juniper srx quickstart 12.1r3 by thomas schmidt


Upload: nam-nguyen

Post on 02-Nov-2014


Page 1: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt

SRX JUMP STATION

Based on JUNOS versions up to 12.1R3, last modified Nov 08 2012

Thomas Schmidt, Consulting Systems Engineer

Page 2: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt

2 Copyright © 2011 Juniper Networks, Inc. www.juniper.net

WHAT IS THE PURPOSE OF THIS QUICK START?

• This collection is for users who already have experience with ScreenOS firewalls and the underlying concepts and now want to use JUNOS based SRX firewalls.

• This collection assumes you already have some knowledge of JUNOS (there are free trainings to help you) but need a guide to configure a complete system.

• This collection is a guide to help you find the commands required for typical features and tasks and gives you brief, working examples.

• Navigation: click on the symbol in the top right corner to get to the Jump Station Central; click on the chapter buttons to get to the desired chapters.

• If you need more in-depth information or more details of the underlying concepts, consult the documentation or participate in trainings.

• This collection cannot replace the full JUNOS documentation or trainings and cannot cover all parameters available with a certain feature.


Page 3: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


JUMP STATION CENTRAL

(Navigation slide: buttons linking to the chapters of this deck.)

Chapter groups: Basics; Network; Firewall; Manage, Log, Monitor; AppFirewall, IDP and UTM; More..; Toolbox; VPN; Troubleshooting; High Availability

Chapter buttons: Login; Control- & Dataplane; CLI; Docs & Papers; Further Information; Zones; Switching; Multicast; PPPoE & DSL; Routing OSPF, BGP; IPv6; Interfaces; Link Redundancy; Trunk & LAG; DHCP; DNS; NAT; Access list; Flow & ALG; Policies; Virtualize VR + LSys; Screens & Defense; Packet Flow; Transparent Mode; Class of Service; AppFirewall; AppSecure Overview; AppDDOS; AppTrack; IDP; Licenses; UTM, Antivirus; UTM, Webfilter; Admin User Role & Auth; Inband or Outband; SNMP & RMON; Software Upgrade; Netflow; Space; NSM; STRM; Logging & Syslog; Boot loader & Flash; Automation & Scripting; Nice Stuff; UAC Enforcer; Time & NTP; Port Mirroring; Reset to Factory Def.; Policy based VPN; Route based VPN; Dynamic VPN; VPNs with Certificates; VPN Diagnostics; Monitor Commands; Log files; Debug Flow; Packet Capture; Debug VPN; Interface Monitoring; Cluster Overview; Cluster Interfaces; Cluster Setup; Failover Behavior; Cluster States; Cluster & NSM

Page 4: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


JUNOS BASICS

Page 5: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


DOCUMENTATION AND GUIDES

Page 6: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


THE RIGHT PLACE FOR SRX HARDWARE AND SOFTWARE DOCUMENTATION

Use the following Link

Page 7: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


ADDITIONAL USEFUL INFORMATION SOURCES

Day One Booklets: http://www.juniper.net/us/en/community/junos/training-certification/day-one/

Feature Explorer and Content Explorer: http://pathfinder.juniper.net/feature-explorer/ and http://www.juniper.net/techpubs/content-applications/content-explorer/

Feature Support Reference Guide: https://www.juniper.net/techpubs/en_US/junos12.1/information-products/pathway-pages/security/feature-support-reference.html?chap-feature-support-tables.html

SRX Knowledgebase (Jump Station): http://kb.juniper.net/KB15694

SRX Knowledgebase (a list of the latest SRX articles): http://kb.juniper.net/index?page=content&cat=SRX_SERIES&channel=KB

SRX Application Notes: http://www.juniper.net/us/en/products-services/security/srx-series/#literature

JUNOS Network Configuration Examples: http://www.juniper.net/techpubs/en_US/junos/information-products/pathway-pages/nce/index.html

Juniper Forum:
• Configuration Library: http://forums.juniper.net/t5/Configuration-Library/bd-p/ConfigLib
• DayOne Tips: http://forums.juniper.net/t5/Day-One-Tips-Contest/bd-p/DayOneContest

Page 8: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


CONTROLPLANE AND DATAPLANE

Page 9: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


JUNOS SOFTWARE FEATURES (1 OF 2)

JUNOS software for SRX-series services gateways includes the following elements:

• JUNOS software as the base operating system
• Packet-based features: control plane OS, routing protocols, and forwarding features (per-packet stateless filters, policers, CoS)
• Session-based forwarding with some ScreenOS-like security features
• J-Web

Page 10: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


JUNOS SOFTWARE FEATURES (2 OF 2)

Session-based features:

• Implement some ScreenOS features and functionality through the use of new daemons
• The first packet of a flow triggers session creation based on: source and destination IP address, source and destination port, protocol, session token
• Zone-based security features: a packet on the incoming interface is associated with the incoming zone; a packet on the outgoing interface is associated with the outgoing zone
• Core security features: Firewall, VPN, NAT, ALGs, IDP, and SCREEN options

Page 11: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


CONTROL PLANE VERSUS DATA PLANE

Control plane: implemented on the Routing Engine. JUNOS software kernel, daemons, chassis management, user interface, routing protocols, system monitoring, clustering control.

Data plane: implemented on the IOCs and SPCs. Forwarding packets, session setup and maintenance, load-balancing, security policy, screen options, IDP, VPN.

Page 12: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


LOGIN

Page 13: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


LOGIN

Log in in the factory default state as user "root". The password is empty.

Amnesiac (ttyd0)

login: root

**********************************************************************
****  Welcome to JUNOS:                                           ****
****                                                              ****
****  To run the console configuration wizard, please run the     ****
****  command 'config-wizard' at the 'root%' prompt.              ****
****                                                              ****
****  To enter the JUNOS CLI, please run the command 'cli'.       ****
**********************************************************************

root@% cli
root>

Page 14: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


LOGIN

Non-root users are placed into the CLI automatically. The root user must start the CLI from the shell. Do not forget to exit the root shell after logging out of the CLI!

CLI prompt (non-root user):

switch (ttyu0)
login: user
Password:
--- JUNOS 9.1R2.10 built 2008-07-01 04:34:43 UTC
user@switch>

Shell prompt (root):

switch (ttyu0)
login: root
Password:
--- JUNOS 9.1R2.10 built 2008-07-01 04:34:43 UTC
root@switch% cli
root@switch>

Page 15: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


CLI BASICS

Page 16: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


CLI MODES

Shell - when you log in as root. The % character identifies shell mode:
root% cli
root>

CLI - operational mode. The > character identifies operational mode:
user@switch> configure
[edit]
user@switch#

CLI - configuration mode. The # character identifies configuration mode:
user@switch# exit
user@switch>

Page 17: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


CLI HIERARCHY

Commands are executed (mainly) from the default CLI level (user@switch>). They can also be executed from configuration mode with the run command. Commands form a hierarchy from less specific to more specific. Example: show spanning-tree interface

Top level (less specific): clear, configure, help, monitor, set, show, etc.
Under show: configuration, interface, dot1x, spanning-tree, version, etc.
Under show spanning-tree (more specific): bridge, interface, mstp, statistics

Page 18: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


CLI EDITING

EMACS-style editing sequences are supported. A VT100 terminal type also supports the arrow keys.

Keyboard sequence and resulting cursor position on the command line user@switch> show interfaces:

• Ctrl+b: move the cursor back one character
• Ctrl+a: move the cursor to the beginning of the line
• Ctrl+f: move the cursor forward one character
• Ctrl+e: move the cursor to the end of the line

Page 19: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


COMMAND AND VARIABLE COMPLETION

Enter a space to complete a command (the spacebar completes a command):

user@host> sh<space>ow i<space>
'i' is ambiguous.
Possible completions:
  igmp        Show Internet Group Management Protocol...
  ike         Show Internet Key Exchange information
  interfaces  Show interface information
  ipsec       Show IP Security information
  isis        Show Intermediate System-to-Intermediate...
user@host> show i

Use the Tab key to complete an assigned variable:

[edit policy-options]
user@host# show policy-statement t<tab>his-is-my-policy
then accept;

[edit policy-options]
user@host#

Page 20: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


CONTEXT-SENSITIVE HELP

Type ? anywhere on the command line:

user@host> ?
Possible completions:
  clear      Clear information in the system
  configure  Manipulate software configuration information
  file       Perform file operations
  help       Provide help information
  . . .
user@host> clear ?
Possible completions:
  arp        Clear address resolution information
  bfd        Clear Bidirectional Forwarding Detection information
  bgp        Clear Border Gateway Protocol information
  firewall   Clear firewall counters
  . . .

Page 21: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


SHOW CURRENT CONFIGURATION

ScreenOS style (set commands):

root@J6350> show config | display set
set version 9.3R2.8
set system host-name J6350
set system root-authentication encrypted-password "$1$QOLKoFKc$D/rIuLTkLP1BX9/GjQ.yN."
set system name-server 172.30.80.65
set system login user lab uid 2000
set system login user lab class super-user
........

JUNOS style (hierarchical):

root@J6350> show config
## Last commit: 2009-03-18 10:27:20 UTC by lab
version 9.3R2.8;
system {
    host-name Demo-081-111-J6350;
    root-authentication {
        encrypted-password "$1$QOLKoFKc$D/rIuLTkLP1BX9/GjQ.yN."; ## SECRET-DATA
    }
    name-server {
        172.30.80.65;
    }
    login {
        user lab {
            uid 2000;
            class super-user;
........
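The two renderings above contain the same information; the following added example (not code from the deck) converts the "display set" form into the hierarchical form, which is handy when a set-style dump from a script has to be compared with a saved hierarchical configuration. The keyword tables are assumptions sized for this slide's configuration, and the sample lines are constructed from the slide.

```python
"""Convert JUNOS 'show configuration | display set' output into the
hierarchical curly-brace form. Added example; the keyword tables below are
an assumption that covers the statements shown on the slide."""
import shlex

# Constructed sample, copied from the slide (the hash is the slide's demo value).
SET_LINES = """\
set version 9.3R2.8
set system host-name J6350
set system root-authentication encrypted-password "$1$QOLKoFKc$D/rIuLTkLP1BX9/GjQ.yN."
set system name-server 172.30.80.65
set system login user lab uid 2000
set system login user lab class super-user
"""

# Keywords whose next token names a child container: "user lab { ... }".
NAMED_CONTAINERS = {"user", "unit", "interface", "policy-statement",
                    "security-zone", "group", "term", "area"}
# Leaf statements rendered as "keyword value;".
LEAF_KEYWORDS = {"host-name", "encrypted-password", "uid", "class", "version",
                 "vlan-id", "address"}
# Keywords whose values are rendered as children: "name-server { 172.30.80.65; }".
LIST_CONTAINERS = {"name-server"}


def parse_set_lines(text):
    """Build a nested dict from 'set ...' lines: leaves map keyword -> value,
    containers map to sub-dicts, bare keywords map to empty dicts."""
    tree = {}
    for raw in text.splitlines():
        tokens = shlex.split(raw)          # keeps the quoted password as one token
        if not tokens or tokens[0] != "set":
            continue
        node, tokens, i = tree, tokens[1:], 0
        while i < len(tokens):
            key = tokens[i]
            has_value = i + 1 < len(tokens)
            if key in LEAF_KEYWORDS and has_value:
                node[key] = tokens[i + 1]
                i += 2
            elif key in LIST_CONTAINERS and has_value:
                node = node.setdefault(key, {}).setdefault(tokens[i + 1], {})
                i += 2
            elif key in NAMED_CONTAINERS and has_value:
                node = node.setdefault(key + " " + tokens[i + 1], {})
                i += 2
            else:
                node = node.setdefault(key, {})
                i += 1
    return tree


def render(tree, indent=0):
    """Render the nested dict in JUNOS hierarchical syntax (4-space indent)."""
    pad = "    " * indent
    lines = []
    for key, value in tree.items():
        if isinstance(value, dict):
            if value:
                lines.append(f"{pad}{key} {{")
                lines.extend(render(value, indent + 1))
                lines.append(f"{pad}}}")
            else:
                lines.append(f"{pad}{key};")   # bare keyword, e.g. "passive;"
        else:
            # JUNOS quotes values that contain '$' or spaces (such as the hash).
            shown = f'"{value}"' if ("$" in value or " " in value) else value
            lines.append(f"{pad}{key} {shown};")
    return lines


def set_to_hierarchy(text):
    return "\n".join(render(parse_set_lines(text)))


if __name__ == "__main__":
    print(set_to_hierarchy(SET_LINES))
```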

Page 22: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


CONFIGURATION, CANDIDATE, COMMIT, ROLLBACK

Page 23: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


COMMANDS IN CONFIGURATION MODE (1)

Page 24: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


COMMANDS IN CONFIGURATION MODE (2)

Page 25: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


COPY/PASTE CONFIGURATIONS

To paste and add pieces of configuration:
SRX# load merge terminal <relative>
[Type ^D at a new line to end input]
system {
........

To paste and override the whole configuration:
SRX# load replace terminal
[Type ^D at a new line to end input]
system {
........

To paste configuration written with "set" commands:
SRX# load set terminal <relative>
[Type ^D at a new line to end input]
set system ….

Page 26: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


CONTROL AND FORWARDING PLANE OF A JUNOS ROUTER

Page 27: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


NETWORK

Page 28: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


INTERFACES

Page 29: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


INTERFACE NUMBERING

Interface names and numbers. Many commands accept wildcards in interface names.

Interface name = <Interface Type>-<Slot>/<Module>/<Port>.<logical number>

All numbers start from 0.

Examples:
ge-0/1/2.3 - Gigabit Ethernet interface (slot 0, module 1, port 2, logical unit 3)
fe-0/1/2.3 - Fast Ethernet interface
st0.0 - first secure tunnel interface (VPN tunnel)
lo0 - first loopback interface

For a list of interface types see http://www.juniper.net/techpubs/software/JUNOS/JUNOS96/swconfig-network-interfaces/frameset.html

Wildcard example:
show interfaces ge-0/0/*

Page 30: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


SWITCHING

Page 31: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


SWITCHING ON FIREWALLS?

Switching features on the firewall can help to simplify the network by eliminating additional switches. This can be a commercial and management advantage, especially in small branch offices.

Switching is possible on Branch SRX models (SRX100...SRX650) and J-Series with uPIM modules.

Switching is not available (and not needed) on High-End SRX.

Switching is done in hardware. Full throughput can be achieved without consuming CPU performance.

Since JUNOS 10.0 the smaller SRX (100...240) have switching enabled on all interfaces (except ge-0/0/0) in the factory default configuration.

Page 32: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


SWITCHING: DEFAULT CONFIGURATION ON SRX210 WITH JUNOS 10.0

# An internal VLAN (vlan-trust) is defined to allow switching several interfaces
set vlans vlan-trust vlan-id 3

# An interface vlan unit 0 is assigned to this VLAN as the Layer 3 interface in this VLAN
set vlans vlan-trust l3-interface vlan.0

# This Layer 3 interface can have an IP address that is reachable from all
# hosts on its VLAN. In branch deployments this is typically the gateway address.
set interfaces vlan unit 0 family inet address 192.168.1.1/24

# All physical interfaces - except ge-0/0/0 of the SRX210 - are now assigned
# to an interface-range with the name interfaces-trust
set interfaces interface-range interfaces-trust member ge-0/0/1
set interfaces interface-range interfaces-trust member fe-0/0/2
set interfaces interface-range interfaces-trust member fe-0/0/3
set interfaces interface-range interfaces-trust member fe-0/0/4
set interfaces interface-range interfaces-trust member fe-0/0/5
set interfaces interface-range interfaces-trust member fe-0/0/6
set interfaces interface-range interfaces-trust member fe-0/0/7

# The interface-range is assigned to the VLAN vlan-trust
set interfaces interface-range interfaces-trust unit 0 family ethernet-switching vlan members vlan-trust

# It's a firewall, so the interface is mapped to zone trust, where all services are enabled
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all

Page 33: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


SWITCHING: ANOTHER CONFIGURATION EXAMPLE

# Before you can add an interface to switching you probably have to remove assignments.
# If there is an IP address assigned to the interface you have to remove it
delete interfaces fe-0/0/2 unit 0 family inet
# If the interface is a member of an interface-range in use, you have to untie it
delete interfaces interface-range .... member fe-0/0/2

# You can specify a VLAN, which will be used for switching
set vlans VLAN-100 vlan-id 100

# Configure Ethernet switching on the interfaces that are part of the VLAN.
# Default for new switching interfaces is access mode (= untagged)
set interfaces fe-0/0/2 unit 0 family ethernet-switching
set interfaces fe-0/0/3 unit 0 family ethernet-switching

# Assign these interfaces to the desired VLAN
set vlans VLAN-100 interface fe-0/0/2.0
set vlans VLAN-100 interface fe-0/0/3.0

# Configure a VLAN interface with an IP for this VLAN
set interfaces vlan unit 100 family inet address 192.168.1.1/24

# Assign this VLAN interface as your Layer 3 interface on this VLAN
set vlans VLAN-100 l3-interface vlan.100

# It's a firewall, so the VLAN interface must also be in a zone
set security zones security-zone trust interfaces vlan.100

# Allow services on the VLAN interface if desired
set security zones security-zone trust interfaces vlan.100 host-inbound-traffic ....
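The default configuration on the previous slide and the step list on this one both hide commit-time and exposure pitfalls: a port that still carries family inet when it is added to ethernet-switching, a VLAN whose l3-interface has no unit, a VLAN interface that sits in no zone, and the factory default "system-services all" on the trust zone. The following added example (not code from the deck) lints a set-style configuration for exactly these four cases; the sample configuration and the finding codes are constructed for this example.

```python
"""Lint a Branch SRX 'set'-style switching configuration for the pitfalls the
two switching slides describe. Added example; the sample below is constructed
from the slides with deliberate mistakes (fe-0/0/2 keeps an inet address,
VLAN-100 has no vlan unit and no zone, trust allows all system services)."""
import re
from collections import defaultdict
from typing import List, Tuple

SAMPLE_CONFIG = """\
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set interfaces interface-range interfaces-trust member ge-0/0/1
set interfaces interface-range interfaces-trust member fe-0/0/2
set interfaces interface-range interfaces-trust unit 0 family ethernet-switching vlan members vlan-trust
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set interfaces fe-0/0/2 unit 0 family inet address 10.0.0.1/24
set vlans VLAN-100 vlan-id 100
set vlans VLAN-100 l3-interface vlan.100
"""


def lint_switching_config(text: str) -> List[Tuple[str, str]]:
    """Return (code, message) findings; an empty list means no issue found."""
    families = defaultdict(set)       # logical interface -> configured families
    range_members = defaultdict(set)  # interface-range -> physical member ports
    range_units = defaultdict(set)    # interface-range -> {(unit, family)}
    vlan_l3 = {}                      # VLAN name -> l3-interface
    defined_units = set()             # logical interfaces with a unit statement
    zone_of = {}                      # logical interface -> security zone
    all_services = set()              # zones with "system-services all"

    for line in text.splitlines():
        if m := re.match(r"set interfaces interface-range (\S+) member (\S+)", line):
            range_members[m[1]].add(m[2])
        elif m := re.match(r"set interfaces interface-range (\S+) unit (\d+) family (\S+)", line):
            range_units[m[1]].add((m[2], m[3]))
        elif m := re.match(r"set interfaces (\S+) unit (\d+)(?: family (\S+))?", line):
            ifl = f"{m[1]}.{m[2]}"
            defined_units.add(ifl)
            if m[3]:
                families[ifl].add(m[3])
        elif m := re.match(r"set vlans (\S+) l3-interface (\S+)", line):
            vlan_l3[m[1]] = m[2]
        elif m := re.match(r"set security zones security-zone (\S+) interfaces (\S+)", line):
            zone_of[m[2]] = m[1]
        if m := re.match(r"set security zones security-zone (\S+) .*system-services all$", line):
            all_services.add(m[1])

    # Every member port inherits the unit/family statements of its interface-range.
    for name, members in range_members.items():
        for port in members:
            for unit, family in range_units.get(name, ()):
                families[f"{port}.{unit}"].add(family)

    findings = []
    for ifl, fams in sorted(families.items()):
        if {"inet", "ethernet-switching"} <= fams:
            findings.append(("FAMILY-CONFLICT",
                             f"{ifl}: family inet and family ethernet-switching are both "
                             "configured; delete the inet address before adding the port to switching"))
    for vlan, l3 in sorted(vlan_l3.items()):
        if l3 not in defined_units:
            unit = l3.split(".")[-1]
            findings.append(("MISSING-L3-UNIT",
                             f"{vlan}: l3-interface {l3} is referenced but "
                             f"'set interfaces vlan unit {unit} ...' is not configured"))
        if l3 not in zone_of:
            findings.append(("NO-ZONE",
                             f"{vlan}: {l3} is not in any security zone; the firewall "
                             "will not forward traffic for it until it is"))
    for zone in sorted(all_services):
        findings.append(("ALL-SERVICES",
                         f"zone {zone}: host-inbound-traffic system-services all accepts every "
                         "management service; list only the services needed (e.g. ssh, ping, dhcp)"))
    return findings


if __name__ == "__main__":
    for code, message in lint_switching_config(SAMPLE_CONFIG):
        print(f"{code:16} {message}")
```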

Page 34: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


SWITCHING: TROUBLESHOOTING COMMANDS

# Show which VLANs exist and which interfaces are assigned
show vlans [detail]

# History of MACs added and removed
show ethernet-switching mac-learning-log

# Current MAC table
show ethernet-switching table

# Current MAC table for a certain interface
show ethernet-switching table interface fe-0/0/2

Page 35: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


ETHERNET SWITCHING ON BRANCH SRX: INTERFACES SUPPORTED

Platform   On-Board   uPIM   MPIM   XPIM
J2320      no         yes    no     no
J2350      no         yes    no     no
J4350      no         yes    no     no
J6350      no         yes    no     no
SRX100     yes        no     no     no
SRX110     yes        no     no     no
SRX210     yes        no     no*    no
SRX220     yes        no     no*    no
SRX240     yes        no     no*    no
SRX550     yes        no     no*    yes**
SRX650     no         no     no     yes**

* Ethernet switching support is planned for a future release for the 1 Gigabit Ethernet SFP MPIM on the SRX210, SRX220, SRX240 and SRX550.
** As of JUNOS OS Release 12.1, Ethernet switching is not supported on the 10G XPIM.

Page 36: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


REMARKS

The configuration syntax for all supported features is exactly the same as with the EX switches. The documentation "Feature Support Reference" explains which switching features are supported.

There are some dependencies on which ports can be used for switching (see documentation).

Before 11.1 switching was only applicable to single units. Commit in the cluster was only possible when all switching configuration was removed. The assumption was that HA cluster configurations are usually designed with external switches.

Since 11.1 switching is also supported on Branch SRX clusters and can even span the two cluster members. This requires an additional link between the two nodes.

Page 37: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


ROUTING

Page 38: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


STATIC ROUTES: CONFIGURATION

# Host route
set routing-options static route 10.2.2.1/32 next-hop 10.1.1.254

# Network route
set routing-options static route 10.2.2.0/24 next-hop 10.1.1.254

# Default route
set routing-options static route 0.0.0.0/0 next-hop 10.1.1.254

# Route to an interface
# Useful for point-to-point interfaces like pppoe, vpn-tunnel, gre-tunnel
set routing-options static route 0.0.0.0/0 next-hop pp0.0
set routing-options static route 10.1.1.0/24 next-hop st0.0

# Route to another virtual router
set routing-options static route 10.0.0.100/32 next-table Logging.inet.0

# Example for the definition of the VR with name Logging referenced above
set routing-instances Logging instance-type virtual-router
set routing-instances Logging interface ge-0/0/7.0

# A network route to discard any traffic that did not hit a more specific route
# Black hole routes can sometimes save performance for policy lookups or
# avoid rerouting in case of interface failures (example: VPN is down)
set routing-options static route 0.0.0.0/0 discard

Page 39: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


STATIC ROUTES: ROUTE FAILOVER WITH IP-MONITORING

# Since 11.4 all Branch SRX support IP-Monitoring and automatic route failover
# Check out KB22052 for configuration details of a dual ISP connection with RPM for
# IP-Monitoring and Filter Based Forwarding for load distribution

# Installs the route in the first routing instance
set services ip-monitoring policy Server-Tracking match rpm-probe Probe-Server
set services ip-monitoring policy Server-Tracking then preferred-route routing-instances FBF-1 route 0.0.0.0/0 next-hop 2.2.2.2

# Installs the route in the second routing instance
set services ip-monitoring policy Server-Tracking1 match rpm-probe Probe-Server1
set services ip-monitoring policy Server-Tracking1 then preferred-route routing-instances FBF-2 route 0.0.0.0/0 next-hop 1.1.1.1

Page 40: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


STATIC ROUTES: MONITORING

# Display the routing table
root@J2300> show route

inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 01:13:15
                    > to 172.16.42.1 via fe-0/0/0.0
10.2.2.0/24        *[Static/5] 00:00:05
                    > to 172.16.42.1 via fe-0/0/0.0
172.16.42.0/24     *[Direct/0] 01:13:15
                    > via fe-0/0/0.0
172.16.42.230/32   *[Local/0] 01:21:12
                      Local via fe-0/0/0.0
224.0.0.9/32       *[RIP/100] 01:21:37, metric 1
                      MultiRecv

# Route lookup for a certain destination
root@J2300> show route 20.0.0.1

# Routing table overview
root@J2300> show route summary

# Forwarding table (includes all active routes, visible for the data plane)
root@J2300> show route forwarding-table
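To show what "show route <destination>" actually resolves against the table above, here is an added example (not code from the deck) that parses this output format and performs a longest-prefix-match lookup over the active routes; the route table text is constructed from the slide's own output, and the Route fields are this example's naming.

```python
"""Parse 'show route' output and reproduce the 'show route <destination>'
lookup: longest prefix match among active routes. Added example; the route
table below is constructed from the slide's output."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

SHOW_ROUTE_OUTPUT = """\
inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 01:13:15
                    > to 172.16.42.1 via fe-0/0/0.0
10.2.2.0/24        *[Static/5] 00:00:05
                    > to 172.16.42.1 via fe-0/0/0.0
172.16.42.0/24     *[Direct/0] 01:13:15
                    > via fe-0/0/0.0
172.16.42.230/32   *[Local/0] 01:21:12
                      Local via fe-0/0/0.0
224.0.0.9/32       *[RIP/100] 01:21:37, metric 1
                      MultiRecv
"""


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    protocol: str                     # Static, Direct, Local, RIP, ...
    preference: int                   # JUNOS route preference (after the slash)
    active: bool                      # '*' or '+' in front of the bracket
    next_hop: Optional[str] = None    # gateway address, if any
    interface: Optional[str] = None   # outgoing logical interface, if any


# "10.2.2.0/24        *[Static/5] 00:00:05"
ROUTE_RE = re.compile(r"^(\S+/\d+)\s+([*+-])\[(\w+)/(\d+)\]")
# "> to 172.16.42.1 via fe-0/0/0.0", "> via fe-0/0/0.0", "Local via ...", "MultiRecv"
HOP_RE = re.compile(r"^\s+(?:>\s+)?(?:Local\s+)?(?:to (\S+)\s+)?(?:via (\S+)|MultiRecv)")


def parse_show_route(text: str) -> List[Route]:
    """Turn the textual table into Route objects (one per prefix line)."""
    routes: List[Route] = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append(Route(prefix=ipaddress.ip_network(m.group(1), strict=False),
                                protocol=m.group(3),
                                preference=int(m.group(4)),
                                active=m.group(2) in "*+"))
            continue
        h = HOP_RE.match(line)
        if h and routes and routes[-1].interface is None:
            routes[-1].next_hop = h.group(1)     # None for Direct/Local routes
            routes[-1].interface = h.group(2)    # None for MultiRecv
    return routes


def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """Longest prefix match among active routes; on equal length the lower
    preference wins, as the Routing Engine does when picking the active route."""
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in routes if r.active and addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.preference))


if __name__ == "__main__":
    table = parse_show_route(SHOW_ROUTE_OUTPUT)
    for dest in ("20.0.0.1", "10.2.2.7", "172.16.42.9", "172.16.42.230"):
        print(dest, "->", lookup(table, dest))
```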

Page 41: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


OSPF CONFIGURATION

# Enable OSPF on an interface
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0
# And permit OSPF traffic on the zone of this interface (<zone> is a placeholder for the zone name)
set security zones security-zone <zone> host-inbound-traffic protocols ospf

# Recommended: use the loopback interface
set interfaces lo0 unit 0 family inet address 192.168.1.2/32
set protocols ospf area 0.0.0.0 interface lo0.0 passive

# Option: specify your own router-id
set routing-options router-id 192.168.1.2

# To get direct interface routes announced you can add them to OSPF in passive mode
set protocols ospf area 0.0.0.0 interface vlan.100 passive

# Option: negotiate graceful restart
set routing-options graceful-restart

# On SRX clusters for RG0 failover, you might have to extend OSPF timers to survive
# a dead interval of 5-20 seconds and also use the following setting:
set protocols ospf graceful-restart no-strict-lsa-checking

Page 42: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


RIP CONFIGURATION

# RIP requires a group; all interfaces are attached to this group as neighbors
set protocols rip group RIP neighbor ge-0/0/0.0
set protocols rip group RIP neighbor ge-0/0/1.0

# And permit RIP traffic on the zones of these interfaces
set security zones security-zone TRUST host-inbound-traffic protocols rip

# You can add IPsec tunnel interfaces with relaxed RIP update timers
# You can even work with tunnel interfaces with Next-Hop-Tunnel-Binding (NHTB)
set protocols rip group RIP neighbor st0.0 interface-type p2mp
set protocols rip group RIP neighbor st0.0 dynamic-peers
set interfaces st0 unit 0 multipoint

# Option: negotiate graceful restart
set routing-options graceful-restart

# Import routes into the RIP group via a policy-options filter (applied as export policy)
set policy-options policy-statement FILTER term a from route-filter 1.2.3.0/24 exact
set policy-options policy-statement FILTER term a then accept
set policy-options policy-statement FILTER term drop then reject
set protocols rip group RIP export FILTER

Page 43: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


OSPF MONITORING

# See neighbors and state
root> show ospf neighbor
Address          Interface      State   ID             Pri  Dead
10.222.2.2       ge-0/0/11.0    Full    192.168.36.1   128  36

# Link state database
root> show ospf database

Page 44: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


OSPF IMPORT/EXPORT FILTER (POLICY-OPTIONS)

# OSPF default is to import everything (into the routing table) and export routes only from
# interfaces that are (active) members of the same OSPF area

# For export of all other routes or to filter inbound routes you need routing policy
# filters

# Example filter to export all local static and all direct routes
edit policy-options policy-statement ALL-LOCAL
set term 1 from protocol direct
set term 1 then accept
set term 2 from protocol static
set term 2 then accept
top
set protocols ospf export ALL-LOCAL

# Example filter to export only a certain route (which must exist in the routing table)
edit policy-options policy-statement JUST-ONE
set term 1 from route-filter 172.10.0.0/16 exact
set term 1 then metric 10 accept
top
set protocols ospf export JUST-ONE

Page 45: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


BGP CONFIGURATION

# Example configuration with two AS
# Permit BGP traffic on the zone or interface(s) where you reach your peer(s)
set security zones security-zone trust host-inbound-traffic protocols bgp

# Recommended: use the loopback interface
set interfaces lo0 unit 0 family inet address 1.1.1.2/32

# Specify your own AS and your router-ID
set routing-options autonomous-system 1234
set routing-options router-id 1.1.1.2

# Specify peer(s)
edit protocols bgp group UPSTREAM
set local-address 1.1.1.2
set peer-as 64005
set local-as 64006
set neighbor 1.1.1.1 export BGP-EXPORT-POLICY
top

# A policy how to export the routes
set policy-options policy-statement BGP-EXPORT-POLICY from protocol direct
set policy-options policy-statement BGP-EXPORT-POLICY then accept

# Option: set static routes that are not redistributed
set routing-options static route 1.1.2.0/24 no-readvertise

# Option: specify how to aggregate routes
set routing-options aggregate route 1.1.1.1/20 [policy ...]

Page 46: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


BGP MONITORING

show bgp neighbor
show bgp summary
show route summary

# Which routes did we receive from a neighbor
show route receive-protocol bgp <peer-ip>

# Which routes do we send to a neighbor
show route advertising-protocol bgp <peer-ip>

Page 47: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


IS-IS CONFIGURATION

set interfaces ge-0/0/1 unit 0 family iso
set interfaces ge-0/0/2 unit 0 family iso

set interfaces lo0 unit 0 family iso address 49.0002.0002.0002.00

set protocols isis interface ge-0/0/1.0
set protocols isis interface ge-0/0/2.0
set protocols isis interface lo0.0 passive

Page 48: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


TUNNEL INTERFACES

Page 49: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


TUNNEL INTERFACES: GRE - GENERIC ROUTING ENCAPSULATION

# Typical use cases for GRE tunnels are
# - OSPF over GRE with non-Juniper routers
# - Multicast over GRE with non-Juniper routers

set interfaces gr-0/0/0 unit 0 tunnel source 10.0.0.1
set interfaces gr-0/0/0 unit 0 tunnel destination 10.0.0.2
set interfaces gr-0/0/0 unit 0 family inet address 10.1.0.1/3
set protocols ospf area 0.0.0.0 interface gr-0/0/0.0
set security zones security-zone vpn host-inbound-traffic protocols ospf
set security zones security-zone vpn interfaces gr-0/0/0.0

# MTU adjustments might be necessary because the GRE default MTU is ~9000

# When fragmentation happens in a GRE tunnel there are two options for reassembly
# a) use IDP inspection on the traffic leaving the tunnel
# b) since JUNOS 11.2 you can apply the following command
set security flow force-ip-reassembly

Page 50: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


TUNNEL INTERFACES: LOGICAL TUNNEL

# A logical tunnel can be used like a physical wire between two interfaces of an SRX
# Typical use cases are:
# - forwarding between a VR in packet mode and a VR in flow mode
# - forwarding between VRs to apply two policies to one session
# - intra-LSys traffic (all LSys have one tunnel to LSys0)

# Logical tunnel interfaces
set interfaces lt-0/0/0 unit 0 encapsulation ethernet
set interfaces lt-0/0/0 unit 0 peer-unit 1
set interfaces lt-0/0/0 unit 0 family inet
set interfaces lt-0/0/0 unit 1 encapsulation ethernet
set interfaces lt-0/0/0 unit 1 peer-unit 0
set interfaces lt-0/0/0 unit 1 family inet

# And now use them between two VRs
set routing-instances r1 interface lt-0/0/0.0
set routing-instances r2 interface lt-0/0/0.1

Page 51: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


TUNNEL INTERFACES: IP OVER IP

# This example is used to forward all IPv6 traffic encapsulated in IPv4 to 10.19.3.1

set interfaces ip-0/0/0 unit 0 tunnel source 10.19.2.1
set interfaces ip-0/0/0 unit 0 tunnel destination 10.19.3.1
set interfaces ip-0/0/0 unit 0 family inet6 address 7019::1/126
set routing-options rib inet6.0 static route ::0/0 next-hop ip-0/0/0.0

Page 52: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


MULTICAST

Page 53: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


IPV4 MULTICAST CONFIGURATION (1)

# IGMP allows receivers to join/leave a group
# Version 1 had join only and a 3 min timeout
# Version 2 (default) allows receiver join and leave
# Version 3 allows to join and to select the source IP of the sender
set protocols igmp interface reth2.0 version 3

# Enable PIM to communicate with multicast routers in the distribution tree
set protocols pim interface reth1.0

# Finding the rendezvous point
# Option 1: static rendezvous point on another router
set protocols pim rp static address 192.168.1.1

# Option 2: we are the rendezvous point ourselves - in this case the loopback interface is best practice
set interfaces lo0 unit 0 family inet address <IP-for-RP>/32
set protocols pim rp local address <IP-for-RP>

# Other options supported for RP selection: Anycast, Bootstrap, Auto-RP
# Best practice for multicast routing: PIM Dense Mode with Anycast RP
# Check technote: Multicast Implementation Guide

Page 54: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


IPV4 MULTICAST CONFIGURATION (2)

# Allow IGMP on all interfaces where we expect receivers to join
set security zones security-zone A interfaces reth1.0 host-inbound-traffic protocols igmp
set security zones security-zone B interfaces reth2.0 host-inbound-traffic protocols igmp

# Allow PIM on all interfaces where we expect distribution routers
set security zones security-zone A interfaces reth1.0 host-inbound-traffic protocols pim
set security zones security-zone B interfaces reth2.0 host-inbound-traffic protocols pim

# All interfaces can also be in a custom VR

# IGMP configuration is not in VR context
set protocols igmp interface reth20.0 version 3

set routing-instances VR-MCAST instance-type virtual-router
edit routing-instances VR-MCAST
set interface vlan.3
set interface vlan.10
set interface vlan.20
set interface vlan.30
set protocols igmp interface vlan.20
set protocols pim rp local address 10.0.42.110
set protocols pim interface vlan.10
top

Page 55: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


IPV4 MULTICAST TROUBLESHOOTING

# Monitoring
show pim bootstrap [instance VR]
show pim interfaces [instance VR]
show pim join [instance VR]
show pim mdt [instance VR]
show pim neighbors [instance VR]
show pim rps [instance VR]
show pim source [instance VR]
show pim statistics [instance VR]

show igmp interface
show igmp output-group
show igmp statistics

show multicast route
show multicast rpf

# tcpdump to watch PIM and IGMP packets
monitor traffic interface vlan.10 no-resolve detail size 1500 matching "pim || igmp"

# Debugging
set protocols pim traceoptions file trace-pim
set protocols pim traceoptions flag all
set protocols igmp traceoptions file trace-igmp
set protocols igmp traceoptions flag all

# PIM to IGMP proxy
show multicast pim-to-igmp-proxy


IPV4 MULTICAST FURTHER INFORMATION

# Best practice for multicast routing: PIM Dense Mode with Anycast RP
# Check Technote: Multicast Implementation Guide

# IGMP-Proxy is not available, but pim-to-igmp-proxy is available
set protocols pim-to-igmp-proxy upstream-interface ge-0/1/0.1

# Important hint for multicast on an SRX cluster:
# Disable IGMP snooping on the surrounding switches to avoid outages after failover

# Multicast configuration overview and examples
http://www.juniper.net/techpubs/en_US/junos12.1/information-products/pathway-pages/config-guide-multicast/config-guide-multicast.html#configuration

# Dense Mode and debugging example
http://kb.juniper.net/InfoCenter/index?page=content&id=KB24781

# Multicast Implementation Guide (EX and MX)
http://kb.juniper.net/library/CUSTOMERSERVICE/technotes/8010062-001-EN.pdf


IPV6


IPV6 CURRENT STATE (12.1)

IPv6 firewalling
- works in route mode with the following features:
  Policy/Zones/Flow/Fragment/HA/[FTP/TFTP/DNS ALG]/FW Auth
  - in Active/Passive clusters since 10.0
  - in Active/Active clusters since 11.2
  - IDP on IPv6 in route mode since 11.4
- works in transparent mode with the following features since 11.4r3:
  Policy/Zones/Flow/Fragment/HA/[FTP/TFTP/DNS ALG]/FW Auth/VLAN retagging/SNMP

For more details on IPv6 feature support in JUNOS 12.1 check this documentation:
http://www.juniper.net/techpubs/en_US/junos12.1/topics/reference/general/security-feature-ipv6-support.html


IPV6 DHCPV6 SERVER

# DHCP server for prefix delegation is available on High-End SRX

# The example below offers prefix delegation only (no exact IP assignment)
edit system services dhcp-local-server dhcpv6
set overrides interface-client-limit 100
set group GROUP1 interface ge-0/0/0.0
top

edit access address-assignment pool TRUSTv6 family inet6
set prefix fd27:9816:dca8:1::/48
set range RANGE1 prefix-length 64
top

# For exact IP assignment and DHCP server assignment use these statements
edit access address-assignment pool TRUSTv6 family inet6
set dhcp-attributes dns-server ....
set dhcp-attributes options ....
set range RANGE1 high ...
set range RANGE1 low ...
top


IPV6 DIAGNOSTICS

show interfaces terse
# shows two IPv6 addresses for each interface:
# 2001:........ = global address
# fe80:x:x:x = link-local address

show route table inet6.0
show ipv6 neighbors
show ipv6 router-advertisement

# Interface traffic monitor, filtered to IPv6 only
monitor traffic interface ge-0/0/0.0 matching ip6 size 200 detail

# ping: the same ping command is used for IPv4 and IPv6
ping 2001:638:c:a057::1

# force ping over IPv6
ping inet6 www.heise.de

# traceroute: same command as for IPv4
traceroute 2001:db8:0:6:202:b300:2215:595 source 2001:db8::5

# Monitoring the session table
show security flow session summary family [inet|inet6]


IPV6 DYNAMIC ROUTING WITH RIPNG

# Enable the RIPng listener on the following interfaces
edit protocols ripng
edit group NEIGHBORS
set neighbor ge-0/0/0.0
set neighbor ge-0/0/1.0
set neighbor fe-0/0/2.0
set neighbor fe-0/0/3.0
top

# If you want to export routes you need a route filter
edit policy-options policy-statement RIPNG-EXPORT
set term RIPNG from protocol ripng
set term RIPNG then accept
set term DIRECT from protocol direct
set term DIRECT from route-filter 2001:DB8::/32 orlonger
set term DIRECT then accept
top

# The route filter must be applied to the RIPng group
set protocols ripng group NEIGHBORS export RIPNG-EXPORT

# Monitoring
show route receive-protocol ripng
show route advertising-protocol ripng
show route protocol ripng


IPV6 DYNAMIC ROUTING WITH OSPFV3

# Introducing a loopback interface is best practice when using routing protocols
set interfaces lo0 unit 0 family inet address 10.0.0.210/32
# Specifying the router-id (as IPv4) is also recommended
set routing-options router-id 10.0.0.210

# Enable the OSPFv3 listener on the following interfaces
edit protocols ospf3
set area 0 interface lo0.0 passive
set area 0 interface ge-0/0/0.0
set area 0 interface ge-0/0/1.0
set area 0 interface fe-0/0/2.0
set area 0 interface fe-0/0/3.0
top

# Monitoring commands
show ospf3 neighbor
show ospf3 overview
show ospf3 route
show ospf3 statistics


IPV6 IMPROVED SECURITY

# Off-link malicious IPv6 nodes may spoof Neighbor Discovery messages to poison
# the router's ND cache. To mitigate, use
set protocols neighbor-discovery onlink-subnet-only

# A reboot after commit is suggested to clear out any bogus neighbor entries already in the cache
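The cache behaviour behind this knob, modelled as an added Python example (not Junos code): with the restriction on, an ND cache entry is only created for a target inside one of the interface's on-link prefixes. The prefixes, neighbor advertisements and MAC addresses are constructed sample data, and the last function lists the off-link entries an already populated cache would still hold after the commit, which is why the reboot is suggested.

```python
"""Model of the onlink-subnet-only check for an IPv6 Neighbor Discovery cache.

Added example, not Junos code. It shows why a cache that accepts a Neighbor
Advertisement (NA) for any target can be poisoned by an off-link host, and what
restricting entries to on-link prefixes changes.
"""
from ipaddress import IPv6Address, IPv6Network

# Prefixes configured on the router interface (constructed sample values).
ONLINK_PREFIXES = [IPv6Network("2001:db8:1::/64"), IPv6Network("fe80::/64")]

# Constructed sample NAs as (target address, advertised link-layer address).
SAMPLE_NA = [
    ("2001:db8:1::10", "00:11:22:33:44:10"),   # legitimate on-link host
    ("fe80::1", "00:11:22:33:44:01"),          # legitimate link-local peer
    ("2001:db8:9::5", "de:ad:be:ef:00:01"),    # target is not on any on-link prefix
]


def is_onlink(target, prefixes=ONLINK_PREFIXES):
    """True when the target address falls inside one of the on-link prefixes."""
    addr = IPv6Address(target)
    return any(addr in prefix for prefix in prefixes)


def build_nd_cache(messages, onlink_subnet_only, prefixes=ONLINK_PREFIXES):
    """Process NAs into a neighbor cache; return (cache, rejected targets).

    With onlink_subnet_only=False every NA creates an entry (the poisoning case);
    with True, targets outside the on-link prefixes are dropped.
    """
    cache, rejected = {}, []
    for target, lladdr in messages:
        if onlink_subnet_only and not is_onlink(target, prefixes):
            rejected.append(target)
            continue
        cache[target] = lladdr
    return cache, rejected


def stale_offlink_entries(cache, prefixes=ONLINK_PREFIXES):
    """Entries that an existing cache keeps after the commit: the knob only
    filters new learning, so bogus off-link entries survive until cleared."""
    return sorted(t for t in cache if not is_onlink(t, prefixes))


if __name__ == "__main__":
    before, _ = build_nd_cache(SAMPLE_NA, onlink_subnet_only=False)
    after, dropped = build_nd_cache(SAMPLE_NA, onlink_subnet_only=True)
    print("without knob:", before)
    print("with knob:", after, "dropped:", dropped)
    print("left over from the old cache:", stale_offlink_entries(before))
```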


VLAN TRUNKING AND LINK AGGREGATION


VLAN TRUNKS


VLAN TRUNKS NOTES AND LIMITATIONS

There are two possible approaches to configure VLAN trunks on SRX:
- As part of the "Switching" configuration (family ethernet-switching)
- As part of the "Routing" configuration (family inet)

"Switching" configuration
- Allows switching between all interfaces that are part of a VLAN. The member interfaces can be tagged and/or untagged
- Supported only on Branch SRX
- Not supported on redundant interfaces of a cluster

"Routing" configuration
- Allows creating a sub-interface and using it for routing
- Supported on all SRX platforms
- Supported also in cluster mode (can be applied to reth interfaces)
- Supported also on aggregate interfaces


VLAN TRUNK CONFIGURATION EXAMPLE FAMILY "INET"

# Enable VLAN tagging on a physical interface
set interfaces ge-0/0/0 vlan-tagging

# Now we can create two sub-interfaces on this physical interface
# Best practice: use the vlan-id also as the unit number
set interfaces ge-0/0/0 unit 11 vlan-id 11
set interfaces ge-0/0/0 unit 11 family inet address 10.0.11.1/24

set interfaces ge-0/0/0 unit 12 vlan-id 12
set interfaces ge-0/0/0 unit 12 family inet address 10.0.12.1/24

# The different sub-interfaces can be placed in different zones
set security zones security-zone zone11 interfaces ge-0/0/0.11
set security zones security-zone zone12 interfaces ge-0/0/0.12


VLAN TRUNK CONFIGURATION EXAMPLE FAMILY "SWITCHING"

# Define all VLANs you want to participate in
set vlans VLAN-80 vlan-id 80

# For trunk ports which carry multiple VLANs use the following syntax
set interfaces xe-0/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces xe-0/0/0 unit 0 family ethernet-switching vlan members all

# For access ports which are untagged but mapped to a certain VLAN
# use the following syntax
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members <name>

# To create an RVI (routed VLAN interface) in order to have an IP on a VLAN
set interfaces vlan unit 80 family inet address 80.0.0.1/24

# And assign this interface to the VLAN
set vlans VLAN-80 l3-interface vlan.80


LINK AGGREGATION AND LACP


LINK AGGREGATION ON BRANCH SRX NOTES AND LIMITATIONS

Standalone units:
- Link aggregation is possible by configuration of AE interfaces
- AE interfaces are supported with family ethernet-switching since JUNOS 9.5
- AE interfaces are supported with family inet since JUNOS 10.1r2
- LACP on AE interfaces with family ethernet-switching is supported since JUNOS 9.5
- LACP on AE interfaces with family inet is supported since JUNOS 10.2r2

Chassis clusters (redundant interfaces):
- Redundant interfaces (as required in clusters for failover) can have aggregate interfaces as members since JUNOS 10.3r2
- Switching across members of an HA cluster is available since 11.2; this requires an additional link between the two Branch SRX

Chassis clusters (private interfaces):
- Private interfaces, which are only active on one cluster member, are possible in clusters
- Private interfaces can still be aggregate interfaces (local LAG)
- Private interfaces can not have member interfaces from both chassis at the same time. A configuration with member interfaces from different chassis might commit, but it is not supported


LINK AGGREGATION ON DATACENTER SRX NOTES AND LIMITATIONS

Standalone units:
- Link aggregation is possible by configuration of AE interfaces
- Aggregated Ethernet interfaces are supported since JUNOS 10.0
- Aggregated Ethernet interfaces can be used with family inet only
- LACP support is available on High-End SRX since JUNOS 10.2r3

Chassis clusters (redundant interfaces):
- AE can not be used in a chassis cluster for redundant interfaces, but since JUNOS 10.1 there is another configuration available for link aggregation in chassis clusters.
- This configuration can even span cluster members. Only interfaces on the active link will be used to receive and transmit data.
- Check the Admin Guide for these "Redundant Ethernet Interface Link Aggregation Groups".

Chassis clusters (private interfaces):
- Private interfaces, which are only active on one cluster member, are possible in clusters
- Private interfaces can still be aggregate interfaces (local LAG)
- Private interfaces can not have member interfaces from both chassis at the same time. A configuration with member interfaces from different chassis might commit, but it is not supported


LINK AGGREGATION ON A SINGLE UNIT

Configuration example for an Aggregated Ethernet interface
# Set the number of aggregated interfaces on this device/chassis
set chassis aggregated-devices ethernet device-count <number>

# Configure AE interfaces (ae0, ae1, ...)
# On High-End SRX AE can be members of family inet
# On Branch SRX AE can be members of family inet and family ethernet-switching
set interfaces <aex> unit 0 family inet address <ip address>

# Associate physical Ethernet interfaces with the AE
set interfaces <interface-name> gigether-options 802.3ad <aex>

# Minimum number of links required for this aggregate to be up
set interfaces <aex> aggregated-ether-options minimum-links <n>

# LACP configuration (today only supported on Branch SRX)
set interfaces <aex> aggregated-ether-options lacp passive


LINK AGGREGATION ON A CHASSIS CLUSTER

Configuration example for a redundant Ethernet interface
# On High-End SRX LAG support starts with 10.1r2, LACP starts with 10.2r3
# On some Branch SRX LAG support starts with 10.3r2, LACP also starts with 10.3r2
# Documentation: "Chassis Cluster Redundant Ethernet Interface Link Aggregation Groups"

set interfaces ge-1/0/1 gigether-options redundant-parent reth1
set interfaces ge-1/0/2 gigether-options redundant-parent reth1
set interfaces ge-1/0/3 gigether-options redundant-parent reth1
set interfaces ge-12/0/1 gigether-options redundant-parent reth1
set interfaces ge-12/0/2 gigether-options redundant-parent reth1
set interfaces ge-12/0/3 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options minimum-links 3

# From the network point of view, these are two independent aggregate interfaces.
# Only the interfaces on the active node are used for transmission

# Further LACP configuration can now be added to the reth interface
set interfaces reth1 redundant-ether-options lacp periodic fast
# choose one of the two LACP modes
set interfaces reth1 redundant-ether-options lacp passive
set interfaces reth1 redundant-ether-options lacp active


LINK AGGREGATION ON DATACENTER SRX

- Extend lacpd to support RETHs with JUNOS 10.2
- Hitless RG failover for transit traffic
- Handle active/standby LAGs independently and simultaneously
- Support: a reth is connected to two switches
- Support: a reth is connected to one single switch
- At the remote side: active LAG and standby LAG shall each be terminated at an AE or equivalent (same as 10.1)

[Figure: Cluster 1 of two SRX 5600 HA nodes (Node 0, Node 1) sharing reth0 as an RLAG; the active LAG terminates on ae0 of one Switch/Router, the standby LAG on ae1 of a second Switch/Router]


LINK REDUNDANCY


IP MONITORING & FAILOVER WITH RPM
# Since 11.4r2 Branch SRX allows using RPM to monitor the reachability of a destination
# and, in response to PASS or FAIL, to fail over a route or an interface

# Configure probes under the probe owner PING-PROBE
# Example: test SERVER1 checks whether the server responds to ping
edit services rpm probe PING-PROBE test SERVER1
set probe-type icmp-ping
set target address 192.168.42.1
set probe-count 5
set probe-interval 5
set thresholds successive-loss 5
set test-interval 10
top

edit services ip-monitoring policy FAILOVER-Policy
set match rpm-probe PING-PROBE
# The admin state of a backup interface can be enabled if the RPM probe fails on the primary
# If the normal condition is restored the backup interface is disabled again
set then interface ge-0/0/1.0 enable
top

# Monitoring of the ip-monitoring feature
show services ip-monitoring status


BLACKHOLE FORWARDING DETECTION
# BFD (Bidirectional Forwarding Detection), available in OSPF/BGP
# Useful for link availability tests with aggressive timing (failover within 300 msec)

# Detect OSPF link failure after 3 x 500 msec
edit protocols ospf area 0.0.0.0 interface ge-0/0/0.0
set bfd-liveness-detection minimum-interval 500
set bfd-liveness-detection multiplier 3
set bfd-liveness-detection full-neighbors-only
top

# Detect BGP link failure
edit protocols bgp bfd-liveness-detection
set minimum-interval 800
set multiplier 3
set transmit-interval minimum-interval 150
set transmit-interval threshold 500
set detection-time threshold 200
set holddown-interval 5
top


FLOW LOAD BALANCING WITH EQUAL COST MULTIPATH ROUTING
# ECMP for flows is supported on SRX since JUNOS 12.1

# Add multiple routes to the same destination
set routing-options static route 26.0.0.0/8 next-hop 23.0.54.111
set routing-options static route 26.0.0.0/8 next-hop 24.0.44.101
set routing-options static route 26.0.0.0/8 next-hop 25.0.44.106

# Usually only one of these routes would show up in the forwarding table.
# We need a policy statement to enable per-packet load balancing.
# On SRX this statement in reality enforces per-flow balancing
set policy-options policy-statement LBP then load-balance per-packet

# And we must apply this policy to the forwarding table
set routing-options forwarding-table export LBP

# The forwarding table now shows several routes to the same destination
user@host> show route forwarding-table
Routing table: default.inet
Internet:
Destination        Type RtRef Next hop           Type Index NhRef Netif
...
26.0.0.0/8         user     0 23.0.54.111        rslv     0     1 ge-0/0/4.0
26.0.0.0/8         user     0 24.0.44.101        rslv     0     1 ge-0/0/6.0
26.0.0.0/8         user     0 25.0.44.106        rslv     0     1 ge-0/0/7.0

# Finally we might influence the balancing algorithm (layer-3 = IP addresses only; layer-4 = TCP/UDP ports too)
set forwarding-options hash-key family inet layer-3
set forwarding-options hash-key family inet layer-4
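A model of the per-flow selection described above, added here as an example (not Juniper's hashing implementation, which is platform specific): it hashes a flow key over the three next hops from the static routes above and shows what switching the hash key from layer-3 to layer-4 changes. The client and server addresses and the 30 sample connections are constructed.

```python
"""Model of per-flow ECMP next-hop selection with layer-3 vs layer-4 hash keys.

Added example, not Juniper code: the real hash function is platform specific.
What carries over is the principle: all packets of one flow hash to the same
next hop (per-flow balancing), and the hash key decides what a "flow" is.
"""
import hashlib
from collections import Counter

# Next hops from the three static routes for 26.0.0.0/8 on the page.
NEXT_HOPS = ["23.0.54.111", "24.0.44.101", "25.0.44.106"]


def flow_key(pkt, layer4):
    """Fields fed into the hash.

    layer-3 : source/destination address and protocol only
    layer-4 : additionally the transport ports, so each connection differs
    """
    fields = [pkt["src"], pkt["dst"], pkt["proto"]]
    if layer4:
        fields += [str(pkt["sport"]), str(pkt["dport"])]
    return "|".join(fields)


def choose_next_hop(pkt, layer4=False, next_hops=NEXT_HOPS):
    """Deterministic choice: same key -> same next hop, for every packet of the flow."""
    digest = hashlib.sha256(flow_key(pkt, layer4).encode()).digest()
    return next_hops[int.from_bytes(digest[:4], "big") % len(next_hops)]


def distribute(packets, layer4=False):
    """Count how many of the given flows land on each next hop."""
    return Counter(choose_next_hop(p, layer4) for p in packets)


# Constructed sample: 30 TCP connections from one client to one server behind 26/8.
SAMPLE_FLOWS = [
    {"src": "10.1.1.10", "dst": "26.1.1.1", "proto": "tcp", "sport": 40000 + i, "dport": 443}
    for i in range(30)
]

if __name__ == "__main__":
    # With layer-3 keys every connection between these two hosts takes one path;
    # with layer-4 keys the connections spread over the three next hops.
    print("layer-3:", dict(distribute(SAMPLE_FLOWS, layer4=False)))
    print("layer-4:", dict(distribute(SAMPLE_FLOWS, layer4=True)))
```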


VRRP CONFIGURATION
# VRRP allows failing over an interface between two devices which are not a cluster
# Typical use case: primary and backup Internet access device (each with its own WAN link)
# Remember that a VRRP cluster does not sync sessions; all sessions must be re-established

# VRRP - node0
edit interfaces fe-0/0/7 unit 0 family inet address 192.168.0.101/24 vrrp-group 150
set virtual-address 192.168.0.150
set priority 100
set no-preempt
set authentication-type md5
set authentication-key secret
top

# VRRP - node1
edit interfaces fe-0/0/7 unit 0 family inet address 192.168.0.102/24 vrrp-group 150
set virtual-address 192.168.0.150
set priority 110
set no-preempt
set authentication-type md5
set authentication-key secret
top

# VRRP troubleshooting
run show vrrp summary
run show vrrp interface fe-0/0/7


TRANSPARENT MODE


TRANSPARENT MODE OR BRIDGE MODE NOTES AND LIMITATIONS

Transparent/Bridge Mode on Datacenter SRX
- Transparent mode in A/P clusters is supported since JUNOS 9.6
- Transparent mode in A/A clusters is supported since JUNOS 10.0
- Interfaces can either be in trunk mode or in access mode
- VLAN retagging is possible and requires a per-interface statement
- Link aggregation on reth interfaces in transparent mode is supported since 11.4r1
- IDP is supported in A/P since 11.2

Transparent/Bridge Mode on Branch SRX
- Transparent mode in A/P clusters is supported since JUNOS 11.2
- Interfaces can only be in access mode
- Management access requires the definition of an IRB interface as member of one bridge domain

- Today (12.1) a firewall can either be in pure Layer 2 mode or in Layer 3 routed mode, no mix
- During a cluster failover the physical links on the inactive machine will get bumped (L1 down for some seconds and then up again) to clear the CAM tables on the attached switches.
- A number of features are not available/supported in transparent mode (12.1): NAT, IPsec VPN, GRE, LSys, VR for IRB, L3/L4 classification for QoS (but 802.1q)


TRANSPARENT MODE / BRIDGE MODE EXAMPLE 1: TWO UNTAGGED INTERFACES
# A bridge domain is used to define which interfaces share a MAC table
set bridge-domains BD1 domain-type bridge
set bridge-domains BD1 vlan-id 10
set bridge-domains BD1 interface ge-0/0/0.0
set bridge-domains BD1 interface ge-0/0/1.0

# This example uses 2 untagged interfaces
set interfaces ge-0/0/0 unit 0 family bridge interface-mode access
set interfaces ge-0/0/0 unit 0 family bridge vlan-id 10
set interfaces ge-0/0/1 unit 0 family bridge interface-mode access
set interfaces ge-0/0/1 unit 0 family bridge vlan-id 10

# Reuse zones trust and untrust
set security zones security-zone trust host-inbound-traffic system-services ssh
# Bind the interfaces to the zones
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/1.0

# For management access, you must attach an irb interface to the bridge domain
set interfaces irb unit 0 family inet address 1.1.1.0/24
set bridge-domains BD1 routing-interface irb.0


TRANSPARENT MODE / BRIDGE MODE EXAMPLE 2: MIXED TAGGED AND UNTAGGED INTERFACES
# A bridge domain is used to define which interfaces share a MAC table
set bridge-domains BD1 domain-type bridge
set bridge-domains BD1 vlan-id X   # could also be set to "none"
set bridge-domains BD1 interface xe-1/0/0.0
set bridge-domains BD1 interface xe-2/0/0.0

# Example for a trunk mode interface (on Datacenter SRX)
set interfaces ge-0/0/10 vlan-tagging
set interfaces ge-0/0/10 native-vlan-id 10
set interfaces ge-0/0/10 unit 0 family bridge interface-mode trunk
set interfaces ge-0/0/10 unit 0 family bridge vlan-id-list 40-50
# Untagged traffic on a trunk mode interface is mapped to the native VLAN

# Example for an interface in access mode
set interfaces ge-0/0/11 unit 0 family bridge interface-mode access
set interfaces ge-0/0/11 unit 0 family bridge vlan-id 40

# Create a layer2 zone and define the permitted system services
set security zones security-zone layer2 host-inbound-traffic system-services ssh
# Bind the interface to the zone
set security zones security-zone layer2 interfaces ge-0/0/10.0

# For management access, you must attach an irb interface to the bridge domain
set interfaces irb unit 0 family inet address 1.1.1.0/24
set bridge-domains BD1 routing-interface irb.0


TRANSPARENT MODE / BRIDGE MODE HINTS AND MONITORING
# By default, family bridge only forwards IPv4 unicast and L2 broadcast
# The following statement allows other traffic too (CDP, STP, ...)
# IPv6 forwarding in transparent mode is currently planned for 11.4r4 (DC-SRX only)
set security flow bridge bypass-non-ip-unicast

# Full documentation for transparent mode
https://www.juniper.net/techpubs/en_US/junos12.1/information-products/pathway-pages/security/security-layer2-bridging-transparent-mode.html#configuration

# Monitoring commands
show bridge-domains
show protocols l2-learning


FIREWALL


PACKET FLOW


SECURITY SERVICES PACKET WALK

1) Pull packet from queue
2) Police packet
3) Filter packet
4) Session lookup
5a) No existing session
   • FW screen check
   • Static and destination NAT
   • Route lookup
   • Destination zone lookup
   • Policy lookup
   • Reverse static and source NAT
   • Setup ALG vector
   • Install session
5b) Established session
   • FW screen check
   • TCP checks
   • NAT translation
   • ALG processing
6) Filter packet
7) Shape packet
8) Transmit packet

[Figure: per-packet filter and policer feed the JUNOS Flow Module; "Match Session?" NO: Screens, Static NAT, Dest NAT, Route, Zones, Policy, Reverse Static NAT, Source NAT, Services, Session install; YES: Screens, TCP, NAT, Services; then per-packet filter and shaper before the forwarding lookup]


SECURITY SERVICES PACKET WALK

[Figure: the JUNOS Flow Module diagram from the previous page ("Match Session?" NO: Screens, Static NAT, Dest NAT, Route, Zones, Policy, Reverse Static NAT, Source NAT, Services, Session; YES: Screens, TCP, NAT, Services), extended with the Services ALG Module: AppID (packet), IDP (packet), SSL Proxy, AppID (stream), IDP (stream), ALG, UTM, AppFW, UserFW]


ZONES


ZONES AND INTERFACES

# Zone names are useful to map existing segmentation
# Typical zone names are derived from areas with the same trust level (trust/untrust) or
# from department names (development, production, ...)

# Interfaces will not forward any traffic until they are assigned to a zone
# Each interface can only be mapped to one zone
# All interfaces in the same zone must be mapped to the same VR

# Assign an IPv4 address to an interface
set interfaces ge-0/0/1 unit 0 family inet address 192.168.20.2/24

# Create custom zones
set security zones security-zone DEVELOPMENT
set security zones security-zone VPN

# Assign an interface to a zone
set security zones security-zone VPN interfaces st0.0


OBJECTS & POLICIES


OBJECTS AND POLICIES OVERVIEW

Current state and changes over time
• Global policies and address objects are available since JUNOS 11.4
• Logging:
  To enable logging for permit rules use "set then log session-close"
  To enable logging for deny/reject rules use "set then log session-init"
• Counting: counting with "per time statistics" can be activated per policy (the number of policies is limited)
  Since JUNOS 12.1 there is a hit counter tracked by default for every policy
• Description: since JUNOS 12.1 policies can have a description
• Nested groups (groups of groups) are supported since JUNOS 11.2
  Before 11.2 NSM could be used to create nested groups
• DNS resolution: DNS names can be resolved either at object creation time or periodically during usage
• Wildcard mask: bitmasks for address objects are supported since JUNOS 11.1
• Ranges: address ranges are not available in JUNOS today (12.1)
• Negation: negated address objects are not available in JUNOS today (12.1)


ADDRESS OBJECTS AND GROUPS (JUNOS <11.2)

set security zones security-zone trust address-book address NET10 10.1.1.0/24
set security zones security-zone trust address-book address HOST10 10.1.1.1/32

# We can also use DNS names; there are two ways
edit security zones security-zone trust address-book
# Resolve the address once at commit time
set address JUNIPER-FIX www.juniper.net
# Resolve dynamically when the policy is used (cached for 24 hours)
set address JUNIPER-DNS dns-name www.juniper.net
top

# Groups of addresses are referenced as address sets
edit security zones security-zone trust address-book address-set ALL10
set address NET10
set address HOST10
top

# JUNOS >=11.1 also supports wildcard address masks with non-contiguous bitmasks
# for IPv4. The first octet of the mask must be greater than 128
set security zones security-zone trust address-book address SERVER4 wildcard-address 10.0.0.4/255.0.0.255
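How a wildcard address object such as SERVER4 is evaluated, as an added Python example (not Junos code): a candidate address matches when it agrees with the object address on every bit that is set in the mask, and the first-octet constraint stated above is enforced when the object is created. The candidate host list is constructed sample data.

```python
"""Wildcard address object matching with a non-contiguous mask.

Added example, not Junos code. SERVER4 = 10.0.0.4/255.0.0.255 from the page
matches every host whose first and last octet are 10 and 4, whatever the two
middle octets are; a CIDR prefix could not express that.
"""
from ipaddress import IPv4Address


class WildcardAddress:
    """Address object written as address/mask, where the mask may be non-contiguous."""

    def __init__(self, name, spec):
        addr, mask = spec.split("/")
        self.name = name
        self.addr = int(IPv4Address(addr))
        self.mask = int(IPv4Address(mask))
        # Constraint as stated on the page: the first octet of the mask must be > 128.
        if (self.mask >> 24) <= 128:
            raise ValueError(f"{name}: first octet of wildcard mask must be greater than 128")

    def matches(self, candidate):
        """Bits cleared in the mask are don't-care bits; all others must agree."""
        return (int(IPv4Address(candidate)) & self.mask) == (self.addr & self.mask)


def filter_hosts(obj, candidates):
    """Return the candidates covered by the wildcard object, in input order."""
    return [c for c in candidates if obj.matches(c)]


def is_valid_wildcard(spec):
    """True when the spec would be accepted as a wildcard address object."""
    try:
        WildcardAddress("probe", spec)
        return True
    except ValueError:
        return False


# Constructed sample hosts to test the object against.
SAMPLE_HOSTS = ["10.0.0.4", "10.22.33.4", "10.0.0.5", "11.0.0.4", "10.255.255.4"]

if __name__ == "__main__":
    server4 = WildcardAddress("SERVER4", "10.0.0.4/255.0.0.255")
    print("SERVER4 covers:", filter_hosts(server4, SAMPLE_HOSTS))
    print("0.255.255.255 as mask accepted?", is_valid_wildcard("10.0.0.4/0.255.255.255"))
```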


ADDRESS OBJECTS AND GROUPS (JUNOS >=11.2)

# Since JUNOS 11.2 address book entries can either use the old stanza
set security zones security-zone trust address-book address NET10 10.1.1.0/24

# Or it is possible to create ALL objects as zone-independent address book entries
set security address-book global address NET10 10.1.1.0/24

# JUNOS op scripts exist to convert from the old to the new format and back
https://www.juniper.net/us/en/community/junos/script-automation/library/

# If both formats are used in one configuration, the configuration can not be committed

# NSM supports global policies with version 2012.1
# Space Security Design supports global policies since version 12.1
# J-Web supports global address objects and global policies since 11.4


SERVICE OBJECTS
# Create custom service objects
# Default TCP timeout is 1800 sec.
# Default timeout for other protocols is 60 sec.
set applications application my-ssh protocol tcp
set applications application my-ssh destination-port 22
set applications application my-ssh inactivity-timeout 3600
# Alternative: the same application written with a term
set applications application my-ssh term ssh protocol tcp
set applications application my-ssh term ssh destination-port 22
set applications application my-ssh term ssh inactivity-timeout 3600

# A number of service definitions is already built in, starting with junos-xxxx
# To see them you can use the following command
show configuration groups junos-defaults applications
# or, from configuration mode
top show groups junos-defaults | match application | match junos

# They also appear when you use Tab completion while writing policies
set security policies from-zone trust to-zone untrust policy X match application ?


ZONE BASED FIREWALL POLICIES (1)
# Create a new policy with the name "FIRST"
edit security policies from-zone untrust to-zone trust policy FIRST
set match source-address any
set match destination-address any
set match application any
set then permit
# Since JUNOS 12.1 you can add a description for this policy
set description "First Policy created here"
top

# Insert a second policy "NEW"
edit security policies from-zone untrust to-zone trust policy NEW
set match source-address any
set match destination-address NET10
set match application any
set then permit
top

# New policies are always added at the end
# To move the "NEW" policy before the "FIRST" policy
insert security policies from-zone untrust to-zone trust policy NEW before policy FIRST


ZONE BASED FIREWALL POLICIES (2)
# By default all traffic that is not permitted by a policy is denied (without logging)
# There is a command to change this; recommended only for testing !!
set security policies default-policy permit-all

# Policy actions can be permit/deny/reject.
# deny means silent drop; reject creates a response packet to the initiator:
# for UDP traffic "ICMP port unreachable"
# for TCP traffic "TCP RST"

# Monitor commands
show security policies
show security flow session
# Policy lookup is available on the CLI and in the Web-UI since JUNOS 10.3
show security match-policies ....


GLOBAL FIREWALL POLICIES
# Beginning with JUNOS 11.4 policies can be specified as global policies
# These policies must always reference global address objects
# Policy lookup order is:
# a) zone-to-zone
# b) global
# c) default policy
# NSM can not manage global policies and objects
# For JUNOS Space global policy support is currently planned for release 12.1

set security address-book global address SERVER1 1.1.1.1
set security address-book global address SERVER2 2.2.2.2

set security policies global policy GP1 match source-address SERVER1
set security policies global policy GP1 match destination-address SERVER2
set security policies global policy GP1 match application junos-ftp
set security policies global policy GP1 then deny

set security policies global policy GP2 match source-address SERVER1
set security policies global policy GP2 match destination-address SERVER2
set security policies global policy GP2 match application any
set security policies global policy GP2 then permit

# Count per-zone and global policies
show security policies zone-context


GLOBAL POLICIES
Global policies take lower precedence than zone-specific policies. If a matching zone-based policy is found, the global policies are not evaluated.

[Diagram: zone policy lookup in the from-zone to-zone context (ordered lookup, Policy 1 .. Policy N); on no match, global policy lookup (ordered lookup, Policy 1 .. Policy M)]


FIREWALL POLICY MONITORING AND USAGE TRACKING (1/2)
# Counting can be enabled on a limited number of policies. Counting includes
# Input/Output Bytes & Packets, Session rate, Active & Deleted sessions, Policy lookups
edit security policies from-zone trust to-zone untrust policy pol-01
set then count
top

# To monitor the policy counters use
run show security policies from-zone trust to-zone untrust policy-name pol-01 detail

# Alerts can be enabled per policy to generate alerts if usage exceeds thresholds
edit security policies from-zone trust to-zone untrust policy pol-01
set then count alarm per-minute-threshold 1000
set then count alarm per-second-threshold 50
top

# To monitor the policy alerts use
run show security alerts


FIREWALL POLICY MONITORING AND USAGE TRACKING (2/2)
# Security Policy Overview (hidden until 12.1)
show security policies information

# Since JUNOS 10.3 there is Security Policy Lookup to predict the policy decision
# The query goes directly to the forwarding plane for evaluation
show security match-policies ....

# Until 11.4 usage statistics are only available if counting is enabled (see prev page)
show security policies detail

# JUNOS 12.1 introduces usage tracking of firewall policies independent from counters
# Counters since the last reboot/failover can be retrieved with the following command

srx210> show security policies hit-count from-zone untrust ascending

from-zone   to-zone   policy   hit-count
untrust     trust     pol-1    10
untrust     trust     pol-2    20
untrust     trust     pol-3    30


FIREWALL POLICY SCHEDULERS (A.K.A. TIME BASED POLICIES)
# Create a Scheduler to activate a policy every working day from 9-12 and 13-20
set schedulers scheduler "SCHEDULER1" daily start-time 09:00 stop-time 12:00
set schedulers scheduler "SCHEDULER1" daily start-time 13:00 stop-time 20:00
set schedulers scheduler "SCHEDULER1" sunday exclude

# Create a new Policy with the name "FIRST" and apply the scheduler definition "SCHEDULER1"
edit security policies from-zone untrust to-zone trust policy FIRST
set match source-address any
set match destination-address any
set match application any
set then permit
set scheduler SCHEDULER1
top

# Monitoring
show schedulers
show security policies detail


FIREWALL WEB AUTHENTICATION
# Firewall Authentication can intercept web sessions (redirect) and enforce user authentication first,
# before allowing traffic (any protocol) to be passed by the firewall. This is like an "unlock" door.

# Add an additional IP to an existing interface that is used for WebAuth; HTTP to this interface
# gives you a login page
set interface vlan unit 0 family inet address 192.168.1.210/24 web-authentication http

# Specify a Profile with 2 local Users
set access profile TESTPROFILE client TESTUSER1 firewall-user password netscreen
set access profile TESTPROFILE client TESTUSER2 firewall-user password netscreen

# and use this profile as default for firewall auth (inline in telnet, http, ftp connection) and webauth
set access firewall-authentication pass-through default-profile TESTPROFILE
set access firewall-authentication web-authentication default-profile TESTPROFILE

# A policy specifies for which Source/Destination Web Auth is required.
# Once Addresses have matched, Authentication is required, no fall through to other rules.
set security zones security-zone untrust address-book address PROTECTED 172.16.42.1/32
edit security policies from-zone trust to-zone untrust policy WEB-AUTH
set match source-address any
set match destination-address PROTECTED
set match application any
set then permit firewall-authentication access-profile TESTPROFILE
set then permit firewall-authentication pass-through web-redirect
up
insert policy WEB-AUTH before policy trust-to-untrust
top

# Monitoring Commands
show security firewall-authentication users
show security firewall-authentication history


REMATCH FOR POLICY CHANGES

# To enable Policy rematching when policy changes are made use the following command
# By Default Policy Rematch is disabled
set security policies policy-rematch

| Action on Policy | Description | Rematch Flag Enabled | Rematch Flag Disabled (default) |
|---|---|---|---|
| Delete | Policy is deleted | All existing sessions are dropped | All existing sessions are dropped |
| Insert | New policy is inserted | N/A | N/A |
| Modify the action | Action field of policy is modified from permit to deny or reject, or vice versa | All existing sessions are dropped | All existing sessions continue |
| Modify address | Source or destination address field of policy match is modified | Policy lookup will be re-evaluated | All existing sessions continue |
| Modify application | Application field of policy match is modified | Policy lookup will be re-evaluated | All existing sessions continue |
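The lookup order from the global policy pages (zone context, then global, then default policy) and the rematch table above, as an added Python model that is not part of the quickstart; zone names, addresses and policy names in it are constructed.

```python
# Added example (not from the quickstart): a model of the SRX policy lookup
# order and of the policy-rematch table above. Lookup order follows the page:
# a) zone-to-zone policies in order, b) global policies in order, c) the
# default policy (deny, or permit if default-policy permit-all is set).
# Zone names, addresses and policy names below are constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Policy:
    name: str
    src: str                          # prefix or "any"
    dst: str                          # prefix or "any"
    app: str                          # e.g. "junos-ftp", or "any"
    action: str                       # permit / deny / reject
    from_zone: Optional[str] = None   # None => global policy
    to_zone: Optional[str] = None


def _addr_match(prefix: str, addr: str) -> bool:
    return prefix == "any" or ip_address(addr) in ip_network(prefix)


def _matches(p: Policy, src: str, dst: str, app: str) -> bool:
    return (_addr_match(p.src, src) and _addr_match(p.dst, dst)
            and p.app in ("any", app))


@dataclass
class PolicyTable:
    policies: List[Policy] = field(default_factory=list)
    default_permit_all: bool = False  # "set security policies default-policy permit-all"

    def lookup(self, from_zone, to_zone, src, dst, app) -> Tuple[str, str]:
        """First match wins: zone context first, then global, then default."""
        zone_ctx = [p for p in self.policies
                    if (p.from_zone, p.to_zone) == (from_zone, to_zone)]
        global_pols = [p for p in self.policies if p.from_zone is None]
        for p in zone_ctx + global_pols:          # ordered lookup
            if _matches(p, src, dst, app):
                return p.name, p.action
        return "default-policy", "permit" if self.default_permit_all else "deny"


@dataclass
class Session:
    from_zone: str
    to_zone: str
    src: str
    dst: str
    app: str
    policy: str                       # policy that permitted the session


def rematch(table, sessions, change, policy_name, rematch_enabled) -> List[Session]:
    """Apply the rematch table to sessions after `change` was made to the
    policy `policy_name` (the table already holds the modified policy).
    Returns the sessions that survive."""
    kept = []
    for s in sessions:
        if s.policy != policy_name:
            kept.append(s)
            continue
        if change == "delete":                # dropped with or without rematch
            continue
        if not rematch_enabled:               # default: existing sessions continue
            kept.append(s)
            continue
        if change == "modify-action":         # permit -> deny/reject: dropped
            continue
        if change in ("modify-address", "modify-application"):
            name, action = table.lookup(s.from_zone, s.to_zone, s.src, s.dst, s.app)
            if action == "permit":            # re-evaluated lookup still permits
                kept.append(Session(s.from_zone, s.to_zone, s.src, s.dst, s.app, name))
    return kept


def demo() -> dict:
    first = Policy("FIRST", "any", "any", "any", "permit", "untrust", "trust")
    table = PolicyTable([
        first,
        Policy("GP1", "1.1.1.1/32", "2.2.2.2/32", "junos-ftp", "deny"),    # global
        Policy("GP2", "1.1.1.1/32", "2.2.2.2/32", "any", "permit"),        # global
    ])
    out = {  # zone policy FIRST wins even though global GP1 would deny ftp
        "zone_wins": table.lookup("untrust", "trust", "1.1.1.1", "2.2.2.2", "junos-ftp"),
        "global_ftp": table.lookup("trust", "dmz", "1.1.1.1", "2.2.2.2", "junos-ftp"),
        "global_http": table.lookup("trust", "dmz", "1.1.1.1", "2.2.2.2", "junos-http"),
        "default": table.lookup("trust", "dmz", "5.5.5.5", "2.2.2.2", "junos-http")}
    sessions = [Session("untrust", "trust", "1.1.1.1", "2.2.2.2", "junos-http", "FIRST"),
                Session("untrust", "trust", "3.3.3.3", "2.2.2.2", "junos-http", "FIRST")]
    first.action = "deny"                     # action changed permit -> deny
    out["action_rematch_on"] = len(rematch(table, sessions, "modify-action", "FIRST", True))
    out["action_rematch_off"] = len(rematch(table, sessions, "modify-action", "FIRST", False))
    first.action = "permit"                   # source address narrowed instead
    first.src = "10.0.0.0/8"
    out["address_rematch_on"] = [(s.src, s.policy) for s in
                                 rematch(table, sessions, "modify-address", "FIRST", True)]
    return out
```

With the address change, the 1.1.1.1 session survives because the re-evaluated lookup falls through to global policy GP2, while the 3.3.3.3 session hits the default deny and is dropped.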


REMATCH FOR POLICY CHANGES WITH USER IDENTITY BASED FIREWALL

The user/role information is retrieved again from the UI module for the rematch


FLOW & ALG


FLOW

# Flow Configuration changes default behavior for a number of topics that influence
# session creation/teardown/modification.
# Examples are SYN Checking, Sequence Number Checking, Fragmentation, MSS Patching,
# Session Aging

# Example: Make sure TCP packets going through VPN tunnels avoid fragmentation
set security flow tcp-mss ipsec-vpn mss 1420

# Example: Avoid TCP Split Handshake Attacks by more strict SYN checking
set security flow tcp-session strict-syn-check


ALG

# ALGs exist for several protocols. When enabled they either help to open firewall
# pinholes (FTP), assist in NAT for inband protocol data (VOIP) or check for protocol
# violations (DNS). See next pages for a table of ALGs and their functions

# Most ALGs are enabled per default. To check which ALGs are there and enabled use
show security alg status

# To disable an ALG either disable the ALG completely
set security alg msrpc disable
# or use a custom service with the application service disabled
set applications application TEST application-protocol ignore

# Knowledgebase Articles have good hints on monitoring and troubleshooting
# or changing behaviour of each ALG. Check the Knowledgebase if you have
# trouble with any of the protocols where ALGs are active and disabling the ALG
# does not solve your problem. Example KB entries:
# SQL: KB21550
# MSRPC: KB23730 and KB18346


BASIC ALGS

| ALG | Firewall / Pinholes / NAT (✔ as on the slide) | Protocol Checking |
|---|---|---|
| DNS | ✔ ✔ | format, length |
| FTP | ✔ ✔ ✔ | command |
| TFTP | ✔ ✔ | |
| SQL | ✔ ✔ ✔ | format |
| Sun RPC | ✔ ✔ ✔ | format |
| MS RPC | ✔ ✔ ✔ | format |
| RSH | ✔ ✔ ✔ | format |
| PPTP | ✔ ✔ ✔ | format |
| Talk | ✔ ✔ ✔ | format |
| IKE-NAT | ✔ ✔ ✔ | format |


VOIP/STREAMING ALGS

| ALG | Firewall | Pinholes | NAT | Protocol Checking |
|---|---|---|---|---|
| SIP | ✔ | ✔ | ✔ | |
| H.323 | ✔ | ✔ | ✔ | |
| MGCP | ✔ | ✔ | ✔ | |
| SCCP | ✔ | ✔ | ✔ | |
| RTSP | ✔ | ✔ | ✔ | |


SCREENS & DEFENSE


WHAT ARE SCREENS ?

Screens are filters for attacks on Layer 3/4 (scans, floods, IP option anomalies, TCP/IP anomalies, DoS attacks)

Screens are applied before Routing Lookup and Policy decision

Screens are in many cases implemented in Hardware

Screens can be enabled with Logging only


SCREENS

Descriptions of each of the Screen parameters are in the JUNOS documentation.

# Configure all Screen Options in a Named Profile
edit security screen ids-option MY-SCREEN-PROFILE
# Best Practice: Start using Screens with Alarm only, but Dropping disabled.
set alarm-without-drop
set icmp ping-death
set ip source-route-option
set ip tear-drop
set tcp syn-flood alarm-threshold 1024
set tcp syn-flood attack-threshold 200
set tcp syn-flood source-threshold 1024
set tcp syn-flood destination-threshold 2048
set tcp syn-flood queue-size 2000
set tcp syn-flood timeout 20
set tcp land
set limit-session destination-ip-based 50
top
# Finally apply the Profile to the Zones which need protection
set security zones security-zone untrust screen MY-SCREEN-PROFILE

# Monitoring Commands
show security screen statistics zone untrust
show security screen statistics interface ge-0/0/0


SCREENS FOR FLOOD PROTECTION
# Session Limits for Source and Destination IP
set security screen ids-option FLOOD limit-session source-ip-based 10000
set security screen ids-option FLOOD limit-session destination-ip-based 10000

# ICMP AND UDP FLOOD PROTECTION (threshold is in packets/sec)
set security screen ids-option FLOOD icmp flood threshold 10000
set security screen ids-option FLOOD udp flood threshold 20000

# TCP SYN Flood Protection, SYN-Cookie has better Performance than SYN-Proxy
set security flow syn-flood-protection-mode syn-cookie
edit security screen ids-option FLOOD tcp syn-flood
# Start using Cookie when we hit more than 20 SYNs/sec
set attack-threshold 20
set alarm-threshold 10000
# If we get more than these SYNs per second from a Source-IP we start dropping
set source-threshold 1024
# If we get more than these SYNs per second to the same Destination-IP we start dropping
set destination-threshold 100000
# Time before we start dropping half-open connections from the queue
set timeout 5
top

# Finally apply the Screen Profile Definitions to the zone(s) where the flood arrives
set security zones security-zone untrust screen FLOOD

# Monitoring
show security screen statistics zone trust
show interfaces ge-0/0/1.0 extensive | match Syn


WHITE LISTS FOR SYN COOKIE & SYN PROXY
# JUNOS 12.1 will introduce White lists for SYN Cookie and SYN Proxy
# The SYN Protection Screens can be active, but certain sources or
# destinations can be excluded from this protection.
# White lists can include up to 32 IPv4 and IPv6 source and/or destination addresses
# Typical Use case: exclude Proxies as Sources, exclude monitored Servers as Destination

root@raticate# set security screen ids-option FLOOD tcp syn-flood WHITE-LIST ipv4 ?
Possible completions:
  <[Enter]>            Execute this command
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
+ destination-address  Destination IP based
+ source-address       Source IP based


FLOOD PROTECTION FOR THE SRX SESSION TABLE
# In a Flood Situation, there is still a risk that the session table is filled up
# completely and new sessions can't be established any more
#
# A Self Defense Strategy of the SRX for a flood situation is "aggressive aging":
# start removing sessions which have not been used for x seconds before the session
# table gets filled up completely
#
# This overrides the default session timeouts, but might be better
# than an overcrowded session table

# Set levels (percent of max session number) when aggressive aging starts and when it stops
set security flow aging high-watermark 80 low-watermark 60

# Idle time in seconds after which sessions can be purged
set security flow aging early-ageout 30

# Monitoring: If the Thresholds are reached, there are logs for
# FLOW_HIGH_WATERMARK_TRIGGERED and FLOW_LOW_WATERMARK_TRIGGERED
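The watermark and early-ageout behaviour described above, as an added simulation that is not part of the quickstart; the session table size, the idle times and the clock are constructed, and the thresholds are the ones from the commands above.

```python
# Added example (not from the quickstart): a model of the "aggressive aging"
# behaviour described above. Parameters mirror the slide (high-watermark 80,
# low-watermark 60 percent of the session table, early-ageout 30 seconds);
# the session table, its size and the idle times are constructed here.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Session:
    sid: int
    last_used: float      # seconds on a constructed clock
    timeout: int = 1800   # normal idle timeout of the session (seconds)


class SessionTable:
    def __init__(self, max_sessions: int, high_watermark: int = 80,
                 low_watermark: int = 60, early_ageout: int = 30):
        self.max_sessions = max_sessions
        self.high, self.low = high_watermark, low_watermark
        self.early_ageout = early_ageout
        self.sessions: Dict[int, Session] = {}
        self.aggressive = False      # True between high- and low-watermark
        self.events: List[str] = []  # the log messages the slide mentions

    def utilisation(self) -> float:
        return 100.0 * len(self.sessions) / self.max_sessions

    def add(self, s: Session) -> bool:
        if len(self.sessions) >= self.max_sessions:
            return False             # table full: new session cannot be created
        self.sessions[s.sid] = s
        return True

    def age(self, now: float) -> List[int]:
        """One ageing pass at time `now`; returns the ids that were purged."""
        if not self.aggressive and self.utilisation() >= self.high:
            self.aggressive = True
            self.events.append("FLOW_HIGH_WATERMARK_TRIGGERED")
        purged = []
        for sid, s in list(self.sessions.items()):
            # aggressive aging overrides the session timeout with early-ageout
            limit = self.early_ageout if self.aggressive else s.timeout
            if now - s.last_used >= limit:
                del self.sessions[sid]
                purged.append(sid)
        if self.aggressive and self.utilisation() <= self.low:
            self.aggressive = False
            self.events.append("FLOW_LOW_WATERMARK_TRIGGERED")
        return purged


def demo() -> dict:
    """Constructed flood: 85 of 100 slots used, 30 of them idle for 45 s."""
    table = SessionTable(max_sessions=100)
    now = 1000.0
    for sid in range(85):
        idle = 45 if sid < 30 else 5
        table.add(Session(sid, last_used=now - idle))
    purged_first = table.age(now)         # 85 % >= high-watermark: aggressive
    purged_second = table.age(now + 60)   # back below low-watermark: normal timeouts
    return {
        "purged_first": len(purged_first),
        "after_first": len(table.sessions),
        "purged_second": len(purged_second),
        "events": list(table.events),
    }
```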


FIREWALL USAGE ALARMS

# Create Alerts if Errors exceed thresholds
edit security alarms potential-violation
set authentication 10
set decryption-failures threshold 100
set encryption-failures threshold 100
set ike-phase1-failures threshold 100
set ike-phase2-failures threshold 100
set replay-attacks threshold 100
set security-log-percent-full 90
top

# Create Alerts if firewall total policy usage exceeds thresholds
edit security alarms potential-violation policy
set application size 10240
set source-ip threshold 1000 duration 20
set destination-ip threshold 1000 duration 10
set policy-match threshold 100 size 100
top

# Create Alerts if individual firewall policy usage exceeds thresholds
edit security policies from-zone trust to-zone untrust policy pol-01
set then count alarm per-minute-threshold 1000
set then count alarm per-second-threshold 50
top

# Monitoring
show security alarms


WHERE ARE SCREENS IMPLEMENTED ?
# Screens that are implemented on the NPU
block-frag, fin-no-ack, icmp-fragment, icmp-id, icmp-large, ip-bad-option, ip-filter-src, ip-loose-src-route, ip-record-route, ip-security-opt, ip-stream-opt, ip-strict-src-route, ip-timestamp-opt, land, ping-death, syn-fin, syn-frag, tcp-no-flag, unknown-protocol, winnuke, icmp-flood, udp-flood, syn-flood destination-threshold / source-threshold

# Screens that are implemented on the SPU
teardrop, ip-spoofing, syn-ack-ack-proxy, syn-flood (syn-cookie/syn-proxy)

# Screens that are implemented on the CP
limit-session, port-scan, ip-sweep, syn-flood (syn-cookie/syn-proxy)


NAT


NAT BASIC INFORMATION

• Since JUNOS 9.5 NAT uses a separate policy (a.k.a. NAT-ng)

• The Hierarchy for this is under "set security nat ...."

• Older JUNOS Documentation and OJSE Training Materials might still mention the previous method (policy based NAT)

• Destination NAT often requires additional Proxy-ARP rules

• Limitations in the number of NAT rules did exist, but finally even the last (8 rules for destination NAT) disappeared with 10.2. See http://kb.juniper.net/KB14149

• We have a good Application Note on NAT:
http://www.juniper.net/us/en/products-services/security/srx-series/#literature


SCREENOS NAT FEATURES AND JUNOS COUNTERPART

For Details and Examples see the Application Note

"Juniper Networks SRX Series and J Series NAT for ScreenOS Users"
http://www.juniper.net/us/en/products-services/security/srx-series/#literature


NAT CONFIGURATION INCLUDES 3 FLAVORS

Source NAT
• Interface based NAT
• Pool based NAT, with and without port translation
• IP address shifting

Destination NAT
• Destination IP and/or port number translation
• IP address shifting

Static NAT
• Bi-directional
• No port translation supported
• dst-xlate for packets to the host
• src-xlate for packets initiated from the host


NAT PROCESSING ORDER

Static & Destination NAT are performed before security policies are applied

Reverse Static & Source NAT are performed after security policies are applied

Accordingly, policies always refer to the actual address of the endpoints


NAT ADDRESS POOL CONFIGURATION

Address pools can be:
• Single IP address
• Range of addresses
• Range of ports
• Interface (source NAT only)
• No port translation

Overflow pools:
• Configured as a fall back
• Requires pools with no port translation

[edit security nat source]
root# show
pool src-nat-pool1 {
    address {
        192.0.0.10/32 to 192.0.0.24/32;
    }
}
pool src-nat-pool2 {
    address {
        192.0.0.100/32 to 192.0.0.249/32;
    }
    port no-translation;
    overflow-pool interface;
}
pool src-nat-pool3 {
    address {
        192.0.0.25/32;
    }
}
pool src-nat-pool4 {
    address {
        192.0.0.50/32 to 192.0.0.59/32;
    }
    port range 5000 to 6000;
}


SOURCE NAT - TWO EXAMPLES

[Diagram labels: INTERNET, UNTRUST, TRUST, ge-0/0/0, ge-0/0/1, 10.1.1.0/24, 10.1.2.0/24, 192.1.1.0/24]

Example 1 (source NAT to the interface address):
[edit security nat source]
rule-set nat-internet {
    from zone trust;
    to zone untrust;
    rule rule1 {
        match {
            source-address 0.0.0.0/0;
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat interface;
        }
    }
}

Example 2 (source NAT to a pool):
[edit security nat source]
rule-set nat-internet {
    from zone trust;
    to zone untrust;
    rule rule1 {
        match {
            source-address 0.0.0.0/0;
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat pool src-nat-pool1;
        }
    }
}


SOURCE NAT - EXAMPLE WITH MULTIPLE RULES

[Diagram labels: INTERNET, UNTRUST, TRUST, ge-0/0/0, ge-0/0/1, 10.1.1.0/24, 10.1.2.0/24, 192.1.1.0/24, 172.1.1.0/24]

[edit security nat source]
rule-set nat-internet {
    from zone trust;
    to zone untrust;
    rule rule1 {
        match {
            source-address [ 10.1.1.0/24 10.1.2.0/24 ];
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat pool src-nat-pool1;
        }
    }
    rule rule2 {
        match {
            source-address 192.1.1.0/24;
        }
        then {
            source-nat pool src-nat-pool2;
        }
    }
    rule rule3 {
        match {
            source-address 172.1.1.0/24;
        }
        then {
            source-nat off;
        }
    }
}


DESTINATION NAT - EXAMPLE FOR MANY-TO-MANY

[Diagram labels: INTERNET, UNTRUST, TRUST, ge-0/0/0, ge-0/0/1, 10.1.1.0/24, 10.1.2.0/24, 192.1.1.100/24, 192.1.1.200/24]

dnat-pool-1: 1.1.1.100/80 -> 192.168.1.100/80
dnat-pool-2: 1.1.1.101/80 -> 192.168.1.200/8000

[edit security nat destination]
root# show
pool dnat-pool-1 {
    address 192.168.1.100/32;
}
pool dnat-pool-2 {
    address 192.168.1.200/32 port 8000;
}
rule-set dst-nat {
    from zone untrust;
    rule rule1 {
        match {
            destination-address 1.1.1.100/32;
        }
        then {
            destination-nat pool dnat-pool-1;
        }
    }
    rule rule2 {
        match {
            destination-address 1.1.1.101/32;
        }
        then {
            destination-nat pool dnat-pool-2;
        }
    }
}


DESTINATION NAT - EXAMPLE FOR ONE-TO-MANY

[Diagram labels: INTERNET, UNTRUST, TRUST, ge-0/0/0, ge-0/0/1, 10.1.1.0/24, 10.1.2.0/24, 192.1.1.100/24, 192.1.1.200/24]

dnat-pool-1: 1.1.1.100/80 -> 192.168.1.100/80
dnat-pool-2: 1.1.1.100/8000 -> 192.168.1.200/8000

[edit security nat destination]
root# show
pool dnat-pool-1 {
    address 192.168.1.100/32;
}
pool dnat-pool-2 {
    address 192.168.1.200/32 port 8000;
}
rule-set dst-nat {
    from zone untrust;
    rule rule1 {
        match {
            destination-address 1.1.1.100/32;
            destination-port 80;
        }
        then {
            destination-nat pool dnat-pool-1;
        }
    }
    rule rule2 {
        match {
            destination-address 1.1.1.100/32;
            destination-port 8000;
        }
        then {
            destination-nat pool dnat-pool-2;
        }
    }
}


STATIC NAT

Provides one-to-one mapping of hosts or subnets

Bi-directional NAT:
• dst-xlate for packets to the host
• src-xlate for packets initiated from the host

[Diagram labels: INTERNET, UNTRUST, TRUST, ge-0/0/0, ge-0/0/1, 10.1.1.0/24, 10.1.2.0/24, 192.1.1.200/24]

[edit security nat]
root# show static
rule-set static-nat {
    from zone untrust;
    rule rule1 {
        match {
            destination-address 1.1.1.200/32;
        }
        then {
            static-nat prefix 192.168.1.200/32;
        }
    }
}


PROXY-ARP

Source NAT
Proxy-ARP is required for all source IP pool addresses in the same subnet as the egress interface (ge-0/0/0). For source pools not in the same subnet as the egress interface IP, a route to the IP pool subnet with the SRX device as next-hop is required on the upstream router.

Destination/Static NAT
Proxy-ARP is required for all IP pool addresses in the same subnet as the ingress interface (ge-0/0/0). For static and destination NAT pools not in the same subnet as the egress interface IP, a route to the IP pool subnet with the SRX device as next-hop is required on the upstream router.

Configuration command:
set security nat proxy-arp interface <if_name> address <ip_prefix>

[Diagram labels: INTERNET, 10.1.1.0/24, 10.1.2.0/24, ge-0/0/0, ge-0/0/1 1.1.1.1/24]
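The NAT processing order from the "NAT processing order" slide (static/destination NAT before the policy, source NAT after it) and the proxy-ARP rule of thumb above, as an added Python model that is not part of the quickstart; the rule-sets mirror the slide examples, the interface address 1.1.1.1/24, the packets and the `permit` policy stand-in are constructed.

```python
# Added example (not from the quickstart): a model of the NAT processing order
# (static/destination NAT before the policy lookup, source NAT after it, so the
# policy always sees the real endpoint addresses) together with the proxy-ARP
# rule of thumb above. The rule-sets mirror the slide examples but are
# constructed here; `permit` stands in for the security policy lookup.
from ipaddress import ip_address, ip_interface, ip_network
from typing import Callable, List, Tuple


def addr_range(first: str, last: str) -> List[str]:
    """Expand a pool range such as '192.0.0.10 to 192.0.0.24'."""
    a, b = int(ip_address(first)), int(ip_address(last))
    return [str(ip_address(i)) for i in range(a, b + 1)]


# destination NAT rule-set "dst-nat" (from zone untrust), one-to-many example:
# (match destination-address, match destination-port, pool address, pool port)
DST_NAT_RULES = [
    ("1.1.1.100/32", 80, "192.168.1.100", None),
    ("1.1.1.100/32", 8000, "192.168.1.200", 8000),
]
# source NAT rule-set "nat-internet" (trust -> untrust) using src-nat-pool1
SRC_NAT_POOL = addr_range("192.0.0.10", "192.0.0.24")


def destination_nat(dst: str, dport: int) -> Tuple[str, int]:
    """First matching rule wins; a pool port overrides the packet's port."""
    for prefix, port, pool_addr, pool_port in DST_NAT_RULES:
        if ip_address(dst) in ip_network(prefix) and dport == port:
            return pool_addr, dport if pool_port is None else pool_port
    return dst, dport


def source_nat(from_zone: str, to_zone: str, src: str) -> str:
    """Modelled as 'first pool address'; the real SRX picks a free address/port."""
    if (from_zone, to_zone) == ("trust", "untrust"):
        return SRC_NAT_POOL[0]
    return src


def process_packet(from_zone, to_zone, src, dst, dport,
                   permit: Callable[..., bool]) -> List[str]:
    """Trace one packet through destination NAT -> policy -> source NAT."""
    trace = []
    real_dst, real_port = destination_nat(dst, dport)
    if (real_dst, real_port) != (dst, dport):
        trace.append(f"dst-nat {dst}:{dport} -> {real_dst}:{real_port}")
    # the policy is evaluated on the real source and the real (post-dst-NAT) destination
    verdict = "permit" if permit(from_zone, to_zone, src, real_dst, real_port) else "deny"
    trace.append(f"policy {from_zone}->{to_zone} {src} -> {real_dst}:{real_port} {verdict}")
    if verdict == "deny":
        return trace
    new_src = source_nat(from_zone, to_zone, src)   # only after the policy permitted
    if new_src != src:
        trace.append(f"src-nat {src} -> {new_src}")
    trace.append(f"forward {new_src} -> {real_dst}:{real_port}")
    return trace


def proxy_arp_check(interface_addr: str, pool_addrs: List[str]) -> dict:
    """Pool addresses inside the interface subnet need
    'set security nat proxy-arp interface <if_name> address <ip_prefix>';
    the others need a route to the pool subnet via the SRX on the upstream router."""
    net = ip_interface(interface_addr).network
    return {"proxy-arp": [a for a in pool_addrs if ip_address(a) in net],
            "upstream-route": [a for a in pool_addrs if ip_address(a) not in net]}


def demo() -> dict:
    # constructed policy: trust -> untrust permits all, untrust -> trust only
    # the real server 192.168.1.200 on port 8000
    def permit(fz, tz, src, dst, dport):
        if (fz, tz) == ("trust", "untrust"):
            return True
        return (fz, tz) == ("untrust", "trust") and (dst, dport) == ("192.168.1.200", 8000)
    return {
        "inbound_8000": process_packet("untrust", "trust", "203.0.113.5", "1.1.1.100", 8000, permit),
        "inbound_80": process_packet("untrust", "trust", "203.0.113.5", "1.1.1.100", 80, permit),
        "outbound": process_packet("trust", "untrust", "10.1.1.5", "198.51.100.7", 443, permit),
        # interface 1.1.1.1/24, pool 1.1.1.10-14 (double-NAT slide) plus one out-of-subnet address
        "arp": proxy_arp_check("1.1.1.1/24", addr_range("1.1.1.10", "1.1.1.14") + ["192.0.0.10"]),
    }
```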


DOUBLE NAT - SOURCE AND DESTINATION NAT

[Diagram labels: TRUST 192.168.1.3/24, UNTRUST 10.1.1.100/24]

[edit security nat source]
root# show
pool src-pool-1 {
    address {
        1.1.1.10/32 to 1.1.1.14/32;
    }
}
rule-set src-rs1 {
    from zone trust;
    to zone untrust;
    rule r1 {
        match {
            source-address 0.0.0.0/0;
        }
        then {
            source-nat pool src-pool-1;
        }
    }
}

[edit security nat destination]
root# show
pool dst-src-pool-1 {
    address 10.1.1.100/32;
}
rule-set dst-rs1 {
    from zone trust;
    rule rule1 {
        match {
            destination-address 1.1.1.100/32;
        }
        then {
            destination-nat pool dst-src-pool-1;
        }
    }
}

Packet flow: 192.168.1.3 -> 1.1.1.100 becomes 1.1.1.10 -> 10.1.1.100


NAT MONITORING AND TROUBLESHOOTING
# NAT sessions can be identified from the session table
show security flow session

# Static NAT:
show security nat static rule <all|rule-name>

# Source NAT:
show security nat source summary
show security nat source pool <pool-name>
show security nat source rule <rule-name>
show security nat source persistent-nat-table <all|summary|....>

# Destination NAT:
show security nat destination summary
show security nat destination pool <pool-name>
show security nat destination rule <rule-name>
show security nat interface-nat-ports

# Incoming NAT:
show security nat incoming-table

# ARP table
show arp no-resolve

# Tracing (output is written to the file defined under security->flow->traceoptions)
set security nat traceoptions flag all


VIRTUALIZATION


VIRTUALIZATION BUILDING BLOCKS AND CONCEPTS

SRX Firewalls offer several building blocks and concepts to achieve virtualization:
• Zone based Separation: No traffic can get from one zone to another if there is no policy
• Virtual Router based Separation: avoid any traffic leakage between different instances (use case: managed service for customers with overlapping address space)
• Logical Systems: for complete administrative isolation. Create virtual firewalls with individual administrators and protected resources per firewall (memory, cpu, objects ...)
• Virtual SRX: Virtual Machine for installation on a Hypervisor (VMware, KVM)

| | Zones only | Zones and Virtual Routers | Logical Systems | Virtual SRX |
|---|---|---|---|---|
| separate traffic of different instances | yes | yes | yes | yes |
| separate routing decisions per instance | no | yes | yes (with VRs) | yes |
| allow different administrators per instance | no | no | yes | yes |
| protect resources per instance | no | no | partial | yes |
| more than 32 instances | no | no | max 32 instances per firewall | yes |


ZONE-BASED SEPARATION

[Diagram: Coke User and Pepsi User in the Untrust Zone; Coke Zone and Pepsi Zone behind the firewall]

• Simple design
• High scale (no additional overhead)
• No overlapping IP addresses
• Little to no user-based admin


VR-BASED SEPARATION

• More complex design
• High scale (little additional overhead)
• Overlapping IP addresses supported
• Routing protocols per VR give additional flexibility
• Little to no user-based admin

[Diagram: Coke User and Pepsi User; Coke VR with Coke Untrust Zone and Coke Trust Zone; Pepsi VR with Pepsi Untrust Zone and Pepsi Trust Zone]


LSYS-BASED SEPARATION

• Complex design
• Lower scale (possible additional overhead)
• Overlapping IP addresses supported
• Routing protocols per VR give additional flexibility (and introduce performance caveats)
• User-based admin supported

[Diagram: Coke LSYS and Pepsi LSYS, each with its own user, VR, Untrust Zone and Trust Zone]


VIRTUALIZATION: VIRTUAL ROUTERS


DIFFERENCE IN OWNERSHIP HIERARCHY

ScreenOS: Virtual Router > Zone > Interface > IP Address
JUNOS: Routing Instance > Interface > IP Address, and separately Zone > Interface

Virtual router split from zones in JUNOS


EXAMPLE WITH 2 INDEPENDENT VR

[Diagram: Red-VR with zones red-untrust and red-trust; Blue-VR with zones blue-trust and blue-untrust]


VIRTUAL ROUTERS - SIMPLE EXAMPLE
Create a Virtual Router and bind interfaces to this VR

# Assign Interface IPs like usual
set interface fe-0/0/6 unit 0 family inet address 1.0.0.1/24
set interface fe-0/0/7 unit 0 family inet address 2.0.0.1/24
set interface lo0 unit 0 family inet address 3.0.0.1/32

# Create the Virtual Router, assign two physical and a loopback interface
set routing-instances red-vr instance-type virtual-router
set routing-instances red-vr interface fe-0/0/6.0
set routing-instances red-vr interface fe-0/0/7.0
set routing-instances red-vr interface lo0.0

# Also tie all interfaces to security zones
set security zone security-zone red-untrust interface fe-0/0/6.0
set security zone security-zone red-trust interface fe-0/0/7.0

# Optional: set a static route in this VR
set routing-instances red-vr routing-options static route 4.0.0.0/24 next-hop 1.0.0.2

# Optional: You can set static routes to get from one VR to another
# If you need to exchange dynamic routes you will need RIB Groups
set routing-instances red-vr routing-options static route 5.0.0.0/24 next-table blue-vr.inet.0


EXAMPLE WITH 3 CUSTOM AND ONE SHARED VR

[Diagram: Red-VR (red-trust), Blue-VR (blue-trust), Green-VR (green-trust) and the shared inet.0 VR (untrust)]


VIRTUAL ROUTERS - ROUTER DEFINITION
Create a Virtual Router and bind interfaces to this VR

# Assign Interface IPs like usual
set interface fe-0/0/5 unit 0 family inet address 1.0.0.1/24
set interface fe-0/0/6 unit 0 family inet address 2.0.0.1/24
set interface fe-0/0/7 unit 0 family inet address 3.0.0.1/24
set interface lo0 unit 0 family inet address 4.0.0.1/32

# Create the Virtual Router, assign one physical interface
set routing-instances RED-VR instance-type virtual-router
set routing-instances RED-VR interface fe-0/0/5.0

# Create the Virtual Router, assign one physical interface
set routing-instances BLUE-VR instance-type virtual-router
set routing-instances BLUE-VR interface fe-0/0/6.0

# Create the Virtual Router, assign one physical interface
set routing-instances GREEN-VR instance-type virtual-router
set routing-instances GREEN-VR interface fe-0/0/7.0


VIRTUAL ROUTERS - SECURITY ZONES
Interface binding to zones is defined independently of the VR,
BUT all interfaces in the same zone must be bound to the same VR

# Create Zones and assign interfaces
set security zones security-zone red-trust
set security zones security-zone red-trust interfaces fe-0/0/5.0
set security zones security-zone blue-trust
set security zones security-zone blue-trust interfaces fe-0/0/6.0
set security zones security-zone green-trust
set security zones security-zone green-trust interfaces fe-0/0/7.0

# If desired enable management
set security zones security-zone red-trust host-inbound-traffic system-services all
set security zones security-zone red-trust host-inbound-traffic protocols all
set security zones security-zone blue-trust host-inbound-traffic system-services all
set security zones security-zone blue-trust host-inbound-traffic protocols all

# Add policies to permit traffic
edit security policies from-zone red-trust to-zone untrust
set policy outbound1 match source-address any
set policy outbound1 match destination-address any
set policy outbound1 match application any
set policy outbound1 then permit
set policy outbound1 then log session-close session-init
exit
top


VIRTUAL ROUTERS - EXCHANGING ROUTES BETWEEN VIRTUAL ROUTERS
# To set a route from one VR to another just use the instance name as next-table
edit routing-instances BLUE-VR
set routing-options static route 10.0.0.0/8 next-table RED-VR.inet.0
top

# To redistribute Routes that exist in one VR into another use Filters
edit policy-options policy-statement SUMMARY-RED
set term ACCEPT from instance RED-VR
set term ACCEPT from route-filter 10.0.0.0/8 exact
set term ACCEPT then tag 5000
set term ACCEPT then accept
top

set routing-instances BLUE-VR routing-options instance-import SUMMARY-RED


VIRTUAL ROUTERS - RIB-GROUPS
RIB Groups (RIB = Routing Information Base) are useful if you want to share static and dynamic routes between multiple VRs

# Create a rib-group
set routing-options static rib-group test-rib

# Routes imported into the rib-group are distributed to the rib
set routing-options rib-groups test-rib import-rib inet.0
set routing-options rib-groups test-rib import-rib RED-VR.inet.0
# set routing-options rib-groups test-rib import-rib BLUE-VR.inet.0
# set routing-options rib-groups test-rib import-rib GREEN-VR.inet.0

# Only one rib can be used to export (primary-rib by default)
set routing-options rib-groups test-rib export-rib inet.0

# Optional: publish interface routes to the RIB
set routing-instances RED-VR routing-options interface-routes rib-group inet test-rib
set routing-instances BLUE-VR routing-options interface-routes rib-group inet test-rib
set routing-instances GREEN-VR routing-options interface-routes rib-group inet test-rib


VIRTUAL ROUTERS
RIB-GROUPS, FILTER

Policies can be applied to drop unwanted routes

# Create a policy statement (rib names are case sensitive; the instance is RED-VR as defined above)
edit policy-options policy-statement into-red
set term reject-to-red from family inet protocol ospf
set term reject-to-red to rib RED-VR.inet.0
set term reject-to-red then reject
top

# Apply the policy to the rib-group: it filters the routes as they are imported into the member ribs
set routing-options rib-groups test-rib import-policy into-red


VIRTUAL ROUTERSNOTES AND LIMITATIONS

RIB groups are useful to share routes between multiple VRs

Before JUNOS 10.4 IPsec VPN interfaces could only be terminated in zones that are assigned to inet.0 (see KB12866)

For self-initiated management traffic (e.g. syslog, traps) the route lookup starts in the default VR (inet.0)

Interfaces that are not explicitly members of a custom VR are members of inet.0

DHCP server and DHCP relay inside a VR require JUNOS 10.4R5 or higher

Static routes with next-table from VR1 to VR2 and at the same time from VR2 to VR1 will not commit (potential loop). You have to introduce a third VR as additional hop for one direction.
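The commit check behind the last note can be reproduced offline. The following Python is an added example (not from the quickstart and not Juniper code): it reads `set` lines in the form used on this page, builds the graph of next-table references between VRs, and reports the direct A to B and B to A pairs that the page says will not commit. It also lists longer cycles, because the workaround with a third VR only avoids the pairwise check; that the commit check is pairwise and that a longer cycle can still forward packets in a circle is an assumption drawn from the workaround, not something the page states. The config lines are constructed.

```python
import re

# Both forms of a static next-table route used on this page (constructed sample syntax):
#   set routing-instances RED-VR routing-options static route 10.0.0.0/8 next-table BLUE-VR.inet.0
#   set routing-options static route 10.0.0.0/8 next-table RED-VR.inet.0     (default VR, inet.0)
NEXT_TABLE_RE = re.compile(
    r"^set (?:routing-instances (?P<vr>\S+) )?routing-options static route "
    r"(?P<prefix>\S+) next-table (?P<table>\S+)$"
)
MASTER = "master"  # name used here for the default VR (inet.0)


def _vr_of_table(table):
    """RED-VR.inet.0 -> RED-VR, inet.0 -> master."""
    if table == "inet.0":
        return MASTER
    return table[:-len(".inet.0")] if table.endswith(".inet.0") else table


def next_table_graph(config_lines):
    """Directed graph: VR -> set of VRs it points at via next-table."""
    graph = {}
    for line in config_lines:
        m = NEXT_TABLE_RE.match(line.strip())
        if m:
            src = m.group("vr") or MASTER
            graph.setdefault(src, set()).add(_vr_of_table(m.group("table")))
    return graph


def mutual_next_table_pairs(config_lines):
    """VR pairs pointing at each other; this is what the commit check rejects."""
    graph = next_table_graph(config_lines)
    pairs = {tuple(sorted((a, b))) for a in graph for b in graph[a] if a in graph.get(b, ())}
    return sorted(pairs)


def next_table_cycles(config_lines):
    """Every elementary cycle of any length (assumption: cycles longer than two pass
    commit, which is why a third VR works as a workaround, but can still loop packets)."""
    graph = next_table_graph(config_lines)
    found = set()

    def walk(start, node, path):
        for nxt in graph.get(node, ()):
            if nxt == start:
                found.add(tuple(path))
            elif nxt not in path:
                walk(start, nxt, path + [nxt])

    for start in graph:
        walk(start, start, [start])
    # rotate each cycle so it starts at its smallest name, which removes duplicates
    canonical = set()
    for cycle in found:
        i = cycle.index(min(cycle))
        canonical.add(cycle[i:] + cycle[:i])
    return sorted(canonical)


# Constructed configs: the rejected two-way case and the page's three-VR workaround
LOOP_CONFIG = [
    "set routing-instances RED-VR routing-options static route 10.0.0.0/8 next-table BLUE-VR.inet.0",
    "set routing-instances BLUE-VR routing-options static route 192.168.0.0/16 next-table RED-VR.inet.0",
]
WORKAROUND_CONFIG = [
    "set routing-instances RED-VR routing-options static route 10.0.0.0/8 next-table BLUE-VR.inet.0",
    "set routing-instances BLUE-VR routing-options static route 192.168.0.0/16 next-table HOP-VR.inet.0",
    "set routing-instances HOP-VR routing-options static route 192.168.0.0/16 next-table RED-VR.inet.0",
]

if __name__ == "__main__":
    for name, cfg in (("two-way", LOOP_CONFIG), ("via third VR", WORKAROUND_CONFIG)):
        print(name, "will not commit:", mutual_next_table_pairs(cfg), "cycles:", next_table_cycles(cfg))
```

Run it against `show configuration | display set` output before committing a multi-VR design; the second function is the one to watch, since a three-hop circle is exactly what the documented workaround produces if the prefixes overlap.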


VIRTUALIZATION: LOGICAL SYSTEMS


LOGICAL SYSTEMS

Root System (= physical firewall) is always there. The Root Admin can
- create new Lsys
- create user admin(s) for the Lsys
- create and assign Lsys Profiles
- create and assign logical interfaces to Lsys
- configure the interconnect Lsys0

Lsys0 has a special role as the interconnect Lsys:
- all traffic between User Lsys and Rootsys goes through Lsys0
- for this purpose Lsys0 has an lt interface to each Lsys and to the Rootsys

Lsys1..32 are the user logical systems themselves

Each user logical system can have
- a number of zones, interfaces and 0, 1 or more Virtual Routers
- exactly one interface to the interconnect Lsys0 (lt0.x)
- one or more users to configure routing and security inside the Lsys


EXAMPLE SETUP

Root System with
- shared Internet uplink
- separate VR vrf-root

Interconnect Lsys0 with
- separate VR vr-ic
- lt interfaces to the root and to each lsys

Two custom Lsys with
- private interfaces and zones
- lt interfaces to the interconnect Lsys0


LOGICAL SYSTEMS CONFIGURATION 1/4 - PROFILES AND USERS

# Define a profile with the system limits for each user logical system
# (reserved is guaranteed to the Lsys, maximum is the cap it may grow to)
set system security-profile USER-LSYS policy maximum 50
set system security-profile USER-LSYS policy reserved 25
set system security-profile USER-LSYS address-book maximum 100
set system security-profile USER-LSYS address-book reserved 50
# Lsys names are case sensitive and must match the logical-systems created later
set system security-profile USER-LSYS logical-system [COKE-LSYS PEPSI-LSYS]

# Add the root system profile. All off-box logging comes from the root LSYS.
# If this is undefined then syslog/SNMP will not work
set system security-profile ROOT-LSYS auth-entry maximum 5
set system security-profile ROOT-LSYS policy maximum 5
set system security-profile ROOT-LSYS policy reserved 1
set system security-profile ROOT-LSYS policy-with-count maximum 0
set system security-profile ROOT-LSYS root-logical-system

# Add the LSYS to your login classes to assign users to an LSYS
# Users are assigned to a login class to get their rights, and with LSYS
# they also get assigned to an LSYS at the same time
set system login class COKE-LOGIN logical-system COKE-LSYS
set system login class PEPSI-LOGIN logical-system PEPSI-LSYS

# Create users for each Lsys
set system login user coke class COKE-LOGIN
set system login user pepsi class PEPSI-LOGIN


LOGICAL SYSTEMS CONFIGURATION 2/4 - INTERCONNECT

# Set up lt-0/0/0.x interfaces in the interconnect LSYS0
# LSYS0 is layer 2 only and will hold multiple LT interfaces
# all other LSYS will only have a single LT interface
# LT interfaces are paired one-to-one (unit 0 <-> 1, 2 <-> 3, 4 <-> 5)
set logical-systems LSYS0 interfaces lt-0/0/0 unit 0 encapsulation ethernet-vpls
set logical-systems LSYS0 interfaces lt-0/0/0 unit 0 peer-unit 1
set logical-systems LSYS0 interfaces lt-0/0/0 unit 2 encapsulation ethernet-vpls
set logical-systems LSYS0 interfaces lt-0/0/0 unit 2 peer-unit 3
set logical-systems LSYS0 interfaces lt-0/0/0 unit 4 encapsulation ethernet-vpls
set logical-systems LSYS0 interfaces lt-0/0/0 unit 4 peer-unit 5

# Set up the other end of each pair; LT interfaces in LSYS > 0 need an IP address
# peer-unit must point back at the LSYS0 unit it is paired with, and the units that
# belong to a user LSYS are configured inside that logical system

# LT interface in the Rootsys (peer of LSYS0 unit 0)
set interfaces lt-0/0/0 unit 1 encapsulation ethernet
set interfaces lt-0/0/0 unit 1 peer-unit 0
set interfaces lt-0/0/0 unit 1 family inet address 10.0.1.1/24

# LT interface in the Lsys Coke (peer of LSYS0 unit 2)
set logical-systems COKE-LSYS interfaces lt-0/0/0 unit 3 encapsulation ethernet
set logical-systems COKE-LSYS interfaces lt-0/0/0 unit 3 peer-unit 2
set logical-systems COKE-LSYS interfaces lt-0/0/0 unit 3 family inet address 10.0.1.2/24

# LT interface in the Lsys Pepsi (peer of LSYS0 unit 4)
set logical-systems PEPSI-LSYS interfaces lt-0/0/0 unit 5 encapsulation ethernet
set logical-systems PEPSI-LSYS interfaces lt-0/0/0 unit 5 peer-unit 4
set logical-systems PEPSI-LSYS interfaces lt-0/0/0 unit 5 family inet address 10.0.1.3/24


LOGICAL SYSTEMS CONFIGURATION 3/4 - FIRST USER LSYS

# Now set up the COKE logical system
edit logical-systems COKE-LSYS
set interfaces reth1 unit 1 vlan-id 1
set interfaces reth1 unit 1 family inet address 12.1.1.1/24
edit routing-instances COKE-VR
set instance-type virtual-router
set interface reth1.1
set interface lt-0/0/0.3
# default route points at the root system's LT address on the interconnect (10.0.1.1)
set routing-options static route 0.0.0.0/0 next-hop 10.0.1.1
up
set security zones security-zone Coke-Trust
set security zones security-zone Coke-Trust host-inbound-traffic system-services ping
set security zones security-zone Coke-Trust interfaces reth1.1
# the untrust zone of this Lsys holds its own LT interface (lt-0/0/0.3), not the root's lt-0/0/0.1
set security zones security-zone Coke-Untrust interfaces lt-0/0/0.3
edit security policies from-zone Coke-Trust to-zone Coke-Untrust
set policy to-Inter-LSYS match source-address any
set policy to-Inter-LSYS match destination-address any
set policy to-Inter-LSYS match application any
set policy to-Inter-LSYS then permit
top


LOGICAL SYSTEMS CONFIGURATION 4/4 - SECOND USER LSYS

# Now set up the PEPSI logical system
edit logical-systems PEPSI-LSYS
# a second unit on the same reth1 needs its own vlan-id (vlan-id 1 is already used by reth1.1)
set interfaces reth1 unit 2 vlan-id 2
set interfaces reth1 unit 2 family inet address 13.1.1.1/24
edit routing-instances PEPSI-VR
set instance-type virtual-router
set interface reth1.2
set interface lt-0/0/0.5
# default route points at the root system's LT address on the interconnect (10.0.1.1)
set routing-options static route 0.0.0.0/0 next-hop 10.0.1.1
up
set security zones security-zone PEPSI-Trust
set security zones security-zone PEPSI-Trust host-inbound-traffic system-services ping
set security zones security-zone PEPSI-Trust interfaces reth1.2
set security zones security-zone PEPSI-Untrust interfaces lt-0/0/0.5
edit security policies from-zone PEPSI-Trust to-zone PEPSI-Untrust
set policy to-Inter-LSYS match source-address any
set policy to-Inter-LSYS match destination-address any
set policy to-Inter-LSYS match application any
set policy to-Inter-LSYS then permit
top


LOGICAL SYSTEMS MONITORING

# Flow statistics
show security flow statistics root-logical-system
show security flow statistics logical-system <all|Lsys>

# Assigned profile and current usage for each individual profile parameter
show system security-profile ? logical-system <all|Lsys>


VPN


IPSEC VPN FLAVOURS

Policy Based VPN
- For site-to-site VPNs
- Upon match a security policy sets up a VPN tunnel

Route Based VPN
- For site-to-site VPNs
- Specify a VPN tunnel interface (st0.x)
- Upon match a security policy permits traffic to this tunnel interface

Dynamic VPN
- For remote access of travelling users
- Rollout and update of VPN client software
- Authenticate the user and assign IPs during VPN establishment


ROUTE BASED VPN


ROUTE BASED VPN SITE-TO-SITE WITH MAIN MODE (1/3)

# Enable IKE traffic on the untrust interface
edit security zones security-zone untrust interfaces ge-0/0/1.0
set host-inbound-traffic system-services ike
top

# Define Phase 1 Proposal
edit security ike proposal P1-AES
set authentication-method pre-shared-keys
set dh-group group2
set authentication-algorithm sha1
set encryption-algorithm aes-128-cbc
top

# Define Phase 2 Proposal
set security ipsec proposal P2-AES protocol esp
set security ipsec proposal P2-AES authentication-algorithm hmac-sha1-96
set security ipsec proposal P2-AES encryption-algorithm aes-128-cbc

# Predefined proposal sets also exist
lab@srx-210# set security ike policy ike-policy-1 proposal-set ?
Possible completions:
  basic                IKE proposal-set for basic
  compatible           IKE proposal-set for compatible
  standard             IKE proposal-set for standard
[edit]


ROUTE BASED VPN SITE-TO-SITE WITH MAIN MODE (2/3)

# Phase 1 Gateway Definition
set security ike policy IKE-POLICY-1 mode main
set security ike policy IKE-POLICY-1 proposals P1-AES
# "juniper" is a lab placeholder; use a long random pre-shared key in production
set security ike policy IKE-POLICY-1 pre-shared-key ascii-text juniper

set security ike gateway GW1 address 172.16.42.11
# external-interface is the interface on which IKE was allowed above (untrust, ge-0/0/1.0)
set security ike gateway GW1 external-interface ge-0/0/1.0
set security ike gateway GW1 ike-policy IKE-POLICY-1

# Phase 2 VPN definition
set security ipsec policy IPSEC-POLICY-1 proposals P2-AES
set security ipsec policy IPSEC-POLICY-1 perfect-forward-secrecy keys group2

set security ipsec vpn VPN1 ike gateway GW1
set security ipsec vpn VPN1 ike ipsec-policy IPSEC-POLICY-1

# Optional VPN monitor (Phase 2 keepalive as ping inside the tunnel)
set security ipsec vpn VPN1 vpn-monitor optimized

# Use this statement - on one side of the VPN - to get the tunnel established immediately
set security ipsec vpn VPN1 establish-tunnels immediately


ROUTE BASED VPN SITE-TO-SITE WITH MAIN MODE (3/3)

# Create a secure tunnel interface and put it into a zone
set interfaces st0 unit 0 family inet
set security zones security-zone trust interfaces st0.0

# Optional: if a numbered interface is required, set an interface IP
set interfaces st0 unit 0 family inet address 1.1.1.1/28

# Configure routing into the tunnel
set routing-options static route 10.1.1.0/24 next-hop st0.0

# Assign the IPsec configuration to the interface
set security ipsec vpn VPN1 bind-interface st0.0

# There are global options (system wide for all Phase 2 SAs) to set the VPN monitor thresholds
# Default is interval 10, threshold 10, which results in 100 sec detection time
set security ipsec vpn-monitor-options interval 3
set security ipsec vpn-monitor-options threshold 3


ROUTE BASED VPN ADDITIONAL OPTIONS

# Interface for a second VPN tunnel: use the name st0 with another unit
set interfaces st0 unit 1 family inet

# By default the proxy-ID is local 0.0.0.0/0 remote 0.0.0.0/0 service 0 (any)
# To override this for third-party compatibility you can manually set one proxy-id
# When the SRX checks an incoming proxy-id, a more specific peer ID is accepted by a less specific configured ID
# Example: a remote ID of 192.168.1.0/24 is accepted when our configured proxy-ID is 0.0.0.0/0
set security ipsec vpn vpn-1 ike proxy-identity local <net> remote <net> service <svc>

# Next-hop tunnel binding - allows multiple endpoints on one tunnel interface
set interfaces st0 unit 0 multipoint

# Dead peer detection (Phase 1 keepalive as IKE message)
set security ike gateway GW1 dead-peer-detection


ROUTE BASED VPN BRANCH-TO-CENTRAL WITH AGGRESSIVE MODE (1/2)

Aggressive mode is used because the branch has a dynamic IP and must present its IKE-ID (here user-at-hostname) so the central site can find the right gateway. Keep in mind that aggressive mode sends the identities in clear text and the hash that authenticates the exchange is derived from the pre-shared key, so a captured exchange can be attacked offline: use a long random PSK (or certificates), never a word like the placeholder "secret" below.

Branch Site with Dynamic IP

# Phase 1 Gateway Definition
set security ike policy BRANCH-POLICY mode aggressive
set security ike policy BRANCH-POLICY proposal-set standard
set security ike policy BRANCH-POLICY pre-shared-key ascii-text secret

set security ike gateway CENTRAL-GW ike-policy BRANCH-POLICY
set security ike gateway CENTRAL-GW address 1.1.1.1
set security ike gateway CENTRAL-GW local-identity user-at-hostname "[email protected]"
set security ike gateway CENTRAL-GW external-interface pp0.0

Central Site with Fixed IP (1.1.1.1)

# Phase 1 Gateway Definition
set security ike policy BRANCH-POLICY mode aggressive
set security ike policy BRANCH-POLICY proposal-set standard
set security ike policy BRANCH-POLICY pre-shared-key ascii-text secret

set security ike gateway BRANCH-GW ike-policy BRANCH-POLICY
set security ike gateway BRANCH-GW dynamic user-at-hostname "[email protected]"
set security ike gateway BRANCH-GW external-interface ge-0/0/0.0


ROUTE BASED VPN BRANCH-TO-CENTRAL WITH AGGRESSIVE MODE (2/2)

Branch Site with Dynamic IP

# Phase 2 definitions with tunnel binding and optional Proxy-ID
set security ipsec policy BRANCH-POLICY proposal-set standard
set security ipsec vpn CENTRAL-VPN bind-interface st0.0
set security ipsec vpn CENTRAL-VPN vpn-monitor optimized
set security ipsec vpn CENTRAL-VPN ike gateway CENTRAL-GW
set security ipsec vpn CENTRAL-VPN ike proxy-identity local 10.0.0.0/24
set security ipsec vpn CENTRAL-VPN ike proxy-identity remote 20.0.0.0/24
set security ipsec vpn CENTRAL-VPN ike proxy-identity service any
set security ipsec vpn CENTRAL-VPN ike ipsec-policy BRANCH-POLICY
set security ipsec vpn CENTRAL-VPN establish-tunnels immediately
# Route into the tunnel (the central network, matching the remote proxy-ID)
set routing-options static route 20.0.0.0/24 next-hop st0.0

Central Site with Fixed IP

# Phase 2 definitions with tunnel binding and optional Proxy-ID
set security ipsec policy BRANCH-POLICY proposal-set standard
set security ipsec vpn BRANCH-VPN bind-interface st0.0
set security ipsec vpn BRANCH-VPN vpn-monitor optimized
set security ipsec vpn BRANCH-VPN ike gateway BRANCH-GW
set security ipsec vpn BRANCH-VPN ike proxy-identity local 20.0.0.0/24
set security ipsec vpn BRANCH-VPN ike proxy-identity remote 10.0.0.0/24
set security ipsec vpn BRANCH-VPN ike proxy-identity service any
set security ipsec vpn BRANCH-VPN ike ipsec-policy BRANCH-POLICY
# Route into the tunnel (the branch network, matching the remote proxy-ID)
set routing-options static route 10.0.0.0/24 next-hop st0.0


POLICY BASED VPN


POLICY BASED VPN CONFIGURATION

TODO

Technote: http://www.juniper.net/us/en/local/pdf/app-notes/3500175-en.pdf


VPN WITH CERTIFICATES


VPN WITH CERTIFICATES (1/6)

PKI Operations

# Create a CA profile (simplified, with CRL checking disabled)
set security pki ca-profile ca-profile-ipsec ca-identity xyz.com
set security pki ca-profile ca-profile-ipsec revocation-check disable

# Create a key pair (1024 bit as in this lab; use 2048 bit or larger for anything real)
request security pki generate-key-pair certificate-id ca-ipsec size 1024

# Create a certificate request for the local device certificate
request security pki generate-certificate-request certificate-id ca-ipsec subject "CN=srx210-bot,OU=IT,L=LAB" ip-address 10.1.0.1 domain-name srx210-bot.xyz.com

Copy the output of the above command to a file and use it as the signing request for your CA.

It is very important to define the "X509v3 Subject Alternative Name". JUNOS supports ip-address, domain-name and email. In this request we define an ip-address and the domain-name. This attribute is used as the IKE-ID and has to match the IKE configuration (local-identity).

The signing CA has to support the "X509v3 Subject Alternative Name" extension and must carry it over from the request into the issued certificate. For OpenSSL you have to set this in the CA section (e.g. [ CA_default ]) of "openssl.cnf":

# Extension copying option: use with caution.
copy_extensions = copy


VPN WITH CERTIFICATES (2/6)

Copy the signed certificate and the CA root certificate from the CA to the SRX file system.

# Load the signed certificate from the file system
request security pki local-certificate load certificate-id ca-ipsec filename /var/tmp/certnew.cer
# Load the CA root certificate into the CA profile defined in step 1/6 (ca-profile-ipsec)
request security pki ca-certificate load ca-profile ca-profile-ipsec filename /var/tmp/CA-certnew.cer


VPN WITH CERTIFICATES (3/6)

lab@SRX210-bot> show security pki ca-certificate
Certificate identifier: ca-profile-ipsec
  Issued to: ic.xyz.com, Issued by: C = US, ST = CA, L = Sunnyvale, O = XYZ, OU = IT, CN = ic.xyz.com, emailAddress = [email protected]
  Validity:
    Not before: 09-18-2009 13:25
    Not after: 10-27-2013 13:25
  Public key algorithm: rsaEncryption(1024 bits)

lab@SRX210-bot> show security pki local-certificate detail
Certificate identifier: ca-ipsec
  Certificate version: 3
  Serial number: 00000010
  Issuer:
    Organization: XYZ, Organizational unit: IT, Country: US, State: CA, Locality: Sunnyvale, Common name: ic.xyz.com
  Subject:
    Organizational unit: IT, Locality: LAB, Common name: srx210-bot
  Alternate subject: email empty, srx210-bot.xyz.com, 10.1.0.1
  Validity:
    Not before: 12-28-2010 13:17
    Not after: 02- 5-2015 13:17
  Public key algorithm: rsaEncryption(1024 bits)
    30:81:89:02:81:81:00:aa:e8:f0:49:0f:0d:28:9e:71:5b:a7:c1:64 … bc:b2:7f:6c:26:f3:8c:54:dc:2b:7f:3d:64:0d:09:02:03:01:00:01
  Signature algorithm: sha1WithRSAEncryption
  Fingerprint:
    28:1d:f4:b6:96:41:8d:13:fa:dd:7d:fd:26:ed:2b:53:15:88:bd:97 (sha1)
    e3:1b:af:db:e7:e9:90:99:5a:c7:ac:d4:e2:ef:2a:da (md5)
  Auto-re-enrollment:
    Status: Disabled
    Next trigger time: Timer not started


VPN WITH CERTIFICATES (4/6)

VPN Configuration

The "local-identity" has to match the "X509v3 Subject Alternative Name" of the gateway's local certificate, because it is used as the IKE-ID. Since 10.2 there is a hidden command "set security ike gateway srx210-top general-ikeid" to ignore an IKE-ID mismatch. Nevertheless the certificate needs a "X509v3 Subject Alternative Name" to get Phase 1 up.

The IPsec (Phase 2) configuration is the same as with pre-shared keys.

# Create IKE proposal
set security ike proposal P1-AES-CERT authentication-method rsa-signatures
set security ike proposal P1-AES-CERT dh-group group2
set security ike proposal P1-AES-CERT authentication-algorithm sha1
set security ike proposal P1-AES-CERT encryption-algorithm aes-256-cbc

# Create IKE policy
set security ike policy ike-policy-1 mode main
set security ike policy ike-policy-1 proposals P1-AES-CERT
set security ike policy ike-policy-1 certificate local-certificate ca-ipsec
set security ike policy ike-policy-1 certificate trusted-ca use-all
set security ike policy ike-policy-1 certificate peer-certificate-type x509-signature

# Create IKE gateway
set security ike gateway srx210-top ike-policy ike-policy-1
set security ike gateway srx210-top address 10.1.0.10
# local-identity must equal the ip-address SAN requested in the certificate request (10.1.0.1)
set security ike gateway srx210-top local-identity inet 10.1.0.1
set security ike gateway srx210-top external-interface ge-0/0/1.0


VPN WITH CERTIFICATES (5/6)

Advanced Features CRL-Checking and SCEP Auto-enrollment

# Create a CA profile with CRL checking and SCEP enrollment
set security pki ca-profile RSA_CA_LAB ca-identity RSA-CA
set security pki ca-profile RSA_CA_LAB enrollment url https://10.100.160.59:446/aca4eeb14189074335ac14b30259698fa8862b66/pkiclient.exe
set security pki ca-profile RSA_CA_LAB revocation-check crl url http://10.100.160.59:447/RSA-CA.crl
set security pki ca-profile RSA_CA_LAB revocation-check crl refresh-interval 24

# Automatic re-enrollment via SCEP. The challenge password is stored in $9$ form,
# which is reversible obfuscation, not encryption: protect the configuration file accordingly
set security pki auto-re-enrollment certificate-id SRX-210-HQ ca-profile-name RSA_CA_LAB
set security pki auto-re-enrollment certificate-id SRX-210-HQ challenge-password "$9$3qaq6/t0ORSyKu0LxdVY2"
set security pki auto-re-enrollment certificate-id SRX-210-HQ re-enroll-trigger-time-percentage 5


VPN WITH CERTIFICATES (6/6)

root@SRX-210-HQ-1> show security pki crl detail | no-more
CA profile: RSA_CA_LAB
  CRL version: V00000001
  CRL issuer: C = CH, O = SA, OU = Security, CN = RSA-CA
  Effective date: 11- 9-2010 13:54
  Next update: 11-10-2010 13:54
  Revocation List:
    Serial number                     Revocation date
    1b9433a6682555883abf042c15e602da  06-10-2010 07:54
    21fffde9d68115b3d9335a97c8744b46  11- 9-2010 13:30
    4a5c1a9e624cd522b49f0485272c42b4  06-10-2010 08:28
    4de41accc7e4cc606a1dad93cb510092  06-22-2010 06:31
    59304b23b9e6f80abd9fe0325af16b80  06- 9-2010 14:16
    5b336a94660f5a69e00b48af9662b71d  11- 8-2010 17:36
    678a297eccfe78ab0d693ff162e8cdf4  06- 9-2010 15:01
    6bf7aff47f68f8687a1f14f0df2b014a  11- 8-2010 15:48
    6f4168f96a06957ac769be5465f753a2  06- 9-2010 15:09
    8610479e69f64eb08972b27bba24365a  06-10-2010 07:47
    89ac59d9df40954feac5c57e4d0739a2  11- 9-2010 13:31
    bec78a93e4101f71c782784b34c33ef4  11- 9-2010 10:47
    cadd34f4f77f5042198792dd02cbcb1a  06-22-2010 07:35
    e87b6aa7ea5562ecdd1379e51bb02ba8  06- 9-2010 13:24


VPN DIAGNOSTICS


IPSEC VPN MONITORING AND TROUBLESHOOTING (1)

### Ping through the VPN - sometimes you have to alter the source interface
# or the routing-instance to get the ping into the tunnel
ping 192.168.1.1 [routing-instance xx] interface fe-0/0/7.0

### Monitoring
# Phase 1 - cookies
show security ike security-associations
# Phase 2 - security associations
show security ipsec security-associations
# IPsec and interface statistics
show security ipsec statistics
show interfaces st0 [terse|detail]
# Manually clear tunnels
clear security ike
clear security ipsec
# Logs and traces are by default written to the file kmd
file show /var/log/kmd | last

### JUNOS 11.4 and 12.1X44 have several improvements for IPsec troubleshooting
# 1. extended output for show security ike|ipsec security-associations
# 2. start debugging for a certain session without commit, output is written to kmd
request security ike debug-enable local 10.1.1.10 remote 10.1.1.30 level 15
request security ike debug-disable
show security ike debug-status
# 3. inactive tunnel information
show security ipsec inactive-tunnels


IPSEC VPN MONITORING AND TROUBLESHOOTING (2)

Tunnel interface up/down is logged in syslog:

Jul 29 11:34:08 192.168.1.1 Jul 29 11:34:08 mib2d[921]: SNMP_TRAP_LINK_UP: ifIndex 253, ifAdminStatus up(1), ifOperStatus up(1), ifName st0.0
Jul 29 11:34:08 192.168.1.1 Jul 29 11:34:08 rpd[897]: EVENT UpDown st0.0 index 80 <Up Broadcast PointToPoint Multicast>
Jul 29 11:34:08 192.168.1.1 Jul 29 11:34:08 srx650-1 IFP trace> ifp_ifl_anydown_change_event: IFL anydown change event: "st0.0"

If more details are required, use an IKE trace file:

set security ike traceoptions file VPNtrace
set security ike traceoptions file files 3
set security ike traceoptions file size 1m
set security ike traceoptions flag ike
set security ike traceoptions flag policy-manager


IPSEC VPN MONITORING AND TROUBLESHOOTING (3)

Example output from the IKE trace file:

Jul 29 12:32:39 ike_st_o_all_done: MESSAGE: Phase 1 { 0x4a583c5c adb05f96 - 0xebace718 6f0a0626 } / 00000000, version = 1.0, xchg = Identity protect, auth_method = Pre shared keys, Initiator, cipher = aes-cbc, hash = sha1, prf = hmac-sha1, life = 0 kB / 3600 sec, key len
Jul 29 12:32:39 10.2.1.1:500 (Initiator) <-> 10.2.1.100:500 { 4a583c5c adb05f96 - ebace718 6f0a0626 [-1] / 0x00000000 } IP; MESSAGE: Phase 1 version = 1.0, auth_method = Pre shared keys, cipher = aes-cbc, hash = sha1, prf = hmac-sha1, life = 0 kB / 3600 sec, key len = 12
Jul 29 12:32:39 10.2.1.1:500 (Initiator) <-> 10.2.1.100:500 { 4a583c5c adb05f96 - ebace718 6f0a0626 [0] / 0x774c39de } QM; MESSAGE: Phase 2 connection succeeded, Using PFS, group = 2
Jul 29 12:32:39 ike_qm_call_callback: MESSAGE: Phase 2 connection succeeded, Using PFS, group = 2
Jul 29 12:32:39 10.2.1.1:500 (Initiator) <-> 10.2.1.100:500 { 4a583c5c adb05f96 - ebace718 6f0a0626 [0] / 0x774c39de } QM; MESSAGE: SA[0][0] = ESP aes, life = 0 kB/28800 sec, group = 2, tunnel, hmac-sha1-96, key len = 128, key rounds = 0
Jul 29 12:32:39 ike_qm_call_callback: MESSAGE: SA[0][0] = ESP aes, life = 0 kB/28800 sec, group = 2, tunnel, hmac-sha1-96, key len = 128, key rounds = 0

# Example output for a proposal mismatch in Phase 2 (QM = Quick Mode) looks like this:
Jul 29 12:40:25 10.2.1.1:500 (Responder) <-> 10.2.1.100:500 { a0e2f3a5 e02b5e54 - 9b9f2cf3 bf990db6 [0] / 0xf1d579af } QM; Error = No proposal chosen (14)

# Example output for a Proxy-ID mismatch looks like this:
Apr 19 12:47:20 KMD_PM_P2_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-2 [responder] failed for p1_local=ipv4(udp:500,[0..3]=172.16.42.210) p1_remote=usr@fqdn(udp:500,[0..14][email protected]) p2_local=ipv4_subnet(any:0,[0..7]=10.0.42.210/24) p2_remote=ipv4_subnet(any:0,[0..7]=192.16.42.220/24)
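An added example in Python (not from the quickstart and not Juniper code) that ties these trace lines to the proxy-ID rule on the "ROUTE BASED VPN ADDITIONAL OPTIONS" slide: it classifies kmd/IKE trace lines into Phase 1 up, Phase 2 up, proposal mismatch and proxy-ID mismatch, and for a KMD_PM_P2_POLICY_LOOKUP_FAILURE line pulls out the proposed p2 selectors and checks them against our configured proxy-ID using the "more specific is accepted by less specific" rule. Assumptions: that rule is modelled as plain subnet containment on both sides, the p2_local/p2_remote fields are read from our own point of view, and the sample log lines are constructed after the ones shown above (with a plain IPv4 p1_remote instead of the e-mail identity).

```python
import re
from ipaddress import ip_network

# ---- proxy-ID acceptance (responder side) ------------------------------------------
# Rule from the page: a more specific ID from the peer is accepted by a less specific
# configured ID. Modelled here as subnet containment (assumption).

def _net(text):
    # strict=False: kmd prints host-style selectors such as 10.0.42.210/24
    return ip_network(text, strict=False)


def proxy_id_check(cfg_local, cfg_remote, proposed_local, proposed_remote):
    """Return [] if the peer's proposal fits our configured proxy-ID, else the reasons.

    proposed_* are the selectors the peer sent, seen from our side (the way kmd prints
    p2_local / p2_remote). With the default 0.0.0.0/0 on both sides anything fits."""
    reasons = []
    for side, cfg, proposed in (("local", cfg_local, proposed_local),
                                ("remote", cfg_remote, proposed_remote)):
        cfg_net, proposed_net = _net(cfg), _net(proposed)
        if not proposed_net.subnet_of(cfg_net):
            reasons.append(f"{side}: peer proposed {proposed_net}, "
                           f"our proxy-id {cfg_net} does not cover it")
    return reasons


# ---- kmd / IKE trace classification --------------------------------------------------
PEER_RE = re.compile(r"(?P<local>[\d.]+):\d+ \((?P<role>Initiator|Responder)\) <-> (?P<peer>[\d.]+):\d+")
P2_SEL_RE = re.compile(r"p2_local=\w+\([^)]*=(?P<p2_local>[\d./]+)\) "
                       r"p2_remote=\w+\([^)]*=(?P<p2_remote>[\d./]+)\)")


def classify_kmd_line(line):
    """Map one log line to (event, details) or None if it is not one we care about."""
    details = {}
    m = PEER_RE.search(line)
    if m:
        details.update(m.groupdict())
    if "KMD_PM_P2_POLICY_LOOKUP_FAILURE" in line:
        s = P2_SEL_RE.search(line)
        if s:
            details.update(s.groupdict())
        return "phase2-proxy-id-mismatch", details
    if "No proposal chosen" in line:
        # "QM;" marks Quick Mode, i.e. Phase 2; otherwise the mismatch is in Phase 1
        return ("phase2-proposal-mismatch" if " QM;" in line else "phase1-proposal-mismatch"), details
    if "Phase 2 connection succeeded" in line:
        return "phase2-established", details
    if "MESSAGE: Phase 1" in line and "auth_method" in line:
        return "phase1-established", details
    return None


def diagnose_kmd(lines, cfg_local, cfg_remote):
    """Classify all lines; for proxy-ID failures add which side of our proxy-id did not fit."""
    events = []
    for line in lines:
        hit = classify_kmd_line(line)
        if hit is None:
            continue
        event, details = hit
        if event == "phase2-proxy-id-mismatch" and "p2_local" in details:
            details["reasons"] = proxy_id_check(cfg_local, cfg_remote,
                                                details["p2_local"], details["p2_remote"])
        events.append((event, details))
    return events


# Constructed sample, modelled on the trace lines shown on this page
SAMPLE_KMD = """\
Jul 29 12:32:39 10.2.1.1:500 (Initiator) <-> 10.2.1.100:500 { 4a583c5c adb05f96 - ebace718 6f0a0626 [-1] / 0x00000000 } IP; MESSAGE: Phase 1 version = 1.0, auth_method = Pre shared keys, cipher = aes-cbc, hash = sha1, prf = hmac-sha1, life = 0 kB / 3600 sec, key len = 128
Jul 29 12:32:39 10.2.1.1:500 (Initiator) <-> 10.2.1.100:500 { 4a583c5c adb05f96 - ebace718 6f0a0626 [0] / 0x774c39de } QM; MESSAGE: Phase 2 connection succeeded, Using PFS, group = 2
Jul 29 12:40:25 10.2.1.1:500 (Responder) <-> 10.2.1.100:500 { a0e2f3a5 e02b5e54 - 9b9f2cf3 bf990db6 [0] / 0xf1d579af } QM; Error = No proposal chosen (14)
Apr 19 12:47:20 KMD_PM_P2_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-2 [responder] failed for p1_local=ipv4(udp:500,[0..3]=172.16.42.210) p1_remote=ipv4(udp:500,[0..3]=172.16.42.220) p2_local=ipv4_subnet(any:0,[0..7]=10.0.42.210/24) p2_remote=ipv4_subnet(any:0,[0..7]=192.16.42.220/24)
"""

if __name__ == "__main__":
    for event, details in diagnose_kmd(SAMPLE_KMD.splitlines(), "10.0.42.0/24", "192.168.42.0/24"):
        print(event, details)
```

Feed it `file show /var/log/kmd` output together with the proxy-identity you configured; for the sample above it reports that the peer's 192.16.42.0/24 is not covered by our 192.168.42.0/24, which is the typo a proxy-ID mismatch usually comes down to.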


VPN CONFIGURATION AND TROUBLESHOOTING
FLOW CHART WITH KNOWLEDGEBASE ENTRIES


DYNAMIC VPN CLIENT


LICENSING FOR DYNAMIC VPN

By default all Branch SRX include a license for up to 2 connections.

If you need more than 2 connections, there are licenses available.

Licenses are additive (two 5 user licenses will give you access for up to 10 users)

The client is included as part of the JUNOS image and can be downloaded from the SRX. In 11.1 the Dynamic VPN client was replaced by the JUNOS Pulse client.


DYNAMIC VPN
NOTES AND LIMITATIONS

The Dynamic VPN feature is available for Branch SRX, not for Datacenter SRX

The following limitations were removed with 10.4:

Before 10.4 an external RADIUS server was mandatory for authentication and IP address assignment; local users and IP pools were not supported

Before 10.4 an IKE gateway was required for each and every VPN user. 10.4 introduces the shared/group IKE-ID

Before 10.4 only hostnames were allowed as IKE-ID (no FQDN, no e-mail address)

Before 10.4 access to the authentication page required the public interface to be open for web management

In 11.2R3 the capacities for Dynamic VPN were increased:

SRX-RAC-500-LTU for SRX650 - requires JUNOS 11.2R3

SRX-RAC-250-LTU for SRX240 and SRX650 - requires JUNOS 11.2R3

SRX-RAC-150-LTU for SRX650/240/220

SRX-RAC-25-LTU for SRX210/100


The following notes are based on pre-10.4 releases. You should rather use the latest, excellent configuration example from http://kb.juniper.net/index?page=content&id=KB14318

Since 11.4 J-Web offers a wizard to complete the configuration

There is also a good troubleshooting guide at http://kb.juniper.net/KB17220

DYNAMIC VPN - PREPARATION

# Set the correct time zone, date and time (NTP); certificates and the client login depend on it
set system time-zone Europe/Berlin

# In operational mode
srx> set date YYYYMMDDhhmm.ss
or
srx> set date ntp de.pool.ntp.org
27 Apr 16:10:48 ntpdate[981]: step time server 213.61.224.44 offset 0.000876 sec

# Use this configuration statement to activate a self-signed certificate (unless you have a CA-signed one)
set system services web-management https system-generated-certificate

# and enable https traffic on the desired interface
set security zones security-zone untrust host-inbound-traffic system-services https

# Since 10.3: if an interface accepts dynamic-vpn connections all http traffic is redirected to
# https://<ip>/dynamic-vpn, so you can no longer manage the box on this interface unless you
# specify a separate management URL (see KB19411)
set system services web-management management-url admin


VPN CONFIGURATION

# Enable IKE traffic on the untrust interface
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ike

# Define Phase 1 Proposal
set security ike proposal P1-Dynamic-AES authentication-method pre-shared-keys
set security ike proposal P1-Dynamic-AES dh-group group2
set security ike proposal P1-Dynamic-AES authentication-algorithm sha1
set security ike proposal P1-Dynamic-AES encryption-algorithm aes-128-cbc

# Define Phase 2 Proposal
set security ipsec proposal P2-Dynamic-AES protocol esp
set security ipsec proposal P2-Dynamic-AES authentication-algorithm hmac-sha1-96
set security ipsec proposal P2-Dynamic-AES encryption-algorithm aes-128-cbc


VPN CONFIGURATION

# Phase 1 - Gateway Definition
set security ike policy dynvpn mode aggressive
set security ike policy dynvpn proposals P1-Dynamic-AES
set security ike policy dynvpn pre-shared-key ascii-text juniper
set security ike gateway gw-dyn dynamic hostname dynvpn.juniper.net
set security ike gateway gw-dyn external-interface ge-0/0/1.0
set security ike gateway gw-dyn ike-policy dynvpn
set security ike gateway gw-dyn xauth access-profile vpn-users

# Phase 2 - VPN Definition
set security ipsec policy dynvpn proposals P2-Dynamic-AES
set security ipsec policy dynvpn perfect-forward-secrecy keys group2
set security ipsec vpn ipsec-dyn ike gateway gw-dyn
set security ipsec vpn ipsec-dyn ike ipsec-policy dynvpn


VPN CONFIGURATION

Add an access profile with user definitions for the IPsec client authentication (used with XAuth), and allow the same users from the local profile to log in for the IPsec client download.

# Create a profile
set access profile vpn-users authentication-order password

# Add two users to this profile
set access profile vpn-users client thomas firewall-user password secret1
set access profile vpn-users client peter firewall-user password secret2

# The above definition with local users may work, but officially XAuth in IPsec
# is currently only supported together with RADIUS authentication
set access profile radius_profile authentication-order radius
set access profile radius_profile radius-server 10.204.129.50 secret xxx

# Use the same profile for the web login that serves the client download
set access firewall-authentication pass-through default-profile vpn-users

Page 187: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


VPN CONFIGURATION

Prepare a Policy to permit the Clients' Traffic

# Install a Policy for VPN Clients
edit security policies from-zone untrust to-zone trust policy policy-dynvpn
set match source-address any
set match destination-address any
set match application any
set then permit tunnel ipsec-vpn ipsec-dyn
set then log session-close
exit

# And move it to the beginning
edit security policies from-zone untrust to-zone trust
insert policy policy-dynvpn before policy default-permit
exit

Page 188: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


VPN CONFIGURATION

Prepare Security Policy to be delivered to the Client

# Upgrade Policy for VPN Clients (if local policy of client is newer)
set security dynamic-vpn force-upgrade

# User profile for loading the Client
set security dynamic-vpn access-profile vpn-users

# Destinations that are reachable through VPN
set security dynamic-vpn clients client-1 remote-protected-resources 192.168.1.0/24
# Destinations that are reachable without going through VPN
set security dynamic-vpn clients client-1 remote-exceptions 0.0.0.0/0

# VPN Definitions and Proposals used
set security dynamic-vpn clients client-1 ipsec-vpn ipsec-dyn

# Users that may login with this Profile
set security dynamic-vpn clients client-1 user thomas
set security dynamic-vpn clients client-1 user peter

Page 189: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


LOGIN TO DOWNLOAD VPN CLIENT

URL is https://<SRXIP>/dynamic-vpn/

Page 190: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


LOGIN TO DOWNLOAD VPN CLIENT

Page 191: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


XAUTH - ACCESS MANAGER PROMPTS FOR USERNAME

Page 192: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


ACCESS MANAGER WHEN TUNNEL IS ESTABLISHED

Page 193: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


MANAGEMENT, LOGGING, MONITORING

Page 194: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


ADMIN USERS

AND

MANAGEMENT ACCESS

Page 195: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


ADMIN USERS

Set the password of the root user

root> configure
root# set system root-authentication plain-text-password
New password:
Retype new password:

Add another User

root# set system login user netscreen class super-user authentication plain-text-password
New password:
Retype new password:

Page 196: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


USER ROLES
# Predefined User roles

lab@srx5600# set system login user <username> class ?
Possible completions:
  <class>              Login class
  operator             permissions [ clear network reset trace view ]
  read-only            permissions [ view ]
  super-user           permissions [ all ]
  unauthorized         permissions [ none ]
[edit]

# Define a new User role - even possible to restrict or permit commands

root# set system login class new-role ?
Possible completions:
  allow-commands       Regular expression for commands to allow explicitly
  allow-configuration  Regular expression for configure to allow explicitly
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  deny-commands        Regular expression for commands to deny explicitly
  deny-configuration   Regular expression for configure to deny explicitly
  idle-timeout         Maximum idle time before logout (minutes)
  login-alarms         Display system alarms when logging in
  login-script         Execute this login-script when logging in
  login-tip            Display tip when logging in
+ permissions          Set of permitted operation categories
[edit]

Page 197: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


CUSTOM ADMINISTRATOR CLASS

# Example for an Admin Class that can configure only certain policies
# (allow-configuration takes a regular expression, so multi-word values are quoted)
edit system login class AREA1
set permissions configure
set allow-configuration "routing-instances VR-1"
set allow-configuration "security policies from-zone trust-1 to-zone untrust-1"
set allow-configuration "security policies from-zone untrust-1 to-zone trust-1"
set allow-configuration "security zones security-zone trust-1"
set allow-configuration "security zones security-zone untrust-1"
top

edit system login user admin1
set class AREA1
set authentication encrypted-password "$1$6xZjWBto$6PBu4Yf17rMgd.Gm3OGUo/"
top

Page 198: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


RADIUS
# Define Server IP, Port and Shared Secret
set system radius-server 10.0.0.100 port 1812 secret abc

# Define Authentication order
set system authentication-order password
set system authentication-order radius

# Specify Source-IP, useful when using VPN-Tunnels or non fxp0
set system radius-server 172.30.81.141 source-address 172.30.80.11

# Assign a class to the remote authenticated users
# By default all Radius Users are mapped to user "remote"
set system login user remote full-name "All Remote Users"
set system login user remote class operator

# untested - connection timeout 30 minutes
root# set system login class remote idle-timeout 30

# Online Help
help topic system server-radius
help topic system radius

Page 199: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


TACACS+
# Define Server IP and Shared Secret
set system tacplus-server 172.16.30.1 secret Tacacssecret1

# Define Authentication order (local users first ; then tacplus)
set system authentication-order password
insert system authentication-order tacplus after password

# Specify Source-IP, useful when using VPN-Tunnels or non fxp0
set system tacplus-server 172.16.30.1 source-address 10.0.0.1

# Assign a class to the remote authenticated users
# By default all Tacacs+ Users are mapped to user "remote"
set system login user remote full-name "All Remote Users"
set system login user remote class operator

# Set connection timeout for users of this class to 30 minutes
root# set system login class remote idle-timeout 30

# Online Help
help topic system tacplus

Page 200: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


COOPERATION WITH OTHER USERS ON THE CLI

# Show which other Users are currently logged in on the CLI
show system users

# Write a message to all users
request message all message "Anybody logged in ? Please respond with request message"

# Drop a User
request system logout user <user>

# Drop a connection on a certain terminal
request system logout terminal <terminal>

# Lock configuration against other edits
configure exclusive

# Display Message before Login
set system login message "Unauthorized Access is prohibited"

# Display Message after Login
set system login announcement "Don't Forget !!!\nUpgrade is scheduled for Friday noon"

Page 201: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


RESTRICTING

MANAGEMENT ACCESS

Page 202: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


MANAGEMENT ACCESS OVERVIEW

Current State and Changes over Time
• individual protocols must be enabled/disabled per zone or interface (host-inbound-traffic)

• Stateless firewall filters can be applied to interfaces to restrict protocols or source-IPs

• Since JUNOS 11.4, Self Traffic Policies (firewall policies with zone junos-host) are the easiest way to restrict management traffic. They also allow all available inspection techniques (AppFW, AppTrack, IDP ..) to be used on management traffic

Page 203: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


PERMIT/RESTRICT MANAGEMENT ACCESS

# First the desired service must be running. By default only some services are started
# Defaults from JUNOS 9.6 are written in Bold

set system services ssh
set system services web-management http interface ge-0/0/0.0
set system services telnet
set system services ftp

# HTTPS Access may use a self signed certificate
# Set date and time first (in operational mode) before you activate the self-signed certificate
srx> set date YYYYMMDDhhmm.ss
# or
srx> set date ntp de.pool.ntp.org
27 Apr 16:10:48 ntpdate[981]: step time server 213.61.224.44 offset 0.000876 sec

# use this configuration statement to activate a self signed certificate (unless you have a signed one)
set system services web-management https system-generated-certificate

# Finally you can specify allowed services and protocols per Zone
edit security zones security-zone trust host-inbound-traffic
set system-services all
set protocols all
top
# or per interface. Per Interface definitions override all per Zone permissions
edit security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic
set system-services https
set system-services ssh
set system-services ping
top

Page 204: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


RESTRICT SOURCES FOR MANAGEMENT ACCESS

Before 11.4, management access had to be restricted to certain source IPs with a stateless firewall filter. The filter can be tied to each interface where host-inbound-traffic is permitted, or directly to the loopback interface lo0.0.

# Example to restrict access to the Routing-Engine to a certain subnet

# A first TERM specifies permitted sources
set firewall family inet filter PROTECT-RE term 1 from source-address 192.168.42.0/24
set firewall family inet filter PROTECT-RE term 1 from source-address <CUSTOMER-NETWORK/24>
set firewall family inet filter PROTECT-RE term 1 then accept

# A second term can be used to count all other attempts and fall through to the last term
set firewall family inet filter PROTECT-RE term 2 from source-address 0.0.0.0/0
set firewall family inet filter PROTECT-RE term 2 then count ACCESS-ATTEMPT-RE
set firewall family inet filter PROTECT-RE term 2 then next term

# A third term can be written to drop all other attempts (but this is the default already)
# because all filters end with an implicit "deny all" term
set firewall family inet filter PROTECT-RE term 3 from source-address 0.0.0.0/0
set firewall family inet filter PROTECT-RE term 3 then reject

# Now we are ready to assign the Filter to an interface
# If you bind the filter to lo0.0 the filter is applied to incoming traffic from all interfaces
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
# To protect the out-of-band management interface fxp0 you need to assign the filter there explicitly
set interfaces fxp0 unit 0 family inet filter input PROTECT-RE

# To monitor access attempts you can later use the counter with the following command
show firewall filter PROTECT-RE counter ACCESS-ATTEMPT-RE

Page 205: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


A TEMPLATE FOR MANAGEMENT ACCESS

# Firewall Filter Example to restrict management access

edit firewall filter RE_Protection
set term in-ssh from source-address <trusted host or network>
set term in-ssh from protocol tcp
set term in-ssh from destination-port ssh
set term in-ssh then accept
set term snmp from source-address <SNMP Poller>
set term snmp from protocol udp
set term snmp from port snmp
set term snmp then accept
set term ntp from source-address <NTP SERVER>/32
set term ntp from source-address <NTP SERVER>/32
set term ntp from protocol udp
set term ntp from port ntp
set term ntp then accept
set term deny-any-other-ssh from protocol tcp
set term deny-any-other-ssh from port ssh
set term deny-any-other-ssh from port telnet
set term deny-any-other-ssh from port ftp
set term deny-any-other-ssh from port ftp-data
set term deny-any-other-ssh then discard
set term deny-any-other-udp from protocol udp
set term deny-any-other-udp from port snmp
set term deny-any-other-udp from port snmptrap
set term deny-any-other-udp from port ntp
set term deny-any-other-udp then discard
set term allow-everything-else then accept
top
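Both PROTECT-RE on the previous page and the RE_Protection template above rely on the same term semantics: first match wins, "then next term" keeps evaluating after counting, and an unmatched packet hits the implicit discard at the end. The following Python model is an added example (not from the slides) that replays those two filters over constructed packets; the trusted network, SNMP poller and NTP server addresses, and the customer prefix, are assumed placeholder values, and only source address, protocol and ports are modelled.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Service names used in the filters on this page, resolved to port numbers
SERVICE = {"ssh": 22, "telnet": 23, "ftp": 21, "ftp-data": 20,
           "snmp": 161, "snmptrap": 162, "ntp": 123}


@dataclass
class Packet:
    src: str                 # source IPv4 address
    protocol: str = "tcp"    # tcp | udp | icmp
    sport: int = 0
    dport: int = 0


@dataclass
class Term:
    name: str
    src: list = field(default_factory=list)       # from source-address ...
    protocol: Optional[str] = None                # from protocol ...
    port: set = field(default_factory=set)        # from port ... (source OR destination)
    dport: set = field(default_factory=set)       # from destination-port ...
    count: Optional[str] = None                   # then count <counter>
    action: str = "accept"                        # accept | reject | discard | next-term

    def matches(self, p: Packet) -> bool:
        """Every configured 'from' condition must hold; an absent condition matches anything."""
        if self.src and not any(ipaddress.ip_address(p.src) in ipaddress.ip_network(n)
                                for n in self.src):
            return False
        if self.protocol and p.protocol != self.protocol:
            return False
        if self.port and p.sport not in self.port and p.dport not in self.port:
            return False
        if self.dport and p.dport not in self.dport:
            return False
        return True


class Filter:
    def __init__(self, name: str, terms: list):
        self.name, self.terms, self.counters = name, terms, {}

    def evaluate(self, p: Packet) -> str:
        """First matching term decides unless it says 'next term'; the filter ends in an implicit discard."""
        for t in self.terms:
            if not t.matches(p):
                continue
            if t.count:
                self.counters[t.count] = self.counters.get(t.count, 0) + 1
            if t.action == "next-term":
                continue
            return t.action
        return "discard"


def svc(*names):
    return {SERVICE[n] for n in names}


def protect_re(customer_net="198.51.100.0/24"):
    """PROTECT-RE from the page; <CUSTOMER-NETWORK/24> is filled with an assumed documentation prefix."""
    return Filter("PROTECT-RE", [
        Term("1", src=["192.168.42.0/24", customer_net], action="accept"),
        Term("2", src=["0.0.0.0/0"], count="ACCESS-ATTEMPT-RE", action="next-term"),
        Term("3", src=["0.0.0.0/0"], action="reject"),
    ])


def re_protection(trusted="10.1.1.0/24", poller="10.1.1.5", ntp="10.1.1.6"):
    """RE_Protection template from the page; the placeholder hosts are assumed values."""
    return Filter("RE_Protection", [
        Term("in-ssh", src=[trusted], protocol="tcp", dport=svc("ssh")),
        Term("snmp", src=[poller + "/32"], protocol="udp", port=svc("snmp")),
        Term("ntp", src=[ntp + "/32"], protocol="udp", port=svc("ntp")),
        Term("deny-any-other-ssh", protocol="tcp",
             port=svc("ssh", "telnet", "ftp", "ftp-data"), action="discard"),
        Term("deny-any-other-udp", protocol="udp",
             port=svc("snmp", "snmptrap", "ntp"), action="discard"),
        Term("allow-everything-else", action="accept"),
    ])


def demo():
    """Run constructed packets through both filters; returns the verdicts and the counter value."""
    f = protect_re()
    r1 = f.evaluate(Packet("192.168.42.7", "tcp", 40000, 22))   # permitted source
    r2 = f.evaluate(Packet("203.0.113.9", "tcp", 40001, 22))    # counted by term 2, rejected by term 3
    g = re_protection()
    r3 = g.evaluate(Packet("10.1.1.20", "tcp", 40002, 22))      # ssh from the trusted network
    r4 = g.evaluate(Packet("203.0.113.9", "tcp", 40003, 22))    # ssh from anywhere else
    r5 = g.evaluate(Packet("203.0.113.9", "tcp", 40004, 443))   # a port the template never names
    return r1, r2, f.counters.get("ACCESS-ATTEMPT-RE", 0), r3, r4, r5


if __name__ == "__main__":
    print(demo())   # ('accept', 'reject', 1, 'accept', 'discard', 'accept')
```

The last verdict is the caveat worth checking on a real box: because the template ends with allow-everything-else, any service not listed in a deny term (HTTPS here) still reaches the Routing Engine from any source.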

Page 206: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


SELF TRAFFIC FIREWALL POLICIES
# Beginning with JUNOS 11.4, traffic from and to the SRX itself
# can be permitted/denied by firewall policies
# This uses the new security-zone "junos-host"
#
# self-traffic is anything from/to the RE with any of the local interfaces
#
# By default all traffic from/to zone junos-host is permitted

# Example: Log and tunnel outbound traffic
edit security policies from-zone junos-host to-zone zone-untrust policy LOG
set match ......
set then permit tunnel ……
set then log session-close
top

# Example: IDP for inbound traffic
edit security policies from-zone zone-untrust to-zone junos-host policy INSPECT
set match ......
set then permit application-services idp
set then log session-close
top

Page 207: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


IN-BAND OR OUT-BAND

MANAGEMENT

Page 208: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


IN-BAND OR OUT-BAND MANAGEMENT

What is the difference ?
Out-band management connections use the management interface fxp0.
In-band management connections use an interface which is also used to forward traffic (for example ge-x/x/x, fe-x/x/x or rethx).

What is the Advantage/Disadvantage ?

Out-band Management through fxp0
- In HA clusters fxp0 is the only interface which is reachable on the passive node
- fxp0 is attached to the default virtual router inet.0
- fxp0 is attached to the control plane; no traffic can be forwarded from any interface to fxp0
- In Stream Mode, which is required for high performance logging, security logs can not be sent out via fxp0

In-band Management
- In HA clusters the passive node can not communicate on any in-band management interface: direct access, monitoring, delivery of software updates, scripts and attack database updates for this node is not possible and requires workarounds
- In-band Management Interfaces can be assigned to any virtual router
- In-band Interfaces allow high performance logging (stream mode)

Page 209: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


WHICH WAY SHOULD I CHOOSE ?

Out-band Management is preferred
- for any Datacenter SRX Cluster, because NSM management of these SRX as virtual chassis is not possible
- for any Branch SRX Cluster installation where the management systems can connect directly to the fxp0 interfaces, i.e. are on the same side of the firewall as the management interfaces (see slides on the next pages for details)

In-band Management is preferred
- in all Branch SRX installations which are not clusters
- in all Branch SRX cluster installations where the central management is standing at a central position and needs to cross the primary SRX first before it can even reach the fxp0 interface of the passive cluster member

Hint for Clusters: the Virtual Chassis Management Option is required for NSM to add the cluster with a single in-band management connection.

Hint for Clusters: When using In-band Management you can leave the fxp0 interfaces on both members completely unconfigured.

Page 210: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


IN-BAND MANAGEMENT: UPDATES FOR THE PASSIVE NODE

When In-Band Management is used, the second Node is not directly reachable for management. This could result in issues for some operations:

Software Updates
Use the ISSU and LICU Cluster Upgrade Procedures. They only require the image to be copied to the primary device; it is automatically copied to the secondary device.

Attack Database Updates
Use JUNOS 11.4 or higher. When Attack Database Updates are installed, they are automatically updated on the backup node.

Script Installations
Before they can be enabled in the configuration (commit) the scripts must be installed on both nodes. To achieve this, upload scripts to the primary node first, then copy them manually to the secondary node.

Hint: How to get from one Node of a cluster to the other Node ?
- If fxp0 interfaces are connected, simply use ssh with the fxp0 address of the second node
- On Branch SRX use "request routing-engine login node x"
- On Datacenter SRX use the shell command "rlogin -Ji nodex"

Page 211: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


IF IN-BAND OR OUT-BAND IS PREFERRED DEPENDS ON THE POSITION OF THE MANAGEMENT SYSTEM

[Diagram: Example Setup: SRX650-Cluster with all the Interfaces. Node interfaces: fxp0 = ge-0/0/0 10.0.0.1 and fxp0 = ge-0/0/0 10.0.0.2; Control ge-0/0/1 on each node; reth0 = ge-1/0/0 / ge-8/0/0 (untrust); reth1 = ge-1/0/1 / ge-8/0/1 (trust); Cluster-IP 20.0.0.1; Cluster-IP 30.0.0.1]

Page 212: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


MANAGEMENT ON THE SAME NETWORK AS FXP0

OUT-BAND MANAGEMENT IS RECOMMENDED

- No changes required, Setup works immediately
- NSM or Space can establish ssh connections to both devices
- "Add Device" Workflow is possible
- Both Cluster Members use fxp0 to get to Management

[Diagram: NSM or Space 10.0.0.3; fxp0 (node1) = ge-0/0/0 10.0.0.1; fxp0 (node2) = ge-7/0/0 10.0.0.2]

Page 213: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


MANAGEMENT ON A DIFFERENT NETWORK THAN FXP0, BUT STILL ON THE SAME FIREWALL SIDE

OUT-BAND MANAGEMENT IS RECOMMENDED

Hint for Out-band Management:
Both nodes need a backup route
set groups node.. system backup-router destination 40.0.0.3/32 next-hop ....

[Diagram: NSM or Space 40.0.0.3; fxp0 (node1) = ge-0/0/0 10.0.0.1; fxp0 (node2) = ge-7/0/0 10.0.0.2; Router-IP 10.0.0.254; Router-IP 30.0.0.254; Router-IP 40.0.0.254]

Page 214: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


MANAGEMENT ON EXTERNAL SIDE OF THE FIREWALL

IN-BAND MANAGEMENT IS RECOMMENDED

OUT-BAND MANAGEMENT REQUIRES MORE COMPLEX ROUTING, AND DURING CLUSTER FAILOVER (RG0) MANAGEMENT CONNECTIONS HAVE TO BE REESTABLISHED

Hints for In-band Management:
- There is only one connection between SRX and the Management System (using reth0 of the active node)
- For NSM use the Virtual Chassis Management Option
- For Space add just the active node

Hints for Out-band Management:
- use several VRs on SRX. fxp0 must stay in inet.0, all other interfaces go to another VR.
- If you have IKE Traffic this will require JUNOS 10.4 or higher to terminate IKE in a custom VR.
- Both nodes need a backup route
  set groups node.. system backup-router destination 172.16.42.9/32 next-hop ...

[Diagram: NSM or Space 172.16.42.9 on the external side of the firewall; reth0 = ge-1/0/0 (untrust); reth1 = ge-1/0/1 (trust); fxp0 (node2) = ge-7/0/0 10.0.0.2; Cluster-IP 20.0.0.1; Cluster-IP 30.0.0.1; Router-IP 10.0.0.254; Router-IP 30.0.0.254]

Page 215: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


LOGGING WITH SYSLOG

Page 216: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


SRX LOGGING INFRASTRUCTURE
SRX Logs can come from two different sources:
- From the Control Plane (Management, Routing Daemons ...)
- From the Data Plane (Firewall, IDP, AppFirewall, UTM, VPN ..)

Control Plane Logs (same behavior on all JUNOS Devices)
- They can be stored in local files, sent to Syslog Servers or NSM
- Syslog and NSM connections can leave the SRX via forwarding interfaces or the fxp0 Management Interface - this is a normal routing decision

Data Plane Logs on the Branch SRX
- By default Data Plane Logs are sent to the Routing Engine (Event mode)
- From there they can be stored in local files, sent to NSM and sent to Syslog Servers

Data Plane Logs on the Datacenter SRX
- Data Plane Logs are created on each of the SPCs
- Each SPC can create a maximum of 40K logs / sec / SPC
- By Default Data Plane Logs are not sent anywhere; they are not even sent to the Routing Engine

Page 217: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


WHERE IS THE CHALLENGE ?

You have two options to send Dataplane Logs (Firewall, IDP, UTM, AppSecure ...)

Event Mode Logging
- All Data plane Logs are sent to the Routing-Engine and they are sent further from there
- This is the default configuration for Branch SRX
- Event Mode logging can be used if log rates are low
- To avoid RE overload, rate limits are in place. These will drop logs in event mode

Stream Mode Logging
- Data plane Logs are not sent to the Routing Engine
- Data plane Logs can leave the device from every interface (except fxp0, which is tied to the Routing Engine)
- This is the default configuration for Datacenter SRX
- Stream Mode Logging is mandatory for high log rates

Page 218: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


STREAM MODE LOGGING TO STRM, OR A SYSLOG SERVER

[Diagram: Controlplane (Process Logs) and Dataplane (Process Logs) on the SRX sending to STRM (Syslog Server)]

On a single SRX - Control plane and Data plane Logs can use the same egress interface

On SRX Cluster - Control plane Logs come from the Management Interface fxp0 - Data plane Logs need another interface

Page 219: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


EVENT MODE LOGGING TO NSM (1)

[Diagram: Controlplane (Process Logs) and Dataplane (Process Logs) on the SRX sending to NSM and STRM (Syslog Server)]

Branch SRX: default mode

Datacenter SRX: possible since 10.0 (1.5kEPS Ratelimit)

(1) Uses the normal, encrypted connection from the SRX to NSM

Page 220: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


STREAM MODE LOGGING TO NSM (2)

[Diagram: Controlplane (Process Logs) and Dataplane (Process Logs) on the SRX sending to NSM]

(2) Dataplane Logs sent as Syslog from SRX to NSM - requires NSM 2011.1 or higher

Page 221: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


STREAM MODE: HOW MANY INTERFACES ARE INVOLVED ?

[Diagram: Controlplane (Process Logs) and Dataplane (Process Logs) on the SRX sending to STRM (Syslog Server)]

Simple solution - use two interfaces on SRX and STRM
Looking at the log picture it is obvious that the SRX might use different interfaces to send the two types of logs.
Since two interfaces of the same VR can not be in the same network, the two interfaces have to be in two different networks or VRs.
The easiest solution is when the log receiver and the SRX both use two interfaces. STRM can be reconfigured to use two interfaces and IPs.

Still simple solution - use only one interface on both sides
If STRM - or another log receiver - has only one interface/IP, then the SRX must be reconfigured to send all logs through one interface.
This one interface can not be fxp0, because dataplane logs can not be delivered through fxp0, so it must be a forwarding interface.
If this forwarding interface is in inet.0 you only need a host route to this interface. If it is in another VR you need a host route with next-table vr.

Worst case - need to add a logging interface in the same network as fxp0
When you migrate from event to stream logs and can not add additional interfaces on other networks than the one existing on fxp0, you have to add a second forwarding interface in the same network. This is only possible when this interface is in another VR than fxp0.
See the next page (Logging with Overlapping Interface IP) for a complete configuration example.

Page 222: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


DATACENTER SRX LOGGING WITH OVERLAPPING INTERFACE IP
# Datacenter SRX uses fxp0 for RE Logs and a Forwarding Interface for Security Logs
# If the Syslog-Receiver is attached to the same Management LAN as fxp0, you need a
# second interface/VR to that LAN to deliver Security Logs (Firewall Traffic and IDP)

# For this worst case, we have two interfaces in the same network
set interfaces fxp0 unit 0 family inet address 10.0.0.1/24
set interfaces reth7 unit 0 family inet address 10.0.0.2/24

# Controlplane-Logs: use the Source-IP of the egress interface to avoid ARP problems !!
set system syslog host 10.0.0.100 any any
set system syslog host 10.0.0.100 source-address 10.0.0.2

# Dataplane-Logs from the SPCs leave via a forwarding interface
# also use the source-IP of the egress interface
set security log format sd-syslog
set security log source-address 10.0.0.2
set security log stream Log host 10.0.0.100

# To allow two interfaces on the same net, one interface must be moved to a custom VR
set routing-instances Logging instance-type virtual-router
set routing-instances Logging interface reth7.0
# Now we use a host-route to send all traffic for the Log-Receiver to this VR
set routing-options static route 10.0.0.100/32 next-table Logging.inet.0

# Potential other workaround (UNTESTED)
# Use this command to set the default management IP to the loopback interface IP
set system default-address-selection ....

Page 223: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


SYSLOG ADDITIONAL INFORMATION

Page 224: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


SYSLOG: A LIST OF POSSIBLE EVENTS

Syslog event list (Control plane Events)
# List all possible syslog events
srx> help syslog
Syslog tag                        Help
ACCT_ACCOUNTING_FERROR            Error occurred during file processing
ACCT_ACCOUNTING_FOPEN_ERROR       Open operation failed on file
ACCT_ACCOUNTING_SMALL_FILE_SIZE   Maximum file size is smaller than record size
ACCT_BAD_RECORD_FORMAT            Record format does not match accounting profile
ACCT_CU_RTSLIB_ERROR              Error occurred obtaining current class usage statistics
ACCT_FORK_ERR                     Could not create child process
ACCT_FORK_LIMIT_EXCEEDED          Could not create child process because of limit
ACCT_GETHOSTNAME_ERROR            gethostname function failed
ACCT_MALLOC_FAILURE               Memory allocation failed

# List severity and parameters included for each event
srx> help syslog FLOW_SESSION_CREATE
Name:        FLOW_SESSION_CREATE
Message:     session created <source-address>/<source-port>-><destination-address>/<destination-port>,<protocol-id>: <policy-name>
Help:        Session create
Description: A security session was created.
Type:        Event: This message reports an event, not an error
Severity:    info

Page 225: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


SYSLOG - EVENT MODE: TRAFFIC LOG EXAMPLES

root@srx-210# run monitor start default-log-messages

<14>1 2009-08-28T00:00:03.685+02:00 srx-101 RT_FLOW - RT_FLOW_SESSION_CREATE [[email protected] source-address="10.0.101.10" source-port="12288" destination-address="192.168.100.1" destination-port="1280" service-name="icmp" nat-source-address="10.0.101.10" nat-source-port="12288" nat-destination-address="192.168.100.1" nat-destination-port="1280" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="default-permit" session-id-32="841"] session created 10.0.101.10/12288->192.168.100.1/1280 icmp 10.0.101.10/12288->192.168.100.1/1280 None None 1 default-permit 841

<14>1 2009-08-28T00:00:06.581+02:00 srx-101 RT_FLOW - RT_FLOW_SESSION_CLOSE [[email protected] reason="response received" source-address="10.0.101.10" source-port="12288" destination-address="192.168.100.1" destination-port="1280" service-name="icmp" nat-source-address="10.0.101.10" nat-source-port="12288" nat-destination-address="192.168.100.1" nat-destination-port="1280" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="default-permit" session-id-32="841" packets-from-client="1" bytes-from-client="60" packets-from-server="1" bytes-from-server="60" elapsed-time="3"] session closed response received: 10.0.101.10/12288->192.168.100.1/1280 icmp 10.0.101.10/12288->192.168.100.1/1280 None None 1 default-permit 841 1(60) 1(60) 3

<14>1 2009-08-28T00:10:07.682+02:00 srx-101 RT_FLOW - RT_FLOW_SESSION_DENY [[email protected] source-address="10.0.101.10" source-port="12544" destination-address="192.168.100.1" destination-port="1280" service-name="icmp" protocol-id="1" icmp-type="8" policy-name="icmp-drop"] session denied 10.0.101.10/12544->192.168.100.1/1280 icmp 1(8) icmp-drop
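The three RT_FLOW events above share one sd-syslog layout: an RFC 5424 header, one structured-data element whose key="value" pairs carry the session fields, and the free-text message. The following parser is an added example, not part of the original slides; its sample lines are constructed after the page's examples, junos@EXAMPLE-SDID stands in for the real structured-data ID, and the summary it computes (sessions created/closed, bytes moved, denies per source and policy) is the kind of check a log receiver would run on these records.

```python
import re
from collections import Counter

# RFC 5424 header + one structured-data element + free-text message, as written in sd-syslog format
LINE_RE = re.compile(r'^<(\d+)>1 (\S+) (\S+) (\S+) - (\S+) \[(\S+) (.*?)\] (.*)$')
KV_RE = re.compile(r'(\S+?)="([^"]*)"')


def parse_rt_flow(line: str):
    """Return a dict for an RT_FLOW_* line, or None if the line is not in this format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri, ts, host, proc, event, sdid, sd, text = m.groups()
    facility, severity = divmod(int(pri), 8)      # PRI = facility * 8 + severity
    rec = {"timestamp": ts, "hostname": host, "process": proc, "event": event,
           "sd-id": sdid, "facility": facility, "severity": severity, "message": text}
    rec.update(dict(KV_RE.findall(sd)))           # the key="value" pairs become fields
    return rec


def summarize(lines):
    """Session counts, bytes moved, and denies per (source, policy) over a batch of lines."""
    stats = {"created": 0, "closed": 0, "bytes": 0, "denied": Counter(), "unparsed": 0}
    for line in lines:
        rec = parse_rt_flow(line)
        if rec is None:
            stats["unparsed"] += 1               # control-plane lines use another format
            continue
        if rec["event"] == "RT_FLOW_SESSION_CREATE":
            stats["created"] += 1
        elif rec["event"] == "RT_FLOW_SESSION_CLOSE":
            stats["closed"] += 1
            stats["bytes"] += int(rec["bytes-from-client"]) + int(rec["bytes-from-server"])
        elif rec["event"] == "RT_FLOW_SESSION_DENY":
            stats["denied"][(rec["source-address"], rec["policy-name"])] += 1
    return stats


# Constructed sample lines modelled on the page's examples; the SD-ID is a placeholder.
SAMPLE = [
    '<14>1 2009-08-28T00:00:03.685+02:00 srx-101 RT_FLOW - RT_FLOW_SESSION_CREATE '
    '[junos@EXAMPLE-SDID source-address="10.0.101.10" source-port="12288" '
    'destination-address="192.168.100.1" destination-port="1280" service-name="icmp" '
    'protocol-id="1" policy-name="default-permit" session-id-32="841"] '
    'session created 10.0.101.10/12288->192.168.100.1/1280 icmp 1 default-permit 841',
    '<14>1 2009-08-28T00:00:06.581+02:00 srx-101 RT_FLOW - RT_FLOW_SESSION_CLOSE '
    '[junos@EXAMPLE-SDID reason="response received" source-address="10.0.101.10" '
    'source-port="12288" destination-address="192.168.100.1" destination-port="1280" '
    'service-name="icmp" protocol-id="1" policy-name="default-permit" session-id-32="841" '
    'packets-from-client="1" bytes-from-client="60" packets-from-server="1" '
    'bytes-from-server="60" elapsed-time="3"] session closed response received: '
    '10.0.101.10/12288->192.168.100.1/1280 icmp 1 default-permit 841 1(60) 1(60) 3',
    '<14>1 2009-08-28T00:10:07.682+02:00 srx-101 RT_FLOW - RT_FLOW_SESSION_DENY '
    '[junos@EXAMPLE-SDID source-address="10.0.101.10" source-port="12544" '
    'destination-address="192.168.100.1" destination-port="1280" service-name="icmp" '
    'protocol-id="1" icmp-type="8" policy-name="icmp-drop"] '
    'session denied 10.0.101.10/12544->192.168.100.1/1280 icmp 1(8) icmp-drop',
    # a constructed control-plane line that is deliberately not in RT_FLOW format
    'Aug 28 00:10:08 srx-101 mgd[1234]: UI_COMMIT: User root requested commit',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

<14> decodes to facility 1 (user) and severity 6 (info), which is why a receiver filtering on severity alone will never separate a deny from a session create; match on the event tag or policy-name instead.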

Page 226: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


SNMP AND RMON

Page 227: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


SNMP AGENT

Set System Identification and Community
set snmp location lab-munich
set snmp contact "[email protected]"
set snmp community public authorization read-only

Enable SNMP access on the interfaces of a zone
set security zones security-zone trust host-inbound-traffic system-services snmp

Restrict SNMP access to certain sources
set snmp community public clients 172.26.0.0/16
set snmp community public clients 0.0.0.0/0 restrict

Restrict SNMP access to certain tables
# Create a View, defining permitted Objects
set snmp view chassis-info oid jnxBoxAnatomy include
set snmp view chassis-info oid snmpMIBObjects include
set snmp view chassis-info oid system include

# And assign the view to a community
set snmp community chassis-community view chassis-info

Page 228: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


SNMP, CLI QUERIES AND TRICKS
# CLI commands exist to make MIB queries or MIB walks
show snmp mib get sysObjectID.0
show snmp mib get "sysName.0 sysContact.0 sysLocation.0"
show snmp mib walk jnxBoxAnatomy
show snmp mib walk jnxContentsSerialNo

# Display OIDs used for a certain table
show snmp mib walk 1.3.6.1.4.1.2636.3.39.1.12.1 | display xml

# Display OIDs for all MIB tables
show snmp mib walk 1 | display xml

# The following commands create and show a list of registered SNMP Instances
show snmp registered-objects
file show /var/log/snmp_reg_objs

# The List of Interface Indices is reboot persistent as it is saved in a file
file show /var/db/dcd.snmp_ix

# Spoof SNMP Traps for simple Testing
request snmp spoof-trap linkUp variable-bindings "ifIndex[14] = 14, ifAdminStatus[14] = 1, ifOperStatus[14] = 2"

# An SNMP Table (Tablename jnxUtilData) can be used to store user defined content.
# Event Scripts can be used to update this table
request snmp utility-mib set .....
show snmp mib walk jnxUtilData

Page 229: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


SNMP, PRIVATE MIBS AND USEFUL TABLES# List of all MIBs (including table, which MIBs exist on which device) and SNMP-Traps

# Chassis Hardware show snmp mib walk [jnxBoxClass|jnxBoxDescr|jnxBoxSerialNo|jnxBoxRevision|jnxBoxInstalled]show snmp mib walk [jnxBoxAnatomy|jnxContainersTable|jnxContentsTable|jnxFilledTable]

# Field Replaceable units(FRU) in the chassis (includes empty slots) show snmp mib walk jnxFruTable

# For a List of Modules installed useshow snmp mib walk jnxContentsDescr

# Interfaces, and Interface Informationshow snmp mib walk ifDescr show snmp mib walk [ifTable | ifChassisTable | ifStackTable ]show snmp mib walk [ipAddrTable | ipAdEntIfIndex ]

# LEDs and status (primary only)
show snmp mib walk jnxLedTable

# State, memory usage and CPU load on all modules (note: it always reports both REs as active)
show snmp mib walk jnxOperatingTable

Page 230: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


USEFUL OIDS
# SNMP walk from the CLI through the complete private MIB, displayed with name and OID
show snmp mib walk .1.3.6.1.4.1.2636 | display xml

# Software version (hrSWInstalledTable)
show snmp mib walk .1.3.6.1.2.1.25.6.3

# Per FPC statistics on CPU load, memory, temperature
show snmp mib walk jnxOperatingTable
# some columns here are:
show snmp mib walk jnxOperatingDescr
show snmp mib walk jnxOperatingCPU
show snmp mib walk jnxOperatingTemp
show snmp mib walk jnxOperatingBuffer

# On SRX: SPU monitoring MIB OIDs (sessions, CPU load)
show snmp mib walk jnxJsSPUMonitoringMIB
show snmp mib walk 1.3.6.1.4.1.2636.3.39.1.12.1 | display xml

# Disk usage (hrStorageTable)
show snmp mib walk [hrStorageSize | hrStorageUsed]
show snmp mib walk 1.3.6.1.2.1.25.2.3.1

Page 231: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


RMON

Monitor SNMP OIDs and generate traps if something is wrong

# Specify a trap group and a target for the traps
set snmp trap-group overtemperature
set snmp trap-group overtemperature categories rmon-alarm
set snmp trap-group overtemperature targets 10.0.0.1

edit snmp rmon

# Specify what is monitored
set alarm 1 description "Overtemperature on SRX 5600 Midplane"
set alarm 1 variable jnxOperatingTemp.1.1.0.0
set alarm 1 interval 300
set alarm 1 sample-type absolute-value
set alarm 1 rising-threshold 50
set alarm 1 startup-alarm rising-alarm
set alarm 1 rising-event-index 1

# and the resulting event. The "community" of an RMON event names the trap group
# used to send the trap, so it must match the trap group defined above
set event 1 description Heat-Events
set event 1 type log-and-trap
set event 1 community overtemperature

Page 232: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


NETFLOW

Page 233: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


NETFLOW CONFIGURATION

Specify the sample rate and where to send the NetFlow data

Enable Netflow on the desired interface(s) and directions

Note: activating NetFlow has a significant impact on performance. The input rate N means that one packet in N is sampled, so the smaller the rate value, the more packets are sampled and the higher the performance hit.

set forwarding-options sampling input rate 10
set forwarding-options sampling family inet output flow-server 172.30.80.76 port 2056
set forwarding-options sampling family inet output flow-server 172.30.80.76 version 5

set interfaces ge-0/0/0 unit 0 family inet sampling input
set interfaces ge-0/0/0 unit 0 family inet sampling output
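What the flow server at 172.30.80.76:2056 actually receives with the configuration above is a stream of NetFlow version 5 datagrams. The following decoder is an added example, not code from this deck or from Juniper: it unpacks the v5 header and the 48-byte records, validates the record count against the datagram length, and scales sampled byte counts by the 1-in-N sampling interval carried in the header. The datagram it parses is constructed inline (addresses, ports and counters are invented) to match the `input rate 10` setting.

```python
"""Decode NetFlow v5 export datagrams the way the flow-server above receives
them. Added example; the sample datagram is constructed, not captured."""
import struct
from ipaddress import IPv4Address

# v5 header (24 bytes): version, count, sys_uptime, unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, sampling_interval
HEADER_FMT = "!HHIIIIBBH"
# v5 record (48 bytes): srcaddr, dstaddr, nexthop, input, output, dPkts,
# dOctets, first, last, srcport, dstport, pad1, tcp_flags, prot, tos,
# src_as, dst_as, src_mask, dst_mask, pad2
RECORD_FMT = "!IIIHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)
RECORD_LEN = struct.calcsize(RECORD_FMT)


def parse_netflow_v5(datagram):
    """Return header fields plus one dict per flow record; reject malformed input."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, sys_uptime, unix_secs, _nsecs, flow_seq,
     _engine_type, engine_id, sampling) = struct.unpack(HEADER_FMT, datagram[:HEADER_LEN])
    if version != 5:
        raise ValueError("expected NetFlow v5, got version %d" % version)
    if len(datagram) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count %d does not match datagram length" % count)
    flows = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        r = struct.unpack(RECORD_FMT, datagram[off:off + RECORD_LEN])
        flows.append({
            "src": str(IPv4Address(r[0])), "dst": str(IPv4Address(r[1])),
            "in_if": r[3], "out_if": r[4], "packets": r[5], "bytes": r[6],
            "sport": r[9], "dport": r[10], "tcp_flags": r[12], "proto": r[13],
        })
    return {
        "sequence": flow_seq, "uptime_ms": sys_uptime, "unix_secs": unix_secs,
        "engine_id": engine_id,
        # top two bits carry the sampling mode, the low 14 bits the 1-in-N interval
        "sampling_rate": sampling & 0x3FFF,
        "flows": flows,
    }


def scaled_bytes_to_port(parsed, dport):
    """Estimate the real volume to one destination port: sampled bytes * sampling rate."""
    rate = parsed["sampling_rate"] or 1
    return rate * sum(f["bytes"] for f in parsed["flows"] if f["dport"] == dport)


def build_sample_datagram():
    """Constructed export from an exporter sampling 1-in-10 (matches 'input rate 10')."""
    def ip(s):
        return int(IPv4Address(s))
    records = [
        # SSH session: TCP (6), flags 0x18 = PSH|ACK, 12 sampled packets / 9600 bytes
        (ip("10.0.0.5"), ip("10.1.80.1"), ip("10.1.80.254"), 1, 2, 12, 9600,
         100, 2100, 51234, 22, 0, 0x18, 6, 0, 0, 0, 24, 24, 0),
        # DNS query: UDP (17), a single sampled packet
        (ip("10.0.0.7"), ip("8.8.8.8"), ip("10.1.80.254"), 1, 2, 1, 80,
         150, 150, 40001, 53, 0, 0, 17, 0, 0, 15169, 24, 8, 0),
    ]
    sampling = (1 << 14) | 10          # mode 1 (packet interval), interval 10
    header = struct.pack(HEADER_FMT, 5, len(records), 123456, 1352370000, 0,
                         1000, 0, 0, sampling)
    return header + b"".join(struct.pack(RECORD_FMT, *r) for r in records)


if __name__ == "__main__":
    parsed = parse_netflow_v5(build_sample_datagram())
    for f in parsed["flows"]:
        print("%s:%d -> %s:%d proto %d sampled bytes %d"
              % (f["src"], f["sport"], f["dst"], f["dport"], f["proto"], f["bytes"]))
    print("estimated bytes to port 22:", scaled_bytes_to_port(parsed, 22))
```

Because the SRX only exports sampled packets, a collector that does not multiply by the sampling interval under-reports volumes by a factor of N; the length check matters because a collector that trusts `count` blindly will read past the end of a truncated or crafted datagram.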

Page 234: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


SRX MANAGEMENT WITH NSM

Page 235: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


PREPARING JUNOS DEVICES FOR NSM

# SSHv2 is mandatory for NSM. SSHv2 is not included in the export-restricted
# software version; you always need the domestic version.
lab@srx5600> show version | match JUNOS
JUNOS Software Release [9.5R2.7]

# For NSM access both SSH and NETCONF over SSH must be enabled
set system services ssh [protocol-version v2]
set system services netconf ssh

# Recommendation: use a dedicated NSM user,
# this allows identifying who made certain changes/operations
root# set system login user nsm class super-user authentication plain-text-password
New password:
Retype new password:

Page 236: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


ENABLE AUTO DISCOVERY WITH NSM
# The auto-discovery feature scans an IP address range for Juniper devices
# and automatically adds and imports them into NSM.
# This feature requires ping, SSH and SNMP access to the device.

# Enable SSH and NETCONF via SSH
set system services ssh protocol-version v2
set system services netconf ssh

# Enable SNMP
set snmp location lab-munich
set snmp contact "[email protected]"
set snmp community public authorization read-write
# Caveat: a read-write community, and above all the well-known name "public", lets anyone
# who can reach UDP/161 on the device reconfigure it. Use a non-default community name,
# restrict it to the NSM server with the "clients" option, and keep "authorization read-only"
# unless NSM really needs write access.

# Make sure all services required for NSM auto discovery are allowed in
edit security zones security-zone trust interfaces ge-0/0/0.0
set host-inbound-traffic system-services ping
set host-inbound-traffic system-services ssh
set host-inbound-traffic system-services snmp
top

Page 237: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


EXAMPLE: SENDING LOGS TO NSM (EVENT MODE)

# Control plane logs from the routing engine are sent to NSM by default

# Data plane logs from branch SRX are sent to NSM when a log file "default-log-messages"
# is written. NSM adds this configuration automatically to the SRX with the "device is
# reachable" workflow
set system syslog file default-log-messages any any
set system syslog file default-log-messages structured-data

# On data center SRX traffic logs are not sent to the routing engine by default,
# as the preferred logging method is to stream the logs directly
# from a forwarding interface. If the log volume is low, the logs can also be sent
# to the routing engine. The following statements allow this since JUNOS 10.0
set security log mode event
set security log mode event event-rate 1000

Page 238: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


EXAMPLE: SENDING LOGS TO NSM (STREAM MODE)

# Again, control plane logs from the routing engine are sent to NSM by default

# Since NSM version 2011.1 it is possible to send security logs via syslog in stream mode
# Check page 767 of the NSM Admin Guide for the necessary DevSvr configuration changes
# Add "devSvr.enableSyslogOverUdp true" to the /var/netscreen/DevSvr/var/devSvr.cfg file

# On the SRX side use the following configuration statements to send traffic logs
# via syslog to NSM
set security log mode stream
set security log format sd-syslog

# Primary NSM
set security log stream NSM1 format sd-syslog
set security log stream NSM1 host <primary DevSvr IP>
set security log stream NSM1 host port 5140

# If NSM is an HA cluster, use a second feed to send logs to the secondary NSM
set security log stream NSM2 format sd-syslog
set security log stream NSM2 host <Secondary DevSvr IP>
set security log stream NSM2 host port 5140

Page 239: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


ADDITIONAL REMARKS

- When using out-of-band management: start the import into NSM with the member where RG0 is passive. Some NSM versions had trouble when the import started with the active member.
- When using in-band management: don't mix in-band and out-of-band management. If you choose in-band management, leave the fxp0 interfaces on both members unconfigured. This prevents the passive member from ever connecting to NSM.
- When changing between out-of-band and in-band management: "delete system services outbound-ssh" from the normal stanza and from the groups stanza. Otherwise you might end up with multiple, conflicting entries. In some cases you might have to reboot to make all configuration changes effective.
- To establish the NSM connection through a VPN tunnel, use in-band management and introduce a loopback IP or a numbered VPN tunnel interface as the source. Otherwise the SRX could use an interface IP for which there is no proper routing back from NSM through the VPN tunnel.

Page 240: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


MANAGING SRX CLUSTERS WITH NSM: WHERE IS THE CHALLENGE?

You have two options to manage a cluster in NSM:

- Out-of-band management: you connect to the fxp0 interfaces of the cluster members. You add a cluster object to NSM and add both members (start with the node where RG0 is passive).
- In-band management (branch SRX only): you connect to the master device via one of the reth interfaces. You configure the device for cluster management and add only one device to NSM.

Page 241: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


IN-BAND MANAGEMENT: VIRTUAL CHASSIS REPRESENTATION OF SRX CLUSTERS
# The virtual-chassis configuration makes a cluster manageable in NSM as a single device.
# This is supported only on branch SRX since JUNOS 10.1R2 or 10.2R2 or higher.
# You need the following configuration statement in JUNOS
set chassis cluster network-management cluster-master
# In NSM you add just a single virtual chassis device (the current primary).
# Only the master will attempt to establish a session to NSM.
# It can use any interface to establish this connection.

Page 242: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


ADDITIONAL REMARKS

- When using out-of-band management: start the import into NSM with the member where RG0 is passive.
- When using in-band management: leave the fxp0 interfaces on both members unconfigured. NSM cannot be used to perform software updates or push attack database updates.
- When changing between out-of-band and in-band management: "delete system services outbound-ssh" from the normal stanza and from the groups stanza. Otherwise you might end up with multiple, conflicting entries. In some cases you might have to reboot to make all configuration changes effective.
- To establish the NSM connection through a VPN tunnel, use in-band management and introduce a loopback IP or a numbered VPN tunnel interface as the source. Otherwise the SRX could use an interface IP for which there is no proper routing back from NSM through the VPN tunnel.

Page 243: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


MANAGEMENT WITH JUNOS SPACE / SECURITY DESIGN

Page 244: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


PREPARING JUNOS DEVICES FOR SPACE

# For Space access both SSH and NETCONF over SSH must be enabled
set system services ssh [protocol-version v2]
set system services netconf ssh

# Recommendation: use a dedicated Space user,
# this allows identifying who made certain changes/operations
root# set system login user space class super-user authentication plain-text-password
New password:
Retype new password:


# When SNMP is enabled before device discovery, Space (OpenNMS) collects and
# visualizes SNMP data from the device. It also reconfigures the device to send
# traps to Space.
set snmp location lab-munich
set snmp contact "[email protected]"
set snmp community public authorization read-write
# Caveat: as with NSM, prefer a non-default community name restricted to the Space
# server with the "clients" option, and read-only authorization unless write access is needed.

# Make sure all services required for Space discovery are allowed in
edit security zones security-zone trust interfaces ge-0/0/0.0
set host-inbound-traffic system-services ping
set host-inbound-traffic system-services ssh
set host-inbound-traffic system-services snmp
top

Page 245: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


ADDITIONAL REMARKS (1)

- For initial device discovery Space uses ping and an SSH/NETCONF connection to the device.
- The future direction of the management connection depends on the Space application settings (at the time the device was discovered). By default Junos Space attempts to establish the connection; if the default is changed, Space reconfigures the device during discovery so that the device initiates the connection.

Page 246: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


ADDITIONAL REMARKS (2)

Space can detect and manage an SRX cluster in both ways:
- with only one in-band management connection (just add one device)
- with two out-of-band management connections to fxp0 (add both devices in Platform; Security Design creates a cluster view of the security device)

Page 247: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


MONITORING SRX LOGS WITH STRM

Page 248: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


STREAM MODE LOGS FROM SRX TO STRM
# In this example we send both control and data plane logs through one
# interface (reth7) which is a member of the default VR inet.0
# Destination for both logs is 10.0.0.100
# Source IP for both logs is 10.0.0.2

# Interface IP for the interface connected to STRM
set interfaces reth7 unit 0 family inet address 10.0.0.2/24

# Control plane logs: use the source IP of the egress interface to avoid ARP problems!
set system syslog host 10.0.0.100 any any
set system syslog host 10.0.0.100 source-address 10.0.0.2

# Data plane logs (from the SPCs) leave via a forwarding interface;
# also use the source IP of the egress interface
set security log format sd-syslog
set security log source-address 10.0.0.2
set security log stream Log host 10.0.0.100

# Caveat: STRM can no longer reach fxp0 of the SRX, because all routing to the
# STRM host IP goes through reth7, and traffic from reth7 to fxp0 is not possible.
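Whether the stream goes to NSM (page 238) or to STRM as above, the receiver gets RFC 5424 syslog with the session fields inside a structured-data element whose SD-ID is `junos@2636.…`. The parser below is an added example, not code from this deck, from Juniper or from STRM: it splits the header, decodes the SD-PARAMs (including the backslash escapes RFC 5424 allows in values), and counts policy denies per source, destination and port. The two sample lines are constructed to follow that layout with the RT_FLOW message IDs and field names Junos uses; the exact field set on a given release should be checked against real output from the device.

```python
"""Parse Junos sd-syslog (RFC 5424 structured data) as a log collector sees it
and pull RT_FLOW session events out of it. Added example; sample lines are
constructed, not captured from a device."""
import re
from collections import Counter

# One SD-ELEMENT: [SD-ID PARAM-NAME="PARAM-VALUE" ...]; values may escape " \ and ]
_SD_ELEMENT = re.compile(r'\[([^\s\]]+)((?:\s+[^\s=\]]+="(?:[^"\\]|\\.)*")*)\]')
_SD_PARAM = re.compile(r'([^\s=\]]+)="((?:[^"\\]|\\.)*)"')
_HEADER = re.compile(r'<(\d{1,3})>(\d) (\S+) (\S+) (\S+) (\S+) (\S+) (.*)$')


def _unescape(value):
    """Undo RFC 5424 PARAM-VALUE escaping of ", \\ and ]."""
    return re.sub(r'\\(["\\\]])', r'\1', value)


def parse_sd_syslog(line):
    """Return header fields, structured data and the free-text message of one line."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 line: %r" % line[:60])
    pri, _version, ts, host, app, _procid, msgid, rest = m.groups()
    pri = int(pri)
    structured = {}
    if rest.startswith("-"):            # NILVALUE: no structured data
        msg = rest[1:].strip()
    else:
        pos = 0
        while pos < len(rest) and rest[pos] == "[":
            el = _SD_ELEMENT.match(rest, pos)
            if not el:
                raise ValueError("malformed structured data at offset %d" % pos)
            structured[el.group(1)] = {k: _unescape(v) for k, v in _SD_PARAM.findall(el.group(2))}
            pos = el.end()
        msg = rest[pos:].strip()
    return {"facility": pri >> 3, "severity": pri & 7, "timestamp": ts, "host": host,
            "app": app, "msgid": msgid, "sd": structured, "msg": msg}


def flow_params(event):
    """Junos carries the RT_FLOW fields under SD-ID junos@2636.<...>; return them, whatever the suffix."""
    for sd_id, params in event["sd"].items():
        if sd_id.startswith("junos@2636."):
            return params
    return {}


def deny_summary(lines):
    """Count RT_FLOW_SESSION_DENY events per (source, destination, dport, policy)."""
    counts = Counter()
    for line in lines:
        ev = parse_sd_syslog(line)
        if ev["msgid"] != "RT_FLOW_SESSION_DENY":
            continue
        p = flow_params(ev)
        counts[(p["source-address"], p["destination-address"],
                p["destination-port"], p["policy-name"])] += 1
    return counts


# Constructed sample lines in the shape of Junos sd-syslog output (PRI 14 = user.info).
SAMPLE_LINES = [
    '<14>1 2012-11-08T10:15:32.112Z srx5600 RT_FLOW - RT_FLOW_SESSION_CREATE '
    '[junos@2636.1.1.1.2.39 source-address="10.0.0.5" source-port="51234" '
    'destination-address="10.1.80.1" destination-port="22" service-name="junos-ssh" '
    'protocol-id="6" policy-name="allow-ssh" source-zone-name="trust" '
    'destination-zone-name="untrust" session-id-32="26784"] session created',
    '<14>1 2012-11-08T10:15:33.004Z srx5600 RT_FLOW - RT_FLOW_SESSION_DENY '
    '[junos@2636.1.1.1.2.39 source-address="20.0.81.143" source-port="40001" '
    'destination-address="20.0.80.2" destination-port="3389" service-name="None" '
    'protocol-id="6" icmp-type="0" policy-name="default-deny" source-zone-name="untrust" '
    'destination-zone-name="trust"] session denied',
    '<14>1 2012-11-08T10:15:33.950Z srx5600 RT_FLOW - RT_FLOW_SESSION_DENY '
    '[junos@2636.1.1.1.2.39 source-address="20.0.81.143" source-port="40002" '
    'destination-address="20.0.80.2" destination-port="3389" service-name="None" '
    'protocol-id="6" icmp-type="0" policy-name="default-deny" source-zone-name="untrust" '
    'destination-zone-name="trust"] session denied',
]

if __name__ == "__main__":
    for key, n in deny_summary(SAMPLE_LINES).most_common():
        print("%s -> %s:%s denied %d time(s) by policy %s" % (key[0], key[1], key[2], n, key[3]))
```

Keying the structured data on the `junos@2636.` prefix rather than on the full SD-ID avoids breaking when the numeric suffix (which encodes the platform) differs between an SRX 5600 and a branch box sending to the same collector.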

Page 249: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


MONITORING SRX LOGS WITH J-WEB

Page 250: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


ACTIVATE LOGS IN J-WEB

Page 251: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


EXAMINE LOGS FROM EVENT VIEWER

Page 252: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


EXAMINE LOGS FROM POLICY VIEW

Page 253: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


FIREWALL ACTIVITY ON J-WEB REPORTING PAGE

Page 254: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


TROUBLESHOOTING

Page 255: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


NOTES FOR TROUBLESHOOTING

The WEB-UI has a number of useful Pages for Monitoring and Troubleshooting

The JUNOS CLI has powerful monitoring commands and offers a lot of counters and status information

SNMP and RPM also have a good coverage to allow continuous and ongoing monitoring

Default Log Files exist to track various error conditions

Additional Logs and Debugs can be enabled from the CLI, writing to separate Log Files or to external Servers

OP Scripts can be used to create custom monitor commands

Event Scripts can be used to trigger actions when events occur

Page 256: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


WEB-UI FOR MONITORING

Page 257: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


IMPORTANT CLI MONITORING COMMANDS

show version                               Software version
show chassis hardware detail               Hardware and serial numbers
show chassis environment                   Temperatures, fans and power supplies
show chassis routing-engine                Temperatures, memory, CPU load (routing engine)
show security monitoring fpc x             CPU load (flow processors / SPCs)
show system storage                        Flash and disk usage
show system license                        Installed licenses

show interfaces terse                      Quick overview of all interfaces
show interfaces description                Quick overview of all interfaces with description
show interfaces extensive                  Detailed interface and zone counters

show route <x.x.x.x>                       Routing table lookup (how to get to x.x.x.x)

show security policies                     List policies
show security policies detail | find xx    Details for a certain policy
show security flow session                 Current sessions
show security match-policies ...           Policy lookup (added in JUNOS 10.3)
show security zones                        Security zones and interface binding

show system alarms                         System alarms
show chassis alarms                        Chassis alarms

Page 258: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


LIVE COUNTERS FOR ALL INTERFACES

Use "monitor interface traffic" to watch live counters on all available Interfaces. Default Update Interval is 2 seconds

Page 259: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


LIVE COUNTERS FOR A CERTAIN INTERFACE

Use monitor interface <ifname> to watch live counters on a certain interface. Default update interval is every 2 seconds

Page 260: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


LIVE TRAFFIC FOR A CERTAIN INTERFACE (TCPDUMP OF RE TRAFFIC)

Before you start:
- This is not promiscuous mode
- You will see broadcast/unicast/multicast traffic to the routing engine
- ICMP traffic to the routing engine is excluded (SRX, EX and J-Series)
- Use the documentation to find all options
- This option is available from the Web-UI, the CLI and the shell

Monitor traffic on an interface:

user> monitor traffic interface e1-0/0/0.0 no-resolve
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Listening on e1-0/0/0.0, capture size 96 bytes
03:03:58.025661 Out IP 10.12.0.1 > 224.0.0.13: 10.12.0.1 > 224.0.0.13:PIMv2, Hello (0), length: 34
03:03:58.237360 In IS-IS, p2p IIH, src-id 1921.6800.1223, length 58
03:03:59.089303 Out IP 10.12.0.1.646 > 224.0.0.2.646: LDP, Label-Space-ID: 192.168.1.222:0, pdu-length: 38
03:03:59.555743 Out IP 10.12.0.1 > 224.0.0.1: igmp query v2

The same function is available from the shell:

user> start shell
% su
root@PBR% tcpdump -ni e1-0/0/0.0
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Listening on e1-0/0/0.0, capture size 96 bytes
03:06:47.943726 In IP 10.12.0.2 > 224.0.0.13: 10.12.0.2 > 224.0.0.13:PIMv2, Hello (0), length: 34
03:06:49.603895 In IP 10.12.0.2.646 > 224.0.0.2.646: LDP, Label-Space-ID: 192.168.1.223:0, pdu-length: 38
03:06:50.200510 Out IS-IS, p2p IIH, src-id 1921.6800.1222, length 58

Page 261: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


LOG FILES AND SYSLOG

All Log files live in /var/log

"show log" or "file list /var/log" List all Log files available (under /var/log)

show log messages Show Log File "messages" from start

show log messages | last 100 List last 100 Log Messages

show log messages | match LOGIN Search within the Log

show log messages | trim 39 Remove first 39 columns from each line

monitor start <file> Send Logs to terminal (like tail -f)

See also Chapter Logging and Syslog

Page 262: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


TYPICAL WAY TO ENABLE DEBUGGING

In many sections of the configuration it is possible to activate traceoptions (example: set system services dhcp traceoptions ...)

set traceoptions file <filename> files <n> size <size> <permission>
    file name, number of files (default 10), size per file (default 128k), read permissions (e.g. world-readable)

set traceoptions flag <flag>
    What do you want to look at?

monitor start <filename>
    like Unix tail -f; multiple people can view the log file at the same time

Page 263: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


DEBUGGING A FIREWALL FLOW
See http://kb.juniper.net/KB16110
# Specify a file where to save the traces
edit security flow traceoptions
set file flowtrace
set file size 1m files 3
set flag basic-datapath
# Use filters to reduce the volume of data
set packet-filter FILTER1 source-prefix 10.48.255.0/24
# A second condition for the same filter name is an AND condition
set packet-filter FILTER1 destination-prefix 192.168.210.0/24
# An additional condition with a different filter name is an OR condition
set packet-filter FILTER2 source-prefix 192.168.210.0/24
set packet-filter FILTER2 destination-prefix 192.168.220.0/24
top

# Logging to the file starts after commit
commit and-quit

# To start live monitoring, just monitor the file
monitor start flowtrace

# To quickly pause and resume the output. !! This does not stop logging to the file !!
Press "ESC-Q"

# To stop real-time monitoring. !! This does not stop logging to the file !!
monitor stop

# To turn off logging to the file you must deactivate or delete the configuration
deactivate security flow traceoptions
commit

Page 264: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


DEBUGGING A FIREWALL FLOW: EXAMPLE OUTPUT (1/2)
lab@Demo-081-113> *** flow-trace ***
Aug 2 22:04:36 22:04:35.935844:CID-1:RT:<10.10.20.2/2048->10.10.10.2/49265;1> matched filter f0:
Aug 2 22:04:36 22:04:35.935862:CID-1:RT:packet [84] ipid = 0, @4bb0526e
Aug 2 22:04:36 22:04:35.935872:CID-1:RT:---- flow_process_pkt: (thd 0): flow_ctxt type 0, common flag 0x0, mbuf 0x4bb05060
Aug 2 22:04:36 22:04:35.935881:CID-1:RT: flow process pak fast ifl 67 in_ifp reth1.0
Aug 2 22:04:36 22:04:35.935896:CID-1:RT: reth1.0:10.10.20.2->10.10.10.2, icmp, (8/0)
Aug 2 22:04:36 22:04:35.935907:CID-1:RT: find flow: table 0x4e789b20, hash 9938(0xffff), sa 10.10.20.2, da 10.10.10.2, sp 1, dp 34861, proto 1, tok 448
Aug 2 22:04:36 22:04:35.935926:CID-1:RT: no session found, start first path. in_tunnel - 0, from_cp_flag -
Aug 2 22:04:36 22:04:35.935941:CID-1:RT: flow_first_create_session
Aug 2 22:04:36 22:04:35.935953:CID-1:RT: flow_first_in_dst_nat: in <reth1.0>, out <N/A> dst_adr 10.10.10.2, sp 1, dp 34861
Aug 2 22:04:36 22:04:35.935965:CID-1:RT: chose interface reth1.0 as incoming nat if.
Aug 2 22:04:36 22:04:35.935976:CID-1:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 10.10.10.2(34861)
Aug 2 22:04:36 22:04:35.935988:CID-1:RT:flow_first_routing: call flow_route_lookup(): src_ip 10.10.20.2, x_dst_ip 10.10.10.2, in ifp reth1.0, out ifp N/A sp 1, dp 34861, ip_proto 1, tos 0
Aug 2 22:04:36 22:04:35.936001:CID-1:RT:Doing DESTINATION addr route-lookup
Aug 2 22:04:36 22:04:35.936017:CID-1:RT: routed (x_dst_ip 10.10.10.2) from untrust (reth1.0 in 1) to reth0.0, Next-hop: 10.10.10.2
Aug 2 22:04:36 22:04:35.936030:CID-1:RT: policy search from zone untrust-> zone trust
Aug 2 22:04:36 22:04:35.936057:CID-1:RT: app 0, timeout 60s, curr ageout 60s
Aug 2 22:04:36 22:04:35.936095:CID-1:RT:flow_first_src_xlate: src nat 0.0.0.0(1) to 10.10.10.2(34861) returns status 0, rule/pool id 0/0.
Aug 2 22:04:36 22:04:35.936110:CID-1:RT: dip id = 0/0, 10.10.20.2/1->10.10.20.2/1
Aug 2 22:04:36 22:04:35.936120:CID-1:RT: choose interface reth0.0 as outgoing phy if
Aug 2 22:04:36 22:04:35.936127:CID-1:RT:is_loop_pak: No loop: on ifp: reth0.0, addr: 10.10.10.2, rtt_idx:0
Aug 2 22:04:36 22:04:35.936136:CID-1:RT: check nsrp pak fwd: in_tun=0x0, VSD 1 for out ifp reth0.0
Aug 2 22:04:36 22:04:35.936142:CID-1:RT: vsd 1 is active
Aug 2 22:04:36 22:04:35.936151:CID-1:RT:policy is NULL (wx/pim scenario)
Aug 2 22:04:36 22:04:35.936160:CID-1:RT:sm_flow_interest_check: app_id 0, policy 6, app_svc_en 1, flags 0x2. interested
Aug 2 22:04:36 22:04:35.936171:CID-1:RT:sm_flow_interest_check: app_id 1, policy 6, app_svc_en 0, flags 0x2. not interested
..................

Page 265: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


DEBUGGING A FIREWALL FLOW: EXAMPLE OUTPUT (2/2)
.............
Aug 2 22:04:36 22:04:35.936178:CID-1:RT:flow_first_service_lookup(): natp(0x5047eb48): app_id, 0(0).
Aug 2 22:04:36 22:04:35.936187:CID-1:RT: service lookup identified service 0.
Aug 2 22:04:36 22:04:35.936194:CID-1:RT: flow_first_final_check: in <reth1.0>, out <reth0.0>
Aug 2 22:04:36 22:04:35.936203:CID-1:RT: existing vector list e20-624fdc28.
Aug 2 22:04:36 22:04:35.936212:CID-1:RT: existing vector list 0-6248ba28.
Aug 2 22:04:36 22:04:35.936220:CID-1:RT: Session (id:26784) created for first pak e20
Aug 2 22:04:36 22:04:35.936229:CID-1:RT: flow_first_install_session======> 0x5047eb48
Aug 2 22:04:36 22:04:35.936236:CID-1:RT: nsp 0x5047eb48, nsp2 0x5047ebb8
Aug 2 22:04:36 22:04:35.936248:CID-1:RT: make_nsp_ready_no_resolve()
Aug 2 22:04:36 22:04:35.936263:CID-1:RT: route lookup: dest-ip 10.10.20.2 orig ifp reth1.0 output_ifp reth1.0 orig-zone 7 out-zone 7 vsd 1
Aug 2 22:04:36 22:04:35.936274:CID-1:RT: route to 10.10.20.2
Aug 2 22:04:36 22:04:35.936288:CID-1:RT:Installing c2s NP session wing
Aug 2 22:04:36 22:04:35.936293:CID-1:RT:Installing s2c NP session wing
Aug 2 22:04:36 22:04:35.936301:CID-1:RT:sm_flow_notify_session_creation: app_id 0, flags 0x0, ifl_in 67, zone_in 7, ifl_out 66, zone_out 6
Aug 2 22:04:36 22:04:35.936394:CID-1:RT: flow got session.
Aug 2 22:04:36 22:04:35.936399:CID-1:RT: flow session id 26784
Aug 2 22:04:36 22:04:35.936411:CID-1:RT: vsd 1 is active
Aug 2 22:04:36 22:04:35.936608:CID-1:RT:mbuf 0x4bb05060, exit nh 0x243c1
Aug 2 22:04:36 22:04:35.936621:CID-1:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
Aug 2 22:04:36 22:04:35.996278:CID-1:RT:<10.10.10.2/0->10.10.20.2/51313;1> matched filter f0:
Aug 2 22:04:36 22:04:35.996296:CID-1:RT:packet [84] ipid = 12824, @4ba9f04e
Aug 2 22:04:36 22:04:35.996307:CID-1:RT:---- flow_process_pkt: (thd 0): flow_ctxt type 0, common flag 0x0, mbuf 0x4ba9ee40
Aug 2 22:04:36 22:04:35.996318:CID-1:RT: flow process pak fast ifl 66 in_ifp reth0.0
Aug 2 22:04:36 22:04:35.996330:CID-1:RT: reth0.0:10.10.10.2->10.10.20.2, icmp, (0/0)
Aug 2 22:04:36 22:04:35.996341:CID-1:RT: find flow: table 0x4e789b20, hash 33408(0xffff), sa 10.10.10.2, da 10.10.20.2, sp 34861, dp 1, proto 1, tok 384
Aug 2 22:04:36 22:04:35.996362:CID-1:RT: flow got session.
Aug 2 22:04:36 22:04:35.996366:CID-1:RT: flow session id 26784
Aug 2 22:04:36 22:04:35.996380:CID-1:RT: vsd 1 is active
Aug 2 22:04:36 22:04:35.996520:CID-1:RT:mbuf 0x4ba9ee40, exit nh 0x20bc1
Aug 2 22:04:36 22:04:35.996533:CID-1:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)

Page 266: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


DEBUGGING PACKET DROPS

# To see drop counters per interface for the various drop reasons
show interfaces ge-4/0/1.0 extensive | find Error

# To create a log file that records packet drops for a certain source network
edit security flow traceoptions
set file DROPS
set flag packet-drops
set packet-filter FFILTER1 source-prefix 20.0.81.0/24
top

# To watch packet drops live use
monitor start DROPS

# Search the log file for packet drops of a certain source IP
# The trim command improves readability by removing the leading timestamp and thread prefix
root@srx5600# run file show /var/log/DROPS | find 20.0.81.143 | trim 71

ge-4/2/1.0:20.0.81.143->10.1.80.1, icmp, (8/0)
packet dropped, no route to dest
packet dropped, ROUTE_REJECT_GEN_ICMP.

ge-4/2/1.0:20.0.81.143->20.0.80.2, icmp, (8/0)
packet dropped, denied by policy
packet dropped, policy deny.
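Reading a DROPS file by eye stops working once the filter matches a busy prefix. The script below is an added example, not part of this deck or of Junos: it does offline what the `find ... | trim 71` above does interactively, stripping the `CID-n:RT:` prefix, pairing each `packet dropped, ...` line with the packet line that precedes it, and counting drops per source, destination, protocol and reason. The trace lines it runs over are constructed in the format shown above (the TCP form with `/port` is assumed from the flow trace layout on the previous pages).

```python
"""Summarise 'packet dropped' lines from a security flow trace written with
'set flag packet-drops'. Added example; the sample trace is constructed."""
import re
from collections import Counter

# Trace prefix such as "Aug 2 22:04:36 22:04:35.935844:CID-1:RT:" (what "| trim 71" removes)
_PREFIX = re.compile(r'^.*?:CID-\d+:RT:\s*')
# "ge-4/2/1.0:20.0.81.143->10.1.80.1, icmp, (8/0)"  or
# "ge-4/2/1.0:20.0.81.143/40001->20.0.80.2/3389, tcp, flag 2 syn"
_PACKET = re.compile(
    r'^(?P<ifl>[\w./-]+):(?P<src>[\d.]+?)(?:/(?P<sport>\d+))?->'
    r'(?P<dst>[\d.]+?)(?:/(?P<dport>\d+))?, (?P<proto>\w+)')
_DROP = re.compile(r'^packet dropped, (?P<reason>.+?)\.?$')


def summarise_drops(trace_lines):
    """Return a Counter keyed by (src, dst, proto, reason).

    A drop line belongs to the most recent packet line; drop lines seen
    before any packet line (a trace cut mid-flow) are ignored.
    """
    counts = Counter()
    current = None
    for raw in trace_lines:
        line = _PREFIX.sub("", raw.rstrip())
        pkt = _PACKET.match(line)
        if pkt:
            current = (pkt.group("src"), pkt.group("dst"), pkt.group("proto"))
            continue
        drop = _DROP.match(line)
        if drop and current:
            counts[current + (drop.group("reason"),)] += 1
    return counts


def drops_for_source(counts, src):
    """Drop reasons for one source IP (the 'find 20.0.81.143' case above)."""
    per_reason = Counter()
    for (s, _d, _p, reason), n in counts.items():
        if s == src:
            per_reason[reason] += n
    return per_reason


# Constructed trace in the format of the output above, with the prefix still present.
SAMPLE_TRACE = [
    "Aug 2 22:04:36 22:04:35.935844:CID-1:RT:ge-4/2/1.0:20.0.81.143->10.1.80.1, icmp, (8/0)",
    "Aug 2 22:04:36 22:04:35.935850:CID-1:RT:packet dropped, no route to dest",
    "Aug 2 22:04:36 22:04:35.935855:CID-1:RT:packet dropped, ROUTE_REJECT_GEN_ICMP.",
    "Aug 2 22:04:37 22:04:36.101200:CID-1:RT:ge-4/2/1.0:20.0.81.143/40001->20.0.80.2/3389, tcp, flag 2 syn",
    "Aug 2 22:04:37 22:04:36.101210:CID-1:RT: policy search from zone untrust-> zone trust",
    "Aug 2 22:04:37 22:04:36.101230:CID-1:RT:packet dropped, denied by policy",
    "Aug 2 22:04:37 22:04:36.101231:CID-1:RT:packet dropped, policy deny.",
    "Aug 2 22:04:38 22:04:37.000100:CID-1:RT:ge-4/2/1.0:20.0.81.9/52000->20.0.80.2/22, tcp, flag 2 syn",
    "Aug 2 22:04:38 22:04:37.000130:CID-1:RT:packet dropped, denied by policy",
]

if __name__ == "__main__":
    for key, n in summarise_drops(SAMPLE_TRACE).most_common():
        print("%-14s -> %-12s %-5s %-25s %d" % (key[0], key[1], key[2], key[3], n))
```

The per-reason view separates routing problems (`no route to dest`) from policy problems (`denied by policy`), which is usually the first question when a flow "just disappears" through the box.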

Page 267: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


BRANCH SRX: TAKING FULL PACKET CAPTURES (1/2)
# Specify where to write the packet capture
# The file specified below is later created under /var/tmp/
# The file name is appended with ".interfacename", e.g. MY-PCAP.vlan
set forwarding-options packet-capture file filename MY-PCAP
set forwarding-options packet-capture file size 1m
set forwarding-options packet-capture maximum-capture-size 500

# Specify the interface where you want to take the pcap from
set interfaces vlan unit 0 family inet sampling input
set interfaces vlan unit 0 family inet sampling output

# Specify a filter to collect only certain packets
edit firewall family inet filter PCAP
set term 1 from source-address 192.168.210.2/32
set term 1 then sample accept
set term 2 from destination-address 192.168.210.2/32
set term 2 then sample accept
top

# Apply this filter in both directions: the input filter catches the packets sent by
# 192.168.210.2 (term 1), the output filter catches the replies to it (term 2)
set interfaces vlan unit 0 family inet filter output PCAP
set interfaces vlan unit 0 family inet filter input PCAP

# Wipe the old file before taking new pcaps
run file delete /var/tmp/MY-PCAP.vlan
# and start the PCAP
commit and-quit

Page 268: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


BRANCH SRX: TAKING FULL PACKET CAPTURES (2/2)
# CLI command to copy the file to a remote FTP server to inspect with Wireshark
# You can also use scp, tftp and http in the destination URL
# (an FTP URL carries the password in clear text and leaves it in the command history; prefer scp)
file copy /var/tmp/MY-PCAP.vlan ftp://username:password@<ftp-server>/var/tmp

# Tweak to view the pcap file from the shell: start shellcd /var/tmp tcpdump -n -r MY-PCAP.vlan

# Here is the CLI help with more details
help reference forwarding-options packet-capture

# And here is the online documentation
http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junos-security-admin-guide/config-pcap-chapter.html#config-pcap-chapter

Page 269: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


DATACENTER SRX: TAKING FULL PACKET CAPTURES (1/1)
# Since JUNOS 10.4R1 data path debugging on data center SRX
# allows taking packet captures

edit security datapath-debug
set capture-file SRXPCAP format pcap size 1m files 5
set maximum-capture-size 100
set action-profile do-capture event np-ingress packet-dump
set packet-filter PCAP1 source-prefix 192.168.1.1/32 action-profile do-capture
set packet-filter PCAP2 destination-prefix 192.168.1.1/32 action-profile do-capture
top
# The start/stop of the capture is controlled from the CLI
request security datapath-debug capture (start|stop)
# Caveat: keep the datapath-debug stanza only while troubleshooting and remove it afterwards;
# it adds work to every packet that matches the filters.

# To inspect the resulting PCAP either copy it to a system with Wireshark installed
# or start a shell locally and use "tcpdump -nr /var/log/SRXPCAP"

Page 270: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


USEFUL TROUBLESHOOTING INFORMATION

JUNOS Troubleshooting and Monitoring Day One Booklet

Data Collection Checklist KB21781

ScreenOS Debug Commands and JUNOS equivalent KB14000

SRX Troubleshooting Commands KB15779

Monitor interface and Monitor traffic Admin Guide

Taking Packet Captures Admin Guide

Troubleshooting SRX High Availability KB15911

Debug Flow KB16108

Configuring and Troubleshooting VPN KBGuide

Troubleshooting Dynamic VPN KB17220

Page 271: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


TOOLBOX

Page 272: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


ACCESS LISTS

Page 273: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


PACKET FILTER ON A STATEFUL FIREWALL?

Access lists, or stateless filters, have been in JUNOS for years.

Stateless filters are still useful for three tasks:
- Filter and redirect traffic
- Classify traffic for QoS purposes
- Implement counters

Configuration uses the "set firewall ..." stanza.

On many JUNOS interface cards the stateless filters are implemented in hardware and do not consume CPU performance.

root# set firewall ....

Page 274: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


FIREWALL FILTER EXAMPLE (COUNTING ONLY)
# Define a firewall filter to count SSH traffic
set firewall family inet filter TEST term 1 from source-address 0.0.0.0/0
set firewall family inet filter TEST term 1 from port 22
set firewall family inet filter TEST term 1 then count MYCOUNT
set firewall family inet filter TEST term 1 then accept

# We need a second term to permit everything else.
# This is because every firewall filter ends with an implicit "discard all" term
set firewall family inet filter TEST term 2 from source-address 0.0.0.0/0
set firewall family inet filter TEST term 2 then accept

# Now we are ready to assign the filter to an interface
set interfaces fe-0/0/7 unit 0 family inet filter input TEST

# Show command to monitor the counters
lab@SRX210> show firewall counter filter TEST MYCOUNT

Filter: TEST
Counters:
Name                 Bytes        Packets
MYCOUNT              70455           1005

lab@SRX210>


DNS CONFIGURATION

DNS CONFIGURATION

# Set your own hostname
set system host-name mybox

# Specify the DNS servers used to resolve DNS requests from the SRX
# Example: public DNS servers from Google
set system name-server 8.8.8.8
set system name-server 8.8.4.4

# Example: public DNS servers from OpenDNS
set system name-server 208.67.222.222
set system name-server 208.67.220.220

# Example: public servers from UltraDNS
set system name-server 156.154.70.1
set system name-server 156.154.71.1

# Set your own domain name
set system domain-name test.de

# Today (12.1) the SRX offers neither a DNS server nor a DNS proxy nor a dynamic DNS client
# DNS proxy and dynamic DNS client are currently scheduled for 12.1X44


NTP CONFIGURATION

TIME AND NTP CLIENT

# Set the time zone
set system time-zone Europe/Berlin

# Set time/date manually or simply poll a time server
srx> set date YYYYMMDDhhmm.ss
or
srx> set date ntp de.pool.ntp.org
27 Apr 16:10:48 ntpdate[981]: step time server 213.61.224.44 offset 0.000876 sec

# Specify NTP servers (here 2 servers from de.pool.ntp.org)
set system ntp server 78.46.194.186 version 4 prefer
set system ntp server 88.198.34.114 version 4

# Enable NTP reachability during power up and in cluster backup state
set system ntp boot-server 78.46.194.186

# Diagnostics
# What time is it?
srx> show system uptime | match Current
Current time: 2009-04-22 17:21:20 CEST

srx> show ntp associations no-resolve
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.53.103.104  .PTB.            1 -  504 1024  377   62.492    6.408   0.120
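The association table above is the place to verify that the SRX clock is really synchronised, which matters for log correlation and certificate validity checks. The following Python is an added example, not part of the original deck: it parses `show ntp associations no-resolve` output (the slide's line is embedded as a constructed sample), decodes the octal reach register and flags a clock with no selected peer, an unsynchronised server or a large offset; the thresholds in assess() are assumptions for illustration.

```python
"""Parse 'show ntp associations no-resolve' output from an SRX and judge sync health.

Added example, not from the original deck. SAMPLE_OUTPUT is a constructed copy of
the association line shown on the slide; the thresholds in assess() are assumptions
chosen for illustration, not Junos or ntpd defaults.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample (the slide's table, as the CLI prints it).
SAMPLE_OUTPUT = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.53.103.104  .PTB.            1 -  504 1024  377   62.492    6.408   0.120
"""

# Column 0 is the tally code: how ntpd is treating this peer.
SYSTEM_PEER = "*"      # the peer the clock is actually synchronised to

# remote refid st t when poll reach delay offset jitter (reach is printed in octal)
ROW_RE = re.compile(
    r"^(?P<tally>[ *+\-x.#o])(?P<remote>\S+)\s+(?P<refid>\S+)\s+(?P<st>\d+)\s+(?P<t>\S)\s+"
    r"(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+(?P<delay>-?[\d.]+)\s+"
    r"(?P<offset>-?[\d.]+)\s+(?P<jitter>[\d.]+)\s*$"
)


@dataclass
class Association:
    tally: str
    remote: str
    refid: str
    stratum: int
    poll: int
    reach: int            # 8-bit shift register: bit set = that poll got an answer
    delay_ms: float
    offset_ms: float
    jitter_ms: float

    def polls_answered(self) -> int:
        """How many of the last 8 polls were answered (popcount of reach; 377 octal -> 8)."""
        return bin(self.reach).count("1")


def parse_associations(text: str) -> List[Association]:
    """Return one Association per table row; header, ruler and prompt lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        rows.append(Association(
            tally=m["tally"], remote=m["remote"], refid=m["refid"],
            stratum=int(m["st"]), poll=int(m["poll"]), reach=int(m["reach"], 8),
            delay_ms=float(m["delay"]), offset_ms=float(m["offset"]),
            jitter_ms=float(m["jitter"]),
        ))
    return rows


def assess(rows: List[Association], max_stratum: int = 4,
           max_offset_ms: float = 128.0, min_polls: int = 4) -> Tuple[bool, List[str]]:
    """Return (healthy, findings). Each finding is a reason the device time is not
    trustworthy enough for log correlation or certificate checks."""
    findings = []
    if not [r for r in rows if r.tally == SYSTEM_PEER]:
        findings.append("no system peer selected: the clock is free-running")
    for r in rows:
        if r.stratum >= 16:
            findings.append(f"{r.remote}: stratum 16, the server itself is unsynchronised")
        elif r.stratum > max_stratum:
            findings.append(f"{r.remote}: stratum {r.stratum} exceeds {max_stratum}")
        if abs(r.offset_ms) > max_offset_ms:
            findings.append(f"{r.remote}: offset {r.offset_ms} ms exceeds {max_offset_ms} ms")
        if r.polls_answered() < min_polls:
            findings.append(f"{r.remote}: only {r.polls_answered()}/8 recent polls answered")
    return (not findings), findings


if __name__ == "__main__":
    ok, notes = assess(parse_associations(SAMPLE_OUTPUT))
    print("healthy" if ok else "\n".join(notes))
```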

NTP IN HA CLUSTERS

# Define the NTP server as usual in the global context
edit system ntp
set server 10.0.0.1
set source-address 10.0.0.2
top

# Enable NTP on the cluster member in backup state (traffic is leaving from fxp0)
edit groups node1 system ntp
set server 10.0.0.1
set source-address <ip of fxp0/node1>
top

# Per-node backup routes are required when the NTP server is not directly connected to fxp0
set groups node0 routing-options static route 10.0.0.0/24 next-hop 192.168.1.254
set groups node1 routing-options static route 10.0.0.0/24 next-hop 192.168.1.254


DHCP

DHCP CLIENT

# Enable the DHCP client on an interface
set interfaces fe-0/0/7 unit 0 family inet dhcp

# Permit DHCP traffic on this interface (or on the whole security zone)
set security zones security-zone untrust interfaces fe-0/0/7.0 host-inbound-traffic system-services dhcp

# Option: you can propagate the DNS/WINS settings learnt by the DHCP client to be
# reused by the local DHCP server
set system services dhcp propagate-settings fe-0/0/7.0

# Monitoring and control
show system services dhcp client
request system services dhcp renew

DHCP SERVER

# Pools have names
edit system services dhcp pool 192.168.1.0/24
set default-lease-time 3600
set domain-name test.de
set router 192.168.1.1
set name-server 192.168.1.1
set address-range low 192.168.1.33
set address-range high 192.168.1.64
# Option - exclude an IP from the pool
set exclude-address 192.168.1.42
top

# Option - static binding, the IP must be a member of the pool
edit system services dhcp
set static-binding 00:11:22:33:44:55 fixed-address 192.168.1.33
set static-binding 00:11:22:33:44:55 host-name test
top

# Permit DHCP in the incoming zone
set security zones security-zone trust host-inbound-traffic system-services dhcp

# Monitoring
show system services dhcp pool
show system services dhcp binding
show system services dhcp statistics
show system services dhcp conflict

DHCP RELAY

# Allow incoming DHCP traffic
# The "bootp" service is only available in the interface context, not in the zone context
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services bootp

# Enable on the desired interfaces and forward to your desired destination
edit forwarding-options helpers bootp
set interface ge-0/0/0.0 server 172.18.36.12
# relay the DHCP request with the source IP of this interface
set vpn
set relay-agent-option
top

# Until 10.4 DHCP relay could not be configured inside virtual routers
# TODO


PPPOE & DSL

PPP OVER ETHERNET - EXAMPLE FOR T-ONLINE, GERMANY

# Define on which interface to use PPPoE encapsulation
set interfaces fe-0/0/5 unit 0 encapsulation ppp-over-ether

# Use password for authentication
set access profile ppp-profile authentication-order password

# PPP interface settings
set interfaces pp0 unit 0 family inet negotiate-address
set interfaces pp0 unit 0 family inet mtu 1492

# Authentication credentials
set interfaces pp0 unit 0 ppp-options pap access-profile ppp-profile
set interfaces pp0 unit 0 ppp-options pap local-password xxxxx
set interfaces pp0 unit 0 ppp-options pap local-name xxxx
set interfaces pp0 unit 0 ppp-options pap passive

# PPPoE settings and binding
set interfaces pp0 unit 0 pppoe-options underlying-interface fe-0/0/5.0
set interfaces pp0 unit 0 pppoe-options auto-reconnect 10
set interfaces pp0 unit 0 pppoe-options client
set interfaces pp0 unit 0 pppoe-options idle-timeout 0

# Diagnostic commands
show interfaces pp0
show pppoe interfaces
show pppoe statistics
request pppoe [connect|disconnect]

PPP OVER ADSL (FOR T-ONLINE, GERMANY) - BASED ON JUNOS 10.0 WITH ADSL MINI-PIM

# T-Online Germany typically uses the ATM VPI 1 and VCI 32
# Encapsulation is pppoe-over-atm with llc

# ADSL interface configuration
set interfaces at-1/0/0 encapsulation ethernet-over-atm
set interfaces at-1/0/0 atm-options vpi 1
set interfaces at-1/0/0 dsl-options operating-mode itu-dmt
set interfaces at-1/0/0 unit 0 encapsulation ppp-over-ether-over-atm-llc
set interfaces at-1/0/0 unit 0 vci 1.32

# PPPoE configuration on top of this ADSL interface
set interfaces pp0 unit 0 ppp-options pap access-profile T-Online
set interfaces pp0 unit 0 ppp-options pap local-name "[email protected]"
set interfaces pp0 unit 0 ppp-options pap local-password "xxxx"
set interfaces pp0 unit 0 ppp-options pap passive
set interfaces pp0 unit 0 ppp-options lcp-max-conf-req 0
set interfaces pp0 unit 0 ppp-options ncp-max-conf-req 0
set interfaces pp0 unit 0 pppoe-options underlying-interface at-1/0/0.0
set interfaces pp0 unit 0 pppoe-options idle-timeout 0
set interfaces pp0 unit 0 pppoe-options auto-reconnect 1
set interfaces pp0 unit 0 pppoe-options client
set interfaces pp0 unit 0 family inet mtu 1450
set interfaces pp0 unit 0 family inet negotiate-address
set access profile T-Online client "[email protected]" pap-password "xxxx"

# Default route (mandatory, because the negotiated gateway will not appear in the routing table)
set routing-options static route 0.0.0.0/0 next-hop pp0.0


SRX AS UAC ENFORCER

SRX AS UAC ENFORCER (1/2)

Important to know:
• In contrast to ScreenOS, JUNOS does not need a signed certificate on the IC. Unless explicitly configured, JUNOS will ignore the certificate presented by the IC. The communication is then only protected by the password.
• Captive Portal support has been added with JUNOS 10.2
• For IPSec enforcement the SRX has to be configured manually, in contrast to ScreenOS, where the IC pushes the IPSec configuration too. Please "RTFM"
• If the IC is configured as a cluster you have to configure two ICs on JUNOS using their physical IP addresses. Please do not use the VIP.

Example configuration with an IC cluster:

# create IC connections
set services unified-access-control infranet-controller uac1 address 10.1.1.1
set services unified-access-control infranet-controller uac1 interface reth2.0
set services unified-access-control infranet-controller uac1 password "<PW-Hash>"
set services unified-access-control infranet-controller uac2 address 10.1.1.2
set services unified-access-control infranet-controller uac2 interface reth2.0
set services unified-access-control infranet-controller uac2 password "<PW-Hash>"
set services unified-access-control timeout 20
set services unified-access-control interval 5
# optional: add certificate verification - the root certificate has to be loaded to the SRX (see VPN with Certificates)
set services unified-access-control infranet-controller uac1 server-certificate-subject <cert-name>
set services unified-access-control infranet-controller uac1 ca-profile <profile-name>
set services unified-access-control infranet-controller uac2 server-certificate-subject <cert-name>
set services unified-access-control infranet-controller uac2 ca-profile <profile-name>

SRX AS UAC ENFORCER (2/2)

Enforcer options:

# enable test-only-mode (only logging without enforcement)
set services unified-access-control test-only-mode

# define the timeout-action (if the connection to the IC is lost)
set services unified-access-control timeout-action <close | no-change | open>

Policy enforcement with captive portal:

# create a captive portal policy - redirect-url is optional
set services unified-access-control captive-portal my-cp-policy redirect-traffic unauthenticated
set services unified-access-control captive-portal my-cp-policy redirect-url https://ic.xyz.com/auth

# create a firewall policy with application-service "uac-policy"
set security policies from-zone untrust to-zone trust policy uac-enforcem match source-address any
set security policies from-zone untrust to-zone trust policy uac-enforcem match destination-address any
set security policies from-zone untrust to-zone trust policy uac-enforcem match application any
set security policies from-zone untrust to-zone trust policy uac-enforcem then permit application-services uac-policy captive-portal my-cp-policy
set security policies from-zone untrust to-zone trust policy uac-enforcem then log session-close

SRX AS UAC ENFORCER - DIAGNOSTICS

show services unified-access-control status
show services unified-access-control policies
show services unified-access-control rules
show services unified-access-control authentication detail
show services unified-access-control role-provisioning all
show security flow session ... extensive


PORT MIRRORING

PORT MIRRORING ON BRANCH SRX

# You can mirror traffic from one L3 interface to a host on another L3 interface.
# For configuration start with selecting the outbound interface and the destination host.
# The mirrored traffic is sent with its destination MAC rewritten to the MAC address of that host.
edit forwarding-options port-mirroring
set input rate 1 run-length 10
set family inet output interface ge-0/0/1.0 next-hop 10.0.210.33
top

# Next configure the firewall filter that port mirrors. 0.0.0.0/0 is all traffic
edit firewall filter port-mirror term 1
set from source-address 0.0.0.0/0
set then port-mirror
set then accept
top

# Finally set the filter on the source interface that should be mirrored
# This must be a physical L3 interface (family inet, not family switching)
set interfaces ge-0/0/0 unit 0 family inet filter input port-mirror
set interfaces ge-0/0/0 unit 0 family inet filter output port-mirror

PORT MIRRORING ON DATACENTER SRX

# mirror port ge-0/0/1 to port ge-0/0/2
edit forwarding-options port-mirroring
set input rate 1 run-length 10
set family any output interface ge-0/0/2
set instance inst1 input rate 1 run-length 10
set instance inst1 family any output interface ge-0/0/2
top

set interfaces ge-0/0/1 port-mirror-instance inst1


CLASS OF SERVICE

JUNOS COS SUMMARY

[Figure: CoS building blocks along the packet path: BA Classifier, Multifield Classifier, Ingress Policing, FWD Policy, Fabric Priority, Fabric, Egress Policing, Scheduler/WRED, Rewrite/Marker. The classifiers set the Forwarding Class & Loss Priority used by the later stages.]

COS - BUILDING BLOCKS (1/2)

Ingress processing: forwarding classes and queues
Classification maps traffic to internal queues. The 4 default SRX forwarding classes map to 4 queues; additional forwarding classes can be specified.
show class-of-service
show interfaces queue ge-0/0/0

IFL classification (interface-level classification of forwarding class and loss priority)
Specify the class based on interface/sub-interface/logical interface
set class-of-service interfaces <name> unit <x> forwarding-class assured-forwarding

BA classification (behavior aggregate classification of forwarding class and loss priority)
Specify the class based on DSCP (IP) or EXP (MPLS) bits
show class-of-service classifier name dscp-default
set class-of-service interfaces fe-0/0/3 unit 0 classifiers dscp default

MF classification (multifield classification of forwarding class and loss priority)
Specify the class based on stateless packet filters
set firewall family inet filter ..... then forwarding-class ...
set interfaces fe-0/0/3 unit 0 family inet filter .....

Simple filters (implemented on special hardware)
Specify only class, loss-priority and policer - no drop or count action, only one prefix
set firewall family inet simple-filter ....
set interfaces <name> unit <x> family inet simple-filter .....

Ingress policing (ingress rate limiter)
Single rate policer: establish a data rate, drop or change the forwarding class when thresholds are exceeded
Example on the next pages

COS - BUILDING BLOCKS (2/2)

Egress processing: scheduler & scheduler map
Packet notifications are placed into the forwarding class queue. Queues are serviced by a scheduler using WRR; WRED congestion control operates at the head of the queue.

Rewriter
Changes DSCP / EXP bits
show class-of-service rewrite-rule
set class-of-service interfaces ge-0/0/0 unit 0 rewrite-rules dscp default

PLP (packet loss priority) & drop profiles
PLP allows influencing the drop behaviour of packets within the same queue
set class-of-service drop-profiles ...
set class-of-service schedulers .... drop-profile-map .....

Egress policing
Single rate policer: establish a data rate, drop or change the forwarding class when thresholds are exceeded
set policer .... if-exceeding bandwidth-limit ... burst-size-limit ... then ...

SIMPLE COS EXAMPLE

• The previous page lists all available methods
• It is not mandatory to apply all of them to get a working COS configuration
• A simple example on the next pages fulfills the following requirements:
  - We have a LAN interface reth0
  - We have a WAN interface reth1
  - We have an upstream WAN bandwidth of 10Mbps
  - Traffic from the LAN IP 192.168.1.2 should be able to occupy up to 30% of the WAN bandwidth, even in congestion situations
• To achieve this it relies on the following building blocks only:
  - Use the 4 default classes
  - Create a classifier
  - Create schedulers and assign them to the forwarding classes with a scheduler map
  - Apply your classifier to the ingress interface(s)
  - Apply your scheduler map to the egress interface(s)

SIMPLE COS EXAMPLE (1/3)

# We have a LAN interface reth0
# We have a WAN interface reth1
# We have an upstream WAN bandwidth of 10Mbps
# Traffic from the LAN IP 192.168.1.2 should be able to occupy up to 30%
# of the WAN bandwidth, even in congestion situations

# 1. Create a classifier that puts traffic from the source IP 192.168.1.2
# into the separate forwarding class (assured-forwarding).
# Add counters, so we can examine how frequently each decision path is used

edit firewall family inet filter TEST-CLASSIFER
set term VOIP from source-address 192.168.1.2/32
set term VOIP then count SPECIAL
set term VOIP then forwarding-class assured-forwarding
set term VOIP then accept
set term ANY then count ANY
set term ANY then forwarding-class best-effort
set term ANY then accept
top

SIMPLE COS EXAMPLE (2/3)

# 2. Specify the behaviour for the different schedulers
# Start with af (assured forwarding)
# Notes on the scheduler parameters
# transmit-rate: can be considered the "guaranteed bandwidth", you will always get it
# shaping-rate: can be considered the "maximum bandwidth", you can send no more
# loss-priority: influences drop behaviour for packets on the same queue (4 priorities)
#   LP is a tag on each packet created by the classifier or additional policers
# buffer-size: more buffer size allows bursts, but could introduce higher latencies
edit class-of-service schedulers af
set transmit-rate percent 30
set shaping-rate percent 50
set buffer-size percent 5
set priority high
top

# Continue with be (best effort)
edit class-of-service schedulers be
set transmit-rate percent 60
set buffer-size remainder
set priority low
top

# And don't forget nc (network control)
edit class-of-service schedulers nc
set transmit-rate percent 10
set buffer-size percent 10
set priority strict-high
top

SIMPLE COS EXAMPLE (3/3)

# 3. Create a map that defines how the schedulers are applied
# to the different forwarding classes
edit class-of-service scheduler-maps TEST-MAP
set forwarding-class assured-forwarding scheduler af
set forwarding-class best-effort scheduler be
set forwarding-class network-control scheduler nc
top

# 4. Set a shaping-rate for the WAN interface and
# apply the desired scheduler map to this interface
set class-of-service interfaces reth1 unit 0 scheduler-map TEST-MAP
set class-of-service interfaces reth1 unit 0 shaping-rate 10m

# 5. Apply the classifier on the LAN interface(s), so ingress traffic gets classified
set interfaces reth0 per-unit-scheduler
set interfaces reth0 unit 0 family inet filter input TEST-CLASSIFER

# 6. Enable the scheduler on the WAN interface, so that egress traffic gets shaped
set interfaces reth1 per-unit-scheduler
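To check the three schedulers before committing, and to see what the percentages mean in bits per second, here is an added Python example (not from the deck): it validates a scheduler set against the consistency rules a scheduler map needs (transmit-rate total, a single remainder buffer, shaping above the guarantee, one scheduler per class), renders the equivalent set commands for steps 2 to 4 and 6, and computes the bandwidth the slide's 30% guarantee amounts to on the 10m shaped WAN interface. Scheduler names, percentages, TEST-MAP, reth1 and 10m are the slide's values; the checks themselves are an assumption, not a Junos feature.

```python
"""Validate the slide's af/be/nc schedulers and render them as Junos 'set' commands.

Added example, not from the original deck. Scheduler names, percentages, TEST-MAP,
reth1 and the 10m shaping rate are the slide's values; the checks in validate() are
the consistency rules a practitioner applies before commit, not a Junos feature.
"""
from dataclasses import dataclass
from typing import List, Optional

VALID_PRIORITIES = {"low", "medium-low", "medium-high", "high", "strict-high"}


@dataclass
class Scheduler:
    name: str
    forwarding_class: str
    transmit_pct: int                   # guaranteed share of the shaped interface rate
    priority: str
    shaping_pct: Optional[int] = None   # ceiling for this queue; None = not shaped
    buffer_pct: Optional[int] = None    # None = 'buffer-size remainder'


# The three schedulers from SIMPLE COS EXAMPLE (2/3).
SLIDE_SCHEDULERS = [
    Scheduler("af", "assured-forwarding", 30, "high", shaping_pct=50, buffer_pct=5),
    Scheduler("be", "best-effort", 60, "low"),
    Scheduler("nc", "network-control", 10, "strict-high", buffer_pct=10),
]


def validate(scheds: List[Scheduler]) -> List[str]:
    """Return the list of problems found; an empty list means the set is consistent."""
    problems = []
    if sum(s.transmit_pct for s in scheds) > 100:
        problems.append("transmit-rate percentages add up to more than 100%")
    fixed = [s.buffer_pct for s in scheds if s.buffer_pct is not None]
    if len(scheds) - len(fixed) > 1:
        problems.append("more than one scheduler uses 'buffer-size remainder'")
    if sum(fixed) > 100:
        problems.append("buffer-size percentages add up to more than 100%")
    classes = [s.forwarding_class for s in scheds]
    if len(set(classes)) != len(classes):
        problems.append("a forwarding class is bound to more than one scheduler")
    for s in scheds:
        if s.priority not in VALID_PRIORITIES:
            problems.append(f"{s.name}: unknown priority '{s.priority}'")
        if s.shaping_pct is not None and s.shaping_pct < s.transmit_pct:
            problems.append(f"{s.name}: shaping-rate {s.shaping_pct}% is below its "
                            f"transmit-rate {s.transmit_pct}%")
    return problems


def parse_rate(rate: str) -> int:
    """Junos rate with optional k/m/g suffix (decimal multiples) to bits per second."""
    mult = {"k": 1_000, "m": 1_000_000, "g": 1_000_000_000}
    unit = rate[-1].lower()
    return int(rate[:-1]) * mult[unit] if unit in mult else int(rate)


def guaranteed_bps(sched: Scheduler, interface_shaping_rate: str) -> int:
    """transmit-rate percent applied to the interface's shaping-rate."""
    return parse_rate(interface_shaping_rate) * sched.transmit_pct // 100


def render(scheds: List[Scheduler], map_name: str, wan_if: str, unit: int,
           shaping_rate: str) -> List[str]:
    """Emit the scheduler, scheduler-map and interface statements (steps 2-4 and 6)."""
    cmds = []
    for s in scheds:
        base = f"set class-of-service schedulers {s.name}"
        cmds.append(f"{base} transmit-rate percent {s.transmit_pct}")
        if s.shaping_pct is not None:
            cmds.append(f"{base} shaping-rate percent {s.shaping_pct}")
        cmds.append(f"{base} buffer-size remainder" if s.buffer_pct is None
                    else f"{base} buffer-size percent {s.buffer_pct}")
        cmds.append(f"{base} priority {s.priority}")
    for s in scheds:
        cmds.append(f"set class-of-service scheduler-maps {map_name} "
                    f"forwarding-class {s.forwarding_class} scheduler {s.name}")
    cmds.append(f"set class-of-service interfaces {wan_if} unit {unit} scheduler-map {map_name}")
    cmds.append(f"set class-of-service interfaces {wan_if} unit {unit} shaping-rate {shaping_rate}")
    cmds.append(f"set interfaces {wan_if} per-unit-scheduler")
    return cmds


if __name__ == "__main__":
    problems = validate(SLIDE_SCHEDULERS)
    if problems:
        raise SystemExit("\n".join(problems))
    print("\n".join(render(SLIDE_SCHEDULERS, "TEST-MAP", "reth1", 0, "10m")))
    print(f"# af guarantee on a 10m link: {guaranteed_bps(SLIDE_SCHEDULERS[0], '10m')} bps")
```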

INGRESS POLICER (FIREWALL FILTER)

# Ingress policers with simple filters depend on the interface hardware and are not
# available on all systems. Systems known to support these are
# SRX-3K and SRX-5K with Combo Card
# simple-filter might be required instead of firewall filter

# The example below limits traffic from a certain source to 1Mbps

edit firewall policer ONE-MBIT
set if-exceeding bandwidth-limit 1m
set if-exceeding burst-size-limit 63k
set then discard
top

edit firewall family inet filter TESTFILTER term TERM1
set from source-address 172.27.60.4/32
set then policer ONE-MBIT
top

# apply this filter on the interface (input or output is possible)
set interfaces reth0 unit 0 family inet filter input TESTFILTER

INGRESS POLICER (SIMPLE FILTER)

# On some systems simple filters can be used instead of firewall filters
# Simple filters are ingress only and have fewer match options than firewall filters,
# but they are better for performance reasons, because the interface hardware is used to
# perform the filtering (and thus does not require performance on the Central Point).
# Systems known to support simple filters are SRX-3K and SRX-5K with Combo Card

# The example below limits traffic from a certain source to 1Mbps

edit firewall policer ONE-MBIT
set if-exceeding bandwidth-limit 1m
set if-exceeding burst-size-limit 63k
set then discard
top

edit firewall family inet simple-filter TESTFILTER term TERM1
set from source-address 172.27.60.4/32
set then policer ONE-MBIT
top

# apply this filter on the interface
set interfaces reth0 unit 0 family inet simple-filter input TESTFILTER

TROUBLESHOOTING AND FURTHER INFORMATION

# COS monitoring and investigation commands
show class-of-service …
show firewall filter …
show policer …
show interfaces queue <if-name>
show interfaces extensive <if-name>

# COS Configuration Guide for Security Devices
http://www.juniper.net/techpubs/en_US/junos12.1/information-products/topic-collections/security/software-all/class-of-service/junos-security-swconfig-cos.pdf

# SRX Interface Guide
http://www.juniper.net/techpubs/software/junos-security/junos-security95/junos-security-swconfig-interfaces-and-routing/frameset.html

VIRTUAL CHANNELS (VC)

• The VC concept is only available on Branch SRX and J-Series
• This approach is useful when a central site is sending traffic to several sites which have limited WAN bandwidth, and the WAN interface of the central site has more bandwidth than the branches
• Up to 64 virtual channels per system can be supported
• Traffic to each site needs to be assigned to a VC using firewall filters
• Queuing/scheduling/shaping for each VC is performed at OUTQ
• Configuring a shaper for each VC is mandatory

[Figure: central site with a DS3 link into the network; branch sites connected via ADSL, T1 and E1]

VIRTUAL CHANNEL EXAMPLE

edit firewall family inet filter SITE1
set term SITE1 from destination-address 192.2.1.2/32
set term SITE1 then virtual-channel site1
top

set class-of-service virtual-channels site1
set class-of-service virtual-channels site2
set class-of-service virtual-channels site3

edit class-of-service virtual-channel-groups WAN
set site1 scheduler-map TEST-MAP
set site1 shaping-rate 2m
set site2 scheduler-map TEST-MAP
set site2 shaping-rate 1500000
set site3 scheduler-map TEST-MAP
set site3 shaping-rate 1500000
top

# Apply the virtual channels on the egress WAN interface ??
set interfaces ge-0/0/0 per-unit-scheduler
set class-of-service interfaces ge-0/0/0 unit 0 virtual-channel-group WAN

# Apply the firewall filters on the ingress LAN interface ??
set interfaces ge-0/0/1 unit 0 family inet filter input SITE1

COS - NOTES AND LIMITATIONS AND TIPS (1/2)

System dependencies
• SRX branch devices support shaping-rate at the logical (unit) level, not on the physical port.
• EX switches support shaping-rate at the physical port level, but not at the logical level
• On Datacenter SRX, BA classification is done on the NPU and MF classification on the SPU
• On a given interface, queues can be at one (and only one) of the following levels:
  - Interface
  - Sub-interface (e.g. VLAN, DLCI). This is referred to as "per-unit-scheduling"
  - Virtual channels (a concept present only in Branch SRX and J-Series)

Interface type dependencies
• Today (with JUNOS 10.3) schedulers can not be applied to secure tunnel interfaces. Either apply the map to the underlying physical interface, use GRE tunnels, or on Branch SRX use virtual channels
• On SRX schedulers can be applied on L3 interfaces and VLAN sub-interfaces
• Reth interfaces have a maximum of 4 queues

Interface hardware dependencies
• Ingress interface policing is only available on SRX-5600 and 5800 with Combo Module

COS - NOTES AND LIMITATIONS AND TIPS (2/2)

Default settings
• All router-initiated control-plane traffic is automatically assigned to network-control. Packets originating from protocols such as LLDP, RSTP, OSPF etc. are therefore handled by queue 3
• All other traffic goes into the best-effort queue
• Schedulers are disabled on most interfaces and must be enabled to work:
  set interfaces ge-0/0/0 per-unit-scheduler
• per-unit-scheduler is enabled by default on gr- (GRE), ip- (IPIP) and ls- (Multilink) interfaces

Bandwidth calculations
• Policers work on L3 packet sizes
• Shapers work on L2 packet sizes

Tip: applying classifiers to multiple interfaces
set class-of-service interfaces ge-0/0/* unit 0 classifiers ieee-802.1 default


HIGH AVAILABILITY

SOLUTION ARCHITECTURE

[Figure: two nodes, Node 0 and Node 1, each running its own control plane daemons and forwarding daemon. The control planes are connected via fxp1 (control plane link), the forwarding planes via fab0/fab1 (data plane + RTOs).]

• GRES provides nonstop failover
• Single device abstraction
• Clean separation of control and forwarding planes
• Unified configuration with configuration sync

TWO CHASSIS CONNECTED TOGETHER

[Figure: the two chassis are linked by a control plane connection (SPC to SPC) and a data plane connection (IOC to IOC).]

INTERFACE NUMBERING

Interfaces in HA clusters are renumbered: node0 keeps slots 0-11 (RE 0), node1 uses slots 12-23 (RE 1).

[Figure: the same physical interface is ge-1/0/0 on node0 (slot 0 ... slot 11) and ge-13/0/0 on node1 (slot 12 ... slot 23).]

CLUSTER INTERFACES

Model     | Management (fxp0)          | Control-Link (fxp1)                                                         | Fabric-Link
----------|----------------------------|-----------------------------------------------------------------------------|------------------------------------------------
SRX 100   | fe-0/0/6                   | fe-0/0/7, tagged - VLAN 4094 1)                                             | Any interface, untagged; MTU on SRX100 is 1628
SRX 210   | fe-0/0/6                   | fe-0/0/7, tagged - VLAN 4094 1)                                             | Any interface, untagged; jumbo frames, MTU 9014
SRX 240   | ge-0/0/0                   | ge-0/0/1, tagged - VLAN 4094 1)                                             | Any interface, untagged; jumbo frames, MTU 9014
SRX 650   | ge-0/0/0                   | ge-0/0/1, tagged - VLAN 4094 1)                                             | Any interface, untagged; jumbo frames, MTU 9014
J-Series  | ge-0/0/2                   | ge-0/0/3, untagged                                                          | Any interface, untagged; jumbo frames, MTU 9014
SRX 3000  | fxp0 on the Routing Engine | onboard HA Port 0 with any type of SFP, untagged                            | Any interface, untagged; jumbo frames, MTU 9014
SRX 5000  | fxp0 on the Routing Engine | first port of any SPC, same slot SPC on both SRX, fiber SFPs only, untagged | Any interface, untagged; jumbo frames, MTU 9014

1) VLAN tagging became configurable with JUNOS 10.3, Syntax

SRX3000 HARDWARE AND INTERFACE REDUNDANCY

SRX3000                  | Interface                                     | Redundancy                                                               | Remarks
-------------------------|-----------------------------------------------|--------------------------------------------------------------------------|---------------------------------
Management (fxp0)        | Yes, on the Routing Engine                    | No                                                                       |
Control link (fxp1)      | built-in on SFB module, use HA Control Port 0 | Possible with HA Control Port 1 on SFB, requires CRM module & JUNOS 10.2 | untagged, jumbo frames
Data link (fab0 & fab1)  | Yes                                           | Possible since JUNOS 10.2                                                | untagged, jumbo frames, uses LAG
Secondary Switch Fabric  | -                                             | Not yet supported                                                        |
Secondary Routing Engine | -                                             | Not yet supported                                                        |

SRX5000 HARDWARE AND INTERFACE REDUNDANCY

SRX5000                     | Interface                                                                         | Redundancy                                                                          | Remarks
----------------------------|-----------------------------------------------------------------------------------|-------------------------------------------------------------------------------------|-------------------------------------------------------------------
Management (fxp0)           | Yes, on the first Routing Engine                                                  | Today (10.4) a second Routing Engine is just used for control-link redundancy      |
Control link (fxp1)         | first port of any SPC                                                             | Requires second Routing Engine, uses second port on SPC, supported since JUNOS 10.0 | Must be on the same SPC in each cluster member; fiber SFPs only !!
Data link (fab0 & fab1)     | Yes, can be on any IO card, must be configured                                    | Available since JUNOS 10.2 by using LAG configuration                              |
Second Switch Control Board | Second SCB is included in each SRX-5800 base system and is an option for SRX-5600 | Fallback to single switch reduces maximum performance                              |
Third Switch Control Board  | Slot exists to install a third SCB on SRX5800 but this is not yet supported       |                                                                                     |
Secondary Routing Engine    | -                                                                                 | Today (10.4) a second Routing Engine is just used for control-link redundancy      |

SRX CLUSTER CREATION - STEP BY STEP

1. Plug in the cluster control and fabric links
2. Set the cluster ID on both members and reboot them
3. On SRX 5000: configure the control ports on both members
4. From now on both members can be configured as one
5. Specify the data links (a.k.a. fabric ports)
6. Define node-specific configuration in apply-groups
7. Define at least 2 redundancy groups
8. Configure redundant Ethernet interfaces for these RGs
9. Continue with the remaining configuration

HIGH AVAILABILITY - CONTROL AND FABRIC LINKS

• Create a cluster
• Define control ports (on SRX5K between SPCs, fiber only). This will become interface fxp1
• Define data ports (on SRX5K between IOCs). fab0 and fab1 are the fabric links

# The cluster ID must be between 1 and 15
# Cluster ID 0 or "disable chassis cluster" unsets the cluster
# Each device in the cluster must be given a unique node number
# A reboot is required to make the change effective
# This configuration is required on both cluster members
set chassis cluster cluster-id <0-15> node <0-1> reboot

# At least one interface from each cluster member
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-12/0/2
# Since JUNOS 10.2 you can add additional interfaces
set interfaces fab0 fabric-options member-interfaces ge-0/0/3
set interfaces fab1 fabric-options member-interfaces ge-12/0/3

# Control ports (SRX 5000)
set chassis cluster control-ports fpc 0 port 0
set chassis cluster control-ports fpc 12 port 0

HIGH AVAILABILITY - NODE SPECIFIC CONFIGURATION

Group configuration (all settings which are node specific)

# These are the settings for the first node
set groups node0 system host-name SRX5800-1
set groups node0 system backup-router 172.26.26.1 destination 0.0.0.0/0
set groups node0 interfaces fxp0 unit 0 family inet address 172.26.26.104/24

# These are the settings for the second node
set groups node1 system host-name SRX5800-2
set groups node1 system backup-router 172.26.26.1 destination 0.0.0.0/0
set groups node1 interfaces fxp0 unit 0 family inet address 172.26.26.105/24

# And here we make sure that both groups are part of the configuration,
# but only the node-specific settings are applied on each cluster member
set apply-groups "${node}"

# You can specify a secondary address to always reach the master
# Don't use this to connect to NSM
set groups node1 interfaces fxp0 unit 0 family inet address 172.26.26.106/24 master-only
set groups node0 interfaces fxp0 unit 0 family inet address 172.26.26.106/24 master-only

HIGH AVAILABILITY: REDUNDANCY GROUPS

Define Two Redundancy Groups for A/P

Option: A second group for A/A (possible since JUNOS 9.5)

# Redundancy Group 0 is required for the Routing Engine

set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100

# Redundancy Group 1 is used for redundant interfaces in A/P configuration

set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100

# Redundancy Group 2 is used for redundant interfaces in A/A configuration

set chassis cluster redundancy-group 2 node 0 priority 100
set chassis cluster redundancy-group 2 node 1 priority 200

HIGH AVAILABILITY: REDUNDANT INTERFACES

Define Number of Redundant Interfaces in your Cluster (at least 2)

Configure the redundant Interfaces

Finally assign physical interfaces to them

# The total number of redundant Ethernet interfaces
# This statement creates reth0, reth1, reth2, reth3
set chassis cluster reth-count 4

# Make individual interfaces members of reth0
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-12/0/3 gigether-options redundant-parent reth0

# Make individual interfaces members of reth1
set interfaces ge-0/0/4 gigether-options redundant-parent reth1
set interfaces ge-12/0/4 gigether-options redundant-parent reth1

set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 10.10.1.3/24
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 20.10.1.3/24

HIGH AVAILABILITY: ADDITIONAL OPTIONS (1)

# Interface monitoring
# We can release the master role in case of a Layer 1 failure on these interfaces
set chassis cluster redundancy-group 1 interface-monitor xe-0/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-11/0/0 weight 255

# Optional pre-emption (fallback when the node with the better priority returns)
set chassis cluster redundancy-group 1 preempt

# Optional hold-down interval to prevent back-to-back failovers of the redundancy group
set chassis cluster redundancy-group 1 hold-down-interval 900

# Track-IP: IP address monitoring for a redundancy group
# (introduced for Data Center SRX with JUNOS 9.6)
set chassis cluster redundancy-group 1 ip-monitoring family inet 1.1.1.1 weight 255
# Additional monitoring from the backup interface was added in JUNOS 10.1
set chassis cluster redundancy-group 1 ip-monitoring interface reth0.0 secondary-ip ..

# Optional control link recovery (introduced with JUNOS 9.6)
# Recovers the system from hold state by automatic reboot
set chassis cluster control-link-recovery

# Fabric link monitoring is disabled per default on High-End SRX since 10.4r4
# to avoid "hold" state after link loss. To enable it use the following command
set chassis cluster fabric-monitoring

HIGH AVAILABILITY: ADDITIONAL OPTIONS (2)

Redundant Interface as a VLAN Trunk

Graceful Restart

Heartbeat Interval Tuning

set interfaces reth1 vlan-tagging
set interfaces reth1 redundant-ether-options redundancy-group 1
# Best practice: use the vlan-id also for the unit number
set interfaces reth1 unit 11 vlan-id 11
set interfaces reth1 unit 11 family inet address 10.0.11.1/24
set security zones security-zone zone11 interfaces reth1.11
set interfaces reth1 unit 12 vlan-id 12
set interfaces reth1 unit 12 family inet address 10.0.12.1/24
set security zones security-zone zone12 interfaces reth1.12

# If all participants of a routing protocol can handle graceful restart, then
# use this option to avoid downtimes resulting from OSPF or BGP re-establishment
set routing-options graceful-restart

# Set heartbeat interval (1000..2000, default is 1000)
set chassis cluster heartbeat-interval [msec]
# Set heartbeat threshold (3..8, default is 3)
set chassis cluster heartbeat-threshold [nr]

HIGH AVAILABILITY: ADDITIONAL OPTIONS (3)

VLAN-Tagging on the Branch SRX Control Link

Commit Confirm on SRX Cluster

# On Branch SRX the control link traffic per default uses VLAN ID 4094
# Since JUNOS 10.3 there is a command available to remove the VLAN tag
# A reboot is required to make the change effective
set chassis cluster control-link-vlan enable/disable

# To see the current configuration use the following command
show chassis cluster information

# Since a cluster configuration can be edited on both Routing Engines,
# there is no "commit confirmed" available by default
# To allow "commit confirmed" you must enter configuration mode with
configure exclusive

HIGH AVAILABILITY: MONITORING AND TROUBLESHOOTING (1)

# Configuration check
show config groups
show config chassis cluster
show config interfaces

# Hardware checks
show chassis hardware
show chassis fpc pic-status
show pfe terse
show chassis alarms
show system alarms

# Monitor cluster status
show chassis cluster status
show chassis cluster status redundancy-group <xx>

# Display information about HA interfaces (11.4 shows the state of redundant HA links too)
show chassis cluster interfaces

# Status information
show chassis cluster statistics
show chassis cluster information
show chassis cluster ip-monitoring status

# In case you find a cluster member in disabled state,
# here is a place to find root cause information
show chassis cluster information no-forwarding

HIGH AVAILABILITY: MONITORING AND TROUBLESHOOTING (2)

# Inspect log files (for support cases always collect log files from both nodes!)
show log jsrpd       or   file show /var/log/jsrpd
show log messages    or   file show /var/log/messages
show log chassisd    or   file show /var/log/chassisd

# For ongoing log file monitoring use
monitor start jsrpd

# To enable additional traces in jsrpd you can configure traceoptions
set chassis cluster traceoptions level all flag all

# To jump from one node to the other you can use the following options:
# CLI command for Branch SRX
request routing-engine login node <x>
# Shell command for Datacenter SRX
rlogin -Ji node<x>
# Or usually you can also use ssh with the fxp0 address of the second node

# Knowledgebase: Troubleshooting SRX High Availability
http://kb.juniper.net/library/CUSTOMERSERVICE/Resolution_Guides/SRX/Wrapper_SRX_Chassis_Cluster.html

HIGH AVAILABILITY: CLUSTER CONNECTIONS

# Requirements for HA cluster connections

- Latency on HA links must be below 100 msec

- Bandwidth on the fabric link: 1 Gbps is sufficient for A/P; for A/A with 10GE reth interfaces, 10GE fabric links are recommended

- Dual fabric links do offer redundancy, but only one link is used for forwarding and RTO sync

- When the HA connection travels over switches:
  - Control link traffic and fabric link traffic must be kept on separate L2 connections (different physical links or different VLANs)
  - Jumbo frames must be permitted
  - IGMP snooping must be disabled on the switch ports involved
  - For Branch SRX: disable VLAN tagging on the control link or allow QinQ on the switch: "set chassis cluster control-link-vlan disable"
  - Use the guideline from the following Knowledgebase article: SRX Cluster Deployments across L2 Networks
    http://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/technotes/3500165-EN.pdf

HIGH AVAILABILITY: MANUAL FAILOVER (1)

Requesting Failover
• Manually fail over redundancy groups between chassis
• RG0 should only be failed over in emergencies
• Should only be done after both REs have been up for 5 minutes
• Rapid failovers will cause an RE crash
• RG1 supports rapid failovers

Clearing Failover
• Failovers need to be cleared after being manually triggered
• Prevents accidental failover

HIGH AVAILABILITY: MANUAL FAILOVER (2)

Request Failover

{secondary:node1}
root@srx> request chassis cluster failover redundancy-group 1 node 1
node1:
--------------------------------------------------------------------------
Initiated manual failover for redundancy group 1

{primary:node1}
root@srx> show chassis cluster status
Cluster ID: 3
Node name    Priority    Status       Preempt    Manual failover

Redundancy group: 0 , Failover count: 1
    node0        200         secondary    no         no
    node1        1           primary      no         no

Redundancy group: 1 , Failover count: 0
    node0        255         primary      yes        yes
    node1        1           secondary    yes        yes

Clear/Reset Failover

root@srx> request chassis cluster failover reset redundancy-group 1

HIGH AVAILABILITY: MANUAL FAILOVER (3)

Manual failover can fail if systems are not yet up again

Manual failover can be difficult if the nodes have not completely recovered from a previous failover. To determine if a device is ready for repeated failovers, perform these recommended best-practice steps before doing a manual failover.

The best practices we recommend to ensure a proper failover are as follows:

• show chassis cluster status
  Use this command to verify the following for all redundancy groups:
  • One node is primary; the other node is secondary.
  • Both nodes have nonzero priority values unless a monitored interface is down.

• show chassis fpc pic-status
  Use this command to verify that the PIC status is Online.

• show pfe terse
  Use this command to verify that the Packet Forwarding Engine status is Ready and to verify the following:
  • All slots on the RG0 primary node have the status Online.
  • All slots on the RG0 secondary node, except the Routing Engine slots, have the status Valid.
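The first of these checks can be scripted. The following is an added example, not code from the quickstart or from Juniper: it parses the text of "show chassis cluster status" (in the layout shown on the MANUAL FAILOVER (2) slide) and applies the two status checks above plus the "clear manual failover" rule from MANUAL FAILOVER (1). The sample output is constructed, and the parser splits on whitespace rather than fixed columns, since column widths differ between releases.

```python
"""Pre-failover readiness check on 'show chassis cluster status' output.

Added example, not part of the original quickstart. The sample below is
constructed in the same layout as the status output on the earlier slide;
it was not captured from a device.
"""
import re

# Constructed sample: RG1 on node0 has priority 0 (a monitored object consumed its weight)
SAMPLE_STATUS = """\
Cluster ID: 3
Node name    Priority    Status       Preempt    Manual failover

Redundancy group: 0 , Failover count: 1
    node0        200         primary      no         no
    node1        100         secondary    no         no

Redundancy group: 1 , Failover count: 0
    node0        0           secondary    yes        no
    node1        100         primary      yes        no
"""

RG_HEADER = re.compile(r"^Redundancy group:\s*(\d+)\s*,\s*Failover count:\s*(\d+)")
NODE_LINE = re.compile(r"^\s*(node\d)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_cluster_status(text):
    """Return {rg_id: {node: {"priority", "status", "preempt", "manual"}}}."""
    groups = {}
    current = None
    for line in text.splitlines():
        m = RG_HEADER.match(line)
        if m:
            current = int(m.group(1))
            groups[current] = {}
            continue
        m = NODE_LINE.match(line)
        if m and current is not None:
            node, prio, status, preempt, manual = m.groups()
            groups[current][node] = {
                "priority": int(prio),
                "status": status,
                "preempt": preempt,
                "manual": manual,
            }
    return groups


def check_failover_readiness(groups, interface_down=False):
    """Apply the slide's checks to every redundancy group.

    Returns a list of findings; an empty list means every group has exactly
    one primary and one secondary, nonzero priorities (unless a monitored
    interface is known to be down) and no stale manual-failover flag.
    """
    findings = []
    for rg, nodes in sorted(groups.items()):
        statuses = sorted(n["status"] for n in nodes.values())
        if statuses != ["primary", "secondary"]:
            findings.append(f"RG{rg}: expected one primary and one secondary, got {statuses}")
        for name, n in sorted(nodes.items()):
            if n["priority"] == 0 and not interface_down:
                findings.append(f"RG{rg}: {name} has priority 0 but no monitored interface is known to be down")
            if n["manual"] == "yes":
                findings.append(f"RG{rg}: {name} still carries the manual failover flag; "
                                f"run 'request chassis cluster failover reset redundancy-group {rg}'")
    return findings


if __name__ == "__main__":
    for finding in check_failover_readiness(parse_cluster_status(SAMPLE_STATUS)):
        print(finding)
```

Feed it the captured output of "show chassis cluster status" from the node you intend to fail over; pass interface_down=True only when "show chassis cluster interfaces" confirms a monitored interface is actually down, otherwise a zero priority is a reason not to proceed.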

FAILURE CASES AND EXPECTED BEHAVIORS

Component: Expected Behavior

Control Link: Secondary node goes into disabled state. Reconnect the control link and then reboot the secondary node.

Fabric Link: Since 10.4r4 the fabric link is no longer monitored by default. Enable fabric monitoring with "set chassis cluster fabric-monitoring". With monitoring enabled: secondary node goes into disabled state. Reconnect the fabric link and then reboot the secondary node.

Power: If all power to the unit is lost then all redundancy groups will fail over.

Interface Down: Redundancy groups that monitor the interface will fail over if the total weight exceeds 254.

CP: Will cause RG1+ to fail over, but the RE will remain on the same chassis.

SPC/SPU: Any SPC or SPU failure will trigger RG1+ to fail over to the secondary chassis.

RE or SCB with RE: All redundancy groups will fail over and the chassis goes offline.

SCB w/o RE: Reduces throughput of the device; will not fail over to the second chassis. A third SCB will activate if installed (SRX 5k only).
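The "Interface Down" row and the interface-monitor / ip-monitoring weights on the ADDITIONAL OPTIONS (1) slide follow one rule: each redundancy group starts with a weight of 255, every failed monitored object subtracts its configured weight, and when the remaining weight reaches 0 the node shows priority 0 and the group fails over to the other node if that node is healthy. The following added example (not code from the quickstart or from jsrpd) models exactly that arithmetic together with the preempt option; the threshold constant, the election rules for the "both nodes at priority 0" case and the monitor names are assumptions of the model, and hold-down timers are not modelled.

```python
"""Simplified model of redundancy-group weight accounting and primary election.

Added example, not part of the original quickstart. It implements the rule
stated on the failure-case table (failover once failed monitored weights
exceed 254) for interface-monitor and ip-monitoring objects alike. Hold-down
timers and other jsrpd details are deliberately left out.
"""

# Assumption taken from the page's "exceeds 254": every redundancy group starts at weight 255
RG_THRESHOLD = 255


def remaining_weight(monitors, failed):
    """monitors: {object_name: weight}; failed: set of object names currently down.

    Returns the group's remaining weight, clamped at 0. Object names are free-form,
    so interface-monitor entries and ip-monitoring targets can share one dict.
    """
    lost = sum(w for name, w in monitors.items() if name in failed)
    return max(0, RG_THRESHOLD - lost)


def effective_priority(configured_priority, monitors, failed):
    """A node whose monitored objects have consumed the whole group weight is
    reported with priority 0 in 'show chassis cluster status'."""
    return 0 if remaining_weight(monitors, failed) == 0 else configured_priority


def elect_primary(current_primary, nodes, preempt=False):
    """nodes: {node: {"priority": int, "monitors": {...}, "failed": set()}}.

    Returns the node that should hold the primary role under these rules:
    - a node at effective priority 0 hands over when the other node is eligible
    - without preempt a healthy primary keeps the role even at lower priority
    - with preempt the highest effective priority wins; ties keep the current primary
    - if both nodes are at 0, the current primary is kept (assumption of this model)
    """
    eff = {n: effective_priority(d["priority"], d["monitors"], d["failed"])
           for n, d in nodes.items()}
    best = max(eff, key=lambda n: (eff[n], n == current_primary))
    if eff[current_primary] == 0:
        return best if eff[best] > 0 else current_primary
    if preempt and eff[best] > eff[current_primary]:
        return best
    return current_primary


if __name__ == "__main__":
    # Constructed scenario mirroring the slide: RG1 priorities 200/100, one
    # monitored uplink per node with weight 255 plus an ip-monitoring target with weight 100.
    nodes = {
        "node0": {"priority": 200, "monitors": {"xe-0/0/0": 255, "ip:1.1.1.1": 100}, "failed": set()},
        "node1": {"priority": 100, "monitors": {"xe-11/0/0": 255, "ip:1.1.1.1": 100}, "failed": set()},
    }
    print("healthy:", elect_primary("node0", nodes))
    nodes["node0"]["failed"] = {"xe-0/0/0"}
    print("node0 uplink down:", elect_primary("node0", nodes))
```

The model shows why a weight below 255 per object matters: an ip-monitoring target with weight 100 alone leaves the group at 155 and causes no failover, while two objects whose weights sum to 255 or more do.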

FAILURE CASES AND EXPECTED BEHAVIORS (CONTINUED)

Component: Expected Behavior

NPC Failure (SRX 3k): The SRX 3k supports NPC monitoring. If the NPC fails then all RG1+ groups will fail over to the other cluster member.

Control Plane Failure / RE Reboot: The data plane will continue to run up to 5 minutes without an RE, or until the RE comes back up, when chassisd comes back up and reinitializes all of the cards.

Control and Data Link (fail at the same time): Both nodes will detect the failure of the links by the loss of the heartbeat messages. In this case the secondary node will go disabled.

Complete Chassis Failure: Whether caused by a software or hardware issue, the secondary node will look for the gratuitous ARPs of the other node, and in the absence of these will assume mastership.

SRX HA State Transition Diagram

Note: Transition to the disabled state will only happen if the node is RG0 secondary.
Note: Once in the disabled state the only option to recover is to reboot the device.

[State transition diagram. States: Hold, Secondary-Hold, Secondary, Primary, Ineligible, Disabled. Transitions shown: Bootup; Hold timer expires; Secondary-hold timer expires; Primary node dies; Failover (manual, i/f failure, ip-mon failure, preempt etc.); Fabric-link failure; Ctrl-link failure; Ineligible timer fires]

APPLICATION SECURITY, INTRUSION PREVENTION, UNIFIED THREAT MANAGEMENT

FEATURE LICENSES AND CONTENT SUBSCRIPTIONS

FEATURE LICENSES

Feature | J | SRX100 | SRX110 | SRX210 | SRX220 | SRX240 | SRX650 | SRX1xxx | SRX3xxx | SRX5xxx

Memory upgrade: x - - -

Dynamic VPN: up to 25, up to 10, up to 50, up to 150, up to 250, up to 500, -, -, -

Extreme License: - - - - - - x

Logical Systems: - - - - - - up to 32 (1.5.25), up to 32 (1.5.25), up to 32 (1.5.25)

Service Offload (Low Latency): - - - - - - Free, Free, Free

Advanced BGP: x - - - - - x

1) requires High Memory model
2) includes IPS license

CONTENT SUBSCRIPTIONS AVAILABLE FOR 1, 3, 5 YEARS

Feature                       | J | SRX100   | SRX110 | SRX210   | SRX220   | SRX240   | SRX650 | SRX1xxx  | SRX3xxx  | SRX5xxx
IPS                           | x | 11.4 (1) | 11.4   | 11.4 (1) | 11.4 (1) | 11.4 (1) | 11.4   | x        | x        | x
AppSec                        | - | 11.4 (1) | 11.4   | 11.4 (1) | 11.4 (1) | 11.4 (1) | 11.4   | 10.4 (2) | 10.4 (2) | 10.4 (2)
Kaspersky-AV                  | x | x (1)    | x      | x (1)    | x (1)    | x (1)    | x      | -        | -        | -
Sophos-AV                     | - | 11.4 (1) | 11.4   | 11.4 (1) | 11.4 (1) | 11.4 (1) | 11.4   | -        | -        | -
Webfilter-Websense-Integrated | x | x (1)    | x      | x (1)    | x (1)    | x (1)    | x      | -        | -        | -
Webfilter-Websense-Enhanced   | - | 11.4 (1) | 11.4   | 11.4 (1) | 11.4 (1) | 11.4 (1) | 11.4   | -        | -        | -
Sophos-Antispam               | x | x (1)    | x      | x (1)    | x (1)    | x (1)    | x      | -        | -        | -

1) requires High Memory model
2) includes IPS license

UTM, IDP AND APPLICATION FIREWALL FEATURES REQUIRE LICENSES

# Once ordered, you can download them from the Juniper License Management Server
# This method is recommended; DNS and Internet access are required
# The default URL, as defined in "show configuration system license", is
# https://ae1.juniper.net/JUNOS/key_retrieval

# To download licenses that were bought for this device, execute
request system license update

# Or if you received a license for manual installation use this command to paste it
# Install manually when the license keys are available as a text file
request system license add terminal

# You can configure a proxy server to retrieve the licenses
set system proxy server 192.168.1.10
set system proxy port 3128
set system proxy username user1
set system proxy password user123

# To track problems with licenses open a log file
set system license traceoptions file license.log
set system license traceoptions flag all

# Trial licenses (valid for 4 weeks) are available
# You can only fetch it once per lifetime for each device serial number
request system license update trial

MANY LICENSED FEATURES ARE ENABLED PER RULE

In the firewall policy you can decide if the licensed Features are applied

edit security policies from-zone trust to-zone untrust policy default-permit
set then permit application-services [idp, uac-policy, utm-policy, services-offload]
top

APPLICATION SECURITY FEATURES: IDP, APP TRACK, APP FIREWALL, IDENTITY BASED APP FIREWALL, APP QOS, APP DDOS

STATE OF APPLICATION SECURITY

State of the Application Firewall Feature Set
• All AppSecure features are available on High End SRX with JUNOS 11.4r1
• All AppSecure features except AppDDOS and AppQoS are available for Branch SRX with 11.4r1

App-ID Database
• On High End SRX the AppID signatures were moved to a separate database with 11.4
• On Branch SRX the AppID signatures were always in a separate database since 11.2

Management and Logging
• Some AppFirewall features are not supported in NSM Log Viewer or Policy Manager
• Preferred management solution: Space or J-Web
• Preferred log solution: STRM

Licensing
• SKU AppSec-A (Advanced), High End SRX: includes application signature license & IPS license.
• SKU AppSec-B (Basic), Branch SRX: includes application signature license only. IPS license has to be purchased separately.

APPLICATION SECURITY AVAILABILITY

[Availability table: rows AppTrack, AppFW, AppQoS, AppDoS, IPS; columns High End SRX and Branch SRX; cells read "(11.4)" or "Future"]

APPSECURE PERFORMANCE

Source: AppSecure Datasheet

IDP: INTRUSION DETECTION AND PREVENTION

ACTIVATE INTRUSION DETECTION AND PREVENTION

Initial Requirements
• Install IDP license
• Download and install the attack database and detector engine (a.k.a. security-package)

IDP Policy - Option 1: Use Juniper policy templates
• Download policy templates
• Install policy templates

IDP Policy - Option 2: Write your own IDP policy
• Write a custom policy, use custom attack groups (NSM is the preferred tool for this job)

Final Steps
• Activate the desired policy
• Add action "IDP" for all firewall rules where you want to have IDP enabled

SIGNATURE UPDATES

How can signature updates be installed?
• pull (the device fetches the updates itself)
• push from Space. Space can also pull updates through a proxy connection

Branch SRX can have two different signature updates:
• IDP security-package updates include updates for IDP signatures, application identification signatures and the detector engine
• Application identification updates include only AppID signatures, no IDP signatures or detector engine

INTRUSION DETECTION AND PREVENTION ATTACK DATABASE

Download and install the latest attack database

srx> request security idp security-package download
Will be processed in asynchronous mode. Check the status using the status checking CLI

srx> request security idp security-package download status
In progress:downloading file ...SignatureUpdate_tmp.xml.gz

srx> request security idp security-package download status
Done;Successfully downloaded from(https://services.netscreen.com/cgi-bin/index.cgi).Version info:1473(Tue Aug 4 13:41:40 2009, Detector=9.2.160090324)

srx> request security idp security-package install
Will be processed in asynchronous mode. Check the status using the status checking CLI

srx> request security idp security-package install status
In progress:Compiling AI signatures ...

# Takes about 5 minutes on a SRX210 to finish
srx> request security idp security-package install status
Done;Attack DB update : successful - [UpdateNumber=1473,ExportDate=Tue Aug 4 13:41:40 2009,Detector=9.2.160090324]
Updating control-plane with new detector : successful
Updating data-plane with new attack or detector : not performed due to no existing running policy found.

INTRUSION DETECTION AND PREVENTION POLICY TEMPLATES (1/2)

If you don't want to write custom IDP policies yourself, the Juniper policy templates give you a simple starting point. Use the commands below to download and install the latest security policy templates.

srx> request security idp security-package download policy-templates
Will be processed in asynchronous mode. Check the status using the status checking CLI

srx> request security idp security-package download status
Done;Successfully downloaded from(https://services.netscreen.com/cgi-bin/index.cgi).Version info:2

srx> request security idp security-package install policy-templates
Will be processed in asynchronous mode. Check the status using the status checking CLI

srx> request security idp security-package install status
Done;policy-templates has been successfully updated into internal repository (=>/var/db/scripts/commit/templates.xsl)!

INTRUSION DETECTION AND PREVENTION POLICY TEMPLATES (2/2)

To get the policy templates added to your configuration you must enable execution of the templates.xsl script with every commit.

# At commit time, the JUNOS management process (mgd) searches the /var/db/scripts/commit
# directory for scripts and runs the script against the candidate configuration database
# to ensure the configuration conforms to the rules dictated by the scripts.
set system scripts commit file templates.xsl

Now you can use the Recommended policy template

set security idp active-policy Recommended

Once the IDP policy is defined, you can activate it "per rule"

edit security policies from-zone trust to-zone untrust policy <policyname>
set then permit application-services idp
top

INTRUSION DETECTION AND PREVENTION CUSTOM POLICY

Instead of policy templates you can write custom IDP policies, where you specify which signatures or signature groups to use, and what the desired actions are. The example below uses two INFO level signatures so that you will get IDP logs with each ping or HTTP request.

NSM is recommended to write custom IDP policies, groups and signatures

edit security idp idp-policy TEST rulebase-ips rule 1
set match source-address any
set match destination-address any
set match attacks predefined-attacks HTTP:AUDIT:URL
set match attacks predefined-attacks ICMP:INFO:ECHO-REQUEST
set then action no-action
set then notification log-attacks
top

Activate this policy and enable it on an existing firewall rule

set security idp active-policy TEST

edit security policies from-zone trust to-zone untrust policy <policyname>
set then permit application-services idp
top

INTRUSION DETECTION AND PREVENTION CUSTOM ATTACK GROUPS

You can use custom attack groups to specify which attacks you are looking for. Note that server-to-client signatures have a big performance impact. They should only be applied when you inspect traffic to untrusted servers.

edit security idp dynamic-attack-group CRITICAL-C2S
set filters severity values critical
set filters direction values exclude-server-to-client
top

edit security idp dynamic-attack-group CRITICAL-ALL
set filters severity values critical
top

edit security idp idp-policy TEST rulebase-ips rule 1
set match source-address any
set match destination-address MY-OWN-TRUSTED-SERVERS
set match attacks dynamic-attack-groups CRITICAL-C2S
set then action no-action
top

edit security idp idp-policy TEST rulebase-ips rule 2
set match source-address any
set match destination-except MY-OWN-TRUSTED-SERVERS
set match attacks dynamic-attack-groups CRITICAL-ALL
set then action ???
set then notification log-attacks
top

INTRUSION DETECTION AND PREVENTION AUTO UPDATE FOR SIGNATURES

Configure the box to fetch database updates automatically

# Set start time (old format until 10.0r2: MM-DD.hh:mm)
set security idp security-package automatic start-time 01-02.03:00

# Set start time (new format since 10.0r3: YYYY-MM-DD.HH:MM:SS)
set security idp security-package automatic start-time 2010-01-01.02:00:00

# Get the update every 24 hours
set security idp security-package automatic interval 24

# Enable auto update
set security idp security-package automatic enable

# The following situations prevent devices from pulling database updates:
# * when internet access is not possible at all
# * when internet access has to use a proxy
# * in a cluster: when the passive member cannot get internet access from fxp0

# The following options can help to solve problems with delivery of automatic updates:
# * NSM or Space can be used to pull the attack database and push it to the device;
#   both can even use proxy connections
# * An offline update procedure description is available in the Knowledgebase
# For clusters where only the active node can pull the update:
# * After RG0 failover, the second node becomes active and can fetch the update
# * A description and a script to perform the sync is posted in forum.juniper.net
# * Automatic file sync from the active node to the passive node is planned for JUNOS 12.1

IDP PACKET CAPTURES

# Since JUNOS 10.2, the Datacenter SRX supports collection and delivery of packet
# captures when an attack is found. On the STRM side you need STRM 2010.0r1 / Patch 3
# and updates of these rpms: PROTOCOL-PCAP, DSM-DSMCommon, DSM-JuniperJunOS

# Additions to IDP rules to take packet captures
edit security idp idp-policy TEST rulebase-ips rule 1 then notification
set packet-log pre-attack 4
set packet-log post-attack 6
set packet-log post-attack-timeout 2
top

# Specify the destination to deliver these data
# The port definition must match the DSM configuration on STRM
edit security idp sensor-configuration
set packet-log source-address 172.30.81.84
set packet-log host 172.30.80.76
set packet-log host port 515
top

# Resource consumption limits can be adjusted
# The values below allow for pcaps on 10% of total memory and 10% of max sessions
edit security idp sensor-configuration
set packet-log total-memory 10
set packet-log max-sessions 10
top

# Show statistics for packet logging
show security idp counters packet-log

IDP PACKET CAPTURES IN STRM

INTRUSION DETECTION AND PREVENTION: MONITORING AND DIAGNOSTICS

# Attack database version
show security idp security-package-version

# Check if the server connection is ok
request security idp security-package download check-server

# Check if IDP is enabled on a security policy
show security policies policy-name <name> detail | match Intrusion

# IDP statistics
show security idp status

# Application identification: cache with last connections and per-application stats
show security idp application-statistics
show security idp application-identification application-system-cache

# Attacks detected since last policy load
show security idp attack table

# IDP counters
show security idp counters ?

# Catch IDP logs and write them to a local log file (only possible in log mode event)
set system syslog file IDP-Logs user info
set system syslog file IDP-Logs match IDP_ATTACK
set system syslog file IDP-Logs archive size 1m
set system syslog file IDP-Logs archive files 3
set system syslog file IDP-Logs structured-data brief

IDP FILES AND THEIR LOCATION

# Attack database in XML format
file show /var/db/idpd/sec-download/SignatureUpdate.xml

# List of all attack groups
file show /var/db/idpd/sec-download/groups.xml

# List of all attacks
file show /var/db/idpd/sec-repository/attack.list

# List of all attack groups
file show /var/db/idpd/sec-repository/attack-group.list

# List of all applications that AppID can identify
file show /var/db/idpd/sec-repository/application.list

# The final policy after compilation
file show /var/db/idpd/sets/POLICYNAME.set

SIGNATURE BACKGROUND INFORMATION

LIST OF AVAILABLE SIGNATURES
http://services.netscreen.com/documentation/signatures/

RSS FEED ABOUT CHANGES
https://services.netscreen.com/restricted/sigupdates/nsm-updates/updates.xml

Signatures with reference to CVE, Bugtraq and MS vulnerability IDs
https://services.netscreen.com/restricted/sigupdates/nsm-updates/CVE-BID-mapping.csv

APPLICATION VOLUME TRACKING

State of Application Volume Tracking
• introduced for High End SRX with JUNOS 10.2
• introduced for Branch SRX with JUNOS 11.2
• STRM can parse and display AVT logs
• NSM today cannot parse and display AVT logs

Application Identification Signatures
• On High-End SRX they are still part of the configuration (stanza services application-identification), but the plan is to move them to a separate database with 11.4
• On Branch SRX the signature database is separate since 11.2
• Custom signatures will stay under "services application-identification"

APPLICATION VOLUME TRACKING: SIGNATURES DOWNLOAD

# AVT is available on Datacenter SRX since 10.2 and on Branch SRX since JUNOS 11.2
# AVT uses signatures to identify applications

# Default URL is https://services.netscreen.com/cgi-bin/index.cgi
# Before JUNOS 11.4 the signatures were directly added to the existing configuration
# Since JUNOS 11.4 the predefined signatures are saved to an external database
# similar to the IDP signature database

# Download the application signatures
request services application-identification download

# Installation of the downloaded application signatures
request services application-identification install


APPLICATION VOLUME TRACKING: CONFIGURATION

# AppTrack is enabled per security zone
set security zones security-zone trust application-tracking

# Configure the remote syslog device to receive AppTrack messages
# STRM 2010.0 has predefined reports to handle AppTrack Logs
set security log format sd-syslog
set security log source-address 172.30.81.82
set security log stream STRM host 172.30.80.76

# To generate an AppTrack log at session start (disabled by default)
set security application-tracking first-update

# To generate a first update message 1 minute after session start
set security application-tracking first-update-interval 1

# To generate additional update messages every 5 minutes
set security application-tracking session-update-interval 5

# A final log at the session end will be created by default

# Monitoring, Counters and Cache
show services application-identification counter
show services application-identification application-system-cache

# J-Web Support is currently planned for 2H11


APPLICATION VOLUME TRACKING: MONITORING

# Full monitoring requires users to look at the AVT Logs
# STRM (since 2010.0r2) has parsing and reporting capabilities
# NSM today can not parse the AVT Logs

# If event Logging was enabled, Logs are available in the local log file
file show /var/log/policy_session | match APPLICATION

# In addition to the logs, a cache is enabled by default and can be used for monitoring
show services application-identification application-system-cache
# Since 11.4 there are additional statistics showing per-group/application usage
show services application-identification statistics application-groups
show services application-identification statistics applications

# To see the Signatures (before 11.4)
show configuration services application-identification application junos:FTP
show configuration services application-identification nested-application junos:FACEBOOK-CHAT

# Since 11.4 the Signatures are no longer part of the configuration, but can still be seen
show services application-identification version
# With 11.4 some groups were also introduced, which make it easier to
# select the AppID Signatures for Application Firewalling
show services application-identification application detail junos:FTP
show services application-identification group summary
show services application-identification statistics application-groups
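As an added example (not from the Quickstart), a small Python parser for the AppTrack records an SRX emits in sd-syslog format, summing volume per application and flagging sessions that AppID left as UNKNOWN. The field names follow the APPTRACK_SESSION_CLOSE / APPTRACK_SESSION_VOL_UPDATE messages as I know them and the sample records are constructed; check both against the output of your own device.

```python
import re
from collections import defaultdict

# RFC 5424 header as the SRX emits it with "set security log format sd-syslog":
#   <PRI>1 TIMESTAMP HOSTNAME RT_FLOW - MSGID [junos@<oid> key="value" ...]
# The <PRI>1 prefix is optional so lines copied from /var/log/policy_session parse too.
HEADER_RE = re.compile(
    r"^(?:<\d+>1\s+)?(?P<ts>\S+)\s+(?P<host>\S+)\s+RT_FLOW\s+-\s+"
    r"(?P<msgid>APPTRACK_SESSION_\w+)\s+\[(?P<sdid>\S+)\s+(?P<params>.*)\]\s*$"
)
PARAM_RE = re.compile(r'(?P<key>[\w-]+)="(?P<val>[^"]*)"')


def parse_apptrack(line):
    """Return the fields of one AppTrack record as a dict, or None for any other line."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    rec = {"timestamp": m.group("ts"), "host": m.group("host"), "msgid": m.group("msgid")}
    rec.update(PARAM_RE.findall(m.group("params")))
    return rec


def volume_by_application(lines):
    """Sum client+server bytes per (application, nested-application).

    Only APPTRACK_SESSION_CLOSE records are counted: the periodic
    APPTRACK_SESSION_VOL_UPDATE records describe the same session again, and
    the assumption here is that CLOSE carries the session totals.
    """
    totals = defaultdict(int)
    for line in lines:
        rec = parse_apptrack(line)
        if rec is None or rec["msgid"] != "APPTRACK_SESSION_CLOSE":
            continue
        key = (rec.get("application", "UNKNOWN"), rec.get("nested-application", "UNKNOWN"))
        totals[key] += int(rec.get("bytes-from-client", 0)) + int(rec.get("bytes-from-server", 0))
    return dict(totals)


def unidentified_sessions(lines):
    """List (source, destination:port) of closed sessions AppID could not classify.

    An application firewall rule-set cannot act on these flows by application
    name, so they deserve a second look.
    """
    out = []
    for line in lines:
        rec = parse_apptrack(line)
        if rec and rec["msgid"] == "APPTRACK_SESSION_CLOSE" and rec.get("application") == "UNKNOWN":
            out.append((rec["source-address"], f"{rec['destination-address']}:{rec['destination-port']}"))
    return out


# Constructed sample records (not captured from a real device).
SAMPLE_LOG = [
    '<14>1 2012-11-08T10:15:02.123+01:00 srx-lab RT_FLOW - APPTRACK_SESSION_VOL_UPDATE '
    '[junos@2636.1.1.1.2.36 source-address="172.30.81.50" source-port="51234" '
    'destination-address="192.0.2.10" destination-port="80" service-name="junos-http" '
    'application="HTTP" nested-application="FACEBOOK-CHAT" protocol-id="6" policy-name="1" '
    'source-zone-name="trust" destination-zone-name="untrust" session-id-32="20001" '
    'packets-from-client="10" bytes-from-client="1200" packets-from-server="12" '
    'bytes-from-server="9000" elapsed-time="60"]',
    '<14>1 2012-11-08T10:15:35.456+01:00 srx-lab RT_FLOW - APPTRACK_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.36 reason="TCP CLIENT RST" source-address="172.30.81.50" '
    'source-port="51234" destination-address="192.0.2.10" destination-port="80" '
    'service-name="junos-http" application="HTTP" nested-application="FACEBOOK-CHAT" '
    'protocol-id="6" policy-name="1" source-zone-name="trust" destination-zone-name="untrust" '
    'session-id-32="20001" packets-from-client="42" bytes-from-client="5120" '
    'packets-from-server="61" bytes-from-server="40960" elapsed-time="93"]',
    '<14>1 2012-11-08T10:16:01.000+01:00 srx-lab RT_FLOW - APPTRACK_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.36 reason="idle Timeout" source-address="172.30.81.77" '
    'source-port="40001" destination-address="198.51.100.9" destination-port="8443" '
    'service-name="None" application="UNKNOWN" nested-application="UNKNOWN" protocol-id="6" '
    'policy-name="1" source-zone-name="trust" destination-zone-name="untrust" '
    'session-id-32="20007" packets-from-client="3" bytes-from-client="300" '
    'packets-from-server="0" bytes-from-server="0" elapsed-time="1800"]',
    # an RT_FLOW line that is not an AppTrack record and must be ignored
    '<14>1 2012-11-08T10:16:02.000+01:00 srx-lab RT_FLOW - RT_FLOW_SESSION_CREATE '
    '[junos@2636.1.1.1.2.36 source-address="172.30.81.50" destination-address="192.0.2.10"]',
]

if __name__ == "__main__":
    for app, volume in sorted(volume_by_application(SAMPLE_LOG).items()):
        print(app, volume)
    print("unidentified:", unidentified_sessions(SAMPLE_LOG))
```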


APPLICATION VOLUME TRACKING VISIBILITY OF LOGS IN STRM


APPLICATION VOLUME TRACKING VISIBILITY IN J-WEB

Monitoring -> Security -> Application Tracking


APPLICATION FIREWALL


STATE OF APP FIREWALL

State of the Application Firewall Feature Set
• AppFW was introduced for High End SRX with JUNOS 10.4
• AppFW was introduced for Branch SRX officially with JUNOS 11.4
• AppFW can be used together with User Identities for all SRX with JUNOS 12.1

Management of the Application Firewall
• Management on CLI is possible today on all platforms
• Management in J-Web UI is available since 11.2
• Support in JUNOS Space Security Designer is available since 11.4
• Support for NSM is currently not available
• Recommended Tool for Application Firewall Configuration is Space or WebUI

Logging and Reporting of Application Firewall
• STRM 2010.0 can decode Application Firewall and Application Tracking Logs both in stream and event mode.
• J-Web UI log visibility and improved reporting is expected with 11.4r2
• Support for NSM is currently not available


APPLICATION FIREWALL: EXAMPLE CONFIGURATION YOUTUBE STREAMING

edit security application-firewall rule-sets APPFW
set rule YOUTUBE-STREAM match dynamic-application junos:YOUTUBE-STREAM
set rule YOUTUBE-STREAM then deny
set default-rule permit
top

edit security policies from-zone trust to-zone untrust policy 1
set match source-address any
set match destination-address any
set match application any
set then permit application-services application-firewall rule-set APPFW
top

# List of Applications that can be found with the current Database http://services.netscreen.com/documentation/applications/


APPLICATION BACKGROUND INFORMATION

List of Applications and Application Groups
http://services.netscreen.com/documentation/applications/

RSS-Feed with Changes (same as IDP)
https://services.netscreen.com/restricted/sigupdates/nsm-updates/updates.xml

AppSecure Feature Documentation
http://www.juniper.net/techpubs/en_US/junos12.1/information-products/pathway-pages/security/security-appsecure-index.html


USER IDENTITY BASED FIREWALL

CLIENTLESS AD INTEGRATION WITH SRX AND UAC


CLIENTLESS AD INTEGRATION (diagram with SRX, IC, AD and the Finance server; steps 1 to 5)

1. Connect – Push all roles to SRX
2. User Authenticates to Domain
3. User wants to connect to Finance
4. Drop notification sent to IC from SRX
5. User gets re-directed to IC (302)


CLIENTLESS AD INTEGRATION (diagram continued; steps 6 to 8)

6. IC challenges user with SPNEGO (401)
7. Endpoint pulls service ticket from KDC
8. Endpoint re-submits HTTP GET request to IC with SPNEGO auth token


CLIENTLESS AD INTEGRATION (diagram continued; steps 9 to 11)

9. After successful authentication, IC pushes an auth table entry to SRX
10. IC re-directs user back to the protected resource
11. User now can access Finance


USER IDENTITY BASED FIREWALL: CONFIGURATION

# User Identity based Firewall was introduced in JUNOS 12.1

# Set UAC infranet connection on SRX (this uses Destination port 11123)
set services unified-access-control infranet-controller SERVER address 172.30.81.141
set services unified-access-control infranet-controller SERVER interface fxp0.0
set services unified-access-control infranet-controller SERVER password

# Set captive portal
edit services unified-access-control captive-portal PORTAL
set redirect-traffic unauthenticated
set redirect-url http://172.30.81.141
top

edit security user-identification
set traceoptions file userid
set traceoptions flag all
set authentication-source local-authentication-table priority 100
set authentication-source unified-access-control priority 200
top

# UAC Policy Enable
set security policies ... match source-identity ROLE1
set security policies ... then permit application-services uac-policy

# Captive Portal Enable
set security policies ... then permit application-services uac-policy captive-portal PORTAL

# For the full configuration follow the UAC Solution Guide


USER IDENTITY BASED FIREWALL: COMMANDS FOR UAC

# Commands to monitor UAC status and information
show services unified-access-control status
show services unified-access-control policies detail
show services unified-access-control roles

# Directory for UAC Roles
/var/db/uac.roles

# Directory for local Auth Data
/var/db/nsd


USER IDENTITY BASED FIREWALL: COMMANDS FOR LOCAL AUTHENTICATION

# Commands to build and examine the local table
request security user-identification local-authentication-table add ?
request security user-identification local-authentication-table delete ?
clear security user-identification local-authentication-table
show security user-identification local-authentication-table ?
show security user-identification local-authentication-table all ?

# Directory for local Auth Data
/var/db/nsd


APPLICATION DDOS PROTECTION


APPLICATION DDOS PROTECTION

Application DDOS is a technology to identify and mitigate Distributed Denial of Service Attacks, typically generated from Botnets

Application DDOS works in 3 phases
Phase 1: if the connection rate exceeds a limit we start protocol analysis
Phase 2: track connection rate limits (per Destination and/or Context)
Phase 3: classify Clients as Bots when they exceed thresholds

Once Bots have been identified, we can mitigate their activities by dropping their existing connections and/or dropping future connections (for a certain time) and/or rate limiting new connections (for a certain time)

AppDDOS today (12.1) can be used to protect HTTP and DNS Services

AppDDOS is available with the AppSec-A License for Datacenter SRX since 10.0


AppDDOS 3-Stage Processing

1. Connections Per Second: The administrator defines a CPS threshold to a server to start monitoring for AppDDOS. CPS below this threshold is considered normal activity.

2. Context Rate Monitoring/Limiting: Once the AppDDOS CPS threshold is surpassed, AppDDOS will monitor the Context Rate. If it exceeds this rate, additional investigation can occur depending on whether stage 3 is configured. If it is not configured, the appropriate action can occur directly.

3. Client Classification (optional): If Time Binding is configured, it will track not only the rate of the context being matched, but will also allow the administrator to track this value for individual clients to prevent them from individually surpassing the defined limits within the time period.

(Flow chart on the slide: Stage 1: Server Monitoring -> Stage 2: Protocol Profiling -> Stage 3: Bot Client Classification. Decision nodes: Access to Monitored Server -> Connection Rate Exceeded? -> Access to Monitored Context -> Context Rate Exceeded? -> Time-Binding Configured? -> Context Value Rate Exceeded? / Counter Exceeded? -> Action/Logging)


AppDDOS Configuration Structure

Firewall Security Policy: On a firewall rule by rule basis IDP processing is configured (since AppDDOS is part of the IDP functionality). Firewall processing includes matching based on: source zone, destination zone, source ip, source port, destination ip, destination port, and protocol.

IDP Security Policy

ApplicationDDOS Profile: The ApplicationDDOS profile defines the following:
- Context to Match
- Connections per Second to trigger Phase 2
- Context Thresholds to trigger Phase 3, or direct actions based only on overall thresholds
- Client Contexts per Period

IDP Policy: Within the IDP security policy the rulebase-ddos is where the configuration defines what criteria to match based on: source zone, destination zone, source ip, destination ip, application, and application-ddos profile. This rule will define what to do with the offending connection along with future ip-action connections.


APPLICATION DDOS PROTECTION (1/3)
# AppDDOS is available as a licensed feature for Datacenter SRX since JUNOS 10.0

# Define two Servers in a Group for investigation
set security zones security-zone trust address-book address SERVER1 172.30.80.132/32
set security zones security-zone trust address-book address SERVER2 172.30.80.202/32
edit security zones security-zone trust address-book address-set WEBSERVER
set address SERVER1
set address SERVER2
top

# Firewall Policy
# Activate IDP on the Firewall Rules that permit traffic to these Servers
set security policies from-zone trust to-zone untrust policy 1 then permit application-services idp

# Application DDOS Profile
# Define the thresholds we use to look for DDOS attacks
edit security idp application-ddos HTTP_DDOS
set service http
# Phase 1 - Start protocol analysis if we see more than 5 connections per second
set connection-rate-threshold 5
# Phase 2 - Start Botnet classification if we see more than 50 URLs per second or 50 different context values per second
set context http-url-parsed hit-rate-threshold 50
set context http-url-parsed value-hit-rate-threshold 50
# Phase 3 - Classify clients as Bots if they access more than 20 URLs per minute
set context http-url-parsed time-binding-count 50
set context http-url-parsed time-binding-period 60
top
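To make the three stages concrete, here is an added Python model (my own, not Juniper's implementation) that runs the HTTP_DDOS thresholds from the profile above over a constructed request trace; it also covers the "time-binding not configured" branch of the flow chart on the AppDDOS 3-Stage Processing slide. Bucketing per second and treating every request as a new connection are simplifications of mine.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AppDdosProfile:
    """Thresholds named as in the 'security idp application-ddos' stanza."""
    connection_rate_threshold: int = 5        # Phase 1: connections/s to the server
    hit_rate_threshold: int = 50              # Phase 2: context hits/s
    value_hit_rate_threshold: int = 50        # Phase 2: distinct context values/s
    time_binding_count: Optional[int] = 50    # Phase 3: hits per client per period (None = not configured)
    time_binding_period: int = 60             # Phase 3: period in seconds


@dataclass(frozen=True)
class Request:
    t: int        # second of the trace in which the request arrived
    client: str   # client address
    url: str      # value of the http-url-parsed context


def classify(requests, profile):
    """Run the three stages over a request trace in one-second buckets.

    Returns the second in which stage 1 and stage 2 first triggered (None if
    never) and, per bot, the second it was classified. Simplifications of
    mine: every request is a new connection, and 'exceeds' means strictly
    greater than the threshold.
    """
    buckets = defaultdict(list)
    for r in requests:
        buckets[r.t].append(r)
    result = {"phase1_at": None, "phase2_at": None, "bots": {}}
    windows = defaultdict(deque)  # per client: timestamps inside the time-binding period
    for t in sorted(buckets):
        bucket = buckets[t]
        # Stage 1: server monitoring. CPS below the threshold is normal activity.
        if result["phase1_at"] is None:
            if len(bucket) <= profile.connection_rate_threshold:
                continue
            result["phase1_at"] = t
        # Stage 2: protocol profiling of the monitored context.
        if result["phase2_at"] is None:
            hits = len(bucket)
            values = len({r.url for r in bucket})
            if hits <= profile.hit_rate_threshold and values <= profile.value_hit_rate_threshold:
                continue
            result["phase2_at"] = t
        # Stage 3: bot client classification, only if time-binding is configured;
        # without it the rule's action applies to the context as a whole (not modelled here).
        if profile.time_binding_count is None:
            continue
        for r in bucket:
            window = windows[r.client]
            window.append(t)
            while window[0] <= t - profile.time_binding_period:
                window.popleft()
            if len(window) > profile.time_binding_count:
                result["bots"].setdefault(r.client, t)
    return result


def constructed_trace(bots=5):
    """Constructed trace (not captured traffic): three legitimate clients fetch
    one page every other second; `bots` clients each request 12 distinct URLs
    per second between t=10 and t=29."""
    reqs = []
    for t in range(0, 40, 2):
        for i in range(3):
            reqs.append(Request(t, f"192.0.2.{i + 1}", f"/page{t % 7}.html"))
    for t in range(10, 30):
        for b in range(bots):
            for n in range(12):
                reqs.append(Request(t, f"198.51.100.{b + 1}", f"/search?q={t}-{b}-{n}"))
    return reqs


if __name__ == "__main__":
    verdict = classify(constructed_trace(), AppDdosProfile())
    print(f"stage 1 at t={verdict['phase1_at']}s, stage 2 at t={verdict['phase2_at']}s")
    for client, t in sorted(verdict["bots"].items()):
        print(f"bot {client} classified at t={t}s -> ip-action rate limit would apply")
```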


APPLICATION DDOS PROTECTION (2/3)

# Install an IDP Policy
set security idp active-policy IDP-POLICY

# Add a DDOS Rule to this IDP-Policy to hunt for DDOS attacks against the two Servers
edit security idp idp-policy IDP-POLICY rulebase-ddos rule RULE1
set match from-zone untrust
set match to-zone trust
set match destination-address WEBSERVER
set match application default
set match application-ddos HTTP_DDOS
set then action no-action
set then notification log-attacks

# Use IP-Action to rate limit any bot found to a maximum of 5 connections per second
set then ip-action ip-connection-rate-limit 5
set then ip-action log
set then ip-action timeout 15
set then ip-action refresh-timeout
top


APPLICATION DDOS PROTECTION (3/3)

# AppDDOS monitor and control commands
show security idp counters application-ddos
show security idp application-ddos application
show security idp application-ddos application detail

# Show hosts that are targets for ip-action
show security flow ip-action

# Remove all current IP-actions
clear security flow ip-action


UTM-FEATURESET


UTM FEATURES

Antivirus - Sophos or Kaspersky (full and express): Protect against viruses in e-mail (SMTP, POP, IMAP protocols), Webmail (HTTP) and FTP traffic. Integrated AV engines and virus signature databases, updated periodically, available through an AV subscription license

Web filtering - WebSense/SurfControl/Enhanced WF: Control (allow/deny) access to Websites based on URL category. Off-box (in-the-cloud or on-premise) URL servers/databases

Content filtering: Provides basic DLP functionality, filters traffic based on file/MIME type, file extension, and protocol commands; keyword matching expected in the future

Antispam - Sophos: Stop e-mail spam based on IP address/reputation of the sender. Off-box spam blacklist database, Sophos SBL/RBL (spam/real-time block list), available as a subscription license


HOW UTM PROFILES ARE CHAINED WITH POLICIES

UTM Features are activated per firewall rule, by assigning a UTM-Policy
The UTM-Policy has a section for each protocol that allows UTM-Protection
Each protocol section references the Profiles for the different UTM Features


UTM-FEATURE:ANTIVIRUS


ANTIVIRUS ON SRX

THREE FLAVOURS

KASPERSKY ANTIVIRUS: Full Scan Engine, local Execution of Scan

SOPHOS ANTIVIRUS: Cloud Based, Verifies Source-URL and File checksums against a Malware Database

EXPRESS AV: Reduced local Scan Engine

PROCESSING ORDER (diagram on the slide)


ACTIVATE ANTIVIRUS (EXPRESS AV ENGINE)

# Check also Knowledgebase Article KB16620

# Configure the SRX Series device to use the express antivirus engine
set security utm feature-profile anti-virus type juniper-express-engine

# Configure a UTM policy to use the predefined antivirus profile
# http-profile "junos-eav-defaults"
set security utm utm-policy UTM-POL anti-virus http-profile junos-eav-defaults

# Apply the UTM policy to the existing trust to untrust security policy
edit security policies from-zone trust to-zone untrust policy default-permit
set then permit application-services utm-policy UTM-POL
top


ACTIVATE ANTIVIRUS (KASPERSKY LAB ENGINE)

# Configure the SRX Series device to use the Kaspersky Lab antivirus engine
set security utm feature-profile anti-virus type kaspersky-lab-engine

# Configure a UTM policy to use the predefined antivirus profile
# http-profile "junos-av-defaults"
set security utm utm-policy UTM-POL anti-virus http-profile junos-av-defaults

# Apply the UTM policy to the existing trust to untrust security policy.
edit security policies from-zone trust to-zone untrust policy default-permit
set then permit application-services utm-policy UTM-POL
top


ACTIVATE ANTIVIRUS (SOPHOS CLOUD SERVICE)
# Configure the SRX Series device to use the Sophos antivirus engine
set security utm feature-profile anti-virus type sophos-engine

edit security utm feature-profile anti-virus sophos-engine
# Configure to download engine and updates once per day
set pattern-update interval 1440
set pattern-update url "http://update.juniper-updates.net/SAV/"
top

# Check the URLs against a Database that identifies known Malware Sources
edit security utm feature-profile anti-virus sophos-engine profile SOPHOS
set scan-options uri-check
# To log all URLs (even those that were not blocked) use
set fallback-options default log-and-permit
top

# Configure a UTM policy to apply Sophos AV on http connections
set security utm utm-policy UTM-POL anti-virus http-profile SOPHOS

# Apply the UTM policy to the existing trust to untrust security policy.
edit security policies from-zone trust to-zone untrust policy default-permit
set then permit application-services utm-policy UTM-POL
top


ANTIVIRUS: MONITORING AND DIAGNOSTICS

# Show database version and Update Settings
# Default for Kaspersky is every 1h
# Default for Sophos is every 24h
show security utm anti-virus status

# Statistics on AV operation
show security utm anti-virus statistics

# Run manual pattern update for Kaspersky Engine
request security utm anti-virus kaspersky-lab-engine pattern-update

# Run manual pattern update for Sophos Engine
request security utm anti-virus sophos-engine pattern-update


UTM-FEATURE: URL FILTERING


URL FILTERING

State of URL Filtering
• Local Black- and Whitelists can be used for Web filtering
  • useful as a response to security problems (Phishing Mails, abuse of applications ...)
  • no licenses required to use this feature
• To get a more valuable URL Filter you need a service subscription (license) where URLs are checked against a database
  • As a response to the query, a list of categories for this URL is returned
  • In the Profile it can be defined which categories are permitted/denied
• Before 11.4 there were two flavors of Web filtering Services
  • Integrated Webfilter (aka surfcontrol-integrated, License: WF)
  • Redirect Webfilter (aka WebSense, no License).
• With 11.4 a new option was introduced
  • Enhanced Webfilter (aka juniper-enhanced, License EWF)
• Main Benefits of the Enhanced Webfilter Solution from 11.4 are
  • comparable to the Integrated Webfilter Solution, but with the following enhancements:
  • more categories (94 vs. 40) and option for custom categories (based on local pattern lists)
  • option to activate safe-search to filter Search Engine results
  • option to receive and react on reputation information for each URL
  • option to redirect access for blocked sites to another URL
  • better scalability (up to 64K sessions on SRX 650)


WEBFILTER ON SRX

Two Options for Cloud based URL Checking:
Webfilter Integrated (surfcontrol-integrated)
and since 11.4
Enhanced Webfilter (juniper-enhanced)

One Option to redirect Traffic through a Local Websense Server:
REDIRECT (WEBSENSE)


HOW TO CHECK THE CLASSIFICATION FOR A URL?

CHECK CLASSIFICATION OF A SITE FOR INTEGRATED WEBFILTERING

For the old, integrated Surfcontrol Engine use the following Online URL: http://mtas.surfcontrol.com/mtas/JuniperTest-a-Site.asp

For the new, enhanced Webfilter use the following Online URL: http://aceinsight.websense.com/

A CLI command can be used to return information on how the site is treated:
test security utm web-filtering profile "EWF-PROFILE" test-string www.facebook.com


WEBFILTER: LOCAL BLACKLIST AND WHITELIST (1/2)

With JUNOS 10.0 a local Black- and Whitelist can be configured.
This Filter Method can even work without a Web filter License.
To work with wildcards the pattern must start with "http://...."

# First specify a list of URLs (up to 20 per list object)
edit security utm custom-objects
set url-pattern BAD value [ http://www.cisco2.com www.checkpoint2.com ]
set url-pattern GOOD value "http://*.juniper.net"
set url-pattern GOOD value "http://www.acmegizmo.???"
top

# Use these Objects to specify new Categories
edit security utm custom-objects
set custom-url-category BLACKLISTED value BAD
set custom-url-category WHITELISTED value GOOD
top

# Finally apply these Categories to the Web Filtering Profile
edit security utm feature-profile web-filtering
set url-blacklist BLACKLISTED
set url-whitelist WHITELISTED
top


WEBFILTER: LOCAL BLACKLIST AND WHITELIST (2/2)

# If no other Web filtering Profile is selected then use type juniper-local
set security utm feature-profile web-filtering type juniper-local

# Define a UTM Policy that references the Profile
set security utm utm-policy UTM-POL web-filtering http-profile UTM-PROF

# Configure the juniper-local Web filtering Profile used by this UTM Policy
edit security utm feature-profile web-filtering juniper-local profile UTM-PROF
set default permit
set custom-block-message "Access to this site is not permitted"
set fallback-settings default block
set fallback-settings too-many-requests block
top

# Apply this Profile in a firewall rule
edit security policies from-zone trust to-zone untrust policy trust-to-untrust
set then permit application-services utm-policy UTM-POL
top
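An added Python model (mine, not Junos code) of how the url-pattern objects from the two blacklist/whitelist slides above are applied to a requested URL; the wildcard translation and the whitelist-before-blacklist order are assumptions to verify against the Junos UTM documentation.

```python
import re


def pattern_to_regex(pattern):
    """Compile one url-pattern value into a regex.

    '*' matches a run of characters and '?' exactly one; neither crosses a
    '/' (my choice, so a wildcard in the host part cannot be satisfied by the
    path). A value without a scheme, like www.checkpoint2.com on the slide, is
    treated as http://www.checkpoint2.com (assumption). Any path below a
    matched host matches as well.
    """
    if "://" not in pattern:
        pattern = "http://" + pattern
    pieces = []
    for token in re.split(r"([*?])", pattern):   # keep the wildcards as tokens
        if token == "*":
            pieces.append("[^/]*")
        elif token == "?":
            pieces.append("[^/]")
        else:
            pieces.append(re.escape(token))
    return re.compile("^" + "".join(pieces) + "(?:/.*)?$", re.IGNORECASE)


class LocalWebFilter:
    """Model of a juniper-local profile: url-whitelist, url-blacklist, default action.

    Evaluation order (assumption, check against the Junos UTM documentation):
    whitelist first, then blacklist, then the profile's default.
    """

    def __init__(self, whitelist, blacklist, default="permit"):
        self.whitelist = [pattern_to_regex(p) for p in whitelist]
        self.blacklist = [pattern_to_regex(p) for p in blacklist]
        self.default = default

    def decide(self, url):
        """Return (action, reason) for one requested URL."""
        if any(rx.match(url) for rx in self.whitelist):
            return "permit", "url-whitelist"
        if any(rx.match(url) for rx in self.blacklist):
            return "block", "url-blacklist"
        return self.default, "default"


# The url-pattern objects from the slide: GOOD -> WHITELISTED, BAD -> BLACKLISTED,
# and the profile's "set default permit".
GOOD = ["http://*.juniper.net", "http://www.acmegizmo.???"]
BAD = ["http://www.cisco2.com", "www.checkpoint2.com"]
FILTER = LocalWebFilter(whitelist=GOOD, blacklist=BAD, default="permit")

if __name__ == "__main__":
    for url in ["http://www.juniper.net/techpubs/", "http://www.cisco2.com/products",
                "http://www.acmegizmo.co.uk/", "http://www.juniper.net.example.org/"]:
        print(url, "->", FILTER.decide(url))
```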


WEBFILTER: ACTIVATION OF THE INTEGRATED ENGINE

# Configure the SRX Series device to use the Integrated Engine
set security utm feature-profile web-filtering type surf-control-integrated

# Configure a new utm-policy to use the predefined Web filtering profile "junos-wf-cpa-default"
edit security utm utm-policy UTM-POL
set web-filtering http-profile junos-wf-cpa-default
top

# Apply the UTM policy to the existing trust to untrust security policy.
edit security policies from-zone trust to-zone untrust policy default-permit
set then permit application-services utm-policy UTM-POL
top


WEBFILTER: EXAMPLE FOR A CUSTOM PROFILE
# Configure the SRX Series device to use the Integrated Engine
set security utm feature-profile web-filtering type surf-control-integrated

# Custom categorization and action for this engine
edit security utm feature-profile web-filtering surf-control-integrated
edit profile TS-BLOCK-SELECTED-SITES
set category Violence action block
set category Adult_Sexually_Explicit action block
set category Gambling action block
set category Remote_Proxies action block
set default log-and-permit
set fallback-settings default log-and-permit
set fallback-settings server-connectivity log-and-permit
set fallback-settings timeout log-and-permit
set fallback-settings too-many-requests block
set timeout 60
top

edit security utm utm-policy POLICY2
set web-filtering http-profile TS-BLOCK-SELECTED-SITES
top

# Apply the new UTM-Policy in a firewall rule
edit security policies from-zone trust to-zone untrust policy default-permit
set then permit application-services utm-policy POLICY2
top


WEB-FILTER: MONITORING AND DIAGNOSTICS

# Show database version and Update Settings (default: every 60 minutes)
show security utm web-filtering status

# Statistics on Web filter operation (not for EWF)
show security utm web-filtering statistics


UTM-FEATURE:ANTI-SPAM


ANTI SPAM: ACTIVATION OF THE FEATURE

# Configure the SRX Series device to use the Anti-Spam Feature
set security utm feature-profile anti-spam symantec-sbl

# Use the predefined Anti-Spam profile "junos-as-defaults" in a new utm-policy.
set security utm utm-policy UTM-POL anti-spam smtp-profile junos-as-defaults

# Apply this UTM policy to an existing trust to untrust security policy.
edit security policies from-zone trust to-zone untrust policy default-permit
set then permit application-services utm-policy UTM-POL
top

# Optional Blacklist to drop additional SMTP Traffic from other senders
set security utm custom-objects url-pattern MYBLACKLIST value mail.cisco.com
set security utm feature-profile anti-spam address-blacklist MYBLACKLIST


MORE ....


RESET TO FACTORY DEFAULT


RESET METHODS

The following methods can be used to reset the device to Factory Default
Method 1: Reset via Reset PIN
Method 2: Load Factory Default configuration
Method 3: Wipe Configuration Files and load Default configuration
Method 4: Single User Boot Procedure
Method 5: Install Factory Default Snapshot from Boot monitor
Method 6: Zeroize

The following method can be used to recover the root password
Method 4: Single User Boot Procedure

Important Note for Branch SRX:
To recover a Branch SRX which is in cluster mode you must first turn it back into non cluster mode (set chassis cluster disable reboot).
If you don't have a password any more, you can only use Method 4 or Method 5

See also http://kb.juniper.net/KB12167 and http://kb.juniper.net/KB15725


BRANCH SRX PREREQUISITE: YOU MUST ESCAPE CLUSTER MODE FIRST

If your device was a member of a cluster you will notice an additional line before the system prompt:

{primary:node1}
root>

To return from cluster mode to a single unit use the following command, which also performs the necessary reboot:

root> set chassis cluster disable reboot

If you are in cluster mode but can not login to your system, you have to use Method 4 (Single User Boot Procedure)


RESET METHOD 1: RESET VIA RESET BUTTON

Use the Reset Button
On J-Series: Press the Configuration Pin for 15 sec. to load the factory default
On SRX: Press the Reset PIN for 15 sec. and follow the LED color changes
On EX-Switches: Use the LCD Menu to load the factory default configuration

Notes
You have to exit the shell first
The node name in the shell prompt appears to be unchanged, but this will change with the next reboot
If you have a Branch SRX which is still in Cluster mode, the factory default configuration can not commit, as it includes switching configuration. You then should use method 5 (USB Snapshot) or 4 (Single User Mode)


RESET METHOD 2: LOAD FACTORY DEFAULT CONFIGURATION FROM CLI

If Login is still possible you can use commands to load the factory-default configuration.
You have to set a root password to get the configuration committed

Remote Management Console
login: user
password: <none>
root@J2300> configure
root@J2300# load factory-default
# You have to set at least the root password, otherwise you can not commit
root@J2300# set system root-authentication plain-text-password
New password:
Retype new password:
root@J2300# commit and-quit
root@J2300>


RESET METHOD 3: WIPE CONFIGURATION FILES

If Login is still possible and you have shell access you can erase the current configuration file(s) and reboot. This will be equal to a reboot with default configuration

root> start shell
root@J6350% cd /config
root@J6350% su
root@J6350% rm juniper.conf.gz
root@J6350% reboot

# Remark on JUNOS 11.2 (or probably earlier)
# You also have to wipe the rescue configuration.
# Otherwise the system will boot the rescue config
# if the normal configuration file has disappeared


RESET METHOD 4: SINGLE USER BOOT PROCEDURE

Single User Mode, from the Boot monitor

For the latest information on this method please consult the Knowledgebase http://kb.juniper.net/KB12167

Since JUNOS 10.0 you have to disable a watchdog in the boot monitor. See http://kb.juniper.net/KB17565

1. Reboot the device
2. When the message <Press space bar> appears --> Interrupt the boot process
3. boot -s --> Device boots in single user mode
4. Login as root, enter "recover" to load factory default
5. Enter cli as user root
6. Enter configure mode
7. set system login user authorization plaintext --> Enter <Password>
8. Commit
9. If the unit was still in cluster mode, you have to remove the interface configuration and the interface assignments to security zones to commit
10. request system reboot
11. If the unit was in cluster mode, then disable chassis cluster and reboot once more.

Page 410: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


RESET METHOD 5: BOOT AND COPY SNAPSHOT

Boot from a Snapshot USB Stick (see Chapter Software Upgrade)

Notes:
- The USB stick must have at least the size of the internal flash (SRX100 = 1GB)
- This procedure also reformats and partitions the flash and copies the software from the stick. All existing information is overwritten

# First you must copy a snapshot from an existing system to a USB stick
# Keyword factory means we copy the factory default instead of the running config
srx> request system snapshot partition media usb factory

# Now move the USB stick to the system you want to recover and power it up
# Interrupt the boot process to get access to the boot loader prompt
loader> nextboot usb
Setting next boot dev usb
Un-Protected 1 sectors
writing to flash...
Protected 1 sectors
loader> reboot

# Once the system has booted from the USB stick, copy the image
# with the default configuration back to the internal flash
srx> request system snapshot factory partition media internal

Page 411: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


RESET METHOD 6: ZEROIZE SYSTEM

If login is still possible and you have shell access you can completely wipe anything which is not part of the factory default configuration by zeroizing the media.

lab@bnlx-srx220-1> request system zeroize media
warning: System will be rebooted and may not boot without configuration
Erase all data, including configuration and log files? [yes,no] (no)

Page 412: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


BOOTLOADER

Page 413: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


BOOTLOADER NOTES

Boot loader documentation is included in the Admin Guide.

To enter the boot monitor: power up and wait for "Loading /boot/defaults/loader.conf", then hit Space at the following prompt:
"Hit [Enter] to boot immediately, or space bar for command prompt."
The "loader>" prompt appears.

To see the current boot loader software version use this command:
show chassis routing-engine bios

Most methods for software update do not reformat the flash and thus do not upgrade the boot loader.

Since JUNOS 10.0 (with boot loader 1.5) the Branch SRX JUNOS package includes the latest boot loader version, and an upgrade of the current boot loader can be performed with this command:
bootupgrade -u /boot/uboot -l /boot/loader

The dual root partitioning scheme for Branch SRX requires boot loader software version 1.5.

Page 414: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


FLASH PARTITIONING

DUAL ROOT

Page 415: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


NOTES

Since JUNOS 10.0, Branch SRX can have a dual root partitioning scheme.

Dual root improves fault tolerance and rollback capabilities and is recommended.

Dual root has two partitions with JUNOS software on two different partitions. The configuration is kept in another, shared partition.

# Since JUNOS 10.2 the following command shows the partitioning and which partition is active
show system storage partitions

# To switch to the backup partition
request system software rollback
# If you change your mind you can switch back again
request system software rollback

# To copy the software from the current active partition to the backup partition use
request system snapshot slice alternate

Page 416: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


JUNOS installation in a Dual-Root System

JUNOS upgrades from CLI and J-Web will work as follows:
- The alternate root will be formatted and mounted.
- The new package will be installed into the alternate root.
- The alternate root will be marked as the primary root.
- On next reboot the system will boot with the newly installed image.

JUNOS will always be installed to the alternate root: when booted from the primary root, the new image will go to the backup root and it will become the new primary. When booted from the backup root, the new image will be installed in the primary. Thus a simple installation can recover the primary root if it is corrupted.

Page 417: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


JUNOS installation in Dual Root (animated Slide)

[Diagram: flash slices s1a and s2a (the two root partitions, JUNOS A and JUNOS B), s3e (/config), s3f (/var) and s4a (recovery). With JUNOS A as the current primary root, "request system software add junos-c" installs JUNOS C into the alternate root; after the reboot that slice is the primary root and the slice holding JUNOS A becomes the backup.]

Page 418: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


SOFTWARE UPGRADES

Page 419: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


JUNOS Software Upgrade on SRX

1. Decide on a software version and download it. Recommended software versions are listed here. Information on which feature is available in which release can be found here. Software downloads are available from here.

2. Best practice: clean up storage before starting the update.

3a. If you have physical access the easiest way is (M1) Autoinstallation from USB stick (requires somebody with physical access).

4a. For other updates decide how to bring the software to your SRX:
(T1) Upload or download the file in advance (scp or ftp)
(T2) Use a controlled download with the Download Manager
(T3) Mount and install from a USB stick
(T4) Reference a URL during installation

4b. When you are ready to install you can use:
(M2) Installation from J-Web
(M3) Install from the CLI
(M4) Install from the CLI with ISSU (for SRX clusters)

5. Best practice: after completion you can use Flash Hardening.

Page 420: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


DOWNLOAD SOFTWARE FROM SUPPORT PAGES HTTP://WWW.JUNIPER.NET/SUPPORT/PRODUCTS/

Page 421: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


BEST PRACTICE: CLEANUP BEFORE SOFTWARE UPGRADE

Useful steps to perform before starting an update are: check the flash size, purge unused files.

# Check current Flash size
show system storage | match cf

# On J-Series
show chassis hardware detail | match Flash

# purge log files
request system storage cleanup

# If Flash size is still lower than the size of your image:

# if space is not yet sufficient purge the software backup
request system software delete backup
# locate directories on the flash with a large amount of data
show system directory-usage /cf

# To save space browse directories and erase files manually
file list /cf/var/tmp detail
file delete …..

# Or use the shell to find the largest files on your Flash
find -x /cf -type f -exec du {} \; | sort -n

Page 422: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


UPGRADE - METHOD 1: AUTO INSTALLATION FROM USB STICK

# Since 10.4 Branch SRX devices can be set up from a USB stick with auto installation

# Step 1 - Prepare
- Prepare a USB stick (FAT32, <=8GB) with the following files:
- A file with the name "autoinstall.conf" must exist. The content of this file is not important. It can also be an empty file.
- One JUNOS image, the filename must match "junos-srxsme*"
- Optional: You can also add a configuration file. The file name must be "junos-config.conf"

# Step 2 - Insert
- After the SRX has booted completely, insert the USB stick
- The LEDs will start blinking amber (Alarm, Status, Power and HA)

# Step 3 - Reset Button
- Press the Reset button for a short time
- The LEDs (Alarm, Status, Power and HA) will stop blinking and start glowing amber
- Now the new image gets copied; the existing configuration and rescue configuration are verified against the new software version
- Finally the image gets installed in the second partition, and this partition becomes the new primary partition
- If present on the stick, the new configuration gets copied too (but not yet committed)
- Step 3 takes about 10-12 minutes in total
- If something goes wrong (insufficient space, image corrupt, configuration not compatible) the LEDs will glow red. Otherwise the LEDs will glow green

# Step 4 - Unplug USB stick
- When the LEDs are green, the USB stick can be unplugged
- Some seconds after unplugging, the device starts a reboot, which takes ~5 minutes to complete
- During power up the new configuration is installed and applied

# To avoid that somebody uses this procedure you can use the following command:
set system autoinstallation usb disable

Page 423: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


UPGRADE - METHOD 1 AUTO INSTALLATION - FLOW DIAGRAM

Page 424: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


TRANSFER METHOD 1: MOUNT A LOCAL USB STICK

You can add your image from a DOS formatted USB stick
# USB sticks are not auto mounted, so we must go to the shell as root to mount them

srx> start shell

% su -
Password:

# find out the right device name. On SRX210 "da1" is the upper USB, "da2" is the lower USB
# Either watch the console logs during USB plugin or scan the information from the logfile
root@srx-172% dmesg | grep umass
da1 at umass-sim1 bus 1 target 0 lun 0

# Once the device name is found add "s1" to the device name and mount it to /mnt

root@srx% mount -t msdos /dev/da1s1 /mnt
root@srx% exit
exit

# Now you can install the image from the USB stick
# the option partition formats the flash partition

srx> request system software add /mnt/JUNOS-srxsme-11.1R1.8-domestic.tgz partition reboot

Page 425: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


TRANSFER METHOD 2: LOAD FILE TO LOCAL FLASH

# The preferred destination to store files on the local flash is /var/tmp because
# several cleanup operations will make sure this location gets purged

# either push the image from outside via scp or ftp
scp JUNOS-srxsme-10.2R2.8-domestic.tgz user@srx:/var/tmp/

# or use an interactive session on the SRX CLI via the scp or ftp command
cd /var/tmp
ftp ... or scp ....

# Now you can install the image from the local file
srx> request system software add /var/tmp/JUNOS-srxsme-11.1R1.8-domestic.tgz

Page 426: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


TRANSFER METHOD 3: USING THE DOWNLOAD MANAGER

# The Download Manager is available since JUNOS 11.4 and allows rate limited
# downloads, which is useful to fetch software updates over slow WAN links without
# saturating the link
# Every download can also be stopped/paused/resumed
# By default downloaded files are stored under /var/tmp

srx240-0> request system download start ftp://172.1.8.1/junos-x.tgz login user: password max-rate 50K
Starting download #1

srx240-0> show system download
Download Status Information:
ID  Status   Start Time       Progress  URL
1   Active   May 23 13:14:27  1%        ftp://172.1.8.1/junos-x.tgz

srx240-0> request system download pause 1
Paused download #1

srx240-0> show system download
Download Status Information:
ID  Status   Start Time       Progress  URL
1   Paused   May 23 13:14:27  11%       ftp://172.1.8.1/junos-x.tgz

tschmidt@srx240-0> request system download resume 1
Resumed download #1

Page 427: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


TRANSFER METHOD 4: USE URL TO LOAD IMAGE FROM A SERVER

# Example: fetch from an ftp server (user username) and reboot after the update
# The option no-copy allows to save space

J6350> request system software add no-copy reboot ftp://username:[email protected]/JUNOS-jsr-9.5R1.8-domestic.tgz

# Same example for SRX with user anonymous
# If validation of the configuration reports that your current config is not working
# with the new release (e.g. on a downgrade) you can bypass this with no-validate

srx> request system software add no-copy no-validate reboot ftp://172.16.42.8/JUNOS-srxsme-9.5R1.8-domestic.tgz

# Same example for an SSH server
srx> request system software add no-copy no-validate reboot scp://172.16.42.8/JUNOS-srxsme-9.5R1.8-domestic.tgz

Page 428: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


UPGRADE METHOD 2: INSTALL FROM WEB-UI

Use the Web-Interface (requires most RAM and Flash)

Page 429: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


UPGRADE METHOD 3: INSTALL FROM CLI

# Example: start installation from a local file which is already in /var/tmp
# The option reboot forces a reboot after successful installation
request system software add /var/tmp/JUNOS-srxsme-10.2R2.8-domestic.tgz reboot

# Example: download and install the image from an ftp server (user username)
request system software add no-copy no-validate reboot ftp://username:[email protected]/JUNOS-srxsme-10.2R2.8-domestic.tgz

# Example: start installation from a USB stick previously mounted under /mnt
request system software add /mnt/JUNOS-srxsme-11.1R1.8-domestic.tgz partition reboot

Page 430: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


UPGRADE METHOD 4 - FOR SRX CLUSTERS: IN SERVICE SOFTWARE UPGRADE

ISSU stands for In Service Software Upgrade. ISSU allows the upgrade of cluster members with minimum downtime.
ISSU can be used on High-end SRX in most cases since JUNOS 10.4r4.
ISSU can be used on Branch SRX in most cases since JUNOS 11.2r2.

It is a single command that you have to run from the RG0 primary device. The following actions are performed during the update:
- First upgrade the secondary device
- Then form a cross version cluster
- Failover to the new device
- Upgrade the old primary

Expected outage with ISSU on DC-SRX is similar to a failover.
Expected outage with ISSU on Branch-SRX is about 30 seconds.

Check the documentation and KB17946 for more details on ISSU operation and supported features for different releases.

request system software in-service-upgrade [package] reboot

Page 431: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


BEST PRACTICE: FLASH HARDENING ON BRANCH SRX

# Once your software version and your configuration are reliable use the following
# steps to make the Branch SRX devices more robust against flash problems

# Optional: Cleanup storage (Documentation)
request system storage cleanup
# Optional: Cleanup IDP cache and attack database download (new command from 11.4)
request security idp storage-cleanup

# Show the releases in the primary and the secondary partition of Routing-Engine 1
show system snapshot media internal slice 1

# Copy the primary partition image to the secondary, so they carry the same release
# Check KB22798 for details on dual partitioning
request system snapshot slice alternate

# Make sure your current configuration is also saved as your rescue configuration
# Check KB15788 for details on configuration versions and rollback
request system configuration rescue save

# Save license, partition data and recovery config to the auto recovery partition
# Check the release notes of JUNOS 11.2 for details on auto recovery
request system autorecovery state save

Page 432: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


SCRIPTING AND AUTOMATION

Page 433: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


AUTOMATION WITH JUNOS SCRIPTS

Commit Scripts: enable automated compliance checks & configuration changes
e.g. Reject guest VLAN tag configuration on access switch trunk ports, restricting guest access to a floor

Macros allow operators to simplify complex configurations and self-heal errors
e.g. Apply a pre-defined Data+VoIP port template on any switch port that gets a description matching a particular string "data-phone"

Operations Scripts: allow custom output for diagnosis and event management
e.g. Combine 2 different show commands to get a custom output for better analysis

Event Policies & Scripts: automated pre-defined responses to events, creating self-monitoring networks
e.g. When a switch's trunk port goes up & down, run "show interfaces" and "show alarms" in the CLI, parse the data, save it to a file and send this to a server

Page 434: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


HOW TO INTEGRATE SCRIPTS?

Activation of Commit Scripts
- Copy the script to the /var/db/scripts/commit directory
- Enable the script by including a file statement at the [edit system scripts commit] hierarchy level (must be a user from the super-user class)
- The script will now be executed every time you do a commit
- Useful: to avoid typical errors (VPN without Monitor, wrong MTU ...)

Activation of Op Scripts
- Copy the script to the /var/db/scripts/op directory
- Enable the script by including a file statement at the [edit system scripts op] hierarchy level (must be a user from the super-user class)
- Now you can run the script as a command (e.g. op status overview)
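As an added example (not part of this deck and not Juniper's own script), a SLAX commit script that implements the "VPN without Monitor" and "wrong MTU" checks named above; the file name vpn-monitor-check.slax and the MTU threshold of 1280 are assumptions.

```slax
version 1.0;

ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";

import "../import/junos.xsl";

/*
 * Activation (assumed file name vpn-monitor-check.slax), as a super-user:
 *   copy the file to /var/db/scripts/commit/vpn-monitor-check.slax
 *   set system scripts commit file vpn-monitor-check.slax
 *   commit
 * From then on every commit runs this check before it is accepted.
 */

match configuration {

    /* Check 1: an IPsec VPN without vpn-monitor cannot detect a dead tunnel,
     * so the commit is rejected (xnm:error) until the monitor is added.
     * Use xnm:warning instead if you only want to be told. */
    for-each (security/ipsec/vpn[not(vpn-monitor)]) {
        <xnm:error> {
            call jcs:edit-path();
            <message> "IPsec VPN '" _ name _ "' has no vpn-monitor configured";
        }
    }

    /* Check 2: a physical interface MTU below 1280 (assumed local policy,
     * the IPv6 minimum) is only reported; the commit still goes through. */
    for-each (interfaces/interface[mtu and mtu < 1280]) {
        <xnm:warning> {
            call jcs:edit-path();
            <message> "Interface " _ name _ " has MTU " _ mtu _ ", below 1280";
        }
    }
}
```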

Page 435: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


USEFUL LINKS FOR AUTOMATION

Useful How-to Information is available from this Scripting Guide http://www.juniper.net/solutions/literature/white_papers/200252.pdf

Script Library from Juniper http://JUNOS.juniper.net/scripts/

Script Library on Google http://code.google.com/p/junoscriptorium/

Page 436: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


SCRIPT LIBRARY HTTPS://WWW.JUNIPER.NET/US/EN/COMMUNITY/JUNOS/SCRIPT-AUTOMATION/LIBRARY/

Page 437: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


NICE FEATURES YOU WILL LIKE .....

Page 438: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


HELP IS AVAILABLE FROM THE CLI, EVEN WITHOUT INTERNET

Help available from the CLI [ topic | reference | apropos ]

# Full description of certain configuration hierarchies
root> help reference security address-book
address-book

Syntax

address-book {
    address address-name (ip-prefix | dns-name dns-address-name);
    address-set address-set-name {
        address address-name;
    }
}
....

# Commands which include the word xyz
root> help apropos proxy-arp
...

# Help on certain topics
root> help topic snmp agent
...

Page 439: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


WE HAVE FTP/SCP SERVERS ON BOARD

# Start the FTP server
set system services ftp
# Enable inbound ftp on the desired zone and/or interface
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ftp
And connect with your favourite FTP client

Page 440: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


USEFUL EXTENSIONS FOR CONFIGURATION VERSIONING

Configuration Comments

# Add a comment to a configuration
commit comment "Let us try this"

# List comments added during commit
show system commit
show | compare rollback ?

Load/Save Configuration Files via FTP/HTTP

# load via ftp or http
load merge ftp://user:password@host/filename
load merge http://user:password@host/filename
# save via ftp or scp
show configuration | save ftp://user:password@host/filename
show configuration | save user@host:filename

Personal Configuration Files

# This will save/load configuration files in the home directory of the user
save mytestconfig.txt
load replace mytestconfig.txt

Page 441: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


CONFIGURATION ROLLBACK

# Automatic rollback if not confirmed within 5 minutes
commit confirmed 5

# Commit at desired time
commit at hh:mm:ss

# On SRX clusters rollback is only available if you entered "configure exclusive"

Rollback Versions: by default you have 5 (on SRX) to 50 (on EX)
rollback ?
show config | compare rollback <number>

The "Rescue" Configuration

# Create a rescue configuration
request system configuration rescue save

# Manual rollback to rescue
rollback rescue
commit

# On J-Series press the reset button for more than 5 and less than 15 seconds
# to automatically load and commit the rescue configuration

Page 442: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


SOFTWARE ROLLBACK

Since JUNOS 10.0, Branch SRX have a dual root partitioning scheme, which can hold a copy of the image and the configuration under /altroot and /altconfig

# After a software upgrade the new software is in the primary partition and the old
# software is in the backup partition.
# You can check the current partition content with
show system snapshot media internal slice 1

# To switch the primary partition, so that the next reboot uses the other image, just execute
root@srx100-2> request system software rollback
junos-12.1R2.9-domestic will become active at next reboot

# To switch back to the previous partition just execute the same command once more
root@srx100-2> request system software rollback
junos-12.1R3.5-domestic will become active at next reboot

Page 443: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


REAL-TIME PROBE AND MONITORING (RPM)

RPM can track server/application reachability and latencies over the network.

Results can be monitored from the CLI or via SNMP.

RPM events can also be used to trigger event scripts.

# Configure probes for owner THOMAS
# Example probe SERVER1 checks if the server responds to ping
edit services rpm probe THOMAS test SERVER1
set probe-type icmp-ping
set target address 172.30.80.1
set test-interval 10
top

# Example probe SERVER2 checks if the web server responds within 2000 msec
# (the rtt threshold is given in microseconds)
edit services rpm probe THOMAS test SERVER2
set probe-type http-get
set target url http://172.30.81.70/index.html
set test-interval 10
set threshold rtt 2000000
top

show services rpm probe-results owner THOMAS test SERVER1

show snmp mib walk 1.3.6.1.4.1.2636.3.50

Page 444: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


AUTO ARCHIVING CONFIGURATIONS

Transmit a copy of the current config file with every commit. You can use ftp, http, scp or a copy to a local file.

[edit system archival configuration]
transfer-on-commit;
archive-sites {
    ftp://username@host:<port>url-path password password;
    http://username@host:<port>url-path password password;
    scp://username@host:<port>url-path password password;
    file://<path>/<filename>;
}

The target filename is built like this:
<router-name>_juniper.conf[.gz]_YYYYMMDD_HHMMSS

It is also possible to run periodic archival:
set system archival configuration transfer-interval [interval]

Page 445: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


MORE USEFUL STUFF .....

DNS lookup and reverse lookup
lab@SRX3600> show host 193.99.144.85
85.144.99.193.in-addr.arpa domain name pointer www.heise.de.
lab@SRX3600> show host www.heise.de
www.heise.de has address 193.99.144.85

Network clients available on the CLI (route lookup starts in inet.0):
telnet, ssh, ftp, scp, ping, traceroute, mtrace

Some clients can be used to pipe command output:
monitor traffic interface count 100 | ftp://172.16.1.1/capture.txt

CLI Shortcuts
• CTRL-A takes you to the beginning of the command line
• CTRL-E takes you to the end of the command line
• CTRL-W deletes backwards to the previous space
• CTRL-U deletes the entire command line
• CTRL-L redraws the command line (in case it has been interrupted by messages, etc.)
• CTRL-R starts the CLI history search; start typing and matching results will be displayed and can be executed by simply pressing ENTER

Page 446: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


MORE USEFUL STUFF .....

Replace a pattern in the whole configuration
srx# replace pattern fe-0/0/7 with ge-0/0/7

What have you changed so far?
srx# set system host-name SRX
srx# show | compare
- host-name srx;
+ host-name SRX;

Configure exclusive (only you have access)
srx> configure exclusive
warning: uncommitted changes will be discarded on exit
Entering configuration mode

[edit]
srx#

Check if a commit is possible (but don't do it yet)
srx# commit check

Page 447: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


AND MORE ......

Add comments anywhere in the configuration
srx# annotate security policies from-zone trust to-zone trust "this is an annotation"

srx# show security policies
/* this is an annotation */
from-zone trust to-zone trust {
    inactive: policy 1 {
.....
# To remove the annotation redo the command with an empty string
annotate .... ""

Temporarily deactivate sections of the configuration
# deactivate whatever you want, but still keep it in the configuration
deactivate protocols ospf

Generate your own events (good to combine with event scripts)
set event-options generate-event backup-config-event time-of-day 23:30:00

Page 448: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


AND MORE .....

apply-groups to
set groups sonet interfaces <so-*> sonet-options rfc-2615
set apply-groups sonet

Copy a file from one cluster member to the other
file copy /var/tmp/test node1:/var/tmp/sampled.test

Show configuration with details
# Use this command to get explanations and range information for each parameter
show configuration | display detail

Login messages
# To make a message appear before login
set system login message "Welcome \n to \n JUNOS Training\n"
# To make a message appear after successful authentication
set system login announcement "Maintenance scheduled 11PM to 2AM tonight"

Page 449: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


AND MORE .....

Get a timestamp on the CLI every time you execute a command
set cli timestamp
# To disable
set cli timestamp disable

Quick navigation in configure mode
# If you used edit to change your current path in the navigation tree you can still
# reach every leaf of the tree by using "top" at the beginning
# Tab completion works and this "top" does not change your current position
edit protocols ospf
top show interface ge-0/0/0
top set interface ge-0/0/0 unit 0 ...

Page 450: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


FURTHER USEFUL INFORMATION

Page 451: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


DOCUMENTATION AND ADDITIONAL SOURCES

Software Documentation for SRX and J-Series
http://www.juniper.net/techpubs/software/JUNOS/

Hardware Documentation for SRX and J-Series
http://www.juniper.net/techpubs/hardware/srx-series.html
http://www.juniper.net/techpubs/software/jseries/

The JUNOS Page
http://JUNOS.juniper.net/

JTAC Knowledgebase
http://kb.juniper.net/
SRX Channel: http://kb.juniper.net/index?page=content&cat=SRX_SERIES&channel=KB

User Forums
http://forums.juniper.net/jnet/
http://www.juniperforum.com/

Books
http://www.juniper.net/us/en/training/jnbooks/

Page 452: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


SELF SERVICE TRAININGS

Training: Fasttrack Program (free materials)

http://www.juniper.net/training/fasttrack/

Training: Complete List of all Training and E-Learning Offers

http://www.juniper.net/us/en/training/technical_education/

Training: JUNOS as a second language

http://www.juniper.net/us/en/training/elearning/jsl.html

Training: Virtual Labs for Partner (Hands-on if you have no HW)

https://www.juniper.net/partners/partner_center/common/training/virtual_lab.jsp

Training: JTAC Webcasts for Partner

https://www.juniper.net/partners/partner_center/common/training/post_sales_webcasts.jsp

Discount Vouchers for Certifications

http://JUNOS.juniper.net/prometricvoucher/

Page 453: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


VPN CONFIGURATION GENERATOR Generator for VPN Configurations (route and policy based)

https://www.juniper.net/customers/support/configtools/vpnconfig.html

Page 454: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt


MIGRATION TOOLS Convert Cisco or Netscreen configurations to JUNOS

https://migration-tools.juniper.net/tools/index.jsp

Page 455: Juniper SRX Quickstart 12.1R3 by Thomas Schmidt