Logicalwebhost Cheatsheet

Linux & Open Source Cheatsheets & Howto's


Juniper firewalls

Juniper makes lots of stuff, but are probably most widely known for their firewall products. Here we look at some basic management of the SSG line, which are basically bulletproof and really easy to love…once you understand the Juniper way of doing things 🙂

basic setup

This is for most of the SSG series, though there are some differences between models.

  1. Web UI: by default you plug a CAT5 cable into your laptop and into port 3 (port 0 on larger SSG boxes) and set your laptop's IP manually to 192.168.1.11, netmask 255.255.255.0, gateway/router 192.168.1.1
  2. Open up a browser and navigate to http://192.168.1.1, which will take you to a setup wizard if you need one
  3. Fine tuning a Juniper box can be daunting, but the forum folks are pretty good, so that might help.

reset to factory defaults

Everyone blows up a firewall occasionally, or locks themselves out.

  1. find the reset pinhole
  2. get a paperclip and straighten one end so it will poke in there and not bend
  3. this next part is hard, you might wind up doing it a few times, but don’t worry, it doesn’t break anything if you have to try it twice.
  4. with the unit powered up and the status light blinking green (that means it’s booted and running), press and hold the paperclip in the hole for about 5-10 seconds. The status light should turn amberish reddish. Let off after it changes color.
  5. Wait about 2 seconds, then push the paperclip back in for about 5 more seconds. The status light will turn solid amberish reddish then.
  6. Wait a couple seconds, then let up on the paperclip. Then the unit will start the reboot process.
  7. It takes like 2 minutes to reboot, which will seem like FOREVER when you’re trying to figure out if this worked.
  8. Just keep waiting until the green status light is steadily blinking again, that means it’s rebooted.
  9. Now try to plug in a CAT5 cable to a port (usually 0/2, but sometimes 0/0) and try to connect to http://192.168.1.1

hook to console

On the front of your SSG there will be a console connection, which usually fools you because it looks like a normal network port, but really it’s a serial connection that just LOOKS like a network port.

  1. you have to go find an adapter that will connect a CAT5 cable to a serial cable; sometimes you can find them in the Juniper box, but you can find them online for pretty cheap too
  2. On mine I then had to convert the serial connection to USB, since my laptop only has USB and no serial port. I got a Tripp Lite one, which I found online for about $20. On Windows 7 I had to download the driver too, which I think is really for Windows 8, but it worked.
  3. you have to have a terminal program on your laptop that can talk over a serial connection. I used TeraTerm, which I downloaded from Sourceforge
  4. Once I installed the driver and hooked up the USB -> serial -> CAT5 adapter -> CAT5 cable -> SSG console port, I started TeraTerm with the following settings:
  5. COM3 (well, on mine it was just the next COM port above the ones it used to show before I installed the Tripp Lite driver, which happened to be COM3), Baud rate: 9600, data: 8 bit, parity: none, stop: 1 bit, flow control: none.
  6. if it worked and you’re connected, hit Enter a couple of times and it should give you a login: prompt.

backup config file via CLI

Sometimes the GUI doesn’t work, or maybe you just want to know another way to back up your config files. To do this you have to install a tftpd SERVER on a box that has non-firewalled access to the Juniper unit you’re backing up. I installed a Debian box on a Trust interface subnet, then did:

apt-get install tftpd-hpa tftp
# pick the folder it serves: set TFTP_DIRECTORY="/srv/tftp" (or wherever you want)
# in /etc/default/tftpd-hpa, then restart tftpd-hpa
netstat -lnp | grep 69
udp     0      0 0.0.0.0:69     0.0.0.0:*        32420/in.tftpd

now test from your local box first to see if you can transfer a file:

touch /srv/tftp/somefile.txt
chown nobody:root /srv/tftp/somefile.txt
cd ~
tftp localhost
tftp> status
Connected to localhost.
Mode: netascii Verbose: off Tracing: off
Rexmt-interval: 5 seconds, Max-timeout: 25 seconds
tftp> get somefile.txt
tftp> quit
ls

if it worked, you should see somefile.txt sitting in your home directory. Now you have to add a firewall rule to allow your Juniper box to send you a file. TFTP is UDP only, so one rule covers it; note that after the first packet the transfer moves to an ephemeral port on the server, so your INPUT chain also has to accept ESTABLISHED traffic (or all UDP from that subnet) for the upload to finish:

iptables -A INPUT -s juniper.ip.subnet.0/24 -p udp --dport 69 -j ACCEPT

This means you can go try to transfer your Juniper config to this box like:

ssh you@juni.per.ip
ssg5-v92-> save config to tftp your.tftpd.server.ip configfile.txt

if it worked, you should see the file at /srv/tftp/configfile.txt. If the firewall reports an error instead, the usual cause is that tftpd-hpa refuses to create files that don’t already exist: add -c (--create) to TFTP_OPTIONS in /etc/default/tftpd-hpa and make sure the directory is writable by the tftp user.
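Once the config lands on the TFTP box it is worth keeping more than the one file. The script below is an added example, not something from the page or from Juniper: it checks that the dropped file really looks like a ScreenOS dump, archives a dated copy with a sha256 beside it, and diffs it against the previous archive so policy or interface changes since the last backup stand out. The paths and the "set interface"/"set policy" heuristic are assumptions; the sample config in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the page): once the firewall has run
# "save config to tftp <server> configfile.txt", run this on the TFTP box to
# check the dropped file really is a ScreenOS config, archive a dated copy
# with a sha256 next to it, and diff it against the previous archive.
# Paths are assumptions; adjust to your /etc/default/tftpd-hpa directory.

# A ScreenOS dump is plain text made almost entirely of "set ..." lines.
# An empty, binary or truncated file means the transfer failed (usually the
# firewall rule, tftpd not allowed to create files, or directory permissions).
looks_like_screenos() {
    [ -s "$1" ] || return 1
    grep -q '^set ' "$1" || return 1
    # heuristic (assumption): a usable backup has an interface and a policy
    grep -q '^set interface ' "$1" && grep -q '^set policy ' "$1"
}

# archive_config <file dropped by tftp> <archive dir>
# Prints the path of the new archive; returns 1 if the file is rejected.
archive_config() {
    src="$1"; dest="$2"
    looks_like_screenos "$src" || {
        echo "refusing: $src does not look like a ScreenOS config" >&2
        return 1
    }
    mkdir -p "$dest"
    prev=$(ls "$dest"/configfile-*.txt 2>/dev/null | tail -n 1)
    # date plus a sequence number so several backups on one day sort in order
    n=$(ls "$dest"/configfile-*.txt 2>/dev/null | wc -l)
    new=$(printf '%s/configfile-%s-%04d.txt' "$dest" "$(date +%Y%m%d)" "$((n + 1))")
    cp "$src" "$new"
    sha256sum "$new" > "$new.sha256"
    # any changed "set" lines since the last archive are printed to stderr
    if [ -n "$prev" ] && ! diff "$prev" "$new" >&2; then
        echo "config changed since $prev (diff above)" >&2
    fi
    echo "$new"
}

# usage: sh archive.sh /srv/tftp/configfile.txt /var/backups/juniper
if [ $# -eq 2 ]; then archive_config "$1" "$2"; fi
```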

CLI basics

Sooner or later you’ll (probably) wind up getting familiar with the CLI, which basically means logging into the box over ssh. BTW, you have to actually enable SSH management on the interface you want to connect to, otherwise it won’t let you log in and change anything. You do that at:

Network -> Interfaces -> edit (on the interface you want) -> Management Services -> check the ssh box.

Now ssh in with the default username/password of netscreen/netscreen, which you should immediately change to something else.

Here are some useful commands and what they do:

command            what it does
--------------------------------------------------------------
get system         tells you about the hardware
get int e0/0       shows the configuration for ethernet0/0
clear led alarm    clears that annoying front panel alarm LED

diagnostic stuff(CLI mostly)

Figuring out what your routing table really says (and what it should say) is a good idea first. Scroll to the right in the code blocks to get the explanation for each route.

SSG550-> get route
  IPv4 Dest-Routes for <untrust-vr> (0 entries)
  --------------------------------------------------------------------------------------
  H: Host C: Connected S: Static A: Auto-Exported
  I: Imported R: RIP/RIPng P: Permanent D: Auto-Discovered
  N: NHRP
  iB: IBGP eB: EBGP O: OSPF/OSPFv3 E1: OSPF external type 1
  E2: OSPF/OSPFv3 external type 2 trailing B: backup route
  -
  IPv4 Dest-Routes for <trust-vr> (12 entries) 
  --------------------------------------------------------------------------------------
           ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
  --------------------------------------------------------------------------------------
  *        16        10.1.1.1/32         eth0/2         0.0.0.0   H    0      0     Root  <-- your trust iface itself
  *        17          0.0.0.0/0         eth0/0 upstream.provider.i.p   C    0      1     Root  <-- where to send all traffic upstream
  *        12     pu.bl.ic.ip/32         eth0/0         0.0.0.0   H    0      0     Root  <-- public IP itself
  *        13    some.dmz.i.p/27         eth0/1         0.0.0.0   C    0      0     Root  <-- IP range for your DMZ
  *        14  dmz.ip.it.self/32         eth0/1         0.0.0.0   H    0      0     Root  <-- IP of the DMZ iface itself
  *        15        10.1.1.1/24         eth0/2         0.0.0.0   C    0      0     Root  <-- IP of the Trust iface itself

So let’s say you want to know where your router might send stuff from a specific IP on your Trust interface/group, you’d do:

SSG550-> get route ip 10.1.1.19
  Dest for 10.1.1.19
  --------------------------------------------------------------------------------------
  trust-vr       : => 10.1.1.1/24 (id=15) via 0.0.0.0 (vr: trust-vr)
                      Interface ethernet0/2 , metric 0

So that tells you what interface it EXPECTS to see that IP from, and where it wants to send it next. In this case, it would send it to a default route (that’s what 0.0.0.0/0 means), and then send it to wherever that default route pointed – in our case it would be the upstream provider’s IP/gateway they gave you.
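To check that logic against a saved dump instead of the live box, here is an added example (not from the page or from Juniper) that redoes what get route ip does: it parses the active "*" rows of a get route listing and picks the longest matching prefix, breaking ties by lower Pref and then lower Mtr (that tie-break order is my assumption). The route table inside sample_routes is constructed in the page's layout with documentation addresses.

```shell
#!/bin/sh
# Added example, not from the page: offline "get route ip <addr>" over a saved
# "get route" dump. Only active rows (first column "*") are considered.
# Assumption: longest prefix wins, ties go to lower Pref, then lower Mtr.

# Constructed table in the layout the page shows (columns: * ID IP-Prefix
# Interface Gateway P Pref Mtr Vsys); addresses are documentation ranges.
sample_routes() {
    cat <<'EOF'
  IPv4 Dest-Routes for <trust-vr> (4 entries)
           ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
  *        17          0.0.0.0/0         eth0/0     203.0.113.1   S   20      1     Root
  *        13   198.51.100.0/27         eth0/1         0.0.0.0   C    0      0     Root
  *        15        10.1.1.1/24         eth0/2         0.0.0.0   C    0      0     Root
  *        16        10.1.1.1/32         eth0/2         0.0.0.0   H    0      0     Root
EOF
}

# route_lookup <ipv4>   (reads the get route output on stdin)
# Prints "<prefix> via <gateway> on <interface>" or "no route" (exit 1).
route_lookup() {
    awk -v ip="$1" '
    function toint(a,   p) { split(a, p, "."); return ((p[1]*256 + p[2])*256 + p[3])*256 + p[4] }
    # network part of an address under a /n mask: drop the low (32-n) bits
    function net(a, n)     { return int(toint(a) / (2 ^ (32 - n))) }
    $1 == "*" && $3 ~ /\// {
        split($3, pfx, "/"); n = pfx[2] + 0
        if (net(ip, n) != net(pfx[1], n)) next
        better = !found || n > bestn
        if (!better && n == bestn)
            better = ($7 + 0 < bestp) || ($7 + 0 == bestp && $8 + 0 < bestm)
        if (better) {
            found = 1; bestn = n; bestp = $7 + 0; bestm = $8 + 0
            result = $3 " via " $5 " on " $4
        }
    }
    END { if (found) print result; else { print "no route"; exit 1 } }'
}

# usage: sample_routes | route_lookup 10.1.1.19
if [ $# -eq 1 ]; then route_lookup "$1"; fi
```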

clear alarm LED

Sometimes the red alarm illuminates on the front panel when there are emergency alerts, but you have to login to the CLI to clear them like:

clear led alarm

SRX

The SRX platform runs JunOS, which is FreeBSD-based, versus the old ScreenOS, so it’s a lot different.

When you boot the platform, it takes about 3 minutes to come up all the way, which seems like forever. Even after the interface lights come up it’s not done booting yet.

You can use a Cisco-style console cable, which has an RJ-45 ethernet-looking connector on one end and a 9-pin serial connector on the other, which you plug into a USB -> serial dongle like a Tripp-Lite USA-19HS and then into your laptop. If you’re using a Mac, do ls /dev/tty* and find something that looks like /dev/tty.USA19H141P1.1; that’s the console you want to connect to. Then do:

screen /dev/tty.USA19H141P1.1
<enter>
login: root
password:
switchname% cli
switchname> config
Entering configuration mode
[edit]
switchname#

Here are some common commands you’ll use. You’ll have to enter CLI mode to use them after you login. There’s also a web interface, which makes things easier to visualize.

command                                            what it does
--------------------------------------------------------------------------------------
show config                                        shows your configuration
show system software                               shows the JunOS version, e.g.
                                                     Information for junos:
                                                     Comment:
                                                     JUNOS Software Release [15.1X49-D45]
set protocols l2-learning global-mode switching    changes to a layer 3 switch. You have to do this from ‘configure’ mode.
commit                                             saves your last commands; you probably should do a commit check first if you want to test them
commit check                                       tests your commands before you save them
delete interfaces ge-0/0/0 unit 0 family inet address 192.168.20.2/24
                                                   removes that IP from that interface
request system reboot                              reboots the box

Set your previously transparent switch (L2) to a normal Layer 3 router:

cli
config
set protocols l2-learning global-mode switching
set security zones security-zone untrust
set security zones security-zone untrust interfaces ge-0/0/0
set security zones security-zone trust1
set interfaces ge-0/0/0 unit 0 family inet address 192.168.20.2/24
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode access
 
set security zones security-zone trust1 interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone trust1 interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0
