Juniper Srx quickstart-12.1r3



  1. SRX JUMP STATION
     Based on JUNOS versions up to 12.1R3; last modified Nov 08 2012.
     Thomas Schmidt, Consulting Systems Engineer
  2. WHAT IS THE PURPOSE OF THIS QUICK START?
     Copyright © 2011 Juniper Networks, Inc. www.juniper.net
     • This collection is for users who already have experience with ScreenOS firewalls and the underlying concepts and now want to use JUNOS-based SRX firewalls.
     • It assumes you already have some knowledge of JUNOS (there are free trainings to help you) but need a guide to configure a complete system.
     • It is a guide to help you find the commands required for typical features and tasks, with brief, working examples.
     • Navigation:
       • Click on the button in the top right corner to get to the Jump Station Central.
       • Click on the chapter buttons to get to the desired chapter.
     • If you need more in-depth information or more details of the underlying concepts, consult the documentation or participate in trainings.
     • This collection cannot replace the full JUNOS documentation or trainings and cannot cover all parameters available for a given feature.
  3. JUMP STATION CENTRAL
     Navigation slide with buttons to the chapters: Basics, Network, Firewall, Manage/Log/Monitor, AppFirewall/IDP/UTM, VPN, Troubleshooting, High Availability, Toolbox and More.
  4. JUNOS BASICS
  5. DOCUMENTATION AND GUIDES
  6. THE RIGHT PLACE FOR SRX HARDWARE AND SOFTWARE DOCUMENTATION
     Use the following link:
  7. ADDITIONAL USEFUL INFORMATION SOURCES
     Day One Booklets: http://www.juniper.net/us/en/community/junos/training-certification/day-one/
     Feature Explorer and Content Explorer: http://pathfinder.juniper.net/feature-explorer/ and http://www.juniper.net/techpubs/content-applications/content-explorer/
     Feature Support Reference Guide: https://www.juniper.net/techpubs/en_US/junos12.1/information-products/pathway-pages/security/feature-support-reference.html?chap-feature-support-tables.html
     SRX Knowledgebase (Jump Station): http://kb.juniper.net/KB15694
     SRX Knowledgebase (list of the latest SRX articles): http://kb.juniper.net/index?page=content&cat=SRX_SERIES&channel=KB
     SRX Application Notes: http://www.juniper.net/us/en/products-services/security/srx-series/#literature
     JUNOS Network Configuration Examples: http://www.juniper.net/techpubs/en_US/junos/information-products/pathway-pages/nce/index.html
     Juniper Forum:
     • Configuration Library: http://forums.juniper.net/t5/Configuration-Library/bd-p/ConfigLib
     • DayOne Tips: http://forums.juniper.net/t5/Day-One-Tips-Contest/bd-p/DayOneContest
  8. CONTROL PLANE AND DATA PLANE
  9. JUNOS SOFTWARE FEATURES (1 OF 2)
     JUNOS software for SRX-series services gateways includes the following elements:
     • JUNOS software as the base operating system
     • Session-based forwarding
     • Some ScreenOS-like security features
     Packet-based features:
     • Control plane OS
     • Routing protocols
     • Forwarding features: per-packet stateless filters, policers, CoS
     • J-Web
  10. JUNOS SOFTWARE FEATURES (2 OF 2)
     Session-based features:
     • Implements some ScreenOS features and functionality through the use of new daemons
     • The first packet of a flow triggers session creation based on: source and destination IP address, source and destination port, protocol, session token
     • Zone-based security features: a packet on the incoming interface is associated with the incoming zone; a packet on the outgoing interface is associated with the outgoing zone
     • Core security features: firewall, VPN, NAT, ALGs, IDP and SCREEN options
  11. CONTROL PLANE VERSUS DATA PLANE
     Control plane:
     • Implemented on the Routing Engine
     • JUNOS software kernel, daemons, chassis management, user interface, routing protocols, system monitoring, clustering control
     Data plane:
     • Implemented on the IOCs and SPCs
     • Forwarding packets, session setup and maintenance, load balancing, security policy, screen options, IDP, VPN
  12. LOGIN
  13. LOGIN
     Log in in the factory default state as user "root"; the password is empty. Set a root password before the device is connected to a production network.
       Amnesiac (ttyd0)
       login: root
       ********************************************************************
       **  Welcome to JUNOS:                                             **
       **  To run the console configuration wizard, please run the       **
       **  command 'config-wizard' at the 'root%' prompt.                **
       **  To enter the JUNOS CLI, please run the command 'cli'.         **
       ********************************************************************
       root@% cli
       root>
  14. LOGIN
     Non-root users are placed into the CLI automatically; the root user must start the CLI from the shell. Do not forget to exit the root shell after logging out of the CLI!
       switch (ttyu0)
       login: user
       Password:
       --- JUNOS 9.1R2.10 built 2008-07-01 04:34:43 UTC
       user@switch>                       (CLI prompt)

       switch (ttyu0)
       login: root
       Password:
       --- JUNOS 9.1R2.10 built 2008-07-01 04:34:43 UTC
       root@switch%                       (shell prompt)
       root@switch% cli
       root@switch>
  15. CLI BASICS
  16. CLI MODES
     Shell mode (when you log in as root): the % character identifies the shell prompt.
       root% cli
       root>
     Operational mode: the > character identifies operational mode.
       user@switch> configure
       [edit]
       user@switch#
     Configuration mode: the # character identifies configuration mode.
       user@switch# exit
       user@switch>
  17. CLI HIERARCHY
     Execute commands (mainly) from the default CLI level (user@switch>).
     • You can execute them from configuration mode with the run command.
     • Commands form a hierarchy that gets more specific from left to right.
       Example: show spanning-tree interface
         less specific:  clear | configure | help | monitor | set | show | etc.
                         show: interface | dot1x | spanning-tree | version | etc.
         more specific:  show spanning-tree: bridge | mstp | statistics | configuration | interface
  18. CLI EDITING
     EMACS-style editing sequences are supported; a VT100 terminal type also supports the arrow keys.
       Keyboard sequence   Cursor position
       Ctrl+a              beginning of the line
       Ctrl+e              end of the line
       Ctrl+b              back one character
       Ctrl+f              forward one character
  19. COMMAND AND VARIABLE COMPLETION
     The spacebar completes a command:
       user@host> sh<space>ow i<space>
       'i' is ambiguous.
       Possible completions:
         igmp          Show Internet Group Management Protocol...
         ike           Show Internet Key Exchange information
         interfaces    Show interface information
         ipsec         Show IP Security information
         isis          Show Intermediate System-to-Intermediate...
       user@host> show i
     Use the Tab key to complete an assigned variable:
       [edit policy-options]
       user@host# show policy-statement t<tab>his-is-my-policy
       then accept;
       [edit policy-options]
       user@host#
  20. CONTEXT-SENSITIVE HELP
     Type ? anywhere on the command line:
       user@host> ?
       Possible completions:
         clear         Clear information in the system
         configure     Manipulate software configuration information
         file          Perform file operations
         help          Provide help information
         . . .
       user@host> clear ?
       Possible completions:
         arp           Clear address resolution information
         bfd           Clear Bidirectional Forwarding Detection information
         bgp           Clear Border Gateway Protocol information
         firewall      Clear firewall counters
         . . .
  21. SHOW CURRENT CONFIGURATION
     ScreenOS style (set commands):
       root@J6350> show config | display set
       set version 9.3R2.8
       set system host-name J6350
       set system root-authentication encrypted-password "$1$QOLKoFKc$D/rIuLTkLP1BX9/GjQ.yN."
       set system name-server 172.30.80.65
       set system login user lab uid 2000
       set system login user lab class super-user
       ........
     JUNOS style (hierarchy):
       root@J6350> show config
       ## Last commit: 2009-03-18 10:27:20 UTC by lab
       version 9.3R2.8;
       system {
           host-name Demo-081-111-J6350;
           root-authentication {
               encrypted-password "$1$QOLKoFKc$D/rIuLTkLP1BX9/GjQ.yN."; ## SECRET-DATA
           }
           name-server {
               172.30.80.65;
           }
           login {
               user lab {
                   uid 2000;
                   class super-user;
       ........
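The two listings above are the same configuration in two notations. The converter below, an added example that is not code from the deck or from Juniper, turns the hierarchical form into the set form the way `| display set` does and can mask the values the device tags `## SECRET-DATA` (the sample configuration is a constructed, shortened copy of the slide's output):

```python
"""Convert Junos hierarchical (curly-brace) configuration into 'set' statements.

Added example, not code from the deck or from Juniper. It does by hand what the
SRX does with 'show configuration | display set' and can mask values the device
marks '## SECRET-DATA' (password hashes, pre-shared keys) so a configuration can
be pasted into a ticket or a diff without leaking them.
"""
import re
from typing import List

# Constructed sample: the curly-brace output from the slide, shortened.
SAMPLE_CONFIG = """\
## Last commit: 2009-03-18 10:27:20 UTC by lab
version 9.3R2.8;
system {
    host-name Demo-081-111-J6350;
    root-authentication {
        encrypted-password "$1$QOLKoFKc$D/rIuLTkLP1BX9/GjQ.yN."; ## SECRET-DATA
    }
    name-server {
        172.30.80.65;
    }
    login {
        user lab {
            uid 2000;
            class super-user;
        }
    }
}
"""

SECRET_TAG = "## SECRET-DATA"
# 'keyword [ a b c ]' lists become one set statement per element, as the CLI does.
LIST_RE = re.compile(r"^(?P<key>.*?)\s*\[\s*(?P<items>.*?)\s*\]$")


def _expand_list(statement: str) -> List[str]:
    """'members [ a b ]' -> ['members a', 'members b']; other statements unchanged."""
    m = LIST_RE.match(statement)
    if not m:
        return [statement]
    return [f"{m.group('key')} {item}" for item in m.group("items").split()]


def to_set(config: str, redact_secrets: bool = False) -> List[str]:
    """Return the configuration as a list of 'set ...' commands."""
    path: List[str] = []   # hierarchy we are currently inside, e.g. ['system', 'login']
    out: List[str] = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("##"):
            continue                     # blank lines and comment-only lines
        if line == "}":
            if not path:
                raise ValueError("unexpected '}' in configuration")
            path.pop()
            continue
        if line.endswith("{"):
            path.append(line[:-1].strip())
            continue
        secret = line.endswith(SECRET_TAG)
        if secret:
            line = line[: -len(SECRET_TAG)].strip()
        if line.endswith(";"):
            line = line[:-1].strip()
        if secret and redact_secrets:
            # keep the keyword so the structure stays visible, drop the value
            line = line.split(" ", 1)[0] + " <REDACTED>"
        for stmt in _expand_list(line):
            out.append(" ".join(["set", *path, stmt]))
    if path:
        raise ValueError("unbalanced braces: still inside " + "/".join(path))
    return out


if __name__ == "__main__":
    for cmd in to_set(SAMPLE_CONFIG, redact_secrets=True):
        print(cmd)
```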
  22. CONFIGURATION, CANDIDATE, COMMIT, ROLLBACK
  23. COMMANDS IN CONFIGURATION MODE (1)
  24. COMMANDS IN CONFIGURATION MODE (2)
  25. COPY/PASTE CONFIGURATIONS
     To paste and override the whole configuration:
       SRX# load replace terminal
       [Type ^D at a new line to end input]
       system {
       ........
     To paste and add pieces of configuration:
       SRX# load merge terminal <relative>
       [Type ^D at a new line to end input]
       system {
       ........
     To paste configuration written with "set" commands:
       SRX# load set terminal <relative>
       [Type ^D at a new line to end input]
       set system ....
  26. CONTROL AND FORWARDING PLANE OF A JUNOS ROUTER
  27. NETWORK
  28. INTERFACES
  29. INTERFACE NUMBERING
     Interface name = <interface type>-<slot>/<module>/<port>.<logical unit>; all numbers start at 0.
     Examples:
       ge-0/1/2.3   Gigabit Ethernet interface (slot 0, module 1, port 2, logical unit 3)
       fe-0/1/2.3   Fast Ethernet interface
       st0.0        first secure tunnel interface (VPN tunnel)
       lo0          first loopback interface
     For a list of interface types see http://www.juniper.net/techpubs/software/JUNOS/JUNOS96/swconfig-network-interfaces/frameset.html
     Wildcards: many commands accept wildcards in interface names, e.g.
       show interfaces ge-0/0/*
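A small parser for the naming scheme above, as an added example (not code from the deck or from Juniper); it also expands a wildcard such as `ge-0/0/*` over a constructed interface list the way the CLI does:

```python
"""Parse Junos interface names and expand the wildcards the CLI accepts.

Added example, not code from the deck or from Juniper. It splits a name such as
ge-0/1/2.3 into type, slot, module, port and logical unit, handles the names
without chassis position (lo0, st0.0, vlan.0, reth1.0), and filters a list of
names with a wildcard like 'ge-0/0/*' as 'show interfaces ge-0/0/*' would.
"""
import fnmatch
import re
from typing import Dict, List

# ge-0/1/2.3 style: type-slot/module/port[.unit]
PHYSICAL_RE = re.compile(
    r"^(?P<type>[a-z]+)-(?P<slot>\d+)/(?P<module>\d+)/(?P<port>\d+)(?:\.(?P<unit>\d+))?$")
# lo0, st0.0, reth1.0, vlan.0 style: type[index][.unit]
LOGICAL_RE = re.compile(r"^(?P<type>[a-z]+)(?P<index>\d*)(?:\.(?P<unit>\d+))?$")

# Constructed sample: the interfaces of a small branch box.
SAMPLE_INTERFACES = ["ge-0/0/0.0", "ge-0/0/1.0", "fe-0/0/2.0", "fe-0/0/3.0",
                     "ge-0/1/0.0", "st0.0", "lo0", "vlan.0"]


def _num(value: str) -> object:
    """Optional numeric field: None when the name does not carry it."""
    return int(value) if value else None


def parse_interface(name: str) -> Dict[str, object]:
    """Return the parts of an interface name (None where a part is absent)."""
    m = PHYSICAL_RE.match(name)
    if m:
        return {"type": m.group("type"), "slot": int(m.group("slot")),
                "module": int(m.group("module")), "port": int(m.group("port")),
                "index": None, "unit": _num(m.group("unit"))}
    m = LOGICAL_RE.match(name)
    if m:
        return {"type": m.group("type"), "slot": None, "module": None, "port": None,
                "index": _num(m.group("index")), "unit": _num(m.group("unit"))}
    raise ValueError(f"not a Junos interface name: {name!r}")


def select(names: List[str], pattern: str) -> List[str]:
    """Filter interface names with a CLI-style wildcard, e.g. 'ge-0/0/*'."""
    return [n for n in names if fnmatch.fnmatchcase(n, pattern)]


if __name__ == "__main__":
    print(parse_interface("ge-0/1/2.3"))
    print(select(SAMPLE_INTERFACES, "ge-0/0/*"))
```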
  30. SWITCHING
  31. SWITCHING ON FIREWALLS?
     • Switching features on the firewall can help to simplify the network by eliminating additional switches. This can be a commercial and management advantage, especially in small branch offices.
     • Switching is possible on Branch SRX models (SRX100 ... SRX650) and J-Series with uPIM modules.
     • Switching is not available (and not needed) on High-End SRX.
     • Switching is done in hardware. Full throughput can be achieved without consuming CPU performance.
     • Since JUNOS 10.0 the smaller SRX (100 ... 240) have switching enabled on all interfaces (except ge-0/0/0) in the factory default configuration.
  32. SWITCHING: DEFAULT CONFIGURATION ON SRX210 WITH JUNOS 10.0
       # An internal VLAN (vlan-trust) is defined to allow switching between several interfaces
       set vlans vlan-trust vlan-id 3
       # The interface vlan unit 0 is assigned to this VLAN as the Layer 3 interface in this VLAN
       set vlans vlan-trust l3-interface vlan.0
       # This Layer 3 interface has an IP address that is reachable from all hosts on its VLAN.
       # In branch deployments this is typically the gateway address.
       set interfaces vlan unit 0 family inet address 192.168.1.1/24
       # All physical interfaces of the SRX210 - except ge-0/0/0 - are assigned
       # to an interface-range with the name interfaces-trust
       set interfaces interface-range interfaces-trust member ge-0/0/1
       set interfaces interface-range interfaces-trust member fe-0/0/2
       set interfaces interface-range interfaces-trust member fe-0/0/3
       set interfaces interface-range interfaces-trust member fe-0/0/4
       set interfaces interface-range interfaces-trust member fe-0/0/5
       set interfaces interface-range interfaces-trust member fe-0/0/6
       set interfaces interface-range interfaces-trust member fe-0/0/7
       # The interface-range is assigned to the VLAN vlan-trust
       set interfaces interface-range interfaces-trust unit 0 family ethernet-switching vlan members vlan-trust
       # It's a firewall, so the interface is mapped to zone trust, where all services are enabled
       set security zones security-zone trust interfaces vlan.0
       set security zones security-zone trust host-inbound-traffic system-services all
       set security zones security-zone trust host-inbound-traffic protocols all
     Note that "host-inbound-traffic system-services all" exposes every management service of the device to the whole VLAN; once deployed, restrict it to the services actually needed.
  33. SWITCHING: ANOTHER CONFIGURATION EXAMPLE
       # Before you can add an interface to switching you probably have to remove existing assignments.
       # If there is an IP address assigned to the interface you have to remove it
       delete interfaces fe-0/0/2 unit 0 family inet
       # If the interface is a member of an interface-range in use, you have to untie it
       delete interfaces interface-range .... member fe-0/0/2
       # Specify a VLAN which will be used for switching
       set vlans VLAN-100 vlan-id 100
       # Configure Ethernet switching on the interfaces that are part of the VLAN.
       # The default for new switching interfaces is access mode (= untagged)
       set interfaces fe-0/0/2 unit 0 family ethernet-switching
       set interfaces fe-0/0/3 unit 0 family ethernet-switching
       # Assign these interfaces to the desired VLAN
       set vlans VLAN-100 interface fe-0/0/2.0
       set vlans VLAN-100 interface fe-0/0/3.0
       # Configure a VLAN interface with an IP address for this VLAN
       set interfaces vlan unit 100 family inet address 192.168.1.1/24
       # Assign this VLAN interface as the Layer 3 interface of this VLAN
       set vlans VLAN-100 l3-interface vlan.100
       # It's a firewall, so the VLAN interface must also be in a zone
       set security zones security-zone trust interfaces vlan.100
       # Allow services on the VLAN interface if desired
       set security zones security-zone trust interfaces vlan.100 host-inbound-traffic ....
  34. SWITCHING: TROUBLESHOOTING COMMANDS
       # Show which VLANs exist and which interfaces are assigned
       show vlans [detail]
       # History of MACs added and removed
       show ethernet-switching mac-learning-log
       # Current MAC table
       show ethernet-switching table
       # Current MAC table for a certain interface
       show ethernet-switching table interface fe-0/0/2
  35. ETHERNET SWITCHING ON BRANCH SRX: INTERFACES SUPPORTED
     Support matrix columns: Platform, On-Board, uPIM, MPIM, XPIM.
     Platforms: J2320, J2350, J4350, J6350, SRX100, SRX110, SRX210 *, SRX220 *, SRX240 *, SRX550 * **, SRX650 **
     * Ethernet switching support is planned for a future release for the 1 Gigabit Ethernet SFP MPIM on the SRX210, SRX220, SRX240 and SRX550.
     ** As of JUNOS OS Release 12.1, Ethernet switching is not supported on the 10G XPIM.
  36. REMARKS
     • The configuration syntax for all supported features is exactly the same as on the EX switches. The Feature Support Reference documentation explains which switching features are supported.
     • There are some dependencies on which ports can be used for switching (see documentation).
     • Before 11.1 switching was only applicable to single units. A commit in the cluster was only possible when all switching configuration was removed. The assumption was that HA cluster configurations are usually designed with external switches.
     • Since 11.1 switching is also supported on Branch SRX clusters and can even span the two cluster members. This requires an additional link between the two nodes.
  37. ROUTING
  38. STATIC ROUTES: CONFIGURATION
       # Host route
       set routing-options static route 10.2.2.1/32 next-hop 10.1.1.254
       # Network route
       set routing-options static route 10.2.2.0/24 next-hop 10.1.1.254
       # Default route
       set routing-options static route 0.0.0.0/0 next-hop 10.1.1.254
       # Route to an interface
       # Useful for point-to-point interfaces like pppoe, vpn-tunnel, gre-tunnel
       set routing-options static route 0.0.0.0/0 next-hop pp0.0
       set routing-options static route 10.1.1.0/24 next-hop st0.0
       # Route to another virtual router
       set routing-options static route 10.0.0.100/32 next-table Logging.inet.0
       # Example definition of the VR with the name Logging referenced above
       set routing-instances Logging instance-type virtual-router
       set routing-instances Logging interface ge-0/0/7.0
       # A network route to discard any traffic that did not hit a more specific route.
       # Black-hole routes can sometimes save performance for policy lookups or
       # avoid rerouting in case of interface failures (example: VPN is down)
       set routing-options static route 0.0.0.0/0 discard
  39. STATIC ROUTES: ROUTE FAILOVER WITH IP-MONITORING
       # Since 11.4 all Branch SRX support IP-Monitoring and automatic route failover.
       # Check out KB22052 for configuration details of a dual-ISP connection with RPM for
       # IP-Monitoring and filter-based forwarding for load distribution
       set services ip-monitoring policy Server-Tracking match rpm-probe Probe-Server
       # Installs the route in the first routing instance
       set services ip-monitoring policy Server-Tracking then preferred-route routing-instances FBF-1 route 0.0.0.0/0 next-hop 2.2.2.2
       set services ip-monitoring policy Server-Tracking1 match rpm-probe Probe-Server1
       # Installs the route in the second routing instance
       set services ip-monitoring policy Server-Tracking1 then preferred-route routing-instances FBF-2 route 0.0.0.0/0 next-hop 1.1.1.1
  40. STATIC ROUTES: MONITORING
       # Display the routing table
       root@J2300> show route
       inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
       + = Active Route, - = Last Active, * = Both

       0.0.0.0/0          *[Static/5] 01:13:15
                           > to 172.16.42.1 via fe-0/0/0.0
       10.2.2.0/24        *[Static/5] 00:00:05
                           > to 172.16.42.1 via fe-0/0/0.0
       172.16.42.0/24     *[Direct/0] 01:13:15
                           > via fe-0/0/0.0
       172.16.42.230/32   *[Local/0] 01:21:12
                             Local via fe-0/0/0.0
       224.0.0.9/32       *[RIP/100] 01:21:37, metric 1
                             MultiRecv
       # Route lookup for a certain destination
       root@J2300> show route 20.0.0.1
       # Routing table overview
       root@J2300> show route summary
       # Forwarding table (includes all active routes, visible to the data plane)
       root@J2300> show route forwarding-table
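The "show route" listing above can be parsed and queried offline, for instance to confirm which entry a destination resolves to and whether it lands on the discard route from the static-route slide. The following is an added example, not code from the deck or from Juniper; its sample output is constructed in the slide's format with an extra discard route:

```python
"""Parse 'show route' output and answer a lookup like 'show route <destination>'.

Added example, not code from the deck or from Juniper. It reads the text format
of the slide (a destination line followed by an indented next-hop line), keeps
the active routes, and does longest-prefix matching, including the case where
the best match is a discard (black-hole) route.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the slide's format, with an added discard route.
SAMPLE_OUTPUT = """\
inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 01:13:15
                    > to 172.16.42.1 via fe-0/0/0.0
10.2.2.0/24        *[Static/5] 00:00:05
                    > to 172.16.42.1 via fe-0/0/0.0
10.3.0.0/16        *[Static/5] 00:00:09
                      Discard
172.16.42.0/24     *[Direct/0] 01:13:15
                    > via fe-0/0/0.0
172.16.42.230/32   *[Local/0] 01:21:12
                      Local via fe-0/0/0.0
"""

ROUTE_RE = re.compile(r"^(?P<prefix>\S+/\d+)\s+(?P<active>[*+-]?)\[(?P<proto>\w+)/(?P<pref>\d+)\]")
NEXTHOP_RE = re.compile(r"(?:to\s+(?P<gw>\S+)\s+)?via\s+(?P<ifl>\S+)")


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    protocol: str
    preference: int
    active: bool
    gateway: Optional[str] = None      # next-hop address; None for direct/local routes
    interface: Optional[str] = None    # outgoing logical interface
    discard: bool = False              # black-hole route: matching packets are dropped


def parse_show_route(text: str) -> List[Route]:
    """Turn 'show route' text into Route objects (one table, IPv4)."""
    routes: List[Route] = []
    current: Optional[Route] = None
    for raw in text.splitlines():
        m = ROUTE_RE.match(raw)
        if m:
            current = Route(prefix=ipaddress.ip_network(m.group("prefix")),
                            protocol=m.group("proto"),
                            preference=int(m.group("pref")),
                            active=m.group("active") in ("*", "+"))
            routes.append(current)
            continue
        if current is None:
            continue                   # header lines before the first route
        detail = raw.strip()
        if detail.startswith("Discard"):
            current.discard = True
        else:
            nh = NEXTHOP_RE.search(detail)
            if nh:
                current.gateway = nh.group("gw")
                current.interface = nh.group("ifl")
    return routes


def lookup(routes: List[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match over the active routes, like 'show route <destination>'."""
    dest = ipaddress.ip_address(destination)
    best: Optional[Route] = None
    for r in routes:
        if not r.active or r.prefix.version != dest.version or dest not in r.prefix:
            continue
        if best is None or r.prefix.prefixlen > best.prefix.prefixlen:
            best = r
    return best


def forwarding_decision(routes: List[Route], destination: str) -> str:
    """Human-readable verdict: where the packet goes, or why it is dropped."""
    r = lookup(routes, destination)
    if r is None:
        return "no route: dropped"
    if r.discard:
        return f"{r.prefix}: discarded (black hole)"
    if r.gateway:
        return f"{r.prefix}: to {r.gateway} via {r.interface}"
    return f"{r.prefix}: direct via {r.interface}"


if __name__ == "__main__":
    table = parse_show_route(SAMPLE_OUTPUT)
    for dst in ("10.2.2.7", "10.3.9.9", "8.8.8.8"):
        print(dst, "->", forwarding_decision(table, dst))
```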
  41. OSPF CONFIGURATION
       # Enable OSPF on an interface
       set protocols ospf area 0.0.0.0 interface ge-0/0/0.0
       # And permit OSPF traffic into the zone of this interface (<zone-name> is a placeholder)
       set security zones security-zone <zone-name> host-inbound-traffic protocols ospf
       # Recommended: use a loopback interface
       set interfaces lo0 unit 0 family inet address 192.168.1.2/32
       set protocols ospf area 0.0.0.0 interface lo0.0 passive
       # Option: specify your own router-id
       set routing-options router-id 192.168.1.2
       # To get direct interface routes announced you can add them to OSPF in passive mode
       set protocols ospf area 0.0.0.0 interface vlan.100 passive
       # Option: negotiate graceful restart
       set routing-options graceful-restart
       # On SRX clusters, for RG0 failover you might have to extend the OSPF timers to survive
       # a dead interval of 5-20 seconds and also use the following setting:
       set protocols ospf graceful-restart no-strict-lsa-checking
  42. RIP CONFIGURATION
       # RIP requires a group; all interfaces are attached to this group
       set protocols rip group RIP neighbor ge-0/0/0.0
       set protocols rip group RIP neighbor ge-0/0/1.0
       # And permit RIP traffic into the zones of these interfaces
       set security zones security-zone TRUST host-inbound-traffic protocols rip
       # You can add IPsec tunnel interfaces with relaxed RIP update timers.
       # You can even work with tunnel interfaces with next-hop tunnel binding (NHTB)
       set protocols rip group RIP neighbor st0.0 interface-type p2mp
       set protocols rip group RIP neighbor st0.0 dynamic-peers
       set interfaces st0 unit 0 multipoint
       # Option: negotiate graceful restart
       set routing-options graceful-restart
       # Select the routes the RIP group advertises via a policy-options filter (applied as export policy)
       set policy-options policy-statement FILTER term a from route-filter 1.2.3.0/24 exact
       set policy-options policy-statement FILTER term a then accept
       set policy-options policy-statement FILTER term drop then reject
       set protocols rip group RIP export FILTER
  43. OSPF MONITORING
       # See neighbors and state
       root> show ospf neighbor
       Address          Interface      State    ID             Pri  Dead
       10.222.2.2       ge-0/0/11.0    Full     192.168.36.1   128    36
       # Link state database
       root> show ospf database
  44. OSPF IMPORT/EXPORT FILTER (POLICY-OPTIONS)
       # The OSPF default is to import everything (into the routing table) and to export routes only
       # from interfaces that are (active) members of the same OSPF area.
       # To export any other routes, or to filter inbound routes, you need routing policy filters.
       # Example filter to export all local static and all direct routes
       edit policy-options policy-statement ALL-LOCAL
       set term 1 from protocol direct
       set term 1 then accept
       set term 2 from protocol static
       set term 2 then accept
       top
       set protocols ospf export ALL-LOCAL
       # Example filter to export only a certain route (which must exist in the routing table)
       edit policy-options policy-statement JUST-ONE
       set term 1 from route-filter 172.10.0.0/16 exact
       set term 1 then metric 10
       set term 1 then accept
       top
       set protocols ospf export JUST-ONE
  45. BGP CONFIGURATION
       # Example configuration with two AS
       # Permit BGP traffic on the zone or interface(s) where you reach your peer(s)
       set security zones security-zone trust host-inbound-traffic protocols bgp
       # Recommended: use a loopback interface
       set interfaces lo0 unit 0 family inet address 1.1.1.2/32
       # Specify your own AS and your router-id
       set routing-options autonomous-system 1234
       set routing-options router-id 1.1.1.2
       # Specify peer(s)
       edit protocols bgp group UPSTREAM
       set local-address 1.1.1.2
       set peer-as 64005
       set local-as 64006
       set neighbor 1.1.1.1 export BGP-EXPORT-POLICY
       top
       # A policy for how to export the routes
       set policy-options policy-statement BGP-EXPORT-POLICY from protocol direct
       set policy-options policy-statement BGP-EXPORT-POLICY then accept
       # Option: set static routes that are not redistributed
       set routing-options static route 1.1.2.0/24 no-readvertise
       # Option: specify how to aggregate routes
       set routing-options aggregate route 1.1.1.1/20 [policy ...]
  46. BGP MONITORING
       show bgp neighbor
       show bgp summary
       show route summary
       # Which routes did we receive from a neighbor
       show route receive-protocol bgp <peer-ip>
       # Which routes do we send to a neighbor
       show route advertising-protocol bgp <peer-ip>
  47. IS-IS CONFIGURATION
       set interfaces ge-0/0/1 unit 0 family iso
       set interfaces ge-0/0/2 unit 0 family iso
       set interfaces lo0 unit 0 family iso address 49.0002.0002.0002.00
       set protocols isis interface ge-0/0/1.0
       set protocols isis interface ge-0/0/2.0
       set protocols isis interface lo0.0 passive
  48. TUNNEL INTERFACES
  49. TUNNEL INTERFACES: GRE - GENERIC ROUTING ENCAPSULATION
       # Typical use cases for GRE tunnels are
       # - OSPF over GRE with non-Juniper routers
       # - Multicast over GRE with non-Juniper routers
       set interfaces gr-0/0/0 unit 0 tunnel source 10.0.0.1
       set interfaces gr-0/0/0 unit 0 tunnel destination 10.0.0.2
       set interfaces gr-0/0/0 unit 0 family inet address 10.1.0.1/3
       set protocols ospf area 0.0.0.0 interface gr-0/0/0.0
       set security zones security-zone vpn host-inbound-traffic protocols ospf
       set security zones security-zone vpn interfaces gr-0/0/0.0
       # MTU adjustments might be necessary because the GRE default MTU is ~9000.
       # When fragmentation happens in a GRE tunnel there are two options for reassembly:
       # a) use IDP inspection on the traffic leaving the tunnel
       # b) since JUNOS 11.2 you can apply the following command:
       set security flow force-ip-reassembly
  50. TUNNEL INTERFACES: LOGICAL TUNNEL
       # A logical tunnel can be used like a physical wire between two interfaces of an SRX.
       # Typical use cases are:
       # - forwarding between a VR in packet mode and a VR in flow mode
       # - forwarding between VRs to apply two policies to one session
       # - Intra-LSYS traffic (all LSYS have one tunnel to LSYS0)
       # Logical tunnel interfaces
       set interfaces lt-0/0/0 unit 0 encapsulation ethernet
       set interfaces lt-0/0/0 unit 0 peer-unit 1
       set interfaces lt-0/0/0 unit 0 family inet
       set interfaces lt-0/0/0 unit 1 encapsulation ethernet
       set interfaces lt-0/0/0 unit 1 peer-unit 0
       set interfaces lt-0/0/0 unit 1 family inet
       # and now use them between two VRs
       set routing-instances r1 interface lt-0/0/0.0
       set routing-instances r2 interface lt-0/0/0.1
  51. TUNNEL INTERFACES: IP OVER IP
       # This example forwards all IPv6 traffic encapsulated in IPv4 to 10.19.3.1
       set interfaces ip-0/0/0 unit 0 tunnel source 10.19.2.1
       set interfaces ip-0/0/0 unit 0 tunnel destination 10.19.3.1
       set interfaces ip-0/0/0 unit 0 family inet6 address 7019::1/126
       set routing-options rib inet6.0 static route ::0/0 next-hop ip-0/0/0.0
  52. MULTICAST
  53. IPV4 MULTICAST CONFIGURATION (1)
       # IGMP allows receivers to join/leave a group:
       # Version 1 had join only and a 3-minute timeout
       # Version 2 (default) allows receiver join and leave
       # Version 3 allows joining and selecting the source IP of the sender
       set protocols igmp interface reth2.0 version 3
       # Enable PIM to communicate with multicast routers in the distribution tree
       set protocols pim interface reth1.0
       # Finding the rendezvous point
       # Option 1: static rendezvous point on another router
       set protocols pim rp static address 192.168.1.1
       # Option 2: we are the rendezvous point ourselves; in this case the loopback interface is best practice
       set interfaces lo0 unit 0 family inet address <IP-for-RP>/32
       set protocols pim rp local address <IP-for-RP>
       # Other options supported for RP selection: Anycast, Bootstrap, Auto-RP
       # Best practice for multicast routing: PIM Dense Mode with Anycast RP
       # Check the technote: Multicast Implementation Guide
  54. IPV4 MULTICAST CONFIGURATION (2)
       # Allow IGMP on all interfaces where we expect receivers to join
       set security zones security-zone A interfaces reth1.0 host-inbound-traffic protocols igmp
       set security zones security-zone B interfaces reth2.0 host-inbound-traffic protocols igmp
       # Allow PIM on all interfaces where we expect distribution routers
       set security zones security-zone A interfaces reth1.0 host-inbound-traffic protocols pim
       set security zones security-zone B interfaces reth2.0 host-inbound-traffic protocols pim
       # All interfaces can also be in a custom VR.
       # IGMP configuration is not in VR context
       set protocols igmp interface reth20.0 version 3
       set routing-instances VR-MCAST instance-type virtual-router
       edit routing-instances VR-MCAST
       set interface vlan.3
       set interface vlan.10
       set interface vlan.20
       set interface vlan.30
       set protocols igmp interface vlan.20
       set protocols pim rp local address 10.0.42.110
       set protocols pim interface vlan.10
       top
  55. IPV4 MULTICAST TROUBLESHOOTING
       # Monitoring
       show pim bootstrap [instance VR]
       show pim interfaces [instance VR]
       show pim join [instance VR]
       show pim mdt [instance VR]
       show pim neighbors [instance VR]
       show pim rps [instance VR]
       show pim source [instance VR]
       show pim statistics [instance VR]
       show igmp interface
       show igmp output-group
       show igmp statistics
       show multicast route
       show multicast rpf
       # tcpdump-style capture to watch PIM and IGMP packets
       monitor traffic interface vlan.10 no-resolve detail size 1500 matching "pim || igmp"
       # Debugging
       set protocols pim traceoptions file trace-pim
       set protocols pim traceoptions flag all
       set protocols igmp traceoptions file trace-igmp
       set protocols igmp traceoptions flag all
       # PIM to IGMP proxy
       show multicast pim-to-igmp-proxy
  56. IPV4 MULTICAST FURTHER INFORMATION
       # Best practice for multicast routing: PIM Dense Mode with Anycast RP
       # Check the technote: Multicast Implementation Guide
       # An IGMP proxy is not available, but pim-to-igmp-proxy is available
       set routing-options multicast pim-to-igmp-proxy upstream-interface ge-0/1/0.1
       # Important hint for multicast on SRX clusters:
       # disable IGMP snooping on the surrounding switches to avoid outages after failover
     Multicast configuration overview and examples:
     http://www.juniper.net/techpubs/en_US/junos12.1/information-products/pathway-pages/config-guide-multicast/config-guide-multicast.html#configuration
     Dense mode and debugging example:
     http://kb.juniper.net/InfoCenter/index?page=content&id=KB24781
     Multicast Implementation Guide (EX and MX):
     http://kb.juniper.net/library/CUSTOMERSERVICE/technotes/8010062-001-EN.pdf
  57. 57. 57 Copyright © 2011 Juniper Networks, Inc. www.juniper.net IPV6
  58. 58. 58 Copyright © 2011 Juniper Networks, Inc. www.juniper.net IPV6 CURRENT STATE (12.1) IPv6 firewalling - works in route mode with the following Features: - Policy/Zones/Flow/Fragment/HA/ [ FTP/TFTP/DNS ALG]/FW Auth - in Active/Passive Clusters since 10.0 - in Active/Active Clusters since 11.2 - IDP on Ipv6 in route mode since 11.4 - works in transparent mode with the following features since 11.4r3 Policy/Zones/Flow/Fragment/HA/ [ FTP/TFTP/DNS ALG]/FW Auth/Vlan Retagging/SNMP For more Details on IPv6 Feature Support in JUNOS 12.1 check this Documentation http://www.juniper.net/techpubs/en_US/junos12.1/topics/reference/general/security-feature-ipv6-support.html
  59. 59. 59 Copyright © 2011 Juniper Networks, Inc. www.juniper.net IPV6 DHCPV6 SERVER # DHCP-Server for Prefix Delegation is available on High-end-SRX # Example below offers prefix delegation only (no exact IP assignment) edit system services dhcp-local-server dhcpv6 set overrides interface-client-limit 100 set group GROUP1 interface ge-0/0/0.0 top edit access address-assignment pool TRUSTv6 family inet6 set prefix fd27:9816:dca8:1::/48 set range RANGE1 prefix-length 64 top # For exact IP assignment and DHCP Server assignment use these statements edit access address-assignment pool TRUSTv6 family inet6 set dhcp-attributes dns-server .... set dhcp-attributes options .... set range RANGE1 high ... set range RANGE1 low ... top
60. IPV6 DIAGNOSTICS
show interface terse
# shows two IPv6 addresses for each interface:
# 2001:........ = global address
# fe80:x:x:x = link local address
show route <table inet6.0>
show ipv6 neighbors
show ipv6 router-advertisement
# Interface traffic monitor, filtered to IPv6 only
monitor traffic interface ge-0/0/0.0 matching ip6 size 200 detail
# ping: the same command is used for IPv4 and IPv6
ping 2001:638:c:a057::1
# force ping over IPv6 for a DNS name
ping inet6 www.heise.de
# traceroute: same command as for IPv4
traceroute 2001:db8:0:6:202:b300:2215:595 source 2001:db8::5
# Monitoring the session table
show security flow session summary family [inet|inet6]
61. IPV6 DYNAMIC ROUTING WITH RIPNG
# Enable the RIPng listener on the following interfaces
edit protocols ripng
edit group NEIGHBORS
set neighbor ge-0/0/0.0
set neighbor ge-0/0/1.0
set neighbor fe-0/0/2.0
set neighbor fe-0/0/3.0
top
# If you want to export routes you need a route filter
edit policy-options policy-statement RIPNG-EXPORT
set term RIPNG from protocol ripng
set term RIPNG then accept
set term DIRECT from protocol direct
set term DIRECT from route-filter 2001:DB8::/32 orlonger
set term DIRECT then accept
top
# The route filter must be applied to the RIPng group
set protocols ripng group NEIGHBORS export RIPNG-EXPORT
# Monitoring
show route receive-protocol ripng
show route advertising-protocol ripng
show route protocol ripng
62. IPV6 DYNAMIC ROUTING WITH OSPFV3
# Introducing a loopback interface is best practice when using routing protocols
set interfaces lo0 unit 0 family inet address 10.0.0.210/32
# Specifying the router-id (as IPv4) is also recommended
set routing-options router-id 10.0.0.210
# Enable the OSPFv3 listener on the following interfaces
edit protocols ospf3
set area 0 interface lo0.0 passive
set area 0 interface ge-0/0/0.0
set area 0 interface ge-0/0/1.0
set area 0 interface fe-0/0/2.0
set area 0 interface fe-0/0/3.0
top
# Monitoring commands
show ospf3 neighbor
show ospf3 overview
show ospf3 route
show ospf3 statistics
63. IPV6 IMPROVED SECURITY
# Off-link malicious IPv6 nodes may spoof Neighbor Discovery messages to poison
# the router's ND cache. To mitigate, use
set protocols neighbor-discovery onlink-subnet-only
# A reload after commit is suggested to clear out any bogus neighbor entries in the cache
64. VLAN TRUNKING AND LINK AGGREGATION
65. VLAN TRUNKS
66. VLAN TRUNKS NOTES AND LIMITATIONS
• There are two possible approaches to configure VLAN trunks on SRX
  • As part of the "Switching" configuration (family ethernet-switching)
  • As part of the "Routing" configuration (family inet)
• "Switching" configuration
  • Allows switching between all interfaces that are part of a VLAN. The member interfaces can be tagged and/or untagged
  • Supported only on Branch SRX
  • Not supported on redundant interfaces of a cluster
• "Routing" configuration
  • Allows creating a sub interface and using it for routing
  • Supported on all SRX platforms
  • Supported also in cluster mode (can be applied to reth interfaces)
  • Supported also on aggregate interfaces
67. VLAN TRUNK CONFIGURATION EXAMPLE FAMILY "INET"
# Enable VLAN tagging on a physical interface
set interfaces ge-0/0/0 vlan-tagging
# Now we can create two sub interfaces on this physical interface
# Best practice: use the vlan-id also as the unit number
set interfaces ge-0/0/0 unit 11 vlan-id 11
set interfaces ge-0/0/0 unit 11 family inet address 10.0.11.1/24
set interfaces ge-0/0/0 unit 12 vlan-id 12
set interfaces ge-0/0/0 unit 12 family inet address 10.0.12.1/24
# The sub interfaces (one per VLAN) can be assigned to different zones
set security zones security-zone zone11 interfaces ge-0/0/0.11
set security zones security-zone zone12 interfaces ge-0/0/0.12
68. VLAN TRUNK CONFIGURATION EXAMPLE FAMILY "SWITCHING"
# Define all VLANs you want to participate in
set vlans VLAN-80 vlan-id 80
# For trunk ports which carry multiple VLANs use the following syntax
set interfaces xe-0/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces xe-0/0/0 unit 0 family ethernet-switching vlan members all
# For access ports which are untagged but mapped to a certain VLAN
# use the following syntax
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members <name>
# To create an RVI (routed virtual interface) to have an IP on a VLAN
set interfaces vlan unit 80 family inet address 80.0.0.1/24
# And assign this interface to the VLAN
set vlans VLAN-80 l3-interface vlan.80
69. LINK AGGREGATION AND LACP
70. LINK AGGREGATION ON BRANCH SRX NOTES AND LIMITATIONS
• Standalone units:
  • Link aggregation is possible by configuration of AE interfaces
  • AE interfaces are supported with family ethernet-switching since JUNOS 9.5
  • AE interfaces are supported with family inet since JUNOS 10.1r2
  • LACP on AE interfaces with family ethernet-switching is supported since JUNOS 9.5
  • LACP on AE interfaces with family inet is supported since JUNOS 10.2r2
• Chassis clusters (redundant interfaces)
  • Redundant interfaces (as required in clusters for failover) can have aggregate interfaces as members since JUNOS 10.3r2
  • Switching across members of an HA cluster is available since 11.2; this requires an additional link between the two Branch SRX
• Chassis clusters (private interfaces)
  • Private interfaces, which are only active on one cluster member, are possible in clusters
  • Private interfaces can still be aggregate interfaces (local LAG)
  • Private interfaces can not have member interfaces from both chassis at the same time. A configuration with member interfaces from different chassis might commit but it is not supported
71. LINK AGGREGATION ON DATACENTER SRX NOTES AND LIMITATIONS
• Standalone units
  • Link aggregation is possible by configuration of AE interfaces
  • Aggregated Ethernet interfaces are supported since JUNOS 10.0
  • Aggregated Ethernet interfaces can be used with family inet only
  • LACP support is available on High-End SRX since JUNOS 10.2r3
• Chassis clusters (redundant interfaces)
  • AE can not be used in a chassis cluster for redundant interfaces, but since JUNOS 10.1 there is another configuration available for link aggregation in chassis clusters.
  • This configuration can even span cluster members. Only interfaces on the active link will be used to receive and transmit data.
  • Check the Admin Guide for these "Redundant Ethernet Interface Link Aggregation Groups".
• Chassis clusters (private interfaces)
  • Private interfaces, which are only active on one cluster member, are possible in clusters
  • Private interfaces can still be aggregate interfaces (local LAG)
  • Private interfaces can not have member interfaces from both chassis at the same time. A configuration with member interfaces from different chassis might commit but it is not supported
72. LINK AGGREGATION ON A SINGLE UNIT
• Configuration example for an aggregate Ethernet interface
# Set the number of aggregated interfaces on this device/chassis
set chassis aggregated-devices ethernet device-count <number>
# Configure AE interfaces (ae0, ae1, ...)
# On High-End SRX AE interfaces can be members of family inet
# On Branch SRX AE interfaces can be members of family inet and family ethernet-switching
set interfaces <aex> unit 0 family inet address <ip address>
# Associate physical Ethernet interfaces with the AE
set interfaces <interface-name> gigether-options 802.3ad <aex>
# Minimum number of links required for this aggregate to be UP
set interfaces <aex> aggregated-ether-options minimum-links <n>
# LACP configuration (today only supported on Branch SRX)
set interfaces <aex> aggregated-ether-options lacp passive
73. LINK AGGREGATION ON A CHASSIS CLUSTER
• Configuration example for a redundant Ethernet interface
# On High-End SRX LAG support starts with 10.1r2, LACP starts with 10.2r3
# On some Branch SRX LAG support starts with 10.3r2, LACP also starts with 10.3r2
# Documentation: "Chassis Cluster Redundant Ethernet Interface Link Aggregation Groups"
set interfaces ge-1/0/1 gigether-options redundant-parent reth1
set interfaces ge-1/0/2 gigether-options redundant-parent reth1
set interfaces ge-1/0/3 gigether-options redundant-parent reth1
set interfaces ge-12/0/1 gigether-options redundant-parent reth1
set interfaces ge-12/0/2 gigether-options redundant-parent reth1
set interfaces ge-12/0/3 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options minimum-links 3
# From the network point of view, these are two independent aggregate interfaces.
# Only the interfaces on the active node are used for transmission
# Further LACP configuration can be added to the reth interface now
set interfaces reth1 redundant-ether-options lacp periodic fast
set interfaces reth1 redundant-ether-options lacp passive
set interfaces reth1 redundant-ether-options lacp active
74. LINK AGGREGATION ON DATACENTER SRX
Extend lacpd to support RETHs with JUNOS 10.2
• Hitless RG failover for transit traffic
• Handle active/standby LAGs independently and simultaneously
• Support: a reth is connected to two switches
• Support: a reth is connected to one single switch
• At the remote side: active LAG and standby LAG each shall be terminated at an AE or equivalent (same as 10.1)
[Diagram: Cluster 1 with SRX 5600 HA Node 0 and HA Node 1 forming reth0 (RLAG); the active LAG terminates on ae0 of one switch/router, the standby LAG on ae1 of another switch/router]
75. LINK REDUNDANCY
76. IP MONITORING & FAILOVER WITH RPM
# Since 11.4r2 Branch SRX allows RPM to be used to monitor reachability of a destination
# and, in response to PASS or FAIL, fail over a route or an interface
# Configure probes for the user-defined probe PING-PROBE
# Example: test SERVER1 checks if the server responds to ping
edit services rpm probe PING-PROBE test SERVER1
set probe-type icmp-ping
set target address 192.168.42.1
set probe-count 5
set probe-interval 5
set thresholds successive-loss 5
set test-interval 10
top
edit services ip-monitoring policy FAILOVER-Policy
set match rpm-probe PING-PROBE
# The admin state of a backup interface can be enabled if the RPM probe fails on the primary
# If the normal condition is restored the backup interface is disabled again
set then interface ge-0/0/1.0 enable
top
# Monitoring of the ip-monitoring feature
show services ip-monitoring status
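The interaction between the RPM test thresholds and the ip-monitoring action above, as an added, simplified model that is not Junos code and not part of the original deck: the probe-count, successive-loss threshold, backup interface name and the enable-on-FAIL/disable-on-PASS behaviour are taken from the slide, the probe results are constructed.

```python
from dataclasses import dataclass, field

# Constructed, simplified model of the slide's RPM test (probe PING-PROBE, test SERVER1)
# and the ip-monitoring policy FAILOVER-Policy. Real RPM timing (probe-interval,
# test-interval) is not modelled; only the loss threshold and the resulting action.

@dataclass
class RpmTest:
    probe_count: int = 5        # 'set probe-count 5': probes sent per test round
    successive_loss: int = 5    # 'set thresholds successive-loss 5': this many lost in a row -> FAIL

@dataclass
class IpMonitoringPolicy:
    backup_interface: str = "ge-0/0/1.0"   # 'set then interface ge-0/0/1.0 enable'
    backup_enabled: bool = False           # admin state of the backup interface
    log: list = field(default_factory=list)

def evaluate_round(replies, test):
    """One RPM test round. replies: list of True (echo reply seen) / False (probe lost).
    Returns 'FAIL' as soon as successive_loss probes in a row are lost, otherwise 'PASS'."""
    if len(replies) != test.probe_count:
        raise ValueError(f"expected {test.probe_count} probe results, got {len(replies)}")
    streak = 0
    for ok in replies:
        streak = 0 if ok else streak + 1
        if streak >= test.successive_loss:
            return "FAIL"
    return "PASS"

def apply_policy(policy, status):
    """FAIL enables the backup interface; PASS (normal condition restored) disables it again."""
    policy.backup_enabled = (status == "FAIL")
    policy.log.append((status, policy.backup_interface, policy.backup_enabled))
    return policy.backup_enabled

def simulate(rounds, test=None, policy=None):
    """Run several test rounds; return the backup interface admin state after each round."""
    test = test or RpmTest()
    policy = policy or IpMonitoringPolicy()
    return [apply_policy(policy, evaluate_round(r, test)) for r in rounds]

if __name__ == "__main__":
    # constructed probe history: healthy, outage, outage, recovered
    rounds = [[True] * 5, [False] * 5, [False] * 5, [True] * 5]
    print(simulate(rounds))   # [False, True, True, False]
```

Note that with probe-count 5 and successive-loss 5 only a round in which every probe is lost fails; a lower successive-loss value fails the test earlier in the round.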
77. BLACKHOLE FORWARDING DETECTION
# BFD, available in OSPF/BGP
# Useful for link availability tests with aggressive timing (failover within 300 msec)
# Detect an OSPF link failure after 3 x 500 msec
edit protocols ospf area 0.0.0.0 interface ge-0/0/0.0
set bfd-liveness-detection minimum-interval 500
set bfd-liveness-detection multiplier 3
set bfd-liveness-detection full-neighbors-only
top
# Detect a BGP link failure
edit protocols bgp bfd-liveness-detection
set minimum-interval 800
set multiplier 3
set transmit-interval minimum-interval 150
set transmit-interval threshold 500
set detection-time threshold 200
set holddown-interval 5
top
78. FLOW LOAD BALANCING WITH EQUAL COST MULTIPATH ROUTING
# ECMP for flows is supported on SRX since JUNOS 12.1
# Add multiple routes to the same destination
set routing-options static route 26.0.0.0/8 next-hop 23.0.54.111
set routing-options static route 26.0.0.0/8 next-hop 24.0.44.101
set routing-options static route 26.0.0.0/8 next-hop 25.0.44.106
# Usually only one of these routes would show up in the forwarding table.
# We need a policy statement to enable per-packet load balancing.
# On SRX this statement in reality enforces per-flow balancing
set policy-options policy-statement LBP then load-balance per-packet
# And we must apply this policy to the forwarding table
set routing-options forwarding-table export LBP
# The forwarding table now shows several routes to the same destination
user@host> show route forwarding-table
Routing table: default.inet
Internet:
Destination        Type RtRef Next hop         Type Index NhRef Netif
...
26.0.0.0/8         user     0 23.0.54.111      rslv     0     1 ge-0/0/4.0
26.0.0.0/8         user     0 24.0.44.101      rslv     0     1 ge-0/0/6.0
26.0.0.0/8         user     0 25.0.44.106      rslv     0     1 ge-0/0/7.0
# Finally we might influence the hashing algorithm (layer-3 = IP addresses only, layer-4 = TCP/UDP ports too)
set forwarding-options hash-key family inet layer-3
set forwarding-options hash-key family inet layer-4
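How the hash key choice changes the per-flow distribution over the three next hops above, as an added example that is not Junos code and not part of the original deck. The next hops and interfaces are the slide's; the hash function is a constructed stand-in (the real PFE hash is not described on the slide), and the flows are constructed.

```python
import hashlib

# Constructed model of ECMP flow balancing on the slide's three equal-cost next hops.
# Selection is per flow: every packet of a flow hashes to the same next hop, so a
# session never changes path. With hash-key layer-3 only the addresses feed the hash;
# with layer-4 protocol and ports are included as well.
NEXT_HOPS = [
    ("23.0.54.111", "ge-0/0/4.0"),
    ("24.0.44.101", "ge-0/0/6.0"),
    ("25.0.44.106", "ge-0/0/7.0"),
]

def flow_key(src, dst, proto, sport, dport, layer):
    """Fields that enter the hash for the configured 'forwarding-options hash-key'."""
    if layer == "layer-3":
        fields = (src, dst)
    elif layer == "layer-4":
        fields = (src, dst, proto, sport, dport)
    else:
        raise ValueError("hash-key family inet must be layer-3 or layer-4")
    return "|".join(str(f) for f in fields)

def select_next_hop(src, dst, proto, sport, dport, layer="layer-3", next_hops=NEXT_HOPS):
    """Deterministic per-flow choice among the equal-cost next hops (constructed hash)."""
    key = flow_key(src, dst, proto, sport, dport, layer).encode()
    digest = hashlib.sha256(key).digest()
    return next_hops[int.from_bytes(digest[:4], "big") % len(next_hops)]

def distribute(flows, layer):
    """Return {egress interface: number of flows} for a list of (src, dst, proto, sport, dport)."""
    counts = {nh[1]: 0 for nh in NEXT_HOPS}
    for f in flows:
        counts[select_next_hop(*f, layer=layer)[1]] += 1
    return counts

def busy_interfaces(flows, layer):
    """Number of egress interfaces that actually carry at least one flow."""
    return sum(1 for n in distribute(flows, layer).values() if n > 0)

if __name__ == "__main__":
    # constructed: one client opening 60 TCP connections to one server in 26.0.0.0/8
    flows = [("10.1.1.7", "26.1.2.3", "tcp", 40000 + i, 443) for i in range(60)]
    print("layer-3:", distribute(flows, "layer-3"))   # all 60 on one interface
    print("layer-4:", distribute(flows, "layer-4"))   # spread over the interfaces
```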
79. VRRP CONFIGURATION
# VRRP allows failing over an interface between two devices which are not a cluster
# Typical use case: primary and backup Internet access device (each with its own WAN link)
# Remember that a VRRP pair does not sync sessions: all sessions must be re-established
# VRRP - node 0
edit interfaces fe-0/0/7 unit 0 family inet address 192.168.0.101/24 vrrp-group 150
set virtual-address 192.168.0.150
set priority 100
set no-preempt
set authentication-type md5
set authentication-key secret
top
# VRRP - node 1
edit interfaces fe-0/0/7 unit 0 family inet address 192.168.0.102/24 vrrp-group 150
set virtual-address 192.168.0.150
set priority 110
set no-preempt
set authentication-type md5
set authentication-key secret
top
# VRRP troubleshooting
run show vrrp summary
run show vrrp interface fe-0/0/7
80. TRANSPARENT MODE
81. TRANSPARENT MODE OR BRIDGE MODE NOTES AND LIMITATIONS
• Transparent/bridge mode on Datacenter SRX
  • Transparent mode in A/P clusters is supported since JUNOS 9.6
  • Transparent mode in A/A clusters is supported since JUNOS 10.0
  • An interface can either be in trunk mode or in access mode
  • VLAN retagging is possible, and requires a per-interface statement
  • Link aggregation on reth interfaces in transparent mode is supported since 11.4r1
  • IDP is supported in A/P since 11.2
• Transparent/bridge mode on Branch SRX
  • Transparent mode in A/P clusters is supported since JUNOS 11.2
  • Interfaces can only be in access mode
  • Management access requires definition of an IRB interface as member of one bridge domain
• Today (12.1) a firewall can either be in pure Layer 2 mode or in Layer 3 routed mode, no mix
• During a cluster failover the physical links on the inactive machine will get bumped (L1 down for some seconds and then up again) to clear the CAM tables on the attached switches.
• A number of features are not available/supported in transparent mode (12.1):
  • NAT, IPsec VPN, GRE, Lsys, VR for IRB, L3/L4 classification for QoS (but 802.1q)
82. TRANSPARENT MODE / BRIDGE MODE EXAMPLE 1: TWO UNTAGGED INTERFACES
# A bridge domain is used to define which interfaces share a MAC table
set bridge-domains BD1 domain-type bridge
set bridge-domains BD1 vlan-id 10
set bridge-domains BD1 interface ge-0/0/0.0
set bridge-domains BD1 interface ge-0/0/1.0
# This example uses 2 untagged interfaces
set interfaces ge-0/0/0 unit 0 family bridge interface-mode access
set interfaces ge-0/0/0 unit 0 family bridge vlan-id 10
set interfaces ge-0/0/1 unit 0 family bridge interface-mode access
set interfaces ge-0/0/1 unit 0 family bridge vlan-id 10
# Reuse zones trust and untrust
set security zones security-zone trust host-inbound-traffic system-services ssh
# Bind the interfaces to the zones
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/1.0
# For management access, you must attach an irb interface to a bridge domain
set interfaces irb unit 0 family inet address 1.1.1.0/24
set bridge-domains BD1 routing-interface irb.0
83. TRANSPARENT MODE / BRIDGE MODE EXAMPLE 2: MIXED TAGGED AND UNTAGGED INTERFACES
# A bridge domain is used to define which interfaces share a MAC table
set bridge-domains BD1 domain-type bridge
set bridge-domains BD1 vlan-id X   # could also be set to "none"
set bridge-domains BD1 interface xe-1/0/0.0
set bridge-domains BD1 interface xe-2/0/0.0
# Example for a trunk mode interface (on Datacenter SRX)
set interfaces ge-0/0/10 vlan-tagging
set interfaces ge-0/0/10 native-vlan-id 10
set interfaces ge-0/0/10 unit 0 family bridge interface-mode trunk
set interfaces ge-0/0/10 unit 0 family bridge vlan-id-list 40-50
# Untagged traffic on a trunk mode interface is mapped to the native VLAN
# Example for an interface in access mode
set interfaces ge-0/0/11 unit 0 family bridge interface-mode access
set interfaces ge-0/0/11 unit 0 family bridge vlan-id 40
# Create a layer2 zone and define the permitted system services
set security zones security-zone layer2 host-inbound-traffic system-services ssh
# Bind the interface to the zone
set security zones security-zone layer2 interfaces ge-0/0/10.0
# For management access, you must attach an irb interface to a bridge domain
set interfaces irb unit 0 family inet address 1.1.1.0/24
set bridge-domains BD1 routing-interface irb.0
84. TRANSPARENT MODE / BRIDGE MODE HINTS AND MONITORING
# By default, family bridge allows forwarding of IPv4 unicasts and L2 broadcasts
# The following statement allows other traffic too (CDP, STP, ...)
# IPv6 forwarding in transparent mode is currently planned for 11.4r4 (DC-SRX only)
set security flow bridge bypass-non-ip-unicast
# Full documentation for transparent mode
https://www.juniper.net/techpubs/en_US/junos12.1/information-products/pathway-pages/security/security-layer2-bridging-transparent-mode.html#configuration
# Monitoring commands
show bridge-domains
show protocols l2-learning
85. FIREWALL
86. PACKET FLOW
87. SECURITY SERVICES PACKET WALK
1) Pull packet from queue
2) Police packet
3) Filter packet
4) Session lookup
5a) No existing session
• FW screen check
• Static and destination NAT
• Route lookup
• Destination zone lookup
• Policy lookup
• Reverse static and source NAT
• Setup ALG vector
• Install session
5b) Established session
• FW screen check
• TCP checks
• NAT translation
• ALG processing
6) Filter packet
7) Shape packet
8) Transmit packet
[Diagram: per-packet filter and policer in front of the JUNOS flow module, per-packet filter and shaper behind it. "Match session?" NO: Screens -> Static NAT -> Dest NAT -> Route -> Zones -> Policy -> Reverse Static NAT -> Source NAT -> Services -> Session. YES: Screens -> TCP -> NAT -> Services]
88. SECURITY SERVICES PACKET WALK
[Diagram: the JUNOS flow module of the previous slide (Screens, Static NAT, Dest NAT, Route, Zones, Policy, Reverse Static NAT, Source NAT, Services, Session; existing session: Screens, TCP, NAT, Services), with the Services block expanded into the services module: ALG module, AppID (packet), IDP (packet), SSL Proxy, AppID (stream), IDP (stream), ALG, UTM, AppFW, UserFW]
89. ZONES
90. ZONES AND INTERFACES
# Zone names are useful to map existing segmentation
# Typical zone names are derived from areas with the same trust level (trust/untrust) or
# from department names (development, production, ...)
# Interfaces will not forward any traffic until they are assigned to a zone
# Each interface can only be mapped to one zone
# All interfaces in the same zone must be mapped to the same VR
# Assign an IPv4 address to an interface
set interfaces ge-0/0/1 unit 0 family inet address 192.168.20.2/24
# Create custom zones
set security zones security-zone DEVELOPMENT
set security zones security-zone VPN
# Assign an interface to a zone
set security zones security-zone VPN interfaces st0.0
91. OBJECTS & POLICIES
92. OBJECT AND POLICIES OVERVIEW
Current state and changes over time
• Global policies and address objects are available since JUNOS 11.4
• Logging: To enable logging for permit rules use "set then log session-close". To enable logging for deny/reject rules use "set then log session-init"
• Counting: Counting with "per time statistics" can be activated per policy (the number of policies is limited). Since JUNOS 12.1 there is a hit counter tracked by default for every policy
• Description: Since JUNOS 12.1 policies can have a description
• Nested groups (groups of groups) are supported since JUNOS 11.2. Before 11.2 NSM could be used to create nested groups
• DNS resolution: DNS names can be resolved either at object creation time or repeatedly during usage
• Wildcard mask: Bitmasks for address objects are supported since JUNOS 11.1
• Ranges: Address ranges are not available in JUNOS today (12.1)
• Negation: Negated address objects are not available in JUNOS today (12.1)
93. ADDRESS OBJECTS AND GROUPS (JUNOS <11.2)
set security zones security-zone trust address-book address NET10 10.1.1.0/24
set security zones security-zone trust address-book address HOST10 10.1.1.1/32
# We can also use DNS names, there are two ways
edit security zones security-zone trust address-book
# Resolve the address once at commit time
set address JUNIPER-FIX www.juniper.net
# Resolve dynamically when the policy is used (cached for 24 hours)
set address JUNIPER-DNS dns-name www.juniper.net
top
# Groups of addresses are referenced as address sets
edit security zones security-zone trust address-book address-set ALL10
set address NET10
set address HOST10
top
# JUNOS >=11.1 also supports wildcard address masks with non-contiguous bitmasks
# for IPv4. The first octet of the mask must be greater than 128
set security zones security-zone trust address-book address SERVER4 10.0.0.4/255.0.0.255
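What a wildcard address object such as SERVER4 actually matches, as an added example that is not Junos code and not part of the original deck: it compares only the bits set in the mask and enforces the slide's rule that the first octet of the mask must be greater than 128. The entry 10.0.0.4/255.0.0.255 is the slide's; the candidate addresses are constructed.

```python
import ipaddress

# Constructed helper for JUNOS-style wildcard address objects (address/mask with a
# possibly non-contiguous mask). 'mask' bits set to 1 are compared, bits set to 0 are ignored.

def parse_wildcard(entry):
    """Split 'address/mask' into (address, mask) as integers.
    Raises ValueError for malformed input and for a mask rejected by the rule on the slide
    (first octet of the wildcard mask must be greater than 128)."""
    try:
        addr_s, mask_s = entry.split("/")
        addr = int(ipaddress.IPv4Address(addr_s))
        mask = int(ipaddress.IPv4Address(mask_s))   # a prefix length such as '24' is rejected here
    except (ValueError, ipaddress.AddressValueError) as exc:
        raise ValueError(f"bad wildcard entry {entry!r}: {exc}") from None
    first_octet = mask >> 24
    if first_octet <= 128:   # rule as stated on the slide; 128 itself is treated as invalid here
        raise ValueError(f"first octet of wildcard mask must be greater than 128, got {first_octet}")
    return addr, mask

def is_valid_wildcard(entry):
    """True if the entry passes parse_wildcard without error."""
    try:
        parse_wildcard(entry)
        return True
    except ValueError:
        return False

def is_contiguous(mask):
    """True for an ordinary prefix mask (ones followed by zeros), False for a real wildcard mask."""
    inverted = (~mask) & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0

def wildcard_match(entry, ip):
    """True if ip matches the address object: only the mask's one-bits are compared."""
    addr, mask = parse_wildcard(entry)
    return (int(ipaddress.IPv4Address(ip)) & mask) == (addr & mask)

def matching_hosts(entry, candidates):
    """Filter a list of candidate addresses down to those the object would match."""
    return [ip for ip in candidates if wildcard_match(entry, ip)]

if __name__ == "__main__":
    server4 = "10.0.0.4/255.0.0.255"   # every host ending in .4 inside 10/8
    hosts = ["10.1.1.4", "10.200.31.4", "10.1.1.5", "11.0.0.4"]   # constructed
    print(matching_hosts(server4, hosts))   # ['10.1.1.4', '10.200.31.4']
    print(is_contiguous(parse_wildcard(server4)[1]))   # False
```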
94. ADDRESS OBJECTS AND GROUPS (JUNOS >=11.2)
# Since JUNOS 11.2 address book entries can either use the old stanza
set security zones security-zone trust address-book address NET10 10.1.1.0/24
# Or it is possible to create ALL objects as zone-independent address book entries
set security address-book global address NET10 10.1.1.0/24
# JUNOS op scripts exist to convert from the old to the new format and back
https://www.juniper.net/us/en/community/junos/script-automation/library/
# If both formats are used in one configuration, the configuration can not be committed
# NSM supports global policies with version 2012.1
# Space Security Design supports global policies since version 12.1
# J-Web supports global address objects and global policies since 11.4
95. SERVICE OBJECTS
# Create custom service objects
# Default TCP timeout is 1800 sec.
# Default timeout for other protocols is 60 sec.
set applications application my-ssh protocol tcp
set applications application my-ssh destination-port 22
set applications application my-ssh inactivity-timeout 3600
# Alternative: the same service object defined with a term
set applications application my-ssh term ssh protocol tcp
set applications application my-ssh term ssh destination-port 22
set applications application my-ssh term ssh inactivity-timeout 3600
# A number of service definitions is already built in, starting with junos-xxxx
# To see them you can use one of the following commands
show configuration groups junos-defaults applications
top show groups junos-defaults | match application | match junos
# They also appear when you use Tab completion while writing policies
set security policies from-zone trust to-zone untrust policy X match application ?
96. ZONE BASED FIREWALL POLICIES (1)
# Create a new policy with the name "FIRST"
edit security policies from-zone untrust to-zone trust policy FIRST
set match source-address any
set match destination-address any
set match application any
set then permit
# Since JUNOS 12.1 you can add a description for this policy
set description "First Policy created here"
top
# Insert a second policy "NEW"
edit security policies from-zone untrust to-zone trust policy NEW
set match source-address any
set match destination-address NET10
set match application any
set then permit
top
# New policies are always added at the end
# To move the "NEW" policy before the "FIRST" policy
insert security policies from-zone untrust to-zone trust policy NEW before policy FIRST
97. ZONE BASED FIREWALL POLICIES (2)
# By default all traffic that is not permitted by a policy is denied (without logging)
# There is a command to change this; recommended only for testing!
set security policies default-policy permit-all
# Policy actions can be permit/deny/reject.
# deny means silent drop, reject creates response packets to the initiator:
# for UDP traffic "ICMP port unreachable"
# for TCP traffic "TCP RST"
# Monitor commands
show security policies
show security flow session
# Policy lookup is available on the CLI and in the Web UI since JUNOS 10.3
show security match-policies ....
98. GLOBAL FIREWALL POLICIES
# Beginning with JUNOS 11.4 policies can be specified as global policies
# These policies must always reference global address objects
# Policy lookup order is:
# a) zone-to-zone
# b) global
# c) default policy
# NSM can not manage global policies and objects
# For JUNOS Space global policy support is currently planned for release 12.1
set security address-book global address SERVER1 1.1.1.1
set security address-book global address SERVER2 2.2.2.2
set security policies global policy GP1 match source-address SERVER1
set security policies global policy GP1 match destination-address SERVER2
set security policies global policy GP1 match application junos-ftp
set security policies global policy GP1 then deny
set security policies global policy GP2 match source-address SERVER1
set security policies global policy GP2 match destination-address SERVER2
set security policies global policy GP2 match application any
set security policies global policy GP2 then permit
# Count per-zone and global policies
show security policies zone-context
99. GLOBAL POLICIES
Global policies take lower precedence than zone-specific policies. If a matching zone-based policy is found, the global policies are not evaluated.
[Diagram: zone policy lookup in the from-zone/to-zone context (ordered lookup Policy 1 ... Policy N); on "No match", global policy lookup (ordered lookup Policy 1 ... Policy M)]
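The lookup order of the preceding slides (zone-to-zone context first, then global policies, then the default policy), together with the "insert before" reordering and the deny/reject difference, as an added model that is not Junos code and not part of the original deck. Policy names, address objects and actions are the slides' examples (FIRST, NEW, NET10, GP1, GP2, SERVER1, SERVER2); the packets looked up are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of SRX policy lookup. Application matching is simplified to a name
# comparison ("any" or the exact built-in application name such as junos-ftp).

@dataclass
class Policy:
    name: str
    source: str          # address object name or "any"
    destination: str
    application: str     # e.g. junos-ftp, or "any"
    action: str          # permit | deny | reject

@dataclass
class SecurityPolicies:
    address_book: dict                                   # global address book: name -> IPv4 network
    zone_policies: dict = field(default_factory=dict)    # (from_zone, to_zone) -> [Policy]
    global_policies: list = field(default_factory=list)
    default_policy: str = "deny"                         # 'default-policy permit-all' would flip this

    def add_zone_policy(self, from_zone, to_zone, policy):
        """New policies are always appended at the end of their zone context."""
        self.zone_policies.setdefault((from_zone, to_zone), []).append(policy)

    def insert_before(self, from_zone, to_zone, name, before):
        """'insert security policies from-zone A to-zone B policy NAME before policy BEFORE'."""
        ctx = self.zone_policies[(from_zone, to_zone)]
        moving = next(p for p in ctx if p.name == name)
        ctx.remove(moving)
        ctx.insert(next(i for i, p in enumerate(ctx) if p.name == before), moving)

    def _addr_matches(self, obj, ip):
        return obj == "any" or ipaddress.ip_address(ip) in self.address_book[obj]

    def _matches(self, p, src, dst, app):
        return (self._addr_matches(p.source, src)
                and self._addr_matches(p.destination, dst)
                and p.application in ("any", app))

    def lookup(self, from_zone, to_zone, src, dst, app):
        """Return (policy name, action, stage). First match wins inside each ordered list;
        global policies are only consulted when no zone-context policy matched."""
        for p in self.zone_policies.get((from_zone, to_zone), []):
            if self._matches(p, src, dst, app):
                return p.name, p.action, "zone"
        for p in self.global_policies:
            if self._matches(p, src, dst, app):
                return p.name, p.action, "global"
        return "default-policy", self.default_policy, "default"

def reject_response(action, protocol):
    """What the initiator sees: deny is a silent drop, reject answers with
    TCP RST for TCP and ICMP port unreachable for UDP."""
    if action != "reject":
        return None
    return "TCP RST" if protocol == "tcp" else "ICMP port unreachable"

def build_example():
    """The policies from the slides, in the order the slides create them."""
    book = {
        "SERVER1": ipaddress.ip_network("1.1.1.1/32"),
        "SERVER2": ipaddress.ip_network("2.2.2.2/32"),
        "NET10": ipaddress.ip_network("10.1.1.0/24"),
    }
    sp = SecurityPolicies(address_book=book)
    sp.add_zone_policy("untrust", "trust", Policy("FIRST", "any", "any", "any", "permit"))
    sp.add_zone_policy("untrust", "trust", Policy("NEW", "any", "NET10", "any", "permit"))
    sp.insert_before("untrust", "trust", "NEW", "FIRST")
    sp.global_policies += [
        Policy("GP1", "SERVER1", "SERVER2", "junos-ftp", "deny"),
        Policy("GP2", "SERVER1", "SERVER2", "any", "permit"),
    ]
    return sp

if __name__ == "__main__":
    sp = build_example()
    # zone policy FIRST (permit any) wins over the global deny GP1 for the same flow
    print(sp.lookup("untrust", "trust", "1.1.1.1", "2.2.2.2", "junos-ftp"))
    # no zone context for dmz->trust, so the global policies decide
    print(sp.lookup("dmz", "trust", "1.1.1.1", "2.2.2.2", "junos-ftp"))
```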
100. FIREWALL POLICY MONITORING AND USAGE TRACKING (1/2)
# Counting can be enabled on a limited number of policies. Counting includes
# input/output bytes & packets, session rate, active & deleted sessions, policy lookups
edit security policies from-zone trust to-zone untrust policy pol-01
set then count
top
# To monitor the policy counters use
run show security policies from-zone trust to-zone untrust policy-name pol-01 detail
# Alarms can be enabled per policy to generate alerts if usage exceeds thresholds
edit security policies from-zone trust to-zone untrust policy pol-01
set then count alarm per-minute-threshold 1000
set then count alarm per-second-threshold 50
top
# To monitor the policy alerts use
run show security alerts
101. FIREWALL POLICY MONITORING AND USAGE TRACKING (2/2)
# Security policy overview (hidden until 12.1)
show security policies information
# Since JUNOS 10.3 there is a security policy lookup to predict the policy decision
# The query goes directly to the forwarding plane for evaluation
show security match-policies ....
# Until 11.4 usage statistics are only available if counting is enabled (see previous page)
show security policies detail
# JUNOS 12.1 introduces usage tracking of firewall policies independent of counters
# Counters since the last reboot/failover can be retrieved with the following command
srx210> show security policies hit-count from-zone untrust ascending
from-zone  to-zone  policy  hit-count
untrust    trust    pol-1   10
untrust    trust    pol-2   20
untrust    trust    pol-3   30
102. FIREWALL POLICY SCHEDULERS (A.K.A. TIME BASED POLICIES)
# Create a scheduler to activate a policy every working day from 9-12 and 13-20
set schedulers scheduler "SCHEDULER1" daily start-time 09:00 stop-time 12:00
set schedulers scheduler "SCHEDULER1" daily start-time 13:00 stop-time 20:00
set schedulers scheduler "SCHEDULER1" sunday exclude
# Create a new policy with the name "FIRST" and apply the scheduler definition "SCHEDULER1"
edit security policies from-zone untrust to-zone trust policy FIRST
set match source-address any
set match destination-address any
set match application any
set then permit
set scheduler SCHEDULER1
top
# Monitoring
show schedulers
show security policies detail
103. FIREWALL WEB AUTHENTICATION
# Firewall authentication can intercept a web session (redirect) and enforce user authentication
# before allowing traffic (any protocol) to be passed by the firewall. This works like unlocking a door.
# Add an additional IP to an existing interface that is used for WebAuth; HTTP to this address
# gives you a login page
set interfaces vlan unit 0 family inet address 192.168.1.210/24 web-authentication http
# Specify a profile with 2 local users
set access profile TESTPROFILE client TESTUSER1 firewall-user password netscreen
set access profile TESTPROFILE client TESTUSER2 firewall-user password netscreen
# and use this profile as default for firewall auth (inline in telnet, http, ftp connections) and webauth
set access firewall-authentication pass-through default-profile TESTPROFILE
set access firewall-authentication web-authentication default-profile TESTPROFILE
# A policy specifies for which source/destination web auth is required.
# Once the addresses have matched, authentication is required; there is no fall-through to other rules.
set security zones security-zone untrust address-book address PROTECTED 172.16.42.1/32
edit security policies from-zone trust to-zone untrust policy WEB-AUTH
set match source-address any
set match destination-address PROTECTED
set match application any
set then permit firewall-authentication pass-through access-profile TESTPROFILE
set then permit firewall-authentication pass-through web-redirect
up
insert policy WEB-AUTH before policy trust-to-untrust
top
# Monitoring commands
show security firewall-authentication users
show security firewall-authentication history
104. REMATCH FOR POLICY CHANGES
# To enable policy rematching when policy changes are made use the following command
# By default policy rematch is disabled
set security policies policy-rematch

Action on Policy   | Description                                                                      | Rematch flag enabled                | Rematch flag disabled (default)
Delete             | Policy is deleted                                                                | All existing sessions are dropped   | All existing sessions are dropped
Insert             | New policy is inserted                                                           | N/A                                 | N/A
Modify the action  | Action field of policy is modified from permit to deny or reject, or vice versa  | All existing sessions are dropped   | All existing sessions continue
Modify address     | Source or destination address field of policy match is modified                  | Policy lookup will be re-evaluated  | All existing sessions continue
Modify application | Application field of policy match is modified                                    | Policy lookup will be re-evaluated  | All existing sessions continue
105. REMATCH FOR POLICY CHANGES WITH USER IDENTITY BASED FIREWALL

The user/role info is retrieved again from the UI module for the rematch.
106. FLOW & ALG
107. FLOW

# Flow configuration changes the default behavior for a number of topics that influence
# session creation/teardown/modification.
# Examples are SYN checking, sequence number checking, fragmentation, MSS patching,
# session aging.

# Example: make sure TCP packets going through VPN tunnels avoid fragmentation
set security flow tcp-mss ipsec-vpn mss 1420

# Example: avoid TCP split handshake attacks by stricter SYN checking
set security flow tcp-session strict-syn-check
108. ALG

# ALGs exist for several protocols. When enabled they either help to open firewall
# pinholes (FTP), assist NAT for in-band protocol data (VoIP) or check for protocol
# violations (DNS). See the next pages for a table of ALGs and their functions.

# Most ALGs are enabled by default. To check which ALGs exist and are enabled use
show security alg status

# To disable an ALG either disable the ALG completely
set security alg msrpc disable
# or use a custom service with the application service disabled
set applications application TEST application-protocol ignore

# Knowledgebase articles have good hints on monitoring and troubleshooting
# or changing the behaviour of each ALG. Check the Knowledgebase if you have
# trouble with any of the protocols where ALGs are active and disabling the ALG
# does not solve your problem. Example KB entries:
# SQL: KB21550
# MSRPC: KB23730 and KB18346
109. BASIC ALGS

ALG     | Firewall | Pinholes | NAT | Protocol checking
DNS     | ✔        |          | ✔   | format, length
FTP     | ✔        | ✔        | ✔   | command
TFTP    | ✔        | ✔        |     |
SQL     | ✔        | ✔        | ✔   | format
Sun RPC | ✔        | ✔        | ✔   | format
MS RPC  | ✔        | ✔        | ✔   | format
RSH     | ✔        | ✔        | ✔   | format
PPTP    | ✔        | ✔        | ✔   | format
Talk    | ✔        | ✔        | ✔   | format
IKE-NAT | ✔        | ✔        | ✔   | format
110. VOIP/STREAMING ALGS

ALG   | Firewall | Pinholes | NAT | Protocol checking
SIP   | ✔        | ✔        | ✔   |
H.323 | ✔        | ✔        | ✔   |
MGCP  | ✔        | ✔        | ✔   |
SCCP  | ✔        | ✔        | ✔   |
RTSP  | ✔        | ✔        | ✔   |
111. SCREENS & DEFENSE
112. WHAT ARE SCREENS?

Screens are filters for attacks on layer 3/4 (scans, floods, IP option anomalies, TCP/IP anomalies, DoS attacks).
Screens are applied before the routing lookup and the policy decision.
Screens are in many cases implemented in hardware.
Screens can be enabled with logging only.
113. SCREENS

Descriptions of each of the screen parameters are in the documentation.

# Configure all screen options in a named profile
edit security screen ids-option MY-SCREEN-PROFILE
# Best practice: start using screens with alarm only, dropping disabled
set alarm-without-drop
set icmp ping-death
set ip source-route-option
set ip tear-drop
set tcp syn-flood alarm-threshold 1024
set tcp syn-flood attack-threshold 200
set tcp syn-flood source-threshold 1024
set tcp syn-flood destination-threshold 2048
set tcp syn-flood queue-size 2000
set tcp syn-flood timeout 20
set tcp land
set limit-session destination-ip-based 50
top

# Finally apply the profile to the zones which need protection
set security zones security-zone untrust screen MY-SCREEN-PROFILE

# Monitoring commands
show security screen statistics zone untrust
show security screen statistics interface ge-0/0/0
114. SCREENS FOR FLOOD PROTECTION

# Session limits per source and destination IP
set security screen ids-option FLOOD limit-session source-ip-based 10000
set security screen ids-option FLOOD limit-session destination-ip-based 10000

# ICMP and UDP flood protection (threshold is in packets/sec)
set security screen ids-option FLOOD icmp flood threshold 10000
set security screen ids-option FLOOD udp flood threshold 20000

# TCP SYN flood protection; SYN cookie has better performance than SYN proxy
set security flow syn-flood-protection-mode syn-cookie
edit security screen ids-option FLOOD tcp syn-flood
# Start using cookies when we see more than 20 SYNs/sec
set attack-threshold 20
set alarm-threshold 10000
# If we get more than this many SYNs per second from one source IP we start dropping
set source-threshold 1024
# If we get more than this many SYNs per second to the same destination IP we start dropping
set destination-threshold 100000
# Time before half-open connections are dropped from the queue
set timeout 5
top

# Finally apply the screen profile to the zone(s) where the flood arrives
set security zones security-zone untrust screen FLOOD

# Monitoring
show security screen statistics zone trust
show interfaces ge-0/0/1.0 extensive | match Syn
115. WHITE LISTS FOR SYN COOKIE & SYN PROXY

# JUNOS 12.1 will introduce white lists for SYN cookie and SYN proxy.
# The SYN protection screens can be active, but certain sources or
# destinations can be excluded from this protection.
# White lists can include up to 32 IPv4 and IPv6 source and/or destination addresses.
# Typical use case: exclude proxies as sources, exclude monitored servers as destinations.
root@raticate# set security screen ids-option FLOOD tcp syn-flood WHITE-LIST ipv4 ?
Possible completions:
  <[Enter]>            Execute this command
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
+ destination-address  Destination IP based
+ source-address       Source IP based
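As an added illustration (not part of the original deck and not Juniper code), the following Python model replays SYNs against the thresholds of the FLOOD profile from the previous two pages and the white-list exclusion from this one: attack-threshold switches a service into SYN cookie mode, source-/destination-threshold start dropping, alarm-without-drop logs instead of dropping. The per-second counting, the alarm texts and the sample traffic are constructed assumptions.

```python
from collections import Counter


class SynFloodScreen:
    """Per-second SYN accounting modelled on the FLOOD profile above.

    All thresholds are SYNs per second, as in the Junos screen. Only the
    decision logic is modelled; real screens run on the NPU/SPU/CP.
    """

    def __init__(self, attack_threshold=20, alarm_threshold=10000,
                 source_threshold=1024, destination_threshold=100000,
                 alarm_without_drop=False, white_list=()):
        self.attack_threshold = attack_threshold
        self.alarm_threshold = alarm_threshold
        self.source_threshold = source_threshold
        self.destination_threshold = destination_threshold
        self.alarm_without_drop = alarm_without_drop
        self.white_list = set(white_list)   # sources/destinations excluded from the screen
        self._second = None
        self._per_service = Counter()       # SYNs to (dst_ip, dst_port)
        self._per_src = Counter()
        self._per_dst = Counter()
        self._proxied = 0                   # SYNs answered with a cookie this second
        self.alarms = []                    # (second, message), like syslog entries

    def _roll(self, ts):
        """Reset the per-second counters when the clock moves to a new second."""
        sec = int(ts)
        if sec != self._second:
            self._second = sec
            self._per_service.clear()
            self._per_src.clear()
            self._per_dst.clear()
            self._proxied = 0

    def _alarm(self, count, threshold, text):
        # one log line per second, written when a threshold is first exceeded
        if count == threshold + 1:
            self.alarms.append((self._second, text))

    def syn(self, ts, src, dst, dport):
        """Classify one SYN: 'pass', 'cookie' (answered with a SYN cookie, no
        session is created until the handshake completes) or 'drop'."""
        if src in self.white_list or dst in self.white_list:
            return "pass"                   # white-listed: protection not applied
        self._roll(ts)
        self._per_service[(dst, dport)] += 1
        self._per_src[src] += 1
        self._per_dst[dst] += 1
        verdict = "pass"
        # attack-threshold: above it the service is handled in SYN cookie mode
        if self._per_service[(dst, dport)] > self.attack_threshold:
            verdict = "cookie"
            self._proxied += 1
            self._alarm(self._proxied, self.alarm_threshold,
                        f"syn-flood alarm: proxied SYNs to {dst}:{dport}")
        # source-threshold / destination-threshold: further SYNs are dropped
        if self._per_src[src] > self.source_threshold:
            verdict = "drop"
            self._alarm(self._per_src[src], self.source_threshold,
                        f"syn-flood source-threshold exceeded by {src}")
        if self._per_dst[dst] > self.destination_threshold:
            verdict = "drop"
            self._alarm(self._per_dst[dst], self.destination_threshold,
                        f"syn-flood destination-threshold exceeded for {dst}")
        if verdict == "drop" and self.alarm_without_drop:
            verdict = "pass"                # log only, the packet is still forwarded
        return verdict


def simulate(alarm_without_drop=False, white_list=()):
    """Replay two constructed bursts; return the verdict counts and the alarms."""
    screen = SynFloodScreen(attack_threshold=20, alarm_threshold=10000,
                            source_threshold=1024, destination_threshold=100000,
                            alarm_without_drop=alarm_without_drop,
                            white_list=white_list)
    verdicts = Counter()
    # constructed: 30 different clients each send one SYN to the web server in second 0
    for i in range(30):
        verdicts[screen.syn(i / 100, f"198.51.100.{i + 1}", "10.0.0.5", 80)] += 1
    # constructed: one host sends 1100 SYNs to ssh on the same server in second 1
    for i in range(1100):
        verdicts[screen.syn(1 + i / 2000, "203.0.113.9", "10.0.0.5", 22)] += 1
    return verdicts, screen.alarms
```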
116. FLOOD PROTECTION FOR THE SRX SESSION TABLE

# In a flood situation there is still a risk that the session table fills up
# completely and new sessions can't be established any more.
#
# A self-defense strategy of the SRX for a flood situation is "aggressive aging":
# start removing sessions which have not been used for x seconds before the session
# table is completely full.
#
# This overrides the default session timeouts, but might be better
# than an overcrowded session table.

# Set the levels (percent of the maximum session number) at which aggressive aging starts and stops
set security flow aging high-watermark 80 low-watermark 60
# Idle time in seconds after which sessions can be purged
set security flow aging early-ageout 30

# Monitoring: if the thresholds are reached, there are logs for
# FLOW_HIGH_WATERMARK_TRIGGERED and FLOW_LOW_WATERMARK_TRIGGERED
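An added Python model (not the deck's or Juniper's code) of the watermark hysteresis described above: a flood fills a 100-entry table with idle sessions, aggressive aging starts at 80 %, purges sessions idle longer than early-ageout and stops again at 60 %. The capacity, the 1800 s normal timeout and the traffic are constructed assumptions; high=None stands for the Junos default with no aggressive aging configured.

```python
class SessionTable:
    """Model of the SRX session table with 'security flow aging' settings.

    high/low are percent of capacity; early_ageout and default_timeout are
    seconds of idle time after which a session may be purged. high=None means
    aggressive aging is not configured (constructed stand-in for the default).
    """

    def __init__(self, capacity, high=80, low=60, early_ageout=30,
                 default_timeout=1800):
        self.capacity = capacity
        self.high, self.low = high, low
        self.early_ageout = early_ageout
        self.default_timeout = default_timeout
        self.sessions = {}          # flow key -> time the last packet was seen
        self.aggressive = False     # True between the high and the low watermark event
        self.log = []               # (time, message), like the syslog entries

    def utilization(self):
        return 100.0 * len(self.sessions) / self.capacity

    def _check_watermarks(self, now):
        if self.high is None:
            return
        u = self.utilization()
        if not self.aggressive and u >= self.high:
            self.aggressive = True
            self.log.append((now, "FLOW_HIGH_WATERMARK_TRIGGERED"))
        elif self.aggressive and u <= self.low:
            self.aggressive = False
            self.log.append((now, "FLOW_LOW_WATERMARK_TRIGGERED"))

    def age(self, now):
        """Purge idle sessions; in aggressive mode early-ageout replaces the
        normal timeout. Returns the number of sessions removed."""
        limit = self.early_ageout if self.aggressive else self.default_timeout
        stale = [k for k, last in self.sessions.items() if now - last >= limit]
        for k in stale:
            del self.sessions[k]
        self._check_watermarks(now)
        return len(stale)

    def packet(self, now, key):
        """Handle a packet for flow `key`; returns False when a new session
        cannot be created because the table is full."""
        self.age(now)
        if key in self.sessions:
            self.sessions[key] = now
            return True
        if len(self.sessions) >= self.capacity:
            return False
        self.sessions[key] = now
        self._check_watermarks(now)
        return True


def flood_then_legit(high=80, low=60):
    """Constructed scenario: a flood fills a 100-entry table with idle sessions
    at t=0; a legitimate client arrives 40 s later."""
    table = SessionTable(capacity=100, high=high, low=low, early_ageout=30)
    for i in range(100):
        table.packet(0, ("flood", i))
    admitted = table.packet(40, ("legit", 0))
    return admitted, len(table.sessions), table.log
```

With the watermarks configured the legitimate session is admitted after the idle flood sessions are purged; without them it is refused because the table is still full.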
117. FIREWALL USAGE ALARMS

# Create alerts if errors exceed thresholds
edit security alarms potential-violation
set authentication 10
set decryption-failures threshold 100
set encryption-failures threshold 100
set ike-phase1-failures threshold 100
set ike-phase2-failures threshold 100
set replay-attacks threshold 100
set security-log-percent-full 90
top

# Create alerts if total firewall policy usage exceeds thresholds
edit security alarms potential-violation policy
set application size 10240
set source-ip threshold 1000 duration 20
set destination-ip threshold 1000 duration 10
set policy-match threshold 100 size 100
top

# Create alerts if individual firewall policy usage exceeds thresholds
edit security policies from-zone trust to-zone untrust policy pol-01
set then count alarm per-minute-threshold 1000
set then count alarm per-second-threshold 50
top

# Monitoring
show security alarms
118. WHERE ARE SCREENS IMPLEMENTED?

# Screens that are implemented on the NPU
block-frag, fin-no-ack, icmp-fragment, icmp-id, icmp-large, ip-bad-option, ip-filter-src,
ip-loose-src-route, ip-record-route, ip-security-opt, ip-stream-opt, ip-strict-src-route,
ip-timestamp-opt, land, ping-death, syn-fin, syn-frag, tcp-no-flag, unknown-protocol,
winnuke, icmp-flood, udp-flood, syn-flood destination-threshold / source-threshold

# Screens that are implemented on the SPU
teardrop, ip-spoofing, syn-ack-ack-proxy, syn-flood (syn-cookie/syn-proxy)

# Screens that are implemented on the CP
limit-session, port-scan, ip-sweep, syn-flood (syn-cookie/syn-proxy)
119. NAT
120. NAT BASIC INFORMATION

• Since JUNOS 9.5 NAT uses a separate policy (a.k.a. NAT-ng)
• The hierarchy for this is under "set security nat ..."
• Older JUNOS documentation and OJSE training materials might still mention the previous method (policy based NAT)
• Destination NAT often requires additional Proxy-ARP rules
• Limitations in the number of NAT rules did exist, but finally even the last one (8 rules for destination NAT) disappeared with 10.2. See http://kb.juniper.net/KB14149
• We have a good Application Note on NAT: http://www.juniper.net/us/en/products-services/security/srx-series/#literature
121. SCREENOS NAT FEATURES AND JUNOS COUNTERPART

For details and examples see the Application Note "Juniper Networks SRX Series and J Series NAT for ScreenOS Users":
http://www.juniper.net/us/en/products-services/security/srx-series/#literature
122. NAT CONFIGURATION INCLUDES 3 FLAVORS

Source NAT
  - Interface based NAT
  - Pool based NAT, with and without port translation
  - IP address shifting
Destination NAT
  - Destination IP and/or port number translation
  - IP address shifting
Static NAT
  - Bi-directional
  - No port translation supported
  - dst-xlate for packets to the host
  - src-xlate for packets initiated from the host
123. NAT PROCESSING ORDER

Static & destination NAT are performed before security policies are applied.
Reverse static & source NAT are performed after security policies are applied.
Accordingly, policies always refer to the actual address of the endpoints.
124. NAT ADDRESS POOL CONFIGURATION

Address pools can be
  - a single IP address
  - a range of addresses
  - a range of ports
  - an interface (source NAT only)
  - without port translation
Overflow pools
  - are configured as a fallback
  - require pools with no port translation

[edit security nat source]
root# show
pool src-nat-pool1 {
    address {
        192.0.0.10/32 to 192.0.0.24/32;
    }
}
pool src-nat-pool2 {
    address {
        192.0.0.100/32 to 192.0.0.249/32;
    }
    port no-translation;
    overflow-pool interface;
}
pool src-nat-pool3 {
    address {
        192.0.0.25/32;
    }
}
pool src-nat-pool4 {
    address {
        192.0.0.50/32 to 192.0.0.59/32;
    }
    port range 5000 to 6000;
}
125. SOURCE NAT TWO EXAMPLES

[Diagram: INTERNET - UNTRUST (ge-0/0/0) - SRX - TRUST (ge-0/0/1): 10.1.1.0/24, 10.1.2.0/24, 192.1.1.0/24]

# Example 1: interface based source NAT
[edit security nat source]
rule-set nat-internet {
    from zone trust;
    to zone untrust;
    rule rule1 {
        match {
            source-address 0.0.0.0/0;
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat interface;
        }
    }
}

# Example 2: pool based source NAT
[edit security nat source]
rule-set nat-internet {
    from zone trust;
    to zone untrust;
    rule rule1 {
        match {
            source-address 0.0.0.0/0;
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat pool src-nat-pool1;
        }
    }
}
126. SOURCE NAT EXAMPLE WITH MULTIPLE RULES

[Diagram: INTERNET - UNTRUST (ge-0/0/0) - SRX - TRUST (ge-0/0/1): 10.1.1.0/24, 10.1.2.0/24, 192.1.1.0/24, 172.1.1.0/24]

[edit security nat source]
rule-set nat-internet {
    from zone trust;
    to zone untrust;
    rule rule1 {
        match {
            source-address [ 10.1.1.0/24 10.1.2.0/24 ];
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat pool src-nat-pool1;
        }
    }
    rule rule2 {
        match {
            source-address 192.1.1.0/24;
        }
        then {
            source-nat pool src-nat-pool2;
        }
    }
    rule rule3 {
        match {
            source-address 172.1.1.0/24;
        }
        then {
            source-nat off;
        }
    }
}
127. DESTINATION NAT EXAMPLE FOR MANY-TO-MANY

[Diagram: INTERNET - UNTRUST (ge-0/0/0) - SRX - TRUST (ge-0/0/1): 10.1.1.0/24, 10.1.2.0/24, 192.1.1.100/24, 192.1.1.200/24]
dnat-pool-1: 1.1.1.100/80 -> 192.168.1.100/80
dnat-pool-2: 1.1.1.101/80 -> 192.168.1.200/8000

[edit security nat destination]
root# show
pool dnat-pool-1 {
    address 192.168.1.100/32;
}
pool dnat-pool-2 {
    address 192.168.1.200/32 port 8000;
}
rule-set dst-nat {
    from zone untrust;
    rule rule1 {
        match {
            destination-address 1.1.1.100/32;
        }
        then {
            destination-nat pool dnat-pool-1;
        }
    }
    rule rule2 {
        match {
            destination-address 1.1.1.101/32;
        }
        then {
            destination-nat pool dnat-pool-2;
        }
    }
}
128. DESTINATION NAT EXAMPLE FOR ONE-TO-MANY

[Diagram: INTERNET - UNTRUST (ge-0/0/0) - SRX - TRUST (ge-0/0/1): 10.1.1.0/24, 10.1.2.0/24, 192.1.1.100/24, 192.1.1.200/24]
dnat-pool-1: 1.1.1.100/80 -> 192.168.1.100/80
dnat-pool-2: 1.1.1.100/8000 -> 192.168.1.200/8000

[edit security nat destination]
root# show
pool dnat-pool-1 {
    address 192.168.1.100/32;
}
pool dnat-pool-2 {
    address 192.168.1.200/32 port 8000;
}
rule-set dst-nat {
    from zone untrust;
    rule rule1 {
        match {
            destination-address 1.1.1.100/32;
            destination-port 80;
        }
        then {
            destination-nat pool dnat-pool-1;
        }
    }
    rule rule2 {
        match {
            destination-address 1.1.1.100/32;
            destination-port 8000;
        }
        then {
            destination-nat pool dnat-pool-2;
        }
    }
}
129. STATIC NAT

Provides one-to-one mapping of hosts or subnets.
Bi-directional NAT
  - dst-xlate for packets to the host
  - src-xlate for packets initiated from the host

[Diagram: INTERNET - UNTRUST (ge-0/0/0) - SRX - TRUST (ge-0/0/1): 10.1.1.0/24, 10.1.2.0/24, 192.1.1.200/24]

[edit security nat]
root# show static
rule-set static-nat {
    from zone untrust;
    rule rule1 {
        match {
            destination-address 1.1.1.200/32;
        }
        then {
            static-nat prefix 192.168.1.200/32;
        }
    }
}
130. PROXY-ARP

Source NAT
  - Proxy-ARP is required for all source IP pool addresses in the same subnet as the egress interface (ge-0/0/0)
  - For source pools not in the same subnet as the egress interface IP, a route to the IP pool subnet with the SRX device as next-hop is required on the upstream router
Destination/Static NAT
  - Proxy-ARP is required for all IP pool addresses in the same subnet as the ingress interface (ge-0/0/0)
  - For static and destination NAT pools not in the same subnet as the egress interface IP, a route to the IP pool subnet with the SRX device as next-hop is required on the upstream router
Configuration command
  - set security nat proxy-arp interface <if_name> address <ip_prefix>

[Diagram: INTERNET - ge-0/0/0 (1.1.1.1/24) - SRX - ge-0/0/1 - 10.1.1.0/24, 10.1.2.0/24]
131. DOUBLE NAT - SOURCE AND DESTINATION NAT

[Diagram: 192.168.1.3/24 - TRUST - SRX - UNTRUST - 10.1.1.100/24]

[edit security nat source]
root# show
pool src-pool-1 {
    address {
        1.1.1.10/32 to 1.1.1.14/32;
    }
}
rule-set src-rs1 {
    from zone trust;
    to zone untrust;
    rule r1 {
        match {
            source-address 0.0.0.0/0;
        }
        then {
            source-nat pool src-pool-1;
        }
    }
}

[edit security nat destination]
root# show
pool dst-src-pool-1 {
    address 10.1.1.100/32;
}
rule-set dst-rs1 {
    from zone trust;
    rule rule1 {
        match {
            destination-address 1.1.1.100/32;
        }
        then {
            destination-nat pool dst-src-pool-1;
        }
    }
}

Result: 192.168.1.3 -> 1.1.1.100 becomes 1.1.1.10 -> 10.1.1.100
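An added Python walk-through (not from the deck and not Juniper code) of the processing order from the "NAT processing order" page applied to this double NAT setup: destination NAT, route lookup, policy lookup on the real addresses, then source NAT. The route entries, the rule tables and the first-address pool selection are constructed simplifications of the configuration above.

```python
import ipaddress

# Constructed tables mirroring the double NAT page (not an SRX config parser).
# Route table: (prefix, egress zone); the longest match wins.
ROUTES = [("192.168.1.0/24", "trust"), ("10.1.1.0/24", "untrust"), ("0.0.0.0/0", "untrust")]
# Destination NAT: (from-zone, matched destination, pool address, pool port or None)
DST_NAT_RULES = [("trust", "1.1.1.100/32", "10.1.1.100", None)]
# Source NAT: (from-zone, to-zone, matched source, pool addresses or None for 'off')
SRC_NAT_RULES = [("trust", "untrust", "0.0.0.0/0",
                  ["1.1.1.10", "1.1.1.11", "1.1.1.12", "1.1.1.13", "1.1.1.14"])]


def in_net(addr, prefix):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)


def egress_zone(dst):
    """Longest-prefix match in ROUTES; 0.0.0.0/0 guarantees a hit."""
    best = max((r for r in ROUTES if in_net(dst, r[0])),
               key=lambda r: ipaddress.ip_network(r[0]).prefixlen)
    return best[1]


def process(src, dst, dport, in_zone, policies):
    """Run the first packet of a flow through the NAT/policy pipeline in SRX order.

    policies: list of (from-zone, to-zone, source prefix, destination prefix,
    action). Returns (action, translated src, translated dst, dport, trace).
    """
    trace = []
    # 1. destination NAT is evaluated on the packet as it arrives
    for from_zone, match, pool_addr, pool_port in DST_NAT_RULES:
        if from_zone == in_zone and in_net(dst, match):
            dst, dport = pool_addr, pool_port or dport
            trace.append(f"destination-nat -> {dst}:{dport}")
            break
    # 2. the route lookup on the translated destination selects the egress zone
    out_zone = egress_zone(dst)
    trace.append(f"route lookup: {dst} via zone {out_zone}")
    # 3. the policy lookup sees the real endpoint addresses (after dst-NAT, before src-NAT)
    action = "deny"                       # implicit default policy
    for fz, tz, s, d, act in policies:
        if (fz, tz) == (in_zone, out_zone) and in_net(src, s) and in_net(dst, d):
            action = act
            break
    trace.append(f"policy {in_zone}->{out_zone} {src}->{dst}: {action}")
    if action != "permit":
        return action, src, dst, dport, trace
    # 4. source NAT is applied only after the policy permitted the session
    for fz, tz, match, pool in SRC_NAT_RULES:
        if (fz, tz) == (in_zone, out_zone) and in_net(src, match):
            if pool:                      # the SRX picks a pool address/port; first one here
                src = pool[0]
                trace.append(f"source-nat -> {src}")
            break
    return action, src, dst, dport, trace


# A policy written against the real server address matches ...
POLICY_REAL = [("trust", "untrust", "192.168.1.0/24", "10.1.1.100/32", "permit")]
# ... one written against the pre-NAT address 1.1.1.100 never does.
POLICY_NATTED = [("trust", "untrust", "192.168.1.0/24", "1.1.1.100/32", "permit")]
```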
132. NAT MONITORING AND TROUBLESHOOTING

# NAT sessions can be identified from the session table
show security flow session

# Static NAT:
show security nat static rule <all|rule-name>

# Source NAT:
show security nat source summary
show security nat source pool <pool-name>
show security nat source rule <rule-name>
show security nat source persistent-nat-table <all|summary|....>

# Destination NAT:
show security nat destination summary
show security nat destination pool <pool-name>
show security nat destination rule <rule-name>
show security nat interface-nat-ports

# Incoming NAT:
show security nat incoming-table

# ARP table
show arp no-resolve

# Tracing (output is written to the file defined under security -> flow -> traceoptions)
set security nat traceoptions flag all
133. VIRTUALIZATION
134. VIRTUALIZATION BUILDING BLOCKS AND CONCEPTS

• SRX firewalls offer several building blocks and concepts to achieve virtualization
• Zone based separation: no traffic can get from one zone to another if there is no policy
• Virtual Router based separation: avoid any traffic leakage between different instances (use case: managed service for customers with overlapping address space)
• Logical Systems: for complete administrative isolation. Create virtual firewalls with individual administrators and protected resources per firewall (memory, CPU, objects ...)
• Virtual SRX: virtual machine for installation on a hypervisor (VMware, KVM)

                                            | Zones only | Zones and Virtual Routers | Logical Systems               | Virtual SRX
separate traffic of different instances     | yes        | yes                       | yes                           | yes
separate routing decisions per instance     | no         | yes                       | yes (with VRs)                | yes
allow different administrators per instance | no         | no                        | yes                           | yes
protect resources per instance              | no         | no                        | partial                       | yes
more than 32 instances                      | no         | no                        | max 32 instances per firewall | yes
135. ZONE-BASED SEPARATION

[Diagram: Untrust Zone; Pepsi Zone with Pepsi User; Coke Zone with Coke User]

• Simple design
• High scale (no additional overhead)
• No overlapping IP addresses
• Little to no user-based admin
136. VR-BASED SEPARATION

[Diagram: Coke VR with Coke Untrust Zone and Coke Trust Zone (Coke User); Pepsi VR with Pepsi Untrust Zone and Pepsi Trust Zone (Pepsi User)]

• More complex design
• High scale (little additional overhead)
• Overlapping IP addresses supported
• Routing protocols per VR give additional flexibility
• Little to no user-based admin
137. LSYS-BASED SEPARATION

[Diagram: Coke LSYS with Coke VR, Coke Untrust Zone and Coke Trust Zone (Coke User); Pepsi LSYS with Pepsi VR, Pepsi Untrust Zone and Pepsi Trust Zone (Pepsi User)]

• Complex design
• Lower scale (possible additional overhead)
• Overlapping IP addresses supported
• Routing protocols per VR give additional flexibility (and introduce performance caveats)
• User-based admin supported
138. VIRTUALIZATION: VIRTUAL ROUTERS
139. DIFFERENCE IN OWNERSHIP HIERARCHY

ScreenOS: Virtual Router > Zone > Interface > IP Address
JUNOS:    Routing Instance > Interface > IP Address
          Zone > Interface
The virtual router is split from the zones in JUNOS.
140. EXAMPLE WITH 2 INDEPENDENT VRS

[Diagram: Red-VR with zones red-trust and red-untrust; Blue-VR with zones blue-trust and blue-untrust]
141. VIRTUAL ROUTERS - SIMPLE EXAMPLE

Create a virtual router and bind interfaces to this VR.

# Assign interface IPs as usual
set interfaces fe-0/0/6 unit 0 family inet address 1.0.0.1/24
set interfaces fe-0/0/7 unit 0 family inet address 2.0.0.1/24
set interfaces lo0 unit 0 family inet address 3.0.0.1/32

# Create the virtual router, assign two physical and a loopback interface
set routing-instances red-vr instance-type virtual-router
set routing-instances red-vr interface fe-0/0/6.0
set routing-instances red-vr interface fe-0/0/7.0
set routing-instances red-vr interface lo0.0

# Also tie all interfaces to security zones
set security zones security-zone red-untrust interfaces fe-0/0/6.0
set security zones security-zone red-trust interfaces fe-0/0/7.0

# Optional: set a static route in this VR
set routing-instances red-vr routing-options static route 4.0.0.0/24 next-hop 1.0.0.2

# Optional: you can set static routes to get from one VR to another.
# If you need to exchange dynamic routes you will need RIB groups
set routing-instances red-vr routing-options static route 5.0.0.0/24 next-table blue-vr.inet.0
142. EXAMPLE WITH 3 CUSTOM AND ONE SHARED VR

[Diagram: Red-VR (red-trust), Blue-VR (blue-trust), Green-VR (green-trust) and the shared inet.0 VR (untrust)]
143. VIRTUAL ROUTERS - ROUTER DEFINITION

Create the virtual routers and bind one interface to each VR.

# Assign interface IPs as usual
set interfaces fe-0/0/5 unit 0 family inet address 1.0.0.1/24
set interfaces fe-0/0/6 unit 0 family inet address 2.0.0.1/24
set interfaces fe-0/0/7 unit 0 family inet address 3.0.0.1/24
set interfaces lo0 unit 0 family inet address 4.0.0.1/32

# Create the virtual router RED-VR, assign one physical interface
set routing-instances RED-VR instance-type virtual-router
set routing-instances RED-VR interface fe-0/0/5.0

# Create the virtual router BLUE-VR, assign one physical interface
set routing-instances BLUE-VR instance-type virtual-router
set routing-instances BLUE-VR interface fe-0/0/6.0

# Create the virtual router GREEN-VR, assign one physical interface
set routing-instances GREEN-VR instance-type virtual-router
set routing-instances GREEN-VR interface fe-0/0/7.0
144. VIRTUAL ROUTERS - SECURITY ZONES

• Interface binding to zones is defined independently from the VR, BUT all interfaces in the same zone must be bound to the same VR

# Create zones and assign interfaces
set security zones security-zone red-trust
set security zones security-zone red-trust interfaces fe-0/0/5.0
set security zones security-zone blue-trust
set security zones security-zone blue-trust interfaces fe-0/0/6.0
set security zones security-zone green-trust
set security zones security-zone green-trust interfaces fe-0/0/7.0

# If desired enable management
set security zones security-zone red-trust host-inbound-traffic system-services all
set security zones security-zone red-trust host-inbound-traffic protocols all
set security zones security-zone blue-trust host-inbound-traffic system-services all
set security zones security-zone blue-trust host-inbound-traffic protocols all

# Add policies to permit traffic
edit security policies from-zone red-trust to-zone untrust
set policy outbound1 match source-address any
set policy outbound1 match destination-address any
set policy outbound1 match application any
set policy outbound1 then permit
set policy outbound1 then log session-close session-init
exit
top
145. VIRTUAL ROUTERS - EXCHANGING ROUTES BETWEEN VIRTUAL ROUTERS

# To set a route from one VR to another just use the instance name as next-table
edit routing-instances BLUE-VR
set routing-options static route 10.0.0.0/8 next-table RED-VR.inet.0
top

# To redistribute routes that exist in one VR into another use filters
edit policy-options policy-statement SUMMARY-RED
set term ACCEPT from instance RED-VR
set term ACCEPT from route-filter 10.0.0.0/8 exact
set term ACCEPT then tag 5000
set term ACCEPT then accept
top
set routing-instances BLUE-VR routing-options instance-import SUMMARY-RED
146. VIRTUAL ROUTERS - RIB-GROUPS

RIB groups (RIB = Routing Information Base) are useful if you want to share static and dynamic routes between multiple VRs.

# Create a rib-group
set routing-options static rib-group test-rib
# Routes imported into the rib-group are distributed to these RIBs
set routing-options rib-groups test-rib import-rib inet.0
set routing-options rib-groups test-rib import-rib RED-VR.inet.0
# set routing-options rib-groups test-rib import-rib BLUE-VR.inet.0
# set routing-options rib-groups test-rib import-rib GREEN-VR.inet.0
# Only one RIB can be used to export (the primary RIB by default)
set routing-options rib-groups test-rib export-rib inet.0
# Optional: publish interface routes to the RIB group
set routing-instances RED-VR routing-options interface-routes rib-group inet test-rib
set routing-instances BLUE-VR routing-options interface-routes rib-group inet test-rib
set routing-instances GREEN-VR routing-options interface-routes rib-group inet test-rib
147. VIRTUAL ROUTERS - RIB-GROUPS, FILTER

Filters can be applied to drop unwanted routes.

# Create a policy statement
edit policy-options policy-statement into-red
set term reject-to-red from family inet protocol ospf
set term reject-to-red to rib red-vr.inet.0
set term reject-to-red then reject
top
# Apply the policy to filter routes from the rib-group's export-rib into the member RIBs
set routing-options rib-groups test-rib import-policy into-red
148. VIRTUAL ROUTERS - NOTES AND LIMITATIONS

• A RIB group is useful to share routes between multiple VRs
• Before JUNOS 10.4 IPsec VPN interfaces could only be terminated in zones which are assigned to inet.0 (see KB12866)
• For self-initiated management traffic (e.g. syslog, traps ...) the route lookup starts in the default VR (inet.0)
• Interfaces that are not explicitly members of any custom VR are members of inet.0
• DHCP server and DHCP relay inside a VR require JUNOS 10.4R5 or higher
• Static routes from VR1 to VR2 and at the same time from VR2 to VR1 will not commit (potential loop). You have to introduce a third VR as an additional hop for one direction.
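An added Python lint (not Juniper tooling and not from the deck) for two of the rules on the preceding VR pages: all interfaces of a zone must be bound to the same VR (interfaces in no custom VR count as inet.0), and mutual next-table static routes between two VRs will not commit. The sample configuration is constructed from this page's VR names; the lint only understands the three set-command forms shown in it.

```python
import re
from collections import defaultdict

# The three set-command forms the lint understands (as used on the VR pages).
VR_IF = re.compile(r"^set routing-instances (\S+) interface (\S+)$")
ZONE_IF = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)$")
NEXT_TABLE = re.compile(
    r"^set routing-instances (\S+) routing-options static route (\S+) next-table (\S+)\.inet\.0$")


def lint_vr_config(config_text):
    """Return a list of findings for the two VR pitfalls named on this page."""
    vr_of = {}                         # interface -> VR it is assigned to
    zone_ifs = defaultdict(list)       # zone -> interfaces bound to it
    next_tables = defaultdict(set)     # VR -> VRs it points static routes at
    for line in config_text.splitlines():
        line = line.strip()
        if m := VR_IF.match(line):
            vr_of[m.group(2)] = m.group(1)
        elif m := ZONE_IF.match(line):
            zone_ifs[m.group(1)].append(m.group(2))
        elif m := NEXT_TABLE.match(line):
            next_tables[m.group(1)].add(m.group(3))
    findings = []
    # 1. every interface of a zone must live in the same VR; no custom VR means inet.0
    for zone, ifs in zone_ifs.items():
        vrs = {vr_of.get(i, "inet.0") for i in ifs}
        if len(vrs) > 1:
            findings.append(f"zone {zone} spans routing instances {sorted(vrs)}")
    # 2. static routes VR1 -> VR2 and VR2 -> VR1 at the same time will not commit
    for vr, targets in next_tables.items():
        for target in targets:
            if vr in next_tables.get(target, ()) and vr < target:
                findings.append(f"mutual next-table routes between {vr} and {target}")
    return findings


# Constructed sample: red-trust mixes two VRs, and RED-VR/BLUE-VR route into each other.
SAMPLE = """\
set routing-instances RED-VR instance-type virtual-router
set routing-instances RED-VR interface fe-0/0/5.0
set routing-instances BLUE-VR instance-type virtual-router
set routing-instances BLUE-VR interface fe-0/0/6.0
set security zones security-zone red-trust interfaces fe-0/0/5.0
set security zones security-zone red-trust interfaces fe-0/0/6.0
set security zones security-zone untrust interfaces fe-0/0/7.0
set routing-instances BLUE-VR routing-options static route 10.0.0.0/8 next-table RED-VR.inet.0
set routing-instances RED-VR routing-options static route 172.16.0.0/12 next-table BLUE-VR.inet.0
"""
```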
149. VIRTUALIZATION: LOGICAL SYSTEMS
150. LOGICAL SYSTEMS

• The Root System (= physical firewall) is always there. The Root Admin can
  - create new Lsys
  - create user admin(s) for the Lsys
  - create and assign Lsys profiles
  - create and assign logical interfaces to Lsys
  - configure the interconnect Lsys0
• Lsys0 has a special role as the interconnect Lsys
  - all traffic between user Lsys and Rootsys goes through Lsys0
  - for this purpose Lsys0 has an lt interface to each Lsys and to the Rootsys
• Lsys1..32 are the user logical systems themselves
• Each user logical system can have
  - a number of zones, interfaces and 0, 1 or more Virtual Routers
  - exactly one interface to the interconnect Lsys0 (lt0.x)
  - one or more users to configure routing and security inside the Lsys
151. EXAMPLE SETUP

# Example setup
Root System with
  - shared Internet uplink
  - separate VR vrf-root
Interconnect Lsys0 with
  - separate VR vr-ic
  - lt interfaces to the root and to each Lsys
Two custom Lsys with
  - private interfaces and zones
  - lt interfaces to the interconnect Lsys0
152. LOGICAL SYSTEMS CONFIGURATION 1/4 - PROFILES AND USERS

# Define a profile for the system limits of each user logical system
set system security-profile USER-LSYS policy maximum 50
set system security-profile USER-LSYS policy reserved 25
set system security-profile USER-LSYS address-book maximum 100
set system security-profile USER-LSYS address-book reserved 50
set system security-profile USER-LSYS logical-system [ COKE-LSYS PEPSI-LSYS ]

# Add the root system profile. All off-box logging comes from the root LSYS.
# If this is undefined then syslog/SNMP will not work
set system security-profile ROOT-LSYS auth-entry maximum 5
set system security-profile ROOT-LSYS policy maximum 5
set system security-profile ROOT-LSYS policy reserved 1
set system security-profile ROOT-LSYS policy-with-count maximum 0
set system security-profile ROOT-LSYS root-logical-system

# Add the LSYS to your login classes to assign users to an LSYS.
# Users are assigned to a 'login class' to get their rights, and with the LSYS
# option they are assigned to an LSYS at the same time
set system login class COKE-LOGIN logical-system COKE-LSYS
set system login class PEPSI-LOGIN logical-system PEPSI-LSYS

# Create users for each LSYS
set system login user coke class COKE-LOGIN
set system login user pepsi class PEPSI-LOGIN
153. LOGICAL SYSTEMS CONFIGURATION 2/4 - INTERCONNECT

# Set up the lt-0/0/0.x interfaces in the interconnect LSYS0.
# LSYS0 is layer 2 only and holds multiple LT interfaces;
# all other LSYS only have a single LT interface.
# LT interfaces are paired one-to-one via peer-unit
set logical-systems LSYS0 interfaces lt-0/0/0 unit 0 encapsulation ethernet-vpls
set logical-systems LSYS0 interfaces lt-0/0/0 unit 0 peer-unit 1
set logical-systems LSYS0 interfaces lt-0/0/0 unit 2 encapsulation ethernet-vpls
set logical-systems LSYS0 interfaces lt-0/0/0 unit 2 peer-unit 3
set logical-systems LSYS0 interfaces lt-0/0/0 unit 4 encapsulation ethernet-vpls
set logical-systems LSYS0 interfaces lt-0/0/0 unit 4 peer-unit 5

# Set up the lt-0/0/0.x interfaces on the other side; LT interfaces in LSYS > 0 need an IP address
# LT interface in the Rootsys (peer of LSYS0 unit 0)
set interfaces lt-0/0/0 unit 1 encapsulation ethernet
set interfaces lt-0/0/0 unit 1 peer-unit 0
set interfaces lt-0/0/0 unit 1 family inet address 10.0.1.1/24
# LT interface in the Lsys Coke (peer of LSYS0 unit 2)
set interfaces lt-0/0/0 unit 3 encapsulation ethernet
set interfaces lt-0/0/0 unit 3 peer-unit 2
set interfaces lt-0/0/0 unit 3 family inet address 10.0.1.2/24
# LT interface in the Lsys Pepsi (peer of LSYS0 unit 4)
set interfaces lt-0/0/0 unit 5 encapsulation ethernet
set interfaces lt-0/0/0 unit 5 peer-unit 4
set interfaces lt-0/0/0 unit 5 family inet address 10.0.1.3/24
154. LOGICAL SYSTEMS CONFIGURATION 3/4 - FIRST USER LSYS

# Now set up the COKE logical system
edit logical-systems COKE-LSYS
set interfaces reth1 unit 1 vlan-id 1
set interfaces reth1 unit 1 family inet address 12.1.1.1/24
edit routing-instances COKE-VR
set instance-type virtual-router
set interface reth1.1
set interface lt-0/0/0.3
# Default route via the root system's lt interface (10.0.1.1)
set routing-options static route 0.0.0.0/0 next-hop 10.0.1.1
up
set security zones security-zone Coke-Trust
set security zones security-zone Coke-Trust host-inbound-traffic system-services ping
set security zones security-zone Coke-Trust interfaces reth1.1
set security zones security-zone Coke-Untrust interfaces lt-0/0/0.3
edit security policies from-zone Coke-Trust to-zone Coke-Untrust
set policy to-Inter-LSYS match source-address any
set policy to-Inter-LSYS match destination-address any
set policy to-Inter-LSYS match application any
set policy to-Inter-LSYS then permit
top
155. LOGICAL SYSTEMS CONFIGURATION 4/4 - SECOND USER LSYS

# Now set up the PEPSI logical system
edit logical-systems PEPSI-LSYS
set interfaces reth1 unit 2 vlan-id 1
set interfaces reth1 unit 2 family inet address 13.1.1.1/24
edit routing-instances PEPSI-VR
set instance-type virtual-router
set interface reth1.2
set interface lt-0/0/0.5
# Default route via the root system's lt interface (10.0.1.1)
set routing-options static route 0.0.0.0/0 next-hop 10.0.1.1
up
set security zones security-zone PEPSI-Trust
set security zones security-zone PEPSI-Trust host-inbound-traffic system-services ping
set security zones security-zone PEPSI-Trust interfaces reth1.2
set security zones security-zone PEPSI-Untrust interfaces lt-0/0/0.5
edit security policies from-zone PEPSI-Trust to-zone PEPSI-Untrust
set policy to-Inter-LSYS match source-address any
set policy to-Inter-LSYS match destination-address any
set policy to-Inter-LSYS match application any
set policy to-Inter-LSYS then permit
top
156. LOGICAL SYSTEMS MONITORING

# Flow statistics
show security flow statistics root-logical-system
show security flow statistics logical-system <all|Lsys>

# Assigned profile and current usage for each individual profile parameter
# (use ? to list the parameters)
show system security-profile ? logical-system <all|Lsys>
157. VPN
