SRX JUMP STATION
Based on JUNOS versions up to 12.1R3, last modified Nov 08 2012
Thomas Schmidt, Consulting Systems Engineer
2 Copyright © 2011 Juniper Networks, Inc. www.juniper.net
WHAT IS THE PURPOSE OF THIS QUICK START?
• This collection is for users who already have experience with ScreenOS firewalls and the underlying concepts and now want to use JUNOS based SRX firewalls.
• This collection assumes you already have some knowledge of JUNOS (there are free trainings to help you) but need a guide to configure a complete system.
• This collection is a guide to help you find the commands required for typical features and tasks, and gives you brief, working examples.
• Navigation:
  • Click on the icon in the top right corner to get to the Jump Station Central
  • Click on the chapter buttons to get to the desired chapters
• If you need more in-depth information or more details of the underlying concepts, consult the documentation or participate in trainings.
• This collection cannot replace the full JUNOS documentation or trainings and cannot cover all parameters available with a certain feature.
JUMP STATION CENTRAL (chapter index)
Sections: Basics, Network, Firewall, Manage/Log/Monitor, AppFirewall/IDP/UTM, More, Toolbox, VPN, Troubleshooting, High Availability
Chapters:
• Login, Control- & Dataplane, CLI, Zones, Packet Flow, Flow & ALG, Policies, Screens & Defense, Virtualize (VR + LSys), Licenses
• Interfaces, Switching, Trunk & LAG, Link Redundancy, PPPoE & DSL, Routing (OSPF, BGP), Multicast, IPv6, Transparent Mode, Class of Service, NAT, Access list, DHCP, DNS
• AppSecure Overview, AppFirewall, AppTrack, AppDDOS, IDP, UTM Antivirus, UTM Webfilter, UAC Enforcer
• Admin User Role & Auth, Inband or Outband, SNMP & RMON, Logging & Syslog, Netflow, NSM, Space, STRM, Time & NTP, Port Mirroring, Software Upgrade, Boot loader & Flash, Reset to Factory Def., Automation & Scripting, Nice Stuff
• Policy based VPN, Route based VPN, VPNs with Certificates, Dynamic VPN, VPN Diagnostics
• Monitor Commands, Log files, Debug Flow, Debug VPN, Packet Capture, Interface Monitoring
• Cluster Overview, Cluster Interfaces, Cluster Setup, Cluster States, Failover Behavior, Cluster & NSM
• Further Information, Docs & Papers
JUNOS BASICS

DOCUMENTATION AND GUIDES

THE RIGHT PLACE FOR SRX HARDWARE AND SOFTWARE DOCUMENTATION
Use the following Link
ADDITIONAL USEFUL INFORMATION SOURCES
Day One Booklets: http://www.juniper.net/us/en/community/junos/training-certification/day-one/
Feature Explorer: http://pathfinder.juniper.net/feature-explorer/
Content Explorer: http://www.juniper.net/techpubs/content-applications/content-explorer/
Feature Support Reference Guide: https://www.juniper.net/techpubs/en_US/junos12.1/information-products/pathway-pages/security/feature-support-reference.html?chap-feature-support-tables.html
SRX Knowledgebase (Jump Station): http://kb.juniper.net/KB15694
SRX Knowledgebase (list of the latest SRX articles): http://kb.juniper.net/index?page=content&cat=SRX_SERIES&channel=KB
SRX Application Notes: http://www.juniper.net/us/en/products-services/security/srx-series/#literature
JUNOS Network Configuration Examples: http://www.juniper.net/techpubs/en_US/junos/information-products/pathway-pages/nce/index.html
Juniper Forum:
• Configuration Library: http://forums.juniper.net/t5/Configuration-Library/bd-p/ConfigLib
• DayOne Tips: http://forums.juniper.net/t5/Day-One-Tips-Contest/bd-p/DayOneContest
CONTROL PLANE AND DATA PLANE
JUNOS SOFTWARE FEATURES (1 OF 2)
JUNOS software for SRX-series services gateways includes the following elements:
• JUNOS software as the base operating system
• Session-based forwarding
• Some ScreenOS-like security features
• Packet-based features:
  • Control plane OS
  • Routing protocols
  • Forwarding features: per-packet stateless filters, policers, CoS
• J-Web
JUNOS SOFTWARE FEATURES (2 OF 2)
• Session-based features: implement some ScreenOS features and functionality through the use of new daemons
  • The first packet of a flow triggers session creation based on: source and destination IP address, source and destination port, protocol, session token
• Zone-based security features
  • A packet on the incoming interface is associated with the incoming zone
  • A packet on the outgoing interface is associated with the outgoing zone
• Core security features: firewall, VPN, NAT, ALGs, IDP, and SCREEN options
CONTROL PLANE VERSUS DATA PLANE
• Control plane: implemented on the Routing Engine. JUNOS software kernel, daemons, chassis management, user interface, routing protocols, system monitoring, clustering control.
• Data plane: implemented on the IOCs and SPCs. Forwarding packets, session setup and maintenance, load-balancing, security policy, screen options, IDP, VPN.

LOGIN
LOGIN
Log in in the factory default state as user "root". The password is empty.

Amnesiac (ttyd0)
login: root
**********************************************************************
****  Welcome to JUNOS:                                           ****
****  To run the console configuration wizard, please run the     ****
****  command 'config-wizard' at the 'root%' prompt.              ****
****  To enter the JUNOS CLI, please run the command 'cli'.       ****
**********************************************************************
root@% cli
root>
LOGIN
Non-root users are placed into the CLI automatically.
The root user must start the CLI from the shell. Do not forget to exit the root shell after logging out of the CLI!

CLI prompt (non-root user):
switch (ttyu0)
login: user
Password:
--- JUNOS 9.1R2.10 built 2008-07-01 04:34:43 UTC
user@switch>

Shell prompt (root user):
switch (ttyu0)
login: root
Password:
--- JUNOS 9.1R2.10 built 2008-07-01 04:34:43 UTC
root@switch% cli
root@switch>
CLI BASICS

CLI MODES
Shell - when you log in as root. The % character identifies shell mode:
root% cli
root>

CLI - Operational mode. The > character identifies operational mode:
user@switch>

CLI - Configuration mode. The # character identifies configuration mode:
user@switch> configure
[edit]
user@switch# exit
user@switch>
CLI HIERARCHY
Execute commands (mainly) from the default CLI level (user@switch>). Commands can also be executed from configuration mode with the run command.
Commands form a hierarchy, from less specific to more specific. Example: show spanning-tree interface
(Diagram of the command hierarchy:)
  less specific: clear, configure, help, monitor, set, show, etc.
  under show: configuration, dot1x, interface, spanning-tree, version, etc.
  under show spanning-tree (more specific): bridge, interface, mstp, statistics
CLI EDITING
EMACS-style editing sequences are supported. A VT100 terminal type also supports the arrow keys.

Keyboard sequence | Cursor position (in the line user@switch> show interfaces)
Ctrl+b            | moves the cursor back one character
Ctrl+a            | moves the cursor to the beginning of the line
Ctrl+f            | moves the cursor forward one character
Ctrl+e            | moves the cursor to the end of the line
COMMAND AND VARIABLE COMPLETION
Enter a space to complete a command:
user@host> sh<space>ow i<space>
'i' is ambiguous.
Possible completions:
  igmp         Show Internet Group Management Protocol...
  ike          Show Internet Key Exchange information
  interfaces   Show interface information
  ipsec        Show IP Security information
  isis         Show Intermediate System-to-Intermediate...
user@host> show i

Use the Tab key to complete an assigned variable:
[edit policy-options]
user@host# show policy-statement t<tab>his-is-my-policy
then accept;
[edit policy-options]
user@host#
CONTEXT-SENSITIVE HELP
Type ? anywhere on the command line:
user@host> ?
Possible completions:
  clear        Clear information in the system
  configure    Manipulate software configuration information
  file         Perform file operations
  help         Provide help information
  . . .
user@host> clear ?
Possible completions:
  arp          Clear address resolution information
  bfd          Clear Bidirectional Forwarding Detection information
  bgp          Clear Border Gateway Protocol information
  firewall     Clear firewall counters
  . . .
SHOW CURRENT CONFIGURATION
ScreenOS style (set commands):
root@J6350> show config | display set
set version 9.3R2.8
set system host-name J6350
set system root-authentication encrypted-password "$1$QOLKoFKc$D/rIuLTkLP1BX9/GjQ.yN."
set system name-server 172.30.80.65
set system login user lab uid 2000
set system login user lab class super-user
........

JUNOS style (hierarchical):
root@J6350> show config
## Last commit: 2009-03-18 10:27:20 UTC by lab
version 9.3R2.8;
system {
    host-name Demo-081-111-J6350;
    root-authentication {
        encrypted-password "$1$QOLKoFKc$D/rIuLTkLP1BX9/GjQ.yN."; ## SECRET-DATA
    }
    name-server {
        172.30.80.65;
    }
    login {
        user lab {
            uid 2000;
            class super-user;
........
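The two listings above are the same configuration in two notations. The following script is an added example (it is not part of the Jump Station and not a Juniper tool) that flattens the hierarchical form into the set form, the way `| display set` does, and masks the values that Junos marks with `## SECRET-DATA` before a configuration is pasted into a ticket or a mail. The sample configuration and its password hash are constructed; the list of secret-carrying keywords is an assumption and deliberately small.

```python
import re
from typing import List

# Added example (not from the Jump Station): convert the hierarchical
# (curly-brace) display of "show configuration" into the flat "set" form that
# "show configuration | display set" prints, and redact secret values before
# the result is shared. The input below is constructed for this example.

SAMPLE_CONFIG = """\
## Last commit: 2009-03-18 10:27:20 UTC by lab
version 9.3R2.8;
system {
    host-name J6350;
    root-authentication {
        encrypted-password "$1$constructed$notarealhash"; ## SECRET-DATA
    }
    name-server {
        172.30.80.65;
    }
    login {
        user lab {
            uid 2000;
            class super-user;
        }
    }
}
"""

# Keywords whose following token is a secret (assumed subset; extend as needed).
_SECRET_KEYS = r"encrypted-password|ascii-text|hexadecimal|authentication-key|secret"
_SECRET_RE = re.compile(r'\b(' + _SECRET_KEYS + r')\s+("[^"]*"|\S+)')


def to_set_commands(text: str) -> List[str]:
    """Flatten a hierarchical Junos configuration into 'set ...' commands.

    '## ...' annotations (Last commit, SECRET-DATA) are dropped. A block
    header 'foo bar {' pushes 'foo bar' onto the path, '}' pops it, and a
    statement ending in ';' becomes 'set <path> <statement>'. Values in
    double quotes are kept verbatim. Limitations: inactive:/replace: tags
    and /* */ comments are not handled.
    """
    out: List[str] = []
    path: List[str] = []
    for raw in text.splitlines():
        line = raw.split("##", 1)[0].strip()   # strip trailing ## annotations
        if not line:
            continue
        if line == "}":
            if not path:
                raise ValueError("unbalanced '}'")
            path.pop()
        elif line.endswith("{"):
            path.append(line[:-1].strip())
        elif line.endswith(";"):
            out.append(" ".join(["set", *path, line[:-1].strip()]))
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    if path:
        raise ValueError("unterminated block: " + " ".join(path))
    return out


def redact_secrets(cmd: str) -> str:
    """Replace the value after a secret-carrying keyword with <redacted>."""
    return _SECRET_RE.sub(r"\1 <redacted>", cmd)


if __name__ == "__main__":
    for c in to_set_commands(SAMPLE_CONFIG):
        print(redact_secrets(c))
```

Keeping the redaction as a separate pass over the set commands means the same function can be applied to the output of `show configuration | display set` taken from a real box, where the `## SECRET-DATA` markers are already gone.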
CONFIGURATION, CANDIDATE, COMMIT, ROLLBACK

COMMANDS IN CONFIGURATION MODE (1)

COMMANDS IN CONFIGURATION MODE (2)
COPY/PASTE CONFIGURATIONS
To paste and add pieces of configuration:
SRX# load merge terminal <relative>
[Type ^D at a new line to end input]
system {
........

To paste and override the whole configuration:
SRX# load replace terminal
[Type ^D at a new line to end input]
system {
........
(Note: load replace only replaces the hierarchies tagged with replace: in the pasted text; load override terminal replaces the entire candidate configuration.)

To paste configuration written with "set" commands:
SRX# load set terminal <relative>
[Type ^D at a new line to end input]
set system ….
CONTROL AND FORWARDING PLANE OF A JUNOS ROUTER

NETWORK

INTERFACES
INTERFACE NUMBERING
Interface names and numbers:
Interface name = <Interface Type>-<Slot>/<Module>/<Port>.<logical number>
All numbers start from 0.
Examples:
  ge-0/1/2.3 - Gigabit Ethernet interface (slot 0, module 1, port 2, logical unit 3)
  fe-0/1/2.3 - Fast Ethernet interface
  st0.0      - first secure tunnel interface (VPN tunnel)
  lo0        - first loopback interface
For a list of interface types see http://www.juniper.net/techpubs/software/JUNOS/JUNOS96/swconfig-network-interfaces/frameset.html
Wildcards - many commands accept wildcards in interface names:
show interfaces ge-0/0/*
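As an added example (not part of the Jump Station), the parser below implements the naming scheme just described: it splits a name into type, slot, module, port and logical unit, handles the unslotted forms (lo0, st0.0, vlan.0, reth1.0) the later slides use, and applies a `show interfaces`-style wildcard such as `ge-0/0/*` to a list of names. The type descriptions are a small table of the types used on this page, not the full list from the documentation.

```python
import re
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Iterable, List, Optional

# Added example (not from the Jump Station): parse Junos interface names of the
# form <type>-<slot>/<module>/<port>[.<unit>] and names without slot numbering
# such as lo0, st0.0, vlan.0 or reth1.0, and apply "show interfaces" style
# wildcards (ge-0/0/*) to a list of names.

_SLOTTED = re.compile(
    r"^(?P<type>[a-z]+)-(?P<slot>\d+)/(?P<module>\d+)/(?P<port>\d+)(?:\.(?P<unit>\d+))?$")
_UNSLOTTED = re.compile(r"^(?P<type>[a-z]+)(?P<num>\d+)?(?:\.(?P<unit>\d+))?$")

# Descriptions for the types used on this page only (assumed subset).
_TYPES = {
    "ge": "Gigabit Ethernet", "fe": "Fast Ethernet", "st": "secure tunnel (IPsec)",
    "lo": "loopback", "gr": "GRE tunnel", "lt": "logical tunnel",
    "ip": "IP-over-IP tunnel", "reth": "redundant Ethernet (cluster)",
    "vlan": "routed VLAN interface", "pp": "PPPoE",
}


@dataclass(frozen=True)
class IfName:
    iftype: str
    slot: Optional[int] = None
    module: Optional[int] = None
    port: Optional[int] = None
    number: Optional[int] = None     # lo0 -> 0, reth1 -> 1, vlan -> None
    unit: Optional[int] = None       # logical unit after the dot

    @property
    def physical(self) -> str:
        """Name without the logical unit, e.g. ge-0/1/2 for ge-0/1/2.3."""
        if self.slot is not None:
            return f"{self.iftype}-{self.slot}/{self.module}/{self.port}"
        return f"{self.iftype}{'' if self.number is None else self.number}"


def parse_ifname(name: str) -> IfName:
    """Parse a Junos interface name; raises ValueError for anything else."""
    m = _SLOTTED.match(name)
    if m:
        return IfName(m["type"], int(m["slot"]), int(m["module"]), int(m["port"]),
                      None, int(m["unit"]) if m["unit"] else None)
    m = _UNSLOTTED.match(name)
    if m:
        return IfName(m["type"], number=int(m["num"]) if m["num"] else None,
                      unit=int(m["unit"]) if m["unit"] else None)
    raise ValueError(f"not a Junos interface name: {name!r}")


def describe(name: str) -> str:
    """Human-readable description in the style of the slide's examples."""
    n = parse_ifname(name)
    kind = _TYPES.get(n.iftype, f"'{n.iftype}' interface")
    parts = []
    if n.slot is not None:
        parts += [f"slot {n.slot}", f"module {n.module}", f"port {n.port}"]
    elif n.number is not None:
        parts.append(f"number {n.number}")
    if n.unit is not None:
        parts.append(f"logical unit {n.unit}")
    return f"{name} - {kind} ({', '.join(parts)})" if parts else f"{name} - {kind}"


def match_ifnames(pattern: str, names: Iterable[str]) -> List[str]:
    """Select names matching a wildcard such as ge-0/0/* (case-sensitive)."""
    return [n for n in names if fnmatchcase(n, pattern)]


if __name__ == "__main__":
    for n in ("ge-0/1/2.3", "fe-0/1/2.3", "st0.0", "lo0"):
        print(describe(n))
    print(match_ifnames("ge-0/0/*", ["ge-0/0/0", "ge-0/0/1.0", "fe-0/0/2", "ge-0/1/0"]))
```

The wildcard match runs over the whole name, so `ge-0/0/*` selects the physical ports of slot 0, module 0 together with their logical units, which is what the CLI shows for the same pattern.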
SWITCHING

SWITCHING ON FIREWALLS?
Switching features on the firewall can help to simplify the network by eliminating additional switches. This can be a commercial and management advantage, especially in small branch offices.
• Switching is possible on Branch SRX models (SRX100 … SRX650) and J-Series with uPIM modules
• Switching is not available (and not needed) on High-End SRX
• Switching is done in hardware. Full throughput can be achieved without consuming CPU performance
• Since JUNOS 10.0 the smaller SRX (100 … 240) have switching enabled on all interfaces (except ge-0/0/0) in the factory default configuration
SWITCHING: DEFAULT CONFIGURATION ON SRX210 WITH JUNOS 10.0
# An internal VLAN (vlan-trust) is defined to allow switching between several interfaces
set vlans vlan-trust vlan-id 3

# The interface vlan unit 0 is assigned to this VLAN as the Layer 3 interface in this VLAN
set vlans vlan-trust l3-interface vlan.0

# This Layer 3 interface can have an IP address that is reachable from all
# hosts on its VLAN. In branch deployments this is typically the gateway address.
set interfaces vlan unit 0 family inet address 192.168.1.1/24

# All physical interfaces - except ge-0/0/0 of the SRX210 - are now assigned
# to an interface-range with the name interfaces-trust
set interfaces interface-range interfaces-trust member ge-0/0/1
set interfaces interface-range interfaces-trust member fe-0/0/2
set interfaces interface-range interfaces-trust member fe-0/0/3
set interfaces interface-range interfaces-trust member fe-0/0/4
set interfaces interface-range interfaces-trust member fe-0/0/5
set interfaces interface-range interfaces-trust member fe-0/0/6
set interfaces interface-range interfaces-trust member fe-0/0/7

# The interface-range is assigned to the VLAN vlan-trust
set interfaces interface-range interfaces-trust unit 0 family ethernet-switching vlan members vlan-trust

# It's a firewall, so the interface is mapped to zone trust where all services are enabled
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
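The last three commands are the part of the factory default a reviewer should look at: `host-inbound-traffic system-services all` and `protocols all` on the trust zone expose every management service and routing protocol of the firewall itself to all hosts on that VLAN. The following script is an added example (not from the Jump Station, not a Juniper tool) that reads a set-style configuration, records which interfaces each zone owns, and flags every zone-wide or per-interface `all` so that such zones can be narrowed to the services actually needed (for example `ssh` and `ping`). The input is constructed: the default trust zone from above plus an untrust and a dmz zone with explicit services.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Added example (not from the Jump Station): audit the host-inbound-traffic
# settings of a set-style SRX configuration. It lists which interfaces each
# zone owns and flags every zone or interface that allows "all"
# system-services or "all" protocols, as the factory default does for the
# trust zone. The configuration below is constructed for this example.

SAMPLE_SET_CONFIG = """\
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone dmz interfaces vlan.100
set security zones security-zone dmz host-inbound-traffic system-services ssh
set security zones security-zone dmz host-inbound-traffic protocols ospf
"""

# "set security zones security-zone <zone> interfaces <ifname>" with nothing after it
_IFACE_ONLY = re.compile(
    r"^set security zones security-zone (?P<zone>\S+) interfaces (?P<ifname>\S+)$")
# zone-wide or per-interface host-inbound-traffic statement
_HIT = re.compile(
    r"^set security zones security-zone (?P<zone>\S+)"
    r"(?: interfaces (?P<ifname>\S+))? host-inbound-traffic"
    r" (?P<kind>system-services|protocols) (?P<value>\S+)$")

Finding = Tuple[str, str, str, str]   # (zone, scope, kind, value)


def audit_host_inbound(config_text: str) -> Dict[str, object]:
    """Return zone_interfaces, every allowed entry, and the 'all' entries.

    scope is 'zone' for a zone-wide setting or the interface name for a
    per-interface setting; wide_open holds the findings whose value is 'all'.
    """
    zone_ifaces: Dict[str, set] = defaultdict(set)
    allowed: List[Finding] = []
    for line in config_text.splitlines():
        line = line.strip()
        m = _IFACE_ONLY.match(line)
        if m:
            zone_ifaces[m["zone"]].add(m["ifname"])
            continue
        m = _HIT.match(line)
        if not m:
            continue
        if m["ifname"]:
            zone_ifaces[m["zone"]].add(m["ifname"])
        allowed.append((m["zone"], m["ifname"] or "zone", m["kind"], m["value"]))
    return {
        "zone_interfaces": {z: sorted(i) for z, i in zone_ifaces.items()},
        "allowed": allowed,
        "wide_open": [f for f in allowed if f[3] == "all"],
    }


def format_report(result: Dict[str, object]) -> List[str]:
    """One line per wide-open finding, for a config review or pre-commit check."""
    lines = []
    for zone, scope, kind, _ in result["wide_open"]:
        where = "zone-wide" if scope == "zone" else f"interface {scope}"
        ifaces = ", ".join(result["zone_interfaces"].get(zone, [])) or "no interfaces"
        lines.append(f"WARN zone {zone}: {kind} all ({where}); interfaces: {ifaces}")
    return lines


if __name__ == "__main__":
    for line in format_report(audit_host_inbound(SAMPLE_SET_CONFIG)):
        print(line)
```

Run against the output of `show configuration | display set`, the report lists the zones that still carry the factory-default openness; the same regexes serve the VLAN interface example that follows, where the services are set per interface with `interfaces vlan.100 host-inbound-traffic ....`.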
SWITCHING: ANOTHER CONFIGURATION EXAMPLE
# Before you can add an interface to switching you probably have to remove assignments.
# If there is an IP address assigned to the interface you have to remove it
delete interfaces fe-0/0/2 unit 0 family inet
# If the interface is a member of an interface-range in use, you have to untie it
delete interfaces interface-range .... member fe-0/0/2

# You can specify a VLAN which will be used for switching
set vlans VLAN-100 vlan-id 100

# Configure Ethernet switching on the interfaces that are part of the VLAN.
# Default for new switching interfaces is access mode (= untagged)
set interfaces fe-0/0/2 unit 0 family ethernet-switching
set interfaces fe-0/0/3 unit 0 family ethernet-switching

# Assign these interfaces to the desired VLAN
set vlans VLAN-100 interface fe-0/0/2.0
set vlans VLAN-100 interface fe-0/0/3.0

# Configure a VLAN interface with an IP for this VLAN
set interfaces vlan unit 100 family inet address 192.168.1.1/24

# Assign this VLAN interface as your Layer 3 interface on this VLAN
set vlans VLAN-100 l3-interface vlan.100

# It's a firewall, so the VLAN interface must also be in a zone
set security zones security-zone trust interfaces vlan.100

# Allow services on the VLAN interface if desired
set security zones security-zone trust interfaces vlan.100 host-inbound-traffic ....
SWITCHING: TROUBLESHOOTING COMMANDS
# Show which VLANs exist and which interfaces are assigned
show vlans [detail]
# History of MACs added and removed
show ethernet-switching mac-learning-log
# Current MAC table
show ethernet-switching table
# Current MAC table for a certain interface
show ethernet-switching table interface fe-0/0/2
ETHERNET SWITCHING ON BRANCH SRX: INTERFACES SUPPORTED
(yes = supported, no = not supported)
Platform | On-Board | uPIM | MPIM | XPIM
J2320    | no       | yes  | no   | no
J2350    | no       | yes  | no   | no
J4350    | no       | yes  | no   | no
J6350    | no       | yes  | no   | no
SRX100   | yes      | no   | no   | no
SRX110   | yes      | no   | no   | no
SRX210   | yes      | no   | no*  | no
SRX220   | yes      | no   | no*  | no
SRX240   | yes      | no   | no*  | no
SRX550   | yes      | no   | no*  | yes**
SRX650   | no       | no   | no   | yes**
* Ethernet switching support is planned for a future release for the 1 Gigabit Ethernet SFP MPIM on the SRX210, SRX220, SRX240 and SRX550.
** As of JUNOS OS Release 12.1, Ethernet switching is not supported on the 10G XPIM.
REMARKS
• Configuration syntax for all supported features is exactly the same as with the EX switches. The documentation "Feature Support Reference" explains which switching features are supported.
• There are some dependencies on which ports can be used for switching (see documentation).
• Before 11.1 switching was only applicable for single units. Commit in the cluster was only possible when all switching configuration was removed. The assumption was that HA cluster configurations are usually designed with external switches.
• Since 11.1 switching is also supported on Branch SRX clusters and can even span the two cluster members. This requires an additional link between the two nodes.

ROUTING
STATIC ROUTES: CONFIGURATION
# Host route
set routing-options static route 10.2.2.1/32 next-hop 10.1.1.254
# Network route
set routing-options static route 10.2.2.0/24 next-hop 10.1.1.254
# Default route
set routing-options static route 0.0.0.0/0 next-hop 10.1.1.254

# Route to an interface
# Useful for point-to-point interfaces like pppoe, vpn-tunnel, gre-tunnel
set routing-options static route 0.0.0.0/0 next-hop pp0.0
set routing-options static route 10.1.1.0/24 next-hop st0.0

# Route to another virtual router
set routing-options static route 10.0.0.100/32 next-table Logging.inet.0
# Example for the definition of the VR with the name Logging referenced above
set routing-instances Logging instance-type virtual-router
set routing-instances Logging interface ge-0/0/7.0

# A network route to discard any traffic that did not hit a more specific route
# Black hole routes can sometimes save performance for policy lookups or
# avoid rerouting in case of interface failures (example: VPN is down)
set routing-options static route 0.0.0.0/0 discard
STATIC ROUTES: ROUTE FAILOVER WITH IP-MONITORING
# Since 11.4 all Branch SRX support IP-Monitoring and automatic route failover
# Check out KB22052 for configuration details of a dual ISP connection with RPM for
# IP-Monitoring and filter-based forwarding for load distribution
set services ip-monitoring policy Server-Tracking match rpm-probe Probe-Server
set services ip-monitoring policy Server-Tracking then preferred-route routing-instances FBF-1 route 0.0.0.0/0 next-hop 2.2.2.2
# ------> installs the route in the first routing instance

set services ip-monitoring policy Server-Tracking1 match rpm-probe Probe-Server1
set services ip-monitoring policy Server-Tracking1 then preferred-route routing-instances FBF-2 route 0.0.0.0/0 next-hop 1.1.1.1
# ------> installs the route in the second routing instance
STATIC ROUTES: MONITORING
# Display the routing table
root@J2300> show route
inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 01:13:15
                    > to 172.16.42.1 via fe-0/0/0.0
10.2.2.0/24        *[Static/5] 00:00:05
                    > to 172.16.42.1 via fe-0/0/0.0
172.16.42.0/24     *[Direct/0] 01:13:15
                    > via fe-0/0/0.0
172.16.42.230/32   *[Local/0] 01:21:12
                      Local via fe-0/0/0.0
224.0.0.9/32       *[RIP/100] 01:21:37, metric 1
                      MultiRecv

# Route lookup for a certain destination
root@J2300> show route 20.0.0.1
# Routing table overview
root@J2300> show route summary
# Forwarding table (includes all active routes, visible to the data plane)
root@J2300> show route forwarding-table
OSPF CONFIGURATION
# Enable OSPF on an interface
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0
# And permit OSPF traffic on the zone of that interface (<zone-name> is a placeholder)
set security zones security-zone <zone-name> host-inbound-traffic protocols ospf

# Recommended: use a loopback interface
set interfaces lo0 unit 0 family inet address 192.168.1.2/32
set protocols ospf area 0.0.0.0 interface lo0.0 passive

# Option: specify your own router-id
set routing-options router-id 192.168.1.2

# To get direct interface routes announced you can add them to OSPF in passive mode
set protocols ospf area 0.0.0.0 interface vlan.100 passive

# Option: negotiate graceful restart
set routing-options graceful-restart

# On SRX clusters, for RG0 failover you might have to extend the OSPF timers to survive
# a dead interval of 5-20 seconds and also use the following setting:
set protocols ospf graceful-restart no-strict-lsa-checking
RIP CONFIGURATION
# RIP requires a group; all interfaces are attached to this group as neighbors
set protocols rip group RIP neighbor ge-0/0/0.0
set protocols rip group RIP neighbor ge-0/0/1.0

# And permit RIP traffic on the zones of these interfaces
set security zones security-zone TRUST host-inbound-traffic protocols rip

# You can add IPsec tunnel interfaces with relaxed RIP update timers
# You can even work with tunnel interfaces with Next-Hop Tunnel Binding (NHTB)
set protocols rip group RIP neighbor st0.0 interface-type p2mp
set protocols rip group RIP neighbor st0.0 dynamic-peers
set interfaces st0 unit 0 multipoint

# Option: negotiate graceful restart
set routing-options graceful-restart

# Filter the routes announced by the RIP group via a policy-options filter (applied as export policy)
set policy-options policy-statement FILTER term a from route-filter 1.2.3.0/24 exact
set policy-options policy-statement FILTER term a then accept
set policy-options policy-statement FILTER term drop then reject
set protocols rip group RIP export FILTER
OSPF MONITORING
# See neighbors and state
root> show ospf neighbor
Address      Interface      State   ID             Pri   Dead
10.222.2.2   ge-0/0/11.0    Full    192.168.36.1   128   36

# Link state database
root> show ospf database
OSPF IMPORT/EXPORT FILTER (POLICY-OPTIONS)
# OSPF default is to import everything (into the routing table) and to export routes only from interfaces
# that are (active) members of the same OSPF area.
# For export of all other routes or to filter inbound routes you need routing policy filters.

# Example filter to export all local static and all direct routes
edit policy-options policy-statement ALL-LOCAL
set term 1 from protocol direct
set term 1 then accept
set term 2 from protocol static
set term 2 then accept
top
set protocols ospf export ALL-LOCAL

# Example filter to export only a certain route (which must exist in the routing table)
edit policy-options policy-statement JUST-ONE
set term 1 from route-filter 172.10.0.0/16 exact
set term 1 then metric 10 accept
top
set protocols ospf export JUST-ONE
BGP CONFIGURATION
# Example configuration with two AS
# Permit BGP traffic on the zone or interface(s) where you reach your peer(s)
set security zones security-zone trust host-inbound-traffic protocols bgp

# Recommended: use a loopback interface
set interfaces lo0 unit 0 family inet address 1.1.1.2/32

# Specify your own AS and your router-ID
set routing-options autonomous-system 1234
set routing-options router-id 1.1.1.2

# Specify peer(s)
edit protocols bgp group UPSTREAM
set local-address 1.1.1.2
set peer-as 64005
set local-as 64006
set neighbor 1.1.1.1 export BGP-EXPORT-POLICY
top

# A policy describing how to export the routes
set policy-options policy-statement BGP-EXPORT-POLICY from protocol direct
set policy-options policy-statement BGP-EXPORT-POLICY then accept

# Option: static routes that are not redistributed
set routing-options static route 1.1.2.0/24 no-readvertise

# Option: specify how to aggregate routes
set routing-options aggregate route 1.1.1.1/20 [policy ...]
BGP MONITORING
show bgp neighbor
show bgp summary
show route summary

# Which routes did we receive from a neighbor
show route receive-protocol bgp <peer-ip>
# Which routes do we send to a neighbor
show route advertising-protocol bgp <peer-ip>
IS-IS CONFIGURATION
set interfaces ge-0/0/1 unit 0 family iso
set interfaces ge-0/0/2 unit 0 family iso
set interfaces lo0 unit 0 family iso address 49.0002.0002.0002.00
set protocols isis interface ge-0/0/1.0
set protocols isis interface ge-0/0/2.0
set protocols isis interface lo0.0 passive

TUNNEL INTERFACES
TUNNEL INTERFACES: GRE - GENERIC ROUTING ENCAPSULATION
# Typical use cases for GRE tunnels are
# - OSPF over GRE with non-Juniper routers
# - Multicast over GRE with non-Juniper routers
set interfaces gr-0/0/0 unit 0 tunnel source 10.0.0.1
set interfaces gr-0/0/0 unit 0 tunnel destination 10.0.0.2
set interfaces gr-0/0/0 unit 0 family inet address 10.1.0.1/3
set protocols ospf area 0.0.0.0 interface gr-0/0/0.0
set security zones security-zone vpn host-inbound-traffic protocols ospf
set security zones security-zone vpn interfaces gr-0/0/0.0

# MTU adjustments might be necessary because the GRE default MTU is ~ 9000

# When fragmentation happens in a GRE tunnel there are two options for reassembly
# a) use IDP inspection on the traffic leaving the tunnel
# b) since JUNOS 11.2 you can apply the following command
set security flow force-ip-reassembly
TUNNEL INTERFACES: LOGICAL TUNNEL
# A logical tunnel can be used like a physical wire between two interfaces of an SRX
# Typical use cases are:
# - forwarding between a VR in packet mode and a VR in flow mode
# - forwarding between VRs to apply two policies to one session
# - intra-LSYS traffic (all LSYS have one tunnel to LSYS0)

# Logical tunnel interfaces
set interfaces lt-0/0/0 unit 0 encapsulation ethernet
set interfaces lt-0/0/0 unit 0 peer-unit 1
set interfaces lt-0/0/0 unit 0 family inet
set interfaces lt-0/0/0 unit 1 encapsulation ethernet
set interfaces lt-0/0/0 unit 1 peer-unit 0
set interfaces lt-0/0/0 unit 1 family inet

# And now use them between two VRs
set routing-instances r1 interface lt-0/0/0.0
set routing-instances r2 interface lt-0/0/0.1
TUNNEL INTERFACES: IP OVER IP
# This example forwards all IPv6 traffic encapsulated in IPv4 to 10.19.3.1
set interfaces ip-0/0/0 unit 0 tunnel source 10.19.2.1
set interfaces ip-0/0/0 unit 0 tunnel destination 10.19.3.1
set interfaces ip-0/0/0 unit 0 family inet6 address 7019::1/126
set routing-options rib inet6.0 static route ::0/0 next-hop ip-0/0/0.0
MULTICAST

IPV4 MULTICAST CONFIGURATION (1)
# IGMP allows receivers to join/leave a group
# Version 1 had join only and a 3 min timeout
# Version 2 (default) allows receivers to join and leave
# Version 3 allows joining and selecting the source IP of the sender
set protocols igmp interface reth2.0 version 3

# Enable PIM to communicate with multicast routers in the distribution tree
set protocols pim interface reth1.0

# Finding the Rendezvous Point
# Option 1: static Rendezvous Point on another router
set protocols pim rp static address 192.168.1.1

# Option 2: we are the Rendezvous Point ourselves - in this case the loopback interface is best practice
set interfaces lo0 unit 0 family inet address <IP-for-RP>
set protocols pim rp local address <IP-for-RP>

# Other options supported for RP selection: Anycast, Bootstrap, Auto-RP
# Best practice for multicast routing: PIM Dense Mode with Anycast RP
# Check Technote: Multicast Implementation Guide
IPV4 MULTICAST CONFIGURATION (2)
# Allow IGMP on all interfaces where we expect receivers to join
set security zones security-zone A interfaces reth1.0 host-inbound-traffic protocols igmp
set security zones security-zone B interfaces reth2.0 host-inbound-traffic protocols igmp

# Allow PIM on all interfaces where we expect distribution routers
set security zones security-zone A interfaces reth1.0 host-inbound-traffic protocols pim
set security zones security-zone B interfaces reth2.0 host-inbound-traffic protocols pim

# All interfaces can also be in a custom VR
# IGMP configuration is not in VR context
set protocols igmp interface reth20.0 version 3

set routing-instances VR-MCAST instance-type virtual-router
edit routing-instances VR-MCAST
set interface vlan.3
set interface vlan.10
set interface vlan.20
set interface vlan.30
set protocols igmp interface vlan.20
set protocols pim rp local address 10.0.42.110
set protocols pim interface vlan.10
top
IPV4 MULTICAST TROUBLESHOOTING
# Monitoring
show pim bootstrap [instance VR]
show pim interfaces [instance VR]
show pim join [instance VR]
show pim mdt [instance VR]
show pim neighbors [instance VR]
show pim rps [instance VR]
show pim source [instance VR]
show pim statistics [instance VR]
show igmp interface
show igmp output-groups
show igmp statistics
show multicast route
show multicast rpf

# tcpdump to watch PIM and IGMP packets
monitor traffic interface vlan.10 no-resolve detail size 1500 matching "pim || igmp"

# Debugging
set protocols pim traceoptions file trace-pim
set protocols pim traceoptions flag all
set protocols igmp traceoptions file trace-igmp
set protocols igmp traceoptions flag all

# PIM to IGMP proxy
show multicast pim-to-igmp-proxy
IPV4 MULTICAST FURTHER INFORMATION
# Best practice for multicast routing: PIM Dense Mode with Anycast RP
# Check Technote: Multicast Implementation Guide

# IGMP proxy is not available, but pim-to-igmp-proxy is available
set pim-to-igmp-proxy upstream-interface ge-0/1/0.1

# Important hint for multicast on an SRX cluster:
# Disable IGMP snooping on the surrounding switches to avoid outages after failover

# Multicast configuration overview and examples
http://www.juniper.net/techpubs/en_US/junos12.1/information-products/pathway-pages/config-guide-multicast/config-guide-multicast.html#configuration
# Dense Mode and debugging example
http://kb.juniper.net/InfoCenter/index?page=content&id=KB24781
# Multicast Implementation Guide (EX and MX)
http://kb.juniper.net/library/CUSTOMERSERVICE/technotes/8010062-001-EN.pdf
IPV6

IPV6 CURRENT STATE (12.1)
IPv6 firewalling works in route mode with the following features:
- Policy/Zones/Flow/Fragment/HA/[FTP/TFTP/DNS ALG]/FW Auth
- in Active/Passive clusters since 10.0
- in Active/Active clusters since 11.2
- IDP on IPv6 in route mode since 11.4
It works in transparent mode with the following features since 11.4r3:
- Policy/Zones/Flow/Fragment/HA/[FTP/TFTP/DNS ALG]/FW Auth/VLAN Retagging/SNMP
For more details on IPv6 feature support in JUNOS 12.1 check this documentation:
http://www.juniper.net/techpubs/en_US/junos12.1/topics/reference/general/security-feature-ipv6-support.html
IPV6 DHCPV6 SERVER
# DHCP server for prefix delegation is available on High-End SRX
# The example below offers prefix delegation only (no exact IP assignment)
edit system services dhcp-local-server dhcpv6
set overrides interface-client-limit 100
set group GROUP1 interface ge-0/0/0.0
top

edit access address-assignment pool TRUSTv6 family inet6
set prefix fd27:9816:dca8:1::/48
set range RANGE1 prefix-length 64
top

# For exact IP assignment and DHCP server attributes use these statements
edit access address-assignment pool TRUSTv6 family inet6
set dhcp-attributes dns-server ....
set dhcp-attributes options ....
set range RANGE1 high ...
set range RANGE1 low ...
top
IPV6 DIAGNOSTICS
# show interfaces terse then shows two IPv6 addresses for each interface:
# 2001:........ = global address
# fe80:x:x:x = link-local address
show interfaces terse

# Routing table (table inet6.0), neighbor cache and router advertisements
show route table inet6.0
show ipv6 neighbors
show ipv6 router-advertisement

# Interface traffic monitor, filtered to IPv6 only
monitor traffic interface ge-0/0/0.0 matching ip6 size 200 detail

# ping: we use the same ping for IPv4 and IPv6
ping 2001:638:c:a057::1
# Force ping with IPv6
ping inet6 www.heise.de

# traceroute: same command as for IPv4
traceroute 2001:db8:0:6:202:b300:2215:595 source 2001:db8::5

# Monitoring the session table
show security flow session summary family [inet|inet6]
IPV6 DYNAMIC ROUTING WITH RIPNG
# Enable the RIPng listener on the following interfaces
edit protocols ripng
edit group NEIGHBORS
set neighbor ge-0/0/0.0
set neighbor ge-0/0/1.0
set neighbor fe-0/0/2.0
set neighbor fe-0/0/3.0
top

# If you want to export routes you need a route filter
edit policy-options policy-statement RIPNG-EXPORT
set term RIPNG from protocol ripng
set term RIPNG then accept
set term DIRECT from protocol direct
set term DIRECT from route-filter 2001:DB8::/32 orlonger
set term DIRECT then accept
top

# The route filter must be applied to the RIPng group
set protocols ripng group NEIGHBORS export RIPNG-EXPORT

# Monitoring
show route receive-protocol ripng
show route advertising-protocol ripng
show route protocol ripng
IPV6 DYNAMIC ROUTING WITH OSPFV3
# Introducing a loopback interface is best practice when using routing protocols
set interfaces lo0 unit 0 family inet address 10.0.0.210/32
# Specifying the router-id (as an IPv4 address) is also recommended
set routing-options router-id 10.0.0.210
# Enable OSPFv3 on the following interfaces
edit protocols ospf3
set area 0 interface lo0.0 passive
set area 0 interface ge-0/0/0.0
set area 0 interface ge-0/0/1.0
set area 0 interface fe-0/0/2.0
set area 0 interface fe-0/0/3.0
top
# Monitoring commands
show ospf3 neighbor
show ospf3 overview
show ospf3 route
show ospf3 statistics
IPV6 IMPROVED SECURITY
# Off-link malicious IPv6 nodes may spoof Neighbor Discovery messages to poison
# the router's ND cache. To mitigate, use
set protocols neighbor-discovery onlink-subnet-only
# A reboot after commit is suggested to clear out any bogus neighbor entries in the cache
VLAN TRUNKING AND LINK AGGREGATION
VLAN TRUNKS
VLAN TRUNKS: NOTES AND LIMITATIONS
There are two possible approaches to configure VLAN trunks on SRX:
• As part of the "Switching" configuration (family ethernet-switching)
• As part of the "Routing" configuration (family inet)
"Switching" Configuration
• Allows switching between all interfaces that are part of a VLAN. The member interfaces can be tagged and/or untagged
• Supported only on Branch SRX
• Not supported on redundant interfaces of a cluster
"Routing" Configuration
• Allows creating a sub-interface and using it for routing
• Supported on all SRX platforms
• Supported also in cluster mode (can be applied to reth interfaces)
• Supported also on aggregate interfaces
VLAN TRUNK CONFIGURATION EXAMPLE FAMILY "INET"
# Enable VLAN tagging on a physical interface
set interfaces ge-0/0/0 vlan-tagging
# Now we can create two sub-interfaces on this physical interface
# Best practice: use the vlan-id also as the unit number
set interfaces ge-0/0/0 unit 11 vlan-id 11
set interfaces ge-0/0/0 unit 11 family inet address 10.0.11.1/24
set interfaces ge-0/0/0 unit 12 vlan-id 12
set interfaces ge-0/0/0 unit 12 family inet address 10.0.12.1/24
# The different sub-interfaces can be in different zones
set security zones security-zone zone11 interfaces ge-0/0/0.11
set security zones security-zone zone12 interfaces ge-0/0/0.12
VLAN TRUNK CONFIGURATION EXAMPLE FAMILY "SWITCHING"
# Define all VLANs you want to participate in
set vlans VLAN-80 vlan-id 80
# For trunk ports which carry multiple VLANs use the following syntax
set interfaces xe-0/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces xe-0/0/0 unit 0 family ethernet-switching vlan members all
# For access ports which are untagged but mapped to a certain VLAN
# use the following syntax
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members <name>
# To create an RVI (routed virtual interface) that gives the SRX an IP on a VLAN
set interfaces vlan unit 80 family inet address 80.0.0.1/24
# And assign this interface to the VLAN
set vlans VLAN-80 l3-interface vlan.80
LINK AGGREGATIONAND LACP
LINK AGGREGATION ON BRANCH SRX: NOTES AND LIMITATIONS
Standalone Units:
• Link aggregation is possible by configuration of AE interfaces
• AE interfaces are supported with family ethernet-switching since JUNOS 9.5
• AE interfaces are supported with family inet since JUNOS 10.1r2
• LACP on AE interfaces with family ethernet-switching is supported since JUNOS 9.5
• LACP on AE interfaces with family inet is supported since JUNOS 10.2r2
Chassis Clusters (Redundant Interfaces):
• Redundant interfaces (as required in clusters for failover) can have aggregate interfaces as members since JUNOS 10.3r2
• Switching across members of an HA cluster is available since 11.2 - this requires an additional link between the two Branch SRX
Chassis Cluster (Private Interfaces):
• Private interfaces - that are only active on one cluster member - are possible in clusters
• Private interfaces can still be aggregate interfaces (local LAG)
• Private interfaces can not have member interfaces from both chassis at the same time. A configuration with member interfaces from different chassis might commit, but it is not supported
LINK AGGREGATION ON DATACENTER SRX: NOTES AND LIMITATIONS
Standalone Units:
• Link aggregation is possible by configuration of AE interfaces
• Aggregated Ethernet interfaces are supported since JUNOS 10.0
• Aggregated Ethernet interfaces can be used with family inet only
• LACP support is available on High-End SRX since JUNOS 10.2r3
Chassis Clusters (Redundant Interfaces):
• AE can not be used in a chassis cluster for redundant interfaces, but since JUNOS 10.1 there is another configuration available for link aggregation in chassis clusters.
• This configuration can even span cluster members. Only interfaces on the active link will be used to receive and transmit data.
• Check the Admin Guide for these "Redundant Ethernet Interface Link Aggregation Groups".
Chassis Clusters (Private Interfaces):
• Private interfaces - that are only active on one cluster member - are possible in clusters
• Private interfaces can still be aggregate interfaces (local LAG)
• Private interfaces can not have member interfaces from both chassis at the same time. A configuration with member interfaces from different chassis might commit, but it is not supported
LINK AGGREGATION ON A SINGLE UNIT
Configuration example for an aggregated Ethernet interface
# Set the number of aggregated interfaces on this device/chassis
set chassis aggregated-devices ethernet device-count <number>
# Configure AE interfaces (ae0, ae1, ...)
# On High-End SRX AE interfaces can use family inet
# On Branch SRX AE interfaces can use family inet and family ethernet-switching
set interfaces <aex> unit 0 family inet address <ip address>
# Associate physical Ethernet interfaces with the AE
set interfaces <interface-name> gigether-options 802.3ad <aex>
# Minimum number of links required for this aggregate to be up
set interfaces <aex> aggregated-ether-options minimum-links <n>
# LACP configuration (today only supported on Branch SRX)
set interfaces <aex> aggregated-ether-options lacp passive
LINK AGGREGATION ON A CHASSIS CLUSTER
Configuration example for a redundant Ethernet interface
# On High-End SRX LAG support starts with 10.1r2, LACP starts with 10.2r3
# On some Branch SRX LAG support starts with 10.3r2, LACP also starts with 10.3r2
# Documentation: "Chassis Cluster Redundant Ethernet Interface Link Aggregation Groups"
set interfaces ge-1/0/1 gigether-options redundant-parent reth1
set interfaces ge-1/0/2 gigether-options redundant-parent reth1
set interfaces ge-1/0/3 gigether-options redundant-parent reth1
set interfaces ge-12/0/1 gigether-options redundant-parent reth1
set interfaces ge-12/0/2 gigether-options redundant-parent reth1
set interfaces ge-12/0/3 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options minimum-links 3
# From the network point of view these are two independent aggregate interfaces.
# Only the interfaces on the active node are used for transmission
# Further LACP configuration can be added to the reth interface now
# (choose either passive or active mode)
set interfaces reth1 redundant-ether-options lacp periodic fast
set interfaces reth1 redundant-ether-options lacp passive
set interfaces reth1 redundant-ether-options lacp active
LINK AGGREGATION ON DATACENTER SRX
• Extend lacpd to support RETHs with JUNOS 10.2
• Hitless RG failover for transit traffic
• Handle active/standby LAGs independently and simultaneously
• Support: a reth is connected to two switches
• Support: a reth is connected to one single switch
• At the remote side: active LAG and standby LAG each shall be terminated at an AE or equivalent (same as 10.1)
[Figure: Cluster 1 of two SRX 5600 HA nodes (Node 0, Node 1) with reth0 as RLAG; the active LAG terminates at Switch/Router ae0, the standby LAG at Switch/Router ae1]
LINK REDUNDANCY
IP MONITORING & FAILOVER WITH RPM
# Since 11.4r2 Branch SRX allows using RPM to monitor reachability of a destination
# and in response to PASS or FAIL fail over a route or an interface
# Configure probes under the probe owner PING-PROBE
# Example: test SERVER1 checks if the server responds to ping
edit services rpm probe PING-PROBE test SERVER1
set probe-type icmp-ping
set target address 192.168.42.1
set probe-count 5
set probe-interval 5
set thresholds successive-loss 5
set test-interval 10
top
edit services ip-monitoring policy FAILOVER-Policy
set match rpm-probe PING-PROBE
# The admin state of a backup interface can be enabled if the RPM probe fails on the primary
# If the normal condition is restored the backup interface is disabled again
set then interface ge-0/0/1.0 enable
top
# Monitoring of the ip-monitoring feature
show services ip-monitoring status
BLACKHOLE FORWARDING DETECTION
# BFD (Bidirectional Forwarding Detection), available with OSPF/BGP
# Useful for link availability tests with aggressive timing (failover within 300 msec)
# Detect an OSPF link failure after 3 x 500 msec
edit protocols ospf area 0.0.0.0 interface ge-0/0/0.0
set bfd-liveness-detection minimum-interval 500
set bfd-liveness-detection multiplier 3
set bfd-liveness-detection full-neighbors-only
top
# Detect a BGP link failure
edit protocols bgp bfd-liveness-detection
set minimum-interval 800
set multiplier 3
set transmit-interval minimum-interval 150
set transmit-interval threshold 500
set detection-time threshold 200
set holddown-interval 5
top
FLOW LOAD BALANCING WITH EQUAL COST MULTIPATH ROUTING
# ECMP for flows is supported on SRX since JUNOS 12.1
# Add multiple routes to the same destination
set routing-options static route 26.0.0.0/8 next-hop 23.0.54.111
set routing-options static route 26.0.0.0/8 next-hop 24.0.44.101
set routing-options static route 26.0.0.0/8 next-hop 25.0.44.106
# Usually only one of these routes would show up in the forwarding table.
# We need a policy statement to enable per-packet load balancing.
# On SRX this statement in reality enforces per-flow balancing
set policy-options policy-statement LBP then load-balance per-packet
# And we must apply this policy to the forwarding table
set routing-options forwarding-table export LBP
# The forwarding table now shows several routes to the same destination
user@host> show route forwarding-table
Routing table: default.inet
Internet:
Destination        Type RtRef Next hop           Type Index NhRef Netif
...
26.0.0.0/8         user     0 23.0.54.111        rslv     0     1 ge-0/0/4.0
26.0.0.0/8         user     0 24.0.44.101        rslv     0     1 ge-0/0/6.0
26.0.0.0/8         user     0 25.0.44.106        rslv     0     1 ge-0/0/7.0
# Finally we might influence the balancing algorithm
# (layer-3 = IP addresses only, layer-4 = TCP/UDP ports too)
set forwarding-options hash-key family inet layer-3
set forwarding-options hash-key family inet layer-4
VRRP CONFIGURATION
# VRRP allows failing over an interface between two devices which are not a cluster
# Typical use case: primary and backup Internet access device (each with its own WAN link)
# Remember that a VRRP pair does not sync sessions - all sessions must be re-established
# VRRP - node 0
edit interfaces fe-0/0/7 unit 0 family inet address 192.168.0.101/24 vrrp-group 150
set virtual-address 192.168.0.150
set priority 100
set no-preempt
set authentication-type md5
set authentication-key secret
top
# VRRP - node 1
edit interfaces fe-0/0/7 unit 0 family inet address 192.168.0.102/24 vrrp-group 150
set virtual-address 192.168.0.150
set priority 110
set no-preempt
set authentication-type md5
set authentication-key secret
top
# VRRP troubleshooting
run show vrrp summary
run show vrrp interface fe-0/0/7
TRANSPARENT MODE
TRANSPARENT MODE OR BRIDGE MODE: NOTES AND LIMITATIONS
Transparent/Bridge Mode on Datacenter SRX
• Transparent mode in A/P clusters is supported since JUNOS 9.6
• Transparent mode in A/A clusters is supported since JUNOS 10.0
• Interfaces can either be in trunk mode or in access mode
• VLAN retagging is possible, and requires a per-interface statement
• Link aggregation on reth interfaces in transparent mode is supported since 11.4r1
• IDP is supported in A/P since 11.2
Transparent/Bridge Mode on Branch SRX
• Transparent mode in A/P clusters is supported since JUNOS 11.2
• Interfaces can only be in access mode
• Management access requires definition of an IRB interface as member of one bridge domain
• Today (12.1) a firewall can either be in pure Layer 2 mode or Layer 3 routed mode, no mix
• During a cluster failover the physical links on the inactive machine will get bumped (L1 down for some seconds and then up again) to clear the CAM tables on the attached switches.
• A number of features are not available/supported in transparent mode (12.1): NAT, IPsec VPN, GRE, LSys, VR for IRB, L3/L4 classification for QoS (but 802.1q)
TRANSPARENT MODE / BRIDGE MODE EXAMPLE 1: TWO UNTAGGED INTERFACES
# A bridge domain is used to define which interfaces share a MAC table
set bridge-domains BD1 domain-type bridge
set bridge-domains BD1 vlan-id 10
set bridge-domains BD1 interface ge-0/0/0.0
set bridge-domains BD1 interface ge-0/0/1.0
# This example uses 2 untagged interfaces
set interfaces ge-0/0/0 unit 0 family bridge interface-mode access
set interfaces ge-0/0/0 unit 0 family bridge vlan-id 10
set interfaces ge-0/0/1 unit 0 family bridge interface-mode access
set interfaces ge-0/0/1 unit 0 family bridge vlan-id 10
# Reuse the zones trust and untrust
set security zones security-zone trust host-inbound-traffic system-services ssh
# Bind the interfaces to the zones
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/1.0
# For management access you must attach an irb interface to a bridge domain
set interfaces irb unit 0 family inet address 1.1.1.0/24
set bridge-domains BD1 routing-interface irb.0
TRANSPARENT MODE / BRIDGE MODE EXAMPLE 2: MIXED TAGGED AND UNTAGGED INTERFACES
# A bridge domain is used to define which interfaces share a MAC table
set bridge-domains BD1 domain-type bridge
set bridge-domains BD1 vlan-id X    # could also be set to "none"
set bridge-domains BD1 interface xe-1/0/0.0
set bridge-domains BD1 interface xe-2/0/0.0
# Example for a trunk mode interface (on Datacenter SRX)
set interfaces ge-0/0/10 vlan-tagging
set interfaces ge-0/0/10 native-vlan-id 10
set interfaces ge-0/0/10 unit 0 family bridge interface-mode trunk
set interfaces ge-0/0/10 unit 0 family bridge vlan-id-list 40-50
# Untagged traffic on a trunk mode interface is mapped to the native VLAN
# Example for an interface in access mode
set interfaces ge-0/0/11 unit 0 family bridge interface-mode access
set interfaces ge-0/0/11 unit 0 family bridge vlan-id 40
# Create a layer2 zone and define the permitted system services
set security zones security-zone layer2 host-inbound-traffic system-services ssh
# Bind the interface to the zone
set security zones security-zone layer2 interfaces ge-0/0/10.0
# For management access you must attach an irb interface to a bridge domain
set interfaces irb unit 0 family inet address 1.1.1.0/24
set bridge-domains BD1 routing-interface irb.0
TRANSPARENT MODE / BRIDGE MODE HINTS AND MONITORING
# By default, family bridge allows forwarding for IPv4 unicasts and L2 broadcasts
# The following statement allows other traffic too (CDP, STP, ...)
# IPv6 forwarding in transparent mode is currently planned for 11.4r4 (DC-SRX only)
set security flow bridge bypass-non-ip-unicast
# Full documentation for transparent mode
https://www.juniper.net/techpubs/en_US/junos12.1/information-products/pathway-pages/security/security-layer2-bridging-transparent-mode.html#configuration
# Monitoring commands
show bridge-domains
show protocols l2-learning
FIREWALL
PACKET FLOW
SECURITY SERVICES PACKET WALK
1) Pull packet from queue
2) Police packet
3) Filter packet
4) Session lookup
5a) No existing session
• FW screen check
• Static and destination NAT
• Route lookup
• Destination zone lookup
• Policy lookup
• Reverse static and source NAT
• Setup ALG vector
• Install session
5b) Established session
• FW screen check
• TCP checks
• NAT translation
• ALG processing
6) Filter packet
7) Shape packet
8) Transmit packet
[Figure: JUNOS flow module. Per-packet filter, policer and shaper surround the flow module; after the forwarding lookup the "Match Session?" decision branches: NO (first packet) runs Screens, Static NAT, Dest NAT, Route, Zones, Policy, Reverse Static NAT, Source NAT, Services ALG and installs the session; YES (existing session) runs Screens, TCP checks, NAT and Services]
SECURITY SERVICES PACKET WALK
[Figure: the same flow module diagram extended with the Services ALG module, which contains AppID (packet), IDP (packet), SSL Proxy, AppID (stream), IDP (stream), ALG, UTM, AppFW and UserFW]
ZONES
ZONES AND INTERFACES
# Zone names are useful to map existing segmentation
# Typical zone names are derived from areas with the same trust level (trust/untrust) or
# from department names (development, production ...)
# Interfaces will not forward any traffic until they are assigned to a zone
# Each interface can only be mapped to one zone
# All interfaces in the same zone must be mapped to the same VR
# Assign an IPv4 address to an interface
set interfaces ge-0/0/1 unit 0 family inet address 192.168.20.2/24
# Create custom zones
set security zones security-zone DEVELOPMENT
set security zones security-zone VPN
# Assign an interface to a zone
set security zones security-zone VPN interfaces st0.0
OBJECTS & POLICIES
OBJECT AND POLICIES OVERVIEW
Current State and Changes over Time
• Global policies and address objects are available since JUNOS 11.4
• Logging: To enable logging for permit rules use "set then log session-close". To enable logging for deny/reject rules use "set then log session-init"
• Counting: Counting with "per time statistics" can be activated per policy (the number of policies is limited). Since JUNOS 12.1 there is a hit counter tracked by default for every policy
• Description: Since JUNOS 12.1 policies can have a description
• Nested Groups (groups of groups) are supported since JUNOS 11.2. Before 11.2 NSM could be used to create nested groups
• DNS Resolution: DNS names can be resolved either at object creation time or frequently during usage
• Wildcard Mask: Bitmasks for address objects are supported since JUNOS 11.1
• Ranges: Address ranges are not available in JUNOS today (12.1)
• Negation: Negated address objects are not available in JUNOS today (12.1)
ADDRESS OBJECTS AND GROUPS (JUNOS <11.2)
set security zones security-zone trust address-book address NET10 10.1.1.0/24
set security zones security-zone trust address-book address HOST10 10.1.1.1/32
# We can also use DNS names, there are two ways
edit security zones security-zone trust address-book
# Resolve the address once at commit time
set address JUNIPER-FIX www.juniper.net
# Resolve dynamically when the policy is used (cached for 24 hours)
set address JUNIPER-DNS dns-name www.juniper.net
top
# Groups of addresses are referenced as address sets
edit security zones security-zone trust address-book address-set ALL10
set address NET10
set address HOST10
top
# JUNOS >= 11.1 also supports wildcard address masks with non-contiguous bitmasks
# for IPv4. The first octet of the mask must be greater than 128
set security zones security-zone trust address-book address SERVER4 wildcard-address 10.0.0.4/255.0.0.255
ADDRESS OBJECTS AND GROUPS (JUNOS >=11.2)
# Since JUNOS 11.2 address book entries can either use the old stanza
set security zones security-zone trust address-book address NET10 10.1.1.0/24
# Or it is possible to create ALL objects as zone-independent address book entries
set security address-book global address NET10 10.1.1.0/24
# JUNOS op scripts exist to convert from the old to the new format and back
https://www.juniper.net/us/en/community/junos/script-automation/library/
# If both formats are used in one configuration, it can not be committed
# NSM supports global policies with version 2012.1
# Space Security Design supports global policies since version 12.1
# J-Web supports global address objects and global policies since 11.4
SERVICE OBJECTS
# Create custom service objects
# Default TCP timeout is 1800 sec.
# Default timeout for other protocols is 60 sec.
set applications application my-ssh protocol tcp
set applications application my-ssh destination-port 22
set applications application my-ssh inactivity-timeout 3600
# The same service can alternatively be written with a term (terms are needed
# for multi-term services); use one form or the other for a given application
set applications application my-ssh term ssh protocol tcp
set applications application my-ssh term ssh destination-port 22
set applications application my-ssh term ssh inactivity-timeout 3600
# A number of service definitions is already built in, starting with junos-xxxx
# To see them you can use the following commands
show configuration groups junos-defaults applications
# or
top
show groups junos-defaults | match application | match junos
# They also appear when you use Tab completion while writing policies
set security policies from-zone trust to-zone untrust policy X match application ?
ZONE BASED FIREWALL POLICIES (1)
# Create a new policy with the name "FIRST".
edit security policies from-zone untrust to-zone trust policy FIRST
set match source-address any
set match destination-address any
set match application any
set then permit
# Since JUNOS 12.1 you can add a description for this policy
set description "First Policy created here"
top
# Insert a second policy "NEW"
edit security policies from-zone untrust to-zone trust policy NEW
set match source-address any
set match destination-address NET10
set match application any
set then permit
top
# New policies are always added at the end
# To move the "NEW" policy before the "FIRST" policy
insert security policies from-zone untrust to-zone trust policy NEW before policy FIRST
ZONE BASED FIREWALL POLICIES (2)
# By default all traffic that is not permitted by a policy is denied (without logging)
# There is a command to change this - recommended only for testing !!
set security policies default-policy permit-all
# Policy actions can be permit/deny/reject.
# deny means silent drop, reject creates response packets to the initiator
#   for UDP traffic "icmp port unreachable"
#   for TCP traffic "TCP RST"
# Monitor commands
show security policies
show security flow session
# Policy lookup is available on CLI and in Web-UI since JUNOS 10.3
show security match-policies ....
GLOBAL FIREWALL POLICIES
# Beginning with JUNOS 11.4 policies can be specified as global policies
# These policies must always reference global address objects
# Policy lookup order is:
#   a) zone-to-zone
#   b) global
#   c) default policy
# NSM can not manage global policies and objects
# For JUNOS Space global policy support is currently planned for release 12.1
set security address-book global address SERVER1 1.1.1.1
set security address-book global address SERVER2 2.2.2.2
set security policies global policy GP1 match source-address SERVER1
set security policies global policy GP1 match destination-address SERVER2
set security policies global policy GP1 match application junos-ftp
set security policies global policy GP1 then deny
set security policies global policy GP2 match source-address SERVER1
set security policies global policy GP2 match destination-address SERVER2
set security policies global policy GP2 match application any
set security policies global policy GP2 then permit
# Count of per-zone and global policies
show security policies zone-context
GLOBAL POLICIES
Global policies take lower precedence than zone-specific policies. If a matching zone-based policy is found, the global policies are not evaluated.
[Figure: ordered lookup within the from-zone/to-zone context (zone-specific Policy 1 ... Policy N); on no match, ordered lookup of the global policies (Policy 1 ... Policy M)]
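The lookup order of the two previous slides (ordered zone-to-zone policies, then ordered global policies, then the default policy) modelled in Python, as an added example that is not Juniper code. It builds the address objects and policies from the slides (NET10, HOST10, the set ALL10, the wildcard object SERVER4, SERVER1/SERVER2 with GP1/GP2, and NEW inserted before FIRST); the zone pair dmz/trust and the host addresses used in the demo are constructed.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


def address_matches(obj: str, ip: str) -> bool:
    """Match one address-book value: 'any', a prefix such as 10.1.1.0/24, or an
    IPv4 wildcard 'addr/mask' with a non-contiguous mask (10.0.0.4/255.0.0.255)."""
    if obj == "any":
        return True
    addr_s, _, mask_s = obj.partition("/")
    if "." in mask_s:  # wildcard form: the mask is written as a dotted quad
        mask = int(ipaddress.IPv4Address(mask_s))
        if (mask >> 24) < 128:  # slides: first octet of the mask must be above 128
            raise ValueError(f"wildcard mask {mask_s}: first octet too small")
        return (int(ipaddress.IPv4Address(ip)) & mask) == (int(ipaddress.IPv4Address(addr_s)) & mask)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(obj, strict=False)


@dataclass
class Policy:
    name: str
    src: list[str]   # address-book names or 'any'
    dst: list[str]
    app: list[str]   # application names or 'any'
    action: str      # permit / deny / reject


class PolicySet:
    """Zone-context policies, global policies and the default policy."""

    def __init__(self, default_policy: str = "deny-all") -> None:
        self.book: dict[str, list[str]] = {}   # name -> values, or member names for a set
        self.zone: dict[tuple[str, str], list[Policy]] = {}
        self.global_policies: list[Policy] = []
        self.default_action = "permit" if default_policy == "permit-all" else "deny"

    def add_address(self, name: str, *members: str) -> None:
        """An address object (one prefix/wildcard) or an address set (member names)."""
        self.book[name] = list(members)

    def add_zone_policy(self, from_zone: str, to_zone: str, policy: Policy,
                        before: str | None = None) -> None:
        """New policies are appended; 'insert ... before' moves one up the list."""
        lst = self.zone.setdefault((from_zone, to_zone), [])
        if before is None:
            lst.append(policy)
        else:
            lst.insert([p.name for p in lst].index(before), policy)

    def _addr(self, name: str, ip: str) -> bool:
        if name == "any":
            return True
        for member in self.book[name]:       # KeyError for an undefined object
            if member in self.book:          # nested address set (JUNOS >= 11.2)
                if self._addr(member, ip):
                    return True
            elif address_matches(member, ip):
                return True
        return False

    def _hit(self, p: Policy, src_ip: str, dst_ip: str, app: str) -> bool:
        return (any(self._addr(a, src_ip) for a in p.src)
                and any(self._addr(a, dst_ip) for a in p.dst)
                and ("any" in p.app or app in p.app))

    def lookup(self, from_zone: str, to_zone: str, src_ip: str, dst_ip: str,
               app: str) -> tuple[str, str | None, str]:
        """Return (context, policy name, action); the first match in each list wins."""
        for p in self.zone.get((from_zone, to_zone), []):
            if self._hit(p, src_ip, dst_ip, app):
                return ("zone", p.name, p.action)
        for p in self.global_policies:       # only reached when no zone policy matched
            if self._hit(p, src_ip, dst_ip, app):
                return ("global", p.name, p.action)
        return ("default", None, self.default_action)


def build_from_slides() -> PolicySet:
    """Objects and policies taken from the slides."""
    fw = PolicySet()
    fw.add_address("NET10", "10.1.1.0/24")
    fw.add_address("HOST10", "10.1.1.1/32")
    fw.add_address("ALL10", "NET10", "HOST10")          # address set
    fw.add_address("SERVER4", "10.0.0.4/255.0.0.255")   # wildcard mask
    fw.add_address("SERVER1", "1.1.1.1")
    fw.add_address("SERVER2", "2.2.2.2")
    fw.add_zone_policy("untrust", "trust", Policy("FIRST", ["any"], ["any"], ["any"], "permit"))
    fw.add_zone_policy("untrust", "trust", Policy("NEW", ["any"], ["NET10"], ["any"], "permit"),
                       before="FIRST")
    fw.global_policies.append(Policy("GP1", ["SERVER1"], ["SERVER2"], ["junos-ftp"], "deny"))
    fw.global_policies.append(Policy("GP2", ["SERVER1"], ["SERVER2"], ["any"], "permit"))
    return fw


if __name__ == "__main__":
    fw = build_from_slides()
    print(fw.lookup("untrust", "trust", "8.8.8.8", "10.1.1.7", "junos-http"))  # zone NEW permit
    print(fw.lookup("dmz", "trust", "1.1.1.1", "2.2.2.2", "junos-ftp"))       # global GP1 deny
    print(fw.lookup("dmz", "trust", "3.3.3.3", "2.2.2.2", "junos-ftp"))       # default deny
```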
FIREWALL POLICY MONITORING AND USAGE TRACKING (1/2)
# Counting can be enabled on a limited number of policies. Counting includes
# input/output bytes & packets, session rate, active & deleted sessions, policy lookups
edit security policies from-zone trust to-zone untrust policy pol-01
set then count
top
# To monitor the policy counters use
run show security policies from-zone trust to-zone untrust policy-name pol-01 detail
# Alarms can be enabled per policy to generate alarms if usage exceeds thresholds
edit security policies from-zone trust to-zone untrust policy pol-01
set then count alarm per-minute-threshold 1000
set then count alarm per-second-threshold 50
top
# To monitor the policy alarms use
run show security alarms
FIREWALL POLICY MONITORING AND USAGE TRACKING (2/2)
# Security policy overview (hidden until 12.1)
show security policies information
# Since JUNOS 10.3 there is a security policy lookup to predict the policy decision
# The query goes directly to the forwarding plane for evaluation
show security match-policies ....
# Until 11.4 usage statistics are only available if counting is enabled (see previous page)
show security policies detail
# JUNOS 12.1 introduces usage tracking of firewall policies independent from counters
# Hit counters since the last reboot/failover can be retrieved with the following command
srx210> show security policies hit-count from-zone untrust ascending
from-zone  to-zone  policy  hit-count
untrust    trust    pol-1   10
untrust    trust    pol-2   20
untrust    trust    pol-3   30
FIREWALL POLICY SCHEDULERS (A.K.A. TIME BASED POLICIES)
# Create a scheduler to activate a policy every working day from 9-12 and 13-20
set schedulers scheduler "SCHEDULER1" daily start-time 09:00 stop-time 12:00
set schedulers scheduler "SCHEDULER1" daily start-time 13:00 stop-time 20:00
set schedulers scheduler "SCHEDULER1" sunday exclude
# Create a new policy with the name "FIRST" and apply the scheduler definition "SCHEDULER1"
edit security policies from-zone untrust to-zone trust policy FIRST
set match source-address any
set match destination-address any
set match application any
set then permit
set scheduler SCHEDULER1
top
# Monitoring
show schedulers
show security policies detail
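To see at which times SCHEDULER1 from the slide above actually activates its policy (two daily windows, the 12:00-13:00 gap, Sunday excluded), here is an added Python model of a scheduler; it is not Juniper code. Assumptions: start-time is inclusive and stop-time exclusive, and a day-specific entry replaces the daily windows for that day.

```python
from __future__ import annotations

from datetime import datetime, time

DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
Window = tuple[time, time]


class Scheduler:
    """Model of an SRX scheduler: 'daily' windows apply to every day unless a day
    is excluded or carries its own windows (assumed semantics, see lead-in)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.daily: list[Window] = []
        self.days: dict[str, list[Window] | None] = {}   # None means 'exclude'

    def daily_window(self, start: str, stop: str) -> Scheduler:
        self.daily.append((time.fromisoformat(start), time.fromisoformat(stop)))
        return self

    def day_window(self, day: str, start: str, stop: str) -> Scheduler:
        if self.days.get(day) is None:                     # new day or previously excluded
            self.days[day] = []
        self.days[day].append((time.fromisoformat(start), time.fromisoformat(stop)))
        return self

    def exclude(self, day: str) -> Scheduler:
        self.days[day] = None
        return self

    def is_active(self, when: datetime) -> bool:
        """True when a policy bound to this scheduler is in effect at 'when'."""
        day = DAYS[when.weekday()]
        if day in self.days:
            if self.days[day] is None:                     # e.g. 'sunday exclude'
                return False
            windows = self.days[day]
        else:
            windows = self.daily
        now = when.time()
        return any(start <= now < stop for start, stop in windows)


def scheduler1() -> Scheduler:
    """SCHEDULER1 exactly as configured on the slide."""
    return (Scheduler("SCHEDULER1")
            .daily_window("09:00", "12:00")
            .daily_window("13:00", "20:00")
            .exclude("sunday"))


if __name__ == "__main__":
    s = scheduler1()
    for stamp in ("2012-11-08 10:30", "2012-11-08 12:30", "2012-11-11 10:30"):
        print(stamp, "active" if s.is_active(datetime.fromisoformat(stamp)) else "inactive")
```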
FIREWALL WEB AUTHENTICATION
# Firewall authentication can intercept web sessions (redirect) and enforce user authentication
# before allowing traffic (any protocol) to be passed by the firewall. This is like an "unlock" door.
# Add an additional IP to an existing interface that is used for WebAuth; HTTP to this interface
# gives you a login page
set interfaces vlan unit 0 family inet address 192.168.1.210/24 web-authentication http
# Specify a profile with 2 local users
set access profile TESTPROFILE client TESTUSER1 firewall-user password netscreen
set access profile TESTPROFILE client TESTUSER2 firewall-user password netscreen
# and use this profile as default for firewall auth (inline in telnet, http, ftp connections) and webauth
set access firewall-authentication pass-through default-profile TESTPROFILE
set access firewall-authentication web-authentication default-profile TESTPROFILE
# A policy specifies for which source/destination web auth is required.
# Once addresses have matched, authentication is required, no fall-through to other rules.
set security zones security-zone untrust address-book address PROTECTED 172.16.42.1/32
edit security policies from-zone trust to-zone untrust policy WEB-AUTH
set match source-address any
set match destination-address PROTECTED
set match application any
set then permit firewall-authentication pass-through access-profile TESTPROFILE
set then permit firewall-authentication pass-through web-redirect
up
insert policy WEB-AUTH before policy trust-to-untrust
top
# Monitoring commands
show security firewall-authentication users
show security firewall-authentication history
REMATCH FOR POLICY CHANGES
# To enable policy rematching when policy changes are made use the following command
# By default policy rematch is disabled
set security policies policy-rematch
Action on Policy   | Description                                                                   | Rematch Flag Enabled               | Rematch Flag Disabled (default)
Delete             | Policy is deleted                                                             | All existing sessions are dropped  | All existing sessions are dropped
Insert             | New policy is inserted                                                        | N/A                                | N/A
Modify the action  | Action field of policy is modified from permit to deny or reject, or vice versa | All existing sessions are dropped | All existing sessions continue
Modify address     | Source or destination address field of policy match is modified               | Policy lookup will be re-evaluated | All existing sessions continue
Modify application | Application field of policy match is modified                                 | Policy lookup will be re-evaluated | All existing sessions continue
REMATCH FOR POLICY CHANGES WITH USER IDENTITY BASED FIREWALL
The user/role info is re-retrieved from the UI module again for rematch
FLOW & ALG
FLOW
# Flow configuration changes the default behavior for a number of topics that influence
# session creation/teardown/modification.
# Examples are SYN checking, sequence number checking, fragmentation, MSS patching,
# session aging
# Example: make sure TCP packets going through VPN tunnels avoid fragmentation
set security flow tcp-mss ipsec-vpn mss 1420
# Example: avoid TCP split handshake attacks by stricter SYN checking
set security flow tcp-session strict-syn-check
ALG
# ALGs exist for several protocols. When enabled they either help to open firewall
# pinholes (FTP), assist NAT for inband protocol data (VoIP) or check for protocol
# violations (DNS). See the next pages for a table of ALGs and their functions
# Most ALGs are enabled per default. To check which ALGs are there and enabled use
show security alg status
# To disable an ALG either disable the ALG completely
set security alg msrpc disable
# or use a custom service with the application protocol set to ignore
set applications application TEST application-protocol ignore
# Knowledgebase articles have good hints on monitoring and troubleshooting
# or changing the behaviour of each ALG. Check the Knowledgebase if you have
# trouble with any of the protocols where ALGs are active and disabling the ALG
# does not solve your problem. Example KB entries:
# SQL: KB21550
# MSRPC: KB23730 and KB18346
BASIC ALGS
ALG Firewall Pinholes NAT Protocol Checking
DNS ✔ ✔ format, length
FTP ✔ ✔ ✔ command
TFTP ✔ ✔
SQL ✔ ✔ ✔ format
Sun RPC ✔ ✔ ✔ format
MS RPC ✔ ✔ ✔ format
RSH ✔ ✔ ✔ format
PPTP ✔ ✔ ✔ format
Talk ✔ ✔ ✔ format
IKE-NAT ✔ ✔ ✔ format
VOIP/STREAMING ALGS
ALG Firewall Pinholes NAT Protocol Checking
SIP ✔ ✔ ✔
H.323 ✔ ✔ ✔
MGCP ✔ ✔ ✔
SCCP ✔ ✔ ✔
RTSP ✔ ✔ ✔
SCREENS & DEFENSE
WHAT ARE SCREENS ?
• Screens are filters for attacks on Layer 3/4 (scans, floods, IP option anomalies, TCP/IP anomalies, DoS attacks)
• Screens are applied before the routing lookup and the policy decision
• Screens are in many cases implemented in hardware
• Screens can be enabled with logging only
SCREENS
Descriptions of each of the Screen parameters are available in the documentation
# Configure all Screen options in a named profile
edit security screen ids-option MY-SCREEN-PROFILE
# Best Practice: Start using Screens with alarm only, dropping disabled.
set alarm-without-drop
set icmp ping-death
set ip source-route-option
set ip tear-drop
set tcp syn-flood alarm-threshold 1024
set tcp syn-flood attack-threshold 200
set tcp syn-flood source-threshold 1024
set tcp syn-flood destination-threshold 2048
set tcp syn-flood queue-size 2000
set tcp syn-flood timeout 20
set tcp land
set limit-session destination-ip-based 50
top
# Finally apply the profile to the zones which need protection
set security zones security-zone untrust screen MY-SCREEN-PROFILE
# Monitoring commands
show security screen statistics zone untrust
show security screen statistics interface ge-0/0/0
SCREENS FOR FLOOD PROTECTION
# Session limits for source and destination IP
set security screen ids-option FLOOD limit-session source-ip-based 10000
set security screen ids-option FLOOD limit-session destination-ip-based 10000
# ICMP AND UDP FLOOD PROTECTION (threshold is in packets/sec)
set security screen ids-option FLOOD icmp flood threshold 10000
set security screen ids-option FLOOD udp flood threshold 20000
# TCP SYN Flood Protection, SYN-Cookie has better performance than SYN-Proxy
set security flow syn-flood-protection-mode syn-cookie
edit security screen ids-option FLOOD tcp syn-flood
# Start using cookies when we see more than 20 SYNs/sec
set attack-threshold 20
set alarm-threshold 10000
# If we get more than these SYNs per second from a Source-IP we start dropping
set source-threshold 1024
# If we get more than these SYNs per second to the same Destination-IP we start dropping
set destination-threshold 100000
# Time before we start dropping half-open connections from the queue
set timeout 5
top
# Finally apply the Screen profile definitions to the zone(s) where the flood arrives
set security zones security-zone untrust screen FLOOD
# Monitoring
show security screen statistics zone trust
show interfaces ge-0/0/1.0 extensive | match Syn
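To make the four syn-flood thresholds of the FLOOD profile above tangible, here is an added Python model (not code from the deck or from Juniper) that classifies one second of constructed SYN traffic the way the screen knobs are described: attack-threshold starts cookie/proxy handling per destination, alarm-threshold raises an alarm, source-threshold and destination-threshold decide what gets dropped, and alarm-without-drop turns dropping into logging only. The IP addresses, the 1500 SYN/s source and the "more than" comparisons are assumptions of the model; the threshold values are the ones on the slide.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SynFloodScreen:
    """Thresholds of the tcp syn-flood screen; defaults mirror the FLOOD profile above."""
    attack_threshold: int = 20           # SYN/s to one destination above which cookie/proxy handling starts
    alarm_threshold: int = 10000         # SYN/s to one destination above which an alarm is logged
    source_threshold: int = 1024         # SYN/s from one source above which its SYNs are dropped
    destination_threshold: int = 100000  # SYN/s to one destination above which its SYNs are dropped
    alarm_without_drop: bool = False     # True = log only, never drop (the "alarm first" best practice)


def evaluate_second(screen, syns):
    """Classify the SYNs seen in one second.

    syns is a list of (src_ip, dst_ip) tuples. Returns a dict with
      proxied: destinations whose SYNs are now answered by SYN cookie / proxy
      alarmed: destinations that crossed alarm-threshold
      dropped: SYNs discarded because of source- or destination-threshold
      passed:  SYNs forwarded (directly or through the proxy)
    """
    per_src = Counter(src for src, _ in syns)
    per_dst = Counter(dst for _, dst in syns)
    proxied = {d for d, n in per_dst.items() if n > screen.attack_threshold}
    alarmed = {d for d, n in per_dst.items() if n > screen.alarm_threshold}
    dropped = passed = 0
    for src, dst in syns:
        over = (per_src[src] > screen.source_threshold
                or per_dst[dst] > screen.destination_threshold)
        if over and not screen.alarm_without_drop:
            dropped += 1
        else:
            passed += 1
    return {"proxied": proxied, "alarmed": alarmed, "dropped": dropped, "passed": passed}


def constructed_sample():
    """One second of constructed traffic: 30 ordinary clients plus one host sending 1500 SYN/s."""
    ordinary = [(f"10.1.1.{i}", "192.0.2.10") for i in range(1, 31)]
    noisy = [("203.0.113.7", "192.0.2.20")] * 1500
    return ordinary + noisy


if __name__ == "__main__":
    for screen in (SynFloodScreen(), SynFloodScreen(alarm_without_drop=True)):
        print("alarm-without-drop =", screen.alarm_without_drop,
              evaluate_second(screen, constructed_sample()))
```

Running it shows why the slide's low attack-threshold is deliberate: even the 30 ordinary SYN/s to 192.0.2.10 are taken over by the cookie mechanism, which is cheap, while only the 1500 SYN/s source is actually dropped, and not at all while alarm-without-drop is set.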
WHITE LISTS FOR SYN COOKIE & SYN PROXY
# JUNOS 12.1 will introduce white lists for SYN Cookie and SYN Proxy
# The SYN protection screens can be active, but certain sources or
# destinations can be excluded from this protection.
# White lists can include up to 32 IPv4 and IPv6 source and/or destination addresses
# Typical use case: exclude proxies as sources, exclude monitored servers as destinations
root@raticate# set security screen ids-option FLOOD tcp syn-flood WHITE-LIST ipv4 ?
Possible completions:
  <[Enter]>            Execute this command
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
+ destination-address  Destination IP based
+ source-address       Source IP based
FLOOD PROTECTION FOR THE SRX SESSION TABLE
# In a flood situation, there is still a risk that the session table fills up
# completely and new sessions can't be established any more
#
# A self defense strategy of the SRX for a flood situation is "aggressive aging":
# start removing sessions which have not been used for x seconds before the session
# table is completely full
#
# This overrides the default session timeouts, but might be better
# than an overcrowded session table
# Set levels (percent of max session number) at which aggressive aging starts and stops
set security flow aging high-watermark 80 low-watermark 60
# Idle time in seconds after which sessions can be purged
set security flow aging early-ageout 30
# Monitoring: If the thresholds are reached, there are logs for
# FLOW_HIGH_WATERMARK_TRIGGERED and FLOW_LOW_WATERMARK_TRIGGERED
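The interplay of high-watermark, low-watermark and early-ageout is easier to see in a simulation than in prose. The following is an added Python model (not from the deck or from Juniper) of a session table with those three knobs at the slide's values: the table capacity of 100, the flow names and the timings are constructed, and the event names simply reuse the two syslog messages named above.

```python
from dataclasses import dataclass


@dataclass
class Session:
    key: str
    last_seen: float   # model clock in seconds
    timeout: int       # the session's normal idle timeout in seconds


class SessionTable:
    """Toy session table with the SRX aggressive ageing knobs.

    max_sessions is a constructed capacity, not a platform figure. high_wm and low_wm are
    percentages of that capacity; early_ageout is the idle time (seconds) that qualifies a
    session for early removal while aggressive ageing is active.
    """

    def __init__(self, max_sessions, high_wm=80, low_wm=60, early_ageout=30):
        self.max_sessions = max_sessions
        self.high_wm, self.low_wm, self.early_ageout = high_wm, low_wm, early_ageout
        self.sessions = {}
        self.aggressive = False
        self.events = []   # (log message, time) pairs named after the real syslog messages

    def usage_percent(self):
        return 100.0 * len(self.sessions) / self.max_sessions

    def add(self, key, now, timeout=1800):
        """Install a session; returns False when the table is full (the flood failure mode)."""
        if len(self.sessions) >= self.max_sessions:
            return False
        self.sessions[key] = Session(key, now, timeout)
        return True

    def touch(self, key, now):
        """A packet on an existing session refreshes its idle timer."""
        self.sessions[key].last_seen = now

    def tick(self, now):
        """Advance the clock: normal timeouts first, then the watermark logic."""
        for key, s in list(self.sessions.items()):
            if now - s.last_seen >= s.timeout:
                del self.sessions[key]
        if not self.aggressive and self.usage_percent() > self.high_wm:
            self.aggressive = True
            self.events.append(("FLOW_HIGH_WATERMARK_TRIGGERED", now))
        if self.aggressive:
            # purge the longest-idle sessions past early-ageout until usage is at/below the low watermark
            for s in sorted(self.sessions.values(), key=lambda s: s.last_seen):
                if self.usage_percent() <= self.low_wm:
                    break
                if now - s.last_seen >= self.early_ageout:
                    del self.sessions[s.key]
            if self.usage_percent() <= self.low_wm:
                self.aggressive = False
                self.events.append(("FLOW_LOW_WATERMARK_TRIGGERED", now))


def demo():
    """Fill a 100-entry table to 85 %, keep 10 flows active, and watch ageing bring it back to 60 %."""
    table = SessionTable(max_sessions=100)
    for i in range(85):
        table.add(f"flow-{i}", now=0)
    table.tick(now=0)                      # 85 % > high watermark: aggressive ageing starts, nothing idle enough yet
    for i in range(10):
        table.touch(f"flow-{i}", now=30)   # these flows keep sending and must survive
    table.tick(now=40)                     # idle flows are 40 s old >= early-ageout: purge down to the low watermark
    return table


if __name__ == "__main__":
    t = demo()
    print(len(t.sessions), "sessions left, aggressive =", t.aggressive, t.events)
```

Note what the model makes visible: the 10 flows that carried traffic at t=30 are never candidates, and purging stops as soon as the low watermark is reached rather than emptying everything that is older than early-ageout.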
FIREWALL USAGE ALARMS
# Create alerts if errors exceed thresholds
edit security alarms potential-violation
set authentication 10
set decryption-failures threshold 100
set encryption-failures threshold 100
set ike-phase1-failures threshold 100
set ike-phase2-failures threshold 100
set replay-attacks threshold 100
set security-log-percent-full 90
top
# Create alerts if firewall total policy usage exceeds thresholds
edit security alarms potential-violation policy
set application size 10240
set source-ip threshold 1000 duration 20
set destination-ip threshold 1000 duration 10
set policy-match threshold 100 size 100
top
# Create alerts if individual firewall policy usage exceeds thresholds
edit security policies from-zone trust to-zone untrust policy pol-01
set then count alarm per-minute-threshold 1000
set then count alarm per-second-threshold 50
top
# Monitoring
show security alarms
WHERE ARE SCREENS IMPLEMENTED ?
# Screens that are implemented on the NPU
block-frag, fin-no-ack, icmp-fragment, icmp-id, icmp-large, ip-bad-option, ip-filter-src, ip-loose-src-route, ip-record-route, ip-security-opt, ip-stream-opt, ip-strict-src-route, ip-timestamp-opt, land, ping-death, syn-fin, syn-frag, tcp-no-flag, unknown-protocol, winnuke, icmp-flood, udp-flood, syn-flood destination-threshold / source-threshold
# Screens that are implemented on the SPU
teardrop, ip-spoofing, syn-ack-ack-proxy, syn-flood (syn-cookie/syn-proxy)
# Screens that are implemented on the CP
limit-session, portscan, ip-sweep, syn-flood (syn-cookie/syn-proxy)
NAT
NAT BASIC INFORMATION
• Since JUNOS 9.5 NAT uses a separate policy (a.k.a. NAT-ng)
• The hierarchy for this is under "set security nat ...."
• Older JUNOS documentation and OJSE training materials might still mention the previous method (policy based NAT)
• Destination NAT often requires additional Proxy-ARP rules
• Limitations in the number of NAT rules did exist, but finally even the last (8 rules for destination NAT) disappeared with 10.2. See http://kb.juniper.net/KB14149
• We have a good Application Note on NAT: http://www.juniper.net/us/en/products-services/security/srx-series/#literature
SCREENOS NAT FEATURES AND JUNOS COUNTERPART
For details and examples see the Application Note
"Juniper Networks SRX Series and J Series NAT for ScreenOS Users"
http://www.juniper.net/us/en/products-services/security/srx-series/#literature
NAT CONFIGURATION INCLUDES 3 FLAVORS
• Source NAT
  - Interface based NAT
  - Pool based NAT, with and without port translation
  - IP address shifting
• Destination NAT
  - Destination IP and/or port number translation
  - IP address shifting
• Static NAT
  - Bi-directional, no port translation supported
  - dst-xlate for packets to the host
  - src-xlate for packets initiated from the host
NAT PROCESSING ORDER
• Static & Destination NAT are performed before security policies are applied
• Reverse Static & Source NAT are performed after security policies are applied
• Accordingly, policies always refer to the actual address of the endpoints
NAT ADDRESS POOL CONFIGURATION
Address pools can be
• a single IP address
• a range of addresses
• a range of ports
• an interface (source NAT only)
• without port translation
Overflow pools
• are configured as a fall back
• require pools with no port translation
[edit security nat source]
root# show
pool src-nat-pool1 {
    address {
        192.0.0.10/32 to 192.0.0.24/32;
    }
}
pool src-nat-pool2 {
    address {
        192.0.0.100/32 to 192.0.0.249/32;
    }
    port no-translation;
    overflow-pool interface;
}
pool src-nat-pool3 {
    address {
        192.0.0.25/32;
    }
}
pool src-nat-pool4 {
    address {
        192.0.0.50/32 to 192.0.0.59/32;
    }
    port range 5000 to 6000;
}
SOURCE NAT: TWO EXAMPLES
[Diagram: INTERNET, zones UNTRUST and TRUST, interfaces ge-0/0/0 and ge-0/0/1, networks 10.1.1.0/24, 10.1.2.0/24 and 192.1.1.0/24]
# Example 1: interface based source NAT
[edit security nat source]
rule-set nat-internet {
    from zone trust;
    to zone untrust;
    rule rule1 {
        match {
            source-address 0.0.0.0/0;
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat {
                interface;
            }
        }
    }
}
# Example 2: pool based source NAT
[edit security nat source]
rule-set nat-internet {
    from zone trust;
    to zone untrust;
    rule rule1 {
        match {
            source-address 0.0.0.0/0;
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat {
                pool {
                    src-nat-pool1;
                }
            }
        }
    }
}
SOURCE NAT: EXAMPLE WITH MULTIPLE RULES
[Diagram: INTERNET, zones UNTRUST and TRUST, interfaces ge-0/0/0 and ge-0/0/1, networks 10.1.1.0/24, 10.1.2.0/24, 192.1.1.0/24 and 172.1.1.0/24]
[edit security nat source]
rule-set nat-internet {
    from zone trust;
    to zone untrust;
    rule rule1 {
        match {
            source-address [ 10.1.1.0/24 10.1.2.0/24 ];
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat {
                pool {
                    src-nat-pool1;
                }
            }
        }
    }
    rule rule2 {
        match {
            source-address 192.1.1.0/24;
        }
        then {
            source-nat {
                pool {
                    src-nat-pool2;
                }
            }
        }
    }
    rule rule3 {
        match {
            source-address 172.1.1.0/24;
        }
        then {
            source-nat {
                off;
            }
        }
    }
}
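Rules inside a rule-set are evaluated in configured order and the first match wins, which is why rule order decides whether rule3's "source-nat off" ever takes effect. The following added Python model (not code from the deck or from Juniper) replays the nat-internet rule-set above and also flags rules that an earlier rule shadows completely, the usual cause of "my no-NAT exception is ignored" tickets. It only models zone-based rule-sets; interface- and routing-instance-based rule-set selection is left out, and the misordered rule-set and the test addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class SnatRule:
    name: str
    source: list        # ip_network objects; an empty list means 0.0.0.0/0
    destination: list   # ip_network objects; an empty list means 0.0.0.0/0
    action: tuple       # ("pool", name) | ("interface",) | ("off",)


@dataclass
class SnatRuleSet:
    name: str
    from_zone: str
    to_zone: str
    rules: list = field(default_factory=list)


def nets(*prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]


def _matches(addr, prefixes):
    return not prefixes or any(addr in n for n in prefixes if n.version == addr.version)


def lookup(rule_sets, from_zone, to_zone, src, dst):
    """First-match lookup: pick the rule-set for the zone pair, then try its rules in order.
    Returns (rule_set, rule); rule is None when the set applies but no rule matches (no NAT),
    both are None when no rule-set applies to the zone pair at all."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rs in rule_sets:
        if rs.from_zone != from_zone or rs.to_zone != to_zone:
            continue
        for rule in rs.rules:
            if _matches(src, rule.source) and _matches(dst, rule.destination):
                return rs, rule
        return rs, None
    return None, None


def _covered(later, earlier):
    """True when every prefix of `later` lies inside some prefix of `earlier`."""
    if not earlier:
        return True
    if not later:
        return False
    return all(any(lo.subnet_of(ea) for ea in earlier if ea.version == lo.version) for lo in later)


def shadowed_rules(rs):
    """(shadowed_rule, shadowing_rule) name pairs for rules that can never match."""
    found = []
    for j, later in enumerate(rs.rules):
        for earlier in rs.rules[:j]:
            if _covered(later.source, earlier.source) and _covered(later.destination, earlier.destination):
                found.append((later.name, earlier.name))
                break
    return found


def slide_rule_set():
    """The nat-internet rule-set of this slide."""
    return SnatRuleSet("nat-internet", "trust", "untrust", [
        SnatRule("rule1", nets("10.1.1.0/24", "10.1.2.0/24"), nets("0.0.0.0/0"), ("pool", "src-nat-pool1")),
        SnatRule("rule2", nets("192.1.1.0/24"), [], ("pool", "src-nat-pool2")),
        SnatRule("rule3", nets("172.1.1.0/24"), [], ("off",)),
    ])


def misordered_rule_set():
    """Constructed counter-example: the catch-all comes first, so the no-NAT rule is dead."""
    return SnatRuleSet("nat-internet", "trust", "untrust", [
        SnatRule("catch-all", nets("0.0.0.0/0"), [], ("interface",)),
        SnatRule("no-nat", nets("172.1.1.0/24"), [], ("off",)),
    ])


if __name__ == "__main__":
    rs = slide_rule_set()
    for src in ("10.1.2.5", "192.1.1.7", "172.1.1.9", "192.168.5.5"):
        _, rule = lookup([rs], "trust", "untrust", src, "8.8.8.8")
        print(src, "->", rule.action if rule else "no rule matched")
    print("shadowed in misordered set:", shadowed_rules(misordered_rule_set()))
```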
DESTINATION NAT: EXAMPLE FOR MANY-TO-MANY
[Diagram: INTERNET, zones UNTRUST and TRUST, interfaces ge-0/0/0 and ge-0/0/1, networks 10.1.1.0/24, 10.1.2.0/24, hosts 192.1.1.100 and 192.1.1.200]
dnat-pool-1: 1.1.1.100/80 -> 192.168.1.100/80
dnat-pool-2: 1.1.1.101/80 -> 192.168.1.200/8000
[edit security nat destination]
root# show
pool dnat-pool-1 {
    address 192.168.1.100/32;
}
pool dnat-pool-2 {
    address 192.168.1.200/32 port 8000;
}
rule-set dst-nat {
    from zone untrust;
    rule rule1 {
        match {
            destination-address 1.1.1.100/32;
        }
        then {
            destination-nat pool dnat-pool-1;
        }
    }
    rule rule2 {
        match {
            destination-address 1.1.1.101/32;
        }
        then {
            destination-nat pool dnat-pool-2;
        }
    }
}
DESTINATION NAT: EXAMPLE FOR ONE-TO-MANY
[Diagram: INTERNET, zones UNTRUST and TRUST, interfaces ge-0/0/0 and ge-0/0/1, networks 10.1.1.0/24, 10.1.2.0/24, hosts 192.1.1.100 and 192.1.1.200]
dnat-pool-1: 1.1.1.100/80 -> 192.168.1.100/80
dnat-pool-2: 1.1.1.100/8000 -> 192.168.1.200/8000
[edit security nat destination]
root# show
pool dnat-pool-1 {
    address 192.168.1.100/32;
}
pool dnat-pool-2 {
    address 192.168.1.200/32 port 8000;
}
rule-set dst-nat {
    from zone untrust;
    rule rule1 {
        match {
            destination-address 1.1.1.100/32;
            destination-port 80;
        }
        then {
            destination-nat pool dnat-pool-1;
        }
    }
    rule rule2 {
        match {
            destination-address 1.1.1.100/32;
            destination-port 8000;
        }
        then {
            destination-nat pool dnat-pool-2;
        }
    }
}
STATIC NAT
• Provides one-to-one mapping of hosts or subnets
• Bi-directional NAT: dst-xlate for packets to the host, src-xlate for packets initiated from the host
[Diagram: INTERNET, zones UNTRUST and TRUST, interfaces ge-0/0/0 and ge-0/0/1, networks 10.1.1.0/24, 10.1.2.0/24, host 192.1.1.200]
[edit security nat]
root# show static
rule-set static-nat {
    from zone untrust;
    rule rule1 {
        match {
            destination-address 1.1.1.200/32;
        }
        then {
            static-nat prefix 192.168.1.200/32;
        }
    }
}
PROXY-ARP
Source NAT: Proxy-ARP is required for all source IP pool addresses in the same subnet as the egress interface (ge-0/0/0). For source pools not in the same subnet as the egress interface IP, a route to the IP pool subnet with the SRX device as next-hop is required on the upstream router.
Destination/Static NAT: Proxy-ARP is required for all IP pool addresses in the same subnet as the ingress interface (ge-0/0/0). For static and destination NAT pools not in the same subnet as the egress interface IP, a route to the IP pool subnet with the SRX device as next-hop is required on the upstream router.
Configuration command:
set security nat proxy-arp interface <if_name> address <ip_prefix>
[Diagram: INTERNET, interfaces ge-0/0/0 and ge-0/0/1, address 1.1.1.1/24, networks 10.1.1.0/24 and 10.1.2.0/24]
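The decision on this slide (proxy-ARP for on-subnet pool addresses, an upstream route for off-subnet ones) is mechanical enough to script. The following added Python helper (not code from the deck or from Juniper) takes an interface prefix and a list of pool ranges and emits the proxy-arp set commands for the on-subnet ranges, the prefixes the upstream router must route to the SRX for the off-subnet ones, and refuses ranges that straddle the subnet boundary. The interface 1.1.1.1/24 comes from the diagram and the pool ranges from the NAT slides in this chapter; the combination is constructed.

```python
import ipaddress


def plan_proxy_arp(interface, interface_prefix, pool_ranges):
    """Decide, for every NAT pool range, whether the SRX must answer ARP for it or whether
    the upstream router needs a route for it instead.

    interface         logical interface name, e.g. "ge-0/0/0.0"
    interface_prefix  that interface's address with mask, e.g. "1.1.1.1/24"
    pool_ranges       list of (low, high) address strings; low == high for a single address
    Returns (proxy_arp_commands, upstream_route_prefixes).
    """
    iface = ipaddress.ip_interface(interface_prefix)
    subnet = iface.network
    commands, routes = [], []
    for low, high in pool_ranges:
        lo, hi = ipaddress.ip_address(low), ipaddress.ip_address(high)
        if lo > hi:
            raise ValueError(f"range {low}-{high} is reversed")
        if lo in subnet and hi in subnet:
            if lo == hi == iface.ip:
                continue   # the interface's own address: the SRX already answers ARP for it
            cmd = f"set security nat proxy-arp interface {interface} address {lo}/32"
            if lo != hi:
                cmd += f" to {hi}/32"
            commands.append(cmd)
        elif lo not in subnet and hi not in subnet:
            # Off-subnet pool: ARP for it never reaches the SRX, so the upstream router needs
            # a route for the pool prefixes pointing at the SRX. Summarise the range into prefixes.
            routes.extend(str(n) for n in ipaddress.summarize_address_range(lo, hi))
        else:
            raise ValueError(f"range {low}-{high} straddles the {subnet} boundary; split the pool")
    return commands, routes


def constructed_plan():
    """Egress interface 1.1.1.1/24 (from the diagram) with pools taken from the NAT slides."""
    pools = [
        ("1.1.1.10", "1.1.1.14"),        # src-pool-1 of the double NAT slide: on-subnet range
        ("1.1.1.100", "1.1.1.100"),      # a destination NAT address: on-subnet single host
        ("192.0.0.10", "192.0.0.24"),    # src-nat-pool1 of the pool slide: off-subnet range
        ("1.1.1.1", "1.1.1.1"),          # the interface address itself (interface NAT)
    ]
    return plan_proxy_arp("ge-0/0/0.0", "1.1.1.1/24", pools)


if __name__ == "__main__":
    cmds, routes = constructed_plan()
    print("\n".join(cmds))
    print("upstream routes needed via the SRX:", routes)
```

Forgetting the proxy-ARP entry is the classic symptom "the NAT rule matches in the session table but return traffic never arrives", because the upstream router ARPs for the pool address and nobody answers; running the pool list through a check like this before commit catches it.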
DOUBLE NAT: SOURCE AND DESTINATION NAT
[Diagram: TRUST host 192.168.1.3/24, UNTRUST host 10.1.1.100/24; the flow 192.168.1.3 -> 1.1.1.100 leaves the SRX as 1.1.1.10 -> 10.1.1.100]
[edit security nat source]
root# show
pool src-pool-1 {
    address {
        1.1.1.10/32 to 1.1.1.14/32;
    }
}
rule-set src-rs1 {
    from zone trust;
    to zone untrust;
    rule r1 {
        match {
            source-address 0.0.0.0/0;
        }
        then {
            source-nat {
                pool {
                    src-pool-1;
                }
            }
        }
    }
}
[edit security nat destination]
root# show
pool dst-src-pool-1 {
    address 10.1.1.100/32;
}
rule-set dst-rs1 {
    from zone trust;
    rule rule1 {
        match {
            destination-address 1.1.1.100/32;
        }
        then {
            destination-nat pool dst-src-pool-1;
        }
    }
}
NAT MONITORING AND TROUBLESHOOTING
# NAT sessions can be identified from the session table
show security flow session
# Static NAT:
show security nat static rule <all|rule-name>
# Source NAT:
show security nat source summary
show security nat source pool <pool-name>
show security nat source rule <rule-name>
show security nat source persistent-nat-table <all|summary|....>
# Destination NAT:
show security nat destination summary
show security nat destination pool <pool-name>
show security nat destination rule <rule-name>
show security nat interface-nat-ports
# Incoming NAT:
show security nat incoming-table
# ARP table
show arp no-resolve
# Tracing (output is written to the file defined under security->flow->traceoptions)
set security nat traceoptions flag all
VIRTUALIZATION
VIRTUALIZATION BUILDING BLOCKS AND CONCEPTS
SRX Firewalls offer several building blocks and concepts to achieve virtualization:
• Zone based separation: no traffic can get from one zone to another if there is no policy
• Virtual Router based separation: avoids any traffic leakage between different instances (use case: managed service for customers with overlapping address space)
• Logical Systems: for complete administrative isolation. Create virtual firewalls with individual administrators and protected resources per firewall (memory, cpu, objects ...)
• Virtual SRX: Virtual Machine for installation on a Hypervisor (VMware, KVM)

                                            | Zones only | Zones and Virtual Routers | Logical Systems                | Virtual SRX
separate traffic of different instances     | yes        | yes                       | yes                            | yes
separate routing decisions per instance     | no         | yes                       | yes (with VRs)                 | yes
allow different administrators per instance | no         | no                        | yes                            | yes
protect resources per instance              | no         | no                        | partial                        | yes
more than 32 instances                      | no         | no                        | max 32 instances per firewall  | yes
ZONE-BASED SEPARATION
[Diagram: Coke User and Pepsi User in their own zones (Coke Zone, Pepsi Zone) behind a shared Untrust Zone]
• Simple design
• High scale (no additional overhead)
• No overlapping IP addresses
• Little to no user-based admin
VR-BASED SEPARATION
[Diagram: Coke VR with Coke Trust Zone and Coke Untrust Zone, Pepsi VR with Pepsi Trust Zone and Pepsi Untrust Zone, one VR per customer]
• More complex design
• High scale (little additional overhead)
• Overlapping IP addresses supported
• Routing protocols per VR give additional flexibility
• Little to no user-based admin
LSYS-BASED SEPARATION
[Diagram: Coke LSYS (Coke VR, Coke Trust Zone, Coke Untrust Zone) and Pepsi LSYS (Pepsi VR, Pepsi Trust Zone, Pepsi Untrust Zone), one logical system per customer]
• Complex design
• Lower scale (possible additional overhead)
• Overlapping IP addresses supported
• Routing protocols per VR give additional flexibility (and introduce performance caveats)
• User-based admin supported
VIRTUALIZATION: VIRTUAL ROUTERS
DIFFERENCE IN OWNERSHIP HIERARCHY
ScreenOS: Virtual Router > Zone > Interface > IP Address
JUNOS: Routing Instance > Interface > IP Address, and independently Zone > Interface
The virtual router is split from the zones in JUNOS
EXAMPLE WITH 2 INDEPENDENT VRs
[Diagram: Red-VR with zones red-untrust and red-trust; Blue-VR with zones blue-trust and blue-untrust]
VIRTUAL ROUTERS - SIMPLE EXAMPLE
Create a Virtual Router and bind interfaces to this VR
# Assign interface IPs like usual
set interfaces fe-0/0/6 unit 0 family inet address 1.0.0.1/24
set interfaces fe-0/0/7 unit 0 family inet address 2.0.0.1/24
set interfaces lo0 unit 0 family inet address 3.0.0.1/32
# Create the Virtual Router, assign two physical and a loopback interface
set routing-instances red-vr instance-type virtual-router
set routing-instances red-vr interface fe-0/0/6.0
set routing-instances red-vr interface fe-0/0/7.0
set routing-instances red-vr interface lo0.0
# Also tie all interfaces to security zones
set security zones security-zone red-untrust interfaces fe-0/0/6.0
set security zones security-zone red-trust interfaces fe-0/0/7.0
# Optional: set a static route in this VR
set routing-instances red-vr routing-options static route 4.0.0.0/24 next-hop 1.0.0.2
# Optional: You can set static routes to get from one VR to another
# If you need to exchange dynamic routes you will need RIB Groups
set routing-instances red-vr routing-options static route 5.0.0.0/24 next-table blue-vr.inet.0
EXAMPLE WITH 3 CUSTOM AND ONE SHARED VR
[Diagram: Red-VR (zone red-trust), Blue-VR (zone blue-trust), Green-VR (zone green-trust) and the shared inet.0 VR (zone untrust)]
VIRTUAL ROUTERS: ROUTER DEFINITION
Create a Virtual Router and bind interfaces to this VR
# Assign interface IPs like usual
set interfaces fe-0/0/5 unit 0 family inet address 1.0.0.1/24
set interfaces fe-0/0/6 unit 0 family inet address 2.0.0.1/24
set interfaces fe-0/0/7 unit 0 family inet address 3.0.0.1/24
set interfaces lo0 unit 0 family inet address 4.0.0.1/32
# Create the Virtual Router, assign one physical interface
set routing-instances RED-VR instance-type virtual-router
set routing-instances RED-VR interface fe-0/0/5.0
# Create the Virtual Router, assign one physical interface
set routing-instances BLUE-VR instance-type virtual-router
set routing-instances BLUE-VR interface fe-0/0/6.0
# Create the Virtual Router, assign one physical interface
set routing-instances GREEN-VR instance-type virtual-router
set routing-instances GREEN-VR interface fe-0/0/7.0
VIRTUAL ROUTERS: SECURITY ZONES
Interface binding to zones is defined independently from the VR,
BUT all interfaces in the same zone must be bound to the same VR
# Create zones and assign interfaces
set security zones security-zone red-trust
set security zones security-zone red-trust interfaces fe-0/0/5.0
set security zones security-zone blue-trust
set security zones security-zone blue-trust interfaces fe-0/0/6.0
set security zones security-zone green-trust
set security zones security-zone green-trust interfaces fe-0/0/7.0
# If desired enable management
set security zones security-zone red-trust host-inbound-traffic system-services all
set security zones security-zone red-trust host-inbound-traffic protocols all
set security zones security-zone blue-trust host-inbound-traffic system-services all
set security zones security-zone blue-trust host-inbound-traffic protocols all
# Add policies to permit traffic
edit security policies from-zone red-trust to-zone untrust
set policy outbound1 match source-address any
set policy outbound1 match destination-address any
set policy outbound1 match application any
set policy outbound1 then permit
set policy outbound1 then log session-close session-init
exit
top
VIRTUAL ROUTERS: EXCHANGING ROUTES BETWEEN VIRTUAL ROUTERS
# To set a route from one VR to another just use the instance name as next-table
edit routing-instances BLUE-VR
set routing-options static route 10.0.0.0/8 next-table RED-VR.inet.0
top
# To redistribute routes that exist in one VR into another use filters
edit policy-options policy-statement SUMMARY-RED
set term ACCEPT from instance RED-VR
set term ACCEPT from route-filter 10.0.0.0/8 exact
set term ACCEPT then tag 5000
set term ACCEPT then accept
top
set routing-instances BLUE-VR routing-options instance-import SUMMARY-RED
VIRTUAL ROUTERS: RIB-GROUPS
RIB Groups (RIB = Routing Information Base) are useful if you want to share static and dynamic routes between multiple VRs
# Create a rib-group
set routing-options static rib-group test-rib
# Routes imported into the rib-group are distributed to the ribs
set routing-options rib-groups test-rib import-rib inet.0
set routing-options rib-groups test-rib import-rib RED-VR.inet.0
# set routing-options rib-groups test-rib import-rib BLUE-VR.inet.0
# set routing-options rib-groups test-rib import-rib GREEN-VR.inet.0
# Only one rib can be used to export (the primary rib by default)
set routing-options rib-groups test-rib export-rib inet.0
# Optional: publish interface routes to the RIB
set routing-instances RED-VR routing-options interface-routes rib-group inet test-rib
set routing-instances BLUE-VR routing-options interface-routes rib-group inet test-rib
set routing-instances GREEN-VR routing-options interface-routes rib-group inet test-rib
VIRTUAL ROUTERS: RIB-GROUPS, FILTER
Filters can be applied to drop unwanted routes
# Create a policy statement
edit policy-options policy-statement into-red
set term reject-to-red from family inet
set term reject-to-red from protocol ospf
set term reject-to-red to rib red-vr.inet.0
set term reject-to-red then reject
top
# Apply the policy to filter routes from the rib-group's export-rib to the member ribs
set routing-options rib-groups test-rib import-policy into-red
VIRTUAL ROUTERS: NOTES AND LIMITATIONS
• RIB Groups are useful to share routes between multiple VRs
• Before JUNOS 10.4 IPSEC VPN interfaces could only be terminated in zones which are assigned to inet.0 (see KB12866)
• For self initiated management traffic (e.g. syslog, traps ...) the route lookup starts in the default VR (inet.0)
• Interfaces that are not explicitly members of any custom VR are members of inet.0
• DHCP Server and DHCP Relay inside a VR require JUNOS 10.4R5 or higher
• Static routes from VR1 to VR2 and at the same time from VR2 to VR1 will not commit (potential loop). You have to introduce a third VR as an additional hop for one direction.
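The last note (mutual next-table routes between two VRs are refused at commit) and the next-table mechanism of the preceding slides can be modelled in a few lines. The following added Python model (not code from the deck or from Juniper) resolves a destination by following next-table references between routing tables, guards against lookup loops, and finds the next-table cycle that the SRX commit check rejects. The working tables combine the RED-VR and BLUE-VR examples of this chapter; the looping tables with mutual default routes are constructed to show the failure.

```python
import ipaddress


def longest_match(table, dst):
    """Longest-prefix match in one routing table; returns (network, next) or None."""
    best = None
    for prefix, nxt in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nxt)
    return best


def resolve(tables, start_table, dst):
    """Look dst up in start_table and follow next-table references until a next-hop is found.
    Returns (table_that_answered, next_hop). Raises LookupError when a table has no route and
    RuntimeError when the next-table chain revisits a table (a lookup loop)."""
    dst = ipaddress.ip_address(dst)
    visited, table = [], start_table
    while True:
        if table in visited:
            raise RuntimeError("next-table loop: " + " -> ".join(visited + [table]))
        visited.append(table)
        hit = longest_match(tables.get(table, []), dst)
        if hit is None:
            raise LookupError(f"no route to {dst} in {table}")
        kind, value = hit[1]
        if kind == "next-hop":
            return table, value
        table = value   # kind == "next-table": continue the lookup in the referenced table


def find_next_table_cycle(tables):
    """Return the list of table names forming a next-table cycle, or None.
    The SRX refuses to commit a configuration in which tables point at each other this way."""
    edges = {t: {nxt[1] for _, nxt in rows if nxt[0] == "next-table"} for t, rows in tables.items()}
    state = {}

    def dfs(node, path):
        state[node] = "visiting"
        for nxt in edges.get(node, ()):
            if state.get(nxt) == "visiting":
                return path[path.index(nxt):] + [nxt]
            if nxt not in state:
                cycle = dfs(nxt, path + [nxt])
                if cycle:
                    return cycle
        state[node] = "done"
        return None

    for t in edges:
        if t not in state:
            cycle = dfs(t, [t])
            if cycle:
                return cycle
    return None


def working_tables():
    """RED-VR hands 5.0.0.0/24 to BLUE-VR (as on the simple example slide); one direction only."""
    return {
        "RED-VR.inet.0": [
            ("1.0.0.0/24", ("next-hop", "direct")),
            ("4.0.0.0/24", ("next-hop", "1.0.0.2")),
            ("5.0.0.0/24", ("next-table", "BLUE-VR.inet.0")),
        ],
        "BLUE-VR.inet.0": [
            ("2.0.0.0/24", ("next-hop", "direct")),
            ("5.0.0.0/24", ("next-hop", "2.0.0.2")),
        ],
    }


def looping_tables():
    """Constructed misconfiguration: each VR also sends its default route to the other one."""
    tables = working_tables()
    tables["RED-VR.inet.0"].append(("0.0.0.0/0", ("next-table", "BLUE-VR.inet.0")))
    tables["BLUE-VR.inet.0"].append(("0.0.0.0/0", ("next-table", "RED-VR.inet.0")))
    return tables


if __name__ == "__main__":
    print(resolve(working_tables(), "RED-VR.inet.0", "5.0.0.7"))
    print("cycle in working config:", find_next_table_cycle(working_tables()))
    print("cycle in looping config:", find_next_table_cycle(looping_tables()))
```

The commit check on the SRX is the static equivalent of find_next_table_cycle: it does not matter that some destinations (5.0.0.7 here) would still resolve fine, the mutual reference alone is enough to reject the configuration, hence the slide's advice to route one direction through a third VR.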
VIRTUALIZATION: LOGICAL SYSTEMS
LOGICAL SYSTEMS
• The Root System (= physical firewall) is always there. The Root Admin can
  - create new Lsys
  - create user admin(s) for the Lsys
  - create and assign Lsys Profiles
  - create and assign logical interfaces to Lsys
  - configure the interconnect Lsys0
• Lsys0 has a special role as the interconnect Lsys: all traffic between User Lsys and Rootsys goes through Lsys0; for this purpose Lsys0 has an lt-Interface to each Lsys and the Rootsys
• Lsys1..32 are the user logical systems themselves
• Each user logical system can have
  - a number of zones, interfaces and 0, 1 or more Virtual Routers
  - exactly one interface to the Interconnect Lsys0 (lt0.x)
  - one or more users to configure routing and security inside the Lsys
EXAMPLE SETUP
• Root System with
  - shared Internet uplink
  - separate VR vrf-root
• Interconnect Lsys0 with
  - separate vr-ic
  - lt interfaces to each root and lsys
• Two custom Lsys with
  - private interfaces and zones
  - lt interfaces to interconnect Lsys0
LOGICAL SYSTEMS CONFIGURATION 1/4 - PROFILES AND USERS
# Define a profile for the system limits of each User Logical System
set system security-profile USER-LSYS policy maximum 50
set system security-profile USER-LSYS policy reserved 25
set system security-profile USER-LSYS address-book maximum 100
set system security-profile USER-LSYS address-book reserved 50
set system security-profile USER-LSYS logical-system [ COKE-LSYS PEPSI-LSYS ]
# Add the Root System profile. All off-box logging comes from the Root LSYS.
# If this is undefined then syslog/SNMP will not work
set system security-profile ROOT-LSYS auth-entry maximum 5
set system security-profile ROOT-LSYS policy maximum 5
set system security-profile ROOT-LSYS policy reserved 1
set system security-profile ROOT-LSYS policy-with-count maximum 0
set system security-profile ROOT-LSYS root-logical-system
# Add the LSYS to your login classes to assign users to an LSYS
# Users are assigned to a 'login class' to get their rights, and with LSYS
# they also get assigned to an LSYS at the same time
set system login class COKE-LOGIN logical-system COKE-LSYS
set system login class PEPSI-LOGIN logical-system PEPSI-LSYS
# Create users for each Lsys
set system login user coke class COKE-LOGIN
set system login user pepsi class PEPSI-LOGIN
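What "reserved 25" versus "maximum 50" buys a tenant is the point of the security profile, and it is worth seeing the two interact. The following added Python model (not code from the deck or from Juniper) treats one resource type, policies, under the assumption that each LSYS is guaranteed its reserved count, competes with the other LSYS for the remainder of the system capacity above that, and is capped by its maximum; the 80-policy system capacity is a constructed figure chosen so that the shared pool runs out. The profile values are the ones configured above.

```python
class QuotaError(Exception):
    """Raised when a logical system may not create another object."""


class SecurityProfiles:
    """Model of the security-profile reserved/maximum semantics for one resource type (policies).

    Assumption made by this model: each LSYS is guaranteed its `reserved` count; above that it
    draws on what is left of the system capacity once every reservation is subtracted, and
    `maximum` caps what it can ever hold. system_max is a constructed capacity.
    """

    def __init__(self, system_max):
        self.system_max = system_max
        self.profiles = {}   # lsys -> (reserved, maximum)
        self.used = {}       # lsys -> objects currently allocated

    def assign(self, lsys, reserved, maximum):
        if reserved > maximum:
            raise ValueError("reserved must not exceed maximum")
        self.profiles[lsys] = (reserved, maximum)
        self.used.setdefault(lsys, 0)
        if sum(r for r, _ in self.profiles.values()) > self.system_max:
            raise QuotaError("sum of reservations exceeds system capacity (commit would fail)")

    def shared_free(self):
        """Capacity left in the pool that LSYS draw on above their reservations."""
        total_reserved = sum(r for r, _ in self.profiles.values())
        shared_used = sum(max(0, self.used[l] - self.profiles[l][0]) for l in self.profiles)
        return self.system_max - total_reserved - shared_used

    def allocate(self, lsys):
        reserved, maximum = self.profiles[lsys]
        if self.used[lsys] >= maximum:
            raise QuotaError(f"{lsys}: maximum of {maximum} reached")
        if self.used[lsys] >= reserved and self.shared_free() <= 0:
            raise QuotaError(f"{lsys}: reservation used up and the shared pool is empty")
        self.used[lsys] += 1

    def fill(self, lsys):
        """Allocate until refused; returns how many objects the LSYS ended up with."""
        try:
            while True:
                self.allocate(lsys)
        except QuotaError:
            return self.used[lsys]


def demo():
    """USER-LSYS profile (reserved 25, maximum 50) for two LSYS on a constructed 80-policy box."""
    sp = SecurityProfiles(system_max=80)
    for lsys in ("COKE-LSYS", "PEPSI-LSYS"):
        sp.assign(lsys, reserved=25, maximum=50)
    sp.assign("ROOT-LSYS", reserved=1, maximum=5)
    return {lsys: sp.fill(lsys) for lsys in ("COKE-LSYS", "PEPSI-LSYS")}


if __name__ == "__main__":
    print(demo())
```

The first tenant to grow takes the shared pool with it: COKE-LSYS reaches its maximum of 50, while PEPSI-LSYS, configured identically, is stopped at 29 even though it is well below 50. Only the reserved 25 is a guarantee; the maximum is a ceiling, which is exactly why the root profile on this slide reserves at least one policy for off-box logging.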
LOGICAL SYSTEMS CONFIGURATION 2/4 - INTERCONNECT
# Set up lt-0/0/0.x interfaces in the Interconnect LSYS0
# LSYS0 is layer 2 only and will hold multiple LT interfaces
# all other LSYS will only have a single LT interface
# LT interfaces are paired one-to-one
set logical-systems LSYS0 interfaces lt-0/0/0 unit 0 encapsulation ethernet-vpls
set logical-systems LSYS0 interfaces lt-0/0/0 unit 0 peer-unit 1
set logical-systems LSYS0 interfaces lt-0/0/0 unit 2 encapsulation ethernet-vpls
set logical-systems LSYS0 interfaces lt-0/0/0 unit 2 peer-unit 3
set logical-systems LSYS0 interfaces lt-0/0/0 unit 4 encapsulation ethernet-vpls
set logical-systems LSYS0 interfaces lt-0/0/0 unit 4 peer-unit 5
# Set up the peer lt-0/0/0.x interfaces; LT interfaces in LSYS > 0 need an IP address
# LT interface in the Rootsys, paired with LSYS0 unit 0
set interfaces lt-0/0/0 unit 1 encapsulation ethernet
set interfaces lt-0/0/0 unit 1 peer-unit 0
set interfaces lt-0/0/0 unit 1 family inet address 10.0.1.1/24
# LT interface in the Lsys Coke, paired with LSYS0 unit 2
set logical-systems COKE-LSYS interfaces lt-0/0/0 unit 3 encapsulation ethernet
set logical-systems COKE-LSYS interfaces lt-0/0/0 unit 3 peer-unit 2
set logical-systems COKE-LSYS interfaces lt-0/0/0 unit 3 family inet address 10.0.1.2/24
# LT interface in the Lsys Pepsi, paired with LSYS0 unit 4
set logical-systems PEPSI-LSYS interfaces lt-0/0/0 unit 5 encapsulation ethernet
set logical-systems PEPSI-LSYS interfaces lt-0/0/0 unit 5 peer-unit 4
set logical-systems PEPSI-LSYS interfaces lt-0/0/0 unit 5 family inet address 10.0.1.3/24
LOGICAL SYSTEMS CONFIGURATION 3/4 - FIRST USER LSYS
# Now set up the COKE Logical System
edit logical-systems COKE-LSYS
set interfaces reth1 unit 1 vlan-id 1
set interfaces reth1 unit 1 family inet address 12.1.1.1/24
edit routing-instances COKE-VR
set instance-type virtual-router
set interface reth1.1
set interface lt-0/0/0.3
set routing-options static route 0.0.0.0/0 next-hop 10.0.0.1
up
set security zones security-zone Coke-Trust
set security zones security-zone Coke-Trust host-inbound-traffic system-services ping
set security zones security-zone Coke-Trust interfaces reth1.1
# the untrust zone of this LSYS holds its own LT interface (lt-0/0/0.3, paired with LSYS0)
set security zones security-zone Coke-Untrust interfaces lt-0/0/0.3
edit security policies from-zone Coke-Trust to-zone Coke-Untrust
set policy to-Inter-LSYS match source-address any
set policy to-Inter-LSYS match destination-address any
set policy to-Inter-LSYS match application any
set policy to-Inter-LSYS then permit
top
LOGICAL SYSTEMS CONFIGURATION 4/4 - SECOND USER LSYS
# Now set up the PEPSI Logical System
edit logical-systems PEPSI-LSYS
# each unit of reth1 needs its own VLAN ID (unit 1 in COKE-LSYS already uses vlan-id 1)
set interfaces reth1 unit 2 vlan-id 2
set interfaces reth1 unit 2 family inet address 13.1.1.1/24
edit routing-instances PEPSI-VR
set instance-type virtual-router
set interface reth1.2
set interface lt-0/0/0.5
set routing-options static route 0.0.0.0/0 next-hop 10.0.0.1
up
set security zones security-zone PEPSI-Trust
set security zones security-zone PEPSI-Trust host-inbound-traffic system-services ping
set security zones security-zone PEPSI-Trust interfaces reth1.2
set security zones security-zone PEPSI-Untrust interfaces lt-0/0/0.5
edit security policies from-zone PEPSI-Trust to-zone PEPSI-Untrust
set policy to-Inter-LSYS match source-address any
set policy to-Inter-LSYS match destination-address any
set policy to-Inter-LSYS match application any
set policy to-Inter-LSYS then permit
top
LOGICAL SYSTEMS MONITORING
# Flow statistics
show security flow statistics root-logical-system
show security flow statistics logical-system <all|Lsys>
# Assigned profile and current usage for each individual profile parameter
show system security-profile ? logical-system <all|Lsys>
VPN
IPSEC VPN FLAVOURS
• Policy Based VPN: for site-to-site VPNs; upon match a security policy sets up a VPN tunnel
• Route Based VPN: for site-to-site VPNs; specify a VPN tunnel interface (st0.x); upon match a security policy permits traffic to this tunnel interface
• Dynamic VPN: for remote access of travelling users; rollout and update of VPN client software; authenticate the user and assign IPs during VPN establishment
ROUTE BASED VPN
ROUTE BASED VPN SITE-TO-SITE WITH MAIN MODE (1/3)
# Enable IKE traffic on the untrust interface
edit security zones security-zone untrust interfaces ge-0/0/1.0
set host-inbound-traffic system-services ike
top
# Define Phase 1 proposal
edit security ike proposal P1-AES
set authentication-method pre-shared-keys
set dh-group group2
set authentication-algorithm sha1
set encryption-algorithm aes-128-cbc
top
# Define Phase 2 proposal
set security ipsec proposal P2-AES protocol esp
set security ipsec proposal P2-AES authentication-algorithm hmac-sha1-96
set security ipsec proposal P2-AES encryption-algorithm aes-128-cbc
# Predefined proposal sets also exist
lab@srx-210# set security ike policy ike-policy-1 proposal-set ?
Possible completions:
  basic                IKE proposal-set for basic
  compatible           IKE proposal-set for compatible
  standard             IKE proposal-set for standard
[edit]
ROUTE BASED VPN SITE-TO-SITE WITH MAIN MODE (2/3)
# Phase 1 gateway definition
set security ike policy IKE-POLICY-1 mode main
set security ike policy IKE-POLICY-1 proposals P1-AES
set security ike policy IKE-POLICY-1 pre-shared-key ascii-text juniper
set security ike gateway GW1 address 172.16.42.11
set security ike gateway GW1 external-interface ge-0/0/0.0
set security ike gateway GW1 ike-policy IKE-POLICY-1
# Phase 2 VPN definition
set security ipsec policy IPSEC-POLICY-1 proposals P2-AES
set security ipsec policy IPSEC-POLICY-1 perfect-forward-secrecy keys group2
set security ipsec vpn VPN1 ike gateway GW1
set security ipsec vpn VPN1 ike ipsec-policy IPSEC-POLICY-1
# Optional VPN Monitor (Phase 2 keep alive as ping inside the tunnel)
set security ipsec vpn VPN1 vpn-monitor optimized
# Use this statement - on one side of the VPN - to get the tunnel established fast
set security ipsec vpn VPN1 establish-tunnels immediately
ROUTE BASED VPN SITE-TO-SITE WITH MAIN MODE (3/3)
# Create a secure tunnel interface
set interfaces st0 unit 0 family inet
set security zones security-zone trust interfaces st0.0

# Optional: if a numbered interface is required, set an interface IP
set interfaces st0 unit 0 family inet address 1.1.1.1/28

# Configure routing
set routing-options static route 10.1.1.0/24 next-hop st0.0

# Assign the IPsec configuration to the interface
set security ipsec vpn VPN1 bind-interface st0.0

# There are global options (system wide for all Phase 2) to set VPN monitor thresholds
# Default is interval 10, threshold 10, which results in 100 sec detection time
set security ipsec vpn-monitor-options interval 3
set security ipsec vpn-monitor-options threshold 3
ROUTE BASED VPN ADDITIONAL OPTIONS
# Interface number for a second VPN tunnel interface
# Use name st0 with another unit
set interfaces st0 unit 1 family inet

# By default we use proxy-ID local 0.0.0.0/0 remote 0.0.0.0/0 service 0
# To override this for third party compatibility you can manually set one proxy-ID
# When the SRX checks an incoming proxy-ID, more specific IPs match less specific IPs
# Example: remote-ID 192.168.1.0/24 is accepted when the proxy-ID is 0.0.0.0/0
set security ipsec vpn vpn-1 ike proxy-identity local <net> remote <net> service <svc>

# Next hop tunnel binding - allows multiple endpoints on one tunnel interface
set interfaces st0 unit 0 multipoint

# Dead peer detection (Phase 1 keepalive as IKE message)
set security ike gateway GW1 dead-peer-detection
ROUTE BASED VPN BRANCH-TO-CENTRAL WITH AGGRESSIVE MODE (1/2)

Branch Site with Dynamic IP
# Phase 1 gateway definition
set security ike policy BRANCH-POLICY mode aggressive
set security ike policy BRANCH-POLICY proposal-set standard
set security ike policy BRANCH-POLICY pre-shared-key ascii-text secret
set security ike gateway CENTRAL-GW ike-policy BRANCH-POLICY
set security ike gateway CENTRAL-GW address 1.1.1.1
set security ike gateway CENTRAL-GW local-identity user-at-hostname "[email protected]"
set security ike gateway CENTRAL-GW external-interface pp0.0

Central Site with Fixed IP (1.1.1.1)
# Phase 1 gateway definition
set security ike policy BRANCH-POLICY mode aggressive
set security ike policy BRANCH-POLICY proposal-set standard
set security ike policy BRANCH-POLICY pre-shared-key ascii-text secret
set security ike gateway BRANCH-GW ike-policy BRANCH-POLICY
set security ike gateway BRANCH-GW dynamic user-at-hostname "[email protected]"
set security ike gateway BRANCH-GW external-interface ge-0/0/0.0
ROUTE BASED VPN BRANCH-TO-CENTRAL WITH AGGRESSIVE MODE (2/2)

Branch Site with Dynamic IP
# Phase 2 definitions with tunnel binding and optional proxy-ID
set security ipsec policy BRANCH-POLICY proposal-set standard
set security ipsec vpn CENTRAL-VPN bind-interface st0.0
set security ipsec vpn CENTRAL-VPN vpn-monitor optimized
set security ipsec vpn CENTRAL-VPN ike gateway CENTRAL-GW
set security ipsec vpn CENTRAL-VPN ike proxy-identity local 10.0.0.0/24
set security ipsec vpn CENTRAL-VPN ike proxy-identity remote 20.0.0.0/24
set security ipsec vpn CENTRAL-VPN ike proxy-identity service any
set security ipsec vpn CENTRAL-VPN ike ipsec-policy BRANCH-POLICY
set security ipsec vpn CENTRAL-VPN establish-tunnels immediately
# Route into the tunnel (the remote proxy-ID network)
set routing-options static route 20.0.0.0/24 next-hop st0.0

Central Site with Fixed IP
# Phase 2 definitions with tunnel binding and optional proxy-ID
set security ipsec policy BRANCH-POLICY proposal-set standard
set security ipsec vpn BRANCH-VPN bind-interface st0.0
set security ipsec vpn BRANCH-VPN vpn-monitor optimized
set security ipsec vpn BRANCH-VPN ike gateway BRANCH-GW
set security ipsec vpn BRANCH-VPN ike proxy-identity local 20.0.0.0/24
set security ipsec vpn BRANCH-VPN ike proxy-identity remote 10.0.0.0/24
set security ipsec vpn BRANCH-VPN ike proxy-identity service any
set security ipsec vpn BRANCH-VPN ike ipsec-policy BRANCH-POLICY
# Route into the tunnel (the remote proxy-ID network)
set routing-options static route 10.0.0.0/24 next-hop st0.0
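How the proxy-ID rule from the "additional options" page (more specific networks match less specific ones, never the reverse) plays out for the mirrored CENTRAL-VPN / BRANCH-VPN proxy-identities above, as an added Python example that is not part of the jump station; ProxyId, diagnose and responder_accepts are this example's own names, and BRANCH_TYPO is a constructed mismatch.

```python
"""Proxy-ID matching between two IPsec VPN peers.

Added example (not from the jump station). The responder accepts an incoming
proxy-ID when the initiator's networks are equal to or more specific than the
responder's configured ones (192.168.1.0/24 is accepted against 0.0.0.0/0, but
0.0.0.0/0 is not accepted against a /24) and the services match or one side is
'any'. Class and function names are this example's own.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List


@dataclass(frozen=True)
class ProxyId:
    local: str            # 'ike proxy-identity local <net>'
    remote: str           # 'ike proxy-identity remote <net>'
    service: str = "any"  # 'ike proxy-identity service <svc>'; the SRX default is service 0 (= any)


def _covers(configured: str, offered: str) -> bool:
    """True when the offered subnet is equal to or more specific than the configured one."""
    return ip_network(offered).subnet_of(ip_network(configured))


def _service_ok(a: str, b: str) -> bool:
    any_values = {"any", "0"}
    return a in any_values or b in any_values or a == b


def diagnose(responder: ProxyId, initiator: ProxyId) -> List[str]:
    """Explain why the responder would reject the initiator's Phase 2 proposal.

    The initiator's local network arrives as the responder's remote and vice
    versa, so the two sides are compared mirrored. An empty list means accepted.
    """
    problems = []
    if not _covers(responder.remote, initiator.local):
        problems.append(f"initiator local {initiator.local} is not within responder remote {responder.remote}")
    if not _covers(responder.local, initiator.remote):
        problems.append(f"initiator remote {initiator.remote} is not within responder local {responder.local}")
    if not _service_ok(responder.service, initiator.service):
        problems.append(f"service {initiator.service} does not match {responder.service}")
    return problems


def responder_accepts(responder: ProxyId, initiator: ProxyId) -> bool:
    return not diagnose(responder, initiator)


# Values from the branch-to-central pages (CENTRAL-VPN on the branch,
# BRANCH-VPN on the central site), the SRX default, and a constructed typo.
BRANCH_SITE = ProxyId(local="10.0.0.0/24", remote="20.0.0.0/24")
CENTRAL_SITE = ProxyId(local="20.0.0.0/24", remote="10.0.0.0/24")
SRX_DEFAULT = ProxyId(local="0.0.0.0/0", remote="0.0.0.0/0", service="0")
BRANCH_TYPO = ProxyId(local="10.0.0.0/24", remote="20.0.1.0/24")   # constructed mismatch

if __name__ == "__main__":
    for name, init in [("branch", BRANCH_SITE), ("branch-typo", BRANCH_TYPO), ("default", SRX_DEFAULT)]:
        print(f"central responder <- {name}:", diagnose(CENTRAL_SITE, init) or "accepted")
    print("default responder <- branch:", diagnose(SRX_DEFAULT, BRANCH_SITE) or "accepted")
```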
POLICY BASED VPN
POLICY BASED VPN CONFIGURATION
TODO
Technote: http://www.juniper.net/us/en/local/pdf/app-notes/3500175-en.pdf
VPN WITH CERTIFICATES
VPN WITH CERTIFICATES (1/6)
PKI Operations
# Create a CA profile (simplified, with CRL checking disabled)
set security pki ca-profile ca-profile-ipsec ca-identity xyz.com
set security pki ca-profile ca-profile-ipsec revocation-check disable

# Create a key pair
request security pki generate-key-pair certificate-id ca-ipsec size 1024

# Create a certificate request for the local device certificate
request security pki generate-certificate-request certificate-id ca-ipsec subject "CN=srx210-bot,OU=IT,L=LAB" ip-address 10.1.0.1 domain-name srx210-bot.xyz.com

Copy the output of the above command to a file and use it as the signing request for your CA.
It is very important to define the “X509v3 Subject Alternative Name”. JUNOS supports ip-address, domain-name and email. In this request we define an ip-address and the domain-name. This attribute is used as the IKE-ID and has to match the IKE configuration.
The signing CA has to support “X509v3 Subject Alternative Name”. E.g. for OpenSSL you have to modify the file “openssl.cnf” in this way:
# Extension copying option: use with caution.
copy_extensions = copy
VPN WITH CERTIFICATES (2/6)
Copy the signed certificate and the CA root certificate from the CA to the SRX file system.
# Load the signed certificate from the file system
request security pki local-certificate load certificate-id ca-ipsec filename /var/tmp/certnew.cer
# Load the CA root certificate from the file system
request security pki ca-certificate load ca-profile ca-profile-ipsec filename /var/tmp/CA-certnew.cer
VPN WITH CERTIFICATES (3/6)
lab@SRX210-bot> show security pki ca-certificate
Certificate identifier: ca-profile-ipsec
  Issued to: ic.xyz.com, Issued by: C = US, ST = CA, L = Sunnyvale, O = XYZ, OU = IT, CN = ic.xyz.com, emailAddress = [email protected]
  Validity:
    Not before: 09-18-2009 13:25
    Not after: 10-27-2013 13:25
  Public key algorithm: rsaEncryption(1024 bits)

lab@SRX210-bot> show security pki local-certificate detail
Certificate identifier: ca-ipsec
  Certificate version: 3
  Serial number: 00000010
  Issuer:
    Organization: XYZ, Organizational unit: IT, Country: US, State: CA, Locality: Sunnyvale, Common name: ic.xyz.com
  Subject:
    Organizational unit: IT, Locality: LAB, Common name: srx210-bot
  Alternate subject: email empty, srx210-bot.xyz.com, 10.1.0.1
  Validity:
    Not before: 12-28-2010 13:17
    Not after: 02- 5-2015 13:17
  Public key algorithm: rsaEncryption(1024 bits)
    30:81:89:02:81:81:00:aa:e8:f0:49:0f:0d:28:9e:71:5b:a7:c1:64
    …
    bc:b2:7f:6c:26:f3:8c:54:dc:2b:7f:3d:64:0d:09:02:03:01:00:01
  Signature algorithm: sha1WithRSAEncryption
  Fingerprint:
    28:1d:f4:b6:96:41:8d:13:fa:dd:7d:fd:26:ed:2b:53:15:88:bd:97 (sha1)
    e3:1b:af:db:e7:e9:90:99:5a:c7:ac:d4:e2:ef:2a:da (md5)
  Auto-re-enrollment:
    Status: Disabled
    Next trigger time: Timer not started
VPN WITH CERTIFICATES (4/6)
VPN Configuration
The “local-identity” has to match the “X509v3 Subject Alternative Name” of the gateway's local certificate, because it is used as the IKE-ID. Since 10.2 there is a hidden command “set security ike gateway srx210-top general-ikeid” to ignore an IKE-ID mismatch. Nevertheless the certificate needs a “X509v3 Subject Alternative Name” to get Phase 1 up.
The IPsec configuration is the same as with preshared keys.

# Create IKE proposal
set security ike proposal P1-AES-CERT authentication-method rsa-signatures
set security ike proposal P1-AES-CERT dh-group group2
set security ike proposal P1-AES-CERT authentication-algorithm sha1
set security ike proposal P1-AES-CERT encryption-algorithm aes-256-cbc

# Create IKE policy
set security ike policy ike-policy-1 mode main
set security ike policy ike-policy-1 proposals P1-AES-CERT
set security ike policy ike-policy-1 certificate local-certificate ca-ipsec
set security ike policy ike-policy-1 certificate trusted-ca use-all
set security ike policy ike-policy-1 certificate peer-certificate-type x509-signature

# Create IKE gateway
set security ike gateway srx210-top ike-policy ike-policy-1
set security ike gateway srx210-top address 10.1.0.10
set security ike gateway srx210-top local-identity inet 10.0.1.10
set security ike gateway srx210-top external-interface ge-0/0/1.0
VPN WITH CERTIFICATES (5/6)
Advanced Features CRL-Checking and SCEP Auto-enrollment
# Create a CA profile with CRL checking and SCEP
set security pki ca-profile RSA_CA_LAB ca-identity RSA-CA
set security pki ca-profile RSA_CA_LAB enrollment url https://10.100.160.59:446/aca4eeb14189074335ac14b30259698fa8862b66/pkiclient.exe
set security pki ca-profile RSA_CA_LAB revocation-check crl url http://10.100.160.59:447/RSA-CA.crl
set security pki ca-profile RSA_CA_LAB revocation-check crl refresh-interval 24

# Automatic re-enrollment of the local certificate via SCEP
set security pki auto-re-enrollment certificate-id SRX-210-HQ ca-profile-name RSA_CA_LAB
set security pki auto-re-enrollment certificate-id SRX-210-HQ challenge-password "$9$3qaq6/t0ORSyKu0LxdVY2"
set security pki auto-re-enrollment certificate-id SRX-210-HQ re-enroll-trigger-time-percentage 5
VPN WITH CERTIFICATES (6/6)
root@SRX-210-HQ-1> show security pki crl detail | no-more
CA profile: RSA_CA_LAB
  CRL version: V00000001
  CRL issuer: C = CH, O = SA, OU = Security, CN = RSA-CA
  Effective date: 11- 9-2010 13:54
  Next update: 11-10-2010 13:54
  Revocation List:
    Serial number                     Revocation date
    1b9433a6682555883abf042c15e602da  06-10-2010 07:54
    21fffde9d68115b3d9335a97c8744b46  11- 9-2010 13:30
    4a5c1a9e624cd522b49f0485272c42b4  06-10-2010 08:28
    4de41accc7e4cc606a1dad93cb510092  06-22-2010 06:31
    59304b23b9e6f80abd9fe0325af16b80  06- 9-2010 14:16
    5b336a94660f5a69e00b48af9662b71d  11- 8-2010 17:36
    678a297eccfe78ab0d693ff162e8cdf4  06- 9-2010 15:01
    6bf7aff47f68f8687a1f14f0df2b014a  11- 8-2010 15:48
    6f4168f96a06957ac769be5465f753a2  06- 9-2010 15:09
    8610479e69f64eb08972b27bba24365a  06-10-2010 07:47
    89ac59d9df40954feac5c57e4d0739a2  11- 9-2010 13:31
    bec78a93e4101f71c782784b34c33ef4  11- 9-2010 10:47
    cadd34f4f77f5042198792dd02cbcb1a  06-22-2010 07:35
    e87b6aa7ea5562ecdd1379e51bb02ba8  06- 9-2010 13:24
VPN DIAGNOSTICS
IPSEC VPN MONITORING AND TROUBLESHOOTING (1)
### Ping through the VPN - sometimes you might have to alter the source interface
# or your routing instance to get the ping into the tunnel
ping 192.168.1.1 [routing-instance xx] interface fe-0/0/7.0

### Monitoring
# Phase 1 - cookies
show security ike security-associations
# Phase 2 - security associations
show security ipsec security-associations
# IPsec and interface statistics
show security ipsec statistics
show interfaces st0 [terse|detail]
# Manually clear tunnels
clear security ike security-associations
clear security ipsec security-associations
# Logs and traces are by default written to the file kmd
file show /var/log/kmd | last

### JUNOS 11.4 and 12.1X44 have several improvements for IPsec troubleshooting
# 1. Extended output for show security ike|ipsec security-associations
# 2. Start debugging for a certain session without commit; the output is written to kmd
request security ike debug-enable local 10.1.1.10 remote 10.1.1.30 level 15
request security ike debug-disable
show security ike debug-status
# 3. Inactive tunnel information
show security ipsec inactive-tunnels
IPSEC VPN MONITORING AND TROUBLESHOOTING (2)
Tunnel interface up/down is logged in syslog:
Jul 29 11:34:08 192.168.1.1 Jul 29 11:34:08 mib2d[921]: SNMP_TRAP_LINK_UP: ifIndex 253, ifAdminStatus up(1), ifOperStatus up(1), ifName st0.0
Jul 29 11:34:08 192.168.1.1 Jul 29 11:34:08 rpd[897]: EVENT UpDown st0.0 index 80 <Up Broadcast PointToPoint Multicast>
Jul 29 11:34:08 192.168.1.1 Jul 29 11:34:08 srx650-1 IFP trace> ifp_ifl_anydown_change_event: IFL anydown change event: "st0.0"

If more details are required, use an IKE trace file:
set security ike traceoptions file VPNtrace
set security ike traceoptions file files 3
set security ike traceoptions file size 1m
set security ike traceoptions flag ike
set security ike traceoptions flag policy-manager
IPSEC VPN MONITORING AND TROUBLESHOOTING (3)
Example output from the IKE trace file:
Jul 29 12:32:39 ike_st_o_all_done: MESSAGE: Phase 1 { 0x4a583c5c adb05f96 - 0xebace718 6f0a0626 } / 00000000, version = 1.0, xchg = Identity protect, auth_method = Pre shared keys, Initiator, cipher = aes-cbc, hash = sha1, prf = hmac-sha1, life = 0 kB / 3600 sec, key len
Jul 29 12:32:39 10.2.1.1:500 (Initiator) <-> 10.2.1.100:500 { 4a583c5c adb05f96 - ebace718 6f0a0626 [-1] / 0x00000000 } IP; MESSAGE: Phase 1 version = 1.0, auth_method = Pre shared keys, cipher = aes-cbc, hash = sha1, prf = hmac-sha1, life = 0 kB / 3600 sec, key len = 12
Jul 29 12:32:39 10.2.1.1:500 (Initiator) <-> 10.2.1.100:500 { 4a583c5c adb05f96 - ebace718 6f0a0626 [0] / 0x774c39de } QM; MESSAGE: Phase 2 connection succeeded, Using PFS, group = 2
Jul 29 12:32:39 ike_qm_call_callback: MESSAGE: Phase 2 connection succeeded, Using PFS, group = 2
Jul 29 12:32:39 10.2.1.1:500 (Initiator) <-> 10.2.1.100:500 { 4a583c5c adb05f96 - ebace718 6f0a0626 [0] / 0x774c39de } QM; MESSAGE: SA[0][0] = ESP aes, life = 0 kB/28800 sec, group = 2, tunnel, hmac-sha1-96, key len = 128, key rounds = 0
Jul 29 12:32:39 ike_qm_call_callback: MESSAGE: SA[0][0] = ESP aes, life = 0 kB/28800 sec, group = 2, tunnel, hmac-sha1-96, key len = 128, key rounds = 0

# Example output for a proposal mismatch in Phase 2 looks like this:
Jul 29 12:40:25 10.2.1.1:500 (Responder) <-> 10.2.1.100:500 { a0e2f3a5 e02b5e54 - 9b9f2cf3 bf990db6 [0] / 0xf1d579af } QM; Error = No proposal chosen (14)

# Example output for a proxy-ID mismatch looks like this:
Apr 19 12:47:20 KMD_PM_P2_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-2 [responder] failed for p1_local=ipv4(udp:500,[0..3]=172.16.42.210) p1_remote=usr@fqdn(udp:500,[0..14][email protected]) p2_local=ipv4_subnet(any:0,[0..7]=10.0.42.210/24) p2_remote=ipv4_subnet(any:0,[0..7]=192.16.42.220/24)
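Added detection logic (example code, not from the jump station) that classifies the kinds of kmd/IKE trace lines shown on this and the previous page and pulls out the peers and the offered proxy-ID subnets; the sample log is constructed from those lines with the elided identity replaced by a placeholder, and the function and field names are this example's own.

```python
"""Triage of IKE trace / kmd log lines.

Added example (not from the jump station): classifies each line as Phase 1 up,
Phase 2 up, a proposal mismatch ('No proposal chosen') or a proxy-ID mismatch
(KMD_PM_P2_POLICY_LOOKUP_FAILURE) and extracts peer addresses and the offered
p2_local/p2_remote subnets. Function and key names are this example's own.
"""
import re
from typing import Dict, List, Optional

PEER_RE = re.compile(
    r"(?P<local>\d+\.\d+\.\d+\.\d+):\d+ \((?P<role>Initiator|Responder)\) <-> "
    r"(?P<remote>\d+\.\d+\.\d+\.\d+):\d+"
)
P2_RE = re.compile(r"p2_(?P<side>local|remote)=ipv4_subnet\([^)]*=(?P<net>[\d.]+/\d+)\)")

HINTS = {
    "proxy-id mismatch": "compare p2_local/p2_remote with the peer's ike proxy-identity (sides are mirrored)",
    "proposal mismatch": "compare proposals (auth, dh-group/PFS, hash, cipher) and mode on both peers",
}


def classify(line: str) -> Optional[Dict]:
    """Return an event dict for a line of interest, or None for noise."""
    if "KMD_PM_P2_POLICY_LOOKUP_FAILURE" in line:
        kind = "proxy-id mismatch"
    elif "No proposal chosen" in line:
        kind = "proposal mismatch"
    elif "Phase 2 connection succeeded" in line:
        kind = "phase2 up"
    elif "ike_st_o_all_done" in line and "Phase 1" in line:
        kind = "phase1 up"
    else:
        return None
    event: Dict = {"kind": kind, "timestamp": line[:15]}
    m = PEER_RE.search(line)
    if m:
        event.update(m.groupdict())        # local, role, remote
    if kind == "proposal mismatch":
        event["phase"] = 2 if "QM;" in line else None   # QM = quick mode = Phase 2
    if kind == "proxy-id mismatch":
        event["p2"] = {x.group("side"): x.group("net") for x in P2_RE.finditer(line)}
    if kind in HINTS:
        event["hint"] = HINTS[kind]
    return event


def triage(log: str) -> List[Dict]:
    """Classify every line of a log dump and drop the lines that carry no verdict."""
    return [e for e in (classify(line) for line in log.splitlines()) if e]


# Constructed sample, built from the lines shown on the page; the elided
# user@fqdn identity is replaced by a placeholder.
SAMPLE_LOG = """\
Jul 29 12:32:39 ike_st_o_all_done: MESSAGE: Phase 1 { 0x4a583c5c adb05f96 - 0xebace718 6f0a0626 } / 00000000, version = 1.0, xchg = Identity protect, auth_method = Pre shared keys, Initiator, cipher = aes-cbc, hash = sha1, prf = hmac-sha1, life = 0 kB / 3600 sec
Jul 29 12:32:39 10.2.1.1:500 (Initiator) <-> 10.2.1.100:500 { 4a583c5c adb05f96 - ebace718 6f0a0626 [0] / 0x774c39de } QM; MESSAGE: Phase 2 connection succeeded, Using PFS, group = 2
Jul 29 12:32:39 ike_qm_call_callback: MESSAGE: SA[0][0] = ESP aes, life = 0 kB/28800 sec, group = 2, tunnel, hmac-sha1-96, key len = 128, key rounds = 0
Jul 29 12:40:25 10.2.1.1:500 (Responder) <-> 10.2.1.100:500 { a0e2f3a5 e02b5e54 - 9b9f2cf3 bf990db6 [0] / 0xf1d579af } QM; Error = No proposal chosen (14)
Apr 19 12:47:20 KMD_PM_P2_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-2 [responder] failed for p1_local=ipv4(udp:500,[0..3]=172.16.42.210) p1_remote=usr@fqdn(udp:500,[0..14]=USER-AT-FQDN-PLACEHOLDER) p2_local=ipv4_subnet(any:0,[0..7]=10.0.42.210/24) p2_remote=ipv4_subnet(any:0,[0..7]=192.16.42.220/24)
"""

if __name__ == "__main__":
    for event in triage(SAMPLE_LOG):
        print(event)
```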
VPN CONFIGURATION AND TROUBLESHOOTING: FLOW CHART WITH KNOWLEDGEBASE ENTRIES
DYNAMIC VPN CLIENT
LICENSING FOR DYNAMIC VPN
By default all Branch SRX include a license for up to 2 connections.
If you need more than 2 connections, there are licenses available.
Licenses are additive (two 5-user licenses will give you access for up to 10 users).
The client is included as part of the JUNOS image and can be downloaded from the SRX. In 11.1 the Dynamic VPN client was replaced with the JUNOS Pulse client.
DYNAMIC VPN NOTES AND LIMITATIONS
The Dynamic VPN feature is available for Branch SRX, not for Datacenter SRX.
The following limitations were removed with 10.4:
• Before 10.4 an external RADIUS server was mandatory for authentication and IP address assignment; local users and IP pools were not supported.
• Before 10.4 an IKE gateway was required for each and every VPN user. 10.4 introduces the shared/group IKE-ID.
• Before 10.4 only hostnames were allowed as IKE-ID (no FQDN, no email address).
• Before 10.4 access to the authentication page required the public interface to be opened for web management.
In 11.2R3 the capacities for Dynamic VPN were increased:
• SRX-RAC-500-LTU for SRX650 - requires JUNOS 11.2R3
• SRX-RAC-250-LTU for SRX240 and 650 - requires JUNOS 11.2R3
• SRX-RAC-150-LTU for 650/240/220
• SRX-RAC-25-LTU for 210/100
The following notes are based on pre-10.4 releases. It is better to use the latest, excellent configuration example from http://kb.juniper.net/index?page=content&id=KB14318
Since 11.4 J-Web offers a wizard to complete the configuration.
There is also a good troubleshooting guide at http://kb.juniper.net/KB17220
DYNAMIC VPN - PREPARATION
# Set the correct time zone, date and time (NTP)
set system time-zone Europe/Berlin

# In operational mode
srx> set date YYYYMMDDhhmm.ss
# or
srx> set date ntp de.pool.ntp.org
27 Apr 16:10:48 ntpdate[981]: step time server 213.61.224.44 offset 0.000876 sec

# Use this configuration statement to activate a self-signed certificate (unless you have a signed one)
set system services web-management https system-generated-certificate

# And enable HTTPS traffic on the desired interface
set security zones security-zone untrust host-inbound-traffic system-services https

# Since 10.3: if an interface accepts dynamic-vpn connections, all HTTP traffic is redirected to
# https://<ip>/dynamic-vpn, so you can no longer manage the device on this interface unless you
# specify a management URL (see KB19411)
set system services web-management management-url admin
VPN CONFIGURATION

Enable IKE traffic on the untrust interface
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ike

Define Phase 1 proposal
set security ike proposal P1-Dynamic-AES authentication-method pre-shared-keys
set security ike proposal P1-Dynamic-AES dh-group group2
set security ike proposal P1-Dynamic-AES authentication-algorithm sha1
set security ike proposal P1-Dynamic-AES encryption-algorithm aes-128-cbc

Define Phase 2 proposal
set security ipsec proposal P2-Dynamic-AES protocol esp
set security ipsec proposal P2-Dynamic-AES authentication-algorithm hmac-sha1-96
set security ipsec proposal P2-Dynamic-AES encryption-algorithm aes-128-cbc
VPN CONFIGURATION

Phase 1 - Gateway definition
set security ike policy dynvpn mode aggressive
set security ike policy dynvpn proposals P1-Dynamic-AES
set security ike policy dynvpn pre-shared-key ascii-text juniper
set security ike gateway gw-dyn dynamic hostname dynvpn.juniper.net
set security ike gateway gw-dyn external-interface ge-0/0/1.0
set security ike gateway gw-dyn ike-policy dynvpn
set security ike gateway gw-dyn xauth access-profile vpn-users

Phase 2 - VPN definition
set security ipsec policy dynvpn proposals P2-Dynamic-AES
set security ipsec policy dynvpn perfect-forward-secrecy keys group2
set security ipsec vpn ipsec-dyn ike gateway gw-dyn
set security ipsec vpn ipsec-dyn ike ipsec-policy dynvpn
VPN CONFIGURATION

Add an access profile and user definitions for the IPsec client authentication (used with XAuth)
# Create a profile
set access profile vpn-users authentication-order password
# Add two users to this profile
set access profile vpn-users client thomas firewall-user password secret1
set access profile vpn-users client peter firewall-user password secret2

# The above definition with local users may work, but officially we
# currently support XAuth in IPsec only together with RADIUS authentication
set access profile radius_profile authentication-order radius
set access profile radius_profile radius-server 10.204.129.50 secret xxx

Allow the same users from the local profile to log in for the IPsec client download
# Use the profile as the default for firewall pass-through authentication
set access firewall-authentication pass-through default-profile vpn-users
VPN CONFIGURATION

Prepare a policy to permit the clients' traffic
# Install a policy for VPN clients
edit security policies from-zone untrust to-zone trust policy policy-dynvpn
set match source-address any
set match destination-address any
set match application any
set then permit tunnel ipsec-vpn ipsec-dyn
set then log session-close
exit

# And move it to the beginning
edit security policies from-zone untrust to-zone trust
insert policy policy-dynvpn before policy default-permit
exit
VPN CONFIGURATION

Prepare the security policy to be delivered to the client
# Upgrade policy for VPN clients (if the local policy of the client is newer)
set security dynamic-vpn force-upgrade

# User profile for loading the client
set security dynamic-vpn access-profile vpn-users

# Destinations that are reachable through the VPN
set security dynamic-vpn clients client-1 remote-protected-resources 192.168.1.0/24
# Destinations that are reachable without going through the VPN
set security dynamic-vpn clients client-1 remote-exceptions 0.0.0.0/0

# VPN definitions and proposals used
set security dynamic-vpn clients client-1 ipsec-vpn ipsec-dyn

# Users that may log in with this profile
set security dynamic-vpn clients client-1 user thomas
set security dynamic-vpn clients client-1 user peter
LOGIN TO DOWNLOAD VPN CLIENT
URL is https://<SRXIP>/dynamic-vpn/
XAUTH - ACCESS MANAGER PROMPTS FOR USERNAME
ACCESS MANAGER WHEN TUNNEL IS ESTABLISHED
MANAGEMENT, LOGGING, MONITORING

ADMIN USERS AND MANAGEMENT ACCESS
ADMIN USERS

Set the password of the root user
root> configure
root# set system root-authentication plain-text-password
New password:
Retype new password:

Add another user
root# set system login user netscreen class super-user authentication plain-text-password
New password:
Retype new password:
USER ROLES
# Predefined user roles
lab@srx5600# set system login user <username> class ?
Possible completions:
  <class>              Login class
  operator             permissions [ clear network reset trace view ]
  read-only            permissions [ view ]
  super-user           permissions [ all ]
  unauthorized         permissions [ none ]
[edit]

# Define a new user role - it is even possible to restrict or permit individual commands
root# set system login class new-role ?
Possible completions:
  allow-commands       Regular expression for commands to allow explicitly
  allow-configuration  Regular expression for configure to allow explicitly
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  deny-commands        Regular expression for commands to deny explicitly
  deny-configuration   Regular expression for configure to deny explicitly
  idle-timeout         Maximum idle time before logout (minutes)
  login-alarms         Display system alarms when logging in
  login-script         Execute this login-script when logging in
  login-tip            Display tip when logging in
+ permissions          Set of permitted operation categories
[edit]
CUSTOM ADMINISTRATOR CLASS
# Example for an admin class that can configure only certain policies
# (allow-configuration takes a regular expression; quote it when it contains spaces)
edit system login class AREA1
set permissions configure
set allow-configuration "routing-instances VR-1"
set allow-configuration "security policies from-zone trust-1 to-zone untrust-1"
set allow-configuration "security policies from-zone untrust-1 to-zone trust-1"
set allow-configuration "security zones security-zone trust-1"
set allow-configuration "security zones security-zone untrust-1"
top

edit system login user admin1
set class AREA1
set authentication encrypted-password "$1$6xZjWBto$6PBu4Yf17rMgd.Gm3OGUo/"
top
RADIUS
# Define server IP, port and shared secret
set system radius-server 10.0.0.100 port 1812 secret abc

# Define the authentication order
set system authentication-order password
set system authentication-order radius

# Specify the source IP, useful when using VPN tunnels or non-fxp0 interfaces
set system radius-server 172.30.81.141 source-address 172.30.80.11

# Assign a class to the remotely authenticated users
# By default all RADIUS users are mapped to the user "remote"
set system login user remote full-name "All Remote Users"
set system login user remote class operator
# Untested - connection (idle) timeout of 30 minutes
root# set system login class remote idle-timeout 30

# Online help
help topic system server-radius
help topic system radius
TACACS+
# Define server IP and shared secret
set system tacplus-server 172.16.30.1 secret Tacacssecret1

# Define the authentication order (local users first, then tacplus)
set system authentication-order password
insert system authentication-order tacplus after password

# Specify the source IP, useful when using VPN tunnels or non-fxp0 interfaces
set system tacplus-server 172.16.30.1 source-address 10.0.0.1

# Assign a class to the remotely authenticated users
# By default all TACACS+ users are mapped to the user "remote"
set system login user remote full-name "All Remote Users"
set system login user remote class operator

# Set the connection (idle) timeout for users of this class to 30 minutes
root# set system login class remote idle-timeout 30

# Online help
help topic system tacplus
COOPERATION WITH OTHER USERS ON THE CLI
# Show which other users are currently logged in on the CLI
show system users

# Write a message to all users
request message all message "Anybody logged in ? Please respond with request message"

# Drop a user
request system logout user <user>

# Drop the connection on a certain terminal
request system logout terminal <tty>

# Lock the configuration against other edits
configure exclusive

# Display a message before login
set system login message "Unauthorized Access is prohibited"

# Display a message after login
set system login announcement "Don't Forget !!!\nUpgrade is scheduled for Friday noon"
RESTRICTING MANAGEMENT ACCESS
MANAGEMENT ACCESS OVERVIEW
Current state and changes over time
• Individual protocols must be enabled/disabled per zone or interface (host-inbound-traffic).
• Stateless firewall filters can be applied to interfaces to restrict protocols or source IPs.
• Since JUNOS 11.4 self-traffic policies (firewall policies with the zone junos-host) are the easiest way to restrict management traffic. They also allow all available inspection techniques (AppFW, AppTrack, IDP ..) to be used on management traffic.
PERMIT/RESTRICT MANAGEMENT ACCESS
# First the desired service must be running. By default only some services are started
# Defaults from JUNOS 9.6 are written in bold
set system services ssh
set system services web-management http interface ge-0/0/0.0
set system services telnet
set system services ftp

# HTTPS access may use a self-signed certificate
# Set date and time first (in operational mode) before you activate the self-signed certificate
srx> set date YYYYMMDDhhmm.ss
# or
srx> set date ntp de.pool.ntp.org
27 Apr 16:10:48 ntpdate[981]: step time server 213.61.224.44 offset 0.000876 sec

# Use this configuration statement to activate a self-signed certificate (unless you have a signed one)
set system services web-management https system-generated-certificate

# Finally you can specify the allowed services and protocols per zone
edit security zones security-zone trust host-inbound-traffic
set system-services all
set protocols all
top
# or per interface. Per-interface definitions override all per-zone permissions
edit security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic
set system-services https
set system-services ssh
set system-services ping
top
RESTRICT SOURCES FOR MANAGEMENT ACCESS
Before 11.4, management access for certain source IPs had to be restricted with a stateless firewall filter. The filter can be tied to each interface where host-inbound-traffic is permitted, or directly to the loopback interface lo0.0.

# Example to restrict access to the Routing Engine to a certain subnet
# A first term specifies the permitted sources
set firewall family inet filter PROTECT-RE term 1 from source-address 192.168.42.0/24
set firewall family inet filter PROTECT-RE term 1 from source-address <CUSTOMER-NETWORK/24>
set firewall family inet filter PROTECT-RE term 1 then accept

# A second term can be used to count all other attempts and fall through to the last term
set firewall family inet filter PROTECT-RE term 2 from source-address 0.0.0.0/0
set firewall family inet filter PROTECT-RE term 2 then count ACCESS-ATTEMPT-RE
set firewall family inet filter PROTECT-RE term 2 then next term

# A third term can be written to drop all other attempts (but this is the default already,
# because every filter ends with an implicit "deny all" term)
set fir
ewall family inet filter PROTECT-RE term 3 from source-address 0.0.0.0/0
set firewall family inet filter PROTECT-RE term 3 then reject

# Now we are ready to assign the filter to an interface
# If you bind the filter to lo0.0 it is applied to incoming traffic from all interfaces
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
# To protect the out-of-band management interface fxp0 you need to assign the filter there explicitly
set interfaces fxp0 unit 0 family inet filter input PROTECT-RE

# To monitor access attempts you can later read the counter with the following command
show firewall filter PROTECT-RE counter ACCESS-ATTEMPT-RE
A TEMPLATE FOR MANAGEMENT ACCESS
# Firewall filter example to restrict management access
edit firewall filter RE_Protection
set term in-ssh from source-address <trusted host or network>
set term in-ssh from protocol tcp
set term in-ssh from destination-port ssh
set term in-ssh then accept
set term snmp from source-address <SNMP Poller>
set term snmp from protocol udp
set term snmp from port snmp
set term snmp then accept
set term ntp from source-address <NTP SERVER>/32
set term ntp from protocol udp
set term ntp from port ntp
set term ntp then accept
set term deny-any-other-ssh from protocol tcp
set term deny-any-other-ssh from port ssh
set term deny-any-other-ssh from port telnet
set term deny-any-other-ssh from port ftp
set term deny-any-other-ssh from port ftp-data
set term deny-any-other-ssh then discard
set term deny-any-other-udp from protocol udp
set term deny-any-other-udp from port snmp
set term deny-any-other-udp from port snmptrap
set term deny-any-other-udp from port ntp
set term deny-any-other-udp then discard
set term allow-everything-else then accept
top
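A model of how JUNOS evaluates a stateless filter term by term (terms in order, "next term" falls through, a matching term without a terminating action accepts, and an implicit discard closes every filter), applied to PROTECT-RE from the previous page and to the RE_Protection template above, as an added Python example that is not part of the jump station; Term, Packet and evaluate are this example's own names, and the addresses standing in for <CUSTOMER-NETWORK/24>, <SNMP Poller> and <NTP SERVER> are constructed.

```python
"""Stateless firewall filter evaluation, term by term.

Added example (not from the jump station): a small model of how JUNOS walks a
family inet filter. Terms are tried in order; a matching term runs its actions;
'next term' falls through; a matching term without a terminating action accepts;
a packet matching no term hits the implicit discard at the end of the filter.
Class names, sample packets and stand-in addresses are this example's own.
"""
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set

# Port names used in the template, as JUNOS resolves them.
PORTS = {"ssh": 22, "telnet": 23, "ftp": 21, "ftp-data": 20,
         "snmp": 161, "snmptrap": 162, "ntp": 123}


@dataclass
class Term:
    name: str
    source_address: List[str] = field(default_factory=list)  # prefixes; empty means any
    protocol: Optional[str] = None                           # "tcp" / "udp" / None for any
    port: Set[int] = field(default_factory=set)              # 'from port': source OR destination
    destination_port: Set[int] = field(default_factory=set)
    count: Optional[str] = None                              # 'then count <name>'
    then: Optional[str] = None       # "accept" | "discard" | "reject" | "next-term" | None


@dataclass
class Packet:
    src: str
    proto: str
    sport: int
    dport: int


def ports(*names: str) -> Set[int]:
    return {PORTS[n] for n in names}


def term_matches(term: Term, pkt: Packet) -> bool:
    """All 'from' conditions of a term are ANDed; the prefixes of one condition are ORed."""
    if term.source_address and not any(ip_address(pkt.src) in ip_network(p) for p in term.source_address):
        return False
    if term.protocol and term.protocol != pkt.proto:
        return False
    if term.port and pkt.sport not in term.port and pkt.dport not in term.port:
        return False
    if term.destination_port and pkt.dport not in term.destination_port:
        return False
    return True


def evaluate(terms: List[Term], pkt: Packet, counters: Counter) -> str:
    """Return the terminating action for pkt and update the named counters on the way."""
    for term in terms:
        if not term_matches(term, pkt):
            continue
        if term.count:
            counters[term.count] += 1
        if term.then == "next-term":
            continue                      # explicit fall-through to the next term
        return term.then or "accept"      # no terminating action configured: JUNOS accepts
    return "discard"                      # implicit deny-all at the end of every filter


# PROTECT-RE from the previous page; 10.99.0.0/24 stands in for <CUSTOMER-NETWORK/24>.
PROTECT_RE = [
    Term("1", source_address=["192.168.42.0/24", "10.99.0.0/24"], then="accept"),
    Term("2", source_address=["0.0.0.0/0"], count="ACCESS-ATTEMPT-RE", then="next-term"),
    Term("3", source_address=["0.0.0.0/0"], then="reject"),
]

# RE_Protection template with constructed values for the placeholders.
RE_PROTECTION = [
    Term("in-ssh", source_address=["192.168.42.0/24"], protocol="tcp", destination_port=ports("ssh"), then="accept"),
    Term("snmp", source_address=["10.0.0.5/32"], protocol="udp", port=ports("snmp"), then="accept"),
    Term("ntp", source_address=["10.0.0.7/32"], protocol="udp", port=ports("ntp"), then="accept"),
    Term("deny-any-other-ssh", protocol="tcp", port=ports("ssh", "telnet", "ftp", "ftp-data"), then="discard"),
    Term("deny-any-other-udp", protocol="udp", port=ports("snmp", "snmptrap", "ntp"), then="discard"),
    Term("allow-everything-else", then="accept"),
]


def demo() -> dict:
    """Run constructed packets through both filters; returns verdicts and the RE counter."""
    counters: Counter = Counter()
    verdicts = {
        "protect-re/trusted-ssh": evaluate(PROTECT_RE, Packet("192.168.42.10", "tcp", 40000, 22), counters),
        "protect-re/outsider-ssh": evaluate(PROTECT_RE, Packet("203.0.113.9", "tcp", 40000, 22), counters),
        "template/trusted-ssh": evaluate(RE_PROTECTION, Packet("192.168.42.10", "tcp", 40000, 22), counters),
        "template/outsider-ssh": evaluate(RE_PROTECTION, Packet("203.0.113.9", "tcp", 40000, 22), counters),
        "template/rogue-ntp": evaluate(RE_PROTECTION, Packet("203.0.113.9", "udp", 123, 123), counters),
        "template/bgp": evaluate(RE_PROTECTION, Packet("203.0.113.9", "tcp", 40000, 179), counters),
    }
    return {"verdicts": verdicts, "access_attempts": counters["ACCESS-ATTEMPT-RE"]}


if __name__ == "__main__":
    result = demo()
    for name, verdict in result["verdicts"].items():
        print(f"{name:26s} -> {verdict}")
    print("ACCESS-ATTEMPT-RE counter:", result["access_attempts"])
```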
SELF TRAFFIC FIREWALL POLICIES
# Beginning with JUNOS 11.4, traffic from and to the SRX itself
# can be permitted/denied by firewall policies
# This uses the new security zone "junos-host"
## Self-traffic is anything from/to the RE on any of the local interfaces
## By default all traffic from/to zone junos-host is permitted

# Example: log and tunnel outbound traffic
edit security policies from-zone junos-host to-zone zone-untrust policy LOG
set match ......
set then permit tunnel ……
set then log session-close
top

# Example: IDP for inbound traffic
edit security policies from-zone zone-untrust to-zone junos-host policy INSPECT
set match ......
set then permit application-services idp
set then log session-close
top
IN-BAND OR OUT-BAND MANAGEMENT

What is the difference?
- Out-band management connections use the management interface fxp0.
- In-band management connections use an interface which is also used to forward traffic (for example ge-x/x/x, fe-x/x/x or rethx).

What are the advantages/disadvantages?

Out-band management through fxp0
- In HA clusters fxp0 is the only interface which is reachable on the passive node.
- fxp0 is attached to the default virtual router inet.0.
- fxp0 is attached to the control plane; no traffic can be forwarded from any interface to fxp0.
- In stream mode, which is required for high-performance logging, security logs can not be sent out via fxp0.

In-band management
- In HA clusters the passive node can not communicate on any in-band management interface: direct access, monitoring, delivery of software updates, scripts and attack database updates for this node is not possible and requires workarounds.
- In-band management interfaces can be assigned to any virtual router.
- In-band interfaces allow high-performance logging (stream mode).
WHICH WAY SHOULD I CHOOSE?

Out-band management is preferred
- for any Datacenter SRX cluster, because NSM management of these SRX as a virtual chassis is not possible
- for any Branch SRX cluster installation where the management systems can connect directly to the fxp0 interfaces, i.e. are on the same side of the firewall as the management interfaces (see the following slides for details)

In-band management is preferred
- in all Branch SRX installations which are not clusters
- in all Branch SRX cluster installations where the central management system sits at a central position and would have to cross the primary SRX first before it can even reach the fxp0 interface of the passive cluster member

Hint for clusters: the Virtual Chassis Management option is required for NSM to add the cluster with a single in-band management connection.
Hint for clusters: when using in-band management you can leave the fxp0 interfaces on both members completely unconfigured.
IN-BAND MANAGEMENT: UPDATES FOR THE PASSIVE NODE

When in-band management is used, the second node is not directly reachable for management. This can cause issues for some operations:

Software updates: use the ISSU and LICU cluster upgrade procedures. They require the image to be copied only to the primary device; it is automatically copied to the secondary device.

Attack database updates: use JUNOS 11.4 or higher. When attack database updates are installed, they are automatically updated on the backup node.

Script installations: before they can be enabled in the configuration (commit) the scripts must be installed on both nodes. To achieve this, upload the scripts to the primary node first, then copy them manually to the secondary node.

Hint: how to get from one node of a cluster to the other node?
- If the fxp0 interfaces are connected, simply use ssh with the fxp0 address of the second node
- On Branch SRX use "request routing-engine login node x"
- On Datacenter SRX use the shell command "rlogin -Ji nodex"
WHETHER IN-BAND OR OUT-BAND IS PREFERRED DEPENDS ON THE POSITION OF THE MANAGEMENT SYSTEM

Figure: Example setup, SRX650 cluster with all interfaces. Node 1: fxp0 = ge-0/0/0 10.0.0.1, control link ge-0/0/1, reth0 = ge-1/0/0 (untrust), reth1 = ge-1/0/1 (trust). Node 2: fxp0 = ge-0/0/0 10.0.0.2, control link ge-0/0/1, reth0 = ge-8/0/0 (untrust), reth1 = ge-8/0/1 (trust). Cluster IPs 20.0.0.1 and 30.0.0.1.
MANAGEMENT ON THE SAME NETWORK AS FXP0

Figure: NSM or Space at 10.0.0.3; fxp0 (node1) = ge-0/0/0 10.0.0.1; fxp0 (node2) = ge-7/0/0 10.0.0.2.

OUT-BAND MANAGEMENT IS RECOMMENDED
- No changes required, the setup works immediately
- NSM or Space can establish ssh connections to both devices
- The "Add Device" workflow is possible
- Both cluster members use fxp0 to reach the management system
MANAGEMENT ON A DIFFERENT NETWORK THAN FXP0, BUT STILL ON THE SAME FIREWALL SIDE

Figure: NSM or Space at 40.0.0.3; fxp0 (node1) = ge-0/0/0 10.0.0.1; fxp0 (node2) = ge-7/0/0 10.0.0.2; router IPs 10.0.0.254, 30.0.0.254 and 40.0.0.254.

OUT-BAND MANAGEMENT IS RECOMMENDED

Hint for out-band management: both nodes need a backup route
set groups node.. system backup-router destination 40.0.0.3/32 next-hop ....
MANAGEMENT ON THE EXTERNAL SIDE OF THE FIREWALL

Figure: NSM or Space at 172.16.42.9 on the external side; reth0 = ge-1/0/0 (untrust), reth1 = ge-1/0/1 (trust), cluster IPs 20.0.0.1 and 30.0.0.1; fxp0 (node2) = ge-7/0/0 10.0.0.2; router IPs 10.0.0.254 and 30.0.0.254.

IN-BAND MANAGEMENT IS RECOMMENDED

Out-band management requires more complex routing, and during a cluster failover (RG0) the management connections have to be re-established.

Hints for in-band management:
- There is only one connection between the SRX and the management system (using reth0 of the active node)
- For NSM use the Virtual Chassis Management option
- For Space add just the active node

Hints for out-band management:
- Use several VRs on the SRX: fxp0 must stay in inet.0, all other interfaces go to another VR.
- If you have IKE traffic, terminating IKE in a custom VR requires JUNOS 10.4 or higher.
- Both nodes need a backup route:
  set groups node.. system backup-router destination 172.16.42.9/32 next-hop ...
LOGGING WITH SYSLOG

SRX LOGGING INFRASTRUCTURE
SRX logs can come from two different sources:
- from the control plane (management, routing daemons ...)
- from the data plane (firewall, IDP, AppFirewall, UTM, VPN ...)

Control plane logs (same behavior on all JUNOS devices): they can be stored in local files, sent to syslog servers or to NSM. Syslog and NSM connections can leave the SRX via forwarding interfaces or the fxp0 management interface; this is a normal routing decision.

Data plane logs on the Branch SRX: by default data plane logs are sent to the Routing Engine (event mode). From there they can be stored in local files, sent to NSM and sent to syslog servers.

Data plane logs on the Datacenter SRX: data plane logs are created on each of the SPCs. Each SPC can create a maximum of 40K logs/sec. By default data plane logs are not sent anywhere; they are not even sent to the Routing Engine.
WHERE IS THE CHALLENGE?

You have two options to send data plane logs (firewall, IDP, UTM, AppSecure ...):

Event mode logging
- All data plane logs are sent to the Routing Engine and are sent further from there
- This is the default configuration for Branch SRX
- Event mode logging can be used if log rates are low
- To avoid RE overload, rate limits are in place. These will drop logs in event mode

Stream mode logging
- Data plane logs are not sent to the Routing Engine
- Data plane logs can leave the device from every interface (except fxp0, which is tied to the Routing Engine)
- This is the default configuration for Datacenter SRX
- Stream mode logging is mandatory for high log rates
STREAM MODE LOGGING TO STRM OR A SYSLOG SERVER
Figure: control plane (process logs), data plane (process logs), STRM (syslog server).
- On a single SRX, control plane and data plane logs can use the same egress interface
- On an SRX cluster, control plane logs come from the management interface fxp0; data plane logs need another interface

EVENT MODE LOGGING TO NSM 1)
Figure: control plane (process logs), data plane (process logs), NSM, STRM (syslog server).
- Branch SRX: default mode
- Datacenter SRX: possible since 10.0 (1.5k EPS rate limit)
1) Uses the normal, encrypted connection from the SRX to NSM

STREAM MODE LOGGING TO NSM 2)
Figure: control plane (process logs), data plane (process logs), NSM.
2) Data plane logs sent as syslog from SRX to NSM; requires NSM 2011.1 or higher
STREAM MODE: HOW MANY INTERFACES ARE INVOLVED?
Figure: control plane (process logs), data plane (process logs), STRM (syslog server).

Simple solution: use two interfaces on SRX and STRM
- Looking at the logging picture it is obvious that the SRX might use different interfaces to send the two types of logs
- Since two interfaces of the same VR can not be in the same network, the two interfaces have to be in two different networks or VRs
- The easiest solution is when the log receiver and the SRX both use two interfaces. STRM can be reconfigured to use two interfaces and IPs.

Still simple solution: use only one interface on both sides
- If STRM, or another log receiver, has only one interface/IP, then the SRX must be reconfigured to send all logs through one interface
- This one interface can not be fxp0, because data plane logs can not be delivered through fxp0, so it must be a forwarding interface
- If this forwarding interface is in inet.0 you only need a host route to this interface. If it is in another VR you need a host route with next-table to that VR

Worst case: need to add a logging interface in the same network as fxp0
- When you migrate from event to stream logs and can not add additional interfaces on networks other than the one existing on fxp0
- Then you have to add a second forwarding interface in the same network. This is only possible when this interface is in another VR than fxp0
- See the next page (Logging with Overlapping Interface IP) for a complete configuration example
DATACENTER SRX LOGGING WITH OVERLAPPING INTERFACE IP
# Datacenter SRX uses fxp0 for RE logs and a forwarding interface for security logs
# If the syslog receiver is attached to the same management LAN as fxp0, you need a
# second interface/VR to that LAN to deliver security logs (firewall traffic and IDP)

# For this worst case, we have two interfaces in the same network
set interfaces fxp0 unit 0 family inet address 10.0.0.1/24
set interfaces reth7 unit 0 family inet address 10.0.0.2/24

# Control plane logs: use the source IP of the egress interface to avoid ARP problems!
set system syslog host 10.0.0.100 any any
set system syslog host 10.0.0.100 source-address 10.0.0.2

# Data plane logs from the SPCs leave via a forwarding interface
# also use the source IP of the egress interface
set security log format sd-syslog
set security log source-address 10.0.0.2
set security log stream Log host 10.0.0.100

# To allow two interfaces on the same net, one interface must be moved to a custom VR
set routing-instances Logging instance-type virtual-router
set routing-instances Logging interface reth7.0
# Now we use a host route to send all traffic for the log receiver to this VR
set routing-options static route 10.0.0.100/32 next-table Logging.inet.0

# Potential other workaround (UNTESTED)
# Use this command to set the default management IP to the loopback interface IP
set system default-address-selection ....
SYSLOG: ADDITIONAL INFORMATION
SYSLOG: A LIST OF POSSIBLE EVENTS

Syslog event list (control plane events)
# List all possible syslog events
srx> help syslog
Syslog tag                          Help
ACCT_ACCOUNTING_FERROR              Error occurred during file processing
ACCT_ACCOUNTING_FOPEN_ERROR         Open operation failed on file
ACCT_ACCOUNTING_SMALL_FILE_SIZE     Maximum file size is smaller than record size
ACCT_BAD_RECORD_FORMAT              Record format does not match accounting profile
ACCT_CU_RTSLIB_ERROR                Error occurred obtaining current class usage statistics
ACCT_FORK_ERR                       Could not create child process
ACCT_FORK_LIMIT_EXCEEDED            Could not create child process because of limit
ACCT_GETHOSTNAME_ERROR              gethostname function failed
ACCT_MALLOC_FAILURE                 Memory allocation failed

# List severity and parameters included for each event
srx> help syslog FLOW_SESSION_CREATE
Name:        FLOW_SESSION_CREATE
Message:     session created <source-address>/<source-port>-><destination-address>/<destination-port>,<protocol-id>: <policy-name>
Help:        Session create
Description: A security session was created.
Type:        Event: This message reports an event, not an error
Severity:    info
SYSLOG - EVENT MODE: TRAFFIC LOG EXAMPLES
root@srx-210# run monitor start default-log-messages
<14>1 2009-08-28T00:00:03.685+02:00 srx-101 RT_FLOW - RT_FLOW_SESSION_CREATE [[email protected] source-address="10.0.101.10" source-port="12288" destination-address="192.168.100.1" destination-port="1280" service-name="icmp" nat-source-address="10.0.101.10" nat-source-port="12288" nat-destination-address="192.168.100.1" nat-destination-port="1280" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="default-permit" session-id-32="841"] session created 10.0.101.10/12288->192.168.100.1/1280 icmp 10.0.101.10/12288->192.168.100.1/1280 None None 1 default-permit 841
<14>1 2009-08-28T00:00:06.581+02:00 srx-101 RT_FLOW - RT_FLOW_SESSION_CLOSE [[email protected] reason="response received" source-address="10.0.101.10" source-port="12288" destination-address="192.168.100.1" destination-port="1280" service-name="icmp" nat-source-address="10.0.101.10" nat-source-port="12288" nat-destination-address="192.168.100.1" nat-destination-port="1280" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="default-permit" session-id-32="841" packets-from-client="1" bytes-from-client="60" packets-from-server="1" bytes-from-server="60" elapsed-time="3"] session closed response received: 10.0.101.10/12288->192.168.100.1/1280 icmp 10.0.101.10/12288->192.168.100.1/1280 None None 1 default-permit 841 1(60) 1(60) 3
<14>1 2009-08-28T00:10:07.682+02:00 srx-101 RT_FLOW - RT_FLOW_SESSION_DENY [[email protected] source-address="10.0.101.10" source-port="12544" destination-address="192.168.100.1" destination-port="1280" service-name="icmp" protocol-id="1" icmp-type="8" policy-name="icmp-drop"] session denied 10.0.101.10/12544->192.168.100.1/1280 icmp 1(8) icmp-drop
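The structured-data format above is what a log receiver has to parse to make the traffic logs useful. The following Python parser is an added example, not part of the Jump Station and not code from Juniper; the sample lines are constructed after the RT_FLOW examples above, and the SD-ID "junos@2636.1.1.1.2.NN" is a placeholder, since the real value depends on the JUNOS release. It splits the RFC 5424 header from the SD parameters, joins SESSION_CREATE and SESSION_CLOSE on session-id-32 and counts SESSION_DENY events per policy.

```python
"""Added example (not from the Jump Station): parse structured-data syslog
(sd-syslog) lines of the kind shown above and correlate them. The sample lines are
constructed after the page's RT_FLOW examples; the SD-ID "junos@2636.1.1.1.2.NN" is
a placeholder, the real one depends on the JUNOS release."""
import re
from collections import Counter
from typing import Dict, List, Optional

SAMPLE_LOGS = [
    '<14>1 2009-08-28T00:00:03.685+02:00 srx-101 RT_FLOW - RT_FLOW_SESSION_CREATE '
    '[junos@2636.1.1.1.2.NN source-address="10.0.101.10" source-port="12288" '
    'destination-address="192.168.100.1" destination-port="1280" service-name="icmp" '
    'protocol-id="1" policy-name="default-permit" session-id-32="841"] '
    'session created 10.0.101.10/12288->192.168.100.1/1280 icmp 1 default-permit 841',
    '<14>1 2009-08-28T00:00:06.581+02:00 srx-101 RT_FLOW - RT_FLOW_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.NN reason="response received" source-address="10.0.101.10" '
    'source-port="12288" destination-address="192.168.100.1" destination-port="1280" '
    'service-name="icmp" protocol-id="1" policy-name="default-permit" session-id-32="841" '
    'packets-from-client="1" bytes-from-client="60" packets-from-server="1" '
    'bytes-from-server="60" elapsed-time="3"] session closed response received: '
    '10.0.101.10/12288->192.168.100.1/1280 icmp 1 default-permit 841 1(60) 1(60) 3',
    '<14>1 2009-08-28T00:10:07.682+02:00 srx-101 RT_FLOW - RT_FLOW_SESSION_DENY '
    '[junos@2636.1.1.1.2.NN source-address="10.0.101.10" source-port="12544" '
    'destination-address="192.168.100.1" destination-port="1280" service-name="icmp" '
    'protocol-id="1" icmp-type="8" policy-name="icmp-drop"] '
    'session denied 10.0.101.10/12544->192.168.100.1/1280 icmp 1(8) icmp-drop',
    'this line is not sd-syslog and must be ignored',
]

# <PRI>1 TIMESTAMP HOST APP PROCID MSGID [SD-ID param="value" ...] free text
HEADER_RE = re.compile(
    r'^<(\d+)>1 (\S+) (\S+) (\S+) (\S+) (\S+) \[(\S+) (.*?)\] (.*)$')
PARAM_RE = re.compile(r'(\S+?)="([^"]*)"')


def parse_sd_syslog(line: str) -> Optional[Dict]:
    """Return a flat dict of header fields plus SD parameters, or None if not parseable."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    pri, ts, host, app, procid, msgid, sd_id, params, text = m.groups()
    event = {"facility": int(pri) >> 3, "severity": int(pri) & 7, "timestamp": ts,
             "host": host, "app": app, "procid": procid, "msgid": msgid,
             "sd_id": sd_id, "text": text}
    event.update(PARAM_RE.findall(params))   # parameter order does not matter
    return event


def parse_lines(lines: List[str]) -> List[Dict]:
    return [e for e in map(parse_sd_syslog, lines) if e is not None]


def session_summary(events: List[Dict]) -> Dict[str, Dict]:
    """Join SESSION_CREATE and SESSION_CLOSE on session-id-32."""
    sessions: Dict[str, Dict] = {}
    for e in events:
        sid = e.get("session-id-32")
        if e["msgid"] == "RT_FLOW_SESSION_CREATE":
            sessions[sid] = {"policy": e["policy-name"], "src": e["source-address"],
                             "dst": e["destination-address"], "closed": False}
        elif e["msgid"] == "RT_FLOW_SESSION_CLOSE" and sid in sessions:
            sessions[sid].update(
                closed=True, reason=e["reason"], elapsed=int(e["elapsed-time"]),
                bytes_total=int(e["bytes-from-client"]) + int(e["bytes-from-server"]))
    return sessions


def denies_by_policy(events: List[Dict]) -> Counter:
    """Count SESSION_DENY events per policy name, e.g. to spot a noisy drop rule."""
    return Counter(e["policy-name"] for e in events if e["msgid"] == "RT_FLOW_SESSION_DENY")


EVENTS = parse_lines(SAMPLE_LOGS)
SESSIONS = session_summary(EVENTS)

if __name__ == "__main__":
    for sid, s in SESSIONS.items():
        print(sid, s)
    print(denies_by_policy(EVENTS))
```

The PRI value 14 decodes to facility 1 (user) and severity 6 (info), which matches the "Severity: info" shown by "help syslog FLOW_SESSION_CREATE" on the previous slide.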
SNMP AND RMON

SNMP AGENT

Set system identification and community
set snmp location lab-munich
set snmp contact "[email protected]"
set snmp community public authorization read-only

Enable SNMP access on an interface
set security zones security-zone trust host-inbound-traffic system-services snmp

Restrict SNMP access to certain sources
set snmp community public clients 172.26.0.0/16
set snmp community public clients 0.0.0.0/0 restrict

Restrict SNMP access to certain tables
# Create a view, defining permitted objects
set snmp view chassis-info oid jnxBoxAnatomy include
set snmp view chassis-info oid snmpMIBObjects include
set snmp view chassis-info oid system include
# And assign the view to a community
set snmp community chassis-community view chassis-info
SNMP, CLI QUERIES AND TRICKS
# CLI commands exist to make MIB queries or MIB walks
show snmp mib get sysObjectID.0
show snmp mib get "sysName.0 sysContact.0 sysLocation.0"
show snmp mib walk jnxBoxAnatomy
show snmp mib walk jnxContentsSerialNo

# Display OIDs used for a certain table
show snmp mib walk 1.3.6.1.4.1.2636.3.39.1.12.1 | display xml

# Display OIDs for all MIB tables
show snmp mib walk 1 | display xml

# The following commands create and show a list of registered SNMP instances
show snmp registered-objects
file show /var/log/snmp_reg_objs

# The list of interface indices is reboot persistent as it is saved in a file
file show /var/db/dcd.snmp_ix

# Spoof SNMP traps for simple testing
request snmp spoof-trap linkUp variable-bindings "ifIndex[14] = 14, ifAdminStatus[14] = 1, ifOperStatus[14] = 2"

# An SNMP table (table name jnxUtilData) can be used to store user-defined content.
# Event scripts can be used to update this table
request snmp utility-mib set .....
show snmp mib walk jnxUtilData
SNMP, PRIVATE MIBS AND USEFUL TABLES
# List of all MIBs (including a table of which MIBs exist on which device) and SNMP traps

# Chassis hardware
show snmp mib walk [jnxBoxClass|jnxBoxDescr|jnxBoxSerialNo|jnxBoxRevision|jnxBoxInstalled]
show snmp mib walk [jnxBoxAnatomy|jnxContainersTable|jnxContentsTable|jnxFilledTable]

# Field replaceable units (FRU) in the chassis (includes empty slots)
show snmp mib walk jnxFruTable

# For a list of installed modules use
show snmp mib walk jnxContentsDescr

# Interfaces and interface information
show snmp mib walk ifDescr
show snmp mib walk [ifTable | ifChassisTable | ifStackTable]
show snmp mib walk [ipAddrTable | ipAdEntIfIndex]

# LEDs and status (primary only)
show snmp mib walk jnxLedTable

# State, memory usage and CPU load on all modules (always reports both REs as active)
show snmp mib walk jnxOperatingTable
USEFUL OIDS
# SNMP walk from the CLI through the complete private MIB, displayed with name and OID
show snmp mib walk .1.3.6.1.4.1.2636 | display xml

# Software version
show snmp mib walk .1.3.6.1.2.1.25.6.3

# Per-FPC statistics on CPU load, memory, temperature
show snmp mib walk jnxOperatingTable
# some columns here are:
show snmp mib walk jnxOperatingDescr
show snmp mib walk jnxOperatingCPU
show snmp mib walk jnxOperatingTemp
show snmp mib walk jnxOperatingBuffer

# On SRX: SPU monitoring MIB OIDs (sessions, CPU load)
show snmp mib walk jnxJsSPUMonitoringMIB
show snmp mib walk 1.3.6.1.4.1.2636.3.39.1.12.1 | display xml

# Disk usage
show snmp mib walk [hrStorageSize | hrStorageUsed]
show snmp mib walk 1.3.6.1.2.1.25.2.3.1
RMON
Monitor SNMP OIDs and generate traps if something is wrong

# Specify a group and a target for traps
set snmp trap-group overtemperature
set snmp trap-group overtemperature categories rmon-alarm
set snmp trap-group overtemperature targets 10.0.0.1

edit snmp rmon
# Specify what is monitored
set alarm 1 description "Overtemperature on SRX 5600 Midplane"
set alarm 1 variable jnxOperatingTemp.1.1.0.0
set alarm 1 interval 300
set alarm 1 sample-type absolute-value
set alarm 1 rising-threshold 50
set alarm 1 startup-alarm rising-alarm
set alarm 1 rising-event-index 1
# and the resulting event
set event 1 description Heat-Events
set event 1 type log-and-trap
set event 1 community heat-traps
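An RMON alarm does not trap on every sample above the threshold. The following Python simulation is an added example, not part of the Jump Station and not Juniper code; it replays the alarm configured above (absolute-value sampling every 300 seconds, rising-threshold 50, startup-alarm rising-alarm) over constructed temperature samples using the RFC 2819 alarm rules, and compares it with a naive threshold crossing. The page configures no falling threshold, so the value 45 used for re-arming the alarm is an assumption.

```python
"""Added example (not from the Jump Station): simulate the RMON alarm configured
above over constructed temperature samples, following the RFC 2819 alarm rules:
a rising event fires when a sample reaches the rising threshold and the previous
sample was below it; with startup-alarm rising-alarm it also fires if the very first
sample is already at or above the threshold; after a rising event no further rising
event is generated until a sample has dropped to the falling threshold. The page
configures no falling threshold, so FALLING_THRESHOLD here is an assumption."""
from typing import List, Optional

RISING_THRESHOLD = 50      # from the page's "set alarm 1 rising-threshold 50"
FALLING_THRESHOLD = 45     # assumed; not configured on the page
INTERVAL_SECONDS = 300     # from "set alarm 1 interval 300"


def rising_events(samples: List[int], rising: int = RISING_THRESHOLD,
                  falling: int = FALLING_THRESHOLD, startup_rising: bool = True) -> List[int]:
    """Return the sample indices at which a rising alarm event (event-index 1) fires."""
    events: List[int] = []
    armed = True            # False after a rising event until the value re-arms it
    prev: Optional[int] = None
    for i, value in enumerate(samples):
        if prev is None:
            fire = startup_rising and value >= rising
        else:
            fire = armed and value >= rising and prev < rising
        if fire:
            events.append(i)
            armed = False
        if not armed and value <= falling:
            armed = True    # hysteresis: the alarm can fire again
        prev = value
    return events


def naive_events(samples: List[int], rising: int = RISING_THRESHOLD) -> List[int]:
    """For comparison: every upward crossing of the threshold, without hysteresis."""
    return [i for i in range(1, len(samples))
            if samples[i] >= rising and samples[i - 1] < rising]


# Constructed midplane temperatures (degrees C), one per 300 s interval.
SAMPLES = [42, 47, 51, 49, 52, 44, 49, 53]

if __name__ == "__main__":
    for i in rising_events(SAMPLES):
        print(f"t={i * INTERVAL_SECONDS:4d}s sample={SAMPLES[i]} -> log-and-trap Heat-Events")
    print("naive crossings:", naive_events(SAMPLES))
```

With these samples the RMON rules produce events at samples 2 and 7 only; the dip to 49 at sample 3 does not re-arm the alarm, so the crossing at sample 4 is suppressed, whereas the naive comparison would also report sample 4. The startup-alarm setting matters when the device is already hot at commit time: without it, a first sample above the threshold never generates an event.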
NETFLOW

NETFLOW CONFIGURATION
Note: activating Netflow has a significant impact on performance. The smaller the sample rate (input rate), the higher the performance hit.

# Specify the sample rate and where to send the Netflow data
set forwarding-options sampling input rate 10
set forwarding-options sampling family inet output flow-server 172.30.80.76 port 2056
set forwarding-options sampling family inet output flow-server 172.30.80.76 version 5

# Enable Netflow on the desired interface(s) and directions
set interfaces ge-0/0/0 unit 0 family inet sampling input
set interfaces ge-0/0/0 unit 0 family inet sampling output
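The configuration above exports NetFlow version 5 records built from 1-in-10 sampled packets, so the counters in each record are undercounts until the collector scales them. The following Python code is an added example, not part of the Jump Station and not code from Juniper or the flow server: it packs constructed flows into a v5 datagram the way an exporter would, parses it back as a collector, reads the sampling interval from the header and corrects the packet and byte counts. The flow contents are constructed test data.

```python
"""Added example (not from the Jump Station): build and parse a NetFlow v5 datagram
of the kind the sampling configuration above exports to the flow server, and scale
the counters by the sampling interval. Flow contents are constructed; the SRX
itself does not run this code, a collector would."""
import socket
import struct
from collections import Counter
from typing import Dict, List

# NetFlow v5 header (24 bytes) and flow record (48 bytes), network byte order.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

SAMPLING_RATE = 10   # matches "set forwarding-options sampling input rate 10"


def build_v5_datagram(flows: List[Dict], sampling_interval: int, sequence: int = 0) -> bytes:
    """Pack constructed flows into a v5 datagram (test data, not a real export)."""
    # Top two bits of the last header field carry the sampling mode; the value 1
    # (packet interval sampling) is assumed here, the lower 14 bits are the interval.
    header = V5_HEADER.pack(5, len(flows), 120_000, 1_251_417_603, 0, sequence,
                            0, 0, (1 << 14) | (sampling_interval & 0x3FFF))
    records = b"".join(V5_RECORD.pack(
        socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]), socket.inet_aton("0.0.0.0"),
        f["in_if"], f["out_if"], f["packets"], f["octets"], 100_000, 110_000,
        f["sport"], f["dport"], 0, f.get("tcp_flags", 0), f["proto"], 0,
        0, 0, 24, 24, 0) for f in flows)
    return header + records


def parse_v5_datagram(data: bytes) -> Dict:
    """Unpack a v5 datagram and add sampling-corrected packet/byte estimates."""
    if len(data) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, uptime, secs, nsecs, sequence, etype, eid, sampling = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(data) != expected:
        raise ValueError(f"expected {expected} bytes for {count} records, got {len(data)}")
    interval = sampling & 0x3FFF or 1        # 0 means unsampled
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
            "in_if": r[3], "out_if": r[4], "packets": r[5], "octets": r[6],
            "sport": r[9], "dport": r[10], "tcp_flags": r[12], "proto": r[13],
            # Sampled counters are undercounts; scale by the interval for an estimate.
            "est_packets": r[5] * interval, "est_octets": r[6] * interval,
        })
    return {"sequence": sequence, "sampling_interval": interval, "uptime_ms": uptime,
            "flows": flows}


def estimated_bytes_by_source(parsed: Dict) -> Counter:
    """Aggregate the sampling-corrected byte counts per source address."""
    c: Counter = Counter()
    for f in parsed["flows"]:
        c[f["src"]] += f["est_octets"]
    return c


# Constructed flows as a sampled exporter would report them.
SAMPLE_FLOWS = [
    {"src": "10.0.101.10", "dst": "192.168.100.1", "in_if": 1, "out_if": 2,
     "packets": 3, "octets": 1500, "sport": 51000, "dport": 443, "proto": 6, "tcp_flags": 0x18},
    {"src": "10.0.101.11", "dst": "192.168.100.1", "in_if": 1, "out_if": 2,
     "packets": 1, "octets": 76, "sport": 50000, "dport": 53, "proto": 17},
]
DATAGRAM = build_v5_datagram(SAMPLE_FLOWS, SAMPLING_RATE, sequence=7)
PARSED = parse_v5_datagram(DATAGRAM)

if __name__ == "__main__":
    print(f"sequence={PARSED['sequence']} interval={PARSED['sampling_interval']}")
    for f in PARSED["flows"]:
        print(f)
    print(estimated_bytes_by_source(PARSED))
```

The length check matters on the collector side: the record count in the header must agree with the datagram size, otherwise a truncated or malformed export is silently misread. Gaps in the sequence field are the usual way to notice dropped export datagrams.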
SRX MANAGEMENT WITH NSM

PREPARING JUNOS DEVICES FOR NSM
# SSHv2 is mandatory for NSM. SSHv2 is not included in the export-restricted
# software version. You will always need the domestic version.
lab@srx5600> show version | match JUNOS
JUNOS Software Release [9.5R2.7]

# For NSM access both ssh and netconf over ssh must be enabled
set system services ssh [protocol-version v2]
set system services netconf ssh

# Recommendation: use a dedicated NSM user;
# this allows you to identify who made certain changes/operations
root# set system login user nsm class super-user authentication plain-text-password
New password:
Retype new password:
ENABLE AUTO DISCOVERY WITH NSM
# The auto discovery feature allows scanning an IP address range for Juniper devices
# and automatically adding and importing them into NSM.
# This feature requires ping, SSH and SNMP access to the device.

# Enable SSH and netconf via ssh
set system services ssh protocol-version v2
set system services netconf ssh

# Enable SNMP
set snmp location lab-munich
set snmp contact "[email protected]"
set snmp community public authorization read-write

# Make sure all services required for NSM auto discovery are opened for access
edit security zones security-zone trust interfaces ge-0/0/0.0
set host-inbound-traffic system-services ping
set host-inbound-traffic system-services ssh
set host-inbound-traffic system-services snmp
top
EXAMPLE: SENDING LOGS TO NSM (EVENT MODE)
# Control plane logs from the Routing Engine are sent to NSM by default

# Data plane logs from Branch SRX are sent to NSM when a log file "default-log-messages"
# is written. NSM adds this configuration automatically to the SRX with the "device is
# reachable" workflow
set system syslog file default-log-messages any any
set system syslog file default-log-messages structured-data

# On Datacenter SRX traffic logs are not sent to the Routing Engine by default,
# as the preferred logging method is to stream the logs directly
# from a forwarding interface. If the log volume is low, the logs can also be sent
# to the Routing Engine. The following statements allow this since JUNOS 10.0
set security log mode event
set security log event-rate 1000
EXAMPLE: SENDING LOGS TO NSM (STREAM MODE)
# Again, control plane logs from the Routing Engine are sent to NSM by default

# Since NSM version 2011.1 it is possible to send security logs via syslog in stream mode
# Check page 767 of the NSM Admin Guide for the necessary DevSvr configuration changes
# Add "devSvr.enableSyslogOverUdp true" to the /var/netscreen/DevSvr/var/devSvr.cfg file

# On the SRX side use the following configuration statements to send traffic logs
# via syslog to NSM
set security log mode stream
set security log format sd-syslog

# Primary NSM
set security log stream NSM1 format sd-syslog
set security log stream NSM1 host <primary DevSvr IP>
set security log stream NSM1 host port 5140

# If NSM is an HA cluster use a second feed to send logs to the secondary NSM
set security log stream NSM2 format sd-syslog
set security log stream NSM2 host <Secondary DevSvr IP>
set security log stream NSM2 host port 5140
ADDITIONAL REMARKS

When using out-band management: start the import into NSM with the passive member (RG0) first. Some NSM versions had trouble when the import started with the active member.

When using in-band management: don't mix in-band and out-band management. If you choose in-band management then leave the fxp0 interfaces on both members unconfigured. This avoids the passive member ever connecting to NSM.

When changing between out-band and in-band management: "delete system services outbound-ssh" from the normal stanza and from the groups stanza, otherwise you might end up with multiple, conflicting entries. In some cases you might have to reboot to make all configuration changes effective.

To establish the NSM connection through a VPN tunnel you should use in-band management and introduce a loopback IP or a numbered VPN tunnel interface. Otherwise the SRX could use an interface IP for which you don't have proper routing back from the NSM through the VPN tunnel.
MANAGING SRX CLUSTERS WITH NSM: WHERE IS THE CHALLENGE?

You have two options to manage a cluster in NSM:

Out-band management: you connect to the fxp0 interfaces of the cluster members. You add a cluster object to NSM and add both members (start with the node where RG0 is passive).

In-band management (Branch SRX only): you connect to the master device via one of the reth interfaces. You configure the device for cluster management and add only one device to NSM.
IN-BAND MANAGEMENT: VIRTUAL CHASSIS REPRESENTATION OF SRX CLUSTERS
# The virtual-chassis configuration makes a cluster manageable in NSM as a single device
# This is supported only on Branch SRX since JUNOS 10.1R2 or 10.2R2 or higher.
# You need the following configuration statement in JUNOS
set chassis cluster network-management cluster-master
# In NSM you add just a single virtual chassis device (the current primary).
# Only the master will attempt to establish a session to NSM.
# It can use any interface to establish this connection.
ADDITIONAL REMARKS

When using out-band management: start the import into NSM with the passive member (RG0) first.

When using in-band management: leave the fxp0 interfaces on both members unconfigured. NSM can not be used to perform software updates or push attack database updates.

When changing between out-band and in-band management: "delete system services outbound-ssh" from the normal stanza and from the groups stanza, otherwise you might end up with multiple, conflicting entries. In some cases you might have to reboot to make all configuration changes effective.

To establish the NSM connection through a VPN tunnel you should use in-band management and introduce a loopback IP or a numbered VPN tunnel interface. Otherwise the SRX could use an interface IP for which you don't have proper routing back from the NSM through the VPN tunnel.
MANAGEMENT WITH JUNOS SPACE / SECURITY DESIGN

PREPARING JUNOS DEVICES FOR SPACE
# For Space access both ssh and netconf over ssh must be enabled
set system services ssh [protocol-version v2]
set system services netconf ssh

# Recommendation: use a dedicated Space user;
# this allows you to identify who made certain changes/operations
root# set system login user space class super-user authentication plain-text-password
New password:
Retype new password:

# Enable SSH and netconf via ssh
set system services ssh protocol-version v2
set system services netconf ssh

# When SNMP is enabled before device discovery, Space (OpenNMS) will collect and
# visualize SNMP data from the device. It will also reconfigure the device to send
# traps to Space.
set snmp location lab-munich
set snmp contact "[email protected]"
set snmp community public authorization read-write

# Make sure all services required for Space discovery are opened for access
edit security zones security-zone trust interfaces ge-0/0/0.0
set host-inbound-traffic system-services ping
set host-inbound-traffic system-services ssh
set host-inbound-traffic system-services snmp
top
ADDITIONAL REMARKS (1)
For initial device discovery Space uses ping and an ssh/netconf connection to the device. The future direction of the management connection depends on the Space application settings (at the time the device was discovered). By default Junos Space attempts to establish the connection. If the default is changed, Space reconfigures the device during discovery to initiate the connection.

ADDITIONAL REMARKS (2)
Space can detect and manage an SRX cluster in both ways:
- with only one in-band management connection to fxp0 (just add one device)
- with two out-band management connections to fxp0 (add both devices in Platform; Security Design creates a cluster view of the security device)
MONITORING SRX LOGS WITH STRM

STREAM MODE LOGS FROM SRX TO STRM
# In this example we send both control and data plane logs through one
# interface (reth7) which is a member of the default VR inet.0
# Destination for both logs is 10.0.0.100
# Source IP for both logs is 10.0.0.2

# Interface IP for the interface connected to STRM
set interfaces reth7 unit 0 family inet address 10.0.0.2/24

# Control plane logs: use the source IP of the egress interface to avoid ARP problems!
set system syslog host 10.0.0.100 any any
set system syslog host 10.0.0.100 source-address 10.0.0.2

# Data plane logs from the SPCs leave via a forwarding interface
# also use the source IP of the egress interface
set security log format sd-syslog
set security log source-address 10.0.0.2
set security log stream Log host 10.0.0.100

# Caveat: STRM can no longer reach fxp0 of the SRX, because all routing to the
# STRM host IP goes through reth7, and traffic from reth7 to fxp0 is not possible.
MONITORING SRX LOGS WITH J-WEB

ACTIVATE LOGS IN J-WEB

EXAMINE LOGS FROM EVENT VIEWER

EXAMINE LOGS FROM POLICY VIEW

FIREWALL ACTIVITY ON J-WEB REPORTING PAGE

TROUBLESHOOTING
NOTES FOR TROUBLESHOOTING
- The Web UI has a number of useful pages for monitoring and troubleshooting
- The JUNOS CLI has powerful monitoring commands and offers a lot of counters and status information
- SNMP and RPM also have good coverage to allow continuous and ongoing monitoring
- Default log files exist to track various error conditions
- Additional logs and debugs can be enabled from the CLI, writing to separate log files or to external servers
- Op scripts can be used to create custom monitor commands
- Event scripts can be used to trigger actions when events occur

WEB-UI FOR MONITORING
IMPORTANT CLI MONITORING COMMANDS
show version                               Software version
show chassis hardware detail               Hardware and serial numbers
show chassis environment                   Temperatures, fan and power supply
show chassis routing-engine                Temperatures, memory, CPU load (Routing Engine)
show security monitoring fpc x             CPU load (flow processors / SPCs)
show system storage                        Flash and disk usage
show system license                        Display installed licenses

show interfaces terse                      Quick overview of all interfaces
show interfaces description                Quick overview of all interfaces with description
show interfaces extensive                  Detailed interface and zone counters

show route <x.x.x.x>                       Routing table lookup (to get to x.x.x.x)

show security policies                     List policies
show security policies detail | find xx    Details for a certain ID
show security flow session                 Current sessions
show security match-policies ...           Policy lookup (added in JUNOS 10.3)
show security zones                        Security zones and interface binding

show system alarms                         Alarms
show chassis alarms                        Alarms
LIVE COUNTERS FOR ALL INTERFACES
Use "monitor interface traffic" to watch live counters on all available interfaces. The default update interval is 2 seconds.

LIVE COUNTERS FOR A CERTAIN INTERFACE
Use "monitor interface <ifname>" to watch live counters on a certain interface. The default update interval is 2 seconds.
Before you start: – This is not promiscuous mode – You will see Broadcast/Unicast/Multicast traffic to the Routing engine– ICMP Traffic to the Route Engine is excluded (SRX, EX and J-Series)– Use the documentation to detect all options– This Option is available from Web-UI, CLI and Shell
LIVE TRAFFIC FOR A CERTAIN INTERFACE (TCPDUMP OF RE TRAFFIC)
Monitor traffic on an interface:
user> monitor traffic interface e1-0/0/0.0 no-resolve
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Listening on e1-0/0/0.0, capture size 96 bytes
03:03:58.025661 Out IP 10.12.0.1 > 224.0.0.13: 10.12.0.1 > 224.0.0.13:PIMv2, Hello (0), length: 34
03:03:58.237360 In IS-IS, p2p IIH, src-id 1921.6800.1223, length 58
03:03:59.089303 Out IP 10.12.0.1.646 > 224.0.0.2.646: LDP, Label-Space-ID: 192.168.1.222:0, pdu-length: 38
03:03:59.555743 Out IP 10.12.0.1 > 224.0.0.1: igmp query v2

The same function is available from the shell:
user> start shell
% su
root@PBR% tcpdump -ni e1-0/0/0.0
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Listening on e1-0/0/0.0, capture size 96 bytes
03:06:47.943726 In IP 10.12.0.2 > 224.0.0.13: 10.12.0.2 > 224.0.0.13:PIMv2, Hello (0), length: 34
03:06:49.603895 In IP 10.12.0.2.646 > 224.0.0.2.646: LDP, Label-Space-ID: 192.168.1.223:0, pdu-length: 38
03:06:50.200510 Out IS-IS, p2p IIH, src-id 1921.6800.1222, length 58
LOG FILES AND SYSLOG
All Log files live in /var/log
"show log" or "file list /var/log" List all Log files available (under /var/log)
show log messages Show Log File "messages" from start
show log messages | last 100 List last 100 Log Messages
show log messages | match LOGIN Search within the Log
show log messages | trim 39 Remove first 39 columns from each line
monitor start <file> Send Logs to terminal (like tail -f)
See also Chapter Logging and Syslog
TYPICAL WAY TO ENABLE DEBUGGING
In many sections of the configuration it is possible to activate traceoptions (example: set system services dhcp traceoptions ...)
set traceoptions file <filename>     Options: files (default 10), size (default 128k), read permissions (e.g. world-readable)
set traceoptions flag <flag>         What do you want to look at?
monitor start <filename>             Like Unix tail -f; multiple people can view log files at the same time
DEBUGGING A FIREWALL FLOW
See http://kb.juniper.net/KB16110

# Specify a file where to save the traces
edit security flow traceoptions
    set file flowtrace
    set file size 1m files 3
    set flag basic-datapath
    # Use filters to reduce the volume of data
    set packet-filter FILTER1 source-prefix 10.48.255.0/24
    # A second condition for the same filter name is an AND condition
    set packet-filter FILTER1 destination-prefix 192.168.210.0/24
    # An additional condition with a different filter name is an OR condition
    set packet-filter FILTER2 source-prefix 192.168.210.0/24
    set packet-filter FILTER2 destination-prefix 192.168.220.0/24
top

# Logging to the file starts after commit
commit and-quit

# To start live monitoring, just monitor the file
monitor start flowtrace

# To quickly pause and resume output
# !! This does not stop logging to the file !!
Press "ESC-Q"

# To stop real-time monitoring
# !! This does not stop logging to the file !!
monitor stop

# To turn off logging to the file you must deactivate or delete the configuration
deactivate security flow traceoptions
commit
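The AND/OR rule for packet-filters above is easy to get wrong: two conditions typed under different names select far more traffic than intended. The following Python model is an added example (not from the Jump Station and not Juniper code) that implements just the rule stated above for FILTER1 and FILTER2 as configured; the sample packets and the SPLIT_FILTERS variant are constructed, and nothing about how the device itself treats return traffic is modelled.

```python
"""Model of the packet-filter semantics of 'security flow traceoptions'.

Added example, not part of the Jump Station and not Juniper code.  FILTER1 and
FILTER2 with their prefixes are the ones configured above; the sample packets
and the SPLIT_FILTERS variant are constructed for illustration.
"""
import ipaddress

# Conditions under one packet-filter name must all hold (AND); a packet is traced
# when any of the named packet-filters matches it (OR between names).
PACKET_FILTERS = {
    "FILTER1": {"source-prefix": "10.48.255.0/24", "destination-prefix": "192.168.210.0/24"},
    "FILTER2": {"source-prefix": "192.168.210.0/24", "destination-prefix": "192.168.220.0/24"},
}

# Constructed mistake: the two FILTER1 conditions typed under different names,
# which turns the intended AND into an OR.
SPLIT_FILTERS = {
    "FILTER1": {"source-prefix": "10.48.255.0/24"},
    "FILTER1B": {"destination-prefix": "192.168.210.0/24"},
    "FILTER2": PACKET_FILTERS["FILTER2"],
}

_FIELD = {"source-prefix": "src", "destination-prefix": "dst"}


def filter_matches(conditions, packet):
    """AND over all conditions of one named packet-filter."""
    for cond, prefix in conditions.items():
        addr = ipaddress.ip_address(packet[_FIELD[cond]])
        if addr not in ipaddress.ip_network(prefix, strict=False):
            return False
    return True


def matching_filters(packet, filters=PACKET_FILTERS):
    """Names of every packet-filter that selects this packet (OR across names)."""
    return [name for name, conds in filters.items() if filter_matches(conds, packet)]


def traced_count(packets, filters):
    """How many of the packets would land in the trace file under this filter set."""
    return sum(1 for p in packets if matching_filters(p, filters))


# Constructed packets (only src and dst, which is all the two filters look at).
SAMPLE_PACKETS = [
    {"src": "10.48.255.10", "dst": "192.168.210.5"},   # FILTER1: both conditions hold
    {"src": "10.48.255.10", "dst": "172.16.0.1"},      # only FILTER1's source condition holds
    {"src": "192.168.210.7", "dst": "192.168.220.9"},  # FILTER2
    {"src": "192.168.210.7", "dst": "10.48.255.10"},   # FILTER1 with src/dst swapped: no name matches as written
    {"src": "172.16.0.1", "dst": "192.168.210.5"},     # only FILTER1's destination condition holds
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p["src"], "->", p["dst"], matching_filters(p) or "not traced")
    print("traced as configured:", traced_count(SAMPLE_PACKETS, PACKET_FILTERS))
    print("traced with FILTER1 split:", traced_count(SAMPLE_PACKETS, SPLIT_FILTERS))
```

With the filters as configured, two of the five constructed packets are traced; with FILTER1's conditions split over two names, four are, which on a busy box is the difference between a readable trace file and one that fills up within seconds.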
DEBUGGING A FIREWALL FLOW EXAMPLE OUTPUT (1/2)
lab@Demo-081-113>
*** flow-trace ***
Aug 2 22:04:36 22:04:35.935844:CID-1:RT:<10.10.20.2/2048->10.10.10.2/49265;1> matched filter f0:
Aug 2 22:04:36 22:04:35.935862:CID-1:RT:packet [84] ipid = 0, @4bb0526e
Aug 2 22:04:36 22:04:35.935872:CID-1:RT:---- flow_process_pkt: (thd 0): flow_ctxt type 0, common flag 0x0, mbuf 0x4bb05060
Aug 2 22:04:36 22:04:35.935881:CID-1:RT: flow process pak fast ifl 67 in_ifp reth1.0
Aug 2 22:04:36 22:04:35.935896:CID-1:RT: reth1.0:10.10.20.2->10.10.10.2, icmp, (8/0)
Aug 2 22:04:36 22:04:35.935907:CID-1:RT: find flow: table 0x4e789b20, hash 9938(0xffff), sa 10.10.20.2, da 10.10.10.2, sp 1, dp 34861, proto 1, tok 448
Aug 2 22:04:36 22:04:35.935926:CID-1:RT: no session found, start first path. in_tunnel - 0, from_cp_flag -
Aug 2 22:04:36 22:04:35.935941:CID-1:RT: flow_first_create_session
Aug 2 22:04:36 22:04:35.935953:CID-1:RT: flow_first_in_dst_nat: in <reth1.0>, out <N/A> dst_adr 10.10.10.2, sp 1, dp 34861
Aug 2 22:04:36 22:04:35.935965:CID-1:RT: chose interface reth1.0 as incoming nat if.
Aug 2 22:04:36 22:04:35.935976:CID-1:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 10.10.10.2(34861)
Aug 2 22:04:36 22:04:35.935988:CID-1:RT:flow_first_routing: call flow_route_lookup(): src_ip 10.10.20.2, x_dst_ip 10.10.10.2, in ifp reth1.0, out ifp N/A sp 1, dp 34861, ip_proto 1, tos 0
Aug 2 22:04:36 22:04:35.936001:CID-1:RT:Doing DESTINATION addr route-lookup
Aug 2 22:04:36 22:04:35.936017:CID-1:RT: routed (x_dst_ip 10.10.10.2) from untrust (reth1.0 in 1) to reth0.0, Next-hop: 10.10.10.2
Aug 2 22:04:36 22:04:35.936030:CID-1:RT: policy search from zone untrust-> zone trust
Aug 2 22:04:36 22:04:35.936057:CID-1:RT: app 0, timeout 60s, curr ageout 60s
Aug 2 22:04:36 22:04:35.936095:CID-1:RT:flow_first_src_xlate: src nat 0.0.0.0(1) to 10.10.10.2(34861) returns status 0, rule/pool id 0/0.
Aug 2 22:04:36 22:04:35.936110:CID-1:RT: dip id = 0/0, 10.10.20.2/1->10.10.20.2/1
Aug 2 22:04:36 22:04:35.936120:CID-1:RT: choose interface reth0.0 as outgoing phy if
Aug 2 22:04:36 22:04:35.936127:CID-1:RT:is_loop_pak: No loop: on ifp: reth0.0, addr: 10.10.10.2, rtt_idx:0
Aug 2 22:04:36 22:04:35.936136:CID-1:RT: check nsrp pak fwd: in_tun=0x0, VSD 1 for out ifp reth0.0
Aug 2 22:04:36 22:04:35.936142:CID-1:RT: vsd 1 is active
Aug 2 22:04:36 22:04:35.936151:CID-1:RT:policy is NULL (wx/pim scenario)
Aug 2 22:04:36 22:04:35.936160:CID-1:RT:sm_flow_interest_check: app_id 0, policy 6, app_svc_en 1, flags 0x2. interested
Aug 2 22:04:36 22:04:35.936171:CID-1:RT:sm_flow_interest_check: app_id 1, policy 6, app_svc_en 0, flags 0x2. not interested
..................
DEBUGGING A FIREWALL FLOW EXAMPLE OUTPUT (2/2)
.............
Aug 2 22:04:36 22:04:35.936178:CID-1:RT:flow_first_service_lookup(): natp(0x5047eb48): app_id, 0(0).
Aug 2 22:04:36 22:04:35.936187:CID-1:RT: service lookup identified service 0.
Aug 2 22:04:36 22:04:35.936194:CID-1:RT: flow_first_final_check: in <reth1.0>, out <reth0.0>
Aug 2 22:04:36 22:04:35.936203:CID-1:RT: existing vector list e20-624fdc28.
Aug 2 22:04:36 22:04:35.936212:CID-1:RT: existing vector list 0-6248ba28.
Aug 2 22:04:36 22:04:35.936220:CID-1:RT: Session (id:26784) created for first pak e20
Aug 2 22:04:36 22:04:35.936229:CID-1:RT: flow_first_install_session======> 0x5047eb48
Aug 2 22:04:36 22:04:35.936236:CID-1:RT: nsp 0x5047eb48, nsp2 0x5047ebb8
Aug 2 22:04:36 22:04:35.936248:CID-1:RT: make_nsp_ready_no_resolve()
Aug 2 22:04:36 22:04:35.936263:CID-1:RT: route lookup: dest-ip 10.10.20.2 orig ifp reth1.0 output_ifp reth1.0 orig-zone 7 out-zone 7 vsd 1
Aug 2 22:04:36 22:04:35.936274:CID-1:RT: route to 10.10.20.2
Aug 2 22:04:36 22:04:35.936288:CID-1:RT:Installing c2s NP session wing
Aug 2 22:04:36 22:04:35.936293:CID-1:RT:Installing s2c NP session wing
Aug 2 22:04:36 22:04:35.936301:CID-1:RT:sm_flow_notify_session_creation: app_id 0, flags 0x0, ifl_in 67, zone_in 7, ifl_out 66, zone_out 6
Aug 2 22:04:36 22:04:35.936394:CID-1:RT: flow got session.
Aug 2 22:04:36 22:04:35.936399:CID-1:RT: flow session id 26784
Aug 2 22:04:36 22:04:35.936411:CID-1:RT: vsd 1 is active
Aug 2 22:04:36 22:04:35.936608:CID-1:RT:mbuf 0x4bb05060, exit nh 0x243c1
Aug 2 22:04:36 22:04:35.936621:CID-1:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
Aug 2 22:04:36 22:04:35.996278:CID-1:RT:<10.10.10.2/0->10.10.20.2/51313;1> matched filter f0:
Aug 2 22:04:36 22:04:35.996296:CID-1:RT:packet [84] ipid = 12824, @4ba9f04e
Aug 2 22:04:36 22:04:35.996307:CID-1:RT:---- flow_process_pkt: (thd 0): flow_ctxt type 0, common flag 0x0, mbuf 0x4ba9ee40
Aug 2 22:04:36 22:04:35.996318:CID-1:RT: flow process pak fast ifl 66 in_ifp reth0.0
Aug 2 22:04:36 22:04:35.996330:CID-1:RT: reth0.0:10.10.10.2->10.10.20.2, icmp, (0/0)
Aug 2 22:04:36 22:04:35.996341:CID-1:RT: find flow: table 0x4e789b20, hash 33408(0xffff), sa 10.10.10.2, da 10.10.20.2, sp 34861, dp 1, proto 1, tok 384
Aug 2 22:04:36 22:04:35.996362:CID-1:RT: flow got session.
Aug 2 22:04:36 22:04:35.996366:CID-1:RT: flow session id 26784
Aug 2 22:04:36 22:04:35.996380:CID-1:RT: vsd 1 is active
Aug 2 22:04:36 22:04:35.996520:CID-1:RT:mbuf 0x4ba9ee40, exit nh 0x20bc1
Aug 2 22:04:36 22:04:35.996533:CID-1:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
DEBUGGING PACKET DROPS
# To see drop counters per interface for the various drop reasons
show interfaces ge-4/0/1.0 extensive | find Error

# To create a log file that records packet drops for a certain source network
edit security flow traceoptions
    set file DROPS
    set flag packet-drops
    set packet-filter FFILTER1 source-prefix 20.0.81.0/24
top

# To see packet drops live, monitor the file
monitor start DROPS

# Search the log file for packet drops of a certain source IP
# The trim command improves readability by removing the leading timestamp and context columns
root@srx5600> run file show /var/log/DROPS | find 20.0.81.143 | trim 71
ge-4/2/1.0:20.0.81.143->10.1.80.1, icmp, (8/0)
packet dropped, no route to dest
packet dropped, ROUTE_REJECT_GEN_ICMP.
ge-4/2/1.0:20.0.81.143->20.0.80.2, icmp, (8/0)
packet dropped, denied by policy
packet dropped, policy deny.
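The drop lines above and the session-creation trace on the previous pages share one line layout, so a small parser can turn a trace file into a per-source list of verdicts and a count per drop reason instead of relying on "find" and "trim". The following Python is an added example, not part of the Jump Station and not Juniper tooling. It assumes only the layout visible in the example output ("Aug 2 22:04:36 22:04:35.936178:CID-1:RT:<message>"), treats the context between the microsecond timestamp and "RT:" as one or more "NAME-digits:" tokens so that the longer high-end SRX prefix is accepted too, and works on a constructed sample trace (the TCP header form "src/port->dst/port, tcp, flag 2 syn" is part of the construction, not taken from the page).

```python
"""Parse SRX flow-trace output and summarize dropped packets.

Added example, not part of the Jump Station and not Juniper tooling.  The line
layout is taken from the example output on the previous pages; SAMPLE_TRACE
below is constructed to match it and is not real device output.
"""
import re
from collections import Counter

# Trace line prefix: month, day, wall-clock time, microsecond timestamp, then one or
# more "NAME-digits:" context tokens and "RT:".  Assumption: the high-end SRX form
# (CID-00:FPC-05:PIC-01:THREAD_ID-00:RT:) follows the same token pattern.
LINE_RE = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d "
    r"(?P<ts>\d\d:\d\d:\d\d\.\d+):(?:[A-Za-z_]+-\d+:)+RT:\s*(?P<msg>.*)$"
)
# Packet header, e.g. "ge-4/2/1.0:20.0.81.143->10.1.80.1, icmp, (8/0)".  The optional
# "/port" after each address and the free-form trailing field are assumptions.
PKT_RE = re.compile(
    r"^(?P<ifl>[^:\s]+):(?P<src>\d+\.\d+\.\d+\.\d+)(?:/(?P<sport>\d+))?"
    r"->(?P<dst>\d+\.\d+\.\d+\.\d+)(?:/(?P<dport>\d+))?, (?P<proto>\w+), (?P<rest>.*)$"
)
DROP_RE = re.compile(r"^packet dropped, (?P<reason>.+?)\.?$")
SESSION_RE = re.compile(r"^Session \(id:(?P<sid>\d+)\) created")


def parse_trace(lines):
    """Yield one record per packet header: its fields plus the drop reasons / session id that followed."""
    current = None
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                       # banner lines such as "*** flow-trace ***"
        msg = m.group("msg")
        pm = PKT_RE.match(msg)
        if pm:
            if current is not None:
                yield current
            current = {"ts": m.group("ts"), "drops": [], "session": None, **pm.groupdict()}
            continue
        if current is None:
            continue                       # lines before the first packet header
        dm = DROP_RE.match(msg)
        if dm:
            current["drops"].append(dm.group("reason"))
        sm = SESSION_RE.match(msg)
        if sm:
            current["session"] = int(sm.group("sid"))
    if current is not None:
        yield current


def drop_summary(lines):
    """Count packets per drop reason reported by the flow code."""
    counts = Counter()
    for pkt in parse_trace(lines):
        for reason in pkt["drops"]:
            counts[reason] += 1
    return counts


def packets_from(lines, src_ip):
    """Like '| find <ip>' on the trace: every packet from src_ip with its verdict."""
    out = []
    for pkt in parse_trace(lines):
        if pkt["src"] != src_ip:
            continue
        if pkt["drops"]:
            verdict = "dropped: " + "; ".join(pkt["drops"])
        elif pkt["session"] is not None:
            verdict = "session %d" % pkt["session"]
        else:
            verdict = "forwarded"
        out.append((pkt["ifl"], pkt["dst"], pkt["proto"], verdict))
    return out


# Constructed sample trace in the layout of the example output above.
SAMPLE_TRACE = """\
*** flow-trace ***
Aug 2 22:04:36 22:04:35.936178:CID-1:RT:ge-4/2/1.0:20.0.81.143->10.1.80.1, icmp, (8/0)
Aug 2 22:04:36 22:04:35.936190:CID-1:RT:packet dropped, no route to dest
Aug 2 22:04:36 22:04:35.936195:CID-1:RT:packet dropped, ROUTE_REJECT_GEN_ICMP.
Aug 2 22:04:37 22:04:36.101200:CID-1:RT:ge-4/2/1.0:20.0.81.143->20.0.80.2, icmp, (8/0)
Aug 2 22:04:37 22:04:36.101210:CID-1:RT:packet dropped, denied by policy
Aug 2 22:04:37 22:04:36.101215:CID-1:RT:packet dropped, policy deny.
Aug 2 22:04:38 22:04:37.500001:CID-1:RT:ge-4/2/1.0:20.0.81.7/51000->20.0.80.2/22, tcp, flag 2 syn
Aug 2 22:04:38 22:04:37.500020:CID-1:RT: Session (id:26784) created for first pak e20
""".splitlines()

if __name__ == "__main__":
    for reason, n in drop_summary(SAMPLE_TRACE).items():
        print("%4d  %s" % (n, reason))
    for rec in packets_from(SAMPLE_TRACE, "20.0.81.143"):
        print(rec)
```

Feeding the real /var/log/DROPS file in (after copying it off the box) gives the same per-reason counts for every source in the packet-filter prefix, which is what you want when the question is "is it routing or is it policy" for a whole subnet rather than one host.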
BRANCH SRX: TAKING FULL PACKET CAPTURES (1/2)
# Specify where to write the packet capture
# The file specified below is later created under /var/tmp/
# The file name gets the interface name appended, e.g. MY-PCAP.vlan
set forwarding-options packet-capture file filename MY-PCAP
set forwarding-options packet-capture file size 1m
set forwarding-options packet-capture maximum-capture-size 500

# Specify the interface where you want to take the pcap from
set interfaces vlan unit 0 family inet sampling input
set interfaces vlan unit 0 family inet sampling output

# Specify a filter to collect only certain packets
edit firewall family inet filter PCAP
    set term 1 from source-address 192.168.210.2/32
    set term 1 then sample accept
    set term 2 from destination-address 192.168.210.2/32
    set term 2 then sample accept
top

# Apply this filter to the input and output direction (maybe input is obsolete?)
set interfaces vlan unit 0 family inet filter output PCAP
set interfaces vlan unit 0 family inet filter input PCAP

# Wipe the old file before taking new pcaps
run file delete /var/tmp/MY-PCAP.vlan
# and start the PCAP
commit and-quit
BRANCH SRX: TAKING FULL PACKET CAPTURES (2/2)
# CLI command to copy the file to a remote FTP server to inspect it with Wireshark
# You can also use scp, tftp and http in the destination URL
file copy /var/tmp/MY-PCAP.vlan ftp://username:[email protected]/var/tmp

# Tweak to view the pcap file from the shell:
start shell
cd /var/tmp
tcpdump -n -r MY-PCAP.vlan

# Here is CLI help with more details
help reference forwarding-options packet-capture

# And here is online documentation
http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junos-security-admin-guide/config-pcap-chapter.html#config-pcap-chapter
DATACENTER SRX: TAKING FULL PACKET CAPTURES (1/1)
# Since JUNOS 10.4r1 data path debugging on datacenter SRX
# allows taking packet captures
edit security datapath-debug
    set capture-file SRXPCAP format pcap size 1m files 5
    set maximum-capture-size 100
    set action-profile do-capture event np-ingress packet-dump
    set packet-filter PCAP1 source-prefix 192.168.1.1/32 action-profile do-capture
    set packet-filter PCAP2 destination-prefix 192.168.1.1/32 action-profile do-capture
top

# The start/stop of the capture is controlled by CLI
request security datapath-debug capture (start|stop)

# To inspect the resulting PCAP either copy it to a system with Wireshark installed
# or start a shell locally and use "tcpdump -nr /var/log/SRXPCAP"
USEFUL TROUBLESHOOTING INFORMATION
JUNOS Troubleshooting and Monitoring Day One Booklet
Data Collection Checklist KB21781
ScreenOS Debug Commands and JUNOS equivalent KB14000
SRX Troubleshooting Commands KB15779
Monitor interface and Monitor traffic Admin Guide
Taking Packet Captures Admin Guide
Troubleshooting SRX High Availability KB15911
Debug Flow KB16108
Configuring and Troubleshooting VPN KBGuide
Troubleshooting Dynamic VPN KB17220
TOOLBOX
ACCESS LISTS
PACKET FILTER ON A STATEFUL FIREWALL?
Access lists or stateless filters have been part of JUNOS for years.
Stateless filters are still useful for three tasks:
• Filter and redirect traffic
• Classify traffic for QoS purposes
• Implement counters
Configuration uses the "set firewall ...." stanza.
On many JUNOS interface cards the stateless filters are implemented in hardware and do not consume CPU performance.
root# set firewall ....
FIREWALL FILTER EXAMPLE (COUNTING ONLY)
# Define a firewall filter to count SSH traffic
set firewall family inet filter TEST term 1 from source-address 0.0.0.0/0
set firewall family inet filter TEST term 1 from port 22
set firewall family inet filter TEST term 1 then count MYCOUNT
set firewall family inet filter TEST term 1 then accept

# We need a second term to permit everything else
# This is because all firewall filter chains end with a default "deny all" term
set firewall family inet filter TEST term 2 from source-address 0.0.0.0/0
set firewall family inet filter TEST term 2 then accept

# Now we are ready to assign the filter to an interface
set interfaces fe-0/0/7 unit 0 family inet filter input TEST

# Show commands to monitor the counters
lab@SRX210> show firewall counter filter TEST MYCOUNT

Filter: TEST
Counters:
Name                    Bytes          Packets
MYCOUNT                 70455             1005

lab@SRX210>
DNS CONFIGURATION
DNS CONFIGURATION
# Set your own hostname
set system host-name mybox

# Specify DNS servers to resolve DNS requests from the SRX
# Example: public DNS servers from Google
set system name-server 8.8.8.8
set system name-server 8.8.4.4

# Example: public DNS servers from OpenDNS
set system name-server 208.67.222.222
set system name-server 208.67.220.220

# Example: public servers from UltraDNS
set system name-server 156.154.70.1
set system name-server 156.154.71.1

# Set your own domain name
set system domain-name test.de

# Today (12.1) the SRX offers neither a DNS server nor a DNS proxy nor a dynamic DNS client
# DNS proxy and dynamic DNS client are currently scheduled for 12.1X44
NTP CONFIGURATION
TIME AND NTP CLIENT
# Set the time zone
set system time-zone Europe/Berlin

# Manually set time/date or simply poll a time server
srx> set date YYYYMMDDhhmm.ss
or
srx> set date ntp de.pool.ntp.org
27 Apr 16:10:48 ntpdate[981]: step time server 213.61.224.44 offset 0.000876 sec

# Specify NTP servers (here 2 servers from de.pool.ntp.org)
set system ntp server 78.46.194.186 version 4 prefer
set system ntp server 88.198.34.114 version 4

# Enable NTP reachability during power up and in cluster backup state
set system ntp boot-server 78.46.194.186

# Diagnostics
# What time is it?
srx> show system uptime | match Current
Current time: 2009-04-22 17:21:20 CEST

srx> show ntp associations no-resolve
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.53.103.104  .PTB.            1 -  504 1024  377   62.492    6.408   0.120
NTP IN HA CLUSTERS
# Define the NTP server as usual in the global context
edit system ntp
    set server 10.0.0.1
    set source-address 10.0.0.2
top

# Enable NTP on the cluster member in backup state (traffic is leaving from fxp0)
edit groups node1 system ntp
    set server 10.0.0.1
    set source-address <ip of fxp0/node1>
top
# Per-node backup routes are required when the NTP server is not directly connected to fxp0
set groups node0 routing-options static route 10.0.0.0/24 next-hop 192.168.1.254
set groups node1 routing-options static route 10.0.0.0/24 next-hop 192.168.1.254
DHCP
DHCP CLIENT
# Enable the DHCP client on an interface
set interfaces fe-0/0/7 unit 0 family inet dhcp

# Permit DHCP traffic on this interface (or on the whole security zone)
set security zones security-zone untrust interfaces fe-0/0/7.0 host-inbound-traffic system-services dhcp

# Option: you can propagate the DNS/WINS settings learnt by the DHCP client
# so that they are reused by the local DHCP server
set system services dhcp propagate-settings fe-0/0/7.0

# Monitoring and control
show system services dhcp client
request system services dhcp renew
DHCP SERVER
# Pools have names (here the subnet)
edit system services dhcp pool 192.168.1.0/24
    set default-lease-time 3600
    set domain-name test.de
    set router 192.168.1.1
    set name-server 192.168.1.1
    set address-range low 192.168.1.33
    set address-range high 192.168.1.64
    # Option - exclude an IP from the pool
    set exclude-address 192.168.1.42
top

# Option - static binding, the IP must be a member of the pool
edit system services dhcp
    set static-binding 00:11:22:33:44:55 fixed-address 192.168.1.33
    set static-binding 00:11:22:33:44:55 host-name test
top

# Permit DHCP in the incoming zone
set security zones security-zone trust host-inbound-traffic system-services dhcp

# Monitoring
show system services dhcp pool
show system services dhcp binding
show system services dhcp statistics
show system services dhcp conflict
DHCP RELAY
# Allow incoming DHCP traffic
# The "bootp" service is only available in the interface context, not in the zone context
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services bootp

# Enable on the desired interfaces and forward to your desired destination
edit forwarding-options helpers bootp
    set interface ge-0/0/0.0 server 172.18.36.12
    # Relay the DHCP request with the source IP of this interface
    set vpn
    set relay-agent-option
top

# Until 10.4 DHCP relay could not be configured inside virtual routers
# TODO
PPPOE & DSL
PPP OVER ETHERNET
EXAMPLE FOR T-ONLINE, GERMANY
# Define on which interface to use PPPoE encapsulation
set interfaces fe-0/0/5 unit 0 encapsulation ppp-over-ether

# Use password for authentication
set access profile ppp-profile authentication-order password

# PPP interface settings
set interfaces pp0 unit 0 family inet negotiate-address
set interfaces pp0 unit 0 family inet mtu 1492

# Authentication credentials
set interfaces pp0 unit 0 ppp-options pap access-profile ppp-profile
set interfaces pp0 unit 0 ppp-options pap local-password xxxxx
set interfaces pp0 unit 0 ppp-options pap local-name xxxx
set interfaces pp0 unit 0 ppp-options pap passive

# PPPoE settings and binding
set interfaces pp0 unit 0 pppoe-options underlying-interface fe-0/0/5.0
set interfaces pp0 unit 0 pppoe-options auto-reconnect 10
set interfaces pp0 unit 0 pppoe-options client
set interfaces pp0 unit 0 pppoe-options idle-timeout 0

# Diagnostic commands
show interfaces pp0
show pppoe interfaces
show pppoe statistics
request pppoe [connect|disconnect]
PPP OVER ADSL (FOR T-ONLINE, GERMANY)
BASED ON JUNOS 10.0 WITH ADSL MINI-PIM
# T-Online Germany typically uses the ATM VPI 1 and VCI 32
# Encapsulation is pppoe-over-atm with llc

# ADSL interface configuration
set interfaces at-1/0/0 encapsulation ethernet-over-atm
set interfaces at-1/0/0 atm-options vpi 1
set interfaces at-1/0/0 dsl-options operating-mode itu-dmt
set interfaces at-1/0/0 unit 0 encapsulation ppp-over-ether-over-atm-llc
set interfaces at-1/0/0 unit 0 vci 1.32

# PPPoE configuration on top of this ADSL interface
set interfaces pp0 unit 0 ppp-options pap access-profile T-Online
set interfaces pp0 unit 0 ppp-options pap local-name "[email protected]"
set interfaces pp0 unit 0 ppp-options pap local-password "xxxx"
set interfaces pp0 unit 0 ppp-options pap passive
set interfaces pp0 unit 0 ppp-options lcp-max-conf-req 0
set interfaces pp0 unit 0 ppp-options ncp-max-conf-req 0
set interfaces pp0 unit 0 pppoe-options underlying-interface at-1/0/0.0
set interfaces pp0 unit 0 pppoe-options idle-timeout 0
set interfaces pp0 unit 0 pppoe-options auto-reconnect 1
set interfaces pp0 unit 0 pppoe-options client
set interfaces pp0 unit 0 family inet mtu 1450
set interfaces pp0 unit 0 family inet negotiate-address
set access profile T-Online client "[email protected]" pap-password "xxxx"

# Default route (mandatory, because the negotiated gateway will not appear in the routing table)
set routing-options static route 0.0.0.0/0 next-hop pp0.0
SRX AS UAC ENFORCER
SRX AS UAC ENFORCER (1/2)
Important to know:
• In contrast to ScreenOS, JUNOS does not need a signed certificate on the IC. If not explicitly configured, JUNOS will ignore the certificate presented by the IC. The communication is then only protected by the password.
• Captive portal support has been added with JUNOS 10.2
• For IPSec enforcement the SRX has to be configured manually, in contrast to ScreenOS, where the IC also pushes the IPSec configuration. Please "RTFM"
• If the IC is configured as a cluster you have to configure two ICs on JUNOS using their physical IP addresses. Please do not use the VIP.

Example configuration with an IC cluster:
# Create IC connections
set services unified-access-control infranet-controller uac1 address 10.1.1.1
set services unified-access-control infranet-controller uac1 interface reth2.0
set services unified-access-control infranet-controller uac1 password "<PW-Hash>"
set services unified-access-control infranet-controller uac2 address 10.1.1.2
set services unified-access-control infranet-controller uac2 interface reth2.0
set services unified-access-control infranet-controller uac2 password "<PW-Hash>"
set services unified-access-control timeout 20
set services unified-access-control interval 5
# Optional: add certificate verification; the root certificate has to be loaded to the SRX (see VPN with Certificates)
set services unified-access-control infranet-controller uac1 server-certificate-subject <cert-name>
set services unified-access-control infranet-controller uac1 ca-profile <profile-name>
set services unified-access-control infranet-controller uac2 server-certificate-subject <cert-name>
set services unified-access-control infranet-controller uac2 ca-profile <profile-name>
SRX AS UAC ENFORCER (2/2)
Enforcer options:
# Enable test-only mode (only logging, without enforcement)
set services unified-access-control test-only-mode

# Define the timeout action (if the connection to the IC is lost)
set services unified-access-control timeout-action <close | no-change | open>

Policy enforcement with captive portal:
# Create a captive portal policy; redirect-url is optional
set services unified-access-control captive-portal my-cp-policy redirect-traffic unauthenticated
set services unified-access-control captive-portal my-cp-policy redirect-url https://ic.xyz.com/auth

# Create a firewall policy with application-service "uac-policy"
set security policies from-zone untrust to-zone trust policy uac-enforcem match source-address any
set security policies from-zone untrust to-zone trust policy uac-enforcem match destination-address any
set security policies from-zone untrust to-zone trust policy uac-enforcem match application any
set security policies from-zone untrust to-zone trust policy uac-enforcem then permit application-services uac-policy captive-portal my-cp-policy
set security policies from-zone untrust to-zone trust policy uac-enforcem then log session-close
SRX AS UAC ENFORCER
Diagnostics
show services unified-access-control status
show services unified-access-control policies
show services unified-access-control rules
show services unified-access-control authentication detail
show services unified-access-control role-provisioning all
show security flow session ... extensive
PORT MIRRORING
PORT MIRRORING ON BRANCH SRX
# You can mirror traffic from one L3 interface to a host on another L3 interface.
# For configuration start with selecting the outbound interface and the destination host.
# The mirrored traffic is sent with the destination MAC rewritten to the host's own MAC address.
edit forwarding-options port-mirroring
    set input rate 1 run-length 10
    set family inet output interface ge-0/0/1.0 next-hop 10.0.210.33
top

# Next configure a firewall filter to port mirror. 0.0.0.0/0 is all traffic
edit firewall filter port-mirror term 1
    set from source-address 0.0.0.0/0
    set then port-mirror accept
top

# Finally set the filter on the source interface that should be mirrored
# This must be a physical L3 interface (family inet, not family ethernet-switching)
set interfaces ge-0/0/0 unit 0 family inet filter input port-mirror
set interfaces ge-0/0/0 unit 0 family inet filter output port-mirror
PORT MIRRORING ON DATACENTER SRX
# Mirror port ge-0/0/1 to port ge-0/0/2
edit forwarding-options port-mirroring
    set input rate 1 run-length 10
    set family any output interface ge-0/0/2
    set instance inst1 input rate 1 run-length 10
    set instance inst1 family any output interface ge-0/0/2
top

set interfaces ge-0/0/1 port-mirror-instance inst1
CLASS OF SERVICE
JUNOS COS SUMMARY
[Figure: JUNOS CoS processing chain: BA Classifier, Multifield Classifier, Ingress Policing, FWD Policy, Fabric Priority, Egress Policing, Scheduler/WRED, Rewrite/marker. Further labels: Fabric; Forwarding Class & Loss Priority]
COS - BUILDING BLOCKS (1/2)
Ingress Processing: Forwarding Classes and Queues
Classification maps traffic to internal queues. The 4 default SRX forwarding classes map to 4 queues. Additional forwarding classes can be specified.
    show class-of-service
    show interfaces queue ge-0/0/0

IFL Classification (interface level classification of forwarding class and loss priority)
Specify the class based on interface/sub-interface/logical interface
    set class-of-service interfaces <name> unit <x> forwarding-class assured-forwarding

BA Classification (behavior aggregate classification of forwarding class and loss priority)
Specify the class based on DSCP (IP) or EXP (MPLS) bits
    show class-of-service classifier name dscp-default
    set class-of-service interfaces fe-0/0/3 unit 0 classifiers dscp default

MF Classification (multifield classification of forwarding class and loss priority)
Specify the class based on stateless packet filters
    set firewall family inet filter ..... then forwarding-class ...
    set interfaces fe-0/0/3 unit 0 family inet filter .....

Simple Filters (implemented on special hardware)
Specify only class, loss-priority and policer; no drop or count action, only one prefix
    set firewall family inet simple-filter ....
    set interfaces <name> unit <x> family inet simple-filter .....

Ingress Policing (ingress rate limiter)
Single rate policer: establish a data rate, drop or change the forwarding class when thresholds are exceeded
Example on the next pages
COS - BUILDING BLOCKS (2/2)
Egress Processing: Scheduler & Scheduler Map
Packet notifications are placed into the forwarding class queue. Queues are serviced by a scheduler using WRR. WRED congestion control operates at the head of the queue.

Rewriter
Changes DSCP / EXP bits
    show class-of-service rewrite-rule
    set class-of-service interfaces ge-0/0/0 unit 0 rewrite-rules dscp default

PLP (Packet Loss Priority) & Drop Profiles
PLP allows influencing queuing within the same queue
    set class-of-service drop-profiles ...
    set class-of-service schedulers .... drop-profile-map .....

Egress Policing
Single rate policer: establish a data rate, drop or change the forwarding class when thresholds are exceeded
    set firewall policer .... if-exceeding bandwidth-limit ... burst-size-limit ... then ...
SIMPLE COS EXAMPLE
The previous pages list all available methods. It is not mandatory to apply all of them to get a working CoS configuration.
A simple example on the next pages fulfills the following requirements:
• We have a LAN interface reth0
• We have a WAN interface reth1
• We have an upstream WAN bandwidth of 10 Mbps
• Traffic from the LAN IP 192.168.1.2 should be able to occupy up to 30% of the WAN bandwidth, even in congestion situations
To achieve this it relies on the following building blocks only:
• Use the 4 default classes
• Create a classifier
• Create schedulers and assign them to the forwarding classes with a scheduler map
• Apply your classifier to the ingress interface(s)
• Apply your scheduler map to the egress interface(s)
SIMPLE COS EXAMPLE (1/3)
# We have a LAN interface reth0
# We have a WAN interface reth1
# We have an upstream WAN bandwidth of 10 Mbps
# Traffic from the LAN IP 192.168.1.2 should be able to occupy up to 30%
# of the WAN bandwidth, even in congestion situations

# 1. Create a classifier that puts traffic from the source IP 192.168.1.2
# into a separate forwarding class (assured-forwarding).
# Add counters, so we can examine how frequently each decision path is used
edit firewall family inet filter TEST-CLASSIFER
    set term VOIP from source-address 192.168.1.201/32
    set term VOIP then count SPECIAL
    set term VOIP then forwarding-class assured-forwarding
    set term VOIP then accept
    set term ANY then count ANY
    set term ANY then forwarding-class best-effort
    set term ANY then accept
top
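The classifier above and the counting filter TEST from the Access Lists chapter are both stateless filters evaluated the same way: terms are tried in order, the first match decides, and whatever no term matches falls into the implicit final "deny all" term. The following Python evaluator is an added example, not Juniper code; it re-implements TEST (with and without its catch-all term 2) and TEST-CLASSIFER so the implicit discard and the counters of "show firewall counter" can be observed on constructed packets. "from port" is evaluated as JUNOS does (source or destination port); every term here carries an explicit terminating action, and the packets, their lengths and the helper names are constructed.

```python
"""First-match evaluation of a JUNOS-style stateless firewall filter.

Added example, not Juniper code.  It re-implements the two filters shown in this
collection, TEST (count SSH, accept everything else) and TEST-CLASSIFER (mark one
host's traffic as assured-forwarding), so that the implicit final discard and
the counters can be observed on constructed packets.
"""
import ipaddress


class Filter:
    def __init__(self, name, terms):
        # terms: list of (term_name, match_conditions, actions) in configured order.
        # Every term here carries a terminating action ("then"); the implicit final
        # term of the chain discards whatever no configured term matched.
        self.name = name
        self.terms = terms
        self.counters = {}            # counter name -> {"packets": n, "bytes": n}

    @staticmethod
    def _matches(cond, pkt):
        for key, value in cond.items():
            if key in ("source-address", "destination-address"):
                addr = ipaddress.ip_address(pkt["src" if key == "source-address" else "dst"])
                if addr not in ipaddress.ip_network(value, strict=False):
                    return False
            elif key == "port":       # JUNOS "from port": source OR destination port
                if value not in (pkt.get("sport"), pkt.get("dport")):
                    return False
            else:
                raise ValueError("unsupported match condition: " + key)
        return True

    def evaluate(self, pkt):
        """Return (verdict, forwarding_class, term_name) for one packet."""
        for name, cond, action in self.terms:
            if not self._matches(cond, pkt):
                continue
            if "count" in action:     # "then count": update bytes and packets like show firewall counter
                c = self.counters.setdefault(action["count"], {"packets": 0, "bytes": 0})
                c["packets"] += 1
                c["bytes"] += pkt["len"]
            return action["then"], action.get("forwarding-class"), name
        return "discard", None, "<implicit deny>"


ANY = "0.0.0.0/0"


def build_test(with_term2=True):
    """The TEST filter from the counting example, optionally without its catch-all term 2."""
    terms = [("1", {"source-address": ANY, "port": 22}, {"count": "MYCOUNT", "then": "accept"})]
    if with_term2:
        terms.append(("2", {"source-address": ANY}, {"then": "accept"}))
    return Filter("TEST", terms)


def build_classifier():
    """TEST-CLASSIFER from the CoS example: VOIP term for one host, ANY term for the rest."""
    return Filter("TEST-CLASSIFER", [
        ("VOIP", {"source-address": "192.168.1.201/32"},
         {"count": "SPECIAL", "then": "accept", "forwarding-class": "assured-forwarding"}),
        ("ANY", {}, {"count": "ANY", "then": "accept", "forwarding-class": "best-effort"}),
    ])


def verdicts(flt, packets):
    return [flt.evaluate(p)[0] for p in packets]


def classes(flt, packets):
    return [flt.evaluate(p)[1] for p in packets]


# Constructed packets: src, dst, source port, destination port, length in bytes
PACKETS = [
    {"src": "192.168.1.201", "dst": "10.0.0.5", "sport": 51234, "dport": 22, "len": 120},  # SSH request
    {"src": "10.0.0.5", "dst": "192.168.1.201", "sport": 22, "dport": 51234, "len": 80},   # SSH reply
    {"src": "192.168.1.201", "dst": "10.0.0.9", "sport": 40000, "dport": 80, "len": 500},  # HTTP
    {"src": "192.168.1.50", "dst": "10.0.0.53", "sport": 33000, "dport": 53, "len": 60},   # DNS
]

if __name__ == "__main__":
    f = build_test(with_term2=False)
    print("TEST without term 2:", verdicts(f, PACKETS), f.counters)   # HTTP and DNS hit the implicit deny
    f = build_test()
    print("TEST with term 2:   ", verdicts(f, PACKETS), f.counters)
    c = build_classifier()
    print("TEST-CLASSIFER:     ", classes(c, PACKETS), c.counters)
```

Without term 2 the HTTP and DNS packets are silently discarded even though the intent was only to count SSH; the counter MYCOUNT reads 2 packets / 200 bytes either way, so the counters alone would not reveal the outage.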
SIMPLE COS EXAMPLE (2/3)
# 2. Specify the behaviour of the different schedulers
# Start with af (assured forwarding)
# Notes on the scheduler parameters:
# transmit-rate: can be considered the "guaranteed bandwidth", you will always get it
# shaping-rate: can be considered the "maximum bandwidth", you can send no more
# loss-priority: influences drop behaviour for packets in the same queue (4 priorities);
#   the LP is a tag on each packet created by the classifier or by additional policers
# buffer-size: more buffer allows bursts, but could introduce higher latencies
edit class-of-service schedulers af
    set transmit-rate percent 30
    set shaping-rate percent 50
    set buffer-size percent 5
    set priority high
top

# Continue with be (best effort)
edit class-of-service schedulers be
    set transmit-rate percent 60
    set buffer-size remainder
    set priority low
top

# And don't forget nc (network control)
edit class-of-service schedulers nc
    set transmit-rate percent 10
    set buffer-size percent 10
    set priority strict-high
top
SIMPLE COS EXAMPLE (3/3)
# 3. Create a map of how the schedulers should be applied
# to the different forwarding classes
edit class-of-service scheduler-maps TEST-MAP
    set forwarding-class assured-forwarding scheduler af
    set forwarding-class best-effort scheduler be
    set forwarding-class network-control scheduler nc
top

# 4. Set a shaping rate for the WAN interface and
# apply the desired scheduler map to this interface
set class-of-service interfaces reth1 unit 0 scheduler-map TEST-MAP
set class-of-service interfaces reth1 unit 0 shaping-rate 10m

# 5. Apply the classifier on the LAN interface(s), so ingress traffic gets classified
set interfaces reth0 per-unit-scheduler
set interfaces reth0 unit 0 family inet filter input TEST-CLASSIFER

# 6. Enable the scheduler on the WAN interface, so that egress traffic gets shaped
set interfaces reth1 per-unit-scheduler
302 Copyright © 2011 Juniper Networks, Inc. www.juniper.net
INGRESS POLICER (FIREWALL FILTER)
# Ingress policers with simple filters depend on the interface hardware and are not
# available on all systems. Systems known to support these are
# SRX-3K and SRX-5K with Combo Card.
# simple-filter might be required instead of firewall filter
# The example below limits traffic from a certain source to 1Mbps
edit firewall policer ONE-MBIT
set if-exceeding bandwidth-limit 1m
set if-exceeding burst-size-limit 63k
set then discard
top
edit firewall family inet filter TESTFILTER term TERM1
set from source-address 172.27.60.4/32
set then policer ONE-MBIT
top
# apply this filter on the interface (input or output is possible)
set interface reth0 unit 0 family inet filter input TESTFILTER
INGRESS POLICER (SIMPLE FILTER)
# On some systems simple filters can be used instead of firewall filters.
# Simple filters are ingress only and have fewer match options than firewall filters,
# but they are better for performance reasons, because the interface hardware is used to
# perform the filtering (and thus no performance is required on the Central Point).
# Systems known to support simple filters are SRX-3K and SRX-5K with Combo Card
# The example below limits traffic from a certain source to 1Mbps
edit firewall policer ONE-MBIT
set if-exceeding bandwidth-limit 1m
set if-exceeding burst-size-limit 63k
set then discard
top
edit firewall family inet simple-filter TESTFILTER term TERM1
set from source-address 172.27.60.4/32
set then policer ONE-MBIT
top
# apply this filter on the interface
set interface reth0 unit 0 family inet simple-filter input TESTFILTER
TROUBLESHOOTING AND FURTHER INFORMATION
# COS Monitoring and Investigation Commands
show class-of-service …
show firewall filter …
show policer …
show interface queue <if-name>
show interface extensive <if-name>
# COS Configuration Guide for Security Devices
http://www.juniper.net/techpubs/en_US/junos12.1/information-products/topic-collections/security/software-all/class-of-service/junos-security-swconfig-cos.pdf
# SRX Interface Guide
http://www.juniper.net/techpubs/software/junos-security/junos-security95/junos-security-swconfig-interfaces-and-routing/frameset.html
VIRTUAL CHANNELS (VC)
The VC concept is only available on Branch SRX and J-Series. This approach is useful when a central site is sending traffic to several sites
which have limited WAN bandwidth, and the WAN interface of the central site has more bandwidth than the branches.
• Up to 64 virtual channels per system can be supported
• Traffic to each site needs to be assigned to a VC using firewall filters
• Queuing/scheduling/shaping for each VC is performed at the OUTQ
• Configuring a shaper for each VC is mandatory
(Figure: central site with a DS3 WAN link towards the network; branch sites attached via ADSL, T1 and E1 links)
VIRTUAL CHANNEL EXAMPLE
edit firewall family inet filter SITE1
set term SITE1 from destination-address 192.2.1.2/32
set term SITE1 then virtual-channel site1
# accept everything else, otherwise the filter's implicit discard drops it
set term OTHER then accept
top
set class-of-service virtual-channels site1
set class-of-service virtual-channels site2
set class-of-service virtual-channels site3
edit class-of-service virtual-channel-groups WAN
set site1 scheduler-map TEST-MAP
set site1 shaping-rate 2m
set site2 scheduler-map TEST-MAP
set site2 shaping-rate 1500000
set site3 scheduler-map TEST-MAP
set site3 shaping-rate 1500000
top
# Apply the virtual channel group on the egress WAN interface
set interfaces ge-0/0/0 per-unit-scheduler
set class-of-service interfaces ge-0/0/0 unit 0 virtual-channel-group WAN
# Apply the firewall filter on the ingress LAN interface
set interfaces ge-0/0/1 unit 0 family inet filter input SITE1
COS - NOTES AND LIMITATIONS AND TIPS (1/2)
System Dependencies
• SRX branch devices support shaping-rate at the logical (unit) level, not on the physical port.
• EX switches support shaping-rate at the physical port level, but not at the logical level.
• On Datacenter SRX, BA classification is done on the NPU and MF classification on the SPU.
• On a given interface, queues can be at one (and only one) of the following levels:
  - Interface
  - Sub-interface (e.g. VLAN, DLCI). This is referred to as "per-unit-scheduling"
  - Virtual channels (a concept present only on Branch SRX and J-Series)
Interface Type Dependencies
• Today (with JUNOS 10.3) schedulers can not be applied to a Secure Tunnel interface.
  Either apply the map to the underlying physical interface, use GRE tunnels, or on Branch SRX use virtual channels.
• On SRX, schedulers can be applied on L3 interfaces and VLAN sub-interfaces.
• Reth interfaces have a maximum of 4 queues.
Interface Hardware Dependencies
• Ingress interface policing is only available on SRX-5600 and 5800 with Combo Module.
COS - NOTES AND LIMITATIONS AND TIPS (2/2)
Default Settings
• All router-initiated control-plane traffic is automatically assigned to network-control.
  Packets originating from protocols such as LLDP, RSTP, OSPF, etc. are therefore handled by queue 3.
• All other traffic goes into the best-effort queue.
• Schedulers are disabled on most interfaces and must be enabled to work:
  set interface ge-0/0/0 per-unit-scheduler
• per-unit-schedulers are enabled by default on gr- (GRE), ip- (IPIP) and ls- (Multilink) interfaces.
Bandwidth Calculations
• Policers work on L3 packet sizes.
• Shapers work on L2 packet sizes.
Tip: Applying Classifiers to multiple Interfaces
set class-of-service interfaces ge-0/0/* unit 0 classifiers ieee-802.1 default
HIGH AVAILABILITY
SOLUTION ARCHITECTURE
GRES provides nonstop failover
(Figure: Node 0 and Node 1, each with its control plane daemons and forwarding daemon; the control planes are connected via fxp1, the data planes via fab0/fab1, and the data plane connection also carries the RTOs)
• Single device abstraction
• Clean separation of control and forwarding planes
• Unified configuration with configuration sync
TWO CHASSIS CONNECTED TOGETHER
(Figure: two chassis joined by a control plane connection, SPC to SPC, and a data plane connection, IOC to IOC)
INTERFACE NUMBERING
Interfaces in HA clusters are renumbered: node0 keeps FPC slots 0-11, node1 uses FPC slots 12-23.
(Figure: node0 with RE 0 and slots 0-11, e.g. ge-1/0/0; node1 with RE 1 and slots 12-23, e.g. ge-13/0/0)
CLUSTER INTERFACES
Model      Management (fxp0)           Control-Link (fxp1)                                    Fabric-Link
SRX 100    fe-0/0/6                    fe-0/0/7, tagged - VLAN 4094 1)                        Any interface, untagged; MTU on SRX100 is 1628
SRX 210    fe-0/0/6                    fe-0/0/7, tagged - VLAN 4094 1)                        Any interface, untagged; Jumbo Frames, MTU 9014
SRX 240    ge-0/0/0                    ge-0/0/1, tagged - VLAN 4094 1)                        Any interface, untagged; Jumbo Frames, MTU 9014
SRX 650    ge-0/0/0                    ge-0/0/1, tagged - VLAN 4094 1)                        Any interface, untagged; Jumbo Frames, MTU 9014
J-Series   ge-0/0/2                    ge-0/0/3, untagged                                     Any interface, untagged; Jumbo Frames, MTU 9014
SRX 3000   fxp0 on the Routing Engine  onboard HA Port 0 with any type of SFP, untagged       Any interface, untagged; Jumbo Frames, MTU 9014
SRX 5000   fxp0 on the Routing Engine  first port of any SPC, same-slot SPC on both SRX,      Any interface, untagged; Jumbo Frames, MTU 9014
                                       fiber SFPs only, untagged
1) VLAN tagging became configurable with JUNOS 10.3, Syntax
SRX3000 HARDWARE AND INTERFACE REDUNDANCY
SRX3000 | Interface | Redundancy | Remarks
Management (fxp0) | Yes, on the Routing Engine | No |
Control link (fxp1) | built-in on SFB module, use HA Control Port 0 | Possible with HA Control Port 1 on SFB, requires CRM module & JUNOS 10.2 | untagged, Jumbo Frames
Data link (fab0 & fab1) | Yes | Possible since JUNOS 10.2 | untagged, Jumbo Frames, uses LAG
Secondary Switch Fabric | - | Not yet supported |
Secondary Routing Engine | - | Not yet supported |
SRX5000 HARDWARE AND INTERFACE REDUNDANCY
SRX5000 | Interface | Redundancy | Remarks
Management (fxp0) | Yes, on the first Routing Engine | Today (10.4) a second Routing Engine is just used for control-link redundancy |
Control link (fxp1) | first port of any SPC | Requires a second Routing Engine, uses the second port on the SPC, supported since JUNOS 10.0 | Must be on the same SPC in each cluster member, fiber SFPs only !!
Data link (fab0 & fab1) | Yes, can be on any IO card, must be configured | Available since JUNOS 10.2 by using LAG configuration |
Second Switch Control Board | Second SCB is included in each SRX-5800 base system and is an option for SRX-5600 | Fallback to a single switch fabric reduces maximum performance |
Third Switch Control Board | Slot exists to install a third SCB on SRX5800 but this is not yet supported | |
Secondary Routing Engine | - | Today (10.4) a second Routing Engine is just used for control-link redundancy |
SRX CLUSTER CREATION - STEP BY STEP
1. Plug in the cluster control and fabric links
2. Set the Cluster ID on both members and reboot them
3. On SRX 5000: configure the control ports on both members
   From now on both members can be configured as one
4. Specify the data links (a.k.a. fabric ports)
5. Define node specific configuration in apply-groups
6. Define at least 2 redundancy groups
7. Configure redundant Ethernet interfaces for these RGs
8. Continue with the remaining configuration
HIGH AVAILABILITY - CONTROL AND FABRIC LINKS
Create a Cluster
Define Control Ports (on SRX5K between SPCs, fiber only). This will become interface fxp1
Define Data Ports (on SRX5K between IOCs). fab0 and fab1 are the fabric links
# Cluster ID must be between 1 and 15
# Cluster ID 0 or "disable chassis cluster" unsets the cluster
# Each device in the cluster must be given a unique node number
# Reboot is required to make the change effective
# This configuration is required on both cluster members
set chassis cluster cluster-id <0-15> node <0-1> reboot
# At least one interface from each cluster member
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-12/0/2
# Since JUNOS 10.2 you can add additional interfaces
set interfaces fab0 fabric-options member-interfaces ge-0/0/3
set interfaces fab1 fabric-options member-interfaces ge-12/0/3
# Control ports (SRX5K only)
set chassis cluster control-ports fpc 0 port 0
set chassis cluster control-ports fpc 12 port 0
HIGH AVAILABILITY - NODE SPECIFIC CONFIGURATION
Group Configuration (all settings which are node specific)
# These are the settings for the first node
set groups node0 system host-name SRX5800-1
set groups node0 system backup-router 172.26.26.1 destination 0.0.0.0/0
set groups node0 interfaces fxp0 unit 0 family inet address 172.26.26.104/24
# These are the settings for the second node
set groups node1 system host-name SRX5800-2
set groups node1 system backup-router 172.26.26.1 destination 0.0.0.0/0
set groups node1 interfaces fxp0 unit 0 family inet address 172.26.26.105/24
# And here we make sure that both node groups are part of the configuration,
# but only the node specific settings are applied on each cluster member
set apply-groups "${node}"
# You can specify a secondary (master-only) address to always reach the master node
# Don't use this address to connect to NSM
set groups node1 interfaces fxp0 unit 0 family inet address 172.26.26.106/24 master-only
set groups node0 interfaces fxp0 unit 0 family inet address 172.26.26.106/24 master-only
HIGH AVAILABILITY - REDUNDANCY GROUPS
Define two redundancy groups for A/P
Option: a second group for A/A (possible since JUNOS 9.5)
# Redundancy Group 0 is required for the Routing Engine
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
# Redundancy Group 1 is used for redundant interfaces in A/P configuration
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
# Redundancy Group 2 is used for redundant interfaces in A/A configuration
set chassis cluster redundancy-group 2 node 0 priority 100
set chassis cluster redundancy-group 2 node 1 priority 200
HIGH AVAILABILITY - REDUNDANT INTERFACES
Define the number of redundant interfaces in your cluster (at least 2)
Configure the redundant interfaces
Finally assign physical interfaces to them
# The total number of redundant Ethernet interfaces
# This statement allows creating reth0, reth1, reth2, reth3
set chassis cluster reth-count 4
# Make individual interfaces members of reth0
set interface ge-0/0/3 gigether-options redundant-parent reth0
set interface ge-12/0/3 gigether-options redundant-parent reth0
# Make individual interfaces members of reth1
set interface ge-0/0/4 gigether-options redundant-parent reth1
set interface ge-12/0/4 gigether-options redundant-parent reth1
set interface reth0 redundant-ether-options redundancy-group 1
set interface reth0 unit 0 family inet address 10.10.1.3/24
set interface reth1 redundant-ether-options redundancy-group 1
set interface reth1 unit 0 family inet address 20.10.1.3/24
HIGH AVAILABILITY - ADDITIONAL OPTIONS (1)
# Interface Monitoring
# We can release the master role in case of a Layer 1 failure on these interfaces
set chassis cluster redundancy-group 1 interface-monitor xe-0/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-11/0/0 weight 255
# Optional pre-emption (fallback, when the node with the better priority returns)
set chassis cluster redundancy-group 1 preempt
# Optional hold-down time to prevent too fast failover of redundancy groups
set chassis cluster redundancy-group 1 hold-down-interval 900
# Track-IP, IP address monitoring for the redundancy group
# (introduced for Data Center SRX with JUNOS 9.6)
set chassis cluster redundancy-group 1 ip-monitoring family inet 1.1.1.1 weight 255
# Additional monitoring from the backup interface was added in JUNOS 10.1
set chassis cluster redundancy-group 1 ip-monitoring interface reth0.0 secondary-ip ..
# Optional control link recovery (introduced with JUNOS 9.6)
# Recovers the system from hold state by an automatic reboot
set chassis cluster control-link-recovery
# Fabric link monitoring is disabled by default on High-End SRX since 10.4r4
# to avoid the "hold" state after link loss. To enable it use the following command
set chassis cluster fabric-monitoring
HIGH AVAILABILITY - ADDITIONAL OPTIONS (2)
Redundant Interface as a VLAN Trunk
set interfaces reth1 vlan-tagging
set interfaces reth1 redundant-ether-options redundancy-group 1
# Best practice: use the vlan-id also as the unit number
set interfaces reth1 unit 11 vlan-id 11
set interfaces reth1 unit 11 family inet address 10.0.11.1/24
set security zones security-zone zone11 interfaces reth1.11
set interfaces reth1 unit 12 vlan-id 12
set interfaces reth1 unit 12 family inet address 10.0.12.1/24
set security zones security-zone zone12 interfaces reth1.12
Graceful Restart
# If all participants of a routing protocol can handle graceful restart, then
# use this option to avoid downtimes resulting from OSPF or BGP re-establishment
set routing-options graceful-restart
Heartbeat Interval Tuning
# Set the heartbeat interval (1000..2000, default is 1000)
set chassis cluster heartbeat-interval [msec]
# Set the heartbeat threshold (3..8, default is 3)
set chassis cluster heartbeat-threshold [nr]
HIGH AVAILABILITY - ADDITIONAL OPTIONS (3)
VLAN-Tagging on the Branch SRX Control Link
# On Branch SRX the control link traffic uses VLAN ID 4094 by default
# Since JUNOS 10.3 there is a command available to remove the VLAN tag
# A reboot is required to make the change effective
set chassis cluster control-link-vlan enable/disable
# To see the current configuration use the following command
show chassis cluster information
Commit Confirm on SRX Cluster
# Since a cluster configuration can be edited on both Routing Engines,
# there is no "commit confirm" available by default
# To allow "commit confirm" you must enter configuration mode with
configure exclusive
HIGH AVAILABILITY - MONITORING AND TROUBLESHOOTING (1)
# Configuration check
show config groups
show config chassis cluster
show config interfaces
# Hardware checks
show chassis hardware
show chassis fpc pic-status
show pfe terse
show chassis alarms
show system alarms
# Monitor cluster status
show chassis cluster status
show chassis cluster status redundancy-group <xx>
# Display information about HA interfaces (11.4 shows the state of redundant HA links too)
show chassis cluster interfaces
# Status information
show chassis cluster statistics
show chassis cluster information
show chassis cluster ip-monitoring status
# In case you find a cluster member in disabled state,
# here is a place to find root cause information
show chassis cluster information no-forwarding
HIGH AVAILABILITY - MONITORING AND TROUBLESHOOTING (2)
# Inspect log files (for support cases always collect the log files from both nodes !!)
show log jsrpd       or   file show /var/log/jsrpd
show log messages    or   file show /var/log/messages
show log chassisd    or   file show /var/log/chassisd
# For ongoing log file monitoring use
monitor start jsrpd
# To enable additional traces in jsrpd you can configure traceoptions
set chassis cluster traceoptions level all flag all
# To jump from one node to the other you can use the following options:
# CLI command for Branch SRX
request routing-engine login node <x>
# Shell command for Datacenter SRX
rlogin -Ji node<x>
# Or usually you can also use ssh with the fxp0 address of the second node
# Knowledgebase: Troubleshooting SRX High Availability
http://kb.juniper.net/library/CUSTOMERSERVICE/Resolution_Guides/SRX/Wrapper_SRX_Chassis_Cluster.html
HIGH AVAILABILITY - CLUSTER CONNECTIONS
# Requirements for HA cluster connections
- Latency on HA links must be below 100 msec
- Bandwidth on the fabric link: 1Gbps is sufficient for A/P; for A/A with 10GE reth interfaces 10GE fabric links are recommended
- Dual fabric links do offer redundancy, but only one link is used for forwarding and RTO sync
- When the HA connection travels over switches:
  - Control link traffic and fabric link traffic must be kept on separate L2 connections (different physical links or different VLANs)
  - Jumbo Frames must be permitted
  - IGMP Snooping must be disabled on the switch ports involved
  - For Branch SRX: disable VLAN tagging on the control link or allow QinQ on the switch: "set chassis cluster control-link-vlan disable"
  - Use the guideline from the following Knowledgebase article: SRX Cluster Deployments across L2 Networks
    http://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/technotes/3500165-EN.pdf
HIGH AVAILABILITY - MANUAL FAILOVER (1)
Requesting Failover
• Manually fail over redundancy groups between chassis
• RG0 should only be failed over in emergencies
• Should only be done after both REs have been up for 5 minutes
• Rapid failovers will cause an RE crash
• RG1 supports rapid failovers
Clearing Failover
• Failovers need to be cleared after being manually triggered
• Prevents accidental failovers
HIGH AVAILABILITY - MANUAL FAILOVER (2)
Request Failover
{secondary:node1}
root@srx> request chassis cluster failover redundancy-group 1 node 1
node1:
--------------------------------------------------------------------------
Initiated manual failover for redundancy group 1

{primary:node1}
root@srx> show chassis cluster status
Cluster ID: 3
Node name      Priority   Status      Preempt   Manual failover

Redundancy group: 0 , Failover count: 1
    node0      200        secondary   no        no
    node1      1          primary     no        no

Redundancy group: 1 , Failover count: 0
    node0      255        primary     yes       yes
    node1      1          secondary   yes       yes

Clear/Reset Failover
root@srx> request chassis cluster failover reset redundancy-group 1
HIGH AVAILABILITY - MANUAL FAILOVER (3)
Manual failover can fail if the systems are not yet up again. Manual failover can be difficult if the nodes have not completely recovered from a previous failover. To determine if a device is ready for repeated failovers, perform these recommended best-practice steps before doing a manual failover.
The best practices we recommend to ensure a proper failover are as follows:
• show chassis cluster status
  Use this command to verify the following for all redundancy groups:
  • One node is primary; the other node is secondary.
  • Both nodes have nonzero priority values unless a monitored interface is down.
• show chassis fpc pic-status
  Use this command to verify that the PIC status is Online.
• show pfe terse
  Use this command to verify that the Packet Forwarding Engine status is Ready and to verify the following:
  • All slots on the RG0 primary node have the status Online.
  • All slots on the RG0 secondary node, except the Routing Engine slots, have the status Valid.
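The status checks above can be automated against the CLI text. The Python below is an added example (not from the Jump Station and not Juniper code) that parses a `show chassis cluster status` sample written in the format of the previous slide and reports anything that would make a manual failover unsafe; both samples are constructed, not real captures.

```python
"""Check 'show chassis cluster status' output against the pre-failover checks.

Added example, not from the Jump Station: it parses the text format shown on the
"manual failover (2)" slide and applies the best-practice checks from slide (3).
Both samples below are constructed in that format, not real captures.
"""
import re

# Constructed: a pending manual failover on RG1 and node0 at priority 0.
SAMPLE_STATUS = """\
Cluster ID: 3
Node name   Priority   Status      Preempt   Manual failover

Redundancy group: 0 , Failover count: 1
    node0   200        secondary   no        no
    node1   1          primary     no        no

Redundancy group: 1 , Failover count: 0
    node0   0          primary     yes       yes
    node1   1          secondary   yes       yes
"""

# Constructed: a cluster that passes all checks.
HEALTHY_STATUS = """\
Cluster ID: 3
Node name   Priority   Status      Preempt   Manual failover

Redundancy group: 0 , Failover count: 0
    node0   200        primary     no        no
    node1   100        secondary   no        no

Redundancy group: 1 , Failover count: 0
    node0   200        primary     yes       no
    node1   100        secondary   yes       no
"""

RG_RE = re.compile(r"^Redundancy group:\s*(\d+)\s*,\s*Failover count:\s*(\d+)")
NODE_RE = re.compile(r"^\s*(node[01])\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_cluster_status(text):
    """Return {rg_id: {"failover_count": int, "nodes": {node: fields}}}."""
    groups, current = {}, None
    for line in text.splitlines():
        m = RG_RE.match(line)
        if m:
            current = int(m.group(1))
            groups[current] = {"failover_count": int(m.group(2)), "nodes": {}}
            continue
        m = NODE_RE.match(line)
        if m and current is not None:
            name, prio, status, preempt, manual = m.groups()
            groups[current]["nodes"][name] = {
                "priority": int(prio),
                "status": status,
                "preempt": preempt == "yes",
                "manual_failover": manual == "yes",
            }
    return groups


def check_failover_readiness(groups):
    """Apply the slide's checks to every RG; an empty list means 'ready'."""
    findings = []
    for rg, info in sorted(groups.items()):
        statuses = sorted(n["status"] for n in info["nodes"].values())
        if statuses != ["primary", "secondary"]:
            findings.append(f"RG{rg}: expected one primary and one secondary, got {statuses}")
        for name, node in info["nodes"].items():
            if node["priority"] == 0:
                findings.append(f"RG{rg}: {name} has priority 0 (monitored interface down?)")
        # A manual failover that was never cleared must be reset before the next one.
        if any(n["manual_failover"] for n in info["nodes"].values()):
            findings.append(
                f"RG{rg}: manual failover flag still set, run "
                f"'request chassis cluster failover reset redundancy-group {rg}' first")
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_STATUS), ("healthy", HEALTHY_STATUS)):
        problems = check_failover_readiness(parse_cluster_status(text))
        print(f"{label}: {'READY' if not problems else 'NOT READY'}")
        for p in problems:
            print("  -", p)
```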
FAILURE CASES AND EXPECTED BEHAVIORS
Component          Expected Behavior
Control Link       Secondary node goes into disabled state. Reconnect the control link and then reboot the secondary node.
Fabric Link        Since 10.4r4 the fabric link is no longer monitored by default. Enable fabric monitoring with "set chassis cluster fabric-monitoring". With monitoring enabled: the secondary node goes into disabled state. Reconnect the fabric link and then reboot the secondary node.
Power              If all power to the unit is lost then all redundancy groups will fail over.
Interface Down     Redundancy groups that monitor the interface will fail over if the total weight exceeds 254.
CP                 Will cause RG1+ to fail over but the RE will remain on the same chassis.
SPC/SPU            Any SPC or SPU failure will trigger RG1+ to fail over to the secondary chassis.
RE or SCB with RE  All redundancy groups will fail over and the chassis goes offline.
SCB w/o RE         Reduces the throughput of the device, will not fail over to the second chassis. A third SCB will activate if installed (SRX 5k only).
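The "Interface Down" row states the weight rule that interface-monitor and ip-monitoring entries feed into. The Python below is an added example (not from the Jump Station) that models that rule for a set of monitors; the interface names, the 128 weights and the "ip:" prefix used to mark ip-monitoring entries are constructed conventions of this example, and it shows why weight 255 per link makes any single link loss fail the group over while 128 per link needs both links down.

```python
"""Model the redundancy-group monitoring weight rule from the failure-case table.

Added example, not from the Jump Station. It applies the rule stated on the slide:
a redundancy group fails over once the summed weight of its failed monitored
objects exceeds 254, at which point its priority shows as 0. Interface names,
the 128 weights and the "ip:" prefix for ip-monitoring entries are constructed.
"""

FAILOVER_WEIGHT = 255  # the slide: "will failover if total weight exceeds 254"


def failed_weight(monitors, failed):
    """Sum the weights of the monitored objects that are currently down.

    monitors: {"xe-0/0/0": 255, "ip:1.1.1.1": 255, ...}  (name -> weight)
    failed:   set of monitor names reported down
    """
    unknown = failed - set(monitors)
    if unknown:
        raise ValueError(f"unmonitored objects reported: {sorted(unknown)}")
    return sum(monitors[name] for name in failed)


def rg_fails_over(monitors, failed):
    """True when the accumulated weight reaches the threshold."""
    return failed_weight(monitors, failed) >= FAILOVER_WEIGHT


def effective_priority(configured_priority, monitors, failed):
    """Priority as 'show chassis cluster status' shows it: 0 once the RG failed over."""
    return 0 if rg_fails_over(monitors, failed) else configured_priority


def monitor_config_lines(rg, monitors):
    """Render the set commands for a monitor dict in the syntax used on the slides."""
    lines = []
    for name, weight in sorted(monitors.items()):
        if not 0 <= weight <= 255:
            raise ValueError(f"{name}: weight {weight} out of range 0-255")
        if name.startswith("ip:"):  # constructed convention for ip-monitoring entries
            lines.append(f"set chassis cluster redundancy-group {rg} "
                         f"ip-monitoring family inet {name[3:]} weight {weight}")
        else:
            lines.append(f"set chassis cluster redundancy-group {rg} "
                         f"interface-monitor {name} weight {weight}")
    return lines


if __name__ == "__main__":
    # Scenario A (as on the "additional options (1)" slide): each link weighs 255,
    # so losing any single monitored link fails the group over.
    any_link = {"xe-0/0/0": 255, "xe-11/0/0": 255}
    # Scenario B (constructed): two links with weight 128 each, so the group survives
    # one link loss and fails over only when both are down.
    both_links = {"xe-0/0/0": 128, "xe-11/0/0": 128}
    for label, mon in (("any-link", any_link), ("both-links", both_links)):
        for down in (set(), {"xe-0/0/0"}, {"xe-0/0/0", "xe-11/0/0"}):
            print(f"{label:10} down={sorted(down)!s:26} failover={rg_fails_over(mon, down)}")
    print("\n".join(monitor_config_lines(1, any_link)))
```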
FAILURE CASES AND EXPECTED BEHAVIORS (CONTINUED)
Component | Expected Behavior
NPC Failure (SRX 3k) | The SRX 3k supports NPC monitoring. If the NPC fails then all RG1+ groups will fail over to the other cluster member.
Control Plane Failure / RE Reboot | The data plane will continue to run up to 5 minutes without an RE, or until the RE comes back up, when chassisd comes back up and reinitializes all of the cards.
Control and Data Link (fail at the same time) | Both nodes will detect the failure of the links by the loss of the heartbeat messages. In this case the secondary node will go disabled.
Complete Chassis Failure | Whether caused by a software or hardware issue, the secondary node will look for the gratuitous ARPs of the other node, and in the absence of these will assume mastership.
SRX HA State Transition Diagram
Note: Transition to disabled state will only happen if the node is RG0 secondary.
Note: Once in disabled state the only option to recover is to reboot the device.
(Figure: state diagram with the states Hold, Secondary-Hold, Secondary, Primary, Ineligible and Disabled; the transitions are labelled Bootup, Hold timer expires, Secondary-hold timer expires, Failover (manual, i/f failure, ip-mon failure, preempt etc.), Primary node dies, Fabric-link failure, Ineligible timer fires and Ctrl-link failure)
APPLICATION SECURITY,INTRUSION PREVENTION,UNIFIED THREAT MANAGEMENT
FEATURE LICENSES AND CONTENT SUBSCRIPTIONS
FEATURE LICENSES
Feature J SRX100 SRX110 SRX210 SRX220 SRX240 SRX650 SRX1xxx SRX3xxx SRX5xxx
Memory upgrade x - - -
Dynamic VPN up to 25 up to 10 up to 50 up to 150 up to 250 up to 500 - - -
Extreme License - - - - - - x
Logical Systems - - - - - - up to 32 (1.5.25) up to 32 (1.5.25) up to 32 (1.5.25)
Service Offload (Low Latency) - - - - - - Free Free Free
Advanced BGP x - - - - - x
1) requires High memory Model
2) includes IPS License
CONTENT SUBSCRIPTIONS AVAILABLE FOR 1, 3 AND 5 YEARS
Feature                        J   SRX100   SRX110   SRX210   SRX220   SRX240   SRX650   SRX1xxx   SRX3xxx   SRX5xxx
IPS                            x   11.4 1)  11.4     11.4 1)  11.4 1)  11.4 1)  11.4     x         x         x
AppSec                         -   11.4 1)  11.4     11.4 1)  11.4 1)  11.4 1)  11.4     10.4 2)   10.4 2)   10.4 2)
Kaspersky-AV                   x   x 1)     x        x 1)     x 1)     x 1)     x        -         -         -
Sophos-AV                      -   11.4 1)  11.4     11.4 1)  11.4 1)  11.4 1)  11.4     -         -         -
Webfilter-Websense-Integrated  x   x 1)     x        x 1)     x 1)     x 1)     x        -         -         -
Webfilter-Websense-Enhanced    -   11.4 1)  11.4     11.4 1)  11.4 1)  11.4 1)  11.4     -         -         -
Sophos-Antispam                x   x 1)     x        x 1)     x 1)     x 1)     x        -         -         -
1) requires High memory Model
2) includes IPS License
UTM, IDP AND APPLICATION FIREWALL FEATURES REQUIRE LICENSES
# Once ordered, you can download them from the Juniper License Management Server
# This method is recommended, DNS and Internet access are required
# Default URL, as defined in "show configuration system license", is
# https://ae1.juniper.net/JUNOS/key_retrieval
# To download licenses that were bought for a certain device execute
request system license update
# Or if you received a license for manual installation use this command to paste it
# Install manually, when the license keys are available as a text file
request system license add terminal
# You can configure a proxy server to retrieve the licenses
set system proxy server 192.168.1.10
set system proxy port 3128
set system proxy username user1
set system proxy password user123
# To track problems with licenses open a log file
set system license traceoptions file license.log
set system license traceoptions flag all
# Trial licenses (valid for 4 weeks) are available
# You can only fetch it once per lifetime for each device serial number
request system license update trial
MANY LICENSED FEATURES ARE ENABLED PER RULE
In the firewall policy you can decide if the licensed features are applied
edit security policies from-zone trust to-zone untrust policy default-permit
set then permit application-services [idp, uac-policy, utm-policy, services-offload]
top
APPLICATION SECURITY FEATURES - IDP - APP TRACK - APP FIREWALL - IDENTITY BASED APP FIREWALL - APP QOS - APP DDOS
STATE OF APPLICATION SECURITY
State of the Application Firewall Feature Set
• All AppSecure features are available on High End SRX with JUNOS 11.4r1
• All AppSecure features - except AppDDOS and AppQoS - are available for Branch SRX with 11.4r1
Licensing
• SKU AppSec-A (Advanced), High End SRX: includes Application signature license & IPS license.
• SKU AppSec-B (Basic), Branch SRX: includes Application signature license only. IPS license has to be purchased separately.
App-ID Database
• On High End SRX the AppID signatures were moved to a separate database with 11.4
• On Branch SRX the AppID signatures have always been in a separate database since 11.2
Management and Logging
• Some AppFirewall features are not supported in NSM Log Viewer or Policy Manager
• Preferred Management Solution: Space or J-Web
• Preferred Log Solution: STRM
APPLICATION SECURITY AVAILABILITY
(Table: availability of AppTrack, AppFW, AppQoS, AppDoS and IPS on High End SRX and Branch SRX; entries are "11.4" or "Future")
APPSECURE PERFORMANCE
Source: AppSecure Datasheet
IDP - INTRUSION DETECTION AND PREVENTION
ACTIVATE INTRUSION DETECTION AND PREVENTION
Initial Requirement
• Install IDP license
• Download and install the attack database and detector engine (a.k.a. security-package)
IDP Policy - Option 1: Use Juniper Policy Templates
• Download policy templates
• Install policy templates
IDP Policy - Option 2: Write your own IDP Policy
• Write a custom policy, use custom attack groups (NSM is the preferred tool for this job)
Final Steps
• Activate the desired policy
• Add the action "IDP" to all firewall rules where you want to have IDP enabled
SIGNATURE UPDATES
How can signature updates be installed?
• pull (the device fetches the updates itself)
• push from Space. Space can also pull updates through a proxy connection
Branch SRX can have two different signature updates:
• IDP security-package updates include updates for IDP signatures & Application Identification signatures & Detector Engine
• Application Identification updates: AppID updates include only AppID signatures, no IDP signatures or Detector Engine
INTRUSION DETECTION AND PREVENTION ATTACK DATABASE
Download and install the latest attack database
srx> request security idp security-package download
Will be processed in asynchronous mode. Check the status using the status checking CLI

srx> request security idp security-package download status
In progress:downloading file ...SignatureUpdate_tmp.xml.gz

srx> request security idp security-package download status
Done;Successfully downloaded from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:1473(Tue Aug 4 13:41:40 2009, Detector=9.2.160090324)

srx> request security idp security-package install
Will be processed in asynchronous mode. Check the status using the status checking CLI

srx> request security idp security-package install status
In progress:Compiling AI signatures ...

# Takes about 5 minutes on a SRX210 to finish
srx> request security idp security-package install status
Done;Attack DB update : successful - [UpdateNumber=1473,ExportDate=Tue Aug 4 13:41:40 2009,Detector=9.2.160090324]
Updating control-plane with new detector : successful
Updating data-plane with new attack or detector : not performed due to no existing running policy found.
INTRUSION DETECTION AND PREVENTION POLICY TEMPLATES (1/2)
If you don't want to write custom IDP policies yourself, the Juniper policy templates give you a simple starting point. Use the commands below to download and install the latest security policy templates
srx> request security idp security-package download policy-templates
Will be processed in asynchronous mode. Check the status using the status checking CLI

srx> request security idp security-package download status
Done;Successfully downloaded from(https://services.netscreen.com/cgi-bin/index.cgi).Version info:2

srx> request security idp security-package install policy-templates
Will be processed in asynchronous mode. Check the status using the status checking CLI

srx> request security idp security-package install status
Done;policy-templates has been successfully updated into internal repository (=>/var/db/scripts/commit/templates.xsl)!
INTRUSION DETECTION AND PREVENTION POLICY TEMPLATES (2/2)
To get the policy templates added to your configuration you must enable execution of the templates.xsl script with every commit.
# At commit time, the JUNOS management process (mgd) searches the /var/db/scripts/commit
# directory for scripts and runs the script against the candidate configuration database
# to ensure the configuration conforms to the rules dictated by the scripts.
set system scripts commit file templates.xsl
Now you can use the Recommended policy template
set security idp active-policy Recommended
Once the IDP policy is defined, you can activate it "per rule"
edit security policies from-zone trust to-zone untrust policy <policyname>
set then permit application-services idp
top
INTRUSION DETECTION AND PREVENTION CUSTOM POLICY
Instead of policy templates you can write custom IDP policies, where you specify which signatures or signature groups to use and what the desired actions are. The example below uses two INFO level signatures so that you will get IDP logs with each ping or HTTP request.
Activate this policy and enable it on an existing firewall rule.
NSM is recommended to write custom IDP policies, groups and signatures.

edit security idp idp-policy TEST rulebase-ips rule 1
set match source-address any
set match destination-address any
set match attacks predefined-attacks HTTP:AUDIT:URL
set match attacks predefined-attacks ICMP:INFO:ECHO-REQUEST
set then action no-action
set then notification log-attacks
top

set security idp active-policy TEST

edit security policies from-zone trust to-zone untrust policy <policyname>
set then permit application-services idp
top
INTRUSION DETECTION AND PREVENTION CUSTOM ATTACK GROUPS
You can use custom attack groups to specify which attacks you are looking for. Pay attention: server-to-client signatures have a big performance impact. They should only be applied when you inspect traffic to untrusted servers.

edit security idp dynamic-attack-group CRITICAL-C2S
set filters severity values critical
set filters direction values exclude-server-to-client
top

edit security idp dynamic-attack-group CRITICAL-ALL
set filters severity values critical
top

edit security idp idp-policy TEST rulebase-ips rule 1
set match source-address any
set match destination-address MY-OWN-TRUSTED-SERVERS
set match attacks dynamic-attack-groups CRITICAL-C2S
set then action no-action
top

edit security idp idp-policy TEST rulebase-ips rule 2
set match source-address any
set match destination-except MY-OWN-TRUSTED-SERVERS
set match attacks dynamic-attack-groups CRITICAL-ALL
set then action ???
set then notification log-attacks
top
INTRUSION DETECTION AND PREVENTION AUTO UPDATE FOR SIGNATURES
Configure the box to fetch database updates automatically

# set start time (old format until 10.0r2: MM-DD.hh:mm)
set security idp security-package automatic start-time 01-02.03:00

# set start time (new format since 10.0r3: YYYY-MM-DD.HH:MM:SS)
set security idp security-package automatic start-time 2010-01-01.02:00:00

# get the update every 24 hours
set security idp security-package automatic interval 24

# enable auto update
set security idp security-package automatic enable

# The following situations prevent devices from pulling database updates:
# * when internet access is not possible at all
# * when internet access has to use a proxy
# * in a cluster: when the passive member can not get internet access from fxp0

# The following options can help to solve problems with delivery of automatic updates:
# * NSM or Space can be used to pull the attack database and push it to the device;
#   both can even use proxy connections
# * An offline update procedure description is available in the Knowledgebase
# For clusters where only the active node can pull the update:
# * After RG0 failover, the second node becomes active and can fetch the update
# * A description and a script to perform the sync is posted in forum.juniper.net
# * Automatic file sync from the active node to the passive node is planned for JUNOS 12.1
IDP PACKET CAPTURES
# Since JUNOS 10.2, the Datacenter SRX supports collection and delivery of packet
# captures when an attack is found. On the STRM side you need STRM 2010.0r1 / Patch 3
# and updates of these rpms: PROTOCOL-PCAP, DSM-DSMCommon, DSM-JuniperJunOS

# Additions to IDP rules to take packet captures
edit security idp idp-policy TEST rulebase-ips rule 1 then notification
set packet-log pre-attack 4
set packet-log post-attack 6
set packet-log post-attack-timeout 2
top

# Specify the destination to deliver these data
# The port definition must match the DSM configuration on STRM
edit security idp sensor-configuration
set packet-log source-address 172.30.81.84
set packet-log host 172.30.80.76
set packet-log host port 515
top

# Resource consumption limits can be adjusted
# The values below allow for pcaps on 10% of total-memory and 10% of max-sessions
edit security idp sensor-configuration
set packet-log total-memory 10
set packet-log max-sessions 10
top

# Show statistics for packet logging
show security idp counters packet-log
IDP PACKET CAPTURES IN STRM
INTRUSION DETECTION AND PREVENTION MONITORING AND DIAGNOSTICS
# Attack database version
show security idp security-package-version

# Check if the server connection is ok
request security idp security-package download check-server

# Check if IDP is enabled on a security policy
show security policies policy-name <name> detail | match Intrusion

# IDP statistics
show security idp status

# Application identification: cache with last connections and per-application stats
show security idp application-statistics
show security idp application-identification application-system-cache

# Attacks detected since last policy load
show security idp attack table

# IDP counters
show security idp counters ?

# Catch IDP logs and write them to a local log file (only possible in log mode event)
set system syslog file IDP-Logs user info
set system syslog file IDP-Logs match IDP_ATTACK
set system syslog file IDP-Logs archive size 1m
set system syslog file IDP-Logs archive files 3
set system syslog file IDP-Logs structured-data brief
IDP FILES AND THEIR LOCATION
# Attack database in XML format
file show /var/db/idpd/sec-download/SignatureUpdate.xml

# List of all attack groups
file show /var/db/idpd/sec-download/groups.xml

# List of all attacks
file show /var/db/idpd/sec-repository/attack.list

# List of all attack groups
file show /var/db/idpd/sec-repository/attack-group.list

# List of all applications AppID can identify
file show /var/db/idpd/sec-repository/application.list

# The final policy after compilation
file show /var/db/idpd/sets/POLICYNAME.set
SIGNATURE BACKGROUND INFORMATION
LIST OF AVAILABLE SIGNATURES
http://services.netscreen.com/documentation/signatures/
RSS-FEED ABOUT CHANGES
https://services.netscreen.com/restricted/sigupdates/nsm-updates/updates.xml
Signatures with reference to CVE, Bugtraq and MS vulnerability IDs
https://services.netscreen.com/restricted/sigupdates/nsm-updates/CVE-BID-mapping.csv
APPLICATION VOLUME TRACKING
APPLICATION VOLUME TRACKING
State of Application Volume Tracking
• introduced for High End SRX with JUNOS 10.2
• introduced for Branch SRX with JUNOS 11.2
• STRM can parse and display AVT logs
• NSM today can not parse and display AVT logs
Application Identification Signatures
• On High-End SRX: they are still part of the configuration (stanza services application-identification), but the plan is to move them to a separate database with 11.4
• On Branch SRX the signature database since 11.2 is separate
• Custom signatures will stay under "services application-identification"
APPLICATION VOLUME TRACKING SIGNATURES DOWNLOAD
# AVT is available on Datacenter SRX since 10.2 and on Branch SRX since JUNOS 11.2
# AVT uses signatures to identify applications
# Default URL is https://services.netscreen.com/cgi-bin/index.cgi
# Before JUNOS 11.4 the signatures were directly added to the existing configuration
# Since JUNOS 11.4 the predefined signatures are saved to an external database,
# similar to the IDP signature database

# Download the application signatures
request services application-identification download

# Installation of the downloaded application signatures
request services application-identification install
APPLICATION VOLUME TRACKING CONFIGURATION
# AppTrack is enabled per security zone
set security zone security-zone trust application-tracking

# Configure the remote syslog device to receive AppTrack messages
# STRM 2010.0 has predefined reports to handle AppTrack logs
set security log format sd-syslog
set security log source-address 172.30.81.82
set security log stream STRM host 172.30.80.76

# To generate an AppTrack log at session start (disabled by default)
set security application-tracking first-update

# To generate a first update message 1 minute after session start
set security application-tracking first-update-interval 1

# To generate additional update messages every 5 minutes
set security application-tracking session-update-interval 5

# A final log at the session end will be created by default

# Monitoring: counters and cache
show services application-identification counter
show services application-identification application-system-cache

# J-Web support is currently planned for 2H11
APPLICATION VOLUME TRACKING MONITORING
# Full monitoring requires users to look at the AVT logs
# STRM (since 2010.0r2) has parsing and reporting capabilities
# NSM today can not parse the AVT logs

# If event logging was enabled, logs are available in the local log file
file show /var/log/policy_session | match APPLICATION

# In addition to the logs, a cache is enabled by default and can be used for monitoring
show services application-identification application-system-cache
# Since 11.4 there are additional statistics showing per-group/application usage
show services application-identification statistics application-groups
show services application-identification statistics applications

# To see the signatures (before 11.4)
show config services application-identification application junos:FTP
show config services application-identification nested-application junos:FACEBOOK-CHAT

# Since 11.4 the signatures are no longer part of the configuration, but can still be seen
show services application-identification version
# With 11.4 there were also some groups introduced, which make it easier to
# select the AppID signatures for application firewalling
show services application-identification application detail junos:FTP
show services application-identification group summary
show services application-identification statistics application-groups
APPLICATION VOLUME TRACKING VISIBILITY OF LOGS IN STRM
APPLICATION VOLUME TRACKING VISIBILITY IN J-WEB
Monitoring -> Security -> Application Tracking
APPLICATION FIREWALL
STATE OF APP FIREWALL
State of the Application Firewall Feature Set
• AppFW was introduced for High End SRX with JUNOS 10.4
• AppFW was introduced for Branch SRX officially with JUNOS 11.4
• AppFW can be used together with User Identities for all SRX with JUNOS 12.1
Management of the Application Firewall
• Management on CLI is possible today on all platforms
• Management in J-Web UI is available since 11.2
• Support in JUNOS Space Security Designer is available since 11.4
• Support for NSM is currently not available
• Recommended tool for Application Firewall configuration is Space or WebUI
Logging and Reporting of Application Firewall
• STRM 2010.0 can decode Application Firewall and Application Tracking logs both in stream and event mode.
• J-Web UI log visibility and improved reporting is expected with 11.4r2
• Support for NSM is currently not available
APPLICATION FIREWALL EXAMPLE CONFIGURATION YOUTUBE STREAMING
edit security application-firewall rule-sets APPFW
set rule YOUTUBE-STREAM match dynamic-application junos:YOUTUBE-STREAM
set rule YOUTUBE-STREAM then deny
set default-rule permit
top

edit security policies from-zone trust to-zone untrust policy 1
set match source-address any
set match destination-address any
set match application any
set then permit application-services application-firewall rule-set APPFW
top

# List of applications that can be found with the current database
http://services.netscreen.com/documentation/applications/
APPLICATION BACKGROUND INFORMATION
List of Applications and Application Groups
http://services.netscreen.com/documentation/applications/
RSS feed with changes (same as IDP)
https://services.netscreen.com/restricted/sigupdates/nsm-updates/updates.xml
AppSecure Feature Documentation
http://www.juniper.net/techpubs/en_US/junos12.1/information-products/pathway-pages/security/security-appsecure-index.html
USER IDENTITY BASED FIREWALL
CLIENTLESS AD INTEGRATION WITH SRX AND UAC
CLIENTLESS AD INTEGRATION
(figure: message flow between the endpoint, SRX, IC, AD/KDC and the Finance server; the numbered steps are listed below)
1. Connect – Push all roles to SRX
2. User Authenticates to Domain
3. User wants to connect to finance
4. Drop notification sent to IC from SRX
5. User gets re-directed to IC (302)
6. IC challenges user with SPNEGO (401)
7. Endpoint pulls service ticket from KDC
8. Endpoint re-submits HTTP get request to IC with SPNEGO auth token
9. After successful authentication, IC pushes an auth table entry to SRX
10. IC re-directs user back to the protected resource
11. User now can access Finance
USER IDENTITY BASED FIREWALL CONFIGURATION
# User Identity based Firewall was introduced in JUNOS 12.1

# Set UAC infranet connection on SRX (this uses destination port 11123)
set services unified-access-control infranet-controller SERVER address 172.30.81.141
set services unified-access-control infranet-controller SERVER interface fxp0.0
set services unified-access-control infranet-controller SERVER password

# Set captive portal
edit services unified-access-control captive-portal PORTAL
set redirect-traffic unauthenticated
set redirect-url http://172.30.81.141
top

edit security user-identification
set traceoptions file userid flag all
set authentication-source local-authentication-table priority 100
set authentication-source unified-access-control priority 200
top

# UAC policy enable
set security policies ... match source-identity ROLE1
set security policies ... then permit application-services uac-policy

# Captive portal enable
set security policies ... then permit application-services uac-policy captive-portal PORTAL

# For the full configuration follow the UAC Solution Guide
USER IDENTITY BASED FIREWALL COMMANDS FOR UAC
# Commands to monitor UAC status and information
show services unified-access-control status
show services unified-access-control policies detail
show services unified-access-control roles

# Directory for UAC roles
/var/db/uac.roles

# Directory for local auth data
/var/db/nsd
USER IDENTITY BASED FIREWALL COMMANDS FOR LOCAL AUTHENTICATION
# Commands to build and examine the local table
request security user-identification local-authentication-table add ?
request security user-identification local-authentication-table delete ?
clear security user-identification local-authentication-table
show security user-identification local-authentication-table ?
show security user-identification local-authentication-table all ?

# Directory for local auth data
/var/db/nsd
APPLICATION DDOS PROTECTION
APPLICATION DDOS PROTECTION
Application DDOS is a technology to identify and mitigate Distributed Denial of Service attacks, typically generated from botnets.
Application DDOS works in 3 phases:
Phase 1: if the connection rate exceeds a limit we start protocol analysis
Phase 2: track connection rate limits (per destination and/or context)
Phase 3: classify clients as bots when they exceed thresholds
Once bots have been identified, we can mitigate their activities by dropping their existing connections and/or dropping future connections (for a certain time) and/or rate limiting future new connections (for a certain time).
AppDDOS today (12.1) can be used to protect HTTP and DNS services.
AppDDOS is available with the AppSec-A license for Datacenter SRX since 10.0.
AppDDOS 3-Stage Processing
1. Connections Per Second: the administrator defines a CPS threshold to a server to start monitoring for AppDDOS. CPS below this threshold is considered normal activity.
2. Context Rate Monitoring/Limiting: once the AppDDOS CPS threshold is surpassed, AppDDOS will monitor the context rate. If it exceeds this rate, additional investigation can occur depending on whether stage 3 is configured. If it is not configured, the appropriate action can occur directly.
3. Client Classification (optional): if time binding is configured, it will track not only the rate of the context being matched, but will also allow the administrator to track this value for individual clients, to prevent them from individually surpassing the defined limits within the time period.
(figure: AppDDOS decision flow)
Stage 1: Server Monitoring - Access to Monitored Server -> Connection Rate Exceeded? (No: normal activity; Yes: continue to stage 2)
Stage 2: Protocol Profiling - Access to Monitored Context -> Context Rate Exceeded? -> Context Value Rate Exceeded? (No: normal activity; Yes: continue)
Stage 3: Bot Client Classification - Time-Binding Configured? -> Counter Exceeded? (Yes: Action/Logging; No: normal activity); without time binding the Action/Logging follows directly from stage 2
AppDDOS Configuration Structure
Firewall Security Policy: on a firewall rule by rule basis IDP processing is configured (since AppDDOS is part of the IDP functionality). Firewall processing includes matching based on: source zone, destination zone, source ip, source port, destination ip, destination port, and protocol.
IDP Security Policy / ApplicationDDOS Profile: the ApplicationDDOS profile defines the following: context to match; connections per second to trigger Phase 2; context thresholds to trigger Phase 3, or direct actions based only on overall thresholds; client contexts per period.
IDP Policy: within the IDP security policy the rulebase-ddos is where the configuration defines what criteria to match based on: source zone, destination zone, source ip, destination ip, application, and application-ddos profile. This rule will define what to do with the offending connection along with future ip-action connections.
APPLICATION DDOS PROTECTION (1/3)
# AppDDOS is available as a licensed feature for Datacenter SRX since JUNOS 10.0

# Define two servers in a group for investigation
set security zones security-zone trust address-book address SERVER1 172.30.80.132/32
set security zones security-zone trust address-book address SERVER2 172.30.80.202/32
edit security zones security-zone trust address-book address-set WEBSERVER
set address SERVER1
set address SERVER2
top

# Firewall policy
# Activate IDP on the firewall rules that permit traffic to these servers
set security policies from-zone trust to-zone untrust policy 1 then permit application-services idp

# Application DDOS profile
# Define the thresholds we use to look for DDOS attacks
edit security idp application-ddos HTTP_DDOS
set service http
# Phase 1 - Start protocol analysis if we see more than 5 connections per second
set connection-rate-threshold 5
# Phase 2 - Start botnet classification if we see more than 50 URLs per second or 50 different context values per second
set context http-url-parsed hit-rate-threshold 50
set context http-url-parsed value-hit-rate-threshold 50
# Phase 3 - Classify clients as bots if they access more than 50 URLs within 60 seconds
set context http-url-parsed time-binding-count 50
set context http-url-parsed time-binding-period 60
top
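The three-stage processing described on the preceding slides, as an added Python model that is not Juniper code and not part of the original deck: it applies the HTTP_DDOS thresholds above to constructed sample traffic. It assumes each request is a new connection carrying one http-url-parsed value, that stage 1 and 2 counters use whole-second buckets, and that stage 3 uses a per-client sliding window; all addresses and URLs in the sample are constructed.

```python
"""Model of the AppDDOS three-stage decision flow (added example, not Juniper code)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AppDdosProfile:
    """Thresholds mirroring the HTTP_DDOS profile knobs on the slide."""
    connection_rate_threshold: int   # stage 1: connections/s to the server
    hit_rate_threshold: int          # stage 2: context hits/s
    value_hit_rate_threshold: int    # stage 2: distinct context values/s
    time_binding_count: int          # stage 3: hits per client per period
    time_binding_period: int         # stage 3: period in seconds


@dataclass(frozen=True)
class Request:
    t: int          # arrival time in whole seconds (constructed sample data)
    client: str     # source IP
    server: str     # destination IP
    url: str        # the http-url-parsed context value


def classify(profile: AppDdosProfile, requests: list[Request]) -> dict:
    """Run the three stages; return the deepest stage reached and the bots found.

    Stage 1 (server monitoring): connections per second per server.
    Stage 2 (protocol profiling): only for seconds where stage 1 fired,
        count context hits and distinct context values in that second.
    Stage 3 (bot client classification): only when stage 2 fired, count the
        hits of each client over the last time_binding_period seconds
        (assumed sliding window) and flag clients above time_binding_count.
    """
    per_second: dict[tuple[str, int], list[Request]] = defaultdict(list)
    for r in requests:
        per_second[(r.server, r.t)].append(r)

    client_hits: dict[str, list[int]] = defaultdict(list)  # client -> hit times
    bots: set[str] = set()
    deepest = 1
    for server, sec in sorted(per_second, key=lambda k: (k[1], k[0])):
        batch = per_second[(server, sec)]
        if len(batch) <= profile.connection_rate_threshold:
            continue                              # stage 1: normal activity
        deepest = max(deepest, 2)
        hits = len(batch)
        distinct = len({r.url for r in batch})
        if (hits <= profile.hit_rate_threshold
                and distinct <= profile.value_hit_rate_threshold):
            continue                              # stage 2: context rate is fine
        deepest = 3
        for r in batch:                           # stage 3: time binding per client
            window = client_hits[r.client] + [r.t]
            # keep only hits inside the binding period ending at this request
            window = [t for t in window if r.t - t < profile.time_binding_period]
            client_hits[r.client] = window
            if len(window) > profile.time_binding_count:
                bots.add(r.client)
    return {"deepest_stage": deepest, "bots": sorted(bots)}


def sample_traffic() -> list[Request]:
    """Constructed traffic: one human browser and three bots hitting SERVER1."""
    srv = "172.30.80.132"   # SERVER1 from the address book on the slide
    reqs: list[Request] = []
    for sec in range(4):
        reqs.append(Request(sec, "10.0.0.5", srv, "/index.html"))   # human
        for bot in ("10.9.9.1", "10.9.9.2", "10.9.9.3"):
            for i in range(20):                   # 20 distinct URLs/s per bot
                reqs.append(Request(sec, bot, srv, f"/search?q={sec}-{i}"))
    return reqs


if __name__ == "__main__":
    # thresholds taken from the HTTP_DDOS profile above
    http_ddos = AppDdosProfile(5, 50, 50, 50, 60)
    print(classify(http_ddos, sample_traffic()))
```

With the sample traffic every second carries 61 connections, so stage 2 runs, 61 context hits exceed hit-rate-threshold 50, and after three seconds each bot has 60 hits inside the 60 s binding period while the human client stays at 4.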
APPLICATION DDOS PROTECTION (2/3)
# Install an IDP policy
set security idp active-policy IDP-POLICY

# Add a DDOS rule to this IDP policy to hunt for DDOS attacks against the two servers
edit security idp idp-policy IDP-POLICY rulebase-ddos rule RULE1
set match from-zone untrust
set match to-zone trust
set match destination-address WEBSERVER
set match application default
set match application-ddos HTTP_DDOS
set then action no-action
set then notification log-attacks

# Use ip-action to rate limit any bot found to a maximum of 5 connections per second
set then ip-action ip-connection-rate-limit 5
set then ip-action log
set then ip-action timeout 15
set then ip-action refresh-timeout
top
APPLICATION DDOS PROTECTION (3/3)
# AppDDOS monitor and control commands
show security idp counters application-ddos
show security idp application-ddos application
show security idp application-ddos application detail

# Show hosts that are targets for ip-action
show security flow ip-action

# Remove all current ip-actions
clear security flow ip-action
UTM-FEATURESET
UTM FEATURES
Antivirus - Sophos or Kaspersky (full and express): protect against viruses in e-mail (SMTP, POP, IMAP protocols), webmail (HTTP) and FTP traffic. Integrated AV engines and virus signature databases, updated periodically, available through the AV subscription license.
Web filtering - WebSense/SurfControl/Enhanced WF: control (allow/deny) access to websites based on URL category. Off-box (in-the-cloud or on-premise) URL servers/databases.
Content filtering: provides basic DLP functionality; filters traffic based on file/MIME type, file extension, and protocol commands; keyword matching expected in the future.
Antispam - Sophos: stop e-mail spam based on IP address/reputation of the sender. Off-box spam blacklist database, Sophos SBL/RBL (spam/real-time block list), available as a subscription license.
HOW UTM PROFILES ARE CHAINED WITH POLICIES
UTM features are activated per firewall rule, by assigning a UTM policy.
The UTM policy has a section for each protocol that allows UTM protection.
Each section has references to profiles for the different UTM features.
UTM-FEATURE:ANTIVIRUS
ANTIVIRUS ON SRX
THREE FLAVOURS
KASPERSKY ANTIVIRUS: full scan engine, local execution of scan
SOPHOS ANTIVIRUS: cloud based, verifies source URL and file checksums against a malware database
EXPRESS AV: reduced local scan engine
PROCESSING ORDER (figure)
ACTIVATE ANTIVIRUS (EXPRESS AV ENGINE)
# Check also Knowledgebase article KB16620

# Configure the SRX Series device to use the express antivirus engine
set security utm feature-profile anti-virus type juniper-express-engine

# Configure a UTM policy to use the predefined antivirus profile
# http-profile "junos-eav-defaults"
set security utm utm-policy UTM-POL anti-virus http-profile junos-eav-defaults

# Apply the UTM policy to the existing trust to untrust security policy
edit security policies from-zone trust to-zone untrust policy default-permit
set then permit application-services utm-policy UTM-POL
top
ACTIVATE ANTIVIRUS (KASPERSKY LAB ENGINE)
# Configure the SRX Series device to use the Kaspersky Lab antivirus engine
set security utm feature-profile anti-virus type kaspersky-lab-engine

# Configure a UTM policy to use the predefined antivirus profile
# http-profile "junos-av-defaults"
set security utm utm-policy UTM-POL anti-virus http-profile junos-av-defaults

# Apply the UTM policy to the existing trust to untrust security policy
edit security policies from-zone trust to-zone untrust policy default-permit
set then permit application-services utm-policy UTM-POL
top
ACTIVATE ANTIVIRUS (SOPHOS CLOUD SERVICE)
# Configure the SRX Series device to use the Sophos antivirus engine
set security utm feature-profile anti-virus type sophos-engine

edit security utm feature-profile anti-virus sophos-engine
# Configure to download engine and updates once per day
set pattern-update interval 1440
set pattern-update url "http://update.juniper-updates.net/SAV/"
top

# Check the URLs against the database that identifies known malware sources
edit security utm feature-profile anti-virus sophos-engine profile SOPHOS
set scan-options uri-check
# To log all URLs (even those that were not blocked) use
set fallback-options default log-and-permit
top

# Configure a UTM policy to apply Sophos AV on HTTP connections
set security utm utm-policy UTM-POL anti-virus http-profile SOPHOS

# Apply the UTM policy to the existing trust to untrust security policy
edit security policies from-zone trust to-zone untrust policy default-permit
set then permit application-services utm-policy UTM-POL
top
ANTIVIRUS MONITORING AND DIAGNOSTICS
# Show database version and update settings
# Default for Kaspersky is every 1h
# Default for Sophos is every 24h
show security utm anti-virus status

# Statistics on AV operation
show security utm anti-virus statistics

# Run manual pattern update for Kaspersky engine
request security utm anti-virus kaspersky-lab-engine pattern-update

# Run manual pattern update for Sophos engine
request security utm anti-virus sophos-engine pattern-update
UTM-FEATURE: URL FILTERING
URL FILTERING
State of URL Filtering
• Local black- and whitelists can be used for web filtering
• useful as a response to security problems (phishing mails, abuse of applications ...)
• no licenses required to use this feature
• To get a more valuable URL filter you need a service subscription (license) where URLs are checked against a database
• As a response to the query, a list of categories for this URL is returned
• In the profile it can be defined which categories are permitted/denied
• Before 11.4 there were two flavors of web filtering services
• Integrated Webfilter (aka surfcontrol-integrated, license: WF)
• Redirect Webfilter (aka WebSense, no license)
• With 11.4 a new option was introduced: Enhanced Webfilter (aka juniper-enhanced, license: EWF)
• Main benefits of the Enhanced Webfilter solution from 11.4: comparable to the Integrated Webfilter solution, but with the following enhancements:
• more categories (94 vs. 40) and option for custom categories (based on local pattern lists)
• option to activate safe-search to filter search engine results
• option to receive and react on reputation information for each URL
• option to redirect access for blocked sites to another URL
• better scalability (up to 64K sessions on SRX 650)
WEBFILTER ON SRX
Two options for cloud based URL checking:
Webfilter Integrated (surfcontrol-integrated)
and since 11.4
Enhanced Webfilter (juniper-enhanced)
One option to redirect traffic through a local Websense server:
REDIRECT (WEBSENSE)
HOW TO CHECK THE CLASSIFICATION FOR A URL?
CHECK CLASSIFICATION OF A SITE FOR INTEGRATED WEBFILTERING
For the old, integrated SurfControl engine use the following online URL: http://mtas.surfcontrol.com/mtas/JuniperTest-a-Site.asp
For the new, enhanced Webfilter use this online URL: http://aceinsight.websense.com/
A CLI command can be used to return information on how the site is treated:
test security utm web-filtering profile "EWF-PROFILE" test-string www.facebook.com
WEBFILTER LOCAL BLACKLIST AND WHITELIST (1/2)
With JUNOS 10.0 a local black- and whitelist can be configured. This filter method can even work without a web filter license. To work with wildcards, a pattern must start with "http://....".

# First specify a list of URLs (up to 20 per list object)
edit security utm custom-objects
set url-pattern BAD value [http://www.cisco2.com www.checkpoint2.com]
set url-pattern GOOD value "http://*.juniper.net"
set url-pattern GOOD value "http://www.acmegizmo.???"
top

# Use these objects to specify new categories
edit security utm custom-objects
set custom-url-category BLACKLISTED value BAD
set custom-url-category WHITELISTED value GOOD
top

# Finally apply these categories to the web filtering profile
edit security utm feature-profile web-filtering
set url-blacklist BLACKLISTED
set url-whitelist WHITELISTED
top
WEBFILTER LOCAL BLACKLIST AND WHITELIST (2/2)
# If no other web filtering profile is selected then use type juniper-local
set security utm feature-profile web-filtering type juniper-local

# Define a UTM policy that uses the profile UTM-PROF
set security utm utm-policy UTM-POL web-filtering http-profile UTM-PROF

# Configure the web filtering profile referenced by this UTM policy
edit security utm feature-profile web-filtering juniper-local profile UTM-PROF
set default permit
set custom-block-message "Access to this site is not permitted"
set fallback-settings default block
set fallback-settings too-many-requests block
top

# Apply this UTM policy in a firewall rule
edit security policies from-zone trust to-zone untrust policy trust-to-untrust
set then permit application-services utm-policy UTM-POL
top
WEBFILTER ACTIVATION OF THE INTEGRATED ENGINE
Configure the SRX Series device to use the integrated engine.
Configure a new utm-policy to use the predefined web filtering profile "junos-wf-cpa-default".
Apply the UTM policy to the existing trust to untrust security policy.

set security utm feature-profile web-filtering type surf-control-integrated

edit security utm utm-policy UTM-POL
set web-filtering http-profile junos-wf-cpa-default
top

edit security policies from-zone trust to-zone untrust policy default-permit
set then permit application-services utm-policy UTM-POL
top
WEBFILTER EXAMPLE FOR A CUSTOM PROFILE
# Configure the SRX Series device to use the integrated engine
set security utm feature-profile web-filtering type surf-control-integrated

# Custom categorization and action for this engine
edit security utm feature-profile web-filtering surf-control-integrated
edit profile TS-BLOCK-SELECTED-SITES
set category Violence action block
set category Adult_Sexually_Explicit action block
set category Gambling action block
set category Remote_Proxies action block
set default log-and-permit
set fallback-settings default log-and-permit
set fallback-settings server-connectivity log-and-permit
set fallback-settings timeout log-and-permit
set fallback-settings too-many-requests block
set timeout 60
top

edit security utm utm-policy POLICY2
set web-filtering http-profile TS-BLOCK-SELECTED-SITES
top

# Apply the new UTM policy in a firewall rule
edit security policies from-zone trust to-zone untrust policy default-permit
set then permit application-services utm-policy POLICY2
top
WEB-FILTER: MONITORING AND DIAGNOSTICS
# Show database version and update settings (default: every 60 minutes)
show security utm web-filtering status
# Statistics on Web filter operation (not for EWF)
show security utm web-filtering statistics
UTM-FEATURE: ANTI-SPAM
ANTI-SPAM: ACTIVATION OF THE FEATURE
Configure the SRX Series device to use the Anti-Spam feature.
Use the predefined Anti-Spam profile "junos-as-defaults" in a new utm-policy.
Apply this UTM policy to an existing trust-to-untrust security policy.
Optional: a blacklist to drop additional SMTP traffic from other senders.
set security utm feature-profile anti-spam symantec-sbl
set security utm utm-policy UTM-POL anti-spam smtp-profile junos-as-defaults
edit security policies from-zone trust to-zone untrust policy default-permit
set then permit application-services utm-policy UTM-POL
top
set security utm custom-objects url-pattern MYBLACKLIST value mail.cisco.com
set security utm feature-profile anti-spam address-blacklist MYBLACKLIST
MORE ....
RESET TO FACTORY DEFAULT
RESET METHODS
The following methods can be used to reset the device to factory default:
Method 1: Reset via Reset PIN
Method 2: Load Factory Default configuration
Method 3: Wipe configuration files and load default configuration
Method 4: Single User Boot Procedure
Method 5: Install Factory Default Snapshot from boot monitor
Method 6: Zeroize
The following method can be used to recover the root password:
Method 4: Single User Boot Procedure
Important Note for Branch SRX:
To recover a Branch SRX which is in cluster mode you must first turn it back into non-cluster mode (set chassis cluster disable reboot).
If you don't have a password any more, you can only use Method 4 or Method 5.
See also http://kb.juniper.net/KB12167 and http://kb.juniper.net/KB15725
BRANCH SRX PREREQUISITE: YOU MUST ESCAPE CLUSTER MODE FIRST
If your device was a member of a cluster you will notice an additional line before the system prompt:
{primary:node1}
root>
To return from cluster mode to a single unit use the following command, which also performs the necessary reboot:
root> set chassis cluster disable reboot
If you are in cluster mode but cannot log in to your system, you have to use Method 4 (Single User Boot Procedure).
RESET METHOD 1: RESET VIA RESET BUTTON
Use the Reset Button
On J-Series: Press the Configuration Pin for 15 sec. to load the factory default
On SRX: Press the Reset PIN for 15 sec. and follow the LED color changes
On EX-Switches: Use the LCD menu to load the factory default configuration
Notes
You have to exit the shell first.
The node name in the shell prompt appears to be unchanged, but this will change with the next reboot.
If you have a Branch SRX which is still in cluster mode, the factory default configuration cannot commit, as it includes switching configuration. You then should use Method 5 (USB Snapshot) or Method 4 (Single User Mode).
RESET METHOD 2: LOAD FACTORY DEFAULT CONFIGURATION FROM CLI
If login is still possible you can use commands to load the factory-default configuration.
You have to set a root password to get the configuration committed.
Remote Management Console
login: user
password: <none>
root@J2300> configure
root@J2300# load factory-default
# You have to set at least the root password, otherwise you cannot commit
root@J2300# set system root-authentication plain-text-password
New password:
Retype new password:
root@J2300# commit and-quit
root@J2300>
RESET METHOD 3: WIPE CONFIGURATION FILES
If login is still possible and you have shell access you can erase the current configuration file(s) and reboot. This is equivalent to a reboot with the default configuration.
root> start shell
root@J6350% cd /config
root@J6350% su
root@J6350% rm juniper.conf.gz
root@J6350% reboot
# Remark on JUNOS 11.2 (or probably earlier)
# You also have to wipe the rescue configuration.
# Otherwise the system will boot the rescue config
# if the normal configuration file has disappeared
RESET METHOD 4: SINGLE USER BOOT PROCEDURE
Single User Mode, from the boot monitor
For the latest information on this method please consult the Knowledgebase: http://kb.juniper.net/KB12167
Since JUNOS 10.0 you have to disable a watchdog in the boot monitor. See http://kb.juniper.net/KB17565
1. Reboot the device
2. When the message <Press space bar> appears --> interrupt the boot process
3. boot -s --> the device boots in single user mode
4. Log in as root, enter "recover" to load the factory default
5. Enter the CLI as user root
6. Enter configure mode
7. set system root-authentication plain-text-password --> enter <Password>
8. commit
9. If the unit was still in cluster mode, you have to remove the interface configuration and the interface assignments to security zones to commit
10. request system reboot
11. If the unit was in cluster mode, then disable chassis cluster and reboot once more.
RESET METHOD 5: BOOT AND COPY SNAPSHOT
Boot from a Snapshot USB Stick (see Chapter Software Upgrade)
Notes:
- The USB stick must have at least the size of the internal Flash (SRX100 = 1GB)
- This procedure also reformats and partitions the flash and copies the software from the stick. All existing information is overwritten.
# First you must copy a snapshot from an existing system to a USB stick
# Keyword factory means we copy the factory default instead of the running config
srx> request system snapshot partition media usb factory
# Now move the USB stick to the system you want to recover and power it up
# Interrupt the boot process to get access to the boot loader prompt
loader> nextboot usb
Setting next boot dev usb
Un-Protected 1 sectors
writing to flash...
Protected 1 sectors
loader> reboot
# Once the system has booted from the USB stick, copy the image
# with the default configuration back to the internal Flash
srx> request system snapshot factory partition media internal
RESET METHOD 6: ZEROIZE SYSTEM
If login is still possible and you have shell access you can completely wipe anything which is not part of the factory default configuration by zeroizing the media.
lab@bnlx-srx220-1> request system zeroize media
warning: System will be rebooted and may not boot without configuration
Erase all data, including configuration and log files? [yes,no] (no)
BOOTLOADER
BOOTLOADER NOTES
Boot loader documentation is included in the Admin Guide.
To enter the boot monitor: power up and wait for "Loading /boot/defaults/loader.conf". Hit Space at the following prompt:
"Hit [Enter] to boot immediately, or space bar for command prompt."
The "loader>" prompt appears.
# To see the current boot loader software version use this command:
show chassis routing-engine bios
Most methods for software update do not reformat the flash and thus do not upgrade the boot loader.
Since JUNOS 10.0 (with boot loader 1.5) the Branch SRX JUNOS package includes the latest boot loader version, and the upgrade of the current boot loader can be performed with this command:
bootupgrade -u /boot/uboot -l /boot/loader
The Dual Root Partitioning Scheme for Branch SRX requires boot loader software version 1.5.
FLASH PARTITIONING
DUAL ROOT
NOTES
Since JUNOS 10.0, Branch SRX can have a dual root partitioning scheme.
Dual root improves fault tolerance and rollback capabilities and is recommended.
Dual root has two partitions with JUNOS software on two different partitions. The configuration is kept in another, shared partition.
# Since JUNOS 10.2 the following command shows the partitioning and which partition is active
show system storage partitions
# To switch to the backup partition
request system software rollback
# If you change your mind you can switch back again
request system software rollback
# To copy the software from the current active partition to the backup partition use
request system snapshot slice alternate
JUNOS installation in a Dual-Root System
JUNOS upgrades from CLI and J-Web work as follows:
- The alternate root is formatted and mounted.
- The new package is installed into the alternate root.
- The alternate root is marked as the primary root.
- On the next reboot the system boots with the newly installed image.
JUNOS is always installed to the alternate root: when booted from the primary root, the new image goes to the backup root and it becomes the new primary. When booted from the backup root, the new image is installed in the primary. Thus a simple installation can recover the primary root if it is corrupted.
JUNOS installation in Dual Root (animated slide)
[Figure: flash slices s1a (root), s2a (root), s3e (/config), s3f (/var) and s4a (recovery). Initially JUNOS A is the current (primary) root and JUNOS B the backup; after "request system software add junos-c" JUNOS C is installed into the alternate root, which then becomes the primary, and the former primary becomes the backup.]
SOFTWARE UPGRADES
JUNOS Software Upgrade on SRX
1. Decide on a software version and download it. Recommended software versions are listed on the Juniper support pages, which also show which feature is available in which release and provide the software downloads.
2. Best Practice: clean up storage before starting the update
3a. If you have physical access, the easiest way is (M1) Autoinstallation from USB stick (requires somebody with physical access)
4a. For other updates decide how to bring the software to your SRX:
(T1) Upload or download the file in advance (scp or ftp)
(T2) Use a controlled download with the Download Manager
(T3) Mount and install from a USB stick
(T4) Reference a URL during installation
4b. When you are ready to install you can use:
(M2) Installation from J-Web
(M3) Install from the CLI
(M4) Install from the CLI with ISSU (for SRX clusters)
5. Best Practice: after completion you can use Flash Hardening
DOWNLOAD SOFTWARE FROM SUPPORT PAGES: http://www.juniper.net/support/products/
BEST PRACTICE: CLEANUP BEFORE SOFTWARE UPGRADE
Useful steps to perform before starting an update are: check the Flash size, purge unused files.
# Check current Flash size
show system storage | match cf
# On J-Series
show chassis hardware detail | match Flash
# Purge log files
request system storage cleanup
# If the free Flash space is still lower than the size of your image:
# if space is not yet sufficient, purge the software backup
request system software delete backup
# Locate directories on the flash with a large amount of data
show system directory-usage /cf
# To save space browse directories and erase files manually
file list /cf/var/tmp detail
file delete …..
# Or use the shell to find the largest files on your Flash
find -x /cf -type f -exec du {} \; | sort -n
UPGRADE - METHOD 1: AUTO INSTALLATION FROM USB STICK
# Since 10.4 Branch SRX devices can be set up from a USB stick with Auto installation
# Step 1 - Prepare
- Prepare a USB stick (FAT32, <=8GB) with the following files:
- A file with the name "autoinstall.conf" must exist. The content of this file is not important. It can also be an empty file.
- One JUNOS image; the filename must match "junos-srxsme*"
- Optional: You can also add a configuration file. The file name must be "junos-config.conf"
# Step 2 - Insert
- After the SRX has booted completely, insert the USB stick
- The LEDs will start blinking amber (Alarm, Status, Power and HA)
# Step 3 - Reset Button
- Press the Reset button for a short time
- The LEDs (Alarm, Status, Power and HA) will stop blinking and start glowing amber
- Now the new image gets copied; the existing configuration and rescue configuration are verified against the new software version
- Finally the image gets installed in the second partition, and this partition becomes the new primary partition
- If present on the stick, the new configuration gets copied too (but not yet committed)
- Step 3 takes about 10-12 minutes in total
- If something goes wrong (insufficient space, image corrupt, configuration not compatible) the LEDs will glow red. Otherwise the LEDs will glow green
# Step 4 - Unplug USB stick
- When the LEDs are green, the USB stick can be unplugged
- Some seconds after unplugging, the device starts a reboot, which takes ~5 minutes to complete
- During power up the new configuration is installed and applied
# To prevent somebody from using this procedure you can use the following command:
set system autoinstallation usb disable
UPGRADE - METHOD 1 AUTO INSTALLATION - FLOW DIAGRAM
TRANSFER METHOD 1: MOUNT A LOCAL USB STICK
You can add your image from a DOS formatted USB stick.
# USB sticks are not auto mounted, so we must go to the shell as root to mount them
srx> start shell
% su -
Password:
# Find out the right device name. On SRX210 "da1" is the upper USB, "da2" the lower USB
# Either watch the console logs during USB plugin or scan the information from the log file
root@srx-172% dmesg | grep umass
da1 at umass-sim1 bus 1 target 0 lun 0
# Once the device name is found add "s1" to the device name and mount it to /mnt
root@srx% mount -t msdos /dev/da1s1 /mnt
root@srx% exit
exit
# Now you can install the image from the USB stick
# The partition option formats the Flash partition
srx> request system software add /mnt/JUNOS-srxsme-11.1R1.8-domestic.tgz partition reboot
TRANSFER METHOD 2: LOAD FILE TO LOCAL FLASH
# The preferred destination to store files on the local flash is /var/tmp because
# several cleanup operations make sure this location gets purged
# Either push the image from outside via scp or ftp
scp JUNOS-srxsme-10.2R2.8-domestic.tgz user@srx:/var/tmp/
# or use an interactive session on the SRX CLI via the scp or ftp command
cd /var/tmp
ftp ... or scp ....
# Now you can install the image from the local file
srx> request system software add /var/tmp/JUNOS-srxsme-11.1R1.8-domestic.tgz
TRANSFER METHOD 3: USING THE DOWNLOAD MANAGER
# The Download Manager is available since JUNOS 11.4 and allows rate limited
# downloads, which is useful to fetch software updates over slow WAN links without
# saturating the link
# Every download can also be stopped/paused/resumed
# By default downloaded files are stored under /var/tmp
srx240-0> request system download start ftp://172.1.8.1/junos-x.tgz login user: password max-rate 50K
Starting download #1
srx240-0> show system download
Download Status Information:
ID  Status  Start Time       Progress  URL
1   Active  May 23 13:14:27  1%        ftp://172.1.8.1/junos-x.tgz
srx240-0> request system download pause 1
Paused download #1
srx240-0> show system download
Download Status Information:
ID  Status  Start Time       Progress  URL
1   Paused  May 23 13:14:27  11%       ftp://172.1.8.1/junos-x.tgz
tschmidt@srx240-0> request system download resume 1
Resumed download #1
TRANSFER METHOD 4: USE A URL TO LOAD THE IMAGE FROM A SERVER
# Example: fetch from an ftp server (user username) and reboot after the update
# The option no-copy allows saving space
J6350> request system software add no-copy reboot ftp://username:password@host/JUNOS-jsr-9.5R1.8-domestic.tgz
# Same example for SRX with user anonymous
# If the validation of the configuration reports that your current config is not working
# with the new release (e.g. on a downgrade) you can bypass this with no-validate
srx> request system software add no-copy no-validate reboot ftp://172.16.42.8/JUNOS-srxsme-9.5R1.8-domestic.tgz
# Same example for an SSH server
srx> request system software add no-copy no-validate reboot scp://172.16.42.8/JUNOS-srxsme-9.5R1.8-domestic.tgz
UPGRADE METHOD 2: INSTALL FROM WEB-UI
Use the Web interface (requires the most RAM and Flash).
UPGRADE METHOD 3: INSTALL FROM CLI
# Example: start the installation from a local file which is already in /var/tmp
# The option reboot forces a reboot after successful installation
request system software add /var/tmp/JUNOS-srxsme-10.2R2.8-domestic.tgz reboot
# Example: download and install the image from an ftp server (user username)
request system software add no-copy no-validate reboot ftp://username:password@host/JUNOS-srxsme-10.2R2.8-domestic.tgz
# Example: start the installation from a USB stick previously mounted under /mnt
request system software add /mnt/JUNOS-srxsme-11.1R1.8-domestic.tgz partition reboot
UPGRADE METHOD 4 - FOR SRX CLUSTERS: IN SERVICE SOFTWARE UPGRADE
ISSU stands for In Service Software Upgrade.
ISSU allows the upgrade of cluster members with minimum downtime.
ISSU can be used on High-end SRX in most cases since JUNOS 10.4R4.
ISSU can be used on Branch SRX in most cases since JUNOS 11.2R2.
It is a single command that you have to run from the RG0 primary device. The following actions are performed during the update:
- first upgrade the secondary device
- then form a cross-version cluster
- fail over to the new device
- upgrade the old primary
Expected outage with ISSU on DC-SRX is similar to a failover.
Expected outage with ISSU on Branch-SRX is about 30 seconds.
Check the documentation and KB17946 for more details on ISSU operation and supported features for different releases.
request system software in-service-upgrade [package] reboot
BEST PRACTICE: FLASH HARDENING ON BRANCH SRX
# Once your software version and your configuration are reliable use the following
# steps to make the Branch SRX devices more robust against Flash problems
# Optional: Cleanup storage (Documentation)
request system storage cleanup
# Optional: Cleanup IDP cache and attack database download (new command from 11.4)
request security idp storage-cleanup
# Show releases in the primary and the secondary partition of Routing-Engine 1
show system snapshot media internal slice 1
# Copy the primary partition image to the secondary, so they carry the same release
# Check KB22798 for details on dual partitioning
request system snapshot slice alternate
# Make sure your current configuration is also saved as your rescue configuration
# Check KB15788 for details on configuration versions and rollback
request system configuration rescue save
# Save license, partition data and recovery config to the auto recovery partition
# Check the release notes of JUNOS 11.2 for details on auto recovery
request system autorecovery state save
SCRIPTING AND AUTOMATION
AUTOMATION WITH JUNOS SCRIPTS
Commit Scripts: enable automated compliance checks & configuration changes
e.g. reject guest VLAN tag configuration on access switch trunk ports – restrict guest access to a floor
Macros: allow operators to simplify complex configurations and self-heal errors
e.g. apply a pre-defined Data+VoIP port template on any switch port that gets a description matching a particular string "data-phone"
Operations Scripts: allow custom output for diagnosis and event management
e.g. combine 2 different show commands to get a custom output for better analysis
Event Policies & Scripts: automated pre-defined responses to events, creating self-monitoring networks
e.g. when a switch's trunk port goes up & down, run "show interfaces" and "show alarms" CLI, parse the data, save it to a file and send this to a server
HOW TO INTEGRATE SCRIPTS?
Activation of Commit scripts
- Copy the script to the /var/db/scripts/commit directory
- Enable the script by including a file statement at the [edit system scripts commit] hierarchy level (must be a user from the super-user class).
- The script will now be executed every time you do a commit.
- Useful: to avoid typical errors (VPN without monitor, wrong MTU ...)
Activation of Op Scripts
- Copy the script to the /var/db/scripts/op directory
- Enable the script by including a file statement at the [edit system scripts op] hierarchy level (must be a user from the super-user class).
- Now you can run the script as a command (e.g. op status overview)
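As an added example (not from the original deck or Juniper's script library), a SLAX commit script that implements the checks named above: it rejects a commit when an IPsec VPN has no vpn-monitor and warns when an interface carries an explicit MTU below an assumed threshold of 1500. The file name vpn-monitor-check.slax and the threshold are assumptions.

```slax
version 1.0;

ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";

import "../import/junos.xsl";

/* Assumed threshold: any interface with an explicit mtu below this value gets a warning */
var $min-mtu = 1500;

match configuration {
    /* Rule 1: every IPsec VPN must carry a vpn-monitor statement.
       <xnm:error> makes the commit fail, so the VPN cannot go live unmonitored. */
    for-each (security/ipsec/vpn[not(vpn-monitor)]) {
        <xnm:error> {
            call jcs:edit-path();
            call jcs:statement();
            <message> "IPsec VPN '" _ name _ "' has no vpn-monitor configured";
        }
    }

    /* Rule 2: an explicitly configured MTU below the threshold only produces
       a warning; the commit still succeeds but the operator is told about it. */
    for-each (interfaces/interface[mtu and mtu < $min-mtu]) {
        <xnm:warning> {
            call jcs:edit-path();
            <message> "Interface " _ name _ " has MTU " _ mtu _ ", below " _ $min-mtu;
        }
    }
}
```

Copy the file to /var/db/scripts/commit and activate it with "set system scripts commit file vpn-monitor-check.slax"; it then runs on every commit as described above.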
USEFUL LINKS FOR AUTOMATION
Useful how-to information is available from this Scripting Guide: http://www.juniper.net/solutions/literature/white_papers/200252.pdf
Script Library from Juniper: http://JUNOS.juniper.net/scripts/
Script Library on Google: http://code.google.com/p/junoscriptorium/
SCRIPT LIBRARY: https://www.juniper.net/us/en/community/junos/script-automation/library/
NICE FEATURES YOU WILL LIKE .....
HELP IS AVAILABLE FROM THE CLI, EVEN WITHOUT INTERNET
Help available from the CLI [ topic | reference | apropos ]
# Full description of certain configuration hierarchies
root> help reference security address-book
address-book
Syntax
address-book {
    address address-name (ip-prefix | dns-name dns-address-name);
    address-set address-set-name {
        address address-name;
    }
}
....
# Commands which include the word xyz
root> help apropos proxy-arp
...
# Help on certain topics
root> help topic snmp agent
...
WE HAVE FTP/SCP SERVERS ON BOARD
# Start the FTP server
set system services ftp
# Enable inbound ftp on the desired zone and/or interface
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ftp
And connect with your favourite FTP client.
USEFUL EXTENSIONS FOR CONFIGURATION VERSIONING
Configuration Comments
Personal Configuration Files
Load/Save Configuration Files via FTP/HTTP
# Add a comment to a configuration
commit comment "Let us try this"
# List comments added during commit
show system commit
show | compare rollback ?
# Load via ftp or http
load merge ftp://user:password@host/filename
load merge http://user:password@host/filename
# Save via ftp or scp
show configuration | save ftp://user:password@host/filename
show configuration | save user@host:filename
# This will save/load configuration files in the home directory of the user
save mytestconfig.txt
load replace mytestconfig.txt
CONFIGURATION ROLLBACK
Automatic rollback if not confirmed within 5 minutes
Rollback versions: by default you have 5 (on SRX) to 50 (on EX)
The "Rescue" Configuration
# Automatic rollback if not confirmed within 5 minutes
commit confirmed 5
# Commit at the desired time
commit at hh:mm:ss
# On SRX Clusters rollback is only available if you entered "configure exclusive"
# Create a rescue configuration
request system configuration rescue save
# Manual rollback to rescue
rollback rescue
commit
# On J-Series press the reset button for more than 5 and less than 15 seconds
# to automatically load and commit the rescue configuration
rollback ?
show config | compare rollback <number>
SOFTWARE ROLLBACK
Since JUNOS 10.0, Branch SRX have a dual root partitioning scheme, which can hold a copy of the image and the configuration under /altroot and /altconfig.
# After a software upgrade the new software is in the primary partition and the old
# software is in the backup partition.
# You can check the current partition content with
show system snapshot media internal slice 1
# To switch the primary partition, so that the next reboot uses the other image, just execute
root@srx100-2> request system software rollback
junos-12.1R2.9-domestic will become active at next reboot
# To switch back to the previous partition just execute the same command once more
root@srx100-2> request system software rollback
junos-12.1R3.5-domestic will become active at next reboot
REAL-TIME PROBE AND MONITORING (RPM)
RPM can track server/application reachability and latencies over the network.
Results can be monitored from the CLI or via SNMP.
RPM events can also be used to trigger event scripts.
# Configure probes for owner THOMAS
# Example probe SERVER1 checks if the server responds to ping
edit services rpm probe THOMAS test SERVER1
set probe-type icmp-ping
set target address 172.30.80.1
set test-interval 10
top
# Example probe SERVER2 checks if the Web server responds within 2000 msec
edit services rpm probe THOMAS test SERVER2
set probe-type http-get
set target url http://172.30.81.70/index.html
set test-interval 10
set threshold rtt 2000000
top
show services rpm probe-results owner THOMAS test SERVER1
show snmp mib walk 1.3.6.1.4.1.2636.3.50
AUTO ARCHIVING CONFIGURATIONS
Transmit a copy of the current config file with every commit. You can use ftp, http, scp or a copy to a local file.
[edit system archival configuration]
transfer-on-commit;
archive-sites {
    ftp://username@host:<port>url-path password password;
    http://username@host:<port>url-path password password;
    scp://username@host:<port>url-path password password;
    file://<path>/<filename>;
}
The target filename is built like this:
<router-name>_juniper.conf[.gz]_YYYYMMDD_HHMMSS
It is also possible to run periodic archival:
set system archival configuration transfer-interval [interval]
MORE USEFUL STUFF .....
DNS lookup and reverse lookup
lab@SRX3600> show host 193.99.144.85
85.144.99.193.in-addr.arpa domain name pointer www.heise.de.
lab@SRX3600> show host www.heise.de
www.heise.de has address 193.99.144.85
Network clients available on the CLI (route lookup starts in inet.0):
telnet, ssh, ftp, scp, ping, traceroute, mtrace
Some clients can be used to pipe command output:
monitor traffic interface count 100 | ftp://172.16.1.1/capture.txt
CLI Shortcuts
• CTRL-A takes you to the beginning of the command line
• CTRL-E takes you to the end of the command line
• CTRL-W deletes backwards to the previous space
• CTRL-U deletes the entire command line
• CTRL-L redraws the command line (in case it has been interrupted by messages, etc.)
• CTRL-R starts the CLI history search; start typing and matching results will be displayed and can be executed by simply pressing ENTER
MORE USEFUL STUFF .....
Replace a pattern in the whole configuration
srx# replace pattern fe-0/0/7 with ge-0/0/7
What have you changed so far?
srx# set system host-name SRX
srx# show | compare
- host-name srx;
+ host-name SRX;
Configure exclusive (only you have access)
srx> configure exclusive
warning: uncommitted changes will be discarded on exit
Entering configuration mode
[edit]
srx#
Check if a commit is possible (but don't do it yet)
srx# commit check
AND MORE ......
Add comments anywhere in the configuration
srx# annotate security policies from-zone trust to-zone trust "this is an annotation"
srx# show security policies
/* this is an annotation */
from-zone trust to-zone trust {
    inactive: policy 1 {
.....
# To remove the comment redo the command with an empty string
annotate .... ""
Temporarily deactivate sections of the configuration
# deactivate whatever you want, but still keep it in the configuration
deactivate protocols ospf
Generate your own events (good to combine with event scripts)
set event-options generate-event backup-config-event time-of-day 23:30:00
AND MORE .....
apply-groups to
set groups sonet interfaces <so-*> sonet-options rfc-2615
set apply-groups sonet
Copy a file from one cluster member to the other
file copy /var/tmp/test node1:/var/tmp/sampled.test
Show configuration with details
# Use this command to get explanations and range information for each parameter
show configuration | display detail
Login messages
# To make a message appear before login
set system login message "Welcome \n to \n JUNOS Training\n"
# To make a message appear after successful authentication
set system login announcement "Maintenance scheduled 11PM to 2AM tonight"
AND MORE .....
Get a timestamp on the CLI every time you execute a command
set cli timestamp
# To disable
set cli timestamp disable
Quick navigation in configure mode
# If you used edit to change your current path in the navigation tree you can still
# reach every leaf of the tree by using "top" at the beginning
# Tab completion works and this "top" does not change your current position
edit protocols ospf
top show interface ge-0/0/0
top set interface ge-0/0/0 unit 0 ...
FURTHER USEFUL INFORMATION
DOCUMENTATION AND ADDITIONAL SOURCES
Software Documentation for SRX and J-Series: http://www.juniper.net/techpubs/software/JUNOS/
Hardware Documentation for SRX and J-Series: http://www.juniper.net/techpubs/hardware/srx-series.html and http://www.juniper.net/techpubs/software/jseries/
The JUNOS Page: http://JUNOS.juniper.net/
JTAC Knowledgebase: http://kb.juniper.net/
SRX Channel: http://kb.juniper.net/index?page=content&cat=SRX_SERIES&channel=KB
User Forums: http://forums.juniper.net/jnet/ and http://www.juniperforum.com/
Books: http://www.juniper.net/us/en/training/jnbooks/
SELF SERVICE TRAININGS
Training: Fasttrack Program (free materials)
http://www.juniper.net/training/fasttrack/
Training: Complete List of all Training and E-Learning Offers
http://www.juniper.net/us/en/training/technical_education/
Training: JUNOS as a second language
http://www.juniper.net/us/en/training/elearning/jsl.html
Training: Virtual Labs for Partners (hands-on if you have no HW)
https://www.juniper.net/partners/partner_center/common/training/virtual_lab.jsp
Training: JTAC Webcasts for Partners
https://www.juniper.net/partners/partner_center/common/training/post_sales_webcasts.jsp
Discount Vouchers for Certifications
http://JUNOS.juniper.net/prometricvoucher/
VPN CONFIGURATION GENERATOR
Generator for VPN configurations (route and policy based)
https://www.juniper.net/customers/support/configtools/vpnconfig.html
MIGRATION TOOLS
Convert Cisco or Netscreen configurations to JUNOS
https://migration-tools.juniper.net/tools/index.jsp