Saturday, 15 December 2012

Junos : How to launch Junos Pulse (VPN) and perform a RDP from iPhone/iPad

The following procedure helps to configure Junos pulse on iPad/iPhone to launch VPN and perform RDP access:


  • Go to the Apple App store to download the Junos Pulse client and RDP Lite app.

  • Network Connect (Pre-7.2R1 code) or VPN Tunneling (from 7.2R1 IVE code) has to be configured on the IVE, which will help the user to connect to SSL-VPN using Junos pulse client from the iPad/iPhone.

  • User Role, User Realm, and Sign-in Policy are required with Network Connect configured on the IVE.

  1. On IVE go to Users > Users Role > New User Role > General > Enable Network Connect (Prior to 7.2R1 IVE OS) or VPN Tunneling (In IVE OS 7.2R1 and onwards) and then click Save Changes.


  2. Go to the newly created role's Network Connect/VPN Tunneling tab and ensure that the Split Tunneling Options are set correctly and then click Save Changes.

  3. If Enable split tunneling is configured, make sure that the Split tunneling Resource Policy is applied for that role on IVE under Users > Resource Policies > Network Connect > Split-tunneling Networks (specify the IP address of the Terminal service resource,which you need to access from Junos Pulse on iOS devices; by using any RDP app from the app store).

    If Disable Split Tunneling or Allow access to local subnet is selected, ensure that the ACL under the Access tab on IVE under Users > Resource Policies > Network Connect > Network Connect Access Control allows the specified RDP host IP address.

  4. Configure the NC Connection Profile on IVE under Users > Resource Policies > Network Connect > NC Connection Profiles:

    1. Click New Profile:

      When the SA Series device receives a client request to start a session, it assigns an IP address to the client; based on the IP address policies defined either through DHCP or the IP address pool. Apply to the desired role as well and save changes.

  5. On IVE under Users > Users Realm > New User realm > General:

    You can, by using the above procedure, launch the VPN connection on an iPhone or iPad and perform the RDP access.

    1. Select the Preferred Auth Server and save changes.

    2. Click the Role Mapping tab, create a New Rule, and apply it to the iPhone role as configured in step 1.

  6. Now go to Authentication > Signing In > Sign-in Policies > New URL, create the new Sign-in URL and apply it to the iPhone realm only and save changes.

  7. On the iPhone:

    1. Launch the Junos Pulse App, which was downloaded from the Apple App store.

    2. Configure the Junos Pulse App with the IVE Sign-in URL and a user-friendly name. Save changes.

    3. Click the Connect button on the Junos Pulse App; this will start the connection.

    4. Provide the credentials to authenticate; once authenticated, you will be able to see the VPN icon, as shown in the following image (this confirms that the VPN tunnel is connected):


  8. Perform the RDP Access:

    1. Click the Home button on the iPhone/iPad to exit the Junos Pulse app user interface. Launch the RDP app downloaded from the Apple App store (for example - RDP lite is one application, which can be used for RDP access and is a free download from the Apple App store).

    2. Click Configure on the RDP lite App and then click New.

    3. Specify the Host address for the remote computer; for which the RDP is being performed (ACL for this Host IP address should be specified as described in step-3) and click the back button.

    4. Now you will be able to see the configured Host IP address; click the profile.

    5. This will initiate the RDP access and you will get connected to the RDP device.

Sunday, 9 December 2012

Junos : Sending IDP and traffic logs to a syslog server in SRX

If you want to forward your IDP and traffic session logs to a syslog server, here is how we can do it;

1) First inside the security policy we should set that we want to log session initiations e.g;
{primary:node0}[edit]
root@srx210-1# top show security policies 
from-zone downlink to-zone wan {
    policy net-access {
        match {
            source-address net_210;
            destination-address any;
            application any;
        }
        then {
            permit {
                application-services {
                    idp;
                }
            }
            log {
 session-init;
            }
        }
    }
}

2) Then syslog server configuration;
root@srx210-1# show system syslog        
host 192.168.103.20 {
    any any;
    match "RT_IDP|RT_FLOW_SESSION";
    structured-data;
}

After this we should be able to log our traffic logs to the syslog server 192.168.103.20
As you might see there is RT_IDP regular expression string for IDP logs as well. If you set the following configuration under
IDP rule base, you will also log IDP notifications.

3)  IDP notifications
{primary:node0}[edit]
root@srx210-1# show security idp idp-policy Recommended_1 
rulebase-ips {
    rule 1 {
        match {
            source-address any;
            destination-address any;
            application default;
            attacks {
                predefined-attacks ICMP:INFO:ECHO-REQUEST;
            }
        }
        then {
            action {
                drop-packet;
            }
            notification {
 log-attacks;
            }
        }
    }
}

Wednesday, 5 December 2012

Junos : Software Installation/Upgrade

Install Software via CLI (Method: from Junos software copied to SRX)

Refer to the following steps for copying the software to the SRX and then performing the software installation via the CLI:
  1. Copy software to SRX via SCP or FTP to /var/tmp: 
    For example:
    user@srx>  scp  junos-srxsme-11.4R4.4-domestic.tgz  user@srx:/var/tmp/junos-srxsme-11.4R4.4-domestic.tgz

    OR

    user@srx>  ftp <ip address of local ftp server>  (and login)
    user@srx>  lcd /var/tmp
    user@srx>  bin
    user@srx>  get junos-srxsme-11.4R4.4-domestic.tgz
    user@srx>  bye
  2. Install software with the commands below. 
    For example:
    From the local file in /var/tmp
    user@srx>  request system software add no-copy /var/tmp/junos-srxsme-11.4R4.4-domestic.tgz
    user@srx>  request system reboot

Monday, 3 December 2012

Junos : Routing Policy

Overview

A routing policy is the method that you can use to control what routes from dynamic routing policies (OSPF, BGP, RIP, etc) get imported into your routing table and or advertised to other peers or neighbors.

Import Policy

The import policy is responsible for changing or modifying any routes that are advertised to you by other neighbors or peers. Import policies are most commonly seen changing route metrics or preferences or filtering certain routes from being put into your routing table. The Import policy effects how your router views the world.

Export Policy

The export policy is responsible for filtering or modifying routes that you are adverting to other peers or neighbors. Export policies are most commonly seen changing metrics or preferences of routes or re advertising routes from other routing protocols into the protocol that has the export policy tied to it.

Default Routing Policies

Each routing protocol has a default routing policy associated with it that is not specifically defined in the configuration and each one is different.

RIP

By default (without a routing policy) a JunOS device will accept all RIP routes advertised to it by its explicitly configured neighbors but will not advertise those routes at all.

OSPF

Just like RIP, by default (without a routing policy) a JunOS device will accept all OSPF LSA's and exports all routes learned by OSPF but no other protocols. Link State Protocols depend on all routers having the exact same picture of the network so import and export policies on OSPF are pretty limited.

BGP

By default (without a routing policy) a JunOS device will import and export all BGP routes to and from the routing table.

Saturday, 24 November 2012

Junos : Junos vs Screen OS

[ScreenOS] vs [JunOS]

ScreenOS JUNOS Notes
Session & Interface counters    
get session > show security flow session  
get interface > show interface terse  
get counter stat
get counter stat <interface>
> show interface extensive
> show interface <interface> extensive
 
clear counter stat > clear interface statistics <interface>  
Debug & Snoop    
debug flow basic # edit security flow
# set traceoptions flag basic-datapath
# commit
-creates debugs in default file name: /var/log/security-trace
See KB16108 for traceoptions info.
set ff # edit security flow
# set traceoptions packet-filter
Packet-drop is a feature that will be added
get ff > show configuration | match packet-filter | display set  
get debug > show configuration | match traceoptions | display set  
get db stream View stored log: (recommended option)
> show log <file name> (enter h to see help options)
> show log security-trace (to view 'security flow' debugs)
> show log kmd (to view 'security ike' debugs)
View real-time: (use this option with caution)
> monitor start <debugfilename>
ESC-Q (to pause real-time output to screen)
‘monitor stop' stops real-time view , but debugs are still collected in log files
clear db > clear log <filename> (clears contents of file) Use ‘file delete <filename> to actually delete file>
undebug <debug> (stops collecting debugs) # edit security flow
# deactivate traceoptions OR # delete traceoptions (at the particular hierarchy)
# commit
Deactivate makes it easier to enable/disable.
Use activate traceoptions to activate.
undebug all Not available. You need to deactivate or delete traceoptions separately.  
debug ike detail # edit security ike
# set traceoptions flag ike
# commit
-creates debugs in default file name: kmd
snoop (packets THRU the JUNOS device) Use Packet Capture feature - Not supported on SRX 3x00/5x00 yet
snoop (packets TO the JUNOS device) > monitor traffic interface <int> layer2-headers
write-file option (hidden)
read-file (hidden)
-Only captures traffic destined for the RE of router itself.
- Excludes PING .
Event Logs    
get event > show log messages
> show log messages | last 20 (helpful cmd because newest log entries are at end of file)
 
get event | include <string> > show log messages | match <string>
> show log messages | match “<string> | <string> | <string>”
Examples:
> show log messages | match “error | kernel | panic”
> show log messages | last 20 | find error
Note: There is not an equivalent command for ‘get event include <string>'.

match
displays only the lines that contains the string

find
displays output starting from the first occurrence of the string
clear event > clear log messages  
  > show log  
Config & Software upgrade    
get config > show config (program structured format)
> show config | display set (set command format)
 
get license > show system license keys  
get chassis (serial numbers) > show chassis hardware detail > show chas environment
> show chas routing-engine
exec license > request system license [add | delete |save]  
unset all
reset
load factory-default
set system root-authentication plain-text-passsword
commit and-quit
request system reboot

load config from tftp <tftp_server> <configfile> > start shell and FTP config to router, i.e. /var/tmp/test.cfg. Then
# load override /var/tmp/test.cfg (or full path of config file)
-TFTP is not supported. Use only FTP, HTTP, or SCP.
load software from tftp <tftp_server> <screenosimage> to flash > request system software add
Example:
request system software add ftp:10.10.10.129/jsr/junos-srxsme-9.5R1.8-domestic.tgz reboot
-TFTP is not supported. Use only FTP. HTTP, or SCP.
-Use ‘request system software rollback' to rollback to previous s/w package
See KB16652.
save # commit OR
# commit and-quit
 
reset > request system reboot  
Policy    
get policy > show security policies  
get policy from <zone> to <zone> > show security policies from <zone> to <zone>  
VPN    
get ike cookie > show security ike security-associations  
get sa > show security ipsec security-associations > show security ipsec stat
clear ike cookie > clear security ike security-associations  
clear sa > clear security ipsec security-associations  
NSRP    
get nsrp > show chassis cluster status
> show chassis cluster interfaces
> show chassis cluster status redundancy-group <group>
 
exec nsrp vsd <vsd> mode backup (on master) see KB5885 > request chassis cluster failover redundancy-group <group> node <node>  
  > request chassis cluster failover reset redundancy-group <group>  
DHCP    
get dhcp client > show system services dhcp client See KB15753.
exec dhcp client <int> renew > request system services dhcp renew (or release)  
Routing    
get route > show route  
get route ip <ipaddress> > show route <ipaddress>  
get vr untrust-vr route > show route instance untrust-vr  
get ospf nei > show ospf neighbor  
set route 0.0.0.0/0 interface <int> gateway <ip> # set routing-options static route 0.0.0.0/0 next-hop <ip> See KB16572.
NAT    
get vip > show security nat destination-nat summary  
get mip > show security nat static-nat summary  
get dip > show security nat source-nat summary
> show security nat source-nat pool <pool>
 
Other    
get perf cpu > show chassis routing-engine  
get net-pak s > show system buffers  
get file > show system storage  
get alg > show configuration groups junos-defaults applications All pre-defined applications are located within the hidden group junos-defaults. If any ALGs are applied to the pre-defined applications, they will also be displayed with this command.
get service > show configuration groups junos-defaults applications  
get tech > request support information  
set console page 0 > set cli screen-length 0  
     
  > file list <path>
Example: file list /var/tmp/
Shows directory listing.
Note that / is needed at end of path
     
  #  =  configuration mode prompt  
  =  operational mode prompt  

Sunday, 18 November 2012

Junos : Configure Static Route

Creating Static Routes

The following example configures a static route of 10.2.2.0/24 with a next-hop address of 10.1.1.254:

user@host# set routing-options static route 10.2.2.0/24 next-hop 10.1.1.254

Creating Default Routes

The following example configures an IPv4 default route with a next-hop address of 10.1.1.254:

user@host# set routing-options static route 0.0.0.0/0 next-hop 10.1.1.254

Verification

To review a summary of the routes in the routing table, use the following operational mode command:

user@host> show route terse

Monday, 12 November 2012

Junos : Create a new admin user



JUNOS Software has predefined login classes that you assign to all users:
  • Operator
  • Read-only
  • Super-user
  • Unauthorized
.
J-Web Configuration
Using Predefined Login Classes

You can apply a login class when creating a new user account or to an existing user account.
To apply a login class to an existing user account:
  1. Select Configure>System Properties>User Management.
  2. Click Edit.
  3. In the Edit User Management dialog box, select a username, and click Edit.
  4. In the Login class list, select the level of permission for executing commands for the user.
  5. Click OK.
  6. In the Edit User Management dialog box, click OK.

Creating a New Admin User

To create a new admin user with super-user privileges:
  1. Select Configure>System Properties>User Management.
  2. Click Edit.
  3. In the Edit User Management dialog box, click Add.
  4. In the User name box, type the username of the user (for example, jlee).
  5. In the Password box, type the password for the user.
  6. In the Confirm password box, type the user password again.
  7. In the Login class list, select the level of permission for executing commands for the user (in this example, super-user).
  8. Click OK.
  9. In the Edit User Management dialog box, click OK.
If you are finished configuring the device, click Commit to commit the configuration.
CLI Configuration

Using Predefined Login Classes


You can review the available login classes by using the following command:

user@host# set system login user labuser class ?
Possible completions:
<class> Login class
operator permissions [ clear network reset trace view ]
read-only permissions [ view ]
super-user permissions [ all ]
unauthorized permissions [ none ]


In the following example, you apply the
operator login class to the user with the username of csmith:

user@host# set system login user csmith class operator

Creating a New Admin User


To create a new admin user, create a login user with super-user privileges:
  1. Create a user account named jlee, which has super-user privileges.

user@host# set system login user jlee class super-user authentication plain-text-password
  1. Enter the password for the user, and enter the password again. The password does not appear as you type.
New password:
Retype new password:

Tuesday, 6 November 2012

Junos : Configuring an interface and security zone on an SRX Series device.

Network Interface Naming

Junos uses the following interface naming conventions:
  • The show interface terse command displays a list of the interfaces. 
user@host> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up 
ge-0/0/0.0              up    up   inet     10.85.49.150/24
gr-0/0/0                up    up 
ip-0/0/0                up    up 
lsq-0/0/0               up    up 
lt-0/0/0                up    up 
mt-0/0/0                up    up 
pd-0/0/0                up    up 
pe-0/0/0                up    up 
 

  • The syntax for the interface name, such as ge-0/0/0, is as follows:
Interface Type - Slot / Module / Port . Logical number  
  • All numbers for the slot, module, and port start with 0.
  • For example :
    ge-0/0/0 = First onboard Gigabit Interface
    st0.0 = First Secure Tunnel Interface (VPN Tunnel)
    lo0 = First loopback interface
  • Wildcards--Many commands accept wildcards in the interface names.
  • For example:
    show interfaces ge-0/0/*

Security Zone

A security zone is a collection of interfaces that define a security boundary. Internal network interfaces may be assigned to a security zone named "trust," and external network interfaces may be assigned to a security zone named "untrust." Security policies are then used to control transit traffic between security zones. For more information about security zones.

CLI

The following example configures a security zone with one interface:
  1. Verify existing security zones, and verify which interfaces have been assigned to the security zones by using one of the following commands: user@host> show security zones
    user@host>
    show interfaces
  2. Configure the ge-0/0/1.0 interface with the IP address 192.168.20.2/24.
  3. user@host# set interfaces ge-0/0/1 unit 0 family inet address 192.168.20.2/24.


  1. If a security zone name does not exist, configure a security zone:
user@host# set security zones security-zone trust
  1. Assign the ge-0/0/1.0 interface to the trust security zone.
user@host# set security zones security-zone trust interfaces ge-0/0/1.0
 





Saturday, 3 November 2012

Junos : What is Junos Pulse



Junos Pulse is an endpoint software platform that enables dynamic SSL VPN connectivity, network access control (NAC), mobile security, online meetings and collaboration, and application acceleration, through an simple yet elegant user interface. It removes the complexity from network connectivity and access control, and delivers optimal connectivity to end users depending on their device type and security state, location, identity, and adherence to corporate access control policies.
Junos Pulse provides easy deployment and management for administrators and easy access for users by intelligently delivering and enabling services through a single, integrated user interface for both mobile and non-mobile devices. Administrators can simplify and secure fast, seamless mobile, remote, and local network, cloud, and application access for end users by configuring policies that automatically enable the appropriate network or cloud connection — with no user interaction required.
Junos Pulse also:
  • Enables mobile and remote network access, network security, and application acceleration, increasing visibility and manageability while enabling secure access to network resources based on user identity and role.
  • Reduces the cost and time associated with deployment.
  • Uses industry and open standards, such as the Trusted Network Connect (TNC) specifications.
  • Serves as a platform for integration of select third-party, best-in-class security, access and connectivity applications.
  • Delivers a value-added services platform for service providers.
Junos Pulse is the only integrated access, security, collaboration, and acceleration services, solution for virtually any device — mobile or non-mobile — that today's businesses need.

Thursday, 25 October 2012

Junos : How to recover root password for Junos

  1. Reboot the system
  2. From console, interrupt the boot routine:
            Hit [Enter] to boot immediately, or any other key for command prompt.
            Booting [kernel] in 9 seconds...
     
            < Press the space bar at this point > 
     
  3. Enter into single-user mode:
            Type '?' for a list of commands, 'help' for more detailed help.
            ok  boot -s
    
    
  4. If you have the following system output, enter recovery, hit enter and skip to step 8.

    Otherwise continue with next step.
            System watchdog timer disabled
            Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery
    
    
  5. Enter the shell:
            System watchdog timer disabled
            Jan  1 00:36:47 init: /etc/spwd.db: No such file or directory
            Enter full pathname of shell or RETURN for /bin/sh:  
       
  6. Mount the virtual file systems. (Note that it is not necessary to mount the jbase package; however the other packages still need to be mounted):
            NOTE: to go to multi-user operation, exit the single-user shell (with ^D)
            # cd /packages
            # ./mount.jbase
            Mounted jbase package on /dev/vn1...
            # ./mount.jkernel
            Mounted jkernel package on /dev/vn2...
            # ./mount.jroute
            Mounted jroute package on /dev/vn3...
     
    
  7. Enter recovery mode:
            # /usr/libexec/ui/recovery-mode
     
  8. Enter configuration mode and change the root authentication password:
            root> configure 
            Entering configuration mode
     
            [edit]
            root# set system root-authentication plain-text-password    
            New password:
            Retype new password:
    
    
  9. Commit the changes, and exit configuration mode
            [edit]
            root # commit 
            commit complete
     
            [edit]
            root@router# exit 
            Exiting configuration mode
     
            root@router> exit 
     
  10. Exit recovery mode and enter 'y' when prompted to reboot the system:
            Reboot the system? [y/n] y
            Terminated
    
    The system now reboots and changes made to root authentication are activated.

Saturday, 20 October 2012

Junos: Basic Command

Version and Version Detail

show version: Lists which version of Junos OS is running on your device. It also shows the hostname of the device and the Juniper model number.
show version detail: Shows the version of all Junos processes running on the device.

Chassis Hardware and Chassis Hardware Detail

show chassis hardware: Displays hardware inventory of the device and components installed in the device. Shows version, Juniper part number, serial number, and description of each component.
show chassis hardware detail: Displays version, part number, and serial number for all memory installed on device components.

Configuration

configure: Accesses configuration mode.
show configuration: Displays the configuration currently running (active) on the device.
commit confirmed: Activates configuration changes, but returns to previous configuration automatically if you don’t actively accept the new configuration. Use: When you’re committing a configuration that you think may lock you out of the device or otherwise disrupt access to the device, use this command to guarantee that you’ll be able to log in to the device.

Back Up and Roll Back

request system snapshot: Backs up the device’s file systems, including configurations.
rollback: Returns to the previously active device configuration.
file list detail /config and file list detail /var/db/config: Lists the backup configuration files on the device.

Interfaces

show interfaces terse: Lists all interfaces (network cards) present in the box and shows whether they’re operational (up or down) and lists IP addresses of each interface. This command shows one interface per line, so it’s easily scannable.
show interfaces: Multiline output per interface lists properties of the physical (hardware) interface, including MAC address and hardware MTU, and of the logical (unit or subinterface) interface, including protocol MTU configured protocol addresses.
show interfaces interface-name: Multiline output for a single physical interface. Shows both physical and logical interface information.
show interfaces detail, show interfaces detail interface-name, show interfaces extensive, and show interfaces extensive interface-name: Show increasingly more detailed information about all interfaces or about a specific interface. The detail version adds interface statistics, and the extensive version adds error counters. Output is long, so you generally specify an interface name.

Routing

show route: Lists the entries in all the device’s routing tables. Variants include the following:
  • show route inet.0: Lists all IPv4 routes.
  • show route inet.6l: Lists all IPv6 routes.
  • show route detail: Adds route preference, next hop, and other information.
  • show route protocol: Lists all routes learned by the specified routing protocol.
  • show route forwarding-table: Lists the entries in all the device’s forwarding tables. Use:Lets you check which active routes are actually being used to forward traffic from the device toward network destinations.
show rip neighbor: Lists the RIP routers (neighbors) in the network.
show isis interface: Lists the device’s interfaces running IS-IS.
show isis adjacency: Lists the IS-IS routers (adjacencies) in the network.
show ospf interface: Lists the device interfaces running OSPF.
show ospf neighbor: Lists the IS-IS routers (neighbors) in the network.
show bgp neighbor: Lists the BGP routers to which this device is connected.
show bgp summary: Lists BGP group, peer, and session state information.
show route protocol bgp: Lists the routes learned from BGP.

Switching

show Ethernet-switching interfaces: Lists information about the switched Ethernet interfaces.
show vlans: Lists the configured VLANs.
show virtual-chassis status: Lists the role and member ID assignments in a virtual-chassis configuration.
show spanning-tree bridge: Lists configured or calculated Spanning Tree Protocol parameters.
show spanning-tree interface: Lists configured or calculated interface-level Spanning Tree Protocol (STP) parameters.

Maintenance

show log messages: Lists the system log messages in the default syslog file messages. The syslog family monitors all system-wide operations on the device and records them to syslog files. This command displays time-stamped entries so that you can see what has occurred on the device and when it occurred. Useful for tracking down device, network, and traffic flow problems.
show system uptime: Lists how long a device has been up and running. Shows you the last time that the device was powered on, restarted, or rebooted.
loading...