7/18/2019 SRX Series Services Gateways
http://slidepdf.com/reader/full/srx-series-services-gateways

Configuration Guide: Juniper Networks Branch SRX Series Services Gateways

How to Configure Branch SRX Series Services Gateways for Several Common Deployment Scenarios.

Introduction

The purpose of this application note is to walk the reader through the steps necessary to configure out-of-the-box branch Juniper SRX Series Services Gateways to provide secure connectivity to the Internet and remote sites. The example configurations can be leveraged to build more complicated configurations that will meet the security requirements of modern branch and remote offices. After reading this document, you should be able to configure a branch SRX Series gateway to pass traffic and provide several common security services.

 

Scope

This paper introduces the Juniper Networks Junos® operating system command-line interface (CLI) and helps the reader configure an SRX Series device for the first time, providing a building block for more advanced configurations. It does not include advanced security configuration examples or network design guidelines.

 

Design Considerations

Supported Hardware

Juniper Networks Branch SRX Series Services Gateways (certain features described in this document are not available across the entire SRX Series platform).

 

Software Requirements

Junos OS Release 10.0 or later for all SRX Series Services Gateways (a more recent release is required for all SRX Series Services Gateways supported and released after 9.5).

 

Description and Deployment Scenario

The included examples are not intended to be Juniper recommended configurations, as they only meet the security requirements of the simplest deployments such as a small home office. However, with some modification, they can be used to connect and secure larger remote and branch offices to a larger central site.

The approach of this document is to begin with an SRX Series appliance as it ships from the factory and progressively work through the steps necessary to build a usable base configuration.

 

Default Configuration—Junos OS Release 10.0 and Later

The first configuration is often associated with default firewall behavior. The Juniper Networks SRX100 Services Gateway, SRX210 Services Gateway, and SRX240 Services Gateway have all of their interfaces configured in a similar fashion. The interface ge-0/0/0 is in Layer 3 mode, and all the other interfaces are switched and assigned to a VLAN. A VLAN interface is created to route traffic from the interfaces in the VLAN. All traffic between the ports within the VLAN is locally switched.

SRX100, SRX210, and SRX240

The following default configurations apply to the SRX100, SRX210, and SRX240 factory default settings.

INTERFACE                                                  SECURITY ZONE   DHCP STATE   IP ADDRESS
ge-0/0/0 (for SRX210 and SRX240), fe-0/0/0 (for SRX100)    untrust         Client       Dynamically Assigned
vlan.0                                                     trust           Server       192.168.1.1/24

SRX650

The default configuration for the interfaces on the SRX650 is different. All the interfaces are configured as Layer 3 interfaces. The following table summarizes the default interface configuration on the SRX650.

INTERFACE   SECURITY ZONE   DHCP STATE   IP ADDRESS
ge-0/0/0    untrust         Client       Dynamically Assigned
ge-0/0/1    trust           Server       192.168.1.1/24
ge-0/0/2    trust           Server       192.168.2.1/24
ge-0/0/3    trust           Server       192.168.3.1/24

By default, the following security policies and NAT rules are created on the SRX Series.

Security Policy

SOURCE ZONE   DESTINATION ZONE   POLICY ACTION
trust         untrust            permit

NAT Rule

SOURCE ZONE   DESTINATION ZONE   NAT ACTION
trust         untrust            Source NAT to untrust zone interface

Using the Default Configuration for Network Access

To illustrate a common default firewall configuration, an SRX210 is used, and the following design assumptions are made:

• The protected network is connected to interfaces ge-0/0/1 and fe-0/0/2 in the trust zone.

• Connectivity to the Internet is through interface ge-0/0/0 in the untrust zone.

• The IP address of interface ge-0/0/0 is assigned via DHCP.

The interfaces ge-0/0/1 and fe-0/0/2 are part of the default VLAN. The protected hosts can be connected to any one of the ports that are part of the default VLAN.

 

Configuration

An SRX Series device can be configured from the CLI or through the Juniper Networks J-Web Software GUI. To use J-Web in this example, connect a management PC to interface ge-0/0/1. The IP address of the PC can be statically configured or assigned by the factory default DHCP server enabled on the VLAN interface.

For this example, the SRX Series device is configured using the CLI, and the management PC is assigned an IP address from the DHCP server process on the SRX Series gateway.

To access an SRX Series device with the Junos OS CLI:

• Connect one end of the console cable to the serial port adapter, plug the adapter into a serial port on the PC or laptop, and plug the other end of the cable into the console port on the SRX Series device.

• Start the terminal emulation program on the PC or laptop, select the COM port, and configure the following port settings: 9600 (bits per second), 8 (data bits), none (parity), 1 (stop bits), and none (flow control).

• Press the POWER button on the router, and verify that the POWER LED turns green.

• Log in as root, and press Enter at the Password prompt. (When booting the factory default configuration, you do not need to enter a password.)

• Enter the UNIX shell after you are authenticated through the CLI:

  Amnesiac (ttyu0)
  login: root
  Password:
  --- JUNOS 10.0R1.8 built 2009-08-10 09:23:09 UTC

• At the % prompt, type “cli” to start the CLI and press Enter. The prompt changes to an angle bracket (>) when you enter CLI operational mode.

  root@% cli
  root>

• At the (>) prompt, type “configure” and press Enter. The prompt changes from > to # when you enter configuration mode.

  root> configure
  Entering configuration mode
  [edit]
  root#

To configure the SRX Series device to be deployed in the network to securely pass traffic using the default configuration, use the following two commands:

• Create a password for the root user to manage the SRX Series device.

  set system root-authentication plain-text-password (will prompt for password)

• Use the “commit” command at the CLI prompt to activate the configuration.

  commit

Default Firewall Configuration—Junos OS Release 9.5 and Earlier

The first configuration is often associated with default firewall behavior. All outbound traffic from a private network is allowed and uses source NAT, while inbound traffic from the Internet not matching an established session is blocked.

The first time that a branch SRX Series gateway is powered on, it boots using the factory default configuration as follows:

• A trust zone and an untrust zone are created.

• Interface ge-0/0/0 is assigned the IP address 192.168.1.1 and is bound to the trust zone.

• A DHCP server instance is enabled on interface ge-0/0/0.

• Three security policies, one intra-zone and two inter-zone, are created:
  -- trust zone to trust zone (intra-zone) default permit policy
  -- trust zone to untrust zone (inter-zone) default permit policy
  -- untrust zone to trust zone (inter-zone) default deny policy

• To illustrate a common default firewall configuration, an SRX210 is used, and the following design assumptions are made:
  -- The protected network is connected to interface ge-0/0/0 in the trust zone.
  -- Connectivity to the Internet is through interface fe-0/0/7 in the untrust zone.
  -- The IP address of interface fe-0/0/7 is either statically configured or assigned via DHCP.

 

Configuration

An SRX Series device can be configured from the CLI or through the J-Web GUI. To use J-Web, connect a management PC to interface ge-0/0/0. The IP address of the PC can be statically configured or assigned by the factory default DHCP server enabled on ge-0/0/0.

For this example, the SRX Series device is configured using the CLI, and the management PC is assigned a static IP address of 192.168.1.10/24 with a default gateway of 192.168.1.1.

To access an SRX Series device with the Junos OS CLI:

• Connect one end of the console cable to the serial port adapter, plug the adapter into a serial port on the PC or laptop, and plug the other end of the cable into the console port on the SRX Series device.

• Start the terminal emulation program on the PC or laptop, select the COM port, and configure the following port settings: 9600 (bits per second), 8 (data bits), none (parity), 1 (stop bits), and none (flow control).

• Press the POWER button on the router, and verify that the POWER LED turns green.

• Log in as root, and press Enter at the Password prompt. (When booting the factory default configuration, you do not need to enter a password.)

• Enter the UNIX shell after you are authenticated through the CLI:

  Amnesiac (ttyu0)
  login: root
  Password:
  JUNOS 9.4B3 built 2008-12-19 00:28:05 UTC
  root@%

• At the % prompt, type “cli” to start the CLI and press Enter. The prompt changes to an angle bracket (>) when you enter CLI operational mode.

  root@% cli
  root>

• At the (>) prompt, type “configure” and press Enter. The prompt changes from > to # when you enter configuration mode.

  root> configure
  Entering configuration mode
  [edit]
  root#

Configuring Management Access

Next, the SRX Series device is configured to allow secure management access and apply NAT to all outbound traffic.

• Set the root user password.

  set system root-authentication plain-text-password (will prompt for password)

• Set the system host name.

  set system host-name mysrx

• Assign interface fe-0/0/7 to the untrust zone (zone names are case sensitive).

  set security zones security-zone untrust interfaces fe-0/0/7.0

• Set the name server parameter.

  set system name-server <ip address>

• fe-0/0/7 IP address and default route configuration.

  a. To assign the IP address and gateway statically:

  set interfaces fe-0/0/7 unit 0 family inet address 1.1.1.1/30
  set routing-options static route 0.0.0.0/0 next-hop <ip address of the upstream router>

  b. To configure interface fe-0/0/7 to obtain an IP address and default gateway from a DHCP server:

  set interfaces fe-0/0/7 unit 0 family inet dhcp
  set security zones security-zone untrust interfaces fe-0/0/7.0 host-inbound-traffic system-services dhcp

• Create a NAT rule for source translation of all Internet-bound traffic.

  set security nat source rule-set interface-nat from zone trust
  set security nat source rule-set interface-nat to zone untrust
  set security nat source rule-set interface-nat rule rule1 match source-address 0.0.0.0/0 destination-address 0.0.0.0/0
  set security nat source rule-set interface-nat rule rule1 then source-nat interface

• Use the “commit” command at the CLI prompt to activate the configuration.

  commit

Firewall Configuration for Outbound Access Using Integrated Routing and Bridging (IRB)

To eliminate the need for an external switch (if the SRX Series device has enough available ports), an SRX Series gateway can be configured to provide switching and routing simultaneously. Starting with Junos OS Release 10.0, the factory default configuration has integrated routing and bridging (IRB) enabled.

An SRX Series device uses virtual L3 interfaces to support IRB, equivalent to routing between a set of switched and routed interfaces. Today, this design is widely adopted on enterprise switches. Implementing routing and bridging in a security device is more challenging than in a switch because security policies are applied to both inter-zone and intra-zone traffic. Junos OS implements IRB with the help of VLANs combined with interfaces. A VLAN is a collection of interfaces that can be grouped together into a broadcast domain. Junos OS-based switches switch Ethernet frames within a VLAN rather than routing IP packets. A virtual interface, called the VLAN interface, is used to route traffic between the switched ports and routed ports. This architectural approach is very similar to connecting a standalone switch to a port on the firewall.

Readers might want to skip this configuration and try it at the end, as subsequent examples build upon the first example.

To illustrate this firewall configuration, make the following design assumptions:

• Interface fe-0/0/7 provides the connection to the Internet.

• A VLAN is created by grouping the following interfaces:
  -- ge-0/0/0
  -- ge-0/0/1
  -- fe-0/0/2
  -- fe-0/0/3

• A VLAN interface with the IP address 192.168.1.1/24 is created to route traffic between the switch ports and the routed interface fe-0/0/7.

Configuration

• Remove the factory default IP address from the interface ge-0/0/0.

  delete interfaces ge-0/0/0 unit 0 family inet

• Configure Ethernet switching on the interfaces that are part of the VLAN.

  set interfaces ge-0/0/0 unit 0 family ethernet-switching
  set interfaces ge-0/0/1 unit 0 family ethernet-switching
  set interfaces fe-0/0/2 unit 0 family ethernet-switching
  set interfaces fe-0/0/3 unit 0 family ethernet-switching

• Configure a VLAN interface to route traffic between the switched ports and the routed interface.

  set interfaces vlan unit 0 family inet address 192.168.1.1/24

• Assign the VLAN interface to the default VLAN.

  set vlans default l3-interface vlan.0

  Note: SRX Series gateways are preconfigured with a system-defined VLAN named “default” with VLAN-ID “1”.

• Assign the VLAN interface to the trust security zone.

  set security zones security-zone trust interfaces vlan.0

Advanced Configuration

• Create an administrative user to manage the SRX Series device.

• Create a read-only administrative user.

• Set the system hostname.

• Set the DNS server and NTP server parameters.

• A DMZ zone is created for securing server access, with an IP address of 172.16.1.1/24 and the “ping” service enabled on the zone.

• Interface ge-0/0/1 is assigned to the DMZ zone.

• Interface ge-0/0/0 provides connectivity to the Internet.

• All networking parameters are statically assigned.

• The following security policies are required:
  a. Allow HTTPS traffic from the untrust zone to the DMZ zone.
  b. Allow DNS traffic from the DMZ zone to the untrust zone.
  c. Allow SSH and HTTPS traffic from the host 192.168.1.200/24 in the trust zone to the server in the DMZ zone.

Configuring Steps

All the commands are executed from the configuration mode unless otherwise noted.

• Creating the administrative user to manage the SRX Series device.

  set system login user <username> class super-user
  set system login user <username> authentication plain-text-password (will prompt for password)

• Creating the read-only administrative user.

  set system login user <username> class read-only
  set system login user <username> authentication plain-text-password (will prompt for password)

• Setting the system hostname.

  set system host-name mysrx

• Setting the DNS and NTP servers.

  set system name-server <ip address of server>
  set date ntp <server_ip address> - This is an operational mode command. Operational mode commands can be executed in the configuration mode by using the keyword “run”.

• Creating the DMZ zone and allowing the ping service.

  set security zones security-zone dmz host-inbound-traffic system-services ping

• Assigning interface ge-0/0/1 to the DMZ zone.

  set security zones security-zone dmz interfaces ge-0/0/1.0

  Note: If using the factory default with the Junos OS 10.0 release, all of the interfaces except ge-0/0/0 will have Ethernet switching enabled by default. This configuration is accomplished by applying Ethernet switching to a group “interfaces-trust” and applying the group configuration to the interfaces. Remove ge-0/0/1 from that group before assigning it an IP address:

  delete interfaces interface-range interfaces-trust member ge-0/0/1

• Configuring networking parameters.

  a. Assigning IP addresses

  set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.1/30
  set interfaces ge-0/0/1 unit 0 family inet address 172.16.1.1/24

  b. Creating a default route

  set routing-options static route 0.0.0.0/0 next-hop <ip address>

• Configuring security policies.

  a. Security policy from untrust to DMZ

  set security zones security-zone dmz address-book address webserver 172.16.1.250/24 - Creates an address book entry for the webserver (a /24 here matches the whole DMZ subnet; use /32 to restrict the entry to the single host)
  set security policies from-zone untrust to-zone dmz policy webserver-access match source-address any
  set security policies from-zone untrust to-zone dmz policy webserver-access match destination-address webserver
  set security policies from-zone untrust to-zone dmz policy webserver-access match application junos-https
  set security policies from-zone untrust to-zone dmz policy webserver-access then permit

  b. Security policy from DMZ to untrust

  set security policies from-zone dmz to-zone untrust policy dns-access match source-address webserver
  set security policies from-zone dmz to-zone untrust policy dns-access match destination-address any
  set security policies from-zone dmz to-zone untrust policy dns-access match application junos-dns
  set security policies from-zone dmz to-zone untrust policy dns-access then permit

  c. Allow SSH and HTTPS traffic from the host 192.168.1.200/24 in the trust zone to the DMZ zone server

  set security zones security-zone trust address-book address mgt-pc 192.168.1.200/24 - Creates an address book entry for the management PC (again, /32 restricts this to the single host)
  set applications application-set mgt-services application junos-https
  set applications application-set mgt-services application junos-ssh
  set security policies from-zone trust to-zone dmz policy mgt-access match source-address mgt-pc
  set security policies from-zone trust to-zone dmz policy mgt-access match destination-address webserver
  set security policies from-zone trust to-zone dmz policy mgt-access match application mgt-services
  set security policies from-zone trust to-zone dmz policy mgt-access then permit
  set security policies from-zone trust to-zone dmz policy mgt-access then log session-init
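The policy steps above are easy to get subtly wrong: a policy can reference an address-book entry that was defined in the wrong zone, and an entry meant for one host can be written with a subnet mask (the /24 on the webserver and mgt-pc entries above matches the entire subnet). The following Python script, added here as an example and not code from the Juniper application note, renders the same address-book, application-set and policy commands from a small data model and runs those two checks over it. Zone, address, policy and application-set names follow the document; the data model, the helper names and the sample inputs are this example's own assumptions.

```python
"""Render the DMZ security policies as Junos 'set' commands and check them for
two common mistakes: references to undefined address-book entries or
application sets, and 'host' entries that are really subnets.

Added example, not code from the Juniper application note. Zone, address,
policy and application-set names follow the document; the helper names
(render_all, check_policies) and the sample inputs are this example's own."""
import ipaddress

# Constructed inputs mirroring the document's DMZ scenario. The two /24 prefixes
# are exactly as the page writes them, which the checker below will flag.
ADDRESS_BOOK = {
    "dmz": {"webserver": "172.16.1.250/24"},
    "trust": {"mgt-pc": "192.168.1.200/24"},
}
APPLICATION_SETS = {"mgt-services": ["junos-https", "junos-ssh"]}
POLICIES = [
    {"from": "untrust", "to": "dmz", "name": "webserver-access",
     "src": "any", "dst": "webserver", "app": "junos-https", "log": False},
    {"from": "dmz", "to": "untrust", "name": "dns-access",
     "src": "webserver", "dst": "any", "app": "junos-dns", "log": False},
    {"from": "trust", "to": "dmz", "name": "mgt-access",
     "src": "mgt-pc", "dst": "webserver", "app": "mgt-services", "log": True},
]


def render_address_book(book):
    """One 'address-book address' line per entry, under its zone."""
    return [f"set security zones security-zone {zone} address-book address {name} {prefix}"
            for zone, entries in book.items() for name, prefix in entries.items()]


def render_application_sets(sets):
    return [f"set applications application-set {name} application {app}"
            for name, apps in sets.items() for app in apps]


def render_policy(p):
    """match source/destination/application, then permit (and optionally log)."""
    base = f"set security policies from-zone {p['from']} to-zone {p['to']} policy {p['name']}"
    lines = [f"{base} match source-address {p['src']}",
             f"{base} match destination-address {p['dst']}",
             f"{base} match application {p['app']}",
             f"{base} then permit"]
    if p["log"]:
        lines.append(f"{base} then log session-init")
    return lines


def render_all(book=ADDRESS_BOOK, sets=APPLICATION_SETS, policies=POLICIES):
    lines = render_address_book(book) + render_application_sets(sets)
    for p in policies:
        lines += render_policy(p)
    return lines


def check_policies(book, sets, policies):
    """Return human-readable findings. An empty list means the policy set is
    internally consistent and every named address is a single host."""
    findings = []
    for zone, entries in book.items():
        for name, prefix in entries.items():
            net = ipaddress.ip_network(prefix, strict=False)
            if net.num_addresses > 1:
                findings.append(f"{zone}/{name}: {prefix} matches {net.num_addresses} "
                                f"addresses, not one host; use /{net.max_prefixlen}")
    for p in policies:
        # source addresses live in the from-zone book, destinations in the to-zone book
        for side, zone in (("src", p["from"]), ("dst", p["to"])):
            ref = p[side]
            if ref != "any" and ref not in book.get(zone, {}):
                findings.append(f"{p['name']}: {side} address '{ref}' is not defined in zone {zone}")
        if not p["app"].startswith("junos-") and p["app"] not in sets:
            findings.append(f"{p['name']}: application '{p['app']}' is not a predefined "
                            f"junos- application or a configured application-set")
    return findings


if __name__ == "__main__":
    print("\n".join(render_all()))
    for finding in check_policies(ADDRESS_BOOK, APPLICATION_SETS, POLICIES):
        print("WARNING:", finding)
```

Run as a script it prints the 17 commands followed by two warnings, one for each /24 entry; changing the entries to /32 clears them. The same checker can be pointed at any address-book/policy model before the commands are pasted into the CLI.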

IPsec VPN Configuration

To illustrate a site-to-site IPsec VPN configuration, simply add VPN specifics to the first configuration using the following design parameters:

• A route-based IPsec VPN with preshared keys is used between sites.

• The protected network is connected to interface ge-0/0/0 in the trust zone.

• Connectivity to the Internet is through fe-0/0/7 in the untrust zone.

• The remote IPsec endpoint IP address is 1.1.1.2, and the protected subnet at the remote site is 10.1.1.0/24.

• All traffic to the subnet 10.1.1.0/24 is encrypted.

Configuration

To illustrate the simplicity of setting up IPsec tunnels, the command sequence is divided into four repeatable steps. Readers should refer to standard Juniper Networks documentation to further understand the various IKE/IPsec configuration options.

• Create a secure tunnel interface.

  set interfaces st0 unit 0 family inet
  set security zones security-zone trust interfaces st0.0

• Configure routing.

  set routing-options static route 10.1.1.0/24 next-hop st0.0

• Enable IKE services on the external interface.

  set security zones security-zone untrust interfaces fe-0/0/7.0 host-inbound-traffic system-services ike

• Configure IKE Phase 1 parameters.

  set security ike proposal P1-AES authentication-method pre-shared-keys
  set security ike proposal P1-AES dh-group group2
  set security ike proposal P1-AES authentication-algorithm sha1
  set security ike proposal P1-AES encryption-algorithm aes-128-cbc
  set security ike policy ike-policy-1 mode main
  set security ike policy ike-policy-1 proposals P1-AES
  set security ike policy ike-policy-1 pre-shared-key ascii-text juniper (example key only; use a long random secret in production)
  set security ike gateway gw1 address 1.1.1.2
  set security ike gateway gw1 external-interface fe-0/0/7.0
  set security ike gateway gw1 ike-policy ike-policy-1

• Configure IPsec Phase 2 parameters.

  set security ipsec proposal P2-AES protocol esp
  set security ipsec proposal P2-AES authentication-algorithm hmac-sha1-96
  set security ipsec proposal P2-AES encryption-algorithm aes-128-cbc
  set security ipsec policy ipsec-policy-1 proposals P2-AES
  set security ipsec policy ipsec-policy-1 perfect-forward-secrecy keys group2
  set security ipsec vpn vpn1 ike gateway gw1
  set security ipsec vpn vpn1 ike ipsec-policy ipsec-policy-1
  set security ipsec vpn vpn1 establish-tunnels immediately
  set security ipsec vpn vpn1 bind-interface st0.0

• Use the “commit” command at the CLI prompt in the configuration mode to activate the configuration.

  commit
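To keep the four IPsec steps repeatable, the commands can be generated from one parameter set and the crypto choices reviewed before the configuration is committed. The script below is an added example, not code from the Juniper note: it renders the 23 commands above from a dictionary and flags the parameters that the page's values would trip (a dictionary-word pre-shared key, Diffie-Hellman group2 for both IKE and PFS, and SHA-1 integrity). The object names follow the page; the thresholds, the WEAK_DH set and the helper names are this example's own assumptions.

```python
"""Render the four IPsec steps as 'set' commands from one parameter dictionary,
then audit the crypto choices. Added example, not code from the Juniper
application note; object names (P1-AES, ike-policy-1, gw1, vpn1, st0) follow
the page, while the audit thresholds and helper names are this example's own
assumptions."""

# Constructed parameters equal to the document's design (remote peer 1.1.1.2,
# remote subnet 10.1.1.0/24, Internet via fe-0/0/7).
VPN = {
    "st_if": "st0.0", "external_if": "fe-0/0/7.0", "peer": "1.1.1.2",
    "remote_subnet": "10.1.1.0/24", "psk": "juniper",
    "ike": {"proposal": "P1-AES", "dh_group": "group2", "auth": "sha1",
            "enc": "aes-128-cbc", "policy": "ike-policy-1", "gateway": "gw1"},
    "ipsec": {"proposal": "P2-AES", "auth": "hmac-sha1-96", "enc": "aes-128-cbc",
              "policy": "ipsec-policy-1", "pfs": "group2", "vpn": "vpn1"},
}

WEAK_DH = {"group1", "group2"}   # 768- and 1024-bit MODP; audit assumption
MIN_PSK_LEN = 20                 # audit assumption


def render_vpn(v):
    ike, ips = v["ike"], v["ipsec"]
    st_phys = v["st_if"].split(".")[0]
    ike_prop = f"set security ike proposal {ike['proposal']}"
    ike_pol = f"set security ike policy {ike['policy']}"
    gw = f"set security ike gateway {ike['gateway']}"
    ips_prop = f"set security ipsec proposal {ips['proposal']}"
    ips_pol = f"set security ipsec policy {ips['policy']}"
    vpn = f"set security ipsec vpn {ips['vpn']}"
    return [
        # step 1: tunnel interface in the trust zone
        f"set interfaces {st_phys} unit 0 family inet",
        f"set security zones security-zone trust interfaces {v['st_if']}",
        # step 2: route the remote subnet into the tunnel
        f"set routing-options static route {v['remote_subnet']} next-hop {v['st_if']}",
        # step 3: let IKE reach the device on the external interface
        f"set security zones security-zone untrust interfaces {v['external_if']} "
        f"host-inbound-traffic system-services ike",
        # step 4a: IKE phase 1
        f"{ike_prop} authentication-method pre-shared-keys",
        f"{ike_prop} dh-group {ike['dh_group']}",
        f"{ike_prop} authentication-algorithm {ike['auth']}",
        f"{ike_prop} encryption-algorithm {ike['enc']}",
        f"{ike_pol} mode main",
        f"{ike_pol} proposals {ike['proposal']}",
        f"{ike_pol} pre-shared-key ascii-text {v['psk']}",
        f"{gw} address {v['peer']}",
        f"{gw} external-interface {v['external_if']}",
        f"{gw} ike-policy {ike['policy']}",
        # step 4b: IPsec phase 2
        f"{ips_prop} protocol esp",
        f"{ips_prop} authentication-algorithm {ips['auth']}",
        f"{ips_prop} encryption-algorithm {ips['enc']}",
        f"{ips_pol} proposals {ips['proposal']}",
        f"{ips_pol} perfect-forward-secrecy keys {ips['pfs']}",
        f"{vpn} ike gateway {ike['gateway']}",
        f"{vpn} ike ipsec-policy {ips['policy']}",
        f"{vpn} establish-tunnels immediately",
        f"{vpn} bind-interface {v['st_if']}",
    ]


def audit_vpn(v):
    """Findings on the parameter set; an empty list means nothing to tighten."""
    findings = []
    psk = v["psk"]
    if len(psk) < MIN_PSK_LEN or psk.isalpha():
        findings.append("pre-shared key is short or a plain word; use a long random secret")
    if v["ike"]["dh_group"] in WEAK_DH:
        findings.append(f"IKE dh-group {v['ike']['dh_group']} is a weak MODP group")
    if v["ipsec"]["pfs"] in WEAK_DH:
        findings.append(f"PFS group {v['ipsec']['pfs']} is a weak MODP group")
    if v["ike"]["auth"] == "sha1" or v["ipsec"]["auth"].startswith("hmac-sha1"):
        findings.append("SHA-1 integrity in use; prefer SHA-256 where both peers support it")
    return findings


if __name__ == "__main__":
    print("\n".join(render_vpn(VPN)))
    for finding in audit_vpn(VPN):
        print("WARNING:", finding)
```

With the page's values the audit reports all four findings; the same dictionary with a random key, group14 and SHA-256 algorithms passes cleanly, and both peers must of course be configured with matching proposals.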

UTM Configuration

The example continues with the addition of several common UTM features to the configuration. Before configuring any UTM features, the UTM feature license must be installed on the device.

The license keys can be installed using one of the following two methods. These commands are operational mode commands.

• Download from the LMS server directly (recommended; access to the Internet is required for this operation).

  request system license update

• Install manually (this process is used when the license keys are available as a text file).

  request system license add terminal

• You can now verify that the license was installed using the operational mode command “show system license”.

Antivirus Configuration

Having the SRX Series use the express antivirus engine to scan HTTP traffic is also very easy.

• Configure the SRX Series device to use the express antivirus engine.

  set security utm feature-profile anti-virus type juniper-express-engine

• Configure a UTM policy to use the predefined antivirus profile http-profile “junos-eav-defaults”.

  set security utm utm-policy custom-utm-policy anti-virus http-profile junos-eav-defaults

• Apply the UTM policy to the existing trust to untrust security policy.

  set security policies from-zone trust to-zone untrust policy default-permit then permit application-services utm-policy custom-utm-policy

• Use the “commit” command at the CLI prompt in the configuration mode to activate the configuration.

  commit

  Note: The predefined profile “junos-eav-defaults” is preconfigured with antivirus engine fallback options, scanning options, and notification messages. The defaults can be viewed by using the operational mode command:

  show configuration groups junos-defaults security utm feature-profile anti-virus juniper-express-engine profile junos-eav-defaults

Web Filtering Configuration

Using the SRX Series to filter Web traffic is also very straightforward.

• Configure the SRX Series to use the integrated Web filtering engine.

  set security utm feature-profile web-filtering type surf-control-integrated

• Configure the predefined Web filtering profile “junos-wf-cpa-default” in the utm-policy configured earlier.

  set security utm utm-policy custom-utm-policy web-filtering http-profile junos-wf-cpa-default

• Use the “commit” command at the CLI prompt in the configuration mode to activate the configuration.

  commit

  Note: The predefined profile “junos-wf-cpa-default” is configured to use the SurfControl CPA URL category database hosted by Websense, which classifies millions of websites into easy-to-use categories. The defaults can be viewed by using the operational mode command:

  show configuration groups junos-defaults security utm feature-profile web-filtering surf-control-integrated

IDP Series Configuration

The SRX Series offers the same set of IDP signatures that are available on Juniper Networks IDP Series Intrusion Detection and Prevention Appliances to secure networks against attacks. In this example configuration, the SRX Series device is configured to use a predefined IDP Series policy to secure the network.

• Download and install the latest security package.

  request security idp security-package download
  request security idp security-package install

• Download and install the IDP security policy templates.

  request security idp security-package download policy-templates
  request security idp security-package install policy-templates

• Enable the templates.xsl commit script file. (At commit time, the Junos OS management process mgd searches the /var/db/scripts/commit directory for scripts and runs the scripts against the candidate configuration database to ensure the configuration conforms to the rules dictated by the scripts.)

  set system scripts commit file templates.xsl

• Commit the configuration.

  commit

• Configure an active IDP policy.

  set security idp active-policy Recommended

  Note: We recommend a predefined IDP policy. Use “set security idp active-policy ?” to view the list of IDP policies.

• Enable IDP Series detection on the existing firewall security policy from the trust zone to the untrust zone.

  set security policies from-zone trust to-zone untrust policy default-permit then permit application-services idp

(ppendi9 

>actory ;efault (onfiguration Junos ,S Release .!.

 

set syste autoinstallation delete-upon-coit

Page 16: SRX Series Services Gateways

7/18/2019 SRX Series Services Gateways

http://slidepdf.com/reader/full/srx-series-services-gateways 16/32

 

set syste autoinstallation traceoptions level verbose

 

set syste autoinstallation traceoptions flag all

 

set syste autoinstallation interfaces ge-.4.4. bootp

 

set syste nae-server 2.@!7K!222!222

 

set syste nae-server 2.@!7K!22.!22.

 

set syste services ssh

 

set syste services telnet

 

set syste services web-anageent http interface vlan!.

 

set syste services web-anageent https syste-generated-certificate

 

set syste services web-anageent https interface vlan!.

 

set syste services dhcp router /2!7@!!

 

set syste services dhcp pool /2!7@!!.423 address-range low /2!7@!!2

 set syste services dhcp pool /2!7@!!.423 address-range high /2!7@!!203

 

set syste services dhcp propagate-settings ge-.4.4.!.

 

set syste syslog archive si8e ..k

 

set syste syslog archive files 5

 

set syste syslog user any eergency

 set syste syslog file essages any critical

 

set syste syslog file essages authori8ation info

 

set syste syslog file interactive-coands interactive-coands error 

 

set syste ax-configurations-on-flash 0

 

set syste ax-configuration-rollbacks 0

 set syste license autoupdate url https944ae!Ouniper!net4Ounos4keyNretrieval

Page 17: SRX Series Services Gateways

7/18/2019 SRX Series Services Gateways

http://slidepdf.com/reader/full/srx-series-services-gateways 17/32

 

set interfaces interface-range interfaces-trust member ge-0/0/1
set interfaces interface-range interfaces-trust member fe-0/0/2
set interfaces interface-range interfaces-trust member fe-0/0/3
set interfaces interface-range interfaces-trust member fe-0/0/4
set interfaces interface-range interfaces-trust member fe-0/0/5
set interfaces interface-range interfaces-trust member fe-0/0/6
set interfaces interface-range interfaces-trust member fe-0/0/7
set interfaces interface-range interfaces-trust unit 0 family ethernet-switching vlan members vlan-trust
set interfaces ge-0/0/0 unit 0
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20


 

set security screen ids-option untrust-screen tcp land
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.0
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services tftp
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0

Summary

Branch SRX Series Services Gateways provide all the features required to securely connect modern remote and branch offices in a one-box solution. Junos OS offers users unparalleled flexibility designed to meet the most demanding network requirements. After reading this document, you can configure a branch SRX Series device to securely pass traffic. With a little practice, you can create the advanced configurations required for more complex deployments.


I was thinking if I should write a short article for beginners to quickly configure an SRX firewall. I don't know how many people will find it useful, but I hope it will be for those who use SRX for the first time in their life. Let's get started.

Our topology in this tutorial is below;

We will configure the following from scratch:

1. Loading default config and setting the root password
2. Configuring interfaces and default route
3. Configuring security zones
4. Configuring address book entries
5. Creating security policies
6. Creating source NAT for internal clients


Loading default config and setting the root password

I assume you are connected to the SRX device via console

[edit]
root# load factory-default
warning: activating factory configuration

[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# set system host-name srx220

[edit]
root# commit
commit complete

[edit]
root@srx220#


Once we commit the changes, we should see the new hostname srx220 in the prompt.

Commit is required to save and activate your changes.

Configuring interfaces and default route

Interfaces

#delete interfaces ge-0/0/0
#delete interfaces ge-0/0/1
#set interfaces ge-0/0/0 unit 0 family inet address 192.168.100.38/24
#set interfaces ge-0/0/1 unit 0 family inet address 192.168.239.1/24

Default route

#set routing-options static route 0.0.0.0/0 next-hop 192.168.100.1

Configuring security zones

SRX is a zone-based firewall; hence you have to assign each interface to a zone to be able to pass traffic through and into it. There may be two default zones, trust and untrust, coming with the factory-default config, but we will delete them and configure our own zones. The following will be our zone configuration;

• Our zone facing the PC clients is named internal
• Our zone facing the Internet is named internet
• Internal clients will be able to reach the SRX (i.e. the ping and ssh services will be enabled towards the SRX)

#set security zones security-zone internal interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
#set security zones security-zone internal interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
#set security zones security-zone internet interfaces ge-0/0/0.0

Now we have assigned interfaces to each zone. To mention it again: if you don't add the services, e.g. ssh and ping, under the internal zone, you can neither connect to the box via ssh nor ping its internal interface IP.

Configuring address book entries

If you want to configure a security policy, you must create an address book entry for the network ranges you would like to use. We will create one address book entry for our internal network block 192.168.239.0/24 as follows;

#set security zones security-zone internal address-book address network_239 192.168.239.0/24

Our address book entry is now ready for the security policy. Now it is time to enforce the security policy that allows internal users to access outside networks.

Note: Address book configuration has evolved over several releases. To better understand the address book concept on SRX, you can take a look at my other post about address books once you finish this post.

Creating security policies

As this is a firewall, if you don't create a security policy allowing traffic from one zone to the other one, don't expect your transit traffic to work. Here, we first start by deleting the already existing policies to make sure no other policies exist.

#delete security policies
#set security policies from-zone internal to-zone internet policy allow-internal-clients match source-address network_239
#set security policies from-zone internal to-zone internet policy allow-internal-clients match destination-address any
#set security policies from-zone internal to-zone internet policy allow-internal-clients match application any
#set security policies from-zone internal to-zone internet policy allow-internal-clients then permit


A security policy is created within a context. What does this mean? It means the context defines the direction. For example, the policy we have created, named “allow-internal-clients”, only matches traffic from the internal zone to the internet zone. As our action is “permit”, we allow traffic from the “network_239” address book entry, i.e. 192.168.239.0/24, towards any address.

Creating source NAT for internal clients

You may also need to source NAT the internal clients with your outside interface IP address. Here is how we configure source NAT on the SRX:

First, start by deleting any leftover NAT rules.

#delete security nat
#set security nat source rule-set internal-to-internet from zone internal
#set security nat source rule-set internal-to-internet to zone internet
#set security nat source rule-set internal-to-internet rule internet-access match source-address 192.168.239.0/24
#set security nat source rule-set internal-to-internet rule internet-access match destination-address 0.0.0.0/0
#set security nat source rule-set internal-to-internet rule internet-access then source-nat interface
#commit

For simplicity we use interface-based NAT, which means that if an internal client has an IP address in the 192.168.239.0/24 range, the source addresses of its IP packets will be replaced by the interface IP address 192.168.100.38 when the client wants to reach the Internet.

As you can see, source NAT is also a context-based configuration. You define from which zone you are coming and to which zone you are heading. After this configuration your internal clients whose gateway is 192.168.239.1 should be able to reach the Internet, if I haven't made any mistake so far.

SRX for beginners #2


After my srx for beginners post has become the most popular article of this blog, I have decided to improve it a little bit, as it is missing some vital information. Without talking too much, let's summarize what we will do in this post:

• What is a flow session?
• How can we interpret a flow session entry?
• How can we open a standard port/application on SRX and do destination NAT?
• How can we open a non-standard port and do destination NAT?
• How can we do proxy-arp?

In this post, we will use the same topology as in the previous post, but I have added three new devices to this new topology so that I can show source/destination NAT and proxy ARP.

SRX for beginners topology

Let's get started:

What is a flow session?

Juniper SRX is a stateful firewall; hence the box doesn't just forward an IP packet and forget it. It has to remember which IP packets it has received and which packets it is expecting. It isn't exactly like this, but for the sake of simplicity let's assume so for now. So what does a session look like on an SRX firewall? In order to show this, from the PC1 device I telnet to TCP port 80 of the www.example.com host, which is outside my test network, and see how the flow session looks on our SRX firewall.

A TCP 80 connection is established towards the host 93.184.216.34

pc1> telnet www.example.com 80
Trying 93.184.216.34...
Connected to www.example.com.
Escape character is '^]'.

Now let's see how this session looks on our firewall

root@srx220> show security flow session destination-port 80
Session ID: 109, Policy name: allow-internal-clients/4, Timeout: 294, Valid
  In: 192.168.239.3/47715 --> 93.184.216.34/80;tcp, If: ge-0/0/1.0, Pkts: 2, Bytes: 112
  Out: 93.184.216.34/80 --> 192.168.100.38/20201;tcp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
Total sessions: 1

As you can see, we can display sessions with the “show security flow session” command, and by giving more options, e.g. destination-port, you can filter the session table.

How can we interpret a flow session entry?

Now let's drill down into this single flow session entry line by line.

Line 1

• 109 : Each session is given a session identifier by the firewall, here 109
• allow-internal-clients/4 : The security policy which exactly matches this specific traffic; the number 4 is the policy index.
• 294 : When a session is created it starts with the default timeout and counts down to zero as long as no packet is seen. If it reaches 0 the session is removed


Line 2

• 192.168.239.3/47715 : Source IP address/port of the source host which created the session
• 93.184.216.34/80;tcp : Destination IP address/port of the destination host and the transport layer protocol, which is tcp here
• ge-0/0/1.0 : The ingress interface of the packet
• Pkts: 2, Bytes: 112 : Number of packets and bytes received in this direction

Line 3

A flow session has two wings, and this one is the wing in the reverse direction.

• 93.184.216.34/80 : This is the same as our destination address
• 192.168.100.38/20201 : This is the address to which 93.184.216.34 replies back, but it is different from our source IP address 192.168.239.3 since we are doing source NAT and port translation
• ge-0/0/0.0 : Ingress interface of the return packets
• Pkts: 1, Bytes: 60 : IP packets and bytes received from the destination
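To make the wing-by-wing reading above mechanical, here is an added Python example (not part of the original post) that parses `show security flow session` output into the session header and its In/Out wings, then infers from the two wings which translation the box applied: source NAT when the reply's destination differs from the original source, destination NAT when the reply's source differs from the original destination, and port translation likewise. The sample text is the three listings shown on this page plus one constructed session (ID 9) whose Out wing has seen no packets, the shape a one-way session takes when the reply never arrives.

```python
import re

# Sample output: the three session listings shown on this page, plus one constructed
# session (ID 9) whose reply wing has seen no packets (one-way session).
SAMPLE_OUTPUT = """\
Session ID: 109, Policy name: allow-internal-clients/4, Timeout: 294, Valid
  In: 192.168.239.3/47715 --> 93.184.216.34/80;tcp, If: ge-0/0/1.0, Pkts: 2, Bytes: 112
  Out: 93.184.216.34/80 --> 192.168.100.38/20201;tcp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
Session ID: 147, Policy name: allow-web-service/5, Timeout: 286, Valid
  In: 10.100.100.10/36120 --> 192.168.100.38/80;tcp, If: ge-0/0/0.0, Pkts: 3, Bytes: 164
  Out: 192.168.239.10/80 --> 10.100.100.10/36120;tcp, If: ge-0/0/1.0, Pkts: 2, Bytes: 120
Session ID: 151, Policy name: allow-smtp-service/6, Timeout: 1784, Valid
  In: 10.100.100.10/56967 --> 192.168.100.38/2025;tcp, If: ge-0/0/0.0, Pkts: 3, Bytes: 164
  Out: 192.168.239.11/25 --> 10.100.100.10/56967;tcp, If: ge-0/0/1.0, Pkts: 2, Bytes: 151
Session ID: 9, Policy name: allow-web-service/5, Timeout: 2, Valid
  In: 10.100.100.10/40000 --> 192.168.100.38/80;tcp, If: ge-0/0/0.0, Pkts: 1, Bytes: 60
  Out: 192.168.239.10/80 --> 10.100.100.10/40000;tcp, If: ge-0/0/1.0, Pkts: 0, Bytes: 0
Total sessions: 4
"""

HEADER_RE = re.compile(r"Session ID: (\d+), Policy name: ([\w-]+)/(\d+), Timeout: (\d+), (\w+)")
WING_RE = re.compile(
    r"(In|Out): ([\d.]+)/(\d+) --> ([\d.]+)/(\d+);(\w+), If: ([^,]+), Pkts: (\d+), Bytes: (\d+)")


def parse_flow_sessions(text):
    """Turn 'show security flow session' output into a list of sessions with their In/Out wings."""
    sessions = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            sessions.append({"id": int(m[1]), "policy": m[2], "policy_index": int(m[3]),
                             "timeout": int(m[4]), "state": m[5], "wings": {}})
            continue
        m = WING_RE.match(line)
        if m and sessions:
            sessions[-1]["wings"][m[1]] = {
                "src": m[2], "sport": int(m[3]), "dst": m[4], "dport": int(m[5]),
                "proto": m[6], "ifl": m[7], "pkts": int(m[8]), "bytes": int(m[9])}
    return sessions


def classify_translation(session):
    """Compare the two wings. The Out wing is the reply: its destination is what the peer
    saw as our source (source NAT), its source is the real destination the In wing was
    translated to (destination NAT). Ports are compared the same way."""
    i, o = session["wings"]["In"], session["wings"]["Out"]
    kinds = []
    if o["dst"] != i["src"]:
        kinds.append("source-nat")
    if o["dport"] != i["sport"]:
        kinds.append("source-port-nat")
    if o["src"] != i["dst"]:
        kinds.append("destination-nat")
    if o["sport"] != i["dport"]:
        kinds.append("destination-port-nat")
    return kinds


def one_way_session_ids(sessions):
    """Sessions whose reply wing has carried no packets: the server never answered,
    or its answer took a path the SRX did not see."""
    return [s["id"] for s in sessions if s["wings"]["Out"]["pkts"] == 0]


if __name__ == "__main__":
    parsed = parse_flow_sessions(SAMPLE_OUTPUT)
    for s in parsed:
        print(s["id"], s["policy"], classify_translation(s))
    print("one-way:", one_way_session_ids(parsed))
```

Reading the wings this way also surfaces what a troubleshooting pass usually looks for first: an In wing with packets and an Out wing stuck at zero means the translated destination never replied through the firewall, which is where to start looking before touching the NAT or policy configuration.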

How can we open a default/standard port/application on SRX and do destination NAT?

In the topology, we have a web server and we would like to allow public HTTP service, i.e. anyone who types http://192.168.100.38 in their browser from the Internet will be redirected to our internal web server, i.e. we will create a destination NAT rule and a security policy allowing this HTTP traffic.

First we go to configuration mode

root@srx220> configure
Entering configuration mode

Then we can paste the following commands to configure destination NAT

Destination NAT

set security nat destination pool webserver-internal address 192.168.239.10/32
set security nat destination rule-set internal-servers from zone internet
set security nat destination rule-set internal-servers rule webserver match destination-address 192.168.100.38/32
set security nat destination rule-set internal-servers rule webserver match destination-port 80
set security nat destination rule-set internal-servers rule webserver then destination-nat pool webserver-internal

Note: In order to forward traffic to the internal server, a pool is required

Security Policy

If you don't permit the HTTP traffic in a security policy, destination NAT has no use.

On this setup I am moving from zone-specific address books to global addresses, for which I am moving my old address book to the global level and adding a new address entry for the webserver.

delete security zones security-zone internal address-book address network_239
set security address-book global address network_239 192.168.239.0/24
set security address-book global address webserver 192.168.239.10/32

Now we can create the security policy.

set security policies from-zone internet to-zone internal policy allow-web-service match source-address any
set security policies from-zone internet to-zone internal policy allow-web-service match destination-address webserver
set security policies from-zone internet to-zone internal policy allow-web-service match application junos-http
set security policies from-zone internet to-zone internal policy allow-web-service then permit

Note: On SRX, default applications are prefixed by junos-, as you can see for the junos-http application.

Finally commit your changes. Now we telnet to the IP 192.168.100.38 from the outside network (10.100.100.10) and check the session table.

root@srx220> show security flow session destination-port 80
Session ID: 147, Policy name: allow-web-service/5, Timeout: 286, Valid
  In: 10.100.100.10/36120 --> 192.168.100.38/80;tcp, If: ge-0/0/0.0, Pkts: 3, Bytes: 164
  Out: 192.168.239.10/80 --> 10.100.100.10/36120;tcp, If: ge-0/0/1.0, Pkts: 2, Bytes: 120
Total sessions: 1

As you can see, the request for 192.168.100.38:80 is translated to 192.168.239.10:80 by the SRX.

How can we open a non-standard port and do destination NAT?

Now we have a different requirement. There is an SMTP server which is listening on the default port 25, but we somehow want everyone to access this host on port 2025 instead of the default port. Now we will configure this scenario.

First, the address book entry

set security address-book global address smtpserver 192.168.239.11

set security nat destination pool smtpserver-internal address 192.168.239.11/32
set security nat destination pool smtpserver-internal address port 25
set security nat destination rule-set internal-servers rule smtpserver match destination-address 192.168.100.38/32
set security nat destination rule-set internal-servers rule smtpserver match destination-port 2025
set security nat destination rule-set internal-servers rule smtpserver then destination-nat pool smtpserver-internal

Note: Pay attention that the pool we created is for port 25, but the actual port match is for 2025

Now the security policy

set security policies from-zone internet to-zone internal policy allow-smtp-service match source-address any
set security policies from-zone internet to-zone internal policy allow-smtp-service match destination-address smtpserver
set security policies from-zone internet to-zone internal policy allow-smtp-service match application junos-smtp
set security policies from-zone internet to-zone internal policy allow-smtp-service then permit

Note: You may be asking why we use the junos-smtp application, which has port 25, instead of an application which has destination port 2025. The reason is that security policy processing is done after destination NAT is processed; hence when the security policy does the match, the port is already translated to 25 from 2025.

For example, if you were to redirect (port NAT) port 2025 to another non-standard port, e.g. 2000, on this SMTP server, then you would have to create an application, e.g. named custom-smtp, and permit this application in this policy.

set applications application custom-smtp protocol tcp
set applications application custom-smtp destination-port 2025

But this isn't what we are configuring now. We just redirect the outside port 2025 to the internal port 25.
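The order of operations the note describes can be checked with a small model. The following Python example is added here and is not the post's own code; it models the page's smtpserver rule, the allow-smtp-service policy and the junos-smtp and custom-smtp applications, and evaluates the first packet of a session in the order the note gives: destination NAT first, then the route lookup that decides the destination zone, then the policy match against the translated destination address and port. `custom-smtp-2000` is an assumed name for the application the note says a redirect to port 2000 would need; the packet is a constructed first packet of the page's telnet test.

```python
from ipaddress import ip_address, ip_network

# Applications modelled on the page: junos-smtp (built-in), custom-smtp (the page's custom
# application). "custom-smtp-2000" is an assumed name for the 2025 -> 2000 redirect case.
APPLICATIONS = {
    "any": None,                        # matches every protocol/port
    "junos-smtp": ("tcp", 25),
    "custom-smtp": ("tcp", 2025),
    "custom-smtp-2000": ("tcp", 2000),
}
ADDRESS_BOOK = {
    "any": ip_network("0.0.0.0/0"),
    "smtpserver": ip_network("192.168.239.11/32"),
}
# Route table used to find the destination zone *after* translation (most specific first).
ROUTES = [(ip_network("192.168.239.0/24"), "internal"), (ip_network("0.0.0.0/0"), "internet")]


def dest_nat_rule(pool_port):
    """Rule smtpserver in rule-set internal-servers: 192.168.100.38:2025 -> pool smtpserver-internal.
    pool_port=None models a pool configured without 'address port', which keeps the original port."""
    return {"name": "smtpserver", "from_zone": "internet",
            "match": {"dst": ip_network("192.168.100.38/32"), "dport": 2025},
            "pool": {"addr": ip_address("192.168.239.11"), "port": pool_port}}


def policy_with(application):
    """allow-smtp-service, from-zone internet to-zone internal, any -> smtpserver, given application."""
    return {"name": "allow-smtp-service", "from_zone": "internet", "to_zone": "internal",
            "src_addr": "any", "dst_addr": "smtpserver", "application": application,
            "action": "permit"}


def apply_destination_nat(pkt, rules):
    """First matching destination NAT rule rewrites the destination address (and port, if the pool has one)."""
    for r in rules:
        m = r["match"]
        if pkt["in_zone"] == r["from_zone"] and pkt["dst"] in m["dst"] and pkt["dport"] == m["dport"]:
            out = dict(pkt, dst=r["pool"]["addr"])
            if r["pool"]["port"] is not None:
                out["dport"] = r["pool"]["port"]
            return out, r["name"]
    return pkt, None


def zone_for(addr):
    for net, zone in ROUTES:
        if addr in net:
            return zone


def lookup_policy(pkt, policies):
    """First-match policy lookup on the *translated* packet; no match means the implicit default deny."""
    to_zone = zone_for(pkt["dst"])
    for p in policies:
        if (p["from_zone"], p["to_zone"]) != (pkt["in_zone"], to_zone):
            continue
        if pkt["src"] not in ADDRESS_BOOK[p["src_addr"]] or pkt["dst"] not in ADDRESS_BOOK[p["dst_addr"]]:
            continue
        app = APPLICATIONS[p["application"]]
        if app is not None and (pkt["proto"], pkt["dport"]) != app:
            continue
        return p["name"], p["action"]
    return None, "deny"


def first_packet(pkt, nat_rules, policies):
    """Processing order for a new session: destination NAT, then route/zone lookup, then policy."""
    translated, rule = apply_destination_nat(pkt, nat_rules)
    policy, action = lookup_policy(translated, policies)
    return {"nat_rule": rule, "dst": str(translated["dst"]), "dport": translated["dport"],
            "policy": policy, "action": action}


# Constructed first packet of the page's telnet test: 10.100.100.10 -> 192.168.100.38:2025.
PKT = {"src": ip_address("10.100.100.10"), "dst": ip_address("192.168.100.38"),
       "dport": 2025, "proto": "tcp", "in_zone": "internet"}

if __name__ == "__main__":
    for app, pool_port in (("junos-smtp", 25), ("custom-smtp", 25), ("custom-smtp-2000", 2000)):
        print(app, pool_port, first_packet(PKT, [dest_nat_rule(pool_port)], [policy_with(app)]))
```

The model makes the rule of thumb explicit: the application in the policy has to describe the port the server actually listens on after translation, so a pool with `address port 25` pairs with junos-smtp, a pool translating to 2000 pairs with a port-2000 application, and a custom application on 2025 only matches when the pool carries no port at all.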

Now we telnet from our Internet host

root@Host2:~# host NRN1
NRN1> telnet 192.168.100.38 2025
Trying 192.168.100.38...
Connected to 192.168.100.38.
Escape character is '^]'.
220 Host2 ESMTP Postfix (Debian/GNU)

Heyyy, we have got the SMTP response on the non-standard port 2025. Let's check the flow session.

root@srx220> show security flow session destination-port 25
Session ID: 151, Policy name: allow-smtp-service/6, Timeout: 1784, Valid
  In: 10.100.100.10/56967 --> 192.168.100.38/2025;tcp, If: ge-0/0/0.0, Pkts: 3, Bytes: 164
  Out: 192.168.239.11/25 --> 10.100.100.10/56967;tcp, If: ge-0/0/1.0, Pkts: 2, Bytes: 151
Total sessions: 1

Yes, port 2025 is translated to 25, as can be seen in the flow session too.

You can also check the translation hits with the following command to see if the NAT rule is really being hit or not.

root@srx220> show security nat destination rule smtpserver
Destination NAT rule: smtpserver          Rule-set: internal-servers
  Rule-Id                    : 2
  Rule position              : 2
  From zone                  : internet
  Destination addresses      : 192.168.100.38 - 192.168.100.38
  Destination port           : 2025 - 2025
  Action                     : smtpserver-internal
  Translation hits           : 1   <---Here we can see the translation hits.
    Successful sessions      : 1
    Failed sessions          : 0
  Number of sessions         : 1

How can we do proxy-arp?

According to our topology, we have only one WAN IP assigned to the external interface, which is 192.168.100.38, but our ISP has given us a /24 block from which we now also would like to use the IP address 192.168.100.100 for some services. However, we don't want to assign this IP address to the external interface. The problem is that if you don't assign an IP to an interface, you don't respond to ARP requests for that IP. In order to solve this problem we need to configure proxy ARP. To demonstrate this, we have a scenario. We have an application server whose IP is 192.168.239.12 in the internal network, and the application is running on TCP port 8080. We would like everyone on the Internet to access this application via TCP port 80, i.e. we will redirect TCP 80 requests coming to 192.168.100.100 to the internal 192.168.239.12 TCP 8080.

#Configure Proxy-arp so that we can respond to ARP requests to this address
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.100.100/32

#Configure P8080 custom application
set applications application P8080 protocol tcp
set applications application P8080 destination-port 8080

#We also need an address book entry for our policy
set security address-book global address appserver 192.168.239.12/32

#Here we configure our pool for nat
set security nat destination pool appserver-internal address 192.168.239.12/32
set security nat destination pool appserver-internal address port 8080

#Destination NAT rule
set security nat destination rule-set internal-servers rule appserver match destination-address 192.168.100.100/32
set security nat destination rule-set internal-servers rule appserver match destination-port 80
set security nat destination rule-set internal-servers rule appserver then destination-nat pool appserver-internal

#And finally security policy allowing P8080
set security policies from-zone internet to-zone internal policy allow-appserver match source-address any
set security policies from-zone internet to-zone internal policy allow-appserver match destination-address appserver
set security policies from-zone internet to-zone internal policy allow-appserver match application P8080
set security policies from-zone internet to-zone internal policy allow-appserver then permit

Now we connect to TCP port 80 of 192.168.100.100 from the 10.100.100.10 Internet host and see the session table

root@srx220> show security flow session destination-port 80
Session ID: 7, Policy name: allow-appserver/7, Timeout: 1792, Valid
  In: 10.100.100.10/45550 --> 192.168.100.100/80;tcp, If: ge-0/0/0.0, Pkts: 3, Bytes: 164
  Out: 192.168.239.12/8080 --> 10.100.100.10/45550;tcp, If: ge-0/0/1.0, Pkts: 2, Bytes: 120
Total sessions: 1

Yes, it works! We redirect port 80 to the internal port 8080.
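As a closing check on the configurations built in this document (the factory default at the top, the beginner zones and policies, and the destination NAT and proxy-ARP entries in this last section), here is an added Python lint over Junos `set` commands; it is not code from Juniper or from the blog. It flags the three things a reviewer looks for first in a configuration like these: a zone or zone interface that accepts every system service (`host-inbound-traffic system-services all`, as the factory default's trust zone does), a permit policy matching any source, any destination and any application, and a destination NAT match address that the SRX would never answer ARP for because no interface owns it and no proxy-arp entry covers it (the failure mode the proxy-ARP section describes). The two configuration texts are constructed subsets of the commands shown on this page; the proxy-arp check handles the single-address form shown here, not `address ... to ...` ranges.

```python
from ipaddress import ip_interface, ip_network

# Constructed sample: a subset of the factory-default "set" commands listed on this page.
FACTORY_DEFAULT = """
set interfaces vlan unit 0 family inet address 192.168.1.1/24
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
"""

# Constructed sample: interface, zone, policy, destination NAT and proxy-ARP commands from the blog posts.
BLOG_CONFIG = """
set interfaces ge-0/0/0 unit 0 family inet address 192.168.100.38/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.239.1/24
set security zones security-zone internal interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone internal interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
set security policies from-zone internal to-zone internet policy allow-internal-clients match source-address network_239
set security policies from-zone internal to-zone internet policy allow-internal-clients match destination-address any
set security policies from-zone internal to-zone internet policy allow-internal-clients match application any
set security policies from-zone internal to-zone internet policy allow-internal-clients then permit
set security nat destination rule-set internal-servers rule webserver match destination-address 192.168.100.38/32
set security nat destination rule-set internal-servers rule smtpserver match destination-address 192.168.100.38/32
set security nat destination rule-set internal-servers rule appserver match destination-address 192.168.100.100/32
set security nat proxy-arp interface ge-0/0/0.0 address 192.168.100.100/32
"""


def parse_set_commands(text):
    """Each 'set ...' line as a token list; delete lines, prompts and comments are skipped."""
    return [ln.split() for ln in text.splitlines() if ln.strip().startswith("set ")]


def zones_with_inbound_all(cmds):
    """(zone, scope) pairs where scope is 'zone' or the interface accepting every system service."""
    hits = []
    for t in cmds:
        if t[1:4] == ["security", "zones", "security-zone"] and \
                t[-3:] == ["host-inbound-traffic", "system-services", "all"]:
            scope = t[t.index("interfaces") + 1] if "interfaces" in t else "zone"
            hits.append((t[4], scope))
    return hits


def any_any_permit_policies(cmds):
    """(from-zone, to-zone, name) of permit policies matching any source, destination and application."""
    policies = {}
    for t in cmds:
        if len(t) < 11 or t[1:4] != ["security", "policies", "from-zone"] or t[7] != "policy":
            continue
        p = policies.setdefault((t[4], t[6], t[8]), {"match": {}, "action": None})
        if t[9] == "match" and len(t) > 11:
            p["match"].setdefault(t[10], set()).add(t[11])
        elif t[9] == "then":
            p["action"] = t[10]
    return [k for k, p in policies.items()
            if p["action"] == "permit"
            and all(p["match"].get(f) == {"any"}
                    for f in ("source-address", "destination-address", "application"))]


def unanswerable_dest_nat_addresses(cmds):
    """(rule, address) for destination NAT match addresses that no interface owns and no
    proxy-arp entry covers: the SRX never answers ARP for them, so the rule is never reached."""
    owned, proxied = set(), []
    for t in cmds:
        if t[1] == "interfaces" and "inet" in t and "address" in t:
            owned.add(ip_interface(t[t.index("address") + 1]).ip)
        elif t[1:4] == ["security", "nat", "proxy-arp"] and "address" in t:
            proxied.append(ip_network(t[t.index("address") + 1]))
    missing = []
    for t in cmds:
        if t[1:4] == ["security", "nat", "destination"] and t[8:10] == ["match", "destination-address"]:
            net = ip_network(t[10])
            if net.prefixlen == 32 and net.network_address in owned:
                continue
            if any(net.subnet_of(p) for p in proxied):
                continue
            missing.append((t[7], t[10]))
    return missing


def lint(text):
    cmds = parse_set_commands(text)
    return {"inbound-all": zones_with_inbound_all(cmds),
            "any-any-permit": any_any_permit_policies(cmds),
            "dest-nat-without-arp-owner": unanswerable_dest_nat_addresses(cmds)}


if __name__ == "__main__":
    print("factory default:", lint(FACTORY_DEFAULT))
    print("blog config:", lint(BLOG_CONFIG))
```

Run against the factory default it reports the trust zone's `system-services all` and the trust-to-untrust any/any/any permit, which are convenient for a first boot and exactly what a production configuration tightens. Run against the blog configuration with the proxy-arp line removed, it reports the appserver rule on 192.168.100.100/32, which is the silent failure the proxy-ARP section explains: the NAT rule is correct, but nothing on the wire ever delivers a packet to it.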