Nov 18
JUNIPER SECURITY, Uncategorized jncie, jncip No Comments
Hi,
A Quick look at the SRX UTM Feature in relation to Antispam in local Whitelist and Blacklist.
Testing Locally on SRX
If it matches Blacklist, its blocked. If it matches whitelist, it gets allowed, and importantly if it does not match then it will be allowed.
Regards
Rakesh M
Oct 18
Hi,
This should technically wind up my NAT studies on SRX. I have covered most of the NAT’s and I am planning for a Mind-Map sort of thing to compose all NATs in SRX.
Double-Nat has always been a tricky aspect , majorly because we have same-subnet every-where π
Requirements
-> SRX supportingΒ virtual-Routing instances – Obviously, you cannot have same subnet belonging two different interfaces in same routing table
-> policies to allow the traffic
-> nat definitions to correctly redirect the traffic.
Topology
Verification of zones and policies
Nat Definition – The routing here should be directed to next Routing instance, A miss here would prove very costly. the virtual pool will act like the destination address and also the match-address
Lets verify things – See a one-to-one mapping exists, if i try to ping 3.3.3.3, it would relate to 8.8.12.3 and not any-other IP address.
Regards
Rakesh M
Oct 11
Hi,
I have not written any blog post for over a week now as i was extremely busy in one of the official implementations and office projects.
As far as studies go,
I have been reading the following topics in my free-time.
-> U.T.M – Undoubtedly, this topic will be the most complicated of all the topics for me, reason being i do not have a proper test-bed for UTM implementations and all of the UTM is not feasible on VSRX.
I am following through J-UTM course from Juniper official Course-ware and have been reading through Junos-SRX series Book.
-> IDP – Second Most confusing topic for me is the IDP implementation. This topic requires you to setup a Attack server, a host and several DMZ virtualized servers for proper studies, and i am planning to setup the environment in a weeks-Time.
I am folllowing Juniper-IDP courseware along with Junos-Advanced troubleshooting to understand things. As always Junos-SRX series would always help.
This is the update from my end, have a great week ahead for everyone
Regards
Rakesh M
Sep 22
Hi,
I have been going through various course-ware and written books and I see when it comes to IPV6, authors have taken a approach to directly jump into 6to4 , 4to6 , ds-lite and so on. In my opinion it is easier if i can lab-up specific v6-to-v6 Nat scenarios then move onto 4-to-6.
Requirement – R5 (2002::2/128) should be natted to 2001::13/128 , when it tries to access 2001::2
Topology
First things first, enabled Ipv6 flow mode , similar to “ipv6 unicast-routing” in cisco, other wise you cannot communicate with other nodes.
Configure Zones and policies
Lastly NAT configuration, if you forget proxy-ndp, you can never reach the other-end, very very important.
Regards
Rakesh M
Sep 22
Hi,
Continuing from where we left off from the previous post,
https://r2079.wordpress.com/2015/09/20/hub-and-spoke-vpn-implementation-srx/
Requirement is to first run OSPF among the hub and spoke routers and once loopbacks are exchanged over OSPF, bgp over loopbackΒ should be formed.
Policies are very-important more than anything else for this requirement, you exactly have to know in which zone policy needs to be allowed.
Configuring OSPF and verifying it
Once Loopback Reachability is established, time to form BGP
Looking at policies and protocols allowed for zone
As we can see, protocol configuration is straight forward, but you have to know what to allow where in order for this to happen.
Regards
Rakesh M
Sep 20
jncie-security, JUNIPER SECURITY cluster swfab fab srx ha jncie No Comments
Hi,
Vlan Rewrite on any box is always a fascinating concept. You have tagged packets coming with a specific vlan and once they come in they are changed to some-other vlan for egress and vice-versa.
http://kb.juniper.net/InfoCenter/index?page=content&id=KB23737
The above kb will give you an idea on how vlan-rewrite is configured for a sample scenario in srx, I made some enhancements as in adding aΒ new irb interface on SRX and having a trunk-port with a sub-interface.
Topology
Configuration is very straight forward
-> identify which vlan needs to be manipulated
-> Identify the ingress interface
-> Make sure your vlan-id-list does not include the vlan which needs to be converted to – Yes it is ‘Does Not’
Here, Vlan 100 is not in the vlan-id-list of Trunk interface ge-0/0/8 which is the ingress point, it might be a misconception from many people to allow all the vlans which are configured on the interface, but the point which needs to be understood here is that , it is already being re-written to another vlan which interface has allowed, so we need not allow it again in interface vlan-id-list
A policy needs to be written with layer-2 interfaces in place, unlike routed-mode firewall where we include Layer-3 interfaces, Transparent mode firewall needs layer-2 interfaces in Zones, i initially tried configuring irb interfaces in zones to understand that irb interfaces can never go into a security zone.
Regards
Rakesh M
Sep 16
Hi,
Continuing from the previous post,
https://r2079.wordpress.com/2015/09/16/quick-series-19-srx-appsecure_suite-apptrack/
the identified facebook traffic needs to be blocked, while traffic for apple and others are still allowed.
Topology
APPFW – Application Firewall by the name gives the flexibility to block specific applications. For example over https, we may have gmail and facebook , so we go about blocking 443 it will block all https connections, APP-ID will help us to identify the application traversing and APPFW will help us block the Related Application seamlessly.
Let us see this in Log server, Kindly note without session-init here, we would not be seeing any SESSION_DENY logs as per the documentation
Regards
Rakesh M
Sep 16
JUNIPER SECURITY nat pat vsrx jncis-sec jncip-sec, security appsecure app-track 1 Comment
Hi,
In my previous post i have covered installation of app-secure applications and license. This post would cover APP_TRACK , the tracker !
For installation of APP-SECURE ON VSRX, Follow the below URL
https://r2079.wordpress.com/2015/09/16/appsecure-suite-installing-license-evaluation-version-on-vsrx-firefly/
What is APP_TRACK – By the name itself, it is used to track Applications within the security-zones or type of application traffic traversing through SRX
So By know which sort of traffic is traversing the system, we can analyze and block if not necessary
Topology
I have a syslog server running on Raspberry_Pi and Apple Ipad Trying to gain connectivity to internet.
First lets see, without any application-tracking, how does the syslog messages look like
Let us enable APP-Track for security-zone internet. Please do remember, you have enable first-update as well if you need to see SESSION_INIT message, without this , you can only see SESSION_CLOSE messages only
Out of many types of traffic, let us see if we have any hits for Facebook and Apple.
Finally counter on APP-TRACK Stats
Now, that we know what sort-of traffic is going through the firewall, we will block it in next-post via APP-TRACK Firewall
Regards
Rakesh M
Sep 16
jncie-security, JUNIPER SECURITY security app-secure install trial license juniper 4 Comments
Hi,
No one denies the fact of having a good lab if you are aiming at your expert level-exam. App-secure suite is one critical thing on Juniper VSRX which not only is important for exam but also for real-world implementations.
Appsecure suite canΒ be installed with a 30 day Evaluation license from Juniper. Below are the details
Requirement
VSRX ( 12.1X47-D20.7 ) —-Β Connected-to —- INTERNET
Next , get the evaluation license from juniper
http://www.juniper.net/us/en/dm/free-vsrx-trial/
You require appropriate credentials i guess, i work for a partner so i do not have any login issues here.
Checking the applications and downloading files from internet
Once you download, next is to install the files onto the system
Happy Labbing
Regards
Rakesh M
Sep 05
Hi,
This is the 15th post in the Quick-Series and this is on SRX Chassis cluster building RETH interface
Requirement:
configure RETH0 interface on SRX Cluster for the end-server subnet of 172.20.101.0/24
Toplogy
Looking at the configuration
show outputs
ping and security-zones
Regards
Rakesh M
RSS