Tuesday, 2 December 2014

VPN Monitoring -

When you enable VPN monitoring for a specific tunnel, the security device sends ICMP echo requests (or “pings”) through the tunnel at specified intervals (configured in seconds) to monitor network connectivity through the tunnel.
When Optimized is selected, the VPN monitoring behavior changes as follows:
  • The J Series or SRX Series device accepts incoming traffic through the VPN tunnel as a substitute for ICMP echo replies.
  • If there is both incoming and outgoing traffic through the VPN tunnel, the J Series or SRX Series device suppresses VPN monitoring pings.
If you enable VPN monitoring optimization, be aware that VPN monitoring can no longer provide accurate SNMP statistics.
Configure via the CLI:

set security ipsec vpn <vpn-name> vpn-monitor optimized

Saturday, 22 November 2014

Restart a Junos OS Process

Action
To restart a Junos OS process, use the following Junos OS CLI operational mode command and include the process you wish to restart. For example:
user@host> restart routing

Sample Output
user@host> restart routing
Routing protocol daemon started, pid 751

Meaning
The sample output shows that the routing protocol daemon was restarted and the process identification (PID) was changed from 685 in the previous sample output to 751. 


Options to Restart a Junos OS Process

Option                   Description
class-of-service         Restart the class-of-service process, which controls the router’s class-of-service configuration.
gracefully               Restart the software process by sending the equivalent of a UNIX SIGTERM signal.
immediately              Immediately restart the process by sending the equivalent of a UNIX SIGKILL signal.
interface-control        Restart the interface process, which controls the router’s physical interface devices and logical interfaces.
mib-process              Restart the Management Information Base (MIB) II process, which provides the router’s MIB II agent.
network-access-service   Restart the network access process, which provides the router’s Challenge Handshake Authentication Protocol (CHAP) authentication service.
remote-operations        Restart the remote operations process, which provides the ping and traceroute MIBs.
routing                  Restart the routing protocol process, which controls the routing protocols that run on the router and maintains the routing tables.
sampling                 Restart the sampling process, which performs packet sampling and cflowd export.
snmp                     Restart the Simple Network Management Protocol (SNMP) process, which provides the router’s SNMP master agent.
soft                     Reread and reactivate the configuration without completely restarting the software processes. For example, Border Gateway Protocol (BGP) peers stay up and the routing table stays constant. This option is the equivalent of a UNIX SIGHUP signal; omitting this option is the equivalent of a UNIX SIGTERM (kill) operation.

Monday, 10 November 2014

SRX Getting Started - Install license for Antivirus, Web Filter, IDP, or Antispam

The following steps describe how to install a license for Antivirus, Web Filter (URL Filter), IDP or Antispam on an SRX device.


Problem or Goal:
Install subscription license

Cause:

Solution:
The following features require a subscription license:
  • Antivirus
  • Web Filter
  • IDP
  • Antispam
The high memory system option is also required to use these features. UTM is not supported on the low memory version.  For ordering information, refer to the SRX datasheet.  

The instructions for installing the subscription license via the CLI are documented below. For J-Web instructions, refer to the Technical Documentation link below.

Install Subscription License

Perform the following steps to activate, install, and verify the subscription license:
  1. First, activate your subscription license by entering the authorization code and chassis serial number into the Subscription Registration system. Refer to KB9731 - How do I activate a subscription license for my ScreenOS firewall or SRX Series product for more information. If you still need help, please contact Customer Care for subscription and licensing issues.


  2. Then, install the license on the SRX in one of two ways -- automatically or manually:
    a. Automatically
    Confirm the SRX device has connectivity to the Internet and DNS configured.  Then run the following command to request the license from the License Management Server and install it:

     root> request system license update          

    (The output of the command show configuration system license displays the default URL for the License Management Server.)

    OR
    b. Manually:
    Licenses can also be loaded manually via J-Web, NSM, or the CLI. The CLI command is as follows:

    root> request system license add terminal
    [Type ^D at a new line to end input,
    enter blank line between each license key]
    Paste the license key and press enter
    Type Ctrl+D

    The License key should be added successfully.


  3. Verify that the license is installed using the command:
    root> show system license
    License usage: 
                                     Licenses     Licenses    Licenses    Expiry
      Feature name                       used    installed      needed 
      av_key_kaspersky_engine               0            1           0    2013-03-06 01:00:00 CET
      anti_spam_key_sbl                     1            0           1    25 days
      wf_key_surfcontrol_cpa                1            0           1    25 days
     
    • SRX Branch platforms support three different antivirus types. For the Antivirus Express engine and the Kaspersky engine, look for the feature name "av_key_kaspersky_engine". For the Sophos engine, look for the feature name "av_key_sophos_engine".
    • Note: Sophos Antivirus is supported from Junos 11.1 onwards. The Antivirus Express feature is not supported on the SRX100 and SRX110 platforms.
    • SRX Branch platforms support three different Web Filter (URL filtering) types. For Integrated Web Filtering, look for the feature name "wf_key_surfcontrol_cpa". For Enhanced Web Filtering, look for the feature name "wf_key_websense_ewf". The Redirect Web Filtering feature does not need a license on the SRX.
    • For IDP, look for the feature name "idp-sig".
    • For Antispam, look for the feature name "anti_spam_key_sbl".

NOTE: If running a Chassis Cluster, then the license needs to be installed on both nodes.

Trial licenses are available and valid for 4 weeks; you can only fetch a trial license once per year for each device serial number. Use the command:

request system license update trial
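The verification step above is easy to do once by eye but easy to forget afterwards, and a UTM feature whose license lapses silently stops protecting traffic. As an added example (my own script, not part of the original article or of Junos), the following Python parses the show system license output shown in step 3, flags features that are in use without an installed license (needed > 0), and flags licenses that have expired or expire within a warning window. The embedded output and the fixed "current time" are constructed from the sample above; the regular expressions, the 30-day warning window and the treatment of any other Expiry text (such as a permanent license) as having no deadline are my assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the 'show system license' output shown in step 3 above.
LICENSE_SAMPLE = """\
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  av_key_kaspersky_engine               0            1           0    2013-03-06 01:00:00 CET
  anti_spam_key_sbl                     1            0           1    25 days
  wf_key_surfcontrol_cpa                1            0           1    25 days
"""

# Constructed "current time" so the sample evaluates the same way on every run.
SAMPLE_NOW = datetime(2013, 2, 20)

# One usage row: feature name, three integer counters, then whatever Expiry text follows.
ROW = re.compile(
    r"^\s*(?P<feature>\S+)\s+(?P<used>\d+)\s+(?P<installed>\d+)\s+(?P<needed>\d+)\s*(?P<expiry>.*?)\s*$"
)


def parse_license_usage(output):
    """Map each feature name to its used/installed/needed counters and raw Expiry text."""
    rows = {}
    for line in output.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # the title and the two column-header lines carry no counters
        rows[m.group("feature")] = {
            "used": int(m.group("used")),
            "installed": int(m.group("installed")),
            "needed": int(m.group("needed")),
            "expiry": m.group("expiry"),
        }
    return rows


def expiry_deadline(expiry, now):
    """Convert the Expiry column to an absolute datetime, or None if it is not a deadline.

    The sample shows two forms: a timestamp ('2013-03-06 01:00:00 CET'; the time
    zone suffix is ignored here) and a remaining-time string ('25 days'). Anything
    else, e.g. a permanent license, is treated as having no deadline (assumption).
    """
    m = re.match(r"(\d+)\s+days?\b", expiry)
    if m:
        return now + timedelta(days=int(m.group(1)))
    m = re.match(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}", expiry)
    if m:
        return datetime.strptime(m.group(0), "%Y-%m-%d %H:%M:%S")
    return None


def license_findings(output, now=None, warn_days=30):
    """Return {feature: [problems]} for features that are unlicensed, expired or expiring soon."""
    now = now or datetime.now()
    findings = {}
    for feature, row in parse_license_usage(output).items():
        problems = []
        if row["needed"] > 0:
            # needed > 0: the feature is configured but no installed license covers it
            problems.append("in use without an installed license")
        deadline = expiry_deadline(row["expiry"], now)
        if deadline is not None:
            days_left = (deadline - now).days
            if days_left < 0:
                problems.append("expired")
            elif days_left <= warn_days:
                problems.append(f"expires in {days_left} days")
        if problems:
            findings[feature] = problems
    return findings


if __name__ == "__main__":
    for feature, problems in license_findings(LICENSE_SAMPLE, SAMPLE_NOW).items():
        print(f"{feature}: {'; '.join(problems)}")
```

Run it against the live output (for example, piped from a scheduled show system license over SSH) and alert on any non-empty result; in a chassis cluster, run it on both nodes, since the note below says the license must be installed on each.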

Tuesday, 4 November 2014

JUNOS : Configuring IPS Features on the SRX

Getting Started with IPS on the SRX

We should perform a few steps before we configure SRX IPS. Here is a list of things to do before configuring the SRX for IPS functionality:
  1. Install the license.
    You must install an IDP license before you can download any attack objects. If you are using only custom attack objects, you don’t need to install a license (earlier versions had a bug where they required it), but if you want to download Juniper predefined attack objects, you must have this license. Juniper provides you with the ability to download a 30-day trial license to permit this functionality for a brief period of time to evaluate the functionality. We covered license installation earlier in the book; all you need is the request system license add command either specifying a file, or copying and pasting it into the terminal.
  2. Configure network access.
    Before you can download the attack objects, you must have network connectivity to either the Juniper download server or a local server from which the signatures can be downloaded. This typically requires network configuration ...

Deploying and Tuning IPS

Deploying IPS requires a slight learning curve. You could memorize every command and feature by heart and still have a rocky deployment. The challenge is that every environment is different, just like a fingerprint or DNA. There are different applications, different volumes of those applications, different policies on what is accepted activity, and different resources to protect, all of which can make for different goals for the IPS. Although this book can’t tell you exactly what your policy should be, it can certainly help you to build and deploy that policy.

First Steps to Deploying IPS

Before you get too caught up in the actual deployment, do a bit of legwork and map out the policy you want to deploy. Think of it as brainstorming for your IPS. You should identify the assets you want to protect, and identify the systems and applications and how they interact with others in your network. You may need to contact the application owners beforehand to identify this information. You should also determine your IPS protection goals. These would include the types of threats you want to prevent, and any other factors that might limit the scope of the deployment. (Often this involves management approval so that there aren’t any surprises.)

Building the Policy

Once you have identified the assets and the goals of the IPS, and you have gotten all of the necessary approvals, you should be ready to build your IPS policy on the SRX. Remember that if you are using predefined

Friday, 31 October 2014

Need to make a new user's home directory manually on all SRX platforms (including Firefly Perimeter) running with Junos OS release 12.1X47-D10

Alert Type:

PSN - Product Support Notification
 
Product Affected:

All SRX platforms and Firefly Perimeter
 
Alert Description:

Due to an internal build error, if a new user is configured on any SRX device (including Firefly Perimeter) running Junos OS 12.1X47-D10, the user's home directory will not be created automatically.



e.g.,

[edit]
root@SRX# set system login user newuser class operator authentication plain-text-password 
New password:
Retype new password:

[edit]
root@SRX# commit and-quit 
commit complete
Exiting configuration mode

root@SRX> file list detail /var/home/ | match newuser    

root@SRX>


If you try to log in to the SRX device with the new username, the login succeeds, but an error message is shown because the shell cannot change to the user's home directory:
% ssh newuser@172.22.145.106
Password:
--- JUNOS 12.1X47-D10.4 built 2014-08-14 22:48:52 UTC
Could not chdir to home directory /var/home/newuser: No such file or directory
newuser@SRX> 

Solution:
The correction is included in Junos OS 12.1X47-D11 (refer to the download links below), 12.1X47-D15 (scheduled to be released in early December 2014) and above.



Workaround:
  1. After creating the new user on the CLI or in J-Web, type start shell or start shell user root in the Junos CLI.
  2. Create the user's home directory and change its ownership:

% mkdir -p /var/home/(username)

% chown -R -P -f (userid or username):20 /var/home/(username)
e.g.,

root@SRX> start shell 
root@SRX% mkdir -p /var/home/newuser
root@SRX% chown -R -P -f newuser:20 /var/home/newuser
root@SRX% ls -al /var/home/newuser
total 8
drwxr-xr-x   2 newuser  20      512 Oct  8 21:47 .
drwxr-xr-x  34 root     wheel  1024 Oct  8 21:47 ..


OR

root@SRX% chown -R -P -f 2009:20 /var/home/newuser
root@SRX% ls -al /var/home/newuser
total 8
drwxr-xr-x   2 newuser  20      512 Oct  8 21:47 .
drwxr-xr-x  34 root     wheel  1024 Oct  8 21:47 ..


NOTE: The userid's of each login name can be verified from the configuration.
e.g.,

[edit]
root@SRX# show system login user newuser 
uid 2009;   <-- LOOK HERE (uid stands for userid)
class operator;
authentication {
    encrypted-password "$1$FyKeeKqo$XKT8V1udIJbT9f4fpw2Yc."; ## SECRET-DATA
}

Friday, 17 October 2014

SRX tcp-proxy resource exhaustion for ALG/IDP/UTM traffic with client/server communication using TCP keepalives

Product Affected:

All SRX platforms
Junos OS 11.4
Junos OS 12.1
Junos OS 12.1X44
Alert Description:
SRX tcp-proxy resources may reach the device limit during processing of ALG/IDP/UTM traffic if the client/server communication uses the TCP keepalive mechanism, resulting in session setup failure for new ALG/IDP/UTM traffic.

During SRX processing of ALG/IDP/UTM traffic involving TCP keepalives, upon receipt of a server-to-client TCP keepalive, the SRX sends a TCP keepalive response back to the server on behalf of the client via the tcp-proxy. However, the received keepalive is not forwarded to the client, so the client, which never sees any keepalive packets, establishes a new session with the server. The old SRX session and its associated tcp-proxy resource are not freed, because the server's continued keepalives keep being answered by the tcp-proxy.
The process repeats, resulting in session build-up on the SRX and exhaustion of the available tcp-proxy resources.

Locate tcp-proxy resource limit
     SRX Datacenter
1) Open Shell connection
     >start shell

2) Elevate to root level access (as needed)
     % su (enter in root password)

3) Locate tcp-proxy resource limit per SPC
     root@srx5800% srx-cprod.sh -s spu -c "show usp nat cp sys" | grep proxy
  usp_max_tcpproxy_connection = 10240
  usp_max_tcpproxy_connection = 10240
  usp_max_tcpproxy_connection = 10240
  usp_max_tcpproxy_connection = 10240


      SRX Branch-Campus
1) Locate the device tcp-proxy resource limit
   >request pfe execute target fwdd command "show usp nat cp sys" | match proxy
    GOT: usp_max_tcpproxy_connection = 4096

Verify current tcp-proxy resource usage
     SRX Datacenter
1) Open Shell connection
    >start shell

2) Elevate to root level access (as needed)
    % su (enter in root password)

3) Locate current usage of tcp-proxy
    root@srx5800% srx-cprod.sh -s spu -c "show usp jsf tcpstats" | grep "flow_tcb alloc\|Start SPU" | uniq
   ======== Start SPU4.0, fpc4.pic0, spu ========
   flow_tcb alloc cnt : 0000000000 flow_tcb free cnt : 0000000000
   ======== Start SPU4.1, fpc4.pic1, spu ========
   flow_tcb alloc cnt : 0000012487 flow_tcb free cnt : 0000008741
   ======== Start SPU11.0, fpc11.pic0, spu ========
   flow_tcb alloc cnt : 0000011452 flow_tcb free cnt : 0000007930
   ======== Start SPU11.1, fpc11.pic1, spu ========
   flow_tcb alloc cnt : 0000012874 flow_tcb free cnt : 0000009016

4) For each SPC Subtract 'flow_tcb free cnt' from 'flow_tcb alloc cnt'
    fpc4.pic0           0 -      0  =      0  
    fpc4.pic1    12487 - 8741  = 3746 in use
    fpc11.pic0   11452 - 7930  = 3522 in use
    fpc11.pic1   12874 - 9016  = 3858 in use

      SRX Branch-Campus
1) Open Shell connection
  >start shell

2) Elevate to root level access (as needed)
    % su (enter in root password)

3) Locate current usage of tcp-proxy
    root@PN-STL-RTR1% cprod -A fwdd -c show usp jsf tcpstats | grep "flow_tcb alloc" | uniq
  flow_tcb alloc cnt : 0000000015 flow_tcb free cnt : 0000000012

4) Subtract 'flow_tcb free cnt' from 'flow_tcb alloc cnt'
    15 - 12 = 3 in use
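Step 4 of both procedures is the same arithmetic per SPU, and the point of doing it is to notice the build-up before new ALG/IDP/UTM sessions start failing. As an added example (my own script, not part of the original alert or of Junos), the following Python parses the show usp jsf tcpstats output from either platform, computes alloc minus free per SPU, and reports any SPU at or above a percentage of the tcp-proxy limit. The two embedded outputs are constructed from the samples above; the regular expressions, the "fwdd" label used for the header-less branch output and the 80 percent warning threshold are my assumptions.

```python
import re

# Constructed samples: the command outputs shown in the procedure above. The
# data-center output carries one 'Start SPU' header per SPU; the branch output
# (cprod -A fwdd ...) has a single counter pair and no header.
DC_SAMPLE = """\
======== Start SPU4.0, fpc4.pic0, spu ========
flow_tcb alloc cnt : 0000000000 flow_tcb free cnt : 0000000000
======== Start SPU4.1, fpc4.pic1, spu ========
flow_tcb alloc cnt : 0000012487 flow_tcb free cnt : 0000008741
======== Start SPU11.0, fpc11.pic0, spu ========
flow_tcb alloc cnt : 0000011452 flow_tcb free cnt : 0000007930
======== Start SPU11.1, fpc11.pic1, spu ========
flow_tcb alloc cnt : 0000012874 flow_tcb free cnt : 0000009016
"""
BRANCH_SAMPLE = "flow_tcb alloc cnt : 0000000015 flow_tcb free cnt : 0000000012\n"

# Limits as displayed by 'show usp nat cp sys' in the procedure above.
DC_LIMIT = 10240
BRANCH_LIMIT = 4096

SPU_HEADER = re.compile(r"^=+\s*Start\s+\S+,\s*(?P<spu>fpc\d+\.pic\d+)")
TCB_LINE = re.compile(
    r"flow_tcb alloc cnt\s*:\s*(?P<alloc>\d+)\s+flow_tcb free cnt\s*:\s*(?P<free>\d+)"
)


def parse_tcpstats(output, default_name="fwdd"):
    """Return {spu: (alloc, free, in_use)} with in_use = alloc - free (step 4 above).

    Counter pairs seen before any 'Start SPU' header (the branch case) are filed
    under default_name, a label chosen here and not a Junos identifier.
    """
    usage = {}
    current = default_name
    for line in output.splitlines():
        header = SPU_HEADER.match(line.strip())
        if header:
            current = header.group("spu")
            continue
        counters = TCB_LINE.search(line)
        if counters:
            alloc, free = int(counters.group("alloc")), int(counters.group("free"))
            usage[current] = (alloc, free, alloc - free)
    return usage


def check_headroom(usage, limit, warn_pct=80):
    """Return [(spu, in_use, percent_of_limit)] for SPUs at or above warn_pct of limit,
    so the workaround can be applied before session setup starts to fail."""
    alerts = []
    for spu, (_alloc, _free, in_use) in sorted(usage.items()):
        pct = 100 * in_use // limit
        if pct >= warn_pct:
            alerts.append((spu, in_use, pct))
    return alerts


if __name__ == "__main__":
    dc_usage = parse_tcpstats(DC_SAMPLE)
    for spu, (alloc, free, in_use) in sorted(dc_usage.items()):
        print(f"{spu:12} {alloc:6} - {free:6} = {in_use:5} in use")
    print("data-center alerts:", check_headroom(dc_usage, DC_LIMIT))
    branch_usage = parse_tcpstats(BRANCH_SAMPLE)
    print("branch:", branch_usage, check_headroom(branch_usage, BRANCH_LIMIT))
```

Feed it the raw command output rather than the grep-filtered version, since the header lines are what tie each counter pair to its SPU; on the sample data no SPU exceeds 80 percent of the 10240 limit, but the same counts would exceed it against the 4096 branch limit.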
Solution:
The following software releases have enhanced SRX handling of tcp-keepalive processing.
    Junos OS 12.1X45
    Junos OS 12.1X46
    Junos OS 12.1X47 and higher versions


The enhancement lets the SRX tcp-proxy learn the TCP keepalive parameters from both the client and the server, so that the tcp-proxy sends TCP keepalives to both the client and the server, and closes the SRX session and its associated tcp-proxy resource when 16 tcp-proxy keepalives go unanswered.


Workaround:
Before the resource limit is reached, close the SRX sessions associated with client/server communication that uses TCP keepalives, which frees the associated SRX tcp-proxy resources.

SRX clusters:
Fail over the data redundancy groups (RG1+) to the peer node. This triggers the tcp-proxy to send packets to both client and server, causing the client to issue a RST and the associated SRX session to close:

    >request chassis cluster failover redundancy-group <#> node <#>

or manually clear the sessions for client/server communication that uses TCP keepalives:

    >clear security flow session source-prefix <x.x.x.x> destination-prefix <y.y.y.y>

Standalone SRX:
Manually clear the sessions for client/server communication that uses TCP keepalives:

    >clear security flow session source-prefix <x.x.x.x> destination-prefix <y.y.y.y>

Saturday, 4 October 2014

Junos Dates & Milestones

Product                FRS Date    End of Engineering   End of Support
Junos 14.1             06/13/2014  06/13/2016           12/13/2016
Junos 13.3 [1]         01/22/2014  01/22/2017           07/22/2017
Junos 13.2             08/29/2013  08/29/2015           02/29/2016
Junos 13.1             03/15/2013  03/15/2015           09/15/2015
Junos 12.3X54 [4]      07/18/2014  07/18/2016           01/18/2017
Junos 12.3X52 [4]      08/23/2013  08/23/2015           02/23/2016
Junos 12.3X51 [4]      03/15/2013  03/15/2015           09/15/2015
Junos 12.3 [1]         01/31/2013  01/31/2016           07/31/2016
Junos 12.2             09/05/2012  09/05/2014           03/05/2015
Junos 12.1X47 [2]      08/18/2014  08/18/2016           02/18/2017
Junos 12.1X46 [1,2,3]  12/30/2013  12/30/2016           06/30/2017
Junos 12.1X45 [2]      07/17/2013  07/17/2014           01/17/2015
Junos 12.1X44 [1,2]    01/18/2013  01/18/2016           07/18/2016
Junos 12.1             03/28/2012  03/28/2014           09/28/2014
Junos 11.4 [1]         12/21/2011  12/21/2014           06/21/2015
Junos 11.3             08/15/2011  07/15/2012           03/15/2013
Junos 11.2             08/03/2011  06/15/2012           02/15/2013
Junos 11.1             03/29/2011  11/15/2011           05/15/2012
Junos 10.4 [1]         12/08/2010  12/08/2013           06/08/2014
Junos 10.3             08/15/2010  08/03/2011           12/21/2011
Junos 10.2             05/28/2010  05/15/2011           11/15/2011
Junos 10.1             02/15/2010  11/15/2010           05/15/2011
Junos 10.0 [1]         11/04/2009  11/15/2012           05/15/2013
Junos 9.6              08/06/2009  05/06/2010           11/06/2010
Junos 9.5              04/14/2009  02/15/2010           08/15/2010
Junos 9.4              02/11/2009  11/11/2009           05/11/2010
Junos 9.3 [1]          11/14/2008  11/15/2011           05/15/2012
Junos 9.2              08/12/2008  05/12/2009           11/12/2009
Junos 9.1              04/28/2008  01/28/2009           07/28/2009
Junos 9.0              02/15/2008  11/15/2008           05/15/2009
Junos 8.5 [1]          11/16/2007  11/16/2010           05/16/2011
Junos 8.4              08/09/2007  05/09/2008           11/09/2008
Junos 8.3              04/18/2007  01/18/2008           07/18/2008
Junos 8.2              02/15/2007  11/15/2007           05/15/2008
Junos 8.1 [1]          11/06/2006  11/06/2009           05/06/2010
Junos 8.0              08/15/2006  05/15/2007           11/15/2007
Junos 7.6              05/15/2006  02/15/2007           08/15/2007
Junos 7.5              02/08/2006  11/08/2006           05/08/2007
Junos 7.4              11/15/2005  08/15/2006           02/15/2007
Junos 7.3              08/16/2005  05/16/2006           11/16/2006
Junos 7.2              05/14/2005  02/14/2006           08/14/2006
Junos 7.1              02/14/2005  11/14/2005           05/14/2006
Junos 7.0              11/15/2004  08/15/2005           02/15/2006
Junos 6.4              08/12/2004  05/12/2005           11/12/2005
Junos 6.3              05/15/2004  02/15/2005           08/15/2005
Junos 6.2              02/15/2004  11/15/2004           05/15/2005
Junos 6.1              11/15/2003  08/15/2004           02/15/2005
Junos 6.0              08/15/2003  05/15/2004           11/15/2004
Junos 5.7              05/15/2003  02/15/2004           08/15/2004
Junos 5.6              02/15/2003  11/15/2003           05/15/2004
Junos 5.5              11/15/2002  08/15/2003           02/15/2004
Junos 5.4              08/12/2002  05/15/2003           11/15/2003
Junos 5.3              05/12/2002  02/15/2003           08/15/2003
Junos 5.2              02/12/2002  11/12/2002           05/15/2003
Junos 5.1              11/07/2001  08/12/2002           02/15/2003
Junos 5.0              08/17/2001  05/15/2002           11/15/2002
Junos 4.4              04/30/2001  02/12/2002           08/15/2002
Junos 4.3              01/31/2001  11/12/2001           05/15/2002
Junos 4.2              10/16/2000  08/13/2001           02/15/2002
Junos 4.1              08/15/2000  05/14/2001           11/15/2001
Junos 4.0              03/31/2000  02/12/2001           08/15/2001

Pre-12.1 Releases (other than EEOL Releases):
EOE date: The earlier of (i) the date eighteen (18) months from first general availability or (ii) two (2) subsequent releases of such software.
EOL/EOS date: The earlier of (i) the date twelve (12) months after the EOE date or (ii) two (2) subsequent releases of such software.
Release 12.1 and following (other than EEOL Releases):
EOE date: The date twenty four (24) months after the first general availability date.
EOL/EOS date: The date six (6) months after the EOE date.
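The 12.1-and-later rule is simple enough to apply mechanically, which is useful when deciding whether a fleet is running code that still receives engineering fixes. As an added example (my own script, not part of the original post or of any Juniper tool), the following Python implements that rule with calendar-correct month arithmetic, checks a subset of rows from the table against it, and classifies a release as supported, past end of engineering, or past end of support on a given date. The rows are copied from the table above; treating the rows carrying footnote marker [1] as having a 36-month engineering window is my assumption, inferred from the three-year spacing of those rows, since the footnote text itself is not on the page.

```python
import calendar
from datetime import date

# Rows copied from the table above: release, FRS, End of Engineering, End of Support,
# and whether the row carries footnote marker [1] (assumed here to mean a 36-month
# engineering window, which is what those rows' dates show).
TABLE = [
    ("Junos 14.1", "06/13/2014", "06/13/2016", "12/13/2016", False),
    ("Junos 13.3", "01/22/2014", "01/22/2017", "07/22/2017", True),
    ("Junos 13.2", "08/29/2013", "08/29/2015", "02/29/2016", False),
    ("Junos 12.3", "01/31/2013", "01/31/2016", "07/31/2016", True),
    ("Junos 12.2", "09/05/2012", "09/05/2014", "03/05/2015", False),
    ("Junos 12.1X47", "08/18/2014", "08/18/2016", "02/18/2017", False),
    ("Junos 12.1", "03/28/2012", "03/28/2014", "09/28/2014", False),
]


def parse_us_date(text):
    """Parse the table's MM/DD/YYYY dates."""
    month, day, year = (int(part) for part in text.split("/"))
    return date(year, month, day)


def add_months(d, months):
    """Advance a date by whole months, clamping the day to the target month's length
    (01/31 + 1 month is 02/28, while 08/29/2013 + 30 months lands on 02/29/2016)."""
    index = d.month - 1 + months
    year, month = d.year + index // 12, index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def eoe_eos_dates(frs, eeol=False):
    """Apply the 'Release 12.1 and following' rule: EOE = FRS + 24 months,
    EOS = EOE + 6 months. Footnote-[1] releases use 36 months to EOE (assumption)."""
    eoe = add_months(frs, 36 if eeol else 24)
    return eoe, add_months(eoe, 6)


def verify_table(rows):
    """Return the releases whose listed dates do not match the computed policy dates."""
    mismatches = []
    for release, frs, eoe, eos, eeol in rows:
        if eoe_eos_dates(parse_us_date(frs), eeol) != (parse_us_date(eoe), parse_us_date(eos)):
            mismatches.append(release)
    return mismatches


def support_status(release, rows, on):
    """Classify a release on a given date using the table's listed dates."""
    for name, _frs, eoe, eos, _eeol in rows:
        if name == release:
            if on < parse_us_date(eoe):
                return "supported"
            if on < parse_us_date(eos):
                return "end of engineering"
            return "end of support"
    raise KeyError(release)


if __name__ == "__main__":
    print("rows disagreeing with the policy:", verify_table(TABLE))
    for release in ("Junos 12.1", "Junos 12.2", "Junos 14.1"):
        print(release, support_status(release, TABLE, parse_us_date("12/02/2014")))
```

On the date of the most recent post above (2 December 2014), 12.1 is already past end of support, 12.2 is past end of engineering, and 14.1 is still supported; a release in the middle state still ships security fixes in its remaining service releases but gets no new engineering work.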