By Barny Sanchez
SPECIAL EDITION
By using this special edition, you agree to use the material in this
document at your own risk. Juniper Networks assumes no
responsibility whatsoever for any inaccuracies in this document.
2011 by Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks
logo, Junos, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the
United States and other countries. Junose is a trademark of Juniper Networks, Inc. All other
trademarks, service marks, registered trademarks, or registered service marks are the property
of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this
document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise
this publication without notice. Products made or sold by Juniper Networks or components
thereof might be covered by one or more of the following patents that are owned by or licensed
to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650,
6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918,
6,567,902, 6,578,186, and 6,590,785.
Chapter 1
Different Ways to Manage an SRX
Connecting Via the Console . . . . . . . . . . . . . . . . . . . . . . . . 6
Connecting Via the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Connecting Via the J-Web . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Connecting Via Network and Security Manager . . . . . . 8
Consoling to an SRX Device for the First Time. . . . . . . . 9
Xxx XXX xx x xxxx xxxxxxxx xxxxxxxx xxxxxxxx xxx xxxxxxxxxx xxxxxxxxxxxxx xxx
xxxxxxxxxx xxxxx xxxxxxx xxx xxx xxxxxxx xx xx xx xxxxxxxx xxxx. Xxxxxxx xx xx x
Xxxxx xxxxxx, xxx xxxx xxx xxxxxx xx xxxxxx x XXX xxx xxx xxxxxxx xxxx, xxx xxxxxxx
xxxx xxxxxxxxx (XXX), xxx xxx xxxxxxxxx (X-Xxx), xxx Xxxxxxx xxx Xxxxxxxx Xxxxxxx
(XXX), xx xxxxxxx xxxx xxxx xxxxxxxxxxxxx xxxxxxxxxx, xxxx xxxxxxxxxxx xxx
xxxxxxxxxx xxxxx. Xxxx xx xxxxx xxxxxxxxxx xxxxxxx xxxxx xxxxxxx xx xxxxxxx
xxxxxxxxxxxxx. Xxxxxxxxxxxx, xxxxx xxxxx xxxxxx xxxxxxxxxxxxx xxx xxxxxxxxxx
xxxxxx xx xxx xxxxxxxxx xxx xxx xxxxxxxxxx, xxx xxxxxxxxx xx xxxxxxxxxx xxxx xx
xxxxxxxx xxxx xxxx xxxxxx, xxxx xxx xxx xxxxxx xxxx xx xxxx xxx xxxx xxxxxxxxxxx.
Xxxx Xxx Xxx xxxx xxxxxxx xx xxxxxxxxxxxxx xxx xxxxxxxxxx xxx xxx Xxxxx xxxxxxx
xxxx xxxxxxxxx (XXX), xxx xxxx xxxxx xxx xxxxx xxx xxx X-Xxx xxxxxxxxx xxx xxxx xxx
Xxxxxxx xxx Xxxxxxxx Xxxxxxx. Xxxx xxxxx-xxxxxxxxxxx xxxxxxxx xxxxxx xxxxxxx xxxx
xxxxxxxxxxxxxx xx xxx XXX.
Xxxx xxxxx xxx xxx xxx? Xxxxx xxxxxx xx xx xxxx xxxxxxxxxx xxxxxxxxxxxx, xxx
xxxxxxxxx xxx xxxx, xx xxx xxxxx, xxx xx xxxxxxxxxx xx xxxxxx xxxxxxxxxx xxxxxxxxxxx.
Xxxxx xxx xxx xxx xxxxxxx xxxx xx XX xxxxxxxxxx, xxx xxx xxxxxxxx xxxxxx xxxxx x
xxxxxxxx Xxxxxxxx xxxxx xxxxx, xx xxx xxx xxxx xx xxxxxxxxx xx xxxxx xxxx (xxxxxxxx,
xx xxxxxx, xxxx xxx xxx xxxxx xxx xxxxxxxxxx XX xxxxxxx).
Xxxxxxxxx, xxxxx xxxxx xx xxxxxxx xxxxxxxxxxxxx xxx xxx xxxxxxx, xxxx
xxxxxxxxxxxxxx xxxxxxxxx xxx xxxxxxxxx xxxxxxxx xx xxxxx xxxxxx xxxxxx xx xxx
xxxxxx xxx xxxxxxxxx xxxx XXX xxx xxxxxx. Xxxxx xxx xxxxxxx xxxxx xx xxxxxx xxxxxx
xxxxxx xxxxxxxxxx xxx xxx XXX, xxx xxxxx xxx xxxxx xx xxxxxxxxxx xxxxxxxx xx xxxx
xxxx.
Xxxxx xxx xxxxxxxxx xx xxx xxxx xx xxxx xxx xxxxxxx xxx xxx xxxxxxx, xxxx xxxxxxxx
xxx xxxxxx xxx xxx xxxxx xxx xxxx xxxxxxxxx xxxxx xxxx xxxx xxxxx xxxxxxxx, xxx xxxx
xxxxxxxxx xxxxx xxx xxxxxxx xx xxxxxx xxxxxxxx, xxxxxxxxxx xxxxxxxxxxxxxx
xxxxxxxxxxx, xxx xxx xxxx xxxxx.
NOTE
The SRX3400/3600 and SRX5600/5800 also have a dedicated management port that is different
from the console. This port is exclusively for management purposes, and if you have an out-of-band
management network, then it is best to use it. Known as fxp0, these interfaces exist
in the control plane of the SRX, and cannot be used for user data traffic (which helps to guarantee
that the dedicated management channel remains open in the event that there is a disruption of the
data plane).
Xxxxx xxx X-Xxx xxx xxxx xxxxxxxxxxx xxxx xx xxxxx xx xxxxxxxx xxxxxxxxxxxx
(xxxxxxxxx), xx xxxxxxxx xxxx xxxxxx xxxxxxx xxxxxxxx xxxx xxx xxxxxxx xxxx xxx
xxxxxxxxx xxx xxxxxxx xxxxxx xx xxx xxxxxx. Xx xxx xxxxxx xxxx xxxxxx xxxx xxx XXX
xxx xxx xxxxxxxx xxxxxx, xxx xxx xxxxxx xxxx xxx xxxxx xxxxxxx xxxxxxxxxx xx xxxxxxx
xxx xx xxxxxxxxx xxxxxxxxx xxxxxxxx xx xxx XXX.
TIP
Using the J-Web is sometimes the preferred connection method for administrators who are
accustomed to managing other vendors' devices via graphical interfaces.
Xx xxxxx xx xxxxxxxxxxx, xxx XXX xx xxx xxxxxxxx xxx xxxxx xxxx xxxxxxxxx, xxx xx xxx
xxxxx xxxx, xx xx x xxxx xxxxxxxx xxx xxxxxxx xxxxxx, xxx xxxxxxx xxxx xxxxxxx xx
xxxxxxx xxxxxxxxx. Xx xx xxxxxxxxxxxxxx xxxx xxx xxxxx xx XXX xxx xxx xx xxx
xxxxxxxx xxx xxxxxxxxx xxx xxx xxxxxxxxxxx.
MORE?
There is so much more to NSM than what's discussed in these few paragraphs. If you want to
learn more about it, start by reviewing the product specifics from the Juniper Networks website at
www.juniper.net/us/en/products-services/network-management/. Training information is
available at www.juniper.net/us/en/training/technical_education/.
Understanding the different aspects of the factory default configuration that enables this access
requires you to study a few more missing pieces, but for now, let's focus on the console
connection.
Xx xxxxxxx xxx xxx xxxxxxx xxx xxxx: xxx xxxxxxxx xxxxxxx xxxxx xxxx xxxx xxxx xxx
XXX xxxxxx, x xxxxxxxx xxxx x xxxxxx xxxx (xx XXX xx Xxxxxx xxxxxxx), xxx x xxxxxxxx
xxxxxxxxx xxxxxxxxxxx xxxxxxx xx xxx xxxxxxxx.
1. Connect the provided console cable to your computer, and at the other end, to the console port
of the SRX.
2. Xxxx xxxx xxxxxxxx xxxxxxxxx xxxxxxx (xxxx xx Xxxxx Xxxxxxxx xx Xxxxxxx).
3. Xx xxx xxxxxxxxxxx, xxx xxx xxxx xxxxxxxx (XXX xxxx xxxx xxxxxxxxxx xxx xxxxxx
xxxxxxxxxx) xxxx xxx xxxxxxxxx xxxxxxxxxxx:
n Bits per second: 9600
n Data bits: 8
n Parity: None
n Stop bits: 1
n Flow control: None
4. Xxxxx Xxxx xx Xxxxxxx (xxx xxxxxxx xx xxxxxxxxxxx xxxxxxxxx).
TIP
If you are an Apple user you're not out of luck. Connecting to the console of your device is just
as easy. After connecting your USB-to-serial adapter, find out the name of the device
($ ls /dev/; it usually appears as /dev/tty.usbserial-* or /dev/cu.usbserial-*), and once you know
this, open a terminal window and type $ screen /dev/[device_name] 9600.
Xxxxx xxxxxxxxxx xxx xxxxx xxxxxx xx xxx xxxxxxxxx xx xxx xxxxxx. Xxxxxxxxx xx xxx
xxxxx xx xxx xxxx xxxxxxx xx xxxxx xxx xxxxxxxxx, xxx xxx xxx x xxx xx xxxxxxxxxxx
xxxxx xxxxxxxxx. Xxx xxxxxxxx xxxx xxxxxx xxx x xxxxxx xxxx xx xxx xxxx xxxxxxx, xxx
xxxxx xxx xxxxxx xxxxxxxx xxxx xxxxxxxxxxxxxxx xxxx-xxxxxxx xxxxxxxx, xx xxxxx
xxxxxxxxxx xxxx xxxxxxxx xxxxxxxxxx.
Xxxxxxxx xxxx xxxx xx x xxxxx xxx, xx xxxxxxx xxxxxxxx xxxxxx, xxx xxxxxx xxx xxxx x
xxxxx xxxxxx xxxx xxxx (xxxx xxx xxxx Xxxxxxxx, xxxxx xx Xxxxxxxx xxx xx xxxxxxxx
xxxx x xxxxxx xxx xx xxxxxxx xxxxxxxxxxxxx):
Amnesiac (ttyu0)
login:
Xx xxx xxxxx xxxx xxx XXX xxx xxxx xxxxxxxxxxxxx xxxxxxx xxxxxxxxx (xxxxx xxxx xx
xxx x xxx xxxxxx), xxxx xxx xxxxxx xx xxxxxxxxx. Xxx xxxxxx xxxxxxxxxxxxx xxx xxxx,
xxxxxxxxx xxxxxxx xxx xxxxxxxxx xxxxxxxxxxxxx xxx x xxxxxx xx xxx, xxx xxxxxxx, xxx
xxx xxx xxxxx xx xxxx xxx xxxx Xxxxxxxx xxxx xxx xx xxxxx. Xx xxxxxxx:
srx210-1 (ttyu0)
login:
Xx xxx xxxx xxxx xx xxxx xxx xxx xxxx xxxx xxx xxxxxx, xxxx xx! Xxx xxx xxx xx xx xxx
XXX xx xxxxx xxx xxxxx xxxx xxxx xxx xxxxxxxx [Xxxxx] xxx xxx xxxxxxxx. Xx xxx xx xxx
xxxx xxx xxxxxxxxx xxxxxxx xx xxxx:
--- JUNOS 10.1R1.8 built 2010-07-12 18:31:54 UTC
root@%
Xx xxx xxx xxxxxx xx xxx xx xxxx xxx xxxxxxxx xxxx xxx xx xxxxxxxx, xxxx xxxxx xxxx xxx
xxxxxx xxx x xxxxxxxxx xxxxxxxxxxxxx xxxx xxx xxxxxxx xxxxxxxx. Xx xxx xxxx xxxx xxx
xxxxxxxx xx xxx xxxx xxxxxxx, xx xx xxxxxxx xxxxxxx xxxx xxxxx-xxxx xxxxxxxxxx, xxxx x
xxxxxxxx xxxxx xx xxxxxx. Xxx xxxxxxx xx xx x xxxxxxxx xxxxxxxx xxx xx xxxxx xxxx:
xxxx://xx.xxxxxxx.xxx/XX12167.
Xxxx xxxx! Xxxx xxx x xxx xx xxxx xx xxxxxxx xxxxxxxx xxxxx xxx xxx xxxxx xx xxxxx x
xxxxxx xxxxxx xxxx xxx xxxxxxx. Xxx xxxxxxxxx xx xxx xxxx xxxxxxx xx xx xxxxxx xxx
xxxxxxx xxxx xxxxxxxxx, xxx xxx xxxx xxxxxxxxxx xx xxx xxxxxxx xxxxxxx
xxxxxxxxxxxxx.
Chapter 2
Operational and Configuration Modes
Interfaces and Security Zones. . . . . . . . . . . . . . . . . . . . 14
The Factory Default Configuration. . . . . . . . . . . . . . . . 17
Introducing a Work Topology. . . . . . . . . . . . . . . . . . . . . 19
Xxxxxx xx Xxx Xxx xxxxx xxx xxxxxxxxxx xxxxxx xxx xxxxxxx xxxxxxxxx xxxxx xxxxxxx
Xxxxx xxxxxxxxxx, xx xxx xxx xx xxxxxxxxx xxx xx xx xx xxxxx xxxx.
Xxxxxxx Xxxxx xx x xxxxxxxx xxxxxx xxxxxx xxx xxxxxxxxxxx xxxx xxxxxxxxxxxx xxxx
xxxxxxxx xxxxxxxx (xxxxxx xxxxxxxx xxxxxxxxxx xx) xxxxxx xxxx xxxxxxxx xxxxxxxx
(xxxxxx xxxxxxxx xxxxxxxxx). Xxxx xxxxxxxx xxxxx xx xxxxxxx xxxxx xxxx Xxxxx
xxxxxxxxxx xxxxxxxxxxxx xx xxxxxxx xxxxxxxxx xxxx xx xxx XXX Xxxxxx. Xxxxx xxxxx
xxx xxxxxxxx xxxx xxxxxxxx, xxx xxxxxxxxxxxx, xx xxx xxxxxxx xxxxxxxxx.
Xxx xxxxxxx, xx XX Xxxxxx xx XX Xxxxxx xxxxxxxxxx xxxx xx xxxxxxxxx XX xxxxxxx
xxx xxxxxx xxxxxxxx, xxxxxxxxxxx xxxxxxxx xxxxxxxxxxxx xx xxxxx xxxxxxx; xxxxx xxx
XXX Xxxxxx xxxxxxxx xxxxxxxxxx xxxxxxxxxxxxx xxxxx.
Xx xxxx xxxxxxx, xxxxxx xxx xxx xxxxxxx xx xxxxxxxxx xxx xxxxxxxxxxxxx xxxxx xxxx
xxx xxx xxxxxxx xxxx, xxx xxx xxxxxxx xxxx xxx xxx XXX xxxxx xxxx X/XX/X xxxxxxx xxx
XX xxxxxxxx. (Xx xxx xxx xxxxxxxxx xxxxx xxx X-xxxxxx xxxxxxx, xxxxx xxxxxxx xxxxxxx
xxx xxxx Xxxxx xxxxxx xxxxxxxxx xx XXXx xxxxx xxxxx 9.x xxxxxxxx.)
NOTE
If you need to reinforce your knowledge of Junos operational and configuration modes, then see
the Junos Software Fundamentals Series Day One books at www.juniper.net/dayone. Also seek
out the Juniper Networks Technical Library at http://www.juniper.net/books.
NOTE
As you can see, this can be a little tricky. Let's try another example. If you configure ping
system-services at the zone level, and try to ping an interface belonging to that zone, it will
respond properly. If you later decide to enable telnet on the same interface by configuring
system-services at the interface level, then ping will stop responding. This is because interface
settings take precedence: an interface-level host-inbound-traffic list replaces the zone-level list
for that interface rather than adding to it. To fix this and be able to get responses again, you need
to enable ping system-services at the interface level as well.
Xxxx-xxxxxxx-xxxxxxx xxxxxxxx xxxx xx xxxxxx xx xxx xxxx xxxxxxxx xxxxxxx.
Xxxxxx xxxxxx xxxx xxx xxxxxxxxx xxxxx, xxxxx xxx xxx xxxxxxxxx xxxxxx xxx xxxxxx
xxxx:
n First, configuring system-services host-inbound-traffic is not sufficient to manage a device
via an interface. While the interface can accept those types of traffic, for some services like
telnet, SSH, FTP, and J-Web access, you have to also enable corresponding services under
[edit system services].
n Second, host-inbound-traffic settings do not affect fxp0 interfaces, and they cannot be
configured for those interfaces. As discussed in Chapter 1, fxp0 interfaces are exclusively
for management purposes, and as long as you configure an IP address, and turn on the
services under [edit system services], then you can connect remotely.
TIP
If you want to apply policies to fxp0 interfaces and need to do things like permitting only certain
subnets to connect, then you want to explore the SRX's use of firewall filters. Keep this in mind, as
the functionality is discussed soon.
X xxxxxx xxxxxxxxxxx xx Xxxxxx 2.1 xxxx xxxxx xxx xxxxxxxx xx xxxxxxxx. Xxx xxxxxx
xxxxxxxxx xxxx xxxxxxx xxxx xxx xxxx, xxxxxxxx xx xxx xxxxx xxxx (xxxx xx xxx xxx xxxx
xx xxx xxxxxx), xxxxxxxx x xxxxxxxx xxxxxx xx xx xxxxxxxxx xx xxxx xxxxxxx. (Xxxxxxxx
xxx xxx xxxxxxxxxx xx xxx xxxx xxxxx, xx xxx xxx.) Xxx xxxxxxx xx xxxxxxxx xxxxxxxx
xxxx xxxxxx xxxxx xxxx (xxxx) xxx xxxxxxx. Xxxx xxxxxxxx xxxxxxxx xx xxxx xx xxxxx xxx
XXX xx xxxxxx xx xxxxxx, xxx x xxxxxx xxxxxxxxx xxxx xxxxx Xxxxx xxxxxxxxx xxxxxxx;
xxx xxxxxx xxxx xxxxxxxx xxxxxxx xx xxxxxxxxx xxxx xxx xxxx xx xxxxxxx.
Xx xxxxx xxxx xxxxxxx xxxxxx xxxx xxx xxxx xx xxx xxxxx xxxx, xxxxxxx xxxx xxxx xx
xxxx xxxx xx xxxxxxxxxx xxxxxxx (xxxxxxxx xx xxxx xxxxx xx xxxxxxxxx xxxxxxx). Xxxxx
xxxxxxxxxx xxxxxxx xx xxx xxxxxxxxxx xxx xxxxxxxx xxx xx xxxxxxxx xxxxxxxxxxx xx xxx
xxxxxxxx, xxxx xxxx xxxx xxx xxxxxxx xxxxxxxxxxx xx xxx xxxxxxxx xxxxxxxx.
Xxxxxxx, xxx xxxxx xxxxx xx Xxxxxx 2.1, xxx xxxxxx, xxxxx xxxxxxxxx xx xxx xxxxxxx
xxxxx xxxxxxxx. Xx xxxxxxx, xxx xxxxxxxxxx xxxxx xx xxxxx xxxxxxx xxxxx xxx xxxxx xx
xxx xxxxxxx xxxxxxxx xxxx.0 (XXx4 xxxxxxx xxxxx), xxxxxx xxxxxxxxx xxxxxxxxx. Xxx
xxxxxxxxxxx, xxxxxxxxxxx xx XX xxxxxxx xx xx xxxxxxxxx, xxx xxxxxxx xx xx x xxxx,
xxxxxxx x xxxx xxxxxxx xxxxx xxxxx xx xxxx.0.
Xx xxxxx xx xxx xxxxxxxxx xxx xx xxxxx xxxxxxxx? Xxxxx xx xxxxxx xxxxxxxxxx xxxx:
n Interfaces are configured under the [edit interfaces] hierarchy.
n Zones and host-inbound-traffic settings are configured under the [edit security zones] hierarchy.
n Policies are configured under the [edit security policies] hierarchy.
n And, system services are configured under the [edit system services] hierarchy.
Xx xxx xx xxxxxxx, xxxx XXX210 xxxxxxx xxx xxxxx xx xxxxxx xxxxxxx xxxxxxxxx xx x
xxxxxx-xx-xxxxx xxxx xxxxxxxxxxxx, xxx xxx xxxxxxxxxx xxxx xx xxxxxxxxx xx Xxxxxxxx
xxxx-xxx xxxx xxx XXX xxxx xxxxxxxxxx x xxxxxxxxxx xxxxx xxxxxxxxx, xxx XXXX xxx
xxx XXX. Xx xxx xxxxx xxxx, XXX3400 xxxxxxxx xxx xxxxxxxxx xxxxx xx x xxxx xxxxxxx
xxxx, xxxxx xxx xxxxxxxx xxxxxxxxx xxxx xxx xxxx xxxxxxxxx xxx x xxxxxxxxx xxxx xx
xxxxxx XX xxxxxxxxx.
Xx, xx x xxxxxxxxxxxxxx, xxxx xx xxx xxxxxx xxxx xxx XXX xxxxxxx xxxxxxx
xxxxxxxxxxxxx xxxxxxxx:
n Bootp services in the interface ge-0/0/0. Location: [edit interfaces ge-0/0/0].
n DHCP server services in the interfaces ge-0/0/1 through ge-0/0/7, with address allocation from the
network 192.168.1.0/24. Location: [edit system services dhcp].
n Switched interfaces ge-0/0/1 through ge-0/0/7. Location: [edit interfaces interface-range interfaces-trust].
n Security zones trust and untrust. Location: [edit security zones].
n Outbound Internet access using NAT with port address translation, permitting traffic from
zones trust to untrust. Location: [edit security nat].
n General protection against any traffic sourced from the untrust zone. Location: [edit security zones
security-zone untrust].
Xxx xxxxxxxxxxx xxxxxxxxxxxx xxx xxx xxxx xxxxx xxxxxxxx xxxxxx xx xxx xxxxxxx
xxxxxxx xxxx xxx xxxxxxx xxxxxxxxxxxxx xxxx xxxxxxxxxxx, xxx xxxx xxxxx xxx xxxxxxx
xxxxxxx xxxxxxxx xxxxxx xx xxxxx xx xxxx xxx xxxxx xxxx xx xxxxx xx xxxxx
xxxxxxxxxxxxx xxxxxxxx. Xxx xxxx xx, xxxxxxx xxx XXX xxxx xxx xxxxxx xxxxx xx
xxxxxx xxxxx xxxxxxxx.
Xxxxxxxxxx, xxx xxxxxxxxx xxxxxxxx xxxxxxxxxxxx xx xxx XXX3400x, xxxxx xxxx xxxxx
xxxxxxxxxx, xxxxx xxxx xxxx xxxxxxxxxxxxx xx xx xxxx xx xxxxxxx x xxxxxx xxxxxxxxx
xxxxxxx xxxxxxx xxxxxxxxxxxxx, xx xxx xxxxxxxxxxxxx xxxx xxxx xxxx xxxx xxx
xxxxxxxxxxxxx xxx xxx xxxx-xxx xxxxxxxxx xx xxxx x xxx xxxxx xxxx.
MORE?
The Appendix contains samples of the entire factory configuration of an SRX210 and SRX3400
running Junos 10.1R1.8.
Xxxx xx Xxxxxx 2.2, xxxx xxx xxx xxxxxx xxx Xxxxxxxx xxxxxx xxx xxx xxxx-xxx xxxxxx.
Xxx xxxxxxx xxxxxxxxx xx xxx xxxxxxxxxxxx xx xxxxx (xxxxx, xxxxxxx, xxxxxx) xx xxxxx
xxxxxxxxx xxx xxxxxxxx xx xxxxx xxxxxxxxx xxxxxxx, xxx xxxx xx xxx xxxx xx xxx XXX
xxx XXXXXX xxxxxxx, xxxxx xx xx xxxx xxxxxxxxxx, xxxxx xxxxx xxxxxxxx xxx
xxxxxxxxx xxx xxx xxx0 xxxxxxxxx.
Chapter 3
Enabling Remote Access
Configuring System Services. . . . . . . . . . . . . . . . . . . . . 22
Configuring Interfaces and Zones. . . . . . . . . . . . . . . . 24
Configuring Basic Routing. . . . . . . . . . . . . . . . . . . . . . . . 27
Xxxxxxxx xxxx xxxxxxxx xxxxxx xxxxxxxx xx xxxxxxxxxxx xxx xxxxxxxxxx xxx xxxxx,
xxxx xxxxxxx xxxx xxx xxxxxxxx xxxxxxx xx xxx xxxx xxxxxxxx. Xxxxx xx xxx xxxxxxx
xxxxxxxx xxxxx xx Xxxxxx 2.2 xxx x xxxx xxxxxxxxxxxxx xx xxx xxxxxxxx. Xxxxx xxx
XXX3400 xxxxxxx xxxxxxx xx xxxxxx, xx xxxxx xx xxxx xx xxxx xx, xxx xxxx xx xxx xxxxxx
xxx xxxx xx xxx xxxxxxxx xx xxxx xxxxxxx xxx xxxx xxx xxxxxxxx.
Xxxxxxxx xxxx xx xxx xxxx xx XXX xxxx-xxx xxxxxxxxx, xxx xxxxxxxxxxxxx xxx xxx
xxxxxxxxxx xxxxxx xx xxxxx xxx xxx0 xxxxxxxxxx xxxxxxxxxxx xxx xxxxxxxxxx xxxxxxxx.
Xxxxxxx xxx0 xxxxxxxxxx xxxxx xx xxx xxxxxxx xxxxx, xxx xxxxxx xx xxxx xxx
xxxxxxxxxx xx xxxx xxxx xxxxxxx, xxxxx xx xx xxxx xx xxxxxx xxxx xx x xxxx xxxxxxxx.
Xxxxxxx, xx xxx xxxxxxxxxxxxx xxxxxxx xx xxx x xxxxxxx xxxx xxx xxxxxxxxxx xxxxx,
xxxx xxx xxxxxxxxxx xxxxxxx xxxxx xxxxxxx.
Xxxxx xxxx x xxxxxxxxx xxxxx xxx xxxxxxxxxxx xxxx xxxxxxx xx Xxxxx, xxxxxxx, xx xxx
xxxxxxxxxxx xxxxxxxx xxxx xxx x xxxx xxxxxxxx, xx xxxxxx xxxx xxx xxxxxx xx xxxx,
xxxx xxxxxxx, xx xxx xxxxxxxxxxx xxxxxxxx.
As stressed throughout this book, repetition is the mother of all learning: enabling system
services is not enough to be able to manage an SRX using the configured services; the zone (or
interface) must also accept that service as host-inbound traffic. The one exception is fxp0: as soon
as an IP address is configured on it and the service is enabled, you may manage the device via this
interface.
Xxx xxxxx xxxxxxx xxx'xx xxxxxxx xxxx xxxxxx xx xxxxxx xx xxxxxxxx xxx x xxx xxxxxx
xxxx xxx xx xxxxxxxxxxxxx, xx xxx xxxx xxx xxxx xxxxxxx xxxxxxxxx, xxxxxxxxxx xxxx
Xxxxx xxxxxxxx xxx xxxx xxxx xxxxxxx xx xxxx x xxxxxxxx xx xxxx xxxx xx
xxxxxxxxxxxxxx. Xxx xxxxxxx xxx xx xxxxxxxx xxxx xx xx xxxxxxxxxx x xxxxx-xxxx
xxxxxxxx.
5. Xxxxxxxxx xxxx xxxxxxxxxxxxxx xxx xxxxxx:
root# set system root-authentication plain-text-password
New password:
Retype new password:
[edit]
root# commit
commit complete
Xx xxxxxxx! Xxxxxxxx xxx xxxxxxxx xxx xxxx xx xx xxxxx xxxx, Xxxxx xxxx x xxxxx xxx
xx xxxxxxxxxx xx xxxxxxxxxxx, xx xxxx xxxx xxxxxxxxxxxxx xx xxx xxxxxxxxxxx xx
xxxxxxx xx xxxxxxx xxxx xxxx xxxxxxxx.
NOTE
By the way, the ping service was not forgotten. It is turned on by default for fxp0, but needs
explicit configuration for all other interfaces, something that is addressed in the next section.
Also, ping cannot be activated under system services; it is enabled per zone or per interface as
host-inbound traffic.
TIP
If you are following along and trying these examples on your device, you may want to leave the
console connection open while reviewing the next section.
3. Xxxxxxxxx xxx xxxxxxxxxx xx-0/0/0, xx-0/0/1 xxx xx-0/0/2 xxxxx xxx xxxx xxxxxx:
[edit]
root# set interfaces ge-0/0/0 unit 0 family inet address 192.168.2.1/24
[edit]
root# set interfaces ge-0/0/1 unit 0 family inet address 198.18.100.4/24
[edit]
root# set interfaces ge-0/0/2 unit 0 family inet address 66.129.250.1/24
Xxx xxxxxx xxxxxxxx xxxx xxxx xxx Xxxxx xxx Xxxx xx xxx xxxxxxxxxx xxx xxxxxxxxxxx.
To Configure Zones:
Reference Figure 2.1 and use the same set of commands to bind the interfaces to the
corresponding zones:
[edit]
root# set security zones security-zone admins interfaces ge-0/0/0.0
[edit]
BEST PRACTICES
Always configure zones from the perspective of the firewall that you are setting up, not from the
perspective of the other devices in the network. For example, notice that in this example you do
not need to configure the zone trust, as this is irrelevant and can even be unknown from the
perspective of the administrator configuring the SRX3400. Also notice that both ge-0/0/1 and
ge-0/0/2 belong to the same security zone. There are virtually no limits on what zones you may bind
interfaces to, but an interface can only be bound to one zone at any given time.
SSH, telnet, FTP, and ping are all host-inbound-traffic system-services used for management
purposes. Use the same set of commands to enable the desired services:
[edit]
root# set security zones security-zone untrust host-inbound-traffic system-services ssh
[edit]
root# set security zones security-zone untrust host-inbound-traffic system-services telnet
[edit]
root# set security zones security-zone untrust host-inbound-traffic system-services ftp
[edit]
root# set security zones security-zone untrust host-inbound-traffic system-services ping
[edit]
root# set security zones security-zone admins host-inbound-traffic system-services ssh
[edit]
root# set security zones security-zone admins host-inbound-traffic system-services telnet
[edit]
root# set security zones security-zone admins host-inbound-traffic system-services ftp
[edit]
root# set security zones security-zone admins host-inbound-traffic system-services ping
Xxx xxxxxxxxxxxxx xxxxxxxxx xxxx xx xxxxx xxxxxxx xx xxxx xxxx xxxxxxx xxx xxx
xxxx xxxxxxxxxx, xxx xxxxxxxx xxxxxxxxx xxx xxx xxxx xxxxxxx xx xxxx xxxxxx xxxxxx
xx xxxx xx xxxxx xxx xxxxxxxxxx, xxxx xxxx xxxxxxx xxxx xx xxxx. (X xxxxxxxxxxx xxx
xxxxxx xx xxx xx xxxxx xxx xxxxxxxxx xx xx XXX xx xxxxxxxxx xx xxx Xxxxxxxx.) Xx xxx
xx xxx xxxx xxxxxx xx xxxxxxxxx xx xxxx xxxx, xx xx xxx xxxx x xxxx xx xxxxxxxxx XXX
xxxxxxxx, xxxx xxx xxx xxxxxx xxxxxx xxx xxxxxxx, xx xxxxxx xxx xxxxxxxxx [xxxx xxxxxxxx
xxx] xxx xxxxxx xxxxx.
BEST PRACTICES
Acknowledging the fact that this is a document for security adventurists, telnet and FTP are
inherently insecure protocols that offer no data protection. So, before turning these services on in
your devices, analyze your need for them. If you absolutely have to configure them, try to do so
on the internal side, never on interfaces facing public networks. In this instance we are setting
aside best practices only for instructional purposes.
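The precedence rule from the Chapter 2 note and the warning above about clear-text services can both be checked mechanically. The following Python script is an added example, not code from the book or from Juniper: it reads the flat set-command form of the [edit security zones] hierarchy, as show configuration | display set prints it, works out which services each interface actually accepts (an interface-level system-services list replaces the zone list for that interface), and flags telnet and FTP on interfaces bound to any zone you name as public-facing. The configuration embedded in it is constructed for the example; it mirrors the admins and untrust zones of this chapter, with one extra interface-level telnet statement on ge-0/0/2.0 to reproduce the "ping stops responding" case. The names parse_zones, effective_services, audit and the public_zones parameter are the example's own, and the except form of host-inbound-traffic and the protocols branch are not modelled.

```python
import re

# Management services that carry credentials and data in the clear.
CLEARTEXT = {"telnet", "ftp"}

# Flat 'set' form of [edit security zones security-zone <name> ...].
ZONE_RE = re.compile(r"^set security zones security-zone (\S+)\s+(.*)$")


def parse_zones(set_lines):
    """Build {zone: {"services": set, "interfaces": {ifl: set | None}}}.

    An interface maps to None until an interface-level system-services
    statement appears for it, so None means "inherit the zone list".
    The 'except' form and the protocols branch are not modelled.
    """
    zones = {}
    for raw in set_lines:
        m = ZONE_RE.match(raw.strip())
        if not m:
            continue  # not a zone statement (policies, interfaces, system ...)
        zone, rest = m.groups()
        z = zones.setdefault(zone, {"services": set(), "interfaces": {}})
        tok = rest.split()
        if not tok:
            continue
        if tok[:2] == ["host-inbound-traffic", "system-services"] and len(tok) > 2:
            z["services"].add(tok[2])
        elif tok[0] == "interfaces" and len(tok) > 1:
            ifl = tok[1]
            z["interfaces"].setdefault(ifl, None)
            if tok[2:4] == ["host-inbound-traffic", "system-services"] and len(tok) > 4:
                if z["interfaces"][ifl] is None:
                    z["interfaces"][ifl] = set()
                z["interfaces"][ifl].add(tok[4])
    return zones


def effective_services(zones):
    """Return {ifl: (zone, services actually accepted, zone services lost to an override)}.

    This is the precedence rule from the note: an interface-level list does
    not add to the zone list, it replaces it for that interface.
    """
    result = {}
    for zone, z in zones.items():
        for ifl, own in z["interfaces"].items():
            if own is None:
                result[ifl] = (zone, frozenset(z["services"]), frozenset())
            else:
                result[ifl] = (zone, frozenset(own), frozenset(z["services"] - own))
    return result


def audit(set_lines, public_zones=("untrust",)):
    """Return (severity, interface, message) findings for the given set lines."""
    findings = []
    for ifl, (zone, svc, lost) in sorted(effective_services(parse_zones(set_lines)).items()):
        exposed = CLEARTEXT if "all" in svc else (CLEARTEXT & svc)
        if zone in public_zones:
            for s in sorted(exposed):
                findings.append(("high", ifl,
                                 f"clear-text service {s} accepted on public-facing zone {zone}"))
        if lost:
            findings.append(("info", ifl,
                             "interface-level system-services override the zone list; "
                             f"no longer accepted here: {', '.join(sorted(lost))}"))
    return findings


# Constructed sample: the zones from this chapter, with one interface-level
# telnet statement on ge-0/0/2.0 to reproduce the "ping stops responding" case.
SAMPLE = """\
set security zones security-zone admins interfaces ge-0/0/0.0
set security zones security-zone admins host-inbound-traffic system-services ssh
set security zones security-zone admins host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone untrust interfaces ge-0/0/2.0
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services ftp
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/2.0 host-inbound-traffic system-services telnet
""".splitlines()

if __name__ == "__main__":
    for severity, ifl, message in audit(SAMPLE):
        print(f"[{severity}] {ifl}: {message}")
```

Feed it the output of show configuration | display set saved from a real box; on the constructed sample it reports FTP on ge-0/0/1.0, telnet on ge-0/0/2.0, and that ge-0/0/2.0 no longer accepts ftp, ping or ssh because of the interface-level override.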
2. Xxxxxxxxx x xxxxxx xxxxxxx xxxxx xxxxxxxx xx xxx Xxxxxxxx xxxxxx xx xxx xxxx xxx:
[edit]
root# set routing-options static route 0/0 next-hop 66.129.250.254
[edit]
4. Xxxxxx xxx xxxxxx xxxx xxx xxxxxx xxx xxxxxx xxx xxxxxxxxxx xxxxxxx xx xx xx xxxxx:
[edit]
root# commit and-quit
commit complete
Exiting configuration mode
root> show route
inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0
*[Static/5] 00:00:25
> to 66.129.250.254 via ge-0/0/2.0
10.188.0.0/14
*[Static/5] 2d 00:01:08
> to 10.189.140.97 via fxp0.0
10.189.140.96/27 *[Direct/0] 2d 00:01:08
> via fxp0.0
10.189.140.99/32 *[Local/0] 2d 00:01:08
Local via fxp0.0
66.129.250.0/24 *[Direct/0] 6d 15:32:16
> via ge-0/0/2.0
66.129.250.1/32 *[Local/0] 6d 15:32:16
Local via ge-0/0/2.0
192.168.2.0/24 *[Direct/0] 6d 15:32:16
> via ge-0/0/0.0
192.168.2.1/32 *[Local/0] 6d 15:32:16
Xxxx xxxxxx xxxxxxxxx x xxxxxx xx xxxxxxxxxxxx xx xxxx. Xxx xxx xxx xxxx Xxxxx
xxxxxxxxxxxxx xxxxxxxxx xxxxxxx xxx xxxx xxxxxxx xx xxxxx xxxxx xxxxx xx xxx
xxxxxxxxx xxxxxxxx xxxx xx xx xxxxxxxx xxxxxxxxx xx. Xx xxxxxxxx, xx xxxxxxx
xxxxxxxxx xx xxxxxxxx xxx xxx xxxxxx xxxxxx xx xx xxxxxx xxxx xxxx xxx xxxxxx xx
xxxx xxxxxx, xxxxxx-xxxxx xx xxxxxx xxxx xxxx xxxxxx xxx xxxxxxxxx xxxxxxxx.
Xx xxxx xxxxx xxx xxxxxx xx xxxx xx xxxx xxx xxxxxxxxxx xx xxxx xx xxxxxx, XXX, xx
XXX xxxx xxx xxxxxxxx xxxxxxxxx xxxxxxx. Xx x xxxx xxxx xxx XX xxxxxxx xx xxx
xxxx xxxxxx xx xxx XX xxxxxxx192.168.2.1 xxxxx, xxx xx xxxx xxx xxxx xxxx xxx xxxx XX
xx xxx Xxxxxxxx-xxxxxx xxxxxxxxx xxxx xxx XX xxxxxxx 66.129.250.1. Xxx xxxxxx? Xxx
xxx xxxxxxx xxx xxx xxxx xx xxxxxxxx xxxxxxxx xxxx xxxxxxxx xxx xxxx xxxxxxxx xxxxx.
Xxxx xxxx xxxxxx xxxxxxxx xxxxxxxx xx Xxxxxxx 6, xxx xxxx xxxx xxxxx xxx. Xxxx
xxxxx xxxxx xxxx xxxxx xxxxxxxxxxx xxxxxxxxxx xxxxxxx, xxxx xxxxxxx xx xxxxxxxxx
xxxxxxxxxxxxxx.
Xxx xxxx xxxxx xxxxxxxxx, xxxx xxxxx xxx xxxx xxxxx xxxxxx xxxxxxx xxxx xxxxxxx.
Xxxxx xxxx xx xxxxxxxx xxxxx xx xxx xxx xx xxx XXX, xxx XXX xxx xxxxxxxxxx xxxx,
xxx xxxx xxxxxxxx xx xxxxxxxxxx xxxxxxxx: xxx xxxx xxx xxx xxxxxxxx/xxxxxxxxx xxxx
xxx xxx xxxx xx xxxxx xxxx xxx xx xx xxx xxxx. Xxx xxxx xxx xxxx XXX xxxxxxx, xxx xxx
xxx XXX (Xxxxxx Xxxx Xxxxxxxx) xxx xxxx xxxxxxxxxxxx. Xxx Xxxx, Xxxxx, xx XxxXX
xxxxxx xxx x xxxxxx XXX xxxxxxxxxxx xxx xxxx xxxxxx. Xx xxx xxx x Xxxxxxx xxxx, xxx
xxx xxxxxxxx xx xxxx xxxxxx xxxxxxxxxxx, xxxx xx XxxXXX
(xxxx://xxxxxx.xxx/xxx/xxxxxxxx.xxx).
Xxx xxxxxxx, xxx xxx xxxx xx xxxx x xxx Xxxxx xxxxxxx xxxxxxx xxxx x Xxxxx xxxxxxxx
xx xxx XXX xxx xxx xxxxxxx xx xxxxxxxxx:
[barnys@server1 junos]$ scp junos-srx3000-10.1R1.8-domestic.tgz root@10.189.140.99:~
The authenticity of host 10.189.140.99 (10.189.140.99) can't be established.
RSA key fingerprint is 4c:21:ea:6a:fd:f5:b4:88:a4:61:ad:d5:fe:81:10:46.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 10.189.140.99 (RSA) to the list of known hosts.
root@10.189.140.99's password:
junos-srx3000-10.1R1.8-domestic.tgz
100% 172MB 2.7MB/s 01:03
[barnys@server1 junos]$
Xxx xxx xxxxxxx xxxx xxx xxxx xxx xxxxxx xx xxxxx xxx Xxxxx XXX:
root> file list
/cf/root/:
.cshrc
.history
.login
.profile
.ssh/
junos-srx3000-10.1R1.8-domestic.tgz*
root>
Before installing a package you have copied over, compare its checksum with the value published
alongside the download (for example with file checksum md5 /cf/root/junos-srx3000-10.1R1.8-domestic.tgz);
a tampered Junos image is a full compromise of the device, so only fetch packages over an
authenticated channel.
Chapter 4
Configuring Administrators
About Users and Classes. . . . . . . . . . . . . . . . . . . . . . . . 33
Configuring Different Local Administrators. . . . . . . 33
Configuring RADIUS Support. . . . . . . . . . . . . . . . . . . . . 37
Xxxx xxx xxxx xxxxxxxxxxxxx xxx xxxxxxx xx xxx XXX xxx xxx xxxxxxxxxxxxx xxxx
xxxxxxxxxxx. Xxxx xxx xx xxxxxxxxxxx, xxxxxxxxxx xx xxxx xxxx xxx xxxxxx xxxxx xx
xxxxxxx xx xxx XXX. Xxxxxxx xxx xxxx xxxxxxx xxxxx xxxxxxxx xxxxx xxxxxxx xxxxxxx
xxxxxxxxxxxx: xxxxx xx xx xxx xx xxxxxxx xxx xxx xxxxxx xxxxxx xx xxx xxxx xxxxxxx
(xxxxxxxxx xxx xxxxxxx xxxx xxxxxxx xxxxxxx xxxxxxxxxx); xxxx xxx xxxxxxx xxx
xxxxxxxxx xxxxxx, xxx xxxxx xx xxxxxxxxx xxxxxxx xxx xxxx xxxxxxx xxxxxx xx (xxx
xxxxxxxxxxxxx xxx xxxxx x xxx xx xxxxxxxxx xx xx xx xxx xxxxxxxxxxxxx xxxxxxx xx
xxxxxxxx xxx xxxxxxxxxxxxx); xxx xxxxxxxxxxxxxxx xxx xxxxxxxxxx xxx xx xxxxx.
Xx xxxx xxxxxxx xxxx xxxxxxxxx xxxxx xxx xxxxxx xxxxxxxxxxxxx xxxxxxxx xxxx
xxxxxxxxx xxxxxxxxxx. Xxxxx xxxxxxxx xxxxx xxxx xx xxx xxxxxx xxxxx xxxxxx
xxxxxxxxxx, xxx xxxx xx xxxxx xxxx x xxxxxxx xx xxxxxxxxxxx xxxxxxx xx xxx XXX. Xx
xxxxxx xx xxxxxxxxxxxxxx, xx xxxx xxxx, xxxxxxx xx xxxxx xxxxxxx, xxxx xx x XXX
(Xxxxxxx Xxxxxxxxxx Xxxxxx) xx x xxxxx xxxxxxxxxx, xxxx xxx xxx xxxxxx xxx
xxxxxxxxxx xxx xxxxxxxxxxx xxxxxxxxxxxxxx xxxxxxxxxx xxxxxxx xx XXXXXX xx
XXXXXX+.
Xx xxxxxxxxxxx xxx xxxxxxxxxxx xx Xxxxx, xxxxx xxxxx xxxxxxxx xxxx xx xxxxxxxxxx
xxxx xxx xxxxxxxxx xxxxxxxxxx:
n barnys (super-user)
n halle (read-only)
n and, max (operator)
X xxxxxx xxxxxxx, xxxxxx, xxx x xxxx xxxxxxx xxx xx xxxxxxxxxxxx, xxxxxxxx xxx xx
xxxxxx xxxx xxxxxxxxx xxxxxxxx.
Xxx xxxx xxxxxxxxxxxx xxx xxxxxxxxxx xxxxx XXXXXX. Xxxx xxxx xxxx xxx xxxxx
xxxxxxx xxxx xxx xxxxxx xxx xxxxxxxxx xx XXXXXX, xx xxxxxx xxxxxxxx xxx xx
xxxxxxxxx xxx xxxxxxxxxxxx xxxxxxxxx. Xxx Xxxxxxxx, xxxxxxx, xxxxx xxxxxxxxxxx
xxxxx xxxx xxx xxxxxx xxxx xxx xxx xxxxxxxx xx xxxx xxxx xxx xxxxx xxxxxxxxxx, xxx xx
xxxxxxxxx xxxx xxx xx xxxxxx xxx xxx xxxxxxxxxxxxx xxxx xxxxx xx xxxxxxxxx XXXXXX
xxxx Xxxxxx Xxxxxxxxx. Xxxx xx x xxxxxxx xxxx xxxxx Xxxxxxxx Xxxxx Xxxxxx Xxxxxx
(XXX) xxxxxxx. Xxx xxxx xxxxxxx xx xxxx xxxxxxx xxxxx xx xxx xxxxxxxxx xxxx:
xxxx://xxx.xxxxxxx.xxx/xx/xx/xxxxxxxx-xxxxxxxx/xxxxxxxx/xxx/xxx-xxxxxx/xxxxxxxxxx/.
NOTE
Another option exists using TACACS+, but it is not discussed in this short book. If this is your
only option, please refer to the SRX technical documentation at www.juniper.net/techpubs/.
1. Configure the users max, halle and barnys and assign them to their corresponding predefined
classes:
[edit]
root# set system login user max class operator authentication plain-text-password
New password:
Retype new password:
[edit]
root# set system login user halle class read-only authentication plain-text-password
New password:
Retype new password:
[edit]
root# set system login user barnys class super-user authentication plain-text-password
New password:
Retype new password:
3. Xxxxxxxxx xxx xxxx xxxxxx xxx xxxxxx xxxx xx xxx xxxxx xxxxxxxxxx:
[edit]
barnys# set system login user carrie class consultant authentication plain-text-password
New password:
Retype new password:
VERIFY
Take a moment to verify that your accounts are working as expected. Understanding what to
expect from every class is critical to mitigating many management problems in your network.
Here, only max, halle and carrie are verified as the account barnys is not any different than the
root account used so far.
4. Xxxx xxx xxxx xxxxxxx xxx:
Xxxxxx xxx xxx xxxx xxx xxxx xxx xxxxxxxx xx xxx xxxxx xxxxxxxx xxxxxx xxxx
xxxxxxxxxxxxx xxxxxxx (xx xxxxxx xxxxxx xx xxxx xxxxxxxxxxxxx xxxx), xx xxxx xxx
xxxxxxxxxxxxx. Xx xxx, xxxxxxx, xxxxx xxxxxxxxx xxxxxxxxxx, xxx xxx xxxxxxxxxxx,
xxxxx, xx xxxxxxxxxxx xxxxxxxx. Xxxx xx xxx xxxxxxxx xxxxxxxx xx xxxx xxxxx.
5. Xxxx xxx xxxx xxxxxxx xxxxx:
[barnys@server1 ~]$ ssh halle@10.189.140.99
halle@10.189.140.99's password:
--- JUNOS 10.1R1.8 built 2010-02-12 17:24:20 UTC
halle> configure
^
unknown command.
halle> clear
^
unknown command.
halle> ping
^
unknown command.
halle> show configuration
## Last commit: 2010-04-11 04:13:21 UTC by barnys
version /* ACCESS-DENIED */;
system { /* ACCESS-DENIED */ };
interfaces { /* ACCESS-DENIED */ };
routing-options { /* ACCESS-DENIED */ };
security { /* ACCESS-DENIED */ };
halle> show system uptime
Current time: 2010-04-11 04:34:02 UTC
System booted: 2010-03-29 14:30:13 UTC (1w5d 14:03 ago)
Protocols started: 2010-03-29 14:31:16 UTC (1w5d 14:02 ago)
Last configured: 2010-04-11 04:13:21 UTC (00:20:41 ago) by barnys
4:34AM up 12 days, 14:04, 2 users, load averages: 0.00, 0.00, 0.00
halle> show interfaces fxp0
Physical interface: fxp0, Enabled, Physical link is Up
<snip>
Xxx xxxxxxx xxxxx xx xxxxxxxxxx xx xxxxxxxxxxx xxxx xxxx xxxxxxxx. Xxx xxxxxx xxxxx
xxxxxxxxxx xx xxx xxxxxxxxxxxx. Xxx xxxxx xxxx-xxxx xx xxxx xxx xxxxxxxxxxxxxx xx
xxxxxx xx xxxxxxxxxx xxx xxxxxxx xxxxxxxxxxx xxxxxx.
6. Xxxx xxx xxxx xxxxxxx xxxxxx:
[barnys@server1 ~]$ ssh carrie@10.189.140.99
carrie@10.189.140.99's password:
--- JUNOS 10.1R1.8 built 2010-02-12 17:24:20 UTC
carrie> show
^
unknown command.
carrie> edit
Entering configuration mode
Users currently editing the configuration:
barnys terminal p0 (pid 20718) on since 2010-04-11 04:10:24 UTC, idle 00:30:32
[edit]
[edit]
carrie# show
## Last changed: 2010-04-11 05:02:53 UTC
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 192.168.2.1/24;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 198.18.100.4/24;
}
}
}
ge-0/0/2 {
unit 0 {
family inet {
address 66.129.250.1/24;
}
}
}
fxp0 {
unit 0 {
family inet {
address 10.189.140.99/27;
}
}
}
}
[edit]
carrie# edit interfaces fxp0
[edit interfaces fxp0]
carrie# set description "Connects to 10.188.0.0/14 for management only"
[edit interfaces fxp0]
carrie# commit and-quit
commit complete
Exiting configuration mode
Xx xxxxxxxx, xxx xxxx xxxxxx xx xxxxxxx xx xxxxxxx xxx xxxxxxxxx xxxxxxxxx xxxxxxxx
xxxx.
TIP
Now that every user has unique accounts, you can see exactly what the different administrators
typed when they connected, something that was not possible if everyone was sharing the same
root account. The factory default configuration has enabled the logging of interactive commands,
and you can see the log with the show log interactive-commands command. This is a very powerful
forensics tool.
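To show what the interactive-commands log gives you once every administrator has a unique account, here is an added Python example that is not from the book: it parses the UI_LOGIN_EVENT, UI_CMDLINE_READ_LINE and UI_COMMIT records that mgd writes to that log, ties each command to the login class and source address of the session that issued it (through the process id the records share), and lists every configuration-changing action, optionally restricted to accounts outside a trusted class. The log lines embedded below are constructed to match the sessions in this chapter; the exact message layout is assumed from the Junos UI_* event format, so adjust the regular expressions if your release prints these differently. config_changes and changes_outside_class are the example's own names.

```python
import re
from collections import namedtuple

Change = namedtuple("Change", "time user login_class src_ip command")

# Constructed sample in the layout mgd writes to /var/log/interactive-commands
# (format assumed from the Junos UI_* messages; not copied from the book).
SAMPLE_LOG = """\
Apr 11 04:10:24  srx3400 mgd[20718]: UI_LOGIN_EVENT: User 'barnys' login, class 'super-user' [pid 20718], ssh-connection '10.189.140.1 51022 10.189.140.99 22', client-mode 'cli'
Apr 11 04:13:21  srx3400 mgd[20718]: UI_COMMIT: User 'barnys' requested 'commit' operation (comment: none)
Apr 11 04:33:50  srx3400 mgd[20850]: UI_LOGIN_EVENT: User 'halle' login, class 'read-only' [pid 20850], ssh-connection '10.189.140.1 51031 10.189.140.99 22', client-mode 'cli'
Apr 11 04:34:02  srx3400 mgd[20850]: UI_CMDLINE_READ_LINE: User 'halle', command 'show system uptime '
Apr 11 05:01:40  srx3400 mgd[20901]: UI_LOGIN_EVENT: User 'carrie' login, class 'consultant' [pid 20901], ssh-connection '10.189.140.1 51044 10.189.140.99 22', client-mode 'cli'
Apr 11 05:02:10  srx3400 mgd[20901]: UI_CMDLINE_READ_LINE: User 'carrie', command 'edit interfaces fxp0 '
Apr 11 05:02:30  srx3400 mgd[20901]: UI_CMDLINE_READ_LINE: User 'carrie', command 'set description "Connects to 10.188.0.0/14 for management only" '
Apr 11 05:02:53  srx3400 mgd[20901]: UI_COMMIT: User 'carrie' requested 'commit' operation (comment: none)
"""

# Syslog header: timestamp, host, mgd[pid], event name, free text.
HEAD = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d)\s+\S+ mgd\[(\d+)\]: (\w+): (.*)$")
LOGIN = re.compile(r"User '([^']+)' login, class '([^']+)' \[pid \d+\], ssh-connection '(\S+) ")
CMD = re.compile(r"User '([^']+)', command '(.*)'$")
COMMIT = re.compile(r"User '([^']+)' requested '(\w+)' operation")

# Anything starting with one of these alters the candidate or active configuration.
MUTATING = ("set ", "delete ", "deactivate ", "activate ", "rename ", "load ", "rollback", "commit")


def config_changes(text):
    """Attribute every configuration-changing action to user, login class and source IP."""
    sessions = {}   # pid -> (user, class, src_ip), learned from the UI_LOGIN_EVENT
    changes = []
    for line in text.splitlines():
        m = HEAD.match(line)
        if not m:
            continue  # other daemons log here too; ignore non-mgd records
        time, pid, kind, detail = m.groups()
        if kind == "UI_LOGIN_EVENT":
            lm = LOGIN.search(detail)
            if lm:
                sessions[pid] = lm.groups()
            continue
        if kind == "UI_CMDLINE_READ_LINE":
            cm = CMD.match(detail)
            if not cm:
                continue
            user, command = cm.group(1), cm.group(2).strip()
        elif kind == "UI_COMMIT":
            km = COMMIT.match(detail)
            if not km:
                continue
            user, command = km.group(1), km.group(2)
        else:
            continue
        if not command.startswith(MUTATING):
            continue  # show, ping, edit ... leave the configuration alone
        _, login_class, src_ip = sessions.get(pid, (user, "?", "?"))
        changes.append(Change(time, user, login_class, src_ip, command))
    return changes


def changes_outside_class(text, trusted=("super-user",)):
    """Changes made by accounts whose login class is not one you consider trusted."""
    return [c for c in config_changes(text) if c.login_class not in trusted]


if __name__ == "__main__":
    for c in config_changes(SAMPLE_LOG):
        print(f"{c.time} {c.user} ({c.login_class}) from {c.src_ip}: {c.command}")
```

Run it against a copy of the log pulled with file copy or scp; on the constructed sample it attributes one commit to barnys and a set description plus a commit to carrie, both from 10.189.140.1, and changes_outside_class lists only carrie's two actions.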
[barnys@server1 ~]$ ssh root@10.189.140.99
root@10.189.140.99's password:
--- JUNOS 10.1R1.8 built 2010-02-12 17:24:20 UTC
root@% cli
root> configure
Entering configuration mode
[edit]
root# delete system login user barnys
[edit]
root# delete system login user max
[edit]
root# delete system login user halle
[edit]
root# delete system login user carrie
[edit]
root# commit
commit complete
Xx xxx xxx, xxx xxxx xxxxx xxxxxxxxxx xxxxxxx xxxxxx xx xxx xxxx xx xx xxx xxx xxxxxx
xxxxxxxxxxxxx.
Xxxxx xxx xxxxxxxxx xxxxxxxxxx xxx xxx xxxxxxxxxxxxx xx xxx XXXXXX
xxxxxxxxxxxxxx xxx xxxxxxxxxxxxx xxxxxxxxxx, xxx xxx xxxxxx xxxxxx xxxx xxxxxxxx
xxxxx xx xxxx xxxxxxxxxxxxxx xxx xxx xxxxxx xxx xxx xx xxx XXXXXX xxxxxx xxxx.
Xxxx xxx xxx xxxxxxxxxx xxxx xxxx xxxxxxxxx xx xx xxx.
Xxx xxxxx xxxxxxxx xxxxxxxx xx xxxxxxxxxxx xxx xxxx xxxxxxx xxxxxxx xx xxx XXX xxx
xxxxx XXXXXX xxxxxxxxxxx xxx xxxxxxxxxxxxxx xxxxxxxx. Xxxx xxxxx xxxx, xxx xx
xxxxx xxx xxxxxxxx xx xxxxxxxxx xx xxxxxxx xx xxxx xxxxxxx, xxxx xxx xxx xxxx xxx xxxx
xx xxxxxxxxxxxxxx xxx xxxxxxxxxxxxx xxxxxxx. Xx, xxx xxxxxxx, xx xxx xxxxxx xxx xxxxx
xxxxxxxxxx xxxx xx xxx xxxxxxxx xxxxxxx, xxx xx xx xxxxxxx xxx xxxx xxxxxxxxx xx
xxxxxxx xxx xxxx xxx xx xxx xx xxx xxxxxxx, xxxx xxx xxx xxxxx x xxxxx xxxxxxxx. Xxxx
xxxx xxxx xxx xxxxxxx xxxxxxxxxx xxxx xxx xxxxxxxxxxxxxx xxxxx xxxx xxx XXXXXX
xxxxxx xx xxxx xxxxxxxx, xxxxxxx xxx xxxxxxxxxxxxx (xxxx xxx xxxx xxx xx) xxxxx xxxx
xxx xxxxxxx xxxxxxx xxxxxxx.
Xxx xxxxxx xxxxxxxx xxxxxxxx xx xxxxxxxxxxx xxx xxxxxxxxx xxxx xxxxxxxxxxxxxx xxx
xxxxxxxxxxxxx xxxx xxx XXXXXX xxxxxx. Xxxxx xxxx xxxxx xx xx xxx xxxxxxxxx xxx
xxxx xxxxxxxx xxxxxxxx, xxx xxxxxxxxxxxxx xxx xx xx xxxxxxx xx xxx xx xxxxxxxxx xxx
XXXXXX xxxxxx xx xxxxx xxxxxxxxxxxxxx, xxx xxxx xxxx xxx xxxxxxx xxxxxxxxxx xxxx
xx XXX. Xxx xxxxxxxxx xx xxxx xx xxxx xxxx x xxx xxxxxx xx xxxx XXXXXX xxxxxx xxx
xxx xxx xxxxx xxxxxx xx xxx xxxxxxx xxxxxxx xx xxxxxxxxx xx xxxxxxxxxxxxxx.
Xxxxxxxxxx xx xxx xxxxxxxx xxx xxxxxx, xxxxx xxx xxxxxxxxxxxxx xxxxxxxx xxxx xxx xxx
xxxx, xxxx xx xxxxxxx xxx XXX xxxx XXXXXX xxxx xx xxxx xxx xxxxxxxxxxxxxx, xxx XX
xxxxxxx, xxx xxxxxx xxx, xxx xxx xxxxxxxxxx xxxxxxx. Xxxx xxx xx.
To Configure Radius Support:
WARNING
Don't lock yourself out! If the authentication order lists only RADIUS, the local user database is consulted only when the SRX cannot reach the RADIUS server (for example, the server is down); a reject from a reachable server is final. If the authentication order lists RADIUS followed by the local password database, as in the example, you can still log in with a local account (such as root) when the server is reachable but your account is not properly configured on it. In other words, configure it as in the example, so you always have a fallback entry in case something goes wrong on the server side. Treat that fallback as a standing risk rather than a convenience: any local account that remains usable after a RADIUS reject needs a strong password, and its logins should be watched in the authorization and interactive-commands logs.
Xxxxxxxxx xxx xxxxxx. Xxxxxxxx xxxx xxx xxxxxx xxxxxxxx (xx xxxx xxxx xxxxxx123) xxx
xx xx xxxxxx xx xxx XXX xxx xxx XXXXXX xxxxxx (xxxxx xx xxx Xxxxxx 2.2 xxx xxx
xxxxxxxx xxx xxxxxxxxxxx xx xxx xxxxxx):
[edit]
root# set system radius-server 10.189.132.70 secret secret123
Xxxx xxx xxxxxxxxx XXXXXX xxxxxxxxxxxxxx xxxxx xxx xxxxx xxxx xxxxxxx. Xxxx xx xx
xxxxxxxxx xxxx xxx xxxxx xxxxxxxx xx xxxxxxxxxxx xxx xxxx xxxxxxx xxxxxxx xx xxx
XXX xxx xxxxx XXXXXX xxxxxxxxxxx xxx xxxxxxxxxxxxxx xxxxxxxx xxxxxxxxx xxxxxxx.
1. Configure the user accounts, and assign them to the local classes (a full-name that contains spaces must be quoted):
[edit]
root# set system login user barnys full-name "Super-user rights" class super-user
[edit]
root# set system login user max full-name "Operator rights" class operator
[edit]
root# set system login user halle full-name "Read-only rights" class read-only
[edit]
root# set system login user carrie full-name "Consultant rights" class consultant
[edit]
root# commit
commit complete
Xx xxxxx xxxxx xxxx xxxx xxxx: xxxxxxx xxx xxxxxxxx xxxx xxxxxxxx xxx xxx xxxxx
xxxxxxxxxx xxx xxxxxx xxx xxxxxx, xxxxx xxx XXXXXX xxxxxx xxxxxxxx xxxx.
2. Xxxxxx x xxxx xx xx xxxx xx x xxxxxxxxxx xxxxxxxx xxx xxx XXXXXX xxxxx:
[edit]
root# set system login user remote full-name "Radius-user template" class unauthorized
Xxx xxx xx xxx xxxxx xxxxxxxxxxxx xxxx xxx xxxx xxxxxxx. Xxxx xxx xxxxxxxxx x xxx xxxx
xxx xxxx xx xxxxxxx x xxxxx, xxxxxxxxx Xxxxx xxxx xxx xxx xxx xxxxxx, xxx xxxxxxxxxxxx
xx xx xxxxxxx x xxxxx xxxx xx xxxxxxxxxxx, xxxxx xxx xxxxxx xxxxxxxxxxx xxx xxxxx
xxxxxx xx xxx xxxx xx XXXXXX xxxxxxxxxx xxxx xxx xxxxxx. Xxxxxx xxxx xxxxxxx xx
xxx xxxxxxx xx xxxxxxxxx x xxxx xxxx xx xxxxx xxxxxxxxxx:
[edit]
root# set system login user remote1 full-name "Radius-user template2"
[edit]
root# show system login
user remote {
full-name "Radius-user template";
uid 2004;
class unauthorized;
}
user remote1 {
full-name "Radius-user template2";
## Warning: missing mandatory statement(s): class
}
[edit]
root# commit
[edit system login]
user remote1
Missing mandatory statement: class
error: commit failed: (missing statements)
[edit]
root# rollback 0
load complete
Xxxxxxx xx xx xxx, xxxx xx xxx xxxxx xxxxxxxx xxx xxxxxxxxxxxxx xx xxxx, xxxx xxxxxxx
x xxxxxx xxxx xx xxxx xxx xxxxxxx xxx xx xxxx xxxxxxxxxxxx, xxx xx xxxxxxxxxxx, xxxx
xxxxxxxxx xxx xxxxxxxxxx xx xxx xxxxxx xxxx.
Xxxx xxxxxx xx xxxxx xx xxx Xxxxxxxx xx xxx xxx xxxxxxxxxx xx xxx xxxx
xxxxxxxxxxxxx xxxxxxxxxx xx Xxxxxx Xxxxxxxxx xxx Xxxxx-Xxxxxx Xxxxxx. Xxxxxxxx,
xxxxx xxx xxxx XXXXXX xxxxxx xxxxxxx xxxxxxxxx xxxx xxx xxxx xxx xxxx xxxxxxx
xxxxxxxxx xxxx xxx xxxxxxxxxx xxxxx xx xxx Xxxxxxxx.
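Added example, not Juniper's or any RADIUS server's code: a minimal Python model of the RFC 2865 Access-Request/Access-Accept exchange that shows what the shared secret configured with radius-server above actually does. The secret hides the User-Password on the wire and keys the MD5 Response Authenticator, so the SRX trusts a reply only if the server knows the same secret. The last function shows the flip side: one captured request/reply pair is enough to test guesses of the secret offline, which is why a value like secret123 belongs only in a lab. Real exchanges carry further attributes (NAS-IP-Address, Message-Authenticator, and so on); they are omitted here, and the fixed authenticator in the usage is for reproducibility only.

```python
"""Minimal RFC 2865 model of what the RADIUS shared secret protects.
Added illustration, not Juniper code or a RADIUS server implementation."""
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(attr_type, value):
    # Attribute = Type(1) Length(1, including this header) Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _packet(code, ident, authenticator, attrs):
    # Packet = Code(1) Identifier(1) Length(2) Authenticator(16) Attributes
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous
    ciphertext block), seeded with the 16-byte Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def unhide_password(hidden, secret, request_auth):
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def access_request(username, password, secret, ident, request_auth):
    """What the SRX (the NAS) sends; request_auth must be 16 random bytes."""
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, request_auth)))
    return _packet(ACCESS_REQUEST, ident, request_auth, attrs)


def _response_auth(code, ident, attrs, request_auth, secret):
    # ResponseAuth = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def server_reply(request, secret, users):
    """What the RADIUS server answers, given its user table {name: password}."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    request_auth, attrs, pos = request[4:20], {}, 20
    while pos < length:
        attr_type, attr_len = request[pos], request[pos + 1]
        attrs[attr_type] = request[pos + 2:pos + attr_len]
        pos += attr_len
    user = attrs[ATTR_USER_NAME].decode()
    supplied = unhide_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    ok = user in users and users[user].encode() == supplied
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return _packet(reply, ident, _response_auth(reply, ident, b"", request_auth, secret), b"")


def verify_reply(request, reply, secret):
    """NAS side: trust the reply only if its authenticator was computed with
    the same secret over this request's authenticator."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1]:
        return False
    expected = _response_auth(code, ident, reply[20:length], request[4:20], secret)
    return hmac.compare_digest(expected, reply[4:20])


def recover_secret(request, reply, candidates):
    """Offline dictionary attack on one captured request/reply pair: every
    guess is checkable without touching the server."""
    return next((c for c in candidates if verify_reply(request, reply, c)), None)


if __name__ == "__main__":
    import os
    secret = b"secret123"                       # the lab value from the configuration above
    req = access_request("barnys", "Pa55w0rd!", secret, 7, os.urandom(16))
    rep = server_reply(req, secret, {"barnys": "Pa55w0rd!"})
    print("accepted:", rep[0] == ACCESS_ACCEPT, "verified:", verify_reply(req, rep, secret))
    print("recovered secret:", recover_secret(req, rep, [b"juniper", b"password", b"secret123"]))
```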
Chapter 5
Configuring Network and System Management
Configuring NTP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Configuring DNS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Configuring SNMP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Configuring Syslog. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Xxx xxxx xxx xxxxxxx xxxxxxxxxxxxx xx XX xxxxxxxxxxxx, xxxxxxxxx xxxxx xxxxxxx xxx
xxxxxxx xxxxxxxxx xxxxxx xx xxxxxxxxxxxxxx, xx xx xxxxx, xxx xxx xxxxxxxxx
xxxxxxxxxx xxxxxxx xxxxxxxxxx xxxxxxx xxxx XXX, XXX, xxx XXXX (Xxxxxx Xxxx
Xxxxxx, Xxxxxxx Xxxx Xxxxxxxx, xxx Xxxxxx Xxxxxxx Xxxxxxxxxx Xxxxxxxx).
Xxxxxxxx xxxx xxxxx xxx xx xxxxxxxxxx xx xxx xxxx, xxx xx xxxx xxxxx xxxxx xx
xxxxxxxxx xxxx xx xxxx xx XX xxxxxxxxxxxx xxx xxxxxxx xxx xx xxxxx. Xxxx, xxxxxx xxxx
xxxx xx xxx xxxx xx xxx xxxxx-xxx xxxxxx XXX xxxxxxx, xxxxx xxx xxxx xxxxxxxxxxxxx
xxxxx xxxxxxxx xx xxxxxx xxxxxxx xxxxx xx xxxxxx xxxxx xxxxxxxxxx xxxxxxxx,
xxxxxxxxx xxxx xx xxxxx xxxxx xxxxxxxxxxxxxxxx xxxxx xxx xxxxxxx xxx xxxxxxxxx
xxxxxxxxxxxxxx xx xxx XXX xxxxxxxx.
MORE
Junos Security, from O'Reilly Media, provides an excellent first chapter on the differences within the SRX Services Gateway platform. See www.juniper.net/books.
Configuring NTP
Xxx xxx xxxxxxxxxx xx xxxxxxxxx XXX xx xxxx xx xxxxxxxx xxx xxx x xxxxxxx xx
xxxxxxx. Xxxx xxx xxxxxxxxxxx xx xxxx xxxx, xx xxxxx xx xxxx xxxxxxxxxx xx xxxxx xxx
xxxx xxx xxx xxxxxxxxxxxxxx xxxx xxx xx xxx, xxx xxxx xxxx xxxx xxx xx. XXX xx
xxxxxxxxx xx xxxxx xxxx, xxxxx xxx xxxx xx xxxxxxxxxxxxxxx xxxxx. Xxxx, xxxxxxx xx
xxxxx xxxxxxxxxx xxxxxx xxxxxxx xxxxxxxx xxxxxxxx, xx xxxx xxx xxx xxxxx xxx
xxxxxxxx xxx xxxx xxxx xx xxxxxxxx.
Xxx xxxxxxx xx xxxxxxxxxxx XXX xx xxxxxxxxxxxxxxx, xxx xxxxxxxx xxxxxxxxx xx
xxxxxxx xxx XXX xxxxx xxx XXX xxxxxx xx, xxxxxxxxx xxx xxxxxxxxxx xxxxxxxxxx
(xxxxxxxx), xxxxxxxx xxx xxxxx, xxx xxxxxxx xxxx xxx xxxx xx xxxxx xxxxxxx xxxxxxxx.
To Configure NTP Support:
NOTE
If you don't have an NTP server already in place in your local network, you can use a publicly available one. For a reference to public NTP servers visit the following NIST website: http://tf.nist.gov/tf-cgi/servers.cgi. Because log timestamps, certificate validity checks, and RADIUS accounting all depend on the clock, prefer a server you control, and consider the authentication-key and trusted-key options shown in the completion list that follows, so that nobody on the path can feed the SRX a false time.
Note that the difference in our NTP configuration is that the boot-server option is only consulted by Junos at boot time. Once the system has fully booted, it uses the server configured with the server statement. So these two servers can be different, although they are not in this example.
2. Xxxxxx xxx xxxxxxxxxx xxxxxxxxxx (xxxxxxxx). Xxxx xxxxx xxx xxxx xxxx xxx:
root# set system ntp ?
Possible completions:
  <[Enter]>            Execute this command
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> authentication-key   Authentication key information
  boot-server          Server to query during boot sequence
> broadcast            Broadcast parameters
  broadcast-client     Listen to broadcast NTP
> multicast-client     Listen to multicast NTP
> peer                 Peer parameters
> server               Server parameters
  source-address       Use specified address as source address
+ trusted-key          List of trusted authentication keys
  |                    Pipe through a command
Xx xxx xxx xxx, Xxxxx xxxxxxxx xxxxxxx xxx XXX xxxxxxxxxxxxxx, xxxxxx-xxxxxxxxx,
xxx xxxx. Xx xxxx xxxxxxxxx xxxx xx xxxxxxxxx xxxx xxx xx xxx xxxx xx xxxxx xxxxx, xxx
xxx xxxxxxx xxx xxxxxxxxx xxxxx xx xx xxx xxxx xxxx. Xxxx xxxxx xx xx xxx xxx.
3. Xxxxxx xxx xxxxxx xxxxx xx xxxx xxx xx xxx xxx XXX xxxxxx xxxxxxxx:
[edit]
root# commit and-quit
commit complete
Exiting configuration mode
root> set date ntp
10 Jun 01:57:36 ntpdate[2730]: step time server 64.90.182.55 offset -0.000381 sec
Configuring DNS
Xxxxxx XXX xxxxxxxxxx xx xxxxxxxxx xxx xxxxxxxx xxxxx, xxxx xxxxxxxxxxxxxxx, xxx
xxxx xx xxxx xxxxxxxxx xxxxxxx xxx xxxxxxxxx xx xxxxxxxxx XXX xxxxxxxx, xxxx XXX,
xxxx xxxxxxxx. Xxx xx x xxxx xxxx xx xxx xx xxxx.
Xxx xxx xxxxxx xxx XXX xx xxxxxxx XXX xxxxxxx xxxxxx xxx xxxxxxxxxxxxx xxxxxxx,
xxx xxx xxxx xxxxxxxx xx xxxxxxx xxx xxxxxx xxxx xxx xx xxxxxxxx, xx xxxx xxx xxx
xxxxxxx xxxxx xx xxxx xxxxxxx xxxxxxx xxxxx xxxxxxxxxx xxxx.
To Configure DNS Services:
1. Configure one or more DNS servers. They can be internal or external to the network:
[edit]
root# set system name-server 10.189.132.70
[edit]
root# set system name-server 10.189.132.68
[edit]
root# set system domain-name camlab.juniper.net
3. Xxxxxxxxx x xxxxxx xxxxxx xx xxxxxx xx xxxxx xx xxxxxxx xxxxx xxxxx xxxxxxx xxxxxx
xx xxxxx xxxxxxx xxxx:
[edit]
root# set system domain-search camlab.juniper.net
4. Xxxxxx xxx xxxx (xxxxx xx Xxxxxx 2.2 xxx xxxxxxxx xxxxxx xxxxx):
[edit]
root# commit
commit complete
[edit]
root# run ping count 3 juniper.net
PING juniper.net (207.17.137.239): 56 data bytes
64 bytes from 207.17.137.239: icmp_seq=0 ttl=52 time=100.416 ms
64 bytes from 207.17.137.239: icmp_seq=1 ttl=52 time=100.566 ms
64 bytes from 207.17.137.239: icmp_seq=2 ttl=52 time=100.386 ms
--- juniper.net ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 100.386/100.456/100.566/0.079 ms
[edit]
root# run ping count 3 radius
PING radius.camlab.juniper.net (10.189.132.70): 56 data bytes
64 bytes from 10.189.132.70: icmp_seq=0 ttl=126 time=0.441 ms
64 bytes from 10.189.132.70: icmp_seq=1 ttl=126 time=0.538 ms
64 bytes from 10.189.132.70: icmp_seq=2 ttl=126 time=0.828 ms
--- radius.camlab.juniper.net ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.441/0.602/0.828/0.164 ms
[edit]
NOTE
Notice that in this case, DNS resolution is tested for both an external host (juniper.net) and an internal one (radius). For the internal resolution to work, there has to be an internal DNS server holding that record (it is not shown in Figure 2.2).
NOTE
In addition, if you omitted the previous Step 3 in the configuration and wanted to ping internal hosts, you would have to fully qualify them, for example: ping radius.camlab.juniper.net. This extra typing is unnecessary work when you are constantly troubleshooting on the firewall.
Configuring SNMP
XXXX xxxxxxxxxxxxx xxx xxxxxxxxx xxx xx xxxxxxx, xxx xxxx xxxx xxxxxxxxx xxx
xxxxxxxxx xxxxxxxx xxxxxxx xxx xxx xxxxxxxx xxx XXX xx xxxx xxxxxxxxxxxxx (xxxxx)
xxxx xxxxxxxxx xxxxxx xxxxx, xxx xxxxxx xxxxxxx xxx xx xxxxxxxxxx xx xxxxxxx xx xxx
XXX xx xxxx xxx xxxxxxxx xxxxxxxxxxx xx xxx xxxx.
XXXX xxxxxxxxxxxxx xx xxx XXX xx xxxxxxxxxxxxxxx, xxxx x xxxxxxx xxxxxxx
xxxxxxxxxx xxxxxx xxxxxxxxxxx xxx xxxxxxxxx, xxxxxxxx xx xxxx xxxxxxxx xxxxxxxx
xxxx xxxxxxx xxxx xxxxxxx (xxxxx xxxxxx xxxxxxx xxxxxxxxxxxxx), xxxxxxxxx xxxx xxx
xxxxxx xxxxxxx xxxx xxx xxxxxxx xx xxxx xxx XXX xxx XXXX xxxxxxx.
To Configure SNMP Support:
1. First configure the device information and a community with read-only capabilities:
[edit]
root# edit snmp
[edit snmp]
root# set name SRX1
[edit snmp]
root# set location Cambridge
[edit snmp]
root# set contact Barny Sanchez
[edit snmp]
root# set community management authorization read-only
[edit snmp]
root# set community management clients 10.189.132.64/27
NOTE
The clients are the management stations in the network that are allowed to poll the SRX. If you have a dedicated out-of-band network for management purposes, using a network subnet is very convenient. For extra security you can also specify individual IP addresses, and Junos will, in turn, interpret these as /32 or host devices. Remember that an SNMPv2c community string travels in cleartext and is the only credential, so this clients list, together with read-only authorization, is what keeps anyone else on the network from querying the device; use SNMPv3 where your management station supports it.
2. Xxx xxxx xxxxxxx, xx xxx XX xxxx xxxx xx xxx xxxxxx xx xxx XXXX xxxxxxx:
[edit snmp]
root# set trap-options source-address lo0
NOTE
Using a loopback interface is a best practice. If you make this a habit across all devices, then you
will have a consistent view of what devices generated the traps. This makes parsing tasks easier
and can simplify the reporting generated from the network.
3. Xxxxxxxxx xxx XXXX xxxxxxx, xxxx, xxx xxxxx xxxxxx xxxx xxxxxxxx xxxxxxx (xxx ? xx
xxxx xxx xxxxxxxxx xxxxxxxxxx xxxxxxxxx):
[edit snmp]
root# set trap-group management version v2
[edit snmp]
root# set trap-group management destination-port 162
[edit snmp]
root# set trap-group management categories startup
[edit snmp]
root# set trap-group management categories authentication
[edit snmp]
root# set trap-group management categories services
[edit snmp]
root# set trap-group management categories link
4. Xxxxxxxxx xxx xxxxxx xxxxxx, xx xxx xxxxxxxxxx xxxxxxx xxxx xxxx xxxxxxx xxx
xxxxxxxxx xxxxx:
[edit snmp]
root# set trap-group management targets 10.189.132.80
[edit snmp]
root# show
<snip>
services;
}
targets {
10.189.132.80;
}
}
Configuring Syslog
Xxxxxx xxxxxxx xxx xx xx xxxx xxxxxxxxxx xxxxxxxxx xxxxxx, xxxxx xx xxx xxxxxxx
xxxxx xx xxx XXX. XXX, xxxxxxxxxxxxxx xxxxxxxx, xxxxxxx xxxxxx xxx xxxx xxxx
xxxxxxxx xxxxx xxxxx xx xxxxxx.
NOTE
Our focus in this section will be on system logging. Security logging, when you configure
security policies, will be covered in the next chapter. Security logging refers to the messages
generated from matching a security policy, and whether the policy has logging enabled. These
logs refer to events generated at the data plane after processing user data traffic.
1. Configure the destination server, or event collector, along with any of the facility and severities
desired:
[edit]
root# set system syslog host 10.189.132.70 source-address 10.189.140.99
[edit]
root# set system syslog host 10.189.132.70 any any
NOTE
The source-address can be any address configured on the SRX, but it is a good practice to specify either a loopback interface IP address or the address of the egress interface for the events. This gives you consistency when reading and parsing through your log files, and lets the collector filter on a stable sender address.
Also, the value any was used to specify any facility and any severity. For details on specific values, and what they mean, please refer to RFC 5424: http://tools.ietf.org/search/rfc5424#section-6.2.1. In the case of Junos, you can simply type ? after keying in the host IP to see the list of facilities and severities available. Keep in mind that syslog over UDP is neither authenticated nor encrypted, so the collector should sit on the management network, as it does here, rather than across an untrusted path.
Xx xxx xxx xxxxxxxxx xxxxx xxxxxxxxxxxxx xxxxxxxx xx x xxxxxx XXX xxxxxx, xxx xxx
xxxxxxxx xxxxxxxxx xxxxx xxx xxxxxx xxxxxx xxxxxxxx xxxxxx xxx xxxxxxx
xxxxxxxxxxxxx. Xx xx, xxx xxx xxxxxxx XXX Xxxxxxx Xxxxxxx Xxxxxxxxxxxxxx xx xxx
Xxxxxxxx.
Xxxxx xxxxxxx xxxxxxx xx xxxxx xxxxxx xx xxxxx xxxxxx, xxx xxx xxx xxx xxxx xxxx
xxxxxxxx xxxxxxx xx xxx xxxxxx xxxx xxx xxxxxx, xx xxxx xxx xxxxxxx xx xx xxxxxxxx
xxxxxx. Xxxx xxxxxxxxxxx xx xxxxx xx xxx xxxx xx xxxx xxxxxxx xxxxxx xx xxxxxxxx
xxxxxxx.
Xxxx xx xxx xxxxxxx xxxxxxxxxxxxx, Xxxxx xxxxxxxx xxxxx xx xxxxxx xxx xxxxxx xxx
xxxx xx xxx xxxxx xxxx xxx xxxxx xxxxxxx, xx xxx xxxx xxxx xx xxxxx xxxxx xxxxxxx xx
xxx xxxxxxx xxxxxx. Xxx xxxxxxxxx xxxxxxx xxxxx x xxx xx xxxxxxx xx xxxxx xxxxx xxx
XXX xxx xxxxxxxxxxxxx xxxxxx xxxxx xxxxxx xx xxxxxxxxx xxxxxx xxxxxxx:
[edit system syslog]
root# show
archive size 100k files 3;
host 10.189.132.70 {
authorization warning;
}
host 10.189.132.72 {
ftp info;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
Xxx xxxx xxx xxxxxx xxxx xxxxx, xx xx xx xxxxxxxx xx xxx xxxxxxx xxxxxxxx xx xxxxx
Xxxxx xxxxxx xxxxxxx xx xxxxxx xxxx xxxxxxxx xxxx xxxxxxx xxx xxxxxxxxx.
Xxxxxxx, xxxxxxxx xxxx xxxx xx xx xxxx xx xxx xxxxxx xxxxxx, xx xxx xxxxxxxxx xxxxxxx,
xx xxx xx xxxxxxxxx.
Chapter 6
Writing Basic Security Policies
About Zones. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Configuring Address Books. . . . . . . . . . . . . . . . . . . . . . 56
Configuring Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Configuring Security Policies. . . . . . . . . . . . . . . . . . . . . 59
Verifying Security Policies. . . . . . . . . . . . . . . . . . . . . . . . 62
Logging of Security Events. . . . . . . . . . . . . . . . . . . . . . . 64
Xxxxxxxx xxxxxxxx xxx xx xxx xxxxx xx xxx xx xxx xxxxxxxx xxxxxxxxx xx xxx XXX
Xxxxxxxx Xxxxxxx xxxxxxxx. Xx xxxxxxx, xxxxxxx xxxxxxxx xx xxxxxxxxx xxxxxxxx xx
xxx xxxxxxx xx xxxxx xx xx xxxxxxx. Xxxx xx xxx xxxxxxxx xxxxxxx xxxxxxxx, xxx xx
xxxxxxx xx xxxxxxx xxxxxxx xxx XXX xxxxx xxx xxxxxx xx xx xxxxx xx xxxxx xxxxxxxx
xxxxxxxx.
NOTE
An exception to this blocked traffic rule is the traffic in and out of the fxp0 (management)
interface. This interface is an exception because it resides in the control plane of the device, and
it cannot be used for user data traffic.
Xxxxxx xxxxxxxxxxxxx xxxxxxxx xx XX-XXXX-XXXX xxxxxxxxx: XX xxxxxxx X xx
xxxxxxx, XXXX xxxxxx X xx xxxxxxxxx, XXXX xxxx xxxxxx (xxxxxxx xxxxxxxx).
Xxxxxxxx xxxxxxx (XX xxxxxxxxx) xxxxxxxx xx xxxxxxx xx xxxxxxx xxx xxx xxxx
xxxxxxxxx xxxxxxxx:
- Source zone: the predefined or custom zone, seen from the perspective of the SRX that you are configuring.
- Source IP: any IP address, or an address book entry that specifies a host IP or a subnet. The source selected has to belong to the source zone.
- Destination zone: the predefined or custom zone, seen from the perspective of the SRX that you are configuring.
- Destination IP: any IP address, or an address book entry that specifies a host IP or a subnet. The destination selected has to belong to the destination zone.
- Application: a predefined or custom service that defines the source/destination ports, the protocol involved, and the timeout value.
Xx xx xxxxxxxx xxxxxx xxxxxxx xxx xxx xxxxxxxx xxxx xxxxxxxx, xxx xxxxxx (XXXX
xxxxxxxxx) xxxxxxx xxxx xx xx xxxx xxxx xx xxx xxxxx xxxxxxx xxxxxxxx xxx xxxx
xxxxxxxxxxx:
- deny: drops the packet silently.
- reject: drops the packet and sends a TCP RST (for TCP) or an ICMP unreachable message (for other protocols) back to the originator of the traffic.
- permit: permits the packet.
- log: instructs the SRX to write a log entry for matching sessions, at session-init, at session-close, or both.
- count: keeps packet and byte counters for traffic matching the policy.
About Zones
Xx xxxxxx, x xxxx xx x xxxxxxx xxxxxxxxx xxxx xx xxxxx xxxxxxxxxx xxxx xxxxxxx
xxxxxxxx xxxxxxxxxxxx (xxx Xxxxxx 2.1). Xxx xxxxxxx, xxxxxx xxxx xx xxxx xxxxxxxxxxxx
xxxxx xx x Xxxxx Xxxxxxxxx xxxxxxxxxx, xx xxx xxxxxxxx xxxxx xxxxxxxx xx XX xxx xx
xxxxx xx xxx xxxx XX. Xxx xxxxxxxx xxxxxxxxxx xxxx xx Xxxxxxx xxx xx xxxxx xx x
xxxx Xxxxxxx, xxx xx xx. Xxxx xxxxx xxx xxxxxxx xxxxxxxxxxx, xxx xxx xxx xxxx xxxx
xxxxxxxx xxxx xxxxx xxx xxxx xxxxx xx xxx.
TIP
If you are working in a large deployment involving managed services or multiple groups, it is
best that you use a structured naming convention, as this reflects in the logging that the firewall
generates, making troubleshooting and accounting tasks simpler and cleaner.
Xxxxx xx x xxxxxxxxxx xxxxxxxx xxxx xx xxx XXX xxxxxx xxxxx-xxxxxxx xxxx xxxx xx
xxxxxxxx. Xx xxxxxxxx, xxx xxxxxxx xxxxxxx xxxxxxxxxxxxx xx xxxxxx XXX xxxxxxxxxx
xxx xxx xxxxxxxxxx xxxxx: xxxxx xxx xxxxxxx. Xxxxx xxx xxxxx xxxxx xxx xx xxxxxxxx xx
xxxx xxxxxxx.
Xxxxx xxx xxxxx xxxxxx xxx xxxxxxx xxxx xxxxx, xxxxx xxxx xx xx xxxxxxx, xxx xxx
xxxxxxxxxxxxx xxxxxxxxxx xxxx xxxx xx xx xxxxxxxx xx xxxx.
Xx xxx xxxx xxxx xxxxxxxxx xxxx xxxx xxxxxxxxxxxx xxxx xxx xxxxxxxxx, xxx xxxxxxxxxx
xxxxx xxx xxxxxxxxxx xx Xxxxxxx 3. Xxx xxxxxx xxxxxx xxxx xxxx xxxx:
[edit security]
root# show
zones {
security-zone untrust {
host-inbound-traffic {
system-services {
ssh;
ftp;
telnet;
ping;
}
}
interfaces {
ge-0/0/1.0;
ge-0/0/2.0;
}
}
security-zone admins {
interfaces {
ge-0/0/0.0;
}
}
}
Xx xxxxxxxx, xxxxx xxxxxxxx xxx xxxxxxx xxxxxxxxxx xxxxxx xx xxx xxxxx xxxxxxxxx.
Xxx xxx xxxx xxxxxxxx xxxxx ? xxxxxxx xxx xxx xxx xxxxxxxx.
Xxxxxx xxxx xxxxxxx xxxxxxxxx xxxx xxxxx xxxxxxx, xxxx xxxxxxxxxxx Xxxxx xxxxxxxx
xxxxxxxx xx x XXX xxxxxx, xxx xxxxxxxxx xxx xxxxxxx xxxxx xx xxx xxxxxx xxx
xxxxxxxxxxx xxxxxxxxx, xxx xx xxx xxxxxx xxxxxxx xx XXx. Xxxx xxxxx xxx x xxxxxxxxxx
xxxxxx, xxxxxxxx xxx xx xxx xxxx xxxxxxxxxxxxx xx x xxxx xxxxx, xxxxxxxx xxxxxx.
Xx xxx xxx xx x xxxxx xx xxxx xx xx xxx xxxx xxxxx, xxx xxx xxxxxx xxx xxx xxxxxxxxxx
xxxxxxx xxxx xxx xx xxx xxxxxx xxx xxxxxxxxxxx. Xxxx xxxxxxxxxx xxx xxx xxx XX
xxxxxxxxx.
Xxxxxxxxx xxx xxxxxxx xxxxxxxx xx Xxxxxx 2.2, xxx xxx xxxxx xx xxxxxxxxx x xxxxxxxx
xxxxxxx xxxx xxx xxx xxxxxxxx xx xxx xxxx xxxxxx.
To Configure Address Books:
Stop and think for a moment, please! From the perspective of the firewall, where does the host
reside? In this case it would be the admins zone, so make sure the address book is created in
that zone.
Xxxxxx xxx xxxxxxx xxxx xxxxx XX1:
[edit security]
root# edit zones security-zone admins
[edit security zones security-zone admins]
root# set address-book address PC1 192.168.2.2
Xxxxxx xxx xxxxx xxx xxxxxx xxx Xxxxx xxxxxxxxxxxxx xxxxxxx xxxx xx x /32 xxxxx
xxxxx xxx xxxxx xxxxxxx x xxxxxx xxxx:
[edit security zones security-zone admins]
root# show
address-book {
address PC1 192.168.2.2/32;
}
interfaces {
ge-0/0/0.0;
}
Xxxxx xxx xxxxxxxxxxx xxxxxxx xxx xx xxx xxxx xx xxx xxxxxxx xxxx (xxx xxxxxx xxx),
xx xxxxxxxx xxxxx xxxxx xx xxxx xxxx xx xxxx xxxx xxx xx xxx xxxxxxx xxxx xxx xxx
xxxxxxxxxxx xxxxxxx.
TIP
Creating many address entries in a zone's address book is not a problem. However, if you want to gather those individual entries into a group to simplify your policy creation, you can create address-sets for this purpose. The concept is very similar to creating an address entry, but instead of specifying IP addresses or prefixes, you list the names of the address entries that you want to belong to that address-set.
Configuring Services
Xxxxxxxx xxxxxxx xxx xxxxxxxxxxxx xxxx xx xxx xxxxxxxx, x xxxxxxxxxxx xx
xxxxxx/xxxxxxxxxxx xxxxx, xxxxxxxx, xxx xxxxxxx. Xxx xxxxx xxx xxxxxxxx xxx xxxx xx
xxx XXX/XX xxxxxx xxxxxx, xxx xxx xxxxxxx xxxxxx xx xxx xxxx xxxx x xxxxxxxxxx
xxxxxx xxxx xx xxxx xx xxxxxx xxxxxx xx xx xxxxxx, xx xx xxxxxxxxxx xxxxxxx xxxxx xxx
xxxx xxxxxxxx xxxxxx.
Xxx XXX Xxxxxxxx Xxxxxxx xxxxxxx xxx xxxxxxxx xxxxxxxxx. Xxxx xx xxxxxxxx xxxxxx
xx xxxxxxx xxx xx xxxxxx xx xxxxx, xxxx xx xxxxx xxxxxxxxxxx xxxx xxxxxx xxx xxx
xxxxxxxxxxxxx xxxxxx xx xxxx xx xxxxxx (xxxxxxx xxxxx) xx xxxx xxxxxxxxxx xxxxxxx xxx
xxxxxxxxx xxxxxx. Xx, xxxxx x xxxxx (xxx xxxxxxx xxxxx), xx xxxxxxxxxx xxxxxxx xxxxx
xxx xxxx xxxxxxxx, xxx xxxxx xx xxxxxx xxxx xxxxxx. X xxxxxx xxxxxx xx xxxxxxx xxx xx
xxxx xx xxxxxx, xxx xxxx xx xxx xxx xxxxxxxx xxx xx xx xxxxxxxxx xxxxx xxxx xx xxxx
xxxxx.
Xxx xxxx xxxxxx xxxx xx xxxxxxxxx xxxxxxxx. Xx xxxx, xxxxx xx x xxxx xx xxx-xxxxxxx
xxxxxxxx, xxx xxx xxx xxx xxxxx xxxxxxx xxxx xxxxxxxxxxxxx xxxx xxxx xxx xxxxxxx:
[edit]
root# show groups junos-defaults applications
1. One single line of code allows you to create a new service. If you're following along on your device, try keying in the following. Note that there are many options available to you as you key each command segment. Use ? as you are typing the following command:
[edit]
root# set applications application SERVICE1 source-port 2000-4000 destination-port 1111 protocol tcp inactivity-timeout 1800
Xxx xxx xxxxxxxxx xxxx xxxxxx xxxxxxxxxxxx; xxxxx xx xx xxxx-xxx xxxxx xx xxx xxxxxx
xx xxxxxxxxxxxx xxxx xxx xx xxxxxxx.
Xxxx xxxx xx xxx xxxxxxx-xxx xxxxxx, xx xx xxxxxxxx xx xxxxx xxxxxxxx xxxxxxxx
xxxxxxxx xx xxxxxxxxxxx xxxxxxx-xxxx, xxxxxx xxx xxxxxxxxxxxxx xx xxxxxxxx xxxxxxxx
xxxxxx xx xxx. Xxx xxx xx xxxxxxxxxx xxx xxxxxx xxxxxxxx xx xxxxxxxxx, xxx xxxxxxx:
[edit]
root# set applications application-set MYSERVICES application SERVICE1
[edit]
root# set applications application-set MYSERVICES application junos-http
[edit]
root# set applications application-set MYSERVICES application junos-ping
[edit]
root# set applications application-set MYSERVICES application junos-dns-udp
[edit]
root# set applications application-set MYSERVICES application junos-dns-tcp
For a detailed explanation of processing packets through the SRX, please refer to the Junos
Security Configuration Guide. Version 10.1 can be located at:
https://www.juniper.net/techpubs/software/junos-srx/junos-srx10.1/index.html. The book Junos
Security, published by O'Reilly Media, also contains excellent descriptions and examples of the
processing of packets through the SRX.
2. Xxxxxx x xxxxxx, xxxxxx xx x xxxx xxxx xxxxx xxxxx. Xx xxxx xxxx, xxx xxx xxxxx xx
xxxxxx x xxxxxx xx xxxxx xxx xxxxxx/xxxxxxxxxxx xxx xxxxxxxxxxx. Xxxxxx xxxx xxxx
xxxx xxxxxxxxxxx xx xxx XX xxxxxx:
3. Xxx xxxxxxxxx xxxx xx xx (XXXX xxxxxx) xx xxx xxxxxxxx xxxxxxxxxx xxx xxxxxxx xx
xx xxxxxxxx xxxxxx. Xxx xxxxxxxxxxx xx xx xxxxxx xxx xxxxxxx:
[edit security policies from-zone admins to-zone untrust]
root# set policy admins_to_untrust then permit
Xx xxxx xxxx xxx xxxx xxxxxxx xxxxxxxxx xxx xxxxx xxxxxxxxxxx. Xxxx xxx x xxxx
xxxxxxxxxx xxxxxxx, xxx xxx xxx xxxx xxxxxxxxxx xxxx xxxxxxx, xxxx xx xxxxxxxx
xxxxxxxx xxx xxxxxxxxxx xxxxxxxx, xx xxxxxxx xx xxxxxx xxxx x xxxxxxx xx xxxxxxx, xx
xxxxxx, xxxxx xxxxxxxx xxxx xxxxxx.
Xxxxx xxxxxxxx xxxx xx xxxxx xxxxx xxxxxxx xxx xxxxxx xxxxx xxx xx xxxxxxx xxxx xxxx:
[edit security policies from-zone admins to-zone untrust]
root# show
policy admins_to_untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
log {
session-init;
session-close;
}
count;
}
}
Xxxx xxx xxxxxxxxx xxx xxxxxx xxxxxxxxxxx xxxx xxx xxxx xx xxx xxxxxxxxx xx xxxx
xxxxxxx:
Xxxxxx xxxxxx xxxxxxx xxxx xxx xxxxx xx xxx xxxx xxxxxx xx xxx xxxxx xxxx xx xxx
xxxx xxxx.
To Configure the Second Security Policy:
2. Xxxxxx x xxxxxx, xxxxxx xx x xxxx xxxx xxxxx xxxxx. Xx xxxx xxxx, xxx xxx xxxxx xx
xxxxxx x xxxxxx xx xxxxx xxxxxx xxxxxxx xxxx xxx xxxxx xx xxx xxxx xxxx. Xxx xxx
xxxxxx xxxxxxx xxx xxx xxx xxx xxxxxx XXXXXXXXXX xxxxxxxx-xxx, xxxxxxxxxx
xxxxxxxxxx:
[edit security policies from-zone admins to-zone admins]
root# set policy intra_zone_traffic match source-address any destination-address any application MYSERVICES
3. Xxx xxxxxxxxx xxxx xx xx (XXXX xxxxxx) xx xxx xxxxxxxx xxxxxxxxxx xxx xxxxxxx xx
xx xxxxxxxx xxxxxx. Xxx xxxxxxxxxxx xx xx xxxxxx xxx xxxxxxx, xxx xxx xxx xxxx xxxxxx
xxxxxxx xxx xxxxxxxx:
[edit security policies from-zone admins to-zone admins]
root# set policy intra_zone_traffic then permit
[edit security policies from-zone admins to-zone admins]
root# set policy intra_zone_traffic then log session-init
[edit security policies from-zone admins to-zone admins]
root# set policy intra_zone_traffic then log session-close
[edit security policies from-zone admins to-zone admins]
root# set policy intra_zone_traffic then count
Xxx xxxxxx xxxxxx xxxxxxxxxxx xxx xxxx xxxxxxxxx. Xx xxx xxx xxxxx xxxxxxxxxxx,
xxxxx xx xx xxxxxxxxxxxxx xxxxxx, xxxxx xxx xxxxxxx xxxxxx xxxx-xxx xxxx xxxxxxxx xxxx
xxx xxxxxxxx xxxxxxxxxx xxx xxxxxxx xx xxx xxxxxxx (xxxx-xxxx xxxxxxx xx-xxxx xxxxx).
Xxxxxxx xxx xx xxxxxx xxxx xxx xxxxxxxx xxxxxxxx xxx xxxxxxx xx xxxxxxxx xx xx xxxx
xxxx xxxxxxx. Xx x xxxxxxxxxx xxxxxxx, xxx xxx xxxx xxxxxxx xxx xxxxxxx xxxxx xxxx
xxx XXX xxxxxxx xxx xxxxx xxx xxxxxxxx xxxxxxxxxxx.
Xxxxx xxxxxxx xxxx xxx XX xx xxx xxxxxx xxxx xxx xxxxxxxxxx xxxxxxxx xxxxxxx
xxxxxxxx, xxxxxxx xxxx xxx XXX xx xxxxxxx xx xxx xxxxxxx xxxxx xxxx xxxx xxxxxxxx:
[edit security policies]
root# run show security flow session
Session ID: 100001782, Policy name: admins_to_untrust/4, Timeout: 1796
In: 192.168.2.2/4777 --> 216.52.233.201/443;tcp, If: ge-0/0/0.0
Out: 216.52.233.201/443 --> 192.168.2.2/4777;tcp, If: ge-0/0/2.0
Session ID: 100001790, Policy name: admins_to_untrust/4, Timeout: 1800
In: 192.168.2.2/4781 --> 209.239.112.126/80;tcp, If: ge-0/0/0.0
Out: 209.239.112.126/80 --> 192.168.2.2/4781;tcp, If: ge-0/0/2.0
Session ID: 100001846, Policy name: admins_to_untrust/4, Timeout: 1404
In: 192.168.2.2/4788 --> 66.235.120.98/80;tcp, If: ge-0/0/0.0
Out: 66.235.120.98/80 --> 192.168.2.2/4788;tcp, If: ge-0/0/2.0
Session ID: 100002381, Policy name: admins_to_untrust/4, Timeout: 6
In: 192.168.2.2/47621 --> 24.47.122.98/43519;udp, If: ge-0/0/0.0
Out: 24.47.122.98/43519 --> 192.168.2.2/47621;udp, If: ge-0/0/2.0
<snip>
Xxxxx xxx xxxxxx xxxx xxxxxxx xxx xxxxxxxx xx x xxxxxx xxxx xx xxxxxx xx xxxxxx xxxx
xxxxxxxx xx xxxxx xx xxxx xxxxx. Xxx xxx xxxxxxx xxx xxxxxx/xxxxxxxxxxx XXx, xxxxx,
xxxxxxxx, xxxx-xxx xxxxxx, xxxxxxxxxx xxxxxxxx, xxx xxxxxx xxxx xxxxxxx xxx xxxxxxx,
xxx xxxx. Xxxxxx xxxx xxxxxxx xxx xxxxxxx xx xxxxx xxxxx xx xxx xxxx, xxxxxxxxxxxx
xxx xxxxxxxxxxxxx xxxxxxxxxxx xx x xxxxxxx (x xxxx). Xx xxxxxxx xxxxxxxxx, xxx XXX
xxxxxxx xxxxxxxxxxxxx xxxxxxx xx xxxxxx xx xxxxx xxx xxxxxx xxxxxxx xxxx xxxxxxx
(xxxx xx xxxx xx xxxxx xx xxxxxxxx xxxxxxxx).
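Added example, not Juniper code: a Python model of the lookup the SRX performs on the first packet of a session, built from the zones, the PC1 address, SERVICE1, MYSERVICES and the two policies configured in this chapter (the port values for the junos-* entries follow the predefined applications). It demonstrates the two rules that matter most when reading the policy and session output above: within a from-zone/to-zone context policies are evaluated in configured order and the first match wins, and a session with no matching policy, including anything initiated from untrust towards admins, hits the implicit default-policy deny. Separately, note that host-inbound-traffic in the zone listing above (ssh, ftp, telnet, ping on untrust) governs what the SRX itself answers, not what policy forwards, and exposing telnet and ftp on untrust is not something to copy into production.

```python
"""Model of SRX zone-based policy lookup: within a (from-zone, to-zone)
context the first matching policy wins; anything unmatched falls through to
the implicit default-policy deny-all. Added illustration, not Juniper code."""
from dataclasses import dataclass
import ipaddress


@dataclass
class Application:
    protocol: str                  # "tcp", "udp" or "icmp"
    dst_ports: tuple = (0, 65535)  # inclusive range
    src_ports: tuple = (0, 65535)


@dataclass
class Policy:
    name: str
    src: list    # address-book entry names, or ["any"]
    dst: list
    apps: list   # application / application-set names, or ["any"]
    action: str  # "permit", "deny" or "reject"
    log: bool = False
    count: bool = False


class SecurityPolicyTable:
    def __init__(self):
        self.zones = {}     # zone -> set of logical interfaces
        self.addrbook = {}  # zone -> {entry name: ip_network}
        self.apps = {}      # name -> Application
        self.appsets = {}   # name -> [application names]
        self.contexts = {}  # (from_zone, to_zone) -> ordered [Policy]

    def add_zone(self, zone, *ifaces):
        self.zones[zone] = set(ifaces)

    def add_address(self, zone, name, prefix):
        # A bare host address becomes a /32 (or /128), as Junos does.
        self.addrbook.setdefault(zone, {})[name] = ipaddress.ip_network(prefix, strict=False)

    def add_policy(self, from_zone, to_zone, policy, before=None):
        ctx = self.contexts.setdefault((from_zone, to_zone), [])
        if before is None:
            ctx.append(policy)
        else:  # same effect as 'insert policy X before policy Y'
            ctx.insert([p.name for p in ctx].index(before), policy)

    def zone_of(self, iface):
        for zone, ifaces in self.zones.items():
            if iface in ifaces:
                return zone
        raise KeyError(f"{iface} is not bound to a security zone")

    def _addr_ok(self, zone, names, ip):
        if "any" in names:
            return True
        book = self.addrbook.get(zone, {})  # entries live in the zone's own book
        return any(ipaddress.ip_address(ip) in book[n] for n in names)

    def _app_ok(self, names, proto, sport, dport):
        if "any" in names:
            return True
        for n in (a for name in names for a in self.appsets.get(name, [name])):
            app = self.apps[n]
            if (app.protocol == proto and app.src_ports[0] <= sport <= app.src_ports[1]
                    and app.dst_ports[0] <= dport <= app.dst_ports[1]):
                return True
        return False

    def lookup(self, in_if, out_if, src_ip, dst_ip, proto, sport=0, dport=0):
        """Return (policy name, action) for a session's first packet."""
        fz, tz = self.zone_of(in_if), self.zone_of(out_if)
        for p in self.contexts.get((fz, tz), []):
            if (self._addr_ok(fz, p.src, src_ip) and self._addr_ok(tz, p.dst, dst_ip)
                    and self._app_ok(p.apps, proto, sport, dport)):
                return p.name, p.action
        return "default-policy", "deny"


def build_lab_table():
    """The zones, address, applications and two policies configured in this chapter."""
    t = SecurityPolicyTable()
    t.add_zone("untrust", "ge-0/0/1.0", "ge-0/0/2.0")
    t.add_zone("admins", "ge-0/0/0.0")
    t.add_address("admins", "PC1", "192.168.2.2")
    t.apps.update({
        "SERVICE1": Application("tcp", (1111, 1111), (2000, 4000)),
        "junos-http": Application("tcp", (80, 80)),
        "junos-ping": Application("icmp"),
        "junos-dns-udp": Application("udp", (53, 53)),
        "junos-dns-tcp": Application("tcp", (53, 53)),
    })
    t.appsets["MYSERVICES"] = ["SERVICE1", "junos-http", "junos-ping", "junos-dns-udp", "junos-dns-tcp"]
    t.add_policy("admins", "untrust",
                 Policy("admins_to_untrust", ["any"], ["any"], ["any"], "permit", log=True, count=True))
    t.add_policy("admins", "admins",
                 Policy("intra_zone_traffic", ["any"], ["any"], ["MYSERVICES"], "permit", log=True, count=True))
    return t
```

The lookup is deliberately limited to what the chapter configures: no global policies, no NAT, and no host-inbound-traffic check, so traffic addressed to the SRX itself is outside its scope.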
1. Configure the logging mode and format. Typical formats used are syslog (standard) and sd-syslog
(structured):
[edit]
root# set security log mode stream
[edit]
root# set security log format sd-syslog
2. Xxxxxxxxx xxx xxxxxx xx xxxxxxxx xxx xxx xxxxxx xxxxxx. X xxxx xx xxxxxxxx xxx xxx
xxxxxx, xxx xxxx xx xxxxxxx xxxxxxxxxxx, xxx xxx xxx xxxxxxxxxx xx xxx xxxxxxxxx
xxxxxxxxxx xx xxxxxxxxxx xxx xxxxxxxxxxxxxx xxxx xxxxxxxxxxxxxxx xx xxxxxxxx xxx
xxxxxxxx xxxxxx:
[edit]
root# set security log source-address 192.168.2.1
[edit]
root# set security log stream SYSLOG_SERVER host 192.168.2.2
NOTE
Other options, such as the destination port, can be configured in case you are not using the default (UDP port 1514). Also note that the host 192.168.2.2 does not run any syslog service; it is configured here for example purposes only.
1. Configure the logging format. Options available are syslog (standard) and sd-syslog (structured):
[edit]
root# set security log format sd-syslog
2. Xxxxxxxxx xxx xxxxxx xx xxxxxxxx xxx xxx xxxxxx xxxxxx. Xxxx xxxxx, x xxxx xx
xxxxxxxx xxx xxx xxxxxx, xxx xx xx xxxxxxx xxxxxxxxxxx xxx xxx xxx xxxxxxxxxx xx xxx
xxxxxxxxx xxxxxxxxxx xx xxxxxxxxxx xxx xxxxxxxxxxxxxx xxxx xxxxxxxxxxxxxxx xx
xxxxxxxx xxx xxxxxxxx xxxxxx:
[edit]
root# set security log source-address 10.189.140.99
[edit]
root# set security log stream SYSLOG_SERVER host 10.189.132.70
3. Xxxxxxxxx xxxxxxx xxx xxx xxxxxxx xxxxx, xx xxx xxxx xxxxxxxxx xx xxx xxxx xxxxx xx
x xxxxxxxxxxx xx x xxxxxxxx xxxxxx xxxxx, xxx xxxx xx xxx xxxxxxx xxxxx:
[edit]
root# set security log mode event
4. Xxxxxxxxx xxxx xxxxxxxx xx xxxxx xxxx xx xxx xxxxxxx xxxxx. X xxxx xxxxxxxx xx xx
xxxxx xx xxxx xxxx 1,000 xxx xxxxxxx xxx xxxxxx:
[edit]
root# set security log mode event event-rate 1000
NOTE
By default, SRX devices do not send native syslog messages to NSM, only the logs stored in two
files in the SRX. If logging is from a high-end SRX, then security logs must be sent to the control
plane first.
1. Configure the logging mode and format. Options available for the format are syslog (standard)
and sd-syslog (structured):
[edit]
root# set security log mode event
[edit]
root# set security log format sd-syslog
2. Xxxxxxxxx xxx xxxxxx xx xxxxxxx xxx XXX xx xxx xxxxxx xxxxxx xxxxxx. X xxxx xx
xxxxxxxx xxx xxx xxxxxx, xxx xx xx xxxxxxx xxxxxxxxxxx, xxx xxx xxx xxxxxxxxxx xx xxx
xxxxxxxxx xx xxxxxxxxxx xxx xxxxxxxxxxxxxx xxxx xxxxxxxxxxxxxxx xx xxxxxxxx xxx
xxxxxxxx xxxxxx:
[edit]
root# set security log source-address 10.189.140.99
[edit]
root# set security log stream SYSLOG_SERVER host 10.189.132.72
3. Xxxxxxxxx xxxxxxx xxx xxx xxxxxxx xxxxx xxx xxxx xxxxx xxx xxxxxxx (xxxx xxxx xx
xxxx xxxxxxxx xxx xxxx-xxx XXX, xx xxxx xx xxx xxx xxxxxxxxxxx x xxxxxx xxxxxx):
[edit]
root# set security log mode event event-rate 1000
4. Xxxxxxxxx xxxxxxx xx XXX. Xxx xxxxxxxxx xxxxxxx xxx xxxxxxxxx xxx xxxxxxxx
xxxxxxx xxxxxx xxx xxxxxxxx xxxx:
[edit]
root# set system syslog file default-log-messages structured-data
[edit]
root# set system syslog file default-log-messages any any
Xxxxx xx. Xxx xxxxxx xxxx xxxx xxxxx xxxxxxxx xxxxxxxx xxxxxxx xxx x xxxxxx xx xxx
xxxx. Xxxx xxxx xx xxx xx xxxxxxxx xxx xx xxxxxxx xxxxx xxxxxxx xxxx xxx xxxxxxx xxx
xxxxxx xx xxxxx xxx xxxxx xxxxxxxxxxxx.
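Added example, not Juniper code: a Python parser for the sd-syslog (structured-data) format selected in the steps above, which correlates RT_FLOW_SESSION_CREATE and RT_FLOW_SESSION_CLOSE events by session-id-32 and totals bytes per policy, the first thing a collector needs to do with these logs. The sample messages are constructed to resemble what an SRX emits, reusing the addresses, ports and policy from the show security flow session output earlier in this chapter; they were not captured from a device, and the field set is abbreviated (real messages also carry NAT and rule-name fields).

```python
"""Parse SRX security logs in sd-syslog (structured-data) format and
correlate session create/close events per policy. Added illustration,
not Juniper code."""
import re
from collections import defaultdict

# Constructed sample modelled on RT_FLOW_SESSION_CREATE / RT_FLOW_SESSION_CLOSE
# messages in sd-syslog format; not captured from a real device.
SAMPLE_LOG = [
    '<14>1 2010-06-10T01:58:02.001 SRX1 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.36 '
    'source-address="192.168.2.2" source-port="4781" destination-address="209.239.112.126" '
    'destination-port="80" service-name="junos-http" protocol-id="6" policy-name="admins_to_untrust" '
    'source-zone-name="admins" destination-zone-name="untrust" session-id-32="100001790"]',
    '<14>1 2010-06-10T01:58:05.120 SRX1 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.36 '
    'source-address="192.168.2.2" source-port="4777" destination-address="216.52.233.201" '
    'destination-port="443" service-name="junos-https" protocol-id="6" policy-name="admins_to_untrust" '
    'source-zone-name="admins" destination-zone-name="untrust" session-id-32="100001782"]',
    '<14>1 2010-06-10T01:58:39.412 SRX1 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.36 '
    'reason="TCP FIN" source-address="192.168.2.2" source-port="4781" '
    'destination-address="209.239.112.126" destination-port="80" service-name="junos-http" '
    'protocol-id="6" policy-name="admins_to_untrust" source-zone-name="admins" '
    'destination-zone-name="untrust" session-id-32="100001790" packets-from-client="12" '
    'bytes-from-client="1420" packets-from-server="10" bytes-from-server="4096" elapsed-time="37"]',
]

# RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD-ID params]
HEADER = re.compile(
    r'^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) \S+ (?P<msgid>\S+) '
    r'\[(?P<sdid>\S+) (?P<params>.*)\]$')
PARAM = re.compile(r'(\S+?)="([^"]*)"')


def parse_sd_syslog(line):
    """Return a flat dict of header fields plus every name="value" parameter,
    or None if the line is not an sd-syslog message."""
    m = HEADER.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    rec = {
        "facility": pri >> 3, "severity": pri & 7,   # PRI = facility * 8 + severity
        "timestamp": m.group("ts"), "host": m.group("host"), "event": m.group("msgid"),
    }
    rec.update(dict(PARAM.findall(m.group("params"))))
    return rec


def session_report(lines):
    """Pair CREATE and CLOSE events by session id and total bytes per policy.
    Sessions still open (no CLOSE seen) are reported separately, which is how a
    long-lived or never-closed flow stands out in a log review."""
    open_sessions, closed, bytes_by_policy = {}, [], defaultdict(int)
    for line in lines:
        rec = parse_sd_syslog(line)
        if rec is None:
            continue
        sid = rec.get("session-id-32")
        if rec["event"] == "RT_FLOW_SESSION_CREATE":
            open_sessions[sid] = rec
        elif rec["event"] == "RT_FLOW_SESSION_CLOSE":
            open_sessions.pop(sid, None)
            closed.append(sid)
            total = int(rec["bytes-from-client"]) + int(rec["bytes-from-server"])
            bytes_by_policy[rec["policy-name"]] += total
    return {"open": sorted(open_sessions), "closed": closed,
            "bytes_by_policy": dict(bytes_by_policy)}
```

Because these messages arrive over plain UDP, pair this parsing with the syslog transport caveats from Chapter 5: the collector should be on the management network, and the source-address configured above gives it a stable sender to filter on.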
Chapter 7
Configuring NAT Source
NAT Types. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Configuring Source NAT Using the Egress Interface. . . . . 73
Configuring Source NAT Using Translation Pools. . . . . . 75
Xx xxxxxxx, xxxxxxxx xxxxxxx xx xxx XXX xxx xxxxxx xx xxx xxxxxxxxxxx. Xxx xxx
xxxxxx xxxxxxx xxxx xx xxxxxxxxxx xxx xxxxxxx xxxxx. Xxx xxxxxxx, xxx (xxxxxxxxx)
xxxxxxx xx xxx xxxx xxxxxxxx xxxx xxxxxxx xxxxxxx xxxx xxx xxxx xxxxxxxxx xxxxxxx,
xxxxxxxx xxx xxxxxxxxx xxx xxx xx xxx xxxxx:
[edit security policies]
root# run show security flow session
Session ID: 100001790, Policy name: admins_to_untrust/4, Timeout: 1800
In: 192.168.2.2/4781 --> 209.239.112.126/80;tcp, If: ge-0/0/0.0
Out: 209.239.112.126/80 --> 192.168.2.2/4781;tcp, If: ge-0/0/2.0
<snip>
Xxx xxxxxx xxxxxxxxx xxxx xxxxx xx xx xxxxxxxx xxxxxx xxxx x xxxxxx XX xxxxxxx xx
192.168.2.2, xxxxxxxx xx 209.239.112.126. Xxx xxxxxx xxxxxxx xxxxx x xxxxxx xxxxx
xxxxxxx xxxx 209.239.112.126, xxxxxxxx xx xxx xxxxx XX xxxxxxx xxxx xxxxxxxxxx xxx
xxxxxxxxxxx, 192.168.2.2.
Xxxx xxx xxxxxx xxx xxxxxxxxxxx XX xxxxxxxxx xxxxxx xxxxxxxxx, xx xx xxxx xxxxxxx,
xx xx xxxxxxxxxx xxxx xxx xxxxxxx xxx xxxxxx xx xxxxxxx xx xxxxxxxxxx (XXXxx).
NAT Types
Xxx XXX xx xxxxxxx xx xxxxxxxxxx xxxxxxxxx xxxxx xx xxxxxxxxxxx xx xxx xxxxxx xxx
xxxxxxxxxxx xxxxxxx. Xxx xxxxxxx xxx: xxxxxx, xxxxxxxxxxx, xxx xxxxxx.
Xxxx xxxxxxx xxxxx xxx xxx xx xxxxxxxxx xxxxxx XXX xx xxxxxxxxx xxx xxxxxx XX xx
xxxxxxxx xxxxxxx xx xxxx xxxxx xxx XXX. Xxxxx xxx xxxxxxx xxxxxxx xxxxxxxxx xxxx
xxxxxxxxx xxxx xxxx xx xxxxxxxxxxx. Xxx xxxxxxx, xxx xxx xxxxxxxxx xx xx xxxx xxx
xxxxxx XX xx xxxxxxxxxx xx xxx XX xx xxx xxxxxx xxxxxxxxx, xxx xxx xxx x xxxxxxxxx
xxxx xx XX xxxxxxxxx xxx xx xxxx xxxxxxx xxxxxxxxxxx, xxx xxxxx xxx xxxx x xxx xxxx
xxxxxxx.
Xxxxxx 7.1 xxxxxxxxxxx xx xxxxxxx xx xxxxxx XXX. Xxxxx xxxx xxxxxxxxxxx xxx xxxxxx
XX xx xxxx xx xxx xxxxxxxxx xx-0/0/2, xxx XXX xxxx xxxxxxxxxx xxx xxxxxx xxxx
(xxxxxxxx xxxx xxxxxxx xxxxxxxxxxx xx XXX xx xxxxxxx). Xxxxxxxxxxx xxx xxxxxx XX
xxxxxx xxxxxxx x xxxxxx XX xxxxxxx xxxxxxx xxxxxxxxx xx xxxxx, xxxxx xxxxxxxxxxx xxx
xxxxxx xxxx xxxxx xxx XXX xxx xxxxxxxxxxx xx xxxxxxxx xxx xxxxxxxxx x xxxxxxxxxx
xxxx, xxx xxx xxxxxxx xx xxxx xxx xxx xxxxxx xxxxxxx xx xxx xxxxxxxxxxxxx xxxx xxxx
xxxxxx xxx xxxxxxxxxx.
WARNING
Do not be confused here. Remember that in order for traffic to go across the SRX you need to
configure a security policy. A source NAT configuration looks very similar to a security policy,
but it will not allow the traffic through; it only manipulates the traffic once it has been
permitted by the security policy.
Xxxx xxxxxxxxx xxx xxxxxxxxx xxxxxx XXX xxxxxxxxx:
- Using the IP address of the egress interface.
- Using a translation pool.
- Creating a rule to except traffic.
Xx xxx xxxxxx xxx xxxxxxxxx xxxxxxxxx xxxx xxx xx xxxx xxxxxxxx xx xxxxxx xxxxx
xxxxxxxxxxx xxx xxxxxxxxx. Xx xxxxxx xxxxxxxxxxx xxx xxx xxx xxx xxxxxxxxx xxxxxxx
xxx xxx xx xxx xxxxxxxxx xxxxxxxxxx:
Xxx xxxxxx xxxxxxxxx xxx xx xxxxxxxxxxxx xxxx xxx xxxx xxxxxxxx xxxx xxxxxxx xxxxxxx xx
xxxx xxxxxxxxxx xx xxxx xxxx. Xx xxx xxxxxx xx xxx xxxx xxxxxxx, xxxx xxx xxxxx
xxxxxxxxx xx xxx xxx xxxxxxxxxxx XX xxxxxxx xxx xxx xxxxxxxx xxxxxxx. Xxxxxxxx xxxx
xxxx xxxxxxx xxxxxx xxx xxxxxxxxx xxxxxxxx xxxxxxxxxx xxxx xxx xxx xxx xx xxxxxx xxx
xxxxxx:
root# run show security flow session ?
Possible completions:
  <[Enter]>            Execute this command
  application          Show session for specified application or application set
  destination-port     Show each session that uses specified destination port
  destination-prefix   Show each session that matches destination prefix
  idp                  Show IDP sessions
  interface            Show each session that uses specified interface
  protocol             Show each session that uses specified IP protocol
  resource-manager     Show resource-manager sessions
  session-identifier   Show session with specified session identifier
  source-port          Show each session that uses specified source port
  source-prefix        Show each session that matches source prefix
  summary              Show summary of sessions
  tunnel               Show tunnel sessions
  |                    Pipe through a command
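Reading session wings by hand gets tedious once there are more than a few entries. The following added example (not from the book, nor Juniper code) parses "show security flow session" output and reports, per session, whether the source was translated by comparing the Out wing's destination with the In wing's source. The sample output is constructed here: it reuses the chapter's session with 66.129.250.1 as the egress-interface address, plus one made-up untranslated session.

```python
import re

# Constructed sample in the format of "show security flow session". The first
# session takes its addresses from this chapter; its Out wing is addressed to
# 66.129.250.1, the egress-interface address, as it would be after
# interface-based source NAT. The second session is made up and untranslated.
SAMPLE_OUTPUT = """\
Session ID: 100001790, Policy name: admins_to_untrust/4, Timeout: 1800
  In: 192.168.2.2/4781 --> 209.239.112.126/80;tcp, If: ge-0/0/0.0
  Out: 209.239.112.126/80 --> 66.129.250.1/4781;tcp, If: ge-0/0/2.0
Session ID: 100001791, Policy name: admins_to_untrust/4, Timeout: 1800
  In: 192.168.2.2/4790 --> 209.239.112.126/443;tcp, If: ge-0/0/0.0
  Out: 209.239.112.126/443 --> 192.168.2.2/4790;tcp, If: ge-0/0/2.0
<snip>
"""

SESSION_RE = re.compile(
    r"^Session ID: (?P<id>\d+), Policy name: (?P<policy>[^,]+), Timeout: (?P<timeout>\d+)"
)
WING_RE = re.compile(
    r"^\s*(?P<dir>In|Out): (?P<src>[^/\s]+)/(?P<sport>\d+) --> "
    r"(?P<dst>[^/\s]+)/(?P<dport>\d+);(?P<proto>\w+), If: (?P<ifname>\S+)"
)


def parse_sessions(text):
    """Parse session blocks into dicts. Lines matching neither pattern
    (such as "<snip>") are ignored; sessions missing a wing are dropped."""
    sessions = []
    current = None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            current = {"id": int(m["id"]), "policy": m["policy"],
                       "timeout": int(m["timeout"]), "wings": {}}
            sessions.append(current)
            continue
        m = WING_RE.match(line)
        if m and current is not None:
            current["wings"][m["dir"]] = {
                "src": m["src"], "sport": int(m["sport"]),
                "dst": m["dst"], "dport": int(m["dport"]),
                "proto": m["proto"], "if": m["ifname"],
            }
    return [s for s in sessions if {"In", "Out"}.issubset(s["wings"])]


def source_nat_applied(session):
    """True when the reverse (Out) wing is addressed to something other than
    the original source address/port, i.e. the SRX rewrote the source."""
    inn, out = session["wings"]["In"], session["wings"]["Out"]
    return (out["dst"], out["dport"]) != (inn["src"], inn["sport"])


def nat_report(text):
    """Map session ID -> (original source, translated source or None)."""
    report = {}
    for s in parse_sessions(text):
        inn, out = s["wings"]["In"], s["wings"]["Out"]
        translated = f'{out["dst"]}/{out["dport"]}' if source_nat_applied(s) else None
        report[s["id"]] = (f'{inn["src"]}/{inn["sport"]}', translated)
    return report


if __name__ == "__main__":
    for sid, (orig, translated) in nat_report(SAMPLE_OUTPUT).items():
        print(sid, orig, "->", translated or "not translated")
```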
1. Create a NAT source rule-set. Give this a meaningful name that describes what the rule-set will
do:
[edit]
root# edit security nat source rule-set internet_nat
2. Xxxxxx xxx xxxxxxx xx xxx xxxxxxx. Xxxxx xx xx xxxxxx xxxx xxx xxxxx xx xxxxx xx?
[edit security nat source rule-set internet_nat]
root# set from zone admins
[edit security nat source rule-set internet_nat]
root# set to zone untrust
3. Xxx xxxx xxx xxxx xxxxxxx x xxxx-xxx, xxx xxxxxxx xxx xxxxxxx xx xxx xxxxxxx,
xxxxxxxxx xx xxxxxx xxxx xxxx xxxxxxx xxx xxx xxxxxxxx xxxxxxx xxxx xxx xxxxxx
xxxxxx xxxxx xx xxx xxxxxxxx, xxx XXX xxxxxx xxxx xxxxx xxx xxxxxx xxxxxxxxx. Xxxxx,
xxxxxx x xxxx xxx xxx xxxx xxxx xx xxxxxxxxxx xx xxx:
[edit security nat source rule-set internet_nat]
root# edit rule admins_access
[edit security nat source rule-set internet_nat rule admins_access]
root# set match source-address 192.168.2.0/24
[edit security nat source rule-set internet_nat rule admins_access]
root# set match destination-address all
[edit security nat source rule-set internet_nat rule admins_access]
root# set then source-nat interface
[edit security nat source rule-set internet_nat rule admins_access]
root# commit
commit complete
Xxxxxx xxx Xxx xxxx xxx xxxxx xxxxxxx xxx xxxxxxxxx xxx xxxxx xxxxxxxx xx xxx XX
xxxxxxx 66.129.250.1. Xxxx XX xxxxxxx xxxxxxxxxxx xx xxx XXX xxxxxx xxxxxxxxx,
xxxxxxxxxx xxx xxxxxx xxxxxxxxx xx xxxxxx XXX.
1. Create a pool of addresses (66.129.250.10 - 66.129.250.15) that will be used as the source IP
for the outgoing packets. Give this pool a meaningful name, describing its purpose for future
reference:
[edit security nat source]
root# set pool public_NAT_range address 66.129.250.10 to 66.129.250.15
2. Xxxxx xxx xxxx xxxx xxxxxxx. Xxxxx xxx xx xxxxxx xxxxxx xxxxxxxx xxxxx, xx xxxxx
xxxxxxx xxxxx xxxx xxxxxxxxxxx xxxx xxx xxxx xx xxxxxx xxx xxxx xxxxx_xxxxxx xxxxx
xxx xxxxxxxx_xxx xxxx-xxx:
[edit security nat source]
root# edit rule-set internet_nat rule admins_access
[edit security nat source rule-set internet_nat rule admins_access]
root# set then source-nat pool public_NAT_range
Xxx xxxxxx xx xxxx xxxxxxxxxxxxx xxxxxx xx xxxx xxxxxxxx xxxxxxx xxx xxx xxxx xx xxx
xxxxxx xxxx xxx xxxxxxxxxx xxxxxxxx xx xxx xx xxx XX xxxxxxxxx xx xxx
xxxxxx_XXX_xxxxx.
Xx xxxxxxxxxx xxx xxxxxxxxxxx xxx xxxxx xx xxxxx xxx xxxx-xxxx, xxxx xxx xxxxxxxxx
Xxxxxxxx 3 xxxx xxx xxxxxxxxx xx xxxx xxxxxxx: Xxxxxx x xxxx xx xxxxxx xxxxxxx.
Xxx xxxx xxx xxxxxxxxx xx xxxxxx x xxxx xx xxxx xxxxxxx xxxxxxxxx xx x xxxx
(192.168.2.2) xx xxx xxxxxxxxxx xx xxx xxx xxxxx_xxxxxx xxxx.
To Configure a Source NAT Exception Rule:
1. Create a new rule under the internet_nat rule-set. Give the new rule a descriptive name:
[edit security nat source rule-set internet_nat rule admins_access]
root# up
[edit security nat source rule-set internet_nat]
root# set rule NO_translate
[edit security nat source rule-set internet_nat]
root# edit rule NO_translate
2. Define the match criteria (what you are going to except from translation):
[edit security nat source rule-set internet_nat rule NO_translate]
root# set match source-address 192.168.2.2/32
[edit security nat source rule-set internet_nat rule NO_translate]
root# set match destination-address all
IMPORTANT
This step is crucial, and if you forget about it or ignore it, then the host 192.168.2.2 will continue
to be translated. Remember that rules in NAT rule-sets are evaluated in a top-down fashion like a
security policy, so there is always a need to analyze and reorganize the rules when necessary.
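To make the ordering point concrete, here is an added example (not code from the book or from Juniper) that models the internet_nat rule-set as a top-down, first-match list and flags rules that an earlier rule shadows completely. The rule and pool names come from this chapter; the action labels ("pool public_NAT_range", "off") and the shadow check are the example's own.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class NatRule:
    name: str
    source: str                     # match source-address
    destination: str = "0.0.0.0/0"  # match destination-address all
    action: str = "off"             # then: "interface", "pool <name>", or "off"


@dataclass
class RuleSet:
    name: str
    from_zone: str
    to_zone: str
    rules: list = field(default_factory=list)


def _net(prefix):
    return ipaddress.ip_network(prefix, strict=False)


def first_match(rule_set, src_ip, dst_ip):
    """Rules in a rule-set are evaluated top-down; the first match wins."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rule_set.rules:
        if src in _net(rule.source) and dst in _net(rule.destination):
            return rule
    return None


def nat_action(rule_set, src_ip, dst_ip):
    rule = first_match(rule_set, src_ip, dst_ip)
    return rule.action if rule else "off"   # no matching rule: no source NAT


def shadowed_rules(rule_set):
    """Names of rules that can never match because an earlier rule already
    covers every source and destination they would match."""
    shadowed = []
    for j, later in enumerate(rule_set.rules):
        for earlier in rule_set.rules[:j]:
            if (_net(later.source).subnet_of(_net(earlier.source))
                    and _net(later.destination).subnet_of(_net(earlier.destination))):
                shadowed.append(later.name)
                break
    return shadowed


def chapter_rule_set(exception_first):
    """The internet_nat rule-set from this chapter. With exception_first=False
    the rules sit in the order the chapter created them (exception last)."""
    translate = NatRule("admins_access", "192.168.2.0/24", action="pool public_NAT_range")
    exempt = NatRule("NO_translate", "192.168.2.2/32", action="off")
    rules = [exempt, translate] if exception_first else [translate, exempt]
    return RuleSet("internet_nat", "admins", "untrust", rules)


if __name__ == "__main__":
    for order in (False, True):
        rs = chapter_rule_set(exception_first=order)
        print([r.name for r in rs.rules],
              "192.168.2.2 ->", nat_action(rs, "192.168.2.2", "209.239.112.126"),
              "shadowed:", shadowed_rules(rs))
```

With the exception rule created last, the host keeps being translated and NO_translate shows up as shadowed; moving it above admins_access makes the exception take effect while the rest of 192.168.2.0/24 is still translated.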
5. Verify the configuration. This should look similar to the following:
Xxxxx. Xxxx xxxxxxxxxxxx xxx xxxxx xxxxx xxx XXX. Xxx XXX xx xxxxxxxx xxxxxxxxx
xxx xxxxxxx xxxxxxx xxxxxxxxx xx xxx xxxxxxx xxxxxxxx xx xxxxx xxx xxxx xx Xxxxxxx 2.
Xxxxx xxxxxxxxxx xxx xxxxxxx xxxxxxxxxxxxx xxx xxx xxxxxxxx xxx xxxxxxxxxxxxx xx
xxxx xxxxxxxx xxxxxxxxx xx xxx XXX. Xxxx xx xxxxx xxxxxxxx xxx: XXX, XXXxx, XXX,
xxxx-xxxxxxxxxxxx, xxx xxxx xxxxxxxx xxxxxxx xxxxxxxxxxxxxx. Xxx xxxxxx
xxxxxxxxxxxxx xxxxxxxxx xxxxxxxx x xxx xx xxxxxxx xx xxx xx xxxxxxxxx xxxxx xxxxxxx,
xxx xxxx xxxxxxxxxxxxx xxxx xxxxxxx xxxx xxxxx xxx Xxxxx xxxxxxx. Xxxx xxx xx xxxx:
xxxx://xxx.xxxxxxx.xxx/xxxxxxxx/xxxxxxxx/xxxxx-xxx/xxxxx.xxxx.
Xxxx Xxx Xxx xxxxx xxx xxxx xxxxx xxxxxxxxx, xxxxxxxxxx xxx xxx XXX xxxxxxxx xx
xxxxxxxx xxxxxxx. Xxxx xxxxxxxx xxx xxxxxxx xxx xxx xxxxxxxxx xx
xxx.xxxxxxx.xxx/xxxxxxx.
Xxx xxxxxxx, xx xxx xxxx xxxx xxxx, xxx xxx Xxxxx Xxxxxxxx xxxx xxxx XXxxxxx
xxxxxxxxxx. Xxxx xxx xx xxxx: xxx.xxxxxxx.xxx/xxxxx.
Xxx xxxx xxxxx xxxx xxxx xxxx xx xxxxxxxx XXX xxxxxxx xx xxxxxxxxxxx xx xxxxxxxx.
Chapter 8
Importing the SRX into NSM
Preparing the SRX for NSM Connectivity. . . . . . . . . 80
Importing the SRX into NSM. . . . . . . . . . . . . . . . . . . . . .81
Xx xxx xxx xxxxxxxxxx xxx xxxxxxxx xxxxxxxx XXX xxxxxxx xxx xxxxx Xxxxxxx
xxxxxxxx, xxx Xxxxxxx xxx Xxxxxxxx Xxxxxxx (XXX) xxxx xxxx xxx xxxx x xxxx
xxxxxxxxxx xxxx xx xxx xxxxxxx, xxx xxxx xxxxxxxx xxxx xxxxxxxxxxxxx xxx
xxxxxxxxxxxxxxx xxxxx. Xx xxxx xxxxxxx xxxxx xxxxx xxx xx xxxxxx xxxx XXX xxxx
XXX. Xxx xxxxxxxxxxxx xxx xxxxxxxxxxxxx xx XXX, xxx xxx xxxxxxx xxxxxxx xxxxxxxx,
xxx xxx xx xxx xxxxx xx xxxx xxxx. Xxx xxxxxxxxx xxxx xx xx xxxx xxxxx XXX xxxxx xx
xxxxxxxxxx xxxx XXX xxx XXX, xxx xx xxxxxx xxxx xxx XXX xx xxxxxxxx xxxxxxxx xx
xxxx xxx xxx xxxxxxxx xxxxxxxx xx xxx XXX.
1. Log in to the NSM server as root, or an administrator, with permissions to import the
SRX3400.
2. Under devices click the + to add a new device.
3. Specify that the device is reachable and fill in the IP address and administrator account fields.
The IP address in this example is that of the fxp0 interface, and the administrator account is from
the SRX, not the NSM.
4. Click Next to accept the SSH keys.
5. When the device is auto detected, click Next to confirm to NSM that you wish to import it.
If you did not configure a hostname for the device during initial installation, then you can specify
one here before importing the device; otherwise the Device Name will already be populated.
8. Inspect the device configuration in NSM, such as the security policies. Proceed with any
management functions from here.
Xxxx xxxx xxxxxx xx, xxx xxx xxxxxxxx xxxxxxxx xxx XXX xxx XXX. Xxx xxxxxxx xxxx xx
xxx XXX xxx X-Xxx, xx xxx XXX, xxx xxxxxxxxxxx xx XXX xx xxx xxxx xxxxxxxxxxxxx
xxxxxx, xxxxxx xxx xxxxxx xxx xxxxxx xxxxxxxxxxxxx xxxxx.
Chapter 9
Troubleshooting Tools
Understanding Flow Processing. . . . . . . . . . . . . . . . . . 88
Examining Logs and System Status. . . . . . . . . . . . . .89
Enabling Traceoptions. . . . . . . . . . . . . . . . . . . . . . . . . . . .91
Xxxx xxxxxx xx xxxxx xx xx xxxx xx xxxx x xxxxxxxx xxx xx xxxx xx xxxx xxxx xx xx.
Xxxxx xxxx xxxxxxx xxxxxxxx x xxx xxxx xxxx xxxxx xx x xxxxxxxx xxxxx xx xxxxxx xxx
xxx xxxxxx xxxxxxx xxxxxxxxxxxx xxxxxxxx.
Xxx XXX xxxxxx xxxx xxxxxxxxx xxxxxxxx, xxx xxxx xxxx xxxxxxxx xxxx x xxx xx xxxx.
Xxxxxxx x xxxxxxxxxxxxx xxxxx xx xxx xxx XXX xxxxxxxx xxx xxx xx xxxxxxxxxxxx xxxxx
xxxxxxxx xxxx Xxx Xxx xxxxx xxx xxx xxxxxxxxxxx xx xxxx xxxxxxxx xxxxxxxxxx.
MORE?
Junos Security, recently published by O'Reilly Media, has several troubleshooting sections and
case study scenarios that can be helpful to readers of this book. For more info, see
www.juniper.net/books.
Xxx xxx xxx xxxxxx xx xxxx xxxxxxxxx xxxxx, xx xxxxx xxxxxxxxxx xxxx xxxxxxx,
xxxxxxx, xxx xxxx xxxx xxxx xxx xxxxx xxxx xxxx xxx xxxxxxxxxx xx xxx xx xxxx xxxxx xx
xxxxxxx. Xxx xxxx xxx xxxx xx xxxxxxxx, xxxx xx xxx xxxxxx xx xxx xxxxxx xxx xxxxxxxx
xxxxxxxx.
Xx xxxx xxx xxxxxx xxxxxxxx xxxxxxxx xxxx xxxxxx xxxxxxxxxx xx xxxxxxx xxx XXX, xxx
xxx xxx xxx xxxxxxxxx xxxxxxxxxxx:
> show log messages | match ssh | match Failed password | trim 38
Xxxx xxxxxxx xxxxx xxxx xx xxx xxxxxxxx xxx xxxx, xxx xxxxx xxx xxxx xxxxxx xxxxx
Xxxxxx xxxxxxxx xxxxxxxx xxxx xxxxxxxx. Xxx xxxx 38 xxxxxx xxxxx xxx xxxxx 38
xxxxxxxxxx xxxx xxx xxxxxx xx xxx xxx xxx xxxxxxxxxx xx xxx xxxx xxxxxx.
Xxxxxxx xxxxxxxxxxx xxxxxx xxxx xxxxxxx xxxx xxxx xx xx xxx xxx xxxxx xxxxxxx xxxxxxx,
xxxxx xxxxxx xxx xx xxxxxxx x xxx xxxx xx xxxx xxxx, xx xxxx xx xxxxx xxxxxxx xx xx
xxxxxxxxx xx xxxxxxx xxxxx xxxx. Xxxx xx xx xxxxxxx xxxxx xxx xxxx xxx xxxxxx xxx
xxxxxxxx xx xxxx xxxx.
To Use the Start Monitor Tool :
1. Start monitoring the log file (and apply match statements if you want to narrow your search):
barnys@SRX3400> monitor start messages | match ssh | match Failed password
2. Press Esc-Q to enable and disable the output display to console as needed:
barnys@SRX3400>
*** monitor and syslog output enabled, press ESC-Q to disable ***
*** messages ***
Jun 27 00:19:54 SRX3400 sshd[64008]: Failed password for john from 10.188.133.42 port 50021 ssh2
barnys@SRX3400>
*** monitor and syslog output disabled, press ESC-Q to enable ***
3. Stop the real time monitoring of the file. This does not cause logging to stop recording events,
but the events are not shown on the console anymore:
barnys@SRX3400> monitor stop
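Grepping the messages file shows the failures; turning them into an alert needs a little counting. This added example (not from the book, nor Juniper code) parses sshd "Failed password" lines in the format shown above, groups them per source address in a sliding time window, and lists the usernames each source tried. The log lines are constructed: only the first reproduces the chapter's line, the rest are made up, and the threshold and window are arbitrary defaults.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the format of the sshd "Failed password" message
# shown in this chapter; all users and addresses beyond that first line are made up.
SAMPLE_MESSAGES = """\
Jun 27 00:19:54 SRX3400 sshd[64008]: Failed password for john from 10.188.133.42 port 50021 ssh2
Jun 27 00:19:57 SRX3400 sshd[64008]: Failed password for john from 10.188.133.42 port 50021 ssh2
Jun 27 00:20:01 SRX3400 sshd[64010]: Failed password for invalid user admin from 10.188.133.42 port 50033 ssh2
Jun 27 00:20:05 SRX3400 sshd[64012]: Accepted password for barnys from 10.188.133.7 port 50100 ssh2
Jun 27 00:20:09 SRX3400 sshd[64015]: Failed password for root from 10.188.133.42 port 50040 ssh2
Jun 27 00:21:30 SRX3400 sshd[64020]: Failed password for barnys from 10.188.133.7 port 50120 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failed_logins(text):
    """Return one dict per failed-password line. The syslog timestamp carries
    no year, so the parsed datetimes default to 1900; only differences are used."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append({"ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
                           "host": m["host"], "user": m["user"], "src": m["src"]})
    return events


def brute_force_sources(events, threshold=3, window_seconds=60):
    """Map source IP -> largest number of failures seen inside any
    window_seconds-long window, for sources that reach the threshold."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e["ts"])
    hits = {}
    for src, times in by_src.items():
        times.sort()
        best = 0
        for i, start in enumerate(times):
            j = i
            while j < len(times) and (times[j] - start).total_seconds() <= window_seconds:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            hits[src] = best
    return hits


def users_tried(events, src):
    """Sorted distinct usernames a source failed to log in as."""
    return sorted({e["user"] for e in events if e["src"] == src})


if __name__ == "__main__":
    ev = parse_failed_logins(SAMPLE_MESSAGES)
    for src, n in brute_force_sources(ev).items():
        print(f"{src}: {n} failures within 60s, users tried: {users_tried(ev, src)}")
```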
There are many parameters available to check chassis-related information, so check the help prompt to see them all:
> show chassis ?
MORE?
The complete list of available show commands and their descriptions can be found in the CLI
Reference Guide, found here (for version 10.1) at www.juniper.net/techpubs/software/junossrx/junos-srx10.1/index.html. You can also find lots of device-agnostic command usage examples
in Day One books from the Junos Fundamentals Series: www.juniper.net/dayone.
Enabling Traceoptions
Xxxxxxxxxxxx xxx xxx xxxxxxxxxx xx xxxxxxxxx xxxxx xxxx xxxxx xxxxxxx xxxxxxxx, xx
xx xxx xxx xxxxxx xxxx x xxxxxxxxxx xx xxxxx Xxxxxxx Xxxxxxxx XxxxxxXX xxxxxxxxx
xxx xxx xxxxxxxx xxxx xxxxx xxxx xxxxx, xxxx xxxx xxxxxxx xxxx xxxx xxx xxx xx xx xxx xxxx
xx xxx XXX.
Xx xxxxx xxxxxxx xx xxxx xxxxxxxx xxx XXX, xxx xxxx xx xxxxxxxxx xxxxxxxxxxxx xxx
xxxx xxxxx-xxxxxxxx. Xxxx xxxx xxxxx xxxxxxx xx xxxx xxxxx xxx XXX xxxxx xxxx xxxx,
xxxxxx xxx xxxxxxx xx xxx xxxxxxxxx xxxxxxx xxx XXX xx xxxxxx xxxxx xxx xxx.
1. Enable traceoptions flag basic-datapath. Capture the results to a file of your preference:
barnys@SRX3400# set security flow traceoptions file DEBUG
barnys@SRX3400# set security flow traceoptions flag basic-datapath
2. Configure a packet-filter to match traffic going one way (outbound in this case):
barnys@SRX3400# set security flow traceoptions packet-filter match-outgoing source-prefix 192.168.2.0/24
barnys@SRX3400# set security flow traceoptions packet-filter match-outgoing destination-prefix 0.0.0.0/0
NOTE
Steps 2 and 3 are necessary because Junos only captures unidirectional flows. Multiple packet-filters then let you capture both the outgoing and reverse flows. Individual packet-filter
configurations like the ones in this example are processed as OR statements, instructing the SRX to match
traffic that matches either filter.
4. Xxxxx xxxxxxxxxx xxxx xxxxxxxxxxxxx, xxx xxx xxxxxxx xxx xxxxxxx xxxxxxx xxxx xxx
xxxx xxx XXXXX xxxxxxx.
MORE?
Troubleshooting is a huge topic whose surface has barely been scratched here, but as with
everything in this short book, it's a jump start to a much larger SRX world. Use other Day One
books to assist you in troubleshooting, the new SRX book, Junos Security from O'Reilly Media,
and of course, the SRX documentation.
Appendix
SRX Default Factory Configurations. . . . . . . . . . . . . . 94
Reviewing and Applying Licenses. . . . . . . . . . . . . . . .98
Steel-Belted RADIUS Integration. . . . . . . . . . . . . . . . 100
What to Do Next & Where to Go. . . . . . . . . . . . . . . . . .107
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
## Warning: missing mandatory statement(s): root-authentication
}
interfaces {
interface-range interfaces-trust {
member ge-0/0/1;
member fe-0/0/2;
member fe-0/0/3;
member fe-0/0/4;
member fe-0/0/5;
member fe-0/0/6;
member fe-0/0/7;
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
ge-0/0/0 {
unit 0;
}
vlan {
unit 0 {
family inet {
address 192.168.1.1/24;
}
}
}
}
security {
nat {
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.0;
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
}
}
}
}
}
}
policies {
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
}
wlan {
cluster vlan-0-default {
name juniper-ap-cluster;
default-cluster;
interfaces {
vlan.0;
}
}
}
vlans {
vlan-trust {
vlan-id 3;
l3-interface vlan.0;
}
}
Xxx xxxxx xxxxx xxxxxxxxxxx xxx xxxxxx xxxxxxx xx xxxxxxxx xxx xxxxxxxx x xxxxxxx.
To Apply a License:
2. Xxx xxxxxx xx xxxx xxxx xxxxxxxxx xxxx xxxxx xxx xx xxxxxxxx xxxxxxxxxx xxxx
xxxxxxx xxxxxxxxx. Xx xxxxxxx xxxxx xx xx XXX xxxxxxxx xxxx xxxxxxxxxx.
Xxxxxx-xxxxx xxxx xxx xxxxxxx xxxxxxxx xxxxxxx xxxx xxxxxxxx xxxxxx xxxxxx. Xx
xxxx xxx xxxxxx xxxxxx:
root> show chassis hardware
Hardware inventory:
Item             Version  Part number  Serial number  Description
Chassis                                AA4508AD0013   SRX 3400
3. Xxxx xxx xxxxxxx xxxx xxxxxxxx xx xxxxxxx xx xxx xxxxx xxxx xxxxxx. Xxxx xxx xx xxx
xxxxxxxx xx xxx xxxxxxxxx xx xxxxxxxxxxxx xxxxxxxxxx, xxx xxxx xxxxxxxx Xxxx->Xxxx.
4. Xx xxx XXX, xxxx xxx xxxxxxxxx xxxxxxxxxxx xxxx xxxxxxx, xxx xxxx xxx xxxxxxxx xx
xxx xxxxxxxxx, xxxxxxxx xx Xxxx-X (xxxxxx xxxxxxxx):
root> request system license add terminal
[Type ^D at a new line to end input,
enter blank line between each license key]
JUNOS252544 aeaqea qmifat injqhb auimbq gezqqb qcdw4x
loxva4 ueffko xw4whk 6mfqs6 7oyg5t zn2j5k
upc2ff bxrvkt 4ut24u w44joc n24g4x 7pevbz
psq
JUNOS252544: successfully added
add license complete (no errors)
root>
5. Xxxxxxxx xxx xxxxxx xxxxxxxxx xx xxxxxx, xx xx x xxxx xxxxxxxx xx xxxxxxx xxxx xxx
xxxxxxx xxx xxxxxxx xxxxxxxx:
Xxxxxxxx xxxx xxxxxx xx xxxx xx xxx xxxxx xxxx, xx xxxxx xx xx xxxx xx xxxxxx xxxx
xxxxxx.
1. Connect to the SBR, and launch the application. The connection is made by pointing a browser
to the SBR's IP address on port 1812, like http://[server_IP]:1812. When the application
launches it looks something like this:
2. Xxx xxx XXX xxxxxx, xx xxxx xxxx xxx XXX. Xxxxxx xxxx xxx xxxxx xxxxxx xxxxxxx xx
xxx xxx xxxxxxxxxx xx xxx xxxxxxxx. Xxx xxxx xxx xxxxx xxxxxxxx xxxxx xxxx, xx xxx
xxxxxxxxxxxxxx xxxxxxxxx xxxxx xxx xxxx xx X/X Xxxxxx xx xxxxxxx.
3. Xxx xxxxx, xxxx xx xxx xxxxx xxxxxxx xxxxx,: xxxxxx, xxxxxx, xxxxx xxx xxx. Xxxxxx
xxxxx xxxxx \\XXXXXX\[xxxx] xxxxxxxxx xxxx xxxx xxx xxxx xx xxx XXXXXX xxxxxx.
Xxxx, xxxx xxxxx xx x xxxxxxx xxxx xxx XXX xx xxxx xxx XXX xxxxxx xx xxxxx xxx xxx
Xxxx-Xxxxxxxx xxxxxxx xxx xxxxxxxxx xxxxxxxx.
4. Xxxxxx xxx xxxxxxxxxxxxxx xxxxx xx xxxx xxx xxxxxxxx xxxxxxxx XXX xxxxxxxx xxxxx
xxx xxx Xxxxxxx xxxx xxxxxx, xxxx xxx Xxxxxxx xxxxx xxxxxxxxxx, xxx xxxxxx xxx xxx
xxxxxxxx xxxxxxx xx xxx XXX xxxxxxxx.
5. Xxxxxx xxxx xxx xxxxx xx xxxxxxxx xxxxx xx xxx Xxxxxx Xxxxxxxxx. Xx xxxx xxxxxx
xxxxx, xxx xxxxxxxxxxxxx xxx xxxxxx xx xxxxxx x XXX-xxxxxxxxxxxxxx xxxxx, xxx xxxx
xxx xx xxx xxxxxxx x xxxx xx xx.
2. Xxx xxx xxxx xxxxxxxx xxxxxx xx xxx XXXXX-XXXX xxxxx, xxx xxxxxx xxx xxxx
xxxxxxxxxxx. Xx xxxx xxx x xxxxxxxxxx xxxx xxxx xxxxxxx xx xxxx xxxxx xx Xxxxxx
Xxxxxxxxx, xx xxxxxxx xxxx xxxxxxxxxx.
3. Xxx xxxx xxx xxxxxxxxxxx xxxxxxx xxx xxxx xxxxxxx xxx xxx XXXXXXXXXX xxxxx.
Xxxxxx xxxx xxx xxxxxx xxxx xx xxxx xxxxxxxx, xxxxxxxx xxxxxxxxxxxxx xxxxxxx xxxx
xxxx xxxxxxxxxx.
4. Xxx xxxx xxxxxxxxxx xx xxx xxxx xxxxxxx xxx xxx XXXX-XXXX xxx XXXXXXXX
xxxxxx. Xxxxx, xxxx xxxx xx xxx xxxxxxxxxxx xxx xxxx xxxxx.
5. Xxxxxx xxx xxxxxxxxxxxxxx xxxxx xx xxxx xxx xxx xxxxx xxxxxxxxxx xx xxxxxxxx
xxxxx, xxxxxx xxx xxxxxxxxxx xxxx xxxxxxxx.
6. Xxxx xxxx xxxx xxx xxxx xxx xxxxxx xxxxxxx xx Xxxxxx Xxxxxxxxx, xxx xxxx xxx xxxxx
xxxxxx xx xxxxx xxxxxxxxxxxxx xxxxxx, xxxxxxxxx xx xxx xxxxxxxx xxxxxxxxxx.
www.juniper.net/dayone
Xx xxxxx xxxxxxx x xxxxx xxxxxxx xx xxxx xxxxxxx, xx xxxx xx xxxxxxxx xxx XXX
xxxxxxx xx xxxx xxx xxxx xxxxx Xxx Xxx xxxxxxxx xxx xxxxxxxxx xxxxxxxxx.
www.juniper.net/junos
Xxxxxxx xxxxx xxxx xxxxxxxx xxxx xxxxxxxxxx xx xxxxxx xxx xxxxxxx xxxxxxxxx xxxxx
xx xxxxxx xxxxxxxxx xx xxxxxxx xxxxxxxxxxxxxx. Xxxxx xxx xxxx xxxx-xxxxxxxxx xxxx xx
xxxxx xxxxxxxxx xxxxx xxxxxxxxx xxx xxx XXX-xxxxxxxx Xxxxx Xxxxxxxx.
www.juniper.net/training/fasttrack
Xxxx xxxxxxx xxxxxx, xx xxxxxxxx, xx xx xxx xx xxx xxxxxxx xxxxxxxx xxxxxxx xxxxxx
xxx xxxxx. Xxx Xxxxxxx Xxxxxxx Xxxxxxxxx Xxxxxxxxxxxxx Xxxxxxx (XXXXX) xxxxxx
xxx xx xxxx xxxxxxxxxxxxxx xx xxxxxxxxxxxxx xxxxxxxxxx xx xxxxxxxxxxxxx xxx
xxxxxxxxxxxxxxx xx Xxxxxxx xxxxxxxx. Xx xxx xxxx xxx xxxx xxxxx xx xxxxxxx xxxx
xxxxxxxxxxxxxx xx xxxxxxxxxx xxxxxxx, xxxxxxxxx, xx xxxxxxxx xxx xxx xxxxxxxxx
xxxxxx xxxxxxx, xxxxxxx xxxxxx, xxx xxx xxxxxx.
Xxxxxxxx
Xxxxx
xx xxx xxxxxxxx xxx xxxxxxxxxx xxxxxxxxxxxx xx Xxxxxxx
Xxxxxxxx xxx XXX xxxxxxxx xxxxxx xxxxxxx xxx Xxxxx xxxxxxxxx xxxxxx. Xxxx xxxx
xxx xxxx xxxxxxxx x xxxxxxxxx xxxxx-xx xxxxx xxxxx xx xxxxxxxxx, xxxxxxxxxxx, xxx
xxxxxxxxx XXX, xxx xxxx xxxxxx xx x xxxxxxxxx xx xxxx xxx xxxxxxx xxx xxx XXXXXXX xxx XXXXX-XX Xxxxxxxxxxxxx xxxxxxxxxxxx.
Xxxxxxx xxxxxxxxxxxxxx xxx xxxxxxxx xxxxxxxxxxxxx xxxx xxxxx xxx xx xxxxxxx x xxxxx
xxxxx xx xxxxxxxxxx xxxx xxxxxxx xxxxxxxxxxxx xxxxx XXX Xxxxx xxxxxxxx xxxxxxxx
xxxxxxxxx XX xxxxxxx, xxxxxxxxx xxxxxxxxx, xxxxxx xxxxxxxxxx, xxxxxxx xxxxxx
xxxxxxxxxx, xxx XXX xxxxxxxxxxxx. Xxxxx Xxxxxxxxxx Xxxxxxxx xx x xxxxx xxx
xxxxxxxx xxxxxxx xx XXX xxxxxxx xxxxx.
x Xxx xx xx xxxxx xx Xxxxxxxx xxxxx-xxxxxxxx XXX xxxxxxxxx xxx XXX Xxxxx
xxxxxxxx
x Xxxxx xxxxxxxx xxxx xxxxxxxxx xxxx xxxxxxxxx xxxxxxxxxx xxxxx XXX
x Xxxx xxxxxxxxx xx xxx xxxxxxx xxxxxxxxx xxxxxxx xxxx xxxxxxx xxx xxxxxxxxxxxxxxx
xxxx
x Xxxxxx xxxxxxxx xxxx XXX xxxxxxxx xxxxxx, Xxxxxxx Xxxxxxx Xxxxxxxxxxx, xxx
XXXxx XXX xxxxxxxxxxxxx
x Xxxxx xxxxx xxxxxxx xxxxxxxxxxxx xxx xxxx xxxxxxxxxxxx xx XXX xxxxxxxxx
Xxxxxxxxx xxxxxxxx xxxxxxxxx xxxxx xxx xxxx. Xxx xxxx xxxxxxxxxxx xxxxx xxxx xx
xxxxx xxxxxx xx xxx Xxxxxxx Xxxxxxxx Xxxxxxxxx Xxxxxxx xx xx: xxx.xxxxxxx.xxx/xxxxx.