backup state (traffic is leaving from fxp0)
# One group per node, using the fxp0 address of that node as source
edit groups node0 system ntp
set server 10.0.0.1
set source-address <ip-of-fxp0-node0>
top

edit groups node1 system ntp
set server 10.0.0.1
set source-address <ip-of-fxp0-node1>
top

# Per-node backup routes are required when the NTP server is not directly connected to fxp0
set groups node0 routing-options static route 10.0.0.0/24 next-hop 192.168.1.254
set groups node1 routing-options static route 10.0.0.0/24 next-hop 192.168.1.254


DHCP
DHCP CLIENT
# Enable the DHCP client on an interface
set interfaces fe-0/0/7 unit 0 family inet dhcp

# Permit DHCP traffic on this interface or security zone
set security zones security-zone untrust interfaces fe-0/0/7.0 host-inbound-traffic system-services dhcp

# Option: you can propagate DNS/WINS settings learnt by the DHCP client to be
# reused by local DHCP servers
set system services dhcp propagate-settings fe-0/0/7.0

# Monitoring and control
show system services dhcp client
request system services dhcp renew


DHCP SERVER
# Pools are named by their prefix
edit system services dhcp pool 192.168.1.0/24
set default-lease-time 3600
set domain-name test.de
set router 192.168.1.1
set name-server 192.168.1.1
set address-range low 192.168.1.33
set address-range high 192.168.1.64
# Option: exclude an IP from the pool
set exclude-address 192.168.1.42
top

# Option: static binding; the IP must be a member of the pool
edit system services dhcp
set static-binding 00:11:22:33:44:55 fixed-address 192.168.1.33
set static-binding 00:11:22:33:44:55 host-name test
top

# Permit DHCP in the incoming zone
set security zones security-zone trust host-inbound-traffic system-services dhcp

# Monitoring
show system services dhcp pool
show system services dhcp binding
show system services dhcp statistics
show system services dhcp conflict


DHCP RELAY
# Allow incoming DHCP traffic
# The "bootp" service is only available in the interface context, not in the zone context
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services bootp

# Enable on the desired interfaces and forward to your desired destination
edit forwarding-options helpers bootp
set interface ge-0/0/0.0 server 172.18.36.12
# Relay the DHCP request with the source IP of this interface
set vpn
set relay-agent-option
top

# Until 10.4 DHCP relay could not be configured inside virtual routers
# TODO


PPPOE & DSL
PPP OVER ETHERNET
EXAMPLE FOR T-ONLINE, GERMANY
# Define on which interface to use PPPoE encapsulation
set interfaces fe-0/0/5 unit 0 encapsulation ppp-over-ether

# Use password for authentication
set access profile ppp-profile authentication-order password

# PPP interface settings
set interfaces pp0 unit 0 family inet negotiate-address
set interfaces pp0 unit 0 family inet mtu 1492

# Authentication credentials
set interfaces pp0 unit 0 ppp-options pap access-profile ppp-profile
set interfaces pp0 unit 0 ppp-options pap local-password xxxxx
set interfaces pp0 unit 0 ppp-options pap local-name xxxx
set interfaces pp0 unit 0 ppp-options pap passive

# PPPoE settings and binding
set interfaces pp0 unit 0 pppoe-options underlying-interface fe-0/0/5.0
set interfaces pp0 unit 0 pppoe-options auto-reconnect 10
set interfaces pp0 unit 0 pppoe-options client
set interfaces pp0 unit 0 pppoe-options idle-timeout 0

# Diagnostic commands
show interfaces pp0
show pppoe interfaces
show pppoe statistics
request pppoe [connect|disconnect]

PPP OVER ADSL (FOR T-ONLINE, GERMANY)
BASED ON JUNOS 10.0 WITH ADSL MINI-PIM
# T-Online Germany typically uses ATM VPI 1 and VCI 32
# Encapsulation is PPPoE over ATM with LLC

# ADSL interface configuration
set interfaces at-1/0/0 encapsulation ethernet-over-atm
set interfaces at-1/0/0 atm-options vpi 1
set interfaces at-1/0/0 dsl-options operating-mode itu-dmt
set interfaces at-1/0/0 unit 0 encapsulation ppp-over-ether-over-atm-llc
set interfaces at-1/0/0 unit 0 vci 1.32

# PPPoE configuration on top of this ADSL interface
set interfaces pp0 unit 0 ppp-options pap access-profile T-Online
set interfaces pp0 unit 0 ppp-options pap local-name "xxxx@t-online.de"
set interfaces pp0 unit 0 ppp-options pap local-password "xxxx"
set interfaces pp0 unit 0 ppp-options pap passive
set interfaces pp0 unit 0 ppp-options lcp-max-conf-req 0
set interfaces pp0 unit 0 ppp-options ncp-max-conf-req 0
set interfaces pp0 unit 0 pppoe-options underlying-interface at-1/0/0.0
set interfaces pp0 unit 0 pppoe-options idle-timeout 0
set interfaces pp0 unit 0 pppoe-options auto-reconnect 1
set interfaces pp0 unit 0 pppoe-options client
set interfaces pp0 unit 0 family inet mtu 1450
set interfaces pp0 unit 0 family inet negotiate-address
set access profile T-Online client "xxxx@t-online.de" pap-password "xxxx"

# Default route (mandatory, because the negotiated gateway will not appear in the routing table)
set routing-options static route 0.0.0.0/0 next-hop pp0.0


SRX AS UAC ENFORCER
SRX AS UAC ENFORCER (1/2)
Important to know:
- In contrast to ScreenOS, JUNOS does not need a signed certificate on the IC. Unless explicitly configured, JUNOS will
  ignore the certificate presented by the IC. The communication is then only protected by password.
- Captive Portal support has been added with JUNOS 10.2
- For IPsec enforcement the SRX has to be configured manually, in contrast to ScreenOS, where the IC pushes the
  IPsec configuration too. Please RTFM
- If the IC is configured as a cluster you have to configure two ICs on JUNOS using their physical IP addresses. Please do not
  use the VIP.

Example configuration with an IC cluster:
# Create IC connections
set services unified-access-control infranet-controller uac1 address 10.1.1.1
set services unified-access-control infranet-controller uac1 interface reth2.0
set services unified-access-control infranet-controller uac1 password "<PW-Hash>"
set services unified-access-control infranet-controller uac2 address 10.1.1.2
set services unified-access-control infranet-controller uac2 interface reth2.0
set services unified-access-control infranet-controller uac2 password "<PW-Hash>"
set services unified-access-control timeout 20
set services unified-access-control interval 5
# Optional: add certificate verification; the root certificate has to be loaded on the SRX (see VPN with Certificates)
set services unified-access-control infranet-controller uac1 server-certificate-subject <cert-name>
set services unified-access-control infranet-controller uac1 ca-profile <profile-name>
set services unified-access-control infranet-controller uac2 server-certificate-subject <cert-name>
set services unified-access-control infranet-controller uac2 ca-profile <profile-name>


SRX AS UAC ENFORCER (2/2)
Policy enforcement with captive portal:
# Create a captive portal policy; redirect-url is optional
set services unified-access-control captive-portal my-cp-policy redirect-traffic unauthenticated
set services unified-access-control captive-portal my-cp-policy redirect-url https://ic.xyz.com/auth

# Create a firewall policy with application-service uac-policy
set security policies from-zone untrust to-zone trust policy uac-enforcem match source-address any
set security policies from-zone untrust to-zone trust policy uac-enforcem match destination-address any
set security policies from-zone untrust to-zone trust policy uac-enforcem match application any
set security policies from-zone untrust to-zone trust policy uac-enforcem then permit application-services uac-policy captive-portal my-cp-policy
set security policies from-zone untrust to-zone trust policy uac-enforcem then log session-close

Enforcer options:
# Enable test-only mode (only logging, without enforcement)
set services unified-access-control test-only-mode

# Define the timeout action (if the connection to the IC is lost)
set services unified-access-control timeout-action <close | no-change | open>


SRX AS UAC ENFORCER
Diagnostics
show services unified-access-control status
show services unified-access-control policies
show services unified-access-control rules
show services unified-access-control authentication detail
show services unified-access-control role-provisioning all
show security flow session ... extensive


PORT MIRRORING
PORT MIRRORING ON BRANCH SRX
# You can mirror traffic from one L3 interface to a host on another L3 interface.
# For the configuration, start with selecting the outbound interface and the destination host.
# Mirrored traffic is sent with its destination MAC rewritten to the MAC address of that host.
edit forwarding-options port-mirroring
set input rate 1 run-length 10
set family inet output interface ge-0/0/1.0 next-hop 10.0.210.33
top

# Next, configure a firewall filter to port-mirror. 0.0.0.0/0 is all traffic
edit firewall filter port-mirror term 1
set from source-address 0.0.0.0/0
set then port-mirror accept
top

# Finally, apply the filter to the source interface that should be mirrored
# This must be a physical L3 interface (family inet, not family ethernet-switching)
set interfaces ge-0/0/0 unit 0 family inet filter input port-mirror
set interfaces ge-0/0/0 unit 0 family inet filter output port-mirror


PORT MIRRORING ON DATACENTER SRX
# Mirror port ge-0/0/1 to port ge-0/0/2
edit forwarding-options port-mirroring
set input rate 1 run-length 10
set family any output interface ge-0/0/2
set instance inst1 input rate 1 run-length 10
set instance inst1 family any output interface ge-0/0/2
top

set interfaces ge-0/0/1 port-mirror-instance inst1


CLASS OF SERVICE
JUNOS COS SUMMARY
(Processing pipeline; the original slide shows this as a diagram)
Ingress stages:  BA Classifier -> Multifield Classifier -> Ingress Policing -> FWD Policy
Fabric:          Forwarding Class & Loss Priority are carried across the fabric (Fabric Priority)
Egress stages:   Rewrite/marker -> Scheduler/WRED -> Egress Policing


COS - BUILDING BLOCKS (1/2)
Ingress Processing
- Forwarding Classes and Queues
  Classification maps traffic to internal queues. The 4 default SRX forwarding classes map to 4 queues.
  Additional forwarding classes can be specified.
  show class-of-service
  show interfaces queue ge-0/0/0
- IFL Classification (interface-level classification of forwarding class and loss priority)
  Specify the class based on interface / sub-interface / logical interface
  set class-of-service interfaces <name> unit <x> forwarding-class assured-forwarding
- BA Classification (behavior aggregate classification of forwarding class and loss priority)
  Specify the class based on DSCP (IP) or EXP (MPLS) bits
  show class-of-service classifier name dscp-default
  set class-of-service interfaces fe-0/0/3 unit 0 classifiers dscp default
- MF Classification (multifield classification of forwarding class and loss priority)
  Specify the class based on stateless packet filters
  set firewall family inet filter ..... then forwarding-class ...
  set interfaces fe-0/0/3 unit 0 family inet filter .....
- Simple Filters (implemented on special hardware)
  Specify only class, loss priority and policer; no drop or count action, only one prefix
  set firewall family inet simple-filter ....
  set interfaces <name> unit <x> family inet simple-filter .....
- Ingress Policing (ingress rate limiter)
  Single-rate policer: establish a data rate, drop or change forwarding class when thresholds are exceeded
  Example on the next pages


COS - BUILDING BLOCKS (2/2)
Egress Processing
- Scheduler & Scheduler Map
  Packet notifications are placed into the forwarding-class queue. Queues are serviced by a scheduler using WRR.
  WRED congestion control operates at the head of the queue.
- Rewriter
  Changes DSCP / EXP bits
  show class-of-service rewrite-rule
  set class-of-service interfaces ge-0/0/0 unit 0 rewrite-rules dscp default
- PLP (Packet Loss Priority) & Drop Profiles
  PLP lets you influence queuing within the same queue
  set class-of-service drop-profiles ...
  set class-of-service scheduler .... drop-profile-map .....
- Egress Policing
  Single-rate policer: establish a data rate, drop or change forwarding class when thresholds are exceeded
  set firewall policer .... if-exceeding bandwidth-limit ... burst-size-limit ... then ...


SIMPLE COS EXAMPLE
The previous pages list all available methods.

It is not mandatory to apply all of them to get a working CoS configuration.

The simple example on the next pages fulfills the following requirements:
- We have a LAN interface reth0
- We have a WAN interface reth1
- We have an upstream WAN bandwidth of 10 Mbps
- Traffic from the LAN IP 192.168.1.2 should be able to occupy up to 30%
  of the WAN bandwidth, even in congestion situations

To achieve this it relies on the following building blocks only:
- Use the 4 default classes
- Create a classifier
- Create schedulers and assign them to the forwarding classes with a scheduler map
- Apply your classifier to the ingress interface(s)
- Apply your scheduler map to the egress interface(s)



SIMPLE COS EXAMPLE (1/3)
# We have a LAN interface reth0
# We have a WAN interface reth1
# We have an upstream WAN bandwidth of 10Mbps
# Traffic from the LAN IP 192.168.1.2 should be able to occupy up to 30%
# of the WAN bandwidth, even in congestion situations

# 1. Create a classifier that puts traffic from the source IP 192.168.1.2
# into a separate forwarding class (assured-forwarding).
# Add counters, so we can examine how frequently each decision path is used.
# The final ANY term is required: a firewall filter ends with an implicit discard,
# so without it all other LAN traffic would be dropped.

edit firewall family inet filter TEST-CLASSIFER
set term VOIP from source-address 192.168.1.2/32
set term VOIP then count SPECIAL
set term VOIP then forwarding-class assured-forwarding
set term VOIP then accept
set term ANY then count ANY
set term ANY then forwarding-class best-effort
set term ANY then accept
top



SIMPLE COS EXAMPLE (2/3)
# 2. Specify the behaviour of the different schedulers
# Start with af (assured forwarding)
# Notes on the scheduler parameters
# transmit-rate: can be considered the "guaranteed bandwidth", you will always get it
# shaping-rate: can be considered the "maximum bandwidth", you can send no more
# loss-priority: influences drop behaviour for packets in the same queue (4 priorities);
#   the loss priority is a tag set on each packet by the classifier or by policers
# buffer-size: more buffer allows bursts, but can introduce higher latency
edit class-of-service schedulers af
set transmit-rate percent 30
set shaping-rate percent 50
set buffer-size percent 5
set priority high
top

# Continue with be (best effort)


edit class-of-service schedulers be
set transmit-rate percent 60
set buffer-size remainder
set priority low
top

# And don't forget nc (network control)


edit class-of-service schedulers nc
set transmit-rate percent 10
set buffer-size percent 10
set priority strict-high
top
SIMPLE COS EXAMPLE (3/3)
# 3. Create a scheduler map that assigns the schedulers
# to the different forwarding classes
edit class-of-service scheduler-maps TEST-MAP
set forwarding-class assured-forwarding scheduler af
set forwarding-class best-effort scheduler be
set forwarding-class network-control scheduler nc
top

# 4. Set a shaping-rate for the WAN interface and
# apply the desired scheduler map to this interface
set class-of-service interfaces reth1 unit 0 scheduler-map TEST-MAP
set class-of-service interfaces reth1 unit 0 shaping-rate 10m

# 5. Apply the classifier on the LAN interface(s), so ingress traffic gets classified
set interfaces reth0 per-unit-scheduler
set interfaces reth0 unit 0 family inet filter input TEST-CLASSIFER

# 6. Enable the scheduler on the WAN interface, so that egress traffic gets shaped
set interfaces reth1 per-unit-scheduler


INGRESS POLICER (FIREWALL FILTER)
# Ingress policing with simple filters depends on the interface hardware and is not
# available on all systems. Known systems that support it are
# SRX-3K and SRX-5K with Combo Card; there a simple-filter might be required
# instead of a firewall filter (see next page)

# The example below limits traffic from a certain source to 1Mbps

edit firewall policer ONE-MBIT
set if-exceeding bandwidth-limit 1m
set if-exceeding burst-size-limit 63k
set then discard
top

# The catch-all term is required: a firewall filter ends with an implicit discard,
# so without it all traffic from other sources would be dropped
edit firewall family inet filter TESTFILTER
set term TERM1 from source-address 172.27.60.4/32
set term TERM1 then policer ONE-MBIT
set term TERM1 then accept
set term ANY then accept
top

# apply this filter on the interface (input or output is possible)
set interfaces reth0 unit 0 family inet filter input TESTFILTER



INGRESS POLICER (SIMPLE FILTER)
# On some systems simple filters can be used instead of firewall filters.
# Simple filters are ingress only and have fewer match options than firewall filters,
# but they are better for performance, because the interface hardware performs
# the filtering (and thus no Central Point resources are spent on it).
# Known systems that support simple filters are SRX-3K and SRX-5K with Combo Card

# The example below limits traffic from a certain source to 1Mbps

edit firewall policer ONE-MBIT
set if-exceeding bandwidth-limit 1m
set if-exceeding burst-size-limit 63k
set then discard
top

edit firewall family inet simple-filter TESTFILTER term TERM1
set from source-address 172.27.60.4/32
set then policer ONE-MBIT
top

# apply this filter on the interface (simple filters can only be applied as input)
set interfaces reth0 unit 0 family inet simple-filter input TESTFILTER
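The two policer pages above configure the same ONE-MBIT policer. The Python model below is an added example, not code from the Jump Station or from Juniper; it shows on constructed sample traffic how bandwidth-limit and burst-size-limit interact: a burst larger than 63k is cut to 63k, a sustained 2Mbps stream is halved once the burst credit is spent, and a burst-size-limit smaller than the packet size drops every packet. The Junos semantics stated in the docstring (bits per second, decimal k/m units, bytes for the burst, L3 byte counting) are assumptions.

```python
"""Token-bucket model of a Junos single-rate policer.

Added example, not code from the Jump Station or from Juniper. It models the
ONE-MBIT policer of the two policer pages (bandwidth-limit 1m, burst-size-limit
63k) on constructed sample traffic. Assumed Junos semantics: bandwidth-limit is
in bits per second, burst-size-limit in bytes (k/m/g are decimal), the bucket
starts full, a packet conforms if the bucket holds at least its L3 size in
tokens, and an exceeding packet gets the 'then' action (discard here) without
consuming tokens.
"""
import re
from dataclasses import dataclass
from fractions import Fraction

_UNITS = {"": 1, "k": 1_000, "m": 1_000_000, "g": 1_000_000_000}


def parse_rate(text):
    """Parse a Junos rate or size literal such as '1m', '63k' or '1500000'."""
    m = re.fullmatch(r"\s*(\d+)([kmg]?)\s*", text.lower())
    if not m:
        raise ValueError(f"bad rate literal: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


@dataclass(frozen=True)
class Packet:
    t_us: int   # arrival time in microseconds
    size: int   # L3 size in bytes (policers meter L3 bytes, see the CoS notes)


def police(packets, bandwidth_limit="1m", burst_size_limit="63k"):
    """Run packets through a single-rate policer; returns [(packet, conforms), ...]."""
    bytes_per_us = Fraction(parse_rate(bandwidth_limit), 8 * 1_000_000)
    capacity = parse_rate(burst_size_limit)
    tokens = Fraction(capacity)                      # bucket starts full
    last_us = packets[0].t_us if packets else 0
    verdicts = []
    for p in sorted(packets, key=lambda p: p.t_us):  # stable: same-time packets keep order
        # refill for the time elapsed since the previous packet, capped at the burst size
        tokens = min(Fraction(capacity), tokens + (p.t_us - last_us) * bytes_per_us)
        last_us = p.t_us
        if p.size <= tokens:
            tokens -= p.size
            verdicts.append((p, True))
        else:
            verdicts.append((p, False))          # exceeding: 'then discard', no tokens consumed
    return verdicts


def stats(verdicts):
    """Summarise policer verdicts."""
    dropped = [p for p, ok in verdicts if not ok]
    return {
        "packets": len(verdicts),
        "dropped_packets": len(dropped),
        "passed_bytes": sum(p.size for p, ok in verdicts if ok),
        "dropped_bytes": sum(p.size for p in dropped),
    }


def cbr_stream(rate_bps, size, duration_s):
    """Constructed constant-bit-rate stream: fixed-size packets evenly spaced."""
    gap_us = Fraction(size * 8 * 1_000_000, rate_bps)
    count = int(Fraction(duration_s) * rate_bps // (size * 8))
    return [Packet(int(i * gap_us), size) for i in range(count)]


if __name__ == "__main__":
    # a 75 kB burst of 1500-byte packets arriving at once: 63 kB passes, the rest is dropped
    print(stats(police([Packet(0, 1500) for _ in range(50)])))
    # a 2 Mbps stream for 10 s: once the burst credit is spent, every second packet is dropped
    print(stats(police(cbr_stream(2_000_000, 1000, 10))))
    # burst-size-limit below the packet size: nothing ever conforms
    print(stats(police([Packet(0, 1500)], "1m", "1k")))
```

Exact fractions are used for the bucket so the boundary cases come out precisely; the last case in the script is the one to remember when sizing burst-size-limit, because a bucket smaller than the largest packet silently discards all full-size packets.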



TROUBLESHOOTING AND FURTHER INFORMATION
# COS monitoring and investigation commands

show class-of-service
show firewall
show firewall filter <filter-name>
show policer
show interfaces queue <if-name>
show interfaces <if-name> extensive

# COS Configuration Guide for Security Devices
http://www.juniper.net/techpubs/en_US/junos12.1/information-products/topic-collections/security/software-all/class-of-service/junos-security-swconfig-cos.pdf

# SRX Interface Guide
http://www.juniper.net/techpubs/software/junos-security/junos-security95/junos-security-swconfig-interfaces-and-routing/frameset.html



VIRTUAL CHANNELS (VC)
The VC concept is only available on Branch SRX and J-Series
This approach is useful when a central site sends traffic to several sites
which have limited WAN bandwidth, and the WAN interface of the central
site has more bandwidth than the branches
Up to 64 virtual channels per system can be supported
Traffic to each site needs to be assigned to a VC using firewall filters
Queuing/scheduling/shaping for each VC is performed at the output queue (OUTQ)
Configuring a shaper for each VC is mandatory

[Figure: central site with a DS3 WAN link sending to branch sites connected via ADSL, T1 and E1]



VIRTUAL CHANNEL EXAMPLE
# Classify traffic per destination site; one term per site, plus a catch-all
# accept (a firewall filter ends with an implicit discard)
edit firewall family inet filter SITE1
set term SITE1 from destination-address 192.2.1.2/32
set term SITE1 then virtual-channel site1
set term SITE1 then accept
set term ANY then accept
top
set class-of-service virtual-channels site1
set class-of-service virtual-channels site2
set class-of-service virtual-channels site3
# A shaping-rate is mandatory for every virtual channel
edit class-of-service virtual-channel-groups WAN
set site1 scheduler-map TEST-MAP
set site1 shaping-rate 2m
set site2 scheduler-map TEST-MAP
set site2 shaping-rate 1500000
set site3 scheduler-map TEST-MAP
set site3 shaping-rate 1500000
top
# Apply the virtual channel group on the egress WAN interface
set interfaces ge-0/0/0 per-unit-scheduler
set interfaces ge-0/0/0 unit 0 virtual-channel-group WAN
# Apply the firewall filter on the ingress LAN interface
set interfaces ge-0/0/1 unit 0 family inet filter input SITE1



COS - NOTES AND LIMITATIONS AND TIPS (1/2)
System Dependencies
SRX branch devices support shaping-rate at the logical (unit) level, not on the physical port.
EX switches support shaping-rate at the physical port level, but not at the logical level
On Datacenter SRX, BA classification is done on the NPU and MF classification on the SPU
On a given interface, queues can be at one (and only one) of the following levels:
Interface
Sub-interface (e.g. VLAN, DLCI). This is referred to as per-unit scheduling
Virtual channels (a concept present only on Branch SRX and J-Series)
Interface Type Dependencies
Today (with JUNOS 10.3) schedulers can not be applied to Secure Tunnel (st0) interfaces.
Either apply the map to the underlying physical interface, use GRE tunnels, or on
Branch SRX use virtual channels
On SRX schedulers can be applied on L3 interfaces and VLAN sub-interfaces
Reth interfaces have a maximum of 4 queues
Interface Hardware Dependencies
Ingress interface policing is only available on SRX-5600 and 5800 with Combo Module



COS - NOTES AND LIMITATIONS AND TIPS (2/2)
Default Settings
All router-initiated control-plane traffic is automatically assigned to network-control.
Packets originating from protocols such as LLDP, RSTP, OSPF etc. are therefore handled by queue 3
All other traffic goes into the best-effort queue
Schedulers are disabled on most interfaces and must be enabled to work:
set interfaces ge-0/0/0 per-unit-scheduler
per-unit-scheduler is enabled by default on gr- (GRE), ip- (IP-IP) and ls- (Multilink) interfaces
Bandwidth Calculations
Policers work on L3 packet sizes
Shapers work on L2 packet sizes
Tip: Applying classifiers to multiple interfaces with a wildcard
set class-of-service interfaces ge-0/0/* unit 0 classifiers ieee-802.1 default



HIGH AVAILABILITY
SOLUTION ARCHITECTURE

GRES provides nonstop failover
Single device abstraction
Clean separation of control and forwarding planes
Unified configuration with configuration sync

[Figure: Node 0 and Node 1. The control plane daemons of both nodes are connected via fxp1;
the forwarding daemons (data plane) are connected via fab0/fab1. The control link carries
control plane traffic; the fabric link carries data plane traffic and the RTOs.]



TWO CHASSIS CONNECTED TOGETHER

[Figure: two chassis joined by two links]
Control plane connection: SPC to SPC
Data plane connection: IOC to IOC



INTERFACE NUMBERING

Interfaces in HA clusters are renumbered: node0 keeps FPC slots 0-11, node1 uses
FPC slots 12-23. The card in slot 1 of node0 is ge-1/0/0, the same card in node1
is ge-13/0/0 (slot 13). The slot offset is model specific; the 12-slot numbering
shown here is the SRX5800.

[Figure: two chassis, node0 with slots 0-11 and node1 with slots 12-23, labels RE 0 and RE 1]
CLUSTER INTERFACES
Model     | Management (fxp0)          | Control link (fxp1)                                                          | Fabric link
SRX 100   | fe-0/0/6                   | fe-0/0/7, tagged VLAN 4094 1)                                                | any interface, untagged, MTU on SRX100 is 1628
SRX 210   | fe-0/0/6                   | fe-0/0/7, tagged VLAN 4094 1)                                                | any interface, untagged, jumbo frames MTU 9014
SRX 240   | ge-0/0/0                   | ge-0/0/1, tagged VLAN 4094 1)                                                | any interface, untagged, jumbo frames MTU 9014
SRX 650   | ge-0/0/0                   | ge-0/0/1, tagged VLAN 4094 1)                                                | any interface, untagged, jumbo frames MTU 9014
J-Series  | ge-0/0/2                   | ge-0/0/3, untagged                                                           | any interface, untagged, jumbo frames MTU 9014
SRX 3000  | fxp0 on the Routing Engine | onboard HA Port 0 with any type of SFP, untagged                             | any interface, untagged, jumbo frames MTU 9014
SRX 5000  | fxp0 on the Routing Engine | first port of any SPC, same SPC slot on both SRX, fiber SFPs only, untagged  | any interface, untagged, jumbo frames MTU 9014

1) VLAN tagging became configurable with JUNOS 10.3, syntax: set chassis cluster control-link-vlan enable|disable (see Additional Options (3))


SRX3000
HARDWARE AND INTERFACE REDUNDANCY
Component                  | Interface                                      | Redundancy                                                                     | Remarks
Management (fxp0)          | on the Routing Engine                          | no                                                                             |
Control link (fxp1)        | built-in on SFB module, use HA Control Port 0  | possible with HA Control Port 1 on the SFB, requires CRM module and JUNOS 10.2  | untagged, requires jumbo frames
Data link (fab0 & fab1)    | yes                                            | possible since JUNOS 10.2, uses LAG                                            | untagged, jumbo frames
Secondary Switch Fabric    | -                                              | not yet supported                                                              |
Secondary Routing Engine   | -                                              | not yet supported                                                              |


SRX5000
HARDWARE AND INTERFACE REDUNDANCY
Component                      | Interface                                                                          | Redundancy                                                                                    | Remarks
Management (fxp0)              | on the first Routing Engine                                                        | yes                                                                                           | today (10.4) a second Routing Engine is just used for control-link redundancy
Control link (fxp1)            | first port of any SPC                                                              | requires a second Routing Engine, uses the second port on the SPC, supported since JUNOS 10.0  | must be on the same SPC in each cluster member; fiber SFPs only!
Data link (fab0 & fab1)        | yes, can be on any IO card, must be configured                                     | available since JUNOS 10.2 by using a LAG configuration                                       |
Second Switch Control Board    | second SCB is included in each SRX-5800 base system and is an option for SRX-5600  | -                                                                                             | fallback to a single SCB reduces maximum performance
Third Switch Control Board     | a slot exists to install a third SCB on SRX5800                                    | not yet supported                                                                             |
Secondary Routing Engine       | -                                                                                  | today (10.4) a second Routing Engine is just used for control-link redundancy                 |
SRX CLUSTER CREATION - STEP BY STEP
Plug-in the cluster control and fabric links
Set the Cluster ID on Both Members and reboot them
On SRX 5000: Configure the Control Ports on Both Members
From now on both members can be configured as one
Specify the Data links (a.k.a. Fabric Ports)
Define Node Specific configuration in Apply-Groups
Define at least 2 Redundancy Groups
Configure Redundant Ethernet Interfaces for these RGs
Continue with the remaining configuration



HIGH AVAILABILITY
CONTROL AND FABRIC LINKS
Create a Cluster
# Cluster ID must be between 1 and 15
# Cluster ID 0 or "disable chassis cluster" unsets the cluster
# Each device in the cluster must be given a unique node number
# A reboot is required to make the change effective
# This command is required on both cluster members (operational mode, not configuration mode)

set chassis cluster cluster-id <1-15> node <0-1> reboot

Define Control Ports (on SRX5K between SPCs, fiber only)
# This will become interface fxp1
set chassis cluster control-ports fpc 0 port 0
set chassis cluster control-ports fpc 12 port 0

Define Data Ports (on SRX5K between IOCs)
# fab0 and fab1 are the fabric links
# At least one interface from each cluster node
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-12/0/2
# Since JUNOS 10.2 you can add additional interfaces (fabric link redundancy)
set interfaces fab0 fabric-options member-interfaces ge-0/0/3
set interfaces fab1 fabric-options member-interfaces ge-12/0/3



HIGH AVAILABILITY
NODE SPECIFIC CONFIGURATION
Group Configuration (all settings which are node specific)
# These are the settings for the first node
set groups node0 system host-name SRX5800-1
set groups node0 system backup-router 172.26.26.1 destination 0.0.0.0/0
set groups node0 interfaces fxp0 unit 0 family inet address 172.26.26.104/24

# These are the settings for the second node
set groups node1 system host-name SRX5800-2
set groups node1 system backup-router 172.26.26.1 destination 0.0.0.0/0
set groups node1 interfaces fxp0 unit 0 family inet address 172.26.26.105/24

# And here we make sure that both groups are part of the shared configuration,
# but each cluster member only applies the group matching its own node name
set apply-groups "${node}"

# You can specify an additional fxp0 address with master-only so that this address
# always reaches the node that is primary for redundancy group 0
# Don't use this to connect to NSM
set groups node1 interfaces fxp0 unit 0 family inet address 172.26.26.106/24 master-only
set groups node0 interfaces fxp0 unit 0 family inet address 172.26.26.106/24 master-only



HIGH AVAILABILITY
REDUNDANCY GROUPS
Define Two Redundancy Groups for A/P
# Redundancy Group 0 is required; it controls which node's Routing Engine is primary (control plane)
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100

# Redundancy Group 1 is used for the redundant interfaces in an A/P configuration
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100

Option: a second data group for A/A (possible since JUNOS 9.5)
# Redundancy Group 2 is used for redundant interfaces in an A/A configuration;
# its primary is node 1, so both nodes forward traffic
set chassis cluster redundancy-group 2 node 0 priority 100
set chassis cluster redundancy-group 2 node 1 priority 200



HIGH AVAILABILITY
REDUNDANT INTERFACES
Define the number of redundant interfaces in your cluster (at least 2)
# The total number of redundant Ethernet interfaces
# This statement allows the creation of reth0, reth1, reth2 and reth3
set chassis cluster reth-count 4

Configure the redundant interfaces
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 10.10.1.3/24
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 20.10.1.3/24

Finally assign physical interfaces to them (one member per node)
# Make individual interfaces members of reth0
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-12/0/3 gigether-options redundant-parent reth0

# Make individual interfaces members of reth1
set interfaces ge-0/0/4 gigether-options redundant-parent reth1
set interfaces ge-12/0/4 gigether-options redundant-parent reth1
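The cluster creation steps (cluster ID, fabric ports, node groups, redundancy groups, reth interfaces and their members) are easy to get subtly wrong, and a half-configured cluster commits without complaint. The Python checker below is an added example, not part of the Jump Station and not a Juniper tool; it reads 'set' statements of the form shown on these pages and reports the usual slips. It assumes the SRX5800 FPC numbering from the interface numbering page (node1 slot = node0 slot + 12; other models use a different offset) and uses a sample configuration constructed from the page's own examples.

```python
"""Sanity checks for an SRX chassis cluster configuration given as 'set' lines.

Added example, not part of the Jump Station and not a Juniper tool. It flags the
slips that most often leave a new cluster half working: a reth beyond reth-count,
a reth without a member on one node, a reth in RG0 or in an undefined redundancy
group, fabric links without members or on the wrong node, and missing node groups
or apply-groups. Assumption: node1 FPC slots start at FPC_OFFSET (12 on the
SRX5800 of the interface numbering page; other models use other offsets).
SAMPLE_CONFIG is constructed from the snippets on the cluster pages.
"""
import re
from collections import defaultdict

FPC_OFFSET = 12   # node1 slot = node0 slot + 12 on an SRX5800; adjust per model
_IF_RE = re.compile(r"^([a-z]+)-(\d+)/(\d+)/(\d+)$")


def node_of(ifname, offset=FPC_OFFSET):
    """Node owning a physical interface, derived from its FPC slot (None if not physical)."""
    m = _IF_RE.match(ifname)
    return None if not m else (0 if int(m.group(2)) < offset else 1)


def mirror_name(ifname, offset=FPC_OFFSET):
    """Name of the same port on node1 for a node0 interface: ge-0/0/3 -> ge-12/0/3."""
    typ, fpc, pic, port = _IF_RE.match(ifname).groups()
    return f"{typ}-{int(fpc) + offset}/{pic}/{port}"


def check_cluster_config(lines, offset=FPC_OFFSET):
    """Return a list of findings; an empty list means all checks passed."""
    reth_count, apply_groups, groups = None, False, set()
    rg_prio = defaultdict(dict)    # rg -> {node: priority}
    reth_rg = {}                   # reth -> rg
    members = defaultdict(list)    # reth -> [physical interfaces]
    fab = defaultdict(list)        # fab0/fab1 -> [physical interfaces]
    for raw in lines:
        line = raw.strip()
        if m := re.match(r"set chassis cluster reth-count (\d+)$", line):
            reth_count = int(m.group(1))
        elif m := re.match(r"set chassis cluster redundancy-group (\d+) node ([01]) priority (\d+)$", line):
            rg_prio[int(m.group(1))][int(m.group(2))] = int(m.group(3))
        elif m := re.match(r"set interfaces (reth\d+) redundant-ether-options redundancy-group (\d+)$", line):
            reth_rg[m.group(1)] = int(m.group(2))
        elif m := re.match(r"set interfaces (\S+) gigether-options redundant-parent (reth\d+)$", line):
            members[m.group(2)].append(m.group(1))
        elif m := re.match(r"set interfaces (fab[01]) fabric-options member-interfaces (\S+)$", line):
            fab[m.group(1)].append(m.group(2))
        elif m := re.match(r"set groups (node[01]) ", line):
            groups.add(m.group(1))
        elif line == 'set apply-groups "${node}"':
            apply_groups = True

    findings = []
    if 0 not in rg_prio:
        findings.append("redundancy-group 0 (Routing Engine) is not defined")
    for rg, prio in sorted(rg_prio.items()):
        missing = {0, 1} - set(prio)
        if missing:
            findings.append(f"redundancy-group {rg}: no priority for node{missing.pop()}")
        elif prio[0] == prio[1]:
            findings.append(f"redundancy-group {rg}: both nodes have priority {prio[0]} (tie)")
    for reth, rg in sorted(reth_rg.items()):
        if reth_count is None or int(reth[4:]) >= reth_count:
            findings.append(f"{reth}: not covered by reth-count {reth_count}")
        if rg == 0:
            findings.append(f"{reth}: redundancy-group 0 cannot carry data interfaces")
        elif rg not in rg_prio:
            findings.append(f"{reth}: redundancy-group {rg} is not defined")
        per_node = defaultdict(list)
        for ifname in members.get(reth, []):
            per_node[node_of(ifname, offset)].append(ifname)
        for node in (0, 1):
            if len(per_node[node]) != 1:
                findings.append(f"{reth}: expected one member on node{node}, got {per_node[node]}")
    for fabric, node in (("fab0", 0), ("fab1", 1)):
        if not fab[fabric]:
            findings.append(f"{fabric}: no member-interfaces configured")
        for ifname in fab[fabric]:
            if node_of(ifname, offset) != node:
                findings.append(f"{fabric}: member {ifname} is not on node{node}")
    for g in ("node0", "node1"):
        if g not in groups:
            findings.append(f"groups {g}: node specific settings missing")
    if not apply_groups:
        findings.append('apply-groups "${node}" is missing, node groups would never be applied')
    return findings


SAMPLE_CONFIG = """\
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set chassis cluster reth-count 4
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-12/0/2
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-12/0/3 gigether-options redundant-parent reth0
set interfaces ge-0/0/4 gigether-options redundant-parent reth1
set interfaces ge-12/0/4 gigether-options redundant-parent reth1
set groups node0 system host-name SRX5800-1
set groups node1 system host-name SRX5800-2
set apply-groups "${node}"
""".splitlines()

# Same configuration with three typical slips: reth-count too small,
# reth1 without its node1 member, fab1 forgotten
BROKEN_CONFIG = [
    "set chassis cluster reth-count 1" if line.startswith("set chassis cluster reth-count") else line
    for line in SAMPLE_CONFIG
    if "ge-12/0/4" not in line and not line.startswith("set interfaces fab1")
]
```

Feed it the output of `show configuration | display set` from the primary node (after stripping the prompt) and set FPC_OFFSET for your model; `mirror_name` gives the node1 name a node0 member is normally paired with, which is the quickest way to spot a reth whose two members are not the same port on both chassis.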



HIGH AVAILABILITY
ADDITIONAL OPTIONS (1)
# Interface Monitoring
# The redundancy group releases the primary role on a layer 1 failure of these interfaces
# (failover happens when the summed weight of failed interfaces reaches 255)
set chassis cluster redundancy-group 1 interface-monitor xe-0/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-11/0/0 weight 255

# Optional pre-emption (fallback when the node with the better priority returns)
set chassis cluster redundancy-group 1 preempt

# Optional hold-down interval (seconds) to prevent back-to-back failovers of the redundancy group
set chassis cluster redundancy-group 1 hold-down-interval 900

# Track-IP: IP address monitoring for a redundancy group
# (introduced for Data Center SRX with JUNOS 9.6)
set chassis cluster redundancy-group 1 ip-monitoring family inet 1.1.1.1 weight 255
# Additional monitoring from the backup (secondary) node via a secondary IP was added in JUNOS 10.1
set chassis cluster redundancy-group 1 ip-monitoring family inet 1.1.1.1 interface reth0.0 secondary-ip-address ...

# Optional control link recovery (introduced with JUNOS 9.6)
# Recovers the system from the disabled state by an automatic reboot of the disabled node
set chassis cluster control-link-recovery

# Fabric link monitoring is disabled by default on High-End SRX since 10.4r4
# to avoid the "disabled" state after link loss. To enable it use the following command
set chassis cluster fabric-monitoring



HIGH AVAILABILITY
ADDITIONAL OPTIONS (2)
Redundant Interface as a VLAN Trunk
set interfaces reth1 vlan-tagging
set interfaces reth1 redundant-ether-options redundancy-group 1
# Best practice: use the vlan-id also as the unit number
set interfaces reth1 unit 11 vlan-id 11
set interfaces reth1 unit 11 family inet address 10.0.11.1/24
set security zones security-zone zone11 interfaces reth1.11
set interfaces reth1 unit 12 vlan-id 12
set interfaces reth1 unit 12 family inet address 10.0.12.1/24
set security zones security-zone zone12 interfaces reth1.12

Graceful Restart
# If all participants of a routing protocol support graceful restart, then
# use this option to avoid downtime resulting from OSPF or BGP re-establishment after a failover
set routing-options graceful-restart

Heartbeat Interval Tuning
# Set the heartbeat interval in milliseconds (1000..2000, default 1000)
set chassis cluster heartbeat-interval <msec>
# Set the heartbeat threshold, i.e. the number of missed heartbeats before a failure is declared (3..8, default 3)
set chassis cluster heartbeat-threshold <nr>



HIGH AVAILABILITY
ADDITIONAL OPTIONS (3)
VLAN-Tagging on the Branch SRX Control Link
# On Branch SRX the control link traffic by default uses VLAN ID 4094
# Since JUNOS 10.3 a command is available to remove the VLAN tag
# A reboot is required to make the change effective
set chassis cluster control-link-vlan enable|disable

# To see the current setting use the following command
show chassis cluster information

Commit Confirmed on an SRX Cluster
# Since a cluster configuration can be edited on both Routing Engines,
# "commit confirmed" is not available by default
# To allow "commit confirmed" you must enter configuration mode with
configure exclusive



HIGH AVAILABILITY
MONITORING AND TROUBLESHOOTING (1)
# Configuration check
show configuration groups
show configuration chassis cluster
show configuration interfaces

# Hardware checks
show chassis hardware
show chassis fpc pic-status
show pfe terse
show chassis alarms
show system alarms

# Monitor cluster status
show chassis cluster status
show chassis cluster status redundancy-group <xx>

# Display information about the HA interfaces (since 11.4 also shows the state of redundant HA links)
show chassis cluster interfaces

# Status information
show chassis cluster statistics
show chassis cluster information
show chassis cluster ip-monitoring status

# In case you find a cluster member in disabled state,
# here is the place to find root cause information
show chassis cluster information no-forwarding



HIGH AVAILABILITY
MONITORING AND TROUBLESHOOTING (2)

# Inspect log files (for support cases always collect log files from both nodes!)
show log jsrpd        or   file show /var/log/jsrpd
show log messages     or   file show /var/log/messages
show log chassisd     or   file show /var/log/chassisd

# For ongoing log file monitoring use
monitor start jsrpd

# To enable additional traces in jsrpd you can configure traceoptions
set chassis cluster traceoptions level all flag all

# To jump from one node to the other you can use the following options:
# CLI command for Branch SRX
request routing-engine login node <x>
# Shell command for Datacenter SRX
rlogin -Ji node<x>
# Or usually you can also use ssh to the fxp0 address of the second node

# Knowledgebase: Troubleshooting SRX High Availability


http://kb.juniper.net/library/CUSTOMERSERVICE/Resolution_Guides/SRX/Wrapper_SRX_Chassis_Cluster.html



HIGH AVAILABILITY
CLUSTER CONNECTIONS
# Requirements for HA cluster connections

- Latency on the HA links must be below 100 msec

- Bandwidth on the fabric link: 1Gbps is sufficient for A/P;
  for A/A with 10GE reth interfaces 10GE fabric links are recommended

- Dual fabric links offer redundancy, but only one link at a time
  is used for forwarding and RTO sync

- When the HA connection travels over switches:
  - Control link traffic and fabric link traffic must be kept on separate
    L2 connections (different physical links or different VLANs)
  - Jumbo frames must be permitted
  - IGMP snooping must be disabled on the switch ports involved
  - For Branch SRX: disable VLAN tagging on the control link or allow QinQ on the switch
    "set chassis cluster control-link-vlan disable"
  - Use the guidelines from the following Knowledge Base article:
    SRX Cluster Deployments across L2 Networks
    http://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/technotes/3500165-EN.pdf



HIGH AVAILABILITY
MANUAL FAILOVER (1)

Requesting Failover
Manually fail over redundancy groups between the chassis
RG0 should only be failed over in emergencies
Should only be done after both REs have been up for 5 minutes
Rapid RG0 failovers will cause an RE crash
RG1 supports rapid failovers

Clearing Failover
A manual failover must be reset afterwards: the manual failover flag (and priority 255
on the new primary) stays in place until it is cleared
This prevents accidental failovers



HIGH AVAILABILITY
MANUAL FAILOVER (2)
Request Failover
{primary:node1}
root@srx> request chassis cluster failover redundancy-group 1 node 1
node1:
--------------------------------------------------------------------------
Initiated manual failover for redundancy group 1

{primary:node1}
root@srx> show chassis cluster status
Cluster ID: 3
Node name        Priority   Status      Preempt   Manual failover

Redundancy group: 0 , Failover count: 1
    node0          200      secondary   no        no
    node1          1        primary     no        no

Redundancy group: 1 , Failover count: 0
    node0          1        secondary   yes       yes
    node1          255      primary     yes       yes

# The node a manual failover was requested for gets priority 255 and the
# "Manual failover" flag stays set until it is reset

Clear/Reset Failover
root@srx> request chassis cluster failover reset redundancy-group 1



HIGH AVAILABILITY
MANUAL FAILOVER (3)
Manual Failover can fail if systems are not yet up again
Manual failover can be difficult if the nodes have not completely recovered from a
previous failover. To determine if a device is ready for repeated failovers, perform
these recommended best-practice steps before doing a manual failover.

The best practices we recommend to ensure a proper failover are as follows:

show chassis cluster status


Use this command to verify the following for all redundancy groups:
One node is primary ; the other node is secondary.
Both nodes have nonzero priority values unless a monitored interface is down.

show chassis fpc pic-status


Use this command to verify that the PIC status is Online.

show pfe terse


Use this command to verify that the Packet Forwarding Engine status is Ready
and to verify the following:
All slots on the RG0 primary node have the status Online.
All slots on the RG0 secondary node, except the Routing Engine slots, have the
status Valid.
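To make the best-practice checks above repeatable, the following Python script parses 'show chassis cluster status' output and reports anything that should stop a manual failover. It is an added example, not part of the Jump Station and not a Juniper tool. The first sample follows the output on the manual failover page (node1 made primary for RG1 with priority 255 and the manual failover flag set); the healthy and disabled samples are constructed.

```python
"""Pre-failover checks on 'show chassis cluster status' output.

Added example, not from the Jump Station and not a Juniper tool. It parses the
status output shown on the manual failover pages and applies the best-practice
checks listed above (one primary and one secondary per redundancy group, nonzero
priorities) plus the state a manual failover leaves behind: the 'Manual failover'
flag and priority 255 stay until 'request chassis cluster failover reset'.
PAGE_OUTPUT follows the page's sample; the other two samples are constructed.
"""
import re
from dataclasses import dataclass

_RG_RE = re.compile(r"Redundancy group:\s*(\d+)\s*,\s*Failover count:\s*(\d+)")
_NODE_RE = re.compile(r"^(node[01])\s+(\d+)\s+(\S+)\s+(yes|no)\s+(yes|no)$")


@dataclass
class NodeState:
    name: str
    priority: int
    status: str             # primary, secondary, secondary-hold, hold, ineligible, disabled
    preempt: bool
    manual_failover: bool


def parse_cluster_status(text):
    """Parse the CLI output into {'cluster_id': int, 'groups': {rg: {...}}}."""
    result, rg = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Cluster ID:\s*(\d+)$", line):
            result = {"cluster_id": int(m.group(1)), "groups": {}}
        elif (m := _RG_RE.search(line)) and result is not None:
            rg = int(m.group(1))
            result["groups"][rg] = {"failover_count": int(m.group(2)), "nodes": []}
        elif (m := _NODE_RE.match(line)) and rg is not None:
            result["groups"][rg]["nodes"].append(NodeState(
                m.group(1), int(m.group(2)), m.group(3), m.group(4) == "yes", m.group(5) == "yes"))
    if result is None:
        raise ValueError("no 'Cluster ID' line found")
    return result


def primary_of(status, rg):
    """Node that is primary for a redundancy group, or None."""
    return next((n.name for n in status["groups"][rg]["nodes"] if n.status == "primary"), None)


def failover_findings(status):
    """Reasons not to trigger a manual failover now; an empty list means go ahead."""
    findings = []
    for rg, data in sorted(status["groups"].items()):
        nodes = data["nodes"]
        if sorted(n.status for n in nodes) != ["primary", "secondary"]:
            findings.append(f"RG{rg}: expected one primary and one secondary, got "
                            + ", ".join(f"{n.name}={n.status}" for n in nodes))
        for n in nodes:
            if n.priority == 0:
                findings.append(f"RG{rg}: {n.name} has priority 0 (monitored interface down or node not ready)")
        if any(n.manual_failover for n in nodes):
            findings.append(f"RG{rg}: manual failover flag still set; run "
                            f"'request chassis cluster failover reset redundancy-group {rg}' first")
    return findings


def ready_for_failover(status):
    return not failover_findings(status)


PAGE_OUTPUT = """\
Cluster ID: 3
Node name        Priority   Status      Preempt   Manual failover

Redundancy group: 0 , Failover count: 1
    node0          200      secondary   no        no
    node1          1        primary     no        no

Redundancy group: 1 , Failover count: 0
    node0          1        secondary   yes       yes
    node1          255      primary     yes       yes
"""

# Constructed: the same cluster after 'failover reset' with both RGs back on node0
HEALTHY_OUTPUT = """\
Cluster ID: 3
Node name        Priority   Status      Preempt   Manual failover

Redundancy group: 0 , Failover count: 2
    node0          200      primary     no        no
    node1          100      secondary   no        no

Redundancy group: 1 , Failover count: 2
    node0          200      primary     yes       no
    node1          100      secondary   yes       no
"""

# Constructed: node1 lost its control link and ended up disabled
DISABLED_OUTPUT = """\
Cluster ID: 3
Node name        Priority   Status      Preempt   Manual failover

Redundancy group: 0 , Failover count: 2
    node0          200      primary     no        no
    node1          0        disabled    no        no
"""
```

Run `failover_findings(parse_cluster_status(text))` on the captured output of both nodes; the disabled case is the one the state diagram below ends in, and the only way out of it is a reboot of that node, so the script refuses to call such a cluster ready.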



FAILURE CASES AND EXPECTED BEHAVIORS
Component            | Expected Behavior
Control Link         | Secondary node goes into disabled state. Reconnect the control link and then reboot the secondary node.
Fabric Link          | Since 10.4r4 the fabric link is no longer monitored by default (enable fabric monitoring with "set chassis cluster fabric-monitoring"). With monitoring: the secondary node goes into disabled state. Reconnect the fabric link and then reboot the secondary node.
Power                | If all power to a unit is lost then all redundancy groups will fail over.
Interface Down       | Redundancy groups that monitor the interface will fail over if the total weight of failed interfaces exceeds 254.
CP                   | Will cause RG1+ to fail over but the RE will remain on the same chassis.
SPC/SPU              | Any SPC or SPU failure will trigger RG1+ to fail over to the secondary chassis.
RE or SCB with RE    | All redundancy groups will fail over and the chassis goes offline.
SCB w/o RE           | Reduces throughput of the device, will not fail over to the second chassis. A third SCB will activate if installed (SRX5k only).
FAILURE CASES AND EXPECTED BEHAVIORS (CONTINUED)

Component                                  | Expected Behavior
NPC Failure (SRX3k)                        | The SRX3k supports NPC monitoring. If an NPC fails then all RG1+ groups will fail over to the other cluster member.
Control Plane Failure / RE Reboot          | The data plane will continue to run up to 5 minutes without an RE, or until the RE comes back up, when chassisd comes back and reinitializes all of the cards.
Control and Data Link (fail at same time)  | Both nodes will detect the failure of the links by the loss of the heartbeat messages. In this case the secondary node will go disabled.
Complete Chassis Failure                   | Whether caused by a software or hardware issue, the secondary node will look for the gratuitous ARPs of the other node, and in the absence of these will assume mastership.



SRX HA State Transition Diagram

[Figure: state machine. States: Hold, Secondary, Primary, Secondary-hold, Ineligible, Disabled.
Transitions: Bootup -> Hold; hold timer expires -> Secondary; primary node dies: Secondary -> Primary;
failover (manual, interface failure, ip-monitoring failure, preempt etc.): Primary -> Secondary-hold;
secondary-hold timer expires -> Secondary; fabric-link failure or control-link failure -> Ineligible;
ineligible timer fires -> Disabled.]

Note: The transition to the disabled state will only happen if the node is RG0 secondary.
Note: Once in disabled state the only option to recover is to reboot the device



APPLICATION SECURITY,
INTRUSION PREVENTION,
UNIFIED THREAT MANAGEMENT
FEATURE LICENSES AND
CONTENT SUBSCRIPTIONS
FEATURE LICENSES

Feature J SRX100 SRX110 SRX210 SRX220 SRX240 SRX650 SRX1xxx SRX3xxx SRX5xxx

Memory upgrade x - - -

Dynamic VPN up to 25 up to 10 up to 50 up to 150 up to 250 up to 500 - - -

Extreme License - - - - - - x

Logical Systems - - - - - - up to 32 up to 32 up to 32
(1.5.25) (1.5.25) (1.5.25)

Service Offload - - - - - - Free Free Free


(Low Latency)

Advanced BGP x - - - - - x

1) requires High memory Model


2) include IPS License



CONTENT SUBSCRIPTIONS
AVAILABLE FOR 1, 3 OR 5 YEARS
Feature                        | J  | SRX100  | SRX110 | SRX210  | SRX220  | SRX240  | SRX650 | SRX1xxx | SRX3xxx | SRX5xxx
IPS                            | x  | 11.4 1) | 11.4   | 11.4 1) | 11.4 1) | 11.4 1) | 11.4   | x       | x       | x
AppSec                         | -  | 11.4 1) | 11.4   | 11.4 1) | 11.4 1) | 11.4 1) | 11.4   | 10.4 2) | 10.4 2) | 10.4 2)
Kaspersky-AV                   | x  | x 1)    | x      | x 1)    | x 1)    | x 1)    | x      | -       | -       | -
Sophos-AV                      | -  | 11.4 1) | 11.4   | 11.4 1) | 11.4 1) | 11.4 1) | 11.4   | -       | -       | -
Webfilter Websense Integrated  | x  | x 1)    | x      | x 1)    | x 1)    | x 1)    | x      | -       | -       | -
Webfilter Websense Enhanced    | -  | 11.4 1) | 11.4   | 11.4 1) | 11.4 1) | 11.4 1) | 11.4   | -       | -       | -
Sophos-Antispam                | x  | x 1)    | x      | x 1)    | x 1)    | x 1)    | x      | -       | -       | -

x = available, - = not available, 11.4 / 10.4 = available from that JUNOS release
1) requires the high-memory model
2) includes the IPS license



UTM, IDP AND APPLICATION FIREWALL FEATURES
REQUIRE LICENSES
# Once ordered, you can download them from the Juniper License Management Server
# This method is recommended; DNS and Internet access are required
# The default URL, as shown in "show configuration system license", is
# https://ae1.juniper.net/JUNOS/key_retrieval

# To download the licenses that were bought for this device execute
request system license update

# Or, if you received a license for manual installation, use this command to paste it
# (install manually when the license keys are available as a text file)
request system license add terminal

# You can configure a proxy server to retrieve the licenses
set system proxy server 192.168.1.10
set system proxy port 3128
set system proxy username user1
set system proxy password user123

# To track problems with licenses open a trace file
set system license traceoptions file license.log
set system license traceoptions flag all

# Trial licenses (valid for 4 weeks) are available
# You can only fetch it once per lifetime for each device serial number
request system license update trial



MANY LICENSED FEATURES ARE ENABLED PER RULE
In the firewall policy you decide per rule whether the licensed features are applied
edit security policies from-zone trust to-zone untrust policy default-permit
set then permit application-services idp
# other application services: uac-policy, utm-policy <name>, services-offload
top



APPLICATION SECURITY FEATURES
- IDP
- APP TRACK
- APP FIREWALL
- IDENTITY BASED APP FIREWALL
- APP QOS
- APP DDOS
STATE OF APPLICATION SECURITY
State of the Application Firewall Feature Set
All AppSecure features are available on High-End SRX with JUNOS 11.4r1
All AppSecure features except AppDDoS and AppQoS are available for Branch SRX with 11.4r1

Licensing
SKU AppSec-A (Advanced): High-End SRX, includes the application signature license and the IPS license
SKU AppSec-B (Basic): Branch SRX, includes the application signature license only; the IPS license has to be purchased separately

App-ID Database
On High-End SRX the AppID signatures were moved to a separate database with 11.4
On Branch SRX the AppID signatures have always been in a separate database (since 11.2)

Management and Logging
Some AppFirewall features are not supported in the NSM Log Viewer or Policy Manager
Preferred management solution: Junos Space or J-Web
Preferred log solution: STRM



APPLICATION SECURITY AVAILABILITY

Feature   | High-End SRX | Branch SRX
AppTrack  | yes          | 11.4
AppFW     | yes          | 11.4
AppQoS    | 11.4         | future
AppDoS    | yes          | future
IPS       | yes          | yes



APPSECURE PERFORMANCE

[Figure: AppSecure performance table; source: AppSecure Datasheet]

IDP
INTRUSION DETECTION AND PREVENTION
ACTIVATE INTRUSION DETECTION AND PREVENTION
Initial Requirements
Install the IDP license
Download and install the attack database and detector engine (a.k.a. security-package)

IDP Policy - Option 1: use the Juniper policy templates
Download the policy templates
Install the policy templates

IDP Policy - Option 2: write your own IDP policy
Write a custom policy, use custom attack groups (NSM is the preferred tool for this job)

Final Steps
Activate the desired policy
Enable application-services idp in all firewall rules where you want IDP applied

SIGNATURE UPDATES
How can signature updates be installed?
pull (the device fetches the updates itself)
push from Space (Space can also pull the updates through a proxy connection)

Branch SRX can receive two different kinds of signature updates:

IDP security-package updates include
updates for IDP signatures,
application identification signature updates and
the detector engine
Application identification updates
AppID updates include only AppID signatures, no IDP signatures or detector engine

INTRUSION DETECTION AND PREVENTION
ATTACK DATABASE
Download and install the latest attack database
srx> request security idp security-package download
Will be processed in asynchronous mode. Check the status using the status checking CLI

srx> request security idp security-package download status
In progress:downloading file ...SignatureUpdate_tmp.xml.gz

srx> request security idp security-package download status
Done;Successfully downloaded from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:1473(Tue Aug 4 13:41:40 2009, Detector=9.2.160090324)

srx> request security idp security-package install
Will be processed in asynchronous mode. Check the status using the status checking CLI

srx> request security idp security-package install status
In progress:Compiling AI signatures ...

# Takes about 5 minutes on an SRX210 to finish

srx> request security idp security-package install status
Done;Attack DB update : successful - [UpdateNumber=1473,ExportDate=Tue Aug 4 13:41:40
2009,Detector=9.2.160090324]
Updating control-plane with new detector : successful
Updating data-plane with new attack or detector : not performed
due to no existing running policy found.

INTRUSION DETECTION AND PREVENTION
POLICY TEMPLATES (1/2)
If you don't want to write custom IDP policies yourself, the Juniper policy
templates give you a simple starting point. Use the commands below to
download and install the latest security policy templates.

srx> request security idp security-package download policy-templates
Will be processed in asynchronous mode. Check the status using the status checking CLI

srx> request security idp security-package download status
Done;Successfully downloaded from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:2

srx> request security idp security-package install policy-templates
Will be processed in asynchronous mode. Check the status using the status checking CLI

lab@srx-172.16.42.210> request security idp security-package install status
Done;policy-templates has been successfully updated into internal repository
(=>/var/db/scripts/commit/templates.xsl)!

INTRUSION DETECTION AND PREVENTION
POLICY TEMPLATES (2/2)
To get the policy templates added to your configuration you must enable
execution of the templates.xsl script with every commit.
# At commit time, the JUNOS management process (mgd) searches the /var/db/scripts/commit
# directory for scripts and runs the script against the candidate configuration database
# to ensure the configuration conforms to the rules dictated by the scripts.
set system scripts commit file templates.xsl

Now you can use the Recommended policy template
set security idp active-policy Recommended

Once the IDP policy is defined, you can activate it "per rule"
edit security policies from-zone trust to-zone untrust policy <policyname>
set then permit application-services idp
top

INTRUSION DETECTION AND PREVENTION
CUSTOM POLICY
Instead of policy templates you can write custom IDP policies, where you
specify which signatures or signature groups to use and what the desired
actions are. The example below uses two INFO level signatures, so that
you get an IDP log for each ping or HTTP request.
edit security idp idp-policy TEST rulebase-ips rule 1
set match source-address any
set match destination-address any
set match attacks predefined-attacks HTTP:AUDIT:URL
set match attacks predefined-attacks ICMP:INFO:ECHO-REQUEST
set then action no-action
set then notification log-attacks
top

Activate this policy and enable it on an existing firewall rule
set security idp active-policy TEST

edit security policies from-zone trust to-zone untrust policy <policyname>
set then permit application-services idp
top

NSM is recommended for writing custom IDP policies, groups and signatures

INTRUSION DETECTION AND PREVENTION
CUSTOM ATTACK GROUPS
You can use custom attack groups to specify which attacks you are looking for.
Pay attention: server-to-client signatures have a big performance impact.
They should only be applied when you inspect traffic to untrusted servers.
edit security idp dynamic-attack-group CRITICAL-C2S
set filters severity values critical
set filters direction values exclude-server-to-client
top

edit security idp dynamic-attack-group CRITICAL-ALL
set filters severity values critical
top

# Rule 1: traffic to our own trusted servers, client-to-server signatures only
edit security idp idp-policy TEST rulebase-ips rule 1
set match source-address any
set match destination-address MY-OWN-TRUSTED-SERVERS
set match attacks dynamic-attack-groups CRITICAL-C2S
set then action no-action
top

# Rule 2: traffic to all other (untrusted) servers, signatures in both directions
# replace ??? with the desired action
edit security idp idp-policy TEST rulebase-ips rule 2
set match source-address any
set match destination-except MY-OWN-TRUSTED-SERVERS
set match attacks dynamic-attack-groups CRITICAL-ALL
set then action ???
set then notification log-attacks
top

INTRUSION DETECTION AND PREVENTION
AUTO UPDATE FOR SIGNATURES
Configure the box to fetch database updates automatically
# set start time (old format until 10.0r2: MM-DD.hh:mm)
set security idp security-package automatic start-time 01-02.03:00

# set start time (new format since 10.0r3: YYYY-MM-DD.HH:MM:SS)
set security idp security-package automatic start-time 2010-01-01.02:00:00

# get the update every 24 hours
set security idp security-package automatic interval 24

# enable auto update
set security idp security-package automatic enable

# The following situations prevent devices from pulling database updates
# * when internet access is not possible at all
# * when internet access has to go through a proxy
# * in a cluster: when the passive member can not get internet access from fxp0

# The following options can help to solve problems with the delivery of automatic updates
# * NSM or Space can be used to pull the attack database and push it to the device;
#   both can even use proxy connections
# * An offline update procedure description is available in the Knowledgebase
# For clusters where only the active node can pull the update
# * After RG0 failover, the second node becomes active and can fetch the update
# * A description and a script to perform the sync is posted in forum.juniper.net
# * Automatic file sync from the active node to the passive node is planned for JUNOS 12.1
IDP PACKET CAPTURES
# Since JUNOS 10.2 the Datacenter SRX supports collection and delivery of packet
# captures when an attack is found. On the STRM side you need STRM 2010.0r1 / Patch 3
# and updates of these rpms: PROTOCOL-PCAP, DSM-DSMCommon, DSM-JuniperJunOS

# Additions to IDP rules to take packet captures
edit security idp idp-policy TEST rulebase-ips rule 1 then notification
set packet-log pre-attack 4
set packet-log post-attack 6
set packet-log post-attack-timeout 2
top

# Specify the destination to deliver these data to
# The port definition must match the DSM configuration on STRM
edit security idp sensor-configuration
set packet-log source-address 172.30.81.84
set packet-log host 172.30.80.76
set packet-log host port 515
top

# Resource consumption limits can be adjusted
# The values below allow pcaps to use 10% of total memory and 10% of max sessions
edit security idp sensor-configuration
set packet-log total-memory 10
set packet-log max-sessions 10
top

# Show statistics for packet logging
show security idp counters packet-log
IDP PACKET CAPTURES IN STRM
(screenshot of the packet capture view in STRM; not reproduced in this text)

INTRUSION DETECTION AND PREVENTION
MONITORING AND DIAGNOSTICS
# Attack database version
show security idp security-package-version

# Check if the connection to the update server is ok
request security idp security-package download check-server

# Check if IDP is enabled on a security policy
show security policies policy-name <name> detail | match Intrusion

# IDP status
show security idp status

# Application identification: cache with the last connections and per-application statistics
show security idp application-statistics
show security idp application-identification application-system-cache

# Attacks detected since the last policy load
show security idp attack table

# IDP counters
show security idp counters ?

# Catch IDP logs and write them to a local log file (only possible in log mode event)
set system syslog file IDP-Logs user info
set system syslog file IDP-Logs match IDP_ATTACK
set system syslog file IDP-Logs archive size 1m
set system syslog file IDP-Logs archive files 3
set system syslog file IDP-Logs structured-data brief
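The structured-data format configured above writes one RFC 5424 line per event, with the IDP fields as key="value" pairs inside a single structured-data element. The following is an added Python example (not part of the Jump Station and not Juniper code) that picks the IDP attack events out of such a file, unpacks the fields and counts events per source address and per attack name, which is the first thing one wants from a local IDP-Logs file. The four sample lines are constructed for this example; the attribute names used in them (source-address, attack-name, action, threat-severity, note) are assumptions, so adapt them to the fields your release actually emits.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID
HEADER = re.compile(
    r"^<\d+>1\s+(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<app>\S+)\s+\S+\s+(?P<msgid>\S+)\s+"
)
# One structured-data element: [SD-ID PARAM="value" ...]; values may contain \" escapes
SD_ELEMENT = re.compile(r'\[(?P<sdid>[^\s\]]+)(?P<params>(?:\s+[\w.-]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM = re.compile(r'([\w.-]+)="((?:[^"\\]|\\.)*)"')

# Constructed sample lines in the shape "structured-data brief" produces.
# Host names, addresses and attribute names/values are made up for this example.
SAMPLE_LOGS = [
    '<14>1 2012-11-08T10:15:42Z srx RT_IDP - IDP_ATTACK_LOG_EVENT '
    '[junos@2636.1.1.1.2.36 message-type="SIG" source-address="10.0.0.5" '
    'source-port="51234" destination-address="172.30.80.76" destination-port="80" '
    'protocol-name="TCP" policy-name="TEST" attack-name="HTTP:AUDIT:URL" '
    'action="NONE" threat-severity="INFO"]',
    '<14>1 2012-11-08T10:15:43Z srx RT_IDP - IDP_ATTACK_LOG_EVENT '
    '[junos@2636.1.1.1.2.36 message-type="SIG" source-address="10.0.0.5" '
    'source-port="0" destination-address="172.30.80.76" destination-port="0" '
    'protocol-name="ICMP" policy-name="TEST" attack-name="ICMP:INFO:ECHO-REQUEST" '
    'action="NONE" threat-severity="INFO"]',
    '<14>1 2012-11-08T10:15:44Z srx RT_IDP - IDP_ATTACK_LOG_EVENT '
    '[junos@2636.1.1.1.2.36 message-type="SIG" source-address="10.0.0.9" '
    'source-port="40001" destination-address="172.30.80.76" destination-port="80" '
    'protocol-name="TCP" policy-name="TEST" attack-name="HTTP:AUDIT:URL" '
    'action="DROP" threat-severity="INFO" note="escaped \\"quote\\" test"]',
    # A non-IDP line, which the "match IDP_ATTACK" syslog filter above would drop.
    '<14>1 2012-11-08T10:15:45Z srx RT_FLOW - RT_FLOW_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.36 reason="TCP FIN" source-address="10.0.0.5"]',
]


def parse_idp_event(line: str) -> Optional[Dict[str, str]]:
    """Return the structured-data fields of one IDP attack line, or None for other lines."""
    header = HEADER.match(line)
    if not header or "IDP_ATTACK" not in header.group("msgid"):
        return None  # same selection the "match IDP_ATTACK" filter makes
    sd = SD_ELEMENT.search(line, header.end())
    if not sd:
        return None
    fields = {key: val.replace('\\"', '"') for key, val in SD_PARAM.findall(sd.group("params"))}
    fields["timestamp"] = header.group("ts")
    fields["host"] = header.group("host")
    fields["msgid"] = header.group("msgid")
    return fields


def summarize(lines: List[str]) -> Dict[str, object]:
    """Count events per source address and per attack name, and how many were enforced."""
    by_source: Counter = Counter()
    by_attack: Counter = Counter()
    enforced = 0
    for line in lines:
        event = parse_idp_event(line)
        if event is None:
            continue
        by_source[event.get("source-address", "?")] += 1
        by_attack[event.get("attack-name", "?")] += 1
        if event.get("action", "NONE").upper() != "NONE":
            enforced += 1  # anything other than no-action, e.g. DROP
    return {"by_source": by_source, "by_attack": by_attack, "enforced": enforced}


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOGS)
    for src, n in summary["by_source"].most_common():
        print(f"{src:15} {n} events")
    for name, n in summary["by_attack"].most_common():
        print(f"{name:25} {n}")
    print("enforced:", summary["enforced"])
```

On a device you would feed the output of `file show /var/log/IDP-Logs` into `summarize`; with the two INFO signatures from the custom policy above, the per-source counts tell you immediately which hosts generate the most pings and HTTP requests.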

IDP FILES AND THEIR LOCATION
# Attack database in XML format
file show /var/db/idpd/sec-download/SignatureUpdate.xml

# List of all attack groups (as downloaded)
file show /var/db/idpd/sec-download/groups.xml

# List of all attacks
file show /var/db/idpd/sec-repository/attack.list

# List of all attack groups (as installed in the repository)
file show /var/db/idpd/sec-repository/attack-group.list

# List of all applications AppID can identify
file show /var/db/idpd/sec-repository/application.list

# The final policy after compilation
file show /var/db/idpd/sets/POLICYNAME.set

SIGNATURE BACKGROUND INFORMATION
LIST OF AVAILABLE SIGNATURES
http://services.netscreen.com/documentation/signatures/

RSS-FEED ABOUT CHANGES
https://services.netscreen.com/restricted/sigupdates/nsm-updates/updates.xml

Signatures with references to CVE, Bugtraq and MS vulnerability IDs
https://services.netscreen.com/restricted/sigupdates/nsm-updates/CVE-BID-mapping.csv

APPLICATION VOLUME TRACKING
APPLICATION VOLUME TRACKING
State of Application Volume Tracking
introduced for High End SRX with JUNOS 10.2
introduced for Branch SRX with JUNOS 11.2
STRM can parse and display AVT logs
NSM today can not parse and display AVT logs

Application Identification Signatures
On High End SRX they are still part of the configuration (stanza services application-identification), but the plan is to move them to a separate database with 11.4
On Branch SRX the signature database has been separate since 11.2
Custom signatures will stay under "services application-identification"

APPLICATION VOLUME TRACKING
SIGNATURES DOWNLOAD
# AVT is available on Datacenter SRX since 10.2 and on Branch SRX since JUNOS 11.2
# AVT uses signatures to identify applications

# Default URL is https://services.netscreen.com/cgi-bin/index.cgi

# Before JUNOS 11.4 the signatures were added directly to the existing configuration
# Since JUNOS 11.4 the predefined signatures are saved to an external database,
# similar to the IDP signature database

# Download the application signatures
request services application-identification download

# Install the downloaded application signatures
request services application-identification install

APPLICATION VOLUME TRACKING
CONFIGURATION
# AppTrack is enabled per security zone
set security zones security-zone trust application-tracking

# Configure the remote syslog device to receive AppTrack messages
# STRM 2010.0 has predefined reports to handle AppTrack logs
set security log format sd-syslog
set security log source-address 172.30.81.82
set security log stream STRM host 172.30.80.76

# To generate an AppTrack log at session start (disabled by default)
set security application-tracking first-update

# To generate the first update message 1 minute after session start
set security application-tracking first-update-interval 1

# To generate additional update messages every 5 minutes
set security application-tracking session-update-interval 5

# A final log at session end is created by default

# Monitoring: counters and cache
show services application-identification counter
show services application-identification application-system-cache

# J-Web support is currently planned for 2H11

APPLICATION VOLUME TRACKING
MONITORING
# Full monitoring requires looking at the AVT logs
# STRM (since 2010.0r2) has parsing and reporting capabilities
# NSM today can not parse the AVT logs

# If event logging was enabled, the logs are available in the local log file
file show /var/log/policy_session | match APPLICATION

# In addition to the logs, a cache is enabled by default and can be used for monitoring
show services application-identification application-system-cache
# Since 11.4 there are additional statistics showing per-group/per-application usage
show services application-identification statistics application-groups
show services application-identification statistics applications

# To see the signatures (before 11.4)
show config services application-identification application junos:FTP
show config services application-identification nested-application junos:FACEBOOK-CHAT

# Since 11.4 the signatures are no longer part of the configuration, but can still be seen
show services application-identification version
# With 11.4 some groups were also introduced, which make it easier to
# select the AppID signatures for application firewalling
show services application-identification application detail junos:FTP
show services application-identification group summary
show services application-identification statistics application-groups

APPLICATION VOLUME TRACKING
VISIBILITY OF LOGS IN STRM
(screenshot of AppTrack logs in STRM; not reproduced in this text)

APPLICATION VOLUME TRACKING
VISIBILITY IN J-WEB
Monitoring -> Security -> Application Tracking

APPLICATION FIREWALL
STATE OF APP FIREWALL
State of the Application Firewall Feature Set
AppFW was introduced for High End SRX with JUNOS 10.4
AppFW was introduced for Branch SRX officially with JUNOS 11.4
AppFW can be used together with user identities on all SRX with JUNOS 12.1

Management of the Application Firewall
Management on the CLI is possible today on all platforms
Management in the J-Web UI is available since 11.2
Support in JUNOS Space Security Designer is available since 11.4
Support for NSM is currently not available
Recommended tool for application firewall configuration is Space or the J-Web UI

Logging and Reporting of the Application Firewall
STRM 2010.0 can decode application firewall and application tracking logs,
both in stream and event mode.
J-Web UI log visibility and improved reporting is expected with 11.4r2
Support for NSM is currently not available

APPLICATION FIREWALL
EXAMPLE CONFIGURATION: BLOCK YOUTUBE STREAMING
edit security application-firewall rule-sets APPFW
set rule YOUTUBE-STREAM match dynamic-application junos:YOUTUBE-STREAM
set rule YOUTUBE-STREAM then deny
set default-rule permit
top

top edit security policies from-zone trust to-zone untrust policy 1
set match source-address any
set match destination-address any
set match application any
set then permit application-services application-firewall rule-set APPFW
top

# List of applications that can be identified with the current database
http://services.netscreen.com/documentation/applications/

APPLICATION BACKGROUND INFORMATION
List of Applications and Application Groups
http://services.netscreen.com/documentation/applications/

RSS-Feed with Changes (same as IDP)
https://services.netscreen.com/restricted/sigupdates/nsm-updates/updates.xml

AppSecure Feature Documentation
http://www.juniper.net/techpubs/en_US/junos12.1/information-products/pathway-pages/security/security-appsecure-index.html

USER IDENTITY BASED FIREWALL
CLIENTLESS AD INTEGRATION WITH SRX AND UAC
CLIENTLESS AD INTEGRATION
(sequence diagram between the endpoint, the SRX, the IC and AD; the numbered steps below are the ones recovered from the three slides)
1. Connect: the IC pushes all roles to the SRX
2. The user authenticates to the domain (AD)
3. The user wants to connect to Finance
4. A drop notification is sent from the SRX to the IC
5. The user gets redirected to the IC (302)
6. The IC challenges the user with SPNEGO (401)
7. The endpoint pulls a service ticket from the KDC
8. The endpoint re-submits the HTTP GET request to the IC with the SPNEGO auth token
9. After successful authentication, the IC pushes an auth table entry to the SRX
10. The IC redirects the user back to the protected resource
11. The user can now access Finance

USER IDENTITY BASED FIREWALL
CONFIGURATION
# User identity based firewall was introduced in JUNOS 12.1

# Set up the UAC infranet controller connection on the SRX (this uses destination port 11123)
set services unified-access-control infranet-controller SERVER address 172.30.81.141
set services unified-access-control infranet-controller SERVER interface fxp0.0
set services unified-access-control infranet-controller SERVER password

# Set up the captive portal
edit services unified-access-control captive-portal PORTAL
set redirect-traffic unauthenticated
set redirect-url http://172.30.81.141
top

# Define the authentication sources and their priority
edit security user-identification
set traceoptions file userid flag all
set authentication-source local-authentication-table priority 100
set authentication-source unified-access-control priority 200
top

# Enable the UAC policy on a security policy
set security policies ... match source-identity ROLE1
set security policies ... then permit application-services uac-policy

# Enable the captive portal
set security policies ... then permit application-services uac-policy captive-portal PORTAL

# For the full configuration follow the UAC Solution Guide

USER IDENTITY BASED FIREWALL
COMMANDS FOR UAC
# Commands to monitor UAC status and information
show services unified-access-control status
show services unified-access-control policies detail
show services unified-access-control roles

# Directory for UAC roles
/var/db/uac.roles

# Directory for local auth data
/var/db/nsd

USER IDENTITY BASED FIREWALL
COMMANDS FOR LOCAL AUTHENTICATION
# Commands to build and examine the local table
request security user-identification local-authentication-table add ?
request security user-identification local-authentication-table delete ?
clear security user-identification local-authentication-table
show security user-identification local-authentication-table ?
show security user-identification local-authentication-table all ?

# Directory for local auth data
/var/db/nsd

APPLICATION DDOS PROTECTION
APPLICATION DDOS PROTECTION
Application DDOS is a technology to identify and mitigate distributed denial of
service attacks, typically generated by botnets

Application DDOS works in 3 phases
Phase 1
if the connection rate to a server exceeds a limit, protocol analysis starts
Phase 2
track connection rate limits (per destination and/or context)
Phase 3
classify clients as bots when they exceed the thresholds

Once bots have been identified, their activities can be mitigated by
dropping their existing connections and/or
dropping future connections (for a certain time) and/or
rate limiting future new connections (for a certain time)

AppDDOS today (12.1) can be used to protect HTTP and DNS services
AppDDOS is available with the AppSec-A license for Datacenter SRX since 10.0
AppDDOS 3-Stage Processing

Stage 1: Server Monitoring
1. Connections Per Second
The administrator defines a CPS threshold for a server to start monitoring for AppDDOS.
CPS below this threshold is considered normal activity.

Stage 2: Protocol Profiling
2. Context Rate Monitoring/Limiting
Once the AppDDOS CPS threshold is surpassed, AppDDOS monitors the context rate.
If it exceeds this rate, additional investigation can occur, depending on whether
stage 3 is configured. If stage 3 is not configured, the appropriate action can occur.

Stage 3: Bot Client Classification
3. Client Classification (optional)
If time binding is configured, it tracks not only the rate of the context being
matched, but also allows the administrator to track this value for individual clients,
to prevent them from individually surpassing the defined limits within the time period.

(Flowchart on the slide, decision by decision: Access to monitored server? -> Connection
rate exceeded? -> Access to monitored context? -> Context rate exceeded? / Context value
rate exceeded? -> Time-binding configured? -> Counter exceeded? -> Action/Logging)

AppDDOS Configuration Structure
Firewall Security Policy
On a rule-by-rule basis IDP processing is configured (since AppDDOS is
part of the IDP functionality). Firewall processing includes matching based on:
source zone, destination zone, source IP, source port, destination IP, destination
port and protocol.

IDP Security Policy
ApplicationDDOS Profile
The ApplicationDDOS profile defines the following:
Context to match
Connections per second to trigger Phase 2
Context thresholds to trigger Phase 3, or direct actions based only on the overall thresholds
Client contexts per period

IDP Policy
Within the IDP security policy the rulebase-ddos is where the configuration defines
what criteria to match, based on: source zone, destination zone, source IP,
destination IP, application and application-ddos profile. This rule defines what to
do with the offending connection, along with the ip-action for future connections.

APPLICATION DDOS PROTECTION (1/3)
# AppDDOS is available as a licensed feature for Datacenter SRX since JUNOS 10.0

# Define two servers in a group for investigation
set security zones security-zone trust address-book address SERVER1 172.30.80.132/32
set security zones security-zone trust address-book address SERVER2 172.30.80.202/32
edit security zones security-zone trust address-book address-set WEBSERVER
set address SERVER1
set address SERVER2
top

# Firewall policy
# Activate IDP on the firewall rules that permit traffic to these servers
set security policies from-zone trust to-zone untrust policy 1 then permit application-services idp

# Application DDOS profile
# Define the thresholds we use to look for DDOS attacks
edit security idp application-ddos HTTP_DDOS
set service http
# Phase 1 - Start protocol analysis if we see more than 5 connections per second
set connection-rate-threshold 5
# Phase 2 - Start botnet classification if we see more than 50 URL hits per second
# or more than 50 hits per second on one and the same URL
set context http-url-parsed hit-rate-threshold 50
set context http-url-parsed value-hit-rate-threshold 50
# Phase 3 - Classify clients as bots if they access more than 50 URLs per minute
set context http-url-parsed time-binding-count 50
set context http-url-parsed time-binding-period 60
top
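To see how the three phases described on the previous slides and the HTTP_DDOS thresholds above interact, here is an added Python example that replays a constructed capture second by second and applies the same decisions: connection rate per server (phase 1), context hit rate and value hit rate per server (phase 2), and the per-client time binding (phase 3). It is an illustration written for this page, not Juniper's implementation and not code from the original document. The thresholds are the ones from the profile; the traffic (three ordinary clients, ten bots starting at second 30, all bots hitting one URL) and the simplification that every request is one new connection carrying one URL are assumptions of the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class AppDdosProfile:
    """Thresholds copied from the HTTP_DDOS profile above (constructed data class)."""
    connection_rate_threshold: int = 5   # phase 1: new connections per second to one server
    hit_rate_threshold: int = 50         # phase 2: context hits per second on that server
    value_hit_rate_threshold: int = 50   # phase 2: hits per second on one context value (one URL)
    time_binding_count: int = 50         # phase 3: hits one client may make within the period
    time_binding_period: int = 60        # phase 3: period in seconds


@dataclass
class Request:
    t: int        # second, relative to the start of the constructed capture
    client: str   # source address
    server: str   # destination address
    url: str      # value of the http-url-parsed context


def classify(requests: List[Request], profile: AppDdosProfile) -> Dict[str, object]:
    """Replay the requests second by second and apply the three phases.

    Assumption of this example: each request is one new connection with one URL,
    so connections per second and context hits per second come from the same list.
    """
    by_second: Dict[int, List[Request]] = defaultdict(list)
    for r in requests:
        by_second[r.t].append(r)

    # (client, server) -> timestamps of context hits, used by the time binding
    hits_seen: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    monitored: Set[str] = set()
    rate_exceeded_at: List[int] = []
    bots: Dict[str, int] = {}  # client -> second in which it was first classified

    for t in sorted(by_second):
        second = by_second[t]
        for r in second:
            hits_seen[(r.client, r.server)].append(r.t)

        for server, cps in Counter(r.server for r in second).items():
            # Phase 1: below the connection-rate threshold nothing is inspected.
            if cps <= profile.connection_rate_threshold:
                continue
            monitored.add(server)

            # Phase 2: context rate (all URLs) and value rate (one URL) on this server.
            server_hits = [r for r in second if r.server == server]
            per_value = Counter(r.url for r in server_hits)
            if (len(server_hits) <= profile.hit_rate_threshold
                    and max(per_value.values()) <= profile.value_hit_rate_threshold):
                continue
            rate_exceeded_at.append(t)

            # Phase 3: time binding, per client, over the sliding period.
            window_start = t - profile.time_binding_period
            for client in {r.client for r in server_hits}:
                recent = sum(1 for ts in hits_seen[(client, server)] if ts > window_start)
                if recent > profile.time_binding_count and client not in bots:
                    bots[client] = t

    return {"monitored": monitored, "rate_exceeded_at": rate_exceeded_at, "bots": bots}


def build_sample_traffic() -> List[Request]:
    """Constructed 60-second capture: three ordinary clients plus ten bots from second 30."""
    server = "172.30.80.132"  # SERVER1 of the address book above
    reqs: List[Request] = []
    for t in range(60):
        if t % 2 == 0:  # ordinary clients: one request every two seconds, varied URLs
            for i in range(3):
                reqs.append(Request(t, f"10.1.0.{i + 1}", server, f"/page{i}?t={t}"))
        if t >= 30:     # bots: six connections per second each, all hammering one URL
            for b in range(10):
                for _ in range(6):
                    reqs.append(Request(t, f"10.9.0.{b + 1}", server, "/login"))
    return reqs


if __name__ == "__main__":
    result = classify(build_sample_traffic(), AppDdosProfile())
    print("monitored servers:", sorted(result["monitored"]))
    print("context rate first exceeded at second:", result["rate_exceeded_at"][0])
    for client, when in sorted(result["bots"].items()):
        print(f"bot {client} classified at second {when}")
```

Two things the replay makes visible that the configuration alone does not: the ordinary clients never reach the time-binding count (30 hits in a 60 second window), so they are not classified even though they share the server with the attack, and each bot is classified only once it has accumulated more than 50 hits inside the window (six per second, so at second 38), which is the delay between the first "Context Rate Exceeded" and the first ip-action.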

APPLICATION DDOS PROTECTION (2/3)
# Install an IDP Policy
set security idp active-policy IDP-POLICY

# Add a DDOS Rule to this IDP-Policy to hunt for DDOS attacks against the two Servers
edit security idp idp-policy IDP-POLICY rulebase-ddos rule RULE1
set match from-zone untrust
set match to-zone trust
set match destination-address WEBSERVER
set match application default
set match application-ddos HTTP_DDOS
set then action no-action
set then notification log-attacks

# Use IP-Action to rate limit any bot found to a maximum of 5 connections per second
set then ip-action ip-connection-rate-limit 5
set then ip-action log
set then ip-action timeout 15
set then ip-action refresh-timeout
top

APPLICATION DDOS PROTECTION (3/3)
# AppDDOS monitor and control commands
show security idp counters application-ddos
show security idp application-ddos application
show security idp application-ddos application detail

# Show hosts that are targets of an ip-action
show security flow ip-action

# Remove all current ip-actions
clear security flow ip-action

UTM-FEATURESET
UTM FEATURES
Antivirus - Sophos or Kaspersky (full and express)
Protects against viruses in e-mail (SMTP, POP, IMAP protocols), webmail (HTTP) and FTP traffic
Integrated AV engines and virus signature databases, updated periodically; available through the AV subscription license

Web filtering - WebSense / SurfControl / Enhanced WF
Controls (allows/denies) access to websites based on URL category
Off-box (in-the-cloud or on-premise) URL servers / databases

Content filtering
Provides basic DLP functionality: filters traffic based on file/MIME type, file extension and protocol commands; keyword matching is expected in the future

Antispam - Sophos
Stops e-mail spam based on the IP address/reputation of the sender
Off-box spam blacklist database - Sophos SBL/RBL (spam/real-time block list); available as a subscription license
HOW UTM PROFILES ARE CHAINED WITH POLICIES
UTM features are activated per firewall rule by assigning a UTM policy

The UTM policy has a section for each protocol that allows UTM protection

Each of these protocol sections references the profiles for the different UTM features

UTM-FEATURE: ANTIVIRUS
ANTIVIRUS ON SRX
THREE FLAVOURS
KASPERSKY ANTIVIRUS
Full scan engine
Local execution of the scan

SOPHOS ANTIVIRUS
Cloud based
Verifies source URL and file checksums against a malware database

EXPRESS AV
Reduced local scan engine

PROCESSING ORDER
(figure showing the processing order of the UTM features; not reproduced in this text)

ACTIVATE ANTIVIRUS (EXPRESS AV ENGINE)
# Check also Knowledgebase article KB16620

# Configure the SRX Series device to use the express antivirus engine
set security utm feature-profile anti-virus type juniper-express-engine

# Configure a UTM policy to use the predefined antivirus profile
# http-profile junos-eav-defaults
set security utm utm-policy UTM-POL anti-virus http-profile junos-eav-defaults

# Apply the UTM policy to the existing trust to untrust security policy
edit security policies from-zone trust to-zone untrust policy default-permit
set then permit application-services utm-policy UTM-POL
top

ACTIVATE ANTIVIRUS (KASPERSKY LAB ENGINE)
# Configure the SRX Series device to use the Kaspersky Lab antivirus engine
set security utm feature-profile anti-virus type kaspersky-lab-engine

# Configure a UTM policy to use the predefined antivirus profile
# http-profile junos-av-defaults
set security utm utm-policy UTM-POL anti-virus http-profile junos-av-defaults

# Apply the UTM policy to the existing trust to untrust security policy
edit security policies from-zone trust to-zone untrust policy default-permit
set then permit application-services utm-policy UTM-POL
top

ACTIVATE ANTIVIRUS (SOPHOS CLOUD SERVICE)
# Configure the SRX Series device to use the Sophos antivirus engine
set security utm feature-profile anti-virus type sophos-engine

edit security utm feature-profile anti-virus sophos-engine
# Configure to download engine and pattern updates once per day
set pattern-update interval 1440
set pattern-update url "http://update.juniper-updates.net/SAV/"
top

# Check the URLs against the database that identifies known malware sources
edit security utm feature-profile anti-virus sophos-engine profile SOPHOS
set scan-options uri-check
# To log all URLs (even those that were not blocked) use
set fallback-options default log-and-permit
top

# Configure a UTM policy to apply Sophos AV on HTTP connections
set security utm utm-policy UTM-POL anti-virus http-profile SOPHOS

# Apply the UTM policy to the existing trust to untrust security policy
edit security policies from-zone trust to-zone untrust policy default-permit
set then permit application-services utm-policy UTM-POL
top

ANTIVIRUS
MONITORING AND DIAGNOSTICS
# Show database version and update settings
# Default for Kaspersky is every 1h
# Default for Sophos is every 24h
show security utm anti-virus status

# Statistics on AV operation
show security utm anti-virus statistics

# Run a manual pattern update for the Kaspersky engine
request security utm anti-virus kaspersky-lab-engine pattern-update

# Run a manual pattern update for the Sophos engine
request security utm anti-virus sophos-engine pattern-update

UTM-FEATURE: URL FILTERING
URL FILTERING
State of URL Filtering
Local black and white lists can be used for web filtering
useful as a response to security problems (phishing mails, abuse of applications ...)
no license required to use this feature
To get a more valuable URL filter you need a service subscription (license),
where URLs are checked against a database
As a response to the query, a list of categories for this URL is returned
In the profile it can be defined which categories are permitted/denied
Before 11.4 there were two flavors of web filtering services
Integrated Webfilter (aka surfcontrol-integrated, license: WF)
Redirect Webfilter (aka WebSense, no license)
With 11.4 a new option was introduced
Enhanced Webfilter (aka juniper-enhanced, license: EWF)

Main benefits of the Enhanced Webfilter solution from 11.4 are
comparable to the Integrated Webfilter solution, but with the following enhancements:
more categories (94 vs. 40) and the option for custom categories (based on local pattern lists)
option to activate safe-search to filter search engine results
option to receive and react on reputation information for each URL
option to redirect access for blocked sites to another URL
better scalability (up to 64K sessions on SRX 650)
WEBFILTER ON SRX
Two options for cloud based URL checking:
Webfilter Integrated (surfcontrol-integrated)
and since 11.4
Enhanced Webfilter (juniper-enhanced)

One option to redirect traffic through a local Websense server:
Redirect (WebSense)

HOW TO CHECK THE CLASSIFICATION OF A URL ?
CHECK THE CLASSIFICATION OF A SITE FOR INTEGRATED AND ENHANCED WEBFILTERING

For the old, integrated Surfcontrol engine use the following online URL:
http://mtas.surfcontrol.com/mtas/JuniperTest-a-Site.asp

For the new, enhanced Webfilter use the following online URL:
http://aceinsight.websense.com/

The online lookups only tell you the vendor's category. To see how a given profile on your
own device treats the site, use the CLI:
test security utm web-filtering profile "EWF-PROFILE" test-string www.facebook.com

WEBFILTER
LOCAL BLACKLIST AND WHITELIST (1/2)
Since JUNOS 10.0 a local black- and whitelist can be configured
This filter method even works without a web filter license
To use the wildcards * and ? the pattern must start with "http://"
# First specify lists of URLs (up to 20 patterns per list object)
edit security utm custom-objects
set url-pattern BAD value [http://www.cisco2.com www.checkpoint2.com]
set url-pattern GOOD value "http://*.juniper.net"
set url-pattern GOOD value "http://www.acmegizmo.???"
top

# Use these objects to define new custom categories
edit security utm custom-objects
set custom-url-category BLACKLISTED value BAD
set custom-url-category WHITELISTED value GOOD
top

# Finally attach these categories to the web filtering feature profile as black- and whitelist
edit security utm feature-profile web-filtering
set url-blacklist BLACKLISTED
set url-whitelist WHITELISTED
top

WEBFILTER
LOCAL BLACKLIST AND WHITELIST (2/2)
# If no other web filtering engine is selected then use type juniper-local
set security utm feature-profile web-filtering type juniper-local

# Define the web filtering profile (local lists only, everything else permitted)
# The fallback actions decide what happens when the filter cannot give an answer;
# block is the fail-closed choice
edit security utm feature-profile web-filtering juniper-local profile UTM-PROF
set default permit
set custom-block-message "Access to this site is not permitted"
set fallback-settings default block
set fallback-settings too-many-requests block
top

# Configure a UTM policy using this profile
set security utm utm-policy UTM-POL web-filtering http-profile UTM-PROF

# Apply this UTM policy in a firewall rule
edit security policies from-zone trust to-zone untrust policy trust-to-untrust
set then permit application-services utm-policy UTM-POL
top
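The three objects above (url-pattern, custom-url-category and the url-blacklist/url-whitelist of the feature profile) only make sense together, so here is a small Python model of the resulting decision. It is added for this page and is not code from the guide or from Junos. The pattern semantics it implements (a bare host name matches that host exactly; a value starting with http:// may use * and ? and is matched against scheme://host; whitelist is consulted before blacklist, then the profile default) are assumptions chosen for the example, and the host names and test URLs are constructed.

```python
import fnmatch
from urllib.parse import urlsplit

# Assumed to mirror the url-pattern objects configured above (hypothetical hosts).
BAD = ["http://www.cisco2.com", "www.checkpoint2.com"]
GOOD = ["http://*.juniper.net", "http://www.acmegizmo.???"]


def _scheme_and_host(url):
    """Split a URL into (scheme, host); a bare host name is treated as http."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return parts.scheme.lower(), (parts.hostname or "").lower()


def matches(pattern, url):
    """True if url matches one url-pattern value.
    Assumed semantics: a value starting with http:// is compared against
    scheme://host with * and ? wildcards; a bare name must equal the host.
    Matching scheme://host rather than the full URL means a listed name
    hidden in the path or query string of another site does not match."""
    scheme, host = _scheme_and_host(url)
    pattern = pattern.lower()
    if pattern.startswith("http://"):
        return fnmatch.fnmatchcase(f"{scheme}://{host}", pattern)
    return host == pattern


def classify(url, default="permit"):
    """Decision for one URL: whitelist first, then blacklist, then the
    profile default (this order is an assumption made for the example)."""
    if any(matches(p, url) for p in GOOD):
        return "permit (whitelist)"
    if any(matches(p, url) for p in BAD):
        return "block (blacklist)"
    return default


if __name__ == "__main__":
    for u in ["http://www.juniper.net/products", "http://www.cisco2.com",
              "http://evil.example/?ref=www.checkpoint2.com"]:
        print(u, "->", classify(u, default="block"))
```

The point worth noticing is the last case in the usage: a listed host name appearing only in the query string of a different site does not trigger the list, because the comparison is made on the host, not on the whole URL. Likewise "http://www.juniper.net.evil.example" is not whitelisted, since the pattern must match the host to its end.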

WEBFILTER
ACTIVATION OF THE INTEGRATED ENGINE
# Configure the SRX Series device to use the integrated engine
set security utm feature-profile web-filtering type surf-control-integrated

# Configure a new utm-policy to use the predefined web filtering profile junos-wf-cpa-default
edit security utm utm-policy UTM-POL
set web-filtering http-profile junos-wf-cpa-default
top

# Apply the UTM policy to the existing trust to untrust security policy
edit security policies from-zone trust to-zone untrust policy default-permit
set then permit application-services utm-policy UTM-POL
top

WEBFILTER
EXAMPLE FOR A CUSTOM PROFILE
# Configure the SRX Series device to use the integrated engine
set security utm feature-profile web-filtering type surf-control-integrated

# Custom categorization and actions for this engine
# The fallback settings decide what happens when the cloud lookup cannot answer:
# log-and-permit fails open, block fails closed; choose deliberately
edit security utm feature-profile web-filtering surf-control-integrated
edit profile TS-BLOCK-SELECTED-SITES
set category Violence action block
set category Adult_Sexually_Explicit action block
set category Gambling action block
set category Remote_Proxies action block
set default log-and-permit
set fallback-settings default log-and-permit
set fallback-settings server-connectivity log-and-permit
set fallback-settings timeout log-and-permit
set fallback-settings too-many-requests block
set timeout 60
top

# Use the profile in a UTM policy
edit security utm utm-policy POLICY2
set web-filtering http-profile TS-BLOCK-SELECTED-SITES
top

# Apply the new UTM policy in a firewall rule
edit security policies from-zone trust to-zone untrust policy default-permit
set then permit application-services utm-policy POLICY2
top

WEB-FILTER
MONITORING AND DIAGNOSTICS
# Show database version and update settings (default: every 60 minutes)
show security utm web-filtering status

# Statistics on web filter operation (not for EWF)
show security utm web-filtering statistics


UTM-FEATURE:
ANTI-SPAM
ANTI SPAM
ACTIVATION OF THE FEATURE
# Configure the SRX Series device to use the anti-spam feature (Symantec SBL service, license required)
set security utm feature-profile anti-spam symantec-sbl

# Use the predefined anti-spam profile junos-as-defaults in a new utm-policy
set security utm utm-policy UTM-POL anti-spam smtp-profile junos-as-defaults

# Apply this UTM policy to an existing trust to untrust security policy
edit security policies from-zone trust to-zone untrust policy default-permit
set then permit application-services utm-policy UTM-POL
top

# Optional local blacklist to drop SMTP traffic from additional senders
set security utm custom-objects url-pattern MYBLACKLIST value mail.cisco.com
set security utm feature-profile anti-spam address-blacklist MYBLACKLIST

MORE ....

RESET TO FACTORY DEFAULT
RESET METHODS
The following methods can be used to reset the device to Factory Default
Method 1: Reset via Reset PIN
Method 2: Load Factory Default configuration
Method 3: Wipe Configuration Files and load Default configuration
Method 4: Single User Boot Procedure
Method 5: Install Factory Default Snapshot from Boot monitor
Method 6: Zeroize

The following method can also be used to recover the root password
Method 4: Single User Boot Procedure
Note: this means that anyone with console access and the ability to reboot the device
can obtain root. Protect physical and console access accordingly.

Important note for Branch SRX:
To recover a Branch SRX which is in cluster mode you must first turn it
back into non-cluster mode (set chassis cluster disable reboot).
If you don't have a password any more, you can only use Method 4 or Method 5

See also http://kb.juniper.net/KB12167 and http://kb.juniper.net/KB15725

BRANCH SRX PREREQUISITE:
YOU MUST ESCAPE CLUSTER MODE FIRST
If your device was a member of a cluster you will notice an additional line
before the system prompt
{primary:node1}
root>

To return from cluster mode to a single unit use the following command,
which also performs the necessary reboot
root> set chassis cluster disable reboot

If you are in cluster mode but can not log in to your system, you have to use
Method 4 (Single User Boot Procedure)

RESET METHOD 1:
RESET VIA RESET BUTTON
Use the reset button
On J-Series: press the configuration pin for 15 sec. to load the factory default
On SRX: press the reset pin for 15 sec. and follow the LED color changes
On EX switches: use the LCD menu to load the factory default configuration

Notes
You have to exit the shell first
The node name in the shell prompt appears to be unchanged,
but this will change with the next reboot
If you have a Branch SRX which is still in cluster mode, the factory default
configuration can not commit, as it includes switching configuration.
You then should use method 5 (USB snapshot) or method 4 (single user mode)

RESET METHOD 2:
LOAD FACTORY DEFAULT CONFIGURATION FROM CLI
If login is still possible you can use CLI commands to load the factory-default configuration.
You have to set a root password, otherwise the configuration can not be committed
Remote management console
login: root
password: <none>
root@J2300> configure
root@J2300# load factory-default
# You have to set at least the root password, otherwise you can not commit
root@J2300# set system root-authentication plain-text-password
New password:
Retype new password:
root@J2300# commit and-quit
root@J2300>

RESET METHOD 3:
WIPE CONFIGURATION FILES
If login is still possible and you have shell access you can erase the current
configuration file(s) and reboot. This is equivalent to a reboot with the default
configuration
root> start shell
root@J6350% su
root@J6350% cd /config
root@J6350% rm juniper.conf.gz
root@J6350% reboot

# Remark on JUNOS 11.2 (or probably earlier)
# You also have to wipe the rescue configuration (rescue.conf.gz in the same directory).
# Otherwise the system will boot the rescue config
# if the normal configuration file has disappeared

RESET METHOD 4:
SINGLE USER BOOT PROCEDURE
Single user mode, from the boot monitor
1. Reboot the device
2. When the message <Press space bar> appears --> interrupt the boot process
3. boot -s --> the device boots in single user mode
4. Log in as root, enter "recovery" to load the factory default
5. Enter the CLI as user root
6. Enter configure mode
7. set system root-authentication plain-text-password --> enter the new <Password>
8. commit
9. If the unit was still in cluster mode, you have to remove the interface
configuration and the interface assignments to security zones before the commit succeeds
10. request system reboot
11. If the unit was in cluster mode, then disable chassis cluster
and reboot once more.
For the latest information on this method please consult the Knowledgebase
http://kb.juniper.net/KB12167

Since JUNOS 10.0 you have to disable a watchdog in the boot monitor first.
See http://kb.juniper.net/KB17565

RESET METHOD 5:
BOOT AND COPY SNAPSHOT
Boot from a Snapshot USB Stick (see Chapter Software Upgrade)
# First you must copy a snapshot from an existing System to a USB Stick
# Keyword factory means, we copy factory default instead of running config
srx> request system snapshot partition media usb factory

# Now move the USB Stick to the System you want to recover and power it up
# Interrupt the Boot Process to get access to the Boot loader prompt
loader> nextboot usb
Setting next boot dev usb
Un-Protected 1 sectors
writing to flash...
Protected 1 sectors
loader> reboot

# Once the system has booted from the USB Stick, copy the image
# with the default configuration back to the internal Flash
srx> request system snapshot factory partition media internal

Notes:
- The USB stick must be at least the size of the internal flash (SRX100 = 1GB)
- This procedure also reformats and partitions the flash and copies the software
from the stick. All existing information is overwritten

RESET METHOD 6:
ZEROIZE SYSTEM
If Login is still possible and you have shell access you can completely wipe
anything which is not part of the factory default configuration by zeroizing
the media.
lab@bnlx-srx220-1> request system zeroize media
warning: System will be rebooted and may not boot without configuration
Erase all data, including configuration and log files? [yes,no] (no)



BOOTLOADER
BOOTLOADER NOTES
Boot loader documentation is included in the Admin Guide
To enter the boot monitor:
power up and wait for "Loading /boot/defaults/loader.conf"
Hit space at the following prompt
"Hit [Enter] to boot immediately, or space bar for command prompt."
The "loader>" prompt appears.
To see the current boot loader software version use this command:
show chassis routing-engine bios
Most methods for software update do not reformat the flash and thus do
not upgrade the boot loader
Since JUNOS 10.0 (with boot loader 1.5) the Branch SRX JUNOS
package includes the latest boot loader version, and the upgrade of the
current boot loader can be performed from the shell with this command:
bootupgrade -u /boot/uboot -l /boot/loader
The dual root partitioning scheme for Branch SRX requires boot loader
software version 1.5

FLASH PARTITIONING
DUAL ROOT
NOTES
Since JUNOS 10.0, Branch SRX can have a dual root partitioning scheme
Dual root improves fault tolerance and rollback capabilities and is recommended
With dual root the JUNOS software is installed on two separate root partitions.
The configuration is kept in another, shared partition
# Since JUNOS 10.2 the following command shows the partitioning and which partition
# is active
show system storage partitions

# To switch to the backup partition (takes effect at the next reboot)
request system software rollback
# If you change your mind you can switch back again
request system software rollback

# To copy the software from the current active partition to the backup partition use
request system snapshot slice alternate

JUNOS installation in a Dual-Root System
JUNOS upgrades from CLI and J-Web will work as follows:
Alternate root will be formatted and mounted.
New package will be installed into the alternate root
Alternate will be marked as the primary root.
On next reboot the system will boot with the newly installed image

JUNOS will always be installed to the alternate root:


When booted from primary root, the new image will go to the backup root
and it will become the new primary.
When booted from the backup root, new image will be installed in the
primary
Thus a simple installation can recover the primary root if it is corrupted.

JUNOS installation in Dual Root (animated slide, figure not reproduced)
Partition layout shown: s1a = primary root (JUNOS A), s2a = backup root (JUNOS B),
s3e = /config, s3f = /var, s4a = recovery.
"request system software add junos-c" writes JUNOS C into the alternate root,
which then becomes the current root.

SOFTWARE UPGRADES
JUNOS Software Upgrade on SRX
1. Decide on a software version and download it
Recommended software versions are listed here
Information on which feature is available in which release can be found here
Software downloads are available from here

2. Best practice: clean up storage before starting the update

3a. If you have physical access the easiest way is
(M1) Autoinstallation from USB stick (requires somebody with physical access)

4a. For other updates decide how to bring the software to your SRX
(T1) Upload or download the file in advance (scp or ftp)
(T2) Use a controlled download with the download manager
(T3) Mount and install from a USB stick
(T4) Reference a URL during installation

4b. When you are ready to install you can use
(M2) Installation from J-Web
(M3) Install from the CLI
(M4) Install from the CLI with ISSU (for SRX clusters)

5. Best practice: after completion use flash hardening

DOWNLOAD SOFTWARE FROM SUPPORT PAGES
HTTP://WWW.JUNIPER.NET/SUPPORT/PRODUCTS/

BEST PRACTICE:
CLEANUP BEFORE SOFTWARE UPGRADE
Useful steps to perform before starting an update are:
Check the flash size, purge unused files
# Check the current flash usage
show system storage | match cf

# On J-Series
show chassis hardware detail | match Flash

# Purge log files and other temporary data
request system storage cleanup

# If free space is still lower than the size of your image:

# purge the software backup
request system software delete backup

# locate directories on the flash with a large amount of data
show system directory-usage /cf

# To save space browse the directories and erase files manually
file list /cf/var/tmp detail
file delete ..

# Or use the shell to find the largest files on your flash
find -x /cf -type f -exec du {} \; | sort -n

UPGRADE - METHOD 1
AUTO INSTALLATION FROM USB STICK
# Since 10.4 Branch SRX devices can be set up from a USB stick with autoinstallation
# Step 1 - Prepare
- Prepare a USB stick (FAT32, <=8GB) with the following files:
- A file with the name "autoinstall.conf" must exist.
The content of this file is not important. It can also be an empty file.
- One JUNOS image, the file name must match "junos-srxsme*"
- Optional: you can also add a configuration file. The file name must be "junos-config.conf"
# Step 2 - Insert
- After the SRX has booted completely, insert the USB stick
- The LEDs will start blinking amber (Alarm, Status, Power and HA)
# Step 3 - Reset button
- Press the reset button for a short time
- The LEDs (Alarm, Status, Power and HA) will stop blinking and start glowing amber
- Now the new image gets copied; the existing configuration and rescue configuration
are verified against the new software version
- Finally the image gets installed in the second partition, and this partition
becomes the new primary partition
- If present on the stick, the new configuration gets copied too (but not yet committed)
- Step 3 takes about 10-12 minutes in total
- If something goes wrong (insufficient space, image corrupt, configuration
not compatible) the LEDs will glow red. Otherwise the LEDs will glow green
# Step 4 - Unplug the USB stick
- When the LEDs are green, the USB stick can be unplugged
- Some seconds after unplugging, the device starts a reboot, which takes ~5 minutes to complete
- During power up the new configuration is installed and applied

# Security note: anyone with physical access can use this procedure to install their own
# software and configuration on the device. Unless you rely on it for staging, disable it:
set system autoinstallation usb disable

UPGRADE - METHOD 1
AUTO INSTALLATION - FLOW DIAGRAM (figure not reproduced)

TRANSFER METHOD 1
MOUNT A LOCAL USB STICK
You can add your image from a DOS (FAT) formatted USB stick
# USB sticks are not auto mounted, so we must go to the shell as root to mount them
srx> start shell
% su -
Password:

# Find out the right device name. On SRX210 "da1" is the upper USB port, "da2" the lower one
# Either watch the console log while plugging in the stick or search the kernel log
root@srx% dmesg | grep umass
da1 at umass-sim1 bus 1 target 0 lun 0

# Once the device name is found, add "s1" (first partition) to it and mount it to /mnt
root@srx% mount -t msdos /dev/da1s1 /mnt
root@srx% exit
% exit

# Now you can install the image from the USB stick
# The option "partition" reformats and repartitions the flash (use it to move to the
# dual root scheme). Keep a copy of the configuration and licenses off-box before you use it
srx> request system software add /mnt/JUNOS-srxsme-11.1R1.8-domestic.tgz partition reboot

TRANSFER METHOD 2
LOAD FILE TO LOCAL FLASH
# The preferred destination for files on the local flash is /var/tmp because
# several cleanup operations make sure this location gets purged

# Either push the image from outside via scp or ftp
scp JUNOS-srxsme-10.2R2.8-domestic.tgz user@srx:/var/tmp/

# or use an interactive session on the SRX CLI via the scp or ftp command
cd /var/tmp
ftp ... or scp ....

# Before installing, compare the checksum of the transferred file with the value published
# on the download page, so a corrupted or tampered image is caught before it is installed
# Now you can install the image from the local file
srx> request system software add /var/tmp/JUNOS-srxsme-11.1R1.8-domestic.tgz

TRANSFER METHOD 3
USING THE DOWNLOAD MANAGER
# The download manager is available since JUNOS 11.4 and allows rate limited
# downloads, which is useful to fetch software updates over slow WAN links without
# saturating the link
# Every download can also be stopped/paused/resumed
# By default downloaded files are stored under /var/tmp
# Note that the ftp password is given on the command line and so ends up in the command history

srx240-0> request system download start ftp://172.1.8.1/junos-x.tgz login user password <password> max-rate 50K
Starting download #1

srx240-0> show system download

Download Status Information:

ID Status Start Time Progress URL
1 Active May 23 13:14:27 1% ftp://172.1.8.1/junos-x.tgz

srx240-0> request system download pause 1
Paused download #1

srx240-0> show system download

Download Status Information:

ID Status Start Time Progress URL
1 Paused May 23 13:14:27 11% ftp://172.1.8.1/junos-x.tgz

srx240-0> request system download resume 1
Resumed download #1

TRANSFER METHOD 4:
USE URL TO LOAD IMAGE FROM A SERVER
# Example: fetch from an ftp server (user "username", password prompted) and reboot after the update
# The option no-copy saves space because the package is not kept on the flash
J6350> request system software add no-copy reboot ftp://username:prompt@172.30.80.20/JUNOS-jsr-9.5R1.8-domestic.tgz

# Same example for SRX with user anonymous
# If the validation reports that your current config is not working
# with the new release (e.g. on a downgrade) you can bypass the check with no-validate
srx> request system software add no-copy no-validate reboot ftp://172.16.42.8/JUNOS-srxsme-9.5R1.8-domestic.tgz

# Same example for an SSH server
srx> request system software add no-copy no-validate reboot scp://172.16.42.8/JUNOS-srxsme-9.5R1.8-domestic.tgz

UPGRADE METHOD 2
INSTALL FROM WEB-UI
Use the web interface (J-Web). This method needs the most RAM and flash of all methods.

UPGRADE METHOD 3
INSTALL FROM CLI
# Example: start the installation from a local file which is already in /var/tmp
# The option reboot forces a reboot after successful installation
request system software add /var/tmp/JUNOS-srxsme-10.2R2.8-domestic.tgz reboot

# Example: download and install the image from an ftp server (user "username", password prompted)
request system software add no-copy no-validate reboot ftp://username:prompt@172.16.42.8/JUNOS-srxsme-10.2R2.8-domestic.tgz

# Example: start the installation from a USB stick previously mounted under /mnt
request system software add /mnt/JUNOS-srxsme-11.1R1.8-domestic.tgz partition reboot

UPGRADE METHOD 4 - FOR SRX CLUSTERS
IN SERVICE SOFTWARE UPGRADE
ISSU stands for In Service Software Upgrade
ISSU allows the upgrade of cluster members with minimal downtime.
ISSU can be used on High-end SRX in most cases since JUNOS 10.4R4
ISSU can be used on Branch SRX in most cases since JUNOS 11.2R2
request system software in-service-upgrade [package] reboot

It is a single command, which you have to run on the RG0 primary device.
The following actions are performed during the update:
first the secondary device is upgraded
then a cross version cluster is formed
failover to the upgraded device
upgrade of the old primary

Expected outage with ISSU on DC-SRX is similar to a failover

Expected outage with ISSU on Branch-SRX is about 30 seconds

Check the documentation and KB17946 for more details on ISSU operation and
supported features for different releases

BEST PRACTICE:
FLASH HARDENING ON BRANCH SRX
# Once your software version and your configuration are reliable use the following
# steps to make the Branch SRX devices more robust against flash problems

# Optional: Cleanup storage (Documentation)


request system storage cleanup
# Optional: Cleanup IDP Cache and Attack Database Download (new command from 11.4)
request security idp storage-cleanup

# Show Releases in the primary and the secondary partition of Routing-Engine 1


show system snapshot media internal slice 1

# Copy primary partition image to the secondary, so they carry the same release
# Check KB22798 for details on dual partitioning
request system snapshot slice alternate

# Make sure your current configuration is also saved as your rescue configuration
# Check KB15788 for details on configuration versions and rollback
request system configuration rescue save

# Save License, Partition Data and Recovery Config to the Auto recovery Partition
# Check Release notes of JUNOS 11.2 for details on auto recovery
request system autorecovery state save



SCRIPTING AND AUTOMATION
AUTOMATION WITH JUNOS SCRIPTS
Commit Scripts
Enable automated compliance checks & configuration changes
e.g. reject a guest VLAN tag configured on access switch trunk ports, to restrict guest access to a floor
Macros allow operators to simplify complex configurations and self-heal errors
e.g. apply a pre-defined Data+VoIP port template on any switch port that gets a description matching a
particular string like data-phone

Operations Scripts
Allow custom output for diagnosis and event management
e.g. combine 2 different show commands to get a custom output for better analysis

Event Policies & Scripts
Automated pre-defined responses to events, creating self-monitoring networks
e.g. when a switch's trunk port goes up & down, run show interfaces and show alarms in the CLI, parse the data,
save it to a file and send this to a server

HOW TO INTEGRATE SCRIPTS ?
Activation of commit scripts
Copy a script to the /var/db/scripts/commit directory
Enable the script by including a file statement at the [edit system scripts
commit] hierarchy level (must be done by a user from the super-user class).
The script will now be executed every time you do a commit
Useful: to avoid typical errors (VPN without monitor, wrong MTU ...)
A commit script can change any part of the configuration, so treat the scripts directory
like the configuration itself: deploy only reviewed scripts from a trusted source

Activation of op scripts
Copy the script to the /var/db/scripts/op directory
Enable the script by including a file statement at the [edit system scripts
op] hierarchy level (must be done by a user from the super-user class).
Now you can run the script as a command (e.g. op status overview)

USEFUL LINKS FOR AUTOMATION
Useful How-to Information is available from this Scripting Guide
http://www.juniper.net/solutions/literature/white_papers/200252.pdf

Script Library from Juniper


http://JUNOS.juniper.net/scripts/

Script Library on Google


http://code.google.com/p/junoscriptorium/

SCRIPT LIBRARY
HTTPS://WWW.JUNIPER.NET/US/EN/COMMUNITY/JUNOS/SCRIPT-AUTOMATION/LIBRARY/

NICE FEATURES YOU WILL LIKE .....
HELP IS AVAILABLE FROM THE CLI,
EVEN WITHOUT INTERNET
Help available from the CLI [ topic reference apropos ]
# Full description of certain configuration hierarchies
root> help reference security address-book
address-book

Syntax

address-book {
address address-name (ip-prefix | dns-name dns-address-name);
address-set address-set-name {
address address-name;
}
}
....

# Commands which include the word xyz


root> help apropos proxy-arp
...

# Help on certain topics


root> help topic snmp agent
...

WE HAVE FTP/SCP SERVERS ON BOARD
# Start the FTP server
set system services ftp
# Enable inbound ftp on the desired zone and/or interface
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ftp
And connect with your favourite FTP client
Note: FTP sends credentials and files in the clear. scp needs no extra daemon because it
runs over the ssh service, so prefer it; if you do enable ftp, allow it only on the
management zone/interface and disable it again when the transfer is done

USEFUL EXTENSIONS FOR
CONFIGURATION VERSIONING
Configuration Comments
# Add comment to a configuration
commit comment "Let us try this"

# List comments added during commit


show system commit
show | compare rollback ?

Personal Configuration Files


# This will save/load configuration files in the home directory of the user
save mytestconfig.txt
load replace mytestconfig.txt

Load/Save configuration files via FTP/HTTP/SCP
# load via ftp or http
load merge ftp://user:password@host/filename
load merge http://user:password@host/filename
# save via ftp or scp
show configuration | save ftp://user:password@host/filename
show configuration | save user@host:filename
# Note: ftp and http send the credentials and the configuration in the clear; prefer scp

CONFIGURATION ROLLBACK
Automatic rollback if not confirmed within 5 minutes
# Automatic rollback if the commit is not confirmed (with a second commit) within 5 minutes
commit confirmed 5

# Commit at a desired time
commit at hh:mm:ss

# On SRX clusters rollback is only available if you entered "configure exclusive"

Rollback versions, by default you have 5 (on SRX) to 50 (on EX)
rollback ?
show configuration | compare rollback <number>

The "rescue" configuration
# Create a rescue configuration
request system configuration rescue save

# Manual rollback to rescue
rollback rescue
commit

# On J-Series press the reset button for more than 5 and less than 15 seconds
# to automatically load and commit the rescue configuration

SOFTWARE ROLLBACK
Since JUNOS 10.0, Branch SRX have a dual root partitioning scheme, which
can hold a copy of the image and the configuration under /altroot and /altconfig
# After a software upgrade the new software is in the primary partition and the old
# software is in the backup (alternate) partition.
# You can check the current partition content with
show system snapshot media internal slice 1

# To switch the primary partition, so that the next reboot uses the other image, just execute
root@srx100-2> request system software rollback
junos-12.1R2.9-domestic will become active at next reboot

# To switch back to the previous partition just execute the same command once more
root@srx100-2> request system software rollback
junos-12.1R3.5-domestic will become active at next reboot

REAL-TIME PERFORMANCE MONITORING (RPM)
RPM can track server/application reachability and latencies over the network
# Configure probes for owner THOMAS
# Example probe SERVER1 checks if the server responds to ping
edit services rpm probe THOMAS test SERVER1
set probe-type icmp-ping
set target address 172.30.80.1
set test-interval 10
top

# Example probe SERVER2 checks if the web server responds within 2000 msec
# (RPM thresholds are given in microseconds)
edit services rpm probe THOMAS test SERVER2
set probe-type http-get
set target url http://172.30.81.70/index.html
set test-interval 10
set threshold rtt 2000000
top

Results can be monitored from the CLI or via SNMP
show services rpm probe-results owner THOMAS test SERVER1
show snmp mib walk 1.3.6.1.4.1.2636.3.50

RPM events can also be used to trigger event scripts

AUTO ARCHIVING CONFIGURATIONS
Transmit a copy of the current config file with every commit
You can use ftp, http, scp or a copy to a local file
[edit system archival configuration]
transfer-on-commit;
archive-sites {
ftp://username@host:<port>url-path password password;
http://username@host:<port>url-path password password;
scp://username@host:<port>url-path password password;
file://<path>/<filename>;
}

The target filename is built like this:
<router-name>_juniper.conf[.gz]_YYYYMMDD_HHMMSS

It is also possible to run periodic archival
set system archival configuration transfer-interval [interval]

The archive contains the complete configuration, including password hashes and VPN
pre-shared keys, so restrict access to the archive server and prefer scp over ftp/http,
which transfer in the clear
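As an added example (Python written for this page, not part of the guide or of Junos), a check over the archive directory that uses the file name pattern above: it parses <router-name>_juniper.conf[.gz]_YYYYMMDD_HHMMSS, finds the newest archive per device and reports devices whose latest archive is older than a threshold, which is how you notice that transfer-on-commit has silently stopped working. The file names are constructed sample data.

```python
import re
from datetime import datetime, timedelta

# Constructed sample listing of an archive directory (not real data).
SAMPLE_NAMES = [
    "srx100-2_juniper.conf.gz_20121108_101502",
    "srx100-2_juniper.conf.gz_20121108_154011",
    "srx3600-a_juniper.conf_20121107_233000",
    "README.txt",  # unrelated file, must be ignored
]

# <router-name>_juniper.conf[.gz]_YYYYMMDD_HHMMSS
ARCHIVE_RE = re.compile(
    r"^(?P<router>.+?)_juniper\.conf(?P<gz>\.gz)?_(?P<date>\d{8})_(?P<time>\d{6})$"
)


def parse_archive_name(name):
    """Return (router, timestamp, gzipped) or None if name is not an archive."""
    m = ARCHIVE_RE.match(name)
    if m is None:
        return None
    try:
        ts = datetime.strptime(m["date"] + m["time"], "%Y%m%d%H%M%S")
    except ValueError:  # digits in the right place but not a valid date/time
        return None
    return m["router"], ts, m["gz"] is not None


def latest_per_router(names):
    """Map router name -> timestamp of its newest archive."""
    latest = {}
    for name in names:
        parsed = parse_archive_name(name)
        if parsed is None:
            continue
        router, ts, _ = parsed
        if router not in latest or ts > latest[router]:
            latest[router] = ts
    return latest


def latest_iso(names):
    """latest_per_router() with ISO-8601 strings, convenient for reports."""
    return {r: ts.isoformat() for r, ts in latest_per_router(names).items()}


def stale_routers(names, now_iso, max_age_hours=24):
    """Routers whose newest archive is older than max_age_hours at time now_iso."""
    now = datetime.fromisoformat(now_iso)
    limit = timedelta(hours=max_age_hours)
    return sorted(r for r, ts in latest_per_router(names).items() if now - ts > limit)


if __name__ == "__main__":
    print(latest_iso(SAMPLE_NAMES))
    print("stale:", stale_routers(SAMPLE_NAMES, "2012-11-09T09:00:00"))
```

Feed it the real directory listing (os.listdir on the archive server) and run it from cron; a device that commits daily but shows up as stale either lost its archival configuration or can no longer reach the server, and both are worth an alert.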

MORE USEFUL STUFF .....
DNS lookup and reverse lookup
lab@SRX3600> show host 193.99.144.85
85.144.99.193.in-addr.arpa domain name pointer www.heise.de.
lab@SRX3600> show host www.heise.de
www.heise.de has address 193.99.144.85

Network clients available on the CLI (the route lookup starts in inet.0)
telnet, ssh, ftp, scp, ping, traceroute, mtrace

Command output can be piped to a file on a remote server
monitor traffic interface <ifname> count 100 | save ftp://172.16.1.1/capture.txt

CLI shortcuts
CTRL-A takes you to the beginning of the command line
CTRL-E takes you to the end of the command line
CTRL-W deletes backwards to the previous space
CTRL-U deletes the entire command line
CTRL-L redraws the command line (in case it has been interrupted by messages, etc.)
CTRL-R starts the CLI history search, start typing and matching results will be
displayed and can be executed by simply pressing ENTER


MORE USEFUL STUFF .....
Replace a pattern in the whole configuration
srx# replace pattern fe-0/0/7 with ge-0/0/7

What have you changed so far ?


srx# set system host-name SRX
srx# show | compare
- host-name srx;
+ host-name SRX;

Configure exclusive (only you have access)


srx> configure exclusive
warning: uncommitted changes will be discarded on exit
Entering configuration mode

[edit]
srx#

Check if commit is possible (but don't do it yet)


srx# commit check



AND MORE ......
Add comments anywhere in the configuration
srx# annotate security policies from-zone trust to-zone trust "this is an annotation"

srx# show security policies


/* this is an annotation */
from-zone trust to-zone trust {
inactive: policy 1 {
.....
# To remove the annotation, repeat the command with an empty string
annotate .... ""

Temporarily deactivate sections of the configuration


# deactivate whatever you want, but still keep it in the configuration
deactivate protocols ospf

Generate your own Events (good to combine with Event-Scripts)


set event-options generate-event backup-config-event time-of-day 23:30:00



AND MORE .....
apply-groups to
set groups sonet interfaces <so-*> sonet-options rfc-2615
set apply-groups sonet

Copy a file from one cluster member to the other


file copy /var/tmp/test node1:/var/tmp/sampled.test

Show Configuration with Details


# Use this command to get explanations and range information for each parameter
show configuration | display detail

Login Messages
# To make a message appear before login
set system login message "Welcome \n to \n JUNOS Training\n"
# To make a message appear after successful authentication
set system login announcement "Maintenance scheduled 11PM to 2AM tonight"



AND MORE .....
Get a timestamp on the CLI every time you execute a command
set cli timestamp
# To disable
set cli timestamp disable

Quick Navigation in Configure Mode


# if you used edit to change your current path in the navigation tree you can still
# reach every leaf of the tree by using "top" at the beginning
# Tab completion works and this "top" does not change your current position

edit protocols ospf


top show interfaces ge-0/0/0
top set interfaces ge-0/0/0 unit 0 ...



FURTHER USEFUL INFORMATION
DOCUMENTATION AND ADDITIONAL SOURCES
Software Documentation for SRX and J-Series
http://www.juniper.net/techpubs/software/JUNOS/

Hardware Documentation for SRX and J-Series


http://www.juniper.net/techpubs/hardware/srx-series.html
http://www.juniper.net/techpubs/software/jseries/

The JUNOS Page


http://JUNOS.juniper.net/

JTAC Knowledgebase
http://kb.juniper.net/
SRX Channel: http://kb.juniper.net/index?page=content&cat=SRX_SERIES&channel=KB

User Forums
http://forums.juniper.net/jnet/
http://www.juniperforum.com/

Books
http://www.juniper.net/us/en/training/jnbooks/



SELF SERVICE TRAININGS
Training: Fasttrack Program (free materials)

http://www.juniper.net/training/fasttrack/

Training: Complete List of all Training and E-Learning Offers

http://www.juniper.net/us/en/training/technical_education/

Training: JUNOS as a second language

http://www.juniper.net/us/en/training/elearning/jsl.html

Training: Virtual Labs for Partner (Hands-on if you have no HW)

https://www.juniper.net/partners/partner_center/common/training/virtual_lab.jsp

Training: JTAC Webcasts for Partner

https://www.juniper.net/partners/partner_center/common/training/post_sales_webcasts.jsp

Discount Vouchers for Certifications

http://JUNOS.juniper.net/prometricvoucher/



VPN CONFIGURATION GENERATOR
Generator for VPN Configurations (route and policy based)
https://www.juniper.net/customers/support/configtools/vpnconfig.html



MIGRATION TOOLS
Convert Cisco or Netscreen configurations to JUNOS
https://migration-tools.juniper.net/tools/index.jsp
