


Part 1:


Code block: lab config
lab@vSRX-1# show | display set    
set version 15.1X49-D90.7
set system host-name vSRX-1
set system root-authentication encrypted-password "$5$wLJg.4U3$CKyEttCSIQEJMc65XcP1VSeqM.tFF5yOxs6oQpxsy0."
set system login user lab uid 2000
set system login user lab class super-user
set system login user lab authentication encrypted-password "$5$s6Wv7AVW$eNGzs/eoTLe6mr7/tZhlRpTSShhqcWav5uHO1/oWWW6"
set system services ssh
set system services web-management http interface fxp0.0
set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system syslog file AppSecure-log any any
set system syslog file AppSecure-log match RT_FLOW
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set security policies global policy Untrust-HTTP match source-address any
set security policies global policy Untrust-HTTP match destination-address any
set security policies global policy Untrust-HTTP match application junos-http
set security policies global policy Untrust-HTTP match application custom-http-8080
set security policies global policy Untrust-HTTP match from-zone Untrust
set security policies global policy Untrust-HTTP match to-zone Server
set security policies global policy Untrust-HTTP then permit
set security policies global policy Untrust-DNS match source-address any
set security policies global policy Untrust-DNS match destination-address any
set security policies global policy Untrust-DNS match application junos-dns-tcp
set security policies global policy Untrust-DNS match application junos-dns-udp
set security policies global policy Untrust-DNS match from-zone Untrust
set security policies global policy Untrust-DNS match to-zone Server
set security policies global policy Untrust-DNS then permit
set security zones security-zone Server host-inbound-traffic system-services any-service
set security zones security-zone Server interfaces ge-0/0/4.0
set security zones security-zone Server interfaces ge-0/0/2.0
set security zones security-zone Untrust interfaces ge-0/0/3.0
set interfaces ge-0/0/1 unit 0 family inet address 10.0.100.1/24
set interfaces ge-0/0/2 unit 0 family inet address 10.0.1.1/24
set interfaces ge-0/0/3 unit 0 family inet address 172.18.1.2/30
set interfaces ge-0/0/4 unit 0 family inet policer input RL
set interfaces ge-0/0/4 unit 0 family inet address 172.16.10.1/24
set interfaces fxp0 unit 0 family inet address 172.25.11.1/24
set interfaces lo0 unit 0 family inet address 192.168.1.1/32
set routing-options static route 0.0.0.0/0 next-hop 172.18.1.1
set firewall policer RL if-exceeding bandwidth-limit 1m
set firewall policer RL if-exceeding burst-size-limit 20k
set firewall policer RL then discard
set applications application custom-http-8080 protocol tcp
set applications application custom-http-8080 destination-port 8080


lab@vSRX-2# show | display set    
set version 15.1X49-D70.3
set system host-name vSRX-2
set system root-authentication encrypted-password "$5$wLJg.4U3$CKyEttCSIQEJMc65XcP1VSeqM.tFF5yOxs6oQpxsy0."
set system login user lab uid 2000
set system login user lab class super-user
set system login user lab authentication encrypted-password "$5$s6Wv7AVW$eNGzs/eoTLe6mr7/tZhlRpTSShhqcWav5uHO1/oWWW6"
set system services ssh
set system services web-management http interface fxp0.0
set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set security forwarding-options family mpls mode packet-based
set security zones security-zone all host-inbound-traffic system-services any-service
set security zones security-zone all host-inbound-traffic protocols all
set security zones security-zone all interfaces all
deactivate security zones
set interfaces ge-0/0/1 unit 0 family inet address 10.0.100.2/24
set interfaces ge-0/0/2 unit 0 family inet address 10.0.1.2/24
set interfaces ge-0/0/2 unit 0 family iso
set interfaces ge-0/0/3 unit 0 family inet address 172.18.2.2/30
set interfaces ge-0/0/6 unit 0 family inet address 172.16.10.200/24
set interfaces fxp0 unit 0 family inet address 172.25.11.2/24
set interfaces lo0 unit 0 family inet address 192.168.1.2/32
set interfaces lo0 unit 0 family iso address 49.0001.1921.6800.1002.00
set routing-options static route 0.0.0.0/0 next-hop 172.18.2.1
set routing-options static route 172.16.1.100/32 next-hop 172.18.2.1
set protocols isis interface ge-0/0/2.0 level 1 disable
set protocols isis interface lo0.0 level 1 disable
deactivate protocols



Part 2:

AppFW and AppID


Code block: part 2
show configuration security application-firewall
show configuration security policies global policy Untrust-HTTP
show configuration system syslog

[edit]
lab@vSRX-1# show security application-firewall | display set 
set security application-firewall rule-sets protect-server rule HTTP match dynamic-application junos:HTTP
set security application-firewall rule-sets protect-server rule HTTP then permit
set security application-firewall rule-sets protect-server default-rule deny

[edit]
lab@vSRX-1# show security policies global policy Untrust-HTTP | display set  
set security policies global policy Untrust-HTTP match source-address any
set security policies global policy Untrust-HTTP match destination-address any
set security policies global policy Untrust-HTTP match application junos-http
set security policies global policy Untrust-HTTP match application custom-http-8080
set security policies global policy Untrust-HTTP match from-zone Untrust
set security policies global policy Untrust-HTTP match to-zone Server
set security policies global policy Untrust-HTTP then permit application-services application-firewall rule-set protect-server
set security policies global policy Untrust-HTTP then log session-init
set security policies global policy Untrust-HTTP then log session-close

[edit]
lab@vSRX-1# show system syslog | display set 
set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system syslog file AppSecure-log any any
set system syslog file AppSecure-log match RT_FLOW


Part 3:

Custom Application Signature


Code block: part 3
show configuration services application-identification
show configuration security application-firewall

lab@vSRX-1> show configuration services application-identification | display set 
set services application-identification no-application-system-cache
set services application-identification application AJSEC-FILES over HTTP signature s-01 member m01 context http-header-host
set services application-identification application AJSEC-FILES over HTTP signature s-01 member m01 pattern "(.*\.)?(ajsecserver.ajsec.juniper.net)"
set services application-identification application AJSEC-FILES over HTTP signature s-01 member m01 direction client-to-server
set services application-identification application AJSEC-FILES over HTTP signature s-01 member m02 context http-url-parsed
set services application-identification application AJSEC-FILES over HTTP signature s-01 member m02 pattern /files/
set services application-identification application AJSEC-FILES over HTTP signature s-01 member m02 direction client-to-server

lab@vSRX-1> show configuration security application-firewall | display set 
set security application-firewall rule-sets protect-server rule AJSEC-FILES match dynamic-application AJSEC-FILES
set security application-firewall rule-sets protect-server rule AJSEC-FILES then deny
set security application-firewall rule-sets protect-server rule HTTP match dynamic-application junos:HTTP
set security application-firewall rule-sets protect-server rule HTTP then permit
set security application-firewall rule-sets protect-server default-rule deny


Part 4:

AppTrack


Code block: AppTrack
show configuration firewall 
show configuration interfaces ge-0/0/4 
show configuration security application-tracking 
show configuration security zones security-zone Server 
show configuration security policies global policy FTP-Unstrust


lab@vSRX-1> show configuration firewall | display set 
set firewall policer RL if-exceeding bandwidth-limit 1m
set firewall policer RL if-exceeding burst-size-limit 20k
set firewall policer RL then discard
set firewall policer ftp-policer if-exceeding bandwidth-limit 1m
set firewall policer ftp-policer if-exceeding burst-size-limit 20k
set firewall policer ftp-policer then discard

lab@vSRX-1> show configuration interfaces ge-0/0/4 | display set 
set interfaces ge-0/0/4 unit 0 family inet policer input ftp-policer
set interfaces ge-0/0/4 unit 0 family inet address 172.16.10.1/24

lab@vSRX-1> show configuration security application-tracking | display set 
set security application-tracking first-update
set security application-tracking session-update-interval 2

lab@vSRX-1> show configuration security zones security-zone Server | display set 
set security zones security-zone Server host-inbound-traffic system-services any-service
set security zones security-zone Server interfaces ge-0/0/4.0
set security zones security-zone Server interfaces ge-0/0/2.0
set security zones security-zone Server application-tracking

lab@vSRX-1> show configuration security policies global policy FTP-Unstrust | display set 
set security policies global policy FTP-Unstrust match source-address any
set security policies global policy FTP-Unstrust match destination-address any
set security policies global policy FTP-Unstrust match application junos-ftp
set security policies global policy FTP-Unstrust match from-zone Untrust
set security policies global policy FTP-Unstrust match to-zone Server
set security policies global policy FTP-Unstrust then permit


Part 5:

APBR


Code block: APBR configuration
lab@vSRX-1> show configuration security policies global policy Untrust-SSH | display set 
set security policies global policy Untrust-SSH match source-address any
set security policies global policy Untrust-SSH match destination-address any
set security policies global policy Untrust-SSH match application junos-ssh
set security policies global policy Untrust-SSH match from-zone Untrust
set security policies global policy Untrust-SSH match to-zone Server
set security policies global policy Untrust-SSH then permit

lab@vSRX-1> show configuration routing-instances APBR | display set 
set routing-instances APBR instance-type forwarding
set routing-instances APBR routing-options static route 0.0.0.0/0 next-hop 10.0.1.2

lab@vSRX-1> show configuration routing-options rib-groups | display set 
set routing-options rib-groups APBR import-rib inet.0
set routing-options rib-groups APBR import-rib APBR.inet.0
set routing-options rib-groups APBR import-policy block-rts

lab@vSRX-1> show configuration routing-options interface-routes | display set 
set routing-options interface-routes rib-group inet APBR




Code block: APBR show commands

show services application-identification application-system-cache
show security advance-policy-based-routing statistics
show security flow session

[edit routing-options]
lab@vSRX-1# run show security flow session 
Session ID: 46634, Policy name: Untrust-SSH/7, Timeout: 1202, Valid
  In: 172.16.1.100/41256 --> 172.16.10.100/22;tcp, Conn Tag: 0x0, If: ge-0/0/3.0, Pkts: 20, Bytes: 2764, 
  Out: 172.16.10.100/22 --> 172.16.1.100/41256;tcp, Conn Tag: 0x0, If: ge-0/0/4.0, Pkts: 20, Bytes: 4436, 
Total sessions: 1

[edit routing-options]
lab@vSRX-1# run show security flow session    
Session ID: 46798, Policy name: Untrust-SSH/7, Timeout: 1796, Valid
  In: 172.16.1.100/41005 --> 172.16.10.100/22;tcp, Conn Tag: 0x0, If: ge-0/0/3.0, Pkts: 20, Bytes: 2764, 
  Out: 172.16.10.100/22 --> 172.16.1.100/41005;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 20, Bytes: 4436, 
Total sessions: 1

[edit routing-options]
lab@vSRX-1# run show security advance-policy-based-routing stat
                                                               ^
'stat' is ambiguous.
Possible completions:
  statistics           Show advance-policy-based-routing statistics
  status               Show advance-policy-based-routing status
[edit routing-options]
lab@vSRX-1# run show security advance-policy-based-routing statistics  
Advance Profile Based Routing statistics:
  Session Processed:                     214
  ASC Success:                           2
  Rule match success:                    2
  Route  modified:                       2
  AppID Requested:                       158

[edit routing-options]
lab@vSRX-1#
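An added check, not part of this lab page and not Juniper tooling: a Python script that parses the two `show security flow session` outputs and the APBR statistics shown above and confirms that APBR actually steered the SSH session, i.e. that its egress interface moved from ge-0/0/4.0 (the Server zone interface) to ge-0/0/2.0, which faces the APBR instance's next-hop 10.0.1.2 on vSRX-2. The sample strings are the page's own output pasted as constants; the regular expressions assume the field layout of the 15.1X49 output as it appears on this page, and the rule that "Rule match success" should equal "Route modified" is the author's interpretation of the counters, not a documented Junos invariant.

```python
"""Verify from vSRX CLI output that APBR re-routed a session.

Parses 'show security flow session' and 'show security
advance-policy-based-routing statistics' text and cross-checks them.
"""
import re

# Constructed sample input: the session dumps and counters from this page.
SESSION_BEFORE = """\
Session ID: 46634, Policy name: Untrust-SSH/7, Timeout: 1202, Valid
  In: 172.16.1.100/41256 --> 172.16.10.100/22;tcp, Conn Tag: 0x0, If: ge-0/0/3.0, Pkts: 20, Bytes: 2764,
  Out: 172.16.10.100/22 --> 172.16.1.100/41256;tcp, Conn Tag: 0x0, If: ge-0/0/4.0, Pkts: 20, Bytes: 4436,
Total sessions: 1
"""

SESSION_AFTER = """\
Session ID: 46798, Policy name: Untrust-SSH/7, Timeout: 1796, Valid
  In: 172.16.1.100/41005 --> 172.16.10.100/22;tcp, Conn Tag: 0x0, If: ge-0/0/3.0, Pkts: 20, Bytes: 2764,
  Out: 172.16.10.100/22 --> 172.16.1.100/41005;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 20, Bytes: 4436,
Total sessions: 1
"""

APBR_STATS = """\
Advance Profile Based Routing statistics:
  Session Processed:                     214
  ASC Success:                           2
  Rule match success:                    2
  Route  modified:                       2
  AppID Requested:                       158
"""

# Field layout assumed from the 15.1X49 output shown on this page.
SESSION_RE = re.compile(
    r"^Session ID: (?P<sid>\d+), Policy name: (?P<policy>[^/]+)/(?P<pid>\d+), "
    r"Timeout: (?P<timeout>\d+), (?P<state>\w+)$"
)
WING_RE = re.compile(
    r"^\s*(?P<dir>In|Out): (?P<src>[\d.]+)/(?P<sport>\d+) --> "
    r"(?P<dst>[\d.]+)/(?P<dport>\d+);(?P<proto>\w+), Conn Tag: (?P<tag>\S+), "
    r"If: (?P<ifname>\S+), Pkts: (?P<pkts>\d+), Bytes: (?P<bytes>\d+),?\s*$"
)


def parse_flow_sessions(text):
    """Return a list of sessions; each has an 'In' and an 'Out' wing dict."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            s = m.groupdict()
            s["sid"] = int(s["sid"])
            s["wings"] = {}
            sessions.append(s)
            continue
        w = WING_RE.match(line)
        if w and sessions:
            wing = w.groupdict()
            for k in ("sport", "dport", "pkts", "bytes"):
                wing[k] = int(wing[k])
            sessions[-1]["wings"][wing.pop("dir")] = wing
    return sessions


def egress_interface(session):
    """The 'Out' wing's 'If:' is where return traffic enters, which is the
    interface the forward direction of the session leaves on."""
    return session["wings"]["Out"]["ifname"]


def parse_apbr_statistics(text):
    """Turn the counter table into a dict; inner whitespace in keys is
    normalised so 'Route  modified' becomes 'Route modified'."""
    stats = {}
    for line in text.splitlines():
        if ":" in line and not line.rstrip().endswith(":"):
            key, _, value = line.partition(":")
            if value.strip().isdigit():
                stats[" ".join(key.split())] = int(value)
    return stats


def verify_apbr(before_text, after_text, stats_text, expected_egress):
    """Cross-check the before/after sessions and the counters.
    Returns a dict of findings a reviewer can assert on."""
    before = parse_flow_sessions(before_text)[0]
    after = parse_flow_sessions(after_text)[0]
    stats = parse_apbr_statistics(stats_text)
    return {
        "same_policy": before["policy"] == after["policy"],
        "egress_before": egress_interface(before),
        "egress_after": egress_interface(after),
        "egress_changed": egress_interface(before) != egress_interface(after),
        "egress_as_expected": egress_interface(after) == expected_egress,
        # Interpretation (assumption): every rule hit should have changed the
        # route; a gap would point at the APBR instance lacking a usable route.
        "every_rule_hit_rerouted":
            stats.get("Rule match success") == stats.get("Route modified"),
    }


if __name__ == "__main__":
    for k, v in verify_apbr(SESSION_BEFORE, SESSION_AFTER, APBR_STATS, "ge-0/0/2.0").items():
        print(f"{k}: {v}")
```

Feeding it a live capture instead of the constants (for example the output of `run show security flow session` before and after committing the rib-group) gives a quick regression check that a later policy or routing change has not silently undone the APBR steering.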