![{primary:node0}[edit]
test@SRX1# set system services ssh root-login deny
• Command: “set system services ssh root-login
deny”
• On Juniper devices there is a default admin
account called root. You cannot rename the
account and it has the permissions to do
anything on the device
• The “set system services ssh root-login deny”
command allows you to block the root account
from being able to log on across the network via
SSH.
• This is a good practice to only allow the root
account to be used in emergency situations while
having local console access
@JBC_SEC & @JBIZZLE703
Cyber&Sight™ Network Knowledge
Juniper
Edition
JBCSEC.COM](https://image.slidesharecdn.com/networkknowledge-juniper-200609150451/85/Helpful-Juniper-Tips-and-Tricks-for-New-Network-Engineers-1-320.jpg)
![{primary:node0}[edit]
test@SRX1# set system authentication-order radius
• Command: “set system authentication-order
radius”
• This command allows you to only authenticate
with accounts that are set up within your Radius
server
• If you attempt to log in with a local account, your
authentication attempt will fail. However, if the
device is not able to successfully connect to the
Radius server you can login with a local account
• If you would like to allow both Radius and local
accounts, you can add the keyword “local” to the
command after “radius”
@JBC_SEC & @JBIZZLE703
Cyber&Sight™ Network Knowledge
Juniper
Edition
JBCSEC.COM](https://image.slidesharecdn.com/networkknowledge-juniper-200609150451/85/Helpful-Juniper-Tips-and-Tricks-for-New-Network-Engineers-2-320.jpg)
![{primary:node0}[edit]
test@SRX1# set system login class RO permissions view-
configuration
set system login class RO allow-commands show
set system login class RO deny-commands
"(clear)|(file)|(fileshow)|(help)|(load)|(monitor)|(op)
|(request)|(save)|(set)|(start)|(test)"
set system login class RO deny-configuration all
• Topic: Creating a Read-Only Account
• This group of commands gives an example of
how to create a class called “RO” which restricts
which commands and actions are allowed.
Accounts can then be associated with this group
either locally or via a AAA server
• This is useful for having different roles for
network support staff. In this case an individual
can log in and run show commands, but is limited
from being able to do other type of configuration
commands
@JBC_SEC & @JBIZZLE703
Cyber&Sight™ Network Knowledge
Juniper
Edition
JBCSEC.COM](https://image.slidesharecdn.com/networkknowledge-juniper-200609150451/85/Helpful-Juniper-Tips-and-Tricks-for-New-Network-Engineers-3-320.jpg)
![{primary:node0}[edit]
test@SRX1# set system login password minimum-length
15
set system login password change-type character-sets
set system login password minimum-numerics 1
set system login password minimum-upper-cases 1
set system login password minimum-lower-cases 1
set system login password minimum-punctuations 1
set system login password format sha1
• Topic: Setting Strong Password Requirements
• This group of commands allows an administrator
to implement a strong password policy on the
device
• This grouping of commands includes both
complexity and length requirements
• This is only applicable to accounts stored locally
on the device. If you are using a remote AAA
server, a password policy must be applied for the
accounts associated with that on the server
where the accounts reside
@JBC_SEC & @JBIZZLE703
Cyber&Sight™ Network Knowledge
Juniper
Edition
JBCSEC.COM](https://image.slidesharecdn.com/networkknowledge-juniper-200609150451/85/Helpful-Juniper-Tips-and-Tricks-for-New-Network-Engineers-4-320.jpg)
![{primary:node0}[edit]
test@SRX1# set groups global-idp security policies from-
zone <*> to-zone <*> policy <*> then permit application-
services idp
set security policies apply-groups global-idp
set security idp active-policy Recommended
• Topic: Setting a Global IDP Policy
• This group of commands allows an administrator
to implement an IDP policy across all security
zones in the device
• The IDP policy that is enabled in this case is the
“Recommended” policy, which is a small
grouping of IDP policies. Juniper has a collection
of various IDP policies that can be implemented,
or you can create your own policy based off
whichever signatures you want
• If you don’t want a global policy, you can just
attach the IDP policy on a per security policy
basis
• There can be only one active policy
enabled on the device at one time@JBC_SEC & @JBIZZLE703
Cyber&Sight™ Network Knowledge
Juniper
Edition
JBCSEC.COM](https://image.slidesharecdn.com/networkknowledge-juniper-200609150451/85/Helpful-Juniper-Tips-and-Tricks-for-New-Network-Engineers-5-320.jpg)
![{primary:node0}[edit]
test@SRX1# set system services ssh root-login deny
• Command: “set system services ssh root-login
deny”
• This command makes sure that you cannot log
into the device remotely with the root account
• This is important from a security perspective, so
you can minimize the chance of a brute force
attack against the device
@JBC_SEC & @JBIZZLE703
Cyber&Sight™ Network Knowledge
Juniper
Edition
JBCSEC.COM](https://image.slidesharecdn.com/networkknowledge-juniper-200609150451/85/Helpful-Juniper-Tips-and-Tricks-for-New-Network-Engineers-6-320.jpg)
![{primary:node0}[edit]
test@SRX1# set system services ssh ciphers aes128-ctr
set system services ssh ciphers aes192-ctr
set system services ssh ciphers aes256-ctr
set system services ssh ciphers aes256-cbc
set system services ssh ciphers aes192-cbc
set system services ssh ciphers aes128-cbc
set system services ssh macs hmac-sha1
set system services ssh macs hmac-sha2-512
set system services ssh macs hmac-sha2-256
set system services ssh macs hmac-sha1-96
set system services ssh key-exchange dh-group14-sha1
set system services ssh key-exchange group-exchange-sha2
set system services ssh key-exchange ecdh-sha2-nistp256
set system services ssh key-exchange ecdh-sha2-nistp384
set system services ssh key-exchange ecdh-sha2-nistp521
• Topic: Setting Secure Crypto Ciphers
• This group of commands is used to implement
what are currently considered acceptable
standards for cryptography on the device for your
SSH sessions
• The device enables multiple weak ciphers by
default, so it is important to specifically configure
ciphers that are not considered vulnerable
• Certain organizations or governing agencies will
have specific requirements that you may need to
meet
@JBC_SEC & @JBIZZLE703
Cyber&Sight™ Network Knowledge
Juniper
Edition
JBCSEC.COM](https://image.slidesharecdn.com/networkknowledge-juniper-200609150451/85/Helpful-Juniper-Tips-and-Tricks-for-New-Network-Engineers-7-320.jpg)
![{primary:node0}[edit]
test@SRX1# set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
• Topic: Saving Configurations with Rollbacks
• This group of commands is used set the amount
of versions of configurations that are saved on
the device
• The this will allow you to rollback to any of the
previous five configuration states from the
previous times you did a commit to the
configuration
• This number can be altered to meet the
requirement and comfort level of the
administrators
@JBC_SEC & @JBIZZLE703
Cyber&Sight™ Network Knowledge
Juniper
Edition
JBCSEC.COM](https://image.slidesharecdn.com/networkknowledge-juniper-200609150451/85/Helpful-Juniper-Tips-and-Tricks-for-New-Network-Engineers-8-320.jpg)
![{primary:node0}[edit]
test@SRX1# set chassis cluster reth-count 5
• Command: “set chassis cluster reth-count 5”
• This command sets the number of redundant
ethernet interfaces (RETHs) that are configured
on the device
• A RETH is a pair of interfaces that act as a single
interface between an active/passive firewall
cluster
• If you don’t modify this number, the device will
not allow you to add additional RETH’s
@JBC_SEC & @JBIZZLE703
Cyber&Sight™ Network Knowledge
Juniper
Edition
JBCSEC.COM](https://image.slidesharecdn.com/networkknowledge-juniper-200609150451/85/Helpful-Juniper-Tips-and-Tricks-for-New-Network-Engineers-9-320.jpg)
![{primary:node0}[edit]
test@SRX1# set security log mode stream
• Command: “set security log mode stream”
• This command changes the way the device
processes it’s logging. Stream mode is
recommended for the larger sized devices and
instead of processing/maintaing the logs on box,
ships them off to a remote location
• The purpose of this mode is that due to the
amount of log processing that happens on carrier
grade devices, it can have a negative impact on
the performance of the CPU’s
@JBC_SEC & @JBIZZLE703
Cyber&Sight™ Network Knowledge
Juniper
Edition
JBCSEC.COM](https://image.slidesharecdn.com/networkknowledge-juniper-200609150451/85/Helpful-Juniper-Tips-and-Tricks-for-New-Network-Engineers-10-320.jpg)
![{primary:node0}[edit]
test@SRX1# set security flow traceoptions file FLOW
set security flow traceoptions file size 5m
set security flow traceoptions file files 5
set security flow traceoptions file world-readable
set security flow traceoptions flag tcp-basic
• Topic: Traceoptions
• These series of commands allows you to capture
traffic as it flows through the device. This can be
useful in many troubleshooting scenarios
• The first commands sets the name of the file, the
second the size of the file, the third how many
files to create before overwriting the oldest, the
fourth the output format, and the fifth which
type of traffic to collect
• There are many options for the flag command
including: all, general, normal, policy, route,
state, etc.
@JBC_SEC & @JBIZZLE703
Cyber&Sight™ Network Knowledge
Juniper
Edition
JBCSEC.COM](https://image.slidesharecdn.com/networkknowledge-juniper-200609150451/85/Helpful-Juniper-Tips-and-Tricks-for-New-Network-Engineers-11-320.jpg)
![{primary:node0}[edit]
test@SRX1# set security flow tcp-mss ipsec-vpn mss 1300
• Command: “set security flow tcp-mss ipsec-vpn
mss 1300”
• This command ensures that all traffic going
through an IPSec VPN on the device will be using
a maximum segment size
• This is often needed to ensure fragmentation
across the internet or WAN does not take place.
There are instances where if the VPN packet is
too large it will be dropped. So it is best practice
to lower the MSS of your VPN traffic
@JBC_SEC & @JBIZZLE703
Cyber&Sight™ Network Knowledge
Juniper
Edition
JBCSEC.COM](https://image.slidesharecdn.com/networkknowledge-juniper-200609150451/85/Helpful-Juniper-Tips-and-Tricks-for-New-Network-Engineers-12-320.jpg)
![{primary:node0}[edit]
test@SRX1#set security screen ids-option DOS-screen icmp ip-sweep threshold
1000
set security screen ids-option DOS-screen icmp fragment
set security screen ids-option DOS-screen icmp large
set security screen ids-option DOS-screen icmp flood threshold 200
set security screen ids-option DOS-screen icmp ping-death
set security screen ids-option DOS-screen ip bad-option
set security screen ids-option DOS-screen ip record-route-option
set security screen ids-option DOS-screen ip timestamp-option
set security screen ids-option DOS-screen ip security-option
set security screen ids-option DOS-screen ip stream-option
set security screen ids-option DOS-screen ip spoofing
set security screen ids-option DOS-screen ip source-route-option
set security screen ids-option DOS-screen ip strict-source-route-option
set security screen ids-option DOS-screen ip unknown-protocol
set security screen ids-option DOS-screen ip block-frag
set security screen ids-option DOS-screen ip tear-drop
• Topic: Denial of Service Protections
• This group of commands is some of the many
that can be applied to an IDS policy
• This policy can than be attached to any interfaces
where you deem appropriate
• There are other IPv6 options, as well as flood and
sweep threshold protections
@JBC_SEC & @JBIZZLE703
Cyber&Sight™ Network Knowledge
Juniper
Edition
JBCSEC.COM](https://image.slidesharecdn.com/networkknowledge-juniper-200609150451/85/Helpful-Juniper-Tips-and-Tricks-for-New-Network-Engineers-13-320.jpg)
![{primary:node0}[edit]
test@SRX1#security nat source rule-set To-Untrust rule
R1 match source-address 0.0.0.0/0
set security nat source rule-set To-Untrust rule R1 match
destination-address 0.0.0.0/0
set security nat source rule-set To-Untrust rule R1 then
source-nat interface
• Topic: Setting Up Outbound NAT
• This group of commands allows you to set up a
NAT on an external interface and will NAT all
traffic destined to any IP address
• This particular configuration would NAT all
internal traffic to the external IP address of your
firewall
@JBC_SEC & @JBIZZLE703
Cyber&Sight™ Network Knowledge
Juniper
Edition
JBCSEC.COM](https://image.slidesharecdn.com/networkknowledge-juniper-200609150451/85/Helpful-Juniper-Tips-and-Tricks-for-New-Network-Engineers-14-320.jpg)
![{primary:node0}[edit]
test@SRX1#set security nat static rule-set Static-NAT rule
Web-Svr1 match destination-address 5.5.5.5/32
set security nat static rule-set Static-NAT rule Web-Svr1
then static-nat prefix 10.10.10.5/32
set security nat proxy-arp interface reth1.10 address
5.5.5.5/32
• Topic: Setting Up Inbound NAT
• This group of commands allows you to set up a
one-to-one NAT to translate from one external
address(public IP) to an internal IP address
(private)
• It is important to remember to add the “NAT
proxy-arp” statement so that the external
interface will know to respond to ARP requests
for the external NAT IP
@JBC_SEC & @JBIZZLE703
Cyber&Sight™ Network Knowledge
Juniper
Edition
JBCSEC.COM](https://image.slidesharecdn.com/networkknowledge-juniper-200609150451/85/Helpful-Juniper-Tips-and-Tricks-for-New-Network-Engineers-15-320.jpg)
![{primary:node0}[edit]
test@SRX1#set security policies global policy default-
deny match source-address any
set security policies global policy default-deny match
destination-address any
set security policies global policy default-deny match
application any
set security policies global policy default-deny then deny
set security policies global policy default-deny then log
session-init
• Topic: Setting Up a Global Default Deny Policy
• This group of commands allows you to set a
default deny policy at the bottom of all security
zone-based firewall rules
• It consists of statements for the source,
destination, application, and action. Lastly, there
is a command to ensure that every session that
matches the rule is logged
@JBC_SEC & @JBIZZLE703
Cyber&Sight™ Network Knowledge
Juniper
Edition
JBCSEC.COM](https://image.slidesharecdn.com/networkknowledge-juniper-200609150451/85/Helpful-Juniper-Tips-and-Tricks-for-New-Network-Engineers-16-320.jpg)
![{primary:node0}[edit]
test@SRX1#set security zones security-zone
DOMAIN_CONTROLLERS address-book address DC1 10.10.10.11/32
set security zones security-zone DOMAIN_CONTROLLERS address-
book address DC2 10.10.10.12/32
set security zones security-zone DOMAIN_CONTROLLERS address-
book address-set Domain_Controllers_Group address DC1
set security zones security-zone DOMAIN_CONTROLLERS address-
book address-set Domain_Controllers_Group address DC2
set security zones security-zone DOMAIN_CONTROLLERS interfaces
reth0.100
• Topic: Setting Up a Security Zone
• A security zone is a group of devices that are
associated with an interface/sub-interface. This
will normally contain one subnet or multiple
• These commands include creating address object
entries, creating an address group containing
multiple objects, and associating the security
zone with an interface (in this case a sub-
interface of a redundant ethernet interface
@JBC_SEC & @JBIZZLE703
Cyber&Sight™ Network Knowledge
Juniper
Edition
JBCSEC.COM](https://image.slidesharecdn.com/networkknowledge-juniper-200609150451/85/Helpful-Juniper-Tips-and-Tricks-for-New-Network-Engineers-17-320.jpg)
![{primary:node0}[edit]
test@SRX1#set security policies from-zone MONITORING_TOOLS
to-zone DOMAIN_CONTROLLERS policy NTP match source-address
SECURITY-TOOLS
set security policies from-zone MONITORING_TOOLS to-zone
DOMAIN_CONTROLLERS policy NTP match destination-address
Domain_Controllers_Group
set security policies from-zone MONITORING_TOOLS to-zone
DOMAIN_CONTROLLERS policy NTP match application NTP
set security policies from-zone MONITORING_TOOLS to-zone
DOMAIN_CONTROLLERS policy NTP then permit
• Topic: Setting Up a Security Policy
• A security policy is a rule that allows a device or
devices in one security zone to communicate
with another device or group of devices in a
different security zone
• These commands include the source addresses in
from the source zone, the destination addresses
in the destination zone, the application
(ports/protocols) that are allowed, and the action
statement for the rule
• Additional actions can be added to the rule such
as logging, IDP, Anti-Virus scanning, etc.
@JBC_SEC & @JBIZZLE703
Cyber&Sight™ Network Knowledge
Juniper
Edition
JBCSEC.COM](https://image.slidesharecdn.com/networkknowledge-juniper-200609150451/85/Helpful-Juniper-Tips-and-Tricks-for-New-Network-Engineers-18-320.jpg)
![{primary:node0}[edit]
test@SRX1#set interfaces lo0 unit 0 family inet filter input
loopback_ACL
• Command: “set interfaces lo0 unit 0 family inet
filter input xxx”
• The control plane of the Juniper devices is where
all the internal and management traffic is
processed
• It is important to protect the control plane and
the best way to do this is to create an ACL that
allows only expected traffic(ICMP, SNMP, BGP,
SSH, Syslog, etc.) from expected sources
• The above command is used to attach an ACL to
the control plane. Ensure you do one for the
“inet6” if you are using IPv6
@JBC_SEC & @JBIZZLE703
Cyber&Sight™ Network Knowledge
Juniper
Edition
JBCSEC.COM](https://image.slidesharecdn.com/networkknowledge-juniper-200609150451/85/Helpful-Juniper-Tips-and-Tricks-for-New-Network-Engineers-19-320.jpg)
![{primary:node0}[edit]
test@SRX1#run monitor interface reth0.100
• Command: “monitor interface xxxxx”
• This command allows you to see live statistics on
an interface
• This is useful when troubleshooting and verifying
traffic flow during various types of service
turnups
@JBC_SEC & @JBIZZLE703
Cyber&Sight™ Network Knowledge
Juniper
Edition
JBCSEC.COM
Interface: reth0.100, Enabled, Link is Up
Flags: SNMP-Traps 0x4000
Encapsulation: ENET2
VLAN-Tag [ 0x8100.100 ]
Local statistics: Current delta
Input bytes: 31178797 [0]
Output bytes: 18295428 [0]
Input packets: 491788 [0]
Output packets: 339515 [0]
Remote statistics:
Input bytes: 0 (10368 bps) [0]
Output bytes: 0 (9824 bps) [0]
Input packets: 0 (7 pps) [0]
Output packets: 0 (6 pps) [0]
Traffic statistics:
Input bytes: 2508402323652 [4199]
Output bytes: 196562958159 [3776]
Input packets: 2126407181 [37]
Output packets: 1268398436 [27]
Protocol: inet, MTU: 1500, Flags: None](https://image.slidesharecdn.com/networkknowledge-juniper-200609150451/85/Helpful-Juniper-Tips-and-Tricks-for-New-Network-Engineers-20-320.jpg)
![{primary:node0}[edit]
test@SRX1# commit confirmed
• Command: “commit confirmed”
• This command allows the device to automatically
rollback to your previously saved configuration if
configurations your entered causes some type of
issue and you don’t confirm the configuration
• The default rollback is 10 minutes, but you can
change the time value by adding a value to the
end of the statement, “commit confirmed 5”
means it will roll back in 5 minutes
• To confirm the configuration so it doesn’t roll
back, you need to type “commit” again
@JBC_SEC & @JBIZZLE703
Cyber&Sight™ Network Knowledge
Juniper
Edition
JBCSEC.COM](https://image.slidesharecdn.com/networkknowledge-juniper-200609150451/85/Helpful-Juniper-Tips-and-Tricks-for-New-Network-Engineers-22-320.jpg)
![test@SRX1> show security idp status
node0:
--------------------------------------------------------------------------
State of IDP: Default, Up since: 2018-11-14 05:24:37 UTC (57w2d 11:53 ago)
Packets/second: 189 Peak: 242628 @ 2019-11-16 14:28:28 UTC
KBits/second : 687 Peak: 3611901 @ 2019-10-23 23:30:30 UTC
Latency (microseconds): [min: 0] [max: 0] [avg: 0]
Packet Statistics:
[ICMP: 15168351] [TCP: 1486997617] [UDP: 3544899862] [Other: 259]
Flow Statistics:
ICMP: [Current: 10] [Max: 29970 @ 2019-06-25 17:45:12 UTC]
TCP: [Current: 434] [Max: 177962 @ 2019-02-14 23:13:54 UTC]
UDP: [Current: 1514] [Max: 42528 @ 2019-10-03 17:28:28 UTC]
Other: [Current: 4] [Max: 252 @ 2019-03-10 20:32:23 UTC]
Session Statistics:
[ICMP: 5] [TCP: 217] [UDP: 757] [Other: 2]
Number of SSL Sessions : 0
Policy Name : Server-Protection
Running Detector Version : 12.6.140190828
Forwarding process mode : regular
• Command: “show security idp status”
• This command shows the current state of the IDP
service on your device (not where it is applied
though)
• This displays packets going through the IDP,
flows, the name of the IDP policy applied (can
only apply one policy at one time) and the
signature set running
@JBC_SEC & @JBIZZLE703
Cyber&Sight™ Network Knowledge
Juniper
Edition
JBCSEC.COM](https://image.slidesharecdn.com/networkknowledge-juniper-200609150451/85/Helpful-Juniper-Tips-and-Tricks-for-New-Network-Engineers-23-320.jpg)
![test@SRX1> show security idp attack detail APP:2WIRE-DSL-VULN
Display Name: MISC: 2Wire DSL Router Vulnerability
Severity: Major
Category: APP
Recommended: false
Recommended Action: Drop
Type: signature
Direction: STC
False Positives: unknown
Shellcode: no
Flow: control
Context: http-text-html
Negate: false
TimeBinding:
Scope: none
Count: 1
Hidden Pattern: False
Pattern:
.*[PAGE=H04_POST][^s]*[PASSWORD=][^s]*[PASSWORD_CONF].*
• Command: “show security idp attack detail XXX”
• This command shows the detail of a specific IDP
attack signature
• It includes information like the severity, the
action taken when found, the context, and the
specific signature it matches against
@JBC_SEC & @JBIZZLE703
Cyber&Sight™ Network Knowledge
Juniper
Edition
JBCSEC.COM](https://image.slidesharecdn.com/networkknowledge-juniper-200609150451/85/Helpful-Juniper-Tips-and-Tricks-for-New-Network-Engineers-26-320.jpg)
![test@SRX1> show log messages | grep test
Dec 20 17:03:58 SRX1 sshd[55595]: (pam_sm_acct_mgmt): DEBUG:
PAM_ACTUAL_USER: test
Dec 20 17:03:58 SRX1 /kernel: FW1-UV sshd[55595]:
(pam_sm_acct_mgmt): DEBUG: PAM_ACTUAL_USER: test
Dec 20 17:03:58 SRX1 sshd[55593]: Accepted keyboard-
interactive/pam for test from 10.10.80.11 port 59598 ssh2
Dec 20 17:03:58 SRX1 /kernel: FW1-UV sshd[55593]: Accepted
keyboard-interactive/pam for test from 10.10.80.11 port 59598 ssh2
Dec 20 17:03:58 SRX1 mgd[55598]: UI_AUTH_EVENT: Authenticated
user 'test' at permission level 'j-Admins'
• Command: “show log messages | grep test”
• This command shows all the logs that are in the
default messages log and then specifically
searches for ones that match the string “test” by
using the grep subcommand
@JBC_SEC & @JBIZZLE703
Cyber&Sight™ Network Knowledge
Juniper
Edition
JBCSEC.COM](https://image.slidesharecdn.com/networkknowledge-juniper-200609150451/85/Helpful-Juniper-Tips-and-Tricks-for-New-Network-Engineers-29-320.jpg)
Helpful Juniper Tips and Tricks for New Network Engineers
- 1. {primary:node0}[edit] test@SRX1# set system services ssh root-login deny • Command: “set system services ssh root-login deny” • On Juniper devices there is a default admin account called root. You cannot rename the account and it has the permissions to do anything on the device • The “set system services ssh root-login deny” command allows you to block the root account from being able to log on across the network via SSH. • This is a good practice to only allow the root account to be used in emergency situations while having local console access @JBC_SEC & @JBIZZLE703 Cyber&Sight™ Network Knowledge Juniper Edition JBCSEC.COM
- 2. {primary:node0}[edit] test@SRX1# set system authentication-order radius • Command: “set system authentication-order radius” • This command allows you to only authenticate with accounts that are set up within your Radius server • If you attempt to log in with a local account, your authentication attempt will fail. However, if the device is not able to successfully connect to the Radius server you can login with a local account • If you would like to allow both Radius and local accounts, you can add the keyword “local” to the command after “radius” @JBC_SEC & @JBIZZLE703 Cyber&Sight™ Network Knowledge Juniper Edition JBCSEC.COM
- 3. {primary:node0}[edit] test@SRX1# set system login class RO permissions view- configuration set system login class RO allow-commands show set system login class RO deny-commands "(clear)|(file)|(fileshow)|(help)|(load)|(monitor)|(op) |(request)|(save)|(set)|(start)|(test)" set system login class RO deny-configuration all • Topic: Creating a Read-Only Account • This group of commands gives an example of how to create a class called “RO” which restricts which commands and actions are allowed. Accounts can then be associated with this group either locally or via a AAA server • This is useful for having different roles for network support staff. In this case an individual can log in and run show commands, but is limited from being able to do other type of configuration commands @JBC_SEC & @JBIZZLE703 Cyber&Sight™ Network Knowledge Juniper Edition JBCSEC.COM
- 4. {primary:node0}[edit] test@SRX1# set system login password minimum-length 15 set system login password change-type character-sets set system login password minimum-numerics 1 set system login password minimum-upper-cases 1 set system login password minimum-lower-cases 1 set system login password minimum-punctuations 1 set system login password format sha1 • Topic: Setting Strong Password Requirements • This group of commands allows an administrator to implement a strong password policy on the device • This grouping of commands includes both complexity and length requirements • This is only applicable to accounts stored locally on the device. If you are using a remote AAA server, a password policy must be applied for the accounts associated with that on the server where the accounts reside @JBC_SEC & @JBIZZLE703 Cyber&Sight™ Network Knowledge Juniper Edition JBCSEC.COM
- 5. {primary:node0}[edit] test@SRX1# set groups global-idp security policies from- zone <*> to-zone <*> policy <*> then permit application- services idp set security policies apply-groups global-idp set security idp active-policy Recommended • Topic: Setting a Global IDP Policy • This group of commands allows an administrator to implement an IDP policy across all security zones in the device • The IDP policy that is enabled in this case is the “Recommended” policy, which is a small grouping of IDP policies. Juniper has a collection of various IDP policies that can be implemented, or you can create your own policy based off whichever signatures you want • If you don’t want a global policy, you can just attach the IDP policy on a per security policy basis • There can be only one active policy enabled on the device at one time@JBC_SEC & @JBIZZLE703 Cyber&Sight™ Network Knowledge Juniper Edition JBCSEC.COM
- 6. {primary:node0}[edit] test@SRX1# set system services ssh root-login deny • Command: “set system services ssh root-login deny” • This command makes sure that you cannot log into the device remotely with the root account • This is important from a security perspective, so you can minimize the chance of a brute force attack against the device @JBC_SEC & @JBIZZLE703 Cyber&Sight™ Network Knowledge Juniper Edition JBCSEC.COM
- 7. {primary:node0}[edit] test@SRX1# set system services ssh ciphers aes128-ctr set system services ssh ciphers aes192-ctr set system services ssh ciphers aes256-ctr set system services ssh ciphers aes256-cbc set system services ssh ciphers aes192-cbc set system services ssh ciphers aes128-cbc set system services ssh macs hmac-sha1 set system services ssh macs hmac-sha2-512 set system services ssh macs hmac-sha2-256 set system services ssh macs hmac-sha1-96 set system services ssh key-exchange dh-group14-sha1 set system services ssh key-exchange group-exchange-sha2 set system services ssh key-exchange ecdh-sha2-nistp256 set system services ssh key-exchange ecdh-sha2-nistp384 set system services ssh key-exchange ecdh-sha2-nistp521 • Topic: Setting Secure Crypto Ciphers • This group of commands is used to implement what are currently considered acceptable standards for cryptography on the device for your SSH sessions • The device enables multiple weak ciphers by default, so it is important to specifically configure ciphers that are not considered vulnerable • Certain organizations or governing agencies will have specific requirements that you may need to meet @JBC_SEC & @JBIZZLE703 Cyber&Sight™ Network Knowledge Juniper Edition JBCSEC.COM
- 8. {primary:node0}[edit] test@SRX1# set system max-configurations-on-flash 5 set system max-configuration-rollbacks 5 • Topic: Saving Configurations with Rollbacks • This group of commands is used set the amount of versions of configurations that are saved on the device • The this will allow you to rollback to any of the previous five configuration states from the previous times you did a commit to the configuration • This number can be altered to meet the requirement and comfort level of the administrators @JBC_SEC & @JBIZZLE703 Cyber&Sight™ Network Knowledge Juniper Edition JBCSEC.COM
- 9. {primary:node0}[edit] test@SRX1# set chassis cluster reth-count 5 • Command: “set chassis cluster reth-count 5” • This command sets the number of redundant ethernet interfaces (RETHs) that are configured on the device • A RETH is a pair of interfaces that act as a single interface between an active/passive firewall cluster • If you don’t modify this number, the device will not allow you to add additional RETH’s @JBC_SEC & @JBIZZLE703 Cyber&Sight™ Network Knowledge Juniper Edition JBCSEC.COM
- 10. {primary:node0}[edit] test@SRX1# set security log mode stream • Command: “set security log mode stream” • This command changes the way the device processes it’s logging. Stream mode is recommended for the larger sized devices and instead of processing/maintaing the logs on box, ships them off to a remote location • The purpose of this mode is that due to the amount of log processing that happens on carrier grade devices, it can have a negative impact on the performance of the CPU’s @JBC_SEC & @JBIZZLE703 Cyber&Sight™ Network Knowledge Juniper Edition JBCSEC.COM
- 11. {primary:node0}[edit] test@SRX1# set security flow traceoptions file FLOW set security flow traceoptions file size 5m set security flow traceoptions file files 5 set security flow traceoptions file world-readable set security flow traceoptions flag tcp-basic • Topic: Traceoptions • These series of commands allows you to capture traffic as it flows through the device. This can be useful in many troubleshooting scenarios • The first commands sets the name of the file, the second the size of the file, the third how many files to create before overwriting the oldest, the fourth the output format, and the fifth which type of traffic to collect • There are many options for the flag command including: all, general, normal, policy, route, state, etc. @JBC_SEC & @JBIZZLE703 Cyber&Sight™ Network Knowledge Juniper Edition JBCSEC.COM
- 12. {primary:node0}[edit] test@SRX1# set security flow tcp-mss ipsec-vpn mss 1300 • Command: “set security flow tcp-mss ipsec-vpn mss 1300” • This command ensures that all traffic going through an IPSec VPN on the device will be using a maximum segment size • This is often needed to ensure fragmentation across the internet or WAN does not take place. There are instances where if the VPN packet is too large it will be dropped. So it is best practice to lower the MSS of your VPN traffic @JBC_SEC & @JBIZZLE703 Cyber&Sight™ Network Knowledge Juniper Edition JBCSEC.COM
- 13. {primary:node0}[edit] test@SRX1#set security screen ids-option DOS-screen icmp ip-sweep threshold 1000 set security screen ids-option DOS-screen icmp fragment set security screen ids-option DOS-screen icmp large set security screen ids-option DOS-screen icmp flood threshold 200 set security screen ids-option DOS-screen icmp ping-death set security screen ids-option DOS-screen ip bad-option set security screen ids-option DOS-screen ip record-route-option set security screen ids-option DOS-screen ip timestamp-option set security screen ids-option DOS-screen ip security-option set security screen ids-option DOS-screen ip stream-option set security screen ids-option DOS-screen ip spoofing set security screen ids-option DOS-screen ip source-route-option set security screen ids-option DOS-screen ip strict-source-route-option set security screen ids-option DOS-screen ip unknown-protocol set security screen ids-option DOS-screen ip block-frag set security screen ids-option DOS-screen ip tear-drop • Topic: Denial of Service Protections • This group of commands is some of the many that can be applied to an IDS policy • This policy can than be attached to any interfaces where you deem appropriate • There are other IPv6 options, as well as flood and sweep threshold protections @JBC_SEC & @JBIZZLE703 Cyber&Sight™ Network Knowledge Juniper Edition JBCSEC.COM
- 14. {primary:node0}[edit] test@SRX1#security nat source rule-set To-Untrust rule R1 match source-address 0.0.0.0/0 set security nat source rule-set To-Untrust rule R1 match destination-address 0.0.0.0/0 set security nat source rule-set To-Untrust rule R1 then source-nat interface • Topic: Setting Up Outbound NAT • This group of commands allows you to set up a NAT on an external interface and will NAT all traffic destined to any IP address • This particular configuration would NAT all internal traffic to the external IP address of your firewall @JBC_SEC & @JBIZZLE703 Cyber&Sight™ Network Knowledge Juniper Edition JBCSEC.COM
- 15. {primary:node0}[edit] test@SRX1#set security nat static rule-set Static-NAT rule Web-Svr1 match destination-address 5.5.5.5/32 set security nat static rule-set Static-NAT rule Web-Svr1 then static-nat prefix 10.10.10.5/32 set security nat proxy-arp interface reth1.10 address 5.5.5.5/32 • Topic: Setting Up Inbound NAT • This group of commands allows you to set up a one-to-one NAT to translate from one external address(public IP) to an internal IP address (private) • It is important to remember to add the “NAT proxy-arp” statement so that the external interface will know to respond to ARP requests for the external NAT IP @JBC_SEC & @JBIZZLE703 Cyber&Sight™ Network Knowledge Juniper Edition JBCSEC.COM
- 16. {primary:node0}[edit] test@SRX1#set security policies global policy default- deny match source-address any set security policies global policy default-deny match destination-address any set security policies global policy default-deny match application any set security policies global policy default-deny then deny set security policies global policy default-deny then log session-init • Topic: Setting Up a Global Default Deny Policy • This group of commands allows you to set a default deny policy at the bottom of all security zone-based firewall rules • It consists of statements for the source, destination, application, and action. Lastly, there is a command to ensure that every session that matches the rule is logged @JBC_SEC & @JBIZZLE703 Cyber&Sight™ Network Knowledge Juniper Edition JBCSEC.COM
- 17. {primary:node0}[edit] test@SRX1#set security zones security-zone DOMAIN_CONTROLLERS address-book address DC1 10.10.10.11/32 set security zones security-zone DOMAIN_CONTROLLERS address- book address DC2 10.10.10.12/32 set security zones security-zone DOMAIN_CONTROLLERS address- book address-set Domain_Controllers_Group address DC1 set security zones security-zone DOMAIN_CONTROLLERS address- book address-set Domain_Controllers_Group address DC2 set security zones security-zone DOMAIN_CONTROLLERS interfaces reth0.100 • Topic: Setting Up a Security Zone • A security zone is a group of devices that are associated with an interface/sub-interface. This will normally contain one subnet or multiple • These commands include creating address object entries, creating an address group containing multiple objects, and associating the security zone with an interface (in this case a sub- interface of a redundant ethernet interface @JBC_SEC & @JBIZZLE703 Cyber&Sight™ Network Knowledge Juniper Edition JBCSEC.COM
- 18. {primary:node0}[edit] test@SRX1#set security policies from-zone MONITORING_TOOLS to-zone DOMAIN_CONTROLLERS policy NTP match source-address SECURITY-TOOLS set security policies from-zone MONITORING_TOOLS to-zone DOMAIN_CONTROLLERS policy NTP match destination-address Domain_Controllers_Group set security policies from-zone MONITORING_TOOLS to-zone DOMAIN_CONTROLLERS policy NTP match application NTP set security policies from-zone MONITORING_TOOLS to-zone DOMAIN_CONTROLLERS policy NTP then permit • Topic: Setting Up a Security Policy • A security policy is a rule that allows a device or devices in one security zone to communicate with another device or group of devices in a different security zone • These commands include the source addresses in from the source zone, the destination addresses in the destination zone, the application (ports/protocols) that are allowed, and the action statement for the rule • Additional actions can be added to the rule such as logging, IDP, Anti-Virus scanning, etc. @JBC_SEC & @JBIZZLE703 Cyber&Sight™ Network Knowledge Juniper Edition JBCSEC.COM
- 19. {primary:node0}[edit] test@SRX1#set interfaces lo0 unit 0 family inet filter input loopback_ACL • Command: “set interfaces lo0 unit 0 family inet filter input xxx” • The control plane of the Juniper devices is where all the internal and management traffic is processed • It is important to protect the control plane and the best way to do this is to create an ACL that allows only expected traffic(ICMP, SNMP, BGP, SSH, Syslog, etc.) from expected sources • The above command is used to attach an ACL to the control plane. Ensure you do one for the “inet6” if you are using IPv6 @JBC_SEC & @JBIZZLE703 Cyber&Sight™ Network Knowledge Juniper Edition JBCSEC.COM
- 20. {primary:node0}[edit] test@SRX1#run monitor interface reth0.100 • Command: “monitor interface xxxxx” • This command allows you to see live statistics on an interface • This is useful when troubleshooting and verifying traffic flow during various types of service turnups @JBC_SEC & @JBIZZLE703 Cyber&Sight™ Network Knowledge Juniper Edition JBCSEC.COM Interface: reth0.100, Enabled, Link is Up Flags: SNMP-Traps 0x4000 Encapsulation: ENET2 VLAN-Tag [ 0x8100.100 ] Local statistics: Current delta Input bytes: 31178797 [0] Output bytes: 18295428 [0] Input packets: 491788 [0] Output packets: 339515 [0] Remote statistics: Input bytes: 0 (10368 bps) [0] Output bytes: 0 (9824 bps) [0] Input packets: 0 (7 pps) [0] Output packets: 0 (6 pps) [0] Traffic statistics: Input bytes: 2508402323652 [4199] Output bytes: 196562958159 [3776] Input packets: 2126407181 [37] Output packets: 1268398436 [27] Protocol: inet, MTU: 1500, Flags: None
- 21. test@SRX1# show security flow session destination-prefix 10.10.10.11 source- prefix 10.5.102.14 node0: -------------------------------------------------------------------------- Flow Sessions on FPC0 PIC1: Total sessions: 0 Flow Sessions on FPC0 PIC2: Session ID: 20079227, Policy name: Monitoring/25, State: Active, Timeout: 884, Valid In: 10.10.11.14/53728 --> 10.10.10.11/161;udp, Conn Tag: 0x0, If: reth0.102, Pkts: 50, Bytes: 4316, CP Session ID: 22697955 Out: 10.10.10.11/161 --> 10.10.11.14/53728;udp, Conn Tag: 0x0, If: reth0.100, Pkts: 50, Bytes: 6029, CP Session ID: 22697955 Total sessions: 1 • Command: “show security flow session” • The command allows you to look for real time traffic sessions going through your device • This is helpful for troubleshooting purposes if you want to see if the traffic is traversing your firewall/device • There are multiple tags that can be used to narrow the search for traffic, in this case we used the destination and source prefix to look for a specific flow @JBC_SEC & @JBIZZLE703 Cyber&Sight™ Network Knowledge Juniper Edition JBCSEC.COM
- 22. {primary:node0}[edit] test@SRX1# commit confirmed • Command: “commit confirmed” • This command allows the device to automatically rollback to your previously saved configuration if configurations your entered causes some type of issue and you don’t confirm the configuration • The default rollback is 10 minutes, but you can change the time value by adding a value to the end of the statement, “commit confirmed 5” means it will roll back in 5 minutes • To confirm the configuration so it doesn’t roll back, you need to type “commit” again @JBC_SEC & @JBIZZLE703 Cyber&Sight™ Network Knowledge Juniper Edition JBCSEC.COM
- 23. test@SRX1> show security idp status node0: -------------------------------------------------------------------------- State of IDP: Default, Up since: 2018-11-14 05:24:37 UTC (57w2d 11:53 ago) Packets/second: 189 Peak: 242628 @ 2019-11-16 14:28:28 UTC KBits/second : 687 Peak: 3611901 @ 2019-10-23 23:30:30 UTC Latency (microseconds): [min: 0] [max: 0] [avg: 0] Packet Statistics: [ICMP: 15168351] [TCP: 1486997617] [UDP: 3544899862] [Other: 259] Flow Statistics: ICMP: [Current: 10] [Max: 29970 @ 2019-06-25 17:45:12 UTC] TCP: [Current: 434] [Max: 177962 @ 2019-02-14 23:13:54 UTC] UDP: [Current: 1514] [Max: 42528 @ 2019-10-03 17:28:28 UTC] Other: [Current: 4] [Max: 252 @ 2019-03-10 20:32:23 UTC] Session Statistics: [ICMP: 5] [TCP: 217] [UDP: 757] [Other: 2] Number of SSL Sessions : 0 Policy Name : Server-Protection Running Detector Version : 12.6.140190828 Forwarding process mode : regular • Command: “show security idp status” • This command shows the current state of the IDP service on your device (not where it is applied though) • This displays packets going through the IDP, flows, the name of the IDP policy applied (can only apply one policy at one time) and the signature set running @JBC_SEC & @JBIZZLE703 Cyber&Sight™ Network Knowledge Juniper Edition JBCSEC.COM
- 24. test@SRX1> show security idp counters action node0: -------------------------------------------------------------------------- IDP counters: IDP counter type Value None 126 Recommended 0 Ignore 0 Diffserv 0 Drop packet 49 Drop 124522 Close 0 Close server 0 Close client 0 IP action rate limit 0 IP action drop 0 IP action close 0 IP action nofity 0 IP action failed 0 • Command: “show security idp counters” • This command shows the number of packets that have had some type of action implemented on that when they have hit an IDP signature on your device • The actions depend upon the pre-configured rules for the signatures, but they can be modified or ignored with exemption configurations @JBC_SEC & @JBIZZLE703 Cyber&Sight™ Network Knowledge Juniper Edition JBCSEC.COM
- 25. test@SRX1> show security idp attack detail ? Possible completions: <attack-name> Attack name APP:2WIRE-DSL-VULN APP:ABB-NETSCANHOST-OF APP:ACCELLION-FILE-TRANSFER APP:ACRONIS-TRU-IMG-ECO-SRV-DOS APP:ADOBE-CF-DIR-TRAV APP:ADOBE-COLDFUSION-WEBSOCKET • Command: “show security idp attack detail ?” • This command shows an alphabetical listing of all the IDP attack signatures that are available on the device • You can search based off attack name if you have an idea of what you are looking for. You can also go to Juniper website and search their IDP signature database @JBC_SEC & @JBIZZLE703 Cyber&Sight™ Network Knowledge Juniper Edition JBCSEC.COM
- 26. test@SRX1> show security idp attack detail APP:2WIRE-DSL-VULN Display Name: MISC: 2Wire DSL Router Vulnerability Severity: Major Category: APP Recommended: false Recommended Action: Drop Type: signature Direction: STC False Positives: unknown Shellcode: no Flow: control Context: http-text-html Negate: false TimeBinding: Scope: none Count: 1 Hidden Pattern: False Pattern: .*[PAGE=H04_POST][^s]*[PASSWORD=][^s]*[PASSWORD_CONF].* • Command: “show security idp attack detail XXX” • This command shows the detail of a specific IDP attack signature • It includes information like the severity, the action taken when found, the context, and the specific signature it matches against @JBC_SEC & @JBIZZLE703 Cyber&Sight™ Network Knowledge Juniper Edition JBCSEC.COM
- 27. test@SRX1>show security idp attack description APP:2WIRE-DSL-VULN Description: This signature detects attempts to exploit a known vulnerability in 2Wire DSL routers. An attacker can create a malicious Web site containing dangerous hyperlinks, which if accessed by a victim, allows the attacker to gain control of the victim's DSL router. • Command: “show security idp attack description XXX” • This command shows a description of a specific IDP attack signature and what it is used to protect against @JBC_SEC & @JBIZZLE703 Cyber&Sight™ Network Knowledge Juniper Edition JBCSEC.COM
- 28. test@SRX1> show interfaces terse Interface Admin Link Proto Local Remote gr-0/0/0 up up ip-0/0/0 up up lt-0/0/0 up up xe-2/2/0 up up xe-2/2/0.0 up up aenet --> fab0.0 xe-2/2/1 up up xe-2/2/1.100 up up aenet --> reth0.100 xe-2/2/1.101 up up aenet --> reth0.101 xe-2/2/1.102 up up aenet --> reth0.102 xe-2/2/1.103 up up aenet --> reth0.103 • Command: “show interfaces terse” • This command shows a summary of all interfaces • Information includes their admin/link status, descriptions, protocol used, and IP addresses associated with them @JBC_SEC & @JBIZZLE703 Cyber&Sight™ Network Knowledge Juniper Edition JBCSEC.COM
- 29. test@SRX1> show log messages | grep test Dec 20 17:03:58 SRX1 sshd[55595]: (pam_sm_acct_mgmt): DEBUG: PAM_ACTUAL_USER: test Dec 20 17:03:58 SRX1 /kernel: FW1-UV sshd[55595]: (pam_sm_acct_mgmt): DEBUG: PAM_ACTUAL_USER: test Dec 20 17:03:58 SRX1 sshd[55593]: Accepted keyboard- interactive/pam for test from 10.10.80.11 port 59598 ssh2 Dec 20 17:03:58 SRX1 /kernel: FW1-UV sshd[55593]: Accepted keyboard-interactive/pam for test from 10.10.80.11 port 59598 ssh2 Dec 20 17:03:58 SRX1 mgd[55598]: UI_AUTH_EVENT: Authenticated user 'test' at permission level 'j-Admins' • Command: “show log messages | grep test” • This command shows all the logs that are in the default messages log and then specifically searches for ones that match the string “test” by using the grep subcommand @JBC_SEC & @JBIZZLE703 Cyber&Sight™ Network Knowledge Juniper Edition JBCSEC.COM
- 30. test@SRX1> show configuration | display set • Command: “show configuration | display set” • The “show configuration” command will display the active configuration that is running on the device. The format of this configuration is a hierarchical bracketed format that is not easily copied back into a device for configuration changes • The “ | display set” subcommand displays the configuration but outputs it in a “set” format which allows for the commands to be copied into other device @JBC_SEC & @JBIZZLE703 Cyber&Sight™ Network Knowledge Juniper Edition JBCSEC.COM