Juniper SRX Firewall – Allow ‘Ping’

KB ID 0000706 

Problem

I was working on an SRX100B Firewall yesterday, and needed to be able to ping the outside interface.

Solution

Note: You can quickly enable ping on a physical interface from CLI like so;

[box] set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping [/box]

1. Log into the web console of the Juniper.

2. Navigate to Security > Zones/Screen > Select the ‘Untrust’ Zone > Edit > Host inbound traffic – Interface > Under Interface services add in ‘ping’ > OK.

Note: To allow pinging of the inside interface select the trusted zone.

3. Then to save the change click Action > Commit.

Related Articles, References, Credits, or External Links

Original Article Written 07/11/12


Juniper SRX Firewall – Allow Web Management from Outside

KB ID 0000708 

Problem

Assuming you already have web management enabled, and you want to access it from the outside (the untrusted zone).

Solution

1. Log into the web console of the Juniper.

2. Navigate to Security > Zones/Screen > Select the ‘Untrust’ Zone > Edit > Host inbound traffic – Interface > Select the Outside interface > Under Interface services add in ‘http’ > OK.

3. Then to save the change click Action > Commit.

4. Test Externally.

Related Articles, References, Credits, or External Links

NA


Juniper SRX – Update the Operating System / Firmware

KB ID 0000989 

Problem

With two brand new SRX240 firewalls on the bench my first task was to get them updated to the latest operating system.

Solution

Before you start, download the updated Juniper software.

Option 1 Update the SRX firewall via Command Line

1. Connect to the firewall via either Console cable, telnet, or SSH.

2. Log on and then go to CLI mode, and then configuration mode.

[box] login: root
Password: *******

--- JUNOS 12.1X44-D30.4 built 2014-01-11 03:56:31 UTC

root@FW-02% cli
root@FW-02> configure
Entering configuration mode

[edit]
root@FW-02# [/box]

3. The more observant of you will have noticed that the OS version was already shown in the login banner above, but in case there is any doubt:

[box] root@FW-02# show version
## Last changed: 2014-08-26 21:15:09 GMT
version 12.1X44-D30.4;

[edit]
root@FW-02# exit[/box]

4. I’ve always got 3CDaemon on my laptop, so I’ll copy the update file over via FTP to the /var/tmp folder. (Note: this is done from the shell prompt, not from CLI or configure mode!)

[box]root@FW-02% ftp 10.5.0.2
Connected to 10.5.0.2.
220 3Com 3CDaemon FTP Server Version 2.0
Name (10.5.0.2:root): PeteLong
331 User name ok, need password
Password:********
230 User logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> lcd /var/tmp
Local directory now /cf/var/tmp
ftp> bin
200 Type set to I.
ftp> get junos-srxsme-12.1X47-D10.4-domestic.tgz
local: junos-srxsme-12.1X47-D10.4-domestic.tgz remote: junos-srxsme-12.1X47-D10.4-domestic.tgz
200 PORT command successful.
150 File status OK ; about to open data connection
100% |**************************************************| 158 MB 00:00 ETA
226 Closing data connection; File transfer successful.
166060642 bytes received in 64.50 seconds (2.46 MB/s)
ftp> bye
221 Service closing control connection
root@FW-02%[/box]

5. Now perform the upgrade.

[box] root@FW-02% cli
root@FW-02> request system software add no-copy /var/tmp/junos-srxsme-12.1X47-D10.4-domestic.tgz
NOTICE: Validating configuration against junos-srxsme-12.1X47-D10.4-domestic.tgz
.
NOTICE: Use the 'no-validate' option to skip this if desired.
Formatting alternate root (/dev/da0s2a)...
/dev/da0s2a: 627.4MB (1284940 sectors) block size 16384, fragment size 2048
using 4 cylinder groups of 156.86MB, 10039 blks, 20096 inodes.
super-block backups (for fsck -b #) at:
32, 321280, 642528, 963776
Extracting /var/tmp/junos-srxsme-12.1X47-D10.4-domestic.tgz ...
Checking compatibility with configuration
Initializing...
Verified manifest signed by PackageProduction_12_1_0
Verified junos-12.1X44-D30.4-domestic signed by PackageProduction_12_1_0
Using junos-12.1X47-D10.4-domestic from /altroot/cf/packages/install-tmp/junos-12.1X47-D10.4-domestic
Copying package ...
Verified manifest signed by PackageProduction_12_1_0
Hardware Database regeneration succeeded
Validating against /config/juniper.conf.gz
Usage: license-check -f "<features>" -m -p -q -M -u -U -V
Validation succeeded
Installing package '/altroot/cf/packages/install-tmp/junos-12.1X47-D10.4-domestic' ...
Verified junos-boot-srxsme-12.1X47-D10.4.tgz signed by PackageProduction_12_1_0
Verified junos-srxsme-12.1X47-D10.4-domestic signed by PackageProduction_12_1_0
JUNOS 12.1X47-D10.4 will become active at next reboot
WARNING: A reboot is required to load this software correctly
WARNING: Use the 'request system reboot' command
WARNING: when software installation is complete
Saving state for rollback …

root@FW-02> [/box]

6. Then reboot the firewall.

[box]

root@FW-02> request system reboot
Reboot the system ? [yes,no] (no) yes

Shutdown NOW!
[pid 2749]

root@FW-02>

*** FINAL System shutdown message from root@FW-02 ***

System going down IMMEDIATELY

[/box]

7. Post reboot, check the version again.

[box]

login: root
Password: ********

--- JUNOS 12.1X47-D10.4 built 2014-08-14 22:21:50 UTC

root@FW-02% cli
root@FW-02> configure
Entering configuration mode

[edit]
root@FW-02# show version
## Last changed: 2014-08-26 21:51:09 GMT
version 12.1X47-D10.4;

[edit]
root@FW-02#

[/box]


Option 2 Update the SRX firewall via J-Web

1. To check the current version > Connect to the web console > Dashboard > Software Version.

2. Maintain > Software > Upload Package > Choose File > Browse to the file you downloaded earlier > Upload and Install Package.

Note: Here I have selected ‘Reboot Firewall’, in production you may NOT want to do that until later.

3. It can take a little while, (and look like nothing is happening), time for a coffee.

4. Post reboot, check the version again to make sure it has incremented.

Related Articles, References, Credits, or External Links

NA

Juniper SRX240 – Firewall Cluster (Active / Standby)

KB ID 0000990

Problem

I’ve had very little exposure to JUNOS and Juniper equipment, and later in the year I have to deploy some for a client in a failover cluster. So I had a good look round on the Internet, and found loads of good blog posts and KB articles like this one. The problem is they are all geared to setting up a cluster; they ASSUME you then know about security zones, how to add default routes, set up NAT etc. So they don’t cover that. Yes, you can then set up a cluster, but it has no IP addresses, and you can’t pass any traffic through it! Hopefully this will redress the balance.

Solution

Before you start, you obviously need two physical firewalls running the same OS, and this whole procedure is carried out from the command line (I’m using the console cable).

Things that took me a while to grasp, and that you need to know:

1. The SRX240 has 16 ports numbered ge-0/0/0 to ge-0/0/15; when you cluster the firewalls, the ports on the secondary firewall (node1) are renumbered ge-5/0/0 to ge-5/0/15.

2. As soon as you cluster the firewalls, the first port (on both) is reserved for management. That’s ge-0/0/0 and ge-5/0/0; they are then referred to as fxp0.

3. As soon as you cluster the firewalls, the second port (on both) is reserved for the firewalls’ control plane. That’s ge-0/0/1 and ge-5/0/1; they are then referred to as fxp1.

4. You need to dedicate another port on both firewalls for the firewalls’ data (fabric) link. This can be any port, but to keep things simple I’ll use the next free port on both firewalls (ge-0/0/2 and ge-5/0/2). These will then be referred to as fab0 and fab1 (respectively).

That’s the clustering side of things; what about the networks I’m going to connect to the firewall? Take a look at this diagram;

Both firewalls have a connection to each network (which makes sense if they are going to fail over). I’ve got an ‘outside’ network that connects to the Internet. ‘Inside’ I’ve got two networks, (most people reading this will have one, but remember this is practice for a live client, and they have two data LANs).

As all the networks are connected in two places, where do you assign IP addresses? Well, above you can see the outside connections are plugged into ge-0/0/4 and ge-5/0/4. You add both these physical interfaces to a Reth (Redundant Ethernet interface), and you assign the IP to that. So I have three Reth interfaces, (Reth0 for outside, Reth1 for the first inside network, Reth2 for the second inside network).

So only Reth interfaces have IP addresses? Well no, the fxp0 interface on each physical firewall also gets an IP address (for out-of-band management), and it’s a different one on each firewall.

Step 1: SRX240 Setup a Chassis Cluster.

1. Before we start you need to delete the existing interfaces from the config (ALL of them), otherwise you will get some errors later on when you try and commit (save) the firewall config. Also remove the hostname, we will set that in a minute.

[box] delete interfaces ge-0/0/0
delete interfaces ge-0/0/1
—Repeat for the rest of the interfaces—
delete interfaces ge-0/0/14
delete interfaces ge-0/0/15

delete system host-name[/box]

2. Connect ge-0/0/0 to the management network > Connect ge-5/0/0 to the management network >
Connect ge-0/0/1 on the Primary to ge-5/0/1 on the Standby, (this can’t be changed and will be the fxp1 control link) > Connect ge-0/0/2 on the Primary to ge-5/0/2 on the Standby, (this can be changed and will be the fab0 and fab1 data link).

3. Carry out the following procedure on BOTH firewalls. This sets the host names of the firewalls and the IP addresses of the management interfaces.

[box]set groups node0 system host-name FW-A
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.254.1/24
set groups node1 system host-name FW-B
set groups node1 interfaces fxp0 unit 0 family inet address 192.168.254.2/24
set apply-groups "${node}"[/box]

4. On FW-A (the primary node0) turn on clustering.

[box]set chassis cluster cluster-id 1 node 0 reboot[/box]

5. On FW-B (the secondary node1) turn on clustering.

[box]set chassis cluster cluster-id 1 node 1 reboot[/box]

6. Back on FW-A (the remainder of the config will be done on node0), set the configuration for the data link. Notice I’m deleting the interface again, (I had a lot of bother with this, so let’s play it safe). Then I’m saving the changes with a ‘commit’ command, because at this point, if something is wrong, it will tell you.

[box]delete interfaces ge-0/0/2
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-5/0/2
commit[/box]

Step 2 Create Redundancy Groups

1. Redundancy group 0 is created by default so set the priority for that one first.

[box]root@FW-A# set chassis cluster redundancy-group 0 node 0 priority 100
root@FW-A# set chassis cluster redundancy-group 0 node 1 priority 1[/box]

2. Create a new redundancy group that the Reth interfaces will use.

[box]root@FW-A# set chassis cluster redundancy-group 1 node 0 priority 100
root@FW-A# set chassis cluster redundancy-group 1 node 1 priority 1[/box]

Step 3 Define and Add Physical Interfaces to the Reth Interfaces

1. Define the number of Reth interfaces (two inside and one outside).

[box]root@FW-A# set chassis cluster reth-count 3[/box]

2. Allocate Reth0 to the physical interfaces (for outside).

[box] {primary:node0}[edit]
root@FW-A# edit interfaces

{primary:node0}[edit interfaces]
root@FW-A# set ge-0/0/4 gigether-options redundant-parent reth0
root@FW-A# set ge-5/0/4 gigether-options redundant-parent reth0 [/box]

3. Apply Redundancy group 1 to Reth0 and give it an IP Address.

[box]root@FW-A# set reth0 redundant-ether-options redundancy-group 1
root@FW-A# set reth0 unit 0 family inet address 123.123.123.123/24[/box]

4. Let’s see if that worked.

[box]root@FW-A# show chassis cluster
reth-count 3;
redundancy-group 0 {
node 0 priority 100;
node 1 priority 1;
}
redundancy-group 1 {
node 0 priority 100;
node 1 priority 1;
}[/box]

5. Setup Reth1 (inside). Add the physical interfaces, and apply redundancy group 1 (again).

[box] {primary:node0}[edit]
root@FW-A# edit interfaces

{primary:node0}[edit interfaces]
root@FW-A# set ge-0/0/8 gigether-options redundant-parent reth1
root@FW-A# set ge-5/0/8 gigether-options redundant-parent reth1
root@FW-A# set reth1 redundant-ether-options redundancy-group 1
root@FW-A# set reth1 unit 0 family inet address 192.168.20.1/24 [/box]

6. Setup Reth2 (inside). Add the physical interfaces, and apply redundancy group 1 (again) then save the changes.

[box] {primary:node0}[edit]
root@FW-A# edit interfaces

{primary:node0}[edit interfaces]
root@FW-A# set ge-0/0/12 gigether-options redundant-parent reth2
root@FW-A# set ge-5/0/12 gigether-options redundant-parent reth2
root@FW-A# set reth2 redundant-ether-options redundancy-group 1
root@FW-A# set reth2 unit 0 family inet address 192.168.50.1/24
{primary:node0}[edit interfaces]
root@FW-A# exit

{primary:node0}[edit]
root@FW-A# commit
node0:
commit complete

{primary:node0}[edit]
root@FW-A# [/box]

7. Then add the six physical interfaces that make up all the Reth interfaces to redundancy group 1 as monitored interfaces, and give each interface a ‘weighting’ of 255. (A redundancy group’s failover threshold is 255, so a weight of 255 means any one of these links going down fails the whole group over to the other node.)

[box] {primary:node0}[edit]
root@FW-A# set chassis cluster redundancy-group 1 interface-monitor ge-0/0/4 weight 255

{primary:node0}[edit]
root@FW-A# set chassis cluster redundancy-group 1 interface-monitor ge-0/0/8 weight 255

{primary:node0}[edit]
root@FW-A# set chassis cluster redundancy-group 1 interface-monitor ge-0/0/12 weight 255

{primary:node0}[edit]
root@FW-A# set chassis cluster redundancy-group 1 interface-monitor ge-5/0/4 weight 255

{primary:node0}[edit]
root@FW-A# set chassis cluster redundancy-group 1 interface-monitor ge-5/0/8 weight 255

{primary:node0}[edit]
root@FW-A# set chassis cluster redundancy-group 1 interface-monitor ge-5/0/12 weight 255 [/box]
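What those priorities (Step 2) and weights (Step 7) actually do, as an added example (a simplified Python model I wrote, not Juniper’s code): each redundancy group keeps a threshold of 255 per node, every monitored interface that goes down subtracts its weight from its node’s threshold, a node whose threshold reaches 0 loses the group, and because preempt is off by default a recovered node does not take the group back. The node, group and interface names are the ones used above; the `article_rg1` helper is mine.

```python
"""Simplified model of how an SRX redundancy group decides its primary node.

Added example, not Juniper code. Rules modelled:
  * each node starts every redundancy group with a threshold of 255;
  * a monitored interface that is down subtracts its weight from the
    threshold of the node that owns it;
  * a node whose threshold reaches 0 is treated as priority 0 and cannot
    hold the group, so the group fails over to the peer if it is healthy;
  * preempt is off by default, so a recovered node does not take the group back.
Interface names follow the article's renumbering (node1 ports are ge-5/0/x).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

THRESHOLD = 255  # per-node starting threshold of every redundancy group


@dataclass
class RedundancyGroup:
    rg_id: int
    priority: Dict[int, int]                               # node -> configured priority
    monitor: Dict[str, int] = field(default_factory=dict)  # interface -> weight
    primary: Optional[int] = None                          # node currently holding the group

    @staticmethod
    def owner(interface: str) -> int:
        """Which node a physical port belongs to (ge-5/0/x is node1 on a clustered SRX240)."""
        return 1 if interface.startswith("ge-5/") else 0

    def effective_priority(self, node: int, down: Set[str]) -> int:
        """Configured priority, or 0 once the node's monitored-interface weights eat the threshold."""
        lost = sum(w for i, w in self.monitor.items()
                   if i in down and self.owner(i) == node)
        return 0 if THRESHOLD - lost <= 0 else self.priority[node]

    def evaluate(self, down: Set[str]) -> int:
        """Apply the current set of failed interfaces and return the node that holds the group."""
        eff = {n: self.effective_priority(n, down) for n in sorted(self.priority)}
        if self.primary is None:                 # first election: highest priority wins (tie -> node0)
            self.primary = max(eff, key=eff.get)
        elif eff[self.primary] == 0:             # holder knocked out: fail over if the peer is healthy
            peer = 1 - self.primary
            if eff[peer] > 0:
                self.primary = peer
        return self.primary                      # no preempt: otherwise the current holder keeps it

    def set_commands(self) -> List[str]:
        """The JunOS 'set' lines this group corresponds to, in the same form as the article."""
        cmds = [f"set chassis cluster redundancy-group {self.rg_id} node {n} priority {p}"
                for n, p in sorted(self.priority.items())]
        cmds += [f"set chassis cluster redundancy-group {self.rg_id} interface-monitor {i} weight {w}"
                 for i, w in self.monitor.items()]
        return cmds


def article_rg1(weight: int = 255) -> RedundancyGroup:
    """Redundancy group 1 as configured above: node0 priority 100, node1 priority 1,
    and the six reth member ports monitored (values constructed from the article)."""
    ports = ["ge-0/0/4", "ge-0/0/8", "ge-0/0/12", "ge-5/0/4", "ge-5/0/8", "ge-5/0/12"]
    return RedundancyGroup(1, {0: 100, 1: 1}, {p: weight for p in ports})


if __name__ == "__main__":
    rg = article_rg1()
    print("initial primary:       node", rg.evaluate(set()))
    print("ge-0/0/4 down:         node", rg.evaluate({"ge-0/0/4"}))  # weight 255 -> instant failover
    print("ge-0/0/4 back up:      node", rg.evaluate(set()))         # no preempt, stays on node1
    print("ge-5/0/8 down:         node", rg.evaluate({"ge-5/0/8"}))  # node1 knocked out -> node0
    lenient = article_rg1(weight=100)
    print("weight 100, one down:  node", lenient.evaluate({"ge-0/0/4"}))  # 100 < 255, no failover
```

Lower the weight (e.g. 100) and a single link failure no longer moves the group; three monitored links on the same node have to fail first.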

Step 4 Add a ‘Default Route’ to the Internet.

1. To get traffic out to the Internet, the cluster needs the IP of its ‘next-hop’, (usually the router supplied by your ISP).

Note: If you’re anything like me, after you enter this you will try and ‘ping’ the router from the firewall, or ping an Internet IP address. At this point that won’t work, (you need to allocate interfaces to security zones first).

[box]root@FW-A# set routing-options static route 0.0.0.0/0 next-hop 123.123.123.1[/box]

Step 5 Add interfaces to Security Zones and Allow Traffic Out

Note: I’m simply allowing all traffic out.

1. Make sure the security zones ‘trust’ and ‘untrust’ exist.

[box]root@FW-A# show security zones
or
root@FW-A# run show security zones[/box]

2. Add the Reth0 Interface to the Untrusted zone.

[box]root@FW-A# set security zones security-zone untrust interfaces reth0.0 [/box]

3. Allow host-inbound traffic on the untrust zone. (Note: ‘system-services all’ and ‘protocols all’ open every management service and routing protocol on the outside interface to the firewall itself; that is fine on the bench, but in production restrict the list to what you actually need, e.g. just ping as in the first article.)

[box]{primary:node0}[edit]
root@FW-A# set security zones security-zone untrust host-inbound-traffic system-services all
root@FW-A# set security zones security-zone untrust host-inbound-traffic protocols all[/box]

4. You can check the changes before you commit them.

[box] {primary:node0}[edit]
root@FW-A# show | compare
[edit security zones security-zone untrust]
+   host-inbound-traffic {
+       system-services {
+           all;
+       }
+       protocols {
+           all;
+       }
+   }
+   interfaces {
+       reth0.0;
+   }[/box]

Save the changes.

[box]{primary:node0}[edit]
root@FW-A# commit
node0:
configuration check succeeds
node1:
commit complete
node0:
commit complete[/box]

5. Then add Reth1 and Reth2 to the trust zone, and repeat the process to allow all host-inbound traffic.

[box]root@FW-A# set security zones security-zone trust interfaces reth1.0
root@FW-A# set security zones security-zone trust interfaces reth2.0
root@FW-A# set security zones security-zone trust host-inbound-traffic system-services all
root@FW-A# set security zones security-zone trust host-inbound-traffic protocols all[/box]

6. Let’s check to see all that worked.

[box]

{primary:node0}[edit]
root@FW-A# show security policies from-zone trust to-zone untrust
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}

{primary:node0}[edit]
root@FW-A# show security policies
from-zone trust to-zone untrust {
policy trust-to-untrust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}

[/box]

Step 6 Allow Remote Management

1. We have two interfaces dedicated to out-of-band management (fxp0 on each node), and we gave them an IP address earlier. Here I’m allowing remote administration over HTTPS to the J-Web console, on that interface only.

[box]root@FW-A# set system services web-management https interface fxp0.0[/box]

Step 7 Perform NAT on ‘Outgoing’ traffic.

1. Here we are doing what Juniper call ‘Source NAT’, where we translate many addresses to one (as in this case; it can also be a ‘pool’ of IP addresses). For the Cisco heads (like me), we are doing PAT.

Note: If you see Juniper mention ‘Destination NAT’, they are usually talking about NATing inbound traffic to one (or more) internal IP addresses.

[box] set security nat source rule-set TRUST-TO-UNTRUST from zone trust
set security nat source rule-set TRUST-TO-UNTRUST to zone untrust

set security nat source rule-set TRUST-TO-UNTRUST rule PAT-INTERFACE match source-address 192.168.0.0/16
set security nat source rule-set TRUST-TO-UNTRUST rule PAT-INTERFACE match destination-address 0.0.0.0/0
set security nat source rule-set TRUST-TO-UNTRUST rule PAT-INTERFACE then source-nat interface [/box]


Related Articles, References, Credits, or External Links

NA

Juniper SRX Firewall Alarm Light Lit

KB ID 0000993

Problem

I noticed the alarm light was lit amber on an SRX240 Juniper firewall.

Solution

This will not serve as a solution to every alarm on the SRX, but it should point you where to look, and show you how to resolve the two problems I identified on my firewall.

View SRX Alarm Status in J-Web

The status is displayed on the ‘Dashboard’ tab, here you can see I’ve got two minor alarms.

View SRX Alarm Status at Command Line

If connected via console cable or SSH.

[box]

root@FW-02> show system alarms
2 alarms currently active
Alarm time Class Description
2014-08-26 21:52:14 GMT Minor Autorecovery information needs to be saved
2014-08-26 21:52:14 GMT Minor Rescue configuration is not set

[/box]


Juniper SRX – Rescue Information Is Not Set (J-Web)

This one is easy to fix in J-Web: Maintain > Config Management > Rescue > Set Rescue Configuration.

Then click OK.

Juniper SRX – Rescue Information Is Not Set (Command Line)

To do the same via console cable or SSH.

[box]

root@FW-02> request system configuration rescue save

[/box]

Juniper SRX – Autorecovery Information Needs To Be Saved (Command Line)

Despite my best efforts I could not locate how to do this in the GUI, so I had to use command line.

[box]

root@FW-02> show system alarms
1 alarms currently active
Alarm time Class Description
2014-08-26 21:52:14 GMT Minor Autorecovery information needs to be saved

root@FW-02> request system autorecovery state save
Saving config recovery information
Saving license recovery information
Saving BSD label recovery information

root@FW-02>

[/box]

Related Articles, References, Credits, or External Links

NA

Juniper (JUNOS) SRX – Static ‘One-to-One’ NAT

KB ID 0000995 

Problem

Setting up ‘Static NAT’ is the process of taking one of your ‘spare’ public IP addresses, and permanently mapping that public IP to a private IP address on your network.

In the example above, I want to give my web server, which has an internal IP address of 192.168.1.10/24, the public IP address of 1.1.1.5/24. So if someone out on the Internet wants to view my website, they can browse to http://1.1.1.5 (or a URL that I’ve pointed to 1.1.1.5, like http://www.mywebsite.com). That traffic will then be NATed on the firewall for me.

Solution

1. Create a rule-set from the ‘untrust’ zone. Then add a rule to that rule-set, that has a destination of 1.1.1.5/32, and finally set it to NAT that traffic to 192.168.1.10/32.

[box]login: root
Password: *******

--- JUNOS 12.1X44-D30.4 built 2014-01-11 03:56:31 UTC

root@FW-02% cli
root@FW-02> configure
Entering configuration mode

[edit]
root@FW-02# set security nat static rule-set UNTRUST-TO-TRUST from zone untrust

[edit]
root@FW-02# set security nat static rule-set UNTRUST-TO-TRUST rule NAT-RULE-1 match destination-address 1.1.1.5/32

[edit]
root@FW-02# set security nat static rule-set UNTRUST-TO-TRUST rule NAT-RULE-1 then static-nat prefix 192.168.1.10/32

[/box]

2. Set the firewall to proxy-arp (advertise your public IP address with its MAC address), then add the web server to the global address book.

Note: ge-0/0/0.0 is the logical unit on the physical interface you are advertising the new IP address from; on firewalls in a failover cluster you would use the Reth interface, i.e. reth0.0.

[box] [edit]
root@FW-02# set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.5/32

[edit]
root@FW-02# set security address-book global address WEB-SERVER 192.168.1.10/32

[/box]

3. Allow traffic OUT from the web server. Here I’m letting out all ports; if you wanted just web traffic then use the built-in application junos-http (TCP port 80).

[box]

[edit]
root@FW-02# set security policies from-zone trust to-zone untrust policy WEB-SERVER-OUT match source-address WEB-SERVER

[edit]
root@FW-02# set security policies from-zone trust to-zone untrust policy WEB-SERVER-OUT match destination-address any

[edit]
root@FW-02# set security policies from-zone trust to-zone untrust policy WEB-SERVER-OUT match application any

[edit]
root@FW-02# set security policies from-zone trust to-zone untrust policy WEB-SERVER-OUT then permit

[/box]

4. Then allow traffic IN to the web server, (here I’m locking it down to just http).

[box] [edit]
root@FW-02# set security policies from-zone untrust to-zone trust policy WEB-SERVER-IN match source-address any

[edit]
root@FW-02# set security policies from-zone untrust to-zone trust policy WEB-SERVER-IN match destination-address WEB-SERVER

[edit]
root@FW-02# set security policies from-zone untrust to-zone trust policy WEB-SERVER-IN match application junos-http

[edit]
root@FW-02# set security policies from-zone untrust to-zone trust policy WEB-SERVER-IN then permit

[/box]

5. Save the changes.

[box][edit]
root@FW-02# commit
commit complete[/box]

Juniper Allowing Traffic To Custom Ports And Applications

1. Although Juniper have a lot of built in ‘applications’ you can allow, what if you want to create your own? Below I’ll create a custom application for Remote Desktop Protocol (TCP port 3389).

[box] [edit]
root@FW-A# set applications application APP-RDP protocol tcp

[edit]
root@FW-A# set applications application APP-RDP destination-port 3389

[/box]

2. You could now use this application in your security policies e.g.

[box] [edit]
root@FW-A# set security policies from-zone untrust to-zone trust policy TERMINAL-SERVER-IN match application APP-RDP[/box]


Related Articles, References, Credits, or External Links

NA


Juniper SRX – Commit Errors

KB ID 0000999 

Problem

WARNING: This article does not cover every problem that will stop you committing the firewall config. It just serves to document problems I’ve encountered, and how I overcame them.

Solution

I came across the following two problems whilst attempting to set up a ‘chassis cluster’. Both were related to configuration existing on interfaces that I wanted to use as Reth interfaces; essentially I didn’t delete ALL the settings for these interfaces before I started configuring clustering.

Problem 1

[box]root# commit
[edit security zones security-zone untrust]
'interfaces ge-0/0/0.0'
Interface ge-0/0/0.0 must be configured under interfaces
error: configuration check-out failed
[/box]

This was because ge-0/0/0 was automatically converted to fxp0, (which is the management interface). The error is telling me that the ‘untrust’ zone still lists that physical interface, which no longer exists under interfaces, so I need to remove it from the zone.

[box]{hold:node0}[edit]
root# delete security zones security-zone untrust interfaces ge-0/0/0.0[/box]

Now it let me commit the configuration.

[box] {hold:node0}[edit]
root# commit
node0:
commit complete

{hold:node0}[edit]
root#[/box]

Problem 2

[box]root@FWA# commit
[edit interfaces ge-0/0/4 gigether-options]
'redundant-parent'
Logical unit is not allowed on redundant-ethernet member
error: commit failed: (statements constraint check failed)
[/box]

This was because ge-0/0/4, which was part of Reth0 (my outside-facing redundant interface), had some configuration on it that shouldn’t be there; to find out what, I needed to search the configuration.

[box]{primary:node0}[edit]
root@FWA# show | display set | match ge-0/0/4
set interfaces ge-0/0/4 gigether-options redundant-parent reth0
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust[/box]

The first setting tells me it’s part of Reth0, which is good, but the second one should not be there. I could just delete that one, but I’ll simply delete all configuration for that interface, then add the correct line back like so;

[box] {primary:node0}[edit]
root@FWA# delete interfaces ge-0/0/4

{primary:node0}[edit]
root@FWA# set interfaces ge-0/0/4 gigether-options redundant-parent reth0 [/box]

Now it let me commit the configuration.

[box] {hold:node0}[edit]
root# commit
node0:
commit complete

{hold:node0}[edit]
root#

[/box]
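A way to catch both of these before typing ‘commit’, as an added example (my own Python, not Juniper code): paste the output of ‘show | display set’ into it and it reports a zone that lists an interface with no ‘set interfaces’ stanza (or one the cluster has taken over as fxp0/fxp1), and any logical unit left on a redundant-parent member, along with the ‘delete’ line that clears each one. The sample config is constructed to mirror the two errors above.

```python
"""Pre-commit lint for 'show | display set' output.

Added example, not Juniper code. It looks for the two chassis-cluster commit
errors described above:
  1. a security zone lists an interface that has no 'set interfaces' stanza
     (on a cluster, ge-0/0/0 and ge-0/0/1 of each node become fxp0/fxp1, so an
     old zone membership for them dangles and the commit fails);
  2. a logical unit is configured on a physical interface that is a
     redundant-parent member; only the reth interface may carry units.
Each finding carries the 'delete' command that clears it.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

ZONE_IF = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)")
ANY_IF = re.compile(r"^set interfaces (\S+)")
REDUNDANT_PARENT = re.compile(r"^set interfaces (\S+) gigether-options redundant-parent (\S+)$")
UNIT = re.compile(r"^set interfaces (\S+) unit (\d+)")
# Physical ports a chassis cluster takes over as fxp0 (management) and fxp1 (control)
CLUSTER_RESERVED = {"ge-0/0/0", "ge-0/0/1", "ge-5/0/0", "ge-5/0/1"}


def lint(config_text: str, clustered: bool = True) -> List[Dict[str, str]]:
    """Return a list of findings; an empty list means nothing to fix."""
    defined: Set[str] = set()                      # interfaces with any 'set interfaces' line
    members: Dict[str, str] = {}                   # physical interface -> its reth parent
    units: Dict[str, Set[str]] = defaultdict(set)  # interface -> logical units configured on it
    zone_refs: List[Tuple[str, str]] = []          # (zone, logical interface), in config order
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith("set "):
            continue                               # skip prompts and blank lines pasted from the terminal
        m = ANY_IF.match(line)
        if m:
            defined.add(m.group(1))
        m = REDUNDANT_PARENT.match(line)
        if m:
            members[m.group(1)] = m.group(2)
        m = UNIT.match(line)
        if m:
            units[m.group(1)].add(m.group(2))
        m = ZONE_IF.match(line)
        if m and (m.group(1), m.group(2)) not in zone_refs:
            zone_refs.append((m.group(1), m.group(2)))

    findings: List[Dict[str, str]] = []
    for zone, logical in zone_refs:                # problem 1: dangling zone membership
        phys = logical.split(".")[0]
        if clustered and phys in CLUSTER_RESERVED:
            why = f"{phys} is reserved for fxp0/fxp1 on a chassis cluster"
        elif phys not in defined:
            why = f"{logical} is not configured under interfaces"
        else:
            continue
        findings.append({"problem": why,
                         "fix": f"delete security zones security-zone {zone} interfaces {logical}"})
    for phys, parent in sorted(members.items()):   # problem 2: unit left on a reth member
        for unit in sorted(units.get(phys, ())):
            findings.append({"problem": f"{phys} is a member of {parent} but still has unit {unit}",
                             "fix": f"delete interfaces {phys} unit {unit}"})
    return findings


# Constructed sample in the shape of the two errors shown in the article.
SAMPLE = """\
{primary:node0}[edit]
root@FWA# show | display set
set groups node0 interfaces fxp0 unit 0 family inet address 192.168.254.1/24
set interfaces ge-0/0/4 gigether-options redundant-parent reth0
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-5/0/4 gigether-options redundant-parent reth0
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 123.123.123.123/24
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces reth0.0
"""

if __name__ == "__main__":
    for f in lint(SAMPLE):
        print(f"{f['problem']}\n    -> {f['fix']}")
```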


Related Articles, References, Credits, or External Links

NA


Factory Reset Juniper SRX Firewall

KB ID 0001003 

Problem

If you manage to stuff up your firewall, or you have just done some testing and want to revert to ‘as new’, here is how to do it.

Solution

1. Connect to the firewall either by console cable or via SSH, go to CLI mode then configuration mode.

[box] login: PeteL
Password: ************

--- JUNOS 12.1X47-D10.4 built 2014-08-14 22:21:50 UTC

PeteL@Petes-SRX> cli

PeteL@Petes-SRX> configure
Entering configuration mode

[edit]
PeteL@Petes-SRX#

[/box]

2. Load factory defaults, at this point you cannot commit/save the configuration unless you set a password, so do that next.

[box]

[edit]
PeteL@Petes-SRX# load factory-default
warning: activating factory configuration

[edit]
PeteL@Petes-SRX# set system root-authentication plain-text-password
New password: Password123
Retype new password: Password123

[edit]
PeteL@Petes-SRX#

[/box]

3. Save the changes then reboot.

[box] [edit]
PeteL@Petes-SRX# commit and-quit

commit complete
Exiting configuration mode

PeteL@Petes-SRX> request system reboot
Reboot the system ? [yes,no] (no) yes

Shutdown NOW!
[pid 1904]

PeteL@Petes-SRX>

*** FINAL System shutdown message from root@FW-01 ***

System going down IMMEDIATELY

[/box]

Reset To Factory Settings if the SRX is part of a Chassis Cluster (is in Failover mode)

1. If the firewall is part of a chassis cluster, then you need to do the following before you can carry out the procedure above.

[box]

PeteL@Petes-SRX> set chassis cluster disable reboot

For cluster-ids greater than 15 and when deploying more than one
cluster in a single Layer 2 BROADCAST domain, it is mandatory that
fabric and control links are either connected back-to-back or
are connected on separate private VLANS.

{primary:node0}
PeteL@Petes-SRX>

*** FINAL System shutdown message from root@FWA ***

System going down IMMEDIATELY

[/box]

Completely Wipe the Juniper SRX

Alternatively you can also do the following.

[box]

root> request system zeroize
warning: System will be rebooted and may not boot without configuration
Erase all data, including configuration and log files? [yes,no] (no) yes

warning: zeroizing re0

root>

[/box]


Related Articles, References, Credits, or External Links

NA


JunOS – Using TACACS+ With Cisco ACS

KB ID 0001040 

Problem

I’ve been configuring a client’s Juniper SRX chassis cluster for a while now. Their ACS was deployed last week, so my task was to configure it to use TACACS+ from the Cisco ACS server.

The client’s setup required them to use their fxp0 management interfaces to perform the authentication. After it was configured and working (due in no small part to the ACS skills of Mr Steve Housego), I decided that, because of the lack of decent info, I would run it up at home on the test bench.

This procedure uses a Juniper Firefly Perimeter vSRX, and a Cisco ACS virtual appliance (v5.5). I’m going to create a read only group (JUNOS-RO), and a read write group (JUNOS-RW) for different levels of authentication.

Solution

Step 1 – Configure Cisco ACS For Juniper JunOS

1. Log into ACS > Network Resources > Network Devices and AAA Clients > Create.

2. Add the SRX as a device > Submit.

3. Policy Elements > Device Administration > Shell Profiles > Create.

4. Create a new shell profile for our read only profile.

5. Custom Attributes tab > Add in an attribute called local-user-name and set its value to JUNOS-RO > Submit.

6. Repeat the process and create a new shell profile for the read/write profile.

7. This time on the custom attributes tab add local-user-name but this time set its value to JUNOS-RW > Submit.

8. Access Policies > Access Services > Create.

9. Create a new access service profile for your JunOS device(s) > Next.

10. Select Process host lookup > Select PAP/ASCII > Finish.

11. You will be prompted to create a service selection rule > Create.

12. Ensure you select TACACS and the service is set to the one that you have just created > OK.

13. Save Changes, (at this point your JunOS access service should ‘go green’).

14. Select your ‘JunOS Device Admin’ access service > Identity > Select your AD > Save Changes.

15. I’ve created some AD groups for my two roles. To add them into ACS > Users and Identity Stores > External Identity Stores > Active Directory > Directory Groups > Add in the groups as applicable.

16. Access Policies > ‘JunOS Device Admin’ access service > Authorization > Customize > Set as shown below > OK.

17. Create.

18. Create a new element for the read only role > OK.

19. Then repeat for the read/write role > OK.

20. Save Changes.


Step 2 – Configure SRX for Cisco ACS Access

1. Connect to the SRX and go to configuration mode.

[box] Petes-SRX (ttyd0)

login: petelong
Password: **********
No home directory.
Logging in with home = “/”.

--- JUNOS 12.1X47-D10.4 built 2014-08-14 22:59:01 UTC

petelong@Petes-SRX> configure
Entering configuration mode

[edit]
petelong@Petes-SRX#

[/box]

2. I’m going to set up the TACACS+ server with the following properties:

  • IP of TACACS Server: 10.254.254.22/24
  • IP that the SRX will present to the ACS Server: 10.254.254.26/24
  • Shared secret: s3cr3tp@ssword
  • TACACS Port: 49 (TCP)

[box]

[edit]
petelong@Petes-SRX# set system tacplus-server 10.254.254.22 secret s3cr3tp@ssword

[edit]
petelong@Petes-SRX# set system tacplus-server 10.254.254.22 source-address 10.254.254.26

[edit]
petelong@Petes-SRX# set system tacplus-server 10.254.254.22 port 49

[edit]
petelong@Petes-SRX# set system tacplus-server 10.254.254.22 single-connection

Note: If you are deploying a chassis cluster and you want to use the fxp0 interface for TACACS+, remember that fxp0 does not fail over, so you need to pin each node to a particular ACS server like so;

set groups node0 system tacplus-server 10.254.254.26 secret <secret-password>
set groups node0 system tacplus-server 10.254.254.26 source-address 10.254.254.10
set groups node0 system tacplus-server 10.254.254.26 port 49
set groups node0 system tacplus-server 10.254.254.26 single-connection
set groups node1 system tacplus-server 10.254.254.27 secret <secret-password>
set groups node1 system tacplus-server 10.254.254.27 source-address 10.254.254.11
set groups node1 system tacplus-server 10.254.254.27 port 49
set groups node1 system tacplus-server 10.254.254.27 single-connection

[/box]

3. In the event that TACACS+ fails (or cannot be contacted), I want the SRX to ‘fall back’ to its local user database so we can still log in. Note: with ‘password’ listed in the authentication order, local accounts are also tried when the ACS server rejects a login, not only when it is unreachable; leave ‘password’ out of the order if local accounts should only work when no server can be contacted.

[box][edit]
petelong@Petes-SRX# set system authentication-order [ tacplus password ][/box]

4. Create a ‘user class’ for our read only group.

[box] [edit]
petelong@Petes-SRX# set system login class RO-CLASS permissions view

[edit]
petelong@Petes-SRX# set system login class RO-CLASS permissions view-configuration

[/box]

5. Create a ‘user class’ for our read write group.

[box][edit]
petelong@Petes-SRX# set system login class RW-CLASS permissions all[/box]

6. Now create two users, and assign each user to the appropriate class.

[box]

[edit]
petelong@Petes-SRX# set system login user JUNOS-RO uid 2100 class RO-CLASS

[edit]
petelong@Petes-SRX# set system login user JUNOS-RW uid 2101 class RW-CLASS

[/box]

7. Finally Save all your hard work.

[box]

[edit]
petelong@Petes-SRX# commit
commit complete

[edit]
petelong@Petes-SRX#

[/box]

8. And test.

Full JunOS (SRX) Config for TACACS+

[box]

set system tacplus-server 10.254.254.22 secret s3cr3tp@ssword
set system tacplus-server 10.254.254.22 source-address 10.254.254.26
set system tacplus-server 10.254.254.22 port 49
set system tacplus-server 10.254.254.22 single-connection
set system authentication-order [ tacplus password ]
set system login class RO-CLASS permissions view
set system login class RO-CLASS permissions view-configuration
set system login class RW-CLASS permissions all
set system login user JUNOS-RO uid 2100 class RO-CLASS
set system login user JUNOS-RW uid 2101 class RW-CLASS

[/box]


Related Articles, References, Credits, or External Links

NA


Juniper SRX – Setting the Default Static Route

KB ID 0001008 

Problem

It takes me seconds to do this on an ASA, on every occasion I’ve had to do the same on a Juniper firewall I’ve had to research how to do it again.

Here I’m setting up the ‘default’ route to the Internet, but the syntax is the same for setting up any static route.

Solution

1. Connect to the firewall either by console cable or via SSH, go to CLI mode then configuration mode.

[box]login: PeteL
Password: ************

--- JUNOS 12.1X47-D10.4 built 2014-08-14 22:21:50 UTC

PeteL@Petes-SRX> cli

PeteL@Petes-SRX> configure
Entering configuration mode

[edit]
PeteL@Petes-SRX#

[/box]

2. Here is the syntax for adding a route, (0.0.0.0/0 denotes the default route, or gateway of last resort (GOLR)).

[box][edit]
PeteL@Petes-SRX# set routing-options static route 0.0.0.0/0 next-hop 123.123.123.123[/box]

3. Save the changes.

[box][edit]
PeteL@Petes-SRX# commit
commit complete[/box]


Related Articles, References, Credits, or External Links

NA