7/18/2019 SRX Series Services Gateways
http://slidepdf.com/reader/full/srx-series-services-gateways 1/32
Configuration Guide: Juniper Networks Branch SRX Series Services Gateways
How to Configure Branch SRX Series Services Gateways for Several Common Deployment Scenarios.
Introduction
The purpose of this application note is to walk the reader through the steps necessary to configure out-of-the-box branch Juniper SRX Series Services Gateways to provide secure connectivity to the Internet and remote sites. The example configurations can be leveraged to build more complicated configurations that will meet the security requirements of modern branch and remote offices. After reading this document, you should be able to configure a branch SRX Series gateway to pass traffic and provide several common security services.
Scope
This paper introduces the Juniper Networks Junos® operating system command-line interface (CLI) and helps the reader configure an SRX Series device for the first time, providing a building block for more advanced configurations. It does not include advanced security configuration examples or network design guidelines.
Design Considerations
Supported Hardware
Juniper Networks Branch SRX Series Services Gateways for the branch. (Certain features described in this document are not available across the entire SRX Series platform.)
Software Requirements
Junos OS Release 10.0 or later for all SRX Series Services Gateways. (A more recent release is required for all SRX Series Services Gateways supported and released after 9.5.)
Description and Deployment Scenario
The included examples are not intended to be Juniper recommended configurations, as they only meet the security requirements of the simplest deployments such as a small home office. However, with some modification, they can be used to connect and secure larger remote and branch offices to a larger central site.
The approach of this document is to begin with an SRX Series appliance as it ships from the factory and progressively work through the steps necessary to build a usable base configuration.
Default Configuration—Junos OS Release 10.0 and Later
The first configuration is often associated with default firewall behavior. The Juniper Networks SRX100 Services Gateway, SRX210 Services Gateway, and SRX240 Services Gateway have all of their interfaces configured in a similar fashion. The interface ge-0/0/0 is in Layer 3 mode, and all the other interfaces are switched and assigned to a VLAN. A VLAN interface is created to route traffic from the interfaces in the VLAN. All traffic between the ports within the VLAN is locally switched.
[Figure: SRX100, SRX210, and SRX240]
The following default configurations apply to the SRX100, SRX210, and SRX240 factory default settings:

INTERFACE                           SECURITY ZONE   DHCP STATE   IP ADDRESS
ge-0/0/0 (for SRX210 and SRX240)    untrust         Client       Dynamically Assigned
fe-0/0/0 (for SRX100)
vlan.0                              trust           Server       192.168.1.1/24
[Figure: SRX650]
The default configuration for the interfaces on the SRX650 is different. All the interfaces are configured as Layer 3 interfaces. The following table summarizes the default interface configuration on the SRX650.

INTERFACE   SECURITY ZONE   DHCP STATE   IP ADDRESS
ge-0/0/0    untrust         Client       Dynamically Assigned
ge-0/0/1    trust           Server       192.168.1.1/24
ge-0/0/2    trust           Server       192.168.2.1/24
ge-0/0/3    trust           Server       192.168.3.1/24
By default, the following security policy and NAT rule are created on the SRX Series.

Security policy
SOURCE ZONE   DESTINATION ZONE   POLICY ACTION
trust         untrust            permit

NAT rule
SOURCE ZONE   DESTINATION ZONE   NAT ACTION
trust         untrust            Source NAT to untrust zone interface
Using the Default Configuration for Network Access
To illustrate a common default firewall configuration, an SRX210 is used, and the following design assumptions are made:
• The protected network is connected to interfaces ge-0/0/1 and fe-0/0/2 in the trust zone.
• Connectivity to the Internet is through interface ge-0/0/0 in the untrust zone.
• The IP address of interface ge-0/0/0 is assigned via DHCP.
The interfaces ge-0/0/1 and fe-0/0/2 are a part of the default VLAN. The protected hosts can be connected to any one of the ports that are part of the default VLAN.
Configuration
An SRX Series device can be configured from the CLI or through the Juniper Networks J-Web Software GUI. In this example, to use J-Web, connect a management PC to interface ge-0/0/1. The IP address of the PC can be statically configured or assigned by the factory default DHCP server enabled on the VLAN interface.
For this example, the SRX Series device is configured using the CLI, and the management PC is assigned an IP address from the DHCP server process on the SRX Series gateway.
To access an SRX Series device with the Junos OS CLI:
• Connect one end of the console cable to the serial port adapter, plug the adapter into a serial port on the PC or laptop, and plug the other end of the cable into the console port on the SRX Series device.
• Start the terminal emulation program on the PC or laptop, select the COM port, and configure the following port settings: 9600 (bits per second), 8 (data bits), none (parity), 1 (stop bits), and none (flow control).
• Press the POWER button on the router, and verify that the POWER LED turns green.
• Log in as root, and press Enter at the Password prompt. (When booting the factory default configuration, you do not need to enter a password.)
• Enter the UNIX shell after you are authenticated through the CLI:
Amnesiac (ttyu0)
login: root
Password:
--- JUNOS 10.0R1.8 built 2009-08-?? 09:23:09 UTC
• At the % prompt, type "cli" to start the CLI and press Enter. The prompt changes to an angle bracket (>) when you enter CLI operational mode.
root@% cli
root>
• At the (>) prompt, type "configure" and press Enter. The prompt changes from > to # when you enter configuration mode.
root> configure
Entering configuration mode
[edit]
root#
To configure the SRX Series device to be deployed in the network to securely pass traffic using the default configuration, use the following two commands:
• Create a password for the root user to manage the SRX Series device.
set system root-authentication plain-text-password (will prompt for password)
• Use the "commit" command at the CLI prompt to activate the configuration.
commit
Default Firewall Configuration—Junos OS Release 9.6 and Earlier
The first configuration is often associated with default firewall behavior. All outbound traffic from a private network is allowed and uses source NAT, while inbound traffic from the Internet not matching an established session is blocked.
The first time that a branch SRX Series gateway is powered on, it boots using the factory default configuration as follows:
• A trust zone and untrust zone are created.
• Interface ge-0/0/0 is assigned the IP address 192.168.1.1 and is bound to the trust zone.
• A DHCP server instance is enabled on interface ge-0/0/0.
• Three security policies, one inter-zone and two intra-zone, are created:
-- trust zone to trust zone (intra-zone) default permit policy
-- trust zone to untrust zone (inter-zone) default permit policy
-- untrust zone to trust zone (inter-zone) default deny policy
To illustrate a common default firewall configuration, an SRX210 is used, and the following design assumptions are made:
-- The protected network is connected to interface ge-0/0/0 in the trust zone.
-- Connectivity to the Internet is through interface fe-0/0/7 in the untrust zone.
-- The IP address of interface fe-0/0/7 is either statically configured or assigned via DHCP.
Configuration
An SRX Series device can be configured from the CLI or through the J-Web GUI. To use J-Web, connect a management PC to interface ge-0/0/0. The IP address of the PC can be statically configured or assigned by the factory default DHCP server enabled on ge-0/0/0.
For this example, the SRX Series device is configured using the CLI, and the management PC is assigned a static IP address of 192.168.1.10/24 with a default gateway of 192.168.1.1.
To access an SRX Series device with the Junos OS CLI:
• Connect one end of the console cable to the serial port adapter, plug the adapter into a serial port on the PC or laptop, and plug the other end of the cable into the console port on the SRX Series device.
• Start the terminal emulation program on the PC or laptop, select the COM port, and configure the following port settings: 9600 (bits per second), 8 (data bits), none (parity), 1 (stop bits), and none (flow control).
• Press the POWER button on the router, and verify that the POWER LED turns green.
• Log in as root, and press Enter at the Password prompt. (When booting the factory default configuration, you do not need to enter a password.)
• Enter the UNIX shell after you are authenticated through the CLI:
Amnesiac (ttyu0)
login: root
Password:
JUNOS 9.4B3 built 2008-12-19 00:28:?? UTC
root@%
• At the % prompt, type "cli" to start the CLI and press Enter. The prompt changes to an angle bracket (>) when you enter CLI operational mode.
root@% cli
root>
• At the (>) prompt, type "configure" and press Enter. The prompt changes from > to # when you enter configuration mode.
root> configure
Entering configuration mode
[edit]
root#
Configuring Management Access
Next, the SRX Series device is configured to allow secure management access and apply NAT to all outbound traffic.
• Set the root user password.
set system root-authentication plain-text-password (will prompt for password)
• Set the system host name.
set system host-name mysrx
• Assign interface fe-0/0/7 to the untrust zone (zone names are case sensitive).
set security zones security-zone untrust interfaces fe-0/0/7.0
• Set the name server parameter.
set system name-server <ip address>
• fe-0/0/7 IP address and default route configuration.
1. To assign the IP address and gateway statically:
set interfaces fe-0/0/7 unit 0 family inet address 1.1.1.1/30
set routing-options static route 0.0.0.0/0 next-hop <ip address of the upstream router>
2. To configure interface fe-0/0/7 to obtain an IP address and default gateway from a DHCP server:
set interfaces fe-0/0/7 unit 0 family inet dhcp
set security zones security-zone untrust interfaces fe-0/0/7.0 host-inbound-traffic system-services dhcp
• Create a NAT rule for source translation of all Internet-bound traffic.
set security nat source rule-set interface-nat from zone trust
set security nat source rule-set interface-nat to zone untrust
set security nat source rule-set interface-nat rule rule1 match source-address 0.0.0.0/0 destination-address 0.0.0.0/0
set security nat source rule-set interface-nat rule rule1 then source-nat interface
• Use the "commit" command at the CLI prompt to activate the configuration.
commit
Firewall Configuration for Outbound Access Using Integrated Routing and Bridging (IRB)
To eliminate the need for an external switch (if the SRX Series device has enough available ports), an SRX Series gateway can be configured to provide switching and routing simultaneously. Starting with Junos OS Release 10.0, the factory default configuration has integrated routing and bridging (IRB) enabled.
An SRX Series device uses virtual L3 interfaces to support IRB, equivalent to routing between a set of switched and routed interfaces. Today, this design is widely adopted on enterprise switches. Implementing route bridging in a security device is more challenging than in a switch because security policies are applied to both inter-zone and intra-zone traffic. Junos OS implements IRB with the help of VLANs combined with interfaces. A VLAN is a collection of interfaces that can be grouped together into a broadcast domain. Junos OS-based switches forward Ethernet frames within a VLAN rather than routing IP packets. A virtual interface, called VLAN, is used to route traffic between the switched ports and routed ports. This architectural approach is very similar to connecting a standalone switch to a port on the firewall.
Readers might want to skip this configuration and try it at the end, as subsequent examples build upon the first example.
To illustrate this firewall configuration, make the following design assumptions:
• Interface fe-0/0/7 provides connection to the Internet.
• A VLAN is created by grouping the following interfaces: ge-0/0/0, ge-0/0/1, fe-0/0/2, fe-0/0/3
• A VLAN interface with an IP address 192.168.1.1/24 is created to route traffic between switch ports and the routed interface fe-0/0/7.
Configuration
• Remove the factory default IP address from the interface ge-0/0/0.
delete interfaces ge-0/0/0 unit 0 family inet
• Configure Ethernet switching on the interfaces that are part of the VLAN.
set interfaces ge-0/0/0 unit 0 family ethernet-switching
set interfaces ge-0/0/1 unit 0 family ethernet-switching
set interfaces fe-0/0/2 unit 0 family ethernet-switching
set interfaces fe-0/0/3 unit 0 family ethernet-switching
• Configure a VLAN interface to route traffic between the switched ports and the routed interface.
set interfaces vlan unit 0 family inet address 192.168.1.1/24
• Assign the VLAN interface to the default VLAN.
set vlans default l3-interface vlan.0
Note: SRX Series gateways are preconfigured with a system-defined VLAN with name "default" and VLAN-ID "1".
• Assign the VLAN interface to the trust security zone.
set security zones security-zone trust interfaces vlan.0
Advanced Configuration
• Create an administrative user to manage the SRX Series device.
• Create a read-only administrative user.
• Set the system hostname.
• Set the DNS server and NTP server parameters.
• A DMZ zone is created for securing server access, with an IP address of 172.16.1.1/24 and the "ping" service enabled on the zone.
• Interface ge-0/0/1 is assigned to the DMZ zone.
• Interface ge-0/0/0 provides connectivity to the Internet.
• All networking parameters are statically assigned.
• The following security policies are required:
a. Allow HTTPS traffic from the untrust zone to the DMZ zone.
b. Allow DNS traffic from the DMZ zone to the untrust zone.
c. Allow SSH and HTTPS traffic from the host 192.168.1.200/24 in the trust zone to the server in the DMZ zone.
Configuration Steps
All the commands are executed from the configuration mode unless otherwise noted.
• Creating the administrative user to manage the SRX Series device.
set system login user <username> class super-user
set system login user <username> authentication plain-text-password (will prompt for password)
• Creating the read-only administrative user.
set system login user <username> class read-only
set system login user <username> authentication plain-text-password (will prompt for password)
• Setting the system hostname.
set system host-name mysrx
• Setting the DNS and NTP servers.
set system name-server <ip address of server>
set date ntp <server_ip address> - This is an operational mode command. Operational mode commands can be executed in the configuration mode by using the keyword "run".
• Creating the DMZ zone and allowing the ping service.
set security zones security-zone dmz host-inbound-traffic system-services ping
• Assigning interface ge-0/0/1 to the DMZ zone.
set security zones security-zone dmz interfaces ge-0/0/1
Note: If using the factory default with the Junos OS 10.0 release, all of the interfaces except ge-0/0/0 will have Ethernet switching enabled by default. This configuration is accomplished by applying Ethernet switching to a group "interfaces-trust" and applying the group configuration to the interfaces. Remove ge-0/0/1 from that group before assigning it an IP address:
delete interfaces interface-range interfaces-trust member ge-0/0/1
• Configuring networking parameters.
1. Assigning IP addresses
set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.1/30
set interfaces ge-0/0/1 unit 0 family inet address 172.16.1.1/24
2. Creating a default route
set routing-options static route 0.0.0.0/0 next-hop <ip address>
• Configuring security policies.
1. Security policy from untrust to DMZ
set security zones security-zone dmz address-book address webserver 172.16.1.250/24 - Creates an address book entry for the webserver
set security policies from-zone untrust to-zone dmz policy webserver-access match source-address any
set security policies from-zone untrust to-zone dmz policy webserver-access match destination-address webserver
set security policies from-zone untrust to-zone dmz policy webserver-access match application junos-https
set security policies from-zone untrust to-zone dmz policy webserver-access then permit
2. Security policy from DMZ to untrust
set security policies from-zone dmz to-zone untrust policy dns-access match source-address webserver
set security policies from-zone dmz to-zone untrust policy dns-access match destination-address any
set security policies from-zone dmz to-zone untrust policy dns-access match application junos-dns
set security policies from-zone dmz to-zone untrust policy dns-access then permit
3. Allow SSH and HTTPS traffic from the host 192.168.1.200/24 in the trust zone to the DMZ zone server
set security zones security-zone trust address-book address mgt-pc 192.168.1.200/24 - Creates an address book entry for the management PC
set applications application-set mgt-services application junos-https
set applications application-set mgt-services application junos-ssh
set security policies from-zone trust to-zone dmz policy mgt-access match source-address mgt-pc
set security policies from-zone trust to-zone dmz policy mgt-access match destination-address webserver
set security policies from-zone trust to-zone dmz policy mgt-access match application mgt-services
set security policies from-zone trust to-zone dmz policy mgt-access then permit
set security policies from-zone trust to-zone dmz policy mgt-access then log session-init
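The policy set above can be checked offline with a small model of how the SRX evaluates zone-based policies: policies are ordered per from-zone/to-zone pair, the first match wins, and inter-zone traffic that matches no policy is dropped. The following Python script is an added illustration, not Juniper's code and not code from this guide. The Firewall class, the port numbers assigned to junos-https, junos-ssh and junos-dns, and the /32 masks on the two host entries are assumptions of the model (the guide's address-book entries carry a /24 mask, which would match every host in the subnet rather than the single management PC the text describes).

```python
# Added illustration (not Juniper code): model of SRX zone-based policy evaluation
# for transit traffic, populated with the Advanced Configuration's policies.
import ipaddress
from dataclasses import dataclass

# Assumed protocol/port definitions for the predefined applications used above.
APPLICATIONS = {
    "junos-https": {("tcp", 443)},
    "junos-ssh": {("tcp", 22)},
    "junos-dns": {("udp", 53), ("tcp", 53)},
}


@dataclass
class Policy:
    name: str
    src: frozenset      # address-book entry names, or {"any"}
    dst: frozenset
    apps: frozenset     # application or application-set names, or {"any"}
    action: str         # "permit" or "deny"


class Firewall:
    def __init__(self):
        self.address_book = {}   # entry name -> ip_network
        self.app_sets = {}       # application-set name -> set of application names
        self.policies = {}       # (from_zone, to_zone) -> ordered list of Policy

    def add_address(self, name, prefix):
        self.address_book[name] = ipaddress.ip_network(prefix, strict=False)

    def add_policy(self, from_zone, to_zone, policy):
        self.policies.setdefault((from_zone, to_zone), []).append(policy)

    def _addr_match(self, names, ip):
        if "any" in names:
            return True
        addr = ipaddress.ip_address(ip)
        return any(addr in self.address_book[n] for n in names)

    def _app_match(self, names, proto, port):
        if "any" in names:
            return True
        expanded = set()
        for n in names:                      # expand application-sets to members
            expanded |= self.app_sets.get(n, {n})
        return any((proto, port) in APPLICATIONS.get(a, set()) for a in expanded)

    def evaluate(self, from_zone, to_zone, src_ip, dst_ip, proto, dport):
        """Return (action, policy_name) of the first matching policy; implicit deny otherwise."""
        for p in self.policies.get((from_zone, to_zone), []):
            if (self._addr_match(p.src, src_ip) and self._addr_match(p.dst, dst_ip)
                    and self._app_match(p.apps, proto, dport)):
                return p.action, p.name
        return "deny", "default-deny"


def build_page_firewall():
    """Firewall mirroring the Advanced Configuration; host entries narrowed to /32 (model assumption)."""
    fw = Firewall()
    fw.add_address("webserver", "172.16.1.250/32")
    fw.add_address("mgt-pc", "192.168.1.200/32")
    fw.app_sets["mgt-services"] = {"junos-https", "junos-ssh"}
    any_ = frozenset({"any"})
    fw.add_policy("untrust", "dmz", Policy("webserver-access", any_, frozenset({"webserver"}),
                                           frozenset({"junos-https"}), "permit"))
    fw.add_policy("dmz", "untrust", Policy("dns-access", frozenset({"webserver"}), any_,
                                           frozenset({"junos-dns"}), "permit"))
    fw.add_policy("trust", "dmz", Policy("mgt-access", frozenset({"mgt-pc"}), frozenset({"webserver"}),
                                         frozenset({"mgt-services"}), "permit"))
    return fw


if __name__ == "__main__":
    fw = build_page_firewall()
    # Constructed sample flows: the untrust peer and DNS server addresses are documentation ranges.
    flows = [
        ("untrust", "dmz", "203.0.113.5", "172.16.1.250", "tcp", 443),    # permit (webserver-access)
        ("untrust", "dmz", "203.0.113.5", "172.16.1.250", "tcp", 22),     # deny (no policy for SSH)
        ("dmz", "untrust", "172.16.1.250", "198.51.100.53", "udp", 53),   # permit (dns-access)
        ("trust", "dmz", "192.168.1.200", "172.16.1.250", "tcp", 22),     # permit (mgt-access)
        ("trust", "dmz", "192.168.1.50", "172.16.1.250", "tcp", 22),      # deny (not the mgt PC)
    ]
    for f in flows:
        print(f, "->", fw.evaluate(*f))
```

Running the script shows that SSH from the Internet to the web server and SSH from any trust host other than 192.168.1.200 fall through to the implicit deny, which is the property the three policies are meant to enforce.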
IPsec VPN Configuration
To illustrate a site-to-site IPsec VPN configuration, simply add VPN specifics to the first configuration using the following design parameters:
• A route-based IPsec VPN with preshared keys is used between sites.
• The protected network is connected to interface ge-0/0/0 in the trust zone.
• Connectivity to the Internet is through fe-0/0/7 in the untrust zone.
• The remote IPsec endpoint IP address is 1.1.1.2, and the protected subnet at the remote site is 10.1.1.0/24.
• All traffic to the subnet 10.1.1.0/24 is encrypted.
Configuration
To illustrate the simplicity of setting up IPsec tunnels, the command sequence is divided into four repeatable steps. Readers should refer to standard Juniper Networks documentation to further understand the various IKE/IPsec configuration options.
• Create a secure tunnel interface.
set interfaces st0 unit 0 family inet
set security zones security-zone trust interfaces st0.0
• Configure routing.
set routing-options static route 10.1.1.0/24 next-hop st0.0
• Enable IKE services on the external interface.
set security zones security-zone untrust interfaces fe-0/0/7.0 host-inbound-traffic system-services ike
• Configure IKE Phase 1 parameters.
set security ike proposal P1-AES authentication-method pre-shared-keys
set security ike proposal P1-AES dh-group group2
set security ike proposal P1-AES authentication-algorithm sha1
set security ike proposal P1-AES encryption-algorithm aes-128-cbc
set security ike policy ike-policy-1 mode main
set security ike policy ike-policy-1 proposals P1-AES
set security ike policy ike-policy-1 pre-shared-key ascii-text juniper
set security ike gateway gw1 address 1.1.1.2
set security ike gateway gw1 external-interface fe-0/0/7.0
set security ike gateway gw1 ike-policy ike-policy-1
• Configure IPsec Phase 2 parameters.
set security ipsec proposal P2-AES protocol esp
set security ipsec proposal P2-AES authentication-algorithm hmac-sha1-96
set security ipsec proposal P2-AES encryption-algorithm aes-128-cbc
set security ipsec policy ipsec-policy-1 proposals P2-AES
set security ipsec policy ipsec-policy-1 perfect-forward-secrecy keys group2
set security ipsec vpn vpn1 ike gateway gw1
set security ipsec vpn vpn1 ike ipsec-policy ipsec-policy-1
set security ipsec vpn vpn1 establish-tunnels immediately
set security ipsec vpn vpn1 bind-interface st0.0
• Use the "commit" command at the CLI prompt in the configuration mode to activate the configuration.
commit
UTM Configuration
The example continues with the addition of several common UTM features to the configuration. Before configuring any UTM features, the UTM feature license must be installed on the device.
The license keys can be installed using one of the following two methods. These commands are operational mode commands.
• Download from the LMS server directly (recommended; access to the Internet is required for this operation).
request system license update
• Install manually (this process is used when the license keys are available as a text file).
request system license add terminal
• You can now verify that the license was installed using the operational mode command "show system license."
Antivirus Configuration
Having the SRX Series use the express antivirus engine to scan HTTP traffic is also very easy.
• Configure the SRX Series device to use the express antivirus engine.
set security utm feature-profile anti-virus type juniper-express-engine
• Configure a UTM policy to use the predefined antivirus profile http-profile "junos-eav-defaults."
set security utm utm-policy custom-utm-policy anti-virus http-profile junos-eav-defaults
• Apply the UTM policy to the existing trust to untrust security policy.
set security policies from-zone trust to-zone untrust policy default-permit then permit application-services utm-policy custom-utm-policy
• Use the "commit" command at the CLI prompt in the configuration mode to activate the configuration.
commit
Note: The predefined profile "junos-eav-defaults" is preconfigured with antivirus engine fallback options, scanning options, and notification messages. The defaults can be viewed by using the operational mode command:
show configuration groups junos-defaults security utm feature-profile anti-virus juniper-express-engine profile junos-eav-defaults
Web Filtering Configuration
Using the SRX Series to filter Web traffic is also very straightforward.
• Configure the SRX Series to use the integrated Web filtering engine.
set security utm feature-profile web-filtering type surf-control-integrated
• Configure the predefined Web filtering profile "junos-wf-cpa-default" to be used by the utm-policy configured earlier.
set security utm utm-policy custom-utm-policy web-filtering http-profile junos-wf-cpa-default
• Use the "commit" command at the CLI prompt in the configuration mode to activate the configuration.
commit
Note: The predefined profile "junos-wf-cpa-default" is configured to use the SurfControl CPA URL category database hosted by Websense, which contains over [?] million websites, classified into [?] easy-to-use categories. The defaults can be viewed by using the operational mode command:
show configuration groups junos-defaults security utm feature-profile web-filtering surf-control-integrated
IDP Series Configuration
The SRX Series offers the same set of IDP signatures that are available on Juniper Networks IDP Series Intrusion Detection and Prevention Appliances to secure networks against attacks. In this example configuration, the SRX Series device is configured to use a predefined IDP Series policy to secure the network.
• Download and install the latest security package.
request security idp security-package download
request security idp security-package install
• Download and install the IDP security policy templates.
request security idp security-package download policy-templates
request security idp security-package install policy-templates
• Enable the templates.xsl scripts file. (At commit time, the Junos OS management process mgd searches the /var/db/scripts/commit directory for scripts and runs the script against the candidate configuration database to ensure the configuration conforms to the rules dictated by the scripts.)
set system scripts commit file templates.xsl
• Commit the configuration.
commit
• Configure an active IDP policy.
set security idp active-policy Recommended
Note: We recommend a predefined IDP policy. Use "set security idp active-policy ?" to view the list of IDP policies.
• Enable IDP Series detection on the existing firewall security policy from the trust zone to the untrust zone.
set security policies from-zone trust to-zone untrust policy default-permit then permit application-services idp
Appendix
Factory Default Configuration, Junos OS Release 10.0
set system autoinstallation delete-upon-commit
set system autoinstallation traceoptions level verbose
set system autoinstallation traceoptions flag all
set system autoinstallation interfaces ge-0/0/0 bootp
set system name-server 208.67.222.222
set system name-server 208.67.220.220
set system services ssh
set system services telnet
set system services web-management http interface vlan.0
set system services web-management https system-generated-certificate
set system services web-management https interface vlan.0
set system services dhcp router 192.168.1.1
set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2
set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254
set system services dhcp propagate-settings ge-0/0/0.0
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces interface-range interfaces-trust member ge-0/0/1
set interfaces interface-range interfaces-trust member fe-0/0/2
set interfaces interface-range interfaces-trust member fe-0/0/3
set interfaces interface-range interfaces-trust member fe-0/0/4
set interfaces interface-range interfaces-trust member fe-0/0/5
set interfaces interface-range interfaces-trust member fe-0/0/6
set interfaces interface-range interfaces-trust member fe-0/0/7
set interfaces interface-range interfaces-trust unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/0 unit 0
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services tftp
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0
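A configuration in this "set" form can be parsed and cross-checked before it is pasted into a device, which catches the two mistakes that are easiest to make when adapting the factory default: assigning an interface to a zone without configuring a logical unit for it, and referencing an address-book entry from the wrong zone (the guide's examples keep address books per zone, so an entry defined under trust is not visible to a policy whose from-zone is dmz). The script below is an added illustration, not Juniper's code and not from this guide. parse_set_commands, configured_units, zone_address_books, lint and the SAMPLE_CONFIG it runs on are constructed here; the sample reuses the guide's naming but contains two deliberately broken lines, and treating a zone interface written without a unit as unit 0 is an assumption of the model.

```python
# Added illustration (not Juniper code): parse Junos "set" commands into token
# tuples and check cross-references between interfaces, zones and policies.

def parse_set_commands(text):
    """Return a list of token tuples, one per 'set' line; other lines are skipped."""
    stmts = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("set "):
            stmts.append(tuple(line.split()[1:]))
    return stmts


def configured_units(stmts):
    """Logical interfaces (ifd.unit) defined under [edit interfaces]. Members of an
    interface-range inherit the unit numbers configured on the range."""
    units, members, range_units = set(), {}, {}
    for s in stmts:
        if not s or s[0] != "interfaces":
            continue
        if s[1] == "interface-range" and len(s) > 4:
            if s[3] == "member":
                members.setdefault(s[2], []).append(s[4])
            elif s[3] == "unit":
                range_units.setdefault(s[2], set()).add(s[4])
        elif len(s) >= 4 and s[2] == "unit":
            units.add(f"{s[1]}.{s[3]}")
    for name, ifds in members.items():
        for ifd in ifds:
            for unit in range_units.get(name, ()):
                units.add(f"{ifd}.{unit}")
    return units


def zone_address_books(stmts):
    """zone name -> set of address-book entry names defined under that zone."""
    books = {}
    for s in stmts:
        if s[:3] == ("security", "zones", "security-zone") and s[4:6] == ("address-book", "address"):
            books.setdefault(s[3], set()).add(s[6])
    return books


def lint(stmts):
    """Return sorted findings: unconfigured zone interfaces and unresolved policy addresses."""
    findings = set()
    units = configured_units(stmts)
    books = zone_address_books(stmts)
    for s in stmts:
        if s[:3] == ("security", "zones", "security-zone") and len(s) > 5 and s[4] == "interfaces":
            ifl = s[5] if "." in s[5] else s[5] + ".0"   # assumption: bare name means unit 0
            if ifl not in units:
                findings.add(f"zone {s[3]}: interface {ifl} is not configured")
        if s[:3] == ("security", "policies", "from-zone") and len(s) >= 11 and s[8] == "match":
            from_zone, to_zone, policy, field, value = s[3], s[5], s[7], s[9], s[10]
            if field in ("source-address", "destination-address") and value != "any":
                zone = from_zone if field == "source-address" else to_zone
                if value not in books.get(zone, set()):
                    findings.add(f"policy {policy}: {field} {value} not in address book of zone {zone}")
    return sorted(findings)


def lint_text(text):
    return lint(parse_set_commands(text))


# Constructed sample: factory-default style trust/untrust plus a DMZ. Two lines are
# deliberately wrong: ge-0/0/3 has no unit configured, and mgt-pc is never defined.
SAMPLE_CONFIG = """
set interfaces interface-range interfaces-trust member ge-0/0/1
set interfaces interface-range interfaces-trust member fe-0/0/2
set interfaces interface-range interfaces-trust unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/0 unit 0 family inet dhcp
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set security zones security-zone trust interfaces vlan.0
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone dmz interfaces ge-0/0/3.0
set security zones security-zone dmz address-book address webserver 172.16.1.250/32
set security policies from-zone untrust to-zone dmz policy webserver-access match source-address any
set security policies from-zone untrust to-zone dmz policy webserver-access match destination-address webserver
set security policies from-zone trust to-zone dmz policy mgt-access match source-address mgt-pc
set security policies from-zone trust to-zone dmz policy mgt-access match destination-address webserver
"""

if __name__ == "__main__":
    for finding in lint_text(SAMPLE_CONFIG):
        print(finding)
```

The interface-range handling matters for the factory default above: ge-0/0/1 through fe-0/0/7 get their unit 0 only through the range, so a checker that looks solely at per-interface stanzas would wrongly flag them.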
Summary
Branch SRX Series Services Gateways provide all the features required to securely connect modern remote and branch offices in a one-box solution. Junos OS offers users unparalleled flexibility designed to meet the most demanding network requirements. After reading this document, you can configure a branch SRX Series device to securely pass traffic. With a little practice, you can create the advanced configurations required for more complex deployments.
I was thinking whether I should write a short article for beginners to quickly configure an SRX firewall. I don't know how many people will find it useful, but I hope it will be for those who use an SRX for the first time in their life. Let's get started.
Our topology in this tutorial is below:
We will configure the following from scratch:
1. Loading default config and setting the root password
2. Configuring interfaces and default route
3. Configuring security zones
4. Configuring address book entries
5. Creating security policies
6. Creating source NAT for internal clients
Loading default config and setting the root password
I assume you are connected to the SRX device via console.
[edit]
root# load factory-default
warning: activating factory configuration
[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:
[edit]
root# set system host-name srx220
[edit]
root# commit
commit complete
[edit]
root@srx220#
Once we commit the changes, we should see the new hostname srx220 in the prompt. Commit is required to save and activate your changes.
Configuring interfaces and default route
Interfaces
#delete interfaces ge-0/0/0
#delete interfaces ge-0/0/1
#set interfaces ge-0/0/0 unit 0 family inet address 192.168.100.38/24
#set interfaces ge-0/0/1 unit 0 family inet address 192.168.239.1/24
Default route
#set routing-options static route 0.0.0.0/0 next-hop 192.168.100.1
Configuring security zones
SRX is a zone-based firewall, so every interface has to be assigned to a zone before traffic can pass through it or terminate on it. The factory-default config ships with two zones, trust and untrust, but we will delete them and configure our own. Keep in mind that an interface can belong to only one zone, so the commit will fail if an interface you add to a new zone is still bound to an old one. Our zone configuration will be as follows:
• Our zone facing the PC clients is named internal
• Our zone facing the Internet is named internet
• Internal clients will be able to reach the SRX itself (ping and ssh will be enabled as host-inbound services on the internal zone)
#set security zones security-zone internal interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
#set security zones security-zone internal interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
#set security zones security-zone internet interfaces ge-0/0/0.0
Now we have assigned an interface to each zone. To stress the point again: host-inbound-traffic only controls traffic destined to the SRX itself, not transit traffic. If you don't add the ssh and ping services under the internal zone, you can neither connect to the box via ssh nor ping its internal interface IP. Note that we add no host-inbound services to the internet zone at all, so the SRX cannot be pinged or managed from the outside, which is exactly what you want on an Internet-facing interface.
Configuring address book entries
If you want to configure a security policy, you must create an address book entry for each network range you would like to reference in it. We will create one address book entry for our internal network block 192.168.239.0/24 as follows:

#set security zones security-zone internal address-book address network_239 192.168.239.0/24

Our address book entry is now ready for use in a security policy. Now it is time to write the policy that allows internal users to access outside networks.

Note: Address book configuration has evolved over several releases (the zone-attached form used here is the older one; the second part of this post moves to the global address book). To better understand the address book concept on SRX, you can take a look at my other post about address books once you finish this one.
Creating security policies

As this is a firewall, if you don't create a security policy allowing traffic from one zone to the other, don't expect your transit traffic to work. Here we first delete the existing policies (the factory default ships with some) to make sure no other policies remain.
#delete security policies
#set security policies from-zone internal to-zone internet policy allow-internal-clients match source-address network_239
#set security policies from-zone internal to-zone internet policy allow-internal-clients match destination-address any
#set security policies from-zone internal to-zone internet policy allow-internal-clients match application any
#set security policies from-zone internal to-zone internet policy allow-internal-clients then permit
A security policy is created within a context. What does this mean? The context defines the direction: the policy we have created, named "allow-internal-clients", only matches traffic from the internal zone to the internet zone. As our action is "permit", we allow traffic from the network_239 address book entry (i.e. 192.168.239.0/24) towards any address, on any application. Anything that matches no policy in a given zone pair falls through to the default policy, which denies it, so nothing from the internet zone can initiate a connection inwards until we write a policy for it.
Creating source nat for internal clients
You may also need to source NAT the internal clients behind your outside interface IP address, since 192.168.239.0/24 is not routable on the Internet. Here is how we configure source NAT on the SRX. First, delete any leftover NAT rules:
#delete security nat
#set security nat source rule-set internal-to-internet from zone internal
#set security nat source rule-set internal-to-internet to zone internet
#set security nat source rule-set internal-to-internet rule internet-access match source-address 192.168.239.0/24
#set security nat source rule-set internal-to-internet rule internet-access match destination-address 0.0.0.0/0
#set security nat source rule-set internal-to-internet rule internet-access then source-nat interface
#commit
For simplicity we use interface-based NAT, which means that if an internal client has an IP address in the 192.168.239.0/24 range, the source address of its packets will be replaced by the interface IP address 192.168.100.38 (with port translation, since many clients share that one address) when the client wants to reach the Internet.
As you can see, source NAT is also a context-based configuration: you define from which zone you are coming and to which zone you are heading. After this configuration your internal clients, whose gateway is 192.168.239.1, should be able to reach the Internet, if I haven't made any mistake so far.
SRX for beginners #2
After my SRX for beginners post became the most popular article on this blog, I decided to improve it a little, as it was missing some vital information. Without too much talk, let's summarize what we will do in this post:
• What is a flow session?
• How can we interpret a flow session entry?
• How can we open a standard port/application on SRX and do destination NAT?
• How can we open a non-standard port and do destination NAT?
• How can we do proxy-arp?
In this post we use the same topology as in the previous post, but I have added three new devices to it so that I can show source/destination NAT and proxy ARP.
SRX for beginners topology (diagram)
Let's get started:
What is a flow session?
Juniper SRX is a stateful firewall, so the box doesn't simply forward an IP packet and forget about it. It has to remember which packets it has received and which packets it is expecting in return. It isn't exactly like this, but for the sake of simplicity let's assume so for now. So what does a session look like on an SRX firewall? To show this, I telnet from the PC1 device to TCP port 80 of the www.example.com host, which is outside my test network, and look at how the flow session appears on our SRX firewall.
A TCP port 80 connection is established towards the host 93.184.216.34:
pc1> telnet www.example.com 80
Trying 93.184.216.34...
Connected to www.example.com.
Escape character is '^]'.
Now let's see what this session looks like on our firewall:

root@srx220> show security flow session destination-port 80
Session ID: 109, Policy name: allow-internal-clients/4, Timeout: 294, Valid
  In: 192.168.239.3/47715 --> 93.184.216.34/80;tcp, If: ge-0/0/1.0, Pkts: 2, Bytes: 112
  Out: 93.184.216.34/80 --> 192.168.100.38/20201;tcp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
Total sessions: 1
As you can see, we can display sessions with the "show security flow session" command, and by adding further options, e.g. destination-port, you can filter the session table.
How can we interpret a flow session entry?
Now let’s drill down this single flow session entry line by line.
Line 1
• 109 : Each session is given a session identifier by the firewall, here 109
• allow-internal-clients/4 : The security policy that matched this traffic; the number 4 is the policy index
• 294 : When a session is created it starts with the default timeout for its application (1800 seconds for TCP) and counts down towards zero as long as no packet is seen; every packet resets it. If it reaches 0 the session is removed
Line 2
• 192.168.239.3/47715 : Source IP address/port of the host that created the session
• 93.184.216.34/80;tcp : Destination IP address/port of the destination host and the transport layer protocol, which is tcp here
• ge-0/0/1.0 : The ingress interface of the packet
• Pkts: 2, Bytes: 112 : Number of packets and bytes received in this direction
Line 3
A flow session has two wings, and this one is the wing for the reverse direction.
• 93.184.216.34/80 : This is the same as our destination address
• 192.168.100.38/20201 : This is the address to which 93.184.216.34 replies, and it differs from our source IP address 192.168.239.3 because we are doing source NAT with port translation
• ge-0/0/0.0 : Ingress interface of the return packets
• Pkts: 1, Bytes: 60 : Packets and bytes received from the destination
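The wing comparison just described can be automated. The following Python script is an added example and not code from the original post: it parses the text of "show security flow session" (the sample input is constructed from the two sessions shown in this post) and, by comparing the In and Out wings, reports whether source NAT, destination NAT, or both were applied, with or without port translation. The regular expressions assume the line layout shown here; other Junos releases may print additional fields.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input, modelled on the "show security flow session" output
# in this post: the source-NATed session to www.example.com and the
# destination-NATed SMTP session from the second part of the post.
SAMPLE = """\
Session ID: 109, Policy name: allow-internal-clients/4, Timeout: 294, Valid
  In: 192.168.239.3/47715 --> 93.184.216.34/80;tcp, If: ge-0/0/1.0, Pkts: 2, Bytes: 112
  Out: 93.184.216.34/80 --> 192.168.100.38/20201;tcp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60

Session ID: 151, Policy name: allow-smtp-service/6, Timeout: 1784, Valid
  In: 10.100.100.10/56967 --> 192.168.100.38/2025;tcp, If: ge-0/0/0.0, Pkts: 3, Bytes: 164
  Out: 192.168.239.11/25 --> 10.100.100.10/56967;tcp, If: ge-0/0/1.0, Pkts: 2, Bytes: 151
Total sessions: 2
"""

HEADER = re.compile(
    r"Session ID: (\d+), Policy name: ([^/,]+)/(\d+), Timeout: (\d+), (\w+)")
WING = re.compile(
    r"(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), If: (\S+), Pkts: (\d+), Bytes: (\d+)")


@dataclass
class Wing:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    iface: str      # ingress interface for packets travelling in this direction
    pkts: int
    bytes: int


@dataclass
class Session:
    sid: int
    policy: str
    policy_index: int
    timeout: int
    state: str
    wings: dict = field(default_factory=dict)   # keyed "In" and "Out"


def parse_sessions(text):
    """Turn the CLI text into Session objects, one per 'Session ID' block."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = HEADER.search(line)
        if m:
            cur = Session(int(m[1]), m[2], int(m[3]), int(m[4]), m[5])
            sessions.append(cur)
            continue
        m = WING.search(line)
        if m and cur is not None:
            cur.wings[m[1]] = Wing(m[2], int(m[3]), m[4], int(m[5]), m[6],
                                   m[7], int(m[8]), int(m[9]))
    return sessions


def nat_summary(s):
    """Work out which NAT the SRX applied by comparing the two wings.

    The In wing is the packet as the client sent it; the Out wing is the reply
    as the far end sends it. Whatever differs between them is what the
    firewall rewrote in between.
    """
    i, o = s.wings["In"], s.wings["Out"]
    findings = []
    # Reply addressed to something other than the original source: source NAT.
    if (o.dst, o.dport) != (i.src, i.sport):
        kind = "source NAT" + (" with port translation" if o.dport != i.sport else "")
        findings.append(f"{kind}: {i.src}:{i.sport} -> {o.dst}:{o.dport}")
    # Reply coming from something other than the original destination: destination NAT.
    if (o.src, o.sport) != (i.dst, i.dport):
        kind = "destination NAT" + (" with port translation" if o.sport != i.dport else "")
        findings.append(f"{kind}: {i.dst}:{i.dport} -> {o.src}:{o.sport}")
    return findings or ["no NAT"]


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE):
        print(f"session {s.sid} ({s.policy}/{s.policy_index}, timeout {s.timeout}s):",
              "; ".join(nat_summary(s)))
```

Run it against a saved copy of the command output (or pipe the output in and call parse_sessions on it) to spot at a glance which sessions are being translated and in which direction; a session that shows "no NAT" but was expected to be source-NATed usually means the rule-set's zone context did not match.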
How can we open a default/standard port/application on SRX and do destination NAT?
In the topology we have a web server, and we would like to offer a public HTTP service, i.e. anyone on the Internet who types http://192.168.100.38 into their browser will be forwarded to our internal web server. To do this we create a destination NAT rule and a security policy allowing this HTTP traffic.
First we go to configuration mode:

root@srx220> configure
Entering configuration mode

Then we can paste the following commands to configure destination NAT.
Destination NAT

set security nat destination pool webserver-internal address 192.168.239.10/32
set security nat destination rule-set internal-servers from zone internet
set security nat destination rule-set internal-servers rule webserver match destination-address 192.168.100.38/32
set security nat destination rule-set internal-servers rule webserver match destination-port 80
set security nat destination rule-set internal-servers rule webserver then destination-nat pool webserver-internal

Note: In order to forward traffic to the internal server, a pool is required; the rule only says which incoming address and port to match and which pool to translate to.
Security Policy
If you don't permit the HTTP traffic in a security policy, destination NAT is of no use. In this setup I am moving from zone-specific address books to the global address book, so I move my old address book entry to the global level and add a new entry for the web server.
delete security zones security-zone internal address-book address network_239
set security address-book global address network_239 192.168.239.0/24
set security address-book global address webserver 192.168.239.10/32
Now we can create the security policy.
set security policies from-zone internet to-zone internal policy allow-web-service match source-address any
set security policies from-zone internet to-zone internal policy allow-web-service match destination-address webserver
set security policies from-zone internet to-zone internal policy allow-web-service match application junos-http
set security policies from-zone internet to-zone internal policy allow-web-service then permit

Note: On SRX the predefined applications are prefixed with junos-, as you can see with the junos-http application.
Finally, commit your changes. Now we telnet to the IP 192.168.100.38 from the outside network (10.100.100.10) and check the session table.

root@srx220> show security flow session destination-port 80
Session ID: 147, Policy name: allow-web-service/5, Timeout: 286, Valid
  In: 10.100.100.10/36120 --> 192.168.100.38/80;tcp, If: ge-0/0/0.0, Pkts: 3, Bytes: 164
  Out: 192.168.239.10/80 --> 10.100.100.10/36120;tcp, If: ge-0/0/1.0, Pkts: 2, Bytes: 120
Total sessions: 1
As you can see, the request for 192.168.100.38:80 is translated to 192.168.239.10:80 by the SRX, and the reverse wing shows the real server address as the source of the replies.
How can we open a non-standard port and do destination NAT?
Now we have a different requirement. There is an SMTP server listening on the default port 25, but for some reason we want everyone to reach this host on port 2025 instead of the default port. Let's configure this scenario.
First, the address book entry:

set security address-book global address smtpserver 192.168.239.11

Then the destination NAT pool and rule:

set security nat destination pool smtpserver-internal address 192.168.239.11/32
set security nat destination pool smtpserver-internal address port 25
set security nat destination rule-set internal-servers rule smtpserver match destination-address 192.168.100.38/32
set security nat destination rule-set internal-servers rule smtpserver match destination-port 2025
set security nat destination rule-set internal-servers rule smtpserver then destination-nat pool smtpserver-internal

Note: Pay attention that the pool we created is for port 25, while the rule matches port 2025.
Now the security policy:

set security policies from-zone internet to-zone internal policy allow-smtp-service match source-address any
set security policies from-zone internet to-zone internal policy allow-smtp-service match destination-address smtpserver
set security policies from-zone internet to-zone internal policy allow-smtp-service match application junos-smtp
set security policies from-zone internet to-zone internal policy allow-smtp-service then permit
Note: You may be asking why we use the junos-smtp application, which has port 25, instead of an application with destination port 2025. The reason is that security policy lookup is done after destination NAT has been applied, so by the time the policy is evaluated the destination port has already been translated from 2025 to 25 (and the destination address from 192.168.100.38 to 192.168.239.11, which is why the policy matches on the smtpserver address rather than on the public one). Source NAT, by contrast, is applied after the policy lookup, which is why the part 1 policy could match the original 192.168.239.0/24 source addresses.
For example, if you were to redirect (port NAT) port 2025 to another non-standard port, e.g. 2000, on this SMTP server, then you would have to create an application, e.g. named custom-smtp, whose destination port is the port after translation, and permit that application in this policy:
set applications application custom-smtp protocol tcp
#the port the policy sees is the translated one (2000 in the example above), not the public 2025
set applications application custom-smtp destination-port 2000
But this isn't what we are configuring now; we just redirect the outside port 2025 to the internal port 25, so the predefined junos-smtp application is the right one to permit.
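To make the ordering point concrete, here is an added Python example (not code from the original post) that audits a set-style configuration: for each destination NAT rule it derives the port the policy will actually see (the pool's port if one is configured, otherwise the port the rule matched on) and checks that a permit policy from the rule-set's source zone covers the pool address and that port. The sample configuration is constructed from this post's SMTP scenario; the junos- application port table is a small subset I have assumed for the example, and the parser only understands the statement forms used on this page. Swapping junos-smtp for custom-smtp in the sample reproduces exactly the mistake the note above warns against.

```python
from ipaddress import ip_network

# Ports of the predefined junos- applications used in this post. Deliberately a
# tiny subset (an assumption of this example); the device's full list lives in
# the junos-defaults configuration group.
JUNOS_APPS = {"junos-http": {"protocol": "tcp", "port": 80},
              "junos-smtp": {"protocol": "tcp", "port": 25}}

# Constructed sample: the 2025 -> 25 SMTP forward from this post, with both the
# predefined junos-smtp application and a custom-smtp (2025) application defined.
SAMPLE_CONFIG = """\
set security address-book global address smtpserver 192.168.239.11
set security nat destination pool smtpserver-internal address 192.168.239.11/32
set security nat destination pool smtpserver-internal address port 25
set security nat destination rule-set internal-servers from zone internet
set security nat destination rule-set internal-servers rule smtpserver match destination-address 192.168.100.38/32
set security nat destination rule-set internal-servers rule smtpserver match destination-port 2025
set security nat destination rule-set internal-servers rule smtpserver then destination-nat pool smtpserver-internal
set applications application custom-smtp protocol tcp
set applications application custom-smtp destination-port 2025
set security policies from-zone internet to-zone internal policy allow-smtp-service match source-address any
set security policies from-zone internet to-zone internal policy allow-smtp-service match destination-address smtpserver
set security policies from-zone internet to-zone internal policy allow-smtp-service match application junos-smtp
set security policies from-zone internet to-zone internal policy allow-smtp-service then permit
"""


def parse_config(text):
    """Collect the statements destination NAT depends on from 'set ...' lines."""
    cfg = {"pools": {}, "rule_sets": {}, "addrs": {}, "policies": {},
           "apps": {k: dict(v) for k, v in JUNOS_APPS.items()}}
    for line in text.splitlines():
        w = line.split()
        if not w or w[0] != "set":
            continue
        if w[1:5] == ["security", "nat", "destination", "pool"]:
            pool = cfg["pools"].setdefault(w[5], {"address": None, "port": None})
            if w[6:8] == ["address", "port"]:
                pool["port"] = int(w[8])
            elif w[6] == "address":
                pool["address"] = ip_network(w[7], strict=False)
        elif w[1:5] == ["security", "nat", "destination", "rule-set"]:
            rs = cfg["rule_sets"].setdefault(w[5], {"from": None, "rules": {}})
            if w[6:8] == ["from", "zone"]:
                rs["from"] = w[8]
            elif w[6] == "rule":
                rule = rs["rules"].setdefault(w[7], {})
                if w[8] == "match":
                    rule[w[9]] = w[10]
                elif w[8:11] == ["then", "destination-nat", "pool"]:
                    rule["pool"] = w[11]
        elif w[1:3] == ["applications", "application"]:
            app = cfg["apps"].setdefault(w[3], {"protocol": None, "port": None})
            if w[4] == "protocol":
                app["protocol"] = w[5]
            elif w[4] == "destination-port":
                app["port"] = int(w[5])
        elif w[1:5] == ["security", "address-book", "global", "address"]:
            cfg["addrs"][w[5]] = ip_network(w[6], strict=False)  # bare IP becomes /32
        elif w[1:4] == ["security", "policies", "from-zone"]:
            pol = cfg["policies"].setdefault((w[4], w[6], w[8]), {"match": {}, "then": None})
            if w[9] == "match":
                pol["match"][w[10]] = w[11]
            elif w[9] == "then":
                pol["then"] = w[10]
    return cfg


def audit_destination_nat(cfg):
    """Report destination NAT rules no permit policy lets through. Policy lookup
    runs after destination NAT, so the policy must match the pool address and the
    translated port: the pool's port if set, otherwise the port the rule matched."""
    findings = []
    for rs_name, rs in cfg["rule_sets"].items():
        for rule_name, rule in rs["rules"].items():
            pool = cfg["pools"][rule["pool"]]
            port = pool["port"] or int(rule["destination-port"])
            permitted = False
            for (from_zone, _to_zone, _name), pol in cfg["policies"].items():
                if from_zone != rs["from"] or pol["then"] != "permit":
                    continue
                dst = pol["match"].get("destination-address")
                if dst != "any" and not (dst in cfg["addrs"]
                                         and pool["address"].subnet_of(cfg["addrs"][dst])):
                    continue
                app_name = pol["match"].get("application")
                app = cfg["apps"].get(app_name)
                if app_name == "any" or (app and app["port"] == port):
                    permitted = True
                    break
            if not permitted:
                findings.append(f"{rs_name}/{rule_name}: no permit policy from zone "
                                f"{rs['from']} to {pool['address']} on translated port {port}")
    return findings
```

Feed it the output of "show configuration | display set" and an empty list from audit_destination_nat means every forward has a matching permit; each string it returns names a rule whose traffic the SRX will translate and then drop at the policy stage.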
Now we telnet from our Internet host:

root@Host2:~# host NRN1
NRN1> telnet 192.168.100.38 2025
Trying 192.168.100.38...
Connected to 192.168.100.38.
Escape character is '^]'.
220 Host2 ESMTP Postfix (Debian/GNU)
Hey, we have got the SMTP banner on the non-standard port 2025. Let's check the flow session:
root@srx220> show security flow session destination-port 25
Session ID: 151, Policy name: allow-smtp-service/6, Timeout: 1784, Valid
  In: 10.100.100.10/56967 --> 192.168.100.38/2025;tcp, If: ge-0/0/0.0, Pkts: 3, Bytes: 164
  Out: 192.168.239.11/25 --> 10.100.100.10/56967;tcp, If: ge-0/0/1.0, Pkts: 2, Bytes: 151
Total sessions: 1
Yes, port 2025 is translated to 25, as can be seen in the flow session too.
You can also check the translation hit counters with the following command to see whether the NAT rule is really being hit:
root@srx220> show security nat destination rule smtpserver
Destination NAT rule: smtpserver        Rule-set: internal-servers
  Rule-Id                    : 2
  Rule position              : 2
  From zone                  : internet
    Destination addresses    : 192.168.100.38  - 192.168.100.38
    Destination port         : 2025            - 2025
  Action                     : smtpserver-internal
  Translation hits           : 1   <--- Here we can see the translation hits.
    Successful sessions      : 1
    Failed sessions          : 0
  Number of sessions         : 1
How can we do proxy-arp?
According to our topology we have only one WAN IP assigned to the external interface, 192.168.100.38, but our ISP has given us a /24 block, and we would now also like to use the IP address 192.168.100.100 from it for some services. However, we don't want to assign this IP address to the external interface. The problem is that if you don't assign an IP to an interface, the SRX doesn't respond to ARP requests for that IP, so the ISP's router can never deliver packets for it. To solve this we configure proxy ARP, which makes the SRX answer ARP requests on ge-0/0/0.0 for the listed addresses (this works because 192.168.100.100 is in the same /24 as the interface, so the upstream router ARPs for it directly). To demonstrate this we have a scenario: we have an application server in the internal network whose IP is 192.168.239.12, and the application is running on TCP port 8080. We would like everyone on the Internet to access this application via TCP port 80, i.e. we will redirect TCP 80 requests coming to 192.168.100.100 to the internal 192.168.239.12 on TCP 8080.
#Configure proxy-arp so that we can respond to ARP requests for this address
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.100.100/32
#Configure the TCP8080 custom application
set applications application TCP8080 protocol tcp
set applications application TCP8080 destination-port 8080
#We also need an address book entry for our policy
set security address-book global address appserver 192.168.239.12/32
#Here we configure our pool for NAT
set security nat destination pool appserver-internal address 192.168.239.12/32
set security nat destination pool appserver-internal address port 8080
#Destination NAT rule
set security nat destination rule-set internal-servers rule appserver match destination-address 192.168.100.100/32
set security nat destination rule-set internal-servers rule appserver match destination-port 80
set security nat destination rule-set internal-servers rule appserver then destination-nat pool appserver-internal
#And finally the security policy allowing TCP8080
set security policies from-zone internet to-zone internal policy allow-appserver match source-address any
set security policies from-zone internet to-zone internal policy allow-appserver match destination-address appserver
set security policies from-zone internet to-zone internal policy allow-appserver match application TCP8080
set security policies from-zone internet to-zone internal policy allow-appserver then permit
Now we connect to TCP port 80 of 192.168.100.100 from the Internet host 10.100.100.10 and look at the session table:

root@srx220> show security flow session destination-port 80
Session ID: 7, Policy name: allow-appserver/7, Timeout: 1792, Valid
  In: 10.100.100.10/45550 --> 192.168.100.100/80;tcp, If: ge-0/0/0.0, Pkts: 3, Bytes: 164
  Out: 192.168.239.12/8080 --> 10.100.100.10/45550;tcp, If: ge-0/0/1.0, Pkts: 2, Bytes: 120
Total sessions: 1

Yes, it works! We redirect port 80 to the internal port 8080.