
Juniper SRX -- Concepts: Understand and explain our supported SRX offerings

*********THIS ONE ***********


===========================================================================
2nd tier device
NO NATs OR VPNs
Will have segment T1_T2 on the ASA to send to the Juniper.
Typically used when defense in depth is required, e.g. PCI.
Current supported version: SRX 12.1X44-D45.2
SRX100  - 700 Mbps throughput, 384 security policies
SRX240  - 1.8 Gbps throughput, 4096 security policies
SRX1400 - 10 Gbps throughput, 40,000 security policies
do show int (Cisco) ---> run show interfaces terse
Supported Features
Feature                   Description                                                              IPv4  IPv6  General
Multiple Segments         The ability to host more than one internal segment behind the device    Y     Y     N/A
Traffic Filtering         Permit/Deny traffic via the use of traffic policies                      Y     Y     N/A
NAT/PAT                   Address translation                                                      Y     N/A   N/A
Interface Trunking        Multiple segments/VLANs on a shared interface                            N/A   N/A   Y
ALG / Layer 7 inspection  Support for built-in application inspection (DNS, FTP, etc.)             Y     Y     Y
Screens (Mitigation)      Attack mitigation policies (assuming they have passed the 1st tier FW)   Y     Y     Y
Syslog                    Offloaded syslog monitoring                                              N/A   N/A   Y
SNMP                      SNMP r/o monitoring                                                      N/A   N/A   Y
Backup                    Configuration backup integration with torq                               Y     -     Y
HA Active/Standby         Hardware availability Active/Standby                                     Y     Y     Y
Unsupported Features
Feature                     Description
VPN IPsec/SSL               Termination of encrypted traffic on the Juniper device
Multi-tenancy               Context/Virtualization of Juniper devices
HA Active/Active            Hardware availability Active/Active
Dynamic routing protocols   RIP, EIGRP, OSPF, BGP
Application Firewall/IPS    High-level layer 7 filtering
Transparent Mode            Layer 2 firewall configuration
Multicast                   Multicast
Unified threat management   Anti-Virus/Web Filtering
Stand-Alone
SRX 240H2
Port    Use                   Cable Type   Switchport Mode
0       DRAC                  Standard     Access
1       Reserved***           N/A          N/A
2       T1-T2-XCONN*          Standard     Trunk
3       INSIDE**              Standard     Trunk
4       DMZ                   Standard     Trunk
5       Reserved***           N/A          N/A
6 - 15  Additional Segments   Standard     Trunk
High Availability
SRX 240H2
Port    Use                   Cable Type   Switchport Mode
0       DRAC                  Standard     Access
1       Control Link          X-Over       Direct to peer
2       T1-T2-XCONN*          Standard     Trunk
3       INSIDE**              Standard     Trunk
4       DMZ                   Standard     Trunk
5       Fabric (Data) Link    X-Over       Direct to peer
6 - 15  Additional Segments   Standard     Trunk

Juniper SRX -- Concepts: Understand and explain the configuration management system
***********THIS ONE************
===================================================================================
https://www.juniper.net/documentation/en_US/junos12.1/topics/concept/junos-cli-operational-configuration-modes-switching-overview.html
Rene Juniper PPT
configure or edit to go into configuration mode: user@host#
user@host> is operational mode
To run operational mode commands in configuration mode, type run before the command (e.g. run show interfaces terse).
RUN UNIX SHELL
start shell
To move security policies:
insert security policies from-zone A to-zone B policy NEW before policy OLD
***************
I messed up too much with the configuration and I don't know if it's safe to commit anymore! What can I do?
If you don't want to lose a lot of work: show | compare
It will show you the pending changes
If you just want to start from scratch: rollback 0
Similar to copy start run on Cisco
Or you can just exit the appliance and don't save when asked
***************

Juniper SRX -- Configurations: Configure static routes
********THIS ONE*************
======================================================
http://www.juniper.net/techpubs/en_US/junos15.1/topics/example/routing-protocolstatic-security-basic-set-of-route-configuring-cli.html
[Topology diagram: SRX A (loopbacks 10.0.0.1 and 10.0.0.2) connects to SRX B over the 172.16.1.0/24 link (SRX B side 172.16.1.2); the customer networks (192.168.47.5) sit behind SRX B.]
SRX A
set interfaces ge-1/2/0 unit 0 description A->B
set interfaces ge-1/2/0 unit 0 family inet address 172.16.1.1/24
set interfaces lo0 unit 57 family inet address 10.0.0.1/32
set interfaces lo0 unit 57 family inet address 10.0.0.2/32
set routing-options static route 192.168.47.0/24 next-hop 172.16.1.2
SRX B
set interfaces ge-1/2/0 unit 1 description B->A
set interfaces ge-1/2/0 unit 1 family inet address 172.16.1.2/24
set interfaces lo0 unit 2 family inet address 192.168.47.5/32
set interfaces lo0 unit 2 family inet address 192.168.47.6/32
set routing-options static route 0.0.0.0/0 next-hop 172.16.1.1

show route
show routing-options
Juniper SRX -- Troubleshoot: Troubleshoot using log entries
===========================================================
http://kb.juniper.net/InfoCenter/index?page=content&id=KB15779&actp=search#Log_files_and_Syslog
Log Files
System messages can be viewed in the log files with the 'show log messages' command. Variations of the command are as follows:
Commands:
show log                          List all log files available
show log messages                 Show the log file from the beginning
show log messages | last          List the last log messages
show log messages | match LOGIN   Search within the log
monitor start <file>              Send logs to the terminal (like tail -f)

Logs play an important role in identifying and fixing problems. On Juniper devices there are different ways to configure logging: you can configure a Juniper device to send log messages to a log server on the network, or keep them on the device itself.
JunOS is the heart of Juniper devices and works just perfectly. Today I will show you how to configure logs on a Juniper SRX, kept on the device.
Configure Logs in Juniper SRX

You can configure logs in JunOS at the [edit system syslog] hierarchy. Different types of logs can be configured to capture different messages. Let's start with the factory default log configuration. When the device is freshly installed with the latest version of JunOS, three logs are configured by default. You can view them by typing the show system syslog command in configuration mode.
[edit]
root@MustBeGeek# show system syslog
syslog {
    user * {
        any emergency;
    }
    file messages {
        any any;
        authorization info;
    }
    file interactive-commands {
        interactive-commands any;
    }
}
As you can see, the factory default configuration has three logs configured. Two are sent to files, whereas one is displayed to the logged-in user. Every log has a facility level and a severity level. The facility is the type of log message being sent and the severity is the importance of the message. The first log defined above has a facility of any with a severity of emergency and is displayed to every user logged in to the device. The second log has the facility authorization with severity info (in addition to any at severity any) and is sent to the file named messages. The third log has the facility interactive-commands with severity any and is sent to the file named interactive-commands.
Apart from the default logs, you might want your own control over the logs being sent to files. Let's create a log for policy sessions from the untrust zone to the trust zone. First you have to specify session-init and session-close under the security policy.
[edit security policies from-zone untrust to-zone trust policy MailAccess]
root@MustBeGeek# show
match {
    source-address any;
    destination-address ExchangeServer;
}
then {
    permit;
    log {
        session-init;
        session-close;
    }
}
Now let's configure the log file under the [edit system syslog] hierarchy. We will configure a file named SessionsLog that matches on the RT_FLOW_SESSION keyword. You can configure different parameters for different types of logs, and different match expressions to meet your needs. Here we use the match RT_FLOW_SESSION expression so that only session messages are written to this file.
[edit system syslog]
root@MustBeGeek# set file SessionsLog any any
[edit system syslog]
root@MustBeGeek# set file SessionsLog match RT_FLOW_SESSION
[edit system syslog]
root@MustBeGeek# set file SessionsLog archive size 1m files 3

[edit system syslog]
root@MustBeGeek# show
user * {
    any emergency;
}
file messages {
    any any;
    authorization info;
}
file interactive-commands {
    interactive-commands any;
}
file SessionsLog {
    any any;
    match RT_FLOW_SESSION;
    archive size 1m files 3;
}
Some useful commands for viewing and maintaining logs are:
1. You can now view the logs by typing the following command in operational mode.
   root@MustBeGeek> show log SessionsLog
2. You can also view real-time log messages of the log file by typing the following command in operational mode.
   root@MustBeGeek> monitor start SessionsLog
3. The log files are in the /cf/var/log location. You can list them with the following command, which shows the configured log files.
   root@MustBeGeek> file list /cf/var/log
4. To delete a log file from there, issue the following command.
   root@MustBeGeek> file delete /cf/var/log/SessionsLog
5. You can also delete log files and some temporary files by typing the following command.
   root@MustBeGeek> request system storage cleanup
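An added example (not from the page or from Juniper): a Python parser for the session-init/session-close messages that the MailAccess policy writes into SessionsLog, which is what you would run over a copy of the file (or over what the remote syslog server collects, per the streaming section below) to see per-policy session counts, bytes and sessions that opened but never closed. The sample lines are constructed following the unstructured RT_FLOW_SESSION_CREATE/CLOSE layout; the host name, addresses, session ids and counters are assumed values.

```python
import re
from collections import Counter
# Constructed sample lines in the unstructured RT_FLOW layout (host, addresses, session ids assumed).
SAMPLE_LOG = """\
Jun 10 10:01:02 srx RT_FLOW: RT_FLOW_SESSION_CREATE: session created 203.0.113.10/51234->192.0.2.25/25 junos-smtp 203.0.113.10/51234->192.0.2.25/25 None None 6 MailAccess untrust trust 4001 N/A(N/A) ge-0/0/0.0
Jun 10 10:01:05 srx RT_FLOW: RT_FLOW_SESSION_CREATE: session created 203.0.113.11/40000->192.0.2.25/25 junos-smtp 203.0.113.11/40000->192.0.2.25/25 None None 6 MailAccess untrust trust 4002 N/A(N/A) ge-0/0/0.0
Jun 10 10:01:09 srx RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 203.0.113.10/51234->192.0.2.25/25 junos-smtp 203.0.113.10/51234->192.0.2.25/25 None None 6 MailAccess untrust trust 4001 12(1800) 10(2200) 7 N/A(N/A) ge-0/0/0.0
Jun 10 10:01:30 srx sshd[1234]: Accepted password for root from 203.0.113.5 port 2222
"""

# Common fields: 5-tuple, service, NAT tuple, NAT rules, protocol, policy, zones, session id;
# a CLOSE line additionally carries client/server packet(byte) counters and the elapsed time.
FLOW_RE = re.compile(
    r"RT_FLOW_SESSION_(?P<event>CREATE|CLOSE): session "
    r"(?:created|closed(?: (?P<reason>[^:]+))?):? "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+) (?P<service>\S+) "
    r"\S+/\d+->\S+/\d+ \S+ \S+ (?P<proto>\d+) (?P<policy>\S+) (?P<szone>\S+) (?P<dzone>\S+) "
    r"(?P<sid>\d+)(?: \d+\((?P<cbytes>\d+)\) \d+\((?P<sbytes>\d+)\) (?P<elapsed>\d+))?"
)

def parse_flow_line(line):
    """Return a dict for one RT_FLOW_SESSION_CREATE/CLOSE line, or None for any other message."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "proto", "sid"):
        rec[key] = int(rec[key])
    if rec["elapsed"] is not None:  # only CLOSE lines carry the counters
        rec["elapsed"] = int(rec["elapsed"])
        rec["bytes"] = int(rec["cbytes"]) + int(rec["sbytes"])
    return rec

def summarize(log_text):
    """Per-policy create/close counts, bytes per policy, and session ids still open at end of log."""
    created, closed, bytes_by_policy = Counter(), Counter(), Counter()
    open_sessions = {}
    for line in log_text.splitlines():
        rec = parse_flow_line(line)
        if rec is None:
            continue  # not a session event (e.g. the sshd line); the match filter would drop it anyway
        if rec["event"] == "CREATE":
            created[rec["policy"]] += 1
            open_sessions[rec["sid"]] = rec
        else:
            closed[rec["policy"]] += 1
            bytes_by_policy[rec["policy"]] += rec.get("bytes", 0)
            open_sessions.pop(rec["sid"], None)
    return {"created": dict(created), "closed": dict(closed),
            "bytes": dict(bytes_by_policy), "open": sorted(open_sessions)}
```

Session 4002 shows up under "open" because the constructed log has its CREATE but no CLOSE, which is the kind of gap worth checking against the archive rotation (size 1m files 3) before treating it as a long-lived flow.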

Possible traceoptions

Overview
For SRX High-End devices, security logs such as traffic and IDP logs are streamed through the traffic interface ports to a remote syslog server. You can also configure security logs to be handled through the eventd process and sent with the system logs.
SRX High-End devices do not send session logs to the Routing Engine (RE). Because system logging is performed on the RE, session or traffic logs cannot be written to the RE file system. Therefore, all traffic logging must be sent to a remote syslog server. Because fxp0 belongs to the RE, the remote syslog server must be reachable by an interface on an IOC. Traffic logging cannot be sent out through fxp0.
CLI Configuration
To send traffic (security policy) logs to a remote syslog server, you must configure the following:
  Send security log messages to a remote syslog server.
  Enable logging on security policies.
1. Send Security Log Messages to a Remote Syslog Server
The following example specifies that security log messages in structured-data format are sent from 10.30.30.1 to a remote syslog server at 192.30.80.76.
Specify that the IP address of the source system is 10.30.30.1 (for example, the SRX Series device's loopback or other interface IP address).
user@host# set security log source-address 10.30.30.1
Specify that the messages are streamed to a remote log server with an IP address of 192.30.80.76.
user@host# set security log stream trafficlogs host 192.30.80.76
Overview
You can use traffic logs to track usage patterns or troubleshoot issues for a specific policy. You can configure a policy so that traffic information is logged when a session begins (session-init) and/or closes (session-close).
To generate traffic logs for multiple policies, you must configure each policy to log traffic information. You also must configure syslog messages with a severity level of info or any. In the default configuration, these messages and all other logging messages are sent to a local log file named messages.

Juniper SRX -- Troubleshoot: Troubleshoot connectivity by verifying security policy allow/deny actions (match policies)
=======================================================================================================================
https://www.juniper.net/documentation/en_US/junos12.1/topics/reference/command-summary/show-security-match-policies.html
show security match-policies from-zone z1 to-zone Z2 source-ip 8.8.8.8 destination-ip 192.168.100.50 source-port 5555 destination-port 443 protocol tcp
Juniper SRX -- Troubleshoot: Restore a configuration from a TORQ backup
*********THIS ONE*********
=======================================================================
start shell ---> get into unix
Copy a File Using Secure Copy Protocol (scp)
To use scp to copy a local file to a remote system, enter the following command:
root@host> file copy filename scp://user@hostname/path/filename
In the following example, /config/juniper.conf is the local file, user is the username, and ssh-host is the scp server:
root@host> file copy /config/juniper.conf scp://user@ssh-host/tmp/juniper.conf
user@ssh-host's password: ******
juniper.conf    100% |*****|  2198    00:00
scp configname sso@ip:disk0:configname
load override /var/tmp/filename
commit
http://kb.juniper.net/InfoCenter/index?page=content&id=KB21134&actp=search
They give nothing
============================================================================
Juniper
An SSH connection is established using the TACACS ID backups to the device's DRAC IP from the applicable DC's IP range on port 22.
There are three phases to backing these devices up:
Version - show version to get the configuration
running-config - show configuration | display set
finalize - Perform a commit to save the configuration and then properly close the SSH connection.