Juniper Junos OS Getting Started Manual for Branch SRX Series
Junos® OS Getting Started Guide for Branch SRX Series
Release 12.3X48-D10
Modified: 2016-09-01
Copyright © 2016, Juniper Networks, Inc.


Summary of Contents for Juniper Junos OS

  • Page 1 ® Junos Getting Started Guide for Branch SRX Series Release 12.3X48-D10 Modified: 2016-09-01 Copyright © 2016, Juniper Networks, Inc.
  • Page 2 END USER LICENSE AGREEMENT The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at http://www.juniper.net/support/eula.html.
  • Page 3: Table Of Contents

    Verifying the Branch SRX Series Configuration ......24
  • Page 4 [edit security policies] Hierarchy Level ........93
  • Page 5 Index ............141
  • Page 7: List Of Figures

    Configuring NAT for SRX Series ........39 Figure 4: Destination NAT Single Address Translation ..... . . 41
  • Page 9 Table 18: show system license Output Fields ......133 Table 19: show system services dhcp client Output Fields ....136
  • Page 11: About The Documentation

    To obtain the most current version of all Juniper Networks technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/. If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.
  • Page 12: Merging A Full Example

    /var/tmp on your routing platform. commit { file ex-script-snippet.xsl; } Move to the hierarchy level that is relevant for this snippet by issuing the following configuration mode command:
  • Page 13: Documentation Conventions

    Table 2: Text and Syntax Conventions Convention Description Examples Bold text like this Represents text that you type. To enter configuration mode, type the configure command: user@host> configure ...
  • Page 14 Introduces new terms: a policy term is a named structure that defines match conditions and actions. Identifies guide names: Junos OS CLI User Guide. Identifies RFC and Internet draft titles: RFC 1997, BGP Communities Attribute. Italic text like this Represents variables (options for which ...). Configure the machine's domain name:...
  • Page 15: Documentation Feedback

    We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can provide feedback by using either of the following methods: Online feedback rating system. On any page of the Juniper Networks TechLibrary site (http://www.juniper.net/techpubs/index.html), simply click the stars to rate the content, and use the pop-up form to provide us with information about your experience.
  • Page 16: Opening A Case With Jtac

    Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/ Search technical bulletins for relevant hardware and software notifications: http://kb.juniper.net/InfoCenter/ Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/ Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/...
  • Page 17: Overview

    PART 1 Overview Introduction to SRX Series Devices on page 3
  • Page 19: Introduction To Srx Series Devices

    The SRX Series are based on Junos OS, a full-featured networking operating system that is optimized to provide maximum performance and efficient network security. The SRX Series range from lower-end branch devices designed to secure small distributed enterprise locations to high-end devices designed to secure enterprise infrastructure, data centers, and server farms.
  • Page 21: Setting Up A Branch Srx Series Services Gateway

    Setting Up a Branch SRX Series Services Gateway Understanding Factory Default Configuration Settings on page 7 Configuring an SRX Series Device for the First Time on page 17 Resetting the SRX Series Device on page 27
  • Page 23: Understanding Factory Default Configuration Settings

    SRX Series Services Gateway for the first time. This document uses an SRX210 Services Gateway as an example. For additional details, see the SRX210 Services Gateway Hardware Guide at SRX210 Services Gateway Hardware
  • Page 24: Default Port Settings

    System services such as SSH, Telnet, FTP, HTTP, HTTPS, and xnm-clear-text are enabled by default. Default Port Settings When an SRX210 is powered on for the first time, it boots using the factory default configuration. The SRX210 has the following factory default port settings:
  • Page 25: Default Settings For Interfaces, Zones, Policy, And Nat

    Default policy (Source Zone, Destination Zone, Policy Action): Trust to Untrust: Permit; Untrust to Trust: Deny. NOTE: In the default configuration, all LAN interfaces are in Layer 2 mode and they communicate with each other without the need for any policy.
  • Page 26: Default System Services

    Understanding Methods to Manage the Branch SRX Series on page 17 SRX210 Factory Default Settings: A Sample The following sample output shows the factory default configuration of an SRX210: [edit] user@srx210-host# show system system { autoinstallation {
  • Page 27 192.168.1.2 high 192.168.1.254; propagate-settings ge-0/0/0.0; syslog { archive size 100k files 3; user * { any emergency; file messages { any critical; authorization info; file interactive-commands { interactive-commands error; max-configurations-on-flash 5; max-configuration-rollbacks 5; license {
  • Page 28 0 { family ethernet-switching { vlan { members vlan-trust; fe-0/0/4 { unit 0 { family ethernet-switching { vlan { members vlan-trust; fe-0/0/5 { unit 0 { family ethernet-switching { vlan { members vlan-trust; fe-0/0/6 {
  • Page 29 { source-route-option; tear-drop; tcp { syn-flood { alarm-threshold 1024; attack-threshold 200; source-threshold 1024; destination-threshold 2048; timeout 20; land; nat { source { rule-set trust-to-untrust { from zone trust; to zone untrust; rule source-nat-rule {
  • Page 30 { security-zone trust { host-inbound-traffic { system-services { all; protocols { all; interfaces { vlan.0; security-zone untrust { screen untrust-screen; interfaces { ge-0/0/0.0 { host-inbound-traffic { system-services { dhcp; tftp; vlans {
  • Page 31 { vlan-id 3; l3-interface vlan.0; Related Documentation: Connecting the Branch SRX Series Through the Console Port for the First Time on page 19 Understanding Factory Default Configuration Settings of an SRX210 on page 7
  • Page 33: Configuring An Srx Series Device For The First Time

    No prior configuration is required. Connecting through SSH and Telnet: Use an RJ-45 Ethernet cable to connect the PC or laptop to one of the Ethernet ports labeled through on the front panel of your services gateway.
  • Page 34: Mandatory Settings To Configure The Branch Srx Series

    (ge-0/0/0). NOTE: If your ISP does not support DHCP, you should ask your ISP what settings (IP address, default gateway, DNS server) to use to configure the WAN interface on your services gateway.
  • Page 35: Configuring An Srx Series Device For The First Time

    At the (>) prompt, type configure and press Enter. The prompt changes from > to # when you enter configuration mode. root> configure Entering configuration mode [edit] root# Create a password for the root user to manage the SRX Series. set system root authentication plain-text-password
  • Page 36: Your Network

    [edit] root@SRX210# NOTE: If after following this procedure you still require further guidance on configuring a branch SRX Series Services Gateway, see the Quick Start Guide of your device.
  • Page 37: Configuring Internet Access For The Branch Srx Series

    SRX210 to the Internet. Figure 2: Connecting an SRX210 to the Internet To assign an IP address and gateway through DHCP: Configure interface ge-0/0/0 to obtain an IP address and default gateway from a DHCP server:
  • Page 38: Configuring A Network Time Protocol Server For The Branch Srx Series

    Configure the NTP server and time zone. [edit] root@host# set system ntp server 160.90.182.55 [edit] root@host# set system time-zone GMT-8 Update the system clock to make use of the new NTP server settings from operational mode. root@host> set date NTP
  • Page 39: Validating The Branch Srx Series Configuration

    Verify system name server details. [edit] root@host# show system name-server 208.67.222.222; 208.67.220.220; 10.11.11.11 Issue run show interface terse to verify the acquired IP address. If you are done configuring the device, enter commit from configuration mode.
  • Page 40: Verifying The Branch Srx Series Configuration

    Verify that the login classes you have created are working properly. Log out from the device and log in again using the credentials that you have configured for the newly created user classes. Verify NTP server details. user@srx210-host# show system ntp server 160.90.182.55;
  • Page 41 Configuring Internet Access for the Branch SRX Series on page 21 Configuring a Network Time Protocol Server for the Branch SRX Series on page 22 Validating the Branch SRX Series Configuration on page 23
  • Page 43: Resetting The Srx Series Device

    To reset your services gateway to its factory-default configuration, use a small probe, such as a straightened paperclip, to press the RESET CONFIG button for 15 seconds or more. Related Documentation: Connecting Your Branch SRX Series for the First Time
  • Page 45: Configuring Basic Srx Series Features

    Configuring UTM for Branch SRX Series on page 49 Configuring Intrusion Detection and Prevention for SRX Series on page 63 Understanding Stateful Firewall, IPsec VPN, and Chassis Cluster for Branch SRX Series on page 71
  • Page 47: Configuring Security Zones And Policies For Srx Series

    The default configuration of the branch SRX Series includes two security zones: trust and untrust. The vlan.0 interface belongs to the trust zone and ge-0/0/0 belongs to the untrust zone. For more details on security zones, see Building Blocks Feature Guide for Security Devices.
  • Page 48: Security Policy

    Requirements This example uses the following hardware and software components: An SRX210 Junos OS Release 12.1X44-D10 Overview This example uses the network topology shown in Figure 3 on page
  • Page 49: Figure 3: Topology For Security Policy Configuration

    Configure an address book and create addresses for use in the policy as shown in Table 8 on page Table 8: Address Books Configuration (Zone, Address Book, Server, IP Address): Server-HTTP-1 192.168.2.2/24; Server-HTTP-2 192.168.2.3/24; Server-SMTP 192.168.2.4/24
  • Page 50: Table 9: Security Policy Configuration

    DMZ to-zone DMZ policy permit-http-in-DMZ match destination-address DMZ-address-set-http set security policies from-zone DMZ to-zone DMZ policy permit-http-in-DMZ match application junos-http set security policies from-zone DMZ to-zone DMZ policy permit-http-in-DMZ then permit
  • Page 51 Create an intrazone policy to permit HTTP traffic between the two servers in the DMZ zone. [edit] user@srx210-host# set security policies from-zone DMZ to-zone DMZ policy permit-http-in-DMZ match source-address DMZ-address-set-http user@srx210-host# set security policies from-zone DMZ to-zone DMZ policy permit-http-in-DMZ match destination-address DMZ-address-set-http
  • Page 52 { source-address PC-Trust; destination-address Server-SMTP; application junos-smtp; then { permit; [edit] user@srx210-host# show security policies from-zone DMZ to-zone DMZ policy permit-http-in-DMZ { match { source-address DMZ-address-set-http; destination-address DMZ-address-set-http; application junos-http; then { permit;
  • Page 53 Related Documentation: Understanding Security Zones and Policies for SRX Series on page 31 Understanding Factory Default Configuration Settings of an SRX210 on page 7 Connecting Your Branch SRX Series for the First Time
  • Page 55: Configuring Nat For Srx Series

    Internet. For more information, see the Network Address Translation Feature Guide for Security Devices. Related Documentation: Understanding Factory Default Configuration Settings of an SRX210 on page 7
  • Page 56: Example: Configuring Destination Nat For Srx Series

    41, you are applying destination NAT to the traffic destined to 1.1.1.3 coming from the untrust zone. This traffic should be translated into the private IP address of 192.168.2.2 as shown in Table 10 on page
  • Page 57: Configuring Nat For Srx Series

    In this topology, you provide access to the server (Server-HTTP-1) in the DMZ zone from the Internet after translating the public IP address 1.1.1.3 to the private address 192.168.2.2 and forward traffic to the internal network if the request is coming from ge-0/0/0.0.
  • Page 58 Create the destination NAT pool to include the IP address of the server (Server-HTTP-1). [edit] user@srx210-host# set security nat destination pool dst-nat-pool-1 address 192.168.2.2/32 Create a destination NAT rule set. [edit] user@srx210-host# set security nat destination rule-set rs1 from interface ge-0/0/0.0
  • Page 59 [edit] user@srx210-host# show security nat destination pool dst-nat-pool-1 { address 192.168.2.2/32; rule-set rs1 { from interface ge-0/0/0.0; rule r1 { match { destination-address 1.1.1.3/29; then { destination-nat { pool { dst-nat-pool-1;
  • Page 60 Verify that NAT is being applied to the specified traffic. Action From operational mode, enter the show security flow session command to display information about all currently active security sessions on the device. Related Documentation: Understanding NAT for SRX Series on page 39
  • Page 61: Configuring Nat For Srx Series

    Chapter 6: Configuring NAT for SRX Series Understanding Factory Default Configuration Settings of an SRX210 on page 7 Connecting Your Branch SRX Series for the First Time
  • Page 63: Managing Licenses For Srx Series

    To install or update your license automatically, your device must be connected to the Internet. user@srx210-host> request system license update Trying to update license keys from https://ae1.juniper.net, use 'show system license' to check status. Install the licenses manually on the device.
  • Page 64 2010-01-04 08:00:00 GMT-8 - 2013-12-31 08:00:00 GMT-8 The output sample is truncated to display some of the UTM features license. Related Documentation: request system license update on page 108 show system license (View) on page 133
  • Page 65: Configuring Utm For Branch Srx Series

    The SRX Series has predefined system profiles (antispam, antivirus, or Web filtering) designed to provide basic protection. You can use a predefined profile to bind to the UTM policy or you can also create a component (antispam, antivirus, Web filtering, or content filtering) profile.
  • Page 66: Table 11: Default Utm Profiles On Branch Srx Series

    For more details on UTM, see UTM Feature Guide for Security Devices. Related Documentation: Updating Licenses for a Branch SRX Series on page 47 Example: Configuring Unified Threat Management for a Branch SRX Series on page 51
  • Page 67: Example: Configuring Unified Threat Management For A Branch Srx Series

    Step-by-Step Procedure To configure UTM components: Create a UTM policy and apply the default antispam profile to the UTM policy. [edit] user@srx210-host# set security utm utm-policy policy-utm-all anti-spam smtp-profile junos-as-defaults
  • Page 68 { http-profile junos-wf-cpa-default; anti-spam { smtp-profile junos-as-defaults; [edit] user@srx210-host# show security policies from-zone trust to-zone untrust policy trust-to-untrust policy trust-to-untrust { match { source-address any; destination-address any; application any; then { permit {
  • Page 69 Verify that the antivirus protection configuration is working properly. Action From operational mode, enter the show security utm anti-virus status command. user@srx210-host> show security utm anti-virus status UTM anti-virus status: Anti-virus key expire date: 2010-12-31 00:00:00 Update server: http://update.juniper-updates.net/AV/SRX210
  • Page 70: Default Utm Policy For Branch Srx Series

    Predefined UTM Profile Configuration for Branch SRX Series This topic includes the following sections: Antispam on page 54 Antivirus on page 55 Web Filtering on page 56 Antispam sbl { profile junos-as-defaults { sbl-default-server; spam-action block; custom-tag-string ***SPAM***;
  • Page 71: Antivirus

    "VIRUS WARNING"; fallback-block { type message; no-notify-mail-sender; juniper-express-engine { pattern-update { url http://update.juniper-updates.net/EAV/SRX210/; interval 1440; profile junos-eav-defaults { fallback-options { default log-and-permit; content-size log-and-permit; engine-not-ready log-and-permit; timeout log-and-permit; out-of-resources log-and-permit; too-many-requests log-and-permit; scan-options {
  • Page 72: Web Filtering

    { uri-check; content-size-limit 10000; timeout 180; notification-options { virus-detection { type message; no-notify-mail-sender; custom-message "VIRUS WARNING"; fallback-block { type message; no-notify-mail-sender; Web Filtering surf-control-integrated { server { host cpa.surfcpa.com; port 9020;
  • Page 73 Gambling { action block; Games { action block; Glamour_Intimate_Apparel { action permit; Government_Politics { action permit; Hacking { action block; Hate_Speech { action block; Health_Medicine { action permit; Hobbies_Recreation { action permit;
  • Page 74 Religion { action permit; Remote_Proxies { action block; Sex_Education { action block; Search_Engines { action permit; Shopping { action permit; Sports { action permit; Streaming_Media { action permit; Travel { action permit; Usenet_News {
  • Page 75 Violence { action block; Weapons { action block; Web_based_Email { action permit; default log-and-permit; custom-block-message "Juniper Web Filtering has been set to block this site."; fallback-settings { default log-and-permit; server-connectivity log-and-permit; timeout log-and-permit; too-many-requests log-and-permit; websense-redirect { profile junos-wf-websense-default { custom-block-message "Juniper Web Filtering has been set to block this site.";...
  • Page 76 Enhanced_Sex { action block; Enhanced_Hacking { action block; Enhanced_Personals_and_Dating { action block; Enhanced_Alcohol_and_Tobacco { action block; Enhanced_Abused_Drugs { action block; Enhanced_Marijuana { action block; Enhanced_Malicious_Web_Sites { action block; Enhanced_Spyware { action block; Enhanced_Phishing_and_Other_Frauds {
  • Page 77 Enhanced_Malicious_Embedded_Link { action block; Enhanced_Malicious_Embedded_iFrame { action block; Enhanced_Suspicious_Embedded_Link { action block; default log-and-permit; custom-block-message "Juniper Web Filtering has been set to block this site."; fallback-settings { default log-and-permit; server-connectivity log-and-permit; timeout log-and-permit; too-many-requests log-and-permit; Related Understanding Unified Threat Management for Branch SRX Series on page 49...
  • Page 79: Configuring Intrusion Detection And Prevention For Srx Series

    Download and install the signature database: You must download and install the IDP signature database. The signature databases are available as a security package on the Juniper Networks website. This database includes attack objects and attack object groups that you can use in IDP policies to match traffic against known attacks.
  • Page 80: Example: Configuring Intrusion Detection And Prevention For Srx Series

    DMZ zone against the IDP rulebases. As a first step, you must download and install the signature database from the Juniper Networks website. Next, download and install the predefined IDP policy templates and activate the predefined policy Recommended as the active policy.
  • Page 81 Done;Attack DB update : successful - [UpdateNumber=2230,ExportDate=Mon Feb 4 19:40:13 2013 GMT-8,Detector=12.6.160121210] Updating control-plane with new detector : successful Updating data-plane with new attack or detector : successful Confirm your IDP security package version. [edit]
  • Page 82 [edit] user@host# set system scripts commit file templates.xsl Commit the configuration. The downloaded templates are saved to the Junos OS configuration database, and they are available in the CLI at the [edit security idp] hierarchy level.
  • Page 83 Keep in mind the following points: Security policy order on an SRX Series device is important because Junos OS performs a policy lookup starting from the top of the list, and when the device finds a match for the traffic received, it stops the policy lookup.
  • Page 84 Peak: 0 @ 2013-02-05 23:06:20 GMT-8 Latency (microseconds): [min: 0] [max: 0] [avg: 0] Packet Statistics: [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0] Flow Statistics: ICMP: [Current: 0] [Max: 0 @ 2013-02-05 23:06:20 GMT-8]
  • Page 85 The sample output shows the Recommended predefined IDP policy as the active policy. Related Documentation: Updating Licenses for a Branch SRX Series on page 47 Understanding Intrusion Detection and Prevention for SRX Series on page 63
  • Page 87: Branch Srx Series

    Related Documentation: Understanding Security Zones and Policies for SRX Series on page 31 Example: Configuring Security Zones and Policies for SRX Series on page 32
  • Page 88: Understanding Ipsec Vpn For Srx Series

    Chassis clustering provides network node redundancy by grouping a pair of the same kind of supported SRX Series into a cluster. The devices must be running Junos OS. To form a chassis cluster, a pair of the same kind of supported SRX Series are combined to act as a single system that enforces the same overall security.
  • Page 89: Configuration Statements And Operational Commands

    PART 4 Configuration Statements and Operational Commands Configuration Statements on page 75 Operational Commands on page 107
  • Page 91: Configuration Statements

    (PKI), policies, resource manager, rules, screens, secure shell known hosts, trace options, user identification, Unified Threat Management (UTM), and zones. Statements that are exclusive to the SRX Series devices running Junos OS are described in this section. Each of the following topics lists the statements at a sub-hierarchy of the [edit security] hierarchy.
  • Page 92: [Edit Security Address-Book] Hierarchy Level

    [edit security zones] Hierarchy Level on page 105 Related Documentation: CLI User Guide [edit security address-book] Hierarchy Level security { address-book (book-name | global) { address address-name { ip-prefix { description text; description text; dns-name domain-name { ipv4-only; ipv6-only;
  • Page 93: [Edit Security Idp] Hierarchy Level

    | signature ...same statements as in [edit security idp custom-attack attack-name attack-type signature] hierarchy level); order; protocol-binding { application application-name; icmp; icmpv6; ip { protocol-number transport-layer-protocol-number; ipv6 { protocol-number transport-layer-protocol-number; rpc {
  • Page 94 (equal | greater-than | less-than | not-equal); value checksum-value; code { match (equal | greater-than | less-than | not-equal); value code-value; data-length { match (equal | greater-than | less-than | not-equal); value data-length;
  • Page 95 (equal | greater-than | less-than | not-equal); value type-of-service-in-decimal; total-length { match (equal | greater-than | less-than | not-equal); value total-length-of-ip-datagram; ttl { match (equal | greater-than | less-than | not-equal); value time-to-live;
  • Page 96 (equal | greater-than | less-than | not-equal); value traffic-class-value; tcp { ack-number { match (equal | greater-than | less-than | not-equal); value acknowledgement-number; checksum-validate { match (equal | greater-than | less-than | not-equal); value checksum-value;
  • Page 97 (equal | greater-than | less-than | not-equal); value urgent-pointer; window-scale { match (equal | greater-than | less-than | not-equal); value window-scale-factor; window-size { match (equal | greater-than | less-than | not-equal); value window-size;
  • Page 98 (close | close-client | close-server | drop | drop-packet | ignore | none); severity (critical | info | major | minor | warning); time-binding { count count-value; scope (destination | peer | source); custom-attack-group custom-attack-group-name { group-members [attack-or-attack-group-name]; dynamic-attack-group dynamic-attack-group-name { filters {
  • Page 99 (zone-name | any ); source-address ([address-name] | any | any-ipv4 | any-ipv6); source-except [address-name]; to-zone (zone-name | any); rulebase-ips { rule rule-name { description text; match { application (application-name | any | default);
  • Page 100 { log-attacks { alert; packet-log { post-attack number; post-attack-timeout seconds; pre-attack number; severity (critical | info | major | minor | warning); security-package { automatic { download-timeout minutes; enable; interval hours; start-time start-time;
  • Page 101 (enable-packet-pool | no-enable-packet-pool); gtp (decapsulation | no-decapsulation); memory-limit-percent value; (policy-lookup-cache | no-policy-lookup-cache); high-availability { no-policy-cold-synchronization; disable-low-memory-handling; ips { content-decompression-max-memory-kb value; content-decompression-max-ratio value; (detect-shellcode | no-detect-shellcode); fifo-max-size value; (ignore-regular-expression | no-ignore-regular-expression); log-supercede-min minimum-value; pre-filter-shellcode; (process-ignore-s2c | no-process-ignore-s2c);
  • Page 102 (all | error | info | notice | verbose | warning); no-remote-trace; Related Documentation: Security Configuration Statement Hierarchy on page 75 Understanding Intrusion Detection and Prevention for SRX Series on page 63
  • Page 103: [Edit Security Ike] Hierarchy Level

    (basic | compatible | standard | suiteb-gcm-128 | suiteb-gcm-256); proposals [proposal-name]; proposal proposal-name { authentication-algorithm (md5 | sha-256 | sha-384 | sha1); authentication-method (dsa-signatures | ecdsa-signatures-256 | ecdsa-signatures-384 | pre-shared-keys | rsa-signatures); description description;
  • Page 104: [Edit Security Ipsec] Hierarchy Level

    (hmac-md5-96 | hmac-sha-256-128 | hmac-sha-256-96 | hmac-sha1-96); description description; encryption-algorithm (3des-cbc | aes-128-cbc | aes-128-gcm | aes-192-cbc | aes-192-gcm | aes-256-cbc | aes-256-gcm | des-cbc); lifetime-kilobytes kilobytes; lifetime-seconds seconds; protocol (ah | esp); security-association sa-name {
  • Page 105 (ascii-text key | hexadecimal key); encryption { algorithm (3des-cbc | aes-128-cbc | aes-192-cbc | aes-256-cbc | des-cbc); key (ascii-text key | hexadecimal key); external-interface external-interface-name; gateway ip-address; protocol (ah | esp); spi spi-value;
  • Page 106: [Edit Security Nat] Hierarchy Level

    { interface [interface-name]; routing-instance [routing-instance-name]; zone [zone-name]; rule rule-name { description text; match { application { [application]; any; (destination-address ip-address | destination-address-name address-name); destination-port (port-or-low <to high>); protocol [protocol-name-or-number]; source-address [ip-address]; source-address-name [address-name];
  • Page 107 { port-low <to port-high>; to port-high; twin-port port-low <to port-high>; routing-instance routing-instance-name; pool-default-port-range lower-port-range to upper-port-range; pool-default-twin-port-range lower-port-range to upper-port-range; pool-utilization-alarm (clear-threshold value | raise-threshold value); port-randomization disable; rule-set rule-set-name { description text;
  • Page 108 (clear-threshold value | raise-threshold value); to { interface [interface-name]; routing-instance [routing-instance-name]; zone [zone-name]; static rule-set rule-set-name; description text; from { interface [interface-name]; routing-instance [routing-instance-name]; zone [zone-name]; rule rule-name { description text; match {
  • Page 109: [edit security policies] Hierarchy Level

    Related Documentation: Understanding Logical Systems for SRX Series Services Gateways; Introduction to NAT. [edit security policies] Hierarchy Level security { policies { default-policy (deny-all | permit-all); from-zone zone-name to-zone zone-name { policy policy-name { description description;
  • Page 110 { session-close; session-init; permit { application-services { application-firewall { rule-set rule-set-name; application-traffic-control { rule-set rule-set-name; gprs-gtp-profile profile-name; gprs-sctp-profile profile-name; idp; redirect-wx | reverse-redirect-wx; ssl-proxy { profile-name profile-name; uac-policy {
  • Page 111 { sequence-check-required; syn-check-required; tunnel { ipsec-group-vpn group-vpn; ipsec-vpn vpn-name; pair-policy pair-policy; reject; global { policy policy-name { description description; match { application { [application]; any; destination-address { [address]; any; any-ipv4; any-ipv6; from-zone { [zone-name];
  • Page 112 { application-services { application-firewall { rule-set rule-set-name; application-traffic-control { rule-set rule-set-name; gprs-gtp-profile profile-name; gprs-sctp-profile profile-name; idp; redirect-wx | reverse-redirect-wx; ssl-proxy { profile-name profile-name; uac-policy { captive-portal captive-portal; utm-policy policy-name; destination-address { drop-translated; drop-untranslated;
  • Page 113 { filename; files number; match regular-expression; (no-world-readable | world-readable); size maximum-file-size; flag flag; no-remote-trace; Related Documentation: Security Configuration Statement Hierarchy on page 75; Understanding Security Building Blocks for Security Devices; Unified Threat Management Overview
  • Page 114: [edit security utm] Hierarchy Level

    (sbl-default-server | no-sbl-default-server); spam-action (block | tag-header | tag-subject); traceoptions { flag flag; anti-virus { juniper-express-engine { pattern-update { email-notify { admin-email email-address; custom-message message; custom-message-subject message-subject; interval value; no-autoupdate; proxy { password password-string; port port-number;
  • Page 115 (message | protocol-only); scan-options { content-size-limit value; (intelligent-prescreening | no-intelligent-prescreening); timeout value; trickling { timeout value; kaspersky-lab-engine { pattern-update { email-notify { admin-email email-address; custom-message message; custom-message-subject message-subject; interval value; no-autoupdate; proxy {
  • Page 116 (notify-mail-sender | no-notify-mail-sender); type (message | protocol-only); scan-options { content-size-limit value; decompress-layer-limit value; (intelligent-prescreening | no-intelligent-prescreening); scan-extension filename; scan-mode (all | by-extension); timeout value; trickling { timeout value; mime-whitelist { exception listname;
  • Page 117 (message | protocol-only); fallback-non-block { custom-message message; custom-message-subject message-subject; (notify-mail-recipient | no-notify-mail-recipient); virus-detection { custom-message message; custom-message-subject message-subject; (notify-mail-sender | no-notify-mail-sender); type (message | protocol-only); scan-options { content-size-limit value; (no-uri-check | uri-check); timeout value;
  • Page 118 trickling { timeout value; sxl-retry value; sxl-timeout seconds; traceoptions { flag flag; type (juniper-express-engine | kaspersky-lab-engine | sophos-engine); url-whitelist listname; content-filtering { profile profile-name { block-command protocol-command-list; block-content-type (activex | exe | http-cookie | java-applet | zip); block-extension extension-list;...
  • Page 119 (block | log-and-permit | permit); custom-block-message value; default (block | log-and-permit | permit); fallback-settings { default (block | log-and-permit); server-connectivity (block | log-and-permit); timeout (block | log-and-permit); too-many-requests (block | log-and-permit); timeout value;
  • Page 120 server { host host-name; port number; traceoptions { flag flag; type (juniper-enhanced | juniper-local | surf-control-integrated | websense-redirect); url-blacklist listname; url-whitelist listname; websense-redirect { profile profile-name { account value; custom-block-message value; fallback-settings { default (block | log-and-permit);...
  • Page 121: [edit security zones] Hierarchy Level

    { protocols protocol-name { except; system-services service-name { except; interfaces interface-name { host-inbound-traffic { protocols protocol-name { except; system-services service-name { except; screen screen-name; security-zone zone-name { address-book { address address-name { ip-prefix {
  • Page 122 { protocols protocol-name { except; system-services service-name { except; screen screen-name; tcp-rst; Related Documentation: Security Configuration Statement Hierarchy on page 75; Understanding Logical Systems for SRX Series Services Gateways; Security Zones and Interfaces Overview
  • Page 123: Chapter 12 Operational Commands

    (View) show system services dhcp client
  • Page 124: request system license update

    Sample Output request system license update user@host> request system license update Request to automatically update license keys from https://ae1.juniper.net has been sent, use show system license to check status. request system license update trial user@host> request system license update trial Request to automatically update trial license keys from https://ae1.juniper.net...
  • Page 125: show security flow session

    Command introduced in Junos OS Release 8.5. Support for filter and view options added in Junos OS Release 10.2. Application firewall, dynamic application, and logical system filters added in Junos OS Release 11.2. Policy ID filter added in Junos OS Release 12.3X48-D10.
  • Page 126: Table 12: show security flow session Output Fields

    Policy name Idle timeout after which the session expires. Timeout Incoming flow (source and destination IP addresses, application protocol, interface, session token, route, gateway, tunnel, port sequence, FIN sequence, FIN state, packets and bytes).
  • Page 127 Maximum session timeout. Current timeout Remaining time for the session unless traffic exists in the session. Session State Session state. Start time Time when the session was created, offset from the system start time.
  • Page 128 Session ID: 200000001, Policy name: default-policy/2, Timeout: 1794, Valid In: 40.0.0.111/32852 --> 30.0.0.100/21;tcp, If: ge-0/0/2.0, Pkts: 25, Bytes: 1138 Out: 30.0.0.100/21 --> 40.0.0.111/32852;tcp, If: ge-0/0/1.0, Pkts: 20, Bytes: 1152 Total sessions: 1 Flow Sessions on FPC5 PIC1: Total sessions: 0
  • Page 129 Multicast-sessions: 0 Failed-sessions: 0 Sessions-in-use: 1 Valid sessions: 1 Pending sessions: 0 Invalidated sessions: 0 Sessions in other states: 0 Maximum-sessions: 819200 Flow Sessions on FPC5 PIC1: Unicast-sessions: 0 Multicast-sessions: 0 Failed-sessions: 0 Sessions-in-use: 0
  • Page 130 Valid sessions: 0 Pending sessions: 0 Invalidated sessions: 0 Sessions in other states: 0 Maximum-sessions: 819200
  • Page 131: show security idp active-policy

    Syntax show security idp active-policy Release Information Command introduced in Junos OS Release 9.2. Description Display information about the policy name and running detector version with which the policy is compiled from the IDP data plane module.
  • Page 132: show security idp status

    Release Information Command introduced in Junos OS Release 9.2. Multiple detector information introduced in Junos OS Release 10.1. Output changed to support IDP dedicated mode in Junos OS Release 11.2. Description Display the status of the current IDP policy.
  • Page 133 UDP: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC] Other: [Current: 0] [Max: 0 @ 2010-02-05 06:49:51 UTC] Session Statistics: [ICMP: 0] [TCP: 1] [UDP: 0] [Other: 0] Policy Name : sample Running Detector Version : 10.4.160091104
  • Page 134: show security nat destination summary

    <logical-system (logical-system-name | all)> <root-logical-system> Release Information Command introduced in Junos OS Release 9.2. Support for IPv6 logical systems added in Junos OS Release 12.1X45-D10. Description Display a summary of Network Address Translation (NAT) destination pool information.
  • Page 135 Total pools: 2 Pool name Address Routing Port Total Range Instance Address dst-p1 1.1.1.1 - 1.1.1.1 default dst-p2 2001::1 - 2001::1 default Total rules: 171 Rule name Rule set From Action dst2-rule dst2 dst3-rule dst3
  • Page 136: show security policies

    <global> Release Information Command modified in Junos OS Release 9.2. Support for IPv6 addresses added in Junos OS Release 10.2. Support for IPv6 addresses in active/active chassis cluster configurations in addition to the existing support of active/passive chassis cluster configurations added in Junos OS Release 10.4.
  • Page 137: Table 16: show security policies Output Fields

    Name of the source address excluded from the policy. Source addresses (excluded) Name of the destination address excluded from the policy. Destination addresses (excluded) One or more user roles specified for a policy. Source identities
  • Page 138 Session log entry that indicates whether the flags were set at Session log at-create at-close configuration time to log session information.
  • Page 139 From zone: trust, To zone: untrust Policy: p1, State: enabled, Index: 4, Sequence number: 1 Source addresses: sa-1-ipv4: 2.2.2.0/24 sa-2-ipv6: 2001:0db8::/32 sa-3-ipv6: 2001:0db6/24 sa-4-wc: 192.168.0.11/255.255.0.255 Destination addresses: da-1-ipv4: 2.2.2.0/24 da-2-ipv6: 2400:0af8::/32
  • Page 140 Per policy TCP Options: SYN check: No, SEQ check: No Policy statistics: Input bytes 18144 545 bps Initial direction: 9072 272 bps Reply direction 9072 272 bps Output bytes 18144 545 bps Initial direction: 9072 272 bps
  • Page 141 Destination port range: [0-0] Per policy TCP Options: SYN check: No, SEQ check: No Policy statistics: Input bytes 18144 545 bps Initial direction: 9072 272 bps Reply direction 9072 272 bps Output bytes 18144 545 bps
  • Page 142 Destination port range: [0-0] Per policy TCP Options: SYN check: No, SEQ check: No Per policy TCP MSS: initial: 800, reverse: 900 show security policies policy-name p1 (Negated Address) user@host>show security policies policy-name p1 node0: --------------------------------------------------------------------------
  • Page 143 -------------------------------------------------------------------------- Global policies: Policy: Pa, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1 From zones: zone1, zone2 To zones: zone3, zone4 Source addresses: any Destination addresses: any Applications: any Action: permit
  • Page 144: show security utm session

    Release Information Command introduced in Junos OS Release 9.5. Support for UTM in chassis cluster added in Junos OS Release 11.4. Description Display general UTM session information including all allocated sessions and active sessions. Also, display information from both nodes in a chassis cluster.
  • Page 145: show security utm status

    Release Information Command introduced in Junos OS Release 9.5. Support for UTM in chassis cluster added in Junos OS Release 11.4. Description Display whether the UTM service is running or not and status of both the nodes (with full chassis cluster support for UTM).
  • Page 146: show security zones

    show security zones Syntax show security zones <detail | terse> < zone-name > Release Information Command introduced in Junos OS Release 8.5. The Description output field added in Junos OS Release 12.1. Description Display information about security zones. Options none—Display information about all zones.
  • Page 147 Send reset for non-SYN session TCP packets: Off Policy configurable: Yes Interfaces bound: 1 Interfaces: ge-0/0/1.0 Sample Output show security zones abc detail user@host> show security zones abc detail Security zone: abc Description: This is the abc zone.
  • Page 148 Send reset for non-SYN session TCP packets: Off Policy configurable: Yes Interfaces bound: 1 Interfaces: ge-0/0/1.0 Sample Output show security zones terse user@host> show security zones terse Zone Type my-internal Security my-external Security Security
  • Page 149: show system license (View)

    Syntax show system license <installed | keys | status | usage> Release Information Command introduced in Junos OS Release 9.5. Logical system status option added in Junos OS Release 11.2. Description Display licenses and information about how licenses are used.
  • Page 150 Valid for device: AG4909AA0080 Features: wf_key_surfcontrol_cpa - Web Filtering date-based, 2011-03-30 01:00:00 IST - 2012-03-30 01:00:00 IST show system license installed user@host> show system license installed License identifier: JUNOS301998 License version: 2 Valid for device: AG4909AA0080 Features:
  • Page 151 Logical system license status: logical system name license status root-logical-system enabled LSYS0 enabled LSYS1 enabled LSYS2 enabled
  • Page 152: show system services dhcp client

    Syntax show system services dhcp client < interface-name > <statistics> Release Information Command introduced in Junos OS Release 8.5. Description Display information about DHCP clients. Options none—Display DHCP information for all interfaces. interface-name —(Optional) Display DHCP information for the specified interface.
  • Page 153 Name: name-server, Value: [ 10.209.194.131, 2.2.2.2, 3.3.3.3 ] Name: server-identifier, Value: 10.1.1.1 Name: router, Value: [ 10.1.1.80 ] Name: domain-name, Value: netscreen-50 Sample Output show system services dhcp client ge-0/0/1.0 user@host> show system services dhcp client ge-0/0/1.0
  • Page 154 Name: domain-name, Value: mylab.example.net Sample Output show system services dhcp client statistics user@host> show system services dhcp client statistics Packets dropped: Total Messages received: DHCPOFFER DHCPACK DHCPNAK Messages sent: DHCPDECLINE DHCPDISCOVER DHCPREQUEST DHCPINFORM DHCPRELEASE DHCPRENEW DHCPREBIND
  • Page 155: Part 5 Index

    PART 5 Index Index on page 141
  • Page 157: Index

    LAN....................7 console port..............19 licenses..................47 console port................17 displaying.................133 conventions text and syntax..............xiii curly braces, in configuration statements.....xiv manuals customer support..............xv comments on..............xv contacting JTAC...............xv network address translation..........39 default configuration server..................22 NAT..................7 policies..................7
  • Page 158 See technical support syntax conventions..............xiii system services................10 technical support contacting JTAC...............xv unified threat management..........49 UTM.....................49 antispam................49 antivirus................49 configuration..............51 profiles................54 web filtering................49