set security zones security-zone MyZone
set security zones functional-zone management
show security zones
show interfaces ge-0/0/1.0 extensive
======================================================
** Add Interfaces to a Zone **
edit security zones
set security-zone MyZone interfaces ge-0/0/1.0
======================================================
** Host-inbound Traffic **
set security-zone MyZone host-inbound-traffic [system-services | protocols] <name>
(Anything not listed is dropped at the zone boundary. "all" opens every service to every interface in the zone, so list only what the zone actually needs, and narrow further per interface where a zone is mixed: set security-zone MyZone interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh)
system-services options
- all
- any-service
- dns
- finger
- ftp
- http
- https
- ident-reset
- ike
- lsping
- netconf
- ntp
- ping
- reverse-ssh
- reverse-telnet
- rlogin
- rpm
- rsh
- sip
- snmp
- snmp-trap
- ssh
- telnet
- tftp
- traceroute
- xnm-clear-text
- xnm-ssl
protocols options
- all
- bfd
- bgp
- dvmrp
- igmp
- ldp
- msdp
- ndp
- nhrp
- ospf
- ospf3
- pgm
- pim
- rip
- ripng
- router-discovery
- rsvp
- sap
- vrrp
======================================================
** Address Book Entries **
Address Book:
[edit security zones]
security-zone MyZone {
    address-book {
        address PC1 192.168.0.1/32;
        address PC2 192.168.0.2/32;
    }
}
Address Set:
[edit security zones]
security-zone MyZone {
    address-book {
        address PC1 192.168.0.1/32;
        address PC2 192.168.0.2/32;
        address-set all-PCs {
            address PC1;
            address PC2;
        }
    }
}
(An address-set references addresses already defined in the same address book; it does not carry prefixes itself.)
======================================================
** Custom Applications **
[edit applications]
application MyApp {
    protocol tcp;
    destination-port 5900;
}
Application Set:
[edit applications]
application-set MySet {
    application App1;
    application App2;
}
(MyApp or MySet is then used in a policy's "application" match statement in the same way as a predefined junos-* application.)
======================================================
** Policy Match Entries **
[edit security policies]
from-zone MyZone to-zone untrust {
    policy Policy1 {
        match {
            source-address PC1;
            destination-address InternetServer;
            application junos-http;
        }
        then {
            permit;
        }
    }
    policy Policy2 {
        match {
            source-address PC2;
            destination-address InternetServer;
            application junos-ftp;
        }
        then {
            permit;
            log {
                session-init;
                session-close;
            }
            count;
        }
    }
}
NB - Policies within a zone pair are evaluated top-down and the first match wins; traffic that matches no policy hits the default deny. A new policy is appended at the end of the list, so a broad policy above it can shadow it. The "insert" command reorders policies, e.g. under [edit security policies from-zone MyZone to-zone untrust]: insert policy Policy2 before policy Policy1
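The first-match behaviour behind the NB above, as an added example in Python (not Junos code or device output). The address objects, the catch-all deny policy and the flows are constructed; "insert policy <name> before policy <other>" is modelled as a list reorder.

```python
"""First-match evaluation of an SRX zone-pair policy list (added example, not Junos code).

Policies of one from-zone/to-zone pair are evaluated top-down; the first
policy whose match stanza fits the flow decides, and anything that matches
none hits the default deny.  A new policy is appended at the end, so a broad
policy higher up silently shadows a specific one below it.
"""
from dataclasses import dataclass
import ipaddress

# Constructed address book for the MyZone -> untrust pair (assumption).
ADDRESS_BOOK = {
    "PC1": ["192.168.0.1/32"],
    "PC2": ["192.168.0.2/32"],
    "InternetServer": ["203.0.113.10/32"],
    "any": ["0.0.0.0/0"],
}

# Constructed application objects: protocol and destination port.
APPLICATIONS = {
    "junos-http": ("tcp", 80),
    "junos-ftp": ("tcp", 21),
    "any": ("any", None),
}


@dataclass
class Policy:
    name: str
    source: str
    destination: str
    application: str
    action: str  # "permit" or "deny"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def _addr_matches(name, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in ADDRESS_BOOK[name])


def _app_matches(name, flow):
    proto, port = APPLICATIONS[name]
    return proto == "any" or (proto == flow.proto and port == flow.dport)


def evaluate(policies, flow):
    """Return (policy name, action) of the first matching policy, else the default deny."""
    for p in policies:
        if (_addr_matches(p.source, flow.src)
                and _addr_matches(p.destination, flow.dst)
                and _app_matches(p.application, flow)):
            return p.name, p.action
    return "default-policy", "deny"


def insert_before(policies, name, before):
    """Model of 'insert policy <name> before policy <before>' as a list reorder."""
    moving = next(p for p in policies if p.name == name)
    rest = [p for p in policies if p.name != name]
    idx = next(i for i, p in enumerate(rest) if p.name == before)
    return rest[:idx] + [moving] + rest[idx:]


# The page's Policy1/Policy2 plus a hypothetical explicit catch-all deny that
# ended up at the top of the list.
POLICIES = [
    Policy("deny-all", "any", "any", "any", "deny"),
    Policy("Policy1", "PC1", "InternetServer", "junos-http", "permit"),
    Policy("Policy2", "PC2", "InternetServer", "junos-ftp", "permit"),
]

PC2_FTP = Flow("192.168.0.2", "203.0.113.10", "tcp", 21)   # constructed flow
PC1_FTP = Flow("192.168.0.1", "203.0.113.10", "tcp", 21)   # not permitted by any policy


def shadowed():
    """With deny-all on top, PC2's FTP never reaches Policy2."""
    return evaluate(POLICIES, PC2_FTP)


def reordered():
    """Move the two specific permits above the catch-all; return the new order and both results."""
    ordered = insert_before(POLICIES, "Policy1", "deny-all")
    ordered = insert_before(ordered, "Policy2", "deny-all")
    return [p.name for p in ordered], evaluate(ordered, PC2_FTP), evaluate(ordered, PC1_FTP)


if __name__ == "__main__":
    print("before insert:", shadowed())
    print("after insert: ", reordered())
```

The same check on a real box is "show security policies from-zone MyZone to-zone untrust" (order as listed) followed by "show security flow session" to see which policy a live session actually hit.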
======================================================
** Monitoring Traffic **
1. Use the log option on the policy:
[edit security policies from-zone MyZone to-zone untrust]
set policy Policy1 then log [session-init | session-close]
(session-init logs when the session is created; session-close logs when it ends and includes the byte and packet counts. "count" adds per-policy counters.)
2. show security policies (with "detail" the per-policy statistics are shown when "count" is configured)
3. show security flow session
4. Use traceoptions:
[edit security]
policies {
    traceoptions {
        file MyTraceFile;
        flag all;
    }
}
flow {
    traceoptions {
        file MyFlowFile;
        flag basic-datapath;
        flag session;
        packet-filter MyPacketFilter {
            source-prefix 10.1.1.1/32;
            destination-prefix 20.1.1.1/32;
        }
    }
}
(Always pair flow traceoptions with a packet-filter; "flag basic-datapath" on all traffic can overload the device.)
"policy-rematch" (set security policies policy-rematch) forces existing sessions to be re-evaluated against the policy set when a policy is changed; without it, sessions already established keep running under the old policy until they end.
======================================================
** Creating a scheduler **
[edit schedulers]
scheduler MyScheduler {
    daily {
        start-time 08:30:00 stop-time 18:00:00;
    }
    sunday exclude;
}
(then attach it to the relevant policy, e.g. set security policies from-zone MyZone to-zone untrust policy Policy1 scheduler-name MyScheduler. While the scheduler is inactive the policy is skipped, so traffic falls through to the policies after it or to the default deny.)
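How a scheduled policy behaves in the lookup, as an added example in Python (not Junos code). It models the page's MyScheduler and a hypothetical always-on deny policy placed after it; the stop-time being exclusive and the per-day override of "daily" are assumptions about the scheduler semantics.

```python
"""When a scheduled SRX policy applies, as an added example (not Junos code).

Models the page's MyScheduler (daily 08:30-18:00, Sunday excluded) and its
effect on policy lookup: outside the schedule the policy is skipped, so the
flow is evaluated against the policies after it rather than denied by it.
Stop-time is treated as exclusive here (assumption).
"""
from datetime import datetime, time

DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]

# Scheduler statements modelled: "daily { start-time stop-time }",
# "<day> { start-time stop-time }" overriding daily, and "<day> exclude".
MY_SCHEDULER = {
    "daily": (time(8, 30), time(18, 0)),
    "sunday": "exclude",
}


def scheduler_active(scheduler, when):
    """True if the scheduler is active at datetime `when`."""
    rule = scheduler.get(DAYS[when.weekday()], scheduler.get("daily"))
    if rule is None or rule == "exclude":
        return False
    start, stop = rule
    return start <= when.time() < stop


def lookup(policies, schedulers, when):
    """First-match lookup over (name, scheduler-name or None, action).
    Every policy here is assumed to match the flow, so only the schedule decides."""
    for name, sched, action in policies:
        if sched is not None and not scheduler_active(schedulers[sched], when):
            continue  # inactive schedule: the policy is not considered at all
        return name, action
    return "default-policy", "deny"


POLICIES = [
    ("Policy1", "MyScheduler", "permit"),   # business-hours permit
    ("log-denied", None, "deny"),           # hypothetical always-on explicit deny
]
SCHEDULERS = {"MyScheduler": MY_SCHEDULER}


def during_hours():
    return lookup(POLICIES, SCHEDULERS, datetime(2024, 5, 15, 9, 0))    # a Wednesday


def after_hours():
    return lookup(POLICIES, SCHEDULERS, datetime(2024, 5, 15, 18, 0))   # stop-time reached


def on_sunday():
    return lookup(POLICIES, SCHEDULERS, datetime(2024, 5, 19, 9, 0))    # excluded day


if __name__ == "__main__":
    print(during_hours(), after_hours(), on_sunday())
```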
======================================================
** Firewall User Authentication **
Pass Through Authentication:
- Create Access Profile
[edit access]
profile MyProfile {
    client Client1 {
        firewall-user {
            password "xyz123"; ## SECRET-DATA
        }
    }
}
- Policy Action with Firewall Authentication
[edit security policies]
from-zone MyZone to-zone Untrust {
    policy permit-all {
        match {
            source-address PC1;
            destination-address InternetServer1;
            application junos-telnet;
        }
        then {
            permit {
                firewall-authentication {
                    pass-through {
                        access-profile MyProfile;
                        client-match Client1;
                    }
                }
            }
        }
    }
}
(Pass-through authentication is only available for FTP, Telnet and HTTP flows; the firewall-user credentials travel in the same clear-text session, so this is for trusted segments, not the Internet edge.)
** Web Authentication **
[edit access profile MyProfile]
set session-options client-idle-timeout <minutes>
[edit interfaces]
ge-0/0/0 {
    unit 0 {
        family inet {
            address 1.1.1.2/24 {
                preferred;
            }
            address 1.1.1.3/24 {
                web-authentication http;
            }
        }
    }
}
(Users browse to the second address, 1.1.1.3, and log in before their traffic is permitted. "web-authentication https" is also available and avoids sending the credentials in clear text. The profile used for the login is selected with: set access firewall-authentication web-authentication default-profile MyProfile)
[edit access]
profile MyProfile {
    client Client1 {
        firewall-user {
            password "xyz123"; ## SECRET-DATA
        }
    }
    client Client2 {
        firewall-user {
            password "xyz123"; ## SECRET-DATA
        }
    }
}
[edit security policies]
from-zone MyZone to-zone Untrust {
    policy permit-all {
        match {
            source-address any;
            destination-address any;
            application junos-telnet;
        }
        then {
            permit {
                firewall-authentication {
                    web-authentication {
                        client-match Client1;
                    }
                }
            }
        }
    }
}
show security firewall-authentication users
show security firewall-authentication history
======================================================
** SCREEN Options **
[edit security screen]
ids-option Option1 {
    alarm-without-drop;
    <screen option>;
    <screen option>;
}
(alarm-without-drop only logs matching traffic without dropping it, which is useful while tuning thresholds; remove it once tuned so the screen actually blocks. Screen options are the icmp, ip, tcp, udp and limit-session checks under the ids-option. The profile does nothing until it is bound to a zone:)
[edit security zones]
security-zone Untrust {
    screen Option1;
}
** SCREEN Monitoring **
show security screen statistics zone Untrust
show security screen ids-option Option1
[edit security screen]
traceoptions {
    file SCREENTraceFile files 10 size 10000 match attack;
    flag all;
}
======================================================
** Network Address Translation **
Source NAT:
[edit security nat source]
rule-set rs1 {
    from interface ge-0/0/2.0;
    to zone untrust;
    rule r1 {
        match {
            source-address 0.0.0.0/0;
        }
        then {
            source-nat {
                interface;
            }
        }
    }
}
(Traffic from any source entering on ge-0/0/2.0 and leaving towards zone untrust is translated to the address of the egress interface, with port translation.)
Pool Based Source NAT (with PAT, the default):
[edit security nat source]
pool A {
    address {
        200.0.0.1/32;
    }
}
rule-set rs1 {
    from zone trust;
    to zone untrust;
    rule r1 {
        match {
            source-address 10.0.0.0/8;
        }
        then {
            source-nat {
                pool {
                    A;
                }
            }
        }
    }
}
Pool Based Source NAT (without PAT):
[edit security nat source]
pool A {
    address {
        200.0.0.1/32 to 200.0.0.10/32;
    }
    port no-translation;
    overflow-pool interface;
}
(rule-set rs1 as above)
(Without port translation each internal host holds one pool address for as long as it has sessions, so this pool supports at most ten concurrent hosts; overflow-pool interface sends any further hosts to the egress interface address with PAT instead of failing their sessions.)
Source NAT with Address Shifting:
[edit security nat source]
pool A {
    address {
        200.0.0.1/32 to 200.0.0.10/32;
    }
    host-address-base 10.0.0.25/32;
}
(rule-set rs1 as above)
(Address shifting is a fixed one-to-one mapping without port translation: 10.0.0.25 -> 200.0.0.1, 10.0.0.26 -> 200.0.0.2, ... 10.0.0.34 -> 200.0.0.10. The rule match should cover exactly that range rather than 10.0.0.0/8, since sources outside the window have no address in the pool.)
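The two pool behaviours above, address shifting and a no-PAT pool with overflow, worked through as an added Python example (not Junos code). Pool A and the 10.0.0.x hosts are the page's; the overflow interface address 198.51.100.2 and the twelve-host burst are constructed.

```python
"""Source NAT pool behaviour on the SRX, as an added example (not Junos code).

Two pool modes from the page: address shifting (host-address-base) and a
"port no-translation" pool with "overflow-pool interface".  The pool and
hosts are the page's; the interface address 198.51.100.2 is constructed.
"""
import ipaddress


def expand_range(first, last):
    """Expand 'first to last' into the individual pool addresses."""
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    return [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]


def shift_translate(src, host_address_base, pool):
    """Address shifting: base -> pool[0], base+1 -> pool[1], ... one-to-one, no PAT.
    Sources outside the window have no address in this pool and return None."""
    offset = int(ipaddress.ip_address(src)) - int(ipaddress.ip_address(host_address_base))
    return pool[offset] if 0 <= offset < len(pool) else None


def shift_window(host_address_base, pool):
    """The exact original range the NAT rule should match for this pool."""
    base = int(ipaddress.ip_address(host_address_base))
    return str(ipaddress.ip_address(base)), str(ipaddress.ip_address(base + len(pool) - 1))


class NoPatPool:
    """'port no-translation': one pool address per internal host while it has
    sessions, so concurrency is capped at the pool size.  With
    'overflow-pool interface' further hosts are translated to the egress
    interface address with PAT; without it their new sessions cannot be set up."""

    def __init__(self, addresses, overflow_interface=None):
        self.free = list(addresses)
        self.assigned = {}
        self.overflow_interface = overflow_interface

    def translate(self, src):
        if src in self.assigned:
            return self.assigned[src]
        if self.free:
            self.assigned[src] = (self.free.pop(0), "no-pat")
            return self.assigned[src]
        if self.overflow_interface:
            return (self.overflow_interface, "pat")
        return None

    def release(self, src):
        """Last session of the host closed: the address goes back to the pool."""
        addr, _ = self.assigned.pop(src)
        self.free.append(addr)


POOL_A = expand_range("200.0.0.1", "200.0.0.10")


def shifting_demo():
    base = "10.0.0.25"
    return (shift_translate("10.0.0.25", base, POOL_A),
            shift_translate("10.0.0.34", base, POOL_A),
            shift_translate("10.0.0.35", base, POOL_A),
            shift_window(base, POOL_A))


def no_pat_demo():
    pool = NoPatPool(POOL_A, overflow_interface="198.51.100.2")  # constructed interface address
    hosts = [f"10.0.0.{i}" for i in range(1, 13)]                   # 12 hosts, 10 pool addresses
    results = {h: pool.translate(h) for h in hosts}
    pool.release("10.0.0.1")                                         # frees 200.0.0.1 again
    results["10.0.0.13"] = pool.translate("10.0.0.13")
    return results


if __name__ == "__main__":
    print(shifting_demo())
    for host, mapping in no_pat_demo().items():
        print(host, "->", mapping)
```

On the device the equivalent evidence is "show security nat source pool all" (address usage per pool) and "show security nat source rule all" (translation hit counts).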
"NAT off" is used where you do not want traffic for a particular destination to be NAT translated.
Pool Based Destination NAT:
[edit security nat destination]
pool A {
    address 10.0.0.1/32;
}
rule-set rs1 {
    from zone untrust;
    rule r1 {
        match {
            destination-address 200.0.0.1/32;
        }
        then {
            destination-nat {
                pool {
                    A;
                }
            }
        }
    }
}
show security flow session
show security nat destination pool all
show security nat destination rule all
(Destination NAT runs before the route, zone and policy lookups, so the security policy that permits this traffic must use the real address 10.0.0.1 as its destination, not 200.0.0.1. If 200.0.0.1 is not an interface address, also configure proxy ARP for it, see below.)
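The order-of-operations point above (destination NAT first, then route/zone lookup, then policy) as an added Python example, not Junos code. The destination NAT rule and pool are the page's; the routing table, zone names and the client address 198.51.100.7 are constructed.

```python
"""Where destination NAT sits relative to policy lookup in the SRX first-path
(added example, not Junos code).

Static and destination NAT run before the route, zone and security-policy
lookups; source NAT runs after them.  So the policy for inbound traffic to
the page's destination NAT pool must match the real address 10.0.0.1.
Routes, zones and the client address are constructed.
"""
import ipaddress


def in_net(ip, prefix):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix)


# The page's destination NAT rule: from zone untrust, 200.0.0.1/32 -> pool A (10.0.0.1).
DNAT_RULES = [{"from_zone": "untrust", "dst": "200.0.0.1/32", "pool": "10.0.0.1"}]

# Constructed routing table: prefix -> zone of the egress interface.
ROUTES = [("10.0.0.0/24", "MyZone"), ("0.0.0.0/0", "untrust")]


def destination_nat(pkt):
    for rule in DNAT_RULES:
        if pkt["in_zone"] == rule["from_zone"] and in_net(pkt["dst"], rule["dst"]):
            return {**pkt, "dst": rule["pool"]}
    return pkt


def zone_lookup(dst):
    """Longest-prefix route lookup on the (already translated) destination."""
    candidates = [(p, z) for p, z in ROUTES if in_net(dst, p)]
    return max(candidates, key=lambda pz: ipaddress.ip_network(pz[0]).prefixlen)[1]


def policy_lookup(policies, from_zone, to_zone, pkt):
    for p in policies:
        if (p["from"] == from_zone and p["to"] == to_zone
                and in_net(pkt["src"], p["src"]) and in_net(pkt["dst"], p["dst"])):
            return p["name"], p["action"]
    return "default-policy", "deny"


def first_path(policies, pkt):
    """Screens and static NAT omitted: destination NAT -> route/zone -> policy."""
    translated = destination_nat(pkt)
    to_zone = zone_lookup(translated["dst"])
    return policy_lookup(policies, pkt["in_zone"], to_zone, translated)


# Policy written against the public address: never matches after translation.
POLICY_PUBLIC = [{"name": "web-public", "from": "untrust", "to": "MyZone",
                  "src": "0.0.0.0/0", "dst": "200.0.0.1/32", "action": "permit"}]
# Policy written against the real address: matches.
POLICY_REAL = [{"name": "web-real", "from": "untrust", "to": "MyZone",
                "src": "0.0.0.0/0", "dst": "10.0.0.1/32", "action": "permit"}]
INBOUND = {"in_zone": "untrust", "src": "198.51.100.7", "dst": "200.0.0.1"}  # constructed client


def wrong():
    return first_path(POLICY_PUBLIC, INBOUND)


def right():
    return first_path(POLICY_REAL, INBOUND)


if __name__ == "__main__":
    print("policy on public address:", wrong())
    print("policy on real address:  ", right())
```

The matching "show security flow session" entry on a real box shows the translated destination in the "In:" direction, which is the quickest way to confirm which address the policy saw.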
Static NAT:
[edit security nat static]
rule-set rs1 {
    from zone untrust;
    rule r1a {
        match {
            destination-address 200.0.0.1/32;
        }
        then {
            static-nat {
                prefix {
                    10.0.0.1/32;
                }
            }
        }
    }
}
(Static NAT is bidirectional, inbound 200.0.0.1 -> 10.0.0.1 and outbound 10.0.0.1 -> 200.0.0.1, and takes precedence over destination and source NAT rules.)
NAT Proxy ARP:
[edit security nat]
proxy-arp {
    interface ge-0/0/2.0 {
        address {
            200.0.0.1/32 to 200.0.0.5/32;
        }
    }
}
(Needed whenever a NAT pool or static address lies in the interface's subnet but is not configured on the interface; without it the upstream router cannot resolve the address and return traffic never arrives.)
======================================================
** IPSEC VPNs **
set interfaces st0 unit 0 family inet address 192.168.32.1/30
set security zones security-zone untrust interfaces st0.0
[edit security ike]
proposal phase1 {
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm md5;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 3600;
}
policy phase1-policy {
    mode main;
    proposals phase1;
    pre-shared-key ascii-text "xyz123"; ## SECRET-DATA
}
gateway phase1-gateway {
    ike-policy phase1-policy;
    address 172.32.1.1;
    dead-peer-detection {
        interval 20;
        threshold 5;
    }
    external-interface ge-0/0/3.0;
}
[edit security ipsec]
proposal phase2 {
    protocol esp;
    authentication-algorithm hmac-md5-96;
    encryption-algorithm 3des-cbc;
    lifetime-seconds 1000;
}
policy phase2-policy {
    perfect-forward-secrecy {
        keys group2;
    }
    proposals phase2;
}
vpn MyVPN {
    bind-interface st0.0;
    ike {
        gateway phase1-gateway;
        ipsec-policy phase2-policy;
    }
    establish-tunnels immediately;
}
(MD5, 3DES and DH group 2 above are lab values and are considered weak; for production use SHA-256, AES-256 and DH group 14 or stronger in both phases, matched on the peer.)
set routing-options static route 10.1.0.0/24 next-hop st0.0
[edit security policies from-zone MyZone to-zone untrust]
policy ipsec {
    match {
        source-address PC1;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}
show interfaces st0 terse
show security ike security-associations
show security ipsec security-associations index <index number>
show security ipsec statistics
clear security ipsec statistics
NB:
route based VPN = one tunnel (SA pair) per VPN, bound to st0.0; routing decides which traffic enters it and ordinary security policies control it.
policy based VPN = the policy action "permit tunnel ipsec-vpn <name>" creates the tunnel; a separate SA is negotiated per policy rather than one shared tunnel, and there is no st0 interface to route over.
======================================================
** Intrusion Detection and Prevention **
request security idp security-package download
request security idp security-package download status
request security idp security-package install
request security idp security-package install status
request security idp security-package download policy-templates
request security idp security-package install policy-templates
set system scripts commit file templates.xsl
show security idp security-package-version
set security idp active-policy <policy-name>
[edit security policies from-zone untrust to-zone MyZone]
policy ServerHost {
    match {
        source-address InternetHosts;
        destination-address PC1;
        application junos-http;
    }
    then {
        permit {
            application-services {
                idp;
            }
        }
    }
}
show security policies policy-name ServerHost detail
(Only sessions permitted by a policy carrying "application-services idp" are inspected by the active IDP policy; traffic matched by other policies bypasses IDP.)
======================================================
** High Availability Clustering **
======================================================
** Web Filtering **
- Surfcontrol (externally hosted - SRX license needed)
- Websense (internally hosted - SRX license not needed)
Surfcontrol Example
security {
    policies {
        from-zone trust to-zone untrust {
            policy utm {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        application-services {
                            utm-policy wf-block-specific-categories;
                        }
                    }
                }
            }
        }
    }
    utm {
        feature-profile {
            web-filtering {
                type surf-control-integrated;
                surf-control-integrated {
                    profile block-selected-sites {
                        category {
                            Criminal_Skills {
                                action block;
                            }
                            Remote_Proxies {
                                action block;
                            }
                            Violence {
                                action block;
                            }
                            Weapons {
                                action block;
                            }
                        }
                        default permit;
                    }
                }
            }
        }
        utm-policy wf-block-specific-categories {
            web-filtering {
                http-profile block-selected-sites;
            }
        }
    }
}
("default permit" lets every category not listed, including uncategorised sites, through; "default block" is the fail-closed alternative.)
Custom Block List
[edit security utm]
custom-objects {
    url-pattern {
        badsite {
            value www.badsite.com;
        }
        addictivesite {
            value www.addictivesite.com;
        }
    }
    custom-url-category {
        bad-sites {
            value [ addictivesite badsite ];
        }
    }
}
This is then added to the web-filtering feature profile as a blacklist, which is consulted before the category lookup:
[edit security utm]
feature-profile {
    web-filtering {
        url-blacklist bad-sites;
    }
}
Adding Custom Block Messages:
(the security policy is the same as in the Surfcontrol example above, pointing at utm-policy wf-block-specific-categories)
[edit security utm]
feature-profile {
    web-filtering {
        url-blacklist bad-sites;
        type surf-control-integrated;
        surf-control-integrated {
            profile block-selected-sites {
                category {
                    Criminal_Skills {
                        action block;
                    }
                    Remote_Proxies {
                        action block;
                    }
                    Violence {
                        action block;
                    }
                    Weapons {
                        action block;
                    }
                }
                default permit;
                custom-block-message "The site requested is not a work-related site! Go back to work!";
            }
        }
    }
}
utm-policy wf-block-specific-categories {
    web-filtering {
        http-profile block-selected-sites;
    }
}
Websense Redirect
policies {
    from-zone trust to-zone management {
        policy webfilter-websense {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit {
                    application-services {
                        utm-policy wf-redirect;
                    }
                }
            }
        }
    }
}
utm {
    feature-profile {
        web-filtering {
            type websense-redirect;
            websense-redirect {
                profile server1-redirect {
                    server {
                        host 10.1.1.100;
                        port 15868;
                    }
                    sockets 3;
                    custom-block-message "Websense says... you are not allowed!";
                    fallback-settings {
                        default block;
                        too-many-requests log-and-permit;
                    }
                }
            }
        }
    }
    utm-policy wf-redirect {
        web-filtering {
            http-profile server1-redirect;
        }
    }
}
(fallback-settings decide what happens when the Websense server cannot answer: "default block" fails closed, while "too-many-requests log-and-permit" lets traffic through when the redirect sockets are saturated, so check that trade-off against your policy.)
Monitoring UTM:
show security utm web-filtering statistics
======================================================
** Antivirus for SRX **
security {
    utm {
        feature-profile {
            anti-virus {
                type juniper-express-engine | kaspersky-lab-engine;
                mime-whitelist {
                    exception <MIME exception list>;
                    list <MIME list>;
                }
                url-whitelist <url whitelist>;
                juniper-express-engine {
                    pattern-update {
                        email-notify {…}
                        interval <update check interval in minutes>;
                        no-autoupdate;
                        url <database server url>;
                    }
                    profile <profile name> {
                        fallback-options {…}
                        notification-options {…}
                        scan-options {…}
                        trickling [<trickling timeout>];
                    }
                }
                kaspersky-lab-engine {
                    pattern-update {
                        email-notify {…}
                        interval <update check interval in minutes>;
                        no-autoupdate;
                        url <database server url>;
                    }
                    profile <profile name> {
                        fallback-options {…}
                        notification-options {…}
                        scan-options {…}
                        trickling [<trickling timeout>];
                    }
                }
            }
        }
    }
}
(Only one engine type is active at a time; the profile is applied through a utm-policy on the security policy in the same way as web filtering. Whitelisted MIME types and URLs bypass scanning entirely, so keep those lists short.)
Updating the database:
request security utm anti-virus [kaspersky-lab-engine | juniper-express-engine] pattern-update
Show database and status:
show security utm anti-virus status
show security utm anti-virus statistics