JUNIPER DUMP


SRX - Displaying Real-Time Interface Information

posted 24 Oct 2017, 19:04 by Donald Ross   [ updated 24 Oct 2017, 19:05 ]

Example
monitor traffic interface pp0.0 no-resolve extensive

Caveat: monitor traffic is tcpdump running on the Routing Engine, so it only shows traffic to or from the SRX itself (here on the PPPoE logical interface pp0.0); transit traffic switched by the PFE is not seen. no-resolve avoids DNS lookups for every address and extensive prints the full packet decode. For transit traffic use forwarding-options packet-capture with a sampling filter, as in the packet capture post below.

REF:
https://kb.juniper.net/InfoCenter/index?page=content&id=KB16385

https://forum.ivorde.com/junos-tcpdump-how-to-capture-traffic-on-physical-interface-t19777.html

SRX Packet Capture - TCPDUMP

posted 6 Aug 2017, 07:05 by Donald Ross   [ updated 6 Aug 2017, 08:27 ]

Packet Capture

edit forwarding-options packet-capture
set file filename TEST-PACKET-CAPTURE
set maximum-capture-size 1500


set firewall filter PCAP term 1 from source-address 192.168.51.121
set firewall filter PCAP term 1 from destination-address 192.168.60.121
set firewall filter PCAP term 1 then sample 
set firewall filter PCAP term 1 then accept 

set firewall filter PCAP term 2 from source-address 192.168.60.121
set firewall filter PCAP term 2 from destination-address 192.168.51.121
set firewall filter PCAP term 2 then sample 
set firewall filter PCAP term 2 then accept 

set firewall filter PCAP term ALLOW-ALL then accept 


set interfaces ge-0/0/0 unit 0 family inet filter output PCAP
set interfaces ge-0/0/0 unit 0 family inet filter input PCAP

deactivate firewall filter PCAP term 1
deactivate firewall filter PCAP term 2

activate firewall filter PCAP term 1
activate firewall filter PCAP term 2

file list /var/tmp/ | match TEST-PACKET-CAPTURE*

Notes: packets are only captured while a term with "then sample" is active, so the deactivate/activate pairs above stop and start the capture without removing the filter. The final ALLOW-ALL term matters: a Junos firewall filter ends with an implicit discard, so a filter containing only the two sampled terms would drop every other packet on ge-0/0/0. The capture files land under /var/tmp and can be copied off the box and read with tcpdump or Wireshark.

**** trace options used for debug ****

set security flow traceoptions file TEST
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter Match protocol tcp
set security flow traceoptions packet-filter Match destination-port ssh

The trace is written to /var/log/TEST and can be read with "show log TEST". Flow traceoptions are expensive on a branch SRX, so always scope them with a packet-filter as above and remove them (deactivate security flow traceoptions) once the debugging is done.

Juniper Default Logging

posted 6 Aug 2017, 06:37 by Donald Ross

set groups DENY-TEMPLATE security policies from-zone <*> to-zone <*> policy DEFAULT-DENY-ALL match source-address any
set groups DENY-TEMPLATE security policies from-zone <*> to-zone <*> policy DEFAULT-DENY-ALL match destination-address any
set groups DENY-TEMPLATE security policies from-zone <*> to-zone <*> policy DEFAULT-DENY-ALL match application any
set groups DENY-TEMPLATE security policies from-zone <*> to-zone <*> policy DEFAULT-DENY-ALL then deny
set groups DENY-TEMPLATE security policies from-zone <*> to-zone <*> policy DEFAULT-DENY-ALL then log session-init

set groups GLOBAL-LOGGING security policies from-zone <*> to-zone <*> policy <*> then log session-init
set groups GLOBAL-LOGGING security policies from-zone <*> to-zone <*> policy <*> then log session-close
set groups GLOBAL-LOGGING security policies from-zone <*> to-zone <*> policy <*> then count

set apply-groups DENY-TEMPLATE

set apply-groups GLOBAL-LOGGING

show | display inheritance

show configuration groups junos-defaults applications 

Notes: the deny policy logs only session-init, because a denied session is never created and therefore never closes. GLOBAL-LOGGING adds session-init, session-close and a counter to every policy on the box, which is what you want for forensics but is noisy. "show | display inheritance" in configuration mode shows the expanded policies with the group contents applied, and the junos-defaults group lists the predefined applications (junos-ssh, junos-http and so on) that policies can reference.
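The point of logging session-init on the default deny policy is that the resulting RT_FLOW_SESSION_DENY messages are what you hunt in. The following is an added example, not part of the original post: it parses deny lines, counts them per source and flags sources that have been refused on many distinct destination ports (a port sweep). The sample syslog lines are constructed in the shape of the SRX RT_FLOW_SESSION_DENY message; the field layout after the address pair is assumed from the usual format and the regex only relies on the leading fields.

```python
"""Parse RT_FLOW_SESSION_DENY lines and flag sources sweeping many ports.

Added example, not from the original post. The sample lines are constructed
in the shape of the syslog message that "log session-init" on a deny policy
emits; the field layout after the address pair is assumed.
"""
import re
from collections import defaultdict

# Constructed sample syslog lines (not from a real device).
_TAIL = "6(0) DEFAULT-DENY-ALL untrust trust UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0 UNKNOWN policy deny"
SAMPLE_LOGS = [
    f"Aug  6 06:40:01 srx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.0.5.20/51512->192.168.60.121/22 junos-ssh {_TAIL}",
    f"Aug  6 06:40:01 srx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.0.5.20/51513->192.168.60.121/23 junos-telnet {_TAIL}",
    f"Aug  6 06:40:02 srx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.0.5.20/51514->192.168.60.121/80 junos-http {_TAIL}",
    f"Aug  6 06:40:02 srx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.0.5.20/51515->192.168.60.121/443 junos-https {_TAIL}",
    f"Aug  6 06:40:03 srx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.0.5.20/51516->192.168.60.121/3389 None {_TAIL}",
    f"Aug  6 06:40:05 srx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.0.5.30/40001->192.168.60.121/22 junos-ssh {_TAIL}",
    # A permitted session closing: must be ignored by the deny parser.
    "Aug  6 06:40:06 srx RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 10.0.5.30/40002->192.168.60.121/443 junos-https ALLOW-WEB untrust trust",
]

# Only the leading fields are relied on: addresses, service, protocol, policy, zones.
DENY_RE = re.compile(
    r"RT_FLOW_SESSION_DENY: session denied "
    r"(?P<src>[^/\s]+)/(?P<sport>\d+)->(?P<dst>[^/\s]+)/(?P<dport>\d+) "
    r"(?P<service>\S+) (?P<proto>\d+)\(\d+\) (?P<policy>\S+) (?P<from_zone>\S+) (?P<to_zone>\S+)"
)


def parse_deny(line: str):
    """Return the deny event as a dict, or None for any other message."""
    m = DENY_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    for key in ("sport", "dport", "proto"):
        ev[key] = int(ev[key])
    return ev


def count_denies(lines) -> dict:
    """Number of denied session-init events per source address."""
    counts = defaultdict(int)
    for ev in filter(None, map(parse_deny, lines)):
        counts[ev["src"]] += 1
    return dict(counts)


def find_port_sweeps(lines, min_ports: int = 4) -> dict:
    """Sources whose denied connections hit at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for ev in filter(None, map(parse_deny, lines)):
        ports[ev["src"]].add(ev["dport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    print(count_denies(SAMPLE_LOGS))
    for src, swept in find_port_sweeps(SAMPLE_LOGS).items():
        print(f"possible port sweep from {src}: ports {swept}")
```

Feed it the RT_FLOW lines from your syslog collector; the threshold of four distinct ports is a starting point to tune, not a rule.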

Juniper SRX tftp

posted 2 Aug 2017, 04:55 by Donald Ross

root@SRX_DC2% cd config/
root@SRX_DC2% tftp 192.168.0.11
tftp> put
(file) juniper.conf.gz
Sent 3043 bytes in 0.0 seconds


TFTP server side
gzip -d juniper.conf.gz
cat juniper.conf

TFTP is unauthenticated and cleartext, so only do this on a lab or isolated management network; elsewhere use "file copy /config/juniper.conf.gz scp://user@host/path" from the Junos CLI instead. The archive also carries every "$9$" secret in the configuration, and those are reversible obfuscation rather than hashes, so treat the copied file as sensitive and scrub it before it is shared.
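Before a copied juniper.conf is pasted into a ticket, a KB or a wiki page like this one, the reversible secrets should be found and removed. The following is an added example, not part of the original post or Juniper's tooling: it scans config text for quoted "$9$" (reversible) and "$1$"/"$5$"/"$6$" (hashed) strings and redacts them. The sample configuration is constructed for the example and is not a real device's config.

```python
"""Find and scrub secret strings in a Junos configuration before sharing it.

Added example, not from the original post. "$9$" strings are obfuscated, not
hashed, so anyone with the config can recover the cleartext; crypt hashes
("$1$", "$5$", "$6$") are still worth scrubbing before publication.
"""
import re

# Constructed sample configuration (not from a real device).
SAMPLE_CONFIG = """\
system {
    root-authentication {
        encrypted-password "$6$notasalt$NotARealHashJustAnExampleStringForTheScrubber"; ## SECRET-DATA
    }
    services {
        dynamic-dns {
            client example.dyndns.test {
                server dyndns;
                username someuser;
                password "$9$notarealsecretvalue"; ## SECRET-DATA
                interface fe-0/0/2.0;
            }
        }
    }
}
"""

# A double-quoted value starting with $9$, $1$, $5$ or $6$.
SECRET_RE = re.compile(r'"\$(9|1|5|6)\$[^"]*"')


def find_secrets(config: str) -> list[tuple[int, str]]:
    """Return (line number, kind) for each quoted secret; kind is
    'reversible' for $9$ strings and 'hashed' for crypt hashes."""
    hits = []
    for lineno, line in enumerate(config.splitlines(), start=1):
        for m in SECRET_RE.finditer(line):
            kind = "reversible" if m.group(1) == "9" else "hashed"
            hits.append((lineno, kind))
    return hits


def scrub(config: str) -> str:
    """Replace every secret string with a placeholder, leaving the rest intact
    (the ## SECRET-DATA markers stay so the reader knows something was there)."""
    return SECRET_RE.sub('"<REDACTED>"', config)


if __name__ == "__main__":
    for lineno, kind in find_secrets(SAMPLE_CONFIG):
        print(f"line {lineno}: {kind} secret")
    print(scrub(SAMPLE_CONFIG))
```

Run it over the decompressed juniper.conf (or over "show configuration" output); if find_secrets reports a "reversible" hit, rotate that credential if the file has already left the box.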

SRX trunk with native vlan

posted 12 Jan 2017, 02:23 by Donald Ross

set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members VLAN-15
set interfaces ge-0/0/0 unit 0 family ethernet-switching native-vlan-id 11

Untagged frames arriving on the trunk are placed in VLAN 11. Keep the native VLAN off the user and management VLANs so an untagged frame from the far end cannot land in a sensitive VLAN.

Juniper SA machine level VPN tunnel

posted 2 Nov 2016, 03:14 by Donald Ross

You can configure a machine-level VPN tunnel that is active whenever no user is logged on, including after the user logs out.

Below is the sequence:

User boots up the laptop
Internet connectivity exists
User hasn't logged on
Pulse client brings up a VPN tunnel in the machine context using machine certificates / machine credentials
IT or an SCCM admin can remotely connect back to the laptop, push updates, etc.
User hits CTRL+ALT+DEL and logs onto the domain, since the domain controller is reachable over the machine tunnel
Once the user desktop is loaded and the session is in the user context, the VPN can either keep using the machine tunnel or drop it and reconnect with user credentials plus 2FA; either way a VPN is established
User logs out of the workstation
Machine VPN becomes active again
In this scenario the VPN is always on, except when the laptop is on a trusted network (office location, etc.)

JUNIPER SA SSL VPN

posted 13 Oct 2016, 12:17 by DR Labs   [ updated 13 Oct 2016, 12:21 ]

Quick setup

YouTube Video

JUNOS CONTROL - FORWARDING - SERVICE

posted 13 Oct 2016, 11:54 by Donald Ross   [ updated 13 Oct 2016, 12:06 by DR Labs ]

The Junos operating system cleanly divides control, services and forwarding into separate planes: the control plane (Routing Engine) runs the routing protocols and management, the forwarding plane (Packet Forwarding Engine) switches transit packets, and the services plane does the stateful work such as SRX flow processing, NAT and IPsec. This split is why "monitor traffic" (control plane) and packet-capture (forwarding plane) see different traffic.

SRX DYNDNS

posted 11 Aug 2016, 03:40 by Donald Ross

Configure DYNDNS on an SRX100

set system services dynamic-dns client ddrxxx.homelinux.com server dyndns

set system services dynamic-dns client ddrxxx.homelinux.com agent DNS-TEST

set system services dynamic-dns client ddrxxx.homelinux.com username donamato

set system services dynamic-dns client ddrxxx.homelinux.com password "$9$Hk.5n/tO1hqmBEcSeK4aJDqm"

set system services dynamic-dns client ddrxxx.homelinux.com interface fe-0/0/2.0

Junos stores that password as a "$9$" string, which is reversible obfuscation rather than a hash; scrub it from any config you share.



root@DC_FW_01> show system services dynamic-dns client detail

Hostname     : ddrxxx.homelinux.com
Server       : members.dyndns.org
Last response: nochg
Last update  : 2016-08-11 10:31:03 UTC
Username     : donaxxx
Interface    : fe-0/0/2.0
Agent        : ddns-0.1 JUNOS [Model #] (Firmware version

SRX NAT

posted 18 May 2016, 00:22 by Donald Ross   [ updated 17 Jun 2016, 12:27 ]

Rule Processing

The NAT type determines the order in which NAT rules are processed. For the first packet of a flow, NAT rules are applied in the following order:

Static NAT rules
Destination NAT rules
Route lookup
Security policy lookup
Reverse mapping of static NAT rules
Source NAT rules

The practical consequence: security policies are evaluated against the post-destination-NAT (or static-NAT) destination address and the pre-source-NAT source address. A policy for an inbound destination-NAT'd service must therefore match the internal address and translated port, and a policy for outbound traffic must match the private source address. Reverse static NAT runs before source NAT, so a host with a static mapping keeps that mapping for its outbound traffic instead of going through the source NAT pool.
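The ordering is easiest to see by stepping a few packets through it. The following is an added example, not Juniper's code or part of the original post: a small model of the first-packet pipeline in the order listed above, with constructed static NAT, destination NAT, route, policy and source NAT tables. It shows which addresses the policy lookup actually sees at step 4 and why reverse static NAT at step 5 pre-empts the source NAT rule at step 6.

```python
"""Model of SRX first-packet NAT processing order (added example, not Juniper code).

Rule tables and addresses are constructed for the example. The order is the one
in the post: static NAT, destination NAT, route lookup, policy lookup, reverse
static NAT, source NAT.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    in_zone: str
    out_zone: str = ""
    trace: list = field(default_factory=list)


# Constructed tables (not a real device's configuration).
STATIC_NAT = {"203.0.113.10": "10.10.10.10"}              # public -> private, bidirectional
DEST_NAT = {("203.0.113.20", 443): ("10.10.10.20", 8443)}  # (public, port) -> (private, port)
ROUTES = [("10.10.10.0/24", "trust"), ("0.0.0.0/0", "untrust")]
POLICIES = [  # (from-zone, to-zone, source net, destination net, dport or None, action)
    ("untrust", "trust", "0.0.0.0/0", "10.10.10.10/32", 22, "permit"),
    ("untrust", "trust", "0.0.0.0/0", "10.10.10.20/32", 8443, "permit"),   # translated port!
    ("trust", "untrust", "10.10.10.0/24", "0.0.0.0/0", None, "permit"),   # private source!
]
SOURCE_NAT = [("trust", "untrust", "10.10.10.0/24", "203.0.113.1")]  # zones, source net, pool


def route_lookup(dst: str) -> str:
    """Longest-prefix match on the (already translated) destination; returns the egress zone."""
    best = max((net for net, _ in ROUTES if ip_address(dst) in ip_network(net)),
               key=lambda net: ip_network(net).prefixlen)
    return dict(ROUTES)[best]


def process_first_packet(pkt: Packet) -> tuple[str, Packet]:
    """Return ("permit"|"deny", packet as it would leave the box)."""
    # 1. Static NAT (destination side); static takes precedence over destination NAT.
    if pkt.dst in STATIC_NAT:
        pkt.trace.append(f"static-nat dst {pkt.dst}->{STATIC_NAT[pkt.dst]}")
        pkt.dst = STATIC_NAT[pkt.dst]
    # 2. Destination NAT.
    elif (pkt.dst, pkt.dport) in DEST_NAT:
        new_dst, new_port = DEST_NAT[(pkt.dst, pkt.dport)]
        pkt.trace.append(f"dest-nat {pkt.dst}:{pkt.dport}->{new_dst}:{new_port}")
        pkt.dst, pkt.dport = new_dst, new_port
    # 3. Route lookup on the translated destination decides the to-zone.
    pkt.out_zone = route_lookup(pkt.dst)
    # 4. Policy lookup: translated destination, but the ORIGINAL source address.
    for fz, tz, snet, dnet, dport, action in POLICIES:
        if ((fz, tz) == (pkt.in_zone, pkt.out_zone)
                and ip_address(pkt.src) in ip_network(snet)
                and ip_address(pkt.dst) in ip_network(dnet)
                and dport in (None, pkt.dport)):
            pkt.trace.append(f"policy {fz}->{tz} {action}")
            if action != "permit":
                return "deny", pkt
            break
    else:
        pkt.trace.append("no policy matched: default deny")
        return "deny", pkt
    # 5. Reverse static NAT: a statically mapped host keeps its mapping outbound.
    reverse_static = {priv: pub for pub, priv in STATIC_NAT.items()}
    if pkt.src in reverse_static:
        pkt.trace.append(f"reverse static-nat src {pkt.src}->{reverse_static[pkt.src]}")
        pkt.src = reverse_static[pkt.src]
        return "permit", pkt
    # 6. Source NAT for everything else leaving via the zone pair.
    for fz, tz, snet, pool in SOURCE_NAT:
        if (fz, tz) == (pkt.in_zone, pkt.out_zone) and ip_address(pkt.src) in ip_network(snet):
            pkt.trace.append(f"source-nat src {pkt.src}->{pool}")
            pkt.src = pool
            break
    return "permit", pkt


if __name__ == "__main__":
    cases = [
        Packet("198.51.100.5", "203.0.113.10", 22, "untrust"),   # inbound via static NAT
        Packet("198.51.100.5", "203.0.113.20", 443, "untrust"),  # inbound via destination NAT
        Packet("10.10.10.10", "8.8.8.8", 53, "trust"),           # static host outbound
        Packet("10.10.10.50", "8.8.8.8", 53, "trust"),           # ordinary host outbound
        Packet("198.51.100.5", "203.0.113.20", 80, "untrust"),   # no NAT rule, no policy
    ]
    for c in cases:
        action, out = process_first_packet(c)
        print(action, f"{out.src}->{out.dst}:{out.dport}", "|", "; ".join(out.trace))
```

Note the two policies that only work because of the order: the destination-NAT policy matches 10.10.10.20 on port 8443, not 203.0.113.20 on 443, and the outbound policy matches 10.10.10.0/24, not the source NAT pool address.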
