The other day I bought the long-awaited Juniper SRX100.
Until then I had mainly worked with Cisco and a series of its routers, such as the 2800 and 800.
As far as I understand (I may be mistaken), this device is closer to the class of hardware firewalls.
Below the cut: the initial configuration of this box and getting it onto the Internet.
Turning on
Opened it, unpacked it, connected the console cable, and was surprised to find a power button.
The boot output showed me that this device runs FreeBSD on ARM. Booting with the default configuration took about 3 minutes.
I hadn't read any documentation. I log in.
On the second attempt I guessed it: root, with no password.
Here the next surprise awaited me. There was a console. No, not the CLI, but /bin/sh!
After a look around the Internet, it turned out that to get into the JunOS CLI you have to type, unsurprisingly, "cli".
screen /dev/ttyUSB0
root@hostname% whoami
--- JUNOS 11.2R4.3 built 2011-11-24 08:11:51 UTC
root
root@hostname% cli
root@hostname>
Initial setup
So, the first thing recommended is to create a user other than root.
Next, change the root password.
> show configuration system | display set
set system root-authentication encrypted-password ""
set system login user admin class super-user
set system login user admin authentication encrypted-password ""
(The password hashes are blanked out in the listing above; JunOS stores only the hash, never the cleartext.)
If you would rather be prompted for the password after entering the command, use plain-text-password instead of encrypted-password.
Unlike Cisco, commands are not applied immediately.
To apply the configuration you type
commit
If everything is correct, the response is commit complete.
If there is an error, it tells you where it is.
A root password must be set, no exceptions: otherwise the commit fails, because root-authentication is a mandatory statement.
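As an added example (not from the original post), here is the initial setup done the way I would do it on a fresh box: a named admin account, a root password, SSHv2 only for management with root login denied, and telnet plus the cleartext XNM service (both enabled in the factory services shown later in this post) removed. The host name srx100-edge and the user name admin are assumptions; commit confirmed gives you an automatic rollback window in case the change locks you out.

```junos
## Added example, not from the original post: first-boot hardening, typed in
## configuration mode. Host name and user name are assumptions.
set system host-name srx100-edge
## Prompts interactively for the root password; only the hash is stored
set system root-authentication plain-text-password
## Day-to-day administration through a named account rather than root
set system login user admin class super-user
set system login user admin authentication plain-text-password
## Management services: SSHv2 only, no root over SSH, no cleartext protocols
set system services ssh protocol-version v2
set system services ssh root-login deny
delete system services telnet
delete system services xnm-clear-text
## Validate without applying, then apply with automatic rollback after 10 minutes
## unless a confirming commit follows; the final plain "commit" is that confirmation
commit check
commit confirmed 10
commit
```

If the session drops after commit confirmed and you cannot get back in within the window, the device reverts to the previous configuration on its own, which is exactly what you want when you are changing the management services you are logged in through.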
Viewing the configuration, and operational vs configuration mode
Before I forget: like Cisco IOS, JunOS has two main CLI modes.
1. Operational mode, for executing commands; the prompt ends with ">".
2. Configuration mode, for changing the configuration; the prompt ends with "#".
There is also the shell, whose prompt ends with "%", but we will not need it in the near future.
If you are too lazy to leave configuration mode to execute an operational command, prefix it with
run .
For example:
# run ping ya.ru
To switch to configuration mode type configure; to return to operational mode type exit.
The current configuration can be viewed in both modes.
From operational mode:
show configuration
From configuration mode:
show
The output of these commands is well-structured, readable text.
For example:
show configuration system services
services {
ssh;
telnet;
xnm-clear-text;
web-management {
management-url my-jweb;
http {
interface vlan.0;
}
https {
system-generated-certificate;
}
}
dhcp {
router {
192.168.8.1;
}
pool 192.168.8.0/24 {
address-range low 192.168.8.100 high 192.168.8.200;
}
propagate-settings vlan;
}
}
Readable, but not easy to reapply.
To output the configuration as commands that can easily be transferred between devices, append
| display set
Example output with display set:
show system services | display set
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services web-management management-url my-jweb
set system services web-management http interface vlan.0
set system services web-management https system-generated-certificate
set system services dhcp router 192.168.8.1
set system services dhcp pool 192.168.8.0/24 address-range low 192.168.8.100
set system services dhcp pool 192.168.8.0/24 address-range high 192.168.8.200
set system services dhcp propagate-settings vlan
Hierarchical (formatted) output can also be copied and applied. Here is how:
root@trans-el-service# show security nat proxy-arp
interface vlan.0 {
address {
192.168.8.2/32;
192.168.8.201/32 to 192.168.8.210/32;
}
}
load merge terminal relative
then paste the block, and finish with Ctrl-D on a line of its own. The relative keyword loads the pasted text relative to the current hierarchy level, so run it after moving to the level the block was displayed from (here, edit security nat proxy-arp); without relative, the pasted block has to start from the top of the configuration.
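As an added example (not from the original post), here are both transfer workflows as typed on the receiving device: load set terminal takes display set lines as they are, and load merge terminal relative takes a hierarchical block pasted at the matching hierarchy level. The DHCP and proxy-ARP lines are the post's own. In both cases show | compare shows exactly what the candidate configuration would change before anything is committed.

```junos
## Added example, not from the original post: two ways to reapply copied config.
## 1) "display set" output: paste the set commands, end input with Ctrl-D on its own line
edit
load set terminal
set system services dhcp router 192.168.8.1
set system services dhcp pool 192.168.8.0/24 address-range low 192.168.8.100
set system services dhcp pool 192.168.8.0/24 address-range high 192.168.8.200
set system services dhcp propagate-settings vlan
## <Ctrl-D>
## 2) hierarchical output: move to the level it was displayed from, then merge
## relative to that level; without "relative" the block would have to start
## from the top of the configuration hierarchy
edit security nat proxy-arp
load merge terminal relative
interface vlan.0 {
    address {
        192.168.8.2/32;
        192.168.8.201/32 to 192.168.8.210/32;
    }
}
## <Ctrl-D>
top
## Inspect the diff against the running configuration, validate, then commit
show | compare
commit check
commit
## to throw the pasted changes away instead of committing: rollback 0
```

The diff step matters more than it looks: a block pasted at the wrong level merges silently into the wrong place, and show | compare is where you catch it before commit.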
Network
Interfaces
By default, all interfaces except fe-0/0/0 are switch ports in the VLAN vlan-trust, routed through vlan.0.
I decided to take the first of them out of the VLAN and set it up as the WAN port (its factory ethernet-switching family has to be deleted first, since one logical unit cannot carry both family ethernet-switching and family inet):
set interfaces fe-0/0/1 unit 0 family inet address 11.11.187.104/25 primary
The interface where the computer is plugged in:
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
Configure the VLAN itself:
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0
set interfaces vlan unit 0 family inet address 192.168.8.1/24
Let the gurus correct me: here the first line enables switching between interfaces, and its tail assigns the VLAN. Once I have worked it out properly I will add to this.
Default gateway:
show routing-options | display set
set routing-options static route 0.0.0.0/0 next-hop 11.11.187.1
DNS servers were already configured, but just in case:
set system name-server 8.8.8.8
set system name-server 8.8.4.4
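As an added example (not from the original post), the WAN/LAN change from this section as one candidate configuration, including the step the commands above leave implicit (removing the factory switch-port family from fe-0/0/1, without which the commit fails because a unit cannot carry both families) and the checks a practitioner runs before and after committing. Addresses and interface names are the post's own.

```junos
## Added example, not from the original post: WAN on fe-0/0/1, LAN on vlan.0,
## applied as one change with validation and a rollback window.
edit
## fe-0/0/1 is a switch port in the factory config; family inet cannot coexist with it
delete interfaces fe-0/0/1 unit 0 family ethernet-switching
set interfaces fe-0/0/1 unit 0 family inet address 11.11.187.104/25 primary
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0
set interfaces vlan unit 0 family inet address 192.168.8.1/24
set routing-options static route 0.0.0.0/0 next-hop 11.11.187.1
set system name-server 8.8.8.8
set system name-server 8.8.4.4
## Review the diff and validate; "commit confirmed" reverts automatically if the
## session is lost and no confirming commit follows within 5 minutes
show | compare
commit check
commit confirmed 5
## Verify from configuration mode without leaving it
run show interfaces terse fe-0/0/1
run show route 0.0.0.0/0
run ping 11.11.187.1 count 3
run ping 8.8.8.8 count 3
## Everything answered: make the change permanent
commit
```

The pings are the real test of the default route and of reachability through the upstream; if the one to 8.8.8.8 fails while the gateway answers, the problem is usually the missing source NAT configured in the next section, not the routing.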
NAT
Well, now we come to the most interesting part.
For now I will try to keep it simple; I will go deeper in the next article.
Let's start with source NAT, which is what most routers need in a home or SMB environment.
But before talking about NAT, I have to mention the concept of zones.
Zones group interfaces, and therefore networks, into logical units; firewall policies are written between zones (and, if needed, within a single zone). By default we have 2 zones:
the first,
trust, is responsible for the local network;
the second,
untrust, is responsible for the Internet.
An example:
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.0;
}
}
security-zone untrust {
screen untrust-screen;
host-inbound-traffic {
system-services {
ssh;
ike;
https;
ping;
}
}
interfaces {
fe-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcp;
tftp;
}
}
}
fe-0/0/1.0;
}
}
This example describes exactly those 2 zones. Note that host-inbound-traffic does not govern transit traffic: it lists what the device itself will accept on the zone's interfaces (management services and routing protocols).
In the trust zone, the device accepts every system service and protocol on vlan.0.
In the untrust zone, it accepts only ssh, ike, https and ping on all of the zone's interfaces, plus dhcp and tftp on fe-0/0/0.0 (the factory-default WAN port, whose dhcp entry is what lets it obtain its address as a DHCP client).
This is what decides, for example, whether someone can reach the router over ssh from the Internet: with ssh listed under untrust, the management SSH port is reachable from the untrust side. If you do not intend to manage the box from the Internet, remove ssh and https from the untrust zone's host-inbound-traffic.
Next, we need to describe the permissions for traffic between zones:
show security policies
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
This permits any traffic from trust to untrust. There is no policy in the other direction, and the SRX default policy denies anything not explicitly permitted, so unsolicited connections from the Internet to the LAN are dropped; return traffic of sessions opened from inside is matched against the session table, not against a policy.
Well, the long-awaited source NAT (this sits under the security nat hierarchy): everything from trust to untrust is translated to the address of the egress interface.
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
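As an added example (not from the original post), here is the zone, policy and source NAT configuration of this section in set syntax, tightened the way I would ship it: management is accepted only from the LAN, the Internet side accepts only what the WAN needs, inbound attempts are logged, and the NAT rule matches the LAN prefix instead of 0.0.0.0/0. Interface names and addresses are the post's own; the policy name deny-inbound is an assumption.

```junos
## Added example, not from the original post: zones, policies and source NAT in
## set syntax with a reduced management surface. "deny-inbound" is an assumed name.
## Zone membership: WAN port in untrust, the LAN routed interface in trust
set security zones security-zone untrust interfaces fe-0/0/1.0
set security zones security-zone trust interfaces vlan.0
## host-inbound-traffic is what the box itself answers, not transit traffic.
## Replace "all" on trust with the services actually used (dhcp = the LAN DHCP server).
delete security zones security-zone trust host-inbound-traffic system-services all
delete security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services https
set security zones security-zone trust host-inbound-traffic system-services dhcp
set security zones security-zone trust host-inbound-traffic system-services ping
## No SSH/HTTPS management from the Internet. Keep ike for the planned site-to-site
## IPsec and ping for diagnostics; https would have to come back here for Dynamic VPN.
delete security zones security-zone untrust host-inbound-traffic system-services ssh
delete security zones security-zone untrust host-inbound-traffic system-services https
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust screen untrust-screen
## Transit policy: LAN out to the Internet
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
## Inbound is already denied by the default policy; an explicit, logged deny makes
## probes from the Internet visible in the security log
set security policies from-zone untrust to-zone trust policy deny-inbound match source-address any
set security policies from-zone untrust to-zone trust policy deny-inbound match destination-address any
set security policies from-zone untrust to-zone trust policy deny-inbound match application any
set security policies from-zone untrust to-zone trust policy deny-inbound then deny
set security policies from-zone untrust to-zone trust policy deny-inbound then log session-init
## Source NAT: LAN sources are translated to the WAN interface address (port overloading)
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 192.168.8.0/24
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
commit check
commit
## Verification: zone bindings, policy order, NAT rule hit counts, live sessions
run show security zones
run show security policies
run show security nat source rule all
run show security flow session
```

Matching the NAT rule on the LAN prefix rather than 0.0.0.0/0 means a host that somehow ends up in the trust zone with an address outside 192.168.8.0/24 is not translated, which is the failure you want to notice rather than silently NAT.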
Conclusion
This is my second article on Habr.
I will accept any constructive criticism and will be grateful for it. I am sure I have not really figured out flow policy on this hardware yet. For example, I have not even read about screens.
The next step will be setting up IPsec site-to-site with third-party hardware, and Dynamic VPN. Already implemented; it only remains to write it up.
Not yet implemented, but I will also try to get to it in time:
RADIUS authorization
2 WAN channels
failover.
I also have a similar task on an ASA 5505, but that is another story.
Literature
www.juniper.net/techpubs/en_US/junos11.4/information-products/pathway-pages/srx-series/index.html is the first place to go.
I especially recommend the Security Configuration Guide.
www.juniper.net/techpubs/en_US/junos11.4/information-products/topic-collections/security/software-all/security/index.html
I downloaded it to my tablet and read it thoroughly.