Update Juniper stuff

index.md

@@ -115,10 +115,11 @@ _(Alphabetically sorted, so the ordering might seem a bit strange.)_
 - [HPE/Aruba General](/networking/hpe-aruba-general/)
 - [IPv4 Theory](/networking/ipv4/)
 - [IPv6 Theory](/networking/ipv6/)
+- [Juniper EX Series Switches](/networking/juniper-ex/)
 - [Juniper EX3300 Fan Mod](/networking/juniper-ex3300-fanmod/)
 - [Juniper Hardware](/networking/juniper-hardware/)
-- [Juniper Junos General](/networking/juniper-junos-general/)
-- [Juniper EX Series Switches](/networking/juniper-junos-switches/)
+- [Juniper Junos OS](/networking/juniper-junos/)
+- [Juniper SRX Series Firewalls](/networking/juniper-srx/)
 - [Linksys LGS Switches](/networking/linksys-lgs/)
 - [Linux Switching & Routing](/networking/linux/)
 - [Network Authentication](/networking/net-auth/)

networking/cisco-ios-general.md

@@ -5,12 +5,6 @@ breadcrumbs:
 ---
 {% include header.md %}
 
-### Related Pages
-{:.no_toc}
-
-- [Cisco Routers (IOS/IOS XE)](../cisco-ios-routers/)
-- [Cisco Catalyst Switches (IOS/IOS XE)](../cisco-ios-switches/)
-
 ## General Configuration
 
 ### CLI Usage

networking/juniper-junos-switches.md → networking/juniper-ex.md

@@ -11,7 +11,7 @@ breadcrumbs:
 {:.no_toc}
 
 - [Juniper Hardware](/config/network/juniper-hardware/)
-- [Juniper Junos General](/config/network/juniper-junos-general/)
+- [Juniper Junos OS](/config/network/juniper-junos/)
 
 ### Using
 {:.no_toc}
@@ -49,11 +49,6 @@ breadcrumbs:
     - Locally defined users are not required if RADIUS/TACACS is setup. Class etc. is fetched from RADIUS.
 - Config archival:
     - See `system archival` with `transfer-on-commit` and nLogic slides.
-- LAG:
-    - `aggregated-ether-options minimum-links 1`
-    - `aggregated-ether-options lacp active`
-    - `aggregated-ether-options lacp periodic fast`
-- Loopback address for consistent address if multiple routed interfaces.
 - `default-address-selection` to use loopback address for the source address of e.g. pinging.
 - OSPF:
     - Area, router ID, interfaces (with unit).
@@ -165,16 +160,18 @@ breadcrumbs:
     - Add member ports: `member-range <begin-if> to <end-if>`
     - Configure it as a normal interface, which will be applied to all members.
 1. Setup LACP:
-    1. (Note) Make sure you allocate enough LACP interfaces and that the interface numbers are below 512 (empirically discovered on EX3300).
-    1. Set number of available LACP interfaces: `set chassis aggregated-devices ethernet device-count <0-64>` (just set it to some standard large size)
-    1. Add individual Ethernet interfaces (not using interface range):
-        1. Delete logical units (or the whole interfaces): `wildcard range delete interfaces ge-0/0/[0-1] unit 0` (example)
-        1. Set as members: `wildcard range set ge-0/0/[0-1] ether-options 802.3ad ae<n>` (for LACP interface `ae<n>`)
-    1. Enter LACP interface: `edit interface ae<n>`
-    1. Set description: `set desc <desc>`
-    1. Set LACP options: `set aggregated-ether-options lacp active`
-    1. Setup default logical unit: `edit unit 0`
-    1. Setup VLAN/address/etc.
+    1. (Info) Make sure you allocate enough LAG interfaces and that the interface numbers are below some arbitrary power-of-2-limit for the device model. Maybe the CLI auto-complete shows a hint toward the max.
+    1. Set number of available LAG interfaces: `set chassis aggregated-devices ethernet device-count <0-64>`
+    1. Delete old configs for member interface: `wildcard range delete interfaces ge-0/0/[0-1]` (example)
+    1. Add member interfaces: `wildcard range set interfaces ge-0/0/[0-1] ether-options 802.3ad ae<n>`
+    1. Add some description to member interfaces: `wildcard range set interfaces ge-0/0/[0-1] description link:switch`
+    1. Enter LAG interface: `edit interface ae<n>`
+    1. Set description: `set desc link:switch`
+    1. Set LACP active: `set aggregated-ether-options lacp active`
+    1. Set LACP fast: `set aggregated-ether-options lacp periodic fast`
+    1. (Optional) Set minimum links: `aggregated-ether-options minimum-links 1`
+    1. Enter logical unit: `edit unit 0`
+    1. Setup VLAN/address/etc. (see other examples).
 1. Setup VLAN interfaces:
     1. Setup trunk ports:
         1. (Note) `vlan members` supports both numbers and names. Use the `[VLAN1 VLAN2 <...>]` syntax to specify multiple VLANs.

networking/juniper-hardware.md

@@ -8,8 +8,7 @@ breadcrumbs:
 ### Related Pages
 {:.no_toc}
 
-- [Juniper Junos General](/config/network/juniper-junos-general/)
-- [Juniper Junos Switches](/config/network/juniper-junos-switches/)
+- [Juniper Junos OS](/config/network/juniper-junos/)
 
 ## EX3300
 

networking/juniper-junos-general.md → networking/juniper-junos.md

@@ -1,5 +1,5 @@
 ---
-title: Juniper Junos General
+title: Juniper Junos OS
 breadcrumbs:
 - title: Network
 ---
@@ -7,27 +7,13 @@ breadcrumbs:
 
 **TODO** Clean up, reorganize and add remaining stuff.
 
-### Related Pages
-{:.no_toc}
-
-- [Juniper Hardware](/config/network/juniper-hardware/)
-- [Juniper Junos Switches](/config/network/juniper-junos-switches/)
-
 ## Resources
 
 - [Day One Books (Juniper)](https://www.juniper.net/documentation/jnbooks/us/en/day-one-books)
 - [Introduction to Junos – Part 1 (Packet Pushers)](https://packetpushers.net/introduction-to-junos-part-1/)
 - [Introduction to Junos – Part 2 (Packet Pushers)](https://packetpushers.net/introduction-to-junos-part-2/)
 
-## Info
-
-### Junos OS
-
-- Based on FreeBSD.
-- Used on all Juniper devices.
-- Juniper's next-generation OS "Junos OS evolved" (not "Junos OS") is based on Linux.
-
-## General
+## Commands
 
 **TODO** Cleanup.
 
@@ -192,17 +178,20 @@ Change active partition and reboot: `request system reboot slice alternate media
 The devices should be shut down gracefully instead of just pulling the power.
 This will prevent corrupting the file system.
 
+- Oper CLI: `request system <halt|power-off> [local|all-members|member <member-id>]`
 - Shell: `shutdown -h now` or `halt`
-- Op mode: `request system <halt|power-off> [local|all-members|member <member-id>]`
 
 Wait for the "The operating system has halted." text before pulling the power, so that system processess are stopped and disks are synchronized. The system LED turning off and the LCD saying "HALTING..." does *not* mean that the halting process is finished yet.
 
 ### Basics
 
+**TODO** Move this.
+
 - Shut down or reboot: `request system <halt|reboot> [local|all-members]`
     - For `halt`, it will print "please press any key to reboot" when halted.
-- Erase all configuration and data: `request system zeroize`
-- Show alarms: `show chassis alarms`
+- Erase all data and reboot fresh: `request system zeroize`
+- Show system alarms: `show system alarms`
+- Show chassis alarms: `show chassis alarms`
 - Show temperatures and fan speeds: `show chassis environment`
 - Show routing engine usage: `show chassis routing-engine`
 - Show effective configuration (with inheritance): `show <configuration> | display inheritance`
@@ -231,18 +220,24 @@ Wait for the "The operating system has halted." text before pulling the power, s
 - Show event type info: `help syslog SNMP_TRAP_LINK_DOWN` (op mode) (example)
 - Show available event attributes: Use ?-completion.
 - Show log: `run show log escript.log | last`
+- From docs: "Do not use the change-configuration statement to modify the configuration on dual Routing Engine devices that have nonstop active routing (NSR) enabled, because both Routing Engines might attempt to acquire a lock on the configuration database, which can cause the commit to fail."
 
-#### Info
+### Rescue Configuration
 
-- "Do not use the change-configuration statement to modify the configuration on dual Routing Engine devices that have nonstop active routing (NSR) enabled, because both Routing Engines might attempt to acquire a lock on the configuration database, which can cause the commit to fail." (From docs.)
+- The rescue config is a copy of the config, which the system attempts to use if it detects that the main config is corrupted.
+- Show rescue config: `show system configuration rescue`
+- Save current committed config to rescue config: `request system configuration rescue save`
+- Delete rescue config: `request system configuration rescue delete`
+- Rollback to rescue config (config CLI): `rollback rescue`
 
-### Version Names
+### Autorecovery
 
-- Example: `20.4R3-S1.3`
-- Format: `<year>.<quarter>[R1-3][-S...]`
-- There is one main release for each quarter of the year. They may be a bit delayed such that they don't perfectly match the quarter.
-- There are zero to three extra cumulative bug patches `R1` to `R3` (no suffix for the initial release).
-- Each release is supported for exactly three years.
+- Only supported in some dual-partitioned with newer software.
+- Shows an alarm about autorecovery information that needs to be saved if you're configuring a factory reset device.
+- Autorecovery stores disk partitioning, configuration and license information, then validates and attempts to recover corruption during bootup.
+- Show autorecovery status: `show system autorecovery state`
+- Save autorecovery info: `request system autorecovery state save`
+- Delete autorecovery info: `request system autorecovery state clear`
 
 ### Miscellanea
 
@@ -276,56 +271,65 @@ Note: USB3 drives may not work properly. Use USB2 drives.
 
 ### Upgrade Junos
 
-#### Normal Method
-
-1. Backup and clean system:
-    1. Remove old files: `request system storage cleanup [dry-run]` (`dry-run` to show only)
-    1. Create a system backup first (unless virtualized boxes like EX4600 and QFX5100): `request system snapshot` (maybe with `slice alternate`, depending on the box)
-    1. Show system backups: `show system snapshot [media internal]`
-1. Get the file: `file copy <remote-url> /var/tmp/`
-    - If it says it ran out of space, add `staging-directory /var/tmp`. By defaults it's buffered on the root partition, which may be tiny.
-    - Alternatively, copy the file _into_ the device from the remote device.
-1. Prepare upgrade: `request system software add <file>`
-    - Add `no-copy unlink` to remove the file afterwards, typically for systems with little free space.
-    - Add `reboot` to automatically reboot and begin upgrade.
-1. Reboot and start upgrade (may take around 5 minutes): `request system reboot`
-1. **TODO** See further instructions in USB drive method section for verification and copying to alternate partition.
+#### Preparations
 
+1. (Info) For virtualized boxes like EX4600 and QFX5100, skip the `request system snapshot` parts as these boxes are built differently wrt. Junos.
+1. Cleanup old files: `request system storage cleanup`
+1. Make sure the alternate partition contains a working copy of the current version: See [Validate the Upgrade](#validate-the-upgrade).
 
 #### ISSU and NSSU
 
+Just info, no instructions here yet.
+
 - ISSU and NSSU may be used for upgrade without downtime, if the hardware supports it.
 - If using redundant hardware (multiple REs), ISSU may be use for upgrades without downtime. It may blow up. One RE is upgraded first, then state is transferred to it. Normal upgrade with reboot is more reliable if short downtime is acceptable.
 - If using virtual chassis, NSSU is similar to ISSU but doesn't require the same kind of state sync.
 
-#### Using a USB Drive
-
-1. Format the USB drive using FAT32 and copy the software file to the drive.
-1. Enter shell mode on the device (`root@:RE:0%`).
-1. Mount the USB drive:
-    - TL;DR: `mkdir /var/tmp/usb0 && mount_msdosfs <device> /var/tmp/usb0`
-    - See [mount a USB drive](#mount-a-usb-drive).
-1. Check the contents (copy the filename for later): `ls -l /var/tmp/usb0`
-1. Copy the file to internal storage: `cp /var/tmp/usb0/jinstall* /var/tmp/`
-1. Unmount and remove the USB drive: `umount /var/tmp/usb0 && rmdir /var/tmp/usb0`
-1. Enter op CLI: `cli`
-1. Install: `request system software add <file> no-copy reboot`
+#### Normal Method
+
+This should work in most cases and is the most streamlined version, but may not work for major version hops and stuff.
+
+1. If downloading from a remote location:
+    1. Get the file: `file copy <remote-url> /var/tmp/`
+        - If it says it ran out of space, add `staging-directory /var/tmp`. By defaults it's buffered on the root partition, which may be tiny.
+        - Alternatively, copy the file _into_ the device from the remote device, using SCP.
+1. If copying from a USB drive:
+    1. Format the USB drive using FAT32 and copy the software file to the drive.
+    1. Enter shell mode on the device: `start shell user root`
+    1. Mount the USB drive:
+        - See [mount a USB drive](#mount-a-usb-drive).
+        - TL;DR: `mkdir /var/tmp/usb0 && mount_msdosfs <device> /var/tmp/usb0`
+    1. Check the contents (copy the filename for later): `ls -l /var/tmp/usb0`
+    1. Copy the file to internal storage: `cp /var/tmp/usb0/jinstall* /var/tmp/`
+    1. Unmount and remove the USB drive: `umount /var/tmp/usb0 && rmdir /var/tmp/usb0`
+    1. Enter operational CLI again: `exit` (or `cli`)
+1. Prepare upgrade: `request system software add <file> no-copy unlink reboot`
+    - `no-copy` prevents copying the file first (in this case it's pointless).
+    - `unlink` removes the file afterwards.
+    - `reboot` reboots the device, so the upgrade can begin when booting.
     - If it complains about certificate problems, consider disabling verification using `no-validate`.
-    - It will reboot before and after.
     - It may produce some insignificant errors in the process (commands not found etc.).
+1. See [Validate the Upgrade](#validate-the-upgrade).
+
+#### From the Loader
+
+If the normal method did not work, try this instead.
+
+1. Copy the file to the device disk using the "normal" USB method.
+1. Connect using a serial cable.
+1. Reboot the device and press space at the right time to enter the loader.
+    - The message to wait for should look like this: `Hit [Enter] to boot immediately, or space bar for command prompt.`
+1. Format and flash: `install --format file:///jinstall-whatever.tgz` (where you placed it previously)
+1. See [Validate the Upgrade](#validate-the-upgrade).
+
+#### Validate the Upgrade
+
 1. Log into the CLI.
 1. Verify that the system is booted from the active partition of the internal media: `show system storage partitions` (should show `Currently booted from: active`)
 1. Verify that the current Junos version for the *primary* partition is correct: `show system snapshot media internal`
 1. Copy to the alternate root partition (may take several minutes): `request system snapshot slice alternate`
 1. Verify that the primary and backup partitions have the same Junos version: `show system snapshot media internal`
-    - If it fails, wait a bit and try again. The copy may still be happening.
-
-If the method above did not work, try this instead to completely format and flash the device:
-
-1. Prepare the USB drive like above.
-1. Connect using a serial cable.
-1. When the device is booting, press space at the right time.
-1. Format and flash: `install --format file:///jinstall-whatever.tgz` (where you placed it previously)
+    - If the command fails, wait a bit and try again. The copy may still be happening in the background.
 
 ### Copy the Active Root Partition
 
@@ -348,18 +352,82 @@ This can be fixed by cloning the new active partition to the alternate, corrupt
 
 See [Copy the Active Root Partition](#copy-the-active-root-partition) or [[EX] Switch boots from backup root partition after file system corruption occurred on the primary root partition (Juniper)](https://kb.juniper.net/InfoCenter/index?page=content&id=KB23180).
 
-## Miscellanea
+## Info
+
+### Junos OS
 
-### Interface Names
+- Based on FreeBSD.
+- Used on all Juniper devices.
+- Juniper's next-generation OS "Junos OS evolved" (not "Junos OS") is based on Linux.
 
-- `lo`: Loopback.
-- `ge`: Gigabit Ethernet.
-- `xe`: 10G Ethernet.
-- `et`: 40G Ethernet.
-- `em` and `fxp`: Management, possibly OOB.
+### Versions
 
-## Fusion
+- Example: `20.4R3-S1.3`
+- Format: `<year>.<quarter>[R1-3][-S...]`
+- There is one main release for each quarter of the year. They may be a bit delayed such that they don't perfectly match the quarter.
+- There are zero to three extra cumulative bug patches `R1` to `R3` (no suffix for the initial release).
+- Each release is supported for exactly three years.
+
+### Interfaces
 
-**TODO**
+Interface name structure:
+
+- Physical interfaces:
+    - Format: `<type>-<fpc>/<pic>/<port>`
+    - Example: `ge-0/0/0`
+    - See the table for interface types.
+    - The Flexible PIC Concentrator (FPC) is typically 0 for single devices or equal to the member ID if using VC.
+    - The Physical Interface Card (PIC) refers to the line card within a physical chassis, and is typically always 0 for fixed-format devices.
+- Logical interfaces:
+    - Format: `<phys-if>.<unit>`
+    - Example: `ge-0/0/0.0`
+    - The unit number is a non-negative number, often just 0 for physical interfaces that just need one logical interface, or corresponding to subinterface numbers for VLAN trunks.
+- Channelized interfaces (aka breakout interfaces):
+    - Format: `<phys-if>:<channel>`
+    - Example parent: `et-0/0/0`
+    - Example channel: `xe-0/0/0:0` (0-3)
+    - Channelized interfaces allows for splitting e.g. a 40G interface into four 10G interfaces using a breakout cable.
+
+Physical interfaces:
+
+| Prefix | Type | Example |
+| - | - | - |
+| fe | 100M Ethernet | `fe-0/0/0` |
+| ge | 1G Ethernet | `ge-0/0/0` |
+| xe | 10G Ethernet | `xe-0/0/0` |
+| et | 25G/40G/100G Ethernet | `et-0/0/0` |
+| mge | Multi-rate Ethernet | |
+| fxp | Mgmt. interface on RE (0-1) (SRX) | |
+| me | Management Ethernet | |
+| em | Management Ethernet | |
+| fc | Fibre Channel (FC) | |
+| at | ATM | |
+| pt | VDSL2 | |
+| cl | 3G/LTE | |
+| dl | Dialer for LTE (cl) | `dl0.0` |
+| se | Serial | |
+| e1 | E1 | |
+| e3 | E3 | |
+| t1 | T1 | |
+| t2 | T2 | |
+| wx | WXC ISM | |
+| reth | Chassis cluster traffic | |
+
+Special interfaces:
+
+| Prefix | Type | Example |
+| - | - | - |
+| lo | Loopback (some are internal) | `lo0` |
+| ae | Aggregated Ethernet (LAG) | `ae0` |
+| irb | IRB | `irb.0` |
+| dsc | Discard (internal) | `dsc` |
+| tap | Tap (internal) | `tap` |
+| fti | Flexible Tunnel Interface (FTI) | `fti0` |
+| gr | GRE tunnel | `gr-0/0/0` |
+| ip | IP-over-IP tunnel | `ip-0/0/0` |
+| lsq | Link services queueing interface (MLPPP, MLFR, CRTP) | `lsq-0/0/0` |
+| lt | Logical tunnel (SRX) | `lt-0/0/0` |
+| mt | Multicast tunnel | `mt-0/0/0` |
+| sp | Adaptive services (unit 16383 is internal) | `sp-0/0/0` |
 
 {% include footer.md %}

networking/juniper-srx.md

@@ -0,0 +1,120 @@
+---
+title: Juniper SRX Series Firewalls
+breadcrumbs:
+- title: Network
+---
+{% include header.md %}
+
+### Related Pages
+{:.no_toc}
+
+- [Juniper Hardware](/config/network/juniper-hardware/)
+- [Juniper Junos OS](/config/network/juniper-junos/)
+
+### Using
+{:.no_toc}
+
+- SRX320 w/ Junos 19.4R3
+
+## Setup
+
+### Initial Setup
+
+1. Connect to the switch using serial:
+    - RS-232 w/ RJ45, baud 9600, 8 data bits, no parity, 1 stop bits, no flow control.
+1. Log in:
+    1. It should say "Amnesiac" above the login prompt as the name of the switch, to show that it's factory reset.
+    1. Login as `root` with no password to enter the shell.
+    1. Enter the Junos operational CLI by typing `cli`.
+1. Enter configuration mode:
+    - Enter: `configure`
+    - Commit: `commit`
+    - Exit: `exit`
+1. Set host name:
+    1. `set system host-name <host-name>`
+    1. `set system domain-name <domain-name>`
+1. Enable auto snapshotting and restoration on corruption:
+    1. `set system auto-snapshot`
+1. Disable DHCP auto image upgrade:
+    1. `delete chassis auto-image-upgrade`
+1. Set new root password:
+    1. `set system root-authentication plain-text-password` (prompts for password)
+1. (Optional) Commit new config:
+    1. `commit`
+1. Setup a non-root user:
+    1. `set system login user <user> [full-name <full-name>] class super-user authentication plain-text-password` (prompts for password)
+1. Enable IPv6 forwarding (SRX):
+    1. Enable: `set security forwarding-options family inet6 mode flow-based`
+    1. (Info) Verify (after commit): `show security flow status`
+1. Setup SSH:
+    1. Enable server: `set system services ssh`
+    1. Disable root login from SSH: `set system services ssh root-login deny`
+1. Disable licensing and phone-home (for grey-market devices):
+    1. `delete system license`
+    1. `delete system phone-home`
+1. Set DNS servers:
+    1. Delete default: `delete system name-server`
+    1. Set new (for each one): `set system name-server <addr>`
+1. Set time:
+    1. (Optional) Set time manually (UTC): `run set date <YYYYMMDDhhmm.ss>`
+    1. Set server to use while booting (forces initial time): `set system ntp boot-server <address>`
+    1. Set server to use periodically (for tiny, incremental changes): `set system ntp server <address>`
+    1. Set time zone: `set system time-zone Europe/Oslo` (example)
+    1. (Info) After committing, use `show ntp associations` to verify NTP.
+    1. (Info) After committing, use `set date ntp` to force it to update. This may be required if the delta is too large and the NTP client refuses to update.
+1. Configure SNMP:
+    - (Info) SNMP is extremely slow on the Juniper devices I've tested it on.
+    - Enable public RO access (or generate a secret community string): `set snmp community public authorization read-only`
+1. (Optional) Set loopback addresses (if using routing):
+    1. `set interfaces lo0.0 family inet address <address>/32`
+    1. `set interfaces lo0.0 family inet6 address <address>/32`
+1. (Optional) Setup static IP routes:
+    1. IPv4 default gateway: `set routing-options rib inet.0 static route 0.0.0.0/0 next-hop <next-hop>`
+    1. IPv6 default gateway: `set routing-options rib inet6.0 static route ::/0 next-hop <next-hop>`
+1. (Optional) Disable dedicated management port and alarm (if any):
+    1. Disable: `set int me0 disable`
+    1. Delete logical interface: `delete int me0.0`
+    1. Disable link-down alarm: `set chassis alarm management-ethernet link-down ignore`
+1. Delete default interfaces configs (example):
+    1. `wildcard range delete interface ge-0/0/[0-7]`
+1. (Optional) Disable unused interfaces (example):
+    1. `wildcard range set interface ge-0/0/[0-7] disable`
+    1. `set interface cl-1/0/0 disable`
+    1. `set interface dl0 disable`
+1. (Optional) Setup LACP toward upstream/downstream switch:
+    1. (Info) Make sure you allocate enough LAG interfaces and that the interface numbers are below some arbitrary power-of-2-limit for the device model. Maybe the CLI auto-complete shows a hint toward the max.
+    1. Set number of available LAG interfaces: `set chassis aggregated-devices ethernet device-count <0-64>`
+    1. Delete old configs for member interface: `wildcard range delete interfaces ge-0/0/[0-1]` (example)
+    1. Add member interfaces: `wildcard range set interfaces ge-0/0/[0-1] ether-options 802.3ad ae<n>`
+    1. Add some description to member interfaces: `wildcard range set interfaces ge-0/0/[0-1] description link:switch`
+    1. Enter LAG interface: `edit interface ae<n>`
+    1. Set description: `set desc link:switch`
+    1. Set LACP active: `set aggregated-ether-options lacp active`
+    1. Set LACP fast: `set aggregated-ether-options lacp periodic fast`
+    1. (Optional) Set minimum links: `aggregated-ether-options minimum-links 1`
+1. Delete default security (zones, policies, NAT, screens).
+    1. `delete security`
+1. Commit configuration: `commit [confirmed]`
+1. Exit config CLI: `exit`
+1. Save the rescue config: `request system configuration rescue save`
+1. Save the autorecovery info: `request system autorecovery state save`
+
+### Interface Setup
+
+See [Juniper EX](/config/network/juniper-ex/).
+
+### Other Setup
+
+1. Configure sFlow:
+    1. **TODO**
+
+## Theory
+
+### Zone-based Firewalling (SRX)
+
+- On SRX firewalls, you assign interfaces to security zones. **TODO** All interfaces must be assigned a zone and a zone may have zero or multiple interfaces?
+- *Security zones* are the main type of zone.
+- *Function zones* are for special purposes. Only the management zone ("MGT") is currently supported and does not allow exchanging traffic with other zones.
+- The default policy is to deny traffic both intra-zone and inter-zone.
+
+{% include footer.md %}