Juniper : Introduction to the Junos Operating System: November 2014

Saturday 22 November 2014

Restart a Junos OS Process

Action

To restart a Junos OS process, use the following Junos OS CLI operational mode command and include the process you wish to restart. For example:

user@host> restart routing

Sample Output

user@host> restart routing Routing protocol daemon started, pid 751

Meaning

The sample output shows that the routing protocol daemon was restarted and the process identification (PID) was changed from 685 in the previous sample output to 751.

Options to Restart a Junos OS Process

Option	Description
class-of-service	Restart the class-of-service process, which controls the router’s class-of-service configuration.
gracefully	Restart the software process by sending the equivalent of a UNIX SIGTERM signal.
immediately	Immediately restart the process by sending the equivalent of a UNIX SIGKILL signal.
interface-control	Restart the interface process, which controls the router’s physical interface devices and logical interfaces.
mib-process	Restart the Management Information Base (MIB) II process, which provides the router’s MIB II agent.
network-access-service	Restart the network access process, which provides the router’s Challenge Handshake Authentication Process (CHAP) authentication service.
remote-operations	Restart the remote operations process, which provides the ping and traceroute MIBs.
routing	Restart the routing protocol process, which controls the routing protocols that run on the router and maintains the routing tables.
sampling	Restart the sampling process, which performs packet sampling and cflowd export.
snmp	Restart the Simple Network Management Process (SNMP) process, which provides the router’s SNMP master agent.
soft	Reread and reactivate the configuration without completely restarting the software processes. For example, Border Gateway Protocol (BGP) peers stay up and the routing table stays constant. This option is the equivalent of a UNIX SIGHUP signal; omitting this option is the equivalent of a UNIX SIGTERM (kill) operation.

Monday 10 November 2014

SRX Getting Started - Install license for Antivirus, Web Filter, IDP, or Antispam

Following steps involved in installing a license for Antivirus, Web Filter (URL Filter), IDP or Antispam on a SRX device.

Problem or Goal:

Install subscription license

Cause:

Solution:
The following features require a subscription license:

Antivirus
Web Filter
IDP
Antispam

The high memory system option is also required to use these features. UTM is not supported on the low memory version. For ordering information, refer to the SRX datasheet.

The instructions for installing the subscription licence via the CLI are documented below. For J-Web instructions, refer to the Technical Documentation link below.

Install Subscription License

Perform the following steps to activate, install, and verify the subscription license:

First, activate your subscription license by entering the authorization code and chassis serial number into the Subscription Registration system. Refer to KB9731 - How do I activate a subscription license for my ScreenOS firewall or SRX Series product for more information. If you still need help, please contact Customer Care for subscription and licensing issues.

Then, install the license on the SRX in one of two ways -- automatically or manually:
a. Automatically:
Confirm the SRX device has connectivity to the Internet and DNS configured. Then run the following command to request the license from the License Management Server and install it:

root> request system license update

(The output of the command show configuration system license displays the default URL for the License Management Server.)

OR
b. Manually:
Licenses can also be loaded manually via JWeb, NSM, or using the CLI. The CLI command is as follows:

root> request system license add terminal[Type ^D at a new line to end input, enter blank line between each license key] Paste the license key and press enter
Type Ctrl+D

The License key should be added successfully.

Verify the license is installed using the command:

root> show system license 
License usage: 
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed 
  av_key_kaspersky_engine               0            1           0    2013-03-06 01:00:00 CET
  anti_spam_key_sbl                     1            0           1    25 days
  wf_key_surfcontrol_cpa                1            0           1    25 days

SRX Branch platforms support three different Anti-Virus types. For Antivirus-Express engine and Kaspersky engine look for the feature name "av_key_kaspersky_engine". For Sophos engine, look for the feature name "av_key_sophos_engine".

Note:

SRX Branch platform supports three different Web-Filter (URL Filtering) types. For Integrated Web Filtering look for the feature name "wf_key_surfcontrol_cpa". For Enhanced Web Filtering, look for the feature name "wf_key_websense_ewf ". The Redirect Web filtering feature does not need a license on the SRX.

For IDP, look for feature 'idp-sig'.

For Antispam, look for feature "anti_spam_key_sbl"

NOTE: If running a Chassis Cluster, then the license needs to be installed on both nodes.

Trial licenses are available and valid for 4 weeks; you can only fetch a trial license once per year for each device serial number. Use the command: request system license update trial

Tuesday 4 November 2014

JUNOS : Configuring IPS Features on the SRX

Getting Started with IPS on the SRX

We should perform a few steps before we configure SRX IPS. Here is a list of things to do before configuring the SRX for IPS functionality:

Install the license.
You must install an IDP license before you can download any attack objects. If you are using only custom attack objects, you don’t need to install a license (earlier versions had a bug where they required it), but if you want to download Juniper predefined attack objects, you must have this license. Juniper provides you with the ability to download a 30-day trial license to permit this functionality for a brief period of time to evaluate the functionality. We covered license installation earlier in the book; all you need is the request system license add command either specifying a file, or copying and pasting it into the terminal.
Configure network access.
Before you can download the attack objects, you must have network connectivity to either the Juniper download server or a local server from which the signatures can be downloaded. This typically requires network configuration ...

Deploying and Tuning IPS

Deploying IPS requires a slight learning curve. You could memorize every command and feature by heart, and still have a rocky deployment. The challenge is that every environment is different, just like a fingerprint or DNA. There are different applications, different volumes of the applications, different policies on what is accepted activity, and different resources to protect; all which can make for different goals for the IPS. Although this book can’t tell you exactly what your policy should be, it can certainly help you to build and deploy that policy.

First Steps to Deploying IPS

Before you get too caught up in the actual deployment do a bit of legwork and map out the policy which you want to deploy. Think of it as brainstorming for your IPS. You should identify the assets you want to protect, and identify the systems and applications and how they interact with others in your network. You may need to contact the application owners beforehand to identify this information. You should also determine your IPD protection goals. This would include the types of threats you want to prevent, and any other factors that might limit the scope of the deployment. (Often this involves management approval so that there aren’t any surprises.)

Building the Policy

Once you have identified the assets and the goals of the IPS, and you have gotten all of the necessary approvals, you should be ready to build your IPS policy on the SRX. Remember that if you are using predefined