Juniper Firewall Transparent mode config (Example)
 
Management
set interface vlan1 ip 1.1.1.1/24
set interface vlan1 manage web
set interface vlan1 manage telnet
set interface vlan1 manage ssh
set interface vlan1 manage ping
 
Interfaces
set interface ethernet0/1 ip 0.0.0.0/0
set interface ethernet0/1 zone v1-trust
set interface ethernet0/3 ip 0.0.0.0/0
set interface ethernet0/3 zone v1-untrust
 
V1-Trust Zone
set zone v1-trust manage web
set zone v1-trust manage telnet
set zone v1-trust manage ping
 
Addresses
set address v1-trust FTP_Server 1.1.1.5/32
set address v1-trust Mail_Server 1.1.1.10/32
 
Route
set vrouter trust-vr route 0.0.0.0/0 interface vlan1 gateway 1.1.1.250 metric 1
 
Policies
set policy from v1-trust to v1-untrust any any any permit
set policy from v1-untrust to v1-trust any Mail_Server mail permit
set policy from v1-untrust to v1-trust any FTP_Server ftp-get permit

SRX Syslog config

root@srx# set security log mode stream
root@srx# set security log format sd-syslog
root@srx# set security log source-address 10.10.10.2
root@srx# set security log stream securitylog category all
root@srx# set security log stream securitylog host 10.10.10.1
root@srx# set security log stream securitylog host port 514
 
 
Once the commands are entered and a 'commit' is executed, the configuration looks like this:
 
security {
    log {
        mode stream;
        format sd-syslog;
        source-address 10.10.10.2;
        stream securitylog {
            category all;
            host {
                10.0.10.1;
                port 514;
            }
        }
    }
}

set security log mode stream
set security log format sd-syslog
set security log source-address 10.10.10.2
set security log stream securitylog format sd-syslog
set security log stream securitylog category all
set security log stream securitylog host 10.10.10.1
set security log stream securitylog host 172.22.154.214 port 514
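Added example, not from the original post: a small parser for the records that the stream configuration above sends to the collector in sd-syslog (RFC 5424 structured-data) format, plus a selector for denied sessions that a detection rule would key on. The two sample records are constructed for illustration; the header layout and field names follow SRX RT_FLOW events, but the addresses, ports and policy names are made up.

```python
import re

# Constructed sample (not real device output) of two SRX stream-mode security
# log records as "format sd-syslog" emits them for RT_FLOW events.
SAMPLE_LOGS = """\
<14>1 2018-05-08T09:12:33.512Z srx RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.129 source-address="10.10.20.7" source-port="51234" destination-address="203.0.113.10" destination-port="443" service-name="junos-https" protocol-id="6" policy-name="allow-web" source-zone-name="trust" destination-zone-name="untrust" session-id-32="4711"]
<14>1 2018-05-08T09:12:40.004Z srx RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.129 source-address="198.51.100.23" source-port="40000" destination-address="10.10.20.7" destination-port="22" service-name="junos-ssh" protocol-id="6" policy-name="default-deny" source-zone-name="untrust" destination-zone-name="trust" reason="policy deny"]
"""

# RFC 5424 header as the SRX writes it: PRI, version 1, timestamp, hostname,
# process (RT_FLOW), "-" for the PID, message id, then one structured-data block.
HEADER = re.compile(
    r"^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) - (?P<msgid>\S+) "
    r"\[(?P<sdid>[^ \]]+)(?P<params>[^\]]*)\]"
)
PARAM = re.compile(r'(\S+?)="([^"]*)"')  # key="value" pairs inside the SD block

def parse_sd_syslog(line):
    """Return header fields plus every SD parameter as a dict, or None when
    the line is not an SRX sd-syslog record. Values containing an escaped
    ']' are not handled, which keeps the parser short."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {k: m.group(k) for k in ("pri", "ts", "host", "proc", "msgid", "sdid")}
    rec.update(PARAM.findall(m.group("params")))
    return rec

def parse_all(text):
    """Parse every line, silently dropping lines that are not SRX records."""
    return [r for r in map(parse_sd_syslog, text.splitlines()) if r]

def denied_from_zone(records, zone="untrust"):
    """(src, dst, dst-port, policy) for sessions the firewall dropped that
    entered from `zone`: the tuple a SOC rule on inbound denies would use."""
    return [
        (r["source-address"], r["destination-address"],
         int(r["destination-port"]), r["policy-name"])
        for r in records
        if r["msgid"] == "RT_FLOW_SESSION_DENY"
        and r.get("source-zone-name") == zone
    ]
```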
Juniper Firewall DHCP Server Configuration

set interface ethernet0/3 dhcp server service
set interface ethernet0/3 dhcp server enable
set interface ethernet0/3 dhcp server option lease 1440000
set interface ethernet0/3 dhcp server option gateway 172.17.1.1
set interface ethernet0/3 dhcp server option netmask 255.255.255.0
set interface ethernet0/3 dhcp server option dns1 168.126.63.1
set interface ethernet0/3 dhcp server ip 172.17.1.10 to 172.17.1.100
unset interface ethernet0/3 dhcp server config next-server-ip
# Setting up a Policy-Based VPN Tunnel

1. Bind interfaces to zones and assign them IP addresses:
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24
2. Set the addresses for the end entities beyond the two ends of the VPN tunnel:
set address trust host1 10.1.1.5/32
set address untrust host2 10.2.2.5/32
3. Define the IKE Phase 1 proposal and Phase 2 proposal. If you use the default proposals, you do not need to
define Phase 1 and Phase 2 proposals.
4. Define the remote gateway:
set ike gateway gw1 address 2.2.2.2 main outgoing-interface ethernet3 preshare netscreen proposal pre-g2-3des-sha
5. Define the VPN tunnel as AutoKey IKE:
set vpn vpn1 gateway gw1 proposal g2-esp-des-md5
6. Set a default route (both the Trust and Untrust zones are in the trust-vr routing domain):
set vrouter trust-vr route 0.0.0.0/0 interface ethernet3 gateway 1.1.1.250
7. Set outbound and inbound policies:
set policy from trust to untrust host1 host2 any tunnel vpn vpn1
set policy from untrust to trust host2 host1 any tunnel vpn vpn1
The procedure for setting up a VPN tunnel for a dialup user with IKE also constitutes up to seven steps.
1. Bind interfaces to zones and assign them IP addresses.
2. Define the protected address that you want the dialup user to be able to access through the tunnel. (See the
set address command.)
3. Define the user as an IKE user. (See the set user command.)
4. Define the IKE Phase 1 proposal, Phase 2 proposal, and remote gateway. (Note: If you use the default
proposals, you do not need to define a Phase 1 or Phase 2 proposal.)
5. Define the VPN tunnel as AutoKey IKE. (See the set vpn command.)
6. Set a default route (both the Trust and Untrust zones are in the trust-vr routing domain).
7. Define an incoming policy, with Dial-Up VPN as the source address and the VPN tunnel you configured in
step 5.
  1. Power off the device by pressing the power button on the front panel and reboot the device.
  2. Turn on the power to the management device.
  3. Power on the device by pressing the power button on the front panel. Verify that the POWER LED on the front panel turns green. The terminal emulation screen on your management device displays the device's boot sequence.
  4. When the autoboot is completed, press the spacebar a few times to access the bootstrap loader prompt.
  5. At the following prompt, enter boot -s to start up the system in single-user mode.
    loader>boot -s
  6. At the following prompt, enter recovery to start the root procedure.
  7. Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery
  8. Enter configuration mode in the CLI.
  9. Set the root password. For example:
    user@host# set system root-authentication plain-text-password
    For more information about configuring the root password, see the System Basics Configuration Guide.
  10. At the following prompt, enter the new root password. For example:
    New password: juniper1
    Retype new password:
  11. At the second prompt, reenter the new root password.
  12. If you are finished configuring the network, commit the configuration.
    root@host# commit
    commit complete
  13. Exit configuration mode in the CLI.
  14. Exit operational mode in the CLI.
  15. At the prompt, enter y to reboot the device.
    Reboot the system? [y/n] y
ScreenOS divides its routing component into two virtual routers—untrust-VR and trust-VR. If you have obtained and loaded a virtual router (VR) software key, you can create a new VR. Multiple VRs can exist, but trust-VR is the default.

Additionally, you can set basic parameters for the untrust-VR and trust-VR and for user-defined VRs. When you set parameters for a VR, you can also configure dynamic routing protocols.

If you configure AutoConnect virtual private network (AC-VPN), you must enable Next-Hop Resolution Protocol (NHRP) on the VR.

To Create or Modify a Virtual Router

  1. Enter the required information:

Virtual Router Name: Indicates the name of the VR.

Virtual Router ID: Indicates one of two settings that identify the VR.

Use System Default: Indicates that the IP address of the VR acts as the ID of the routing instance.

Custom: Enables you to set an IP address to identify the virtual routing instance that is different from the default address.

Management VR: Designates this VR as the management virtual router (MGT VR). A MGT VR supports the out-of-band management infrastructure and segments security device management traffic away from production traffic.

Maximum Route Entry: Indicates the upper limit of the number of routes the VR can store in its routing table.

Unlimited: Indicates that the current virtual routing instance has no upper limit for the number of routes it can store in its routing table.

Set Limit At: Enables you to set a specified upper limit for the number of routes the current VR can store in its routing table.

Maximum ECMP Routes: Enables you to set a specified upper limit for the maximum number of equal cost multipath (ECMP) routes that can exist for each protocol and for static routes in a routing table. Specify 2, 3, or 4. Setting the limit enables ECMP routing so that the security device can perform load balancing between ECMP routes.

Route Lookup Preference: Specifies the order in which the VR performs route lookup, if source-based routing or source interface-based routing (SIBR) is enabled in the VR. The VR checks the routing table with the highest preference value first.

For Destination Routing: Assigns a preference value for the destination-based routing table. The default value is 1. Enter a value between 1 and 255.

For Source Based Routing: Assigns a preference value for the source-based routing table. The default value is 2. Enter a value between 1 and 255.

For Source Interface Based Routing: Assigns a preference value for the SIBR routing table. The default value is 3. Enter a value between 1 and 255.

Use default route: (For the trust-VR only) Adds a default route with the specified VR as the next hop.

Shared and accessible by other vsys: Indicates that the root-level local VR is accessible from a virtual system (vsys). The untrust-VR is, by default, shared by all other vsys.

Ignore Subnet Conflict for Interfaces in This VRouter: Directs the VR to ignore overlapping subnet addresses for interfaces in the VR.

Make This VRouter Default-Vrouter for the System: Sets this VR as the default VR for the vsys. The trust-VR is the default VR for the root system.

Auto Export Route to Untrust-VR: Directs the VR to export public interface routes to the untrust-VR.

Make SNMP Trap Private: (This option is only available for the default root-level VR.) Enables you to make Simple Network Management Protocol (SNMP) traps for the dynamic routing MIBs private for the VR.

Enable Source Based Routing: Enables source based routing on this VR.

Enable Source Interface Based Routing: Enables source interface-based routing on this VR.

Advertise Routes on Inactive Interfaces: Directs the VR to consider active routes on inactive interfaces for advertising.

Permit sync VR configure to NSRP peer: Directs the VR to synchronize its configuration with the VR on its NetScreen Redundancy Protocol (NSRP) peer.

Route Preference: Displays various ways to identify the desirability of a route in the current VR. The lower the value, the more probable the VR will select the route.

Auto Exported: Indicates the level of desirability associated with the decision the current VR makes to select an automatically exported route from other VRs on the network.  

Imported: Indicates the level of desirability associated with the decision the current virtual routing instance makes to select a route imported from another VR on the network.  

EBGP: Indicates the level of desirability associated with the decision the current VR makes to select a route originating from an Exterior Border Gateway Protocol (EBGP) router.

OSPF: Indicates the level of desirability associated with the decision the current VR makes to select a route originating from an Open Shortest Path First (OSPF) router.

RIP/RIPng: Indicates the level of desirability associated with the decision the current VR makes to select a route originating from a Routing Information Protocol (RIP) or a Routing Information Protocol Next Generation (RIPng) router. RIPng is intended only for use in IPv6 networks.

Connected: Indicates the level of desirability associated with the decision the current VR makes to select a route sent from a router that has at least one interface with an IP address assigned to it.

Static: Indicates the level of desirability associated with the decision the current VR makes to select a static or manually configured route.

IBGP: Indicates the level of desirability associated with the decision the current VR makes to select a route originating from an Interior Border Gateway Protocol (IBGP) router.

OSPF External Type 2: Indicates the level of desirability associated with the decision the current VR makes to select OSPF External-Type-2 routes.

  2. Click OK to save your changes and return to the Virtual Router List. Click Apply to continue configuring the VR.

If you clicked Apply, the Dynamic Routing Protocols Support area displays with the following links:

BGP: A link for creating a Border Gateway Protocol (BGP) routing instance. For more information, see Virtual Router BGP Settings.

OSPF: A link for creating an OSPF routing instance. For more information, see OSPF Virtual Router Settings.

RIP: A link for creating a RIP routing instance. For more information, see RIP Virtual Router Settings.

RIPng: A link for creating a RIPng routing instance. For more information, see RIPng Virtual Router Settings.

Next Hop Resolution Protocol (NHRP) Support: If you are configuring AC-VPN, click NHRP Setting to enable NHRP and configure Next Hop Client (NHC) cache entries.

LAN to LAN VPN between two Juniper firewalls in Transparent mode

Summary:
VPN terminates at the Juniper firewall in Transparent mode.
How to configure a Virtual Private Network (VPN) between two Juniper firewalls in Transparent mode.

Problem or Goal:
How is a VPN configured between two Juniper firewalls in Transparent mode?
This example will be based on a VPN between two SSG140s, using ScreenOS 5.4.0r8.0; however, this config is valid with ScreenOS 5.x and 6.x.

Assumptions:

Firewall at Site A and Site B are in Transparent mode and connected to the Internet.
Internal network on the Firewall at Site A is 1.1.1.0 255.255.255.0. The Internet router is at 1.1.1.1, and the VLAN1 IP of the firewall is 1.1.1.50
Internal network on the Firewall at Site B is 1.1.2.0 255.255.255.0. The internet router is at 1.1.2.1, and the VLAN1 IP of the firewall is 1.1.2.50
Assuming both P1 and P2 are using "standard" security level, the Preshare key for P1 is "netscreen", and Replay Protection is disabled.

Solution:
The steps are documented below.

Note that when the Virtual Private Network (VPN) tunnel uses a pair of Juniper firewalls in Transparent mode as the termination point, the security gateway needs to point to the IP address of the peer's VLAN1 interface.
Additionally, the Transparent mode Juniper firewall needs a static route to reach the remote IPSec gateway.

Site A Configuration details:
--------------------------------------

Define address objects

WEBUI:
Select Objects > Addresses > List
Choose V1-Untrust from pull-down menu and click New
Enter following and click OK

    * Address Name: lan-B
    * IP Address/Netmask: 1.1.2.0/24

Choose V1-Trust from pull-down menu and click New
Enter following and click OK

    * Address Name: lan-A
    * IP address/Netmask: 1.1.1.0/24


CLI:
set address v1-trust lan-A 1.1.1.0/24
set address v1-untrust lan-B 1.1.2.0/24

Define IKE gateway (Phase 1)

WEBUI:
Select VPNs > Autokey Advanced > Gateway and click New
Enter following and click OK
  •   Gateway Name: toB
  •   Security Level: Standard
  •   Static IP Address: 1.1.2.50
  •   Preshared Key: netscreen
  •   Outgoing Zone: V1-Untrust

CLI:
set ike gateway toB address 1.1.2.50 main outgoing-zone v1-untrust preshare netscreen sec-level standard

Define IPSec VPN (Phase 2)

WEBUI:
Select VPNs > Autokey IKE and click New
Enter following and click OK
  •   VPN Name: toB
  •   Security Level: Standard
  •   Remote Gateway: Predefined: toB

CLI:
set vpn toB gateway toB sec-level standard

Define policy

WEBUI:
Select Policies and following, then click New
  •   From: V1-Trust
  •   To: V1-Untrust
Enter following and click OK
  •   Source Address: Address Book Entry, lan-A
  •   Destination Address: Address Book Entry, lan-B
  •   Service: ANY
  •   Action: Tunnel
  •   Tunnel: VPN, toB
  •   Modify matching bidirectional VPN policy: check 

CLI:
set policy id 1000 from v1-trust to v1-untrust lan-A lan-B any tunnel vpn toB
set policy id 1001 from v1-untrust to v1-trust lan-B lan-A any tunnel vpn toB pair-policy 1000

Define static route

WEBUI:
Select Network > Routing > Destination, then click New
Enter following and click OK
  • IP Address/Netmask: 0.0.0.0/0
  • Next Hop: Gateway (selected)
  • Interface: VLAN1
  • Gateway IP Address: 1.1.1.1
 
CLI:
set route 0.0.0.0/0 gateway 1.1.1.1

Site B Configuration details:
--------------------------------------

Define address objects

WEBUI:
Select Objects > Addresses > List
Choose V1-Untrust from pull-down menu and click New
Enter following and click OK
  •     Address Name: lan-A
  •     IP Address/Netmask: 1.1.1.0/24
Choose V1-Trust from pull-down menu and click New
Enter following and click OK
  •     Address Name: lan-B
  •     IP address/Netmask: 1.1.2.0/24

CLI:
set address v1-trust lan-B 1.1.2.0/24
set address v1-untrust lan-A 1.1.1.0/24

Define IKE gateway (Phase1)

WEBUI:
Select VPNs > Autokey Advanced > Gateway and click New
Enter following and click OK
  •   Gateway Name: toA
  •   Security Level: Standard
  •   Static IP Address: 1.1.1.50
  •   Preshared Key: netscreen
  •   Outgoing Zone: V1-Untrust

CLI:
set ike gateway toA address 1.1.1.50 main outgoing-zone v1-untrust preshare netscreen sec-level standard


Define IPSec VPN (Phase 2)

WEBUI:
Select VPNs > Autokey IKE and click New
Enter following and click OK
  •   VPN Name: toA
  •   Security Level: Standard
  •   Remote Gateway: Predefined: toA

CLI:
set vpn toA gateway toA sec-level standard


Define policy

WEBUI:
Select Policies and following, then click New
  •   From: V1-Trust
  •   To: V1-Untrust

Enter following and click OK

  •   Source Address: Address Book Entry, lan-B
  •   Destination Address: Address Book Entry, lan-A
  •   Service: ANY
  •   Action: Tunnel
  •   Tunnel: VPN, toA
  •   Modify matching bidirectional VPN policy: check 

CLI:
set policy id 1000 from v1-trust to v1-untrust lan-B lan-A any tunnel vpn toA
set policy id 1001 from v1-untrust to v1-trust lan-A lan-B any tunnel vpn toA pair-policy 1000

Define static route

WEBUI:
Select Network > Routing > Destination, then click New
Enter following and click OK
  • IP Address/Netmask: 0.0.0.0/0
  • Next Hop: Gateway (selected)
  • Interface: VLAN1
  • Gateway IP Address: 1.1.2.1

CLI:
set route 0.0.0.0/0 gateway 1.1.2.1
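As an added example (not part of the KB article and not a Juniper tool), the script below reads the Site A and Site B command lists above with a small parser for the ScreenOS set address / set ike gateway / set vpn / set policy ... tunnel vpn grammar, which is the same grammar the policy-based VPN steps earlier on this page use, and then cross-checks the two sites for the points the Solution calls out: each IKE gateway must target the peer's VLAN1 address (1.1.1.50 and 1.1.2.50 from the Assumptions), preshared keys must match, every tunnel policy must reference a defined VPN and gateway with its address objects in the zones the policy names, and each site needs the static route. The VLAN1 addresses are passed in because they do not appear in the set commands.

```python
# Added example; commands are the KB article's own, VLAN1 addresses from its Assumptions.
SITE_A = """
set address v1-trust lan-A 1.1.1.0/24
set address v1-untrust lan-B 1.1.2.0/24
set ike gateway toB address 1.1.2.50 main outgoing-zone v1-untrust preshare netscreen sec-level standard
set vpn toB gateway toB sec-level standard
set policy id 1000 from v1-trust to v1-untrust lan-A lan-B any tunnel vpn toB
set policy id 1001 from v1-untrust to v1-trust lan-B lan-A any tunnel vpn toB pair-policy 1000
set route 0.0.0.0/0 gateway 1.1.1.1
"""
SITE_B = """
set address v1-trust lan-B 1.1.2.0/24
set address v1-untrust lan-A 1.1.1.0/24
set ike gateway toA address 1.1.1.50 main outgoing-zone v1-untrust preshare netscreen sec-level standard
set vpn toA gateway toA sec-level standard
set policy id 1000 from v1-trust to v1-untrust lan-B lan-A any tunnel vpn toA
set policy id 1001 from v1-untrust to v1-trust lan-A lan-B any tunnel vpn toA pair-policy 1000
set route 0.0.0.0/0 gateway 1.1.2.1
"""

def parse_site(cfg):
    """Collect address objects, IKE gateways, VPNs, tunnel policies and the route gateway."""
    s = {"addr": {}, "gw": {}, "vpn": {}, "pol": [], "route": None}
    for t in (l.split() for l in cfg.splitlines() if l.strip()):
        if t[1] == "address":                # set address <zone> <name> <prefix>
            s["addr"][t[3]] = t[2]
        elif t[1:3] == ["ike", "gateway"]:   # set ike gateway <name> address <peer> ... preshare <key> ...
            s["gw"][t[3]] = (t[5], t[t.index("preshare") + 1])
        elif t[1] == "vpn":                  # set vpn <name> gateway <gw> ...
            s["vpn"][t[2]] = t[4]
        elif t[1] == "policy" and "tunnel" in t:   # ... from <z1> to <z2> <src> <dst> <svc> tunnel vpn <name>
            i = t.index("from")
            s["pol"].append((t[i + 1], t[i + 3], t[i + 4], t[i + 5], t[t.index("vpn") + 1]))
        elif "route" in t[1:4] and "gateway" in t:   # set route ... / set vrouter <vr> route ...
            s["route"] = t[t.index("gateway") + 1]
    return s

def check_pair(a, a_vlan1, b, b_vlan1):
    """Cross-check two transparent-mode sites; an empty list means they agree."""
    out = []
    for name, me, peer, peer_vlan1 in (("A", a, b, b_vlan1), ("B", b, a, a_vlan1)):
        for g, (addr, psk) in me["gw"].items():
            if addr != peer_vlan1:   # in transparent mode the peer is its VLAN1 address
                out.append(f"site {name}: gateway {g} targets {addr}, peer VLAN1 is {peer_vlan1}")
            if psk not in {k for _, k in peer["gw"].values()}:
                out.append(f"site {name}: preshared key of gateway {g} has no match on the peer")
        for z_from, z_to, src, dst, vpn in me["pol"]:
            if me["vpn"].get(vpn) not in me["gw"]:
                out.append(f"site {name}: tunnel policy refers to {vpn}, which has no VPN/gateway")
            for obj, zone in ((src, z_from), (dst, z_to)):
                if me["addr"].get(obj) != zone:
                    out.append(f"site {name}: {obj} is not defined in zone {zone}")
        if me["route"] is None:
            out.append(f"site {name}: no static route to reach the remote IPsec gateway")
    return out
```

Running check_pair on a copy of Site B whose lan-A object was created in v1-trust instead of v1-untrust reports the zone mismatch for both policies of the pair, which is the kind of slip that otherwise only shows up as a tunnel that never passes traffic.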

Note: Technical Documentation

A Transparent mode VPN example is also included in the Technical Documentation:

ScreenOS Concepts & Examples ScreenOS Reference Guide, Volume 5: Virtual Private Networks

Chapter 4 -- Site-to-Site Virtual Private Networks
“Transparent Mode VPN” Example

ScreenOS 5.4: http://www.juniper.net/techpubs/software/screenos/screenos5.4.0/CE_v5.pdf 
ScreenOS 6.0: http://www.juniper.net/techpubs/software/screenos/screenos6.0.0/CE_v5.pdf

Purpose:
Troubleshooting