George Kaminski
Systems Engineer Tech Lead
INTRODUCTIONS
Before we get started:
What is your name?
Where do you work?
What is your primary role in your organization?
What kind of network experience do you have?
What is the most important thing for you to learn in this training session?
www.juniper.net
COURSE CONTENTS
Contents:
Chapter 1: Course Introduction
Chapter 2: Junos OS Overview
Chapter 3: Branch SRX Series Overview
Chapter 4: High-End SRX Series Overview
Chapter 5: SRX Concepts and Features
Chapter 6: Junos OS Command Line Interface (CLI) Introduction
Chapter 7: Other Security Products of Interest
Complete Hands on Labs 1 - 4
PREREQUISITES
The prerequisites for this course are the following:
Basic networking knowledge
Understanding of the OSI model and TCP/IP
Basic familiarity with the use and deployment of firewalls and IPsec
COURSE ADMINISTRATION
The basics:
Sign-in sheet
Schedule
Class times
Breaks
Lunch
EDUCATION MATERIALS
Available materials for classroom-based and instructor-led online classes:
Lecture material
Lab guide
Lab equipment
ADDITIONAL RESOURCES
For those who want more:
Juniper Networks Technical Assistance Center (JTAC)
http://www.juniper.net/support/requesting-support.html
Documentation
Online: http://www.juniper.net/techpubs/
Image files for offline viewing:
http://www.juniper.net/techpubs/resources/cdrom.html
Certification resources
http://www.juniper.net/training/certification/resources.html
SATISFACTION FEEDBACK
Class feedback
eLearning courses
Courses:
http://www.juniper.net/training/technical_education/
CERTIFICATION PREPARATION
Training and study resources:
Juniper Networks Certification Program website:
www.juniper.net/certification
Education Services training classes:
www.juniper.net/training
Juniper Networks documentation and white papers:
www.juniper.net/techpubs
Community:
J-Net: http://forums.juniper.net/t5/Training-Certification-and/bd-p/Training_and_Certification
Twitter: @JuniperCertify
FIND US ONLINE
http://www.juniper.net/jnet
http://www.juniper.net/facebook
http://www.juniper.net/youtube
http://www.juniper.net/twitter
JUNOS OS:
THE POWER OF ONE OPERATING SYSTEM
Deployed since 1998
Figure: one Junos OS across the SRX Series (security), MX Series and M Series (routers), QFX Series (switches) and J Series.
One OS: reduces the time and effort needed to operate network infrastructure, delivers functionality stably, reduces OPEX and simplifies management.
One Architecture: scalable software for growing needs; reduces TCO.
Figure: Junos OS modular architecture. A kernel controls the modules and manages communication between them; functional modules (interfaces, routing, management, ... module n) are isolated from one another, which allows rapid isolation of faults, and expose well-defined interfaces for expansion of functions and platforms. The control plane is separated from the data plane.
Figure: the control plane (Routing Engine) is separated from the data plane (Packet Forwarding Engine). The same routing, switching, security and services functions are deployed at headquarters, branch and campus sites.
Figure: Branch SRX value proposition. Unified management and best price/performance, with IPS and AppSecure, antivirus, antispam, web filtering, routing/WAN, and WLAN, LAN and switching in one device.
Figure: Branch SRX Series portfolio, from small office to large branch/regional office.
SRX100: fixed configuration, 8 x FE, 1 GB DRAM (small office)
SRX110: fixed configuration, VDSL2 WAN, 8 x FE, 1 GB DRAM (small office)
SRX210: WAN slot, 2 x GigE, PoE, 1 GB DRAM (small to medium office)
SRX220, SRX240: small to medium office
SRX550, SRX650: large branch/regional office
Across the line: NGFW, UTM and ease of use; best-of-breed antivirus, antispam and web filtering; cloud-based AV (Sophos); in-line IPS; AppSecure.
Copyright 2013 Juniper Networks, Inc.
Table: Branch SRX models.
Model            Configuration               Content security HW acceleration   FW/IPS performance
SRX100/SRX110    Fixed                       No                                 700/60 Mbps
SRX210E          1 mini-PIM slot             Optional                           850/85 Mbps
SRX220           2 mini-PIM slots            Standard                           950/100 Mbps
SRX240           4 mini-PIM slots            Optional                           1800/230 Mbps
SRX550           2 mini-PIM, 6 GPIM slots    -                                  -
SRX650           8 GPIM slots                -                                  -
Descriptions on the slide: highly configurable; extensive integration; routing and switching capabilities; exceptional performance and availability; hardware-assisted control and data plane separation.
Figure: Branch SRX interface modules.
Mini-PIMs (supported on SRX210/220/240/550): T1/E1, serial (EIA/TIA-232, EIA/TIA-530, EIA/TIA-530A; line coding NRZ, NRZI), ADSL, G.SHDSL, VDSL2, DOCSIS 3.0, 1 x GE SFP (supported SFPs: LX, SX, BX, T or copper).
GPIMs (supported on SRX550/650): 16 x GE and 24 x GE with the full set of L2 switching features, 2 x 10GE SFP+/copper, 8 x SFP, 8 x serial, 4 x T1/E1, 2 x T1/E1, 1 x DS3.
Wireless LAN: AX411 dual-radio access point, WLA access points, WLC2 controller.
Wireless WAN: EVDO/HSPA/WiMAX/LTE.
Dates on the slide: MAY 2012 and JAN 2013.
Figure: Branch SRX security and connectivity features: firewall, VPN, IPS, AppSecure, antivirus, enhanced web filtering, antispam; 802.11n WLAN; 3G/4G, WiMAX and LTE; physical interfaces.
SRX100
Ideal for small sites and managed telecommuters. Full security features: firewall and VPN; UTM with IPS, AppSecure, antivirus and more.
On-board Ethernet: 8 x FE
Power over Ethernet: none
WAN slots: none
Content security acceleration: no
Junos release: 11.1
Firewall performance: 700 Mbps / 200 Mbps
Firewall + routing PPS (64-byte packets): 70 Kpps
VPN performance (AES-256+SHA-1 / 3DES+SHA-1): 65 Mbps
IPS performance: 60 Mbps
New sessions per second: 2K CPS
Concurrent sessions: 16K / 32K
Antivirus performance: 25 Mbps / 90 Mbps
High availability: N/A
SRX110
Figure: front, backup 3G WAN; back, primary VDSL WAN.
On-board Ethernet: 8 x FE
Primary WAN: VDSL2 with ADSL2 fallback
Backup WAN: 3G; one (total 2)
Content security acceleration: no
Firewall performance: 700 Mbps / 200 Mbps
Firewall + routing PPS (64-byte packets): 65 Kpps
VPN performance (AES-256+SHA-1 / 3DES+SHA-1): 65 Mbps
IPS performance: 60 Mbps
New sessions per second: 2K CPS
Concurrent sessions: 16K / 32K
Antivirus performance: 25 Mbps / 90 Mbps
High availability: N/A
SRX210E
Ideal for small branches.
On-board Ethernet: 2 x GE + 6 x FE
Power over Ethernet (802.3af, 802.3at): 4 ports, 50 W total
WAN slots: 1 x mini-PIM
USB ports: 2
Content security acceleration: yes
Junos release: 11.1
Firewall performance: 850 Mbps / 250 Mbps
Firewall + routing PPS (64-byte packets): 95 Kpps
VPN performance (AES-256+SHA-1 / 3DES+SHA-1): 85 Mbps
IPS performance: 85 Mbps
New sessions per second: 2,200 CPS
Concurrent sessions: 32K / 64K
Antivirus performance: 25 Mbps / 250 Mbps
High availability: A/A or A/P
SRX220
Ideal for small and medium branches.
On-board Ethernet: 8 x GE
Power over Ethernet (802.3af, 802.3at): 8 ports GE, 120 W
WAN slots: 2 x mini-PIM
USB ports: 2
Content security acceleration: yes
Junos release: 11.1
Firewall performance: 950 Mbps / 300 Mbps
Firewall + routing PPS (64-byte packets): 125 Kpps
VPN performance (AES-256+SHA-1 / 3DES+SHA-1): 100 Mbps
IPS performance: 100 Mbps
New sessions per second: 3K CPS
Concurrent sessions: 96K
Antivirus performance: 34 Mbps / 300 Mbps
High availability: A/A or A/P
SRX240
SRX240H2 (SEPT 2012): 2 GB DRAM, 2 GB flash.
On-board Ethernet: 16 x GE
Power over Ethernet (802.3af, 802.3at): 16 ports GE, 150 W
WAN slots: 4 x mini-PIM
USB ports (flash): 2
Content security acceleration: yes
Junos release: 11.4R5
Firewall performance: 1.8 Gbps / 600 Mbps
Firewall + routing PPS (64-byte packets): 200 Kpps
VPN performance (AES-256+SHA-1 / 3DES+SHA-1): 300 Mbps
IPS performance: 230 Mbps
New sessions per second: 9K CPS
Concurrent sessions: 128K / 256K
Antivirus performance: 85 Mbps / 750 Mbps
High availability: A/A or A/P
SRX550 (FRS Junos 12.1)
Ideal for enterprise medium to large branches, and an ideal office-in-a-box solution for managed services or commercial business.
SRX550 offers comprehensive routing and security services, high density on-board and modular interfaces, GPIM online insertion and removal*, 700 Kpps routing performance and 1 Gbps IPsec performance.
On-board Ethernet: 10 x GE (6 copper, 4 SFP)
WAN slots: 2 mini-PIM, 6 x GPIM
USB ports (flash): 2
Content security accelerator (ExpressAV and Intrusion Detection and Prevention): yes
Junos release: 12.1
Firewall performance: 5.5 Gbps / 1.7 Gbps
Firewall + routing PPS (64-byte packets): 700 Kpps
VPN performance (AES-256+SHA-1 / 3DES+SHA-1): 1.0 Gbps
IPS performance: 800 Mbps
New sessions per second: 27K CPS
Concurrent sessions: 375K
Antivirus performance: 300 Mbps / 1.5 Gbps
High availability: A/A or A/P
SRX650
Modular: LAN switching; Services Routing Processors with optional redundancy; power supplies with optional redundancy (dual power); hot-swap GPIMs.
On-board Ethernet: 4 x GE
Power over Ethernet: 48 ports GE, 250 W or 500 W
WAN slots: 8 x GPIM
USB ports: 2 per processor
Content security acceleration: yes
Junos release: 11.1
Firewall performance: 7.0 Gbps / 2.5 Gbps
Firewall + routing PPS (64-byte packets): 850 Kpps
VPN performance (AES-256+SHA-1 / 3DES+SHA-1): 1.5 Gbps
IPS performance: 1 Gbps
New sessions per second: 35K CPS
Concurrent sessions: 512K
Antivirus performance: 350 Mbps / 1.9 Gbps
High availability: A/A or A/P
More choices for 3G/LTE WAN: a 3G/LTE USB modem, or the standalone CX111 3G bridge. Choose from 90+ modems from every major manufacturer*. A tightly coupled system speeds deployment and gives higher reliability.
BRANCH SRX: ADVANCED SECURITY PLATFORM
Figure: core security on the Branch SRX against external threats from the Internet and internal threats: IPS, antivirus, antispam (stops spam/phishing) and content filtering.
J-WEB WIZARDS
Configuration wizards (JAN 2013, available on all Branch SRX platforms): initial device setup, firewall, NAT, VPN.
Figure: high-speed fabric technology on the high-end SRX: expandable chassis, linear scalability, pools of processing and I/O cards, industry's top performance, carrier-class reliability, and the power of one OS with one release train.
Figure: high-end SRX portfolio, SRX1400, SRX3400, SRX3600 and SRX5600, shown alongside the ScreenOS ISG1000, ISG2000, NS-5200 and NS-5400. Scalable performance with rich standard services: firewall, VPN, IPS, full routing, QoS, application security, role-based firewall, extensible security services and integrated networking services.
SRX3600 summary from the slide: 5U, 6+6 CFM, 8+4 GE, 2 RE*, 2+2 PS, 30/10/10G (firewall/IPS/VPN), 2M sessions, 175 kcps.
Traffic traversing the NP-IOC does not have to traverse the services gateway bus to a remote network processing card (NPC).
Figure: packet path through the SRX5000 with network processing integrated in the IOC. Ingress packet on the I/O card -> network processing (flow lookup, classification, DoS/DDoS policing, fabric oversubscription control) -> fabric -> Services Processing Cards (firewall/VPN/IDP, NAT/routing) -> fabric -> egress (QoS/shaping) on the I/O card.
SRX1400
3 RU modular chassis; 12 on-board ports (1400GE: 6+4+2 GE); 3 expansion slots (NSPC, or SPC+NPC, plus IOC); compact form-factor modules shared with the SRX3000 (common sparing possible); Junos software; management module (RE); fan tray; power supply, with an optional redundant FRU power supply at the rear.
Massive scale: up to 45,000 new, sustained connections per second (CPS); up to 0.5 million sessions [at FRS].
High performance: up to 10 Gbps firewall, up to 2 Gbps IPS, up to 2 Gbps IPsec VPN.
High availability.
SRX3400
Front view: 12 on-board GbE ports, USB, Switch Fabric Board (SFB), fan tray, front slot guide, I/O cards (2 x 10 GigE, 16 x GbE SFP, 16 x 10/100/1000), expansion slots (IOC/SPC, SPC/NPC).
Rear view: Routing Engine, redundant Routing Engine (future) or SCM, fan tray door, power supply with optional redundant FRU power supply, rear slot guide.
3 RU modular chassis; 7 expansion slots (4 front and 3 rear); compact form-factor modules for I/O and service processing; dual, hot-swappable management modules; Junos software.
Massive scale. High performance: up to 20 Gbps firewall, up to 6 Gbps IPS, up to 6 Gbps IPsec VPN. High availability.
SRX3600: FRONT AND REAR VIEWS
Front view: 12 on-board GigE ports, USB, Switch Fabric Board (SFB), fan tray, front slot guide, I/O cards (2 x 10 GigE, 16 x GbE SFP, 16 x 10/100/1000), expansion slots (IOC/SPC).
Rear view: Routing Engine, redundant Routing Engine (future) or SCM, fan tray door, optional redundant power supplies, expansion slots (SPC/NPC), rear slot guide.
5 RU modular chassis; 12 expansion slots (6 front and 6 rear); compact form-factor modules for I/O and service processing; dual, hot-swappable management modules; Junos software.
Massive scale. High performance: up to 30 Gbps firewall, up to 10 Gbps IPS, up to 10 Gbps IPsec VPN.
High availability: redundant power and fans, redundant management, modular Junos software.
SRX3000 CARDS
Figure: front (slot guide, air intake): Switch Fabric Board (SFB), IOCs (16 x SFP, 2 x 10GE, 16 x copper), Services Processing Card (SPC). Rear (slot guide, fan tray door): Services Processing Cards (SPC), Network Processing Cards (NPC) [or SPCs], Routing Engine (RE).
Switch Fabric Board (SFB): 3 versions.
SRX5600
8 RU modular chassis, horizontal design; 6 expansion slots (each fits any module) for flexible I/O and service processing; Junos software; control panel; Services Processing Cards; 40 x GbE IOC; Switch Control Boards (SCBs); management module; FRU power supplies.
Massive scale: up to 350,000 new and sustained connections per second (CPS); up to 9 million sessions.
High performance: up to 60 Gbps firewall, up to 15 Gbps IPS, up to 15 Gbps IPsec VPN.
High availability: redundant management modules, redundant switching fabrics, redundant fans and power supplies, modular Junos software.
SRX5800
16 RU modular chassis, vertical design; 12 expansion slots (each fits any module) for flexible I/O and service processing; Junos software; upper fan tray, air intake; Switch Control Boards (SCBs); Services Processing Cards; 40 x GbE and 4 x 10GbE I/O cards; management module; FRU power supplies.
Massive scale. High performance.
High availability: redundant management modules, redundant switching fabrics, redundant fans and power supplies, modular Junos software.
Figure: an SRX between the INTERNET and two internal zones, ZONE TRUST and ZONE TRUST2; traffic is classified by its originating zone.
Figure: SRX packet flow. Every ingress packet passes the per-packet policer, the per-packet filter and screens; the flow module then asks whether the packet matches an existing session.
NO (first path): static NAT, destination NAT, route lookup, zone lookup, security policy, reverse static NAT, source NAT, services/ALG, and a session is installed.
YES (fast path): screens, TCP checks, NAT, services/ALG.
Egress: 6) filter packet (per-packet filter), 7) shape packet (per-packet shaper), 8) transmit packet.
FIREWALL FILTERS
Stateless filters are evaluated packet by packet, with no session state. Example term from the figure: match source 10.1.20.1 to any destination on SSH.
Figure: FTP ALG. The FTP control channel on TCP 21 carries the PORT (active mode) and PASV (passive mode) exchange; the ALG inspects it and opens a pinhole for the negotiated data connection, TCP 14599 in the figure.
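The pinhole logic an FTP ALG performs, as an added example that is not Juniper code: it parses the PORT command and the 227 passive-mode reply on the control channel, derives the data-channel tuple the stateful firewall must admit, and refuses the classic bounce-attack case where the advertised address is not the endpoint's own or the port is privileged. The addresses, sample lines and the Pinhole type are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Example FTP ALG helper (not Juniper code). Addresses and sample lines are
# constructed; Pinhole is a hypothetical type standing in for the firewall's
# dynamic session entry.


@dataclass(frozen=True)
class Pinhole:
    """The data connection the firewall must admit: initiator -> responder:port."""
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


# "PORT h1,h2,h3,h4,p1,p2" from the client (active mode) and the
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply from the server.
_PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)
_PASV_RE = re.compile(r"^227\s.*?\((\d{1,3}(?:,\d{1,3}){5})\)")


def _decode_hostport(hp):
    """Decode h1,h2,h3,h4,p1,p2 into (ip, port); port = p1*256 + p2."""
    nums = [int(x) for x in hp.split(",")]
    if any(n > 255 for n in nums):
        raise ValueError(f"octet out of range in {hp!r}")
    ip = ".".join(str(n) for n in nums[:4])
    port = (nums[4] << 8) | nums[5]
    if port < 1024:
        # A PORT/PASV pointing at port 25 or 80 is an FTP bounce attempt,
        # not a data channel: refuse pinholes onto privileged ports.
        raise ValueError(f"refusing data port {port} below 1024")
    return ip, port


def pinhole_for_port(client_ip, server_ip, line):
    """Active mode: the server (from port 20) connects to the client's port.
    Returns None if the line is not a PORT command."""
    m = _PORT_RE.match(line.strip())
    if not m:
        return None
    ip, port = _decode_hostport(m.group(1))
    if ip != client_ip:
        # Bounce-attack guard: the client may only open ports on itself.
        raise ValueError(f"PORT address {ip} is not the client {client_ip}")
    return Pinhole(src_ip=server_ip, dst_ip=client_ip, dst_port=port)


def pinhole_for_pasv(client_ip, server_ip, line):
    """Passive mode: the client connects to the port the server announced.
    Returns None if the line is not a 227 reply."""
    m = _PASV_RE.match(line.strip())
    if not m:
        return None
    ip, port = _decode_hostport(m.group(1))
    if ip != server_ip:
        # Same guard in the other direction: a strict ALG rejects an
        # announced address that differs from the server's rather than guessing.
        raise ValueError(f"PASV address {ip} is not the server {server_ip}")
    return Pinhole(src_ip=client_ip, dst_ip=server_ip, dst_port=port)


if __name__ == "__main__":
    # 14599 == 57*256 + 7, the data port shown in the figure.
    print(pinhole_for_pasv("192.0.2.5", "203.0.113.10",
                           "227 Entering Passive Mode (203,0,113,10,57,7)."))
    print(pinhole_for_port("192.0.2.5", "203.0.113.10", "PORT 192,0,2,5,57,7"))
```

The two address checks are what separates an ALG from a blind port opener: without them, any FTP client behind the firewall could make it open a hole to an arbitrary third host.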
SCREENS
Screens mitigate known malicious activity such as DoS, DDoS and reconnaissance.
They are applied on a zone basis; a default screen is typically applied to the untrust zone.
They use thresholds and parameters to decide which traffic flows into the zone.
A screen can drop traffic or act as a proxy for TCP connections (SYN proxy).
Figure: a TCP SYN flood and an ICMP sweep arriving from the Internet toward a retail site are stopped at the untrust zone.
SCREENS
juniper@SRX5800# show security screen ids-option untrusted-internet
icmp {
    ip-sweep threshold 1000000;
    fragment;
    large;
}
ip {
    bad-option;
    record-route-option;
    timestamp-option;
    security-option;
    stream-option;
    spoofing;
    source-route-option;
    loose-source-route-option;
    strict-source-route-option;
    unknown-protocol;
}
tcp {
    syn-fin;
    fin-no-ack;
    tcp-no-flag;
    syn-frag;
    port-scan threshold 1000000;
}
The ip-sweep and port-scan thresholds are time windows in microseconds (1000 through 1000000): the screen fires when ten addresses (or ports) are probed within that window, so 1000000 (one second) is the most sensitive setting, not a disabled one. Note that this profile carries no syn-flood, land, winnuke, tear-drop or ping-death protection.
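A small audit of the screen profile above, as an added example that is not Juniper code: it parses the curly-brace output of show security screen ids-option, reports which protections are missing against a baseline, and flags thresholds outside the range Junos accepts. The BASELINE set is an assumption made for this example, not a Juniper-published list (the option names themselves are real Junos screen statements); the sample configuration is the profile printed above with its closing braces restored.

```python
# Added example: audit a Junos screen profile. The parser and the baseline
# are this example's own (not Juniper code); BASELINE is an assumed set of
# protections a branch untrust-zone screen should carry, using real Junos
# screen statement names.

# Constructed sample: the profile shown above, as 'show security screen
# ids-option untrusted-internet' prints it (closing braces restored).
SAMPLE = """\
icmp {
    ip-sweep threshold 1000000;
    fragment;
    large;
}
ip {
    bad-option;
    record-route-option;
    timestamp-option;
    security-option;
    stream-option;
    spoofing;
    source-route-option;
    loose-source-route-option;
    strict-source-route-option;
    unknown-protocol;
}
tcp {
    syn-fin;
    fin-no-ack;
    tcp-no-flag;
    syn-frag;
    port-scan threshold 1000000;
}
"""

BASELINE = {
    "icmp": {"ping-death", "ip-sweep", "flood"},
    "ip": {"tear-drop", "spoofing", "source-route-option"},
    "tcp": {"syn-flood", "land", "winnuke", "port-scan", "syn-fin"},
    "udp": {"flood"},
}

# ip-sweep and port-scan thresholds are a window in microseconds; Junos
# accepts 1000 through 1000000 (1 ms to 1 s). The screen fires when ten
# addresses or ports are probed inside the window, so larger is stricter.
THRESHOLD_RANGE = (1000, 1000000)


def parse_braces(text):
    """Parse Junos curly-brace configuration text into nested dicts.
    A bare leaf maps to None; 'name threshold N' maps to {'threshold': 'N'};
    any other 'name value' leaf maps to its value string."""
    root, stack = {}, []
    cur = root
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            child = {}
            cur[line[:-1].strip()] = child
            stack.append(cur)
            cur = child
        elif line == "}":
            if not stack:
                raise ValueError("unexpected closing brace")
            cur = stack.pop()
        else:
            parts = line.rstrip(";").split()
            if len(parts) == 3 and parts[1] == "threshold":
                cur.setdefault(parts[0], {})["threshold"] = parts[2]
            elif len(parts) == 2:
                cur[parts[0]] = parts[1]
            else:
                cur[" ".join(parts)] = None
    if stack:
        raise ValueError("unbalanced braces")
    return root


def audit_screen(text):
    """Return findings grouped by protocol: missing baseline options first,
    then any ip-sweep/port-scan threshold outside THRESHOLD_RANGE."""
    cfg = parse_braces(text)
    findings = []
    for proto, wanted in BASELINE.items():
        present = set(cfg.get(proto) or {})
        findings.extend("missing %s %s" % (proto, opt) for opt in sorted(wanted - present))
    lo, hi = THRESHOLD_RANGE
    for proto, opt in (("icmp", "ip-sweep"), ("tcp", "port-scan")):
        node = (cfg.get(proto) or {}).get(opt)
        if isinstance(node, dict) and "threshold" in node:
            value = int(node["threshold"])
            if not lo <= value <= hi:
                findings.append("%s %s threshold %d outside %d..%d" % (proto, opt, value, lo, hi))
    return findings


if __name__ == "__main__":
    for finding in audit_screen(SAMPLE):
        print(finding)
```

Run against the slide's profile it reports the gaps named above (no SYN-flood, land, winnuke, tear-drop, ping-death or flood protection) and accepts both thresholds, since 1000000 is the upper bound of the valid range.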
IDP
Provides deeper packet examination and detects protocol anomalies.
Figure: order of processing through the SRX firewall. Traffic entering the SRX passes 1) ingress policers and firewall filters, 2) screens, 3) the stateful firewall (L3/L4/L5), 4) IDP/IPS (L4-L7), then 5) egress traffic shaping before exiting. Steps 2, 3 and 4 are the security-processing steps.
Figure: regional sites. Benefits: maintains connections.
INTERFACE NUMBERING
In a chassis cluster, interfaces keep their slot numbers on node 0 and are offset on node 1, so that every interface in the cluster has a unique name:
Node0: slots 0-11 (for example ge-1/0/0 in slot 1; RE 0)
Node1: slots 12-23 (for example ge-13/0/0 in slot 13, which is physical slot 1 of node 1; RE 1)
The fabric links are fab0 on node 0 and fab1 on node 1.
Figure: AppSecure provides an application view, threat mitigation and IPS.
Role-based firewall (Junos 12.1): allows different users to have different application policies based on their role and group, using identity from MAG/UAC.
Marketing: P2P apps blocked, YouTube allowed, antivirus applied, web-filtering profile A
Sales: P2P and YouTube blocked, antivirus applied, web-filtering profile B
CEO: no apps blocked, antivirus applied, web-filtering profile C
Figure: clients reach data, finance, video and Internet apps in the corporate data center through the SRX Series.
Runs on standard server hardware.
Flexibility: agent-based deployment can provide advanced functionality; agentless access can be used for an unintrusive, transparent user experience; a local web portal can be used for guest access or as a fallback mechanism.
Rich OS support: Windows XP, Windows Vista and Windows 7; Mac OS; Linux/Solaris; thin clients through the local web portal; a broad range of smartphone OSs (iOS, Android, others).
Advanced services: host checker, Coordinated Threat Control, SSL tunneling, end-to-end security policy enforcement by user role and group, AppTrack.
AppFW
Figure: application firewall controlling HTTP-carried applications.
IPS
Figure: AppSecure IPS targets the vulnerability; other IPSs match individual exploits.
Web filtering
Figure: the SRX queries a categorization server in the cloud for URLs requested from the internal network, for productivity, performance and security. Continuous updates, a large number of URLs, category granularity and a real-time threat score.
Antivirus
Cloud-based option: Sophos. On-box option: Kaspersky.
ANTI-SPAM
Figure: mail from the Internet (UNTRUST) is checked by the SRX before reaching the email server in the DMZ; hosts in the TRUST zone reach the Internet through a web proxy.
Client automatically downloaded; simultaneous tunnel enforcement; automatic client upgrade capabilities; self-provisioning; IPsec with TCP-based fallback for NAT traversal; Windows platform support: XP, Vista, Windows 2000, Windows 7 and Windows 10.
Figure: wired, wireless and 3G/4G wireless clients reaching an SRX210 across the Internet.
Figure: WLAN management with RingMaster (configure, monitor, troubleshoot), SmartPass, the WLM appliance and WLC controllers.
Figure: AppSecure components (AppTrack, AppFW, AppQoS, AppDoS, IPS) and their benefits: understand security risks, block access to risky apps, prioritize important apps, remediate security threats, address new user behaviors, allow user-tailored policies, allow legitimate user traffic. Availability on Branch SRX: 2H 2013.
Figure: high-end SRX data path, repeated per I/O slot: PHY -> network processor (NP) on the NPC -> Services Processing Card (SPC).
JUNOS SPACE
Open Network Application Platform: open, extensible, standards-based (SOA); abstractions for generic service definitions; carrier-grade scale; transparent communication with all Junos devices (any device, any OS version) for total management of Juniper infrastructure; easy integration with OSS via NBI/SDK.
Applications: Juniper applications, network widgets, infrastructure widgets.
JUNOS SCRIPTS
Configuration automation: instructs Junos during the commit process, with options to provide warnings, post log messages, automatically fail the commit, or change the configuration.
Operations automation: instructs Junos as prompted by the command line and other scripts, to create custom operational commands for specific user and environment needs.
Event automation: instructs Junos what actions to take in response to events, for example gathering relevant troubleshooting information and correlating events from the first leading indicators.
J-Web: quick setup with templates, dashboard view, performance monitoring.
Security Director: manage multiple devices with global, group and device-level configuration.
CONFIGURATION HISTORY
configure opens the candidate configuration; commit makes the candidate the active configuration; rollback n loads a previous configuration back into the candidate.
The active configuration (rollback 0) is stored in /config/juniper.conf.gz.
Rollback files are stored in /config/juniper.conf.n.gz (n = 1 to 3) and /var/db/config/juniper.conf.n.gz (n = 4 to 49).
Figure: a load or the CONFIG button populates the candidate configuration; commit runs commit scripts and commit validations, producing a validated configuration that becomes the active configuration. commit confirmed does the same but schedules an automated rollback unless a second commit follows. rollback copies a stored configuration back into the candidate.
Object-oriented hierarchy
Jumping between levels
Candidate configuration with sanity checking
Automatic rollback capability
Showing portions of configuration while configuring
Saving, loading, and deleting configuration files
Running operational-mode commands from within configuration
CLI MODES
Operational mode: monitor and troubleshoot the software, network connectivity, and router hardware.
user@host>
Configuration mode: configure the router, including interfaces and general routing.
[edit]
user@host#
LOGGING IN
A normal user lands directly in the CLI:
host (ttyd0)
login: user
Password:
--- JUNOS 8.3R2.8 built 2007-07-07 00:21:56 UTC
user@host>
The root user lands in the shell (root@host%) and must start the CLI explicitly. Do not forget to exit the root shell after quitting the CLI: a root shell left open on the console is an unauthenticated path onto the device.
host (ttyd0)
login: root
Password:
--- JUNOS 8.3R2.8 built 2007-07-07 00:21:56 UTC
root@host% cli
root@host>
Figure: operational-mode commands form a hierarchy from less specific (clear, configure, file, help, monitor, set, show, etc.) to more specific.
Keyboard sequences:
Ctrl+a: move the cursor to the beginning of the line
Ctrl+e: move the cursor to the end of the line
Ctrl+b: move the cursor back one character
Ctrl+f: move the cursor forward one character
The default VT100 terminal type also supports cursor positioning with the arrow keys.
Enter a space (or Tab) to complete a command. If the prefix is ambiguous, the CLI lists the possible completions:
user@host> show i<space>
CONTEXT-SENSITIVE HELP
Type ? anywhere on the command line.
user@host> ?
Possible completions:
  clear                Clear information in the system
  configure            Manipulate software configuration information
  file                 Perform file operations
  help                 Provide help information
  . . .
user@host> clear ?
Possible completions:
  arp                  Clear address-resolution information
  bfd                  Clear Bidirectional Forwarding Detection information
  bgp                  Clear Border Gateway Protocol information
  firewall             Clear firewall counters
  . . .
TOPICAL HELP
The help topic command provides information on general concepts.
user@host> help topic interfaces ?
Possible completions:
  accept-data          Accept packets destined for virtual IP...
  accept-source-mac    Policers for specific source MAC addresses
  access-profile       Mapping peer name and secrets for CHAP
  accounting-profile   Accounting profile
  acknowledge-timer    Maximum time to wait for link...
  address              Interface address and destination prefix
  ...
user@host> help topic interfaces address
Configuring the Interface Address
USING | (PIPE)
The pipe function allows you to filter and manipulate command output. It is available in all modes and contexts.
user@host> show route | ?
Possible completions:
  count                Count occurrences
  display              Show additional kinds of information
  except               Show only text that does not match a pattern
  find                 Search for first occurrence of pattern
  hold                 Hold text without exiting the --More-- prompt
  last                 Display end of output only
  match                Show only text that matches a pattern
  no-more              Don't paginate output
  request              Make system-level requests
  resolve              Resolve IP addresses
  save                 Save output text to file
  trim                 Trim specified number of columns from start of line
user@host> show route |
Active configuration: the current operational configuration and the boot-up configuration.
Candidate configuration: a working copy for configuration changes, initialized from the active configuration; it becomes the active configuration upon commit.
SHOW COMMAND
Lists the complete candidate from the top of configuration mode.
[edit]
mike@juniper1# show
version "9.2R1.3";
groups {
    re0 {
        system {
            host-name jnpr1;
        }
    }
}
SET COMMAND
From the top of configuration mode:
[edit]
mike@jnpr1# set system services finger
mike@jnpr1# set system services ftp
mike@jnpr1# set system services ssh
mike@jnpr1# set system services telnet
Each set either adds a new statement or changes an existing one; set can also be issued from a sublevel, relative to that level. The result in the candidate:
[edit]
system {
    services {
        finger;
        ftp;
        ssh;
        telnet;
    }
}
This is a syntax example only: finger, ftp and telnet are cleartext services and should stay disabled on production devices; ssh is the one to keep.
DELETE COMMAND
Removes a statement along with any subordinate statements. Deleting a statement effectively returns the affected device, protocol,
[edit]
mike@jnpr1# delete system services
Now the candidate contains:
[edit]
system {
}
COMPARE CONFIGURATIONS
Displays the differences between the candidate and the active configuration, with options to compare any two configurations.
COMMIT CHECK
Checks that the device will accept your candidate: validates the logic and completeness of the candidate without
COMMIT
Activates the candidate to become the running configuration of the device. If the validation checks find any errors, you must fix these before the
[edit]
mike@jnpr1# commit
commit complete
COMMIT CONFIRMED
Automates rollback on remote devices: commits a candidate configuration for a limited time (10 minutes by default).
[edit]
mike@jnpr1# commit confirmed
commit confirmed will be automatically rolled back in 10 minutes unless confirmed
commit complete
Finalize the confirmed commit by entering a second commit command before the timer expires:
[edit]
mike@jnpr1# commit
commit complete
Otherwise, wait for the automatic rollback to restore the previous configuration.
ROLLBACK
The rollback command loads a previous configuration into the candidate; a commit is still required to activate it.
[edit]
mike@host# rollback
load complete
[edit]
mike@host# commit
commit complete
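The commit life cycle described above (candidate versus active configuration, commit, commit confirmed with a timed rollback, and the rollback history) modelled in code, as an added example that is not Junos code. The clock is an explicit argument rather than a real timer, the store is a flat dict of statement paths, and the commit check rejects cleartext management services the way a commit script that fails the commit would; all of that is this example's own design, chosen to make the semantics visible.

```python
import copy
from dataclasses import dataclass, field
from typing import Optional

# Added example (not Junos code): a model of candidate/active configuration,
# commit, commit confirmed and rollback. Time is an explicit 'now' value.

MAX_ROLLBACK = 49          # Junos keeps rollback 1..49; rollback 0 is active
CLEARTEXT_SERVICES = ("system services telnet", "system services ftp",
                      "system services finger")


class CommitError(Exception):
    """Raised when commit validation fails; the candidate is left unchanged."""


@dataclass
class ConfigStore:
    active: dict = field(default_factory=dict)       # rollback 0
    candidate: dict = field(default_factory=dict)
    history: list = field(default_factory=list)      # history[0] == rollback 1
    confirm_deadline: Optional[float] = None         # commit confirmed timer
    restore_on_expiry: Optional[dict] = None         # config to reinstate

    def set(self, path, value=True):
        """'set' edits the candidate only; nothing takes effect until commit."""
        self.candidate[path] = value

    def delete(self, path):
        """'delete' removes a statement and everything beneath it."""
        for key in [k for k in self.candidate if k == path or k.startswith(path + " ")]:
            del self.candidate[key]

    def commit_check(self):
        """Commit-script style validation: fail the commit on cleartext services."""
        bad = [p for p in CLEARTEXT_SERVICES if self.candidate.get(p)]
        if bad:
            raise CommitError("cleartext management service enabled: " + ", ".join(bad))
        return True

    def commit(self, now, confirmed_minutes=None):
        """Activate the candidate. With confirmed_minutes set, arm an automatic
        rollback that tick() performs unless a plain commit arrives first."""
        self.commit_check()
        if self.confirm_deadline is not None and confirmed_minutes is None:
            # A second commit confirms the pending one: disarm the timer.
            self.confirm_deadline = None
            self.restore_on_expiry = None
        self.history.insert(0, copy.deepcopy(self.active))
        del self.history[MAX_ROLLBACK:]
        self.active = copy.deepcopy(self.candidate)
        if confirmed_minutes is not None:
            self.confirm_deadline = now + confirmed_minutes * 60
            if self.restore_on_expiry is None:
                self.restore_on_expiry = copy.deepcopy(self.history[0])
        return "commit complete"

    def tick(self, now):
        """Clock callback: once the timer expires, reinstate the previous
        configuration (Junos does rollback 1 + commit). True if it rolled back."""
        if self.confirm_deadline is None or now < self.confirm_deadline:
            return False
        self.candidate = copy.deepcopy(self.restore_on_expiry)
        self.confirm_deadline = None
        self.restore_on_expiry = None
        self.commit(now)
        return True

    def rollback(self, n=0):
        """Load rollback n into the candidate; rollback 0 discards uncommitted edits."""
        if n < 0 or n > len(self.history):
            raise ValueError("no rollback %d" % n)
        source = self.active if n == 0 else self.history[n - 1]
        self.candidate = copy.deepcopy(source)
        return "load complete"


def remote_change_scenario():
    """Operator commits with 'commit confirmed', then loses the session before
    confirming; the device rolls itself back once the window closes."""
    store = ConfigStore()
    store.set("system host-name", "jnpr1")
    store.commit(now=0)
    store.set("system services ssh")
    store.commit(now=0, confirmed_minutes=10)
    rolled_back_early = store.tick(now=300)     # still inside the window
    rolled_back_late = store.tick(now=601)      # timer expired
    return rolled_back_early, rolled_back_late, "system services ssh" in store.active
```

The scenario is the one commit confirmed exists for: a change that cuts off the management path never gets confirmed, so the device reinstates the configuration it had before, and the operator can reconnect.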
Figure: the configuration hierarchy runs from less specific to more specific: top-level containers (chassis, interfaces, protocols, services, system, etc.), then for example the protocols (bgp, isis, mpls, ospf, pim, rip, rsvp, vrrp, etc.), then OSPF area settings (area-range area_range, interface, nssa, stub, etc.). The current level is shown in brackets:
[edit system]
user@host# show services
web-management {
    http {
        port 8080;
    }
}
[edit system]
user@host#
RUN IS COOL
Use the run command to execute operational-mode CLI commands from within configuration mode. It can be a real time-saver when testing the effect of a recent change:
[edit interfaces fe-0/0/0]
lab@HongKong# set unit 0 family inet address 10.250.0.141/16
USING RENAME
User-defined variables can be changed with the rename command: policy names, filter names, IP addresses, etc.
[edit interfaces fe-0/0/0]
lab@HongKong# set unit 0 family inet address 10.250.0.141/16
[edit interfaces fe-0/0/0]
lab@HongKong# show
unit 0 {
    family inet {
        address 10.250.0.141/16;
    }
}
[edit interfaces fe-0/0/0]
lab@HongKong# rename unit 0 family inet address 10.250.0.141/16 to address 10.250.0.241/16
[edit interfaces fe-0/0/0]
lab@HongKong# show
unit 0 {
    family inet {
        address 10.250.0.241/16;
    }
}
USING REPLACE
In configuration mode, replace pattern rewrites every occurrence of a pattern in the candidate:
[edit]
lab@HongKong# replace pattern 10.1.1.1 with 10.2.2.2
Because the match is applied across the whole candidate, check the result with show | compare before committing.
Juniper security portfolio: high-end firewalls, remote access SSL VPN, and network security.
Global powerhouse: $1B global revenue.
Dedicated innovator: "Juniper R&D is $1.027B, or 23% of revenues, a figure no one else in the industry comes close to on a percentage basis" (2011 Annual Report).
New in 2013: a differentiated approach to security with Intrusion Deception and DDoS protection capabilities.
JUNOS V FIREFLY
Figure: JunosV Firefly running as a VM beside tenant VMs (Enterprise/Tenant A) on a hypervisor.
A virtual security appliance on a choice of hypervisors, running on standard x86 hardware; performance optimized with an SMP kernel and multi-threaded architecture.
Perimeter: firewall, VPN, IPS (full IDP feature set), NAT, application awareness, identity awareness, network admission control technology.
Content: anti-virus, web filtering, anti-spam.
JUNOS SPACE VIRTUAL DIRECTOR
A Junos Space platform application that offers complete lifecycle management for JunosV Firefly.
Security insight: STRM (logging and reporting), syslog, traceroute.
Local management: CLI, J-Web, Junos scripts, SNMP.
HACKER THREATS
Threat types shown: scripts and tools, exploits, IP scan, targeted scan, botnet, human hacker.
Figure: timeline (January to December; Q1 2012) of detection methods, from signatures in a web application firewall or web intrusion prevention system to tar traps with attacker tracking; blocking by IP address alone is the traditional response.
Detect, track, profile, respond: understand the attacker's capabilities and intents, then apply adaptive responses, including block, warn and deceive.
Figure: the five phases of a web attack, with the web application firewall marked.
Phase 1: Reconnaissance (weeks or months)
Phase 2: Attack vector establishment (weeks or months)
Phase 3: Implementation (days or weeks)
Phase 4: Automation (months or years)
Phase 5: Maintenance (years)
DETECTION BY DECEPTION
Tar traps are placed where only a tool or an attacker, never a normal client, would touch them: query-string parameters, hidden input fields and server configuration, across the network perimeter, client, firewall, app server and database.
Tracking: a persistent token and fingerprinting of HTTP communications identify the attacker across sessions and IP addresses.
Profiling: incident history and attacker threat level.
Junos WebApp Secure responses, by threat type (human hacker, botnet, targeted scan, IP scan, scripts and tools, exploits): warn attacker, block user, force CAPTCHA, slow connection, force log-out.
All responses are available for any type of threat. Highlighted responses are most appropriate for each type of threat.
Figure: WebApp Secure deployed in front of internal, virtualized and cloud app servers and databases.
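The tar-trap, tracking and graduated-response mechanism described above, as an added example that is not Junos WebApp Secure's implementation: a query-string parameter and a hidden input field are planted with a per-session HMAC that a browser submits unchanged, so any modification is evidence of a tool or a hand-crafted request rather than a user mistake; incidents accumulate on a profile keyed by a persistent token, and the response escalates from warn through CAPTCHA and slowdown to block. The trap names, the secret, the thresholds and the sample requests are all constructed for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Added example of detection by deception (not Junos WebApp Secure code).
# Trap name -> description used in incident records. Both names are
# hypothetical; pick ones that look tempting (a 'debug' flag, a 'role').
TRAPS = {"debug": "query-string parameter", "_role": "hidden input field"}

SECRET = b"constructed-example-key"   # a per-deployment secret in practice

# Threat-level thresholds for each response, weakest to strongest.
RESPONSES = ((1, "warn"), (3, "captcha"), (5, "slow"), (8, "block"))


def mint_trap(session_id, name):
    """Value to plant: the trap name plus an HMAC binding it to this session."""
    mac = hmac.new(SECRET, ("%s:%s" % (session_id, name)).encode(), hashlib.sha256)
    return "%s-%s" % (name, mac.hexdigest()[:16])


def plant_traps(session_id):
    """Values the server embeds in the page for a legitimate session."""
    return {name: mint_trap(session_id, name) for name in TRAPS}


def trap_tampered(session_id, name, submitted):
    """True if the trap is missing or differs from what this session was given."""
    expected = mint_trap(session_id, name).encode()
    return not hmac.compare_digest(expected, (submitted or "").encode())


@dataclass
class AttackerProfile:
    token: str                               # persistent token or fingerprint
    incidents: list = field(default_factory=list)

    @property
    def threat_level(self):
        return len(self.incidents)


def respond(profile):
    """Strongest response whose threshold the threat level has reached."""
    action = "allow"
    for threshold, name in RESPONSES:
        if profile.threat_level >= threshold:
            action = name
    return action


def inspect_request(profile, session_id, params):
    """Check every tar trap in one request, record an incident per tampered
    trap on the attacker's profile, and return the response to apply."""
    for name, kind in TRAPS.items():
        if trap_tampered(session_id, name, params.get(name)):
            profile.incidents.append("%s %s modified" % (kind, name))
    return respond(profile)


if __name__ == "__main__":
    sid = "sess-1"
    profile = AttackerProfile("token-a")
    print(inspect_request(profile, sid, plant_traps(sid)))          # allow
    print(inspect_request(profile, sid, {"debug": "1", "_role": "admin"}))
```

Binding the value to the session with an HMAC is what makes the signal unambiguous: a value copied from another session, or edited in a proxy, fails the check even though it looks well formed, and the server never has to store per-session trap state.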
Figure: installed servers (millions), 1996 to 2013, showing the capital savings from virtualization. Source: IDC.
Figure: in a virtual network, VM1, VM2 and VM3 on an ESX/ESXi host share a virtual switch on the hypervisor, so a firewall/IDS must sit in the hypervisor to see and protect all traffic between servers.
Figure: traditional security agents per VM versus integrated virtual security (vGW). A security VM per ESX/ESXi host, designed for the VMware kernel, enforces policy by zone, VM group, VM or individual vNIC on any vSwitch (standard, DVS, third party). It is virtualization-aware: secure VMotion, Auto Secure detects and protects new VMs, integration with Virtual Center through VMware APIs, packet data export to partner servers (IDS, SIM, syslog, NetFlow), and AV.
VGW MODULES
Main: dashboard view of the virtual system threats (including VM quarantine view).
7 functional modules:
Network: visibility of inter-VM traffic flows.
Firewall: firewall policy management and logs.
IDS: centralized view of IDS alerts and ability to drill down on attacks.
AntiVirus: full AV protection for virtual machines.
Introspection: centralized view of the software loaded in a VM including OS, apps and hotfixes; ability to track and control changes in loaded software via Image Enforcer.
Compliance: out-of-box and custom rules engine to alert on VM and host configuration changes.
Reports: automated reports for all the functional modules.
Resources:
Pathfinder: http://pathfinder.juniper.net
Content Explorer: http://www.juniper.net/techpubs/content-applications/contentexplorer
Feature Explorer: http://pathfinder.juniper.net/feature-explorer
Learning Bytes: www.juniper.net/learningbytes
Installation and configuration courses: www.juniper.net/courses
J-Net Forum: http://forums.juniper.net/t5/Training-Certification-and/bd-p/Training_and_Certification
Certification program: www.juniper.net/certification
Courses: http://www.juniper.net/training/technical_education
Translation tools: http://www.juniper.net/customers/support/#task