Juniper Srx quickstart-12.1r3 Presentation Transcript

1. SRX JUMP STATION
   Based on JUNOS versions up to 12.1R3, last modified Nov 08 2012
   Thomas Schmidt, Consulting Systems Engineer

2. WHAT IS THE PURPOSE OF THIS QUICK START?
   Copyright © 2011 Juniper Networks, Inc. www.juniper.net
   • This collection is for users who already have experience with ScreenOS firewalls and the underlying concepts and now want to use JUNOS-based SRX firewalls.
   • It assumes some knowledge of JUNOS (free trainings are available) but is meant as a guide to configure a complete system.
   • It helps you find the commands required for typical features and tasks and gives brief, working examples.
   • Navigation: click the icon in the top right corner to get to the Jump Station Central; click the chapter buttons to get to the desired chapters.
   • If you need more in-depth information or details of the underlying concepts, consult the documentation or attend a training.
   • This collection cannot replace the full JUNOS documentation or trainings and cannot cover all parameters available for a given feature.

3. JUMP STATION CENTRAL (chapter map)
   Sections: Basics; Network; Firewall; Manage, Log, Monitor; AppFirewall, IDP and UTM; VPN; Toolbox; Troubleshooting; High Availability; More.
   Chapters: Login, Control- & Dataplane, CLI, Zones, Packet Flow, Licenses, Software Upgrade, Boot loader & Flash, Reset to Factory Default, Docs & Papers, Further Information, Interfaces, Switching, Trunk & LAG, Link Redundancy, Routing (OSPF, BGP), Multicast, PPPoE & DSL, DHCP, DNS, Time & NTP, IPv6, Virtualize (VR + LSys), Transparent Mode, Class of Service, Policies, Flow & ALG, NAT, Screens & Defense, Access list, Policy-based VPN, Route-based VPN, Dynamic VPN, VPNs with Certificates, VPN Diagnostics, UAC Enforcer, Admin User Role & Auth, Inband or Outband, SNMP & RMON, Netflow, Logging & Syslog, Port Mirroring, Space, NSM, STRM, Automation & Scripting, AppSecure Overview, AppFirewall, AppTrack, AppDDOS, IDP, UTM Antivirus, UTM Webfilter, Monitor Commands, Log files, Debug Flow, Packet Capture, Debug VPN, Interface Monitoring, Cluster Overview, Cluster Interfaces, Cluster Setup, Cluster States, Failover Behavior, Cluster & NSM, Nice Stuff.

4. JUNOS BASICS

5. DOCUMENTATION AND GUIDES

6. THE RIGHT PLACE FOR SRX HARDWARE AND SOFTWARE DOCUMENTATION
   Use the following link:

7. ADDITIONAL USEFUL INFORMATION SOURCES
   Day One Booklets
     http://www.juniper.net/us/en/community/junos/training-certification/day-one/
   Feature Explorer and Content Explorer
     http://pathfinder.juniper.net/feature-explorer/
     http://www.juniper.net/techpubs/content-applications/content-explorer/
   Feature Support Reference Guide
     https://www.juniper.net/techpubs/en_US/junos12.1/information-products/pathway-pages/security/feature-support-reference.html?chap-feature-support-tables.html
   SRX Knowledgebase (Jump Station)
     http://kb.juniper.net/KB15694
   SRX Knowledgebase (list of the latest SRX articles)
     http://kb.juniper.net/index?page=content&cat=SRX_SERIES&channel=KB
   SRX Application Notes
     http://www.juniper.net/us/en/products-services/security/srx-series/#literature
   JUNOS Network Configuration Examples
     http://www.juniper.net/techpubs/en_US/junos/information-products/pathway-pages/nce/index.html
   Juniper Forum
     Configuration Library: http://forums.juniper.net/t5/Configuration-Library/bd-p/ConfigLib
     Day One Tips: http://forums.juniper.net/t5/Day-One-Tips-Contest/bd-p/DayOneContest
8. CONTROL PLANE AND DATA PLANE

9. JUNOS SOFTWARE FEATURES (1 OF 2)
   JUNOS software for SRX-series services gateways includes the following elements:
   • JUNOS software as the base operating system
   • Session-based forwarding
   • Some ScreenOS-like security features
   Packet-based features:
   • Control plane OS
   • Routing protocols
   • Forwarding features: per-packet stateless filters, policers, CoS
   • J-Web

10. JUNOS SOFTWARE FEATURES (2 OF 2)
   Session-based features:
   • Implements some ScreenOS features and functionality through the use of new daemons
   • The first packet of a flow triggers session creation based on: source and destination IP address, source and destination port, protocol, session token
   • Zone-based security features: a packet on the incoming interface is associated with the incoming zone; a packet on the outgoing interface is associated with the outgoing zone
   • Core security features: firewall, VPN, NAT, ALGs, IDP, and SCREEN options

11. CONTROL PLANE VERSUS DATA PLANE
   Control plane (implemented on the Routing Engine): JUNOS software kernel, daemons, chassis management, user interface, routing protocols, system monitoring, clustering control
   Data plane (implemented on the IOCs and SPCs): forwarding packets, session setup and maintenance, load balancing, security policy, screen options, IDP, VPN
12. LOGIN

13. LOGIN
   In the factory default state, log in as user "root"; the password is empty.
     Amnesiac (ttyd0)
     login: root
     ********************************************************************
     ** Welcome to JUNOS:                                              **
     **                                                                **
     ** To run the console configuration wizard, please run the        **
     ** command 'config-wizard' at the 'root%' prompt.                 **
     **                                                                **
     ** To enter the JUNOS CLI, please run the command 'cli'.          **
     ********************************************************************
     root@% cli
     root>
   Set a root password before the device is connected to a network: JUNOS refuses to commit a configuration that has no root-authentication statement, and the branch factory default allows all system services on the trust zone.

14. LOGIN
   Non-root users are placed into the CLI automatically; the root user must start the CLI from the shell.
   Do not forget to exit the root shell after logging out of the CLI!
   Shell prompt and CLI prompt:
     switch (ttyu0)
     login: user
     Password:
     --- JUNOS 9.1R2.10 built 2008-07-01 04:34:43 UTC
     user@switch>

     switch (ttyu0)
     login: root
     Password:
     --- JUNOS 9.1R2.10 built 2008-07-01 04:34:43 UTC
     root@switch% cli
     root@switch>
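The two login slides above show a box with an empty root password and nothing limiting who may reach the management plane. The following set commands are added here as an example of how a practitioner would harden that before the box goes live; they are not part of the original slides. The user name admin, the login class ADMIN, the management prefix 192.0.2.0/24 and the filter name PROTECT-RE are assumptions for the example; the zone statements refer to the branch factory default, which allows all system services on zone trust.

```junos
# Added example, not from the original slides. admin, ADMIN, 192.0.2.0/24 and
# PROTECT-RE are assumed names and values.

# Root: set a password (the CLI prompts for it) and keep root off SSH entirely.
set system root-authentication plain-text-password
set system services ssh root-login deny
set system services ssh protocol-version v2
set system services ssh connection-limit 5
set system services ssh rate-limit 5

# Daily administration through a named user in a custom class with an idle
# timeout, so a CLI left open on the console is closed automatically.
set system login class ADMIN permissions all
set system login class ADMIN idle-timeout 10
set system login user admin uid 2001
set system login user admin class ADMIN
set system login user admin authentication plain-text-password

# Slow down password guessing on console and SSH.
set system login retry-options tries-before-disconnect 3
set system login retry-options backoff-threshold 2
set system login retry-options backoff-factor 5

# If J-Web over plain HTTP is enabled (it is in the branch factory default),
# remove it and keep only HTTPS, if J-Web is needed at all.
delete system services web-management http
set system services web-management https system-generated-certificate

# Replace the factory default "system-services all" on zone trust with the
# services that are actually used. The zone list is the coarse gate ...
delete security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services https
set security zones security-zone trust host-inbound-traffic system-services ping

# ... and a filter on lo0 restricts management to the assumed management prefix.
# On SRX a lo0 input filter applies to all traffic destined to the Routing Engine.
set policy-options prefix-list MGMT-NETS 192.0.2.0/24
set firewall family inet filter PROTECT-RE term MGMT from source-prefix-list MGMT-NETS
set firewall family inet filter PROTECT-RE term MGMT from protocol tcp
set firewall family inet filter PROTECT-RE term MGMT from destination-port [ ssh https ]
set firewall family inet filter PROTECT-RE term MGMT then accept
set firewall family inet filter PROTECT-RE term DROP-MGMT from protocol tcp
set firewall family inet filter PROTECT-RE term DROP-MGMT from destination-port [ ssh https http telnet ]
set firewall family inet filter PROTECT-RE term DROP-MGMT then discard
set firewall family inet filter PROTECT-RE term ALLOW-REST then accept
set interfaces lo0 unit 0 family inet filter input PROTECT-RE

# Verify before committing: the candidate must still contain root-authentication,
# and the diff should show no remaining "system-services all".
# show | compare
# commit check
```

The order matters for a remote session: commit the user and SSH changes first (ideally with `commit confirmed`), then the zone and lo0 filter changes, so a typo in MGMT-NETS cannot lock you out without an automatic rollback.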
15. CLI BASICS

16. CLI MODES
   Shell (when you log in as root): the % character identifies shell mode
     root% cli
     root>
   CLI operational mode: the > character identifies operational mode
     user@switch>
   CLI configuration mode: the # character identifies configuration mode; exit returns to operational mode
     user@switch> configure
     [edit]
     user@switch# exit
     user@switch>

17. CLI HIERARCHY
   Execute commands (mainly) from the operational-mode level (user@switch>).
   • Commands can be executed from configuration mode with the run command.
   • Commands form a hierarchy from less specific to more specific, e.g. show spanning-tree interface:
     top level: clear, configure, help, monitor, set, show, etc.
     show: bridge, interface, dot1x, spanning-tree, version, etc.
     show spanning-tree: interface, mstp, statistics, configuration, etc.

18. CLI EDITING
   EMACS-style editing sequences are supported; a VT100 terminal type also supports the arrow keys.
   Keyboard sequence and resulting cursor position (on the line user@switch> show interfaces):
   • Ctrl+b  move the cursor back one character
   • Ctrl+a  move the cursor to the beginning of the line
   • Ctrl+f  move the cursor forward one character
   • Ctrl+e  move the cursor to the end of the line

19. COMMAND AND VARIABLE COMPLETION
   Enter a space to complete a command:
     user@host> sh<space>ow i<space>
     'i' is ambiguous.
     Possible completions:
       igmp        Show Internet Group Management Protocol...
       ike         Show Internet Key Exchange information
       interfaces  Show interface information
       ipsec       Show IP Security information
       isis        Show Intermediate System-to-Intermediate...
     user@host> show i
   Use the Tab key to complete an assigned variable:
     [edit policy-options]
     user@host# show policy-statement t<tab>his-is-my-policy
     then accept;
     [edit policy-options]
     user@host#

20. CONTEXT-SENSITIVE HELP
   Type ? anywhere on the command line:
     user@host> ?
     Possible completions:
       clear      Clear information in the system
       configure  Manipulate software configuration information
       file       Perform file operations
       help       Provide help information
       . . .
     user@host> clear ?
     Possible completions:
       arp        Clear address resolution information
       bfd        Clear Bidirectional Forwarding Detection information
       bgp        Clear Border Gateway Protocol information
       firewall   Clear firewall counters
       . . .

21. SHOW CURRENT CONFIGURATION
   ScreenOS style (set commands):
     root@J6350> show config | display set
     set version 9.3R2.8
     set system host-name J6350
     set system root-authentication encrypted-password "$1$QOLKoFKc$D/rIuLTkLP1BX9/GjQ.yN."
     set system name-server 172.30.80.65
     set system login user lab uid 2000
     set system login user lab class super-user
     ........
   JUNOS style (hierarchical):
     root@J6350> show config
     ## Last commit: 2009-03-18 10:27:20 UTC by lab
     version 9.3R2.8;
     system {
         host-name Demo-081-111-J6350;
         root-authentication {
             encrypted-password "$1$QOLKoFKc$D/rIuLTkLP1BX9/GjQ.yN."; ## SECRET-DATA
         }
         name-server {
             172.30.80.65;
         }
         login {
             user lab {
                 uid 2000;
                 class super-user;
         ........
   Both forms print password hashes (marked SECRET-DATA); treat saved or pasted configurations as sensitive.

22. CONFIGURATION, CANDIDATE, COMMIT, ROLLBACK

23. COMMANDS IN CONFIGURATION MODE (1)

24. COMMANDS IN CONFIGURATION MODE (2)

25. COPY/PASTE CONFIGURATIONS
   To paste and override the whole configuration (load replace terminal replaces only the hierarchies tagged with "replace:", load override terminal replaces everything):
     SRX# load override terminal
     [Type ^D at a new line to end input]
     system {
     ........
   To paste and add pieces of configuration:
     SRX# load merge terminal <relative>
     [Type ^D at a new line to end input]
     system {
     ........
   To paste configuration written with "set" commands:
     SRX# load set terminal <relative>
     [Type ^D at a new line to end input]
     set system ....
26. CONTROL AND FORWARDING PLANE OF A JUNOS ROUTER

27. NETWORK

28. INTERFACES

29. INTERFACE NUMBERING
   Interface name = <Interface Type>-<Slot>/<Module>/<Port>.<logical unit>; all numbers start from 0.
   Examples:
     ge-0/1/2.3  Gigabit Ethernet interface (slot 0, module 1, port 2, logical unit 3)
     fe-0/1/2.3  Fast Ethernet interface
     st0.0       first secure tunnel interface (VPN tunnel)
     lo0         first loopback interface
   Many commands accept wildcards in interface names, e.g.:
     show interfaces ge-0/0/*
   For a list of interface types see http://www.juniper.net/techpubs/software/JUNOS/JUNOS96/swconfig-network-interfaces/frameset.html
30. SWITCHING

31. SWITCHING ON FIREWALLS?
   • Switching features on the firewall can help simplify the network by eliminating additional switches. This can be a commercial and management advantage, especially in small branch offices.
   • Switching is possible on branch SRX models (SRX100 ... SRX650) and J-Series with uPIM modules.
   • Switching is not available (and not needed) on high-end SRX.
   • Switching is done in hardware; full throughput can be achieved without consuming CPU performance.
   • Since JUNOS 10.0 the smaller SRX (100 ... 240) have switching enabled on all interfaces (except ge-0/0/0) in the factory default configuration.

32. SWITCHING: DEFAULT CONFIGURATION ON SRX210 WITH JUNOS 10.0
     # An internal VLAN (vlan-trust) is defined to allow switching between several interfaces
     set vlans vlan-trust vlan-id 3
     # The interface vlan unit 0 is assigned to this VLAN as its Layer 3 interface
     set vlans vlan-trust l3-interface vlan.0
     # This Layer 3 interface has an IP address that is reachable from all hosts in its VLAN.
     # In branch deployments this is typically the gateway address.
     set interfaces vlan unit 0 family inet address 192.168.1.1/24
     # All physical interfaces of the SRX210 except ge-0/0/0 are assigned
     # to an interface-range with the name interfaces-trust
     set interfaces interface-range interfaces-trust member ge-0/0/1
     set interfaces interface-range interfaces-trust member fe-0/0/2
     set interfaces interface-range interfaces-trust member fe-0/0/3
     set interfaces interface-range interfaces-trust member fe-0/0/4
     set interfaces interface-range interfaces-trust member fe-0/0/5
     set interfaces interface-range interfaces-trust member fe-0/0/6
     set interfaces interface-range interfaces-trust member fe-0/0/7
     # The interface-range is assigned to the VLAN vlan-trust
     set interfaces interface-range interfaces-trust unit 0 family ethernet-switching vlan members vlan-trust
     # It's a firewall, so the interface is mapped to zone trust, where all services are enabled
     set security zones security-zone trust interfaces vlan.0
     set security zones security-zone trust host-inbound-traffic system-services all
     set security zones security-zone trust host-inbound-traffic protocols all
   Note: "system-services all" and "protocols all" expose every management service and routing protocol on the LAN side; restrict both to what is actually used once the device is in production.

33. SWITCHING: ANOTHER CONFIGURATION EXAMPLE
     # Before you can add an interface to switching you probably have to remove existing assignments.
     # If there is an IP address assigned to the interface you have to remove it
     delete interfaces fe-0/0/2 unit 0 family inet
     # If the interface is a member of an interface-range in use, you have to untie it
     delete interfaces interface-range .... member fe-0/0/2
     # Specify a VLAN which will be used for switching
     set vlans VLAN-100 vlan-id 100
     # Configure Ethernet switching on the interfaces that are part of the VLAN.
     # The default for new switching interfaces is access mode (= untagged)
     set interfaces fe-0/0/2 unit 0 family ethernet-switching
     set interfaces fe-0/0/3 unit 0 family ethernet-switching
     # Assign these interfaces to the desired VLAN
     set vlans VLAN-100 interface fe-0/0/2.0
     set vlans VLAN-100 interface fe-0/0/3.0
     # Configure a VLAN interface with an IP address for this VLAN
     set interfaces vlan unit 100 family inet address 192.168.1.1/24
     # Assign this VLAN interface as the Layer 3 interface of this VLAN
     set vlans VLAN-100 l3-interface vlan.100
     # It's a firewall, so the VLAN interface must also be in a zone
     set security zones security-zone trust interfaces vlan.100
     # Allow services on the VLAN interface if desired
     set security zones security-zone trust interfaces vlan.100 host-inbound-traffic ....

34. SWITCHING: TROUBLESHOOTING COMMANDS
     # Show which VLANs exist and which interfaces are assigned
     show vlans [detail]
     # History of MACs added and removed
     show ethernet-switching mac-learning-log
     # Current MAC table
     show ethernet-switching table
     # Current MAC table for a certain interface
     show ethernet-switching table interface fe-0/0/2

35. ETHERNET SWITCHING ON BRANCH SRX: SUPPORTED INTERFACES
   Original table columns: Platform | On-Board | uPIM | MPIM | XPIM (the support marks did not survive the transcript)
   Platforms: J2320, J2350, J4350, J6350, SRX100, SRX110, SRX210 (*), SRX220 (*), SRX240 (*), SRX550 (* **), SRX650 (**)
   * Ethernet switching support is planned for a future release for the 1 Gigabit Ethernet SFP MPIM on the SRX210, SRX220, SRX240 and SRX550.
   ** As of JUNOS OS Release 12.1, Ethernet switching is not supported on the 10G XPIM.

36. REMARKS
   • The configuration syntax for all supported features is exactly the same as on the EX switches. The Feature Support Reference documentation explains which switching features are supported.
   • There are some dependencies on which ports can be used for switching (see documentation).
   • Before 11.1, switching was only available on stand-alone units: a commit in a cluster was only possible when all switching configuration had been removed, on the assumption that HA cluster designs use external switches.
   • Since 11.1, switching is also supported on branch SRX clusters and can even span the two cluster members. This requires an additional link between the two nodes.
37. ROUTING

38. STATIC ROUTES: CONFIGURATION
     # Host route
     set routing-options static route 10.2.2.1/32 next-hop 10.1.1.254
     # Network route
     set routing-options static route 10.2.2.0/24 next-hop 10.1.1.254
     # Default route
     set routing-options static route 0.0.0.0/0 next-hop 10.1.1.254
     # Route to an interface: useful for point-to-point interfaces like pppoe, vpn-tunnel, gre-tunnel
     set routing-options static route 0.0.0.0/0 next-hop pp0.0
     set routing-options static route 10.1.1.0/24 next-hop st0.0
     # Route to another virtual router
     set routing-options static route 10.0.0.100/32 next-table Logging.inet.0
     # Example definition of the VR named Logging referenced above
     set routing-instances Logging instance-type virtual-router
     set routing-instances Logging interface ge-0/0/7.0
     # A network route to discard any traffic that did not hit a more specific route.
     # Black hole routes can save policy-lookup performance or avoid rerouting
     # in case of interface failures (example: VPN is down)
     set routing-options static route 0.0.0.0/0 discard
   Note: a discard route for the remote VPN subnet prevents that traffic from following the default route in clear text while the tunnel is down; give it a worse preference than the tunnel route so it only takes effect when the tunnel route disappears.

39. STATIC ROUTES: ROUTE FAILOVER WITH IP-MONITORING
     # Since 11.4 all branch SRX support IP-monitoring and automatic route failover.
     # See KB22052 for configuration details of a dual-ISP connection with RPM for
     # IP-monitoring and filter-based forwarding for load distribution.
     set services ip-monitoring policy Server-Tracking match rpm-probe Probe-Server
     # installs the route in the first routing instance
     set services ip-monitoring policy Server-Tracking then preferred-route routing-instances FBF-1 route 0.0.0.0/0 next-hop 2.2.2.2
     set services ip-monitoring policy Server-Tracking1 match rpm-probe Probe-Server1
     # installs the route in the second routing instance
     set services ip-monitoring policy Server-Tracking1 then preferred-route routing-instances FBF-2 route 0.0.0.0/0 next-hop 1.1.1.1

40. STATIC ROUTES: MONITORING
     # Display the routing table
     root@J2300> show route
     inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
     + = Active Route, - = Last Active, * = Both
     0.0.0.0/0          *[Static/5] 01:13:15
                         > to 172.16.42.1 via fe-0/0/0.0
     10.2.2.0/24        *[Static/5] 00:00:05
                         > to 172.16.42.1 via fe-0/0/0.0
     172.16.42.0/24     *[Direct/0] 01:13:15
                         > via fe-0/0/0.0
     172.16.42.230/32   *[Local/0] 01:21:12
                           Local via fe-0/0/0.0
     224.0.0.9/32       *[RIP/100] 01:21:37, metric 1
                           MultiRecv
     # Route lookup for a certain destination
     root@J2300> show route 20.0.0.1
     # Routing table overview
     root@J2300> show route summary
     # Forwarding table (includes all active routes, visible to the data plane)
     root@J2300> show route forwarding-table
41. OSPF CONFIGURATION
     # Enable OSPF on an interface
     set protocols ospf area 0.0.0.0 interface ge-0/0/0.0
     # And permit OSPF traffic into the zone of that interface
     set security zones security-zone <zone-name> host-inbound-traffic protocols ospf
     # Recommended: use the loopback interface
     set interfaces lo0 unit 0 family inet address 192.168.1.2/32
     set protocols ospf area 0.0.0.0 interface lo0.0 passive
     # Option: specify your own router-id
     set routing-options router-id 192.168.1.2
     # To get direct interface routes announced you can add the interfaces to OSPF in passive mode
     set protocols ospf area 0.0.0.0 interface vlan.100 passive
     # Option: negotiate graceful restart
     set routing-options graceful-restart
     # On SRX clusters, for RG0 failover you might have to extend the OSPF timers to survive
     # a dead interval of 5-20 seconds and also use the following setting:
     set protocols ospf graceful-restart no-strict-lsa-checking

42. RIP CONFIGURATION
     # RIP requires a group; all interfaces are attached to this group as neighbors
     set protocols rip group RIP neighbor ge-0/0/0.0
     set protocols rip group RIP neighbor ge-0/0/1.0
     # And permit RIP traffic into the zones of these interfaces
     set security zones security-zone TRUST host-inbound-traffic protocols rip
     # You can add IPsec tunnel interfaces with relaxed RIP update timers.
     # You can even work with tunnel interfaces using next-hop tunnel binding (NHTB)
     set protocols rip group RIP neighbor st0.0 interface-type p2mp
     set protocols rip group RIP neighbor st0.0 dynamic-peers
     set interfaces st0 unit 0 multipoint
     # Option: negotiate graceful restart
     set routing-options graceful-restart
     # Export routes into the RIP group via a policy-options filter
     set policy-options policy-statement FILTER term a from route-filter 1.2.3.0/24 exact
     set policy-options policy-statement FILTER term a then accept
     set policy-options policy-statement FILTER term drop then reject
     set protocols rip group RIP export FILTER

43. OSPF MONITORING
     # See neighbors and state
     root> show ospf neighbor
     Address        Interface      State  ID             Pri  Dead
     10.222.2.2     ge-0/0/11.0    Full   192.168.36.1   128  36
     # Link state database
     root> show ospf database

44. OSPF IMPORT/EXPORT FILTER (POLICY-OPTIONS)
     # OSPF by default imports everything (into the routing table) and exports only the routes of
     # interfaces that are (active) members of the same OSPF area.
     # To export any other routes, or to filter inbound routes, you need routing policy filters.
     # Example filter to export all local static and all direct routes
     edit policy-options policy-statement ALL-LOCAL
     set term 1 from protocol direct
     set term 1 then accept
     set term 2 from protocol static
     set term 2 then accept
     top
     set protocols ospf export ALL-LOCAL
     # Example filter to export only a certain route (which must exist in the routing table)
     edit policy-options policy-statement JUST-ONE
     set term 1 from route-filter 172.10.0.0/16 exact
     set term 1 then metric 10
     set term 1 then accept
     top
     set protocols ospf export JUST-ONE
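The OSPF slides above enable the protocol and export routes but leave the adjacency unauthenticated and the export open-ended. The following configuration is added here as a worked example that is not part of the original slides; it shows what a practitioner would add on an SRX that participates in an OSPF area: MD5 authentication on the only interface that forms adjacencies, passive mode everywhere else, and an export policy that redistributes exactly the statics we own. The zone name core, the prefix 10.20.0.0/16, the policy name OSPF-EXPORT and the key placeholder are assumptions for the example.

```junos
# Added example, not from the original slides. Zone "core", 10.20.0.0/16,
# OSPF-EXPORT and the key are assumed values.

# Form adjacencies only on the backbone interface and authenticate them:
# an unauthenticated OSPF interface accepts LSAs from anything that can reach it.
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 authentication md5 1 key "<shared-key>"
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 hello-interval 10
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 dead-interval 40

# Loopback and LAN interfaces are advertised but never form adjacencies.
set interfaces lo0 unit 0 family inet address 192.168.1.2/32
set routing-options router-id 192.168.1.2
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set protocols ospf area 0.0.0.0 interface vlan.100 passive

# OSPF packets are allowed on the interface where the neighbor lives, and only there
# (interface-level host-inbound-traffic instead of the whole zone).
set security zones security-zone core interfaces ge-0/0/0.0 host-inbound-traffic protocols ospf

# Export policy: redistribute only the static routes covered by OWN-STATICS as
# external type 1 with a fixed metric; reject everything else so that a default
# route or a customer static never leaks into the area.
set policy-options prefix-list OWN-STATICS 10.20.0.0/16
set policy-options policy-statement OSPF-EXPORT term OWN from protocol static
set policy-options policy-statement OSPF-EXPORT term OWN from prefix-list-filter OWN-STATICS orlonger
set policy-options policy-statement OSPF-EXPORT term OWN then metric 10
set policy-options policy-statement OSPF-EXPORT term OWN then external type 1
set policy-options policy-statement OSPF-EXPORT term OWN then accept
set policy-options policy-statement OSPF-EXPORT term DENY then reject
set protocols ospf export OSPF-EXPORT

# Verify from configuration mode: adjacency state, and that the only external
# LSAs originated by this router are the intended prefixes.
# run show ospf neighbor
# run show ospf database external
```

Both "from" conditions in term OWN must match (protocol static AND prefix within OWN-STATICS), so a static route outside 10.20.0.0/16 falls through to DENY; test the policy with `test policy OSPF-EXPORT 0.0.0.0/0` before committing.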
45. BGP CONFIGURATION
     # Example configuration with two AS
     # Permit BGP traffic on the zone or interface(s) where you reach your peer(s)
     set security zones security-zone trust host-inbound-traffic protocols bgp
     # Recommended: use the loopback interface
     set interfaces lo0 unit 0 family inet address 1.1.1.2/32
     # Specify your own AS and your router-id
     set routing-options autonomous-system 1234
     set routing-options router-id 1.1.1.2
     # Specify peer(s)
     edit protocols bgp group UPSTREAM
     set local-address 1.1.1.2
     set peer-as 64005
     set local-as 64006
     set neighbor 1.1.1.1 export BGP-EXPORT-POLICY
     top
     # A policy for which routes to export
     set policy-options policy-statement BGP-EXPORT-POLICY from protocol direct
     set policy-options policy-statement BGP-EXPORT-POLICY then accept
     # Option: static routes that are not redistributed
     set routing-options static route 1.1.2.0/24 no-readvertise
     # Option: specify how to aggregate routes
     set routing-options aggregate route 1.1.0.0/20 [ policy ... ]
   Note: without an import policy every prefix the peer sends is accepted, and the export policy above announces all direct routes, including the peering link; see the BGP monitoring commands on the next slide to check both directions.
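The slide above accepts whatever the peer sends and exports every direct route. The following configuration is added here as a worked example that is not part of the original slides; it adds the controls a practitioner puts on an eBGP session to an upstream: an import policy that rejects bogons, our own prefix, the default route and anything longer than /24, an export policy that announces only our aggregate, TCP MD5 authentication, a prefix limit and interface-scoped host-inbound-traffic. The AS numbers, the prefix 203.0.113.0/24, the peering addresses 198.51.100.1/.2 and the zone name untrust are assumptions for the example.

```junos
# Added example, not from the original slides. AS numbers, 203.0.113.0/24,
# 198.51.100.0/30, the key and zone "untrust" are assumed values.
set routing-options autonomous-system 64512
set routing-options router-id 198.51.100.2
# Our own prefix, generated from its contributing routes, is the only thing announced.
set routing-options aggregate route 203.0.113.0/24

# Import policy: reject what should never arrive from an upstream.
set policy-options prefix-list BOGONS 0.0.0.0/8
set policy-options prefix-list BOGONS 10.0.0.0/8
set policy-options prefix-list BOGONS 100.64.0.0/10
set policy-options prefix-list BOGONS 127.0.0.0/8
set policy-options prefix-list BOGONS 169.254.0.0/16
set policy-options prefix-list BOGONS 172.16.0.0/12
set policy-options prefix-list BOGONS 192.168.0.0/16
set policy-options prefix-list BOGONS 224.0.0.0/3
set policy-options policy-statement BGP-IMPORT-POLICY term BOGONS from prefix-list-filter BOGONS orlonger
set policy-options policy-statement BGP-IMPORT-POLICY term BOGONS then reject
# Our own space must never be learned from outside (route hijack of ourselves).
set policy-options policy-statement BGP-IMPORT-POLICY term OWN from route-filter 203.0.113.0/24 orlonger
set policy-options policy-statement BGP-IMPORT-POLICY term OWN then reject
set policy-options policy-statement BGP-IMPORT-POLICY term DEFAULT from route-filter 0.0.0.0/0 exact
set policy-options policy-statement BGP-IMPORT-POLICY term DEFAULT then reject
set policy-options policy-statement BGP-IMPORT-POLICY term TOO-LONG from route-filter 0.0.0.0/0 prefix-length-range /25-/32
set policy-options policy-statement BGP-IMPORT-POLICY term TOO-LONG then reject
set policy-options policy-statement BGP-IMPORT-POLICY term ACCEPT then accept

# Export policy: only the aggregate; directs, statics and learned routes are rejected.
set policy-options policy-statement BGP-EXPORT-POLICY term OWN from protocol aggregate
set policy-options policy-statement BGP-EXPORT-POLICY term OWN from route-filter 203.0.113.0/24 exact
set policy-options policy-statement BGP-EXPORT-POLICY term OWN then accept
set policy-options policy-statement BGP-EXPORT-POLICY term DENY then reject

# The eBGP session: authenticated, policy in both directions, and torn down if the
# peer sends more prefixes than expected (a leaked full table would otherwise be installed).
set protocols bgp group UPSTREAM type external
set protocols bgp group UPSTREAM peer-as 64496
set protocols bgp group UPSTREAM authentication-key "<shared-secret>"
set protocols bgp group UPSTREAM import BGP-IMPORT-POLICY
set protocols bgp group UPSTREAM export BGP-EXPORT-POLICY
set protocols bgp group UPSTREAM family inet unicast prefix-limit maximum 1000
set protocols bgp group UPSTREAM family inet unicast prefix-limit teardown 80 idle-timeout 60
set protocols bgp group UPSTREAM log-updown
set protocols bgp group UPSTREAM neighbor 198.51.100.1

# BGP is allowed only on the interface facing the peer, not on the whole zone.
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic protocols bgp

# Verify what actually crossed the policies (configuration mode):
# run show route receive-protocol bgp 198.51.100.1
# run show route advertising-protocol bgp 198.51.100.1
```

`show route receive-protocol` shows the post-policy view by default; add `hidden` to `show route` to see what the import policy rejected, and `show bgp neighbor 198.51.100.1` reports whether the MD5 option was negotiated and how close the session is to its prefix limit.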
46. BGP MONITORING
     show bgp neighbor
     show bgp summary
     show route summary
     # Which routes did we receive from a neighbor
     show route receive-protocol bgp <peer-ip>
     # Which routes do we send to a neighbor
     show route advertising-protocol bgp <peer-ip>

47. IS-IS CONFIGURATION
     set interfaces ge-0/0/1 unit 0 family iso
     set interfaces ge-0/0/2 unit 0 family iso
     set interfaces lo0 unit 0 family iso address 49.0002.0002.0002.00
     set protocols isis interface ge-0/0/1.0
     set protocols isis interface ge-0/0/2.0
     set protocols isis interface lo0.0 passive
48. TUNNEL INTERFACES

49. TUNNEL INTERFACES: GRE - GENERIC ROUTING ENCAPSULATION
     # Typical use cases for GRE tunnels are
     # - OSPF over GRE with non-Juniper routers
     # - Multicast over GRE with non-Juniper routers
     set interfaces gr-0/0/0 unit 0 tunnel source 10.0.0.1
     set interfaces gr-0/0/0 unit 0 tunnel destination 10.0.0.2
     set interfaces gr-0/0/0 unit 0 family inet address 10.1.0.1/30
     set protocols ospf area 0.0.0.0 interface gr-0/0/0.0
     set security zones security-zone vpn host-inbound-traffic protocols ospf
     set security zones security-zone vpn interfaces gr-0/0/0.0
     # MTU adjustments might be necessary because the GRE default MTU is ~9000.
     # When fragmentation happens in a GRE tunnel there are two options for reassembly:
     # a) use IDP inspection on the traffic leaving the tunnel
     # b) since JUNOS 11.2 you can apply the following command
     set security flow force-ip-reassembly
   GRE itself has neither authentication nor encryption: keep the tunnel in its own zone (as above) and write the policies for it as for any untrusted interface, or run it inside IPsec.

50. TUNNEL INTERFACES: LOGICAL TUNNEL
     # A logical tunnel can be used like a physical wire between two interfaces of an SRX.
     # Typical use cases are:
     # - forwarding between a VR in packet mode and a VR in flow mode
     # - forwarding between VRs to apply two policies to one session
     # - intra-LSys traffic (all LSys have one tunnel to LSys0)
     # Logical tunnel interfaces
     set interfaces lt-0/0/0 unit 0 encapsulation ethernet
     set interfaces lt-0/0/0 unit 0 peer-unit 1
     set interfaces lt-0/0/0 unit 0 family inet
     set interfaces lt-0/0/0 unit 1 encapsulation ethernet
     set interfaces lt-0/0/0 unit 1 peer-unit 0
     set interfaces lt-0/0/0 unit 1 family inet
     # And now use them between two VRs
     set routing-instances r1 interface lt-0/0/0.0
     set routing-instances r2 interface lt-0/0/0.1

51. TUNNEL INTERFACES: IP OVER IP
     # This example forwards all IPv6 traffic encapsulated in IPv4 to 10.19.3.1
     set interfaces ip-0/0/0 unit 0 tunnel source 10.19.2.1
     set interfaces ip-0/0/0 unit 0 tunnel destination 10.19.3.1
     set interfaces ip-0/0/0 unit 0 family inet6 address 7019::1/126
     set routing-options rib inet6.0 static route ::/0 next-hop ip-0/0/0.0
52. MULTICAST

53. IPV4 MULTICAST CONFIGURATION (1)
     # IGMP allows receivers to join/leave a group
     # Version 1 had join only and a 3 minute timeout
     # Version 2 (default) allows receivers to join and leave
     # Version 3 additionally allows selecting the source IP of the sender
     set protocols igmp interface reth2.0 version 3
     # Enable PIM to communicate with the multicast routers in the distribution tree
     set protocols pim interface reth1.0
     # Finding the rendezvous point
     # Option 1: static rendezvous point on another router
     set protocols pim rp static address 192.168.1.1
     # Option 2: we are the rendezvous point ourselves; in this case the loopback interface is best practice
     set interfaces lo0 unit 0 family inet address <IP-for-RP>/32
     set protocols pim rp local address <IP-for-RP>
     # Other options supported for RP selection: Anycast, Bootstrap, Auto-RP
     # Best practice for multicast routing: PIM sparse mode with Anycast RP (dense mode uses no RP)
     # Check the technote: Multicast Implementation Guide

54. IPV4 MULTICAST CONFIGURATION (2)
     # Allow IGMP on all interfaces where we expect receivers to join
     set security zones security-zone A interfaces reth1.0 host-inbound-traffic protocols igmp
     set security zones security-zone B interfaces reth2.0 host-inbound-traffic protocols igmp
     # Allow PIM on all interfaces where we expect distribution routers
     set security zones security-zone A interfaces reth1.0 host-inbound-traffic protocols pim
     set security zones security-zone B interfaces reth2.0 host-inbound-traffic protocols pim
     # All interfaces can also be in a custom VR
     # IGMP configuration is not in VR context
     set protocols igmp interface reth20.0 version 3
     set routing-instances VR-MCAST instance-type virtual-router
     edit routing-instances VR-MCAST
     set interface vlan.3
     set interface vlan.10
     set interface vlan.20
     set interface vlan.30
     set protocols igmp interface vlan.20
     set protocols pim rp local address 10.0.42.110
     set protocols pim interface vlan.10
     top

55. IPV4 MULTICAST TROUBLESHOOTING
     # Monitoring
     show pim bootstrap [instance VR]
     show pim interfaces [instance VR]
     show pim join [instance VR]
     show pim mdt [instance VR]
     show pim neighbors [instance VR]
     show pim rps [instance VR]
     show pim source [instance VR]
     show pim statistics [instance VR]
     show igmp interface
     show igmp output-group
     show igmp statistics
     show multicast route
     show multicast rpf
     # tcpdump-style capture to watch PIM and IGMP packets
     monitor traffic interface vlan.10 no-resolve detail size 1500 matching "pim || igmp"
     # Debugging
     set protocols pim traceoptions file trace-pim
     set protocols pim traceoptions flag all
     set protocols igmp traceoptions file trace-igmp
     set protocols igmp traceoptions flag all
     # PIM to IGMP proxy
     show multicast pim-to-igmp-proxy

56. IPV4 MULTICAST FURTHER INFORMATION
     # Best practice for multicast routing: PIM sparse mode with Anycast RP
     # Check the technote: Multicast Implementation Guide
     # IGMP proxy is not available, but pim-to-igmp-proxy is (configured under routing-options multicast)
     set routing-options multicast pim-to-igmp-proxy upstream-interface ge-0/1/0.1
     # Important hint for multicast on an SRX cluster:
     # disable IGMP snooping on the surrounding switches to avoid outages after failover
     # Multicast configuration overview and examples
     http://www.juniper.net/techpubs/en_US/junos12.1/information-products/pathway-pages/config-guide-multicast/config-guide-multicast.html#configuration
     # Dense mode and debugging example
     http://kb.juniper.net/InfoCenter/index?page=content&id=KB24781
     # Multicast Implementation Guide (EX and MX)
     http://kb.juniper.net/library/CUSTOMERSERVICE/technotes/8010062-001-EN.pdf
  • 57. 57 Copyright © 2011 Juniper Networks, Inc. www.juniper.net IPV6
  • 58. 58 Copyright © 2011 Juniper Networks, Inc. www.juniper.net IPV6 CURRENT STATE (12.1) IPv6 firewalling - works in route mode with the following Features: - Policy/Zones/Flow/Fragment/HA/ [ FTP/TFTP/DNS ALG]/FW Auth - in Active/Passive Clusters since 10.0 - in Active/Active Clusters since 11.2 - IDP on Ipv6 in route mode since 11.4 - works in transparent mode with the following features since 11.4r3 Policy/Zones/Flow/Fragment/HA/ [ FTP/TFTP/DNS ALG]/FW Auth/Vlan Retagging/SNMP For more Details on IPv6 Feature Support in JUNOS 12.1 check this Documentation http://www.juniper.net/techpubs/en_US/junos12.1/topics/reference/general/security-feature-ipv6-support.html
• 59. 59 IPV6 DHCPV6 SERVER
# A DHCPv6 server for prefix delegation is available on High-End SRX
# The example below offers prefix delegation only (no exact IP assignment)
edit system services dhcp-local-server dhcpv6
set overrides interface-client-limit 100
set group GROUP1 interface ge-0/0/0.0
top
# The pool prefix must be aligned to its prefix length: with /48 only the first three
# hextets are network bits, so the pool is fd27:9816:dca8::/48 (a value like
# fd27:9816:dca8:1::/48 has host bits set and is not a valid /48 pool)
edit access address-assignment pool TRUSTv6 family inet6
set prefix fd27:9816:dca8::/48
set range RANGE1 prefix-length 64
top
# For exact IP assignment and DHCP options use these statements
edit access address-assignment pool TRUSTv6 family inet6
set dhcp-attributes dns-server ....
set dhcp-attributes options ....
set range RANGE1 high ...
set range RANGE1 low ...
top
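Added example (not part of the original deck): a small model of what the prefix-delegation pool above hands out. It checks that the pool prefix is aligned to its length, counts how many /64 delegations a /48 pool holds, and models the per-interface client limit (overrides interface-client-limit) with a simplified allocator. The allocator and its DUID-keyed lease table are assumptions for illustration, not the dhcp-local-server implementation.

```python
import ipaddress


def normalize_pool(pool_prefix: str):
    """Return (aligned, network) for a DHCPv6 pool prefix.

    Bits beyond the prefix length are host bits, so fd27:9816:dca8:1::/48
    is not an aligned pool: strict parsing rejects it, non-strict parsing
    shows the /48 it really covers.
    """
    try:
        return True, ipaddress.IPv6Network(pool_prefix)
    except ValueError:
        return False, ipaddress.IPv6Network(pool_prefix, strict=False)


def delegation_capacity(pool_prefix: str, delegated_len: int) -> int:
    """How many delegated prefixes of delegated_len fit into the pool."""
    _, net = normalize_pool(pool_prefix)
    if delegated_len < net.prefixlen:
        raise ValueError("delegated prefix must not be shorter than the pool")
    return 2 ** (delegated_len - net.prefixlen)


class PrefixDelegator:
    """Hands out one delegated prefix per client DUID, capped per interface.

    Simplified assumption: the cap behaves like interface-client-limit, the
    renewal of a known DUID returns the prefix it already holds.
    """

    def __init__(self, pool_prefix: str, delegated_len: int, client_limit: int):
        _, net = normalize_pool(pool_prefix)
        self._free = net.subnets(new_prefix=delegated_len)  # lazy generator
        self._limit = client_limit
        self._leases = {}  # (interface, duid) -> prefix string

    def request(self, interface: str, duid: str):
        key = (interface, duid)
        if key in self._leases:
            return self._leases[key]  # renewal keeps the same prefix
        on_ifl = sum(1 for ifl, _ in self._leases if ifl == interface)
        if on_ifl >= self._limit:
            return None  # client limit reached on this interface
        prefix = str(next(self._free))
        self._leases[key] = prefix
        return prefix


def demo_client_limit():
    """Three clients on one interface with a limit of two, then a renewal."""
    d = PrefixDelegator("fd27:9816:dca8::/48", 64, client_limit=2)
    first = d.request("ge-0/0/0.0", "duid-a")
    second = d.request("ge-0/0/0.0", "duid-b")
    third = d.request("ge-0/0/0.0", "duid-c")  # over the limit -> None
    renew = d.request("ge-0/0/0.0", "duid-a")  # same prefix again
    return [first, second, third, renew]
```

Run normalize_pool on the prefix you intend to configure before committing; a misaligned pool is the kind of typo that commits on some platforms and then delegates from a different range than intended.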
• 60. 60 IPV6 DIAGNOSTICS
show interfaces terse
# shows two IPv6 addresses for each interface:
# 2001:........ = global address
# fe80:x:x:x = link-local address
show route table inet6.0
show ipv6 neighbors
show ipv6 router-advertisement
# Interface traffic monitor, filtered to IPv6 only
monitor traffic interface ge-0/0/0.0 matching ip6 size 200 detail
# ping: the same command serves IPv4 and IPv6
ping 2001:638:c:a057::1
# force ping over IPv6 for a name that resolves to both address families
ping inet6 www.heise.de
# traceroute: same command as for IPv4
traceroute 2001:db8:0:6:202:b300:2215:595 source 2001:db8::5
# Monitoring the session table
show security flow session summary family [inet|inet6]
• 61. 61 IPV6 DYNAMIC ROUTING WITH RIPNG
# Enable the RIPng listener on the following interfaces
edit protocols ripng
edit group NEIGHBORS
set neighbor ge-0/0/0.0
set neighbor ge-0/0/1.0
set neighbor fe-0/0/2.0
set neighbor fe-0/0/3.0
top
# RIPng has no authentication of its own; only enable it on interfaces where every attached node is trusted
# To export routes you need an export policy (with a route filter)
edit policy-options policy-statement RIPNG-EXPORT
set term RIPNG from protocol ripng
set term RIPNG then accept
set term DIRECT from protocol direct
set term DIRECT from route-filter 2001:DB8::/32 orlonger
set term DIRECT then accept
top
# The policy must be applied to the RIPng group
set protocols ripng group NEIGHBORS export RIPNG-EXPORT
# Monitoring
show route receive-protocol ripng
show route advertising-protocol ripng
show route protocol ripng
• 62. 62 IPV6 DYNAMIC ROUTING WITH OSPFV3
# A loopback interface is best practice when using routing protocols
set interfaces lo0 unit 0 family inet address 10.0.0.210/32
# Specifying the router-id (as an IPv4 address) is also recommended
set routing-options router-id 10.0.0.210
# Enable the OSPFv3 listener on the following interfaces
edit protocols ospf3
set area 0 interface lo0.0 passive
set area 0 interface ge-0/0/0.0
set area 0 interface ge-0/0/1.0
set area 0 interface fe-0/0/2.0
set area 0 interface fe-0/0/3.0
top
# OSPFv3 carries no authentication field of its own; neighbor authentication relies on IPsec
# Monitoring commands
show ospf3 neighbor
show ospf3 overview
show ospf3 route
show ospf3 statistics
• 63. 63 IPV6 IMPROVED SECURITY
# Off-link malicious IPv6 nodes may spoof Neighbor Discovery messages to poison
# the router's ND cache. To mitigate, accept ND only from sources inside the interface's own subnets:
set protocols neighbor-discovery onlink-subnet-only
# A reboot after the commit is suggested to clear any bogus neighbor entries already in the cache
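Added example (not from the deck): the check that onlink-subnet-only enforces, written out so it can be run against captured ND messages. A source is accepted only if it is link-local or inside one of the interface's configured prefixes; the hop-limit 255 rule from RFC 4861 is applied as well, because any ND packet that crossed a router fails it. The message dictionaries and the prefix list are constructed sample input; the exact filtering order inside Junos is not documented on the page and is not claimed here.

```python
import ipaddress

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def is_onlink(src: str, interface_prefixes) -> bool:
    """True if src is link-local or inside one of the interface's prefixes."""
    addr = ipaddress.IPv6Address(src)
    if addr in LINK_LOCAL:
        return True
    return any(addr in ipaddress.IPv6Network(p, strict=False) for p in interface_prefixes)


def filter_nd(messages, interface_prefixes):
    """Split ND messages into (accepted, dropped).

    Dropped: off-link source (what onlink-subnet-only protects against) or a
    hop limit below 255 (the packet was forwarded, so it cannot be a neighbor).
    """
    accepted, dropped = [], []
    for msg in messages:
        ok = msg["hop_limit"] == 255 and is_onlink(msg["src"], interface_prefixes)
        (accepted if ok else dropped).append(msg)
    return accepted, dropped


# Constructed sample: the interface holds 2001:db8:1::/64. The third message
# comes from another subnet, the fourth was routed (hop limit decremented).
IFACE_PREFIXES = ["2001:db8:1::1/64"]
SAMPLE_ND = [
    {"type": "NA", "src": "2001:db8:1::10", "target": "2001:db8:1::10", "hop_limit": 255},
    {"type": "NS", "src": "fe80::1", "target": "2001:db8:1::1", "hop_limit": 255},
    {"type": "NA", "src": "2001:db8:2::1", "target": "2001:db8:1::10", "hop_limit": 255},
    {"type": "NA", "src": "2001:db8:1::10", "target": "2001:db8:1::10", "hop_limit": 64},
]


def dropped_sources(messages=SAMPLE_ND, prefixes=IFACE_PREFIXES):
    """(source, hop limit) of every message the filter would refuse."""
    return [(m["src"], m["hop_limit"]) for m in filter_nd(messages, prefixes)[1]]
```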
• 64. 64 VLAN TRUNKING AND LINK AGGREGATION
• 65. 65 VLAN TRUNKS
• 66. 66 VLAN TRUNKS NOTES AND LIMITATIONS
There are two possible approaches to configure VLAN trunks on SRX:
- as part of the "Switching" configuration (family ethernet-switching)
- as part of the "Routing" configuration (family inet)
"Switching" configuration
- allows switching between all interfaces that are part of a VLAN; the member interfaces can be tagged and/or untagged
- supported only on Branch SRX
- not supported on redundant interfaces of a cluster
"Routing" configuration
- allows to create a sub-interface and use it for routing
- supported on all SRX platforms
- supported also in cluster mode (can be applied to reth interfaces)
- supported also on aggregate interfaces
• 67. 67 VLAN TRUNK CONFIGURATION EXAMPLE FAMILY "INET"
# Enable VLAN tagging on a physical interface
set interfaces ge-0/0/0 vlan-tagging
# Now we can create two sub-interfaces (units) on this physical interface
# Best practice: use the vlan-id also as the unit number
set interfaces ge-0/0/0 unit 11 vlan-id 11
set interfaces ge-0/0/0 unit 11 family inet address 10.0.11.1/24
set interfaces ge-0/0/0 unit 12 vlan-id 12
set interfaces ge-0/0/0 unit 12 family inet address 10.0.12.1/24
# The sub-interfaces can be placed in different zones, so traffic between the VLANs is policed by policy
set security zones security-zone zone11 interfaces ge-0/0/0.11
set security zones security-zone zone12 interfaces ge-0/0/0.12
• 68. 68 VLAN TRUNK CONFIGURATION EXAMPLE FAMILY "SWITCHING"
# Define all VLANs you want to participate in
set vlans VLAN-80 vlan-id 80
# For trunk ports carrying multiple VLANs use the following syntax
set interfaces xe-0/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces xe-0/0/0 unit 0 family ethernet-switching vlan members all
# "members all" lets every configured VLAN cross the trunk; on trunks towards less trusted switches
# list only the VLAN names that are really needed
# For access ports, which are untagged but mapped to a certain VLAN, use the following syntax
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members VLAN-80
# To create an RVI (routed VLAN interface) that holds an IP address on a VLAN
set interfaces vlan unit 80 family inet address 80.0.0.1/24
# and assign this interface to the VLAN
set vlans VLAN-80 l3-interface vlan.80
• 69. 69 LINK AGGREGATION AND LACP
• 70. 70 LINK AGGREGATION ON BRANCH SRX NOTES AND LIMITATIONS
Standalone units:
- link aggregation is possible by configuration of AE interfaces
- AE interfaces are supported with family ethernet-switching since JUNOS 9.5
- AE interfaces are supported with family inet since JUNOS 10.1r2
- LACP on AE interfaces with family ethernet-switching is supported since JUNOS 9.5
- LACP on AE interfaces with family inet is supported since JUNOS 10.2r2
Chassis clusters (redundant interfaces):
- redundant interfaces (as required in clusters for failover) can have aggregate interfaces as members since JUNOS 10.3r2
- switching across members of an HA cluster is available since 11.2; this requires an additional link between the two Branch SRX
Chassis clusters (private interfaces):
- private interfaces, which are only active on one cluster member, are possible in clusters
- private interfaces can still be aggregate interfaces (local LAG)
- private interfaces can not have member interfaces from both chassis at the same time; such a configuration might commit but it is not supported
• 71. 71 LINK AGGREGATION ON DATACENTER SRX NOTES AND LIMITATIONS
Standalone units:
- link aggregation is possible by configuration of AE interfaces
- aggregated Ethernet interfaces are supported since JUNOS 10.0
- aggregated Ethernet interfaces can be used with family inet only
- LACP support is available on High-End SRX since JUNOS 10.2r3
Chassis clusters (redundant interfaces):
- AE can not be used in a chassis cluster for redundant interfaces, but since JUNOS 10.1 there is another configuration available for link aggregation in chassis clusters
- this configuration can even span cluster members; only the interfaces on the active link are used to receive and transmit data
- check the Admin Guide for these "Redundant Ethernet Interface Link Aggregation Groups"
Chassis clusters (private interfaces):
- private interfaces, which are only active on one cluster member, are possible in clusters
- private interfaces can still be aggregate interfaces (local LAG)
- private interfaces can not have member interfaces from both chassis at the same time; such a configuration might commit but it is not supported
• 72. 72 LINK AGGREGATION ON A SINGLE UNIT
Configuration example for an aggregated Ethernet interface
# Set the number of aggregated interfaces on this device/chassis
set chassis aggregated-devices ethernet device-count <number>
# Configure AE interfaces (ae0, ae1, ...)
# On High-End SRX an AE can carry family inet only
# On Branch SRX an AE can carry family inet or family ethernet-switching
set interfaces <aex> unit 0 family inet address <ip address>
# Associate physical Ethernet interfaces with the AE
set interfaces <interface-name> gigether-options 802.3ad <aex>
# Minimum number of links required for this aggregate to be up
set interfaces <aex> aggregated-ether-options minimum-links <n>
# LACP configuration (Branch SRX since 10.2r2 for family inet, High-End SRX since 10.2r3, see the previous pages)
set interfaces <aex> aggregated-ether-options lacp passive
• 73. 73 LINK AGGREGATION ON A CHASSIS CLUSTER
Configuration example for a redundant Ethernet interface with aggregated members
# On High-End SRX reth LAG support starts with 10.1r2, LACP with 10.2r3
# On some Branch SRX reth LAG support starts with 10.3r2, LACP also with 10.3r2
# Documentation: "Chassis Cluster Redundant Ethernet Interface Link Aggregation Groups"
set interfaces ge-1/0/1 gigether-options redundant-parent reth1
set interfaces ge-1/0/2 gigether-options redundant-parent reth1
set interfaces ge-1/0/3 gigether-options redundant-parent reth1
set interfaces ge-12/0/1 gigether-options redundant-parent reth1
set interfaces ge-12/0/2 gigether-options redundant-parent reth1
set interfaces ge-12/0/3 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options minimum-links 3
# From the network's point of view these are two independent aggregate interfaces (one per node);
# the remote side must terminate each of them on its own LAG
# Only the interfaces on the active node are used for transmission
# LACP can now be added to the reth interface (choose active or passive, not both)
set interfaces reth1 redundant-ether-options lacp periodic fast
set interfaces reth1 redundant-ether-options lacp active
# alternatively: set interfaces reth1 redundant-ether-options lacp passive
• 74. 74 LINK AGGREGATION ON DATACENTER SRX
lacpd extended to support reths with JUNOS 10.2:
- hitless RG failover for transit traffic
- active and standby LAGs are handled independently and simultaneously
- supported: a reth connected to two switches
- supported: a reth connected to one single switch
- at the remote side: the active LAG and the standby LAG must each terminate on an AE or equivalent (same as 10.1)
[Figure: a cluster of two SRX 5600 HA nodes with reth0 (RLAG); the active LAG runs from node 0 to switch/router ae0, the standby LAG from node 1 to switch/router ae1]
• 75. 75 LINK REDUNDANCY
• 76. 76 IP MONITORING & FAILOVER WITH RPM
# Since 11.4r2 Branch SRX can use RPM to monitor reachability of a destination
# and, in response to PASS or FAIL, fail over a route or an interface
# Configure probes for the probe owner PING-PROBE
# Example: test SERVER1 checks whether the server responds to ping
edit services rpm probe PING-PROBE test SERVER1
set probe-type icmp-ping
set target address 192.168.42.1
set probe-count 5
set probe-interval 5
set thresholds successive-loss 5
set test-interval 10
top
edit services ip-monitoring policy FAILOVER-Policy
set match rpm-probe PING-PROBE
# The admin state of a backup interface is enabled when the RPM test on the primary fails
# Once the normal condition is restored the backup interface is disabled again
set then interface ge-0/0/1.0 enable
top
# Monitoring of the ip-monitoring feature
show services ip-monitoring status
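Added example (not from the deck) of the failover logic the configuration above describes: a probe history is fed through the successive-loss threshold and the resulting PASS/FAIL drives the "then interface ... enable" action. The state machine is a simplified assumption (a single reply resets the loss counter and flips the test back to PASS); the probe results are constructed sample data, not output of a real RPM run.

```python
from dataclasses import dataclass


@dataclass
class RpmTest:
    """One rpm test with a 'thresholds successive-loss' value."""
    successive_loss: int
    lost_in_a_row: int = 0
    status: str = "PASS"

    def observe(self, reply_received: bool) -> str:
        if reply_received:
            self.lost_in_a_row = 0
            self.status = "PASS"
        else:
            self.lost_in_a_row += 1
            if self.lost_in_a_row >= self.successive_loss:
                self.status = "FAIL"
        return self.status


@dataclass
class IpMonitoringPolicy:
    """'then interface <ifl> enable': the backup is up only while the test fails."""
    backup_ifl: str
    backup_enabled: bool = False

    def apply(self, test_status: str) -> bool:
        self.backup_enabled = test_status == "FAIL"
        return self.backup_enabled


def simulate(probe_results, successive_loss=5, backup_ifl="ge-0/0/1.0"):
    """Return [(test status, backup enabled)] for every probe result."""
    test = RpmTest(successive_loss)
    policy = IpMonitoringPolicy(backup_ifl)
    timeline = []
    for got_reply in probe_results:
        status = test.observe(got_reply)
        timeline.append((status, policy.apply(status)))
    return timeline


# Constructed probe history: 4 losses (below the threshold of 5), one reply,
# then 5 straight losses (failover), then the next reply (fail back).
SAMPLE_PROBES = [False] * 4 + [True] + [False] * 5 + [True]


def demo():
    return simulate(SAMPLE_PROBES)
```

The point to take from the run: four lost probes in a row do nothing, the fifth consecutive loss enables the backup interface, and the first reply afterwards disables it again, so a flapping primary link produces a flapping backup interface unless the thresholds are chosen with that in mind.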
• 77. 77 BIDIRECTIONAL FORWARDING DETECTION (BFD)
# Bidirectional Forwarding Detection (BFD) is available for OSPF and BGP
# Useful for link availability tests with aggressive timing (sub-second detection)
# Detection time = minimum-interval x multiplier; the OSPF example below detects a
# failure after 3 x 500 ms = 1.5 s. Lower values fail over faster but are more
# sensitive to control plane load
# Detect OSPF link failure after 3 x 500 ms
edit protocols ospf area 0.0.0.0 interface ge-0/0/0.0
set bfd-liveness-detection minimum-interval 500
set bfd-liveness-detection multiplier 3
set bfd-liveness-detection full-neighbors-only
top
# Detect BGP link failure
edit protocols bgp bfd-liveness-detection
set minimum-interval 800
set multiplier 3
set transmit-interval minimum-interval 150
set transmit-interval threshold 500
set detection-time threshold 200
set holddown-interval 5
top
• 78. 78 FLOW LOAD BALANCING WITH EQUAL COST MULTIPATH ROUTING
# ECMP for flows is supported on SRX since JUNOS 12.1
# Add multiple static routes to the same destination
set routing-options static route 26.0.0.0/8 next-hop 23.0.54.111
set routing-options static route 26.0.0.0/8 next-hop 24.0.44.101
set routing-options static route 26.0.0.0/8 next-hop 25.0.44.106
# Usually only one of these routes would show up in the forwarding table.
# We need a policy statement to enable per-packet load balancing.
# On SRX this statement in reality enforces per-flow balancing (a session sticks to one path)
set policy-options policy-statement LBP then load-balance per-packet
# And we must apply this policy to the forwarding table
set routing-options forwarding-table export LBP
# The forwarding table now shows several next hops for the same destination
user@host> show route forwarding-table
Routing table: default.inet
Internet:
Destination        Type RtRef Next hop           Type Index NhRef Netif
...
26.0.0.0/8         user     0 23.0.54.111        rslv     0     1 ge-0/0/4.0
26.0.0.0/8         user     0 24.0.44.101        rslv     0     1 ge-0/0/6.0
26.0.0.0/8         user     0 25.0.44.106        rslv     0     1 ge-0/0/7.0
# Finally we might influence the hashing (layer-3 = IP addresses only; layer-4 adds TCP/UDP ports)
set forwarding-options hash-key family inet layer-3
set forwarding-options hash-key family inet layer-4
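Added example (not from the deck): a parser for the forwarding-table layout shown above, so the "did the load-balance policy take effect" check can be scripted instead of eyeballed. It groups the next hops per destination and reports whether a prefix really has several of them installed. The table text is a constructed sample in the same column layout; only rows that carry a next-hop address are collected.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the layout of 'show route forwarding-table'
SAMPLE_FT = """\
Routing table: default.inet
Internet:
Destination        Type RtRef Next hop           Type Index NhRef Netif
default            perm     0                    rjct    36     1
10.0.0.0/8         user     0 10.1.1.254         ucst   557     3 ge-0/0/0.0
26.0.0.0/8         user     0 23.0.54.111        rslv     0     1 ge-0/0/4.0
26.0.0.0/8         user     0 24.0.44.101        rslv     0     1 ge-0/0/6.0
26.0.0.0/8         user     0 25.0.44.106        rslv     0     1 ge-0/0/7.0
224.0.0.0/4        perm     0                    mdsc    35     1
"""


def parse_forwarding_table(text):
    """Map destination prefix -> list of (next hop, outgoing interface).

    Rows without a next-hop address (rjct, mdsc, header lines) have fewer
    than eight columns or a non-address in the next-hop column and are skipped.
    """
    table = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8:
            continue
        dest, _type, _rtref, nh, _nhtype, _idx, _nhref, netif = fields
        try:
            ipaddress.ip_address(nh)
        except ValueError:
            continue
        table[dest].append((nh, netif))
    return dict(table)


def ecmp_paths(text, dest):
    """All (next hop, interface) pairs installed for dest."""
    return parse_forwarding_table(text).get(dest, [])


def has_ecmp(text, dest, minimum=2):
    """True when the forwarding table holds several next hops for dest,
    i.e. the load-balance per-packet policy is really in effect."""
    return len(ecmp_paths(text, dest)) >= minimum
```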
• 79. 79 VRRP CONFIGURATION
# VRRP allows to fail over an IP address between two devices which are not a cluster
# Typical use case: primary and backup Internet access device (each with its own WAN link)
# Remember that a VRRP pair does not sync sessions; all sessions must be re-established after a failover
# VRRP - node0
edit interfaces fe-0/0/7 unit 0 family inet address 192.168.0.101/24 vrrp-group 150
set virtual-address 192.168.0.150
set priority 100
set no-preempt
set authentication-type md5
set authentication-key secret
top
# VRRP - node1
edit interfaces fe-0/0/7 unit 0 family inet address 192.168.0.102/24 vrrp-group 150
set virtual-address 192.168.0.150
set priority 110
set no-preempt
set authentication-type md5
set authentication-key secret
top
# Use a real shared key on both nodes ("secret" is only a placeholder): without authentication
# any host on the segment can advertise a higher priority and take over the virtual address
# VRRP troubleshooting (prefix the commands with "run" when in configuration mode)
show vrrp summary
show vrrp interface fe-0/0/7
• 80. 80 TRANSPARENT MODE
• 81. 81 TRANSPARENT MODE OR BRIDGE MODE NOTES AND LIMITATIONS
Transparent/bridge mode on Datacenter SRX
- transparent mode in A/P clusters is supported since JUNOS 9.6
- transparent mode in A/A clusters is supported since JUNOS 10.0
- an interface can either be in trunk mode or in access mode
- VLAN retagging is possible and requires a per-interface statement
- link aggregation on reth interfaces in transparent mode is supported since 11.4r1
- IDP is supported in A/P since 11.2
Transparent/bridge mode on Branch SRX
- transparent mode in A/P clusters is supported since JUNOS 11.2
- interfaces can only be in access mode
- management access requires the definition of an IRB interface as member of one bridge domain
Today (12.1) a firewall can either be in pure Layer 2 mode or in Layer 3 routed mode, no mix
During a cluster failover the physical links on the inactive machine get bumped (L1 down for some seconds and then up again) to clear the CAM tables on the attached switches
A number of features are not available/supported in transparent mode (12.1):
- NAT, IPsec VPN, GRE, LSys, VR for IRB, L3/L4 classification for QoS (classification on the 802.1q tag is possible)
• 82. 82 TRANSPARENT MODE / BRIDGE MODE EXAMPLE 1: TWO UNTAGGED INTERFACES
# A bridge domain defines which interfaces share a MAC table
set bridge-domains BD1 domain-type bridge
set bridge-domains BD1 vlan-id 10
set bridge-domains BD1 interface ge-0/0/0.0
set bridge-domains BD1 interface ge-0/0/1.0
# This example uses two untagged (access mode) interfaces
set interfaces ge-0/0/0 unit 0 family bridge interface-mode access
set interfaces ge-0/0/0 unit 0 family bridge vlan-id 10
set interfaces ge-0/0/1 unit 0 family bridge interface-mode access
set interfaces ge-0/0/1 unit 0 family bridge vlan-id 10
# Reuse the zones trust and untrust; allow SSH to the firewall itself only from trust
set security zones security-zone trust host-inbound-traffic system-services ssh
# Bind the interfaces to the zones
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/1.0
# For management access you must attach an irb interface to the bridge domain
# (a host address is required here, not the network address)
set interfaces irb unit 0 family inet address 1.1.1.1/24
set bridge-domains BD1 routing-interface irb.0
• 83. 83 TRANSPARENT MODE / BRIDGE MODE EXAMPLE 2: MIXED TAGGED AND UNTAGGED INTERFACES
# A bridge domain defines which interfaces share a MAC table
set bridge-domains BD1 domain-type bridge
set bridge-domains BD1 vlan-id X   (could be set to "none")
set bridge-domains BD1 interface ge-0/0/10.0
set bridge-domains BD1 interface ge-0/0/11.0
# Example for a trunk mode interface (on Datacenter SRX)
set interfaces ge-0/0/10 vlan-tagging
set interfaces ge-0/0/10 native-vlan-id 10
set interfaces ge-0/0/10 unit 0 family bridge interface-mode trunk
set interfaces ge-0/0/10 unit 0 family bridge vlan-id-list 40-50
# Untagged traffic on the trunk mode interface is mapped to the native VLAN
# Example for an interface in access mode
set interfaces ge-0/0/11 unit 0 family bridge interface-mode access
set interfaces ge-0/0/11 unit 0 family bridge vlan-id 40
# Create a layer2 zone and define the permitted system services
set security zones security-zone layer2 host-inbound-traffic system-services ssh
# Bind the interfaces to the zone (an interface outside any zone forwards nothing)
set security zones security-zone layer2 interfaces ge-0/0/10.0
set security zones security-zone layer2 interfaces ge-0/0/11.0
# For management access you must attach an irb interface to the bridge domain
set interfaces irb unit 0 family inet address 1.1.1.1/24
set bridge-domains BD1 routing-interface irb.0
• 84. 84 TRANSPARENT MODE / BRIDGE MODE HINTS AND MONITORING
# By default family bridge forwards IPv4 unicasts and L2 broadcasts only
# The following statement also lets other, non-IP traffic (CDP, STP, ...) pass. This is a deliberate
# opening of the L2 filter, so enable it only where that traffic is really needed
set security flow bridge bypass-non-ip-unicast
# IPv6 forwarding in transparent mode was planned for 11.4r4 (DC-SRX only) at the time of writing
# Full documentation for transparent mode
https://www.juniper.net/techpubs/en_US/junos12.1/information-products/pathway-pages/security/security-layer2-bridging-transparent-mode.html#configuration
# Monitoring commands
show bridge domain
show bridge mac-table
show l2-learning interface
• 85. 85 FIREWALL
• 86. 86 PACKET FLOW
• 87. 87 SECURITY SERVICES PACKET WALK
1) Pull packet from queue
2) Police packet (per-packet policer)
3) Filter packet (per-packet filter)
4) Session lookup
5a) No existing session (first packet of a flow):
- FW screen check
- static and destination NAT
- route lookup
- destination zone lookup
- policy lookup
- reverse static and source NAT
- setup ALG vector
- install session
5b) Established session:
- FW screen check
- TCP checks
- NAT translation
- ALG processing
6) Filter packet (per-packet filter)
7) Shape packet (per-packet shaper)
8) Transmit packet
[Figure: JUNOS flow module. "Match session?" NO: screens, static NAT, destination NAT, route, zones, policy, reverse static NAT, source NAT, services, session; YES: screens, TCP, NAT, services]
• 88. 88 SECURITY SERVICES PACKET WALK (SERVICES)
[Figure: the JUNOS flow module from the previous page with the services stage expanded. The services/ALG module contains: AppID (packet), IDP (packet), SSL proxy, AppID (stream), IDP (stream), ALG, UTM, AppFW, UserFW]
• 89. 89 ZONES
• 90. 90 ZONES AND INTERFACES
# Zone names are useful to map existing segmentation
# Typical zone names are derived from areas with the same trust level (trust/untrust) or
# from department names (development, production, ...)
# An interface will not forward any traffic until it is assigned to a zone
# Each interface can only be mapped to one zone
# All interfaces in the same zone must be mapped to the same VR
# Assign an IPv4 address to an interface
set interfaces ge-0/0/1 unit 0 family inet address 192.168.20.2/24
# Create custom zones
set security zones security-zone DEVELOPMENT
set security zones security-zone VPN
# Assign an interface to a zone
set security zones security-zone VPN interfaces st0.0
• 91. 91 OBJECTS & POLICIES
• 92. 92 OBJECT AND POLICIES OVERVIEW
Current state and changes over time
- Global policies and global address objects are available since JUNOS 11.4
- Logging: to enable logging for permit rules use "set then log session-close"; to enable logging for deny/reject rules use "set then log session-init"
- Counting: counting with per-time statistics can be activated per policy (the number of counted policies is limited); since JUNOS 12.1 a hit counter is tracked by default for every policy
- Description: since JUNOS 12.1 policies can have a description
- Nested groups (groups of groups) are supported since JUNOS 11.2; before 11.2 NSM could be used to create nested groups
- DNS resolution: DNS names can be resolved either once at object creation time or repeatedly during usage
- Wildcard masks: bitmasks for address objects are supported since JUNOS 11.1
- Ranges: address ranges are not available in JUNOS today (12.1)
- Negation: negated address objects are not available in JUNOS today (12.1)
• 93. 93 ADDRESS OBJECTS AND GROUPS (JUNOS <11.2)
set security zones security-zone trust address-book address NET10 10.1.1.0/24
set security zones security-zone trust address-book address HOST10 10.1.1.1/32
# We can also use DNS names; there are two ways
edit security zones security-zone trust address-book
# Resolve the name once at commit time
set address JUNIPER-FIX www.juniper.net
# Resolve dynamically when the policy is used (cached for 24 hours)
set address JUNIPER-DNS dns-name www.juniper.net
top
# A policy built on DNS names is only as trustworthy as the resolver the firewall uses;
# use such objects for outbound rules rather than to admit inbound traffic
# Groups of addresses are referenced as address sets
edit security zones security-zone trust address-book address-set ALL10
set address NET10
set address HOST10
top
# JUNOS >=11.1 also supports wildcard address masks with non-contiguous bitmasks
# for IPv4. The first octet of the mask must be greater than 128.
set security zones security-zone trust address-book address SERVER4 wildcard-address 10.0.0.4/255.0.0.255
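Added example (not from the deck): how a wildcard address object like 10.0.0.4/255.0.0.255 is matched, written out so you can test which hosts a proposed object really covers before putting it into a policy. A 1-bit in the mask means "must agree with the object", a 0-bit means "don't care". The "first octet greater than 128" restriction is taken from the page and enforced as an assumption about the platform check; nothing here is Junos code.

```python
import ipaddress


def parse_wildcard(obj: str):
    """Parse 'a.b.c.d/m.m.m.m' into (masked object bits, mask) as integers.

    Assumption from the page: the first octet of the mask must be > 128.
    """
    ip, mask = obj.split("/")
    ip_int = int(ipaddress.IPv4Address(ip))
    mask_int = int(ipaddress.IPv4Address(mask))
    if (mask_int >> 24) <= 128:
        raise ValueError(f"first mask octet must be greater than 128: {obj}")
    return ip_int & mask_int, mask_int


def wildcard_matches(obj: str, host: str) -> bool:
    """A host matches if every 1-bit of the mask agrees with the object."""
    want, mask = parse_wildcard(obj)
    return int(ipaddress.IPv4Address(host)) & mask == want


def matching_hosts(obj: str, hosts) -> list:
    """Filter a list of host addresses down to those the object covers."""
    return [h for h in hosts if wildcard_matches(obj, h)]


def wildcard_size(obj: str) -> int:
    """Number of IPv4 addresses covered: 2 to the power of the mask's 0-bits.
    Useful to see how wide a 'don't care' pattern really is before using it."""
    _, mask = parse_wildcard(obj)
    return 2 ** (32 - bin(mask).count("1"))
```

For 10.0.0.4/255.0.0.255 the object is "every address 10.x.y.4", which is 65536 hosts; a rule meant for one server per site can easily permit far more than intended if the mask is chosen carelessly.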
• 94. 94 ADDRESS OBJECTS AND GROUPS (JUNOS >=11.2)
# Since JUNOS 11.2 address book entries can either use the old zone-bound stanza
set security zones security-zone trust address-book address NET10 10.1.1.0/24
# or all objects can be created as zone-independent global address book entries
set security address-book global address NET10 10.1.1.0/24
# JUNOS op scripts exist to convert from the old to the new format and back
https://www.juniper.net/us/en/community/junos/script-automation/library/
# If both formats are used in one configuration, it can not be committed
# NSM supports global policies with version 2012.1
# Space Security Design supports global policies since version 12.1
# J-Web supports global address objects and global policies since 11.4
• 95. 95 SERVICE OBJECTS
# Create custom service objects
# Default TCP inactivity timeout is 1800 s; default timeout for other protocols is 60 s
# Simple form (one protocol/port per application)
set applications application my-ssh protocol tcp
set applications application my-ssh destination-port 22
set applications application my-ssh inactivity-timeout 3600
# Equivalent form using terms (needed when one application covers several protocol/port pairs);
# use one form or the other for a given application, not both
set applications application my-ssh term ssh protocol tcp
set applications application my-ssh term ssh destination-port 22
set applications application my-ssh term ssh inactivity-timeout 3600
# A number of service definitions is already built in, starting with junos-xxxx
# To see them use the following command in operational mode
show configuration groups junos-defaults applications
# or in configuration mode
top
show groups junos-defaults applications | match junos
# They also appear when you use Tab completion while writing policies
set security policies from-zone trust to-zone untrust policy X match application ?
• 96. 96 ZONE BASED FIREWALL POLICIES (1)
# Create a new policy with the name "FIRST"
edit security policies from-zone untrust to-zone trust policy FIRST
set match source-address any
set match destination-address any
set match application any
set then permit
# Since JUNOS 12.1 you can add a description to a policy
set description "First Policy created here"
top
# Insert a second policy "NEW"
edit security policies from-zone untrust to-zone trust policy NEW
set match source-address any
set match destination-address NET10
set match application any
set then permit
top
# New policies are always appended at the end of the context and lookup is first match,
# so behind the any/any/any policy "FIRST" the policy "NEW" would never be hit
# To move the "NEW" policy before the "FIRST" policy
insert security policies from-zone untrust to-zone trust policy NEW before policy FIRST
• 97. 97 ZONE BASED FIREWALL POLICIES (2)
# By default all traffic that is not permitted by a policy is denied (without logging)
# There is a command to change this; recommended only for testing!
set security policies default-policy permit-all
# Policy actions can be permit/deny/reject:
# deny means silent drop, reject creates a response packet to the initiator
# for UDP traffic "ICMP port unreachable"
# for TCP traffic "TCP RST"
# Monitor commands
show security policies
show security flow session
# Policy lookup (predicting the policy decision) is available on the CLI and in the Web-UI since JUNOS 10.3
show security match-policies ....
• 98. 98 GLOBAL FIREWALL POLICIES
# Beginning with JUNOS 11.4 policies can be specified as global policies
# These policies must always reference global address objects
# Policy lookup order is:
# a) zone-to-zone context (ordered, first match wins)
# b) global policies (ordered, only reached if no zone-context policy matched)
# c) default policy
# NSM can not manage global policies and objects
# For JUNOS Space, global policy support was planned for release 12.1 at the time of writing
set security address-book global address SERVER1 1.1.1.1
set security address-book global address SERVER2 2.2.2.2
set security policies global policy GP1 match source-address SERVER1
set security policies global policy GP1 match destination-address SERVER2
set security policies global policy GP1 match application junos-ftp
set security policies global policy GP1 then deny
set security policies global policy GP2 match source-address SERVER1
set security policies global policy GP2 match destination-address SERVER2
set security policies global policy GP2 match application any
set security policies global policy GP2 then permit
# Count per-zone and global policies
show security policies zone-context
• 99. 99 GLOBAL POLICIES
Global policies take lower precedence than zone-specific policies. If a matching zone-based policy is found, the global policies are not evaluated.
[Figure: lookup flow. Zone policy lookup in the from-zone/to-zone context: ordered lookup over Policy 1 ... Policy N. On no match: global policy lookup, ordered lookup over Policy 1 ... Policy M]
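Added example (not from the deck) that models the lookup order described above, so the interaction between the zone-context policies FIRST/NEW, the global policies GP1/GP2 and the default policy can be tested on paper before a change goes live. The address book, the first-match semantics and the "insert before" operation follow the pages above; the Ruleset class and its method names are assumptions for illustration, not a Junos API.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address book (global, zone-independent objects)
ADDRESS_BOOK = {
    "any": None,
    "SERVER1": "1.1.1.1/32",
    "SERVER2": "2.2.2.2/32",
    "NET10": "10.1.1.0/24",
}


@dataclass
class Policy:
    name: str
    src: str
    dst: str
    app: str
    action: str  # permit / deny / reject


def addr_match(obj: str, ip: str) -> bool:
    prefix = ADDRESS_BOOK[obj]
    return prefix is None or ipaddress.ip_address(ip) in ipaddress.ip_network(prefix)


def app_match(obj: str, app: str) -> bool:
    return obj == "any" or obj == app


class Ruleset:
    """Zone-context policies (ordered), then global policies (ordered), then
    the default policy (deny unless default-policy permit-all is configured)."""

    def __init__(self, default_action="deny"):
        self.zone_policies = {}  # (from_zone, to_zone) -> [Policy]
        self.global_policies = []
        self.default_action = default_action

    def add(self, from_zone, to_zone, policy):
        """New policies are appended at the end of their context."""
        self.zone_policies.setdefault((from_zone, to_zone), []).append(policy)

    def insert_before(self, from_zone, to_zone, policy, before_name):
        """'insert ... policy X before policy Y'"""
        rules = self.zone_policies[(from_zone, to_zone)]
        rules.insert([r.name for r in rules].index(before_name), policy)

    def add_global(self, policy):
        self.global_policies.append(policy)

    @staticmethod
    def _first_match(rules, src_ip, dst_ip, app):
        for rule in rules:
            if addr_match(rule.src, src_ip) and addr_match(rule.dst, dst_ip) and app_match(rule.app, app):
                return rule
        return None

    def lookup(self, from_zone, to_zone, src_ip, dst_ip, app):
        """Return (stage, policy name, action) for a new session."""
        hit = self._first_match(self.zone_policies.get((from_zone, to_zone), []), src_ip, dst_ip, app)
        if hit:
            return "zone", hit.name, hit.action
        hit = self._first_match(self.global_policies, src_ip, dst_ip, app)
        if hit:
            return "global", hit.name, hit.action
        return "default", "default-policy", self.default_action


def build_example():
    """The policies from the pages above, in the order they end up after 'insert before'."""
    rs = Ruleset()
    rs.add("untrust", "trust", Policy("FIRST", "any", "any", "any", "permit"))
    rs.insert_before("untrust", "trust", Policy("NEW", "any", "NET10", "any", "permit"), "FIRST")
    rs.add_global(Policy("GP1", "SERVER1", "SERVER2", "junos-ftp", "deny"))
    rs.add_global(Policy("GP2", "SERVER1", "SERVER2", "any", "permit"))
    return rs
```

The case worth noticing: SERVER1 to SERVER2 over FTP from untrust to trust is permitted by the any/any/any zone policy FIRST even though the global policy GP1 denies exactly that traffic, because global policies are never consulted once a zone-context policy matched. A global deny is therefore not a safety net underneath broad zone policies.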
• 100. 100 FIREWALL POLICY MONITORING AND USAGE TRACKING (1/2)
# Counting can be enabled on a limited number of policies. Counting includes
# input/output bytes & packets, session rate, active & deleted sessions, policy lookups
edit security policies from-zone trust to-zone untrust policy pol-01
set then count
top
# To monitor the policy counters use
show security policies from-zone trust to-zone untrust policy-name pol-01 detail
# Alarms can be enabled per policy to fire when usage exceeds thresholds
edit security policies from-zone trust to-zone untrust policy pol-01
set then count alarm per-minute-threshold 1000
set then count alarm per-second-threshold 50
top
# To monitor the policy alarms use
show security alarms
• 101. 101 FIREWALL POLICY MONITORING AND USAGE TRACKING (2/2)
# Security policy overview (hidden command until 12.1)
show security policies information
# Since JUNOS 10.3 there is a security policy lookup to predict the policy decision
# The query goes directly to the forwarding plane for evaluation
show security match-policies ....
# Until 11.4 usage statistics are only available if counting is enabled (see previous page)
show security policies detail
# JUNOS 12.1 introduces usage tracking of firewall policies independent from the counter
# The hit counter since the last reboot/failover can be retrieved with the following command
srx210> show security policies hit-count from-zone untrust ascending
from-zone   to-zone   policy   hit-count
untrust     trust     pol-1    10
untrust     trust     pol-2    20
untrust     trust     pol-3    30
# A policy whose hit count stays at 0 over a long period is a candidate for review or removal
• 102. 102 FIREWALL POLICY SCHEDULERS (A.K.A. TIME BASED POLICIES)
# Create a scheduler that activates a policy every day except Sunday from 9-12 and 13-20
# (add "saturday exclude" for a Monday-to-Friday schedule)
set schedulers scheduler SCHEDULER1 daily start-time 09:00 stop-time 12:00
set schedulers scheduler SCHEDULER1 daily start-time 13:00 stop-time 20:00
set schedulers scheduler SCHEDULER1 sunday exclude
# Create a new policy "FIRST" and apply the scheduler SCHEDULER1
edit security policies from-zone untrust to-zone trust policy FIRST
set match source-address any
set match destination-address any
set match application any
set then permit
set scheduler SCHEDULER1
top
# Schedulers depend on the system clock; keep NTP configured (see chapter Time & NTP)
# Monitoring
show schedulers
show security policies detail
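Added example (not from the deck): a model of SCHEDULER1 that answers "is the policy active at this moment" for any timestamp, which is the check to run before assuming a time-based permit has expired. The two daily windows and the Sunday exclusion mirror the configuration above; the boundary handling (start inclusive, stop exclusive) is an assumption, and the whole class is illustration code, not the Junos scheduler.

```python
from datetime import datetime

WEEKDAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]


class Scheduler:
    """Models 'schedulers scheduler <name>' with daily start/stop windows
    and per-day 'exclude'. A policy bound to it is active only inside a window."""

    def __init__(self):
        self.windows = []  # list of (start, stop) as datetime.time
        self.excluded = set()

    def daily(self, start: str, stop: str):
        fmt = "%H:%M"
        self.windows.append((datetime.strptime(start, fmt).time(), datetime.strptime(stop, fmt).time()))
        return self

    def exclude(self, day: str):
        self.excluded.add(day.lower())
        return self

    def active_at(self, when: datetime) -> bool:
        if WEEKDAYS[when.weekday()] in self.excluded:
            return False
        t = when.time()
        # assumption: start inclusive, stop exclusive
        return any(start <= t < stop for start, stop in self.windows)


def build_scheduler1() -> Scheduler:
    """SCHEDULER1 from the page: 09:00-12:00 and 13:00-20:00, Sunday excluded."""
    return Scheduler().daily("09:00", "12:00").daily("13:00", "20:00").exclude("sunday")


def active_on(iso_timestamp: str, scheduler: Scheduler = None) -> bool:
    sched = scheduler or build_scheduler1()
    return sched.active_at(datetime.fromisoformat(iso_timestamp))


def decision_at(iso_timestamp: str, action="permit", scheduler: Scheduler = None) -> str:
    """What a policy bound to the scheduler does: outside the schedule the
    policy is inactive and the lookup falls through to the following rules."""
    return action if active_on(iso_timestamp, scheduler) else "inactive"
```

Note that Saturday is not excluded by SCHEDULER1, so the sample timestamps below treat Monday 2012-11-05 as a normal day and Sunday 2012-11-04 as the excluded one.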
• 103. 103 FIREWALL WEB AUTHENTICATION
# Firewall authentication can intercept a web session (redirect) and enforce user authentication
# before allowing traffic (any protocol) to pass the firewall. This works like an "unlock" door.
# Add an additional IP address to an existing interface; HTTP to this address shows a login page
set interfaces vlan unit 0 family inet address 192.168.1.210/24 web-authentication http
# Plain HTTP carries the credentials in clear text over the network; prefer web-authentication https
# Specify a profile with two local users (for production, point the profile at RADIUS/LDAP instead)
set access profile TESTPROFILE client TESTUSER1 firewall-user password netscreen
set access profile TESTPROFILE client TESTUSER2 firewall-user password netscreen
# Use this profile as default for pass-through firewall auth (inline in telnet, http, ftp connections) and for webauth
set access firewall-authentication pass-through default-profile TESTPROFILE
set access firewall-authentication web-authentication default-profile TESTPROFILE
# A policy specifies for which source/destination web auth is required.
# Once the addresses have matched, authentication is required; there is no fall-through to other rules.
set security zones security-zone untrust address-book address PROTECTED 172.16.42.1/32
edit security policies from-zone trust to-zone untrust policy WEB-AUTH
set match source-address any
set match destination-address PROTECTED
set match application any
set then permit firewall-authentication pass-through access-profile TESTPROFILE
set then permit firewall-authentication pass-through web-redirect
up
insert policy WEB-AUTH before policy trust-to-untrust
top
# Monitoring commands
show security firewall-authentication users
show security firewall-authentication history
• 104. REMATCH FOR POLICY CHANGES
# To enable Policy rematching when policy changes are made use the following command
# By Default Policy Rematch is disabled
set security policies policy-rematch

Action on Policy | Description | Rematch Flag Enabled | Rematch Flag Disabled (default)
Delete | Policy is deleted | All existing sessions are dropped | All existing sessions are dropped
Insert | New policy is inserted | N/A | N/A
Modify the action | Action field of policy is modified from permit to deny or reject, or vice versa | All existing sessions are dropped | All existing sessions continue
Modify address | Source or destination address field of policy match is modified | Policy lookup will be re-evaluated | All existing sessions continue
Modify application | Application field of policy match is modified | Policy lookup will be re-evaluated | All existing sessions continue
• 105. REMATCH FOR POLICY CHANGES WITH USER IDENTITY BASED FIREWALL
The user/role information is retrieved again from the UI module for the rematch.
• 106. FLOW & ALG
• 107. FLOW
# Flow Configuration changes default behavior for a number of topics that influence
# session creation/teardown/modification.
# Examples are SYN Checking, Sequence Number Checking, Fragmentation, MSS Patching,
# Session Aging
# Example: Make sure TCP packets going through VPN tunnels avoid fragmentation
set security flow tcp-mss ipsec-vpn mss 1420
# Example: Avoid TCP Split Handshake Attacks by more strict SYN checking
set security flow tcp-session strict-syn-check
• 108. ALG
# ALGs exist for several protocols. When enabled they either help to open firewall
# pinholes (FTP), assist in NAT for inband protocol data (VoIP) or check for protocol
# violations (DNS). See the next pages for a table of ALGs and their functions
# Most ALGs are enabled per default. To check which ALGs are there and enabled use
show security alg status
# To disable an ALG either disable the ALG completely
set security alg msrpc disable
# or use a custom application with the application service disabled
set applications application TEST application-protocol ignore
# Knowledgebase articles have good hints on monitoring and troubleshooting
# or changing the behaviour of each ALG. Check the Knowledgebase if you have
# trouble with any of the protocols where ALGs are active and disabling the ALG
# does not solve your problem. Example KB entries: SQL: KB21550 MSRPC: KB23730 and KB18346
• 109. BASIC ALGS
ALG | Firewall Pinholes | NAT | Protocol Checking
DNS | ✔ | ✔ | format, length
FTP | ✔ | ✔ | ✔ command
TFTP | ✔ | ✔ |
SQL | ✔ | ✔ | ✔ format
Sun RPC | ✔ | ✔ | ✔ format
MS RPC | ✔ | ✔ | ✔ format
RSH | ✔ | ✔ | ✔ format
PPTP | ✔ | ✔ | ✔ format
Talk | ✔ | ✔ | ✔ format
IKE-NAT | ✔ | ✔ | ✔ format
• 110. VOIP/STREAMING ALGS
ALG | Firewall Pinholes | NAT | Protocol Checking
SIP | ✔ | ✔ | ✔
H.323 | ✔ | ✔ | ✔
MGCP | ✔ | ✔ | ✔
SCCP | ✔ | ✔ | ✔
RTSP | ✔ | ✔ | ✔
• 111. SCREENS & DEFENSE
• 112. WHAT ARE SCREENS?
Screens are filters for attacks on Layer 3/4 (scans, floods, IP option anomalies, TCP/IP anomalies, DoS attacks)
Screens are applied before the routing lookup and the policy decision
Screens are in many cases implemented in hardware
Screens can be enabled with logging only
• 113. SCREENS
Descriptions of each Screen parameter are in the Junos documentation
# Configure all Screen Options in a Named Profile
edit security screen ids-option MY-SCREEN-PROFILE
# Best Practice: start using Screens with alarm only, with dropping disabled.
set alarm-without-drop
set icmp ping-death
set ip source-route-option
set ip tear-drop
set tcp syn-flood alarm-threshold 1024
set tcp syn-flood attack-threshold 200
set tcp syn-flood source-threshold 1024
set tcp syn-flood destination-threshold 2048
set tcp syn-flood queue-size 2000
set tcp syn-flood timeout 20
set tcp land
set limit-session destination-ip-based 50
top
# Finally apply the Profile to the Zones which need protection
set security zones security-zone untrust screen MY-SCREEN-PROFILE
# Monitoring Commands
show security screen statistics zone untrust
show security screen statistics interface ge-0/0/0
• 114. SCREENS FOR FLOOD PROTECTION
# Session Limits for Source and Destination IP
set security screen ids-option FLOOD limit-session source-ip-based 10000
set security screen ids-option FLOOD limit-session destination-ip-based 10000
# ICMP AND UDP FLOOD PROTECTION (threshold is in packets/sec)
set security screen ids-option FLOOD icmp flood threshold 10000
set security screen ids-option FLOOD udp flood threshold 20000
# TCP SYN Flood Protection, SYN-Cookie has better performance than SYN-Proxy
set security flow syn-flood-protection-mode syn-cookie
edit security screen ids-option FLOOD tcp syn-flood
# Start using Cookies when we hit more than 20 SYNs/sec
set attack-threshold 20
set alarm-threshold 10000
# If we get more than these SYNs per second from a Source-IP we start dropping
set source-threshold 1024
# If we get more than these SYNs per second to the same Destination-IP we start dropping
set destination-threshold 100000
# Time before we start dropping half-open connections from the queue
set timeout 5
top
# Finally apply the Screen Profile Definitions to the zone(s) where the flood arrives
set security zones security-zone untrust screen FLOOD
# Monitoring (the profile was applied to zone untrust above)
show security screen statistics zone untrust
show interfaces ge-0/0/1.0 extensive | match Syn
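An added example, not from the slide deck: a simplified model of how the FLOOD profile's syn-flood thresholds (attack 20, source 1024, destination 100000, alarm 10000 SYNs/sec) classify incoming SYNs, useful for reasoning about which threshold fires first. Counters are per second as on the slide; the half-open queue and its timeout are not modelled, and the class and its method names are assumptions.

```python
from collections import defaultdict


class SynFloodScreen:
    """Per-second SYN counters per source and per destination, with the
    decision order: source drop, destination drop, then SYN-cookie proxying."""

    def __init__(self, attack_threshold=20, source_threshold=1024,
                 destination_threshold=100000, alarm_threshold=10000):
        self.attack = attack_threshold
        self.source = source_threshold
        self.destination = destination_threshold
        self.alarm = alarm_threshold
        self.second = None
        self.per_dst = defaultdict(int)
        self.per_src = defaultdict(int)
        self.alarms = []  # (second, destination) pairs that crossed alarm-threshold

    def _roll(self, second):
        # Thresholds are rates: counters restart when the clock second changes.
        if second != self.second:
            self.second = second
            self.per_dst.clear()
            self.per_src.clear()

    def syn(self, second, src, dst):
        """Classify one SYN as 'pass', 'cookie' (proxied with a SYN cookie),
        'drop-source' or 'drop-destination'."""
        self._roll(second)
        self.per_src[src] += 1
        self.per_dst[dst] += 1
        if self.per_dst[dst] > self.alarm and (second, dst) not in self.alarms:
            self.alarms.append((second, dst))  # one alarm per destination and second
        if self.per_src[src] > self.source:
            return "drop-source"
        if self.per_dst[dst] > self.destination:
            return "drop-destination"
        if self.per_dst[dst] > self.attack:
            return "cookie"
        return "pass"


def classify_burst(screen, second, src, dst, count):
    """Feed `count` SYNs from src to dst within one second; return a tally."""
    tally = defaultdict(int)
    for _ in range(count):
        tally[screen.syn(second, src, dst)] += 1
    return dict(tally)


if __name__ == "__main__":
    # Constructed traffic: a small burst, then one source exceeding source-threshold.
    screen = SynFloodScreen()
    print(classify_burst(screen, 0, "10.9.9.9", "1.1.1.100", 25))
    print(classify_burst(screen, 1, "10.9.9.9", "1.1.1.100", 1030))
```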
• 115. WHITE LISTS FOR SYN COOKIE & SYN PROXY
# JUNOS 12.1 will introduce White lists for SYN Cookie and SYN Proxy
# The SYN Protection Screens can be active, but certain sources or
# destinations can be excluded from this protection.
# White lists can include up to 32 IPv4 and IPv6 source and/or destination addresses
# Typical use case: exclude proxies as sources, exclude monitored servers as destinations
root@raticate# set security screen ids-option FLOOD tcp syn-flood WHITE-LIST ipv4 ?
Possible completions:
  <[Enter]>            Execute this command
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
+ destination-address  Destination IP based
+ source-address       Source IP based
• 116. FLOOD PROTECTION FOR THE SRX SESSION TABLE
# In a Flood Situation, there is still a risk that the session table is filled up
# completely and new sessions can't be established any more
#
# A Self Defense Strategy of the SRX for a flood situation is "aggressive aging":
# start removing sessions which have not been used for x seconds before the session
# table gets filled up completely
#
# This overrides the default session timeouts, but might be better
# than an overcrowded session table
# Set levels (percent of max session number) when aggressive aging starts and when it stops
set security flow aging high-watermark 80 low-watermark 60
# Idle time in seconds after which sessions can be purged
set security flow aging early-ageout 30
# Monitoring: If the Thresholds are reached, there are logs for
# FLOW_HIGH_WATERMARK_TRIGGERED and FLOW_LOW_WATERMARK_TRIGGERED
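An added example (not part of the slide deck) modelling the aggressive aging behaviour described above: a session table with the slide's high-watermark 80, low-watermark 60 and early-ageout 30, showing the hysteresis between the two watermarks and the log messages the slide names. The table size, the default idle timeout and the class are assumptions.

```python
class SessionTable:
    """Toy session table with aggressive aging (hysteresis between watermarks)."""

    def __init__(self, max_sessions, high_watermark=80, low_watermark=60,
                 early_ageout=30, default_timeout=1800):
        self.max_sessions = max_sessions          # assumed capacity
        self.high = high_watermark                # percent of max_sessions
        self.low = low_watermark
        self.early_ageout = early_ageout          # seconds, used while aggressive
        self.default_timeout = default_timeout    # assumed normal idle timeout
        self.sessions = {}                        # key -> last time it was used
        self.aggressive = False
        self.log = []

    def _usage_percent(self):
        return len(self.sessions) * 100 / self.max_sessions

    def _update_mode(self):
        # Enter aggressive aging at the high watermark, leave it only once usage
        # has fallen to the low watermark (so the mode does not flap).
        pct = self._usage_percent()
        if not self.aggressive and pct >= self.high:
            self.aggressive = True
            self.log.append("FLOW_HIGH_WATERMARK_TRIGGERED")
        elif self.aggressive and pct <= self.low:
            self.aggressive = False
            self.log.append("FLOW_LOW_WATERMARK_TRIGGERED")

    def add(self, key, now):
        self.sessions[key] = now
        self._update_mode()

    def touch(self, key, now):
        if key in self.sessions:
            self.sessions[key] = now

    def age_out(self, now):
        """Purge idle sessions; the idle limit shrinks to early-ageout while aggressive."""
        timeout = self.early_ageout if self.aggressive else self.default_timeout
        purged = [k for k, last in self.sessions.items() if now - last >= timeout]
        for k in purged:
            del self.sessions[k]
        self._update_mode()
        return purged


if __name__ == "__main__":
    # Constructed timeline: 8 sessions created 5 s apart fill a 10-entry table to 80 %.
    table = SessionTable(max_sessions=10)
    for i in range(8):
        table.add(f"s{i}", now=i * 5)
    print(table.aggressive, table.age_out(now=40), table.log)
```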
• 117. FIREWALL USAGE ALARMS
# Create Alerts if errors exceed thresholds
edit security alarms potential-violation
set authentication 10
set decryption-failures threshold 100
set encryption-failures threshold 100
set ike-phase1-failures threshold 100
set ike-phase2-failures threshold 100
set replay-attacks threshold 100
set security-log-percent-full 90
top
# Create Alerts if firewall total policy usage exceeds thresholds
edit security alarms potential-violation policy
set application size 10240
set source-ip threshold 1000 duration 20
set destination-ip threshold 1000 duration 10
set policy-match threshold 100 size 100
top
# Create Alerts if individual firewall policy usage exceeds thresholds
edit security policies from-zone trust to-zone untrust policy pol-01
set then count alarm per-minute-threshold 1000
set then count alarm per-second-threshold 50
top
# Monitoring
show security alarms
• 118. WHERE ARE SCREENS IMPLEMENTED?
# Screens that are implemented on the NPU
block-frag, fin-no-ack, icmp-fragment, icmp-id, icmp-large, ip-bad-option, ip-filter-src, ip-loose-src-route, ip-record-route, ip-security-opt, ip-stream-opt, ip-strict-src-route, ip-timestamp-opt, land, ping-death, syn-fin, syn-frag, tcp-no-flag, unknown-protocol, winnuke, icmp-flood, udp-flood, syn-flood destination-threshold / source-threshold
# Screens that are implemented on the SPU
teardrop, ip-spoofing, syn-ack-ack-proxy, syn-flood (syn-cookie/syn-proxy)
# Screens that are implemented on the CP
limit-session, port-scan, ip-sweep, syn-flood (syn-cookie/syn-proxy)
• 119. NAT
• 120. NAT BASIC INFORMATION
• Since JUNOS 9.5 NAT uses a separate policy (a.k.a. NAT-ng)
• The hierarchy for this is under "set security nat ...."
• Older JUNOS documentation and OJSE training materials might still mention the previous method (policy based NAT)
• Destination NAT often requires additional Proxy-ARP rules
• Limitations in the number of NAT rules did exist, but finally even the last (8 rules for destination NAT) disappeared with 10.2. See http://kb.juniper.net/KB14149
• We have a good Application Note on NAT http://www.juniper.net/us/en/products-services/security/srx-series/#literature
• 121. SCREENOS NAT FEATURES AND JUNOS COUNTERPART
For details and examples see the Application Note "Juniper Networks SRX Series and J Series NAT for ScreenOS Users" http://www.juniper.net/us/en/products-services/security/srx-series/#literature
• 122. NAT CONFIGURATION INCLUDES 3 FLAVORS
Source NAT
  Interface based NAT
  Pool based NAT, with and without port translation
  IP address shifting
Destination NAT
  Destination IP and/or port number translation
  IP address shifting
Static NAT
  Bi-directional
  No port translation supported
  dst-xlate for packets to the host
  src-xlate for packets initiated from the host
• 123. NAT PROCESSING ORDER
Static & Destination NAT are performed before security policies are applied
Reverse Static & Source NAT are performed after security policies are applied
Accordingly, policies always refer to the actual address of the endpoints
• 124. NAT ADDRESS POOL CONFIGURATION
Address pools can be
  Single IP address
  Range of addresses
  Range of ports
  Interface (source NAT only)
  No port translation
Overflow pools
  Configured as a fall back
  Requires pools with no port translation
[edit security nat source]
root# show
pool src-nat-pool1 {
    address {
        192.0.0.10/32 to 192.0.0.24/32;
    }
}
pool src-nat-pool2 {
    address {
        192.0.0.100/32 to 192.0.0.249/32;
    }
    port no-translation;
    overflow-pool interface;
}
pool src-nat-pool3 {
    address {
        192.0.0.25/32;
    }
}
pool src-nat-pool4 {
    address {
        192.0.0.50/32 to 192.0.0.59/32;
    }
    port range 5000 to 6000;
}
• 125. SOURCE NAT TWO EXAMPLES
[Diagram: zone TRUST with 10.1.1.0/24, 10.1.2.0/24 and 192.1.1.0/24; interfaces ge-0/0/0 and ge-0/0/1; zone UNTRUST towards the INTERNET]
# Example 1: interface based source NAT
[edit security nat source]
rule-set nat-internet {
    from zone trust;
    to zone untrust;
    rule rule1 {
        match {
            source-address 0.0.0.0/0;
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat interface;
        }
    }
}
# Example 2: pool based source NAT
[edit security nat source]
rule-set nat-internet {
    from zone trust;
    to zone untrust;
    rule rule1 {
        match {
            source-address 0.0.0.0/0;
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat pool src-nat-pool1;
        }
    }
}
• 126. SOURCE NAT EXAMPLE WITH MULTIPLE RULES
[Diagram: zone TRUST with 10.1.1.0/24, 10.1.2.0/24, 192.1.1.0/24 and 172.1.1.0/24; interfaces ge-0/0/0 and ge-0/0/1; zone UNTRUST towards the INTERNET]
[edit security nat source]
rule-set nat-internet {
    from zone trust;
    to zone untrust;
    rule rule1 {
        match {
            source-address [ 10.1.1.0/24 10.1.2.0/24 ];
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat pool src-nat-pool1;
        }
    }
    rule rule2 {
        match {
            source-address 192.1.1.0/24;
        }
        then {
            source-nat pool src-nat-pool2;
        }
    }
    rule rule3 {
        match {
            source-address 172.1.1.0/24;
        }
        then {
            source-nat off;
        }
    }
}
• 127. DESTINATION NAT EXAMPLE FOR MANY-TO-MANY
[Diagram: zone TRUST with 10.1.1.0/24, 10.1.2.0/24 and servers 192.1.1.100, 192.1.1.200; interfaces ge-0/0/0 and ge-0/0/1; zone UNTRUST towards the INTERNET]
dnat-pool-1: 1.1.1.100/80 -> 192.168.1.100/80
dnat-pool-2: 1.1.1.101/80 -> 192.168.1.200/8000
[edit security nat destination]
root# show
pool dnat-pool-1 {
    address 192.168.1.100/32;
}
pool dnat-pool-2 {
    address 192.168.1.200/32 port 8000;
}
rule-set dst-nat {
    from zone untrust;
    rule rule1 {
        match {
            destination-address 1.1.1.100/32;
        }
        then {
            destination-nat pool dnat-pool-1;
        }
    }
    rule rule2 {
        match {
            destination-address 1.1.1.101/32;
        }
        then {
            destination-nat pool dnat-pool-2;
        }
    }
}
• 128. DESTINATION NAT EXAMPLE FOR ONE-TO-MANY
[Diagram: zone TRUST with 10.1.1.0/24, 10.1.2.0/24 and servers 192.1.1.100, 192.1.1.200; interfaces ge-0/0/0 and ge-0/0/1; zone UNTRUST towards the INTERNET]
dnat-pool-1: 1.1.1.100/80 -> 192.168.1.100/80
dnat-pool-2: 1.1.1.100/8000 -> 192.168.1.200/8000
[edit security nat destination]
root# show
pool dnat-pool-1 {
    address 192.168.1.100/32;
}
pool dnat-pool-2 {
    address 192.168.1.200/32 port 8000;
}
rule-set dst-nat {
    from zone untrust;
    rule rule1 {
        match {
            destination-address 1.1.1.100/32;
            destination-port 80;
        }
        then {
            destination-nat pool dnat-pool-1;
        }
    }
    rule rule2 {
        match {
            destination-address 1.1.1.100/32;
            destination-port 8000;
        }
        then {
            destination-nat pool dnat-pool-2;
        }
    }
}
• 129. STATIC NAT
Provides one-to-one mapping of hosts or subnets
Bi-directional NAT
  dst-xlate for packets to the host
  src-xlate for packets initiated from the host
[Diagram: zone TRUST with 10.1.1.0/24, 10.1.2.0/24 and server 192.1.1.200; interfaces ge-0/0/0 and ge-0/0/1; zone UNTRUST towards the INTERNET]
[edit security nat]
root# show static
rule-set static-nat {
    from zone untrust;
    rule rule1 {
        match {
            destination-address 1.1.1.200/32;
        }
        then {
            static-nat prefix 192.168.1.200/32;
        }
    }
}
• 130. PROXY-ARP
Source NAT
  Proxy-ARP required for all source IP pool addresses in the same subnet as the egress interface (ge-0/0/0)
  For source pools not in the same subnet as the egress interface IP, a route to the IP pool subnet with the SRX device as next-hop is required on the upstream router
Destination/Static NAT
  Proxy-ARP required for all IP pool addresses in the same subnet as the ingress interface (ge-0/0/0)
  For static and destination NAT pools not in the same subnet as the egress interface IP, a route to the IP pool subnet with the SRX device as next-hop is required on the upstream router
Configuration command
  set security nat proxy-arp interface <if_name> address <ip_prefix>
[Diagram: 10.1.1.0/24 and 10.1.2.0/24 behind ge-0/0/1; ge-0/0/0 with 1.1.1.1/24 towards the INTERNET]
• 131. DOUBLE NAT - SOURCE AND DESTINATION NAT
[Diagram: host 192.168.1.3/24 in zone TRUST, server 10.1.1.100/24 in zone UNTRUST]
[edit security nat source]
root# show
pool src-pool-1 {
    address {
        1.1.1.10/32 to 1.1.1.14/32;
    }
}
rule-set src-rs1 {
    from zone trust;
    to zone untrust;
    rule r1 {
        match {
            source-address 0.0.0.0/0;
        }
        then {
            source-nat pool src-pool-1;
        }
    }
}
[edit security nat destination]
root# show
pool dst-src-pool-1 {
    address 10.1.1.100/32;
}
rule-set dst-rs1 {
    from zone trust;
    rule rule1 {
        match {
            destination-address 1.1.1.100/32;
        }
        then {
            destination-nat pool dst-src-pool-1;
        }
    }
}
# Resulting translation: 192.168.1.3 -> 1.1.1.100 becomes 1.1.1.10 -> 10.1.1.100
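An added example, not from the slide deck, covering both the NAT processing order (destination NAT, then policy lookup, then source NAT) and this double-NAT slide: the slide's rules are modelled in Python and a packet from 192.168.1.3 to 1.1.1.100 is run through the pipeline, showing that the policy must be written against the real server address 10.1.1.100, not the public 1.1.1.100. The round-robin pool allocation and the policy definitions are assumptions for the illustration.

```python
from ipaddress import ip_address, ip_network
from itertools import cycle

# Constructed from the slide: rule-set dst-rs1 (from zone trust) and
# rule-set src-rs1 (trust -> untrust) with src-pool-1 = 1.1.1.10 to 1.1.1.14.
DST_RULES = [
    {"from": "trust", "match": ip_network("1.1.1.100/32"), "pool": "10.1.1.100"},
]
SRC_RULES = [
    {"from": "trust", "to": "untrust", "match": ip_network("0.0.0.0/0"),
     "pool": cycle(f"1.1.1.{n}" for n in range(10, 15))},  # assumed allocation
]
SRC_POOL_ADDRESSES = {f"1.1.1.{n}" for n in range(10, 15)}


def destination_nat(pkt):
    """Step 1: destination NAT on the first packet, before any policy lookup."""
    for r in DST_RULES:
        if pkt["from"] == r["from"] and ip_address(pkt["dst"]) in r["match"]:
            return dict(pkt, dst=r["pool"])
    return pkt


def policy_lookup(pkt, policies):
    """Step 2: policies see the real endpoints, i.e. the post-destination-NAT
    destination and the not-yet-translated source."""
    for p in policies:
        if ((p["from"], p["to"]) == (pkt["from"], pkt["to"])
                and ip_address(pkt["src"]) in p["src"]
                and ip_address(pkt["dst"]) in p["dst"]):
            return p["name"], p["action"]
    return "default", "deny"


def source_nat(pkt):
    """Step 3: source NAT, applied only to traffic a policy permitted."""
    for r in SRC_RULES:
        if ((pkt["from"], pkt["to"]) == (r["from"], r["to"])
                and ip_address(pkt["src"]) in r["match"]):
            return dict(pkt, src=next(r["pool"]))
    return pkt


def process(pkt, policies):
    """Run one first packet through the pipeline; returns (policy, action, packet)."""
    pkt = destination_nat(pkt)
    name, action = policy_lookup(pkt, policies)
    if action != "permit":
        return name, action, pkt
    return name, action, source_nat(pkt)


PKT = {"from": "trust", "to": "untrust", "src": "192.168.1.3", "dst": "1.1.1.100"}

# Assumed policies: one written against the real server, one against the public IP.
POLICY_REAL = [{"name": "to-server", "from": "trust", "to": "untrust",
                "src": ip_network("0.0.0.0/0"), "dst": ip_network("10.1.1.100/32"),
                "action": "permit"}]
POLICY_PUBLIC = [{"name": "to-public", "from": "trust", "to": "untrust",
                  "src": ip_network("0.0.0.0/0"), "dst": ip_network("1.1.1.100/32"),
                  "action": "permit"}]

if __name__ == "__main__":
    print(process(PKT, POLICY_REAL))    # permitted, src from 1.1.1.10-14, dst 10.1.1.100
    print(process(PKT, POLICY_PUBLIC))  # denied: 1.1.1.100 was already translated away
```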
• 132. NAT MONITORING AND TROUBLESHOOTING
# NAT sessions can be identified from the session table
show security flow session
# Static NAT:
show security nat static rule <all|rule-name>
# Source NAT:
show security nat source summary
show security nat source pool <pool-name>
show security nat source rule <rule-name>
show security nat source persistent-nat-table <all|summary|....>
# Destination NAT:
show security nat destination summary
show security nat destination pool <pool-name>
show security nat destination rule <rule-name>
show security nat interface-nat-ports
# Incoming NAT:
show security nat incoming-table
# ARP table
show arp no-resolve
# Tracing (output is written to the file defined under security -> flow -> traceoptions)
set security nat traceoptions flag all
• 133. VIRTUALIZATION
• 134. VIRTUALIZATION BUILDING BLOCKS AND CONCEPTS
SRX Firewalls offer several building blocks and concepts to achieve virtualization
  Zone based separation: no traffic can get from one zone to another if there is no policy
  Virtual Router based separation: avoids any traffic leakage between different instances (use case: managed service for customers with overlapping address space)
  Logical Systems: for complete administrative isolation. Create virtual firewalls with individual administrators and protected resources per firewall (memory, CPU, objects ...)
  Virtual SRX: Virtual Machine for installation on a Hypervisor (VMware, KVM)

 | Zones only | Zones and Virtual Routers | Logical Systems | Virtual SRX
separate traffic of different instances | yes | yes | yes | yes
separate routing decisions per instance | no | yes | yes (with VRs) | yes
allow different administrators per instance | no | no | yes | yes
protect resources per instance | no | no | partial | yes
more than 32 instances | no | no | max 32 instances per firewall | yes
• 135. ZONE-BASED SEPARATION
[Diagram: Coke User in Coke Zone and Pepsi User in Pepsi Zone, both reaching Coke and Pepsi through the Untrust Zone]
• Simple design
• High scale (no additional overhead)
• No overlapping IP addresses
• Little to no user-based admin
• 136. VR-BASED SEPARATION
[Diagram: Coke User in Coke Trust Zone and Pepsi User in Pepsi Trust Zone, each with its own VR (Coke VR, Pepsi VR) and its own Untrust Zone]
• More complex design
• High scale (little additional overhead)
• Overlapping IP addresses supported
• Routing protocols per VR give additional flexibility
• Little to no user-based admin
• 137. LSYS-BASED SEPARATION
[Diagram: Coke LSYS and Pepsi LSYS, each with its own VR, Trust Zone and Untrust Zone]
• Complex design
• Lower scale (possible additional overhead)
• Overlapping IP addresses supported
• Routing protocols per VR give additional flexibility (and introduce performance caveats)
• User-based admin supported
• 138. VIRTUALIZATION: VIRTUAL ROUTERS
• 139. DIFFERENCE IN OWNERSHIP HIERARCHY
ScreenOS: Virtual Router > Zone > Interface > IP Address
JUNOS: Routing Instance > Interface > IP Address, and separately Zone > Interface
Virtual router split from zones in JUNOS
• 140. EXAMPLE WITH 2 INDEPENDENT VRS
[Diagram: Red-VR with zones red-untrust and red-trust; Blue-VR with zones blue-trust and blue-untrust]
• 141. VIRTUAL ROUTERS - SIMPLE EXAMPLE
Create a Virtual Router and bind interfaces to this VR
# Assign Interface IPs like usual
set interfaces fe-0/0/6 unit 0 family inet address 1.0.0.1/24
set interfaces fe-0/0/7 unit 0 family inet address 2.0.0.1/24
set interfaces lo0 unit 0 family inet address 3.0.0.1/32
# Create the Virtual Router, assign two physical and a loopback interface
set routing-instances red-vr instance-type virtual-router
set routing-instances red-vr interface fe-0/0/6.0
set routing-instances red-vr interface fe-0/0/7.0
set routing-instances red-vr interface lo0.0
# Also tie all interfaces to security zones
set security zones security-zone red-untrust interfaces fe-0/0/6.0
set security zones security-zone red-trust interfaces fe-0/0/7.0
# Optional, set a static route in this VR
set routing-instances red-vr routing-options static route 4.0.0.0/24 next-hop 1.0.0.2
# Optional: You can set static routes to get from one VR to another
# If you need to exchange dynamic routes you will need RIB Groups
set routing-instances red-vr routing-options static route 5.0.0.0/24 next-table blue-vr.inet.0
• 142. EXAMPLE WITH 3 CUSTOM AND ONE SHARED VR
[Diagram: Red-VR (red-trust), Blue-VR (blue-trust) and Green-VR (green-trust) sharing the inet.0 VR with zone untrust]
• 143. VIRTUAL ROUTERS ROUTER DEFINITION
Create a Virtual Router and bind interfaces to this VR
# Assign Interface IPs like usual
set interfaces fe-0/0/5 unit 0 family inet address 1.0.0.1/24
set interfaces fe-0/0/6 unit 0 family inet address 2.0.0.1/24
set interfaces fe-0/0/7 unit 0 family inet address 3.0.0.1/24
set interfaces lo0 unit 0 family inet address 4.0.0.1/32
# Create the Virtual Router, assign one physical interface
set routing-instances RED-VR instance-type virtual-router
set routing-instances RED-VR interface fe-0/0/5.0
# Create the Virtual Router, assign one physical interface
set routing-instances BLUE-VR instance-type virtual-router
set routing-instances BLUE-VR interface fe-0/0/6.0
# Create the Virtual Router, assign one physical interface
set routing-instances GREEN-VR instance-type virtual-router
set routing-instances GREEN-VR interface fe-0/0/7.0
• 144. VIRTUAL ROUTERS SECURITY ZONES
Interface binding to zones is defined independently from the VR, BUT all interfaces in the same zone must be bound to the same VR
# Create Zones and assign interfaces
set security zones security-zone red-trust
set security zones security-zone red-trust interfaces fe-0/0/5.0
set security zones security-zone blue-trust
set security zones security-zone blue-trust interfaces fe-0/0/6.0
set security zones security-zone green-trust
set security zones security-zone green-trust interfaces fe-0/0/7.0
# If desired enable management
set security zones security-zone red-trust host-inbound-traffic system-services all
set security zones security-zone red-trust host-inbound-traffic protocols all
set security zones security-zone blue-trust host-inbound-traffic system-services all
set security zones security-zone blue-trust host-inbound-traffic protocols all
# Add policies to permit traffic
edit security policies from-zone red-trust to-zone untrust
set policy outbound1 match source-address any
set policy outbound1 match destination-address any
set policy outbound1 match application any
set policy outbound1 then permit
set policy outbound1 then log session-close session-init
exit
top
• 145. VIRTUAL ROUTERS EXCHANGING ROUTES BETWEEN VIRTUAL ROUTERS
# To set a route from one VR to another just use the instance name as next-table
edit routing-instances BLUE-VR
set routing-options static route 10.0.0.0/8 next-table RED-VR.inet.0
top
# To redistribute Routes that exist in one VR into another use Filters
edit policy-options policy-statement SUMMARY-RED
set term ACCEPT from instance RED-VR
set term ACCEPT from route-filter 10.0.0.0/8 exact
set term ACCEPT then tag 5000
set term ACCEPT then accept
top
set routing-instances BLUE-VR routing-options instance-import SUMMARY-RED
• 146. VIRTUAL ROUTERS RIB-GROUPS
RIB Groups (RIB = Routing Information Base) are useful if you want to share static and dynamic routes between multiple VRs
# Create a rib-group
set routing-options static rib-group test-rib
# Routes imported into the rib-group are distributed to the rib
set routing-options rib-groups test-rib import-rib inet.0
set routing-options rib-groups test-rib import-rib RED-VR.inet.0
# set routing-options rib-groups test-rib import-rib BLUE-VR.inet.0
# set routing-options rib-groups test-rib import-rib GREEN-VR.inet.0
# Only one rib can be used to export (primary-rib by default)
set routing-options rib-groups test-rib export-rib inet.0
# Optional: publish interface routes to the RIB
set routing-instances RED-VR routing-options interface-routes rib-group inet test-rib
set routing-instances BLUE-VR routing-options interface-routes rib-group inet test-rib
set routing-instances GREEN-VR routing-options interface-routes rib-group inet test-rib
• 147. VIRTUAL ROUTERS RIB-GROUPS, FILTER
Filters can be applied to drop unwanted routes
# Create a policy statement
edit policy-options policy-statement into-red
set term reject-to-red from family inet protocol ospf
set term reject-to-red to rib red-vr.inet.0
set term reject-to-red then reject
top
# Apply the Policy to filter routes from the rib-group's export-rib to the member ribs
set routing-options rib-groups test-rib import-policy into-red
• 148. VIRTUAL ROUTERS NOTES AND LIMITATIONS
• RIB Groups are useful to share routes between multiple VRs
• Before JUNOS 10.4 IPSEC VPN interfaces could only be terminated in zones which are assigned to inet.0 (see KB 12866)
• For self initiated management traffic (e.g. syslog, traps ...) the route lookup starts in the default VR (inet.0)
• Interfaces that are not explicitly members of any custom VR are members of inet.0
• DHCP Server and DHCP Relay inside a VR will require JUNOS 10.4r5 or higher
• Static routes from VR1 to VR2 and at the same time from VR2 to VR1 will not commit (potential loop). You have to introduce a third VR as additional hop for one direction.
• 149. VIRTUALIZATION: LOGICAL SYSTEMS
• 150. LOGICAL SYSTEMS
• The Root System (= physical firewall) is always there. The Root Admin can
  create new Lsys
  create user admin(s) for the Lsys
  create and assign Lsys Profiles
  create and assign logical interfaces to Lsys
  configure the interconnect Lsys0
• Lsys0 has a special role as the interconnect Lsys
  all traffic between User Lsys and Rootsys goes through Lsys0
  for this purpose Lsys0 has an lt interface to each Lsys and to the Rootsys
• Lsys1..32 are the user logical systems themselves
• Each user logical system can have
  a number of zones, interfaces and 0, 1 or more Virtual Routers
  exactly one interface to the Interconnect Lsys0 (lt0.x)
  one or more users to configure routing and security inside the Lsys
• 151. EXAMPLE SETUP
# Example Setup
Root System with
  - shared Internet uplink
  - separate VR vrf-root
Interconnect Lsys0 with
  - separate VR vr-ic
  - lt interfaces to the root system and to each Lsys
Two Custom Lsys with
  - private interfaces and zones
  - lt interfaces to the interconnect Lsys0
• 152. LOGICAL SYSTEMS CONFIGURATION 1/4 - PROFILES AND USERS
# Define a Profile for the System Limits for each User Logical System
set system security-profile USER-LSYS policy maximum 50
set system security-profile USER-LSYS policy reserved 25
set system security-profile USER-LSYS address-book maximum 100
set system security-profile USER-LSYS address-book reserved 50
# logical system names are case sensitive; use the same spelling as in the following slides
set system security-profile USER-LSYS logical-system [ COKE-LSYS PEPSI-LSYS ]
# Add the Root System Profile. All off-box logging comes from the Root LSYS.
# If this is undefined then syslog/SNMP will not work
set system security-profile ROOT-LSYS auth-entry maximum 5
set system security-profile ROOT-LSYS policy maximum 5
set system security-profile ROOT-LSYS policy reserved 1
set system security-profile ROOT-LSYS policy-with-count maximum 0
set system security-profile ROOT-LSYS root-logical-system
# Add LSYS to your login classes to assign users to an LSYS
# Users are assigned to a 'login class' to get their rights, and with LSYS
# they also get assigned to an LSYS at the same time
set system login class COKE-LOGIN logical-system COKE-LSYS
set system login class PEPSI-LOGIN logical-system PEPSI-LSYS
# Create Users for each Lsys
set system login user coke class COKE-LOGIN
set system login user pepsi class PEPSI-LOGIN
• 153. LOGICAL SYSTEMS CONFIGURATION 2/4 - INTERCONNECT
# Set up lt-0/0/0.x interfaces in the Interconnect LSYS0
# LSYS0 is layer 2 only and will hold multiple LT interfaces
# all other LSYS will only have a single LT interface
# LT interfaces are paired one-to-one
set logical-systems LSYS0 interfaces lt-0/0/0 unit 0 encapsulation ethernet-vpls
set logical-systems LSYS0 interfaces lt-0/0/0 unit 0 peer-unit 1
set logical-systems LSYS0 interfaces lt-0/0/0 unit 2 encapsulation ethernet-vpls
set logical-systems LSYS0 interfaces lt-0/0/0 unit 2 peer-unit 3
set logical-systems LSYS0 interfaces lt-0/0/0 unit 4 encapsulation ethernet-vpls
set logical-systems LSYS0 interfaces lt-0/0/0 unit 4 peer-unit 5
# Set up lt-0/0/0.x interfaces; LT interfaces in LSYS > 0 need an IP address
# LT Interface in the Rootsys
set interfaces lt-0/0/0 unit 1 encapsulation ethernet
set interfaces lt-0/0/0 unit 1 peer-unit 0
set interfaces lt-0/0/0 unit 1 family inet address 10.0.1.1/24
# LT Interface in the Lsys Coke
set interfaces lt-0/0/0 unit 3 encapsulation ethernet
set interfaces lt-0/0/0 unit 3 peer-unit 0
set interfaces lt-0/0/0 unit 3 family inet address 10.0.1.2/24
# LT Interface in the Lsys Pepsi
set interfaces lt-0/0/0 unit 5 encapsulation ethernet
set interfaces lt-0/0/0 unit 5 peer-unit 0
set interfaces lt-0/0/0 unit 5 family inet address 10.0.1.3/24
• 154. LOGICAL SYSTEMS CONFIGURATION 3/4 - FIRST USER LSYS
# Now set up the COKE Logical System
edit logical-systems COKE-LSYS
set interfaces reth1 unit 1 vlan-id 1
set interfaces reth1 unit 1 family inet address 12.1.1.1/24
edit routing-instances COKE-VR
set instance-type virtual-router
set interface reth1.1
set interface lt-0/0/0.3
# Default route towards the root system's lt interface (10.0.1.1 on lt-0/0/0.1, see 2/4)
set routing-options static route 0.0.0.0/0 next-hop 10.0.1.1
up
set security zones security-zone Coke-Trust
set security zones security-zone Coke-Trust host-inbound-traffic system-services ping
set security zones security-zone Coke-Trust interfaces reth1.1
# lt-0/0/0.3 is the Coke LSYS end of the pair (lt-0/0/0.1 belongs to the root system)
set security zones security-zone Coke-Untrust interfaces lt-0/0/0.3
edit security policies from-zone Coke-Trust to-zone Coke-Untrust
set policy to-Inter-LSYS match source-address any
set policy to-Inter-LSYS match destination-address any
set policy to-Inter-LSYS match application any
set policy to-Inter-LSYS then permit
top
• 155. LOGICAL SYSTEMS CONFIGURATION 4/4 - SECOND USER LSYS
# Now set up the PEPSI Logical System
edit logical-systems PEPSI-LSYS
set interfaces reth1 unit 2 vlan-id 1
set interfaces reth1 unit 2 family inet address 13.1.1.1/24
edit routing-instances PEPSI-VR
set instance-type virtual-router
set interface reth1.2
set interface lt-0/0/0.5
# Default route towards the root system's lt interface (10.0.1.1 on lt-0/0/0.1, see 2/4)
set routing-options static route 0.0.0.0/0 next-hop 10.0.1.1
up
set security zones security-zone PEPSI-Trust
set security zones security-zone PEPSI-Trust host-inbound-traffic system-services ping
set security zones security-zone PEPSI-Trust interfaces reth1.2
set security zones security-zone PEPSI-Untrust interfaces lt-0/0/0.5
edit security policies from-zone PEPSI-Trust to-zone PEPSI-Untrust
set policy to-Inter-LSYS match source-address any
set policy to-Inter-LSYS match destination-address any
set policy to-Inter-LSYS match application any
set policy to-Inter-LSYS then permit
top
• 156. LOGICAL SYSTEMS MONITORING

# Flow statistics
show security flow statistics root-logical-system
show security flow statistics logical-system <all|Lsys>
# Assigned profile and current usage for each individual profile parameter
show system security-profile ? logical-system <all|Lsys>
• 157. VPN
• 158. IPSEC VPN FLAVOURS
  - Policy Based VPN
    - For site-to-site VPNs
    - Upon a match, a security policy sets up a VPN tunnel
  - Route Based VPN
    - For site-to-site VPNs
    - Specify a VPN tunnel interface (st0.x)
    - Upon a match, a security policy permits traffic to this tunnel interface
  - Dynamic VPN
    - For remote access of travelling users
    - Rollout and update of the VPN client software
    - Authenticate users and assign IPs during VPN establishment
• 159. ROUTE BASED VPN
• 160. ROUTE BASED VPN SITE-TO-SITE WITH MAIN MODE (1/3)

# Enable IKE traffic on the untrust interface
edit security zones security-zone untrust interfaces ge-0/0/1.0
set host-inbound-traffic system-services ike
top
# Define the Phase 1 proposal
# group2 is a 1024-bit MODP group, shown here for interoperability; prefer a stronger group (e.g. group14) where both peers support it
edit security ike proposal P1-AES
set authentication-method pre-shared-keys
set dh-group group2
set authentication-algorithm sha1
set encryption-algorithm aes-128-cbc
top
# Define the Phase 2 proposal
set security ipsec proposal P2-AES protocol esp
set security ipsec proposal P2-AES authentication-algorithm hmac-sha1-96
set security ipsec proposal P2-AES encryption-algorithm aes-128-cbc
# Predefined proposal sets also exist
lab@srx-210# set security ike policy ike-policy-1 proposal-set ?
Possible completions:
  basic                IKE proposal-set for basic
  compatible           IKE proposal-set for compatible
  standard             IKE proposal-set for standard
[edit]
• 161. ROUTE BASED VPN SITE-TO-SITE WITH MAIN MODE (2/3)

# Phase 1 gateway definition
set security ike policy IKE-POLICY-1 mode main
set security ike policy IKE-POLICY-1 proposals P1-AES
# "juniper" is a lab placeholder; use a long random pre-shared key in production
set security ike policy IKE-POLICY-1 pre-shared-key ascii-text juniper
set security ike gateway GW1 address 172.16.42.11
# external-interface must be the interface on which IKE was allowed (ge-0/0/1.0 on the previous slide)
set security ike gateway GW1 external-interface ge-0/0/1.0
set security ike gateway GW1 ike-policy IKE-POLICY-1
# Phase 2 VPN definition
set security ipsec policy IPSEC-POLICY-1 proposals P2-AES
set security ipsec policy IPSEC-POLICY-1 perfect-forward-secrecy keys group2
set security ipsec vpn VPN1 ike gateway GW1
set security ipsec vpn VPN1 ike ipsec-policy IPSEC-POLICY-1
# Optional VPN monitor (Phase 2 keepalive as ping inside the tunnel)
set security ipsec vpn VPN1 vpn-monitor optimized
# Use this statement on one side of the VPN to get the tunnel established immediately
set security ipsec vpn VPN1 establish-tunnels immediately
• 162. ROUTE BASED VPN SITE-TO-SITE WITH MAIN MODE (3/3)

# Create a secure tunnel interface
set interfaces st0 unit 0 family inet
# The example puts st0.0 into zone trust; a dedicated zone (e.g. vpn) lets you write explicit
# trust <-> vpn policies instead of relying on intra-zone permits
set security zones security-zone trust interfaces st0.0
# Optional: if a numbered interface is required, set an interface IP
set interfaces st0 unit 0 family inet address 1.1.1.1/28
# Configure routing
set routing-options static route 10.1.1.0/24 next-hop st0.0
# Bind the IPsec VPN to the tunnel interface
set security ipsec vpn VPN1 bind-interface st0.0
# There are global options (system wide for all Phase 2 SAs) for the VPN monitor thresholds
# Default is interval 10, threshold 10, which results in 100 s detection time
set security ipsec vpn-monitor-options interval 3
set security ipsec vpn-monitor-options threshold 3
• 163. ROUTE BASED VPN ADDITIONAL OPTIONS

# Interface number for a second VPN tunnel interface: use the name st0 with another unit
set interfaces st0 unit 1 family inet
# By default the proxy-ID is local 0.0.0.0/0 remote 0.0.0.0/0 service 0
# To override this for third-party compatibility you can manually set one proxy-ID
# When the SRX checks an incoming proxy-ID, a more specific proposed ID matches a less specific configured ID
# Example: remote ID 192.168.1.0/24 is accepted when the configured proxy-ID is 0.0.0.0/0
set security ipsec vpn vpn-1 ike proxy-identity local <net> remote <net> service <svc>
# Next-hop tunnel binding - allows multiple endpoints on one tunnel interface
set interfaces st0 unit 0 multipoint
# Dead peer detection (Phase 1 keepalive as IKE message)
set security ike gateway GW1 dead-peer-detection
• 164. ROUTE BASED VPN BRANCH-TO-CENTRAL WITH AGGRESSIVE MODE (1/2)

Branch site with dynamic IP:
# Phase 1 gateway definition
set security ike policy BRANCH-POLICY mode aggressive
set security ike policy BRANCH-POLICY proposal-set standard
set security ike policy BRANCH-POLICY pre-shared-key ascii-text secret
set security ike gateway CENTRAL-GW ike-policy BRANCH-POLICY
set security ike gateway CENTRAL-GW address 1.1.1.1
set security ike gateway CENTRAL-GW local-identity user-at-hostname "branch@test.de"
set security ike gateway CENTRAL-GW external-interface pp0.0

Central site with fixed IP (1.1.1.1):
# Phase 1 gateway definition
set security ike policy BRANCH-POLICY mode aggressive
set security ike policy BRANCH-POLICY proposal-set standard
set security ike policy BRANCH-POLICY pre-shared-key ascii-text secret
set security ike gateway BRANCH-GW ike-policy BRANCH-POLICY
set security ike gateway BRANCH-GW dynamic user-at-hostname "branch@test.de"
set security ike gateway BRANCH-GW external-interface ge-0/0/0.0
• 165. ROUTE BASED VPN BRANCH-TO-CENTRAL WITH AGGRESSIVE MODE (2/2)

Branch site with dynamic IP:
# Phase 2 definitions with tunnel binding and optional proxy-ID
set security ipsec policy BRANCH-POLICY proposal-set standard
set security ipsec vpn CENTRAL-VPN bind-interface st0.0
set security ipsec vpn CENTRAL-VPN vpn-monitor optimized
set security ipsec vpn CENTRAL-VPN ike gateway CENTRAL-GW
set security ipsec vpn CENTRAL-VPN ike proxy-identity local 10.0.0.0/24
set security ipsec vpn CENTRAL-VPN ike proxy-identity remote 20.0.0.0/24
set security ipsec vpn CENTRAL-VPN ike proxy-identity service any
set security ipsec vpn CENTRAL-VPN ike ipsec-policy BRANCH-POLICY
# Only the branch can initiate: the central site has no fixed address to connect to
set security ipsec vpn CENTRAL-VPN establish-tunnels immediately
# Route into the tunnel
set routing-options static route 20.0.0.0/24 next-hop st0.0

Central site with fixed IP:
# Phase 2 definitions with tunnel binding and optional proxy-ID
set security ipsec policy BRANCH-POLICY proposal-set standard
set security ipsec vpn BRANCH-VPN bind-interface st0.0
set security ipsec vpn BRANCH-VPN vpn-monitor optimized
set security ipsec vpn BRANCH-VPN ike gateway BRANCH-GW
set security ipsec vpn BRANCH-VPN ike proxy-identity local 20.0.0.0/24
set security ipsec vpn BRANCH-VPN ike proxy-identity remote 10.0.0.0/24
set security ipsec vpn BRANCH-VPN ike proxy-identity service any
set security ipsec vpn BRANCH-VPN ike ipsec-policy BRANCH-POLICY
# Route into the tunnel
set routing-options static route 10.0.0.0/24 next-hop st0.0
• 166. POLICY BASED VPN
• 167. POLICY BASED VPN CONFIGURATION
TODO
Technote: http://www.juniper.net/us/en/local/pdf/app-notes/3500175-en.pdf
• 168. VPN WITH CERTIFICATES
• 169. VPN WITH CERTIFICATES (1/6) PKI Operations

# Create a CA profile (simplified, with CRL checking disabled;
# a revoked device certificate will then still authenticate, see slide 173 for CRL checking)
set security pki ca-profile ca-profile-ipsec ca-identity xyz.com
set security pki ca-profile ca-profile-ipsec revocation-check disable
# Create a key pair (1024 bits as on the original slide; use at least 2048 bits for new deployments)
request security pki generate-key-pair certificate-id ca-ipsec size 1024
# Create a certificate request for the local device certificate
request security pki generate-certificate-request certificate-id ca-ipsec subject "CN=srx210-bot,OU=IT,L=LAB" ip-address 10.1.0.1 domain-name srx210-bot.xyz.com

Copy the output of the above command to a file and use it as the signing request for your CA. It is very important to define an "X509v3 Subject Alternative Name". JUNOS supports ip-address, domain-name and email. In this request we define an ip-address and the domain-name. This attribute is used as the IKE-ID and has to match the IKE configuration. The signing CA has to support "X509v3 Subject Alternative Name". E.g. for OpenSSL you have to modify the file "openssl.cnf" like this:

# Extension copying option: use with caution.
copy_extensions = copy
• 170. VPN WITH CERTIFICATES (2/6)

Copy the signed certificate and the CA root certificate from the CA to the SRX file system.

# Load the signed certificate from the file system
request security pki local-certificate load certificate-id ca-ipsec filename /var/tmp/certnew.cer
# Load the CA root certificate from the file system
request security pki ca-certificate load ca-profile ca-ipsec filename /var/tmp/CA-certnew.cer
• 171. VPN WITH CERTIFICATES (3/6)

lab@SRX210-bot> show security pki ca-certificate
Certificate identifier: ca-profile-ipsec
  Issued to: ic.xyz.com, Issued by: C = US, ST = CA, L = Sunnyvale, O = XYZ, OU = IT, CN = ic.xyz.com, emailAddress = user@xyz.com
  Validity:
    Not before: 09-18-2009 13:25
    Not after: 10-27-2013 13:25
  Public key algorithm: rsaEncryption(1024 bits)

lab@SRX210-bot> show security pki local-certificate detail
Certificate identifier: ca-ipsec
  Certificate version: 3
  Serial number: 00000010
  Issuer:
    Organization: XYZ, Organizational unit: IT, Country: US, State: CA, Locality: Sunnyvale, Common name: ic.xyz.com
  Subject:
    Organizational unit: IT, Locality: LAB, Common name: srx210-bot
  Alternate subject: email empty, srx210-bot.xyz.com, 10.1.0.1
  Validity:
    Not before: 12-28-2010 13:17
    Not after: 02- 5-2015 13:17
  Public key algorithm: rsaEncryption(1024 bits)
    30:81:89:02:81:81:00:aa:e8:f0:49:0f:0d:28:9e:71:5b:a7:c1:64
    …
    bc:b2:7f:6c:26:f3:8c:54:dc:2b:7f:3d:64:0d:09:02:03:01:00:01
  Signature algorithm: sha1WithRSAEncryption
  Fingerprint:
    28:1d:f4:b6:96:41:8d:13:fa:dd:7d:fd:26:ed:2b:53:15:88:bd:97 (sha1)
    e3:1b:af:db:e7:e9:90:99:5a:c7:ac:d4:e2:ef:2a:da (md5)
  Auto-re-enrollment:
    Status: Disabled
    Next trigger time: Timer not started
• 172. VPN WITH CERTIFICATES (4/6) VPN Configuration

The "local-identity" has to match the "X509v3 Subject Alternative Name" of the gateway's local certificate, because it is sent as the IKE-ID. Since 10.2 there is a hidden command "set security ike gateway srx210-top general-ikeid" to ignore an IKE-ID mismatch (this loosens peer authentication: any holder of a certificate from a trusted CA is then accepted on this gateway, so use it for troubleshooting only). Nevertheless the certificate needs an "X509v3 Subject Alternative Name" to get Phase 1 up. The IPsec configuration is the same as with pre-shared keys.

# Create the IKE proposal
set security ike proposal P1-AES-CERT authentication-method rsa-signatures
set security ike proposal P1-AES-CERT dh-group group2
set security ike proposal P1-AES-CERT authentication-algorithm sha1
set security ike proposal P1-AES-CERT encryption-algorithm aes-256-cbc
# Create the IKE policy
set security ike policy ike-policy-1 mode main
set security ike policy ike-policy-1 proposals P1-AES-CERT
set security ike policy ike-policy-1 certificate local-certificate ca-ipsec
set security ike policy ike-policy-1 certificate trusted-ca use-all
set security ike policy ike-policy-1 certificate peer-certificate-type x509-signature
# Create the IKE gateway
set security ike gateway srx210-top ike-policy ike-policy-1
set security ike gateway srx210-top address 10.1.0.10
# local-identity is the ip-address SAN of the local certificate requested on slide 169
set security ike gateway srx210-top local-identity inet 10.1.0.1
set security ike gateway srx210-top external-interface ge-0/0/1.0
• 173. VPN WITH CERTIFICATES (5/6) Advanced Features: CRL checking and SCEP auto-enrollment

# Create a CA profile with CRL checking and SCEP
set security pki ca-profile RSA_CA_LAB ca-identity RSA-CA
set security pki ca-profile RSA_CA_LAB enrollment url https://10.100.160.59:446/aca4eeb14189074335ac14b30259698fa8862b66/pkiclient.exe
set security pki ca-profile RSA_CA_LAB revocation-check crl url http://10.100.160.59:447/RSA-CA.crl
set security pki ca-profile RSA_CA_LAB revocation-check crl refresh-interval 24
set security pki auto-re-enrollment certificate-id SRX-210-HQ ca-profile-name RSA_CA_LAB
set security pki auto-re-enrollment certificate-id SRX-210-HQ challenge-password "$9$3qaq6/t0ORSyKu0LxdVY2"
set security pki auto-re-enrollment certificate-id SRX-210-HQ re-enroll-trigger-time-percentage 5
• 174. VPN WITH CERTIFICATES (6/6)

root@SRX-210-HQ-1> show security pki crl detail | no-more
CA profile: RSA_CA_LAB
  CRL version: V00000001
  CRL issuer: C = CH, O = SA, OU = Security, CN = RSA-CA
  Effective date: 11- 9-2010 13:54
  Next update: 11-10-2010 13:54
  Revocation List:
    Serial number                      Revocation date
    1b9433a6682555883abf042c15e602da   06-10-2010 07:54
    21fffde9d68115b3d9335a97c8744b46   11- 9-2010 13:30
    4a5c1a9e624cd522b49f0485272c42b4   06-10-2010 08:28
    4de41accc7e4cc606a1dad93cb510092   06-22-2010 06:31
    59304b23b9e6f80abd9fe0325af16b80   06- 9-2010 14:16
    5b336a94660f5a69e00b48af9662b71d   11- 8-2010 17:36
    678a297eccfe78ab0d693ff162e8cdf4   06- 9-2010 15:01
    6bf7aff47f68f8687a1f14f0df2b014a   11- 8-2010 15:48
    6f4168f96a06957ac769be5465f753a2   06- 9-2010 15:09
    8610479e69f64eb08972b27bba24365a   06-10-2010 07:47
    89ac59d9df40954feac5c57e4d0739a2   11- 9-2010 13:31
    bec78a93e4101f71c782784b34c33ef4   11- 9-2010 10:47
    cadd34f4f77f5042198792dd02cbcb1a   06-22-2010 07:35
    e87b6aa7ea5562ecdd1379e51bb02ba8   06- 9-2010 13:24
• 175. VPN DIAGNOSTICS
• 176. IPSEC VPN MONITORING AND TROUBLESHOOTING (1)

### Ping through the VPN - sometimes you have to set the source interface
# or the routing instance to get the ping into the tunnel
ping 192.168.1.1 [routing-instance xx] interface fe-0/0/7.0

### Monitoring
# Phase 1 - cookies
show security ike security-associations
# Phase 2 - security associations
show security ipsec security-associations
# IPsec and interface statistics
show security ipsec statistics
show interfaces st0 [terse|detail]
# Manually clear tunnels
clear security ike security-associations
clear security ipsec security-associations
# Logs and traces are by default written to the file kmd
file show /var/log/kmd | last

### JUNOS 11.4 and 12.1X44 have several improvements for IPsec troubleshooting
# 1. Extended output for show security ike|ipsec security-associations
# 2. Start debugging for a certain peer pair without a commit; output is written to kmd
request security ike debug-enable local 10.1.1.10 remote 10.1.1.30 level 15
request security ike debug-disable
show security ike debug-status
# 3. Inactive tunnel information
show security ipsec inactive-tunnels
• 177. IPSEC VPN MONITORING AND TROUBLESHOOTING (2)

Tunnel interface up/down is logged in syslog:
Jul 29 11:34:08 192.168.1.1 Jul 29 11:34:08 mib2d[921]: SNMP_TRAP_LINK_UP: ifIndex 253, ifAdminStatus up(1), ifOperStatus up(1), ifName st0.0
Jul 29 11:34:08 192.168.1.1 Jul 29 11:34:08 rpd[897]: EVENT UpDown st0.0 index 80 <Up Broadcast PointToPoint Multicast>
Jul 29 11:34:08 192.168.1.1 Jul 29 11:34:08 srx650-1 IFP trace> ifp_ifl_anydown_change_event: IFL anydown change event: "st0.0"

If more details are required, use an IKE trace file:
set security ike traceoptions file VPNtrace
set security ike traceoptions file files 3
set security ike traceoptions file size 1m
set security ike traceoptions flag ike
set security ike traceoptions flag policy-manager
# Deactivate the traceoptions again after troubleshooting; the trace contains peer identities and negotiation details
• 178. IPSEC VPN MONITORING AND TROUBLESHOOTING (3)

Example output from the IKE trace file:
Jul 29 12:32:39 ike_st_o_all_done: MESSAGE: Phase 1 { 0x4a583c5c adb05f96 - 0xebace718 6f0a0626 } / 00000000, version = 1.0, xchg = Identity protect, auth_method = Pre shared keys, Initiator, cipher = aes-cbc, hash = sha1, prf = hmac-sha1, life = 0 kB / 3600 sec, key len
Jul 29 12:32:39 10.2.1.1:500 (Initiator) <-> 10.2.1.100:500 { 4a583c5c adb05f96 - ebace718 6f0a0626 [-1] / 0x00000000 } IP; MESSAGE: Phase 1 version = 1.0, auth_method = Pre shared keys, cipher = aes-cbc, hash = sha1, prf = hmac-sha1, life = 0 kB / 3600 sec, key len = 12
Jul 29 12:32:39 10.2.1.1:500 (Initiator) <-> 10.2.1.100:500 { 4a583c5c adb05f96 - ebace718 6f0a0626 [0] / 0x774c39de } QM; MESSAGE: Phase 2 connection succeeded, Using PFS, group = 2
Jul 29 12:32:39 ike_qm_call_callback: MESSAGE: Phase 2 connection succeeded, Using PFS, group = 2
Jul 29 12:32:39 10.2.1.1:500 (Initiator) <-> 10.2.1.100:500 { 4a583c5c adb05f96 - ebace718 6f0a0626 [0] / 0x774c39de } QM; MESSAGE: SA[0][0] = ESP aes, life = 0 kB/28800 sec, group = 2, tunnel, hmac-sha1-96, key len = 128, key rounds = 0
Jul 29 12:32:39 ike_qm_call_callback: MESSAGE: SA[0][0] = ESP aes, life = 0 kB/28800 sec, group = 2, tunnel, hmac-sha1-96, key len = 128, key rounds = 0

# Example output for a proposal mismatch in Phase 2 looks like this:
Jul 29 12:40:25 10.2.1.1:500 (Responder) <-> 10.2.1.100:500 { a0e2f3a5 e02b5e54 - 9b9f2cf3 bf990db6 [0] / 0xf1d579af } QM; Error = No proposal chosen (14)

# Example output for a proxy-ID mismatch looks like this:
Apr 19 12:47:20 KMD_PM_P2_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-2 [responder] failed for p1_local=ipv4(udp:500,[0..3]=172.16.42.210) p1_remote=usr@fqdn(udp:500,[0..14]=testvpn@lab.com) p2_local=ipv4_subnet(any:0,[0..7]=10.0.42.210/24) p2_remote=ipv4_subnet(any:0,[0..7]=192.16.42.220/24)
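Reading kmd traces by eye gets old quickly, and the proxy-ID rule from slide 163 (a more specific proposed ID is accepted by a less specific configured one) is exactly what the KMD_PM_P2_POLICY_LOOKUP_FAILURE line lets you check mechanically. The following is an added example, not part of the original deck: it classifies trace lines of the shapes shown on slides 177 and 178 into Phase 1 done, Phase 2 up, proposal mismatch and proxy-ID mismatch, extracts the proposed p2_local/p2_remote networks, and explains which side of a configured proxy-ID they fail against. The sample lines are constructed after the slide's excerpts, and the configured proxy-IDs passed in are assumptions for the demonstration.

```python
"""Triage of kmd IKE trace lines plus a proxy-ID compatibility check.

Added example for this page (not from the original deck). The sample lines are
constructed after the trace excerpts on the slide; the matching rule implements
the slide's statement that a more specific proposed proxy-ID is accepted by a
less specific configured one.
"""
import re
from ipaddress import ip_network
from typing import Dict, List, Optional

# "10.2.1.1:500 (Initiator) <-> 10.2.1.100:500"
PEERS_RE = re.compile(
    r"(?P<local>\d+\.\d+\.\d+\.\d+):\d+ \((?P<role>Initiator|Responder)\) "
    r"<-> (?P<remote>\d+\.\d+\.\d+\.\d+):\d+"
)
# "p2_local=ipv4_subnet(any:0,[0..7]=10.0.42.210/24)"
P2_ID_RE = re.compile(
    r"p2_(?P<side>local|remote)=ipv4_subnet\((?P<svc>[^:]+):\d+,\[[^\]]*\]=(?P<net>[\d.]+/\d+)\)"
)

# Constructed sample trace, modelled on the slide's excerpts.
SAMPLE_TRACE = [
    "Jul 29 12:32:39 10.2.1.1:500 (Initiator) <-> 10.2.1.100:500 { 4a583c5c adb05f96 - ebace718 6f0a0626 "
    "[-1] / 0x00000000 } IP; MESSAGE: Phase 1 version = 1.0, auth_method = Pre shared keys, cipher = aes-cbc, "
    "hash = sha1, prf = hmac-sha1, life = 0 kB / 3600 sec, key len = 128",
    "Jul 29 12:32:39 10.2.1.1:500 (Initiator) <-> 10.2.1.100:500 { 4a583c5c adb05f96 - ebace718 6f0a0626 "
    "[0] / 0x774c39de } QM; MESSAGE: Phase 2 connection succeeded, Using PFS, group = 2",
    "Jul 29 12:40:25 10.2.1.1:500 (Responder) <-> 10.2.1.100:500 { a0e2f3a5 e02b5e54 - 9b9f2cf3 bf990db6 "
    "[0] / 0xf1d579af } QM; Error = No proposal chosen (14)",
    "Apr 19 12:47:20 KMD_PM_P2_POLICY_LOOKUP_FAILURE: Policy lookup for Phase-2 [responder] failed for "
    "p1_local=ipv4(udp:500,[0..3]=172.16.42.210) p1_remote=usr@fqdn(udp:500,[0..14]=testvpn@lab.com) "
    "p2_local=ipv4_subnet(any:0,[0..7]=10.0.42.210/24) p2_remote=ipv4_subnet(any:0,[0..7]=192.16.42.220/24)",
]


def classify_trace_line(line: str) -> Optional[Dict[str, str]]:
    """Map one kmd trace line to a finding dict, or None for lines we do not triage."""
    if "KMD_PM_P2_POLICY_LOOKUP_FAILURE" in line:
        found = {"kind": "p2_proxy_id_mismatch"}
        for m in P2_ID_RE.finditer(line):          # proposed IDs, seen from the responder
            found[f"{m['side']}_net"] = m["net"]
            found[f"{m['side']}_service"] = m["svc"]
        return found
    m = PEERS_RE.search(line)
    if not m:
        return None
    base = {"local": m["local"], "remote": m["remote"], "role": m["role"]}
    if "Error = No proposal chosen" in line:
        return {"kind": "p2_no_proposal" if "QM;" in line else "p1_no_proposal", **base}
    if "MESSAGE: Phase 1" in line:
        return {"kind": "p1_done", **base}
    if "Phase 2 connection succeeded" in line:
        return {"kind": "p2_ok", **base}
    return None


def proxy_id_accepts(cfg_local: str, cfg_remote: str, cfg_service: str,
                     peer_local: str, peer_remote: str, peer_service: str = "any") -> bool:
    """Responder rule from slide 163: proposed nets must lie inside the configured nets
    (0.0.0.0/0 accepts anything); the service must match or be configured as any."""
    ok_local = ip_network(peer_local, strict=False).subnet_of(ip_network(cfg_local, strict=False))
    ok_remote = ip_network(peer_remote, strict=False).subnet_of(ip_network(cfg_remote, strict=False))
    ok_service = cfg_service == "any" or cfg_service == peer_service
    return ok_local and ok_remote and ok_service


def explain_proxy_id_failure(finding: Dict[str, str], cfg_local: str, cfg_remote: str,
                             cfg_service: str = "any") -> List[str]:
    """Say which part of the proposed proxy-ID the configured one rejects."""
    reasons: List[str] = []
    for side, cfg in (("local", cfg_local), ("remote", cfg_remote)):
        proposed = finding.get(f"{side}_net")
        if proposed and not ip_network(proposed, strict=False).subnet_of(ip_network(cfg, strict=False)):
            reasons.append(f"proposed {side} {proposed} is not within configured {side} proxy-id {cfg}")
    svc = finding.get("local_service", "any")
    if cfg_service != "any" and svc != cfg_service:
        reasons.append(f"proposed service {svc} does not match configured service {cfg_service}")
    return reasons


if __name__ == "__main__":
    for line in SAMPLE_TRACE:
        f = classify_trace_line(line)
        print(f["kind"], f)
        if f["kind"] == "p2_proxy_id_mismatch":
            # Assumed local configuration for the demonstration.
            print(explain_proxy_id_failure(f, "10.0.42.0/24", "192.168.42.0/24"))
```

On the sample, the mismatch is pinned to the remote side (192.16.42.220/24 against 192.168.42.0/24), which is the kind of one-digit typo that otherwise costs an afternoon; `ip_network(..., strict=False)` is needed because kmd prints host addresses with a prefix length rather than network addresses.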
• 179. VPN CONFIGURATION AND TROUBLESHOOTING FLOW CHART WITH KNOWLEDGEBASE ENTRIES
(flow chart not reproduced in this transcript)
• 180. DYNAMIC VPN CLIENT
• 181. LICENSING FOR DYNAMIC VPN
By default all branch SRX include a license for up to 2 connections. If you need more than 2 connections, there are licenses available. Licenses are additive (two 5-user licenses give you access for up to 10 users). The client is included as part of the JUNOS image and can be downloaded from the SRX. In 11.1 the dynamic VPN client was replaced with the JUNOS Pulse client.
• 182. DYNAMIC VPN NOTES AND LIMITATIONS
  - The Dynamic VPN feature is available for branch SRX, not for data center SRX
  - The following limitations were removed with 10.4:
    - Before 10.4 an external RADIUS server was mandatory for authentication and IP address assignment; local users and IP pools were not supported
    - Before 10.4 an IKE gateway was required for each and every VPN user; 10.4 introduces shared/group IKE-IDs
    - Before 10.4 only hostnames were allowed as IKE-ID (no FQDN, no email address)
    - Before 10.4 access to the authentication page required the public interface to be opened for web management
  - In 11.2R3 the capacities for Dynamic VPN were increased:
    - SRX-RAC-500-LTU for SRX650 - requires JUNOS 11.2R3
    - SRX-RAC-250-LTU for SRX240 and SRX650 - requires JUNOS 11.2R3
    - SRX-RAC-150-LTU for SRX650/240/220
    - SRX-RAC-25-LTU for SRX210/100
• 183. DYNAMIC VPN - PREPARATION

The following notes are based on pre-10.4 releases. It is better to use the latest, excellent configuration example from http://kb.juniper.net/index?page=content&id=KB14318. Since 11.4 J-Web offers a wizard to complete the configuration. There is also a good troubleshooting guide at http://kb.juniper.net/KB17220.

# Set the correct time zone, date and time (NTP); certificates are only valid with a correct clock
set system time-zone Europe/Berlin
# In operational mode
srx> set date YYYYMMDDhhmm.ss
or
srx> set date ntp de.pool.ntp.org
27 Apr 16:10:48 ntpdate[981]: step time server 213.61.224.44 offset 0.000876 sec
# Use this configuration statement to activate a self-signed certificate (unless you have a signed one)
set system services web-management https system-generated-certificate
# and enable https traffic on the desired interface (this statement opens it zone-wide;
# restrict it to the interface facing the clients where possible)
set security zones security-zone untrust host-inbound-traffic system-services https
# Since 10.3: if an interface accepts dynamic-vpn connections, all http traffic is redirected to
# https://<ip>/dynamic-vpn, so you can no longer manage on this interface unless you
# specify a URL (see KB19411)
set system services web-management management-url admin
• 184. VPN CONFIGURATION

# Enable IKE traffic on the untrust interface
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ike
# Define the Phase 1 proposal
set security ike proposal P1-Dynamic-AES authentication-method pre-shared-keys
set security ike proposal P1-Dynamic-AES dh-group group2
set security ike proposal P1-Dynamic-AES authentication-algorithm sha1
set security ike proposal P1-Dynamic-AES encryption-algorithm aes-128-cbc
# Define the Phase 2 proposal
set security ipsec proposal P2-Dynamic-AES protocol esp
set security ipsec proposal P2-Dynamic-AES authentication-algorithm hmac-sha1-96
set security ipsec proposal P2-Dynamic-AES encryption-algorithm aes-128-cbc
• 185. VPN CONFIGURATION

# Phase 1 - gateway definition
set security ike policy dynvpn mode aggressive
set security ike policy dynvpn proposals P1-Dynamic-AES
set security ike policy dynvpn pre-shared-key ascii-text juniper
set security ike gateway gw-dyn dynamic hostname dynvpn.juniper.net
set security ike gateway gw-dyn external-interface ge-0/0/1.0
set security ike gateway gw-dyn ike-policy dynvpn
set security ike gateway gw-dyn xauth access-profile vpn-users
# Phase 2 - VPN definition
set security ipsec policy dynvpn proposals P2-Dynamic-AES
set security ipsec policy dynvpn perfect-forward-secrecy keys group2
set security ipsec vpn ipsec-dyn ike gateway gw-dyn
set security ipsec vpn ipsec-dyn ike ipsec-policy dynvpn
• 186. VPN CONFIGURATION

Add an access profile and user definitions for the IPsec client authentication (used with xauth):
# Create a profile
set access profile vpn-users authentication-order password
# Add two users to this profile
set access profile vpn-users client thomas firewall-user password secret1
set access profile vpn-users client peter firewall-user password secret2
# The above definition with local users may work, but officially
# xauth for IPsec is only supported together with RADIUS authentication:
set access profile radius_profile authentication-order radius
set access profile radius_profile radius-server 10.204.129.50 secret xxx

Allow the same users from the local profile to log in for the IPsec client download:
set access firewall-authentication pass-through default-profile vpn-users
• 187. VPN CONFIGURATION

Prepare a policy to permit the clients' traffic:
# Install a policy for VPN clients
edit security policies from-zone untrust to-zone trust policy policy-dynvpn
set match source-address any
set match destination-address any
set match application any
set then permit tunnel ipsec-vpn ipsec-dyn
set then log session-close
exit
# And move it to the beginning, ahead of the default permit
edit security policies from-zone untrust to-zone trust
insert policy policy-dynvpn before policy default-permit
exit
• 188. VPN CONFIGURATION

Prepare the security policy to be delivered to the client:
# Upgrade the policy on the VPN client (if the client's local policy is older)
set security dynamic-vpn force-upgrade
# User profile for loading the client
set security dynamic-vpn access-profile vpn-users
# Destinations that are reachable through the VPN
set security dynamic-vpn clients client-1 remote-protected-resources 192.168.1.0/24
# Destinations that are reachable without going through the VPN
# (0.0.0.0/0 here means split tunnelling: only the protected resources are tunnelled)
set security dynamic-vpn clients client-1 remote-exceptions 0.0.0.0/0
# VPN definitions and proposals used
set security dynamic-vpn clients client-1 ipsec-vpn ipsec-dyn
# Users that may log in with this profile
set security dynamic-vpn clients client-1 user thomas
set security dynamic-vpn clients client-1 user peter
• 189. LOGIN TO DOWNLOAD VPN CLIENT
URL is https://<SRXIP>/dynamic-vpn/
• 190. LOGIN TO DOWNLOAD VPN CLIENT
• 191. XAUTH - ACCESS MANAGER PROMPTS FOR USERNAME
• 192. ACCESS MANAGER WHEN TUNNEL IS ESTABLISHED
• 193. MANAGEMENT LOGGING MONITORING
• 194. ADMIN USERS AND MANAGEMENT ACCESS
• 195. ADMIN USERS

Set the password of the root user:
root> configure
root# set system root-authentication plain-text-password
New password:
Retype new password:

Add another user:
root# set system login user netscreen class super-user authentication plain-text-password
New password:
Retype new password:
• 196. USER ROLES

# Predefined user roles
lab@srx5600# set system login user <username> class ?
Possible completions:
  <class>              Login class
  operator             permissions [ clear network reset trace view ]
  read-only            permissions [ view ]
  super-user           permissions [ all ]
  unauthorized         permissions [ none ]
[edit]

# Define a new user role - it is even possible to restrict or permit individual commands
root# set system login class new-role ?
Possible completions:
  allow-commands       Regular expression for commands to allow explicitly
  allow-configuration  Regular expression for configure to allow explicitly
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  deny-commands        Regular expression for commands to deny explicitly
  deny-configuration   Regular expression for configure to deny explicitly
  idle-timeout         Maximum idle time before logout (minutes)
  login-alarms         Display system alarms when logging in
  login-script         Execute this login-script when logging in
  login-tip            Display tip when logging in
+ permissions          Set of permitted operation categories
[edit]
• 197. CUSTOM ADMINISTRATOR CLASS

# Example of an admin class that can configure only certain policies
edit system login class AREA1
set permissions configure
set allow-configuration routing-instances VR-1
set allow-configuration security policies from-zone trust-1 to-zone untrust-1
set allow-configuration security policies from-zone untrust-1 to-zone trust-1
set allow-configuration security zones security-zone trust-1
set allow-configuration security zones security-zone untrust-1
top
edit system login user admin1
set class AREA1
set authentication encrypted-password "$1$6xZjWBto$6PBu4Yf17rMgd.Gm3OGUo/"
top
• 198. RADIUS

# Define server IP, port and shared secret
set system radius-server 10.0.0.100 port 1812 secret abc
# Define the authentication order (local password first, then RADIUS)
set system authentication-order password
set system authentication-order radius
# Specify the source IP, useful when using VPN tunnels or a non-fxp0 interface
set system radius-server 172.30.81.141 source-address 172.30.80.11
# Assign a class to the remotely authenticated users
# By default all RADIUS users are mapped to the user "remote"
set system login user remote full-name "All Remote Users"
set system login user remote class operator
......
# untested - idle timeout of 30 minutes; idle-timeout belongs to a custom login class
# (here named "remote"), which the user "remote" would then have to be assigned to
root# set system login class remote idle-timeout 30
# Online help
help topic system server-radius
help topic system radius
• 199. TACACS+

# Define server IP and shared secret
set system tacplus-server 172.16.30.1 secret Tacacssecret1
# Define the authentication order (local users first, then tacplus)
set system authentication-order password
insert system authentication-order tacplus after password
# Specify the source IP, useful when using VPN tunnels or a non-fxp0 interface
set system tacplus-server 172.16.30.1 source-address 10.0.0.1
# Assign a class to the remotely authenticated users
# By default all TACACS+ users are mapped to the user "remote"
set system login user remote full-name "All Remote Users"
set system login user remote class operator
# Set the idle timeout for users of a custom class to 30 minutes
# (the user "remote" must be assigned to this class for it to take effect)
root# set system login class remote idle-timeout 30
# Online help
help topic system tacplus
• 200. COOPERATION WITH OTHER USERS ON THE CLI

# Show which other users are currently logged in on the CLI
show system users
# Write a message to all users
request message all message "Anybody logged in ? Please respond with request message"
# Drop a user
request system logout user <user>
# Drop the connection on a certain terminal
request system logout terminal <terminal>
# Lock the configuration against other edits
configure exclusive
# Display a message before login
set system login message "Unauthorized Access is prohibited"
# Display a message after login
set system login announcement "Don't Forget !!!\nUpgrade is scheduled for Friday noon"
• 201. RESTRICTING MANAGEMENT ACCESS
• 202. MANAGEMENT ACCESS OVERVIEW

Current state and changes over time:
  - Individual protocols must be enabled/disabled per zone or interface (host-inbound-traffic).
  - A stateless firewall filter can be applied to interfaces to restrict protocols or source IPs.
  - Since JUNOS 11.4 self-traffic policies (firewall policies with the zone junos-host) are the easiest way to restrict management traffic. They also allow all available inspection techniques (AppFW, AppTrack, IDP ...) to be used on management traffic.
• 203. PERMIT/RESTRICT MANAGEMENT ACCESS

# First the desired service must be running. By default only some services are started
# (the original slide marked the JUNOS 9.6 defaults in bold; check "show configuration system services" on your release)
set system services ssh
set system services web-management http interface ge-0/0/0.0
set system services telnet
set system services ftp
# telnet and ftp are cleartext; leave them disabled unless a legacy tool really needs them
# HTTPS access may use a self-signed certificate
# Set date and time first (in operational mode) before you activate the self-signed certificate
srx> set date YYYYMMDDhhmm.ss
or
srx> set date ntp de.pool.ntp.org
27 Apr 16:10:48 ntpdate[981]: step time server 213.61.224.44 offset 0.000876 sec
# Use this configuration statement to activate a self-signed certificate (unless you have a signed one)
set system services web-management https system-generated-certificate
# Finally you can specify the allowed services and protocols per zone
edit security zones security-zone trust host-inbound-traffic
set system-services all
set protocols all
top
# or per interface. Per-interface definitions override the per-zone permissions for that interface
edit security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic
set system-services https
set system-services ssh
set system-services ping
top
• 204. RESTRICT SOURCES FOR MANAGEMENT ACCESS

Before 11.4, management access for certain source IPs had to be restricted with a stateless firewall filter. The filter can be tied to each interface where host-inbound-traffic is permitted, or directly to the loopback interface lo0.0.

# Example to restrict access to the Routing Engine to a certain subnet
# A first term specifies the permitted sources
set firewall family inet filter PROTECT-RE term 1 from source-address 192.168.42.0/24
set firewall family inet filter PROTECT-RE term 1 from source-address <CUSTOMER-NETWORK/24>
set firewall family inet filter PROTECT-RE term 1 then accept
# A second term can be used to count all other attempts and fall through to the last term
set firewall family inet filter PROTECT-RE term 2 from source-address 0.0.0.0/0
set firewall family inet filter PROTECT-RE term 2 then count ACCESS-ATTEMPT-RE
set firewall family inet filter PROTECT-RE term 2 then next term
# A third term can be written to drop all other attempts (but this is the default already,
# because every filter ends with an implicit "discard all" term; "reject" additionally sends an ICMP error)
set firewall family inet filter PROTECT-RE term 3 from source-address 0.0.0.0/0
set firewall family inet filter PROTECT-RE term 3 then reject
# Now we are ready to assign the filter to an interface
# If you bind the filter to lo0.0 it is applied to traffic destined for the RE arriving on all interfaces.
# Caution: a source-only filter like this one also hits routing-protocol neighbours, NTP servers and
# IKE peers that are not listed in term 1 - see the template on the next slide
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
# To protect the out-of-band management interface fxp0 you need to assign the filter there explicitly
set interfaces fxp0 unit 0 family inet filter input PROTECT-RE
# To monitor access attempts you can later use the counter with the following command
show firewall filter PROTECT-RE counter ACCESS-ATTEMPT-RE
• 205. A TEMPLATE FOR MANAGEMENT ACCESS
  # Firewall filter example to restrict management access. Terms are evaluated in order and
  # the first match wins. "port" matches the source or the destination port; "discard" drops
  # silently (use "reject" if you want an ICMP unreachable sent back).
  edit firewall filter RE_Protection
  set term in-ssh from source-address <trusted host or network>
  set term in-ssh from protocol tcp
  set term in-ssh from destination-port ssh
  set term in-ssh then accept
  set term snmp from source-address <SNMP Poller>
  set term snmp from protocol udp
  set term snmp from port snmp
  set term snmp then accept
  set term ntp from source-address <NTP SERVER>/32
  set term ntp from protocol udp
  set term ntp from port ntp
  set term ntp then accept
  # Management protocols from any other source are dropped ...
  set term deny-any-other-ssh from protocol tcp
  set term deny-any-other-ssh from port ssh
  set term deny-any-other-ssh from port telnet
  set term deny-any-other-ssh from port ftp
  set term deny-any-other-ssh from port ftp-data
  set term deny-any-other-ssh then discard
  set term deny-any-other-udp from protocol udp
  set term deny-any-other-udp from port snmp
  set term deny-any-other-udp from port snmptrap
  set term deny-any-other-udp from port ntp
  set term deny-any-other-udp then discard
  # ... and everything else addressed to the RE (routing protocols, ICMP, IKE, DNS replies) is accepted
  set term allow-everything-else then accept
  top
  # Bind the filter to lo0.0 (and to fxp0.0) as shown on the previous slide. Add "then count"
  # or "then log" to the discard terms if you want to see who is knocking.
• 206. SELF TRAFFIC FIREWALL POLICIES
  # Beginning with JUNOS 11.4, traffic from and to the SRX itself
  # can be permitted/denied with security policies.
  # This uses the new security zone "junos-host".
  #
  # Self-traffic is anything from/to the RE via any of the local interfaces.
  #
  # By default all traffic from/to zone junos-host is permitted, so nothing changes until you
  # configure a policy for junos-host. Such a policy is an additional barrier: host-inbound-traffic
  # (and an RE filter, if configured) are still evaluated.
  # Example: log and tunnel outbound traffic
  edit security policies from-zone junos-host to-zone zone-untrust policy LOG
  set match ......
  set then permit tunnel ……
  set then log session-close
  top
  # Example: IDP for inbound traffic
  edit security policies from-zone zone-untrust to-zone junos-host policy INSPECT
  set match ......
  set then permit application-services idp
  set then log session-close
  top
• 207. IN-BAND OR OUT-BAND MANAGEMENT
• 208. IN-BAND OR OUT-BAND MANAGEMENT
  What is the difference?
  - Out-of-band management connections use the management interface fxp0
  - In-band management connections use an interface which also forwards traffic (for example ge-x/x/x, fe-x/x/x or rethx)
  What are the advantages and disadvantages?
  - Out-of-band management through fxp0
    - In an HA cluster fxp0 is the only interface which is reachable on the passive node
    - fxp0 is attached to the default routing instance (inet.0) and can not be moved to another virtual router
    - fxp0 is attached to the control plane; no traffic can be forwarded from any other interface to fxp0
    - In stream mode, which is required for high-performance logging, security logs can not be sent out via fxp0
  - In-band management
    - In HA clusters the passive node can not communicate on any in-band management interface; direct access, monitoring, delivery of software updates, scripts and attack database updates to this node is not possible and requires workarounds
    - In-band management interfaces can be assigned to any virtual router
    - In-band interfaces allow high-performance logging (stream mode)
• 209. WHICH WAY SHOULD I CHOOSE?
  - Out-of-band management is preferred
    - for any data center SRX cluster, because NSM management of the cluster as a virtual chassis (a single in-band connection) is not supported there
    - for any branch SRX cluster where the management systems can connect directly to the fxp0 interfaces, i.e. they are on the same side of the firewall as the management interfaces (see the next slides for details)
  - In-band management is preferred
    - in all branch SRX installations which are not clusters
    - in all branch SRX cluster installations where the central management sits at a central position and would have to cross the primary SRX before it can even reach the fxp0 interface of the passive cluster member
  - Hint for clusters: the virtual chassis management option is required for NSM to add the cluster with a single in-band management connection.
  - Hint for clusters: when using in-band management you can leave the fxp0 interfaces on both members completely unconfigured
• 210. IN-BAND MANAGEMENT: UPDATES FOR THE PASSIVE NODE
  When in-band management is used, the second node is not directly reachable for management. This can cause issues for some operations:
  - Software updates
    - Use the ISSU or LICU cluster upgrade procedure. They require the image to be copied only to the primary device; it is copied automatically to the secondary device
  - Attack database updates
    - Use JUNOS 11.4 or higher. When attack database updates are installed, they are automatically installed on the backup node as well
  - Script installations
    - Before they can be enabled in the configuration (commit), the scripts must be installed on both nodes. To achieve this, upload the scripts to the primary node first, then copy them manually to the secondary node
  - Hint: how to get from one node of a cluster to the other?
    - If the fxp0 interfaces are connected, simply use ssh to the fxp0 address of the second node
    - On branch SRX use "request routing-engine login node <x>"
    - On data center SRX use the shell command "rlogin -Ji node<x>"
• 211. IF IN-BAND OR OUT-BAND IS PREFERRED DEPENDS ON THE POSITION OF THE MANAGEMENT SYSTEM
  [Figure: example setup, an SRX650 cluster with all the interfaces. Labels recovered from the diagram:]
  - node0: fxp0 = ge-0/0/0 with 10.0.0.1, control link ge-0/0/1, reth0 member ge-1/0/0 (untrust), reth1 member ge-1/0/1 (trust)
  - node1: fxp0 with 10.0.0.2 (labelled ge-7/0/0 on the following slides), control link ge-0/0/1, reth0 member ge-8/0/0 (untrust), reth1 member ge-8/0/1 (trust)
  - reth0 (untrust) and reth1 (trust) carry the cluster IPs 20.0.0.1 and 30.0.0.1
  The same setup is used on the following three slides.
• 212. MANAGEMENT ON THE SAME NETWORK AS FXP0
  [Figure: NSM or Space at 10.0.0.3; fxp0 (node0) = ge-0/0/0 10.0.0.1; fxp0 (node1) = ge-7/0/0 10.0.0.2]
  OUT-OF-BAND MANAGEMENT IS RECOMMENDED
  - No changes required, the setup works immediately
  - NSM or Space can establish an ssh connection to both devices
  - The "Add Device" workflow is possible
  - Both cluster members use fxp0 to reach the management system
• 213. MANAGEMENT ON A DIFFERENT NETWORK THAN FXP0, BUT STILL ON THE SAME FIREWALL SIDE
  [Figure: NSM or Space at 40.0.0.3 behind router 40.0.0.254; router 10.0.0.254 on the fxp0 LAN; router 30.0.0.254 on the trust side; fxp0 (node0) = ge-0/0/0 10.0.0.1; fxp0 (node1) = ge-7/0/0 10.0.0.2]
  OUT-OF-BAND MANAGEMENT IS RECOMMENDED
  Hint for out-of-band management: both nodes need a backup router, because only the primary node runs the routing process and the secondary node otherwise has no route back to the management system. Configure it per node in the node groups:
  set groups node0 system backup-router <fxp0 LAN gateway> destination 40.0.0.3/32
  set groups node1 system backup-router <fxp0 LAN gateway> destination 40.0.0.3/32
  # in this figure the gateway on the fxp0 LAN is 10.0.0.254
• 214. MANAGEMENT ON THE EXTERNAL SIDE OF THE FIREWALL
  [Figure: NSM or Space at 172.16.42.9 on the untrust side; reth0 ge-1/0/0 (untrust) and reth1 ge-1/0/1 (trust) with cluster IPs 20.0.0.1 and 30.0.0.1; router 30.0.0.254 on the trust side; router 10.0.0.254 on the fxp0 LAN; fxp0 (node1) = ge-7/0/0 10.0.0.2]
  IN-BAND MANAGEMENT IS RECOMMENDED
  OUT-OF-BAND MANAGEMENT REQUIRES MORE COMPLEX ROUTING, AND DURING A CLUSTER FAILOVER (RG0) MANAGEMENT CONNECTIONS HAVE TO BE RE-ESTABLISHED
  Hints for in-band management:
  - There is only one connection between the SRX and the management system (using reth0 of the active node)
  - For NSM use the virtual chassis management option
  - For Space add just the active node
  Hints for out-of-band management:
  - Use several VRs on the SRX: fxp0 must stay in inet.0, all other interfaces go to another VR.
  - If you have IKE traffic this requires JUNOS 10.4 or higher, to terminate IKE in a custom VR.
  - Both nodes need a backup router (see the previous slide):
    set groups node0 system backup-router <fxp0 LAN gateway> destination 172.16.42.9/32
    set groups node1 system backup-router <fxp0 LAN gateway> destination 172.16.42.9/32
• 215. LOGGING WITH SYSLOG
• 216. SRX LOGGING INFRASTRUCTURE
  SRX logs can come from two different sources:
  - From the control plane (management, routing daemons, ...)
  - From the data plane (firewall, IDP, AppFirewall, UTM, VPN, ...)
  Control plane logs (same behavior on all JUNOS devices)
  - They can be stored in local files, sent to syslog servers or sent to NSM
  - Syslog and the NSM connection can leave the SRX via forwarding interfaces or the fxp0 management interface; this is a normal routing decision
  Data plane logs on the branch SRX
  - By default data plane logs are sent to the Routing Engine (event mode)
  - From there they can be stored in local files, sent to NSM and sent to syslog servers
  Data plane logs on the data center SRX
  - Data plane logs are created on each of the SPCs
  - Each SPC can create a maximum of 40K logs/sec
  - By default data plane logs are not sent anywhere, not even to the Routing Engine
• 217. WHERE IS THE CHALLENGE?
  You have two options to send data plane logs (firewall, IDP, UTM, AppSecure, ...):
  - Event mode logging
    - All data plane logs are sent to the Routing Engine and forwarded from there
    - This is the default configuration for branch SRX
    - Event mode logging can be used if log rates are low. To avoid RE overload, rate limits are in place; once the limit is exceeded, logs are dropped in event mode, i.e. you lose evidence without any error
  - Stream mode logging
    - Data plane logs are not sent to the Routing Engine
    - Data plane logs can leave the device from every interface (except fxp0, which is tied to the Routing Engine)
    - This is the default configuration for data center SRX
    - Stream mode logging is mandatory for high log rates
• 218. STREAM MODE LOGGING TO STRM OR A SYSLOG SERVER
  [Figure: control plane (process logs) and data plane (process logs) both sending to STRM (syslog server)]
  On a single SRX: control plane and data plane logs can use the same egress interface
  On an SRX cluster: control plane logs come from the management interface fxp0; data plane logs need another interface
• 219. EVENT MODE LOGGING TO NSM (1)
  [Figure: control plane and data plane logs are sent to NSM; optionally also to STRM (syslog server)]
  Branch SRX: default mode
  Data center SRX: possible since 10.0 (1.5k EPS rate limit)
  (1) Uses the normal, encrypted connection from the SRX to NSM
• 220. STREAM MODE LOGGING TO NSM (2)
  [Figure: control plane logs via the NSM connection, data plane logs as syslog directly to NSM]
  (2) Data plane logs are sent as syslog from the SRX to NSM; requires NSM 2011.1 or higher
• 221. STREAM MODE: HOW MANY INTERFACES ARE INVOLVED?
  [Figure: control plane (process logs), data plane (process logs), STRM (syslog server)]
  - Simple solution: use two interfaces on SRX and STRM
    - Looking at the log picture it is obvious that the SRX may use different interfaces to send the two types of logs
    - Since two interfaces of the same VR can not be in the same network, the two interfaces have to be in two different networks or VRs
    - The easiest solution is when the log receiver and the SRX both use two interfaces. STRM can be reconfigured to use two interfaces and IPs.
  - Still simple solution: use only one interface on both sides
    - If STRM (or another log receiver) has only one interface/IP, the SRX must be reconfigured to send all logs through one interface
    - This one interface can not be fxp0, because data plane logs can not be delivered through fxp0, so it must be a forwarding interface
    - If this forwarding interface is in inet.0 you only need a host route to this interface. If it is in another VR you need a host route with "next-table <vr>.inet.0"
  - Worst case: you need to add a logging interface in the same network as fxp0
    - When you migrate from event to stream logs and can not add additional interfaces on other networks than the one already used by fxp0
    - You have to add a second forwarding interface in the same network. This is only possible when this interface is in another VR than fxp0
    - See the next slide (logging with overlapping interface IP) for a complete configuration example
• 222. DATACENTER SRX LOGGING WITH OVERLAPPING INTERFACE IP
  # Data center SRX uses fxp0 for RE logs and a forwarding interface for security logs.
  # If the syslog receiver is attached to the same management LAN as fxp0, you need a
  # second interface/VR to that LAN to deliver security logs (firewall traffic and IDP).
  # For this worst case we have two interfaces in the same network
  set interfaces fxp0 unit 0 family inet address 10.0.0.1/24
  set interfaces reth7 unit 0 family inet address 10.0.0.2/24
  # Control plane logs: use the source IP of the egress interface to avoid ARP problems!
  set system syslog host 10.0.0.100 any any
  set system syslog host 10.0.0.100 source-address 10.0.0.2
  # Data plane logs from the SPCs leave via a forwarding interface;
  # also use the source IP of the egress interface
  set security log format sd-syslog
  set security log source-address 10.0.0.2
  set security log stream Log host 10.0.0.100
  # To allow two interfaces on the same net, one interface must be moved to a custom VR
  set routing-instances Logging instance-type virtual-router
  set routing-instances Logging interface reth7.0
  # Now we use a host route to send all traffic for the log receiver to this VR
  set routing-options static route 10.0.0.100/32 next-table Logging.inet.0
  # Caveat: with this host route, all traffic from the RE to 10.0.0.100 leaves via reth7, so
  # the log receiver can no longer talk to fxp0 (10.0.0.1). Keep the management station on a
  # different address than the log receiver.
  # Potential other workaround (UNTESTED):
  # use the following command to make the loopback interface IP the default source address
  set system default-address-selection ....
• 223. SYSLOG: ADDITIONAL INFORMATION
• 224. SYSLOG: A LIST OF POSSIBLE EVENTS
  Syslog event list (control plane events)
  # List all possible syslog events
  srx> help syslog
  Syslog tag                          Help
  ACCT_ACCOUNTING_FERROR              Error occurred during file processing
  ACCT_ACCOUNTING_FOPEN_ERROR         Open operation failed on file
  ACCT_ACCOUNTING_SMALL_FILE_SIZE     Maximum file size is smaller than record size
  ACCT_BAD_RECORD_FORMAT              Record format does not match accounting profile
  ACCT_CU_RTSLIB_ERROR                Error occurred obtaining current class usage statistics
  ACCT_FORK_ERR                       Could not create child process
  ACCT_FORK_LIMIT_EXCEEDED            Could not create child process because of limit
  ACCT_GETHOSTNAME_ERROR              gethostname function failed
  ACCT_MALLOC_FAILURE                 Memory allocation failed
  ...
  # List severity and parameters included for each event
  srx> help syslog FLOW_SESSION_CREATE
  Name:        FLOW_SESSION_CREATE
  Message:     session created <source-address>/<source-port>-><destination-address>/<destination-port>,<protocol-id>: <policy-name>
  Help:        Session create
  Description: A security session was created.
  Type:        Event: This message reports an event, not an error
  Severity:    info
• 225. SYSLOG - EVENT MODE: TRAFFIC LOG EXAMPLES
  root@srx-210# run monitor start default-log-messages
  <14>1 2009-08-28T00:00:03.685+02:00 srx-101 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.36 source-address="10.0.101.10" source-port="12288" destination-address="192.168.100.1" destination-port="1280" service-name="icmp" nat-source-address="10.0.101.10" nat-source-port="12288" nat-destination-address="192.168.100.1" nat-destination-port="1280" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="default-permit" session-id-32="841"] session created 10.0.101.10/12288->192.168.100.1/1280 icmp 10.0.101.10/12288->192.168.100.1/1280 None None 1 default-permit 841
  <14>1 2009-08-28T00:00:06.581+02:00 srx-101 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.36 reason="response received" source-address="10.0.101.10" source-port="12288" destination-address="192.168.100.1" destination-port="1280" service-name="icmp" nat-source-address="10.0.101.10" nat-source-port="12288" nat-destination-address="192.168.100.1" nat-destination-port="1280" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" policy-name="default-permit" session-id-32="841" packets-from-client="1" bytes-from-client="60" packets-from-server="1" bytes-from-server="60" elapsed-time="3"] session closed response received: 10.0.101.10/12288->192.168.100.1/1280 icmp 10.0.101.10/12288->192.168.100.1/1280 None None 1 default-permit 841 1(60) 1(60) 3
  <14>1 2009-08-28T00:10:07.682+02:00 srx-101 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.36 source-address="10.0.101.10" source-port="12544" destination-address="192.168.100.1" destination-port="1280" service-name="icmp" protocol-id="1" icmp-type="8" policy-name="icmp-drop"] session denied 10.0.101.10/12544->192.168.100.1/1280 icmp 1(8) icmp-drop
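The structured-data (sd-syslog) format above is what a SIEM or a script has to parse. The following is an added example, not from the slides and not Juniper code: a Python parser for RT_FLOW_SESSION_* messages in that format, plus a small detector that flags a source producing a burst of RT_FLOW_SESSION_DENY events, which is what a port scan hitting a deny policy looks like in these logs. The lines in SAMPLE_LOG are constructed to match the layout on this slide; hostnames, addresses, ports and policy names are assumptions, and the non-RT_FLOW line is there to show that unrelated syslog is skipped.

```python
"""Parse SRX RT_FLOW structured-data syslog and flag deny bursts.

Added example, not from the Juniper slides. SAMPLE_LOG is constructed to
match the RT_FLOW_SESSION_* format shown on the slide; hosts, addresses,
ports and policy names are assumptions.
"""
import re
from datetime import datetime, timedelta

# <PRI>1 TIMESTAMP HOST RT_FLOW - TAG [junos@2636... key="value" ...] free text
SYSLOG_RE = re.compile(
    r'^<(?P<pri>\d+)>1\s+(?P<ts>\S+)\s+(?P<host>\S+)\s+RT_FLOW\s+-\s+'
    r'(?P<tag>RT_FLOW_[A-Z_]+)\s+\[(?P<sd_id>[^\s\]]+)\s+(?P<sd>[^\]]*)\]'
)
KV_RE = re.compile(r'(?P<k>[\w-]+)="(?P<v>[^"]*)"')


def parse_rt_flow(line):
    """Return a dict with tag, host, timestamp and all SD parameters, or None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    event = {
        "tag": m.group("tag"),
        "host": m.group("host"),
        # sd-syslog timestamps are RFC 3339 with a UTC offset
        "timestamp": datetime.fromisoformat(m.group("ts")),
    }
    event.update((kv.group("k"), kv.group("v")) for kv in KV_RE.finditer(m.group("sd")))
    return event


def session_bytes(close_event):
    """Total bytes of a closed session (only RT_FLOW_SESSION_CLOSE carries counters)."""
    return int(close_event["bytes-from-client"]) + int(close_event["bytes-from-server"])


def deny_bursts(events, threshold=3, window=timedelta(seconds=60)):
    """Map source-address -> max number of SESSION_DENY events inside `window`,
    for sources that reached `threshold` (sliding window over sorted timestamps)."""
    per_src = {}
    for ev in events:
        if ev["tag"] == "RT_FLOW_SESSION_DENY":
            per_src.setdefault(ev["source-address"], []).append(ev["timestamp"])
    flagged = {}
    for src, stamps in per_src.items():
        stamps.sort()
        best, j = 0, 0
        for i, first in enumerate(stamps):
            while j < len(stamps) and stamps[j] - first <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            flagged[src] = best
    return flagged


def _deny(ts, src, sport, dst, dport, policy):
    # Constructed RT_FLOW_SESSION_DENY line in the same SD layout as the slide
    return (f'<14>1 {ts} srx-101 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.36 '
            f'source-address="{src}" source-port="{sport}" destination-address="{dst}" '
            f'destination-port="{dport}" service-name="None" protocol-id="6" '
            f'policy-name="{policy}"] session denied {src}/{sport}->{dst}/{dport} None 6 {policy}')


SAMPLE_LOG = [  # constructed sample input
    '<14>1 2009-08-28T00:00:03.685+02:00 srx-101 RT_FLOW - RT_FLOW_SESSION_CREATE '
    '[junos@2636.1.1.1.2.36 source-address="10.0.101.10" source-port="12288" '
    'destination-address="192.168.100.1" destination-port="1280" service-name="icmp" '
    'nat-source-address="10.0.101.10" nat-source-port="12288" '
    'nat-destination-address="192.168.100.1" nat-destination-port="1280" '
    'src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="1" '
    'policy-name="default-permit" session-id-32="841"] session created '
    '10.0.101.10/12288->192.168.100.1/1280 icmp 1 default-permit 841',
    '<14>1 2009-08-28T00:00:06.581+02:00 srx-101 RT_FLOW - RT_FLOW_SESSION_CLOSE '
    '[junos@2636.1.1.1.2.36 reason="response received" source-address="10.0.101.10" '
    'source-port="12288" destination-address="192.168.100.1" destination-port="1280" '
    'service-name="icmp" protocol-id="1" policy-name="default-permit" session-id-32="841" '
    'packets-from-client="1" bytes-from-client="60" packets-from-server="1" '
    'bytes-from-server="60" elapsed-time="3"] session closed response received',
    # one host probing four ports within ten seconds, one unrelated single deny
    _deny("2009-08-28T00:10:07.682+02:00", "10.0.101.10", "12544", "192.168.100.1", "22", "deny-all"),
    _deny("2009-08-28T00:10:08.104+02:00", "10.0.101.10", "12545", "192.168.100.1", "23", "deny-all"),
    _deny("2009-08-28T00:10:11.910+02:00", "10.0.101.10", "12546", "192.168.100.1", "445", "deny-all"),
    _deny("2009-08-28T00:10:17.003+02:00", "10.0.101.10", "12547", "192.168.100.1", "3389", "deny-all"),
    _deny("2009-08-28T00:12:00.000+02:00", "10.0.101.77", "40001", "192.168.100.1", "22", "deny-all"),
    "Aug 28 00:12:01 srx-101 mgd[1234]: UI_COMMIT: not an RT_FLOW line",
]


def analyse(lines=SAMPLE_LOG):
    """Parse all lines, skip non-RT_FLOW ones, return (events, flagged sources)."""
    events = [ev for ev in map(parse_rt_flow, lines) if ev is not None]
    return events, deny_bursts(events)


if __name__ == "__main__":
    evs, flagged = analyse()
    for ev in evs:
        print(ev["timestamp"].isoformat(), ev["tag"], ev["source-address"], "->",
              ev["destination-address"], ev.get("destination-port"), ev["policy-name"])
    print("deny bursts:", flagged)
```

The free text after the closing "]" is deliberately ignored: it duplicates the SD parameters and its layout differs between message types, whereas the key="value" pairs are stable. Run the block as a script to see the parsed events and the flagged source; feed it the output of "monitor start default-log-messages" or a stream-mode syslog file for real data.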
• 226. SNMP AND RMON
• 227. SNMP AGENT
  # Set system identification and community
  set snmp location lab-munich
  set snmp contact "admin@nirvana.com"
  set snmp community public authorization read-only
  # Enable SNMP access on an interface (here: for the whole zone)
  set security zones security-zone trust host-inbound-traffic system-services snmp
  # Restrict SNMP access to certain sources
  set snmp community public clients 172.26.0.0/16
  set snmp community public clients 0.0.0.0/0 restrict
  # Restrict SNMP access to certain tables: create a view defining the permitted objects
  set snmp view chassis-info oid jnxBoxAnatomy include
  set snmp view chassis-info oid snmpMIBObjects include
  set snmp view chassis-info oid system include
  # and assign the view to a community
  set snmp community chassis-community view chassis-info
  # Caveat: "public" is the default community every scanner tries first. Use a non-default
  # string, keep it read-only, always restrict clients, and prefer SNMPv3 (set snmp v3 ...)
  # where the manager supports it; SNMPv1/v2c communities travel in clear text.
• 228. SNMP, CLI QUERIES AND TRICKS
  # CLI commands exist to make MIB queries or MIB walks
  show snmp mib get sysObjectID.0
  show snmp mib get "sysName.0 sysContact.0 sysLocation.0"
  show snmp mib walk jnxBoxAnatomy
  show snmp mib walk jnxContentsSerialNo
  # Display the OIDs used for a certain table
  show snmp mib walk 1.3.6.1.4.1.2636.3.39.1.12.1 | display xml
  # Display the OIDs for all MIB tables
  show snmp mib walk 1 | display xml
  # The following commands create and show a list of registered SNMP instances
  show snmp registered-objects
  file show /var/log/snmp_reg_objs
  # The list of interface indices is reboot persistent as it is saved in a file
  file show /var/db/dcd.snmp_ix
  # Spoof SNMP traps for simple testing of the trap path
  request snmp spoof-trap linkUp variable-bindings "ifIndex[14] = 14, ifAdminStatus[14] = 1, ifOperStatus[14] = 2"
  # An SNMP table (jnxUtilData) can be used to store user defined content.
  # Event scripts can be used to update this table
  request snmp utility-mib set .....
  show snmp mib walk jnxUtilData
• 229. SNMP, PRIVATE MIBS AND USEFUL TABLES
  # A list of all MIBs (including which MIBs exist on which device) and of the SNMP traps is in the documentation
  # Chassis hardware
  show snmp mib walk [jnxBoxClass|jnxBoxDescr|jnxBoxSerialNo|jnxBoxRevision|jnxBoxInstalled]
  show snmp mib walk [jnxBoxAnatomy|jnxContainersTable|jnxContentsTable|jnxFilledTable]
  # Field replaceable units (FRU) in the chassis (includes empty slots)
  show snmp mib walk jnxFruTable
  # For a list of installed modules use
  show snmp mib walk jnxContentsDescr
  # Interfaces and interface information
  show snmp mib walk ifDescr
  show snmp mib walk [ifTable | ifChassisTable | ifStackTable]
  show snmp mib walk [ipAddrTable | ipAdEntIfIndex]
  # LEDs and status (primary only)
  show snmp mib walk jnxLedTable
  # State, memory usage and CPU load of all modules (always reports both REs as active)
  show snmp mib walk jnxOperatingTable
• 230. USEFUL OIDS
  # SNMP walk from the CLI through the complete private MIB, displayed with name and OID
  show snmp mib walk .1.3.6.1.4.1.2636 | display xml
  # Software version
  show snmp mib walk .1.3.6.1.2.1.25.6.3
  # Per-FPC statistics on CPU load, memory, temperature
  show snmp mib walk jnxOperatingTable
  # some columns here are:
  show snmp mib walk jnxOperatingDescr
  show snmp mib walk jnxOperatingCPU
  show snmp mib walk jnxOperatingTemp
  show snmp mib walk jnxOperatingBuffer
  # On SRX: SPU monitoring MIB OIDs (sessions, CPU load)
  show snmp mib walk jnxJsSPUMonitoringMIB
  show snmp mib walk 1.3.6.1.4.1.2636.3.39.1.12.1 | display xml
  # Disk usage (hrStorageTable; the relevant columns are hrStorageSize and hrStorageUsed)
  show snmp mib walk []
  show snmp mib walk 1.3.6.1.2.1.25.2.3.1
• 231. RMON
  Monitor SNMP OIDs and generate traps if something is wrong
  # Specify a trap group and a target for the traps
  set snmp trap-group overtemperature categories rmon-alarm
  set snmp trap-group overtemperature targets 10.0.0.1
  edit snmp rmon
  # Specify what is monitored
  set alarm 1 description "Overtemperature on SRX 5600 Midplane"
  set alarm 1 variable jnxOperatingTemp.1.1.0.0
  set alarm 1 interval 300
  set alarm 1 sample-type absolute-value
  set alarm 1 rising-threshold 50
  set alarm 1 startup-alarm rising-alarm
  set alarm 1 rising-event-index 1
  # and the resulting event. "community" names the trap group that receives the trap,
  # so it must match the trap group configured above
  set event 1 description Heat-Events
  set event 1 type log-and-trap
  set event 1 community overtemperature
  top
  # Add a falling-threshold / falling-event-index pair if you also want a trap when the
  # temperature is back to normal; otherwise the alarm fires once and stays silent.
• 232. NETFLOW
• 233. NETFLOW CONFIGURATION
  Specify the sampling rate and where to send the NetFlow data, then enable sampling on the desired interface(s) and directions.
  Note: activating NetFlow has a significant impact on performance. The smaller the rate value (input rate, meaning 1 out of N packets is sampled), the higher the performance hit.
  set forwarding-options sampling input rate 10
  set forwarding-options sampling family inet output flow-server 172.30.80.76 port 2056
  set forwarding-options sampling family inet output flow-server 172.30.80.76 version 5
  set interfaces ge-0/0/0 unit 0 family inet sampling input
  set interfaces ge-0/0/0 unit 0 family inet sampling output
  # NetFlow v5 is plain UDP without authentication or encryption and carries the addresses
  # and ports of every sampled flow; send it only over a management network to a collector
  # you control, and remember that the exported counters are per sampled packet.
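What arrives at the collector 172.30.80.76:2056 is a stream of NetFlow v5 UDP datagrams. The following is an added example, not from the slides and not Juniper tooling: a Python decoder for v5 export packets that scales the sampled counters back up using the sampling interval in the packet header (the "input rate" above) and detects lost export packets from the flow_sequence counter. The packet is constructed in the block itself with build_v5(); addresses, interface indexes, counters and the flow_sequence values are assumptions.

```python
"""Decode NetFlow v5 export packets like those produced by
"flow-server ... version 5" above.

Added example, not from the slides or from Juniper. The packets are
constructed here with build_v5(); addresses, interface indexes and
counters are assumptions.
"""
import socket
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def build_v5(records, sampling_interval, flow_sequence=0, unix_secs=1251416403):
    """Constructed v5 export datagram: header plus one 48-byte record per flow dict."""
    body = b"".join(
        V5_RECORD.pack(
            socket.inet_aton(r["src"]), socket.inet_aton(r["dst"]),
            socket.inet_aton("0.0.0.0"),          # next hop (unused here)
            r["in_if"], r["out_if"], r["packets"], r["octets"],
            0, 0,                                 # first/last sysUptime of the flow
            r["sport"], r["dport"], 0, r["tcp_flags"], r["proto"], 0,
            0, 0, 24, 24, 0)                      # AS numbers, prefix masks, pad
        for r in records)
    # sampling field: upper 2 bits = mode (1 = packet interval), lower 14 bits = interval
    header = V5_HEADER.pack(5, len(records), 60000, unix_secs, 0, flow_sequence,
                            0, 0, (1 << 14) | sampling_interval)
    return header + body


def decode_v5(packet):
    """Return (header, records); raise ValueError for anything that is not well-formed v5."""
    if len(packet) < V5_HEADER.size:
        raise ValueError("packet shorter than a v5 header")
    version, count, uptime, secs, nsecs, seq, etype, eid, sampling = V5_HEADER.unpack_from(packet)
    if version != 5:
        raise ValueError(f"unexpected NetFlow version {version}")
    if len(packet) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match packet length")
    header = {"count": count, "sys_uptime_ms": uptime, "unix_secs": secs,
              "flow_sequence": seq, "engine_id": eid,
              "sampling_mode": sampling >> 14, "sampling_interval": sampling & 0x3FFF}
    scale = max(header["sampling_interval"], 1)
    records = []
    for i in range(count):
        (src, dst, nh, in_if, out_if, pkts, octets, first, last, sport, dport,
         _pad, flags, proto, tos, src_as, dst_as, src_mask, dst_mask, _pad2) = \
            V5_RECORD.unpack_from(packet, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": PROTO_NAMES.get(proto, str(proto)), "sport": sport, "dport": dport,
            "in_if": in_if, "out_if": out_if, "tcp_flags": flags,
            # with "sampling input rate N" the exported counters are per sampled packet;
            # multiply by N for an estimate of the real traffic volume
            "packets": pkts, "octets": octets,
            "est_packets": pkts * scale, "est_octets": octets * scale,
        })
    return header, records


def missed_flows(prev_header, header):
    """flow_sequence counts flows exported so far; a jump means lost export datagrams."""
    expected = prev_header["flow_sequence"] + prev_header["count"]
    return header["flow_sequence"] - expected


SAMPLE_FLOWS = [  # constructed: two flows sampled on one interface (ifIndex 502 assumed)
    {"src": "10.0.101.10", "dst": "192.168.100.1", "proto": 6, "sport": 40123, "dport": 22,
     "in_if": 502, "out_if": 503, "packets": 3, "octets": 180, "tcp_flags": 0x02},
    {"src": "10.0.101.77", "dst": "8.8.8.8", "proto": 17, "sport": 53001, "dport": 53,
     "in_if": 502, "out_if": 504, "packets": 1, "octets": 76, "tcp_flags": 0},
]
SAMPLE_PACKET = build_v5(SAMPLE_FLOWS, sampling_interval=10)
NEXT_PACKET = build_v5(SAMPLE_FLOWS[:1], sampling_interval=10, flow_sequence=7)


def demo():
    """Decode two consecutive export datagrams and report the sequence gap between them."""
    header, records = decode_v5(SAMPLE_PACKET)
    next_header, _ = decode_v5(NEXT_PACKET)
    return header, records, missed_flows(header, next_header)


if __name__ == "__main__":
    hdr, recs, lost = demo()
    print("sampling 1:%d, %d records, flows lost before the next datagram: %d"
          % (hdr["sampling_interval"], hdr["count"], lost))
    for r in recs:
        print(f'{r["src"]}:{r["sport"]} -> {r["dst"]}:{r["dport"]} {r["proto"]} '
              f'sampled {r["packets"]} pkt, estimated {r["est_packets"]} pkt')
```

To use it against a real export, read datagrams from a UDP socket bound to port 2056 and pass each payload to decode_v5(); keep the previous header per exporter so missed_flows() can tell you when the collector dropped datagrams, which otherwise silently produces too-low traffic figures.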
• 234. SRX MANAGEMENT WITH NSM
• 235. PREPARING JUNOS DEVICES FOR NSM
  # SSHv2 is mandatory for NSM. SSHv2 is not included in the export-restricted
  # software version, so you always need the domestic version.
  lab@srx5600> show version | match JUNOS
  JUNOS Software Release [9.5R2.7]
  # For NSM access both ssh and netconf over ssh must be enabled
  set system services ssh [protocol-version v2]
  set system services netconf ssh
  # Recommendation: use a dedicated NSM user;
  # this allows you to identify who made certain changes/operations
  root# set system login user nsm class super-user authentication plain-text-password
  New password:
  Retype new password:
• 236. ENABLE AUTO DISCOVERY WITH NSM
  # The auto discovery feature allows you to scan an IP address range for Juniper devices
  # and automatically add and import them into NSM.
  # This feature requires ping, SSH and SNMP access to the device.
  # Enable SSH and netconf via ssh
  set system services ssh protocol-version v2
  set system services netconf ssh
  # Enable SNMP
  set snmp location lab-munich
  set snmp contact "labuser@juniper.net"
  set snmp community public authorization read-write
  # Caveat: a read-write community named "public" on a production firewall is an open door.
  # Use a non-default string, and read-only unless the manager really needs SNMP writes.
  # Make sure all services required for NSM auto discovery are opened for access
  edit security zones security-zone trust interfaces ge-0/0/0.0
  set host-inbound-traffic system-services ping
  set host-inbound-traffic system-services ssh
  set host-inbound-traffic system-services snmp
  top
• 237. EXAMPLE: SENDING LOGS TO NSM (EVENT MODE)
  # Control plane logs from the Routing Engine are sent to NSM by default.
  # Data plane logs from branch SRX are sent to NSM when a log file "default-log-messages"
  # is written. NSM adds this configuration automatically to the SRX with the "device is
  # reachable" workflow
  set system syslog file default-log-messages any any
  set system syslog file default-log-messages structured-data
  # On data center SRX traffic logs are not sent to the Routing Engine by default,
  # as the preferred logging method is to stream the logs directly
  # from a forwarding interface. If the log volume is low, the logs can also be sent
  # to the Routing Engine. The following statements allow this since JUNOS 10.0
  set security log mode event
  set security log mode event event-rate 1000
• 238. EXAMPLE: SENDING LOGS TO NSM (STREAM MODE)
  # Again, control plane logs from the Routing Engine are sent to NSM by default.
  # Since NSM version 2011.1 it is possible to send security logs via syslog in stream mode.
  # Check page 767 of the NSM Admin Guide for the necessary DevSvr configuration changes:
  # add "devSvr.enableSyslogOverUdp true" to the /var/netscreen/DevSvr/var/devSvr.cfg file
  # On the SRX side use the following configuration statements to send traffic logs
  # via syslog to NSM
  set security log mode stream
  set security log format sd-syslog
  # Primary NSM
  set security log stream NSM1 format sd-syslog
  set security log stream NSM1 host <primary DevSvr IP>
  set security log stream NSM1 host port 5140
  # If NSM is an HA cluster use a second feed to send logs to the secondary NSM
  set security log stream NSM2 format sd-syslog
  set security log stream NSM2 host <secondary DevSvr IP>
  set security log stream NSM2 host port 5140
  # Note: unlike the NSM management connection, this syslog feed is plain UDP, neither
  # encrypted nor authenticated; keep it on the management network.
• 239. ADDITIONAL REMARKS
  When using out-of-band management:
  - Start the import into NSM with the passive member (RG0) first. Some NSM versions had trouble when the import started with the active member
  When using in-band management:
  - Don't mix in-band and out-of-band management. If you choose in-band management, leave the fxp0 interfaces on both members unconfigured. This avoids that the passive member ever connects to NSM
  When changing between out-of-band and in-band management:
  - "delete system services outbound-ssh" from the normal stanza and from the groups stanza, otherwise you might end up with multiple, conflicting entries
  - In some cases you might have to reboot to make all configuration changes effective
  To establish the NSM connection through a VPN tunnel:
  - Use in-band management and introduce a loopback IP or a numbered VPN tunnel interface as the source. Otherwise the SRX could use an interface IP for which there is no proper routing back from NSM through the VPN tunnel.
• 240. MANAGING SRX CLUSTERS WITH NSM: WHERE IS THE CHALLENGE?
  You have two options to manage a cluster in NSM:
  - Out-of-band management
    - For out-of-band management you connect to the fxp0 interfaces of the cluster members
    - You add a cluster object to NSM and add both members (start with the node where RG0 is passive)
  - In-band management (branch SRX only)
    - You connect to the master device via one of the reth interfaces
    - You configure the device for cluster management and add only one device to NSM
• 241. IN-BAND MANAGEMENT: VIRTUAL CHASSIS REPRESENTATION OF SRX CLUSTERS
  # The virtual chassis configuration makes a cluster manageable in NSM as a single device.
  # This is supported only on branch SRX, since JUNOS 10.1R2 or 10.2R2 or higher.
  # You need the following configuration statement in JUNOS
  set chassis cluster network-management cluster-master
  # In NSM you add just a single virtual chassis device (the current primary).
  # Only the master will attempt to establish a session to NSM.
  # It can use any interface to establish this connection.
• 242. ADDITIONAL REMARKS
  When using out-of-band management:
  - Start the import into NSM with the passive member (RG0) first
  When using in-band management:
  - Leave the fxp0 interfaces on both members unconfigured
  - NSM can not be used to perform software updates or to push attack database updates
  When changing between out-of-band and in-band management:
  - "delete system services outbound-ssh" from the normal stanza and from the groups stanza, otherwise you might end up with multiple, conflicting entries
  - In some cases you might have to reboot to make all configuration changes effective
  To establish the NSM connection through a VPN tunnel:
  - Use in-band management and introduce a loopback IP or a numbered VPN tunnel interface as the source. Otherwise the SRX could use an interface IP for which there is no proper routing back from NSM through the VPN tunnel.
• 243. MANAGEMENT WITH JUNOS SPACE / SECURITY DESIGN
• 244. PREPARING JUNOS DEVICES FOR SPACE
  # For Space access both ssh and netconf over ssh must be enabled
  set system services ssh protocol-version v2
  set system services netconf ssh
  # Recommendation: use a dedicated Space user;
  # this allows you to identify who made certain changes/operations
  root# set system login user space class super-user authentication plain-text-password
  New password:
  Retype new password:
  # When SNMP is enabled before device discovery, Space (OpenNMS) will collect and
  # visualize SNMP data from the device. It will also reconfigure the device to send
  # traps to Space.
  set snmp location lab-munich
  set snmp contact "labuser@juniper.net"
  set snmp community public authorization read-write
  # (same caveat as for NSM: use a non-default community and read-only where possible)
  # Make sure all services required for Space discovery are opened for access
  edit security zones security-zone trust interfaces ge-0/0/0.0
  set host-inbound-traffic system-services ping
  set host-inbound-traffic system-services ssh
  set host-inbound-traffic system-services snmp
  top
• 245. ADDITIONAL REMARKS (1)
  - For initial device discovery Space uses ping and an ssh/netconf connection to the device
  - The direction of the future management connection depends on the Space application settings at the time the device was discovered. By default Junos Space initiates the connection to the device
  - If the default is changed, Space reconfigures the device during discovery so that the device initiates the connection (outbound-ssh)
• 246. ADDITIONAL REMARKS (2)
  - Space can detect and manage an SRX cluster in both ways:
    - with only one in-band management connection to a forwarding (reth) interface of the primary node (just add one device)
    - with two out-of-band management connections to the fxp0 interfaces (add both devices in Platform; Security Design then creates a cluster view of the security device)
• 247. MONITORING SRX LOGS WITH STRM
• 248. STREAM MODE LOGS FROM SRX TO STRM
  # In this example we send both control and data plane logs through one
  # interface (reth7) which is a member of the default VR inet.0.
  # Destination for both logs is 10.0.0.100
  # Source IP for both logs is 10.0.0.2
  # Interface IP for the interface connected to STRM
  set interfaces reth7 unit 0 family inet address 10.0.0.2/24
  # Control plane logs: use the source IP of the egress interface to avoid ARP problems!
  set system syslog host 10.0.0.100 any any
  set system syslog host 10.0.0.100 source-address 10.0.0.2
  # Data plane logs from the SPCs leave via a forwarding interface;
  # also use the source IP of the egress interface
  set security log format sd-syslog
  set security log source-address 10.0.0.2
  set security log stream Log host 10.0.0.100
  # Caveat: STRM can no longer reach fxp0 of the SRX, because all routing to the
  # STRM host IP goes through reth7, and traffic from reth7 to fxp0 is not possible.
• 249. MONITORING SRX LOGS WITH J-WEB
• 250. ACTIVATE LOGS IN J-WEB
• 251. EXAMINE LOGS FROM EVENT VIEWER
• 252. EXAMINE LOGS FROM POLICY VIEW
  • 253. 253 Copyright © 2011 Juniper Networks, Inc. www.juniper.net FIREWALL ACTIVITY ON J-WEB REPORTING PAGE
  • 254. 254 Copyright © 2011 Juniper Networks, Inc. www.juniper.net TROUBLESHOOTING
  • 255. NOTES FOR TROUBLESHOOTING
    • The WEB-UI has a number of useful pages for Monitoring and Troubleshooting
    • The JUNOS CLI has powerful monitoring commands and offers a lot of counters and status information
    • SNMP and RPM also have good coverage to allow continuous and ongoing monitoring
    • Default log files exist to track various error conditions
    • Additional logs and debugs can be enabled from the CLI, writing to separate log files or to external servers
    • OP Scripts can be used to create custom monitor commands
    • Event Scripts can be used to trigger actions when events occur
  • 256. WEB-UI FOR MONITORING
  • 257. IMPORTANT CLI MONITORING COMMANDS
    show version                                  Software version
    show chassis hardware detail                  Hardware and Serial Numbers
    show chassis environment                      Temperatures, Fan and Power Supply
    show chassis routing-engine                   Temperatures, Memory, CPU Load (Routing Engine)
    show security monitoring fpc x                CPU Load (Flow Processors / SPCs)
    show system storage                           Flash and Disk Usage
    show system license                           Display installed Licenses
    show interfaces terse                         Quick Overview of all Interfaces
    show interfaces description                   Quick Overview of all Interfaces with Description
    show interfaces extensive                     Detailed Interface and Zone Counters
    show route <x.x.x.x>                          Routing Table Lookups (to get to x.x.x.x)
    show security policies                        List Policies
    show security policies detail | find xx       Details for a certain ID
    show security flow session                    Current sessions
    show security match-policies ...              Policy Lookup (added in JUNOS 10.3)
    show security zones                           Security Zones and Interface Binding
    show system alarms                            Alarms
    show chassis alarms                           Alarms
  • 258. LIVE COUNTERS FOR ALL INTERFACES
    Use "monitor interface traffic" to watch live counters on all available interfaces. The default update interval is 2 seconds.
  • 259. LIVE COUNTERS FOR A CERTAIN INTERFACE
    Use "monitor interface <ifname>" to watch live counters on a certain interface. The default update interval is 2 seconds.
  • 260. LIVE TRAFFIC FOR A CERTAIN INTERFACE (TCPDUMP OF RE TRAFFIC)
    • Before you start:
      - This is not promiscuous mode
      - You will see Broadcast/Unicast/Multicast traffic to the Routing Engine
      - ICMP traffic to the Routing Engine is excluded (SRX, EX and J-Series)
      - Use the documentation to find all options
      - This option is available from Web-UI, CLI and Shell
    • Monitor Traffic on an Interface
    user> monitor traffic interface e1-0/0/0.0 no-resolve
    verbose output suppressed, use <detail> or <extensive> for full protocol decode
    Listening on e1-0/0/0.0, capture size 96 bytes
    03:03:58.025661 Out IP 10.12.0.1 > 224.0.0.13: 10.12.0.1 > 224.0.0.13:PIMv2, Hello (0), length: 34
    03:03:58.237360 In IS-IS, p2p IIH, src-id 1921.6800.1223, length 58
    03:03:59.089303 Out IP 10.12.0.1.646 > 224.0.0.2.646: LDP, Label-Space-ID: 192.168.1.222:0, pdu-length: 38
    03:03:59.555743 Out IP 10.12.0.1 > 224.0.0.1: igmp query v2
    • The same function is available from the shell
    user> start shell
    % su
    root@PBR% tcpdump -ni e1-0/0/0.0
    verbose output suppressed, use <detail> or <extensive> for full protocol decode
    Listening on e1-0/0/0.0, capture size 96 bytes
    03:06:47.943726 In IP 10.12.0.2 > 224.0.0.13: 10.12.0.2 > 224.0.0.13:PIMv2, Hello (0), length: 34
    03:06:49.603895 In IP 10.12.0.2.646 > 224.0.0.2.646: LDP, Label-Space-ID: 192.168.1.223:0, pdu-length: 38
    03:06:50.200510 Out IS-IS, p2p IIH, src-id 1921.6800.1222, length 58
  • 261. LOG FILES AND SYSLOG
    All log files live in /var/log
    "show log" or "file list /var/log"     List all log files available (under /var/log)
    show log messages                      Show log file "messages" from start
    show log messages | last 100           List last 100 log messages
    show log messages | match LOGIN        Search within the log
    show log messages | trim 39            Remove first 39 columns from each line
    monitor start <file>                   Send logs to terminal (like tail -f)
    See also Chapter Logging and Syslog
  • 262. TYPICAL WAY TO ENABLE DEBUGGING
    In many sections of the configuration it is possible to activate traceoptions (example: set system services dhcp traceoptions ...)
    set traceoptions file filename
      • files (default 10)
      • size (default 128k)
      • read permissions (e.g. world-readable)
    set traceoptions flag
      • What do you want to look at?
    monitor start filename
      • like Unix tail -f
      • multiple people can view log files at the same time
  • 263. DEBUGGING A FIREWALL FLOW (SEE http://kb.juniper.net/KB16110)
    # Specify a file where to save the Traces
    edit security flow traceoptions
    set file flowtrace
    set file size 1m files 3
    set flag basic-datapath
    # Use filters to reduce the volume of data
    set packet-filter FILTER1 source-prefix 10.48.255.0/24
    # A second condition for the same filter name is an AND condition
    set packet-filter FILTER1 destination-prefix 192.168.210.0/24
    # An additional condition with a different filter name is an OR condition
    set packet-filter FILTER2 source-prefix 192.168.210.0/24
    set packet-filter FILTER2 destination-prefix 192.168.220.0/24
    top
    # Logging to the File starts after commit
    commit and-quit
    # To start Live Monitoring, just monitor the file
    monitor start flowtrace
    # To quickly pause and resume Output !! This does not stop logging to the File !!
    Press "ESC-Q"
    # To stop Real-Time monitoring !! This does not stop logging to the File !!
    monitor stop
    # To turn off logging to the File you must deactivate or delete the configuration
    deactivate security flow traceoptions
    commit
  • 264. DEBUGGING A FIREWALL FLOW EXAMPLE OUTPUT (1/2)
    lab@Demo-081-113> *** flow-trace ***
    Aug 2 22:04:36 22:04:35.935844:CID-1:RT:<10.10.20.2/2048->10.10.10.2/49265;1> matched filter f0:
    Aug 2 22:04:36 22:04:35.935862:CID-1:RT:packet [84] ipid = 0, @4bb0526e
    Aug 2 22:04:36 22:04:35.935872:CID-1:RT:---- flow_process_pkt: (thd 0): flow_ctxt type 0, common flag 0x0, mbuf 0x4bb05060
    Aug 2 22:04:36 22:04:35.935881:CID-1:RT: flow process pak fast ifl 67 in_ifp reth1.0
    Aug 2 22:04:36 22:04:35.935896:CID-1:RT: reth1.0:10.10.20.2->10.10.10.2, icmp, (8/0)
    Aug 2 22:04:36 22:04:35.935907:CID-1:RT: find flow: table 0x4e789b20, hash 9938(0xffff), sa 10.10.20.2, da 10.10.10.2, sp 1, dp 34861, proto 1, tok 448
    Aug 2 22:04:36 22:04:35.935926:CID-1:RT: no session found, start first path. in_tunnel - 0, from_cp_flag -
    Aug 2 22:04:36 22:04:35.935941:CID-1:RT: flow_first_create_session
    Aug 2 22:04:36 22:04:35.935953:CID-1:RT: flow_first_in_dst_nat: in <reth1.0>, out <N/A> dst_adr 10.10.10.2, sp 1, dp 34861
    Aug 2 22:04:36 22:04:35.935965:CID-1:RT: chose interface reth1.0 as incoming nat if.
    Aug 2 22:04:36 22:04:35.935976:CID-1:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 10.10.10.2(34861)
    Aug 2 22:04:36 22:04:35.935988:CID-1:RT:flow_first_routing: call flow_route_lookup(): src_ip 10.10.20.2, x_dst_ip 10.10.10.2, in ifp reth1.0, out ifp N/A sp 1, dp 34861, ip_proto 1, tos 0
    Aug 2 22:04:36 22:04:35.936001:CID-1:RT:Doing DESTINATION addr route-lookup
    Aug 2 22:04:36 22:04:35.936017:CID-1:RT: routed (x_dst_ip 10.10.10.2) from untrust (reth1.0 in 1) to reth0.0, Next-hop: 10.10.10.2
    Aug 2 22:04:36 22:04:35.936030:CID-1:RT: policy search from zone untrust-> zone trust
    Aug 2 22:04:36 22:04:35.936057:CID-1:RT: app 0, timeout 60s, curr ageout 60s
    Aug 2 22:04:36 22:04:35.936095:CID-1:RT:flow_first_src_xlate: src nat 0.0.0.0(1) to 10.10.10.2(34861) returns status 0, rule/pool id 0/0.
    Aug 2 22:04:36 22:04:35.936110:CID-1:RT: dip id = 0/0, 10.10.20.2/1->10.10.20.2/1
    Aug 2 22:04:36 22:04:35.936120:CID-1:RT: choose interface reth0.0 as outgoing phy if
    Aug 2 22:04:36 22:04:35.936127:CID-1:RT:is_loop_pak: No loop: on ifp: reth0.0, addr: 10.10.10.2, rtt_idx:0
    Aug 2 22:04:36 22:04:35.936136:CID-1:RT: check nsrp pak fwd: in_tun=0x0, VSD 1 for out ifp reth0.0
    Aug 2 22:04:36 22:04:35.936142:CID-1:RT: vsd 1 is active
    Aug 2 22:04:36 22:04:35.936151:CID-1:RT:policy is NULL (wx/pim scenario)
    Aug 2 22:04:36 22:04:35.936160:CID-1:RT:sm_flow_interest_check: app_id 0, policy 6, app_svc_en 1, flags 0x2. interested
    Aug 2 22:04:36 22:04:35.936171:CID-1:RT:sm_flow_interest_check: app_id 1, policy 6, app_svc_en 0, flags 0x2. not interested
    ..................
  • 265. DEBUGGING A FIREWALL FLOW EXAMPLE OUTPUT (2/2)
    .............
    Aug 2 22:04:36 22:04:35.936178:CID-1:RT:flow_first_service_lookup(): natp(0x5047eb48): app_id, 0(0).
    Aug 2 22:04:36 22:04:35.936187:CID-1:RT: service lookup identified service 0.
    Aug 2 22:04:36 22:04:35.936194:CID-1:RT: flow_first_final_check: in <reth1.0>, out <reth0.0>
    Aug 2 22:04:36 22:04:35.936203:CID-1:RT: existing vector list e20-624fdc28.
    Aug 2 22:04:36 22:04:35.936212:CID-1:RT: existing vector list 0-6248ba28.
    Aug 2 22:04:36 22:04:35.936220:CID-1:RT: Session (id:26784) created for first pak e20
    Aug 2 22:04:36 22:04:35.936229:CID-1:RT: flow_first_install_session======> 0x5047eb48
    Aug 2 22:04:36 22:04:35.936236:CID-1:RT: nsp 0x5047eb48, nsp2 0x5047ebb8
    Aug 2 22:04:36 22:04:35.936248:CID-1:RT: make_nsp_ready_no_resolve()
    Aug 2 22:04:36 22:04:35.936263:CID-1:RT: route lookup: dest-ip 10.10.20.2 orig ifp reth1.0 output_ifp reth1.0 orig-zone 7 out-zone 7 vsd 1
    Aug 2 22:04:36 22:04:35.936274:CID-1:RT: route to 10.10.20.2
    Aug 2 22:04:36 22:04:35.936288:CID-1:RT:Installing c2s NP session wing
    Aug 2 22:04:36 22:04:35.936293:CID-1:RT:Installing s2c NP session wing
    Aug 2 22:04:36 22:04:35.936301:CID-1:RT:sm_flow_notify_session_creation: app_id 0, flags 0x0, ifl_in 67, zone_in 7, ifl_out 66, zone_out 6
    Aug 2 22:04:36 22:04:35.936394:CID-1:RT: flow got session.
    Aug 2 22:04:36 22:04:35.936399:CID-1:RT: flow session id 26784
    Aug 2 22:04:36 22:04:35.936411:CID-1:RT: vsd 1 is active
    Aug 2 22:04:36 22:04:35.936608:CID-1:RT:mbuf 0x4bb05060, exit nh 0x243c1
    Aug 2 22:04:36 22:04:35.936621:CID-1:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
    Aug 2 22:04:36 22:04:35.996278:CID-1:RT:<10.10.10.2/0->10.10.20.2/51313;1> matched filter f0:
    Aug 2 22:04:36 22:04:35.996296:CID-1:RT:packet [84] ipid = 12824, @4ba9f04e
    Aug 2 22:04:36 22:04:35.996307:CID-1:RT:---- flow_process_pkt: (thd 0): flow_ctxt type 0, common flag 0x0, mbuf 0x4ba9ee40
    Aug 2 22:04:36 22:04:35.996318:CID-1:RT: flow process pak fast ifl 66 in_ifp reth0.0
    Aug 2 22:04:36 22:04:35.996330:CID-1:RT: reth0.0:10.10.10.2->10.10.20.2, icmp, (0/0)
    Aug 2 22:04:36 22:04:35.996341:CID-1:RT: find flow: table 0x4e789b20, hash 33408(0xffff), sa 10.10.10.2, da 10.10.20.2, sp 34861, dp 1, proto 1, tok 384
    Aug 2 22:04:36 22:04:35.996362:CID-1:RT: flow got session.
    Aug 2 22:04:36 22:04:35.996366:CID-1:RT: flow session id 26784
    Aug 2 22:04:36 22:04:35.996380:CID-1:RT: vsd 1 is active
    Aug 2 22:04:36 22:04:35.996520:CID-1:RT:mbuf 0x4ba9ee40, exit nh 0x20bc1
    Aug 2 22:04:36 22:04:35.996533:CID-1:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
  • 266. DEBUGGING PACKET DROPS
    # To see Drop Counters per interface for the various drop reasons
    show interfaces ge-4/0/1.0 extensive | find Error
    # To create a Log file to log Packet drops for a certain Source-Network
    edit security flow traceoptions
    set file DROPS
    set flag packet-drops
    set packet-filter FFILTER1 source-prefix 20.0.81.0/24
    top
    # To see packet drops use
    monitor start DROPS
    # Search the Log file for packet drops of a certain Source-IP
    # The trim command improves readability by removing the leading (timestamp) columns
    root@srx5600> run file show /var/log/DROPS | find 20.0.81.143 | trim 71
    ge-4/2/1.0:20.0.81.143->10.1.80.1, icmp, (8/0)
    packet dropped, no route to dest
    packet dropped, ROUTE_REJECT_GEN_ICMP.
    ge-4/2/1.0:20.0.81.143->20.0.80.2, icmp, (8/0)
    packet dropped, denied by policy
    packet dropped, policy deny.
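Reading a basic-datapath trace (slides 264/265) or a packet-drops trace (slide 266) by hand gets tedious quickly. The following Python script is an added example, not from the slides; it groups the trace into per-packet records (first path vs. fast path, session id, route and policy decision) and counts drops per source IP and reason. The sample traces are constructed from the lines shown on those slides; no other line format is assumed.

```python
"""Summarise SRX 'security flow traceoptions' output.  Added example, not part of
the slides: handles the basic-datapath trace (slides 264/265) and the packet-drops
trace (slide 266).  The sample traces are constructed from the lines on those slides."""
import re
from collections import Counter, defaultdict

# Timestamp/thread prefix that every trace line carries (removed by "| trim").
_PREFIX = re.compile(r"^\w{3} +\d+ [\d:]+ [\d:.]+:CID-\d+:RT:\s*")
_MATCHED = re.compile(r"^<(?P<src>[\d.]+)/\d+->(?P<dst>[\d.]+)/\d+;(?P<proto>\d+)> "
                      r"matched filter (?P<filter>\S+):")
_ROUTED = re.compile(r"^routed \(x_dst_ip [\d.]+\) from (?P<in_zone>\S+) "
                     r"\((?P<in_ifl>\S+) in \d+\) to (?P<out_ifl>[^,]+)")
_POLICY = re.compile(r"^policy search from zone (?P<from>\S+?)-> zone (?P<to>\S+)")
_CREATED = re.compile(r"^Session \(id:(?P<sid>\d+)\) created")
_GOT = re.compile(r"^flow session id (?P<sid>\d+)")
_FLOW = re.compile(r"^(?P<ifl>\S+):(?P<src>[\d.]+)->(?P<dst>[\d.]+), (?P<proto>\w+),")
_DROP = re.compile(r"^packet dropped, (?P<reason>.+?)\.?$")

BASIC_DATAPATH_TRACE = """\
Aug 2 22:04:36 22:04:35.935844:CID-1:RT:<10.10.20.2/2048->10.10.10.2/49265;1> matched filter f0:
Aug 2 22:04:36 22:04:35.935896:CID-1:RT: reth1.0:10.10.20.2->10.10.10.2, icmp, (8/0)
Aug 2 22:04:36 22:04:35.935926:CID-1:RT: no session found, start first path. in_tunnel - 0, from_cp_flag -
Aug 2 22:04:36 22:04:35.936017:CID-1:RT: routed (x_dst_ip 10.10.10.2) from untrust (reth1.0 in 1) to reth0.0, Next-hop: 10.10.10.2
Aug 2 22:04:36 22:04:35.936030:CID-1:RT: policy search from zone untrust-> zone trust
Aug 2 22:04:36 22:04:35.936194:CID-1:RT: flow_first_final_check: in <reth1.0>, out <reth0.0>
Aug 2 22:04:36 22:04:35.936220:CID-1:RT: Session (id:26784) created for first pak e20
Aug 2 22:04:36 22:04:35.936394:CID-1:RT: flow got session.
Aug 2 22:04:36 22:04:35.936399:CID-1:RT: flow session id 26784
Aug 2 22:04:36 22:04:35.996278:CID-1:RT:<10.10.10.2/0->10.10.20.2/51313;1> matched filter f0:
Aug 2 22:04:36 22:04:35.996362:CID-1:RT: flow got session.
Aug 2 22:04:36 22:04:35.996366:CID-1:RT: flow session id 26784
"""

PACKET_DROPS_TRACE = """\
ge-4/2/1.0:20.0.81.143->10.1.80.1, icmp, (8/0)
packet dropped, no route to dest
packet dropped, ROUTE_REJECT_GEN_ICMP.
ge-4/2/1.0:20.0.81.143->20.0.80.2, icmp, (8/0)
packet dropped, denied by policy
packet dropped, policy deny.
"""


def _message(line):
    """Return the trace message without the timestamp/CID prefix (if present)."""
    return _PREFIX.sub("", line.strip())


def summarize_flow_trace(text):
    """Group a basic-datapath trace into per-packet records.

    Each record says whether the packet took the first path (new session) or
    the fast path (existing session) and which session id it ended up in;
    'sessions' keeps the first-path decision (route, zones, policy) per id."""
    packets, sessions, cur = [], {}, None
    for raw in text.splitlines():
        msg = _message(raw)
        if (m := _MATCHED.match(msg)):            # a packet hit the packet-filter
            cur = {"src": m["src"], "dst": m["dst"], "proto": int(m["proto"]),
                   "filter": m["filter"], "path": None, "session": None}
            packets.append(cur)
        elif cur is None:
            continue                              # lines before the first packet
        elif msg.startswith("no session found"):
            cur["path"] = "first"
        elif msg.startswith("flow got session") and cur["path"] is None:
            cur["path"] = "fast"                  # first-path packets also log this
        elif (m := _ROUTED.match(msg)):
            cur.update(in_zone=m["in_zone"], in_ifl=m["in_ifl"], out_ifl=m["out_ifl"])
        elif (m := _POLICY.match(msg)):
            cur["policy"] = (m["from"], m["to"])
        elif (m := _CREATED.match(msg)):
            cur["session"] = int(m["sid"])
            sessions[cur["session"]] = {k: v for k, v in cur.items()
                                        if k in ("in_zone", "in_ifl", "out_ifl", "policy")}
        elif (m := _GOT.match(msg)):
            cur["session"] = int(m["sid"])
    return {"packets": packets, "sessions": sessions}


def drops_by_source(text):
    """Count packet-drops trace entries per source IP and human-readable reason.

    The first 'packet dropped' line after a flow header carries the reason; the
    second repeats it as an internal code and is ignored."""
    counts, src, seen = defaultdict(Counter), None, False
    for raw in text.splitlines():
        msg = _message(raw)
        if (m := _FLOW.match(msg)):
            src, seen = m["src"], False
        elif src and not seen and (m := _DROP.match(msg)):
            counts[src][m["reason"]] += 1
            seen = True
    return counts


if __name__ == "__main__":
    for p in summarize_flow_trace(BASIC_DATAPATH_TRACE)["packets"]:
        print(f"{p['src']} -> {p['dst']}: {p['path']} path, session {p['session']}")
    for src, reasons in drops_by_source(PACKET_DROPS_TRACE).items():
        print(src, dict(reasons))
```

Feed it the whole /var/log/flowtrace or /var/log/DROPS file to see which packets created sessions, which were fast-path hits, and which source addresses are being dropped for which reason.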
  • 267. BRANCH SRX: TAKING FULL PACKET CAPTURES (1/2)
    # Specify where to write the Packet-Capture
    # The file specified below is later created under /var/tmp/
    # The file name will be appended with ".interfacename", e.g. MY-PCAP.vlan
    set forwarding-options packet-capture file filename MY-PCAP
    set forwarding-options packet-capture file size 1m
    set forwarding-options packet-capture maximum-capture-size 500
    # Specify the interface where you want to take the pcap from
    set interfaces vlan unit 0 family inet sampling input
    set interfaces vlan unit 0 family inet sampling output
    # Specify a Filter to collect only certain Packets
    edit firewall family inet filter PCAP
    set term 1 from source-address 192.168.210.2/32
    set term 1 then sample accept
    set term 2 from destination-address 192.168.210.2/32
    set term 2 then sample accept
    top
    # Apply this filter to the input and output direction (maybe input is obsolete ?)
    set interfaces vlan unit 0 family inet filter output PCAP
    set interfaces vlan unit 0 family inet filter input PCAP
    # Wipe the old file before taking new pcaps
    run file delete /var/tmp/MY-PCAP.vlan
    # and start the PCAP
    commit and-quit
  • 268. BRANCH SRX: TAKING FULL PACKET CAPTURES (2/2)
    # CLI Command to copy the File to a remote FTP-Server to inspect with Wireshark
    # You can also use scp, tftp and http in the Destination-URL
    file copy /var/tmp/MY-PCAP.vlan ftp://username:prompt@172.16.42.210/var/tmp
    # Tweak to view the pcap file from the shell:
    start shell
    cd /var/tmp
    tcpdump -n -r MY-PCAP.vlan
    # Here is CLI Help with more Details
    help reference forwarding-options packet-capture
    # And here is Online Documentation
    http://www.juniper.net/techpubs/software/junos-security/junos-security10.1/junos-security-admin-guide/config-pcap-chapter.html#config-pcap-chapter
  • 269. DATACENTER SRX: TAKING FULL PACKET CAPTURES (1/1)
    # Since JUNOS 10.4r1 Data Path Debugging on Datacenter SRX
    # allows taking packet captures
    edit security datapath-debug
    set capture-file SRXPCAP format pcap size 1m files 5
    set maximum-capture-size 100
    set action-profile do-capture event np-ingress packet-dump
    set packet-filter PCAP1 source-prefix 192.168.1.1/32 action-profile do-capture
    set packet-filter PCAP2 destination-prefix 192.168.1.1/32 action-profile do-capture
    top
    # The start/stop of the capture is controlled by CLI
    request security datapath-debug capture (start|stop)
    # To inspect the resulting PCAP either copy it to a system with Wireshark installed
    # or start a shell locally and use "tcpdump -nr /var/log/SRXPCAP"
  • 270. USEFUL TROUBLESHOOTING INFORMATION
    JUNOS Troubleshooting and Monitoring            Day One Booklet
    Data Collection Checklist                       KB21781
    ScreenOS Debug Commands and JUNOS equivalent    KB14000
    SRX Troubleshooting Commands                    KB15779
    Monitor interface and Monitor traffic           Admin Guide
    Taking Packet Captures                          Admin Guide
    Troubleshooting SRX High Availability           KB15911
    Debug Flow                                      KB16108
    Configuring and Troubleshooting VPN             KB Guide
    Troubleshooting Dynamic VPN                     KB17220
  • 271. TOOLBOX
  • 272. ACCESS LISTS
  • 273. PACKETFILTER ON A STATEFUL FIREWALL ?
    • Access lists or Stateless Filters have been in JUNOS for years
    • Stateless Filters are still useful for three Tasks
      - Filter and Redirect Traffic
      - Classify Traffic for QoS purposes
      - Implement Counters
    • Configuration uses the "set firewall ...." stanza
    • On many JUNOS interface cards the stateless filters are implemented in hardware and do not consume CPU performance
    root# set firewall ....
  • 274. FIREWALL FILTER EXAMPLE (COUNTING ONLY)
    # Define a Firewall Filter to count SSH Traffic
    set firewall family inet filter TEST term 1 from source-address 0.0.0.0/0
    set firewall family inet filter TEST term 1 from port 22
    set firewall family inet filter TEST term 1 then count MYCOUNT
    set firewall family inet filter TEST term 1 then accept
    # We need a second term to permit everything else
    # This is because all firewall filter chains end with a default "deny all" term
    set firewall family inet filter TEST term 2 from source-address 0.0.0.0/0
    set firewall family inet filter TEST term 2 then accept
    # Now we are ready to assign the Filter to an interface
    set interfaces fe-0/0/7 unit 0 family inet filter input TEST
    # Show commands to monitor the counters
    lab@SRX210> show firewall counter filter TEST MYCOUNT
    Filter: TEST
    Counters:
    Name                 Bytes          Packets
    MYCOUNT              70455             1005
    lab@SRX210>
  • 275. DNS CONFIGURATION
  • 276. DNS CONFIGURATION
    # Set your own hostname
    set system host-name mybox
    # Specify DNS-Servers to resolve DNS requests from the SRX
    # Example: public DNS Servers from Google
    set system name-server 8.8.8.8
    set system name-server 8.8.4.4
    # Example: public DNS Servers from OpenDNS
    set system name-server 208.67.222.222
    set system name-server 208.67.220.220
    # Example: public Servers from UltraDNS
    set system name-server 156.154.70.1
    set system name-server 156.154.71.1
    # Set own Domainname
    set system domain-name test.de
    # Today (12.1) SRX offers neither a DNS-Server, nor a DNS-Proxy, nor a Dynamic DNS Client
    # DNS-Proxy and Dynamic DNS Client are currently scheduled for 12.1X44
  • 277. NTP CONFIGURATION
  • 278. TIME AND NTP CLIENT
    # set time zone
    set system time-zone Europe/Berlin
    # Manually set time/date or simply poll a Timeserver
    srx> set date YYYYMMDDhhmm.ss
    or
    srx> set date ntp de.pool.ntp.org
    27 Apr 16:10:48 ntpdate[981]: step time server 213.61.224.44 offset 0.000876 sec
    # Specify NTP-Server (here 2 Servers from de.pool.ntp.org)
    set system ntp server 78.46.194.186 version 4 prefer
    set system ntp server 88.198.34.114 version 4
    # Enable NTP reachability during power up and in cluster backup state
    set system ntp boot-server 78.46.194.186
    # Diagnostics
    # What time is it ?
    srx> show system uptime | match Current
    Current time: 2009-04-22 17:21:20 CEST
    srx> show ntp associations no-resolve
         remote           refid      st t when poll reach   delay   offset  jitter
    ==============================================================================
    *192.53.103.104  .PTB.            1 -  504 1024  377   62.492    6.408   0.120
  • 279. NTP IN HA CLUSTERS
    # Define NTP-Server as usual in global context
    edit system ntp
    set server 10.0.0.1
    set source-address 10.0.0.2
    top
    # Enable NTP on the cluster member in backup state (traffic is leaving from fxp0)
    edit groups node0 system ntp
    set server 10.0.0.1
    set source-address <ip of fxp0/node0>
    top
    edit groups node1 system ntp
    set server 10.0.0.1
    set source-address <ip of fxp0/node1>
    top
    # Per-node backup routes are required when the NTP-Server is not directly connected to fxp0
    set groups node0 routing-options static route 10.0.0.0/24 next-hop 192.168.1.254
    set groups node1 routing-options static route 10.0.0.0/24 next-hop 192.168.1.254
  • 280. DHCP
  • 281. DHCP CLIENT
    # Enable DHCP Client on an interface
    set interfaces fe-0/0/7 unit 0 family inet dhcp
    # Permit DHCP traffic on this interface or security zone
    set security zones security-zone untrust interfaces fe-0/0/7.0 host-inbound-traffic system-services dhcp
    # Option: You can propagate DNS/WINS settings learnt by the DHCP client to be
    # reused by local DHCP Servers
    set system services dhcp propagate-settings fe-0/0/7.0
    # Monitoring and Control
    show system services dhcp client
    request system services dhcp renew
  • 282. DHCP SERVER
    # Pools have Names
    edit system services dhcp pool 192.168.1.0/24
    set default-lease-time 3600
    set domain-name test.de
    set router 192.168.1.1
    set name-server 192.168.1.1
    set address-range low 192.168.1.33
    set address-range high 192.168.1.64
    # Option - exclude an IP from the Pool
    set exclude-address 192.168.1.42
    top
    # Option - Static Binding, IP must be member of the Pool
    edit system services dhcp
    set static-binding 00:11:22:33:44:55 fixed-address 192.168.1.33
    set static-binding 00:11:22:33:44:55 host-name test
    top
    # Permit DHCP in the incoming zone
    set security zones security-zone trust host-inbound-traffic system-services dhcp
    # Monitoring
    show system services dhcp pool
    show system services dhcp binding
    show system services dhcp statistics
    show system services dhcp conflict
  • 283. DHCP RELAY
    # Allow incoming DHCP traffic
    # The "bootp" service is only available in the interface context, not in the zone context
    set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services bootp
    # Enable on the desired interfaces and forward to your desired destination
    edit forwarding-options helpers bootp
    set interface ge-0/0/0.0 server 172.18.36.12
    # Relay the DHCP request with the source-ip of this interface
    set vpn
    set relay-agent-option
    top
    # Until 10.4 DHCP Relay could not be configured inside virtual Routers
    # TODO
  • 284. PPPOE & DSL
  • 285. PPP OVER ETHERNET EXAMPLE FOR T-ONLINE, GERMANY
    # Define on which interface to use PPPoE Encapsulation
    set interfaces fe-0/0/5 unit 0 encapsulation ppp-over-ether
    # Use password for authentication
    set access profile ppp-profile authentication-order password
    # PPP-Interface Settings
    set interfaces pp0 unit 0 family inet negotiate-address
    set interfaces pp0 unit 0 family inet mtu 1492
    # Authentication Credentials
    set interfaces pp0 unit 0 ppp-options pap access-profile ppp-profile
    set interfaces pp0 unit 0 ppp-options pap local-password xxxxx
    set interfaces pp0 unit 0 ppp-options pap local-name xxxx
    set interfaces pp0 unit 0 ppp-options pap passive
    # PPPoE Settings and binding
    set interfaces pp0 unit 0 pppoe-options underlying-interface fe-0/0/5.0
    set interfaces pp0 unit 0 pppoe-options auto-reconnect 10
    set interfaces pp0 unit 0 pppoe-options client
    set interfaces pp0 unit 0 pppoe-options idle-timeout 0
    # Diagnostic Commands
    show interfaces pp0
    show pppoe interfaces
    show pppoe statistics
    request pppoe [connect|disconnect]
  • 286. PPP OVER ADSL (FOR T-ONLINE, GERMANY) BASED ON JUNOS 10.0 WITH ADSL MINI-PIM
    # T-Online Germany typically uses the ATM VPI 1 and VCI 32
    # Encapsulation is pppoe-over-atm with llc
    # ADSL Interface Configuration
    set interfaces at-1/0/0 encapsulation ethernet-over-atm
    set interfaces at-1/0/0 atm-options vpi 1
    set interfaces at-1/0/0 dsl-options operating-mode itu-dmt
    set interfaces at-1/0/0 unit 0 encapsulation ppp-over-ether-over-atm-llc
    set interfaces at-1/0/0 unit 0 vci 1.32
    # PPPoE Configuration on Top of this ADSL-Interface
    set interfaces pp0 unit 0 ppp-options pap access-profile T-Online
    set interfaces pp0 unit 0 ppp-options pap local-name "xxxx@t-online.de"
    set interfaces pp0 unit 0 ppp-options pap local-password "xxxx"
    set interfaces pp0 unit 0 ppp-options pap passive
    set interfaces pp0 unit 0 ppp-options lcp-max-conf-req 0
    set interfaces pp0 unit 0 ppp-options ncp-max-conf-req 0
    set interfaces pp0 unit 0 pppoe-options underlying-interface at-1/0/0.0
    set interfaces pp0 unit 0 pppoe-options idle-timeout 0
    set interfaces pp0 unit 0 pppoe-options auto-reconnect 1
    set interfaces pp0 unit 0 pppoe-options client
    set interfaces pp0 unit 0 family inet mtu 1450
    set interfaces pp0 unit 0 family inet negotiate-address
    set access profile T-Online client "xxxx@t-online.de" pap-password "xxxx"
    # Default Route (mandatory, because the negotiated gateway will not appear in the routing table)
    set routing-options static route 0.0.0.0/0 next-hop pp0.0
  • 287. SRX AS UAC ENFORCER
  • 288. SRX AS UAC ENFORCER (1/2)
    Important to know:
    • In contrast to ScreenOS, JUNOS does not need a signed certificate on the IC. Unless explicitly configured, JUNOS will ignore the certificate presented by the IC. The communication is then only protected by password.
    • Captive Portal support has been added with JUNOS 10.2
    • For IPSec enforcement the SRX has to be configured manually, in contrast to ScreenOS, where the IC pushes the IPSec configuration too. Please RTFM.
    • If the IC is configured as a cluster you have to configure two ICs on JUNOS using their physical IP addresses. Please do not use the VIP.
    Example configuration with an IC cluster:
    # create IC connections
    set services unified-access-control infranet-controller uac1 address 10.1.1.1
    set services unified-access-control infranet-controller uac1 interface reth2.0
    set services unified-access-control infranet-controller uac1 password "<PW-Hash>"
    set services unified-access-control infranet-controller uac2 address 10.1.1.2
    set services unified-access-control infranet-controller uac2 interface reth2.0
    set services unified-access-control infranet-controller uac2 password "<PW-Hash>"
    set services unified-access-control timeout 20
    set services unified-access-control interval 5
    # optional: add certificate verification (the root Certificate has to be loaded to the SRX, see VPN with Certificates)
    set services unified-access-control infranet-controller uac1 server-certificate-subject <cert-name>
    set services unified-access-control infranet-controller uac1 ca-profile <profile-name>
    set services unified-access-control infranet-controller uac2 server-certificate-subject <cert-name>
    set services unified-access-control infranet-controller uac2 ca-profile <profile-name>
  • 289. SRX AS UAC ENFORCER (2/2)
    Enforcer-Options:
    # enable test-only-mode (only logging without enforcement)
    set services unified-access-control test-only-mode
    # define timeout-action (if the connection to the IC is lost)
    set services unified-access-control timeout-action <close | no-change | open>
    Policy Enforcement with captive portal:
    # create a captive portal policy (redirect-url is optional)
    set services unified-access-control captive-portal my-cp-policy redirect-traffic unauthenticated
    set services unified-access-control captive-portal my-cp-policy redirect-url https://ic.xyz.com/auth
    # create a firewall policy with application-service "uac-policy"
    set security policies from-zone untrust to-zone trust policy uac-enforcem match source-address any
    set security policies from-zone untrust to-zone trust policy uac-enforcem match destination-address any
    set security policies from-zone untrust to-zone trust policy uac-enforcem match application any
    set security policies from-zone untrust to-zone trust policy uac-enforcem then permit application-services uac-policy captive-portal my-cp-policy
    set security policies from-zone untrust to-zone trust policy uac-enforcem then log session-close
  • 290. SRX AS UAC ENFORCER: DIAGNOSTICS
    show services unified-access-control status
    show services unified-access-control policies
    show services unified-access-control rules
    show services unified-access-control authentication detail
    show services unified-access-control role-provisioning all
    show security flow session ... extensive
  • 291. PORT MIRRORING
  • 292. PORT MIRRORING ON BRANCH SRX
    # You can mirror traffic from one L3 interface to a Host on another L3 interface.
    # For configuration start with selecting the outbound interface and the destination host.
    # The mirrored traffic has its destination MAC rewritten to the MAC address of that host.
    edit forwarding-options port-mirroring
    set input rate 1 run-length 10
    set family inet output interface ge-0/0/1.0 next-hop 10.0.210.33
    top
    # Next configure a firewall filter to port-mirror. 0.0.0.0/0 is all traffic
    edit firewall filter port-mirror term 1
    set from source-address 0.0.0.0/0
    set then port-mirror accept
    top
    # Finally set the filter on the source interface that should be mirrored
    # This must be a physical L3 interface (family inet, not family ethernet-switching)
    set interfaces ge-0/0/0 unit 0 family inet filter input port-mirror
    set interfaces ge-0/0/0 unit 0 family inet filter output port-mirror
  • 293. PORT MIRRORING ON DATACENTER SRX
    # mirror port ge-0/0/1 to port ge-0/0/2
    edit forwarding-options port-mirroring
    set input rate 1 run-length 10
    set family any output interface ge-0/0/2
    set instance inst1 input rate 1 run-length 10
    set instance inst1 family any output interface ge-0/0/2
    top
    set interfaces ge-0/0/1 port-mirror-instance inst1
  • 294. CLASS OF SERVICE
  • 295. JUNOS COS SUMMARY
    (Diagram of the CoS pipeline: BA Classifier, Multifield Classifier, Ingress Policing, FWD Policy, Fabric Priority, Egress Policing, Scheduler/WRED, Rewrite/marker, Fabric; Forwarding Class & Loss Priority)
  • 296. COS - BUILDING BLOCKS (1/2)
    • Ingress Processing
    • Forwarding Classes and Queues
      Classification maps traffic to internal queues. The 4 default SRX forwarding-classes map to 4 queues. Additional Forwarding Classes can be specified.
      show class-of-service
      show interfaces queue ge-0/0/0
    • IFL Classification (Interface Level Classification of Forwarding Class and Loss Priority)
      Specify the Class based on interface/sub-interface/logical interface
      set class-of-service interfaces <name> unit <x> forwarding-class assured-forwarding
    • BA Classification (Behavior Aggregate Classification of Forwarding Class and Loss Priority)
      Specify the Class based on DSCP (IP) or EXP (MPLS) Bits
      show class-of-service classifier name dscp-default
      set class-of-service interfaces fe-0/0/3 unit 0 classifiers dscp default
    • MF Classification (Multifield Classification of Forwarding Class and Loss Priority)
      Specify the Class based on stateless packet filters
      set firewall family inet filter ..... then forwarding-class ...
      set interfaces fe-0/0/3 unit 0 family inet filter .....
    • Simple Filters (Implementation on special Hardware)
      Specify only class, loss-priority and policer; no drop or count action, only one prefix
      set firewall family inet simple-filter ....
      set interfaces <name> unit <x> family inet simple-filter .....
    • Ingress Policing (Ingress Rate Limiter)
      Single Rate Policer: establish a data rate, drop or change the forwarding class when thresholds are exceeded
      Example on next pages
  • 297. COS - BUILDING BLOCKS (2/2)
    • Egress Processing
    • Scheduler & Scheduler Map
      Packet notifications are placed into the forwarding class queue. Queues are serviced by a scheduler using WRR. WRED congestion control operates at the head of the queue.
    • Rewriter
      Changes DSCP / EXP Bits
      show class-of-service rewrite-rule
      set class-of-service interfaces ge-0/0/0 unit 0 rewrite-rules dscp default
    • PLP (Packet Loss Priority) & Drop-Profiles
      PLP influences queuing within the same queue
      set class-of-service drop-profiles ...
      set class-of-service schedulers .... drop-profile-map .....
    • Egress Policing
      Single Rate Policer: establish a data rate, drop or change the forwarding class when thresholds are exceeded
      set firewall policer .... if-exceeding bandwidth-limit ... burst-size-limit ... then ...
• 298. SIMPLE COS EXAMPLE
• The previous pages list all available methods; it is not mandatory to use all of them to get a working COS configuration.
• The simple example on the next pages fulfils the following requirements:
  • LAN interface: reth0
  • WAN interface: reth1
  • Upstream WAN bandwidth: 10 Mbps
  • Traffic from the LAN IP 192.168.1.2 should be able to occupy up to 30% of the WAN bandwidth, even under congestion
• To achieve this it relies on the following building blocks only:
  • Use the 4 default forwarding classes
  • Create a classifier (a multifield firewall filter)
  • Create schedulers and assign them to the forwarding classes with a scheduler map
  • Apply the classifier to the ingress interface(s)
  • Apply the scheduler map to the egress interface(s)
• 299. SIMPLE COS EXAMPLE (1/3)
# We have a LAN interface reth0
# We have a WAN interface reth1
# We have an upstream WAN bandwidth of 10 Mbps
# Traffic from the LAN IP 192.168.1.2 should be able to occupy up to 30%
# of the WAN bandwidth, even in congestion situations

# 1. Create a classifier (a firewall filter) that puts traffic from the source IP
# 192.168.1.2 into a separate forwarding class (assured-forwarding).
# Add counters, so we can examine how often each term is hit.
edit firewall family inet filter TEST-CLASSIFER
set term VOIP from source-address 192.168.1.2/32
set term VOIP then count SPECIAL
set term VOIP then forwarding-class assured-forwarding
set term VOIP then accept
set term ANY then count ANY
set term ANY then forwarding-class best-effort
set term ANY then accept
top
• 300. SIMPLE COS EXAMPLE (2/3)
# 2. Specify the behaviour of the different schedulers
# Start with af (assured forwarding)
# Notes on the scheduler parameters:
# transmit-rate: the "guaranteed bandwidth"; the class always gets at least this share
# shaping-rate:  the "maximum bandwidth"; the class can never send more than this
# loss-priority: influences drop behaviour for packets in the same queue (4 priorities);
#                the PLP is a tag set on each packet by the classifier or by policers
# buffer-size:   a larger buffer absorbs bursts, but can introduce higher latency
edit class-of-service schedulers af
set transmit-rate percent 30
set shaping-rate percent 50
set buffer-size percent 5
set priority high
top
# Continue with be (best effort)
edit class-of-service schedulers be
set transmit-rate percent 60
set buffer-size remainder
set priority low
top
# And don't forget nc (network control)
edit class-of-service schedulers nc
set transmit-rate percent 10
set buffer-size percent 10
set priority strict-high
top
• 301. SIMPLE COS EXAMPLE (3/3)
# 3. Create a scheduler map that ties the schedulers to the forwarding classes
edit class-of-service scheduler-maps TEST-MAP
set forwarding-class assured-forwarding scheduler af
set forwarding-class best-effort scheduler be
set forwarding-class network-control scheduler nc
top
# 4. Set a shaping rate for the WAN interface (the 10 Mbps upstream bandwidth) and
# apply the scheduler map to this interface
set class-of-service interfaces reth1 unit 0 scheduler-map TEST-MAP
set class-of-service interfaces reth1 unit 0 shaping-rate 10m
# 5. Apply the classifier on the LAN interface(s), so ingress traffic gets classified
set interfaces reth0 per-unit-scheduler
set interfaces reth0 unit 0 family inet filter input TEST-CLASSIFER
# 6. Enable the scheduler on the WAN interface, so that egress traffic gets shaped
set interfaces reth1 per-unit-scheduler
• 302. INGRESS POLICER (FIREWALL FILTER)
# Ingress policers depend on the interface hardware and are not available on all systems.
# Systems known to support them are SRX-3K and SRX-5K with the Combo card;
# there a simple-filter (next page) might be required instead of a firewall filter.
# The example below limits traffic from one source to 1 Mbps
edit firewall policer ONE-MBIT
set if-exceeding bandwidth-limit 1m
set if-exceeding burst-size-limit 63k
set then discard
top
edit firewall family inet filter TESTFILTER term TERM1
set from source-address 172.27.60.4/32
set then policer ONE-MBIT
top
# Apply this filter on the interface (input or output is possible)
set interfaces reth0 unit 0 family inet filter input TESTFILTER
• 303. INGRESS POLICER (SIMPLE FILTER)
# On some systems simple filters can be used instead of firewall filters.
# Simple filters are ingress only and have fewer match options than firewall filters,
# but they are better for performance, because the interface hardware performs the
# filtering (and thus no performance is consumed on the Central Point).
# Systems known to support simple filters are SRX-3K and SRX-5K with the Combo card.
# The example below limits traffic from one source to 1 Mbps
edit firewall policer ONE-MBIT
set if-exceeding bandwidth-limit 1m
set if-exceeding burst-size-limit 63k
set then discard
top
edit firewall family inet simple-filter TESTFILTER term TERM1
set from source-address 172.27.60.4/32
set then policer ONE-MBIT
top
# Apply this filter on the interface
set interfaces reth0 unit 0 family inet simple-filter input TESTFILTER
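The two policer pages above configure the same single-rate policer (bandwidth-limit 1m, burst-size-limit 63k, then discard) in a firewall filter and in a simple filter. The following Python model is an added example and not Juniper code: it implements the token bucket those two parameters describe and runs constructed packet streams through it, so you can see why a source can exceed 1 Mbps for a moment (the burst) and what fraction is discarded once the bucket is drained. Assumptions (not stated on the page): Junos k/m/g suffixes are decimal (1k = 1000), the bucket starts full, and packets arrive in time order.

```python
"""Token-bucket model of the single-rate policer ONE-MBIT (added example, not Juniper code).

Models what `bandwidth-limit 1m` and `burst-size-limit 63k` with `then discard`
do to a packet stream. Token bookkeeping is integer, in bit-microseconds, so
the results are exact and reproducible.
"""
from dataclasses import dataclass, field

_SCALE = 8 * 1_000_000          # bytes -> bit-microseconds (keeps all maths in integers)
_SUFFIX = {"": 1, "k": 1_000, "m": 1_000_000, "g": 1_000_000_000}  # assumed decimal suffixes


def parse_junos_quantity(text: str) -> int:
    """'1m' -> 1_000_000, '63k' -> 63_000 (bandwidth-limit / burst-size-limit syntax)."""
    text = text.strip().lower()
    suffix = text[-1] if text[-1].isalpha() else ""
    return int(text[: len(text) - len(suffix)]) * _SUFFIX[suffix]


@dataclass
class SingleRatePolicer:
    bandwidth_limit_bps: int            # long-term rate (bits per second)
    burst_size_bytes: int               # bucket depth (bytes)
    last_us: int = 0
    passed: int = 0
    discarded: int = 0
    tokens: int = field(init=False)

    def __post_init__(self) -> None:
        self.tokens = self.burst_size_bytes * _SCALE      # bucket starts full (assumption)

    def offer(self, arrival_us: int, size_bytes: int) -> bool:
        """Return True if the packet conforms (forwarded), False if it is discarded."""
        elapsed = arrival_us - self.last_us
        if elapsed < 0:
            raise ValueError("packets must be offered in arrival order")
        self.last_us = arrival_us
        # refill: elapsed_us * bps is exactly the number of bit-microseconds credited
        self.tokens = min(self.burst_size_bytes * _SCALE,
                          self.tokens + elapsed * self.bandwidth_limit_bps)
        cost = size_bytes * _SCALE
        if cost <= self.tokens:
            self.tokens -= cost
            self.passed += 1
            return True
        self.discarded += 1                                # policer action: discard
        return False


def police(stream, bandwidth_limit="1m", burst_size_limit="63k"):
    """Run a [(arrival_us, size_bytes), ...] stream through the policer."""
    policer = SingleRatePolicer(parse_junos_quantity(bandwidth_limit),
                                parse_junos_quantity(burst_size_limit))
    verdicts = [policer.offer(t, size) for t, size in stream]
    return verdicts, policer


def constant_stream(count, size_bytes, interval_us):
    """Constructed input: `count` packets of `size_bytes` bytes, one every `interval_us`."""
    return [(i * interval_us, size_bytes) for i in range(count)]


if __name__ == "__main__":
    # 800 kbit/s: 1000-byte packets every 10 ms, below the 1 Mbps limit -> nothing discarded
    _, conforming = police(constant_stream(100, 1000, 10_000))
    # 8 Mbit/s: the 63 kB bucket absorbs the first ~70 packets, then ~7 of 8 are discarded
    _, bursting = police(constant_stream(1000, 1000, 1_000))
    print(f"conforming: passed={conforming.passed} discarded={conforming.discarded}")
    print(f"bursting:   passed={bursting.passed} discarded={bursting.discarded}")
```

The bursting run is the one worth noting for sizing: the 63k burst lets roughly 70 full-size packets through before the rate limit bites, so a burst-size-limit much larger than the rate warrants turns a "1 Mbps" policer into a soft limit for short flows.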
• 304. TROUBLESHOOTING AND FURTHER INFORMATION
# COS monitoring and investigation commands
show class-of-service …
show firewall filter …
show policer …
show interfaces queue <if-name>
show interfaces extensive <if-name>
# COS Configuration Guide for Security Devices
http://www.juniper.net/techpubs/en_US/junos12.1/information-products/topic-collections/security/software-all/class-of-service/junos-security-swconfig-cos.pdf
# SRX Interface Guide
http://www.juniper.net/techpubs/software/junos-security/junos-security95/junos-security-swconfig-interfaces-and-routing/frameset.html
• 305. VIRTUAL CHANNELS (VC)
• The VC concept is only available on Branch SRX and J-Series
• It is useful when a central site sends traffic to several remote sites with limited WAN bandwidth, and the WAN interface of the central site has more bandwidth than the branches
• Up to 64 virtual channels per system can be supported
• Traffic to each site is assigned to a VC using firewall filters
• Queuing / scheduling / shaping for each VC is performed at OUTQ
• Configuring a shaper for each VC is mandatory
[Figure: central site connected via DS3 to the network; branches connected via ADSL, T1 and E1]
• 306. VIRTUAL CHANNEL EXAMPLE
# Classify the traffic for each site into its virtual channel
edit firewall family inet filter SITE1
set term SITE1 from destination-address 192.2.1.2/32
set term SITE1 then virtual-channel site1
top
# Define the virtual channels
set class-of-service virtual-channels site1
set class-of-service virtual-channels site2
set class-of-service virtual-channels site3
# Group them and give each channel a scheduler map and its (mandatory) shaping rate
edit class-of-service virtual-channel-groups WAN
set site1 scheduler-map TEST-MAP
set site1 shaping-rate 2m
set site2 scheduler-map TEST-MAP
set site2 shaping-rate 1500000
set site3 scheduler-map TEST-MAP
set site3 shaping-rate 1500000
top
# Apply the virtual channel group on the egress WAN interface
set interfaces ge-0/0/0 per-unit-scheduler
set class-of-service interfaces ge-0/0/0 unit 0 virtual-channel-group WAN
# Apply the firewall filter on the ingress LAN interface
set interfaces ge-0/0/1 unit 0 family inet filter input SITE1
• 307. COS - NOTES AND LIMITATIONS AND TIPS (1/2)
• System dependencies
  • SRX branch devices support shaping-rate at the logical (unit) level, not on the physical port
  • EX switches support shaping-rate at the physical port level, but not at the logical level
  • On Data Center SRX, BA classification is done on the NPU and MF classification on the SPU
  • On a given interface, queues can live at one (and only one) of the following levels:
    • Interface
    • Sub-interface (e.g. VLAN, DLCI); this is referred to as "per-unit-scheduling"
    • Virtual channels (a concept present only on Branch SRX and J-Series)
• Interface type dependencies
  • Today (with JUNOS 10.3) schedulers cannot be applied to a Secure Tunnel (st0) interface. Either apply the map to the underlying physical interface, use GRE tunnels, or on Branch SRX use virtual channels
  • On SRX, schedulers can be applied on L3 interfaces and VLAN sub-interfaces
  • Reth interfaces have a maximum of 4 queues
• Interface hardware dependencies
  • Ingress interface policing is only available on SRX-5600 and SRX-5800 with the Combo module
• 308. COS - NOTES AND LIMITATIONS AND TIPS (2/2)
• Default settings
  • All router-initiated control-plane traffic is automatically assigned to network-control. Packets originating from protocols such as LLDP, RSTP, OSPF etc. are therefore handled by queue 3
  • All other traffic goes into the best-effort queue
  • Schedulers are disabled on most interfaces and must be enabled to take effect:
    set interfaces ge-0/0/0 per-unit-scheduler
  • per-unit-scheduler is enabled by default on gr- (GRE), ip- (IP-IP) and ls- (multilink) interfaces
• Bandwidth calculations
  • Policers work on L3 packet sizes
  • Shapers work on L2 packet sizes
• Tip: apply a classifier to multiple interfaces with a wildcard
  set class-of-service interfaces ge-0/0/* unit 0 classifiers ieee-802.1 default
• 309. HIGH AVAILABILITY
• 310. SOLUTION ARCHITECTURE
[Figure: two nodes. Control plane: the control plane daemons of node0 and node1 are connected via fxp1 (GRES provides nonstop failover). Data plane: the forwarding daemons of node0 and node1 are connected via fab0/fab1 and exchange RTOs.]
• Single device abstraction
• Clean separation of control and forwarding planes
• Unified configuration with configuration sync
• 311. TWO CHASSIS CONNECTED TOGETHER
[Figure: control plane connection SPC to SPC; data plane connection IOC to IOC]
• 312. INTERFACE NUMBERING
Interfaces in HA clusters are renumbered: node0 keeps slots 0-11 (RE 0), node1 uses slots 12-23 (RE 1). Example: ge-1/0/0 on node0 corresponds to ge-13/0/0 on node1.
• 313. CLUSTER INTERFACES
Model    | Management (fxp0)          | Control link (fxp1)                                                           | Fabric link
SRX 100  | fe-0/0/6                   | fe-0/0/7, tagged - VLAN 4094 1)                                               | any interface, untagged; MTU on SRX100 is 1628
SRX 210  | fe-0/0/6                   | fe-0/0/7, tagged - VLAN 4094 1)                                               | any interface, untagged; jumbo frames, MTU 9014
SRX 240  | ge-0/0/0                   | ge-0/0/1, tagged - VLAN 4094 1)                                               | any interface, untagged; jumbo frames, MTU 9014
SRX 650  | ge-0/0/0                   | ge-0/0/1, tagged - VLAN 4094 1)                                               | any interface, untagged; jumbo frames, MTU 9014
J-Series | ge-0/0/2                   | ge-0/0/3, untagged                                                            | any interface, untagged; jumbo frames, MTU 9014
SRX 3000 | fxp0 on the Routing Engine | onboard HA port 0 with any type of SFP, untagged                              | any interface, untagged; jumbo frames, MTU 9014
SRX 5000 | fxp0 on the Routing Engine | first port of any SPC, same-slot SPC on both SRX, fiber SFPs only, untagged   | any interface, untagged; jumbo frames, MTU 9014
1) VLAN tagging of the control link became configurable with JUNOS 10.3 (set chassis cluster control-link-vlan enable/disable)
• 314. SRX3000 HARDWARE AND INTERFACE REDUNDANCY
Component                | Interface                                          | Redundancy                                                                          | Remarks
Management (fxp0)        | Yes, on the Routing Engine                         | No                                                                                  |
Control link (fxp1)      | Built-in on the SFB module; use HA control port 0  | Possible with HA control port 1 on the SFB; requires CRM module & JUNOS 10.2        | untagged, jumbo frames
Data link (fab0 & fab1)  | Yes                                                | Possible since JUNOS 10.2                                                           | untagged, jumbo frames; uses LAG
Secondary Switch Fabric  | -                                                  | Not yet supported                                                                   |
Secondary Routing Engine | -                                                  | Not yet supported                                                                   |
• 315. SRX5000 HARDWARE AND INTERFACE REDUNDANCY
Component                   | Interface                                                                                   | Redundancy                                                                                   | Remarks
Management (fxp0)           | Yes, on the first Routing Engine                                                            | Today (10.4) a second Routing Engine is only used for control-link redundancy                |
Control link (fxp1)         | First port of any SPC                                                                       | Requires a second Routing Engine, uses the second port on the SPC; supported since JUNOS 10.0 | Must be on the same SPC in each cluster member; fiber SFPs only
Data link (fab0 & fab1)     | Yes, can be on any IO card, must be configured                                              | Available since JUNOS 10.2 by using a LAG configuration                                      |
Second Switch Control Board | A second SCB is included in each SRX-5800 base system and is an option for the SRX-5600     |                                                                                              | Fallback to a single SCB reduces maximum performance
Third Switch Control Board  | A slot exists to install a third SCB on the SRX5800, but this is not yet supported          |                                                                                              |
Secondary Routing Engine    | -                                                                                           | Today (10.4) a second Routing Engine is only used for control-link redundancy                |
• 316. SRX CLUSTER CREATION - STEP BY STEP
• Plug in the cluster control and fabric links
• Set the cluster ID on both members and reboot them
• On SRX 5000: configure the control ports on both members
• From now on both members can be configured as one
• Specify the data links (a.k.a. fabric ports)
• Define the node specific configuration in apply-groups
• Define at least 2 redundancy groups
• Configure redundant Ethernet interfaces for these RGs
• Continue with the remaining configuration
• 317. HIGH AVAILABILITY - CONTROL AND FABRIC LINKS
# Create a cluster
# The cluster ID must be between 1 and 15
# Cluster ID 0 (or "set chassis cluster disable") removes the node from the cluster
# Each device in the cluster must be given a unique node number
# A reboot is required to make the change effective
# This command is required on both cluster members
set chassis cluster cluster-id <0-15> node <0-1> reboot
# Define the control ports (on SRX5K between SPCs, fiber only); this becomes interface fxp1
set chassis cluster control-ports fpc 0 port 0
set chassis cluster control-ports fpc 12 port 0
# Define the data ports (on SRX5K between IOCs); fab0 and fab1 are the fabric links
# At least one interface from each node
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-12/0/2
# Since JUNOS 10.2 you can add additional member interfaces
set interfaces fab0 fabric-options member-interfaces ge-0/0/3
set interfaces fab1 fabric-options member-interfaces ge-12/0/3
• 318. HIGH AVAILABILITY - NODE SPECIFIC CONFIGURATION
# Group configuration: all settings which are node specific
# Settings for the first node
set groups node0 system host-name SRX5800-1
set groups node0 system backup-router 172.26.26.1 destination 0.0.0.0/0
set groups node0 interfaces fxp0 unit 0 family inet address 172.26.26.104/24
# Settings for the second node
set groups node1 system host-name SRX5800-2
set groups node1 system backup-router 172.26.26.1 destination 0.0.0.0/0
set groups node1 interfaces fxp0 unit 0 family inet address 172.26.26.105/24
# Make sure both groups are part of the configuration, but only the node specific
# settings are applied on each cluster member
set apply-groups "${node}"
# You can specify an additional fxp0 address that always reaches the current primary
# (master-only), whichever node holds RG0. Don't use this address to connect to NSM
set groups node0 interfaces fxp0 unit 0 family inet address 172.26.26.106/24 master-only
set groups node1 interfaces fxp0 unit 0 family inet address 172.26.26.106/24 master-only
• 319. HIGH AVAILABILITY - REDUNDANCY GROUPS
# Define two redundancy groups for A/P; optionally a third group for A/A (possible since JUNOS 9.5)
# Redundancy group 0 is required for the Routing Engine (control plane)
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
# Redundancy group 1 is used for redundant interfaces in an A/P configuration
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
# Redundancy group 2 is used for redundant interfaces in an A/A configuration
# (node1 is preferred here, so RG1 and RG2 are active on different nodes)
set chassis cluster redundancy-group 2 node 0 priority 100
set chassis cluster redundancy-group 2 node 1 priority 200
• 320. HIGH AVAILABILITY - REDUNDANT INTERFACES
# Define the number of redundant Ethernet interfaces in your cluster (at least 2),
# configure the redundant interfaces and finally assign physical interfaces to them
# The total number of redundant Ethernet interfaces;
# this statement creates reth0, reth1, reth2 and reth3
set chassis cluster reth-count 4
# Make individual interfaces members of reth0
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-12/0/3 gigether-options redundant-parent reth0
# Make individual interfaces members of reth1
set interfaces ge-0/0/4 gigether-options redundant-parent reth1
set interfaces ge-12/0/4 gigether-options redundant-parent reth1
# Assign the reths to a redundancy group and configure them like normal L3 interfaces
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 10.10.1.3/24
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 20.10.1.3/24
• 321. HIGH AVAILABILITY - ADDITIONAL OPTIONS (1)
# Interface monitoring
# Release the primary role in case of a layer 1 failure on these interfaces
# (the group fails over once the accumulated weight of failed interfaces reaches 255)
set chassis cluster redundancy-group 1 interface-monitor xe-0/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-11/0/0 weight 255
# Optional pre-emption (fall back when the node with the better priority returns)
set chassis cluster redundancy-group 1 preempt
# Optional hold-down interval (seconds) to prevent too frequent failovers of the redundancy group
set chassis cluster redundancy-group 1 hold-down-interval 900
# IP monitoring (track IP) for a redundancy group (introduced for Data Center SRX with JUNOS 9.6)
set chassis cluster redundancy-group 1 ip-monitoring family inet 1.1.1.1 weight 255
# Additional monitoring from the backup node's interface was added in JUNOS 10.1
set chassis cluster redundancy-group 1 ip-monitoring interface reth0.0 secondary-ip ..
# Optional control link recovery (introduced with JUNOS 9.6):
# recovers the system from the hold/disabled state by an automatic reboot
set chassis cluster control-link-recovery
# Fabric link monitoring is disabled by default on High-End SRX since 10.4r4
# to avoid the "hold" state after link loss. To enable it use
set chassis cluster fabric-monitoring
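The interface-monitor and ip-monitoring statements above each carry a weight, and the failure table later in this chapter states the rule: the group fails over when the total weight of failed monitored objects exceeds 254. The following model is an added example, not Juniper code, that applies exactly that rule to the configuration syntax used above: it parses the redundancy-group priorities and monitored objects, treats a node whose failed weight reaches 255 as having priority 0, and decides whether the other node takes over. It shows why one weight-255 interface fails the group over on its own while two weight-128 interfaces only do so together. Assumptions: the caller passes the set of objects that are down on the node currently primary for the group, preempt is not modelled, and the weight-128 interfaces in the sample are constructed (the page only shows weight-255 entries).

```python
"""Redundancy-group failover decision from monitoring weights (added example, not Juniper code)."""
import re
from dataclasses import dataclass, field

FAILOVER_THRESHOLD = 255   # page: "failover if total weight exceeds 254"

_PRIO = re.compile(r"^set chassis cluster redundancy-group (\d+) node (\d) priority (\d+)$")
_IFMON = re.compile(r"^set chassis cluster redundancy-group (\d+) interface-monitor (\S+) weight (\d+)$")
_IPMON = re.compile(r"^set chassis cluster redundancy-group (\d+) ip-monitoring family inet (\S+) weight (\d+)$")


@dataclass
class RedundancyGroup:
    rg_id: int
    priority: dict = field(default_factory=dict)   # node number -> configured priority
    monitors: dict = field(default_factory=dict)   # monitored object (interface or IP) -> weight


def parse_redundancy_groups(lines):
    """Build RedundancyGroup objects from `set chassis cluster redundancy-group ...` lines."""
    groups = {}
    for line in lines:
        line = line.strip()
        if m := _PRIO.match(line):
            rg = groups.setdefault(int(m[1]), RedundancyGroup(int(m[1])))
            rg.priority[int(m[2])] = int(m[3])
        elif (m := _IFMON.match(line)) or (m := _IPMON.match(line)):
            rg = groups.setdefault(int(m[1]), RedundancyGroup(int(m[1])))
            rg.monitors[m[2]] = int(m[3])
    return groups


def failed_weight(rg, failed_objects):
    """Sum of the weights of the monitored objects reported down."""
    return sum(w for name, w in rg.monitors.items() if name in failed_objects)


def effective_priority(rg, node, failed_objects):
    """Configured priority, or 0 once the failed weight reaches the threshold."""
    if failed_weight(rg, failed_objects) >= FAILOVER_THRESHOLD:
        return 0
    return rg.priority.get(node, 0)


def decide(rg, primary, failed_on_primary):
    """Return (fails_over, new_primary, primary_priority) for failures seen on the primary node.

    The other node only takes over if its own configured priority is nonzero.
    Preempt and hold-down timers are not modelled.
    """
    other = 1 - primary
    prio = effective_priority(rg, primary, failed_on_primary)
    if prio == 0 and rg.priority.get(other, 0) > 0:
        return True, other, prio
    return False, primary, prio


# Constructed sample in the page's syntax; xe-1/0/0 and xe-1/0/1 with weight 128 are assumptions.
SAMPLE_RG_CONFIG = """
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set chassis cluster redundancy-group 1 interface-monitor xe-0/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor xe-1/0/0 weight 128
set chassis cluster redundancy-group 1 interface-monitor xe-1/0/1 weight 128
set chassis cluster redundancy-group 1 ip-monitoring family inet 1.1.1.1 weight 255
""".strip().splitlines()

if __name__ == "__main__":
    rg1 = parse_redundancy_groups(SAMPLE_RG_CONFIG)[1]
    for down in ({"xe-0/0/0"}, {"xe-1/0/0"}, {"xe-1/0/0", "xe-1/0/1"}, {"1.1.1.1"}):
        print(sorted(down), "->", decide(rg1, 0, down))
```

Weights therefore let you express "fail over if either uplink dies" (one object per uplink at 255) as well as "fail over only if both die" (two objects at 128 each) in the same statement syntax.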
• 322. HIGH AVAILABILITY - ADDITIONAL OPTIONS (2)
# Redundant interface as a VLAN trunk
set interfaces reth1 vlan-tagging
set interfaces reth1 redundant-ether-options redundancy-group 1
# Best practice: use the VLAN ID also as the unit number
set interfaces reth1 unit 11 vlan-id 11
set interfaces reth1 unit 11 family inet address 10.0.11.1/24
set security zones security-zone zone11 interfaces reth1.11
set interfaces reth1 unit 12 vlan-id 12
set interfaces reth1 unit 12 family inet address 10.0.12.1/24
set security zones security-zone zone12 interfaces reth1.12
# Graceful restart
# If all participants of a routing protocol can handle graceful restart, use this option
# to avoid outages caused by OSPF or BGP re-establishment after a failover
set routing-options graceful-restart
# Heartbeat interval tuning
# Set the heartbeat interval (1000..2000 msec, default 1000)
set chassis cluster heartbeat-interval <msec>
# Set the heartbeat threshold (3..8, default 3)
set chassis cluster heartbeat-threshold <nr>
• 323. HIGH AVAILABILITY - ADDITIONAL OPTIONS (3)
# VLAN tagging on the Branch SRX control link
# On Branch SRX the control link traffic uses VLAN ID 4094 by default.
# Since JUNOS 10.3 there is a command to remove the VLAN tag;
# a reboot is required to make the change effective
set chassis cluster control-link-vlan enable/disable
# To see the current setting use
show chassis cluster information
# Commit confirmed on an SRX cluster
# Since a cluster configuration can be edited on both Routing Engines,
# "commit confirmed" is not available by default.
# To allow "commit confirmed" you must enter configuration mode with
configure exclusive
• 324. HIGH AVAILABILITY - MONITORING AND TROUBLESHOOTING (1)
# Configuration check
show configuration groups
show configuration chassis cluster
show configuration interfaces
# Hardware checks
show chassis hardware
show chassis fpc pic-status
show pfe terse
show chassis alarms
show system alarms
# Monitor the cluster status
show chassis cluster status
show chassis cluster status redundancy-group <xx>
# Display information about the HA interfaces (since 11.4 also the state of redundant HA links)
show chassis cluster interfaces
# Status information
show chassis cluster statistics
show chassis cluster information
show chassis cluster ip-monitoring status
# If you find a cluster member in disabled state, this is where to look for the root cause
show chassis cluster information no-forwarding
• 325. HIGH AVAILABILITY - MONITORING AND TROUBLESHOOTING (2)
# Inspect the log files (for support cases always collect the log files from both nodes!)
show log jsrpd      or   file show /var/log/jsrpd
show log messages   or   file show /var/log/messages
show log chassisd   or   file show /var/log/chassisd
# For ongoing log file monitoring use
monitor start jsrpd
# To enable additional traces in jsrpd, configure traceoptions
set chassis cluster traceoptions level all flag all
# To jump from one node to the other you have the following options:
# CLI command on Branch SRX
request routing-engine login node <x>
# Shell command on Data Center SRX
rlogin -Ji node<x>
# Usually you can also ssh to the fxp0 address of the other node
# Knowledge base: Troubleshooting SRX High Availability
http://kb.juniper.net/library/CUSTOMERSERVICE/Resolution_Guides/SRX/Wrapper_SRX_Chassis_Cluster.html
• 326. HIGH AVAILABILITY - CLUSTER CONNECTIONS
# Requirements for HA cluster connections
- Latency on the HA links must be below 100 msec
- Bandwidth on the fabric link: 1 Gbps is sufficient for A/P; for A/A with 10GE reth interfaces, 10GE fabric links are recommended
- Dual fabric links offer redundancy, but only one link at a time is used for forwarding and RTO sync
- When the HA connection travels over switches:
  - Control link traffic and fabric link traffic must be kept on separate L2 connections (different physical links or different VLANs)
  - Jumbo frames must be permitted
  - IGMP snooping must be disabled on the switch ports involved
  - For Branch SRX: disable VLAN tagging on the control link ("set chassis cluster control-link-vlan disable") or allow QinQ on the switch
  - Follow the guideline from the following knowledge base article: SRX Cluster Deployments across L2 Networks
    http://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/technotes/3500165-EN.pdf
• 327. HIGH AVAILABILITY - MANUAL FAILOVER (1)
Requesting a failover
• Redundancy groups can be failed over manually between the chassis
• RG0 should only be failed over in emergencies
• Fail over RG0 only after both REs have been up for at least 5 minutes; rapid RG0 failovers will cause an RE crash
• RG1 supports rapid failovers
Clearing a failover
• A manually triggered failover must be cleared afterwards
• This prevents accidental further failovers
• 328. HIGH AVAILABILITY - MANUAL FAILOVER (2)
# Request a failover
{secondary:node1}
root@srx> request chassis cluster failover redundancy-group 1 node 1
node1:
--------------------------------------------------------------------------
Initiated manual failover for redundancy group 1

{primary:node1}
root@srx> show chassis cluster status
Cluster ID: 3
Node name    Priority    Status       Preempt    Manual failover

Redundancy group: 0 , Failover count: 1
    node0    200         secondary    no         no
    node1    1           primary      no         no

Redundancy group: 1 , Failover count: 0
    node0    255         primary      yes        yes
    node1    1           secondary    yes        yes

# Clear / reset the failover (the "Manual failover" column shows yes until you do)
root@srx> request chassis cluster failover reset redundancy-group 1
• 329. HIGH AVAILABILITY - MANUAL FAILOVER (3)
Manual failover can fail if the systems are not yet fully up again. A manual failover can be difficult if the nodes have not completely recovered from a previous failover. To determine whether a device is ready for repeated failovers, perform these best-practice checks before requesting a manual failover:
• show chassis cluster status
  Verify the following for all redundancy groups:
  • One node is primary, the other node is secondary
  • Both nodes have nonzero priority values (unless a monitored interface is down)
• show chassis fpc pic-status
  Verify that the PIC status is Online
• show pfe terse
  Verify that the Packet Forwarding Engine status is Ready and that:
  • All slots on the RG0 primary node have the status Online
  • All slots on the RG0 secondary node, except the Routing Engine slots, have the status Valid
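The checks above are easy to do by eye once, but tedious before every planned failover or during a maintenance window with several clusters. The following parser is an added example, not Juniper code: it reads the `show chassis cluster status` output in the format shown two pages earlier and applies the first two best-practice checks (one primary and one secondary per group, nonzero priorities), plus one more a practitioner wants: it flags groups whose "Manual failover" column still says yes, which the page says must be cleared with `request chassis cluster failover reset`. The first sample is the page's own output; the second is a constructed degraded variant.

```python
"""Readiness check on `show chassis cluster status` output (added example, not Juniper code)."""
import re
from dataclasses import dataclass

_RG = re.compile(r"^Redundancy group:\s*(\d+)\s*,\s*Failover count:\s*(\d+)")
_NODE = re.compile(r"^(node[01])\s+(\d+)\s+(\S+)\s+(yes|no)\s+(yes|no)$")


@dataclass
class NodeState:
    node: str
    priority: int
    status: str            # primary / secondary / hold / disabled / ...
    preempt: bool
    manual_failover: bool


def parse_cluster_status(text):
    """Return {rg_id: [NodeState, ...]} from the CLI output."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _RG.match(line):
            current = int(m[1])
            groups[current] = []
        elif (m := _NODE.match(line)) and current is not None:
            groups[current].append(NodeState(m[1], int(m[2]), m[3], m[4] == "yes", m[5] == "yes"))
    return groups


def readiness_findings(groups):
    """Empty list = safe to request a failover according to the page's best practices."""
    findings = []
    for rg_id, nodes in sorted(groups.items()):
        statuses = sorted(n.status for n in nodes)
        if statuses != ["primary", "secondary"]:
            findings.append(f"RG{rg_id}: expected one primary and one secondary, got {statuses}")
        for n in nodes:
            if n.priority == 0:
                findings.append(f"RG{rg_id}: {n.node} has priority 0 (monitored object down or node not ready)")
            if n.manual_failover:
                findings.append(f"RG{rg_id}: manual failover flag set on {n.node}; "
                                f"run 'request chassis cluster failover reset redundancy-group {rg_id}'")
    return findings


# Output as shown on the manual failover page
PAGE_OUTPUT = """
Cluster ID: 3
Node name   Priority   Status      Preempt   Manual failover
Redundancy group: 0 , Failover count: 1
node0       200        secondary   no        no
node1       1          primary     no        no
Redundancy group: 1 , Failover count: 0
node0       255        primary     yes       yes
node1       1          secondary   yes       yes
"""

# Constructed: node0 still in hold after a reboot, node1 lost a monitored interface
DEGRADED_OUTPUT = """
Cluster ID: 3
Node name   Priority   Status      Preempt   Manual failover
Redundancy group: 1 , Failover count: 2
node0       200        hold        no        no
node1       0          primary     no        no
"""

if __name__ == "__main__":
    for label, text in (("page output", PAGE_OUTPUT), ("degraded", DEGRADED_OUTPUT)):
        print(label, "->", readiness_findings(parse_cluster_status(text)) or "ready")
```

On the page's own output the only findings are the pending manual-failover flags on RG1, which is exactly the state the "Clear/Reset Failover" step on the previous page is there to fix.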
• 330. FAILURE CASES AND EXPECTED BEHAVIORS
Component         | Expected behavior
Control link      | The secondary node goes into disabled state. Reconnect the control link and then reboot the secondary node.
Fabric link       | Since 10.4r4 the fabric link is no longer monitored by default; enable monitoring with "set chassis cluster fabric-monitoring". With monitoring: the secondary node goes into disabled state. Reconnect the fabric link and then reboot the secondary node.
Power             | If all power to a unit is lost, all redundancy groups fail over.
Interface down    | Redundancy groups that monitor the interface fail over if the total weight of failed interfaces exceeds 254.
CP                | Causes RG1+ to fail over, but the RE (RG0) remains on the same chassis.
SPC/SPU           | Any SPC or SPU failure triggers RG1+ to fail over to the secondary chassis.
RE or SCB with RE | All redundancy groups fail over and the chassis goes offline.
SCB w/o RE        | Reduces the throughput of the device, does not fail over to the second chassis. A third SCB activates if installed (SRX 5k only).
• 331. FAILURE CASES AND EXPECTED BEHAVIORS (CONTINUED)
Component                                     | Expected behavior
NPC failure (SRX 3k)                          | The SRX 3k supports NPC monitoring. If an NPC fails, all RG1+ groups fail over to the other cluster member.
Control plane failure / RE reboot             | The data plane continues to run for up to 5 minutes without an RE, or until the RE comes back up, when chassisd comes back and reinitializes all of the cards.
Control and data link (fail at the same time) | Both nodes detect the failure of the links through the loss of the heartbeat messages. In this case the secondary node goes disabled.
Complete chassis failure                      | Whether caused by a software or a hardware issue, the secondary node looks for the gratuitous ARPs of the other node and, in their absence, assumes mastership.
• 332. SRX HA STATE TRANSITION DIAGRAM
Note: the transition to disabled state only happens if the node is RG0 secondary.
Note: once in disabled state, the only option to recover is to reboot the device.
[Figure: state diagram with the states Hold, Secondary-Hold, Secondary, Primary, Ineligible and Disabled; transitions as labelled in the diagram:]
- Bootup -> Hold
- Hold -> Secondary: hold timer expires
- Secondary -> Primary: primary node dies
- Secondary -> Primary / Primary -> Secondary-Hold: failover (manual, interface failure, ip-monitoring failure, preempt etc.)
- Secondary-Hold -> Secondary: secondary-hold timer expires
- Secondary-Hold -> Primary: primary node dies
- Secondary -> Ineligible and Secondary-Hold -> Ineligible: fabric-link failure
- Ineligible -> Disabled: ineligible timer fires
- Ineligible -> Primary: primary node dies
- Secondary -> Disabled and Secondary-Hold -> Disabled: control-link failure
• 333. APPLICATION SECURITY, INTRUSION PREVENTION, UNIFIED THREAT MANAGEMENT
• 334. FEATURE LICENSES AND CONTENT SUBSCRIPTIONS
• 335. FEATURE LICENSES
Platform columns: J | SRX100 | SRX110 | SRX210 | SRX220 | SRX240 | SRX650 | SRX1xxx | SRX3xxx | SRX5xxx
(column alignment of the following rows is not recoverable; values are listed in table order)
Memory upgrade: x - - -
Dynamic VPN: up to 25, up to 10, up to 50, up to 150, up to 250, up to 500, -, -, -
Extreme License: - - - - - - x
Logical Systems: - - - - - - up to 32 (1.5.25), up to 32 (1.5.25), up to 32 (1.5.25)
Service Offload (Low Latency): - - - - - - Free, Free, Free
Advanced BGP: x - - - - - x
1) requires the high-memory model   2) includes the IPS license
• 336. CONTENT SUBSCRIPTIONS, AVAILABLE FOR 1, 3 AND 5 YEARS
Feature                       | J | SRX100  | SRX110 | SRX210  | SRX220  | SRX240  | SRX650 | SRX1xxx | SRX3xxx | SRX5xxx
IPS                           | x | 11.4 1) | 11.4   | 11.4 1) | 11.4 1) | 11.4 1) | 11.4   | x       | x       | x
AppSec                        | - | 11.4 1) | 11.4   | 11.4 1) | 11.4 1) | 11.4 1) | 11.4   | 10.4 2) | 10.4 2) | 10.4 2)
Kaspersky AV                  | x | x 1)    | x      | x 1)    | x 1)    | x 1)    | x      | -       | -       | -
Sophos AV                     | - | 11.4 1) | 11.4   | 11.4 1) | 11.4 1) | 11.4 1) | 11.4   | -       | -       | -
Webfilter Websense Integrated | x | x 1)    | x      | x 1)    | x 1)    | x 1)    | x      | -       | -       | -
Webfilter Websense Enhanced   | - | 11.4 1) | 11.4   | 11.4 1) | 11.4 1) | 11.4 1) | 11.4   | -       | -       | -
Sophos Antispam               | x | x 1)    | x      | x 1)    | x 1)    | x 1)    | x      | -       | -       | -
x = available, - = not available, version number = available since that JUNOS release
1) requires the high-memory model   2) includes the IPS license
• 337. UTM, IDP AND APPLICATION FIREWALL FEATURES REQUIRE LICENSES
# Once ordered, licenses can be downloaded from the Juniper License Management Server.
# This method is recommended; DNS and Internet access are required.
# The default URL, as shown by "show configuration system license", is
# https://ae1.juniper.net/JUNOS/key_retrieval
# To download the licenses that were bought for this device execute
request system license update
# If you received a license for manual installation, use this command and paste the key
# (install manually when the license keys are available as a text file)
request system license add terminal
# You can configure a proxy server to retrieve the licenses
set system proxy server 192.168.1.10
set system proxy port 3128
set system proxy username user1
set system proxy password user123
# To track problems with licenses, write a trace file
set system license traceoptions file license.log
set system license traceoptions flag all
# Trial licenses (valid for 4 weeks) are available;
# they can only be fetched once per lifetime of each device serial number
request system license update trial
• 338. MANY LICENSED FEATURES ARE ENABLED PER RULE
# In the firewall policy you decide per rule whether the licensed features are applied
edit security policies from-zone trust to-zone untrust policy default-permit
# one or more of: idp, uac-policy, utm-policy <name>, services-offload
set then permit application-services idp
top
• 339. APPLICATION SECURITY FEATURES
- IDP
- AppTrack
- AppFirewall
- Identity-based AppFirewall
- AppQoS
- AppDDoS
• 340. STATE OF APPLICATION SECURITY
State of the Application Firewall feature set
• All AppSecure features are available on High End SRX with JUNOS 11.4r1
• All AppSecure features except AppDDoS and AppQoS are available for Branch SRX with 11.4r1
Licensing
SKU                               | Includes
AppSec-A (Advanced), High End SRX | Application signature license & IPS license
AppSec-B (Basic), Branch SRX      | Application signature license only; the IPS license has to be purchased separately
App-ID database
• On High End SRX the AppID signatures were moved to a separate database with 11.4
• On Branch SRX the AppID signatures have been in a separate database since 11.2
Management and logging
• Some AppFirewall features are not supported in the NSM log viewer or policy manager
• Preferred management solution: Junos Space or J-Web
• Preferred log solution: STRM
• 341. APPLICATION SECURITY AVAILABILITY
Feature  | High End SRX | Branch SRX
AppTrack | yes          | yes (11.4)
AppFW    | yes          | yes (11.4)
AppQoS   | yes          | future
AppDoS   | yes          | future
IPS      | yes          | yes (11.4)
  • 342. 342 Copyright © 2011 Juniper Networks, Inc. www.juniper.net APPSECURE PERFORMANCE Source: AppSecure Datasheet
• 343. IDP INTRUSION DETECTION AND PREVENTION
• 344. ACTIVATE INTRUSION DETECTION AND PREVENTION
Initial Requirement
• Install the IDP license
• Download and install the attack database and detector engine (a.k.a. security-package)
IDP Policy - Option 1: Use Juniper Policy Templates
• Download the policy templates
• Install the policy templates
IDP Policy - Option 2: Write your own IDP Policy
• Write a custom policy using custom attack groups (NSM is the preferred tool for this job)
Final Steps
• Activate the desired policy
• Add the action "idp" to all firewall rules where you want IDP enabled
• 345. SIGNATURE UPDATES
How can signature updates be installed?
- Pull (the device fetches the updates itself)
- Push from Space. Space can also pull updates through a proxy connection
Branch SRX can have two different signature updates
- IDP security-package updates include
  - updates for IDP signatures,
  - application identification signature updates, and
  - the detector engine
- Application identification updates
  - AppID updates include only AppID signatures, no IDP signatures and no detector engine
• 346. INTRUSION DETECTION AND PREVENTION ATTACK DATABASE
Download and install the latest attack database
srx> request security idp security-package download
Will be processed in asynchronous mode. Check the status using the status checking CLI
srx> request security idp security-package download status
In progress:downloading file ...SignatureUpdate_tmp.xml.gz
srx> request security idp security-package download status
Done;Successfully downloaded from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:1473(Tue Aug 4 13:41:40 2009, Detector=9.2.160090324)
srx> request security idp security-package install
Will be processed in asynchronous mode. Check the status using the status checking CLI
srx> request security idp security-package install status
In progress:Compiling AI signatures ...
# Takes about 5 minutes on an SRX210 to finish
srx> request security idp security-package install status
Done;Attack DB update : successful - [UpdateNumber=1473,ExportDate=Tue Aug 4 13:41:40 2009,Detector=9.2.160090324]
Updating control-plane with new detector : successful
Updating data-plane with new attack or detector : not performed due to no existing running policy found.
• 347. INTRUSION DETECTION AND PREVENTION POLICY TEMPLATES (1/2)
If you don't want to write custom IDP policies yourself, the Juniper policy templates give you a simple starting point.
Use the commands below to download and install the latest security policy templates
srx> request security idp security-package download policy-templates
Will be processed in asynchronous mode. Check the status using the status checking CLI
srx> request security idp security-package download status
Done;Successfully downloaded from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:2
srx> request security idp security-package install policy-templates
Will be processed in asynchronous mode. Check the status using the status checking CLI
lab@srx-172.16.42.210> request security idp security-package install status
Done;policy-templates has been successfully updated into internal repository (=>/var/db/scripts/commit/templates.xsl)!
• 348. INTRUSION DETECTION AND PREVENTION POLICY TEMPLATES (2/2)
To get the policy templates added to your configuration you must enable execution of the templates.xsl script with every commit.
# At commit time, the JUNOS management process (mgd) searches the /var/db/scripts/commit
# directory for scripts and runs the script against the candidate configuration database
# to ensure the configuration conforms to the rules dictated by the scripts.
set system scripts commit file templates.xsl
Now you can use the Recommended policy template
set security idp active-policy Recommended
Once the IDP policy is defined, you can activate it "per rule"
edit security policies from-zone trust to-zone untrust policy <policyname>
set then permit application-services idp
top
• 349. INTRUSION DETECTION AND PREVENTION CUSTOM POLICY
Instead of policy templates you can write custom IDP policies, where you specify which signatures or signature groups to use and what the desired actions are.
The example below uses two INFO level signatures so that you get IDP logs with each ping or HTTP request.
Activate this policy and enable it on an existing firewall rule.
NSM is recommended for writing custom IDP policies, groups and signatures.
edit security idp idp-policy TEST rulebase-ips rule 1
set match source-address any
set match destination-address any
set match attacks predefined-attacks HTTP:AUDIT:URL
set match attacks predefined-attacks ICMP:INFO:ECHO-REQUEST
set then action no-action
set then notification log-attacks
top
set security idp active-policy TEST
edit security policies from-zone trust to-zone untrust policy <policyname>
set then permit application-services idp
top
• 350. INTRUSION DETECTION AND PREVENTION CUSTOM ATTACK GROUPS
You can use custom attack groups to specify which attacks you are looking for.
Be aware that server-to-client signatures have a big performance impact. They should only be applied when you inspect traffic to untrusted servers.
edit security idp dynamic-attack-group CRITICAL-C2S
set filters severity values critical
set filters direction values exclude-server-to-client
top
edit security idp dynamic-attack-group CRITICAL-ALL
set filters severity values critical
top
# Rule 1: traffic to your own trusted servers, client-to-server signatures only
edit security idp idp-policy TEST rulebase-ips rule 1
set match source-address any
set match destination-address MY-OWN-TRUSTED-SERVERS
set match attacks dynamic-attack-groups CRITICAL-C2S
set then action no-action
top
# Rule 2: traffic to all other servers, signatures in both directions
edit security idp idp-policy TEST rulebase-ips rule 2
set match source-address any
set match destination-except MY-OWN-TRUSTED-SERVERS
set match attacks dynamic-attack-groups CRITICAL-ALL
set then action ???
set then notification log-attacks
top
• 351. INTRUSION DETECTION AND PREVENTION AUTO UPDATE FOR SIGNATURES
Configure the box to fetch database updates automatically
# Set start time (old format until 10.0r2: MM-DD.hh:mm)
set security idp security-package automatic start-time 01-02.03:00
# Set start time (new format since 10.0r3: YYYY-MM-DD.HH:MM:SS)
set security idp security-package automatic start-time 2010-01-01.02:00:00
# Get the update every 24 hours
set security idp security-package automatic interval 24
# Enable auto update
set security idp security-package automatic enable
# The following situations prevent devices from pulling database updates:
# * when Internet access is not possible at all
# * when Internet access has to go through a proxy
# * in a cluster: when the passive member cannot get Internet access from fxp0
# The following options can help to solve problems with the delivery of automatic updates:
# * NSM or Space can be used to pull the attack database and push it to the device;
#   both can even use proxy connections
# * An offline update procedure is described in the Knowledgebase
# For clusters where only the active node can pull the update:
# * After an RG0 failover the second node becomes active and can fetch the update
# * A description and a script to perform the sync is posted in forum.juniper.net
# * Automatic file sync from the active node to the passive node is planned for JUNOS 12.1
• 352. IDP PACKET CAPTURES
# Since JUNOS 10.2, the Datacenter SRX supports collection and delivery of packet
# captures when an attack is found. On the STRM side you need STRM 2010.0r1 / Patch 3
# and updates of these rpms: PROTOCOL-PCAP, DSM-DSMCommon, DSM-JuniperJunOS
# Additions to IDP rules to take packet captures
edit security idp idp-policy TEST rulebase-ips rule 1 then notification
set packet-log pre-attack 4
set packet-log post-attack 6
set packet-log post-attack-timeout 2
top
# Specify the destination to deliver these data to
# The port definition must match the DSM configuration on STRM
edit security idp sensor-configuration
set packet-log source-address 172.30.81.84
set packet-log host 172.30.80.76
set packet-log host port 515
top
# Resource consumption limits can be adjusted
# The values below allow pcaps on 10% of total memory and 10% of max sessions
edit security idp sensor-configuration
set packet-log total-memory 10
set packet-log max-sessions 10
top
# Show statistics for packet logging
show security idp counters packet-log
• 353. IDP PACKET CAPTURES IN STRM
(STRM screenshot)
• 354. INTRUSION DETECTION AND PREVENTION MONITORING AND DIAGNOSTICS
# Attack database version
show security idp security-package-version
# Check if the server connection is ok
request security idp security-package download check-server
# Check if IDP is enabled on a security policy
show security policies policy-name <name> detail | match Intrusion
# IDP statistics
show security idp status
# Application identification: cache with last connections and per-application stats
show security idp application-statistics
show security idp application-identification application-system-cache
# Attacks detected since last policy load
show security idp attack table
# IDP counters
show security idp counters ?
# Catch IDP logs and write them to a local log file (only possible in log mode event)
set system syslog file IDP-Logs user info
set system syslog file IDP-Logs match IDP_ATTACK
set system syslog file IDP-Logs archive size 1m
set system syslog file IDP-Logs archive files 3
set system syslog file IDP-Logs structured-data brief
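The syslog filter above collects IDP_ATTACK events in a local file in structured-data format. The Python script below is an added example that is not part of the slide deck: it parses such RFC 5424 structured-data lines into dictionaries and summarises them, so an analyst can see which signatures fired from which sources and which high-severity events a "no-action" rule only logged. The sample log lines are constructed for the example; their field names (source-address, attack-name, threat-severity, action, ...) follow the style of the Junos IDP event but are not copied from a device, and "EXAMPLE:CONSTRUCTED:SIG" is a placeholder signature name.

```python
"""Parse Junos RT_IDP IDP_ATTACK_LOG_EVENT lines (structured-data syslog) and
summarise them. Added example, not part of the slide deck; the sample lines are
constructed and only approximate the field set of a real device."""
import re
from collections import Counter

# Constructed sample log lines (not real device output). One RT_FLOW line is
# included to show that unrelated structured-data events are skipped.
SAMPLE_LOG = """\
<14>1 2012-11-08T10:00:01.123Z srx RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.40 epoch-time="1352368801" message-type="SIG" source-address="192.0.2.10" source-port="50123" destination-address="198.51.100.20" destination-port="80" protocol-name="TCP" service-name="HTTP" rule-name="1" rulebase-name="IPS" policy-name="TEST" action="NONE" threat-severity="INFO" attack-name="HTTP:AUDIT:URL"]
<14>1 2012-11-08T10:00:02.456Z srx RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.40 epoch-time="1352368802" message-type="SIG" source-address="192.0.2.10" source-port="0" destination-address="198.51.100.20" destination-port="0" protocol-name="ICMP" service-name="ICMP" rule-name="1" rulebase-name="IPS" policy-name="TEST" action="NONE" threat-severity="INFO" attack-name="ICMP:INFO:ECHO-REQUEST"]
<14>1 2012-11-08T10:00:03.789Z srx RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.40 source-address="192.0.2.11" destination-address="198.51.100.20"]
<14>1 2012-11-08T10:00:04.000Z srx RT_IDP - IDP_ATTACK_LOG_EVENT [junos@2636.1.1.1.2.40 epoch-time="1352368804" message-type="SIG" source-address="192.0.2.12" source-port="50200" destination-address="198.51.100.20" destination-port="80" protocol-name="TCP" service-name="HTTP" rule-name="2" rulebase-name="IPS" policy-name="TEST" action="NONE" threat-severity="CRITICAL" attack-name="EXAMPLE:CONSTRUCTED:SIG"]
"""

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOST APP-NAME PROCID MSGID [SD-ID params]
EVENT_RE = re.compile(
    r"^<\d+>1 (?P<ts>\S+) (?P<host>\S+) RT_IDP \S+ IDP_ATTACK_LOG_EVENT "
    r"\[(?P<sdid>[^ \]]+)(?P<params>.*)\]\s*$"
)
# key="value" pairs; a value may contain the RFC 5424 escapes \" \\ \]
PARAM_RE = re.compile(r'(?P<key>[^= \]]+)="(?P<val>(?:[^"\\]|\\.)*)"')

# Junos IDP severities from least to most severe
SEVERITY_RANK = {"INFO": 0, "WARNING": 1, "MINOR": 2, "MAJOR": 3, "CRITICAL": 4}


def _unescape(value):
    """Undo the RFC 5424 parameter escapes."""
    return re.sub(r'\\(["\\\]])', r"\1", value)


def parse_idp_events(lines):
    """Return one dict per IDP_ATTACK_LOG_EVENT line; other lines are ignored."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue
        event = {k: _unescape(v) for k, v in PARAM_RE.findall(m.group("params"))}
        event["timestamp"] = m.group("ts")
        event["host"] = m.group("host")
        events.append(event)
    return events


def summarize(events, min_severity="MAJOR"):
    """Count signatures and sources, and list events at or above `min_severity`
    that the IDP rule only logged (action NONE) instead of dropping."""
    threshold = SEVERITY_RANK[min_severity]
    unblocked = [
        (e["source-address"], e["attack-name"])
        for e in events
        if e.get("action") == "NONE"
        and SEVERITY_RANK.get(e.get("threat-severity"), -1) >= threshold
    ]
    return {
        "by_attack": Counter(e["attack-name"] for e in events),
        "by_source": Counter(e["source-address"] for e in events),
        "unblocked_high_severity": unblocked,
    }


if __name__ == "__main__":
    summary = summarize(parse_idp_events(SAMPLE_LOG.splitlines()))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Feed the script the IDP-Logs file collected by the syslog configuration above; the "unblocked_high_severity" list is the one to review first, because a rule such as the TEST policy on slide 349 uses "then action no-action" and therefore only records what it sees.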
• 355. IDP FILES AND THEIR LOCATION
# Attack database in XML format
file show /var/db/idpd/sec-download/SignatureUpdate.xml
# List of all attack groups (downloaded)
file show /var/db/idpd/sec-download/groups.xml
# List of all attacks
file show /var/db/idpd/sec-repository/attack.list
# List of all attack groups (repository)
file show /var/db/idpd/sec-repository/attack-group.list
# List of all applications AppID can identify
file show /var/db/idpd/sec-repository/application.list
# The final policy after compilation
file show /var/db/idpd/sets/POLICYNAME.set
• 356. SIGNATURE BACKGROUND INFORMATION
List of available signatures
http://services.netscreen.com/documentation/signatures/
RSS feed about changes
https://services.netscreen.com/restricted/sigupdates/nsm-updates/updates.xml
Signatures with reference to CVE, Bugtraq and MS vulnerability IDs
https://services.netscreen.com/restricted/sigupdates/nsm-updates/CVE-BID-mapping.csv
• 357. APPLICATION VOLUME TRACKING
• 358. APPLICATION VOLUME TRACKING
State of Application Volume Tracking
• introduced for High End SRX with JUNOS 10.2
• introduced for Branch SRX with JUNOS 11.2
• STRM can parse and display AVT logs
• NSM today cannot parse and display AVT logs
Application Identification Signatures
• On High-End SRX they are still part of the configuration (stanza services application-identification), but the plan is to move them to a separate database with 11.4
• On Branch SRX the signature database has been separate since 11.2
• Custom signatures will stay under "services application-identification"
• 359. APPLICATION VOLUME TRACKING SIGNATURES DOWNLOAD
# AVT is available on Datacenter SRX since 10.2 and on Branch SRX since JUNOS 11.2
# AVT uses signatures to identify applications
# Default URL is https://services.netscreen.com/cgi-bin/index.cgi
# Before JUNOS 11.4 the signatures were added directly to the existing configuration
# Since JUNOS 11.4 the predefined signatures are saved to an external database,
# similar to the IDP signature database
# Download the application signatures
request services application-identification download
# Install the downloaded application signatures
request services application-identification install
• 360. APPLICATION VOLUME TRACKING CONFIGURATION
# AppTrack is enabled per security zone
set security zones security-zone trust application-tracking
# Configure the remote syslog device to receive AppTrack messages
# STRM 2010.0 has predefined reports to handle AppTrack logs
set security log format sd-syslog
set security log source-address 172.30.81.82
set security log stream STRM host 172.30.80.76
# To generate an AppTrack log at session start (disabled by default)
set security application-tracking first-update
# To generate a first update message 1 minute after session start
set security application-tracking first-update-interval 1
# To generate additional update messages every 5 minutes
set security application-tracking session-update-interval 5
# A final log at session end is created by default
# Monitoring: counters and cache
show services application-identification counter
show services application-identification application-system-cache
# J-Web support is currently planned for 2H11
• 361. APPLICATION VOLUME TRACKING MONITORING
# Full monitoring requires users to look at the AVT logs
# STRM (since 2010.0r2) has parsing and reporting capabilities
# NSM today cannot parse the AVT logs
# If event logging was enabled, logs are available in the local log file
file show /var/log/policy_session | match APPLICATION
# In addition to the logs, a cache is enabled by default and can be used for monitoring
show services application-identification application-system-cache
# Since 11.4 there are additional statistics showing per-group/application usage
show services application-identification statistics application-groups
show services application-identification statistics applications
# To see the signatures (before 11.4)
show config services application-identification application junos:FTP
show config services application-identification nested-application junos:FACEBOOK-CHAT
# Since 11.4 the signatures are no longer part of the configuration, but can still be seen
show services application-identification version
# With 11.4 some groups were also introduced, which make it easier to
# select the AppID signatures for application firewalling
show services application-identification application detail junos:FTP
show services application-identification group summary
show services application-identification statistics application-groups
• 362. APPLICATION VOLUME TRACKING VISIBILITY OF LOGS IN STRM
(STRM screenshot)
• 363. APPLICATION VOLUME TRACKING VISIBILITY IN J-WEB
Monitoring -> Security -> Application Tracking
• 364. APPLICATION FIREWALL
• 365. STATE OF APP FIREWALL
State of the Application Firewall Feature Set
• AppFW was introduced for High End SRX with JUNOS 10.4
• AppFW was introduced for Branch SRX officially with JUNOS 11.4
• AppFW can be used together with user identities for all SRX with JUNOS 12.1
Management of the Application Firewall
• Management on the CLI is possible today on all platforms
• Management in the J-Web UI is available since 11.2
• Support in JUNOS Space Security Designer is available since 11.4
• Support for NSM is currently not available
• Recommended tool for application firewall configuration is Space or the Web UI
Logging and Reporting of the Application Firewall
• STRM 2010.0 can decode application firewall and application tracking logs both in stream and event mode
• J-Web UI log visibility and improved reporting is expected with 11.4r2
• Support for NSM is currently not available
• 366. APPLICATION FIREWALL EXAMPLE CONFIGURATION: YOUTUBE STREAMING
# Rule set: deny the YouTube streaming application, permit everything else
edit security application-firewall rule-sets APPFW
set rule YOUTUBE-STREAM match dynamic-application junos:YOUTUBE-STREAM
set rule YOUTUBE-STREAM then deny
set default-rule permit
top
# Attach the rule set to the firewall policy
edit security policies from-zone trust to-zone untrust policy 1
set match source-address any
set match destination-address any
set match application any
set then permit application-services application-firewall rule-set APPFW
top
# List of applications that can be found with the current database
http://services.netscreen.com/documentation/applications/
• 367. APPLICATION BACKGROUND INFORMATION
List of applications and application groups
http://services.netscreen.com/documentation/applications/
RSS feed with changes (same as IDP)
https://services.netscreen.com/restricted/sigupdates/nsm-updates/updates.xml
AppSecure feature documentation
http://www.juniper.net/techpubs/en_US/junos12.1/information-products/pathway-pages/security/security-appsecure-index.html
• 368. USER IDENTITY BASED FIREWALL CLIENTLESS AD INTEGRATION WITH SRX AND UAC
• 369. CLIENTLESS AD INTEGRATION
(Diagram: IC, SRX, AD and the Finance server)
1. Connect: the IC pushes all roles to the SRX
2. User authenticates to the domain
3. User wants to connect to Finance
4. Drop notification sent to the IC from the SRX
5. User gets redirected to the IC (302)
• 370. CLIENTLESS AD INTEGRATION
6. IC challenges the user with SPNEGO (401)
7. Endpoint pulls a service ticket from the KDC
8. Endpoint re-submits the HTTP GET request to the IC with the SPNEGO auth token
• 371. CLIENTLESS AD INTEGRATION
9. After successful authentication, the IC pushes an auth table entry to the SRX
10. IC redirects the user back to the protected resource
11. User can now access Finance
• 372. USER IDENTITY BASED FIREWALL CONFIGURATION
# User identity based firewall was introduced in JUNOS 12.1
# Set the UAC infranet connection on the SRX (this uses destination port 11123)
set services unified-access-control infranet-controller SERVER address 172.30.81.141
set services unified-access-control infranet-controller SERVER interface fxp0.0
set services unified-access-control infranet-controller SERVER password <password>
# Set the captive portal
edit services unified-access-control captive-portal PORTAL
set redirect-traffic unauthenticated
set redirect-url http://172.30.81.141
top
edit security user-identification
set traceoptions file userid
set traceoptions flag all
set authentication-source local-authentication-table priority 100
set authentication-source unified-access-control priority 200
top
# Enable the UAC policy: match on the user's role and hand the session to UAC
set security policies ... match source-identity ROLE1
set security policies ... then permit application-services uac-policy
# Enable the captive portal
set security policies ... then permit application-services uac-policy captive-portal PORTAL
# For the full configuration follow the UAC Solution Guide
• 373. USER IDENTITY BASED FIREWALL COMMANDS FOR UAC
# Commands to monitor UAC status and information
show services unified-access-control status
show services unified-access-control policies detail
show services unified-access-control roles
# Directory for UAC roles
/var/db/uac.roles
# Directory for local auth data
/var/db/nsd
• 374. USER IDENTITY BASED FIREWALL COMMANDS FOR LOCAL AUTHENTICATION
# Commands to build and examine the local table
request security user-identification local-authentication-table add ?
request security user-identification local-authentication-table delete ?
clear security user-identification local-authentication-table
show security user-identification local-authentication-table ?
show security user-identification local-authentication-table all ?
# Directory for local auth data
/var/db/nsd
• 375. APPLICATION DDOS PROTECTION
• 376. APPLICATION DDOS PROTECTION
Application DDOS is a technology to identify and mitigate distributed denial of service attacks, typically generated from botnets
- Application DDOS works in 3 phases
  - Phase 1: if the connection rate exceeds a limit, we start protocol analysis
  - Phase 2: track connection rate limits (per destination and/or context)
  - Phase 3: classify clients as bots when they exceed thresholds
- Once bots have been identified, we can mitigate their activities by
  - dropping their existing connections and/or
  - dropping future connections (for a certain time) and/or
  - rate limiting future new connections (for a certain time)
AppDDOS today (12.1) can be used to protect HTTP and DNS services
AppDDOS is available with the AppSec-A license for Datacenter SRX since 10.0
• 377. AppDDOS 3-Stage Processing
1. Connections Per Second
   - The administrator defines the CPS threshold to a server at which monitoring for AppDDOS starts. CPS below this threshold is considered normal activity.
2. Context Rate Monitoring/Limiting
   - Once the AppDDOS CPS threshold is surpassed, AppDDOS monitors the context rate. If it exceeds this rate, additional investigation can occur if stage 3 is configured; if stage 3 is not configured, the appropriate action can occur directly.
3. Client Classification (optional)
   - If time binding is configured, it tracks not only the rate of the context being matched but also allows the administrator to track this value for individual clients, to prevent them from individually surpassing the defined limits within the time period.
(Flowchart: Stage 1 Server Monitoring: access to monitored server -> connection rate exceeded? Stage 2 Protocol Profiling: access to monitored context -> context rate exceeded? / context value rate exceeded? Stage 3 Bot Client Classification: time-binding configured? -> counter exceeded? -> Action/Logging)
• 378. AppDDOS Configuration Structure
Firewall Security Policy
- On a firewall rule-by-rule basis IDP processing is configured (since AppDDOS is part of the IDP functionality). Firewall processing includes matching based on: source zone, destination zone, source IP, source port, destination IP, destination port, and protocol.
IDP Security Policy: Application DDOS Profile
- The ApplicationDDOS profile defines the following:
  - Context to match
  - Connections per second to trigger Phase 2
  - Context thresholds to trigger Phase 3, or direct actions based only on overall thresholds
  - Client contexts per period
IDP Policy
- Within the IDP security policy the rulebase-ddos is where the configuration defines what criteria to match based on: source zone, destination zone, source IP, destination IP, application, and application-ddos profile. This rule defines what to do with the offending connection along with future ip-action connections.
• 379. APPLICATION DDOS PROTECTION (1/3)
# AppDDOS is available as a licensed feature for Datacenter SRX since JUNOS 10.0
# Define two servers in a group for investigation
set security zones security-zone trust address-book address SERVER1 172.30.80.132/32
set security zones security-zone trust address-book address SERVER2 172.30.80.202/32
edit security zones security-zone trust address-book address-set WEBSERVER
set address SERVER1
set address SERVER2
top
# Firewall policy
# Activate IDP on the firewall rules that permit traffic to these servers
set security policies from-zone trust to-zone untrust policy 1 then permit application-services idp
# Application DDOS profile
# Define the thresholds we use to look for DDOS attacks
edit security idp application-ddos HTTP_DDOS
set service http
# Phase 1: start protocol analysis if we see more than 5 connections per second
set connection-rate-threshold 5
# Phase 2: start botnet classification if we see more than 50 URL hits per second
# (hit-rate-threshold) or more than 50 hits per second on one context value (value-hit-rate-threshold)
set context http-url-parsed hit-rate-threshold 50
set context http-url-parsed value-hit-rate-threshold 50
# Phase 3: classify a client as a bot if it accesses more than time-binding-count (50)
# URLs within time-binding-period (60 seconds)
set context http-url-parsed time-binding-count 50
set context http-url-parsed time-binding-period 60
top
• 380. APPLICATION DDOS PROTECTION (2/3)
# Install an IDP policy
set security idp active-policy IDP-POLICY
# Add a DDOS rule to this IDP policy to hunt for DDOS attacks against the two servers
edit security idp idp-policy IDP-POLICY rulebase-ddos rule RULE1
set match from-zone untrust
set match to-zone trust
set match destination-address WEBSERVER
set match application default
set match application-ddos HTTP_DDOS
set then action no-action
set then notification log-attacks
# Use ip-action to rate limit any bot found to a maximum of 5 connections per second
set then ip-action ip-connection-rate-limit 5
set then ip-action log
set then ip-action timeout 15
set then ip-action refresh-timeout
top
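The two configuration slides above set the thresholds but do not show how the phases interact over time. The Python model below is an added example, neither Junos code nor a description of the device's internal implementation: it plays the three phases as the slides describe them against constructed traffic, using the HTTP_DDOS profile values (5 connections/s, 50 hits/s, time binding 50 within 60 s) and RULE1's ip-action (rate limit 5 connections/s, timeout 15 s). The window semantics (a sliding one-second window for the rates, a sliding time-binding window per client) and the client addresses are assumptions of this example.

```python
"""Model of the three AppDDOS phases from the slides (connection rate, context hit
rate, time-bound client classification) and the ip-action that follows. Added
example, not Junos code; sliding-window semantics are this model's assumption."""
from collections import defaultdict, deque
from dataclasses import dataclass

SECOND = 1000  # all timestamps are integer milliseconds


@dataclass
class AppDdosProfile:                      # values mirror the HTTP_DDOS profile
    connection_rate_threshold: int = 5     # phase 1: connections/s to the server
    hit_rate_threshold: int = 50           # phase 2: context hits/s, all clients
    value_hit_rate_threshold: int = 50     # phase 2: hits/s on one context value
    time_binding_count: int = 50           # phase 3: per-client hits ...
    time_binding_period: int = 60 * SECOND  # ... within this window


class AppDdosMonitor:
    def __init__(self, profile, rate_limit=5, ip_action_timeout=15 * SECOND):
        self.p, self.rate_limit, self.timeout = profile, rate_limit, ip_action_timeout
        self.conn_times, self.hit_times = deque(), deque()  # server connections, URL hits
        self.value_hits = defaultdict(deque)    # hits per distinct URL value
        self.client_hits = defaultdict(deque)   # hits per client (time binding)
        self.client_conns = defaultdict(deque)  # connections of rate-limited clients
        self.stage, self.stage_log = 1, []
        self.bots = {}            # client -> time its ip-action expires
        self.classified = set()   # every client ever classified as a bot
        self.dropped = 0

    @staticmethod
    def _trim(dq, now, window):
        """Discard entries older than `window` so len(dq) is a rate over that window."""
        while dq and dq[0] <= now - window:
            dq.popleft()

    def allow_connection(self, now, client):
        """Enforce the ip-action on known bots, then run phase 1 server monitoring."""
        if client in self.bots and now >= self.bots[client]:
            del self.bots[client]            # ip-action timeout elapsed
        if client in self.bots:
            conns = self.client_conns[client]
            self._trim(conns, now, SECOND)
            if len(conns) >= self.rate_limit:
                self.dropped += 1            # ip-connection-rate-limit exceeded
                return False
            conns.append(now)
        self.conn_times.append(now)
        self._trim(self.conn_times, now, SECOND)
        if self.stage < 2 and len(self.conn_times) > self.p.connection_rate_threshold:
            self.stage = 2
            self.stage_log.append((now, "phase2-context-rate-monitoring"))
        return True

    def context_hit(self, now, client, value):
        """Phase 2 context rate check, then phase 3 time binding; True = newly a bot."""
        if self.stage < 2:
            return False                     # normal connection rate: no analysis
        self.hit_times.append(now)
        self._trim(self.hit_times, now, SECOND)
        vhits = self.value_hits[value]
        vhits.append(now)
        self._trim(vhits, now, SECOND)
        if self.stage < 3 and (len(self.hit_times) > self.p.hit_rate_threshold
                               or len(vhits) > self.p.value_hit_rate_threshold):
            self.stage = 3
            self.stage_log.append((now, "phase3-client-classification"))
        if self.stage < 3:
            return False
        chits = self.client_hits[client]
        chits.append(now)
        self._trim(chits, now, self.p.time_binding_period)
        if len(chits) > self.p.time_binding_count and client not in self.bots:
            self.bots[client] = now + self.timeout   # ip-action: rate-limit and log
            self.classified.add(client)
            return True
        return False


def simulate():
    """Constructed traffic: three normal clients, then four bots hammering URLs."""
    m = AppDdosMonitor(AppDdosProfile())
    bots = ["203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"]
    for c in ("10.0.0.1", "10.0.0.2", "10.0.0.3"):  # 3 connections/s: stays in phase 1
        m.allow_connection(0, c)
        for k in range(5):
            m.context_hit(100 + k * 100, c, f"/page{k}")
    for i in range(3):                       # 12 bot connections inside one second
        for b in bots:
            m.allow_connection(10 * SECOND + i * 100, b)
    for sec in range(4):                     # 80 URL hits/s for four seconds
        for k in range(20):
            for b in bots:
                m.context_hit(10300 + sec * SECOND + k * 40, b, f"/page{k}")
    for i in range(8):                       # limited bot: only 5 new connections/s
        m.allow_connection(20 * SECOND + i * 100, bots[0])
    m.allow_connection(40 * SECOND, bots[0])  # timeout elapsed: limit lifted
    return {"stage_log": m.stage_log, "classified": sorted(m.classified),
            "dropped": m.dropped, "still_limited": sorted(m.bots)}
```

Running simulate() shows the order of events the slides describe: the twelve connections in one second push the monitor into phase 2, the burst of URL hits pushes it into phase 3, each bot is classified once its own hit count within the time-binding window passes 50, and from then on the ip-action admits at most five new connections per second from that client until the timeout lapses. The normal clients' URL hits are never analysed because the connection rate stayed below the phase 1 threshold.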
• 381. APPLICATION DDOS PROTECTION (3/3)
# AppDDOS monitor and control commands
show security idp counters application-ddos
show security idp application-ddos application
show security idp application-ddos application detail
# Show hosts that are targets of an ip-action
show security flow ip-action
# Remove all current ip-actions
clear security flow ip-action
• 382. UTM FEATURE SET
• 383. UTM FEATURES
Antivirus - Sophos or Kaspersky (full and express)
- Protect against viruses in e-mail (SMTP, POP, IMAP protocols), webmail (HTTP) and FTP traffic
- Integrated AV engines and virus signature databases, updated periodically, available through an AV subscription license
Web filtering - WebSense/SurfControl/Enhanced WF
- Control (allow/deny) access to websites based on URL category
- Off-box (in-the-cloud or on-premise) URL servers/databases
Content filtering
- Provides basic DLP functionality: filters traffic based on file/MIME type, file extension, and protocol commands; keyword matching expected in the future
Antispam - Sophos
- Stop e-mail spam based on IP address/reputation of the sender
- Off-box spam blacklist database, Sophos SBL/RBL (spam/real-time block list), available as a subscription license
• 384. HOW UTM PROFILES ARE CHAINED WITH POLICIES
UTM features are activated per firewall rule by assigning a UTM policy
The UTM policy has a section for each protocol that allows UTM protection
Each protocol section references the feature profiles for the different UTM features
• 385. UTM FEATURE: ANTIVIRUS
• 386. ANTIVIRUS ON SRX: THREE FLAVOURS
- KASPERSKY ANTIVIRUS
  - Full scan engine
  - Local execution of the scan
- SOPHOS ANTIVIRUS
  - Cloud based
  - Verifies source URL and file checksums against a malware database
- EXPRESS AV
  - Reduced local scan engine
PROCESSING ORDER (diagram)
• 387. ACTIVATE ANTIVIRUS (EXPRESS AV ENGINE)
# See also Knowledgebase article KB16620
# Configure the SRX Series device to use the express antivirus engine
set security utm feature-profile anti-virus type juniper-express-engine
# Configure a UTM policy to use the predefined antivirus profile
# http-profile "junos-eav-defaults"
set security utm utm-policy UTM-POL anti-virus http-profile junos-eav-defaults
# Apply the UTM policy to the existing trust to untrust security policy
edit security policies from-zone trust to-zone untrust policy default-permit
set then permit application-services utm-policy UTM-POL
top
• 388. ACTIVATE ANTIVIRUS (KASPERSKY LAB ENGINE)
# Configure the SRX Series device to use the Kaspersky Lab antivirus engine
set security utm feature-profile anti-virus type kaspersky-lab-engine
# Configure a UTM policy to use the predefined antivirus profile
# http-profile "junos-av-defaults"
set security utm utm-policy UTM-POL anti-virus http-profile junos-av-defaults
# Apply the UTM policy to the existing trust to untrust security policy
edit security policies from-zone trust to-zone untrust policy default-permit
set then permit application-services utm-policy UTM-POL
top
• 389. ACTIVATE ANTIVIRUS (SOPHOS CLOUD SERVICE)
# Configure the SRX Series device to use the Sophos antivirus engine
set security utm feature-profile anti-virus type sophos-engine
edit security utm feature-profile anti-virus sophos-engine
# Download the engine and updates once per day
set pattern-update interval 1440
set pattern-update url "http://update.juniper-updates.net/SAV/"
top
# Check URLs against the database that identifies known malware sources
edit security utm feature-profile anti-virus sophos-engine profile SOPHOS
set scan-options uri-check
# To log all URLs (even those that were not blocked) use
set fallback-options default log-and-permit
top
# Configure a UTM policy to apply Sophos AV on HTTP connections
set security utm utm-policy UTM-POL anti-virus http-profile SOPHOS
# Apply the UTM policy to the existing trust to untrust security policy
edit security policies from-zone trust to-zone untrust policy default-permit
set then permit application-services utm-policy UTM-POL
top
• 390. ANTIVIRUS MONITORING AND DIAGNOSTICS
# Show database version and update settings
# Default for Kaspersky is every 1h
# Default for Sophos is every 24h
show security utm anti-virus status
# Statistics on AV operation
show security utm anti-virus statistics
# Run a manual pattern update for the Kaspersky engine
request security utm anti-virus kaspersky-lab-engine pattern-update
# Run a manual pattern update for the Sophos engine
request security utm anti-virus sophos-engine pattern-update
• 391. UTM FEATURE: URL FILTERING
  • 392. 392 Copyright © 2011 Juniper Networks, Inc. www.juniper.net URL FILTERING State of URL Filtering • Local Black and Whitelists can be used for Web filtering • useful as a response to security problems (Phishing Mails, abuse of applications ...) • no licenses required to use this feature • To get a more valuable URL Filter you need a service subscription (license) where URLs are checked against a database • As a response to the query, a list of categories for this URL is returned • In the Profile it can be defined which categories are permitted/denied • Before 11.4 there where two flavors of Web filtering Services • Integrated Webfilter (aka surfcontrol-integrated, License: WF) • Redirect Webfilter (aka WebSense, no License). • With 11.4 a new option was introduced • Enhanced Webfilter (aka juniper-enhanced, License EWF) • Main Benefits of the Enhanced Webfilter Solution from 11.4 are • comparable to the Integrated Webfilter Solution - but with the following enhancements : • more categories (94 vs. 40) and option for custom categories (based on local pattern lists) • option to activate safe-search to filter Search Engine results • option to receive and react on reputation information for each URL • option to redirect access for blocked sites to another URL • better scalability (up to 64K sessions on SRX 650)
• 393. WEBFILTER ON SRX
Two options for cloud based URL checking
- Webfilter Integrated (surfcontrol-integrated)
- since 11.4: Enhanced Webfilter (juniper-enhanced)
One option to redirect traffic through a local Websense server
- Redirect (websense)
• 394. HOW TO CHECK THE CLASSIFICATION FOR A URL?
CHECK CLASSIFICATION OF A SITE FOR INTEGRATED WEB FILTERING
- For the old, integrated SurfControl engine use the following online URL: http://mtas.surfcontrol.com/mtas/JuniperTest-a-Site.asp
- For the new, Enhanced Webfilter use the following online URL: http://aceinsight.websense.com/
- A CLI command returns information on how a site is treated by a given profile:
test security utm web-filtering profile "EWF-PROFILE" test-string www.facebook.com
• 395. WEBFILTER LOCAL BLACKLIST AND WHITELIST (1/2)
With JUNOS 10.0 a local black and white list can be configured.
This filter method works even without a web filter license.
To use wildcards, the pattern must start with "http://".
# First specify a list of URLs (up to 20 per list object)
edit security utm custom-objects
set url-pattern BAD value [http://www.cisco2.com www.checkpoint2.com]
set url-pattern GOOD value "http://*.juniper.net"
set url-pattern GOOD value "http://www.acmegizmo.???"
top
# Use these objects to specify new categories
edit security utm custom-objects
set custom-url-category BLACKLISTED value BAD
set custom-url-category WHITELISTED value GOOD
top
# Finally apply these categories to the web filtering profile
edit security utm feature-profile web-filtering
set url-blacklist BLACKLISTED
set url-whitelist WHITELISTED
top
• 396. WEBFILTER LOCAL BLACKLIST AND WHITELIST (2/2)
# If no other web filtering engine is selected, use type juniper-local
set security utm feature-profile web-filtering type juniper-local
# Define a web filtering profile
edit security utm feature-profile web-filtering juniper-local profile UTM-PROF
set default permit
set custom-block-message "Access to this site is not permitted"
set fallback-settings default block
set fallback-settings too-many-requests block
top
# Configure a UTM policy using this profile
set security utm utm-policy UTM-POL web-filtering http-profile UTM-PROF
# Apply this UTM policy in a firewall rule
edit security policies from-zone trust to-zone untrust policy trust-to-untrust
set then permit application-services utm-policy UTM-POL
top
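The following is an added example (not Junos code) that models how the local blacklist/whitelist objects from the two slides above classify a URL, so the constraints (at most 20 patterns per object, wildcards only with an "http://" prefix) can be checked before a commit. It assumes shell-style wildcard semantics, a comparison on the host part only, and that the blacklist wins when both lists match; verify these against the documentation of your release.

```python
"""Local URL blacklist/whitelist lookup, modelled on the custom-objects above.

Added example (not Junos code). Assumptions: patterns use shell-style
wildcards (* matches any run of characters, ? matches one character), only
the host part of a URL is compared, and the blacklist wins over the whitelist
when both match. Check your release's documentation for the exact semantics.
"""
import fnmatch

MAX_PATTERNS_PER_OBJECT = 20  # limit stated on the slide

# Constructed input, transcribed from the url-pattern / custom-url-category
# objects on the previous slide.
URL_PATTERNS = {
    "BAD": ["http://www.cisco2.com", "www.checkpoint2.com"],
    "GOOD": ["http://*.juniper.net", "http://www.acmegizmo.???"],
}
CUSTOM_CATEGORIES = {
    "BLACKLISTED": ["BAD"],
    "WHITELISTED": ["GOOD"],
}


def validate_pattern_object(name, patterns):
    """Apply the two constraints stated on the slide: at most 20 entries per
    object, and a pattern may only use wildcards if it starts with http://."""
    if len(patterns) > MAX_PATTERNS_PER_OBJECT:
        raise ValueError(f"{name}: more than {MAX_PATTERNS_PER_OBJECT} patterns")
    for pattern in patterns:
        has_wildcard = "*" in pattern or "?" in pattern
        if has_wildcard and not pattern.startswith("http://"):
            raise ValueError(f"{name}: wildcard pattern {pattern!r} must start with http://")
    return True


def host_of(value, is_pattern=False):
    """Return the lower-cased host part of a URL or url-pattern.

    Parsing is done by hand because '?' is a wildcard in patterns but a
    query separator in URLs; userinfo and port are stripped from both."""
    rest = value.split("://", 1)[1] if "://" in value else value
    host = rest.split("/", 1)[0]
    if not is_pattern:
        host = host.split("?", 1)[0]
    host = host.rsplit("@", 1)[-1].split(":", 1)[0]
    return host.lower()


def matching_categories(url, url_patterns=URL_PATTERNS, categories=CUSTOM_CATEGORIES):
    """List the custom categories whose pattern objects match the URL's host."""
    host = host_of(url)
    hits = []
    for category, objects in categories.items():
        for obj in objects:
            patterns = [host_of(p, is_pattern=True) for p in url_patterns[obj]]
            if any(fnmatch.fnmatchcase(host, p) for p in patterns):
                hits.append(category)
                break
    return hits


def local_decision(url):
    """'block' for a blacklisted host, 'permit' for a whitelisted host, None when
    neither list matches (the request then falls through to the configured
    engine or the profile's default action). Blacklist-first is an assumption."""
    cats = matching_categories(url)
    if "BLACKLISTED" in cats:
        return "block"
    if "WHITELISTED" in cats:
        return "permit"
    return None


if __name__ == "__main__":
    for name, patterns in URL_PATTERNS.items():
        validate_pattern_object(name, patterns)
    for url in ("http://www.cisco2.com/index.html",
                "http://kb.juniper.net/KB12167",
                "http://www.acmegizmo.com/?id=1",
                "http://www.example.com/"):
        print(f"{url:40} -> {local_decision(url)}")
```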
• 397. WEBFILTER ACTIVATION OF THE INTEGRATED ENGINE
Configure the SRX Series device to use the integrated engine, configure a new utm-policy to use the predefined web filtering profile "junos-wf-cpa-default" and apply the UTM policy to the existing trust-to-untrust security policy.
set security utm feature-profile web-filtering type surf-control-integrated
edit security utm utm-policy UTM-POL
set web-filtering http-profile junos-wf-cpa-default
top
edit security policies from-zone trust to-zone untrust policy default-permit
set then permit application-services utm-policy UTM-POL
top
• 398. WEBFILTER EXAMPLE FOR A CUSTOM PROFILE
# Configure the SRX Series device to use the integrated engine
set security utm feature-profile web-filtering type surf-control-integrated
# Custom categorization and actions for this engine
edit security utm feature-profile web-filtering surf-control-integrated
edit profile TS-BLOCK-SELECTED-SITES
set category Violence action block
set category Adult_Sexually_Explicit action block
set category Gambling action block
set category Remote_Proxies action block
set default log-and-permit
set fallback-settings default log-and-permit
set fallback-settings server-connectivity log-and-permit
set fallback-settings timeout log-and-permit
set fallback-settings too-many-requests block
set timeout 60
top
edit security utm utm-policy POLICY2
set web-filtering http-profile TS-BLOCK-SELECTED-SITES
top
# Apply the new UTM policy in a firewall rule
edit security policies from-zone trust to-zone untrust policy default-permit
set then permit application-services utm-policy POLICY2
top
• 399. WEB-FILTER MONITORING AND DIAGNOSTICS
# Show database version and update settings (default: every 60 minutes)
show security utm web-filtering status
# Statistics on web filter operation (not for EWF)
show security utm web-filtering statistics
• 400. UTM-FEATURE: ANTI-SPAM
• 401. ANTI SPAM ACTIVATION OF THE FEATURE
Configure the SRX Series device to use the anti-spam feature, use the predefined anti-spam profile "junos-as-defaults" in a new utm-policy and apply this UTM policy to an existing trust-to-untrust security policy. An optional blacklist drops additional SMTP traffic from other senders.
set security utm feature-profile anti-spam symantec-sbl
set security utm utm-policy UTM-POL anti-spam smtp-profile junos-as-defaults
edit security policies from-zone trust to-zone untrust policy default-permit
set then permit application-services utm-policy UTM-POL
top
# Optional blacklist
set security utm custom-objects url-pattern MYBLACKLIST value mail.cisco.com
set security utm feature-profile anti-spam address-blacklist MYBLACKLIST
• 402. MORE ....
• 403. RESET TO FACTORY DEFAULT
• 404. RESET METHODS
The following methods can be used to reset the device to factory default
- Method 1: Reset via reset pin
- Method 2: Load factory default configuration
- Method 3: Wipe configuration files and load default configuration
- Method 4: Single user boot procedure
- Method 5: Install factory default snapshot from boot monitor
- Method 6: Zeroize
The following method can be used to recover the root password
- Method 4: Single user boot procedure
Important note for Branch SRX: To recover a Branch SRX which is in cluster mode you must first turn it back into non-cluster mode (set chassis cluster disable reboot). If you don't have a password any more, you can only use Method 4 or Method 5.
See also http://kb.juniper.net/KB12167 and http://kb.juniper.net/KB15725
• 405. BRANCH SRX PREREQUISITE: YOU MUST ESCAPE CLUSTER MODE FIRST
- If your device was a member of a cluster you will notice an additional line before the system prompt:
{primary:node1}
root>
- To return from cluster mode to a single unit use the following command, which also performs the necessary reboot:
root> set chassis cluster disable reboot
- If you are in cluster mode but cannot log in to your system, you have to use Method 4 (Single User Boot Procedure)
• 406. RESET METHOD 1: RESET VIA RESET BUTTON
Use the reset button
- On J-Series: press the configuration pin for 15 sec. to load the factory default
- On SRX: press the reset pin for 15 sec. and follow the LED color changes
- On EX switches: use the LCD menu to load the factory default configuration
Notes
- You have to exit the shell first
- The node name in the shell prompt appears to be unchanged, but this will change with the next reboot
- If you have a Branch SRX which is still in cluster mode, the factory default configuration cannot commit, as it includes switching configuration. You should then use Method 5 (USB Snapshot) or Method 4 (Single User Mode)
• 407. RESET METHOD 2: LOAD FACTORY DEFAULT CONFIGURATION FROM CLI
If login is still possible you can use commands to load the factory-default configuration. You have to set a root password to get the configuration committed.
Remote Management Console
login: user
password: <none>
root@J2300> configure
root@J2300# load factory-default
# You have to set at least the root password, otherwise you cannot commit
root@J2300# set system root-authentication plain-text-password
New password:
Retype new password:
root@J2300# commit and-quit
root@J2300>
• 408. RESET METHOD 3: WIPE CONFIGURATION FILES
If login is still possible and you have shell access you can erase the current configuration file(s) and reboot. This is equivalent to a reboot with the default configuration.
root> start shell
root@J6350% su
root@J6350% cd /config
root@J6350% rm juniper.conf.gz
root@J6350% reboot
# Remark for JUNOS 11.2 (or probably earlier):
# You also have to wipe the rescue configuration.
# Otherwise the system boots the rescue configuration
# if the normal configuration file has disappeared.
• 409. RESET METHOD 4: SINGLE USER BOOT PROCEDURE
Single user mode, from the boot monitor
For the latest information on this method please consult the Knowledge Base: http://kb.juniper.net/KB12167
Since JUNOS 10.0 you have to disable a watchdog in the boot monitor. See http://kb.juniper.net/KB17565
1. Reboot the device
2. When the message <Press space bar> appears --> interrupt the boot process
3. boot -s --> the device boots in single user mode
4. Log in as root, enter "recover" to load the factory default
5. Enter the CLI as user root
6. Enter configure mode
7. set system root-authentication plain-text-password --> enter <Password>
8. commit
9. If the unit was still in cluster mode, you have to remove the interface configuration and the interface assignments to security zones to commit
10. request system reboot
11. If the unit was in cluster mode, then disable chassis cluster and reboot once more.
• 410. RESET METHOD 5: BOOT AND COPY SNAPSHOT
Boot from a snapshot USB stick (see chapter Software Upgrade)
Notes:
- The USB stick must have at least the size of the internal flash (SRX100 = 1GB)
- This procedure also reformats and partitions the flash and copies the software from the stick. All existing information is overwritten
# First you must copy a snapshot from an existing system to a USB stick
# Keyword factory means we copy the factory default instead of the running config
srx> request system snapshot partition media usb factory
# Now move the USB stick to the system you want to recover and power it up
# Interrupt the boot process to get access to the boot loader prompt
loader> nextboot usb
Setting next boot dev usb
Un-Protected 1 sectors
writing to flash...
Protected 1 sectors
loader> reboot
# Once the system has booted from the USB stick, copy the image
# with the default configuration back to the internal flash
srx> request system snapshot factory partition media internal
• 411. RESET METHOD 6: ZEROIZE SYSTEM
If login is still possible and you have shell access you can completely wipe anything which is not part of the factory default configuration by zeroizing the media.
lab@bnlx-srx220-1> request system zeroize media
warning: System will be rebooted and may not boot without configuration
Erase all data, including configuration and log files? [yes,no] (no)
• 412. BOOTLOADER
• 413. BOOTLOADER NOTES
- Boot loader documentation is included in the Admin Guide
- To enter the boot monitor:
  - power up and wait for "Loading /boot/defaults/loader.conf"
  - hit Space at the following prompt: "Hit [Enter] to boot immediately, or space bar for command prompt."
  - the "loader>" prompt appears
- To see the current boot loader software version use this command:
show chassis routing-engine bios
- Most methods for software update do not reformat the flash and thus do not upgrade the boot loader
- Since JUNOS 10.0 (with boot loader 1.5) the Branch SRX JUNOS package includes the latest boot loader version, and an upgrade of the current boot loader can be performed with this command:
bootupgrade -u /boot/uboot -l /boot/loader
- The dual root partitioning scheme for Branch SRX requires boot loader software version 1.5
• 414. FLASH PARTITIONING DUAL ROOT
• 415. NOTES
Since JUNOS 10.0, Branch SRX can have a dual root partitioning scheme.
Dual root improves fault tolerance and rollback capabilities and is recommended.
Dual root keeps two copies of the JUNOS software on two different partitions. The configuration is kept in another, shared partition.
# Since JUNOS 10.2 the following command shows the partitioning and which partition is active
show system storage partitions
# To switch to the backup partition
request system software rollback
# If you change your mind you can switch back again
request system software rollback
# To copy the software from the current active partition to the backup partition use
request system snapshot slice alternate
• 416. JUNOS installation in a Dual-Root System
JUNOS upgrades from CLI and J-Web work as follows:
- The alternate root is formatted and mounted
- The new package is installed into the alternate root
- The alternate root is marked as the primary root
- On the next reboot the system boots with the newly installed image
JUNOS is always installed to the alternate root:
- When booted from the primary root, the new image goes to the backup root and it becomes the new primary
- When booted from the backup root, the new image is installed in the primary
- Thus a simple installation can recover the primary root if it is corrupted
• 417. JUNOS installation in Dual Root (animated slide)
[Figure: partition layout of a dual-root Branch SRX. s1a: Root (JUNOS A, primary), s2a: Root (JUNOS B, backup), s3e: /config, s3f: /var, s4a: recovery. After "request system software add junos-c" the alternate root holds JUNOS C and becomes the primary; the former primary becomes the backup.]
• 418. SOFTWARE UPGRADES
• 419. JUNOS Software Upgrade on SRX
1. Decide on a software version and download it
  - Recommended software versions are listed here
  - Information on which feature is available in which release can be found here
  - Software downloads are available from here
2. Best practice: clean up storage before starting the update
3a. If you have physical access, the easiest way is
  - (M1) Autoinstallation from USB stick (requires somebody with physical access)
4a. For other updates decide how to bring the software to your SRX
  - (T1) Upload or download the file in advance (scp or ftp)
  - (T2) Use a controlled download with the download manager
  - (T3) Mount and install from a USB stick
  - (T4) Reference a URL during installation
4b. When you are ready to install you can use
  - (M2) Installation from J-Web
  - (M3) Install from the CLI
  - (M4) Install from the CLI with ISSU (for SRX clusters)
5. Best practice: after completion you can use flash hardening
• 420. DOWNLOAD SOFTWARE FROM SUPPORT PAGES: HTTP://WWW.JUNIPER.NET/SUPPORT/PRODUCTS/
• 421. BEST PRACTICE: CLEANUP BEFORE SOFTWARE UPGRADE
Useful steps to perform before starting an update are: check the flash size, purge unused files
# Check current flash size
show system storage | match cf
# On J-Series
show chassis hardware detail | match Flash
# Purge log files
request system storage cleanup
# If the flash size is still lower than the size of your image,
# purge the software backup
request system software delete backup
# Locate directories on the flash with a large amount of data
show system directory-usage /cf
# To save space, browse directories and erase files manually
file list /cf/var/tmp detail
file delete …..
# Or use the shell to find the largest files on your flash
find -x /cf -type f -exec du {} \; | sort -n
• 422. UPGRADE - METHOD 1 AUTO INSTALLATION FROM USB STICK
# Since 10.4 Branch SRX devices can be set up from a USB stick with auto installation
# Step 1 - Prepare
- Prepare a USB stick (FAT32, <=8GB) with the following files:
- A file with the name "autoinstall.conf" must exist. The content of this file is not important; it can also be an empty file.
- One JUNOS image; the file name must match "junos-srxsme*"
- Optional: you can also add a configuration file. The file name must be "junos-config.conf"
# Step 2 - Insert
- After the SRX has booted completely, insert the USB stick
- The LEDs will start blinking amber (Alarm, Status, Power and HA)
# Step 3 - Reset button
- Press the reset button for a short time
- The LEDs (Alarm, Status, Power and HA) stop blinking and start glowing amber
- Now the new image gets copied; the existing configuration and the rescue configuration are verified against the new software version
- Finally the image gets installed in the second partition, and this partition becomes the new primary partition
- If present on the stick, the new configuration gets copied too (but not yet committed)
- Step 3 takes about 10-12 minutes in total
- If something goes wrong (insufficient space, image corrupt, configuration not compatible) the LEDs glow red. Otherwise the LEDs glow green
# Step 4 - Unplug USB stick
- When the LEDs are green, the USB stick can be unplugged
- Some seconds after unplugging, the device starts a reboot, which takes ~5 minutes to complete
- During power up the new configuration is installed and applied
# To prevent anybody from using this procedure, use the following command:
set system autoinstallation usb disable
• 423. UPGRADE - METHOD 1 AUTO INSTALLATION - FLOW DIAGRAM
• 424. TRANSFER METHOD 1: MOUNT A LOCAL USB STICK
You can add your image from a DOS formatted USB stick
# USB sticks are not auto mounted, so we must go to the shell as root to mount them
srx> start shell
% su -
Password:
# Find out the right device name. On SRX210 "da1" is the upper USB, "da2" the lower USB
# Either watch the console logs during USB plug-in or scan the information from the log
root@srx-172% dmesg | grep umass
da1 at umass-sim1 bus 1 target 0 lun 0
# Once the device name is found, add "s1" to the device name and mount it to /mnt
root@srx% mount -t msdos /dev/da1s1 /mnt
root@srx% exit
exit
# Now you can install the image from the USB stick
# Keyword partition reformats the flash partition
srx> request system software add /mnt/JUNOS-srxsme-11.1R1.8-domestic.tgz partition reboot
• 425. TRANSFER METHOD 2: LOAD FILE TO LOCAL FLASH
# The preferred destination for files on the local flash is /var/tmp because
# several cleanup operations make sure this location gets purged
# Either push the image from outside via scp or ftp
scp JUNOS-srxsme-10.2R2.8-domestic.tgz user@srx:/var/tmp/
# or use an interactive session on the SRX CLI via the scp or ftp command
cd /var/tmp
ftp ... or scp ....
# Now you can install the image from the local file
srx> request system software add /var/tmp/JUNOS-srxsme-11.1R1.8-domestic.tgz
• 426. TRANSFER METHOD 3: USING THE DOWNLOAD MANAGER
# The download manager is available since JUNOS 11.4 and allows rate limited
# downloads, which is useful to fetch software updates over slow WAN links without
# saturating the link
# Every download can also be stopped/paused/resumed
# By default downloaded files are stored under /var/tmp
srx240-0> request system download start ftp://172.1.8.1/junos-x.tgz login user: password max-rate 50K
Starting download #1
srx240-0> show system download
Download Status Information:
ID Status Start Time Progress URL
1 Active May 23 13:14:27 1% ftp://172.1.8.1/junos-x.tgz
srx240-0> request system download pause 1
Paused download #1
srx240-0> show system download
Download Status Information:
ID Status Start Time Progress URL
1 Paused May 23 13:14:27 11% ftp://172.1.8.1/junos-x.tgz
tschmidt@srx240-0> request system download resume 1
Resumed download #1
• 427. TRANSFER METHOD 4: USE URL TO LOAD IMAGE FROM A SERVER
# Example: fetch from an ftp server (user username) and reboot after the update
# Option no-copy allows to save space
J6350> request system software add no-copy reboot ftp://username:prompt@172.30.80.20/JUNOS-jsr-9.5R1.8-domestic.tgz
# Same example for SRX with user anonymous
# If validation reports that your current configuration does not work
# with the new release (e.g. on downgrade) you can bypass the check with no-validate
srx> request system software add no-copy no-validate reboot ftp://172.16.42.8/JUNOS-srxsme-9.5R1.8-domestic.tgz
# Same example for an SSH server
srx> request system software add no-copy no-validate reboot scp://172.16.42.8/JUNOS-srxsme-9.5R1.8-domestic.tgz
• 428. UPGRADE METHOD 2 INSTALL FROM WEB-UI
Use the web interface (requires the most RAM and flash)
• 429. UPGRADE METHOD 3 INSTALL FROM CLI
# Example: start installation from a local file which is already in /var/tmp
# Option reboot forces a reboot after successful installation
request system software add /var/tmp/JUNOS-srxsme-10.2R2.8-domestic.tgz reboot
# Example: download and install the image from an ftp server (user username)
request system software add no-copy no-validate reboot ftp://username:prompt@172.16.42.8/JUNOS-srxsme-10.2R2.8-domestic.tgz
# Example: start installation from a USB stick previously mounted under /mnt
request system software add /mnt/JUNOS-srxsme-11.1R1.8-domestic.tgz partition reboot
• 430. UPGRADE METHOD 4 - FOR SRX CLUSTERS: IN SERVICE SOFTWARE UPGRADE
ISSU stands for In Service Software Upgrade.
ISSU allows the upgrade of cluster members with minimum downtime.
ISSU can be used on High-End SRX in most cases since JUNOS 10.4r4.
ISSU can be used on Branch SRX in most cases since JUNOS 11.2r2.
It is a single command that you have to run from the RG0 primary device. The following actions are performed during the update:
- first the secondary device is upgraded
- then a cross version cluster is formed
- failover to the new device
- upgrade of the old primary
Expected outage with ISSU on DC-SRX is similar to a failover.
Expected outage with ISSU on Branch SRX is about 30 seconds.
Check the documentation and KB17946 for more details on ISSU operation and supported features for different releases.
request system software in-service-upgrade [package] reboot
• 431. BEST PRACTICE: FLASH HARDENING ON BRANCH SRX
# Once your software version and your configuration are reliable use the following
# steps to make Branch SRX devices more robust against flash problems
# Optional: cleanup storage (see documentation)
request system storage cleanup
# Optional: cleanup IDP cache and attack database download (new command from 11.4)
request security idp storage-cleanup
# Show releases in the primary and the secondary partition of Routing Engine 1
show system snapshot media internal slice 1
# Copy the primary partition image to the secondary, so they carry the same release
# Check KB22798 for details on dual partitioning
request system snapshot slice alternate
# Make sure your current configuration is also saved as your rescue configuration
# Check KB15788 for details on configuration versions and rollback
request system configuration rescue save
# Save license, partition data and recovery config to the auto-recovery partition
# Check the release notes of JUNOS 11.2 for details on auto-recovery
request system autorecovery state save
• 432. SCRIPTING AND AUTOMATION
• 433. AUTOMATION WITH JUNOS SCRIPTS
Commit scripts
- Enable automated compliance checks & configuration changes
  e.g. reject guest VLAN tag configuration on access switch trunk ports (restrict guest access to a floor)
- Macros allow operators to simplify complex configurations and self-heal errors
  e.g. apply a pre-defined Data+VoIP port template on any switch port that gets a description matching a particular string "data-phone"
Operations scripts
- Allow custom output for diagnosis and event management
  e.g. combine 2 different show commands to get a custom output for better analysis
Event policies & scripts
- Automated pre-defined responses to events, creating self-monitoring networks
  e.g. when a switch's trunk port goes up & down, run "show interfaces" and "show alarms" in the CLI, parse the data, save it to a file and send this to a server
• 434. HOW TO INTEGRATE SCRIPTS?
Activation of commit scripts
- Copy the script to the /var/db/scripts/commit directory
- Enable the script by including a file statement at the [edit system scripts commit] hierarchy level (must be a user from the super-user class)
- The script is now executed every time you do a commit
- Useful to avoid typical errors (VPN without monitor, wrong MTU ...)
Activation of op scripts
- Copy the script to the /var/db/scripts/op directory
- Enable the script by including a file statement at the [edit system scripts op] hierarchy level (must be a user from the super-user class)
- Now you can run the script as a command (e.g. op status overview)
• 435. USEFUL LINKS FOR AUTOMATION
Useful how-to information is available from this scripting guide
- http://www.juniper.net/solutions/literature/white_papers/200252.pdf
Script library from Juniper
- http://JUNOS.juniper.net/scripts/
Script library on Google
- http://code.google.com/p/junoscriptorium/
• 436. SCRIPT LIBRARY: HTTPS://WWW.JUNIPER.NET/US/EN/COMMUNITY/JUNOS/SCRIPT-AUTOMATION/LIBRARY/
• 437. NICE FEATURES YOU WILL LIKE .....
• 438. HELP IS AVAILABLE FROM THE CLI, EVEN WITHOUT INTERNET
Help available from the CLI: help [ topic | reference | apropos ]
# Full description of certain configuration hierarchies
root> help reference security address-book
address-book
Syntax
address-book {
  address address-name (ip-prefix | dns-name dns-address-name);
  address-set address-set-name {
    address address-name;
  }
}
....
# Commands which include the word xyz
root> help apropos proxy-arp
...
# Help on certain topics
root> help topic snmp agent
...
• 439. WE HAVE FTP/SCP SERVERS ON BOARD
# Start the FTP server
set system services ftp
# Enable inbound ftp on the desired zone and/or interface
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ftp
And connect with your favourite FTP client
• 440. USEFUL EXTENSIONS FOR CONFIGURATION VERSIONING
Configuration comments, personal configuration files, load/save configuration files via FTP/HTTP
# Add a comment to a configuration commit
commit comment "Let us try this"
# List comments added during commit
show system commit
show | compare rollback ?
# Load via ftp or http
load merge ftp://user:password@host/filename
load merge http://user:password@host/filename
# Save via ftp or scp
show configuration | save ftp://user:password@host/filename
show configuration | save user@host:filename
# This will save/load configuration files in the home directory of the user
save mytestconfig.txt
load replace mytestconfig.txt
• 441. CONFIGURATION ROLLBACK
Automatic rollback if not confirmed within 5 minutes; rollback versions (by default you have 5 on SRX, up to 50 on EX); the "rescue" configuration
# Automatic rollback if not confirmed within 5 minutes
commit confirmed 5
# Commit at a desired time
commit at hh:mm:ss
# On SRX clusters rollback is only available if you entered "configure exclusive"
# Create a rescue configuration
request system configuration rescue save
# Manual rollback to rescue
rollback rescue
commit
# On J-Series press the reset button for more than 5 and less than 15 seconds
# to automatically load and commit the rescue configuration
rollback ?
show configuration | compare rollback <number>
• 442. SOFTWARE ROLLBACK
Since JUNOS 10.0, Branch SRX have a dual root partitioning scheme, which can hold a copy of the image and the configuration under /altroot and /altconfig
# After a software upgrade the new software is in the primary partition and the old
# software is in the backup (alternate) partition.
# You can check the current partition content with
show system snapshot media internal slice 1
# To switch the primary partition, so that the next reboot uses the other image, just execute
root@srx100-2> request system software rollback
junos-12.1R2.9-domestic will become active at next reboot
# To switch back to the previous partition just execute the same command once more
root@srx100-2> request system software rollback
junos-12.1R3.5-domestic will become active at next reboot
• 443. REAL-TIME PROBE AND MONITORING (RPM)
RPM can track server/application reachability and latencies over the network.
Results can be monitored from the CLI or via SNMP.
RPM events can also be used to trigger event scripts.
# Configure probes for owner THOMAS
# Example probe SERVER1 checks if the server responds to ping
edit services rpm probe THOMAS test SERVER1
set probe-type icmp-ping
set target address 172.30.80.1
set test-interval 10
top
# Example probe SERVER2 checks if the web server responds within 2000 msec
# (threshold rtt is given in microseconds)
edit services rpm probe THOMAS test SERVER2
set probe-type http-get
set target url http://172.30.81.70/index.html
set test-interval 10
set threshold rtt 2000000
top
show services rpm probe-results owner THOMAS test SERVER1
show snmp mib walk 1.3.6.1.4.1.2636.3.50
• 444. AUTO ARCHIVING CONFIGURATIONS
Transmit a copy of the current configuration file with every commit. You can use ftp, http, scp or a copy to a local file. It is also possible to run periodic archival.
[edit system archival configuration]
transfer-on-commit;
archive-sites {
  ftp://username@host:<port>url-path password password;
  http://username@host:<port>url-path password password;
  scp://username@host:<port>url-path password password;
  file://<path>/<filename>;
}
# The target file name is built like this:
<router-name>_juniper.conf[.gz]_YYYYMMDD_HHMMSS
# Periodic archival
set system archival configuration transfer-interval [interval]
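An added example (not Junos code, and run on the archive server rather than on the SRX) that parses the archived file names built as shown above and selects the files that fall outside a per-router retention limit. It assumes the name layout <router-name>_juniper.conf[.gz]_YYYYMMDD_HHMMSS and that the router name contains no "_juniper.conf" substring; the listing is constructed sample data.

```python
"""Parse and prune the files produced by [edit system archival configuration].

Added example (not Junos code). Assumes file names follow
<router-name>_juniper.conf[.gz]_YYYYMMDD_HHMMSS, as shown on the slide.
"""
import re
from collections import defaultdict
from datetime import datetime

ARCHIVE_NAME = re.compile(
    r"^(?P<router>.+?)_juniper\.conf(?P<gz>\.gz)?_(?P<stamp>\d{8}_\d{6})$"
)

# Constructed directory listing of an archive server (sample data, not real).
SAMPLE_LISTING = [
    "srx240-0_juniper.conf.gz_20121106_231500",
    "srx240-0_juniper.conf.gz_20121107_231500",
    "srx240-0_juniper.conf.gz_20121108_090212",
    "srx100-2_juniper.conf_20121108_120000",
    "README.txt",                            # foreign file, ignored
    "bad_juniper.conf.gz_20121399_000000",   # impossible month, ignored
]


def parse_archive_name(name):
    """Return (router, compressed, timestamp) or None for a foreign file."""
    m = ARCHIVE_NAME.match(name)
    if not m:
        return None
    try:
        stamp = datetime.strptime(m.group("stamp"), "%Y%m%d_%H%M%S")
    except ValueError:  # digits present but not a valid date/time
        return None
    return m.group("router"), m.group("gz") is not None, stamp


def newest_per_router(names):
    """Map each router name to its most recently archived file name."""
    newest = {}
    for name in names:
        parsed = parse_archive_name(name)
        if parsed is None:
            continue
        router, _, stamp = parsed
        if router not in newest or stamp > newest[router][0]:
            newest[router] = (stamp, name)
    return {router: name for router, (_, name) in newest.items()}


def expired_archives(names, keep):
    """Names to delete so that at most `keep` of the most recent files remain
    per router. Files whose name does not parse are never selected."""
    by_router = defaultdict(list)
    for name in names:
        parsed = parse_archive_name(name)
        if parsed is not None:
            by_router[parsed[0]].append((parsed[2], name))
    expired = []
    for entries in by_router.values():
        entries.sort()  # oldest first
        surplus = max(len(entries) - keep, 0)
        expired.extend(name for _, name in entries[:surplus])
    return sorted(expired)


if __name__ == "__main__":
    for router, name in newest_per_router(SAMPLE_LISTING).items():
        print(f"{router}: latest archive {name}")
    print("to delete (keep 2):", expired_archives(SAMPLE_LISTING, keep=2))
```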
• 445. MORE USEFUL STUFF .....
Network clients available on the CLI (route lookup starts in inet.0): telnet, ssh, ftp, scp, ping, traceroute, mtrace
Some clients can be used to pipe command output:
monitor traffic interface count 100 | ftp://172.16.1.1/capture.txt
DNS lookup and reverse lookup:
lab@SRX3600> show host 193.99.144.85
85.144.99.193.in-addr.arpa domain name pointer www.heise.de.
lab@SRX3600> show host www.heise.de
www.heise.de has address 193.99.144.85
CLI shortcuts
• CTRL-A takes you to the beginning of the command line
• CTRL-E takes you to the end of the command line
• CTRL-W deletes backwards to the previous space
• CTRL-U deletes the entire command line
• CTRL-L redraws the command line (in case it has been interrupted by messages, etc.)
• CTRL-R starts the CLI history search; start typing and matching results will be displayed and can be executed by simply pressing ENTER
• 446. MORE USEFUL STUFF .....

Replace a pattern in the whole configuration:
srx# replace pattern fe-0/0/7 with ge-0/0/7

What have you changed so far?
srx# set system host-name SRX
srx# show | compare
- host-name srx;
+ host-name SRX;

Configure exclusive (only you have access):
srx> configure exclusive
warning: uncommitted changes will be discarded on exit
Entering configuration mode
[edit]
srx#

Check if a commit is possible (but don't do it yet):
srx# commit check
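The output of "show | compare" is also the natural input for a change review before anyone types commit. The script below is an added example, not part of the original deck: it parses compare output that has been saved to a file and flags every change under a set of hierarchies where a second pair of eyes is worthwhile (login accounts, enabled services, policies, NAT, VPN). It assumes the usual Junos layout, where an "[edit <hierarchy>]" line introduces the hierarchy the following "+" and "-" lines belong to and nested blocks open with "{" and close with "}"; lines before any header, as in the slide's host-name example, are treated as top level. The sample diff and the list of sensitive hierarchies are constructed for the demonstration.

```python
"""Flag security-sensitive changes in Junos 'show | compare' output.

Added example (not Juniper's code). The set of hierarchies below is a
hypothetical review policy, not a Junos setting.
"""
import re
from collections import namedtuple

HEADER_RE = re.compile(r"^\[edit(?: (?P<path>.*))?\]$")

# Hierarchies whose changes should be reviewed before commit (hypothetical).
SENSITIVE_PREFIXES = (
    "system login",
    "system services",
    "system root-authentication",
    "security policies",
    "security zones",
    "security nat",
    "security ike",
    "security ipsec",
)

Change = namedtuple("Change", "hierarchy sign statement")


def parse_compare(text):
    """Return one Change per added/removed statement, with its full hierarchy."""
    changes = []
    header = []  # words from the last [edit ...] line; empty means top level
    stack = []   # blocks opened by changed lines below that header
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            header = (m.group("path") or "").split()
            stack = []
            continue
        if line[0] not in "+-":
            continue  # unchanged context or other output
        sign, statement = line[0], line[1:].strip()
        if statement == "}":
            if stack:
                stack.pop()
            continue
        hierarchy = " ".join(header + stack)
        if statement.endswith("{"):
            name = statement[:-1].strip()
            changes.append(Change(hierarchy, sign, name))
            stack.append(name)
            continue
        changes.append(Change(hierarchy, sign, statement.rstrip(";")))
    return changes


def matched_prefix(change):
    """The sensitive hierarchy this change falls under, or None."""
    full = f"{change.hierarchy} {change.statement}".strip()
    for prefix in SENSITIVE_PREFIXES:
        if full == prefix or full.startswith(prefix + " "):
            return prefix
    return None


def flagged_hierarchies(text):
    """Sorted, distinct sensitive hierarchies touched by the diff."""
    return sorted({matched_prefix(c) for c in parse_compare(text)} - {None})


# Constructed sample: a rename plus two changes a reviewer would want to see.
SAMPLE_DIFF = """\
[edit system]
-  host-name srx;
+  host-name SRX;
[edit system services]
+    telnet;
[edit security policies from-zone trust to-zone untrust]
+    policy allow-all {
+        match {
+            source-address any;
+            destination-address any;
+            application any;
+        }
+        then {
+            permit;
+        }
+    }
"""

if __name__ == "__main__":
    for change in parse_compare(SAMPLE_DIFF):
        tag = matched_prefix(change) or "-"
        print(f"{change.sign} [{change.hierarchy}] {change.statement}  <- {tag}")
    print("review needed for:", ", ".join(flagged_hierarchies(SAMPLE_DIFF)))
```

Save the diff with "show | compare | save /var/tmp/candidate.diff", copy it off the box and run the script on it; an empty result from flagged_hierarchies means nothing in the candidate touches the listed hierarchies, anything else names what to look at before commit.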
• 447. AND MORE ......

Add comments anywhere in the configuration:
srx# annotate security policies from-zone trust to-zone trust "this is an annotation"
srx# show security policies
/* this is an annotation */
from-zone trust to-zone trust {
    inactive: policy 1 {
    .....
# To remove the comment, redo the command with an empty string
annotate .... ""

Temporarily deactivate sections of the configuration:
# deactivate whatever you want, but still keep it in the configuration
deactivate protocols ospf

Generate your own events (good to combine with event scripts):
set event-options generate-event backup-config-event time-of-day 23:30:00
• 448. AND MORE .....

apply-groups:
set groups sonet interfaces <so-*> sonet-options rfc-2615
set apply-groups sonet

Copy a file from one cluster member to the other:
file copy /var/tmp/test node1:/var/tmp/sampled.test

Show configuration with details:
# Use this command to get explanations and range information for each parameter
show configuration | display detail

Login messages:
# To make a message appear before login
set system login message "\n Welcome \n to \n JUNOS Training\n "
# To make a message appear after successful authentication
set system login announcement "Maintenance scheduled 11PM to 2AM tonight"
• 449. AND MORE .....

Get a timestamp on the CLI every time you execute a command:
set cli timestamp
# To disable
set cli timestamp disable

Quick navigation in configure mode:
# If you used "edit" to change your current path in the navigation tree, you can still
# reach every leaf of the tree by using "top" at the beginning of the command.
# Tab completion works, and this "top" does not change your current position.
edit protocols ospf
top show interface ge-0/0/0
top set interface ge-0/0/0 unit 0 ...
• 450. FURTHER USEFUL INFORMATION
• 451. DOCUMENTATION AND ADDITIONAL SOURCES

Software Documentation for SRX and J-Series
http://www.juniper.net/techpubs/software/JUNOS/

Hardware Documentation for SRX and J-Series
http://www.juniper.net/techpubs/hardware/srx-series.html
http://www.juniper.net/techpubs/software/jseries/

The JUNOS Page
http://JUNOS.juniper.net/

JTAC Knowledgebase
http://kb.juniper.net/
SRX Channel: http://kb.juniper.net/index?page=content&cat=SRX_SERIES&channel=KB

User Forums
http://forums.juniper.net/jnet/
http://www.juniperforum.com/

Books
http://www.juniper.net/us/en/training/jnbooks/
• 452. SELF SERVICE TRAININGS

Training: Fasttrack Program (free materials)
http://www.juniper.net/training/fasttrack/

Training: Complete List of all Training and E-Learning Offers
http://www.juniper.net/us/en/training/technical_education/

Training: JUNOS as a Second Language
http://www.juniper.net/us/en/training/elearning/jsl.html

Training: Virtual Labs for Partners (hands-on if you have no hardware)
https://www.juniper.net/partners/partner_center/common/training/virtual_lab.jsp

Training: JTAC Webcasts for Partners
https://www.juniper.net/partners/partner_center/common/training/post_sales_webcasts.jsp

Discount Vouchers for Certifications
http://JUNOS.juniper.net/prometricvoucher/
• 453. VPN CONFIGURATION GENERATOR

Generator for VPN Configurations (route and policy based)
https://www.juniper.net/customers/support/configtools/vpnconfig.html
• 454. MIGRATION TOOLS

Convert Cisco or NetScreen configurations to JUNOS
https://migration-tools.juniper.net/tools/index.jsp