Logicalwebhost Cheatsheet

Linux & Open Source Cheatsheets & Howto's


Juniper JunOS

Juniper makes lots of stuff, but is probably most widely known for its firewall products. Here we look at some basic management of the SRX line, which runs JunOS.

hook to console

On the front of your SSG there will be a console connection, which usually fools you because it looks like a normal network port, but really it’s a serial connection that just LOOKS like a network port.

  1. You have to go find an adapter that connects a CAT5 cable to a serial cable. Sometimes you can find one in the Juniper box, but you can also find them online for pretty cheap.
  2. On mine I then had to convert the serial connection to USB, since my laptop only has USB and no serial port. I got a Tripplite one, which I think I found here for about $20. On Windows 7 I also had to download the driver from here, which I think is really for Windows 8, but it worked.
  3. You need a terminal program on your laptop that can talk over a serial connection. I used TeraTerm, which I downloaded from Sourceforge here.
  4. Once I had installed the driver and hooked up USB -> serial -> CAT5 adapter -> CAT5 cable -> SSG console port, I started TeraTerm with the following settings:
  5. Port: COM3 (on mine it was just the next COM port above the ones that showed before I installed the Tripplite driver, which happened to be COM3), baud rate: 9600, data: 8 bit, parity: none, stop: 1 bit, flow control: none.
  6. If it worked and you're connected, hit Enter a couple of times and it should give you a login: prompt.

SRX

The SRX platform runs JunOS, which is BSD-based, unlike the old ScreenOS, so it's a lot different.

When you boot the platform it takes about 3 minutes to come up all the way, which seems like forever. Even after the interface lights come up it's not done booting yet.

You can use a Cisco-style console cable, which has an RJ-45 ethernet-looking plug on one end and a 9-pin serial connector on the other. Plug the serial end into a USB -> serial dongle, like a Tripp-Lite USA-19HS, and plug that into your laptop. If you're using a Mac, run ls /dev/tty* and look for something like /dev/tty.USA19H141P1.1; that's the console you want to connect to. Then do:

screen /dev/tty.USA19H141P1.1
<enter>
login: root
password:
switchname% cli
switchname> config
Entering configuration mode
[edit]
switchname#

Here are some common commands you’ll use. You’ll have to enter CLI mode to use them after you login. There’s also a web interface, which makes things easier to visualize.

Command, followed by what it does:

show config
    shows your configuration
show system software
    shows the installed JunOS release, e.g.:
    Information for junos:
    Comment:
    JUNOS Software Release [15.1X49-D45]
show int terse
    shows your interfaces
set protocols l2-learning global-mode switching
    changes the box to a layer 3 switch. You have to do this from configure mode.
commit
    saves (activates) your last commands; run commit check first if you want to test them before saving
commit check
    tests your commands before you save them
delete interfaces ge-0/0/0 unit 0 family inet address 192.168.20.2/24
    removes that IP from that interface
request system reboot
    reboots the box
set interfaces ge-0/0/0 unit 0 family inet address 192.168.20.2/24
    sets the first interface to 192.168.20.2 netmask 255.255.255.0

Set your previously transparent switch (L2) to a normal Layer 3 router:

cli
config
#set protocols l2-learning global-mode switching

set system host-name whateveryouwanttocallyourfirewall

delete security zones security-zone BT interfaces ge-0/0/0
set security zones security-zone untrust
set security zones security-zone untrust interfaces ge-0/0/0
set security zones security-zone trust1
set interfaces ge-0/0/0 unit 0 family inet address 192.168.20.2/24
#set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode access

set security zones security-zone trust1 interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone trust1 interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0

rename interfaces ge-0/0/0.0 family inet address 1.2.3.4/24 to address 5.6.7.8/24

troubleshooting JunOS

configure
set security flow traceoptions file 10debug
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter MatchTraffic source-prefix 192.168.10.0/24 destination-prefix 0.0.0.0/0
commit
exit
exit
tail -f /cf/var/log/10debug

Look through the trace for the traffic you're chasing. When you're done, go back into configuration mode (cli, then configure) and switch the tracing off, since an active flow trace keeps logging every matching packet:

deactivate security flow traceoptions packet-filter MatchTraffic
deactivate security flow traceoptions flag basic-datapath
show security flow
traceoptions {
    file 10debug;
    inactive: flag basic-datapath;
    inactive: packet-filter MatchTraffic {
        source-prefix 192.168.10.0/24;
        destination-prefix 0.0.0.0/0;
    }
}
commit
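A small parser for that curly-brace output, added here as an example in Python (not code from this page or from Juniper): it loads the text of show security flow into a tree, flattens it the way show | display set would (so you can diff it against the set commands you typed), and reports any traceoptions flag or packet filter still active, which is the check worth running before you leave the box. The sample input is the output quoted above; the function names are my own.

```python
# Constructed sample: the 'show security flow' output quoted on this page.
SAMPLE = """\
traceoptions {
    file 10debug;
    inactive: flag basic-datapath;
    inactive: packet-filter MatchTraffic {
        source-prefix 192.168.10.0/24;
        destination-prefix 0.0.0.0/0;
    }
}
"""

def parse_junos(text):
    """Return {statement: {"active": bool, "children": {...}}}; leaves have {}."""
    stack = [{}]                                   # stack[0] is the root
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):       # skip blanks and ## comments
            continue
        if line == "}":                            # close the current container
            stack.pop()
            continue
        active = not line.startswith("inactive:")
        name = line.removeprefix("inactive:").strip()
        node = {"active": active, "children": {}}
        is_container = name.endswith("{")
        stack[-1][name.rstrip("{;").strip()] = node
        if is_container:                           # descend into the new block
            stack.append(node["children"])
    if len(stack) != 1:
        raise ValueError("unclosed '{' in config output")
    return stack[0]

def to_set_commands(tree, prefix=()):
    """Flatten like 'show | display set': set lines, plus deactivate for inactive."""
    out = []
    for name, node in tree.items():
        path = " ".join(prefix + (name,))
        if node["children"]:
            out.extend(to_set_commands(node["children"], prefix + (name,)))
        else:
            out.append("set " + path)
        if not node["active"]:
            out.append("deactivate " + path)
    return out

def tracing_left_on(tree):
    """Traceoptions flags/filters still active (the file name does not count)."""
    children = tree.get("traceoptions", {"children": {}})["children"]
    return [n for n, v in children.items() if v["active"] and not n.startswith("file ")]
```

Call parse_junos on pasted output and pass prefix=("security", "flow") to to_set_commands to get the full hierarchy paths; an empty list from tracing_left_on means the trace is really off.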

Resources:

SRX for beginners