Jsec_12.a-r_lgd

Junos Security 12.a Detailed Lab Guide Worldwide Education Services 1194 North Mathilda Avenue Sunnyvale, CA 94089 USA 408-745-2000 www.juniper.net Course Number: EDU-JUN-JSEC EDU-JUN-JSEC This document is produced by Juniper Networks, Inc. This document or any part thereof may not be reproduced or transmitted in any form under penalty of law, without the prior written permission of Juniper Networks Education Services. Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.  Junos Security Detailed Lab Guide, Guide , Revision 12.a Copyright © 2012, Juniper Networks, Inc. All rights reserved. Printed in USA. Revision History: Revision 9.a—July 2009 Revision 10.a—May 2010 Revision 10.b--December 2010 Revision 12.a—June 2012 The information in this document is current as of the date listed above. The information in this document has been carefully verified and is believed to be accurate for software Release 12.1R1.9. Juniper Networks assumes no responsibilities for any inaccuracies that may appear in this document. In no event will Juniper Networks be liable for direct, indirect, special, exemplary, incidental or consequential damages resulting from any defect or omission in this document, even if a dvised of the possibility of such dama ges. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.  YEAR 2000 NOTICE Juniper Networks hardware and software products do not suffer from Year 2000 problems and hence are Year 2000 compliant. The Junos operating system has no known time-related limitations through the year 20 38. However, the NTP application is known to have some dif ficulty in the year 2036. SOFTWARE LICENSE The terms and conditions for using Juniper Networks software are described in the software license provided with the software, or to the extent applicable, in an agreement executed between you and Juniper Networks, or Juniper Networks agent. By using Juniper Networks software, you indicate that you understand a nd agree to be bound by its license terms and conditions. Generally speaking, the software license restricts the manner in which you are permitted to use the Juniper Networks software, may contain prohibitions against cer tain uses, and may state conditions under which the license is automatically terminated. You should consult the software license for further details. Part 1: Logging In Using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2 1- 2 Part 2: Verifying Network Connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6 Part 3: Configur Configuring ing Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10 Part 4: Monitoring and Verifying the Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-14 Part 1: Accessing Your Device and Monitoring the Default Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2 2- 2 Part 2: Configuring Address Books . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5 Part 3: Configuring Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7 Part 4: Monitoring Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-18 Part 1: Configuring Firewall User Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2 Part 2: Verifying and Monitoring Firewall User Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-12 Part 1: Accessing Your Device and Configuring Screen Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2 4- 2 Part 2: Verifying Screen Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5 Part 3: Monitoring Screen Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-13 Part 1: Interface-Based Source NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2 Part 2: Pool-Based Destination NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-7 Part 3: Pool-Based Source NAT with Overflow Pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-14 Part 1: Configuring a Route-Based IPsec VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2 Part 2: Verifying and Monitoring IPsec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-10 Part 1: Retrieving and Installing the Security Package and IDP License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2 7- 2 Part 2: Installing the IDP License and Security Package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-7 Part 3: Enabling Enabling IDP Policy Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-11 Part 1: Loading the Baseline Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2 Part 2: Preparing and Forming a Chassis Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3 Part 3: Configuring an Active/Active Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-13 Part 4: Monitori Monitoring ng Traffic Traffic Flows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-25 Part 5: Disabling the Chassis Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-36 www.juniper.net Contents • iii iv • Contents www.juniper.net This three-day course covers the configuration, operation, and implementation of SRX Series Services Gateways in a typical network environment. Key topics within this cour se include security technologies such as security zones, security policies, intrusion detection and prevention (IDP), Network Address Translation (NAT), and high availability clusters, as well as details pertaining to basic implementation, configuration, and management. The course includes extensive hands-on labs, in which you configure and monitor the Junos operating system using SRX Series devices. This course is based on Junos OS Release 12.1R1.9. After successfully completing this course, you should be able to perform the following: • Describe traditional routing and security and the current trends in internetworking. • Provide an overview of SRX Series devices and software architecture. • Describe the logical packet flow and session creation performed by SRX Series devices. • Describe, configure, and monitor zones. • Describe, configure, and monitor security policies. • Describe, configure, and monitor firewall user authentication. • Describe various types of network attacks. • Configure and monitor SCREEN options to prevent network attacks. • Explain, implement, and monitor NAT, as implemented on Junos security platforms. • Explain the purpose and mechanics of IP Security (IPsec) virtual private networks (VPNs). • Implement and monitor policy-based and route-based IPsec VPNs. • Utilize and update the IDP signature database. • Configure and monitor IDP policy with policy templates. • Describe, configure, and monitor high availability chassis clusters. The course content is aimed at operators of SRX Series devices. These operators include network engineers, administrators, support personnel, and reseller support personnel.  Junos Security  is an intermediate-level course. Students should have basic networking knowledge and an under standing of the Open Systems Interconnection (OSI) reference model and the TCP/IP protocol suite. Students should also attend the Introduction to the J unos Operating System (IJOS) course and the Junos Routing Essentials (JRE) course, or have equivalent experience prior to attending this class. www.juniper.net Course Overview • v Chapter 1: Course Introduction Chapter 2: Introduction to Junos Security Chapter 3: Zones Lab 1: Configuring and Monitoring Zones Chapter 4: Security Policies Lab 2: Security Policies Chapter 5: Firewall User Authentication Lab 3: Configuring F irewall Authentication Chapter 6: Screen Options Lab 4: Implementing Screen Options Chapter 7: Network Address Translation Lab 5: Network Address Translation Chapter 8: IPsec VPNs Lab 6: Implementing IPsec VPNs Chapter 9: Introduction to Intrusion Detection and Prevention Lab 7: Implementing IDP Chapter 10: High Availability Clustering Theory Chapter 11: High Availability Clustering Implementation Lab 8: Implementing High Availability Techniques Appendix A: SRX Series Hardware and Interfaces vi • Course Agenda www.juniper.net Frequently throughout this course, we refer to text that appears in a command-line interface (CLI) or a graphical user interface (GUI). To make the language of these documents easier to read, we distinguish GUI and CLI text from chapter text according to the following table. Style Description Franklin Gothic Normal text. Courier New Console text: • Screen captures • Noncommand-related syntax GUI text elements: • Menu names • Text field entry Usage Example Most of what you read in the Lab Guide and Student Guide. commit complete Exiting configuration mode Select File > Open, and then click Configuration.conf in the Filename text box.  You will also frequently see cases where you must enter input text yourself. Often these instances will be shown in the context of where you must enter them. We use bold style to distinguish text that is input versus text that is simply displayed. Style Description Usage Example Normal CLI No distinguishing variant. Physical interface:fxp0, Enabled Normal GUI View configuration history by clicking Configuration > History. CLI Input Text that you must enter. GUI Input [email protected]_Jose> show route Select File > Save, and type config.ini in the Filename field. Finally, this course distinguishes between regular text and syntax variables, and it also distinguishes between syntax variables where the value is already assigned (defined variables) and syntax variables where you must assign the value (undefined variables). Note that these styles can be combined with the input style as well. Style Description Usage Example CLI Variable Text where variable value is already assigned. policy my-peers GUI Variable Click my-peers  in the dialog. CLI Undefined  Text where the variable’s value is the user’s discretion and text where the variable’s value as GUI Undefined  shown in the lab guide might differ from the value the user must input. www.juniper.net Type set policy policy-name  . ping 10.0.x.y  Select File > Save, and type  in the Filename field. filename  Document Conventions • vii  You can obtain information on the latest Education Services o fferings, course dates, and class locations from the World Wide Web by pointing your Web browser to: http://www.juniper.net/training/education/. The Junos Security Detailed Lab Guide  was developed and tested using software Release 12.1R1.9. Previous and later versions o f software might behave differently so you should always consult the documentation and release notes for the version of code you are running before reporting errors. This document is written and maintained by the Juniper Networks Education Ser vices development team. Please send questions and suggestions for improvement to [email protected]  You can print technical manuals and release notes directly from the Internet in a variety of formats: • Go to http://www.juniper.net/techpubs/. • Locate the specific software or hardware release and title you need, and choose the format in which you want to view or print the document. Documentation sets and CDs are available through your local Juniper Networks sales office or account representative. For technical support, contact Juniper Networks at http://www.juniper.net/customers/support/, or at 1-888-314-JTAC (within the United States) or 408-745-2121 (from outside the United States). viii • Additional Information www.juniper.net Lab 1 In this lab, you will configure a baseline network for your pod, including interface addressing, routing, and assigning interfaces to zones. The lab is available in two formats: a high-level format designed to make you think through each step and a detailed format that offers step-by-step instructions complete with sample output from most commands. The lab is also designed for modularity, where you might be directed to load a star ting configuration at the beginning of each lab par t. If you are completing the lab from start to finish, there is no need to load the starting configuration for each lab part. By completing this lab, you will per form the following tasks: www.juniper.net • Use the Junos operating system CLI to setup a baseline network. • Implement routing so that all networks are reachable. • Assign interfaces to security zones. • Monitor the effects of your configuration. Configuring and Monitoring Zones (Detailed) • Lab 1–1 12.a.12.1R1.9 Junos Security In this lab part, you become familiar with the access details used to access the lab equipment. Once you are familiar with the access details, you will use the CLI to log in to your team’s designated station. Depending on the class, the lab equipment used might be remote from your physical location. The instructor will inform you as to the nature of your access and will provide you the details needed to access your assigned device. Ensure that you know to which student device you have been assigned. Check with your instructor if you are not certain. Consult the Management Network Diagram to determine the management address of your student device. Question: What is the management address assigned to your student router? Answer: The answer varies. The sample hostname and IP address used in the output examples in this lab are for srxA-1, which uses 10.210.35.131 as its management IP address. The actual management address varies between delivery environments. Access the command-line interface (CLI) at your station using either the console, Telnet, or SSH as directed by your instructor. Lab 1–2 • Configuring and Monitoring Zones (Detailed) www.juniper.net Junos Security Log in as user lab   with the password lab123. Enter configuration mode and load the lab1-start.config   from the /var/home/lab/jsec/ directory. Commit the configuration when complete. srxA-1 (ttyu0) login: lab Password: --- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC [email protected]> configure Entering configuration mode [edit] [email protected]# load override jsec/ lab1-start.config  load complete [edit] [email protected]# commit commit complete [edit] [email protected]#  You might receive a warning message upon committing that you have changed to MPLS flow mode, and that you must reboot the SRX device. If you receive this warning, reboot your assigned SRX device and log back in as user lab   once the device finishes rebooting. View the current configuration of your assigned device. [edit] [email protected]# show security forwarding-options { family { mpls { mode packet-based; } } } www.juniper.net Configuring and Monitoring Zones (Detailed) • Lab 1–3 Junos Security Question: Are any security zones currently configured on your assigned device? Answer: As shown in the output, no zone currently exists in the configuration. Question: What do you notice about the security policy that is set up on your device? Answer: As indicated by the output from srxA-1, currently the device is in packet-based mode that disables the flow-based security feature of Junos. Navigate to the [edit interfaces] hierarchy. Configure the IP address for the ge-0/0/3 interface. Refer to the lab diagram for the appropriate IP address. [edit] [email protected]# edit interfaces [edit interfaces] [email protected]# set ge-0/0/3 unit 0 family inet address local-Internet-interface/   mask [edit interfaces] [email protected]# Configure the lo0 loopback interface IP address. Refer to the lab diagram for the IP address assigned to your device. [edit interfaces] [email protected]# set lo0 unit 0 family inet address local-loopback-address Configure the ge-0/0/4 interface. Enable VLAN-tagging and configure two logical units. Each logical unit number should match its associated VLAN-ID. Refer to the VLAN assignments listed on the network diagram for Labs 1–7. Assign the IP address shown on the lab diagram. Note that the third octet of the IP address should also match the logical unit’s associated VLAN-ID. [edit interfaces] [email protected]# set ge-0/0/4 vlan-tagging [edit interfaces] [email protected]# set ge-0/0/4 unit local-Juniper-unit vlan-id local-Juniper-VLAN  Lab 1–4 • Configuring and Monitoring Zones (Detailed) www.juniper.net Junos Security [edit interfaces] [email protected]# set ge-0/0/4 unit local-Juniper-unit family inet address local-Juniper-interface/mask  [edit interfaces] [email protected]# set ge-0/0/4 unit local-ACME-unit vlan-id local-ACME-VLAN  [edit interfaces] [email protected]# set ge-0/0/4 unit local-ACME-unit family inet address local-ACME-interface/mask Question: Which VLAN-IDs are associated with your assigned device? Answer: The answer varies. The VLAN-IDs associated with srxA-1 are 101 and 201. Configure a static default route that points to the IP address associated with the remote end of the ge-0/0/3 interface for your device. Commit the configuration and return to operational mode. [edit interfaces] [email protected]# up [edit] [email protected]# edit routing-options [edit routing-options] [email protected]# set static route 0/0 next-hop remote-Internet-address [edit routing-options] [email protected]# commit and-quit commit complete Exiting configuration mode [email protected]> STOP www.juniper.net Configuring and Monitoring Zones (Detailed) • Lab 1–5 Junos Security In this lab part, you verify network connectivity within your pod. Enter configuration mode, or go to the top of the configuration hierarchy if you are already in configuration mode, and load the lab1-part2-start.config   from the /var/home/lab/jsec/ directory. Commit the configuration when complete. [edit] [email protected]# load override jsec/ lab1-part2-start.config  load complete [edit] [email protected]# commit commit complete Check the status of your configured interfaces using the run show interfaces terse command. [edit] [email protected]# run show interfaces terse |no-more Interface Admin Link Proto Local ge-0/0/0 up up ge-0/0/0.0 up up inet 10.210.35.131/26 gr-0/0/0 up up ip-0/0/0 up up lsq-0/0/0 up up lt-0/0/0 up up mt-0/0/0 up up sp-0/0/0 up up sp-0/0/0.0 up up inet sp-0/0/0.16383 up up inet 10.0.0.1 10.0.0.6 128.0.0.1 128.0.0.6 ge-0/0/1 up up ge-0/0/2 up up ge-0/0/3 up up ge-0/0/3.0 up up inet 172.18.1.2/30 ge-0/0/4 up up ge-0/0/4.101 up up inet 172.20.101.1/24 ge-0/0/4.201 up up inet 172.20.201.1/24 ge-0/0/4.32767 up up ge-0/0/5 up down ge-0/0/6 up up ge-0/0/7 up up ge-0/0/8 up up ge-0/0/9 up up ge-0/0/10 up up ge-0/0/11 up up ge-0/0/12 up down ge-0/0/13 up down ge-0/0/14 up up Lab 1–6 • Configuring and Monitoring Zones (Detailed) Remote --> --> --> --> 10.0.0.16 0/0 128.0.1.16 0/0 www.juniper.net Junos Security ge-0/0/15 fxp2 fxp2.0 gre ipip irb lo0 lo0.0 lo0.16384 lo0.16385 up up up up up up up up up up up up up up up up up up up up lo0.32768 lsi mtun pimd pime pp0 ppd0 ppe0 st0 tap vlan up up up up up up up up up up up up up up up up up up up up up up tnp 0x1 inet inet inet 192.168.1.1 127.0.0.1 10.0.0.1 10.0.0.16 128.0.0.1 128.0.0.4 128.0.1.16 --> --> --> --> --> --> --> 0/0 0/0 0/0 0/0 0/0 0/0 0/0 Question: What is the administrative status and link status of your configured interfaces? Answer: As shown in the output taken from srxA-1, the administrative status and link status of the configured interfaces should all indicate a status of up. Question: What is the status of your management interface? (Refer to the Management Network Diagram as needed.) Answer: The management interface is ge-0/0/0.0 and should also indicate an administrative status and link status of up. Verify reachability to the remote peer in your pod across the Internet using the ping command. [edit] [email protected]# run ping remote-srx-Internet-address rapid www.juniper.net Configuring and Monitoring Zones (Detailed) • Lab 1–7 Junos Security PING 172.18.2.2 (172.18.2.2): 56 data bytes !!!!! --- 172.18.2.2 ping statistics --5 packets transmitted, 5 packets received, 0% packet loss round-trip min/avg/max/stddev = 1.973/2.169/2.438/0.156 ms Question: Was the ping to your remote peer successful? Answer: As indicated by the output from srxA-1, the ping should be successful. If the ping is not successful, double-check your configuration and notify your instructor. . The next lab steps require you to log in to the virtual router attached to your team’s device. The virtual routers are logical devices created on a J Series Services Router. Refer to the Management Network Diagram for the IP address of the vr-device. Although you have two virtual routers attached to your student device, you only need to establish a single session. Open a separate Telnet session to the virtual router attached to your team device. Lab 1–8 • Configuring and Monitoring Zones (Detailed) www.juniper.net Junos Security Log in to the virtual router using the login information shown in the following table: srxA-1 a1 lab123 srxA-2 a2 lab123 srxB-1 b1 lab123 srxB-2 b2 lab123 srxC-1 c1 lab123 srxC-2 c2 lab123 srxD-1 d1 lab123 srxD-2 d2 lab123 vr-device (ttyd0) login: username  Password: --- JUNOS 11.4R1.6 built 2011-11-15 11:28:05 UTC NOTE: This router is divided into many virtual routers used by different teams. Please only configure your own virtual router. You must use 'configure private' to configure this router. [email protected]> From the Telnet session established with the virtual router, verify reachability to the remote virtual routers connected to the device of your peers using the ping command. Be sure to source your ping from the correct virtual-router routing instance. Keep in mind that when working with virtual routers and routing instances, command syntax is different. If needed, please reference the detailed lab guide for sample command syntax for the individual verification tasks performed within this lab. [email protected]> ping remote-ACME-VR routing-instance local-ACME-VR   rapid PING 172.20.202.10 (172.20.202.10): 56 data bytes !!!!! --- 172.20.202.10 ping statistics --5 packets transmitted, 5 packets received, 0% packet loss www.juniper.net Configuring and Monitoring Zones (Detailed) • Lab 1–9 Junos Security round-trip min/avg/max/stddev = 10.521/14.350/27.952/6.826 ms [email protected]> ping remote-Juniper-VR routing-instance local-Juniper-VR   rapid PING 172.20.102.10 (172.20.102.10): 56 data bytes !!!!! --- 172.20.102.10 ping statistics --5 packets transmitted, 5 packets received, 0% packet loss round-trip min/avg/max/stddev = 3.032/7.958/25.039/8.568 ms [email protected]> ping remote-ACME-VR routing-instance local-Juniper-VR   rapid PING 172.20.202.10 (172.20.202.10): 56 data bytes !!!!! --- 172.20.202.10 ping statistics --5 packets transmitted, 5 packets received, 0% packet loss round-trip min/avg/max/stddev = 4.051/4.551/5.171/0.449 ms [email protected]> ping remote-Juniper-VR routing-instance local-ACME-VR   rapid PING 172.20.102.10 (172.20.102.10): 56 data bytes !!!!! --- 172.20.102.10 ping statistics --5 packets transmitted, 5 packets received, 0% packet loss round-trip min/avg/max/stddev = 3.042/3.559/4.806/0.671 ms Question: Were the pings between remote virtual-routers successful? Answer: As indicated by the output from user a1, the pings should be successful. If the pings are not successful, double-check your configuration and notify your instructor. In this lab part, you remove the current zone configuration and reassign your device interfaces to various security and functional zones. Enter configuration mode, or go to the top of the configuration hierarchy if you are already in configuration mode, and load the lab1-part3-start.config   from the /var/home/lab/jsec/ directory. Commit the configuration when complete. [edit] [email protected]# load override jsec/ lab1-part3-start.config  load complete [edit] [email protected]# commit commit complete Lab 1–10 • Configuring and Monitoring Zones (Detailed) www.juniper.net Junos Security Navigate to the [edit security] configuration hierarchy. [edit] [email protected]# edit security [edit security] [email protected]# View the [edit security] configuration stanza and answer the questions that follow. [edit security] [email protected]# show  forwarding-options { family { mpls { mode packet-based; } } } Question: Which configured security zones are on your assigned device and which interfaces are associated with the configured security zones? Answer: As indicated by the output from srxA-1, currently no security zones are configured. Question: Which configured functional zones are on your assigned device and which interfaces are associated with the configured functional zones? Answer: As indicated by the output, the configuration has no functional zones. Question: Should a user be able to telnet to your assigned device? Why or why not? Answer: The configuration allows telnet to each device. No policies exist that deny traffic, and telnet is also enabled under the [edit system services] hierarchy. www.juniper.net Configuring and Monitoring Zones (Detailed) • Lab 1–11 Junos Security Delete the current security policy. You will create a new policy in the next few steps. [edit security] [email protected]# delete Delete everything under this level? [yes,no] (no) yes [edit security] [email protected]# show  Refer to the lab diagram and configure the untrust security zone, as well as your local Juniper   and ACME   security zones, as labeled on the lab diagram. Add the appropriate network interfaces under each security zone. Be sure to configure only the security zones associated with your assigned device. [edit security] [email protected]# set zones security-zone Juniper-local interfaces ge-0/0/4.local-Juniper-unit [edit security] [email protected]# set zones security-zone ACME-local interfaces ge-0/0/4.local-ACME-unit [edit security] [email protected]# set zones security-zone untrust interfaces ge-0/0/3.0 [edit security] [email protected]# show zones { security-zone Juniper-SV { interfaces {   ge-0/0/4.101; } } security-zone ACME-SV { interfaces {   ge-0/0/4.201; } } security-zone untrust { interfaces {   ge-0/0/3.0; } } } Next, configure a functional zone and associate it with your device’s management interface. [edit security] [email protected]# set zones functional-zone ? Possible completions: Lab 1–12 • Configuring and Monitoring Zones (Detailed) www.juniper.net Junos Security > management Host for out of band management interfaces [edit security] [email protected]# set zones functional-zone management interfaces ge-0/0/0.0 Question: What name did you assign to the functional zone of your device? Why? Answer: Each student should assign a functional zone name of management. As shown in the output, the Junos OS predefines this name. management is the only name the Junos OS allows for a functional zone. Configure the functional zone so that it allows SSH, telnet, ping, traceroute, HTTP, and SNMP local inbound traffic. [edit security] [email protected]# edit zones functional-zone management [edit security zones functional-zone management] [email protected]# set host-inbound-traffic system-services ssh [edit security zones functional-zone management] [email protected]# set host-inbound-traffic system-services telnet [edit security zones functional-zone management] [email protected]# set host-inbound-traffic system-services ping [edit security zones functional-zone management] [email protected]# set host-inbound-traffic system-services traceroute [edit security zones functional-zone management] [email protected]# set host-inbound-traffic system-services http [edit security zones functional-zone management] [email protected]# set host-inbound-traffic system-services snmp [edit security zones functional-zone management] [email protected]# show  interfaces {   ge-0/0/0.0; } host-inbound-traffic { system-services {   ssh;   telnet;   ping;   traceroute;   http;   snmp; www.juniper.net Configuring and Monitoring Zones (Detailed) • Lab 1–13 Junos Security } } [edit security zones functional-zone management] [email protected]# Question: If you needed to allow all services but telnet using the host-inbound-traffic statement, what would be the quickest method? Answer: You could use the system-services all and the system-services telnet except configuration statements to achieve this task with the most efficiency. Commit your configuration and exit configuration mode. [edit security zones functional-zone management] [email protected]# commit and-quit commit complete Exiting configuration mode [email protected]> In this lab par t, you use show commands to monitor the zones you just created. You will also test host inbound traffic. Enter configuration mode, or go to the top of the configuration hierarchy if you are already in configuration mode, and load the lab1-part4-start.config   from the /var/home/lab/jsec/ directory. Commit the configuration when complete. [edit] [email protected]# load override jsec/ lab1-part4-start.config  load complete [edit] [email protected]# commit and-quit commit complete Exiting configuration mode [email protected]> Issue the show security zones command and answer the following questions. Lab 1–14 • Configuring and Monitoring Zones (Detailed) www.juniper.net Junos Security [email protected]> show security zones Functional zone: management Policy configurable: No Interfaces bound: 1   Interfaces:   ge-0/0/0.0 Security zone: ACME-SV Send reset for non-SYN session TCP packets: Off Policy configurable: Yes Interfaces bound: 1   Interfaces:   ge-0/0/4.201 Security zone: Juniper-SV Send reset for non-SYN session TCP packets: Off Policy configurable: Yes Interfaces bound: 1   Interfaces:   ge-0/0/4.101 Security zone: untrust Send reset for non-SYN session TCP packets: Off Policy configurable: Yes Interfaces bound: 1   Interfaces:   ge-0/0/3.0 Security zone: junos-host Send reset for non-SYN session TCP packets: Off Policy configurable: Yes Interfaces bound: 0   Interfaces: Question: Does the output list the zones and associated interfaces you configured? Answer: The answer should be yes. An additional security zone named junos-host, used for secure self traffic, appears in the list. Question: What differences do you notice in the output for the management zone? Answer: The output lists the management zone as a functional zone and security policy is not configurable for the management zone. www.juniper.net Configuring and Monitoring Zones (Detailed) • Lab 1–15 Junos Security Issue the show interfaces ge-0/0/0 extensive command to view detailed information regarding management interface of your device. [email protected]> show interfaces ge-0/0/0 extensive Physical interface: ge-0/0/0, Enabled, Physical link is Up Interface index: 134, SNMP ifIndex: 507, Generation: 137 Description: MGMT Interface - DO NOT DELETE Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 1000mbps, BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled, Remote fault: Online Device flags : Present Running Interface flags: SNMP-Traps Internal: 0x0 Link flags : None CoS queues : 8 supported, 8 maximum usable queues Hold-times : Up 0 ms, Down 0 ms Current address: 00:26:88:e1:54:80, Hardware address: 00:26:88:e1:54:80 Last flapped : 2012-06-12 15:17:15 UTC (01:08:46 ago) Statistics last cleared: Never Traffic statistics: Input bytes : 297963 536 bps Output bytes : 0 0 bps Input packets: 2219 0 pps Output packets: 0 0 pps Input errors: Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0, L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0, FIFO errors: 0, Resource errors: 0 Output errors: Carrier transitions: 1, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 0, FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0, Resource errors: 0 Egress queues: 8 supported, 4 in use Queue counters: Queued packets Transmitted packets Dropped packets 0 best-effort 0 0 0 1 expedited-fo 0 0 0 2 assured-forw 0 0 0 3 network-cont 0 0 0 Queue number: Mapped forwarding classes 0 best-effort 1 expedited-forwarding 2 assured-forwarding 3 network-control Active alarms : None Active defects : None MAC statistics: Receive Transmit Total octets 309903 0 Total packets 2256 0 Unicast packets 37 0 Broadcast packets 50 0 Multicast packets 2169 0 CRC/Align errors 0 0 FIFO errors 0 0 MAC control frames 0 0 MAC pause frames 0 0 Lab 1–16 • Configuring and Monitoring Zones (Detailed) www.juniper.net Junos Security Oversized frames 0 Jabber frames 0 Fragment frames 0 VLAN tagged frames 0 Code violations 0 Filter statistics: Input packet count 0 Input packet rejects 0 Input DA rejects 0 Input SA rejects 0 Output packet count 0 Output packet pad count 0 Output packet error count 0 CAM destination filters: 2, CAM source filters: 0 Autonegotiation information: Negotiation status: Complete Link partner: Link mode: Full-duplex, Flow control: None, Remote fault: OK, Link partner Speed: 1000 Mbps Local resolution: Flow control: None, Remote fault: Link OK  Packet Forwarding Engine configuration: Destination slot: 0 CoS information: Direction : Output CoS transmit queue Bandwidth Buffer Priority Limit % bps % usec 0 best-effort 95 950000000 95 0 low none 3 network-control 5 50000000 5 0 low none Interface transmit statistics: Disabled Logical interface ge-0/0/0.0 (Index 69) (SNMP ifIndex 533) Flags: SNMP-Traps 0x0 Encapsulation: ENET2 Traffic statistics: Input bytes : 297963 Output bytes : 0 Input packets: 2219 Output packets: 0 Local statistics: Input bytes : 297963 Output bytes : 0 Input packets: 2219 Output packets: 0 Transit statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Security: Zone: Management Allowed host-inbound traffic : http ping snmp ssh telnet Flow Statistics : Flow Input statistics : Self packets : 0 ICMP packets : 0 www.juniper.net (Generation 134) 0 0 0 0 bps bps pps pps traceroute Configuring and Monitoring Zones (Detailed) • Lab 1–17 Junos Security   VPN packets : 0 Multicast packets : 0 Bytes permitted by policy : 0 Connections established : 0 Flow Output statistics: Multicast packets : 0 Bytes permitted by policy : 0 Flow error statistics (Packets dropped due to):  Address spoofing: 0 Authentication failed: 0 Incoming NAT errors: 0 Invalid zone received packet: 0 Multiple user authentications: 0 Multiple incoming NAT: 0 No parent for a gate: 0 No one interested in self packets: 0 No minor session: 0 No more sessions: 0 No NAT gate: 0 No route present: 0 No SA for incoming SPI: 0 No tunnel found: 0 No session for a gate: 0 No zone or NULL zone binding 0 Policy denied: 0 Security association not active: 0 TCP sequence number out of window: 0 Syn-attack protection: 0 User authentication errors: 0 Protocol inet, MTU: 1500, Generation: 148, Route table: 0 Flags: Sendbcast-pkt-to-re, Is-Primary Addresses, Flags: Is-Preferred Is-Primary Destination: 10.210.35.128/26, Local: 10.210.35.131, Broadcast: 10.210.35.191, Generation: 142 Question: What zone details are you able to ascertain with this output? Answer: The security portion of the output lists logical interface zone assignment, allowed host inbound traffic, and flow statistics. Lab 1–18 • Configuring and Monitoring Zones (Detailed) www.juniper.net Junos Security Verify that you are able to telnet to the management IP address of your assigned device. Refer to the Management Network Diagram as needed. srxA-1 (ttyp0) login: ^C Question: Was the telnet attempt successful? Answer: As shown, the telnet attempt should succeed. If the telnet attempt is not successful, check your configuration and notify the instructor. STOP www.juniper.net Configuring and Monitoring Zones (Detailed) • Lab 1–19 Junos Security Lab 1–20 • Configuring and Monitoring Zones (Detailed) www.juniper.net Lab 2 In this lab, you will implement security policies designed to allow only necessary traffic between zones within your pod. You will configure custom applications, a scheduler, and security logging and monitor the effects of your changes. The lab is available in two formats: a high-level format designed to make you think through each step and a detailed format that offers step-by-step instructions complete with sample output from most commands. The lab is also designed for modularity, where you might be directed to load a star ting configuration at the beginning of each lab par t. If you are completing the lab from start to finish, there is no need to load the starting configuration for each lab part. By completing this lab, you will per form the following tasks: www.juniper.net • Define zone address books necessary for security policy. • Implement security policies between zones within your assigned pod. • Assign schedulers to security policies. • Implement security logging to a remote syslog server. • Monitor the effects of your configuration. Security Policies (Detailed) • Lab 2–1 12.a.12.1R1.9 Junos Security In this lab part, you become familiar with the access details used to access the lab equipment. Once you are familiar with the access details, you will use the CLI to log in to your designated station. Next, you will load the starting configuration for Lab 2. Then, you will monitor the default policy configuration that denies all traffic between zones. Depending on the class, the lab equipment used might be remote from your physical location. The instructor will inform you as to the nature of your access and will provide you the details needed to access your assigned device. Ensure that you know to which student device you have been assigned. Check with your instructor if you are not certain. Consult the Management Network Diagram to determine the management address of your student device. Question: What is the management address assigned to your station? Answer: The answer varies; in this example the user is assigned to the srxC-1 station, which uses an IP address of 10.210.14.135. Access the CLI at your station using either the console, Telnet, or SSH as directed by your instructor. Refer to the Management Network Diagram for the IP address associated with your workstation. The following example is based on simple Telnet access using the Secure CRT program. Lab 2–2 • Security Policies (Detailed) www.juniper.net Junos Security Log in as user lab   with the password lab123. Enter configuration mode and load the lab2-start.config   from the /var/home/lab/jsec/ directory. After you have finished loading the configuration, commit the changes and exit to operational mode. srxC-1 (ttyu0) login: lab  Password: --- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC [email protected]> configure Entering configuration mode [edit] [email protected]# load override jsec/ lab2-start.config [edit] [email protected]# commit commit complete [edit] [email protected]# The next lab steps require you to log in to the virtual router attached to your team’s device. The virtual routers are logical devices created on a J Series Services Router. Refer to the Management Network Diagram for the IP address of the vr-device. www.juniper.net Security Policies (Detailed) • Lab 2–3 Junos Security Open a separate Telnet session to the virtual router attached to your team device. Log in to the virtual router using the login information shown in the following table: srxA-1 a1 lab123 srxA-2 a2 lab123 srxB-1 b1 lab123 srxB-2 b2 lab123 srxC-1 c1 lab123 srxC-2 c2 lab123 srxD-1 d1 lab123 srxD-2 d2 lab123 login: c1 Password: --- JUNOS 11.4R3.7 built 2012-05-14 22:22:03 UTC NOTE: This router is divided into many virtual routers used by different teams. Please only configure your own virtual router. You must use 'configure private' to configure this router. [email protected]> Lab 2–4 • Security Policies (Detailed) www.juniper.net Junos Security Attempt to ping the virtual routers attached to the remote student device within your pod. Ensure you source the ping from the appropriate routing instance. Refer to the lab diagram as needed. [email protected]> ping remote-Juniper-VR routing-instance local-Juniper-VR rapid  PING 172.20.106.10 (172.20.106.10): 56 data bytes ..... --- 172.20.106.10 ping statistics --5 packets transmitted, 0 packets received, 100% packet loss [email protected]> ping remote-ACME-VR routing-instance local-Juniper-VR rapid  PING 172.20.206.10 (172.20.206.10): 56 data bytes ..... --- 172.20.206.10 ping statistics --5 packets transmitted, 0 packets received, 100% packet loss [email protected]> ping remote-Juniper-VR routing-instance local-ACME-VR rapid  PING 172.20.106.10 (172.20.106.10): 56 data bytes ..... --- 172.20.106.10 ping statistics --5 packets transmitted, 0 packets received, 100% packet loss [email protected]> ping remote-ACME-VR routing-instance local-ACME-VR rapid  PING 172.20.206.10 (172.20.206.10): 56 data bytes ..... --- 172.20.206.10 ping statistics --5 packets transmitted, 0 packets received, 100% packet loss Question: Did the ping test succeed? Why or why not? Answer: As demonstrated in the output, the ping test should not succeed. Your assigned device has no configured security policy. The default security policy action is to deny all transit traffic as shown in the following capture: [email protected]> show security policies Default policy: deny-all In this lab part, you configure the address book entries necessary for implementing security policies within your pod. Return to the Telnet session established with your assigned SRX device. www.juniper.net Security Policies (Detailed) • Lab 2–5 Junos Security From the Telnet session established with your assigned, enter configuration mode and configure the networks associated with the remote team’s virtual routers under the untrust zone as address book addresses. Ensure you include the entire /24 network associated with each remote virtual router and name the address book entries after their associated virtual router names. [email protected]> configure Entering configuration mode [edit] [email protected]# edit security zones security-zone untrust [edit security zones security-zone untrust] [email protected]# set address-book address remote-Juniper-vrName remote-Juniper-subnet [edit security zones security-zone untrust] [email protected]# set address-book address remote-ACME-vrName remote-ACME-subnet [edit security zones security-zone untrust] [email protected]# show address-book address vr106 172.20.106.0/24; address vr206 172.20.108.0/24; [edit security zones security-zone untrust] [email protected]# Add the remote /30 network between the Internet and the remote student device in your pod to the untrust zone address book. Configure this address entry to use the same name as the remote student device in your pod. [edit security zones security-zone untrust] [email protected]# set address-book address remote-srx-name remote-srx-Internet-subnet [edit security zones security-zone untrust] [email protected]# show address-book address vr106 172.20.106.0/24; address vr206 172.20.108.0/24; address srxC-2 172.18.2.0/30; Add the Internet host’s address as an address book entr y in the untrust zone. Name this entry internet-host. [edit security zones security-zone untrust] [email protected]# set address-book address internet-host 172.31.15.1/32 [edit security zones security-zone untrust] [email protected]# show address-book address vr108 172.20.108.0/24; address vr208 172.20.208.0/24; address srxC-2 172.18.2.0/30; address internet-host 172.31.15.1/32; Lab 2–6 • Security Policies (Detailed) www.juniper.net Junos Security For the virtual routers attached to your assigned device, configure the /24 network addresses as address book entries within their respective zones. Name these address book entries with the same name as their associated virtual routers. [edit security zones security-zone untrust] [email protected]# up [edit security zones] [email protected]# set security-zone Juniper  -local address-book address local-Juniper-vrName local-Juniper-subnet [edit security zones] [email protected]# set security-zone ACME  -local address-book address local-ACME-vrName local-ACME-subnet [edit security zones] [email protected]# show security-zone Juniper  -local address-book { address vr105 172.20.105.0/24; } interfaces {   ge-0/0/4.105; } [edit security zones] [email protected]# show security-zone ACME  -local address-book { address vr205 172.20.205.0/24; } interfaces {   ge-0/0/4.205; } [edit security zones] [email protected]# STOP In this lab part, you will establish and configure security policies that enable the necessary traffic flow between the security zones. Pay close attention to the instructions throughout this lab. Some tasks might not be relevant to your assigned device. www.juniper.net Security Policies (Detailed) • Lab 2–7 Junos Security Enter configuration mode, or go to the top of the configuration hierarchy if you are already in configuration mode, and load the lab2-part3-start.config   from the /var/home/lab/jsec/ directory. Commit the configuration when complete. [edit security zones] [email protected]# top [edit] [email protected]# load override jsec/ lab2-part3-start.config [edit] [email protected]# commit commit complete [edit] [email protected]# Create security policies named intrazone-Juniper-local and intrazone-ACME-local that allows all intra-zone traffic associated with your attached virtual routers to pass through your assigned device. (Hint: Use the any keyword to save keystrokes.) [edit] [email protected]# edit security policies from-zone Juniper  -local to-zone Juniper  -local policy intrazone-Juniper  -local [edit security policies from-zone Juniper-SV to-zone Juniper-SV policy intrazone-Juniper-SV] [email protected]# set match source-address any [edit security policies from-zone Juniper-SV to-zone Juniper-SV policy intrazone-Juniper-SV] [email protected]# set match destination-address any [edit security policies from-zone Juniper-SV to-zone Juniper-SV policy intrazone-Juniper-SV] [email protected]# set match application any [edit security policies from-zone Juniper-SV to-zone Juniper-SV policy intrazone-Juniper-SV] [email protected]# set then permit [edit security policies from-zone Juniper-SV to-zone Juniper-SV policy intrazone-Juniper-SV] [email protected]# show  match { source-address any; destination-address any; application any; } then {   permit; } Lab 2–8 • Security Policies (Detailed) www.juniper.net Junos Security [edit security policies from-zone Juniper-SV to-zone Juniper-SV policy intrazone-Juniper-SV] [email protected]# up 2 [edit security policies] [email protected]# edit from-zone ACME  -local to-zone ACME  -local policy intrazone-ACME  -local [edit security policies from-zone ACME-SV to-zone ACME-SV policy intrazone-ACME-SV] [email protected]# set match source-address any [edit security policies from-zone ACME-SV to-zone ACME-SV policy intrazone-ACME-SV] [email protected]# set match destination-address any [edit security policies from-zone ACME-SV to-zone ACME-SV policy intrazone-ACME-SV] [email protected]# set match application any [edit security policies from-zone ACME-SV to-zone ACME-SV policy intrazone-ACME-SV] [email protected]# set then permit [edit security policies from-zone ACME-SV to-zone ACME-SV policy intrazone-ACME-SV] [email protected]# show  match { source-address any; destination-address any; application any; } then {   permit; } [edit security policies from-zone ACME-SV to-zone ACME-SV policy intrazone-ACME-SV] [email protected]# Configure security policies allowing all traffic from the virtual router zones to the untrust zone. Name these policies internet-Juniper-local and internet-ACME-local. For this step, match on the appropriate source address using the associated virtual router address book entries. [edit security policies from-zone ACME-SV to-zone ACME-SV policy intrazone-ACME-SV] [email protected]# up 2 [edit security policies] [email protected]# edit from-zone Juniper  -local to-zone untrust policy internet-Juniper  -local www.juniper.net Security Policies (Detailed) • Lab 2–9 Junos Security [edit security policies from-zone Juniper-SV to-zone untrust policy internet-Juniper-SV] [email protected]# set match source-address local-Juniper-vrName  [edit security policies from-zone Juniper-SV to-zone untrust policy internet-Juniper-SV] [email protected]# set match destination-address any [edit security policies from-zone Juniper-SV to-zone untrust policy internet-Juniper-SV] [email protected]# set match application any [edit security policies from-zone Juniper-SV to-zone untrust policy internet-Juniper-SV] [email protected]# set then permit [edit security policies from-zone Juniper-SV to-zone untrust policy internet-Juniper-SV] [email protected]# show  match { source-address vr105; destination-address any; application any; } then {   permit; } [edit security policies from-zone Juniper-SV to-zone untrust policy internet-Juniper-SV] [email protected]# up 2 [edit security policies] [email protected]1# edit from-zone ACME  -local to-zone untrust policy -local internet-ACME  [edit security policies from-zone ACME-SV to-zone untrust policy internet-ACME-SV] [email protected]# set match source-address local-ACME-vrName  [edit security policies from-zone ACME-SV to-zone untrust policy internet-ACME-SV] [email protected]# set match destination-address any [edit security policies from-zone ACME-SV to-zone untrust policy internet-ACME-SV] [email protected]# set match application any [edit security policies from-zone ACME-SV to-zone untrust policy internet-ACME-SV] [email protected]# set then permit [edit security policies from-zone ACME-SV to-zone untrust policy internet-ACME-SV] [email protected]# show  Lab 2–10 • Security Policies (Detailed) www.juniper.net Junos Security match { source-address vr205; destination-address any; application any; } then {   permit; } [edit security policies from-zone ACME-SV to-zone untrust policy internet-ACME-SV] [email protected]# Next define a security policy the rejects FTP connections sourced from the your local Juniper zone that are destined to the untrust zone. Name this policy deny-ftp-Juniper-local. [edit security policies from-zone ACME-SV to-zone untrust policy internet-ACME-SV] [email protected]# up 2 [edit security policies] [email protected]# edit from-zone Juniper  -local to-zone untrust policy -local deny-ftp-Juniper  [edit security policies from-zone Juniper-SV to-zone untrust policy deny-ftp-Juniper-SV] [email protected]# set match source-address any [edit security policies from-zone Juniper-SV to-zone untrust policy deny-ftp-Juniper-SV] [email protected]# set match destination-address any [edit security policies from-zone Juniper-SV to-zone untrust policy deny-ftp-Juniper-SV] [email protected]# set match application junos-ftp [edit security policies from-zone Juniper-SV to-zone untrust policy deny-ftp-Juniper-SV] [email protected]# set then reject [edit security policies from-zone Juniper-SV to-zone untrust policy deny-ftp-Juniper-SV] [email protected]# show  match { source-address any; destination-address any; application junos-ftp; } then {   reject; } www.juniper.net Security Policies (Detailed) • Lab 2–11 Junos Security Commit the configuration. [edit security policies from-zone Juniper-SV to-zone untrust policy deny-ftp-Juniper-SV] [email protected]# commit commit complete Return to the Telnet session established with the virtual router. From the Telnet session established with the virtual router, attempt to open an FTP session to the remote Internet host located at 172.31.15.1. Remember to source the FTP from the routing instance associated with the local Juniper zone. Use the Ctrl+C key sequence to close the FTP connection. [email protected]> ftp 172.31.15.1 routing-instance local-Juniper-VR  Connected to 172.31.15.1. 220 vr-device FTP server (Version 6.00LS) ready. Name (172.31.15.1:c1): ^C [email protected]> Question: Were you able to initiate an FTP session to the Internet host? Why or why not? Answer: As demonstrated in the output, the FTP session should succeed. Although you configured a security policy explicitly rejecting this connection, policy ordering has effectively caused the device to ignore this policy. Return to the Telnet session established with your assigned SRX device. From the Telnet session established with assigned SRX device, reorder the policies so that the deny-ftp-Juniper-local  policy appears in the list before the internet-Juniper-local  policy. Commit your configuration. [edit security policies from-zone Juniper-SV to-zone untrust policy deny-ftp-Juniper-SV] [email protected]# up [edit security policies from-zone Juniper-SV to-zone untrust] [email protected]# show  policy internet-Juniper-SV { match { source-address vr105; destination-address any; application any; } then {   permit; } Lab 2–12 • Security Policies (Detailed) www.juniper.net Junos Security } policy deny-ftp-Juniper-SV { match { source-address any; destination-address any; application junos-ftp; } then {   reject; } } [edit security policies from-zone Juniper-SV to-zone untrust] [email protected]# insert policy deny-ftp-Juniper-local before policy internet-Juniper-local [edit security policies from-zone Juniper-SV to-zone untrust] [email protected]# show  policy deny-ftp-Juniper-SV { match { source-address any; destination-address any; application junos-ftp; } then {   reject; } } policy internet-Juniper-SV { match { source-address vr107; destination-address any; application any; } then {   permit; } } [edit security policies from-zone Juniper-SV to-zone untrust] [email protected]# commit commit complete [edit security policies from-zone Juniper-SV to-zone untrust] [email protected]# Return to the Telnet session established with the virtual router. From the Telnet session established with the virtual router, try the FTP connection again. (Note: Exit the FTP application by issuing the bye command.) www.juniper.net Security Policies (Detailed) • Lab 2–13 Junos Security Keep in mind that when working with virtual routers and routing instances, command syntax can differ. If needed, please reference the Detailed Lab Guide for sample command syntax for the individual verification tasks performed within this lab. [email protected]> ftp 172.31.15.1 routing-instance local-Juniper-VR  ftp: connect: Connection refused ftp> bye [email protected]> Question: Were you able to initiate an FTP session to the Internet host this time? Answer: As demonstrated in the output, the FTP session does not succeed. The reordering of policies produces the expected behavior. Question: Are you able to ping the Internet host? Answer: As demonstrated in the following output, a ping to the Internet host should succeed. If the ping test fails, re-check your configuration and notify your instructor. [email protected]> ping 172.31.15.1 routing-instance local-Juniper-VR   rapid PING 172.31.15.1 (172.31.15.1): 56 data bytes !!!!! --- 172.31.15.1 ping statistics --5 packets transmitted, 5 packets received, 0% packet loss round-trip min/avg/max/stddev = 3.080/12.962/47.159/17.112 ms Return to the Telnet session established with your assigned SRX device. From the Telnet session established with assigned SRX device, create a custom application named Juniper-gizmo   that uses UDP, a source port of 50000, and a destination port of 50001. [edit security policies from-zone Juniper to-zone untrust] [email protected]# top [edit] [email protected]# edit applications application Juniper-gizmo  [edit applications application Juniper-gizmo] [email protected]# set source-port 50000 Lab 2–14 • Security Policies (Detailed) www.juniper.net Junos Security [edit applications application Juniper-gizmo] [email protected]# set destination-port 50001 [edit applications application Juniper-gizmo] [email protected]# set protocol udp [edit applications application Juniper-gizmo] [email protected]# show  protocol udp; source-port 50000; destination-port 50001; [edit applications application Juniper-gizmo] [email protected]# Create an application set named internal-apps that includes the , junos-telnet, and junos-ping   applications. Juniper-gizmo  [edit applications application Juniper-gizmo] [email protected]# up [edit applications] [email protected]# edit application-set internal-apps [edit applications application-set internal-apps] [email protected]# set application Juniper-gizmo  [edit applications application-set internal-apps] [email protected]# set application junos-telnet [edit applications application-set internal-apps] [email protected]# set application junos-ping [edit applications application-set internal-apps] [email protected]# show  application Juniper-gizmo; application junos-telnet; application junos-ping; Configure security policies that permit the internal-apps  applications between your local Juniper security zone and the remote Juniper security zones. Because the Juniper zones are separated by the Internet, you must reference the untrust zone when configuring the security policies. Name the policy  matches Juniper-remote-to-Juniper-local, where Juniper-remote  the zone from which traffic is sourced and Juniper-local matches the zone to which the traffic is sent. Do not use the any option in the configuration of this policy. [edit applications application-set internal-apps] [email protected]# top [edit] [email protected]# edit security policies from-zone untrust to-zone Juniper  -local www.juniper.net Security Policies (Detailed) • Lab 2–15 Junos Security [edit security policies from-zone untrust to-zone Juniper-SV] [email protected]# set policy Juniper  -remote-to-Juniper  -local match source-address remote-Juniper-vrName  [edit security policies from-zone untrust to-zone Juniper-SV] [email protected]# set policy Juniper  -remote-to-Juniper  -local match destination-address local-Juniper-vrName  [edit security policies from-zone untrust to-zone Juniper-SV] [email protected]# set policy Juniper  -remote-to-Juniper  -local match application internal-apps [edit security policies from-zone untrust to-zone Juniper-SV] [email protected]# set policy Juniper  -remote-to-Juniper  -local then permit [edit security policies from-zone untrust to-zone Juniper-SV] [email protected]# show  policy Juniper-WF-to-Juniper-SV { match { source-address vr106; destination-address vr105; application internal-apps; } then {   permit; } } [edit security policies from-zone untrust to-zone Juniper-SV] [email protected]# Question: How many new policies must you define to allow internal-apps  traffic bi-directionally? Answer: Both devices within your assigned pod already have policies defined allowing all internal traffic destined to the untrust zone (with the exception of FTP traffic). For each device you must configure one policy allowing the internal-apps to the appropriate zone from the untrust zone. Create a scheduler named internal-apps-scheduler  . The scheduler should allow traffic between the hours of 3 a.m. and 11 p.m., Monday through Friday. Apply the new scheduler to the Juniper-remote-to-Juniper-local  security policy. [edit security policies from-zone untrust to-zone Juniper-SV] [email protected]# top Lab 2–16 • Security Policies (Detailed) www.juniper.net Junos Security [edit] [email protected]# edit schedulers scheduler internal-apps-scheduler  [edit schedulers scheduler internal-apps-scheduler] [email protected]# set daily start-time 03:00:00 stop-time 23:00:00 [edit schedulers scheduler internal-apps-scheduler] [email protected]# set saturday exclude [edit schedulers scheduler internal-apps-scheduler] [email protected]# set sunday exclude [edit schedulers scheduler internal-apps-scheduler] [email protected]# show  daily { start-time 03:00:00 stop-time 23:00:00; } sunday exclude; saturday exclude; [edit schedulers scheduler internal-apps-scheduler] [email protected]# top [edit] [email protected]# edit security policies from-zone untrust to-zone Juniper-local [edit security policies from-zone untrust to-zone Juniper-SV] [email protected]# set policy Juniper  -remote-to-Juniper  -local scheduler-name internal-apps-scheduler  [edit security policies from-zone untrust to-zone Juniper-SV] [email protected]# show policy Juniper  -remote-to-Juniper  -local match { source-address vr108; destination-address vr107; application internal-apps; } then {   permit; } scheduler-name internal-apps-scheduler; [edit security policies from-zone untrust to-zone Juniper-SV] [email protected]# Apply logging to session initiations and session closes in the Juniper-remote-to-Juniper-local  policy. [edit security policies from-zone untrust to-zone Juniper-SV] [email protected]# set policy Juniper  -remote-to-Juniper  -local then log session-init [edit security policies from-zone untrust to-zone Juniper-SV] [email protected]# set policy Juniper  -remote  -to-Juniper  -local then log session-close www.juniper.net Security Policies (Detailed) • Lab 2–17 Junos Security [edit security policies from-zone untrust to-zone Juniper-SV] [email protected]# show  policy Juniper-WF-to-Juniper-SV { match { source-address vr108; destination-address vr107; application internal-apps; } then {   permit; log {   session-init;   session-close; } } scheduler-name internal-apps-scheduler; } Commit the configuration and return to operational mode. [edit security policies from-zone untrust to-zone Juniper-SV] [email protected]# commit and-quit commit complete Exiting configuration mode [email protected]> Question: Does the commit operation succeed? Answer: As demonstrated in the output, the commit should succeed. If you receive an error, re-check your configuration steps and involve your instructor as needed. STOP In this lab part, you monitor the results of your configuration with command outputs and logging. Enter configuration mode, or go to the top of the configuration hierarchy if you are already in configuration mode, and load the lab2-part4-start.config   from the /var/home/lab/jsec/ directory. Commit the configuration when complete. Lab 2–18 • Security Policies (Detailed) www.juniper.net Junos Security [email protected]> configure Entering configuration mode [edit] [email protected]# load override jsec/ lab2-part4-start.config [edit] [email protected]# commit commit complete [edit] [email protected]# View the security policies in effect on your assigned device by issuing the show security policies command and answer the following questions. [email protected]> show security policies Default policy: deny-all From zone: Juniper-SV, To zone: Juniper-SV Policy: interazone-Juniper-SV, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1 Source addresses: any Destination addresses: any Applications: any Action: permit From zone: Juniper-SV, To zone: untrust Policy: deny-ftp-Juniper-SV, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1 Source addresses: any Destination addresses: any Applications: junos-ftp Action: reject Policy: internet-Juniper-SV, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 2 Source addresses: vr105 Destination addresses: any Applications: any Action: permit From zone: ACME-SV, To zone: ACME-SV Policy: intrazone-ACME-SV, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1 Source addresses: any Destination addresses: any Applications: any Action: permit From zone: ACME-SV, To zone: untrust Policy: internet-ACME-SV, State: enabled, Index: 8, Scope Policy: 0, Sequence number: 1 Source addresses: vr205 Destination addresses: any Applications: any Action: permit From zone: untrust, To zone: Juniper-SV www.juniper.net Security Policies (Detailed) • Lab 2–19 Junos Security Policy: Juniper-SV-to-Juniper-WF, State: disabled, Index: 9, Scope Policy: 0, Sequence number: 1 Source addresses: vr106 Destination addresses: vr105 Applications: internal-apps Action: permit, log, scheduled Question: What is the total number of active security policies on your assigned device? Answer: You should see a total of six enabled security policies. If you do not see six enabled security policies, review your configuration steps. Question: What command can you use to view more detailed information about security policies such as the address book prefixes and application port information? Answer: Use the same command with the detail option to view a more verbose output: [email protected]> show security policies ? Possible completions: Execute this command application-firewall Show the information of application-firewall count Number of policies to show (1..65535) detail Show the detailed information from-zone Show the policy information matching the given source zone global Show the policy information of global policies hit-count Show the hit count of policies   policy-name Show the policy information matching the given policy name start Show the policies from a given position (1..65535) to-zone Show the policy information matching the given destination zone zone-context Show the count of policies in each context (from-zone and to-zone) | Pipe through a command [email protected]> show security policies detail Default policy: deny-all Policy: interazone-Juniper-SV, action-type: permit, State: enabled, Index: 4, Scope Policy: 0 Policy Type: Configured Sequence number: 1 From zone: Juniper-SV, To zone: Juniper-SV Source addresses: any-ipv4: 0.0.0.0/0 any-ipv6: ::/0 Destination addresses: any-ipv4: 0.0.0.0/0 any-ipv6: ::/0 Lab 2–20 • Security Policies (Detailed) www.juniper.net Junos Security Application: any IP protocol: 0, ALG: 0, Inactivity timeout: 0 Source port range: [0-0] Destination port range: [0-0] Per policy TCP Options: SYN check: No, SEQ check: No Policy: deny-ftp-Juniper-SV, action-type: reject, State: enabled, Index: Scope Policy: 0 Policy Type: Configured Sequence number: 1 From zone: Juniper-SV, To zone: untrust Source addresses: any-ipv4: 0.0.0.0/0 any-ipv6: ::/0 Destination addresses: any-ipv4: 0.0.0.0/0 any-ipv6: ::/0 Application: junos-ftp IP protocol: tcp, ALG: ftp, Inactivity timeout: 1800 Source port range: [0-0] Destination port range: [21-21] Per policy TCP Options: SYN check: No, SEQ check: No Policy: internet-Juniper-SV, action-type: permit, State: enabled, Index: Scope Policy: 0 Policy Type: Configured Sequence number: 2 From zone: Juniper-SV, To zone: untrust Source addresses: vr105: 172.20.105.0/24 Destination addresses: any-ipv4: 0.0.0.0/0 any-ipv6: ::/0 Application: any IP protocol: 0, ALG: 0, Inactivity timeout: 0 Source port range: [0-0] Destination port range: [0-0] Per policy TCP Options: SYN check: No, SEQ check: No Policy: intrazone-ACME-SV, action-type: permit, State: enabled, Index: 5, Policy: 0 Policy Type: Configured Sequence number: 1 From zone: ACME-SV, To zone: ACME-SV Source addresses: any-ipv4: 0.0.0.0/0 any-ipv6: ::/0 Destination addresses: any-ipv4: 0.0.0.0/0 any-ipv6: ::/0 Application: any IP protocol: 0, ALG: 0, Inactivity timeout: 0 Source port range: [0-0] Destination port range: [0-0] Per policy TCP Options: SYN check: No, SEQ check: No Policy: internet-ACME-SV, action-type: permit, State: enabled, Index: 8, Policy: 0 Policy Type: Configured www.juniper.net 7, 6, Scope Scope Security Policies (Detailed) • Lab 2–21 Junos Security Sequence number: 1 From zone: ACME-SV, To zone: untrust Source addresses: vr205: 172.20.205.0/24 Destination addresses: any-ipv4: 0.0.0.0/0 any-ipv6: ::/0 Application: any IP protocol: 0, ALG: 0, Inactivity timeout: 0 Source port range: [0-0] Destination port range: [0-0] Per policy TCP Options: SYN check: No, SEQ check: No Policy: Juniper-SV-to-Juniper-WF, action-type: permit, State: disabled, Index: 9, Scope Policy: 0 Policy Type: Configured Sequence number: 1 From zone: untrust, To zone: Juniper-SV Source addresses: vr106: 172.20.106.0/24 Destination addresses: vr105: 172.20.105.0/24 Application: internal-apps IP protocol: udp, ALG: 0, Inactivity timeout: 60 Source port range: [50000-50000] Destination port range: [50001-50001] IP protocol: tcp, ALG: 0, Inactivity timeout: 1800 Source port range: [0-0] Destination port range: [23-23] IP protocol: 1, ALG: 0, Inactivity timeout: 60 ICMP Information: type=255, code=0 Per policy TCP Options: SYN check: No, SEQ check: No Session log: at-create, at-close Scheduler name: internal-apps-scheduler Issue the show schedulers command and answer the following questions. [email protected]> show schedulers Scheduler name: internal-apps-scheduler, State: active Next deactivation: Mon Jun 11 23:00:00 2012 Question: Is the scheduler you configured in an active state? Answer: As illustrated by the output from srxC-1, the scheduler should be in an active state. If the scheduler is not currently active, check the time settings on your assigned device. Lab 2–22 • Security Policies (Detailed) www.juniper.net Junos Security Question: When will the scheduler deactivate? Answer: The scheduler should deactivate at 18:00 hours. At this time, any policies associated with this scheduler also deactivate Return to the Telnet session established with the virtual router. From the Telnet session established with the virtual router, open a Telnet session between the virtual router associated with your local Juniper zone and the virtual router associated with the remote Juniper zone. Be sure to source the Telnet session from the appropriate routing instance. Log in with the same username and password as your current session. [email protected]> telnet remote-Juniper-VR routing-instance local-Juniper-VR  Trying 172.20.106.10... Connected to 172.20.106.10. Escape character is '^]'. vr-device(ttyp0) login: username  Password: --- JUNOS 11.4R3.7 built 2012-05-14 22:22:03 UTC NOTE: This router is divided into many virtual routers used by different teams. Please only configure your own virtual router. You must use 'configure private' to configure this router. [email protected]> Return to the Telnet session established with your assigned SRX device. From the Telnet session established with assigned SRX device, issue the show security flow session command. [email protected]> show security flow session Session ID: 24149, Policy name: Juniper-SV-to-Juniper-WF/9, Timeout: 1766, Valid In: 172.20.106.10/51545 --> 172.20.105.10/23;tcp, If: ge-0/0/3.0, Pkts: 27, Bytes: 1567 Out: 172.20.105.10/23 --> 172.20.106.10/51545;tcp, If: ge-0/0/4.105, Pkts: 22, Bytes: 1596 Session ID: 23920, Policy name: self-traffic-policy/1, Timeout: 28, Valid In: 172.18.1.2/55672 --> 208.87.233.170/9020;udp, If: .local..0, Pkts: 1, Bytes: 132 Out: 208.87.233.170/9020 --> 172.18.1.2/55672;udp, If: ge-0/0/3.0, Pkts: 0, Bytes: 0 www.juniper.net Security Policies (Detailed) • Lab 2–23 Junos Security Session ID: 23925, Policy name: internet-Juniper-SV/6, Timeout: 1786, Valid In: 172.20.105.10/51381 --> 172.20.106.10/23;tcp, If: ge-0/0/4.105, Pkts: 27, Bytes: 1567 Out: 172.20.106.10/23 --> 172.20.105.10/51381;tcp, If: ge-0/0/3.0, Pkts: 22, Bytes: 1596 Total sessions: 3 Question: What is the session ID for the Telnet session you opened? Answer: The answer varies, but in the output from srxC-1, the session ID is 24149. Using the session ID, view a more detailed output of the open Telnet session and answer the following question. Use the session ID identified in the previous step. [email protected]> show security flow session session-identifier session-id  Session ID: 24149, Status: Normal Flag: 0x40 Policy name: Juniper-SV-to-Juniper-WF/9 Source NAT pool: Null, Application: junos-telnet/10 Dynamic application: junos:UNKNOWN, Maximum timeout: 1800, Current timeout: 1716 Session State: Valid Start time: 112401, Duration: 91 In: 172.20.106.10/51545 --> 172.20.105.10/23;tcp, Interface: ge-0/0/3.0, Session token: 0xa, Flag: 0x21 Route: 0x110010, Gateway: 172.18.1.1, Tunnel: 0 Port sequence: 0, FIN sequence: 0, FIN state: 0, Pkts: 27, Bytes: 1567 Out: 172.20.105.10/23 --> 172.20.106.10/51545;tcp, Interface: ge-0/0/4.105, Session token: 0x7, Flag: 0x20 Route: 0x120010, Gateway: 172.20.105.10, Tunnel: 0 Port sequence: 0, FIN sequence: 0, FIN state: 0, Pkts: 22, Bytes: 1596 Total sessions: 1 Question: How many seconds remain before the Telnet session times out (without further activity)? Answer: The answer varies, but in the output from srxC-1, 1716 seconds remain. If there is no further activity during this period, the session closes. Lab 2–24 • Security Policies (Detailed) www.juniper.net Junos Security Return to the Telnet session established with the virtual router. From the Telnet session established with the virtual router, end the open Telnet session by entering the exit command. [email protected]> exit Connection closed by foreign host. [email protected]> Return to the Telnet session established with your assigned SRX device. From the Telnet session established with assigned SRX device, view the configuration hierarchy associated with the syslog settings. [email protected]> show configuration system syslog user * { any emergency; } file messages { any any; authorization info; } file interactive-commands { interactive-commands any; } Question: Is your device’s syslog configuration sufficient to record security policy log actions? Answer: Yes. Recall from the classroom discussion that on branch security platforms running the Junos operating system, local data plane logging is enabled by configuring a local syslog with a facility of user and a severity of info. Because the file messages configuration logs any facility at any severity, security policies that are configured with a log action should automatically record entries in the messages log file. View security policy log entries by issuing the show log messages | match  command. RT_FLOW  www.juniper.net Security Policies (Detailed) • Lab 2–25 Junos Security Recall that the security policy log action configuration was only for specific traffic ingressing your assigned device from the untrust zone. To see log entries, you must ensure the other team in your pod has initiated (and exited) the Telnet session associated with this lab part. [email protected]> show log messages | match RT_FLOW  Nov 4 16:22:00 srxC-1 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 172.20.108.10/52298->172.20.107.10/23 junos-telnet 172.20.108.10/ 52298->172.20.107.10/23 None None 6 Juniper-WF-to-Juniper-SV untrust Juniper-SV 14965 Nov 4 16:22:05 srxC-1 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 172.20.108.10/52298->172.20.107.10/23 junos-telnet 172.20.108.10/ 52298->172.20.107.10/23 None None 6 Juniper-WF-to-Juniper-SV untrust Juniper-SV 14965 13(828) 12(823) 2 Nov 4 16:29:40 srxC-1 mgd[64844]: UI_CMDLINE_READ_LINE: User 'lab', command 'show log messages | match RT_FLOW ' Question: Do you see the appropriate log entries recording the opening and closing of the remote team’s Telnet session? Answer: Provided the remote team is keeping up with your team, the answer should be yes. Issue the show interfaces extensive command for the ge-0/0/3 interface. [email protected]> show interfaces extensive ge-0/0/3 Physical interface: ge-0/0/3, Enabled, Physical link is Up Interface index: 137, SNMP ifIndex: 509, Generation: 140 Link-level type: Ethernet, MTU: 1514, Link-mode: Full-duplex, Speed: 1000mbps, BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled, Remote fault: Online Device flags : Present Running Interface flags: SNMP-Traps Internal: 0x0 Link flags : None CoS queues : 8 supported, 8 maximum usable queues Hold-times : Up 0 ms, Down 0 ms Current address: 00:26:88:02:70:83, Hardware address: 00:26:88:02:70:83 Last flapped : 2012-06-08 18:58:16 UTC (2d 19:26 ago) Statistics last cleared: Never Traffic statistics: Input bytes : 146684438 0 bps Output bytes : 141583713 0 bps Input packets: 407769 0 pps Lab 2–26 • Security Policies (Detailed) www.juniper.net Junos Security Output packets: 395543 0 pps Input errors: Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 0, L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0, FIFO errors: 0, Resource errors: 0 Output errors: Carrier transitions: 1, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 0, FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0, Resource errors: 0 Egress queues: 8 supported, 4 in use Queue counters: Queued packets Transmitted packets Dropped packets 0 best-effort 395537 395537 0 1 expedited-fo 0 0 0 2 assured-forw 0 0 0 3 network-cont 0 0 0 Queue number: Mapped forwarding classes 0 best-effort 1 expedited-forwarding 2 assured-forwarding 3 network-control Active alarms : None Active defects : None MAC statistics: Receive Transmit Total octets 154136086 148687961 Total packets 409029 395537 Unicast packets 407893 395491 Broadcast packets 1135 46 Multicast packets 1 0 CRC/Align errors 0 0 FIFO errors 0 0 MAC control frames 0 0 MAC pause frames 0 0 Oversized frames 0 Jabber frames 0 Fragment frames 0 VLAN tagged frames 0 Code violations 0 Filter statistics: Input packet count 0 Input packet rejects 0 Input DA rejects 0 Input SA rejects 0 Output packet count 0 Output packet pad count 0 Output packet error count 0 CAM destination filters: 2, CAM source filters: 0 Autonegotiation information: Negotiation status: Complete Link partner: Link mode: Full-duplex, Flow control: None, Remote fault: OK, Link partner Speed: 1000 Mbps Local resolution: Flow control: None, Remote fault: Link OK  Packet Forwarding Engine configuration: Destination slot: 0 CoS information: www.juniper.net Security Policies (Detailed) • Lab 2–27 Junos Security Direction : Output CoS transmit queue Limit Bandwidth % bps 0 best-effort 95 950000000 95 3 network-control 5 50000000 5 Interface transmit statistics: Disabled Buffer Priority % usec 0 0 low low none none Logical interface ge-0/0/3.0 (Index 67) (SNMP ifIndex 516) (Generation 144) Flags: SNMP-Traps 0x0 Encapsulation: ENET2 Traffic statistics: Input bytes : 834550 Output bytes : 45741 Input packets: 3829 Output packets: 425 Local statistics: Input bytes : 16796 Output bytes : 38756 Input packets: 299 Output packets: 306 Transit statistics: Input bytes : 817754 0 bps Output bytes : 6985 0 bps Input packets: 3530 0 pps Output packets: 119 0 pps Security: Zone: untrust Flow Statistics : Flow Input statistics : Self packets : 286 ICMP packets : 291 VPN packets : 0   Multicast packets : 0 Bytes permitted by policy : 6074 Connections established : 1 Flow Output statistics: Multicast packets : 0 Bytes permitted by policy : 40881 Flow error statistics (Packets dropped due to):  Address spoofing: 0 Authentication failed: 0 Incoming NAT errors: 0 Invalid zone received packet: 0 Multiple user authentications: 0 Multiple incoming NAT: 0 No parent for a gate: 0 No one interested in self packets: 0 No minor session: 0 No more sessions: 0 No NAT gate: 0 No route present: 0 No SA for incoming SPI: 0 No tunnel found: 0 No session for a gate: 0 No zone or NULL zone binding 0 Policy denied: 0 Lab 2–28 • Security Policies (Detailed) www.juniper.net Junos Security Security association not active: 0 TCP sequence number out of window: 0 Syn-attack protection: 0 User authentication errors: 0 Protocol inet, MTU: 1500, Generation: 157, Route table: 0 Flags: Sendbcast-pkt-to-re Addresses, Flags: Is-Preferred Is-Primary Destination: 172.18.1.0/30, Local: 172.18.1.2, Broadcast: 172.18.1.3, Generation: 162 Question: What is the value of the Policy denied   counter within the interface flow statistics? Answer: The answer might vary, but in the output taken from srxC-1, the value is 0. The purpose of this question is to establish a baseline value. Return to the Telnet session established with the virtual router. From the Telnet session established with the virtual router, issue a Telnet session to the remote virtual router associated with your partner team’s Juniper zone. But this time, source the Telnet session from the virtual router associated with your local ACME zone. [email protected]> telnet remote-Juniper-VR routing-instance local-ACME-VR  Trying 172.20.106.10... ^C [email protected]> Question: Was the Telnet session successful? Answer: The Telnet session should not be successful. The active security policies applied to traffic from the untrust zone on the remote team’s device do not allow this traffic. STOP Once this has been confirmed, return to your assigned device and issue the show interfaces extensive command for the ge-0/0/3 interface again. [email protected]> show interfaces extensive ge-0/0/3 | find "Flow Statistics" Flow Statistics : www.juniper.net Security Policies (Detailed) • Lab 2–29 Junos Security   Flow Input statistics : Self packets : 298 ICMP packets : 303 VPN packets : 0 Multicast packets : 0 Bytes permitted by policy : 6074 Connections established : 1 Flow Output statistics: Multicast packets : 0 Bytes permitted by policy : 42529 Flow error statistics (Packets dropped due to):  Address spoofing: 0 Authentication failed: 0 Incoming NAT errors: 0 Invalid zone received packet: 0 Multiple user authentications: 0 Multiple incoming NAT: 0 No parent for a gate: 0 No one interested in self packets: 0 No minor session: 0 No more sessions: 0 No NAT gate: 0 No route present: 0 No SA for incoming SPI: 0 No tunnel found: 0 No session for a gate: 0 No zone or NULL zone binding 0 Policy denied: 2107 Security association not active: 0 TCP sequence number out of window: 0 Syn-attack protection: 0 User authentication errors: 0 Protocol inet, MTU: 1500, Generation: 157, Route table: 0 Flags: Sendbcast-pkt-to-re Addresses, Flags: Is-Preferred Is-Primary Destination: 172.18.1.0/30, Local: 172.18.1.2, Broadcast: 172.18.1.3, Generation: 162 Question: Did the value of the Policy denied  counter increment? Answer: The answer should be yes. In the output taken from srxC-1, the value is 2107. Previously, this value was 0. STOP Lab 2–30 • Security Policies (Detailed) www.juniper.net Lab 3 In this lab, you will implement firewall user authentication. You will enable FTP access between networks and secure the access with authentication. You will test and monitor the effects of firewall user authentication. The configuration tasks performed within this lab and subsequent labs will build upon one another. The lab is available in two formats: a high-level format designed to make you think through each step and a detailed format that offers step-by-step instructions complete with sample output from most commands. The lab is also designed for modularity, where you might be directed to load a star ting configuration at the beginning of each lab par t. If you are completing the lab from start to finish, there is no need to load the starting configuration for each lab part. By completing this lab, you will per form the following tasks: www.juniper.net • Define clients within an access profile. • Create a default client group and associate clients with the group. • Configure firewall user authentication parameters. • Add and alter security policies that have an extended permit action specifying firewall user authentication. • Monitor the effects of your configuration using operational mode commands and traceoptions. Configuring Firewall Authentication (Detailed) • Lab 3–1 12.a.12.1R1.9 Junos Security In this lab part, you define clients within an access profile, create a default client group and associate clients with the group, and configure firewall user authentication parameters. Ensure that you know to which student device you have been assigned. Check with your instructor if you are not certain. Consult the Management Network Diagram to determine the management address of your student device. Question: What is the management address assigned to your student router? Answer: The answer varies. The sample hostname and IP address used in the output examples in this lab are for srxA-1, which uses 10.210.35.131 as its management IP address. The actual management address varies between delivery environments. Access the command-line interface (CLI) at your station using either the console, Telnet, or SSH as directed by your instructor. Log in as user lab   with the password lab123. Enter configuration mode and load the lab3-start.config   from the /var/home/lab/jsec/ directory. Commit the configuration and exit to operational mode when complete. srxA-1 (ttyu0) login: lab  Password: Lab 3–2 • Configuring Firewall Authentication (Detailed) www.juniper.net Junos Security --- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC [email protected]> configure Entering configuration mode [edit] [email protected]# load override jsec/ lab3-start.config  load complete [edit] [email protected]# commit and-quit commit complete Exiting configuration mode [email protected]> Navigate to the [edit access] hierarchy. [edit] [email protected]# edit access [edit access] [email protected]# Create an access profile named ftp-users. Configure two clients named walter  and nancy   with passwords of walter123 and nancy123, respectively. [edit access] [email protected]# edit profile ftp-users [edit access profile ftp-users] [email protected]# set client walter   firewall-user password walter123 [edit access profile ftp-users] [email protected]# set client nancy   firewall-user password nancy123 [edit access profile ftp-users] [email protected]# up [edit access] [email protected]# show  profile ftp-users { client nancy { firewall-user { password "$9$lJ8vLNdVYZUHKMi.PfzFcyrvX7"; ## SECRET-DATA } } client walter { firewall-user { password "$9$a1UqfTQnApB36pBREKv4aJUk.5QF"; ## SECRET-DATA } } } www.juniper.net Configuring Firewall Authentication (Detailed) • Lab 3–3 Junos Security Associate all clients in the ftp-users  profile with a client group named ftp-group. [edit access] [email protected]# set profile ftp-users session-options client-group ftp-group  [edit access] [email protected]# show  profile ftp-users { client nancy { firewall-user { password "$9$lJ8vLNdVYZUHKMi.PfzFcyrvX7"; ## SECRET-DATA } } client walter { firewall-user { password "$9$a1UqfTQnApB36pBREKv4aJUk.5QF"; ## SECRET-DATA } } session-options { client-group ftp-group; } } Question: What method of associating clients with client groups requires the least amount of keystrokes for this scenario? Answer: You can specify client groups individually with each client. However when all clients within an access profile have the same requirements, the most efficient method would be to assign a default client group as shown in the example. Associate the ftp-users  profile with pass-through firewall user authentication. [edit access] [email protected]# edit firewall-authentication [edit access firewall-authentication] [email protected]# set pass-through default-profile ftp-users [edit access firewall-authentication] [email protected]# show  pass-through { default-profile ftp-users; } [edit access firewall-authentication] [email protected]# Lab 3–4 • Configuring Firewall Authentication (Detailed) www.juniper.net Junos Security Create custom banners for FTP users. Configure your device to display Junos Rocks! when firewall authentication users are prompted for the username and password. The Junos operating system allows multiple words in banners, descriptions, and annotations by enclosing the phrase in quotation marks. [edit access firewall-authentication] [email protected]# set pass-through ftp banner login "Junos Rocks!" [edit access firewall-authentication] [email protected]# show  pass-through { default-profile ftp-users; ftp { banner { login "Junos Rocks!"; } } } The nancy   and walter   clients need FTP access bi-directionally between your local Juniper customer network and the remote team’s Juniper customer network zones. This access should be authenticated using pass-through firewall user authentication and the access should be available at all times. Review the lab diagram and your configuration and answer the question that follows. [edit access firewall-authentication] [email protected]# top [edit] [email protected]# edit security policies [edit security policies] [email protected]# show | no-more from-zone Juniper-SV to-zone Juniper-SV { policy intrazone-Juniper-SV { match { source-address any; destination-address any; application any; } then {   permit; } } } from-zone ACME-SV to-zone ACME-SV { policy intrazone-ACME-SV { www.juniper.net Configuring Firewall Authentication (Detailed) • Lab 3–5 Junos Security match { source-address any; destination-address any; application any; } then { permit; }   } } from-zone Juniper-SV to-zone untrust { policy deny-ftp-Juniper-SV { match { source-address any; destination-address any; application junos-ftp; } then {   reject; } } policy internet-AMCE-SV { match { source-address vr101; destination-address any; application any; } then {   permit; } } } from-zone ACME-SV to-zone untrust { policy internet-ACME-SV { match { source-address vr201; destination-address any; application any; } then {   permit; } } } from-zone untrust to-zone Juniper-SV { policy Juniper-WF-to-Juniper-SV { match { source-address vr102; destination-address vr101; application internal-apps; } then {   permit; log {   session-init; Lab 3–6 • Configuring Firewall Authentication (Detailed) www.juniper.net Junos Security   session-close; } } scheduler-name internal-apps-scheduler; } } [edit security policies] [email protected]# Question: What security policy changes must you make to accommodate this access? Answer: The answer varies depending upon your assigned device. Both devices in your pod require two new security policies. Although a policy is already in place for traffic destined to the untrust zone from the Juniper-SV and Juniper-WF zones, the current policy configuration prohibits FTP traffic.  You must define a new security policy for the FTP traffic destined to the untrust zone. Insert the policy before the deny-ftp policy. A policy is also in place for traffic destined to the Juniper-SV and Juniper-WF zones from the untrust zone, but this policy is specific to an application set that does not include FTP traffic. Define a security policy to allow the nancy   client and walter   client FTP access from your local Juniper customer network zone to the remote student team’s Juniper customer network zone. Configure the source-address  to match the address-set for your local Juniper customer network. For your policy’s destination-address match, use the existing address book entry for the remote student team’s Juniper customer network. [edit security policies] [email protected]# edit from-zone Juniper-local to-zone untrust policy outbound-ftp-auth  [edit security policies from-zone Juniper-SV to-zone untrust policy outbound-ftp-auth] [email protected]# set match source-address local-Juniper-vrName  [edit security policies from-zone Juniper-SV to-zone untrust policy outbound-ftp-auth] [email protected]# set match destination-address remote-Juniper-vrName  [edit security policies from-zone Juniper-SV to-zone untrust policy outbound-ftp-auth] [email protected]# set match application junos-ftp www.juniper.net Configuring Firewall Authentication (Detailed) • Lab 3–7 Junos Security [edit security policies from-zone Juniper-SV to-zone untrust policy outbound-ftp-auth] [email protected]# set then permit [edit security policies from-zone Juniper-SV to-zone untrust policy outbound-ftp-auth] [email protected]# show  match { source-address vr101; destination-address vr102; application junos-ftp; } then {   permit; } Navigate to the [edit security policies from-zone Juniper- local to-zone untrust]  hierarchy. Issue the show   command, review the output, and answer the question below. [edit security policies from-zone Juniper-SV to-zone untrust policy outbound-ftp-auth] [email protected]# up [edit security policies from-zone Juniper-SV to-zone untrust] [email protected]# show  policy deny-ftp-Juniper-SV { match { source-address any; destination-address any; application junos-ftp; } then {   reject; } } policy internet-Juniper-SV { match { source-address vr101; destination-address any; application any; } then {   permit; } } policy outbound-ftp-auth { match { source-address vr101; destination-address vr102; application junos-ftp; } Lab 3–8 • Configuring Firewall Authentication (Detailed) www.juniper.net Junos Security   then { permit; } } Question: Is any policy reordering necessary for the outbound-ftp-auth  security policy? Answer: Yes. The first policy in the list denies the FTP traffic that you want to allow. Insert the outbound-ftp-auth   policy  policy before the deny-ftp-Juniper-local policy. [edit security policies from-zone Juniper-SV to-zone untrust] [email protected]# insert policy outbound-ftp-auth   before  before policy deny-ftp-Juniper-local [edit security policies from-zone Juniper-SV to-zone untrust] [email protected]# show  policy outbound-ftp-auth { match { source-address vr101; destination-address destination-address vr102; application junos-ftp; } then {   permit; } } policy deny-ftp-Juniper-SV { match { source-address any; destination-address destination-address any; application junos-ftp; } then {   reject; } } policy internet-Juniper-SV { match { source-address vr101; destination-address destination-address any; application any; } then {   permit; } } www.juniper.net Configuring Firewall Authentication (Detailed) • Lab 3–9 Junos Security Navigate to the [edit security policies from-zone Juniper-SV to-zone  to  to allow the untrust] hierarchy. Configure a policy named inbound-ftp-auth  nancy   client  client and walter   client FTP access from the remote student team’s  client Juniper customer network zone to your local Juniper customer network zone. Configure the source-address to match the address-set for the remote student team’s Juniper customer network. For your policy’s destination-address match, use the existing address book entry for your local Juniper customer network. Ensure that this session authenticates using pass-through firewall authentication. The firewall authentication should be per formed only for traffic coming from the untrust zone to avoid double authentication. [edit security policies from-zone Juniper-SV to-zone untrust] [email protected]# up [edit security policies] [email protected]# edit from-zone untrust to-zone Juniper-local policy inbound-ftp-auth  [edit security policies from-zone untrust to-zone Juniper-SV policy inbound-ftp-auth] [email protected]# set match source-address remote-Juniper-vrName  [edit security policies from-zone untrust to-zone Juniper-SV policy inbound-ftp-auth] [email protected]# set match destination-address destination-address local-Juniper-vrName  [edit security policies from-zone untrust to-zone Juniper-SV policy inbound-ftp-auth] [email protected]# set match application junos-ftp [edit security policies from-zone untrust to-zone Juniper-SV policy inbound-ftp-auth] [email protected]# set then permit firewall-authentication firewall-authentication pass-through client-match ftp-group  Navigate to the [edit security policies from-zone untrust to-zone Juniper-local] hierarchy. Issue the show command, review the output, and answer the question below. [edit security policies from-zone untrust to-zone Juniper-SV policy inbound-ftp-auth] [email protected]# up [edit security policies from-zone untrust to-zone Juniper-SV] [email protected]# show  policy Juniper-WF-to-Juniper-SV Juniper-WF-to-Juniper-SV { match { source-address vr102; destination-address destination-address vr101; application internal-apps; } then { Lab 3–10 • Configuring Firewall Authentication (Detailed) www.juniper.net Junos Security   permit; log { session-init; session-close; }     } scheduler-name scheduler-name internal-apps-scheduler; internal-apps-scheduler; } policy inbound-ftp-auth { match { source-address vr102; destination-address destination-address vr101; application junos-ftp; } then { permit { firewall-authentication firewall-authentication { pass-through { client-match ftp-group; } } } } } Question: Is any policy reordering necessary for the inbound-ftp-auth  security policy? Answer: No. The first policy under the associated context does not match on FTP traffic. Therefore FTP traffic passes to the next policy in the chain. Recall that traffic matching no policies under a given context associates with the default policy. pol icy. Commit your configuration and return to operational mode. [edit security policies from-zone untrust to-zone Juniper-SV] [email protected]# commit and-quit commit complete Exiting configuration mode [email protected]> STOP www.juniper.net Configuring Firewall Authentication (Detailed) • Lab 3–11 Junos Security In this lab part, par t, you verify the results of your configuration through testing. You will also monitor firewall user authentication using traceoptions and operational mode commands. Enter configuration mode, or go to the top of the configuration hierarchy if you are already in configuration mode, and load the lab3-part2-start.config   from  from the /var/home/lab/jsec/ directory. Commit the configuration when complete. [edit] [email protected]# load override jsec/ lab3-part2-start.config  load complete [edit] [email protected]# commit commit complete This lab step requires you to open a separate Telnet Telnet session to the vir tual router to emulate an external host. Keep the current Telnet session established with your assigned SRX device open to monitor results. The virtual router is a J Series Services Router configured as several logical devices. Refer to the Management Network Diagram for the IP address of the vr-device. Open a separate Telnet session to the virtual router attached to your team device. Lab 3–12 • Configuring Firewall Authentication (Detailed) www.juniper.net Junos Security Log in to the virtual router using the login information shown in the following table: Student Device User Name Password srxA-1 a1 lab123 srxA-2 a2 lab123 srxB-1 b1 lab123 srxB-2 b2 lab123 srxC-1 c1 lab123 srxC-2 c2 lab123 srxD-1 d1 lab123 srxD-2 d2 lab123 vr-device (ttyd0) login: username  Password: --- JUNOS 11.4R3.7 built 2012-05-14 22:22:03 UTC NOTE: This router is divided into many virtual routers used by different teams. Please only configure your own virtual router. You must use 'configure private' to configure this router. [email protected]> From the Telnet session established with the virtual router, initiate an FTP session between the virtual router associated with your local Juniper customer network zone and the virtual router associated with the remote student team’s Juniper customer network zone. Note that the ftp command is hidden and does not auto-complete. Remember to source the command from the appropriate routing instance. When prompted for firewall user authentication, use the credentials you created for the user nancy  . [email protected]> ftp remote-Juniper-VR routing-instance local-Juniper-VR  Connected to 172.20.108.10. 220 Junos Rocks! Name (172.20.108.10:d1): nancy 331 Password Required Password:  Authentication - Accepted (Closed connection - reconnect to server) ftp: Login failed. 421 Service not available, remote server has closed connection. ftp> www.juniper.net Configuring Firewall Authentication (Detailed) • Lab 3–13 Junos Security Question: Was the authentication successful? What behavior did you observe? Answer: Although the FTP session failed, authentication was indeed successful. In the Junos OS, for FTP sessions, the observed behavior is expected. For FTP traffic only, the session needs to be re-initiated after performing firewall authentication. If you test the FTP connection multiple times, the remote student device will need to clear out the firewall authentication user session by issuing the operational-mode command clear security firewall-authentication users. Check with the remote team in your pod and ensure they have completed the previous step. Return to the Telnet session established with your assigned SRX device. From the Telnet session established with your assigned SRX device, issue the show security firewall-authentication users command. [email protected]> show security firewall-authentication users Firewall authentication data: Total users in table: 1 Id Source Ip Src zone Dst zone Profile Age Status User 3 172.20.102.10 untrust Juniper-SV ftp-user 1 Success nancy Question: What does the output for this command indicate? Answer: The output indicates that nancy  successfully authenticated. Keep in mind that the Junos OS generates this output because the remote team attempted to establish an FTP session through your student device to the directly attached virtual router. If you do not see the user nancy   in the output, check with the remote team. Lab 3–14 • Configuring Firewall Authentication (Detailed) www.juniper.net Junos Security Return to the Telnet session established with the virtual router. From the Telnet session established with the virtual router, attempt the FTP session again. If your previous FTP session appears to be hung up, disconnect and reconnect to the vr-device. Log in to the FTP server using your assigned username and password for the vr-device. If needed, refer to the table provided in Step 2.2. (Hint: Use the FTP bye command to exit the service at the ftp> prompt.) Because the previous firewall authentication did not result in an established FTP session, the authentication might have timed out. In this case, perform the firewall authentication again and re-initiate the FTP session immediately thereafter. ftp> bye [email protected]> ftp remote-Juniper-VR routing-instance local-Juniper-VR  Connected to 172.20.102.10. 220 vr-device FTP server (Version 6.00LS) ready. Name (172.20.102.10:root): username  331 Password required for a1. Password: 230 User a1 logged in. Remote system type is UNIX. Using binary mode to transfer files. ftp> Question: Were you able to successfully establish an FTP session? Answer: As shown in the output, you should now be able to successfully establish the FTP session. Leave the current session with the vr-device open and open a second session to the vr-device using Telnet. Refer to the Management Network Diagram as needed. vr-device (ttyp1) login: username  Password: --- JUNOS 11.4R3.7 built 2012-05-14 22:22:03 UTC NOTE: This router is divided into many virtual routers used by different teams. Please only configure your own virtual router. www.juniper.net Configuring Firewall Authentication (Detailed) • Lab 3–15 Junos Security You must use 'configure private' to configure this router. [email protected]> Attempt another FTP session using the same procedure. This time, use the walter username for firewall authentication and log into the FTP server with your vr-device credentials. [email protected]> ftp remote-Juniper-VR routing-instance local-Juniper-VR  Connected to 172.20.102.10. 220 vr-device FTP server (Version 6.00LS) ready. Name (172.20.102.10:a1):  walter 331 Password required for walter. Password: 530 Login incorrect. ftp: Login failed. ftp> bye 221 Goodbye. [email protected]> ftp remote-Juniper-VR routing-instance local-Juniper-VR  Connected to 172.20.102.10. 220 vr-device FTP server (Version 6.00LS) ready. Name (172.20.102.10:a1): username  331 Password required for a1. Password: 230 User a1 logged in. Remote system type is UNIX. Using binary mode to transfer files. ftp> Question: Could you successfully authenticate with the username walter   and establish an FTP session? Answer: If you tried to login with the username walter  , the login will fail. The FTP session is actually successful. However no prompt for firewall authentication occurs for this session. Recall that as long as an authenticated session remains active, any subsequent traffic from the same source IP address bypasses firewall authentication. Exit both FTP sessions and close the second session you opened to the vr-device. ftp> bye [email protected]> ftp> bye [email protected]> exit Lab 3–16 • Configuring Firewall Authentication (Detailed) www.juniper.net Junos Security Return to the Telnet session established with your assigned SRX device. From the Telnet session established with your assigned SRX device, clear the entries in the firewall authentication users table, if any exist. [email protected]> clear security firewall-authentication users [email protected]> show security firewall-authentication users Firewall authentication data: Total users in table: 0 Check with the remote team in your pod and ensure they have completed the previous step. Return to the Telnet session established with the virtual router. From the Telnet session established with the vir tual router, attempt another FTP session between your local Juniper customer zone and the remote team’s Juniper customer zone. When you are prompted for the firewall authentication, use a username of john and a password of doe . [email protected]> ftp remote-Juniper-VR  routing-instance local-Juniper-VR  Connected to 172.20.102.10. 220 Junos Rocks! Name (172.20.102.10:d1): john 331 Password Required Password:  Authentication - Failed ftp: Login failed. 421 Service not available, remote server has closed connection. ftp> Exit the FTP session with the bye command and return to your assigned student device. ftp> bye Check with the remote team in your pod and ensure they have completed the previous step. Return to the Telnet session established with your assigned SRX device. From the Telnet session established with your assigned SRX device, issue the show security firewall-authentication users  command followed by the show security firewall-authentication history  command. www.juniper.net Configuring Firewall Authentication (Detailed) • Lab 3–17 Junos Security [email protected]> show security firewall-authentication users Firewall authentication data: Total users in table: 1 Id Source Ip Src zone Dst zone Profile Age Status 3 172.20.102.10 untrust Juniper- ftp-user 1 Failed User john [email protected]> show security firewall-authentication history History of firewall authentication data: Authentications: 6 Id Source Ip Date Time Duration 1 172.20.102.10 2012-06-14 03:11:21 0:10:06 2 172.20.102.10 2012-06-14 03:17:23 0:02:01 3 172.20.102.10 2012-06-14 03:22:59 0:11:58 4 172.20.102.10 2012-06-14 03:26:02 0:01:33 5 172.20.102.10 2012-06-01 03:27:40 0:02:08 6 172.20.102.10 2012-06-01 03:29:55 0:01:07 Failed Status Success Success Success Success Success john User nancy nancy walter walter walter Question: Are any failed authentication attempts listed in the outputs? Answer: The outputs may vary, but provided the remote team within your pod attempted an FTP session with the username john, at least one failed attempt should be listed. Question: What is the source IP address of the failed authentication attempts? Answer: The answer varies but the failed attempts should have a source IP address representing the virtual router of the neighboring teams—from the Juniper-SV or Juniper-WF zone. View the firewall user authentication entries in your data plane log by issuing the show log messages | match RT_AUTH   command. If the remote team has not performed the required verification tasks, you will not see any logs. To view log entries from the remote device, reference the name of the remote device instead of your device’s name in the previous sample command. Lab 3–18 • Configuring Firewall Authentication (Detailed) www.juniper.net Junos Security [email protected]> show log messages | match RT_AUTH  Jun 14 03:22:24 srxA-1 RT_AUTH: FWAUTH_FTP_USER_AUTH_ACCEPTED: User nancy of group ftp-group at 172.20.102.10 is accepted. Jun 14 03:37:48 srxA-1 RT_AUTH: FWAUTH_FTP_USER_AUTH_FAIL: User john at 172.20.102.10 is rejected. Jun 14 03:56:09 srxA-1 mgd[1262]: UI_CMDLINE_READ_LINE: User 'lab', command 'show log messages | match RT_AUTH ' Question: What additional information can you derive from the data plane security log? Answer: The security log shows the authentication attempts were made using FTP as well as the source address, username, and firewall authentication action. STOP www.juniper.net Configuring Firewall Authentication (Detailed) • Lab 3–19 Junos Security Lab 3–20 • Configuring Firewall Authentication (Detailed) www.juniper.net Lab 4 In this lab, you will implement the Junos operating system Screen options. You will set up various Screens to protect your assigned device from suspicious or malicious traffic entering your device from the untrust zone. The lab is available in two formats: a high-level format designed to make you think through each step and a detailed format that offers step-by-step instructions complete with sample output from most commands. The lab is also designed for modularity, where you might be directed to load a star ting configuration at the beginning of each lab par t. If you are completing the lab from start to finish, there is no need to load the starting configuration for each lab part. By completing this lab, you will per form the following tasks: www.juniper.net • Define various Screen options (called ids-options). • Associate the Screen with a security zone. • Test your your implementation. • Monitor the effects of your configuration. Implementing Screen Options (Detailed) • Lab 4–1 12.a.12.1R1.9 Junos Security In this lab part, you become familiar with the access details used to access the lab equipment. Once you are familiar with the access details, you will use the CLI to log in to your designated station. Then, you will load the starting configuration for Lab 4. Then, In this lab part, you will configure Screen protection. Depending on the class, the lab equipment used might be remote from your physical location. The instructor will inform you as to the nature of your access and will provide you the details needed to access your assigned device. Ensure that you know to which student device you have been assigned. Check with your instructor if you are not certain. Consult the Management Network Diagram to determine the management address of your student device. Question: What is the management address assigned to your station? Answer: The answer varies; in this example the user is assigned to the srxC-1 station, which uses an IP address of 10.210.14.135. Access the CLI at your station using either the console, Telnet, or SSH as directed by your instructor. Refer to the Management Network Diagram for the IP address associated with your workstation. The following example is based on simple Telnet access using the Secure CRT program. Lab 4–2 • Implementing Screen Options (Detailed) www.juniper.net Junos Security Log in as user lab   with the password lab123. Enter configuration mode and load the lab4-start.config   from the /var/home/lab/jsec/ directory. Commit the configuration when complete. srxC-1 (ttyu0) login: lab  Password: --- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC [email protected]> configure Entering configuration mode [edit] [email protected]# load override jsec/ lab4-start.config  [edit] [email protected]# commit commit complete [edit] [email protected]# Navigate to the [edit security screen] hierarchy. [edit] [email protected]# edit security screen [edit security screen] [email protected]# Create a Screen that blocks ICMP packets larger than 1024 bytes. Name the Screen internet-protect. [edit security screen] [email protected]# set ids-option internet-protect icmp large [edit security screen] [email protected]# show  ids-option internet-protect { icmp {   large; } } Within the same Screen option, configure the Screen to block ICMP fragments. [edit security screen] [email protected]# set ids-option internet-protect icmp fragment www.juniper.net Implementing Screen Options (Detailed) • Lab 4–3 Junos Security [edit security screen] [email protected]# show  ids-option internet-protect { icmp {   fragment;   large; } } Question: Can you recall a common type of attack blocked by this Screen from the class discussion? Answer: Enabling protection from ICMP packets larger than 1024 bytes and from fragmented ICMP packets provides protection from ICMP Ping of Death attacks. An ICMP Ping of Death attack occurs when ping packets are sent to a host in excess of the maximum IP packet size of 65,535 bytes. These packets are typically fragmented. Add protection from packets that are using the IP Record Route option to the internet-protect  Screen. [edit security screen] [email protected]# set ids-option internet-protect ip record-route-option [edit security screen] [email protected]# show  ids-option internet-protect { icmp {   fragment;   large; } ip {   record-route-option; } } Add additional protection that limits the number of sessions to the same destination IP address to a maximum of one session. Activate the configuration changes by issuing the commit command. [edit security screen] [email protected]# set ids-option internet-protect limit-session destination-ip-based 1 [edit security screen] [email protected]# show  ids-option internet-protect { Lab 4–4 • Implementing Screen Options (Detailed) www.juniper.net Junos Security icmp { fragment; large;     } ip { record-route-option; } limit-session { destination-ip-based 1; }   } [edit security screen] [email protected]# commit commit complete STOP In this lab part, you verify the results of your Screen configuration The next lab steps require you to log in to the virtual router attached to your team’s device. The virtual routers are logical devices created on a J Series Services Router. Refer to the Management Network Diagram for the IP address of the vr-device. Enter configuration mode, or go to the top of the configuration hierarchy if you are already in configuration mode, and load the lab4-part2-start.config   from the /var/home/lab/jsec/ directory. Commit the configuration when complete. [edit security screen] [email protected]# top [edit] [email protected]# load override jsec/ lab4-part2-start.config [edit] [email protected]# commit commit complete [edit] [email protected]xC-1# www.juniper.net Implementing Screen Options (Detailed) • Lab 4–5 Junos Security Open a separate Telnet session to the virtual router attached to your team device. Log in to the vr-device using the login information shown in the following table: srxA-1 a1 lab123 srxA-2 a2 lab123 srxB-1 b1 lab123 srxB-2 b2 lab123 srxC-1 c1 lab123 srxC-2 c2 lab123 srxD-1 d1 lab123 srxD-2 d2 lab123 vr-device (ttyp0) login: username  Password: --- JUNOS 11.4R3.7 built 2012-05-14 22:22:03 UTC NOTE: This router is divided into many virtual routers used by different teams. Please only configure your own virtual router. You must use 'configure private' to configure this router. [email protected]> Lab 4–6 • Implementing Screen Options (Detailed) www.juniper.net Junos Security Initiate a ping between the virtual router in the Juniper-local zone and the virtual router in the Juniper-remote zone. Remember to reference the appropriate instance name when sourcing ICMP traffic from a virtual router. The instance names match the names of the virtual routers listed on the network diagram. [email protected]> ping remote-Juniper-VR routing-instance local-Juniper-VR   rapid PING 172.20.106.10 (172.20.106.10): 56 data bytes !!!!! --- 172.20.106.10 ping statistics --5 packets transmitted, 5 packets received, 0% packet loss round-trip min/avg/max/stddev = 4.197/5.128/6.923/1.027 ms Question: Was the ping successful? What size does an ICMP echo request packet use by request? Answer: The ping should succeed as shown in the output. An ICMP echo request consists of a data size of 56 bytes, plus an ICMP header size of 8 bytes. The output does not show the additional Ethernet overhead of 20 bytes. Issue the same ping request again, but this time specify a size of 1100 bytes. This size is larger than 1024 bytes and should trigger the ICMP large Screen option, provided the remote team properly configured it on their device. [email protected]> ping remote-Juniper-VR routing-instance local-Juniper-VR   rapid size 1100 PING 172.20.106.10 (172.20.106.10): 1100 data bytes !!!!! --- 172.20.106.10 ping statistics --5 packets transmitted, 5 packets received, 0% packet loss round-trip min/avg/max/stddev = 4.291/4.762/5.371/0.359 ms www.juniper.net Implementing Screen Options (Detailed) • Lab 4–7 Junos Security Question: What is the result of the ping operation with a specified size of 1100 bytes? Are the results expected? Answer: The output indicates the ping was successful and something is amiss regarding the Screen options configuration. The results are expected. Although the configuration contains the appropriate Screen options, the Screen options have not yet been applied to a security zone. Return to the Telnet session established with your assigned SRX device. From the Telnet session established with assigned SRX device, apply the internet-protect Screen option to the untrust security zone. Commit your configuration and exit configuration mode. [edit] [email protected]# edit security zones security-zone untrust [edit security zones security-zone untrust] [email protected]# set screen internet-protect [edit security zones security-zone untrust] [email protected]# show  address-book { address vr108 172.20.108.0/24; address vr208 172.20.208.0/24; address srxC-2 172.18.2.0/30; address internet-host 172.31.15.1/32; } screen internet-protect; interfaces {   ge-0/0/3.0; } [edit security zones security-zone untrust] [email protected]# commit and-quit commit complete Exiting configuration mode [email protected]> STOP Lab 4–8 • Implementing Screen Options (Detailed) www.juniper.net Junos Security Return to the Telnet session established with the virtual router. From the Telnet session established with the virtual router, repeat the ping command between the virtual routers associated with the Juniper-local  and Juniper-remote  security zones. Once again, specify a size of 1100 bytes. [email protected]> ping remote-Juniper-VR routing-instance local-Juniper-VR   rapid size 1100 PING 172.20.106.10 (172.20.106.10): 1100 data bytes ..... --- 172.20.106.10 ping statistics --5 packets transmitted, 0 packets received, 100% packet loss Question: What is the result of the ping operation with a specified size of 1100 bytes? Are the results expected? Answer: The output indicates the ping was not successful. This behavior is expected and demonstrates the ICMP large Screen option is working as designed. Determine the physical maximum transmission unit (MTU) of your vir tual router’s interface (associated with the your local Juniper zone) that connects to your assigned device by issuing the show interfaces ge-0/0/1 media |  match mtu command. [email protected]> show interfaces ge-0/0/1 media | match mtu Link-level type: Ethernet, MTU: 1518, Link-mode: Full-duplex, Speed: 1000mbps, BPDU Error: None, MAC-REWRITE Error: None, Question: What is the physical MTU size of the interface? Answer: The output indicates the physical MTU is 1518 bytes. Issue another ping between the virtual routers associated with the Juniper-local  and Juniper-remote  security zones. This time specify a size of 2000 bytes, ensuring ICMP packet fragmentation occurs. Do not forget to source the ping from the proper routing instance! [email protected]> ping remote-Juniper-VR routing-instance local-Juniper-VR   rapid size 2000 PING 172.20.106.10 (172.20.106.10): 2000 data bytes www.juniper.net Implementing Screen Options (Detailed) • Lab 4–9 Junos Security ..... --- 172.20.106.10 ping statistics --5 packets transmitted, 0 packets received, 100% packet loss Question: What is the result of the ping specifying a size of 2000 bytes? Are the results expected? Answer: The output indicates the ping was not successful. This behavior is expected and demonstrates the ICMP fragment Screen option is working as designed. Issue another ping between the virtual routers associated with the Juniper-local  and Juniper-remote  security zones. This time specify the record-route option. [email protected]> ping remote-Juniper-VR routing-instance local-Juniper-VR   rapid record-route PING 172.20.106.10 (172.20.106.10): 56 data bytes ..... --- 172.20.106.10 ping statistics --5 packets transmitted, 0 packets received, 100% packet loss Question: What is the result of the ping specifying the record-route option? Are the results expected? Answer: The output indicates the ping was not successful. This behavior is expected and demonstrates the ICMP record route Screen option is working as designed. Within your current vr-device Telnet session, open a new Telnet session to the remote virtual router associated with the Juniper-local  and Juniper-remote  security zones. Use the same login credentials as used for your current vr-device Telnet session. Remember to reference the appropriate instance name when sourcing Telnet traffic from a virtual router. The instance names match the names of the virtual routers listed on the network diagram. Lab 4–10 • Implementing Screen Options (Detailed) www.juniper.net Junos Security [email protected]> telnet remote-Juniper-VR routing-instance local-Juniper-VR  Trying 172.20.108.10... Connected to 172.20.108.10. Escape character is '^]'. vr-device (ttyp0) login: username  Password: --- JUNOS 11.4R3.7 built 2012-05-14 22:22:03 UTC NOTE: This router is divided into many virtual routers used by different teams. Please only configure your own virtual router. You must use 'configure private' to configure this router. [email protected]> Question: Was the Telnet session successfully established? Answer: As indicated in the output, the Telnet session should successfully establish. Open a new, separate Telnet session to the vr-device. www.juniper.net Implementing Screen Options (Detailed) • Lab 4–11 Junos Security Log in to the virtual router using the login information shown in the following table: srxA-1 a1 lab123 srxA-2 a2 lab123 srxB-1 b1 lab123 srxB-2 b2 lab123 srxC-1 c1 lab123 srxC-2 c2 lab123 srxD-1 d1 lab123 srxD-2 d2 lab123 vr-device (ttyd0) login: username  Password: --- JUNOS 11.4R3.7 built 2012-05-14 22:22:03 UTC NOTE: This router is divided into many virtual routers used by different teams. Please only configure your own virtual router. You must use 'configure private' to configure this router. [email protected]> Within the new vr-device session, attempt to open a second Telnet connection between the virtual routers associated with the Juniper-local  and Juniper-remote  security zones. Remember to reference the appropriate instance name when sourcing Telnet traffic from a virtual router. The instance names match the names of the virtual routers listed on the network diagram. [email protected]> telnet remote-Juniper-VR routing-instance local-Juniper-VR  Trying 172.20.108.10... telnet: connect to address 172.20.108.10: Operation timed out telnet: Unable to connect to remote host Lab 4–12 • Implementing Screen Options (Detailed) www.juniper.net Junos Security Question: Did the second Telnet session between the remote virtual routers successfully establish? Is the result expected? Answer: As indicated in the output, the Telnet session is unable to establish. This result is expected and demonstrates the destination-based session limit is in effect. Leave both Telnet sessions opened to the vr-device for the time being. You return to these sessions in the next part of the lab. STOP In this lab part, you monitor the effects of Screen protection. You must coordinate some of the monitoring efforts with the remote student team in your pod. Return to the Telnet session established with your assigned SRX device. From the Telnet session established with assigned SRX device, enter configuration mode, or go to the top of the configuration hierarchy if you are already in configuration mode, and load the lab4-part3-start.config   from the  /var/home/lab/jsec/ directory. Commit the configuration when complete. [edit security screen] [email protected]# top [edit] [email protected]# load override jsec/ lab4-part3-start.config [edit] [email protected]# commit commit complete [edit] [email protected]# Issue the run show security screen statistics zone untrust command and review the output. [edit] [email protected]# run show security screen statistics zone untrust www.juniper.net Implementing Screen Options (Detailed) • Lab 4–13 Junos Security Screen statistics: IDS attack type ICMP flood UDP flood TCP winnuke TCP port scan ICMP address sweep TCP sweep UDP sweep IP tear drop TCP SYN flood IP spoofing ICMP ping of death IP source route option TCP land attack TCP SYN fragment TCP no flag IP unknown protocol IP bad options IP record route option IP timestamp option IP security option IP loose source route option IP strict source route option IP stream option ICMP fragment ICMP large packet TCP SYN FIN TCP FIN no ACK Source session limit TCP SYN-ACK-ACK proxy IP block fragment Destination session limit Statistics 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 0 2 4 0 0 0 0 0 9 Question: Do any of the listed counters show a non-zero value? Answer: Although the counters might vary, the IP record route option, ICMP fragment option, ICMP large packet option and the destination session limit counter should all have non-zero counters. View the Screen option entries in your log by issuing the run show log messages | match RT_SCREEN command. [edit] [email protected]# run show log messages | match RT_SCREEN  Nov 5 14:22:21 srxC-1 RT_IDS: RT_SCREEN_SESSION_LIMIT: Dst IP session limit! destination: 172.20.107.10, zone name: untrust, interface name: ge-0/0/3.0 Lab 4–14 • Implementing Screen Options (Detailed) www.juniper.net Junos Security Nov 5 14:22:22 srxC-1 RT_IDS: RT_SCREEN_SESSION_LIMIT: Dst IP session limit! destination: 172.20.107.10, zone name: untrust, interface name: ge-0/0/3.0 Nov 5 14:22:24 srxC-1 RT_IDS: RT_SCREEN_SESSION_LIMIT: Dst IP session limit! destination: 172.20.107.10, zone name: untrust, interface name: ge-0/0/3.0 Nov 5 14:22:28 srxC-1 RT_IDS: RT_SCREEN_SESSION_LIMIT: Dst IP session limit! destination: 172.20.107.10, zone name: untrust, interface name: ge-0/0/3.0 Nov 5 14:22:35 srxC-1 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.20.108.10, destination: 172.20.107.10, zone name: untrust, interface name: ge-0/0/3.0 Nov 5 14:22:53 srxC-1 RT_IDS: RT_SCREEN_ICMP: ICMP fragment! source: 172.20.108.10, destination: 172.20.107.10, zone name: untrust, interface name: ge-0/0/3.0 Nov 5 14:22:53 srxC-1 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.20.108.10, destination: 172.20.107.10, zone name: untrust, interface name: ge-0/0/3.0 Nov 5 14:22:54 srxC-1 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.20.108.10, destination: 172.20.107.10, zone name: untrust, interface name: ge-0/0/3.0 Nov 5 14:22:54 srxC-1 RT_IDS: RT_SCREEN_ICMP: ICMP fragment! source: 172.20.108.10, destination: 172.20.107.10, zone name: untrust, interface name: ge-0/0/3.0 Nov 5 14:22:55 srxC-1 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.20.108.10, destination: 172.20.107.10, zone name: untrust, interface name: ge-0/0/3.0 Nov 5 14:22:55 srxC-1 RT_IDS: RT_SCREEN_ICMP: ICMP fragment! source: 172.20.108.10, destination: 172.20.107.10, zone name: untrust, interface name: ge-0/0/3.0 Nov 5 14:22:56 srxC-1 RT_IDS: RT_SCREEN_ICMP: ICMP fragment! source: 172.20.108.10, destination: 172.20.107.10, zone name: untrust, interface name: ge-0/0/3.0 Nov 5 14:22:56 srxC-1 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.20.108.10, destination: 172.20.107.10, zone name: untrust, interface name: ge-0/0/3.0 Nov 5 14:22:57 srxC-1 RT_IDS: RT_SCREEN_ICMP: ICMP fragment! source: 172.20.108.10, destination: 172.20.107.10, zone name: untrust, interface name: ge-0/0/3.0 Nov 5 14:22:57 srxC-1 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.20.108.10, destination: 172.20.107.10, zone name: untrust, interface name: ge-0/0/3.0 Nov 5 14:22:58 srxC-1 RT_IDS: RT_SCREEN_ICMP: ICMP fragment! source: 172.20.108.10, destination: 172.20.107.10, zone name: untrust, interface name: ge-0/0/3.0 Nov 5 14:22:58 srxC-1 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.20.108.10, destination: 172.20.107.10, zone name: untrust, interface name: ge-0/0/3.0 Nov 5 14:23:09 srxC-1 RT_IDS: RT_SCREEN_IP: Record Route IP option! source: 172.20.108.10, destination: 172.20.107.10, protocol-id: 1, zone name: untrust, interface name: ge-0/0/3.0 Nov 5 14:23:33 srxC-1 mgd[67166]: UI_CMDLINE_READ_LINE: User 'lab', command 'run show log messages | match RT_SCREEN www.juniper.net Implementing Screen Options (Detailed) • Lab 4–15 Junos Security Question: Have Screen option violations logged to your security log? Answer: The answer should be yes. If you do not see any violations logged, check with the remote team in your pod to ensure they have completed Part 2 of the lab. Delete the Screen option internet-protect from the [edit security zone security-zone untrust] configuration hierarchy. Commit the configuration and return to operational mode. [edit] [email protected]# edit security zones security-zone untrust [edit security zones security-zone untrust] [email protected]# delete screen [edit security zones security-zone untrust] [email protected]# show  address-book { address vr108 172.20.108.0/24; address vr208 172.20.208.0/24; address srxC-2 172.18.2.0/30; address internet-host 172.31.15.1/32; } interfaces {   ge-0/0/3.0; } [edit security zones security-zone untrust] [email protected]# commit and-quit commit complete Exiting configuration mode [email protected]> STOP Return to the Telnet sessions established with the virtual router. From the Telnet sessions established with the vir tual router, attempt to open two Telnet sessions between the virtual routers associated with the Juniper-local and Juniper-remote  zones again. You must re-establish sessions if any of your sessions timed out. Lab 4–16 • Implementing Screen Options (Detailed) www.juniper.net Junos Security Remember to reference the appropriate instance name when sourcing Telnet traffic from a virtual router. The instance names match the names of the virtual routers listed on the network diagram. [email protected]> telnet remote-Juniper-VR routing-instance local-Juniper-VR  Trying 172.20.108.10... Connected to 172.20.108.10. Escape character is '^]'. vr-device (ttyp0) login: username  Password: --- JUNOS 11.4R3.7 built 2012-05-14 22:22:03 UTC NOTE: This router is divided into many virtual routers used by different teams. Please only configure your own virtual router. You must use 'configure private' to configure this router. [email protected]> [email protected]> telnet remote-Juniper-VR routing-instance local-Juniper-VR  Trying 172.20.108.10... Connected to 172.20.108.10. Escape character is '^]'. vr-device (ttyp0) login: username  Password: --- JUNOS 11.4R3.7 built 2012-05-14 22:22:03 UTC NOTE: This router is divided into many virtual routers used by different teams. Please only configure your own virtual router. You must use 'configure private' to configure this router. [email protected]> Question: Can you establish two Telnet sessions between the remote virtual routers? Answer: The answer should be yes. Now that the Screen is no longer in place, no session limits should be in place. www.juniper.net Implementing Screen Options (Detailed) • Lab 4–17 Junos Security Exit the second Telnet session between the remote virtual routers. Next exit the second Telnet session opened to the vr-device. [email protected]> exit Connection closed by foreign host. [email protected]> exit At this point, you should have only one Telnet session opened to the vr-device. Return to the remaining Telnet session that is established with the vir tual router. From the remaining Telnet session established with the virtual router, type exit to end the Telnet session between the remote virtual routers. [email protected]> exit Connection closed by foreign host. [email protected]> Attempt to ping between the remote virtual routers associated with the Juniper-local  and Juniper-remote  zones. Specify a size of 2000 bytes. Remember to reference the appropriate instance name when sourcing Telnet traffic from a virtual router. The instance names match the names of the virtual routers listed on the network diagram. [email protected]> ping remote-Juniper-VR routing-instance local-Juniper-VR   rapid size 2000 PING 172.20.106.10 (172.20.106.10): 2000 data bytes !!!!! --- 172.20.106.10 ping statistics --5 packets transmitted, 5 packets received, 0% packet loss round-trip min/avg/max/stddev = 8.014/9.225/10.317/0.803 ms Question: Can you ping with a size of 2000 bytes between the remote virtual routers? Answer: The answer should be yes. Now that the internet-protect Screen is no longer in place, no limits should be in place on large or fragmented ICMP packets. Lab 4–18 • Implementing Screen Options (Detailed) www.juniper.net Junos Security STOP www.juniper.net Implementing Screen Options (Detailed) • Lab 4–19 Junos Security Lab 4–20 • Implementing Screen Options (Detailed) www.juniper.net Lab 5 In this lab, you will implement Network Address Translation (NAT). You will configure and monitor both source and destination NAT, including pool-based NAT and interface-based NAT. The lab is available in two formats: a high-level format designed to make you think through each step and a detailed format that offers step-by-step instructions complete with sample output from most commands. The lab is also designed for modularity, where you might be directed to load a star ting configuration at the beginning of each lab par t. If you are completing the lab from start to finish, there is no need to load the starting configuration for each lab part. By completing this lab, you will per form the following tasks: www.juniper.net • Configure and monitor interface-based source NAT. • Configure and monitor pool-based destination NAT. • Configure and monitor pool-based source NAT. • Configure and verify proxy ARP. Network Address Translation (Detailed) • Lab 5–1 12.a.12.1R1.9 Junos Security In this lab part, you enable interface-based source NAT. Traffic originating from the virtual routers attached to your assigned device and destined for the Internet host will be subject to NAT. Ensure that you know to which student device you have been assigned. Check with your instructor if you are not certain. Consult the Management Network Diagram to determine the management address of your student device. Question: What is the management address assigned to your student router? Answer: The answer varies. The sample hostname and IP address used in the output examples in this lab are for srxD-1, which uses 10.210.14.137 as its management IP address. The actual management address varies between delivery environments. Access the command-line interface (CLI) at your station using either the console, Telnet, or SSH as directed by your instructor. Log in as user lab   with the password lab123. Enter configuration mode and load the lab5-start.config   from the /var/home/lab/jsec/ directory. Commit the configuration when complete. srxD-1 (ttyu0) login: lab  Password: Lab 5–2 • Network Address Translation (Detailed) www.juniper.net Junos Security --- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC [email protected]> configure Entering configuration mode [edit] [email protected]# load override jsec/ lab5-start.config  load complete [edit] [email protected]# commit commit complete [edit] [email protected]# Navigate to the [edit security nat source] hierarchy. [edit] [email protected]# edit security nat source [edit security nat source] [email protected]# Create a rule set named internet-bound  . Associate the rule set with a from  context to match traffic from both your local Juniper and ACME customer interfaces. Also configure the rule set with a to context to match traffic destined to the untrust zone. [edit security nat source] [email protected]# set rule-set internet-bound   from interface ge-0/0/4.local-Juniper-unit [edit security nat source] [email protected]# set rule-set internet-bound   from interface ge-0/0/4.local-ACME-unit [edit security nat source] [email protected]# set rule-set internet-bound   to zone untrust Question: What other contexts could you use for the from statement? Answer: You could use a from context referencing the source security zones, but in this case, two rule sets would be necessary. Because no configured routing instances are on your assigned device, the from routing-instance context is not applicable to this step. www.juniper.net Network Address Translation (Detailed) • Lab 5–3 Junos Security Navigate to the [edit security nat source rule-set internet-bound] configuration hierarchy. Create a NAT rule named 1. The rule should apply interface-based NAT to all traffic with a destination address of the Internet host as depicted on your lab diagram. [edit security nat source] [email protected]# edit rule-set internet-bound  [edit security nat source rule-set internet-bound] [email protected]# set rule 1 match destination-address 172.31.15.1/32 [edit security nat source rule-set internet-bound] [email protected]# set rule 1 then source-nat interface [edit security nat source rule-set internet-bound] [email protected]# show  from interface [ ge-0/0/4.107 ge-0/0/4.207 ]; to zone untrust; rule 1 { match { destination-address 172.31.15.1/32; } then { source-nat {   interface; } } } [edit security nat source rule-set internet-bound] [email protected]# Commit your configuration and return to operational mode. [edit security nat source rule-set internet-bound] [email protected]# commit and-quit commit complete Exiting configuration mode [email protected]> The next lab steps require you to log in to the virtual router attached to your team’s device. The virtual routers are logical devices created on a J Series Services Router. Refer to the Management Network Diagram for the IP address of the vr-device. Open a separate Telnet session to the virtual router attached to your team device. Lab 5–4 • Network Address Translation (Detailed) www.juniper.net Junos Security Log in to the virtual router using the login information shown in the following table: srxA-1 a1 lab123 srxA-2 a2 lab123 srxB-1 b1 lab123 srxB-2 b2 lab123 srxC-1 c1 lab123 srxC-2 c2 lab123 srxD-1 d1 lab123 srxD-2 d2 lab123 vr-device (ttyd0) login: username  Password: --- JUNOS 11.4R3.7 built 2012-05-14 22:22:03 UTC NOTE: This router is divided into many virtual routers used by different teams. Please only configure your own virtual router. You must use 'configure private' to configure this router. [email protected]> www.juniper.net Network Address Translation (Detailed) • Lab 5–5 Junos Security From the Telnet session established with the virtual router, initiate a Telnet session to the Internet host device. Source the connection from the virtual router’s routing instance associated with your local Juniper customer network. Use the same login credentials as used for your current vr-device Telnet session. [email protected]> telnet 172.31.15.1 routing-instance VR-Juniper-instance  Trying 172.31.15.1... Connected to 172.31.15.1. Escape character is '^]'. vr-device (ttyp0) login: username  Password: --- JUNOS 11.4R3.7 built 2012-05-14 22:22:03 UTC NOTE: This router is divided into many virtual routers used by different teams. Please only configure your own virtual router. You must use 'configure private' to configure this router. [email protected]> Return to the Telnet session established with your assigned SRX device. From the Telnet session established with your assigned SRX device, view the session table. [email protected]> show security flow session Session ID: 58859, Policy name: internet-Juniper-SV/10, Timeout: 1118, Valid In: 172.20.107.10/65026 --> 172.31.15.1/23;tcp, If: ge-0/0/4.107, Pkts: 27, Bytes: 1567 Out: 172.31.15.1/23 --> 172.18.1.2/23879;tcp, If: ge-0/0/3.0, Pkts: 22, Bytes: 1596 Total sessions: 1 Question: Do the session table results indicate expected behavior? Answer: Yes. As indicated by the output taken from srxD-1, the Telnet session sources from the internal IP address 172.20.107.10, but the return traffic has a destination of the WAN interface address. Issue the show security nat source rule all command and answer the question that follows. Lab 5–6 • Network Address Translation (Detailed) www.juniper.net Junos Security [email protected]> show security nat source rule all Total rules: 1 Total referenced IPv4/IPv6 ip-prefixes: 1/0 source NAT rule: 1 Rule-Id Rule position From interface Rule-set: internet-bound : : : : : : : 1 1 ge-0/0/4.107 ge-0/0/4.207 To zone untrust Destination addresses 172.31.15.1 - 172.31.15.1 Destination port 0 - 0 Action : interface Persistent NAT type : N/A Persistent NAT mapping type : address-port-mapping Inactivity timeout : 0 Max session number : 0 Translation hits : 1 Question: How many hits has this NAT rule received? Answer: The answer might vary, but the Translation hits counter should show one hit at a minimum. Return to the Telnet session established with the virtual router. From the Telnet session established with the virtual router, exit the extra Telnet session using the exit command. [email protected]> exit Connection closed by foreign host. [email protected]> In this lab part, you configure pool-based destination NAT for traffic originating from the remote device in your assigned pod. You will use the loopback IP address of your assigned device as a public address that will be translated to an internal address belonging to a virtual router attached to your device. If necessary, return to your assigned SRX device. From your assigned SRX device, enter configuration mode, or go to the top of the configuration hierarchy if you are already in configuration mode, and load t he lab5-part2-start.config   from the /var/home/lab/jsec/ directory. Commit the configuration when complete. www.juniper.net Network Address Translation (Detailed) • Lab 5–7 Junos Security [edit] [email protected]# load override jsec/ lab5-part2-start.config  load complete [edit] [email protected]# commit commit complete Navigate to the [edit security nat destination] hierarchy. [edit] [email protected]# edit security nat destination [edit security nat destination] [email protected]# Consult your lab diagram to identify the host IP address of the virtual router associated with your local ACME customer zone. Configure a destination NAT pool named webserver   that specifies the virtual router host address. [edit security nat destination] [email protected]# set pool webserver   address local-ACME-VR-host [edit security nat destination] [email protected]# show  pool webserver { address 172.20.207.10/32; } Configure a destination NAT rule set named from-internet. The associated context should be from the untrust zone. [edit security nat destination] [email protected]# set rule-set from-internet from zone untrust Under the from-internet  rule set, configure a destination NAT rule named 1. The rule should apply destination NAT to traffic that originates from the network associated with your remote team’s ge-0/0/3 interface and that has your loopback address as its destination. This translation should utilize the webserver   pool you configured. [edit security nat destination] [email protected]# edit rule-set from-internet rule 1 [edit security nat destination rule-set from-internet rule 1] [email protected]# set match source-address remote-srx-Internet-subnet [edit security nat destination rule-set from-internet rule 1] [email protected]# set match destination-address local-loopback-address Lab 5–8 • Network Address Translation (Detailed) www.juniper.net Junos Security [edit security nat destination rule-set from-internet rule 1] [email protected]# set then destination-nat pool webserver  [edit security nat destination rule-set from-internet rule 1] [email protected]# up 2 [edit security nat destination] [email protected]# show  pool webserver { address 172.20.207.10/32; } rule-set from-internet { from zone untrust; rule 1 { match { source-address 172.18.2.0/30; destination-address 192.168.1.1/32; } then { destination-nat pool webserver; } } } Question: Are any changes required to your security policy configuration to allow this traffic? Answer: Yes. Currently, no security policy exists in the configuration that allows traffic from the untrust zone to your local ACME customer zone. In the next two steps, you will create a security policy to allow traffic from the remote student team destined to your local ACME customer network. Navigate to the [edit security policy from-zone untrust to-zone ACME-local] configuration hierarchy. [edit security nat destination] [email protected]# top edit security policies from-zone untrust to-zone ACME-local [edit security policies from-zone untrust to-zone ACME-SV] [email protected]# Configure a security policy that allows HTTP and Telnet traffic from the remote student device in your pod to reach the vir tual router associated with your local ACME customer network. Configure the source-address  to match the existing address book entry configured under the untrust zone for the remote team’s ge-0/0/3 interface subnet. Configure the destination-address  to match the address-book entry for your local ACME customer network. Name the new security policy webserver  . www.juniper.net Network Address Translation (Detailed) • Lab 5–9 Junos Security [edit security policies from-zone untrust to-zone ACME-SV] [email protected]# top show security zones security-zone untrust address-book address vr108 172.20.108.0/24; address vr208 172.20.208.0/24; address srxD-2 172.18.2.0/30; address internet-host 172.31.15.1/32; [edit security policies from-zone untrust to-zone ACME-SV] [email protected]# top show security zones security-zone zone-name   address-book address vr207 172.20.207.0/24; [edit security policies from-zone untrust to-zone ACME-SV] [email protected]# set policy webserver   match source-address remote-srxName  [edit security policies from-zone untrust to-zone ACME-SV] [email protected]# set policy webserver match destination-address local-ACME-vrName  [edit security policies from-zone untrust to-zone ACME-SV] [email protected]# set policy webserver   match application junos-telnet [edit security policies from-zone untrust to-zone ACME-SV] [email protected]# set policy webserver   match application junos-http  [edit security policies from-zone untrust to-zone ACME-SV] [email protected]# set policy webserver   then permit [edit security policies from-zone untrust to-zone ACME-SV] [email protected]# show  policy webserver { match { source-address srxD-2; destination-address vr207; application [ junos-telnet junos-http ]; } then {   permit; } } Commit your configuration and return to operational mode. [edit security policies from-zone untrust to-zone ACME-SV] [email protected]# commit and-quit commit complete Exiting configuration mode STOP Lab 5–10 • Network Address Translation (Detailed) www.juniper.net Junos Security In this step, you are initiating a Telnet session directly from your assigned device. When both teams in your assigned pod finish performing the above configuration, attempt a Telnet session to the loopback IP address of your remote team’s device. Initiate this Telnet session from your assigned SRX Series device. When prompted for a login, use the login information shown in the following table: srxA-1 a1 lab123 srxA-2 a2 lab123 srxB-1 b1 lab123 srxB-2 b2 lab123 srxC-1 c1 lab123 srxC-2 c2 lab123 srxD-1 d1 lab123 srxD-2 d2 lab123 [email protected]> telnet remote-loopback-address Trying 192.168.2.1... Connected to 192.168.2.1. Escape character is '^]'. vr-device (ttyp0) login: username  Password: --- JUNOS 11.4R3.7 built 2012-05-14 22:22:03 UTC NOTE: This router is divided into many virtual routers used by different teams. Please only configure your own virtual router. You must use 'configure private' to configure this router. [email protected]> www.juniper.net Network Address Translation (Detailed) • Lab 5–11 Junos Security Question: From your observations, is destination NAT operating correctly on your par tnering team’s assigned device? Answer: Provided the Telnet session successfully established with the vr-device, the output indicates traffic destined to the remote team’s loopback interface IP address is translating to the appropriate IP address. Question: Why did the remote team’s assigned device not respond to the Telnet request instead of the remote virtual router? Answer: Recall that destination NAT occurs before routing and policy checks in the packet flow. Open a second Telnet session to your assigned device for monitoring the sessions in progress. Log in as user lab  . srxD-1 (ttyp0) login: lab  Password: --- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC [email protected]> Lab 5–12 • Network Address Translation (Detailed) www.juniper.net Junos Security Issue the show security flow session command and answer the question that follows. [email protected]> show security flow session Session ID: 60816, Policy name: self-traffic-policy/1, Timeout: 1464, Valid In: 172.18.1.2/62411 --> 192.168.2.1/23;tcp, If: .local..0, Pkts: 27, Bytes: 1567 Out: 192.168.2.1/23 --> 172.18.1.2/62411;tcp, If: ge-0/0/3.0, Pkts: 22, Bytes: 1596 Session ID: 60880, Policy name: self-traffic-policy/1, Timeout: 1800, Valid In: 10.210.14.133/61579 --> 10.210.14.137/23;tcp, If: ge-0/0/0.0, Pkts: 67, Bytes: 3672 Out: 10.210.14.137/23 --> 10.210.14.133/61579;tcp, If: .local..0, Pkts: 45, Bytes: 3211 Session ID: 60937, Policy name: webserver/8, Timeout: 1794, Valid In: 172.18.2.2/55028 --> 192.168.1.1/23;tcp, If: ge-0/0/3.0, Pkts: 62, Bytes: 3413 Out: 172.20.207.10/23 --> 172.18.2.2/55028;tcp, If: ge-0/0/4.207, Pkts: 48, Bytes: 3028 Total sessions: 3 Question: What sessions are present in the session table? Answer: Provided the partnering team in your assigned pod initiated a Telnet session destined for your loopback IP address, at least three sessions should display. One session represents the Telnet session initiated by your team. One session represents the additional Telnet session opened directly with your assigned device. One session represents the Telnet session opened by the remote team in your assigned pod. Issue the show security nat destination pool all command and answer the question that follows. [email protected]> show security nat destination pool all Total destination-nat pools: 1 Pool name : Pool id : Total address : Translation hits: www.juniper.net webserver 1 1 1 Network Address Translation (Detailed) • Lab 5–13 Junos Security  Address range 172.20.207.10 - 172.20.207.10 Port 0 Question: Are translation hits present for your destination NAT pool? Answer: Provided the partnering team in your assigned pod initiated a Telnet session destined for your loopback IP address, the translation hits counter should show at least one hit. Return to the initial session established with your assigned SRX device. From the initial session established with your assigned SRX device, exit the Telnet session opened with the remote vir tual router. [email protected]> exit Connection closed by foreign host. [email protected]> In this lab part, you configure pool-based source NAT between the virtual routers attached to your assigned device. You will enable an overflow p ool should the source NAT pool become exhausted. If necessary, return to your assigned SRX device. From your assigned SRX device, enter configuration mode, or go to the top of the configuration hierarchy if you are already in configuration mode, and load the  from the /var/home/lab/jsec/ directory. Commit lab5-part3-start.config  the configuration when complete. [edit] [email protected]# load override jsec/ lab5-part3-start.config  load complete [edit] [email protected]# commit commit complete Navigate to the [edit security nat source] configuration hierarchy. [edit] [email protected]# edit security nat source Lab 5–14 • Network Address Translation (Detailed) www.juniper.net Junos Security [edit security nat source] [email protected]# Create two new source NAT address pools. Name one pool after the name shown on the lab diagram for your local Juniper virtual router, and another pool for your local ACME virtual router. Disable port translation for both pools. Configure each pool to use the egress interface should the NAT pool become exhausted. Each NAT pool should consist of an address range associated with the neighboring  virtual router. Use the address range information shown in the following table. Pay close attention to the instructions in this step. You are creating a source NAT pool for both virtual routers attached to your assigned device. However, the source address pool consists of IP addresses belonging to the subnet of the virtual router opposite for which you are configuring the pool. www.juniper.net srxA-1 vr101 172.20.201.2 172.20.201.9 srxA-1 vr201 172.20.101.2 172.20.101.9 srxA-2 vr102 172.20.202.2 172.20.202.9 srxA-2 vr202 172.20.102.2 172.20.102.9 srxB-1 vr103 172.20.203.2 172.20.203.9 srxB-1 vr203 172.20.103.2 172.20.103.9 srxB-2 vr104 172.20.204.2 172.20.204.9 srxB-2 vr204 172.20.104.2 172.20.104.9 srxC-1 vr105 172.20.205.2 172.20.205.9 srxC-1 vr205 172.20.105.2 172.20.105.9 srxC-2 vr106 172.20.206.2 172.20.206.9 srxC-2 vr206 172.20.106.2 172.20.106.9 srxD-1 vr107 172.20.207.2 172.20.207.9 srxD-1 vr207 172.20.107.2 172.20.107.9 srxD-2 vr108 172.20.208.2 172.20.208.9 srxD-2 vr208 172.20.108.2 172.20.108.9 Network Address Translation (Detailed) • Lab 5–15 Junos Security [edit security nat source] [email protected]# set pool local-Juniper-VR   port no-translation [edit security nat source] [email protected]# set pool local-Juniper-VR   overflow-pool interface [edit security nat source] [email protected]# set pool local-Juniper-VR   address range-start to range-end  [edit security nat source] [email protected]# set pool local-ACME-VR   port no-translation [edit security nat source] [email protected]# set pool local-ACME-VR   overflow-pool interface [edit security nat source] [email protected]# set pool local-ACME-VR   address range-start to range-end  [edit security nat source] [email protected]# show pool vr107 { address { 172.20.207.2/32 to 172.20.207.9/32; } port no-translation; overflow-pool interface; } pool vr207 { address { 172.20.107.2/32 to 172.20.107.9/32; } port no-translation; overflow-pool interface; } ...TRIMMED... Create a source NAT rule-set that assigns a directional context from your local Juniper zone to your local ACME zone. For example, srx1 will use a context of from  and to zone ACME-SV  , and srx2 will use a context of zone JUNIPER-SV   and to zone ACME-WF  . from zone JUNIPER-WF  [edit security nat source] [email protected]# set rule-set rule-set-name   from zone Juniper-local [edit security nat source] [email protected]# set rule-set rule-set-name   to zone ACME-local [edit security nat source] [email protected]# show  ...TRIMMED... rule-set vr107 { from zone Juniper-SV; to zone ACME-SV; } Lab 5–16 • Network Address Translation (Detailed) www.juniper.net Junos Security Create a source NAT rule-set that assigns a directional context from your local ACME zone to your local Juniper zone. For example, srx1 will use a context of from zone ACME-SV   and to zone JUNIPER-SV  . Srx2 will use a context of from zone ACME-WF   and to zone JUNIPER-WF  . [edit security nat source] [email protected]# set rule-set rule-set-name   from zone ACME-local [edit security nat source] [email protected]# set rule-set rule-set-name   to zone Juniper-local [edit security nat source] [email protected]# show  ...TRIMMED... rule-set vr207 { from zone ACME-SV; to zone Juniper-SV; } Within the rule set created in Step 3.4, create a rule named Juniper-to-ACME  . Configure the source address to match traffic from your local Juniper customer network. Configure the then action statement to specify source-nat using the appropriate configured source address pool. (Hint: the pool name matches the rule  set name under which it is configured.) [edit security nat source] [email protected]# edit rule-set rule-set-name  [edit security nat source rule-set vr107] [email protected]# set rule Juniper-to-ACME match source-address local-Juniper-subnet [edit security nat source rule-set vr107] [email protected]# set rule Juniper-to-ACME   then source-nat pool  pool-name  [edit security nat source rule-set vr107] [email protected]# show  from zone Juniper-SV; to zone ACME-SV; rule Juniper-to-ACME { match { source-address 172.20.107.0/24; } then { source-nat { pool {   vr107; } } } } www.juniper.net Network Address Translation (Detailed) • Lab 5–17 Junos Security Within the rule set created in Step 3.5, create a rule named ACME-to-Juniper  . Configure the source address to match traffic from your local ACME customer network. Configure the then action statement to specify source-nat using the appropriate configured source address pool. (Hint: the pool name matches the rule  set name under which which it is configured.) [edit security nat source rule-set vr107] [email protected]# up [edit security nat source] [email protected]# edit rule-set rule-set-name  [edit security nat source rule-set vr207] [email protected]# set rule ACME-to-Juniper   match  match source-address source-address local-ACME-subnet [edit security nat source rule-set vr207] [email protected]# set rule ACME-to-Juniper   then source-nat pool  pool-name   then [edit security nat source rule-set vr207] [email protected]# show  [edit security nat source rule-set vr207] [email protected]# show  from zone ACME-SV; to zone Juniper-SV; rule ACME-to-Juniper { match { source-address 172.20.207.0/24; 172.20.207.0/24; } then { source-nat { pool {   vr207; } } } } Question: You configured source NAT for traffic between the virtual routers attached to your assigned device. Do any existing security policies allow this traffic? Answer: As shown in the following capture from srxD-1, no security policies are in place for traffic between the attached virtual routers. We configure the appropriate security policies next. [edit security nat source rule-set vr207] [email protected]# top show security policies from-zone Juniper-local to-zone ACME-local Lab 5–18 • Network Address Translation (Detailed) www.juniper.net Junos Security [edit security nat source rule-set vr207] [email protected]# top show security policies from-zone ACME-local to-zone Juniper-local [edit security nat source rule-set vr207] [email protected]# Navigate to the [edit security policies] hierarchy. [edit security nat source rule-set vr207] [email protected]# top edit security policies [edit security policies] [email protected]# Create two security policies that allow traffic matching the internal-apps application set to flow between the virtual virt ual routers attached to your assigned device. Name the policies using the same format as the NAT rules you just created,  and  and ACME-to-Juniper  , each corresponding to the Juniper-to-ACME  appropriate source and destination virtual router names. Match on the appropriate source and destination address book entries that exist within the security zone configuration. [edit security policies] [email protected]# edit from-zone Juniper-local to-zone ACME-local policy Juniper-to-ACME  [edit security policies from-zone Juniper-SV to-zone ACME-SV policy Juniper-to-ACME] [email protected]# set match source-address local-Juniper-vrName  [edit security policies from-zone Juniper-SV to-zone ACME-SV policy Juniper-to-ACME] [email protected]# set match destination-address destination-address local-ACME-vrName  [edit security policies from-zone Juniper-SV to-zone ACME-SV policy Juniper-to-ACME] [email protected]# set match application internal-apps [edit security policies from-zone Juniper-SV to-zone ACME-SV policy Juniper-to-ACME] [email protected]# set then permit [edit security policies from-zone Juniper-SV to-zone ACME-SV policy Juniper-to-ACME] [email protected]# up 2 [edit security policies] [email protected]# edit from-zone ACME-local to-zone Juniper-local policy ACME-to-Juniper  [edit security policies from-zone ACME-SV to-zone Juniper-SV policy  ACME-to-Juniper]  ACME-to-Juniper] www.juniper.net Network Address Translation (Detailed) • Lab 5–19 Junos Security [email protected]# set match source-address local-ACME-vrName  [edit security policies from-zone ACME-SV to-zone Juniper-SV policy  ACME-to-Juniper]  ACME-to-Juniper] [email protected]# set match destination-address destination-address local-Juniper-vrName  [edit security policies from-zone ACME-SV to-zone Juniper-SV policy  ACME-to-Juniper]  ACME-to-Juniper] [email protected]# set match application internal-apps [edit security policies from-zone ACME-SV to-zone Juniper-SV policy  ACME-to-Juniper]  ACME-to-Juniper] [email protected]# set then permit [edit security policies from-zone ACME-SV to-zone Juniper-SV policy  ACME-to-Juniper]  ACME-to-Juniper] [email protected]# up 2 [edit security policies] [email protected]# show from-zone Juniper-SV   to-zone  to-zone ACME-SV  policy Juniper-to-ACME { match { source-address vr107; destination-address destination-address vr207; application internal-apps; } then {   permit; } } [edit security policies] [email protected]# show from-zone ACME-SV   to-zone  to-zone Juniper-SV  policy ACME-to-Juniper { match { source-address vr207; destination-address destination-address vr107; application internal-apps; } then {   permit; } } [edit security policies] [email protected]# Commit your configuration and return to operational mode. [edit security policies] [email protected]# commit and-quit commit complete Lab 5–20 • Network Address Translation (Detailed) www.juniper.net Junos Security Exiting configuration mode [email protected]> Open a separate Telnet session to the virtual router attached to your team device. Log in to the virtual vir tual router using the login information shown in the following table: srxA-1 a1 lab123 srxA-2 a2 lab123 srxB-1 b1 lab123 srxB-2 b2 lab123 srxC-1 c1 lab123 srxC-2 c2 lab123 srxD-1 d1 lab123 srxD-2 d2 lab123 vr-device (ttyd0) login: username  Password: --- JUNOS 11.4R3.7 built 2012-05-14 22:22:03 UTC www.juniper.net Network Address Translation (Detailed) • Lab 5–21 Junos Security NOTE: This router is divided into many virtual routers used by different teams. Please only configure your own virtual router. You must use 'configure private' to configure this router. [email protected]> From the Telnet session established with the virtual router, initiate a Telnet session between the virtual routers attached to your assigned device in either direction. Use the same login credentials used in the previous step. Remember to reference the appropriate instance name when sourcing Telnet traffic from a virtual router. The instance names match the names of the virtual routers listed on the network diagram. [email protected]> telnet local-ACME-VR routing-instance local-Juniper-VR  Trying 172.20.207.10... telnet: connect to address 172.20.207.10: Operation timed out telnet: Unable to connect to remote host Question: Did the Telnet session successfully establish? Answer: As indicated in the output, the Telnet session could not establish. Return to the Telnet session established with your assigned SRX device. From the Telnet session established with your assigned SRX device, issue the show security flow session command and answer the questions that follow. [email protected]> show security flow session Session ID: 64720, Policy name: Juniper-to-ACME/13, Timeout: 8, Valid In: 172.20.107.10/55688 --> 172.20.207.10/23;tcp, If: ge-0/0/4.107, Pkts: 5, Bytes: 288 Out: 172.20.207.10/23 --> 172.20.207.2/55688;tcp, If: ge-0/0/4.207, Pkts: 0, Bytes: 0 Total sessions: 1 Lab 5–22 • Network Address Translation (Detailed) www.juniper.net Junos Security Because the TCP three-way handshake does not complete, the session only shows in the session table for a few seconds. If you do not see the session, try issuing the Telnet command on the vr-device, immediately followed by the show security flow session command on your assigned device. Question: What does the output of this command indicate? Answer: As shown in the example from srxD-1, the output indicates a session forms and source NAT translation per forms correctly. If you do not see the session in your session table, the session might have timed out. Repeat the Telnet command on the vr-device and immediately issue the command on your assigned device. Question: Because the flow session is populating in your session table, can you think of a routing-related reason why the Telnet session did not establish? Answer: When the remote virtual router attempts to respond to the Telnet request, the response is directed to an IP address belonging to the source NAT pool. This pool consists of addresses that belong to the interface’s directly attached subnet. Recall from the classroom lecture that this situation requires proxy ARP. Enter configuration mode and navigate to the [edit security nat proxy-arp] configuration hierarchy. [email protected]> configure Entering configuration mode [edit] [email protected]# edit security nat proxy-arp www.juniper.net Network Address Translation (Detailed) • Lab 5–23 Junos Security [edit security nat proxy-arp] [email protected]# Under the ge-0/0/4 interface, configure both logical units attached to your virtual routers to perform proxy ARP. Each interface should perform proxy ARP for the range of addresses included in the source NAT pool of the adjacent virtual router. Use the address range information shown in the following table for your assigned SRX device: srxA-1 101 172.20.101.2 172.20.101.9 srxA-1 201 172.20.201.2 172.20.201.9 srxA-2 102 172.20.102.2 172.20.102.9 srxA-2 202 172.20.202.2 172.20.202.9 srxB-1 103 172.20.103.2 172.20.103.9 srxB-1 203 172.20.203.2 172.20.203.9 srxB-2 104 172.20.104.2 172.20.104.9 srxB-2 204 172.20.204.2 172.20.204.9 srxC-1 105 172.20.105.2 172.20.105.9 srxC-1 205 172.20.205.2 172.20.205.9 srxC-2 106 172.20.106.2 172.20.106.9 srxC-2 206 172.20.206.2 172.20.206.9 srxD-1 107 172.20.107.2 172.20.107.9 srxD-1 207 172.20.207.2 172.20.207.9 srxD-2 108 172.20.108.2 172.20.108.9 srxD-2 208 172.20.208.2 172.20.208.9 [edit security nat proxy-arp] [email protected]# edit interface ge-0/0/4.local-Juniper-unit [edit security nat proxy-arp interface ge-0/0/4.107] [email protected]# set unit address range-start to range-end  [edit security nat proxy-arp interface ge-0/0/4.107] [email protected]# up [edit security nat proxy-arp] [email protected]# edit interface ge-0/0/4.local-ACME-unit Lab 5–24 • Network Address Translation (Detailed) www.juniper.net Junos Security [edit security nat proxy-arp interface ge-0/0/4.207] [email protected]# set address range-start to range-end  [edit security nat proxy-arp interface ge-0/0/4.207] [email protected]# up [edit security nat proxy-arp] [email protected]# show  interface ge-0/0/4.107 { address { 172.20.107.2/32 to 172.20.107.9/32; } } interface ge-0/0/4.207 { address { 172.20.207.2/32 to 172.20.207.9/32; } } Commit your configuration and return to operational mode. [edit security nat proxy-arp] [email protected]# commit and-quit commit complete Exiting configuration mode [email protected]> Return to the Telnet session established with the virtual router. From the Telnet session established with the virtual router, attempt to establish a Telnet session between the virtual routers once again. Remember to reference the appropriate instance name when sourcing Telnet traffic from a virtual router. The instance names match the names of the virtual routers listed on the network diagram. [email protected]> telnet local-ACME-VR routing-instance local-Juniper-VR  Trying 172.20.207.10... Connected to 172.20.207.10. Escape character is '^]'. vr-device (ttyp0) login: username  Password: --- JUNOS 11.4R3.7 built 2012-05-14 22:22:03 UTC www.juniper.net Network Address Translation (Detailed) • Lab 5–25 Junos Security NOTE: This router is divided into many virtual routers used by different teams. Please only configure your own virtual router. You must use 'configure private' to configure this router. [email protected]> Question: Did the second Telnet attempt between the attached virtual routers successfully establish? Answer: As indicated in the output, the Telnet session did establish. Return to the terminal session connected to your assigned device and issue the show security flow session command. [email protected]> show security flow session Session ID: 65071, Policy name: Juniper-to-ACME/13, Timeout: 1740, Valid In: 172.20.107.10/65306 --> 172.20.207.10/23;tcp, If: ge-0/0/4.107, Pkts: 28, Bytes: 1631 Out: 172.20.207.10/23 --> 172.20.207.5/65306;tcp, If: ge-0/0/4.207, Pkts: 22, Bytes: 1596 Total sessions: 1 Question: Does the output indicate source NAT between the attached virtual routers is operating normally? Answer: As indicated in the output, the Telnet session established and source NAT is in place. In this example from srxD-1, traffic from vr107   is translating to 172.20.207.5. Question: What IP address did your Telnet session receive from the source NAT pool? Answer: The answer varies. In this example from srxD-1, the session acquired IP address 172.20.207.5. Lab 5–26 • Network Address Translation (Detailed) www.juniper.net Junos Security Issue the show security nat source summary command. [email protected]> show security nat source summary Total port number usage for port translation pool: 0 Maximum port number for port translation pool: 16777216 Total pools: 2 Pool Address Routing Name Range Instance vr107 172.20.207.2-172.20.207.9 default vr207 172.20.107.2-172.20.107.9 default Total rules: 3 Rule name 1 1 Juniper-to-ACME  ACME-to-Juniper Rule set From internet-bound ge-0/0/4.107 ge-0/0/4.207 vr107 Juniper-SV vr207 ACME-SV PAT no no To untrust ACME-SV Juniper-SV Total Address 8 8 Action interface vr107 vr207 Question: How many configured source NAT rules are on your assigned device? Answer: As indicated in the output, a total of three source NAT rules are operating. Issue the show security nat source pool all command. [email protected]> show security nat source pool all Total pools: 2 Pool name : vr107 Pool id : 4 Routing instance : default Host address base : 0.0.0.0 Port : no translation port overloading : 0 Overflow pool : interface Total addresses : 8  Available addresses: 7 Translation hits : 4  Address range 172.20.207.2 - 172.20.207.9 Pool name Pool id Routing instance Host address base Port port overloading Overflow pool www.juniper.net : : : : : : : Single Ports 0 Twin Ports 0 vr207 5 default 0.0.0.0 no translation 0 interface Network Address Translation (Detailed) • Lab 5–27 Junos Security Total addresses : 8  Available addresses: 8 Translation hits : 0  Address range 172.20.107.2 - 172.20.107.9 Single Ports 0 Twin Ports 0 Question: How many addresses are available in each source NAT pool displayed? Answer: Each source NAT pool has eight available addresses. Return to the session opened to the vr-device and exit the Telnet session between virtual routers. [email protected]> exit Connection closed by foreign host. [email protected]> STOP Lab 5–28 • Network Address Translation (Detailed) www.juniper.net Lab 6 In this lab, you will implement a route-based IPsec VPN. You will configure and monitor the IKE phase one and phase two tunnel establishment. The lab is available in two formats: a high-level format designed to make you think through each step and a detailed format that offers step-by-step instructions complete with sample output from most commands. By completing this lab, you will per form the following tasks: www.juniper.net • Configure a route-based IPsec VPN. • Alter security policies to allow traffic between the ACME security zones. • Configure and monitor a secure tunnel interface. • Verify and monitor an IPsec VPN tunnel. Implementing IPsec VPNs (Detailed) • Lab 6–1 12.a.12.1R1.9 Junos Security In this lab part, you configure a route-based IPsec VPN tunnel. This IPsec VPN tunnel will be utilized for all traffic between the ACME customer security zones. Ensure that you know to which student device you have been assigned. Check with your instructor if you are not certain. Consult the Management Network Diagram to determine the management address of your student device. Question: What is the management address assigned to your student router? Answer: The answer varies. The sample hostname and IP address used in the output examples in this lab are for srxD-1, which uses 10.210.35.137 as its management IP address. The actual management address varies between delivery environments. Access the command-line interface (CLI) at your station using either the console, Telnet, or SSH as directed by your instructor. Log in as user lab   with the password lab123. Enter configuration mode and load the lab6-start.config   from the /var/home/lab/jsec/ directory. Commit the configuration and exit to operational mode when complete. srxD-1 (ttyu0) login: lab  Password: Lab 6–2 • Implementing IPsec VPNs (Detailed) www.juniper.net Junos Security --- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC [email protected]> configure Entering configuration mode [edit] [email protected]# load override jsec/ lab6-start.config  load complete [edit] [email protected]# commit and-quit commit complete Exiting configuration mode [email protected]> Navigate to the [edit interfaces] configuration hierarchy. [edit] [email protected]# edit interfaces [edit interfaces] [email protected]# Configure a secure tunnel interface. If your assigned device is srx1, configure logical unit 0 with an IP address of 192.168.100.1. If your assigned device is srx2, configure logical unit 0 with an IP address of 192.168.100.2. [edit interfaces] [email protected]# set st0 unit 0 family inet address tunnel-interface-address Add the st0.0 interface to the untrust security zone, and allow the interface to accept IKE packets. [edit interfaces] [email protected]# top set security zones security-zone untrust interfaces st0.0 [edit interfaces] [email protected]# top set security zones security-zone untrust interfaces st0.0 host-inbound-traffic system-services ike Navigate to the [edit security ike] configuration hierarchy. Create an Internet Key Exchange (IKE) phase 1 proposal named phase1. The proposal should use the following parameters: www.juniper.net • Authentication method: pre-shared-keys; • dh-group: group2; • authentication algorithm: md5; • encryption algorithm: 3des-cbc; and • lifetime: 86400. Implementing IPsec VPNs (Detailed) • Lab 6–3 Junos Security [edit interfaces] [email protected]# top edit security ike [edit security ike] [email protected]# set proposal phase1 authentication-method pre-shared-keys [edit security ike] [email protected]# set proposal phase1 dh-group group2 [edit security ike] [email protected]# set proposal phase1 authentication-algorithm md5 [edit security ike] [email protected]# set proposal  phase1 encryption-algorithm 3des-cbc [edit security ike] [email protected]# set proposal  phase1 lifetime-seconds 86400 [edit security ike] [email protected]# show proposal  phase1 authentication-method pre-shared-keys; dh-group group2; authentication-algorithm md5; encryption-algorithm 3des-cbc; lifetime-seconds 86400; } } [edit security ike] [email protected]# Configure an IKE phase one policy named phase1-policy  . The policy should use main mode, reference the proposal you created in the previous step, and use an ASCII pre-shared key of juniper  . [edit security ike] [email protected]# set policy  phase1-policy   mode main [edit security ike] [email protected]# set policy  phase1-policy   proposals  phase1 [edit security ike] [email protected]# set policy  phase1-policy   pre-shared-key ascii-text juniper  [edit security ike] [email protected]# show policy  phase1-policy  mode main; proposals phase1; pre-shared-key ascii-text "$9$QkE43/t1RSM87uO87-V4oz36"; ## SECRET-DATA Lab 6–4 • Implementing IPsec VPNs (Detailed) www.juniper.net Junos Security Configure an IKE gateway named phase1-gateway  . Reference the IKE policy you created in the previous step. For the gateway IP address, use the IP address associated with the ge-0/0/3 interface on the remote team’s device. Use your device’s ge-0/0/3 interface as the external interface for establishing an IPsec VPN between srx1 and srx2. Configure your device to send a dead peer detection (DPD) request packet every 20 seconds and to consider the IKE neighbor down after five sequences of waiting 20 seconds and sending a DPD request packet. [edit security ike] [email protected]# set gateway  phase1-gateway   ike-policy  phase1-policy  [edit security ike] [email protected]# set gateway  phase1-gateway   address remote-srx-Internet-address [edit security ike] [email protected]# set gateway  phase1-gateway dead-peer-detection interval 20 [edit security ike] [email protected]# set gateway  phase1-gateway dead-peer-detection threshold 5 [edit security ike] [email protected]# set gateway  phase1-gateway external-interface ge-0/0/3.0 [edit security ike] [email protected]# show gateway  phase1-gateway  ike-policy phase1-policy; address 172.18.2.2; dead-peer-detection { interval 20; threshold 5; } external-interface ge-0/0/3.0; Navigate to the [edit security ipsec] configuration hierarchy. You define IKE phase 2 configuration parameters at this level. [edit security ike] [email protected]# up [edit security] [email protected]# edit ipsec [edit security ipsec] [email protected]# Define an IKE phase two proposal named phase2. Use the Encapsulating Security Payload (ESP) protocol, an authentication algorithm of hmac-md5-96, an encryption algorithm of 3des-cbc, and a lifetime value of 3200 seconds. [edit security ipsec] [email protected]# set proposal  phase2 protocol esp www.juniper.net Implementing IPsec VPNs (Detailed) • Lab 6–5 Junos Security [edit security ipsec] [email protected]# set proposal  phase2 authentication-algorithm hmac-md5-96 [edit security ipsec] [email protected]# set proposal  phase2 encryption-algorithm 3des-cbc [edit security ipsec] [email protected]# set proposal  phase2 lifetime-seconds 3200 [edit security ipsec] [email protected]# show proposal  phase2 protocol esp; authentication-algorithm hmac-md5-96; encryption-algorithm 3des-cbc; lifetime-seconds 3200; Create a phase two policy named phase2-policy  . Configure Perfect Forward Secrecy (PFS) to use Diffie-Helman Group 2 as the method the device uses to generate the encryption key. Use the phase two proposal you created in the last step. [edit security ipsec] [email protected]# set policy  phase2-policy   perfect-forward-secrecy keys group2 [edit security ipsec] [email protected]# set policy  phase2-policy   proposals  phase2 [edit security ipsec] [email protected]# show policy  phase2-policy  perfect-forward-secrecy { keys group2; } proposals phase2; Configure the IPsec VPN tunnel and name the VPN to-remote-SRX  . Bind the st0.0 interface to this tunnel. Associate the IKE gateway and phase two policy with the VPN tunnel. Ensure the VPN tunnel is established without the need for a triggering mechanism. [edit security ipsec] [email protected]# set vpn to-remote-SRX bind-interface st0.0 [edit security ipsec] [email protected]# set vpn to-remote-SRX ike gateway  phase1-gateway  [edit security ipsec] [email protected]# set vpn to-remote-SRX ike ipsec-policy  phase2-policy  [edit security ipsec] [email protected]# set vpn to-remote-SRX establish-tunnels immediately [edit security ipsec] [email protected]# show vpn to-remote-SRX Lab 6–6 • Implementing IPsec VPNs (Detailed) www.juniper.net Junos Security bind-interface st0.0; ike { gateway phase1-gateway; ipsec-policy phase2-policy; } establish-tunnels immediately; All traffic between the ACME   security zones will use the IPsec VPN you created. Navigate to the [edit routing-options] configuration hierarchy. Create a static route for the remote student team’s ACME customer network. The next hop should point to the st0.0 interface. [edit security ipsec] [email protected]# top edit routing-options [edit routing-options] [email protected]# set static route remote-ACME-subnet next-hop st0.0 [edit routing-options] [email protected]# show  static { route 0.0.0.0/0 next-hop 172.18.1.1; route 172.20.208.0/24 next-hop st0.0; } Question: Why is this step necessary? Answer: In a route-based VPN, traffic associates using a route rather than a security policy. Without this step, traffic would not use the IPsec VPN tunnel. Question: What are the two valid next hops for this static route? Answer: The st0.0 interface can be specified as the next-hop as shown in the example. You could also use the remote IP address of the st0 interface. Navigate to the [edit security policies] configuration hierarchy. Review the security policies in place that allow traffic between the untrust zone and your local ACME customer network zone. [edit routing-options] [email protected]# top edit security policies www.juniper.net Implementing IPsec VPNs (Detailed) • Lab 6–7 Junos Security [edit security policies] [email protected]# show from-zone untrust to-zone ACME- local policy webserver { match { source-address srxD-2; destination-address vr207; application [ junos-telnet junos-http ]; } then {   permit; } } [edit security policies] [email protected]# show from-zone ACME- local to-zone untrust policy internet-ACME { match { source-address vr207; destination-address any; application any; } then {   permit; } } Question: What changes must you make to the [edit security policies] hierarchy? Answer: You must make a new policy for traffic coming from the untrust zone that originates on the remote virtual router. A security policy is already in place to allow all traffic to the untrust zone that originates on the local virtual router. Create a new security policy that permits traffic from the untrust zone destined to your local ACME customer zone. Name the security policy ipsec. Configure the source-address  to match the address-book entry for the remote student team’s ACME customer network. Use the configuration option any for the destination address and application. When finished review the configuration, and answer the question below. [edit security policies] [email protected]# edit from-zone untrust to-zone ACME- local [edit security policies from-zone untrust to-zone ACME-SV] [email protected]# set policy ipsec match source-address remote-ACME-vrName  [edit security policies from-zone untrust to-zone ACME-SV] [email protected]# set policy ipsec match destination-address any Lab 6–8 • Implementing IPsec VPNs (Detailed) www.juniper.net Junos Security [edit security policies from-zone untrust to-zone ACME-SV] [email protected]# set policy ipsec match application any [edit security policies from-zone untrust to-zone ACME-SV] [email protected]# set policy ipsec then permit [edit security policies from-zone untrust to-zone ACME-SV] [email protected]# show  policy webserver { match { source-address srxD-2; destination-address vr207; application [ junos-telnet junos-http ]; } then {   permit; } } policy ipsec { match { source-address vr208; destination-address any; application any; } then {   permit; } } [edit security policies from-zone untrust to-zone ACME-SV] [email protected]# Question: Is any policy reordering necessary for this traffic flow? Answer: No. As shown in the output, the first policy does not match on traffic from the remote virtual router. Because no match occurs, traffic from the IPsec tunnel is not evaluated until the second policy. Commit your configuration and return to operational mode. [edit security policies from-zone untrust to-zone ACME-SV] [email protected]# commit and-quit commit complete Exiting configuration mode [email protected]> www.juniper.net Implementing IPsec VPNs (Detailed) • Lab 6–9 Junos Security STOP In this lab part, you check IKE phase one and phase two tunnel security associations and monitor the IPsec VPN on your assigned device by initiating traffic from the virtual router. Issue the show interfaces st0 terse command. [email protected]> show interfaces st0 terse Interface Admin Link Proto st0 up up st0.0 up up inet Local Remote 192.168.100.1 --> 0/0 Question: What is the status of the st0.0 interface? Answer: As shown in the output, both the administrative status and link status should be up. Check the state of the IKE phase 1 security association using the show security ike security-associations command. [email protected]> show security ike security-associations Index State Initiator cookie Responder cookie Mode 976176 UP f347d504ef032fcc fed0a0e871ade192 Main Remote Address 172.18.2.2 Question: What is the state of the IKE phase 1 security association? Answer: As shown in the output, the state should be up. If you do not see a security association, try clearing the phase 1 and phase 2 security associations on both devices within your pod. Check the state of the phase 2 security association using the show security ipsec security-associations command. [email protected]> show security ipsec security-associations Total active tunnels: 1 ID Algorithm SPI Life:sec/kb Mon vsys Port 131073 ESP:3des/md5 e9444a8e 3106/ unlim root 500 Lab 6–10 • Implementing IPsec VPNs (Detailed) Gateway 172.18.2.2 172.18.2.2 www.juniper.net Junos Security Question: Is a phase 2 security association present? Answer: As shown in the output, at least one successful phase 2 security association should be present, represented by an inbound row and an outbound row. Question: What is the index number used to represent the phase 2 security association? Answer: The answer can vary. In the example, the index number, represented by the ID column, is 131073. Issue the show security ipsec security-associations index  command, where number   represents the index number obtained in the number  previous step. [email protected]> show security ipsec security-associations index index-number  Virtual-system: root Local Gateway: 172.18.1.2, Remote Gateway: 172.18.2.2 Local Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0) Remote Identity: ipv4_subnet(any:0,[0..7]=0.0.0.0/0) Version: IKEv1 DF-bit: clear Direction: inbound, SPI: 768fe3ba, AUX-SPI: 0 , VPN Monitoring: Hard lifetime: Expires in 3042 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 2464 seconds Mode: Tunnel, Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-md5-96, Encryption: 3des-cbc Anti-replay service: counter-based enabled, Replay window size: 64 Direction: outbound, SPI: e9444a8e, AUX-SPI: 0 , VPN Monitoring: Hard lifetime: Expires in 3042 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 2464 seconds Mode: Tunnel, Type: dynamic, State: installed Protocol: ESP, Authentication: hmac-md5-96, Encryption: 3des-cbc Anti-replay service: counter-based enabled, Replay window size: 64 www.juniper.net Implementing IPsec VPNs (Detailed) • Lab 6–11 Junos Security Question: Is anti-replay enabled for the IPsec VPN tunnel? Answer: The answer should be yes, as shown in the example output. Issue the clear security ipsec statistics command followed by the show security ipsec statistics command. [email protected]> clear security ipsec statistics [email protected]> show security ipsec statistics ESP Statistics: Encrypted bytes: 0 Decrypted bytes: 0 Encrypted packets: 0 Decrypted packets: 0  AH Statistics: Input bytes: 0 Output bytes: 0 Input packets: 0 Output packets: 0 Errors: AH authentication failures: 0, Replay errors: 0 ESP authentication failures: 0, ESP decryption failures: 0 Bad headers: 0, Bad trailers: 0 Question: Do all the counters show a value of 0? Answer: The answer should be yes, as shown in the example output. This lab step requires you to open a separate Telnet session to the vir tual router to emulate an external host. Keep the current Telnet session established with your assigned SRX device open to monitor results. The virtual router is a J Series Services Router configured as several logical devices. Refer to the Management Network Diagram for the IP address of the vr-device. Open a separate Telnet session to the virtual router attached to your team device. Lab 6–12 • Implementing IPsec VPNs (Detailed) www.juniper.net Junos Security Log in to the virtual router using the login information shown in the following table: Student D evice Username Password srxA-1 a1 lab123 srxA-2 a2 lab123 srxB-1 b1 lab123 srxB-2 b2 lab123 srxC-1 c1 lab123 srxC-2 c2 lab123 srxD-1 d1 lab123 srxD-2 d2 lab123 vr-device (ttyd0) login: username Password: --- JUNOS 11.4R1.6 built 2011-11-15 11:28:05 UTC NOTE: This router is divided into many virtual routers used by different teams. Please only configure your own virtual router. You must use 'configure private' to configure this router. [email protected]> www.juniper.net Implementing IPsec VPNs (Detailed) • Lab 6–13 Junos Security From the Telnet session established with the virtual router, initiate a Telnet session that traverses the IPsec tunnel. Initiate the Telnet connection to the remote team’s ACME customer network. Source the Telnet session from your vir tual router that is associated with your local ACME customer network. Use the same login credentials as used for your current vr-device Telnet session. Remember to reference the appropriate instance name when sourcing Telnet traffic from a virtual router. The instance names match the names of the virtual routers listed on the network diagram. [email protected]> telnet remote-ACME-VR routing-instance local-ACME-VR  Trying 172.20.208.10... Connected to 172.20.208.10. Escape character is '^]'. vr-device (ttyp1) login: Return to the Telnet session established with your assigned SRX device. From the Telnet session established with your assigned SRX device, view the flow session table. [email protected]> show security flow session Session ID: 1, Policy name: N/A, Timeout: N/A, Valid In: 172.18.2.2/33021 --> 172.18.1.2/5392;esp, If: ge-0/0/3.0, Pkts: 0, Bytes: 0 Session ID: 2, Policy name: N/A, Timeout: N/A, Valid In: 172.18.2.2/0 --> 172.18.1.2/0;esp, If: ge-0/0/3.0, Pkts: 0, Bytes: 0 Session ID: 848, Policy name: self-traffic-policy/1, Timeout: 4, Valid In: 10.210.35.137/123 --> 10.210.35.130/123;udp, If: .local..0, Pkts: 1, Bytes: 76 Out: 10.210.35.130/123 --> 10.210.35.137/123;udp, If: ge-0/0/0.0, Pkts: 1, Bytes: 76 Session ID: 865, Policy name: internet-ACME-SV/9, Timeout: 1796, Valid In: 172.20.207.10/49161 --> 172.20.208.10/23;tcp, If: ge-0/0/4.207, Pkts: 10, Bytes: 671 Out: 172.20.208.10/23 --> 172.20.207.10/49161;tcp, If: st0.0, Pkts: 9, Bytes: 641 Total sessions: 4 Lab 6–14 • Implementing IPsec VPNs (Detailed) www.juniper.net Junos Security Question: What sessions associate with the secure tunnel interface? Answer: The output can vary, but Telnet sessions, indicated by TCP port 23, that are between virtual routers should show interface st0.0 for either the inbound or outbound flow. Issue the show security ipsec statistics command. [email protected]> show security ipsec statistics ESP Statistics: Encrypted bytes: 3496 Decrypted bytes: 1706 Encrypted packets: 32 Decrypted packets: 24  AH Statistics: Input bytes: 0 Output bytes: 0 Input packets: 0 Output packets: 0 Errors: AH authentication failures: 0, Replay errors: 0 ESP authentication failures: 0, ESP decryption failures: 0 Bad headers: 0, Bad trailers: 0 Question: How many packets have received encryption? Answer: The answer varies, but both the encrypted and decrypted packets counters should have a non-zero value. Return to the Telnet session established with the virtual router. From the Telnet session established with the virtual router, exit the virtual router Telnet session using the exit command. [email protected]> exit Connection closed by foreign host. [email protected]> STOP www.juniper.net Implementing IPsec VPNs (Detailed) • Lab 6–15 Junos Security Lab 6–16 • Implementing IPsec VPNs (Detailed) www.juniper.net Lab 7 In this lab, you will implement intrusion detection and prevention (IDP). You will install the security package from Juniper Networks, customize a policy template and perform verification tasks. The lab is available in two formats: a high-level format designed to make you think through each step and a detailed format that offers step-by-step instructions complete with sample output from most commands. The lab is also designed for modularity, where you might be directed to load a star ting configuration at the beginning of each lab par t. If you are completing the lab from start to finish, there is no need to load the starting configuration for each lab part. By completing this lab, you will per form the following tasks: www.juniper.net • Install and verify IDP licensing. • Install and verify the Juniper Networks security package, including the attack database and IDP policy templates. • Configure and customize IDP policy using IDP policy templates. • Verify and monitor the IDP implementation. Implementing IDP (Detailed) • Lab 7–1 12.a.12.1R1.9 Junos Security In this lab part, you become familiar with the access details used to access the lab equipment. Once you are familiar with the access details, you will use the CLI to log in to your designated station. Then, you will load the starting configuration for Lab 7. Then, you will download the security package normally made available by Juniper Networks as well as the necessary IDP licensing. Depending on the class, the lab equipment used might be remote from your physical location. The instructor will inform you as to the nature of your access and will provide you the details needed to access your assigned device. Ensure that you know to which student device you have been assigned. Check with your instructor if you are not certain. Consult the Management Network Diagram to determine the management address of your student device. Question: What is the management address assigned to your station? Answer: The answer varies; in this example the user is assigned to the srxC-1 station, which uses an IP address of 10.210.35.135. Access the CLI at your station using either the console, Telnet, or SSH as directed by your instructor. Refer to the Management Network Diagram for the IP address associated with your workstation. The following example is based on simple Telnet access using the Secure CRT program. Lab 7–2 • Implementing IDP (Detailed) www.juniper.net Junos Security Log in as user lab   with the password lab123. Enter configuration mode and load the lab7-start.config   from the /var/home/lab/jsec/ directory. Commit the configuration when complete. srxC-1 (ttyu0) login: lab  Password: --- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC [email protected]> configure Entering configuration mode [edit] [email protected]# load override jsec/ lab7-start.config [edit] [email protected]# commit commit complete [edit] [email protected]# This lab requires that you have root access in the UNIX shell of the device. In the next few steps, you change the root password of your assigned device. Be sure to follow the steps closely to avoid disabling access to the device. www.juniper.net Implementing IDP (Detailed) • Lab 7–3 Junos Security Change the root password of your assigned device to lab123. Use the set system root-authentication plain-text-password command to make this change. [edit] [email protected]# set system root-authentication plain-text-password New password: Retype new password: [edit] [email protected]# Commit your configuration and return to operational mode. [edit] [email protected]# commit and-quit commit complete Exiting configuration mode [email protected]> In the next series of lab steps, you obtain an IDP license and the IDP security package from the server within your assigned lab rack. Because of differing lab environments, you obtain these files unconventionally. In a non-lab environment, you obtain the license directly from Juniper Networks while you download the security package directly from Juniper Networks using an Internet connection. Enter the UNIX shell mode of your assigned device with the start shell command. [email protected]> start shell % At the % prompt type su root to switch the user to the root user. This level of permissions is necessar y for the next few steps. When prompted for the new password, use the lab123 password you just defined in the configuration. % su root Password: [email protected]% Change your working directory to /var/tmp by entering the cd /var/tmp command at the % prompt. Lab 7–4 • Implementing IDP (Detailed) www.juniper.net Junos Security [email protected]% cd /var/tmp [email protected]% At the % prompt, enter the following command to retrieve the IDP license for your assigned device, where serverIP   is the IP address of the server device and assigned-device is the name of your assigned device. Refer to your Management Network Diagram to determine the IP address of the ser ver device. When prompted to continue connecting, type yes and press the enter key. When prompted for a RADIUS password, use lab123. scp [email protected]  :jsec/assigned-device  .txt . Be sure to include the trailing period in the command. The period in this command instructs SCP to copy the remote files to your current working directory. [email protected]% scp [email protected] serverIP  :jsec/assigned-device  .txt . The authenticity of host '10.210.14.130 (10.210.14.130)' can't be established. DSA key fingerprint is ef:17:5e:05:13:ee:db:cd:ff:84:94:55:ae:e3:1b:e2.  Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '10.210.14.130' (DSA) to the list of known hosts. RADIUS Password: srxD-1.txt 100% 182 0.2KB/s 00:00 [email protected]% Use the cd /var/db/idpd command to change your current directory to /var/db/idpd. [email protected]% cd /var/db/idpd [email protected]% Issue the ls sec-download command to view the contents of the sec-download directory. [email protected]% ls sec-download detector-capabilities.xml sub-download Question: What does the sec-download directory contain? Answer: As shown in the output, the directory contains another directory named sub-download and no further contents. The sub-download directory does not contain any files. [email protected]% ls sec-download/sub-download [email protected]% www.juniper.net Implementing IDP (Detailed) • Lab 7–5 Junos Security Use SCP to obtain the IDP security package from the server device by entering the following command, where serverIP   is the IP address of the service device on your lab diagram. When prompted for a RADIUS password, use lab123. scp [email protected]  :jsec/idp.tar.tgz . Be sure to include the trailing period in the command. The period in this command instructs SCP to copy the remote files to your current working directory. [email protected]% scp [email protected] serverIP  :jsec/idp.tar.tgz . RADIUS Password: idp.tar.tgz 100% 1717KB 858.3KB/s [email protected]% 00:02 Uncompress the contents of the IDP file by entering the following command: tar xzvf idp.tar.tgz [email protected]% tar xzvf idp.tar.tgz sec-download/ sec-download/sub-download/ sec-download/sub-download/SignatureUpdate.xml sec-download/sub-download/templates.xml sec-download/SignatureUpdate.xml sec-download/applications.xml sec-download/libidp-detector.so.tgz.v sec-download/groups.xml sec-download/platforms.xml sec-download/detector-capabilities.xml [email protected]% Issue the ls sec-download command again to check the contents of the directory. [email protected]% ls sec-download SignatureUpdate.xml applications.xml detector-capabilities.xml groups.xml [email protected]% Lab 7–6 • Implementing IDP (Detailed) libidp-detector.so.tgz.v platforms.xml sub-download www.juniper.net Junos Security Question: What does the sec-download directory contain? Answer: As shown in the output, the directory now has a series of XML files containing the contents of the IDP security package. Exit the UNIX shell by issuing the exit command twice. [email protected]% exit exit % exit exit [email protected]> In this lab part, you install the license required for the IDP attack database and policy template updates. After verifying the validity of the license, you will then proceed with the installation of the IDP security package and policy templates. Issue the show system license command to list the installed licenses on your assigned device. [email protected]> show system license License usage: none Licenses installed: none Question: Does your system currently have any installed licenses? Answer: As shown in the output, currently no licenses are installed. Install the IDP license you downloaded in the last lab part by using the request system license add command. Specify the file as  represents /var/tmp/assigned-device  .txt, where assigned-device  the hostname of your assigned device. [email protected]> request system license add /var/tmp/ assigned-device  .txt JUNOS204211: successfully added add license complete (no errors) www.juniper.net Implementing IDP (Detailed) • Lab 7–7 Junos Security Question: Did the license successfully install? Answer: As shown in the output, the license installed. If you experience an error installing the license, verify that the path and filename are correct and that the file resides in the specified directory. Notify your instructor if you are unable to install the license. View the active licenses on your assigned device using the show system license command. The output shown for this command can vary depending on the device or license type used in your environment. [email protected]> show system license License usage: Feature name idp-sig 19:00:00 CDT ax411-wlan-ap 0 Licenses used 0 2 0 Licenses installed 1 Licenses needed 0 Expiry 2014-09-03 permanent Licenses installed: License identifier: JUNOS220951 License version: 2 Valid for device: AH2909AA0068   Features:   idp-sig - IDP Signature date-based, 2009-09-15 19:00:00 CDT - 2014-09-03 19:00:00 CDT Question: Does the installed license reflect the proper serial number for your assigned device? Answer: The output varies, but the example shows a device serial number of AH2909AA0068. By comparing this value to the serial number reflected in the output of the show chassis hardware command, you can see that this license is correct. If the numbers do not match ensure that you obtained the correct license for your assigned device. [email protected]> show chassis hardware Hardware inventory: Item Version Part number Chassis Lab 7–8 • Implementing IDP (Detailed) Serial number AH2909AA0068 Description SRX240h-poe www.juniper.net Junos Security Routing Engine FPC 0 PIC 0 FPC 1 PIC 0 Power Supply 0 REV 31 750-021794 AAAD8406 REV 02 750-025085 AAAN4046 RE-SRX240H-POE FPC 16x GE Base PIC FPC 1x Serial mPIM Install the IDP attack database using the request security idp security-package install operational mode command. [email protected]> request security idp security-package install Will be processed in async mode. Check the status using the status checking CLI Question: What was the result of this operation? Answer: As shown in the output, the install should begin in async mode. If the output from your device does not match this output, notify your instructor. Check the status of your installation over the next few minutes using the request security idp security-package install status command. Do not continue to the next step until you receive an indication that the installation was successful. [email protected]> request security idp security-package install status In progress:performing DB update for an xml (groups.xml) [email protected]> request security idp security-package install status In progress:performing DB update for an xml (SignatureUpdate.xml) [email protected]> request security idp security-package install status In progress:Compiling AI signatures ... [email protected]> request security idp security-package install status Done;Attack DB update : successful - [UpdateNumber=1449,ExportDate=Tue Jun 23 12:45:25 2009,Detector=9.2.160090324] Updating control-plane with new detector : successful Updating data-plane with new attack or detector : not performed due to no existing running policy found. Question: Did the security package successfully install? Answer: The answer should be yes, as shown in the example output. www.juniper.net Implementing IDP (Detailed) • Lab 7–9 Junos Security Install the IDP policy templates provided by Juniper Networks with the request security idp security-package install policy-templates command. [email protected]> request security idp security-package install policy-templates Will be processed in async mode. Check the status using the status checking CLI Check the policy template installation status using the request security idp security-package install status command. Do not continue to the next step until you receive an indication that the installation was successful. [email protected]> request security idp security-package install status Done;policy-templates has been successfully updated into internal repository   (=>/var/db/scripts/commit/templates.xsl)! The installation of the policy templates results in the creation of a Junos operating system commit script. Enter configuration mode and enter the set system scripts commit file templates.xsl command. Commit the configuration to activate the commit script. The commit script, which inserts the IDP policy templates into the active configuration, is a large file. Expect the commit action to take a few moments. [email protected]> configure Entering configuration mode [edit] [email protected]# set system scripts commit file templates.xsl [edit] [email protected]# commit commit complete [edit] [email protected]# Verify that the policy templates were added to your configuration. You could view the configuration file for verification, but for a quicker check, issue the set security idp active-policy ? configuration mode command. [edit] [email protected]# set security idp active-policy ? Possible completions: Set active policy   DMZ_Services DNS_Service Lab 7–10 • Implementing IDP (Detailed) www.juniper.net Junos Security   File_Server Getting_Started IDP_Default Recommended Web_Server [edit] [email protected]# set security idp active-policy Question: What IDP policy templates are now available? Answer: The DMZ_Services, DNS_Service, File_Server, Getting_Started, IDP_Default, Recommended, and Web_Server IDP policy templates should now be available. In this lab part, you customize the Recommended policy template and apply the modified policy to your assigned device. Navigate to the [edit security idp] configuration hierarchy. [edit] [email protected]# edit security idp [edit security idp] [email protected]# Delete all of the recently added template IDP policies in your configuration except the Recommended IDP policy template. [edit security idp] [email protected]# delete idp-policy ? Possible completions: IDP policy name DMZ_Services IDP policy name DNS_Service IDP policy name File_Server IDP policy name Getting_Started IDP policy name IDP_Default IDP policy name Recommended IDP policy name Web_Server IDP policy name [edit security idp] [email protected]# delete idp-policy DMZ_Services [edit security idp] [email protected]# delete idp-policy DNS_Service www.juniper.net Implementing IDP (Detailed) • Lab 7–11 Junos Security [edit security idp] [email protected]# delete idp-policy File_Server [edit security idp] [email protected]# delete idp-policy Getting_Started [edit security idp] [email protected]# delete idp-policy IDP_Default [edit security idp] [email protected]# delete idp-policy Web_Server View the Recommended IDP policy template. [edit security idp] [email protected]# show idp-policy Recommended | no-more /* This template policy covers the most important vulnerabilities. Use this template as a base line. */ rulebase-ips { rule 1 { /* This rule is designed to protect your networks against important TCP/ IP attacks. */ match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "[Recommended]IP - Critical" "[Recommended]IP - Minor" "[Recommended]IP - Major" "[Recommended]TCP Critical" "[Recommended]TCP - Minor" "[Recommended]TCP - Major" ]; } } then { action {   recommended; } notification {   log-attacks; } } } rule 2 { /* This rule is designed to protect your network against important ICMP attacks. */ match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { Lab 7–12 • Implementing IDP (Detailed) www.juniper.net Junos Security           predefined-attack-groups [ "[Recommended]ICMP "[Recommended]ICMP - Minor" ]; } } then { action { recommended; } notification { log-attacks; } } } rule 3 { /* This rule is designed to protect your network against attacks. */ match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "[Recommended]HTTP "[Recommended]HTTP - Major" "[Recommended]HTTP - Minor" ]; } } then { action { recommended; } notification { log-attacks; } } } rule 4 { /* This rule is designed to protect your network against attacks. */ match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "[Recommended]SMTP "[Recommended]SMTP - Major" "[Recommended]SMTP - Minor" ]; } } then { action { recommended; } notification { www.juniper.net Major" important HTTP Critical" important SMTP Critical" Implementing IDP (Detailed) • Lab 7–13 Junos Security   log-attacks; } }         } rule 5 { /* This rule is designed to protect your network against important DNS attacks. */ match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "[Recommended]DNS - Critical" "[Recommended]DNS - Minor" "[Recommended]DNS - Major" ]; } } then { action { recommended; } notification { log-attacks; } } } rule 6 { /* This rule is designed to protect your network against important FTP attacks. */ match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "[Recommended]FTP - Critical" "[Recommended]FTP - Minor" "[Recommended]FTP - Major" ]; } } then { action { recommended; } notification { log-attacks; } } } rule 7 { /* This rule is designed to protect your network against important POP3 attacks. */ match { from-zone any; Lab 7–14 • Implementing IDP (Detailed) www.juniper.net Junos Security         source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "[Recommended]POP3 - Critical" "[Recommended]POP3 - Minor" "[Recommended]POP3 - Major" ]; } } then { action { recommended; } notification { log-attacks; } } } rule 8 { /* This rule is designed to protect your network against important IMAP attacks. */ match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "[Recommended]IMAP - Critical" "[Recommended]IMAP - Major" ]; } } then { action { recommended; } notification { log-attacks; } } } rule 9 { /* This rule is designed to protect your network against common internet malware. */ match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { www.juniper.net Implementing IDP (Detailed) • Lab 7–15 Junos Security     predefined-attack-groups [ "[Recommended]TROJAN - Critical" "[Recommended]TROJAN - Major" "[Recommended]TROJAN - Minor" "[Recommended]VIRUS - Critical" "[Recommended]VIRUS - Major" "[Recommended]VIRUS - Minor" "[Recommended]WORM - Critical" "[Recommended]WORM - Major" "[Recommended]WORM - Minor" ]; } } then { action { recommended; } notification { log-attacks; } } } } Question: Does the Recommended IDP policy provide protection for HTTP? Answer: Rule 3 protects against malicious HTTP traffic. For specific information regarding predefined attacks or attack groups, consult the following link: https://services.netscreen.com/restricted/ sigupdates/nsm-updates/HTML/ index.html Delete all of the rules, except rule 3, from the Recommended IDP policy. [edit security idp] [email protected]# delete idp-policy Recommended rulebase-ips rule 1 [edit security idp] [email protected]# delete idp-policy Recommended rulebase-ips rule 2 [edit security idp] [email protected]# delete idp-policy Recommended rulebase-ips rule 4 [edit security idp] [email protected]# delete idp-policy Recommended rulebase-ips rule 5 [edit security idp] [email protected]# delete idp-policy Recommended rulebase-ips rule 6 Lab 7–16 • Implementing IDP (Detailed) www.juniper.net Junos Security [edit security idp] [email protected]# delete idp-policy Recommended rulebase-ips rule 7 [edit security idp] [email protected]# delete idp-policy Recommended rulebase-ips rule 8 [edit security idp] [email protected]# delete idp-policy Recommended rulebase-ips rule 9 [edit security idp] [email protected]# show idp-policy Recommended /* This template policy covers the most important vulnerabilities. Use this template as a base line. */ rulebase-ips { rule 3 { /* This rule is designed to protect your network against important HTTP attacks. */ match { from-zone any; source-address any; to-zone any; destination-address any; application default; attacks { predefined-attack-groups [ "[Recommended]HTTP - Critical" "[Recommended]HTTP - Major" "[Recommended]HTTP - Minor" ]; } } then { action {   recommended; } notification {   log-attacks; } } } } Set the Recommended IDP policy as the active IDP policy on your assigned device. [edit security idp] [email protected]# set active-policy Recommended Configure your assigned device to perform IDP services on all traffic associated with the webserver security policy. Ensure you reference the appropriate security zone within the policy context. [edit security idp] [email protected]# top edit security policies from-zone untrust to-zone ACME-local www.juniper.net Implementing IDP (Detailed) • Lab 7–17 Junos Security [edit security policies from-zone untrust to-zone ACME-SV] [email protected]# set policy webserver   then permit application-services idp [edit security policies from-zone untrust to-zone ACME-SV] [email protected]# show policy webserver  match { source-address srxD-2; destination-address vr207; application [ junos-telnet junos-http ]; } then { permit { application-services {   idp; } } } [edit security policies from-zone untrust to-zone ACME-SV] [email protected]# To avoid overwriting the IDP policy modifications on subsequent commit operations, delete the commit script from the configuration. After you remove the commit script, commit the configuration and return to operational mode. [edit security policies from-zone untrust to-zone ACME-SV] [email protected]# top [edit] [email protected]# delete system scripts [edit] [email protected]# commit and-quit commit complete Exiting configuration mode [email protected]> Issue the show security policies policy-name webserver   detail command. [email protected]> show security policies policy-name webserver   detail Policy: webserver, action-type: permit, State: enabled, Index: 12, Scope Policy: 0 Policy Type: Configured Sequence number: 1 From zone: untrust, To zone: ACME-SV Source addresses: srxD-2: 172.18.2.0/30 Destination addresses: vr207: 172.20.207.0/24 Application: junos-telnet IP protocol: tcp, ALG: 0, Inactivity timeout: 1800 Lab 7–18 • Implementing IDP (Detailed) www.juniper.net Junos Security Source port range: [0-0] Destination port range: [23-23] Application: junos-http IP protocol: tcp, ALG: 0, Inactivity timeout: 1800 Source port range: [0-0] Destination port range: [80-80] Per policy TCP Options: SYN check: No, SEQ check: No Intrusion Detection and Prevention: enabled Unified Access Control: disabled Question: Does the webserver security policy output indicate that IDP is enabled? Answer: Yes. IDP is listed as enabled. View the memory allocation for IDP services using the show security idp memory command. [email protected]> show security idp memory IDP data plane memory statistics: Total IDP data plane memory : 196 MB Used : 12 MB ( 12288 KB ) ( 6.12%) Available : 184 MB ( 188416 KB ) ( 93.88%) Question: How much data plane memory is currently in use for IDP services? Answer: The output varies. In the example from srxD-1, 12 MB of memory is currently in use for IDP services. Check the version of the attack database currently installed on your assigned device using the show security idp security-package-version command. [email protected]> show security idp security-package-version  Attack database version:2125(Thu Apr 26 12:37:13 2012) Detector version :12.6.160120404 Policy template version :N/A www.juniper.net Implementing IDP (Detailed) • Lab 7–19 Junos Security Question: What version number of the attack database is presently on your assigned device? Answer: The answer can vary. In the example from srxD-1, the version number is 1449. STOP Lab 7–20 • Implementing IDP (Detailed) www.juniper.net Lab 8 In this lab, you will implement high availability chassis clustering. You will work with the remote team in your pod to combine your assigned devices into a single chassis cluster. cluster.  You will then generate generate traffic flows from the attached virtual routers. You will monitor the traffic flows to determine the path taken through the chassis cluster. cluster. The lab is available in two formats: a high-level format designed to make you think through each step and a detailed format that offers step-by-step instructions complete with sample output from most commands. The lab is also designed for modularity, where you might be directed to load a star ting configuration at the beginning of each lab par t. If you are completing the lab from start star t to finish, there is no need to load the starting configuration for each lab part. By completing this lab, you will per form the following tasks: www.juniper.net • Use the Junos Junos comm command and-lin -line e interf interface ace (CLI) (CLI) to load load the the baseli baseline ne conf configu igurat ration ion.. • Build ild th the ch chassi ssis cl cluster. • Conf Config igur ure e an acti active ve/a /act ctiv ive e chas chassi sis s clus cluste terr. • Moni Monito torr tra traffi ffic c flo flows ws thro throug ugh h the the chas chassis sis clus cluste terr. • Disa Disabl ble e the the chas chassi sis s clus clustter. er. Implementing High Availability Techniques (Detailed) • Lab 8–1 12.a.12.1R1.9 Junos Security In this lab part, you become familiar with the access details used to access the lab equipment. Once you are familiar with the access details, you will use the CLI to log in to your designated designated station. Then, you will load the starting configuration for Lab 8. Depending on the class, the lab equipment used might be remote from your physical location. The instructor will inform you as to the nature of your access and will provide you the details needed to access your assigned device. Ensure that you know to which student device you have been assigned. Check with your instructor if you are not certain. cer tain. Consult the Management Network Diagram to determine the management address of your student device. Question: What is the management address assigned to your station? Answer: The answer varies; in this example the user is assigned to the srxC-1 station, which uses an IP address of 10.210.14.13 10.210.14.137 7. Access the CLI at your station using either the t he console, Telnet, or SSH as directed by your instructor. Refer Refer to the Management Network Diagram for the IP address associated with your workstation. The following example is based on simple Telnet access using the Secure CRT program. Lab 8–2 • Implementing High Availability Techniques (Detailed) www.juniper.net Junos Security Log in as user lab   with  with the password lab123. Enter configuration mode and load the lab8-start.config   from the /var/home/lab/jsec/ directory. Commit the  from configuration when complete. srxC-1 (ttyu0) login: lab  Password: --- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC [email protected]> configure Entering configuration mode [edit] [email protected]# load override jsec/ lab8-start.config [edit] [email protected]# commit commit complete [edit] [email protected]# In this lab part, par t, you adjust the configuration and enable high availability chassis clustering. You will work with the remote team in your assigned pod to make some configuration adjustments and then join your assigned devices into a single virtual device using chassis clustering. Throughout this lab, you work as a team with all the members in your assigned lab pod. Because a chassis cluster combines two physical devices into one logical device, it is important impor tant to follow the steps in order and in tandem as a team. Perform Per form the next several steps on the SRX1 and SRX2 devices. Navigate to the [edit interfaces] hierarchy. [edit] [email protected]# edit interfaces [edit interfaces] [email protected]# www.juniper.net Implementing High Availability Techniques (Detailed) • Lab 8–3 Junos Security Issue the show   command.  command. [edit interfaces] [email protected]# show  ge-0/0/0 { description "MGMT Interface - DO NOT DELETE"; unit 0 { family inet { address 10.210.14.135/27; 10.210.14.135/27; } } } ge-0/0/3 { unit 0 { family inet { address 172.18.1.2/30; } } } ge-0/0/4 { unit 0 { family ethernet-switching ethernet-switching { port-mode trunk; vlan { members default; } } } } lo0 { unit 0 { family inet { address 192.168.1.1/32; 192.168.1.1/32; } } } [edit interfaces] [email protected]# Lab 8–4 • Implementing High Availability Techniques (Detailed) www.juniper.net Junos Security Question: You will not be per forming Layer 2 Ethernet switching with the chassis cluster. Are there any interfaces that must be removed before chassis cluster pairing is attempted? Answer: The ge-0/0/4 interface must be deleted. The interface is configured for Layer 2 Ethernet switching, and it will cause a malfunctioning chassis cluster if pairing is attempted without removing it. If it were necessary to perform Layer 2 switching with the chassis cluster, we recommend that you disable any interface that is configured for Layer 2 Ethernet switching before you attempt the clustering. Then, once the chassis cluster has formed, you can prepare it for Layer 2 Ethernet switching by adding the swfab interfaces and enabling the interfaces there were designated for Ethernet switching.  You should also remove the ge-0/0/0 interface. When the chassis cluster is formed, it will be replaced with the fxp0 interface. Leaving the ge-0/0/0 interface configured will cause the chassis cluster formation to fail. Remove the ge-0/0/0 and ge-0/0/4 interfaces. [edit interfaces] [email protected]# delete ge-0/0/0 [edit interfaces] [email protected]# delete ge-0/0/4 Navigate to the [edit system] hierarchy level and delete the host-name statement. [edit interfaces] [email protected]# up 1 edit system  [edit system] [email protected]# delete host-name [edit system] [email protected]# www.juniper.net Implementing High Availability Techniques (Detailed) • Lab 8–5 Junos Security The steps 2.5 through 2.12 will be performed only on the SRX1 device. From the Telnet session on the SRX1 device, navigate to the [edit groups node0] hierarchy level. [edit system] [email protected]# top edit groups node0 [edit groups node0] [email protected]# Configure a host name of srxY   is the letter of your pod. -1, where Y  [edit groups node0] [email protected]# set system host-name srxY-1 Configure the fxp0 interface with the management IP address for SRX1. Please refer to the Management Network Diagram for this address. [edit groups node0] [email protected]# set interfaces fxp0 unit 0 family inet address address/  mask  Navigate to the [edit groups node1] hierarchy level. [edit groups node0] [email protected]# up 1 edit node1 [edit groups node1] [email protected]# Configure a host name of srxY   is the letter of your pod. -2, where Y  [edit groups node1] [email protected]# set system host-name srx Y  -2 Configure the fxp0 interface with the management IP address for SRX2. Please refer to the Management Network Diagram for this address. [edit groups node1]  mask  [email protected]# set interfaces fxp0 unit 0 family inet address address/ Apply the recently created groups by issuing the command top set apply-groups ${node}. [edit groups node1] [email protected]# top set apply-groups ${node} [edit groups node1] [email protected]# top show groups Lab 8–6 • Implementing High Availability Techniques (Detailed) www.juniper.net Junos Security node0 { system { host-name srxC-1; } interfaces { fxp0 { unit 0 { family inet address } } } } } node1 { system { host-name srxC-2; } interfaces { fxp0 { unit 0 { family inet address } } } } } { 10.210.14.135/27; { 10.210.14.136/27; Question: What is the purpose of these recently configured groups? Answer: The recently configured groups will apply a different host name and management IP address to each node. You will then be able to telnet or ssh to each node’s management address. The next several steps will be performed on the SRX1 and SRX2 devices. From the Telnet session of your assigned SRX device, commit the configuration and exit to operational mode. [edit groups node1] [email protected]# commit and-quit commit complete Exiting configuration mode [email protected]> www.juniper.net Implementing High Availability Techniques (Detailed) • Lab 8–7 Junos Security Initiate the chassis cluster pairing by issuing the command set chassis  is 0 for cluster cluster-id 1 node node-id   reboot, where node-id  SRX1 and node-id   is 1 for SRX2. [email protected]> set chassis cluster cluster-id 1 node node-id   reboot Successfully enabled chassis cluster. Going to reboot now [email protected]> *** FINAL System shutdown message from [email protected] *** System going down IMMEDIATELY FWaiting (max 60 seconds) for system process `vnlru' to Waiting (max 60 seconds) for system process `vnlru_mem' Waiting (max 60 seconds) for system process `bufdaemon' Waiting (max 60 seconds) for system process `syncer' to Syncing disks, vnodes remaining...0 0 0 done stop...done to stop...done to stop...done stop... syncing disks... All buffers synced. Uptime: 9m23s Rebooting... Log in to the device once it has rebooted. Use the username and password provided by your instructor. Once the required processes start, depending on the model of your device, you might see syslog messages indicating that high availability clustering is active. srxC-1 (ttyu0) login: lab Password: --- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC {primary:node0} [email protected]> Question: Which host name is shown in the output? Answer: The answer will depend on which SRX device is your assigned device. The host name of SRX1 should be shown, whereas the host name of SRX2 will not be shown. A configuration change and commit must occur before the groups configuration can be passed on to SRX2. Lab 8–8 • Implementing High Availability Techniques (Detailed) www.juniper.net Junos Security Issue the command show interface fxp0 terse. {primary:node0} [email protected]> show interfaces terse fxp0 Interface Admin Link Proto fxp0 up up fxp0.0 up up inet Local Remote 10.210.14.137/27 Question: Is your local SRX device’s management IP address applied to the fxp0 interface? Answer: As with the previous question, the answer depends on which SRX device is your assigned SRX device. The management IP address of SRX1 should be applied to the interface. The management IP address of SRX2 will not be applied yet. Perform the next several steps only on the SRX1 device. Both teams should be working only from SRX1! The next several steps will be performed on the only on the SRX1 device. From the Telnet session of SRX1, issue the command show chassis cluster status. {primary:node0} [email protected]> show chassis cluster status Cluster ID: 1 Node Priority Status Redundancy group: 0 , Failover count: 1 node0 1 primary node1 1 secondary www.juniper.net Preempt no no Manual failover no no Implementing High Availability Techniques (Detailed) • Lab 8–9 Junos Security Question: Are both nodes present? What statuses are they indicating? Answer: Yes. Both nodes should be present. Node 0 status should display primary for redundancy group 0 and Node 1 status should display secondary for redundancy group 0. If the status of the nodes indicate differently please inform your instructor. Question: Which redundancy groups are shown in the output? Answer: Because no redundancy groups are configured, only redundancy group 0 is shown in the previous output. Question: The output displays that Node 0 is primary for redundancy group 0. Where else can this information be found? Answer: Node 0 is primary for redundancy group 0. The information can also be found by examining the CLI command prompt. Issue the command show chassis cluster interfaces. {primary:node0} [email protected]> show chassis cluster interfaces Control link status: Up Control interfaces: Index Interface 0 fxp1 Status Up Fabric link status: Down Fabric interfaces: Name Child-interface     fab0 fab0 Status (Physical/Monitored) Lab 8–10 • Implementing High Availability Techniques (Detailed) www.juniper.net Junos Security   fab1 fab1 Question: What is the status of the control link? Answer: The Control link status field should display a value of Up. Question: What is the status of the fabric link? Answer: The fabric link is down and is not operational. Question: Which steps are needed to bring the fabric link to the operational state? Answer: The fab0 and fab1 interfaces must be configured. Enter configuration mode, navigate to the [edit interfaces] hierarchy, and configure the fab0 and fab1 interfaces that comprise the fabric li nk. Refer to your Lab 8 network diagram for the appropriate member interfaces. When you are finished, commit the configuration and return to operational mode. When chassis clustering is enabled commits can only be issued from the top of the configuration hierarchy. {primary:node0} [email protected]> configure warning: Clustering enabled; using private edit warning: uncommitted changes will be discarded on exit Entering configuration mode {primary:node0}[edit] [email protected]# edit interfaces {primary:node0}[edit interfaces] [email protected]# set fab0 fabric-options member-interfaces ge-0/0/2 www.juniper.net Implementing High Availability Techniques (Detailed) • Lab 8–11 Junos Security {primary:node0}[edit interfaces] [email protected]# set fab1 fabric-options member-interfaces ge-5/0/2 {primary:node0}[edit interfaces] [email protected]# top {primary:node0}[edit] [email protected]# commit and-quit node0: configuration check succeeds node1: commit complete node0: commit complete Exiting configuration mode {primary:node0} [email protected]> Issue the command show chassis cluster interfaces. {primary:node0} [email protected]> show chassis cluster interfaces Control link status: Up Control interfaces: Index Interface 0 fxp1 Status Up Fabric link status: Up Fabric interfaces: Name Child-interface   fab0 ge-0/0/2 fab0 fab1 ge-5/0/2 fab1 Status (Physical/Monitored) Up / Up Up / Up Question: What is the fabric link status? Answer: The fabric link status should be listed as Up. STOP Lab 8–12 • Implementing High Availability Techniques (Detailed) www.juniper.net Junos Security In this lab part, you configure redundancy group 1 and redundancy group 2 in an active/active cluster configuration. Enter configuration mode and load the lab8-part3-start.config   from the  /var/home/lab/jsec/ directory. Commit the configuration when complete. [email protected]> configure warning: Clustering enabled; using private edit warning: uncommitted changes will be discarded on exit Entering configuration mode [edit] [email protected]# load override jsec/ lab8-part3-start.config [edit] [email protected]# commit commit complete [edit] [email protected]# Navigate to the [edit chassis cluster] hierarchy level. Next configure redundancy group 1 to have Node 0 with a priority of 200 and Node 1 with a priority of 100. {primary:node0}[edit] [email protected]# edit chassis cluster {primary:node0}[edit chassis cluster] [email protected]# set redundancy-group 1 node 0 priority 200 {primary:node0}[edit chassis cluster] [email protected]# set redundancy-group 1 node 1 priority 100 {primary:node0}[edit chassis cluster] [email protected]# Configure redundancy group 2 to have Node 1 with a priority of 200 and Node 0 with a priority of 100. Then configure Node 1 to automatically reacquire primacy during a failover scenario once the original problem that c aused the failover has been fixed. {primary:node0}[edit chassis cluster] [email protected]# set redundancy-group 2 node 1 priority 200 {primary:node0}[edit chassis cluster] [email protected]# set redundancy-group 2 node 0 priority 100 {primary:node0}[edit chassis cluster] [email protected]# set redundancy-group 2 preempt www.juniper.net Implementing High Availability Techniques (Detailed) • Lab 8–13 Junos Security Configure the chassis cluster to perform interface monitoring for redundancy group 2. The redundancy group should fail over to Node 0 if the ge-5/0/3 interface goes down. Use a weight value of 255.  You will configure the ge-5/0/3 interface in a later step. {primary:node0}[edit chassis cluster] [email protected]# set redundancy-group 2 interface-monitor ge-5/0/3 weight 255 {primary:node0}[edit chassis cluster] [email protected]# show  redundancy-group 1 { node 0 priority 200; node 1 priority 100; } redundancy-group 2 { node 1 priority 200; node 0 priority 100;   preempt; interface-monitor { ## ## Warning: Interface must be defined before configuring monitoring ## ge-5/0/3 weight 255; } } Navigate to the [edit interfaces] hierarchy level. Configure the reth0 interface to consist of interfaces ge-0/0/4 and ge-5/0/4. Next associate reth0 with redundancy group 1.Then configure reth0 to accept and transmit 802.1Q frames, and configure it with the proper VLAN ID and IP address. Please refer to your network diagram for Lab 8 for the correct VLAN and IP address values. {primary:node0}[edit chassis cluster] [email protected]# top edit interfaces {primary:node0}[edit interfaces] [email protected]# set ge-0/0/4 gigether-options redundant-parent reth0 {primary:node0}[edit interfaces] [email protected]# set ge-5/0/4 gigether-options redundant-parent reth0 {primary:node0}[edit interfaces] [email protected]# set reth0 redundant-ether-options redundancy-group 1 {primary:node0}[edit interfaces] [email protected]# set reth0 vlan-tagging Lab 8–14 • Implementing High Availability Techniques (Detailed) www.juniper.net Junos Security {primary:node0}[edit interfaces] [email protected]# set reth0 unit reth0-vlan-id   vlan-id reth0-vlan-id  {primary:node0}[edit interfaces] [email protected]# set reth0 unit reth0-vlan-id   family inet address reth0-address/mask  Configure the reth1 interface to consist of interfaces ge-0/0/5 and ge-5/0/5. Next associate reth1 with redundancy group 2. Then configure reth1 to accept and transmit 802.1Q frames, and configure it with the proper VLAN ID and IP address. Please refer to your Lab 8 network diagram for the correct VLAN and IP address values. {primary:node0}[edit interfaces] [email protected]# set ge-0/0/5 gigether-options redundant-parent reth1 {primary:node0}[edit interfaces] [email protected]# set ge-5/0/5 gigether-options redundant-parent reth1 {primary:node0}[edit interfaces] [email protected]# set reth1 redundant-ether-options redundancy-group 2 {primary:node0}[edit interfaces] [email protected]# set reth1 vlan-tagging {primary:node0}[edit interfaces] [email protected]# set reth1 unit reth1-vlan-id   vlan-id reth1-vlan-id  {primary:node0}[edit interfaces] [email protected]# set reth1 unit reth1-vlan-id   family inet address reth1-address/mask  Configure the ge-5/0/3 interface with the 172.18.2.2/30 address. Commit the configuration when you are finished. {primary:node0}[edit interfaces] [email protected]# set ge-5/0/3 unit 0 family inet address 172.18.2.2/30 {primary:node0}[edit interfaces] [email protected]# show  ge-0/0/3 { unit 0 { family inet { address 172.18.1.2/30; } } } ge-0/0/4 { gigether-options { redundant-parent reth0; } } ge-0/0/5 { gigether-options { redundant-parent reth1; www.juniper.net Implementing High Availability Techniques (Detailed) • Lab 8–15 Junos Security } } ge-5/0/3 { unit 0 { family inet { address 172.18.2.2/30; } } } ge-5/0/4 { gigether-options { redundant-parent reth0; } } ge-5/0/5 { gigether-options { redundant-parent reth1; } } ... reth0 {   vlan-tagging; redundant-ether-options { redundancy-group 1; } unit 223 { vlan-id 223; family inet { address 172.20.30.1/24; } } } reth1 {   vlan-tagging; redundant-ether-options { redundancy-group 2; } unit 233 { vlan-id 233; family inet { address 172.30.30.1/24; } } } {primary:node0}[edit interfaces] [email protected]# top {primary:node0}[edit] [email protected]# commit [edit chassis cluster] 'redundancy-group 1' redundancy-group-id (1) cannot exceed reth-count (0) Lab 8–16 • Implementing High Availability Techniques (Detailed) www.juniper.net Junos Security error: configuration check-out failed {primary:node0}[edit] [email protected]# Question: Were you able to commit the configuration? Answer: No. The configuration will not commit because the reth count of 0 was exceeded. Question: Where can you increase the reth count? Answer: You can increase the reth count under the [edit chassis cluster] hierarchy level. Navigate to the [edit chassis cluster] hierarchy level and increase the reth count to 2. Commit the configuration when you are finished. {primary:node0}[edit] [email protected]# edit chassis cluster {primary:node0}[edit chassis cluster] [email protected]# set reth-count 2 {primary:node0}[edit chassis cluster] [email protected]# top {primary:node0}[edit] [email protected]# commit node0: configuration check succeeds node1: commit complete node0: commit complete Question: Why would you not want to set the reth count to its maximum possible number? Answer: Increasing the reth count increases the number of reth interfaces created by the system, which in turn uses more system resources. www.juniper.net Implementing High Availability Techniques (Detailed) • Lab 8–17 Junos Security Issue the command run show chassis cluster interfaces. {primary:node0}[edit] [email protected]# run show chassis cluster interfaces Control link status: Up Control interfaces: Index Interface 0 fxp1 Status Up Fabric link status: Up Fabric interfaces: Name Child-interface   fab0 ge-0/0/2 fab0 fab1 ge-5/0/2 fab1 Status (Physical/Monitored) Up / Up Up / Up Redundant-ethernet Information: Name Status Redundancy-group reth0 Down 1 reth1 Down 2 Interface Monitoring: Interface Weight ge-5/0/3 255 Status Up Redundancy-group 2 Question: Within which redundancy groups are reth0 and reth1 contained? Answer: Reth0 is contained within redundancy group 1 and reth1 is contained within redundancy group 2. Issue the command run show chassis cluster status. {primary:node0}[edit] [email protected]# run show chassis cluster status Cluster ID: 1 Node Priority Status Redundancy group: 0 , Failover count: 1 node0 1 primary node1 1 secondary Lab 8–18 • Implementing High Availability Techniques (Detailed) Preempt no no Manual failover no no www.juniper.net Junos Security Redundancy group: 1 , Failover count: 1 node0 200 primary node1 100 secondary no no no no Redundancy group: 2 , Failover count: 2 node0 100 secondary node1 200 primary yes yes no no Question: Which node is primary for redundancy group 2? Answer: Node 1 is primary for redundancy group 2. Question: Why is Node 0 primary for redundancy group 0? Answer: Both nodes have the same priority value and so Node 0 is primary because it has a lower node ID. Question: How would you ensure Node 0 acquires primacy for redundancy group 0 if both nodes reboot around the same time? Answer: You can configure Node 1 with a higher priority value than Node 0 for redundancy group 0. Configure Node 1 to have a higher priority value than Node 0 for redundancy group 0. Commit the configuration when you are finished. {primary:node0}[edit] [email protected]# set chassis cluster redundancy-group 0 node 1 priority 254 {primary:node0}[edit] [email protected]# commit node0: configuration check succeeds node1: commit complete www.juniper.net Implementing High Availability Techniques (Detailed) • Lab 8–19 Junos Security node0: commit complete Issue the command run show chassis cluster status. {primary:node0}[edit] [email protected]# run show chassis cluster status Cluster ID: 1 Node Priority Status Preempt Manual failover Redundancy group: 0 , Failover count: 1 node0 1 primary node1 254 secondary no no no no Redundancy group: 1 , Failover count: 1 node0 200 primary node1 100 secondary no no no no Redundancy group: 2 , Failover count: 2 node0 100 secondary node1 200 primary yes yes no no {primary:node0}[edit] [email protected]# Question: Which node will acquire primacy for redundancy group 0 if both nodes reboot at the same time? Answer: Node 1 will have primacy for redundancy group 0 if both nodes are rebooted at the same time. Question: Why is node 0 still the primary node for redundancy group 0? Answer: Even though Node 1 has a higher priority value for redundancy group 0, a failover event must occur to cause node 1 to become primary for redundancy group 0. Lab 8–20 • Implementing High Availability Techniques (Detailed) www.juniper.net Junos Security Navigate to the [edit security] hierarchy level. Then configure the system’s default-policy to allow all traffic. This lab step is for the purpose of simplicity.  You should never use a default security policy to permit all traffic outside of a lab environment. {primary:node0}[edit] [email protected]# edit security {primary:node0}[edit security] [email protected]# set policies default-policy permit-all {primary:node0}[edit security zones] [email protected]# Navigate to the [edit security zones] hierarchy and configure the untrust zone to contain interfaces ge-0/0/3 and ge-5/0/3. No inbound protocols or services should be allowed on these interfaces. {primary:node0}[edit security] [email protected]# edit zones {primary:node0}[edit security zones] [email protected]# set security-zone untrust interfaces ge-0/0/3 {primary:node0}[edit security zones] [email protected]# set security-zone untrust interfaces ge-5/0/3 Configure the trust zone to contain interfaces reth0 and reth1. All system ser vices should be allowed on these interfaces. Commit the configuration and exit to operational mode. The reth interfaces are configured with a different unit number than 0. Make sure to use the correct unit number in this step. {primary:node0}[edit security zones] [email protected]# set security-zone trust interfaces reth0. reth0-vlan-id  host-inbound-traffic system-services all {primary:node0}[edit security zones] [email protected]# set security-zone trust interfaces reth1. reth1-vlan-id  host-inbound-traffic system-services all [email protected]# show  zones { security-zone untrust { www.juniper.net Implementing High Availability Techniques (Detailed) • Lab 8–21 Junos Security         interfaces { ge-0/0/3.0; ge-5/0/3.0; } } security-zone trust { interfaces { reth0.223 { host-inbound-traffic { system-services { all; } } } reth1.233 { host-inbound-traffic { system-services { all; } } } } } } policies { default-policy {   permit-all; } } Delete the current default static route and configure two default floating st atic routes through the use of the qualified-next-hop option. The route which has a next hop of 172.18.1.1 will have a route preference of 5. The route which has a next hop of 172.18.2.1 will have a route preference of 10. Commit the configuration and exit to operational mode. {primary:node0}[edit security zones] [email protected]# top edit routing-options {primary:node0}[edit routing-options] [email protected]# delete static route 0/0 {primary:node0}[edit routing-options] [email protected]# set static route 0/0 qualified-next-hop 172.18.1.1 {primary:node0}[edit routing-options] [email protected]# set static route 0/0 qualified-next-hop 172.18.2.1 preference 10 {primary:node0}[edit routing-options] [email protected]# top {primary:node0}[edit] [email protected]# commit and-quit node0: Lab 8–22 • Implementing High Availability Techniques (Detailed) www.juniper.net Junos Security configuration check succeeds node1: commit complete node0: commit complete Exiting configuration mode {primary:node0} [email protected]> Issue the show route 0/0 exact command. [email protected]> show route 0/0 exact inet.0: 12 destinations, 13 routes (12 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 0.0.0.0/0 *[Static/5] 1d 20:53:32 > to 172.18.1.1 via ge-0/0/3.0 [Static/10] 19:41:40 > to 172.18.2.1 via ge-5/0/3.0 Question: Is the correct routing information displayed? Answer: The correct output should display a default static route with two next hops. The next hop with a route preference of 5 directs traffic through the ge-0/0/3 interface. The next hop with a route preference of directs traffic through the ge-5/0/3 interface. Check connectivity by issuing pings to both virtual router interface addresses. Next, ping both interface addresses that belong to the ISP, and then ping the Internet host. Use the detail option to ensure the pings are egressing the correct interface. Please refer to your Lab 8 network diagram for these addresses. {primary:node0} [email protected]> ping reth0-VR   detail count 2 PING 172.20.30.2 (172.20.30.2): 56 data bytes 64 bytes from 172.20.30.2 via reth0.223: icmp_seq=0 ttl=64 time=1.678 ms 64 bytes from 172.20.30.2 via reth0.223: icmp_seq=1 ttl=64 time=1.726 ms --- 172.20.30.2 ping statistics --2 packets transmitted, 2 packets received, 0% packet loss round-trip min/avg/max/stddev = 1.678/1.702/1.726/0.024 ms {primary:node0} [email protected]> ping reth1-VR   detail count 2 www.juniper.net Implementing High Availability Techniques (Detailed) • Lab 8–23 Junos Security PING 172.30.30.2 (172.30.30.2): 56 data bytes 64 bytes from 172.30.30.2 via reth1.233: icmp_seq=0 ttl=64 time=16.443 ms 64 bytes from 172.30.30.2 via reth1.233: icmp_seq=1 ttl=64 time=5.211 ms --- 172.30.30.2 ping statistics --2 packets transmitted, 2 packets received, 0% packet loss round-trip min/avg/max/stddev = 5.211/10.827/16.443/5.616 ms {primary:node0} [email protected]> ping 172.18.1.1 detail count 2 PING 172.18.1.1 (172.18.1.1): 56 data bytes 64 bytes from 172.18.1.1 via ge-0/0/3.0: icmp_seq=0 ttl=64 time=1.974 ms 64 bytes from 172.18.1.1 via ge-0/0/3.0: icmp_seq=1 ttl=64 time=1.507 ms --- 172.18.1.1 ping statistics --2 packets transmitted, 2 packets received, 0% packet loss round-trip min/avg/max/stddev = 1.507/1.740/1.974/0.233 ms {primary:node0} [email protected]> ping 172.18.2.1 detail count 2 PING 172.18.2.1 (172.18.2.1): 56 data bytes 64 bytes from 172.18.2.1 via ge-5/0/3.0: icmp_seq=0 ttl=64 time=8.307 ms 64 bytes from 172.18.2.1 via ge-5/0/3.0: icmp_seq=1 ttl=64 time=17.362 ms --- 172.18.2.1 ping statistics --2 packets transmitted, 2 packets received, 0% packet loss round-trip min/avg/max/stddev = 8.307/12.834/17.362/4.528 ms {primary:node0} [email protected]> ping 172.31.15.1 detail count 2 PING 172.31.15.1 (172.31.15.1): 56 data bytes 64 bytes from 172.31.15.1 via ge-0/0/3.0: icmp_seq=0 ttl=64 time=1.740 ms 64 bytes from 172.31.15.1 via ge-0/0/3.0: icmp_seq=1 ttl=64 time=1.691 ms --- 172.31.15.1 ping statistics --2 packets transmitted, 2 packets received, 0% packet loss round-trip min/avg/max/stddev = 1.691/1.716/1.740/0.025 ms Question: Were the ping tests successful? Answer: As shown in the output, the ping tests should be successful. STOP Lab 8–24 • Implementing High Availability Techniques (Detailed) www.juniper.net Junos Security In this lab part, you generate traffic from the attached virtual routers and monitor the traffic flows. You will also examine the path which these flows take and the effect of asymmetric flows on the chassis cluster. Enter configuration mode and load the lab8-part4-start.config   from the  /var/home/lab/jsec/ directory. Commit the configuration when complete. [email protected]> configure warning: Clustering enabled; using private edit warning: uncommitted changes will be discarded on exit Entering configuration mode [edit] [email protected]# load override jsec/ lab8-part4-start.config [edit] [email protected]# commit commit complete [edit] [email protected]# Open a separate Telnet session to the virtual router attached to your team’s device. www.juniper.net Implementing High Availability Techniques (Detailed) • Lab 8–25 Junos Security Log in to the virtual router using the login information shown in the following table: srxA a1 lab123 srxB b1 lab123 srxC c1 lab123 srxD d1 lab123 vr-device (ttyp0) login: username  Password: --- JUNOS 11.4R3.7 built 2012-05-14 22:22:03 UTC NOTE: This router is divided into many virtual routers used by different teams. Please only configure your own virtual router. You must use 'configure private' to configure this router. [email protected]> Generate traffic to the Internet host from the virtual router associated with reth0 by issuing the ping 172.31.15.1 rapid count 1000000  command. routing-instance reth0-VR  [email protected]> ping 172.31.15.1 rapid count 1000000 routing-instance reth0-VR  PING 172.31.15.1 (172.31.15.1): 56 data bytes !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ... Return to the Telnet session established with your assigned SRX device. From the Telnet session established with SRX1, issue the run monitor interface traffic command. You must find the correct interfaces in the output to answer the following questions. Press Ctrl + d or Ctrl + u to scroll down or up. Examine the packets -per-second(pps) field to see the current packets traveling through an interface. Lab 8–26 • Implementing High Availability Techniques (Detailed) www.juniper.net Junos Security {primary:node0}[edit] [email protected]# run monitor interface traffic srxC-1 Interface ge-0/0/0 ge-0/0/1 ge-0/0/2 ge-0/0/3 ge-0/0/4 ge-0/0/5 ... ge-5/0/2 ge-5/0/3 ge-5/0/4 ge-5/0/5 ... fab0 fab1 ... reth0 reth1 st0 tap Seconds: 56 Time: 22:18:12 Link Up Up Up Up Up Up Input packets 0 0 0 3637472 1030660 51 (pps) (0) (0) (0) (222) (222) (0) Output packets 0 0 2932819 3633355 1030584 0 (pps) (0) (0) (4) (223) (222) (0) Up Up Up Up 0 4052 108 2602848 (0) (0) (0) (0) 2930341 58 0 2602875 (4) (0) (0) (0) Up Up 0 0 (0) (0) 2928169 2928170 (4) (4) Up Up Up Up 817823 2602898 0 0 (228) (0) (0) 817596 2602875 0 0 (228) (0) (0) Bytes=b, Clear=c, Delta=d, Packets=p, Quit=q or ESC, Rate=r, Up=^U, Down=^D Examine your Lab 8 diagram to help trace the path of the traffic flow. Question: Which reth interface is the traffic traveling through? Answer: The traffic is traveling through reth0. Question: Which child interface of reth0 is being used? Answer: The ge-0/0/4 interface is being used. www.juniper.net Implementing High Availability Techniques (Detailed) • Lab 8–27 Junos Security Question: What is the next interface being used in the path of the traffic? Answer: The next interface being used is ge-0/0/3 . Question: Is the fabric link being used for this traffic flow? Answer: No. The traffic flow is bypassing the fabric link. Question: When would this traffic flow use the fabric link? Answer: If Node 1 becomes the primar y node for redundancy group 1 the ge-5/0/4 interface would be used to pass traffic for reth0. Then the traffic would travel across the fabric link to reach its destination. Return to the Telnet session established with the virtual router. From the Telnet session established with the virtual router, press Ctrl + c to stop the ping traffic. ... !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!^C --- 172.31.15.1 ping statistics --408110 packets transmitted, 408110 packets received, 0% packet loss round-trip min/avg/max/stddev = 2.750/4.292/23.411/2.107 ms Generate traffic to the Internet host from the virtual router associated with reth1 by issuing the ping 172.31.15.1 rapid count 1000000  command. routing-instance reth1-VR  [email protected]> ping 172.31.15.1 rapid count 1000000 routing-instance reth1-VR  PING 172.31.15.1 (172.31.15.1): 56 data bytes Lab 8–28 • Implementing High Availability Techniques (Detailed) www.juniper.net Junos Security !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ... Return to the Telnet session established with your assigned SRX device. Find the correct interfaces in the output to answer the following questions. Press Ctrl + d or Ctrl + u to scroll down or up. If you canceled the output previously, you must restart it by issuing the monitor interface traffic command. srxC-1 Seconds: 14 Time: 00:00:45 Interface Link Input packets (pps) Output packets (pps) ge-0/0/0 ge-0/0/1 ge-0/0/2 ge-0/0/3 ge-0/0/4 ge-0/0/5 ... ge-5/0/2 ge-5/0/3 ge-5/0/4 ge-5/0/5 ... fab0 fab1 fxp0 fxp1 fxp2 ... ge-5/0/2 ge-5/0/3 ge-5/0/4 ge-5/0/5 ... reth0 reth1 st0 tap Up Up Up Up Up Up 0 0 0 3637472 9 9 (0) (0) (0) (222) (0) (0) 0 0 2989317 3633355 17 0 (0) (0) (215) (223) (0) (0) Up Up Up Up 0 13476 31 36374 (0) (0) (0) (194) 85527 7 0 36384 (200) (0) (0) (194) Up Up Up Up Up 0 0 779 1200337 0 (0) (0) 3139723 3140093 66 2019915 71147 (219) (211) Up Up Up Up 0 4402 112 2633482 (0) (0) (0) (210) 2989317 63 0 2633345 (215) (0) (0) (210) Up Up Up Up 2190832 2604412 0 0 (0) (207) (0) 2190753 2604125 0 0 (0) (207) (0) Bytes=b, Clear=c, Delta=d, Packets=p, Quit=q or ESC, Rate=r, Up=^U, Down=^D www.juniper.net Implementing High Availability Techniques (Detailed) • Lab 8–29 Junos Security Question: Which reth interface is the traffic traveling through? Answer: The traffic is traveling through reth1. Question: Which child interface of reth1 is being used? Answer: The ge-5/0/5 interface is being used. Question: What is the next interface being used in the path of the traffic? Answer: The next interface being used is fab1 . Question: Is the fabric link being used for this traffic flow? Answer: Yes. The traffic flow is traveling through the fabric link. Question: When would this traffic flow not use the fabric link? Answer: If Node 0 becomes the primar y node for redundancy group 2 the ge-0/0/5 interface would be used to pass traffic for reth1. Then the traffic would bypass the fabric link to reach its destination. Lab 8–30 • Implementing High Availability Techniques (Detailed) www.juniper.net Junos Security Press the q key to exit the running output. Navigate to the [edit interfaces] hierarchy level. Disable the ge-5/0/3 interface. When you are finished, commit the configuration. ... ge-0/0/8 ge-0/0/9 ge-0/0/10 ge-0/0/11 ge-0/0/12 ge-0/0/13 ge-0/0/14 ge-0/0/15 se-1/0/0 ge-5/0/0 ge-5/0/1 Up Up Up Up Down Down Down Down Down Up Up 0 0 0 0 0 0 0 0 0 0 0 (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) 0 0 0 0 0 0 0 0 0 0 0 (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) (0) Bytes=b, Clear=c, Delta=d, Packets=p, Quit= q or ESC, Rate=r, Up=^U, Down=^D {primary:node0}[edit] [email protected]# edit interfaces {primary:node0}[edit interfaces] [email protected]# set ge-5/0/3 disable {primary:node0}[edit interfaces] [email protected]# top {primary:node0}[edit] [email protected]# commit node0: configuration check succeeds node1: commit complete node0: commit complete {primary:node0}[edit] [email protected]# Issue the run show chassis cluster interfaces command. {primary:node0}[edit] [email protected]# run show chassis cluster interfaces Control link status: Up Control interfaces: Index Interface 0 fxp1 Status Up Fabric link status: Up www.juniper.net Implementing High Availability Techniques (Detailed) • Lab 8–31 Junos Security Fabric interfaces: Name Child-interface   fab0 ge-0/0/2 fab0 fab1 ge-5/0/2 fab1 Status (Physical/Monitored) Up / Up Up / Up Redundant-ethernet Information: Name Status Redundancy-group reth0 Up 1 reth1 Up 2 Interface Monitoring: Interface Weight ge-5/0/3 255 Status Down Redundancy-group 2 Question: What is the monitoring status of the ge-5/0/3 interface? Answer: The Status field indicates that the ge-5/0/3 interface is down. Issue the run show chassis cluster status command. {primary:node0}[edit] [email protected]# run show chassis cluster status Cluster ID: 1 Node Priority Status Preempt Manual failover Redundancy group: 0 , Failover count: 1 node0 1 primary node1 254 secondary no no no no Redundancy group: 1 , Failover count: 1 node0 200 primary node1 100 secondary no no no no Redundancy group: 2 , Failover count: 3 node0 100 primary node1 0 secondary yes yes no no Lab 8–32 • Implementing High Availability Techniques (Detailed) www.juniper.net Junos Security Question: Did disabling the ge-5/0/3 interface cause redundancy group 2 to failover primacy? Answer: Yes. Redundancy group 2 has failed over primacy from Node 1 to Node 0. Return to the Telnet session established with the virtual router. If the ping test is still running from the Telnet session established with the virtual router, cancel it with the Ctrl+c key combination. Then issue the ping 172.31.15.1 rapid count 1000000 routing-instance reth1-VR  command. ... !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!^C --- 172.31.15.1 ping statistics --166596 packets transmitted, 166594 packets received, 0% packet loss round-trip min/avg/max/stddev = 2.812/4.997/64.120/2.839 ms [email protected]> ping 172.31.15.1 rapid count 1000000 routing-instance reth1-VR  PING 172.31.15.1 (172.31.15.1): 56 data bytes !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! ... Return to the Telnet session established with your assigned SRX device. From the Telnet session established with SRX1, issue the run monitor interface traffic command. You must find the correct interfaces in the output to answer the following questions. Press Ctrl + d or Ctrl + u to scroll down or up. {primary:node0}[edit] [email protected]# run monitor interface traffic srxC-1 Interface ... ge-0/0/2 ge-0/0/3 ge-0/0/4 ge-0/0/5 ge-0/0/6 ... www.juniper.net Seconds: 5 Link Input packets (pps) Up Up Up Up Up 0 8006370 3365327 764832 0 (0) (231) (0) (231) (0) Time: 04:04:51 Output packets 4304107 8000898 3365369 763742 0 (pps) (4) (231) (0) (231) (0) Implementing High Availability Techniques (Detailed) • Lab 8–33 Junos Security ge-5/0/3 ge-5/0/4 ge-5/0/5 ge-5/0/6  ... fab0 fab1 ... reth0 reth1 st0 tap Down Up Up Up 5066 128 3872438 0 (0) (0) (0) (0) 602 0 3871958 0 (0) (0) (0) (0) Up Up 0 0 (0) (0) 4301297 4301297 (4) (4) Up Up Up Up 3365455 4664221 0 0 (0) (231) (0) 3365369 4662735 0 0 (0) (231) (0) Bytes=b, Clear=c, Delta=d, Packets=p, Quit=q or ESC, Rate=r, Up=^U, Down=^D Question: Which child interface of reth1 is the traffic traveling through? Answer: The traffic is traveling through the ge-0/0/5 interface. Question: What is the next step in the path for this traffic? Answer: The traffic is traveling through the ge-0/0/3 interface towards the Internet Host. Question: Is the fabric link being used for this traffic? Answer: No. The traffic path does not involve the fabric link. Remove the disable option that was placed on the ge-5/0/3 interface. Once you are finished, commit the configuration and exit to operational mode. {primary:node0}[edit] [email protected]# delete interfaces ge-5/0/3 disable {primary:node0}[edit] [email protected]# commit and-quit Lab 8–34 • Implementing High Availability Techniques (Detailed) www.juniper.net Junos Security node0: configuration check succeeds node1: commit complete node0: commit complete Exiting configuration mode {primary:node0} [email protected]> Issue the show chassis cluster status command. {primary:node0} [email protected]> show chassis cluster status Cluster ID: 1 Node Priority Status Preempt Manual failover Redundancy group: 0 , Failover count: 1 node0 1 primary node1 254 secondary no no no no Redundancy group: 1 , Failover count: 1 node0 200 primary node1 100 secondary no no no no Redundancy group: 2 , Failover count: 4 node0 100 secondary node1 200 primary yes yes no no Question: Why did the primacy for redundancy group 2 fail back over to node1? Answer: The preempt command is enabled for redundancy group 2. This command allows the node that originally had primacy to reacquire it when the failure condition is fixed. Return to the Telnet session established with the virtual router. From the Telnet session established with the virtual router, press Ctrl + c to stop the ping traffic. Then, log out of the vr-device. ... !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!^C --- 172.31.15.1 ping statistics --409132 packets transmitted, 409132 packets received, 0% packet loss www.juniper.net Implementing High Availability Techniques (Detailed) • Lab 8–35 Junos Security round-trip min/avg/max/stddev = 2.750/4.292/23.411/2.107 ms [email protected]> exit In this lab part, you break down the chassis cluster implementation. You will then load the reset configuration on each node. Return to the Telnet session established with your assigned SRX device. From the Telnet session established with SRX1, issue the set chassis cluster disable reboot command. {primary:node0} [email protected]> set chassis cluster disable reboot Successfully disabled chassis cluster. Going to reboot now{primary:node0} [email protected]> *** FINAL System shutdown message from [email protected] *** System going down IMMEDIATELY Once the SRX1 device reboots, log in using the lab user account. The Amnesiac banner is displayed and there is no host name for Node 0. Recall that apply-groups were used to implement the host name during chassis clustering. SrxX  -1 currently has no configured host name.  Amnesiac (ttyu0) login: lab  Password: --- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC lab> Enter configuration mode and issue the load override /var/home/lab/ jsec/reset.config   command to load the reset configuration. Commit the configuration and exit to operational mode. lab> configure Entering configuration mode [edit] lab# load override jsec/reset.config  load complete Lab 8–36 • Implementing High Availability Techniques (Detailed) www.juniper.net Junos Security [edit] lab# commit and-quit commit complete Exiting configuration mode [email protected]> Log in to the SRX2 device using the lab user account. Issue the set chassis cluster disable reboot command. srxC-2 (ttyu0) login: lab  Password: --- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC {primary:node1} [email protected]> set chassis cluster disable reboot Successfully disabled chassis cluster. Going to reboot now {primary:node1} [email protected]> *** FINAL System shutdown message from [email protected] *** System going down IMMEDIATELY Once the SRX2 device reboots, log in using the lab user account. The Amnesiac banner is displayed and there is no host name for Node 1. Recall that apply-groups were used to implement the host name during chassis clustering. SrxX  -1 currently has no configured host name.  Amnesiac (ttyu0) login: lab  Password: --- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC lab> Enter configuration mode and issue the load override /var/home/lab/ jsec/reset.config   command to load the reset configuration. Commit the configuration and exit to operational mode. lab> configure Entering configuration mode www.juniper.net Implementing High Availability Techniques (Detailed) • Lab 8–37 Junos Security [edit] lab# load override jsec/reset.config  load complete [edit] lab# commit and-quit commit complete Exiting configuration mode [email protected]> STOP Lab 8–38 • Implementing High Availability Techniques (Detailed) www.juniper.net Junos Security Appendix A: Lab Diagrams Junos Security A–2 • Lab Diagrams www.juniper.net Junos Security www.juniper.net Lab Diagrams • A–3 Junos Security A–4 • Lab Diagrams www.juniper.net Junos Security www.juniper.net Lab Diagrams • A–5 Junos Security A–6 • Lab Diagrams www.juniper.net Junos Security www.juniper.net Lab Diagrams • A–7
View more...
   EMBED

Share

Preview only show first 6 pages with water mark for full document please download

Transcript

Junos Security

12.a

Detailed Lab Guide

Worldwide Education Services

1194 North Mathilda Avenue
Sunnyvale, CA 94089
USA
408-745-2000
www.juniper.net

Course Number: EDU-JUN-JSEC

This document is produced by Juniper Networks, Inc.
This document or any part thereof may not be reproduced or transmitted in any form under penalty of law, without the prior written permission of Juniper Networks
Education Services.
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other
countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered
trademarks, or registered service marks are the property of their respective owners.
Junos Security Detailed Lab Guide, Revision 12.a
Copyright © 2012, Juniper Networks, Inc.
All rights reserved. Printed in USA.
Revision History:
Revision 9.a—July 2009
Revision 10.a—May 2010
Revision 10.b--December 2010
Revision 12.a—June 2012
The information in this document is current as of the date listed above.
The information in this document has been carefully verified and is believed to be accurate for software Release 12.1R1.9. Juniper Networks assumes no
responsibilities for any inaccuracies that may appear in this document. In no event will Juniper Networks be liable for direct, indirect, special, exemplary, incidental
or consequential damages resulting from any defect or omission in this document, even if advised of the possibility of such damages.

Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
YEAR 2000 NOTICE
Juniper Networks hardware and software products do not suffer from Year 2000 problems and hence are Year 2000 compliant. The Junos operating system has
no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
SOFTWARE LICENSE
The terms and conditions for using Juniper Networks software are described in the software license provided with the software, or to the extent applicable, in an
agreement executed between you and Juniper Networks, or Juniper Networks agent. By using Juniper Networks software, you indicate that you understand and
agree to be bound by its license terms and conditions. Generally speaking, the software license restricts the manner in which you are permitted to use the Juniper
Networks software, may contain prohibitions against certain uses, and may state conditions under which the license is automatically terminated. You should
consult the software license for further details.

Contents
Lab 1: Configuring and Monitoring Zones (Detailed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-1
Part 1: Logging In Using the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
Part 2: Verifying Network Connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Part 3: Configuring Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
Part 4: Monitoring and Verifying the Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-14

Lab 2: Security Policies (Detailed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-1
Part 1: Accessing Your Device and Monitoring the Default Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2
Part 2: Configuring Address Books . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5
Part 3: Configuring Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7
Part 4: Monitoring Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-18

Lab 3: Configuring Firewall Authentication (Detailed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-1
Part 1: Configuring Firewall User Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-2
Part 2: Verifying and Monitoring Firewall User Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-12

Lab 4: Implementing Screen Options (Detailed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4-1
Part 1: Accessing Your Device and Configuring Screen Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2
Part 2: Verifying Screen Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5
Part 3: Monitoring Screen Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-13

Lab 5: Network Address Translation (Detailed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5-1
Part 1: Interface-Based Source NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2
Part 2: Pool-Based Destination NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-7
Part 3: Pool-Based Source NAT with Overflow Pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-14

Lab 6: Implementing IPsec VPNs (Detailed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-1
Part 1: Configuring a Route-Based IPsec VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2
Part 2: Verifying and Monitoring IPsec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-10

Lab 7: Implementing IDP (Detailed) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7-1
Part 1: Retrieving and Installing the Security Package and IDP License . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2
Part 2: Installing the IDP License and Security Package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-7
Part 3: Enabling IDP Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-11

Lab 8: Implementing High Availability Techniques (Detailed) . . . . . . . . . . . . . . . . . . . . . . . . . . . .8-1
Part 1: Loading the Baseline Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-2
Part 2: Preparing and Forming a Chassis Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-3
Part 3: Configuring an Active/Active Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-13
Part 4: Monitoring Traffic Flows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-25
Part 5: Disabling the Chassis Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8-36

Appendix A: Lab Diagrams . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .A-1

www.juniper.net Contents • iii

iv • Contents www.juniper.net

Network Address Translation (NAT). • Provide an overview of SRX Series devices and software architecture. This course is based on Junos OS Release 12.Course Overview This three-day course covers the configuration. implement.1R1.juniper. support personnel. configure. www. and monitor firewall user authentication. security policies. operation. or have equivalent experience prior to attending this class. Course Level Junos Security is an intermediate-level course. • Describe various types of network attacks. • Configure and monitor IDP policy with policy templates. The course includes extensive hands-on labs. administrators. These operators include network engineers. and management.net Course Overview • v . Prerequisites Students should have basic networking knowledge and an understanding of the Open Systems Interconnection (OSI) reference model and the TCP/IP protocol suite. Objectives After successfully completing this course. Key topics within this course include security technologies such as security zones. Intended Audience The course content is aimed at operators of SRX Series devices. • Explain the purpose and mechanics of IP Security (IPsec) virtual private networks (VPNs). • Implement and monitor policy-based and route-based IPsec VPNs. intrusion detection and prevention (IDP). and monitor high availability chassis clusters.9. you should be able to perform the following: • Describe traditional routing and security and the current trends in internetworking. configure. and high availability clusters. • Describe. • Explain. configuration. • Describe the logical packet flow and session creation performed by SRX Series devices. in which you configure and monitor the Junos operating system using SRX Series devices. • Configure and monitor SCREEN options to prevent network attacks. • Describe. as well as details pertaining to basic implementation. and monitor NAT. configure. and monitor zones. and monitor security policies. • Utilize and update the IDP signature database. and implementation of SRX Series Services Gateways in a typical network environment. • Describe. configure. and reseller support personnel. Students should also attend the Introduction to the Junos Operating System (IJOS) course and the Junos Routing Essentials (JRE) course. • Describe. as implemented on Junos security platforms.

net .juniper.Course Agenda Day 1 Chapter 1: Course Introduction Chapter 2: Introduction to Junos Security Chapter 3: Zones Lab 1: Configuring and Monitoring Zones Chapter 4: Security Policies Lab 2: Security Policies Day 2 Chapter 5: Firewall User Authentication Lab 3: Configuring Firewall Authentication Chapter 6: Screen Options Lab 4: Implementing Screen Options Chapter 7: Network Address Translation Lab 5: Network Address Translation Day 3 Chapter 8: IPsec VPNs Lab 6: Implementing IPsec VPNs Chapter 9: Introduction to Intrusion Detection and Prevention Lab 7: Implementing IDP Chapter 10: High Availability Clustering Theory Chapter 11: High Availability Clustering Implementation Lab 8: Implementing High Availability Techniques Appendix A: SRX Series Hardware and Interfaces vi • Course Agenda www.

Physical interface:fxp0. and type config.juniper. [email protected]_Jose> show route GUI Input Select File > Save. is the user’s discretion and text ping 10. Most of what you read in the Lab Guide and Student Guide.conf in the Filename text box. Note that these styles can be combined with the input style as well. Courier New Console text: commit complete • Screen captures • Noncommand-related Exiting configuration mode syntax GUI text elements: Select File > Open. must input. CLI Input Text that you must enter. GUI Variable Click my-peers in the dialog. CLI Undefined Text where the variable’s value Type set policy policy-name. To make the language of these documents easier to read.ini in the Filename field. Style Description Usage Example CLI Variable Text where variable value is policy my-peers already assigned. • Text field entry Input Text Versus Output Text You will also frequently see cases where you must enter input text yourself.x. and it also distinguishes between syntax variables where the value is already assigned (defined variables) and syntax variables where you must assign the value (undefined variables). Often these instances will be shown in the context of where you must enter them. Style Description Usage Example Franklin Gothic Normal text. Defined and Undefined Syntax Variables Finally. We use bold style to distinguish text that is input versus text that is simply displayed. Enabled Normal GUI View configuration history by clicking Configuration > History. Style Description Usage Example Normal CLI No distinguishing variant. and type differ from the value the user filename in the Filename field. we refer to text that appears in a command-line interface (CLI) or a graphical user interface (GUI).0. and then click • Menu names Configuration. this course distinguishes between regular text and syntax variables.y where the variable’s value as GUI Undefined shown in the lab guide might Select File > Save. www. we distinguish GUI and CLI text from chapter text according to the following table.net Document Conventions • vii .Document Conventions CLI and GUI Text Frequently throughout this course.

net/training/education/.juniper. Technical Publications You can print technical manuals and release notes directly from the Internet in a variety of formats: • Go to http://www. Juniper Networks Support For technical support.Additional Information Education Services Offerings You can obtain information on the latest Education Services offerings.juniper. contact Juniper Networks at http://www.juniper. This document is written and maintained by the Juniper Networks Education Services development team. About This Publication The Junos Security Detailed Lab Guide was developed and tested using software Release 12.9.juniper.1R1. course dates. • Locate the specific software or hardware release and title you need. or at 1-888-314-JTAC (within the United States) or 408-745-2121 (from outside the United States).net/customers/support/. Please send questions and suggestions for improvement to [email protected] .net. and class locations from the World Wide Web by pointing your Web browser to: http://www. and choose the format in which you want to view or print the document. Documentation sets and CDs are available through your local Juniper Networks sales office or account representative. Previous and later versions of software might behave differently so you should always consult the documentation and release notes for the version of code you are running before reporting errors.net/techpubs/. viii • Additional Information www.

Lab 1 Configuring and Monitoring Zones (Detailed) Overview In this lab. you will perform the following tasks: • Use the Junos operating system CLI to setup a baseline network. The lab is available in two formats: a high-level format designed to make you think through each step and a detailed format that offers step-by-step instructions complete with sample output from most commands. • Implement routing so that all networks are reachable. www. you will configure a baseline network for your pod. By completing this lab.net Configuring and Monitoring Zones (Detailed) • Lab 1–1 12.12.1R1. The lab is also designed for modularity. and assigning interfaces to zones. where you might be directed to load a starting configuration at the beginning of each lab part. routing. there is no need to load the starting configuration for each lab part. including interface addressing. • Monitor the effects of your configuration.9 .juniper. If you are completing the lab from start to finish. • Assign interfaces to security zones.a.

or SSH as directed by your instructor. Telnet. which uses 10. Note Depending on the class.juniper. Check with your instructor if you are not certain. The instructor will inform you as to the nature of your access and will provide you the details needed to access your assigned device. Step 1. Step 1. you will use the CLI to log in to your team’s designated station. Lab 1–2 • Configuring and Monitoring Zones (Detailed) www.2 Access the command-line interface (CLI) at your station using either the console.Junos Security Part 1: Logging In Using the CLI In this lab part. Question: What is the management address assigned to your student router? Answer: The answer varies.35. The actual management address varies between delivery environments. you become familiar with the access details used to access the lab equipment. Once you are familiar with the access details.net . The sample hostname and IP address used in the output examples in this lab are for srxA-1. Consult the Management Network Diagram to determine the management address of your student device.131 as its management IP address. the lab equipment used might be remote from your physical location.1 Ensure that you know to which student device you have been assigned.210.

and that you must reboot the SRX device. srxA-1 (ttyu0) login: lab Password: --. Commit the configuration when complete. Enter configuration mode and load the lab1-start. [edit] [email protected]# show security forwarding-options { family { mpls { mode packet-based. reboot your assigned SRX device and log back in as user lab once the device finishes rebooting.net Configuring and Monitoring Zones (Detailed) • Lab 1–3 .1R1.juniper.config from the /var/home/lab/jsec/ directory. Junos Security Step 1.9 built 2012-03-24 12:12:49 UTC [email protected]> configure Entering configuration mode [edit] [email protected]# load override jsec/lab1-start.config load complete [edit] [email protected]# commit commit complete [edit] [email protected]# Note You might receive a warning message upon committing that you have changed to MPLS flow mode. } } } www. If you receive this warning.4 View the current configuration of your assigned device.JUNOS 12.3 Log in as user lab with the password lab123. Step 1.

juniper. Question: What do you notice about the security policy that is set up on your device? Answer: As indicated by the output from srxA-1.7 Configure the ge-0/0/4 interface. Refer to the VLAN assignments listed on the network diagram for Labs 1–7. Refer to the lab diagram for the appropriate IP address. Each logical unit number should match its associated VLAN-ID.Junos Security Question: Are any security zones currently configured on your assigned device? Answer: As shown in the output. Configure the IP address for the ge-0/0/3 interface. Note that the third octet of the IP address should also match the logical unit’s associated VLAN-ID. no zone currently exists in the configuration.6 Configure the lo0 loopback interface IP address.5 Navigate to the [edit interfaces] hierarchy. Refer to the lab diagram for the IP address assigned to your device. Enable VLAN-tagging and configure two logical units. [edit interfaces] [email protected]# set lo0 unit 0 family inet address local-loopback-address Step 1. currently the device is in packet-based mode that disables the flow-based security feature of Junos. [edit interfaces] [email protected]# set ge-0/0/4 vlan-tagging [edit interfaces] [email protected]# set ge-0/0/4 unit local-Juniper-unit vlan-id local-Juniper-VLAN Lab 1–4 • Configuring and Monitoring Zones (Detailed) www.net . [edit] [email protected]# edit interfaces [edit interfaces] [email protected]# set ge-0/0/3 unit 0 family inet address local-Internet-interface/ mask [edit interfaces] [email protected]# Step 1. Assign the IP address shown on the lab diagram. Step 1.

juniper.8 Configure a static default route that points to the IP address associated with the remote end of the ge-0/0/3 interface for your device. Commit the configuration and return to operational mode. www. Junos Security [edit interfaces] [email protected]# set ge-0/0/4 unit local-Juniper-unit family inet address local-Juniper-interface/mask [edit interfaces] [email protected]# set ge-0/0/4 unit local-ACME-unit vlan-id local-ACME-VLAN [edit interfaces] [email protected]# set ge-0/0/4 unit local-ACME-unit family inet address local-ACME-interface/mask Question: Which VLAN-IDs are associated with your assigned device? Answer: The answer varies.net Configuring and Monitoring Zones (Detailed) • Lab 1–5 . The VLAN-IDs associated with srxA-1 are 101 and 201. Step 1. [edit interfaces] [email protected]# up [edit] [email protected]# edit routing-options [edit routing-options] [email protected]# set static route 0/0 next-hop remote-Internet-address [edit routing-options] [email protected]# commit and-quit commit complete Exiting configuration mode [email protected]> STOP Ensure that the remote student team within your pod has finished Part 2 before continuing.

1 Enter configuration mode.20.0.0.18.1.16 128. or go to the top of the configuration hierarchy if you are already in configuration mode.101 up up inet 172.0.2 Check the status of your configured interfaces using the run show interfaces terse command.1.1 --> 10.32767 up up ge-0/0/5 up down ge-0/0/6 up up ge-0/0/7 up up ge-0/0/8 up up ge-0/0/9 up up ge-0/0/10 up up ge-0/0/11 up up ge-0/0/12 up down ge-0/0/13 up down ge-0/0/14 up up Lab 1–6 • Configuring and Monitoring Zones (Detailed) www. [edit] [email protected]# load override jsec/lab1-part2-start.0.20.1 --> 128.juniper.131/26 gr-0/0/0 up up ip-0/0/0 up up lsq-0/0/0 up up lt-0/0/0 up up mt-0/0/0 up up sp-0/0/0 up up sp-0/0/0.0 up up inet 10.201.16 10.210.16383 up up inet 10.net .1/24 ge-0/0/4.0. and load the lab1-part2-start. [edit] [email protected]# run show interfaces terse |no-more Interface Admin Link Proto Local Remote ge-0/0/0 up up ge-0/0/0.0.101.config load complete [edit] [email protected]# commit commit complete Step 2. Step 2.6 --> 0/0 ge-0/0/1 up up ge-0/0/2 up up ge-0/0/3 up up ge-0/0/3.0. Commit the configuration when complete.config from the /var/home/lab/jsec/ directory.6 --> 0/0 128.2/30 ge-0/0/4 up up ge-0/0/4.0 up up inet sp-0/0/0.0.0.0 up up inet 172. you verify network connectivity within your pod.0.1/24 ge-0/0/4.0.Junos Security Part 2: Verifying Network Connectivity In this lab part.201 up up inet 172.35.

[edit] [email protected]# run ping remote-srx-Internet-address rapid www.0.0.net Configuring and Monitoring Zones (Detailed) • Lab 1–7 .1 --> 0/0 lo0.16385 up up inet 10.1. Step 2.1 --> 0/0 128. Question: What is the status of your management interface? (Refer to the Management Network Diagram as needed.32768 up up lsi up up mtun up up pimd up up pime up up pp0 up up ppd0 up up ppe0 up up st0 up up tap up up vlan up up Question: What is the administrative status and link status of your configured interfaces? Answer: As shown in the output taken from srxA-1.0.4 --> 0/0 128.3 Verify reachability to the remote peer in your pod across the Internet using the ping command.16384 up up inet 127.1.168.) Answer: The management interface is ge-0/0/0.16 --> 0/0 lo0.0.0 and should also indicate an administrative status and link status of up. the administrative status and link status of the configured interfaces should all indicate a status of up.1 --> 0/0 lo0.0. Junos Security ge-0/0/15 up up fxp2 up up fxp2.0.0.0 up up tnp 0x1 gre up up ipip up up irb up up lo0 up up lo0.0.0.16 --> 0/0 128.juniper.0.1 --> 0/0 10.0.0 up up inet 192.

438/0. Note The next lab steps require you to log in to the virtual router attached to your team’s device.2): 56 data bytes !!!!! --.973/2.172. Open a separate Telnet session to the virtual router attached to your team device.169/2. double-check your configuration and notify your instructor.net . you only need to establish a single session. Although you have two virtual routers attached to your student device.2. The virtual routers are logical devices created on a J Series Services Router.Junos Security PING 172. 0% packet loss round-trip min/avg/max/stddev = 1.2.156 ms Question: Was the ping to your remote peer successful? Answer: As indicated by the output from srxA-1. If the ping is not successful.18. 5 packets received.2 (172. the ping should be successful. Refer to the Management Network Diagram for the IP address of the vr-device. Lab 1–8 • Configuring and Monitoring Zones (Detailed) www. .2.18.juniper.18.2 ping statistics --- 5 packets transmitted.

Please only configure your own virtual router.net Configuring and Monitoring Zones (Detailed) • Lab 1–9 .20. You must use 'configure private' to configure this router.10 ping statistics --- 5 packets transmitted.5 From the Telnet session established with the virtual router. [email protected]> Step 2.202.4R1.10): 56 data bytes !!!!! --.10 (172. Junos Security Step 2.JUNOS 11.20. please reference the detailed lab guide for sample command syntax for the individual verification tasks performed within this lab.juniper. verify reachability to the remote virtual routers connected to the device of your peers using the ping command. 0% packet loss www.6 built 2011-11-15 11:28:05 UTC NOTE: This router is divided into many virtual routers used by different teams. 5 packets received. Note Keep in mind that when working with virtual routers and routing instances. If needed.20. command syntax is different. Be sure to source your ping from the correct virtual-router routing instance.4 Log in to the virtual router using the login information shown in the following table: Virtual Router Login Details Student Device Username Password srxA-1 a1 lab123 srxA-2 a2 lab123 srxB-1 b1 lab123 srxB-2 b2 lab123 srxC-1 c1 lab123 srxC-2 c2 lab123 srxD-1 d1 lab123 srxD-2 d2 lab123 vr-device (ttyd0) login: username Password: --.172.202.202. [email protected]> ping remote-ACME-VR routing-instance local-ACME-VR rapid PING 172.

0% packet loss round-trip min/avg/max/stddev = 3. or go to the top of the configuration hierarchy if you are already in configuration mode.net .202.juniper.202.521/14.102. you remove the current zone configuration and reassign your device interfaces to various security and functional zones.806/0.350/27.826 ms [email protected]> ping remote-Juniper-VR routing-instance local-Juniper-VR rapid PING 172.171/0.671 ms Question: Were the pings between remote virtual-routers successful? Answer: As indicated by the output from user a1.10 ping statistics --- 5 packets transmitted.449 ms [email protected]> ping remote-Juniper-VR routing-instance local-ACME-VR rapid PING 172.20.10 (172.958/25. and load the lab1-part3-start.551/5. If the pings are not successful.20. Part 3: Configuring Zones In this lab part.20.102.172.20. 5 packets received.102.051/4.039/8. 5 packets received.10): 56 data bytes !!!!! --.config load complete [edit] [email protected]# commit commit complete Lab 1–10 • Configuring and Monitoring Zones (Detailed) www.20. 5 packets received. Step 3.10 (172. double-check your configuration and notify your instructor.config from the /var/home/lab/jsec/ directory.568 ms [email protected]> ping remote-ACME-VR routing-instance local-Juniper-VR rapid PING 172.10 (172.20.102.20. 0% packet loss round-trip min/avg/max/stddev = 4.559/4.032/7. 0% packet loss round-trip min/avg/max/stddev = 3. [edit] [email protected]# load override jsec/lab1-part3-start.952/6.202.1 Enter configuration mode.10): 56 data bytes !!!!! --.Junos Security round-trip min/avg/max/stddev = 10.172.042/3.10 ping statistics --- 5 packets transmitted.102.20.102.172.10 ping statistics --- 5 packets transmitted. the pings should be successful.10): 56 data bytes !!!!! --.20. Commit the configuration when complete.

[edit security] [email protected]# show forwarding-options { family { mpls { mode packet-based. [edit] [email protected]# edit security [edit security] [email protected]# Step 3. Question: Should a user be able to telnet to your assigned device? Why or why not? Answer: The configuration allows telnet to each device. Junos Security Step 3. No policies exist that deny traffic.2 Navigate to the [edit security] configuration hierarchy. Question: Which configured functional zones are on your assigned device and which interfaces are associated with the configured functional zones? Answer: As indicated by the output.net Configuring and Monitoring Zones (Detailed) • Lab 1–11 .3 View the [edit security] configuration stanza and answer the questions that follow. www. and telnet is also enabled under the [edit system services] hierarchy. } } } Question: Which configured security zones are on your assigned device and which interfaces are associated with the configured security zones? Answer: As indicated by the output from srxA-1. currently no security zones are configured. the configuration has no functional zones.juniper.

juniper. } } } Step 3. configure a functional zone and associate it with your device’s management interface. Be sure to configure only the security zones associated with your assigned device.no] (no) yes [edit security] [email protected]# show Step 3. [edit security] [email protected]# delete Delete everything under this level? [yes.101.5 Refer to the lab diagram and configure the untrust security zone. as well as your local Juniper and ACME security zones.Junos Security Step 3. [edit security] [email protected]# set zones functional-zone ? Possible completions: Lab 1–12 • Configuring and Monitoring Zones (Detailed) www.201.6 Next. } } security-zone ACME-SV { interfaces { ge-0/0/4. [edit security] [email protected]# set zones security-zone Juniper-local interfaces ge-0/0/4.4 Delete the current security policy. Add the appropriate network interfaces under each security zone.0 [edit security] [email protected]# show zones { security-zone Juniper-SV { interfaces { ge-0/0/4.local-ACME-unit [edit security] [email protected]# set zones security-zone untrust interfaces ge-0/0/3.0.net . You will create a new policy in the next few steps. as labeled on the lab diagram. } } security-zone untrust { interfaces { ge-0/0/3.local-Juniper-unit [edit security] [email protected]# set zones security-zone ACME-local interfaces ge-0/0/4.

snmp. Step 3.0 Question: What name did you assign to the functional zone of your device? Why? Answer: Each student should assign a functional zone name of management. ping. traceroute. traceroute.net Configuring and Monitoring Zones (Detailed) • Lab 1–13 . [edit security] [email protected]# edit zones functional-zone management [edit security zones functional-zone management] [email protected]# set host-inbound-traffic system-services ssh [edit security zones functional-zone management] [email protected]# set host-inbound-traffic system-services telnet [edit security zones functional-zone management] [email protected]# set host-inbound-traffic system-services ping [edit security zones functional-zone management] [email protected]# set host-inbound-traffic system-services traceroute [edit security zones functional-zone management] [email protected]# set host-inbound-traffic system-services http [edit security zones functional-zone management] [email protected]# set host-inbound-traffic system-services snmp [edit security zones functional-zone management] [email protected]# show interfaces { ge-0/0/0. Junos Security > management Host for out of band management interfaces [edit security] [email protected]# set zones functional-zone management interfaces ge-0/0/0.juniper. telnet.0. the Junos OS predefines this name. telnet. www.7 Configure the functional zone so that it allows SSH. management is the only name the Junos OS allows for a functional zone. ping. HTTP. and SNMP local inbound traffic. As shown in the output. http. } host-inbound-traffic { system-services { ssh.

what would be the quickest method? Answer: You could use the system-services all and the system-services telnet except configuration statements to achieve this task with the most efficiency. [edit security zones functional-zone management] [email protected]# commit and-quit commit complete Exiting configuration mode [email protected]> Part 4: Monitoring and Verifying the Configuration In this lab part.net .config load complete [edit] [email protected]# commit and-quit commit complete Exiting configuration mode [email protected]> Step 4. you use show commands to monitor the zones you just created.1 Enter configuration mode.juniper. Commit the configuration when complete. or go to the top of the configuration hierarchy if you are already in configuration mode.8 Commit your configuration and exit configuration mode.Junos Security } } [edit security zones functional-zone management] [email protected]# Question: If you needed to allow all services but telnet using the host-inbound-traffic statement. Step 4. You will also test host inbound traffic. and load the lab1-part4-start.config from the /var/home/lab/jsec/ directory.2 Issue the show security zones command and answer the following questions. [edit] [email protected]# load override jsec/lab1-part4-start. Step 3. Lab 1–14 • Configuring and Monitoring Zones (Detailed) www.

0 Security zone: ACME-SV Send reset for non-SYN session TCP packets: Off Policy configurable: Yes Interfaces bound: 1 Interfaces: ge-0/0/4. Junos Security [email protected]> show security zones Functional zone: management Policy configurable: No Interfaces bound: 1 Interfaces: ge-0/0/0. used for secure self traffic.juniper. An additional security zone named junos-host. www. Question: What differences do you notice in the output for the management zone? Answer: The output lists the management zone as a functional zone and security policy is not configurable for the management zone. appears in the list.201 Security zone: Juniper-SV Send reset for non-SYN session TCP packets: Off Policy configurable: Yes Interfaces bound: 1 Interfaces: ge-0/0/4.net Configuring and Monitoring Zones (Detailed) • Lab 1–15 .0 Security zone: junos-host Send reset for non-SYN session TCP packets: Off Policy configurable: Yes Interfaces bound: 0 Interfaces: Question: Does the output list the zones and associated interfaces you configured? Answer: The answer should be yes.101 Security zone: untrust Send reset for non-SYN session TCP packets: Off Policy configurable: Yes Interfaces bound: 1 Interfaces: ge-0/0/3.

[email protected]> show interfaces ge-0/0/0 extensive Physical interface: ge-0/0/0. Enabled. Collisions: 0. Generation: 137 Description: MGMT Interface . L3 incompletes: 0. Hardware address: 00:26:88:e1:54:80 Last flapped : 2012-06-12 15:17:15 UTC (01:08:46 ago) Statistics last cleared: Never Traffic statistics: Input bytes : 297963 536 bps Output bytes : 0 0 bps Input packets: 2219 0 pps Output packets: 0 0 pps Input errors: Errors: 0. Down 0 ms Current address: 00:26:88:e1:54:80. SNMP ifIndex: 507. Flow control: Enabled. Auto-negotiation: Enabled. Drops: 0. Resource errors: 0 Egress queues: 8 supported.net . Source filtering: Disabled. Resource errors: 0 Output errors: Carrier transitions: 1. Errors: 0. HS link CRC errors: 0.3 Issue the show interfaces ge-0/0/0 extensive command to view detailed information regarding management interface of your device. Drops: 0. MAC-REWRITE Error: None.Junos Security Step 4. Runts: 0. L2 mismatch timeouts: 0. 4 in use Queue counters: Queued packets Transmitted packets Dropped packets 0 best-effort 0 0 0 1 expedited-fo 0 0 0 2 assured-forw 0 0 0 3 network-cont 0 0 0 Queue number: Mapped forwarding classes 0 best-effort 1 expedited-forwarding 2 assured-forwarding 3 network-control Active alarms : None Active defects : None MAC statistics: Receive Transmit Total octets 309903 0 Total packets 2256 0 Unicast packets 37 0 Broadcast packets 50 0 Multicast packets 2169 0 CRC/Align errors 0 0 FIFO errors 0 0 MAC control frames 0 0 MAC pause frames 0 0 Lab 1–16 • Configuring and Monitoring Zones (Detailed) www. FIFO errors: 0. Physical link is Up Interface index: 134. Speed: 1000mbps. L2 channel errors: 0. FIFO errors: 0. BPDU Error: None. Link-mode: Full-duplex. Policed discards: 0. Loopback: Disabled.DO NOT DELETE Link-level type: Ethernet. Framing errors: 0.juniper. Remote fault: Online Device flags : Present Running Interface flags: SNMP-Traps Internal: 0x0 Link flags : None CoS queues : 8 supported. 8 maximum usable queues Hold-times : Up 0 ms. Aged packets: 0. MTU: 1514. MTU errors: 0.

Remote fault: Link OK Packet Forwarding Engine configuration: Destination slot: 0 CoS information: Direction : Output CoS transmit queue Bandwidth Buffer Priority Limit % bps % usec 0 best-effort 95 950000000 95 0 low none 3 network-control 5 50000000 5 0 low none Interface transmit statistics: Disabled Logical interface ge-0/0/0.juniper. Link partner Speed: 1000 Mbps Local resolution: Flow control: None. CAM source filters: 0 Autonegotiation information: Negotiation status: Complete Link partner: Link mode: Full-duplex. Junos Security Oversized frames 0 Jabber frames 0 Fragment frames 0 VLAN tagged frames 0 Code violations 0 Filter statistics: Input packet count 0 Input packet rejects 0 Input DA rejects 0 Input SA rejects 0 Output packet count 0 Output packet pad count 0 Output packet error count 0 CAM destination filters: 2.net Configuring and Monitoring Zones (Detailed) • Lab 1–17 . Remote fault: OK.0 (Index 69) (SNMP ifIndex 533) (Generation 134) Flags: SNMP-Traps 0x0 Encapsulation: ENET2 Traffic statistics: Input bytes : 297963 Output bytes : 0 Input packets: 2219 Output packets: 0 Local statistics: Input bytes : 297963 Output bytes : 0 Input packets: 2219 Output packets: 0 Transit statistics: Input bytes : 0 0 bps Output bytes : 0 0 bps Input packets: 0 0 pps Output packets: 0 0 pps Security: Zone: Management Allowed host-inbound traffic : http ping snmp ssh telnet traceroute Flow Statistics : Flow Input statistics : Self packets : 0 ICMP packets : 0 www. Flow control: None.

191.juniper.131.210. MTU: 1500.35.net .128/26. Route table: 0 Flags: Sendbcast-pkt-to-re. Is-Primary Addresses. allowed host inbound traffic. Local: 10.210.210.35. Generation: 148. Flags: Is-Preferred Is-Primary Destination: 10. Lab 1–18 • Configuring and Monitoring Zones (Detailed) www. Generation: 142 Question: What zone details are you able to ascertain with this output? Answer: The security portion of the output lists logical interface zone assignment.Junos Security VPN packets : 0 Multicast packets : 0 Bytes permitted by policy : 0 Connections established : 0 Flow Output statistics: Multicast packets : 0 Bytes permitted by policy : 0 Flow error statistics (Packets dropped due to): Address spoofing: 0 Authentication failed: 0 Incoming NAT errors: 0 Invalid zone received packet: 0 Multiple user authentications: 0 Multiple incoming NAT: 0 No parent for a gate: 0 No one interested in self packets: 0 No minor session: 0 No more sessions: 0 No NAT gate: 0 No route present: 0 No SA for incoming SPI: 0 No tunnel found: 0 No session for a gate: 0 No zone or NULL zone binding 0 Policy denied: 0 Security association not active: 0 TCP sequence number out of window: 0 Syn-attack protection: 0 User authentication errors: 0 Protocol inet.35. Broadcast: 10. and flow statistics.

If the telnet attempt is not successful. srxA-1 (ttyp0) login: ^C Question: Was the telnet attempt successful? Answer: As shown. www.4 Verify that you are able to telnet to the management IP address of your assigned device. Refer to the Management Network Diagram as needed. check your configuration and notify the instructor. the telnet attempt should succeed. Junos Security Step 4.net Configuring and Monitoring Zones (Detailed) • Lab 1–19 . STOP Tell your instructor that you have completed Lab 1.juniper.

Junos Security Lab 1–20 • Configuring and Monitoring Zones (Detailed) www.net .juniper.

• Implement security logging to a remote syslog server.net Security Policies (Detailed) • Lab 2–1 12.9 . The lab is available in two formats: a high-level format designed to make you think through each step and a detailed format that offers step-by-step instructions complete with sample output from most commands. If you are completing the lab from start to finish. By completing this lab. • Assign schedulers to security policies.juniper. you will implement security policies designed to allow only necessary traffic between zones within your pod. The lab is also designed for modularity. • Monitor the effects of your configuration. a scheduler.12. there is no need to load the starting configuration for each lab part. You will configure custom applications. you will perform the following tasks: • Define zone address books necessary for security policy. where you might be directed to load a starting configuration at the beginning of each lab part. Lab 2 Security Policies (Detailed) Overview In this lab. and security logging and monitor the effects of your changes. www.a.1R1. • Implement security policies between zones within your assigned pod.

Step 1. Note Depending on the class. The following example is based on simple Telnet access using the Secure CRT program. the lab equipment used might be remote from your physical location.2 Access the CLI at your station using either the console.juniper.Junos Security Part 1: Accessing Your Device and Monitoring the Default Policy In this lab part. Telnet.net . or SSH as directed by your instructor. you will load the starting configuration for Lab 2. Once you are familiar with the access details. Check with your instructor if you are not certain.1 Ensure that you know to which student device you have been assigned. you will use the CLI to log in to your designated station. Step 1. The instructor will inform you as to the nature of your access and will provide you the details needed to access your assigned device.135. Next. Consult the Management Network Diagram to determine the management address of your student device. Then.210. Lab 2–2 • Security Policies (Detailed) www. Question: What is the management address assigned to your station? Answer: The answer varies. Refer to the Management Network Diagram for the IP address associated with your workstation.14. in this example the user is assigned to the srxC-1 station. you will monitor the default policy configuration that denies all traffic between zones. which uses an IP address of 10. you become familiar with the access details used to access the lab equipment.

config from the /var/home/lab/jsec/ directory.9 built 2012-03-24 12:12:49 UTC [email protected]> configure Entering configuration mode [edit] [email protected]# load override jsec/lab2-start. www.3 Log in as user lab with the password lab123. Junos Security Step 1. srxC-1 (ttyu0) login: lab Password: --.config [edit] [email protected]# commit commit complete [edit] [email protected]# Note The next lab steps require you to log in to the virtual router attached to your team’s device. After you have finished loading the configuration. The virtual routers are logical devices created on a J Series Services Router.juniper. Enter configuration mode and load the lab2-start. Refer to the Management Network Diagram for the IP address of the vr-device. commit the changes and exit to operational mode.1R1.net Security Policies (Detailed) • Lab 2–3 .JUNOS 12.

JUNOS 11. You must use 'configure private' to configure this router.4 Open a separate Telnet session to the virtual router attached to your team device.7 built 2012-05-14 22:22:03 UTC NOTE: This router is divided into many virtual routers used by different teams. [email protected]> Lab 2–4 • Security Policies (Detailed) www.Junos Security Step 1.juniper. Step 1.5 Log in to the virtual router using the login information shown in the following table: Virtual Router Login Details Student Device Username Password srxA-1 a1 lab123 srxA-2 a2 lab123 srxB-1 b1 lab123 srxB-2 b2 lab123 srxC-1 c1 lab123 srxC-2 c2 lab123 srxD-1 d1 lab123 srxD-2 d2 lab123 login: c1 Password: --. Please only configure your own virtual router.net .4R3.

. 0 packets received.20. --. 0 packets received..206.172. Refer to the lab diagram as needed..10): 56 data bytes .206.. --.20. 100% packet loss [email protected]> ping remote-ACME-VR routing-instance local-Juniper-VR rapid PING 172. 0 packets received.10 (172. The default security policy action is to deny all transit traffic as shown in the following capture: [email protected]> show security policies Default policy: deny-all Part 2: Configuring Address Books In this lab part.106.20..106. the ping test should not succeed. Step 2.172.20.172.20.6 Attempt to ping the virtual routers attached to the remote student device within your pod.20.10 ping statistics --- 5 packets transmitted.206.10 ping statistics --- 5 packets transmitted.20.10 (172..206.20... www. 100% packet loss [email protected]> ping remote-ACME-VR routing-instance local-ACME-VR rapid PING 172. Junos Security Step 1.. [email protected]> ping remote-Juniper-VR routing-instance local-Juniper-VR rapid PING 172.10): 56 data bytes ..206..20.206. --.10 (172.10 (172. you configure the address book entries necessary for implementing security policies within your pod.20. 0 packets received.. Your assigned device has no configured security policy.106. 100% packet loss [email protected]> ping remote-Juniper-VR routing-instance local-ACME-VR rapid PING 172..106.net Security Policies (Detailed) • Lab 2–5 ..10): 56 data bytes .10 ping statistics --- 5 packets transmitted.172.10): 56 data bytes .106.juniper. --.1 Return to the Telnet session established with your assigned SRX device.106.. Ensure you source the ping from the appropriate routing instance.10 ping statistics --- 5 packets transmitted.20.. 100% packet loss Question: Did the ping test succeed? Why or why not? Answer: As demonstrated in the output.20.

0/24. Name this entry internet-host.2. address srxC-2 172.18.1/32 [edit security zones security-zone untrust] [email protected]# show address-book address vr108 172.20. [email protected]> configure Entering configuration mode [edit] [email protected]# edit security zones security-zone untrust [edit security zones security-zone untrust] [email protected]# set address-book address remote-Juniper-vrName remote-Juniper-subnet [edit security zones security-zone untrust] [email protected]# set address-book address remote-ACME-vrName remote-ACME-subnet [edit security zones security-zone untrust] [email protected]# show address-book address vr106 172.1/32. [edit security zones security-zone untrust] [email protected]# set address-book address remote-srx-name remote-srx-Internet-subnet [edit security zones security-zone untrust] [email protected]# show address-book address vr106 172. address internet-host 172. [edit security zones security-zone untrust] [email protected]# Step 2.15.20.31.0/24.2. address vr206 172.0/30.208.106.juniper.20.3 Add the Internet host’s address as an address book entry in the untrust zone.0/30.Junos Security From the Telnet session established with your assigned.20.0/24.20.108.31. Ensure you include the entire /24 network associated with each remote virtual router and name the address book entries after their associated virtual router names.18. address vr208 172. Step 2.0/24. address vr206 172.15.net .20.106. Configure this address entry to use the same name as the remote student device in your pod.2 Add the remote /30 network between the Internet and the remote student device in your pod to the untrust zone address book.108. enter configuration mode and configure the networks associated with the remote team’s virtual routers under the untrust zone as address book addresses. [edit security zones security-zone untrust] [email protected]# set address-book address internet-host 172. Lab 2–6 • Security Policies (Detailed) www.0/24. address srxC-2 172.0/24.108.

20. you will establish and configure security policies that enable the necessary traffic flow between the security zones. } [edit security zones] [email protected]# show security-zone ACME-local address-book { address vr205 172. [edit security zones security-zone untrust] [email protected]# up [edit security zones] [email protected]# set security-zone Juniper-local address-book address local-Juniper-vrName local-Juniper-subnet [edit security zones] [email protected]# set security-zone ACME-local address-book address local-ACME-vrName local-ACME-subnet [edit security zones] [email protected]# show security-zone Juniper-local address-book { address vr105 172. Note Pay close attention to the instructions throughout this lab.net Security Policies (Detailed) • Lab 2–7 .205.205.juniper. Some tasks might not be relevant to your assigned device. } interfaces { ge-0/0/4. } interfaces { ge-0/0/4. www.105. } [edit security zones] [email protected]# Do not proceed to the next lab part until directed by the instructor to do STOP so. Junos Security Step 2. Part 3: Configuring Security Policies In this lab part.0/24. Name these address book entries with the same name as their associated virtual routers. configure the /24 network addresses as address book entries within their respective zones.20.105.4 For the virtual routers attached to your assigned device.0/24.

application any. (Hint: Use the any keyword to save keystrokes.config [edit] [email protected]# commit commit complete [edit] [email protected]# Step 3. destination-address any.1 Enter configuration mode. Commit the configuration when complete.) [edit] [email protected]# edit security policies from-zone Juniper-local to-zone Juniper-local policy intrazone-Juniper-local [edit security policies from-zone Juniper-SV to-zone Juniper-SV policy intrazone-Juniper-SV] [email protected]# set match source-address any [edit security policies from-zone Juniper-SV to-zone Juniper-SV policy intrazone-Juniper-SV] [email protected]# set match destination-address any [edit security policies from-zone Juniper-SV to-zone Juniper-SV policy intrazone-Juniper-SV] [email protected]# set match application any [edit security policies from-zone Juniper-SV to-zone Juniper-SV policy intrazone-Juniper-SV] [email protected]# set then permit [edit security policies from-zone Juniper-SV to-zone Juniper-SV policy intrazone-Juniper-SV] [email protected]# show match { source-address any.2 Create security policies named intrazone-Juniper-local and intrazone-ACME-local that allows all intra-zone traffic associated with your attached virtual routers to pass through your assigned device. and load the lab2-part3-start.net .Junos Security Step 3. [edit security zones] [email protected]# top [edit] [email protected]# load override jsec/lab2-part3-start.juniper. } then { permit. or go to the top of the configuration hierarchy if you are already in configuration mode.config from the /var/home/lab/jsec/ directory. } Lab 2–8 • Security Policies (Detailed) www.

Junos Security [edit security policies from-zone Juniper-SV to-zone Juniper-SV policy intrazone-Juniper-SV] [email protected]# up 2 [edit security policies] [email protected]# edit from-zone ACME-local to-zone ACME-local policy intrazone-ACME-local [edit security policies from-zone ACME-SV to-zone ACME-SV policy intrazone-ACME-SV] [email protected]# set match source-address any [edit security policies from-zone ACME-SV to-zone ACME-SV policy intrazone-ACME-SV] [email protected]# set match destination-address any [edit security policies from-zone ACME-SV to-zone ACME-SV policy intrazone-ACME-SV] [email protected]# set match application any [edit security policies from-zone ACME-SV to-zone ACME-SV policy intrazone-ACME-SV] [email protected]# set then permit [edit security policies from-zone ACME-SV to-zone ACME-SV policy intrazone-ACME-SV] [email protected]# show match { source-address any. [edit security policies from-zone ACME-SV to-zone ACME-SV policy intrazone-ACME-SV] [email protected]# up 2 [edit security policies] [email protected]# edit from-zone Juniper-local to-zone untrust policy internet-Juniper-local www. } then { permit.juniper. application any. match on the appropriate source address using the associated virtual router address book entries. } [edit security policies from-zone ACME-SV to-zone ACME-SV policy intrazone-ACME-SV] [email protected]# Step 3.net Security Policies (Detailed) • Lab 2–9 . Name these policies internet-Juniper-local and internet-ACME-local. For this step.3 Configure security policies allowing all traffic from the virtual router zones to the untrust zone. destination-address any.

application any.Junos Security [edit security policies from-zone Juniper-SV to-zone untrust policy internet-Juniper-SV] [email protected]# set match source-address local-Juniper-vrName [edit security policies from-zone Juniper-SV to-zone untrust policy internet-Juniper-SV] [email protected]# set match destination-address any [edit security policies from-zone Juniper-SV to-zone untrust policy internet-Juniper-SV] [email protected]# set match application any [edit security policies from-zone Juniper-SV to-zone untrust policy internet-Juniper-SV] [email protected]# set then permit [edit security policies from-zone Juniper-SV to-zone untrust policy internet-Juniper-SV] [email protected]# show match { source-address vr105.net . } then { permit. } [edit security policies from-zone Juniper-SV to-zone untrust policy internet-Juniper-SV] [email protected]# up 2 [edit security policies] [email protected]# edit from-zone ACME-local to-zone untrust policy internet-ACME-local [edit security policies from-zone ACME-SV to-zone untrust policy internet-ACME-SV] [email protected]# set match source-address local-ACME-vrName [edit security policies from-zone ACME-SV to-zone untrust policy internet-ACME-SV] [email protected]# set match destination-address any [edit security policies from-zone ACME-SV to-zone untrust policy internet-ACME-SV] [email protected]# set match application any [edit security policies from-zone ACME-SV to-zone untrust policy internet-ACME-SV] [email protected]# set then permit [edit security policies from-zone ACME-SV to-zone untrust policy internet-ACME-SV] [email protected]# show Lab 2–10 • Security Policies (Detailed) www.juniper. destination-address any.

destination-address any. } www.net Security Policies (Detailed) • Lab 2–11 . application any. destination-address any.juniper. } [edit security policies from-zone ACME-SV to-zone untrust policy internet-ACME-SV] [email protected]# Step 3.4 Next define a security policy the rejects FTP connections sourced from the your local Juniper zone that are destined to the untrust zone. [edit security policies from-zone ACME-SV to-zone untrust policy internet-ACME-SV] [email protected]# up 2 [edit security policies] [email protected]# edit from-zone Juniper-local to-zone untrust policy deny-ftp-Juniper-local [edit security policies from-zone Juniper-SV to-zone untrust policy deny-ftp-Juniper-SV] [email protected]# set match source-address any [edit security policies from-zone Juniper-SV to-zone untrust policy deny-ftp-Juniper-SV] [email protected]# set match destination-address any [edit security policies from-zone Juniper-SV to-zone untrust policy deny-ftp-Juniper-SV] [email protected]# set match application junos-ftp [edit security policies from-zone Juniper-SV to-zone untrust policy deny-ftp-Juniper-SV] [email protected]# set then reject [edit security policies from-zone Juniper-SV to-zone untrust policy deny-ftp-Juniper-SV] [email protected]# show match { source-address any. Junos Security match { source-address vr205. } then { reject. } then { permit. application junos-ftp. Name this policy deny-ftp-Juniper-local.

1.Junos Security Step 3.7 Return to the Telnet session established with your assigned SRX device. Use the Ctrl+C key sequence to close the FTP connection.6 Return to the Telnet session established with the virtual router.31. } Lab 2–12 • Security Policies (Detailed) www.15. application any.15.31. attempt to open an FTP session to the remote Internet host located at 172.5 Commit the configuration.00LS) ready. the FTP session should succeed. Remember to source the FTP from the routing instance associated with the local Juniper zone. } then { permit. [edit security policies from-zone Juniper-SV to-zone untrust policy deny-ftp-Juniper-SV] [email protected]# up [edit security policies from-zone Juniper-SV to-zone untrust] [email protected]# show policy internet-Juniper-SV { match { source-address vr105.31.1.1 routing-instance local-Juniper-VR Connected to 172. reorder the policies so that the deny-ftp-Juniper-local policy appears in the list before the internet-Juniper-local policy.15. Although you configured a security policy explicitly rejecting this connection.15. 220 vr-device FTP server (Version 6. destination-address any.1:c1): ^C [email protected]> Question: Were you able to initiate an FTP session to the Internet host? Why or why not? Answer: As demonstrated in the output. [edit security policies from-zone Juniper-SV to-zone untrust policy deny-ftp-Juniper-SV] [email protected]# commit commit complete Step 3. From the Telnet session established with assigned SRX device. Step 3. [email protected]> ftp 172. From the Telnet session established with the virtual router.net .31. Commit your configuration.juniper. Name (172. policy ordering has effectively caused the device to ignore this policy.

application any. application junos-ftp. } then { permit. } } [edit security policies from-zone Juniper-SV to-zone untrust] [email protected]# commit commit complete [edit security policies from-zone Juniper-SV to-zone untrust] [email protected]# Step 3. } then { reject. destination-address any. From the Telnet session established with the virtual router.juniper. destination-address any.8 Return to the Telnet session established with the virtual router. } then { reject.net Security Policies (Detailed) • Lab 2–13 . Junos Security } policy deny-ftp-Juniper-SV { match { source-address any. destination-address any. (Note: Exit the FTP application by issuing the bye command. try the FTP connection again.) www. } } policy internet-Juniper-SV { match { source-address vr107. application junos-ftp. } } [edit security policies from-zone Juniper-SV to-zone untrust] [email protected]# insert policy deny-ftp-Juniper-local before policy internet-Juniper-local [edit security policies from-zone Juniper-SV to-zone untrust] [email protected]# show policy deny-ftp-Juniper-SV { match { source-address any.

please reference the Detailed Lab Guide for sample command syntax for the individual verification tasks performed within this lab.15.9 Return to the Telnet session established with your assigned SRX device. the FTP session does not succeed. 5 packets received.172.net . command syntax can differ. From the Telnet session established with assigned SRX device.15.1): 56 data bytes !!!!! --.31.Junos Security Note Keep in mind that when working with virtual routers and routing instances.962/47. The reordering of policies produces the expected behavior. If needed.159/17. 0% packet loss round-trip min/avg/max/stddev = 3.1 routing-instance local-Juniper-VR ftp: connect: Connection refused ftp> bye [email protected]> Question: Were you able to initiate an FTP session to the Internet host this time? Answer: As demonstrated in the output.1 ping statistics --- 5 packets transmitted. [edit security policies from-zone Juniper to-zone untrust] [email protected]# top [edit] [email protected]# edit applications application Juniper-gizmo [edit applications application Juniper-gizmo] [email protected]# set source-port 50000 Lab 2–14 • Security Policies (Detailed) www.15.080/12.juniper.31. [email protected]> ftp 172.31.15. create a custom application named Juniper-gizmo that uses UDP. re-check your configuration and notify your instructor. If the ping test fails.1 (172.1 routing-instance local-Juniper-VR rapid PING 172.112 ms Step 3. a ping to the Internet host should succeed.31.31.15. Question: Are you able to ping the Internet host? Answer: As demonstrated in the following output. a source port of 50000. [email protected]> ping 172. and a destination port of 50001.

you must reference the untrust zone when configuring the security policies. source-port 50000. junos-telnet. Because the Juniper zones are separated by the Internet. Name the policy Juniper-remote-to-Juniper-local. destination-port 50001. Step 3.10 Create an application set named internal-apps that includes the Juniper-gizmo. Do not use the any option in the configuration of this policy.11 Configure security policies that permit the internal-apps applications between your local Juniper security zone and the remote Juniper security zones. [edit applications application-set internal-apps] [email protected]# top [edit] [email protected]# edit security policies from-zone untrust to-zone Juniper-local www. where Juniper-remote matches the zone from which traffic is sourced and Juniper-local matches the zone to which the traffic is sent. application junos-telnet. application junos-ping. Junos Security [edit applications application Juniper-gizmo] [email protected]# set destination-port 50001 [edit applications application Juniper-gizmo] [email protected]# set protocol udp [edit applications application Juniper-gizmo] [email protected]# show protocol udp. [edit applications application Juniper-gizmo] [email protected]# Step 3.juniper. [edit applications application Juniper-gizmo] [email protected]# up [edit applications] [email protected]# edit application-set internal-apps [edit applications application-set internal-apps] [email protected]# set application Juniper-gizmo [edit applications application-set internal-apps] [email protected]# set application junos-telnet [edit applications application-set internal-apps] [email protected]# set application junos-ping [edit applications application-set internal-apps] [email protected]# show application Juniper-gizmo. and junos-ping applications.net Security Policies (Detailed) • Lab 2–15 .

Monday through Friday.m. Step 3.. } then { permit.juniper. The scheduler should allow traffic between the hours of 3 a. For each device you must configure one policy allowing the internal-apps to the appropriate zone from the untrust zone.12 Create a scheduler named internal-apps-scheduler. Apply the new scheduler to the Juniper-remote-to-Juniper-local security policy. [edit security policies from-zone untrust to-zone Juniper-SV] [email protected]# top Lab 2–16 • Security Policies (Detailed) www. application internal-apps. } } [edit security policies from-zone untrust to-zone Juniper-SV] [email protected]# Question: How many new policies must you define to allow internal-apps traffic bi-directionally? Answer: Both devices within your assigned pod already have policies defined allowing all internal traffic destined to the untrust zone (with the exception of FTP traffic).Junos Security [edit security policies from-zone untrust to-zone Juniper-SV] [email protected]# set policy Juniper-remote-to-Juniper-local match source-address remote-Juniper-vrName [edit security policies from-zone untrust to-zone Juniper-SV] [email protected]# set policy Juniper-remote-to-Juniper-local match destination-address local-Juniper-vrName [edit security policies from-zone untrust to-zone Juniper-SV] [email protected]# set policy Juniper-remote-to-Juniper-local match application internal-apps [edit security policies from-zone untrust to-zone Juniper-SV] [email protected]# set policy Juniper-remote-to-Juniper-local then permit [edit security policies from-zone untrust to-zone Juniper-SV] [email protected]# show policy Juniper-WF-to-Juniper-SV { match { source-address vr106.net .m. destination-address vr105. and 11 p.

} then { permit. saturday exclude. application internal-apps.juniper. destination-address vr107. [edit security policies from-zone untrust to-zone Juniper-SV] [email protected]# set policy Juniper-remote-to-Juniper-local then log session-init [edit security policies from-zone untrust to-zone Juniper-SV] [email protected]# set policy Juniper-remote-to-Juniper-local then log session-close www.net Security Policies (Detailed) • Lab 2–17 . } scheduler-name internal-apps-scheduler. [edit security policies from-zone untrust to-zone Juniper-SV] [email protected]# Step 3. Junos Security [edit] [email protected]# edit schedulers scheduler internal-apps-scheduler [edit schedulers scheduler internal-apps-scheduler] [email protected]# set daily start-time 03:00:00 stop-time 23:00:00 [edit schedulers scheduler internal-apps-scheduler] [email protected]# set saturday exclude [edit schedulers scheduler internal-apps-scheduler] [email protected]# set sunday exclude [edit schedulers scheduler internal-apps-scheduler] [email protected]# show daily { start-time 03:00:00 stop-time 23:00:00.13 Apply logging to session initiations and session closes in the Juniper-remote-to-Juniper-local policy. [edit schedulers scheduler internal-apps-scheduler] [email protected]# top [edit] [email protected]# edit security policies from-zone untrust to-zone Juniper-local [edit security policies from-zone untrust to-zone Juniper-SV] [email protected]# set policy Juniper-remote-to-Juniper-local scheduler-name internal-apps-scheduler [edit security policies from-zone untrust to-zone Juniper-SV] [email protected]# show policy Juniper-remote-to-Juniper-local match { source-address vr108. } sunday exclude.

If you receive an error. } Step 3. destination-address vr107. re-check your configuration steps and involve your instructor as needed. Commit the configuration when complete. Part 4: Monitoring Security Policies In this lab part. you monitor the results of your configuration with command outputs and logging.juniper. and load the lab2-part4-start.1 Enter configuration mode. the commit should succeed.14 Commit the configuration and return to operational mode. Lab 2–18 • Security Policies (Detailed) www.config from the /var/home/lab/jsec/ directory. [edit security policies from-zone untrust to-zone Juniper-SV] [email protected]# commit and-quit commit complete Exiting configuration mode [email protected]> Question: Does the commit operation succeed? Answer: As demonstrated in the output. } } scheduler-name internal-apps-scheduler. Step 4. or go to the top of the configuration hierarchy if you are already in configuration mode. application internal-apps.Junos Security [edit security policies from-zone untrust to-zone Juniper-SV] [email protected]# show policy Juniper-WF-to-Juniper-SV { match { source-address vr108. session-close. } then { permit. STOP Do NOT continue to the next lab part until both teams within your assigned pod have reached this point.net . log { session-init.

State: enabled.net Security Policies (Detailed) • Lab 2–19 . Index: 5. Index: 6. Scope Policy: 0. State: enabled. Index: 7. [email protected]> show security policies Default policy: deny-all From zone: Juniper-SV. State: enabled. Sequence number: 2 Source addresses: vr105 Destination addresses: any Applications: any Action: permit From zone: ACME-SV. Scope Policy: 0. Index: 8. State: enabled. Sequence number: 1 Source addresses: any Destination addresses: any Applications: junos-ftp Action: reject Policy: internet-Juniper-SV.2 View the security policies in effect on your assigned device by issuing the show security policies command and answer the following questions. State: enabled. Sequence number: 1 Source addresses: vr205 Destination addresses: any Applications: any Action: permit From zone: untrust. To zone: ACME-SV Policy: intrazone-ACME-SV. Sequence number: 1 Source addresses: any Destination addresses: any Applications: any Action: permit From zone: Juniper-SV. Junos Security [email protected]> configure Entering configuration mode [edit] [email protected]# load override jsec/lab2-part4-start.juniper. Sequence number: 1 Source addresses: any Destination addresses: any Applications: any Action: permit From zone: ACME-SV. To zone: Juniper-SV Policy: interazone-Juniper-SV. Scope Policy: 0.config [edit] [email protected]# commit commit complete [edit] [email protected]# Step 4. Index: 4. To zone: untrust Policy: internet-ACME-SV. Scope Policy: 0. Scope Policy: 0. To zone: Juniper-SV www. To zone: untrust Policy: deny-ftp-Juniper-SV.

0.0/0 any-ipv6: ::/0 Lab 2–20 • Security Policies (Detailed) www.0. To zone: Juniper-SV Source addresses: any-ipv4: 0. review your configuration steps. Sequence number: 1 Source addresses: vr106 Destination addresses: vr105 Applications: internal-apps Action: permit.Junos Security Policy: Juniper-SV-to-Juniper-WF.0. log. Scope Policy: 0. Index: 4.juniper. Question: What command can you use to view more detailed information about security policies such as the address book prefixes and application port information? Answer: Use the same command with the detail option to view a more verbose output: [email protected]> show security policies ? Possible completions: <[Enter]> Execute this command application-firewall Show the information of application-firewall count Number of policies to show (1...65535) detail Show the detailed information from-zone Show the policy information matching the given source zone global Show the policy information of global policies hit-count Show the hit count of policies policy-name Show the policy information matching the given policy name start Show the policies from a given position (1.0. Scope Policy: 0 Policy Type: Configured Sequence number: 1 From zone: Juniper-SV.65535) to-zone Show the policy information matching the given destination zone zone-context Show the count of policies in each context (from-zone and to-zone) | Pipe through a command [email protected]> show security policies detail Default policy: deny-all Policy: interazone-Juniper-SV. State: enabled. Index: 9.net . State: disabled. If you do not see six enabled security policies. scheduled Question: What is the total number of active security policies on your assigned device? Answer: You should see a total of six enabled security policies. action-type: permit.0/0 any-ipv6: ::/0 Destination addresses: any-ipv4: 0.

State: enabled. Inactivity timeout: 0 Source port range: [0-0] Destination port range: [0-0] Per policy TCP Options: SYN check: No.0.0.0.0/24 Destination addresses: any-ipv4: 0. Scope Policy: 0 Policy Type: Configured Sequence number: 1 From zone: Juniper-SV.0/0 any-ipv6: ::/0 Destination addresses: any-ipv4: 0. Inactivity timeout: 0 Source port range: [0-0] Destination port range: [0-0] Per policy TCP Options: SYN check: No. action-type: permit. ALG: 0. Scope Policy: 0 Policy Type: Configured Sequence number: 1 From zone: ACME-SV.0/0 any-ipv6: ::/0 Application: any IP protocol: 0.0/0 any-ipv6: ::/0 Application: junos-ftp IP protocol: tcp. Scope Policy: 0 Policy Type: Configured www. SEQ check: No Policy: internet-Juniper-SV. Index: 6.105. Index: 8.20. Scope Policy: 0 Policy Type: Configured Sequence number: 2 From zone: Juniper-SV. SEQ check: No Policy: internet-ACME-SV.0/0 any-ipv6: ::/0 Application: any IP protocol: 0.0. Inactivity timeout: 0 Source port range: [0-0] Destination port range: [0-0] Per policy TCP Options: SYN check: No. State: enabled. ALG: ftp. Inactivity timeout: 1800 Source port range: [0-0] Destination port range: [21-21] Per policy TCP Options: SYN check: No. ALG: 0. action-type: permit. Index: 5. ALG: 0. State: enabled. action-type: reject. State: enabled.0. Index: 7. SEQ check: No Policy: deny-ftp-Juniper-SV.0/0 any-ipv6: ::/0 Destination addresses: any-ipv4: 0.0. To zone: ACME-SV Source addresses: any-ipv4: 0. To zone: untrust Source addresses: any-ipv4: 0.0. To zone: untrust Source addresses: vr105: 172.0.0.juniper.0. Junos Security Application: any IP protocol: 0.net Security Policies (Detailed) • Lab 2–21 . SEQ check: No Policy: intrazone-ACME-SV. action-type: permit.

0. Inactivity timeout: 60 ICMP Information: type=255. Inactivity timeout: 60 Source port range: [50000-50000] Destination port range: [50001-50001] IP protocol: tcp.205. SEQ check: No Policy: Juniper-SV-to-Juniper-WF. Inactivity timeout: 0 Source port range: [0-0] Destination port range: [0-0] Per policy TCP Options: SYN check: No. To zone: untrust Source addresses: vr205: 172. ALG: 0. ALG: 0.juniper.20. State: active Next deactivation: Mon Jun 11 23:00:00 2012 Question: Is the scheduler you configured in an active state? Answer: As illustrated by the output from srxC-1. code=0 Per policy TCP Options: SYN check: No. If the scheduler is not currently active. [email protected]> show schedulers Scheduler name: internal-apps-scheduler. Scope Policy: 0 Policy Type: Configured Sequence number: 1 From zone: untrust.0/0 any-ipv6: ::/0 Application: any IP protocol: 0.net . action-type: permit.0/24 Application: internal-apps IP protocol: udp.0. at-close Scheduler name: internal-apps-scheduler Step 4. To zone: Juniper-SV Source addresses: vr106: 172.106.3 Issue the show schedulers command and answer the following questions. State: disabled. Lab 2–22 • Security Policies (Detailed) www. SEQ check: No Session log: at-create. Inactivity timeout: 1800 Source port range: [0-0] Destination port range: [23-23] IP protocol: 1. ALG: 0.0/24 Destination addresses: vr105: 172.20.20.0/24 Destination addresses: any-ipv4: 0. check the time settings on your assigned device. the scheduler should be in an active state. Index: 9.Junos Security Sequence number: 1 From zone: ACME-SV. ALG: 0.105.

2/55672 --> 208. Bytes: 0 www. At this time.20.106. vr-device(ttyp0) login: username Password: --.JUNOS 11..106. any policies associated with this scheduler also deactivate Step 4.105.juniper.170/9020 --> 172.170/9020. Connected to 172. [email protected]> show security flow session Session ID: 24149.87.20. Pkts: 27.105.0. Please only configure your own virtual router. issue the show security flow session command. Bytes: 132 Out: 208.233. If: ge-0/0/3. [email protected]> telnet remote-Juniper-VR routing-instance local-Juniper-VR Trying 172. Policy name: Juniper-SV-to-Juniper-WF/9.20.233..10.net Security Policies (Detailed) • Lab 2–23 . Timeout: 28. Junos Security Question: When will the scheduler deactivate? Answer: The scheduler should deactivate at 18:00 hours.106. Pkts: 1.0.10/51545. From the Telnet session established with the virtual router. Timeout: 1766.87.10/51545 --> 172.tcp.18. Pkts: 22.5 Return to the Telnet session established with your assigned SRX device. If: . Policy name: self-traffic-policy/1.2/55672.4R3.106.20. Valid In: 172.20.local. If: ge-0/0/4. Bytes: 1596 Session ID: 23920.udp.105. Be sure to source the Telnet session from the appropriate routing instance.10/23. Log in with the same username and password as your current session. If: ge-0/0/3. Escape character is '^]'.0.20..1. Bytes: 1567 Out: 172. Valid In: 172.udp. open a Telnet session between the virtual router associated with your local Juniper zone and the virtual router associated with the remote Juniper zone. [email protected]> Step 4.7 built 2012-05-14 22:22:03 UTC NOTE: This router is divided into many virtual routers used by different teams. From the Telnet session established with assigned SRX device.18. You must use 'configure private' to configure this router. Pkts: 0.10.tcp.10/23 --> 172.4 Return to the Telnet session established with the virtual router.1.

105.net . Status: Normal Flag: 0x40 Policy name: Juniper-SV-to-Juniper-WF/9 Source NAT pool: Null. Pkts: 22.tcp. but in the output from srxC-1. [email protected]> show security flow session session-identifier session-id Session ID: 24149. Session token: 0xa.1.20.20.juniper. Lab 2–24 • Security Policies (Detailed) www. Timeout: 1786.106.105. Bytes: 1567 Out: 172. Interface: ge-0/0/3. Pkts: 22. Bytes: 1567 Out: 172. Session token: 0x7.10/23 --> 172.20. Valid In: 172. If: ge-0/0/4. Gateway: 172. Bytes: 1596 Total sessions: 1 Question: How many seconds remain before the Telnet session times out (without further activity)? Answer: The answer varies. FIN sequence: 0. Flag: 0x20 Route: 0x120010. Application: junos-telnet/10 Dynamic application: junos:UNKNOWN. Tunnel: 0 Port sequence: 0. Pkts: 27. Gateway: 172. Duration: 91 In: 172.106.10/51381 --> 172.20.tcp.20.0. the session ID is 24149. FIN state: 0. Bytes: 1596 Total sessions: 3 Question: What is the session ID for the Telnet session you opened? Answer: The answer varies.105.20. Flag: 0x21 Route: 0x110010.105. If: ge-0/0/3. FIN sequence: 0.106. If there is no further activity during this period. Use the session ID identified in the previous step. but in the output from srxC-1.Junos Security Session ID: 23925.0.10/23. FIN state: 0.20.18. Policy name: internet-Juniper-SV/6. 1716 seconds remain. Step 4.106.6 Using the session ID.1. the session closes. Tunnel: 0 Port sequence: 0. Pkts: 27.10/23.10/23 --> 172.tcp. view a more detailed output of the open Telnet session and answer the following question.105.20. Current timeout: 1716 Session State: Valid Start time: 112401. Maximum timeout: 1800.10/51545 --> 172.105.105.10.10/51381.tcp.10/51545.20. Interface: ge-0/0/4.

9 View security policy log entries by issuing the show log messages | match RT_FLOW command. } file messages { any any. security policies that are configured with a log action should automatically record entries in the messages log file. [email protected]> Step 4. } Question: Is your device’s syslog configuration sufficient to record security policy log actions? Answer: Yes. authorization info.net Security Policies (Detailed) • Lab 2–25 .8 Return to the Telnet session established with your assigned SRX device. From the Telnet session established with the virtual router. Junos Security Step 4. end the open Telnet session by entering the exit command. } file interactive-commands { interactive-commands any. [email protected]> exit Connection closed by foreign host. Recall from the classroom discussion that on branch security platforms running the Junos operating system. Step 4. www. [email protected]> show configuration system syslog user * { any emergency.juniper.7 Return to the Telnet session established with the virtual router. local data plane logging is enabled by configuring a local syslog with a facility of user and a severity of info. view the configuration hierarchy associated with the syslog settings. From the Telnet session established with assigned SRX device. Because the file messages configuration logs any facility at any severity.

20. MTU: 1514.108.10/23 None None 6 Juniper-WF-to-Juniper-SV untrust Juniper-SV 14965 13(828) 12(823) 2 Nov 4 16:29:40 srxC-1 mgd[64844]: UI_CMDLINE_READ_LINE: User 'lab'.108.20. Loopback: Disabled.107. Auto-negotiation: Enabled. Source filtering: Disabled. Down 0 ms Current address: 00:26:88:02:70:83.10/52298->172.10/ 52298->172. MAC-REWRITE Error: None. Hardware address: 00:26:88:02:70:83 Last flapped : 2012-06-08 18:58:16 UTC (2d 19:26 ago) Statistics last cleared: Never Traffic statistics: Input bytes : 146684438 0 bps Output bytes : 141583713 0 bps Input packets: 407769 0 pps Lab 2–26 • Security Policies (Detailed) www. Speed: 1000mbps. Flow control: Enabled. 8 maximum usable queues Hold-times : Up 0 ms.107.20.10/23 junos-telnet 172. Physical link is Up Interface index: 137. [email protected]> show interfaces extensive ge-0/0/3 Physical interface: ge-0/0/3. Link-mode: Full-duplex. command 'show log messages | match RT_FLOW ' Question: Do you see the appropriate log entries recording the opening and closing of the remote team’s Telnet session? Answer: Provided the remote team is keeping up with your team. Step 4.10/23 junos-telnet 172. you must ensure the other team in your pod has initiated (and exited) the Telnet session associated with this lab part.20.108.107.20.107.juniper.20.20. Remote fault: Online Device flags : Present Running Interface flags: SNMP-Traps Internal: 0x0 Link flags : None CoS queues : 8 supported.10/52298->172.10/ 52298->172.20. SNMP ifIndex: 509. BPDU Error: None. [email protected]> show log messages | match RT_FLOW Nov 4 16:22:00 srxC-1 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 172. To see log entries.10/23 None None 6 Juniper-WF-to-Juniper-SV untrust Juniper-SV 14965 Nov 4 16:22:05 srxC-1 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 172.108.Junos Security Note Recall that the security policy log action configuration was only for specific traffic ingressing your assigned device from the untrust zone. the answer should be yes. Enabled.10 Issue the show interfaces extensive command for the ge-0/0/3 interface.net . Generation: 140 Link-level type: Ethernet.

Drops: 0. Aged packets: 0. CAM source filters: 0 Autonegotiation information: Negotiation status: Complete Link partner: Link mode: Full-duplex. Framing errors: 0. FIFO errors: 0. Flow control: None. Drops: 0. 4 in use Queue counters: Queued packets Transmitted packets Dropped packets 0 best-effort 395537 395537 0 1 expedited-fo 0 0 0 2 assured-forw 0 0 0 3 network-cont 0 0 0 Queue number: Mapped forwarding classes 0 best-effort 1 expedited-forwarding 2 assured-forwarding 3 network-control Active alarms : None Active defects : None MAC statistics: Receive Transmit Total octets 154136086 148687961 Total packets 409029 395537 Unicast packets 407893 395491 Broadcast packets 1135 46 Multicast packets 1 0 CRC/Align errors 0 0 FIFO errors 0 0 MAC control frames 0 0 MAC pause frames 0 0 Oversized frames 0 Jabber frames 0 Fragment frames 0 VLAN tagged frames 0 Code violations 0 Filter statistics: Input packet count 0 Input packet rejects 0 Input DA rejects 0 Input SA rejects 0 Output packet count 0 Output packet pad count 0 Output packet error count 0 CAM destination filters: 2. L3 incompletes: 0. Resource errors: 0 Output errors: Carrier transitions: 1. FIFO errors: 0. Resource errors: 0 Egress queues: 8 supported.net Security Policies (Detailed) • Lab 2–27 .juniper. Remote fault: Link OK Packet Forwarding Engine configuration: Destination slot: 0 CoS information: www. L2 channel errors: 0. L2 mismatch timeouts: 0. Collisions: 0. HS link CRC errors: 0. Junos Security Output packets: 395543 0 pps Input errors: Errors: 0. Errors: 0. Remote fault: OK. Runts: 0. Link partner Speed: 1000 Mbps Local resolution: Flow control: None. Policed discards: 0. MTU errors: 0.

0 (Index 67) (SNMP ifIndex 516) (Generation 144) Flags: SNMP-Traps 0x0 Encapsulation: ENET2 Traffic statistics: Input bytes : 834550 Output bytes : 45741 Input packets: 3829 Output packets: 425 Local statistics: Input bytes : 16796 Output bytes : 38756 Input packets: 299 Output packets: 306 Transit statistics: Input bytes : 817754 0 bps Output bytes : 6985 0 bps Input packets: 3530 0 pps Output packets: 119 0 pps Security: Zone: untrust Flow Statistics : Flow Input statistics : Self packets : 286 ICMP packets : 291 VPN packets : 0 Multicast packets : 0 Bytes permitted by policy : 6074 Connections established : 1 Flow Output statistics: Multicast packets : 0 Bytes permitted by policy : 40881 Flow error statistics (Packets dropped due to): Address spoofing: 0 Authentication failed: 0 Incoming NAT errors: 0 Invalid zone received packet: 0 Multiple user authentications: 0 Multiple incoming NAT: 0 No parent for a gate: 0 No one interested in self packets: 0 No minor session: 0 No more sessions: 0 No NAT gate: 0 No route present: 0 No SA for incoming SPI: 0 No tunnel found: 0 No session for a gate: 0 No zone or NULL zone binding 0 Policy denied: 0 Lab 2–28 • Security Policies (Detailed) www.juniper.Junos Security Direction : Output CoS transmit queue Bandwidth Buffer Priority Limit % bps % usec 0 best-effort 95 950000000 95 0 low none 3 network-control 5 50000000 5 0 low none Interface transmit statistics: Disabled Logical interface ge-0/0/3.net .

The purpose of this question is to establish a baseline value. Broadcast: 172. The active security policies applied to traffic from the untrust zone on the remote team’s device do not allow this traffic.12 Once this has been confirmed. Step 4.11 Return to the Telnet session established with the virtual router.1.1. issue a Telnet session to the remote virtual router associated with your partner team’s Juniper zone.18.2. Generation: 157. Local: 172. but in the output taken from srxC-1. source the Telnet session from the virtual router associated with your local ACME zone.1. From the Telnet session established with the virtual router.18.. Generation: 162 Question: What is the value of the Policy denied counter within the interface flow statistics? Answer: The answer might vary. [email protected]> telnet remote-Juniper-VR routing-instance local-ACME-VR Trying 172.juniper. Step 4. But this time.18.20. return to your assigned device and issue the show interfaces extensive command for the ge-0/0/3 interface again. MTU: 1500.106. [email protected]> show interfaces extensive ge-0/0/3 | find "Flow Statistics" Flow Statistics : www. Junos Security Security association not active: 0 TCP sequence number out of window: 0 Syn-attack protection: 0 User authentication errors: 0 Protocol inet.10. Route table: 0 Flags: Sendbcast-pkt-to-re Addresses.0/30.net Security Policies (Detailed) • Lab 2–29 . STOP Ensure that the remote student team within your pod has finished the previous step before proceeding. ^C [email protected]> Question: Was the Telnet session successful? Answer: The Telnet session should not be successful.. Flags: Is-Preferred Is-Primary Destination: 172.3. the value is 0.

Broadcast: 172. the value is 2107.1. Lab 2–30 • Security Policies (Detailed) www.18. Generation: 157. Route table: 0 Flags: Sendbcast-pkt-to-re Addresses. this value was 0. MTU: 1500.3.1. Local: 172.18. STOP Tell your instructor that you have completed Lab 2.net . Flags: Is-Preferred Is-Primary Destination: 172.juniper.0/30.2.1. In the output taken from srxC-1. Generation: 162 Question: Did the value of the Policy denied counter increment? Answer: The answer should be yes.Junos Security Flow Input statistics : Self packets : 298 ICMP packets : 303 VPN packets : 0 Multicast packets : 0 Bytes permitted by policy : 6074 Connections established : 1 Flow Output statistics: Multicast packets : 0 Bytes permitted by policy : 42529 Flow error statistics (Packets dropped due to): Address spoofing: 0 Authentication failed: 0 Incoming NAT errors: 0 Invalid zone received packet: 0 Multiple user authentications: 0 Multiple incoming NAT: 0 No parent for a gate: 0 No one interested in self packets: 0 No minor session: 0 No more sessions: 0 No NAT gate: 0 No route present: 0 No SA for incoming SPI: 0 No tunnel found: 0 No session for a gate: 0 No zone or NULL zone binding 0 Policy denied: 2107 Security association not active: 0 TCP sequence number out of window: 0 Syn-attack protection: 0 User authentication errors: 0 Protocol inet. Previously.18.

net Configuring Firewall Authentication (Detailed) • Lab 3–1 12. • Create a default client group and associate clients with the group. Lab 3 Configuring Firewall Authentication (Detailed) Overview In this lab. where you might be directed to load a starting configuration at the beginning of each lab part. you will perform the following tasks: • Define clients within an access profile. If you are completing the lab from start to finish. • Configure firewall user authentication parameters. You will test and monitor the effects of firewall user authentication. The lab is also designed for modularity.a.12.9 .juniper. www. The configuration tasks performed within this lab and subsequent labs will build upon one another. there is no need to load the starting configuration for each lab part.1R1. By completing this lab. you will implement firewall user authentication. The lab is available in two formats: a high-level format designed to make you think through each step and a detailed format that offers step-by-step instructions complete with sample output from most commands. • Monitor the effects of your configuration using operational mode commands and traceoptions. • Add and alter security policies that have an extended permit action specifying firewall user authentication. You will enable FTP access between networks and secure the access with authentication.

create a default client group and associate clients with the group.35. Step 1.Junos Security Part 1: Configuring Firewall User Authentication In this lab part.210. Step 1. Check with your instructor if you are not certain. The sample hostname and IP address used in the output examples in this lab are for srxA-1. Consult the Management Network Diagram to determine the management address of your student device. you define clients within an access profile. Commit the configuration and exit to operational mode when complete. and configure firewall user authentication parameters. or SSH as directed by your instructor. srxA-1 (ttyu0) login: lab Password: Lab 3–2 • Configuring Firewall Authentication (Detailed) www. which uses 10. Step 1.config from the /var/home/lab/jsec/ directory.2 Access the command-line interface (CLI) at your station using either the console.net . The actual management address varies between delivery environments.131 as its management IP address. Question: What is the management address assigned to your student router? Answer: The answer varies. Telnet.1 Ensure that you know to which student device you have been assigned.juniper. Enter configuration mode and load the lab3-start.3 Log in as user lab with the password lab123.

Configure two clients named walter and nancy with passwords of walter123 and nancy123. ## SECRET-DATA } } } www.juniper. respectively.net Configuring Firewall Authentication (Detailed) • Lab 3–3 .4 Navigate to the [edit access] hierarchy.PfzFcyrvX7".5QF".1R1.config load complete [edit] [email protected]# commit and-quit commit complete Exiting configuration mode [email protected]> Step 1.JUNOS 12.9 built 2012-03-24 12:12:49 UTC [email protected]> configure Entering configuration mode [edit] [email protected]# load override jsec/lab3-start. Junos Security --. [edit] [email protected]# edit access [edit access] [email protected]# Step 1. ## SECRET-DATA } } client walter { firewall-user { password "$9$a1UqfTQnApB36pBREKv4aJUk.5 Create an access profile named ftp-users. [edit access] [email protected]# edit profile ftp-users [edit access profile ftp-users] [email protected]# set client walter firewall-user password walter123 [edit access profile ftp-users] [email protected]# set client nancy firewall-user password nancy123 [edit access profile ftp-users] [email protected]# up [edit access] [email protected]# show profile ftp-users { client nancy { firewall-user { password "$9$lJ8vLNdVYZUHKMi.

Step 1. [edit access] [email protected]# edit firewall-authentication [edit access firewall-authentication] [email protected]# set pass-through default-profile ftp-users [edit access firewall-authentication] [email protected]# show pass-through { default-profile ftp-users.7 Associate the ftp-users profile with pass-through firewall user authentication.6 Associate all clients in the ftp-users profile with a client group named ftp-group.juniper. } [edit access firewall-authentication] [email protected]# Lab 3–4 • Configuring Firewall Authentication (Detailed) www.5QF". ## SECRET-DATA } } client walter { firewall-user { password "$9$a1UqfTQnApB36pBREKv4aJUk. } } Question: What method of associating clients with client groups requires the least amount of keystrokes for this scenario? Answer: You can specify client groups individually with each client.Junos Security Step 1. the most efficient method would be to assign a default client group as shown in the example. ## SECRET-DATA } } session-options { client-group ftp-group.PfzFcyrvX7". [edit access] [email protected]# set profile ftp-users session-options client-group ftp-group [edit access] [email protected]# show profile ftp-users { client nancy { firewall-user { password "$9$lJ8vLNdVYZUHKMi.net . However when all clients within an access profile have the same requirements.

destination-address any. descriptions. Review the lab diagram and your configuration and answer the question that follows. } } } from-zone ACME-SV to-zone ACME-SV { policy intrazone-ACME-SV { www. Junos Security Step 1. } then { permit.8 Create custom banners for FTP users. This access should be authenticated using pass-through firewall user authentication and the access should be available at all times. [edit access firewall-authentication] [email protected]# set pass-through ftp banner login "Junos Rocks!" [edit access firewall-authentication] [email protected]# show pass-through { default-profile ftp-users. and annotations by enclosing the phrase in quotation marks.9 The nancy and walter clients need FTP access bi-directionally between your local Juniper customer network and the remote team’s Juniper customer network zones. } } } Step 1. ftp { banner { login "Junos Rocks!".net Configuring Firewall Authentication (Detailed) • Lab 3–5 . Note The Junos operating system allows multiple words in banners.juniper. Configure your device to display Junos Rocks! when firewall authentication users are prompted for the username and password. [edit access firewall-authentication] [email protected]# top [edit] [email protected]# edit security policies [edit security policies] [email protected]# show | no-more from-zone Juniper-SV to-zone Juniper-SV { policy intrazone-Juniper-SV { match { source-address any. application any.

Lab 3–6 • Configuring Firewall Authentication (Detailed) www. application internal-apps.juniper. destination-address vr101. destination-address any. } } policy internet-AMCE-SV { match { source-address vr101. destination-address any. } then { permit. } then { permit.Junos Security match { source-address any. } then { reject. application any. log { session-init. } then { permit. } then { permit. } } } from-zone untrust to-zone Juniper-SV { policy Juniper-WF-to-Juniper-SV { match { source-address vr102. } } } from-zone ACME-SV to-zone untrust { policy internet-ACME-SV { match { source-address vr201. } } } from-zone Juniper-SV to-zone untrust { policy deny-ftp-Juniper-SV { match { source-address any. destination-address any.net . application any. destination-address any. application any. application junos-ftp.

but this policy is specific to an application set that does not include FTP traffic. Junos Security session-close. Although a policy is already in place for traffic destined to the untrust zone from the Juniper-SV and Juniper-WF zones. } } scheduler-name internal-apps-scheduler. } } [edit security policies] [email protected]# Question: What security policy changes must you make to accommodate this access? Answer: The answer varies depending upon your assigned device. Step 1. For your policy’s destination-address match. use the existing address book entry for the remote student team’s Juniper customer network. A policy is also in place for traffic destined to the Juniper-SV and Juniper-WF zones from the untrust zone. [edit security policies] [email protected]# edit from-zone Juniper-local to-zone untrust policy outbound-ftp-auth [edit security policies from-zone Juniper-SV to-zone untrust policy outbound-ftp-auth] [email protected]# set match source-address local-Juniper-vrName [edit security policies from-zone Juniper-SV to-zone untrust policy outbound-ftp-auth] [email protected]# set match destination-address remote-Juniper-vrName [edit security policies from-zone Juniper-SV to-zone untrust policy outbound-ftp-auth] [email protected]# set match application junos-ftp www.10 Define a security policy to allow the nancy client and walter client FTP access from your local Juniper customer network zone to the remote student team’s Juniper customer network zone.net Configuring Firewall Authentication (Detailed) • Lab 3–7 . You must define a new security policy for the FTP traffic destined to the untrust zone. Insert the policy before the deny-ftp policy. Configure the source-address to match the address-set for your local Juniper customer network.juniper. Both devices in your pod require two new security policies. the current policy configuration prohibits FTP traffic.

11 Navigate to the [edit security policies from-zone Juniper-local to-zone untrust] hierarchy. application junos-ftp. } } policy internet-Juniper-SV { match { source-address vr101. } Lab 3–8 • Configuring Firewall Authentication (Detailed) www. } Step 1. } then { reject. destination-address any. [edit security policies from-zone Juniper-SV to-zone untrust policy outbound-ftp-auth] [email protected]# up [edit security policies from-zone Juniper-SV to-zone untrust] [email protected]# show policy deny-ftp-Juniper-SV { match { source-address any. application junos-ftp. Issue the show command. } } policy outbound-ftp-auth { match { source-address vr101.juniper. } then { permit. destination-address any. destination-address vr102. review the output. application junos-ftp. application any.Junos Security [edit security policies from-zone Juniper-SV to-zone untrust policy outbound-ftp-auth] [email protected]# set then permit [edit security policies from-zone Juniper-SV to-zone untrust policy outbound-ftp-auth] [email protected]# show match { source-address vr101. destination-address vr102.net . } then { permit. and answer the question below.

Junos Security
then {
permit;
}
}

Question: Is any policy reordering necessary for the
outbound-ftp-auth security policy?

Answer: Yes. The first policy in the list denies the
FTP traffic that you want to allow.

Step 1.12
Insert the outbound-ftp-auth policy before the deny-ftp-Juniper-local
policy.
[edit security policies from-zone Juniper-SV to-zone untrust]
[email protected]# insert policy outbound-ftp-auth before policy
deny-ftp-Juniper-local

[edit security policies from-zone Juniper-SV to-zone untrust]
[email protected]# show
policy outbound-ftp-auth {
match {
source-address vr101;
destination-address vr102;
application junos-ftp;
}
then {
permit;
}
}
policy deny-ftp-Juniper-SV {
match {
source-address any;
destination-address any;
application junos-ftp;
}
then {
reject;
}
}
policy internet-Juniper-SV {
match {
source-address vr101;
destination-address any;
application any;
}
then {
permit;
}
}

www.juniper.net Configuring Firewall Authentication (Detailed) • Lab 3–9

Junos Security
Step 1.13
Navigate to the [edit security policies from-zone Juniper-SV to-zone
untrust] hierarchy. Configure a policy named inbound-ftp-auth to allow the
nancy client and walter client FTP access from the remote student team’s
Juniper customer network zone to your local Juniper customer network zone.
Configure the source-address to match the address-set for the remote student
team’s Juniper customer network. For your policy’s destination-address
match, use the existing address book entry for your local Juniper customer network.
Ensure that this session authenticates using pass-through firewall authentication.
The firewall authentication should be performed only for traffic coming from the
untrust zone to avoid double authentication.
[edit security policies from-zone Juniper-SV to-zone untrust]
[email protected]# up

[edit security policies]
[email protected]# edit from-zone untrust to-zone Juniper-local policy
inbound-ftp-auth

[edit security policies from-zone untrust to-zone Juniper-SV policy
inbound-ftp-auth]
[email protected]# set match source-address remote-Juniper-vrName

[edit security policies from-zone untrust to-zone Juniper-SV policy
inbound-ftp-auth]
[email protected]# set match destination-address local-Juniper-vrName

[edit security policies from-zone untrust to-zone Juniper-SV policy
inbound-ftp-auth]
[email protected]# set match application junos-ftp

[edit security policies from-zone untrust to-zone Juniper-SV policy
inbound-ftp-auth]
[email protected]# set then permit firewall-authentication pass-through client-match
ftp-group
Step 1.14
Navigate to the [edit security policies from-zone untrust to-zone
Juniper-local] hierarchy. Issue the show command, review the output, and
answer the question below.
[edit security policies from-zone untrust to-zone Juniper-SV policy
inbound-ftp-auth]
[email protected]# up

[edit security policies from-zone untrust to-zone Juniper-SV]
[email protected]# show
policy Juniper-WF-to-Juniper-SV {
match {
source-address vr102;
destination-address vr101;
application internal-apps;
}
then {

Lab 3–10 • Configuring Firewall Authentication (Detailed) www.juniper.net

Junos Security
permit;
log {
session-init;
session-close;
}
}
scheduler-name internal-apps-scheduler;
}
policy inbound-ftp-auth {
match {
source-address vr102;
destination-address vr101;
application junos-ftp;
}
then {
permit {
firewall-authentication {
pass-through {
client-match ftp-group;
}
}
}
}
}

Question: Is any policy reordering necessary for the
inbound-ftp-auth security policy?

Answer: No. The first policy under the associated
context does not match on FTP traffic. Therefore
FTP traffic passes to the next policy in the chain.
Recall that traffic matching no policies under a
given context associates with the default policy.

Step 1.15
Commit your configuration and return to operational mode.
[edit security policies from-zone untrust to-zone Juniper-SV]
[email protected]# commit and-quit
commit complete
Exiting configuration mode

[email protected]>

STOP Do NOT continue to the next lab part until both teams within your
assigned pod have reached this point.

www.juniper.net Configuring Firewall Authentication (Detailed) • Lab 3–11

Junos Security

Part 2: Verifying and Monitoring Firewall User Authentication

In this lab part, you verify the results of your configuration through testing. You will
also monitor firewall user authentication using traceoptions and operational mode
commands.
Step 2.1
Enter configuration mode, or go to the top of the configuration hierarchy if you are
already in configuration mode, and load the lab3-part2-start.config from
the /var/home/lab/jsec/ directory. Commit the configuration when complete.
[edit]
[email protected]# load override jsec/lab3-part2-start.config
load complete

[edit]
[email protected]# commit
commit complete
Step 2.2
Note
This lab step requires you to open a
separate Telnet session to the virtual router
to emulate an external host.
Keep the current Telnet session
established with your assigned SRX device
open to monitor results.
The virtual router is a J Series Services
Router configured as several logical
devices. Refer to the Management Network
Diagram for the IP address of the vr-device.

Open a separate Telnet session to the virtual router attached to your team device.

Lab 3–12 • Configuring Firewall Authentication (Detailed) www.juniper.net

Accepted (Closed connection .108.20. ftp> www. use the credentials you created for the user nancy. remote server has closed connection. 421 Service not available. initiate an FTP session between the virtual router associated with your local Juniper customer network zone and the virtual router associated with the remote student team’s Juniper customer network zone. When prompted for firewall user authentication.10:d1): nancy 331 Password Required Password: Authentication .10.net Configuring Firewall Authentication (Detailed) • Lab 3–13 .4R3. Remember to source the command from the appropriate routing instance. Please only configure your own virtual router.JUNOS 11. [email protected]> ftp remote-Juniper-VR routing-instance local-Juniper-VR Connected to 172.7 built 2012-05-14 22:22:03 UTC NOTE: This router is divided into many virtual routers used by different teams. Note that the ftp command is hidden and does not auto-complete. [email protected]> Step 2.4 From the Telnet session established with the virtual router.3 Log in to the virtual router using the login information shown in the following table: Virtual Router Login Details Student Device User Name Password srxA-1 a1 lab123 srxA-2 a2 lab123 srxB-1 b1 lab123 srxB-2 b2 lab123 srxC-1 c1 lab123 srxC-2 c2 lab123 srxD-1 d1 lab123 srxD-2 d2 lab123 vr-device (ttyd0) login: username Password: --.juniper.reconnect to server) ftp: Login failed.20. 220 Junos Rocks! Name (172. You must use 'configure private' to configure this router.108. Junos Security Step 2.

the remote student device will need to clear out the firewall authentication user session by issuing the operational-mode command clear security firewall-authentication users. Lab 3–14 • Configuring Firewall Authentication (Detailed) www. issue the show security firewall-authentication users command.10 untrust Juniper-SV ftp-user 1 Success nancy Question: What does the output for this command indicate? Answer: The output indicates that nancy successfully authenticated. For FTP traffic only. for FTP sessions. Keep in mind that the Junos OS generates this output because the remote team attempted to establish an FTP session through your student device to the directly attached virtual router. Step 2.102. In the Junos OS.20. [email protected]> show security firewall-authentication users Firewall authentication data: Total users in table: 1 Id Source Ip Src zone Dst zone Profile Age Status User 3 172. Return to the Telnet session established with your assigned SRX device.5 Note Check with the remote team in your pod and ensure they have completed the previous step. If you do not see the user nancy in the output. check with the remote team. From the Telnet session established with your assigned SRX device. the session needs to be re-initiated after performing firewall authentication. the observed behavior is expected.juniper.net . Note If you test the FTP connection multiple times. authentication was indeed successful.Junos Security Question: Was the authentication successful? What behavior did you observe? Answer: Although the FTP session failed.

00LS) ready. attempt the FTP session again. Step 2. Remote system type is UNIX.102. vr-device (ttyp1) login: username Password: --. ftp> bye [email protected]> ftp remote-Juniper-VR routing-instance local-Juniper-VR Connected to 172. Using binary mode to transfer files. refer to the table provided in Step 2.102.2. Name (172. 220 vr-device FTP server (Version 6.20. Password: 230 User a1 logged in.) Note Because the previous firewall authentication did not result in an established FTP session. perform the firewall authentication again and re-initiate the FTP session immediately thereafter. www. Log in to the FTP server using your assigned username and password for the vr-device.7 built 2012-05-14 22:22:03 UTC NOTE: This router is divided into many virtual routers used by different teams. In this case.20.7 Leave the current session with the vr-device open and open a second session to the vr-device using Telnet. (Hint: Use the FTP bye command to exit the service at the ftp> prompt.6 Return to the Telnet session established with the virtual router.net Configuring Firewall Authentication (Detailed) • Lab 3–15 . disconnect and reconnect to the vr-device.juniper.4R3. ftp> Question: Were you able to successfully establish an FTP session? Answer: As shown in the output. Refer to the Management Network Diagram as needed. If needed.10:root): username 331 Password required for a1. If your previous FTP session appears to be hung up. Junos Security Step 2. From the Telnet session established with the virtual router. you should now be able to successfully establish the FTP session. the authentication might have timed out. Please only configure your own virtual router.JUNOS 11.10.

Password: 530 Login incorrect.20.juniper.00LS) ready. Name (172. 220 vr-device FTP server (Version 6.9 Exit both FTP sessions and close the second session you opened to the vr-device. The FTP session is actually successful. However no prompt for firewall authentication occurs for this session. Using binary mode to transfer files.102. This time.102. Name (172. 220 vr-device FTP server (Version 6.10:a1): username 331 Password required for a1. ftp: Login failed.Junos Security You must use 'configure private' to configure this router.20. ftp> bye [email protected]> ftp> bye [email protected]> exit Lab 3–16 • Configuring Firewall Authentication (Detailed) www. [email protected]> ftp remote-Juniper-VR routing-instance local-Juniper-VR Connected to 172. ftp> bye 221 Goodbye. any subsequent traffic from the same source IP address bypasses firewall authentication. Password: 230 User a1 logged in.102.102.10:a1): walter 331 Password required for walter. [email protected]> ftp remote-Juniper-VR routing-instance local-Juniper-VR Connected to 172.8 Attempt another FTP session using the same procedure.20. use the walter username for firewall authentication and log into the FTP server with your vr-device credentials. the login will fail.10. [email protected]> Step 2.20. Recall that as long as an authenticated session remains active. Remote system type is UNIX.10.net . ftp> Question: Could you successfully authenticate with the username walter and establish an FTP session? Answer: If you tried to login with the username walter.00LS) ready. Step 2.

220 Junos Rocks! Name (172. issue the show security firewall-authentication users command followed by the show security firewall-authentication history command. Junos Security Step 2.102. ftp> Step 2. Return to the Telnet session established with your assigned SRX device. remote server has closed connection. if any exist.10. When you are prompted for the firewall authentication.20. Return to the Telnet session established with the virtual router.12 Exit the FTP session with the bye command and return to your assigned student device. 421 Service not available. From the Telnet session established with your assigned SRX device. www. [email protected]> clear security firewall-authentication users [email protected]> show security firewall-authentication users Firewall authentication data: Total users in table: 0 Step 2. use a username of john and a password of doe. From the Telnet session established with the virtual router.Failed ftp: Login failed.20. attempt another FTP session between your local Juniper customer zone and the remote team’s Juniper customer zone. [email protected]> ftp remote-Juniper-VR routing-instance local-Juniper-VR Connected to 172.net Configuring Firewall Authentication (Detailed) • Lab 3–17 .11 Note Check with the remote team in your pod and ensure they have completed the previous step.10 Return to the Telnet session established with your assigned SRX device. From the Telnet session established with your assigned SRX device. ftp> bye Step 2.102. clear the entries in the firewall authentication users table.10:d1): john 331 Password Required Password: Authentication .juniper.13 Note Check with the remote team in your pod and ensure they have completed the previous step.

Note If the remote team has not performed the required verification tasks. but provided the remote team within your pod attempted an FTP session with the username john.20.20.10 untrust Juniper. Lab 3–18 • Configuring Firewall Authentication (Detailed) www.102.10 2012-06-01 03:27:40 0:02:08 Success walter 6 172.10 2012-06-14 03:11:21 0:10:06 Success nancy 2 172.juniper.102.20. you will not see any logs.10 2012-06-14 03:26:02 0:01:33 Success walter 5 172.10 2012-06-14 03:17:23 0:02:01 Success nancy 3 172.net .20.102.102.10 2012-06-01 03:29:55 0:01:07 Failed john Question: Are any failed authentication attempts listed in the outputs? Answer: The outputs may vary. Question: What is the source IP address of the failed authentication attempts? Answer: The answer varies but the failed attempts should have a source IP address representing the virtual router of the neighboring teams—from the Juniper-SV or Juniper-WF zone. at least one failed attempt should be listed.10 2012-06-14 03:22:59 0:11:58 Success walter 4 172.ftp-user 1 Failed john [email protected]> show security firewall-authentication history History of firewall authentication data: Authentications: 6 Id Source Ip Date Time Duration Status User 1 172.Junos Security [email protected]> show security firewall-authentication users Firewall authentication data: Total users in table: 1 Id Source Ip Src zone Dst zone Profile Age Status User 3 172.20.14 View the firewall user authentication entries in your data plane log by issuing the show log messages | match RT_AUTH command. To view log entries from the remote device.20.20. Step 2.102.102. reference the name of the remote device instead of your device’s name in the previous sample command.102.

Jun 14 03:56:09 srxA-1 mgd[1262]: UI_CMDLINE_READ_LINE: User 'lab'.102.20. and firewall authentication action. Jun 14 03:37:48 srxA-1 RT_AUTH: FWAUTH_FTP_USER_AUTH_FAIL: User john at 172. Junos Security [email protected]> show log messages | match RT_AUTH Jun 14 03:22:24 srxA-1 RT_AUTH: FWAUTH_FTP_USER_AUTH_ACCEPTED: User nancy of group ftp-group at 172.102.10 is rejected.juniper.20. www.10 is accepted. username. command 'show log messages | match RT_AUTH ' Question: What additional information can you derive from the data plane security log? Answer: The security log shows the authentication attempts were made using FTP as well as the source address. STOP Tell your instructor that you have completed Lab 3.net Configuring Firewall Authentication (Detailed) • Lab 3–19 .

Junos Security Lab 3–20 • Configuring Firewall Authentication (Detailed) www.juniper.net .

where you might be directed to load a starting configuration at the beginning of each lab part. • Monitor the effects of your configuration. The lab is available in two formats: a high-level format designed to make you think through each step and a detailed format that offers step-by-step instructions complete with sample output from most commands. you will implement the Junos operating system Screen options. there is no need to load the starting configuration for each lab part. Lab 4 Implementing Screen Options (Detailed) Overview In this lab. The lab is also designed for modularity. You will set up various Screens to protect your assigned device from suspicious or malicious traffic entering your device from the untrust zone. If you are completing the lab from start to finish.9 .net Implementing Screen Options (Detailed) • Lab 4–1 12. By completing this lab. www. • Test your your implementation.12.1R1.a. you will perform the following tasks: • Define various Screen options (called ids-options). • Associate the Screen with a security zone.juniper.

14. you will configure Screen protection. The instructor will inform you as to the nature of your access and will provide you the details needed to access your assigned device. Telnet.1 Ensure that you know to which student device you have been assigned.net . which uses an IP address of 10. Consult the Management Network Diagram to determine the management address of your student device. Step 1. in this example the user is assigned to the srxC-1 station.210.135. The following example is based on simple Telnet access using the Secure CRT program. you will load the starting configuration for Lab 4. In this lab part.2 Access the CLI at your station using either the console.Junos Security Part 1: Accessing Your Device and Configuring Screen Protection In this lab part. Lab 4–2 • Implementing Screen Options (Detailed) www. the lab equipment used might be remote from your physical location. Check with your instructor if you are not certain. or SSH as directed by your instructor. you will use the CLI to log in to your designated station.juniper. Then. Step 1. Question: What is the management address assigned to your station? Answer: The answer varies. Then. you become familiar with the access details used to access the lab equipment. Note Depending on the class. Once you are familiar with the access details. Refer to the Management Network Diagram for the IP address associated with your workstation.

juniper.5 Create a Screen that blocks ICMP packets larger than 1024 bytes. configure the Screen to block ICMP fragments. Name the Screen internet-protect.6 Within the same Screen option.net Implementing Screen Options (Detailed) • Lab 4–3 . [edit security screen] [email protected]# set ids-option internet-protect icmp fragment www. srxC-1 (ttyu0) login: lab Password: --.4 Navigate to the [edit security screen] hierarchy.3 Log in as user lab with the password lab123. Commit the configuration when complete. [edit security screen] [email protected]# set ids-option internet-protect icmp large [edit security screen] [email protected]# show ids-option internet-protect { icmp { large.config [edit] [email protected]# commit commit complete [edit] [email protected]# Step 1.1R1. Junos Security Step 1. [edit] [email protected]# edit security screen [edit security screen] [email protected]# Step 1.9 built 2012-03-24 12:12:49 UTC [email protected]> configure Entering configuration mode [edit] [email protected]# load override jsec/lab4-start. Enter configuration mode and load the lab4-start. } } Step 1.JUNOS 12.config from the /var/home/lab/jsec/ directory.

juniper. These packets are typically fragmented. large. large. [edit security screen] [email protected]# set ids-option internet-protect ip record-route-option [edit security screen] [email protected]# show ids-option internet-protect { icmp { fragment. } ip { record-route-option.net . An ICMP Ping of Death attack occurs when ping packets are sent to a host in excess of the maximum IP packet size of 65. } } Question: Can you recall a common type of attack blocked by this Screen from the class discussion? Answer: Enabling protection from ICMP packets larger than 1024 bytes and from fragmented ICMP packets provides protection from ICMP Ping of Death attacks. Activate the configuration changes by issuing the commit command. [edit security screen] [email protected]# set ids-option internet-protect limit-session destination-ip-based 1 [edit security screen] [email protected]# show ids-option internet-protect { Lab 4–4 • Implementing Screen Options (Detailed) www. Step 1.535 bytes.7 Add protection from packets that are using the IP Record Route option to the internet-protect Screen.8 Add additional protection that limits the number of sessions to the same destination IP address to a maximum of one session. } } Step 1.Junos Security [edit security screen] [email protected]# show ids-option internet-protect { icmp { fragment.

large. } limit-session { destination-ip-based 1. Part 2: Verifying Screen Protection In this lab part.1 Enter configuration mode. [edit security screen] [email protected]# top [edit] [email protected]# load override jsec/lab4-part2-start. The virtual routers are logical devices created on a J Series Services Router. Junos Security icmp { fragment.config from the /var/home/lab/jsec/ directory.net Implementing Screen Options (Detailed) • Lab 4–5 .juniper. } } [edit security screen] [email protected]# commit commit complete STOP Before proceeding. ensure that the remote team within your pod is ready to continue on to Part 2.config [edit] [email protected]# commit commit complete [edit] [email protected]# www. Commit the configuration when complete. Step 2. Refer to the Management Network Diagram for the IP address of the vr-device. and load the lab4-part2-start. } ip { record-route-option. you verify the results of your Screen configuration Note The next lab steps require you to log in to the virtual router attached to your team’s device. or go to the top of the configuration hierarchy if you are already in configuration mode.

juniper.4R3.7 built 2012-05-14 22:22:03 UTC NOTE: This router is divided into many virtual routers used by different teams.Junos Security Step 2.net . You must use 'configure private' to configure this router.JUNOS 11. Step 2.2 Open a separate Telnet session to the virtual router attached to your team device. [email protected]> Lab 4–6 • Implementing Screen Options (Detailed) www. Please only configure your own virtual router.3 Log in to the vr-device using the login information shown in the following table: Virtual Router Login Details Student Device Username Password srxA-1 a1 lab123 srxA-2 a2 lab123 srxB-1 b1 lab123 srxB-2 b2 lab123 srxC-1 c1 lab123 srxC-2 c2 lab123 srxD-1 d1 lab123 srxD-2 d2 lab123 vr-device (ttyp0) login: username Password: --.

provided the remote team properly configured it on their device. 0% packet loss round-trip min/avg/max/stddev = 4.106.20.10): 56 data bytes !!!!! --.net Implementing Screen Options (Detailed) • Lab 4–7 .20.20.291/4.197/5. Junos Security Step 2.10 (172. 5 packets received.128/6.106.762/5.20.359 ms www.10 (172. plus an ICMP header size of 8 bytes. The instance names match the names of the virtual routers listed on the network diagram. 5 packets received.106. An ICMP echo request consists of a data size of 56 bytes. [email protected]> ping remote-Juniper-VR routing-instance local-Juniper-VR rapid PING 172.10 ping statistics --- 5 packets transmitted. [email protected]> ping remote-Juniper-VR routing-instance local-Juniper-VR rapid size 1100 PING 172.10 ping statistics --- 5 packets transmitted.027 ms Question: Was the ping successful? What size does an ICMP echo request packet use by request? Answer: The ping should succeed as shown in the output.106.371/0.106.5 Issue the same ping request again. Step 2.4 Initiate a ping between the virtual router in the Juniper-local zone and the virtual router in the Juniper-remote zone.923/1.juniper.172. This size is larger than 1024 bytes and should trigger the ICMP large Screen option.10): 1100 data bytes !!!!! --. but this time specify a size of 1100 bytes.20.106.172. The output does not show the additional Ethernet overhead of 20 bytes. 0% packet loss round-trip min/avg/max/stddev = 4.20. Note Remember to reference the appropriate instance name when sourcing ICMP traffic from a virtual router.

20. From the Telnet session established with assigned SRX device. address internet-host 172.6 Return to the Telnet session established with your assigned SRX device. address vr208 172.31. the Screen options have not yet been applied to a security zone. address srxC-2 172. Commit your configuration and exit configuration mode. Although the configuration contains the appropriate Screen options. Step 2.2.15. } [edit security zones security-zone untrust] [email protected]# commit and-quit commit complete Exiting configuration mode [email protected]> STOP Ensure that the remote student team within your pod has finished the previous step before proceeding. Lab 4–8 • Implementing Screen Options (Detailed) www.0/24.1/32.net . } screen internet-protect.108.0/30.208.juniper.20.0/24. The results are expected. interfaces { ge-0/0/3.Junos Security Question: What is the result of the ping operation with a specified size of 1100 bytes? Are the results expected? Answer: The output indicates the ping was successful and something is amiss regarding the Screen options configuration. apply the internet-protect Screen option to the untrust security zone.18.0. [edit] [email protected]# edit security zones security-zone untrust [edit security zones security-zone untrust] [email protected]# set screen internet-protect [edit security zones security-zone untrust] [email protected]# show address-book { address vr108 172.

[email protected]> ping remote-Juniper-VR routing-instance local-Juniper-VR rapid size 1100 PING 172. This time specify a size of 2000 bytes..juniper. Once again.106. specify a size of 1100 bytes..10 (172.106.172.20.10): 1100 data bytes . Link-mode: Full-duplex. Step 2. From the Telnet session established with the virtual router.10 (172.20.20. 100% packet loss Question: What is the result of the ping operation with a specified size of 1100 bytes? Are the results expected? Answer: The output indicates the ping was not successful.20.106. Question: What is the physical MTU size of the interface? Answer: The output indicates the physical MTU is 1518 bytes. Junos Security Step 2.. MTU: 1518.net Implementing Screen Options (Detailed) • Lab 4–9 . Step 2.106. This behavior is expected and demonstrates the ICMP large Screen option is working as designed.9 Issue another ping between the virtual routers associated with the Juniper-local and Juniper-remote security zones.8 Determine the physical maximum transmission unit (MTU) of your virtual router’s interface (associated with the your local Juniper zone) that connects to your assigned device by issuing the show interfaces ge-0/0/1 media | match mtu command.20. BPDU Error: None.10 ping statistics --- 5 packets transmitted. [email protected]> show interfaces ge-0/0/1 media | match mtu Link-level type: Ethernet. repeat the ping command between the virtual routers associated with the Juniper-local and Juniper-remote security zones. --.7 Return to the Telnet session established with the virtual router.10): 2000 data bytes www.106. ensuring ICMP packet fragmentation occurs. Speed: 1000mbps.. MAC-REWRITE Error: None. 0 packets received. Do not forget to source the ping from the proper routing instance! [email protected]> ping remote-Juniper-VR routing-instance local-Juniper-VR rapid size 2000 PING 172.

20.net . 100% packet loss Question: What is the result of the ping specifying the record-route option? Are the results expected? Answer: The output indicates the ping was not successful..20..10): 56 data bytes . Use the same login credentials as used for your current vr-device Telnet session. This time specify the record-route option.106.106.juniper.. Step 2.10 Issue another ping between the virtual routers associated with the Juniper-local and Juniper-remote security zones.Junos Security . --.10 ping statistics --- 5 packets transmitted.20. Step 2.10 (172. --.. 0 packets received.10 ping statistics --- 5 packets transmitted.172. This behavior is expected and demonstrates the ICMP fragment Screen option is working as designed. This behavior is expected and demonstrates the ICMP record route Screen option is working as designed.106.106. The instance names match the names of the virtual routers listed on the network diagram..20. Note Remember to reference the appropriate instance name when sourcing Telnet traffic from a virtual router. open a new Telnet session to the remote virtual router associated with the Juniper-local and Juniper-remote security zones.11 Within your current vr-device Telnet session. Lab 4–10 • Implementing Screen Options (Detailed) www. 0 packets received. [email protected]> ping remote-Juniper-VR routing-instance local-Juniper-VR rapid record-route PING 172.... 100% packet loss Question: What is the result of the ping specifying a size of 2000 bytes? Are the results expected? Answer: The output indicates the ping was not successful.172.

separate Telnet session to the vr-device. the Telnet session should successfully establish. vr-device (ttyp0) login: username Password: --.JUNOS 11.10.net Implementing Screen Options (Detailed) • Lab 4–11 . Please only configure your own virtual router.juniper.20.20.108.. Connected to 172. You must use 'configure private' to configure this router. Junos Security [email protected]> telnet remote-Juniper-VR routing-instance local-Juniper-VR Trying 172.108.4R3. www.. [email protected]> Question: Was the Telnet session successfully established? Answer: As indicated in the output. Step 2.7 built 2012-05-14 22:22:03 UTC NOTE: This router is divided into many virtual routers used by different teams.10. Escape character is '^]'.12 Open a new.

13 Log in to the virtual router using the login information shown in the following table: Virtual Router Login Details Student Device Username Password srxA-1 a1 lab123 srxA-2 a2 lab123 srxB-1 b1 lab123 srxB-2 b2 lab123 srxC-1 c1 lab123 srxC-2 c2 lab123 srxD-1 d1 lab123 srxD-2 d2 lab123 vr-device (ttyd0) login: username Password: --.net .Junos Security Step 2. Note Remember to reference the appropriate instance name when sourcing Telnet traffic from a virtual router.JUNOS 11.4R3.. [email protected]> Step 2.. You must use 'configure private' to configure this router. telnet: connect to address 172. [email protected]> telnet remote-Juniper-VR routing-instance local-Juniper-VR Trying 172. attempt to open a second Telnet connection between the virtual routers associated with the Juniper-local and Juniper-remote security zones.juniper.10: Operation timed out telnet: Unable to connect to remote host Lab 4–12 • Implementing Screen Options (Detailed) www.10.108.108. Please only configure your own virtual router.7 built 2012-05-14 22:22:03 UTC NOTE: This router is divided into many virtual routers used by different teams.14 Within the new vr-device session.20. The instance names match the names of the virtual routers listed on the network diagram.20.

you monitor the effects of Screen protection. ensure that the remote team within your pod is ready to continue on to Part 3.config [edit] [email protected]# commit commit complete [edit] [email protected]# Step 3. STOP Before proceeding. Commit the configuration when complete. enter configuration mode. Step 3. Note Leave both Telnet sessions opened to the vr-device for the time being. This result is expected and demonstrates the destination-based session limit is in effect. You return to these sessions in the next part of the lab. or go to the top of the configuration hierarchy if you are already in configuration mode. Junos Security Question: Did the second Telnet session between the remote virtual routers successfully establish? Is the result expected? Answer: As indicated in the output. From the Telnet session established with assigned SRX device. [edit] [email protected]# run show security screen statistics zone untrust www. Part 3: Monitoring Screen Protection In this lab part.2 Issue the run show security screen statistics zone untrust command and review the output.1 Return to the Telnet session established with your assigned SRX device. You must coordinate some of the monitoring efforts with the remote student team in your pod.net Implementing Screen Options (Detailed) • Lab 4–13 . [edit security screen] [email protected]# top [edit] [email protected]# load override jsec/lab4-part3-start. and load the lab4-part3-start.juniper.config from the /var/home/lab/jsec/ directory. the Telnet session is unable to establish.

ICMP large packet option and the destination session limit counter should all have non-zero counters.juniper.107.20.net .3 View the Screen option entries in your log by issuing the run show log messages | match RT_SCREEN command.Junos Security Screen statistics: IDS attack type Statistics ICMP flood 0 UDP flood 0 TCP winnuke 0 TCP port scan 0 ICMP address sweep 0 TCP sweep 0 UDP sweep 0 IP tear drop 0 TCP SYN flood 0 IP spoofing 0 ICMP ping of death 0 IP source route option 0 TCP land attack 0 TCP SYN fragment 0 TCP no flag 0 IP unknown protocol 0 IP bad options 0 IP record route option 2 IP timestamp option 0 IP security option 0 IP loose source route option 0 IP strict source route option 0 IP stream option 0 ICMP fragment 2 ICMP large packet 4 TCP SYN FIN 0 TCP FIN no ACK 0 Source session limit 0 TCP SYN-ACK-ACK proxy 0 IP block fragment 0 Destination session limit 9 Question: Do any of the listed counters show a non-zero value? Answer: Although the counters might vary. the IP record route option. ICMP fragment option.0 Lab 4–14 • Implementing Screen Options (Detailed) www. interface name: ge-0/0/3. Step 3.10. zone name: untrust. [edit] [email protected]# run show log messages | match RT_SCREEN Nov 5 14:22:21 srxC-1 RT_IDS: RT_SCREEN_SESSION_LIMIT: Dst IP session limit! destination: 172.

10.20. interface name: ge-0/0/3. interface name: ge-0/0/3.10.108.10.107. destination: 172.20.20.net Implementing Screen Options (Detailed) • Lab 4–15 .20. interface name: ge-0/0/3.10. interface name: ge-0/0/3.10.10.10.107.108. destination: 172.108. destination: 172.20. zone name: untrust.0 Nov 5 14:22:53 srxC-1 RT_IDS: RT_SCREEN_ICMP: ICMP fragment! source: 172.20.0 Nov 5 14:22:24 srxC-1 RT_IDS: RT_SCREEN_SESSION_LIMIT: Dst IP session limit! destination: 172.108.10.0 Nov 5 14:22:57 srxC-1 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.20.108.10. interface name: ge-0/0/3.20.107.107. zone name: untrust.20.107.107.10.20.10.0 Nov 5 14:22:56 srxC-1 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172. protocol-id: 1.107. zone name: untrust.10. zone name: untrust.20.0 Nov 5 14:23:09 srxC-1 RT_IDS: RT_SCREEN_IP: Record Route IP option! source: 172.20.107.0 Nov 5 14:22:53 srxC-1 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.108.10. interface name: ge-0/0/3.20.108.10. zone name: untrust.20.108. zone name: untrust. interface name: ge-0/0/3. zone name: untrust.0 Nov 5 14:22:54 srxC-1 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.10.108. Junos Security Nov 5 14:22:22 srxC-1 RT_IDS: RT_SCREEN_SESSION_LIMIT: Dst IP session limit! destination: 172.20.10. zone name: untrust.108.108. interface name: ge-0/0/3. interface name: ge-0/0/3.107.0 Nov 5 14:22:58 srxC-1 RT_IDS: RT_SCREEN_ICMP: ICMP fragment! source: 172.10.20.10.10. destination: 172. destination: 172.108. interface name: ge-0/0/3. destination: 172. destination: 172. zone name: untrust.10.107.0 Nov 5 14:22:35 srxC-1 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172. zone name: untrust. destination: 172. interface name: ge-0/0/3. zone name: untrust.107. destination: 172. destination: 172.0 Nov 5 14:22:28 srxC-1 RT_IDS: RT_SCREEN_SESSION_LIMIT: Dst IP session limit! destination: 172. zone name: untrust. interface name: ge-0/0/3.10.20.20.20.107.20.107.10.10.20.10.108.10.20.10.0 Nov 5 14:22:55 srxC-1 RT_IDS: RT_SCREEN_ICMP: ICMP fragment! source: 172. command 'run show log messages | match RT_SCREEN www. destination: 172.0 Nov 5 14:23:33 srxC-1 mgd[67166]: UI_CMDLINE_READ_LINE: User 'lab'.20.20. zone name: untrust.10.juniper.10.107.0 Nov 5 14:22:57 srxC-1 RT_IDS: RT_SCREEN_ICMP: ICMP fragment! source: 172. interface name: ge-0/0/3. destination: 172. interface name: ge-0/0/3. destination: 172. destination: 172.20.20.20.0 Nov 5 14:22:54 srxC-1 RT_IDS: RT_SCREEN_ICMP: ICMP fragment! source: 172.10.20. zone name: untrust. interface name: ge-0/0/3.10. interface name: ge-0/0/3.20.107.0 Nov 5 14:22:55 srxC-1 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.108.0 Nov 5 14:22:58 srxC-1 RT_IDS: RT_SCREEN_ICMP: Large ICMP packet! source: 172.107.0 Nov 5 14:22:56 srxC-1 RT_IDS: RT_SCREEN_ICMP: ICMP fragment! source: 172.20.20. zone name: untrust.107.10. interface name: ge-0/0/3. zone name: untrust. zone name: untrust.

108.31. address srxC-2 172.208.0/24. From the Telnet sessions established with the virtual router. address vr208 172.1/32. } [edit security zones security-zone untrust] [email protected]# commit and-quit commit complete Exiting configuration mode [email protected]> STOP Ensure that the remote student team within your pod has finished the previous step before proceeding.15. Commit the configuration and return to operational mode.juniper.20.0/24. Step 3. Lab 4–16 • Implementing Screen Options (Detailed) www.0.4 Delete the Screen option internet-protect from the [edit security zone security-zone untrust] configuration hierarchy. } interfaces { ge-0/0/3. [edit] [email protected]# edit security zones security-zone untrust [edit security zones security-zone untrust] [email protected]# delete screen [edit security zones security-zone untrust] [email protected]# show address-book { address vr108 172. address internet-host 172.18.20. check with the remote team in your pod to ensure they have completed Part 2 of the lab.5 Return to the Telnet sessions established with the virtual router.Junos Security Question: Have Screen option violations logged to your security log? Answer: The answer should be yes. attempt to open two Telnet sessions between the virtual routers associated with the Juniper-local and Juniper-remote zones again.0/30. If you do not see any violations logged. You must re-establish sessions if any of your sessions timed out.net .2. Step 3.

10. Please only configure your own virtual router. Escape character is '^]'.20.net Implementing Screen Options (Detailed) • Lab 4–17 .7 built 2012-05-14 22:22:03 UTC NOTE: This router is divided into many virtual routers used by different teams. vr-device (ttyp0) login: username Password: --.juniper.108. www. Connected to 172. [email protected]> [email protected]> telnet remote-Juniper-VR routing-instance local-Juniper-VR Trying 172.. You must use 'configure private' to configure this router.4R3..JUNOS 11.7 built 2012-05-14 22:22:03 UTC NOTE: This router is divided into many virtual routers used by different teams.108. The instance names match the names of the virtual routers listed on the network diagram. Now that the Screen is no longer in place. You must use 'configure private' to configure this router.108. [email protected]> Question: Can you establish two Telnet sessions between the remote virtual routers? Answer: The answer should be yes.. Junos Security Note Remember to reference the appropriate instance name when sourcing Telnet traffic from a virtual router.4R3.20. [email protected]> telnet remote-Juniper-VR routing-instance local-Juniper-VR Trying 172.10. vr-device (ttyp0) login: username Password: --. Connected to 172.10. Escape character is '^]'. no session limits should be in place..10. Please only configure your own virtual router.JUNOS 11.108.20.20.

type exit to end the Telnet session between the remote virtual routers.014/9.6 Exit the second Telnet session between the remote virtual routers.317/0.20. 0% packet loss round-trip min/avg/max/stddev = 8.10): 2000 data bytes !!!!! --. From the remaining Telnet session established with the virtual router.172. [email protected]> Step 3.106. [email protected]> exit Connection closed by foreign host.10 ping statistics --- 5 packets transmitted. Lab 4–18 • Implementing Screen Options (Detailed) www. The instance names match the names of the virtual routers listed on the network diagram.8 Attempt to ping between the remote virtual routers associated with the Juniper-local and Juniper-remote zones. Specify a size of 2000 bytes.7 Return to the remaining Telnet session that is established with the virtual router. Next exit the second Telnet session opened to the vr-device. you should have only one Telnet session opened to the vr-device.20. [email protected]> exit Note At this point. no limits should be in place on large or fragmented ICMP packets.Junos Security Step 3. Now that the internet-protect Screen is no longer in place.803 ms Question: Can you ping with a size of 2000 bytes between the remote virtual routers? Answer: The answer should be yes. Step 3.106.225/10.20. Note Remember to reference the appropriate instance name when sourcing Telnet traffic from a virtual router.net .juniper.10 (172. [email protected]> ping remote-Juniper-VR routing-instance local-Juniper-VR rapid size 2000 PING 172. 5 packets received. [email protected]evice> exit Connection closed by foreign host.106.

juniper. Junos Security STOP Tell your instructor that you have completed Lab 4.net Implementing Screen Options (Detailed) • Lab 4–19 . www.

Junos Security Lab 4–20 • Implementing Screen Options (Detailed) www.juniper.net .

1R1. you will implement Network Address Translation (NAT). • Configure and verify proxy ARP.net Network Address Translation (Detailed) • Lab 5–1 12. you will perform the following tasks: • Configure and monitor interface-based source NAT. The lab is available in two formats: a high-level format designed to make you think through each step and a detailed format that offers step-by-step instructions complete with sample output from most commands. • Configure and monitor pool-based source NAT. • Configure and monitor pool-based destination NAT. The lab is also designed for modularity. www. By completing this lab. If you are completing the lab from start to finish. You will configure and monitor both source and destination NAT.a. including pool-based NAT and interface-based NAT.12.9 . where you might be directed to load a starting configuration at the beginning of each lab part. Lab 5 Network Address Translation (Detailed) Overview In this lab.juniper. there is no need to load the starting configuration for each lab part.

2 Access the command-line interface (CLI) at your station using either the console. Consult the Management Network Diagram to determine the management address of your student device.14. Step 1. The actual management address varies between delivery environments.1 Ensure that you know to which student device you have been assigned.config from the /var/home/lab/jsec/ directory.210. Traffic originating from the virtual routers attached to your assigned device and destined for the Internet host will be subject to NAT.net . Enter configuration mode and load the lab5-start. which uses 10. Check with your instructor if you are not certain.3 Log in as user lab with the password lab123.137 as its management IP address.Junos Security Part 1: Interface-Based Source NAT In this lab part. Step 1. Telnet. The sample hostname and IP address used in the output examples in this lab are for srxD-1. Step 1. or SSH as directed by your instructor. Question: What is the management address assigned to your student router? Answer: The answer varies. Commit the configuration when complete. srxD-1 (ttyu0) login: lab Password: Lab 5–2 • Network Address Translation (Detailed) www. you enable interface-based source NAT.juniper.

5 Create a rule set named internet-bound. but in this case. [edit security nat source] [email protected]# set rule-set internet-bound from interface ge-0/0/4.JUNOS 12.1R1. two rule sets would be necessary. Also configure the rule set with a to context to match traffic destined to the untrust zone.config load complete [edit] [email protected]# commit commit complete [edit] [email protected]# Step 1.9 built 2012-03-24 12:12:49 UTC [email protected]> configure Entering configuration mode [edit] [email protected]# load override jsec/lab5-start. Because no configured routing instances are on your assigned device.4 Navigate to the [edit security nat source] hierarchy. Associate the rule set with a from context to match traffic from both your local Juniper and ACME customer interfaces. [edit] [email protected]# edit security nat source [edit security nat source] [email protected]# Step 1. Junos Security --.juniper.local-ACME-unit [edit security nat source] [email protected]# set rule-set internet-bound to zone untrust Question: What other contexts could you use for the from statement? Answer: You could use a from context referencing the source security zones. www.net Network Address Translation (Detailed) • Lab 5–3 . the from routing-instance context is not applicable to this step.local-Juniper-unit [edit security nat source] [email protected]# set rule-set internet-bound from interface ge-0/0/4.

Refer to the Management Network Diagram for the IP address of the vr-device.6 Navigate to the [edit security nat source rule-set internet-bound] configuration hierarchy. } } } [edit security nat source rule-set internet-bound] [email protected]# Step 1.Junos Security Step 1.31.7 Commit your configuration and return to operational mode. Step 1.juniper.15.107 ge-0/0/4.8 Open a separate Telnet session to the virtual router attached to your team device. The virtual routers are logical devices created on a J Series Services Router. [edit security nat source] [email protected]# edit rule-set internet-bound [edit security nat source rule-set internet-bound] [email protected]# set rule 1 match destination-address 172.15.207 ]. } then { source-nat { interface. to zone untrust. The rule should apply interface-based NAT to all traffic with a destination address of the Internet host as depicted on your lab diagram. Lab 5–4 • Network Address Translation (Detailed) www.1/32 [edit security nat source rule-set internet-bound] [email protected]# set rule 1 then source-nat interface [edit security nat source rule-set internet-bound] [email protected]# show from interface [ ge-0/0/4.1/32. [edit security nat source rule-set internet-bound] [email protected]# commit and-quit commit complete Exiting configuration mode [email protected]> Note The next lab steps require you to log in to the virtual router attached to your team’s device. Create a NAT rule named 1.31.net . rule 1 { match { destination-address 172.

You must use 'configure private' to configure this router.4R3.net Network Address Translation (Detailed) • Lab 5–5 . Junos Security Step 1. [email protected]> www.9 Log in to the virtual router using the login information shown in the following table: Virtual Router Login Details Student Device Username Password srxA-1 a1 lab123 srxA-2 a2 lab123 srxB-1 b1 lab123 srxB-2 b2 lab123 srxC-1 c1 lab123 srxC-2 c2 lab123 srxD-1 d1 lab123 srxD-2 d2 lab123 vr-device (ttyd0) login: username Password: --.7 built 2012-05-14 22:22:03 UTC NOTE: This router is divided into many virtual routers used by different teams. Please only configure your own virtual router.juniper.JUNOS 11.

107. the Telnet session sources from the internal IP address 172. vr-device (ttyp0) login: username Password: --.JUNOS 11.Junos Security Step 1.15. Lab 5–6 • Network Address Translation (Detailed) www.31.1/23. but the return traffic has a destination of the WAN interface address.107.10/65026 --> 172.15. view the session table. initiate a Telnet session to the Internet host device.11 Return to the Telnet session established with your assigned SRX device.31.10 From the Telnet session established with the virtual router.31.12 Issue the show security nat source rule all command and answer the question that follows.1. Use the same login credentials as used for your current vr-device Telnet session.tcp. Pkts: 22.juniper.20. Valid In: 172.2/23879. From the Telnet session established with your assigned SRX device.4R3.31.net . Please only configure your own virtual router. You must use 'configure private' to configure this router. Policy name: internet-Juniper-SV/10. [email protected]> telnet 172.15. Source the connection from the virtual router’s routing instance associated with your local Juniper customer network...0. Escape character is '^]'.tcp. Pkts: 27.15. If: ge-0/0/3.1. [email protected]> Step 1.10.15. Step 1.1/23 --> 172. If: ge-0/0/4.7 built 2012-05-14 22:22:03 UTC NOTE: This router is divided into many virtual routers used by different teams.20.107.18. [email protected]> show security flow session Session ID: 58859. As indicated by the output taken from srxD-1. Bytes: 1596 Total sessions: 1 Question: Do the session table results indicate expected behavior? Answer: Yes.1 routing-instance VR-Juniper-instance Trying 172. Timeout: 1118. Bytes: 1567 Out: 172.1.31. Connected to 172.

but the Translation hits counter should show one hit at a minimum.0 Action : interface Persistent NAT type : N/A Persistent NAT mapping type : address-port-mapping Inactivity timeout : 0 Max session number : 0 Translation hits : 1 Question: How many hits has this NAT rule received? Answer: The answer might vary. You will use the loopback IP address of your assigned device as a public address that will be translated to an internal address belonging to a virtual router attached to your device. or go to the top of the configuration hierarchy if you are already in configuration mode. and load the lab5-part2-start.15.net Network Address Translation (Detailed) • Lab 5–7 . From your assigned SRX device. you configure pool-based destination NAT for traffic originating from the remote device in your assigned pod. From the Telnet session established with the virtual router.1 If necessary. Commit the configuration when complete.15. [email protected]> exit Connection closed by foreign host.juniper. enter configuration mode.172.13 Return to the Telnet session established with the virtual router. Step 2.107 : ge-0/0/4. Step 1. [email protected]> Part 2: Pool-Based Destination NAT In this lab part.207 To zone untrust: Destination addresses : 172.config from the /var/home/lab/jsec/ directory. Junos Security [email protected]> show security nat source rule all Total rules: 1 Total referenced IPv4/IPv6 ip-prefixes: 1/0 source NAT rule: 1 Rule-set: internet-bound Rule-Id 1 : Rule position 1 : From interface : ge-0/0/4. www.1 Destination port 0 : . exit the extra Telnet session using the exit command.31.31. return to your assigned SRX device.1 .

4 Configure a destination NAT rule set named from-internet.juniper. } Step 2.3 Consult your lab diagram to identify the host IP address of the virtual router associated with your local ACME customer zone. This translation should utilize the webserver pool you configured. [edit security nat destination] [email protected]# set pool webserver address local-ACME-VR-host [edit security nat destination] [email protected]# show pool webserver { address 172.net .2 Navigate to the [edit security nat destination] hierarchy.5 Under the from-internet rule set.20.10/32. Configure a destination NAT pool named webserver that specifies the virtual router host address.config load complete [edit] [email protected]# commit commit complete Step 2. The rule should apply destination NAT to traffic that originates from the network associated with your remote team’s ge-0/0/3 interface and that has your loopback address as its destination. [edit security nat destination] [email protected]# edit rule-set from-internet rule 1 [edit security nat destination rule-set from-internet rule 1] [email protected]# set match source-address remote-srx-Internet-subnet [edit security nat destination rule-set from-internet rule 1] [email protected]# set match destination-address local-loopback-address Lab 5–8 • Network Address Translation (Detailed) www.Junos Security [edit] [email protected]# load override jsec/lab5-part2-start.207. The associated context should be from the untrust zone. configure a destination NAT rule named 1. [edit] [email protected]# edit security nat destination [edit security nat destination] [email protected]# Step 2. [edit security nat destination] [email protected]# set rule-set from-internet from zone untrust Step 2.

6 In the next two steps. Configure the source-address to match the existing address book entry configured under the untrust zone for the remote team’s ge-0/0/3 interface subnet.1/32. you will create a security policy to allow traffic from the remote student team destined to your local ACME customer network.207.7 Configure a security policy that allows HTTP and Telnet traffic from the remote student device in your pod to reach the virtual router associated with your local ACME customer network.168.2.0/30.1. Name the new security policy webserver. Step 2. } rule-set from-internet { from zone untrust. Configure the destination-address to match the address-book entry for your local ACME customer network. rule 1 { match { source-address 172.juniper.18. [edit security nat destination] [email protected]# top edit security policies from-zone untrust to-zone ACME-local [edit security policies from-zone untrust to-zone ACME-SV] [email protected]# Step 2. } then { destination-nat pool webserver.net Network Address Translation (Detailed) • Lab 5–9 . Navigate to the [edit security policy from-zone untrust to-zone ACME-local] configuration hierarchy. destination-address 192. Junos Security [edit security nat destination rule-set from-internet rule 1] [email protected]# set then destination-nat pool webserver [edit security nat destination rule-set from-internet rule 1] [email protected]# up 2 [edit security nat destination] [email protected]# show pool webserver { address 172.20.10/32. no security policy exists in the configuration that allows traffic from the untrust zone to your local ACME customer zone. } } } Question: Are any changes required to your security policy configuration to allow this traffic? Answer: Yes. Currently. www.

destination-address vr207.8 Commit your configuration and return to operational mode.18. [edit security policies from-zone untrust to-zone ACME-SV] [email protected]# commit and-quit commit complete Exiting configuration mode STOP Before proceeding. } then { permit.108.Junos Security [edit security policies from-zone untrust to-zone ACME-SV] [email protected]# top show security zones security-zone untrust address-book address vr108 172.0/24.0/30.net . [edit security policies from-zone untrust to-zone ACME-SV] [email protected]# top show security zones security-zone zone-name address-book address vr207 172. [edit security policies from-zone untrust to-zone ACME-SV] [email protected]# set policy webserver match source-address remote-srxName [edit security policies from-zone untrust to-zone ACME-SV] [email protected]# set policy webserver match destination-address local-ACME-vrName [edit security policies from-zone untrust to-zone ACME-SV] [email protected]# set policy webserver match application junos-telnet [edit security policies from-zone untrust to-zone ACME-SV] [email protected]# set policy webserver match application junos-http [edit security policies from-zone untrust to-zone ACME-SV] [email protected]# set policy webserver then permit [edit security policies from-zone untrust to-zone ACME-SV] [email protected]# show policy webserver { match { source-address srxD-2. ensure that the remote student team within your pod is ready to continue on to the next step. address vr208 172.juniper.20.1/32.0/24. address srxD-2 172.2. } } Step 2.0/24.20.208.207. application [ junos-telnet junos-http ].15.20. address internet-host 172. Lab 5–10 • Network Address Translation (Detailed) www.31.

[email protected]> www.4R3.2. attempt a Telnet session to the loopback IP address of your remote team’s device. When both teams in your assigned pod finish performing the above configuration.9 Note In this step.2. When prompted for a login. You must use 'configure private' to configure this router... you are initiating a Telnet session directly from your assigned device. use the login information shown in the following table: Virtual Router Login Details Student Device Username Password srxA-1 a1 lab123 srxA-2 a2 lab123 srxB-1 b1 lab123 srxB-2 b2 lab123 srxC-1 c1 lab123 srxC-2 c2 lab123 srxD-1 d1 lab123 srxD-2 d2 lab123 [email protected]> telnet remote-loopback-address Trying 192. Junos Security Step 2.1. vr-device (ttyp0) login: username Password: --. Escape character is '^]'.net Network Address Translation (Detailed) • Lab 5–11 .168. Initiate this Telnet session from your assigned SRX Series device. Please only configure your own virtual router.168.JUNOS 11.1.7 built 2012-05-14 22:22:03 UTC NOTE: This router is divided into many virtual routers used by different teams. Connected to 192.juniper.

the output indicates traffic destined to the remote team’s loopback interface IP address is translating to the appropriate IP address. is destination NAT operating correctly on your partnering team’s assigned device? Answer: Provided the Telnet session successfully established with the vr-device.1R1. srxD-1 (ttyp0) login: lab Password: --.Junos Security Question: From your observations.juniper. Question: Why did the remote team’s assigned device not respond to the Telnet request instead of the remote virtual router? Answer: Recall that destination NAT occurs before routing and policy checks in the packet flow. Step 2.9 built 2012-03-24 12:12:49 UTC [email protected]> Lab 5–12 • Network Address Translation (Detailed) www.net . Log in as user lab.10 Open a second Telnet session to your assigned device for monitoring the sessions in progress.JUNOS 12.

11 Issue the show security flow session command and answer the question that follows.1/23. If: ge-0/0/4.2/55028 --> 192. If: . If: ge-0/0/3. Bytes: 3028 Total sessions: 3 Question: What sessions are present in the session table? Answer: Provided the partnering team in your assigned pod initiated a Telnet session destined for your loopback IP address. Valid In: 10.18.133/61579.0.tcp.2.207.2/62411 --> 192. Bytes: 1567 Out: 192.168.133/61579 --> 10. Pkts: 67.168.210. Bytes: 3672 Out: 10.2/62411.tcp.1.210.. Pkts: 45.210.2. Bytes: 1596 Session ID: 60880.0. Pkts: 27. Valid In: 172. If: ge-0/0/0.137/23. Policy name: self-traffic-policy/1. Timeout: 1800. Policy name: self-traffic-policy/1.137/23 --> 10.1/23 --> 172.14. Timeout: 1464.1/23. Policy name: webserver/8.168.2/55028.210. at least three sessions should display.18. One session represents the Telnet session initiated by your team. Timeout: 1794. Junos Security Step 2.local.1.207. Pkts: 22.20.18.2.0. If: .tcp.1.14.tcp.2. Bytes: 3211 Session ID: 60937. [email protected]> show security nat destination pool all Total destination-nat pools: 1 Pool name : webserver Pool id : 1 Total address : 1 Translation hits: 1 www. If: ge-0/0/3.12 Issue the show security nat destination pool all command and answer the question that follows. [email protected]> show security flow session Session ID: 60816.14. One session represents the additional Telnet session opened directly with your assigned device.0.tcp.0..local. Bytes: 3413 Out: 172.18. Pkts: 62.10/23 --> 172. Step 2. One session represents the Telnet session opened by the remote team in your assigned pod.tcp.net Network Address Translation (Detailed) • Lab 5–13 . Valid In: 172.juniper. Pkts: 48.14.

1 If necessary. Commit the configuration when complete.juniper.172.10 0 Question: Are translation hits present for your destination NAT pool? Answer: Provided the partnering team in your assigned pod initiated a Telnet session destined for your loopback IP address.config from the /var/home/lab/jsec/ directory.13 Return to the initial session established with your assigned SRX device.20. You will enable an overflow pool should the source NAT pool become exhausted. the translation hits counter should show at least one hit. or go to the top of the configuration hierarchy if you are already in configuration mode. From the initial session established with your assigned SRX device. return to your assigned SRX device.config load complete [edit] [email protected]# commit commit complete Step 3.2 Navigate to the [edit security nat source] configuration hierarchy. From your assigned SRX device. [edit] [email protected]# edit security nat source Lab 5–14 • Network Address Translation (Detailed) www. [edit] [email protected]# load override jsec/lab5-part3-start.10 .20.207.Junos Security Address range Port 172.207. exit the Telnet session opened with the remote virtual router. [email protected]> Part 3: Pool-Based Source NAT with Overflow Pool In this lab part. you configure pool-based source NAT between the virtual routers attached to your assigned device. Step 2.net . and load the lab5-part3-start. Step 3. enter configuration mode. [email protected]> exit Connection closed by foreign host.

20.20.104.2 172.2 172.2 172.106.net Network Address Translation (Detailed) • Lab 5–15 .206. You are creating a source NAT pool for both virtual routers attached to your assigned device.202.2 172.20.juniper.3 Create two new source NAT address pools.204.20.108.103.20.20.207.9 srxD-1 vr207 172.101.20. Configure each pool to use the egress interface should the NAT pool become exhausted.201.204.20.101.20.2 172.207.9 srxC-2 vr106 172.2 172.208.20.9 srxC-1 vr205 172.208.9 srxB-1 vr203 172.102. Name one pool after the name shown on the lab diagram for your local Juniper virtual router.20. Each NAT pool should consist of an address range associated with the neighboring virtual router.205. Disable port translation for both pools.203.105. Use the address range information shown in the following table.20.2 172.9 www.20. and another pool for your local ACME virtual router.9 srxB-2 vr204 172.201.20.20.202.20.107.20.20.203.9 srxD-1 vr107 172.20.20.2 172. Junos Security [edit security nat source] [email protected]# Step 3.20.20.9 srxB-2 vr104 172.20.104.108.206. Note Pay close attention to the instructions in this step.9 srxA-2 vr202 172.105.20.9 srxB-1 vr103 172.102.20.20.9 srxA-1 vr201 172.20.2 172.106.9 srxC-1 vr105 172. Proxy Arp Address Ranges Student Device NAT Pool Range Start Range End srxA-1 vr101 172.2 172.205.20.20.103.2 172.2 172.2 172.2 172.9 srxC-2 vr206 172.107.9 srxD-2 vr208 172. the source address pool consists of IP addresses belonging to the subnet of the virtual router opposite for which you are configuring the pool.20.20. However.9 srxD-2 vr108 172.2 172.20.2 172.9 srxA-2 vr102 172.

rule-set vr107 { from zone Juniper-SV. } pool vr207 { address { 172.TRIMMED..TRIMMED.9/32.207. } port no-translation. } . Step 3.. [edit security nat source] [email protected]# set rule-set rule-set-name from zone Juniper-local [edit security nat source] [email protected]# set rule-set rule-set-name to zone ACME-local [edit security nat source] [email protected]# show .20.Junos Security [edit security nat source] [email protected]# set pool local-Juniper-VR port no-translation [edit security nat source] [email protected]# set pool local-Juniper-VR overflow-pool interface [edit security nat source] [email protected]# set pool local-Juniper-VR address range-start to range-end [edit security nat source] [email protected]# set pool local-ACME-VR port no-translation [edit security nat source] [email protected]# set pool local-ACME-VR overflow-pool interface [edit security nat source] [email protected]# set pool local-ACME-VR address range-start to range-end [edit security nat source] [email protected]# show pool vr107 { address { 172. and srx2 will use a context of from zone JUNIPER-WF and to zone ACME-WF. For example.20..2/32 to 172.107.207.. } Lab 5–16 • Network Address Translation (Detailed) www. overflow-pool interface..4 Create a source NAT rule-set that assigns a directional context from your local Juniper zone to your local ACME zone.9/32. } port no-translation..20. srx1 will use a context of from zone JUNIPER-SV and to zone ACME-SV.20.107.juniper.net .. to zone ACME-SV.2/32 to 172. overflow-pool interface..

to zone ACME-SV.4. srx1 will use a context of from zone ACME-SV and to zone JUNIPER-SV. rule Juniper-to-ACME { match { source-address 172. (Hint: the pool name matches the rule set name under which it is configured.juniper.107. For example.5 Create a source NAT rule-set that assigns a directional context from your local ACME zone to your local Juniper zone. Junos Security Step 3..TRIMMED.6 Within the rule set created in Step 3.0/24. to zone Juniper-SV. rule-set vr207 { from zone ACME-SV. } } } } www. [edit security nat source] [email protected]# set rule-set rule-set-name from zone ACME-local [edit security nat source] [email protected]# set rule-set rule-set-name to zone Juniper-local [edit security nat source] [email protected]# show .. } Step 3. Configure the then action statement to specify source-nat using the appropriate configured source address pool. Srx2 will use a context of from zone ACME-WF and to zone JUNIPER-WF.net Network Address Translation (Detailed) • Lab 5–17 . create a rule named Juniper-to-ACME. Configure the source address to match traffic from your local Juniper customer network.. } then { source-nat { pool { vr107..20.) [edit security nat source] [email protected]# edit rule-set rule-set-name [edit security nat source rule-set vr107] [email protected]# set rule Juniper-to-ACME match source-address local-Juniper-subnet [edit security nat source rule-set vr107] [email protected]# set rule Juniper-to-ACME then source-nat pool pool-name [edit security nat source rule-set vr107] [email protected]# show from zone Juniper-SV.

Junos Security
Step 3.7
Within the rule set created in Step 3.5, create a rule named ACME-to-Juniper.
Configure the source address to match traffic from your local ACME customer
network. Configure the then action statement to specify source-nat using the
appropriate configured source address pool. (Hint: the pool name matches the rule
set name under which it is configured.)
[edit security nat source rule-set vr107]
[email protected]# up

[edit security nat source]
[email protected]# edit rule-set rule-set-name

[edit security nat source rule-set vr207]
[email protected]# set rule ACME-to-Juniper match source-address local-ACME-subnet

[edit security nat source rule-set vr207]
[email protected]# set rule ACME-to-Juniper then source-nat pool pool-name

[edit security nat source rule-set vr207]
[email protected]# show
[edit security nat source rule-set vr207]
[email protected]# show
from zone ACME-SV;
to zone Juniper-SV;
rule ACME-to-Juniper {
match {
source-address 172.20.207.0/24;
}
then {
source-nat {
pool {
vr207;
}
}
}
}

Question: You configured source NAT for traffic
between the virtual routers attached to your
assigned device. Do any existing security policies
allow this traffic?

Answer: As shown in the following capture from
srxD-1, no security policies are in place for traffic
between the attached virtual routers. We configure
the appropriate security policies next.

[edit security nat source rule-set vr207]
[email protected]# top show security policies from-zone Juniper-local to-zone
ACME-local

Lab 5–18 • Network Address Translation (Detailed) www.juniper.net

Junos Security
[edit security nat source rule-set vr207]
[email protected]# top show security policies from-zone ACME-local to-zone
Juniper-local

[edit security nat source rule-set vr207]
[email protected]#
Step 3.8
Navigate to the [edit security policies] hierarchy.
[edit security nat source rule-set vr207]
[email protected]# top edit security policies

[edit security policies]
[email protected]#
Step 3.9
Create two security policies that allow traffic matching the internal-apps
application set to flow between the virtual routers attached to your assigned device.
Name the policies using the same format as the NAT rules you just created,
Juniper-to-ACME and ACME-to-Juniper, each corresponding to the
appropriate source and destination virtual router names. Match on the appropriate
source and destination address book entries that exist within the security zone
configuration.
[edit security policies]
[email protected]# edit from-zone Juniper-local to-zone ACME-local policy
Juniper-to-ACME

[edit security policies from-zone Juniper-SV to-zone ACME-SV policy
Juniper-to-ACME]
[email protected]# set match source-address local-Juniper-vrName

[edit security policies from-zone Juniper-SV to-zone ACME-SV policy
Juniper-to-ACME]
[email protected]# set match destination-address local-ACME-vrName

[edit security policies from-zone Juniper-SV to-zone ACME-SV policy
Juniper-to-ACME]
[email protected]# set match application internal-apps

[edit security policies from-zone Juniper-SV to-zone ACME-SV policy
Juniper-to-ACME]
[email protected]# set then permit

[edit security policies from-zone Juniper-SV to-zone ACME-SV policy
Juniper-to-ACME]
[email protected]# up 2

[edit security policies]
[email protected]# edit from-zone ACME-local to-zone Juniper-local policy
ACME-to-Juniper

[edit security policies from-zone ACME-SV to-zone Juniper-SV policy
ACME-to-Juniper]

www.juniper.net Network Address Translation (Detailed) • Lab 5–19

Junos Security
[email protected]# set match source-address local-ACME-vrName

[edit security policies from-zone ACME-SV to-zone Juniper-SV policy
ACME-to-Juniper]
[email protected]# set match destination-address local-Juniper-vrName

[edit security policies from-zone ACME-SV to-zone Juniper-SV policy
ACME-to-Juniper]
[email protected]# set match application internal-apps

[edit security policies from-zone ACME-SV to-zone Juniper-SV policy
ACME-to-Juniper]
[email protected]# set then permit

[edit security policies from-zone ACME-SV to-zone Juniper-SV policy
ACME-to-Juniper]
[email protected]# up 2

[edit security policies]
[email protected]# show from-zone Juniper-SV to-zone ACME-SV
policy Juniper-to-ACME {
match {
source-address vr107;
destination-address vr207;
application internal-apps;
}
then {
permit;
}
}

[edit security policies]
[email protected]# show from-zone ACME-SV to-zone Juniper-SV
policy ACME-to-Juniper {
match {
source-address vr207;
destination-address vr107;
application internal-apps;
}
then {
permit;
}
}

[edit security policies]
[email protected]#
Step 3.10
Commit your configuration and return to operational mode.
[edit security policies]
[email protected]# commit and-quit
commit complete

Lab 5–20 • Network Address Translation (Detailed) www.juniper.net

Junos Security
Exiting configuration mode

[email protected]>
Step 3.11
Open a separate Telnet session to the virtual router attached to your team device.

Step 3.12
Log in to the virtual router using the login information shown in the following table:
Virtual Router Login Details

Student Device Username Password
srxA-1 a1 lab123
srxA-2 a2 lab123
srxB-1 b1 lab123
srxB-2 b2 lab123
srxC-1 c1 lab123
srxC-2 c2 lab123
srxD-1 d1 lab123
srxD-2 d2 lab123

vr-device (ttyd0)

login: username
Password:

--- JUNOS 11.4R3.7 built 2012-05-14 22:22:03 UTC

www.juniper.net Network Address Translation (Detailed) • Lab 5–21

.. If: ge-0/0/4.10.107. Note Remember to reference the appropriate instance name when sourcing Telnet traffic from a virtual router.2/55688.20.20. [email protected]> show security flow session Session ID: 64720. The instance names match the names of the virtual routers listed on the network diagram. Valid In: 172.tcp.207.Junos Security NOTE: This router is divided into many virtual routers used by different teams. [email protected]> Step 3. You must use 'configure private' to configure this router.10: Operation timed out telnet: Unable to connect to remote host Question: Did the Telnet session successfully establish? Answer: As indicated in the output.net .20. the Telnet session could not establish.20. Bytes: 288 Out: 172.207.20. If: ge-0/0/4.14 Return to the Telnet session established with your assigned SRX device.10/23 --> 172.tcp.10/23. Timeout: 8. [email protected]> telnet local-ACME-VR routing-instance local-Juniper-VR Trying 172. Policy name: Juniper-to-ACME/13. Please only configure your own virtual router. Pkts: 5.13 From the Telnet session established with the virtual router. Step 3. From the Telnet session established with your assigned SRX device.207.10/55688 --> 172. issue the show security flow session command and answer the questions that follow. Bytes: 0 Total sessions: 1 Lab 5–22 • Network Address Translation (Detailed) www. initiate a Telnet session between the virtual routers attached to your assigned device in either direction.20. Use the same login credentials used in the previous step.207.juniper. Pkts: 0.207.207. telnet: connect to address 172.107.

If you do not see the session in your session table. Junos Security Note Because the TCP three-way handshake does not complete. the session might have timed out. can you think of a routing-related reason why the Telnet session did not establish? Answer: When the remote virtual router attempts to respond to the Telnet request. immediately followed by the show security flow session command on your assigned device. try issuing the Telnet command on the vr-device. Step 3. Question: Because the flow session is populating in your session table. the response is directed to an IP address belonging to the source NAT pool. the session only shows in the session table for a few seconds.juniper. Question: What does the output of this command indicate? Answer: As shown in the example from srxD-1. Recall from the classroom lecture that this situation requires proxy ARP. Repeat the Telnet command on the vr-device and immediately issue the command on your assigned device. If you do not see the session.15 Enter configuration mode and navigate to the [edit security nat proxy-arp] configuration hierarchy. [email protected]> configure Entering configuration mode [edit] [email protected]# edit security nat proxy-arp www.net Network Address Translation (Detailed) • Lab 5–23 . This pool consists of addresses that belong to the interface’s directly attached subnet. the output indicates a session forms and source NAT translation performs correctly.

9 srxA-2 102 172.2 172.204.20.106.106.108.208.107. Each interface should perform proxy ARP for the range of addresses included in the source NAT pool of the adjacent virtual router.104.208.104.102.20.2 172.juniper.201.2 172.20.9 srxC-2 106 172.20.206.20.20.202.20.9 srxB-1 103 172.16 Under the ge-0/0/4 interface.2 172.20.107.20.20.2 172.206.107] [email protected]# up [edit security nat proxy-arp] [email protected]# edit interface ge-0/0/4.101.Junos Security [edit security nat proxy-arp] [email protected]# Step 3.205.20.2 172.207.2 172.108.20.20.2 172.9 srxD-1 207 172.20.2 172.20.102.2 172.local-ACME-unit Lab 5–24 • Network Address Translation (Detailed) www.20.9 srxB-2 204 172.9 srxB-2 104 172.9 [edit security nat proxy-arp] [email protected]# edit interface ge-0/0/4.9 srxC-1 205 172.20.105.20.2 172.9 srxC-1 105 172.20.20.103.107] [email protected]# set unit address range-start to range-end [edit security nat proxy-arp interface ge-0/0/4.2 172.201.20.20.20.9 srxD-2 208 172.105.20.207.20.20. configure both logical units attached to your virtual routers to perform proxy ARP.20.2 172.20.9 srxA-1 201 172.103.20.101.20. Use the address range information shown in the following table for your assigned SRX device: Proxy ARP Address Ranges Student Device Logical Unit Range Start Range End srxA-1 101 172.202.9 srxD-2 108 172.20.9 srxC-2 206 172.9 srxD-1 107 172.2 172.20.2 172.2 172.9 srxA-2 202 172.local-Juniper-unit [edit security nat proxy-arp interface ge-0/0/4.205.net .204.203.203.9 srxB-1 203 172.

7 built 2012-05-14 22:22:03 UTC www.net Network Address Translation (Detailed) • Lab 5–25 .107.2/32 to 172.10.20.juniper.207] [email protected]# set address range-start to range-end [edit security nat proxy-arp interface ge-0/0/4.20.4R3.9/32. Connected to 172.107 { address { 172.. Note Remember to reference the appropriate instance name when sourcing Telnet traffic from a virtual router.18 Return to the Telnet session established with the virtual router.20. [email protected]> telnet local-ACME-VR routing-instance local-Juniper-VR Trying 172.9/32. From the Telnet session established with the virtual router.JUNOS 11.20. attempt to establish a Telnet session between the virtual routers once again.207 { address { 172. Escape character is '^]'.207. } } Step 3.17 Commit your configuration and return to operational mode.207.20.10.20. vr-device (ttyp0) login: username Password: --. } } interface ge-0/0/4. [edit security nat proxy-arp] [email protected]# commit and-quit commit complete Exiting configuration mode [email protected]> Step 3..2/32 to 172.207.107.207.207] [email protected]# up [edit security nat proxy-arp] [email protected]# show interface ge-0/0/4. Junos Security [edit security nat proxy-arp interface ge-0/0/4. The instance names match the names of the virtual routers listed on the network diagram.

20. [email protected]> Question: Did the second Telnet attempt between the attached virtual routers successfully establish? Answer: As indicated in the output.juniper.207. the Telnet session established and source NAT is in place.20. If: ge-0/0/4. [email protected]> show security flow session Session ID: 65071.Junos Security NOTE: This router is divided into many virtual routers used by different teams.tcp. Valid In: 172.107. If: ge-0/0/4.20. the session acquired IP address 172.tcp. Pkts: 28. Lab 5–26 • Network Address Translation (Detailed) www. Step 3.5/65306.10/23 --> 172. In this example from srxD-1.10/23. You must use 'configure private' to configure this router. Policy name: Juniper-to-ACME/13.207.5.207. Bytes: 1631 Out: 172. Bytes: 1596 Total sessions: 1 Question: Does the output indicate source NAT between the attached virtual routers is operating normally? Answer: As indicated in the output. traffic from vr107 is translating to 172.20.5.207.19 Return to the terminal session connected to your assigned device and issue the show security flow session command.10/65306 --> 172.207. Timeout: 1740.207.107. the Telnet session did establish. In this example from srxD-1. Please only configure your own virtual router.net . Question: What IP address did your Telnet session receive from the source NAT pool? Answer: The answer varies.20. Pkts: 22.20.

Junos Security Step 3.107 untrust interface 1 ge-0/0/4.207 Juniper-to-ACME vr107 Juniper-SV ACME-SV vr107 ACME-to-Juniper vr207 ACME-SV Juniper-SV vr207 Question: How many configured source NAT rules are on your assigned device? Answer: As indicated in the output.0 Port : no translation port overloading : 0 Overflow pool : interface www.net Network Address Translation (Detailed) • Lab 5–27 .9 0 0 Pool name : vr207 Pool id : 5 Routing instance : default Host address base : 0. Step 3.juniper.20.0.172.107. [email protected]> show security nat source pool all Total pools: 2 Pool name : vr107 Pool id : 4 Routing instance : default Host address base : 0.107.207.207.0 Port : no translation port overloading : 0 Overflow pool : interface Total addresses : 8 Available addresses: 7 Translation hits : 4 Address range Single Ports Twin Ports 172.9 default no 8 vr207 172.20.20.2 .207. a total of three source NAT rules are operating.9 default no 8 Total rules: 3 Rule name Rule set From To Action 1 internet-bound ge-0/0/4.20 Issue the show security nat source summary command.2-172.207.0.2-172. [email protected]> show security nat source summary Total port number usage for port translation pool: 0 Maximum port number for port translation pool: 16777216 Total pools: 2 Pool Address Routing PAT Total Name Range Instance Address vr107 172.20.20.21 Issue the show security nat source pool all command.20.0.0.

[email protected]> STOP Tell your instructor that you have completed Lab 5.107.22 Return to the session opened to the vr-device and exit the Telnet session between virtual routers.172.9 0 0 Question: How many addresses are available in each source NAT pool displayed? Answer: Each source NAT pool has eight available addresses. Step 3.juniper.20.2 .107.20. Lab 5–28 • Network Address Translation (Detailed) www.net . [email protected]> exit Connection closed by foreign host.Junos Security Total addresses : 8 Available addresses: 8 Translation hits : 0 Address range Single Ports Twin Ports 172.

you will implement a route-based IPsec VPN.12. • Configure and monitor a secure tunnel interface. The lab is available in two formats: a high-level format designed to make you think through each step and a detailed format that offers step-by-step instructions complete with sample output from most commands. www. • Alter security policies to allow traffic between the ACME security zones.net Implementing IPsec VPNs (Detailed) • Lab 6–1 12.a. You will configure and monitor the IKE phase one and phase two tunnel establishment. By completing this lab.9 . • Verify and monitor an IPsec VPN tunnel.juniper. you will perform the following tasks: • Configure a route-based IPsec VPN.1R1. Lab 6 Implementing IPsec VPNs (Detailed) Overview In this lab.

2 Access the command-line interface (CLI) at your station using either the console. Step 1. Question: What is the management address assigned to your student router? Answer: The answer varies. The sample hostname and IP address used in the output examples in this lab are for srxD-1. The actual management address varies between delivery environments.1 Ensure that you know to which student device you have been assigned.config from the /var/home/lab/jsec/ directory. Check with your instructor if you are not certain.3 Log in as user lab with the password lab123.Junos Security Part 1: Configuring a Route-Based IPsec VPN In this lab part. or SSH as directed by your instructor. Step 1. you configure a route-based IPsec VPN tunnel. Step 1.net .juniper. Commit the configuration and exit to operational mode when complete.210. which uses 10.137 as its management IP address. srxD-1 (ttyu0) login: lab Password: Lab 6–2 • Implementing IPsec VPNs (Detailed) www. Telnet. This IPsec VPN tunnel will be utilized for all traffic between the ACME customer security zones. Consult the Management Network Diagram to determine the management address of your student device. Enter configuration mode and load the lab6-start.35.

1.100.6 Add the st0.JUNOS 12. If your assigned device is srx2.net Implementing IPsec VPNs (Detailed) • Lab 6–3 . and allow the interface to accept IKE packets.1R1.0 host-inbound-traffic system-services ike Step 1. www.100.2. The proposal should use the following parameters: • Authentication method: pre-shared-keys.0 [edit interfaces] [email protected]# top set security zones security-zone untrust interfaces st0.juniper. [edit interfaces] [email protected]# top set security zones security-zone untrust interfaces st0. • encryption algorithm: 3des-cbc. and • lifetime: 86400. • dh-group: group2. If your assigned device is srx1. Create an Internet Key Exchange (IKE) phase 1 proposal named phase1. configure logical unit 0 with an IP address of 192. • authentication algorithm: md5. configure logical unit 0 with an IP address of 192.9 built 2012-03-24 12:12:49 UTC [email protected]> configure Entering configuration mode [edit] [email protected]# load override jsec/lab6-start. [edit interfaces] [email protected]# set st0 unit 0 family inet address tunnel-interface-address Step 1. [edit] [email protected]# edit interfaces [edit interfaces] [email protected]# Step 1.5 Configure a secure tunnel interface. Junos Security --.7 Navigate to the [edit security ike] configuration hierarchy.0 interface to the untrust security zone.4 Navigate to the [edit interfaces] configuration hierarchy.168.168.config load complete [edit] [email protected]# commit and-quit commit complete Exiting configuration mode [email protected]> Step 1.

The policy should use main mode. proposals phase1.juniper. lifetime-seconds 86400. reference the proposal you created in the previous step. authentication-algorithm md5. dh-group group2. ## SECRET-DATA Lab 6–4 • Implementing IPsec VPNs (Detailed) www. encryption-algorithm 3des-cbc. and use an ASCII pre-shared key of juniper. } } [edit security ike] [email protected]# Step 1.8 Configure an IKE phase one policy named phase1-policy.net . pre-shared-key ascii-text "$9$QkE43/t1RSM87uO87-V4oz36".Junos Security [edit interfaces] [email protected]# top edit security ike [edit security ike] [email protected]# set proposal phase1 authentication-method pre-shared-keys [edit security ike] [email protected]# set proposal phase1 dh-group group2 [edit security ike] [email protected]# set proposal phase1 authentication-algorithm md5 [edit security ike] [email protected]# set proposal phase1 encryption-algorithm 3des-cbc [edit security ike] [email protected]# set proposal phase1 lifetime-seconds 86400 [edit security ike] [email protected]# show proposal phase1 authentication-method pre-shared-keys. [edit security ike] [email protected]# set policy phase1-policy mode main [edit security ike] [email protected]# set policy phase1-policy proposals phase1 [edit security ike] [email protected]# set policy phase1-policy pre-shared-key ascii-text juniper [edit security ike] [email protected]# show policy phase1-policy mode main.

[edit security ike] [email protected]# set gateway phase1-gateway ike-policy phase1-policy [edit security ike] [email protected]# set gateway phase1-gateway address remote-srx-Internet-address [edit security ike] [email protected]# set gateway phase1-gateway dead-peer-detection interval 20 [edit security ike] [email protected]# set gateway phase1-gateway dead-peer-detection threshold 5 [edit security ike] [email protected]# set gateway phase1-gateway external-interface ge-0/0/3. address 172. Step 1. [edit security ike] [email protected]# up [edit security] [email protected]# edit ipsec [edit security ipsec] [email protected]# Step 1. Junos Security Step 1.0.9 Configure an IKE gateway named phase1-gateway. You define IKE phase 2 configuration parameters at this level.2.2. threshold 5. For the gateway IP address.18.0 [edit security ike] [email protected]# show gateway phase1-gateway ike-policy phase1-policy. and a lifetime value of 3200 seconds. use the IP address associated with the ge-0/0/3 interface on the remote team’s device.10 Navigate to the [edit security ipsec] configuration hierarchy. Use your device’s ge-0/0/3 interface as the external interface for establishing an IPsec VPN between srx1 and srx2. an authentication algorithm of hmac-md5-96. Use the Encapsulating Security Payload (ESP) protocol. } external-interface ge-0/0/3. dead-peer-detection { interval 20. an encryption algorithm of 3des-cbc.net Implementing IPsec VPNs (Detailed) • Lab 6–5 .juniper. Configure your device to send a dead peer detection (DPD) request packet every 20 seconds and to consider the IKE neighbor down after five sequences of waiting 20 seconds and sending a DPD request packet.11 Define an IKE phase two proposal named phase2. Reference the IKE policy you created in the previous step. [edit security ipsec] [email protected]# set proposal phase2 protocol esp www.

[edit security ipsec] [email protected]# set policy phase2-policy perfect-forward-secrecy keys group2 [edit security ipsec] [email protected]# set policy phase2-policy proposals phase2 [edit security ipsec] [email protected]# show policy phase2-policy perfect-forward-secrecy { keys group2.0 [edit security ipsec] [email protected]# set vpn to-remote-SRX ike gateway phase1-gateway [edit security ipsec] [email protected]# set vpn to-remote-SRX ike ipsec-policy phase2-policy [edit security ipsec] [email protected]# set vpn to-remote-SRX establish-tunnels immediately [edit security ipsec] [email protected]# show vpn to-remote-SRX Lab 6–6 • Implementing IPsec VPNs (Detailed) www.12 Create a phase two policy named phase2-policy. Bind the st0. [edit security ipsec] [email protected]# set vpn to-remote-SRX bind-interface st0.Junos Security [edit security ipsec] [email protected]# set proposal phase2 authentication-algorithm hmac-md5-96 [edit security ipsec] [email protected]# set proposal phase2 encryption-algorithm 3des-cbc [edit security ipsec] [email protected]# set proposal phase2 lifetime-seconds 3200 [edit security ipsec] [email protected]# show proposal phase2 protocol esp. Ensure the VPN tunnel is established without the need for a triggering mechanism. Step 1.juniper. } proposals phase2.0 interface to this tunnel. Associate the IKE gateway and phase two policy with the VPN tunnel. authentication-algorithm hmac-md5-96. Use the phase two proposal you created in the last step.13 Configure the IPsec VPN tunnel and name the VPN to-remote-SRX.net . lifetime-seconds 3200. Configure Perfect Forward Secrecy (PFS) to use Diffie-Helman Group 2 as the method the device uses to generate the encryption key. Step 1. encryption-algorithm 3des-cbc.

} Question: Why is this step necessary? Answer: In a route-based VPN.juniper. Review the security policies in place that allow traffic between the untrust zone and your local ACME customer network zone.0/24 next-hop st0.0. ipsec-policy phase2-policy.0. Create a static route for the remote student team’s ACME customer network. The next hop should point to the st0.0. You could also use the remote IP address of the st0 interface. ike { gateway phase1-gateway. Navigate to the [edit routing-options] configuration hierarchy.net Implementing IPsec VPNs (Detailed) • Lab 6–7 .0 interface can be specified as the next-hop as shown in the example. Question: What are the two valid next hops for this static route? Answer: The st0. Without this step.20.1.0 [edit routing-options] [email protected]# show static { route 0. traffic would not use the IPsec VPN tunnel.0. [edit routing-options] [email protected]# top edit security policies www. Junos Security bind-interface st0.0/0 next-hop 172. [edit security ipsec] [email protected]# top edit routing-options [edit routing-options] [email protected]# set static route remote-ACME-subnet next-hop st0.18.15 Navigate to the [edit security policies] configuration hierarchy. Step 1.1. traffic associates using a route rather than a security policy.208.14 All traffic between the ACME security zones will use the IPsec VPN you created. } establish-tunnels immediately. Step 1. route 172.0 interface.

destination-address any. A security policy is already in place to allow all traffic to the untrust zone that originates on the local virtual router. destination-address vr207. } then { permit. and answer the question below. } } [edit security policies] [email protected]# show from-zone ACME-local to-zone untrust policy internet-ACME { match { source-address vr207. Configure the source-address to match the address-book entry for the remote student team’s ACME customer network.16 Create a new security policy that permits traffic from the untrust zone destined to your local ACME customer zone. } } Question: What changes must you make to the [edit security policies] hierarchy? Answer: You must make a new policy for traffic coming from the untrust zone that originates on the remote virtual router. Name the security policy ipsec.Junos Security [edit security policies] [email protected]# show from-zone untrust to-zone ACME-local policy webserver { match { source-address srxD-2. application [ junos-telnet junos-http ]. application any. Step 1. } then { permit. Use the configuration option any for the destination address and application.net . When finished review the configuration. [edit security policies] [email protected]# edit from-zone untrust to-zone ACME-local [edit security policies from-zone untrust to-zone ACME-SV] [email protected]# set policy ipsec match source-address remote-ACME-vrName [edit security policies from-zone untrust to-zone ACME-SV] [email protected]# set policy ipsec match destination-address any Lab 6–8 • Implementing IPsec VPNs (Detailed) www.juniper.

destination-address any.17 Commit your configuration and return to operational mode.net Implementing IPsec VPNs (Detailed) • Lab 6–9 . } then { permit. Junos Security [edit security policies from-zone untrust to-zone ACME-SV] [email protected]# set policy ipsec match application any [edit security policies from-zone untrust to-zone ACME-SV] [email protected]# set policy ipsec then permit [edit security policies from-zone untrust to-zone ACME-SV] [email protected]# show policy webserver { match { source-address srxD-2. traffic from the IPsec tunnel is not evaluated until the second policy. Because no match occurs. application any. Step 1. destination-address vr207. application [ junos-telnet junos-http ]. [edit security policies from-zone untrust to-zone ACME-SV] [email protected]# commit and-quit commit complete Exiting configuration mode [email protected]> www.juniper. } } policy ipsec { match { source-address vr208. As shown in the output. the first policy does not match on traffic from the remote virtual router. } then { permit. } } [edit security policies from-zone untrust to-zone ACME-SV] [email protected]# Question: Is any policy reordering necessary for this traffic flow? Answer: No.

root 500 172.2 >131073 ESP:3des/md5 e9444a8e 3106/ unlim .100. Step 2. [email protected]> show interfaces st0 terse Interface Admin Link Proto Local Remote st0 up up st0.2 Lab 6–10 • Implementing IPsec VPNs (Detailed) www. Step 2.168.Junos Security STOP Do NOT continue to the next lab part until both teams within your assigned pod reach this point. the state should be up. both the administrative status and link status should be up.2. you check IKE phase one and phase two tunnel security associations and monitor the IPsec VPN on your assigned device by initiating traffic from the virtual router.0 up up inet 192.2 Check the state of the IKE phase 1 security association using the show security ike security-associations command.2. Part 2: Verifying and Monitoring IPsec In this lab part. root 500 172.1 Issue the show interfaces st0 terse command. Step 2.0 interface? Answer: As shown in the output.1 --> 0/0 Question: What is the status of the st0. [email protected]> show security ipsec security-associations Total active tunnels: 1 ID Algorithm SPI Life:sec/kb Mon vsys Port Gateway <131073 ESP:3des/md5 768fe3ba 3106/ unlim . try clearing the phase 1 and phase 2 security associations on both devices within your pod. If you do not see a security association.18.18.2 Question: What is the state of the IKE phase 1 security association? Answer: As shown in the output.juniper.18. [email protected]> show security ike security-associations Index State Initiator cookie Responder cookie Mode Remote Address 976176 UP f347d504ef032fcc fed0a0e871ade192 Main 172.2.net .3 Check the state of the phase 2 security association using the show security ipsec security-associations command.

Type: dynamic.18. State: installed Protocol: ESP. State: installed Protocol: ESP. Remote Gateway: 172. Step 2.2.2 Local Identity: ipv4_subnet(any:0.0. Replay window size: 64 Direction: outbound. Replay window size: 64 www.1.4 Issue the show security ipsec security-associations index number command.7]=0. AUX-SPI: 0 . SPI: e9444a8e.2.0. at least one successful phase 2 security association should be present. AUX-SPI: 0 .0. Type: dynamic. Question: What is the index number used to represent the phase 2 security association? Answer: The answer can vary.0/0) Version: IKEv1 DF-bit: clear Direction: inbound. SPI: 768fe3ba. is 131073. where number represents the index number obtained in the previous step.juniper..18.0/0) Remote Identity: ipv4_subnet(any:0. Authentication: hmac-md5-96. [email protected]> show security ipsec security-associations index index-number Virtual-system: root Local Gateway: 172.7]=0. Junos Security Question: Is a phase 2 security association present? Answer: As shown in the output.[0.net Implementing IPsec VPNs (Detailed) • Lab 6–11 . the index number. In the example.0.[0. represented by the ID column. Encryption: 3des-cbc Anti-replay service: counter-based enabled. Encryption: 3des-cbc Anti-replay service: counter-based enabled. Authentication: hmac-md5-96.. represented by an inbound row and an outbound row. VPN Monitoring: - Hard lifetime: Expires in 3042 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 2464 seconds Mode: Tunnel. VPN Monitoring: - Hard lifetime: Expires in 3042 seconds Lifesize Remaining: Unlimited Soft lifetime: Expires in 2464 seconds Mode: Tunnel.

5 Issue the clear security ipsec statistics command followed by the show security ipsec statistics command. Step 2.net . ESP decryption failures: 0 Bad headers: 0. Open a separate Telnet session to the virtual router attached to your team device. as shown in the example output. Keep the current Telnet session established with your assigned SRX device open to monitor results. The virtual router is a J Series Services Router configured as several logical devices. as shown in the example output.6 Note This lab step requires you to open a separate Telnet session to the virtual router to emulate an external host. Replay errors: 0 ESP authentication failures: 0. Refer to the Management Network Diagram for the IP address of the vr-device. [email protected]> clear security ipsec statistics [email protected]> show security ipsec statistics ESP Statistics: Encrypted bytes: 0 Decrypted bytes: 0 Encrypted packets: 0 Decrypted packets: 0 AH Statistics: Input bytes: 0 Output bytes: 0 Input packets: 0 Output packets: 0 Errors: AH authentication failures: 0. Lab 6–12 • Implementing IPsec VPNs (Detailed) www. Bad trailers: 0 Question: Do all the counters show a value of 0? Answer: The answer should be yes.Junos Security Question: Is anti-replay enabled for the IPsec VPN tunnel? Answer: The answer should be yes. Step 2.juniper.

You must use 'configure private' to configure this router.7 Log in to the virtual router using the login information shown in the following table: Virtual Router Login Details Student Device Username Password srxA-1 a1 lab123 srxA-2 a2 lab123 srxB-1 b1 lab123 srxB-2 b2 lab123 srxC-1 c1 lab123 srxC-2 c2 lab123 srxD-1 d1 lab123 srxD-2 d2 lab123 vr-device (ttyd0) login: username Password: --.juniper.4R1.6 built 2011-11-15 11:28:05 UTC NOTE: This router is divided into many virtual routers used by different teams.net Implementing IPsec VPNs (Detailed) • Lab 6–13 . [email protected]> www. Junos Security Step 2. Please only configure your own virtual router.JUNOS 11.

35.130/123 --> 10. Use the same login credentials as used for your current vr-device Telnet session.137/123 --> 10.207. Source the Telnet session from your virtual router that is associated with your local ACME customer network. Pkts: 1.35.10/49161 --> 172.2. The instance names match the names of the virtual routers listed on the network diagram.210. [email protected]> telnet remote-ACME-VR routing-instance local-ACME-VR Trying 172.20. vr-device (ttyp1) login: Step 2. Bytes: 76 Out: 10. Timeout: 4.esp..137/123. Pkts: 1. Valid In: 10.9 Return to the Telnet session established with your assigned SRX device. Policy name: self-traffic-policy/1.207.10/23 --> 172.35...20. Initiate the Telnet connection to the remote team’s ACME customer network.0.18.net .20. If: st0. initiate a Telnet session that traverses the IPsec tunnel. Timeout: N/A.208. Pkts: 0.2/33021 --> 172.tcp. From the Telnet session established with your assigned SRX device.local.0.udp. If: ge-0/0/4.18. Bytes: 671 Out: 172. Bytes: 0 Session ID: 848. If: .0. Policy name: N/A. Timeout: N/A.20. If: ge-0/0/3. Note Remember to reference the appropriate instance name when sourcing Telnet traffic from a virtual router. Timeout: 1796.130/123. Valid In: 172.208.207.20.tcp.2. [email protected]> show security flow session Session ID: 1.2/5392.8 From the Telnet session established with the virtual router. Valid In: 172.210. Escape character is '^]'.2/0 --> 172.0.18. Bytes: 0 Session ID: 2.udp.Junos Security Step 2.20. Pkts: 9.210.208. If: ge-0/0/0.0.1.2/0. Pkts: 0. If: ge-0/0/3. Connected to 172.208. Valid In: 172. Bytes: 76 Session ID: 865.10/49161. Bytes: 641 Total sessions: 4 Lab 6–14 • Implementing IPsec VPNs (Detailed) www. Pkts: 10.10.1.esp.18.10/23.210.10.35. Policy name: internet-ACME-SV/9. view the flow session table.juniper. Policy name: N/A.

Replay errors: 0 ESP authentication failures: 0.net Implementing IPsec VPNs (Detailed) • Lab 6–15 . exit the virtual router Telnet session using the exit command. Bad trailers: 0 Question: How many packets have received encryption? Answer: The answer varies.11 Return to the Telnet session established with the virtual router. ESP decryption failures: 0 Bad headers: 0. that are between virtual routers should show interface st0. Step 2.10 Issue the show security ipsec statistics command. Step 2. [email protected]> exit Connection closed by foreign host.juniper.0 for either the inbound or outbound flow. [email protected]> STOP Tell your instructor that you have completed Lab 6. From the Telnet session established with the virtual router. indicated by TCP port 23. Junos Security Question: What sessions associate with the secure tunnel interface? Answer: The output can vary. www. but Telnet sessions. but both the encrypted and decrypted packets counters should have a non-zero value. [email protected]> show security ipsec statistics ESP Statistics: Encrypted bytes: 3496 Decrypted bytes: 1706 Encrypted packets: 32 Decrypted packets: 24 AH Statistics: Input bytes: 0 Output bytes: 0 Input packets: 0 Output packets: 0 Errors: AH authentication failures: 0.

juniper.Junos Security Lab 6–16 • Implementing IPsec VPNs (Detailed) www.net .

If you are completing the lab from start to finish.juniper. • Verify and monitor the IDP implementation.9 . You will install the security package from Juniper Networks. • Install and verify the Juniper Networks security package. where you might be directed to load a starting configuration at the beginning of each lab part.12. www. The lab is also designed for modularity. you will perform the following tasks: • Install and verify IDP licensing. you will implement intrusion detection and prevention (IDP). • Configure and customize IDP policy using IDP policy templates. customize a policy template and perform verification tasks. Lab 7 Implementing IDP (Detailed) Overview In this lab.1R1.net Implementing IDP (Detailed) • Lab 7–1 12.a. including the attack database and IDP policy templates. The lab is available in two formats: a high-level format designed to make you think through each step and a detailed format that offers step-by-step instructions complete with sample output from most commands. By completing this lab. there is no need to load the starting configuration for each lab part.

or SSH as directed by your instructor.1 Ensure that you know to which student device you have been assigned. Note Depending on the class. the lab equipment used might be remote from your physical location.Junos Security Part 1: Retrieving and Installing the Security Package and IDP License In this lab part.210. Consult the Management Network Diagram to determine the management address of your student device.juniper. you will load the starting configuration for Lab 7. which uses an IP address of 10.2 Access the CLI at your station using either the console. in this example the user is assigned to the srxC-1 station. Check with your instructor if you are not certain. Question: What is the management address assigned to your station? Answer: The answer varies. The following example is based on simple Telnet access using the Secure CRT program.135. Then. Refer to the Management Network Diagram for the IP address associated with your workstation. The instructor will inform you as to the nature of your access and will provide you the details needed to access your assigned device. Telnet. you will use the CLI to log in to your designated station. Then.net . you will download the security package normally made available by Juniper Networks as well as the necessary IDP licensing. Step 1.35. Lab 7–2 • Implementing IDP (Detailed) www. you become familiar with the access details used to access the lab equipment. Step 1. Once you are familiar with the access details.

In the next few steps. Commit the configuration when complete.config [edit] [email protected]# commit commit complete [edit] [email protected]# Note This lab requires that you have root access in the UNIX shell of the device.config from the /var/home/lab/jsec/ directory. Enter configuration mode and load the lab7-start.juniper. www. Be sure to follow the steps closely to avoid disabling access to the device. you change the root password of your assigned device. srxC-1 (ttyu0) login: lab Password: --.JUNOS 12.3 Log in as user lab with the password lab123.net Implementing IDP (Detailed) • Lab 7–3 .9 built 2012-03-24 12:12:49 UTC [email protected]> configure Entering configuration mode [edit] [email protected]# load override jsec/lab7-start. Junos Security Step 1.1R1.

juniper. [email protected]> start shell % Step 1. you obtain an IDP license and the IDP security package from the server within your assigned lab rack. Use the set system root-authentication plain-text-password command to make this change. In a non-lab environment. This level of permissions is necessary for the next few steps.Junos Security Step 1. [edit] [email protected]# set system root-authentication plain-text-password New password: Retype new password: [edit] [email protected]# Step 1. [edit] [email protected]# commit and-quit commit complete Exiting configuration mode [email protected]> Note In the next series of lab steps. use the lab123 password you just defined in the configuration. Step 1. Lab 7–4 • Implementing IDP (Detailed) www. you obtain these files unconventionally.5 Commit your configuration and return to operational mode. Because of differing lab environments. % su root Password: [email protected]% Step 1.4 Change the root password of your assigned device to lab123. you obtain the license directly from Juniper Networks while you download the security package directly from Juniper Networks using an Internet connection.6 Enter the UNIX shell mode of your assigned device with the start shell command. When prompted for the new password.7 At the % prompt type su root to switch the user to the root user.net .8 Change your working directory to /var/tmp by entering the cd /var/tmp command at the % prompt.

txt .10 Use the cd /var/db/idpd command to change your current directory to /var/db/idpd. type yes and press the enter key. [email protected]% ls sec-download detector-capabilities.14.130)' can't be established. The sub-download directory does not contain any files. Note Be sure to include the trailing period in the command.210. the directory contains another directory named sub-download and no further contents.11 Issue the ls sec-download command to view the contents of the sec-download directory. DSA key fingerprint is ef:17:5e:05:13:ee:db:cd:ff:84:94:55:ae:e3:1b:e2. Junos Security [email protected]% cd /var/tmp [email protected]% Step 1.2KB/s 00:00 [email protected]% Step 1. When prompted for a RADIUS password.juniper.130 (10.9 At the % prompt. use lab123.210.net Implementing IDP (Detailed) • Lab 7–5 .14. When prompted to continue connecting. enter the following command to retrieve the IDP license for your assigned device. [email protected]% ls sec-download/sub-download [email protected]% www. The authenticity of host '10. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '10.xml sub-download Question: What does the sec-download directory contain? Answer: As shown in the output.210.130' (DSA) to the list of known hosts. where serverIP is the IP address of the server device and assigned-device is the name of your assigned device.txt 100% 182 0.txt . scp [email protected]:jsec/assigned-device.14. Refer to your Management Network Diagram to determine the IP address of the server device. [email protected]% cd /var/db/idpd [email protected]% Step 1. The period in this command instructs SCP to copy the remote files to your current working directory. RADIUS Password: srxD-1. [email protected]% scp [email protected]:jsec/assigned-device.

12 Use SCP to obtain the IDP security package from the server device by entering the following command.xml sec-download/platforms.tar. [email protected]% scp [email protected]:jsec/idp.v applications.xml detector-capabilities. scp [email protected]:jsec/idp.juniper.xml sub-download groups.xml sec-download/applications.tgz [email protected]% tar xzvf idp.tgz sec-download/ sec-download/sub-download/ sec-download/sub-download/SignatureUpdate.tar.tgz 100% 1717KB 858.tar.xml [email protected]% Step 1. The period in this command instructs SCP to copy the remote files to your current working directory.3KB/s 00:02 [email protected]% Step 1.so.tar.so. use lab123.14 Issue the ls sec-download command again to check the contents of the directory.xml sec-download/detector-capabilities.xml sec-download/sub-download/templates.xml sec-download/SignatureUpdate. Note Be sure to include the trailing period in the command. When prompted for a RADIUS password.Junos Security Step 1.xml sec-download/libidp-detector.xml libidp-detector.tgz.tgz. where serverIP is the IP address of the service device on your lab diagram.tgz .xml [email protected]% Lab 7–6 • Implementing IDP (Detailed) www.tar.net .tgz .v sec-download/groups. [email protected]% ls sec-download SignatureUpdate.13 Uncompress the contents of the IDP file by entering the following command: tar xzvf idp.xml platforms. RADIUS Password: idp.

[email protected]> show system license License usage: none Licenses installed: none Question: Does your system currently have any installed licenses? Answer: As shown in the output. you install the license required for the IDP attack database and policy template updates. Step 2. After verifying the validity of the license. Specify the file as /var/tmp/assigned-device. [email protected]> request system license add /var/tmp/assigned-device. you will then proceed with the installation of the IDP security package and policy templates. the directory now has a series of XML files containing the contents of the IDP security package.txt. Step 1.net Implementing IDP (Detailed) • Lab 7–7 . Step 2. [email protected]% exit exit % exit exit [email protected]> Part 2: Installing the IDP License and Security Package In this lab part. currently no licenses are installed. Junos Security Question: What does the sec-download directory contain? Answer: As shown in the output.juniper.2 Install the IDP license you downloaded in the last lab part by using the request system license add command.15 Exit the UNIX shell by issuing the exit command twice.txt JUNOS204211: successfully added add license complete (no errors) www. where assigned-device represents the hostname of your assigned device.1 Issue the show system license command to list the installed licenses on your assigned device.

IDP Signature date-based. you can see that this license is correct. If the numbers do not match ensure that you obtained the correct license for your assigned device.Junos Security Question: Did the license successfully install? Answer: As shown in the output. verify that the path and filename are correct and that the file resides in the specified directory.juniper. By comparing this value to the serial number reflected in the output of the show chassis hardware command. the license installed. Note The output shown for this command can vary depending on the device or license type used in your environment. but the example shows a device serial number of AH2909AA0068. [email protected]> show chassis hardware Hardware inventory: Item Version Part number Serial number Description Chassis AH2909AA0068 SRX240h-poe Lab 7–8 • Implementing IDP (Detailed) www. [email protected]> show system license License usage: Licenses Licenses Licenses Expiry Feature name used installed needed idp-sig 0 1 0 2014-09-03 19:00:00 CDT ax411-wlan-ap 0 2 0 permanent Licenses installed: License identifier: JUNOS220951 License version: 2 Valid for device: AH2909AA0068 Features: idp-sig .net . If you experience an error installing the license.3 View the active licenses on your assigned device using the show system license command.2014-09-03 19:00:00 CDT Question: Does the installed license reflect the proper serial number for your assigned device? Answer: The output varies. 2009-09-15 19:00:00 CDT . Step 2. Notify your instructor if you are unable to install the license.

[email protected]> request security idp security-package install status In progress:performing DB update for an xml (groups.net Implementing IDP (Detailed) • Lab 7–9 . [email protected]> request security idp security-package install Will be processed in async mode.juniper. If the output from your device does not match this output.xml) [email protected]> request security idp security-package install status In progress:performing DB update for an xml (SignatureUpdate.[UpdateNumber=1449. Do not continue to the next step until you receive an indication that the installation was successful. Check the status using the status checking CLI Question: What was the result of this operation? Answer: As shown in the output.xml) [email protected]> request security idp security-package install status In progress:Compiling AI signatures .5 Check the status of your installation over the next few minutes using the request security idp security-package install status command.Attack DB update : successful . Step 2.Detector=9.. as shown in the example output.ExportDate=Tue Jun 23 12:45:25 2009.. www.160090324] Updating control-plane with new detector : successful Updating data-plane with new attack or detector : not performed due to no existing running policy found.2. Question: Did the security package successfully install? Answer: The answer should be yes. [email protected]> request security idp security-package install status Done.4 Install the IDP attack database using the request security idp security-package install operational mode command. Junos Security Routing Engine REV 31 750-021794 AAAD8406 RE-SRX240H-POE FPC 0 FPC PIC 0 16x GE Base PIC FPC 1 REV 02 750-025085 AAAN4046 FPC PIC 0 1x Serial mPIM Power Supply 0 Step 2. the install should begin in async mode. notify your instructor.

7 Check the policy template installation status using the request security idp security-package install status command.8 The installation of the policy templates results in the creation of a Junos operating system commit script.9 Verify that the policy templates were added to your configuration. issue the set security idp active-policy ? configuration mode command.6 Install the IDP policy templates provided by Juniper Networks with the request security idp security-package install policy-templates command.xsl command. but for a quicker check.juniper. [email protected]> request security idp security-package install status Done. Do not continue to the next step until you receive an indication that the installation was successful. Check the status using the status checking CLI Step 2. is a large file. Enter configuration mode and enter the set system scripts commit file templates.net . Expect the commit action to take a few moments.policy-templates has been successfully updated into internal repository (=>/var/db/scripts/commit/templates. Commit the configuration to activate the commit script. Note The commit script. which inserts the IDP policy templates into the active configuration. [edit] [email protected]# set security idp active-policy ? Possible completions: <active-policy> Set active policy DMZ_Services DNS_Service Lab 7–10 • Implementing IDP (Detailed) www.Junos Security Step 2. You could view the configuration file for verification. [email protected]> request security idp security-package install policy-templates Will be processed in async mode. [email protected]> configure Entering configuration mode [edit] [email protected]# set system scripts commit file templates.xsl [edit] [email protected]# commit commit complete [edit] [email protected]# Step 2.xsl)! Step 2.

Recommended. File_Server. IDP_Default. and Web_Server IDP policy templates should now be available. Step 3.net Implementing IDP (Detailed) • Lab 7–11 .1 Navigate to the [edit security idp] configuration hierarchy. [edit] [email protected]# edit security idp [edit security idp] [email protected]# Step 3. Getting_Started. Junos Security File_Server Getting_Started IDP_Default Recommended Web_Server [edit] [email protected]# set security idp active-policy Question: What IDP policy templates are now available? Answer: The DMZ_Services.juniper. [edit security idp] [email protected]# delete idp-policy ? Possible completions: <policy-name> IDP policy name DMZ_Services IDP policy name DNS_Service IDP policy name File_Server IDP policy name Getting_Started IDP policy name IDP_Default IDP policy name Recommended IDP policy name Web_Server IDP policy name [edit security idp] [email protected]# delete idp-policy DMZ_Services [edit security idp] [email protected]# delete idp-policy DNS_Service www. DNS_Service. you customize the Recommended policy template and apply the modified policy to your assigned device.2 Delete all of the recently added template IDP policies in your configuration except the Recommended IDP policy template. Part 3: Enabling IDP Policy In this lab part.

destination-address any.3 View the Recommended IDP policy template. application default.Major" ]. attacks { Lab 7–12 • Implementing IDP (Detailed) www. application default. source-address any.net .Minor" "[Recommended]TCP .Minor" "[Recommended]IP . Use this template as a base line.juniper.Major" "[Recommended]TCP - Critical" "[Recommended]TCP . to-zone any. attacks { predefined-attack-groups [ "[Recommended]IP . */ match { from-zone any. */ match { from-zone any. } } } rule 2 { /* This rule is designed to protect your network against important ICMP attacks. destination-address any. */ rulebase-ips { rule 1 { /* This rule is designed to protect your networks against important TCP/ IP attacks. source-address any. to-zone any. } notification { log-attacks. } } then { action { recommended. [edit security idp] [email protected]# show idp-policy Recommended | no-more /* This template policy covers the most important vulnerabilities.Critical" "[Recommended]IP .Junos Security [edit security idp] [email protected]# delete idp-policy File_Server [edit security idp] [email protected]# delete idp-policy Getting_Started [edit security idp] [email protected]# delete idp-policy IDP_Default [edit security idp] [email protected]# delete idp-policy Web_Server Step 3.

Minor" ]. application default. */ match { from-zone any. to-zone any.Minor" ]. } } } rule 3 { /* This rule is designed to protect your network against important HTTP attacks. Junos Security predefined-attack-groups [ "[Recommended]ICMP .Minor" ]. to-zone any. Major" "[Recommended]ICMP . attacks { predefined-attack-groups [ "[Recommended]HTTP . } notification { log-attacks. } notification { log-attacks. } } } rule 4 { /* This rule is designed to protect your network against important SMTP attacks. application default. destination-address any. source-address any. Critical" "[Recommended]SMTP . } } then { action { recommended.Major" "[Recommended]HTTP . } } then { action { recommended. attacks { predefined-attack-groups [ "[Recommended]SMTP . } notification { www.net Implementing IDP (Detailed) • Lab 7–13 . } } then { action { recommended.Major" "[Recommended]SMTP . Critical" "[Recommended]HTTP . */ match { from-zone any. destination-address any. source-address any.juniper.

} notification { log-attacks. destination-address any. attacks { predefined-attack-groups [ "[Recommended]FTP . } } } rule 7 { /* This rule is designed to protect your network against important POP3 attacks.juniper. source-address any.net . to-zone any. */ match { from-zone any. application default. } } } rule 6 { /* This rule is designed to protect your network against important FTP attacks.Major" ].Minor" "[Recommended]DNS . */ match { from-zone any. } } then { action { recommended. } } } rule 5 { /* This rule is designed to protect your network against important DNS attacks. source-address any.Minor" "[Recommended]FTP .Critical" "[Recommended]FTP . } } then { action { recommended. } notification { log-attacks. */ match { from-zone any. attacks { predefined-attack-groups [ "[Recommended]DNS .Critical" "[Recommended]DNS . application default. to-zone any.Junos Security log-attacks. Lab 7–14 • Implementing IDP (Detailed) www. destination-address any.Major" ].

Critical" "[Recommended]POP3 . } } } rule 9 { /* This rule is designed to protect your network against common internet malware. attacks { predefined-attack-groups [ "[Recommended]POP3 . } notification { log-attacks. */ match { from-zone any. source-address any.juniper. to-zone any.Critical" "[Recommended]IMAP . application default. to-zone any. } notification { log-attacks. destination-address any. Junos Security source-address any. } } then { action { recommended. source-address any. destination-address any. destination-address any. } } then { action { recommended. application default.Major" ]. attacks { www.net Implementing IDP (Detailed) • Lab 7–15 .Major" ]. to-zone any. } } } rule 8 { /* This rule is designed to protect your network against important IMAP attacks. attacks { predefined-attack-groups [ "[Recommended]IMAP . application default.Minor" "[Recommended]POP3 . */ match { from-zone any.

[edit security idp] [email protected]# delete idp-policy Recommended rulebase-ips rule 1 [edit security idp] [email protected]# delete idp-policy Recommended rulebase-ips rule 2 [edit security idp] [email protected]# delete idp-policy Recommended rulebase-ips rule 4 [edit security idp] [email protected]# delete idp-policy Recommended rulebase-ips rule 5 [edit security idp] [email protected]# delete idp-policy Recommended rulebase-ips rule 6 Lab 7–16 • Implementing IDP (Detailed) www.net .Major" "[Recommended]WORM .Major" "[Recommended]VIRUS .Junos Security predefined-attack-groups [ "[Recommended]TROJAN .Minor" ].Critical" "[Recommended]WORM .4 Delete all of the rules. } } then { action { recommended.juniper.netscreen.Minor" "[Recommended]WORM .Critical" "[Recommended]TROJAN . Note For specific information regarding predefined attacks or attack groups.html Step 3.Critical" "[Recommended]VIRUS . from the Recommended IDP policy. } } } } Question: Does the Recommended IDP policy provide protection for HTTP? Answer: Rule 3 protects against malicious HTTP traffic. consult the following link: https://services.com/restricted/ sigupdates/nsm-updates/HTML/ index. except rule 3.Major" "[Recommended]TROJAN . } notification { log-attacks.Minor" "[Recommended]VIRUS .

[edit security idp] [email protected]# top edit security policies from-zone untrust to-zone ACME-local www. } notification { log-attacks. attacks { predefined-attack-groups [ "[Recommended]HTTP . } } } } Step 3. Junos Security [edit security idp] [email protected]# delete idp-policy Recommended rulebase-ips rule 7 [edit security idp] [email protected]# delete idp-policy Recommended rulebase-ips rule 8 [edit security idp] [email protected]# delete idp-policy Recommended rulebase-ips rule 9 [edit security idp] [email protected]# show idp-policy Recommended /* This template policy covers the most important vulnerabilities. Ensure you reference the appropriate security zone within the policy context. */ rulebase-ips { rule 3 { /* This rule is designed to protect your network against important HTTP attacks. application default. } } then { action { recommended.Critical" "[Recommended]HTTP . Use this template as a base line. source-address any. [edit security idp] [email protected]# set active-policy Recommended Step 3. */ match { from-zone any. to-zone any.net Implementing IDP (Detailed) • Lab 7–17 .5 Set the Recommended IDP policy as the active IDP policy on your assigned device.juniper.Major" "[Recommended]HTTP .6 Configure your assigned device to perform IDP services on all traffic associated with the webserver security policy. destination-address any.Minor" ].

Inactivity timeout: 1800 Lab 7–18 • Implementing IDP (Detailed) www.7 To avoid overwriting the IDP policy modifications on subsequent commit operations. [edit security policies from-zone untrust to-zone ACME-SV] [email protected]# top [edit] [email protected]# delete system scripts [edit] [email protected]srxD-1# commit and-quit commit complete Exiting configuration mode [email protected]> Step 3.8 Issue the show security policies policy-name webserver detail command. [email protected]> show security policies policy-name webserver detail Policy: webserver.0/24 Application: junos-telnet IP protocol: tcp. To zone: ACME-SV Source addresses: srxD-2: 172. } then { permit { application-services { idp.18. destination-address vr207. application [ junos-telnet junos-http ].Junos Security [edit security policies from-zone untrust to-zone ACME-SV] [email protected]# set policy webserver then permit application-services idp [edit security policies from-zone untrust to-zone ACME-SV] [email protected]# show policy webserver match { source-address srxD-2.juniper.207. } } } [edit security policies from-zone untrust to-zone ACME-SV] [email protected]# Step 3. commit the configuration and return to operational mode. Scope Policy: 0 Policy Type: Configured Sequence number: 1 From zone: untrust. delete the commit script from the configuration.2. action-type: permit.net . Index: 12.20.0/30 Destination addresses: vr207: 172. ALG: 0. State: enabled. After you remove the commit script.

Junos Security Source port range: [0-0] Destination port range: [23-23] Application: junos-http IP protocol: tcp. Inactivity timeout: 1800 Source port range: [0-0] Destination port range: [80-80] Per policy TCP Options: SYN check: No. ALG: 0.10 Check the version of the attack database currently installed on your assigned device using the show security idp security-package-version command.88%) Question: How much data plane memory is currently in use for IDP services? Answer: The output varies.net Implementing IDP (Detailed) • Lab 7–19 . IDP is listed as enabled. [email protected]> show security idp memory IDP data plane memory statistics: Total IDP data plane memory : 196 MB Used : 12 MB ( 12288 KB ) ( 6.9 View the memory allocation for IDP services using the show security idp memory command. In the example from srxD-1.12%) Available : 184 MB ( 188416 KB ) ( 93. [email protected]> show security idp security-package-version Attack database version:2125(Thu Apr 26 12:37:13 2012) Detector version :12.juniper.160120404 Policy template version :N/A www. SEQ check: No Intrusion Detection and Prevention: enabled Unified Access Control: disabled Question: Does the webserver security policy output indicate that IDP is enabled? Answer: Yes. Step 3. 12 MB of memory is currently in use for IDP services.6. Step 3.

the version number is 1449.juniper.net . Lab 7–20 • Implementing IDP (Detailed) www. STOP Tell your instructor that you have completed Lab 7.Junos Security Question: What version number of the attack database is presently on your assigned device? Answer: The answer can vary. In the example from srxD-1.

Lab 8
Implementing High Availability Techniques (Detailed)

Overview
In this lab, you will implement high availability chassis clustering. You will work with the
remote team in your pod to combine your assigned devices into a single chassis cluster.
You will then generate traffic flows from the attached virtual routers. You will monitor the
traffic flows to determine the path taken through the chassis cluster.
The lab is available in two formats: a high-level format designed to make you think through
each step and a detailed format that offers step-by-step instructions complete with
sample output from most commands.
The lab is also designed for modularity, where you might be directed to load a starting
configuration at the beginning of each lab part. If you are completing the lab from start to
finish, there is no need to load the starting configuration for each lab part.
By completing this lab, you will perform the following tasks:
• Use the Junos command-line interface (CLI) to load the baseline configuration.
• Build the chassis cluster.
• Configure an active/active chassis cluster.
• Monitor traffic flows through the chassis cluster.
• Disable the chassis cluster.

www.juniper.net Implementing High Availability Techniques (Detailed) • Lab 8–1
12.a.12.1R1.9

Junos Security

Part 1: Loading the Baseline Configuration

In this lab part, you become familiar with the access details used to access the lab
equipment. Once you are familiar with the access details, you will use the CLI to log
in to your designated station. Then, you will load the starting configuration for Lab 8.
Note
Depending on the class, the lab equipment
used might be remote from your physical
location. The instructor will inform you as to
the nature of your access and will provide
you the details needed to access your
assigned device.

Step 1.1
Ensure that you know to which student device you have been assigned. Check with
your instructor if you are not certain. Consult the Management Network Diagram to
determine the management address of your student device.

Question: What is the management address
assigned to your station?

Answer: The answer varies; in this example the user
is assigned to the srxC-1 station, which uses an
IP address of 10.210.14.137.

Step 1.2
Access the CLI at your station using either the console, Telnet, or SSH as directed by
your instructor. Refer to the Management Network Diagram for the IP address
associated with your workstation. The following example is based on simple Telnet
access using the Secure CRT program.

Lab 8–2 • Implementing High Availability Techniques (Detailed) www.juniper.net

Junos Security
Step 1.3
Log in as user lab with the password lab123. Enter configuration mode and load
the lab8-start.config from the /var/home/lab/jsec/ directory. Commit the
configuration when complete.
srxC-1 (ttyu0)

login: lab
Password:

--- JUNOS 12.1R1.9 built 2012-03-24 12:12:49 UTC
[email protected]> configure
Entering configuration mode

[edit]
[email protected]# load override jsec/lab8-start.config

[edit]
[email protected]# commit
commit complete

[edit]
[email protected]#

Part 2: Preparing and Forming a Chassis Cluster

In this lab part, you adjust the configuration and enable high availability chassis
clustering. You will work with the remote team in your assigned pod to make some
configuration adjustments and then join your assigned devices into a single virtual
device using chassis clustering.
Note
Throughout this lab, you work as a team
with all the members in your assigned lab
pod. Because a chassis cluster combines
two physical devices into one logical device,
it is important to follow the steps in order
and in tandem as a team. Perform the next
several steps on the SRX1 and SRX2
devices.

Step 2.1
Navigate to the [edit interfaces] hierarchy.
[edit]
[email protected]# edit interfaces

[edit interfaces]
[email protected]#

www.juniper.net Implementing High Availability Techniques (Detailed) • Lab 8–3

Junos Security
Step 2.2
Issue the show command.
[edit interfaces]
[email protected]# show
ge-0/0/0 {
description "MGMT Interface - DO NOT DELETE";
unit 0 {
family inet {
address 10.210.14.135/27;
}
}
}
ge-0/0/3 {
unit 0 {
family inet {
address 172.18.1.2/30;
}
}
}
ge-0/0/4 {
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members default;
}
}
}
}
lo0 {
unit 0 {
family inet {
address 192.168.1.1/32;
}
}
}
[edit interfaces]
[email protected]#

Lab 8–4 • Implementing High Availability Techniques (Detailed) www.juniper.net

it will be replaced with the fxp0 interface. we recommend that you disable any interface that is configured for Layer 2 Ethernet switching before you attempt the clustering. If it were necessary to perform Layer 2 switching with the chassis cluster. and it will cause a malfunctioning chassis cluster if pairing is attempted without removing it. The interface is configured for Layer 2 Ethernet switching. Junos Security Question: You will not be performing Layer 2 Ethernet switching with the chassis cluster. You should also remove the ge-0/0/0 interface. you can prepare it for Layer 2 Ethernet switching by adding the swfab interfaces and enabling the interfaces there were designated for Ethernet switching. [edit interfaces] [email protected]# delete ge-0/0/0 [edit interfaces] [email protected]# delete ge-0/0/4 Step 2. Then. When the chassis cluster is formed. Leaving the ge-0/0/0 interface configured will cause the chassis cluster formation to fail.4 Navigate to the [edit system] hierarchy level and delete the host-name statement. Step 2. once the chassis cluster has formed.3 Remove the ge-0/0/0 and ge-0/0/4 interfaces. [edit interfaces] [email protected]# up 1 edit system [edit system] [email protected]# delete host-name [edit system] [email protected]# www.net Implementing High Availability Techniques (Detailed) • Lab 8–5 .juniper. Are there any interfaces that must be removed before chassis cluster pairing is attempted? Answer: The ge-0/0/4 interface must be deleted.

navigate to the [edit groups node0] hierarchy level.juniper.5 through 2. [edit groups node1] [email protected]# set interfaces fxp0 unit 0 family inet address address/mask Step 2. From the Telnet session on the SRX1 device.8 Navigate to the [edit groups node1] hierarchy level.9 Configure a host name of srxY-2. [edit groups node0] [email protected]# up 1 edit node1 [edit groups node1] [email protected]# Step 2. where Y is the letter of your pod.6 Configure a host name of srxY-1.5 The steps 2. Please refer to the Management Network Diagram for this address. [edit groups node0] [email protected]# set interfaces fxp0 unit 0 family inet address address/mask Step 2. [edit groups node0] [email protected]# set system host-name srxY-1 Step 2.12 will be performed only on the SRX1 device.10 Configure the fxp0 interface with the management IP address for SRX2.Junos Security Step 2. [edit groups node1] [email protected]# top set apply-groups ${node} [edit groups node1] [email protected]# top show groups Lab 8–6 • Implementing High Availability Techniques (Detailed) www. [edit groups node1] [email protected]# set system host-name srxY-2 Step 2. [edit system] [email protected]# top edit groups node0 [edit groups node0] [email protected]# Step 2. where Y is the letter of your pod.7 Configure the fxp0 interface with the management IP address for SRX1. Please refer to the Management Network Diagram for this address.net .11 Apply the recently created groups by issuing the command top set apply-groups ${node}.

You will then be able to telnet or ssh to each node’s management address. Step 2.136/27. } interfaces { fxp0 { unit 0 { family inet { address 10.juniper.12 The next several steps will be performed on the SRX1 and SRX2 devices.14. Junos Security node0 { system { host-name srxC-1. [edit groups node1] [email protected]# commit and-quit commit complete Exiting configuration mode [email protected]> www.14.135/27.210. } } } } } Question: What is the purpose of these recently configured groups? Answer: The recently configured groups will apply a different host name and management IP address to each node. } } } } } node1 { system { host-name srxC-2.210.net Implementing High Availability Techniques (Detailed) • Lab 8–7 . From the Telnet session of your assigned SRX device. } interfaces { fxp0 { unit 0 { family inet { address 10. commit the configuration and exit to operational mode.

Junos Security Step 2.. Note Once the required processes start..0 0 0 done syncing disks.. [email protected]> set chassis cluster cluster-id 1 node node-id reboot Successfully enabled chassis cluster. The host name of SRX1 should be shown.. Uptime: 9m23s Rebooting.1R1.. vnodes remaining..done Waiting (max 60 seconds) for system process `syncer' to stop.. Going to reboot now [email protected]> *** FINAL System shutdown message from [email protected] *** System going down IMMEDIATELY FWaiting (max 60 seconds) for system process `vnlru' to stop.. Use the username and password provided by your instructor.JUNOS 12.. whereas the host name of SRX2 will not be shown.juniper. All buffers synced... Step 2. where node-id is 0 for SRX1 and node-id is 1 for SRX2. you might see syslog messages indicating that high availability clustering is active. Lab 8–8 • Implementing High Availability Techniques (Detailed) www.net .14 Log in to the device once it has rebooted.done Waiting (max 60 seconds) for system process `bufdaemon' to stop. Syncing disks.9 built 2012-03-24 12:12:49 UTC {primary:node0} [email protected]> Question: Which host name is shown in the output? Answer: The answer will depend on which SRX device is your assigned device.13 Initiate the chassis cluster pairing by issuing the command set chassis cluster cluster-id 1 node node-id reboot.done Waiting (max 60 seconds) for system process `vnlru_mem' to stop. srxC-1 (ttyu0) login: lab Password: --.. depending on the model of your device. A configuration change and commit must occur before the groups configuration can be passed on to SRX2...

{primary:node0} [email protected]> show interfaces terse fxp0 Interface Admin Link Proto Local Remote fxp0 up up fxp0.net Implementing High Availability Techniques (Detailed) • Lab 8–9 .0 up up inet 10. Both teams should be working only from SRX1! Step 2. From the Telnet session of SRX1.210. the answer depends on which SRX device is your assigned SRX device. Note Perform the next several steps only on the SRX1 device.juniper. The management IP address of SRX1 should be applied to the interface.14.16 The next several steps will be performed on the only on the SRX1 device. Junos Security Step 2.137/27 Question: Is your local SRX device’s management IP address applied to the fxp0 interface? Answer: As with the previous question. {primary:node0} [email protected]> show chassis cluster status Cluster ID: 1 Node Priority Status Preempt Manual failover Redundancy group: 0 . The management IP address of SRX2 will not be applied yet.15 Issue the command show interface fxp0 terse. issue the command show chassis cluster status. Failover count: 1 node0 1 primary no no node1 1 secondary no no www.

{primary:node0} [email protected]> show chassis cluster interfaces Control link status: Up Control interfaces: Index Interface Status 0 fxp1 Up Fabric link status: Down Fabric interfaces: Name Child-interface Status (Physical/Monitored) fab0 fab0 Lab 8–10 • Implementing High Availability Techniques (Detailed) www. Question: Which redundancy groups are shown in the output? Answer: Because no redundancy groups are configured.Junos Security Question: Are both nodes present? What statuses are they indicating? Answer: Yes. only redundancy group 0 is shown in the previous output. Node 0 status should display primary for redundancy group 0 and Node 1 status should display secondary for redundancy group 0. Step 2. Question: The output displays that Node 0 is primary for redundancy group 0. If the status of the nodes indicate differently please inform your instructor.17 Issue the command show chassis cluster interfaces.net .juniper. Where else can this information be found? Answer: Node 0 is primary for redundancy group 0. Both nodes should be present. The information can also be found by examining the CLI command prompt.

using private edit warning: uncommitted changes will be discarded on exit Entering configuration mode {primary:node0}[edit] [email protected]# edit interfaces {primary:node0}[edit interfaces] [email protected]# set fab0 fabric-options member-interfaces ge-0/0/2 www. Question: What is the status of the fabric link? Answer: The fabric link is down and is not operational. Refer to your Lab 8 network diagram for the appropriate member interfaces.juniper. When you are finished. {primary:node0} [email protected]> configure warning: Clustering enabled. navigate to the [edit interfaces] hierarchy.net Implementing High Availability Techniques (Detailed) • Lab 8–11 . Note When chassis clustering is enabled commits can only be issued from the top of the configuration hierarchy. commit the configuration and return to operational mode. Question: Which steps are needed to bring the fabric link to the operational state? Answer: The fab0 and fab1 interfaces must be configured. Junos Security fab1 fab1 Question: What is the status of the control link? Answer: The Control link status field should display a value of Up. and configure the fab0 and fab1 interfaces that comprise the fabric link.18 Enter configuration mode. Step 2.

juniper. {primary:node0} [email protected]> show chassis cluster interfaces Control link status: Up Control interfaces: Index Interface Status 0 fxp1 Up Fabric link status: Up Fabric interfaces: Name Child-interface Status (Physical/Monitored) fab0 ge-0/0/2 Up / Up fab0 fab1 ge-5/0/2 Up / Up fab1 Question: What is the fabric link status? Answer: The fabric link status should be listed as Up. Lab 8–12 • Implementing High Availability Techniques (Detailed) www.19 Issue the command show chassis cluster interfaces.Junos Security {primary:node0}[edit interfaces] [email protected]# set fab1 fabric-options member-interfaces ge-5/0/2 {primary:node0}[edit interfaces] [email protected]# top {primary:node0}[edit] [email protected]# commit and-quit node0: configuration check succeeds node1: commit complete node0: commit complete Exiting configuration mode {primary:node0} [email protected]> Step 2.net . Do not proceed to the next lab part until directed by the instructor to do STOP so.

Next configure redundancy group 1 to have Node 0 with a priority of 200 and Node 1 with a priority of 100.config from the /var/home/lab/jsec/ directory. Then configure Node 1 to automatically reacquire primacy during a failover scenario once the original problem that caused the failover has been fixed.2 Navigate to the [edit chassis cluster] hierarchy level.net Implementing High Availability Techniques (Detailed) • Lab 8–13 . Commit the configuration when complete. {primary:node0}[edit chassis cluster] [email protected]# set redundancy-group 2 node 1 priority 200 {primary:node0}[edit chassis cluster] [email protected]# set redundancy-group 2 node 0 priority 100 {primary:node0}[edit chassis cluster] [email protected]# set redundancy-group 2 preempt www. using private edit warning: uncommitted changes will be discarded on exit Entering configuration mode [edit] [email protected]# load override jsec/lab8-part3-start. you configure redundancy group 1 and redundancy group 2 in an active/active cluster configuration. {primary:node0}[edit] [email protected]# edit chassis cluster {primary:node0}[edit chassis cluster] [email protected]# set redundancy-group 1 node 0 priority 200 {primary:node0}[edit chassis cluster] [email protected]# set redundancy-group 1 node 1 priority 100 {primary:node0}[edit chassis cluster] [email protected]# Step 3. Step 3. [email protected]> configure warning: Clustering enabled.config [edit] [email protected]# commit commit complete [edit] [email protected]# Step 3.3 Configure redundancy group 2 to have Node 1 with a priority of 200 and Node 0 with a priority of 100.juniper. Junos Security Part 3: Configuring an Active/Active Cluster In this lab part.1 Enter configuration mode and load the lab8-part3-start.

node 1 priority 100.Then configure reth0 to accept and transmit 802. preempt. node 0 priority 100. {primary:node0}[edit chassis cluster] [email protected]# set redundancy-group 2 interface-monitor ge-5/0/3 weight 255 {primary:node0}[edit chassis cluster] [email protected]# show redundancy-group 1 { node 0 priority 200.4 Configure the chassis cluster to perform interface monitoring for redundancy group 2. interface-monitor { ## ## Warning: Interface must be defined before configuring monitoring ## ge-5/0/3 weight 255.5 Navigate to the [edit interfaces] hierarchy level. The redundancy group should fail over to Node 0 if the ge-5/0/3 interface goes down. Configure the reth0 interface to consist of interfaces ge-0/0/4 and ge-5/0/4. {primary:node0}[edit chassis cluster] [email protected]# top edit interfaces {primary:node0}[edit interfaces] [email protected]# set ge-0/0/4 gigether-options redundant-parent reth0 {primary:node0}[edit interfaces] [email protected]# set ge-5/0/4 gigether-options redundant-parent reth0 {primary:node0}[edit interfaces] [email protected]# set reth0 redundant-ether-options redundancy-group 1 {primary:node0}[edit interfaces] [email protected]# set reth0 vlan-tagging Lab 8–14 • Implementing High Availability Techniques (Detailed) www. Use a weight value of 255.net . Next associate reth0 with redundancy group 1. Note You will configure the ge-5/0/3 interface in a later step. } } Step 3.juniper. } redundancy-group 2 { node 1 priority 200.1Q frames. and configure it with the proper VLAN ID and IP address.Junos Security Step 3. Please refer to your network diagram for Lab 8 for the correct VLAN and IP address values.

18.6 Configure the reth1 interface to consist of interfaces ge-0/0/5 and ge-5/0/5.net Implementing High Availability Techniques (Detailed) • Lab 8–15 . } } ge-0/0/5 { gigether-options { redundant-parent reth1.2.2/30.2.1Q frames.juniper.18. Then configure reth1 to accept and transmit 802. {primary:node0}[edit interfaces] [email protected]# set ge-5/0/3 unit 0 family inet address 172.7 Configure the ge-5/0/3 interface with the 172. } } } ge-0/0/4 { gigether-options { redundant-parent reth0.18.2/30 {primary:node0}[edit interfaces] [email protected]# show ge-0/0/3 { unit 0 { family inet { address 172. Commit the configuration when you are finished.2/30 address. Junos Security {primary:node0}[edit interfaces] [email protected]# set reth0 unit reth0-vlan-id vlan-id reth0-vlan-id {primary:node0}[edit interfaces] [email protected]# set reth0 unit reth0-vlan-id family inet address reth0-address/mask Step 3. and configure it with the proper VLAN ID and IP address. www.1. Please refer to your Lab 8 network diagram for the correct VLAN and IP address values. Next associate reth1 with redundancy group 2. {primary:node0}[edit interfaces] [email protected]# set ge-0/0/5 gigether-options redundant-parent reth1 {primary:node0}[edit interfaces] [email protected]# set ge-5/0/5 gigether-options redundant-parent reth1 {primary:node0}[edit interfaces] [email protected]# set reth1 redundant-ether-options redundancy-group 2 {primary:node0}[edit interfaces] [email protected]# set reth1 vlan-tagging {primary:node0}[edit interfaces] [email protected]# set reth1 unit reth1-vlan-id vlan-id reth1-vlan-id {primary:node0}[edit interfaces] [email protected]# set reth1 unit reth1-vlan-id family inet address reth1-address/mask Step 3.

} unit 223 { vlan-id 223.30. } } } ge-5/0/4 { gigether-options { redundant-parent reth0. reth0 { vlan-tagging.net . } } } {primary:node0}[edit interfaces] [email protected]# top {primary:node0}[edit] [email protected]# commit [edit chassis cluster] 'redundancy-group 1' redundancy-group-id (1) cannot exceed reth-count (0) Lab 8–16 • Implementing High Availability Techniques (Detailed) www.2..30. redundant-ether-options { redundancy-group 2.1/24. } unit 233 { vlan-id 233..1/24.20.30.Junos Security } } ge-5/0/3 { unit 0 { family inet { address 172. redundant-ether-options { redundancy-group 1.18.2/30. } } } reth1 { vlan-tagging.juniper. } } . } } ge-5/0/5 { gigether-options { redundant-parent reth1. family inet { address 172. family inet { address 172.

Question: Where can you increase the reth count? Answer: You can increase the reth count under the [edit chassis cluster] hierarchy level.8 Navigate to the [edit chassis cluster] hierarchy level and increase the reth count to 2. which in turn uses more system resources. {primary:node0}[edit] [email protected]# edit chassis cluster {primary:node0}[edit chassis cluster] [email protected]# set reth-count 2 {primary:node0}[edit chassis cluster] [email protected]# top {primary:node0}[edit] [email protected]# commit node0: configuration check succeeds node1: commit complete node0: commit complete Question: Why would you not want to set the reth count to its maximum possible number? Answer: Increasing the reth count increases the number of reth interfaces created by the system.juniper. The configuration will not commit because the reth count of 0 was exceeded. Step 3. Commit the configuration when you are finished.net Implementing High Availability Techniques (Detailed) • Lab 8–17 . Junos Security error: configuration check-out failed {primary:node0}[edit] [email protected]# Question: Were you able to commit the configuration? Answer: No. www.

{primary:node0}[edit] [email protected]# run show chassis cluster status Cluster ID: 1 Node Priority Status Preempt Manual failover Redundancy group: 0 .10 Issue the command run show chassis cluster status.9 Issue the command run show chassis cluster interfaces.Junos Security Step 3.net . Failover count: 1 node0 1 primary no no node1 1 secondary no no Lab 8–18 • Implementing High Availability Techniques (Detailed) www. {primary:node0}[edit] [email protected]# run show chassis cluster interfaces Control link status: Up Control interfaces: Index Interface Status 0 fxp1 Up Fabric link status: Up Fabric interfaces: Name Child-interface Status (Physical/Monitored) fab0 ge-0/0/2 Up / Up fab0 fab1 ge-5/0/2 Up / Up fab1 Redundant-ethernet Information: Name Status Redundancy-group reth0 Down 1 reth1 Down 2 Interface Monitoring: Interface Weight Status Redundancy-group ge-5/0/3 255 Up 2 Question: Within which redundancy groups are reth0 and reth1 contained? Answer: Reth0 is contained within redundancy group 1 and reth1 is contained within redundancy group 2.juniper. Step 3.

Step 3.11 Configure Node 1 to have a higher priority value than Node 0 for redundancy group 0. Failover count: 2 node0 100 secondary yes no node1 200 primary yes no Question: Which node is primary for redundancy group 2? Answer: Node 1 is primary for redundancy group 2. {primary:node0}[edit] [email protected]# set chassis cluster redundancy-group 0 node 1 priority 254 {primary:node0}[edit] [email protected]# commit node0: configuration check succeeds node1: commit complete www.juniper. Commit the configuration when you are finished. Question: How would you ensure Node 0 acquires primacy for redundancy group 0 if both nodes reboot around the same time? Answer: You can configure Node 1 with a higher priority value than Node 0 for redundancy group 0.net Implementing High Availability Techniques (Detailed) • Lab 8–19 . Junos Security Redundancy group: 1 . Failover count: 1 node0 200 primary no no node1 100 secondary no no Redundancy group: 2 . Question: Why is Node 0 primary for redundancy group 0? Answer: Both nodes have the same priority value and so Node 0 is primary because it has a lower node ID.

Lab 8–20 • Implementing High Availability Techniques (Detailed) www. {primary:node0}[edit] [email protected]# run show chassis cluster status Cluster ID: 1 Node Priority Status Preempt Manual failover Redundancy group: 0 .net .12 Issue the command run show chassis cluster status. Question: Why is node 0 still the primary node for redundancy group 0? Answer: Even though Node 1 has a higher priority value for redundancy group 0.Junos Security node0: commit complete Step 3. Failover count: 2 node0 100 secondary yes no node1 200 primary yes no {primary:node0}[edit] [email protected]# Question: Which node will acquire primacy for redundancy group 0 if both nodes reboot at the same time? Answer: Node 1 will have primacy for redundancy group 0 if both nodes are rebooted at the same time.juniper. Failover count: 1 node0 1 primary no no node1 254 secondary no no Redundancy group: 1 . a failover event must occur to cause node 1 to become primary for redundancy group 0. Failover count: 1 node0 200 primary no no node1 100 secondary no no Redundancy group: 2 .

Junos Security Step 3.14 Navigate to the [edit security zones] hierarchy and configure the untrust zone to contain interfaces ge-0/0/3 and ge-5/0/3. All system services should be allowed on these interfaces. Then configure the system’s default-policy to allow all traffic. Make sure to use the correct unit number in this step. {primary:node0}[edit security] [email protected]# edit zones {primary:node0}[edit security zones] [email protected]# set security-zone untrust interfaces ge-0/0/3 {primary:node0}[edit security zones] [email protected]# set security-zone untrust interfaces ge-5/0/3 Step 3. You should never use a default security policy to permit all traffic outside of a lab environment. {primary:node0}[edit security zones] [email protected]# set security-zone trust interfaces reth0.net Implementing High Availability Techniques (Detailed) • Lab 8–21 .reth0-vlan-id host-inbound-traffic system-services all {primary:node0}[edit security zones] [email protected]# set security-zone trust interfaces reth1. Commit the configuration and exit to operational mode.13 Navigate to the [edit security] hierarchy level.15 Configure the trust zone to contain interfaces reth0 and reth1. No inbound protocols or services should be allowed on these interfaces. {primary:node0}[edit] [email protected]# edit security {primary:node0}[edit security] [email protected]# set policies default-policy permit-all {primary:node0}[edit security zones] [email protected]# Step 3.juniper. Note This lab step is for the purpose of simplicity. Note The reth interfaces are configured with a different unit number than 0.reth1-vlan-id host-inbound-traffic system-services all [email protected]# show zones { security-zone untrust { www.

1 will have a route preference of 5. Commit the configuration and exit to operational mode. {primary:node0}[edit security zones] [email protected]# top edit routing-options {primary:node0}[edit routing-options] [email protected]# delete static route 0/0 {primary:node0}[edit routing-options] [email protected]# set static route 0/0 qualified-next-hop 172. The route which has a next hop of 172.1 {primary:node0}[edit routing-options] [email protected]# set static route 0/0 qualified-next-hop 172.233 { host-inbound-traffic { system-services { all.2. } } } reth1.2.1.18.18. } } security-zone trust { interfaces { reth0.1.juniper.Junos Security interfaces { ge-0/0/3.18. } } Step 3. } } } } } } policies { default-policy { permit-all.1 will have a route preference of 10.223 { host-inbound-traffic { system-services { all. The route which has a next hop of 172.18.0.16 Delete the current default static route and configure two default floating static routes through the use of the qualified-next-hop option.0. ge-5/0/3.net .1 preference 10 {primary:node0}[edit routing-options] [email protected]# top {primary:node0}[edit] [email protected]# commit and-quit node0: Lab 8–22 • Implementing High Availability Techniques (Detailed) www.

30. 0 holddown.juniper.20. . Please refer to your Lab 8 network diagram for these addresses.0 [Static/10] 19:41:40 > to 172.678 ms 64 bytes from 172.2 (172.0.223: icmp_seq=0 ttl=64 time=1.2): 56 data bytes 64 bytes from 172.2 via reth0. {primary:node0} [email protected]> ping reth0-VR detail count 2 PING 172.17 Issue the show route 0/0 exact command.223: icmp_seq=1 ttl=64 time=1.18 Check connectivity by issuing pings to both virtual router interface addresses. The next hop with a route preference of directs traffic through the ge-5/0/3 interface. 2 packets received.20.702/1.1 via ge-5/0/3. ping both interface addresses that belong to the ISP. 0 hidden) + = Active Route.0 Question: Is the correct routing information displayed? Answer: The correct output should display a default static route with two next hops.2 via reth0.30.2 ping statistics --- 2 packets transmitted.1 via ge-0/0/3.net Implementing High Availability Techniques (Detailed) • Lab 8–23 .024 ms {primary:node0} [email protected]> ping reth1-VR detail count 2 www.= Last Active. Next.172.20. Step 3. 13 routes (12 active.678/1.726 ms --.20. [email protected]> show route 0/0 exact inet.18.726/0. Use the detail option to ensure the pings are egressing the correct interface.1.0: 12 destinations.30. The next hop with a route preference of 5 directs traffic through the ge-0/0/3 interface.20. Junos Security configuration check succeeds node1: commit complete node0: commit complete Exiting configuration mode {primary:node0} [email protected]> Step 3.0. and then ping the Internet host.18.0/0 *[Static/5] 1d 20:53:32 > to 172.30. 0% packet loss round-trip min/avg/max/stddev = 1. * = Both 0.2.30.

0: icmp_seq=1 ttl=64 time=1. 0% packet loss round-trip min/avg/max/stddev = 1.362 ms --.1 (172. 2 packets received.18.18.30.1 via ge-5/0/3.307/12.30.1.1 via ge-0/0/3.172.827/16.31.15.net . 0% packet loss round-trip min/avg/max/stddev = 8.025 ms Question: Were the ping tests successful? Answer: As shown in the output.1 ping statistics --- 2 packets transmitted.362/4.0: icmp_seq=0 ttl=64 time=8.834/17.30.2.15.740/0.15.18.974/0.507/1.1 via ge-0/0/3.30.30.307 ms 64 bytes from 172.0: icmp_seq=0 ttl=64 time=1.1 ping statistics --- 2 packets transmitted.Junos Security PING 172.31.18.211 ms --.1 via ge-0/0/3.2): 56 data bytes 64 bytes from 172.30.1): 56 data bytes 64 bytes from 172.2.172.30.18.15.1 (172.716/1.31.233: icmp_seq=1 ttl=64 time=5.2.2.1.172.2.1 detail count 2 PING 172.30.1.30.18.1 detail count 2 PING 172.691/1.1.507 ms --. Lab 8–24 • Implementing High Availability Techniques (Detailed) www.1): 56 data bytes 64 bytes from 172.15.691 ms --. 2 packets received.31.18. 0% packet loss round-trip min/avg/max/stddev = 1.2 (172.233 ms {primary:node0} [email protected]> ping 172.233: icmp_seq=0 ttl=64 time=16.1 ping statistics --- 2 packets transmitted.30.211/10.1): 56 data bytes 64 bytes from 172.974 ms 64 bytes from 172. the ping tests should be successful.18.1.31.2 ping statistics --- 2 packets transmitted.2 via reth1. 2 packets received.18.616 ms {primary:node0} [email protected]> ping 172.18.172.18.443 ms 64 bytes from 172.1 (172.740 ms 64 bytes from 172.juniper.2.0: icmp_seq=1 ttl=64 time=1.443/5. 2 packets received.1.1 detail count 2 PING 172. 0% packet loss round-trip min/avg/max/stddev = 5.1 via ge-5/0/3.528 ms {primary:node0} [email protected]> ping 172.0: icmp_seq=1 ttl=64 time=17.1 via ge-0/0/3.18.740/1.0: icmp_seq=0 ttl=64 time=1.31.2 via reth1. Do not proceed to the next lab part until directed by the instructor to do STOP so.15.

You will also examine the path which these flows take and the effect of asymmetric flows on the chassis cluster. www.config from the /var/home/lab/jsec/ directory.1 Enter configuration mode and load the lab8-part4-start. Commit the configuration when complete.juniper.net Implementing High Availability Techniques (Detailed) • Lab 8–25 . Step 4.config [edit] [email protected]# commit commit complete [edit] [email protected]# Step 4. using private edit warning: uncommitted changes will be discarded on exit Entering configuration mode [edit] [email protected]# load override jsec/lab8-part4-start.2 Open a separate Telnet session to the virtual router attached to your team’s device. Junos Security Part 4: Monitoring Traffic Flows In this lab part. [email protected]> configure warning: Clustering enabled. you generate traffic from the attached virtual routers and monitor the traffic flows.

31. Note Examine the packets -per-second(pps) field to see the current packets traveling through an interface. [email protected]> ping 172.15. Step 4.4 Generate traffic to the Internet host from the virtual router associated with reth0 by issuing the ping 172.4R3. Press Ctrl + d or Ctrl + u to scroll down or up.1 (172.15.31.5 Return to the Telnet session established with your assigned SRX device.JUNOS 11.Junos Security Step 4.15.juniper..15.1): 56 data bytes !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! . [email protected]> Step 4. issue the run monitor interface traffic command. You must find the correct interfaces in the output to answer the following questions.1 rapid count 1000000 routing-instance reth0-VR PING 172. Lab 8–26 • Implementing High Availability Techniques (Detailed) www.7 built 2012-05-14 22:22:03 UTC NOTE: This router is divided into many virtual routers used by different teams.3 Log in to the virtual router using the login information shown in the following table: Virtual Router Login Details Student Pod Username Password srxA a1 lab123 srxB b1 lab123 srxC c1 lab123 srxD d1 lab123 vr-device (ttyp0) login: username Password: --.1 rapid count 1000000 routing-instance reth0-VR command. Please only configure your own virtual router.net . From the Telnet session established with SRX1.31.31. You must use 'configure private' to configure this router..

Quit=q or ESC.. Question: Which child interface of reth0 is being used? Answer: The ge-0/0/4 interface is being used.. Down=^D Note Examine your Lab 8 diagram to help trace the path of the traffic flow.. fab0 Up 0 (0) 2928169 (4) fab1 Up 0 (0) 2928170 (4) . Rate=r.. www. Junos Security {primary:node0}[edit] [email protected]# run monitor interface traffic srxC-1 Seconds: 56 Time: 22:18:12 Interface Link Input packets (pps) Output packets (pps) ge-0/0/0 Up 0 (0) 0 (0) ge-0/0/1 Up 0 (0) 0 (0) ge-0/0/2 Up 0 (0) 2932819 (4) ge-0/0/3 Up 3637472 (222) 3633355 (223) ge-0/0/4 Up 1030660 (222) 1030584 (222) ge-0/0/5 Up 51 (0) 0 (0) .net Implementing High Availability Techniques (Detailed) • Lab 8–27 . Delta=d. ge-5/0/2 Up 0 (0) 2930341 (4) ge-5/0/3 Up 4052 (0) 58 (0) ge-5/0/4 Up 108 (0) 0 (0) ge-5/0/5 Up 2602848 (0) 2602875 (0) .juniper. Clear=c.. Question: Which reth interface is the traffic traveling through? Answer: The traffic is traveling through reth0.. Packets=p. Up=^U. reth0 Up 817823 (228) 817596 (228) reth1 Up 2602898 (0) 2602875 (0) st0 Up 0 (0) 0 (0) tap Up 0 0 Bytes=b.

31.411/2.. Question: When would this traffic flow use the fabric link? Answer: If Node 1 becomes the primary node for redundancy group 1 the ge-5/0/4 interface would be used to pass traffic for reth0. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!^C --.15.1 rapid count 1000000 routing-instance reth1-VR PING 172. 0% packet loss round-trip min/avg/max/stddev = 2.1 (172.15.6 Return to the Telnet session established with the virtual router. 408110 packets received. Question: Is the fabric link being used for this traffic flow? Answer: No.31. .15.. Then the traffic would travel across the fabric link to reach its destination.1): 56 data bytes Lab 8–28 • Implementing High Availability Techniques (Detailed) www.15. press Ctrl + c to stop the ping traffic.1 rapid count 1000000 routing-instance reth1-VR command.1 ping statistics --- 408110 packets transmitted.31.750/4.31.107 ms Step 4.15.net . Step 4.292/23.31. [email protected]> ping 172.172.7 Generate traffic to the Internet host from the virtual router associated with reth1 by issuing the ping 172.juniper.Junos Security Question: What is the next interface being used in the path of the traffic? Answer: The next interface being used is ge-0/0/3 . From the Telnet session established with the virtual router. The traffic flow is bypassing the fabric link.

..juniper. fab0 Up 0 (0) 3139723 (219) fab1 Up 0 (0) 3140093 (211) fxp0 Up 779 66 fxp1 Up 1200337 2019915 fxp2 Up 0 71147 ..net Implementing High Availability Techniques (Detailed) • Lab 8–29 ... Up=^U. you must restart it by issuing the monitor interface traffic command.. ge-5/0/2 Up 0 (0) 85527 (200) ge-5/0/3 Up 13476 (0) 7 (0) ge-5/0/4 Up 31 (0) 0 (0) ge-5/0/5 Up 36374 (194) 36384 (194) . Quit=q or ESC.8 Return to the Telnet session established with your assigned SRX device. Rate=r. Find the correct interfaces in the output to answer the following questions.. Step 4... Delta=d. ge-5/0/2 Up 0 (0) 2989317 (215) ge-5/0/3 Up 4402 (0) 63 (0) ge-5/0/4 Up 112 (0) 0 (0) ge-5/0/5 Up 2633482 (210) 2633345 (210) .. reth0 Up 2190832 (0) 2190753 (0) reth1 Up 2604412 (207) 2604125 (207) st0 Up 0 (0) 0 (0) tap Up 0 0 Bytes=b. Down=^D www. Clear=c. Press Ctrl + d or Ctrl + u to scroll down or up. Junos Security !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! . Note If you canceled the output previously. srxC-1 Seconds: 14 Time: 00:00:45 Interface Link Input packets (pps) Output packets (pps) ge-0/0/0 Up 0 (0) 0 (0) ge-0/0/1 Up 0 (0) 0 (0) ge-0/0/2 Up 0 (0) 2989317 (215) ge-0/0/3 Up 3637472 (222) 3633355 (223) ge-0/0/4 Up 9 (0) 17 (0) ge-0/0/5 Up 9 (0) 0 (0) . Packets=p.

Then the traffic would bypass the fabric link to reach its destination. The traffic flow is traveling through the fabric link.Junos Security Question: Which reth interface is the traffic traveling through? Answer: The traffic is traveling through reth1. Question: When would this traffic flow not use the fabric link? Answer: If Node 0 becomes the primary node for redundancy group 2 the ge-0/0/5 interface would be used to pass traffic for reth1.net . Question: What is the next interface being used in the path of the traffic? Answer: The next interface being used is fab1 . Question: Which child interface of reth1 is being used? Answer: The ge-5/0/5 interface is being used. Question: Is the fabric link being used for this traffic flow? Answer: Yes. Lab 8–30 • Implementing High Availability Techniques (Detailed) www.juniper.

Quit=q or ESC.juniper. ge-0/0/8 Up 0 (0) 0 (0) ge-0/0/9 Up 0 (0) 0 (0) ge-0/0/10 Up 0 (0) 0 (0) ge-0/0/11 Up 0 (0) 0 (0) ge-0/0/12 Down 0 (0) 0 (0) ge-0/0/13 Down 0 (0) 0 (0) ge-0/0/14 Down 0 (0) 0 (0) ge-0/0/15 Down 0 (0) 0 (0) se-1/0/0 Down 0 (0) 0 (0) ge-5/0/0 Up 0 (0) 0 (0) ge-5/0/1 Up 0 (0) 0 (0) Bytes=b. {primary:node0}[edit] [email protected]# run show chassis cluster interfaces Control link status: Up Control interfaces: Index Interface Status 0 fxp1 Up Fabric link status: Up www. Up=^U. Clear=c.net Implementing High Availability Techniques (Detailed) • Lab 8–31 . . Delta=d. When you are finished.9 Press the q key to exit the running output. Packets=p. Junos Security Step 4. Navigate to the [edit interfaces] hierarchy level. Down=^D {primary:node0}[edit] [email protected]# edit interfaces {primary:node0}[edit interfaces] [email protected]# set ge-5/0/3 disable {primary:node0}[edit interfaces] [email protected]# top {primary:node0}[edit] [email protected]# commit node0: configuration check succeeds node1: commit complete node0: commit complete {primary:node0}[edit] [email protected]# Step 4. Rate=r. commit the configuration. Disable the ge-5/0/3 interface.10 Issue the run show chassis cluster interfaces command...

juniper. Failover count: 1 node0 1 primary no no node1 254 secondary no no Redundancy group: 1 . Failover count: 3 node0 100 primary yes no node1 0 secondary yes no Lab 8–32 • Implementing High Availability Techniques (Detailed) www. {primary:node0}[edit] [email protected]# run show chassis cluster status Cluster ID: 1 Node Priority Status Preempt Manual failover Redundancy group: 0 .11 Issue the run show chassis cluster status command. Step 4.net .Junos Security Fabric interfaces: Name Child-interface Status (Physical/Monitored) fab0 ge-0/0/2 Up / Up fab0 fab1 ge-5/0/2 Up / Up fab1 Redundant-ethernet Information: Name Status Redundancy-group reth0 Up 1 reth1 Up 2 Interface Monitoring: Interface Weight Status Redundancy-group ge-5/0/3 255 Down 2 Question: What is the monitoring status of the ge-5/0/3 interface? Answer: The Status field indicates that the ge-5/0/3 interface is down. Failover count: 1 node0 200 primary no no node1 100 secondary no no Redundancy group: 2 .

13 Return to the Telnet session established with your assigned SRX device.15.31..839 ms [email protected]> ping 172.31.. You must find the correct interfaces in the output to answer the following questions.1 (172. Redundancy group 2 has failed over primacy from Node 1 to Node 0. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!^C --.1 rapid count 1000000 routing-instance reth1-VR command..1 ping statistics --- 166596 packets transmitted.31. Step 4.. {primary:node0}[edit] [email protected]# run monitor interface traffic srxC-1 Seconds: 5 Time: 04:04:51 Interface Link Input packets (pps) Output packets (pps) . 166594 packets received...15.net Implementing High Availability Techniques (Detailed) • Lab 8–33 . Then issue the ping 172. issue the run monitor interface traffic command.1): 56 data bytes !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! .juniper. From the Telnet session established with SRX1.12 Return to the Telnet session established with the virtual router. cancel it with the Ctrl+c key combination.15.. www.997/64..1 rapid count 1000000 routing-instance reth1-VR PING 172. Press Ctrl + d or Ctrl + u to scroll down or up. ge-0/0/2 Up 0 (0) 4304107 (4) ge-0/0/3 Up 8006370 (231) 8000898 (231) ge-0/0/4 Up 3365327 (0) 3365369 (0) ge-0/0/5 Up 764832 (231) 763742 (231) ge-0/0/6 Up 0 (0) 0 (0) . 0% packet loss round-trip min/avg/max/stddev = 2. Junos Security Question: Did disabling the ge-5/0/3 interface cause redundancy group 2 to failover primacy? Answer: Yes. If the ping test is still running from the Telnet session established with the virtual router.172.15.31. .15.120/2.812/4.31. Step 4.

Clear=c. Rate=r. Step 4. Delta=d. fab0 Up 0 (0) 4301297 (4) fab1 Up 0 (0) 4301297 (4) . The traffic path does not involve the fabric link... Down=^D Question: Which child interface of reth1 is the traffic traveling through? Answer: The traffic is traveling through the ge-0/0/5 interface. Once you are finished. {primary:node0}[edit] [email protected]# delete interfaces ge-5/0/3 disable {primary:node0}[edit] [email protected]# commit and-quit Lab 8–34 • Implementing High Availability Techniques (Detailed) www. commit the configuration and exit to operational mode. Question: Is the fabric link being used for this traffic? Answer: No. Packets=p. Quit=q or ESC. reth0 Up 3365455 (0) 3365369 (0) reth1 Up 4664221 (231) 4662735 (231) st0 Up 0 (0) 0 (0) tap Up 0 0 Bytes=b.Junos Security ge-5/0/3 Down 5066 (0) 602 (0) ge-5/0/4 Up 128 (0) 0 (0) ge-5/0/5 Up 3872438 (0) 3871958 (0) ge-5/0/6 Up 0 (0) 0 (0) .net ..juniper.14 Remove the disable option that was placed on the ge-5/0/3 interface. Up=^U.. Question: What is the next step in the path for this traffic? Answer: The traffic is traveling through the ge-0/0/3 interface towards the Internet Host.

Failover count: 1 node0 200 primary no no node1 100 secondary no no Redundancy group: 2 ..15 Issue the show chassis cluster status command. press Ctrl + c to stop the ping traffic. {primary:node0} [email protected]> show chassis cluster status Cluster ID: 1 Node Priority Status Preempt Manual failover Redundancy group: 0 .1 ping statistics --- 409132 packets transmitted. 409132 packets received.172. This command allows the node that originally had primacy to reacquire it when the failure condition is fixed.15.net Implementing High Availability Techniques (Detailed) • Lab 8–35 . !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!^C --. Then. log out of the vr-device. Failover count: 1 node0 1 primary no no node1 254 secondary no no Redundancy group: 1 . From the Telnet session established with the virtual router.16 Return to the Telnet session established with the virtual router.. . Step 4. 0% packet loss www.juniper. Junos Security node0: configuration check succeeds node1: commit complete node0: commit complete Exiting configuration mode {primary:node0} [email protected]> Step 4. Failover count: 4 node0 100 secondary yes no node1 200 primary yes no Question: Why did the primacy for redundancy group 2 fail back over to node1? Answer: The preempt command is enabled for redundancy group 2.31.

1R1. From the Telnet session established with SRX1. Step 5.JUNOS 12. You will then load the reset configuration on each node.3 Enter configuration mode and issue the load override /var/home/lab/ jsec/reset. log in using the lab user account.net .config command to load the reset configuration. you break down the chassis cluster implementation.2 Once the SRX1 device reboots. SrxX-1 currently has no configured host name. Going to reboot now{primary:node0} [email protected]> *** FINAL System shutdown message from [email protected] *** System going down IMMEDIATELY Step 5. Commit the configuration and exit to operational mode.Junos Security round-trip min/avg/max/stddev = 2. Amnesiac (ttyu0) login: lab Password: --.juniper.9 built 2012-03-24 12:12:49 UTC lab> Step 5.107 ms [email protected]> exit Part 5: Disabling the Chassis Cluster In this lab part. issue the set chassis cluster disable reboot command. {primary:node0} [email protected]> set chassis cluster disable reboot Successfully disabled chassis cluster.750/4.1 Return to the Telnet session established with your assigned SRX device. Recall that apply-groups were used to implement the host name during chassis clustering. Note The Amnesiac banner is displayed and there is no host name for Node 0. lab> configure Entering configuration mode [edit] lab# load override jsec/reset.411/2.config load complete Lab 8–36 • Implementing High Availability Techniques (Detailed) www.292/23.

Issue the set chassis cluster disable reboot command.net Implementing High Availability Techniques (Detailed) • Lab 8–37 . Note The Amnesiac banner is displayed and there is no host name for Node 1. Junos Security [edit] lab# commit and-quit commit complete Exiting configuration mode [email protected]> Step 5.9 built 2012-03-24 12:12:49 UTC {primary:node1} [email protected]> set chassis cluster disable reboot Successfully disabled chassis cluster.4 Log in to the SRX2 device using the lab user account. Amnesiac (ttyu0) login: lab Password: --.juniper. Recall that apply-groups were used to implement the host name during chassis clustering. SrxX-1 currently has no configured host name. log in using the lab user account.JUNOS 12.1R1. Going to reboot now {primary:node1} [email protected]> *** FINAL System shutdown message from [email protected] *** System going down IMMEDIATELY Step 5. Commit the configuration and exit to operational mode.9 built 2012-03-24 12:12:49 UTC lab> Step 5. srxC-2 (ttyu0) login: lab Password: --.5 Once the SRX2 device reboots. lab> configure Entering configuration mode www.6 Enter configuration mode and issue the load override /var/home/lab/ jsec/reset.JUNOS 12.config command to load the reset configuration.1R1.

Junos Security [edit] lab# load override jsec/reset.net . Lab 8–38 • Implementing High Availability Techniques (Detailed) www.juniper.config load complete [edit] lab# commit and-quit commit complete Exiting configuration mode [email protected]> STOP Tell your instructor that you have completed Lab 8.

Junos Security Appendix A: Lab Diagrams .

net .juniper.Junos Security A–2 • Lab Diagrams www.

Junos Security

www.juniper.net Lab Diagrams • A–3

Junos Security

A–4 • Lab Diagrams www.juniper.net

Junos Security

www.juniper.net Lab Diagrams • A–5

Junos Security

A–6 • Lab Diagrams www.juniper.net

net Lab Diagrams • A–7 . Junos Security www.juniper.

juniper.Junos Security A–8 • Lab Diagrams www.net .