Juniper SRX Crash Course
This is intended to be a crash course on getting a Juniper Networks branch SRX up and running. In this case, we’ll be using an SRX210H, but the same configuration will generally apply for any branch SRX. Let’s get going.
The first thing you want to do is console in, login as root (no password), jump into the CLI with the “cli” command, and delete the current configuration:
root@R1> edit Entering configuration mode [edit] root@R1# delete This will delete the entire configuration Delete everything under this level? [yes,no] (no) yes
Now show your configuration to be sure it’s clean:
[edit] root@R1# show [edit] root@R1#
Without setting a root password, Junos will not allow you to commit your configuration:
root@R1# set system root-authentication plain-text-password New password: Retype new password:
Of course, we’ll want to set a hostname, and configure the router for SSH authentication, and add a user:
[edit] root@R1# set system host-name R1 [edit] root@R1# set system services ssh root@R1# set system login user cjones class super-user full-name "Chris Jones" authentication plain-text-password New password: Retype new password:
Let’s have a look at our config so far:
[edit]
cjones@R1# show
## Last changed: 2011-08-08 21:26:28 UTC
system {
host-name R1;
root-authentication {
encrypted-password "$1$rqnMR5or$EkGp.o9TcDxXVtPvmRgqp0"; ## SECRET-DATA
}
login {
user cjones {
full-name "Chris Jones";
class super-user;
authentication {
encrypted-password "$1$p2RMgNSM$GDlMyrBX05TIaYFwfhz9l."; ## SECRET-DATA
}
}
}
services {
ssh;
}
}
Looks good! We can also see the commands that would be required to re-create the configuration:
[edit] cjones@R1# show | display set set system host-name R1 set system root-authentication encrypted-password "$1$rqnMR5or$EkGp.o9TcDxXVtPvmRgqp0" set system login user cjones full-name "Chris Jones" set system login user cjones class super-user set system login user cjones authentication encrypted-password "$1$p2RMgNSM$GDlMyrBX05TIaYFwfhz9l." set system services ssh
NOTE: If you wanted to paste in a section of “set-based” configuration, you would use:
load set terminal
NOTE: If you wanted to paste in a section of “standard” configuration, you would use:
load merge terminal
NOTE: If you wanted to paste in an entire “standard” configuration, you would use:
load override terminal
Back to our config. The next thing you might want to do is set up an interface on a management subnet. For this we will use virtual-routers in order to keep the management routes separate from the main RIB. In this case, our management network is 10.255.255.0/24 with a gateway of .254
Configure the interface (fe-0/0/7.0 in this case) and assign the IP address:
[edit] cjones@R1# set interfaces fe-0/0/7 unit 0 family inet address 10.255.255.1/24
Create the VR and assign fe-0/0/7.0 to it:
[edit] cjones@R1# set routing-instances MANAGEMENT instance-type virtual-router interface fe-0/0/7.0
Add a static default route to the MANAGEMENT VR:
[edit] cjones@R1# set routing-instances MANAGEMENT routing-options static route 0.0.0.0/0 next-hop 10.255.255.254
NOTE: The configuration heirarchy within a VR is the same as always, for example OSPF configuration would be found under “routing-instances protocols ospf” just as it would usually be under “protocols ospf”
Again, let’s take a look at our configuration:
[edit]
cjones@R1# show
## Last changed: 2011-08-08 21:56:40 UTC
system {
host-name R1;
root-authentication {
encrypted-password "$1$rqnMR5or$EkGp.o9TcDxXVtPvmRgqp0"; ## SECRET-DATA
}
login {
user cjones {
full-name "Chris Jones";
class super-user;
authentication {
encrypted-password "$1$p2RMgNSM$GDlMyrBX05TIaYFwfhz9l."; ## SECRET-DATA
}
}
}
services {
ssh;
}
}
interfaces {
fe-0/0/7 {
unit 0 {
family inet {
address 10.255.255.1/24;
}
}
}
}
routing-instances {
MANAGEMENT {
instance-type virtual-router;
interface fe-0/0/7.0;
routing-options {
static {
route 0.0.0.0/0 next-hop 10.255.255.254;
}
}
}
}
[edit]
cjones@R1# show | display set
set system host-name R1
set system root-authentication encrypted-password "$1$rqnMR5or$EkGp.o9TcDxXVtPvmRgqp0"
set system login user cjones full-name "Chris Jones"
set system login user cjones class super-user
set system login user cjones authentication encrypted-password "$1$p2RMgNSM$GDlMyrBX05TIaYFwfhz9l."
set system services ssh
set interfaces fe-0/0/7 unit 0 family inet address 10.255.255.1/24
set routing-instances MANAGEMENT instance-type virtual-router
set routing-instances MANAGEMENT interface fe-0/0/7.0
set routing-instances MANAGEMENT routing-options static route 0.0.0.0/0 next-hop 10.255.255.254
NOTE: You’ll notice the “set” display format is significantly shorter, and is therefore a good way of using a text editor to edit repetitive tasks, which can be pasted in using “load set terminal”
Now we add untrust (outside) and trust (inside) interfaces. Our link to the service provider is 1.2.2.2/30 with a gateway of 1.2.2.1, and our link facing our internal network is 10.0.0.1/24:
[edit] cjones@R1# set interfaces ge-0/0/1 unit 0 family inet address 1.2.2.2/30 [edit] cjones@R1# set interfaces ge-0/0/2 unit 0 family inet address 10.0.0.1/24
Add a default route:
[edit] cjones@R1# set routing-options static route 0.0.0.0/0 next-hop 1.2.2.1
Now, if you were running in packet mode, you’d be done. Assuming you want your shiny new SRX to function as a firewall too, you will need to set up security.
NOTE: Packet mode is what most Juniper routers run (M/MX, and older J-Series). Flow mode is what new J-Series and branch SRX run. Packet mode works as a traditional router, whereas flow mode integrates features from ScreenOS such as a stateful firewall. To convert your SRX to packet mode (which you don’t want to do in this case), issue the following commands:
delete security set security forwarding-options family inet6 mode packet-based set security forwarding-options family mpls mode packet-based
To start the firewall configuration, you first need to create your zones. In our case we will create two zones, one called UNTRUST and one called TRUST. Assign interfaces, as appropriate:
[edit] cjones@R1# set security zones security-zone UNTRUST interfaces ge-0/0/1.0 [edit] cjones@R1# set security zones security-zone TRUST interfaces ge-0/0/2.0
Next we need to create policies. Unless you have Internet accessible services in the TRUST zone, you will typically want the default from UNTRUST -> TRUST, which is to deny traffic. Since this is the default, no policy is required to be configured.
To allow traffic to pass through your firewall from the TRUST zone to the Internet (UNTRUST), you will need to create a policy. In this case, we’re going to allow all outbound traffic.
[edit] cjones@R1# set security policies from-zone TRUST to-zone UNTRUST policy PERMIT_ALL match source-address any destination-address any application any [edit] cjones@R1# set security policies from-zone TRUST to-zone UNTRUST policy PERMIT_ALL then permit
While not necessary in this case, as we only have one interface in the TRUST zone, we will go ahead and add a policy that allows intra-zone traffic from TRUST -> TRUST:
[edit] cjones@R1# set security policies from-zone TRUST to-zone TRUST policy PERMIT_ALL match source-address any destination-address any application any [edit] cjones@R1# set security policies from-zone TRUST to-zone TRUST policy PERMIT_ALL then permit
Now the next part is a bit tricky, and commonly confuses Junos newbies. While your traffic will now flow, if you want to be able to ping your interfaces (among other things, including routing protocols like OSPF), you will need to allow host-inbound-traffic in the zone. Let’s allow ping to all interfaces in the TRUST zone:
[edit] cjones@R1# set security zones security-zone TRUST host-inbound-traffic system-services ping
You can configure host-inbound-traffic more specifically per interface as well (we aren’t going to be using OSPF here, but we’ll include it as an example):
[edit] cjones@R1# set security zones security-zone TRUST interfaces ge-0/0/2.0 host-inbound-traffic system-services ping [edit] cjones@R1# set security zones security-zone TRUST interfaces ge-0/0/2.0 host-inbound-traffic protocols ospf
NOTE: interface-level host-inbound-traffic configuration completely overrides the zone-level configuration, which means we must configure both ping and OSPF to be allowed at the interface-level.
Now, if you think back to what we have done so far… what are we missing? Of course! We’re missing the ability to send SSH host-inbound-traffic to the management interface we had configured! Let’s add this to our configuration:
[edit] cjones@R1# set security zones security-zone MANAGEMENT interfaces fe-0/0/7.0 host-inbound-traffic system-services ssh
NOTE: Since there will never be traffic THROUGH the MANAGEMENT VR, we have no need for an inter-zone or intra-zone firewall policy.
Finally, we will need to add NAT to our configuration. Configuring simple source NAT on the SRX in flow mode is easy. In packet mode, not so much. Here we are going to simply NAT everything in the TRUST zone to the IP address of the UNTRUST interface ge-0/0/1.0:
[edit] cjones@R1# set security nat source rule-set ALL_TRUST from zone TRUST [edit] cjones@R1# set security nat source rule-set ALL_TRUST to zone UNTRUST [edit] cjones@R1# set security nat source rule-set ALL_TRUST rule RULE_1 match source-address 0.0.0.0/0 destination-address 0.0.0.0/0 [edit] cjones@R1# set security nat source rule-set ALL_TRUST rule RULE_1 then source-nat interface
Let’s take a look at our NAT configuration:
cjones@R1# show security nat
source {
rule-set ALL_TRUST {
from zone TRUST;
to zone UNTRUST;
rule RULE_1 {
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
[edit]
cjones@R1# show security nat | display set
set security nat source rule-set ALL_TRUST from zone TRUST
set security nat source rule-set ALL_TRUST to zone UNTRUST
set security nat source rule-set ALL_TRUST rule RULE_1 match source-address 0.0.0.0/0
set security nat source rule-set ALL_TRUST rule RULE_1 match destination-address 0.0.0.0/0
set security nat source rule-set ALL_TRUST rule RULE_1 then source-nat interface
And our entire security section:
[edit]
cjones@R1# show security
nat {
source {
rule-set ALL_TRUST {
from zone TRUST;
to zone UNTRUST;
rule RULE_1 {
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone TRUST to-zone UNTRUST {
policy PERMIT_ALL {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone UNTRUST {
interfaces {
ge-0/0/1.0;
}
}
security-zone TRUST {
host-inbound-traffic {
system-services {
ping;
}
}
interfaces {
ge-0/0/2.0 {
host-inbound-traffic {
system-services {
ping;
}
protocols {
ospf;
}
}
}
}
}
security-zone MANAGEMENT {
interfaces {
fe-0/0/7.0 {
host-inbound-traffic {
system-services {
ssh;
}
}
}
}
}
}
[edit]
cjones@R1# show security | display set
set security nat source rule-set ALL_TRUST from zone TRUST
set security nat source rule-set ALL_TRUST to zone UNTRUST
set security nat source rule-set ALL_TRUST rule RULE_1 match source-address 0.0.0.0/0
set security nat source rule-set ALL_TRUST rule RULE_1 match destination-address 0.0.0.0/0
set security nat source rule-set ALL_TRUST rule RULE_1 then source-nat interface
set security policies from-zone TRUST to-zone UNTRUST policy PERMIT_ALL match source-address any
set security policies from-zone TRUST to-zone UNTRUST policy PERMIT_ALL match destination-address any
set security policies from-zone TRUST to-zone UNTRUST policy PERMIT_ALL match application any
set security policies from-zone TRUST to-zone UNTRUST policy PERMIT_ALL then permit
set security zones security-zone UNTRUST interfaces ge-0/0/1.0
set security zones security-zone TRUST host-inbound-traffic system-services ping
set security zones security-zone TRUST interfaces ge-0/0/2.0 host-inbound-traffic system-services ping
set security zones security-zone TRUST interfaces ge-0/0/2.0 host-inbound-traffic protocols ospf
set security zones security-zone MANAGEMENT interfaces fe-0/0/7.0 host-inbound-traffic system-services ssh
And that’s it! You now have a fully functional and (mostly) secure firewall! There are plenty of other options that could be configured, including critical system services like NTP and AAA, but this is definitely a good start.
Let’s have a look at our final configuration before committing:
[edit]
cjones@R1# show
## Last changed: 2011-08-08 22:35:43 UTC
system {
host-name R1;
root-authentication {
encrypted-password "$1$rqnMR5or$EkGp.o9TcDxXVtPvmRgqp0"; ## SECRET-DATA
}
login {
user cjones {
full-name "Chris Jones";
class super-user;
authentication {
encrypted-password "$1$p2RMgNSM$GDlMyrBX05TIaYFwfhz9l."; ## SECRET-DATA
}
}
}
services {
ssh;
}
}
interfaces {
ge-0/0/1 {
unit 0 {
family inet {
address 1.2.2.2/30;
}
}
}
ge-0/0/2 {
unit 0 {
family inet {
address 10.0.0.1/24;
}
}
}
fe-0/0/7 {
unit 0 {
family inet {
address 10.255.255.1/24;
}
}
}
}
security {
nat {
source {
rule-set ALL_TRUST {
from zone TRUST;
to zone UNTRUST;
rule RULE_1 {
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone TRUST to-zone UNTRUST {
policy PERMIT_ALL {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone UNTRUST {
interfaces {
ge-0/0/1.0;
}
}
security-zone TRUST {
host-inbound-traffic {
system-services {
ping;
}
}
interfaces {
ge-0/0/2.0 {
host-inbound-traffic {
system-services {
ping;
}
protocols {
ospf;
}
}
}
}
}
security-zone MANAGEMENT {
interfaces {
fe-0/0/7.0 {
host-inbound-traffic {
system-services {
ssh;
}
}
}
}
}
}
}
routing-instances {
MANAGEMENT {
instance-type virtual-router;
interface fe-0/0/7.0;
routing-options {
static {
route 0.0.0.0/0 next-hop 10.255.255.254;
}
}
}
}
[edit]
cjones@R1# show |display set
set system host-name R1
set system root-authentication encrypted-password "$1$rqnMR5or$EkGp.o9TcDxXVtPvmRgqp0"
set system login user cjones full-name "Chris Jones"
set system login user cjones class super-user
set system login user cjones authentication encrypted-password "$1$p2RMgNSM$GDlMyrBX05TIaYFwfhz9l."
set system services ssh
set interfaces ge-0/0/1 unit 0 family inet address 1.2.2.2/30
set interfaces ge-0/0/2 unit 0 family inet address 10.0.0.1/24
set interfaces fe-0/0/7 unit 0 family inet address 10.255.255.1/24
set security nat source rule-set ALL_TRUST from zone TRUST
set security nat source rule-set ALL_TRUST to zone UNTRUST
set security nat source rule-set ALL_TRUST rule RULE_1 match source-address 0.0.0.0/0
set security nat source rule-set ALL_TRUST rule RULE_1 match destination-address 0.0.0.0/0
set security nat source rule-set ALL_TRUST rule RULE_1 then source-nat interface
set security policies from-zone TRUST to-zone UNTRUST policy PERMIT_ALL match source-address any
set security policies from-zone TRUST to-zone UNTRUST policy PERMIT_ALL match destination-address any
set security policies from-zone TRUST to-zone UNTRUST policy PERMIT_ALL match application any
set security policies from-zone TRUST to-zone UNTRUST policy PERMIT_ALL then permit
set security zones security-zone UNTRUST interfaces ge-0/0/1.0
set security zones security-zone TRUST host-inbound-traffic system-services ping
set security zones security-zone TRUST interfaces ge-0/0/2.0 host-inbound-traffic system-services ping
set security zones security-zone TRUST interfaces ge-0/0/2.0 host-inbound-traffic protocols ospf
set security zones security-zone MANAGEMENT interfaces fe-0/0/7.0 host-inbound-traffic system-services ssh
set routing-instances MANAGEMENT instance-type virtual-router
set routing-instances MANAGEMENT interface fe-0/0/7.0
set routing-instances MANAGEMENT routing-options static route 0.0.0.0/0 next-hop 10.255.255.254
Let’s try to check our work:
[edit] cjones@R1# commit check configuration check succeeds
Looks good! Go ahead and commit:
[edit] cjones@R1# commit and-quit commit complete Exiting configuration mode cjones@R1>
Hope that helps!
What do you think of using:
set security zones functional-zone management (etc)
instead of a security zone? The non-forwardingness is built in. It should be good for something, don’t you think?
Hmm, I’ve never used a funcitonal-zone. Does it provide a mechanism to allow me to add a static default management route without conflicting with inet.0?
From memory a functional zone means it can’t be a transit zone.
So you can set one as your device manangement but the SRX won’t push traffic through it to another zone so there is no zone-to-zone communication.
AFAIK there is still no way to put the bloody FXP0 interfaces into their own RIB which makes management a pain in the ass.
Yes, but zone to zone communication isn’t the reason I use a VR. I use the VR because I want to be able to put any kind of static routes I want for management, without conflicting with inet.0.
And you’re right… still can’t put fxp0 into a VR on the SRX, nor the vme.0 into a VR on an EX. You could put all your transit traffic into a VR and leave inet.0 for management, as long as you don’t want to use IPSec, which can’t be terminated in a VR.
I’ve been setting up my first SRX today after working with ScreenOS for years. You’re post really helped me make sure I was actually doing what I thought I was doing, THANKS!
Great Post Chris, just be aware that by deleting the entire config, you remove syslogging from the messages file, which may bite you down the track.
And yes, +1 for not putting fxp0 route into inet.0 – Juniper could at least let us put fxp0 into it’s own VR and not break IPSEC.
Of course, I’m making the assumption that the user will add back in anything they need. I just much prefer to start with a clean slate, as I don’t like the default configurations Juniper is putting in their enterprise-class devices.
Great post. I’ve read a lot of Junos books but i needed something like this to cement my understanding. How does VRF actually differ from a VR?
Great post, came across this on my quest to understand better the differences between packet and flow mode. Newbie to Junos, studying for JNCIS-SEC now (yes, I know it is not in that exam, but my point is to *learn* stuff, not just pass on a test.)
Thanks for all the content!
thanks for your perfect post, but you miss to mentioned SCREENS, because once you delete the entire config. there is no screens like follows:set security screen ids-option untrusted-internet icmp fragment
set security screen ids-option untrusted-internet icmp ping-death
set security screen ids-option untrusted-internet ip bad-option
set security screen ids-option untrusted-internet ip spoofing
set security screen ids-option untrusted-internet ip source-route-option
set security screen ids-option untrusted-internet ip unknown-protocol
set security screen ids-option untrusted-internet ip tear-drop
set security screen ids-option untrusted-internet tcp syn-flood alarm-threshold 1024
set security screen ids-option untrusted-internet tcp syn-flood attack-threshold 200
set security screen ids-option untrusted-internet tcp syn-flood source-threshold 1024
set security screen ids-option untrusted-internet tcp syn-flood destination-threshold 2048
set security screen ids-option untrusted-internet tcp syn-flood queue-size 2000
set security screen ids-option untrusted-internet tcp syn-flood timeout 20
set security screen ids-option untrusted-internet tcp land
set security screen ids-option untrusted-internet udp flood threshold 1000
I didn’t miss it, I’m simply not including it. I’m making the assumption that the person following the tutorial understands that after wiping the configuration, they will need to re-add whatever config is relevant or needed.