
JNCIA-SEC Open Learning

Stateless firewall filters: ACLs, policers, shapers, CoS.

When the first packet of a flow arrives (ingress), Junos applies ingress stateless processing (policers, CoS, filters). If the packet is not dropped, Junos performs a session lookup to determine whether the packet belongs to an existing session. If no session matches, the software creates a new session and directs the packet to first-path processing; if a session matches, the packet is directed to the fast path.
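The ingress stateless stage described above is where policers and firewall filters act, before any session exists. The following Junos set commands are an added example (not from the course slides or the notes): they build a policer and a stateless filter and apply them on the ingress side of an untrust interface. The interface name ge-0/0/0, the filter, policer and counter names, and the 10.0.0.0/8 source prefix used as a sample of traffic to discard are all assumptions for illustration; lines beginning with ## are annotations, not configuration.

```junos
## Policer: cap ICMP at 1 Mbps with a 15 KB burst; excess is discarded before any session lookup
set firewall policer limit-icmp if-exceeding bandwidth-limit 1m
set firewall policer limit-icmp if-exceeding burst-size-limit 15k
set firewall policer limit-icmp then discard

## Stateless filter: evaluated per packet, no session state is consulted
set firewall family inet filter ingress-edge term police-icmp from protocol icmp
set firewall family inet filter ingress-edge term police-icmp then policer limit-icmp
set firewall family inet filter ingress-edge term police-icmp then count icmp-in
set firewall family inet filter ingress-edge term police-icmp then accept
## Sample term: packets claiming a private source on the outside interface never reach flow processing
set firewall family inet filter ingress-edge term drop-private-src from source-address 10.0.0.0/8
set firewall family inet filter ingress-edge term drop-private-src then discard
## Everything else is accepted by the filter and continues to the session lookup
set firewall family inet filter ingress-edge term allow-rest then accept

## Apply the filter on ingress of the (assumed) untrust interface
set interfaces ge-0/0/0 unit 0 family inet filter input ingress-edge

## Operational checks after commit:
##   show firewall filter ingress-edge        (per-term counter and policer hits)
##   show security flow session summary       (sessions created by first-path processing)
##   show security flow statistics            (packets forwarded vs dropped in the flow module)
```

A packet discarded by the policer or by the drop-private-src term never appears in the flow session table, which is the practical way to tell a stateless drop from a policy deny: the former shows up in the filter counters, the latter in the session or policy logs.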

For a branch SRX, the default configuration provides DHCP on the irb interface to give clients access to the internet.

Management interfaces: fxp0, me0

Internal interfaces: fxp1, em0

while the standard configure keeps the changes??!!

check how to make it (look for videos)

To commit on multiple devices, this command prepares the configuration for the devices and, once activated, deploys it in a second.

All interfaces belong to the null zone by default, except fxp0, em0, and the chassis-clustering interfaces.

To create a zone:

for Screen Options

Zone-based address objects are to be discontinued in future releases. There is an option to upgrade zone addresses to global addresses.

The default setting of the default policy is to silently discard all traffic.

To create a global security policy:

The zone in a global policy is optional.
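The zone, screen, address-book and policy notes above are tied together in the following Junos set commands. This is an added example written for these notes, not configuration from the course or from Juniper: the interface names, zone names, addresses, screen thresholds and policy names are all assumptions chosen for illustration, and the ## lines are annotations rather than configuration.

```junos
## Zones: an interface left in no security zone stays in the null zone and forwards no transit traffic
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust screen untrust-screen

## Screen options attached to the untrust zone (sample thresholds)
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200

## Global address book, rather than a zone-attached one, since zone address books are being phased out
set security address-book global address lan-net 192.168.10.0/24
set security address-book global address web-srv 198.51.100.10/32

## Zone-pair policy: trust -> untrust, web traffic only, logged at session close
set security policies from-zone trust to-zone untrust policy allow-web match source-address lan-net
set security policies from-zone trust to-zone untrust policy allow-web match destination-address any
set security policies from-zone trust to-zone untrust policy allow-web match application junos-http
set security policies from-zone trust to-zone untrust policy allow-web match application junos-https
set security policies from-zone trust to-zone untrust policy allow-web then permit
set security policies from-zone trust to-zone untrust policy allow-web then log session-close

## Global policy: no from-zone/to-zone in the match, so it applies to every zone pair
set security policies global policy deny-telnet match source-address any
set security policies global policy deny-telnet match destination-address any
set security policies global policy deny-telnet match application junos-telnet
set security policies global policy deny-telnet then deny
set security policies global policy deny-telnet then log session-init

## Default policy: keep the silent deny-all for anything no policy matched
set security policies default-policy deny-all

## Operational checks after commit:
##   show security zones                       (which interfaces landed in which zone)
##   show security policies                    (zone-pair policies, then global, then default)
##   show security match-policies from-zone trust to-zone untrust source-ip 192.168.10.5 destination-ip 198.51.100.10 source-port 40000 destination-port 23 protocol tcp
```

Zone-pair policies are evaluated before global policies, and the default policy is consulted only when neither matches; the `show security match-policies` command is the quickest way to confirm which of the three would handle a given 5-tuple without sending traffic.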

It uses AppID.

The first packet is allowed, as it generally doesn't contain any payload information, so the firewall waits until it identifies the AppID.

Anti-spam with Sophos, and antivirus with Avira and Sophos in the cloud.

The anti-spam feature is only supported on SMTP, not POP or IMAP.

Interface-based source NAT

Pool-based source NAT
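Both source NAT variants named above, as an added Junos example (not from the course material): the first rule-set translates internal hosts to the address of the egress interface, the second translates a server segment to a dedicated public pool. The zones trust, dmz and untrust, the interface ge-0/0/0, and all addresses (RFC 5737 documentation ranges) are assumptions; ## lines are annotations, not configuration.

```junos
## Interface-based source NAT: everything from trust to untrust leaves with the egress interface address (PAT)
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule internet-access match source-address 192.168.10.0/24
set security nat source rule-set trust-to-untrust rule internet-access then source-nat interface

## Pool-based source NAT: a range of public addresses (PAT is on by default for source pools)
set security nat source pool public-pool address 203.0.113.10/32 to 203.0.113.20/32
set security nat source rule-set dmz-to-untrust from zone dmz
set security nat source rule-set dmz-to-untrust to zone untrust
set security nat source rule-set dmz-to-untrust rule dmz-servers match source-address 172.16.1.0/24
set security nat source rule-set dmz-to-untrust rule dmz-servers then source-nat pool public-pool

## The pool addresses are not owned by any interface, so the SRX must answer ARP for them on the egress link
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.10/32 to 203.0.113.20/32

## Operational checks after commit:
##   show security nat source rule all         (per-rule translation hits)
##   show security nat source pool all         (pool usage and port allocation)
##   show security flow session source-prefix 172.16.1.0/24   (translated address visible in the Out direction)
```

Source NAT is applied after the security-policy lookup, so the policy still matches on the original (pre-NAT) source address; a common mistake is writing the policy against the pool address and then seeing the session denied.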

The wizard creates the local and remote configuration objects, tunnel interface, static routes, and security policies needed for a complete route-based VPN configuration.

Proxy IDs are created at the very beginning of VPN Phase 2 negotiations, before protocol communication is established.

Phase 1 uses a pre-shared key or digital certificate for peer endpoint identification (PEI), whereas Phase 2 uses proxy IDs for PEI, as a final check to verify the peer before the IPsec tunnel is established. If the proxy IDs don't match, the Phase 2 negotiation fails and the IPsec tunnel is not established.

Proxy IDs are a way to identify the traffic traversing the VPN: each peer device identifies a local and remote IP prefix plus a service, which must match on both devices.

By default the proxy IDs are all zeros, but you can modify them for an additional layer of security (an additional method of authentication) and for interoperability.

Traffic selectors provide an additional method to determine what interesting traffic is allowed to traverse a tunnel. Whereas proxy IDs are only checked during Phase 2 as an additional peer authentication, traffic selectors are checked against transit traffic to ensure that only the networks specified by the selectors are allowed to communicate through the tunnel. Traffic selectors are created automatically (when you select auto route insertion as the routing mode) based on the local and remote networks defined in the VPN.

To remove a license

Review the Hardware architecture (good to understand)

Transport mode is implemented between IPsec end systems (the end systems must understand all IPsec encryption).

Tunnel mode (commonly used) is implemented between IPsec gateways, or between IPsec gateways and remote clients (the end systems don't need to understand encryption, as it is all done on the gateways).
