---
title: Juniper SRX Series Firewalls
breadcrumbs:
  - title: Network
---

{% include header.md %}

## Related Pages

{:.no_toc}

## Using

{:.no_toc}

  • SRX320 w/ Junos 19.4R3

## Setup

### Initial Setup

  1. Connect to the device using serial:
    • RS-232 w/ RJ45, baud 9600, 8 data bits, no parity, 1 stop bit, no flow control.
  2. Log in:
    1. It should say "Amnesiac" above the login prompt as the device name, showing that it's factory reset.
    2. Log in as root with no password to enter the shell.
    3. Enter the Junos operational CLI by typing cli.
  3. Enter configuration mode:
    • Enter: configure
    • Commit: commit
    • Exit: exit
  4. Set host name:
    1. set system host-name <host-name>
    2. set system domain-name <domain-name>
  5. Enable auto snapshotting and restoration on corruption:
    1. set system auto-snapshot
  6. Disable DHCP auto image upgrade:
    1. delete chassis auto-image-upgrade
  7. Set new root password:
    1. set system root-authentication plain-text-password (prompts for password)
  8. (Optional) Commit new config:
    1. commit
  9. Setup a non-root user:
    1. set system login user <user> [full-name <full-name>] class super-user authentication plain-text-password (prompts for password)
  10. Enable IPv6 forwarding (SRX):
    1. Enable: set security forwarding-options family inet6 mode flow-based
    2. (Info) A forwarding mode change only takes effect after a reboot (see the last step).
    3. (Info) Verify (after commit and reboot): show security flow status
  11. Setup SSH:
    1. Enable server: set system services ssh
    2. Disable root login from SSH: set system services ssh root-login deny
  12. Disable licensing and phone-home (for grey-market devices):
    1. delete system license
    2. delete system phone-home
  13. Set DNS servers:
    1. Delete default: delete system name-server
    2. Set new (for each one): set system name-server <addr>
  14. Set time:
    1. (Optional) Set time manually (UTC): run set date <YYYYMMDDhhmm.ss>
    2. Set server to use while booting (forces initial time): set system ntp boot-server <address>
    3. Set server to use periodically (for tiny, incremental changes): set system ntp server <address>
    4. Set time zone: set system time-zone Europe/Oslo (example)
    5. (Info) After committing, use show ntp associations to verify NTP.
    6. (Info) After committing, use run set date ntp (set date ntp from operational mode) to force an immediate update. This may be required if the delta is too large and the NTP client refuses to step the clock.
  15. Configure SNMP:
    • (Info) SNMP is extremely slow on the Juniper devices I've tested it on.
    • Enable read-only access for a community: set snmp community <community> authorization read-only
    • (Info) In SNMPv1/v2c the community string is the only credential, so use a non-default one (not public) and restrict which hosts may use it: set snmp community <community> clients <prefix>
  16. (Optional) Set loopback addresses (if using routing):
    1. set interfaces lo0.0 family inet address <address>/32
    2. set interfaces lo0.0 family inet6 address <address>/128
  17. (Optional) Setup static IP routes:
    1. IPv4 default gateway: set routing-options rib inet.0 static route 0.0.0.0/0 next-hop <next-hop>
    2. IPv6 default gateway: set routing-options rib inet6.0 static route ::/0 next-hop <next-hop>
  18. (Optional) Disable dedicated management port and alarm (if any):
    1. Disable: set int me0 disable
    2. Delete logical interface: delete int me0.0
    3. Disable link-down alarm: set chassis alarm management-ethernet link-down ignore
  19. Delete default interfaces configs (example):
    1. wildcard range delete interface ge-0/0/[0-7]
  20. (Optional) Disable unused interfaces (example):
    1. wildcard range set interface ge-0/0/[0-7] disable
    2. set interface cl-1/0/0 disable
    3. set interface dl0 disable
  21. (Optional) Setup LACP toward upstream/downstream switch:
    1. (Info) The aggregated interface number must be below the configured device count (ae0 to ae<count-1>), and the maximum count depends on the device model. The CLI auto-complete on device-count shows the allowed range.
    2. Set number of available LAG interfaces: set chassis aggregated-devices ethernet device-count <count>
    3. Delete old configs for the member interfaces: wildcard range delete interfaces ge-0/0/[0-1] (example)
    4. Add member interfaces: wildcard range set interfaces ge-0/0/[0-1] ether-options 802.3ad ae<n>
    5. Add a description to the member interfaces: wildcard range set interfaces ge-0/0/[0-1] description link:switch
    6. Enter the LAG interface: edit interfaces ae<n>
    7. Set description: set description link:switch
    8. Set LACP active: set aggregated-ether-options lacp active
    9. Set LACP fast: set aggregated-ether-options lacp periodic fast
    10. (Optional) Set minimum links: set aggregated-ether-options minimum-links 1
    11. Return to the top of the config: top
  22. Delete the default security config (zones, policies, NAT, screens):
    1. delete security
    2. (Info) Once this is committed, no interface belongs to a zone, so in flow mode the device neither forwards nor accepts traffic until zones and policies are configured. Do this from the console, not over an SSH session through a revenue port.
  23. Commit configuration: commit [confirmed]
    1. (Info) commit confirmed activates the config but rolls it back automatically (after 10 minutes by default) unless a plain commit follows, so a config that locks you out undoes itself.
  24. Exit config CLI: exit
  25. Save the rescue config: request system configuration rescue save
  26. Save the autorecovery info: request system autorecovery state save
  27. Reboot the device to apply a changed forwarding mode (if changed): request system reboot
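The whole procedure above collected into one set-format configuration, as an added example (this is not the page's own config nor a Juniper reference config). The host name, domain, user, the 192.0.2.0/24 and 2001:db8::/32 documentation addresses, the DNS/NTP/monitoring hosts and the SNMP community string are placeholders chosen for the example; the SNMP clients restriction and ssh protocol-version v2 are hardening beyond the listed steps. The two password lines prompt interactively, so type them rather than pasting the block into load set terminal.

```junos
## Added example: baseline from the steps above, typed from the serial
## console in configuration mode. All names and addresses are placeholders.
set system host-name fw1
set system domain-name example.net
set system auto-snapshot
delete chassis auto-image-upgrade
## Both of these prompt for the password; never put it in a pasted script.
set system root-authentication plain-text-password
set system login user admin full-name "Firewall admin" class super-user authentication plain-text-password
## IPv6 in flow mode; takes effect after the reboot at the end.
set security forwarding-options family inet6 mode flow-based
## SSH for management, root login denied, v2 only (added hardening).
set system services ssh
set system services ssh root-login deny
set system services ssh protocol-version v2
delete system license
delete system phone-home
## Name resolution and time (placeholder servers).
delete system name-server
set system name-server 192.0.2.53
set system ntp boot-server 192.0.2.123
set system ntp server 192.0.2.123
set system time-zone Europe/Oslo
## SNMP: non-default read-only community, usable only from the monitoring host.
set snmp community s3cr3t-ro-community authorization read-only
set snmp community s3cr3t-ro-community clients 192.0.2.10/32
## Loopbacks (/128 for IPv6) and default routes (placeholder next hops).
set interfaces lo0.0 family inet address 192.0.2.1/32
set interfaces lo0.0 family inet6 address 2001:db8::1/128
set routing-options rib inet.0 static route 0.0.0.0/0 next-hop 192.0.2.254
set routing-options rib inet6.0 static route ::/0 next-hop 2001:db8::fffe
## Drop the factory interface config; disable the ports not in use
## (ge-0/0/0 and ge-0/0/1 are left for the later zone/interface config).
wildcard range delete interfaces ge-0/0/[0-7]
wildcard range set interfaces ge-0/0/[2-7] disable
set interfaces cl-1/0/0 disable
set interfaces dl0 disable
## Remove the factory zones, policies and NAT. Nothing passes after this
## until zones and policies are configured, which is why this runs on console.
delete security
## Activate with a 5 minute automatic rollback, then confirm and leave.
commit confirmed 5
commit
exit
```

After exiting configuration mode, the rescue and autorecovery saves and the reboot from steps 25 to 27 apply unchanged.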

### Interface Setup

See Juniper EX.

### Other Setup

  1. Configure sFlow:
    1. TODO

## Theory

SRX-specific information, see the Junos page for general information.

### Packet Forwarding Mode (Packet-based and Flow-based)

  • Packet-based forwarding handles packets one by one, also called stateless forwarding (similar to router ACLs). It does no connection tracking, so security policies, NAT and the other session-based features are unavailable.
  • Flow-based forwarding handles packets as sessions, also called stateful forwarding. This is the default for IPv4, while inet6 must be set to flow-based explicitly (IPv6 forwarding is disabled by default).
  • Commands:
    • Configured per family using set security forwarding-options family inet6 mode flow-based (example). A mode change takes effect after a reboot.
    • Run show security flow status to show the forwarding modes.

### L2 Forwarding Mode (Transparent and Switching)

  • The default mode on most newer devices/versions is switching mode.
  • Switching mode:
    • Ethernet switching with routing on top, similar to an L3 switch: VLANs with IRB interfaces (RVIs).
    • Uses IRB interfaces in security zones, so policy is enforced on routed (inter-VLAN) traffic.
    • Does not enforce policy on intra-VLAN traffic, which is switched at L2.
    • Supports LACP.
  • Transparent mode:
    • Pure L2 mode.
    • The firewall acts like an L2 switch connected inline in the infrastructure, allowing simple integration without modifying routing and protocols.
    • Does not support STP, IGMP snooping, Q-in-Q, NAT and VPNs.
    • Uses physical interfaces in security zones, so policy is enforced on traffic bridged between them.
    • Also called L2 transparent mode (L2TM).
  • Commands:
    • Configured using set protocols l2-learning global-mode {transparent-bridge|switching}. Changing the mode requires a reboot.
    • Show using show ethernet-switching global-information.

### Security Zones

  • On SRX firewalls, you assign interfaces (logical units) to security zones. An interface belongs to at most one zone, a zone may contain zero or more interfaces, and an interface that is in no zone passes no traffic in flow mode.
  • Security zones are the main type of zone.
  • Function zones are for special purposes. Only the management zone ("MGT") is currently supported and does not allow exchanging traffic with other zones.
  • The default policy is to deny traffic both intra-zone and inter-zone, so every permitted flow needs an explicit policy. Traffic to the device itself (SSH, ping, etc.) is additionally gated by host-inbound-traffic on the zone or interface. The factory config ships with permissive trust/untrust policies, which is why the setup above deletes the security config.
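As an added example of the zone model (not from the page): a minimal two-zone configuration for an SRX in flow mode after delete security, with management services allowed only from the inside zone, an explicit logged deny for inbound traffic, and interface source NAT for outbound traffic. The zone and policy names, the interfaces and the 192.0.2.0/24 and 198.51.100.0/30 documentation addresses are placeholders.

```junos
## Added example: two zones, restrictive host-inbound services, logged deny.
## Interface units and addresses are placeholders.
set interfaces ge-0/0/0 unit 0 family inet address 198.51.100.2/30
set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.1/24
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.0
## Weak setting (commented out): every management service reachable from outside.
## set security zones security-zone untrust host-inbound-traffic system-services all
## Hardened: nothing inbound to the device on untrust; only SSH and ping on trust.
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services ping
## Policies are evaluated top-down per zone pair; unmatched traffic is denied.
set security policies from-zone trust to-zone untrust policy allow-out match source-address any
set security policies from-zone trust to-zone untrust policy allow-out match destination-address any
set security policies from-zone trust to-zone untrust policy allow-out match application any
set security policies from-zone trust to-zone untrust policy allow-out then permit
set security policies from-zone trust to-zone untrust policy allow-out then log session-close
## Explicit deny from outside so the drops are logged, not just silently default-denied.
set security policies from-zone untrust to-zone trust policy deny-in match source-address any
set security policies from-zone untrust to-zone trust policy deny-in match destination-address any
set security policies from-zone untrust to-zone trust policy deny-in match application any
set security policies from-zone untrust to-zone trust policy deny-in then deny
set security policies from-zone untrust to-zone trust policy deny-in then log session-init
## Keep the global default explicit (this is also the factory value).
set security policies default-policy deny-all
## Interface source NAT so inside hosts reach the outside through ge-0/0/0's address.
set security nat source rule-set trust-out from zone trust
set security nat source rule-set trust-out to zone untrust
set security nat source rule-set trust-out rule nat-all match source-address 192.0.2.0/24
set security nat source rule-set trust-out rule nat-all then source-nat interface
commit confirmed 5
commit
## Verify from operational mode:
## show security zones
## show security policies
## show security flow session
```

The log actions only produce output once a security log destination is configured (syslog on the routing engine or a stream collector), which is outside this example; without one the policy still enforces, it just does not record.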

{% include footer.md %}