Juniper vSRX Notes

All these notes are based on configuring JunOS v15.1X49 for Hyper-V and Azure.

Some helpful online resources:

Configurations:

Enable the management interface (fxp0, the out-of-band management port on vSRX) and the first data interface, both via DHCP. The root-authentication command prompts for the password interactively, so it never lands in the command history:

cli
configure
set system root-authentication plain-text-password
set system host-name host-name
set interfaces fxp0 unit 0 family inet dhcp-client
set interfaces ge-0/0/0 unit 0 family inet dhcp-client
set security zones security-zone trust interfaces ge-0/0/0.0
commit check
commit


Enable the J-Web HTTPS interface. The system-generated certificate is self-signed, so clients cannot validate it; for anything beyond a lab, load a proper certificate and pin the service to the management interface (an `interface fxp0.0` statement under the same `web-management https` hierarchy) so it is not reachable from the data-plane zones:


configure
edit system services
set web-management https system-generated-certificate
commit


List all interface IPs (typed from configuration mode here, hence the `run` prefix; drop it at the operational prompt):


run show interfaces terse


Display the MAC address of an interface (reported as "Current address" / "Hardware address" in the output):


show interfaces


Monitor interface statistics and capture traffic. `write-file` stores the pcap on the device's filesystem; fetch it with `file copy` for analysis in Wireshark. `monitor traffic` runs on the Routing Engine, so on platforms where it only sees control-plane traffic (packets to or from the SRX itself) use the flow session table, or the packet-capture/datapath-debug facilities, to look at transit flows:


monitor interface ge-0/0/0.0
monitor traffic interface ge-0/0/1.0 matching "host 192.168.200.4" no-resolve
monitor traffic interface ge-0/0/1.0 matching icmp
monitor traffic interface ge-0/0/1.0 no-resolve detail
monitor traffic interface ge-0/0/1.0 matching "host 192.168.200.4" no-resolve write-file vm1.pcap
show system uptime


NAT examples:

Example: interface-based source NAT from the internal (Servers) zone to untrust (WAN). Source NAT is applied after the policy lookup, so the policy matches the original (private) source addresses:

set security policies from-zone Servers to-zone untrust policy Servers-to-untrust match source-address any
set security policies from-zone Servers to-zone untrust policy Servers-to-untrust match destination-address any
set security policies from-zone Servers to-zone untrust policy Servers-to-untrust match application any
set security policies from-zone Servers to-zone untrust policy Servers-to-untrust then permit
set security nat source rule-set SNAT-Servers-to-untrusted from zone Servers
set security nat source rule-set SNAT-Servers-to-untrusted to zone untrust
set security nat source rule-set SNAT-Servers-to-untrusted rule SNAT-Rule-Servers-to-untrusted match source-address 0.0.0.0/0
set security nat source rule-set SNAT-Servers-to-untrusted rule SNAT-Rule-Servers-to-untrusted then source-nat interface
commit

Example: static destination NAT from untrust (WAN) to a DMZ host (dmz1). Destination NAT is applied before the policy lookup, so the policy must match the translated address dmz1 (10.6.0.2), not the public 192.168.0.4. The commented-out proxy-arp line is only required when 192.168.0.4 is in the subnet of ge-0/0/0.0 but is not an address configured on the interface itself; without it the SRX will not answer ARP for the public address and the DNAT rule never sees any traffic:

set security nat destination pool WAN-to-dmz1 address 10.6.0.2/32

set security nat destination rule-set DNAT-WAN-to-dmz1 from interface ge-0/0/0.0
set security nat destination rule-set DNAT-WAN-to-dmz1 rule DNAT-Rule-WAN-to-dmz1 match destination-address 192.168.0.4/32
set security nat destination rule-set DNAT-WAN-to-dmz1 rule DNAT-Rule-WAN-to-dmz1 then destination-nat pool WAN-to-dmz1
#set security nat proxy-arp interface ge-0/0/0.0 address 192.168.0.4/32
set security address-book global address dmz1 10.6.0.2/32
set security policies from-zone untrust to-zone DMZ policy WAN-to-dmz1 match source-address any
set security policies from-zone untrust to-zone DMZ policy WAN-to-dmz1 match destination-address dmz1
set security policies from-zone untrust to-zone DMZ policy WAN-to-dmz1 match application any
set security policies from-zone untrust to-zone DMZ policy WAN-to-dmz1 then permit
commit
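The two patterns above, as an added example that is not part of the notes: a generator that emits the same set-commands for any zone/host pair, refuses the most common DNAT mistake (a policy that matches the public address instead of the translated one) and decides whether the proxy-arp line is needed. Zone names, interfaces and addresses come from the notes; the address assumed for ge-0/0/0.0 in the usage at the bottom and the helper names are this example's assumptions.

```python
# Added example, not from the notes: emit Junos set-commands for the SNAT and
# DNAT patterns above. The ge-0/0/0.0 interface address used in the usage at
# the bottom is an assumption.
from ipaddress import ip_address, ip_interface, ip_network
from typing import List, Optional


def snat_interface(from_zone: str, to_zone: str) -> List[str]:
    """Permit from_zone -> to_zone and hide every source behind the egress
    interface address (interface-based source NAT). Source NAT runs after the
    policy lookup, so the policy matches the original private sources."""
    pol = (f"set security policies from-zone {from_zone} to-zone {to_zone} "
           f"policy {from_zone}-to-{to_zone}")
    rs = f"set security nat source rule-set SNAT-{from_zone}-to-{to_zone}"
    rule = f"{rs} rule SNAT-Rule-{from_zone}-to-{to_zone}"
    return [
        f"{pol} match source-address any",
        f"{pol} match destination-address any",
        f"{pol} match application any",
        f"{pol} then permit",
        f"{rs} from zone {from_zone}",
        f"{rs} to zone {to_zone}",
        f"{rule} match source-address 0.0.0.0/0",
        f"{rule} then source-nat interface",
    ]


def policy_covers_host(policy_prefix: str, host_ip: str) -> bool:
    """Destination NAT is applied before the policy lookup, so the policy's
    destination must cover the translated (internal) host address."""
    return ip_address(host_ip) in ip_network(policy_prefix, strict=False)


def needs_proxy_arp(ingress_addr: Optional[str], public_ip: str) -> bool:
    """The SRX only answers ARP for addresses it owns. If the public address is
    in the ingress interface's subnet but is not the interface's own address,
    a proxy-arp entry is required or the DNAT rule never sees any traffic."""
    if ingress_addr is None:
        return False
    iface = ip_interface(ingress_addr)
    pub = ip_address(public_ip)
    return pub != iface.ip and pub in iface.network


def dnat_static(host: str, host_ip: str, public_ip: str, ingress_if: str,
                ingress_addr: Optional[str], from_zone: str, to_zone: str,
                policy_prefix: str) -> List[str]:
    """Static DNAT public_ip -> host_ip plus the policy that allows it."""
    if not policy_covers_host(policy_prefix, host_ip):
        raise ValueError(
            f"policy destination {policy_prefix} does not cover {host_ip}; "
            "it must match the translated address, not the public one")
    pool = f"WAN-to-{host}"
    rs = f"set security nat destination rule-set DNAT-WAN-to-{host}"
    rule = f"{rs} rule DNAT-Rule-WAN-to-{host}"
    pol = (f"set security policies from-zone {from_zone} to-zone {to_zone} "
           f"policy WAN-to-{host}")
    lines = [
        f"set security nat destination pool {pool} address {host_ip}/32",
        f"{rs} from interface {ingress_if}",
        f"{rule} match destination-address {public_ip}/32",
        f"{rule} then destination-nat pool {pool}",
    ]
    if needs_proxy_arp(ingress_addr, public_ip):
        lines.append(f"set security nat proxy-arp interface {ingress_if} "
                     f"address {public_ip}/32")
    lines += [
        f"set security address-book global address {host} {policy_prefix}",
        f"{pol} match source-address any",
        f"{pol} match destination-address {host}",
        f"{pol} match application any",
        f"{pol} then permit",
    ]
    return lines


if __name__ == "__main__":
    for line in snat_interface("Servers", "untrust"):
        print(line)
    # Assumed: ge-0/0/0.0 holds 192.168.0.5/24, so 192.168.0.4 needs proxy-arp.
    for line in dnat_static("dmz1", "10.6.0.2", "192.168.0.4", "ge-0/0/0.0",
                            "192.168.0.5/24", "untrust", "DMZ", "10.6.0.2/32"):
        print(line)
```

Paste the output into `configure`, then `commit check` before `commit`. Passing `192.168.0.4/32` as policy_prefix raises the ValueError instead of producing a policy that silently never matches.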

Static Route:


set routing-options static route 0.0.0.0/0 next-hop 192.168.0.1

Configuration Management:


show | compare rollback 1
show configuration | display set
save ftp://username:password@host/filename.cfg

Or to be prompted for the password:

save ftp://username@host/filename.cfg

load replace ftp://username:password@host/filename.cfg

Note that FTP carries both the credentials and the configuration in cleartext, the configuration contains every `$9$` secret (obfuscated, not encrypted, and reversible), and a password embedded in the URL also ends up in the command history. Outside a lab, save to the local filesystem and move the file over an encrypted channel (for example `file copy` to an scp:// destination), or at least use the prompted form.

List all saved configurations:


rollback ?

Or via J-Web:

Administration > Device > Config Management > History

Setting a rescue configuration:


request system configuration rescue save

Restoring a rescue configuration:


rollback rescue

To lock the candidate configuration so no other user can edit it at the same time (uncommitted changes are discarded when you exit):


configure exclusive

Find particular phrases in the configuration (configuration mode; `| find` jumps to the first match, `| match` lists every matching line):


show security | find WAN

Monitoring network traffic flows (the session table; each session shows both wings, so it also shows what NAT did to the packet):

 
show security flow session

Or via J-Web:

Monitor > Security > Flow Session, select the search parameters > [Search]

View policy hit counts (shows which policies are actually matching traffic, useful for spotting unused or shadowed rules):

show security policies hit-count
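An added example (not from the notes) of reading the session table from a script rather than by eye: it parses `show security flow session` output, reports whether each session was source- or destination-translated by comparing its two wings, and counts live sessions per policy, which is a quick check that the NAT rules above are actually translating. The sample output is constructed to resemble the real format (addresses, session IDs and interface assignments are assumptions); newer releases print extra fields such as `Conn Tag`, which the regex tolerates.

```python
# Added example, not from the notes: parse "show security flow session" output
# and show which sessions were translated and which policy they matched.
# SAMPLE is constructed to resemble the real output; its addresses, session
# IDs and interface assignments are assumptions.
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Set

SAMPLE = """\
Session ID: 20160, Policy name: WAN-to-dmz1/5, Timeout: 1786, Valid
  In: 203.0.113.50/51234 --> 192.168.0.4/443;tcp, If: ge-0/0/0.0, Pkts: 12, Bytes: 1588
  Out: 10.6.0.2/443 --> 203.0.113.50/51234;tcp, If: ge-0/0/1.0, Pkts: 10, Bytes: 4231
Session ID: 20161, Policy name: Servers-to-untrust/4, Timeout: 58, Valid
  In: 10.6.0.7/39911 --> 1.1.1.1/53;udp, If: ge-0/0/1.0, Pkts: 1, Bytes: 72
  Out: 1.1.1.1/53 --> 192.168.0.5/39911;udp, If: ge-0/0/0.0, Pkts: 1, Bytes: 120
Session ID: 20162, Policy name: Servers-to-untrust/4, Timeout: 1790, Valid
  In: 10.6.0.7/44100 --> 198.51.100.20/22;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 40, Bytes: 5120,
  Out: 198.51.100.20/22 --> 192.168.0.5/44100;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 38, Bytes: 6011,
Total sessions: 3
"""

SESSION_RE = re.compile(
    r"^Session ID: (\d+), Policy name: ([^/,]+)/\d+, Timeout: (\d+), (\w+)")
# Newer releases add "Conn Tag: 0x0," and a trailing comma; both are optional here.
LEG_RE = re.compile(
    r"^\s*(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+),(?: Conn Tag: \S+,)? "
    r"If: (\S+), Pkts: (\d+), Bytes: (\d+),?\s*$")


@dataclass
class Leg:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    iface: str
    pkts: int
    nbytes: int


@dataclass
class Session:
    sid: int
    policy: str
    timeout: int
    state: str
    legs: Dict[str, Leg] = field(default_factory=dict)


def parse_sessions(text: str) -> List[Session]:
    """Turn the CLI output into Session objects, each with an In and Out wing."""
    sessions: List[Session] = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions.append(Session(int(m[1]), m[2], int(m[3]), m[4]))
            continue
        m = LEG_RE.match(line)
        if m and sessions:
            sessions[-1].legs[m[1]] = Leg(m[2], int(m[3]), m[4], int(m[5]),
                                          m[6], m[7], int(m[8]), int(m[9]))
    return sessions


def nat_applied(s: Session) -> Set[str]:
    """The Out wing is the reply direction as seen after translation. If the
    reply is not addressed to the original source, source NAT happened; if the
    reply does not come from the original destination, destination NAT did."""
    if "In" not in s.legs or "Out" not in s.legs:
        return set()
    i, o = s.legs["In"], s.legs["Out"]
    kinds: Set[str] = set()
    if (i.src, i.sport) != (o.dst, o.dport):
        kinds.add("source")
    if (i.dst, i.dport) != (o.src, o.sport):
        kinds.add("destination")
    return kinds


def sessions_per_policy(sessions: List[Session]) -> Counter:
    """How many live sessions each policy is carrying right now."""
    return Counter(s.policy for s in sessions)


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE)
    for s in sessions:
        print(s.sid, s.policy, sorted(nat_applied(s)) or ["none"])
    print(dict(sessions_per_policy(sessions)))
```

Feed it real output captured with `show security flow session | no-more` and compare the per-policy counts with `show security policies hit-count`; a policy with hits but no sessions is short-lived traffic, a DNAT policy whose sessions show no destination translation means the NAT rule-set is not matching.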

Set the time zone and NTP. The first two lines are configuration (boot-server only syncs the clock at boot; for continuous synchronisation also configure `system ntp server`), while `set date ntp` is an operational command that forces an immediate sync and is typed at the operational prompt:


set system time-zone Australia/Melbourne
set system ntp boot-server 0.au.pool.ntp.org
set date ntp 0.au.pool.ntp.org


Renew DHCP address on interface:


request dhcp client renew [all|interface <interface-name>]
 

Set a static IP for the management interface. If you are connected through the fxp0 DHCP address you will lose the session when the new address commits; `commit confirmed` (which rolls back automatically unless the commit is confirmed in time) is the safer way to do this:

delete interfaces fxp0 unit 0 family inet dhcp-client
set interfaces fxp0 unit 0 family inet address 172.17.17.17/24
commit check
commit


AD LDAP Integration (integrated user firewall):

Caveats before copying this block: the bind account here is the domain Administrator, which is far more privilege than an LDAP lookup needs; use a dedicated read-only service account. `no-tls-certificate-check` disables validation of the domain controller's certificate, so the StartTLS session can be intercepted; in production install the issuing CA on the SRX, set `tls-peer-name` to the name in the DC's real certificate (the `peername` below is a placeholder) and drop that statement. Passwords are stored in the committed configuration as `$9$` strings, which are obfuscated rather than encrypted and are reversible, so treat saved configurations as secrets.


edit services user-identification
set active-directory-access domain magrin.local user-group-mapping ldap base DC=magrin,DC=local user Administrator password MySecretPassword6!
set active-directory-access domain magrin.local user Administrator password MySecretPassword6!
set active-directory-access domain magrin.local domain-controller dc1 address 10.2.0.3
exit
edit access profile profile1
set authentication-order ldap
set authentication-order password
set ldap-options base-distinguished-name CN=Users,DC=magrin,DC=local
set ldap-options search search-filter sAMAccountName=
set ldap-options search admin-search distinguished-name CN=Administrator,CN=Users,DC=magrin,DC=local
set ldap-options search admin-search password MySecretPassword6!
set ldap-server 10.2.0.3
set ldap-server 10.2.0.3 tls-type start-tls
set ldap-server 10.2.0.3 tls-peer-name peername
set ldap-server 10.2.0.3 tls-timeout 3
set ldap-server 10.2.0.3 tls-min-version v1.2
set ldap-server 10.2.0.3 no-tls-certificate-check
exit
edit security policies from-zone Servers to-zone untrust policy Unauthenticated-Users
set match source-address any
set match destination-address any
set match application any
set match source-identity unauthenticated-user
set match source-identity unknown-user
set then permit firewall-authentication user-firewall access-profile profile1
set then permit firewall-authentication user-firewall domain magrin.local
exit
edit security policies from-zone Servers to-zone untrust policy AD-Unauthenticated-Users
set match source-address any
set match destination-address any
set match application any
set match source-identity "magrin.local\InternetUsersACL"
set then permit
exit
edit security
set user-identification authentication-source active-directory-authentication-table priority 125
exit
Verify the domain-controller connection and the learned user table from the operational prompt (append `domain-controller status` or `active-directory-authentication-table all` to the command below):

show services user-identification active-directory-access
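As an added example (not from the notes) tying the `show configuration | display set` output above to these review points: a small audit that reads set-format configuration and flags J-Web left reachable from every zone, LDAP servers bound without TLS or with certificate checking disabled, and inbound policies from untrust that permit `application any`. SAMPLE is constructed from the set-commands in these notes plus one extra LDAP server (10.2.0.4) added for illustration; the set of checks is this example's choice, not a Juniper feature.

```python
# Added example, not from the notes: audit "display set" output for the weak
# settings discussed in these notes. SAMPLE is constructed from the notes'
# own set-commands; the second ldap-server (10.2.0.4) is an assumption.
import re
from typing import Dict, List, Set, Tuple

SAMPLE = """\
set system services web-management https system-generated-certificate
set access profile profile1 ldap-server 10.2.0.3 tls-type start-tls
set access profile profile1 ldap-server 10.2.0.3 no-tls-certificate-check
set access profile profile1 ldap-server 10.2.0.4
set security policies from-zone untrust to-zone DMZ policy WAN-to-dmz1 match source-address any
set security policies from-zone untrust to-zone DMZ policy WAN-to-dmz1 match destination-address dmz1
set security policies from-zone untrust to-zone DMZ policy WAN-to-dmz1 match application any
set security policies from-zone untrust to-zone DMZ policy WAN-to-dmz1 then permit
set security policies from-zone Servers to-zone untrust policy Servers-to-untrust match application any
set security policies from-zone Servers to-zone untrust policy Servers-to-untrust then permit
"""

LDAP_RE = re.compile(r"^set access profile (\S+) ldap-server (\S+)(?: (.*))?$")
POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (.+)$")


def audit(config: str) -> List[str]:
    """Return one finding string per weak setting found in set-format config."""
    findings: List[str] = []
    lines = [l.strip() for l in config.splitlines() if l.strip()]

    # J-Web: cleartext HTTP, or HTTPS not restricted to a specific interface.
    web = [l for l in lines if l.startswith("set system services web-management ")]
    if any(l == "set system services web-management http"
           or l.startswith("set system services web-management http ") for l in web):
        findings.append("web-management http: J-Web served over cleartext HTTP")
    if (any("web-management https" in l for l in web)
            and not any("web-management https interface" in l for l in web)):
        findings.append("web-management https not pinned to an interface (e.g. "
                        "fxp0.0): reachable from any zone whose host-inbound-"
                        "traffic allows https")

    # LDAP: collect the options set per (profile, server) and check each.
    ldap: Dict[Tuple[str, str], Set[str]] = {}
    for l in lines:
        m = LDAP_RE.match(l)
        if m:
            ldap.setdefault((m[1], m[2]), set()).add(m[3] or "")
    for (profile, server), opts in ldap.items():
        if not any(o.startswith("tls-type") for o in opts):
            findings.append(f"ldap-server {server} in profile {profile}: no "
                            "tls-type, so bind credentials and user passwords "
                            "cross the wire in cleartext")
        if "no-tls-certificate-check" in opts:
            findings.append(f"ldap-server {server} in profile {profile}: "
                            "no-tls-certificate-check disables server "
                            "certificate validation, so StartTLS can be "
                            "intercepted")

    # Policies: anything permitted inbound from untrust with "application any".
    pols: Dict[Tuple[str, str, str], Set[str]] = {}
    for l in lines:
        m = POLICY_RE.match(l)
        if m:
            pols.setdefault((m[1], m[2], m[3]), set()).add(m[4])
    for (fz, tz, name), terms in pols.items():
        if fz == "untrust" and "then permit" in terms and "match application any" in terms:
            findings.append(f"policy {name} ({fz}->{tz}): permits any application "
                            "inbound from untrust; restrict it to the published service")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print("-", f)
```

Run it against `show configuration | display set | no-more` pasted into a file; each finding names the exact hierarchy to fix, and the LDAP check still fires on a server that has `tls-type` but `no-tls-certificate-check`, which is the combination in the block above.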
 

Running an operational command from the configuration prompt (prefix it with `run`):

root@vsrx> configure
root@vsrx# run ping 1.1.1.1