SRX JUMP STATION
Based on JUNOS Versions up to 12.1R3
last modified Nov 08 2012
Thomas Schmidt
Consulting Systems Engineer

2 Copyright © 2011 Juniper Networks, Inc. www.juniper.net
WHAT IS THIS PURPOSE OF THIS QUICK START ?
• This collection is for users who already have experience with ScreenOS firewalls and the
underlying concepts and now want to use JUNOS based SRX Firewalls
• This Collection assumes you have already some knowledge of JUNOS (there are free
trainings to help you) but need a guide to configure a complete system.
• This Collection is a guide to help you find the commands required for typical features and
tasks and give you brief, working examples.
• Navigation:
• Click on the in the right Top corner to get to the Jump Station Central
• Click on the Chapter Buttons to get to the desired chapters
• If you need more in depth information or more details of the underlying concepts consult the
documentation or participate in trainings.
• This collection can not replace full JUNOS documentation or trainings and can not cover all
parameters available with a certain feature.
Login

JUMP STATION CENTRAL
......LoginControll- &
Dataplane
Zones
CLI
MulticastSwitching
PPPoE
& DSL
...
AppFirewallAppSecure
Overview
AppDDOS
Routing
OSPF,BGP
IDP AppTrackLicenses
Flow & ALGPolicies Virtualize
VR + LSys
Screens &
Defense
Packet Flow
Admin User
Role & Auth
Inband or
Outband
SNMP &
RMON
Software
Upgrade
Netflow Space
IPv6
Boot loader
& Flash
Further
Information
Automation
& Scripting
Nice
Stuff
Logging &
Syslog
Trunk &
LAG
Docs &
Papers
UTM, Antivi
rus
NSM
…
DHCP DNS UAC
Enforcer
Time & NTP Port
Mirroring
NAT
Access list
Interfaces Link
Redundanc
Reset to
Factory Def.
Policy
based VPN
...VPNs with
Certificates
...VPN
Diagnostics
Route
based VPN
Dynamic
VPN
Monitor
Commands
Log files Debug
Flow
Packet
Capture
Debug
VPN
Interface
Monitoring
…
Cluster
Overview
Cluster
Interfaces
Basics
Network
Firewall
Manage, Log
,Monitor
AppFirewall
IDP and UTM
More..
Toolbox
VPN
Trouble-
shooting
High
Availability
Failover
Behavior
Cluster
States
Cluster
& NSM
Cluster
Setup
…
...
...
Transparent
Mode
UTM,
Webfilter
STRM
…
Class of
Service
...
…
…
...
...
...
...
…
…
…
...
…
…

JUNOS BASICS

DOCUMENTATION AND GUIDES

THE RIGHT PLACE FOR
SRX HARDWARE AND SOFTWARE DOCUMENTATION
Use the following Link

ADDITIONAL USEFUL INFORMATION SOURCES
Day One Booklets
http://www.juniper.net/us/en/community/junos/training-certification/day-one/
Feature Explorer and Content Explorer
http://pathfinder.juniper.net/feature-explorer/
http://www.juniper.net/techpubs/content-applications/content-explorer/
Feature Support Reference Guide
https://www.juniper.net/techpubs/en_US/junos12.1/information-products/pathway-pages/security/feature-support-
reference.html?chap-feature-support-tables.html
SRX Knowledgebase (Jump Station)
http://kb.juniper.net/KB15694
SRX Knowledgebase (Here a list of the latest SRX articles)
http://kb.juniper.net/index?page=content&cat=SRX_SERIES&channel=KB
SRX Application Notes
http://www.juniper.net/us/en/products-services/security/srx-series/#literature
JUNOS Network Configuration Examples
http://www.juniper.net/techpubs/en_US/junos/information-products/pathway-pages/nce/index.html
Juniper Forum
• Configuration Library http://forums.juniper.net/t5/Configuration-Library/bd-p/ConfigLib
• DayOne Tips http://forums.juniper.net/t5/Day-One-Tips-Contest/bd-p/DayOneContest

CONTROLPLANE AND DATAPLANE

JUNOS SOFTWARE FEATURES (1 OF 2)
JUNOS software for SRX-series services gateways includes the
following elements:
 JUNOS software as the base operating system
 Session-based forwarding
 Some ScreenOS-like security features
Packet-based features:
 Control plane OS
 Routing protocols
 Forwarding features:
 Per-packet stateless filters
 Policers
 CoS
 J-Web

JUNOS SOFTWARE FEATURES (2 OF 2)
Session-based features:
 Implements some ScreenOS features and functionality
through the use of new daemons
 First packet of flow triggers session creation based on:
 Source and destination IP address
 Source and destination port
 Protocol
 Session token
 Zone-based security features
 Packet on the incoming interface is associated with the incoming zone
 Packet on the outgoing interface is associated with the outgoing zone
 Core security features:
 Firewall, VPN, NAT, ALGs, IDP, and SCREEN options

CONTROL PLANE VERSUS DATA PLANE
Control Plane:
 Implemented on the Routing Engine
 JUNOS software kernel, daemons, chassis management, user
interface, routing protocols, system monitoring, clustering control
Data Plane:
 Implemented on the IOCs and SPCs
 Forwarding packets, session setup and maintenance,
load-balancing, security policy, screen options, IDP, VPN

LOGIN

LOGIN
Login in factory default state as user "root". Password is empty
Amnesiac (ttyd0)
login: root
********************************************************************
** Welcome to JUNOS: **
** **
** To run the console configuration wizard, please run the **
** command 'config-wizard' at the 'root%' prompt. **
** **
** To enter the JUNOS CLI, please run the command 'cli'. **
** **
********************************************************************
root@% cli
root>

LOGIN
Non root users are placed into the CLI automatically
The root user must start the CLI from the shell
Do not forget to exit root shell after logging out of the CLI!
Shell Prompt
CLI Prompt
switch (ttyu0)
login: user
Password:
--- JUNOS 9.1R2.10 built 2008-07-01 04:34:43 UTC
user@switch>
switch (ttyu0)
login: root
Password:
--- JUNOS 9.1R2.10 built 2008-07-01 04:34:43 UTC
root@switch% cli
root@switch>

CLI BASICS

CLI MODES
Shell - when you login as root
CLI - Operational Mode
CLI - Configuration mode:
user@switch> The > character identifies
operational mode
user@switch#
exit
user@switch>
user@switch> configure
[edit]
The # character identifies
configuration mode
root%
cli
root>
The % character identifies
Shell mode

CLI HIERARCHY
Execute commands (mainly) from the default CLI level (user@switch>)
 Can execute from configuration mode with the run command
 Hierarchy of commands
 Example: show spanning-tree interface
Less Specific
More Specificbridge mstp statistics
configuration
configure help monitor etc.
interface
dot1x
clear set show
spanning-tree version etc.

EMACS-style editing sequences are supported
A VT100 terminal type also supports the Arrow keys
user@switch> show interfaces
• Ctrl+b
• Ctrl+a
• Ctrl+f
• Ctrl+e
CLI EDITING
Cursor Position
Keyboard
Sequence

COMMAND AND VARIABLE COMPLETION
Spacebar completes a command
user@host> sh<space>ow i<space>
'i' is ambiguous.
Possible completions:
igmp Show Internet Group Management Protocol...
ike Show Internet Key Exchange information
interfaces Show interface information
ipsec Show IP Security information
isis Show Intermediate System-to-Intermediate...
user@host> show i
Use the Tab key to complete an assigned variable
[edit policy-options]
user@host# show policy-statement t<tab>his-is-my-policy
then accept;
[edit policy-options]
user@host#
Use Tab to complete
assigned variables
Enter a space to
complete a command

Type ? anywhere on the command line
user@host> ?
clear Clear information in the system
configure Manipulate software configuration information
file Perform file operations
help Provide help information
. . .
user@host> clear ?
arp Clear address resolution information
bfd Clear Bidirectional Forwarding Detection
information
bgp Clear Border Gateway Protocol information
firewall Clear firewall counters
. . .
CONTEXT-SENSITIVE HELP

SHOW CURRENT CONFIGURATION
root@J6350> show config | display set
set version 9.3R2.8
set system host-name J6350
set system root-authentication encrypted-password "$1$QOLKoFKc$D/rIuLTkLP1BX9/GjQ.yN."
set system name-server 172.30.80.65
set system login user lab uid 2000
set system login user lab class super-user
........
JUNOS Style
 ScreenOS Style
root@J6350> show config
## Last commit: 2009-03-18 10:27:20 UTC by lab
version 9.3R2.8;
system {
host-name Demo-081-111-J6350;
root-authentication {
encrypted-password "$1$QOLKoFKc$D/rIuLTkLP1BX9/GjQ.yN."; ## SECRET-DATA
}
name-server {
172.30.80.65;
}
login {
user lab {
uid 2000;
class super-user;
........

CONFIGURATION, CANDIDATE, COMMIT, ROLLBACK

COMMANDS IN CONFIGURATION MODE (1)

COMMANDS IN CONFIGURATION MODE (2)

COPY/PASTE CONFIGURATIONS
To paste and override the whole configuration
To paste and add pieces of configuration
To paste configuration written with "set" commands
SRX# load merge terminal <relative>
[Type ^D at a new line to end input]
system {
........
SRX# load replace terminal
system {
........
SRX# load set terminal <relative>
set system ….

CONTROL AND FORWARDING PLANE OF A JUNOS
ROUTER

NETWORK

INTERFACES

INTERFACE NUMBERING
Interfaces Names and Numbers
Wildcards - Many commands accept wildcards in ifnames
Interface name = <Interface Type>-<Slot>/<Module>/<Port>.<logical number>
All numbers start from 0
Example :
ge-0/1/2.3 - Gigabit Interface (Slot 0, Module 1, Port 2, Logical unit 3)
fe-0/1/2.3 - Fast Ethernet Interface
st0.0 - First Secure Tunnel Interface (VPN Tunnel)
lo0 - First loopback interface
For a list of Interface Types see
http://www.juniper.net/techpubs/software/JUNOS/JUNOS96/swconfig-network-
interfaces/frameset.html
show interfaces ge-0/0/*

SWITCHING

SWITCHING ON FIREWALLS ?
 Switching Features on the Firewall can help to simplify the network by
eliminating additional switches. This can be a commercial and
management advantage, especially in small branch offices.
 Switching is possible on Branch SRX Models (SRX100….SRX650)
and J-Series with UPIM Modules
 Switching is not available (and not needed) on High-End SRX
 Switching is done in Hardware. Full throughput can be
achieved, without consuming CPU-performance
 Since JUNOS 10.0 the smaller SRX (100...240) have Switching
enabled on all interfaces (except ge-0/0/0) in the Factory Default
configuration

SWITCHING
DEFAULT CONFIGURATION ON SRX210 WITH JUNOS 10.0
# An internal VLAN (vlan-trust) is defined to allow switching several interfaces
set vlans vlan-trust vlan-id 3
# A interface vlan unit 0 is assigned to this vlan as the Layer3 interface in this VLAN
set vlans vlan-trust l3-interface vlan.0
# This layer 3 interface can has an IP address that is reachable from all
# host on it's VLAN. In Branch deployments this is typically the gateway address.
set interfaces vlan unit 0 family inet address 192.168.1.1/24
# All physical interfaces - except ge-0/0/0 of the SRX210 are now assigned
# to a interface-range with the name interfaces-trust
set interfaces interface-range interfaces-trust member ge-0/0/1
set interfaces interface-range interfaces-trust member fe-0/0/2
# The interface-range is assigned to the VLAN vlan-trust
set interfaces interface-range interfaces-trust unit 0 family ethernet-switching vlan
members vlan-trust
# It's a firewall, so the interface is mapped to zone trust where all services are enabled
set security zones security-zone trust interfaces vlan.0
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all

SWITCHING
ANOTHER CONFIGURATION EXAMPLE
# Before you can add an interface to Switching you probably have to remove assignments.
# If there is an IP address assigned to the interface you have to remove it
delete interfaces fe-0/0/2 unit 0 family inet
# If the interface is member of an interface-group in use, you have to untie it
delete interfaces interface-range .... member fe-0/0/2
# You can specify a VLAN, which will be used for Switching
set vlans VLAN-100 vlan-id 100
# Configure Ethernet switching on the interfaces that are part of VLAN.
# Default for new switching interfaces is access mode (=untagged)
set interfaces fe-0/0/2 unit 0 family ethernet-switching
set interfaces fe-0/0/3 unit 0 family ethernet-switching
# Assign these interface to the desired VLAN
set vlans VLAN-100 interface fe-0/0/2.0
set vlans VLAN-100 interface fe-0/0/3.0
# Configure a VLAN interface with an IP for this VLAN
set interfaces vlan unit 100 family inet address 192.168.1.1/24
# Assign this VLAN interface as your Layer3 Interface on this VLAN
set vlans VLAN-100 l3-interface vlan.100
# It's a firewall, so the VLAN interface must also be in a zone
set security zones security-zone trust interfaces vlan.100
# Allow services on the VLAN interface if desired
set security zones security-zone trust interfaces vlan.100 host-inbound-traffic ....

SWITCHING
TROUBLESHOOTING COMMANDS
# show which vlans exist and which interfaces are assigned
show vlans [detail]
# history of MACs added and removed
show ethernet-switching mac-learning-log
# Current MAC Table
show ethernet-switching table
# Current MAC Table from a certain interface
show ethernet-switching table interface fe-0/0/2

ETHERNET SWITCHING ON BRANCH SRX
INTERFACES SUPPORTED
Platforms On-Board uPIM MPIM XPIM
J2320    
J2350    
J4350    
J6350    
SRX100    
SRX110    
SRX210   * 
SRX220   * 
SRX240   * 
SRX550   * **
SRX650    **
* Ethernet switching support is planned for future release for 1 Gigabit Ethernet SFP MPIM on the SRX210,SRX220,SRX240 and SRX550.
** As of JUNOS OS Release 12.1, Ethernet switching is not supported on 10G XPIM.

REMARKS
 Configuration Syntax for all supported features is exactly the same
as with the EX Switches. The Documentation Feature Support
Reference explains which Switching Features are supported
 There are some dependencies which Ports can be used for
switching (see Documentation )
 Before 11.1 Switching was only applicable for single units.
Commit in the Cluster was only possible, when all switching
configuration was removed. The assumption was, that HA cluster
Configurations are usually designed with external Switches
 Since 11.1 Switching is also supported on Branch SRX and can
even span the two Cluster members. This requires an additional
link between the two nodes.

ROUTING

STATIC ROUTES
CONFIGURATION
# Host Route
set routing-options static route 10.2.2.1/32 next-hop 10.1.1.254
# Network Route
# Default Route
# Route to an Interface
# Useful for Point-to-Point Interfaces like pppoe, vpn-tunnel, gre-tunnel
set routing-options static route 0.0.0.0/0 next-hop pp0.0
set routing-options static route 10.1.1.0/24 next-hop st0.0
# Route to another Virtual Router
set routing-options static route 10.0.0.100/32 next-table Logging.inet.0
# Example for a the Definition of the VR with name Logging referenced above
set routing-instances Logging instance-type virtual-router
set routing-instances Logging interface ge-0/0/7.0
# A network route to discard any traffic that did not hit a more specific route
# Black hole Routes could sometimes save performance for policy lookups or
# avoid rerouting in case of interfaces failures (example: VPN is down)
set routing-options static route 0.0.0.0/0 discard

STATIC ROUTES
ROUTE FAILOVER WITH IP-MONITORING
# Since 11.4 all Branch SRX support IP-Monitoring and automatic route failover
# Check out KB22052 for configuration details of an dual ISP connection with RPM for
# IP-Monitoring and Filter based Forwarding for load distribution
set services ip-monitoring policy Server-Tracking match rpm-probe Probe-Server
set services ip-monitoring policy Server-Tracking then preferred-route routing-
instances FBF-1 route 0.0.0.0/0 next-hop 2.2.2.2 ------> Installs route in the First
Routing Instance
set services ip-monitoring policy Server-Tracking1 match rpm-probe Probe-Server1
set services ip-monitoring policy Server-Tracking1 then preferred-route routing-
instances FBF-2 route 0.0.0.0/0 next-hop 1.1.1.1 ------> Installs route in Second
Routing Instance

STATIC ROUTES
MONITORING
# display Routing table
root@J2300> show route
inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[Static/5] 01:13:15
> to 172.16.42.1 via fe-0/0/0.0
10.2.2.0/24 *[Static/5] 00:00:05
> to 172.16.42.1 via fe-0/0/0.0
172.16.42.0/24 *[Direct/0] 01:13:15
> via fe-0/0/0.0
172.16.42.230/32 *[Local/0] 01:21:12
Local via fe-0/0/0.0
224.0.0.9/32 *[RIP/100] 01:21:37, metric 1
MultiRecv
# route lookup for a certain destination
root@J2300> show route 20.0.0.1
# routing table overview
root@J2300> show route summary
# Forwarding table (includes all active routes, visible for the data-plane)
root@J2300> show route forwarding-table

OSPF
CONFIGURATION
# enable OSPF on a interface
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0
# And permit ospf traffic to this zone
set security zones security-zone host-inbound-traffic protocols ospf
# Recommended: use loopback interface
set interfaces lo0 unit 0 family inet address 192.168.1.2/32
set protocols ospf area 0.0.0.0 interface lo0.0 passive
# Option: specify your own Router-id
set routing-options router-id 192.168.1.2
# to get direct interface routes announced you can add them to OSPF in passive mode
set protocols ospf area 0.0.0.0 interface vlan.100 passive
# Option: Negotiate graceful restart
set routing-options graceful-restart
# On SRX Clusters for RG0 failover, you might have to extend OSPF Timers to survive
# a dead interval of 5-20 seconds and also use the following setting:
set protocols ospf graceful-restart no-strict-lsa-checking

RIP
CONFIGURATION
# RIP requires a group, all interface are attached to this group
set protocols rip group RIP ge-0/0/0.0
set protocols rip group RIP ge-0/0/1.0
# And permit rip traffic to the zones of these interfaces
set security zones security-zone TRUST host-inbound-traffic protocols rip
# You can add IPSEC Tunnel-Interfaces with relaxed RIP-Update-Timers
# You can even work with Tunnel-Interfaces with Next-Hop-Tunnel-Binding (NHTB)
set protocols rip group RIP neighbour st0.0 interface-type p2mp
set protocols rip group RIP neighbour st0.0 dynamic-peers
set interface st0 unit 0 multipoint
# Option: Negotiate graceful restart
set routing-options graceful-restart
# Import Routes to the RIP group via policy-options filter
set policy-options policy-statement FILTER term a from route-filter 1.2.3.0/24 exact
set policy-options policy-statement FILTER term a then accept
set policy-options policy-statement FILTER term drop then reject
set protocols rip group RIP export FILTER

OSPF
MONITORING
# See Neighbors and State
root> show ospf neighbour
Address Interface State ID Pri Dead
10.222.2.2 ge-0/0/11.0 Full 192.168.36.1 128 36
# Link State Database
root> show ospf database

OSPF IMPORT/EXPORT FILTER (POLICY-OPTIONS)
# OSPF default is to import everything (into RT) and export routes only from interfaces
# that are (active) members of the same OSPF area
# For export of all other routes or to filter inbound routes you need Routing Policy
# Filters
# Example Filter to export all local static and all direct routes
set policy-options policy-statement ALL-LOCAL
set term 1 from protocol direct
set term 1 then accept
set term 2 from protocol static
set term 2 then accept
top
set protocols ospf export ALL-LOCAL
# Example Filter to export only a certain route (which must exist on the routing table)
set policy-options policy-statement JUST-ONE
set term 1 from route-filter 172.10.0.0/16 exact
set term 1 then metric 10 accept
top
set protocols ospf export JUST-ONE

# Example Configuration With Two AS
# Permit BGP traffic on the zone or interface(s) where you reach your peer(s)
set security zones security-zone trust host-inbound-traffic protocols bgp
# Recommended: use loopback interface
set interfaces lo0 unit 0 family inet address 1.1.1.2/32
# Specify your own AS and your Router-ID
set routing-options autonomous-system 1234
set router-id 1.1.1.2
# Specify Peer(s)
set protocols bgp group UPSTREAM
set local-address 1.1.1.2
set peer-as 64005
set local-as 64006
set neighbor 1.1.1.1 export BGP-EXPORT-POLICY
top
# A Policy how to export the routes
set policy-options policy-statement BGP-EXPORT-POLICY from protocol direct
set policy-options policy-statement BGP-EXPORT-POLICY then accept
# Option: Set static routes that do not redistribute
set routing-options static route 1.1.2.0/24 no-readvertise
# Option: Specify how to aggregate routes
set routing-options aggregate 1.1.1.1/20 [policy ... ]
BGP
CONFIGURATION

BGP
MONITORING
show bgp neighbour
show bgp summary
show route summary
# Which routes did we receive from a neighbour
show route receive-protocol bgp <peer-ip>
# Which routes do we send to a neighbour
show route advertising-protocol bgp <peer-ip>

IS-IS
CONFIGURATION
set interfaces ge-0/0/1 unit 0 family iso
set interfaces ge-0/0/2 unit 0 family iso
set interfaces lo0 unit 0 family iso address 49.0002.0002.0002.00
set protocols isis interface ge-0/0/1.0
set protocols isis interface ge-0/0/2.0
set protocols isis interface lo0.0 passive

TUNNEL INTERFACES

TUNNEL INTERFACES :
GRE - GENERIC ROUTING ENCAPSULATION
# Typical Use cases for GRE Tunnels are
# - OSPF over GRE with non-Juniper Routers
# - Multicast over GRE with non-Juniper Routers
set interfaces gr-0/0/0 unit 0 tunnel source 10.0.0.1
set interfaces gr-0/0/0 unit 0 tunnel destination 10.0.0.2
set interfaces gr-0/0/0 unit 0 family inet address 10.1.0.1/3
set protocols ospf area 0.0.0.0 interface gr-0/0/0.0
set security zones security-zone vpn host-inbound-traffic protocols ospf
set security zones security-zone vpn interfaces gr-0/0/0.0
# MTU Adjustments might be necessary because GRE Default MTU is ~ 9000
# When Fragementation happens in a GRE Tunnel there are two options for reassembly
# a) use IDP Inspection on the traffic leaving the tunnel
# b) since JUNOS 11.2 you can apply the following command
"set security flow force-ip-reassembly

TUNNEL INTERFACES:
LOGICAL TUNNEL
# Logical Tunnel can be used like a physical wire between two interfaces of an SRX
# Typical use cases are:
# - forwarding between VR in packet mode and VR in flow mode
# - forwarding between VR to apply two policies to one session
# - Intra-Lsys Traffic (all Lsys have one Tunnel to Lsys0)
# Logical Tunnel Interfaces
set interfaces lt-0/0/0 unit 0 encapsulation ethernet
set interfaces lt-0/0/0 unit 0 peer-unit 1
set interfaces lt-0/0/0 unit 0 family inet
set interfaces lt-0/0/0 unit 1 family inet
# and now use them between two VRs
set routing-instances r1 interface lt-0/0/0.0
set routing-instances r2 interface lt-0/0/0.1

TUNNEL INTERFACES:
IP OVER IP
# This Example is used to forward all IPv6 traffic encapsulated in IPv4 to 10.19.3.1
set interfaces ip-0/0/0 unit 0 tunnel source 10.19.2.1
set interfaces ip-0/0/0 unit 0 tunnel destination 10.19.3.1
set interfaces ip-0/0/0 unit 0 family inet6 address 7019::1/126
set routing-options rib inet6.0 static route ::0/0 next-hop ip-0/0/0

MULTICAST

IPV4 MULTICAST CONFIGURATION (1)
# IGMP to allow Receivers to join/leave a group,
# Version1 had join only and 3 min timeout
# Version2 (Default) allows Receiver join and leave
# Version3 allows to join and select Source-IP of Sender selection
set protocols igmp interface reth2.0 version 3
# Enable PIM to communicate with Multicast Routers in the Distribution Tree
set protocols pim interface reth1.0
# Finding the Rendezvous Point
# Option 1: Static Rendezvous point on an other Router
set protocols pim rp static address 192.168.1.1
# Option 2: we are Rendezvous Point by yourself - in this case loopback int. is best pract.
set interface lo0.0 <IP-for-RP>
set protocols pim rp local address <IP-for-RP>
# Other Options supported for RP selection: Anycast, Bootstrap, Auto-RP
# Best Practice for Multicast Routing: PIM Dense Mode with Anycast RP
# Check Technote: Multicast Implementation Guide

IPV4 MULTICAST CONFIGURATION (2)
# Allow igmp on all interfaces where we expect receivers to join
set security zones security-zone A interfaces reth1.0 host-inbound-traffic protocols igmp
set security zones security-zone B interfaces reth2.0 host-inbound-traffic protocols igmp
# Allow PIM on all interfaces where we expect distribution Routers
set security zones security-zone A interfaces reth1.0 host-inbound-traffic protocols pim
set security zones security-zone B interfaces reth2.0 host-inbound-traffic protocols pim
# All interfaces can also be in a custom VR
# IGMP Configuration is not in VR context
set protocols igmp interface reth20.0 version 3
set routing-instances VR-MCAST instance-type virtual-router
edit routing-instances VR-MCAST
set interface vlan.3
set protocols igmp interface vlan.20
set protocols pim rp local address 10.0.42.110
set protocols pim interface vlan.10
top

IPV4 MULTICAST TROUBLESHOOTING
# Monitoring
show pim bootstrap [instance VR]
show pim interfaces [instance VR]
show pim join [instance VR]
show pim mdt [instance VR]
show pim neighbors [instance VR]
show pim rps [instance VR]
show pim source [instance VR]
show pim statistics [instance VR]
show igmp interface
show igmp output-group
show igmp statistics
show multicast route
show multicast rpf
# tcpdump to watch PIM and IGMP Packets
monitor traffic interface vlan.10 no-resolve detail size 1500 matching "pim || igmp"
# DEBUGGING
set protocols pim traceoptions file trace-pim
set protocols pim traceoptions flag all
set protocols igmp traceoptions file trace-igmp
set protocols igmp traceoptions flag all
# PIM to IGMP Proxy
show multicast pim-to-igmp-proxy

IPV4 MULTICAST FURTHER INFORMATION
# Best Practice for Multicast Routing: PIM Dense Mode with Anycast RP
# Check Technote: Multicast Implementation Guide
# IGMP-Proxy is not available, but pim-to-igmp-proxy is available
set pim-to-igmp-proxy upstream-interface ge-0/1/0.1
# Important Hint for Multicast on SRX-Cluster:
# Disable IGMP-Snooping on the surrounding switches to avoid outages after failover
# Multicast Configuration Overview and Examples
http://www.juniper.net/techpubs/en_US/junos12.1/information-products/pathway-pages/config-
guide-multicast/config-guide-multicast.html#configuration
# Dense Mode and Debugging Example
http://kb.juniper.net/InfoCenter/index?page=content&id=KB24781
# Multicast Implementation Guide (EX and MX)
http://kb.juniper.net/library/CUSTOMERSERVICE/technotes/8010062-001-EN.pdf

IPV6

IPV6
CURRENT STATE (12.1)
IPv6 firewalling
- works in route mode with the following Features:
- Policy/Zones/Flow/Fragment/HA/ [ FTP/TFTP/DNS ALG]/FW Auth
- in Active/Passive Clusters since 10.0
- in Active/Active Clusters since 11.2
- IDP on Ipv6 in route mode since 11.4
- works in transparent mode with the following features since 11.4r3
Policy/Zones/Flow/Fragment/HA/ [ FTP/TFTP/DNS ALG]/FW Auth/Vlan Retagging/SNMP
For more Details on IPv6 Feature Support in JUNOS 12.1 check this Documentation
http://www.juniper.net/techpubs/en_US/junos12.1/topics/reference/general/security-feature-ipv6-support.html

IPV6 DHCPV6 SERVER
# DHCP-Server for Prefix Delegation is available on High-end-SRX
# Example below offers prefix delegation only (no exact IP assignment)
edit system services dhcp-local-server dhcpv6
set overrides interface-client-limit 100
set group GROUP1 interface ge-0/0/0.0
top
edit access address-assignment pool TRUSTv6 family inet6
set prefix fd27:9816:dca8:1::/48
set range RANGE1 prefix-length 64
top
# For exact IP assignment and DHCP Server assignment use these statements
edit access address-assignment pool TRUSTv6 family inet6
set dhcp-attributes dns-server ....
set dhcp-attributes options ....
set range RANGE1 high ...
set range RANGE1 low ...
top

IPV6
DIAGNOSTICS
show interface terse
# it will then shows two IPv6 IPs for each interface
# 2001:........ = global address
# fe80:x:x:x = link local address
#
show route <table inet6.0>
show ipv6 neighbours
show ipv6 router-advertisement
# Interface Traffic monitor - filtered to IPv6 only
monitor traffic interface ge-0/0/0.0 matching ip6 size 200 detail
# ping, we use the same ping for ipv4 and ipv6
ping 2001:638:c:a057::1
# force ping with IPv6
ping inet6 www.heise.de
# traceroute, same command as for IPv4
traceroute 2001:db8:0:6:202:b300:2215:595 source 2001:db8::5
# Monitoring session table
show security flow session summary family [inet|inet6]

IPV6
DYNAMIC ROUTING WITH RIPNG
# Enable RIP Listener on the following interfaces
edit protocols ripng
edit group NEIGHBORS
set neighbour ge-0/0/0.0
set neighbour ge-0/0/1.0
set neighbour fe-0/0/2.0
set neighbour fe-0/0/3.0
top
# If you want to export routes you need a route filter
edit policy-options policy-statement RIPNG-EXPORT
set term RIPNG from protocol ripng
set term RIPNG then accept
set term DIRECT from protocol direct
set term DIRECT from route-filter 2001:DB8::/32 orlonger
set term DIRECT then accept
top
# The Route Filter must be applied to the RIPNG Group
set protocols ripng group NEIGHBORS export RIPNG-EXPORT
# Monitoring
show route receive-protocol ripng
show route advertising-protocol ripng
show route protocol ripng

IPV6
DYNAMIC ROUTING WITH OSPFV3
# Introduction of a loopback Interface is best practice when using Routing protocols
set interface lo0 unit 0 family inet address 10.0.0.210/32
# Specifying the router-id (as IPv4) is also recommended
set routing-options router-id 10.0.0.210
# Enable OSPF Listener on the following interfaces
edit protocols ospf3
set area 0 interface lo0.0 passive
set area 0 interface ge-0/0/0.0
set area 0 interface ge-0/0/1.0
set area 0 interface fe-0/0/2.0
set area 0 interface fe-0/0/3.0
top
# Monitoring Commands
show ospf3 neighbour
show ospf3 overview
show ospf3 route
show ospf3 statistics

IPV6
IMPROVED SECURITY
# Off-link malicious IPv6 nodes may spoof Neighbor Discovery messages to poison
# the routers ND cache. To mitigate, use
set protocols neighbor-discovery onlink-subnet-only
# reload after commit is suggested to clear out any bogus neighbor entries in the cache

VLAN TRUNKING AND
LINK AGGREGATION

VLAN TRUNKS

VLAN TRUNKS
NOTES AND LIMITATIONS
 There are two possible approaches to configure a VLAN trunks on SRX
 As part of the "Switching" Configuration (family ethernet-switching)
 As part of the "Routing" Configuration (family inet)
 "Switching" Configuration
 Allows Switching between all interfaces that are part of a VLAN. The
member interfaces can be tagged and/or untagged
 Supported only on Branch SRX
 Not supported on redundant interfaces of a cluster
 "Routing" Configuration
 Allows to create a sub interface and use it for routing
 Supported on all SRX Platforms
 Supported also in cluster mode (can be applied to reth Interfaces)
 Supported also on aggregate interfaces

VLAN TRUNK
CONFIGURATION EXAMPLE FAMILY "INET"
# Enable VLAN-Tagging on a physical interface
set interfaces ge-0/0/0 vlan-tagging
# Now we can create two sub interfaces on this physical interface
# Best practice: use vlan-id also for the unit number
set interfaces ge-0/0/0 unit 11 vlan-id 11
set interfaces ge-0/0/0 unit 11 family inet address 10.0.11.1/24
set interfaces ge-0/0/0 unit 12 vlan-id 12
# The different interface can be in different VLANs
set security zone security-zone zone11 interface ge-0/0/0.11
set security zone security-zone zone12 interface ge-0/0/0.12

VLAN TRUNK
CONFIGURATION EXAMPLE FAMILY "SWITCHING"
# Define all Vlans you want to participate in
set vlans VLAN-80 vlan-id 80
# For Trunk Ports which have multiple VLANs use the following Syntax
set interfaces xe-0/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces xe-0/0/0 unit 0 family ethernet-switching vlan members all
# For Access Ports which are untagged but mapped to a certain VLAN
# use the following syntax
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members <name>
# To create a RVI (routed virtual interface) to have an IP on a VLAN
set interface vlan unit 80 family inet address 80.0.0.1/24
# And assign this interface to the VLAN
set vlans VLAN-80 l3-interface vlan.80

LINK AGGREGATION
AND LACP

LINK AGGREGATION ON BRANCH SRX
 Standalone Units:
 Link Aggregation is possible by configuration of AE interfaces
 AE interfaces are supported with family ethernet-switching since JUNOS 9.5
 AE interfaces are supported with family inet since JUNOS 10.1r2
 LACP on AE interfaces with family switching is supported since JUNOS 9.5
 LACP on AE interfaces with family inet are supported since JUNOS 10.2r2
 Chassis Clusters (Redundant Interfaces)
 Redundant Interfaces (as required in Clusters to failover) can have Aggregate Interfaces as
members since JUNOS 10.3r2
 Switching across Members of an HA Cluster is available since 11.2 - this requires an
additional link between the two Branch SRX
 Chassis Cluster (Private Interfaces)
 Private Interfaces - that are only active on one Cluster member - are possible in Clusters
 Private Interfaces still can be aggregate interfaces (local LAG)
 Private Interfaces can not have member interfaces from both Chassis at the same time
A configuration with member interfaces from different chassis might commit but it is not
supported

LINK AGGREGATION ON DATACENTER SRX
 Standalone Units
 Link Aggregation is possible by configuration of AE interfaces
 Aggregated Ethernet Interfaces are supported since JUNOS 10.0
 Aggregate Ethernet Interfaces can be used with family inet only
 LACP support is available on High-End SRX, since JUNOS 10.2r3
 Chassis Clusters (Redundant Interfaces)
 AE can not be used in Chassis Cluster for redundant interfaces but since JUNOS 10.1 there
is another configuration available for link aggregation in chassis clusters.
 This configuration can even span cluster members. Only interfaces on the active link will be
used to receive and transmit data.
 Check Admin Guide for these "Redundant Ethernet Interface Link Aggregation Groups".
 Chassis Clusters (Private Interfaces)
 Private Interfaces - that are only active on one Cluster member - are possible in Clusters
 Private Interfaces still can be aggregate interfaces (local LAG)
 Private Interfaces can not have member interfaces from both Chassis at the same time
A configuration with member interfaces from different chassis might commit but it is not
supported

LINK AGGREGATION ON A SINGLE UNIT
 Configuration Example for a Aggregate Ethernet Interface
# Set number of Aggregated Interfaces on this device/chassis
set chassis aggregated-devices ethernet device-count <number>
# Configure AE interfaces (ae0,ae1….)
# On High-End SRX AE can be members of family inet
# On Branch SRX AE can be members of family inet and family ethernet-switching
set interfaces <aex> unit 0 family inet address <ip address>
# Associate physical ethernet interfaces to the AE
set interfaces <interface-name> gigether-options 802.3ad <aex>
# Minimum number of Links required for this aggregate to be UP
set interfaces <aex> aggregated-ether-options minimum-links <n>
# LACP configuration (today only supported on Branch SRX)
set interfaces <aex> aggregated-ether-options lacp passive

LINK AGGREGATION ON A CHASSIS CLUSTER
 Configuration Example for a Redundant Ethernet Interface
# On High End SRX LAG support starts with 10.1r2, LACP starts with 10.2r3
# On some Branch SRX LAG support starts with 10.3r2, LACP also starts with 10.3r2
# Documentation: "Chassis Cluster Redundant Ethernet Interface Link Aggregation Groups"
set interfaces ge-1/0/1 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options minimum-links 3
# From the Network Point of view, these are two independent Aggregate Interfaces.
# Only the interfaces on the active node are used for transmission
# Further LACP Configuration can be added to the reth Interface now
set interfaces reth1 redundant-ether-options lacp periodic fast
set interfaces reth1 redundant-ether-options lacp passive
set interfaces reth1 redundant-ether-options lacp active

LINK AGGREGATION ON DATACENTER SRX
Extend lacpd to Support RETHs with JUNOS 10.2
 Hitless RG failover for transit
traffic
 Handle active/standby LAGs
independently and simultaneously
 Support: A reth is connected to
two switches
 Support: A reth is connected to
one single switch
 At remote side: Active LAG and
standby LAG each shall be
terminated at an AE or equivalent
(same as 10.1)
Cluster 1
reth0
RLAG
Active LAG
SRX 5600
HA
Node 1
SRX 5600
HA
Node 0
standby LAG
Switch / Router
ae0
Switch / Router
ae1

LINK REDUNDANCY

IP MONITORING & FAILOVER WITH RPM
# Since 11.4r2 Branch SRX allows to use RPM to monitor reachability of a destination
# and in response of PASS or FAIL failover route or interface
# Configure Probes for user PING-PROBE
# Example probe SERVER1 checks if server responds to ping
edit services rpm probe PING-PROBE test SERVER1
set probe-type icmp-ping
set target address 192.168.42.1
set probe-count 5
set probe-interval 5
set thresholds successive-loss 5
set test-interval 10
top
edit services ip-monitoring policy FAILOVER-Policy
set match rpm-probe PING-PROBE
# admin state of a back-up interface can be enabled if the RPM fails on the primary
# If the normal condition is restored the backup-interface is disabled again
set then interface ge-0/0/1/0 enable
top
# Monitoring of the ip-monitoring feature
show services ip-monitoring status

BLACKHOLE FORWARDING DETECTION
# Black hole Forwarding Detection, Available in OSPF/BGP
# Useful for link availability tests with aggressive timing (failover within 300msec)
# Detect OSPF Link Failure after 3x500msec
edit protocols ospf area 0.0.0.0 interface ge-0/0/0.0
set bfd-liveness-detection minimum-interval 500;
set bfd-liveness-detection multiplier 3;
set bfd-liveness-detection full-neighbors-only;
top
# Detect BGP Link Failure
set protocols bgp bfd-liveness-detection
set minimum-interval 800
set multiplier 3
set transmit-interval minimum-interval 150
set transmit-interval threshold 500
set detection-time threshold 200
set holddown-interval 5
top

FLOW LOAD BALANCING WITH
EQUAL COST MULTIPATH ROUTING
# ECMP for Flows is supported on SRX since JUNOS 12.1
# Add multiple routes to the same destination
set static route 26.0.0.0/8 next-hop 23.0.54.111
# Usually only one of these routes would show up in the forwarding table.
# We need a Policy Statement to enable per packet load-balancing.
# On SRX this statement enforces in reality per flow balancing
set policy-statement LBP then load-balance per-packet
# And we must apply this policy to the forwarding-table
set forwarding-table export LBP
# Forwarding table shows several routes to the same destination
user@host> show route forwarding-table
Routing table: default.inet
Internet:
Destination Type RtRef Next hop Type Index NhRef Netif
...
26.0.0.0/8 user 0 23.0.54.111 rslv 0 1 ge-0/0/4.0
26.0.0.0/8 user 0 24.0.44.101 rslv 0 1 ge-0/0/6.0
26.0.0.0/8 user 0 25.0.44.106 rslv 0 1 ge-0/0/7.0
# Finally we might influence the balancing algorithm (L3 = IP only, L4, TCP+UDP too)
set forwarding-options hash-key family inet layer-3
set forwarding-options hash-key family inet layer-3

VRRP
CONFIGURATION
# VRRP allows to failover an Interface between two devices - which are not a cluster
# Typical use case: Primary and backup Internet access device (each with it's own WAN link)
# Remember that VRRP Cluster does not sync sessions - all session must be reestablished
# VRRP - node0
edit interfaces fe-0/0/7 unit 0 family inet address 192.168.0.101/24 vrrp-group 150
set virtual-address 192.168.0.150
set priority 100
set no-preempt
set authentication-type md5
set authentication-key secret
top
# VRRP - node 1
set interfaces fe-0/0/7 unit 0 family inet address 192.168.0.102/24 vrrp-group 150
set virtual-address 192.168.0.150
set priority 110
set no-preempt
set authentication-type md5
set authentication-key secret
top
# VRRP Troubleshooting
run show vrrp summary
run show vrrp interface fe-0/0/7

TRANSPARENT MODE

TRANSPARENT MODE OR BRIDGE MODE
 Transparent/Bridge Mode on Datacenter SRX
 Transparent Mode in A/P Clusters is supported since JUNOS 9.6
 Transparent Mode in A/A Clusters is supported since JUNOS 10.0
 Interface can either be in trunk mode or in access mode
 VLAN Retagging is possible, and requires a per interface statement
 Link Aggregation on reth Interfaces in Transparent Mode is supported since 11.4r1
 IDP is supported in A/P since 11.2
 Transparent/Bridge Mode on Branch SRX
 Transparent Mode in A/P Clusters is supported since JUNOS 11.2
 Interfaces can only be in access mode
 Management access requires definiton of an IRB Interface as member of one bridge-domain
 Today (12.1) a firewall can either be in pure Layer 2 mode or Layer 3 routed mode, no mix
 During a Cluster Failover the physical links on the inactive machine will get bumped (L1 down for some seconds and
then up again) to clear CAM tables on the attached Switches.
 A number of Features are not available/supported in Transparent Mode (12.1)
 NAT, IPSEC VPN, GRE, Lsys, VR for IRB, L3/L4 classification for QoS (but 802.1q)

TRANSPARENT MODE / BRIDGE MODE
EXAMPLE1: TWO UNTAGGED INTERFACES
# A bridge domain is used to assign which interface share a MAC-Table
set bridge-domains BD1 domain-type bridge
set bridge-domains BD1 vlan-id 10
set bridge-domains BD1 domain-type bridge interface fe-0/0/0.0
set bridge-domains BD1 domain-type bridge interface fe-0/0/1.0
# This example uses 2 untagged interfaces
set interfaces ge-0/0/0 unit 0 family bridge interface-mode access
set interfaces ge-0/0/0 unit 0 family bridge vlan-id 10
# Reuse Zones trust and untrust
set security zones security-zone trust host-inbound-traffic system-services ssh
# Bind Interface to the Zone
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/1.0
# For Management access, you must attach an irb Interface a bridge domain
set interfaces irb unit 0 family inet address 1.1.1.0/24
set bridge-domains BD1 routing-interface irb.0

EXAMPLE2: MIXED TAGGED AND UNTAGGED INTERF.
# A bridge domain is used to assign which interface share a MAC-Table
set bridge-domains BD1 domain-type bridge
set bridge-domains BD1 vlan-id X (could be set to “none”)
set bridge-domains BD1 domain-type bridge interface xe-1/0/0
set bridge-domains BD1 domain-type bridge interface xe-2/0/0
# Example for Trunk Mode Interface (on Datacenter SRX)
set interfaces ge-0/0/10 vlan-tagging
set interfaces ge-0/0/10 native-vlan-id 10
set interfaces ge-0/0/10 unit 0 family bridge interface-mode trunk
set interfaces ge-0/0/10 unit 0 family bridge vlan-id-list 40-50
# Untagged traffic on Trunk Mode Interface is mapped to native VLAN
# Example for a Interface in Access Mode
# create a layer2 zone and define Permitted System Services
set security zones security-zone layer2 host-inbound-traffic system-services ssh
# Bind Interface to the Zone
set security zones security-zone layer2 interfaces ge-0/0/10.0
# For Management access, you must attach an irb Interface a bridge domain
set interfaces irb unit 0 family inet address 1.1.1.0/24
set bridge-domains BD1 routing-interface irb.0

HINTS AND MONITORING
# By default, family bridge allows forwarding for IPv4-unicasts and L2 broadcasts
# The following statement should allows other traffic too (CDP, STP, …)
# IPv6 forwarding in transparent mode is currently planned for 11.4r4 (DC-SRX only)
set security flow bridge bypass-non-ip-unicast
# Full Documentation for Transparent Mode
https://www.juniper.net/techpubs/en_US/junos12.1/information-products/pathway-
pages/security/security-layer2-bridging-transparent-mode.html#configuration
show bridge-domains
show protocols l2-learning

FIREWALL

PACKET FLOW

SECURITY SERVICES PACKET WALK
1) Pull packet from queue
2) Police packet
3) Filter packet
4) Session lookup
5a) No existing session
• FW screen check
• Static and destination NAT
• Route lookup
• Destination zone lookup
• Policy lookup
• Reverse static and source NAT
• Setup ALG vector
• Install session
5b) Established session
• FW screen check
• TCP checks
• NAT translation
• ALG processing
6) Filter packet
7) Shape packet
8) Transmit packet
Per
Packet
Filter
Per
Packet
Policer
Per
Packet
Shaper
Per
Packet
Filter
JUNOS Flow Module
Forwarding
Lookup
Dest
NAT
Route Zones Policy
Reverse
Static
NAT
Services SessionScreens
Static
NAT
Source
NAT
Match
Session?
NO YES
Screens TCP NAT Services
YES

SECURITY SERVICES PACKET WALK
JUNOS Flow Module
Dest
NAT
Route Zones Policy
Reverse
Static
NAT
Services SessionScreens
Static
NAT
Source
NAT
Match
Session?
NO YES
Screens TCP NAT Services
YES
Services ALG Module
AppID
(packet)
IDP
(packet)
SSL
Proxy
AppID
(stream)
IDP
(stream)
ALG UTM AppFW UserFW

ZONES

ZONES AND INTERFACES
# Zone Names are useful to map existing segmentation
# Typical zone names are derived from areas with same trust level (trust/untrust) or
# from department names (development, productions ...)
# Interface will not forward any traffic until they are assigned to a zone
# Each interface can only be mapped to one zone
# All interfaces in the same zone must be mapped to the same VR
# Assign IPv4 IP to an interface
# Create custom zones
set security zones security-zone DEVELOPMENT
set security zones security-zone VPN
# Assign Interface to zone
set security zones security-zone VPN interfaces st0.0

OBJECTS & POLICIES

OBJECT AND POLICIES OVERVIEW
Current State and Changes over Time
• Global Policies and Address Objects are available since JUNOS 11.4
• Logging:
To enable Logging for permit Rules use "set then log session-close"
To enable Logging for deny/reject Rules use "set then log session-init"
• Counting:
Counting with "per time statistics" can be activated per policy (number of policies is limited)
Since JUNOS 12.1 there is a hit counter tracked by default for every policy
• Description
Since JUNOS 12.1 Policies can have a description
• Nested Groups (Groups of Groups) are supported since JUNOS 11.2
Before 11.2 NSM could be used to create nested groups (
• DNS Resolution
DNS names can be resolved either at object creation time or frequently during usage
• Wildcard Mask
Bitmasks for Address Objects are supported since JUNOS 11.1
• Ranges
Address Ranges are not available in JUNOS today (12.1)
• Negation
Negated Address Objects are not available in JUNOS today (12.1)

ADDRESS OBJECTS AND GROUPS (JUNOS <11.2)
set security zones security-zone trust address-book address NET10 10.1.1.0/24
set security zones security-zone trust address-book address HOST10 10.1.1.1/32
# We can also use DNS names, there are two ways
edit security zones security-zone trust address-book
# Resolve the Address once at commit time
set address JUNIPER-FIX www.juniper.net
# Resolve dynamically when policy is used (cached for 24 hours)
set address JUNIPER-DNS dns-name www.juniper.net
top
# Groups of Addresses are referenced as address sets
set security zones security-zone trust address-book address-set ALL10
set address NET10
set HOST10
top
# JUNOS >=11.1 also supports wildcard address masks with non-contiguous bitmasks
# for IPv4. The first octets of the mask must be greater than 128
set security zones security-zone trust address-book address SERVER4 10.0.0.4/255.0.0.255

ADDRESS OBJECTS AND GROUPS (JUNOS >=11.2)
# Since JUNOS 11.2 Address Book entries can either use the old stanza
set security zones security-zone trust address-book address NET10 10.1.1.0/24
# Or it is possible to create ALL Objects as zone independent address book entries
set security address-book global address NET10 10.1.1.0/24
# JUNOS Op Scripts exist to convert from old to new format and back
https://www.juniper.net/us/en/community/junos/script-automation/library/
# If both formats are used in one file, the configuration can not be committed
# NSM supports global policies with Version 2012.1
# Space Security Design supports global policies since Version 12.1
# J-Web supports global address objects and global policies since 11.4

SERVICE OBJECTS
# Create Custom Service Objects
# Default TCP Timeout is 1800 sec.
# Default Timeout for other protocols is 60sec.
set applications application my-ssh protocol tcp
set applications application my-ssh destination-port 22
set applications application my-ssh inactivity-timeout 3600
set applications application my-ssh term ssh protocol tcp
set applications application my-ssh term ssh destination-port 22
set applications application my-ssh term ssh inactivity-timeout 3600
# A number of Service definitions is already built-in - starting with junos-xxxx
# To see them you can use the following command
show configuration groups junos-defaults applications
or
top show groups junos-defaults | match application | match junos
# They also appear when you use Tab completion during writing policies
set security policies from-zone trust to-zone untrust policy X match application ?

ZONE BASED FIREWALL POLICIES (1)
# Create a new Policy with the name "FIRST".
edit security policies from-zone untrust to-zone trust policy FIRST
set match source-address any
set match destination-address any
set match application any
set then permit
# Since JUNOS 12.1 you can add a description for this policy
set description "First Policy created here"
top
# Insert a second policy "NEW"
edit security policies from-zone untrust to-zone trust policy NEW
set match destination-address NET10
set then permit
top
# New Policies are always added at the end
# To move the "NEW" policy before the "FIRST" policy
insert security policies from-zone untrust to-zone trust policy NEW before policy FIRST

ZONE BASED FIREWALL POLICIES (2)
# By default all traffic, that is not permitted by policy is denied (without logging)
# There is a command to change this - Recommended only for testing !!
set security policies default-policy permit-all
# Policy Actions can be permit/deny/reject.
# deny means silent drop, reject create response packets to the initiator
# for UDP traffic “icmp port unreachable”
# for TCP traffic “TCP RST”
# Monitor commands
show security policies
show security flow session
#Policy lookup is available on CLI and in Web-UI since JUNOS 10.3
show security match-policies ....

GLOBAL FIREWALL POLICIES
# Beginning with JUNOS 11.4 Policies can be specified as global policies
# These Policies must always reference global address objects
# Policy Lookup Order is:
# a) zone-to-zone
# b) global
# c) default policy
# NSM can not manage global policies and objects
# For JUNOS Space global policy support is currently planned for Release 12.1
set security address-book global address SERVER1 1.1.1.1
set security address-book global address SERVER2 2.2.2.2
set security policies global policy GP1 match source-address SERVER1
set security policies global policy GP1 match destination-address SERVER2
set security policies global policy GP1 match application junos-ftp
set security policies global policy GP1 then deny
set security policies global policy GP2 match source-address SERVER1
set security policies global policy GP2 match destination-address SERVER2
set security policies global policy GP2 match application any
set security policies global policy GP2 then permit
# Count per zone and global policies
show security policies zone-context

GLOBAL POLICIES
Global policies take lower precedence than zone-specific
policies. If a matching zone-based policy is found, the global
policies are not evaluated
…
Zone-specific Policies
Policy N
…
Global Policies
Policy M
Ordered
Lookup
Ordered
Lookup
Policy1
Policy 1No match
Global Policy lookup
Zone Policy
Lookup
from-zone to-zone context

FIREWALL POLICY
MONITORING AND USAGE TRACKING (1/2)
# Counting can be enabled on a limited number of policies. Counting includes
# Input/Output Bytes & Packets, Session rate, Active & Deleted sessions, Policy lookups
edit security policies from-zone trust to-zone untrust policy pol-01
set then count
top
# To monitor the policy counters use
run security policies from-zone show trust to-zone untrust policy-name pol-01 detail
# Alerts can be enabled per policy to generate alerts if usage exceeds thresholds
set then count alarm per-minute-threshold 1000
set then count alarm per-second-threshold 50
top
# To monitor the policy alerts use
run show security alerts

FIREWALL POLICY
MONITORING AND USAGE TRACKING (2/2)
# Security Policy Overview (Hidden until 12.1)
show security policies information
# Since JUNOS 10.3 there is Security Policy Lookup to predict policy decision
# The query goes directly to the forwarding plane for evaluation
show security match-policies ....
# Until 11.4 Usage statistics are only available, if counting is enabled (see prev page)
show security policies detail
# JUNOS 12.1 introduces usage tracking of Firewall Policies independent from counter
# Counter since the last reboot/failover can be retrieved with the following command
srx210> show security policies hit-count from-zone untrust ascending
from-zone to-zone policy hit-count
untrust trust pol-1 10

FIREWALL POLICY SCHEDULERS
(A.K.A. TIME BASED POLICIES)
# Create a Scheduler to activate a policy every working day from 9-12 and 13-20
set schedulers scheduler "SCHEDULER1" daily start-time 09:00 stop-time 12:00
set schedulers scheduler "SCHEDULER1" daily start-time 13:00 stop-time 20:00
set schedulers scheduler "SCHEDULER1" sunday exclude
# Create a new Policy with the name "FIRST" and apply the scheduler definition "SCHEDULER1"
edit security policies from-zone untrust to-zone trust policy FIRST
set match destination-address any
set then permit
set scheduler SCHEDULER1
top
# Monitoring
show schedulers
show security policies detail

FIREWALL WEB AUTHENTICATION
# Firewall Authentcation can Intercept Web Session (redriect) and enforce user authentication first
# before allowing traffic (any protocol) to be passed by the firewall. This is like an "unlock" door.
# Add an additional IP to an existing interface, that is used for WebAuth, HTTP to this Interface
# gives you a login page
set interface vlan unit 0 family inet address 192.168.1.210/24 web-authentication http
# Specify a Profile with 2 local Users
set access profile TESTPROFILE client TESTUSER1 firewall-user password netscreen
set access profile TESTPROFILE client TESTUSER2 firewall-user password netscreen
# and use this profile as default for firewall auth (inline in telnet, http, ftp connection) and webauth
set access firewall-authentication pass-through default-profile TESTPROFILE
set access firewall-authentication web-authentication default-profile TESTPROFILE
# A policy specifies for which Source/Destination Web Auth is required.
# Once Addresses have matched, Authentication is required, no Fall through to other rules.
set security zones security-zone untrust address-book address PROTECTED 172.16.42.1/32
edit security policies from-zone trust to-zone untrust policy WEB-AUTH
set match destination-address PROTECTED
set then permit firewall-authentication access-profile TESTPROFILE
set then permit firewall-authentication pass-through web-redirect
up
insert policy WEB-AUTH before policy trust-to-untrust
top
show security firewall-authentication users
show security firewall-authentication history

REMATCH FOR POLICY CHANGES
# To enable Policy rematching when policy changes are made use the following command
# By Default Policy Rematch is disabled
set security policies policy-rematch
Action on Policy Description
Rematch Flag
Enable Disable (default)
Delete Policy is deleted All existing
sessions are
dropped
All existing
sessions are
dropped
Insert New policy is
inserted
N/A N/A
Modify the action Action field of
policy is modified
from permit to deny
or reject, or vice
versa
All existing
sessions are
dropped
All existing
sessions continue
Modify address Source or
destination
address field of
policy match is
modified
Policy lookup will
be re-evaluated
All existing
sessions continue
Modify application Application field of
policy match is
modified
Policy lookup will
be re-evaluated
All existing
sessions continue

REMATCH FOR POLICY CHANGES
WITH USER IDENTITY BASED FIREWALL
The user/role info is re-retrieved from UI module again for rematch

FLOW & ALG

# Flow Configuration changes default behavior for a number of topics that influence
# session creation/teardown/modification.
# Examples are SYN Checking, Sequence Number Checking, Fragmentation, MSS Patching,
# Session Aging
# Example: Make sure TCP packets going through VPN tunnels avoid fragmentation
set security flow tcp-mss ipsec-vpn mss 1420
# Example: Avoid TCP Split Handshake Attacks by more strict SYN checking
set security flow tcp-session strict-syn-check
FLOW

# ALGs exist for the several protocols. When enabled they either help to open firewall
# pinholes (FTP), assist in NAT for inband protocol data (VOIP) or check for protocol
# violation (DNS). See next pages for a Table of ALGs and their functions
# Most ALGs are enabled per default. To check which ALGs are there and enabled use
show security alg status
# To disable an ALG either disable ALG completly
set security alg msrpc disable
# or use custom service with the application service disabled
set applications application TEST application-protocol ignore
# Knowlegebase Articles have good hints on monitoring and troubleshooting
# or changing behaviour of each ALG. Check the Knowledgebase if you have
# trouble with any of the protocols where ALGs are active and disabling ALG
# does not solve your problem. Example KB entries:
SQL: KB21550
MSRPC : KB23730 and KB18346
ALG

BASIC ALGS
ALG Firewall Pinholes NAT Protocol
Checking
DNS ✔ ✔ format, length
FTP ✔ ✔ ✔ command
TFTP ✔ ✔
SQL ✔ ✔ ✔ format
Sun RPC ✔ ✔ ✔ format
MS RPC ✔ ✔ ✔ format
RSH ✔ ✔ ✔ format
PPTP ✔ ✔ ✔ format
Talk ✔ ✔ ✔ format
IKE-NAT ✔ ✔ ✔ format

VOIP/STREAMING ALGS
ALG Firewall Pinholes NAT Protocol
Checking
SIP ✔ ✔ ✔
H.323 ✔ ✔ ✔
MGCP ✔ ✔ ✔
SCCP ✔ ✔ ✔
RTSP ✔ ✔ ✔

SCREENS & DEFENSE

WHAT ARE SCREENS ?
Screens are Filters for Attacks on Layer3/4 (Scans, Floods, IP
Option Anomalies, TCP/IP Anomalies, DOS Attacks)
Screens are applied before Routing Lookup and Policy decision
Screens are in many cases implemented in Hardware
Screens can be enabled with Logging only

SCREENS
Descriptions of each of the Screen Parameter are here
# Configure all Screen Options in a Named Profile
edit security screen ids-option MY-SCREEN-PROFILE
# Best Practice; Start using Screens with Alarm only, but Dropping disabled.
set alarm-without-drop
set icmp ping-death
set ip source-route-option
set ip tear-drop
set tcp syn-flood alarm-threshold 1024
set tcp syn-flood attack-threshold 200
set tcp syn-flood source-threshold 1024
set tcp syn-flood destination-threshold 2048
set tcp syn-flood queue-size 2000
set tcp syn-flood timeout 20
set tcp land
set limit-session destination-ip-based 50
top
# Finally apply the Profile to the Zones which need protection
set security zones security-zone untrust screen MY-SCREEN-PROFILE
show security screen statistics zone untrust
show security screen statistics interface ge-0/0/0

SCREENS FOR FLOOD PROTECTION
# Session Limits for Source and Destination IP
set security screen ids-option FLOOD limit-session source-ip-based 10000
set security screen ids-option FLOOD limit-session destination-ip-based 10000
# ICMP AND UDP FLOOD PROTECTION (threshold is in packets/sec)
set security screen ids-option FLOOD icmp flood threshold 10000
set security screen ids-option FLOOD udp flood threshold 20000
# TCP SYN Flood Protection, SYN-Cookie has better Performance than SYN-Proxy
set security flow syn-flood-protection-mode syn-cookie
edit security screen ids-option FLOOD tcp syn-flood
# Start using Cookie when we hit more than 20 SYNs/sec
set attack-threshold 20
set alarm-threshold 10000
# If we get more than these SYNs per second from a Source-IP we start dropping
set source-threshold 1024
# If we get more than these SYNs per to the same Destination-IP we start dropping
set destination-threshold 100000
# Time before we start dropping half-open connections from the queue
set timeout 5
top
# Finally apply the Screen Profile Definitions to the zone(s) where the flood arrives
set security zones security-zone untrust screen FLOOD
# Monitoring
show security screen statistics zone trust
show interfaces ge-0/0/1.0 extensive | match Syn

WHITE LISTS FOR SYN COOKIE & SYN PROXY
# JUNOS 12.1 will introduce White lists for SYN Cookie and SYN Proxy
# The SYN Protection Screens can be active, but certain sources or
# destinations can be excluded from this protection.
# White lists can included up to 32 IPv4 and IPv6 source and/or destination addresses
# Typical Use case: exclude Proxies as Sources, excluded monitored Servers as Destination
root@raticate# set security screen ids-option FLOOD tcp syn-flood WHITE-LIST ipv4 ?
<[Enter]> Execute this command
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
+ destination-address Destination IP based
+ source-address Source IP based

FLOOD PROTECTION FOR THE SRX SESSION TABLE
# In a Flood Situation, there is still a risk that the session table is filled up
# completely and new sessions can't be established any more
#
# A Self Defense Strategy of the SRX for a flood situation is "aggressive aging"
# to start removal of sessions which have not been used for x seconds before session
# table gets filled up completely
#
# This overrides the default session timeouts, but might be better
# than a overcrowded session table
# Set levels (percent of max session nr) when aggressive aging starts and when it stops
set security flow aging high-watermark 80 low-watermark 60
# Idle time in seconds after which sessions can be purged
set security flow aging early-ageout 30
# Monitoring: If the Thresholds are reached, there are logs for
# FLOW_HIGH_WATERMARK_TRIGGERED and FLOW_LOW_WATERMARK_TRIGGERED

FIREWALL USAGE ALARMS
# Create Alerts if Errors exceeds thresholds
edit security alarms potential-violation
set authentication 10
set decryption-failures threshold 100
set encryption-failures threshold 100
set ike-phase1-failures threshold 100
set ike-phase2-failures threshold 100
set replay-attacks threshold 100
set security-log-percent-full 90
top
# Create Alerts if firewall total policy usage exceeds thresholds
edit security alarms potential-violation policy
set application size 10240
set source-ip threshold 1000 duration 20
set destination-ip threshold 1000 duration 10
set policy-match threshold 100 size 100
top
# Create Alerts if individual firewall policy usage exceeds thresholds
set then count alarm per-minute-threshold 1000
set then count alarm per-second-threshold 50
top
# Monitoring
show security alarms

WHERE ARE SCREENS IMPLEMENTED ?
# Screens that are implemented on the NPU
block-frag, fin-no-ack, icmpfragment, icmp-id, icmp-large, ipbad-option, ip-filter-
src, ip-loosesrc-route, ip-record-route, ipsecurity-opt, ip-stream-opt, ipstrict-src-
route, ip-timestamp-opt, land, ping-death, syn-fin, syn-frag, tcp-no-flag, unknown-
protocol, winnuke, icmp-flood, udp-flood, syn-flood destination-threshold / source-
threshold
# Screens that are implemented on the SPU
teardrop, ipspoofing, syn-ackack-proxy, syn-flood (syncookie/synproxy),
# Screens that are implemented on the CP
limit-session, portscan, ip-sweep, syn-flood (syncookie/syn-proxy)

NAT

NAT
BASIC INFORMATION
•Since JUNOS 9.5 NAT uses a separate policy (a.k.a. NAT-ng)
•The Hierarchy for this is under "set security nat ...."
•Older JUNOS Documentation and OJSE Training Materials might still mention
the previous method (policy based NAT)
•Destination NAT often requires additional Proxy-ARP rules
•Limitations in the number of NAT rules did exist, but finally even the last (8
rules for destination NAT) disappeared with 10.2.
See http://kb.juniper.net/KB14149
•We have a good Application Note on NAT

121
SCREENOS NAT FEATURES AND JUNOS COUNTERPART
For Details and Examples see the Application Note
"Juniper Networks SRX Series and J Series NAT for ScreenOS Users"

122
NAT
CONFIGURATION INCLUDES 3 FLAVORS
Source NAT
 Interface based NAT
 Pool based NAT- with and without port translation
 IP address shifting
Destination NAT
 Destination IP and/or port number translation
 IP address shifting
Static NAT
 Bi-directional
 No port translation supported
 dst-xlate for packets to the host
 src-xlate for packets initiated from the host

123
NAT
PROCESSING ORDER
Static & Destination NAT are performed before security policies are
applied
Reverse Static & Source NAT are performed after security policies
are applied
Accordingly, policies always refer to the actual address of the
endpoints

NAT
ADDRESS POOL CONFIGURATION
Address pools can be
 Single IP address
 Range of addresses
 Range of ports
 Interface (source NAT only)
 No port translation
Overflow pools
 Configured as a fall back
 Requires pools with no port
translation
[edit security nat source]
root# show
pool src-nat-pool1 {
address {
192.0.0.10/32 to 192.0.0.24/32;
}
}
address {
192.0.0.100/32 to 192.0.0.249/32;
}
port no-translation;
overflow-pool interface;
}
address {
192.0.0.25/32;
}
}
address {
192.0.0.50/32 to 192.0.0.59/32;
}
port range 5000 to 6000;

SOURCE NAT
TWO EXAMPLES
INTERNET
10.1.1.0/24
10.1.2.0/24
ge-0/0/0
ge-0/0/1
UNTRUSTTRUST
192.1.1.0/24
}
rule-set nat-internet {
from zone trust;
to zone untrust;
rule rule1 {
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
}
then {
source-nat interface
}
}
from zone trust;
to zone untrust;
rule rule1 {
match {
}
then {
source-nat pool src-nat-pool1
}

SOURCE NAT
EXAMPLE WITH MULTIPLE RULES
INTERNET
10.1.1.0/24
192.1.1.0/24
ge-0/0/0
ge-0/0/1
UNTRUSTTRUST
10.1.2.0/24
172.1.1.0/24
rule rule2 {
match {
}
then {
source-nat pool src-nat-pool2;
}
}
rule rule3 {
match {
}
then {
source-nat off;
}
}
}
from zone trust;
to zone untrust;
rule rule1 {
match {
source-address [ 10.1.1.0/24 10.1.2.0/24 ];
}
then {
source-nat pool src-nat-pool1;
}
}

DESTINATION NAT
EXAMPLE FOR MANY-TO-MANY
INTERNET
10.1.1.0/24
192.1.1.100/24
ge-0/0/0
ge-0/0/1
UNTRUSTTRUST
10.1.2.0/24
192.1.1.200/24
dnat-pool-1:
1:1.1.1.100/80->192.168.1.100/80
dnat-pool-2:
1.1.1.101/80->192.168.1.200/8000
[edit security nat destination]
root# show
pool dnat-pool-1 {
address 192.168.1.100/32;
}
pool dnat-pool-2 {
address 192.168.1.200/32 port 8000;
}
rule-set dst-nat {
from zone untrust;
rule rule1 {
match {
}
then {
destination-nat pool dnat-pool-1;
}
}
rule rule2 {
match {
}
then {
}
}
}

DESTINATION NAT
EXAMPLE FOR ONE-TO-MANY
INTERNET
10.1.1.0/24
192.1.1.100/24
ge-0/0/0
ge-0/0/1
UNTRUSTTRUST
10.1.2.0/24
192.1.1.200/24
dnat-pool-1
1.1.1.100/80->192.168.1.100/80
dnat-pool-2
1.1.1.100/8000->192.168.1.200/8000
root# show
pool dnat-pool-1 {
address 192.168.1.100/32;
}
pool dnat-pool-2 {
address 192.168.1.200/32 port 8000;
}
rule-set dst-nat {
from zone untrust;
rule rule1 {
match {
destination-port 80;
}
then {
}
}
rule rule2 {
match {
destination-port 8000;
}
then {
}

STATIC NAT
Provides one-to-one mapping of hosts or subnets
Bi-directional NAT
 dst-xlate for packets to the host
 src-xlate for packets initiated from the host
INTERNET
10.1.1.0/24
ge-0/0/0
ge-0/0/1
UNTRUSTTRUST
10.1.2.0/24
192.1.1.200/24
[edit security nat]
root# show static
rule-set static-nat {
from zone untrust;
rule rule1 {
match {
}
then {
static-nat prefix 192.168.1.200/32;
}
}

PROXY-ARP
Source NAT
 Proxy-ARP required for all source IP pool addresses in the same subnet as egress
interface –ge-0/0/0
 For source pools not in the same subnet as egress interface IP, route to the IP pool
subnet with the SRX device as next-hop is required on the upstream router
Destination/Static NAT
 Proxy-ARP required for all IP pool addresses in the same subnet as ingress
interface –ge-0/0/0
 For static and destination NAT pools not in the same subnet as egress interface IP,
route to the IP pool subnet with the SRX device as next-hop is required on the
upstream router
Configuration command
 set security nat proxy-arp interface <if_name> address <ip_prefix>
INTERNET
10.1.1.0/24
10.1.2.0/24
ge-0/0/0
ge-0/0/1
1.1.1.1/24

DOUBLE NAT- SOURCE AND DESTINATION NAT
192.168.1.3/24
UNTRUSTTRUST
10.1.1.100/24
root# show
pool src-pool-1 {
address {
1.1.1.10/32 to 1.1.1.14/32;
}
}
rule-set src-rs1 {
from zone trust;
to zone untrust;
rule r1 {
match {
}
then {
source-nat pool src-pool-1;
}
}
root# show
pool dst-src-pool-1 {
address 10.1.1.100/32;
}
rule-set dst-rs1 {
from zone trust;
rule rule1 {
match {
}
then {
destination-nat pool dst-src-pool-1;
}
}
}
192.168.1.3->1.1.1.100
1.1.1.10-> 10.1.1.100

132
NAT
MONITORING AND TROUBLESHOOTING
# NAT session can be identified from the session table
show security flow session
# Static NAT:
show security nat static rule <all|rule-name>
# Source NAT:
show security nat source summary
show security nat source pool <pool-name>
show security nat source rule <rule-name>
show security nat source persistent-nat-table <all|summary|....>
# Destination NAT:
show security nat destination summary
show security nat destination pool <pool-name>
show security nat destination rule <rule-name>
show security nat interface-nat-ports
# Incoming NAT:
show security nat incoming-table
# ARP table
show arp no-resolve
# Tracing (output is written to file defined under security->flow-> traceoptions)
set security nat traceoptions flag all

VIRTUALIZATION

VIRTUALIZATION
BUILDING BLOCKS AND CONCEPTS
 SRX Firewalls offer several building blocks and concepts to achieve virtualization
 Zone based Separation: No traffic can get from one zone to another if there is no policy
 Virtual Routers based Separation: avoid any traffic leakage between different instances
(usecase: managed service for customers with overlapping address space).
 Logical Systems : for complete administrative isolation. Create virtual firewalls with individual
administrators and protected resources per firewall (memory, cpu, objects ...)
 Virtual SRX: Virtual Machine for installation on a Hypervisor (Vmware, KVM)
Zones only Zones and
Virtual Routers
Logical Systems Virtual
SRX
separate traffic of
different instances
yes yes yes yes
separate routing
decisions per
instance
no yes yes (with VRs) yes
allow different
administrators per
instance
no no yes yes
protect resources per
instance
no no partial yes
more than 32
instances
no no max 32 instance per
firewall
yes

ZONE-BASED SEPARATION
Pepsi
Coke
Untrust
Zone
Coke
User
Pepsi
User
Pepsi
Zone
Coke
Zone
• Simple design
• High scale (no additional overhead)
• No overlapping IP addresses
• Little to no user-based admin

VR-BASED SEPARATION
• More complex design
• High scale (little additional overhead)
• Overlapping IP addresses supported
• Routing protocols per VR give additional flexibility
• Little to no user-based admin
Pepsi
Coke
Coke
User
Pepsi
User
Coke VR
Pepsi VR
Coke
Untrust
Zone
Coke
Trust
Zone
Pepsi
Untrust
Zone
Pepsi
Trust
Zone

Pepsi LSYS
Coke LSYS
LSYS-BASED SEPARATION
• Complex design
• Lower scale (possible additional overhead)
• Overlapping IP addresses supported
• Routing protocols per VR give additional flexibility (and
introduce performance caveats)
• User-based admin supported
Pepsi
Coke
Coke
User
Pepsi
User
Coke VR
Pepsi VR
Coke
Untrust
Zone
Coke
Trust
Zone
Pepsi
Untrust
Zone
Pepsi
Trust
Zone

VIRTUALIZATION:
VIRTUAL ROUTERS

DIFFERENCE IN OWNERSHIP HIERARCHY
Virtual
Router
Zone
Interface
IP Address
ScreenOS
Routing
Instance
Interface
IP
Address
JUNOS
Zone
Interface
Virtual router
split from zones
in JUNOS

EXAMPLE WITH 2 INDEPENDANT VR
Red-VR
Blue-VR
red-untrustred-trust
blue-trust blue-untrust

Create a Virtual Router and bind interface to this VR
VIRTUAL ROUTERS - SIMPLE EXAMPLE
# Assign Interface IPs like usual
set interface fe-0/0/6 unit 0 family inet address 1.0.0.1/24
# Create the Virtual Router, assign two physical and a loopback interface
set routing-instances red-vr instance-type virtual-router
set routing-instances red-vr interface fe-0/0/6.0
set routing-instances red-vr interface fe-0/0/7.0
set routing-instances red-vr interface lo0.0
# Also tie all interfaces to security zones
set security zone security-zone red-untrust interface fe-0/0/6.0
set security zone security-zone red-trust interface fe-0/0/7.0
# Optional, set a static route in this vr
set routing-instances red-vr routing-options static route 4.0.0.0/24 next-hop 1.0.0.2
# Optional: You can set static routes to get from one VR to another
# If you need to exchange dynamic routes you will need RIB Groups
set routing-instances red-vr routing-options static route 5.0.0.0/24 next-table blue-
vr.inet.0

EXAMPLE WITH 3 CUSTOM AND ONE SHARED VR
Red-VR
Blue-VR
Green-VR
Inet.0VR
untrust
red-trust
blue-trust
green-trust

Create a Virtual Router and bind interface to this VR
VIRTUAL ROUTERS
ROUTER DEFINITION
# Assign Interface IPs like usual
# Create the Virtual Router, assign one physical interface
set routing-instances RED-VR instance-type virtual-router
set routing-instances RED-VR interface fe-0/0/5.0
set routing-instances BLUE-VR instance-type virtual-router
set routing-instances BLUE-VR interface fe-0/0/6.0
set routing-instances GREEN-VR instance-type virtual-router
set routing-instances GREEN-VR interface fe-0/0/7.0

VIRTUAL ROUTERS
SECURITY ZONES
 Interface binding to zones is defined independent from the VR
BUT all interfaces in the same zone must be bound to same VR
# Create Zones and assign interfaces
set security zones security-zone red-trust
set security zones security-zone red-trust interfaces fe-0/0/5.0
set security zones security-zone blue-trust
set security zones security-zone blue-trust interfaces fe-0/0/6.0
set security zones security-zone green-trust
set security zones security-zone green-trust interfaces fe-0/0/7.0
# If desired enable management
set security zones security-zone red-trust host-inbound-traffic system-services all
set security zones security-zone red-trust host-inbound-traffic protocols all
set security zones security-zone blue-trust host-inbound-traffic system-services all
set security zones security-zone blue-trust host-inbound-traffic protocols all
# Add policies to permit traffic
edit security policies from-zone red-trust to-zone untrust
set policy outbound1 match source-address any
set policy outbound1 match destination-address any
set policy outbound1 match application any
set policy outbound1 then permit
set policy outbound1 then log session-close session-init
exit
top

VIRTUAL ROUTERS
EXCHANGING ROUTES BETWEEN VIRTUAL ROUTERS
# To set a route from one VR to another just use the instance name as next-table
edit routing-instances BLUE-VR
set routing-options static route 10.0.0.0/8 next-table RED-VR.inet.0
top
# To redistribute Routes that exist in one VR into another use Filters
edit policy-options policy-statement SUMMARY-RED
set term ACCEPT from instance RED-VR
set term ACCEPT from route-filter 10.0.0.0/8 exact
set term ACCEPT then tag 5000
set term ACCEPT then accept
top
set routing-instances BLUE-VR routing-options instance-import SUMMARY-RED

RIB Groups (RIB=Routing Information Base) are useful if you want to
share static and dynamic routes between multiple VRs
VIRTUAL ROUTERS
RIB-GROUPS
# Create a rib-group
set routing-options static rib-group test-rib
# Routes imported into the rib-group are distributed to the rib
set routing-options rib-groups test-rib import-rib inet.0
set routing-options rib-groups test-rib import-rib RED-VR.inet.0
# set routing-options rib-groups test-rib import-rib BLUE-VR.inet.0
# set routing-options rib-groups test-rib import-rib GREEN-VR.inet.0
# Only one rib can be used to export (primary-rib by default)
set routing-options rib-groups test-rib export-rib inet.0
# Optional: publish interface routes to the RIB
set routing-instances RED-VR routing-options interface-routes rib-group inet test-rib
set routing-instances BLUE-VR routing-options interface-routes rib-group inet test-rib
set routing-instances GREEN-VR routing-options interface-routes rib-group inet test-rib

Filters can be applied to drop unwanted routes
VIRTUAL ROUTERS
RIB-GROUPS, FILTER
# Create a policy statement
edit policy-options policy-statement into-red
set term reject-to-red from family inet protocol ospf
set term reject-to-red to rib red-vr.inet.0
set term reject-to-red then reject
top
# Apply Policy to filter routes from the rib-groups export-rib to the member ribs
set routing-options rib-groups test-rib import-policy into-red

VIRTUAL ROUTERS
 RIB Group is useful to share Routes between multiple VRs
 Before JUNOS 10.4 IPSEC VPN Interfaces could only be terminated in
zones, which are assigned to inet.0 (see KB 12866)
 For self initiated management traffic (e.g.. syslog, traps ..) route lookup
starts in the default VR (inet.0)
 Interfaces that are not explicitly members of any custom VR are
members of inet.0
 DHCP Server and DHCP Relay inside a VR will require JUNOS 10.4r5
or higher
 Static routes from VR1 to VR2 and at the same time from VR2 to VR1
will not commit (potential loop). You have to introduce a third VR as
additional hop for one direction.

VIRTUALIZATION:
LOGICAL SYSTEMS

LOGICAL SYSTEMS
 Root System (=physical firewall) is always there. Root Admin can
 create new Lsys
 create user admin(s) for the Lsys
 create and assign Lsys Profiles
 create and assign logical interfaces to Lsys
 configure the interconnect Lsys0
 Lsys0 has a special role as the interconnect Lsys
 all traffic between User Lsys and Rootsys goes through Lsys0
 for this purpose Lsys0 has a lt-Interface to each Lsys and Rootsys
 Lsys1..32 are the user logical systems itself
 Each user logical system can have
 a number of zones, interfaces and 0, 1 or more Virtual Routers
 exactly one interface to the Interconnect Lsys0 (lt0.x)
 one or more users to configure routing and security inside the Lsys

EXAMPLE SETUP
# Example Setup
Root System with
- shared Internet Uplink
- separate VR vrf-root
Interconnect Lsys0 with
-seperate vr-ic
- lt interfaces to each root and lsys
Two Custom Lsys with
-private interfaces and zones
- lt Interfaces to interconnect Lsys0

LOGICAL SYSTEMS
CONFIGURATION 1/4 - PROFILES AND USERS
# Define a Profile for the System Limits for each User Logical Systems
set system security-profile USER-LSYS policy maximum 50
set system security-profile USER-LSYS policy reserved 25
set system security-profile USER-LSYS address-book maximum 100
set system security-profile USER-LSYS address-book reserved 50
set system security-profile USER-LSYS logical-system [Coke-LSYS Pepsi-LSYS]
# Add the Root System Profile. All off-box logging comes from the Root LSYS.
# If this is undefined then syslog/SNMP will not work
set system security-profile ROOT-LSYS auth-entry maximum 5
set system security-profile ROOT-LSYS policy maximum 5
set system security-profile ROOT-LSYS policy reserved 1
set system security-profile ROOT-LSYS policy-with-count maximum 0
set system security-profile ROOT-LSYS root-logical-system
# Add LSYS to your login classes to assign users to an LSYS
# Users are assigned to a „login class‟ to get their rights, and with LSYS
# they also get assigned to an LSYS at the same time
set system login class COKE-LOGIN logical-system COKE-LSYS
set system login class PEPSI-LOGIN logical-system PEPSI-LSYS
# Create Users for each Lsys
set system login user coke class COKE-LOGIN
set system login user pepsi class PEPSI-LOGIN

LOGICAL SYSTEMS
CONFIGURATION 2/4 - INTERCONNECT
# Set up lt-0/0/0.x interfaces in the Interconnect LSYS0
# LSYS0 is layer 2 only and will hold multiple LT interfaces
# all other LSYS will only have a single LT interface
# LT interfaces are paired one-to-one
set logical-systems LSYS0 interfaces lt-0/0/0 unit 0 encapsulation ethernet-vpls
set logical-systems LSYS0 interfaces lt-0/0/0 unit 0 peer-unit 1
# Set up lt-0/0/0.x interfaces, LT interface in LSYS > 0 need an IP address
# LT Interface in the Rootsys
set interfaces lt-0/0/0 unit 1 family inet address 10.0.1.1/24
# LT Interface in the Lsys Coke
# LT Interface in the Lsys Pepsi

LOGICAL SYSTEMS
CONFIGURATION 3/4 - FIRST USER LSYS
# Now setup the COKE-Logical System
edit logical-systems COKE-LSYS
set interfaces reth1 unit 1 vlan-id 1
set interfaces reth1 unit 1 family inet address 12.1.1.1/24
edit routing instances COKE-VR
set instance-type virtual-router
set interface reth1.1
set interface lt-0/0/0.3
up
set security zones security-zone Coke-Trust
set security zones security-zone Coke-Trust host-inbound-traffic system-services ping
set security zones security-zone Coke-Trust interfaces reth1.1
set security zones security-zone Coke-Untrust interfaces lt-0/0/0.1
edit security policies from-zone Coke-Trust to-zone Coke-Untrust
set policy to-Inter-LSYS match source-address any
set policy to-Inter-LSYS match destination-address any
set policy to-Inter-LSYS match application any
set policy to-Inter-LSYS then permit
top

LOGICAL SYSTEMS
CONFIGURATION 4/4 - SECOND USER LSYS
# Now setup the PEPSI-Logical System
edit logical-systems PEPSI-LSYS
set interfaces reth1 unit 2 vlan-id 1
set interfaces reth1 unit 2 family inet address 13.1.1.1/24
edit routing instances PEPSI-VR
set instance-type virtual-router
set interface reth1.2
set interface lt-0/0/0.5
up
set security zones security-zone PEPSI-Trust
set security zones security-zone PEPSI-Trust host-inbound-traffic system-services ping
set security zones security-zone PEPSI-Trust interfaces reth1.2
set security zones security-zone PEPSI-Untrust interfaces lt-0/0/0.5
edit security policies from-zone PEPSI-Trust to-zone PEPSI-Untrust
set policy to-Inter-LSYS match source-address any
set policy to-Inter-LSYS match destination-address any
set policy to-Inter-LSYS match application any
set policy to-Inter-LSYS then permit
top

LOGICAL SYSTEMS
MONITORING
# Flow Statistics
show security flow statistics root-logical-system
show security flow statistics logical-system <all|Lsys>
# Assigned Profile and current usage for each individual profile parameter
show system security-profile ? logical-system <all|Lsys>

VPN

Here are some tips for copy/pasting configurations in Junos:- To paste and override the whole configuration, use "load merge" from the edit hierarchy level:edit load merge terminal- To paste and add pieces of configuration without overriding existing config, use "load merge" from within the hierarchy level you want to edit: edit interfacesload merge - To paste configuration written with "set" commands, use "load override":editload override - You can also paste directly into configuration mode without using load. Junos will parse the configuration and add/merge as needed.- Be careful of unintended side

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (10)

Recently uploaded

Recently uploaded (20)