Professional Documents
Culture Documents
Bản Sao Của Ajsec-lg
Bản Sao Của Ajsec-lg
juniper
MCT\A/nDlZC
NETWORKS Education Services
3
J
A
3
Engineering
Simplicity
Lab Guide
Juniper University
jumper NETWORKS
MirT\A//^Diy e Education Services
1133 Innovation Way
Sunnyvale, CA 94089 USA
408-745-2000
wvvw.juniper.net
Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
YEAR 2000 NOTICE
Juniper Networks hardware and software products do not suffer from Year 2000 problems and hence are Year 2000 compliant. The Junos operating system has no known
time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
SOFTWARE LICENSE
The terms and conditions for using Juniper Networks software are described in the software license provided with the software, or to the extent applicable, in an agreement
executed between you and Juniper Networks, or Juniper Networks agent. By using Juniper Networks software, you indicate that you understand and agree to be bound by its
license terms and conditions. Generally speaking, the software license restricts the manner in which you are permitted to use the Juniper Networks software, may contain
prohibitions against certain uses, and may state conditions under which the license is automatically terminated. You should consult the software license for further details.
Contents
Lab 1: Implementing Layer 2 Security 1-1
Part 1: Loading the Baseline Configuration .1-2
Part 2: Configuring Transparent Mode ... . 1-4
Part 3: Configuring In-Band Management 1-17
Part 4: Configuring Secure Wire .............. 1-24
This four-day course, designed to build off the current Juniper Security (JSEC) offering, delves deeper into Junos security,
next-generation security features, and ATP supporting software.
Through demonstrationsand hands-on labs, you will gain experience in configuring and monitoring the advanced Junos
OS security features with coverage of advanced logging and reporting, next-generation Layer 2 security, next-generation
advanced anti-malware with Juniper ATP On-Prem and SecIntel. This course uses Juniper Networks SRX Series Services
Gateways for the hands-on component. This course uses on Junos OS Release 20.lRl.il, Junos Space Security Director
19.4, and Juniper ATP On-Prem version 5.0.7.
Course Level
AdvancedJuniper Security (AJSEC) is an advanced-level course.
Intended Audience
This course benefits individuals responsible for implementing, monitoring, and troubleshooting Junos security
components.
Prerequisites
Students should have a strong level of TCP/IP networking and security knowledge. Students should also attend the
Introduction to Juniper Security (IJSEC) and Juniper Security (JSEC) courses before attending this class.
Objectives
After successfully completing this course, you should be able to:
Demonstrate understanding of concepts covered in the prerequisite Juniper Security courses.
Describe the various forms of security supported by the Junos OS.
Describe the Juniper Connected Security model.
Describe Junos security handling at Layer 2 versus Layer 3.
Implement next-generation Layer 2 security features.
Demonstrate understanding of Logical Systems (LSYS).
Demonstrate understanding of Tenant Systems (TSYS).
Implement virtual routing instances in a security setting.
Describe and configure route sharing between routing instances using logical tunnel interfaces.
Describe and discuss Juniper ATP and its function in the network.
Describe and implement Juniper Connected Security with Policy Enforcer in a network.
Describe firewall filters use on a security device.
Implement firewall filters to route traffic.
Explain how to troubleshoot zone problems.
Describe the tools available to troubleshoot SRX Series devices.
Describe and implement IPsec VPN in a hub-and-spoke model.
Describe the PKI infrastructure.
Implement certificates to build an ADVPN network.
Describe using NAT, CoS, and routing protocols over IPsec VPNs.
Implement NAT and routing protocols over an IPsec VPN.
Describe the logs and troubleshooting methodologies to fix IPsec VPNs.
Implement working IPsec VPNs when given incorrect configurations.
Describe Incident Reporting with Juniper ATP On-Prem device.
Day 1
Chapter 1: Course Introduction
Day 2
Chapter 5: Hub-and-Spoke VPN
Day 3
Chapter 8: PKI and ADVPNs
Day 4
Chapter 11: Juniper Connected Security
San serif Normal text. Most of what you read in the Lab Guide and
Student Guide.
CLI Input Text that you must enter. labQSan Jose show route
CLI Undefined Text where the variable’s value is the user’s Type set policy policy-name.
discretion or text where the variable’s value
GUI Undefined ping 10.0 . jc.
as shown in the lab guide might differ from
the value the user must input according to Select File Save, and type filename
the lab topology. in the Filename field.
Technical Publications
You can print technical manuals and release notes directly from the Internet in a variety of formats:
Go to http://www.juniper.net/techpubs/.
Locate the specific software or hardware release and title you need, and choose the format in which you
want to view or print the document.
Documentation sets and CDs are available through your local Juniper Networks sales office or account representative.
Overview
In this lab, you will implement Layer 2 security. You will work with the vSRX-1 to configure transparent
mode operations. You will also configure Layer 2 security, and verify the results.
By completing this lab, you will perform the following tasks:
• Implement transparent mode.
Implement secure wire.
Secure Layer 2 traffic.
Step 1.1
Consult the Management Network Diagram to determine the management addresses of your devices.
Step 1.2
Access the CLI of vSRX-1 using either the console or SSH as directed by your instructor. Refer to
the management network diagram for the IP address associated with vSRX-1.
Step 1.3
Log in to the vSRX-1 device with the username lab and a password of labl23. Note that both the name
and password are case-sensitive. Enter configuration mode and load the reset configuration file using the
load override ajsec/labl-start. configcommand. After the configuration has been loaded
commit the changes before proceeding.
vSRX-1 (ttyuO)
login: lab
Password:
[edit]
lab@vSRX-l# load override ajsec/labl-start.config
[edit]
lab@vSRX-l# commit
commit complete
[edit]
lab@vSRX-l#
Step 1.4
Open a separate session to the vSRX-2 device. From the open session with vSRX-2, log in to the vSRX-2
device with the username lab and a password of labl23. Note that both the name and password are
case-sensitive. Enter configuration mode and load the reset configuration file using the load
override
ajsec/labl-start. config command. After the configuration has been loaded, commit the
changes before proceeding.
vSRX-2 (ttyuO)
login: lab
Password:
[edit]
lab@vSRX-2# load override ajsec/labl-start.config
[edit]
lab@vSRX-2# commit
commit complete
[edit]
lab@vSRX-2#
Step 1.5
Open a separate session to the vSRX-VR device. From the open session with vSRX-VR, log in to the
vSRX-VR device with the username lab and a password of labl23. Note that both the name and
password are case-sensitive. Enter configuration mode and load the reset configuration file using the
load override ajsec/labl-s tart. config com ma nd. After the configuration has been loaded J
login: lab
Password:
[edit]
lab@vSRX-VR# load override ajsec/labl-start.config
[edit]
lab@vSRX-VR# commit
commit complete
[edit]
lab@vSRX-VR#
Answer: Yes. The lab diagram shows that both devices are in the same
subnet.
Step 2.2
Return to the open session with vSRX-1.
From the open session with vSRX-1, navigate to the [edit interfaces ] hierarchy. Examine the
configured interfaces by issuing the show command.
[edit]
lab@vSRX-l# edit interfaces
[edit interfaces]
lab@vSRX-l# show
ge-0/0/0 {
description "MGMT INTERFACE DO NOT DELETE";
unit 0 {
family inet {
address 172.25.11.1/24;
}
}
}
ge-0/0/4 {
unit 0 {
family inet {
address 10.10.101.1/24;
}
}
}
ge-0/0/5 {
unit 0 {
family inet {
address 10.10.201.1/24;
}
}
}
fxpO {
disable;
}
loO {
unit 0 {
family inet {
address 192.168.1.1/32;
}
}
}
[edit interfaces]
lab@vSRX-l#
Step 2.3
Delete the configuration for the ge-0/0/4 and ge-0/0/5 interfaces and then configure them with the
ethernet-switching protocol family.
[edit interfaces]
lab@vSRX-l# delete ge-0/0/4
[edit interfaces]
lab@vSRX-l# delete ge-0/0/5
[edit interfaces]
lab@vSRX-l# set ge-0/0/4 unit 0 family ethernet-switching
[edit interfaces]
lab@vSRX-l# set ge-0/0/5 unit 0 family ethernet-switching
[edit interfaces]
lab@vSRX-l# show
ge-0/0/0 {
description "MGMT INTERFACE DO NOT DELETE";
unit 0 {
family inet {
address 172.25.11.1/24;
}
}
}
ge-0/0/4 {
unit 0 {
family ethernet-switching;
}
}
ge-0/0/5 {
unit 0 {
family ethernet-switching;
}
}
loO {
unit 0 {
family inet {
address 192.168.1.1/32;
}
}
}
Step 2.4
Examine the security zones by issuing the run show security zones command.
[edit interfaces]
lab@vSRX-l# run show security zones
Functional zone: management
Policy configurable: No
Interfaces bound: 1
Interfaces:
ge-0/0/0.0
Interfaces bound: 1
Interfaces:
ge-0/0/4.0
Step 2.5
Navigate to the [edit security zones] hierarchy, and delete the security zones.
[edit interfaces]
lab@vSRX-l# up 1 edit security zones
Step 2.6
Configure the L2 zone and bind the ge-0/0/4 and ge-0/0/5 interfaces to the zone. Ensure that SSH is
allowed in the zone.
[edit security zones]
lab@vSRX-l# set security-zone L2 interfaces ge-0/0/4
Answer: No, if you were to commit the configuration right now the
Juniper-sv and ACME-sv devices would not be able to
communicate with each other. From the Global Mode field you can
determine that vSRX-1 is set to Not set, which allows only L3
traffic.
step 2.8
Commit the configuration.
Answer: You must now reboot vSRX-1 to get mixed mode to function
properly.
Step 2.9
Reboot vSRX-1 by issuing the run request system reboot command. Enter yes when prompted.
Shutdown NOW!
[pid 2695]
[edit interfaces]
lab@vSRX-l#
'k "k "k
FINAL System shutdown message from lab@vSRX-l 'kk k
Note
Step 2.10
After the reboot, log in to the vSRX-1 device with the username lab and a password of labl23. Note
that both the name and password are case-sensitive.
vSRX-1 (ttyuO)
login: lab
Password:
Step 2.11
Examine the Layer 2 forwarding status by issuing the show ethernet-switching
global-information command.
lab@vSRX-l> show ethernet-switching global-information
Global Configuration:
Answer: The main item that changed in the output is that the Global
Mode status shows Transparent bridge. This status means that
the interfaces that are configured with the ethernet-switching
protocol family can now receive and forward frames from connected
hosts. There is also other important information in the output, such as
MAC learning being enabled and MAC aging interval setting.
Step 2.12
Issue the show ethernet-switching table command.
lab@vSRX-l> show ethernet-switching table
Answer: The output shows two that the ge-0/0/4 and ge-0/0/5
interfaces have received traffic and have recorded the MAC
addresses on the incoming interface. Also, the MAC addresses were
dynamically learned. Note that more or less MAC addresses might be
present. The MAC address values might not match the output
displayed above.
Step 2.13
Issue the show vlans command.
lab@vSRX-l> show vlans
Question: You did not configure any VLANs, why are the interfaces a
part of this VLAN?
Answer: If interfaces are not assigned a VLAN then they are placed in
the default VLAN.
Step 2.14
Issue the show ethernet-switching interface command.
lab@vSRX-l> show ethernet-switching interface
Routing Instance Name : default-switch
Logical Interface flags (DL - disable learning, AD - packet action drop.
LH - MAC limit hit, DN interface down,
MMAS - Mac-move action shutdown. AS - Autostate-exclude enabled.
SCTL - shutdown by Storm-control, MI - MAC+IP limit hit)
Answer: The tag field shows that the VLAN ID of 1 is being assigned
to these interfaces.
step 2.15
Open a separate session to the vSRX-VR device.
From the open session the vSRX-VR device, log in to the vSRX-VR device with the username lab and a
password of labl23. Note that both the name and password are case-sensitive.
vr-device (ttypO)
login: lab
Password:
lab@vSRX-VR>
Step 2.16
Test connectivity from the Juniper-svtothe acme-sv device. Remember that the Juniper-SV and
ACME-SV devices are on the same subnet for this lab. To test this connectivity issue the
ssh 10.10.101.100 routing-instance Juniper-SV command.
lab@vSRX-VR> ssh 10.10.101.100 routing-instance Jun±per-SV
Step 2.17
Return to the vSRX-1 device.
From the vSRX-1 device, issue the show security flow session destination-prefix
10.10.101.100 application ssh command.
lab@vSRX-l> show security flow session destination-prefix 10.10.101.100
application ssh
Total sessions: 0
Answer: The output shows that there are no SSH flows for the host.
This result means that the traffic between the Juniper-sv and
ACME-SV devices is not flowing through vSRX-1.
Question: What are some possible items that can cause this situation
on vSRX-1?
Step 2.18
Examine the security zones by issuing the show security zones command.
lab@vSRX-l> show security zones
Functional zone: management
Policy configurable: No
Interfaces bound: 1
Interfaces:
ge-0/0/0.0
Security zone: L2
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bound: 2
Interfaces:
ge-0/0/4.0
ge-0/0/5.0
Question: Which zone are the ge-0/0/4 and ge-0/0/5 interfaces in? Is
this the correct zone for the interfaces?
Answer: The interfaces are in the L2 zone, which is the correct zone.
Step 2.19
Examine the interfaces by issuing the show interfaces terse | match eth-switch
command.
lab@vSRX-l> show interfaces terse | match eth-switch
ge-0/0/4.0 up up eth-switch
ge-0/0/5.0 up up eth-switch
Step 2.20
Examine the security policies by issuing the show security policies command.
lab@vSRX-l> show security policies
Default policy: deny-all
Pre ID default policy: permit-all
Answer: The only security policy on vSRX-1 is the implicit deny all
policy which is the Default policy on vSRX-1. The Pre ID default poicy
is only for packets being used with Unified Policies where the
application ID is needed to decide if the flow matches the policy. So,
there is no security policy to permit the traffic between the J uniper-SV
and ACME-SV devices.
Step 2.21
Enter configuration mode and navigate to the [edit security policies global policy L2]
hierarchy level.
lab@vSRX-l> configure
Entering configuration mode
[edit]
lab@vSRX-l# edit security policies global policy L2
Step 2.24
Return to the vSRX-1 device.
From the vSRX-1 device, issue the run show security flow session destination-prefix
10.10.101.100 application ssh command.
[edit security policies global policy L2]
lab@vSRX-l# run show security flow session destination-prefix 10.10.101.100
application ssh
Session ID: 183, Policy name: L2/4, Timeout: 1712, Valid
In: 10.10.101.10/50654 10.10.101.100/22;tcp. Conn Tag: 0x0, If: ge-0/0/4.0.
Pkts : 40, Bytes: 8314,
Out: 10.10.101.100/22 -- 10.10.101.10/50654;tcp. Conn Tag: 0x0, If: ge-0/0/5.0.
Pkts : 27, Bytes: 4263,
Total sessions: 1
Step 2.25
Return to the vSRX-VR device.
From the vSRX-VR device, stop the running exit the SSH session by issuing the exit command.
lab@vSRX-VR> exit
lab@vSRX-VR>
Step 3.1
Return to open session with vSRX-1.
From the open session with vSRX-1, navigate to the [edit interfaces] hierarchy.
[edit security policies global policy L2]
lab@vSRX-l# top edit interfaces
[edit interfaces]
lab@vSRX-l#
Step 3.2
Configure the IRB interface with the 10.10.101.101/24 address.
[edit interfaces]
lab@vSRX-l# set irb.O family inet address 10.10.101.101/24
[edit vlans]
lab@vSRX-l#
Step 3.4
Configure the sv VLAN with VLAN ID 101 and bind the irb.O interface as the Layer 3 interface for the
VLAN.
[edit vlans]
lab@vSRX-l# set SV vlan-id 101
[edit vlans]
lab@vSRX-l# set SV 13-interface irb.O
[edit vlans]
lab@vSRX-l# show
SV {
vlan-id 101;
13-interface irb.O;
}
Answer: There are a few different methods to add the interfaces to the
VLAN. You can reference the VLAN name under the interfaces, you can
reference the VLAN ID under the interfaces, or you can add the
interfaces to the VLAN.
Step 3.5
Add the ge-0/0/4 and ge-0/0/5 interfaces to the sv VLAN.
[edit vlans]
lab@vSRX-l# set SV interface ge-0/0/4
[edit vlans]
lab@vSRX-l# set SV interface ge-0/0/5
[edit vlans]
lab@vSRX-l# show
SV {
vlan-id 101;
interface ge-0/0/4.0;
interface ge-0/0/5.0;
13-interface irb.O;
}
step 3.6
Add the irb.O interface to the L2 security zone and attempt to commit the configuration when you are
finished.
[edit vlans1
lab@vSRX-l# top set security zones security-zone L2 interfaces irb.O
[edit vlans1
lab@vSRX-l# commit
[edit security zones security-zone L2]
’interfaces irb.O’
Interface irb is not allowed in mix mode
error: configuration check-out failed
Answer: Although the commit error makes it seem like you cannot use
IRB interfaces while vSRX-1 is in mixed mode, it really means that you
cannot put an IRB interface in a security zone while vSRX-1 is in
mixed mode.
Step 3.7
Remove the irb.O interface from the L2 security zone and commit the configuration when you are
finished.
[edit vlans1
lab@vSRX-l# top delete security zones security-zone L2 interfaces irb.O
[edit vlans1
lab@vSRX-l# commit
commit complete
[edit vlans]
lab@vSRX-l#
Step 3.8
Issue the run show vlans command.
[edit vlans1
lab@vSRX-l# run show vlans
Answer: The output shows that the ge-0/0/4 and ge-0/0/5 interfaces
are now part of the sv VLAN and they use the 101 VLAN ID tag.
Question: Why does the output not show the irb.O interface?
Answer: Although the sv VLAN uses the irb.O interface as the Layer 3
interface for the VLAN, it does not appear in the output because it is
not a Ethernet switching interface.
Step 3.9
Return to the open session with the vSRX-VR device.
From the open session with the vSRX-VR device, start an SSH test by issuing the ssh 10.10.101.101
routing-instance Juniper-SV command.
lab@vSRX-VR> ssh 10.10.101.101 routing-instance Juniper-SV
Step 3.10
Return to the vSRX-1 device.
From the vSRX-1 device, issue the run show security flow session destination-prefix
10.10.101.101 application ssh command.
[edit vlans]
lab@vSRX-l# run show security flow session destination-prefix 10.10.101.101
application ssh
Total sessions: 0
Step 3.11
From the vSRX-1 device, issue the run show ethernet-switching interface command.
[edit vlans]
lab@vSRX-l# run show ethernet-switching interface
Routing Instance Name : default-switch
Logical Interface flags (DL - disable learning, AD - packet action drop.
LH - MAC limit hit, DN interface down,
MMAS - Mac-move action shutdown. AS - Autostate-exclude enabled.
SCTL - shutdown by Storm-control, MI - MAC+IP limit hit)
Answer: Before the interfaces were placed in the VLAN, they were
access interfaces, but adding the interfaces to the VLAN causes the
interfaces to become trunk interfaces. You must configure the
interfaces in access mode to solve the problem. Note that you cannot
reference the interfaces in a VLAN if you explicitly configure them as
access mode interfaces. You will need to remove the ge-0/0/4 and
ge-0/0/5 interfaces from the SV VLAN.
Step 3.12
Remove the ge-0/0/4 and ge-0/0/5 interfaces from the sv VLAN.
[edit vlans]
lab@vSRX-l# delete SV interface ge-0/0/4
[edit vlans]
lab@vSRX-l# delete SV interface ge-0/0/5
Step 3.13
Navigate to the [edit interfaces ] hierarchy. Configure the ge-0/0/4 and ge-0/0/5 interfaces as
access interfaces.
[edit vlans1
lab@vSRX-l# up 1 edit interfaces
[edit interfaces]
lab@vSRX-l#
Step 3.14
Configure the ge-0/0/4 and ge-0/0/5 interfaces as access mode interfaces.
[edit interfaces]
lab@vSRX-l# set ge-0/0/4 unit 0 family ethernet-switching interface-mode access
[edit interfaces]
lab@vSRX-l# set ge-0/0/5 unit 0 family ethernet-switching interface-mode access
Step 3.15
Configure the ge-0/0/4 and ge-0/0/5 interfaces to be members of the sv VLAN. Commit the
configuration when you are finished. Note there are a few different ways to configure VLANs and we are
using the interface VLAN assignment method.
[edit interfaces]
lab@vSRX-l# set ge-0/0/4 unit 0 family ethernet-switching vlan members SV
[edit interfaces]
lab@vSRX-l# set ge-0/0/5 unit 0 family ethernet-switching vlan members SV
[edit interfaces]
lab@vSRX-l# show
ge-0/0/0 {
description "MGMT INTERFACE DO NOT DELETE";
unit 0 {
family inet {
address 172.25.11.1/24;
}
}
}
ge-0/0/4 {
unit 0 {
family ethernet-switching {
interface-mode access;
vlan {
members SV;
}
}
}
}
ge-0/0/5 {
unit 0 {
family ethernet-switching {
interface-mode access;
vlan {
members SV;
}
}
}
}
irb {
unit 0 {
family inet {
address 10.10.101.101/24;
}
}
}
loO {
unit 0 {
family inet {
address 192.168.1.1/32;
}
}
}
[edit interfaces]
lab@vSRX-l# commit
commit complete
[edit interfaces]
lab@vSRX-l#
Step 3.16
Return to the open session with the vSRX-VR device.
From the open session with the vSRX-VR device, press the Ctrl + c key combination to close the SSH
session attempt if it is still open and start the SSH test again by issuing the ssh 10.10.101.101
routing-instance Juniper-SV command. Login to vSRX-1 with a password of labl23. If it asks
you to permanently add the IP address to the list of known hosts, enter yes when asked if you want to
continue.
lab@vSRX-VR> ssh 10.10.101.101 routing-instance Juniper-SV
PING 10.10.101.100 (10.10.101.100): 56 data bytes
The authenticity of host ’10.10.101.101 (10.10.101.101)’ can’t be established.
ECDSA key fingerprint is 07:3c:c5:9d:3b:05:d7:53:5d:2d:f1:11:56:aa:aa:45.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ’10.10.101.101’ (ECDSA) to the list of known hosts.
Password:
-- JUNOS 20.lRl.il Kernel 64-bit XEN JNPR-11.0-20200219.fbl20e7_buil
lab@vSRX-l>
Answer: You are able to manage vSRX-1 from the Juniper-SV device
using SSH.
Step 3.17
Return to the vSRX-1 device.
From the vSRX-1 device, issue the run show security flow session destination-prefix
10.10.101.101 application ssh command.
[edit vlans]
lab@vSRX-l# run show security flow session destination-prefix 10.10.101.101
application ssh
Session ID: 40, Policy name: self-traffic-policy/1, Timeout: 1734, Valid
In: 10.10.101.10/59117 10.10.101.101/22;tcp. Conn Tag: 0x0, If: ge-0/0/4.0.
Pkts : 19, Bytes: 3857,
Answer: The output shows that the SSH session is working properly.
Step 3.18
Return to the session with the vSRX-VR device.
From the open session with the vSRX-VR device, issue the exit command to return to the vSRX-VR
terminal.
lab@vSRX-l> exit
lab@vSRX-VR>
[edit interfaces]
lab@vSRX-l# set ge-0/0/7 unit 0 family ethernet-switching vlan members SW
[edit interfaces]
lab@vSRX-l# show ge-0/0/1
unit 0 {
family ethernet-switching {
vlan {
members SW;
}
}
}
[edit interfaces]
lab@vSRX-l# show ge-0/0/7
unit 0 {
family ethernet-switching {
vlan {
[edit vlans]
lab@vSRX-l#
Step 4.3
Configure the SW VLAN to use the VLAN ID of 50.
[edit vlans]
lab@vSRX-l# set SW vlan-id 50
[edit vlans]
lab@vSRX-l# show
SV {
vlan-id 101;
13-interface irb.O;
}
SW {
vlan-id 50;
}
Step 4.4
Navigate to the [edit security forwarding-options secure-wire] hierarchy level.
[edit vlans]
lab@vSRX-l# up 1 edit security forwarding-options secure-wire
Question: What are the next steps in configuring the SW secure wire?
Answer: The next steps would be to add the secure wire interfaces to a
security zone, then create a security policy that allows the traffic.
Step 4.6
Navigate to the [edit security zones security-zone SW] hierarchy.
[edit security forwarding-options secure-wire]
lab@vSRX-l# top edit security zones security-zone SW
Step 4.8
Configure the L2-deny log file by issuing the top set system syslog file L2-deny any any
command. Then, issue the top set system syslog file L2-deny rt_flow_session_deny
command.
[edit security zones security-zone SW]
lab@vSRX-l# top set system syslog file L2-deny any any
Note
These commands will help later for troubleshooting. They are not
required for the operation of secure wire.
Step 4.9
Navigate to the [edit security zones security-zone SW-permit] hierarchy.
[edit security zones security-zone SW-permit]
lab@vSRX-l# top edit security policies global policy SW-peirmit
lab@vSRX-l>
Step 4.13
Clear the log file to L2-deny log file with the clear log L2-deny command.
lab@vSRX-l> clear log L2-deny
Step 4.14
Issue the show vlans command.
lab@vSRX-l> show vlans
Answer: The output shows that the ge-0/0/1 and ge-0/0/7 interfaces
are a part of the SW VLAN and the VLAN is using the VLAN ID of 50.
Step 4.15
Issue the show ethernet-switching interface command.
lab@vSRX-l> show ethernet-switching interface
Routing Instance Name : default-switch
Logical Interface flags (DL - disable learning, AD - packet action drop.
LH - MAC limit hit, DN interface down.
MMAS - Mac-move action shutdown. AS Autostate-exclude
enabled.
SCTL - shutdown by Storm-control, MI - MAC+IP limit hit)
lab@vSRX-l>
Answer: The output shows that the ge-0/0/1 and ge-0/0/7 interfaces
are in the forwarding STP state and are functioning as access
interfaces.
Step 4.16
Return to open session with vSRX-2.
From the open session with vSRX-2, issue the ssh 172.18.1.1 command to open an SSH session with
the local host. To make sure the session does not timeout prematurely, login using the password
labl23.
lab@vSRX-2 ssh 172.18.1.1
Note
You might be prompted if you are sure you want to connect to
the 172.18.1.1 host, if you are enter yes to continue
Password:
--- JUNOS 20.lRl.il Kernel 64-bit XEN JNPR-11.0-20200219.fbl20e7_buil
lab@vSRX-VR>
Step 4.17
Return to open session with vSRX-1.
From the open session with vSRX-1, issue the show security flow session application ssh
source-prefix 172.18.1.2 command.
lab@vSRX-l> show security flow session application ssh source-prefix 172.18.1.2
Session ID: 15435, Policy name: SW-permit/6, Timeout: 1658, Valid
In: 172.18.1.2/63475 -- 172.18.1.1/22;tcp. Conn Tag: 0x0, If: ge-0/0/7.0. Pkts:
19, Bytes: 4091,
Out: 172.18.1.1/22 — 172.18.1.2/63475;tcp. Conn Tag: 0x0, If: ge-0/0/1.0. Pkts:
15, Bytes: 3459,
Total sessions: 1
Answer: The output shows that SSH traffic is going creating a flow in
the session using interfaces ge-0/0/1 and ge-0/0/7 with the
SW-permit policy.
Step 4.18
Issue the show ethernet-switching table command.
lab@vSRX-l> show ethernet-switching table
step 4.19
Return to open session with vSRX-2.
From the open session with vSRX-2, close the SSH session by issuing the exit command.
lab@vSRX-VR> exit
lab@vSRX-2
Step 4.20
Attempt to open a Telnet session with the local host by issuing the telnet 172.18.1.1 command.
lab@vSRX-2 telnet 172.18.1.1
Trying 172.18.1.1...
Step 4.21
Return to open session with vSRX-1.
From the open session with vSRX-1, issue the show log L2-deny command.
lab@vSRX-l> show log L2-deny
Mar 24 14:40:02 vSRX-1 RT FLOW: RT FLOW SESSION DENY: session denied 172.18.1.2/
61645->172.18.1.1/23 0x0 junos-telnet 6(0) SW-deny(global) SW SW UNKNOWN UNKNOWN
N/A(N/A) ge-0/0/7.0 No Denied by policy 196909 N/A N/A -1 N/A N/A N/A
Mar 24 14:40:05 vSRX-1 RT FLOW: RT FLOW SESSION DENY: session denied 172.18.1.2/
61645->172.18.1.1/23 0x0 junos-telnet 6(0) SW-deny(global) SW SW UNKNOWN UNKNOWN
N/A(N/A) ge-0/0/7.0 No Denied by policy 196910 N/A N/A -1 N/A N/A N/A
Mar 24 14:40:08 vSRX-1 RT FLOW: RT FLOW SESSION DENY: session denied 172.18.1.2/
61645->172.18.1.1/23 0x0 junos-telnet 6(0) SW-deny(global) SW SW UNKNOWN UNKNOWN
N/A(N/A) ge-0/0/7.0 No Denied by policy 196911 N/A N/A -1 N/A N/A N/A
Mar 24 14:40:12 vSRX-1 RT FLOW: RT FLOW SESSION DENY: session denied 172.18.1.2/
61645->172.18.1.1/23 0x0 junos-telnet 6(0) SW-deny(global) SW SW UNKNOWN UNKNOWN
N/A(N/A) ge-0/0/7.0 No Denied by policy 196912 N/A N/A -1 N/A N/A N/A
Mar 24 14:40:15 vSRX-1 RT FLOW: RT FLOW SESSION DENY: session denied 172.18.1.2/
61645->172.18.1.1/23 0x0 junos-telnet 6(0) SW-deny(global) SW SW UNKNOWN UNKNOWN
N/A(N/A) ge-0/0/7.0 No Denied by policy 196913 N/A N/A -1 N/A N/A N/A
Answer: The log file shows that Telnet traffic is being denied by the
SW-deny policy.
Step 4.22
Issue the exit command to log out of the device.
lab@vSRX-l> exit
Step 4.23
Return to the open session with vSRX-2.
From the open session with vSRX-2, issue the exit command to log out of the device.
lab@vSRX-2 exit
Step 4.24
Return to the open session with vSRX-VR.
From the open session with vSRX-VR, issue the exit command to log out of the device.
lab@vSRX-VR> exit
STOP
Tell your instructor that you have completed this lab.
Local Server
172.18.1.1
C
ge-0/0/1
ge-O/O/7
ge-0/0/7 172.18.1.2/24
vSRX-1 vSRX-2
ge-0/0/4 ge-0/0/5
Juniper-SV ACME-SV
Virtual Routers
Overview
This lab demonstrates configuration and monitoring of firewall filters on devices running the Junos
operating system. In this lab, you use the command-line interface (CLI) to define, apply, and monitor
firewall filters. Then, you will configure two virtual routing instances. You will then configure the virtual
routers (VRs) to communicate with the Internet host, and then to communicate with each other. You will
then configure filter-based forwarding to direct traffic in a different direction than the installed route
would take it.
In completing this lab, you will perform the following tasks:
• Prepare your device and verify operation.
• Configure and monitor firewall filters.
• Configure Internet access for the VRs.
• Configure inter-VR communication.
• Configure filter-based forwarding.
In this lab, you will make modifications to the configuration and verify proper operation of vSRX-1. You
will also login to vSRX-2 to verify and monitor changes in network operation in response to your changes
in configuration to vSRX-1. In this lab part, you must refer to the network diagram for this lab.
Note
The instructor will inform you as to the nature of your access
and will provide you with the details to access your student
environment.
step 1.1
Access the CLI of vSRX-1 using either the console or SSH as directed by your instructor. Your instructor will
provide you with the access details. Log in to vSRX-1 with username lab and password labl23. Note
that both the name and password are case-sensitive. Enter configuration mode and load the lab
configuration file using the load override ajsec/lab2-start. config command. After the
configuration has been loaded, commit the changes.
Last login: Wed Apr 29 18:42:51 2020 from 172.25.11.254
-- JUNOS 20.lRl.il Kernel 64-bit XEN JNPR-11.0-20200219.fbl20e7_buil
lab@vSRX-l> configure
Entering configuration mode
[edit]
lab@vSRX-l# load override ajsec/lab2-start.config
load complete
[edit]
lab@vSRX-l# commit
commit complete
[edit]
lab@vSRX-l#
Step 1.2
Step 1.3
Access the CLI of vSRX-2 using either the console or SSH as directed by your instructor. Your instructor will
provide you with the access details. Log in to vSRX-2 with username lab and password labl23. Note
that both the name and password are case-sensitive. Enter configuration mode and load the lab
configuration file usingthe load override ajsec/Iab2-start. config command. After the
configuration has been loaded, commit the changes and exit to operational mode.
Last login: Wed Apr 29 18:42:51 2020 from 172.25.11.254
-- JUNOS 20.lRl.il Kernel 64-bit XEN JNPR-11.0-20200219.fbl20e7_buil
lab@vSRX-2> configure
Entering configuration mode
[edit]
lab@vSRX-2# load override ajsec/lab2-start.config
load complete
[edit]
lab@vSRX-2# commit and-quit
commit complete
Exiting configuration mode
lab@vSRX-2
Step 1.4
Access the CLI of vSRX-VR using either the console or SSH as directed by your instructor. Your instructor
will provide you with the access details.
Step 1.5
Log in to vSRX-VR with username lab and password labl23. Note that both the name and password
are case-sensitive. Enter configuration mode and load the lab configuration file using the load
override aj sec/lab2-start. config command. After the configuration has been loaded,
commit the changes and exit to operational mode.
Last login: Wed Apr 29 18:42:51 2020 from 172.25.11.254
-- JUNOS 20.lRl.il Kernel 64-bit XEN JNPR-11.0-20200219.fbl20e7_buil
lab@vSRX-VR> configure
Entering configuration mode
[edit]
lab@vSRX-VR# load override ajsec/lab2-start.conf±g
load complete
[edit]
lab@vSRX-VR# commit and-quit
commit complete
Exiting configuration mode
lab@vSRX-VR>
Note
The next lab steps require you initiate traffic from the
Juniper-si/virtual router attached to vSRX-1. The
Juniper-WF virtual router is attached to vSRX-2.
Step 1.6
From vSRX-VR, use the ping utility to verify reachability to the vSRX-1 loopback address and the Internet
host. Refer to the network diagram associated with this lab as needed.
Note
Answer: Yes, as shown in the capture, the ping tests should succeed
from the virtual router.
Step 1.7
Attempt to establish an SSH session with vSRX-1 by issuing the ssh command. Reference virtual router
Juniper-SVuse the vSRX-1 loopback address as the destination address. Login with username
lab and password labl23. Since this will most likely be the first time an ssh session has been
established between the two devices, it is probable there will be a warning issued. Accept the warning
with yes.
lab@vSRX-VR> ssh routing-instance Juniper-SV lab@192.168.1.1
The authenticity of host ’192.168.1.1 (192.168.1.1)’ can’t be established.
ECDSA key fingerprint is SHA256:Ky8SDlsQVqFCRA82+RZ+hSfbfyOWPTrfHeTHkvQ4Gf4.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ’192.168.1.1’ (ECDSA) to the list of known hosts.
Password:
Last login: Wed Apr 29 18:42:51 2020 from 172.25.11.254
-- JUNOS 20.lRl.il Kernel 64-bit XEN JNPR-11.0-20200219.fbl20e7_buil
lab@vSRX-l>
Answer: Yes, as shown in the capture, the SSH session does establish
successfully.
Step 1.8
Issue the exit command to close the SSH session.
lab@vSRX-l> exit
lab@vSRX-VR>
Step 1.9
Attempt to establish a Telnet session with vSRX-1. Reference virtual router Juniper-svar\6 use the
vSRX-1 loopback address as the destination address. Login with username lab and password labl23.
lab@vSRX-VR> telnet routing-instance Juniper-SV 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is ]'. I A
login: lab
Password:
Last login: Fri Feb 7 17:39:49 from 172.20.101.10
Step 1.10
Issue the exit command to close the Telnet session.
lab@vSRX-l> exit
lab@vSRX-VR>
Note
Step 1.11
Return to the open session with vSRX-1.
From the open session with vSRX-1, issue the run show ospf neighbor and run show route
commands.
[edit]
lab@vSRX-l# run show ospf neighbor
Address Interface state ID Pri Dead
172.20.66.2 ge-0/0/7.0 Full 192.168.2.1 128 34
172.20.77.2 ge-0/0/8.0 Full 192.168.2.1 128 33
[edit]
lab@vSRX-l# run show route
0.0.0.0/0 'k
[Static/5] 5d 07:41:01
> to 172.18.1.1 via ge-0/0/1.0
172.18.1.0/30 * [Direct/0] 5d 07:41:01
> via ge-0/0/1.0
172.18.1.2/32 * [Local/0] 5d 07:41:01
Local via ge-0/0/1.0
172.20.66.0/30 *
[Direct/0] 5d 07:41:01
> via ge-0/0/7.0
172.20.66.1/32 ■k
[Local/0] 5d 07:41:01
Local via ge-0/0/7.0
172.20.77.0/30 * [Direct/0] 5d 07:41:01
> via ge-0/0/8.0
172.20.77.1/32 * [Local/0] 5d 07:41:01
Local via ge-0/0/8.0
172.20.101.0/24 * [Direct/0] 5d 07:41:01
> via ge-0/0/4.0
172.20.101.1/32 * [Local/0] 5d 07:41:01
Local via ge-0/0/4.0
172.20.102.0/24 * [OSPF/10] 00:09:20, metric 2
to 172.20.77.2 via ge-0/0/8.0
> to 172.20.66.2 via ge-0/0/7.0
172.21.0.0/24 * [Static/5] 5d 07:41:01
> to 172.20.101.10 via ge-0/0/4.0
172.21.1.0/24 * [Static/5] 5d 07:41:01
> to 172.20.101.10 via ge-0/0/4.0
172.21.2.0/24 * [Static/5] 5d 07:41:01
> to 172.20.101.10 via ge-0/0/4.0
172.25.11.0/24 * [Direct/0] 3w0d 00:00:59
> via ge-0/0/0.0
172.25.11.1/32 * [Local/0] 3w0d 00:00:59
Local via ge-0/0/0.0
192.168.1.1/32 * [Direct/0] 2w6d 22:54:00
> via loO.O
192.168.1.2/32 * [Static/5] 5d 07:41:01
> to 172.20.101.10 via ge-0/0/4.0
192.168.2.1/32 * [OSPF/10] 00:09:20, metric 1
to 172.20.77.2 via ge-0/0/8.0
> to 172.20.66.2 via ge-0/0/7.0
192.168.2.2/32 * [OSPF/10] 00:09:20, metric 2
to 172.20.77.2 via ge-0/0/8.0
> to 172.20.66.2 via ge-0/0/7.0
224.0.0.5/32 * [OSPF/10] 2w6d 22:54:01, metric 1
MultiRecv
Question: Does your device still show its OSPF neighbor adjacencies in
the Full state?
Answer: Yes, at this time vSRX-1 should show two OSPF neighbor
adjacencies in the Full state.
Question: Does vSRX-1 have the required route table entries to route
to all internal and external destinations?
Answer: Yes, at this time all student devices should have the required
route table entries to facilitate routing to both internal and external
destination prefixes.
Question: Which route entries have been learned using the OSPF
protocol?
[edit firewall]
lab@vSRX-l# edit family ?
Possible completions:
> any Protocol-independent filter
> CCC Protocol family CCC for firewall filter
> ethernet-switching Protocol family Ethernet Switching for firewall filter
> evpn Protocol family EVPN for firewall filter
> inet Protocol family IPv4 for firewall filter
> inet6 Protocol family IPv6 for firewall filter
> mpls Protocol family MPLS for firewall filter
> vpls Protocol family VPLS for firewall filter
[edit firewall]
lab@vSRX-l#
Answer: The family inet firewall filter option is used for IPv4
firewall filters.
Step 2.2
Issue the edit family inet filter protect-host command in preparation to create a new
IPv4 firewall filter named protect-host.
[edit firewall]
lab@vSRX-l# edit family inet filter protect-host
commit complete
Note
Answer: Only one of the ping tests succeeds. As shown, the ping test
to the vSRX-1 loopback address does not succeed while the ping test
to the Internet host does succeed. Based on the current
configuration, this result is expected. Remember that our recently
added loopback filter only permits inbound ICMP traffic from the
management subnet. The new filter does not, however, affect transit
traffic.
Step 2.8
Attempt to establish SSH and Telnet sessions with vSRX-1. Use the loopback address assigned to vSRX-1
as the destination address.
Note
Note
lab@vSRX-VR>
Step 2.9
To confirm that the firewall filter applied to your student device’s loopback interface permits inbound
ICMP echo requests, SSH, and Telnet traffic destined for the local host and sourced from the
management subnet, attempt the same tests performed in the previous two steps. Perform these tests
from your vSRX-VR CLI session, but do not specify a routing instance. Use the management IP address
assigned to vSRX-1 as the destination address. Refer to the management network diagram as needed.
lab@vSRX-VR> ping 172.25.11.1 rapid count 25
PING 172.25.11.1 (172.25.11.1): 56 data bytes
I I I I I I I I I I I I I I I I I I I I I I I I I
Answer: Yes, the ping test should now succeed because the ICMP
echo requests use a source address within the management subnet.
lab@vSRX-l> exit
lab@vSRX-l> exit
lab@vSRX-VR>
Step 2.10
Return to the open CLI session with vSRX-1.
From the open CLI session with vSRX-1, issue the run show ospf neighbor and
run show route commands to verify the current state of the OSPF neighbors and route table entries.
[edit interfaces loO]
lab@vSRX-l# run show ospf neighbor
0.0.0.0/0 'k
[Static/5] 5d 07:47:28
> to 172.18.1.1 via ge-0/0/1.0
172.18.1.0/30 * [Direct/0] 5d 07:47:28
> via ge-0/0/1.0
172.18.1.2/32 *
[Local/0] 5d 07:47:28
Local via ge-0/0/1.0
172.20.66.0/30 * [Direct/0] 5d 07:47:28
> via ge-0/0/7.0
172.20.66.1/32 *
[Local/0] 5d 07:47:28
Local via ge-0/0/7.0
172.20.77.0/30 * [Direct/0] 5d 07:47:28
Step 2.11
Deactivate the firewall filter applied to the loopback interface on vSRX-1 and commit the configuration
change.
[edit interfaces loO]
lab@vSRX-l# deactivate unit 0 family inet filter
family inet {
inactive: filter {
input protect-host;
}
address 192.168.1.1/32;
}
}
172.21.2.0/24 ■k
[Static/5] 5d 07:48:22
> to 172.20.101.10 via ge-0/0/4.0
172.25.11.0/24 * [Direct/0] 3w0d 00:08:20
> via ge-0/0/0.0
172.25.11.1/32 * [Local/0] 3w0d 00:08:20
Local via ge-0/0/0.0
192.168.1.1/32 * [Direct/0] 2w6d 23:01:21
> via loO.O
192.168.1.2/32 * [Static/5] 5d 07:48:22
> to 172.20.101.10 via ge-0/0/4.0
192.168.2.1/32 * [OSPF/10] 00:00:04, metric 1
to 172.20.77.2 via ge-0/0/8.0
> to 172.20.66.2 via ge-0/0/7.0
192.168.2.2/32 * [OSPF/10] 00:00:04, metric 2
to 172.20.77.2 via ge-0/0/8.0
> to 172.20.66.2 via ge-0/0/7.0
224.0.0.5/32 * [OSPF/10] 2w6d 23:01:22, metric 1
MultiRecv
Question: With the firewall filter inactive, does vSRX-1 again see OSPF
neighbor adjacencies and routes?
Step 2.13
Navigate to the [edit firewall family inet filter protect-host] hierarchy level.
Restructure the protect-host firewall filter to accomplish the previously stated objectives and also
explicitly allows all other traffic through a term named else-accept that implicitly allows all other
traffic. Include a counter for each defined term. Name each of the counters count -x, where x is the
name of the associated term.
Note
source-address {
172.25.11.0/24 except;
0.0.0.0/0;
}
protocol tcp;
port ssh;
}
then {
count count-limit-ssh;
discard;
}
}
term limit-telnet {
from {
source-address {
172.25.11.0/24 except;
0.0.0.0/0;
}
protocol tcp;
port telnet;
}
then {
count count-limit-telnet;
discard;
}
}
term else-accept {
then {
count count-else-accept;
accept;
}
}
lab@vSRX-l>
Step 2.15
Issue the show ospf neighbor and show route commands again to verify that the state of the
OSPF neighbors is Full and that OSPF routes are still present.
lab@vSRX-l> show ospf neighbor
Address Interface State ID Pri Dead
172.20.77.2 ge-0/0/8.0 Full 192.168.2.1 128 36
172.20.66.2 ge-0/0/7.0 Full 192.168.2.1 128 37
Question: With the firewall filter updated and reapplied, does your
assigned device still see OSPF neighbor adjacencies and OSPF
routes?
Step 2.16
Return to the open CLI session with vSRX-VR.
From the open CLI session with vSRX-VR, attempt to ping the IP address assigned to the vSRX-1 loopback
interface from virtual router Juniper-sv.
Note
Remember that you must reference the appropriate instance
name when sourcing ICMP traffic from a virtual router.
Step 2.17
From Juniper-sv, attempt to establish SSH and Telnet sessions with vSRX-1. Use the vSRX-1 loopback
address as the destination address.
Note
Remember that you must reference the appropriate instance
name when sourcing traffic from a virtual router.
Note
Use the Ctrl+c sequence to break unresponsive attempts for
FTP, SSH, and Telnet sessions.
lab@vSRX-VR>
Step 2.18
To confirm that the firewall filter applied to your student device’s loopback interface permits inbound
ICMP echo requests, FTP, SSH, and Telnet traffic destined for the local host and sourced from the
management subnet, attempt the same tests performed in the previous two steps. Perform these tests
from vSRX-VR, but do not specify a routing instance. Use the management IP address assigned to vSRX-1
as the destination address. Refer to the management network diagram as needed.
lab@vSRX-VR> ping 172.25.11.1 rapid count 25
PING 172.25.11.1 (172.25.11.1): 56 data bytes
I I I I I I I I I I I I I I I I I I I I I I I I I
Answer: Yes, the ping test should now succeed because the ICMP
echo requests use a source address within the management subnet.
lab@vSRX-l> exit
login: lab
Password:
Last login: Fri Feb 7 17:54:51 from 172.25.11.9
lab@vSRX-l> exit
lab@vSRX-VR>
Answer: Yes, based on the results of the verification tasks, the applied
loopback filter is working as designed.
Step 2.19
Return to the open CLI session with vSRX-1.
From the open CLI session with vSRX-1, issue the show firewall command to determine if the
counters are incrementing.
lab@vSRX-l> show firewall
Filter: protect-host
Counters:
Name Bytes Packets
count-else-accept 45561 569
count-limit-icmp 1848 22
count-limit-ssh 128 2
count-limit-telnet 64 1
[edit]
lab@vSRX-l# load override ajsec/Iab2-part3-start.config
[edit]
lab@vSRX-l# commit
commit complete
[edit]
lab@vSRX-l#
Step 3.2
Return to the CLI session with vSRX-2.
From the open CLI session with vSRX-2, enter configuration mode and load the lab configuration file
using the load override ajsec/lab2-part3-start . configcommand. After the configuration
has been loaded, commit the changes and exit to operational mode.
lab@vSRX-2> configure
Entering configuration mode
[edit]
lab@vSRX-2# load override ajsec/Iab2-part3-start.config
[edit]
lab@vSRX-2# commit and-quit
commit complete
Exiting configuration mode
lab@vSRX-2
Step 3.3
Return to the open CLI session with vSRX-1.
From the open CLI session with vSRX-1, navigate to the [edit routing-instances] hierarchy
level. Configure two VRs— Juniper-sv and acme-sv. The Juniper-svW should contain the
ge-0/0/4 interface that directly connects the vSRX-1 device with the Juniper-SV device. Then, the
ACME-SV VR should contain the ge-0/0/5 interface that directly connects the vSRX-1 device with the
ACME-SV device.
[edit]
lab@vSRX-l# edit routing-instances
[edit routing-instances]
lab@vSRX-l# set Jun±per-SV instance-type virtual-router
[edit routing-instances]
lab@vSRX-l# set Juniper-SV interface ge-0/0/4
[edit routing-instances]
lab@vSRX-l# set ACME-SV instance-type virtual-router
[edit routing-instances]
lab@vSRX-l# set ACME-SV interface ge-0/0/5
[edit routing-instances]
lab@vSRX-l# show
ACME-SV {
instance-type virtual-router;
interface ge-0/0/5.0;
}
Juniper-sv {
instance-type virtual-router;
interface ge-0/0/4.0;
[edit routing-instances]
lab@vSRX-l
Step 3.4
Configure a security policy named internet-access to permit all traffic from the Juniper-sv zone
to the untrust zone. When you are finished, commit your configuration.
[edit routing-instances]
lab@vSRX-l# top edit security policies from-zone Juniper-SV to-zone untrust policy
Internet-access
}
then {
permit;
}
Answer: The message shows that the next upstream router, the
vSRX-1 device, cannot reach the Internet host.
Step 3.6
Return to the open CLI session established with the vSRX-1 device.
From the open CLI session with vSRX-1, navigate to the [edit routing-instances] hierarchy and
issue the run show route table juniper-sv. inet. 0 and run show route table
acme-sv. inet. 0 commands.
Note
Even though the routing table names have capital letters, it is
not necessary to capitalize any part of the previous commands.
[edit routing-instances]
lab@vSRX-l# run show route table juniper-sv.inet.0
[edit routing-instances]
lab@vSRX-l# run show route table acme-sv.inet.0
Question: Why is traffic that is destined for the Internet host being
discarded?
Step 3.7
Configure the Juniper-svar\6 ACME-SV routing instances to use the main routing instance’s inet.O
routing table for unknown destinations. When you are finished, commit the configuration.
[edit routing-instances]
lab@vSRX-l# set Juniper-SV routing-options static route 0/0 next-table inet.O
[edit routing-instances]
lab@vSRX-l# set ACME-SV routing-options static route 0/0 next-table inet.O
[edit routing-instances]
lab@vSRX-l# commit
commit complete
Step 3.8
Issue the commands run show route table juniper-sv. inet. 0 and
run show route table acme-sv.inet.0.
[edit routing-instances]
lab@vSRX-l# run show route table juniper-sv.inet.0
[edit routing-instances]
lab@vSRX-l# run show route table acme-sv. inet.0
Question: How are the default static routes in the VRs resolving the
next hop?
Answer: The next hop is resolving through the inet.O routing table.
Step 3.9
Return to the open CLI session established with the vSRX-VR device.
From the open CLI session with vSRX-VR, ping the Internet host by issuing the ping 172.31.15.1
routing-instance Juniper-SV count 2 command.
lab@vSRX-VR> ping 172.31.15.1 routing-instance Juniper-SV count 2
PING 172.31.15.1 (172.31.15.1): 56 data bytes
64 bytes from 172.31.15.1: icmp_seq=0 ttl=63 time=14.789 ms
64 bytes from 172.31.15.1: icmp seq=l ttl=63 time=1.036 ms
Answer: The VRs have a default route that resolves through the main
routing instance’s inet.O routing table.
Step 3.10
Return to the open CLI session with vSRX-1.
From the open CLI session with vSRX-1, issue the run show route table inet. 0 command and
examine the routing table.
0.0.0.0/0 ■k
[Static/5] 00:17:06
> to 172.18.1.1 via ge-0/0/1.0
172.18.1.0/30 * [Direct/0] 00:17:06
> via ge-0/0/1.0
172.18.1.2/32 * [Local/0] 00:17:06
Local via ge-0/0/1.0
172.25.11.0/24 * [Direct/0] 01:13:12
> via ge-0/0/0.0
172.25.11.1/32 * [Local/0] 01:13:12
Local via ge-0/0/0.0
192.168.1.1/32 * [Direct/0] 3w0d 00:59:54
> via loO.O
Answer: No. The inet.O routing table does not have a route to either
attached device.
Step 4.2
Return to the open CLI session with vSRX-1.
From the open CLI session with vSRX-1, issue the run show route table junlper-sv. inet. 0
and run show route table acme-sv. inet. 0 commands.
[edit routing-instances]
lab@vSRX-l# run show route table jun±per-sv.inet.0
[edit routing-instances]
lab@vSRX-l# run show route table acme-sv. inet.0
Step 4.3
Navigating to the [edit interfaces lt-0/0/0] hierarchy level. Configure unit 1 with the IP
address of 172.21.1.1/30, and unit 2 with the IP address of 172.21.1.2/30. Configure peering between
the two units, and configure both units with Ethernet encapsulation.
[edit routing-instances]
lab@vSRX-l# up 1 edit interfaces lt-0/0/0
Step 4.4
Associate the lt-0/0/0.1 interface with the Juniper-svinstance. Associate the lt-0/0/0.2 interface
with the ACME-VR instance.
[edit interfaces lt-0/0/0]
lab@vSRX-l# up 2 edit routing-instances
[edit routing-instances]
lab@vSRX-l# set Juziiper-SV interface lt-0/0/0.1
[edit routing-instances]
lab@vSRX-l# set ACME-SV interface lt-0/0/0.2
[edit routing-instances]
lab@vSRX-l#
Step 4.5
Configure OSPF in the Juniper-svan6 acme-svWs. Place the lt-0/0/0.1 and the
ge-0/0/4 interface inside area 0 in the Juniper-sv\/R. Place the lt-0/0/0.2 and the
ge-0/0/5 interface inside area 0 in the acme-svVR. Add the passive option to both
ge-0/0/4 and ge-0/0/5 interfaces inside of OSPF for their respective VRs. When you are finished
commit the configuration.
[edit routing-instances]
lab@vSRX-l# set Juniper-SV protocols ospf area 0 interface lt-0/0/0.1
[edit routing-instances]
lab@vSRX-l# set Juniper-SV protocols ospf area 0 interface ge-0/0/4 passive
[edit routing-instances]
lab@vSRX-l# set ACME-SV protocols ospf area 0 interface lt-0/0/0.2
[edit routing-instances]
lab@vSRX-l# set ACME-SV protocols ospf area 0 interface ge-0/0/5 passive
[edit routing-instances]
lab@vSRX-l# show
ACME-SV {
instance-type virtual-router;
routing-options {
static {
route 0.0.0.0/0 next-table inet.O;
}
}
protocols {
ospf {
area 0.0.0.0 {
interface lt-0/0/0.2;
interface ge-0/0/5.0 {
passive;
}
}
}
}
interface lt-0/0/0.2;
interface ge-0/0/5.0;
}
Juniper-SV {
instance-type virtual-router;
routing-options {
static {
route 0.0.0.0/0 next-table inet.O;
}
}
protocols {
ospf {
area 0.0.0.0 {
interface lt-0/0/0.1;
interface ge-0/0/4.0 {
passive;
}
}
}
}
interface lt-0/0/0.1;
interface ge-0/0/4.0;
}
[edit routing-instances]
lab@vSRX-l# commit
commit complete
Step 4.6
Issue the run show ospf interface command.
[edit routing-instances]
lab@vSRX-l# run show ospf interface
OSPF instance is not running
Step 4.7
Issue the run show ospf interface instance Juniper-SV3^6 run show ospf
interface instance ACME-SVcommands.
[edit routing-instances]
lab@vSRX-l# run show ospf interface instance Juniper-SV
Interface state Area DR ID BDR ID Nbrs
ge-0/0/4.0 DRother 0.0.0.0 0.0.0.0 0.0.0.0 0
lt-0/0/0.1 DR 0.0.0.0 172.20.101.1 0.0.0.0 0
Step 4.8
Test connectivity between the Juniper-VR and acme-vr instances by issuing the run ping
172.21.1.2 routing-instance Juniper-SV count 2command.
[edit routing-instances]
lab@vSRX-l# run ping 172.21.1.2 routing-instance Jiiniper-SV count 2
PING 172.21.1.2 (172.21.1.2): 56 data bytes
Question: What is a possible reason for the ping test and the OSPF
adjacency failures?
Answer: A possible reason for the ping test and OSPF adjacency
failures is a security zone issue.
Step 4.9
Issue the run show security zones command.
[edit routing-instances]
lab@vSRX-l# run show security zones
Security zone: ACME-SV
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bound: 1
Interfaces:
ge-0/0/5.0
Answer: No. The logical tunnel interfaces are not bound to any security
zones.
Step 4.10
Bind the lt-0/0/0.1 interface to the Juniper-svzone. Bind the lt-0/0/0.2 interface to the acme-sv
zone. Allow both logical tunnel interfaces to process ping requests and OSPF packets. When you are
finished, commit the configuration.
[edit routing-instances]
lab@vSRX-l# top edit security zones security-zone Junlper-SV
}
protocols {
ospf ;
}
}
}
}
Step 4.12
Issue the run show ospf interface instance Juniper-SV a nd run show ospf
interface instance ACMB-SVcommands.
Step 4.13
Check the status of the OSPF neighbor adjacencies by issuing the run show ospf neighbor
instance all command.
Note
It might take a minute for the OSPF adjacencies to reach the
Full state.
Instance: Juniper-SV
Address Interface State ID Pri Dead
172.21.1.2 lt-0/0/0.1 Full 172.20.201.1 128 33
Step 4.14
Examine the Juniper-svar\6 acme-SV VR routing tables.
[edit security zones]
lab@vSRX-l# run show route table juniper-sv.inet.0
Step 4.15
Configure a security policy named intra-VR-access-Jio permit all traffic from the Juniper-sv
zone to the Juniper-sv zone.
[edit routing-instances]
lab@vSRX-l# top edit security policies from-zone Juniper-SV to-zone Juniper-SV
policy Intra-VR-access-J
}
then {
permit;
}
Step 4.17
Return to the open CLI session with vSRX-VR.
From the open CLI session with vSRX-VR, test communication between the Juniper-SV and ACME-SV
customer devices that are directly connected to the vSRX-1 device. Issue the
telnet 172.20.201.10 routing-instance Juniper-SV com ma nd.
lab@vSRX-VR> telnet 172.20.201.10 routing-instance Juniper-SV
Trying 172.20.201.10...
Connected to 172.20.201.10.
Escape character is ]'. I A
login:
Step 4.18
Log in to the vSRX-VR device with username lab and password labl23 to ensure that the Telnet
session does not time out.
login: lab
Password:
Last login: Fri Feb 7 10:54:05 from 172.25.11.254
lab@vSRX-VR>
Step 4.19
Return to the open session established with the vSRX-1 device.
Step 4.20
Return to the open CLI session with vSRX-VR.
From the open CLI session with vSRX-VR, exit the Telnet session.
lab@vSRX-VR> exit
Connection closed by foreign host.
lab@vSRX-VR>
[edit routing-options]
lab@vSRX-l# show
static {
route 0.0.0.0/0 next-hop 172.18.1.1;
}
rib-groups {
ACME-to-Main {
import-rib [ ACME-SV.inet.0 inet.O ];
}
}
[edit routing-options]
lab@vSRX-l# top edit routing-instances ACME-SV routing-options
0.0.0.0/0 ■k
[Static/5] 00:08:37
> to 172.18.1.1 via ge-0/0/1.0
172.18.1.0/30 * [Direct/0] 00:08:37
> via ge-0/0/1.0
172.18.1.2/32 * [Local/0] 00:08:37
Local via ge-0/0/1.0
172.19.1.0/30 * [Direct/0] 00:00:03
> via ge-0/0/7.0
172.19.1.1/32 * [Local/0] 00:00:03
Local via ge-0/0/7.0
172.20.201.0/24 * [Direct/0] 00:00:03
> via ge-0/0/5.0
172.20.201.1/32 * [Local/0] 00:00:03
Local via ge-0/0/5.0
ff02::2/128 ■k
[INET6/0] 00:50:52
MultiRecv
Answer: You will be sending traffic from the ACME-SV device to the
ACME-WF device and this traffic will return on the ge-0/0/7 interface
on the vSRX-1 device. This interface is located in the main routing
instance. The main routing instance uses the inet.O routing table to
resolve the destination address. Because the route to the ACME-SV
device is located inside the acme-sv. inet.O routing table, the main
routing instance does not have a method to send traffic to the
ACME-WF device by default. Copying routes from the acme-sv. inet.O
routing table to the inet.O routing table allows this traffic to be sent to
the ACME-SV device when it arrives on the vSRX-1 device.
Step 5.6
Configure a forwarding routing instance named FBF-ins tance. Configure a default static route that will
send all traffic to the vSRX-2 device over the ge-0/0/7 interface.
[edit routing-instances ACME-SV routing-options]
lab@vSRX-l# top edit routing-instances FBF-instance
Step 5.10
Return to the open session established with the vSRX-1 device.
From the vSRX-1 device, issue the run show firewall filter fbf- filter command.
[edit interfaces ge-0/0/5 unit 0]
lab@vSRX-l# run show firewall filter FBF-filter
Filter: FBF-fliter
Counters:
Name Bytes Packets
FBF-counter 168 2
Answer: Yes. The filter is being applied to this traffic as the counter is
incrementing.
Step 5.11
Issue the run show route table FBF-instance. inet. 0 command.
[edit interfaces ge-0/0/5 unit 0]
lab@vSRX-l# run show route table FBF-instance.inet.0
Question: How can you put the necessary routing information in this
routing instance?
Step 5.12
Configure the Main-to-FBF RIB group to copy interface routes from the inet. 0 routing table to the
FBF-instance. Inet. 0 routing table. Configure a policy to allow only the
172.19.1.0/30 prefix to be copied from the inet. 0 routing table. When you are finished, commit the
configuration and exit to operational mode.
[edit interfaces vlan unit 201]
lab@vSRX-l# top edit policy-options policy-statement only-172.19.1.0/30 term
accept-route
[edit routing-options]
lab@vSRX-l# set interface-routes rib-group inet Main-to-FBF
[edit routing-options]
lab@vSRX-l# show
interface-routes {
rib-group inet Main-to-FBF;
}
static {
route 0.0.0.0/0 next-hop 172.18.1.1;
}
rib-groups {
ACME-to-Main {
import-rib [ ACME-SV.inet.0 inet.O ];
}
Main-to-FBF {
import-rib [ inet.O FBF-instance.inet.0 ];
import-policy only-172.19.1.0/30;
}
}
[edit routing-options]
lab@vSRX-l# commit and-quit
commit complete
lab@vSRX-l>
Step 5.13
Issue the show route table FBF-instance. Inet.Q connnnand and examinethe routing table.
lab@vSRX-l> show route table FBF-instance.0
Step 5.14
Return to the open CLI session with vSRX-VR.
From the open CLI session with vSRX-VR, issue the command ping 172.20.202.10
routing-instance ACME-sv count 2 to establish communication between the ACME-SV and
ACME-WF customer devices.
lab@vSRX-VR> ping 172.20.202.10 routing-instance ACME-SV count 2
PING 172.20.202.10 (172.20.202.10): 56 data bytes
64 bytes from 172.20.202.10: icmp_seq=0 ttl=62 time=10.203 ms
64 bytes from 172.20.202.10: icmp seq=l ttl=62 time=5.594 ms
Step 5.15
Initiate a Telnet session from the ACME-SV device to the ACME-WF device. Issue the
telnet 172.20.202.10 routing-instance ACME-SVcommand.
Step 5.16
Log in to the vSRX-VR device with username lab and password labl23 to ensure that the Telnet
session does not time out.
login: lab
Password:
Last login: Fri Feb 7 12:32:38 from 172.25.11.3
lab@vSRX-VR>
Step 5.17
Return to the open CLI session with vSRX-1.
From the open CLI session with vSRX-1, issue the command show security flow session
application telnet and examine the session table.
lab@vSRX-l> show security flow session application telnet
Session ID: 16191, Policy name: FBF-ACME-SV/4, Timeout: 1778, Valid
In: 172.20.201.10/53752 172.20.202.10/23;tcp. Conn Tag: 0x0, If: ge-0/0/5.0.
Pkts: 28, Bytes: 1620,
Out: 172.20.202.10/23 -- 172.20.201.10/53752;tcp. Conn Tag: 0x0, If: ge-0/0/7.0.
Pkts : 22, Bytes: 1440,
Total sessions: 1
Answer: The ge-0/0/5 and the ge-0/0/7 interfaces are being used for
the Telnet session.
Step 5.18
Return to the open CLI session with vSRX-VR.
From the open CLI session with vSRX-VR, exit the session and then log out of the vSRX-VR device.
lab@vSRX-VR> exit
lab@vSRX-VR> exit
Step 5.19
Return to the open CLI session with vSRX-1.
From the open CLI session with vSRX-1, log out using the exit command.
lab@vSRX-l> exit
Step 5.20
Return to the open CLI session with vSRX-2
From the open CLI session with vSRX-2, log out using the exit command.
lab@vSRX-2 exit
STOP
Tell your instructor that you completed this lab.
Internet
172.31.15.1
%
-
\
** fda2;:/126 \
.1 •1)
Qe-QIQI7 .1 172,20,66,0/30 ,2) ge-0/0/7 \
vSRX-1 vSRX-2
loO: 192.168.1.1 loO: 192.168.2.1
t ge-0/0/8 (.1) 172.20.77.0/30 (.2) ge-0/0/8 1
fda9::1 fda9::2
(.1) fdal ;:/126 (.1) I
(•1) ge-0/0/4.0 ge-0/0/4.0 (.1) I
I
172.20.101.0/24 172.20.102.0/24
I
OSPFArea O.O.O.O
(.10) /
(.10)
172.21.0.0/24 I
Juniper-WF
172.21.1.0/24
Juniper-SV
loO: 192.168.2.2
loO: 192.168.1.2
172.21.2.0/24
Internet
172.31.15.1
.-S’"
ge-0/0/7 (.1) 172.19.1.0/30 (.2) ge-QIQI7
vSRX-1
172.20.101.0/24 172.20.202.0/24
172.20.201.0/24 vSRX-VR 172.20.102.0/24
Overview
In this lab, you will troubleshoot zones and policies. You will use the Junos CLI to analyze trace log files to
determine the causes for detected problems. Then, you will define and implement the solutions to the
problems.
In this lab, you will perform the following tasks:
• Troubleshoot security zones.
• Troubleshoot security policies.
Implement solutions.
step 1.1
You will primarily configure the vSRX-1 device. The vSRX-2 and vSRX-VR devices are already configured for
you. Consult the Management Network Diagram to determine the management addresses of your
devices.
Step 1.2
Access the CLI on the vSRX-1 device using SSH or console as directed by your instructor. Log in with the
username lab and password labl23. Enter configuration mode and load the lab3-start. config
from the a j sec directory. Commit the configuration when complete and exit to operational mode.
FreeBSD/amd64 (vSRX-1) (ttyuO)
login: lab
Password:
Last login: Wed Apr 29 18:42:51 2020 from 172.25.11.254
-- JUNOS 20.lRl.il Kernel 64-bit XEN JNPR-11.0-20200219.fbl20e7_buil
lab@vSRX-l> configure
Entering configuration mode
[edit]
lab@vSRX-l# load override a.jsec/lab3-start.config
load complete
lab@vSRX-l>
Step 1.3
Step 1.4
Access the CLI on the vSRX-2 device using SSH or console as directed by your instructor. Log in with the
user name lab and password labl23. Enter configuration mode and load the lab3-stdrt. config
from the a J sec directory. Commit the configuration and exit to operational mode when complete.
Note
login: lab
Password:
Last login: Fri May 1 21:07:26 2020 from 172.25.11.254
-- JUNOS 20.lRl.il Kernel 64-bit XEN JNPR-11.0-20200219.fbl20e7_buil
lab@vSRX-2> configure
Entering configuration mode
[edit]
lab@vSRX-2# load override ajsec/lab3-start.config
load complete
lab@vSRX-2
Step 1.5
Access the CLI on the vSRX-VR device using SSH or console as directed by your instructor. Log in with the
username lab and password labl23. Enter configuration mode and load the lab3-start. config
from the a J sec directory. Commit the configuration and exit to operational mode when complete.
Note
login: lab
Password:
Last login: Fri May 1 21:42:51 2020 from 172.25.11.254
-- JUNOS 20.lRl.il Kernel 64-bit XEN JNPR-11.0-20200219.fbl20e7_buil
lab@vSRX-VR> configure
Entering configuration mode
[edit]
lab@vSRX-VR# load override ajsec/lab3-start.config
load complete
lab@vSRX-VR>
Step 1.6
From the open session with vSRX-1, check the status of your configured Gigabit Ethernet and loopback
interfaces using the show interfaces terse | match ’’ge I lo I fxp” command.
lab@vSRX-l> show interfaces terse | match ’’ge | lo | fxp"
Interface Admin Link Proto Local Remote
ge-0/0/0 down down
ge-0/0/1 up up
ge-0/0/1.0 up up inet 172.18.1.2/30
ge-0/0/2 up up
ge-0/0/3 up up
ge-0/0/4 up up
ge-0/0/4.0 up up inet 10.10.101.1/24
ge-0/0/5 up up
ge-0/0/5.0 up up inet 10.10.102.1/24
ge-0/0/6 up up
up up
up up
fxpO up up
fxpO.0 up up inet 172.25.11.1/24
loO up up
loO.O up up inet 192.168.1.1 0/0
100.16384 up up inet 127.0.0.1 0/0
100.16385 up up inet 10.0.0.1 0/0
100.32768 up up
Step 1.7
Return to the established session with vSRX-VR.
On the vSRX-VR device, verify reachability from each routing instance to the directly connected interface
on the vSRX-1 device by using the ping command. Be sure to source your ping from the correct routing
instance.
lab@vSRX-VR> ping 10.10.101.1 count 3 routing-instance vrlOl
PING 10.10.101.1 (10.10.101.1): 56 data bytes
64 bytes from 10.10.101.1: icmp_seq=0 ttl=64 time=1.134 ms
64 bytes from 10.10.101.1: icmp_seq=l ttl=64 time=0.998 ms
64 bytes from 10.10.101.1: icmp seq=2 ttl=64 time=0.884 ms
Step 2.2
View the forwarding decision on vrlOl to the vSRX-1 device loopback address.
lab@vSRX-VR> show route 192.168.1.1 table vrlOl.inet.O
Answer: The pings are sent from vrl OllQ vSRX-1, and vrl 01 uses
the correct interface for vSRX-1, so the vSRX-1 seems to be the device
discarding the packets.
step 2.3
Return to the session established with the vSRX-1 device.
On the vSRX-1 device, check the zone assignment for the loopback interface loO . 0 and check to see if
ping is allowed in host-inbound-traffic.
lab@vSRX-l> show interfaces loO.O | find security
Security: Zone: Null
Protocol inet, MTU: Unlimited
Max nh cache: 0, New hold nh limit: 0, Curr nh ent: 0, Curr new hold ent: 0,
NH drop ent: 0
Flags: Sendbeast-pkt-to-re
Addresses, Flags: Is-Default Is-Primary
Local: 192.168.1.1
Answer: The loO. 0 interface is assigned to the Null zone and has
notallowed anything in host-inbound-traffic. If an interface
belongs to the Null zone, all traffic on that interface is dropped.
Step 2.4
Enter configuration mode and assign the loO . 0 interface to the Juniper-sv zone. Check if the
zone-level host-inbound-traffic statement allows ping. Commit the configuration changesand
exit to operational mode.
lab@vSRX-l> configure
Entering configuration mode
[edit]
lab@vSRX-l# set security zones security-zone Juniper-SV interfaces loO.O
[edit]
lab@vSRX-l# show security zones security-zone Juniper-SV
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
ge-0/0/4.0;
loO.O;
}
[edit]
lab@vSRX-l# commit and-quit
commit complete
Exiting configuration mode
lab@vSRX-l>
Step 2.5
Review the loO . 0 interface details again.
Step 2.6
Return to the session established with the vSRX-VR device.
On the vSRX-VR device, test the reachability from vrlOl to the vSRX-1 device loopback address by using
the ping command. Be sure to source your ping from the vrlOl routing instance.
lab@vSRX-VR> ping 192.168.1.1 count 3 routing-instance vrlOl
PING 192.168.1.1 (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=64 time=0.995 ms
64 bytes from 192.168.1.1: icmp_seq=l ttl=64 time=1.021 ms
64 bytes from 192.168.1.1: iemp seq=2 ttl=64 time=1.043 ms
When the session does not establish after a few seconds, press the
Ctrl + c keyboard sequence to cancel the attempt.
lab@vSRX-VR>
Step 3.2
Return to the session established with the vSRX-1 device.
On the vSRX-1 device, test which security policy is used to handle the SSH connection from vrl Olio the
Internet host. Use the show security match-policies command. Use the 1024 source port in
the command.
lab@vSRX-l> show security match-policies from-zone Juniper-SV to-zone untrust
source-ip 10.10.101.10 destination-ip 172.31.15.1 protocol tcp source-port 1024
destination-port 22
Policy: Default-Policy, action-type: deny-all. State: enabled. Index: 2
Sequence number: 2
Step 3.3
View existing policies from the Juniper-sv to un trust zones context by using the detail option.
lab@vSRX-l> show security policies from-zone Juniper-SV to-zone untrust detail
Policy: internet-Juniper-SV, action-type: permit. State: enabled. Index: 4, Scope
Policy: 0
Policy Type: Configured
Sequence number: 1
From zone: Juniper-sv, To zone: untrust
Source vrf group:
any
Destination vrf group:
any
Source addresses:
vrlOl(Juniper-SV): 10.10.101.0/24
Destination addresses:
internet-host(untrust): 172.31.16.1/32
Application: any
IP protocol: 0, ALG: 0, Inactivity timeout: 0
Source port range: [0-0]
Destination ports: [0-0]
Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No
Question: If yes, why is the policy not used to handle the SSH
connection?
Question: What would you change for the policy to handle all traffic to
the Internet host?
step 3.4
Modify the address book entry in the address book of the untrust zone for the Internet host. Commit
the change and exit to the operational mode.
lab@vSRX-l> configure
Entering configuration mode
[edit]
lab@vSRX-l# edit security address-book untrust
lab@vSRX-l>
Step 3.5
Return to the session established with the vSRX-VR device.
On the vSRX-VR device, establish an SSH connection from vrl 01 to the Internet host. If prompted about
an ECDSA key fingerprint respond yes. Login with a password of labl23
lab@vSRX-VR> ssh 172.31.15.1 routing-instance vrlOl
The authenticity of host ’172.31.15.1 (172.31.15.1)’ can’t be established.
ECDSA key fingerprint is 4f:4b:49:30:e7:53:57:73:54:e2:ea:al:37:42:d5:27.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ’172.31.15.1’ (ECDSA) to the list of known hosts.
Password: labl23
Last login: Sun May 3 14:14:06 2020 from 172.18.1.2
-- JUNOS 20.lRl.il Kernel 64-bit XEN JNPR-11.0-20200219.fbl20e7_buil
lab@vSRX-VR>
Step 3.6
Return to the session established with the vSRX-1 device.
On the vSRX-1 device, examine the session table for SSH sessions to the Internet host.
lab@vSRX-l> show security flow session destination-port 22 destination-prefix
172.31.15.1
Session ID: 8796, Policy name: internet-Juniper-SV/7, Timeout: 1726, Valid
In: 10.10.101.10/61873 172.31.15.1/22;tcp. Conn Tag: 0x0, If: ge-0/0/4.0.
Pkts : 18, Bytes: 3261,
Out: 172.31.15.1/22 10.10.101.10/61873;tcp. Conn Tag: 0x0, If: ge-0/0/3.0.
Pkts : 16, Bytes: 3773,
Total sessions: 1
lab@vSRX-l>
Step 3.7
Return to the open session on the vSRX-VR device.
On the vSRX-VR device, exit out of the ssh session.
lab@vSRX-VR> exit
lab@vSRX-VR>
Step 3.8
Return to the open session on the vSRX-1 device.
Modify the internet- Juniper-sv policy into a unified policy with a dynamic application match
criteria of any. Also, modify the application match criteria to junos-defaults.
lab@vSRX-l> configure
Entering configuration mode
[edit]
lab@vSRX-l# edit security policies from-zone Juniper-SV to-zone untrust
lab@vSRX-l>
Step 3.9
Return to the session established with the vSRX-VR device.
On the vSRX-VR device, establish an SSH connection from vrl 01 to the Internet host.
lab@vSRX-VR> ssh 172.31.15.1 routing-instance vrlOl
Password:labl23
Last login: Mon May 4 14:18:20 2020 from 172.18.1.2
-- JUNOS 20.lRl.il Kernel 64-bit XEN JNPR-11.0-20200219.fbl20e7_buil
lab@vSRX-VR>
Answer: Yes the change in the configuration did not impact the
connection to the Internet host.
Step 3.10
On the vSRX-VR device, exit from the established SSH session to the Internet host.
lab@vSRX-VR> exit
lab@vSRX-VR>
Step 3.11
Return to the session established with the vSRX-1 device.
On the vSRX-1 device, create a catch-all rule in the from-zone Juniper-sv to-zone untrust
hierarchy to drop and log all other packets that have not matched previous rules. Verify that it is at the
bottom of the list.
lab@vSRX-l> configure
Entering configuration mode
[edit]
lab@vSRX-l# edit security policies from-zone Juniper-SV to-zone untrust policy
catch-all-log
Answer: Yes, the new policy is at the bottom of the context list.
lab@vSRX-l>
Answer: Yes, there is a warning that your new policy is not a Unified
policy but the policy context includes Unified policies. They could be
processed in a different order then top to bottom.
Step 3.12
Return to the session established with the vSRX-VR device.
On the vSRX-VR device, establish an SSH connection from vrl 01 to the Internet host.
lab@vSRX-VR> ssh 172.31.15.1 routing-instance vrlOl
ssh: connect to host 172.31.15.1 port 22: Operation timed out
lab@vSRX-VR>
Answer: There are two options to fix this connection issue. First,
modify the ca tch-dll-log policy to be a Unified policy. Second
move the ca tch-all-log policy to the Global polices hierarchy and
only run standard policies there.
step 3.13
Return to the session established with the vSRX-1 device.
On the vSRX-1 device, modify the catch-all-log rule to include a dynamic application match criteria.
lab@vSRX-l> configure
Entering configuration mode
[edit]
lab@vSRX-l>
Step 3.14
Return to the session established with the vSRX-VR device.
On the vSRX-VR device, establish an SSH connection from vrl 01 to the Internet host.
lab@vSRX-VR> ssh 172.31.15.1 routing-instance vrlOl
Password:labl23
Last login: Mon May 4 14:18:20 2020 from 172.18.1.2
-- JUNOS 20.lRl.il Kernel 64-bit XEN JNPR-11.0-20200219.fbl20e7_buil
lab@vSRX-VR>
Step 3.15
On the vSRX-VR device, exit out of the ssh session.
lab@vSRX-VR>
If the session does not establish after a few seconds, press the
Ctrl + c keyboard sequence to cancel the attempt.
lab@vSRX-VR>
Step 4.2
Return to the session established with the vSRX-1 device.
On the vSRX-1 device, test which security policy is used to handle the SSH connection from vrl 01 to the
vSRX-1 interface in the ACME-svzone. Use the show security match-policies command and
enter the 1024 value for the source port.
lab@vSRX-l> show security match-policies from-zone Juniper-SV to-zone ACME-SV
source-ip 10.10.101.10 destination-ip 10.10.102.1 protocol tcp source-port 1024
destination-port 22
Policy: Juniper-SV-to-ACME-SV, action-type: permit, state: enabled. Index: 6
0
Policy Type: Configured
Sequence number: 1
From zone: Juniper-SV, To zone: ACME-SV
Source vrf group:
any
Destination vrf group:
any
Source addresses:
vrlOl(Juniper-SV): 10.10.101.0/24
Destination addresses:
Lab 3-18 • Troubleshooting security Zones and Policies www.juniper.net
Advanced Juniper Security
vrl02(ACME-SV): 10.10.102.0/24
Application: any
IP protocol: 0, ALG: 0, Inactivity timeout: 0
Source port range: [0-0]
Destination ports: [0-0]
Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No
Step 4.3
Verify if SSH is allowed on the vSRX-1 interface in the ACME-svzor\e.
lab@vSRX-l> show interfaces ge-0/0/5.0 extensive | find security
Zone: ACME-SV
Allowed host-inbound traffic : any-service bfd bgp dvmrp igmp Idp msdp nhrp
ospf ospf3 pgm pirn rip ripng router-discovery rsvp sap vrrp
Step 4.4
Enter configuration mode and enable traceoptions for packet flow processing. Define flow-log as the
file name, set the flag to basic-datapath, and specify a packet filter named Fl that only matches
traffic destined to the interface in the ACMB-svzone. Commit your configuration and exit to the
operational mode when complete.
lab@vSRX-l> configure
Entering configuration mode
[edit]
lab@vSRX-l# set security flow traceoptions file flow-log
[edit]
lab@vSRX-l# set security flow traceoptions packet-filter Fl destination-prefix
10.10.102.1/32
[edit]
lab@vSRX-l# show security flow
traceoptions {
file flow-log;
flag basic-datapath;
packet-filter Fl {
destination-prefix 10.10.102.1/32;
}
}
[edit]
lab@vSRX-l# commit and-quit
commit complete
Exiting configuration mode
lab@vSRX-l>
Step 4.5
Return to the session established with the vSRX-VR device.
On the vSRX-VR device, establish a SSH connection from vrl QI to the vSRX-1 interface in the kCME-sv
zone.
Note
When the session does not establish after a few seconds, press
the Ctrl + c keyboard sequence to cancel the attempt.
lab@vSRX-VR>
Step 4.6
Return to the session established with the vSRX-1 device.
On the vSRX-1 device, examine the flow- log traceoptions file.
Note
For the sake of clarity and time, the interesting lines are bolded
in the output.
May 3 15:53:52 15:53:52.288804:CID-0:RT: app 22, timeout 1800s, curr ageout 20s
May 3 15:53:52 15:53:52.292366:CID-0:RT: app 22, timeout 1800s, curr ageout 20s
Step 4.7
View the security policies from the ACME-svto junos-host zone context by using the detail
command.
lab@vSRX-l> show security policies from-zone ACME-SV to-zone junos-host detail
Policy: deny-ssh, action-type: deny. State: enabled. Index: 5, Scope Policy: 0
Policy Type: Configured
Sequence number: 1
From zone: ACME-SV, To zone: j unos-host
Source vrf group:
any
Destination vrf group:
any
Source addresses:
any-ipv4(ACME-SV): 0.0.0.0/0
any-ipv6(ACME-SV): ::/0
Destination addresses:
any-ipv4(global): 0.0.0.0/0
any-ipv6(global): ::/0
Application: junos-ssh
IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
Source port range: [0-0]
Destination ports: 22
Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No
Question: Does the security device have any policies from the
ACME-svio junos-host zone context?
Answer: There are several possible solutions. You could change the
action on the deny-ssh policy to permit, create a new policy higher
in the ordered list that allows this particular host to use SSH, or you
could delete the deny-ssh policy, because the default action for
connections to the j unos -hos t zone is permit.
Step 4.8
Enter configuration mode and delete the deny-ssh security policy. Commit the configuration and exit to
operational mode when complete.
lab@vSRX-l> configure
Entering configuration mode
[edit]
lab@vSRX-l# edit security policies
lab@vSRX-l>
Step 4.9
Return to the session established with the vSRX-VR device
On the vSRX-VR device, establish the SSH connection from vrlOl to the vSRX-1 interface in the
ACME-SV zone. Login with password labl23.
lab@vSRX-VR> ssh 10.10.102.1 routing-instance vrlOl
Password:labl23
Last login: Sun May 3 13:50:58 2020 from 172.25.11.254
Step 4.10
On the vSRX-VR device, use the exit command to disconnect from the established SSH session.
Terminate the session with the vSRX-VR by issuing exit again.
lab@vSRX-l> exit
lab@vSRX-VR> exit
Step 4.11
Return to the session established with the vSRX-1 device.
On the vSRX-1 device, remove the traceoptions configuration used for the troubleshooting process.
Commit the change and exit configuration mode.
lab@vSRX-l> configure
Entering configuration mode
[edit]
lab@vSRX-l# delete security flow traceoptions
[edit]
lab@vSRX-l# commit and-quit
commit complete
Exiting configuration mode
lab@vSRX-l>
Step 4.12
On vSRX-1, terminate the session by issuing the exit command.
lab@vSRX-l> exit
login:
Step 4.13
Return to the active session with the vSRX-2 device.
On the vSRX-2 device, issue the exit command to terminate the session.
lab@vSRX-2 exit
login:
STOP
Tell your instructor that you have completed this lab.
Internet
Internet Host
V 172.31.15.1
vSRX-1 vSRX-2
loO; 192.168.1.1 loO: 192.168.2.1
ge-0/0/5
vrlOl vrl02
vSRX-VR vr201 vr202
Overview
In this lab you will configure a hub-and-spoke VPN by using the Junos CLI. You will configure the vSRX-VR
device as the hub, and the vSRX-1 and vSRX-2 devices as spokes.
In this lab, you will perform the following tasks:
• Configure the hub for a hub-and-spoke VPN.
• Configure the spokes for a hub-and-spoke VPN.
• Monitor the effects of your configuration.
step 1.1
You will primarily configure the vSRX-1 and vSRX-VR devices. The vSRX-2 device is already configured for
you. Consult the Management Network Diagram to determine the management addresses of your
devices.
Step 1.2
Access the CLI on the vSRX-1 device using SSH or console as directed by your instructor. On the vSRX-1
device, login with the username lab and password labl23. Enter configuration mode and load the
lab4-start. config from the ajsec directory. Commit the configuration when complete.
FreeBSD/amd64 (vSRX-1) (ttyuO)
login: lab
Password:
Last login: Mon Mar 2 16:35:47 2020 from 172.25.11.254
[edit]
lab@vSRX-l# load override ajsec/lab4-start.config
load complete
[edit]
lab@vSRX-l# commit
commit complete
Step 1.3
Access the command-line interface (CLI) for the vSRX-2 device as directed by your instructor.
On the vSRX-2 device, login with the username lab and password labl23. Enter configuration mode
and load the lab4-start, conf igr from the aj sec directory. Commit the configuration when
complete.
login: lab
Password:
Last login: Mon Mar 2 20:12:41 2020 from 172.25.11.254
[edit]
lab@vSRX-2# load override ajsec/lab4-start.config
load complete
[edit]
lab@vSRX-2# commit
commit complete
Step 1.4
Access the command-line interface (CLI) for the vSRX-VR device using SSH or console as directed by your
instructor.
Log in with the username lab and password labl23. Enter configuration mode and load the
ldb4-start, confighom the ajsec directory. Commit the configuration when complete.
FreeBSD/amd64 (vSRX-VR) (ttyuO)
login: lab
Password:
Last login: Mon Mar 2 20:16:41 2020 from 172.25.11.254
[edit]
lab@vSRX-VR# load override ajsec/lab4-start.config
load complete
[edit]
lab@vSRX-VR# commit
commit complete
Step 1.5
Verify that the necessary routing information is available to reach the virtual routing instances vrlOl
vrl02, vr201 and vr202.
[edit]
lab@vSRX-VR# show routing-options static
route 10.10.101.0/24 next-hop 172.18.1.2;
route 10.10.102.0/24 next-hop 172.18.1.2;
route 10.10.202.0/24 next-hop 172.18.2.2;
route 10.10.201.0/24 next-hop 172.18.2.2;
[edit]
lab@vSRX-VR# run show route 10.10.0.0/16 table inet.O
■k
10.10.101.0/24 [Static/5] 00:00:54
> to 172.18.1.2 via ge-0/0/1.0
k
10.10.102.0/24 [Static/5] 00:00:54
> to 172.18.1.2 via ge-0/0/1.0
k
10.10.201.0/24 [Static/5] 00:00:54
> to 172.18.2.2 via ge-0/0/2.0
10.10.202.0/24 [Static/5] 00:00:54
> to 172.18.2.2 via ge-0/0/2.0
[edit]
lab@vSRX-VR#
[edit interfaces]
lab@vSRX-VR# set stO unit 0 family inet address 10.25.0.9/24
[edit interfaces]
lab@vSRX-VR# set stO unit 0 multipoint
[edit interfaces]
lab@vSRX-VR# top set security zones security-zone vpn interfaces stO.O
[edit interfaces]
lab@vSRX-VR#
Step 2.2
On the vSRX-VR device, navigate to the [edit security ike] configuration hierarchy and configure
the IKE proposal settings for the hub-and-spoke VPN. The proposal should use the following parameters:
Authentication method: pre-shared-keys;
dh-group: group2;
authentication algorithm: sha-2 56;
encryption algorithm: aes-256-cbc; and
lifetime: 8 64 00.
[edit interfaces]
lab@vSRX-VR# top edit security ike proposal phasel-proposal
Step 2.3
Configure an IKE Phase 1 policy named phasel -policy. The policy should use the following
parameters:
Mode: main
Proposal: phasel -proposal', and
Pre-shared Key: ascii-text juniper
[edit security ike proposal phasel-proposal]
lab@vSRX-VR# up 1 edit policy phasel-policy
step 2.6
Create a Phase 2 policy named phase2-policy. Configure Perfect Forward Secrecy (PFS) to use
Diffie-Hellman Group 14 and reference the Phase 2 proposal you created in the last step.
[edit security ipsec proposal phase2-proposal]
lab@vSRX-VR# up 1 edit policy phase2-policy
Step 2.7
Configure two IPsec VPN tunnels named to-vSRX-1 and to-vSRX-2, one to each remote VPN. Bind
the stO.O interface to this tunnel. Associate the IKE Phase 1 gateway and Phase 2 policy with the VPN
tunnel. Ensure the VPN tunnel is established without the need for a triggering mechanism.
[edit security ipsec policy phase2-policy]
lab@vSRX-VR# up 1 edit vpn to-vSRX-1
}
proposals phase2-proposal;
}
vpn to-vSRX-1 {
bind-interface stO.O;
ike {
gateway vSRX-1;
ipsec-policy phase2-policy;
}
establish-tunnels immediately;
}
vpn to-vSRX-2 {
bind-interface stO.O;
ike {
gateway vSRX-2;
ipsec-policy phase2-policy;
}
establish-tunnels immediately;
}
Step 2.8
Navigateto [edit routing-options static] and replace the existing Static routes to the remote
instances subnets. Configure new routes that use the remote secure tunnel interfaces as their next-hop.
Step 2.9
To allow intra-zone traffic to flow from one branch VPN tunnel to the other branch VPN tunnel within the
vpn zone, configure a security policy that allows traffic from the vpn zone to the vpn zone.
Step 2.10
Commit the changes and exit configuration mode.
[edit routing-options static]
lab@vSRX-VR# commit and-quit
commit complete
Exiting configuration mode
lab@vSRX-VR>
[edit interfaces]
lab@vSRX-l# set stO unit 0 family inet address 10.25.0.1/24
[edit interfaces]
lab@vSRX-l#
Step 3.2
Navigate to the [edit security ike] configuration hierarchy and configure IKE proposal settings
for the hub-and-spoke VPN. The proposal should use the following parameters:
Authentication method: pre-shared-keys;
dh-group: group2;
authentication algorithm: sha-256;
encryption algorithm: aes-2 56-cbc; and
lifetime: 8 6400.
[edit interfaces]
lab@vSRX-l# top edit security ike proposal phasel-proposal
Step 3.3
Configure an IKE Phase 1 policy named phasel -policy. The policy should use the following
parameters:
Mode: main
Proposal: phasei -proposal', and
Pre-shared Key: ascii-text juniper
[edit security ike proposal phasel-proposal]
lab@vSRX-l# up 1 edit policy phasel-policy
Ike Policy:phasel-policy
Address: 192.168.9.1
Dead Peer Detection Interval: 2 0
Protocol: esp
Lifetime: 32 00
Step 3.6
Create a Phase 2 policy named phase2-policy. Configure Perfect Forward Secrecy (PFS) to use
Diffie-Hellman Group 14 as the method the device uses to generate the encryption key. Use the Phase 2
proposal you created in the last step.
[edit security ipsec proposal phase2-proposal]
lab@vSRX-l# up 1 edit policy phase2-policy
Step 3.8
Navigate to the [edit routing-options static] and create Static routes to the remote subnets
containing the vr201 and vr202 virtual router instances to use the stO interface as a next hop.
[edit security ipsec vpn hub-device]
lab@vSRX-l# top edit routing-options static
step 3.9
To allow traffic to flow from the Juniper-svar\6 ACME-svzor\es through the VPN interface towards
the remote virtual router instances you must add the stO. 0 interface to a security zone. Name this zone
vpn. Then configure a security policy that allows traffic from the Juniper-svar\6 ACME-svzor\es to
the vpn zone.
[edit routing-options static]
lab@vSRX-l# top edit security zones security-zone vpn
Step 3.10
In order to allow the IKE negotiation to take place, enable IKE as an allowed host inbound service on
interface ge-0/0/1.0.
[edit security policies global policy local-to-vpn]
lab@vSRX-l# top edit security zones security-zone untrust interfaces ge-0/0/1.0
Step 3.11
Commit the changes and exit configuration mode.
[edit security zones security-zone untrust interfaces ge-0/0/1.0]
lab@vSRX-l# commit and-quit
commit complete
Exiting configuration mode
lab@vSRX-l>
Step 4.2
Return to the existing session with the vSRX-VR device.
On the vSRX-VR device, verify that the IKE Phase 1 security association has been formed by issuing show
security ike security-associations. Verify that the IKE Phase 2 security associations have been formed by
issuing show security ipsec security-associations.
lab@vSRX-VR> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
4338774 UP 2037edl8d212630b 2c7de6de7656a55f Main 172.18.1.2
4337537 UP 3e8439aa224eldl4 815b98d302a68cf5 Main 172.18.2.2
10.10.101.0/24 ■k
[Static/5] 23:29:23
> to 10.25.0.1 via stO.0
10.10.102.0/24 * [Static/5] 23:29:23
> to 10.25.0.1 via stO.0
10.10.201.0/24 * [Static/5] 23:29:23
lab@vSRX-VR>
Step 4.4
Return to the existing session with the vSRX-1 device.
On the vSRX-1 device, check the routes used to reach the remote instance subnets by issuing the
show route protocol static table inet. 0 command.
lab@vSRX-l> show route protocol static table inet.O
Step 4.6
Return to the existing session with the vSRX-VR device.
On the vSRX-VR device, clear the IPsec statistics with the clear security ipsec statistics
command. Check the statistics counters with show security ipsec statistics.
lab@vSRX-VR> clear security ipsec statistics
Step 4.7
Test the IPsec tunnel routing by issuing a ping from each local virtual router (vrl 01, vrl 02) to each
remote virtual router {vr201, vr202).
lab@vSRX-VR> ping 10.10.201.10 routing-instance vrlOl rapid
PING 10.10.201.10 (10.10.201.10): 56 data bytes
I I I I I
-- 10.10.201.10 ping statistics --
5 packets transmitted, 5 packets received. 0% packet loss
round-trip min/avg/max/stddev = 0.968/1.160/1.814/0.327 ms
lab@vSRX-VR>
Step 4.8
Verify that the packets between the remote virtual router instances traversed the vSRX-VR device with
the show security ipsec statistics command.
lab@vSRX-VR> show security ipsec statistics
ESP Statistics:
Encrypted bytes: 6240
Decrypted bytes: 3360
Encrypted packets: 40
Decrypted packets: 40
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
Step 4.9
Return to the existing session with the vSRX-1 device.
On the vSRX-1 device, check the IPsec statistics with the show security ipsec statistics
command.
lab@vSRX-l> show security ipsec statistics
ESP Statistics:
Encrypted bytes: 3120
Decrypted bytes: 1680
Encrypted packets: 20
Decrypted packets: 20
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
Answer: The hub device increments at twice the rate of the spokes
because of the traffic using and ingress and egress tunnel on the hub.
This is consistent with the expected routing path where packets from
the vrl 01 and vrl 02 to the vr201 and vr202 virtual routers are
encapsulated on the vSRX-1 device and routed across the stO tunnel
to the vSRX-VR device en route to vSRX-2.
Step 4.10
On the vSRX-1 device, logout using the exit command.
lab@vSRX-l> exit
login:
Step 4.11
Return to the active session with the vSRX-2 device.
On the vSRX-2 device, issue the exit command to terminate the session.
lab@vSRX-2 exit
login:
Step 4.12
Return to the active session with the vSRX-VR device.
On the vSRX-VR device, issue the exit command to terminate the session.
lab@vSRX-VR> exit
login:
STOP Tell your instructor that you have completed this lab.
Internet
vQFX-1 ] Console and
VNC Connections
Junos
Space
Management Addressing
Policy
Enforcer vSRX-1 172.25.11.1
Hypervisor
vSRX-2 172.25.11.2
Virtual Switch
Core ATP On-Prem
MGMT vSRX-VR 172.25.11.9
Network
vQFX-1 172.25.11.10
ATP Web Collector 172.25.11.0/24
Junos Space 172.25.11.100
Student Policy Enforcer 172.25.11.101
AD/NTP/DNS Server Lab Environment ATP On-Prem 172.25.11.120
ATP Web Collector 172.25.11.121
AD/NTPZDNS Server 172.25.11.130
Gateway 172.25.11.254
vSRX-VR
loO: 192.168.9.1
(.9)
St0.1
untrust zone untrust zone
♦
10.25.0.0/24
% %
-5/
vr102
vSRX-VR vr202
vr101 vr201
Overview
In this lab, you will implement Network Address Translation (NAT) in several advanced scenarios. You will
use the Junos CLI to configure source and destination NAT. You will see how NAT rules work together with
security policies to address different objectives. Then, you will examine how routing behavior can impact
some NAT implementations and then resolve those issues. You will then configure devices for NAT46 and
NAT64 operations.
In this lab, you will perform the following tasks:
• Configure and monitor pool-based destination NAT.
• Configure and monitor NAT for local routed and local switched environments.
• Configure and monitor NAT46.
• Configure and monitor NAT64.
step 1.1
You will primarily configure the vSRX-1 device. The vSRX-2 and vSRX-VR devices are already configured for
you. Consult the Management Network Diagram to determine the management addresses of your
devices.
Step 1.2
Access the CLI on the vSRX-1 device using SSH or console as directed by your instructor. Log in with the
username lab and password labl23. Enter configuration mode and load the labS-start. config
from the ajsec directory. Commit the configuration when complete.
FreeBSD/amd64 (vSRX-1) (ttyuO)
login: lab
Password:
Last login: Mon Mar 12 19:50:22 2020 from 172.25.11.254
[edit]
lab@vSRX-l# load override ajsec/lab5-start.config
[edit]
lab@vSRX-l# commit
commit complete
[edit]
lab@vSRX-l#
Step 1.3
Access the CLI on the vSRX-2 device using SSH or console as directed by your instructor. Log in with the
user name lab and password labl23. Enter configuration mode and load the lab5-stdrt. config
from the ajsec directory. Commit the configuration and exit to operational mode when complete.
Note
login: lab
Password:
Last login: Mon Apr 25 19:50:22 2020 from 172.25.11.254
[edit]
lab@vSRX-2# load override ajsec/lab5-start.config
load complete
lab@vSRX-2
Step 1.4
Access the CLI on the vSRX-VR device using SSH or console as directed by your instructor. Log in with the
username lab and password labl23. Enter configuration mode and load the lab5-start. config
from the ajsec directory. Commit the configuration and exit to operational mode when complete.
Note
login: lab
Password:
Last login: Mon Apr 25 19:50:22 2020 from 172.25.11.254
lab@vSRX-VR>
Step 1.5
Return to the open session with vSRX-1.
From the open session with vSRX-1, on the vSRX-1 device, review the routing tables and determine which
routes are used to reach the remote device networks.
[edit]
lab@vSRX-l# run show route table inet.O
0.0.0.0/0 ■k
[Static/5] 4d 03:39:09
> to 172.18.1.1 via ge-0/0/1.0
10.10.101.0/24 * [Direct/0] 4d 03:39:09
> via ge-0/0/4.0
10.10.101.1/32 * [Local/0] 4d 03:39:09
Local via ge-0/0/4.0
10.10.102.0/24 * [Direct/0] 4d 03:39:09
> via ge-0/0/5.0
10.10.102.1/32 * [Local/0] 4d 03:39:09
Local via ge-0/0/5.0
172.18.1.0/30 * [Direct/0] 4d 03:39:09
> via ge-0/0/1.0
172.18.1.2/32 * [Local/0] 4d 03:39:09
Local via ge-0/0/1.0
172.25.11.0/24 * [Direct/0] 4d 03:39:09
> via ge-0/0/0.0
172.25.11.1/32 * [Local/0] 4d 03:39:09
Local via ge-0/0/0.0
192.168.1.1/32 * [Direct/0] 4d 03:40:41
> via loO.O
Step 1.6
Configure the ge-0/0/7 interface with the 10.0.1.1/24 address as shown in the lab network diagram.
[edit interfaces]
lab@vSRX-l# set ge-0/0/7 unit 0 family inet address 10.0.1.1/24
[edit interfaces]
lab@vSRX-l#
Note
We use a /24 prefix to emulate real-world environments where
a range of public-facing IP addresses might exist. NAT allows
you to use public-facing IP addresses without needing to assign
them to the interface.
The vSRX-1 device will own the 10.0.1.0/25 address range
in this topology. The vSRX-2 device will own the
10.0.1.128/25 address range.
Step 1.7
Create a new security zone named public and add the ge-0/0/7 interface to the zone.
[edit interfaces]
lab@vSRX-l# top edit security zones
[edit routing-options]
lab@vSRX-l# delete static route 0/0
[edit routing-options]
lab@vSRX-l# set static route 0/0 next-hop 10.0.1.129
[edit routing-options]
lab@vSRX-l# show static
route 0.0.0.0/0 next-hop 10.0.1.129;
[edit routing-options]
lab@vSRX-l# commit
commit complete
[edit routing-options]
lab@vSRX-l#
Note
Directional context for destination NAT can only be established
with a from statement. No route-lookup takes place to
determine an egress interface until after destination NAT has
been processed.
Step 2.4
Configure a rule named to-ssh-serverio match SSH traffic sourced from the Juniper-ivrand
ACME-WFnetworks using the remote-partner address set. Then, apply the rule to traffic destined for
the vSRX-1 external NAT address of 10.0.1.126.
[edit security nat destination rule-set from-public]
lab@vSRX-l# edit rule to-ssh-server
Question: Will a host from the remote vr202 be able to SSH to your
SSH server after you commit the current changes?
Answer: No external hosts will be able to access your SSH server yet.
There are no security policies are in place that allow traffic originating
from the zone public. You will create the appropriate security policy
in a subsequent step
step 2.5
Configure proxy-arp on the vSRX-1 device. The vSRX-1 device should respond to any ARP requests for
the 10.0.1.2 to 10.0.1.126 range on the ge-0/0/7 interface.
[edit security nat destination rule-set from-public rule to-ssh-server]
lab@vSRX-l# up 3
Step 2.6
Configure a security policy named ssh-server that will allow SSH traffic from the Juniper-WFand
ACME-WFcustomer networks to the local vrl 02 instance. Configure the source address to match the
address-set remote -partner and use the existing vrl 02 address book entry for the destination
address. Next, commit the configuration and exit to operational mode.
[edit security nat]
lab@vSRX-l# top edit security policies from-zone public to-zone ACME-SV policy
ssh-server
lab@vSRX-l>
Step 2.7
Return to the open session with vSRX-VR.
From the open session with vSRX-VR, test your recently configured NAT implementation by initiating an
SSH connection from the vr201 device to the 10.0.1.126 address. Source the connection from the
vr201 routing instance and do not log in.
lab@vSRX-VR> ssh 10.0.1.126 routing-instance vr201
Password:
Step 2.8
Return to the session established with the vSRX-1 device.
On the vSRX-1 device, issue the show security flow session application ssh command.
lab@vSRX-l> show security flow session application ssh
Session ID: 10501, Policy name: allow-to-ssh-server/8, Timeout: 1794, Valid
In: 10.10.201.10/59820 10.0.1.126/22;tcp. Conn Tag: 0x0, If: ge-0/0/7.0.
Pkts : 17, Bytes: 3209,
Out: 10.10.102.10/22 10.10.201.10/59820;tcp. Conn Tag: 0x0, If: ge-0/0/5.0.
Pkts : 16, Bytes: 3773,
Total sessions: 1
Note
The total sessions could be greater than one if you are connected
using SSH instead of console.
Question: Which input and output interfaces are used for the SSH
session?
Step 2.9
Return to the session established with the vSRX-VR device.
On the vSRX-VR device, press the Ctrl + c keyboard sequence to end the SSH session.
lab@vSRX-VR> ssh 10.0.1.126 routing-instance vr201
Password: C
lab@vSRX-VR>
Step 3.1
From the session established with the vSRX-VR device, initiate a SSH session to the external NAT address
on the ge-0/0/7 interface for the vSRX-1 device (10.0.1.126). Source the SSH connection from the
vrlOl routing instance. Press the Ctrl + c keyboard sequence to cancel when the session does not
establish after a few seconds.
lab@vSRX-VR> ssh 10.0.1.126 routing-instance vrlOl
Answer: As shown in the output, the SSH session does not establish.
This likely indicates that NAT is not occurring.
Question: What are some possibilities that could prevent NAT from
occurring?
Answer: One possibility is that the initiating flow is not being evaluated
for NAT. Another possibility is the initiating flow does not match the
criteria set in the NAT rule.
Step 3.2
Return to the session established with the vSRX-1 device.
On the vSRX-1 device, enter configuration mode and review the existing NAT implementation to see if you
can identify the problem.
lab@vSRX-l> configure
Entering configuration mode
[edit]
lab@vSRX-l# edit security nat destination rule-set from-pviblic
}
}
Step 3.3
Modify the existing rule set from-public so sessions initiated from the vrlOl and vrl02 networks
will be evaluated for NAT. Commit the changes.
[edit security nat destination rule-set from-public]
lab@vSRX-l# set from zone Juniper-SV
Step 3.4
Return to the session established with the vSRX-VR device.
On the vSRX-VR device, initiate a SSH session to the external NAT address on the ge-0/0/7 interface for
the vSRX-1 device (10.0.1.126). Source the SSH connection from the vrlOl routing instance and do not
log in.
lab@vSRX-VR> ssh 10.0.1.126 routing-instance vrlOl
Password:
Step 3.5
Return to the session established with the vSRX-1 device.
On the vSRX-1 device, issue the run show security flow session application ssh
command.
[edit security nat destination rule-set from-public]
lab@vSRX-l# run show security flow session application ssh
Session ID: 10537, Policy name: Juniper-SV-to-ACME-SV/9, Timeout: 1796, Valid
In: 10.10.101.10/64081 10.0.1.126/22;top. Conn Tag: 0x0, If: ge-0/0/4.0.
Pkts : 10, Bytes: 2197,
Out: 10.10.102.10/22 10.10.101.10/64081;tcp. Conn Tag: 0x0, If: ge-0/0/5.0.
Pkts : 8, Bytes: 1977,
Total sessions: 1
Step 3.6
Return to the session established with the vSRX-VR device.
On the vSRX-VR device, press the Ctrl + c keyboard sequence to terminate the SSH session.
lab@vSRX-VR> ssh 10.0.1.126 routing-instance vrlOl
Password:
lab@vSRX-VR>
Step 3.7
Return to the session established with the vSRX-1 device.
On the vSRX-1 device, use the run show security nat destination summary command to
confirm that traffic initiated from the ACME customer zone will be evaluated by the rule-set
from-in ternet NAT.
[edit security nat destination rule-set from-public]
lab@vSRX-l# run show security nat destination summary
Total pools: 1
Pool name Address Routing Port Total
Range Instance Address
ssh-server 10.10.102.10 10.10.102.10 0 1
Total rules: 1
Rule name Rule set From Action
to-ssh-server from-public ACME-SV ssh-server
public
Juniper-sv
Step 3.8
intra-ACME-sv policy to permit traffic from the ACME-svzor\e that is destined to the
Configure the
ACME-SVzone. Ensure that you allow hosts from the acme-sv network to initiate sessions to hosts on
the ACME-SV network. When you are finished, commit the configuration.
Answer: As shown in the output, the SSH session does not establish.
Step 3.10
Return to the session established with the vSRX-1 device.
On the vSRX-1 device, issue the run show security flow session application ssh
command.
[edit security policies from-zone ACME-SV to-zone ACME-SV policy intra-ACME-SV]
lab@vSRX-l# run show security flow session application ssh
Session ID: 10548, Policy name: intrazone-ACME-SV/10, Timeout: 12, Valid
In: 10.10.102.10/56029 10.0.1.126/22;top. Conn Tag: 0x0, If: ge-0/0/5.0.
Pkts : 3, Bytes: 192,
Out: 10.10.102.10/22 10.10.102.10/56029;tcp. Conn Tag: 0x0, If: ge-0/0/5.0.
Pkts : 0, Bytes: 0,
Total sessions: 1
Question: What are some possibilities that could prevent the session
from establishing?
The target host receives the packet and sets up the session locally.
The target host then responds directly to the originating host. The
originating host is on the same network; the target host responds
directly using the Layer 2 information from its local ARP table.
Question: What are some options that can resolve this issue?
Answer: The return flow must transit the device for the required
reverse NAT to occur. This can be accomplished by adding source NAT
to the implementation. Switched environments require this double
NAT implementation.
Step 3.11
Configure double NAT by adding interface-based source NAT to disguise the IP address of the originating
host. Name the NAT rule set acconunoda te-swi tched-network. Name the rule
ndt-return-flow. The rule should only apply source NAT to intrazone traffic. The rule should not
make exclusions based on the destination address. When you are finished, navigate to the top of the
command hierarchy, and commit the configuration.
[edit security policies from-zone ACME-SV to-zone ACME-SV policy intra-ACME-SV]
lab@vSRX-l# top edit security nat source
[edit]
lab@vSRX-l# commit
commit complete
[edit]
lab@vSRX-l#
Step 3.12
Return to the session established with the vSRX-VR device.
On the vSRX-VR device, initiate a SSH session to the external NAT address on the ge-0/0/7 interface for
the vSRX-1 device (10.0.1.126). Source the SSH connection from the vrl02 routing instance.
lab@vSRX-VR> ssh 10.0.1.126 routing-instance vrl02
Password:
Step 3.13
Return to the session established with the vSRX-1 device.
On the vSRX-1 device, issue the run show security flow session application ssh
command.
[edit]
lab@vSRX-l# run show security flow session application ssh
Session ID: 10579, Policy name: intrazone-ACME-SV/10, Timeout: 1792, Valid
In: 10.10.102.10/57323 10.0.1.126/22;top. Conn Tag: 0x0, If: ge-0/0/5.0.
Pkts : 10, Bytes: 2197,
Out: 10.10.102.10/22 10.10.102.1/6886;tcp. Conn Tag: 0x0, If: ge-0/0/5.0.
Pkts : 8, Bytes: 1977,
Total sessions: 1
Answer: The output displays that NAT has modified the source IP
address as the packet traversed the device. The destination host will
use the Layer 2 information associated with the vSRX-1 device for
delivery
Note
The return flow will now transit the vSRX-1 device. The device
will perform reverse NAT operations and the originating host will
receive the SYN-ACK from the expected IP address.
Step 3.14
Return to the session established with the vSRX-VR device.
On the vSRX-VR device, press the Ctrl + c keyboard sequence to terminate the SSH session.
lab@vSRX-VR> ssh 10.0.1.126 routing-instance vrI02
Password: C
lab@vSRX-VR>
In this lab part, you configure and verify NAT46 operations. This NAT implementation requires both
destination NAT and source NAT for proper operation. You will configure source and destination NAT to
perform NAT46, to translate the IPv4 addresses to IPv6 addresses.
The IPv6 NAT implementation will allow an IPv4 host within the acme-svcustomer network on the
vSRX-VR device to SSH to an IPv6 host on the Internet (2001:db2::100) through a public-facing IP address
associated with the ge-0/0/1 interface.
step 4.1
Return to the established session with the vSRX-1 device.
Configure the ge-0/0/1 interface to use the 2001:db2::l/64 IPv6 address.
[edit]
lab@vSRX-l# edit interfaces ge-0/0/1
Step 4.4
Configure a source NAT rule set named na t4 6-dest with a directional context that will perform NAT on
traffic coming from the ACME-svzone and going to the un trust zone.
[edit security nat source]
lab@vSRX-l# edit rule-set nat46-source
Step 4.5
Configure a rule within the rule set na t46-source named 46-source to match traffic sourced from
the 10.10.102.10 address and destined for 2001:db2::100 address. Note that the 10.10.102.10
address is an IP address that is local to the acme-sv network. Then specify that the source address of
the matching traffic will be translated to the pool na t4 6-source-pool.
[edit security nat source rule-set nat46-source]
lab@vSRX-l# edit rule 46-source
Step 4.6
Configure proxy-arp on the ge-0/0/5 interface connected to the acme-svcustomer network for
10.10.102.5.
[edit security nat source rule-set nat46-source rule 46-source]
lab@vSRX-l# top set security nat proxy-arp interface ge-0/0/5 address
10.10.102.5/32
Step 4.7
For steps 5.8-5.10, you will configure NAT46 to translate the destination IPv4 address to an IPv6
address.
Navigate to the [edit security nat destination] hierarchy. Configure a destination NAT pool
named nat46-dst-pool with the IPv6 2001:db2::100/128 address.
[edit security nat source rule-set nat46-source rule 46-source]
lab@vSRX-l# top edit security nat destination
Step 4.9
Configure a destination NAT rule for the nat 4 6-dst rule-set named na t4 6-dst to match traffic to the
10.10.102.5 host. Then, specify that the destination address of the matching traffic will be translated to
the pool nat46-dst-pool.
[edit security nat destination rule-set nat46-dest]
lab@vSRX-l# edit rule nat46-dest
step 4.10
Configure NDP proxy at the [edit security nat] hierarchy. The vSRX-1 device should respond to
any NDP requests for the IPv6 address 2001:db2::2/128 on the ge-0/0/1 interface.
[edit security nat destination rule-set nat46-dest rule nat46-dest]
lab@vSRX-l# top set security nat proxy-ndp interface ge-0/0/1 address
2001:db2::2/128
Step 4.11
Create a global address book entry named na t4 6-src for the 10.10.102.10 address. Create another
global address book entry named na 14 6-Inet-hos t for the 2001:db2::100 address.
[edit security nat destination rule-set nat46-dest rule nat46-dest]
lab@vSRX-l# top edit security address-book global
lab@vSRX-l>
Step 4.13
Verify your recently configured NAT46 implementation. Return to the session established with the
vSRX-VR device.
On the vSRX-VR device, initiate a new SSH session to the 10.10.102.5 address. Source the SSH
connection from the vrl02 routing instance.
Note
If the SSH session fails, please try again, the first session might
fail due to IPv6 neighbor discovery not occurring yet.
Step 4.14
Return to the session established with the vSRX-1 device.
On the vSRX-1 device, issue the show security flow session application ssh command.
lab@vSRX-l> show security flow session application ssh
Session ID: 10694, Policy name: allow-nat46/12, Timeout: 1790, Valid
In: 10.10.102.10/64789 10.10.102.5/22;tcp. Conn Tag: 0x0, If: ge-0/0/5.0.
Pkts: 11, Bytes: 2249,
Out: 2001:db2::100/22 - 2001:db2::2/28595;tcp. Conn Tag: 0x0, If: ge-0/0/1.0.
Pkts : 8, Bytes: 2137,
Total sessions: 1
Step 4.15
Return to the session established with the vSRX-VR device.
Close out of the established SSH session by entering cntr + c.
lab@vSRX-VR> ssh 10.10.102.5 routing-instance vrl02
Password: c
lab@vSRX-VR>
[edit]
lab@vSRX-l# set interfaces ge-0/0/4 unit 0 family inet6 address 2001:dbS::1/64
Step 5.2
Delete the IPv4 address from the interface associated with your vrlOl network.
[edit]
lab@vSRX-l# delete interfaces ge-0/0/4 unit 0 family inet
Step 5.3
Configure destination NAT64 to translate the IPv6 destination traffic to an IPv4 address.
Navigate to the [edit security nat destination] hierarchy. Configure a destination NAT pool
named ipv6-dest-pool with the IP address of the 10.10.202.10 NAT address.
[edit]
lab@vSRX-l# edit security nat destination
Step 5.5
Configure a rule within the rule set ipv6-dest named ipv6-local to match traffic destined for the
IPv6 address 2001:db8::5/128. Next, specify that the destination address of the matchi ng traffic will be
translated to the pool ipv6-dest-pool. Then configure the ipv6-source-pool to reference the
10.0.1.1 address.
[edit security nat destination rule-set ipv6-dest]
lab@vSRX-l# edit rule ipv6-local
Step 5.6
Configure a source NAT rule set named ipv6-source with a directional context that will perform NAT on
traffic coming from the Juniper-svzone and destined for the public zone.
[edit security nat source]
lab@vSRX-l# edit rule-set ±pv6-source
step 5.8
Create a global address book entry named ipv6-address for the IPv6 address 2001:db8;:8/128.
[edit security nat source rule-set ipv6-source rule ipv6-host]
lab@vSRX-l# top set security address-book global address ipv6-address
2001:db8::8/128
Step 5.9
Create another global address book entry named remote-public for the 10.0.1.0/24 subnet.
[edit security nat destination rule-set from-public rule to-ssh-server]
lab@vSRX-l# top set security address-book global address remote-pviblic 10.0.1.0/24
Step 5.10
Configure N DP proxy at the [edit security nat] hierarchy. The device should respond to any NDP
requests for the IPv6 address 2001:db8;:5/128 on the ge-0/0/4 interface.
[edit security nat destination rule-set from-public rule to-ssh-server]
lab@vSRX-l# top edit security nat
commit complete
Exiting configuration mode
lab@vSRX-l>
Step 5.12
Verify the flow module status by issuing the show security flow status command.
lab@vSRX-l> show security flow status
Flow forwarding mode:
Inet forwarding mode: flow based
Inet6 forwarding mode: flow based
MPLS forwarding mode: drop
ISO forwarding mode: drop
Tap mode: disabled (default)
Flow trace status
Flow tracing status: off
Flow session distribution
Distribution mode: Hash-based
GTP-U distribution: Disabled
Flow ipsec performance acceleration: off
Flow packet ordering
Ordering mode: Hardware
Flow power mode IPsec: Disabled
Fat core group status: off
Step 5.13
Test your recently configured NAT64 implementation. Return to the session established with the vSRX-VR
device.
On the vSRX-VR device, initiate an IPv6 SSH session to the IPv6 address 2001:db8::5. Source the SSH
connection from the vrlOl routing instance.
Note
If the SSH session fails, please try again, the first session might
fail due to IPv6 neighbor discovery not occurring yet.
Step 5.14
Return to the session established with the vSRX-1 device.
On the vSRX-1 device, issue the show security flow session application ssh command.
lab@vSRX-l> show security flow session application ssh
Session ID: 10630, Policy name: allow-ipv6/ll, Timeout: 1788, Valid
In: 2001:db8::8/56397 2001:db8::5/22;top. Conn Tag: 0x0, If: ge-0/0/4.0.
Pkts : 11, Bytes: 2469,
Out: 10.10.202.10/22 10.0.1.1/1785;tcp. Conn Tag: 0x0, If: ge-0/0/7.0. Pkts:
8, Bytes: 1977,
Total sessions: 1
Answer: The output displays that NAT has modified both the source
and destination of the IPv6 address as the packet traversed the
device.
Note
The return flow will now transit the vSRX-1 device. The device
will perform reverse NAT operations and the originating host will
receive the SYN-ACK from the expected IP address.
Step 5.15
Issue the show security nat destination rule all command.
lab@vSRX-l> show security nat destination rule all
Total destination-nat rules: 3
Total referenced IPv4/lPv6 ip-prefixes: 6/1
Destination NAT rule: to-ssh-server Rule-set: from-public
Rule-Id 1
Rule position 1
From zone ACME-SV
public
Juniper-SV
Match
Source addresses : remote-partner
Juniper-SV
ACME-SV
Destination addresses : 10.0.1.126 10.0.1.126
Destination port : 22 22
Action : ssh-server
Translation hits : 9
Successful sessions : 9
Failed sessions : 0
Number of sessions : 0
Destination NAT rule: nat46-dest Rule-set: nat46-dest
Rule-Id 2
Rule position 2
From zone ACME-SV
Destination addresses 10.10.102.5 10.10.102.5
Action nat46-dst-pool
Translation hits 1
Successful sessions 1
Failed sessions 0
Number of sessions 0
Destination NAT rule: ipv6-local Rule-set: ipv6-dest
Rule-Id : 3
Rule position : 3
From zone : Juniper-SV
Destination addresses : 2001:db8::5 2001:db8::5
Action : ipv6-dest-pool
Translation hits : 2
Successful sessions : 2
Failed sessions : 0
Number of sessions : 1
lab@vSRX-l>
Question: Do you see translation hits occurring in the output for the
IPv6 NAT rules?
Answer: Yes, the output should display that NAT has modified both the
source and destination of the IPv6 address, and that translation hits
have occurred. The number of hits may vary from the number shown
in the example above.
Step 5.16
Return to the session established with the vSRX-VR device.
On the vSRX-VR device, press the Ctrl + c keyboard sequence to terminate the SSH session.
lab@vSRX-VR> ssh inet6 2001:db8::5 routing-instance vrlOl
Password: C
lab@vSRX-VR>
Step 5.17
On the vSRX-VR device, issue the exit command to terminate the session.
lab@vSRX-VR> exit
login:
Step 5.18
Close the session with the vSRX-1 device by issuing the exit command.
lab@vSRX-l> exit
login:
Step 5.19
Return to the active session with the vSRX-2 device.
On the vSRX-2 device, issue the exit command to terminate the session.
lab@vSRX-2 exit
login:
STOP Tell your Instructor that you have completed this lab.
Internet
vQFX-1 ] Console and
VNC Connections
1
Junos
Space •t J Management Addressing
Policy
Enforcer vSRX-1 172.25.11.1
Hypervisor
Virtual Switch vSRX-2 172.25.11.2
Core ATP On-Prem
MGMT vSRX-VR 172.25.11.9
Network
vQFX-1 172.25.11.10
ATP Web Collector 172.25.11.0/24
Junos Space 172.25.11.100
student Policy Enforcer 172.25.11.101
AD/NTP/DNS Server
c 3
Internet
Internet Host
■Jj 172.31.15.1
O'
A
Sy untrust zone untrust zone 7
vr101 vr102
vSRX-VR vr201 vr202
Overview
In this lab, you configure two tenant systems along with the routing and security options to communicate
with each other using logical tunnels.
By completing this lab, you will perform the following tasks:
• Configure tenant systems interfaces and routing instances.
• Configure tenant systems security features.
• Understand session creation with tenant systems.
• Verify separate config and resource allotment.
In this lab part, you will use the command-line interface (CLI) to log in to the vSRX-1 and vSRX-VR devices.
Next, you will load the starting configuration for the lab.
Note
step 1.1
You will primarily configure the vSRX-1 device. The vSRX-VR device is already configured for you. Consult
the Management Network Diagram to determine the management addresses of your devices.
Step 1.2
Access the CLI on the vSRX-1 device using SSH or console as directed by your instructor. Log in with the
username lab and password labl23. Enter configuration mode and load the lab6-start. config
from the a j sec directory. Commit the configuration when complete and exit to operational mode.
FreeBSD/amd64 (vSRX-1) (ttyuO)
login: lab
Password:
Last login: Wed Apr 29 18:42:51 2020 from 172.25.11.254
-- JUNOS 20.lRl.il Kernel 64-bit XEN JNPR-11.0-20200219.fbl20e7_buil
lab@vSRX-l> configure
Entering configuration mode
[edit]
lab@vSRX-l# load override ajsec/lab6-start.conf±g
load complete
lab@vSRX-l# commit
commit complete
[edit]
lab@vSRX-l#
Step 1.3
Access the CLI on the vSRX-VR device as directed by your instructor.
Step 1.4
Access the CLI on the vSRX-VR device using SSH or console as directed by your instructor. Log in with the
username lab and password labl23. Enter configuration mode and load the lab6-stdrt.config
from the a J sec directory. Commit the configuration and exit to operational mode when complete.
Note
login: lab
Password:
Last login: Fri May 1 21:42:51 2020 from 172.25.11.254
-- JUNOS 20.lRl.il Kernel 64-bit XEN JNPR-11.0-20200219.fbl20e7_buil
lab@vSRX-VR> configure
Entering configuration mode
[edit]
lab@vSRX-VR# load override ajsec/lab6-start.config
load complete
lab@vSRX-VR>
In this part, you will configure a security profile for two tenant systems, administrator logins for the tenant
systems, a routing instance for each tenant, and interfaces forthose routing instances.
Step 2.1
Return to the existing session with the vSRX-1 device.
On the vSRX-1 device configure a tenant named tsysi .
[edit]
lab@vSRX-l# edit tenants TSYSI
class TSYS2adminl {
tenant TSYS2;
permissions all;
}
user TSYSladminl {
uid 2002;
class TSYSladminl;
authentication {
encrypted-password
"$6$KlQTIyRJ$Od32aP4MwpWrlZLcuIPIcr7rVux...PfOTOTyzMbKe."; ## SECRET-DATA
}
}
user TSYS2adminl {
uid 2003;
class TSYS2adminl;
authentication {
encrypted-password II $6$AzVE]ndsin$ . . . zTvZuuBiOQ2Inw/" ; ## SECRET-DATA
}
}
user lab {
uid 2000;
class super-user;
authentication {
encrypted-password II $1$84J5Maes$cni5Hrazbd/lEHr/50oY30"; ## SECRET-DATA
}
}
step 2.6
Commit the configuration.
[edit system login]
lab@vSRX-l# commit
error: Check-out failed for Network security daemon (/usr/sbin/nsd) without
details
error: Check-out failed for Advanced Anti-Malware daemon (/usr/sbin/aamwd) without
details
error: tenant TSYSl has no profile assigned
error: Check-out failed for IFF daemon (/usr/sbin/ipfd) without details
error: configuration check-out failed
Step 2.7
Create a security profile that will be shared by tsysi and tsys2. Navigate to the [edit system
security-profile] hierarchy and configure a security profile named SP-Small. Set the maximum
to 100 and the reserve to 50 for the policy, zone, flow-session, nat-nopat-address, and
auth-entry settings.
[edit system login]
lab@vSRX-l# up 1 edit security-profile
SP-Small {
auth-entry {
maximum 100;
reserved 50;
}
policy {
maximum 50;
reserved 50;
}
zone {
maximum 50;
reserved 50;
}
flow-session {
maximum 100;
reserved 50;
}
nat-nopat-address {
maximum 100;
reserved 50;
}
tenant [ TSYSl TSYS2 ] ;
}
Question: Could each tenant system have its own security profile?
Answer: Yes, a security profile could be made for each tenant system.
Any number of tenants may be assigned to this security profile.
Step 2.10
Commit the changes to the configuration.
[edit system security-profile]
lab@vSRX-l# commit and-quit
commit complete
Exiting configuration mode
lab@vSRX-l>
Step 2.11
Open another SSH session from the dashboard to the vSRX-1 device using TSYSladminl as the
username and labl23 as the password.
# ssh TSYSladminlf^ 172.25.11.1
Password: labl23
-- JUNOS 20.lRl.il Kernel 64-bit XEN JNPR-11.0-20200219.fbl20e7_buil
TSYSladminl@vSRX-l:TSYS1>
Answer: You can understand that you are logged into the vSRX-1
device as TSYSladminl, and that you are in the TSYSl tenant.
Step 2.12
Verify the security-profile is set up correctly with the tenant. Use the show system
security-profile command.
TSYSladminl@vSRX-l:TSYS1> show system security-profile ?
Possible completions:
address-book Show address-book resource information
all-resource Show all resources information
auth-entry Show authentication resource information
cpu Show CPU utilization information
dslite-softwire-initiator Show security dslite softwire initiator resource
information
flow-gate Show flow gate resource information
flow-session Show flow session resource information
icap-redirect-profile Show ICAP redirect profile resource information
nat-cone-binding Show nat cone binding resource information
nat-destination-pool Show nat destination pool resource information
nat-destination-rule Show nat destination rule resource information
nat-interface-port-ol Show nat interface port overloading resource information
nat-nopat-address Show nat source nopat address resource information
nat-pat-address Show nat source pat address resource information
nat-pat-portnum Show nat source pat port number resource information
nat-port-ol-ipnumber Show nat port overloading resource information
nat-rule-referenced-prefix Show nat rule referenced IP-prefix information
nat-source-pool Show nat source pool resource information
nat-source-rule Show nat source rule resource information
nat-static-rule Show nat static rule resource information
policy Show policy resource information
policy-with-count Show resource information of policy with count
scheduler Show scheduler resource information
security-log-stream-number Show security log stream number information
zone Show zone resource information
TSYSladminl@vSRX-l:TSYS1>
Step 2.13
Look at the zone and policy settings to see the resource usage information.
TSYSladminl@vSRX-l:TSYS1> show system security-profile zone
Question: How many zones and policies are used by the TSYSl
tenant?
Step 2.14
Return to the open SSH session to vSRX-1 with the master administrator login.
Change to configuration mode. Move to the [edit tenants tsysI] hierarchy. Configure a routing
instance named rsysi, and the interface ge-0/0/4.0 with an IP address of 10.10.101.1/24
within tenant TSYSl.
lab@vSRX-l> configure
Entering configuration mode
[edit]
lab@vSRX-l# edit tenants TSYSl
[edit tenants]
lab@vSRX-l# show
TSYSl {
interfaces {
ge-0/0/4 {
unit 1 {
vlan-id 101;
family inet {
address 10.10.101.1/24;
}
}
}
}
routing-instances {
RSYSl {
interface ge-0/0/4.0;
instance-type virtual-router;
}
}
}
TSYS2 {
interfaces {
ge-0/0/5 {
unit 2 {
vlan-id 102;
family inet {
address 10.10.102.1/24;
}
}
}
}
routing-instances {
RSYS2 {
interface ge-0/0/5.2;
instance-type virtual-router;
}
}
}
Step 2.17
Nava gate to the top of the hierarchy and configure interface lt-0/0/0 unit 1 with an IP address of
10.1.1.1/24 and a peer unit of 2.
[edit tenants TSYS2]
lab@vSRX-l# top
[edit]
lab@vSRX-l# set interfaces lt-0/0/0 unit 1 family inet address 10.1.1.1/24
[edit]
lab@vSRX-l# set interfaces lt-0/0/0 unit 1 peer-unit 2
[edit]
lab@vSRX-l# set interfaces lt-0/0/0 unit 1 encapsulation ethernet
[edit]
lab@vSRX-l#
Step 2.18
Configure interface lt-0/0/0 unit 2 with an IP address of 10.1.1.2/24 and a peer unit of 1.
[edit]
lab@vSRX-l# set interfaces lt-0/0/0 unit 2 family inet address 10.1.1.2/24
[edit]
lab@vSRX-l# set interfaces lt-0/0/0 unit 2 peer-unit 1
[edit]
lab@vSRX-l# set interfaces lt-0/0/0 unit 2 encapsulation ethernet
[edit]
lab@vSRX-l#
Step 2.19
Commit the configuration and exit to operational mode.
[edit tenants]
lab@vSRX-l# commit and-quit
commit complete
Exiting configuration mode
lab@vSRX-l>
In this part you will configure tenant level options like security zones, security policies, and attaching
interfaces to the tenant routing instances. Then you will verify that the configuration is correct by sending
traffic across the network and verify flow sessions have been created.
Step 3.1
From the open session with vSRX-1. Switch to the TSYSl tenant as the administrator. Enter configuration
mode.
lab@vSRX-l:TSYS1> configure
Entering configuration mode
[edit]
lab@vSRX-l:TSYSl#
Step 3.2
Navigate to the [edit routing-instances RSYSl] hierarchy, and configure interface
lt-0/0/0.1 as part of the routing instance.
[edit]
lab@vSRX-l:TSYSl# edit routing-instances RSYSl
[edit]
lab@vSRX-l:TSYSl# edit security zones security-zone to-ACME
lab@vSRX-l:TSYS1>
Step 3.7
Run the show interfaces terse command to view the interfaces.
lab@vSRX-l:TSYS1> show interfaces terse
Interface Admin Link Proto Local Remote
lt-0/0/0
lt-0/0/0.1 up up inet 10.1.1.1/24
ge-0/0/4
ge-0/0/4.0 up up inet 10.10.101.1/24
Answer: The CLI was set to the tenant tsysi so it is the same as
logging in as the TSYSladminl user. Only the resources for that
tenant show up in output.
Step 3.8
Run the show route command to view the route tables.
lab@vSRX-l:TSYS1> show route
10.1.1.0/24 ■k
[Direct/0] 16:08:24
> via lt-0/0/0.1
10.1.1.1/32 * [Local/0] 16:08:24
Local via lt-0/0/0.1
10.10.101.0/24 * [Direct/0] 00:16:42
> via ge-0/0/4.0
10.10.101.1/32 * [Local/0] 00:16:42
Local via ge-0/0/4.0
lab@vSRX-l:TSYS1>
Note
Again only the route table associated with the tsysi tenant is
available to see from this prompt. If we cleared our tsysi tenant
prompt and went back to the master administrator all resources
would be visible.
Step 3.9
Return to the master administrator prompt by issuing the clear cli tenant command. Then run the
show interfaces terse and show route commands again.
lab@vSRX-l:TSYS1> clear cli tenant
Cleared default tenant
lt-0/0/0 up up
lt-0/0/0.1 up up inet 10.1.1.1/24
lt-0/0/0.2 up up inet 10.1.1.2/24
lt-0/0/0.32767 up up
mt-0/0/0 up up
sp-0/0/0 up up
sp-0/0/0.0 up up inet
inet6
sp-0/0/0.16383 up up inet
ge-0/0/1 up up
ge-0/0/1.0 up up inet 172.18.1.2/30
ge-0/0/2 up up
ge-0/0/3 up up
ge-0/0/4 up up
ge-0/0/4.0 up up inet 10.10.101.1/24
ff02::2/128 ■k
[INET6/0] 19:38:57
MultiRecv
lab@vSRX-l>
step 3.10
Run the show security zones command to view all the security zones.
lab@vSRX-l> show security zones
Interfaces bound: 0
Interfaces:
lab@vSRX-l>
Question: Why are the Juniper-SV and the to-ACME zones not being
displayed by the master administrator prompt?
Step 3.11
Return to the tsysi tenant prompt and run the show security zones command again.
lab@vSRX-l> set cli tenant TSYSI
Tenant: TSYSI
lab@vSRX-l:TSYS1>
Answer: Yes, they did, they are part of the TS YSl tenant.
Answer: No, they are not part of the tsysi tenant and are not
displayed to the tenant administrator.
Step 3.12
Configure an address book entry for the Juniper-svar\6 the ACME-svsubnets so that a policy can be
configured to pass traffic. Configure two address books and attach them to the Juniper-svar\6 the
to-ACME zones.
lab@vSRX-l:TSYS1> configure
Entering configuration mode
[edit]
lab@vSRX-l:TSYSl# edit security address-book
[edit security]
lab@vSRX-l:TSYSl# edit policies from-zone Juniper-SV to-zone to-ACME
Step 3.14
Verify the security configuration using the show command.
[edit security]
lab@vSRX-l:TSYSl# show
address-book {
Juniper {
address Juniper-SV-NET 10.10.101.0/24;
attach {
zone Juniper-SV;
}
}
ACME {
address ACME-SV-NET 10.10.102.0/24;
attach {
zone to-ACME;
}
}
}
policies {
from-zone Juniper-SV to-zone to-ACME {
policy allow-ACME {
match {
source-address Juniper-SV-NET;
destination-address ACME-SV-NET;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone to-ACME {
host-inbound-traffic {
system-services {
r
}
}
interfaces {
lt-0/0/0.1;
}
}
security-zone Juniper-SV {
host-inbound-traffic {
system-services {
r
}
}
interfaces {
ge-0/0/4.0;
}
}
}
[edit security]
lab@vSRX-l:TSYS1#
Step 3.15
Return to the established session with the vSRX-VR device.
Run the ping command to from the vrlOl host to the vrl02 host in the acme-sv zone io verify the
connection.
lab@vSRX-VR> ping 10.10.102.1 routing-instance vrlOl
PING 10.10.102.1 (10.10.102.1): 56 data bytes
36 bytes from 10.10.101.1: Destination Net Unreachable
Vr HL TOS Len ID Fig off TTL Pro cks Src Dst
4 5 00 0054 1015 0 0000 40 01 7f75 10.10.101.10 10.10.102.1
Question: Was the ping successful? If not what is the error message?
Answer: No, the ping was not successful. Host 10.10.101.1 which is
the gateway replied that the destination net is unreachable.
Step 3.16
Return to the established session on the vSRX-1 device.
Display the routes using the show route command.
[edit security]
lab@vSRX-l:TSYSl# run show route
10.1.1.0/24 ■k
[Direct/0] 18:36:57
> via lt-0/0/0.1
10.1.1.1/32 * [Local/0] 18:36:57
Local via lt-0/0/0.1
10.10.101.0/24 * [Direct/0] 02:45:15
> via ge-0/0/4.0
10.10.101.1/32 * [Local/0] 02:45:15
Local via ge-0/0/4.0
[edit security]
lab@vSRX-l:TSYSl#
Step 3.17
Add a route for 10.10.102.0/24 that uses 10.1.1.2 as the next-hop address.
[edit security]
lab@vSRX-l:TSYSl# up
[edit]
lab@vSRX-l:TSYSl# edit routing-instances RSYSl routing-options
Step 3.20
Return to the established session on the vSRX-1 device.
Display the sesion table by running the show security flow session command.
[edit routing-instances RSYSl routing-options]
lab@vSRX-l:TSYSl# run show security flow session
Session ID: 20437, Policy name: allow-ACME/4, Timeout: 2, Valid
In: 10.10.101.10/22043 10.10.102.1/117;icmp. Conn Tag: 0x0, If: ge-0/0/4.0.
Pkts : 1, Bytes: 84,
Step 3.21
Exit out of TSYSl cli and enter into tsys2 administrative prompt.
[edit routing-instances RSYSl routing-options]
lab@vSRX-l:TSYSl# top
[edit]
lab@vSRX-l:TSYSl# exit
Exiting configuration mode
lab@vSRX-l:TSYS2
Step 3.22
Use the show security policies command to view the policies in TSYS2.
lab@vSRX-l:TSYS2 show security policies
Default policy: deny-all
Pre ID default policy: permit-all
lab@vSRX-l:TSYS2
Step 3.23
Enter configuration mode and set the default policy of tsys2 to permit-all.
lab@vSRX-l:TSYS2> configure
Entering configuration mode
[edit]
lab@vSRX-l:TSYS2# set security policies default-policy permit-all
[edit]
lab@vSRX-l:TSYS2#
Step 3.24
Commit the changes.
[edit]
lab@vSRX-l:TSYS2# commit
commit complete
[edit]
lab@vSRX-l:TSYS2#
Step 3.25
Use the show security policies command to view the policies in tsys2.
[edit]
lab@vSRX-l:TSYS2# run show security policies
Default policy: permit-all
Pre ID default policy: permit-all
[edit]
lab@vSRX-l:TSYS2#
Step 3.26
Exitoutofthe tsys2 tenant prompt and run the show security policies command from the
master administrative prompt.
[edit]
labQvSRX-1:TSYS2# exit
Exiting configuration mode
lab@vSRX-l>
Question: Did changing the default policy settings in tsys2 have any
impact on other tenants?
Step 3.27
Change to the tsys2 administrative prompt again and enter configuration mode.
lab@vSRX-l> set cli tenant TSYS2
Tenant: TSYS2
lab@vSRX-l:TSYS2> configure
Entering configuration mode
[edit]
lab@vSRX-l:TSYS2#
Step 3.28
Configure a route for the 10.10.101.0/24 prefix with the next hop of 10.1.1.1, and add the lt-0/0/0.2
interface into the rsys2 routing instance.
lab@vSRX-l:TSYS2# edit routing-instances RSYS2 routing-options
[edit security]
labOvSRX-1:TSYS2# show
policies {
default-policy {
permit-all;
}
}
zones {
security-zone ACME-SV {
host-inbound-traffic {
system-services {
r
}
}
interfaces {
ge-0/0/5.0;
lt-0/0/0.2;
}
}
}
[edit security]
lab@vSRX-l:TSYS2#
step 3.31
Commit the configuration changes.
[edit security]
lab@vSRX-l:TSYS2# commit
commit complete
[edit security]
lab@vSRX-l:TSYS2#
Step 3.32
Return to the established session with the vSRX-VR device.
Start an SSH session from vrlOl to 10.10.102.10. Log in as lab and say yes if any warnings come up
about adding the host to the list of known hosts.
lab@vSRX-VR> ssh 10.10.102.10 routing-instance vrlOl
The authenticity of host ’10.10.102.10 (10.10.102.10)’ can’t be established.
ECDSA key fingerprint is SHA256:xL2BMAT2zVipnPkkUb2sHdfZ4ajFMzEz5sh/xOHGAlE .
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ’10.10.102.10’ (ECDSA) to the list of known hosts.
Password: labl23
Step 3.33
Return to the open session on the vSRX-1 device, and run the show security flow session from
each of the tenant systems to compare.
[edit security]
lab@vSRX-l:TSYS2# top
[edit]
lab@vSRX-l:TSYS2# exit
Exiting configuration mode
lab@vSRX-l:TSYS1>
Question: How many sessions were created for this single SSH
connection?
Answer: There are two sessions created. One in each of the tenant
systems.
Question: What are the session IDs for the two flows? Are they the
same session?
Answer: The session ID will be unique to your lab, but the session ID
from each of the tenant systems will be a different number showing
that two sessions are being used to forward this traffic.
step 3.34
Exit from the tenant system enter configuration mode and from the a J sec directory load the
ldb6-start. config. Commit the start config. This will remove the tenant systems from the vSRX-1
device. You will notice error messages about tenant systems configurations left in configuration. Exit out
of configuration mode.
lab@vSRX-l:TSYS1> clear tenant
Cleared default tenant
lab@vSRX-l> configure
Entering configuration mode
[edit]
lab@vSRX-l# load override a.jsec/lab6-start.config
load complete
lab@vSRX-l# commit
[edit tenants TSYSl security address-book Juniper attach]
’ zone I
warning: patch removes statement that is not empty
[edit tenants TSYSl security address-book ACME attach]
’ zone I
warning: patch removes statement that is not empty
[edit tenants TSYSl security]
’address-book’
warning: patch removes statement that is not empty
warning: Load error seen when propagating changes into tenant database
commit complete
[edit]
lab@vSRX-l# exit
lab@vSRX-l>
Step 3.35
Return to the established session on the vSRX-VR device.
Close the SSH session.
lab@vSRX-VR> exit
lab@vSRX-VR>
STOP Tell your instructor that you have completed this lab.
CD
172.18.1.0/30
(•2) ge-0/0/1
vSRX-1
(.1) 10.1.1.0/24 (.2)
TSYS1 lt-0/0/0.2
TSYS2
It-0/0/0.1
to-ACME zone ACME-SV zone
10.10.101.0/24 10.10.102.0/24
(•10) (.10)
vrIOI vr102
Overview
In this lab, you will configure PKI and an Auto Discovery VPN (ADVPN). You will use the Junos CLI to
configure certificates on the devices. Then, you will configure an ADVPN to securely route traffic sourced
fromthe virtual routers {vrl 01, vrl02, vr201, vr202} through the vSRX-1, vSRX-2 and vSRX-VR
devices.
In this lab, you will perform the following tasks:
• Configure PKI settings on the devices.
• Generate and sign certificate requests from the devices.
• Configure an ADVPN.
• Monitor and test the function of the ADVPN.
In this lab part, you will use the command-line interface (CLI) to log in to the vSRX-1, vSRX-2, and vSRX-VR
devices. Next, you will load the starting configuration for the lab. You will then generate and sign the
certificates that will be used for the ADVPN configuration. Finally, you will configure the PKI settings on
the devices.
Note
Step 1.1
Consult the Management Network Diagram to determine the management addresses of your devices.
Step 1.2
Access the student desktop using the virtual console. Use the user name lab and the password Iabl23.
Open a terminal session and browse to the Desktop/Certif icates directory. Ensure that only the
ca cert. pern file exists. Delete any other files in this directory. Do not delete the ca cert. pern file!
Last login: Fri Apr 20 13:36:29 2018 from 172.25.11.1
[labSdesktop ]$ Is Desktop/Certificates/
ca_cert.pern
[labSdesktop ]$
Step 1.3
Access the command-line interface (CLI) for the vSRX-1 device from the student desktop by opening a
terminal session and typing ssh 172.25.11.1.
Note
In this lab part, you will be required to copy and paste data from the vSRX
sessions to local files on the student desktop. For this reason, you will need
to access the vSRX devices using SSH by opening a GUI session with the
student desktop and using the terminal program.
Login with the username lab and password labl23. Enter configuration mode and load the
lab7-start, config^rora the ajsec directory. Commit the configuration when complete.
[labOdesktop ]$ ssh 172.25.11.1
Warning: Permanently added ’172.25.11.1’ (RSA) to the list of known hosts.
Password:
Last login: Wed Mar 14 19:47:41 2018 from 172.25.11.254
-- JUNOS 17.4R1.16 Kernel 64-bit JNPR-11.0-20171206.f4cad52 bull
lab@vSRX-l> configure
[edit]
lab@vSRX-l# load override ajsec/lab7-start.config
load complete
[edit]
lab@vSRX-l# commit
commit complete
Step 1.4
Access the command-line interface (CLI) for the vSRX-2 device from the student desktop by
opening a separate terminal session and typing ssh 172.25.11.2.
On the vSRX-2 device, login with the username lab and password labl23. Enter configuration mode
and load the lab7-start. conf igfrom the a j sec directory. Commit the configuration when
complete and exit to operational mode.
FreeBSD/amd64 (vSRX-2) (ttyuO)
login: lab
Password:
Last login: Mon Mar 12 19:50:22 2018 from 172.25.11.254
[edit]
lab@vSRX-2# load override ajsec/lab7-start.config
load complete
[edit]
lab@vSRX-2# commit and-quit
commit complete
Exiting configuration mode
lab@vSRX-2
Step 1.5
Access the command-line interface (CLI) for the vSRX-VR device from the student desktop by
opening a separate terminal session and typing ssh 172.25.11.9.
On the vSRX-VR device, login with the username lab and password labl23. Enter configuration mode
and load the lab7-start. conf igfrom the aj sec directory. Commit the configuration when
complete and exit to operational mode.
FreeBSD/amd64 (vSRX-VR) (ttyuO)
login: lab
Password:
Last login: Mon Mar 12 19:50:22 2018 from 172.25.11.254
[edit]
lab@vSRX-VR# commit and-quit
commit complete
Exiting configuration
lab@vSRX-VR>
Step 1.6
Return to the existing session with the vSRX-1 device.
On the vSRX-1 device, configure the suiteB ca-prof ile to use a ca-identity of sui teB.
Disable revocation checks. Commit then exit to operational mode.
[edit]
lab@vSRX-l# edit security pki
lab@vSRX-l>
Step 1.7
Use the SCP utility to retrieve the ca_cert .pem file from the Desktop/Certificates directory on
the student desktop device. Login with the username lab and password labl23.
lab@vSRX-l> scp 172.25.11.254:~/Desktop/Certificates/ca_cert.pem .
The authenticity of host ’172.25.11.254 (172.25.11.254)’ can’t be established.
ECDSA key fingerprint is SHA256:fBR3Hkj5sGfZnk9XSkj/rUC/+OzRQEWWwtHW7qT5kOs.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ’172.25.11.254 I (ECDSA) to the list of known hosts.
lab@172.25.11.254's password: labl23
ca cert.pem 100% 964 1.2MB/S 00:00
lab@vSRX-l>
Step 1.8
Return to the existing session with the vSRX-2 device.
Use the SCP utility to retrieve the ca_cert .pern file from the Desktop/Certificates directory on
the student desktop device. Login with the username lab and password labl23.
lab@vSRX-2 scp 172.25.11.254:~/Desktop/Certificates/ca_cert.pem .
The authenticity of host ’172.25.11.254 (172.25.11.254)’ can’t be established.
ECDSA key fingerprint is SHA256:fBR3Hkj5sGfZnkOXSkj/rUC/+OzRQEWWwtHW7qT5kOs.
Are you sure you want to continue connecting (yes/no)? yes
lab@vSRX-2
Step 1.9
Return to the existing session with the vSRX-VR device.
Use the SCP utility to retrieve the ca_cert .pem file from the Desktop/Certificates directory on
the student desktop device. Login with the username lab and password labl23.
lab@vSRX-VR> scp 172.25.11.254:~/Desktop/Certificates/ca_cert.pem .
The authenticity of host ’172.25.11.254 (172.25.11.254)’ can’t be established.
ECDSA key fingerprint is SHA256:fBRSHkj5sGfZnk9XSkj/rUC/+OzRQEWWwtHW7qT5kOs.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ’172.25.11.254’ (ECDSA) to the list of known hosts.
lab@172.25.11.254’s password: labl23
ca cert.pem 100% 964 1.2MB/S 00:00
lab@vSRX-VR>
Step 1.10
Return to the existing session with the vSRX-1 device.
On the vSRX-1 device, delete any local certificates, certificate requests, and key pairs.
lab@vSRX-l> clear security pki local-certificate all
Step 1.14
Load the ca cert .pem certificate as the ca-certif icate.
lab@vSRX-2 request security pki ca-certificate load ca-profile SuiteB filename
ca_cert .pem
Fingerprint:
7d:25:5c:91:87:5c:d4:c9:la:24:e2:b4:f8:d7:0b:8a:44:21:2a:73 (shal)
61:c2:c2:41:Of:12:95:8d:84:3c:a8:06:Of:3c:fa:01 (md5)
Do you want to load this CA certificate ? [yes,no] (no) yes
Step 1.19
Return to the existing session with the vSRX-1 device.
On the vSRX-1 device, generate a certificate request using the key pair generated previously with the
following criteria:
• Certificate ID: vSRX-1
Subject: DC=vSRX-1 . j uniper. net, CN=vSRX-l. j uniper. net, 0U=Base,
0=Juniper L=SunnyvaleST=California,C=US
Email: ajsec@j uniper. net
lab@vSRX-l> request security pki generate-certificate-request certificate-id
vSRX-1 subject "DC=vSRX-l.juniper.net,CN=vSRX-l.juniper.net,0U=Base,
0=Juniper,L=Sunnyvale,ST=California,C=US" email ajsec@ juniper.net
lab@vSRX-l>
Step 1.20
Return to the existing session with the vSRX-2 device.
On the vSRX-2 device, generate a certificate request using the key pair generated previously with the
following criteria:
• Certificate ID: vSRX-2
Subject: DC=vSRX-2 . j uniper. net
CN=vSRX-2.juniper.net, 0U=Base,0=Juniper,L=Sunnyvale,ST=Californi
a,C=US
Email: ajsec@j uniper. net
lab@vSRX-2 request security pki generate-certificate-request certificate-id
vSRX-2 subject "DC=vSRX-2.juniper.net,CN=vSRX-2.juniper.net,0U=Base,
0=Juniper,L=Sunnyvale,ST=California,C=US" email ajsec@ juniper.net
Generated certificate request
----- BEGIN CERTIFICATE REQUEST-----
MIIBxzCCAUsCAQAwgZgxIjAgBgoJkiaJk/lsZAEZFhJ2UlJYLTEuanVuaXBlci5u
ZXQxGzAZBgNVBAMTEnZTUlgtMi5qdW5pcGVyLm51dDENMAsGAlUECxMEQmFzZTEQ
MA4GAlUEChMHSnVuaXBlcjESMBAGAlUEBxMJU3Vubnl2YWxlMRMwEQYDVQQIEwpD
YWxpZm9ybmlhMQswCQYDVQQGEwJVUzB2MBAGByqGSM49AgEGBSuBBAAiA2lABDgj
aY5vbhQHB3xshl6lSa6AdBb7xlmOPUCMWZMRLlPxT25h9WkE+10fvAuyYRm8jSzq
lab@vSRX-2
Step 1.21
Return to the existing session with the vSRX-VR device.
On the vSRX-VR device, generate a certificate request using the key pair generated previously with the
following criteria:
• Certificate ID: vSRX-vr
Subject: DC=vSRX-VR . j uniper. net,
CP=vSRX-\iR. juniper, net, OU=Base, O=Juniper L=Sunnyvale ST=Californi
a, C=US
Email: ajsec@j uniper. net
lab@vSRX-VR> request security pki generate-certificate-request certificate-id
vSRX-VR subject "DC=vSRX-VR.juniper.net,CN=vSRX-VR.juniper.net,OU=Base,
0=Juniper,L=Sunnyvale,ST=California,C=US" email aj sec@ juniper.net
Generated certificate request
----- BEGIN CERTIFICATE REQUEST-----
MIIByTCCAUOCAQAwgZoxIzAhBgoJkiaJk/lsZAEZFhN2UlJYLVZSLmplbmlwZXIu
bmV0MRwwGgYDVQQDExN2UlJYLVZSLmplbmlwZXIubinV0MQ0wCwYDVQQLEwRCYXNl
MRAwDgYDVQQKEwdKdW5pcGVyMRIwEAYDVQQHEwlTdW5ueXZhbGUxEzARBgNVBAgT
CkNhbGlmb3JuaWExCzAJBgNVBAYTAlVTMHYwEAYHKoZIzjOCAQYFK4EEACIDYgAE
czlD9AwJl/0NNvArS88BA3svVthdh2V9Zqml43XeuvWFljK8jb7jGR4XwcK96gLk
Qa3tYvUGYMPRqVos6TKet8cBhIS7MGj5bWPuE8JugntWRFVfr8NtsgfzTthckvJ2
oDMwMQYJKoZIhvcNAQkOMSQwIjAgBgNVHREEGTAXgRUic3RlZGVudEBqdW5pcGVy
Lm51dCIwDAYIKoZIzjOEAwIFAANoADBlAjEAz69tP62MyjJclZGLMRcAbDNj 8gcK
bAA62xj 4htuQLayVM2r0qp9WURSzI4MqWkH9AjAL4TUqZIvsfrBinAdRQxsgwGMn
eRlwMC0Qin+KdoNhTIFZWrilGiIOSzay4XL8zd60 =
----- END CERTIFICATE REQUEST-----
Fingerprint:
b9:61:d8:86:dl:f3:bf:98:ad:b2:3c:08:33:70:3f:e5:42:99:13:6c (shal)
7e:9b:e5:a2:89:ab:58:la:08:bl:0c:f5:30:4f:83:29 (md5)
lab@vSRX-VR>
Step 1.22
Open a new terminal window on the student desktop and navigate to the Desktop/Certif icates/
folder.
Create a new file called vSRX-1. csr by using vi.
Copythe contents of the certificate request from the previous vSRX-1 session by highlight!ng the text from
the---------- BEGIN CERTIFICATE REQUEST statement to the END CERTIFICATE
REQUEST Statement and pressing the Ctrl + c keyboard sequence.
Return to the student desktop terminal and press i to edit the file. Right-click in the empty file to copy
the certificate request.
Save the file by pressing Esc, then typing : wq! and pressing Enter.
Note
An issue with the copy+paste operation will sometimes cause the first few
characters (hypens) to be left off of the pasted text. If these are missing, fill
in the first line of the certificate so that it matches the output below.
[lab@desktop ]$ cd Desktop/Certificates/
[lab@desktop Certificates]$ vi vSRX-l.csr
: wq!
Step 1.23
Create a new file called vSRX-2. csrby using vim.
Copy the contents of the certificate request from the previous vSRX-2 session by highlighting the text
from the BEGIN CERTIFICATE REQUEST statement to the END
CERTIFICATE REQUEST Statement and pressing the Ctrl + c keyboard sequence.
Return to the student desktop terminal and press i to edit the file. Right-click in the empty file to copy
the certificate request.
Save the file by pressing Esc, then typing : wq! and pressing Enter.
[lab@desktop Certificates]$ vi vSRX-2.csr
8z8c51cQutre7ElZMqsbhKdhX4ImPkfXIkgfiKRCtntfZins73Z 9j 63zfqx9JRKAz
MDEGCSqGSIb3DQEJDjEkMCIwIAYDVR0RBBkwF4EVInN0dWRlbnRAanVuaXBlci5u
ZXQiMAwGCCqGSM49B7kMCBQADaAAwZQIwCqAFquwn3YR41pYoUYCqlLfYw5Vt7h4V
8rhdVkKY5UWckvgVA9kz j j oZvyRrE7 /uAj EA2TpWrcW-l-j 0 j rkt+8h9Xb7nQTiMBr
rrFlIigThxHSTQdBJHgfVXSWoIs7TJ2C4STA
----- END CERTIFICATE REQUEST-----
: wq!
Step 1.24
Create a new file called vSRX- vr . csr by using vim.
Copy the contents of the certificate request from the previous vSRX-VR session by highlighting the text
from the - BEGIN CERTIFICATE REQUEST statement to the END CERTIFICATE
REQUEST Statement and pressing the Ctrl + c keyboard sequence.
Return to the student desktop terminal and press i to edit the file. Right-click in the empty file to copy the
certificate request.
Save the file by pressing Esc, then typing : wq! and pressing Enter.
[labSdesktop Certificates]$ vi vSRX-VR.csr
: wq!
Step 1.25
In this step, you will use the local CA on the student desktop to sign the certificate requests from the
previous steps.
From the terminal session on the student desktop, navigate to the /etc/ssl/SuiteBCA folder. Sign
the certificate request for the vSRX-1 device by using the sudo command. Use the labl23 password
when prompted.
[lab@desktop Certificates]$ cd /etc/ssl/SuiteBCA
Step 1.26
Copy the generated certificate to /home/lab/Desktop/Certif icates/vSRX-1 .pem.
[lab@desktop jsecCA]# sudo cp certs/vSRX-1.pern /home/lab/Desktop/Certificates/
vSRX-1.pem
Step 1.27
In this step, you will use the local CA on the student desktop to sign the certificate requests from the
previous steps.
From the terminal session on the student desktop, navigate to the /etc/pki/CA/jsecCA folder. Sign
the certificate request for the vSRX-2 device by using the sudo command.
[lab@desktop jsecCA]$ sudo openssl ca -in /home/lab/Desktop/Certificates/
vSRX-2.csr -out certs/vSRX-2.pem -keyfile ec_key.pem -cert cacert.pem -md
SHA384 -extfile subalt.txt
Using configuration from /usr/lib/ssl/openssl.cnf
Step 1.28
Copy the generated certificate to /home/lab/Desktop/Certif icates/vSRX-2 .pern
[lab(3desktop jsecCA]# sudo cp certs/vSRX-2 .pern /home/lab/Desktop/Certificates/
vSRX-2.pern
Step 1.29
In this step, you will use the local CA on the student desktop to sign the certificate requests from the
previous steps.
From the terminal session on the student desktop, navigate to the /etc/pki/CA/ j secCA folder. Sign
the certificate request for the vSRX-VR device by using the sudo command.
[lab(3desktop jsecCA]$ sudo openssl ca -in /home/lab/Desktop/Certificates/
vSRX-VR.csr -out certs/vSRX-VR.pem -keyfile ec_key.pem -cert cacert.pem -md
SHA384 -extfile subalt.txt
Using configuration from /usr/lib/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1048578 (0x100002)
Validity
Not Before: Jun 2 20:01:06 2020 GMT
Not After : Jun 2 20:01:06 2021 GMT
Subject:
countryName = US
StateOrProvinceName = California
organizationName = Juniper
organizationalUnitName = Base
commonName = vSRX-VR.juniper.net
X509v3 extensions:
X509v3 Subject Alternative Name:
email:aj sec@juniper.net
Certificate is to be certified until Jun 2 20:01:06 2021 GMT (365 days)
Sign the certificate? [y/n]:y
Step 1.30
Copy the generated certificate to /home/lab/Desktop/Certif icates/vSRX-VR. pem
[labOdesktop jsecCA]# sudo cp certs/vSRX-VR.pem /home/lab/Desktop/Certificates/
vSRX-VR.pem
Step 1.31
Return to the session with the vSRX-1 device.
Use the SCP utility to retrieve the vSRX-1 .pem file from the student desktop.
lab@vSRX-l> scp 172.25.11.254:~/Desktop/Certificates/vSRX-1.pem .
lab@172.25.11.254’s password:
vSRX-1.pem 100% 2440 4.3mb/s 00:00
lab@vSRX-l>
Step 1.32
Import the signed certificate using the request command.
lab@vSRX-l> request security pki local-certificate load certificate-id vSRX-1
filename vSRX-l.pem
Local certificate loaded successfully
Step 1.33
Return to the session with the vSRX-2 device.
Use the SCP utility to retrieve the vSRX-2 .pemtWe from the student desktop.
lab@vSRX-2 scp 172.25.11.254:~/Desktop/Certificates/vSRX-2.pem .
lab@172.25.11.254’s password:
vSRX-2.pem 100% 2440 4.3mb/s 00:00
lab@vSRX-2
Step 1.34
Import the signed certificate using the request command.
lab@vSRX-2 request security pki local-certificate load certificate-id vSRX-2
filename vSRX-2.pem
Local certificate loaded successfully
Step 1.35
Return to the session with the vSRX-VR device.
Use the SCP utility to retrieve the vSRX-VR.pem file from the student desktop.
lab@vSRX-VR> scp 172.25.11.254:~/Desktop/Certificates/vSRX-VR.pem .
lab@172.25.11.254’s password:
vSRX-VR.pem 100% 2440 4.3MB/S 00:00
lab@vSRX-l>
lab@vSRX-VR>
Step 1.36
Innport the signed certificate using the request command.
lab@vSRX-VR> request security pki local-certificate load certificate-id vSRX-VR
filename vSRX-VR.pem
Local certificate loaded successfully
In this lab part, you will configure ADVPN with the vSRX-VR device acting as the hub and the vSRX-1 and
vSRX-2 devices acting as the spokes.
Step 2.1
On the vSRX-1 device, enter configuration mode.
Navigate to the [edit security ike] hierarchy and configure the IKE policy with the following
settings:
Policy Name: advpn-poll
Local Certificate: vSRX-1
Proposal Set: suiteb-gcm-2 5 6
lab@vSRX-l> configure
Entering configuration mode
[edit]
lab@vSRX-l# edit security ike policy advpn-poll
Step 2.2
Configure the gateway settings with the following parameters:
• Gateway Name: advpn-gwl
IKE Policy: advpn-poll
Address: 192.168.9.1
Local Identity: distinguished-name
Remote Identity: distinguished-name container O=Juniper
External Interface: ge-0/0/1.0
ADVPN Suggester: disable
Version: v2-only
[edit security ike policy advpn-poll]
lab@vSRX-l# up 1 edit gateway advpn-gwl
Answer: The suggester setting configures the device to act as the hub by
distributing suggested shortcut tunnels to the spoke devices. Since vSRX-1 is
a hub device you will disable this function.
Step 2.3
Navigate to the [edit security ipsec] configuration hierarchy. Configure the following VPN
settings:
VPN Name: advpn-vpn
ike {
gateway advpn-gwl;
ipsec-policy standard;
}
establish-tunnels immediately;
}
[edit interfaces]
lab@vSRX-l# set stO unit 0 family inet address 10.25.0.1/24
[edit interfaces]
lab@vSRX-l# set stO unit 0 multipoint
[edit interfaces]
lab@vSRX-l# top set security zones security-zone vpn interfaces stO.O
[edit interfaces]
lab@vSRX-l# commit and-quit
commit complete
Exiting configuration mode
lab@vSRX-l>
Step 2.5
Verify that the phase 1 and phase 2 IKE SAs establish between the vSRX-1 device and the vSRX-VR
device by running show security ike security-associations and show security
ipsec security-associations.
lab@vSRX-l> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
7275110 UP 632881f212182d40 02928c33bfb3bl71 IKEv2 192.168.9.1
Question: Do the outputs from the last step indicate a successful IKE
negotiation?
Answer: Yes. The presence of one IKE security association and two IPsec
security associations indicate that the negotiation between the vSRX-1 and
vSRX-VR devices was successful.
Step 2.6
Check the state of the IPsec next hop tunnels by issuing show security ipsec
next-hop-tunnels.
Answer: Currently, the only IPsec tunnel available connects to the vSRX-VR
device. This indicates that no shortcut tunnels have yet been established.
Step 2.7
On the vSRX-1 device, check the contents of the routing table to see which destinations use the stO
interface.
lab@vSRX-l> show route table inet.O
lab@vSRX-l>
Question: Are the routes to the remote vr201 and vr202 networks
using the IPsec tunnel as intended? Why or why not?
Answer: No. Currently, the vSRX-1 device will use the default route through
the ge-0/0/3 interface to reach the remote networks. Though the IKE
negotiation was successful, there is currently no routing information to direct
traffic to the remote networks into the tunnel.
[edit]
lab@vSRX-l# edit protocols ospf area 0
lab@vSRX-l>
Answer: Simply adding the stO interface to OSPF will only cause OSPF to
advertise the stO tunnel endpoint addresses. By adding the ge-0/0/4 and
ge-0/0/5 interfaces to OSPF, the attached vrlOl and vrl02 networks
will be advertised to peers with the stO interfaces as the next hop. The
passive option is used to prevent adjacency formation across these links.
Step 3.2
Validate that the OSPF neighbor relationships are active by issuing the show ospf neighbors
command.
lab@vSRX-l> show ospf neighbor
Address Interface State ID Pri Dead
10.25.0.9 StO. 0 Down 0.0.0.0 0 22
Answer: There are several reasons this could be happening. In this case,
even though we configured the stO interface to be part of the ypn zone,
we did not add the host-inbound-traffic configuration required to
allow IKE through the zone.
Step 3.3
To allow the OSPF peering to establish over the stO interface, configure OSPF under
host-inbound-traf f ic forthe vpn security zone. Commit the change and exit to operational mode.
lab@vSRX-l> configure
Entering configuration mode
[edit]
lab@vSRX-l# set security zones security-zone vpn host-inbound-traffic protocols
ospf
[edit]
lab@vSRX-l# commit and-quit
commit complete
Exiting configuration mode
lab@vSRX-l>
Step 3.4
Validate that the OSPF neighbor relationships are active by issuing the show ospf neighbors
command.
lab@vSRX-l> show ospf neighbor
Address Interface State ID Pri Dead
10.25.0.9 StO. 0 Full 192.168.9.1 128
Answer: You should see a single OSPF neighbor at 10.25.0.9. This is the
vSRX-VR device. If you do not see this neighbor in the Full state, check with
your instructor.
Step 3.5
Check the contents of the routing table to verify that the stO interfaces are used to reach the remote
vr201 and vr202 networks.
lab@vSRX-l> show route table inet.O
0.0.0.0/0 'k
[Static/5] 03:23:21
> to 172.18.1.1 via ge-0/0/1.0
10.1.1.254/32 * [Local/0] 02:52:35
Reject
10.10.101.0/24 ■k
[Direct/0] 03:23:21
> via ge-0/0/4.0
10.10.101.1/32 * [Local/0] 03:23:21
Local via ge-0/0/4.0
10.10.102.0/24 * [Direct/0] 03:23:21
> via ge-0/0/5.0
10.10.102.1/32 * [Local/0] 03:23:21
Local via ge-0/0/5.0
10.10.201.0/24 * [OSPF/10] 00:00:40, metric 3
> to 10.25.0.9 via stO.O
10.10.202.0/24 * [OSPF/10] 00:00:40, metric 3
> to 10.25.0.9 via stO.O
10.11.10.0/24 * [Direct/0] 02:52:35
> via ge-0/0/3.0
10.11.10.1/32 * [Local/0] 02:52:35
Local via ge-0/0/3.0
10.25.0.0/24 * [Direct/0] 01:13:00
> via StO.O
10.25.0.1/32 * [Local/0] 01:13:00
Local via stO.O
10.25.0.2/32 * [OSPF/10] 00:00:40, metric 2
> to 10.25.0.9 via stO.O
10.25.0.9/32 * [OSPF/10] 00:00:40, metric 1
> to 10.25.0.9 via stO.O
172.18.1.0/30 * [Direct/0] 03:23:21
> via ge-0/0/1.0
172.18.1.2/32 * [Local/0] 03:23:21
Local via ge-0/0/1.0
172.25.11.0/24 * [Direct/0] 03:23:21
> via ge-0/0/0.0
172.25.11.1/32 * [Local/0] 03:23:21
Local via ge-0/0/0.0
192.168.1.1/32 * [Direct/0] 03:25:10
> via loO.O
224.0.0.5/32 * [OSPF/10] 00:01:29, metric 1
MultiRecv
Answer: Yes. The routes use the stO interface IP of the vSRX-VR device,
10.25.0.1, as their next-hop.
Answer: Because not traffic has yet been sent using this route, the vSRX-VR
device has not yet been triggered to suggest the shortcut tunnel directly to
vSRX-2.
step 3.6
Return to the active session with the vSRX-VR device.
On the vSRX-VR device, test routing through the IPsec tunnel by pinging from vrlOl to vr201.
lab@vSRX-VR> ping 10.10.201.10 routing-instance vrlOl rapid
PING 10.10.201.10 (10.10.201.10): 56 data bytes
Answer: There are several possible causes. In this case, we have not yet
configured security policies to allow transit through the vpn zone on the
vSRX-1 device.
Step 3.7
Return to the active session with the vSRX-1 device.
On the vSRX-1 device, configure a global security policy to allow traffic from the vpn zone to any other
zone and vice-versa. Commit the change and exit configuration mode.
lab@vSRX-l> configure
Entering configuration mode
[edit]
lab@vSRX-l# edit security policies global policy vpn-to-all
lab@vSRX-l>
Step 3.8
Return to the open session with the vSRX-VR device.
On the vSRX-VR device, test the tunnel routingagain by pinging from vrlOlio vr201.
lab@vSRX-VR> ping 10.10.201.10 routing-instance vrlOl rapid
PING 10.10.201.10 (10.10.201.10): 56 data bytes
I I I I I
-- 10.10.201.10 ping statistics --
5 packets transmitted, 5 packets received. 0% packet loss
round-trip min/avg/max/stddev = 1.152/1.337/1.765/0.235 ms
lab@vSRX-VR>
Step 3.9
Return to the open session with the vSRX-1 device.
Answer: The next-hop IP address is now the stO interface IP on the vSRX-2
device. This indicates that tunnel traffic has triggered the establishment of a
shortcut tunnel between the vSRX-1 and vSRX-2 devices.
Question: What can you tell from the output of show security
ipsec next-hop-tunnels?
Step 3.10
Close the session with the vSRX-1 device by issuing exit.
lab@vSRX-l> exit
login:
Step 3.11
Return to the active session with the vSRX-2 device.
On the vSRX-2 device, issue the exit command to terminate the session.
lab@vSRX-2 exit
login:
Step 3.12
Return to the active session with the vSRX-VR device.
On the vSRX-VR device, issue the exit command to terminate the session.
lab@vSRX-VR> exit
login:
STOP Tell your instructor that you have completed this lab.
(.9)
StO.O
untrust zone untrust zon^
10.25.0.0/24 %
vpn zone
I
t
Ji'
OSPFAreaO.0.0.0 % /
e-z /
vSRX-1 ge-0/0/7 public zone ge-QIQI7 vSRX-2
loO: 192.168.1.1 (.1) (.129) loO: 192.168.2.1
10.0.1.0/24
ge-O/OH ge-0/0/5 ge-0/0/4
Overview
In this lab, you will implement some advanced IPsec VPN solutions. You will use the Junos CLI to
configure baseline elements such as interfaces, zones, and security policies, and a route-based IPsec
VPN. You will then configure a generic routing encapsulation (GRE) tunnel to operate over the IPsec VPN.
After establishing the GRE tunnel, you will configure an OSPF adjacency with the peer device. Then, you
will configure static NAT to route traffic between overlapping address spaces.
In this lab, you will perform the following tasks:
• Configure an IPsec VPN.
• Configure a GRE tunnel.
• Configure OSPF over GRE.
• Monitor the effects of your OSPF over GRE over IPsec configuration.
• Configure static NAT for overlapping address spaces.
step 1.1
You will primarily configure the vSRX-1 device. The vSRX-2 and vSRX-VR devices are already configured for
you. Consult the Management Network Diagram to determine the management addresses of your
devices.
Step 1.2
Access the CLI on the vSRX-1 device using SSH or console as directed by your instructor. Log in with the
username lab and password labl23. Enter configuration mode and load the labS-start. config
from the ajsec directory. Commit the configuration when complete.
FreeBSD/amd64 (vSRX-1) (ttyuO)
login: lab
Password:
Last login: Tue May 26 14:30:41 2020 from 172.25.11.254
[edit]
lab@vSRX-l# load override ajsec/lab8-start.config
[edit]
lab@vSRX-l# commit
commit complete
[edit]
lab@vSRX-l#
Step 1.3
Open a separate session to the vSRX-2 device.
On the vSRX-2 device, login with the username lab and password labl23. Enter configuration mode
and load the starting configuration file using the load override ajsec/labS-start. config
command. After the configuration has been loaded, commit the changes before proceeding.
FreeBSD/amd64 (vSRX-2) (ttyuO)
login: lab
Password:
Last login: Tue May 26 14:30:41 2020 from 172.25.11.254
[edit]
lab@vSRX-2# load override ajsec/labS-start.config
[edit]
lab@vSRX-2# commit
commit complete
[edit]
lab@vSRX-2#
Step 1.4
Open a separate session to the vSRX-VR device.
Step 1.5
Open a separate session to the vSRX-VR device using SSH or console. Log in with the username lab
and password labl23. Enter configuration mode and load the starting configuration file using the load
override ajsec/labS-start. config command. After the configuration has been loaded,
commit the changes before proceeding.
FreeBSD/amd64 (vSRX-VR) (ttyuO)
login: lab
Password:
Last login: Tue May 26 14:30:41 2020 from 172.25.11.254
[edit]
lab@vSRX-VR# load override ajsec/labS-start.config
[edit]
lab@vSRX-VR# commit
commit complete
[edit]
lab@vSRX-VR#
Step 1.6
Return to the open session with the vSRX-1 device.
On the vSRX-1 device, review the routing tables and determine which routes are used to reach the remote
device (vr201, vr202) networks.
[edit]
lab@vSRX-l# run show route table inet.O
0.0.0.0/0 ■k
[Static/5] Id 08:49:38
> to 172.18.1.1 via ge-0/0/1.0
10.0.1.0/24 * [Direct/0] 00:03:41
> via ge-0/0/2.0
10.0.1.1/32 * [Local/0] 00:03:41
Local via ge-0/0/2.0
10.10.101.0/24 * [Direct/0] 00:03:41
> via ge-0/0/4.0
10.10.101.1/32 * [Local/0] 00:03:41
Local via ge-0/0/4.0
10.10.102.0/24 * [Direct/0] 00:03:41
> via ge-0/0/5.0
10.10.102.1/32 * [Local/0] 00:03:41
Local via ge-0/0/5.0
172.18.1.0/30 * [Direct/0] Id 08:49:38
> via ge-0/0/1.0
172.18.1.2/32 * [Local/0] Id 08:49:38
Local via ge-0/0/1.0
172.20.100.0/24 * [Direct/0] 00:03:41
> via lt-0/0/0.0
172.20.100.1/32 * [Local/0] 00:03:41
Local via lt-0/0/0.0
172.25.11.0/24 * [Direct/0] Id 08:49:38
> via ge-0/0/0.0
172.25.11.1/32 * [Local/0] Id 08:49:38
Local via ge-0/0/0.0
192.168.1.1/32 * [Direct/0] Id 08:52:03
> via loO.O
192.168.3.1/32 * [Static/5] 00:03:42
> to 172.18.1.1 via ge-0/0/1.0
[edit interfaces]
lab@vSRX-l# set stO unit 0 family inet address 10.10.10.1/24
[edit interfaces]
lab@vSRX-l#
Step 2.2
Navigate to the [edit security ike] hierarchy and create a policy called policy-1. Configure
the policy with the following parameters:
Mode: main
Proposal Set: standard; and
Pre-shared Key: ascii-text juniper
[edit interfaces]
lab@vSRX-l# top edit security ike
Step 2.3
Configure the gateway properties that will be used to establish the IPsec VPN to the remote site.
Configure the gateway with the following parameters:
Address: 172.18.2.2
External Interface: ge-0/0/1. O', and
IKE Policy: policy-1
[edit security ike]
lab@vSRX-l# edit gateway gateway-1
Answer: This interface will be used for the IKE negotiation. For the
negotiation to succeed, we must enable the interface to accept this
traffic.
Step 2.7
Create a zone named vpn and add the stO. 0 interface. Verify the recent changes to both zones.
[edit security zones]
lab@vSRX-l# set security-zone vpn interfaces stO.O
}
protocols {
}
}
interfaces {
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
ike;
}
}
}
}
Step 2.8
Navigate to the [edit security policies] hierarchy and create a policy. This policy should allow
all traffic to and from the Juniper-svand vpn zones. Name this policy Juniper-sv- to-vpn. Once
you have verified your configuration, commit these changes and exit to operational mode.
[edit security zones]
lab@vSRX-l# up 1 edit policies global policy Juniper-SV-to-vpn
then {
permit;
}
lab@vSRX-l>
Note
For the purposes of this lab, we allow all traffic to pass through the IPsec
VPN, from the local Juniper-svzonetothe remote router instances, and
vice versa. In a production network, this setup might not be ideal. You can
limit the traffic allowed to pass through the IPsec tunnel by restricting the
source, destination, and applications.
Step 2.9
Verify that the IKE SA has been correctly negotiated using the show security ike
security-associations command.
lab@vSRX-l> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
7275115 UP fala32b4b54acaea 089126aab734bf49 Main 172.18.2.2
Step 2.10
Next, verify that you have a valid IPsec SA using the show security ipsec
security-associations command.
lab@vSRX-l> show security ipsec security-associations
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon Isys Port Gateway
<131073 ESP:3des/shal 5e31354a 3519/ unlim root 500 172.18.2.2
>131073 ESP:3des/shal b3da0df8 3519/ unlim root 500 172.18.2.2
Answer: Yes, you should see one active tunnel. If you do not see an SA,
please review your IPsec configuration and contact your instructor for
assistance if needed.
[edit]
lab@vSRX-l# edit interfaces gr-0/0/0.0
lab@vSRX-l>
Step 3.4
Clear the statistics for the IPsec VPN by issuing the clear security ipsec statistics
command. This command clears all statistics related to all traffic that has traversed the IPsec VPN. After
clearing the statistics, ping through the IPsec VPN, by pinging the vSRX-1 GRE interface address five
times. This task can be accomplished using the ping 10.11.11.2 rapid command. After pinging
the remote GRE interface, review the IPsec statistics to verify the traffic is traversing the tunnel.
Note
ESP Statistics:
Encrypted bytes: 800
Decrypted bytes: 740
Encrypted packets: 5
Decrypted packets: 7
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
Note
You might see additional decrypted packets because the vSRX-2 device has
already configured OSPF over the gr-0/0/0 interface.
In this lab part, you configure OSPF to establish an adjacency over the GRE tunnel. You will also add the
Juniper-SV facing interface to the OSPF area of the vSRX-1 device. The Jun iper-sv zone must be
configured to allow the OSPF protocol. After establishing your adjacencies, you will review your route table
and ensure you have the correct OSPF routes.
Step 4.1
Enter configuration mode and navigate to the [edit protocols ospf area 0.0.0.0 ] hierarchy.
Add the GRE interface as well as the vrIOI-facing interface (ge-0/0/4). Review your configuration
changes before committing.
lab@vSRX-l> configure
Entering configuration mode
[edit]
lab@vSRX-l# edit protocols ospf area 0
lab@vSRX-l>
Step 4.2
Begin verifying your configuration by looking at the OSPF neighborships.
lab@vSRX-l> show ospf neighbor
Address Interface state ID Pri Dead
10.10.101.10 ge-0/0/4.0 Full 192.168.1.2 128 38
10.11.11.2 gr-0/0/0.0 Full 192.168.2.1 128 30
Answer: You should see two neighbors. You see one neighborship
with the vrl 01 instance and one with the vSRX-2 device over the
GRE interface.
Step 4.3
Review the OSPF routes installed in your routing table.
lab@vSRX-l> show route protocol ospf table inet.O
Answer: Yes, you should see the OSPF routes for the route for the
vr201 and vr202 networks.
Step 4.4
Clear the IPsec statistics database by issuing clear security ipsec statistics.
lab@vSRX-l> clear security ipsec statistics
lab@vSRX-l>
Step 4.5
Verify reachability to the remote vr201 instance. You will use the ping utility to send five ICMP requests
to the VR device IP address. The vSRX-1 device will use the route learned through OSPF, which is
established over the GRE tunnel which is signaled over your IPsec VPN. You can accomplish this task by
issuing the ping 10.10.201.10 rapid command.
lab@vSRX-l> ping 10.10.201.10 rapid
PING 172.20.201.10 (172.20.201.10): 56 data bytes
I I I I I
- 172.20.201.10 ping statistics --
5 packets transmitted. 5 packets received. 0% packet loss
round-trip min/avg/max/stddev = 2.196/8.426/28.251/9.984 ms
Answer: Yes, your pings should complete. If the pings did not
complete, review your configuration and contact your instructor as
needed.
Step 4.6
Verify that the ping packets from the previous step traversed the IPsec tunnel by issuing show
security ipsec statistics.
lab@vSRX-l> show security ipsec statistics
ESP Statistics:
Encrypted bytes: 1120
Decrypted bytes: 852
Encrypted packets: 7
Decrypted packets: 8
AH Statistics:
Input bytes: 0
Output bytes: 0
Input packets: 0
Output packets: 0
Errors:
AH authentication failures: 0, Replay errors: 0
ESP authentication failures: 0, ESP decryption failures: 0
Bad headers: 0, Bad trailers: 0
Question: Does the output indicate that the ping packets traversed
the IPsec tunnel? Why would this happen?
Answer: Yes, the output should indicate the packets were subject to
IPsec encapsulation. This occurs because the GRE tunnel used to
route these packets is established over the existing IPsec tunnel.
Note
Please note that you do not need to configure a GRE tunnel to establish
OSPF over IPsec when both devices are Junos security devices. The GRE
tunnel is needed when one of the gateways does not support OSPF directly
over the IPsec VPN. Some vendors support this ability and some do not.
Please refer to the vendor documentation for specifics.
While configuring the NAT rule on vSRX-1, recall that a similar rule must be
in place on the vSRX-2 in order for sessions initiated from the
local-vr-2 instance to be translated and successfully routed to the
local-vr-1 instance.
Step 5.1
Enter configuration mode and navigate to the [edit security policies global policy
acqulred-to-untrust] hierarchy level and configure your device to allow all communication
between the acquired zone and the untrust zone.
lab@vSRX-l> configure
Entering configuration mode
[edit]
lab@vSRX-l# edit security policies global policy acquired-to-untrust
Note
For the purposes of this lab, we want to allow all traffic, from the
local-vr-1 instance network to the remote local-vr-2 instance
network, to pass through the IPsec VPN and vice versa. In a production
network, this situation might not be ideal and you can limit the traffic
allowed to pass through the IPsec tunnel by restricting the source,
destination and applications allowed.
Step 5.2
Examine the routing table to determine which path the traffic will take if destined for the vSRX-2 external
NAT address space of 10.211.2.0/24.
[edit security policies global policy acquired-to-untrust]
lab@vSRX-l# run show route table inet.O
0.0.0.0/0 ■k
[Static/5] 01:43:42
> to 172.18.1.2 via ge-0/0/1.0
10.0.1.0/24 * [Direct/0] 2d 21:27:34
> via ge-0/0/2.0
10.0.1.1/32 * [Local/0] 2d 21:27:34
Local via ge-0/0/2.0
10.10.10.0/24 * [Direct/0] 00:10:11
> via stO.O
10.10.10.1/32 * [Local/0] 00:10:11
Local via stO.O
10.10.101.0/24 * [Direct/0] 01:43:42
> via ge-0/0/4.0
10.10.101.1/32 * [Local/0] 01:43:42
Local via ge-0/0/4.0
10.10.102.0/24 * [Direct/0] 4d 02:54:53
> via ge-0/0/5.0
10.10.102.1/32 * [Local/0] 4d 02:54:53
Local via ge-0/0/5.0
10.10.201.0/24 * [OSPF/10] 00:07:45, metric 2
> via gr-0/0/0.0
10.10.202.0/24 * [OSPF/10] 00:07:45, metric 2
> via gr-0/0/0.0
10.11.11.0/30 * [Direct/0] 00:09:02
> via gr-0/0/0.0
[OSPF/10] 00:07:50, metric 1
> via gr-0/0/0.0
10.11.11.1/32 * [Local/0] 00:09:02
Answer: The route table shows that the traffic destined to the vSRX-2
external NAT address space will use the default route of O.O.O.O/O,
which points through the ge-0/0/1 interface.
step 5.3
Navigate to the [edit security nat static] hierarchy level. Configure a rule set that only
translates traffic that traverses the ge-0/0/1 interface.
[edit security policies global policy acquired-untrust]
lab@vSRX-l# top edit security nat static rule-set static-nat
Answer: No, the test should not succeed at this time. In the following
steps you will diagnose the failure.
Step 5.6
Examine the static NAT statistics in an effort to determine why the ping test failed by issuing the run
show security nat static rule all command.
[edit security nat static]
lab@vSRX-l# run show security nat static rule all
Total static-nat rules: 1
Question: Were the ping packets translated by the static NAT rule?
Step 5.7
To further diagnose the problem, ping the vSRX-1 lt-0/0/0.1 interface address, which is the default
gateway for the local-vr-1 instance, by issuing the run ping 172.20.100.1
routing-instance local-vr-1 rapid command.
[edit security nat static]
lab@vSRX-l# run ping 172.20.100.1 routing-instance local-vr-1 rapid
PING 172.20.100.1 (172.20.100.1): 56 data bytes
I I I I I
- 172.20.100.1 ping statistics --
5 packets transmitted. 5 packets received. 0% packet loss
round-trip min/avg/max/stddev = 0.282/0.657/0.942/0.306 ms
Step 5.8
Now ping the Internet router address from the local-vr-1 instance by issuing the run ping
172.18.1.2 routing-instance local-vr-1 rapid command.
[edit security nat static]
lab@vSRX-l# run ping 172.18.1.2 routing-instance local-vr-1 rapid
PING 172.18.1.2 (172.18.1.2): 56 data bytes
Answer: The ping tests show that the first hop, which is the vSRX-1
device, is responding to the ping packets, but the next hop, which is
the Internet router, does not respond.
Question: What does the lack of response from the Internet router
suggest?
Answer: The lack of response from the Internet router suggests that it
cannot route the traffic for the 10.211.2.0/24 or 10.211.1.0/24
networks. Most likely the problem resides with a lack of routing
information for the Internet router for the previously mentioned
networks. This scenario is common, in that Internet service providers
typically will not route private IP address space.
Answer: You can route the traffic through the IPsec tunnel that is
already in place. This method ensures that the traffic is received by
the remote team device and also adds encryption for the traffic.
However, the encryption is unnecessary in our current scenario, and
thus a GRE tunnel could be used instead.
Step 5.9
Configure a static route for the vSRX-2 external NAT address space (10.211.2.0/24) and use the stO
interface as the next hop for the route.
[edit security nat static]
lab@vSRX-l# top edit routing-options
[edit routing-options]
lab@vSRX-l# set static route 10.211.2. 0/24 next-hop stO
[edit routing-options]
lab@vSRX-l# show
static {
route 192.168.1.2/32 next-hop 192.168.1.1;
route 10.10.101.0/24 next-hop 192.168.1.1;
route 192.168.3.1/32 next-hop 172 .18.1.1;
route 0.0.0.0/0 next-hop 172.18.1 .1;
route 10.211.2.0/24 next-hop stO.O;
}
Answer: No, the test should not succeed at this time. In the following
steps you will diagnose the failure.
Step 5.12
Examine the static NAT statistics in an effort to determine why the ping test failed by issuing the run
show security nat static rule all command.
[edit security policies global]
lab@vSRX-l# run show security nat static rule all
Total static-nat rules: 1
Total referenced IPv4/lPv6 ip-prefixes: 2/0
static NAT rule: overlapping-address Rule-set: static-nat
Rule-Id 1
Rule position 1
From interface ge-0/0/1.0
Destination addresses 10.211.1.0
Host addresses 172.20.100.0
Netmask 24
Host routing-instance N/A
Translation hits 0
Successful sessions 0
Failed sessions 0
Number of sessions 0
Answer: To fix the problem, you can set the from criteria to the vpn
zone or the st 0 interface in the static NAT rule set.
Step 5.13
Deactivate the OSPF configuration by issuing the top deactivate protocols ospf command.
Then, change the static NAT rule set to use the stO interface for the from criteria. When you are
finished, commit the configuration and exit to operational mode.
Note
The OSPF configuration was deactivated to ensure that OSPF traffic is not
counted in the following IPsec statistics in the following steps.
lab@vSRX-l>
Step 5.14
Clear the current NAT and IPsec statistics by issuing the clear security nat statistics
static rule all and the clear security ipsec statistics commands. Then, test
connectivity by pinging the local-vr-2 instance five times by issuing the ping 10.211.2.10
routing-instance local-vr-2 rapid command.
lab@vSRX-l> clear security nat statistics static rule all
Answer: The static NAT and IPsec statistics show that traffic is
matching the static NAT rule and that the traffic is being processed
through the IPsec tunnel. Note that you might see additional
decrypted packets because the vSRX-2 device is still sending OSPF
packets.
Step 5.16
On the vSRX-1 device, terminate your session by issuing the exit command.
lab@vSRX-l> exit
login:
Step 5.17
Return to the active session with the vSRX-2 device.
On the vSRX-2 device, issue the exit command to terminate the session.
lab@vSRX-2 exit
login:
Step 5.18
Return to the active session with the vSRX-VR device.
On the vSRX-VR device, issue the exit command to terminate the session.
lab@vSRX-VR> exit
login:
STOP Tell your instructor that you have completed this lab.
Gateway 172.25.11.254
(.10) (.10)
untrust zone untrust zone
172.20.100.0/24 172.20.100.0/24
vr101 vr102
vSRX-VR vr201 vr202
Overview
In this lab, you will troubleshoot IPsec. You will use the Junos CLI to analyze log outputs and then
configure traceoptions to troubleshoot a failing SSH session. Then you will troubleshoot and resolve
several issues with an IPsec tunnel.
In this lab, you will perform the following tasks:
• View and examine logs.
• Configure traceoptions.
• Troubleshoot a failing SSH session.
• Troubleshoot IKE phase 1.
Troubleshoot IKE phase 2.
Troubleshoot a route-based IPsec VPN.
Step 1.1
You will primarily configure the vSRX-1 device. The vSRX-2 and vSRX-VR devices are already configured for
you. Consult the Management Network Diagram to determine the management addresses of your
devices.
Step 1.2
Access the CLI on the vSRX-1 device using SSH or console as directed by your instructor. Log in with the
username lab and password labl23. Enter configuration mode and load the lab9-start. config
from the ajsec directory. Commit the configuration when complete.
FreeBSD/amd64 (vSRX-1) (ttyuO)
login: lab
Password:
Last login: Sat May 30 18:20:56 2020 from 172.25.11.254
[edit]
lab@vSRX-l# load override ajsec/lab9-start.conf±g
[edit]
lab@vSRX-l# commit
commit complete
[edit]
lab@vSRX-l#
Step 1.3
Open a new session with the vSRX-2 device.
On the vSRX-2 device, login with the username lab and password labl23. Enter configuration mode
and load the reset configuration file using the load override ajsec/lab9-start. config
command. After the configuration has been loaded, commit the changes before proceeding.
FreeBSD/amd64 (vSRX-2) (ttyuO)
login: lab
Password:
Last login: Sat May 30 18:20:56 2020 from 172.25.11.254
[edit]
lab@vSRX-2# load override ajsec/lab9-start.config
[edit]
lab@vSRX-2# commit
commit complete
[edit]
lab@vSRX-2#
Step 1.4
Open a new session with the vSRX-VR device.
On the vSRX-VR device, login with the username lab and password labl23. Enter configuration mode
and load the reset configuration file using the load override ajsec/lab9-start. config
command. After the configuration has been loaded, commit the changes before proceeding.
FreeBSD/amd64 (vSRX-VR) (ttyuO)
login: lab
Password:
Last login: Sat May 30 18:20:56 2020 from 172.25.11.254
[edit]
lab@vSRX-VR# load override ajsec/lab9-start.config
[edit]
lab@vSRX-VR# commit and-quit
commit complete
Exiting configuration mode
lab@vSRX-VR>
[edit]
lab@vSRX-l#
Step 2.2
Examine the existing IPsec - IKE phase 2 configuration on the vSRX-1 device.
[edit]
lab@vSRX-l# show security ipsec
proposal proposal-1 {
protocol esp;
authentication-algorithm hmac-sha-256-128;
encryption-algorithm aes-256-cbc;
}
policy policy-1 {
perfect-forward-secrecy {
keys groupl4;
}
proposals proposal-1;
}
vpn vpnl {
bind-interface stO.O;
ike {
gateway gateway-1;
ipsec-policy policy-1;
}
establish-tunnels immediately;
}
vpn vpn2 {
bind-interface stO.O;
ike {
gateway gateway-2;
ipsec-policy policy-1;
}
establish-tunnels immediately;
}
Step 2.3
Exit configuration mode. Restart the IPsec key management daemon. (Note: You would not typically need
to do this but we need to restart this process because of the way this troubleshooting lab is built.)
[edit]
lab@vSRX-l# exit
Exiting configuration mode
lab@vSRX-l>
Step 2.4
Check if any IKE phase 1 and IKE phase 2 SAs are present on the device.
lab@vSRX-l> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
2068374 UP 4beae56fbl4b4762 796540d0e8091019 Main 172.18.1.1
Question: How many IKE phase 1 SAs are shown and what is their
status?
Question: How many IKE phase 1 and phase 2 SAs would you expect
considering the configuration from previous steps?
Question: Which step would you take next to find the cause of the
problem?
Step 2.5
Verify the routing information to reach both spokes peering addresses is correct on the vSRX-1 device. For
the topology refer to the lab diagram.
lab@vSRX-l> show route 172.18.1.1 table inet.O
step 2.6
Verify the reachability to the vSRX-2 and vSRX-VR peering addresses using the ping utility. Define the IP
address of external -in ter face from the IKE phase Iconfiguration as the source address for the
ping.
Answer: The pings confirm the device can reach each other The next
step would be examining the IKE phase 1 and phase 2 for negotiation
details using traceoptions.
Step 2.7
Enter configuration mode and enable traceoptions for IKE phase 1 and IKE phase 2. For the traceoptions
configuration define flag all and a trace file called ike-trace, log. Commit the configuration changes
and exit to operational mode when complete.
lab@vSRX-l> configure
Entering configuration mode
[edit]
lab@vSRX-l# edit security
[edit security]
lab@vSRX-l# set ike traceoptions flag all
[edit security]
lab@vSRX-l# set ike traceoptions file ike-trace.log
[edit security]
lab@vSRX-l# set ipsec traceoptions flag all
[edit security]
lab@vSRX-l# commit and-quit
commit complete
Exiting configuration mode
lab@vSRX-l>
Step 2.8
Review the ike-trace, logrfiie.
Note
For the sake of clarity and time, the interesting lines are bolded
in the output.
[Jun 1 13:05:11] kmd iked cfgbuf addrec: 572: * * Allocated recptr is 4, reclen
1600417131 * *
lab@vSRX-l>
Answer: There are multiple issues revealed by the trace file. First
while IKE phase 1 is successful for the vSRX-VR device (172.18.1.1) J
Answer: You will need to review and compare the proposal and policy
configurations for the vSRX-1 device compared to both remote vSRX
devices. For the purposes of this demonstration, we will assume that
you do not have sufficient privileges to modify the configuration on the
vSRX-2 or vSRX-VR devices, so you will make the necessary changes
to the vSRX-1 device.
Step 2.9
View the current configurations under [edit security ike] and [edit security ipsec].
lab@vSRX-l> configure
Entering configuration mode
[edit]
lab@vSRX-l# show security ike
traceoptions {
file ike-trace.log;
flag all;
}
proposal proposal-1 {
authentication-method pre-shared-keys;
dh-group groupl4;
authentication-algorithm sha-256;
encryption-algorithm aes-256-cbc;
}
policy policy-1 {
mode main;
proposals proposal-1;
pre-shared-key ascii-text "$9$/UHwAulSrv7-wRh-wYgUD9Ap"; ## SECRET-DATA
}
gateway gateway-1 {
ike-policy policy-1;
address 172.18.1.1;
dead-peer-detection;
external-interface ge-0/0/1;
}
gateway gateway-2 {
ike-policy policy-1;
address 10.0.1.129;
dead-peer-detection;
external-interface ge-0/0/7;
}
[edit]
lab@vSRX-l# show security ipsec
traceoptions {
flag all;
}
proposal proposal-1 {
protocol esp;
authentication-algorithm hmac-sha-256-128;
encryption-algorithm aes-256-cbc;
}
policy policy-1 {
perfect-forward-secrecy {
keys groupl4;
}
proposals proposal-1;
}
vpn vpnl {
bind-interface stO.O;
ike {
gateway gateway-1;
ipsec-policy policy-1;
}
establish-tunnels immediately;
}
vpn vpn2 {
bind-interface stO.O;
ike {
gateway gateway-2;
ipsec-policy policy-1;
}
establish-tunnels immediately;
}
Step 2.10
Return to the open session with vSRX-VR.
From the open session with vSRX-VR, view the current configurations under [edit security ike]
and [edit security ipsec].
proposal propl {
authentication-method pre-shared-keys;
dh-group groupl4;
authentication-algorithm sha-256;
encryption-algorithm aes-256-cbc;
}
policy poll {
mode main;
proposals propl;
pre-shared-key ascii-text "$9$FkkE6CuRhr8X-01X-VwaJ369"; ## SECRET-DATA
}
gateway gwl {
ike-policy poll;
address 172.18.1.2;
external-interface ge-0/0/1;
}
Question: Do you see the configuration issue that is causing the IKE
errors? How can you fix it?
Step 2.11
Return to the open session with vSRX-1.
On the vSRX-1 device, create a new policy {policy-1 is currently used for both VPNs) called policy-2
that does not use the perfect-forward-secrecy setting. Configure this as the policy forthe
vSRX-VR session. Commit the change.
[edit]
lab@vSRX-l# edit security ipsec policy policy-2
Step 2.12
Check the effectiveness of your fix by checking the IKE and IPSec security associations on the vSRX-1
device.
[edit security ipsec vpn vpnl]
lab@vSRX-l# run show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
2289674 UP a40c90d5e903c282 9e00 9e93ec3fcfef Main 172.18.1.1
2093153 DOWN 7578f675c790aadb b0bde801880cf584 Unknown 10.0.1.129
Step 2.13
Over the next couple of steps you will compare the configurations between the vSRX-1 and vSRX-2
devices to determine the cause of the IKE negotiation failure.
Examine the IKE and IPsec configurations on vSRX-1.
[edit]
lab@vSRX-l# show security ike
traceoptions {
file ike-trace.log;
flag all;
}
proposal proposal-1 {
authentication-method pre-shared-keys;
dh-group groupl4;
authentication-algorithm sha-256;
encryption-algorithm aes-256-cbc;
}
policy policy-1 {
mode main;
proposals proposal-1;
pre-shared-key ascii-text "$9$/UHwAulSrv7-wRh-wYgUD9Ap"; ## SECRET-DATA
}
gateway gateway-1 {
ike-policy policy-1;
address 172.18.1.1;
dead-peer-detection;
external-interface ge-0/0/1;
}
gateway gateway-2 {
ike-policy policy-1;
address 10.0.1.129;
dead-peer-detection;
external-interface ge-0/0/7;
}
[edit]
lab@vSRX-l# show security ipsec
traceoptions {
flag all;
}
proposal proposal-1 {
protocol esp;
authentication-algorithm hmac-sha-256-128;
encryption-algorithm aes-256-cbc;
}
policy policy-1 {
perfect-forward-secrecy {
keys groupl4;
}
proposals proposal-1;
}
policy policy-2 {
proposals proposal-1;
}
vpn vpnl {
bind-interface stO.O;
ike {
Step 2.14
Return to the open session on vSRX-2.
From the open session with vSRX-2, examine the IKE and IPsec configurations.
[edit]
lab@vSRX-2# show security ike
proposal propl {
authentication-method pre-shared-keys;
dh-group groupS;
authentication-algorithm sha-256;
encryption-algorithm aes-256-cbc;
}
policy policy-1 {
mode main;
proposals propl;
pre-shared-key ascii-text "$9$lv8ESeLxdgoGvWoGDif5IEc"; ## SECRET-DATA
}
gateway gateway-1 {
ike-policy policy-1;
address 10.0.1.1;
external-interface ge-0/0/7;
}
[edit]
lab@vSRX-2# show security ipsec
proposal propl {
protocol esp;
authentication-algorithm hmac-sha-256-128;
encryption-algorithm aes-256-cbc;
}
policy poll {
perfect-forward-secrecy {
keys groupl4;
}
proposals propl;
}
vpn vpnl {
bind-interface stO.O;
ike {
gateway gateway-1;
ipsec-policy poll;
}
establish-tunnels immediately;
}
Question: Do you see the issue that is causing the IKE negotiation
failure? How will you resolve it?
Step 2.15
Return to the open session on vSRX-1.
On the vSRX-1 device, create a new IKE proposal called proposal-2 that uses the pre-shared key
authentication method, Diffie-Hellman group 5, the SHA-256 authentication algorithm, and the
AES-256-CBC encryption algorithm. Create a new policy called policy-2 that references the new
proposal. Use main mode for the policy and reference the ASCII text pre-shared key of juniper.
Configure policy-2 as the ike-policy for gateway-2. Commit the changes.
[edit]
lab@vSRX-l# edit security ike proposal proposal-2
lab@vSRX-l>
Note
Step 2.16
Verify the status of IKE phase 1 and IKE phase 2 SAs on your SRX.
lab@vSRX-l> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
2093113 UP b96ec71d81bd5340 0425681dclff3a74 Main 172.18.1.2
2093161 UP d80a30a67d995715 caad6a7c04 62 6c79 Main 10.0.1.129
Question: How many IKE phase 1 SAs are shown and what is their
status?
Answer: As indicated by the output, there are two IKE phase 1 SAs
with UP status. Note that the previous, failed IKE phase 1 association
may still be shown with a status of down. If you experience different
output, double-check your configuration and notify your instructor.
Answer: As indicated by the output, there are four active IKE phase 2
SAs, a pair for each remote vSRX device. If you experience different
output, double-check your configuration and notify your instructor.
Step 3.2
Return to the active session with the vSRX-1 device.
On the vSRX-1 device, check the routes currently used to reach vr201 and vr202.
lab@vSRX-l> show route 10.10.201.10 table inet.O
Answer: While the route to vr202 uses the stO. 0 interface as the
next hop, the route to vr201 currently uses the ge-0/0/1.0
interface connected to the vSRX-VR device.
Answer: No. Traffic to vr201 is not going into the tunnel interface
stO . 0. While it would be possible to successfully ping vr201 without
modifying the routing information - by configuring the appropriate
security policy and insuring the vSRX-VR device has the necessary
routes - you must insure that this traffic is secured, so the stO . 0
interface is the only option.
Step 3.3
Enter configuration mode.
Create a static route for vr201 traffic to use the IPsec VPN tunnel. Use the vSRX-2 device stO.O interface
as next-hop. Commit the change and exit to the operational mode when complete.
lab@vSRX-l> configure
Entering configuration mode
[edit]
lab@vSRX-l# edit routing-options static
lab@vSRX-l>
Step 3.4
Test the forwarding to spoke 2 after the change.
lab@vSRX-l> show route 10.10.201.10 table inet.O
Step 3.5
Return to the session with the vSRX-VR device.
On the vSRX-VR device, verify connectivity from vrl 01 and vrl 02 to vr201.
Answer: Yes, the pings should now be successful. If they are not,
verify your configuration and consult your instructor.
Step 3.6
Return to the established session with the vSRX-1 device.
On the vSRX-1 device, terminate the OLI session by issuing the exit command.
lab@vSRX-l> exit
login:
Step 3.7
Return to the active session with the vSRX-2 device.
On the vSRX-2 device, issue the exit command to terminate the session.
lab@vSRX-2 exit
login:
Step 3.8
Return to the active session with the vSRX-VR device.
On the vSRX-VR device, issue the exit command to terminate the session.
lab@vSRX-VR> exit
login:
STOP
Tell your instructor that you have completed this lab.
vSRX-VR
loO; 192.168.9.1
<5^
untrust zone untrust zone
.'v
-O';/
public zone &
ge-0/0/7 (.1) 10.0.1.0/24 (.129) ge-0/0/7
vSRX-1 vSRX-2
stO (.1) (.2) stO
loO: 192.168.1.1 . loO; 192.168.2.1
10.10.10.0/24
ge-0/0/4 ge-0/0/5
vrlOl vrl02
vSRX-VR vr201 vr202
Overview
In this lab, you will implement several features related to Juniper SecIntel. You will use the ATP Cloud and
Security Director GUI interfaces to provision SecIntel feeds and use the Junos CLI to verify their
operation.
In this lab, you will perform the following tasks:
• Configure and monitor a security policy using the Office 365 feed.
• Configure and monitor a security policy using a custom feed.
step 1.1
You will primarily configure the vSRX-1 and vSRX-2 devices. Consult the Management Network Diagram to
determine the management addresses of your devices.
Step 1.2
Access the CLI on the vSRX-1 device as directed by your instructor. Log in with the username lab and
password labl23. Enter configuration mode and load the labl 0-start. config from the ajsec
directory. Commit the configuration when complete and exit to operational mode.
FreeBSD/amd64 (vSRX-1) (ttyuO)
login: lab
Password:
Last login: Sat May 30 18:20:56 2020 from 172.25.11.254
[edit]
lab@vSRX-l# load override ajsec/lablO-start.config
[edit]
lab@vSRX-l# commit and-quit
commit complete
Exiting configuration mode
lab@vSRX-l>
Step 1.3
Open a new session with the vSRX-2 device.
On the vSRX-2 device, login with the username lab and password labl23. Enter configuration mode
and load the reset configuration file using the load override a jsec/lablO-start. config
command. After the configuration has been loaded, commit the changes before proceeding.
FreeBSD/amd64 (vSRX-2) (ttyuO)
login: lab
Password:
Last login: Sat May 30 18:20:56 2020 from 172.25.11.254
[edit]
lab@vSRX-2# load override ajsec/lablO-start.config
[edit]
lab@vSRX-2# commit
commit complete
[edit]
lab@vSRX-2#
Step 1.4
Open a new session with the vSRX-VR device.
On the vSRX-VR device, login with the username lab and password labl23. Enter configuration mode
and load the reset configuration file using the load override ajsec/lablO-start.config
command. After the configuration has been loaded, commit the changes before proceeding.
FreeBSD/amd64 (vSRX-VR) (ttyuO)
login: lab
Password:
Last login: Sat May 30 18:20:56 2020 from 172.25.11.254
[edit]
lab@vSRX-VR# load override ajsec/lablO-start.config
[edit]
lab@vSRX-VR# commit
commit complete
[edit]
lab@vSRX-VR#
Step 1.5
Open a virtual console session to the desktop, open a Web browser and navigate to the web management
IP address for Junos Space Security Director, https://172.25.ll.100/dashboard
From the web browser, login with the username of super and the password of Junip3ri23!.
Note
super
Log In
III
Step 1.6
Mouse over the blue navigation bar on the left to expand it. Click on Devices->Device Discovery.
In the Device Discovery dialog, select the ajsec-devices discovery job. Click Run Now.
Global
Devices / Device Discovery q
X Security Devices
Device Discovery®
Device Discovery
vCenter Servers
u □ Device Discovery Profile Target Type Target Details Probes Username Credential T._ Schedule Recurrence
o AISEC-OBCOVERY IP Range 172.25.11.1-17225.11.9 N/A lab Credential Ba... Fn. 01 Jun 203519:42:37 PDT
11tems
■BB
Job Name Oijcover Network Elements-22959S Actual Start Time Thu. 04 Jun 2020 20:1POT
Owner Super
5 :
2 Rows
OK
Step 1.7
Mouse over the blue navigation bar on the left to expand it.
Navigate to Devices->Security Devices. Check the boxes next to vSRX-1 and vSRX-2. Right click
on any device name and select import from the drop-down list.
Global
Devices / Security Devices Q V C 1^ S 9
vCenter Servers
[Bl D Device Name IP Address OS Version Schema Version CPU Storage Authentication Status Connection Status Feed Source
Configuration
Q > vSRX-2 172.25.11.2 20.1 RI .11 Credentials Based • Unverifi... ▲ up
Operations
items 1 of 1 Display 50 V
Update Changes
Upload Keys
Import
Refresh Certificate
Step 1.8
Check the boxes next to all Firewall and NAT policies and click Next.
In the Conflict Resolution dialog, click Finish.
In the Summary page, click ok.
NSX Managers
rite with Network
1 More oz Q V :
vCenter Servers O For devices with Junos OS Release 18.2 and later, ips policy is auto imported along with the assigned Firewall Policy.
Connection Status Feed Source
For devices with Junos OS Release 18.2 and later, Deprecated AppFw configuration will not be imported.
lUnverifi... ▲ up
zseieaed
I Unverifi... ▲ up
»
a Name Rules Errors Summary
1 Display 50 V
Firewall Policy
Q vSRX-2 4 0
NAT Policy
o vSRX-1 1 0
2 items
Cancel Next
vCenier Servers
■us Connection Status Feed Source
Q Y ► Unverifi... ▲ up
»Unverifi... ▲ up
B □ Object Name Object Type value Imported value Conflia Resolution New Object Name Domain
No Conflicts to Show 1 50 V
Display
Step 1.9
Navigate to Administration->Policy Enforcer->Settings.
Consult the management diagram and configure the Policy Enforcer connection with the following
settings:
IP Address: 172.25.11.101
Username: root
Password: Junlp3rl23!
Sky ATP Configuration Type: Sky ATP/JATP with Juniper Connected Security
Leave all other settings at default. Click ok.
Note
My Profile
Settings®
Users & Roles > IP Address* 172.25.11.101
NSM Migration
Poll Site wide endpoints* 0 5 mlns
Policy Sync Settings
OK Reset
In this lab part, you will enroll your devices with ATP cloud through the Policy Enforcer device. You will then
enable the Office 365 feed and configure a security policy to allow outbound access to all Office 365 IP
addresses. You will then use the Junos OLI to verify the functionality of this policy.
Step 2.1
Open a new web browser tab and navigate to https: //sky. junipersecurity. net. Login to the
ATP realm using the credentials provided by your instructor.
Sky ATP
Version 3.0 | Login
student@juniper.net
ajsec-realm-1
□ Remember me
Log In
Step 2.2
Navigate to Conf igure->Third Party Feeds. Check the box for Enable feed next to
of f ice365.
Blacklists
office365 D Enable feed
Third Party Feeds Go to feed site
H ! The accuracy of these feeds cannot be guaranteed, and false positives generated by these feeds will not be
X
investigated by Juniper Networks. Security policies will block malicious IP addresses and domains based on
enabled third parry feeds, but these events do not affect host threat scores.
IP Feed
Go to feed site C?
Go to feed site
Go to feed site
Step 2.3
Open a web browser and navigate to the management IP for Junos Space Security Director.
From the web browser, log in with the username super and password Junlp3rl2 3 !
juniper NFTWOPr.;,
NFTWORr;.
a
(.
r
I
I super
Log In
II
ffte.
Copydi luniper Networks, inc. AM ‘mark Nooce | Privacy Polky
k
I
Step 2.4
Navigate to Conf igure->Threat Prevention->Feed Sources. Make sure the Sky ATP tab is
selected, then click the + icon to add a new feed source.
Unified Policies
□ Devices
Schedules
Sky ATP JATP Custom Feeds
Profiles
More *
Templates
Environment
■gW User Firewall Management > □ Realm Sites Devices Location Enrollment Status Token Expiry Feed Status Last Downloaded
Threat Prevention
Policies
Feed Sources
Step 2.5
In the Sky ATP Realm Credential dialog, enter the Username, Password and Realm provided by your
instructor. Click Next.
Username ajsec_sky_atp@juniper.net
Password •••••••••••
Realm ® ajsec-student-01
No Sky ATP account? Select your region using the Location in the menu above, then click here to create an account.
You will be redirected to the SkyATP account page.
Cancel Next
step 2.6
In the Site dialog, click Create new site. In the Create Site dialog, enter a Site name of
a j sec-lab. Click OK.
Unified Policies
o Seal— Crcce—.4 Site
Devices
Sky ATP JATP
Schedules
C31 Profiles
Environment
Threat Prevention
Policies
Feed Sources
IPSeeVPN >
Shared Objects >
Cancel OK
Change Management
Step 2.7
Insure the a jsec-lab site is selected. Click Next. In the Global Configuration dialog, check
the boxes to enable logging for Malware and Host Status. Click Finish.
Q Global V a s
I Configure / Threat Prevention / feed Sources
Unified Policies
o-----
Sk)-aTP ^esirn Crese—.i
o
Srte Global Configuration
Devices
E Sky ATP JATP
Schedules 7
Threat level Threshold
Profiles
6 8
More
Templates
Environment
No data available
NAT Policy >
UTM Policy >
Application Policy Based Routi... Logging
Threat Prevention
Policies
Matware □ Enable logging
Feed Sources
Host Status Q Enable Logging
IPSecVPN >
Shared Objects >
Change Management > Proxy Servers © +
Guided Setup >
□ Server IP
No data available
Cancel Finish
Note
Step 2.8
Navigate to Devices->Secure Fabric and click on Add Enforcement Points for the
a j sec-lab site. Select vSRX-1 and vSRX-2 and click the Arrow to select both devices. Click ok.
vCenter Servers
[SI
□ Site Enforcement Points IP Model Feed Source Feed Source... Last Updated Descrip...
1 items O
O Assigning a device to the site will cause a change in the device configuration.
Specify the enforcement points to assign to the site. The site cannot contain both switches and connectors.
No available items
Cancel OK
Step 2.9
Navigate to Devices->Security Devices. Verify that the Feed Source column has a value of
SKYATP and the Feed Source Status column shows the name of your assigned ATP realm.
X Security Devices
Security Devices ©
Device Discovery
[Bl
vCenier Servers
□ Device Name ▼ IP Address OS Version CPU Storage Connection Status Feed Source Feed Source Status Managed Status
B
items 1 of 1 Display 50 V
Note
Step 2.10
Navigate to Conf igure->Firewall Policy->Standard Policy and click + to create a new
policy.
Assign the policy a name of vSRX-1. For Type select Device Policy. Under Device Selection,
selection vSRX-1. Click ok.
Global
Configure ! Firewall Pokey / Standard Policies Q V 0 s 9
Profiles
□ Seq. Name Rules Devices Publish State Last Modified Created By Modified By Domain
Templates
POLICIES APPLIED BEFORE DEVICE SPECIFIC POLICIES' (1 policy)
Environment
> □ 1 All Devices Policy Pre Add Rule 1 Not Published wed Jun 03.20206:19 PM System Global
H User Firewall Management
SSL Profiles > □ vSRX-2 4 vSRX-2 Not Published Thu Jun 04,2020 8:21 PM super Super Global
IPS Policy > V POLICIES APPLIED AFTER DEVICE SPECIFIC POLICIES' (1 policy)
NAT Policy >
UTM Policy > □ 2 All Devices Policy Post Add Rule 1 Not Published Wed Jun 03.20206:19 PM System Global
Configure / Firewall
fewai^oj^ ! Standard Policies Q Global V C s ?
□
Unified Policies
Templates
V POLIC Name* vSRX-1
Environment
Clear All
Cancel OK
Step 2.11
In the standard Policies screen, click Add Rule on the line defining the vSRX-1 policy.
In the General dialog, assign a Rule Name of allow-of fice-365.
Create Rule @
General
o
So-rce
General Information
Description ©
Allows outbound Office 365 traffic
Cancel Next
Step 2.12
In the Source dialog, select a Zone of Juniper-sv. Click Next.
Create Rule ©
o—
Gft'va Source
Source
Zone © »Juniper-SV
Clear All
Addressees) © Select
Any
User IO © Select
Clear All
Step 2.13
In the Destination dialog, select a Zone of untrust.
Click Select for Addresses. Click the Include Specific option for Address Selection.
Under Addresses, check the box for ipf ilter_of f ice365 and click the arrow button to choose
this address. Click ok. Click Next.
Create Rule©
o o riACtanjHnn
Destination Address®
Select the destinatic- ' pu'i OU'" Si book en:*. f c ’' bheA • aoie iistbs'r/-'or yc-t--':?i j crerc ;
seieciiri the 'Asc
® Include Specific
O Excl ude Specific
O By Metadata Filter
□ Any-iPv6 SYSTEM
□ lab-peg_l0.10.l0l.1/... Global
□ lab-peg.10.10.101.10... Global
Cancel OK
Step 2.14
In the Advanced Security dialog, select an Action of Permit. Click Next.
Create Rule®
o—
Gei'era
o—
Soizce
o—
Cestiraxcr Advanced Security
o Rj e Options
Advanced Security
Rule Action
Aaion @ Permit
Advanced Security
App Firewall ® Select an option Clear All Add New
SSL Proxy (2) Select an option Clear All Add Forward Proxy Add Reverse Proxy
IPS ® Off
Supported in Junos OS verS">* 18.' oer
Step 2.15
In the Rule Options dialog, leave all options at default and click Next.
Create Rule©
o— o— c-- o
Crnrrat Sourer Drst*tat«n Mvanerd Sreurry Rule Options
Rule Options
Profile ® Select
Inherited from policy
Clear All
step 2.16
In the Rule Analysis dialog, click Next.
Create Rule @
o—
Geriera
o—
Sovxe CeSt'f^K'Ort
o
Ao.iriwc Secu*^'
oft., e—
Optiorts Rule Analysts
Step 2.17
In the Rule Placement dialog, click Finish. Click OK at the Summary screen.
Create Rule®
a o o o o o
Hui* Ptoc«in*ftt
Analysis
Results No rutoar:*,=5^5 was performed When ruto analy* rrx performed, the ST^tem w££?st a placement xcordrg
to the information provided m steps 1 to 5
Rule Placing
Create Rule©
Summary
General information
Edit
Name allow>ofrice-365
Zone juniper-SV
Address Any
Zone untrust
Address ipfilter_office36S
Service Any
Advanced Security
Edit
IPS Off
Action PERMIT
Rule Options
Edit
Rule Analysis
Edit
Rule Placement
Edit
Cancel Back OK
Step 2.18
Review the new rule. Click ok, then Update. In the Update Firewall Policy screen, click
Pxiblish and Update. Click Yes to confirm
Global
configure / Rrewall Policy t standard Policies Q V Q s
X Firewall Policy
vSRX-1 / Rules . '“sdJ seconds ago
Standard Policies
© Unified Policies Pubi-;; Update ‘.'□re
71
Q V’ :
C4jjec» V. 2)
Devices
Templates
Threat Prevention > vSRX-1 Required View O In... up vSRX-1 Global 172.25.11.1 VSRX 20.1 RI.11
Step 2.19
Review the Job Status result. Click OK.
Job Status ©
♦
Snapshot Policy Publish Policy Update Devices
229601 229602 229603
@ ®
Export to CSV q Y
vSRX-1 (vSRX-1) Success vSRX-1 (FWPolicy] Vievr View Thu. 04 Jun 2020 21:42:10 PST
1 Rows
OK
Step 2.20
Access the command line interface (CLI) on the vSRX-1 device.
From the CLI session with vSRX-1, verify that the Office 365 feed category has been created by issuing
the show services security-intelligence category summary command.
lab@vSRX-l> show services security-intelligence category summary
lab@vSRX-l>
Step 2.21
From the CLI session with the vSRX-1 device, view the entries in the Office 365 feed by issuing the show
security dynamic-address address-name ipfilter_office365 command. Choose an address from this list
and write it down for a future step.
lab@vSRX-l> show security dynamic-address address-name ipfilter_office365 |
no-more
No . IP-start IP-end Feed Address
1 13.70.151.216 13.70.151.216 IPFilter/ipfliter office365
ipfilter_office365
2 13.71.127.197 13.71.127.197 IPFilter/ipfliter office365
ipfilter_office365
3 13.72.245.115 13.72.245.115 IPFilter/ipfliter office365
ipfilter office365
4 13.73.1.120 13.73.1.120 IPFilter/ipfliter office365
ipfilter_office365
5 13.75.126.169 13.75.126.169 IPFilter/ipfliter office365
ipfilter_office365
6 13.80.125.22 13.80.125.22 IPFilter/ipfliter office365
ipfilter_office365
7 13.89.240.113 13.89.240.113 IPFilter/ipfliter office365
ipfilter_office365
8 13.91.91.243 13.91.91.243 IPFilter/ipfliter office365
ipfilter office365
9 13.107.3.0 13.107.3.255 IPFilter/ipfliter office365
ipfilter_office365
10 13.107.6.152 13.107.6.153 IPFilter/ipfliter office365
ipfilter office365
lab@vSRX-l>
Step 2.22
From the CLI session with the vSRX-1, check the configurations generated as a result of enabling a policy
with the 0ffice365 dynamic address group.
lab@vSRX-l> configure
Entering configuration mode
[edit]
lab@vSRX-l# show services security-intelligence
url https://172.25.11.101:443/api/vl/manifest.xml;
authentication {
auth-token 6XYNM4KKLPSI16FOC1LYKIDOD2K9GYKO;
}
[edit]
lab@vSRX-l# show security dynamic-address
address-name ipfilter office365 {
description n Policy Enforcer feeds.";
profile {
category IPFilter {
feed ipfilter office365;
}
}
}
[edit]
lab@vSRX-l# show security policies
from-zone Juniper-SV to-zone untrust {
policy allow-office-365 {
description n Allows outbound Office 365 traffic";
match {
source-address any;
destination-address ipfilter_office365;
application any;
}
then {
permit;
}
}
}
default-policy {
deny-all;
}
[edit]
lab@vSRX-l# exit
Exiting configuration mode
lab@vSRX-l>
Step 2.23
Open a new session with the vSRX-VR device.
From the CLI session with the vSRX-VR device, test the functionality of the 0ffice365 policy by issuing a
ping to the IP address you recorded in step 2.21 sourced from the vrlOl routing instance. Leave the
ping running and proceed to the next step.
lab@vSRX-VR> ping 13.107.127.255 routing-instance vrlOl
PING 13.107.127.255 (13.107.127.255): 56 data bytes
Answer: The result will vary. Not all Office 365 end points will respond
to pings. We will verify that the traffic is allowed in the next step.
Step 2.24
Return to the existing session with the vSRX-1 device.
From the vSRX-1 session, verify that the ping from the vrlOl routing instance is permitted by the
allow-office-365 policy by issuing the show security flow session
destination-prefix <office-365-ip> command
Session ID: 329897, Policy name: allow-office-3 65/4, Timeout: 44, Valid
In: 10.10.101.10/20511 — 13.107.127.255/5;icmp. Conn Tag: 0x0, If: ge-0/0/4.0.
Pkts : 1< Bytes: 84,
Out: 13.107.127.255/5 172.18.1.2/26579;icmp. Conn Tag: 0x0, If: ge-0/0/1.0.
Pkts : 0, Bytes: 0,
Session ID: 329903, Policy name: allow-office-3 65/4, Timeout: 46, Valid
In: 10.10.101.10/20511 — 13.107.127.255/6;icmp. Conn Tag: 0x0, If: ge-0/0/4.0.
Pkts : 1< Bytes: 84,
Out: 13.107.127.255/6 172.18.1.2/21436;icmp. Conn Tag: 0x0, If: ge-0/0/1.0.
Pkts : 0, Bytes: 0,
Session ID: 329904, Policy name: allow-office-3 65/4, Timeout: 46, Valid
In: 10.10.101.10/20511 — 13.107.127.255/7;icmp. Conn Tag: 0x0, If: ge-0/0/4.0.
Pkts : 1< Bytes: 84,
Out: 13.107.127.255/7 172.18.1.2/32607;icmp. Conn Tag: 0x0, If: ge-0/0/1.0.
Pkts : 0, Bytes: 0,
Session ID: 329907, Policy name: allow-office-3 65/4, Timeout: 48, Valid
In: 10.10.101.10/20511 — 13.107.127.255/8;icmp. Conn Tag: 0x0, If: ge-0/0/4.0.
Pkts : 1< Bytes: 84,
Out: 13.107.127.255/8 172.18.1.2/26684;icmp. Conn Tag: 0x0, If: ge-0/0/1.0.
Pkts : 0, Bytes: 0,
Session ID: 329911, Policy name: allow-office-3 65/4, Timeout: 48, Valid
In: 10.10.101.10/20511 — 13.107.127.255/9;icmp. Conn Tag: 0x0, If: ge-0/0/4.0.
Pkts : 1< Bytes: 84,
Out: 13.107.127.255/9 172.18.1.2/2066;icmp. Conn Tag: 0x0, If: ge-0/0/1.0.
Pkts : 0, Bytes: 0,
Session ID: 329914, Policy name: allow-office-3 65/4, Timeout: 50, Valid
In: 10.10.101.10/20511 — 13.107.127.255/10;icmp. Conn Tag: 0x0, If: ge-0/0/4.0.
Pkts : 1< Bytes: 84,
Out: 13.107.127.255/10 — 172.18.1.2/12278;icmp. Conn Tag: 0x0, If: ge-0/0/1.0.
Pkts : 0, Bytes: 0,
Session ID: 329917, Policy name: allow-office-3 65/4, Timeout: 50, Valid
In: 10.10.101.10/20511 — 13.107.127.255/11;icmp. Conn Tag: 0x0, If: ge-0/0/4.0.
Pkts : 1< Bytes: 84,
Out: 13.107.127.255/11 172.18.1.2/9820;icmp, Conn Tag: 0x0, If: ge-0/0/1.0.
Pkts : 0, Bytes: 0,
Session ID: 329919, Policy name: allow-office-3 65/4, Timeout: 52, Valid
In: 10.10.101.10/20511 — 13.107.127.255/12;icmp. Conn Tag: 0x0, If: ge-0/0/4.0.
Pkts : 1< Bytes: 84,
Out: 13.107.127.255/12 172.18.1.2/14853;icmp. Conn Tag: 0x0, If: ge-0/0/1.0.
Pkts : 0, Bytes: 0,
Session ID: 329922, Policy name: allow-office-3 65/4, Timeout: 52, Valid
In: 10.10.101.10/20511 — 13.107.127.255/13;icmp. Conn Tag: 0x0, If: ge-0/0/4.0.
Pkts : 1< Bytes: 84,
Out: 13.107.127.255/13 — 172.18.1.2/23911;icmp. Conn Tag: 0x0, If: ge-0/0/1.0.
Pkts : 0, Bytes: 0,
Session ID: 329923, Policy name: allow-office-3 65/4, Timeout: 54, Valid
lab@vSRX-l>
Answer: Yes. You should see one or more icmp sessions to the
0ffice365 destination being allowed by the policy.
Step 2.25
Return to the session with the vSRX-VR device.
www.juniper.net SecIntel • Lab 10-23
Advanced Juniper Security
From the session with the vSRX-VR device, end the ping by issuing ctrl+c.
lab@vSRX-VR> ping 13.107.127.255 routing-instance vrlOl
PING 13.107.127.255 (13.107.127.255): 56 data bytes
C
- 13.107.127.255 ping statistics --
104 packets transmitted. 0 packets received. 100% packet loss
Step 2.26
Open a web browser and return to the session with the Junos Space Security Director.
From the Security Director GUI, navigate to Conf igure->Firewall Policy->Standard
Policies. Click on the vSRX-1 policy.
Unified Policies
Devices
Global Options Locking w More *■ Q V’
Schedules
Profiles □ Seq. Name Rules Devices Publish State Last Modified Created By Modified By Domain
Templates
V POLICIES APPLIED BEFORE DEVICE SPECIFIC POLICIES' (1 policy)
Environment
SSL Profiles > □ vSRX-1 1 vSRX-1 Not Published Frijun 05,2020 10:48 AM super super Global
IPS Policy > □ vSRX-2 4 vSRX-2 Not Published Thujun 04,2020 8:21 PM super super Global
NAT Policy >
POLICIES APPLIED AFTER DEVICE SPECIFIC POLICIES' (1 policy)
UTM Policy >
Application Policy Based Rouli... □ 2 All Devices Policy Post Add Rule 2 Not Published Wed Jun 03,2020 6:19 PM System Global
IPSecVPN >
Shared Objects >
Change Management >
Guided Setup >
Step 2.27
In the Rules screen, check the box for the allow-office-365 policy and click the trash bin icon.
Click Yes to confirm the delete.
Firewall Policy
vSRX-1 / Rules Ldited few seconds ago
Standard Policies
Schedules
Seq.
Hit Co... Rule Name Src. Zone Src. Address Src. Expression UserID End User Profile best. Zone
Profiles
Step 2.28
Open a web browser and navigate to https: //sky. junipersecurity. net.
Login with the realm credentials provided by your instructor.
SkyATP
Version 3.0 | Login
student@juniper.net
ajsec-realm-l
□ Remember me
Log In
Step 2.29
From the SkyATP interface, navigate to Conf igure->Third Party Feeds.
Uncheck the Enable feed checkbox next to of f ice 3 6 5.
H I The accuracy of these feeds cannot be guaranteed, and false positives generated by these feeds will not be
investigated by Juniper Networks. Security policies will block malicious IPaddresses and domains based on
X
enabled third party feeds, but these events do not affect host threat scores.
s?
IP Feed
In this lab party, you will create a custom HTTP feed. You will then configure this as a custom feed in the
Security Director interface and create a Firewall Policy using this feed as a dynamic address group. You
will then validate the function of this policy using the JunOS CLI
Step 3.1
Open a command line interface (CLI) session to the Virtual Desktop device.
From the CLI session with the Virtual Desktop device, issue the curl localhost command.
labQdesktop:~$ curl localhost
<hl>Welcome to the AJSEC IPFilter feed server!</hl
To enable a custom feed. create a file with one IP address per line
and save to the /var/www/html directory. You can then configure
This as a custom feed in Security director at the URL:
http://<desktop ip>/<feed filename>
</p>
labOdesktop:
Step 3.2
From the Virtual Desktop session, create a new feed file by navigating to the /var/www/html directory
and issuing sudo touch myfeed.
lab@desktop:cd /var/www/html
lab@desktop :/var/www/htinl$ sudo touch myfeed
Step 3.3
Open the myf eed file for editing by issuing nano myfeed.
Add the following IP addresses to the file, adding a newline between each entry:
203.0.113.100
203.0.113.101
203.0.113.102
203.0.113.103
Press ctrl+o, followed by enter, then ctrl+x to save the file and exit nano.
lab@desktop :/var/www/htinl$ nano myfeed
I GNU nano 2.5.3 File; myfeed Modified |
203.0.113.100
203.0.113.101
203.0.113.102
203.0.113.103Q
Get Help
Exit E Write Out
Read File
Where Is
Replace
Cut Text
Uncut Text
Justify
To Spell
Cur Pos
Go To Line B
Prev Page
Next Page
Step 3.4
From the Virtual Desktop CLI, verify your custom feed by issuing curl localhost/myfeed.
lab@desktop:/var/www/html$ curl localhost/myfeed
203.0.113.100
203.0.113.101
203.0.113.102
203.0.113.103
Step 3.5
Open a web browser and navigate to the address of the Junos Space Security Director.
Login with the username super and password Junlp3rl23!
juniper
I super
1
I
Log In
I
(
r
I L J
Copyrli 11^ X19, luniper Networks, me All ! frnci‘mark Notice | Privacy Policy
Step 3.6
Navigate Conf igure->Threat Prevention->Feed Sources. Click on the Custom Feeds
tab. Click Create->Feed with remote file server.
Unified Policies
Devices
Sky ATP JATP Custom Feeds
Schedules
Profiles
Templates
Settir^gs Create Q 7
Environment
Feeds with local files
User Firewall Management > Feeds with remote file server
Q A Name Feed Type Last updated Days to Become inactive Remote Download Status Description
Application Firewall Policy >
No data available
SSL Profiles >
IPS Policy >
NAT Policy >
UTM Policy >
Application Policy Based Routi...
Threat Prevention
Step 3.7
In the Create remote custom feed dialog, configure the feed with the following options
Name: aj secfeed
Feed Type: Dynamic Address
Type of server url: http
Server File URL: http: //172.25.11.254/myfeed
Username: <blank>
Password: <blank>
Username (2)
Password (2)
□ aJsec-student-01
Cancel OK
Step 3.8
Navigate to Conf igure->Firewall Policy->Standard Policies. Click on the vSRX-1 policy.
Click + to add a new rule.
X Firewall Policy
vSRX-1 / Rules Edited 34 minute<s) ago
Step 3.9
In the General dialog, configure a Rule Name of allow-myfeed. Click Next.
Create Rule ©
General
General Information
Description ©
Cancel Next
Step 3.10
In the Source dialog, select a Zone of Juniper-sv. Click Next.
Create Rule ©
o—
General Source
Source
Zone © »Juniper-SV
Clear All
Address(es) © Select
Any
User ID © Select
Clear All
Step 3.11
In the Destination dialog, select a Zone of untrust.
Click the Select button for Addresses.
Create Rule®
o— o—
Gei'ers' Soizte Destin«tk»n
Destination
Zone ® « untrust
Clear All
Addressees) ® Select
Any
Service Protocols
Service(s) O Select
Any
Step 3.12
Check the Include Specific radio button.
Check the box for aj secfeed and click the arrow to select a j secfeed. Click OK. Click Next.
Create Rule ®
o o
Destination Address ®
® Include Specific
O Exclude Specific
O Sy Metadata Filter
□ Any-IPv6 SYSTEM
□ ipfitter_office365 Global
□ lab-peg.10.10.101.1/... Global
Cancel OK
Step 3.13
In the Advanced Security dialog, select the action of Permit. Click Next.
Create Rule ©
o— o- o—
Ge“e'’8' Sowfce Oesti-afor Advanced Security
Advanced Security
Rule Action
Aaion © Permit
Advanced Security
App Firewall ® Select an option Clear All Add New
SSL Proxy O Select an option Clear All Add Forward Proxy Add Reverse Proxy
IPS ® Off
Step 3.14
In the Rule Analysis dialog click Next. In the Rule Placement dialog click Finish. In the
Create Rule summary screen, click OK.
Create Rule ©
o— o— c---- Q o
Ge“e'3' So_r:e Desti“atcr Ad.arcec Seounty Rule Options Rule Analysis R-'e Placer-er:
Create Rule ©
o— o— o— o------- o— o—
Ge“e*8 Sowfce 0esTi“a:ior Ac\-3“cec Sec-nr/ Rwie Op:«rs (U'e Ara'-yss Rule Placement
Analysis
Results No rule analysis was performed, when rule analysis Is not performed, the system will suggest a placement according
to the information provided in steps 1 to 5.
Rule Placing
Rule Type ZONE
Create Rule ©
Summary
General Information
Edit
Name allow-myfeed
Zone Juniper-SV
Address Any
Zone untrust
Address ajsecfeed
Service Any
IPS Off
Action PERMIT
Cancel Back OK
Step 3.15
In the Rules page, click Save, then Update. In the Update Firewall Policy screen, click
Publish and Update. Click Yes to confirm.
1 selected Q :
□ Device Name Publish Req... Configure... Ma... Connection S... Services Domain Device ip Platform OS version
vSRX-1 Required View O In... up vSRX-1 Global 172.25.11.1 VSRX 20.1 RI.11
1 items
Step 3.16
In the Job Status screen, wait until the Job State shows a state of Success. Click OK.
Job Status®
♦ ♦
Snapshot Policy Publish Policy Update Devices
229614 229615 229616
© ©
Export to CSV Q Y
vSRX-1 (vSRX-1) Success vSRX-1 [FWPolicy] View View Fri, 05 Jun 2020 11:33^>5 PST
1 Rows
OK
Step 3.17
Log in to the command line interface (CLI) for vSRX-1.
From the vSRX-1 CLI session, verify that the custom feed has been added by issuing the show
services security-intelligence category summary command.
lab@vSRX-l> show services security-intelligence category summary
Expired :No
Status :Active
Options :N/A
lab@vSRX-l>
Step 3.18
From the vSRX-1 session, verify that the ajsec-custom-feed dynamic address group contains the correct
addresses by issuing the show security dynamic-address address-name ajsec-custom-feed command.
lab@vSRX-l> show security dynamic-address address-name ajsecfeed
No. IP-start IP-end Feed Address
1 203.0.113.100 203.0.113.100 IPFiIter/ajsecfeed aj secfeed
2 203.0.113.101 203.0.113.101 IPFiIter/ajsecfeed aj secfeed
3 203.0.113.102 203.0.113.102 IPFiIter/ajsecfeed aj secfeed
4 203.0.113.103 203.0.113.103 IPFiIter/ajsecfeed aj secfeed
lab@vSRX-l>
Step 3.19
Verify the security intelligence configuration by entering configuration mode and issuing show services
security-intelligence.
lab@vSRX-l> configure
[edit]
lab@vSRX-l# show services security-intelligence
url https://172.25.11.101:443/api/vl/manifest.xml;
authentication {
auth-token 6XYNM4KKLPSI16FOC1LYKIDOD2K9GYKO;
}
[edit]
lab@vSRX-l#
Step 3.20
Verify that the correct security policy has been configure by issuing show security policies
[edit]
lab@vSRX-l# show security policies
from-zone Juniper-SV to-zone untrust {
policy allow-myfeed {
match {
source-address any;
destination-address ajsecfeed;
application any;
}
then {
permit;
}
}
}
default-policy {
deny-all;
}
[edit]
lab@vSRX-l#
Step 3.21
Open a new session with the vSRX-VR device.
From the CLI session with the vSRX-VR device, test the functionality of the ajsec-custom-feed policy by
issuing a ping to the 203.0.113.101 address in your custom feed.
lab@vSRX-VR> ping 203.0.113.101 routing-instance vrlOl
PING 203.0.113.101 (203.0.113.101): 56 data bytes
64 bytes from 203.0.113.101: icmp_seq=0 ttl=63 time=3.013 ms
64 bytes from 203.0.113.101: icmp_seq=l ttl=63 time=1.467 ms
64 bytes from 203.0.113.101: icmp_seq=2 ttl=63 time=1.288 ms
64 bytes from 203.0.113.101: icmp_seq=3 ttl=63 time=1.593 ms
64 bytes from 203.0.113.101: icmp seq=4 ttl=63 time=1.532 ms
Answer: Yes, the ping should succeed. If it does not, verify your
configuration and notify your instructor.
Step 3.22
Return to the existing session with the vSRX-1 device.
From the vSRX-1 session, verify that the ping from the vrlOl routing instance is permitted by the
allow-myfeed policy by issuing the show security flow session destination-prefix 203.0.113.101
command
[edit]
lab@vSRX-l# run show security flow session destination-prefix 203.0.113.101
Session ID: 338211, Policy name: allow-myfeed/5, Timeout: 2, Valid
In: 10.10.101.10/23336 203.0.113.101/6;icmp. Conn Tag: 0x0, If: ge-0/0/4.0.
Pkts : 1, Bytes: 84,
Out: 203.0.113.101/6 172.18.1.2/3356;icmp. Conn Tag: 0x0, If: ge-0/0/1.0.
Pkts : 1, Bytes: 84,
lab@vSRX-VR>
Part 4: Cleaning Up
In this lab part, you will return the lab environment to its starting state.
Step 4.1
Open a web browser and navigate to the address of the Junos Space Security Director.
If the session has expired, login with user super and password Junlp3rl23!
juniper
NCTWOP':. a
r
(. I
/ super
Log In
II
r^i
Copyrli Juniper Networks, loc. AW emark Nooce | Privacy Polky
p”
I
Step 4.2
Navigate to Devices->Security Devices. Select all Devices. Right click and select
Operations->Delete Devices. Click OK to confirm the deletion.
Reboot Devices
Q . V5RX-2 172.25.11.2 20.1 RI .11 ▲ up 'ged
Resynchronize with Network
□ .
■ vSRX-1 172.25.11.1 20.1 RI .11 ▲ up
View Inventory Details
IC
items 1 >0 V
Update Changes
Upload Keys
Import
Refresh Certificate
Step 4.3
Wait for the Job Details screen to show a Job State of Success.
lob ID 229620 Scheduled Stan Ti... Fri. 05 Jun 2020 11:48:44 PDT
Job Name Delete Device-229620 Actual Start Time Fri, 05 Jun 202011:48;44 POT
Owner super
Q ;
2 Rows
OK
Step 4.4
Navigate to Conf igure->Firewall Policy->Standard Policies. Select the vSRX-1 and
vSRX-2 policies. Click the trash bin icon to delete. Click Yes to confirm.
Devices
2 selected Publish Update Global Options Lockir>g More Q Y’
Schedules
Profiles
□ Seq. Name Rules Devices Publish State Last Modified Created By Modified By Domain
Templates
POLICIES APPLIED BEFORE DEVICE SPECIFIC POLICIES' (1 policy)
Environment
User Firewall Management > □ 1 All Devices Policy Pre Add Rule Not Published Wed Jun 03,2020 6:19 PM System Global
SSL Profiles > a vSRX-1 1 Published Frijun 05,202011:32 AM super super Global
IPS Policy > a vSRX-2 4 Not Published Thu Jun 04,2020 8:21 PM super super Global
NAT Policy >
POLICIES APPLIED AFTER DEVICE SPECIFIC POLICIES' (1 policy)
UTM Policy >
Application Policy Based Routi... □ 2 All Devices Policy Post Add Rule Not Published Wed Jun 03,2020 6:19 PM System Global
Threat Prevention
4 items
Policies
Feed Sources
Step 4.5
Navigate to Conf igure->Threat Prevention->Feed Sources. In the SkyATP tab, check the box
for your SkyATP realm and click the trash bin icon to delete. Click Yes to confirm.
Unified Policies
Devices
s Sky ATP JATP Custom Feeds
Schedules
Delete
Profiles
Templates
1 selected More '«■' + z ©
Environment
H User Firewall Management > □ Realm Sites Devices Location Enrollment Status Token Expiry Feed Status Last Downloaded
Application Firewall Policy > □ > ajsec-rea1m-1 ajsec-lab vSRX-1 +1 North America SUCCESS Jun 4, 2021 0OK Jun 5, 2020,11:50:06
® SSL Profiles > 1 items C
IPS Policy >
NAT Policy >
UTM Policy >
Application Policy Based Routi...
Threat Prevention
Step 4.6
Click the Custom Feeds tab. Check the box for a j secfeed and click the trash bin icon to delete.
Click Yes to confirm.
Global
Configure / Threat Prevention / Feed Sources q s
Devices
Sky ATP JATP Custom Feeds
Schedules
Profiles
Delete
Templates
1 selected Settings Create Z 0 q Y
Environment
Step 4.7
Return to the CLI session with the Virtual Desktop.
Remove the myfeed file by issuing rm myfeed.
lab@desktop:/var/www/html$ rm myfeed
Step 4.8
On the Virtual Desktop device, terminate the CLI session by issuing the exit command.
labOdesktop:/var/www/htinl$ exit
Step 4.9
Return to the established session with the vSRX-1 device.
On the vSRX-1 device, terminate the CLI session by issuing the exit command.
lab@vSRX-l> exit
login:
Step 4.10
Return to the active session with the vSRX-2 device.
On the vSRX-2 device, issue the exit command to terminate the session.
lab@vSRX-2 exit
login:
Step 4.11
Return to the active session with the vSRX-VR device.
On the vSRX-VR device, issue the exit command to terminate the session.
lab@vSRX-VR> exit
login:
STOP Tell your instructor that you have completed this lab.
vSRX-VR
loO: 192.168.9.1
•<?
<3/^
10.10.101.0/24 10.10.102.0/24
(.10) (•loy
vr101 vr102
Overview
In this lab, you go through the setup process on both the Juniper ATP On-Prem Core and Web Traffic
Collector and then run diagnostics to verify that the devices are working correctly. You will then configure
the collector to collect SMB and SSH traffic. After the configuration phase you will use the GUI to see
incidents that you created.
By completing this lab, you will perform the following tasks:
• Setup the main components to Juniper ATP On-Prem.
• Diagnose the setup to verify connections to components.
• Configure and test SMB collection.
• Configure and test Honey Pot collection.
step 1.1
You will pri ma ri ly configure the vSRX-1, vQFX ATP-OnPrem and the ATP-Coll devices. The vSRX-2 and
vSRX-VR devices are already configured for you. Consult the Management Network Diagram to determine
the management addresses of your devices.
Step 1.2
Access the CLI on the vSRX-1 device as directed by your instructor. Log in with the username lab and
password labl23. Enter configuration mode and load the labll-start.config from the ajsec
directory. Commit the configuration when complete and exit to operational mode.
FreeBSD/amd64 (vSRX-1) (ttyuO)
login: lab
Password:
Last login: Sat May 30 18:20:56 2020 from 172.25.11.254
[edit]
lab@vSRX-l# load override ajsec/labll-start.config
[edit]
lab@vSRX-l# commit and-quit
commit complete
Exiting configuration mode
lab@vSRX-l>
Step 1.3
Open a new session with the vSRX-2 device.
On the vSRX-2 device, login with the username lab and password labl23. Enter configuration mode
and load the reset configuration file using the load override a jsec/labll-start. config
command. After the configuration has been loaded, commit the changes before proceeding.
FreeBSD/amd64 (vSRX-2) (ttyuO)
login: lab
Password:
Last login: Sat May 30 18:20:56 2020 from 172.25.11.254
[edit]
lab@vSRX-2# load override ajsec/labll-start.config
[edit]
lab@vSRX-2# commit
commit complete
[edit]
lab@vSRX-2#
Step 1.4
Open a new session with the vSRX-VR device.
On the vSRX-VR device, login with the username lab and password labl23. Enter configuration mode
and load the reset configuration file using the load override a jsec/labll-start. config
command. After the configuration has been loaded, commit the changes before proceeding.
FreeBSD/amd64 (vSRX-VR) (ttyuO)
login: lab
Password:
Last login: Sat May 30 18:20:56 2020 from 172.25.11.254
[edit]
lab@vSRX-VR# load override ajsec/labll-start.config
[edit]
lab@vSRX-VR# commit
commit complete
[edit]
lab@vSRX-VR#
Step 1.5
Open a new session with the vQFX-1 device.
On the vQFX-1 device, login with the username lab and password labl23. Enter configuration mode
and load the reset configuration file using the load override ajsec/labll-s tart .config
command. After the configuration has been loaded, commit the changes before proceeding.
login: lab
Password:
Last login: Thu Jun 4 22:00:18 2020 from 172.25.11.254
{master:0}[edit]
lab@vQFX-l# load override ajsec/labll-start.config
load complete
{master:0}[edit]
lab@vQFX-l# commit
configuration check succeeds
commit complete
{master:0}[edit]
lab@vQFX-l#
Step 1.6
Open a new session with the ATP-OnPrem device.
On the ATP-OnPrem device, login with the username admin and password Jiiniperl23.
■k k
Juniper Networks Advanced Threat Prevention Appliance
k k
kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
Step 1.7
Open a new session with the ATP-Coll device.
On the ATP-Coll device, login with the username admin and password Juniperl23.
kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
k k
Juniper Networks Advanced Threat Prevention Appliance
k k
kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
In this part you will configure the Juniper ATP On-Prem with an initial configuration. You will then verify the
installation and connectivity to make sure it is running. Once you have verified it is working, attach a web
collector to the core.
Step 2.1
Return to the open session to the Juniper ATP On-Prem Core device, ATP-OnPrem, and type in a ? to bring
up the list of options.
ATP-OnPrem:Core# ?
cm Change to the Central Manager configuration mode
core Change to the Core configuration mode
diagnosis Change to the diagnosis mode
exit Exit the Juniper ATP Appliance CLI session
help Display an overview of the CLI syntax
history Display the current session’s command line history
server Change to the server configuration mode
wizard Run the configuration wizard
ATP-OnPrem:Core#
Step 2.2
Run the wizard command to setup the Juniper JATP On-Prem Core. It has already been setup so answer
yes, to the questions about re-running the wizard. Then answer no to the using DHCP on the
management address, so that we can enter in our static IP information.
'k k
Juniper Networks Advanced Threat Prevention Appliance
kr k
kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
ATP-OnPrem:Core# wizard
The basic system configuration has been done already. Do you want to re-run the
configuration wizard again (Yes/No)? Yes
Step 2.3
Enter the following options about the management (ethO) interface. When asked to for a secondary DNS
server answer yes, and then restart the management interface.
IP address: 172.25.11.120
netmask: 255.255.255.0
Gateway IP address: 172.25.11.254
Primary DNS Server: 172.25.11.130
Secondary DNS Server: 8.8.8.8
Search Domains: No
Step 2.5
Enter the following server attributes.
Central Manager: Yes
Device name: cm-atp
Device Description: AJSEC Lab
Device key passphrase: juniper
k k k -k
Setting the device basic attributes ■:Ar •:Ar •:Ar ■:Ar ■:Ar
ATP-OnPrem:Core#
Step 2.6
Return tho the ATP-Coll device and run the setup wizard on the collector to pair it with the ATP Core we
just set up. Answer yes to re-running the configuration wizard and no to using DHCP to obtain an IP
address.
ATP-Coll:WebCol# wizard
kkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
k
Juniper Networks Advanced Threat Prevention Appliance k
k k
The basic system configuration has been done already. Do you want to re-run the
configuration wizard again (Yes/No)? Yes
Use DHCP to obtain the IP address and DNS server address for the management (ethO)
interface (Yes/No)? No
Step 2.1
Enter the following options about the management (ethO) interface. When asked for a secondary DNS
server answer yes, and then restart the management interface.
IP address: 172.25.11.121
netmask: 255.255.255.0
Gateway IP address: 172.25.11.254
Primary DNS Server: 172.25.11.130
Secondary DNS Server: 8.8.8.8
Search Domains: No
ATP-Coll:WebCol#
Step 2.9
Verify that the collector can ping the management interface of the Central Manager. You must first move
to the server hierarchy to run the ping command.
ATP-Coll:WebCol# server
Entering the server configuration mode...
ATP-Coll:WebCol#(server)# ping 172.25.11.120
PING 172.25.11.120 (172.25.11.120) 56(84) bytes of data.
64 bytes from 172.25.11.120: icmp_seq=l ttl=64 time=0.378 ms
64 bytes from 172.25.11.120: icmp_seq=2 ttl=64 time=0.403 ms
64 bytes from 172.25.11.120: icmp_seq=3 ttl=64 time=0.374 ms
64 bytes from 172.25.11.120: icmp_seq=4 ttl=64 time=0.370 ms
64 bytes from 172.25.11.120: icmp seq=5 ttl=64 time=0.370 ms
Answer: As, you can see in the output the ping should have been
successful. If not please notify your instructor.
Step 2.10
List the interfaces on the collector by issuing the show interface ? command. Use the names of the
interfaces to look at the management interface and the honeypot interface.
ATP-Coll:WebCol#(server)# show interface ?
management Show the management interface
monitoring Show the monitoring interface
ATP-Coll:WebCol#(server)#
Step 2.11
Exit out of the server hierarchy and enter the diagnosis hierarchy. Let’s verify that everything is working
on our collector with the setupcheck all command. Since we do not have any traffic flowing at this
time when it monitors ethl break out of the test using Ctrl + c.
ATP-Coll:WebCol#(server)# exit
ATP-Coll:WebCol# diagnosis
ATP-Coll:WebCol#(diagnosis)#
Step 2.12
View the report created by the setupcheck all command with the setupcheck report
command. Press ‘q’ to quit the report.
ATP-Coll:WebCol#(diagnosis)# setupcheck report
[RESULT]:
[interface], [2020-06-05 10:57:24.532624]
ethO is up
ethl is up
[RESULT]:
[autoupdatetest] , [2020-06-05 10:57:24.533396]
[RESULT]:
[file], [2020-06-05 10:57:24.534155]
Found SSL client certificate
Found SSL CA certificate
Found SSL private key
All CyOS packages are properly installed.
[RESULT]:
[service], [2020-06-05 10:57:24.534207]
Test Collector service success
[RESULT]:
[api], [2020-06-05 10:57:24.534235]
GSS API test success
Central Manager web service API test (from Web Collector Agent) success
Step 2.13
Exit out of the diagnosis hierarchy and enter the collector hierarchy. Turn on the honeypot feature on the
collector using the set honeypot ssh-honeypot enable address 10.10.100.111
netmask 255.255.255.0 gateway 10.10.100.1 command
Question: Are both the HTTP and the SMB parser enabled?
Answer: No, the HTTP parser is enabled but the SMB parser is
disabled.
Step 2.16
Enable the SMB parser using the set protocols smb on command. Then re-verify the protocols
parsers that are enabled.
ATP-Coll:WebCol#(collector)# set protocols smb on
ATP-Coll:WebCol#(collector)# show protocols
http parser is enabled
smb parser is enabled
ATP-Coll:WebCol#(collector)#
Step 2.17
Return to the open session on ATP-OnPrem device move to the diagnosis hierarchy and run the
setupcheck all command. There are a few tests that might not complete for licensing reasons. You
may use ctrl-c to break out of individual tests.
ATP-OnPrem:Core# diagnosis
Entering the diagnosis mode...
ATP-OnPrem:Core#(diagnosis)#
Answer: Yes, the one for GSS API test failed. This is because of the way
the lab is licensed to run Juniper ATP On-Prem Core. Also, the sandbox
tests for Windows 7 and Windows 10 fail.
Question: Why did some of the test return “skip” as the result?
Answer: When a feature is not configured the test for that feature is
skipped. An example is the first line of output, when if tries to verify
the active directory domain controller. That feature has not been
configured yet.
step 2.18
Verify that the collector configuations worked and that it is communicating with the ATP-OnPrem device.
Use the show device collectorstatus to see all the collectors.
ATP-OnPrem:Core#(diagnosis)# show device collectorstatus
WEB COLLECTOR
IP : 172.25.11.121
Enabled : True
Last Seen : 2020-06-05 14:36:33.390000-07:00
Install Date : 2018-09-12 11:59:22-07:00
ATP-OnPrem:Core#(diagnosis)#
jumper NETWORKS
MIZT\A/r\DtZC I
admin
Password:
Login
Powered by jiwper vemoo 5X17.15 corten wenaoo ia?Ji suspen I Resources ) contaaus
Step 3.2
Click on the incident tab.
You should see a table of all recent events.
ADVANCED THREAT PREVENTION APPLIANCE Refresh Data O System Health A J-ATP Admin
Complete 11 HIGH Virus.OC DL 1010.100.3 1010.100140 Default Zone Windows NT 63 web coilecior Jun 614 49 07 Pacific Daylight Time
Complete 10 EICAR-TEST-SIGNATURE DL 213.211.198.58 10.10.100.140 lab unknown vSRX-i Jun 614 43 56 Pacific Daylight Time
Complete 9 EICAR-TEST-SIGNATURE DL 10.10.100.3 10.10.100.140 Default Zone web collector Jun 6 14:36:20 Pacific Daylight Time
Complete 8 EICAR-TEST-SIGNATURE DL ^3 1010100.3 10 10.100140 Defautt Zone web collector Jun 6 14 20 06 Pacific Daylight Time
Complete 7 [HIGH] Virus.DC DL 10.10.100.3 10.10.100.140 Default Zone Windows NT 6.3 web coilector Jun 613:36:17 Pacific Daylight Time
Complete 6 EICAR-TEST-SIGNATURE DL 10.10100.3 10 10.1004 Default Zone web collector Jun 612 34 05 Pacific Daylight T ime
Complete 5 Susplclous.SSH.HP LS web-col lector-ssh-honeypot 10.10.100.6 Default Zone web collector Jun 612:31:00 Pacific Daylight Time
Complete 4 rHIGHi Virus.DC DL 10.10.100.3 10.10.100.4 Default Zone unknown web collector Jun 610:35:13 Pacific Daylight Time
Complete 3 EICAR-TEST-SIGNATURE DL ^3 2016.etcar.org 10 10.100 140 Default Zone Windows NT 6 3 web collector Jun 5 20 39 54 Pacific Daylight Time
Details forviru$.DC
SUMHARV DOWnujwn
Progression:
Actions
Target:
If A ih
COMMANDACONTROL
* 9
e
Phishing Exploits Downloads Executions Infections Custom Rules Lateral Spread
Incident id. 13
0 0 1 0 0 0 0
Hostname
Triggers:
Username:
Answer: You should notice that all pre-existing events have a status of
Complete, indicating the incident has been resolved. In the next step
you will generate an event by downloading simulated malware.
Note
Step 3.3
Open a virtual console session with the WindowsClient device.
Within the WindowsClient session login with the user Administrator password trainlngl.
Open the Firefox web browser and navigate to http: //lO .10.100.3/fakemalware. When
prompted, insure the Save File option is checked, and click ok.
lO.IO.IOO.JfakemaIvvare C 0 Qoogle P @ 4^ *
0
Opening fakemalware X
fakemalware
which is: application/octet-stream (398 KB)
from: http:/Z10.10.100.3
®[^eTile3
OK Cancel
Search
Downloads Bookmarks
©
History Add-ons
oSync Options
Restore Previous Session
5:34 PM
IB
- <b ® Ite 6/8/2020
step 3.4
Return to the browser session with the Juniper ATP On-Prem GUI and click on the incidents tab.
Within the Juniper ATP GUI, click the Refresh Data option. Verify that an incident has been created
with a status of New.
Complete 12 HIGH VirusDC DL 10.10100.3 10 10.100.140 Default Zone Windows NT 6 3 web collector Jun 713 35 53 Pacific Daylight Time
Complete 11 HIGH virus.OC DL 10,10.100.3 10.10.100.140 Default Zone Windows NT 6.3 web collector Jun 614:49:07 Pacific Daylight Time
Complete 10 EICAR-TEST-SIGNATURE DL
^3 213 211198 58 10 10.100140 lab unknown vSRX-1 Jun 614 43 56 Pacific Daylight Time
Complete 9 EICAR-TEST-SIGNATURE DL 10,10.100.3 10.10.100.140 Default Zone web collector Jun f, 14:36:20 Pacific Daylight Time
Complete 8 EICAR-TEST-SIGNATURE DL
CO 10101003 10 10100.140 Default Zone web colleaor Jun 614 20:06 Pacific Daylight Time
Complete 7 HIGH Virus.OC DL 10.10.100.3 10.10.100.140 Default Zone Windows NT 6.3 web collector Jun 613:36:17 Pacific Daylight Time
Complete 6 EICAR-TEST-SIGNATURE DL 10.10.100.3 10.10.100.4 Default Zone web collector Jun i 12'34:0$ Pacific Daylight Time
Complete 5 Suspicious.SSH HP LS web-collector-ssh-honey pot 10.10.100.6 Default Zone web collector Jun 612:31:00 Pacific Daylight Time
Complete 4 HIGH Virus.OC DL 10.10.100.3 10.10.100.4 Default Zone unknown web colleaor Jun 610:35:13 Pacific Daylight Time
Complete 3 EICAR-TEST-SIGNATURE DL ^I6.e*car.org 10.10.100.140 Default Zone Windows NT 6.3 web collector Jun 520.39.54 Pacific Daylight Time
SUMMARY DOWNLOADS
Progression:
Actions
Target; DELIVERY
e EXPtXXTATlpN&
INSTALLATION COMMAND A CONTROL
e
Zone Default Zone tr nt A * 9
Phishing Exploits Downloads Executions infections Custom Rules Lateral Spread
incident Id: 13
0 0 1 0 0 0 0
Hostname:
Triggers:
Username
FQON: 10.10.100140
Step 3.5
Click on the Incident ID associated with the new incident.
This will open a new tab containing details of this incident. Examine the details of the event under the
Summary tab.
SUMMARY OCWmkUAuS
Progression:
Aaions
Targ«: DELIVERY
e COMMAND&CONTROL
w
Zone: Default zone
ti IP A lA * 9
FQDN: 10.10.100.140
Lateral Spread
Destination Email ID
Infection
Execution
Risk High
Downloads 4s
Threat Category: Virus Exploit
Phishing
Asset Value Medium
T 1
Target OS Windows NT 6 3
Progression: Download
Protocol: HTTP
OS Matched Yes
source: 10.10.100.3(10.10.100.3}
Step 3.6
Click the Downloads tab.
In the Downloads page, examine the details of the detected malware download.
When complete, close the new incident tab.
OOWNLOAOS
Seerdv
Severity
0.75
♦ Threat Name
Virus.OC
File Type
wet> collector
1^ Findon VirusTotal
Threat Name: Virus. DC
File Type: PE32 executable (console) Intel 80386, for MS Windows Screenshot
Golden Images:
SHAl: 4dSe39cc99e444029a84f^a7a9935d346a770c
History
Process graph
rrocess grapn
csrss.exe
]
Sample svnhost exe
isassexe
Malware Indicators
Anu Sandbox Checks the disk enum registry key for sandbox artifacts \REGlSTRY\MACHlNE\STSTEM\CootrolSet001\service5\0»sk\EnumV0"
\REGISTRY\MACHINE\SYSTEH\ContrOlSet001\servlces\0iSk\Enum
Checks the System BiOS/Processor registry key for sandbox artifacts \REGISTRy\MACHlNE\HAR0WARE\0ESCRIPTION\SystemV-SystemBiosVerswn-
Sleeps for an excessive amount of time n/a. mouse over for trace locations
Anti Debug Checks to see if a remote debugger is attached n/a, mouse over for trace locations
Checks to see if the Just In Time debugger is set (also known as post mortem debugger) \REGISTRY\MACHINE\SOFTWARE\Microsoft\WindowsNT\CurTenlVersion\AeOebug
Suspicious Code Injection Behaviors Allocates committed memory with execute brt set • could be a process of injecting code 4096
Sets a page of memory to enable execution n/a. mouse over for trace locations
Another Behaviors Allocates and commits memory n/a, mouse over for trace locations
Memory Artifacts
control
security
IP Strings: None
Encryption Keys:
Step 3.7
From the JATP Web UI, click on the Mitigation tab, then click on the Hosts sub tab.
Verify that the 10.10.100.140 host is listed in the infected Hosts list, state of
Investigation should be Open.
ADVANCED THREAT PREVENTION APPLIANCE Refresh Data O System Health A J-ATP Admin
IP Filtering URL Filtering IPS Signatures Endpoint infection VerrfKation Emails Hosts
Infected Hosts
SMTrft All Zones Displaying Hosts with Threat Level at or above Threat Level 0.5
State of
Host IP Threat Level Threat First Seen Threat Last Seen Zone T
♦ CACHits Malware Hits Host Status Investigation MAC Address
♦
10 10.100140 0.5 2020-06-0603 39 54 024435*00 2020-06-07 23 03 09.772236*00 Default Zone 0 1 High threat level, recommend blocking host and investigating further Open
Step 3.8
Click on Open in the state of Investigation field for the new incident.
Change the Investigation Status value to Resolved - Ignored. Click Submit. Click OK to
confirm Added/updated item.
"Fn THREAT PRE*. ':NT''?\' \ Refresh Data O System Health A J-ATP Admin
State of
HostlP Thrust Level Threat first Seen Threat Last Seen zone T C&CHits Malv.- ?HiU Host Status Investigation
iC iff itri II 0-5 2e2iMM617 QefaaMene 0 1 Hijh thnaMeveaaeeemmm^BQduBg^aand invmgaxing further ■Mee- Rsrt
Host 10.10.100.140
SutNnk Caral
Step 3.9
Click on the incidents tab.
In the incidents table, click on the New status field for the new incident. Set the Status field to
Complete and enter a comment of incident ignored. Click Submit. Click OK.
ADVA'.CLC THREAT PREVENTIO.\' ' \CE Refresh Data O System Health A J-ATP Admin
L.v. . Ri.
Com^fste HIGH WrusUC DL IC 10 100 3 10 10 Tfrrjf: Default Zone Winde*»s MT 6 3 web collector Jun 7 IS 35 S3 Pacific Di,:;ght Time
Ce m^ m ii HIGH DL M.lO lOO I 10 lo.aaasBO oefauirTone wmtiowMiT $=3 wetMiieewr Jun«14 4»07Pa<jrn i,T ifle
Co^plMe 10 EICAR-TEST-SIGMATURE DL 213 211^58 10 lO 1«“4C lab unknoaB vW-1 Jun $ 14 43 sfLEanfiEBay^ght Time
B ElCAR-TESSSKSiW DL I Report Jun 7,202016:03.-09 PscMc Daylight Time K wtaMiteetor ttPacific Dij'light Time
User Com ments for Virus. DC
Risk Level High
HIGH DL le tttRieeurrv.s weDeciiMwwi JWkA13 3517 EUi*K Deylig^t Time
Status: Complete
QCJriSBfifiSMlMUJJK DL u>eb coltector J**£fcS 12 34 #5 Patifti! Da,light Time
Submit Cancel
^aUtfftfVltnc nf
History
Jun 7.20201(03 29 P»(i6c 0«7l<gnt Tiine • Cyptwrt appliance mom b new (on«n«nt
Actions
Cve«t 101 was added w this incident
Taiget:
O
e JtfTIONON
targets
In this lab part you will verify the function of the web collector in scanning SMB file transfers.
Step 4.1
Return to the virtual console connection to the WindowsClient device.
From the WindowsClient session, open the File Explorer. Expand This PC. Click on sambashare, and if
prompted, login with password laJbl23.
Recycle Bin
V I
Drive Tools sambashare <\\10.10.100.3) (Z:) I-1°[ X
□ I
Home Share View Manage
L
<- t > This PC ► sambashare (\\10.10.100.3)(Z:) V O Search sambashare (\\10.10.1... P
Firefox
Name Date modified Type Size
Favorites
> Documents
Q > Ju Downloads
Q : i > Music
WinSCP
> Pictures
P ■ Videos
P jb l-ocal Disk (C;)
1
P sambashare <\\10-10.100.3) (Z:)
t> Network
6 items
Step 4.2
The sambashare folder contains several simulated malware files. For this lab step, you will download the
eicar. txt file. Click and drag this file onto the desktop. Click ok on the Windows Security warning.
I
Recycle Bin
D X
4-1 D sambashare (\\10.10.1003) (Z:)
Home Share View e
T V This PC ► sambashare (\\10.10.100.3) (Z) Search sambashare (\\10.10.1... P
Firefox
'if Favorites Name Date modified Type Size
PuTTY I I ] These files might be harmful to your PM Firefox HTML Doc... 398 KB
:■ This PC PM Text Document 398 KB
computer
li Desktop kM File 0 KB
jl Documents Your Internet security settings suggest that one or more
files may be harmful. Do you want to use it anyway?
Ji Downloads
Music
WinSCP
Show details OK Cancel
Pictures
B Videos
How do I decide whether to unblock these files?
b Local Disk (C:)
sambashare (\\10.10.100,3) (Z;)
Network
,- ISI e 4:34 PM
6/7/2020
step 4.3
Return to the session opened to the Juniper ATP Web UI.
In the Juniper ATP Web UI, click on the incidents tab. Click Refresh Data to load the latest
incidents.
Examine the contents of the Incidents table.
Step 4.4
Click on the Incident ID associated with the new incident.
This will open a new tab containing details of this incident. Examine the details of the event under the
Summary tab.
f
Details for EICAR TEST- SIGNATURE
SUUKAftV
Progression:
Actions
Target:
*
e A
COMMAND&CONTROL
* 0
WPs'^
Progression: Download
Protocol: SMB
OS Matched No
Collectors: webcoiieaof
Source: 10.10.100.3(10.10.100.3)
Step 4.5
Click the Downloads tab.
In the Downloads page, examine the details of the detected malware download.
When complete, close the new incident tab.
Smk*
10101003(1010100 Jl
ASCXMrt
GoUonimaeM
AtoSi» ({e.MMET)ip*nua
PikHMhM WS $0430M5T4«(<790230e091caM3auO
SNAL dlH»0<Mm07TTS«l(*c2w«a00S(M317c(2
91A2SC. Ulf»SeSlcc01»*(«blTS7f$«Md»»«»*oo«ff4«o3mT3MS)lboio82$7
SienMOy KA
History
Mttaor* InttcMorv
VMNoMorfcCtltoKlu. Nono
Mutton Nono
ranOpcnott Nono
Step 4.6
In the Incidents table, click on the New status field for the eicar-test incident. Set the Status
field to Complete and enter a comment of incident ignored. Click Submit. Click OK.
[-■i
14 DL W19JM3 10 10m IIO 0eUuh29ne web cotMUbi ;uti T ifcw 'fiq t»ay<i?hsiime
Coiwp*«w. tt HIGH viru««C QL 1010M3 10 10 >101110 oeUutt zone mntlows MT 6.3 web cotieetc? ftn < &a0'Ethafia&
Compttite U HIGH HL 1010100 3 10 IMOBB Default Zone Wine^vfcbT6 3 vsMfiMor Jua.£ 14 4$ •*? Panfic tla)<«fl*a irne
€efnpiet« M EKAR-TEST>»6tt»l«E QL 210 2111MS8 lO lO HOillO lae unknown vSRxn Jim 61 •-•?.: ri B>r<r
QettfS forSCAft-TESr-^GHATURE
SubfnK Cancel
SUM^^
History
Actions Jun *. 2010 }4 96-00 P*t if< Da/l-fnt r<in« ■ CypiMn AppMAcn mom • nnw eonwnnnt'
Tatgeti
UxtSe'il !SJ
Event 102 was added totals incident
I *eea
?. fONTROt
O
e
IMmmds "meamBulM ■ -^"Tf
Hwwiin'ie:
« 9 Q «
Jseer'iam*:
IPA^^'SSi i8,i0',mi,40-
Step 5.2
In the next several steps you will load the metasploit framework and execute a brute force attack to
determine the password for the root account on the 10.10.100.111 host.
From the CLI session, load the metasploit framework by issuing the msf console command.
$ msfconsole
+
I METASPLOIT by Rapid? I
+ +
n n If ff ff ff ff ff ff IT ff ff
==c ( (o ( ( 0 I
EXPLOIT
// W
// W ==[msf ]
// W
// RECON \\ \ (@) (@) (@) (@) (@) (@) (@) /
// W *********************
+ +
o 0 o \'\/\/\/'/
o 0 ) (
I I
o LOOT
I AAAAAAAAAAAAAA 11 _l l
ff ff
I PAYLOAD I f (_l l_
I I I) I I _l l_) I
I (@) (@) I(@)(@)** I (@)
II II II * * II
I I II
I I
+ +
=[ metasploit v4.16.48-dev ]
--=[ 1749 exploits - 1002 auxiliary - 302 post ]
—=[ 536 payloads - 40 encoders - 10 nops ]
--=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf
Step 5.3
From the metasploit console command line, load the ssh_login module by issuing the use
auxiliary/scanner/ssh/ssh_login command. Issue the options command to view available
options.
msf use auxiliary/scanner/ssh/ssh_login
msf auxiliary(scanner/ssh/ssh_login)
msf auxiliary(scanner/ssh/ssh login) options
Step 5.4
Configure the ssh_login module with the following settings:
rhosts: 10.10.100.111
stop_on_success: true
pass_file: passwords. txt
username: root
verbose: true
msf auxiliary(scanner/ssh/ssh login) set rhosts 10.10.100.111
rhosts 10.10.100.111
Step 5.5
Initiate the brute force login attack by issuing the run command.
step 5.6
Return to the browser open to the Juniper ATP Web UI. If necessary, login with username admin and
password Juniper 123
From the WebUI browser session, click on the incidents tab. Click Refresh Data and examine the
incidents table and verify that a new incident has been recorded.
ADVANCED THREAT PREVENTION APPLIANCE Refresh Data O System Health lA J-ATP Admin
Complete 14 EICAR-TEST-SIGNATURE DL
CO 1010 100 3 1010 100 140 Default Zone web collector Jun 7 16 34'37 Pacific Daylight Time
Complete 13 HIGH Virus.DC DL 10.10.100.3 10.10.100.140 Default Zone Windows NT 6.3 web collector Jun 71603:09 Pacific Daylight Time
Complete 12 HIGH Virus DC DL 1010 100 3 10.10100 140 Default Zone Windows NT 6 3 web collector Jun 7 13'35:53 Pacific Daylight Time
Complete 11 HIGH Virus.DC DL 10.10.100.3 10.10.100.140 Default Zone Windows NT 6.3 web collector Jun 614:49:07 Pacific Daylight Time
Complete 10 EICAR-TEST-SIGNATURE DL 213 211 198 58 10.10100.140 lab unknown vSRX-1 Jun 6 14 43:56 Pacific Daylight Time
Complete 9 EICAR-TEST-SIGNATURE DL 10.10.100.3 10.10.100.140 Default Zone web collector Jun 614:36:20 Pacific Daylight Time
Complete 8 EICAR-TEST-SIGNATURE DL 23 10.10.100.3 10.10.100.140 Default Zone web collector Jun 614'20:06 Pacific Daylight Time
Complete 7 HIGH Virus.DC DL 23 10.10.100.3 10.10.100.140 Default Zone Windows NT 6.3 web collector Jun 613 36:17 Pacific Daylight Time
Complete 6 EICAR-TEST-SIGNATURE DL BJ3 10.10.100.3 10.10.100.4 Default Zone web collector Jun 6 12'34:05 Pacific Daylight Time
Complete 5 Suspicious_SSH.HP LS 23 web-collector-ssh-honeypot 10.10.100 6 Default Zone web collector Jun 612 31:00 Pacific Daylight Time
SUMMARY lATEP'. —•
Target: Progression:
Answer: Yes, there should be a new incident with Status of New, Risk
of Med, Threat of Suspicious_SSH.HP, Collector Type of LAN, Threat
Source of ATP-Coll-ssh-honeypot and Threat Target of 10.10.100.6.
Step 5.7
Click on the Incident ID associated with the new incident.
This will open a new tab containing details of this incident. Examine the details of the event under the
Summary tab. When complete, close the new incident browser tab.
Target: Progression:
Zone:
Incident id:
Default zone
15 tf
DELIVERY
e e COMMAND&CONTROL
If A 9
Phishing Exploits Executions Infections Custom Rules Lateral Spread
Hostname
0 0 0 0 0 26
Username:
Source Email ID
T T T T T 1
Progression: Lateral Spread
01 J..”"
Protocol SSH joO luo' JU’''01
OS Matched No
Step 5.8
In the Incidents table, click on the New status field for the new incident. Set the Status field to
Complete and enter a comment of incident ignored. Click Submit. Click OK.
ADVANCED THREAT PREVENTION .APPLIANCE Refresh Data O System Health A J-ATP Admin '
1^
Coni^btt 14
Miu <
EICAR-TE$T-Sl&hiATURE DL
■'J
OefatitZoi^
(eb collector
wee<ix:e:tcr
Jun 717 21 01 Pacific Daylight Time
Cors^lotfr Thigh MrusOC DL 10 100 3 :c 10100140 Default Zone WineeneWT 6 3 kseb collector Jun 716'5 WPacifi; Oa>1ight Tine
Caripim 12 Thigh Virus.OC DL 10.10 100.3 lv.10.100.14C Default Zone winoes^T 6 3 web co.:ector Jur. ’ 13:35 53Pxtfic OaylightTime
GMV^iace 11 HIGH DL 10 100 3 IC 10 ICO 14C Default Zone WinOovrS-fft^ web-collector Jur 614 49 OTP.v ific Oa-, light T;r-ie
10 EICAR-TEST>£ieaUimRE DL 213211194 5$ 10 10.100.140 lab vSRX-l Jon 6 14:43:56 Pacific Daylight T-me
Comments:
Complete 6 EICAR-TEST-SIGNATURE DL e web collector Jun 612 34 05 Pac fic Daylight Time
Incident Ignored
Cempieie 5 TuepieioijfaSSH HP TS web collector Jun 612 3100 Pacific Oa,night T rme
History
Targp**-
Jon 7.20201* 21.05 bajlignt Tinx • Cyphon AeeKance mom « "♦« cenme*
hEldMKM:
BeSiutsMti
15
Event 120 was aOOeO to tnis incident
1
e
Jun 20201T2L0* Aacific b»,ign: Turw - Cyphort Applunn iootc a naw convnant.
Rules Ldioial Spread
na'Jname
Event 117 was added to this incident
jsemanre
Jun T.2020 }71t-0«Paci6( Oaihpn ri->M ■ CypMnAppttanca aooM a new comment
iPAeeress- 1O103M£
Event )2S was added to this incident
ISJA.1W6
Jun *. 20201* iLOa Eeci^ bejlgnt Time • Cyphen Aeptiance eooM » new commex
DesUnlian £iiwil Q.
Event 125 was added to this incident
Step 5.9
Exit out of the Juniper ATP Web GUI, the Juniper ATP Collector CLI, the WindowsClient, and the
KaliPentester.
STOP Tell your instructor that you have completed this lab.
Internet
vQFX-1 ] Console and
VNC Connections
Junos
Space
Management Addressing
Policy
Enforcer vSRX-1 172.25.11.1
Hypervisor
vSRX-2 172.25.11.2
Virtual Switch
Core ATP On-Prem
MGMT vSRX-VR 172.25.11.9
Network
vQFX-1 172.25.11.10
ATP Web Collector 172.25.11.0/24
Junos Space 172.25.11.100
Student Policy Enforcer 172.25.11.101
AD/NTP/DNS Server Lab Environment ATP On-Prem 172.25.11.120
ATP Web Collector 172.25.11.121
AD/NTPZDNS Server 172.25.11.130
Gateway 172.25.11.254
ge-0/0/1
vSRX-1
ATP Appliance
loO: 192.168.1.1
(•120)
(.1) ge-0/0/3
172.25.11.0/24
10.11.10.0/24
clientszone
(.2) xe-0/0/1
(.121) ethO
vQFX-1 xe-0/0/3 (SPAN) eth2
Web Collector
irb.lO
(.1) eth3
(.100)
xe-0/0/2 (HONEYPOT)
VLAN 10
10.10.100.0/24
Overview
In this lab, you will configure and deploy a secure network configuration using the ATP Cloud to scan for
malware threats. You will then simulate the actions of infected and compromised hosts and demonstrate
the automated isolation features of Juniper Connected security.
In this lab, you will perform the following tasks:
• Configure and threat prevention policy with AAMW and C«&C profile.
• Simulate a host downloading a malware file.
• Simulate a host attempting to contact a known C«&C server.
• Monitor the effects of malware detection and compromised host isolation.
step 1.1
You will primarily configure the vSRX-1 and vQFX-1 devices. You will also load baseline configurations on
vSRX-2 and vSRX-VR. Consult the Management Network Diagram to determine the management
addresses of your devices.
Step 1.2
On the vSRX-1 device, log in with the username lab and password labl23. Enter configuration mode
and load the labl 3-s tart, config trom the a j s e c directory. Commit the configuration when
complete and exit to operational mode.
FreeBSD/amd64 (vSRX-1) (ttyuO)
login: lab
Password:
Last login: Sat May 30 18:20:56 2020 from 172.25.11.254
[edit]
lab@vSRX-l# load override ajsec/labl3-start.config
[edit]
lab@vSRX-l# commit and-quit
commit complete
Exiting configuration mode
lab@vSRX-l>
Step 1.3
Open a new session with the vSRX-2 device.
On the vSRX-2 device, login with the username lab and password labl23. Enter configuration mode
and load the reset configuration file using the load override ajsec/lablS-start. config
command. After the configuration has been loaded, commit the changes before proceeding.
FreeBSD/amd64 (vSRX-2) (ttyuO)
login: lab
Password:
Last login: Sat May 30 18:20:56 2020 from 172.25.11.254
[edit]
lab@vSRX-2# load override ajsec/labl3-start.config
[edit]
lab@vSRX-2# commit
commit complete
[edit]
lab@vSRX-2#
Step 1.4
Open a new session with the vSRX-VR device.
On the vSRX-VR device, login with the username lab and password labl23. Enter configuration mode
and load the reset configuration file using the load override a jsec/labl3-start. config
command. After the configuration has been loaded, commit the changes before proceeding.
FreeBSD/amd64 (vSRX-VR) (ttyuO)
login: lab
Password:
Last login: Sat May 30 18:20:56 2020 from 172.25.11.254
[edit]
lab@vSRX-VR# load override ajsec/lablS-start.config
[edit]
lab@vSRX-VR# commit
commit complete
[edit]
lab@vSRX-VR#
Step 1.5
Open a console session to the student desktop and open a Web browser, then navigate to the web
management IP address for Junos Space Security Director.
From the web browser, login with the username of super and the password of Junlp3rl231.
Step 1.6
Mouse over the blue navigation bar on the left to expand it. Click on Devices->Device Discovery.
nX
Devices / Device Discovery
Device Discovery®
Q Global a s ?
Security Devices
Device Discovery
Q
Secure Fabric 1 selected Clone
I Run Now
J More + / 0 q Y :
NSX Managers
vCenter Servers
□ Device Discovery Profile Target Type Target Details Probes Username Credential T... Schedule Recurrence
ea AJEC-DEViCES IP Range 172.25.11.V172.25.11.2 N/A lab Credential Ba- Thu, 20 Jun 2030 20:12:33 POT
□ vQFX IP Address 172.25.11.10 N/A lab Credential Ba... Sat. 06 Jun 2020 13:49:19 POT
■BB
2 items
Step 1.7
In the Device Discovery dialog, select the ajsec-devices discovery job. Click Run Now.
Global V C s
Devices / Device Discovery Q 9
X Security Devices
Device Discovery®
Device Discovery
sc
□ lob Name Discover Network Elements-229656 Actual Start Time Sun, 07 Jun 2020 18:18:46 PDT
«l20Jun 2030 20:12:33 POT
□ |ob State
& Success
End Time Sun, 07 Jun 2020 18:19X>5 PDT II. 06 Jun 2020 13:49:19 PDT
■n
Owner super
2 items
2 Rows
OK
Step 1.8
In the Device Discovery dialog, select the vQFX discovery job. Click Run Now.
X Security Devices
Device Discovery®
Device Discovery
Secure Fabric 1 selected Clone Run Now
] More V + z © q ¥ ;
NSX Managers
vCenter Servers
□ Device Discovery Profile Target Type Target Details Probes Username Credential T... Schedule Recurrence
SC
□ AJEC-OEViCeS IP Range 172.25.11.1-172.25.11.2 N/A lab Credential 6a... Thu, 20 Jun 2030 20:12:33 POT
□ vQRC IP Address 172.25.11.10 N/A lab Credential Ba... sat, oejun 2020 13:49:19 PDT
2 items
Secure Fabric q ¥ :
NSX Managers Job Details:Discover Network Elements
vCenter Servers
□ lob ID 229659 Scheduled Start Ti... Sun, 07 Jun 2020 18:20:49 PDT
Zhedule Recurrence
sc
□ Job Name Discover Network Elements-229659 ACTual Start Time Sun, 07 Jun 2020 18:20:49 POT
tu, 20Jun 2030 20:12:33 PDT
(il
□ Job State
0 Success
End Time Sun, 07 Jun 2020 18:21:11 POT n, 06 Jun 2020 13:49:19 POT
I I
Owner super
2 items
(3 :
1 Rows
OK
Step 1.9
Mouse over the blue navigation bar on the left to expand it.
Navigate to Devices->Security Devices. Check the boxes next to vSRX-1 and vSRX-2. Right
click on any device name and select import from the drop-down list.
X Security Devices
Security Devices ©
Device Discovery
vCenier Servers Q Device Name ▼ IP Address OS Version CPU Storage Connection Status Feed Source Feed Source Status Managed Status
Configuration
Q vSRX-1 20.1 RI .11 A up Not Registered Managed
s Operations
items 1 of 1 Display 50 V
Update Changes
Upload Keys
Import
Refresh Certificate
Step 1.10
Check the boxes next to all Firewall and nat policies and click Next.
vCenter Servers O For devices with Junos OS Release 18.2 and later, IPS policy is auto imported along with the assigned Arewall Policy. Feed Source Status Managed Status
For devices with Junos OS Release 18.2 and later. Deprecated AppFw configuration will rx>tbe imported.
hot Registered Managed
3 selected
Wot Registered Managed
Firewall Policy
Q vSRX-1 3 0
Q vSRX-2 4 0
NAT Policy
D vSRX-1 1 0
3 items
Cancel Next F
Step 1.11
In the Conflict Resolution dialog, click Finish.
Rrn.iw Overwrite witb Imported Vjlue Keep I »i‘,Ting Object Q 7 Not Registered “ Managed
■i o Object Name Object Type Value Imported Value Conflict Resolution New Object Name Domain ►
1 Display 50 V
No Conflicts to Show
Step 1.12
In the Summary page, click ok.
Report SummaryReport.zip
Click OK to con-e'ete
Cancel Back OK
Step 1.13
Navigate to Administration->Policy Enforcer->Settings.
Consult the management diagram and configure the Policy Enforcer connection with the following
settings:
IP Address: 172.25.11.101
Username: root
Password: Junlp3rl23!
Sky ATP Configuration Type: Sky ATP/JATP with Juniper Connected Security
Leave all other settings at default. Click ok.
X My Profile Settings ®
Users & Roles >
6^
Logging Management > O The Policy Enforcer space API user (pe.user) password is currently valid, it will expire on 2020-09-02.
S Monitor Settings
The Policy Enforcer is active.
Signature Database
It is configured with version 19.4R1-975.
License Management >
Policy Enforcer
IP Address* 172.25.11.101
Settings
Policy Sync Settings Sky ATP Configuration Ty... © Sky ATP/JATP with Juniper Connected Security v
OK Reset
a s
♦ Configure / Gutded Setup ! Threat Prevention Q Global
X Firewall Policy
Threat Prevention Policy Setup ®
Standard Policies
IPS Policy > 4. Threat policies for the following threat types
a) C&C Server (Command and Control
NAT Policy > Server)
Juniper Swnche* I nrd Party Swecnet
UTM Policy > b) Infected Hosts
Policy Enforcement Group
c) Malware
1
Application Policy Based Routi...
Threat Prevention
IPSec VPN
>
>
d) Geo IP
□ □
Shared Objects > Start Setup
J
Change Management >
Guided Setup
Threat Prevention
Step 2.2
In the Secure Fabric dialog, click + to create a new secure fabric object.
In the Create Site dialog, configure a name of a j sec-lab. Click OK.
Secure Fabric
Siti
Create Site ©
□ Ml...
Site* ajsec-lab
Nod
Cancel OK
Cancel Next
Step 2.3
In the Secure Fabric dialog, click Add Enforcement Points.
Check the boxes for all devices. Click the arrow icon to select the devices. Click ok. Click Next.
Secure Fabric
Assigning a device to the site will cause a change in the device configuration.
Specify the enforcement points to assign to the site. The site cannot contain both switches and connectors.
Cancel OK
Cancel Next
Step 2.4
In the Policy Enforcement Groups dialog, click + to create a Policy Enforcement Group object.
Name the PEG a j sec-group. Check the boxes for all subnets, except for 172.25.11.1/24,
172.25.11.2/24 and 172.25.11.9/24. Click the arrow button to select these subnets. Click ok. Click
Next.
Name* isec-group
Description
Group Type ®
Cancel OK
1
Cancel Back Next
Step 2.5
In the Sky ATP Realm dialog, click the + icon to create a new Sky atp realm.
Enter the SkyATP Realm credentials provided by your instructor. Click ok.
Pc, ..
0 items O
Location* North Amerka v
Username studentS»juniper.net
Password
Realm O xxxxxxxj
No Sky ATP account? Select your region using the Location in the menu above, then click here to create an account.
You will be redirected to the Sky ATP account page.
Cancel OK
Step 2.6
In the Sky ATP Realm dialog, click Assign Sites. In the Site dialog, select the a jsec-lab site.
Click OK. Click Next.
□ O Assigning a site to the realm will cause a change in the device configuration in the associated devices.
oaded
□
1 itel
Site
ajsec-realm-1
Cancel OK
Step 2.7
In the Policies dialog, click + to create a new Threat Prevention Policy.
In the Create Threat Prevention Policy dialog, set a name of a j sec-tpp. Check the box for
Include C&C profile in policy. Leave Threat Score and Actions at default settings.
Check the Include infected hosts profile in policy box. Leave Actions at default
setting.
Check the box for Include malware profile in policy. Select the SkyATP Feed Type.
Enable HTTP File Download and in Device Prof ile expand ajsec-realm-l and check the
default profile box.
Leave all other settings at their default values and click ok.
Name* © ajsec-tpp
Description
Profiles
Q include C&C profile In policy
SHect the threat sccre »a**gesto appty v.+ien men try to access a C&C ?e'vpr
5 8
Threat Score
4 E
Select a file scanning device profile and threat score range to appy to HTTP and HTTPS traffic
Scan HTTPS O
o
Device Profile
1 selected
'*'ajsec-realm-i
1 items
SMTP Attachments ®
IMAP Attachments ®
Cancel OK
Step 2.8
Click the Assign to Groups link.
Check the box for a j sec-group and click the arrow icon to select the group. Click ok.
View the Change List and click Update.
Wait until the Job Status Job State shows Success. Click OK. Click Next.
□ Name
Select c-e ; ef ;c>iient g'* -e
□ DPRK
1 seieaed
Policy Enforcement Groups 0 Available q Q
1 items O
□ Groups
□ Groups
□ ajsec-group
No available items
Cancel
□ Global
vSRX-2 S Rules Added vSRX-2
1 itei
4 Rules Added Global
vSRX-1 vSRX-l
2 Rows
Cancel Update
♦
Snapshot Policy Publish Policy Update Devices
229665 229666 229667
@ @
o
□ Job Type:
Job ID:
Update Devices
229667
Job State:
Percent Complete:
Success
100%
n
□ Job Name:
User:
Update Devices-229667
super
Scheduled Start Time:
Actual Start Time:
Sun. 07 Jun 2020 18:46:51 POT
Sun. 07 Jun 2020 18:46:51 POT
End Time: Sun. 07 Jun 2020 18:47:01 POT
1 iten
Export to csv Q 7
vSRX-1 (vSRX-l) Success vSRX-1 (FWPolicyl View View Sun. 07 Jun 2020 18:46:S6 PST
vSRX-2 (vSRX-2) Success vSRX-2 (FWPolicyJ View View Sun, 07 Jun 2020 18:46:56 PST
2 Rows
Cancel OK Next
Step 2.9
In the Geo IP dialog, click + to create a Geo IP address group.
Assign a name of dprk. Check the box for Korea, Democratic People's Republic of and
click the arrow button to select. Leave all other settings at default and click OK.
Create GeoIP®
Name* ® DPRK
Deunpoon
u Jordan
Korea. Democraoc People’S Republic of
I Kazakhstan
Kenya
LJ Ktnbaci
U Korea. Republic of
Cancel nK
Step 2.10
Click Assign to Groups.
Check the box for a j sec-group and click the arrow icon to select the group. Click ok.
to !•
□ ajseC'group
No available items
Cancel OK
; tc . se
2 Rows
Cancel Update
Job Status ®
f 2 }
♦
Snapshot Policy Publish Policy Update Devices
327734 327735 327736
© ® ®
Export to CSV Q Y
vSRX-2 (vSRX-2) Success vSRX-2 [FWPolicy] View View Tue, 07 Jul 2020 19:34:22 CUT
vSRX-1 (vSRX-1) Success vSRX-1 (FWPolicy] View View Tue. 07 Jul 2020 19:34:22 CUT
2 Rows
1 OK
Step 2.11
Click Finish. Review the configurations and click ok.
Citck OK to con-pie:e
Cancel Back OK
Step 2.12
Navigate to Devices->Secure Fabric.
Expand the row for ajsec-lab and verify that Feed Source shows Success for both vSRX-1 and
vSRX-2.
Secure Fabric®
Sites + /
□ Site Enforcement... IP Model Feed Source Feed Source Status Last U... Des...
Q ’ ajsec-lab
vSRX-2 172.25.11.2 VSftX skyatp ^Success July 07,...
172.25.11.10 VQFX-10000
vQFX-1
1 items C
Global
Configure / Firewsl Policy / Standard Policies Q V o S 9
Unified Policies
[Bl Profiles □ Seq. Name Rules Devices Publish State Last Modified Created By Modified By Domain
Templates
V POLICIES APPLIED BEFORE DEVICE SPECIFIC POLICIES' (1 policy)
Environment
> □ 1 All Devices Policy Pre Add Rule 2 Not Published wed Jun 03.20206:19 PM System Global
H User Firewall Management
SSL Profiles > □ vSRX-2 14 vSRX-2 Published Sun Jun 07,2020 6;S0PM super super Global
IPS Policy > □ vSRX-1 11 vSRX-1 Published Sun Jun 07,2020 6:50 PM super super Global
NAT Policy >
POLICIES APPLIED AFTER DEVICE SPECIFIC POLICIES' (1 policy)
UTM Policy >
Application Policy Based Routi... □ 2 AJI Devices Policy Post Add Rule 2 Not Published wed Jun 03,20206:19 pm System Global
Step 3.2
In the vSRX-l/Rules dialog, select all current rules and click the trash bin icon to delete. Click Yes to
confirm.
Global V C 1^ s
Configure ! Firewall Pokey ! Standard Policies Q
X Firewall Policy
vSRX-1 / Rules Edited 5 minute(s) ago
□ 8 NA PolicyEnforcer-Rulel-6 DPRK
Step 3.3
In the next several steps, you will configure the security policies for the vSRX-1 device. Detailed
instructions will be presented for the first policy. Summaries will be given for the remainder.
Click the + icon. In the General screen, configure a Rule Name of Juniper-SV-to-internet.
Click Next.
Create Rule ©
General
General Information
Description ®
Cancel Next
Step 3.4
In the Source dialog. Select Juniper-svforthe zone. Click Next.
Create Rule®
o—
Gerera Source
Source
Zone ® »Junlper-sv V
Clear All
Addresstes) © Select
Any
User ID 0 Select
Clear All
Step 3.5
In the Destination dialog. Select untrust for the zone. Click Next.
Create Rule®
o o
Destination
Clear All
Service Protocols
Servke(s) Select
Any
Cancel •^exi
Step 3.6
In the Advanced Security dialog, select Permit for Action.
For the Threat Prevention Security option, select the ajsec-tpp policy.
Click Next.
Create Rule ©
o—
Ge-e-ai
o-
So_rce
o--
Desti“a:.or Advanced Security
c
Oo:«rs
Advanced Security
Rule Action
Action ® Permit
Advanced Security
App Firewall Select an option Clear All Add New
SSL Proxy <3) Select an option Clear All Add Forward Proxy Add Reverse Proxy
IPS © Off
Step 3.7
Leave the settings at default values for Rule Options, Rule Analysis, and Rule Placement
dialogs.
Click Finish. Click OK in the Summary dialog.
Create Rule ©
o—
Genera’
o—
Source
o—
Desti“at»on
oA0\-ancec Sec-nr/ Rule Options
Rule Options
Profile ® Select
Inherited from policy
Clear /Ml
Create Rule ©
o— o- o
Genera Source Destiniation AO-.-anze; Secun^- RJe Optons Rule Analysis
Create Rule ©
a— o— o--- c o— c----
Ge“e*3 So-fee Destrat’or AO-.-ancec Secjnty Rule Options RJe Araij-sis Rule Placement
Analysis
Results No rule analysis was performed. When rule analysis is not performed, the system will suggest a placement according
to the information provided in steps 1 to 5.
Rule Placing
Rule Type ZONE
Create Rule ©
Summary
'ne 'umrary o* r cha'
General Information
Edit
Name Juniper-SV-to-internet
Zone Juniper-SV
Address Any
Zone untnjst
Address Any
Service Any
Advanced Security
Edit
IPS Off
Action PERMIT
Rule Options
Edit
Rule Analysis
Edit
Rule Placement
Edit
Cancel Back OK
Step 3.8
Create a new rule with the following settings (leave settings at default if unspecified):
Rule Name: dients-to-internet
Source Zone: clients
Destination Zone: untrust
Action: Permit
Threat Prevention Policy: ajsec-tpp
Step 3.9
Create a new rule with the following settings (leave settings at default if unspecified):
Rule Name: block-Juniper-SV-DPRK
Source Zone: Juniper-sv
Global s ?
Configure ! Firewall Policy / Standard Policies Q
X Firewall Policy
vSRX-1 / Rules Currently editing this poBcy .
Standard Policies
Unified Policies
( Save Discard Shared Objects v More V Id
71
7, Q ¥• :
Devices
3
Schedules
Seq.
Hit Co... Rule Name Src. Zone Src. Address Src. Expression User IO End User Profile Oest. Zone
lewll Profiles
IPSecVPN >
Shared Objects >
Change Management >
Guided Setup >
Step 3.14
Click Save. Click Update.
In the Update Firewall Policy dialog, click Piiblish and Update. Click Yes.
1 selected Q :
ea Device Name Publish Req... Configura... Ma... Connection S... Services Domain Device IP Platform OS Version
11tems
Step 3.15
Review the Job Status screen.
Wait until the Job State shows Success. Click OK.
Job Status©
* ♦
Snapshot Policy Publish Policy Update Devices
229683 229684 229685
© © ©
Export to csv Q ¥
vSRX-1 (VSRX-I) Success vSRX-1 [FWPolicyl View view Sun, 07 Jun 2020 19:19:15 PST
1 Rows
OK
In this lab part, you will simulate a compromised host by downloading simulated malware from a web
server. You will then verify that the malware is detected by ATP cloud and the host is added to the infected
host’s feed.
Step 4.1
Open a web browser and navigate to sky.junipersecurity.net.
Login with the credentials and realm settings provided by your instructor.
juniper KicrxjuoDirC
NETWORKS
r’
(. I Sky ATP
Version 3.0 | Login
(* 1
♦ student@juniper.net
XXXX)^
Q Remember me
Log In
Step 4.2
In the Sky ATP browser session, navigate to Monitor.
Examine the Hosts table.
X Hosts
Hosts©
C&C Servers
Threat level: O High EO Medium Low None; clean
File Scanning
HTTP File Downloads
Export Set Policy Override v Set Investigation Status v q Y’
Email Attachments
Manual Uploads
□ Host Identifier Host IP Threat Level Infected Host Feed ▼ Last Host Activity C&C Hits Malware... Policy State of Investigation
No data available
Blocked Email >
Telemetry >
■H
©
Step 4.3
Open a virtual console session with the WindowsClient device.
Open the Firefox web browser and navigate to http ://172.17.0.2/fakemalware and download
the file.
Opening eic^xom ED
You h*v« chosen to open:
53 f««xom
SeveFite
[ Caned
T V '-i I L I I IM
: TryAgkn J|
/h'.’i
1.',
Bl - cb ® 0^ 6fVia»
Step 4.4
Return to the session with the SkyATP web UI.
Navigate to Monitor->Hosts and examine the infected host entries.
X Hosts
Hosts®
C&C Servers
Threat level: (D High Q Medium
Q Low None; clean
File Scanning >
Export Set Policy Override Set Investigation Status Q Y-
Blocked Email >
Telemetry > Host Identifier Host IP Threat Level Infected Host Feed ’ Last Host Activity C&C Hits Malware... Policy State of Investigation
■
Question: Is there a host in the infected host feed?
Answer: Yes, you should see the 10.10.100.140 host in the infected
host feed. Note that the Threat Level may differ from the number
shown in this lab guide.
Step 4.5
Return to the CLI session with the vSRX-1 device.
Verify that the infected host entry is added to the infected hosts dynamic address group by issuing the
show security dynamic-address category-name Infected-Hosts command.
lab@vSRX-l> show security dynamic-address category-name Infected-Hosts
No . IP-start IP-end Feed Address
1 10.10.100.140 10.10.100.140 Infected-Hosts/1 ID-fffcl81a
Step 4.6
Return to the CLI session with the vQFX-1 device.
Verify that the firewall filter to block the infected host as been generated and applied to the VLAN
containing the infected host by issuing the show configuration firewall family
ethernet-switching command followed by the show configuration vlans command.
lab@vQFX-l> show configuration firewall family ethernet-switching
filter SDSN_INPUT_vQFX-l_vlO {
term MAC_00:50:56:a9:70:5d {
from {
source-mac-address {
00:50:56:a9:70:5d/48;
}
}
then {
discard;
log;
}
}
term ALLOW_ALL_OTHER_HOST_SDSN {
then accept;
}
}
filter SDSN_OUTPUT_vQFX-l_vlO {
term MAC_00:50:56:a9:70:5d {
from {
destination-mac-address {
00:50:56:a9:70:5d/48;
}
}
then discard;
}
term ALLOW ALL OTHER HOST SDSN {
then accept;
}
}
input SDSN_INPUT_vQFX-l_vlO;
output SDSN OUTPUT vQFX-1 vlO;
}
}
}
v50 {
vlan-id 50;
}
v55 {
vlan-id 55;
}
v60 {
vlan-id 60;
}
In this lab part, you will simulate a host device attempt to contact a known command and control server.
You will observe the effects of this behavior in the Juniper ATP Cloud GUI.
Step 5.1
Return to the session with the Juniper ATP Cloud GUI.
Navigate to Conf iguration->Third Party Feed and click the toggle to enable the Block List
feed.
IP Filter Feed
File Inspection Profiles
office365 □ Enable feed
Email Management >
Go to feed site
Whitelists
Command and Control Feeds
{vg Blacklists
Select to enable open source feeds managed by third parties.
Third Party Feeds
Global Configuration > I The accuracy of these feeds cannot be guaranteed, and false positives generated by these feeds will not be
investigated by juniper Networks. Security policies will block malicious IP addresses and domains based on
X
enabled third party feeds, but these events do not affect host threat scores.
IP Feed
Go to feed site
Go to feed site
Go to feed site
Go to feed site
Go to feed site Cj
Step 5.2
Return to the CLI session with the vSRX-1 device.
View the feeds active on the vSRX-1 device by issuing the show services
security-intelligence category summary command.
Note
Category name cc
Status Enable
Description Coininand and Control data schema
Update interval 1800s
TTL 3456000s
Feed name cc_ip_data
Version 20200608.7
Objects number 89988
Create time 2020-06-08 06:40:18 UTC
Update time 2020-06-08 07:04:07 UTC
Update status Store succeeded
Expired No
Status Active
Options N/A
Feed name cc_url_data
Version 20200608.2
Objects number 42184
Create time 2020-06-08 06:20:21 UTC
Update time 2020-06-08 07:04:10 UTC
Update status Store succeeded
Expired No
Status Active
Options :N/A
Feed name :cc_ip_blocklist
Version :20200607.1
Objects niimber: 2 6438
Create time :2020-06-08 06:53:42 UTC
Update time :2020-06-08 07:04:20 UTC
Update status :Store succeeded
Expired :No
Status :Active
Options :N/A
lab@vSRX-l>
Step 5.3
View the contents of the current C&C server feed by issuing the show services
security-intelligence category-name CC command
Step 5.4
Open a CLI session with the KaliPentester device.
From the CLI session with the KaliPentester device, attempt to ping the IP you noted in the previous step.
After a few seconds, use ctrl-c to cancel.
lab@kali:~$ ping 1.32.218.157
PING 1.32.218.157 (1.32.218.157) 56(84) bytes of data.
A
C
-- 1.32.218.157 ping statistics --
8 packets transmitted. 0 received. 100% packet loss, time 7169ms
Step 5.5
Return to the CLI session with the vSRX-1 device.
Verify that C&C block actions have taken place by issuing the show services
security-intelligence statistics command.
lab@vSRX-l> show services security-intelligence statistics
Logical system: root-logical-system
Category Whitelist:
Profile Whitelist:
Total processed sessions: 280
Permit sessions: 0
Category Blacklist:
Profile Blacklist:
Total processed sessions: 280
Block drop sessions: 0
Category CC:
Profile ajsec-tpp_CC:
Total processed sessions: 280
Permit sessions: 0
Block drop sessions: 8
Block close sessions: 0
Close redirect sessions: 0
Profile feed-cc-log-only:
Total processed sessions: 0
Permit sessions: 0
Block drop sessions: 0
Block close sessions: 0
Close redirect sessions: 0
Category Infected-Hosts:
Profile ajsec-tpp Infected-Hosts:
Total processed sessions: 280
Permit sessions: 0
Block drop sessions: 31
Block close sessions: 0
Close redirect sessions: 0
Step 5.6
Return to the SkyATP GUI
Navigate to Monitor->Hosts and examine the Hosts table.
Hosts
Hosts®
C&C Servers
Threat level: (D High EO Medium Low None; clean
File Scanning >
Export Set Policy Override Set Investigation Status Q Y-
Blocked Email >
CT
Telemetry > □ Host Identifier Host IP Threat Level Infected Host Feed ’ Last Host Activity C&C Hits Malware... Policy State of Investigation
H
Si
step 5.7
Navigate to Monitor->C&C Servers
Examine the contents of the C&C servers table. Take note of the current threat level of the
10.10.100.6 host.
Hosts
Command & Control (C&C) Servers ©
C&C Servers
Threat level: O High [B Medium Low None; clean
File Scanning
H
step 5.8
Return to the CLI session with the KaliPentester device.
Launch a script that will attempt to contact 50 different known C&C servers by executing sudo . /
cc feeds.sh.
lab@kali:~$ sudo ./cc feeds.sh
-2020-06-08 00:34:08 — http://lists.blocklist.de/lists/all.txt
Resolving lists.blocklist.de (lists.blocklist.de)... 185.21.103.31,
2a00:1158:2:6d00::2
Connecting to lists.blocklist.de (lists.blocklist.de) |185.21.103.31 | : 80 .. .
connected.
HTTP request sent, awaiting response... 200 OK
Length: 424851 (415K) [text/plain]
Saving to: 'CCS.txt'
1.0.156.44 is unreachable
1.1.158.178 is unreachable
1.1.172.69 is unreachable
1.10.220.251 is unreachable
1.119.131.102 is unreachable
1.121.155.18 is unreachable
1.143.90.244 is unreachable
1.157.168.10 is unreachable
1.163.10.103 is unreachable
1.163.171.155 is unreachable
1.163.63.25 is unreachable
1.173.167.128 is unreachable
1.173.34.7 is unreachable
1.179.137.10 is unreachable
1.179.185.50 is unreachable
1.186.40.2 is unreachable
1.186.45.162 is unreachable
1.186.57.150 is unreachable
1.186.61.253 is unreachable
1.186.63.133 is unreachable
1.192.121.238 is unreachable
1.192.138.203 is unreachable
1.192.138.230 is unreachable
1.192.138.24 is unreachable
1.192.139.146 is unreachable
1.192.94.60 is unreachable
1.192.94.61 is unreachable
1.193.100.38 is unreachable
1.193.101.115 is unreachable
1.193.160.164 is unreachable
1.193.200.154 is unreachable
1.193.76.18 is unreachable
1.194.238.187 is unreachable
1.194.238.226 is unreachable
1.194.48.98 is unreachable
1.196.223.50 is unreachable
1.199.42.34 is unreachable
1.199.43.81 is unreachable
1.202.115.173 is unreachable
1.202.185.76 is unreachable
1.202.76.226 is unreachable
1.202.77.210 is unreachable
1.203.115.140 is unreachable
1.203.115.141 is unreachable
1.203.115.64 is unreachable
1.209.171.34 is unreachable
1.212.181.131 is unreachable
1.213.182.68 is unreachable
1.214.156.163 is unreachable
1.214.215.236 is unreachable
1.214.220.227 is unreachable
labOkali:
Step 5.9
Return to the session with the SkyATP Web UI.
Navigate to Dashboard. Examine the chart of C&C Server and Malware Source Locations.
My Dashboard
C&C Server and Malware Source Locations Top Infected File Categories
A Show; C&C Servers Previous: 1 month Show; Med. High Threat Previous: 1 month
+
1
‘A
B
/ !
z.
V .•y
t
o
f*
Io I
•4
■n A
% .h'
k
0
.y f
I
5 A. f
z ys 'f
Updated Jun & 2020,10 ;5,2o AM, UTC -07 00 POT More DeUi s
?•
*.T J
V,
Threat Count
1-49 /
100499
500*
■ 50-99
If
0 I
'.f^r.riFd
Upceird Jun 8^ 2020,10:23 28 AM, UTC -07 00 POT More Detai s Updated Jun & 7070.1023:28 AM UTC -07 00 POT More DeUi s
Step 5.10
Navigate to Monitor->Hosts. Examine the Hosts table. Note the updated Threat Level and C&C
Hits values.
Hosts
Hosts©
C&C Servers
Q Threat level: O High Q Medium Low None; clean
File Scanning >
Export Set Policy Override Set Investigation Status q Y-
Blocked Email >
IBB]
Telemetry > Host Identifier Host IP Threat Level Infected Host Feed ’ Last Host Activity C&C Hits Malware... Policy State of Investigation
■
Eg
Step 5.11
Check the box for Host ip 10.10.100.6 in the Hosts table. Click the dropdown for Set Policy
Override and Select Always include in Infected Host Feed.
Examine the updated Hosts table.
Hosts
Hosts©
C&C Servers
Threat level: O High Q Medium Low None; clean
File Scanning >
Export Sot Policy Override Set Investigation Status v Q Y’
Blocked Email >
E3
Telemetry > □ Host Identifier Host IP Threat Level Infected Host Feed ▼ Last Host Activity C&C Hits Malware,
Never include host(s) in infected host feed
■
s?
step 5.12
Return to the CLI session with the vSRX-1 device.
View the current content of the Infected Hosts feed by issuing the show security
dynamic-address category-name Infected-Hosts command.
lab@vSRX-l> show security dynamic-address category-name Infected-Hosts
No. IP-start IP-end Feed Address
1 10.10.100.6 10.10.100.6 Infected-Hosts/1 ID-fffcl81a
2 10.10.100.140 10.10.100.140 Infected-Hosts/1 ID-fffcl81a
Step 5.13
Return to the CLI session with the vQFX-1 device.
View the updated firewall filter settings by issuing the show configuration firewall family
ethernet-switching command.
Part 6: Cleaning Up
In this lab part, you will return the lab environment to its starting state.
Step 6.1
Open a web browser and navigate to sky.junipersecurity.net.
If not already logged in to the SkyATP web UI, authenticate with the credentials provided by your instructor.
jumper NETVrjh«c
Sky ATP
Version 3.0 | Login
♦ student@juniper.net
xxxxj
Q Remember me
Login
«
/
Create a semrwy realm Supported JUNOS Software
<
Forgot password and Documentation
Copyrig^ O 2015-2020, Juniper Metworks. In^ k 3 ><35^ wd I Trademark Notice | Privacy Polcy
step 6.2
Navigate to Monitor->Hosts. Check the box for the 10.10.100.6 host. In the Set Policy
Override dropdown, select Use Configured Policy.
Wait for the host to reappear in the Hosts table before continuing. You may need to refresh the page.
A
MOTMCOr Z Hmu What’S new ajsec-realm-1 J ?
X Hosts
Hosts ®
C8tC Servers
Threat level: ©High [1] Medium ...Low None: clean
Q
Ale Scanning >
Export Set Policy Override w Set mvestigabon Status
S Blocked Email >
Telemetry > □ Host Identifier Host IP Threat Level Infected Host Feed * Last Host Activity C&C Hits Malware
Never irxludc host(s) in infected host feed
□ n/a^00:50:56:a... 10.10.100.6 m 6 Included manually Jun 8.2020 12:37 AM SO 0 Use configured policy
00:SO:S6:a9:70:Sd 10.10.100.140 O 7 Included Jun 7.2020 10:22 PM 0 2 Use configured pokey Open
Step 6.3
Check the boxes for both hosts. In the Set investigation Status drop down menu select
Resolved Fixed.
X Hosts
Hosts®
C&C Servers
Threat level: O High Q Medium Low None; dean
Ale Scanning >
Export Set Pokiy Override Set inveMigatlon Sut 71 q Y’
Blocked Email >
In Progress
Telemetry > Q Host Mentirier Host IP Threat Level Infected Host Feed ▼ Last Host Activity C&C Hits Malware Policy tion
Resolved • False positive
Resolved • Ignored
Q 00:50;56;a9:70:5d 10.10.100.140 O 7 Included Jun 7. 2020 10:22 PM 0 2 Use configured poli
1
<s>
step 6.4
Open a web browser and navigate to the IP address of the Junos Space Security Director.
Navigate to Devices->Secure Fabric. Check the box for ajsec-lab. Click the recycle bin icon.
Click Yes to confirm the delete.
Global
OiWB I q Q t5 1 9
Secure Fabrk
Sites 1 iiriflFi Add Enforcement Ponts + Z 0
NSX Managers
vCenter Servers
Q Site Enforcement Points IP Model Feed Source Feed Source last Updated Oeser ip—
1 terns O
Ho Yes
Step 6.5
Navigate to Conf igure->Firewall Policy->Standarci Policies.
Check the boxes for the vSRX-1 and vSRX-2 policies. Click the recycle bin icon and click Yes to
confirm the delete.
Global '7
ConilBvr? > rr!..jfPBecy > StandardPeaciet Q O 8
Firewall Policy V
Standard Policies®
Standard Pohcles
UntRed Poboes
Devices
2setKSd [ Ugdate [ G>^a< ] •‘.fcxe + 0 Q Y’
Schedules
Profiles □ Sect. Name Rules Devices Publish State Last Modified Created By Modified By Domain
Templates
V POLICIIS APPLIED BEFORE DEVICE SPECIFIC POLICIES (1 polky]
Environment
AppKation Policy Based Routi o 2 Al Devices Policy Post edjun 03.2020 6'19 PM System Global
Step 6.6
Navigate to Conf igure->Threat Prevention->Policies.
Check the box for ajsec-tpp and click the recycle bin icon to delete. Click Yes to confirm the delete.
X Firewall Policy
Threat Prevention Policies®
Standard
umfwd
Oewces
'< MtacBid t-5 Oovps + / 0
Scheduler
B Profiles ea Name Feed Type C« Server infected Host Malwere HTTP DOoS Melware SM... Melware IMAP Status Policy enforcement 6— Description
Templates
□ ► ajsec ipp SKYATP Block: •2 Block Drop default_profile Updated aiiec-froup Log all traffic
Environment
1 items C
I»1 User Firewall Management >
Application Firewall Pokey >
SSL Profiles > Delete Threat Management Policy
IPS Pokey >
Are you sure you went to delete the selected Threat Menagement
NAT Policy > PoScy<s>?
Threat Prevention
Step 6.7
Navigate to Conf igure->Threat Prevention->Feed Sources.
Check the box for the ajsec-realm-l SkyATP realm. Click the recycle bin icon and click Yes to confirm
the delete.
Global 9
Conftfur* ! Tb^aat Pi»»»nK»r ! Taod Sourcaa Q sr O 15 s
ufvftad Ppbeios
Devices
Sky ATP JATP Custom Feeds
Schedules
Profiles
Templates
isMected
[ Mor, 3 + z s
Environment
User Firewall Management > □ Realm Sites Devices Location ervpilment Status Token Expiry Feed Status last Downipaded
Threat Prevention
Poaces
Feed Sources
iPSeeVPN >
Shared Objects >
Change Management >
Guided Setup >
Step 6.8
Navigate to Devices->Security Devices.
Check the boxes for both vSRX devices. Right click and select Operations->Delete Devices. Click
OK to confirm the delete.
In the Job Details dialog, insure that the Job State reaches Success. Click OK.
Global
Q G 13 s 9
vCenter Servers
Q Device N»me * IF Address OS Version CFU Storage ConneCTion Status Feed Source Feed Source Status Managed Status
Configuration
□ > vSRXd ▲ up Not Registered SO Changed Device...
□ Oparatiom Delete Derices
Reboot Devices
cents 1 of 1 Display SO V
ResyixhrorMze wim Networic
inventory DetaHs
Update Changes
Upload Keys
import
Refresh Certifkace
Asr|r^e^y^^T^
Step 6.9
Return to the CLI Session with the vSRX-1 device.
Terminate the session by issuing the exit command.
lab0vSRX-l> exit
Step 6.10
Return to the CLI session with the vQFX-1 device.
Terminate the session by issuing the exit command
{master:0}
lab0vQFX-l> exit
Step 6.11
Return to the CLI session with the KaliPentester device.
Terminate the session by issuing the exit command
lab0kali:~$ exit
STOP Tell your instructor that you have completed this lab.
ge-0/0/1
vSRX-1
loO: 192.168.1.1
(.1) ge-0/0/3
10.11.10.0/24
clientszone
(2}
vQFX-1 xe-0/0/3
irb.10
(-1)
VLAN 10
10.10.100.0/24
(-140)
■3
Copyright 2020
' A • Juniper Networks, Inc. All rights reserved.
Juniper Networks, the Juniper Networks logo, Junos, NetScreen,
and ScreenOS are registered trademarks of Juniper Networks, Inc.
in the United States and other countries. All other trademarks,
services marks, registered marks, or registered services marks
are the property of their respective owners.
Engineering
Simplicity
EDU-JUN-AJSEC, Revision V20A