SRX FT Pod1 One Day Srx210 Revised Sept2012

© Juniper Networks, Inc.
Juniper Networks SRX FastTrack Training
POD1 Lab Guide
Version 2.1
Sept 2012

SRX Fasttrack LAB Guide
Juniper Networks, Inc.

Pod Configuration

Pod             X   Trust Interface   Trust IP            Untrust Interface   Untrust IP          DMZ Interface   DMZ IP
POD1            1   ge-0/0/1.0        192.168.11.1/24     ge-0/0/0.100        192.168.10.1/24     ge-0/0/0.200    192.168.12.1/24
POD2            2   ge-0/0/1.0        192.168.21.1/24     ge-0/0/0.100        192.168.20.1/24     ge-0/0/0.200    192.168.22.1/24
POD3            3   ge-0/0/1.0        192.168.31.1/24     ge-0/0/0.100        192.168.30.1/24     ge-0/0/0.200    192.168.32.1/24
POD4            4   ge-0/0/1.0        192.168.41.1/24     ge-0/0/0.100        192.168.40.1/24     ge-0/0/0.200    192.168.42.1/24
POD5            5   ge-0/0/1.0        192.168.51.1/24     ge-0/0/0.100        192.168.50.1/24     ge-0/0/0.200    192.168.52.1/24
POD6            6   ge-0/0/1.0        192.168.61.1/24     ge-0/0/0.100        192.168.60.1/24     ge-0/0/0.200    192.168.62.1/24
POD7            7   ge-0/0/1.0        192.168.71.1/24     ge-0/0/0.100        192.168.70.1/24     ge-0/0/0.200    192.168.72.1/24
POD8            8   ge-0/0/1.0        192.168.81.1/24     ge-0/0/0.100        192.168.80.1/24     ge-0/0/0.200    192.168.82.1/24
Instructor SRX  -   ge-0/0/1.0        192.168.200.1/24    ge-0/0/0.0          192.168.210.1       -               -

The X value corresponds to your Pod # (192.168.x1.1/24 = 192.168.11.1/24 for pod 1).

Lab 1: Configuration Basics

The purpose of this lab exercise is to create an initial configuration and familiarize yourself with the JUNOS command line interface. After completing this lab, you can connect to the web interface and examine how to perform the same configuration steps with the GUI.

Step 1 - Initial Login

! Configure your terminal emulation settings to 9600 Baud, 8 Bits, No Parity and 1 Stop bit (9600, 8, N, 1).
! Connect your workstation through the console cable to the SRX console port.
! Login using the built-in root user account; please ask your instructor if there is a password on the account.
    o Note that when you login using the root user account, you will be placed into the C-shell prompt.

    Amnesiac (ttyu0)
    login: root
    Password:
    root@%

! Type cli to start the CLI application and you will be placed in the Operational Menu, designated by >:

    root@% cli
    root>

! Type edit to enter the Configuration Menu, designated by #:

    root> edit
    Entering configuration mode
    [edit]
    root#

Step 2 - Factory Defaults

Please factory default your SRX unit by following the procedure below from the configuration menu.

    [edit]
    load factory-default

Step 3 - Configure System Parameters

At this point, the factory-default configuration is loaded as the candidate configuration. Configure the following system parameters:

a) After loading the factory default, we will create a new configuration that removes certain statements from the default config.

    [edit]
    delete system name-server
    delete system services
    delete interfaces
    delete vlans vlan-trust
    delete security zones security-zone trust interface vlan.0
    delete security zones security-zone untrust interface ge-0/0/0.0
    delete security nat

b) Set a password on the root account. The password will be Juniper (please use exact case).

    [edit]
    set system root-authentication plain-text-password

    Enter Juniper when prompted and confirm.

c) Create an additional user called netadmin and assign the same password of Juniper.

    [edit]
    set system login user netadmin class super-user authentication plain-text-password

    Enter Juniper when prompted and confirm.

d) Set the hostname using the format SRX-1 (the command below uses the form SRX-POD-x; substitute your pod number for x).

    [edit]
    set system host-name SRX-POD-x

e) Set the system domain name to fasttrack.net.

    [edit]
    set system domain-name fasttrack.net

f) Set the name-server to 4.2.2.2.

    [edit]
    set system name-server 4.2.2.2

g) Set SSH version 2 access for user root. Normally you would only use the root account from the console.

    [edit]
    set system services ssh root-login allow protocol-version v2

h) Set web-management using http on interface ge-0/0/1.0. This interface will be added to the trust zone.

    [edit]
    set system services web-management http interface ge-0/0/1.0

Step 4 - Setup the Inside Interface (trust)

Setup the interface ge-0/0/1 that will be used in the trust zone, its management and IP properties. Configure interface ge-0/0/1.0 as follows:

a) POD 1 - Set the IP address on the ge-0/0/1.0 interface to 192.168.x1.1/24.

    [edit]
    set interfaces ge-0/0/1.0 family inet address 192.168.x1.1/24

b) Add interface ge-0/0/1.0 to the trust zone.

    [edit]
    set security zones security-zone trust interface ge-0/0/1.0

c) Set a DHCP pool for use on the ge-0/0/1.0 interface.

    [edit]
    edit system services dhcp pool 192.168.x1.0/24
    set address-range low 192.168.x1.100 high 192.168.x1.200
    set router 192.168.x1.1
    set name-server 4.2.2.2

d) Enable ping, dhcp, http and ssh as services on the ge-0/0/1.0 interface in zone trust. After entering the first command in the following section, try using the up arrow to recall the command and just modify the final service at the end of the command line.

    [edit]
    edit security zones security-zone trust interface ge-0/0/1.0
    set host-inbound-traffic system-services dhcp
    set host-inbound-traffic system-services ping
    set host-inbound-traffic system-services http
    set host-inbound-traffic system-services ssh

Commit your configuration (note: you must be at the top of the menu).

Step 5 - Setup the Outside Interface (untrust)

Setup the interface ge-0/0/0 that will be used in the untrust and dmz zones, its management and IP properties.

Instead of using discrete interfaces for each zone, we will tag the physical interface ge-0/0/0 to support the requirement. Note, since we are using VLAN IDs 100 and 200, we have to delete unit 0 from the default configuration.

Configure interface ge-0/0/0 as follows:

a) Configure the ge-0/0/0 interface for VLAN tagging.

    [edit]
    set interfaces ge-0/0/0 vlan-tagging

b) Set the VLAN tag on ge-0/0/0.100 as VLAN id 100 for the untrust zone.

    [edit]
    set interfaces ge-0/0/0.100 vlan-id 100

c) Set the IP address on the ge-0/0/0.100 interface to 192.168.x0.1/24.

    [edit]
    set interfaces ge-0/0/0.100 family inet address 192.168.x0.1/24

d) Add interface ge-0/0/0.100 to the untrust zone.

    [edit]
    set security zones security-zone untrust interface ge-0/0/0.100

e) Set a static default route to the switch.

    [edit]
    set routing-options static route 0.0.0.0/0 next-hop 192.168.x0.2

Step 6 - Setup the DMZ Interface

Configure interface ge-0/0/0 as follows:

a) Configure the ge-0/0/0 interface for VLAN tagging; this was already done in Step 5a.

b) Set the VLAN tag on ge-0/0/0.200 as VLAN id 200 for the DMZ zone.

    [edit]
    set interfaces ge-0/0/0.200 vlan-id 200

c) Set the IP address on the ge-0/0/0.200 interface to 192.168.x2.1/24.

    [edit]
    set interfaces ge-0/0/0.200 family inet address 192.168.x2.1/24

d) Place the interface ge-0/0/0.200 into zone DMZ.

    [edit]
    set security zones security-zone dmz interface ge-0/0/0.200

Commit

To commit the configuration, type commit and press enter.

    [edit]
    commit
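As an added example (not from the guide), a short Python helper that derives the Lab 1 addressing for a pod from the Pod Configuration table, checks that the plan is consistent (the DHCP range sits inside the trust subnet and excludes the firewall's own address, the default-route next-hop is a neighbour on the untrust subnet) and emits the Step 4 to Step 6 set commands with x substituted. The DHCP range, services and next-hop are the values the lab steps use.

```python
import ipaddress

# Added example, not Juniper code. Derives the Lab 1 address plan for a pod
# from the Pod Configuration table (trust 192.168.x1.1/24, untrust VLAN 100
# 192.168.x0.1/24, DMZ VLAN 200 192.168.x2.1/24, default route via 192.168.x0.2).
NAME_SERVER = "4.2.2.2"
TRUST_SERVICES = ("dhcp", "ping", "http", "ssh")


def pod_plan(pod: int) -> dict:
    """Substitute the pod number for x in the addresses the guide uses."""
    if not 1 <= pod <= 8:
        raise ValueError("pod number must be 1..8")
    return {
        "trust": f"192.168.{pod}1.1/24",
        "untrust": f"192.168.{pod}0.1/24",
        "dmz": f"192.168.{pod}2.1/24",
        "next_hop": f"192.168.{pod}0.2",
        "dhcp_low": f"192.168.{pod}1.100",
        "dhcp_high": f"192.168.{pod}1.200",
    }


def check_plan(plan: dict) -> list:
    """Return the problems found; an empty list means the plan is consistent."""
    problems = []
    ifs = {k: ipaddress.ip_interface(plan[k]) for k in ("trust", "untrust", "dmz")}
    if len({str(i.network) for i in ifs.values()}) != 3:
        problems.append("trust, untrust and dmz must be three distinct subnets")
    nh = ipaddress.ip_address(plan["next_hop"])
    if nh not in ifs["untrust"].network or nh == ifs["untrust"].ip:
        problems.append("default-route next-hop is not a neighbour on the untrust subnet")
    low = ipaddress.ip_address(plan["dhcp_low"])
    high = ipaddress.ip_address(plan["dhcp_high"])
    trust = ifs["trust"]
    if not (low in trust.network and high in trust.network and low <= high):
        problems.append("DHCP range is not inside the trust subnet")
    elif low <= trust.ip <= high:
        problems.append("DHCP range would hand out the firewall's own trust address")
    return problems


def lab1_commands(pod: int) -> list:
    """Steps 4 to 6 of Lab 1 as set commands, ready to paste at [edit]."""
    p = pod_plan(pod)
    problems = check_plan(p)
    if problems:
        raise ValueError("; ".join(problems))
    trust = ipaddress.ip_interface(p["trust"])
    pool = str(trust.network)
    cmds = [
        f"set interfaces ge-0/0/1.0 family inet address {p['trust']}",
        "set security zones security-zone trust interface ge-0/0/1.0",
        f"set system services dhcp pool {pool} address-range low {p['dhcp_low']} high {p['dhcp_high']}",
        f"set system services dhcp pool {pool} router {trust.ip}",
        f"set system services dhcp pool {pool} name-server {NAME_SERVER}",
    ]
    cmds += [f"set security zones security-zone trust interface ge-0/0/1.0 "
             f"host-inbound-traffic system-services {s}" for s in TRUST_SERVICES]
    cmds += [
        "set interfaces ge-0/0/0 vlan-tagging",
        "set interfaces ge-0/0/0.100 vlan-id 100",
        f"set interfaces ge-0/0/0.100 family inet address {p['untrust']}",
        "set security zones security-zone untrust interface ge-0/0/0.100",
        f"set routing-options static route 0.0.0.0/0 next-hop {p['next_hop']}",
        "set interfaces ge-0/0/0.200 vlan-id 200",
        f"set interfaces ge-0/0/0.200 family inet address {p['dmz']}",
        "set security zones security-zone dmz interface ge-0/0/0.200",
    ]
    return cmds


if __name__ == "__main__":
    print("\n".join(lab1_commands(1)))
```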

Operational tasks

To view the configuration and check the status of the interfaces and connectivity, please perform the following operational commands.

! Show the interfaces section of the configuration:

    show interfaces

! Show the interfaces in operational mode from configuration mode:

    run show interfaces

! Ping the upstream Instructor SRX interface from your SRX console interface:

    run ping 192.168.210.1

! Ping the instructor PC at 192.168.200.10 from your SRX console interface:

    run ping 192.168.200.10

Optional Tasks

Create and apply a custom user class as follows:

a) Create a user class called netops with permissions to view only the interface portion of the config.

    [edit]
    set system login class netops permissions interface permissions network permissions view

b) Create a user called Bill and apply class netops with the password set to Juniper.

    [edit]
    set system login user Bill class netops authentication plain-text-password

    Enter Juniper when prompted and confirm.

c) Commit the configuration.

    [edit]
    commit

Lab 2: Policies

The purpose of this lab is to verify the implicit firewall behavior and set appropriate security policies.

Remove Factory Default Policies

a) Delete the factory default policies.

    [edit]
    delete security policies

b) Commit the configuration.

    [edit]
    commit

Verify the firewall default action is to drop packets

! Ping the upstream instructor SRX interface from your laptop.

    ping 192.168.10.2

The pings should fail.

Create a Policy to allow the following outbound services - ping, http, dns

a) Create and set the match conditions for the policy.

    [edit]
    set security policies from-zone trust to-zone untrust policy permit-out match source-address any destination-address any application junos-ping
    set security policies from-zone trust to-zone untrust policy permit-out match application junos-http
    set security policies from-zone trust to-zone untrust policy permit-out match application junos-dns-udp

b) Set the action for the policy.

    [edit]
    set security policies from-zone trust to-zone untrust policy permit-out then permit

Create a Policy to allow service ftp from zone trust to the instructor laptop

a) Create an address book entry for the instructor laptop in zone untrust.

    [edit]
    set security zones security-zone untrust address-book address inst-pc 192.168.200.10/32

b) Create and set the match conditions for the policy.

    [edit]
    set security policies from-zone trust to-zone untrust policy permit-inst-ftp match source-address any destination-address inst-pc application junos-ftp

c) Set the action for the policy.

    [edit]
    set security policies from-zone trust to-zone untrust policy permit-inst-ftp then permit

d) Set the policy to count traffic.

    [edit]
    set security policies from-zone trust to-zone untrust policy permit-inst-ftp then count

Create a Policy to allow services ping, ftp, http to zone DMZ

a) Configure the DMZ zone to accept ping.

    [edit]
    set security zones security-zone dmz host-inbound-traffic system-services ping

b) Create an address book entry for a host in the DMZ zone called dmz-host with an IP address of 192.168.x2.2/32.

    [edit]
    set security zones security-zone dmz address-book address dmz-host 192.168.x2.2/32

c) Create a policy to allow ping, ftp and http to the dmz-host.

    [edit]
    set security policies from-zone untrust to-zone dmz policy dmz-access match source-address any destination-address dmz-host application junos-ping application junos-ftp application junos-http
    set security policies from-zone untrust to-zone dmz policy dmz-access then permit

d) Commit the configuration.

    [edit]
    commit

Operational Tasks

! Ping the instructor laptop:

    run ping 192.168.200.10

! To download the course manual, please FTP to the instructor laptop from your laptop.
    o Username anonymous, Password anonymous
    o Set transfer to binary, get file srxcourse.pdf

! Ping other pods' dmz hosts:

    run ping 192.168.x2.2

Lab 3: NAT

The purpose of this lab is to configure source and destination NAT.

Configure NAT Source for Outbound Traffic

a) Set the source NAT rule-set "from" context to the trust zone.

    [edit]
    set security nat source rule-set outbound-nat from zone trust

b) Set the source NAT rule-set "to" context to the untrust zone.

    [edit]
    set security nat source rule-set outbound-nat to zone untrust

c) Set the source NAT address matching conditions to any/any.

    [edit]
    set security nat source rule-set outbound-nat rule src-nat-rule match source-address 0.0.0.0/0 destination-address 0.0.0.0/0

d) Set the source NAT action to perform source NAT using the interface IP address.

    [edit]
    set security nat source rule-set outbound-nat rule src-nat-rule then source-nat interface

e) Commit the configuration.

    [edit]
    commit

Test and Verify NAT

! Generate a continuous ping from your laptop to the instructor laptop:

    ping 192.168.200.10 -t

! Show the session table on the firewall to verify that the source address is being translated to the external IP address:

    run show security flow session

Re-Configure NAT Source to use an address POOL

a) Create a NAT source address pool on the same subnet as the outside interface.

    [edit]
    set security nat source pool outside-pool address 192.168.x0.10 to 192.168.x0.15

b) Reconfigure the current source NAT rule to use the new pool instead of the interface.

    [edit]
    set security nat source rule-set outbound-nat rule src-nat-rule then source-nat pool outside-pool

c) Configure the firewall to answer proxy-arp for the NAT pool.

    [edit]
    set security nat proxy-arp interface ge-0/0/0.100 address 192.168.x0.10 to 192.168.x0.15

d) Commit the configuration.

    [edit]
    commit

Test and Verify NAT

! Generate a continuous ping from your laptop to the instructor laptop:

    ping 192.168.200.10 -t

! Show the session table on the firewall to verify that the source address is being translated to an address from the pool:

    run show security flow session
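As an added example (not part of the guide), a small Python parser for the session table: it reads the output of run show security flow session (the SAMPLE below is constructed for pod 1, not captured from a device) and checks, for each session, that the source address was rewritten to an address from the NAT pool or to the interface address. This is the check the two Test and Verify NAT sections ask you to do by eye: for source NAT the translated source shows up as the destination of the Out wing.

```python
import ipaddress
import re
from dataclasses import dataclass

# Added example, not Juniper code. Parses "run show security flow session" output
# and checks the source NAT result. SAMPLE is constructed for pod 1 (trust
# 192.168.11.0/24, untrust 192.168.10.0/24, pool 192.168.10.10 to .15).
SAMPLE = """\
Session ID: 10341, Policy name: permit-out/4, Timeout: 2, Valid
  In: 192.168.11.105/1 --> 192.168.200.10/1;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 84
  Out: 192.168.200.10/1 --> 192.168.10.12/6;icmp, If: ge-0/0/0.100, Pkts: 1, Bytes: 84

Session ID: 10342, Policy name: dmz-access/5, Timeout: 2, Valid
  In: 192.168.11.105/1 --> 192.168.12.2/1;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 84
  Out: 192.168.12.2/1 --> 192.168.11.105/1;icmp, If: ge-0/0/0.200, Pkts: 1, Bytes: 84
Total sessions: 2
"""

SESSION_RE = re.compile(r"Session ID: (\d+), Policy name: (\S+),")
WING_RE = re.compile(r"^\s*(In|Out): (\S+?)/\d+ --> (\S+?)/\d+;(\w+), If: (\S+),")


@dataclass
class Session:
    sid: int
    policy: str
    in_src: str = ""
    in_dst: str = ""
    out_src: str = ""
    out_dst: str = ""   # for source NAT this is the translated source address
    proto: str = ""


def parse_sessions(text: str) -> list:
    """Group the In/Out wing lines under their Session ID header."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            cur = Session(int(m.group(1)), m.group(2))
            sessions.append(cur)
            continue
        m = WING_RE.match(line)
        if m and cur is not None:
            wing, src, dst, proto, _ = m.groups()
            cur.proto = proto
            if wing == "In":
                cur.in_src, cur.in_dst = src, dst
            else:
                cur.out_src, cur.out_dst = src, dst
    return sessions


def pool_addresses(low: str, high: str) -> set:
    """Expand a NAT pool 'address LOW to HIGH' into its member addresses."""
    lo, hi = ipaddress.ip_address(low), ipaddress.ip_address(high)
    return {ipaddress.ip_address(i) for i in range(int(lo), int(hi) + 1)}


def check_source_nat(text: str, allowed: set) -> dict:
    """Per session ID: was the source rewritten to one of the allowed addresses?"""
    result = {}
    for s in parse_sessions(text):
        xlated = ipaddress.ip_address(s.out_dst)
        result[s.sid] = xlated != ipaddress.ip_address(s.in_src) and xlated in allowed
    return result


if __name__ == "__main__":
    pool = pool_addresses("192.168.10.10", "192.168.10.15")
    for sid, ok in check_source_nat(SAMPLE, pool).items():
        print(sid, "translated into pool" if ok else "NOT translated into pool")
```

The second constructed session is a trust-to-dmz flow, which the trust-to-untrust rule set does not translate, so it is reported as untranslated.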

Configure Destination NAT for a DMZ host

a) Change the configuration hierarchy level to simplify the configuration command strings for destination NAT.

    [edit]
    edit security nat destination

b) Create the pool for the real address of the host to be NATed.

    [edit security nat destination]
    set pool dnat-dmz-host address 192.168.x2.2/32

c) Set the destination NAT rule-set "from" context to the untrust zone and the trust zone.

    [edit security nat destination]
    set rule-set dst-nat-rule from zone untrust

d) Set the destination NAT rule destination address (outside) match condition.

    [edit security nat destination]
    set rule-set dst-nat-rule rule dnat-dmz-host match destination-address 192.168.x0.20/32

e) Set the destination NAT rule action.

    [edit security nat destination]
    set rule-set dst-nat-rule rule dnat-dmz-host then destination-nat pool dnat-dmz-host

f) Go up one level in the configuration hierarchy.

    [edit security nat destination]
    up

g) Enable the outside interface to respond to proxy ARP for the 192.168.x0.20 address.

    [edit security nat]
    set proxy-arp interface ge-0/0/0.100 address 192.168.x0.20

h) Return to the top of the configuration hierarchy.

    [edit security nat]
    top

i) Create the match conditions for a policy to allow traffic from the trust zone to ping the dmz host.

    [edit]
    set security policies from-zone trust to-zone dmz policy dmz-access match source-address any destination-address dmz-host application junos-ping

j) Create the action for the policy to allow the ping traffic to the real address of the dmz host.

    [edit]
    set security policies from-zone trust to-zone dmz policy dmz-access then permit

k) Commit the configuration.

    [edit]
    commit

Test and Verify NAT

! Ping the dmz host address from your laptop:

    ping 192.168.x2.2

! Ping the translated dmz host address from your laptop:

    ping 192.168.x0.20

You should notice that you are able to ping both the real and translated addresses of the dmz host, and of the other pods' dmz hosts, via the real and the translated address. Now we will change the policies to only allow the translated address to be pinged. This is done via the policy, not the NAT rule.

a) Modify the policy allowing the dmz host to be pinged within the untrust to dmz context.

    [edit]
    set security policies from-zone untrust to-zone dmz policy dmz-access then permit destination-address drop-untranslated

b) Modify the policy allowing the dmz host to be pinged within the trust to dmz context.

    [edit]
    set security policies from-zone trust to-zone dmz policy dmz-access then permit destination-address drop-untranslated

c) Commit the configuration.

    [edit]
    commit

Test and Verify NAT

! Ping the dmz host address from your laptop (this should now fail):

    ping 192.168.x2.2

! Ping the translated dmz host address from your laptop:

    ping 192.168.x0.20
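To make the interaction between destination NAT and the drop-untranslated option concrete, here is an added Python model (not Juniper code) of the SRX first-packet path for the Lab 2 policies and the Lab 3 destination NAT rule, using pod 1 addresses: destination NAT is applied first, the policy is matched on the translated destination, and permit destination-address drop-untranslated then discards flows whose destination NAT did not rewrite. It assumes a single global address book instead of per-zone books, a route lookup reduced to the three pod subnets plus the default route, and a destination NAT rule set that applies from both the untrust and trust zones as the Lab 3 text describes.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not Juniper code. Models the SRX first-packet path for Labs 2 and 3
# with pod 1 addresses: destination NAT, zone lookup on the translated destination,
# then first-match policy lookup with default deny. One global address book assumed.

def _in(prefix, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix, strict=False)

@dataclass
class Policy:
    from_zone: str
    to_zone: str
    name: str
    src: str                 # "any" or an address-book name
    dst: str
    apps: set
    dst_option: str = ""     # "", "drop-untranslated" or "drop-translated"

@dataclass
class Firewall:
    address_book: dict       # name -> prefix
    dnat: list               # (from_zones, outside address, real address) rules
    policies: list           # ordered; first match wins, otherwise deny
    zone_of: object          # route lookup: ip -> zone name

    def _addr(self, name, ip):
        return name == "any" or _in(self.address_book[name], ip)

    def apply_dnat(self, from_zone, dst):
        for from_zones, outside, real in self.dnat:
            if from_zone in from_zones and _in(outside, dst):
                return real, True
        return dst, False

    def evaluate(self, from_zone, src, dst, app):
        real_dst, translated = self.apply_dnat(from_zone, dst)
        to_zone = self.zone_of(real_dst)
        for p in self.policies:
            if ((p.from_zone, p.to_zone) != (from_zone, to_zone)
                    or not self._addr(p.src, src) or not self._addr(p.dst, real_dst)
                    or ("any" not in p.apps and app not in p.apps)):
                continue
            if p.dst_option == "drop-untranslated" and not translated:
                return f"drop:{p.name}:untranslated"
            if p.dst_option == "drop-translated" and translated:
                return f"drop:{p.name}:translated"
            return f"permit:{p.name}"
        return "deny:default"

def pod1_zone(ip):
    """Pod 1 route lookup: connected subnets, default route towards untrust."""
    if _in("192.168.11.0/24", ip):
        return "trust"
    if _in("192.168.12.0/24", ip):
        return "dmz"
    return "untrust"

def lab_firewall(drop_untranslated):
    """Lab 2 policies plus the Lab 3 destination NAT rule, pod 1 values."""
    opt = "drop-untranslated" if drop_untranslated else ""
    ping, ftp, http, dns = "junos-ping", "junos-ftp", "junos-http", "junos-dns-udp"
    return Firewall(
        address_book={"inst-pc": "192.168.200.10/32", "dmz-host": "192.168.12.2/32"},
        dnat=[({"untrust", "trust"}, "192.168.10.20/32", "192.168.12.2")],
        policies=[
            Policy("trust", "untrust", "permit-out", "any", "any", {ping, http, dns}),
            Policy("trust", "untrust", "permit-inst-ftp", "any", "inst-pc", {ftp}),
            Policy("untrust", "dmz", "dmz-access", "any", "dmz-host", {ping, ftp, http}, opt),
            Policy("trust", "dmz", "dmz-access", "any", "dmz-host", {ping}, opt),
        ],
        zone_of=pod1_zone,
    )
```

With drop_untranslated=False a ping from the laptop to 192.168.12.2 and to 192.168.10.20 both reach the dmz-host; with it set, only the flow that arrived on the translated address is permitted, which is the behaviour the test above expects.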

Lab 4: IPSec VPN

The purpose of this lab is to create a route-based IPSec VPN with OSPF dynamic routing.

Create the secure tunnel interface

a) Create a secure tunnel interface and set the IP address on that interface to 192.168.x3.1/24.

    [edit]
    set interfaces st0.0 family inet address 192.168.x3.1/24

b) Add the secure tunnel interface to the trust zone.

    [edit]
    set security zones security-zone trust interface st0.0

c) Enable OSPF protocol processing within the trust zone.

    [edit]
    set security zones security-zone trust host-inbound-traffic protocols ospf

Configure IKE

a) Create an IKE policy.

    [edit]
    set security ike policy fasttrack-policy mode main proposal-set standard pre-shared-key ascii-text fasttrack

b) Create the IKE gateway.

    [edit]
    set security ike gateway inst-fw ike-policy fasttrack-policy address 192.168.210.1 external-interface ge-0/0/0.100

Configure IPSec

a) Create an IPSec policy.

    [edit]
    set security ipsec policy fasttrack-policy proposal-set standard

b) Create an IPsec VPN.

    [edit]
    set security ipsec vpn pod1-inst-fw ike gateway inst-fw ipsec-policy fasttrack-policy

c) Set the VPN to establish the tunnel immediately.

    [edit]
    set security ipsec vpn pod1-inst-fw establish-tunnels immediately

d) Bind the VPN to interface st0.0.

    [edit]
    set security ipsec vpn pod1-inst-fw bind-interface st0.0

Configure the OSPF Protocol

a) Configure the OSPF protocol on the st0.0 interface.

    [edit]
    set protocols ospf area 0.0.0.0 interface st0.0

b) Configure the OSPF protocol on the ge-0/0/1.0 interface in passive mode.

    [edit]
    set protocols ospf area 0.0.0.0 interface ge-0/0/1.0 passive

Create Intra-Zone Policy

a) Create the policy context and match conditions.

    [edit]
    set security policies from-zone trust to-zone trust policy intra-permit match source-address any destination-address any application any

b) Create the policy action.

    [edit]
    set security policies from-zone trust to-zone trust policy intra-permit then permit

c) Commit the configuration.

    [edit]
    commit

Test and Verify IPSEC and OSPF

! Show the status of the IKE security association:

    run show security ike security-associations

! Show the status of the IPSec security association:

    run show security ipsec security-associations

! Show the status of OSPF neighbor associations:

    run show ospf neighbor

! Show the routing table:

    run show route

Lab 5: UTM

The purpose of this lab is to familiarize you with some basic UTM configuration.

Configure UTM Features

a) Configure the anti-virus UTM feature to use the Kaspersky full AV engine.

    [edit]
    set security utm feature-profile anti-virus type kaspersky-lab-engine

b) Configure the web-filtering UTM feature to use the integrated (cloud) SurfControl engine.

    [edit]
    set security utm feature-profile web-filtering type surf-control-integrated

Create UTM Policy

a) Create a UTM policy and instruct it to perform anti-virus scanning on http traffic.

    [edit]
    set security utm utm-policy fasttrack-policy anti-virus http-profile junos-av-defaults

b) Modify the UTM policy to perform web filtering with the default settings.

    [edit]
    set security utm utm-policy fasttrack-policy web-filtering http-profile junos-wf-cpa-default

Apply UTM Policy to Firewall Policy

a) Modify the permit-out policy to perform UTM inspection.

    [edit]
    set security policies from-zone trust to-zone untrust policy permit-out then permit application-services utm-policy fasttrack-policy

b) Commit the configuration.

    [edit]
    commit

Manually Update Virus Signature Database

! For the purpose of this lab, we will only do a manual database update. Automatic updates are set to 60 minutes by default but are configurable.

    [edit]
    run request security utm anti-virus kaspersky-lab-engine pattern-update

Test UTM Capabilities

! If you are comfortable with this step, from your laptop, go to www.eicar.org and click on the download malware test link. Scroll to the bottom and click on one of the non-https versions of the eicar test file and attempt to download it.

! Attempt to browse to www.guns.to

! Run the following show commands to view statistics:

    run show security utm anti-virus statistics
    run show security utm web-filtering statistics

Lab 6: IDP

The purpose of this lab is to create a simple IDP configuration with the command line interface.

Download the IDP Security-Package

a) Download the IDP security package. This step assumes that an IDP license is installed and valid on the device.

    [edit]
    run request security idp security-package download full-update

b) Check the status of the security package download. This command can be repeated, as the download could take some time.

    [edit]
    run request security idp security-package download status

Install the IDP Security-Package

a) Install the IDP security package.

    [edit]
    run request security idp security-package install

b) Check the status of the IDP security package installation. This step takes a considerable amount of time, so the command can be repeated until it shows that the package has been successfully installed.

    [edit]
    run request security idp security-package install status

Download the IDP Policy-Templates (Optional)

a) The security policy templates do not need to be downloaded for this lab or for a real-life implementation. The templates contain some example IDP policies that are the same as the templates built in to NSM. The first step is to download the templates.

    [edit]
    run request security idp security-package download policy-templates

b) Check the status of the policy template download.

    [edit]
    run request security idp security-package download status

c) Install the policy templates.

    [edit]
    run request security idp security-package install policy-templates

d) Check the status of the policy template installation.

    [edit]
    run request security idp security-package install status

e) Enable the policy templates. For this lab, we recommend that you do not perform this step, as it creates a very large configuration file with many pages to examine; however, there is no negative operational impact. You may want to complete the lab and then perform this step to see the policy templates it creates through the application of a commit script. You will have to commit the configuration for the script to run.

    [edit]
    set system scripts commit file templates.xsl

Create an IDP Policy

a) Create the IDP policy match conditions. For the purposes of this course and lab, we are keeping it simple and enabling FTP signatures. IDP implementation best practices and tuning are beyond the scope of this course.

    [edit]
    set security idp idp-policy fasttrack rulebase-ips rule 1 match from-zone any to-zone any source-address any destination-address any attacks predefined-attack-groups FTP

b) Create the IDP policy action.

    [edit]
    set security idp idp-policy fasttrack rulebase-ips rule 1 then action recommended

Activate the IDP Policy

a) Set fasttrack to be the active IDP policy.

    [edit]
    set security idp active-policy fasttrack

Modify Policy to Send Traffic to IDP Detector

a) Change the dmz-access policy within the trust to dmz context to send traffic to the IDP detector (note that the command as given modifies the intra-permit policy in the trust to trust context rather than dmz-access).

    [edit]
    set security policies from-zone trust to-zone trust policy intra-permit then permit application-services idp

b) Commit the configuration.

    [edit]
    commit

Test IDP and Operational Tasks

! FTP to the instructor laptop (192.168.200.10) and login as username: anonymous, password: anonymous.
! Type cd ~root and press enter.
! The session should be immediately terminated by the IDP action.
! Try the following operational commands:

    run show security idp status
    run show security idp active-policy
    run show security idp attack table