SRX CoS configuration example

QoS

> configure

# edit interfaces ge-0/0/0

# set unit 0 family inet filter input MapCoS
# set per-unit-scheduler

# top

# set policy-options prefix-list VlanA20Percent 10.0.0.0/24
# set policy-options prefix-list VlanB80Percent 10.0.1.0/24
# set policy-options prefix-list VlanB80Percent 10.0.2.0/24
# set policy-options prefix-list MNG 2.2.2.2/32

# edit class-of-service

# set classifiers dscp Classifie_VLAN import default

# set forwarding-classes queue 5 VlanA20Percent
# set forwarding-classes queue 1 VlanB80Percent

# set interfaces ge-0/0/0 unit 0 scheduler-map VLAN_Map
# set interfaces ge-0/0/0 unit 0 classifiers dscp Classifie_VLAN
# set interfaces ge-0/0/1 unit 0 scheduler-map VLAN_Map
# set interfaces ge-0/0/1 unit 0 classifiers dscp Classifie_VLAN

# set scheduler-maps VLAN_Map forwarding-class VlanA20Percent scheduler VlanA20Percent
# set scheduler-maps VLAN_Map forwarding-class VlanB80Percent scheduler VlanB80Percent

# set schedulers VlanA20Percent transmit-rate percent 20
# set schedulers VlanA20Percent shaping-rate percent 20
# set schedulers VlanA20Percent buffer-size percent 20
# set schedulers VlanA20Percent priority high

# set schedulers VlanB80Percent transmit-rate percent 80
# set schedulers VlanB80Percent shaping-rate percent 80
# set schedulers VlanB80Percent buffer-size percent 80
# set schedulers VlanB80Percent priority low

# edit firewall filter MapCoS

# set term VlanA20Percent from prefix-list VlanA20Percent
# set term VlanA20Percent then forwarding-class VlanA20Percent
# set term VlanA20Percent then accept

# set term VlanB80Percent from prefix-list VlanB80Percent
# set term VlanB80Percent then forwarding-class VlanB80Percent
# set term VlanB80Percent then accept

# set term AllowMNG from source-prefix-list MNG
# set term AllowMNG then accept

# commit
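A configuration like this is easy to break by referring to a prefix-list or forwarding-class under a slightly different name, and Junos only reports some of those mismatches at commit time. The following Python linter is an added example (my own script, not part of the original post): it reads a configuration in `show configuration | display set` form and reports every prefix-list, forwarding-class or firewall filter that is referenced but never defined. The sample input is constructed from the CoS statements above.

```python
from typing import Dict, List, Set, Tuple

# Constructed sample: the CoS statements from the post, flattened to 'set' form.
SAMPLE = """
set interfaces ge-0/0/0 unit 0 family inet filter input MapCoS
set policy-options prefix-list VlanA20Percent 10.0.0.0/24
set policy-options prefix-list VlanB80Percent 10.0.1.0/24
set policy-options prefix-list MNG 2.2.2.2/32
set class-of-service forwarding-classes queue 5 VlanA20Percent
set class-of-service forwarding-classes queue 1 VlanB80Percent
set firewall filter MapCoS term VlanA80Percent from prefix-list VlanA80Percent
set firewall filter MapCoS term VlanA80Percent then forwarding-class VlanA80Percent
set firewall filter MapCoS term AllowMNG from source-prefix-list MNG
"""

PREFIX_LIST_KEYWORDS = {"prefix-list", "source-prefix-list", "destination-prefix-list"}

def lint(config: str) -> List[str]:
    """Return one message per dangling reference, in configuration order."""
    defined: Dict[str, Set[str]] = {"prefix-list": set(), "forwarding-class": set(), "filter": set()}
    refs: List[Tuple[str, str, str]] = []          # (where, kind, referenced name)
    for line in config.strip().splitlines():
        tok = line.split()
        if tok[:3] == ["set", "policy-options", "prefix-list"]:
            defined["prefix-list"].add(tok[3])
        elif tok[:3] == ["set", "class-of-service", "forwarding-classes"]:
            # accepts both 'queue <n> <name>' and 'class <name> queue-num <n>'
            defined["forwarding-class"].add(tok[5] if tok[3] == "queue" else tok[4])
        elif tok[:2] == ["set", "firewall"] and "filter" in tok:
            name = tok[tok.index("filter") + 1]
            defined["filter"].add(name)
            if "term" in tok:
                where = f"filter {name} term {tok[tok.index('term') + 1]}"
                for i, word in enumerate(tok[:-1]):
                    if word in PREFIX_LIST_KEYWORDS:
                        refs.append((where, "prefix-list", tok[i + 1]))
                    elif word == "forwarding-class":
                        refs.append((where, "forwarding-class", tok[i + 1]))
        elif tok[:2] == ["set", "interfaces"] and "filter" in tok:
            i = tok.index("filter")                   # ... filter input|output <name>
            refs.append((f"interface {tok[2]} unit {tok[4]}", "filter", tok[i + 2]))
    # Definitions may appear after their use, so resolve only after the full pass.
    return [f"{where}: {kind} '{name}' is not defined"
            for where, kind, name in refs if name not in defined[kind]]

if __name__ == "__main__":
    for problem in lint(SAMPLE):
        print(problem)
```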

Good Luck 🙂

By: Abed AL-R. Bishara


Junos NAT Examples

Download this PDF file


Content

Source NAT
Configuring address pools for Source NAT
Configuring source NAT using interface IP
Configuring source NAT using IP pool
Configuring source NAT using multiple rules
Destination NAT
Many to many translation
One to many translation
Double NAT
Source and destination translation
Static NAT

Blocking Sites via FQDN in SRX

This example walks through the configuration for two sites, youtube and facebook.

  • First, configure system name-servers so that the SRX can resolve the DNS names used below:

set system name-server 1.1.1.1
set system name-server 2.2.2.2

  • Configure address-book entries in the untrust zone by dns-name:

set security zones security-zone Untrust address-book address facebook dns-name facebook.com
set security zones security-zone Untrust address-book address youtube dns-name youtube.com ipv4-only
set security zones security-zone Untrust address-book address facebook_2 dns-name www.facebook.com
set security zones security-zone Untrust address-book address youtube_2 dns-name www.youtube.com

  • Add the address-book entries to an address-set:

set security zones security-zone Untrust address-book address-set deny-websites address facebook
set security zones security-zone Untrust address-book address-set deny-websites address youtube
set security zones security-zone Untrust address-book address-set deny-websites address facebook_2
set security zones security-zone Untrust address-book address-set deny-websites address youtube_2

  • Policy from trust to untrust zone:

set security policies from-zone Trust to-zone Untrust policy block-facebook match source-address any
set security policies from-zone Trust to-zone Untrust policy block-facebook match destination-address deny-websites
set security policies from-zone Trust to-zone Untrust policy block-facebook match application any
set security policies from-zone Trust to-zone Untrust policy block-facebook then deny

** Please note: if you already have a permit-all policy, insert the FQDN blocking policy before it, since policies are evaluated in order:

insert security policies from-zone Trust to-zone Untrust policy block-facebook before policy permitall

  • And of course don’t forget the commit:

commit

Verifying:

show security policies policy-name block-facebook detail
Policy: block-facebook, action-type: permit, State: enabled, Index: 11, Scope Policy: 0
Policy Type: Configured
Sequence number: 1
From zone: Trust, To zone: Untrust
Source addresses:
any-ipv4(global): 0.0.0.0/0
any-ipv6(global): ::/0
Destination addresses:
youtube_2: 212.179.154.242/32
youtube_2: 212.179.154.237/32
youtube_2: 212.179.154.217/32
youtube_2: 212.179.154.251/32
youtube_2: 212.179.154.212/32
youtube_2: 212.179.154.236/32
youtube_2: 212.179.154.246/32
youtube_2: 212.179.154.216/32
youtube_2: 212.179.154.241/32
youtube_2: 212.179.154.247/32
youtube_2: 212.179.154.221/32
youtube_2: 212.179.154.227/32
youtube_2: 212.179.154.226/32
youtube_2: 212.179.154.231/32
youtube_2: 212.179.154.232/32
youtube_2: 212.179.154.222/32
facebook_2: 31.13.93.209/32
facebook: 173.252.120.6/32
Application: any
IP protocol: 0, ALG: 0, Inactivity timeout: 0
Source port range: [0-0]
Destination port range: [0-0]
Per policy TCP Options: SYN check: No, SEQ check: No
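The detail output above is what tells you whether the block actually works: the action must be deny, and every dns-name must have resolved to at least one address. The following Python parser is an added example (my own script, not from the post) that reads the `show security policies ... detail` text and reports both conditions. The excerpt it runs on is constructed from the output above, shortened to a few addresses.

```python
import re
from typing import List, Set

# Constructed excerpt, modelled on the 'show security policies ... detail'
# output shown above (address list shortened).
SAMPLE = """\
Policy: block-facebook, action-type: permit, State: enabled, Index: 11, Scope Policy: 0
From zone: Trust, To zone: Untrust
Source addresses:
any-ipv4(global): 0.0.0.0/0
any-ipv6(global): ::/0
Destination addresses:
youtube_2: 212.179.154.242/32
youtube_2: 212.179.154.237/32
facebook_2: 31.13.93.209/32
facebook: 173.252.120.6/32
Application: any
"""

ENTRY = re.compile(r"^(\S+): (\S+/\d+)$")          # '<address-name>: <prefix>'

def parse_policy(output: str) -> dict:
    """Return the policy name, action and the prefixes behind each address name."""
    head = re.search(r"^Policy: (\S+), action-type: (\S+),", output, re.M)
    if not head:
        raise ValueError("no 'Policy:' header found")
    result = {"name": head.group(1), "action": head.group(2),
              "source": {}, "destination": {}}
    section = None
    for line in output.splitlines():
        if line.endswith(" addresses:"):            # 'Source addresses:' / 'Destination addresses:'
            section = line.split()[0].lower()
            continue
        m = ENTRY.match(line)
        if section and m:
            result[section].setdefault(m.group(1), []).append(m.group(2))
        else:
            section = None                           # any other line ends the address list
    return result

def check(output: str, expected_action: str, expected_names: Set[str]) -> List[str]:
    """Findings that would make the FQDN block ineffective."""
    info = parse_policy(output)
    findings = []
    if info["action"] != expected_action:
        findings.append(f"{info['name']}: action-type is {info['action']}, expected {expected_action}")
    for name in sorted(expected_names - set(info["destination"])):
        findings.append(f"{name}: no resolved addresses in the policy (check DNS)")
    return findings
```

Run against the output above with `check(SAMPLE, "deny", {"facebook", "youtube", "facebook_2", "youtube_2"})` it flags both the permit action and the youtube entry that resolved to nothing.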

Good Luck 🙂

Shared by : Abed AL-R. Bishara

Junos Policer (bandwidth-limit)

First we have to configure the policers, each with a bandwidth-limit, a burst-size-limit and the action for traffic that exceeds them:

set firewall policer VLANtrust_output if-exceeding bandwidth-limit 50m
set firewall policer VLANtrust_output if-exceeding burst-size-limit 1m
set firewall policer VLANtrust_output then discard

set firewall policer VLANtrust_input if-exceeding bandwidth-limit 10m
set firewall policer VLANtrust_input if-exceeding burst-size-limit 1m
set firewall policer VLANtrust_input then discard

Now we need to configure the filter:

**Upload configuration**

set firewall family inet filter VLANtrust_input term 0 from source-address 192.168.1.0/24
set firewall family inet filter VLANtrust_input term 0 then policer VLANtrust_input
set firewall family inet filter VLANtrust_input term 0 then accept

**Download configuration**

set firewall family inet filter VLANtrust_input term 1 from source-address 0.0.0.0/0
set firewall family inet filter VLANtrust_input term 1 then policer VLANtrust_output
set firewall family inet filter VLANtrust_input term 1 then accept

Assign the filter to the interface in both directions:

set interfaces vlan unit 1 family inet filter input VLANtrust_input
set interfaces vlan unit 1 family inet filter output VLANtrust_input

Note: If you want to calculate the burst-size-limit and don’t want to work with exact megabyte values, you can download the rate-limit calculator from this website or directly from this link.
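To make the relationship between bandwidth-limit (bits per second) and burst-size-limit (bytes) concrete, here is an added Python model of the single-rate policer (my own reconstruction for illustration, not Juniper's implementation). The packet traces it polices are constructed, and the rule of thumb in recommended_burst (at least 10 x MTU, or a few milliseconds at line rate) is an assumption, not a Junos rule.

```python
from typing import List, Tuple

SUFFIX = {"k": 1_000, "m": 1_000_000, "g": 1_000_000_000}   # Junos suffixes are decimal

def parse_junos_number(value: str) -> int:
    """'10m' -> 10_000_000; bare numbers pass through."""
    value = value.lower()
    if value[-1] in SUFFIX:
        return int(float(value[:-1]) * SUFFIX[value[-1]])
    return int(value)

def recommended_burst(bandwidth_limit: str, mtu: int = 1500, burst_ms: float = 5.0) -> int:
    """Rule of thumb (an assumption, not a Junos rule): at least 10 x MTU, or the bytes
    sent at the configured rate during a short burst window, whichever is larger."""
    return max(10 * mtu, int(parse_junos_number(bandwidth_limit) / 8 * burst_ms / 1000))

class Policer:
    """Single-rate two-colour policer as a token bucket: tokens (bytes) refill at
    bandwidth-limit/8 per second; the bucket holds at most burst-size-limit bytes."""
    def __init__(self, bandwidth_limit: str, burst_size_limit: str):
        self.rate = parse_junos_number(bandwidth_limit) / 8     # bytes per second
        self.depth = parse_junos_number(burst_size_limit)       # bucket size in bytes
        self.tokens = float(self.depth)
        self.last = 0.0

    def offer(self, t: float, length: int) -> bool:
        """True if a packet of `length` bytes arriving at time t (seconds) conforms."""
        self.tokens = min(self.depth, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if length <= self.tokens:
            self.tokens -= length
            return True
        return False                                            # 'then discard'

def simulate(bandwidth_limit: str, burst_size_limit: str, packets: List[Tuple[float, int]]) -> Tuple[int, int]:
    """Police (arrival_time_s, length_bytes) packets in order; return (accepted, discarded)."""
    policer = Policer(bandwidth_limit, burst_size_limit)
    accepted = sum(policer.offer(t, n) for t, n in packets)    # evaluated sequentially
    return accepted, len(packets) - accepted

# Constructed traffic aimed at the VLANtrust_input policer (10m, burst-size-limit 1m).
INSTANT_BURST = [(0.0, 1500)] * 1000                           # 1.5 MB arriving at once
SUSTAINED_12M = [(i / 1000, 1500) for i in range(10_000)]      # 12 Mb/s for 10 seconds

if __name__ == "__main__":
    print("1000 x 1500 B at once:", simulate("10m", "1m", INSTANT_BURST))   # (666, 334)
    print("12 Mb/s for 10 s:     ", simulate("10m", "1m", SUSTAINED_12M))
    print("suggested burst for 50m:", recommended_burst("50m"), "bytes")    # 31250
```

The instant burst shows the 1m bucket absorbing only the first 1 MB; the sustained 12 Mb/s trace shows the bucket draining over a few seconds and the policer then passing about five packets in six.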

Good Luck 🙂

By: Abed AL-R. Bishara

Advanced Monitoring and VPN Troubleshooting commands / hidden commands

For VPN debugging, the following enables IKE debug logging to the KMD log without the need to commit:

>request security ike debug-enable local <ip-address> remote <ip-address> level <level>

And to turn it off:

>request security ike debug-disable

Review logs written to /var/log/kmd:

> show log kmd

Checking the debug status:

> show security ike debug-status

For taking a tcpdump of an interface to analyze with Wireshark or similar (Hidden command):

>monitor traffic interface ge-0/0/1.0 write-file test.pcap

The capture can also be viewed on the SRX itself (hidden command):

>monitor traffic read-file test.pcap

To see default config settings (Hidden command):

# show groups junos-defaults

>show configuration groups junos-defaults

>show configuration groups junos-defaults applications

To see some system limits:

>show log nsd_chk_only

To see currently working Junos applications definitions (Hidden command):

>request pfe execute command "show usp app-def tcp" target fwdd
>request pfe execute command "show usp app-def udp" target fwdd

If you don't have root login but still want to capture PFE output without entering vty mode, pass the PFE command in quotes:

>request pfe execute target fwdd command "show usp threads"

To make all daemons re-read the configuration. (Hidden command):

# commit full

Another hidden command that is useful when troubleshooting is:

> show chassis cluster information ?

Disabling UTM process (Hidden command):

admin@AbedFirewall# set system services utmd
^
syntax error.

admin@AbedFirewall# set system processes utmd disable

admin@AbedFirewall# show | compare
[edit system]
+ processes {
+ utmd disable;
+ }
admin@AbedFirewall# commit check
configuration check succeeds

ALG Configuration (hidden command):

run show security alg configuration

Short form, sa instead of security-associations (hidden command):

> show security ike sa
> show security ipsec sa

Useful in HA (hidden command):

root@SRX# run set chassis cluster control-link-vlan ?
Possible completions:
disable Disable control VLAN tag
enable Enable control VLAN tag
reboot Reboot the system after setting the identifiers

Another good one (hidden command):

admin@AbedFirewall> start shell pfe network fwdd

BSD platform (OCTEON processor, 416MB memory, 8192KB flash)

FLOWD_OCTEON(AbedFirewall vty)#
clear clear commands
connect connect to a remote TNP endpoint
debug Debug commands
diagnostic diagnostic commands
eth eth commands
jsflib jsf lib information
pconnect connect to a remote PIP endpoint
peekbyte display memory in bytes
peeklong display memory in 32bit longs
peekword display memory in 16bit words
plugin plugin information
pty open a pty to a PIC
quit quit TTY environment
reboot reboot hardware
set set system parameters
show show system information
sleep pause for a few seconds
test test commands
undebug Undebug commands
vty open a vty to a remote TNP endpoint

FLOWD_OCTEON(AbedFirewall vty)# show threads
PID PR State Name Stack Use Time (Last/Max/Total) cpu
— — ——- ——————— ——— ———————
1 H asleep Maintenance 1144/73824 0/8/45 ms 0%
2 L running Idle 2200/73824 0/8/5518829 ms 0%
3 H asleep Timer Services 2120/73824 0/8/43707 ms 0%
5 L asleep Ukern Syslog 856/73824 0/0/0 ms 0%
6 L asleep Sheaf Background 1128/73824 0/8/8662 ms 0%
7 M asleep mac_db 856/73824 0/0/0 ms 0%
8 M asleep Docsis 2152/73824 0/8/22701 ms 0%
…….
214 L asleep Virtual Console 2168/73824 0/0/0 ms 0%

FLOWD_OCTEON(AbedFirewall vty)# show threads 214
PID PR State Name Stack Use Time (Last/Max/Total) cpu
— — ——- ——————— ——— ———————
214 L asleep Virtual Console 2168/73824 0/0/0 ms 0%

Wakeups:
Type ID Enabled Pending Context
Timer 00 No No 0x489ab068
Socket 00 Yes No 0x5027f088

Frame 00: sp = 0x502ceb10, pc = 0x08014cb0
Frame 01: sp = 0x502ceb88, pc = 0x0801b9b4
Frame 02: sp = 0x502cebc0, pc = 0x08047ee4
Frame 03: sp = 0x502cebf0, pc = 0x08046df0
Frame 04: sp = 0x502cec10, pc = 0x086df254
Frame 05: sp = 0x502cec38, pc = 0x0802b8ec
Frame 06: sp = 0x502cec60, pc = 0x000001a0

FLOWD_OCTEON(AbedFirewall vty)#

To log in to other node of SRX cluster (Hidden command):

{primary:node0}
lab@E1> request routing-engine login ?
Possible completions:
<[Enter]> Execute this command
| Pipe through a command
{primary:node0}
lab@E1> request routing-engine login node 1

— JUNOS 12.1R3.5 built 2012-08-09 07:05:23 UTC
{secondary:node1}
lab@E2>

——————————————

# set apply-flags omit

——————————————

request pfe execute target fwdd command "sh usp ipsec sa"

——————————————

show pfe interfaces

show pfe interfaces statistics

——————————————

show tnp addresses

——————————————

To login to other High-End node:

{primary:node1}
user@SRX-node1> start shell
% rlogin -Jk -T node0
— JUNOS 12.1X44-D40.2 built 2014-08-28 12:48:56 UTC
{secondary:node0}
user@SRX-node0>

And for fun 🙂

# run show version and haiku
Hostname: AbedFirewall
Model: srx210he
JUNOS Software Release [12.1X44-D45.2]

Nothing feels as good
Arms filled with wiggling children
So much hope and love

Good Luck 🙂

Shared by: Abed AL-R. Bishara


Site to Site between SRX210 and SSG5

Topology

[Topology diagram: image not included]

Configuration in SRX210 (12.1X44-D45.2):

# set interfaces st0 unit 0 family inet address 192.168.10.1/24
# set routing-options static route 192.168.7.0/24 next-hop st0.0
# set security zones security-zone untrust tcp-rst
# set security zones security-zone untrust host-inbound-traffic system-services all
# set security zones security-zone untrust interfaces pp0.0
# set security zones security-zone untrust interfaces st0.0
# set security zones security-zone Lan tcp-rst
# set security zones security-zone Lan host-inbound-traffic system-services all
# set security zones security-zone Lan interfaces fe-0/0/4.0
# set security ike proposal P1proposal authentication-method pre-shared-keys
# set security ike proposal P1proposal dh-group group2
# set security ike proposal P1proposal encryption-algorithm des-cbc
# set security ike proposal P1proposal lifetime-seconds 86400
# set security ike policy P1policy mode main
# set security ike policy P1policy proposals P1proposal
# set security ike policy P1policy pre-shared-key ascii-text Pinoci0
# set security ike gateway P1gateway ike-policy P1policy
# set security ike gateway P1gateway address 81.218.170.25
# set security ike gateway P1gateway dead-peer-detection interval 10
# set security ike gateway P1gateway dead-peer-detection threshold 3
# set security ike gateway P1gateway external-interface pp0
# set security ipsec proposal P2proposal protocol esp
# set security ipsec proposal P2proposal authentication-algorithm hmac-sha1-96
# set security ipsec proposal P2proposal encryption-algorithm des-cbc
# set security ipsec proposal P2proposal lifetime-seconds 36000
# set security ipsec policy P2policy perfect-forward-secrecy keys group2
# set security ipsec policy P2policy proposals P2proposal
# set security ipsec vpn site1-to-site2 bind-interface st0.0
# set security ipsec vpn site1-to-site2 ike gateway P1gateway
# set security ipsec vpn site1-to-site2 ike ipsec-policy P2policy
# set security ipsec vpn site1-to-site2 establish-tunnels immediately

Now we have to configure a policy from untrust to trust and the reverse. In this case I’ve enabled all the ports; of course it’s under your control.

set security policies from-zone Lan to-zone untrust policy Lan2Untrust match source-address any
set security policies from-zone Lan to-zone untrust policy Lan2Untrust match destination-address any
set security policies from-zone Lan to-zone untrust policy Lan2Untrust match application any
set security policies from-zone Lan to-zone untrust policy Lan2Untrust then permit

set security policies from-zone untrust to-zone Lan policy allowall match source-address any
set security policies from-zone untrust to-zone Lan policy allowall match destination-address any
set security policies from-zone untrust to-zone Lan policy allowall match application any
set security policies from-zone untrust to-zone Lan policy allowall then permit
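Before reusing a proposal like the one above, a practitioner would want to know which settings are dated. The following Python audit is an added example (my own script, not part of the post): it scans Junos `set` lines for weak IKE and IPsec choices and names the stronger Junos keyword to configure instead. The sample lines are constructed from the SRX210 configuration above with the pre-shared key replaced by a placeholder, and the minimum key length is an assumed local policy.

```python
from typing import Dict, List

# Constructed sample: the SRX210 IKE/IPsec lines above, pre-shared key replaced.
SAMPLE = """
set security ike proposal P1proposal authentication-method pre-shared-keys
set security ike proposal P1proposal dh-group group2
set security ike proposal P1proposal encryption-algorithm des-cbc
set security ike proposal P1proposal lifetime-seconds 86400
set security ike policy P1policy mode main
set security ike policy P1policy pre-shared-key ascii-text PLACEHOLDER-PSK
set security ipsec proposal P2proposal protocol esp
set security ipsec proposal P2proposal authentication-algorithm hmac-sha1-96
set security ipsec proposal P2proposal encryption-algorithm des-cbc
set security ipsec policy P2policy perfect-forward-secrecy keys group2
"""

STRONG_GROUP = "group14 or higher"
# keyword -> {weak value: stronger Junos value to configure instead}
WEAK: Dict[str, Dict[str, str]] = {
    "encryption-algorithm": {"des-cbc": "aes-256-cbc", "3des-cbc": "aes-256-cbc"},
    "authentication-algorithm": {"md5": "sha-256", "sha1": "sha-256",
                                 "hmac-md5-96": "hmac-sha-256-128",
                                 "hmac-sha1-96": "hmac-sha-256-128"},
    "dh-group": {"group1": STRONG_GROUP, "group2": STRONG_GROUP, "group5": STRONG_GROUP},
    "keys": {"group1": STRONG_GROUP, "group2": STRONG_GROUP, "group5": STRONG_GROUP},  # PFS
    "mode": {"aggressive": "main"},
}
MIN_PSK_LEN = 20   # assumed local policy for pre-shared keys

def audit(config: str) -> List[str]:
    """Return one finding per weak setting, in configuration order."""
    findings = []
    for line in config.strip().splitlines():
        tok = line.split()
        obj = " ".join(tok[2:5])                  # e.g. 'ike proposal P1proposal'
        for i, word in enumerate(tok[:-1]):
            value = tok[i + 1]
            if word in WEAK and value in WEAK[word]:
                label = "perfect-forward-secrecy" if word == "keys" else word
                findings.append(f"{obj}: {label} {value} is weak, use {WEAK[word][value]}")
            elif word == "ascii-text" and tok[i - 1] == "pre-shared-key" and len(value) < MIN_PSK_LEN:
                findings.append(f"{obj}: pre-shared key has {len(value)} characters, "
                                f"policy minimum is {MIN_PSK_LEN}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```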

Configuration in SSG5 (6.3.0r19.0):

[Screenshots of the SSG5 configuration: images not included]

Verifying

[Screenshots of the verification output: images not included]

If you want to see (U) rather than (-) in the verification output, enable the vpn-monitor feature with this command:

[Screenshots of the vpn-monitor configuration: images not included]

Good Luck 🙂

By: Abed AL-R. Bishara