To resolve the issue, use the following procedure to recover the root password for SRX Branch devices running Junos release versions 10.0R1, 10.0R2, and 10.1R1. It involves disabling the watchdog so that the system can boot properly into single-user mode.

Press the power button on the front panel to power on the router. Verify that the POWER LED on the front panel turns green. The console continuously displays the boot messages.
When the prompt appears, press the spacebar to access the router's bootstrap loader and type these commands:
Hit [Enter] to boot immediately, or space bar for command prompt.
Booting [kernel] in 9 seconds...

Loader>
Loader> watchdog disable
Loader> boot -s

The firewall starts up in single-user mode. In single-user mode, a multiuser operating system such as Junos boots into a single superuser shell. Single-user mode is mainly used for maintenance of multi-user environments such as network servers.
At the prompt, enter "recovery" to start the root password recovery procedure.
System watchdog timer disabled
Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery
The device enters operational mode directly, without asking for a user ID or password.
Starting CLI ...

root@host> edit

In configuration mode, set the root password.
root@host# set system root-authentication plain-text-password
On pressing the return key, type in the new root password. Re-enter the new root password when the second prompt appears.

New password: juniper1
Retype new password: juniper1
Commit the changes.
root@host# commit
commit complete
Reboot the device.
root@host# run request system reboot
Reboot the system ? [yes,no] (no) yes

The boot messages are displayed on the console.
Press the spacebar once to access the router's bootstrap loader prompt. This sequence appears on the console:
Hit [Enter] to boot immediately, or space bar for command prompt.
Booting [kernel] in 9 seconds...

Loader>
Loader> watchdog enable
Loader> boot
The device reboots again and this time asks for a user ID and password. Enter the newly configured password.
Wed Jun 16 14:20:21 UTC 2010
Amnesiac (ttyu0)
login: root
Password: juniper1
For more information, refer to PR499745.

Modification History
2019-08-28: Article reviewed for accuracy. Only applicable on the specific versions
request system zeroize    (factory reset)
reboot
set system root-authentication plain-text-password
commit
show system chassis       ,, capital J: Juniper
set chassis cluster disable reboot   (disable the HA cluster)
delete interfaces vlan unit 0 family inet address 192.168.1.222/24
root# show | display set
request system power-off at now    (system shutdown)

SRX IPSec Tunnel Sample
root@SRX_Test# show | display set | no-more
set version 15.1X49-D90.7
set system host-name SRX_Test
set system root-authentication encrypted-password "$5$ZZrR8Xx5$ZPpG6X5ugNL7s0dHqj.URP4v6YhfzLqkDk3TrtfWHh8"
set system name-server 8.8.8.8
set system login user isd uid 2001
set system login user isd class super-user
set system login user isd authentication encrypted-password "$5$7i/tv6W2$eU0ilDNMbZQhZHff4gUFbtqTFIwigO3SiY8yqpD/.n0"
set security ike proposal IKE-PROPOSAL authentication-method pre-shared-keys
set security ike proposal IKE-PROPOSAL dh-group group5
set security ike proposal IKE-PROPOSAL authentication-algorithm sha1
set security ike proposal IKE-PROPOSAL encryption-algorithm 3des-cbc
set security ike proposal IKE-PROPOSAL lifetime-seconds 28800
set security ike policy IKE-POLICY mode main
set security ike policy IKE-POLICY proposals IKE-PROPOSAL
set security ike policy IKE-POLICY pre-shared-key ascii-text "$9$-nd4aJGiqPQdbmTQ3tp0BIhlM7Nbg4Z8L2aZU.mcylvNd"
set security ike gateway VPN-GATEWAY ike-policy IKE-POLICY
set security ike gateway VPN-GATEWAY address 10.1.2.201
set security ike gateway VPN-GATEWAY dead-peer-detection interval 10
set security ike gateway VPN-GATEWAY dead-peer-detection threshold 1
set security ike gateway VPN-GATEWAY nat-keepalive 10
set security ike gateway VPN-GATEWAY external-interface ge-0/0/0.0
set security ipsec proposal IPSEC-PROPOSAL protocol esp
set security ipsec proposal IPSEC-PROPOSAL authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC-PROPOSAL encryption-algorithm 3des-cbc
set security ipsec proposal IPSEC-PROPOSAL lifetime-seconds 86400
set security ipsec policy IPSEC-POLICY perfect-forward-secrecy keys group5
set security ipsec policy IPSEC-POLICY proposals IPSEC-PROPOSAL
set security ipsec vpn IPSEC-VPN bind-interface st0.1
set security ipsec vpn IPSEC-VPN ike gateway VPN-GATEWAY
set security ipsec vpn IPSEC-VPN ike proxy-identity local 172.15.0.0/24
set security ipsec vpn IPSEC-VPN ike proxy-identity remote 172.15.1.0/24
set security ipsec vpn IPSEC-VPN ike proxy-identity service any
set security ipsec vpn IPSEC-VPN ike ipsec-policy IPSEC-POLICY
set security ipsec vpn IPSEC-VPN establish-tunnels immediately
set security flow tcp-mss ipsec-vpn mss 1350
set security nat source rule-set src-nat from zone trust
set security nat source rule-set src-nat to zone untrust
set security nat source rule-set src-nat rule r1 match source-address 0.0.0.0/0
set security nat source rule-set src-nat rule r1 then source-nat interface
set security forwarding-process enhanced-services-mode
set security policies from-zone trust to-zone untrust policy permit-all match source-address any
set security policies from-zone trust to-zone untrust policy permit-all match destination-address any
set security policies from-zone trust to-zone untrust policy permit-all match application any
set security policies from-zone trust to-zone untrust policy permit-all then permit
set security policies from-zone trust to-zone vpn policy permit-all match source-address any
set security policies from-zone trust to-zone vpn policy permit-all match destination-address any
set security policies from-zone trust to-zone vpn policy permit-all match application any
set security policies from-zone trust to-zone vpn policy permit-all then permit
set security policies from-zone vpn to-zone trust policy permit-all match source-address any
set security policies from-zone vpn to-zone trust policy permit-all match destination-address any
set security policies from-zone vpn to-zone trust policy permit-all match application any
set security policies from-zone vpn to-zone trust policy permit-all then permit
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
set security zones security-zone vpn interfaces st0.1
set interfaces ge-0/0/0 unit 0 family inet address 10.1.2.115/24
set interfaces ge-0/0/1 unit 0 family inet address 172.15.0.1/24
set interfaces st0 unit 1 family inet
set routing-options static route 0.0.0.0/0 next-hop 10.1.2.1
set routing-options static route 172.15.1.0/24 next-hop st0.1
[edit]
root@SRX_Test# run show security ike sa
Index State Initiator cookie Responder cookie Mode Remote Address
6299423 UP f51982a09b260851 3fcd24f6bec6f419 Main 10.1.2.201
6299424 UP 25885c239e958271 92d1dde980db90c8 Main 10.1.2.201
[edit]
root@SRX_Test# run show security ipsec sa
Total active tunnels: 1
ID Algorithm SPI Life:sec/kb Mon lsys Port Gateway
<131073 ESP:3des/sha1 44d00f02 84435/unlim - root 500 10.1.2.201
>131073 ESP:3des/sha1 46f0dfb7 84435/unlim - root 500 10.1.2.201
[edit]
root@SRX_Test#
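The sample above negotiates IKEv1 main mode with 3DES, SHA-1 and DH group 5, and its policies are any/any/any permits with every system service reachable on both zones. As an added example (not from the original post), this linter walks a Junos "show | display set" dump and flags those settings; the weak-algorithm sets are this example's own thresholds, and the input is the relevant lines of the SRX_Test configuration.

```python
"""Lint a Junos 'show | display set' dump for weak IKE/IPsec crypto and
over-permissive security settings. Added example, not from the original
post; the weak-algorithm sets below are this example's own thresholds."""

# Constructed sample: the crypto, policy and zone lines of the SRX_Test config above.
SAMPLE = """\
set security ike proposal IKE-PROPOSAL authentication-method pre-shared-keys
set security ike proposal IKE-PROPOSAL dh-group group5
set security ike proposal IKE-PROPOSAL authentication-algorithm sha1
set security ike proposal IKE-PROPOSAL encryption-algorithm 3des-cbc
set security ike policy IKE-POLICY mode main
set security ipsec proposal IPSEC-PROPOSAL protocol esp
set security ipsec proposal IPSEC-PROPOSAL authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC-PROPOSAL encryption-algorithm 3des-cbc
set security ipsec policy IPSEC-POLICY perfect-forward-secrecy keys group5
set security policies from-zone trust to-zone untrust policy permit-all match source-address any
set security policies from-zone trust to-zone untrust policy permit-all match destination-address any
set security policies from-zone trust to-zone untrust policy permit-all match application any
set security policies from-zone trust to-zone untrust policy permit-all then permit
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
"""

WEAK_ENC = {"des-cbc", "3des-cbc"}
WEAK_AUTH = {"md5", "sha1", "hmac-md5-96", "hmac-sha1-96"}
WEAK_DH = {"group1", "group2", "group5"}          # 768/1024/1536-bit MODP
# (keyword that precedes the value, set of weak values, finding label)
CRYPTO_CHECKS = (
    ("encryption-algorithm", WEAK_ENC, "weak cipher"),
    ("authentication-algorithm", WEAK_AUTH, "weak integrity"),
    ("dh-group", WEAK_DH, "weak DH group"),
    ("keys", WEAK_DH, "weak PFS group"),          # perfect-forward-secrecy keys <group>
)
ANY_ANY_PERMIT = {"match source-address any", "match destination-address any",
                  "match application any", "then permit"}


def parse_set_lines(text):
    """Yield the tokens after 'set' for every 'set ...' statement."""
    for line in text.splitlines():
        tok = line.split()
        if tok[:1] == ["set"]:
            yield tok[1:]


def lint(text):
    findings = []
    policies = {}   # (from-zone, to-zone, policy name) -> set of match/then fragments
    for tok in parse_set_lines(text):
        stmt = " ".join(tok)
        if tok[:2] in (["security", "ike"], ["security", "ipsec"]):
            for key, weak, label in CRYPTO_CHECKS:
                if key in tok:
                    idx = tok.index(key)
                    if idx + 1 < len(tok) and tok[idx + 1] in weak:
                        findings.append(f"{label} '{tok[idx + 1]}': {stmt}")
            if tok[-2:] == ["mode", "main"]:
                findings.append(f"IKEv1 main mode; IKEv2 not in use: {stmt}")
        elif tok[:2] == ["security", "policies"] and "policy" in tok:
            # security policies from-zone A to-zone B policy NAME <match ...|then ...>
            i = tok.index("policy")
            policies.setdefault((tok[3], tok[5], tok[i + 1]), set()).add(" ".join(tok[i + 2:]))
        elif (tok[:3] == ["security", "zones", "security-zone"]
              and tok[-3:] == ["host-inbound-traffic", "system-services", "all"]):
            findings.append(f"all system services reachable from zone {tok[3]} via {tok[5]}: {stmt}")
    for (src, dst, name), frags in policies.items():
        if ANY_ANY_PERMIT <= frags:
            findings.append(f"any/any/any permit: from-zone {src} to-zone {dst} policy {name}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

Run against the sample it reports ten findings: two weak ciphers, two weak integrity algorithms, the DH and PFS groups, IKEv1 main mode, the two open zones and the any/any/any policy.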
======================================================================================================================================================
FWF90D3Z13006231 # get vpn ipsec tunnel details
gateway
name: 'VPN-GW'
type: route-based
local-gateway: 10.1.2.201:0 (static)
remote-gateway: 10.1.2.115:0 (static)
mode: ike-v1
interface: 'wan1' (6)
rx packets: 0 bytes: 0 errors: 0
tx packets: 0 bytes: 0 errors: 7870
dpd: on-demand/negotiated idle: 20000ms retry: 3 count: 0
selectors
name: 'VPN-TUNNEL'
auto-negotiate: disable
mode: tunnel
src: 0:172.15.1.0/255.255.255.0:0
dst: 0:172.15.0.0/255.255.255.0:0
SA
lifetime/rekey: 86400/79426
mtu: 1446
tx-esp-seq: 1
replay: enabled
inbound
spi: 46f0dfb7
enc: 3des 6b1ddb0ba8c46a879e22dd055ae0c5b643983f4d68d72ff1
auth: sha1 ce45021dbfac556674600ff9cb08faf7d942d48f
outbound
spi: 44d00f02
enc: 3des aa81515e22c7e8eefce24d6ff740b1b3c4cec463d6dd15b5
auth: sha1 69dff90febd00f5d4e64637c73dec32527ddbba7
NPU acceleration: none
FWF90D3Z13006231 #
FWF90D3Z13006231 # get vpn ip tunnel summary
'VPN-GW' 10.1.2.115:0 selectors(total,up): 1/1 rx(pkt,err): 0/0 tx(pkt,err): 0/7902
FWF90D3Z13006231 # get ipsec tunnel list
NAME REMOTE-GW PROXY-ID-SOURCE PROXY-ID-DESTINATION STATUS TIMEOUT
VPN-GW 10.1.2.115:0 172.15.1.0/255.255.255.0 172.15.0.0/255.255.255.0 up 79367
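Both ends of the tunnel are shown above, the SRX with "show security ipsec sa" and the FortiGate with "get vpn ipsec tunnel details". As an added example (not from the original post), this script parses the two outputs, checks that the SPIs cross over (each side's inbound SPI is the other's outbound), that algorithms and proxy-IDs/selectors mirror, and notices the FortiGate counters: the SA is up but only transmit errors are counted and nothing is received. The inputs are constructed from the page's outputs with the session keys omitted; the SRX proxy identities are taken from its configuration, since the Junos SA table does not list them.

```python
"""Cross-check one IPsec SA from both ends of the tunnel shown above: the Junos
'show security ipsec sa' table on the SRX and the FortiOS 'get vpn ipsec tunnel
details' output on the FortiGate. Added example, not part of the original post;
both inputs are constructed from the outputs on this page (key material omitted)."""
import ipaddress
import re

SRX_SA = """\
<131073 ESP:3des/sha1 44d00f02 84435/unlim - root 500 10.1.2.201
>131073 ESP:3des/sha1 46f0dfb7 84435/unlim - root 500 10.1.2.201
"""
# Junos keeps proxy identities in the configuration, not in the SA table.
SRX_PROXY = {"local": "172.15.0.0/24", "remote": "172.15.1.0/24"}

FGT_DETAILS = """\
rx packets: 0 bytes: 0 errors: 0
tx packets: 0 bytes: 0 errors: 7870
src: 0:172.15.1.0/255.255.255.0:0
dst: 0:172.15.0.0/255.255.255.0:0
inbound
spi: 46f0dfb7
enc: 3des KEY-OMITTED
auth: sha1 KEY-OMITTED
outbound
spi: 44d00f02
enc: 3des KEY-OMITTED
auth: sha1 KEY-OMITTED
"""


def parse_srx_sa(text):
    """'<' rows are inbound SAs and '>' rows outbound, from the SRX's point of view."""
    sas = {}
    for line in text.splitlines():
        m = re.match(r"([<>])\d+\s+ESP:(\S+)/(\S+)\s+([0-9a-f]+)", line)
        if m:
            side = "inbound" if m.group(1) == "<" else "outbound"
            sas[side] = {"enc": m.group(2), "auth": m.group(3), "spi": m.group(4)}
    return sas


def parse_fgt_details(text):
    info = {"inbound": {}, "outbound": {}, "selectors": {}, "counters": {}}
    side = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("inbound", "outbound"):
            side = line
            continue
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key in ("src", "dst"):
            # proto:address/netmask:port -> normalise the network to prefix form
            info["selectors"][key] = str(ipaddress.ip_network(val.split(":")[1]))
        elif key in ("rx packets", "tx packets"):
            m = re.match(r"(\d+) bytes: \d+ errors: (\d+)", val)
            info["counters"][key[:2]] = {"pkts": int(m.group(1)), "errors": int(m.group(2))}
        elif side and key in ("spi", "enc", "auth"):
            info[side][key] = val.split()[0]
    return info


def cross_check(srx, proxy, fgt):
    issues = []
    # Each side names SPIs from its own viewpoint, so they must cross over.
    if srx["inbound"]["spi"] != fgt["outbound"]["spi"]:
        issues.append("SRX inbound SPI does not match FortiGate outbound SPI")
    if srx["outbound"]["spi"] != fgt["inbound"]["spi"]:
        issues.append("SRX outbound SPI does not match FortiGate inbound SPI")
    for side in ("inbound", "outbound"):
        for alg in ("enc", "auth"):
            if srx[side][alg] != fgt[side][alg]:
                issues.append(f"{side} {alg} differs: {srx[side][alg]} vs {fgt[side][alg]}")
    # Proxy IDs mirror: SRX local == FortiGate dst, SRX remote == FortiGate src.
    if (proxy["local"], proxy["remote"]) != (fgt["selectors"]["dst"], fgt["selectors"]["src"]):
        issues.append("proxy-ID / selector mismatch")
    tx, rx = fgt["counters"]["tx"], fgt["counters"]["rx"]
    if tx["errors"] and rx["pkts"] == 0:
        issues.append(f"SA is up but FortiGate shows {tx['errors']} tx errors and no rx packets: "
                      "look at routing and policy rather than IKE")
    return issues


if __name__ == "__main__":
    for issue in cross_check(parse_srx_sa(SRX_SA), SRX_PROXY, parse_fgt_details(FGT_DETAILS)):
        print(issue)
```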
[SSL VPN] Configuration

AxGate# show running-config 
aos v2.1-x86(2.5-r28000)
!
hostname AxGate
!
username change password duration 60
username axroot privilege 15 password 5 8.ktW$kkQKSeYoc1JbA0nWqfQhiLhGIYulzXSPkjZ86cLUZ96
!
clock timezone KST 9 
!
config sync manual 
config sync group ip service time target
config sync signature
config sync parameters
config sync aip
config sync arp-sniff
config sync policy userauth security nat
config sync admin network
config sync l2-tunnel
!
config full-sync exclude ha
config full-sync exclude hostname
config full-sync exclude full-sync
config full-sync exclude sync
config full-sync exclude vrrp
!
healthcheck threshold 600
!
security zone dmz
security zone ssl
security zone trust
security zone untrust
security zone any
!
logging
 console kernel off
 memory system severity informational
 memory audit
 memory session
 memory application
 memory ipsec
 memory anti-ddos
 memory ips
 memory anti-spam
 memory anti-virus
 memory sslvpn
 memory userauth
 file option size 50 alert 7 purge 5
 file system audit session application ipsec anti-ddos ips anti-spam anti-virus sslvpn userauth
!
statistics log at 01:00:00
!
report
 option top count 10
 language html korean
!
arp max-entries 8192
!
ip domain-lookup timeout 1 retry 1
!
ip dhcp server lease-check icmp svpn0
!
ip dhcp pool ssl
 network 50.0.0.0 255.255.255.0
 range 50.0.0.10 50.0.0.50
 classless-routes 7.7.1.10/32 50.0.0.1
 lease 1 0 0
!
ipv6 neighbor max-entries 1024
!
ip igmp max-memberships 20
!
interface lo
 ip address 127.0.0.1/8
!
interface eth0-0
 ip address 10.10.11.116/24
 security-zone untrust
 no shutdown
!
interface eth0-1
 ip address 7.7.2.1/24
 security-zone trust
 no shutdown
!
interface eth0-2
 shutdown
!
interface eth0-3
 shutdown
!
interface eth0-4
 shutdown
!         
interface eth0-5
 shutdown
!
interface eth0-6
 shutdown
!
interface eth0-7
 shutdown
!
interface eth0-8
 shutdown
!
interface eth0-9
 shutdown
!
interface bond0
 bonding mode balance-rr
 bonding link-check miimon 1
 shutdown
!
interface svpn0
 mtu 1426
 sslvpn heartbeat interval 500 threshold 10
 sslvpn proto tcp port 7900 queue 16384
 sslvpn key 1q2w3e
 sslvpn algorithm aes128 aes128
 sslvpn source eth0-0
 ip address 50.0.0.1/24
 security-zone ssl
 no shutdown
!
ip route 0.0.0.0/0 10.10.11.1
ip route 7.7.1.0/24 10.10.11.118
!
security parameters
 no offloading
 control-no3way-timeout
 session-timeout generic 1800
 session-timeout icmp 10
 session-timeout tcp 3600
 session-timeout udp 60
 state-timeout tcp syn-sent 120
 state-timeout tcp syn-recv 60
 state-timeout tcp no3way-est 60
 state-timeout tcp fin-wait 120
 state-timeout tcp close-wait 60
 state-timeout tcp last-ack 30
 state-timeout tcp time-wait 120
 state-timeout tcp reset 3
 session-limit 4500002
 logging firewall
 logging ha session-synced
 logging security-policy expired
 logging nat-policy expired
 logging ipsec
 logging ips
 logging anti-ddos
 logging anti-spam
 logging anti-virus
 logging application
 logging sslvpn
 logging userauth
 accounting firewall
 accounting ips
 accounting anti-ddos
 accounting anti-spam
 accounting anti-virus
 accounting ipsec
 accounting application
 top-statistics update-time 10
 top-statistics topn-count 10
 qos priority queue length 10
 qos priority queue restore-time 10000
 qos priority queue host-lifetime 60
 nat entry-limit 5000
 reference update-time 600
 use-abbreviated-shell
!
security signature timeout connection 10 transaction 60
security signature retry connection 3
security signature code 20
!
ddns
 update-period 600
!
service group acmsoda
 proto tcp sport any dport eq 6969
!
service group ats
 proto tcp sport any dport eq 2201
!
service group avt-profile
 proto tcp sport any dport eq 5004
!
service group bgp
 proto tcp sport any dport eq 179
!
service group blp2
 proto tcp sport any dport eq 8195
!
service group bootpc
 proto udp sport any dport eq 68
!
service group bootps
 proto udp sport any dport eq 67
!
service group dcube(default)
 proto esp
 proto udp sport any dport eq 7900
!
service group dhcpv6-server
 proto tcp sport any dport eq 547
!
service group dns
 proto tcp sport any dport eq 53
 proto udp sport any dport eq 53
!
service group fodms
 proto udp sport any dport eq 7200
!
service group ftp
 proto tcp sport any dport eq 21
!
service group ftps
 proto tcp sport any dport eq 990
!
service group h263-video
 proto tcp sport any dport eq 2979
!
service group h323gatedisc
 proto tcp sport any dport eq 1718
!
service group h323gatestat
 proto tcp sport any dport eq 1719
!
service group h323hostcall
 proto tcp sport any dport eq 1720
!         
service group h323hostcallsc
 proto tcp sport any dport eq 1300
!
service group hostmon
 proto udp sport any dport eq 5355
!
service group hpvipgrp
 proto tcp sport any dport eq 5223
!
service group http
 proto tcp sport any dport eq 80
!
service group https
 proto tcp sport any dport eq 443
!
service group ike
 proto udp sport any dport eq 500
!
service group imap
 proto tcp sport any dport eq 143
 proto tcp sport any dport eq 993
!
service group imaps
 proto tcp sport any dport eq 993
!
service group kerberos
 proto tcp sport any dport eq 88
!
service group kerberos_v5
 proto tcp sport any dport eq 464
!
service group l2tp
 proto udp sport any dport eq 1701
!
service group ldap
 proto tcp sport any dport eq 389
!
service group ldaps
 proto tcp sport any dport eq 636
!
service group mdns
 proto udp sport any dport eq 5353
!
service group mevent
 proto tcp sport any dport eq 7900
!         
service group microsoft-ds
 proto tcp sport any dport eq 445
!
service group mindprintf
 proto tcp sport any dport eq 8033
!
service group mms
 proto tcp sport any dport eq 1755
 proto udp sport any dport eq 1755
!
service group ms-sql
 proto udp sport any dport eq 1434
 proto tcp sport any dport eq 1433
!
service group ms-sql-m
 proto udp sport any dport eq 1434
!
service group ms-sql-s
 proto tcp sport any dport eq 1433
!
service group mysql
 proto tcp sport any dport eq 3306
!         
service group netbios
 proto udp sport any dport multi 137 138 139
!
service group netbios-dgm
 proto udp sport any dport eq 138
!
service group netbios-ns
 proto udp sport any dport eq 137
!
service group netbios-ssn
 proto udp sport any dport eq 139
!
service group ntp
 proto udp sport any dport eq 123
!
service group oracle
 proto tcp sport any dport eq 1521
!
service group oracle-em2
 proto tcp sport any dport eq 1754
!
service group oracle-vp1
 proto tcp sport any dport eq 1809
!
service group oracle-vp2
 proto tcp sport any dport eq 1808
!
service group pharos
 proto tcp sport any dport eq 4443
!
service group pop3
 proto tcp sport any dport eq 110
 proto tcp sport any dport eq 995
!
service group pptp
 proto udp sport any dport eq 1723
!
service group proshare-mc-2
 proto tcp sport any dport eq 1674
!
service group radius-account
 proto tcp sport any dport eq 1813
!
service group radius-auth
 proto tcp sport any dport eq 1812
!         
service group regacy_radius
 proto tcp sport any dport multi 1645 1646
!
service group rsync
 proto tcp sport any dport eq 873
!
service group rtsp
 proto tcp sport any dport eq 554
!
service group sabams
 proto tcp sport any dport eq 2760
!
service group sftp
 proto tcp sport any dport eq 115
!
service group smtp
 proto tcp sport any dport eq 25
!
service group smtps
 proto tcp sport any dport eq 465
!
service group snapp
 proto tcp sport any dport eq 2333
!
service group snmp
 proto udp sport any dport eq 161
!
service group snmptrap
 proto udp sport any dport eq 162
!
service group ssdp
 proto udp sport any dport eq 1900
!
service group ssh
 proto tcp sport any dport eq 22
!
service group stun
 proto udp sport any dport eq 3478
!
service group syslog
 proto udp sport any dport eq 514
!
service group tcslap
 proto tcp sport any dport eq 2869
!
service group telnet
 proto tcp sport any dport eq 23
!
service group teradataordbms
 proto tcp sport any dport eq 8002
!
service group teredo
 proto udp sport any dport eq 3544
!
service group tftp-mcast
 proto tcp sport any dport eq 1758
!
service group unicall
 proto tcp sport any dport eq 4343
!
service group vcom-tunnel
 proto tcp sport any dport eq 8001
!
service group webcache
 proto tcp sport any dport eq 8080
!
service group www
 proto tcp sport any dport eq 80
 proto tcp sport any dport eq 443
!
service group www-ldap-gw
 proto tcp sport any dport eq 1760
!
service group x11-ssh-offset
 proto tcp sport any dport eq 6010
!
service group xmpp-client
 proto tcp sport any dport eq 5222
!
password policy admin
 length 9 16
 character-count upper 1 lower 1 digit 1 special 1
 impossible sequential-count asc 3 same 3 qwerty-right 3
 impossible contain-word id password 6
!
password policy user
 length 9 16
 character-count english 1 digit 1 special 1
!
userauth http port 10444 secure-port 10443
userauth http-install port 4443
userauth factor ip
userauth expire-timeout 24 expire-update delete-timeout 65535 connection-timeout 1
userauth max-connections 1000
userauth server priority local
userauth username mskang password 5 bJoq0$vdlEf8FVv1CqhdC3eFev.L0z0f/dAVUgCrhy3tyrFG7
userauth username test01 password 5 bJo35$EflVN/ufphqDzV8ZS498mrMv93yI9GSE2Vy6AjBJTd5
userauth username test02 password 5 4DmRC$d9M.Cb93m.JZWBFX6mcfuB9wEMJAbFCZiY/w0TzcD8C
userauth group special
userauth group special username mskang
userauth group special username test01
userauth group special username test02
!
application http option url-cache 10000
!
ip userauth policy from ssl to trust 1
 source any
 destination any
 action authenticate
 enable
!
ip userauth policy from ssl to untrust 1
 source any
 destination any
 action authenticate
 enable
!
security policy index 3
!
ip security policy from ssl to trust 10 id 1
 source any
 destination any
 action pass log
 enable
!
ip security policy from ssl to untrust 10 id 3
 source any
 destination any
 tcp-mss 1300
 action pass log
 enable
!
vrrp vmac disable
!
line vty
 exec-timeout 10 0
 telnet port 2333
 ssh port 2222
 http secure-port 4433
 login server request-condition auth-fail
 login server priority local
 login server privilege default monitor
!
end

AxGate#
Juniper Firewall Transparent mode config (Example)
 
Management
set interface vlan1 ip 1.1.1.1/24
set interface vlan1 manage web
set interface vlan1 manage telnet
set interface vlan1 manage ssh
set interface vlan1 manage ping
 
Interfaces
set interface ethernet0/1 ip 0.0.0.0/0
set interface ethernet0/1 zone v1-trust
set interface ethernet0/3 ip 0.0.0.0/0
set interface ethernet0/3 zone v1-untrust
 
V1-Trust Zone
set zone v1-trust manage web
set zone v1-trust manage telnet
set zone v1-trust manage ping
 
Addresses
set address v1-trust FTP_Server 1.1.1.5/32
set address v1-trust Mail_Server 1.1.1.10/32
 
Route
set vrouter trust-vr route 0.0.0.0/0 interface vlan1 gateway 1.1.1.250 metric 1
 
Policies
set policy from v1-trust to v1-untrust any any any permit
set policy from v1-untrust to v1-trust any Mail_Server mail permit
set policy from v1-untrust to v1-trust any FTP_Server ftp-get permit
admin@PA-VM> configure
admin@PA-VM# set deviceconfig system ip-address 192.168.200.63 netmask 255.255.255.0 default-gateway 192.168.200.254 dns-setting servers primary 8.8.8.8

If you have ever worked on any Juniper box with the JUNOS CLI, you will feel at home when working on a Palo Alto firewall appliance.

Operational Mode and Configuration Modes

username@hostname> (Operational mode)
username@hostname> configure
Entering configuration mode
[edit]
username@hostname# (Configuration mode)

Moving between Modes

up: changes the context to one level up in the hierarchy.
Example:
[edit network interface] (network interface level)
username@hostname# up
[edit network]
username@hostname# (now at the network level)

top: changes the context to the top level of the hierarchy.
Example:
[edit network interface vlan] (network interface vlan level)
username@hostname# top
[edit]
username@hostname# (now at the top level)

Changing modes
username@hostname# exit

Software Version, Mgmt Address etc.
admin@PA-VM> show system info

Grep/Match
admin@PA-VM> show system info | match model
model: PA-VM

Find commands with the following keyword
username@hostname# find command keyword hsm

Restart Appliance
> request restart system

Show Configuration Hierarchy
username@hostname# show network interface ethernet
ethernet {
  ethernet1/1 {
    virtual-wire;
  }
  ethernet1/2 {
    virtual-wire;
  }
  ethernet1/3 {
    layer2 {
      units {
        ethernet1/3.1;
      }
    }
  }
  ethernet1/4;
}
[edit]
username@hostname#

Configure IP Address on a given Port
Assign IP address/netmask 10.1.1.12/24 to the Layer 3 interface for the Ethernet port ethernet1/4:
[edit]
username@hostname# set network interface ethernet ethernet1/4 layer3 ip 10.1.1.12/24

Check pending changes (uncommitted)
username@hostname# check pending-changes

Save a snapshot of the firewall configuration or the device state files
username@hostname# save config to savefile

Get HW Address of Interfaces
> show system state | match hwaddr

Routing Table
> show routing route

Show running-configuration
admin@PA-VM# show

Logs
admin@PA-VM> less mp-log ?   (you will see all possible logs)

Packet Capture:
admin@PA-VM> debug dataplane packet-diag set log on
admin@PA-VM> debug dataplane packet-diag set filter on
admin@PA-VM> debug dataplane packet-diag set filter match source <ip Address>

Removing Filters
If the setting command shows two filters configured and you want to remove one of them, use:
admin@PA-VM> debug dataplane packet-diag clear filter <filter number>

Export pcap file
scp export filter-pcap from <file> to <SCP_serv>

Viewing Packets Hitting the Filter in live mode
admin@PA-VM> view-pcap follow yes filter-pcap test1_capture

Show Packet Capture Setting
admin@PA-VM> debug dataplane packet-diag show setting

Management Traffic Capture:
The management interface is eth0.
admin@PA-VM> tcpdump filter "dst 49.0.0.254"
Press Ctrl-C to stop capturing
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
^C
11 packets captured
22 packets received by filter
0 packets dropped by kernel
admin@PA-VM> view-pcap mgmt-pcap mgmt.pcap

Show all Sessions
> show session all
LAN to LAN VPN between two Juniper firewalls in Transparent mode

Summary:
VPN terminates at the Juniper firewall in Transparent mode.
How to configure a Virtual Private Network (VPN) between two Juniper firewalls in Transparent mode.

Problem or Goal:
How is a VPN configured between two Juniper firewalls in Transparent mode?
This example is based on a VPN between two SSG140s running ScreenOS 5.4.0r8.0; however, the configuration is valid for ScreenOS 5.x and 6.x.

Assumptions:

Firewall at Site A and Site B are in Transparent mode and connected to the Internet.
Internal network on the Firewall at Site A is 1.1.1.0 255.255.255.0. The Internet router is at 1.1.1.1, and the VLAN1 IP of the firewall is 1.1.1.50.
Internal network on the Firewall at Site B is 1.1.2.0 255.255.255.0. The Internet router is at 1.1.2.1, and the VLAN1 IP of the firewall is 1.1.2.50.
Both P1 and P2 use the "standard" security level, the preshared key for P1 is "netscreen", and Replay Protection is disabled.

Solution:
The steps are documented below.

Note that when the Virtual Private Network (VPN) tunnel uses a pair of Juniper firewalls in Transparent mode as the termination point, the security gateway needs to point to the IP address of the peer's VLAN1 interface.
Additionally, the Transparent mode Juniper firewall needs a static route to reach the remote IPSec gateway.



Site A Configuration details:
--------------------------------------

Define address objects

WEBUI:
Select Objects > Addresses > List
Choose V1-Untrust from pull-down menu and click New
Enter following and click OK
  •   Address Name: lan-B
  •   IP Address/Netmask: 1.1.2.0/24
Choose V1-Trust from pull-down menu and click New
Enter following and click OK
  •   Address Name: lan-A
  •   IP Address/Netmask: 1.1.1.0/24

CLI:
set address v1-trust lan-A 1.1.1.0/24
set address v1-untrust lan-B 1.1.2.0/24



Define IKE gateway (Phase 1)



WEBUI:
Select VPNs > Autokey Advanced > Gateway and click New
Enter following and click OK
  •   Gateway Name: toB
  •   Security Level: Standard
  •   Static IP Address: 1.1.2.50
  •   Preshared Key: netscreen
  •   Outgoing Zone: V1-Untrust

CLI:
set ike gateway toB address 1.1.2.50 main outgoing-zone v1-untrust preshare netscreen sec-level standard



Define IPSec VPN (Phase 2)



WEBUI:
Select VPNs > Autokey IKE and click New
Enter following and click OK
  •   VPN Name: toB
  •   Security Level: Standard
  •   Remote Gateway: Predefined: toB

CLI:
set vpn toB gateway toB sec-level standard



Define policy



WEBUI:
Select Policies, enter the following, then click New
  •   From: V1-Trust
  •   To: V1-Untrust
Enter following and click OK
  •   Source Address: Address Book Entry, lan-A
  •   Destination Address: Address Book Entry, lan-B
  •   Service: ANY
  •   Action: Tunnel
  •   Tunnel: VPN, toB
  •   Modify matching bidirectional VPN policy: check

CLI:
set policy id 1000 from v1-trust to v1-untrust lan-A lan-B any tunnel vpn toB
set policy id 1001 from v1-untrust to v1-trust lan-B lan-A any tunnel vpn toB pair-policy 1000



Define static route



WEBUI:
Select Network > Routing > Destination, then click New
Enter following and click OK
  • IP Address/Netmask: 0.0.0.0/0
  • Next Hop: Gateway (selected)
  • Interface: VLAN1
  • Gateway IP Address: 1.1.1.1
 
CLI:
set route 0.0.0.0/0 gateway 1.1.1.1

 


Site B Configuration details:
--------------------------------------

Define address objects



WEBUI:
Select Objects > Addresses > List
Choose V1-Untrust from pull-down menu and click New
Enter following and click OK
  •     Address Name: lan-A
  •     IP Address/Netmask: 1.1.1.0/24
Choose V1-Trust from pull-down menu and click New
Enter following and click OK
  •     Address Name: lan-B
  •     IP address/Netmask: 1.1.2.0/24

CLI:
set address v1-trust lan-B 1.1.2.0/24
set address v1-untrust lan-A 1.1.1.0/24



Define IKE gateway (Phase1)



WEBUI:
Select VPNs > Autokey Advanced > Gateway and click New
Enter following and click OK
  •   Gateway Name: toA
  •   Security Level: Standard
  •   Static IP Address: 1.1.1.50
  •   Preshared Key: netscreen
  •   Outgoing Zone: V1-Untrust

CLI:
set ike gateway toA address 1.1.1.50 main outgoing-zone v1-untrust preshare netscreen sec-level standard


Define IPSec VPN (Phase 2)



WEBUI:
Select VPNs > Autokey IKE and click New
Enter following and click OK
  •   VPN Name: toA
  •   Security Level: Standard
  •   Remote Gateway: Predefined: toA

CLI:
set vpn toA gateway toA sec-level standard


Define policy



WEBUI:
Select Policies, enter the following, then click New
  •   From: V1-Trust
  •   To: V1-Untrust

Enter following and click OK

  •   Source Address: Address Book Entry, lan-B
  •   Destination Address: Address Book Entry, lan-A
  •   Service: ANY
  •   Action: Tunnel
  •   Tunnel: VPN, toA
  •   Modify matching bidirectional VPN policy: check

CLI:
set policy id 1000 from v1-trust to v1-untrust lan-B lan-A any tunnel vpn toA
set policy id 1001 from v1-untrust to v1-trust lan-A lan-B any tunnel vpn toA pair-policy 1000



Define static route



WEBUI:
Select Network > Routing > Destination, then click New
Enter following and click OK
  • IP Address/Netmask: 0.0.0.0/0
  • Next Hop: Gateway (selected)
  • Interface: VLAN1
  • Gateway IP Address: 1.1.2.1
CLI:
set route 0.0.0.0/0 gateway 1.1.2.1
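The two sites above have to mirror each other: each IKE gateway must point at the peer's VLAN1 address, the local LAN object belongs in v1-trust and the remote one in v1-untrust, the tunnel policies must reference those objects in the right zones, and a default route must exist. As an added example (not from the original KB article), this checker parses both CLI blocks plus the VLAN1 addresses from the Assumptions and reports where the ends disagree. SITE_B_CLI is the Site B block exactly as printed on the page, whose lan-A object sits in v1-trust although the WebUI steps put it in V1-Untrust, so the checker flags it; SITE_B_FIXED moves the object and passes clean.

```python
"""Consistency check for the two-site ScreenOS transparent-mode VPN above.
Added example, not from the original KB article: it parses each site's CLI
block plus the VLAN1 address from the Assumptions and verifies that the two
ends mirror each other. SITE_B_CLI is the page's Site B block as written."""

SITE_A_CLI = """\
set address v1-trust lan-A 1.1.1.0/24
set address v1-untrust lan-B 1.1.2.0/24
set ike gateway toB address 1.1.2.50 main outgoing-zone v1-untrust preshare netscreen sec-level standard
set vpn toB gateway toB sec-level standard
set policy id 1000 from v1-trust to v1-untrust lan-A lan-B any tunnel vpn toB
set policy id 1001 from v1-untrust to v1-trust lan-B lan-A any tunnel vpn toB pair-policy 1000
set route 0.0.0.0/0 gateway 1.1.1.1
"""
SITE_B_CLI = """\
set address v1-trust lan-B 1.1.2.0/24
set address v1-trust lan-A 1.1.1.0/24
set ike gateway toA address 1.1.1.50 main outgoing-zone v1-untrust preshare netscreen sec-level standard
set vpn toA gateway toA sec-level standard
set policy id 1000 from v1-trust to v1-untrust lan-B lan-A any tunnel vpn toA
set policy id 1001 from v1-untrust to v1-trust lan-A lan-B any tunnel vpn toA pair-policy 1000
set route 0.0.0.0/0 gateway 1.1.2.1
"""
# Same block with the remote LAN object in v1-untrust, as the WebUI steps describe.
SITE_B_FIXED = SITE_B_CLI.replace("set address v1-trust lan-A", "set address v1-untrust lan-A")


def after(tok, key):
    """Value following keyword `key` in a ScreenOS 'set' command, or None."""
    return tok[tok.index(key) + 1] if key in tok else None


def parse_site(cli):
    site = {"addr": {}, "gw": {}, "vpn": {}, "policy": {}, "routes": []}
    for line in cli.splitlines():
        t = line.split()
        if t[:2] == ["set", "address"]:            # set address <zone> <name> <net>
            site["addr"][t[3]] = {"zone": t[2], "net": t[4]}
        elif t[:3] == ["set", "ike", "gateway"]:
            site["gw"][t[3]] = {"peer": after(t, "address"), "zone": after(t, "outgoing-zone")}
        elif t[:2] == ["set", "vpn"]:
            site["vpn"][t[2]] = after(t, "gateway")
        elif t[:3] == ["set", "policy", "id"]:     # set policy id N from A to B SRC DST SVC ...
            site["policy"][t[3]] = {"from": t[5], "to": t[7], "src": t[8], "dst": t[9],
                                    "vpn": after(t, "vpn"), "pair": after(t, "pair-policy")}
        elif t[:2] == ["set", "route"]:
            site["routes"].append((t[2], after(t, "gateway")))
    return site


def check_site(name, local, peer):
    """Findings for `local`, given the peer's VLAN1 address and address objects."""
    f = []
    for gname, gw in local["gw"].items():
        if gw["peer"] != peer["vlan1"]:
            f.append(f"{name}: gateway {gname} points at {gw['peer']}, peer VLAN1 is {peer['vlan1']}")
    if not any(dst == "0.0.0.0/0" for dst, _ in local["routes"]):
        f.append(f"{name}: no default route, so the remote IPSec gateway is unreachable")
    for pid, p in local["policy"].items():
        if p["vpn"] is None:
            continue
        if local["vpn"].get(p["vpn"]) not in local["gw"]:
            f.append(f"{name}: policy {pid} tunnels to undefined VPN/gateway {p['vpn']}")
        src, dst = local["addr"].get(p["src"]), local["addr"].get(p["dst"])
        if src is None or dst is None:
            f.append(f"{name}: policy {pid} references an undefined address object")
        elif (src["zone"], dst["zone"]) != (p["from"], p["to"]):
            f.append(f"{name}: policy {pid} is {p['from']}->{p['to']} but {p['src']} is in "
                     f"{src['zone']} and {p['dst']} in {dst['zone']}")
        if p["pair"] is not None and p["pair"] not in local["policy"]:
            f.append(f"{name}: policy {pid} pairs with missing policy {p['pair']}")
    # What this site protects (v1-trust) must be what the peer defined as remote (v1-untrust).
    mine = {a["net"] for a in local["addr"].values() if a["zone"] == "v1-trust"}
    theirs = {a["net"] for a in peer["addr"].values() if a["zone"] == "v1-untrust"}
    if mine != theirs:
        f.append(f"{name}: trusted networks {sorted(mine)} != peer's remote networks {sorted(theirs)}")
    return f


def audit(a_cli, a_vlan1, b_cli, b_vlan1):
    a, b = parse_site(a_cli), parse_site(b_cli)
    a["vlan1"], b["vlan1"] = a_vlan1, b_vlan1
    return check_site("Site A", a, b) + check_site("Site B", b, a)


if __name__ == "__main__":
    for finding in audit(SITE_A_CLI, "1.1.1.50", SITE_B_CLI, "1.1.2.50"):
        print(finding)
    print("fixed:", audit(SITE_A_CLI, "1.1.1.50", SITE_B_FIXED, "1.1.2.50"))
```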

 


Note: Technical Documentation

A Transparent mode VPN example is also included in the Technical Documentation:

ScreenOS Concepts & Examples ScreenOS Reference Guide, Volume 5: Virtual Private Networks
Chapter 4 -- Site-to-Site Virtual Private Networks
"Transparent Mode VPN" Example

ScreenOS 5.4: http://www.juniper.net/techpubs/software/screenos/screenos5.4.0/CE_v5.pdf
ScreenOS 6.0: http://www.juniper.net/techpubs/software/screenos/screenos6.0.0/CE_v5.pdf

Purpose:
Troubleshooting