Basic Tuning Juniper SRX Series
There are already several articles about configuring Juniper SRX routers (for example, one, two, three, etc.). In this one I will try to consolidate the useful information and supplement it with a few nice little things.
Details for everyone interested are below the cut.
A new Juniper SRX240B fell into my hands, and everything that follows applies to it. Since JunOS is positioned as a single OS for the whole series (at least), draw your own conclusions about how far it carries over. I am using JunOS version 12.1X46-D20.5 (the latest at the time of writing):
cartman@gw-jsrx240# run show version
Hostname: gw-jsrx240
Model: srx240b
JUNOS Software Release [12.1X46-D20.5]
To begin with, let's outline the small set of tasks we are going to solve:
- Source NAT
- DHCP Server
- DNS Server
- SSH Hardening
- IDP, Security Features
Let's go.
Source NAT
To configure source NAT, just run the following commands:
cartman@gw-jsrx240# show security nat | display set
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
Or in the form of a config:
cartman@gw-jsrx240# show security nat
source {
    rule-set trust-to-untrust {
        from zone trust;
        to zone untrust;
        rule source-nat-rule {
            match {
                source-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    interface;
                }
            }
        }
    }
}
With this configuration, ALL networks configured on the router's internal interfaces will be NATed. If you need to NAT only some of them, then instead of:
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
you need to write (the example is given for the network 172.16.1.0/27):
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 172.16.1.0/27
DHCP Server
Now let's configure our SRX as a DHCP server. It is assumed that the interfaces are already configured and that we need a DHCP server only on the vlan.0 interface:
cartman@gw-jsrx240# show system services dhcp | display set
set system services dhcp maximum-lease-time 21600
set system services dhcp default-lease-time 21600
set system services dhcp pool 172.16.1.0/27 address-range low 172.16.1.2
set system services dhcp pool 172.16.1.0/27 address-range high 172.16.1.30
set system services dhcp pool 172.16.1.0/27 router 172.16.1.1
set system services dhcp propagate-settings vlan.0
Or in the form of a config:
cartman@gw-jsrx240# show system services dhcp
maximum-lease-time 21600;
default-lease-time 21600;
pool 172.16.1.0/27 {
    address-range low 172.16.1.2 high 172.16.1.30;
    router {
        172.16.1.1;
    }
}
propagate-settings vlan.0;
Here we set the lease lifetime to 6 hours (6 * 60 min * 60 sec = 21600 sec); the default gateway to 172.16.1.1; and the address distribution to start at 172.16.1.2 and end at 172.16.1.30 (the range the DHCP server will serve).
These options apply only to the vlan.0 interface. If necessary, it can be replaced with a physical interface name, for example ge-0/0/1.
Statistics on the DHCP server can be viewed with the following command:
cartman@gw-jsrx240# run show system services dhcp statistics
Packets dropped:
    Total                      0
Messages received:
    BOOTREQUEST                0
    DHCPDECLINE                0
    DHCPDISCOVER               0
    DHCPINFORM                 0
    DHCPRELEASE                0
    DHCPREQUEST                0
Messages sent:
    BOOTREPLY                  0
    DHCPOFFER                  0
    DHCPACK                    0
    DHCPNAK                    0
DNS Server
Now let's move on to setting up the DNS server. Starting with Junos OS version 12.1x44D10, DNS proxy is supported, so let's configure it:
cartman@gw-jsrx240# show system services dns | display set
set system services dns forwarders 8.8.8.8
set system services dns forwarders 8.8.4.4
set system services dns dns-proxy interface vlan.0
set system services dns dns-proxy cache gw-jsrx240.HOME.local inet 172.16.1.1
Or in the form of a config:
cartman@gw-jsrx240# show system services dns
forwarders {
    8.8.8.8;
    8.8.4.4;
}
dns-proxy {
    interface {
        vlan.0;
    }
    cache {
        gw-jsrx240.HOME.local inet 172.16.1.1;
    }
}
Here we enabled the DNS server on the vlan.0 interface; created an A record for gw-jsrx240.HOME.local (you can add several such records yourself); and set up DNS forwarders for all other DNS queries.
If the DNS server needs to be enabled for all internal interfaces, then this can be done as follows (if there are several VLANs, then the settings must be made accordingly):
cartman@gw-jsrx240# show system name-server | display set
set system name-server 172.16.1.1
Or in the form of a config:
cartman@gw-jsrx240# show system name-server
172.16.1.1;
Statistics on DNS queries can be viewed as follows:
cartman@gw-jsrx240# run show system services dns-proxy statistics
DNS proxy statistics :
    Status                : enabled
    IPV4 Queries received : 0
    IPV6 Queries received : 0
    Responses sent        : 0
    Queries forwarded     : 0
    Negative responses    : 0
    Positive responses    : 0
    Retry requests        : 0
    Pending requests      : 0
    Server failures       : 0
    Interfaces            : vlan.0
The entries in the DNS cache can be viewed like this (the cache output itself is not shown here, because there are a lot of entries):
cartman@gw-jsrx240# run show system services dns-proxy cache
Clear the DNS cache like this:
cartman@gw-jsrx240# run clear system services dns-proxy cache
SSH Hardening
Now let's try to secure our SSH server (even if it faces the outside). In place of SSH_RSA_PUBLIC_KEY you need to insert your own SSH RSA public key:
cartman@gw-jsrx240# show system services ssh | display set
set system services ssh root-login deny
set system services ssh protocol-version v2
set system services ssh connection-limit 5
set system services ssh rate-limit 5
cartman@gw-jsrx240# show system login | display set
set system login retry-options tries-before-disconnect 5
set system login retry-options backoff-threshold 1
set system login retry-options backoff-factor 10
set system login retry-options minimum-time 30
set system login user cartman full-name "FIRST_NAME LAST_NAME"
set system login user cartman uid 2000
set system login user cartman class super-user
set system login user cartman authentication ssh-rsa "SSH_RSA_PUBLIC_KEY"
Or in the form of a config:
cartman@gw-jsrx240# show system services ssh
root-login deny;
protocol-version v2;
connection-limit 5;
rate-limit 5;
cartman@gw-jsrx240# show system login
retry-options {
    tries-before-disconnect 5;
    backoff-threshold 1;
    backoff-factor 10;
    minimum-time 30;
}
user cartman {
    full-name "FIRST_NAME LAST_NAME";
    uid 2000;
    class super-user;
    authentication {
        ssh-rsa "SSH_RSA_PUBLIC_KEY"; ## SECRET-DATA
    }
}
Explanations:
- root-login deny - forbid root from logging in via SSH
- protocol-version v2 - allow only SSH protocol version 2
- connection-limit 5 - maximum number of simultaneous SSH connections
- rate-limit 5 - maximum number of new SSH connections per minute
- tries-before-disconnect 5 - how many password attempts are allowed before the session is dropped
- backoff-threshold 1 - after THIS number of incorrect password attempts, the delay is enabled
- backoff-factor 10 - once the backoff-threshold is reached, the user is blocked for 10 seconds
- minimum-time 30 - the number of seconds allowed for entering a password, after which the session is dropped
I prefer to leave root the ability to log in with a password, but only through the console; all other users log in only with keys, subject to the restrictions above.
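As an added example (not code from the original post), here is a small Python checker that parses `display set` output and verifies the SSH and login settings from the explanations above, and also reports which source prefixes the rule from the Source NAT section matches (so a 0.0.0.0/0 match is visible at a glance). Both configs embedded in it are constructed from the post's values; the user `bob` and `$1$PLACEHOLDER` are made-up counterexamples.

```python
"""Audit a Junos 'display set' dump for the post's SSH/login hardening and
source-NAT scope (added example; the sample configs are constructed)."""
import re
import shlex

# Constructed sample: the hardened box from the post (key-only user, root-login deny).
HARDENED_SET = """
set system services ssh root-login deny
set system services ssh protocol-version v2
set system services ssh connection-limit 5
set system services ssh rate-limit 5
set system login retry-options tries-before-disconnect 5
set system login retry-options backoff-threshold 1
set system login retry-options backoff-factor 10
set system login retry-options minimum-time 30
set system login user cartman authentication ssh-rsa "SSH_RSA_PUBLIC_KEY"
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
"""
# Constructed sample of a box that skipped the hardening: root over SSH, password-only user.
WEAK_SET = """
set system services ssh root-login allow
set system login user bob authentication encrypted-password "$1$PLACEHOLDER"
set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 172.16.1.0/27
"""

def parse_set_lines(text):
    """Map 'set a b c value' to {'a b c': ['value', ...]}; a path may repeat."""
    conf = {}
    for line in text.splitlines():
        if line.startswith("set "):
            tokens = shlex.split(line[4:])  # shlex keeps a quoted key as one token
            if len(tokens) >= 2:
                conf.setdefault(" ".join(tokens[:-1]), []).append(tokens[-1])
    return conf

def audit_ssh_hardening(conf):
    """Return findings against the post's baseline; an empty list means it is met."""
    findings = []
    for key, want in (("system services ssh root-login", "deny"),
                      ("system services ssh protocol-version", "v2")):
        if conf.get(key) != [want]:
            findings.append(f"{key} should be {want}, got {conf.get(key, ['unset'])[0]}")
    numeric = ["system services ssh " + k for k in ("connection-limit", "rate-limit")] + [
        "system login retry-options " + k for k in
        ("tries-before-disconnect", "backoff-threshold", "backoff-factor", "minimum-time")]
    for key in numeric:
        if not conf.get(key, [""])[0].isdigit():
            findings.append(f"{key} is not set")
    for key in conf:  # non-root users should hold SSH keys, not passwords (the post's rule)
        m = re.fullmatch(r"system login user (\S+) authentication (\S*password)", key)
        if m:
            findings.append(f"user {m.group(1)} uses {m.group(2)}, expected an SSH key")
    return findings

def nat_scope(conf):
    """Map 'rule-set/rule' to the prefixes it NATs; 0.0.0.0/0 means every internal network."""
    scope = {}
    for key, vals in conf.items():
        m = re.fullmatch(r"security nat source rule-set (\S+) rule (\S+) match source-address", key)
        if m:
            scope[f"{m.group(1)}/{m.group(2)}"] = vals
    return scope
```

Feed it the output of `show configuration | display set` captured from the device to check a box against the same baseline.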
IDP, Security Features
cartman@gw-jsrx240# show security screen | display set
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
Or in the form of a config:
cartman@gw-jsrx240# show security screen
ids-option untrust-screen {
    icmp {
        ping-death;
    }
    ip {
        source-route-option;
        tear-drop;
    }
    tcp {
        syn-flood {
            alarm-threshold 1024;
            attack-threshold 200;
            source-threshold 1024;
            destination-threshold 2048;
            timeout 20;
        }
        land;
    }
}
In the end...
Do not forget to commit, otherwise none of the changes will take effect:
cartman@gw-jsrx240# commit check
configuration check succeeds
cartman@gw-jsrx240# commit
commit complete
Summary
The final config can be viewed below. For quite reasonable money, the router provides all the functions needed.
cartman@gw-jsrx240# show
## Last changed: 2014-07-12 20:15:48 MSK
version 12.1X46-D20.5;
system {
    host-name gw-jsrx240;
    domain-name HOME.local;
    domain-search HOME.local;
    time-zone Europe/Moscow;
    authentication-order password;
    root-authentication {
        encrypted-password "$1$ENCRYPTED_PASSWORD"; ## SECRET-DATA
    }
    name-server {
        172.16.1.1;
    }
    name-resolution {
        no-resolve-on-input;
    }
    login {
        retry-options {
            tries-before-disconnect 5;
            backoff-threshold 1;
            backoff-factor 10;
            minimum-time 30;
        }
        user cartman {
            full-name "FIRST_NAME LAST_NAME";
            uid 2000;
            class super-user;
            authentication {
                ssh-rsa "SSH_RSA_PUBLIC_KEY"; ## SECRET-DATA
            }
        }
    }
    services {
        ssh {
            root-login deny;
            protocol-version v2;
            connection-limit 5;
            rate-limit 5;
        }
        dns {
            forwarders {
                8.8.8.8;
                8.8.4.4;
            }
            dns-proxy {
                interface {
                    vlan.0;
                }
                cache {
                    gw-jsrx240.HOME.local inet 172.16.1.1;
                }
            }
        }
        web-management {
            https {
                port 443;
                system-generated-certificate;
                interface vlan.0;
            }
            session {
                idle-timeout 300;
                session-limit 2;
            }
        }
        dhcp {
            maximum-lease-time 21600;
            default-lease-time 21600;
            pool 172.16.1.0/27 {
                address-range low 172.16.1.2 high 172.16.1.30;
                router {
                    172.16.1.1;
                }
            }
            propagate-settings vlan.0;
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp {
        server 0.pool.ntp.org prefer;
        server 1.pool.ntp.org;
        server 2.pool.ntp.org;
        server 3.pool.ntp.org;
    }
}
interfaces {
    interface-range interfaces-trust {
        member-range ge-0/0/1 to ge-0/0/15;
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/0 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/8 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/9 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/10 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/11 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/12 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/13 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/14 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    ge-0/0/15 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                address 172.16.1.1/27;
            }
        }
    }
}
protocols {
    stp;
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone trust {
            policy trust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            ssh;
                            dhcp;
                        }
                    }
                }
            }
        }
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.0;
            }
        }
    }
}
vlans {
    vlan-trust {
        vlan-id 10;
        l3-interface vlan.0;
    }
}
If I get an invite, I will describe the settings for PPPoE, Dynamic VPN, Site-to-Site VPN, etc.