Juniper vSRX Notes
All these notes are based on configuring JunOS v15.1X49 for Hyper-V and Azure.
Some helpful online resources:
- JunOS Troubleshooting
- JunOS-host Zone
- Configure Dynamic VPN
- Configure Dynamic VPN via J-Web
- Configure Dynamic VPN with LDAP authentication here and here
- NAT examples here and here
- Active Directory LDAP Integration here and here
- Monitoring tips
- Enabling Logging
Configurations:
Enable Management interface:
cli
configure
set system root-authentication plain-text-password
set system host-name host-name
set interfaces fxp0 unit 0 family inet dhcp-client
set interfaces ge-0/0/0 unit 0 family inet dhcp-client
set security zones security-zone trust interfaces ge-0/0/0.0
commit check
commit
Enable Web HTTPS web interface:
configure
edit system services
set web-management https system-generated-certificate
commit
List all interface IP's:
run show interfaces terse
Display MAC address of interface:
show interfaces
Monitor interface statistics:
monitor interface ge-0/0/0.0
monitor traffic interface ge-0/0/1.0 matching "host 192.168.200.4" no-resolve
monitor traffic interface ge-0/0/1.0 matching icmp
monitor traffic interface ge-0/0/1.0 no-resolve detail
monitor traffic interface ge-0/0/1.0 matching "host 192.168.200.4" no-resolve write-file vm1.pcap
show system uptime
NAT'ing examples:
Example: SNAT from internal (Servers) zone to untrust (WAN):
Example: DNAT from untrust (WAN) to DMZ host (dmz1):
set security nat destination pool WAN-to-dmz1 address 10.6.0.2/32
set security nat destination rule-set DNAT-WAN-to-dmz1 from interface ge-0/0/0.0
set security nat destination rule-set DNAT-WAN-to-dmz1 rule DNAT-Rule-WAN-to-dmz1 match destination-address 192.168.0.4/32
set security nat destination rule-set DNAT-WAN-to-dmz1 rule DNAT-Rule-WAN-to-dmz1 then destination-nat pool WAN-to-dmz1
#set security nat proxy-arp interface ge-0/0/0.0 address 192.168.0.4/32
set security address-book global address dmz1 10.6.0.2/32
set security policies from-zone untrust to-zone DMZ policy WAN-to-dmz1 match source-address any
set security policies from-zone untrust to-zone DMZ policy WAN-to-dmz1 match destination-address dmz1
set security policies from-zone untrust to-zone DMZ policy WAN-to-dmz1 match application any
set security policies from-zone untrust to-zone DMZ policy WAN-to-dmz1 then permit
commit
Static Route:
set routing-options static route 0.0.0.0/0 next-hop 192.168.0.1
Configuration Management:
show | compare rollback 1
show configuration | display set
save ftp://username:password@host/filename.cfg
Or to be prompted for the password;
save ftp://username@host/filename.cfg
load replace ftp://username:password@host/filename.cfg
List all saved configurations:
rollback ?
Or via J-Web:
Administration > Device > Config Management > History
Setting a rescue configuration:
request system configuration rescue save
Restoring a rescue configuration:
rollback rescue
To take an exclusive lock on the candidate configuration (no other user can edit it) and discard uncommitted changes upon exit:
configure exclusive
Find particular phrases in the configuration:
show security | find WAN
Monitoring network traffic flows:
show security flow session
Or via J-Web:
Monitor > Security > Flow Session, select the search parameters > [Search]
View Policy activity:
show security policies hit-count
Set NTP settings:
set system time-zone Australia/Melbourne
set system ntp boot-server 0.au.pool.ntp.org
run set date ntp 0.au.pool.ntp.org
Renew DHCP address on interface:
request dhcp client renew [all|interface <interface-name>]
Set static IP for Management interface:
delete interfaces fxp0 unit 0 family inet dhcp-client
set interfaces fxp0 unit 0 family inet address 172.17.17.17/24
commit check
commit
AD LDAP Integration:
edit services user-identification
set active-directory-access domain magrin.local user-group-mapping ldap base DC=magrin,DC=local user Administrator password MySecretPassword6!
set active-directory-access domain magrin.local user Administrator password MySecretPassword6!
set active-directory-access domain magrin.local domain-controller dc1 address 10.2.0.3
exit
edit access profile profile1
set authentication-order ldap
set authentication-order password
set ldap-options base-distinguished-name CN=Users,DC=magrin,DC=local
set ldap-options search search-filter sAMAccountName=
set ldap-options search admin-search distinguished-name CN=Administrator,CN=Users,DC=magrin,DC=local
set ldap-options search admin-search password MySecretPassword6!
set ldap-server 10.2.0.3
set ldap-server 10.2.0.3 tls-type start-tls
set ldap-server 10.2.0.3 tls-peer-name peername
set ldap-server 10.2.0.3 tls-timeout 3
set ldap-server 10.2.0.3 tls-min-version v1.2
set ldap-server 10.2.0.3 no-tls-certificate-check
exit
edit security policies from-zone Servers to-zone untrust policy Unauthenticated-Users
set match source-address any
set match destination-address any
set match application any
set match source-identity unauthenticated-user
set match source-identity unknown-user
set then permit firewall-authentication user-firewall access-profile profile1
set then permit firewall-authentication user-firewall domain magrin.local
exit
edit security policies from-zone Servers to-zone untrust policy AD-Unauthenticated-Users
set match source-address any
set match destination-address any
set match application any
set match source-identity "magrin.local\InternetUsersACL"
set then permit
exit
edit security
set user-identification authentication-source active-directory-authentication-table priority 125
exit
show services user-identification active-directory-access
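As an added example (not part of the original notes), a small Python check that reads `show configuration | display set` output and flags the weak spots in the blocks above: the `no-tls-certificate-check` on the LDAP server (the StartTLS session can then be intercepted and the admin bind credentials exposed), an LDAP server with no TLS at all, a self-signed J-Web certificate, and an untrust policy permitting any application from any source. The sample input is constructed from this page's own configuration; the regexes assume standard `display set` formatting.

```python
"""Audit Junos 'show configuration | display set' output for risky settings.

Added example, not from the original notes. SAMPLE_CONFIG is constructed
from the LDAP, NAT and J-Web snippets on this page.
"""
import re

SAMPLE_CONFIG = """\
set access profile profile1 ldap-server 10.2.0.3 tls-type start-tls
set access profile profile1 ldap-server 10.2.0.3 tls-min-version v1.2
set access profile profile1 ldap-server 10.2.0.3 no-tls-certificate-check
set security policies from-zone untrust to-zone DMZ policy WAN-to-dmz1 match source-address any
set security policies from-zone untrust to-zone DMZ policy WAN-to-dmz1 match destination-address dmz1
set security policies from-zone untrust to-zone DMZ policy WAN-to-dmz1 match application any
set security policies from-zone untrust to-zone DMZ policy WAN-to-dmz1 then permit
set system services web-management https system-generated-certificate
"""

LDAP_RE = re.compile(r"^set access profile (\S+) ldap-server (\S+) (.*)$")
POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (match|then) (.*)$")


def audit(config_text):
    """Return a list of (severity, message) findings for display-set text."""
    findings = []
    ldap = {}      # (profile, server) -> set of option strings
    policies = {}  # (from_zone, to_zone, name) -> {"match": [...], "then": [...]}
    for line in config_text.splitlines():
        line = line.strip()
        m = LDAP_RE.match(line)
        if m:
            ldap.setdefault((m.group(1), m.group(2)), set()).add(m.group(3))
            continue
        m = POLICY_RE.match(line)
        if m:
            pol = policies.setdefault(m.group(1, 2, 3), {"match": [], "then": []})
            pol[m.group(4)].append(m.group(5))
            continue
        if "web-management https system-generated-certificate" in line:
            findings.append(("low", "J-Web uses a self-signed certificate; clients cannot verify the device"))
    for (profile, server), opts in ldap.items():
        if "no-tls-certificate-check" in opts:
            findings.append(("high", f"profile {profile}: LDAP server {server} skips TLS certificate validation"))
        if not any(o.startswith("tls-type") for o in opts):
            findings.append(("high", f"profile {profile}: LDAP server {server} binds without TLS (cleartext credentials)"))
    for (src, dst, name), pol in policies.items():
        if (src == "untrust" and "permit" in pol["then"]
                and "source-address any" in pol["match"] and "application any" in pol["match"]):
            findings.append(("medium", f"policy {name} ({src}->{dst}) permits any application from any untrust source"))
    return findings
```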
Running an operational command under a configuration prompt: