
SRX QUICK START TRAINING

George Kaminski
Systems Engineer Tech Lead

Chapter 1: Course Introduction

INTRODUCTIONS
Before we get started:
What is your name?
Where do you work?
What is your primary role in your organization?
What kind of network experience do you have?
What is the most important thing for you to learn in this training session?

Copyright 2013 Juniper Networks, Inc.

www.juniper.net

COURSE CONTENTS
Contents:
Chapter 1: Course Introduction
Chapter 2: Junos OS Overview
Chapter 3: Branch SRX Series Overview
Chapter 4: High-End SRX Series Overview
Chapter 5: SRX Concepts and Features
Chapter 6: Junos OS Command Line Interface (CLI) Introduction
Chapter 7: Other Security Products of Interest
Complete hands-on Labs 1-4


PREREQUISITES
The prerequisites for this course are the following:
Basic networking knowledge
Understanding of the OSI model and TCP/IP
Basic familiarity with the use and deployment of firewalls, IPsec Virtual Private Networks, and Network Address Translation (NAT)


COURSE ADMINISTRATION
The basics:
Sign-in sheet
Schedule
  Class times
  Breaks
  Lunch
Break and restroom facilities
Fire and safety procedures
Communications
  Telephones and wireless devices
  Internet access


EDUCATION MATERIALS
Available materials for classroom-based and instructor-led online classes:
Lecture material
Lab guide
Lab equipment
Self-paced online courses are also available:
http://www.juniper.net/training/technical_education/


ADDITIONAL RESOURCES
For those who want more:
Juniper Networks Technical Assistance Center (JTAC)
  http://www.juniper.net/support/requesting-support.html
Juniper Networks books
  http://www.juniper.net/training/jnbooks/
Hardware and software technical documentation
  Online: http://www.juniper.net/techpubs/
  Image files for offline viewing: http://www.juniper.net/techpubs/resources/cdrom.html
Certification resources
  http://www.juniper.net/training/certification/resources.html


SATISFACTION FEEDBACK
Class feedback:
To receive your certificate, you must complete the survey.
Either you will receive a survey to complete at the end of class, or we will e-mail it to you within two weeks.
Completed surveys help us serve you better!


JUNIPER NETWORKS EDUCATION SERVICES CURRICULUM
Formats:
Classroom-based instructor-led technical courses
Online instructor-led technical courses
Hardware installation eLearning courses as well as technical eLearning courses
Courses:
http://www.juniper.net/training/technical_education/


JUNIPER NETWORKS CERTIFICATION PROGRAM
Why earn a Juniper Networks certification?
Juniper Networks certification makes you stand out
  Unleash your creativity across the entire network
  Set yourself apart from your peers
Capitalize on the promise of the New Network
  Develop and deploy the services you need
  Lead the way and increase your value
Unique benefits for certified individuals


JUNIPER NETWORKS CERTIFICATION PATH


CERTIFICATION PREPARATION
Training and study resources:
Juniper Networks Certification Program website: www.juniper.net/certification
Education Services training classes: www.juniper.net/training
Juniper Networks documentation and white papers: www.juniper.net/techpubs
Community:
J-Net: http://forums.juniper.net/t5/Training-Certification-and/bd-p/Training_and_Certification
Twitter: @JuniperCertify


FIND US ONLINE
http://www.juniper.net/jnet
http://www.juniper.net/facebook
http://www.juniper.net/youtube
http://www.juniper.net/twitter


Chapter 2: Junos OS Overview

MOVING FROM CISCO IOS TO JUNOS OS
Moving checklist:
Call realtor
Change address
Change utilities
  Gas
  Electric
  Garbage
Find movers
Pack
No matter the cause of the move, once the move is complete, what a difference the new place makes in your life!

JUNOS OS: THE POWER OF ONE OPERATING SYSTEM
Deployed since 1998
  First high-performance network operating system
  14+ years of innovation and development
Runs routing, switching, and security platforms
Reduces complexity, achieves operational excellence
Evolutionary architecture expands to new services and extends to new platforms for tomorrow
It is time for a new network
  Top 130 global service providers
  96 of the Global Fortune 100
  Hundreds of federal, state, and local government agencies and higher education organizations throughout the world


THE POWER OF ONE JUNOS
(Figure: one Junos OS across routers (T Series, M Series, MX Series, J Series), switches (EX Series, QFX Series) and security (SRX Series).)
One OS: reduces the time and effort needed to operate network infrastructure; simplifies management
One Release Train: delivers new functionality stably; reduces OPEX
One Architecture: scalable software for growing needs; reduces TCO

JUNOS OS MODULAR ARCHITECTURE
(Figure: the control plane is made up of independent modules (Interfaces, Routing, Management, ..., Module n) running on top of the kernel, which communicates with the PFE.)
Independent modules
  Protected memory for stability
  No overwrites
  Contain faults and enable rapid isolation
  Well-defined interfaces for expansion of functions/platforms
Kernel
  Controls the modules
  Manages communication between the modules and to the PFE

JUNOS OS SEPARATE CONTROL AND FORWARDING
(Figure: the Control Plane (Routing Engine) is separated from the Data Plane (Packet Forwarding Engine).)
Supports scale for high performance
Assures performance of each plane
Enhances resiliency
Provides options for redundancy

JUNOS OS: THE FOUNDATION OF HIGH-PERFORMANCE NETWORKS
(Figure: Junos OS across the data center (routing), headquarters (switching), branch (security) and campus (services).)

Chapter 3: Branch SRX Overview

BRANCH SRX SOLVES CUSTOMER CHALLENGES
All-in-One
  Next Gen Firewall, VPN, UTM (IPS, AppSecure, Anti-Virus, Anti-Spam, Web filtering)
  Routing / WAN
  WLAN, LAN, Switching
  Easy to activate a new security service in UTM when needed to address new concerns
Unified Management
  Easy to manage all aspects with Junos, a single OS platform
Best Price/Performance
  Lower TCO and high performance allow IT to do more with less

BRANCH SRX SERIES GATEWAYS
Delivering No-Compromise Services with Scale & Performance
Hardware platforms scale from 1G to 10G
Junos software (12.1) across security, routing and switching
Small Office:
  SRX100: fixed config, 8 x FE, 1 GB DRAM
  SRX110: fixed config, VDSL2 WAN, 8 x FE, 1 GB DRAM
  SRX210: WAN slot, 2 x GigE, PoE, 1 GB DRAM
Small to Medium Office:
  SRX220: + 2 WAN slots, 8 x GigE, PoE, 1 GB DRAM
  SRX240: + 4 WAN slots, 16 x GigE, PoE, 2 GB DRAM
Large Branch/Regional Office:
  SRX550: 2 mPIM + 6 GPIM WAN slots, 10 x GigE, PoE, dual P/S, 2 GB DRAM
  SRX650: + more LAN slots, dual P/S, + hot-swap I/O, 2 GB DRAM

BRANCH SRX: SERVING MULTIPLE CUSTOMER NEEDS
(Figure: the Branch SRX multi-services gateway positioned as Secure Router, NGFW and UTM.)
Secure Router
  Routing and WAN interfaces
  Firewall, VPN, NAT
  In-line IPS
  High availability
  Transparent mode
NGFW
  Next generation firewall (AppSecure)
  In-line IPS
  Application visibility, tracking and enforcement
  User-role based policies
UTM
  Ease of use
  Best-of-breed Anti-Virus, Anti-Spam, Web filtering
  Cloud based AV - Sophos
  In-line IPS
  AppSecure


BRANCH SRX SERVICES GATEWAYS
Highly configurable
  Fixed and modular form factors
  Choice of WAN: DSL, T1/E1, DS3
  Wireless WAN and LAN
  WAN, WLAN, and LAN interfaces
  On-board modular switching
Extensive integration
  Full suite of Junos routing and switching capabilities
  Unmatched security, including FW, VPN, UTM, AppSecure, UAC, and full IPS
Exceptional performance and availability
  Magnitude greater performance
  Hardware Content Security Acceleration (CSA) for ExpressAV and IPS
  Control & data plane separation, redundant processing and power

Model           Configuration              Content SEC H/W Acceleration   FW/IPS Performance
SRX100/SRX110   Fixed                      No                             700/60 Mbps
SRX210E         1 mini PIM slot            Optional                       850/85 Mbps
SRX220          2 mini PIM slots           Standard                       950/100 Mbps
SRX240          4 mini PIM slots           Optional                       1800/230 Mbps
SRX550          2 mini PIM, 6 GPIM slots   Standard                       5500/800 Mbps
SRX650          8 GPIM slots               Standard                       7000/900 Mbps

BRANCH SRX PHYSICAL INTERFACES
MPIMs (supported on SRX210/220/240/550):
  T1/E1, Serial, 1xGE SFP, ADSL, G.SHDSL, VDSL2, DOCSIS 3.0
  Wireless WAN: EVDO/HSPA/WiMAX/LTE
GPIMs (supported on SRX550/650):
  16xGE, 24xGE, 4xT1E1, 2xT1E1, 2x10GE SFP+/Copper, 1xDS3, 8xSFP, 8xSerial
  New GPIMs are flagged MAY 2012 and JAN 2013 on the slide (detailed on the next slide)
Wireless LAN (supported across all Branch SRX platforms):
  AX411 dual-radio AP, WLA, WLC2

NEW PIMS FOR SRX550 AND SRX650
8 Port Serial GPIM (12.1R2)
  Synchronous speeds of 8 Mbps
  Interface types supported: V.35, X.21, EIA/TIA-449, EIA/TIA-232, EIA/TIA-530, EIA/TIA-530A
  Line coding: NRZ, NRZI
  Uses 8 port smart connector
8 Port SFP XPIM (1Q2013)
  Line rate switching between ports
  Supported SFPs: LX, SX, BX, T or Copper SFPs
  Full set of L2 switching features
  Jumbo frame support 9192B


BRANCH SRX FEATURES MATRIX
Security: Firewall, VPN, IPS, AppSecure, Antivirus, Enhanced Web filtering, Antispam
Wireless LAN and 3G/4G WAN: 802.11n; 3G/4G WiMax & LTE
Routing & Switching: RIP, OSPF, BGP, Multicast, IPv6; MPLS; Full BGP table; J-Flow, RPM; L2 Switching; PoE options
Physical Interfaces: T1/E1, Serial, DS3/E3; VDSL, ADSL, G.SHDSL; DOCSIS Cable Modem; Ethernet 10/100/1000 & 10G, Copper or Fiber

SRX100
Ideal for small sites and managed telecommuters
Full security features
  Firewall and VPN
  UTM: IPS, AppSecure, antivirus, web-filtering, and anti-spam
  UTM requires high memory version
Features:
  On-board Ethernet: 8 x FE
  Power over Ethernet (802.3af, 802.3at): None
  WAN slots: None
  USB ports: (value not shown on slide)
  Content Security Accelerator (ExpressAV and Intrusion Detection and Prevention): No
  Junos software version support: Junos 11.1
  Firewall performance (Large Packets): 700 Mbps
  Firewall performance (IMIX): 200 Mbps
  Firewall performance (Firewall + Routing PPS, 64 byte): 70 Kpps
  VPN performance (AES256+SHA-1 / 3DES+SHA-1): 65 Mbps
  IPS performance: 60 Mbps
  Connections Per Second (CPS): 2K CPS
  Maximum Concurrent Sessions (512MB/1GB RAM): 16K / 32K
  Antivirus performance: 25 Mbps
  AppSecure Throughput (HTTP): 90 Mbps
  High Availability: N/A

SRX110 IDEAL SOLUTION FOR SMALL BRANCH
Designed for flexibility, investment protection, and lowest total cost of ownership (TCO).
(Figure: front view with the additional USB port and the backup 3G WAN; back view with the primary VDSL WAN.)
Features:
  On-board Ethernet: 8 x FE
  Primary WAN: VDSL2 with ADSL2 fallback
  Backup WAN: USB port for 3G/4G modem
  Additional USB ports: One (total 2)
  Content Security Accelerator (ExpressAV and Intrusion Detection and Prevention): No
  Firewall performance (Large Packets): 700 Mbps
  Firewall performance (IMIX): 200 Mbps
  Firewall performance (Firewall + Routing PPS, 64 byte): 65 Kpps
  VPN performance (AES256+SHA1 / 3DES+SHA1): 65 Mbps
  IPS performance: 60 Mbps
  Connections Per Second (CPS): 2K CPS
  Maximum Concurrent Sessions: 16K / 32K
  Antivirus performance: 25 Mbps
  AppSecure Throughput (HTTP): 90 Mbps
  High Availability: N/A

SRX210E
Ideal for small branches
Full security features
  Firewall and VPN
  UTM: IPS, AppSecure, antivirus, web-filtering, and anti-spam
  UTM requires high memory version
Features:
  On-board Ethernet: 2 x GE + 6 x FE
  Power over Ethernet (802.3af, 802.3at): 4 ports, 50 W total
  WAN slots: 1 x mini PIM
  USB ports (flash): 2
  Content Security Accelerator (ExpressAV and Intrusion Detection and Prevention): Yes
  Junos software version support: Junos 11.1
  Firewall performance (Large Packets): 850 Mbps
  Firewall performance (IMIX): 250 Mbps
  Firewall performance (Firewall + Routing PPS, 64 byte): 95 Kpps
  IPsec VPN throughput: 85 Mbps
  IPS performance: 85 Mbps
  Connections Per Second (CPS): 2,200 CPS
  Maximum Concurrent Sessions (512MB/1GB RAM): 32K / 64K
  Antivirus performance: 25 Mbps
  AppSecure Throughput (HTTP): 250 Mbps
  High Availability: A/A or A/P

SRX220
Ideal for small and medium branches
Full security features
  Firewall and VPN
  UTM: IPS, AppSecure, antivirus, web-filtering, and anti-spam
Features:
  On-board Ethernet: 8 x GE
  Power over Ethernet (802.3af, 802.3at): 8 ports GE, 120 W
  WAN slots: 2 x mini PIM
  USB ports (flash): 2
  Content Security Accelerator (ExpressAV and Intrusion Detection and Prevention): Yes
  Junos software version support: Junos 11.1
  Firewall performance (Large Packets): 950 Mbps
  Firewall performance (IMIX): 300 Mbps
  Firewall performance (Firewall + Routing PPS, 64 byte): 125 Kpps
  VPN performance (AES256+SHA-1 / 3DES+SHA-1): 100 Mbps
  IPS performance: 100 Mbps
  Connections Per Second (CPS): 3K CPS
  Maximum Concurrent Sessions (512MB/1GB RAM): 96K
  Antivirus performance: 34 Mbps
  AppSecure Throughput (HTTP): 300 Mbps
  High Availability: A/A or A/P

SRX240 - NOW WITH 2G MEMORY (SEPT 2012)
New SKUs for SRX240 provide additional memory:
  SRX240B2: 1GB DRAM, 2GB Flash
  SRX240H2: 2GB DRAM, 2GB Flash
No changes in price, hardware architecture or security services
Improved scalability for services
Features:
  On-board Ethernet: 16 x GE
  Power over Ethernet (802.3af, 802.3at): 16 ports GE, 150 W
  WAN slots: 4 x mini PIM
  USB ports (flash): 2
  Content Security Accelerator (ExpressAV and Intrusion Detection and Prevention): Yes
  Junos software version support: Junos 11.4R5
  Firewall performance (Large Packets): 1.8 Gbps
  Firewall performance (IMIX): 600 Mbps
  Firewall performance (Firewall + Routing PPS, 64 byte): 200 Kpps
  VPN performance (AES256+SHA-1 / 3DES+SHA-1): 300 Mbps
  IPS performance: 230 Mbps
  Connections Per Second (CPS): 9K CPS
  Maximum Concurrent Sessions (1GB RAM/2GB RAM): 128K / 256K
  Antivirus performance: 85 Mbps
  AppSecure Throughput (HTTP): 750 Mbps
  High Availability: A/A or A/P

SRX550 SERVICES GATEWAY - NEW (FRS 12.1)
No-Compromise Services with scale and performance for the medium to large branch
Advanced Security
  Firewall and VPN
  UTM: IPS, antivirus, enhanced web-filtering, anti-spam
  Application visibility, tracking & enforcement
Comprehensive Routing
  Wide range of WAN options: 3G/LTE, T1/E1/DS3/E3, xDSL, Nx1GE, 10 GE
  L2/L3 VPN, MPLS, VPLS, IPv6, v4
High Density Switching
  10 x GE on board (6 Copper, 4 SFP)
  Modular switching with PoE
Business Continuity, Resiliency
  HA cluster (A/A or A/P)
  WAN backup and redundancy
  Control plane, data plane separation
  GPIM Online-Insertion-Removal*
  Optional redundant power supplies (AC and DC)
Routing Performance: 700 Kpps
Firewall Performance: 1.7 Gbps (IMIX), 5.5 Gbps (Large packets)
AV & IDP HW Acceleration: Yes
IPsec Performance: 1 Gbps

SRX550 (Junos 12.1)
Ideal for enterprise medium to large branch
Ideal office-in-a-box solution for managed services or commercial business
SRX550 offers:
  Comprehensive Routing and Security Services
  High density on-board and modular switch ports, Copper and SFP
  Application Awareness and Control
  Business Continuity and Resiliency
Features:
  On-board Ethernet: 10 x GE (6 Copper, 4 SFP)
  Power over Ethernet (802.3af, 802.3at): 40 ports GE, 500 W
  WAN slots: 2 mPIM, 6 x GPIM
  USB ports (flash): 2
  Content Security Accelerator (ExpressAV and Intrusion Detection and Prevention): Yes
  Junos software version support: Junos 12.1
  Firewall performance (Large Packets): 5.5 Gbps
  Firewall performance (IMIX): 1.7 Gbps
  Firewall performance (Firewall + Routing PPS, 64 byte): 700 Kpps
  VPN performance (AES256+SHA-1 / 3DES+SHA-1): 1.0 Gbps
  IPS performance: 800 Mbps
  Connections Per Second (CPS): 27K CPS
  Maximum Concurrent Sessions (2 GB RAM): 375K
  Antivirus performance: 300 Mbps
  AppSecure Throughput (HTTP): 1.5 Gbps
  High Availability: A/A or A/P

SRX650
Ideal for regional sites and large branches
Full security features
  Firewall and VPN
  UTM: IPS, AppSecure, antivirus, web-filtering, and anti-spam
Modular
  LAN switching
  Services Routing Processors with optional redundancy
  Power supplies with optional redundancy (at FRS)
Features:
  On-board Ethernet: 4 x GE
  Power over Ethernet (802.3af, 802.3at): 48 ports GE, 250 W or 500 W
  WAN slots: 8 x GPIM
  USB ports (flash): 2 per processor
  Content Security Accelerator (ExpressAV and Intrusion Detection and Prevention): Yes
  Junos software version support: Junos 11.1
  Firewall performance (Large Packets): 7.0 Gbps
  Firewall performance (IMIX): 2.5 Gbps
  Firewall performance (Firewall + Routing PPS, 64 byte): 850 Kpps
  VPN performance (AES256+SHA-1 / 3DES+SHA-1): 1.5 Gbps
  IPS performance: 1 Gbps
  Connections Per Second (CPS): 35K CPS
  Maximum Concurrent Sessions (512MB/1GB RAM): 512K
  Antivirus performance: 350 Mbps
  AppSecure Throughput (HTTP): 1.9 Gbps
  High Availability: A/A or A/P; hot swap GPIMs, dual power

BRANCH SRX SERIES SPECIFICATIONS


JUNIPER'S WIRELESS WAN SOLUTION: CX111
(Figure: the SRX reaches the carrier's 3G/4G LTE network either through a direct plug-in USB modem or through a CX111 bridge.)
Best signal
  Get the 3G antenna out of the wiring closet to optimize reception*
More choices
  Choose 3G/LTE USB modem or standalone 3G bridge
  Choose from 90+ modems from every major manufacturer*
Higher reliability
  Tightly coupled system speeds wired-to-wireless failover
  Redundant radio hardware and provider diversity*
* Requires bridge solution

3G/4G WIRELESS WAN UPDATE
Integrated small package for 3G: now with USB modem support
  Direct plug-in USB modem support for SRX100, 110 and 210E
  No USB 3G support on 220/240/550/650
  ExpressCard form factor obsolete
  GSM/HSPA+ modem supported now
  Secure Modem / Modem Cap: 1H 2012
  4G LTE modem support: mid 2012
CX111 3G/4G Bridge for all SRX and other platforms
  Worldwide 90+ modems supported
  LTE supported now
  CX111 supports SNMP based management
  Junos CLI based management in 11.4R2 (Q1 2012)

BRANCH SRX ADVANCED SECURITY PLATFORM
(Figure: the SRX between the Internet (external threats) and the internal network (internal threats).)
IPS
  IDP detects/stops worms, Trojans, DoS (L4 & L7), scans
AppSecure with User Role FW
  Application level visibility and classification
  Application security policies tied to user roles
Enhanced Web Filtering
  Block access to unapproved sites
  Real time threat score for each URL
Antivirus
  Stops viruses, file-based Trojans or spread of spyware, adware, keyloggers
Antispam
  Stops spam/phishing
Content Filtering
  SRX Series blocks transmission of files for Data Loss Prevention
Core Security
  Firewall, VPN, Unified Access Control

J-WEB WIZARDS
Configuration wizards: Initial Device Setup, Firewall, NAT, VPN
JavaScript and XML based, with all activity executed by the browser
  Provides a responsive user experience
  The complete wizard UI is loaded after hitting the launch button
Single commit
  Reduces configuration time

NEW STARTUP WIZARD (JAN 2013)
New Startup Wizard that simplifies user configuration and reduces the time to set up the device
  Guided setup (step by step)
  Basic & Expert modes
  Security topology (zones), security policy and license configuration
  NAT
  Remote/Dynamic VPN
  Confirm and Apply (Commit, Import, Export)
Available on all Branch SRX platforms

BRANCH SRX CERTIFICATIONS - UPDATE
Branch SRX leads the industry in the most stringent certifications for enterprise firewalls
Key certifications added this year:
  Common Criteria CC EAL4
  Department of Defense (DoD) certification
    Testing and certification by DoD JITC for interoperability with DoD networks
    Addition to the Unified Capabilities Approved Product List (UC APL)
    Branch SRX certified as both router and firewall: a first for any vendor!
  ICSA Corporate Firewall and IPSec 1.3
  USGv6 Firewall Profile

Chapter 4: High-End SRX Overview

High End SRX Platforms

DYNAMIC SERVICES ARCHITECTURE (DSA)
Scales performance, capacity and service density
World's fastest firewall and IPS
High-Speed Fabric Technology
  Expandable chassis
  Linear scalability
  Processing and I/O pools
  Industry's top performance
Carrier-Class Reliability
  The power of one OS, one release train
  Separation of control and data planes
  Redundant everything
  Proven operating system

SRX / HE DATA CENTER SERVICES PLATFORMS
Next-Gen Security Systems
  Scalable performance
  Rich standard services: Firewall, VPN, IPS, Full Routing, QoS, Application Security, Role Based Firewall
  Extensible security services
  Integrated networking services
SRX5800: 16U, 12 slot, 2RE*, 2+1 SCB, 2+2 AC, 3+1 DC, 120/30/30G, 10M sess, 350kcps
SRX5600: 8U, 6 slot, 2RE*, 1+1 SCB, 2+2 PS, 60/15/15G, 9M sess, 350kcps
SRX3600: 5U, 6+6 CFM, 8+4 GE, 2RE*, 2+2 PS, 30/10/10G, 2M sess, 175kcps
SRX3400: 3U, 4+3 CFM, 8+4 GE, 2RE*, 1+1 PS, 20/8/8G, 2M sess, 175kcps
SRX1400: 3U, 3 CFM, 12GE or 3XGE+9GE, 1+1 PS, 10/2/2G, .5M sess [at FRS], 45kcps
(The slide also places the NetScreen/ISG platforms NS-5400, NS-5200, ISG2000 and ISG1000 alongside this range.)
Note *: Redundant REs not currently supported

HIGH-END SRX COMPONENTS
I/O Cards (IOC)
  Provide Ethernet interfaces that connect the services gateway to your network
Network Processing Card (NPC)
  Network Processing Cards (NPCs) receive inbound traffic from I/O cards (IOCs) and direct it to the appropriate Services Processing Card (SPC) for processing
  In simple terms, think of it as a session load balancer
Services Processing Card (SPC)
  Provide the processing capacity to run integrated services such as firewall, IPsec, and IDP


HIGH-END COMPONENTS CONTINUED
Routing Engine (RE)
  Runs the Junos operating system (Junos OS), including software processes that maintain the routing tables, manage the routing protocols used on the services gateway, control the services gateway interfaces, control some chassis components, and provide the interface for system management and user access to the services gateway
Switch Fabric Board (SFB)
  Powers on and powers off IOCs and SPCs
  Controls clocking, system resets, and booting
  Monitors and controls system functions, including fan speed, board power status, and the system front panel
  Provides interconnections to all the IOCs within the chassis through the switch fabrics integrated into the SCB


HIGH-END COMPONENTS CONTINUED
Network Processing I/O Cards (NP-IOCs)
  Special IOCs designed specifically for low-latency applications
  Each NP-IOC has its own network processing unit (NPU), so that traffic traversing the NP-IOC does not have to traverse the services gateway bus to a remote network processing card (NPC)


DYNAMIC SERVICES ARCHITECTURE: SRX SERIES FULLY INTEGRATED PACKET FLOW
(Figure: an ingress packet enters on an I/O Card, crosses the fabric to a Network Processing Card for flow lookup, classification, DoS/DDoS policing and oversubscription control (integrated in the SRX5000 IOC), crosses the fabric to the Services Processing Cards for services (FW/VPN/IDP, NAT/routing), and returns over the fabric to an I/O Card for QoS/shaping before leaving as the egress packet.)

HIGH-END SRX SCALING AND PLANNING
The number of NPC and SPC resources dictates High-End SRX throughput and performance, i.e. number of IPsec tunnels, IDP performance, number of FW sessions, etc.
Generally speaking, it is the SPCs that make the real difference in terms of performance
Juniper Networks Systems Engineers and Partner SEs can assist with sizing guidelines for a given desired performance profile and application


SRX1400
(Figure: front view with the 12 on-board ports, expansion slots (NSPC or SPC+NPC; IOC), Management Module (RE), fan tray and slot guide; rear view with the power supply FRU and optional redundant power supply.)
3 RU modular chassis
  3 expansion slots
  Compact form factor modules shared with SRX3000
  Junos software
12 on-board ports:
  1400GE: 6+4+2 GE
  1400XGE: 3 XGE plus 6+1+2 GE
Massive scale
  Up to 45,000 new, sustained connections per second (CPS)
  Up to .5 million sessions [at FRS]
High performance
  Up to 10 Gbps firewall
  Up to 2 Gbps IPS
  Up to 2 Gbps IPsec VPN
High availability
  Redundant power and fans
  Chassis Clustering (Q2 2011)
  Modular Junos software
  Shared HA-control ports
SRX3000 technology
  Common sparing possible

SRX3400
(Figure: front view with 12 on-board GbE ports, USB, Switch Fabric Board (SFB), fan tray, 2 x 10 GigE I/O card, 16 x GbE SFP I/O card, 16 x 10/100/1000 I/O card, expansion slots (IOC/SPC) and front slot guide; rear view with Routing Engine, redundant Routing Engine (future) or SCM, expansion slots (SPC/NPC), fan tray door, power supply FRU, optional redundant power supply and rear slot guide.)
3 RU modular chassis
  7 expansion slots (4 front and 3 rear)
  Compact form factor modules for I/O and service processing
  Dual, hot swappable management modules
  Junos software
Massive scale
  Up to 175,000 new, sustained connections per second (CPS)
  Up to 2.25 million sessions
High performance
  Up to 20 Gbps firewall
  Up to 6 Gbps IPS
  Up to 6 Gbps IPsec VPN
High availability
  Redundant power and fans
  Redundant management
  Modular Junos software

SRX3600: FRONT AND REAR VIEWS
(Figure: front view with 12 on-board GigE ports, USB, Switch Fabric Board (SFB), 2 x 10 GigE I/O card, 16 x GbE SFP I/O card, 16 x 10/100/1000 I/O card, fan tray, front slot guide and expansion slots (IOC/SPC); rear view with Routing Engine, redundant Routing Engine (future) or SCM, expansion slots (SPC; SPC/NPC), power supply FRUs, optional redundant power supplies, fan tray door and rear slot guide.)
5 RU modular chassis
  12 expansion slots (6 front and 6 rear)
  Compact form factor modules for I/O and service processing
  Dual, hot swappable management modules
  Junos software
Massive scale
  Up to 175,000 new, sustained connections per second (CPS)
  Up to 2.25 million sessions
High performance
  Up to 30 Gbps firewall
  Up to 10 Gbps IPS
  Up to 10 Gbps IPsec VPN
High availability
  Redundant power and fans
  Redundant management
  Modular Junos software

3600 COMPONENT REVIEW
(Figure, front: Switch Fabric Board (SFB), dual-height SFB option cover (SRX3600 only / future), IOC 16xSFP, IOC 2x10GE, IOC 16xCopper, Services Processing Card (SPC), air intake, front slot guide, fan tray door. Rear: Services Processing Cards (SPC), Network Processing Cards (NPC) [or SPCs], Routing Engine (RE), rear slot guide.)

SRX3000 CARDS
Switch Fabric Board (SFB)
  High speed switch fabric (320Gbps)
  Includes virtual IOC (8x10/100/1000 + 4xSFP), HA-control (2xSFP: SX, LX, LH, T) and system interface (CRAFT)
Network Processing Card (NPC)
  Single Network Processor (NP) subsystem - 10Gig throughput
Services Processing Card (SPC)
  Single HD-CPU subsystem (SPU) / 10Gig throughput
Routing Engine (RE)
  1.2 GHz processor with 1 GB memory
  Complete separation of control / data planes
  Includes CPP (central PFE controller) and CB (control board)
Clustering Module (SCM)
  Independent control-plane GigE switch to enable a second HA-control link
  Requires Junos 10.2
I/O Cards (IOC)
  3 versions:
    2-port 10GE-XFP (SR, LR, ER)
    16-port GE-SFP (SX, LX, LH, T [10/100/1000])
    16-port 10/100/1000 Copper
  10Gig full-duplex throughput (oversubscribed)

SRX5600: PRODUCT OVERVIEW
(Figure: front view with control panel, upper fan tray, Services Processing Card, 40 x GbE IOC, Switch Control Boards (SCBs), management module and expansion slots (fit any module); rear view with power supply FRUs.)
8 RU modular chassis
  Horizontal design
  6 expansion slots
  Modules for flexible I/O and service processing
  Junos software
Massive scale
  Up to 350,000 new & sustained connections per second (CPS)
  Up to 9 million sessions
High performance
  Up to 60 Gbps firewall
  Up to 15 Gbps IPS
  Up to 15 Gbps IPsec VPN
High availability
  Redundant management modules
  Redundant switching fabrics
  Redundant fans & power supplies
  Modular Junos software

SRX5800: PRODUCT OVERVIEW
(Figure: front view with control panel, upper fan tray, Switch Control Boards (SCBs), Services Processing Card, 40 x GbE I/O card, 4 x 10GbE I/O card, management module, lower fan tray, air intake and expansion slots (fit any module); rear view with power supply FRUs.)
16 RU modular chassis
  Vertical design
  12 expansion slots
  Modules for flexible I/O and service processing
  Junos software
Massive scale
  Up to 350,000 new & sustained connections per second (CPS)
  Up to 10 million sessions
High performance
  Up to 120 Gbps firewall
  Up to 30 Gbps IPS
  Up to 30 Gbps IPsec VPN
High availability
  Redundant management modules
  Redundant switching fabrics
  Redundant fans & power supplies
  Modular Junos software

Chapter 5: SRX Concepts and Features

SRX SERIES: FIREWALL, ZONES, AND POLICIES
(Figure: the SRX sits between zone untrust (the Internet) and zones trust and trust2. Traffic originating in zone untrust toward trust meets the default policy: deny all. Traffic originating in zone trust toward untrust meets the default policy: allow all.)
Security policies are evaluated per zone pair (from-zone to to-zone) on the first packet of a session; when no policy in that zone pair matches, the global default action is deny.

NEXT-GEN DATA PLANE (FLOW THREAD)
(Figure: per-packet policer -> per-packet filter -> session lookup ("Match session?"). NO: screens -> static NAT -> destination NAT -> route (forwarding lookup) -> zones -> policy -> reverse static NAT -> source NAT -> services/ALG -> session install. YES: screens -> TCP checks -> NAT -> services/ALG. Both paths then pass the per-packet filter and per-packet shaper before transmit.)
Junos Flow Module:
1) Pull packet from queue
2) Police packet
3) Filter packet
4) Session lookup
5a) No existing session (first path):
    FW screen check
    Static & destination NAT
    Route lookup
    Destination zone lookup
    Policy lookup
    Reverse static & source NAT
    Setup ALG vector
    Install session
5b) Established session (fast path):
    FW screen check
    TCP checks
    NAT translation
    ALG processing
6) Filter packet
7) Shape packet
8) Transmit packet
The full route, zone, policy and NAT evaluation runs once, on the first packet of a flow; every later packet, including the replies flowing in the reverse direction, matches the installed session and takes the shorter 5b path without another policy lookup.

FIREWALL FILTERS
Stateless Filters
Applied to interfaces; can mitigate known unwanted traffic before policy lookup
Common to MX, EX and SRX Junos
(Diagram: SRC 10.1.20.1 ANY SSH arriving from the INTERNET; Retail, Branch, Small Office and Regional sites)

juniper@SRX5800# edit firewall filter SRX_Protection
[edit firewall filter SRX_Protection]
juniper@SRX5800# set term in-ssh from source-address 10.1.20.1/24
juniper@SRX5800# set term in-ssh from protocol tcp
juniper@SRX5800# set term in-ssh from destination-port ssh
juniper@SRX5800# set term in-ssh then accept
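An added example (not from the Juniper deck) that evaluates the stateless filter above the way Junos does, to show two things the four set commands alone do not: terms are tried in order and a filter ends with an implicit discard, so the filter as written would drop everything except SSH from the listed prefix once applied to an interface; and a prefix with host bits such as 10.1.20.1/24 is matched as the whole 10.1.20.0/24. The sample packets and the "deny-other-ssh"/"default" terms are constructed.

```python
"""Minimal evaluator for a Junos-style stateless firewall filter."""
import ipaddress

# The filter from the slide: (term name, match conditions, action).
SRX_PROTECTION = [
    ("in-ssh", {"source-address": "10.1.20.1/24", "protocol": "tcp",
                "destination-port": 22}, "accept"),
]

# Constructed variant a practitioner would apply to an interface: admit SSH
# from the management prefix, discard SSH from anywhere else, and accept all
# other traffic so the implicit discard does not black-hole the interface.
SRX_PROTECTION_WITH_DEFAULT = SRX_PROTECTION + [
    ("deny-other-ssh", {"protocol": "tcp", "destination-port": 22}, "discard"),
    ("default", {}, "accept"),
]


def term_matches(conds: dict, pkt: dict) -> bool:
    """All 'from' conditions of a term must match (AND semantics)."""
    for cond, value in conds.items():
        if cond == "source-address":
            # strict=False mirrors Junos treating 10.1.20.1/24 as 10.1.20.0/24.
            net = ipaddress.ip_network(value, strict=False)
            if ipaddress.ip_address(pkt["src"]) not in net:
                return False
        elif cond == "protocol":
            if pkt["proto"] != value:
                return False
        elif cond == "destination-port":
            if pkt["dport"] != value:
                return False
        else:
            raise ValueError(f"unsupported match condition {cond}")
    return True


def evaluate(filter_terms: list, pkt: dict) -> tuple:
    """Return (term name, action); no matching term means implicit discard."""
    for name, conds, action in filter_terms:
        if term_matches(conds, pkt):
            return name, action
    return "<implicit>", "discard"
```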

APPLICATION LAYER GATEWAYS (ALG)
Advanced inspection of dynamic applications
(Diagram: FTP control channel on TCP 21 with PASV/PORT commands; negotiated FTP data channel on TCP 14599; Retail, Branch, Small Office and Regional sites)
Can detect negotiated ports and perform stateful inspection on dynamic applications (FTP, SIP, SCCP, H.323, MGCP etc.)
Automatically utilized when the application is referenced within the security policy

SCREENS
Screens are used to mitigate known malicious activities such as DoS, DDoS and reconnaissance
Applied on a zone basis; the default screen can be applied to the untrust interface
Uses thresholds and parameters to determine traffic flows into a zone
Can drop traffic or act as a proxy for TCP connections
(Diagram: TCP SYN floods and an ICMP sweep arriving from the INTERNET at Retail, Branch, Small Office and Regional sites)

SCREENS
juniper@SRX5800# show security screen ids-option untrusted-internet
icmp {
    ip-sweep threshold 1000000;
    fragment;
    large;
}
ip {
    bad-option;
    record-route-option;
    timestamp-option;
    security-option;
    stream-option;
    spoofing;
    source-route-option;
    loose-source-route-option;
    strict-source-route-option;
    unknown-protocol;
}
tcp {
    syn-fin;
    fin-no-ack;
    tcp-no-flag;
    syn-frag;
    port-scan threshold 1000000;
}
(Diagram: TCP SYN floods and an ICMP sweep arriving from the INTERNET at a Regional site)
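An added example (not from the Juniper deck) with detection logic for the two threshold screens in the configuration above, ip-sweep and port-scan. The threshold is an interval in microseconds: a source that reaches 10 distinct destination hosts with ICMP, or 10 distinct destination ports on one host with TCP SYN, inside that interval trips the screen, so 1000000 means "10 targets within one second". The packet records are constructed samples; the fixed count of 10 is the one the Junos screens use.

```python
"""Sliding-window detector for the Junos ip-sweep and port-scan screens."""
from collections import defaultdict, deque

SCREEN_COUNT = 10  # distinct targets that trip the screen; only the interval is tunable


class ThresholdScreen:
    def __init__(self, ip_sweep_threshold_us=1_000_000, port_scan_threshold_us=1_000_000):
        self.ip_sweep_us = ip_sweep_threshold_us
        self.port_scan_us = port_scan_threshold_us
        self.icmp_hist = defaultdict(deque)   # source -> (ts_us, destination host)
        self.syn_hist = defaultdict(deque)    # (source, dest host) -> (ts_us, dport)
        self.alerts = []                      # (screen name, source) in order fired

    @staticmethod
    def _distinct_in_window(hist: deque, now_us: int, window_us: int) -> int:
        # Drop entries older than the window, then count distinct targets.
        while hist and now_us - hist[0][0] > window_us:
            hist.popleft()
        return len({target for _, target in hist})

    def inspect(self, pkt: dict) -> str:
        """pkt keys: ts_us, src, dst, proto, plus flags/dport for tcp.
        Returns 'pass' or the name of the screen that fired."""
        if pkt["proto"] == "icmp":
            hist = self.icmp_hist[pkt["src"]]
            hist.append((pkt["ts_us"], pkt["dst"]))
            if self._distinct_in_window(hist, pkt["ts_us"], self.ip_sweep_us) >= SCREEN_COUNT:
                self.alerts.append(("ip-sweep", pkt["src"]))
                return "ip-sweep"
        elif pkt["proto"] == "tcp" and pkt.get("flags") == "S":
            hist = self.syn_hist[(pkt["src"], pkt["dst"])]
            hist.append((pkt["ts_us"], pkt["dport"]))
            if self._distinct_in_window(hist, pkt["ts_us"], self.port_scan_us) >= SCREEN_COUNT:
                self.alerts.append(("port-scan", pkt["src"]))
                return "port-scan"
        return "pass"


def replay(screen: ThresholdScreen, packets: list) -> list:
    """Run a constructed packet list through the screen; returns the verdicts."""
    return [screen.inspect(p) for p in packets]
```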

FROM THE OVERALL ARCHITECTURE PERSPECTIVE: BEST PRACTICES STEPS

Step 1 - Establish a baseline
  Assures legitimate traffic is not impacted
Step 2 - Build the First Line of Defense
  Police traffic close to the source or at ingress into aggregation network elements, e.g. ingress into a FW
  Throttles all the traffic, minimizing the impact of attacks on intermediate network elements
Step 3 - Build the Second Line of Defense
  SCREENs
  IDP
  Application-level IDP
  Application Firewall
  Eliminates all the recognized bad traffic
Step 4 - Build the Third Line of Defense
  Traffic shape at the egress of a FW
  Throttles the remainder of the traffic, which includes legitimate and non-recognized bad traffic

CONTRASTING SCREENS AND IDP

SCREENs
Protect from the outer layer perspective
Are executed prior to any route lookup or security policy lookup

IDP
Provides deeper packet examination
Detects protocol anomalies
Invoked after route and/or security policy lookup

PROTECTING FROM A FIREWALL PERSPECTIVE
(Diagram: Traffic entering the SRX FW passes Ingress Policers & Firewall filters -> SCREENs -> Stateful L3/L4/L5 FW -> L4-7 IDP/IPS -> Egress Traffic Shaping -> traffic exiting the SRX FW; these are Steps 2, 3 & 4 of the best-practice steps)

ROUTING & SWITCHING
SRX can act as a full router, supporting IPv4, IPv6, L2/L3 MPLS
Supports IPv4 RIP, OSPF, IS-IS & BGP
Layer 2 switching supported on Branch SRX, not supported on HE SRX
  Onboard Ethernet ports on the SRX100, SRX210, and SRX240 devices
  Multiport Gigabit Ethernet XPIM on the SRX650 device
Support of Virtual Routers and Logical Tunnel Interfaces
Supports full Junos CoS: 8 queues per port
Can also run in Transparent FW mode, supporting Layer 2 bridged FW security

SRX PACKET FLOW
Branch SRX has two modes of operation, which can also be combined:
Packet Mode: can be run in packet mode to operate like a traditional router; the mode used to support MPLS and VPLS
Flow Mode: flow mode ensures fast-path lookup; the default action of Branch SRX devices
Mixed Mode: Branch SRX can also act in mixed mode, supporting both flow-based and packet-based connections

SRX HIGH AVAILABILITY

Features
Stateful fail-over
Active/Backup Control Plane
Active/Active Data Plane
Single System View

Benefits
Maintains connection persistence & improves system resiliency for services
Load sharing across systems
Optimized for complex routing environments

TWO CHASSIS CONNECTED TOGETHER
(Diagram, first pair: Control Plane (fxp1) on fe-0/0/7; Data Plane (fab1) IOC to IOC)
(Diagram, second pair: Control Plane (fxp1) connection SPC-to-SPC; Data Plane (fab1) connection IOC to IOC)

INTERFACE NUMBERING
Interfaces are numbered Hobson style
Node0: slots 0-11 (RE 0); Node1: slots 12-23 (RE 1)
(Diagram: slot 0 on node0 and slot 12 on node1; e.g. ge-1/0/0 on node0, ge-13/0/0 on node1; last slot is 23)

CHASSIS CLUSTER INTERFACES

fxp1 - Control Plane interface
  Dedicated interface dependent on model
  Dual Control Plane support on HE
  Synchronizes configuration & keepalives

fab0/1 - Data fabric interface
  Can be 1G or 10G dependent on model
  Synchronizes session information over RTOs
  Can be used to forward Z-path traffic

Redundancy Group (RG)
  Logical grouping of interfaces. The SRX with the highest metric (255) is master for each RG. Failure of interfaces decrements the total.

RETH
  Redundant Ethernet: virtual IP and MAC for the associated VLAN, member of a redundancy group

CHASSIS CLUSTER DEPLOYMENTS: ACTIVE/PASSIVE
(Diagram: Active Control Plane, Active Redundancy Group 1 and Active Redundancy Group 2 on one node)

CHASSIS CLUSTER DEPLOYMENTS: ACTIVE/ACTIVE
(Diagram: Active Control Plane and Active Redundancy Group 1 on one node, Active Redundancy Group 2 on the other)

APPLICATION VISIBILITY AND CONTROL IS EASY WITH APPSECURE
(Diagram: Application Enforcement by User Role, Application View, Threat Mitigation and IPS, all built on the Application Awareness and Classification Engine)
The engine answers: What application? What user? User location? User device?

12.1: NOW WITH USER ROLE FIREWALL
Allows different users to have different application policies based on their role and group
(Diagram: MAG/UAC and Branch SRX enforcing per-role policy)
Marketing: P2P apps blocked; Youtube allowed; Anti-virus applied; WF profile A
Sales: P2P, Youtube blocked; Anti-virus applied; WF profile B
CEO: No apps blocked; Anti-virus applied; WF profile C

USER-ROLE FIREWALL FOR ACTIVE DIRECTORY
(Diagram: Windows ADs, Junos Pulse MAG/IC Series, SRX Series, Client, and a Corporate Data Center with Data, Finance, Video, Internet and Apps)
1. Domain user logs into the domain from a domain member device
2. Unauthenticated client tries to access a resource through the SRX and is dropped
3. SRX redirects the client to the IC for the authentication process using Kerberos
4. Upon successful authentication and identification of the user, the IC gets AD group membership using LDAP, maps it to roles and sends the info to the SRX
5. Client device passes traffic through the SRX per the corresponding policy enforcement controls based on user/role

COMPREHENSIVE USER POLICY ENFORCEMENT
(Diagram: Standard Server Hardware)

Flexibility
Agent-based deployment can provide advanced functionalities
Agentless access can be used for an unintrusive, transparent user experience
Local web portal can be used for guest access or as a fallback mechanism

Rich OS Support
Windows XP, Windows Vista and Windows 7
MacOS support
Linux/Solaris support
Thin clients can be supported using the local web portal
Broad range of Smartphone OS: iOS, Android, others

Advanced Services
Host checker
Coordinated Threat Control
SSL tunneling
End-to-End Security Policy enforcement by user role and group

APPLICATION VISIBILITY FOR INFORMED RISK ANALYSIS
Monitor & Track Applications (AppTrack)
View applications by protocol, Web application, and utilization
Analyze usage and trends
Web 2.0 application visibility
Customize application monitoring
Application usage monitoring
Scalable, flexible logging & reporting
Log and report across security solutions and systems

APPSECURE: BEYOND JUST FIREWALL OR APPLICATION CONTROL
Control & Enforce Web 2.0 Apps (AppFW)
Inspect ports and protocols
Uncover tunneled apps (e.g. inside HTTP)
Stop multiple threat types
Dynamic application security
Control nested apps, chat, file sharing and other Web 2.0 activities
Web 2.0 policy enforcement
Threat detection & prevention

IPS FOR CUSTOMIZABLE PROTECTION
Monitor & Mitigate Custom Attacks (AppSecure IPS)
Detect and monitor suspicious behavior
Tune open signatures to detect and mitigate tailored attacks
On-going threat protection
Mobile traffic monitoring
Custom attack mitigation
Uncover attacks exploiting encrypted methods
Address vulnerabilities instead of ever-changing exploits of the vulnerability
(Diagram: one VULNERABILITY versus many Exploits; Other IPSs match the exploits)

ENHANCED WEB FILTERING
(Diagram: Internal network -> SRX -> Internet, with an In-the-Cloud Categorization Server; Productivity, Performance, Security)
Continuous updates
Large number of URLs
Category granularity
Real time threat score

CUSTOMER CHOICE FOR ANTIVIRUS
Cloud-based option: Sophos
On-box option: Kaspersky
Juniper is the only vendor offering customers a choice between two market proven antivirus solutions.

CLOUD BASED AV SERVICE: SOPHOS LIVE PROTECTION ANTI-MALWARE FOR JUNIPER SRX
Cloud-based intelligence delivers high performance malware protection
Effective, instant protection against malware and infected web sites
Target customers that want the performance and ease of a cloud-based antivirus solution
(Diagram: SRX querying the cloud service)

ANTI-SPAM
(Diagram: Remote Email Server on the Internet (UNTRUST) -> SRX -> Email Server in the DMZ, with a Web Proxy and Host in TRUST)
1. SRX receives email destined for the email server in the DMZ or TRUST zone and looks up the local white/black list to check local entries. Finds no entry and sends the address of the remote email server or source to the in-the-cloud anti-spam service
2. Service checks the host address against a constantly updated list and returns a block, permit or log-and-permit message to the SRX
3. SRX tags the email as ***SPAM*** or it is allowed through. The email server can then use the tag to make supplementary decisions

REMOTE ACCESS VPN
Dynamic VPN Service: Access Manager Client
Clientless dynamic IPSEC client, automatically downloaded
Simultaneous tunnel enforcement
Automatic client upgrade capabilities
Self-provisioning
IPSec with TCP-based fallback for NAT traversal
Windows platform support: XP, Vista, Win 2000, and Windows 7, Windows 10
(Diagram: Wireless, Wired and 3G/4G Wireless clients reaching an SRX210 across the INTERNET)

JUNIPER WIRELESS - COMPLETE WLAN SOLUTION
WLA/WLC PRODUCTS SUITE
WLM Management and Access Tools: Plan, Config, Monitor, Report, Troubleshoot (RingMaster, SmartPass, WLM Appliance)
WLA Access Points
WLC Controllers
Simple - Secure - Mobile

APPSECURE SOFTWARE SERVICE SUITE
Application Intelligence and Security In Branch
AppTrack: Understand security risks; Address new user behaviors
AppFW: Block access to risky apps; Allows user tailored policies
AppQoS: Prioritize important apps; Rate limit less important apps
AppDoS: Protect apps from bot attacks; Allow legitimate user traffic (2H 2013)
IPS: Remediate security threats; Stay current with daily signatures
Subscription service includes all modules and updates
Juniper Security Lab provides 900+ application signatures

APPLICATION SECURITY AVAILABILITY
(Table: availability of AppTrack, AppFW, AppQoS, AppDoS and IPS on High End SRX and Branch SRX; the availability marks did not survive extraction, apart from a 2H2013 note)

LOGICAL SYSTEMS (LSYS)
HIGH-END SRX ONLY
Virtualization of many aspects of Junos, especially security policies and enforcement options, within a single HE SRX
Complete separation of a single device into unique virtual instances, including:
  Administrative separation: users in one LSYS have no visibility into or knowledge of any other LSYS instances that may be running on the box
  Traffic separation: network traffic for a given LSYS cannot cross into another LSYS unless security and routing policies are configured to allow it
  Resource separation: resources such as sessions, policies, zones, and virtual routers can be budgeted between the various LSYS instances
An evolution of ScreenOS's VSYS concept

SERVICES OFFLOAD: A.K.A. LOW LATENCY FIREWALL
HIGH-END SRX ONLY
Allows both latency-sensitive and normal traffic to be mixed on the same platform
When configured with services offload, the SPC will push policy to the NPC, and further processing is handled directly by the NPC
Available as of Junos 11.4
(Diagram: four PHY -> NP/NPC -> SPC paths)
Supports FW, NAT, NPU screens, and QoS
No support for services that require an SPC:
  Fragmented packets
  IPS
  Inter-LSYS traffic

JUNOS SPACE
Open Network Application Platform

Network Application Platform
Open, extensible, standards-based (SOA)
Abstractions for generic service definitions

Applications
Purpose-built for network orchestration and automation
RESTful Web Service API
Carrier-grade scale
Transparent communication with all Junos devices (any device, any OS version): total management of Juniper infrastructure
Easy integration with OSS via NBI/SDK

(Diagram: Juniper Applications: Network Activate, Transport Activate, QoS Design, Ethernet Design, Security Design, Security Director, Virtual Control, Service Now. 3rd Party Applications: OSS, BSS, Green/Energy, End-user, Forensics, Adapters (MTOSI, OneAPI), others. JUNOS SPACE PLATFORM with Network Widgets and Infrastructure Widgets over the Device Management Interface (DMI).)

SECURITY THREAT RESPONSE MANAGER (STRM)
STRM supports SRX Series Intrusion Prevention System (IPS) and AppSecure
220+ out-of-the-box report templates
Fully customizable reporting engine: creating, branding and scheduling delivery of reports
Compliance reporting packages for PCI, SOX, FISMA, GLBA, and HIPAA
Reports based on control frameworks: NIST, ISO and CoBIT

JUNOS SCRIPTS
Configuration Automation - Instructs Junos during the commit process
  Options to provide warnings, post log messages, automatically fail the commit, or change the configuration
Operations Automation - Instructs Junos as prompted by the command line and other scripts
  Create custom operational commands for specific user and environment needs
Event Automation - Instructs Junos of actions to take in response to events
  Gather relevant troubleshooting information and correlate events from the first leading indicators

JUNOS SCRIPTS
(Diagram only)

SRX QUICK START TRAINING
Chapter 6: Junos OS Command Line Interface (CLI) Introduction

MULTIPLE WAYS TO MANAGE!

JUNOS CLI
Telnet, SSH
Commit model
JUNOScript: automated configuration, operations

J-Web
Quick Setup with Templates
Dashboard View
Performance Monitoring

Security Director
Manage multiple devices
Global, group and device level configuration

CONFIGURATION HISTORY
(Diagram: configure copies the Active Configuration into the Candidate Configuration; commit makes the candidate active; rollback n loads previous active configurations 0, 1, ..., 49)
Active configuration stored in /config/juniper.conf.gz
Rollback files stored in
  /config/juniper.conf.n.gz (n=1-3)
  /var/db/config/juniper.conf.n.gz (n=4-49)

JUNOS OS CONFIGURATION PROCESS
Separation of configuration edit and activation
Validation checks
Version control
Automated rollback
Convenient deployment of standard configurations and policy language across the network
(Diagram: Load configuration -> candidate -> commit -> commit scripts -> commit validations -> validated configuration -> commit confirmed -> active configuration)
JUNOS OS CONFIGURATION PROCESS (CONT'D)
(Diagram: Load -> candidate -> commit configuration -> commit scripts -> commit validations -> validated configuration -> commit confirmed -> active configuration; rollback returns to any of the 49 previous configurations)
Basic steps in the configuration process
1. Enter changes in the candidate
2. Commit the candidate
3. Candidate becomes active

THE RESCUE CONFIGURATION
A rescue configuration is designed to restore basic connectivity in the event of configuration problems
Contents are user defined
Include a root password!
By default, there is no rescue configuration
Can be saved using J-Web or the CLI
Once saved, the rescue configuration can be activated with the CLI or a momentary push of the recessed CONFIG button
(Diagram: location of the CONFIG button)

CLI MODES AND FEATURE OVERVIEW
CLI operational mode:
  Editing command lines
  Command completion and history
  Context-sensitive and documentation-based help
  UNIX-style pipes
CLI configuration mode:
  Object-oriented hierarchy
  Jumping between levels
  Candidate configuration with sanity checking
  Automatic rollback capability
  Showing portions of configuration while configuring
  Saving, loading, and deleting configuration files
  Running operational-mode commands from within configuration

CLI MODES
Operational mode:
Monitor and troubleshoot the software, network connectivity, and router hardware
user@host>
The > character identifies operational mode

Configuration mode:
Configure the router, including interfaces, general routing information, routing protocols, user access, and system hardware properties
[edit]
user@host#
The # character identifies configuration mode

LOGGING IN
When logging in:
Nonroot users are placed into the CLI automatically
host (ttyd0)
login: user
Password:
--- JUNOS 8.3R2.8 built 2007-07-07 00:21:56 UTC
user@host>

The root user must start the CLI from the shell
Do not forget to exit the root shell after logging out of the CLI!
host (ttyd0)
login: root
Password:
--- JUNOS 8.3R2.8 built 2007-07-07 00:21:56 UTC
root@host% cli          (Shell Prompt)
root@host>              (CLI Prompt)

CLI OPERATIONAL MODE
Execute commands (mainly) from the default CLI level (user@host>)
Can execute from configuration mode with the run command
Hierarchy of commands
Example: show ospf neighbor
(Diagram, less specific to more specific:
  clear, configure, file, help, monitor, set, show, etc.
  show: bgp, chassis, configuration, ospf, rip, route, version, etc.
  show ospf: database, interface, neighbor, route, statistics, etc.)

EDITING COMMAND LINES
EMACS-style editing sequences are supported
user@host> show interfaces
Keyboard sequences and the resulting cursor position:
  Ctrl+b: move the cursor back one character
  Ctrl+a: move the cursor to the beginning of the line
  Ctrl+f: move the cursor forward one character
  Ctrl+e: move the cursor to the end of the line
The default VT100 terminal type also supports cursor positioning with the arrow keys

COMMAND AND VARIABLE COMPLETION
Spacebar completes a command (enter a space to complete a command)
user@host> sh<space>ow i<space>
'i' is ambiguous.
Possible completions:
  igmp        Show Internet Group Management Protocol...
  ike         Show Internet Key Exchange information
  interfaces  Show interface information
  ipsec       Show IP Security information
  isis        Show Intermediate System-to-Intermediate...
user@host> show i

Use the Tab key to complete an assigned variable
[edit policy-options]
user@host# show policy-statement t<tab>his-is-my-policy
then accept;
[edit policy-options]
user@host#

CONTEXT-SENSITIVE HELP
Type ? anywhere on the command line
user@host> ?
Possible completions:
  clear        Clear information in the system
  configure    Manipulate software configuration
  file         Perform file operations
  help         Provide help information
  . . .
user@host> clear ?
Possible completions:
  arp          Clear address resolution information
  bfd          Clear Bidirectional Forwarding Detection information
  bgp          Clear Border Gateway Protocol information
  firewall     Clear firewall counters
  . . .

TOPICAL HELP
The help topic command provides information on general concepts
user@host> help topic interfaces ?
Possible completions:
  accept-data          Accept packets destined for virtual IP...
  accept-source-mac    Policers for specific source MAC addresses
  access-profile       Mapping peer name and secrets for CHAP
  accounting-profile   Accounting profile
  acknowledge-timer    Maximum time to wait for link...
  address              Interface address and destination prefix
  ...
user@host> help topic interfaces address
Configuring the Interface Address

You assign an address to an interface by specifying the address when
configuring the protocol family. For the inet family, you configure the
interface's IP address. For the iso family, you configure one or more
addresses for the loopback interface. For the ccc, tcc, mpls, tnp, and
vpls families, you never configure an address.
...

CONFIGURATION SYNTAX HELP
Use help reference for assistance with configuration syntax
user@host> help reference interfaces address
address
Syntax
  address address {
    arp ip-address (mac | multicast-mac) mac-address <publish>;
    broadcast address;
    destination address;
    destination-profile name;
    eui-64;
    multipoint-destination address dlci dlci-identifier;
    ...
Hierarchy Level
  [edit interfaces interface-name unit logical-unit-number family family],
  [edit logical-routers logical-router-name interfaces interface-name unit
  logical-unit-number family family]
Description
  Configure the interface address.
...

USING | (PIPE)
The pipe function allows you to filter and manipulate command output
Available in all modes and contexts
user@host> show route | ?
Possible completions:
  count     Count occurrences
  display   Show additional kinds of information
  except    Show only text that does not match a pattern
  find      Search for first occurrence of pattern
  hold      Hold text without exiting the --More-- prompt
  last      Display end of output only
  match     Show only text that matches a pattern
  no-more   Don't paginate output
  request   Make system-level requests
  resolve   Resolve IP addresses
  save      Save output text to file
  trim      Trim specified number of columns from start of line
user@host> show route |

ACTIVE AND CANDIDATE CONFIGURATIONS
Batch configuration model:
  Must commit configuration changes
Active configuration:
  Current operational configuration
  Boot-up configuration
Candidate configuration:
  A working copy for configuration changes
  Initialized with the active configuration
  Becomes the active configuration upon commit

CONFIGURE PRIVATE, CONFIGURE EXCLUSIVE
Use configure private for your own copy of the candidate configuration
mike@jnpr1> configure private
warning: uncommitted changes will be discarded on exit
Entering configuration mode

Use configure exclusive when you want to prohibit others from also making changes while you are in configuration mode
mike@jnpr1> configure exclusive
warning: uncommitted changes will be discarded on exit
Entering configuration mode

SHOW COMMAND
List the complete candidate from the top of configuration mode
[edit]
mike@juniper1# show
version "9.2R1.3";
groups {
    re0 {
        system {
            host-name jnpr1;
        }
    }
}

List a specific subset of the candidate configuration from a deeper level of the hierarchy
[edit interfaces ge-5/0/0]
mike@jnpr# show
gigether-options {
    flow-control;
    auto-negotiation;
}
unit 0 {
    family inet {
        address 1.2.3.4/28;
    }
}

SET COMMAND
From the top of configuration mode
[edit]
mike@jnpr1# set system services finger
mike@jnpr1# set system services ftp
mike@jnpr1# set system services ssh
mike@jnpr1# set system services telnet

From a sublevel
[edit system services]
mike@jnpr1# set finger
mike@jnpr1# set ftp
mike@jnpr1# set ssh
mike@jnpr1# set telnet

Either adds:
[edit]
system {
    services {
        finger;
        ftp;
        ssh;
        telnet;
    }
}

DELETE COMMAND
Remove a statement along with any subordinate statements
Deleting a statement effectively returns the affected device, protocol, or service to an unconfigured state
Deleting a container statement removes everything under that level of the hierarchy
[edit]
mike@jnpr1# delete system services

Now:
[edit]
system {
}

COMPARE CONFIGURATIONS
Display the differences between the candidate and active configuration
Options to show any two configurations
[edit system services]
mike@jnpr1# show | compare
- ssh;
+ telnet;
- web-management {
    http {
        port 8080;
    }
-}

COMMIT CHECK
Check that the device will accept your candidate
Validates the logic and completeness of the candidate without activating the changes
[edit]
mike@jnpr1# commit check
[edit interfaces lo0 unit 0 family inet]
  'address 192.168.69.1/24'
    Loopback addresses' prefix must be 32 bits
error: configuration check-out failed

COMMIT
Activates the candidate to become the running configuration of the device
If the validation checks find any errors, you must fix these before the candidate can become the active file
[edit]
mike@jnpr1# commit
error: Policy error: Policy my-policy referenced but not defined
error: BGP: export list not applied
error: configuration check-out failed

[edit]
mike@jnpr1# commit
commit complete
The commit complete message tells you that the new configuration is now active

COMMIT CONFIRMED
Automate rollback in remote devices
Commit a candidate configuration for a limited time
[edit]
mike@jnpr1# commit confirmed
commit confirmed will be automatically rolled back in 10 minutes unless confirmed
commit complete

Finalize the commit by entering a 2nd commit command
[edit]
mike@jnpr1# commit
commit complete

Or, wait for rollback to your previous configuration
Broadcast Message from root@jnpr1 (no tty) at 08:10:17 UTC
Commit was not confirmed; automatic rollback complete.

ROLLBACK
Use rollback (or rollback 0) to reset the candidate configuration to the currently active configuration
rollback 1 loads the previously active configuration
rollback n loads the nth previous active configuration
rollback rescue loads the previously created rescue file
rollback only modifies the candidate configuration
Don't forget to commit the changes!
[edit]
mike@host# rollback
load complete
[edit]
mike@host# commit
commit complete
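An added example (not from the Juniper deck) that models the commit, commit confirmed and rollback behaviour of the last few slides: commit moves the candidate to active and pushes the old active onto the rollback history, rollback n only rewrites the candidate, and a commit confirmed that is not followed by a second commit before the timer expires restores the previous active configuration on its own. Configurations are constructed strings; time is a minute counter passed in by the caller.

```python
"""Model of the Junos candidate/active/rollback configuration store."""


class ConfigStore:
    MAX_ROLLBACK = 49  # rollback 1..49 are kept (1-3 in /config, 4-49 in /var/db/config)

    def __init__(self, active="system { host-name srx; }"):
        self.active = active
        self.candidate = active   # the candidate starts as a copy of the active config
        self.history = []         # history[0] is rollback 1, history[1] is rollback 2, ...
        self.pending = None       # (deadline minute, config to restore) for commit confirmed

    def set(self, stanza: str) -> None:
        """Stand-in for 'set ...': edits only the candidate."""
        self.candidate = self.candidate + " " + stanza

    def commit(self) -> str:
        # A second commit finalizes an outstanding commit confirmed.
        self.pending = None
        if self.candidate == self.active:
            return "commit complete"   # nothing changed; no new rollback entry in this model
        self.history.insert(0, self.active)
        del self.history[self.MAX_ROLLBACK:]
        self.active = self.candidate
        return "commit complete"

    def commit_confirmed(self, now_minute: int, minutes: int = 10) -> str:
        previous = self.active
        self.commit()
        self.pending = (now_minute + minutes, previous)
        return (f"commit confirmed will be automatically rolled back in "
                f"{minutes} minutes unless confirmed")

    def tick(self, now_minute: int):
        """Call as time passes; performs the automatic rollback once it is due."""
        if self.pending and now_minute >= self.pending[0]:
            _, previous = self.pending
            self.pending = None
            self.candidate = previous     # equivalent of 'rollback 1' ...
            self.commit()                 # ... followed by a commit
            return "Commit was not confirmed; automatic rollback complete."
        return None

    def rollback(self, n: int = 0) -> str:
        """rollback 0 resets the candidate to active; rollback n loads the nth previous."""
        if n == 0:
            self.candidate = self.active
        else:
            self.candidate = self.history[n - 1]
        return "load complete"   # only the candidate changed; a commit is still needed
```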

SAVING A RESCUE CONFIGURATION
Use the request system configuration rescue [save | delete] CLI command
View with the show system configuration rescue CLI command

CONFIGURATION STATEMENT HIERARCHY
[edit]
user@host# edit protocols ospf area 51 stub
[edit protocols ospf area 0.0.0.51 stub]
user@host# top
(Diagram, less specific to more specific:
  chassis, interfaces, protocols, services, system, etc.
  protocols: bgp, isis, mpls, ospf, pim, rip, rsvp, vrrp, etc.
  ospf: area area_id, graceful-restart, overload, traffic-engineering, etc.
  area: area-range area_range, interface, nssa, stub, etc.)

CONFIGURATION FILE IS HIERARCHICAL
CLI commands are entered without curly brackets
[edit system]
user@host# set services web-management http port 8080

The result is a hierarchical configuration file, complete with curly brackets
[edit system]
user@host# show services
web-management {
    http {
        port 8080;
    }
}
[edit system]
user@host#

CONFIGURATION FILE DIFFERENCES
Change the candidate configuration:
[edit system]
user@host# set services telnet
[edit system]
user@host# delete services web-management
[edit system]
user@host# delete services ssh

Display differences between the candidate and active configurations:
user@host# show | compare
[edit system services]
- ssh;
+ telnet;
- web-management {
    http {
        port 8080;
    }
- }

RUN IS COOL
Use the run command to execute operational-mode CLI commands from within configuration
Can be a real time-saver when testing the effect of a recent change
[edit interfaces fe-0/0/0]
lab@HongKong# set unit 0 family inet address 10.250.0.141/16
[edit interfaces fe-0/0/0]
lab@HongKong# commit
commit complete
[edit interfaces fe-0/0/0]
lab@HongKong# run ping 10.250.0.149 count 1
PING 10.250.0.149 (10.250.0.149): 56 data bytes
64 bytes from 10.250.0.149: icmp_seq=0 ttl=255 time=0.967 ms
--- 10.250.0.149 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.967/0.967/0.967/0.000 ms

USING RENAME
User-defined variables can be changed with the rename command
Can change policy names, filter names, IP addresses, etc.
[edit interfaces fe-0/0/0]
lab@HongKong# set unit 0 family inet address 10.250.0.141/16
[edit interfaces fe-0/0/0]
lab@HongKong# show
unit 0 {
    family inet {
        address 10.250.0.141/16;
    }
}
[edit interfaces fe-0/0/0]
lab@HongKong# rename unit 0 family inet address 10.250.0.141/16 to address 10.250.0.241/16
[edit interfaces fe-0/0/0]
lab@HongKong# show
unit 0 {
    family inet {
        address 10.250.0.241/16;
    }
}

USING REPLACE
In configuration mode
[edit]
lab@HongKong# replace pattern 10.1.1.1 with 10.2.2.2

SRX QUICK START TRAINING


Chapter X: Other Security Products of Interest

COMMITTED TO INNOVATION AND INVESTMENT
Security is core to our business at Juniper
Market Leader: High-End Firewalls, Remote Access SSL VPN, Network Security (Infonetics Research 2012)
Global Powerhouse: $1B global revenue; serving customers in over 47 countries, with a worldwide community of over 1000 Reseller Partners
Dedicated Innovator: Juniper R&D is $1.027B, or 23% of revenues, a figure no one else in the industry comes close to on a percentage basis (2011 Annual Report)
New in 2013: A differentiated approach to security with our Intrusion Deception and DDoS protection capabilities
133


OTHER SECURITY PRODUCTS OF INTEREST
Virtualized Firewall Solution: JunosV Firefly
Securing Web Portals: Junos WebApp Secure
Securing Virtual Machines and ESX Hosts: vGW Virtual Gateway

134



JUNOS V FIREFLY
135



INTRODUCING JUNOSV FIREFLY
[Diagram: a Virtualized Environment for Enterprise/Tenant A, with several VMs and a JunosV Firefly VM running on a Hypervisor, shown next to a physical SRX running Junos]
Juniper is delivering its industry-leading Junos OS and SRX features as a software appliance for deployment in virtualized environments
136



JUNOSV FIREFLY VISION: ADVANCED PROTECTION IN VIRTUALIZED ENVIRONMENTS
Security & Routing functionality delivered as a virtual machine
Junos delivered as a virtual appliance on a choice of Hypervisors
Runs on standard x86 hardware
Full, proven Junos security and routing protocol suite
Leverages proven SRX & VJX technology
Supports Hypervisor VM functionality. Example: vMotion, snapshots, HA/FT, Cloning, Management etc.
Performance optimized: SMP kernel & multi-threaded flowd over multiple vCPUs
Junos Rich & Extensible Security Stack:
Perimeter: Firewall, VPN, NAT, Network Admission Control
Content: Anti-Virus, IPS (Full IDP Feature Set), Web Filtering, Anti-Spam
Application: Application Awareness, Identity Awareness
Junos Routing Protocols and SDK
Management: CLI, JWeb, SNMP, JSpace-SD, Hypervisor Mgmt, HA/FT
137



JUNOSV FIREFLY MANAGEMENT
JunosV Firefly Device Management
Centralized management: Junos Space / Security Design
Junos Space Virtual Director: A Junos Space platform application that offers complete Lifecycle management for JunosV Firefly.
Security Insight: STRM (logging and reporting), Syslog, Traceroute
Local management: CLI, JWeb, Junos Scripts, SNMP
138

JUNOS WEBAPP SECURE


139



HACKER THREATS
Scripts & Tools, Exploits: Generic scripts and tools against one site.
IP Scan: Script run against multiple sites seeking a specific vulnerability.
Targeted Scan: Targets a specific site for any vulnerability.
Botnet: Script loaded onto a bot network to carry out attack.
Human Hacker: Sophisticated, targeted attack (APT). Low and slow to avoid detection.
[Timeline across the slide: Jan, June, Dec]
140

WEB APP SECURITY TECHNOLOGY
Signature-based tools (Web Application Firewall, Web Intrusion Prevention System; PCI Section 6.6) compared with Junos WebApp Secure, Q1 2012:
Detection: Signatures, versus Tar Traps
Tracking: IP address, versus IP address plus browser, software and scripts
Profiling: IP address, versus browser, software and scripts
Responses: Block IP, versus block, warn and deceive attacker
141

THE JUNOS WEBAPP SECURE ADVANTAGE: DECEPTION-BASED SECURITY
Detect: Tar Traps detect threats without false positives.
Track: Track IPs, browsers, software and scripts.
Profile: Understand attackers' capabilities and intents.
Respond: Adaptive responses, including block, warn and deceive.

142



THE ANATOMY OF A WEB ATTACK
Phase 1: Reconnaissance (weeks or months)
Phase 2: Attack Vector Establishment (weeks or months)
Phase 3: Implementation (days or weeks)
Phase 4: Automation (months or years)
Phase 5: Maintenance (years)
[Diagram marker on the timeline: Web App Firewall]
143

DETECTION BY DECEPTION
Tar Traps: Query String Parameters, Hidden Input Fields, Server Configuration
[Diagram: Client, Network Perimeter Firewall, App Server, Database]
144

TRACK ATTACKERS BEYOND THE IP
Track IP Address
Track Browser Attacks: Persistent Token, with the capacity to persist in all browsers including various privacy control features.
Track Software and Script Attacks: Fingerprinting of HTTP communications.
145

SMART PROFILE OF ATTACKER
Every attacker assigned a name
Incident history
Attacker threat level

146



RESPOND AND DECEIVE
Junos WebApp Secure Responses: Warn attacker, Block user, Force CAPTCHA, Slow connection, Simulate broken application, Force log-out
Threat types: Human Hacker, Botnet, Targeted Scan, IP Scan, Scripts & Tools, Exploits
All responses are available for any type of threat. Highlighted responses are most appropriate for each type of threat.

147



UNIFIED PROTECTION ACROSS PLATFORMS
[Diagram: Internal (App Server, Database), Virtualized, Cloud]

148



VGW VIRTUAL GATEWAY


149



MEGA TREND SERVER VIRTUALIZATION
[Chart: Physical Server Installed Base and Logical Server Installed Base, in millions of installed servers (y-axis 0 to 80), for the years 1996 to 2013, with the gap between the two labelled Capital Savings. Source: IDC]
150



SECURITY IMPLICATION OF VIRTUALIZATION
Physical Network: Firewall/IDS Sees/Protects All Traffic between Servers
Virtual Network (VM1, VM2, VM3 on an ESX/ESXi Host, connected through a Virtual Switch above the Hypervisor): Physical Security Is Blind to Traffic between Virtual Machines
151



APPROACHES TO SECURING VIRTUAL NETWORKS
1. VLANs & Physical Segmentation (VMs split across separate ESX/ESXi Hosts and Hypervisors)
2. Traditional Security Agents (Regular Thick Agent for FW & AV inside each VM)
3. Integrated Virtual Security (a Virtual Security Layer, VS, on the Hypervisor of each ESX/ESXi Host)
152

THE VGW ARCHITECTURE OVERVIEW
Service Provider & Enterprise Grade
Three Tiered Model
VMware Certified (signed binaries!)
Protects each VM and the hypervisor
Fault-tolerant architecture (i.e., HA)
Virtualization-aware: Secure VMotion; Auto Secure detects/protects new VMs
Partner Server (IDS, SIM, Syslog, Netflow) receives Packet Data
Granular, Tiered Defense: Any vSwitch (Standard, DVS, 3rd Party); Stateful firewall, integrated IDS, and AV; Flexible Policy Enforcement: zone, VM group, VM, individual vNIC
[Diagram: Security Design for vGW and Virtual Center talk to the vGW VM through VMware APIs; VM1, VM2, VM3 and the vGW VM sit above the Hypervisor / VMware Kernel on an ESX or ESXi Host]
153

THE vGW ENGINE
vGW Modules
Main: Dashboard view of the virtual system threats (including VM quarantine view)
7 Functional Modules:
Network: Visibility of inter-VM traffic flows
Firewall: Firewall Policy Management and Logs
IDS: Centralized view of IDS alerts and ability to drill-down on attacks
AntiVirus: Full AV protection for virtual machines
Introspection: Centralized view of the software loaded in a VM including OS, Apps, HotFixes. Ability to track & control changes in loaded software via Image Enforcer
Compliance: Out-of-box & custom rules engine to alert on VM & Host config changes
Reports: Automated reports for all the functional modules

154



SRX SERIES INTEGRATION
Firewall zones integration (zone synchronization between SRX Series and vGW)
Benefits:
Guarantee integrity of zones on hypervisor
Automate and verify no policy violation of VMs
Empower SRX Series with VM awareness

155



RESOURCES TO HELP YOU LEARN MORE
Resource: URL
Pathfinder: http://pathfinder.juniper.net
Content Explorer: http://www.juniper.net/techpubs/content-applications/contentexplorer
Feature Explorer: http://pathfinder.juniper.net/feature-explorer
Learning Bytes: www.juniper.net/learningbytes
Installation and configuration courses: www.juniper.net/courses
J-Net Forum: http://forums.juniper.net/t5/Training-Certification-and/bdp/Training_and_Certification
Certification program: www.juniper.net/certification
Courses: http://www.juniper.net/training/technical_education
Translation tools: http://www.juniper.net/customers/support/#task

156


