Juniper Connected Security Solution Using Third-Party Devices and Aruba ClearPass Policy Manager

Modified: 2019-05-09

Copyright © 2019, Juniper Networks, Inc.


Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089 USA
408-745-2000
www.juniper.net

Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Juniper Connected Security Solution Using Third-Party Devices and Aruba ClearPass Policy Manager

Copyright © 2019 Juniper Networks, Inc. All rights reserved.

The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.


Table of Contents

Chapter 1: Network Configuration Example - Juniper Connected Security Using Third-Party Devices and Aruba ClearPass Policy Manager (page 5)

    About This Network Configuration Example (page 5)

    Use Case Overview (page 6)

        Coping with a Changing Threat Landscape (page 6)

        Securing the Network with Juniper Connected Security Building Blocks (page 6)

    Technical Overview (page 8)

        Juniper Connected Security Workflow for Infected Host Detection and Tracking with Third-Party Switches (page 8)

    Example: Configuring Juniper Connected Security Using Third-Party Switches and Aruba ClearPass Policy Manager (page 10)

    Appendix: SRX Series Device and Cisco Catalyst Switch Configurations (page 58)

        SRX1500 Configuration (page 59)

        Cisco Catalyst 6509 Switch Configuration (page 62)


CHAPTER 1

Network Configuration Example - Juniper Connected Security Using Third-Party Devices and Aruba ClearPass Policy Manager

• About This Network Configuration Example on page 5

• Use Case Overview on page 6

• Technical Overview on page 8

• Example: Configuring Juniper Connected Security Using Third-Party Switches and Aruba ClearPass Policy Manager on page 10

• Appendix: SRX Series Device and Cisco Catalyst Switch Configurations on page 58

About This Network Configuration Example

This network configuration example (NCE) provides an overview and a step-by-step example for configuring and deploying Juniper Networks’ connected security solution using third-party switches and wireless access controllers with Aruba ClearPass Policy Manager (CPPM) and 802.1X integration.

This NCE defines Juniper Connected Security deployment for an enterprise and illustrates how Juniper Connected Security secures your network.

The instructions in this NCE describe configuration scenarios for traffic blocking, infected host tracking, and monitoring using Policy Enforcer, Sky Advanced Threat Prevention (ATP), and Security Director. The instructions also describe how to configure the Aruba ClearPass Connector, a Windows 7 supplicant, SRX Series devices (acting as firewalls), and the Cisco Catalyst WS-C6509 switch.

This document is intended for security and IT engineers, as well as network architects and system administrators.

Related Documentation

• Use Case Overview on page 6

• Technical Overview on page 8


Use Case Overview

• Coping with a Changing Threat Landscape on page 6

• Securing the Network with Juniper Connected Security Building Blocks on page 6

Coping with a Changing Threat Landscape

Coping with today’s broad and evolving threat landscape requires threat intelligence and immediate threat enforcement, as well as a method of providing a simpler policy mechanism across multivendor security environments.

The paradigm is changing from traditional perimeter security defenses to end-to-end security solutions that can deliver comprehensive yet coordinated protection by:

• Integrating and deploying advanced security features to protect systems and data from spyware, viruses, malicious code, denial-of-service attacks, and so on.

• Enabling every part of the network to be both a detection and enforcement point, to respond to suspicious activity anywhere in the network, which is the most effective way to deal with threats and intruders.

• Closing the gap between threat intelligence and enforcement, because threat intelligence loses most of its value if it is distributed too slowly, or if it does not reach all of an enterprise’s enforcement points.

• Using policy automation to adapt and enforce policy in real time, improving both compliance and business agility.

• Centralizing the security policy engine so that it can determine trust levels between network segments by collecting real-time threat information and creating a unified security policy, with distributed new policies implemented in real time from a central location.

• Providing the centralized management capabilities critical for regulatory compliance, reducing costs, and streamlining operations.

Securing the Network with Juniper Connected Security Building Blocks

The Juniper Connected Security solution provides end-to-end network visibility, allowing enterprises to secure their entire network, both physical and virtual.

The Juniper Connected Security solution is comprised of the following components:

• Threat detection engine—Cloud-based Sky ATP detects known and unknown malware. Known threats are detected by consolidating threat feed information from a variety of sources—command and control (C&C) servers, GeoIP, and information acquired from in-house log servers. Unknown threats are identified using methods such as sandboxing, machine learning, and threat deception.

• Centralized policy management—Junos Space Security Director, which also manages SRX Series devices, provides a management interface for the Juniper Connected Security solution called Policy Enforcer. Policy Enforcer communicates with Juniper devices and third-party devices across the network, globally enforcing security policies and consolidating threat intelligence from different sources. With monitoring capabilities, it can also act as a sensor, providing visibility for intra- and inter-network communications.

• Expansive policy enforcement—In a multivendor enterprise, Juniper Connected Security enforces security across Juniper devices, cloud-based solutions, and third-party devices. By communicating with all enforcement points, Juniper Connected Security can quickly block or quarantine threats, preventing the spread of bi-lateral attacks within the network.

• User intent-based policies—Juniper Connected Security supports the creation of policies according to logical business structures, such as: users, user groups, geographical locations, sites, tenants, applications, or threat risks. This allows network devices (switches, routers, firewalls, and other security devices) to share information, resources, and when threats are detected, remediation actions within the network.

The Juniper Connected Security solution provides the following benefits:

• Provides dynamic, automated threat remediation—Juniper Connected Security accurately detects known and unknown threats and delivers the ability to rapidly block or quarantine threats to prevent north-south or east-west threat propagation.

• Extends security to each layer of the network—Juniper Connected Security uses an inside-out security model because it leverages any network element as an enforcement point and then dynamically enforces security policy with software-defined segmentation designed to provide robust security.

• Works within a multivendor ecosystem—Juniper Connected Security adopts an open, multivendor ecosystem to detect and enforce security across Juniper products and solutions. Juniper Connected Security integrates third-party capabilities, enabling users to leverage existing, trusted threat feed sources to provide consistent, automated defense across diverse environments. An open architecture and suite of APIs enable you to select your preferred threat intelligence information sources and remediate across a multivendor network infrastructure.

The Juniper Connected Security solution also enforces threat prevention policies on third-party devices by integrating with 802.1X network access control (NAC) solutions such as Cisco Identity Services Engine (ISE), Aruba ClearPass, and ForeScout CounterACT. This provides a collaborative and comprehensive approach toward complete network security.

• Provides centralized policy and security management—Juniper Connected Security communicates with network elements and security products to globally enforce security policies and enables security policy administration through a single pane of glass. This reduces administrative overhead and facilitates a faster, more manageable approach to security as the network grows.

Related Documentation

• Technical Overview on page 8

• Example: Configuring Juniper Connected Security Using Third-Party Switches and Aruba ClearPass Policy Manager on page 10

• Juniper Connected Security Solution for Juniper Networks Devices

Technical Overview

This section provides an overview of how the Juniper Connected Security building blocks work together to provide a comprehensive security solution for your enterprise. Threats are detected more quickly by leveraging threat intelligence from multiple sources (including third-party feeds). Network security can adapt dynamically to real-time threat information so that security policies are enforced consistently.

In the Juniper Connected Security solution, Policy Enforcer orchestrates threat remediation workflows based on threats detected by Juniper’s Sky ATP solution or custom threat feeds, and enforces these policies on firewalls, in particular SRX Series devices, and on switches such as EX Series and QFX Series devices. The Juniper Connected Security solution also supports 802.1X-enabled third-party switches. Any switch that adheres to RADIUS IETF attributes and supports RADIUS Change of Authorization (CoA) messages is supported by Policy Enforcer for threat remediation.

Juniper Connected Security alters the security breach landscape considerably when a Juniper-secured network is attacked. Consider the following use cases:

• A user tries to download a file that contains known malware. In this case, the download is blocked by the SRX Series device, and the endpoint is not infected.

• A user tries to download a file that contains unknown malware. In this case, the download to the endpoint succeeds. However, once Sky ATP identifies the malware, the infected endpoint is quarantined or blocked by the local access switch. This action prevents malware from propagating to other endpoints on the network.

Juniper Connected Security Workflow for Infected Host Detection and Tracking with Third-Party Switches

Let’s take a look at a typical enterprise with clients, endpoints, access switches, and wireless access points. When an endpoint becomes compromised, it becomes a threat to other hosts within the network. It is important to control the infected host to ensure the problem doesn’t spread.

Figure 1 on page 9 shows an example of how Policy Enforcer quarantines infected hosts when the host is connected to a third-party switch.


Figure 1: Automated Threat Remediation on Third-Party Switches

[Figure: Policy Enforcer (Policy Controller, Connector Framework, Connector API, Feed Collector, Third-Party Switch Connector) sits between Sky ATP, the Cloud Feed Server and the Remote Feed Server on one side and the RADIUS Access Server, the SRX Series firewall, the aggregation layer and the EX Series/QFX Series or third-party access switches on the other. Numbered arrows 1 through 8 correspond to the steps listed below.]

In this example, the endpoint is connected to a third-party switch. The switch has 802.1X authentication enabled. The switch authenticates 802.1X requests through a RADIUS server.

1. The endpoint authenticates to the network through 802.1X or through MAC-based authentication and downloads a file from the Internet.

2. The perimeter firewall (SRX Series device) scans the file and, based on user-defined policies, sends the file to Sky ATP for analysis.

3. Sky ATP detects that the file contains malware, identifies the endpoint as an infected host, and notifies the SRX Series device and Policy Enforcer.

4. Policy Enforcer downloads the infected host feed and enforces the threat prevention policy using the third-party connector.

5. The connector uses an API to gather information about the endpoint (MAC address as well as the switch port it is connected to) from the RADIUS server. The connector then uses the API to update the endpoint’s status on the RADIUS server from “healthy” to “block” (or “quarantine”).

6. The RADIUS server enforces the appropriate profile and initiates CoA messages to the switch to terminate the session of the infected host.

7. The switch enforces the CoA instructions and blocks the infected host.

8. Policy Enforcer communicates the infected host’s details back to Sky ATP.

When the session of the authenticated endpoint is terminated, the endpoint attempts to re-connect. Based on the enforcement policy configured on the RADIUS server, the endpoint status changes to the blocked state, or it can be assigned to a quarantine VLAN.

Once the threat has been mitigated, the host’s status in Policy Enforcer changes from blocked to allowed, the threat level lowers to 0, and the endpoint can connect to the network again.
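Steps 5 through 7 hinge on the RADIUS CoA exchange between the RADIUS server and the switch. The following Python example, added here and not part of the original NCE or of any Juniper or Aruba product, builds the RFC 5176 Disconnect-Request that the RADIUS server sends, performs the authenticator check the switch makes when it receives it, and validates the switch's Disconnect-ACK the way the server should before treating the session as terminated. The shared secret, identifier and user name are constructed; the MAC address and the 10.13.107.168 address are reused from the Figure 2 topology, the latter assumed here to be the switch.

```python
import hashlib
import hmac
import struct

# RFC 5176 (Dynamic Authorization Extensions to RADIUS) packet codes.
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45

# RFC 2865 IETF attribute types used to identify the session to terminate.
ATTR_USER_NAME = 1
ATTR_NAS_IP_ADDRESS = 4
ATTR_CALLING_STATION_ID = 31   # endpoint MAC address as the switch reported it

HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def encode_attr(attr_type, value):
    """RADIUS TLV: Type, Length (covers the two header octets), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(packet):
    """Decode the attribute list into {type: value}; rejects malformed lengths."""
    attrs, pos = {}, HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("bad attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return attrs


def build_disconnect_request(secret, identifier, nas_ip, calling_station_id, user_name):
    """Disconnect-Request as the RADIUS server (step 6) sends it to the switch.
    Real deployments also carry a Message-Authenticator attribute (RFC 5176);
    it is omitted here for brevity."""
    attrs = (encode_attr(ATTR_USER_NAME, user_name.encode())
             + encode_attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + encode_attr(ATTR_CALLING_STATION_ID, calling_station_id.encode()))
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, HEADER_LEN + len(attrs))
    # Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    request_auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + request_auth + attrs


def verify_request(secret, packet):
    """The check the switch performs on arrival: length sane and the Request
    Authenticator proves knowledge of the shared secret."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


def build_response(secret, request, code, attrs=b""):
    """Disconnect-ACK/NAK as the switch (step 7) answers; simulates the NAS here."""
    header = struct.pack("!BBH", code, request[1], HEADER_LEN + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request[4:HEADER_LEN] + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(secret, request, response):
    """Server-side check: Identifier matches the outstanding request and the
    Response Authenticator is valid under the shared secret."""
    if len(response) < HEADER_LEN or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:HEADER_LEN]
                           + response[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, response[4:HEADER_LEN])


def session_terminated(secret, request, response):
    """True only when an authenticated Disconnect-ACK came back for this request."""
    return verify_response(secret, request, response) and response[0] == DISCONNECT_ACK


if __name__ == "__main__":
    # Constructed sample values: the secret, identifier and user name are made up;
    # the MAC and the switch address are reused from the Figure 2 topology.
    SECRET = b"constructed-shared-secret"
    req = build_disconnect_request(SECRET, 7, "10.13.107.168",
                                   "00:50:56:a8:1c:ca", "finance-user")
    print("request accepted by switch:", verify_request(SECRET, req))
    ack = build_response(SECRET, req, DISCONNECT_ACK)
    print("session terminated:", session_terminated(SECRET, req, ack))
```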


Related Documentation

• Use Case Overview on page 6

• Example: Configuring Juniper Connected Security Using Third-Party Switches and Aruba ClearPass Policy Manager on page 10

• Policy Enforcer

Example: Configuring Juniper Connected Security Using Third-Party Switches and Aruba ClearPass Policy Manager

This configuration example provides step-by-step instructions to configure the Juniper Connected Security solution and help simplify security policy creation, threat detection, and policy enforcement across the network. This example includes a Cisco Catalyst WS-C6509 switch as the third-party device, and uses Aruba ClearPass Policy Manager for policy enforcement.

Requirements

This example uses the following hardware and software components:

• SRX1500 running Junos OS Release 15.1X49-D80 or later

• Cisco Catalyst WS-C6509, 12.2(33)SXI14

• Aruba ClearPass Policy Manager, 6.6.0.81015

• VMware ESXi server, and vSphere client

• Sky Advanced Threat Prevention (ATP)

• Junos Space Network Management Platform, Release 17.1 or later

• Junos Space Security Director, Release 17.1R1 or later

• Log Collector, Release 17.1R1 or later

• Policy Enforcer, Release 17.1R1 or later

• Policy Enforcer Patch for Security Director, Release 17.1R2

• VM running Windows 7 with dual NICs

For a list of supported devices, please refer to the Policy Enforcer Release Notes.

NOTE: We recommend using the latest versions of Cisco IOS ED and MD releases for Cisco switches, which support 802.1X, RADIUS CoA, RADIUS Accounting, and DHCP snooping features.

Overview and Topology

Figure 2 on page 11 shows the lab setup used for this network configuration example.


Figure 2: Juniper Connected Security Topology Using a Third-Party Switch and Aruba ClearPass Policy Manager

[Figure: lab topology. Labels shown in the diagram:]

• SRX1500 firewall: interfaces ge-0/0/0, ge-0/0/1, ge-0/0/2; VLANs 12, 13, 14; irb.12 - 192.168.10.1 (logging interface); irb.13 - 192.168.231.1; irb.14 - 192.168.11.1 (DHCP server, .10-.20); uplink to the Internet and Sky ATP

• Cisco C6509 switch: GigabitEthernet1/47 and GigabitEthernet1/48; VLAN10-Quarantine; VLAN14-Finance (endpoint MAC 00:50:56:a8:1c:ca)

• Addresses labelled near the firewall and switch links: 10.13.107.186, 10.13.107.168

• Win7 client (802.1X-enabled): 192.168.11.13

• Lab management network 10.13.107.x: Log Collector 10.13.107.163 (management) and 192.168.10.4 (logs); HP/Aruba ClearPass Policy Manager 10.13.107.167; Policy Enforcer 10.13.107.164; Junos Space Network Management 10.13.107.161; Security Director UI 10.13.107.162

In this example, the endpoint is placed in the VLAN14-Finance group on the Cisco C6509 switch. The switch has 802.1X authentication enabled on Gigabit Ethernet interface 1/48, and Aruba CPPM configured as its RADIUS server. The SRX device is configured with an IRB interface that acts as the gateway for the endpoint.

The endpoint authenticates to the network using 802.1X. It becomes infected, and when it tries to contact a C&C server, Sky ATP detects the infected endpoint. Policy Enforcer downloads the infected host feed, and then enforces the infected host policy by advising Aruba CPPM to block (or quarantine) the endpoint. Aruba CPPM sends a RADIUS Change of Authorization (CoA) message to the switch, telling it to terminate the session by blocking the endpoint or quarantining it to VLAN 10.

Implementation Overview

The following set of installation, configuration, and verification steps are required to implement this example:

• Install and configure Junos Space and Security Director

• Install and configure the SRX Series device and Cisco Catalyst switch

• Download, deploy, and configure the Policy Enforcer virtual machine

• Connect Policy Enforcer to Security Director

• Obtain a Sky ATP license and create a Sky ATP cloud Web portal account

• Install the root CA on the Sky ATP-supported SRX Series devices

• Download, deploy, and configure the Aruba ClearPass Policy Manager (CPPM) virtual machine

• Configure the Policy Enforcer connector for third-party switches

• Configure the Windows 7 supplicant

• Configure Sky ATP with Juniper Connected Security

• Verify the enrollment of devices on Sky ATP

• Verify Juniper Connected Security functionality once the enrollment is successful

Install and Configure Junos Space and Security Director

Install Junos Space, Security Director, and Log Collector

Step-by-Step Procedure

To install Junos Space, Security Director, and Log Collector:

1. Download the Junos Space Network Management Platform image from https://www.juniper.net/support/downloads/?p=space#sw.

2. Install Junos Space using the instructions at Junos Space Software, Release 17.1.

3. Install Junos Security Director using the instructions at Junos Space Security Director, Release 17.1.

4. Install Log Collector using the instructions at Setting Up Security Director Log Collector.

Configure Networking

Step-by-Step Procedure

To configure networking for Junos Space and its components, perform the following tasks:

1. Configure relevant routes, netmask, gateway, DNS, and NTP so that all components except Log Collector can connect to the Internet.

2. Ensure all components are configured with the same time zone.

3. Ensure that SSH is enabled.

4. Ensure that Security Director can connect to the Sky ATP cloud server, Policy Enforcer, and all devices.


Install the Required DMI Schemas on Security Director

Step-by-Step Procedure

Download and install the matching Junos OS schemas to manage SRX Series devices. To download and install the correct schemas, perform the following tasks:

1. Install the DMI schemas for Junos OS Release 15.1X49-D80 using the instructions at Adding Missing DMI Schemas or Updating Outdated DMI Schemas in Junos Space Network Management Platform.

2. After the schemas are installed, set them as the default schema for each relevant platform.

Install and Configure the SRX Series Device and Cisco Catalyst Switch

Configure SRX Series Device

Step-by-Step Procedure

Configure the SRX device(s) per your requirements. See “Appendix: SRX Series Device and Cisco Catalyst Switch Configurations” on page 58 for details.

NOTE: For this example, configure the SRX device to act as a DHCP server for hosts in VLAN 14 (JNPR FINANCE VLAN).

Configure Cisco Catalyst Switch

Step-by-Step Procedure

Configure the switch per your requirements. See “Appendix: SRX Series Device and Cisco Catalyst Switch Configurations” on page 58 for details.

Configure Networking

Step-by-Step Procedure

To configure basic networking on the devices, perform the following tasks:

1. Configure the necessary routing and DNS settings to enable Internet access, both in-band and out-of-band.

2. Ensure the SRX Series device has connectivity to Junos Space, Policy Enforcer, and the Sky ATP cloud server.

Device Discovery in Junos Space

Step-by-Step Procedure

To add the SRX device to the Junos Space Network Management platform, perform the following tasks:

1. In Junos Space, discover and import the SRX Series device.

2. In Security Director, assign, publish, and update any existing firewall policies to ensure Security Director and the SRX device are in sync.

Download, Deploy, and Configure the Policy Enforcer Virtual Machine

Step-by-Step Procedure

To deploy and configure the Policy Enforcer virtual machine, perform the following tasks:

1. Download the Policy Enforcer virtual machine image from https://www.juniper.net/support/downloads/?p=sdpe to the management station where the vSphere client is installed.

2. On the vSphere client, select File > Deploy OVF Template from the menu bar.

3. Click Browse to locate the OVA file that was downloaded.

4. Click Next and follow the instructions in the installation wizard.

5. Once the installation is complete, log in to the virtual machine using the following credentials:

• User Name: root

• Password: abc123

6. Configure the network settings, NTP information, and customer information, and complete the wizard.

NOTE: For more detailed instructions, see Deploying and Configuring the Policy Enforcer Virtual Machine.


Install Policy Enforcer Patch

Step-by-Step Procedure

If you are using Policy Enforcer Release 17.1R2, you must install a software patch to address some ClearPass issues.

NOTE: This patch is not needed for Release 17.1R1. This patch is not needed for Release 17.2 and higher.

To install the Policy Enforcer patch:

1. Download the Policy-Enforcer-16.2R1-Patch.sh file from https://www.juniper.net/support/downloads/?p=sdpe#sw and put it in the /tmp folder of the Junos Space Network Management Platform server.

2. Log in to the Junos Space CLI using an SSH or console connection, and change directory to the /tmp folder.

3. Change the permissions of the Policy-Enforcer-16.2R1-Patch.sh file so that anyone can read, write, and execute the file using the following command:

chmod 777 Policy-Enforcer-16.2R1-Patch.sh

4. Execute the installation script using the following command:

sh Policy-Enforcer-16.2R1-Patch.sh

It might take a few minutes for the script to complete.

Connect Policy Enforcer to Security Director

Step-by-Step Procedure

You must identify the Policy Enforcer virtual machine in Security Director so that they can communicate with each other. To do so, follow these steps:

1. Log in to Security Director and select Administration > PE Settings.

2. Enter the IP address of the Policy Enforcer virtual machine and the root password, and click OK.

3. Select Threat Prevention Type as Sky ATP with PE.

NOTE: Do not run the wizard/guided setup at this point.


Obtain a Sky ATP License and Create a Sky ATP Cloud Web Portal Account

Step-by-Step Procedure

To obtain a Sky ATP license and create a Sky ATP cloud Web portal account, follow these steps:

1. Sky ATP has three service levels: free, basic, and premium. The free license provides limited functionality and is included with the base software. To obtain and install a Sky ATP basic or premium license, see Managing the Sky Advanced Threat Prevention License.

For more details on Sky ATP service levels and license types, see Sky Advanced Threat Prevention License Types.

2. Create a Sky ATP cloud Web portal account by clicking https://sky.junipersecurity.net and filling in the required information.

Install the Root CA on the Sky ATP-Supported SRX Series Devices

NOTE: This section is required only if you are enabling HTTPS inspection as part of a malware profile/threat prevention policy.

Generate Root CA Certificate Using Junos OS CLI or OpenSSL on a Linux Device

Step-by-Step Procedure

NOTE: Use only one of these options.

To generate a root CA certificate using the Junos OS CLI on the SRX Series device:

1. Generate a PKI public/private key pair for a local digital certificate.

user@host> request security pki generate-key-pair certificate-id ssl-inspect-ca size 2048 type rsa

2. Using the key pair, define a self-signed certificate by providing the FQDN and other details.

user@host> request security pki local-certificate generate-self-signed certificate-id ssl-inspect-ca domain-name domain-name subject subject email email-id add-ca-constraint

OR


Step-by-Step Procedure

To generate a root CA certificate using OpenSSL on a Linux device:

1. Generate a PKI public/private key pair and a self-signed certificate for a local digital certificate.

% openssl req -x509 -nodes -sha256 -days 365 -newkey rsa:2048 -keyout ssl-inspect-ca.key -out ssl-inspect-ca.crt

2. Copy the key pair onto the SRX Series device.

3. On the SRX Series device, import the key pair.

user@host> request security pki local-certificate load key ssl-inspect-ca.key filename ssl-inspect-ca.crt certificate-id ssl-inspect-ca

4. Apply the loaded certificate as root-ca in the SSL proxy profile (configuration mode).

user@host# set services ssl proxy profile ssl-inspect-profile root-ca ssl-inspect-ca

Configure a CA Profile Group

Step-by-Step Procedure

To configure a CA profile group:

1. Create the CA profile.

user@host# set security pki ca-profile ssl-inspect-ca ca-identity ssl-inspect-ca
user@host# commit

2. Junos OS provides a default list of trusted CA certificates that you can load on your system using the default command option.

user@host> request security pki ca-certificate ca-profile-group load ca-group-name All-Trusted-CA-Def filename default

Do you want to load this CA certificate ? [yes,no] (no) yes

Loading 155 certificates for group 'All-Trusted-CA-Def'.
All-Trusted-CA-Def_1: Loading done.
All-Trusted-CA-Def_2: Loading done.
All-Trusted-CA-Def_3: Loading done.
All-Trusted-CA-Def_4: Loading done.
All-Trusted-CA-Def_5: Loading done.
...

3. Verify that the All-Trusted-CA-Def certificates are loaded.

user@host> show security pki ca-certificate brief

...
Certificate identifier: All-Trusted-CA-Def_1
...

Chapter 1: Network Configuration Example - Juniper Connected Security Using Third-Party Devices and Aruba ClearPass Policy Manager

Import Root CA Certificate into a Browser

Step-by-Step Procedure

To export the root CA certificate:

1. On the SRX Series device, export the certificate to a .pem file.

user@host> request security pki local-certificate export certificate-id ssl-inspect-ca type pem filename /var/tmp/ssl-inspect-ca.pem

2. Transfer the .pem file to your Windows client.

NOTE: If you are using the Linux device with OpenSSL, the certificate is already available on the device and no action is required.


Step-by-Step Procedure

To import the certificate into a browser:

1. On the Windows client, instruct the browser to trust the CA root certificate.

Internet Explorer (version 8.0):

• From the Tools menu, choose Internet Options.

• On the Content tab, click Certificates.

• Select the Trusted Root Certification Authorities tab, and click Import.

• In the Certificate Import wizard, navigate to the required root CA certificate and select it.

Firefox (version 39.0):

• From the Tools menu, choose Options.

• From the Advanced menu, select the Certificates tab and click View Certificates.

• In the Certificate Manager window, select the Authorities tab and click Import.

• Navigate to the required root CA certificate and select it.

Google Chrome (version 45.0):

• From the Settings menu, choose Show Advanced Settings.

• Under HTTPS/SSL, click Manage Certificates.

• In the Certificates window, select Trusted Root Certification Authorities and click Import.

• In the Certificate Import Wizard, navigate to the required root CA certificate and select it.

NOTE: On Windows, Chrome and Internet Explorer share the Windows certificate store, so importing the root CA through either browser makes it trusted by both. Firefox keeps its own certificate store and must be configured separately.

For more details, see Configuring SSL Proxy.

OR

Step-by-Step Procedure

1. On the Linux device, add the certificate to the system trust store using the following commands (Debian/Ubuntu layout shown):

% sudo cp ssl-inspect-ca.crt /usr/local/share/ca-certificates/ssl-inspect-ca.crt
% sudo update-ca-certificates

NOTE: This updates the system store used by command-line tools and Chrome. Firefox does not read the system store by default; import the certificate through its Certificate Manager as described above.

Download, Deploy, and Configure the Aruba ClearPass Policy Manager (CPPM) Virtual Machine

Step-by-Step Procedure


Before you install Aruba CPPM version 6.6.0.81015 on a VMware ESXi server, complete the following tasks:

1. Download and deploy the CPPM OVF file on an ESXi host.

2. Obtain a license key from an HP/Aruba representative.

3. CPPM requires a minimum of 80 GB of free disk space to operate; ensure enough disk space is available. If possible, also add an additional 16 GB of VM memory.

To install Aruba CPPM version 6.6.0.81015 on a VMware ESXi server:

1. Power on the VM and follow the instructions on the console.

2. Log in with the following default credentials:

• User Name: appadmin

• Password: eTIPS123

Change this default password as soon as the initial setup is complete.

3. Configure the network and system settings.

NOTE: The RADIUS configuration on the Cisco switch will point to the IP address of the CPPM management port. Ensure that the devices can reach each other.

4. Use a browser to connect to the CPPM management IP address: https://CPPM_MGT_IP.


5. Click ClearPass Policy Manager and enter the license key, agree to the terms and conditions, and click Add License.

6. Log in to the system using user name admin and password eTIPS123.

7. Go to Administration > Server Manager > Server Configuration, and select the CPPM server.


8. Select the Enable Insight and Enable as Insight Master check boxes, and click Save.

9. On the Service Parameters tab, select service RADIUS Server. Then select TRUE for Log Accounting Interim-Update Packets, and click Save.


10. Go to Configuration > Network > Devices and add the third-party switch details.


11. Go to Configuration > Identity > Local Users and create a new user, as follows:

• User Name: ccl

• Password: ccl123

• Role: Employee

• Enable User: Yes (check the box)

• Attribute: Department; Value: Finance

12. Go to Administration > Dictionaries > Attributes, and add a new attribute sdsnEpStatus. Enter the details as shown below.


13. Go to Configuration > Enforcement > Profiles, and create three enforcement profiles, as follows:

a. Quarantine VLAN

• Name: JNPR SDSN Quarantine

• Type: RADIUS

• Action: Accept

• RADIUS Attributes: as shown below; use VLAN ID 10

b. Terminate Session

• Name: JNPR SDSN Terminate Session

• Type: RADIUS_CoA

• Action: Disconnect

• On the Attributes tab, select the IETF - Terminate-Session-IETF template.


c. Finance VLAN

• Name: JNPR FINANCE VLAN

• Type: RADIUS

• Action: Accept

• RADIUS Attributes: as shown below; use VLAN ID 14


14. Go to Configuration > Enforcement > Policies, and create an enforcement policy, as follows:

• Name: JNPR 802.1x Policy

• Enforcement Type: RADIUS

• Default Profile: Allow Access Profile

• Add Conditions as shown below.


15. Go to Configuration > Services, and create a new service, as follows:

• Name: JNPR 802.1X Wired Access Service

• Type: 802.1X Wired

• Add other details as shown below.


16. At this point, enable the Windows supplicant for 802.1X authentication on the endpoint. Complete the tasks in the “Configure the Windows 7 Supplicant” on page 31 section, then return here and continue to the next step.

NOTE:

• Ensure that a DHCP server is available to hosts in VLAN 14 (JNPR FINANCE VLAN). In this example, the SRX1500 device acts as a DHCP server.

17. With the endpoint authenticated, open a new tab in the same browser to connect to the CPPM Management IP address: https://CPPM-management-ip-address, and click ClearPass Guest.


18. Go to Administration > API Services > API Clients, and create an API client using the details shown below.

NOTE: Take note of the Client ID and Client Secret values, as you will need these when configuring the Policy Enforcer connector.


Configure the Policy Enforcer Connector for Third-Party Switches

Step-by-Step Procedure

Configure the Policy Enforcer connector.

1. Log in to Security Director and go to Administration > Policy Enforcer > Connectors, and create a new connector, as follows:

• Connector for: Third Party Switch

• Name: ArubaCPPM

• Identify Server Type: HP ClearPass

• IP Address: CPPM management IP (10.13.107.167 in this example)

• Port: 443 (default)

• Client ID: Client ID created while setting up the HP ClearPass API client (sdsnclient in this example)

• Client Secret: Client Secret string created while setting up the HP ClearPass API client

A blue loading/wait circle indicates that creation of the connector is in progress.

Configure the Windows 7 Supplicant

Step-by-Step Procedure

Configure the Windows 7 Supplicant.


1. In the Services panel, ensure that the Wired AutoConfig service is started.

2. On the Network Connections page, select the LAN connection and enable 802.1X PEAP authentication, as shown below.


3. Click Settings and clear the Validate server certificate check box, if set.

NOTE: Clearing this check box is acceptable only for this lab test. With validation off, the supplicant will build its PEAP tunnel to any RADIUS server that answers, exposing the MSCHAPv2 credential exchange to a rogue server. In production, keep the check box selected, import the CA that issued the CPPM RADIUS server certificate, and restrict the trusted server names.


4. Configure the user credentials settings. Clear the Automatically use my Windows logon name and password check box, as the user is configured locally in CPPM.


5. Back on the Authentication tab, select Additional Settings.


6. Click Replace credentials and enter the user ID and password of the local user that was added in CPPM (ccl/ccl123 in this example).


7. On the Cisco switch, verify that the endpoint (which is attached to interface GigabitEthernet1/48) is identified and assigned to the correct VLAN (VLAN14-Finance in this example).

8. In Aruba CPPM, navigate to Guest > Active Sessions and verify that the endpoint's session information appears.


Configure Juniper Connected Security with Sky ATP and Policy Enforcer

Step-by-Step Procedure

The tasks required to configure Juniper Connected Security include:

• Configure a secure fabric

• Define a site and add endpoints to it (switches and firewalls)

• Configure policy enforcement groups

• Create a threat prevention policy

• Apply the threat prevention policy to policy enforcement groups

When using Policy Enforcer for threat prevention with Sky ATP, Guided Setup is the most efficient way to complete the initial configuration, as follows:

1. In Security Director, go to Configure > Guided Setup > Sky ATP with PE.

2. Click Start Setup and follow the wizard.


3. Create a secure fabric site and add the SRX device and Aruba CPPM as enforcement points.

4. Create a policy enforcement group. Select Location from the drop-down menu and add the site configured above.

NOTE: In Release 17.1R1, only the Location type is supported.


5. Add the Sky ATP realm by providing the relevant details from your Sky ATP account. See “Obtain a Sky ATP License and Create a Sky ATP Cloud Web Portal Account” on page 16.

6. Verify that the Sky ATP realm has been added.

The value 1 should appear in the Perimeter Firewall in Sites column, indicating that Sky ATP has detected the SRX Series device.


NOTE: If the realm addition is not successful, it is likely due to a connectivity issue with Security Director's access to the Internet. Ensure that all devices/components can reach the Internet and each other.

7. Create a threat prevention policy.


8. Add a profile for HTTP file downloads.

Click Change and select the profile to indicate which file types need to be scanned for threats. In the Device Profile area, expand the Realm, and select the desired profile (default_profile, in this example).


9. Assign the threat prevention policy to the policy enforcement group by clicking Assign to Groups.

10. Select the policy enforcement group, and click OK.


11. The system performs a rule analysis, and prepares device configurations that include the threat prevention policies.

12. Once the analysis is complete, instruct the system to push the updated policy to the SRX device by clicking the Update button.


13. When the push is complete, the Job State will show Success.

NOTE: If the update fails, try the following steps:

• Click OK, then click Finish to complete the Guided Setup.

• Go to Devices > Security Devices and re-synchronize the SRX device.

• Go to Configure > Threat Prevention > Policies, click View Analysis, and push the update again.

TIP: For further troubleshooting, go to Monitor > Job Management.


14. To see the configuration that was pushed to the SRX device, click View in the Configuration column.

15. Click OK, and click Finish to complete the Guided Setup.


Verification

• Verify Sky ATP Device Enrollment on SRX Device on page 48

• Verify Sky ATP Device Enrollment in Sky ATP on page 48

• Verify Sky ATP Device Enrollment in Security Director on page 49

• Test Juniper Connected Security Functionality - Blocking Infected Endpoint on page 49

• Test Juniper Connected Security Functionality - Quarantining Infected Endpoint on page 54

Verify Sky ATP Device Enrollment on SRX Device

Purpose Verify that the SRX Series device is connected to, and enrolled with, the Sky ATP cloud server.

Action On the SRX device, verify that a connection is established with Sky ATP.

user@host> show services advanced-anti-malware status

Server connection status:
    Server hostname: srxapi.us-west-2.sky.junipersecurity.net
    Server port: 443
    Control Plane:
        Connection time: 2017-08-15 17:43:36 EDT
        Connection status: Connected
    Service Plane:
        fpc0
            Connection active number: 4
            Connection retry statistics: 1210

Meaning The output displays the Connection status as Connected. The Server hostname field displays the Sky ATP cloud server hostname.

Verify Sky ATP Device Enrollment in Sky ATP

Purpose Verify that the SRX device and Policy Enforcer are enrolled with Sky ATP.


Action In Sky ATP, navigate to the Enrolled Devices page and verify that both elements have been added.

Meaning The Host field displays entries for Policy Enforcer and the SRX device. You can click the serial number for more details.

Verify Sky ATP Device Enrollment in Security Director

Purpose Verify that the SRX Series device is enrolled with Sky ATP in Security Director.

Action In Security Director, navigate to Devices > Secure Fabric.

Meaning The Enforcement Points field shows the SRX device, and the SKYATP Enroll Status field shows the Sky ATP realm name and a green check mark, confirming that the device is enrolled with the Sky ATP realm.

Test Juniper Connected Security Functionality - Blocking Infected Endpoint

Purpose With the Juniper Connected Security solution configured, verify how it detects and reacts to problems.

In the following scenario, the endpoint (192.168.11.13) on the LAN simulates a threat by contacting a C&C server on the Internet. This event is determined to exceed the threat prevention policy's threat score threshold, and as a result the endpoint is blocked.


Before simulating the attack, confirm the following steps:

• In Security Director, go to Policy Enforcer > Threat Prevention Policy and verify that the C&C server and infected host profile actions are set to Drop connection silently.

• On the Cisco switch, confirm that the endpoint (192.168.11.13) is assigned to VLAN 14 (VLAN14-Finance).


• Confirm, using continuous pings, that the endpoint can reach another host on the LAN (192.168.11.1, the default gateway) and the Internet (8.8.8.8).

• In Aruba CPPM, go to Monitoring > Live Monitoring > Access Tracker, and confirm that the endpoint appears and is associated to the appropriate service. Note that the enforcement profile is currently JNPR FINANCE VLAN.

Action In this scenario, the endpoint contacts (pings) the C&C server (in this example, a server upstream from the SRX device with IP address 1.1.1.3).

The Juniper ConnectedSecurity solution elements then detect and react to the situation:


• Sky ATP analyzes the traffic; it exceeds the threat prevention policy's threat score threshold.

• Policy Enforcer communicates with CPPM, which sends RADIUS CoA messages to the Cisco switch to terminate the endpoint's session.

• The SRX blocks the endpoint's access to the Internet.

• The Cisco switch blocks the endpoint's access to other points on the LAN.

On the Cisco switch, the console shows the RADIUS CoA disconnect message.

The switch's show vlan output shows that the endpoint is no longer part of VLAN14-Finance.


In Aruba CPPM, on the Monitoring > Live Monitoring > Access Tracker page, the endpoint's enforcement profile is now JNPR SDSN Terminate Session. This profile sent the disconnect messages to the Cisco switch.

On the SRX device, the endpoint is identified as an infected host. The output shows that the Sky ATP infected host feed containing the endpoint's IP address has been successfully downloaded, resulting in the SRX device taking an action to block Internet access for the infected host.

In the Sky ATP portal, on the Monitor > Hosts page, the endpoint is identified as a compromised host and has a status of Blocked.


Clicking on the endpoint's IP address opens the Hosts page, which shows more details about the endpoint.

Test Juniper Connected Security Functionality - Quarantining Infected Endpoint

Purpose The following scenario is similar to the blocking scenario above; however, this time when the endpoint's contact with the C&C server is determined to exceed the threat prevention policy's threat score threshold, the endpoint is assigned to a quarantine VLAN.


Before simulating the attack, perform or confirm the following steps:

• If you performed the endpoint blocking test above, release the infected host in either the Sky ATP cloud portal or Security Director (Monitor > Threat Prevention > Host). Ensure that LAN and Internet access are restored for the endpoint.

• In Security Director, go to Policy Enforcer > Threat Prevention Policy and edit the policy. Change the infected host profile action to Quarantine and add the VLAN name VLAN10.

• On the Cisco switch, confirm that the endpoint (192.168.11.13) is assigned to VLAN 14 (VLAN14-Finance).


• Confirm that the endpoint can reach another host on the LAN (192.168.11.1) and the Internet (8.8.8.8).

• In Aruba CPPM, go to Monitoring > Live Monitoring > Access Tracker and confirm that the endpoint is associated to the JNPR FINANCE VLAN enforcement profile.

Action Once again, the endpoint contacts (pings) the C&C server (1.1.1.3).

The Juniper Connected Security solution elements again detect and react to the situation:

• Sky ATP analyzes the traffic; it exceeds the threat prevention policy's threat score threshold.

• Policy Enforcer communicates with CPPM, which sends RADIUS CoA messages to the Cisco switch to terminate the endpoint's session.


• The SRX blocks the endpoint's access to the Internet.

• The Cisco switch blocks the endpoint's access to other points on the LAN.

On the Cisco switch, the console shows the RADIUS CoA disconnect message. In addition, the console shows the endpoint re-authenticating and being assigned to the quarantine VLAN (10).

The switch's show vlan output confirms that the endpoint is now assigned to VLAN10-Quarantine.


In Aruba CPPM, on the Monitoring > Live Monitoring > Access Tracker page, the endpoint’s enforcement profile is now JNPR SDSN Quarantine. This profile sent the VLAN re-assignment messages to the Cisco switch.

On the SRX device, the endpoint is identified as an infected host and the device has blocked Internet access for the infected host.

Related Documentation

• Use Case Overview on page 6

• Technical Overview on page 8

• Appendix: SRX Series Device and Cisco Catalyst Switch Configurations on page 58

Appendix: SRX Series Device and Cisco Catalyst Switch Configurations

Configuration files for the devices used to build this configuration example are provided below.

NOTE: The following configurations were captured from a lab environment and are provided for reference only. Actual configurations may vary based on the specific requirements of your environment.


SRX1500 Configuration

The following sample shows the configuration for the SRX1500 device used in this configuration example.

set version 15.1X49-D80.4
set system host-name SRX1500-WF
set system time-zone America/New_York
set system root-authentication encrypted-password "$ABC123"
set system name-server 8.8.8.8
set system services ssh max-sessions-per-connection 32
set system services telnet
set system services xnm-clear-text
set system services netconf ssh
set system services dhcp-local-server group wan-dhcp2 interface irb.14
set system syslog user * any emergency
set system syslog host 192.168.10.4 structured-data
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system syslog file default-log-messages any info
set system syslog file default-log-messages match "(requested 'commit' operation)|(requested 'commit synchronize' operation)|(copying configuration to juniper.save)|(commit complete)|ifAdminStatus|(FRU power)|(FRU removal)|(FRU insertion)|(link UP)|transitioned|Transferred|transfer-file|(license add)|(license delete)|(package -X update)|(package -X delete)|(FRU Online)|(FRU Offline)|(plugged in)|(unplugged)|GRES"
set system syslog file default-log-messages structured-data
set system max-configurations-on-flash 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set system ntp server 203.0.113.1
set services application-identification
set services ssl initiation profile aamw-ssl trusted-ca aamw-secintel-ca
set services ssl initiation profile aamw-ssl trusted-ca aamw-cloud-ca
set services ssl initiation profile aamw-ssl client-certificate aamw-srx-cert
set services ssl initiation profile aamw-ssl actions crl disable
set services security-intelligence url https://10.13.107.164:443/api/v1/manifest.xml
set services security-intelligence authentication auth-token RL520JGQ1DJQQI0ZZN2DALB0I0DP7HCL
set services security-intelligence profile TP_CC category CC
set services security-intelligence profile TP_CC rule Rule-1 match threat-level 1
set services security-intelligence profile TP_CC rule Rule-1 match threat-level 2
set services security-intelligence profile TP_CC rule Rule-1 then action permit
set services security-intelligence profile TP_CC rule Rule-1 then log
set services security-intelligence profile TP_CC rule Rule-2 match threat-level 3
set services security-intelligence profile TP_CC rule Rule-2 match threat-level 4
set services security-intelligence profile TP_CC rule Rule-2 then action permit
set services security-intelligence profile TP_CC rule Rule-2 then log
set services security-intelligence profile TP_CC rule Rule-3 match threat-level 5
set services security-intelligence profile TP_CC rule Rule-3 match threat-level 6
set services security-intelligence profile TP_CC rule Rule-3 match threat-level 7
set services security-intelligence profile TP_CC rule Rule-3 match threat-level 8
set services security-intelligence profile TP_CC rule Rule-3 match threat-level 9
set services security-intelligence profile TP_CC rule Rule-3 match threat-level 10


set services security-intelligence profile TP_CC rule Rule-3 then action block drop
set services security-intelligence profile TP_CC rule Rule-3 then log
set services security-intelligence profile TP_Infected-Hosts category Infected-Hosts
set services security-intelligence profile TP_Infected-Hosts rule Rule-1 match threat-level 1
set services security-intelligence profile TP_Infected-Hosts rule Rule-1 match threat-level 2
set services security-intelligence profile TP_Infected-Hosts rule Rule-1 match threat-level 3
set services security-intelligence profile TP_Infected-Hosts rule Rule-1 match threat-level 4
set services security-intelligence profile TP_Infected-Hosts rule Rule-1 match threat-level 5
set services security-intelligence profile TP_Infected-Hosts rule Rule-1 match threat-level 6
set services security-intelligence profile TP_Infected-Hosts rule Rule-1 then action permit
set services security-intelligence profile TP_Infected-Hosts rule Rule-1 then log
set services security-intelligence profile TP_Infected-Hosts rule Rule-2 match threat-level 7
set services security-intelligence profile TP_Infected-Hosts rule Rule-2 match threat-level 8
set services security-intelligence profile TP_Infected-Hosts rule Rule-2 match threat-level 9
set services security-intelligence profile TP_Infected-Hosts rule Rule-2 match threat-level 10
set services security-intelligence profile TP_Infected-Hosts rule Rule-2 then action block drop
set services security-intelligence profile TP_Infected-Hosts rule Rule-2 then log
set services security-intelligence policy TP CC TP_CC
set services security-intelligence policy TP Infected-Hosts TP_Infected-Hosts
set services advanced-anti-malware connection url https://srxapi.us-west-2.sky.junipersecurity.net
set services advanced-anti-malware connection authentication tls-profile aamw-ssl
set services advanced-anti-malware policy TP http inspection-profile default_profile
set services advanced-anti-malware policy TP http action block
set services advanced-anti-malware policy TP http notification log
set services advanced-anti-malware policy TP verdict-threshold 5
set services advanced-anti-malware policy TP fallback-options action permit
set services advanced-anti-malware policy TP fallback-options notification log
set services advanced-anti-malware policy TP default-notification log
set services advanced-anti-malware policy TP whitelist-notification log
set services advanced-anti-malware policy TP blacklist-notification log
set security log mode stream
set security log format sd-syslog
set security log source-address 192.168.10.1
set security log stream TRAFFIC category all
set security log stream TRAFFIC host 192.168.10.4
set security log stream TRAFFIC host port 514
set security pki ca-profile aamw-ca ca-identity deviceCA
set security pki ca-profile aamw-ca enrollment url http://ca.junipersecurity.net:8080/ejbca/publicweb/apply/scep/SRX/pkiclient.exe
set security pki ca-profile aamw-ca revocation-check disable
set security pki ca-profile aamw-ca revocation-check crl url http://va.junipersecurity.net/ca/deviceCA.crl
set security pki ca-profile aamw-secintel-ca ca-identity JUNIPER


set security pki ca-profile aamw-secintel-ca revocation-check crl url http://va.junipersecurity.net/ca/current.crl
set security pki ca-profile aamw-cloud-ca ca-identity JUNIPER_CLOUD
set security pki ca-profile aamw-cloud-ca revocation-check crl url http://va.junipersecurity.net/ca/cloudCA.crl
set security policies global policy PolicyEnforcer-Rule1-1 match source-address any
set security policies global policy PolicyEnforcer-Rule1-1 match destination-address any
set security policies global policy PolicyEnforcer-Rule1-1 match application any
set security policies global policy PolicyEnforcer-Rule1-1 then permit application-services security-intelligence-policy TP
set security policies global policy PolicyEnforcer-Rule1-1 then permit application-services advanced-anti-malware-policy TP
set security policies global policy GlobalPermit match source-address any
set security policies global policy GlobalPermit match destination-address any
set security policies global policy GlobalPermit match application any
set security policies global policy GlobalPermit match from-zone any
set security policies global policy GlobalPermit match to-zone any
set security policies global policy GlobalPermit then permit
set security policies global policy GlobalPermit then log session-init
set security policies global policy GlobalPermit then log session-close
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces irb.14
set security zones security-zone trust interfaces irb.12
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces irb.13
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members VLAN12
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members VLAN14
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members VLAN13
set interfaces fxp0 unit 0 family inet address 10.13.107.186/23
set interfaces irb unit 12 family inet address 192.168.10.1/24
set interfaces irb unit 13 family inet address 192.168.231.1/24
set interfaces irb unit 14 family inet address 192.168.11.1/24
set snmp trap-group space targets 10.13.107.162
set routing-options static route 172.28.0.0/16 next-hop 10.13.106.1
set routing-options static route 10.13.0.0/16 next-hop 10.13.106.1
set routing-options static route 0.0.0.0/0 next-hop 192.168.231.10
set routing-options static route 172.29.0.0/16 next-hop 10.13.106.1
set routing-options static route 172.30.76.0/23 next-hop 10.13.106.1
set routing-options static route 10.163.69.44/30 next-hop 10.13.106.1
set protocols l2-learning global-mode switching
set access address-assignment pool wan-2 family inet network 192.168.11.1/24
set access address-assignment pool wan-2 family inet range wan-2-range low 192.168.11.10
set access address-assignment pool wan-2 family inet range wan-2-range high 192.168.11.20
set access address-assignment pool wan-2 family inet dhcp-attributes maximum-lease-time 86400
set access address-assignment pool wan-2 family inet dhcp-attributes name-server 8.8.8.8
set access address-assignment pool wan-2 family inet dhcp-attributes router 192.168.11.1
set vlans VLAN12 vlan-id 12


set vlans VLAN12 l3-interface irb.12
set vlans VLAN13 vlan-id 13
set vlans VLAN13 l3-interface irb.13
set vlans VLAN14 vlan-id 14
set vlans VLAN14 l3-interface irb.14
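To check what the security-intelligence threat-level rules in the SRX1500 sample actually do, the following added example (not Juniper code) parses the set statements for the TP_CC and TP_Infected-Hosts profiles and reports the action and logging for a given threat level. The embedded excerpt is trimmed to the rules at the permit/block boundaries (levels 4/5 for C&C, 6/7 for infected hosts); the threat-level queries are constructed for illustration.

```python
import re
from collections import defaultdict

# Excerpt of the SRX1500 sample configuration above, trimmed to the rules
# at the permit/block boundaries (constructed subset of the page's config).
SET_LINES = """
set services security-intelligence profile TP_CC rule Rule-1 match threat-level 1
set services security-intelligence profile TP_CC rule Rule-1 then action permit
set services security-intelligence profile TP_CC rule Rule-1 then log
set services security-intelligence profile TP_CC rule Rule-2 match threat-level 4
set services security-intelligence profile TP_CC rule Rule-2 then action permit
set services security-intelligence profile TP_CC rule Rule-2 then log
set services security-intelligence profile TP_CC rule Rule-3 match threat-level 5
set services security-intelligence profile TP_CC rule Rule-3 then action block drop
set services security-intelligence profile TP_CC rule Rule-3 then log
set services security-intelligence profile TP_Infected-Hosts rule Rule-1 match threat-level 6
set services security-intelligence profile TP_Infected-Hosts rule Rule-1 then action permit
set services security-intelligence profile TP_Infected-Hosts rule Rule-1 then log
set services security-intelligence profile TP_Infected-Hosts rule Rule-2 match threat-level 7
set services security-intelligence profile TP_Infected-Hosts rule Rule-2 then action block drop
set services security-intelligence profile TP_Infected-Hosts rule Rule-2 then log
""".strip().splitlines()

# One regex covers the three statement shapes used by a profile rule.
RULE_RE = re.compile(
    r"^set services security-intelligence profile (\S+) rule (\S+) "
    r"(?:match threat-level (\d+)|then action (.+)|then (log))$"
)


def parse_profiles(lines):
    """Map profile -> rule -> {levels, action, log}, preserving config order."""
    profiles = defaultdict(dict)
    for line in lines:
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # category lines and unrelated statements are skipped
        profile, rule, level, action, log = m.groups()
        entry = profiles[profile].setdefault(
            rule, {"levels": set(), "action": None, "log": False})
        if level:
            entry["levels"].add(int(level))   # a rule may list many levels
        elif action:
            entry["action"] = action.strip()  # e.g. "permit" or "block drop"
        elif log:
            entry["log"] = True
    return profiles


def verdict(profiles, profile, threat_level):
    """Return (rule, action, logged) for the first matching rule, else None."""
    for rule, entry in profiles.get(profile, {}).items():
        if threat_level in entry["levels"]:
            return rule, entry["action"], entry["log"]
    return None  # no rule in this excerpt covers the level
```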

Cisco Catalyst 6509 Switch Configuration

The following sample shows the configuration for the Cisco Catalyst 6509 switch used in this configuration example.

HIAGATE#
HIAGATE#show runn
Building configuration...

Current configuration : 14664 bytes
!
! Last configuration change at 20:44:49 UTC Fri Aug 18 2017 by cisco
! NVRAM config last updated at 20:33:43 UTC Fri Aug 18 2017 by cisco
!
upgrade fpd auto
version 12.2
service timestamps debug uptime
service timestamps log datetime
no service password-encryption
service counters max age 10
!
hostname HIAGATE
!
boot-start-marker
boot system flash disk0:s72033-advipservicesk9_wan-vz.122-33.SXI14.bin
boot-end-marker
!
logging buffered informational
!
aaa new-model
!
!
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
!
aaa server radius dynamic-author
 client 10.13.107.167 server-key cisco123
 port 3799
 auth-type all
!
aaa session-id common
!
no ip domain-lookup
ip domain-name hiagate-sdsn.com
!
ip dhcp snooping
no ip bootp server
ip ssh version 2
ip scp server enable
ip device tracking
!


dot1x system-auth-control
!
vlan 10
 name VLAN10-Quarantine
!
vlan 14
 name VLAN14-Finance
!
interface GigabitEthernet1/47
 description SRX1500
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 14
 switchport mode trunk
!
interface GigabitEthernet1/48
 description ESXiServer
 switchport
 switchport mode access
 speed 1000
 duplex full
 authentication host-mode multi-host
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 dot1x pae authenticator
 dot1x timeout server-timeout 30
 dot1x timeout tx-period 10
 dot1x max-req 3
 dot1x max-reauth-req 10
 spanning-tree portfast edge
!
interface Vlan1
 ip address 10.13.107.168 255.255.254.0
!
ip route 0.0.0.0 0.0.0.0 10.13.106.1
!
radius-server attribute 8 include-in-access-req
radius-server host 10.13.107.167 auth-port 1812 acct-port 1813 key cisco123
radius-server vsa send accounting
radius-server vsa send authentication
!
line con 0
 exec-timeout 0 0
 logging synchronous
line vty 0 4
 exec-timeout 0 0
 logging synchronous
 transport input ssh
line vty 5 15
!
exception core-file
ntp authentication-key 1 md5 123310191B1B0916 7
ntp trusted-key 1
ntp source Loopback0
ntp master 1
!
end
HIAGATE#


Related Documentation

• Technical Overview on page 8

• Example: Configuring Juniper Connected Security Using Third-Party Switches and Aruba ClearPass Policy Manager on page 10
