Talk:SRX
SRX training points
- no root user ==> no shell prompt (non-root login lands directly in the CLI)
- edit is the same as configure
- configure private ==> use it when multiple administrators are editing the firewall
Candidate Config ==> commit ==> Active Config
- rollback 1 ==> revert to the previous config
- set system max-configurations-on-flash 5 (range 0..49)
show | compare rollback 1
request system configuration rescue save
- rollback rescue
show | save Juniper1
- up, up 2, top ==> move up one level, up two levels, to the top of the hierarchy
- set interfaces ge-0/0/2 disable
  delete interfaces ge-0/0/2 disable
- set system services telnet
  set system services ssh
- enable services (ssh, https) as host-inbound-traffic in the zone from which you want to manage the box.
- Flow ==> first flow (first path) ==> decision only taken
  ==> fast flow (fast path) ==> action taken, e.g. drop packet
- session table is built in both directions
- null zone = all traffic dropped
- any traffic originating from or going to the SRX itself (self traffic, e.g. ping) ==> junos-host zone
Day 2
- [edit security zones]
    security-zone untrust
      interfaces ge-0/0/0.0, ge-0/0/1.0 {
        host-inbound-traffic telnet, bgp (for bgp neighborship), ike (for vpn traffic)
      }
- 'all' services = ports 1-1024 (well-known only), not the full range up to 65535
- security zones hr { host-inbound-traffic telnet ftp } with interface ge-0/0/0.0 { host-inbound-traffic snmp }
  will permit only snmp on ge-0/0/0.0, not telnet or ftp (the interface-level list overrides the zone-level list)
- services all; telnet { except; }
  will permit all services except telnet
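An added example, not from the training notes or from Juniper, that models the two host-inbound-traffic rules above (an interface-level list replaces the zone-level list; 'except' removes a service from 'all') as a small evaluator useful for checking a zone before committing; the zone dictionaries, interface names and service names are constructed for illustration.

```python
def parse_services(spec):
    """Turn a spec such as ['all', ('telnet', 'except')] into
    (allow_all, allowed, excepted)."""
    allow_all, allowed, excepted = False, set(), set()
    for item in spec:
        if isinstance(item, tuple):          # ('telnet', 'except')
            name, flag = item
            if flag == 'except':
                excepted.add(name)
        elif item == 'all':
            allow_all = True
        else:
            allowed.add(item)
    return allow_all, allowed, excepted


def service_permitted(zone, interface, service):
    """True if the SRX itself accepts `service` arriving on `interface`.

    An interface-level system-services list, when present, replaces the
    zone-level list for that interface (it does not merge with it).
    An 'except' entry removes a service from 'all'.
    """
    iface_cfg = zone['interfaces'].get(interface)
    if iface_cfg is None:                    # interface not bound to this zone
        return False
    spec = iface_cfg.get('system-services')
    if spec is None:
        spec = zone.get('system-services', [])
    allow_all, allowed, excepted = parse_services(spec)
    if service in excepted:
        return False
    return allow_all or service in allowed


# Constructed zone 'hr': zone-level telnet+ftp, but ge-0/0/0.0 lists only snmp.
HR_ZONE = {
    'system-services': ['telnet', 'ftp'],
    'interfaces': {
        'ge-0/0/0.0': {'system-services': ['snmp']},
        'ge-0/0/1.0': {},
    },
}

# Constructed zone 'trust': all services except telnet.
TRUST_ZONE = {
    'system-services': ['all', ('telnet', 'except')],
    'interfaces': {'ge-0/0/2.0': {}},
}
```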
- ping 1.1.1.1 rapid
- show route
  [static/5] ==> static = source protocol, 5 = route preference
- VPN monitor ==> established on-traffic|always
- route based vpn ID = ~16254
Policy based vpn ID = ~13, 32, etc
- delete security flow ==> delete everything below flow, including flow.
- commit check
- commit confirmed 5
- replace pattern prop1 with prop2 [check the hierarchy you are in first, or everything will be replaced]
- Ctrl+W = delete 1 word back
- show interfaces terse | match inet
- in SRX you need to give the exact subnet (network) address; an address from inside the subnet will not work
  10.12.34.128/26 will work, 10.12.34.130/26 will not work
- interface ge-0/0/0.0 in zone untrust: host-inbound-traffic system-services ike
  without this the VPN will not work.
Day 3
- set file flow-trace files 3 size 1M world-readable (under the flow traceoptions)
  Very important, or the logs will fill up the entire /var/log disk
- ping 1.1.1.1 -n 1
- show | match traceoptions | display set
  This will show all debugs (traceoptions) that are enabled
- Entire config is on the active box;
  changes can only be made on the active box because the control plane runs on the active box only.
- Only 2 boxes can be added in HA
- fxp1 = control plane interface
  fxp0 = out-of-band management
  fab = data plane (fabric) interfaces
  swfab = switching data plane interface
  reth = a redundant (ethernet) interface
- Cluster ID = 0 ==> no HA
- on a monitored interface failure: RG threshold = RG threshold - interface weight
- RG0 ==> failover of the control plane
  may be used during an upgrade in a cluster
- show chassis cluster status redundancy-group 1 # Check status
  request chassis cluster failover redundancy-group 1 node 1 # Failover
- Reset failover
  request chassis cluster failover reset redundancy-group 1
  cannot fail over twice, so the manual failover has to be reset first
- show log jsrpd | match RG-0 | match "Jan 02" # log created by default
- JSRPD traceoptions flags: cli, config, heartbeat
- show chassis ==> alarm, hardware, environment, routing-engine, fpc
- show system ==> statistics, storage, connections, users
- show route ==> protocol, hidden, detail, advertising-protocol
- monitor interface traffic # check pps, bps, etc.
- monitor traffic interface ge-0/0/0 layer2-headers detail # traffic to the RE
  ge-0/0/0.1 ==> traffic for the interface itself only, no pass-through traffic
  ge-0/0/0 ==> pass-through traffic also
- request support information
- rollback (no number) ==> revert uncommitted changes
- AppSecure ==> like Palo Alto firewalls, application-layer security
Super SRX Packet Capture Filter
# pulls the interesting lines out of the flow trace, strips the "RT:" prefix and marks packet boundaries
egrep 'matched filter|(ge|fe|reth ) -.*- > .*|session found|Session \(id|session id|create|dst_nat|chose interface|dst_xlate|routed|search|denied|src_xlate|dip id|outgoing phy if|route to|DEST|post' /var/log/mchtrace \
  | uniq \
  | sed -e 's/.*RT://g' \
  | awk '/matched/ {print "\n\t\t\t=== PACKET START ==="} ; {print} ;' \
  | awk '/^$/ {print "\t\t\t=== PACKET END ==="}; {print};' ; echo | awk '/^$/ {print "\t\t\t=== PACKET END ==="}; {print};'
Points to be added
- Reth count needs to be increased by 1 if a new interface is added in JSRP.
- In NSM, a schema is required only for Junos devices, not SSGs.