Talk:SRX

From Network Security Wiki

SRX training points

no root user ==> no shell prompt (only root gets a shell)

edit is the same as configure (both enter configuration mode)

  1. configure private ==> use it when multiple administrators are editing the firewall at the same time; each one works in a separate private candidate config

Candidate Config ==> commit ==> Active Config

  1. rollback 1 ==> revert to the previous committed config
  1. set system max-configurations-on-flash 5
 range 0....49 (number of rollback configs kept on flash)

show | compare rollback 1

request system configuration rescue save

  1. rollback rescue

show | save Juniper1


up / up 2 / top ==> move up one level, up two levels, or to the top of the hierarchy

set interfaces ge-0/0/2 disable
delete interfaces ge-0/0/2 disable

set system services telnet
set system services ssh

Also enable the management services (ssh, https) under host-inbound-traffic in the zone from which you want to manage the box; enabling the service under system services alone is not enough.
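The notes above describe the pieces of a change separately; the session below puts them in the order a safe change is actually made. It is an added example, not from the training notes; the hostname, user and zone name are placeholders, and lines starting with ## are annotations.

```junos
## Added example, not from the training notes: one safe change session on an
## SRX. Prompts, user and zone names are placeholders.

user@srx> configure private
## private candidate: other admins' uncommitted edits never mix with yours

[edit]
user@srx# set system services ssh
user@srx# delete system services telnet
## the zone you manage from must also let the service in:
user@srx# set security zones security-zone trust host-inbound-traffic system-services ssh
user@srx# set security zones security-zone trust host-inbound-traffic system-services https

user@srx# show | compare
## review the candidate-vs-active diff before anything goes live

user@srx# commit check
## syntax and semantic check only; nothing is activated

user@srx# commit confirmed 5
## goes live now, but rolls back by itself after 5 minutes if no confirming
## commit arrives (e.g. the change locked you out of the box)

user@srx# commit
## confirms the change; must be run within the 5 minutes

user@srx# run show system commit
## commit history, so you know which rollback number is which
user@srx# run request system configuration rescue save
## snapshot this known-good config; "rollback rescue" returns to it later
user@srx# exit
```

The confirming commit is the whole point of the pattern: a management change that breaks reachability undoes itself without anyone at the console.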


Flow ==> first flow (first packet of a session) ==> decision only taken (session set-up)

    ==> fast flow (later packets of the session) ==> action taken, e.g. drop or forward the packet

Session table entries are built in both directions.

null zone = all traffic dropped

Any traffic originating from or going to the SRX itself (self traffic, e.g. ping to the box) ==> junos-host zone

Day 2

  • [edit security zones]
security-zone untrust {
    interfaces {
        ge-0/0/0.0;
        ge-0/0/1.0 {
            host-inbound-traffic {
                system-services {
                    telnet;
                    ike;      /* for VPN traffic */
                }
                protocols {
                    bgp;      /* for BGP neighbourship */
                }
            }
        }
    }
}
  • 'all' services = 1-1024 = well-known ports only, not all 65535
  • security zones, zone level vs interface level:
security-zone hr {
    host-inbound-traffic {
        system-services {
            telnet;
            ftp;
        }
    }
    interfaces {
        ge-0/0/0.0 {
            host-inbound-traffic {
                system-services {
                    snmp;
                }
            }
        }
    }
}

will permit only snmp on ge-0/0/0.0, not telnet/ftp (the interface-level list replaces the zone-level list for that interface)

  • services
host-inbound-traffic {
    system-services {
        all;
        telnet {
            except;
        }
    }
}

will permit all system services except telnet

  • ping 1.1.1.1 rapid
  • show route
 [Static/5]

Static = route source (protocol), 5 = route preference

  • VPN monitor; establish-tunnels on-traffic | immediately (always up)
  • route-based VPN: SA/tunnel IDs look like ~16254
 policy-based VPN: IDs look like ~13, 32, etc
  • delete security flow ==> deletes everything below flow, including flow itself
  • commit check
  • commit confirmed 5 ==> rolls back automatically after 5 minutes unless confirmed with another commit
  • replace pattern prop1 with prop2 [check the hierarchy you are in here, or everything will be replaced]
  • Ctrl+W = delete one word back
  • show interfaces terse | match inet
  • the SRX needs the exact network address of a subnet; a host address from inside the subnet will not be accepted
10.12.34.128/26   will work
10.12.34.130/26   will not work
  • interface-level host-inbound-traffic (untrust zone):
interfaces {
    ge-0/0/0.0 {
        host-inbound-traffic {
            system-services {
                ike;
            }
        }
    }
}

without this the VPN will not work (IKE to the external interface is dropped).
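The two zone notes above (the hr zone, where an interface-level list replaces the zone-level list, and the all/except form) and the ike-on-the-external-interface requirement are shown together below in set format, which can be pasted into configuration mode. This is an added example, not config from the training notes; zone names, interfaces and the https/bgp additions are assumptions chosen for illustration.

```junos
## Added example, not from the training notes: host-inbound-traffic at zone
## level versus interface level. Zone names and interfaces are placeholders.

## Zone "hr": zone-level services apply to every interface in the zone ...
set security zones security-zone hr host-inbound-traffic system-services telnet
set security zones security-zone hr host-inbound-traffic system-services ftp
set security zones security-zone hr interfaces ge-0/0/3.0
## ... unless an interface carries its own host-inbound-traffic block, which
## replaces (does not add to) the zone-level list for that interface.
set security zones security-zone hr interfaces ge-0/0/4.0 host-inbound-traffic system-services snmp
## Result: ge-0/0/3.0 accepts telnet and ftp to the SRX; ge-0/0/4.0 accepts only snmp.

## "all except": every system service to the SRX except telnet.
set security zones security-zone mgmt host-inbound-traffic system-services all
set security zones security-zone mgmt host-inbound-traffic system-services telnet except
set security zones security-zone mgmt interfaces ge-0/0/5.0

## Zone "untrust": the external interface must accept ike or the VPN never
## negotiates. bgp is a routing protocol, so it goes under "protocols".
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic protocols bgp

## Zone rules only let packets reach the box; the daemons must be on too.
set system services ssh
set system services web-management https system-generated-certificate

## Verify from operational mode:
##   show security zones hr
##   show security zones untrust
```

The check worth remembering is the output of show security zones for the interface in question: it lists the services that interface really accepts, which is what catches a forgotten interface-level block that silently shadowed the zone-level list.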

Day 3

  • [edit security flow traceoptions] set file flow-trace files 3 size 1m world-readable

Very important: without a files/size limit the trace logs will fill up the entire /var/log disk.
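A bounded flow trace as an added example (not from the training notes): the file limit from the note above, a packet-filter so only the traffic being debugged is traced, and the clean-up afterwards. The addresses and filter name are placeholders.

```junos
## Added example, not from the training notes: bounded flow tracing.
## Addresses and the filter name "pf1" are placeholders.

## Cap the trace at 3 files x 1 MB so /var/log cannot fill up;
## world-readable lets a non-root user read the file.
set security flow traceoptions file flow-trace size 1m files 3 world-readable

## Trace only the flow you are debugging: without a packet-filter every
## session on the box is written to the trace.
set security flow traceoptions packet-filter pf1 source-prefix 10.0.0.10/32
set security flow traceoptions packet-filter pf1 destination-prefix 192.0.2.20/32
set security flow traceoptions flag basic-datapath
commit

## Read it from operational mode:
##   show log flow-trace
## Find every debug that is still switched on:
##   show | match traceoptions | display set

## Tracing costs CPU and disk; turn it off when done, leaving the
## configuration in place for next time.
deactivate security flow traceoptions
commit
```

Deactivating rather than deleting keeps the filter ready for the next troubleshooting session while the show | match traceoptions check still reports it, so nothing is left running unnoticed.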

  • ping 1.1.1.1 -n 1
  • show | match traceoptions | display set

This will show all traceoptions (debugs) currently configured.

  • The entire config is on the active (primary) box

changes can only be made on the active box because the control plane runs there.

  • Only 2 boxes can be added in HA
  • fxp1 = control plane interface
  • fxp0 = out-of-band management interface
  • fab = data plane interface
  • swfab = switching data plane interface
  • reth = a redundant (Ethernet) interface

  • Cluster ID = 0 ==> no HA
  • remaining RG threshold = RG threshold - weight of each failed monitored interface
  • RG0 ==> failover of the control plane

may be used during an upgrade of a cluster

  • show chassis cluster status redundancy-group 1   # check status
  • request chassis cluster failover redundancy-group 1 node 1   # manual failover
  • Reset failover:
request chassis cluster failover reset redundancy-group 1

a manual failover cannot be done twice in a row, so the first one has to be reset
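The cluster notes above (cluster ID, redundancy groups, reth, interface weights against the RG threshold, manual failover and reset) as one configuration, added here as an example and not taken from the training notes. The slot numbering assumes node 1's interfaces appear as ge-5/0/x, as on branch SRX pairs; priorities, addresses and zone are placeholders.

```junos
## Added example, not from the training notes: a two-node chassis cluster
## with one reth and interface monitoring. Slot 5 for node 1 is an assumption
## about the platform; addresses and priorities are placeholders.

## One-time, per node, from operational mode (each box reboots):
##   set chassis cluster cluster-id 1 node 0 reboot    (first box)
##   set chassis cluster cluster-id 1 node 1 reboot    (second box)
## cluster-id 0 means no cluster.

## reth-count must cover every reth you define (only reth0 here).
set chassis cluster reth-count 1
set chassis cluster redundancy-group 0 node 0 priority 200   ## RG0 = control plane
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200   ## RG1 = data plane
set chassis cluster redundancy-group 1 node 1 priority 100

## Interface monitoring: an RG starts with a threshold of 255 and every
## monitored link that goes down subtracts its weight. With weight 255 one
## failed link takes the threshold to 0 and RG1 moves to the other node.
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/2 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-5/0/2 weight 255

## The redundant interface: one physical member per node, RG1 decides which
## node currently owns it.
set interfaces ge-0/0/2 gigether-options redundant-parent reth0
set interfaces ge-5/0/2 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 203.0.113.2/24
set security zones security-zone untrust interfaces reth0.0

## Verify and exercise from operational mode:
##   show chassis cluster status redundancy-group 1
##   request chassis cluster failover redundancy-group 1 node 1
##   request chassis cluster failover reset redundancy-group 1
## (the reset is needed before a second manual failover is accepted)
```

Smaller weights (for example 128 on each of two uplinks) mean a single link failure only lowers the threshold and both links must fail before RG1 fails over; choose the weights to match how many links the node can lose and still carry traffic.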

  • show log jsrpd | match RG-0 | match "Jan 02"   # this log exists by default
  • jsrpd traceoptions:
flag cli
flag config
flag heartbeat
  • show chassis
  alarm
  hardware
  environment
  routing-engine
  fpc
  • show system
  statistics
  storage
  connections
  users
  • show route
  protocol
  hidden
  detail
  advertising-protocol
  • monitor interface traffic   # check pps, bps, etc
  • monitor traffic interface ge-0/0/0 layer2-headers detail   # traffic to the RE
ge-0/0/0.1 ==> traffic for the interface itself only, no pass-through traffic
ge-0/0/0   ==> pass-through traffic also
  • request support information
  • rollback (rollback 0) ==> revert uncommitted changes
  • AppSecure ==> like Palo Alto firewalls, application-layer security

Super SRX Packet Capture Filter

Pulls the interesting lines (filter matches, interface and address pairs, session create/found, NAT, routing and deny decisions) out of a flow trace written to /var/log/mchtrace and marks the packet boundaries:

egrep 'matched filter|(ge|fe|reth)-.*->.*|session found|Session \(id|session id|create|dst_nat|chose interface|dst_xlate|routed|search|denied|src_xlate|dip id|outgoing phy if|route to|DEST|post' /var/log/mchtrace \
  | uniq \
  | sed -e 's/.*RT://g' \
  | awk '/matched/ {print "\n\t\t\t=== PACKET START ==="} ; {print} ;' \
  | awk '/^$/ {print "\t\t\t=== PACKET END ==="}; {print};' \
  ; echo | awk '/^$/ {print "\t\t\t=== PACKET END ==="}; {print};'

Points to be added

  • reth-count needs to be increased by 1 when a new reth interface is added in JSRP (chassis cluster).
  • In NSM, a schema is required only for Junos devices, not for SSGs.