Juniper SRX – Configuring Interfaces and Zones
An interface on an SRX firewall can be configured either as a Layer 3 interface with an IPv4 (or IPv6) address, or as a Layer 2 Ethernet-switching port. Switching ports are then assigned to a specific VLAN.
To assign an IP or IPv6 address:
root# set interfaces ge-0/0/0 unit 0 family inet address 4.1.1.100/24
! - ipv6 address assignment
root# set interfaces ge-0/0/0 unit 0 family inet6 address fec0:1:1:1::2/64
Here we will place three interfaces in switching mode, assign them to a VLAN, and give that VLAN a Layer 3 IP address via a vlan interface:
! - place interfaces in ethernet-switching mode
root# set interfaces ge-0/0/5 unit 0 family ethernet-switching
root# set interfaces ge-0/0/6 unit 0 family ethernet-switching
root# set interfaces ge-0/0/7 unit 0 family ethernet-switching
! - create the vlan interface and assign it an ip address
root# set interfaces vlan unit 20 family inet address 10.0.20.1/24
! - give VLAN-NAME a vlan-id and place the above interfaces in it
root# set vlans VLAN-NAME vlan-id 20
root# set vlans VLAN-NAME interface ge-0/0/5.0
root# set vlans VLAN-NAME interface ge-0/0/6.0
root# set vlans VLAN-NAME interface ge-0/0/7.0
! - bind the vlan to the l3-interface
root# set vlans VLAN-NAME l3-interface vlan.20
Once the interfaces have been configured, they need to be placed into zones. In the following examples I will be using ge-0/0/0 in the external (untrust) zone and ge-0/0/7 in the internal (trust) zone. We will also define host-inbound-traffic system-services (ping, ssh, https, ...) and protocols (bgp, ospf, vrrp, ...). System-services are services running on the firewall itself, as opposed to routing protocols. Note that host-inbound-traffic only controls traffic destined to the firewall; traffic transiting between zones is governed by security policies, covered next.
! - assign interface ge-0/0/0 to the untrust zone and permit only ping and ssh to the firewall
[edit security zones]
root# set security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
root# set security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
! - assign interface ge-0/0/7 to the trust zone and permit all system-services to the firewall
[edit security zones]
root# set security-zone trust interfaces ge-0/0/7.0 host-inbound-traffic system-services all
Keep in mind that "all" means every service enabled under [edit system services] is reachable from that interface; it is convenient on an internal zone, but should never be used on an external one.
Now that the zones have been defined, policies can be created to define what traffic is allowed and denied between zones. Remember that the factory-default configuration on an SRX includes a policy permitting all traffic from the trust zone to the untrust zone; inter-zone traffic that matches no policy is denied. This example creates a policy allowing SSH from the untrust zone to the host 10.100.100.99, which is in the SERVERS zone.
! - create an address book entry for the host 10.100.100.99
[edit security zones]
root# set security-zone SERVERS address-book address SSH-SERVER 10.100.100.99/32
! - create the policy and match on the destination-address defined above in the
! - address book entry SSH-SERVER
[edit security policies]
root# set from-zone untrust to-zone SERVERS policy ALLOW-SSH match source-address any
root# set from-zone untrust to-zone SERVERS policy ALLOW-SSH match destination-address SSH-SERVER
root# set from-zone untrust to-zone SERVERS policy ALLOW-SSH match application junos-ssh
root# set from-zone untrust to-zone SERVERS policy ALLOW-SSH then permit
Juniper SRX Basic System Setup
To create an administrative user to manage the device, first create the username and set its password, then assign the user a login class:
[edit]
root# set system login user admin authentication plain-text-password
New password:
Retype new password:
[edit]
root# set system login user admin class super-user
Set the system hostname:
[edit]
root# set system host-name <hostname>
Set the DNS servers for the device; it is a good idea to configure at least two:
[edit]
root# set system name-server 8.8.8.8
[edit]
root# set system name-server 8.8.4.4
This section will set up the untrust interface and zone.
First we need to assign an IP to the interface:
[edit]
root# set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.1/30
Next assign the interface to the untrust zone:
[edit]
root# set security zones security-zone untrust interfaces ge-0/0/0.0
Set up SSH and HTTPS for remote management, and allow both into the firewall from the untrust zone:
[edit]
root# set system services ssh
[edit]
root# set security zones security-zone untrust host-inbound-traffic system-services ssh
[edit]
root# set system services web-management https system-generated-certificate
[edit]
root# set security zones security-zone untrust host-inbound-traffic system-services https
Finally, create a default route pointing at the upstream router (1.1.1.2 in this example) so traffic exits via the untrust interface:
[edit]
root# set routing-options static route 0.0.0.0/0 next-hop 1.1.1.2
This section will set up the trust interface and zone.
First we need to assign an IP to the interface:
[edit]
root# set interfaces fe-0/0/7 unit 0 family inet address 10.0.0.1/30
Next assign the interface to the trust zone:
[edit]
root# set security zones security-zone trust interfaces fe-0/0/7.0
The original notes also enabled root login over SSH at this point:
[edit]
root# set system services ssh root-login allow
I recommend against this. It hands an attacker a known username to brute-force and removes per-administrator accountability; log in with the named super-user account created earlier and leave root-login denied (the deny-password option exists if key-based root access is genuinely required).
For management access, it is a good idea to allow only encrypted services (SSH and HTTPS) from the untrust zone; cleartext services such as HTTP and Telnet, if needed at all, should only be allowed in from the trust zone.
To set up SSH, HTTP and HTTPS management from the trust zone:
[edit]
root# set system services ssh
[edit]
root# set security zones security-zone trust host-inbound-traffic system-services ssh
[edit]
root# set security zones security-zone trust host-inbound-traffic system-services http
[edit]
root# set system services web-management https system-generated-certificate
[edit]
root# set security zones security-zone trust host-inbound-traffic system-services https
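As an added check that is not part of the original notes, the following Python script lints an SRX configuration in `show configuration | display set` form for the management-plane mistakes that are easy to make while working through the zone and management steps above: root login over SSH, `system-services all` on a zone, a cleartext service reachable from the untrust zone, and an interface with a private address landing in the untrust zone. Treating the zone named `untrust` as the external zone is an assumption, as is the sample configuration, which is constructed from this page's commands and deliberately keeps three of those pitfalls.

```python
"""Lint a Junos SRX 'display set' configuration for weak management exposure.

Added example; not Juniper tooling and not part of the original notes.
"""
import ipaddress
import re
from typing import Dict, List, Set

# Assumption: zones with these names face untrusted networks. Adjust per site.
EXTERNAL_ZONES = {"untrust"}
# System services that carry credentials in cleartext.
CLEARTEXT_SERVICES = {"telnet", "http", "ftp"}

RE_IF_ADDR = re.compile(
    r"^set interfaces (\S+) unit (\d+) family inet address (\S+)$")
RE_ZONE_IF = re.compile(
    r"^set security zones security-zone (\S+) interfaces (\S+)$")
RE_ZONE_HIT = re.compile(
    r"^set security zones security-zone (\S+)(?: interfaces (\S+))? "
    r"host-inbound-traffic system-services (\S+)$")
RE_SYS_SVC = re.compile(r"^set system services (\S+)(?: (.+))?$")

# Constructed sample following the steps on this page. It deliberately keeps
# three pitfalls: root login over SSH, the trust-side interface fe-0/0/7.0
# placed in the untrust zone, and 'system-services all' on the trust zone.
SAMPLE_CONFIG = """
set system login user admin class super-user
set system services ssh
set system services ssh root-login allow
set system services web-management https system-generated-certificate
set interfaces ge-0/0/0 unit 0 family inet address 1.1.1.1/30
set interfaces fe-0/0/7 unit 0 family inet address 10.0.0.1/30
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces fe-0/0/7.0
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services https
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic system-services http
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.2
"""


def audit(config: str) -> List[str]:
    """Return human-readable findings for a set-style Junos SRX configuration."""
    findings: List[str] = []
    if_addr: Dict[str, str] = {}          # "fe-0/0/7.0" -> "10.0.0.1/30"
    zone_ifs: Dict[str, Set[str]] = {}    # zone -> logical interfaces
    zone_svcs: Dict[str, Set[str]] = {}   # zone -> host-inbound system-services

    for raw in config.splitlines():
        line = raw.strip()
        if m := RE_IF_ADDR.match(line):
            ifd, unit, addr = m.groups()
            if_addr[f"{ifd}.{unit}"] = addr
        elif m := RE_ZONE_IF.match(line):
            zone, ifl = m.groups()
            zone_ifs.setdefault(zone, set()).add(ifl)
        elif m := RE_ZONE_HIT.match(line):
            zone, ifl, svc = m.groups()
            if ifl:  # an interface-level statement also binds the interface to the zone
                zone_ifs.setdefault(zone, set()).add(ifl)
            zone_svcs.setdefault(zone, set()).add(svc)
        elif m := RE_SYS_SVC.match(line):
            svc, rest = m.groups()
            if svc == "ssh" and rest and "root-login allow" in rest:
                findings.append("system services ssh: root-login allow; "
                                "use a named super-user account and deny root login")

    for zone, svcs in zone_svcs.items():
        if "all" in svcs:
            findings.append(f"zone {zone}: host-inbound-traffic system-services all "
                            "exposes every enabled service to that zone")
        if zone in EXTERNAL_ZONES:
            for svc in sorted(svcs & CLEARTEXT_SERVICES):
                findings.append(f"zone {zone}: cleartext service {svc} "
                                "reachable from an external zone")

    # A private (RFC 1918) address on an interface in an external zone is usually
    # a copy-paste mistake in the zone assignment.
    for zone in sorted(EXTERNAL_ZONES):
        for ifl in sorted(zone_ifs.get(zone, set())):
            addr = if_addr.get(ifl)
            if addr and ipaddress.ip_interface(addr).ip.is_private:
                findings.append(f"zone {zone}: {ifl} ({addr}) carries a private address "
                                "but is in an external zone; check the zone assignment")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("WARN", finding)
```

Run against the sample it reports exactly the three planted problems; feed it `show configuration | display set | no-more` output from a real box to check a finished build before commit.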
Upgrading a Juniper SRX Firewall Firmware
To upgrade the code on a Juniper SRX firewall, first determine the current firmware version with the show version command:
root> show version
Model: srx210-hm
JUNOS Software Release [9.6R1.13]
This firewall is running 9.6R1.13; I am going to install 10.0R3.10. Download the .tgz file from Juniper, compare its checksum against the value published on the download page, and upload it to the /var/tmp directory on the SRX over SSH (for example with WinSCP).
Once this is done, issue the request system software add command with the following options:
root> request system software add no-validate no-copy unlink /var/tmp/junos[...].tgz
Installing package '/var/tmp/junos-srxsme-10.0R3.10-domestic.tgz' ...
Verified junos-boot-srxsme-10.0R3.10.tgz signed by PackageProduction_10_0_0
Verified junos-srxsme-10.0R3.10-domestic signed by PackageProduction_10_0_0
Available space: 290390 require: 26708
Saving boot file package in /var/sw/pkg/junos-boot-srxsme-10.0R3.10.tgz
JUNOS 10.0R3.10 will become active at next reboot
WARNING: A reboot is required to load this software correctly
WARNING: Use the 'request system reboot' command
WARNING: when software installation is complete
Saving state for rollback ...
Removing /var/tmp/junos-srxsme-10.0R3.10-domestic.tgz
root>
The no-copy, no-validate and unlink options are optional; in my experience they speed up the upgrade. The Junos help text for them:
no-copy - Don't save copies of package files
no-validate - Don't check compatibility with current configuration
unlink - Remove the package after successful installation
Be aware that no-validate skips the check that the running configuration is compatible with the new release, so you will not be warned before the reboot about statements the new version no longer accepts; read the release notes first, or leave validation on if unsure. The "Verified ... signed by" lines in the output show the package signature check passed; do not reboot onto a package that fails it.
Once the installation is complete, reboot the firewall and the new firmware will be loaded:
root> request system reboot
Reboot the system ? [yes,no] (no) yes
After reboot, check the current running version:
root> show version
Model: srx210-hm
JUNOS Software Release [10.0R3.10]
The firewall upgrade has completed successfully.
Resetting a Juniper SRX back to factory default
To load the factory defaults, issue load factory-default at the [edit] configuration level. You must also set root-authentication before committing; root-authentication is mandatory, so the commit will fail until you do.
root@% cli
root> edit
Entering configuration mode
[edit]
root# load factory-default
warning: activating factory configuration
[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:
[edit]
root# commit
commit complete
[edit]
root# quit
Exiting configuration mode
root> request system reboot
Reboot the system ? [yes,no] (no) yes