
Junos Fundamentals Series

Day One: Deploying SRX Series Services Gateway

By Barny Sanchez

SPECIAL EDITION

The special edition of Day One: Deploying SRX Series Services


Gateway is meant for easy copying and pasting of the automation
scripts and configurations. Xx's are used to blank out much of the
copyrighted material, and whatever remains is left for you to find your
place in the material.

By using this special edition, you agree to use the material in this
document at your own risk. Juniper Networks assumes no
responsibility whatsoever for any inaccuracies in this document.

2011 by Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks
logo, Junos, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the
United States and other countries. Junose is a trademark of Juniper Networks, Inc. All other
trademarks, service marks, registered trademarks, or registered service marks are the property
of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this
document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise
this publication without notice. Products made or sold by Juniper Networks or components
thereof might be covered by one or more of the following patents that are owned by or licensed
to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650,
6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918,
6,567,902, 6,578,186, and 6,590,785.

Chapter 1
Different Ways to Manage an SRX
Connecting Via the Console . . . . . . . . . . . . . . . . . . . . . . . . 6
Connecting Via the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Connecting Via the J-Web . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Connecting Via Network and Security Manager . . . . . . 8
Consoling to an SRX Device for the First Time. . . . . . . . 9

Xxx XXX xx x xxxx xxxxxxxx xxxxxxxx xxxxxxxx xxx xxxxxxxxxx xxxxxxxxxxxxx xxx
xxxxxxxxxx xxxxx xxxxxxx xxx xxx xxxxxxx xx xx xx xxxxxxxx xxxx. Xxxxxxx xx xx x
Xxxxx xxxxxx, xxx xxxx xxx xxxxxx xx xxxxxx x XXX xxx xxx xxxxxxx xxxx, xxx xxxxxxx
xxxx xxxxxxxxx (XXX), xxx xxx xxxxxxxxx (X-Xxx), xxx Xxxxxxx xxx Xxxxxxxx Xxxxxxx
(XXX), xx xxxxxxx xxxx xxxx xxxxxxxxxxxxx xxxxxxxxxx, xxxx xxxxxxxxxxx xxx
xxxxxxxxxx xxxxx. Xxxx xx xxxxx xxxxxxxxxx xxxxxxx xxxxx xxxxxxx xx xxxxxxx
xxxxxxxxxxxxx. Xxxxxxxxxxxx, xxxxx xxxxx xxxxxx xxxxxxxxxxxxx xxx xxxxxxxxxx
xxxxxx xx xxx xxxxxxxxx xxx xxx xxxxxxxxxx, xxx xxxxxxxxx xx xxxxxxxxxx xxxx xx
xxxxxxxx xxxx xxxx xxxxxx, xxxx xxx xxx xxxxxx xxxx xx xxxx xxx xxxx xxxxxxxxxxx.
Xxxx Xxx Xxx xxxx xxxxxxx xx xxxxxxxxxxxxx xxx xxxxxxxxxx xxx xxx Xxxxx xxxxxxx
xxxx xxxxxxxxx (XXX), xxx xxxx xxxxx xxx xxxxx xxx xxx X-Xxx xxxxxxxxx xxx xxxx xxx
Xxxxxxx xxx Xxxxxxxx Xxxxxxx. Xxxx xxxxx-xxxxxxxxxxx xxxxxxxx xxxxxx xxxxxxx xxxx
xxxxxxxxxxxxxx xx xxx XXX.

Connecting Via the Console


Xxxxx XXX xxxxx, xxxx xxx xxxxxxxx xx xxx xxxxxxx, xxx x XX45 xxxxxxx xxxxxxxxxx
xxxx xx xxxxxxxx xxxxxxxxxx. Xx xxxx xxxxxxxxxx xxx xxx xxxxxxx xxx xxxx xx xxxxxxxx
xx x xxxxxxxx xxxxxx xxxxxxxxxx xxxxxxxx xxxx xxxx xxxxxxxx, xx xxx x xxxxxxx xxxxxx.
Xxxx xxxxxxxxxx xxxxxx xxxx xxx xxxxxxx xxx xxxxx xxxxxxxxxxxxx xx xxx XXX xxx xxx
xxxxxx xxxxxxxxxx xxxxxxxxx xx xxx XXX.
Xxxxx xxx xxxxxx xx xxxxxxxxxxx xx xxxx xxx xxx xx xxx xxxx xxxxxxxxxx xxxxxx, xxx
xxx xxxx xxxxxx xxx xxxxxxxxxx xxxxxxx xxx xx xxx xxxx xxxxxxxx xxxx xx xxxxxx xxx
xxxxxx.
Xx xxxxxxx xxx xxx xxxxxxx xxx xxxx: xxx xxxxxxxx xxxxxxx xxxxx, x xxxxxxxx xxxx x
xxxxxx xxxx (xx x XXX xx Xxxxxx xxxxxxx), xxx x xxxxxxxx xxxxxxxxx xxxxxxxxxxx
xxxxxxx xx xxx xxxxxxxxx xxxxxxxx.

Connecting Via the CLI


Xxxx xxxxxx xxxxxx xx x xxxxxxxxxx xxx x xxxxxxxxx xxxx xxxx xxx xxxxxxx, xxxx xxxxxx
xxx xxxxxx xxxxxxxxx xx, xxxxx, xxx XXX, xxx xxx xxxxxxxxx xxxx xxx xxxxxxxx xxxxxx
xxxxxxx xxx xxx xxxxxxx xxxx, xxx xx xxxxxxxx xxxx xxxxxxx xxxxxxxxxxxxx, xxx xxxx
xxxxxxxxxxx xxxxx xxxx xx XX xxxxxxx xxx xxxxxx xxxx xxx xxxxxxxx.

Xxxx xxxxx xxx xxx xxx? Xxxxx xxxxxx xx xx xxxx xxxxxxxxxx xxxxxxxxxxxx, xxx
xxxxxxxxx xxx xxxx, xx xxx xxxxx, xxx xx xxxxxxxxxx xx xxxxxx xxxxxxxxxx xxxxxxxxxxx.
Xxxxx xxx xxx xxx xxxxxxx xxxx xx XX xxxxxxxxxx, xxx xxx xxxxxxxx xxxxxx xxxxx x
xxxxxxxx Xxxxxxxx xxxxx xxxxx, xx xxx xxx xxxx xx xxxxxxxxx xx xxxxx xxxx (xxxxxxxx,
xx xxxxxx, xxxx xxx xxx xxxxx xxx xxxxxxxxxx XX xxxxxxx).
Xxxxxxxxx, xxxxx xxxxx xx xxxxxxx xxxxxxxxxxxxx xxx xxx xxxxxxx, xxxx
xxxxxxxxxxxxxx xxxxxxxxx xxx xxxxxxxxx xxxxxxxx xx xxxxx xxxxxx xxxxxx xx xxx
xxxxxx xxx xxxxxxxxx xxxx XXX xxx xxxxxx. Xxxxx xxx xxxxxxx xxxxx xx xxxxxx xxxxxx
xxxxxx xxxxxxxxxx xxx xxx XXX, xxx xxxxx xxx xxxxx xx xxxxxxxxxx xxxxxxxx xx xxxx
xxxx.
Xxxxx xxx xxxxxxxxx xx xxx xxxx xx xxxx xxx xxxxxxx xxx xxx xxxxxxx, xxxx xxxxxxxx
xxx xxxxxx xxx xxx xxxxx xxx xxxx xxxxxxxxx xxxxx xxxx xxxx xxxxx xxxxxxxx, xxx xxxx
xxxxxxxxx xxxxx xxx xxxxxxx xx xxxxxx xxxxxxxx, xxxxxxxxxx xxxxxxxxxxxxxx
xxxxxxxxxxx, xxx xxx xxxx xxxxx.
NOTE

The SRX3400/3600 and SRX5600/5800 also have a dedicated management port that is separate from
the console. This port is exclusively for management purposes, and if you have an out-of-band
management network, it is best to use it. Known as fxp0, this interface exists in the control plane
of the SRX and cannot be used for user data traffic, which helps guarantee that the dedicated
management channel remains open if the data plane is disrupted.

Connecting Via the J-Web


X-Xxx xx x xxxxxxxx xxx-xxxxx xxxxxxxxx xxxx xxxxxx xxx xx xxxxxx xxx XXX xxx x
xxxxxxxxx xxxxxxxxx xx x xxx xxxxxxx. Xxxx xxxxxxxxxx xx xxxxxxxxx xx xxx XXX
xxxxxxxxx, xxx xx xxxxx.
Xxxxxxxxxx xxx xxx X-Xxx xxx xxxxxxx xxxxxxxxxxxx xx xxxxxxxxxx xxx xxx XXX. Xxxx
xxxxxxx xxxxxxxxxxxxx xxxxx xx xx xxxx, xxxx xx xxxxxxx xx XX xxxxxxx xxx x xxxxxx
xxxx, xx xxxx xx xxxxxxx xx xxxx xxxxxxxxxx xxxxxxxxxx xxxxxxx. Xx xxxx xx xxx xxx
xxxxx xxx XX xxxxxxx xxxxxxxxxx xx xxx xx xxx xxxxxxxxxx, xxx xxx xxxxxxxxxxxxx
xxxxxxxx xxx xxxxxx xx, xxxx xxx xxx xxxxxx xxx xxxxxxxxx xxxxxxxxx, xxxx xxxx xxxxx
xxxx. Xxxxx, xxx xxx xxxxxxx xxx xxxxxxxx xx x xxx xxxx xxxxx, xx xxxx xxxxx.

Xxxxx xxx X-Xxx xxx xxxx xxxxxxxxxxx xxxx xx xxxxx xx xxxxxxxx xxxxxxxxxxxx
(xxxxxxxxx), xx xxxxxxxx xxxx xxxxxx xxxxxxx xxxxxxxx xxxx xxx xxxxxxx xxxx xxx
xxxxxxxxx xxx xxxxxxx xxxxxx xx xxx xxxxxx. Xx xxx xxxxxx xxxx xxxxxx xxxx xxx XXX
xxx xxx xxxxxxxx xxxxxx, xxx xxx xxxxxx xxxx xxx xxxxx xxxxxxx xxxxxxxxxx xx xxxxxxx
xxx xx xxxxxxxxx xxxxxxxxx xxxxxxxx xx xxx XXX.
TIP

Using the J-Web is sometimes the preferred connection method for administrators who are
accustomed to managing other vendors' devices via graphical interfaces.

Connecting Via Network and Security Manager


Xxxxxxx xxx Xxxxxxxx Xxxxxxx (XXX) xx Xxxxxxx Xxxxxxxx xxxxxxxxxx xxxxxxxx xxx
XXX xxxxxxxxx. Xxxxxxxxxxx xxxxxxxx xx XXX, xxxx xxxxxxxxxx xxxxxx xx xxx xxxxxxx
xx xxxx XXX xxxxxxx, xxx xx xxxx xx xxx xxxxxxxxxxx xxxxxx xxxx xx Xxxxxxx Xxxxxxxx
xxxxxxxxx, xxxxxxxxx xxxxxxx, xxxxxxxx, xxxxxx xxxxxx xxxxxxx (XX), xxxxxxxxx
xxxxxxxxx xxx xxxxxxxxxx xxxxxxxxxx (XXX), xxx xxxx.
Xx xxx xxx xxxxxxxx xx xxxxxx xxxxxx xx xxxx xxxxxxxx xx XXX xxxxxxx, xxxx xxx xxxx
xxxxxxxx XXX. Xxxx xx xxx xxx xxxxxxxx xxxxxxxxxxxx xxxxx, xxx xxxx xxxx x xxx
xxxxxx xxx xxx xxxx xxxxxxx xx xxx xxxxxx xxxxxxx, xxxxxx xxxx xxxxx xx xxxxxxxxxx x
xxxxxxx xxxxxxxxxx xxxxxxxxx, xxxxxxxxx xxxxxx xxxxxxxxx.
Xxxxxxxxxxxx xxx xxxxxxxxx xx XXX xxxxxxxx x xxxxx Xxx Xxx xxxx xx xxxxxx, xx xxxx
xxxxxx, x xxxxx xxxxxx xx Xxx Xxx xxxxx, xxx xxxxx xx xxxxxxxx Xxxxxxx Xxxxxxxx
xxxxxxxxxxxxx xxx xxxxxxxxx xxxxxxxx xx xxxxx xxx xxxx xxx xxxx xx xxxxx xxxxx xxxx
xxxxxxx. Xxxx xxxx xxxxxxx xxxxx xxx xxx xx xxxxxx xxx XXX xxxxxxx xxxx XXX, xx xxx
xxxxxxx xxxx XXX xx xxxx xxxxxxx, xxx xxxx xxx xxx xxxx xx xxxx xxxxx.
Xxxxx xxxx xx xxxxx xxxxxxxxx xx XX xxxxxxx xxx xxxxxxxxxx xxxxxxxx xxxx xxx XXX
xx xxxx XXX xxx xxxxxx xxxx xxxxxxxx, xxx xxxxxxxx xxxx xxxx XX xxx xx xxxxxxx xxxx
xxx XXX xxxxxx, xxx xxx xxxx xxxxxx xxx xxxxxx xxx xxxxxxxxx xxxxxxxxxxx xxxxxxx
xxxx xxxx.

Xx xxxxx xx xxxxxxxxxxx, xxx XXX xx xxx xxxxxxxx xxx xxxxx xxxx xxxxxxxxx, xxx xx xxx
xxxxx xxxx, xx xx x xxxx xxxxxxxx xxx xxxxxxx xxxxxx, xxx xxxxxxx xxxx xxxxxxx xx
xxxxxxx xxxxxxxxx. Xx xx xxxxxxxxxxxxxx xxxx xxx xxxxx xx XXX xxx xxx xx xxx
xxxxxxxx xxx xxxxxxxxx xxx xxx xxxxxxxxxxx.
MORE?

There is so much more to NSM than what's discussed in these few paragraphs. If you want to
learn more about it, start by reviewing the product specifics from the Juniper Networks website at
www.juniper.net/us/en/products-services/network-management/. Training information is
available at www.juniper.net/us/en/training/technical_education/.

Consoling to an SRX for the First Time


Xx xxx xxx xxx xxxx xxxxxxxx xxxx xxxxxxxxxx xxx xxx xxxxxxx xx xxxxxxxxxxx xxxxx
xxxxxxx xxx xxxxx xxxxxxxxxx xxxxxx xxxx xxxxx xxx xx x xxxx xxxxxxxxx xxxx xxx
xxxxxxx xxxxxxxx xxxxxxxxxx xxxxxxxxxxxxx xx xxxx xxxxxx xxxx xx xxxxx xx xxxxxxx xx
xxxxxxxxxx xxxxxxxx.
Xxxx xxxx xxxxx xxxx xxx xxx xxxx-xxx XXX xxxxxxxxx (XXX3400/3600 xxx
XXX5600/5800). Xxxxx xxxxxxxxx xx xxx xxxx x xxxxxxxx xxxxxx xx xxxxxxxxxx xxxxx
xxx-xx-xxx-xxx, xxx xxxxx xxxx xxxx xxx xxxxxxx xxxxxxx, xxx xxxxxxxxxxxxx xx
xxxxxxxx xx xxxxxxx xxx xx xxxxx xxxx xxx xxx xxxxxxx xx xxxxxx xx xxxxxxx
xxxxxxxxxxxxx xxxxxxxx xxxx xxxx xx xxxxxx xxxxxx.
Xxx xxx XXX xxxxxx xxxxxxxxx xxxxxxx (xxx XXX100, 210, 240 xxx 650) xxxx x xxxxxxx
xxxxxxx xxxxxxxxxxxxx xxxx xxxxxxx xx xxxxxxxxxxxxx xx xxxxxxx xx xxxx xxx xxxx xx
xxx xxxxx xxxxxxx xxxxx xxx-xx-xxx-xxx.
NOTE

Understanding the different aspects of the factory default configuration that enables this access
requires you to study a few more missing pieces, but for now, let's focus on the console
connection.
Xx xxxxxxx xxx xxx xxxxxxx xxx xxxx: xxx xxxxxxxx xxxxxxx xxxxx xxxx xxxx xxxx xxx
XXX xxxxxx, x xxxxxxxx xxxx x xxxxxx xxxx (xx XXX xx Xxxxxx xxxxxxx), xxx x xxxxxxxx
xxxxxxxxx xxxxxxxxxxx xxxxxxx xx xxx xxxxxxxx.

To Console to an SRX for the First Time:

1. Connect the provided console cable to your computer, and at the other end, to the port of the
SRX.
2. Xxxx xxxx xxxxxxxx xxxxxxxxx xxxxxxx (xxxx xx Xxxxx Xxxxxxxx xx Xxxxxxx).
3. Xx xxx xxxxxxxxxxx, xxx xxx xxxx xxxxxxxx (XXX xxxx xxxx xxxxxxxxxx xxx xxxxxx
xxxxxxxxxx) xxxx xxx xxxxxxxxx xxxxxxxxxxx:
- Bits per second: 9600
- Data bits: 8
- Parity: None
- Stop bits: 1
- Flow control: None
4. Xxxxx Xxxx xx Xxxxxxx (xxx xxxxxxx xx xxxxxxxxxxx xxxxxxxxx).
TIP

If you are an Apple user you're not out of luck. Connecting to the console of your device is just
as easy. After connecting your USB-to-Serial adapter, find out the name of the device
($ ls /dev/), and once you know this, open a terminal window and type
$ screen /dev/[device_name] 9600.
Xxxxx xxxxxxxxxx xxx xxxxx xxxxxx xx xxx xxxxxxxxx xx xxx xxxxxx. Xxxxxxxxx xx xxx
xxxxx xx xxx xxxx xxxxxxx xx xxxxx xxx xxxxxxxxx, xxx xxx xxx x xxx xx xxxxxxxxxxx
xxxxx xxxxxxxxx. Xxx xxxxxxxx xxxx xxxxxx xxx x xxxxxx xxxx xx xxx xxxx xxxxxxx, xxx
xxxxx xxx xxxxxx xxxxxxxx xxxx xxxxxxxxxxxxxxx xxxx-xxxxxxx xxxxxxxx, xx xxxxx
xxxxxxxxxx xxxx xxxxxxxx xxxxxxxxxx.
Xxxxxxxx xxxx xxxx xx x xxxxx xxx, xx xxxxxxx xxxxxxxx xxxxxx, xxx xxxxxx xxx xxxx x
xxxxx xxxxxx xxxx xxxx (xxxx xxx xxxx Xxxxxxxx, xxxxx xx Xxxxxxxx xxx xx xxxxxxxx
xxxx x xxxxxx xxx xx xxxxxxx xxxxxxxxxxxxx):
Amnesiac (ttyu0)
login:

Xx xxx xxxxx xxxx xxx XXX xxx xxxx xxxxxxxxxxxxx xxxxxxx xxxxxxxxx (xxxxx xxxx xx
xxx x xxx xxxxxx), xxxx xxx xxxxxx xx xxxxxxxxx. Xxx xxxxxx xxxxxxxxxxxxx xxx xxxx,
xxxxxxxxx xxxxxxx xxx xxxxxxxxx xxxxxxxxxxxxx xxx x xxxxxx xx xxx, xxx xxxxxxx, xxx
xxx xxx xxxxx xx xxxx xxx xxxx Xxxxxxxx xxxx xxx xx xxxxx. Xx xxxxxxx:
srx210-1 (ttyu0)
login:

Xx xxx xxxx xxxx xx xxxx xxx xxx xxxx xxxx xxx xxxxxx, xxxx xx! Xxx xxx xxx xx xx xxx
XXX xx xxxxx xxx xxxxx xxxx xxxx xxx xxxxxxxx [Xxxxx] xxx xxx xxxxxxxx. Xx xxx xx xxx
xxxx xxx xxxxxxxxx xxxxxxx xx xxxx:
--- JUNOS 10.1R1.8 built 2010-07-12 18:31:54 UTC
root@%

Xx xxx xxx xxxxxx xx xxx xx xxxx xxx xxxxxxxx xxxx xxx xx xxxxxxxx, xxxx xxxxx xxxx xxx
xxxxxx xxx x xxxxxxxxx xxxxxxxxxxxxx xxxx xxx xxxxxxx xxxxxxxx. Xx xxx xxxx xxxx xxx
xxxxxxxx xx xxx xxxx xxxxxxx, xx xx xxxxxxx xxxxxxx xxxx xxxxx-xxxx xxxxxxxxxx, xxxx x
xxxxxxxx xxxxx xx xxxxxx. Xxx xxxxxxx xx xx x xxxxxxxx xxxxxxxx xxx xx xxxxx xxxx:
xxxx://xx.xxxxxxx.xxx/XX12167.
Xxxx xxxx! Xxxx xxx x xxx xx xxxx xx xxxxxxx xxxxxxxx xxxxx xxx xxx xxxxx xx xxxxx x
xxxxxx xxxxxx xxxx xxx xxxxxxx. Xxx xxxxxxxxx xx xxx xxxx xxxxxxx xx xx xxxxxx xxx
xxxxxxx xxxx xxxxxxxxx, xxx xxx xxxx xxxxxxxxxx xx xxx xxxxxxx xxxxxxx
xxxxxxxxxxxxx.

Chapter 2
Operational and Configuration Modes
Interfaces and Security Zones. . . . . . . . . . . . . . . . . . . . 14
The Factory Default Configuration. . . . . . . . . . . . . . . . 17
Introducing a Work Topology. . . . . . . . . . . . . . . . . . . . . 19

Xxxxxx xx Xxx Xxx xxxxx xxx xxxxxxxxxx xxxxxx xxx xxxxxxx xxxxxxxxx xxxxx xxxxxxx
Xxxxx xxxxxxxxxx, xx xxx xxx xx xxxxxxxxx xxx xx xx xx xxxxx xxxx.
Xxxxxxx Xxxxx xx x xxxxxxxx xxxxxx xxxxxx xxx xxxxxxxxxxx xxxx xxxxxxxxxxxx xxxx
xxxxxxxx xxxxxxxx (xxxxxx xxxxxxxx xxxxxxxxxx xx) xxxxxx xxxx xxxxxxxx xxxxxxxx
(xxxxxx xxxxxxxx xxxxxxxxx). Xxxx xxxxxxxx xxxxx xx xxxxxxx xxxxx xxxx Xxxxx
xxxxxxxxxx xxxxxxxxxxxx xx xxxxxxx xxxxxxxxx xxxx xx xxx XXX Xxxxxx. Xxxxx xxxxx
xxx xxxxxxxx xxxx xxxxxxxx, xxx xxxxxxxxxxxx, xx xxx xxxxxxx xxxxxxxxx.
Xxx xxxxxxx, xx XX Xxxxxx xx XX Xxxxxx xxxxxxxxxx xxxx xx xxxxxxxxx XX xxxxxxx
xxx xxxxxx xxxxxxxx, xxxxxxxxxxx xxxxxxxx xxxxxxxxxxxx xx xxxxx xxxxxxx; xxxxx xxx
XXX Xxxxxx xxxxxxxx xxxxxxxxxx xxxxxxxxxxxxx xxxxx.
Xx xxxx xxxxxxx, xxxxxx xxx xxx xxxxxxx xx xxxxxxxxx xxx xxxxxxxxxxxxx xxxxx xxxx
xxx xxx xxxxxxx xxxx, xxx xxx xxxxxxx xxxx xxx xxx XXX xxxxx xxxx X/XX/X xxxxxxx xxx
XX xxxxxxxx. (Xx xxx xxx xxxxxxxxx xxxxx xxx X-xxxxxx xxxxxxx, xxxxx xxxxxxx xxxxxxx
xxx xxxx Xxxxx xxxxxx xxxxxxxxx xx XXXx xxxxx xxxxx 9.x xxxxxxxx.)
NOTE

If you need to reinforce your knowledge of Junos operational and configuration modes, then see
the Junos Software Fundamentals Series Day One books at www.juniper.net/dayone. Also seek
out the Juniper Networks Technical Library at http://www.juniper.net/books.

Interfaces and Security Zones


Xxx XXX xxxxxxxx xxxxxxxx (xxx X-xxxxxx xxxxxxx, xxx xxxx xxxxxx) xxx x xxxxxx
xxxxxxx xxxx xxxxxxxx xx xxxxxxxx xxxxx. Xxx xxxxxxxxxxxx xx xxxxxx xxxxx xxx
xxxxxxxx xx Xxxxx xxxxxxxx xxxxxxxxxxxx.
Xxx xxxxx xxxxx xxxx xxxxxxxxxxxxxx xxxxxxx xxxxx xxxxxxxxxxx xx XX xxxxxxx xx xx
xxxxxxxxx xx xxxx xxxx xxxxxx xxxx xxxx xx. Xxxx xx xxxxxxx XXXx xxx xxxxxx-xxxx
xxxxxxx, xxx xx xxxxxxx xx xxxxxxx xx xxx xxx xx xxx xxx xxxxxxx xxxx xxxxx
xxxxxxxxxxxxx.
Xx xxxxxx xxxxxxx xx xxx xxx xx xx xxxxxxxxx, xxx xxxx xx xxxxxxxxx xxxx xxxxxxxx.
Xxxxxxx xxx XX xxxxxxx xxxxxxxx, xx xxxxxxxxx xxxxx xx xx xxxxxxxxxx xxxx x xxxxxxxx
xxxx, xxx xxx xxxxxxxx xxxx xx xxxx xxxxx xx xx xxxxx xx xxxxxxxxxxx xxxx x xxxxxxx
xxxxxxxx. Xxxx xxxxxxxxxxxx xx xxxxx xx Xxxxxx 2.1.

Figure 2.1 Interfaces, Zones, and Routing Instances


Xx Xxxxxx 2.1 xxx xxx xxx xxxx xxxxxxx xxxxxxxx xx xx xxxxxxxxx xxx xx xxx xx xxxxx
xxxxxxxxx xxxxx:
- management (or system-services), for example ping and SSH.
- protocol-related, such as OSPF and DHCP (or referred to simply as protocol).
- user data traffic, such as packets corresponding to the communication from a client to a server.
Xxxxxx xxxx xx xxxxxxx xx xxxxxxxx xx xx xxxxxxxxx xxx xxx xxxxxxx xx xxxxxxxx xxx
xxxxxx, xxxx xxxx xx xxxxx xxxx-xxxxxxx-xxxxxxx xxxxx xxxx xxxx. Xxxx-xxxxxxxxxxxxxx xxx xx xxxxxxxxxx xx xxx xxxxxxxxx xxxxxx. Xx xxxxxxxxxx xx xxx xxxx xxxxx,
xxxx xx xxxx xxxxxx xxx xxx xxxxxxxxxx xxxxx xx xxxx xxxx, xxx xxxx xxxxxxxxxx xx xxx
xxxxxxxxx xxxxx xxxx-xxxxxxx-xxxxxxx xxxx xxxxxx xxxx xxxx xxxxxxxx xxxxxxxxx. Xx
xxx xxxxx xxxx xxxx-xxxxxxx-xxxxxxx xx xxxxxxxxxx xx xxxx xxx xxxxxxxxx xxx xxxx
xxxxxx, xxxx xxx xxxxxxxxx xxxxxxxx xxxx xxxx xxxxxxxxxx. Xx xxxxx xxxxx, xxxxxxxx
xxx xxx xxxxx.

NOTE

As you can see, this can be a little tricky. Let's try another example. If you configure ping
system-services at the zone level, and try to ping an interface belonging to that zone, it will
respond properly. If you later decide to enable telnet on the same interface by configuring
system-services at the interface level, then ping will stop responding. This is because interface
settings take precedence over zone settings. To fix this and get responses again, you need to
enable ping system-services at the interface level as well.
Xxxx-xxxxxxx-xxxxxxx xxxxxxxx xxxx xx xxxxxx xx xxx xxxx xxxxxxxx xxxxxxx.
Xxxxxx xxxxxx xxxx xxx xxxxxxxxx xxxxx, xxxxx xxx xxx xxxxxxxxx xxxxxx xxx xxxxxx
xxxx:
- First, configuring system-services host-inbound-traffic is not sufficient to manage a device
via an interface. While the interface can accept those types of traffic, for some services like
telnet, SSH, FTP, and J-Web access, you also have to enable the corresponding services under
[edit system services].
- Second, host-inbound-traffic settings do not affect fxp0 interfaces, and they cannot be
configured for those interfaces. As discussed in Chapter 1, fxp0 interfaces are exclusively
for management purposes, and as long as you configure an IP address and turn on the
services under [edit system services], you can connect remotely.
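To make the precedence rule in the note and the two points above concrete, here is a small Python model that answers whether a management service would be reachable on a given interface. It is an added example by the editor, not code from the book or from Junos; the Zone class, reachable() and note_scenario() are the editor's own names. The rules it encodes are the ones stated on this page: an interface-level host-inbound-traffic list replaces the zone-level one instead of adding to it, ssh/telnet/ftp additionally need [edit system services], and fxp0 ignores host-inbound-traffic entirely (with ping on by default there).

```python
"""Model of how an SRX resolves host-inbound-traffic for a management service.

Editor's added example (not from the book or Junos). Rules encoded, as stated in
the chapter: an interface-level host-inbound-traffic list replaces the zone-level
list; ssh/telnet/ftp also need [edit system services]; fxp0 bypasses zones.
"""
from dataclasses import dataclass, field

# Services that must additionally be turned on under [edit system services].
NEEDS_SYSTEM_SERVICE = frozenset({"ssh", "telnet", "ftp"})


@dataclass
class Zone:
    name: str
    # zone-level "host-inbound-traffic system-services" list
    services: set = field(default_factory=set)
    # interface name -> its own interface-level list, or None if it has none
    interfaces: dict = field(default_factory=dict)

    def bind(self, ifname):
        """Bind an interface to this zone; fxp0 is never a zone member."""
        if ifname.startswith("fxp0"):
            raise ValueError("fxp0 is a control-plane interface and is not bound to a zone")
        self.interfaces.setdefault(ifname, None)

    def allow_on_interface(self, ifname, service):
        """Interface-level host-inbound-traffic: creating the list is what switches
        the interface away from inheriting the zone's settings."""
        self.bind(ifname)
        if self.interfaces[ifname] is None:
            self.interfaces[ifname] = set()
        self.interfaces[ifname].add(service)


def effective_services(zone, ifname):
    """The interface's own list if it has one, otherwise the zone's (precedence rule)."""
    own = zone.interfaces[ifname]
    return own if own is not None else zone.services


def reachable(zone, ifname, service, system_services):
    """Would the SRX answer `service` on `ifname`? fxp0 bypasses zones completely."""
    if ifname.startswith("fxp0"):
        # ping is on by default for fxp0; the rest depend only on [edit system services]
        return service == "ping" or service in system_services
    if service not in effective_services(zone, ifname):
        return False
    if service in NEEDS_SYSTEM_SERVICE and service not in system_services:
        return False
    return True


def note_scenario():
    """Replay the NOTE above: ping at the zone level works, adding telnet at the
    interface level silently drops ping, re-adding ping at the interface level
    restores it. Zone name and interface are constructed for the example."""
    system_services = {"ssh", "telnet", "ftp"}
    admins = Zone("admins", services={"ping"})
    admins.bind("ge-0/0/0.0")
    step1 = reachable(admins, "ge-0/0/0.0", "ping", system_services)
    admins.allow_on_interface("ge-0/0/0.0", "telnet")
    step2 = reachable(admins, "ge-0/0/0.0", "ping", system_services)
    admins.allow_on_interface("ge-0/0/0.0", "ping")
    step3 = reachable(admins, "ge-0/0/0.0", "ping", system_services)
    return step1, step2, step3


if __name__ == "__main__":
    print(note_scenario())  # (True, False, True)
```

note_scenario() returns (True, False, True): ping answers while only the zone-level list exists, stops the moment telnet alone is configured at the interface level, and returns once ping is added at the interface level too. The same reachable() function also shows the first bullet: ssh in host-inbound-traffic without ssh under [edit system services] is still unreachable.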

TIP

If you want to apply policies to fxp0 interfaces and need to do things like permitting only certain
subnets to connect, then you want to explore the SRX's use of filters. Keep this in mind, as the
functionality is discussed soon.
X xxxxxx xxxxxxxxxxx xx Xxxxxx 2.1 xxxx xxxxx xxx xxxxxxxx xx xxxxxxxx. Xxx xxxxxx
xxxxxxxxx xxxx xxxxxxx xxxx xxx xxxx, xxxxxxxx xx xxx xxxxx xxxx (xxxx xx xxx xxx xxxx
xx xxx xxxxxx), xxxxxxxx x xxxxxxxx xxxxxx xx xx xxxxxxxxx xx xxxx xxxxxxx. (Xxxxxxxx
xxx xxx xxxxxxxxxx xx xxx xxxx xxxxx, xx xxx xxx.) Xxx xxxxxxx xx xxxxxxxx xxxxxxxx
xxxx xxxxxx xxxxx xxxx (xxxx) xxx xxxxxxx. Xxxx xxxxxxxx xxxxxxxx xx xxxx xx xxxxx xxx
XXX xx xxxxxx xx xxxxxx, xxx x xxxxxx xxxxxxxxx xxxx xxxxx Xxxxx xxxxxxxxx xxxxxxx;
xxx xxxxxx xxxx xxxxxxxx xxxxxxx xx xxxxxxxxx xxxx xxx xxxx xx xxxxxxx.

Xx xxxxx xxxx xxxxxxx xxxxxx xxxx xxx xxxx xx xxx xxxxx xxxx, xxxxxxx xxxx xxxx xx
xxxx xxxx xx xxxxxxxxxx xxxxxxx (xxxxxxxx xx xxxx xxxxx xx xxxxxxxxx xxxxxxx). Xxxxx
xxxxxxxxxx xxxxxxx xx xxx xxxxxxxxxx xxx xxxxxxxx xxx xx xxxxxxxx xxxxxxxxxxx xx xxx
xxxxxxxx, xxxx xxxx xxxx xxx xxxxxxx xxxxxxxxxxx xx xxx xxxxxxxx xxxxxxxx.
Xxxxxxx, xxx xxxxx xxxxx xx Xxxxxx 2.1, xxx xxxxxx, xxxxx xxxxxxxxx xx xxx xxxxxxx
xxxxx xxxxxxxx. Xx xxxxxxx, xxx xxxxxxxxxx xxxxx xx xxxxx xxxxxxx xxxxx xxx xxxxx xx
xxx xxxxxxx xxxxxxxx xxxx.0 (XXx4 xxxxxxx xxxxx), xxxxxx xxxxxxxxx xxxxxxxxx. Xxx
xxxxxxxxxxx, xxxxxxxxxxx xx XX xxxxxxx xx xx xxxxxxxxx, xxx xxxxxxx xx xx x xxxx,
xxxxxxx x xxxx xxxxxxx xxxxx xxxxx xx xxxx.0.
Xx xxxxx xx xxx xxxxxxxxx xxx xx xxxxx xxxxxxxx? Xxxxx xx xxxxxx xxxxxxxxxx xxxx:
- Interfaces are configured under the [edit interfaces] hierarchy.
- Zones and host-inbound-traffic settings are configured under the [edit security zones] hierarchy.
- Policies are configured under the [edit security policies] hierarchy.
- And, system services are configured under the [edit system services] hierarchy.

The Factory Default Configuration


Xxx xxxx xxxxx xxxxxxxx x xxxxxx xxxxxxxxxx xxxxx xxxxx xxx xxxxxxxxxx, xxx xxxxxx
xx xxxx xx xxxxxx xxxxxxxxxx xxx xxxxxxx xxxxxxx xxxxxxxxxxxxx xx xxx XXX.
Xxxxx xxx, xxxxxxxxxxxxx xx xxx xxx xxxx xxx xxxxxx xxxxxxx (XXX650 xx xxxxx) xxx
xxx xxxxxx-xxx xxxxx (XXX 3400 xx xxxxxxx). Xxxx xx xxxxxxx, xxxxxxxxx, xxx xxxxxxx
xxxxx xxx xxxxxxxxxx xxx xxxxxxxxxx xxx xxxxxxxxx xxxxxxxxx, xxx, xxxxxxxxxxxxx xxxx
xxxxxxxxx, Xxxxxxxx xxxxxxxxx xxxxxx xx xxxx xxx xxxxx-xxxx xxxxxxxxxxxx xx xxxxxx
xx xxxxxxxx.

Xx xxx xx xxxxxxx, xxxx XXX210 xxxxxxx xxx xxxxx xx xxxxxx xxxxxxx xxxxxxxxx xx x
xxxxxx-xx-xxxxx xxxx xxxxxxxxxxxx, xxx xxx xxxxxxxxxx xxxx xx xxxxxxxxx xx Xxxxxxxx
xxxx-xxx xxxx xxx XXX xxxx xxxxxxxxxx x xxxxxxxxxx xxxxx xxxxxxxxx, xxx XXXX xxx
xxx XXX. Xx xxx xxxxx xxxx, XXX3400 xxxxxxxx xxx xxxxxxxxx xxxxx xx x xxxx xxxxxxx
xxxx, xxxxx xxx xxxxxxxx xxxxxxxxx xxxx xxx xxxx xxxxxxxxx xxx x xxxxxxxxx xxxx xx
xxxxxx XX xxxxxxxxx.
Xx, xx x xxxxxxxxxxxxxx, xxxx xx xxx xxxxxx xxxx xxx XXX xxxxxxx xxxxxxx
xxxxxxxxxxxxx xxxxxxxx:
- Bootp services on interface ge-0/0/0. Location: [edit interfaces ge-0/0/0].
- DHCP server services on interfaces ge-0/0/1 through ge-0/0/7, with address allocation from the
network 192.168.1.0/24. Location: [edit system services dhcp].
- Switched interfaces ge-0/0/1 through ge-0/0/7. Location: [edit interfaces interface-range interfaces-trust].
- Security zones trust and untrust. Location: [edit security zones].
- Outbound Internet access using NAT with port address translation, permitting traffic from
zone trust to untrust. Location: [edit security nat].
- General protection against any traffic sourced from the untrust zone. Location: [edit security zones
security-zone untrust].
- System management services enabled. Location: [edit system services].
- Logging of critical events, as well as errors generated by commands typed by any
administrator that attempts to change the configuration. Location: [edit system syslog].
- Basic configuration for managing Juniper's AX411 Wireless LAN Access Points. Location:
[edit wlan].

Xxx xxxxxxxxxxx xxxxxxxxxxxx xxx xxx xxxx xxxxx xxxxxxxx xxxxxx xx xxx xxxxxxx
xxxxxxx xxxx xxx xxxxxxx xxxxxxxxxxxxx xxxx xxxxxxxxxxx, xxx xxxx xxxxx xxx xxxxxxx
xxxxxxx xxxxxxxx xxxxxx xx xxxxx xx xxxx xxx xxxxx xxxx xx xxxxx xx xxxxx
xxxxxxxxxxxxx xxxxxxxx. Xxx xxxx xx, xxxxxxx xxx XXX xxxx xxx xxxxxx xxxxx xx
xxxxxx xxxxx xxxxxxxx.

Xxxxxxxxxx, xxx xxxxxxxxx xxxxxxxx xxxxxxxxxxxx xx xxx XXX3400x, xxxxx xxxx xxxxx
xxxxxxxxxx, xxxxx xxxx xxxx xxxxxxxxxxxxx xx xx xxxx xx xxxxxxx x xxxxxx xxxxxxxxx
xxxxxxx xxxxxxx xxxxxxxxxxxxx, xx xxx xxxxxxxxxxxxx xxxx xxxx xxxx xxxx xxx
xxxxxxxxxxxxx xxx xxx xxxx-xxx xxxxxxxxx xx xxxx x xxx xxxxx xxxx.
MORE?

The Appendix contains samples of the entire factory configuration of an SRX210 and SRX3400
running Junos 10.1R1.8.

Try It Yourself: Examining the Factory Default Configuration


Display the different configuration blocks discussed in both this and the previous section (try alternating
the commands below and making use of the pipes | display set and | no-more):

> show configuration
> show configuration security
> show configuration system services
> show configuration interfaces

Display the status of the interfaces and IP address assignment:


> show interface terse

Display the zones configured:


> show security zones details

Display a summary of nat source:


> show security nat source summary

Introducing a Work Topology


Xxx xxx xxxx xx xxxx xxxx, xxx xxxxxx xxxxx xx xxx xxxxxxx xxxxxxxx xxxxx xx Xxxxxx
2.2 xxxx xxx xxxx x xxxxxx xxxx xx xxxx xx xxxxx xxxxxxxxxxxx.
Xxxx xxxxx xxxxxxx xx xxxx xx xx xxxxxxxxxx xxxxxxx, xxxx x XXX210 xxxxxx xx xxx
xxxxxxxx xxxxxxxxxx xxxxxxxxx xx x xxxxxx xxxxxx, xxx xxx XXX3400 xx xxx xxxx-xxx
xxxxxx, xxxxxxx xx xxx xxxxxxxxx xxxxxx. Xx x xxxx xxxxx xxxxxxx, xx xx xxx xxxxxxxx
xx xxxx xx xxxx xx xxxxxxxxx xx xxxxx xxxxxx xxxxxxx xxxxxxxxxx xx xxx xxxx xxx.
Xx xxxx xxxxxx xxxxxx, xxxx xxxxxx xxxxx xx x xxxxxxx xxx xxxxxx xxxxxxx xxxxxxx xxx
xxxxxxx (XXXXXXX). Xxxx xx xxx xxxxxx xxx xxxx xx xxxxxx xxxxxxx xxxxx xxxx xxxxxx
Xxxxxxxx xxxxxx, xxx xx XXXxx xxxxxx xx xxxxx xxxxxxxxx xxx xx xxxxxxxxxx xx xxxxxx
xxxxxxxx xxxxxxxxxxxxxx xxxxxxxxxx xxx xxxxxx xxxxxxx.

Xxxx xx Xxxxxx 2.2, xxxx xxx xxx xxxxxx xxx Xxxxxxxx xxxxxx xxx xxx xxxx-xxx xxxxxx.
Xxx xxxxxxx xxxxxxxxx xx xxx xxxxxxxxxxxx xx xxxxx (xxxxx, xxxxxxx, xxxxxx) xx xxxxx
xxxxxxxxx xxx xxxxxxxx xx xxxxx xxxxxxxxx xxxxxxx, xxx xxxx xx xxx xxxx xx xxx XXX
xxx XXXXXX xxxxxxx, xxxxx xx xx xxxx xxxxxxxxxx, xxxxx xxxxx xxxxxxxx xxx
xxxxxxxxx xxx xxx xxx0 xxxxxxxxx.

Figure 2.2 This Book's Network Topology


Xxxx x xxxxxxxxxx xxxxxxxxxxx, xxx xxx xxxxxx xxx xxxx xxxx xxx xxxxxxxx xxx
xxxxxxxx xxxxxxxx xx xxx xxx0 xxxxxxxxx, xxx, xxxx xxxx xxxxxx xxxxxxx, xx
xxxxxxxxxxxx xxx xx xxxx xx xxxxx x xxxxxx xxxxxxxxxx xxxxxxx xxxxx xxxx xxxxxxx
xxxx xx xxxxxxxxx xxxx xx xxx xxxxxxxxxxxxxx xxx xxxxxxxxxx xxxxx. Xxxx 10.189.x.x/27
xxxxxxx xxxxxx xx x xxxxxx xxxxxxx, 10.188.0.0/14. Xxxx xx xxxxxxxxx xx xxxx xxxxx xx
xxx xxxxxxxx xxx xxxxxxx xxxxxxxxxxxxx.
Xxxxxxxxxx xxxx xxxx xxxx xxxxx xxxx xxxx xxxxxxxx, xxxxxxxx xxxxxxxxx xxx
xxxxxxxxxxxxx xxxxx xxxx xxx xxxxx xx xxxx xxxxxxx xxxxxxxx xxx xxxxxxxxx xx xxx xx
xxx xx xxxx xxxxxxxxx. Xxxx xxx xxxxx, xxx, xxx xxxxxxxxx xxxxxx xxxxxx.

Chapter 3
Enabling Remote Access
Configuring System Services. . . . . . . . . . . . . . . . . . . . . 22
Configuring Interfaces and Zones. . . . . . . . . . . . . . . . 24
Configuring Basic Routing. . . . . . . . . . . . . . . . . . . . . . . . 27

Xxxxxxxx xxxx xxxxxxxx xxxxxx xxxxxxxx xx xxxxxxxxxxx xxx xxxxxxxxxx xxx xxxxx,
xxxx xxxxxxx xxxx xxx xxxxxxxx xxxxxxx xx xxx xxxx xxxxxxxx. Xxxxx xx xxx xxxxxxx
xxxxxxxx xxxxx xx Xxxxxx 2.2 xxx x xxxx xxxxxxxxxxxxx xx xxx xxxxxxxx. Xxxxx xxx
XXX3400 xxxxxxx xxxxxxx xx xxxxxx, xx xxxxx xx xxxx xx xxxx xx, xxx xxxx xx xxx xxxxxx
xxx xxxx xx xxx xxxxxxxx xx xxxx xxxxxxx xxx xxxx xxx xxxxxxxx.
Xxxxxxxx xxxx xx xxx xxxx xx XXX xxxx-xxx xxxxxxxxx, xxx xxxxxxxxxxxxx xxx xxx
xxxxxxxxxx xxxxxx xx xxxxx xxx xxx0 xxxxxxxxxx xxxxxxxxxxx xxx xxxxxxxxxx xxxxxxxx.
Xxxxxxx xxx0 xxxxxxxxxx xxxxx xx xxx xxxxxxx xxxxx, xxx xxxxxx xx xxxx xxx
xxxxxxxxxx xx xxxx xxxx xxxxxxx, xxxxx xx xx xxxx xx xxxxxx xxxx xx x xxxx xxxxxxxx.
Xxxxxxx, xx xxx xxxxxxxxxxxxx xxxxxxx xx xxx x xxxxxxx xxxx xxx xxxxxxxxxx xxxxx,
xxxx xxx xxxxxxxxxx xxxxxxx xxxxx xxxxxxx.
Xxxxx xxxx x xxxxxxxxx xxxxx xxx xxxxxxxxxxx xxxx xxxxxxx xx Xxxxx, xxxxxxx, xx xxx
xxxxxxxxxxx xxxxxxxx xxxx xxx x xxxx xxxxxxxx, xx xxxxxx xxxx xxx xxxxxx xx xxxx,
xxxx xxxxxxx, xx xxx xxxxxxxxxxx xxxxxxxx.

Configuring System Services


Xxx xxxxx xxxx xxxxxxxx xx xx xxxx xxx xxxxx xxxxxxx xxxx xxx xxxx xx xxxxxxxxxx
xxxxxx xxxxxxxx xxx xxxxxx (xxxx xx xxxx xxx xxx xxxxxxxxx xxxxxx). Xx, xx xxxxxxxxx
xxxxxx xxxxxxxx, xxxx xxxx xx xxxxxxxxxx xxx xxxxxxxxx:
- Enabling SSH, telnet, FTP, and ping services.
- And, at the end of our configuration session, managing the box via any of the previously
mentioned methods.
NOTE

As stressed throughout this book, repetition is the mother of all learning: enabling system
services is not enough to be able to manage an SRX using the configured services. Besides, with
the exception of fxp0, as soon as an IP address is configured, you may manage the device via this
interface.

To Configure System Services:

1. Connect via the console.


2. Xxxxx xxxx xxxx xxx xxxxx xxxxxxxxxxxxx xxxx:
login: root

--- JUNOS 10.1R1.8 built 2010-02-12 17:24:20 UTC


root@% cli
root> edit
Entering configuration mode
[edit]
root#

3. Configure the system services:


[edit]
root# set system services ftp
[edit]
root# set system services ssh
[edit]
root# set system services telnet
[edit]
root#

4. Commit the changes:


root# commit
[edit]
system
Missing mandatory statement: root-authentication
error: commit failed: (missing statements)

Xxx xxxxx xxxxxxx xxx'xx xxxxxxx xxxx xxxxxx xx xxxxxx xx xxxxxxxx xxx x xxx xxxxxx
xxxx xxx xx xxxxxxxxxxxxx, xx xxx xxxx xxx xxxx xxxxxxx xxxxxxxxx, xxxxxxxxxx xxxx
Xxxxx xxxxxxxx xxx xxxx xxxx xxxxxxx xx xxxx x xxxxxxxx xx xxxx xxxx xx
xxxxxxxxxxxxxx. Xxx xxxxxxx xxx xx xxxxxxxx xxxx xx xx xxxxxxxxxx x xxxxx-xxxx
xxxxxxxx.
5. Xxxxxxxxx xxxx xxxxxxxxxxxxxx xxx xxxxxx:
root# set system root-authentication plain-text-password
New password:
Retype new password:
[edit]
root# commit
commit complete

Xx xxxxxxx! Xxxxxxxx xxx xxxxxxxx xxx xxxx xx xx xxxxx xxxx, Xxxxx xxxx x xxxxx xxx
xx xxxxxxxxxx xx xxxxxxxxxxx, xx xxxx xxxx xxxxxxxxxxxxx xx xxx xxxxxxxxxxx xx
xxxxxxx xx xxxxxxx xxxx xxxx xxxxxxxx.
NOTE

By the way, the ping service was not forgotten. It is turned on by default for fxp0, but needs
explicit configuration for all other interfaces, something that is addressed in the next section.
Also, ping cannot be activated under system services.

TIP

If you are following along and trying these examples on your device, you may want to leave the
console connection open while reviewing the next section.

Configuring Interfaces and Zones


Xxxx xxxxxx xxxxxxxx xxx xxxxxxx, xxx xxx xx xxxxxxx xx xxx xxx xxxxxxx xxxxxxxx, xxx
xxx xxx xxxxx xxxxxx xx xx xx xxxxxxx xxx xxxx xx xxxxxxxxx XX xxxxxxxxx xx xxx xxx
xxxxxxxxxx.
Xxxx xxxxxx xxxx xxx xxxx xx xxxxxxx xxxxxxxx:
- Configure the IP address and subnet mask in the SRX3400, per the diagram in Figure 2.2.
- Create the security zones admins and untrust.
- Assign the interfaces to the corresponding zones.
- Turn on telnet, FTP, SSH and ping on all interfaces of the SRX3400.
Xxxxxx xxxxxxxx, xxxx x xxxxxx xx xxxxxxx xxxxx xxxxxxxxxxxxx xxxxx xxxx xxx
xxxxxxxx xxxxxxxxx xx Xxxxxxx 2. Xxxxxx xxx xxxxxxxxx xx xxxxx xxxxx xxxx xxx xxxxxx
xxxxxxxx: xx XX xxxxxxx xxxx xxxx xx xxxxxxxxx, xxx xxxxxxxxx xxxx x xxxx, xxx x xxxx
xxxx x xxxxxxx-xxxxxxxx. Xxx xx xxx xxxxxxxxx xxxxxx xxxxxxx-xxxxxxxxx xxxx, xx xxx
xxxxxx xxxxxxx xxx xxxxxxx xxxx.0 (xxxxxxxxxxxxx xxx XXx4 xxxxxxx xxxxx). Xx xxx
xxxxxxxxx xx xxxxxxxx xxx xxxxx xxx xxxx-xxxxxxx-xxxxxxx xxxxx xxx xxxx. (Xxxxxxxx
xxxxx.)
To Configure Interfaces:

1. While still connected to the console as root, enter configuration mode:


root> edit
Entering configuration mode
[edit]
root#

2. Start by configuring fxp0 since it is the simplest:


[edit]
root# set interfaces fxp0 unit 0 family inet address 10.189.140.99/27
[edit]
root#

3. Xxxxxxxxx xxx xxxxxxxxxx xx-0/0/0, xx-0/0/1 xxx xx-0/0/2 xxxxx xxx xxxx xxxxxx:
[edit]
root# set interfaces ge-0/0/0 unit 0 family inet address 192.168.2.1/24
[edit]
root# set interfaces ge-0/0/1 unit 0 family inet address 198.18.100.4/24
[edit]
root# set interfaces ge-0/0/2 unit 0 family inet address 66.129.250.1/24

4. Xxxxxx xxx xxxxxxx:


root# commit and-quit
commit complete
Exiting configuration mode

5. Xxxxxx xxxx xxxxxxxxxx xx xxxxxxx xx xxxxxxxx:


root> show interfaces terse | match "fxp0.0|ge-0/0/0.0|ge-0/0/1.0|ge-0/0/2.0"
ge-0/0/0.0              up    up   inet     192.168.2.1/24
ge-0/0/1.0              up    up   inet     198.18.100.4/24
ge-0/0/2.0              up    up   inet     66.129.250.1/24
fxp0.0                  up    up   inet     10.189.140.99/27

Xxx xxxxxx xxxxxxxx xxxx xxxx xxx Xxxxx xxx Xxxx xx xxx xxxxxxxxxx xxx xxxxxxxxxxx.
To Configure Zones:

1. Xxxxx xxxxx xxxxxxxxx xx xxx xxxxxxx xx xxxx, xxxxx xxxxxxxxxxxxx xxxx:


root> edit
Entering configuration mode
[edit]
root#

2. Xxxxxxxxx xxx xxxxxxx xxx xxxxxx xxxxxxxx xxxxx:


[edit]
root# set security zones security-zone untrust
[edit]
root# set security zones security-zone admins

To Bind the Interfaces to the Zones:

Reference Figure 2.1 and use the same set of commands to bind the interfaces to the
corresponding zones:
[edit]
root# set security zones security-zone admins interfaces ge-0/0/0.0
[edit]
root# set security zones security-zone untrust interfaces ge-0/0/1.0
[edit]
root# set security zones security-zone untrust interfaces ge-0/0/2.0

BEST PRACTICES

Always configure zones from the perspective of the firewall that you are setting up, not from the
perspective of the other devices in the network. For example, notice that in this example you do
not need to configure the zone trust, as this is irrelevant and can even be unknown from the
perspective of the administrator configuring the SRX3400. Also notice that both ge-0/0/1 and
ge-0/0/2 belong to the same security zone. There are virtually no limits on what zones you may bind
interfaces to, but an interface can only be bound to one zone at any given time.

To Enable SSH, telnet, FTP, and ping in the Interfaces:

SSH, telnet, FTP, and ping are all host-inbound-traffic system-services, that is, services the SRX
itself answers on the interfaces of a zone (traffic transiting the SRX is governed by security
policies, not by this list). Use the same set of commands to enable the desired services:
[edit]
root# set security zones security-zone untrust host-inbound-traffic system-services ssh
[edit]
root# set security zones security-zone untrust host-inbound-traffic system-services telnet
[edit]
root# set security zones security-zone untrust host-inbound-traffic system-services ftp
[edit]
root# set security zones security-zone untrust host-inbound-traffic system-services ping
[edit]
root# set security zones security-zone admins host-inbound-traffic system-services ssh
[edit]
root# set security zones security-zone admins host-inbound-traffic system-services telnet
[edit]
root# set security zones security-zone admins host-inbound-traffic system-services ftp
[edit]
root# set security zones security-zone admins host-inbound-traffic system-services ping

Do not forget to commit:


root# commit and-quit
[edit security]
idp
Failed to fetch the sec-db version
commit complete
Exiting configuration mode

Xxx xxxxxxxxxxxxx xxxxxxxxx xxxx xx xxxxx xxxxxxx xx xxxx xxxx xxxxxxx xxx xxx
xxxx xxxxxxxxxx, xxx xxxxxxxx xxxxxxxxx xxx xxx xxxx xxxxxxx xx xxxx xxxxxx xxxxxx
xx xxxx xx xxxxx xxx xxxxxxxxxx, xxxx xxxx xxxxxxx xxxx xx xxxx. (X xxxxxxxxxxx xxx
xxxxxx xx xxx xx xxxxx xxx xxxxxxxxx xx xx XXX xx xxxxxxxxx xx xxx Xxxxxxxx.) Xx xxx
xx xxx xxxx xxxxxx xx xxxxxxxxx xx xxxx xxxx, xx xx xxx xxxx x xxxx xx xxxxxxxxx XXX
xxxxxxxx, xxxx xxx xxx xxxxxx xxxxxx xxx xxxxxxx, xx xxxxxx xxx xxxxxxxxx [xxxx xxxxxxxx
xxx] xxx xxxxxx xxxxx.
BEST PRACTICES

Acknowledging the fact that this is a document for security adventurists, telnet and FTP are
inherently insecure protocols that offer no data protection. So, before turning these services on in
your devices, analyze your need for them. If you absolutely have to configure them, try to do so
on the internal side, never on interfaces facing public networks. In this instance we are setting
aside best practices only for instructional purposes.
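The check a practitioner runs once the zone services are committed, as an added example for this
section (it is not code from the book or from Juniper): it reads the zone configuration in
"show configuration | display set" form and reports which zones, and which interfaces, expose
telnet, FTP, or all system services. Zone names listed in EXTERNAL_ZONES are treated as
public-facing; that list is an assumption and holds only untrust here. The sample configuration is
constructed from this chapter's commands, plus one interface-scoped "all" binding that the book
does not configure, to show how that form is reported.

```python
import re
from collections import defaultdict

# Services the book warns about: credentials and data travel in the clear.
CLEARTEXT_SERVICES = {"telnet", "ftp"}
# Assumption: names of zones whose interfaces face public networks.
EXTERNAL_ZONES = {"untrust"}

# A service can be allowed zone-wide or on one interface of the zone.
SERVICE_RE = re.compile(
    r"^set security zones security-zone (\S+)(?: interfaces (\S+))?"
    r" host-inbound-traffic system-services (\S+)$")
IFACE_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)")


def parse_zones(config_text):
    """Return (zone -> set of interfaces, (zone, scope) -> set of services).

    scope is the string 'zone' for zone-wide bindings, else the interface name."""
    ifaces, services = defaultdict(set), defaultdict(set)
    for raw in config_text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            zone, iface, service = m.groups()
            services[(zone, iface or "zone")].add(service)
            if iface:
                ifaces[zone].add(iface)
            continue
        m = IFACE_RE.match(line)
        if m:
            ifaces[m.group(1)].add(m.group(2))
    return dict(ifaces), dict(services)


def audit_host_inbound(config_text, external_zones=EXTERNAL_ZONES):
    """Return sorted (severity, zone, scope, service, reason) findings."""
    ifaces, services = parse_zones(config_text)
    findings = []
    for (zone, scope), svcs in services.items():
        severity = "high" if zone in external_zones else "medium"
        where = ",".join(sorted(ifaces.get(zone, ()))) if scope == "zone" else scope
        for service in sorted(svcs):
            if service == "all":
                findings.append((severity, zone, scope, service,
                                 "all system services reachable on " + where))
            elif service in CLEARTEXT_SERVICES:
                findings.append((severity, zone, scope, service,
                                 "cleartext management protocol on " + where))
    return sorted(findings)


# Constructed sample: this chapter's zone commands as 'display set' lines, plus one
# interface-scoped 'all' binding the book does not configure, to exercise that path.
SAMPLE_CONFIG = """
set security zones security-zone admins interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone untrust interfaces ge-0/0/2.0
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services telnet
set security zones security-zone untrust host-inbound-traffic system-services ftp
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone admins host-inbound-traffic system-services ssh
set security zones security-zone admins host-inbound-traffic system-services telnet
set security zones security-zone admins host-inbound-traffic system-services ftp
set security zones security-zone admins host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/2.0 host-inbound-traffic system-services all
"""

if __name__ == "__main__":
    for finding in audit_host_inbound(SAMPLE_CONFIG):
        print("%-6s zone=%s scope=%s service=%s: %s" % finding)
```

Run it against a real dump with "show configuration | display set | no-more" saved to a file and
passed to audit_host_inbound; telnet and FTP on an untrust zone come out as high, the same services
on an internal zone as medium, which is exactly the distinction the best practice above draws.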

Configuring Basic Routing


Xxxx xxx xxxxxxxxxxx xx xxx XXX3400 xxxxxx xxx xxxxxxxx xxxxxxx (Xxxxxx 2.2)
xxxxxxxx, xxx xxxxxxxxx xxxxxxx xxxxx xxx xxxxxxxx:
Xxxxxxxxxxxxx xxxxxxx xxx xxxxxx xxxxxx xxxx xxx xxxxxxx xxxxxxx xxx xxxxxx xx xxx
xx xxxx xxxx. Xxx xxx xxxxxxxx xx xxxx xxxx, xxxx xxxxxx XXX xxxx xxx xx xxxx
xxxxxxx. Xxxxx xxx 198.18.100.0/24 xxxxxxx xx xxxxxxxx xxxxxxxxx, xx xxxxxxxxxx
xxxxxxx xxxxxxxxxxxxx xx xxxxxxxx xx xxxxx xxx xxxxxxx xx xxxx xxxxxxx.
Xxx xxxxxx xxxx xx x xxxxxxxx xxxxxxxxx xxxxxxx xxxxxxx. Xxxxx xxx xx xxxx xxxxxxx
xxxxxxxxxxxx xx xxxxxxxxxxx xx xxxxxxx xx xxxx xxxxxxx.
Xxxxxxxxxxxxx xxxxxxx xxx Xxxxxxxx, xx xxxxxxx xxxx, xxxxxx xxx xxx xxxxxx xxxx xxx
XX xxxxxxx 66.129.250.254/24. Xx x xxxxxxx xxxxx xx xxxxxx xx xxxxx xxx xxxxxxx
xxxxxxxx xxx xxxx xxxxxx.
Xx xxxxxxxxxxx xxxx xxxxxxx xx xxx xxx-xx-xxxx xxxxxxxxxx xxxxxxx, xxxxxxx xx xxxxxx
xx xxxx xxxxxxx xx xxx xxxxxx xxxx xxx XX xxxxxxx 10.189.140.97.
Xxxxx xxx xxxxxxxx xxxx xx xxxxxxxxx xx xxxxxxxxxxx xxxx xxxx, xxx xxxx xxxx xxxxxx
xxxxxx xxx xxxxxxxxx xxxxxx xx xxx Xxxxxxxx xxx xx xxx xxxxxxxxxx xxxxxxx xxxxx
xxxxxx xxxxxxx.

To Configure Access to the Internet:

1. While still connected to the console as root, enter configuration mode:


root> edit
Entering configuration mode
[edit]
root#

2. Xxxxxxxxx x xxxxxx xxxxxxx xxxxx xxxxxxxx xx xxx Xxxxxxxx xxxxxx xx xxx xxxx xxx:
[edit]
root# set routing-options static route 0/0 next-hop 66.129.250.254
[edit]

3. Xxxxxxxxx x xxxxxx xxxxxxx xxxxx xx xx xxxx xx xxxxx xxx 10.188.0.0/14 xxxxxxxxxx


xxxxxxx:
[edit]
root# set routing-options static route 10.188.0.0/14 next-hop 10.189.140.97
[edit]

4. Xxxxxx xxx xxxxxx xxxx xxx xxxxxx xxx xxxxxx xxx xxxxxxxxxx xxxxxxx xx xx xx xxxxx:
[edit]
root# commit and-quit
commit complete
Exiting configuration mode
root> show route
inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:00:25
                    > to 66.129.250.254 via ge-0/0/2.0
10.188.0.0/14      *[Static/5] 2d 00:01:08
                    > to 10.189.140.97 via fxp0.0
10.189.140.96/27   *[Direct/0] 2d 00:01:08
                    > via fxp0.0
10.189.140.99/32   *[Local/0] 2d 00:01:08
                      Local via fxp0.0
66.129.250.0/24    *[Direct/0] 6d 15:32:16
                    > via ge-0/0/2.0
66.129.250.1/32    *[Local/0] 6d 15:32:16
                      Local via ge-0/0/2.0
192.168.2.0/24     *[Direct/0] 6d 15:32:16
                    > via ge-0/0/0.0
192.168.2.1/32     *[Local/0] 6d 15:32:16
                      Local via ge-0/0/0.0
198.18.100.0/24    *[Direct/0] 6d 15:32:16
                    > via ge-0/0/1.0
198.18.100.4/32    *[Local/0] 6d 15:32:16
                      Local via ge-0/0/1.0

Xxxx xxxxxx xxxxxxxxx x xxxxxx xx xxxxxxxxxxxx xx xxxx. Xxx xxx xxx xxxx Xxxxx
xxxxxxxxxxxxx xxxxxxxxx xxxxxxx xxx xxxx xxxxxxx xx xxxxx xxxxx xxxxx xx xxx
xxxxxxxxx xxxxxxxx xxxx xx xx xxxxxxxx xxxxxxxxx xx. Xx xxxxxxxx, xx xxxxxxx
xxxxxxxxx xx xxxxxxxx xxx xxx xxxxxx xxxxxx xx xx xxxxxx xxxx xxxx xxx xxxxxx xx
xxxx xxxxxx, xxxxxx-xxxxx xx xxxxxx xxxx xxxx xxxxxx xxx xxxxxxxxx xxxxxxxx.
Xx xxxx xxxxx xxx xxxxxx xx xxxx xx xxxx xxx xxxxxxxxxx xx xxxx xx xxxxxx, XXX, xx
XXX xxxx xxx xxxxxxxx xxxxxxxxx xxxxxxx. Xx x xxxx xxxx xxx XX xxxxxxx xx xxx
xxxx xxxxxx xx xxx XX xxxxxxx192.168.2.1 xxxxx, xxx xx xxxx xxx xxxx xxxx xxx xxxx XX
xx xxx Xxxxxxxx-xxxxxx xxxxxxxxx xxxx xxx XX xxxxxxx 66.129.250.1. Xxx xxxxxx? Xxx
xxx xxxxxxx xxx xxx xxxx xx xxxxxxxx xxxxxxxx xxxx xxxxxxxx xxx xxxx xxxxxxxx xxxxx.
Xxxx xxxx xxxxxx xxxxxxxx xxxxxxxx xx Xxxxxxx 6, xxx xxxx xxxx xxxxx xxx. Xxxx
xxxxx xxxxx xxxx xxxxx xxxxxxxxxxx xxxxxxxxxx xxxxxxx, xxxx xxxxxxx xx xxxxxxxxx
xxxxxxxxxxxxxx.
Xxx xxxx xxxxx xxxxxxxxx, xxxx xxxxx xxx xxxx xxxxx xxxxxx xxxxxxx xxxx xxxxxxx.
Xxxxx xxxx xx xxxxxxxx xxxxx xx xxx xxx xx xxx XXX, xxx XXX xxx xxxxxxxxxx xxxx,
xxx xxxx xxxxxxxx xx xxxxxxxxxx xxxxxxxx: xxx xxxx xxx xxx xxxxxxxx/xxxxxxxxx xxxx
xxx xxx xxxx xx xxxxx xxxx xxx xx xx xxx xxxx. Xxx xxxx xxx xxxx XXX xxxxxxx, xxx xxx
xxx XXX (Xxxxxx Xxxx Xxxxxxxx) xxx xxxx xxxxxxxxxxxx. Xxx Xxxx, Xxxxx, xx XxxXX
xxxxxx xxx x xxxxxx XXX xxxxxxxxxxx xxx xxxx xxxxxx. Xx xxx xxx x Xxxxxxx xxxx, xxx
xxx xxxxxxxx xx xxxx xxxxxx xxxxxxxxxxx, xxxx xx XxxXXX
(xxxx://xxxxxx.xxx/xxx/xxxxxxxx.xxx).
Xxx xxxxxxx, xxx xxx xxxx xx xxxx x xxx Xxxxx xxxxxxx xxxxxxx xxxx x Xxxxx xxxxxxxx
xx xxx XXX xxx xxx xxxxxxx xx xxxxxxxxx:
[barnys@server1 junos]$ scp junos-srx3000-10.1R1.8-domestic.tgz root@10.189.140.99:~
The authenticity of host '10.189.140.99 (10.189.140.99)' can't be established.
RSA key fingerprint is 4c:21:ea:6a:fd:f5:b4:88:a4:61:ad:d5:fe:81:10:46.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.189.140.99' (RSA) to the list of known hosts.
root@10.189.140.99's password:
junos-srx3000-10.1R1.8-domestic.tgz                     100%  172MB   2.7MB/s   01:03
[barnys@server1 junos]$

Xxx xxx xxxxxxx xxxx xxx xxxx xxx xxxxxx xx xxxxx xxx Xxxxx XXX:
root> file list
/cf/root/:
.cshrc
.history
.login
.profile
.ssh/
junos-srx3000-10.1R1.8-domestic.tgz*
root>

Chapter 4
Configuring Administrators
About Users and Classes. . . . . . . . . . . . . . . . . . . . . . . . 33
Configuring Different Local Administrators. . . . . . . 33
Configuring RADIUS Support. . . . . . . . . . . . . . . . . . . . . 37

Xxxx xxx xxxx xxxxxxxxxxxxx xxx xxxxxxx xx xxx XXX xxx xxx xxxxxxxxxxxxx xxxx
xxxxxxxxxxx. Xxxx xxx xx xxxxxxxxxxx, xxxxxxxxxx xx xxxx xxxx xxx xxxxxx xxxxx xx
xxxxxxx xx xxx XXX. Xxxxxxx xxx xxxx xxxxxxx xxxxx xxxxxxxx xxxxx xxxxxxx xxxxxxx
xxxxxxxxxxxx: xxxxx xx xx xxx xx xxxxxxx xxx xxx xxxxxx xxxxxx xx xxx xxxx xxxxxxx
(xxxxxxxxx xxx xxxxxxx xxxx xxxxxxx xxxxxxx xxxxxxxxxx); xxxx xxx xxxxxxx xxx
xxxxxxxxx xxxxxx, xxx xxxxx xx xxxxxxxxx xxxxxxx xxx xxxx xxxxxxx xxxxxx xx (xxx
xxxxxxxxxxxxx xxx xxxxx x xxx xx xxxxxxxxx xx xx xx xxx xxxxxxxxxxxxx xxxxxxx xx
xxxxxxxx xxx xxxxxxxxxxxxx); xxx xxxxxxxxxxxxxxx xxx xxxxxxxxxx xxx xx xxxxx.
Xx xxxx xxxxxxx xxxx xxxxxxxxx xxxxx xxx xxxxxx xxxxxxxxxxxxx xxxxxxxx xxxx
xxxxxxxxx xxxxxxxxxx. Xxxxx xxxxxxxx xxxxx xxxx xx xxx xxxxxx xxxxx xxxxxx
xxxxxxxxxx, xxx xxxx xx xxxxx xxxx x xxxxxxx xx xxxxxxxxxxx xxxxxxx xx xxx XXX. Xx
xxxxxx xx xxxxxxxxxxxxxx, xx xxxx xxxx, xxxxxxx xx xxxxx xxxxxxx, xxxx xx x XXX
(Xxxxxxx Xxxxxxxxxx Xxxxxx) xx x xxxxx xxxxxxxxxx, xxxx xxx xxx xxxxxx xxx
xxxxxxxxxx xxx xxxxxxxxxxx xxxxxxxxxxxxxx xxxxxxxxxx xxxxxxx xx XXXXXX xx
XXXXXX+.
Xx xxxxxxxxxxx xxx xxxxxxxxxxx xx Xxxxx, xxxxx xxxxx xxxxxxxx xxxx xx xxxxxxxxxx
xxxx xxx xxxxxxxxx xxxxxxxxxx:
- barnys (super-user)
- halle (read-only)
- max (operator)
X xxxxxx xxxxxxx, xxxxxx, xxx x xxxx xxxxxxx xxx xx xxxxxxxxxxxx, xxxxxxxx xxx xx
xxxxxx xxxx xxxxxxxxx xxxxxxxx.
Xxx xxxx xxxxxxxxxxxx xxx xxxxxxxxxx xxxxx XXXXXX. Xxxx xxxx xxxx xxx xxxxx
xxxxxxx xxxx xxx xxxxxx xxx xxxxxxxxx xx XXXXXX, xx xxxxxx xxxxxxxx xxx xx
xxxxxxxxx xxx xxxxxxxxxxxx xxxxxxxxx. Xxx Xxxxxxxx, xxxxxxx, xxxxx xxxxxxxxxxx
xxxxx xxxx xxx xxxxxx xxxx xxx xxx xxxxxxxx xx xxxx xxxx xxx xxxxx xxxxxxxxxx, xxx xx
xxxxxxxxx xxxx xxx xx xxxxxx xxx xxx xxxxxxxxxxxxx xxxx xxxxx xx xxxxxxxxx XXXXXX
xxxx Xxxxxx Xxxxxxxxx. Xxxx xx x xxxxxxx xxxx xxxxx Xxxxxxxx Xxxxx Xxxxxx Xxxxxx
(XXX) xxxxxxx. Xxx xxxx xxxxxxx xx xxxx xxxxxxx xxxxx xx xxx xxxxxxxxx xxxx:
xxxx://xxx.xxxxxxx.xxx/xx/xx/xxxxxxxx-xxxxxxxx/xxxxxxxx/xxx/xxx-xxxxxx/xxxxxxxxxx/.
NOTE

Another option exists using TACACS+, but it is not discussed in this short book. If this is your
only option, please refer to the SRX technical documentation at www.juniper.net/techpubs/.

Users and Classes


Xxxxx xxx xxxx xxxxxxxxxx xxxx xxxxxxxx xxxx xxxxxx xx xxxxxxx xx xxxxxxxx:
xxxxxxxx, xxxx-xxxx, xxxxx-xxxx, xxx xxxxxxxxxxxx. Xxx x xxxxx xx x xxxxxxxxx xx
xxxxxxxxxxx xxxx xxxxxxx xxxxxxx/xxxxxx xxxxxxxx xxx xxxxxxxxxxxxx xxxxxxx.
Xxxxxxx xxx xxxxxxx xxxx xxxxxxx xx xxxxxxxxxx xx xxxxx-xxxx. Xx xxxxxxx, xxx xxxx
xxxx xxxxxxx xx xxxx xxxxx, xxxxx xx xxxx xxxxxx xxxx xxxxxxx xxxxxxxxx xxxxx xxx
xxxxxx.
Xxx xxxxx xxxxxxx xxxxxx x xxxx xxxxxxx xxx xx xxxxxxxxxxx. Xx xxx xxxxxx xxxxxxx xx
xxx xxxx xxxx xxxxxxxxxxxx, xxxx xxx xxx xxxxxxxxx x xxxxxx xxxxx, xxx xxxxxxx xxx xxx
xx xxxxxxx xxxxxxxx xxx xxxxxxxxxxx xxx xxx xxxxx xxxx xxxxxx xx xxxx xxxxx. Xxxx xx
xxxxxxxxx xxxx xxx xxxxxxxxx xxxxx xxx xxx xxxx xxxxxx.
X xxxx xxx xxxxxx xx xxxx xxx xxxxx. Xx xxx xxxxx xx xxxx xx x xxxxxxxxxx, xxxxxxxx
xxxx Xxxxx xxxxxx xxx xx xxxxxxxxx xx xxxx xxxxxxx xx xxx xxxx. Xxxxx xx xx xxx xxxxx
xx xxx xxxxxx xx xxxxx xxx xxxxxxx xxx xxx xxxxxxxxx, xx xx xxx xxx xxxxxxx xx x
xxxxxxxxxxx xxxxxxxx, xxxx xxx xxx xxxx xxxx xxxx xxxxxxxxxxx.

Configuring Different Local Administrators


Xxxx xxxxx xxx xxxxxxxxx xx xxxxxxxxx xxxxxxxxx xxxxx xxxxxxxxxxxxxx?
- Configure the local accounts max, halle, barnys, and assign them to the local classes operator,
  read-only, and super-user, respectively.
- Create a local class consultant with restricted access to modify interfaces.
- Configure the local account carrie and assign this to the consultant class.
- Test to be sure that things are working as expected.
To Configure the Local Accounts:

1. Configure the users max, halle and carrie and assign them to their corresponding predefined
classes:

[edit]
root# set system login user max class operator authentication plain-text-password
New password:
Retype new password:
[edit]
root# set system login user halle class read-only authentication plain-text-password
New password:
Retype new password:
[edit]
root# set system login user barnys class super-user authentication plain-text-password
New password:
Retype new password:

2. Xxxxxx x xxxxx xxxxx xxxxxxxxxx xxxx xxxxxxxxxx xxxxxx xx xxxxxxxxx xxxxxxxxxx


xxxx:
[edit]
root# set system login class consultant allow-configuration interfaces
[edit]
root# set system login class consultant permissions configure

3. Xxxxxxxxx xxx xxxx xxxxxx xxx xxxxxx xxxx xx xxx xxxxx xxxxxxxxxx:
[edit]
barnys# set system login user carrie class consultant authentication plain-text-password
New password:
Retype new password:

Xxxxxx xxx xxxxxxxxxxxxx:


[edit]
barnys# commit
commit complete

VERIFY

Take a moment to verify that your accounts are working as expected. Understanding what to
expect from every class is critical to mitigating many management problems in your network.
Here, only max, halle and carrie are verified as the account barnys is not any different than the
root account used so far.
4. Xxxx xxx xxxx xxxxxxx xxx:

[barnys@server1 ~]$ ssh max@10.189.140.99


max@10.189.140.99's password:
--- JUNOS 10.1R1.8 built 2010-02-12 17:24:20 UTC
max> configure
^
unknown command.

max> show configuration


## Last commit: 2010-04-11 04:13:21 UTC by barnys
version /* ACCESS-DENIED */;
system { /* ACCESS-DENIED */ };
interfaces { /* ACCESS-DENIED */ };
routing-options { /* ACCESS-DENIED */ };
security { /* ACCESS-DENIED */ };
max> clear interfaces statistics all
max> traceroute 10.189.132.70
traceroute to 10.189.132.70 (10.189.132.70), 30 hops max, 40 byte packets
1 10.189.140.97 (10.189.140.97) 1.011 ms 0.718 ms 0.654 ms
2 10.189.132.97 (10.189.132.97) 0.684 ms 0.220 ms 0.207 ms
3 10.189.132.70 (10.189.132.70) 1.650 ms 0.361 ms 0.355 ms
max> ping 10.189.140.97 count 2
PING 10.189.140.97 (10.189.140.97): 56 data bytes
64 bytes from 10.189.140.97: icmp_seq=0 ttl=64 time=0.873 ms
64 bytes from 10.189.140.97: icmp_seq=1 ttl=64 time=0.878 ms
--- 10.189.140.97 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.873/0.875/0.878/0.003 ms

Xxxxxx xxx xxx xxxx xxx xxxx xxx xxxxxxxx xx xxx xxxxx xxxxxxxx xxxxxx xxxx
xxxxxxxxxxxxx xxxxxxx (xx xxxxxx xxxxxx xx xxxx xxxxxxxxxxxxx xxxx), xx xxxx xxx
xxxxxxxxxxxxx. Xx xxx, xxxxxxx, xxxxx xxxxxxxxx xxxxxxxxxx, xxx xxx xxxxxxxxxxx,
xxxxx, xx xxxxxxxxxxx xxxxxxxx. Xxxx xx xxx xxxxxxxx xxxxxxxx xx xxxx xxxxx.
5. Xxxx xxx xxxx xxxxxxx xxxxx:
[barnys@server1 ~]$ ssh halle@10.189.140.99
halle@10.189.140.99's password:
--- JUNOS 10.1R1.8 built 2010-02-12 17:24:20 UTC
halle> configure
^
unknown command.
halle> clear
^
unknown command.
halle> ping
^
unknown command.
halle> show configuration
## Last commit: 2010-04-11 04:13:21 UTC by barnys
version /* ACCESS-DENIED */;

system { /* ACCESS-DENIED */ };
interfaces { /* ACCESS-DENIED */ };
routing-options { /* ACCESS-DENIED */ };
security { /* ACCESS-DENIED */ };
halle> show system uptime
Current time: 2010-04-11 04:34:02 UTC
System booted: 2010-03-29 14:30:13 UTC (1w5d 14:03 ago)
Protocols started: 2010-03-29 14:31:16 UTC (1w5d 14:02 ago)
Last configured: 2010-04-11 04:13:21 UTC (00:20:41 ago) by barnys
4:34AM up 12 days, 14:04, 2 users, load averages: 0.00, 0.00, 0.00
halle> show interfaces fxp0
Physical interface: fxp0, Enabled, Physical link is Up
<snip>

Xxx xxxxxxx xxxxx xx xxxxxxxxxx xx xxxxxxxxxxx xxxx xxxx xxxxxxxx. Xxx xxxxxx xxxxx
xxxxxxxxxx xx xxx xxxxxxxxxxxx. Xxx xxxxx xxxx-xxxx xx xxxx xxx xxxxxxxxxxxxxx xx
xxxxxx xx xxxxxxxxxx xxx xxxxxxx xxxxxxxxxxx xxxxxx.
6. Xxxx xxx xxxx xxxxxxx xxxxxx:
[barnys@server1 ~]$ ssh carrie@10.189.140.99
carrie@10.189.140.99's password:
--- JUNOS 10.1R1.8 built 2010-02-12 17:24:20 UTC
carrie> show
^
unknown command.
carrie> edit
Entering configuration mode
Users currently editing the configuration:
barnys terminal p0 (pid 20718) on since 2010-04-11 04:10:24 UTC, idle 00:30:32
[edit]
carrie# show
## Last changed: 2010-04-11 05:02:53 UTC
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.2.1/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 198.18.100.4/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 66.129.250.1/24;
            }
        }
    }
    fxp0 {
        unit 0 {
            family inet {
                address 10.189.140.99/27;
            }
        }
    }
}
[edit]
carrie# edit interfaces fxp0
[edit interfaces fxp0]
carrie# set description "Connects to 10.188.0.0/14 for management only"
[edit interfaces fxp0]
carrie# commit and-quit
commit complete
Exiting configuration mode

Xx xxxxxxxx, xxx xxxx xxxxxx xx xxxxxxx xx xxxxxxx xxx xxxxxxxxx xxxxxxxxx xxxxxxxx
xxxx.
TIP

Now that every user has unique accounts, you can see exactly what the different administrators
typed when they connected, something that was not possible if everyone was sharing the same
root account. The factory default configuration has enabled the logging of interactive commands,
and you can see the log with the show log interactive-commands command. This is a very powerful
forensics tool.
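An added example of putting that log to use, not code from the book or from Juniper: it parses
lines from the interactive-commands file, attributes every command to the user and mgd session that
typed it, separates the commands that changed the candidate configuration from the rest, and counts
commits per user. The sample log is constructed in the UI_* message layout; the user names follow
this chapter, while the pids, timestamps and the source address 10.189.132.5 are invented.

```python
import re
from collections import defaultdict

# One syslog line from the interactive-commands file, for example:
#   Apr 11 05:02:53  SRX1 mgd[20912]: UI_CMDLINE_READ_LINE: User 'carrie', command 'edit '
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\s+(?P<host>\S+) (?P<proc>\w+)\[(?P<pid>\d+)\]: "
    r"(?P<tag>UI_\w+): (?P<msg>.*)$")
USER_RE = re.compile(r"User '(?P<user>[^']*)'")
CMD_RE = re.compile(r"command '(?P<cmd>.*)'$")

# Command prefixes that modify the candidate configuration ('edit' only moves around in it).
CONFIG_VERBS = ("set ", "delete ", "deactivate ", "activate ", "rename ",
                "insert ", "load ", "rollback")


def parse_line(line):
    """Return a dict for a UI_* event line, or None for anything else (sshd, kernel...)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    user = USER_RE.search(rec["msg"])
    cmd = CMD_RE.search(rec["msg"])
    rec["user"] = user.group("user") if user else None
    rec["command"] = cmd.group("cmd").strip() if cmd else None
    return rec


def timeline(log_text):
    """(timestamp, user, pid, tag, command) for every UI_* event, in log order."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            events.append((rec["ts"], rec["user"], rec["pid"], rec["tag"], rec["command"]))
    return events


def activity_by_user(log_text):
    """Per user: sessions (mgd pids), every command typed, the subset that changed
    the candidate configuration, and how many commits the user issued."""
    summary = defaultdict(lambda: {"sessions": set(), "commands": [],
                                   "config_changes": [], "commits": 0})
    for _ts, user, pid, tag, cmd in timeline(log_text):
        if user is None:
            continue
        entry = summary[user]
        entry["sessions"].add(pid)
        if tag == "UI_CMDLINE_READ_LINE" and cmd is not None:
            entry["commands"].append(cmd)
            if cmd.startswith(CONFIG_VERBS):
                entry["config_changes"].append(cmd)
        elif tag == "UI_COMMIT":
            entry["commits"] += 1
    return dict(summary)


# Constructed sample; the last line is a non-UI event and must be ignored.
SAMPLE_LOG = """\
Apr 11 04:30:05  SRX1 mgd[20801]: UI_LOGIN_EVENT: User 'max' login, class 'operator' [pid 20801], ssh-connection '10.189.132.5 50412 10.189.140.99 22', client-mode 'cli'
Apr 11 04:30:12  SRX1 mgd[20801]: UI_CMDLINE_READ_LINE: User 'max', command 'configure '
Apr 11 04:30:40  SRX1 mgd[20801]: UI_CMDLINE_READ_LINE: User 'max', command 'clear interfaces statistics all '
Apr 11 05:01:50  SRX1 mgd[20912]: UI_LOGIN_EVENT: User 'carrie' login, class 'consultant' [pid 20912], ssh-connection '10.189.132.5 50601 10.189.140.99 22', client-mode 'cli'
Apr 11 05:02:10  SRX1 mgd[20912]: UI_CMDLINE_READ_LINE: User 'carrie', command 'edit '
Apr 11 05:02:53  SRX1 mgd[20912]: UI_CMDLINE_READ_LINE: User 'carrie', command 'set description "Connects to 10.188.0.0/14 for management only" '
Apr 11 05:03:01  SRX1 mgd[20912]: UI_CMDLINE_READ_LINE: User 'carrie', command 'commit and-quit '
Apr 11 05:03:02  SRX1 mgd[20912]: UI_COMMIT: User 'carrie' requested 'commit' operation (comment: none)
Apr 11 05:03:05  SRX1 sshd[20899]: Received disconnect from 10.189.132.5: 11: disconnected by user
"""

if __name__ == "__main__":
    for user, entry in sorted(activity_by_user(SAMPLE_LOG).items()):
        print(user, "sessions=%d commits=%d" % (len(entry["sessions"]), entry["commits"]))
        for cmd in entry["config_changes"]:
            print("   changed:", cmd)
```

Feed it the file copied off the SRX (file copy /var/log/interactive-commands to your
workstation, or the output of show log interactive-commands) and the per-user view answers the
question a shared root account cannot: who changed what, and in which session.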

Configuring RADIUS Support


Xx xxxxxxxxxxx xxx xxxxxxxxxxxxx xx XXXXXX xxx xx xxxxx xxx xxxxxxxxx xxxx xxx
xxxxx xxxxxxxx xxxxxxxxxx, xxx xxxx xx xxxxxx xxx xxxxx xxxxxx, xxx, xxxxx, xxx xxxxxx:
[barnys@server1 ~]$ ssh root@10.189.140.99
root@10.189.140.99's password:
--- JUNOS 10.1R1.8 built 2010-02-12 17:24:20 UTC
root@% cli
root> configure
Entering configuration mode
[edit]
root# delete system login user barnys
[edit]
root# delete system login user max
[edit]
root# delete system login user halle
[edit]
root# delete system login user carrie
[edit]
root# commit
commit complete

Xx xxx xxx, xxx xxxx xxxxx xxxxxxxxxx xxxxxxx xxxxxx xx xxx xxxx xx xx xxx xxx xxxxxx
xxxxxxxxxxxxx.
Xxxxx xxx xxxxxxxxx xxxxxxxxxx xxx xxx xxxxxxxxxxxxx xx xxx XXXXXX
xxxxxxxxxxxxxx xxx xxxxxxxxxxxxx xxxxxxxxxx, xxx xxx xxxxxx xxxxxx xxxx xxxxxxxx
xxxxx xx xxxx xxxxxxxxxxxxxx xxx xxx xxxxxx xxx xxx xx xxx XXXXXX xxxxxx xxxx.
Xxxx xxx xxx xxxxxxxxxx xxxx xxxx xxxxxxxxx xx xx xxx.
Xxx xxxxx xxxxxxxx xxxxxxxx xx xxxxxxxxxxx xxx xxxx xxxxxxx xxxxxxx xx xxx XXX xxx
xxxxx XXXXXX xxxxxxxxxxx xxx xxxxxxxxxxxxxx xxxxxxxx. Xxxx xxxxx xxxx, xxx xx
xxxxx xxx xxxxxxxx xx xxxxxxxxx xx xxxxxxx xx xxxx xxxxxxx, xxxx xxx xxx xxxx xxx xxxx
xx xxxxxxxxxxxxxx xxx xxxxxxxxxxxxx xxxxxxx. Xx, xxx xxxxxxx, xx xxx xxxxxx xxx xxxxx
xxxxxxxxxx xxxx xx xxx xxxxxxxx xxxxxxx, xxx xx xx xxxxxxx xxx xxxx xxxxxxxxx xx
xxxxxxx xxx xxxx xxx xx xxx xx xxx xxxxxxx, xxxx xxx xxx xxxxx x xxxxx xxxxxxxx. Xxxx
xxxx xxxx xxx xxxxxxx xxxxxxxxxx xxxx xxx xxxxxxxxxxxxxx xxxxx xxxx xxx XXXXXX
xxxxxx xx xxxx xxxxxxxx, xxxxxxx xxx xxxxxxxxxxxxx (xxxx xxx xxxx xxx xx) xxxxx xxxx
xxx xxxxxxx xxxxxxx xxxxxxx.

Xxx xxxxxx xxxxxxxx xxxxxxxx xx xxxxxxxxxxx xxx xxxxxxxxx xxxx xxxxxxxxxxxxxx xxx
xxxxxxxxxxxxx xxxx xxx XXXXXX xxxxxx. Xxxxx xxxx xxxxx xx xx xxx xxxxxxxxx xxx
xxxx xxxxxxxx xxxxxxxx, xxx xxxxxxxxxxxxx xxx xx xx xxxxxxx xx xxx xx xxxxxxxxx xxx
XXXXXX xxxxxx xx xxxxx xxxxxxxxxxxxxx, xxx xxxx xxxx xxx xxxxxxx xxxxxxxxxx xxxx
xx XXX. Xxx xxxxxxxxx xx xxxx xx xxxx xxxx x xxx xxxxxx xx xxxx XXXXXX xxxxxx xxx
xxx xxx xxxxx xxxxxx xx xxx xxxxxxx xxxxxxx xx xxxxxxxxx xx xxxxxxxxxxxxxx.
Xxxxxxxxxx xx xxx xxxxxxxx xxx xxxxxx, xxxxx xxx xxxxxxxxxxxxx xxxxxxxx xxxx xxx xxx
xxxx, xxxx xx xxxxxxx xxx XXX xxxx XXXXXX xxxx xx xxxx xxx xxxxxxxxxxxxxx, xxx XX
xxxxxxx, xxx xxxxxx xxx, xxx xxx xxxxxxxxxx xxxxxxx. Xxxx xxx xx.
To Configure Radius Support:

Configure the authentication order:


[edit]
root# set system authentication-order [radius password]

WARNING

Don't lock yourself out! When you configure the authentication order with RADIUS only, the local
user database is consulted only if the SRX cannot reach the RADIUS server at all (for example,
the server is down); a reachable server that rejects you is final. When you configure the
authentication order as in the example, you can still connect with local user accounts (like root)
when the server can be reached but your account is not properly configured in the RADIUS system.
In other words, configure it as in the example, so you always have a local fallback in case
something goes wrong on the server side.
Xxxxxxxxx xxx xxxxxx. Xxxxxxxx xxxx xxx xxxxxx xxxxxxxx (xx xxxx xxxx xxxxxx123) xxx
xx xx xxxxxx xx xxx XXX xxx xxx XXXXXX xxxxxx (xxxxx xx xxx Xxxxxx 2.2 xxx xxx
xxxxxxxx xxx xxxxxxxxxxx xx xxx xxxxxx):

[edit]
root# set system radius-server 10.189.132.70 secret secret123

Xxxx xxx xxxxxxxxx XXXXXX xxxxxxxxxxxxxx xxxxx xxx xxxxx xxxx xxxxxxx. Xxxx xx xx
xxxxxxxxx xxxx xxx xxxxx xxxxxxxx xx xxxxxxxxxxx xxx xxxx xxxxxxx xxxxxxx xx xxx
XXX xxx xxxxx XXXXXX xxxxxxxxxxx xxx xxxxxxxxxxxxxx xxxxxxxx xxxxxxxxx xxxxxxx.

To Configure Radius Authentication and Local Authorization:

1. Configure the user accounts, and assign them to the local classes:
[edit]
root# set system login user barnys full-name "Super-user rights" class super-user
[edit]
root# set system login user max full-name "Operator rights" class operator
[edit]
root# set system login user halle full-name "Read-only rights" class read-only
[edit]
root# set system login user carrie full-name "Consultant rights" class consultant
[edit]
root# commit
commit complete

Xxxx xxx xxxxxxxxxxx xx xxx xxxxxxxxxxxxx, xxxxxxxxxx xxxx xxxx xxxxxxxxxxxxx


xxxxxx xxxx xx xx xxx xx xxx xxxxxxxx xxxxxxx. Xxx xxxxxxx, xx xxxxx xxxxxxxx, xxx
xxxxxxxxxxxxxx xxxx xx xxxxxxx xxxx xxx xxxxxx (xxxxxxxxx xxxx xx xxxxxxx
xxxxxxxxxxx xx xxx), xxx xxxx xx xxx xxxxxxx-xxxx xxxxxx, xxx xxxx xxxx xx xxxx xx xxx
xxxx xxxxxxxxxxx xxxx xxxx xxxxxxxx (xxx xxxxxxxxxxxxx xxxxxxx xx xxx xxxxx xxxxx
xxxx-xxxx).
Xxx xxxx xxxx xx xx xxx xxxxxx xxxxxxxx. Xx xxx xxxx xx xxx xxxx xxxxxxxxxxxxxx xxx
xxxxxxxxxxxxx xxxx xxx XXXXXX xxxxxx, xxxx xxxxxxxxxx xxx XXX xxxxxxxxxxxxx, xxx
xxx xxxxxx xxxx xxxx x xxxxxx xxxx xxxxxxxxxxx, xxxxxxx xxx xxxx xx xxxx xxx
xxxxxxxxxx xxxx xxx xxxxxx xxxxx xx xxxx xxxx xx xxx xxxxxxxxx.
To Configure Radius Authentication and Authorization:

1. Delete all configured system login parameters:


[edit]
root# delete system login
[edit]

Xx xxxxx xxxxx xxxx xxxx xxxx: xxxxxxx xxx xxxxxxxx xxxx xxxxxxxx xxx xxx xxxxx
xxxxxxxxxx xxx xxxxxx xxx xxxxxx, xxxxx xxx XXXXXX xxxxxx xxxxxxxx xxxx.
2. Xxxxxx x xxxx xx xx xxxx xx x xxxxxxxxxx xxxxxxxx xxx xxx XXXXXX xxxxx:

[edit]
root# set system login user remote full-name "Radius-user template" class unauthorized

3. Xxxxxxx xxx xxxxxxxxxxxxx xxx xxxxxx:


[edit]
root# show system login
user remote {
    full-name "Radius-user template";
    class unauthorized;
}
[edit]
root# commit
commit complete

Xxx xxx xx xxx xxxxx xxxxxxxxxxxx xxxx xxx xxxx xxxxxxx. Xxxx xxx xxxxxxxxx x xxx xxxx
xxx xxxx xx xxxxxxx x xxxxx, xxxxxxxxx Xxxxx xxxx xxx xxx xxx xxxxxx, xxx xxxxxxxxxxxx
xx xx xxxxxxx x xxxxx xxxx xx xxxxxxxxxxx, xxxxx xxx xxxxxx xxxxxxxxxxx xxx xxxxx
xxxxxx xx xxx xxxx xx XXXXXX xxxxxxxxxx xxxx xxx xxxxxx. Xxxxxx xxxx xxxxxxx xx
xxx xxxxxxx xx xxxxxxxxx x xxxx xxxx xx xxxxx xxxxxxxxxx:
[edit]
root# set system login user remote1 full-name "Radius-user template2"
[edit]
root# show system login
user remote {
    full-name "Radius-user template";
    uid 2004;
    class unauthorized;
}
user remote1 {
    full-name "Radius-user template2";
    ## Warning: missing mandatory statement(s): class
}
[edit]
root# commit
[edit system login]
  user remote1
    Missing mandatory statement: class
error: commit failed: (missing statements)
[edit]
root# rollback 0
load complete

Xxxxxxx xx xx xxx, xxxx xx xxx xxxxx xxxxxxxx xxx xxxxxxxxxxxxx xx xxxx, xxxx xxxxxxx
x xxxxxx xxxx xx xxxx xxx xxxxxxx xxx xx xxxx xxxxxxxxxxxx, xxx xx xxxxxxxxxxx, xxxx
xxxxxxxxx xxx xxxxxxxxxx xx xxx xxxxxx xxxx.
Xxxx xxxxxx xx xxxxx xx xxx Xxxxxxxx xx xxx xxx xxxxxxxxxx xx xxx xxxx
xxxxxxxxxxxxx xxxxxxxxxx xx Xxxxxx Xxxxxxxxx xxx Xxxxx-Xxxxxx Xxxxxx. Xxxxxxxx,
xxxxx xxx xxxx XXXXXX xxxxxx xxxxxxx xxxxxxxxx xxxx xxx xxxx xxx xxxx xxxxxxx
xxxxxxxxx xxxx xxx xxxxxxxxxx xxxxx xx xxx Xxxxxxxx.
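An added model of the login decision this chapter walks through, written for this edition and not
taken from the book or from Juniper: it applies the authentication-order rules from the WARNING
(a reachable server's reject moves on to the next listed method; the local database is consulted
without being listed only when no server can be reached), then picks the login class the way the
two RADIUS sections describe it: the user's own local account first, then the template user named
by the Juniper-Local-User-Name attribute, then the "remote" template, otherwise no access. The
local database, the password, and the template name ro-template are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class RadiusReply:
    reachable: bool                        # did any configured server answer at all?
    accepted: bool = False                 # Access-Accept (True) or Access-Reject (False)
    local_user_name: Optional[str] = None  # Juniper-Local-User-Name VSA, when the server sends one


@dataclass
class Outcome:
    granted: bool
    method: Optional[str]        # 'radius' or 'password'; None when denied
    login_class: Optional[str]
    reason: str


# name -> {"class": ..., "password": ... or None}; None models a local account
# created without authentication, as in the local-authorization step above.
LocalDB = Dict[str, Dict[str, Optional[str]]]


def authorize(username: str, local_users: LocalDB, template: Optional[str]) -> Outcome:
    """Choose the login class for a user the RADIUS server has accepted."""
    if username in local_users:
        return Outcome(True, "radius", local_users[username]["class"],
                       "class from the user's own local account")
    if template and template in local_users:
        return Outcome(True, "radius", local_users[template]["class"],
                       "class from template user named by Juniper-Local-User-Name")
    if "remote" in local_users:
        return Outcome(True, "radius", local_users["remote"]["class"],
                       "class from the 'remote' template user")
    return Outcome(False, None, None,
                   "authenticated, but no local account, template or 'remote' user")


def login(order: List[str], username: str, password: str,
          local_users: LocalDB, radius: RadiusReply) -> Outcome:
    """Walk authentication-order the way the WARNING above describes it."""
    methods = list(order)
    # The local database is consulted when every server is unreachable even if
    # 'password' is not listed; a reachable server's reject does NOT trigger this.
    if "radius" in methods and "password" not in methods and not radius.reachable:
        methods.append("password")
    for method in methods:
        if method == "radius":
            if not radius.reachable:
                continue                     # move on to the next configured method
            if radius.accepted:
                return authorize(username, local_users, radius.local_user_name)
            continue                         # Access-Reject: next method, if any
        if method == "password":
            acct = local_users.get(username)
            if acct and acct["password"] is not None and acct["password"] == password:
                return Outcome(True, "password", acct["class"], "local password")
    return Outcome(False, None, None, "every configured method failed")


# Constructed local database mirroring this chapter: root keeps a password,
# the named accounts exist only to carry a class (password is None).
LAB_USERS: LocalDB = {
    "root":   {"class": "super-user", "password": "lab-root-pw"},
    "barnys": {"class": "super-user", "password": None},
    "halle":  {"class": "read-only",  "password": None},
}

if __name__ == "__main__":
    rejected = RadiusReply(reachable=True, accepted=False)
    print(login(["radius", "password"], "root", "lab-root-pw", LAB_USERS, rejected))
    print(login(["radius"], "root", "lab-root-pw", LAB_USERS, rejected))
```

The two calls at the bottom are the lock-out case from the WARNING: the same root password gets
in with [radius password] and is refused with [radius] alone, because the server answered.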

Chapter 5
Configuring Network and System Management
Configuring NTP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Configuring DNS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Configuring SNMP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Configuring Syslog. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

Xxx xxxx xxx xxxxxxx xxxxxxxxxxxxx xx XX xxxxxxxxxxxx, xxxxxxxxx xxxxx xxxxxxx xxx
xxxxxxx xxxxxxxxx xxxxxx xx xxxxxxxxxxxxxx, xx xx xxxxx, xxx xxx xxxxxxxxx
xxxxxxxxxx xxxxxxx xxxxxxxxxx xxxxxxx xxxx XXX, XXX, xxx XXXX (Xxxxxx Xxxx
Xxxxxx, Xxxxxxx Xxxx Xxxxxxxx, xxx Xxxxxx Xxxxxxx Xxxxxxxxxx Xxxxxxxx).
Xxxxxxxx xxxx xxxxx xxx xx xxxxxxxxxx xx xxx xxxx, xxx xx xxxx xxxxx xxxxx xx
xxxxxxxxx xxxx xx xxxx xx XX xxxxxxxxxxxx xxx xxxxxxx xxx xx xxxxx. Xxxx, xxxxxx xxxx
xxxx xx xxx xxxx xx xxx xxxxx-xxx xxxxxx XXX xxxxxxx, xxxxx xxx xxxx xxxxxxxxxxxxx
xxxxx xxxxxxxx xx xxxxxx xxxxxxx xxxxx xx xxxxxx xxxxx xxxxxxxxxx xxxxxxxx,
xxxxxxxxx xxxx xx xxxxx xxxxx xxxxxxxxxxxxxxxx xxxxx xxx xxxxxxx xxx xxxxxxxxx
xxxxxxxxxxxxxx xx xxx XXX xxxxxxxx.
MORE

Junos Security, from OReilly Media, provides an excellent first chapter on the difference within
the SRX Services Gateway platform. See www.juniper.net/books.

Configuring NTP
Xxx xxx xxxxxxxxxx xx xxxxxxxxx XXX xx xxxx xx xxxxxxxx xxx xxx x xxxxxxx xx
xxxxxxx. Xxxx xxx xxxxxxxxxxx xx xxxx xxxx, xx xxxxx xx xxxx xxxxxxxxxx xx xxxxx xxx
xxxx xxx xxx xxxxxxxxxxxxxx xxxx xxx xx xxx, xxx xxxx xxxx xxxx xxx xx. XXX xx
xxxxxxxxx xx xxxxx xxxx, xxxxx xxx xxxx xx xxxxxxxxxxxxxxx xxxxx. Xxxx, xxxxxxx xx
xxxxx xxxxxxxxxx xxxxxx xxxxxxx xxxxxxxx xxxxxxxx, xx xxxx xxx xxx xxxxx xxx
xxxxxxxx xxx xxxx xxxx xx xxxxxxxx.
Xxx xxxxxxx xx xxxxxxxxxxx XXX xx xxxxxxxxxxxxxxx, xxx xxxxxxxx xxxxxxxxx xx
xxxxxxx xxx XXX xxxxx xxx XXX xxxxxx xx, xxxxxxxxx xxx xxxxxxxxxx xxxxxxxxxx
(xxxxxxxx), xxxxxxxx xxx xxxxx, xxx xxxxxxx xxxx xxx xxxx xx xxxxx xxxxxxx xxxxxxxx.
To Configure NTP Support:

1. Configure the NTP server and time zone:


[edit]
root# set system ntp server 64.90.182.55
[edit]
root# set system ntp boot-server 64.90.182.55
[edit]
root# set system time-zone America/New_York

NOTE

If you don't have an NTP server already in place in your local network, you can use a publicly
available one. For a reference to public NTP servers visit the following NIST website:
http://tf.nist.gov/tf-cgi/servers.cgi.
Note the difference between the two NTP statements: the boot-server is queried only once, at boot
time, to set the clock before the NTP daemon starts. Once the system is up, the daemon keeps time
against the server statement. So these can be different servers, although they are the same in this
example.
2. Xxxxxx xxx xxxxxxxxxx xxxxxxxxxx (xxxxxxxx). Xxxx xxxxx xxx xxxx xxxx xxx:
root# set system ntp ?
Possible completions:
  <[Enter]>            Execute this command
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> authentication-key   Authentication key information
  boot-server          Server to query during boot sequence
> broadcast            Broadcast parameters
  broadcast-client     Listen to broadcast NTP
> multicast-client     Listen to multicast NTP
> peer                 Peer parameters
> server               Server parameters
  source-address       Use specified address as source address
+ trusted-key          List of trusted authentication keys
  |                    Pipe through a command

Xx xxx xxx xxx, Xxxxx xxxxxxxx xxxxxxx xxx XXX xxxxxxxxxxxxxx, xxxxxx-xxxxxxxxx,
xxx xxxx. Xx xxxx xxxxxxxxx xxxx xx xxxxxxxxx xxxx xxx xx xxx xxxx xx xxxxx xxxxx, xxx
xxx xxxxxxx xxx xxxxxxxxx xxxxx xx xx xxx xxxx xxxx. Xxxx xxxxx xx xx xxx xxx.
3. Xxxxxx xxx xxxxxx xxxxx xx xxxx xxx xx xxx xxx XXX xxxxxx xxxxxxxx:
[edit]
root# commit and-quit
commit complete
Exiting configuration mode
root> set date ntp
10 Jun 01:57:36 ntpdate[2730]: step time server 64.90.182.55 offset -0.000381 sec

4. Xxxxxx xxxx xxx xxxx xxx xxxx xxxx xxxxxxx xxxxxxxx:


root> show system uptime
Current time: 2010-06-10 01:58:20 EDT
System booted: 2010-06-09 14:31:27 EDT (11:26:53 ago)
Protocols started: 2010-06-09 14:32:38 EDT (11:25:42 ago)
Last configured: 2010-06-10 01:57:33 EDT (00:00:47 ago) by root
1:58AM up 11:27, 1 user, load averages: 0.20, 0.08, 0.02

5. Xxxxxx xxx xxxxxx xxx xxxxxxxxxxxx xx xxx XXX:


root> show ntp status
status=c035 sync_alarm, sync_unspec, 3 events, event_clock_reset,
version=ntpd 4.2.0-a Fri Feb 12 17:04:57 UTC 2010 (1),
processor=powerpc, system=JUNOS10.1R1.8, leap=11, stratum=16,
precision=-18, rootdelay=0.000, rootdispersion=1.215, peer=0,
refid=STEP, reftime=00000000.00000000 Thu, Feb 7 2036 1:28:16.000,
poll=4, clock=cfbafda2.3f93aff1 Thu, Jun 10 2010 1:58:58.248, state=3,
offset=0.000, frequency=0.000, jitter=0.004, stability=0.000
root> show ntp associations
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*64.90.182.55    .ACTS.           1 -    1   64    1   14.081    0.921   0.293

Configuring DNS
Xxxxxx XXX xxxxxxxxxx xx xxxxxxxxx xxx xxxxxxxx xxxxx, xxxx xxxxxxxxxxxxxxx, xxx
xxxx xx xxxx xxxxxxxxx xxxxxxx xxx xxxxxxxxx xx xxxxxxxxx XXX xxxxxxxx, xxxx XXX,
xxxx xxxxxxxx. Xxx xx x xxxx xxxx xx xxx xx xxxx.
Xxx xxx xxxxxx xxx XXX xx xxxxxxx XXX xxxxxxx xxxxxx xxx xxxxxxxxxxxxx xxxxxxx,
xxx xxx xxxx xxxxxxxx xx xxxxxxx xxx xxxxxx xxxx xxx xx xxxxxxxx, xx xxxx xxx xxx
xxxxxxx xxxxx xx xxxx xxxxxxx xxxxxxx xxxxx xxxxxxxxxx xxxx.
To Configure DNS Services:

1. Configure one or more DNS servers. They can be internal or external to the network:
[edit]
root# set system name-server 10.189.132.70
[edit]
root# set system name-server 10.189.132.68

2. Xxxxxxxxx x xxxxxx xxxx xxx xxx XXX:

[edit]
root# set system domain-name camlab.juniper.net

3. Xxxxxxxxx x xxxxxx xxxxxx xx xxxxxx xx xxxxx xx xxxxxxx xxxxx xxxxx xxxxxxx xxxxxx
xx xxxxx xxxxxxx xxxx:
[edit]
root# set system domain-search camlab.juniper.net

4. Xxxxxx xxx xxxx (xxxxx xx Xxxxxx 2.2 xxx xxxxxxxx xxxxxx xxxxx):
[edit]
root# commit
commit complete
[edit]
root# run ping count 3 juniper.net
PING juniper.net (207.17.137.239): 56 data bytes
64 bytes from 207.17.137.239: icmp_seq=0 ttl=52 time=100.416 ms
64 bytes from 207.17.137.239: icmp_seq=1 ttl=52 time=100.566 ms
64 bytes from 207.17.137.239: icmp_seq=2 ttl=52 time=100.386 ms
--- juniper.net ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 100.386/100.456/100.566/0.079 ms
[edit]
root# run ping count 3 radius
PING radius.camlab.juniper.net (10.189.132.70): 56 data bytes
64 bytes from 10.189.132.70: icmp_seq=0 ttl=126 time=0.441 ms
64 bytes from 10.189.132.70: icmp_seq=1 ttl=126 time=0.538 ms
64 bytes from 10.189.132.70: icmp_seq=2 ttl=126 time=0.828 ms
--- radius.camlab.juniper.net ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.441/0.602/0.828/0.164 ms
[edit]

NOTE

Notice that in this case, DNS resolution is tested for both an external host (juniper.net) and an
internal one (radius). For the internal name to resolve, one of the name servers configured above
must hold a record for radius.camlab.juniper.net; that DNS server is not shown in Figure 2.2.

NOTE

In addition, if you omitted the previous Step 3 in the configuration, and wanted to ping internal
hosts, you would have to fully qualify these hosts for example, ping
radius.camlab.juniper.net. This extra typing is totally unnecessary work if you are in the firewall
constantly doing troubleshooting procedures.

Configuring SNMP
XXXX xxxxxxxxxxxxx xxx xxxxxxxxx xxx xx xxxxxxx, xxx xxxx xxxx xxxxxxxxx xxx
xxxxxxxxx xxxxxxxx xxxxxxx xxx xxx xxxxxxxx xxx XXX xx xxxx xxxxxxxxxxxxx (xxxxx)
xxxx xxxxxxxxx xxxxxx xxxxx, xxx xxxxxx xxxxxxx xxx xx xxxxxxxxxx xx xxxxxxx xx xxx
XXX xx xxxx xxx xxxxxxxx xxxxxxxxxxx xx xxx xxxx.
XXXX xxxxxxxxxxxxx xx xxx XXX xx xxxxxxxxxxxxxxx, xxxx x xxxxxxx xxxxxxx
xxxxxxxxxx xxxxxx xxxxxxxxxxx xxx xxxxxxxxx, xxxxxxxx xx xxxx xxxxxxxx xxxxxxxx
xxxx xxxxxxx xxxx xxxxxxx (xxxxx xxxxxx xxxxxxx xxxxxxxxxxxxx), xxxxxxxxx xxxx xxx
xxxxxx xxxxxxx xxxx xxx xxxxxxx xx xxxx xxx XXX xxx XXXX xxxxxxx.
To Configure SNMP Support:

1. First configure the device information and a community with read-only capabilities:
[edit]
root# edit snmp
[edit snmp]
root# set name SRX1
[edit snmp]
root# set location Cambridge
[edit snmp]
root# set contact "Barny Sanchez"
[edit snmp]
root# set community management authorization read-only
[edit snmp]
root# set community management clients 10.189.132.64/27

NOTE

The clients are the management stations in the network that are allowed to poll the SRX. If you
have a dedicated out-of-band network for management purposes, using a network subnet is very
convenient. For extra security you can also specify individual IP addresses, and Junos will, in
turn, interpret these as /32 or host devices.
2. Xxx xxxx xxxxxxx, xx xxx XX xxxx xxxx xx xxx xxxxxx xx xxx XXXX xxxxxxx:
[edit snmp]
root# set trap-options source-address lo0

NOTE

Using a loopback interface is a best practice. If you make this a habit across all devices, then you
will have a consistent view of what devices generated the traps. This makes parsing tasks easier
and can simplify the reporting generated from the network.
3. Xxxxxxxxx xxx XXXX xxxxxxx, xxxx, xxx xxxxx xxxxxx xxxx xxxxxxxx xxxxxxx (xxx ? xx
xxxx xxx xxxxxxxxx xxxxxxxxxx xxxxxxxxx):
[edit snmp]
root# set trap-group management version v2
[edit snmp]
root# set trap-group management destination-port 162
[edit snmp]
root# set trap-group management categories startup
[edit snmp]
root# set trap-group management categories authentication
[edit snmp]
root# set trap-group management categories services
[edit snmp]
root# set trap-group management categories link

4. Xxxxxxxxx xxx xxxxxx xxxxxx, xx xxx xxxxxxxxxx xxxxxxx xxxx xxxx xxxxxxx xxx
xxxxxxxxx xxxxx:
[edit snmp]
root# set trap-group management targets 10.189.132.80

5. Xxxxxxx xxx xxxxxxxxxxxxx:
[edit snmp]
root# show
name SRX1;
location Cambridge;
contact Barny Sanchez;
community management {
authorization read-only;
clients {
10.189.132.64/27;
}
}
trap-options {
source-address lo0;
}
trap-group management {
version v2;
destination-port 162;
categories {
authentication;
link;
startup;
services;
}
targets {
10.189.132.80;
}
}

Configuring Syslog
Xxxxxx xxxxxxx xxx xx xx xxxx xxxxxxxxxx xxxxxxxxx xxxxxx, xxxxx xx xxx xxxxxxx
xxxxx xx xxx XXX. XXX, xxxxxxxxxxxxxx xxxxxxxx, xxxxxxx xxxxxx xxx xxxx xxxx
xxxxxxxx xxxxx xxxxx xx xxxxxx.
NOTE

Our focus in this section will be on system logging. Security logging, when you configure
security policies, will be covered in the next chapter. Security logging refers to the messages
generated from matching a security policy, and whether the policy has logging enabled. These
logs refer to events generated at the data plane after processing user data traffic.

To Configure Syslog Logging:

1. Configure the destination server, or event collector, along with any of the facilities and
severities desired:
[edit]
root# set system syslog host 10.189.132.70 source-address 10.189.140.99
[edit]
root# set system syslog host 10.189.132.70 any any

NOTE

The source-address can be anything, but it is a good practice to specify either a loopback
interface IP address, or the address of the egress interface for the events. This gives you
consistency when reading and parsing through your log files.
Also, the value any was used to specify any facility and severity value. For details on specific
values, and what they mean, please refer to the RFC5424:
http://tools.ietf.org/search/rfc5424#section-6.2.1. In the case of Junos, you can simply press
[TAB] after keying in the host IP to see the list of facilities and severities available.
Xx xxx xxx xxxxxxxxx xxxxx xxxxxxxxxxxxx xxxxxxxx xx x xxxxxx XXX xxxxxx, xxx xxx
xxxxxxxx xxxxxxxxx xxxxx xxx xxxxxx xxxxxx xxxxxxxx xxxxxx xxx xxxxxxx
xxxxxxxxxxxxx. Xx xx, xxx xxx xxxxxxx XXX Xxxxxxx Xxxxxxx Xxxxxxxxxxxxxx xx xxx
Xxxxxxxx.

Xxxxx xxxxxxx xxxxxxx xx xxxxx xxxxxx xx xxxxx xxxxxx, xxx xxx xxx xxx xxxx xxxx
xxxxxxxx xxxxxxx xx xxx xxxxxx xxxx xxx xxxxxx, xx xxxx xxx xxxxxxx xx xx xxxxxxxx
xxxxxx. Xxxx xxxxxxxxxxx xx xxxxx xx xxx xxxx xx xxxx xxxxxxx xxxxxx xx xxxxxxxx
xxxxxxx.
Xxxx xx xxx xxxxxxx xxxxxxxxxxxxx, Xxxxx xxxxxxxx xxxxx xx xxxxxx xxx xxxxxx xxx
xxxx xx xxx xxxxx xxxx xxx xxxxx xxxxxxx, xx xxx xxxx xxxx xx xxxxx xxxxx xxxxxxx xx
xxx xxxxxxx xxxxxx. Xxx xxxxxxxxx xxxxxxx xxxxx x xxx xx xxxxxxx xx xxxxx xxxxx xxx
XXX xxx xxxxxxxxxxxxx xxxxxx xxxxx xxxxxx xx xxxxxxxxx xxxxxx xxxxxxx:
[edit system syslog]
root# show
archive size 100k files 3;
host 10.189.132.70 {
authorization warning;
}
host 10.189.132.72 {
ftp info;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
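The selectors in the configuration above can be exercised offline. The following script is an added example, not code from this book or from Junos: it decodes the RFC 5424 PRI of a message and reports which of the destinations configured above would receive it, assuming the Junos rule that a severity selector also covers every more urgent level and that the facility any covers all facilities.

```python
"""Route syslog messages the way the 'system syslog' configuration above does.

Added example, not code from the book or from Junos. It decodes the RFC 5424
PRI value (facility * 8 + severity) and evaluates which of the configured
destinations a message reaches. Assumed Junos semantics: a 'facility severity'
selector matches that facility at the named severity and every more urgent
level, and the facility 'any' matches all facilities.
"""
import re

# RFC 5424 section 6.2.1 severity names, index 0 being the most urgent.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "info", "debug"]
SEVERITY_LEVEL = {name: level for level, name in enumerate(SEVERITIES)}

# RFC 5424 facility codes, named the way the Junos configuration names them.
# Only the codes needed here are listed; 4 and 10 are both "authorization".
RFC5424_FACILITY = {0: "kernel", 1: "user", 2: "mail", 3: "daemon",
                    4: "authorization", 5: "syslog", 10: "authorization",
                    11: "ftp"}
RFC5424_FACILITY.update({16 + i: f"local{i}" for i in range(8)})

# Selectors transcribed from the 'show' output above: destination -> list of
# (facility, minimum severity). 'archive size 100k files 3' only controls
# file rotation, so it plays no part in routing.
SYSLOG_CONFIG = {
    "host 10.189.132.70": [("authorization", "warning")],
    "host 10.189.132.72": [("ftp", "info")],
    "file messages": [("any", "critical"), ("authorization", "info")],
    "file interactive-commands": [("interactive-commands", "error")],
}

PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(pri):
    """Split a PRI value into (facility name, severity name)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility_code, severity_code = divmod(pri, 8)
    facility = RFC5424_FACILITY.get(facility_code, f"facility{facility_code}")
    return facility, SEVERITIES[severity_code]


def selector_matches(selector, facility, severity):
    """True when a (facility, severity) selector covers this message."""
    sel_facility, sel_severity = selector
    if sel_facility not in ("any", facility):
        return False
    # Lower level numbers are more urgent, so 'warning' also covers 'error'
    # through 'emergency'.
    return SEVERITY_LEVEL[severity] <= SEVERITY_LEVEL[sel_severity]


def destinations(facility, severity, config=SYSLOG_CONFIG):
    """All destinations whose selectors match, in a stable order."""
    return sorted(dest for dest, selectors in config.items()
                  if any(selector_matches(s, facility, severity)
                         for s in selectors))


def route_message(raw, config=SYSLOG_CONFIG):
    """Decode the PRI of a raw syslog line; return (facility, severity, destinations)."""
    match = PRI_RE.match(raw)
    if not match:
        raise ValueError("message does not start with an RFC 5424 PRI")
    facility, severity = decode_pri(int(match.group(1)))
    return facility, severity, destinations(facility, severity, config)


if __name__ == "__main__":
    # Constructed sample lines; only the PRI matters for routing.
    samples = [
        "<36>1 2011-01-01T00:00:00Z SRX1 sshd - - - authentication failure",
        "<94>1 2011-01-01T00:00:01Z SRX1 ftpd - - - transfer complete",
        "<0>1 2011-01-01T00:00:02Z SRX1 kernel - - - panic",
        "<39>1 2011-01-01T00:00:03Z SRX1 sshd - - - debug detail",
    ]
    for line in samples:
        print(route_message(line))
```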

Xxxxxxxx xxxx xxx xx xxxx xx xxx xxxx xxxx xxx xxxxxxx:
root> show log [filename]

Xxx xxxx xxx xxxxxx xxxx xxxxx, xx xx xx xxxxxxxx xx xxx xxxxxxx xxxxxxxx xx xxxxx
Xxxxx xxxxxx xxxxxxx xx xxxxxx xxxx xxxxxxxx xxxx xxxxxxx xxx xxxxxxxxx.
Xxxxxxx, xxxxxxxx xxxx xxxx xx xx xxxx xx xxx xxxxxx xxxxxx, xx xxx xxxxxxxxx xxxxxxx,
xx xxx xx xxxxxxxxx.


Chapter 6
Writing Basic Security Policies
About Zones. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Configuring Address Books. . . . . . . . . . . . . . . . . . . . . . 56
Configuring Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Configuring Security Policies. . . . . . . . . . . . . . . . . . . . . 59
Verifying Security Policies. . . . . . . . . . . . . . . . . . . . . . . . 62
Logging of Security Events. . . . . . . . . . . . . . . . . . . . . . . 64

Xxxxxxxx xxxxxxxx xxx xx xxx xxxxx xx xxx xx xxx xxxxxxxx xxxxxxxxx xx xxx XXX
Xxxxxxxx Xxxxxxx xxxxxxxx. Xx xxxxxxx, xxxxxxx xxxxxxxx xx xxxxxxxxx xxxxxxxx xx
xxx xxxxxxx xx xxxxx xx xx xxxxxxx. Xxxx xx xxx xxxxxxxx xxxxxxx xxxxxxxx, xxx xx
xxxxxxx xx xxxxxxx xxxxxxx xxx XXX xxxxx xxx xxxxxx xx xx xxxxx xx xxxxx xxxxxxxx
xxxxxxxx.
NOTE

An exception to this blocked traffic rule is the traffic in and out of the fxp0 (management)
interface. This interface is an exception because it resides in the control plane of the device, and
it cannot be used for user data traffic.
Xxxxxx xxxxxxxxxxxxx xxxxxxxx xx XX-XXXX-XXXX xxxxxxxxx: XX xxxxxxx X xx
xxxxxxx, XXXX xxxxxx X xx xxxxxxxxx, XXXX xxxx xxxxxx (xxxxxxx xxxxxxxx).
Xxxxxxxx xxxxxxx (XX xxxxxxxxx) xxxxxxxx xx xxxxxxx xx xxxxxxx xxx xxx xxxx
xxxxxxxxx xxxxxxxx:
- Source zone: the predefined or custom zone created from the perspective of the SRX that you are configuring.
- Source IP: any IP address, or an address book, that specifies a host IP, or a subnet. The source selected has to match the source zone.
- Destination zone: predefined or custom zone created from the perspective of the SRX that you are configuring.
- Destination IP: any IP address, or an address book that specifies a host IP, or a subnet. The destination selected has to match the destination zone.
- Application: predefined or custom service that defines the source/destination ports, protocol involved, and timeout value.
Xx xx xxxxxxxx xxxxxx xxxxxxx xxx xxx xxxxxxxx xxxx xxxxxxxx, xxx xxxxxx (XXXX
xxxxxxxxx) xxxxxxx xxxx xx xx xxxx xxxx xx xxx xxxxx xxxxxxx xxxxxxxx xxx xxxx
xxxxxxxxxxx:
- deny: drops the packet (silently).
- reject: drops the packet and sends a TCP-Reset to the originator of the traffic.
- permit: permits the packet.
- log: instructs the SRX to create a log entry for matching packets.
- count: provides accounting information per session.

Xxxxx xxx xx xxxx xxxxxx xx xxxx xxxxxxxxx xx xxxxxxxx xxxxxxxxxx xx xxxxxxx


XXX xxxxxxx (xxxx xxxxxx xxxxxx xx xxxxxxxx). Xxxx xxxxxxx xxxxxxx xxx xx xxx
xxxxxxx, xxxx xxx xxxxxxxxx xxxxxxx xxxxxxxx xxxxxxxx xx x xxx-xxxx xxxxxxx xxxxx xxx
xxxx xxxxxxxx xxxxxxxxx xxxxxx xxx xxxxxxx. Xx x xxxxx xx xxxxx xxxx xxx XXX xxxx
xxxx xx xxx xxxxxxxxxx xx xx xxxx xxxxx xxxxxxx xxx xxxxx xxxxxxxxxx xxxxxxx xxx xxxx
xx xxx xxxxxxxx. Xx xxx xxxxxxxxxx xxxxxxx xxxxxxx xxx xxxx xxxxxx xxx xx xxxxx xxx
xxxx (XXXX xxxxxxxxx), xxxx xxx xxxxxxx xxxxxxxx xxxxxx xxxx-xxx xx xxxxxxx.
Xxxxx xxx xxxxxxxxxx xx xxxxxxxx xxxxxxxx xxxxxxx xxxxxxxxxxxx xx x xxx-xxxx xxxxxx,
xx xx x xxxx xx xxxxx xx xxxxx xxx xxxx xxxxxxxx xxxxx xx xxx xxx xx xxx xxxx xxx xxx
xxxx xxxxxxx xxxxxxxx xx xxx xxxxxx. Xx xxx xxxx xx xx xx, xxxx xxx xxx xxxxxx x xxxx
xxxxxxxx xxxxx xxxxxxxx xxxx x xxxx xxxxxx xxx.
Xxxx xxx xxx xx xxxx xxxx xxxxxxxx xxxx xx xxxxxxx (xxxxx, xxxxx xx Xxxxxx 2.2x
xxxxxxxxxxxx xx xxx xxxx xxxxxxxx xx xxxxx xxxxxxxxxx xxx xxxxxxxxx xxxxxxxxxxxx xx
xxx XXX3400). Xx xxxxxx, xxxx xxxxx xxxx xxx xxxxx xxxxx xxxx xx xx xxxx xxxxx xx xx
xxxxxx xx xxxxx xxx xxxxxxxxxxxxx:
- Permit any traffic from any hosts in the zone admins to any destination in the untrust zone.
- Permit custom traffic from any hosts in the zone admins to any other host in the same zone.
- Deny any traffic from the zone untrust to admins.

About Zones
Xx xxxxxx, x xxxx xx x xxxxxxx xxxxxxxxx xxxx xx xxxxx xxxxxxxxxx xxxx xxxxxxx
xxxxxxxx xxxxxxxxxxxx (xxx Xxxxxx 2.1). Xxx xxxxxxx, xxxxxx xxxx xx xxxx xxxxxxxxxxxx
xxxxx xx x Xxxxx Xxxxxxxxx xxxxxxxxxx, xx xxx xxxxxxxx xxxxx xxxxxxxx xx XX xxx xx
xxxxx xx xxx xxxx XX. Xxx xxxxxxxx xxxxxxxxxx xxxx xx Xxxxxxx xxx xx xxxxx xx x
xxxx Xxxxxxx, xxx xx xx. Xxxx xxxxx xxx xxxxxxx xxxxxxxxxxx, xxx xxx xxx xxxx xxxx
xxxxxxxx xxxx xxxxx xxx xxxx xxxxx xx xxx.
TIP

If you are working in a large deployment involving managed services or multiple groups, it is
best that you use a structured naming convention, as this reflects in the logging that the firewall
generates, making troubleshooting and accounting tasks simpler and cleaner.

Xxxxx xx x xxxxxxxxxx xxxxxxxx xxxx xx xxx XXX xxxxxx xxxxx-xxxxxxx xxxx xxxx xx
xxxxxxxx. Xx xxxxxxxx, xxx xxxxxxx xxxxxxx xxxxxxxxxxxxx xx xxxxxx XXX xxxxxxxxxx
xxx xxx xxxxxxxxxx xxxxx: xxxxx xxx xxxxxxx. Xxxxx xxx xxxxx xxxxx xxx xx xxxxxxxx xx
xxxx xxxxxxx.
Xxxxx xxx xxxxx xxxxxx xxx xxxxxxx xxxx xxxxx, xxxxx xxxx xx xx xxxxxxx, xxx xxx
xxxxxxxxxxxxx xxxxxxxxxx xxxx xxxx xx xx xxxxxxxx xx xxxx.
Xx xxx xxxx xxxx xxxxxxxxx xxxx xxxx xxxxxxxxxxxx xxxx xxx xxxxxxxxx, xxx xxxxxxxxxx
xxxxx xxx xxxxxxxxxx xx Xxxxxxx 3. Xxx xxxxxx xxxxxx xxxx xxxx xxxx:
[edit security]
root# show
zones {
security-zone untrust {
host-inbound-traffic {
system-services {
ssh;
ftp;
telnet;
ping;
}
}
interfaces {
ge-0/0/1.0;
ge-0/0/2.0;
}
}
security-zone admins {
interfaces {
ge-0/0/0.0;
}
}
}

Xx xxxxxxxx, xxxxx xxxxxxxx xxx xxxxxxx xxxxxxxxxx xxxxxx xx xxx xxxxx xxxxxxxxx.
Xxx xxx xxxx xxxxxxxx xxxxx ? xxxxxxx xxx xxx xxx xxxxxxxx.

Configuring Address Books


Xx xxxxxxx xxxx xx x xxxx xxxxx xx xx XX xxxxxxx xx xxxxxx. Xxx xxxx xxx xxx xx xxxxxxx
xxxxxxxxxxx, xxx xxxx xxxx xxxx xxxxx, xx xxxx xx xx xxxxxxxxx xxxx x xxxxxx
xxxxxxxxxx xxxx xxx xxx xxxxxxx xxxx xxxxxxxx xx xxxxx xx xxxxx xxxxxxxxxxx.

Xxxxxx xxxx xxxxxxx xxxxxxxxx xxxx xxxxx xxxxxxx, xxxx xxxxxxxxxxx Xxxxx xxxxxxxx
xxxxxxxx xx x XXX xxxxxx, xxx xxxxxxxxx xxx xxxxxxx xxxxx xx xxx xxxxxx xxx
xxxxxxxxxxx xxxxxxxxx, xxx xx xxx xxxxxx xxxxxxx xx XXx. Xxxx xxxxx xxx x xxxxxxxxxx
xxxxxx, xxxxxxxx xxx xx xxx xxxx xxxxxxxxxxxxx xx x xxxx xxxxx, xxxxxxxx xxxxxx.
Xx xxx xxx xx x xxxxx xx xxxx xx xx xxx xxxx xxxxx, xxx xxx xxxxxx xxx xxx xxxxxxxxxx
xxxxxxx xxxx xxx xx xxx xxxxxx xxx xxxxxxxxxxx. Xxxx xxxxxxxxxx xxx xxx xxx XX
xxxxxxxxx.
Xxxxxxxxx xxx xxxxxxx xxxxxxxx xx Xxxxxx 2.2, xxx xxx xxxxx xx xxxxxxxxx x xxxxxxxx
xxxxxxx xxxx xxx xxx xxxxxxxx xx xxx xxxx xxxxxx.
To Configure Address Books:

Stop and think for a moment, please! From the perspective of the firewall, where does the host
reside? In this case it would be the admins zone, so make sure the address book is created in
that zone.
Xxxxxx xxx xxxxxxx xxxx xxxxx XX1:
[edit security]
root# edit zones security-zone admins
[edit security zones security-zone admins]
root# set address-book address PC1 192.168.2.2

Xxxxxx xxx xxxxx xxx xxxxxx xxx Xxxxx xxxxxxxxxxxxx xxxxxxx xxxx xx x /32 xxxxx
xxxxx xxx xxxxx xxxxxxx x xxxxxx xxxx:
[edit security zones security-zone admins]
root# show
address-book {
address PC1 192.168.2.2/32;
}
interfaces {
ge-0/0/0.0;
}

Xxxxx xxx xxxxxxxxxxx xxxxxxx xxx xx xxx xxxx xx xxx xxxxxxx xxxx (xxx xxxxxx xxx),
xx xxxxxxxx xxxxx xxxxx xx xxxx xxxx xx xxxx xxxx xxx xx xxx xxxxxxx xxxx xxx xxx
xxxxxxxxxxx xxxxxxx.
TIP

Creating multiple address books for hosts in a zone is not a problem. However, if you want to
gather those individual entries in a group to simplify your policy creation, then you can create
address-sets for this purpose. The concept is very similar to the creation of an address book, but
instead of specifying IP addresses or prefixes, you specify the individual address books that you
want to belong to that address-set group. For example:

[edit security zones security-zone admins]
root# set address-book address-set PCs address PC1
[edit security zones security-zone admins]
root# set address-book address-set PCs address PC2

Configuring Services
Xxxxxxxx xxxxxxx xxx xxxxxxxxxxxx xxxx xx xxx xxxxxxxx, x xxxxxxxxxxx xx
xxxxxx/xxxxxxxxxxx xxxxx, xxxxxxxx, xxx xxxxxxx. Xxx xxxxx xxx xxxxxxxx xxx xxxx xx
xxx XXX/XX xxxxxx xxxxxx, xxx xxx xxxxxxx xxxxxx xx xxx xxxx xxxx x xxxxxxxxxx
xxxxxx xxxx xx xxxx xx xxxxxx xxxxxx xx xx xxxxxx, xx xx xxxxxxxxxx xxxxxxx xxxxx xxx
xxxx xxxxxxxx xxxxxx.
Xxx XXX Xxxxxxxx Xxxxxxx xxxxxxx xxx xxxxxxxx xxxxxxxxx. Xxxx xx xxxxxxxx xxxxxx
xx xxxxxxx xxx xx xxxxxx xx xxxxx, xxxx xx xxxxx xxxxxxxxxxx xxxx xxxxxx xxx xxx
xxxxxxxxxxxxx xxxxxx xx xxxx xx xxxxxx (xxxxxxx xxxxx) xx xxxx xxxxxxxxxx xxxxxxx xxx
xxxxxxxxx xxxxxx. Xx, xxxxx x xxxxx (xxx xxxxxxx xxxxx), xx xxxxxxxxxx xxxxxxx xxxxx
xxx xxxx xxxxxxxx, xxx xxxxx xx xxxxxx xxxx xxxxxx. X xxxxxx xxxxxx xx xxxxxxx xxx xx
xxxx xx xxxxxx, xxx xxxx xx xxx xxx xxxxxxxx xxx xx xx xxxxxxxxx xxxxx xxxx xx xxxx
xxxxx.
Xxx xxxx xxxxxx xxxx xx xxxxxxxxx xxxxxxxx. Xx xxxx, xxxxx xx x xxxx xx xxx-xxxxxxx
xxxxxxxx, xxx xxx xxx xxx xxxxx xxxxxxx xxxx xxxxxxxxxxxxx xxxx xxxx xxx xxxxxxx:
[edit]
root# show groups junos-defaults applications

Xx xxx xxxx xxxxxx xxx xxxx xx xxxxxx x xxxxxxx xx xxxxxxxxxxx x xxxxxxxxxx


xxxxxxxxxxx xx xxxx xxxxxxx, xxxx xxx xxxxxxx xx xx xxxxxx xx xxx xxxxx xxx xxxxxxxx
xxxxxxxx, xxxxxxxx xxx xxxxxxx xxxxxxx xxx xxxx x xxxxxxxx xxxxx xxxx xx xx, xxx
xxxxxxxxx x xxx xxxxxxx. Xxx xxxxxxx, xxxx xxxxxx xxx xxxx xx xxxxxxxxx x xxxxxx
xxxxxxx XXXXXXX1 xx xxxxxxxxxxx xxxxxxx xxxx xxxxxxx xxx xxxxxxxxx xxxxxxxx:
- Source ports: range from 2000 to 4000
- Destination port: 1111
- Protocol: TCP
- Timeout: 1800 seconds

To Configure a Custom Service:

1. One single line of code allows you to create a new service. If you're following along on your
device, try keying in the following. Note that there are many options available to you as you key
each command segment. Use the ? prompt as you are typing the following command:
[edit]
root# set applications application SERVICE1 source-port 2000-4000 destination-port 1111 protocol tcp inactivity-timeout 1800

2. Xxxxxx xxx xxxxxxxxxxx xxxxxxxxxxxxx:
root# show applications
application SERVICE1 {
protocol tcp;
source-port 2000-4000;
destination-port 1111;
inactivity-timeout 1800;
}

Xxx xxx xxxxxxxxx xxxx xxxxxx xxxxxxxxxxxx; xxxxx xx xx xxxx-xxx xxxxx xx xxx xxxxxx
xx xxxxxxxxxxxx xxxx xxx xx xxxxxxx.
Xxxx xxxx xx xxx xxxxxxx-xxx xxxxxx, xx xx xxxxxxxx xx xxxxx xxxxxxxx xxxxxxxx
xxxxxxxx xx xxxxxxxxxxx xxxxxxx-xxxx, xxxxxx xxx xxxxxxxxxxxxx xx xxxxxxxx xxxxxxxx
xxxxxx xx xxx. Xxx xxx xx xxxxxxxxxx xxx xxxxxx xxxxxxxx xx xxxxxxxxx, xxx xxxxxxx:
[edit]
root# set applications application-set MYSERVICES application SERVICE1
[edit]
root# set applications application-set MYSERVICES application junos-http
[edit]
root# set applications application-set MYSERVICES application junos-ping
[edit]
root# set applications application-set MYSERVICES application junos-dns-udp
[edit]
root# set applications application-set MYSERVICES application junos-dns-tcp

Configuring Security Policies


Xxxxxxxxxxx x xxxxxxxx xxxxxx xxxxx xxx xxx xxxxxxxx xxxxxxxxxx xxxxxxxx. Xxxx
xxxxxxxx xxxx xxxx xxx xxxxxxxxxxx xx xxx xxxxxx, xxxxxxx xx xxxxxxxx x xxxx xxx
xxxxxxx x xxxx. Xxxxxxx xxx xx xxxxxxxx xxx xxxxxxx xxxxxxxxxx xxxxx xx xxx xxxx xxxx
(xxxxx-xxxx xxxxxxx), xx xxxxxxxx xxxxx (xxxxx-xxxx xxxxxxx) xxxxxxxxxx xx xxx
xxxxxx xxx xxxxxxxxxxx xxxxx, xxx xxxxxxx xxxx xx xxxxxxx, xx xxxxxxx xxxx xxx, xx xxx
xxxx xxxxxxxxx x xxxxxx xx xxxx xx xxxxxxxxx.

Xxx xxxxxxxxxxx xx xxx xxxx-xxxx xxx xxxxxxxxxxx-xxxx xx x xxxxxxx. Xxxx xxxxxxx


xxxxxxx xx xx xxxxxxxxx xxx XXX xxxxxxxxxxx xxxxx xxx xxxxxxxx xxxx xx xxxx xx
xxxxxxxxxx xx xxx xxxxxxxxx-xxxx xxxxxxx. Xxx xxxxxxxxxxx xxxx, xx xxxxxxxxxx xx
xxxxxxxxxx x xxxxx xxxxxx xx xxx xxxxxxxxxxx XX xxxxxxx. Xxxx xxx xxxxxxx xx
xxxxxxxxxx, xxx XXX xxxx xxxxxxxx xx xxxxxxx xxxxxx xx x xxx-xxxx xxxxxxx xx xxx
xxxxxxxx xxxxxx xx xxxx x xxxxx xxx xxx xxxxxx. Xx x xxxxx xx xxxxx, xxx xxxxxxxxxxxxx
xxxxxxxxxx xxxxxx xx xxxxxxxxx, xx xxx, xxx xxxx-xxx xxxxxxx xx xxxxxxx. Xxxxxx 6.1 xxx
xxxx xxx xxxxxx xxxxxxxxxx xxxx xxxx.
TIP

For a detailed explanation of processing packets through the SRX, please refer to the Junos
Security Configuration Guide. Version 10.1 can be located at:
https://www.juniper.net/techpubs/software/junos-srx/junos-srx10.1/index.html. The book Junos
Security, published by O'Reilly Media, also contains excellent descriptions and examples of the
processing of packets through the SRX.

Figure 6.1 Context and Policy Lookup


Xxxx xx xxxx xx xxx xxxxxxxxxxxx xxxxxxxxx xx xxx xxxxxxxxx xx xxxx xxxxxxx, xxx
xxxxxxxxx x xxxxxxxx xxxxxx:
Xxxxxx xxx xxxxxxx xxxx xxx xxxxx xx xxx xxxx xxxxxx xx xxx xxxxxxxxxxx xx xxx
xxxxxxx xxxx.
To Configure the Security Policy:

1. Identify the context:
[edit]
root# edit security policies from-zone admins to-zone untrust

2. Xxxxxx x xxxxxx, xxxxxx xx x xxxx xxxx xxxxx xxxxx. Xx xxxx xxxx, xxx xxx xxxxx xx
xxxxxx x xxxxxx xx xxxxx xxx xxxxxx/xxxxxxxxxxx xxx xxxxxxxxxxx. Xxxxxx xxxx xxxx
xxxx xxxxxxxxxxx xx xxx XX xxxxxx:

[edit security policies from-zone admins to-zone untrust]
root# set policy admins_to_untrust match source-address any destination-address any application any

3. Xxx xxxxxxxxx xxxx xx xx (XXXX xxxxxx) xx xxx xxxxxxxx xxxxxxxxxx xxx xxxxxxx xx
xx xxxxxxxx xxxxxx. Xxx xxxxxxxxxxx xx xx xxxxxx xxx xxxxxxx:
[edit security policies from-zone admins to-zone untrust]
root# set policy admins_to_untrust then permit

Xx xxxx xxxx xxx xxxx xxxxxxx xxxxxxxxx xxx xxxxx xxxxxxxxxxx. Xxxx xxx x xxxx
xxxxxxxxxx xxxxxxx, xxx xxx xxx xxxx xxxxxxxxxx xxxx xxxxxxx, xxxx xx xxxxxxxx
xxxxxxxx xxx xxxxxxxxxx xxxxxxxx, xx xxxxxxx xx xxxxxx xxxx x xxxxxxx xx xxxxxxx, xx
xxxxxx, xxxxx xxxxxxxx xxxx xxxxxx.
Xxxxx xxxxxxxx xxxx xx xxxxx xxxxx xxxxxxx xxx xxxxxx xxxxx xxx xx xxxxxxx xxxx xxxx:
[edit security policies from-zone admins to-zone untrust]
root# show
policy admins_to_untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
log {
session-init;
session-close;
}
count;
}
}

Xxxx xxx xxxxxxxxx xxx xxxxxx xxxxxxxxxxx xxxx xxx xxxx xx xxx xxxxxxxxx xx xxxx
xxxxxxx:
Xxxxxx xxxxxx xxxxxxx xxxx xxx xxxxx xx xxx xxxx xxxxxx xx xxx xxxxx xxxx xx xxx
xxxx xxxx.
To Configure the Second Security Policy:

1. Identify the context:
[edit security policies from-zone admins to-zone untrust]
root# up
[edit security policies]
root# edit from-zone admins to-zone admins
[edit security policies from-zone admins to-zone admins]

2. Xxxxxx x xxxxxx, xxxxxx xx x xxxx xxxx xxxxx xxxxx. Xx xxxx xxxx, xxx xxx xxxxx xx
xxxxxx x xxxxxx xx xxxxx xxxxxx xxxxxxx xxxx xxx xxxxx xx xxx xxxx xxxx. Xxx xxx
xxxxxx xxxxxxx xxx xxx xxx xxx xxxxxx XXXXXXXXXX xxxxxxxx-xxx, xxxxxxxxxx
xxxxxxxxxx:
[edit security policies from-zone admins to-zone admins]
root# set policy intra_zone_traffic match source-address any destination-address any application MYSERVICES

3. Xxx xxxxxxxxx xxxx xx xx (XXXX xxxxxx) xx xxx xxxxxxxx xxxxxxxxxx xxx xxxxxxx xx
xx xxxxxxxx xxxxxx. Xxx xxxxxxxxxxx xx xx xxxxxx xxx xxxxxxx, xxx xxx xxx xxxx xxxxxx
xxxxxxx xxx xxxxxxxx:
[edit security policies from-zone admins to-zone admins]
root# set policy intra_zone_traffic then permit
[edit security policies from-zone admins to-zone admins]
root# set policy intra_zone_traffic then log session-init
[edit security policies from-zone admins to-zone admins]
root# set policy intra_zone_traffic then log session-close
[edit security policies from-zone admins to-zone admins]
root# set policy intra_zone_traffic then count

Xxx xxxxxx xxxxxx xxxxxxxxxxx xxx xxxx xxxxxxxxx. Xx xxx xxx xxxxx xxxxxxxxxxx,
xxxxx xx xx xxxxxxxxxxxxx xxxxxx, xxxxx xxx xxxxxxx xxxxxx xxxx-xxx xxxx xxxxxxxx xxxx
xxx xxxxxxxx xxxxxxxxxx xxx xxxxxxx xx xxx xxxxxxx (xxxx-xxxx xxxxxxx xx-xxxx xxxxx).
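The zones, address book, custom service, application-set and the two policies built in this chapter can be checked as a whole with a small model of the policy lookup. The script below is an added example, not Junos code: it transcribes the configuration shown above and assumes the lookup order described (context by ingress and egress zone, first matching policy wins, default deny otherwise); predefined applications are modelled by protocol and port only.

```python
"""Model of the SRX policy lookup built from the configuration above.

Added example, not Junos code. Zones, address book, applications and the two
policies are transcribed from the 'show' output above; the packets are
constructed. Assumed behaviour: the first packet of a session is classified
into a context (from-zone, to-zone) by its ingress and egress interfaces, the
context's policies are tried in order, the first match wins, and a context
with no match falls to the default deny. Predefined applications are modelled
by protocol and port only (ALG and ICMP type details left out).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY_PORT = range(0, 65536)

# Interface -> zone, from 'security zones' above.
ZONE_OF_INTERFACE = {"ge-0/0/0.0": "admins", "ge-0/0/1.0": "untrust",
                     "ge-0/0/2.0": "untrust"}

# Zone -> address book; an entry can only be used by policies in its zone.
ADDRESS_BOOKS = {"admins": {"PC1": ip_network("192.168.2.2/32")}}


@dataclass(frozen=True)
class Application:
    protocol: str
    destination_ports: range
    source_ports: range = ANY_PORT


APPLICATIONS = {
    "SERVICE1": Application("tcp", range(1111, 1112), range(2000, 4001)),
    "junos-http": Application("tcp", range(80, 81)),
    "junos-dns-udp": Application("udp", range(53, 54)),
    "junos-dns-tcp": Application("tcp", range(53, 54)),
    "junos-ping": Application("icmp", ANY_PORT),
}
APPLICATION_SETS = {"MYSERVICES": ["SERVICE1", "junos-http", "junos-ping",
                                   "junos-dns-udp", "junos-dns-tcp"]}


@dataclass(frozen=True)
class Policy:
    name: str
    source_address: str
    destination_address: str
    application: str
    action: str          # permit, deny or reject
    log: bool = False
    count: bool = False


# Context -> ordered policies, as configured above; untrust->admins has none.
POLICIES = {
    ("admins", "untrust"): [Policy("admins_to_untrust", "any", "any", "any",
                                   "permit", log=True, count=True)],
    ("admins", "admins"): [Policy("intra_zone_traffic", "any", "any",
                                  "MYSERVICES", "permit", log=True, count=True)],
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    sport: int
    dport: int
    in_if: str
    out_if: str


def address_matches(name, zone, address):
    """'any' matches all; a named entry must exist in that zone's address book."""
    if name == "any":
        return True
    prefix = ADDRESS_BOOKS.get(zone, {}).get(name)
    return prefix is not None and ip_address(address) in prefix


def application_matches(name, pkt):
    """Expand an application-set, then test protocol and both port ranges."""
    if name == "any":
        return True
    for app_name in APPLICATION_SETS.get(name, [name]):
        app = APPLICATIONS[app_name]
        if (app.protocol == pkt.protocol and pkt.dport in app.destination_ports
                and pkt.sport in app.source_ports):
            return True
    return False


def lookup(pkt):
    """Return (policy name, action); default deny when no policy matches."""
    context = (ZONE_OF_INTERFACE[pkt.in_if], ZONE_OF_INTERFACE[pkt.out_if])
    for policy in POLICIES.get(context, []):
        if (address_matches(policy.source_address, context[0], pkt.src)
                and address_matches(policy.destination_address, context[1], pkt.dst)
                and application_matches(policy.application, pkt)):
            return policy.name, policy.action
    return "default-policy", "deny"
```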

Verifying Security Policies


Xxxxx xxx xxxxxxxx xxxx xx xxxxxx xxxxxxxx xxxxxxxx. Xxxxxx xxxxxxxxxx xx xxx xxx,
xxx xx x xxxx xxxxxx-xxxxx xxxx xxx xxxx xxxx xxx xxxxx, xx xxxxxxxxxx xxxxxxxx, xx
xxxx xxxxxxxxxxxxx.

Try It Yourself: Examining Security Policies


Use show commands to verify the policies configured. Pay close attention to the output. The detail option is a favorite since it
displays policy statistics.
> show configuration security policies
> show security policies ?
> show security policies to-zone untrust
> show security policies detail

Xxxxxxx xxx xx xxxxxx xxxx xxx xxxxxxxx xxxxxxxx xxx xxxxxxx xx xxxxxxxx xx xx xxxx
xxxx xxxxxxx. Xx x xxxxxxxxxx xxxxxxx, xxx xxx xxxx xxxxxxx xxx xxxxxxx xxxxx xxxx
xxx XXX xxxxxxx xxx xxxxx xxx xxxxxxxx xxxxxxxxxxx.
Xxxxx xxxxxxx xxxx xxx XX xx xxx xxxxxx xxxx xxx xxxxxxxxxx xxxxxxxx xxxxxxx
xxxxxxxx, xxxxxxx xxxx xxx XXX xx xxxxxxx xx xxx xxxxxxx xxxxx xxxx xxxx xxxxxxxx:
[edit security policies]
root# run show security flow session
Session ID: 100001782, Policy name: admins_to_untrust/4, Timeout: 1796
In: 192.168.2.2/4777 --> 216.52.233.201/443;tcp, If: ge-0/0/0.0
Out: 216.52.233.201/443 --> 192.168.2.2/4777;tcp, If: ge-0/0/2.0
Session ID: 100001790, Policy name: admins_to_untrust/4, Timeout: 1800
In: 192.168.2.2/4781 --> 209.239.112.126/80;tcp, If: ge-0/0/0.0
Out: 209.239.112.126/80 --> 192.168.2.2/4781;tcp, If: ge-0/0/2.0
Session ID: 100001846, Policy name: admins_to_untrust/4, Timeout: 1404
In: 192.168.2.2/4788 --> 66.235.120.98/80;tcp, If: ge-0/0/0.0
Out: 66.235.120.98/80 --> 192.168.2.2/4788;tcp, If: ge-0/0/2.0
Session ID: 100002381, Policy name: admins_to_untrust/4, Timeout: 6
In: 192.168.2.2/47621 --> 24.47.122.98/43519;udp, If: ge-0/0/0.0
Out: 24.47.122.98/43519 --> 192.168.2.2/47621;udp, If: ge-0/0/2.0
<snip>

Xxxxx xxx xxxxxx xxxx xxxxxxx xxx xxxxxxxx xx x xxxxxx xxxx xx xxxxxx xx xxxxxx xxxx
xxxxxxxx xx xxxxx xx xxxx xxxxx. Xxx xxx xxxxxxx xxx xxxxxx/xxxxxxxxxxx XXx, xxxxx,
xxxxxxxx, xxxx-xxx xxxxxx, xxxxxxxxxx xxxxxxxx, xxx xxxxxx xxxx xxxxxxx xxx xxxxxxx,
xxx xxxx. Xxxxxx xxxx xxxxxxx xxx xxxxxxx xx xxxxx xxxxx xx xxx xxxx, xxxxxxxxxxxx
xxx xxxxxxxxxxxxx xxxxxxxxxxx xx x xxxxxxx (x xxxx). Xx xxxxxxx xxxxxxxxx, xxx XXX
xxxxxxx xxxxxxxxxxxxx xxxxxxx xx xxxxxx xx xxxxx xxx xxxxxx xxxxxxx xxxx xxxxxxx
(xxxx xx xxxx xx xxxxx xx xxxxxxxx xxxxxxxx).

Xx x xxxxxxxxxx xxxxxxx xxxxx xxxx-xxx XXXx, xx xx xxxxxxxxx xx xxxx xxxxx xx


xxxxxxxx xx xxxxxxxx, xx xxxxxxx xxxx xxxxxxx xxxxx xxxxxx xxx xxxx xxxxxxxxxxx. Xx
xxxxxx xxxx xxxxxx, xxx xxx xxx xxxxxxxxx xxxxxxxxxx xx xxxxxx xxx xxxxxxx xxxxxxxx
xx x xxxxxxxxxx XX, xx xxxx, xx xxxxxx xxxx x xxxxx xxxxxxxxx. Xxx Xxxxx xxxxxxx 10.1
xxxxxx xxx xxxxxxxxx xxxxxxx:
root# run show security flow session ?
Possible completions:
  <[Enter]>            Execute this command
  application          Show session for specified application or application set
  destination-port     Show each session that uses specified destination port
  destination-prefix   Show each session that matches destination prefix
  idp                  Show IDP sessions
  interface            Show each session that uses specified interface
  protocol             Show each session that uses specified IP protocol
  resource-manager     Show resource-manager sessions
  session-identifier   Show session with specified session identifier
  source-port          Show each session that uses specified source port
  source-prefix        Show each session that matches source prefix
  summary              Show summary of sessions
  tunnel               Show tunnel sessions
  |                    Pipe through a command
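When the session table is exported rather than inspected on the box, the same narrowing the CLI keywords above provide can be done on the text. The script below is an added example, not Junos code: it parses the session listing shown above (copied here as a constructed sample) and filters it by source-prefix, destination-prefix, destination-port, protocol or interface, assuming every session is printed as a Session ID line followed by an In and an Out wing.

```python
"""Parse 'show security flow session' output and filter it the way the CLI
keywords above do (source-prefix, destination-port, protocol, interface).

Added example, not Junos code. SAMPLE_OUTPUT is constructed from the session
listing shown above; the parser assumes each session is printed as a
'Session ID' line followed by an 'In:' and an 'Out:' wing.
"""
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SAMPLE_OUTPUT = """\
Session ID: 100001782, Policy name: admins_to_untrust/4, Timeout: 1796
In: 192.168.2.2/4777 --> 216.52.233.201/443;tcp, If: ge-0/0/0.0
Out: 216.52.233.201/443 --> 192.168.2.2/4777;tcp, If: ge-0/0/2.0
Session ID: 100001790, Policy name: admins_to_untrust/4, Timeout: 1800
In: 192.168.2.2/4781 --> 209.239.112.126/80;tcp, If: ge-0/0/0.0
Out: 209.239.112.126/80 --> 192.168.2.2/4781;tcp, If: ge-0/0/2.0
Session ID: 100001846, Policy name: admins_to_untrust/4, Timeout: 1404
In: 192.168.2.2/4788 --> 66.235.120.98/80;tcp, If: ge-0/0/0.0
Out: 66.235.120.98/80 --> 192.168.2.2/4788;tcp, If: ge-0/0/2.0
Session ID: 100002381, Policy name: admins_to_untrust/4, Timeout: 6
In: 192.168.2.2/47621 --> 24.47.122.98/43519;udp, If: ge-0/0/0.0
Out: 24.47.122.98/43519 --> 192.168.2.2/47621;udp, If: ge-0/0/2.0
"""

SESSION_RE = re.compile(
    r"Session ID: (?P<id>\d+), Policy name: (?P<policy>[^/]+)/(?P<index>\d+), "
    r"Timeout: (?P<timeout>\d+)")
WING_RE = re.compile(
    r"^\s*(?P<dir>In|Out): (?P<src>[\d.]+)/(?P<sport>\d+) --> "
    r"(?P<dst>[\d.]+)/(?P<dport>\d+);(?P<proto>\w+), If: (?P<intf>\S+)")


@dataclass
class Session:
    session_id: int
    policy: str
    timeout: int
    source: str
    source_port: int
    destination: str
    destination_port: int
    protocol: str
    in_interface: str
    out_interface: str


def parse_sessions(text):
    """Build one Session per 'Session ID' block; incomplete blocks are skipped."""
    sessions, head, wings = [], None, {}
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            head, wings = m.groupdict(), {}
            continue
        m = WING_RE.match(line)
        if m and head is not None:
            wings[m.group("dir")] = m.groupdict()
            if "In" in wings and "Out" in wings:
                i = wings["In"]   # the In wing carries the original 5-tuple
                sessions.append(Session(
                    int(head["id"]), head["policy"], int(head["timeout"]),
                    i["src"], int(i["sport"]), i["dst"], int(i["dport"]),
                    i["proto"], i["intf"], wings["Out"]["intf"]))
                head = None
    return sessions


def filter_sessions(sessions, source_prefix=None, destination_prefix=None,
                    destination_port=None, protocol=None, interface=None):
    """Apply the same narrowing the CLI keywords of the same name offer."""
    kept = []
    for s in sessions:
        if source_prefix and ip_address(s.source) not in ip_network(source_prefix):
            continue
        if destination_prefix and ip_address(s.destination) not in ip_network(destination_prefix):
            continue
        if destination_port is not None and s.destination_port != destination_port:
            continue
        if protocol and s.protocol != protocol:
            continue
        if interface and interface not in (s.in_interface, s.out_interface):
            continue
        kept.append(s)
    return kept


def sessions_per_policy(sessions):
    """Count sessions by policy name: a quick check that the intended policy matched."""
    return Counter(s.policy for s in sessions)


def expiring_within(sessions, seconds):
    """Sessions whose idle timeout is at or below the threshold."""
    return [s for s in sessions if s.timeout <= seconds]
```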

Logging of Security Events


Xxxxxxx 5 xxxxxxxxx xxxx xxx XXX xxxxx xxxxxxxx xxxxxx xxxxxxxx xxx xxxxxx xxxxxx,
xxx xxxx xxx xxxxxxxx xxxxxx. Xxxxxxxx xxxxxx xxx xxxxxxxxx xxxx xxxxxxx xxxxxxx x
xxxxxx xxxx xxx xxxxxxx xxxxxxx.
Xxx xxxxxxxx xxxxxxxxxx xxxxxxx xx xxxx xxxxxxx xxxx xxxxxxx xxxxxxx xxx xxxxxxx-xxxx
xxx xxxxxxx-xxxxx. Xxxx xxxxxxxxx xxxxxx xxxx xxxxxxxx xxx xxxxxxx xxx xxxxxx. Xx xxxx
xxxxx, xx xx xxxx xxxxxx xx xxx xx xxxxxxx-xxxxx, xxxxx xxxx xxxxxxx xxxxxx xxx xxxxxx xx
xxxxxx xxxxxxx. Xxx xxxxx xxxxx xxxxxxx xx xxx xxxxxxxx xxxxxx xxxxxxxxxxxxx xxx xxx
xxxxxx xx xx xxxxxxx.
Xxxxxxx xxxxxxx xxxxxxxxxxx xx xxx xxxxxx XXX xxxxxxxx xxx xxx xxxx-xxx xxxx
xxxxxx XXX xxxxxxx xxx xx xxxxx xxxxxxxx xxxxxxxxxxxx. Xxxxxxxx xxxx xxxxxx
xxxxxxxxx xxxx xxxx xxx xxxxxxx xxxxxx, xxx xxxx-xxx xxxxxxxx xxxxxxx xxxx xxxx
xxxxxxxx xx xxxxxxxx: xxxxx xxx xxxxxxx xxxxxxxxx xx xxx xxxxxxx xxxxx xxx xxx xxxx
xxxxxx xx xxxxxxx xxxx xxxxx xxxxxxx xxx xxxxxxxxxxx xxxxxxxx, xxx xx xxxxxxxxx
xxxxxxxxxxxxx xxxx xxxxxxxxxxx xxxxxxxx xxxxxxx xx xxx xxxx-xxx xxxxxxxxx. Xxx xxxxxxx XXXx xxx xxxxxxx xx xx xxxx xxxxxxx, xxxx xxxx xxx xxxxxxx xxxxxxxxx xxx xxxxxxx
xxxxxx xx xxxxxxxx xxxxxxx xx xxxxxxxxx xxx xxx xxxxxxx xxxxx (xxx xxx xxx0
xxxxxxxxx).

Xx xxxxxxxx xxxx xxxxxxxxx xxxxxx xx xxxxxxx xxxxxxxx xxxxxx, xx xxxxxxxxxxxxx xxx


xxxxxxxx x xxxxxxx xxxx xxx xxxxxxx xxxxx. Xxxxx xx xxxx xxxxx xxxxxxx xxx xxxxxxxx
xxxxxx xx xx xxxx xxx xxx XXX xxxx xxx xxxx xxxxx, xxxxxx xxxx xxx xxxxxxx xxxxx,
xxxxxxxxxx xxx xxxxxxxx xx xxx xxxxxx XXX xxxxxxx xxxx xxxx xxxx x xxxxxxxxx
xxxxxxxx xxxxxxx xxxxx.
Xxx xxxxxxx xxxxxxxxxx xxxxxxxxxx xx xxx xxxxxxxx xxxxxxxx xxx xxxxxxxxx
xxxxxxxxxx xx xxx xxx xxx xx xxx xxxxxxx, xxxxxxxxx xxx xxxxx xxx xx xxxxxxxxx xxxxx
xxxxx xxxxx xxxxxxxxxxxxx:
- Logging via a revenue port (applicable to SRX branch and high-end).
- Logging via the control plane (applicable to SRX high-end).
- Logging to a NSM server (applicable to SRX branch and high-end).
To Configure Logging Via a Revenue Port (data plane):

1. Configure the logging mode and format. Typical formats used are syslog (standard) and sd-syslog
(structured):
[edit]
root# set security log mode stream
[edit]
root# set security log format sd-syslog

2. Xxxxxxxxx xxx xxxxxx xx xxxxxxxx xxx xxx xxxxxx xxxxxx. X xxxx xx xxxxxxxx xxx xxx
xxxxxx, xxx xxxx xx xxxxxxx xxxxxxxxxxx, xxx xxx xxx xxxxxxxxxx xx xxx xxxxxxxxx
xxxxxxxxxx xx xxxxxxxxxx xxx xxxxxxxxxxxxxx xxxx xxxxxxxxxxxxxxx xx xxxxxxxx xxx
xxxxxxxx xxxxxx:
[edit]
root# set security log source-address 192.168.2.1
[edit]
root# set security log stream SYSLOG_SERVER host 192.168.2.2

NOTE

Other options, such as the destination port, can be configured in case you are not using the default
(UDP port 1514). Also note that the host 192.168.2.2 does not have any syslog services, but it is
being configured here for example purposes.

To Configure Logging Via the Control Plane (out fxp0):

1. Configure the logging format. Options available are syslog (standard) and sd-syslog (structured):
[edit]
root# set security log format sd-syslog

2. Xxxxxxxxx xxx xxxxxx xx xxxxxxxx xxx xxx xxxxxx xxxxxx. Xxxx xxxxx, x xxxx xx
xxxxxxxx xxx xxx xxxxxx, xxx xx xx xxxxxxx xxxxxxxxxxx xxx xxx xxx xxxxxxxxxx xx xxx
xxxxxxxxx xxxxxxxxxx xx xxxxxxxxxx xxx xxxxxxxxxxxxxx xxxx xxxxxxxxxxxxxxx xx
xxxxxxxx xxx xxxxxxxx xxxxxx:
[edit]
root# set security log source-address 10.189.140.99
[edit]
root# set security log stream SYSLOG_SERVER host 10.189.132.70

3. Xxxxxxxxx xxxxxxx xxx xxx xxxxxxx xxxxx, xx xxx xxxx xxxxxxxxx xx xxx xxxx xxxxx xx
x xxxxxxxxxxx xx x xxxxxxxx xxxxxx xxxxx, xxx xxxx xx xxx xxxxxxx xxxxx:
[edit]
root# set security log mode event

4. Xxxxxxxxx xxxx xxxxxxxx xx xxxxx xxxx xx xxx xxxxxxx xxxxx. X xxxx xxxxxxxx xx xx
xxxxx xx xxxx xxxx 1,000 xxx xxxxxxx xxx xxxxxx:
[edit]
root# set security log mode event event-rate 1000

To Configure Logging to NSM:

NOTE

By default, SRX devices do not send native syslog messages to NSM, only the logs stored in two
files in the SRX. If logging is from a high-end SRX, then security logs must be sent to the control
plane first.
1. Configure the logging mode and format. Options available for the format are syslog (standard)
and sd-syslog (structured):

[edit]
root# set security log mode event
[edit]
root# set security log format sd-syslog

2. Xxxxxxxxx xxx xxxxxx xx xxxxxxx xxx XXX xx xxx xxxxxx xxxxxx xxxxxx. X xxxx xx
xxxxxxxx xxx xxx xxxxxx, xxx xx xx xxxxxxx xxxxxxxxxxx, xxx xxx xxx xxxxxxxxxx xx xxx
xxxxxxxxx xx xxxxxxxxxx xxx xxxxxxxxxxxxxx xxxx xxxxxxxxxxxxxxx xx xxxxxxxx xxx
xxxxxxxx xxxxxx:
[edit]
root# set security log source-address 10.189.140.99
[edit]
root# set security log stream SYSLOG_SERVER host 10.189.132.72

3. Xxxxxxxxx xxxxxxx xxx xxx xxxxxxx xxxxx xxx xxxx xxxxx xxx xxxxxxx (xxxx xxxx xx
xxxx xxxxxxxx xxx xxxx-xxx XXX, xx xxxx xx xxx xxx xxxxxxxxxxx x xxxxxx xxxxxx):
[edit]
root# set security log mode event event-rate 1000

4. Xxxxxxxxx xxxxxxx xx XXX. Xxx xxxxxxxxx xxxxxxx xxx xxxxxxxxx xxx xxxxxxxx
xxxxxxx xxxxxx xxx xxxxxxxx xxxx:
[edit]
root# set system syslog file default-log-messages structured-data
[edit]
root# set system syslog file default-log-messages any any

Xxxxx xx. Xxx xxxxxx xxxx xxxx xxxxx xxxxxxxx xxxxxxxx xxxxxxx xxx x xxxxxx xx xxx
xxxx. Xxxx xxxx xx xxx xx xxxxxxxx xxx xx xxxxxxx xxxxx xxxxxxx xxxx xxx xxxxxxx xxx
xxxxxx xx xxxxx xxx xxxxx xxxxxxxxxxxx.


Chapter 7
Configuring NAT Source
NAT Types. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Configuring Source NAT Using the Egress Interface. . . . . 73
Configuring Source NAT Using Translation Pools. . . . . . 75

Xx xxxxxxx, xxxxxxxx xxxxxxx xx xxx XXX xxx xxxxxx xx xxx xxxxxxxxxxx. Xxx xxx
xxxxxx xxxxxxx xxxx xx xxxxxxxxxx xxx xxxxxxx xxxxx. Xxx xxxxxxx, xxx (xxxxxxxxx)
xxxxxxx xx xxx xxxx xxxxxxxx xxxx xxxxxxx xxxxxxx xxxx xxx xxxx xxxxxxxxx xxxxxxx,
xxxxxxxx xxx xxxxxxxxx xxx xxx xx xxx xxxxx:
[edit security policies]
root# run show security flow session
Session ID: 100001790, Policy name: admins_to_untrust/4, Timeout: 1800
In: 192.168.2.2/4781 --> 209.239.112.126/80;tcp, If: ge-0/0/0.0
Out: 209.239.112.126/80 --> 192.168.2.2/4781;tcp, If: ge-0/0/2.0
<snip>

Xxx xxxxxx xxxxxxxxx xxxx xxxxx xx xx xxxxxxxx xxxxxx xxxx x xxxxxx XX xxxxxxx xx
192.168.2.2, xxxxxxxx xx 209.239.112.126. Xxx xxxxxx xxxxxxx xxxxx x xxxxxx xxxxx
xxxxxxx xxxx 209.239.112.126, xxxxxxxx xx xxx xxxxx XX xxxxxxx xxxx xxxxxxxxxx xxx
xxxxxxxxxxx, 192.168.2.2.
Xxxx xxx xxxxxx xxx xxxxxxxxxxx XX xxxxxxxxx xxxxxx xxxxxxxxx, xx xx xxxx xxxxxxx,
xx xx xxxxxxxxxx xxxx xxx xxxxxxx xxx xxxxxx xx xxxxxxx xx xxxxxxxxxx (XXXxx).

NAT Types
Xxx XXX xx xxxxxxx xx xxxxxxxxxx xxxxxxxxx xxxxx xx xxxxxxxxxxx xx xxx xxxxxx xxx
xxxxxxxxxxx xxxxxxx. Xxx xxxxxxx xxx: xxxxxx, xxxxxxxxxxx, xxx xxxxxx.
Xxxx xxxxxxx xxxxx xxx xxx xx xxxxxxxxx xxxxxx XXX xx xxxxxxxxx xxx xxxxxx XX xx
xxxxxxxx xxxxxxx xx xxxx xxxxx xxx XXX. Xxxxx xxx xxxxxxx xxxxxxx xxxxxxxxx xxxx
xxxxxxxxx xxxx xxxx xx xxxxxxxxxxx. Xxx xxxxxxx, xxx xxx xxxxxxxxx xx xx xxxx xxx
xxxxxx XX xx xxxxxxxxxx xx xxx XX xx xxx xxxxxx xxxxxxxxx, xxx xxx xxx x xxxxxxxxx
xxxx xx XX xxxxxxxxx xxx xx xxxx xxxxxxx xxxxxxxxxxx, xxx xxxxx xxx xxxx x xxx xxxx
xxxxxxx.
Xxxxxx 7.1 xxxxxxxxxxx xx xxxxxxx xx xxxxxx XXX. Xxxxx xxxx xxxxxxxxxxx xxx xxxxxx
XX xx xxxx xx xxx xxxxxxxxx xx-0/0/2, xxx XXX xxxx xxxxxxxxxx xxx xxxxxx xxxx
(xxxxxxxx xxxx xxxxxxx xxxxxxxxxxx xx XXX xx xxxxxxx). Xxxxxxxxxxx xxx xxxxxx XX
xxxxxx xxxxxxx x xxxxxx XX xxxxxxx xxxxxxx xxxxxxxxx xx xxxxx, xxxxx xxxxxxxxxxx xxx
xxxxxx xxxx xxxxx xxx XXX xxx xxxxxxxxxxx xx xxxxxxxx xxx xxxxxxxxx x xxxxxxxxxx
xxxx, xxx xxx xxxxxxx xx xxxx xxx xxx xxxxxx xxxxxxx xx xxx xxxxxxxxxxxxx xxxx xxxx
xxxxxx xxx xxxxxxxxxx.

Figure 7.1 Source NAT Using Egress Interface


Xxxxxx XXX xx xxx xxxxxxxxxx xx xxxxxx Xxxxxxxx xxxxxx xx xxxx xxxxx. Xx xxxx, xxx
xx xxx xxxxxxxxxxx xxxxx xxxxxxx xx xxx XXX xxxx xx xxxxxxx xx Xxxxxxxx xx
xxxxxxx xxxxxxx. Xxx XXX xxxxxxx xx xxxxx, xxx xxxx xxxx xxxxxxxxxxx xxxx xxx
xxxxxxxxx xxxxxxxxx XXX xxxxxxxx xxxxx xxxxx xxx xxxxxxx xx xxx xxxxxxx (xxx xxxxxxxx xxx xx-xxxx). Xxxx xxx xxxx xxxxxxx xxx xxxxxxx, xxxx xxxxxx xxxx xx xx xxxx xxx
xxxx xx xx, xx xx xxxxxxxxxxx xx xxx xxxxxx XXx? Xx xx xxxxxxxxxxx xx xxx xxxxxxxxxxx
XXx? Xxxxx xxxx? Xxx xxxxxx xx xxxxx xxxxxxxxx xxxxx xxx xxxxxx xx xxx xxxx xx XXX
xxxx xxx xxxx xx xxxxxxxxx.
Xxxxxx xxxxxxx xxxx xxx xxxxxxx xxxxx, xx xx xxxxxxxxx xx xxxx xxxx XXX xx xxxxxxxxx
xxxx xxx xxxxxxxx xxxxxxxx. Xxxx xxxxx xxxx xxx xxxxxxxxxxxxx xx xxxx xx x xxxxxxxxx
xxxxxxxxx, xxxxx [xxxx xxxxxxxx xxx]. Xxxx xxxxxx xx xxxxxxxxxx xxxxx xx xxxxxxxxxxx xx
xxx xxxxxxxxxxxxxx xx xxxxxxxxxx xxxxxxxxxxxxxxx xx Xxxxx 3 xxxxxxxxxx xxxxxxx xxx
xxxxxx xx xxxxxxxx xxxxxxxx.

WARNING

Do not be confused here. Remember that in order for traffic to cross the SRX you must
configure a security policy. A source NAT rule looks very similar to a security policy,
but it does not permit anything; it only rewrites traffic that a security policy has already
allowed. Note also that the policy lookup is done with the original (pre-source-NAT) source
address, so the security policy must reference the private address, never the translated one.
Xxxx xxxxxxxxx xxx xxxxxxxxx xxxxxx XXX xxxxxxxxx:
- Using the IP address of the egress interface.
- Using a translation pool.
- Creating a rule to exempt traffic from translation.
Xx xxx xxxxxx xxx xxxxxxxxx xxxxxxxxx xxxx xxx xx xxxx xxxxxxxx xx xxxxxx xxxxx
xxxxxxxxxxx xxx xxxxxxxxx. Xx xxxxxx xxxxxxxxxxx xxx xxx xxx xxx xxxxxxxxx xxxxxxx
xxx xxx xx xxx xxxxxxxxx xxxxxxxxxx:

root# run show security nat source ?
Possible completions:
  persistent-nat-table  Show persistent NAT table information
  pool                  Show source NAT information of this pool
  rule                  Show source NAT rule-set information
  summary               Show source NAT summary information

Xxx xxxxxx xxxxxxxxx xxx xx xxxxxxxxxxxx xxxx xxx xxxx xxxxxxxx xxxx xxxxxxx xxxxxxx xx
xxxx xxxxxxxxxx xx xxxx xxxx. Xx xxx xxxxxx xx xxx xxxx xxxxxxx, xxxx xxx xxxxx
xxxxxxxxx xx xxx xxx xxxxxxxxxxx XX xxxxxxx xxx xxx xxxxxxxx xxxxxxx. Xxxxxxxx xxxx
xxxx xxxxxxx xxxxxx xxx xxxxxxxxx xxxxxxxx xxxxxxxxxx xxxx xxx xxx xxx xx xxxxxx xxx
xxxxxx:
root# run show security flow session ?
Possible completions:
  <[Enter]>            Execute this command
  application          Show session for specified application or application set
  destination-port     Show each session that uses specified destination port
  destination-prefix   Show each session that matches destination prefix
  idp                  Show IDP sessions
  interface            Show each session that uses specified interface
  protocol             Show each session that uses specified IP protocol
  resource-manager     Show resource-manager sessions
  session-identifier   Show session with specified session identifier
  source-port          Show each session that uses specified source port
  source-prefix        Show each session that matches source prefix
  summary              Show summary of sessions
  tunnel               Show tunnel sessions
  |                    Pipe through a command

Configuring Source NAT Using the Egress Interface


Xxx xxx xxxxx xx xxxxxxxxx xxxxxx XXX xx xxxxxx xxxxx xx xxx xxxxxx xxxx Xxxxxxxx
xxxxxx, xxxxxxxxxxx xxx xxxxxx XX xxxxxxx xx xxx xxxxxxxx xxxxxxx xx xxx XX xxxxxxx
xx xxx xxxxxx xxxxxxxxx xx xxx xxxxxxx xxxx (xx-0/0/2).
Xxxxxx xxxxx xx Xxxxxx 2.2 , xxx xxxxx xxxxxxx xxxxxxxx, xxx x xxxx xxxxxxxxxxxxx xx
xxx xxxxxxxxx xxxxxxx.
To Configure Source NAT Using the Egress Interface:

1. Create a NAT source rule-set. Give this a meaningful name that describes what the rule-set will
do:
[edit]
root# edit security nat source rule-set internet_nat

2. Xxxxxx xxx xxxxxxx xx xxx xxxxxxx. Xxxxx xx xx xxxxxx xxxx xxx xxxxx xx xxxxx xx?
[edit security nat source rule-set internet_nat]
root# set from zone admins
[edit security nat source rule-set internet_nat]
root# set to zone untrust

3. Xxx xxxx xxx xxxx xxxxxxx x xxxx-xxx, xxx xxxxxxx xxx xxxxxxx xx xxx xxxxxxx,
xxxxxxxxx xx xxxxxx xxxx xxxx xxxxxxx xxx xxx xxxxxxxx xxxxxxx xxxx xxx xxxxxx
xxxxxx xxxxx xx xxx xxxxxxxx, xxx XXX xxxxxx xxxx xxxxx xxx xxxxxx xxxxxxxxx. Xxxxx,
xxxxxx x xxxx xxx xxx xxxx xxxx xx xxxxxxxxxx xx xxx:
[edit security nat source rule-set internet_nat]
root# edit rule admins_access
[edit security nat source rule-set internet_nat rule admins_access]
root# set match source-address 192.168.2.0/24
[edit security nat source rule-set internet_nat rule admins_access]
root# set match destination-address all
[edit security nat source rule-set internet_nat rule admins_access]
root# set then source-nat interface
[edit security nat source rule-set internet_nat rule admins_access]
root# commit
commit complete

Xxxxxx xxxxxxxxxx, xxxx x xxxxxx xx xxxxxxx xxxx xxx xxxx xxxxxxxxxx.


Xxxxx xx x xxxx-xxx xx x xxxxxxxxx xxxxx xxx xxx xxx xxxxxxxxxx xxxxx. Xxxx xxxx-xxx
xxx x xxxxxxx, xx xxxx xxxx xxx xxxxxxxxx xxxxx xxx xxx xxxxxxx (xxxx xxxx xxxxxx xx
xxxx xxxxxxx), xxx xxx xxxxx xxxx xxx xxxxxxxxxx xx xxxxxxx xxxxxxx.
Xxx xxxxx xxx xxx xxxxxxxxxx xxxxxxxxxx xxxx xx xxx xxxxxxx xxx, xxx xx xxxxx, xxxx x
xxxxxxxx xxxxxx xx xxxxx. X xx xxxxx xx xxx xxxx xxxxx xxxx xxx XXX xxxx xxx xxxxxx
xxx xxxxxxx, xxxx xx xxxx xxxxxxx xxx xxxxx xxxxxx.
Xxxx XX-XXXX-XXXX xxxxxxxxx xx xxxxxxx xx xxx xxxxxxxxxxxxx xx xxxxxxxx
xxxxxxxx. Xx xxx xxx xxxxxxx, xxxxx xxxxxx x xxxx-xxx xxx xxxxxxxxx xx x xxx-xxxx
xxxxxxx, xx xxxxx xxxxxxxx xxxxx xx xxxxxxxxx. Xxxx xxxx xxxx xxx xxxxx xxx xxxx
xxxxxxxx xxxxx xx xxx. Xxx xxxxx xxxxxx xxxx xxxxxxx xx xxxxxxxx xxxxx xx xxxx
xxxxxxx.
4. Xx xxxx xxxx, xxx xxxxx xxxxxxxx x xxx xxxxxxxxxxx xx xxx Xxxxxxxx xxxx xxx XX xx
xxx xxxxxx xxxx, xxx xxxx xxxxxxx xxx xxxxxxx xxxxx xxx xxxxxxx:
root> show security flow session
Session ID: 100024536, Policy name: admins_to_untrust/4, Timeout: 1772
In: 192.168.2.2/3520 --> 64.94.18.157/443;tcp, If: ge-0/0/0.0
Out: 64.94.18.157/443 --> 66.129.250.1/64507;tcp, If: ge-0/0/2.0
Session ID: 100024537, Policy name: admins_to_untrust/4, Timeout: 1790
In: 192.168.2.2/3525 --> 77.223.130.61/5938;tcp, If: ge-0/0/0.0
Out: 77.223.130.61/5938 --> 66.129.250.1/64509;tcp, If: ge-0/0/2.0
Session ID: 100024549, Policy name: admins_to_untrust/4, Timeout: 32
In: 192.168.2.2/47621 --> 66.56.36.86/27374;udp, If: ge-0/0/0.0
Out: 66.56.36.86/27374 --> 66.129.250.1/64507;udp, If: ge-0/0/2.0
Session ID: 100024550, Policy name: admins_to_untrust/4, Timeout: 32
In: 192.168.2.2/47621 --> 66.57.86.100/40644;udp, If: ge-0/0/0.0
Out: 66.57.86.100/40644 --> 66.129.250.1/41683;udp, If: ge-0/0/2.0
<snip>

Xxxxxx xxx Xxx xxxx xxx xxxxx xxxxxxx xxx xxxxxxxxx xxx xxxxx xxxxxxxx xx xxx XX
xxxxxxx 66.129.250.1. Xxxx XX xxxxxxx xxxxxxxxxxx xx xxx XXX xxxxxx xxxxxxxxx,
xxxxxxxxxx xxx xxxxxx xxxxxxxxx xx xxxxxx XXX.
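The check described above can be automated. The following is an added example (mine, not code from the book or from Juniper) that parses show security flow session output and confirms that every session leaving the egress interface has had its source rewritten to an allowed address. SAMPLE is constructed: the first two sessions are copied from the output above, the last two are made up (session IDs 100024601 and 100024602, one untranslated host and one translated to a pool address) so that every verdict appears. The pool range accepted by the second call is the one configured later in this chapter.

```python
"""Check `show security flow session` output for source NAT.

Added example for the verification step above; it is not Juniper code.
SAMPLE is constructed in the format the SRX prints: one "Session ID" line,
then the In: and Out: wings of the session.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

SESSION_RE = re.compile(r"Session ID: (\d+), Policy name: (\S+), Timeout: (\d+)")
WING_RE = re.compile(r"(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), If: (\S+)")

# Sessions 100024536/100024549 are from the book's output; 100024601/100024602 are constructed.
SAMPLE = """\
Session ID: 100024536, Policy name: admins_to_untrust/4, Timeout: 1772
  In: 192.168.2.2/3520 --> 64.94.18.157/443;tcp, If: ge-0/0/0.0
  Out: 64.94.18.157/443 --> 66.129.250.1/64507;tcp, If: ge-0/0/2.0
Session ID: 100024549, Policy name: admins_to_untrust/4, Timeout: 32
  In: 192.168.2.2/47621 --> 66.56.36.86/27374;udp, If: ge-0/0/0.0
  Out: 66.56.36.86/27374 --> 66.129.250.1/64507;udp, If: ge-0/0/2.0
Session ID: 100024601, Policy name: admins_to_untrust/4, Timeout: 1800
  In: 192.168.2.2/4781 --> 209.239.112.126/80;tcp, If: ge-0/0/0.0
  Out: 209.239.112.126/80 --> 192.168.2.2/4781;tcp, If: ge-0/0/2.0
Session ID: 100024602, Policy name: admins_to_untrust/4, Timeout: 1800
  In: 192.168.2.7/51000 --> 64.94.18.157/443;tcp, If: ge-0/0/0.0
  Out: 64.94.18.157/443 --> 66.129.250.12/1025;tcp, If: ge-0/0/2.0
"""


@dataclass
class Session:
    sid: int
    policy: str
    in_src: str    # original (pre-NAT) source, from the In wing
    in_dst: str
    proto: str
    out_dst: str   # where the reply is addressed: the source as the outside sees it
    out_if: str

    @property
    def translated(self) -> bool:
        # Source NAT rewrites the source, so the reply wing is addressed to the
        # translated address instead of the private host.
        return self.in_src != self.out_dst


def parse_sessions(text: str) -> List[Session]:
    sessions, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        m = SESSION_RE.match(line)
        if m:
            cur = {"sid": int(m.group(1)), "policy": m.group(2)}
            continue
        m = WING_RE.match(line)
        if not m or cur is None:
            continue
        direction, src, _sport, dst, _dport, proto, ifl = m.groups()
        if direction == "In":
            cur.update(in_src=src, in_dst=dst, proto=proto)
        elif "in_src" in cur:
            cur.update(out_dst=dst, out_if=ifl)
            sessions.append(Session(**cur))
            cur = None
    return sessions


def _networks(specs: List[str]):
    """Accept CIDR prefixes, single addresses, or 'low-high' pool ranges."""
    nets = []
    for spec in specs:
        if "-" in spec:
            lo, hi = (ipaddress.ip_address(x.strip()) for x in spec.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            nets.append(ipaddress.ip_network(spec, strict=False))
    return nets


def audit_source_nat(text: str, allowed: List[str], egress_if: str = "ge-0/0/2.0") -> Dict[int, str]:
    """Classify each session leaving egress_if: translated, untranslated, or unexpected:<addr>."""
    nets = _networks(allowed)
    verdict = {}
    for s in parse_sessions(text):
        if s.out_if != egress_if:
            continue
        if not s.translated:
            verdict[s.sid] = "untranslated"
        elif any(ipaddress.ip_address(s.out_dst) in n for n in nets):
            verdict[s.sid] = "translated"
        else:
            verdict[s.sid] = "unexpected:" + s.out_dst
    return verdict


if __name__ == "__main__":
    for sid, result in audit_source_nat(SAMPLE, ["66.129.250.1/32"]).items():
        print(sid, result)
```

Feed it the real output of show security flow session and pass the egress interface address (for interface NAT) or the pool range (for pool NAT); anything reported as untranslated or unexpected points at a rule-set ordering or match problem.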

Configuring Source NAT Using Translation Pools


Xxxxxxxxx xx xxx xxxx xx xxx xxxxxxxxxxxx, xxx XX xxxxxxx xxx xxxx xxxxxxx
xxxxxxxxxxx (XXX) xxxxx xx xxxxxxxxxxxx, xx x xxxx xx XX xxxxxxxxx xx xxxxxx xx
xxxxxxxxxxx xxxx xxxxxx.
Xxxxxxx xxxxxxxx xxx xxxxxxx xxx xxxxxxxxxxx xx xx xxxxxx xxxxxx xx x xxxxxxxxxx
xxxxxxxxx xxxxxxxxxx xxxxxx. Xxxx xxxxxxxxxxx xx xxxxxx xx xxxxxxxxxxxx xxxx
xxxxxxx xxxxxxxxxxxx xxxxxxx xxxxxxxxxxx xxxxxxxx, xxxx xx xxxxxxx xxxxxxx.
Xxxx xxxxxxxxxxx xxx xxxxxxxx xxxxxxx xx xxxxxxx xxx xxxxxxxxxxx xxxxx x xxxx xx
XX xxxxxxxxx. Xxxx xxxxx, xxxxx xx Xxxxxx 2.2, xxxx xxxxx xxxxxxx xxxxxxxx, xxx x
xxxx xxxxxxxxxxxxx xx xxx xxxxxxx.
To Configure Source NAT Using a Translation Pool:

1. Create a pool of addresses (66.129.250.10 - 66.129.250.15) that will be used as the source IP
for the outgoing packets. Give the pool a meaningful name that describes its purpose for future
reference. If the pool addresses are in the same subnet as the egress interface but are not
configured on it, also add proxy ARP for them under [edit security nat proxy-arp interface ge-0/0/2.0]
so the SRX answers ARP requests for the pool; otherwise the upstream router cannot deliver the
return traffic:
[edit security nat source]
root# set pool public_NAT_range address 66.129.250.10 to 66.129.250.15

2. Xxxxx xxx xxxx xxxx xxxxxxx. Xxxxx xxx xx xxxxxx xxxxxx xxxxxxxx xxxxx, xx xxxxx
xxxxxxx xxxxx xxxx xxxxxxxxxxx xxxx xxx xxxx xx xxxxxx xxx xxxx xxxxx_xxxxxx xxxxx
xxx xxxxxxxx_xxx xxxx-xxx:
[edit security nat source]
root# edit rule-set internet_nat rule admins_access
[edit security nat source rule-set internet_nat rule admins_access]
root# set then source-nat pool public_NAT_range

3. Xxxxxx xxxx xxx xxxxxxxxxxxxx xxxxx xxxxxxx xx xxxx:


[edit security nat source rule-set internet_nat rule admins_access]
root# show
match {
    source-address 192.168.2.0/24;
    destination-address 0.0.0.0/0;
}
then {
    source-nat {
        pool {
            public_NAT_range;
        }
    }
}

4. Xxxxxx xxx xxxxxxx xxx xxxxxxxxx:


[edit security nat source rule-set internet_nat rule admins_access]
root# commit
commit complete

Xxx xxxxxx xx xxxx xxxxxxxxxxxxx xxxxxx xx xxxx xxxxxxxx xxxxxxx xxx xxx xxxx xx xxx
xxxxxx xxxx xxx xxxxxxxxxx xxxxxxxx xx xxx xx xxx XX xxxxxxxxx xx xxx
xxxxxx_XXX_xxxxx.
Xx xxxxxxxxxx xxx xxxxxxxxxxx xxx xxxxx xx xxxxx xxx xxxx-xxxx, xxxx xxx xxxxxxxxx
Xxxxxxxx 3 xxxx xxx xxxxxxxxx xx xxxx xxxxxxx: Xxxxxx x xxxx xx xxxxxx xxxxxxx.
Xxx xxxx xxx xxxxxxxxx xx xxxxxx x xxxx xx xxxx xxxxxxx xxxxxxxxx xx x xxxx
(192.168.2.2) xx xxx xxxxxxxxxx xx xxx xxx xxxxx_xxxxxx xxxx.
To Configure a Source NAT Exception Rule:

1. Create a new rule under the internet_nat rule-set. Give the new rule a descriptive name:
[edit security nat source rule-set internet_nat rule admins_access]
root# up
[edit security nat source rule-set internet_nat]
root# set rule NO_translate
[edit security nat source rule-set internet_nat]
root# edit rule NO_translate

2. Define the match criteria (the traffic you are going to exempt from translation):
[edit security nat source rule-set internet_nat rule NO_translate]
root# set match source-address 192.168.2.2/32
[edit security nat source rule-set internet_nat rule NO_translate]
root# set match destination-address all

3. Configure the action for that source/destination pair (no translation):


[edit security nat source rule-set internet_nat rule NO_translate]
root# set then source-nat off

4. Reorganize the rules so that NO_translate is evaluated first:


[edit security nat source rule-set internet_nat rule NO_translate]
root# up

[edit security nat source rule-set internet_nat]


root# insert rule NO_translate before rule admins_access

IMPORTANT

This step is crucial: if you forget or ignore it, host 192.168.2.2 continues to be translated.
Rules in a NAT rule-set are evaluated top-down and the first match wins, just as in a security
policy, so a more specific rule must sit above the broader one. Check the resulting order with
run show security nat source rule all before you rely on it.
5. Verify the configuration. This should look similar to the following:

[edit security nat source rule-set internet_nat]


root# show
from zone admins;
to zone untrust;
rule NO_translate {
    match {
        source-address 192.168.2.2/32;
        destination-address 0.0.0.0/0;
    }
    then {
        source-nat {
            off;
        }
    }
}
rule admins_access {
    match {
        source-address 192.168.2.0/24;
        destination-address 0.0.0.0/0;
    }
    then {
        source-nat {
            interface;
        }
    }
}
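To make the ordering rule concrete, here is an added example (mine, not the book's or Juniper's code) that models how the SRX walks a source NAT rule-set for the three procedures in this chapter: egress-interface translation, a translation pool, and the exception rule. Zones, prefixes and the 66.129.250.x addresses are the ones used above. The pool address selection is a plain hash of the source and is only an assumption; the SRX's own allocation is not described on this page.

```python
"""Model how the SRX walks a source NAT rule-set: top-down, first match wins.

Added example for the egress-interface, pool and exception procedures above;
not Juniper code. The pool pick is a deterministic hash (an assumption), the
rest follows the behaviour the text describes.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

EGRESS_IP = "66.129.250.1"   # address on ge-0/0/2, the egress interface in the text


def address_range(low: str, high: str) -> List[str]:
    """Expand 'address LOW to HIGH' as `set pool ... address A to B` declares it."""
    lo, hi = ipaddress.ip_address(low), ipaddress.ip_address(high)
    return [str(lo + i) for i in range(int(hi) - int(lo) + 1)]


@dataclass
class Rule:
    name: str
    source_address: str                  # match source-address
    destination_address: str = "0.0.0.0/0"
    action: str = "interface"            # then source-nat interface | pool | off
    pool: List[str] = field(default_factory=list)

    def matches(self, src: str, dst: str) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.source_address, strict=False)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.destination_address, strict=False))


@dataclass
class RuleSet:
    name: str
    from_zone: str
    to_zone: str
    rules: List[Rule] = field(default_factory=list)

    def insert_before(self, rule: Rule, before: str) -> None:
        """Equivalent of `insert rule <new> before rule <existing>`."""
        self.rules = [r for r in self.rules if r.name != rule.name]
        self.rules.insert([r.name for r in self.rules].index(before), rule)


def evaluate(rs: RuleSet, from_zone: str, to_zone: str, src: str, dst: str) -> Tuple[Optional[str], str]:
    """Return (name of the matching rule or None, source address after translation)."""
    if (from_zone, to_zone) != (rs.from_zone, rs.to_zone):
        return None, src                       # rule-set does not apply: no translation
    for rule in rs.rules:                      # ordered walk: the first match decides
        if not rule.matches(src, dst):
            continue
        if rule.action == "off":
            return rule.name, src
        if rule.action == "interface":
            return rule.name, EGRESS_IP
        if rule.action == "pool":
            idx = int(ipaddress.ip_address(src)) % len(rule.pool)   # assumption, see docstring
            return rule.name, rule.pool[idx]
        raise ValueError(f"unknown action {rule.action}")
    return None, src


def build_internet_nat(action: str = "interface") -> RuleSet:
    """The internet_nat rule-set from the text, with admins_access using the given action."""
    rs = RuleSet("internet_nat", "admins", "untrust")
    pool = address_range("66.129.250.10", "66.129.250.15") if action == "pool" else []
    rs.rules.append(Rule("admins_access", "192.168.2.0/24", action=action, pool=pool))
    return rs


if __name__ == "__main__":
    rs = build_internet_nat()
    rs.rules.append(Rule("NO_translate", "192.168.2.2/32", action="off"))   # appended: wrong order
    print(evaluate(rs, "admins", "untrust", "192.168.2.2", "64.94.18.157"))  # admins_access still wins
    rs.insert_before(rs.rules[-1], "admins_access")                           # the `insert` step
    print(evaluate(rs, "admins", "untrust", "192.168.2.2", "64.94.18.157"))  # NO_translate, unchanged
```

Appending NO_translate after admins_access leaves 192.168.2.2 translated because the broader /24 rule matches first; only after insert_before does the /32 exception take effect, which is exactly what the IMPORTANT note above warns about.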

Xxxxx. Xxxx xxxxxxxxxxxx xxx xxxxx xxxxx xxx XXX. Xxx XXX xx xxxxxxxx xxxxxxxxx
xxx xxxxxxx xxxxxxx xxxxxxxxx xx xxx xxxxxxx xxxxxxxx xx xxxxx xxx xxxx xx Xxxxxxx 2.
Xxxxx xxxxxxxxxx xxx xxxxxxx xxxxxxxxxxxxx xxx xxx xxxxxxxx xxx xxxxxxxxxxxxx xx
xxxx xxxxxxxx xxxxxxxxx xx xxx XXX. Xxxx xx xxxxx xxxxxxxx xxx: XXX, XXXxx, XXX,
xxxx-xxxxxxxxxxxx, xxx xxxx xxxxxxxx xxxxxxx xxxxxxxxxxxxxx. Xxx xxxxxx
xxxxxxxxxxxxx xxxxxxxxx xxxxxxxx x xxx xx xxxxxxx xx xxx xx xxxxxxxxx xxxxx xxxxxxx,
xxx xxxx xxxxxxxxxxxxx xxxx xxxxxxx xxxx xxxxx xxx Xxxxx xxxxxxx. Xxxx xxx xx xxxx:
xxxx://xxx.xxxxxxx.xxx/xxxxxxxx/xxxxxxxx/xxxxx-xxx/xxxxx.xxxx.

Xxxx Xxx Xxx xxxxx xxx xxxx xxxxx xxxxxxxxx, xxxxxxxxxx xxx xxx XXX xxxxxxxx xx
xxxxxxxx xxxxxxx. Xxxx xxxxxxxx xxx xxxxxxx xxx xxx xxxxxxxxx xx
xxx.xxxxxxx.xxx/xxxxxxx.
Xxx xxxxxxx, xx xxx xxxx xxxx xxxx, xxx xxx Xxxxx Xxxxxxxx xxxx xxxx XXxxxxx
xxxxxxxxxx. Xxxx xxx xx xxxx: xxx.xxxxxxx.xxx/xxxxx.
Xxx xxxx xxxxx xxxx xxxx xxxx xx xxxxxxxx XXX xxxxxxx xx xxxxxxxxxxx xx xxxxxxxx.


Chapter 8
Importing the SRX into NSM
Preparing the SRX for NSM Connectivity. . . . . . . . . 80
Importing the SRX into NSM. . . . . . . . . . . . . . . . . . . . . .81

Xx xxx xxx xxxxxxxxxx xxx xxxxxxxx xxxxxxxx XXX xxxxxxx xxx xxxxx Xxxxxxx
xxxxxxxx, xxx Xxxxxxx xxx Xxxxxxxx Xxxxxxx (XXX) xxxx xxxx xxx xxxx x xxxx
xxxxxxxxxx xxxx xx xxx xxxxxxx, xxx xxxx xxxxxxxx xxxx xxxxxxxxxxxxx xxx
xxxxxxxxxxxxxxx xxxxx. Xx xxxx xxxxxxx xxxxx xxxxx xxx xx xxxxxx xxxx XXX xxxx
XXX. Xxx xxxxxxxxxxxx xxx xxxxxxxxxxxxx xx XXX, xxx xxx xxxxxxx xxxxxxx xxxxxxxx,
xxx xxx xx xxx xxxxx xx xxxx xxxx. Xxx xxxxxxxxx xxxx xx xx xxxx xxxxx XXX xxxxx xx
xxxxxxxxxx xxxx XXX xxx XXX, xxx xx xxxxxx xxxx xxx XXX xx xxxxxxxx xxxxxxxx xx
xxxx xxx xxx xxxxxxxx xxxxxxxx xx xxx XXX.

Preparing the SRX for NSM Connectivity


Xxxxxxxxx xxx XXX xxx XXX xxxxxxxxxxxx xx x xxxxxx xxxxxxx. Xx xxxx, xx xxx xxxx
xxxx xxxxxxx xxxxxxxxx xxx xxxxxxxx xx xxxxxx xx xxxx xxxx, xxx xxxx xxxxxx xxxxxxxxx
xxx xxx xxxxx xxxxxxxx.
Xx xxxxx, xxx xxxx xx xxxxxxxxx:
n A user account with administrator privileges
n IP addressing and routing reachability
n SSH access
n Netconf access
Xxx xxxxxxx xxxx xxx xxxxx xxxxx xxxxxxxxxx, xx xxx xxxx xxxxxxxxx xxxxxxx xxxxxxx.
Xxxx, xxxxxxx, xx xxx xxx xxxxx x xxxxxxx xxxx xx xxxxxxx xx XXX, xxxx xxxx xxxx xx
xxxxxxxxx, xxxxxx xxx xxxxxxx xxx xx xx xxxxx xxx xxx xxxx-xxxxxxx-xxxxxxx.
Xxx xxxx xx xxxx xxxxxxx xx xxxxx xxxx xx xxx XXX3400. Xx xxxxxxxxxx xxxx xxxx,
xxxxxx xxxxx xx Xxxxxx 2.2 xxx xxxxxxx xx xxx xxxxxxx xxxxxxxx.
To Configure netconf Support:

First, enable netconf support:


[edit]
root# set system services netconf ssh
[edit]
root# commit
commit complete

Importing the SRX into NSM


Xxx xxxx xxx xxxx xxx Xxxxxxx xxx Xxxxxxxx Xxxxxxx xxxxxx, xxx xxxxxx xxx XXX. Xxx
XXX xx x xxxxxxxxx xxxx, xxx xxx xxxxx xxxxxxxx xx xxxxxx xxx XXX xxx xxxxxxxxx xx
xxxxxx xxxxxxxx xxxxxxx xx XXX xxxxxxxx.
To Import SRX into NSM:

1. Log in to the NSM server as root, or an administrator, with permissions to import the
SRX3400.
2. Under Devices, click the + icon to add a new device.

3. Specify that the device is reachable and fill in the IP address and administrator account fields.
The IP address in this example is that of the fxp0 interface, and the administrator account is from
the SRX, not the NSM.
4. Click Next to accept the SSH keys.

5. When the device is auto-detected, click Next to confirm to NSM that you wish to import it.
If you did not configure a hostname for the device during initial installation, you can specify
one here before importing the device; otherwise the Device Name is already populated.

6. Import the configuration of SRX into NSM.


7. Confirm that the device is properly connected and in sync with NSM.

8. Inspect the device configuration in NSM, such as the security policies. Proceed with any
management functions from here.
Xxxx xxxx xxxxxx xx, xxx xxx xxxxxxxx xxxxxxxx xxx XXX xxx XXX. Xxx xxxxxxx xxxx xx
xxx XXX xxx X-Xxx, xx xxx XXX, xxx xxxxxxxxxxx xx XXX xx xxx xxxx xxxxxxxxxxxxx
xxxxxx, xxxxxx xxx xxxxxx xxx xxxxxx xxxxxxxxxxxxx xxxxx.


Chapter 9
Troubleshooting Tools
Understanding Flow Processing. . . . . . . . . . . . . . . . . . 88
Examining Logs and System Status. . . . . . . . . . . . . .89
Enabling Traceoptions. . . . . . . . . . . . . . . . . . . . . . . . . . . .91

Xxxx xxxxxx xx xxxxx xx xx xxxx xx xxxx x xxxxxxxx xxx xx xxxx xx xxxx xxxx xx xx.
Xxxxx xxxx xxxxxxx xxxxxxxx x xxx xxxx xxxx xxxxx xx x xxxxxxxx xxxxx xx xxxxxx xxx
xxx xxxxxx xxxxxxx xxxxxxxxxxxx xxxxxxxx.
Xxx XXX xxxxxx xxxx xxxxxxxxx xxxxxxxx, xxx xxxx xxxx xxxxxxxx xxxx x xxx xx xxxx.
Xxxxxxx x xxxxxxxxxxxxx xxxxx xx xxx xxx XXX xxxxxxxx xxx xxx xx xxxxxxxxxxxx xxxxx
xxxxxxxx xxxx Xxx Xxx xxxxx xxx xxx xxxxxxxxxxx xx xxxx xxxxxxxx xxxxxxxxxx.
MORE?

Junos Security, recently published by O'Reilly Media, has several troubleshooting sections and
case study scenarios that can be helpful to readers of this book. For more info, see
www.juniper.net/books.

Understanding Flow Processing


Xx xxx xxxxxxxxx xxxx xxxxxxxx xx xxx XXX, xxx xxxx xx xxxx xxxxxxx xxx xxxxxxx xxx
xxxxxxxxx xx xxx xxxxxx. Xxx xxxxxx xx xxxxx xxx XXX xxxxx xxxx xxxx x xxxxxx xxxxxx
xx xxxxxxxxx xx xxxxxxx xxxx xx xxxxx xxx xxxxxx xx xxxxx xx xxxx xxxxxxxxxx.
Xxxxxxxxxxxxx xxx xxxxxx xxxxxxxxxx xxxxx xxx xxxxxxx xxxx xxxx xxx XXX xxxxxxxxx
xxxxx xxx xxx xxxxxxxx xxxxx xx xxxxxxxx. Xxx xxxxxxx xxxx xxxxxxx xxx xxxx xxx xx
xxxxxx xxxxxxxx xxxxxxxxx xxxxxxxx, xxxxxx xxx xxxx xxxxxxxxx xx xxxx xxxxxxxxxxx.
Xxxxxx 9.1 xxxxx xxxxx xxx xxxx xxxxxxxxxx xxxxx xxxxx xxxxxx xxx xxxxxx xxxx xxxxxx
xxx xxxxxx.
Figure 9.1 Flow Processing
Xxx xxxxxxx xxxx xx xxxx xxxxxx xxx xxxx xxxxxxxx xxxxxx xxxxxxxxxxx xx Xxxxxx 9.2.
Xxxxxxx, XXX, XXX, xxx XXXxx, xxx xxxx xxxx xx xxx xxxxxxxx xxxxxxxxx xx xxxx
xxxxxx. Xxxxxx 9.1 xxx 9.2 xxx xxxxxxxxx xx xxxxx xxxxxx xx xxx Xxxxx Xxxxxxxx
Xxxxxxxxxxxxx Xxxxx xxxxx xxxx (xxx xxxxxxx 10.1):
xxxxx://xxx.xxxxxxx.xxx/xxxxxxxx/xxxxxxxx/xxxxx-xxx/xxxxx-xxx10.1/xxxxx.xxxx.

Figure 9.2 Flow Services Module


Xx xxx xxxxx xxxx xxxx xx xxx XXX xxx xxxxxxx xxx xxxxxxxxxxxx xxx xxxx xxxxxxxx
xxxxxxxx, xxx xxxx xxxxxxx xxx xxxxxxxxx xx xx xx xxxx xxxx xxxxxxxxxxx. Xx xxxx xxxx
xxxxxxx, xxxxx x xxx xxxxxxx xx xxx xxxxxxxxxxxxxx xxxxx xxxxxxx xxx xxxx xxxxxxxx
xxxxxxxxxxxx xx xxx xxx xxxxxxx xxx xxxxxxxxx xx xx xxxx xxxx xxxxxxxx xx xxx xxxx
xx xxxxxx xxxxxxxxxx xxxx xxxxxxxxxxxxx XXX xxxxxxx.
Xxxxxxxxxxxx, xxx xxxxxxxxx xx xxxxxxx xxxx xxxxxx XXX xxxxxxx xxx xxxxxxx xx
xxxxxxxxx xxx xxxx xxxxxxxx xxxxxx xxx xxxxxxxx xxxxxxxxxxxxxx. Xxxx xx xxxxxx
xxxxxx-xxxxx xxxx xxxxxxxxxx (xx xxxxxxx xx xxxx-xxxxx xxxxxxxxxx). Xxx xxxxx
xxxxxxxxxxx xx xxxxx xxxxxxxxx xxxxx xx x xxxxxx xxxx xxxxxxxxx xx xxxxx xxxxxxxxxx
xxx xxxxxx xxxxxxxxxx xxxxxxx xxx XXX.

Examining Logs and System Status


Xxxxxxx xxx xxxxxxxxxx xx Xxxxxxx 5. Xxxxxx xx xx xx xxxxxxx xxxx xxxx, xxxxxxx xxxx
xxxxx xx xx-xxxxxx xxx xxxxxxxxxxx xx xxxx xxxx.
Xxxxxxx xx x xxxx xxx xx xxxx xxxx xxx xxxx xxx [xxx_xxxx] xxxxxxx.

Xxx xxx xxx xxxxxx xx xxxx xxxxxxxxx xxxxx, xx xxxxx xxxxxxxxxx xxxx xxxxxxx,
xxxxxxx, xxx xxxx xxxx xxxx xxx xxxxx xxxx xxxx xxx xxxxxxxxxx xx xxx xx xxxx xxxxx xx
xxxxxxx. Xxx xxxx xxx xxxx xx xxxxxxxx, xxxx xx xxx xxxxxx xx xxx xxxxxx xxx xxxxxxxx
xxxxxxxx.
Xx xxxx xxx xxxxxx xxxxxxxx xxxxxxxx xxxx xxxxxx xxxxxxxxxx xx xxxxxxx xxx XXX, xxx
xxx xxx xxx xxxxxxxxx xxxxxxxxxxx:
> show log messages | match ssh | match "Failed password" | trim 38

Xxxx xxxxxxx xxxxx xxxx xx xxx xxxxxxxx xxx xxxx, xxx xxxxx xxx xxxx xxxxxx xxxxx
Xxxxxx xxxxxxxx xxxxxxxx xxxx xxxxxxxx. Xxx xxxx 38 xxxxxx xxxxx xxx xxxxx 38
xxxxxxxxxx xxxx xxx xxxxxx xx xxx xxx xxx xxxxxxxxxx xx xxx xxxx xxxxxx.
Xxxxxxx xxxxxxxxxxx xxxxxx xxxx xxxxxxx xxxx xxxx xx xx xxx xxx xxxxx xxxxxxx xxxxxxx,
xxxxx xxxxxx xxx xx xxxxxxx x xxx xxxx xx xxxx xxxx, xx xxxx xx xxxxx xxxxxxx xx xx
xxxxxxxxx xx xxxxxxx xxxxx xxxx. Xxxx xx xx xxxxxxx xxxxx xxx xxxx xxx xxxxxx xxx
xxxxxxxx xx xxxx xxxx.
To Use the Start Monitor Tool :

1. Start monitoring the log file (and apply match statements if you want to narrow your search):
barnys@SRX3400> monitor start messages | match ssh | match "Failed password"

2. Press Esc-Q to enable and disable the output display to console as needed:
barnys@SRX3400>
*** monitor and syslog output enabled, press ESC-Q to disable ***
*** messages ***
Jun 27 00:19:54 SRX3400 sshd[64008]: Failed password for john from 10.188.133.42 port 50021 ssh2
barnys@SRX3400>
*** monitor and syslog output disabled, press ESC-Q to enable ***

3. Stop the real-time monitoring of the file. This does not stop logging; events are still
recorded, but they are no longer shown on the console:
barnys@SRX3400> monitor stop
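The match filter above finds the failures; deciding whether they amount to a password-guessing attempt needs a count per source over time. The following is an added example (mine, not from the book or Juniper) that parses the sshd lines into events and flags sources that exceed a threshold inside a sliding window. The first line of SAMPLE_LOG is the one shown in the monitor output above; the rest are constructed in the same format, including the "invalid user" form OpenSSH emits for unknown accounts. The syslog timestamp carries no year, so one is supplied as a parameter.

```python
"""Flag SSH password guessing from sshd `Failed password` syslog lines.

Added example for the log-examination section; not Juniper code. The first
SAMPLE_LOG line is from the book's monitor output, the others are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)

SAMPLE_LOG = """\
Jun 27 00:19:54 SRX3400 sshd[64008]: Failed password for john from 10.188.133.42 port 50021 ssh2
Jun 27 00:19:57 SRX3400 sshd[64008]: Failed password for john from 10.188.133.42 port 50021 ssh2
Jun 27 00:20:03 SRX3400 sshd[64011]: Failed password for root from 10.188.133.42 port 50030 ssh2
Jun 27 00:20:05 SRX3400 sshd[64013]: Failed password for invalid user admin from 10.188.133.42 port 50031 ssh2
Jun 27 00:20:09 SRX3400 sshd[64015]: Failed password for root from 10.188.133.42 port 50032 ssh2
Jun 27 00:20:12 SRX3400 sshd[64017]: Failed password for john from 10.188.133.42 port 50033 ssh2
Jun 27 00:21:40 SRX3400 sshd[64020]: Failed password for barnys from 10.188.133.50 port 50100 ssh2
Jun 27 00:21:45 SRX3400 sshd[64020]: Accepted password for barnys from 10.188.133.50 port 50100 ssh2
"""


def parse_failed_logins(text: str, year: int = 2011) -> List[Tuple[datetime, str, str]]:
    """Return (timestamp, source ip, user) for every Failed password line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    return events


def brute_force_sources(events, threshold: int = 5,
                        window: timedelta = timedelta(minutes=5)) -> Dict[str, Tuple[int, List[str]]]:
    """Map each source with >= threshold failures inside one window to (peak count, users tried)."""
    by_ip = defaultdict(list)
    for ts, ip, user in sorted(events):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, evs in by_ip.items():
        best, start = None, 0
        for end in range(len(evs)):               # sliding window over the sorted events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            n = end - start + 1
            if n >= threshold and (best is None or n > best[0]):
                best = (n, sorted({u for _, u in evs[start:end + 1]}))
        if best:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, (count, users) in brute_force_sources(parse_failed_logins(SAMPLE_LOG)).items():
        print(f"{ip}: {count} failures, users {users}")
```

Pipe the output of show log messages into it and the single legitimate typo from 10.188.133.50 stays below the threshold while the burst from 10.188.133.42, cycling through several accounts, is reported.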

Try It Yourself: Examining the System Status


Examining the system status can be done with show commands. You have used several show commands if you've been
following the examples in this book, but many more options are also available to find out chassis and event status
information. Try these on your console right now.
To check system uptime:
> show system uptime

To check the software version:


> show version

To check for active alarms:


> show system alarms
> show chassis alarms

There are many parameters available to check chassis related information, so check the help prompt to see them all:
> show chassis ?

To find out the running processes and CPU utilization:


> show system processes extensive

MORE?

The complete list of available show commands and their descriptions can be found in the CLI
Reference Guide, found here (for version 10.1) at
www.juniper.net/techpubs/software/junos-srx/junos-srx10.1/index.html. You can also find lots of
device-agnostic command usage examples in Day One books from the Junos Fundamentals Series:
www.juniper.net/dayone.

Enabling Traceoptions
Xxxxxxxxxxxx xxx xxx xxxxxxxxxx xx xxxxxxxxx xxxxx xxxx xxxxx xxxxxxx xxxxxxxx, xx
xx xxx xxx xxxxxx xxxx x xxxxxxxxxx xx xxxxx Xxxxxxx Xxxxxxxx XxxxxxXX xxxxxxxxx
xxx xxx xxxxxxxx xxxx xxxxx xxxx xxxxx, xxxx xxxx xxxxxxx xxxx xxxx xxx xxx xx xx xxx xxxx
xx xxx XXX.
Xx xxxxx xxxxxxx xx xxxx xxxxxxxx xxx XXX, xxx xxxx xx xxxxxxxxx xxxxxxxxxxxx xxx
xxxx xxxxx-xxxxxxxx. Xxxx xxxx xxxxx xxxxxxx xx xxxx xxxxx xxx XXX xxxxx xxxx xxxx,
xxxxxx xxx xxxxxxx xx xxx xxxxxxxxx xxxxxxx xxx XXX xx xxxxxx xxxxx xxx xxx.

To use traceoptions flag basic-datapath :

1. Enable traceoptions flag basic-datapath. Capture the results to a file of your preference:
barnys@SRX3400# set security flow traceoptions file DEBUG
barnys@SRX3400# set security flow traceoptions flag basic-datapath

2. Configure a packet-filter to match traffic going one way (outbound in this case):
barnys@SRX3400# set security flow traceoptions packet-filter match-outgoing source-prefix 192.168.2.0/24
barnys@SRX3400# set security flow traceoptions packet-filter match-outgoing destination-prefix 0.0.0.0/0

3. Configure a packet-filter to match the reverse or response traffic:


barnys@SRX3400# set security flow traceoptions packet-filter match-reverse source-prefix 0.0.0.0/0
barnys@SRX3400# set security flow traceoptions packet-filter match-reverse destination-prefix 192.168.2.0/24

NOTE

Steps 2 and 3 are both necessary because a packet-filter matches only one direction of a flow.
Two packet-filters let you capture both the outgoing and the reverse flow. Separate packet-filters
are evaluated as OR conditions, so the SRX traces a packet that matches either filter; the
source-prefix and destination-prefix inside a single filter are ANDed.
4. Xxxxx xxxxxxxxxx xxxx xxxxxxxxxxxxx, xxx xxx xxxxxxx xxx xxxxxxx xxxxxxx xxxx xxx
xxxx xxx XXXXX xxxxxxx.

MORE?

Troubleshooting is a huge topic whose surface has barely been scratched here, but as with
everything in this short book, it's a jump start to a much larger SRX world. Use other Day One
books to assist you in troubleshooting, the new SRX book, Junos Security from O'Reilly Media,
and of course, the SRX documentation.


Appendix
SRX Default Factory Configurations. . . . . . . . . . . . . . 94
Reviewing and Applying Licenses. . . . . . . . . . . . . . . .98
Steel-Belted RADIUS Integration. . . . . . . . . . . . . . . . 100
What to Do Next & Where to Go. . . . . . . . . . . . . . . . . .107

SRX Default Factory Configurations


Xxxx xxx xxxxxxx XXX xxxxxxx xxxxxxx xxxxxxxxxxxxxx xxx xxxx xxxxxxxxx.

SRX210 Default Factory Configuration. Loaded Junos 10.1R1.8.


## Last commit: 2010-03-23 08:39:12 UTC by root
version 10.1R1.8;
system {
    autoinstallation {
        delete-upon-commit; ## Deletes [system autoinstallation] upon change/commit
        traceoptions {
            level verbose;
            flag {
                all;
            }
        }
        interfaces {
            ge-0/0/0 {
                bootp;
            }
        }
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    services {
        ssh;
        telnet;
        web-management {
            http {
                interface vlan.0;
            }
            https {
                system-generated-certificate;
                interface vlan.0;
            }
        }
        dhcp {
            router {
                192.168.1.1;
            }
            pool 192.168.1.0/24 {
                address-range low 192.168.1.2 high 192.168.1.254;
            }
            propagate-settings ge-0/0/0.0;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ## Warning: missing mandatory statement(s): root-authentication
}
interfaces {
    interface-range interfaces-trust {
        member ge-0/0/1;
        member fe-0/0/2;
        member fe-0/0/3;
        member fe-0/0/4;
        member fe-0/0/5;
        member fe-0/0/6;
        member fe-0/0/7;
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/0 {
        unit 0;
    }
    vlan {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
security {
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
wlan {
    cluster vlan-0-default {
        name juniper-ap-cluster;
        default-cluster;
        interfaces {
            vlan.0;
        }
    }
}
vlans {
    vlan-trust {
        vlan-id 3;
        l3-interface vlan.0;
    }
}
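Before putting a device with this default configuration on a network, it is worth checking for the settings above that a practitioner would normally change: telnet, J-Web over plain HTTP, a trust zone that accepts every host-inbound system service, and the root-authentication that the ## Warning line reports as missing. The following is an added example (mine, not Juniper code) that flattens the curly-brace configuration into set-style paths and reports those findings. CONFIG_SNIPPET is an excerpt of the SRX210 listing above; the parser handles only the syntax these factory configurations use.

```python
"""Flatten a Junos curly-brace configuration into set-style paths and audit it.

Added example for this appendix, not Juniper code. The parser covers `name {`
blocks, `leaf;` statements and `##` annotations, which is all the factory
configurations above use. CONFIG_SNIPPET is an excerpt of the SRX210 default.
"""
from typing import List, Tuple

CONFIG_SNIPPET = """\
system {
    services {
        ssh;
        telnet;
        web-management {
            http {
                interface vlan.0;
            }
            https {
                system-generated-certificate;
                interface vlan.0;
            }
        }
    }
    ## Warning: missing mandatory statement(s): root-authentication
}
security {
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
        }
        security-zone untrust {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                        }
                    }
                }
            }
        }
    }
}
"""


def flatten(config: str) -> List[str]:
    """Return one space-joined path per leaf statement, e.g. 'system services telnet'."""
    paths, stack = [], []
    for raw in config.splitlines():
        line = raw.split("##", 1)[0].strip()   # drop ## annotations and comments
        if not line:
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            paths.append(" ".join(stack + [line[:-1].strip()]))
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    if stack:
        raise ValueError("unbalanced braces")
    return paths


def audit(paths: List[str]) -> List[Tuple[str, str]]:
    """Return (finding code, detail) pairs for the risky factory defaults."""
    findings = []
    if "system services telnet" in paths:
        findings.append(("telnet", "cleartext management enabled; keep ssh only"))
    if any(p.startswith("system services web-management http ") for p in paths):
        findings.append(("http", "J-Web over plain HTTP; keep https only"))
    for p in paths:
        parts = p.split()
        # security zones security-zone <zone> host-inbound-traffic system-services all
        if (parts[:3] == ["security", "zones", "security-zone"]
                and parts[4:] == ["host-inbound-traffic", "system-services", "all"]):
            findings.append(("zone-all-services", parts[3]))
    if not any(p.startswith("system root-authentication") for p in paths):
        findings.append(("no-root-auth", "root-authentication missing; commit fails until it is set"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(flatten(CONFIG_SNIPPET)):
        print(f"{code}: {detail}")
```

Run it against the output of show configuration on a fresh device; interface-level host-inbound-traffic such as the dhcp and tftp on ge-0/0/0.0 is deliberately not flagged, because it is scoped to one interface rather than the whole zone.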

SRX3400 Default Factory Configuration. Loaded Junos 10.1R1.8.


## Last commit: 2010-03-24 14:35:41 UTC by root
version 10.1R1.8;
system {
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ## Warning: missing mandatory statement(s): root-authentication
}
security {
    idp {
        security-package {
            url https://services.netscreen.com/cgi-bin/index.cgi;
        }
    }
}

Reviewing and Applying Licenses


Xxx xxx xxxxx xxx xxxxxxxx xxxxxx xx xxxx XXX xxx xxxxx xxxx xxxxxxxxx x xxx xxxxxx
xxxxx.
Xxxxxxxxx xx xxxxxxx xxxxxxx xxxx xxx xxxxxx xx xxxxxxxxx, xxx xxxx xx xxxxx xx xxx
xxxxxxx xxxxxx xxxxxx. Xxxxx xxxxxxxxxxxx xxxxxx xxxx xxx xxxxxxx xxxx xxx xxxxxxx
xx xxxx xxxxxxxxxx, xxx xx xxxx xx xxx xxx xxxx, xxxx xxxx xxxx xxxx xxxxxxx xxxx, xx
xxxxx x xxxx xx Xxxxxxxx xxxxxxxx xxxx, xx xxx xxx xxxxxxxxxx xxxx xxx xxxx.
Xx xxx xxxx x xxxxxx xxx xxx xxx xxxx xx xx xxxxxxxx xxx xxxxxxxx, xx xx xxx xxxx xxx
xxxxxxx xxxxxxxxxxx xxx xxxxxxxx xxxx, xxxxxx xxxxx
xxxxx://xxx.xxxxxxx.xxx/xxxxxxxx_xxxxxxx/.

Xxx xxxxx xxxxx xxxxxxxxxxx xxx xxxxxx xxxxxxx xx xxxxxxxx xxx xxxxxxxx x xxxxxxx.
To Apply a License:

1. Connect to your device and check the status of your license:


root> show system license
License usage: none
Licenses installed: none

2. Xxx xxxxxx xx xxxx xxxx xxxxxxxxx xxxx xxxxx xxx xx xxxxxxxx xxxxxxxxxx xxxx
xxxxxxx xxxxxxxxx. Xx xxxxxxx xxxxx xx xx XXX xxxxxxxx xxxx xxxxxxxxxx.
Xxxxxx-xxxxx xxxx xxx xxxxxxx xxxxxxxx xxxxxxx xxxx xxxxxxxx xxxxxx xxxxxx. Xx
xxxx xxx xxxxxx xxxxxx:
root> show chassis hardware
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                AA4508AD0013      SRX 3400

3. Xxxx xxx xxxxxxx xxxx xxxxxxxx xx xxxxxxx xx xxx xxxxx xxxx xxxxxx. Xxxx xxx xx xxx
xxxxxxxx xx xxx xxxxxxxxx xx xxxxxxxxxxxx xxxxxxxxxx, xxx xxxx xxxxxxxx Xxxx->Xxxx.
4. Xx xxx XXX, xxxx xxx xxxxxxxxx xxxxxxxxxxx xxxx xxxxxxx, xxx xxxx xxx xxxxxxxx xx
xxx xxxxxxxxx, xxxxxxxx xx Xxxx-X (xxxxxx xxxxxxxx):
root> request system license add terminal
[Type ^D at a new line to end input,
enter blank line between each license key]
JUNOS252544 aeaqea qmifat injqhb auimbq gezqqb qcdw4x
loxva4 ueffko xw4whk 6mfqs6 7oyg5t zn2j5k
upc2ff bxrvkt 4ut24u w44joc n24g4x 7pevbz
psq
JUNOS252544: successfully added
add license complete (no errors)
root>

5. Xxxxxxxx xxx xxxxxx xxxxxxxxx xx xxxxxx, xx xx x xxxx xxxxxxxx xx xxxxxxx xxxx xxx
xxxxxxx xxx xxxxxxx xxxxxxxx:

root> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  idp-sig                               0            1           0    2011-04-29 00:00:00 UTC

Licenses installed:
  License identifier: JUNOS252544
  License version: 2
  Valid for device: AA4508AD0013
  Features:
    idp-sig - IDP Signature
      date-based, 2010-04-10 00:00:00 UTC - 2011-04-29 00:00:00 UTC
root>

Xxxxxxxx xxxx xxxxxx xx xxxx xx xxx xxxxx xxxx, xx xxxxx xx xx xxxx xx xxxxxx xxxx
xxxxxx.

Steel-Belted RADIUS Integration


Xxxx xxx xxxx xxxx xxxxxxxxxxxxxxx xxxxxxxxxxxx xx xxxx xx xxx xxxx xx xxx XxxxxXxxxxx XXXXXX (XXX) xx xxxx xxxxxxx xxx xxxxxxxxxxxxxx xxx xxxxxxxxxxxxx xxxxx,
xxx xxxxxxxxx xx xxxx Xxxxxx Xxxxxxxxx. Xxxx xxxxxxx xxxxxxxxxxx xxx xxxxxxxxxxxxx
xxxxxxxx xxxx Xxxxxxx 5, xx xxxx xxxx xx xx xxxx xxx xxxxx xx xxxxxx xx xxx xxx xxxx
xxxxxxxxxx.
Xxxxxxxxxx XXX xx xx Xxxxxx Xxxxxxxxx xxxxxx xxxxxxxx xxxxxxxx xxxxxxxxxxx xxxx
xxx xxxxxxxxx xxxxxx. Xxxxx xxxx xxxxxxx xxxxxxxxxxxxx xxx xxx XXX xxxxxx, xxxxx,
xxx xxxxxx, xxx xxxxxxxxxxxxx xxx xxxxxxxx xx xxxxxx xxx xxxx xxxxxxxx xxxxxxxx xxxx
xxx Xxxxxxx xxxxxxxxx Xxxxxx Xxxxxxxxx Xxxxx xxx Xxxxxxxxx.
Xxxx xxx xx xxxxxxxxxxxx xxx xxxx xxxxxxxxx xxx xxxxxxxx xxxxxxxxxxxxxx, xxx xxx
xxxxxxxxxxx xxxx, xx xx xxx xxxx xxxx xxxxxxxxxx xx xxxx Xxx Xxx xxxx, xx xxxx xx xxxx
xxx xxxxxxx, xxx xxxx xxx xxx xxxxxxx xxxx xxxx xxxxxxx xxxxxxxxx xxxx xxxx.
To Configure RADIUS Authentication and SRX Authorization:

1. Connect to the SBR and launch the application. The connection is made by pointing a browser
at the SBR's IP address on port 1812, for example http://[server_IP]:1812. When the application
launches it looks something like this:

2. Xxx xxx XXX xxxxxx, xx xxxx xxxx xxx XXX. Xxxxxx xxxx xxx xxxxx xxxxxx xxxxxxx xx
xxx xxx xxxxxxxxxx xx xxx xxxxxxxx. Xxx xxxx xxx xxxxx xxxxxxxx xxxxx xxxx, xx xxx
xxxxxxxxxxxxxx xxxxxxxxx xxxxx xxx xxxx xx X/X Xxxxxx xx xxxxxxx.

3. Xxx xxxxx, xxxx xx xxx xxxxx xxxxxxx xxxxx,: xxxxxx, xxxxxx, xxxxx xxx xxx. Xxxxxx
xxxxx xxxxx \\XXXXXX\[xxxx] xxxxxxxxx xxxx xxxx xxx xxxx xx xxx XXXXXX xxxxxx.
Xxxx, xxxx xxxxx xx x xxxxxxx xxxx xxx XXX xx xxxx xxx XXX xxxxxx xx xxxxx xxx xxx
Xxxx-Xxxxxxxx xxxxxxx xxx xxxxxxxxx xxxxxxxx.
4. Xxxxxx xxx xxxxxxxxxxxxxx xxxxx xx xxxx xxx xxxxxxxx xxxxxxxx XXX xxxxxxxx xxxxx
xxx xxx Xxxxxxx xxxx xxxxxx, xxxx xxx Xxxxxxx xxxxx xxxxxxxxxx, xxx xxxxxx xxx xxx
xxxxxxxx xxxxxxx xx xxx XXX xxxxxxxx.
5. Xxxxxx xxxx xxx xxxxx xx xxxxxxxx xxxxx xx xxx Xxxxxx Xxxxxxxxx. Xx xxxx xxxxxx
xxxxx, xxx xxxxxxxxxxxxx xxx xxxxxx xx xxxxxx x XXX-xxxxxxxxxxxxxx xxxxx, xxx xxxx
xxx xx xxx xxxxxxx x xxxx xx xx.

To Configure RADIUS Authentication and Authorization:

1. Xx xxxxxx XXXXXX xxxxx xxxxxxxxxxxxxx xxx xxxxxxxxxxxxx, xxxxxx xxxx xxxx


xxxxxx xx XXX, xxxxxxxx xxxx xxx xxxxx XXXXX-XXXX. Xxxxxx xxxx XXX xx
xxxxxxxxxx xx xxxxx xxxxx xxx xxxxxxxxx xxxxxxxx xxxxxxx xxx xxxxxxxx xxxxxxxx.

2. Xxx xxx xxxx xxxxxxxx xxxxxx xx xxx XXXXX-XXXX xxxxx, xxx xxxxxx xxx xxxx
xxxxxxxxxxx. Xx xxxx xxx x xxxxxxxxxx xxxx xxxx xxxxxxx xx xxxx xxxxx xx Xxxxxx
Xxxxxxxxx, xx xxxxxxx xxxx xxxxxxxxxx.
3. Xxx xxxx xxx xxxxxxxxxxx xxxxxxx xxx xxxx xxxxxxx xxx xxx XXXXXXXXXX xxxxx.
Xxxxxx xxxx xxx xxxxxx xxxx xx xxxx xxxxxxxx, xxxxxxxx xxxxxxxxxxxxx xxxxxxx xxxx
xxxx xxxxxxxxxx.

4. Xxx xxxx xxxxxxxxxx xx xxx xxxx xxxxxxx xxx xxx XXXX-XXXX xxx XXXXXXXX
xxxxxx. Xxxxx, xxxx xxxx xx xxx xxxxxxxxxxx xxx xxxx xxxxx.

5. Xxxxxx xxx xxxxxxxxxxxxxx xxxxx xx xxxx xxx xxx xxxxx xxxxxxxxxx xx xxxxxxxx
xxxxx, xxxxxx xxx xxxxxxxxxx xxxx xxxxxxxx.
6. Xxxx xxxx xxxx xxx xxxx xxx xxxxxx xxxxxxx xx Xxxxxx Xxxxxxxxx, xxx xxxx xxx xxxxx
xxxxxx xx xxxxx xxxxxxxxxxxxx xxxxxx, xxxxxxxxx xx xxx xxxxxxxx xxxxxxxxxx.


What to Do Next & Where to Go

www.juniper.net/dayone

Xx xxxxx xxxxxxx x xxxxx xxxxxxx xx xxxx xxxxxxx, xx xxxx xx xxxxxxxx xxx XXX
xxxxxxx xx xxxx xxx xxxx xxxxx Xxx Xxx xxxxxxxx xxx xxxxxxxxx xxxxxxxxx.
www.juniper.net/junos

Xxxxxxxxxx xxx xxxx xxx Xxxxx xxxxxxxx xxx xxxxxxxxx.


http://forums.juniper.net/jnet

Xxx Xxxxxxx-xxxxxxxxx X-Xxx Xxxxxxxxxxx xxxxx xx xxxxxxxxx xx xxxxxxx
xxxxxxxxxxx, xxxx xxxxxxxxx, xxx xxxxxxxxx xxxxx Xxxxxxx xxxxxxxx, xxxxxxxxxxxx, xxx
xxxxxxxxx. Xxxxxxxx xx xxxxxxxxxxx xx xxxx xxxx xxxxx.
www.juniper.net/techpubs

Xxx Xxxxxxx-xxxxxxxxx xxxxxxx xxxxxxxxxxxxx xx xxxxxx xxxxxxxxxx xx xxxx xxxx.


Xxxx xxxx xxx xxxx xx xxxx xxxxx xxx Xxxxx xxxxxxxxx xxxxxx xxxxx xxxx xxxxxxx xxxx.
www.juniper.net/books

Xxxxxxx xxxxx xxxx xxxxxxxx xxxx xxxxxxxxxx xx xxxxxx xxx xxxxxxx xxxxxxxxx xxxxx
xx xxxxxx xxxxxxxxx xx xxxxxxx xxxxxxxxxxxxxx. Xxxxx xxx xxxx xxxx-xxxxxxxxx xxxx xx
xxxxx xxxxxxxxx xxxxx xxxxxxxxx xxx xxx XXX-xxxxxxxx Xxxxx Xxxxxxxx.
www.juniper.net/training/fasttrack

Xxxx xxxxxxx xxxxxx, xx xxxxxxxx, xx xx xxx xx xxx xxxxxxx xxxxxxxx xxxxxxx xxxxxx
xxx xxxxx. Xxx Xxxxxxx Xxxxxxx Xxxxxxxxx Xxxxxxxxxxxxx Xxxxxxx (XXXXX) xxxxxx
xxx xx xxxx xxxxxxxxxxxxxx xx xxxxxxxxxxxxx xxxxxxxxxx xx xxxxxxxxxxxxx xxx
xxxxxxxxxxxxxxx xx Xxxxxxx xxxxxxxx. Xx xxx xxxx xxx xxxx xxxxx xx xxxxxxx xxxx
xxxxxxxxxxxxxx xx xxxxxxxxxx xxxxxxx, xxxxxxxxx, xx xxxxxxxx xxx xxx xxxxxxxxx
xxxxxx xxxxxxx, xxxxxxx xxxxxx, xxx xxx xxxxxx.


The Definitive Guide for the SRX Services Gateways

Xxxxxxxx

Xxxxx
xx xxx xxxxxxxx xxx xxxxxxxxxx xxxxxxxxxxxx xx Xxxxxxx
Xxxxxxxx xxx XXX xxxxxxxx xxxxxx xxxxxxx xxx Xxxxx xxxxxxxxx xxxxxx. Xxxx xxxx
xxx xxxx xxxxxxxx x xxxxxxxxx xxxxx-xx xxxxx xxxxx xx xxxxxxxxx, xxxxxxxxxxx, xxx
xxxxxxxxx XXX, xxx xxxx xxxxxx xx x xxxxxxxxx xx xxxx xxx xxxxxxx xxx xxx XXXXXXX xxx XXXXX-XX Xxxxxxxxxxxxx xxxxxxxxxxxx.
Xxxxxxx xxxxxxxxxxxxxx xxx xxxxxxxx xxxxxxxxxxxxx xxxx xxxxx xxx xx xxxxxxx x xxxxx
xxxxx xx xxxxxxxxxx xxxx xxxxxxx xxxxxxxxxxxx xxxxx XXX Xxxxx xxxxxxxx xxxxxxxx
xxxxxxxxx XX xxxxxxx, xxxxxxxxx xxxxxxxxx, xxxxxx xxxxxxxxxx, xxxxxxx xxxxxx
xxxxxxxxxx, xxx XXX xxxxxxxxxxxx. Xxxxx Xxxxxxxxxx Xxxxxxxx xx x xxxxx xxx
xxxxxxxx xxxxxxx xx XXX xxxxxxx xxxxx.
x Xxx xx xx xxxxx xx Xxxxxxxx xxxxx-xxxxxxxx XXX xxxxxxxxx xxx XXX Xxxxx
xxxxxxxx
x Xxxxx xxxxxxxx xxxx xxxxxxxxx xxxx xxxxxxxxx xxxxxxxxxx xxxxx XXX
x Xxxx xxxxxxxxx xx xxx xxxxxxx xxxxxxxxx xxxxxxx xxxx xxxxxxx xxx xxxxxxxxxxxxxxx
xxxx
x Xxxxxx xxxxxxxx xxxx XXX xxxxxxxx xxxxxx, Xxxxxxx Xxxxxxx Xxxxxxxxxxx, xxx
XXXxx XXX xxxxxxxxxxxxx
x Xxxxx xxxxx xxxxxxx xxxxxxxxxxxx xxx xxxx xxxxxxxxxxxx xx XXX xxxxxxxxx
Xxxxxxxxx xxxxxxxx xxxxxxxxx xxxxx xxx xxxx. Xxx xxxx xxxxxxxxxxx xxxxx xxxx xx
xxxxx xxxxxx xx xxx Xxxxxxx Xxxxxxxx Xxxxxxxxx Xxxxxxx xx xx: xxx.xxxxxxx.xxx/xxxxx.
