Juniper SRX Crash Course

Source: http://3fives.com/juniper-srx-crash-course/

The first thing you want to do is console in, log in as root (no password), jump into the CLI with the “cli” command, and delete the current configuration:

root@R1> edit
Entering configuration mode

[edit]
root@R1# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

Now show your configuration to be sure it’s clean:

[edit]
root@R1# show 

[edit]
root@R1#

Without setting a root password, Junos will not allow you to commit your configuration:

root@R1# set system root-authentication plain-text-password
New password:
Retype new password:

Of course, we’ll want to set a hostname, enable the SSH service, and add a user:

[edit]
root@R1# set system host-name R1 

[edit]
root@R1# set system services ssh 

root@R1# set system login user cjones class super-user full-name "Chris Jones" authentication plain-text-password
New password:
Retype new password:

Let’s have a look at our config so far:

[edit]
cjones@R1# show
## Last changed: 2011-08-08 21:26:28 UTC
system {
    host-name R1;
    root-authentication {
        encrypted-password "$1$rqnMR5or$EkGp.o9TcDxXVtPvmRgqp0"; ## SECRET-DATA
    }
    login {
        user cjones {
            full-name "Chris Jones";
            class super-user;
            authentication {
                encrypted-password "$1$p2RMgNSM$GDlMyrBX05TIaYFwfhz9l."; ## SECRET-DATA
            }
        }
    }
    services {
        ssh;
    }
}

Looks good! We can also see the commands that would be required to re-create the configuration:

[edit]
cjones@R1# show | display set
set system host-name R1
set system root-authentication encrypted-password "$1$rqnMR5or$EkGp.o9TcDxXVtPvmRgqp0"
set system login user cjones full-name "Chris Jones"
set system login user cjones class super-user
set system login user cjones authentication encrypted-password "$1$p2RMgNSM$GDlMyrBX05TIaYFwfhz9l."
set system services ssh

NOTE: If you wanted to paste in a section of “set-based” configuration, you would use:

load set terminal

NOTE: If you wanted to paste in a section of “standard” configuration, you would use:

load merge terminal

NOTE: If you wanted to paste in an entire “standard” configuration, you would use:

load override terminal

Back to our config. The next thing you might want to do is set up an interface on a management subnet. For this we will use a virtual router (VR) in order to keep the management routes separate from the main RIB. In this case, our management network is 10.255.255.0/24 with a gateway of .254.

Configure the interface (fe-0/0/7.0 in this case) and assign the IP address:

[edit]
cjones@R1# set interfaces fe-0/0/7 unit 0 family inet address 10.255.255.1/24

Create the VR and assign fe-0/0/7.0 to it:

[edit]
cjones@R1# set routing-instances MANAGEMENT instance-type virtual-router interface fe-0/0/7.0

Add a static default route to the MANAGEMENT VR:

[edit]
cjones@R1# set routing-instances MANAGEMENT routing-options static route 0.0.0.0/0 next-hop 10.255.255.254

NOTE: The configuration hierarchy within a VR is the same as always; for example, OSPF configuration would be found under “routing-instances MANAGEMENT protocols ospf” just as it would usually be under “protocols ospf”.

Again, let’s take a look at our configuration:

[edit]
cjones@R1# show
## Last changed: 2011-08-08 21:56:40 UTC
system {
    host-name R1;
    root-authentication {
        encrypted-password "$1$rqnMR5or$EkGp.o9TcDxXVtPvmRgqp0"; ## SECRET-DATA
    }
    login {
        user cjones {
            full-name "Chris Jones";
            class super-user;
            authentication {
                encrypted-password "$1$p2RMgNSM$GDlMyrBX05TIaYFwfhz9l."; ## SECRET-DATA
            }
        }
    }
    services {
        ssh;
    }
}
interfaces {
    fe-0/0/7 {
        unit 0 {
            family inet {
                address 10.255.255.1/24;
            }
        }
    }
}
routing-instances {
    MANAGEMENT {
        instance-type virtual-router;
        interface fe-0/0/7.0;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.255.255.254;
            }
        }
    }
}

[edit]
cjones@R1# show | display set
set system host-name R1
set system root-authentication encrypted-password "$1$rqnMR5or$EkGp.o9TcDxXVtPvmRgqp0"
set system login user cjones full-name "Chris Jones"
set system login user cjones class super-user
set system login user cjones authentication encrypted-password "$1$p2RMgNSM$GDlMyrBX05TIaYFwfhz9l."
set system services ssh
set interfaces fe-0/0/7 unit 0 family inet address 10.255.255.1/24
set routing-instances MANAGEMENT instance-type virtual-router
set routing-instances MANAGEMENT interface fe-0/0/7.0
set routing-instances MANAGEMENT routing-options static route 0.0.0.0/0 next-hop 10.255.255.254

NOTE: You’ll notice the “set” display format is significantly shorter, and is therefore a good way to build repetitive configuration in a text editor and paste it in using “load set terminal”.
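The relationship between the two display formats is mechanical: every leaf statement in the brace-style output becomes one “set” line whose prefix is the path of containers it sits inside. The converter below is an added example, not part of the original post and not Juniper's implementation of “display set”; it handles only the constructs seen on this page (brace containers, single-line leaf statements ending in “;”, and “##” comments) and feeds on the post's own configuration as it looked after the MANAGEMENT VR was added, with the user's password line omitted.

```python
from __future__ import annotations

# Constructed input: the post's configuration after the MANAGEMENT VR was
# added, with the cjones password line omitted.
BRACE_CONFIG = """\
## Last changed: 2011-08-08 21:56:40 UTC
system {
    host-name R1;
    root-authentication {
        encrypted-password "$1$rqnMR5or$EkGp.o9TcDxXVtPvmRgqp0"; ## SECRET-DATA
    }
    login {
        user cjones {
            full-name "Chris Jones";
            class super-user;
        }
    }
    services {
        ssh;
    }
}
interfaces {
    fe-0/0/7 {
        unit 0 {
            family inet {
                address 10.255.255.1/24;
            }
        }
    }
}
routing-instances {
    MANAGEMENT {
        instance-type virtual-router;
        interface fe-0/0/7.0;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.255.255.254;
            }
        }
    }
}
"""


def strip_comment(line: str) -> str:
    """Drop a trailing '## ...' comment, ignoring '#' characters inside double quotes."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif not in_quotes and line[i:i + 2] == "##":
            return line[:i]
    return line


def brace_to_set(config: str) -> list:
    """Flatten brace-style Junos configuration into 'set ...' lines, in source order."""
    path = []   # stack of container names we are currently inside
    out = []
    for raw in config.splitlines():
        line = strip_comment(raw).strip()
        if not line:
            continue                              # blank line or comment-only line
        if line == "}":
            path.pop()                            # leave the current container
        elif line.endswith("{"):
            path.append(line[:-1].strip())        # enter a container
        elif line.endswith(";"):
            out.append("set " + " ".join(path + [line[:-1].strip()]))
        else:
            raise ValueError(f"unsupported line: {raw!r}")
    if path:
        raise ValueError("unbalanced braces in configuration")
    return out


if __name__ == "__main__":
    for stmt in brace_to_set(BRACE_CONFIG):
        print(stmt)
```

Run as-is, it prints the same nine “set” lines that the post's “show | display set” output lists for this configuration (the password line aside), which is a quick way to confirm that a hand-edited brace-style file will load the way you expect before pasting it into “load merge terminal”.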

Now we add untrust (outside) and trust (inside) interfaces. Our link to the service provider is 1.2.2.2/30 with a gateway of 1.2.2.1, and our link facing our internal network is 10.0.0.1/24:

[edit]
cjones@R1# set interfaces ge-0/0/1 unit 0 family inet address 1.2.2.2/30 

[edit]
cjones@R1# set interfaces ge-0/0/2 unit 0 family inet address 10.0.0.1/24

Add a default route:

[edit]
cjones@R1# set routing-options static route 0.0.0.0/0 next-hop 1.2.2.1

Now, if you were running in packet mode, you’d be done. Assuming you want your shiny new SRX to function as a firewall too, you will need to set up security.

NOTE: Packet mode is what most Juniper routers run (M/MX, and older J-Series). Flow mode is what new J-Series and branch SRX run. Packet mode works as a traditional router, whereas flow mode integrates features from ScreenOS such as a stateful firewall. To convert your SRX to packet mode (which you don’t want to do in this case), issue the following commands:

delete security
set security forwarding-options family inet6 mode packet-based
set security forwarding-options family mpls mode packet-based

To start the firewall configuration, you first need to create your zones. In our case we will create two zones, one called UNTRUST and one called TRUST. Assign interfaces, as appropriate:

[edit]
cjones@R1# set security zones security-zone UNTRUST interfaces ge-0/0/1.0              

[edit]
cjones@R1# set security zones security-zone TRUST interfaces ge-0/0/2.0

Next we need to create policies. Unless you host Internet-accessible services in the TRUST zone, you will typically want the default behaviour for UNTRUST -> TRUST, which is to deny all traffic. Because this is the default, no policy needs to be configured for that direction.

To allow traffic to pass through your firewall from the TRUST zone to the Internet (UNTRUST), you will need to create a policy. In this case, we’re going to allow all outbound traffic.

[edit]
cjones@R1# set security policies from-zone TRUST to-zone UNTRUST policy PERMIT_ALL match source-address any destination-address any application any

[edit]
cjones@R1# set security policies from-zone TRUST to-zone UNTRUST policy PERMIT_ALL then permit

While not necessary in this case, as we only have one interface in the TRUST zone, we will go ahead and add a policy that allows intra-zone traffic from TRUST -> TRUST:

[edit]
cjones@R1# set security policies from-zone TRUST to-zone TRUST policy PERMIT_ALL match source-address any destination-address any application any

[edit]
cjones@R1# set security policies from-zone TRUST to-zone TRUST policy PERMIT_ALL then permit
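To see why no UNTRUST -> TRUST policy is needed, it helps to model how the SRX picks a policy: the ingress interface maps to a from-zone, the egress zone selects the (from-zone, to-zone) context, and the first policy in that context whose match terms fit the flow decides; if no context or no policy matches, the default is deny. The script below is an added example (not from the original post and not Juniper's code) that applies that model to the post's zone and policy lines. Two things are assumptions of the example rather than facts from the post: the egress zone is passed in directly instead of being derived from a route lookup, and address match terms are taken to be either “any” or a CIDR literal standing in for an address-book entry. A constructed NO_TELNET policy (using the predefined junos-telnet application) is placed ahead of PERMIT_ALL to show that order matters.

```python
from __future__ import annotations
import ipaddress

# Constructed input: the post's zone-membership and TRUST->UNTRUST policy lines,
# plus one constructed policy (NO_TELNET) listed before PERMIT_ALL.
SET_CONFIG = """\
set security zones security-zone UNTRUST interfaces ge-0/0/1.0
set security zones security-zone TRUST interfaces ge-0/0/2.0
set security policies from-zone TRUST to-zone UNTRUST policy NO_TELNET match source-address any
set security policies from-zone TRUST to-zone UNTRUST policy NO_TELNET match destination-address any
set security policies from-zone TRUST to-zone UNTRUST policy NO_TELNET match application junos-telnet
set security policies from-zone TRUST to-zone UNTRUST policy NO_TELNET then deny
set security policies from-zone TRUST to-zone UNTRUST policy PERMIT_ALL match source-address any
set security policies from-zone TRUST to-zone UNTRUST policy PERMIT_ALL match destination-address any
set security policies from-zone TRUST to-zone UNTRUST policy PERMIT_ALL match application any
set security policies from-zone TRUST to-zone UNTRUST policy PERMIT_ALL then permit
"""


def parse_policies(config: str):
    """Return (interface -> zone, (from_zone, to_zone) -> policies in evaluation order)."""
    iface_zone = {}
    contexts = {}
    for line in config.splitlines():
        t = line.split()
        if t[:4] == ["set", "security", "zones", "security-zone"] and t[5:6] == ["interfaces"] and len(t) == 7:
            iface_zone[t[6]] = t[4]
        elif t[:3] == ["set", "security", "policies"] and t[3] == "from-zone" and t[5] == "to-zone":
            plist = contexts.setdefault((t[4], t[6]), [])
            pol = next((p for p in plist if p["name"] == t[8]), None)
            if pol is None:
                pol = {"name": t[8], "source-address": [], "destination-address": [],
                       "application": [], "action": None}
                plist.append(pol)          # first appearance in config = evaluation order
            if t[9] == "match":
                pol[t[10]].append(t[11])
            elif t[9] == "then":
                pol["action"] = t[10]
    return iface_zone, contexts


def _addr_match(entries, ip: str) -> bool:
    # Assumption: an entry is "any" or a CIDR literal standing in for an address-book name.
    return any(e == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(e, strict=False)
               for e in entries)


def evaluate(cfg, in_iface: str, to_zone: str, src: str, dst: str, app: str):
    """Decision for one flow: (action, policy name). to_zone is assumed known from routing."""
    iface_zone, contexts = cfg
    if in_iface not in iface_zone:
        return "deny", "interface-not-in-zone"   # flow mode needs every interface in a zone
    for pol in contexts.get((iface_zone[in_iface], to_zone), []):
        if (_addr_match(pol["source-address"], src)
                and _addr_match(pol["destination-address"], dst)
                and ("any" in pol["application"] or app in pol["application"])):
            return pol["action"], pol["name"]   # first match wins
    return "deny", "default-policy"             # nothing matched: SRX default is deny


if __name__ == "__main__":
    cfg = parse_policies(SET_CONFIG)
    print(evaluate(cfg, "ge-0/0/2.0", "UNTRUST", "10.0.0.50", "203.0.113.10", "junos-http"))
    print(evaluate(cfg, "ge-0/0/2.0", "UNTRUST", "10.0.0.50", "203.0.113.10", "junos-telnet"))
    print(evaluate(cfg, "ge-0/0/1.0", "TRUST", "198.51.100.9", "10.0.0.50", "junos-ssh"))
```

The third call is the interesting one for this section: a flow arriving on ge-0/0/1.0 (UNTRUST) bound for TRUST finds no (UNTRUST, TRUST) context at all and falls through to the default deny, which is exactly why the post configures nothing for that direction.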

Now the next part is a bit tricky, and commonly confuses Junos newbies. While your traffic will now flow, if you want to be able to ping your interfaces (among other things, including routing protocols like OSPF), you will need to allow host-inbound-traffic in the zone. Let’s allow ping to all interfaces in the TRUST zone:

[edit]
cjones@R1# set security zones security-zone TRUST host-inbound-traffic system-services ping

You can configure host-inbound-traffic more specifically per interface as well (we aren’t going to be using OSPF here, but we’ll include it as an example):

[edit]
cjones@R1# set security zones security-zone TRUST interfaces ge-0/0/2.0 host-inbound-traffic system-services ping 

[edit]
cjones@R1# set security zones security-zone TRUST interfaces ge-0/0/2.0 host-inbound-traffic protocols ospf

NOTE: Interface-level host-inbound-traffic configuration completely overrides the zone-level configuration; it is not merged with it. This means both ping and OSPF must be allowed at the interface level, because the zone-level ping entry no longer applies to ge-0/0/2.0 once that interface has its own host-inbound-traffic stanza.
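Because the override is total rather than a merge, the services a given interface actually accepts are easy to get wrong by reading the zone stanza alone. The script below is an added example (not from the original post and not Juniper's code) that computes the effective host-inbound-traffic per interface from the post's “set” lines and adds two constructed TRUST interfaces to show the edge cases: ge-0/0/3.0, whose interface-level stanza allows only OSPF and therefore loses the zone-level ping, and ge-0/0/4.0, which has no interface-level stanza and so inherits the zone-level ping. It also includes a small audit helper that lists which interfaces in a zone expose anything to the device itself, a check worth running against the UNTRUST zone.

```python
from __future__ import annotations

# Constructed input: the post's zone lines plus two constructed TRUST interfaces,
# ge-0/0/3.0 (interface-level stanza with OSPF only) and ge-0/0/4.0 (no stanza).
SET_CONFIG = """\
set security zones security-zone UNTRUST interfaces ge-0/0/1.0
set security zones security-zone TRUST host-inbound-traffic system-services ping
set security zones security-zone TRUST interfaces ge-0/0/2.0 host-inbound-traffic system-services ping
set security zones security-zone TRUST interfaces ge-0/0/2.0 host-inbound-traffic protocols ospf
set security zones security-zone TRUST interfaces ge-0/0/3.0 host-inbound-traffic protocols ospf
set security zones security-zone TRUST interfaces ge-0/0/4.0
set security zones security-zone MANAGEMENT interfaces fe-0/0/7.0 host-inbound-traffic system-services ssh
"""


def _empty() -> dict:
    return {"system-services": set(), "protocols": set()}


def parse_zones(config: str) -> dict:
    """zone -> {system-services, protocols, interfaces: {iface: None | interface-level dict}}"""
    zones = {}
    for line in config.splitlines():
        t = line.split()
        if t[:4] != ["set", "security", "zones", "security-zone"]:
            continue
        zone = zones.setdefault(t[4], {**_empty(), "interfaces": {}})
        rest = t[5:]
        if rest[:1] == ["host-inbound-traffic"]:            # zone-level entry
            zone[rest[1]].add(rest[2])
        elif rest[:1] == ["interfaces"]:
            iface = rest[1]
            zone["interfaces"].setdefault(iface, None)      # None = no interface-level stanza
            if rest[2:3] == ["host-inbound-traffic"]:       # interface-level entry
                if zone["interfaces"][iface] is None:
                    zone["interfaces"][iface] = _empty()
                zone["interfaces"][iface][rest[3]].add(rest[4])
    return zones


def effective_host_inbound(zones: dict, iface: str):
    """Return (zone, system-services, protocols) the device itself will accept on iface."""
    for zname, zone in zones.items():
        if iface in zone["interfaces"]:
            own = zone["interfaces"][iface]
            # An interface-level stanza replaces the zone-level one entirely (no merge).
            src = own if own is not None else zone
            return zname, set(src["system-services"]), set(src["protocols"])
    raise KeyError(f"{iface} is not a member of any security zone")


def exposed_on_zone(zones: dict, zname: str) -> dict:
    """Audit aid: interfaces in zname that accept any host-inbound service or protocol."""
    result = {}
    for iface in zones.get(zname, {"interfaces": {}})["interfaces"]:
        _, services, protocols = effective_host_inbound(zones, iface)
        if services or protocols:
            result[iface] = sorted(services | protocols)
    return result


if __name__ == "__main__":
    zones = parse_zones(SET_CONFIG)
    for iface in ("ge-0/0/1.0", "ge-0/0/2.0", "ge-0/0/3.0", "ge-0/0/4.0", "fe-0/0/7.0"):
        print(iface, effective_host_inbound(zones, iface))
    print("exposed on UNTRUST:", exposed_on_zone(zones, "UNTRUST"))
```

For the post's configuration, exposed_on_zone(..., "UNTRUST") comes back empty, which is what you want on an Internet-facing zone; ge-0/0/3.0 shows ping as not allowed despite the zone-level entry, which is the trap the note describes.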

Now, if you think back to what we have done so far… what are we missing? Of course! We’re missing the ability to accept SSH as host-inbound-traffic on the management interface we configured earlier! Let’s add this to our configuration:

[edit]
cjones@R1# set security zones security-zone MANAGEMENT interfaces fe-0/0/7.0 host-inbound-traffic system-services ssh

NOTE: Since there will never be traffic THROUGH the MANAGEMENT VR (only traffic to the device itself), we have no need for an inter-zone or intra-zone firewall policy there.

Finally, we will need to add NAT to our configuration. Configuring simple source NAT on the SRX in flow mode is easy. In packet mode, not so much. Here we are going to simply NAT everything in the TRUST zone to the IP address of the UNTRUST interface ge-0/0/1.0:

[edit]
cjones@R1# set security nat source rule-set ALL_TRUST from zone TRUST 

[edit]
cjones@R1# set security nat source rule-set ALL_TRUST to zone UNTRUST 

[edit]
cjones@R1# set security nat source rule-set ALL_TRUST rule RULE_1 match source-address 0.0.0.0/0 destination-address 0.0.0.0/0 

[edit]
cjones@R1# set security nat source rule-set ALL_TRUST rule RULE_1 then source-nat interface

Let’s take a look at our NAT configuration:

cjones@R1# show security nat
source {
    rule-set ALL_TRUST {
        from zone TRUST;
        to zone UNTRUST;
        rule RULE_1 {
            match {
                source-address 0.0.0.0/0;
                destination-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    interface;
                }
            }
        }
    }
}

[edit]
cjones@R1# show security nat | display set
set security nat source rule-set ALL_TRUST from zone TRUST
set security nat source rule-set ALL_TRUST to zone UNTRUST
set security nat source rule-set ALL_TRUST rule RULE_1 match source-address 0.0.0.0/0
set security nat source rule-set ALL_TRUST rule RULE_1 match destination-address 0.0.0.0/0
set security nat source rule-set ALL_TRUST rule RULE_1 then source-nat interface

And our entire security section:

[edit]
cjones@R1# show security
nat {
    source {
        rule-set ALL_TRUST {
            from zone TRUST;
            to zone UNTRUST;
            rule RULE_1 {
                match {
                    source-address 0.0.0.0/0;
                    destination-address 0.0.0.0/0;
                }
                then {
                    source-nat {
                        interface;
                    }
                }
            }
        }
    }
}
policies {
    from-zone TRUST to-zone UNTRUST {
        policy PERMIT_ALL {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
}
zones {
    security-zone UNTRUST {
        interfaces {
            ge-0/0/1.0;
        }
    }
    security-zone TRUST {
        host-inbound-traffic {
            system-services {
                ping;
            }
        }
        interfaces {
            ge-0/0/2.0 {
                host-inbound-traffic {
                    system-services {
                        ping;
                    }
                    protocols {
                        ospf;
                    }
                }
            }
        }
    }
    security-zone MANAGEMENT {
        interfaces {
            fe-0/0/7.0 {
                host-inbound-traffic {
                    system-services {
                        ssh;
                    }
                }
            }
        }
    }
}

[edit]
cjones@R1# show security | display set
set security nat source rule-set ALL_TRUST from zone TRUST
set security nat source rule-set ALL_TRUST to zone UNTRUST
set security nat source rule-set ALL_TRUST rule RULE_1 match source-address 0.0.0.0/0
set security nat source rule-set ALL_TRUST rule RULE_1 match destination-address 0.0.0.0/0
set security nat source rule-set ALL_TRUST rule RULE_1 then source-nat interface
set security policies from-zone TRUST to-zone UNTRUST policy PERMIT_ALL match source-address any
set security policies from-zone TRUST to-zone UNTRUST policy PERMIT_ALL match destination-address any
set security policies from-zone TRUST to-zone UNTRUST policy PERMIT_ALL match application any
set security policies from-zone TRUST to-zone UNTRUST policy PERMIT_ALL then permit
set security zones security-zone UNTRUST interfaces ge-0/0/1.0
set security zones security-zone TRUST host-inbound-traffic system-services ping
set security zones security-zone TRUST interfaces ge-0/0/2.0 host-inbound-traffic system-services ping
set security zones security-zone TRUST interfaces ge-0/0/2.0 host-inbound-traffic protocols ospf
set security zones security-zone MANAGEMENT interfaces fe-0/0/7.0 host-inbound-traffic system-services ssh

And that’s it! You now have a fully functional and (mostly) secure firewall! There are plenty of other options that could be configured, including critical system services like NTP and AAA, but this is definitely a good start.

Let’s have a look at our final configuration before committing:

[edit]
cjones@R1# show
## Last changed: 2011-08-08 22:35:43 UTC
system {
    host-name R1;
    root-authentication {
        encrypted-password "$1$rqnMR5or$EkGp.o9TcDxXVtPvmRgqp0"; ## SECRET-DATA
    }
    login {
        user cjones {
            full-name "Chris Jones";
            class super-user;
            authentication {
                encrypted-password "$1$p2RMgNSM$GDlMyrBX05TIaYFwfhz9l."; ## SECRET-DATA
            }
        }
    }
    services {
        ssh;
    }
}
interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 1.2.2.2/30;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 10.0.0.1/24;
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family inet {
                address 10.255.255.1/24;
            }
        }
    }
}
security {
    nat {
        source {
            rule-set ALL_TRUST {
                from zone TRUST;
                to zone UNTRUST;
                rule RULE_1 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone TRUST to-zone UNTRUST {
            policy PERMIT_ALL {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone UNTRUST {
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone TRUST {
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                ge-0/0/2.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                        protocols {
                            ospf;
                        }
                    }
                }
            }
        }
        security-zone MANAGEMENT {
            interfaces {
                fe-0/0/7.0 {
                    host-inbound-traffic {
                        system-services {
                            ssh;
                        }
                    }
                }
            }
        }
    }
}
routing-instances {
    MANAGEMENT {
        instance-type virtual-router;
        interface fe-0/0/7.0;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.255.255.254;
            }
        }
    }
}

[edit]
cjones@R1# show | display set
set system host-name R1
set system root-authentication encrypted-password "$1$rqnMR5or$EkGp.o9TcDxXVtPvmRgqp0"
set system login user cjones full-name "Chris Jones"
set system login user cjones class super-user
set system login user cjones authentication encrypted-password "$1$p2RMgNSM$GDlMyrBX05TIaYFwfhz9l."
set system services ssh
set interfaces ge-0/0/1 unit 0 family inet address 1.2.2.2/30
set interfaces ge-0/0/2 unit 0 family inet address 10.0.0.1/24
set interfaces fe-0/0/7 unit 0 family inet address 10.255.255.1/24
set security nat source rule-set ALL_TRUST from zone TRUST
set security nat source rule-set ALL_TRUST to zone UNTRUST
set security nat source rule-set ALL_TRUST rule RULE_1 match source-address 0.0.0.0/0
set security nat source rule-set ALL_TRUST rule RULE_1 match destination-address 0.0.0.0/0
set security nat source rule-set ALL_TRUST rule RULE_1 then source-nat interface
set security policies from-zone TRUST to-zone UNTRUST policy PERMIT_ALL match source-address any
set security policies from-zone TRUST to-zone UNTRUST policy PERMIT_ALL match destination-address any
set security policies from-zone TRUST to-zone UNTRUST policy PERMIT_ALL match application any
set security policies from-zone TRUST to-zone UNTRUST policy PERMIT_ALL then permit
set security zones security-zone UNTRUST interfaces ge-0/0/1.0
set security zones security-zone TRUST host-inbound-traffic system-services ping
set security zones security-zone TRUST interfaces ge-0/0/2.0 host-inbound-traffic system-services ping
set security zones security-zone TRUST interfaces ge-0/0/2.0 host-inbound-traffic protocols ospf
set security zones security-zone MANAGEMENT interfaces fe-0/0/7.0 host-inbound-traffic system-services ssh
set routing-instances MANAGEMENT instance-type virtual-router
set routing-instances MANAGEMENT interface fe-0/0/7.0
set routing-instances MANAGEMENT routing-options static route 0.0.0.0/0 next-hop 10.255.255.254

Let’s try to check our work:

[edit]
cjones@R1# commit check
configuration check succeeds

Looks good! Go ahead and commit:

[edit]
cjones@R1# commit and-quit
commit complete
Exiting configuration mode

cjones@R1>

Hope that helps!