SRX 2015 5
JUNOS
1.1.
1.2. Junos
1.3. Junos
1.3.1. CLI
1.3.2. J-WEB
1.3.3.
1.3.4. root
1.3.5.
1.3.6.
1.3.7.
SRX
2.1.
2.2.
2.3.
SRX
3.1.
3.2.
3.3. DHCP
3.4.
3.4.1.
3.4.2.
3.4.3.
3.4.4.
3.5.
3.5.1. Interface based Nat
3.5.2. Pool based Source Nat
3.5.3. Pool based Destination Nat
3.5.4. Pool based Static Nat
3.6. IPSEC VPN
3.6.1. SITE TO SITE IPSEC VPN
3.6.2. SITE TO SITE IPSEC VPN
3.6.3. DYNAMIC VPN
3.6.4. GROUP VPN
3.7. ALG
3.8. SRX UTM
3.8.1
3.8.2
3.8.3
3.8.4
3.8.5
3.9.4.
SRX Branch SRX210 SRX
SRX SRX
CLI WEB
SRX210B *2, SRX210-SH *1
WINDOWS 7
JUNOS
JUNOS Juniper
SRX JUNOS
JUNOS
JUNOS FreeBSD CLI WEBUI
1.1.
JUNOS CLI: operational / configure
config: edit
run (JUNOS)
edit (like unix cd), up
exit, top, quit
1.2. Junos
JUNOS set
Candidate Config commit
SRX commit
Active config
JUNOS commit
commit confirmed 2 2
commit 2
SRX
commit show Candidate
Config
commit run show config
Active config
show | compare
Juniper Networks, Inc.
SRX commit 50
rollback: rollback 0 / commit
commit
save configname.conf
load override configname.conf / commit load
factory-default / commit
SRX TFTP/FTP
J-WEB
1.3. Junos
SRX CLI J-WEB
2 CLI J-WEB
CLI
1.3.1.
CLI
console/telnet/ssh CLI
console Telnet SSH ROOT
root SSH
2 prompts:
1. "%": root shell. From the shell, start the SRX cli:
root@srx210% cli
root@srx210>
2. ">": operational mode; "#": configure mode
root@srx210> con
root@srx210#
Abbreviations: show -> sh, configure -> con
run:
root@srx210# run ping 192.168.1.1
1.3.2. J-WEB
SRX J-WEB
J-WEB commit
SCREENOS WEB
J-WEB HA J-WEB
SRX HA
(I/O)
J-WEB Javascript
WEB
J-WEB WEB
CLI
1.3.3. CONSOLE
Console: SRX root
COM port settings:
Data bits: 8
Parity: None
Stop bits: 1
root#
WEB
ping 192.168.1.1
http://192.168.1.1
SRX 192.168.1.1, root, Log In
1.3.4. root
ROOT
CLI
root
WEB
Start
* root
1.3.5.
HTTP/HTTPS/TELNET/SSH ROOT
HTTP/HTTPS/SSH/TELNET Super-User
CLI
root# set system login user lab class super-user authentication plain-text-password
New password: lab123
Retype new password: lab123
/*** user lab, password lab123 ***/
WEB
System Properties-User Management-Edit
Add
lab
1.3.6.
CLI
set system services telnet
set system services web-management http
/*** telnet/http ***/
WEB
IP
http
commit
1.3.7.
2
reset
CLI
Reset
reset 15
Status Status
SRX
2.1.
JUNOS
CLI
1.
user@host> request system power-off
2. JUNOS Console
user@host> request system halt
WEB
WEB halt
2.2.
OS
http://www.juniper.net/support/downloads/junos.html
Juniper 12.1X44-D45.2
CLI
1. OS
WINSCP FTP
3CDaemon FTP
OS: G:\FTP
SRX:
lab@SRX210B> ftp 192.168.1.3
Connected to 192.168.1.3.
220 3Com 3CDaemon FTP Server Version 2.0
Name (192.168.1.3:lab): anonymous
331 User name ok, need password
Password:
230-The response '' is not valid.
230-Next time, please use your email address as password.
230 User logged in
Remote system type is UNIX.
0 Apr 06 20:26 .
0 Apr 06 20:26 ..
/*** /cf/var/tmp ***/
131 MB 00:00 ETA
226 Closing data connection; File transfer successful.
138198178 bytes received in 87.72 seconds (1.50 MB/s)
ftp>
2.
lab@SRX210B> request system snapshot media internal slice alternate
Formatting alternate root (/dev/da0s2a)...
Copying '/dev/da0s1a' to '/dev/da0s2a' .. (this may take a few minutes)
The following filesystems were archived: /
3.
lab@SRX210B> request system software add /cf/var/tmp/junos-srxsme-12.1X44-D45.2-domestic.tgz no-copy no-validate reboot
Formatting alternate root (/dev/da0s2a)...
/dev/da0s2a: 297.9MB (610044 sectors) block size 16384, fragment size 2048
using 4 cylinder groups of 74.47MB, 4766 blks, 9600 inodes.
super-block backups (for fsck -b #) at:
32, 152544, 305056, 457568
Installing package '/altroot/cf/packages/install-tmp/junos-12.1X44-D45.2-domestic' ...
Verified junos-boot-srxsme-12.1X44-D45.2.tgz signed by PackageProduction_12_1_0
Verified junos-srxsme-12.1X44-D45.2-domestic signed by PackageProduction_12_1_0
JUNOS 12.1X44-D45.2 will become active at next reboot
Saving state for rollback ...
Rebooting ...
shutdown: [pid 5537]
Shutdown NOW!
WEB
Maintain-Software-Upload Package
tgz: Upload and Install Package
2.3.
console
root
1. CONSOLE
2. boot -s
Loading /boot/defaults/loader.conf
/kernel data= syms=[ ]
Hit [Enter] to boot immediately, or space bar for command prompt.
loader>
loader> boot -s
3. Recovery
Enter full pathname of shell or 'recovery' for root password
recovery or RETURN for /bin/sh: recovery
4. root
user@host> configure
Entering configuration mode
user@host# delete system root-authentication
user@host# set system root-authentication plain-text-password
New password:
Retype new password:
user@host# commit
5. commit complete
SRX
3.1.
3.2.
ZONE
SRX IP
type-pim/0/port.logical-unit-number
GE-0/0/0.0 0 0 0
CLI
SRX210B: ge-0/0/0.0 192.168.1.239/24, zone untrust; vlan.0 172.17.1.1/24, zone trust
SRX210B IP
root@SRX210B# set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.239/24
root@SRX210B# set interfaces vlan unit 0 family inet address 172.17.1.1/24
SRX210B ZONE
root@SRX210B# set security zones security-zone trust interfaces vlan.0
root@SRX210B# set security zones security-zone untrust interfaces ge-0/0/0.0
SRX210B
root@SRX210B# set routing-options static route 0.0.0.0/0 next-hop 192.168.1.253
WEB
ge-0/0/0.0: Untrust
Vlan.0: IP
VLAN.0: Trust
3.3. DHCP
SRX210B DHCP
172.17.1.100-200, router 172.17.1.1, DNS 192.168.1.10, vlan.0
CLI
set system services dhcp pool 172.17.1.0/24 address-range low 172.17.1.100
set system services dhcp pool 172.17.1.0/24 address-range high 172.17.1.200
set system services dhcp pool 172.17.1.0/24 name-server 192.168.1.10
set system services dhcp pool 172.17.1.0/24 router 172.17.1.1
set system services dhcp pool 172.17.1.0/24 propagate-settings vlan.0
WEB
Services-DHCP-DHCP Service, DHCP Pools
3.4.
3.4.1.
untrust zone: address-set DNSGROUP; address DNS10 192.168.1.10/32 (DNS10 in DNSGROUP)
trust zone: address Lan 172.17.1.0/24
CLI
set security zones security-zone untrust address-book address DNS10 192.168.1.10/32
set security zones security-zone untrust address-book address-set DNSGROUP address DNS10
set security zones security-zone trust address-book address Lan 172.17.1.0/24
WEB
Security-Policy Elements-Address Book: Address, untrust
DNS10, DNSGROUP
DNS10
Trust: Lan
3.4.2.
TCP-8080
CLI
set applications application tcp-8080 protocol tcp
set applications application tcp-8080 destination-port 8080
WEB
Security-Policy Elements-Applications-Custom Applications
3.4.3.
AllowDNS 12:00-13:00
CLI
set schedulers scheduler AllowDNS daily start-time 12:00:00 stop-time 13:00:00
WEB
Security-Policy Elements-Scheduler
3.4.4.
zone to zone
CLI
set security policies from-zone trust to-zone untrust policy AllowDNS match source-address Lan
set security policies from-zone trust to-zone untrust policy AllowDNS match destination-address DNSGROUP
set security policies from-zone trust to-zone untrust policy AllowDNS match application tcp-8080
set security policies from-zone trust to-zone untrust policy AllowDNS then permit
set security policies from-zone trust to-zone untrust policy AllowDNS scheduler-name AllowDNS
WEB
Security-Policy-Apply Policy
Scheduling: AllowDNS
3.5.
SRX NAT vs ScreenOS
ScreenOS NAT: policy, MIP/VIP/DIP; NAT policy
NAT untrust Source-NAT; SRX NAT
Policy
NAT NAT
Policy
SRX NAT Policy
Policy Policy
Policy IP
ScreenOS
SRX MIP/VIP/DIP: MIP -> Static NAT, DIP -> Source NAT (Policy), VIP -> Destination NAT
ScreenOS Untrust zone; SRX
Trust Zone NAT; ScreenOS Static NAT
NAT
SRX proxy-arp: IP Pool
SRX Pool ARP: IP Pool MAC
MAC SRX
3.5.1. Interface based Nat
172.17.1.0
192.168.1.239
CLI
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
WEB
Nat-Source NAT-Source Rule Set-Add
3.5.2. Pool based Source Nat
CLI
set security nat source pool snatpool address 192.168.1.220/32 to 192.168.1.230/32
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule snatpool220-230 match source-address 172.17.1.0/24
set security nat source rule-set trust-to-untrust rule snatpool220-230 then source-nat pool snatpool
WEB
NAT-Source Nat-Source NAT Pool-Add: POOL
Pool Name
Port
SnatPool
3.5.3. Pool based Destination Nat
CLI
/*** Destination NAT ***/
set security nat destination pool srv11-3389 address 172.16.1.11/32
set security nat destination pool srv11-3389 address port 3389
set security nat destination rule-set utot from zone untrust
set security nat destination rule-set utot rule u236-srv11-3389 match source-address 0.0.0.0/0
set security nat destination rule-set utot rule u236-srv11-3389 match destination-address 192.168.1.236/32
set security nat destination rule-set utot rule u236-srv11-3389 match destination-port 3389
set security nat destination rule-set utot rule u236-srv11-3389 then destination-nat pool srv11-3389
WEB
NAT-Destination NAT-Destination Nat Pool-Add: Pool
Pool Name, IP
OK: Pool
3.5.4. Pool based Static Nat
CLI
/*** Static Nat ***/
set security nat static rule-set SUTOT from zone untrust
set security nat static rule-set SUTOT rule U237-SRV10 match destination-address 192.168.1.237/32
set security nat static rule-set SUTOT rule U237-SRV10 then static-nat prefix 172.16.1.10/32
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.1.237/32
/*** SRV10 ***/
set security zones security-zone trust address-book address SRV10 172.16.1.10/32
/*** policy ***/
set security policies from-zone untrust to-zone trust policy U237-SRV10 match source-address any
set security policies from-zone untrust to-zone trust policy U237-SRV10 match destination-address SRV10
set security policies from-zone untrust to-zone trust policy U237-SRV10 match application any
set security policies from-zone untrust to-zone trust policy U237-SRV10 then permit
WEB
NAT-Static NAT-Add: NAT
Proxy-Arp
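The NAT sections above state that an SRX only answers ARP for its own interface address, so a source NAT pool address or a static/destination NAT address inside the external subnet needs a proxy-arp entry. The checker below is an added example (not the guide's own code) that parses "set" lines and reports which NAT addresses lack one; the sample configuration is constructed from the guide's addresses, and the guide's own snatpool and destination NAT examples carry no proxy-arp line, so they are flagged.

```python
"""NAT proxy-ARP coverage check for Junos "set" configuration lines.

Added example; not part of the original guide. Rule applied: an address the SRX
answers for (a source NAT pool address, or the destination address of a static
or destination NAT rule) that lies inside an external interface's subnet but is
not the interface's own IP needs "set security nat proxy-arp interface <ifl>
address <ip>", otherwise the upstream router never learns a MAC for it.
"""
import ipaddress
import shlex

# Constructed sample built from the guide's own addresses: ge-0/0/0.0 is
# 192.168.1.239/24, the static NAT rule has proxy-arp, the source NAT pool
# and the destination NAT rule do not.
SAMPLE_CONFIG = """
set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.239/24
set interfaces vlan unit 0 family inet address 172.17.1.1/24
set security nat source pool snatpool address 192.168.1.220/32 to 192.168.1.230/32
set security nat static rule-set SUTOT rule U237-SRV10 match destination-address 192.168.1.237/32
set security nat static rule-set SUTOT rule U237-SRV10 then static-nat prefix 172.16.1.10/32
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.1.237/32
set security nat destination rule-set utot rule u236-srv11-3389 match destination-address 192.168.1.236/32
"""


def expand(tokens):
    """Expand "A/32" or "A/32 to B/32" (Junos address-range syntax) into addresses."""
    first = ipaddress.ip_network(tokens[0], strict=False)
    if len(tokens) >= 3 and tokens[1] == "to":
        last = ipaddress.ip_network(tokens[2], strict=False)
        lo, hi = int(first.network_address), int(last.network_address)
        return [ipaddress.ip_address(i) for i in range(lo, hi + 1)]
    return list(first) if first.prefixlen < 32 else [first.network_address]


def parse(config_text):
    """Collect interface addresses, NAT-owned addresses and proxy-arp entries."""
    ifaces = {}      # "ge-0/0/0.0" -> IPv4Interface
    nat_ips = []     # (description, IPv4Address)
    proxy = set()    # (ifl name, IPv4Address)
    for raw in config_text.splitlines():
        t = shlex.split(raw)
        if not t or t[0] != "set":
            continue
        if t[1] == "interfaces" and "inet" in t and "address" in t:
            ifaces[f"{t[2]}.{t[4]}"] = ipaddress.ip_interface(t[t.index("address") + 1])
        elif t[1:4] == ["security", "nat", "proxy-arp"]:
            ifl = t[t.index("interface") + 1]
            for ip in expand(t[t.index("address") + 1:]):
                proxy.add((ifl, ip))
        elif t[1:5] == ["security", "nat", "source", "pool"] and "address" in t:
            for ip in expand(t[t.index("address") + 1:]):
                nat_ips.append((f"source pool {t[5]}", ip))
        elif t[1:3] == ["security", "nat"] and t[3] in ("static", "destination") \
                and "destination-address" in t:
            for ip in expand(t[t.index("destination-address") + 1:]):
                nat_ips.append((f"{t[3]} NAT rule {t[7]}", ip))
    return ifaces, nat_ips, proxy


def missing_proxy_arp(config_text):
    """Return sorted (ifl, ip, description) for NAT addresses lacking proxy-arp."""
    ifaces, nat_ips, proxy = parse(config_text)
    missing = set()
    for what, ip in nat_ips:
        for ifl, ifaddr in ifaces.items():
            # Only addresses inside the interface subnet need proxy-arp; the
            # interface's own IP is answered by the normal ARP path.
            if ip in ifaddr.network and ip != ifaddr.ip and (ifl, ip) not in proxy:
                missing.add((ifl, str(ip), what))
    return sorted(missing)


def proxy_arp_commands(config_text):
    """Generate the "set" lines that would close the gaps found above."""
    return [f"set security nat proxy-arp interface {ifl} address {ip}/32"
            for ifl, ip, _ in missing_proxy_arp(config_text)]


if __name__ == "__main__":
    for ifl, ip, what in missing_proxy_arp(SAMPLE_CONFIG):
        print(f"{ifl}: {ip} ({what}) has no proxy-arp entry")
    print("\n".join(proxy_arp_commands(SAMPLE_CONFIG)))
```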
3.6. IPSEC VPN
3.6.1. SITE TO SITE IPSEC VPN (route-based)
172.16.1.0/24 <-> 172.17.1.0/24
CLI
SRX210A
set interfaces st0 unit 0 family inet
set security zones security-zone vpn interfaces st0.0
set security policies from-zone vpn to-zone trust policy vpn-policy match source-address any
set security policies from-zone vpn to-zone trust policy vpn-policy match destination-address any
set security policies from-zone vpn to-zone trust policy vpn-policy match application any
set security policies from-zone vpn to-zone trust policy vpn-policy then permit
set security policies from-zone trust to-zone vpn policy vpn-policy match source-address any
set security policies from-zone trust to-zone vpn policy vpn-policy match destination-address any
set security policies from-zone trust to-zone vpn policy vpn-policy match application any
set security policies from-zone trust to-zone vpn policy vpn-policy then permit
SRX210B
set interfaces st0 unit 0 family inet
set security zones security-zone vpn interfaces st0.0
set routing-options static route 172.16.1.0/24 next-hop st0.0
st0 tunnel interface, zone VPN
set security ike policy bike mode main
set security ike policy bike proposal-set standard
set security ike policy bike pre-shared-key ascii-text juniper
IKE Phase 1 policy: main mode, standard proposal set
set security ike gateway gw1 ike-policy bike
set security ike gateway gw1 address 192.168.1.238
set security ike gateway gw1 external-interface ge-0/0/0.0
policy VPN
WEB
SRX210A
VPN Zone: Security-Zones/screens-Add
ZONE IP
IKE Policy
Gateway
St0.0
2
Configure-Security-Policy-Apply Policy-Add
Policy Name
VPN Trust
SRX210B
VPN
3.6.2. SITE TO SITE IPSEC VPN (policy-based)
CLI
SRX210A
set security ike policy aike mode main
set security ike policy aike proposal-set standard
set security ike policy aike pre-shared-key ascii-text juniper
set security ike gateway gw1 ike-policy aike
set security policies from-zone untrust to-zone trust policy vpn-policy then permit tunnel ipsec-vpn vpn1
set security policies from-zone untrust to-zone trust policy vpn-policy then permit tunnel pair-policy vpn-policy
set security zones security-zone trust address-book address LanA 172.16.1.0/24
set security zones security-zone untrust address-book address LanB 172.17.1.0/24
SRX210B
VPN
WEB
3.6.3. DYNAMIC VPN
Web VPN
VPN
1. SRX VPN: HTTP / HTTPS
Web
2. Web
3.
4.
5. IPsec (XAuth)
RADIUS IP
VPN Web
VPN Juniper Networks
:
IPsec SA
CLI
set access address-assignment pool dyn-ip-pool family inet network 192.168.100.0/24
set access address-assignment pool dyn-ip-pool family inet range 10to100 low 192.168.100.10
set access address-assignment pool dyn-ip-pool family inet range 10to100 high 192.168.100.100
set access firewall-authentication web-authentication default-profile dyn-profile
VPN
IKE Gateway
set security ike policy DVPN-vpn mode aggressive
set security ike policy DVPN-vpn proposal-set compatible
set security ike policy DVPN-vpn pre-shared-key ascii-text juniper
set security ike gateway DVPN-vpn ike-policy DVPN-vpn
set security ike gateway DVPN-vpn dynamic hostname dynvpn
set security ike gateway DVPN-vpn dynamic connections-limit 50
set security ike gateway DVPN-vpn dynamic ike-user-type group-ike-id
set security ike gateway DVPN-vpn external-interface ge-0/0/0
set security ike gateway DVPN-vpn xauth access-profile dyn-profile
IPSEC
set security ipsec policy DVPN-vpn proposal-set standard
set security ipsec vpn DVPN-vpn ike gateway DVPN-vpn
set security ipsec vpn DVPN-vpn ike ipsec-policy DVPN-vpn
set security policies from-zone untrust to-zone trust policy dyn-vpn match source-address any
set security policies from-zone untrust to-zone trust policy dyn-vpn match destination-address LanA
set security policies from-zone untrust to-zone trust policy dyn-vpn match application any
set security policies from-zone untrust to-zone trust policy dyn-vpn then permit tunnel ipsec-vpn DVPN-vpn
zone: IKE, HTTPS
set security zones security-zone untrust host-inbound-traffic system-services https
set security zones security-zone untrust host-inbound-traffic system-services http
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ping
VPN
set security dynamic-vpn access-profile dyn-profile
set security dynamic-vpn clients dyn-vpn remote-protected-resources 172.16.1.0/24
set security dynamic-vpn clients dyn-vpn ipsec-vpn DVPN-vpn
set security dynamic-vpn clients dyn-vpn user vpn1
set security dynamic-vpn clients dyn-vpn user vpn2
WEB
Access Profile: Configure-Access-Access Profiles-Add
Profile dyn-profile, Address Assignment: Configure
VPN1, VPN2
dyn-profile
dynamic vpn
DYNAMIC VPN
DYNAMIC VPN
Action-Commit
DYN-VPN
IE: 192.168.1.238
Pulse
Junos Pulse
https://www.juniper.net/customers/support/#task
VPN1
IP
SRX210 IKE
3.6.4. GROUP VPN
VPN
SA
SA
1 - 65,535
VPN
1. UDP 848 (IKE Phase 1)
2. GDOI groupkey-pull: SA
3.
4. SA
(GDOI groupkey-push) SA
SA
SA
+
2
CLI
SRX210A
Lo0.0
set interfaces lo0 unit 0 family inet address 192.168.1.230/32
group-vpn member
set security group-vpn member ike proposal prop1 authentication-method pre-shared-keys
set security group-vpn member ike proposal prop1 dh-group group2
set security group-vpn member ike proposal prop1 authentication-algorithm sha1
set security group-vpn member ike proposal prop1 encryption-algorithm 3des-cbc
set security group-vpn member ike policy pol1 mode main
set security group-vpn member ike policy pol1 proposals prop1
set security group-vpn member ike policy pol1 pre-shared-key ascii-text juniper
set security group-vpn member ike gateway g1 ike-policy pol1
set security group-vpn member ike gateway g1 address 192.168.1.238
set security group-vpn member ike gateway g1 local-address 192.168.1.230
set security group-vpn member ipsec vpn v1 ike-gateway g1
set security group-vpn member ipsec vpn v1 group-vpn-external-interface ge-0/0/0.0
set security group-vpn member ipsec vpn v1 group 1
group-VPN server
set security group-vpn server ike proposal srv-prop authentication-method pre-shared-keys
set security group-vpn server ike proposal srv-prop dh-group group2
set security group-vpn server ike proposal srv-prop authentication-algorithm sha1
set security group-vpn server group grp1 server-member-communication communication-type unicast
set security group-vpn server group grp1 server-member-communication encryption-algorithm aes-128-cbc
set security group-vpn server group grp1 server-member-communication sig-hash-algorithm md5
set security group-vpn server group grp1 server-member-communication certificate srv-cert
set security group-vpn server group grp1 ipsec-sa group-sa proposal group-prop
set security group-vpn server group grp1 ipsec-sa group-sa match-policy p1 source 172.16.1.0/24
set security group-vpn server group grp1 ipsec-sa group-sa match-policy p1 destination 172.17.1.0/24
set security group-vpn server group grp1 ipsec-sa group-sa match-policy p1 source-port 0
set security group-vpn server group grp1 ipsec-sa group-sa match-policy p1 destination-port 0
set security group-vpn server group grp1 ipsec-sa group-sa match-policy p1 protocol 0
set security group-vpn server group grp1 ipsec-sa group-sa match-policy p2 source 172.17.1.0/24
set security group-vpn server group grp1 ipsec-sa group-sa match-policy p2 destination 172.16.1.0/24
set security group-vpn server group grp1 ipsec-sa group-sa match-policy p2 source-port 0
set security policies from-zone trust to-zone untrust policy scope1 match destination-address Gvpn
set security policies from-zone trust to-zone untrust policy scope1 match application any
set security policies from-zone trust to-zone untrust policy scope1 then permit tunnel ipsec-group-vpn v1
SRX210B
Group-VPN member
set security group-vpn member ike proposal prop1 authentication-method pre-shared-keys
set security group-vpn member ike proposal prop1 dh-group group2
set security group-vpn member ike proposal prop1 authentication-algorithm sha1
set security group-vpn member ike proposal prop1 encryption-algorithm 3des-cbc
set security group-vpn member ike policy pol1 mode main
set security group-vpn member ike policy pol1 proposals prop1
set security group-vpn member ike policy pol1 pre-shared-key ascii-text juniper
set security group-vpn member ike gateway g1 ike-policy pol1
set security group-vpn member ike gateway g1 address 192.168.1.238
set security group-vpn member ike gateway g1 local-address 192.168.1.239
set security group-vpn member ipsec vpn v1 ike-gateway g1
set security group-vpn member ipsec vpn v1 group-vpn-external-interface ge-0/0/0.0
tunnel ipsec-group-vpn v1
SRX210A: IKE SERVER
SRX210B: IPsec SA
WEB
3.7. ALG
(ALG) Junos OS Juniper Networks
(SIP) FTP ALG
ALG
Telnet, FTP, SMTP, HTTP
4: TCP, UDP (TCP/UDP)
4, 7
7
ALG
ALG ALG
1.
2.
3.
ALG ALG
ALG IP
(NAT) ALG IP
Possible completions:
> alg-manager         Configure ALG-MANAGER
> alg-support-lib     Configure ALG-SUPPORT-LIB
+ apply-groups        Groups from which to inherit configuration data
> mgcp
> msrpc
> pptp
> rsh
> rtsp
> sccp
> sip
> sql
> sunrpc
> talk
> tftp
> traceoptions
[edit]
ALG
lab@srx210A> show security alg status
ALG Status :
  DNS     : Enabled
  FTP     : Enabled
  H323    : Enabled
  MGCP    : Enabled
  MSRPC   : Enabled
  PPTP    : Enabled
  RSH     : Enabled
  RTSP    : Enabled
  SCCP    : Enabled
  SIP     : Enabled
  SQL     : Enabled
  SUNRPC  : Enabled
  TALK    : Enabled
  TFTP    : Enabled
  IKE-ESP : Disabled
3.8. SRX UTM
web security-ALG
(SBL) Sophos
IP SBL
Kaspersky Lab
CPU
Juniper Networks
MIME
3.8.1 UTM
UTM UTM Juniper
https://www.juniper.net/customers/support/#task
1
Internet
lab@srx210h> request system license update trial trial
License
lab@srx210h> show system license
web: Maintain-Licenses
UTM
lab@srx210h> request security idp security-package download status
IDP
IDP
lab@srx210h> show security idp status
Antivirus Profile
lab@srx210h# set security utm feature-profile anti-virus type kaspersky-lab-engine
Antivirus
update
,,
news.163.com,, <51JOB >
web-filtering
lab@srx210h# set security utm custom-objects url-pattern url
utm
web
lab@srx210h# run show security utm web-filtering ?
Possible completions:
statistics
status
(SBL)
: IP
Sophos IP
#
lab@srx210h# set security utm feature-profile anti-spam sbl profile sblprofile1
# SBL
lab@srx210h# set security utm feature-profile anti-spam sbl profile sblprofile1 sbl-default-server
#
lab@srx210h# set security utm feature-profile anti-spam sbl profile sblprofile1 sbl-default-server spam-action block
# UTM
lab@srx210h# set security utm utm-policy spampolicy1 anti-spam smtp-profile sblprofile1
# UTM
lab@srx210h# set security policies from-zone trust to-zone untrust policy utmsecuritypolicy1 match source-address any
3.9. Appsecure
AppSecure SRX AppSecure
AppSecure
AppTrack
AppFirewall
AppDoS
AppQos
Appsecure SRX
UTM
3.9.1.
1. Zone
3.9.3. AppFirewall
HTTP HTTP
IP
ID
AppFirewall
ID
AppFirewall
ID
ID ID
facebook, youtube
AppFirewall
set security application-firewall rule-sets allowed-apps rule 1 match dynamic-application [ junos:FACEBOOK-ACCESS junos:FACEBOOK-APP junos:FACEBOOK-CHAT junos:FACEBOOK-FANAPPZ junos:FACEBOOK-MAIL junos:FACEBOOK-MUSIC junos:FACEBOOK-MUSIKGW junos:FACEBOOK-SOCIALRSS junos:FACEBOOK-YEARBOOK junos:FACEBOOK-YOUTUBEBOX ]
set security application-firewall rule-sets allowed-apps rule 1 then permit
set security application-firewall rule-sets allowed-apps rule 2 match dynamic-application junos:YOUTUBE
set security application-firewall rule-sets allowed-apps rule 2 match dynamic-application junos:YOUTUBE-COMMENT
set security application-firewall rule-sets allowed-apps rule 2 match dynamic-application junos:YOUTUBE-STREAM
set security application-firewall rule-sets allowed-apps rule 2 match dynamic-application junos:YOUTUBEVIDEOBOX
set security application-firewall rule-sets allowed-apps rule 2 then permit
set security application-firewall rule-sets allowed-apps default-rule deny
appfirewall
set security policies from-zone trust to-zone untrust policy allowed-web-apps match source-address any
set security policies from-zone trust to-zone untrust policy allowed-web-apps match destination-address any
set security policies from-zone trust to-zone untrust policy allowed-web-apps match application junos-http
set security policies from-zone trust to-zone untrust policy allowed-web-apps then permit application-services application-firewall rule-set allowed-apps
3.9.4. APPDDOS
DDoS 7
80, 53, 443; L3 / L4
timeout 60
3. APPDDOS
set security idp active-policy AppDoS-Webserver
4. IDP application-service
set security policies from-zone untrust to-zone trust policy appddos match source-address any
set security policies from-zone untrust to-zone trust policy appddos match destination-address any
set security policies from-zone untrust to-zone trust policy appddos match application junos-http
set security policies from-zone untrust to-zone trust policy appddos then permit application-services idp
3.10.1. FBF
FBF (ScreenOS PBR): FBF
dual-ISP srx down
SRX down/up
Junos RPM IP DOWN
Filter
set firewall filter FBF term ISP1 from source-address 172.16.1.10/32
set firewall filter FBF term ISP1 then routing-instance ISP1
set firewall filter FBF term ISP2 from source-address 172.16.1.20/32
set firewall filter FBF term ISP2 then routing-instance ISP2
set firewall filter FBF term accept then accept
RIB-GROUP
set routing-options interface-routes rib-group inet rib-fbf
set routing-options rib-groups rib-fbf import-rib inet.0
set routing-options rib-groups rib-fbf import-rib isp1.inet.0
set routing-options rib-groups rib-fbf import-rib isp2.inet.0
FBF: C1 -> ISP1, C2 -> ISP2
RPM
set services rpm probe Probe-isp1 test isp1-gw target address 192.168.1.253
set services rpm probe Probe-isp1 test isp1-gw probe-count 10
set services rpm probe Probe-isp1 test isp1-gw probe-interval 5
set services rpm probe Probe-isp1 test isp1-gw test-interval 10
set services rpm probe Probe-isp1 test isp1-gw thresholds successive-loss 10
set services rpm probe Probe-isp1 test isp1-gw thresholds total-loss 5
IP-Monitoring
set services ip-monitoring policy isp1-Tracking match rpm-probe Probe-isp1
set services ip-monitoring policy isp1-Tracking then preferred-route routing-instances isp1 route 0.0.0.0/0 next-hop 192.168.58.253
set services ip-monitoring policy isp2-Tracking match rpm-probe Probe-isp2
set services ip-monitoring policy isp2-Tracking then preferred-route routing-instances isp2 route 0.0.0.0/0 next-hop 192.168.1.253
ZONE: RPM
set security zones security-zone isp1 interfaces ge-0/0/0.0 host-inbound-traffic system-services rpm
set security zones security-zone isp1 interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone isp2 interfaces ge-0/0/1.0 host-inbound-traffic system-services rpm
set security zones security-zone isp2 interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
3.10.2.
192.168.1.0/26 10M
set firewall family inet filter limit10M term Nolimite from address 192.168.1.0/26
set firewall family inet filter limit10M term Nolimite then accept
# 192.168.1.0/26
set firewall family inet filter limit10M term other-10M from source-address 0.0.0.0/0
set firewall family inet filter limit10M term other-10M then policer Upto10M
# Upto10M
set firewall family inet filter limit10M term other-accept then accept
#
set firewall policer Upto10M if-exceeding bandwidth-limit 10m
set firewall policer Upto10M if-exceeding burst-size-limit 128k
set firewall policer Upto10M then discard
# Upto10M
set interfaces fe-0/0/2 unit 0 family inet filter input limit10M
Input Filter
3.10.3. ACL
denylist-attack
set firewall family inet filter DenyAC term deny-list from prefix-list denylist-attack
set firewall family inet filter DenyAC term deny-list then discard
# Filter DenyAC denylist-attack prefix-list
set firewall family inet filter DenyAC term other-accept then accept
#
set policy-options prefix-list denylist-attack 124.232.0.0/16
set policy-options prefix-list denylist-attack 182.100.0.0/16
# denylist-attack 2 124.232.0.0/16 182.100.0.0/16
set interfaces fe-0/0/2 unit 0 family inet filter input DenyAC
# Filter Input
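The two filters above (limit10M and DenyAC) depend on Junos term ordering: the first matching term decides, and a packet that matches no term hits the implicit discard at the end of the filter, which is why both filters end with an explicit accept term. The evaluator below is an added example, not the guide's own code; it parses a constructed copy of those set lines and applies those semantics to sample packets, including the rule that a matching term with only a policer (no accept/discard) still accepts.

```python
"""Evaluate Junos stateless firewall filters term by term.

Added example; not the guide's own code. It parses "set firewall" and
"set policy-options prefix-list" lines (a constructed copy of the guide's
limit10M and DenyAC filters is embedded) and applies Junos term semantics:
terms are tried in order, the first matching term decides, "address" and
"prefix-list" match either source or destination, a matching term with no
terminating action accepts, and a packet matching no term is discarded.
"""
import ipaddress
import shlex

SAMPLE_CONFIG = """
set policy-options prefix-list denylist-attack 124.232.0.0/16
set policy-options prefix-list denylist-attack 182.100.0.0/16
set firewall family inet filter DenyAC term deny-list from prefix-list denylist-attack
set firewall family inet filter DenyAC term deny-list then discard
set firewall family inet filter DenyAC term other-accept then accept
set firewall family inet filter limit10M term Nolimite from address 192.168.1.0/26
set firewall family inet filter limit10M term Nolimite then accept
set firewall family inet filter limit10M term other-10M from source-address 0.0.0.0/0
set firewall family inet filter limit10M term other-10M then policer Upto10M
set firewall family inet filter limit10M term other-accept then accept
set firewall policer Upto10M if-exceeding bandwidth-limit 10m
set firewall policer Upto10M if-exceeding burst-size-limit 128k
set firewall policer Upto10M then discard
"""

TERMINATING = ("accept", "discard", "reject")


def parse_config(text):
    """Return (prefix_lists, policers, filters); dict order keeps term order."""
    prefix_lists, policers, filters = {}, set(), {}
    for raw in text.splitlines():
        t = shlex.split(raw)
        if not t or t[0] != "set":
            continue
        if t[1:3] == ["policy-options", "prefix-list"]:
            prefix_lists.setdefault(t[3], []).append(ipaddress.ip_network(t[4]))
        elif t[1:3] == ["firewall", "policer"]:
            policers.add(t[3])
        elif t[1:5] == ["firewall", "family", "inet", "filter"]:
            term = filters.setdefault(t[5], {}).setdefault(t[7], {"from": {}, "then": []})
            if t[8] == "from":
                term["from"].setdefault(t[9], []).append(t[10])
            elif t[8] == "then":
                term["then"].append(t[9:])
    return prefix_lists, policers, filters


def term_matches(term, prefix_lists, src, dst):
    """All "from" condition types must match; values within a type are OR-ed."""
    for kind, values in term["from"].items():
        if kind == "prefix-list":
            nets = [n for v in values for n in prefix_lists[v]]
        else:
            nets = [ipaddress.ip_network(v, strict=False) for v in values]
        if kind == "source-address":
            hit = any(src in n for n in nets)
        elif kind == "destination-address":
            hit = any(dst in n for n in nets)
        else:  # "address" and "prefix-list" match either direction
            hit = any(src in n or dst in n for n in nets)
        if not hit:
            return False
    return True  # a term without "from" matches every packet


def evaluate(config_text, filter_name, src, dst):
    """Return (action, term, policer) for one packet; term None = implicit discard."""
    prefix_lists, policers, filters = parse_config(config_text)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, term in filters[filter_name].items():
        if not term_matches(term, prefix_lists, src, dst):
            continue
        policer = next((a[1] for a in term["then"] if a[0] == "policer"), None)
        if policer is not None and policer not in policers:
            raise ValueError(f"term {name} references undefined policer {policer}")
        # No accept/discard/reject in "then" means the term accepts the packet.
        action = next((a[0] for a in term["then"] if a[0] in TERMINATING), "accept")
        return action, name, policer
    return "discard", None, None  # end of filter: implicit discard


if __name__ == "__main__":
    for flt, s, d in [("DenyAC", "124.232.9.9", "192.168.1.10"),
                      ("DenyAC", "8.8.8.8", "192.168.1.10"),
                      ("limit10M", "192.168.1.7", "10.0.0.1"),
                      ("limit10M", "192.168.1.70", "10.0.0.1")]:
        print(flt, s, "->", d, ev := evaluate(SAMPLE_CONFIG, flt, s, d))
```

Run against the embedded configuration it shows that limit10M's final other-accept term is never reached, because other-10M already matches every packet and accepts after policing.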
3.11. Screen
Juniper SRX
MGT
SCREEN
SCREEN
SCREEN (IDP)
SCREEN Untrust
CLI
}
limit-session {
    source-ip-based 128;
    destination-ip-based 128;
}
}
[edit]
root# show security zones security-zone untrust
screen juniper-srx-screen-test;
(screen applied to zone untrust)
WEB
Configure-Security-Zone/Screens-Screens list-Add
3.12. JSRP HA
JSRP Juniper SRX HA ScreenOS NSRP
A/P A/A JSRP ScreenOS NSRP JUNOS Cluster
NSRP JSRP JSRP NSRP
JSRP Cluster
ScreenOS
ScreenOS NSRP session
JSRP
SRX JSRP ()
(Session ) 3K\5K
Branch
SRX Branch HA
HA
1. SRX110 HA
2. SRX650 <4 RJ-45> SRX650 HA, <HA 3>
JSRP
0 0 1
0
JSRP
22
JSRP 7
Cluster id Node id (ScreenOS NSRP cluster id
id
Control Port
Fabric Link Port session RTO
2 SRX210 HA
FE-0/0/6 FXP0
CONSOLE
SRX210-A
set chassis cluster cluster-id 1 node 0 reboot
SRX210-B
set chassis cluster cluster-id 1 node 1 reboot
SRX210-A
set groups node0 system host-name srx210-a
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.101.1/24
set groups node1 system host-name srx210-b
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.101.2/24
set apply-groups "${node}"
set chassis cluster reth-count 2
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set interfaces fab0 fabric-options member-interfaces ge-0/0/0
set interfaces fab1 fabric-options member-interfaces ge-2/0/0
set interfaces ge-0/0/1 gigether-options redundant-parent reth0
set interfaces ge-2/0/1 gigether-options redundant-parent reth0
set interfaces fe-0/0/2 fastether-options redundant-parent reth1
set interfaces fe-2/0/2 fastether-options redundant-parent reth1
# fe- (Fast Ethernet) member links use fastether-options; gigether-options is only valid on ge- interfaces
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options redundancy-group 1
set security zones security-zone Trusted
set security zones security-zone Untrusted
set security zones security-zone Trusted host-inbound-traffic system-services all
set interfaces reth0 unit 0 family inet address 172.16.1.1/24
set security zones security-zone Trusted interfaces reth0.0
set interfaces reth1 unit 0 family inet address 192.168.1.238/24
set security zones security-zone Untrusted interfaces reth1.0
# interface monitoring: each monitored link has weight 255 and the RG fails over once the weight of DOWN links reaches the threshold of 255, so any single monitored link going DOWN triggers a failover of RG 1
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/1 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-2/0/1 weight 255
set chassis cluster redundancy-group 1 interface-monitor fe-0/0/2 weight 255
set chassis cluster redundancy-group 1 interface-monitor fe-2/0/2 weight 255
Check the HA status:
> show chassis cluster status
Cluster ID: 1
Node                  Priority          Status    Preempt  Manual failover

Redundancy group: 0
    node0                   200         primary        no       no
    node1                   100         secondary      no       no

Redundancy group: 1
    node0                   200         primary        yes      no
    node1                   100         secondary      yes      no

After a manual failover to node1 (the target node is given the temporary priority 255 and the Manual failover flag is set):
Node                  Priority          Status    Preempt  Manual failover

Redundancy group: 0
    node0                   200         secondary      no       yes
    node1                   255         primary        no       yes

Redundancy group: 1
    node0                   200         secondary      yes      yes
    node1                   255         primary        yes      yes
Reset the manual failover flag (required before the group can be failed over manually again):
> request chassis cluster failover reset redundancy-group 0
node0:
--------------------------------------------------------------------------
No reset required for redundancy group 0.

node1:
--------------------------------------------------------------------------
Successfully reset manual failover for redundancy group 0

{secondary:node0}
> request chassis cluster failover reset redundancy-group 1
node0:
--------------------------------------------------------------------------
No reset required for redundancy group 1.

node1:
--------------------------------------------------------------------------
After the reset the override priority 255 is gone; with preempt off, node1 stays primary:
Node                  Priority          Status    Preempt  Manual failover

Redundancy group: 0
    node0                   200         secondary      no       no
    node1                   100         primary        no       no

Redundancy group: 1
    node0                   200         secondary      no       no
    node1                   100         primary        no       no
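The status tables above are read by eye; for monitoring it helps to parse them. The following Python is an added example (not Juniper code) that parses `show chassis cluster status` output, reports problems per redundancy group: a set Manual failover flag (which has to be reset, as shown above, before the next manual failover is possible) and a group running on the lower-priority node with preempt off. The two sample outputs are constructed from the page's tables in the Junos output layout.

```python
# Parser and sanity check for 'show chassis cluster status' output.
# Added example, not Juniper code. The two sample outputs are constructed from the
# tables above (after a manual failover to node1, and after the reset).
import re

AFTER_MANUAL_FAILOVER = """\
Cluster ID: 1
Node                  Priority          Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 1
    node0                   200         secondary      no       yes
    node1                   255         primary        no       yes

Redundancy group: 1 , Failover count: 1
    node0                   200         secondary      yes      yes
    node1                   255         primary        yes      yes
"""

AFTER_RESET = """\
Cluster ID: 1
Node                  Priority          Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 1
    node0                   200         secondary      no       no
    node1                   100         primary        no       no

Redundancy group: 1 , Failover count: 1
    node0                   200         secondary      no       no
    node1                   100         primary        no       no
"""

RG_RE = re.compile(r"^Redundancy group:\s*(\d+)")
NODE_RE = re.compile(r"^\s*(node\d)\s+(\d+)\s+(\S+)\s+(yes|no)\s+(yes|no)\s*$")


def parse_cluster_status(text):
    """Return {rg: {node: {priority, status, preempt, manual_failover}}}."""
    groups, rg = {}, None
    for line in text.splitlines():
        m = RG_RE.match(line)
        if m:
            rg = int(m.group(1))
            groups[rg] = {}
            continue
        m = NODE_RE.match(line)
        if m and rg is not None:
            node, prio, status, preempt, manual = m.groups()
            groups[rg][node] = {
                "priority": int(prio),
                "status": status,
                "preempt": preempt == "yes",
                "manual_failover": manual == "yes",
            }
    return groups


def audit(groups):
    """Findings an operator should act on; empty when the cluster looks healthy."""
    findings = []
    for rg, nodes in sorted(groups.items()):
        primaries = [n for n, v in nodes.items() if v["status"] == "primary"]
        if len(primaries) != 1:
            findings.append(f"RG{rg}: expected one primary, found {primaries}")
            continue
        prim = primaries[0]
        if any(v["manual_failover"] for v in nodes.values()):
            # priority 255 is the override a manual failover sets; clear the flag first
            findings.append(f"RG{rg}: manual failover flag set, clear it with "
                            f"'request chassis cluster failover reset redundancy-group {rg}'")
            continue
        best = max(nodes, key=lambda n: nodes[n]["priority"])
        if best != prim and not nodes[best]["preempt"]:
            findings.append(f"RG{rg}: {prim} is primary although {best} has the higher "
                            f"priority; preempt is off, so it will not fail back by itself")
    return findings


if __name__ == "__main__":
    for text in (AFTER_MANUAL_FAILOVER, AFTER_RESET):
        for finding in audit(parse_cluster_status(text)):
            print(finding)
```

Run against the second sample it reports that both groups sit on node1 after the reset; whether that is a problem depends on the design (non-revertive operation avoids a second flap, but the cluster is now running on the node you declared secondary), so the check is a warning, not an error.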
SNMP
SRX interface objects: the ifIndex of each interface, read from IF-MIB ifDescr (output of an snmpwalk on ifDescr):
ifDescr.22 = lo0.16385
ifDescr.248 = lo0.32768
ifDescr.501 = irb
ifDescr.502 = pp0
ifDescr.503 = st0
ifDescr.504 = ppd0
ifDescr.505 = ppe0
ifDescr.506 = vlan
ifDescr.507 = ge-0/0/0
ifDescr.508 = ge-0/0/1
ifDescr.509 = ge-0/0/0.0
ifDescr.510 = fe-0/0/2
ifDescr.511 = fe-0/0/3
ifDescr.512 = fe-0/0/4
ifDescr.513 = fe-0/0/5
ifDescr.514 = fe-0/0/6
ifDescr.515 = fe-0/0/7
ifDescr.516 = ge-0/0/1.0
ifDescr.517 = sp-0/0/0
ifDescr.518 = gr-0/0/0
ifDescr.519 = ip-0/0/0
ifDescr.520 = lsq-0/0/0
ifDescr.521 = mt-0/0/0
ifDescr.523 = lt-0/0/0
ifDescr.524 = fe-0/0/2.0
ifDescr.526 = fe-0/0/4.0
ifDescr.527 = fe-0/0/5.0
ifDescr.529 = sp-0/0/0.0
ifDescr.530 = sp-0/0/0.16383
ifDescr.533 = st0.1
ifDescr.534 = st0.2
fe-0/0/2.0 has ifIndex 524. Appending that index to the JUNIPER-IF-MIB object 1.3.6.1.4.1.2636.3.3.1.1.3 (jnxIfIn1SecPkts, the per-interface input packet rate) gives the OID 1.3.6.1.4.1.2636.3.3.1.1.3.524, which returns the input PPS of fe-0/0/2.0. Resolve the ifIndex from ifDescr on each device rather than hard-coding it; the same interface name gets different indexes on different SRX units.
Troubleshooting
5.1. Flow
1. Capture traffic on an interface. Note that monitor traffic shows only packets to and from the Routing Engine (control plane); transit traffic is not displayed, use the flow trace for that:
lab@SRX210B> monitor traffic interface ge-0/0/0.0 no-resolve
2. Flow debug (traceoptions):
set security flow traceoptions file flowlog    # write the trace to the file flowlog under /var/log
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter to0 source-prefix 192.168.1.61/32
set security flow traceoptions packet-filter to0 destination-prefix 192.168.0.12/32
# packet-filter to0 restricts the trace to the two hosts 192.168.1.61 and 192.168.0.12; always set a packet-filter,
# because an unfiltered basic-datapath trace logs every packet and can exhaust the Routing Engine
View and clear the debug output in flowlog:
lab@SRX210B> show log flowlog     # view the trace file
lab@SRX210B> clear log flowlog    # clear the trace file
Deactivate the traceoptions as soon as the debugging is finished.
3. Inspect sessions and interface counters:
show security flow session summary
show security flow session destination-prefix <ip-prefix>
show security flow session session-identifier <value>
show interfaces extensive
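As an added example (not code from this manual), the following Python parses the output of `show security flow session` and lists sessions whose reverse (Out) wing never carried a packet, the usual symptom when replies take another path or are dropped before they reach the SRX. The sample output is constructed in the Junos layout and uses the two addresses of the packet-filter above; the session IDs and policy name are made up.

```python
# Parse 'show security flow session' output and find one-way sessions.
# Added example, not Juniper code. SAMPLE is constructed in the Junos output layout.
import re

SAMPLE = """\
Session ID: 4711, Policy name: trust-to-untrust/4, Timeout: 1794, Valid
  In: 192.168.1.61/52134 --> 192.168.0.12/80;tcp, If: fe-0/0/2.0, Pkts: 6, Bytes: 912
  Out: 192.168.0.12/80 --> 192.168.1.61/52134;tcp, If: ge-0/0/0.0, Pkts: 5, Bytes: 2310

Session ID: 4712, Policy name: trust-to-untrust/4, Timeout: 18, Valid
  In: 192.168.1.61/52135 --> 192.168.0.12/443;tcp, If: fe-0/0/2.0, Pkts: 3, Bytes: 222
  Out: 192.168.0.12/443 --> 192.168.1.61/52135;tcp, If: ge-0/0/0.0, Pkts: 0, Bytes: 0
Total sessions: 2
"""

SESSION_RE = re.compile(r"^Session ID: (\d+), Policy name: (\S+), Timeout: (\d+), (\w+)")
WING_RE = re.compile(r"^\s*(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), If: (\S+), "
                     r"Pkts: (\d+), Bytes: (\d+)")


def parse_sessions(text):
    """Return a list of session dicts, each with its 'In' and 'Out' wing."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            cur = {"id": int(m.group(1)), "policy": m.group(2),
                   "timeout": int(m.group(3)), "state": m.group(4), "wings": {}}
            sessions.append(cur)
            continue
        m = WING_RE.match(line)
        if m and cur is not None:
            direction, src, sport, dst, dport, proto, ifname, pkts, nbytes = m.groups()
            cur["wings"][direction] = {"src": src, "sport": int(sport), "dst": dst,
                                       "dport": int(dport), "proto": proto, "if": ifname,
                                       "pkts": int(pkts), "bytes": int(nbytes)}
    return sessions


def one_way_sessions(sessions):
    """IDs of sessions whose Out wing carried no packets: the reply never crossed this SRX."""
    return [s["id"] for s in sessions
            if s["wings"].get("Out", {}).get("pkts", 0) == 0]


if __name__ == "__main__":
    sess = parse_sessions(SAMPLE)
    print(len(sess), one_way_sessions(sess))   # 2 [4712]
```

A session with a short remaining timeout and an empty Out wing (4712 in the sample) is a half-open TCP session: either the server did not answer or its SYN-ACK went around the firewall; the flow trace above with a packet-filter on the two hosts shows which.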
5.3. Logs
Junos keeps its logs under /var/log; they are read from the CLI with show log <file>. For a DEBUG case JTAC needs the RSI (request support information) output together with the log directories:
# save the RSI under /var/log as rsi_<date>.txt
request support information | save /var/log/rsi_YYYY-MM-DD.txt
# then pack up /var/log (for example into /var/tmp as logs_rsi) and attach it, with the RSI, to the JTAC case
References
Juniper support: https://www.juniper.net/customers/support/
J-Net community forums: http://forums.juniper.net/jnet/
OID / MIB explorer: http://contentapps.juniper.net/mib-explorer/navigate.jsp
Juniper firewall migration tool: https://partners.juniper.net/partnercenter/tools-resources/fulfill-order/juniperfirewall-migration-cloud/index.page
Collecting SRX debug information for JTAC: http://kb.juniper.net/library/CUSTOMERSERVICE/GLOBAL_JTAC/technotes/JSRXDebugInfo.pdf
VPN Troubleshooting: http://kb.juniper.net/kb/documents/public/resolution_path/J_visio_kb10093.htm
SRX HA configuration tool: http://www.juniper.net/support/tools/srxha/