Quick-Series 25 – UTM Anti-Spam

No Comments

Hi,

A quick look at the SRX UTM anti-spam feature using a local whitelist and blacklist.

Screen-shot1

Testing Locally on SRX

Screen-shot 2

If the sender matches the blacklist, the mail is blocked. If it matches the whitelist, it is allowed, and importantly, if it matches neither list it is also allowed.
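As an added example (not the configuration in the screenshots above), this is how a local whitelist/blacklist anti-spam setup looks in Junos set commands on a branch SRX; the list, profile, policy and zone names and the sample addresses are assumed.

```junos
# Added example: local anti-spam lists only, no SBL server. Names and
# addresses are assumed for illustration.

# Local lists are url-pattern custom objects holding sender IPs,
# hostnames or e-mail addresses.
set security utm custom-objects url-pattern as-whitelist value 198.51.100.25
set security utm custom-objects url-pattern as-whitelist value partner.example
set security utm custom-objects url-pattern as-blacklist value 203.0.113.7
set security utm custom-objects url-pattern as-blacklist value spam.example

# Bind the lists to the anti-spam feature.
set security utm feature-profile anti-spam address-whitelist as-whitelist
set security utm feature-profile anti-spam address-blacklist as-blacklist

# Profile: no SBL lookup, so only the local lists decide. A blacklist hit
# is blocked; a whitelist hit and a no-match are both allowed.
set security utm feature-profile anti-spam sbl profile as-local no-sbl-default-server
set security utm feature-profile anti-spam sbl profile as-local spam-action block
set security utm feature-profile anti-spam sbl profile as-local custom-tag-string "***SPAM***"

# UTM policy applying the profile to SMTP, attached to the mail policy.
set security utm utm-policy mail-utm anti-spam smtp-profile as-local
set security policies from-zone trust to-zone untrust policy mail-out match source-address any
set security policies from-zone trust to-zone untrust policy mail-out match destination-address any
set security policies from-zone trust to-zone untrust policy mail-out match application junos-smtp
set security policies from-zone trust to-zone untrust policy mail-out then permit application-services utm-policy mail-utm

# Verify (operational mode):
#   show security utm anti-spam status
#   show security utm anti-spam statistics
```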


Regards

Rakesh M


Quick Series 24 – Double-Nat

No Comments

Hi,

This should technically wind up my NAT studies on SRX. I have covered most of the NAT types and am planning a mind-map of sorts to bring all the SRX NATs together.

Double-NAT has always been a tricky aspect, mainly because we have the same subnet everywhere 😉

Requirements

-> An SRX supporting virtual routing instances – obviously, you cannot have the same subnet on two different interfaces in the same routing table

-> Policies to allow the traffic

-> NAT definitions that redirect the traffic correctly.

Topology

1_topology

Verification of zones and policies

1_zone_config

3_security_policies

NAT definition – the routing here must be directed to the next routing instance; a miss here would prove very costly. The virtual pool acts as both the destination address and the match address.

2_nat_config

Let's verify – a one-to-one mapping exists: if I try to ping 3.3.3.3, it relates to 8.8.12.3 and not to any other IP address.

4_verification

5_verification_cont

Regards

Rakesh M

Update on Studies!

1 Comment

Hi,

I have not written any blog post for over a week now as I was extremely busy with one of the official implementations and office projects.

As far as studies go, I have been reading the following topics in my free time.

-> UTM – Undoubtedly this will be the most complicated of all the topics for me, the reason being I do not have a proper test-bed for UTM implementations and not all of UTM is feasible on vSRX.

I am following the J-UTM course from Juniper's official courseware and have been reading through the Junos SRX Series book.

-> IDP – The second most confusing topic for me is the IDP implementation. It requires you to set up an attack server, a host and several virtualized DMZ servers for proper study, and I am planning to set up the environment in a week's time.

I am following the Juniper IDP courseware along with Junos Advanced Troubleshooting to understand things. As always, the Junos SRX Series book helps.

That is the update from my end; have a great week ahead, everyone.

Regards

Rakesh M

Quick Series 21 – IPV6 TO IPV6 NAT

No Comments

Hi,

I have been going through various courseware and books, and I see that when it comes to IPv6, authors have taken the approach of jumping directly into 6to4, 4to6, DS-Lite and so on. In my opinion it is easier if I can first lab up specific v6-to-v6 NAT scenarios and then move on to 4-to-6.

Requirement – R5 (2002::2/128) should be NATed to 2001::13/128 when it tries to access 2001::2.

Topology

First things first, enable IPv6 flow mode (similar to "ipv6 unicast-routing" on Cisco); otherwise you cannot communicate with other nodes.

1_enabling_ipv6

Configure Zones and policies

2_zone_config 3_security_policy

Lastly, the NAT configuration. If you forget proxy-ndp you can never reach the other end; this is very, very important.

4_nat_config 5_verification
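As an added example, not the post's own screenshot configuration, the full set-command shape of this v6-to-v6 scenario: R5 (2002::2) is translated to 2001::13 only when it talks to 2001::2, with the proxy-ndp entry that makes the replies come back. Interface numbers, zone names, the pool and rule names and the SRX's own addresses are assumed.

```junos
# Added example: IPv6 source NAT with proxy NDP on SRX. Interface, zone,
# pool and rule names and the SRX addresses are assumed.

# Flow mode for IPv6 (the "ipv6 unicast-routing" equivalent); takes a reboot.
set security forwarding-options family inet6 mode flow-based

# Trust side toward R5, untrust side on the 2001::/64 segment with 2001::2.
set interfaces ge-0/0/1 unit 0 family inet6 address 2002::1/64
set interfaces ge-0/0/2 unit 0 family inet6 address 2001::1/64
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust interfaces ge-0/0/2.0

# Policy permitting R5 to the server; kept narrow for the test.
set security address-book global address R5 2002::2/128
set security address-book global address SERVER 2001::2/128
set security policies from-zone trust to-zone untrust policy r5-out match source-address R5
set security policies from-zone trust to-zone untrust policy r5-out match destination-address SERVER
set security policies from-zone trust to-zone untrust policy r5-out match application any
set security policies from-zone trust to-zone untrust policy r5-out then permit

# Source NAT: a one-address pool and a rule that only fires toward 2001::2.
set security nat source pool v6-pool address 2001::13/128
set security nat source rule-set v6-snat from zone trust
set security nat source rule-set v6-snat to zone untrust
set security nat source rule-set v6-snat rule r5-to-server match source-address 2002::2/128
set security nat source rule-set v6-snat rule r5-to-server match destination-address 2001::2/128
set security nat source rule-set v6-snat rule r5-to-server then source-nat pool v6-pool

# Proxy NDP: 2001::13 is not configured on any interface, so the SRX must
# answer neighbour solicitations for it on the untrust link or the server's
# replies are never delivered.
set security nat proxy-ndp interface ge-0/0/2.0 address 2001::13/128

# Verify (operational mode):
#   show security nat source rule all
#   show security flow session destination-prefix 2001::2
```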

Regards

Rakesh M

BGP & OSPF over IPSEC VPN

No Comments

Hi,

Continuing from where we left off in the previous post,

https://r2079.wordpress.com/2015/09/20/hub-and-spoke-vpn-implementation-srx/

The requirement is to first run OSPF among the hub and spoke routers and, once loopbacks are exchanged over OSPF, form BGP over the loopbacks.

Policies are more important than anything else for this requirement: you have to know exactly in which zone the protocol needs to be allowed.

topology

Configuring OSPF and verifying it

1_ospf_config 2_ospf_check 3_ospf_ping_test

Once loopback reachability is established, it is time to form BGP.

4_bgp_config

Looking at the policies and protocols allowed for the zone

5_zone_policy_config

As we can see, the protocol configuration is straightforward, but you have to know what to allow where in order for this to work.
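As an added example (not the post's screenshots), the hub-side configuration for this requirement, showing the part that usually trips people up: the zone holding st0.0 has to accept OSPF and BGP as host-inbound traffic, since a transit policy alone never lets the SRX itself form the adjacency. Zone and group names, the AS number, interface numbers and addresses are assumed.

```junos
# Added example: OSPF and iBGP over a hub-and-spoke st0 VPN, hub side.
# Zone and group names, AS number and addresses are assumed.

# st0.0 is point-to-multipoint on the hub so every spoke shares one tunnel interface.
set interfaces st0 unit 0 family inet address 10.255.0.1/24
set interfaces lo0 unit 0 family inet address 10.0.0.1/32
set protocols ospf area 0.0.0.0 interface st0.0 interface-type p2mp
set protocols ospf area 0.0.0.0 interface lo0.0 passive

# iBGP between loopbacks; the spoke loopbacks must be learned via OSPF first.
set routing-options autonomous-system 65000
set protocols bgp group spokes type internal
set protocols bgp group spokes local-address 10.0.0.1
set protocols bgp group spokes neighbor 10.0.0.2
set protocols bgp group spokes neighbor 10.0.0.3

# The zone that st0.0 sits in must accept the routing protocols themselves.
# Traffic to the SRX is governed here, not by the security policy below.
set security zones security-zone vpn interfaces st0.0
set security zones security-zone vpn host-inbound-traffic protocols ospf
set security zones security-zone vpn host-inbound-traffic protocols bgp
set security zones security-zone vpn host-inbound-traffic system-services ping

# Transit policy for spoke-to-spoke traffic through the hub.
set security policies from-zone vpn to-zone vpn policy spoke-to-spoke match source-address any
set security policies from-zone vpn to-zone vpn policy spoke-to-spoke match destination-address any
set security policies from-zone vpn to-zone vpn policy spoke-to-spoke match application any
set security policies from-zone vpn to-zone vpn policy spoke-to-spoke then permit

# Verify (operational mode):
#   show ospf neighbor
#   show bgp summary
```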

Regards

Rakesh M

Vlan-Rewrite on SRX

No Comments

Hi,

VLAN rewrite on any box is always a fascinating concept. Tagged packets arrive with a specific VLAN and, once they come in, are changed to some other VLAN for egress, and vice versa.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB23737

The above KB gives you an idea of how vlan-rewrite is configured for a sample scenario on SRX. I made some enhancements, adding a new irb interface on the SRX and having a trunk port with a sub-interface.

Topology

topology_1

Configuration is very straightforward:

-> Identify which VLAN needs to be manipulated

-> Identify the ingress interface

-> Make sure your vlan-id-list does not include the VLAN that needs converting – yes, it is 'does not'

2_bridge_domains

Here, VLAN 100 is not in the vlan-id-list of trunk interface ge-0/0/8, which is the ingress point. Many people might assume that every VLAN configured on the interface has to be allowed, but the point to understand is that VLAN 100 is already being rewritten to another VLAN that the interface has allowed, so we need not allow it again in the interface vlan-id-list.

3_ping_test

A policy needs to be written with Layer 2 interfaces in place. Unlike a routed-mode firewall, where we include Layer 3 interfaces, a transparent-mode firewall needs Layer 2 interfaces in its zones; I initially tried configuring irb interfaces in zones, only to learn that irb interfaces can never go into a security zone.
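As an added example, not the KB's or the post's own configuration, the set commands for the scenario described above: VLAN 100 enters on trunk ge-0/0/8, is rewritten to VLAN 200 inside the bridge domain, and only the Layer 2 interfaces go into zones. The egress interface, the target VLAN 200, the bridge-domain and zone names and the irb address are assumed.

```junos
# Added example: vlan-rewrite in SRX transparent mode. Egress interface,
# target VLAN, bridge-domain/zone names and the irb address are assumed.

# Ingress trunk. Only the translated VLAN is listed; 100 is deliberately
# absent from vlan-id-list, as the post explains.
set interfaces ge-0/0/8 unit 0 family bridge interface-mode trunk
set interfaces ge-0/0/8 unit 0 family bridge vlan-id-list 200
# Tag 100 inbound becomes 200 inside the box; 200 outbound is re-tagged 100.
set interfaces ge-0/0/8 unit 0 family bridge vlan-rewrite translate 100 200

# Egress trunk carries VLAN 200 unchanged.
set interfaces ge-0/0/9 unit 0 family bridge interface-mode trunk
set interfaces ge-0/0/9 unit 0 family bridge vlan-id-list 200

# Bridge domain for VLAN 200 with an irb for reaching the SRX itself.
set bridge-domains bd200 domain-type bridge
set bridge-domains bd200 vlan-id 200
set bridge-domains bd200 routing-interface irb.200
set interfaces irb unit 200 family inet address 192.0.2.1/24

# Zones hold the Layer 2 interfaces; irb.200 cannot be placed in a zone.
set security zones security-zone l2-in interfaces ge-0/0/8.0
set security zones security-zone l2-out interfaces ge-0/0/9.0
set security policies from-zone l2-in to-zone l2-out policy allow-all match source-address any
set security policies from-zone l2-in to-zone l2-out policy allow-all match destination-address any
set security policies from-zone l2-in to-zone l2-out policy allow-all match application any
set security policies from-zone l2-in to-zone l2-out policy allow-all then permit

# Verify (operational mode):
#   show bridge domain
#   show bridge mac-table
```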

Regards

Rakesh M

Quick Series 20 – SRX APPSECURE_SUITE – APPFW

No Comments

Hi,

Continuing from the previous post,

https://r2079.wordpress.com/2015/09/16/quick-series-19-srx-appsecure_suite-apptrack/

the identified Facebook traffic needs to be blocked, while traffic for Apple and others is still allowed.

Topology

topology_png

APPFW – Application Firewall, as the name suggests, gives the flexibility to block specific applications. For example, over HTTPS we may have both Gmail and Facebook; if we block port 443 it blocks all HTTPS connections, whereas APP-ID identifies the application traversing the firewall and APPFW blocks the related application seamlessly.

1_rules_policies

Let us see this on the log server. Note that without session-init logging here we would not see any SESSION_DENY logs, as per the documentation.

2_session_deny_logs
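As an added example (not the rules in the screenshot above), an AppFW rule-set that denies Facebook by application identity while the policy still permits TCP/443 as a whole, with the session-init logging the post says is needed to see the denies. Zone, policy and rule-set names are assumed; junos:FACEBOOK-ACCESS is a predefined application from the AppID signature package.

```junos
# Added example: AppFW deny for Facebook, everything else permitted.
# Zone, policy and rule-set names are assumed.

set security application-firewall rule-sets block-social rule deny-fb match dynamic-application junos:FACEBOOK-ACCESS
set security application-firewall rule-sets block-social rule deny-fb then deny
# Apple and all other identified or unknown applications fall through here.
set security application-firewall rule-sets block-social default-rule permit

# The security policy still permits the HTTPS session; AppFW acts only once
# AppID has classified it, so port 443 as a whole stays open.
set security policies from-zone trust to-zone internet policy out match source-address any
set security policies from-zone trust to-zone internet policy out match destination-address any
set security policies from-zone trust to-zone internet policy out match application any
set security policies from-zone trust to-zone internet policy out then permit application-services application-firewall rule-set block-social
# session-init is what produces the SESSION_DENY records on the syslog
# server; with session-close alone an AppFW deny is not reported.
set security policies from-zone trust to-zone internet policy out then log session-init
set security policies from-zone trust to-zone internet policy out then log session-close

# Verify (operational mode), then look for SESSION_DENY on the syslog server:
#   show security application-firewall rule-set block-social
```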

Regards

Rakesh M

Quick Series 19 – SRX APPSECURE_SUITE – APPTRACK

1 Comment

Hi,

In my previous post I covered installation of the AppSecure applications and license. This post covers APP_TRACK, the tracker!

For installation of AppSecure on vSRX, follow the URL below:

https://r2079.wordpress.com/2015/09/16/appsecure-suite-installing-license-evaluation-version-on-vsrx-firefly/

What is APP_TRACK – As the name suggests, it is used to track applications within the security zones, i.e. the type of application traffic traversing the SRX.

By knowing which sort of traffic is traversing the system, we can analyse it and block what is not necessary.

Topology

topology_png

I have a syslog server running on a Raspberry Pi and an Apple iPad trying to gain connectivity to the internet.

First, let's see what the syslog messages look like without any application tracking.

1_without_any_appsecure

Let us enable APP-Track for security zone internet. Please remember that you also have to enable first-update if you need to see the SESSION_INIT message; without it you can only see SESSION_CLOSE messages.

2_enabling_track
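As an added example (not the post's screenshot configuration), the commands that turn on AppTrack for the internet zone and stream the records to the Raspberry Pi syslog server, including the first-update knob the post calls out. The zone name comes from the post; the collector address, the SRX source address and the stream name are assumed.

```junos
# Added example: AppTrack on zone "internet" with stream-mode syslog.
# Collector address, source address and stream name are assumed.

# Stream mode sends the RT_FLOW and APPTRACK records straight from the
# data plane to the collector in structured (sd-syslog) format.
set security log mode stream
set security log format sd-syslog
set security log source-address 192.168.1.1
set security log stream rpi-syslog host 192.168.1.50

# Track applications for sessions in the internet zone.
set security zones security-zone internet application-tracking

# Without first-update only the session-close record is emitted; first-update
# adds a record when the application is first identified (the SESSION_INIT
# message the post refers to), so blocked-before-close sessions still show up.
set security application-tracking first-update
# Optional periodic volume updates for long-lived sessions, in minutes.
set security application-tracking session-update-interval 5

# Verify (operational mode):
#   show security application-tracking counters
#   show security zones internet
```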

Out of many types of traffic, let us see if we have any hits for Facebook and Apple.

3_matching_facebookandapple

Finally, the APP-TRACK statistics counters.

3.5_counters

Now that we know what sort of traffic is going through the firewall, we will block it in the next post via the application firewall (APPFW).

Regards

Rakesh M

APPSECURE SUITE – INSTALLING LICENSE – EVALUATION VERSION ON VSRX FIREFLY

4 Comments

Hi,

No one denies the value of having a good lab if you are aiming at an expert-level exam. The AppSecure suite is one critical thing on Juniper vSRX that is important not only for the exam but also for real-world implementations.

The AppSecure suite can be installed with a 30-day evaluation license from Juniper. Below are the details.

Requirement

vSRX (12.1X47-D20.7) ---- connected to ---- INTERNET

1_basic_reachability

Next, get the evaluation license from Juniper:

http://www.juniper.net/us/en/dm/free-vsrx-trial/

You require appropriate credentials, I guess; I work for a partner so I do not have any login issues here.

2_trial_license_install

Checking the applications and downloading files from the internet

3_downloading_files

Once downloaded, the next step is to install the files onto the system.

4_installing_applications

Happy Labbing

Regards

Rakesh M

Quick Series 15 – SRX CHASSIS CLUSTER – RETH0 INTERFACE CONFIGURATION

No Comments

Hi,

This is the 15th post in the Quick Series, and it is on building the reth interface in an SRX chassis cluster.

Requirement:

Configure the reth0 interface on the SRX cluster for the end-server subnet 172.20.101.0/24.

Topology

topology

Looking at the configuration

srx1_1

show outputs

srx1_2 outputs

ping and security-zones

srx1_3_final_output
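As an added example (not the configuration in the screenshots), the set commands for a reth0 serving 172.20.101.0/24 on a two-node branch cluster. The member ports, redundancy-group priorities, zone name and the SRX address are assumed, and the node 1 slot numbering (ge-5/0/x) assumes an SRX240-class chassis.

```junos
# Added example: reth0 for the server subnet on a two-node cluster.
# Member ports, priorities, zone name and gateway address are assumed.

# One redundant Ethernet interface, owned by RG1 with node 0 preferred.
set chassis cluster reth-count 1
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100

# Physical members, one per node (node 1 ports are offset by the FPC slot).
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-5/0/3 gigether-options redundant-parent reth0

# reth0 carries the address; it fails over together with RG1.
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 172.20.101.1/24

# Zone membership uses the logical reth unit, never the member ports.
set security zones security-zone servers interfaces reth0.0 host-inbound-traffic system-services ping

# Verify (operational mode):
#   show chassis cluster status
#   show chassis cluster interfaces
#   show interfaces terse reth0
```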

Regards

Rakesh M
