Lab Guide
Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
YEAR 2000 NOTICE
Juniper Networks hardware and software products do not suffer from Year 2000 problems and hence are Year 2000 compliant. The Junos operating system has
no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
SOFTWARE LICENSE
The terms and conditions for using Juniper Networks software are described in the software license provided with the software, or to the extent applicable, in an
agreement executed between you and Juniper Networks, or Juniper Networks agent. By using Juniper Networks software, you indicate that you understand and
agree to be bound by its license terms and conditions. Generally speaking, the software license restricts the manner in which you are permitted to use the Juniper
Networks software, may contain prohibitions against certain uses, and may state conditions under which the license is automatically terminated. You should
consult the software license for further details.
Document Conventions
Franklin Gothic: Normal text. Most of what you read in the Lab Guide and Student Guide.
CLI Input, GUI Input: Text that you must enter.
  CLI example: lab@San_Jose> show route
  GUI example: Select File > Save, and type config.ini in the Filename field.
CLI Undefined, GUI Undefined: Text where the variable's value is at the user's discretion, or text where the variable's value as shown in the lab guide might differ from the value the user must input according to the lab topology.
  CLI examples: Type set policy policy-name. ping 10.0.x.y
  GUI example: Select File > Save, and type filename in the Filename field.
www.juniper.net 1
Lab 0
Introduction to the Juniper Networks Virtual Lab
Overview
Lab 0 describes the basic procedures for accessing the Juniper Networks Virtual Lab (vLab)
environment using a standard Web browser.
The vLabs help partners receive hands-on training through a virtual portal which is available
24 hours a day, 7 days a week. This is not a simulator, but live equipment to promote learning
and development for interested partners in association with the Juniper Networks Partner
Learning Academy.
The vLab exercises assist a student in becoming proficient at installing, configuring, and
troubleshooting Juniper products. The time needed to complete each course track and the
associated virtual lab exercises will vary. You will need your Juniper partner login to access the
virtual lab website.
Once logged in, access is granted on a first come, first served basis. The system will check to
see if the selected vLab has a lab environment available. If a vLab environment for the selected
lab is available, access is granted. If a vLab environment for the selected vLab is not available,
you will be asked to try again later. The vLabs are also available for dedicated instructor-led
courses on an as-needed basis.
Each of the vLab environments is duplicated multiple times, making it more likely that a vLab
environment will be available for you to use.
Note
We recommend that you read through Lab 0 prior to
starting your lab. The guide provides important
information regarding accessing the lab
environment and the lab exercises. Lab 0 is the
same for all vLabs.
The first step in accessing the vLabs is to go to the vLab website. To access the vLab website,
type or copy and paste the URL shown below into a web browser and follow the link provided on
the page to access the Virtual Labs:
https://virtuallabs.juniper.net
If you are already logged into the Juniper Networks Partner Learning Academy or Partner
Center, you should already be logged into the Virtual Labs site. However, if you are not logged in
to the Learning Academy or Partner Center, a login screen will be presented, as shown below.
Once you have successfully logged in, you will be presented with the Course Management
homepage, which will look similar to the image shown below.
Find the lab you wish to enter from amongst the tiles presented in the Courses Catalog on the
Course Management homepage. You can use Search courses in the upper left of the
screen if needed. In the default view the courses are presented as tiles, as shown in the first
image below. You can also click List, located on the right of the blue menu bar, to display the
course tiles as an alphabetized list, as shown in the second image below.
Clicking on a tile's image will show you a high-level diagram of the lab topology (use the back
button on your browser to return to the Course Management page). For additional information
regarding a particular lab, click the More Info link. When you are ready to enter the lab
environment, click the Reserve button.
Once you are on this lab environment page and setup is finished, you can begin the lab
exercises available in the lab guide for the selected course (you should begin with Lab 1 and
sequentially work through the lab exercises). A timer in the blue menu bar will show you how
much time you have left in your reservation to complete the lab exercises.
Step 3.3
When you are ready to leave the lab environment, click the END icon located on the right side
of the blue menu bar, as shown in the image below. The environment will go into a Teardown
process. You can leave the lab environment page while the Teardown process is occurring.
Step 3.5
Upon clicking OK, the lab environment will begin the configuration teardown/reset process,
your reservation timer will end, and the lab environment you were using will be released.
The Course Management menu in the upper left of the screen provides a drop-down menu so
that you can return to the Courses page if you want to start another course, or you can go to
the Reservations page. The Reservations page, shown in the first image below, shows a history
of the vLabs you have accessed.
You can log out of the Virtual Lab site from either the Course Management, Reservations, or lab
environment pages by clicking on your user name in the upper right of the screen and selecting
Exit Virtual Labs from the drop-down menu, as shown in the second image below.
Lab 1
Logging In to Junos Space
Overview
In this lab, you will log into the Junos Space graphical user interface (GUI) and view its
basic components. You will log into the platform architecture and verify the platform
version information. You will also verify what applications are currently installed.
By completing this lab, you will perform the following tasks:
Log in to the Junos Space GUI;
Verify the Junos Space platform version; and
Verify what applications are installed on the Junos Space platform.
In this lab part, you will use a Web browser from Host 1 to access and log into Junos
Space.
Step 1.1
Lab 0 provided instructions regarding entering a lab environment. The lab
environment setup process for Junos Space Security Director Overview can take up
to 15 minutes to complete. The tiles will appear one by one in the lab environment
as setup progresses. The blue menu bar will provide status, and the green Setup
icon will change to Active when the setup process is complete. You will also see
green Online circles on the individual tiles once they are online and ready.
When the setup process has finished, the lab environment page will appear similar
to the first image shown below.
To begin this lab part, open a Windows desktop session by hovering the mouse
pointer over the tile titled desktop.pvirtspaX.sv (X will be a numeric value,
dependent on the kit you are given). From the desktop tile menu that appears, move
the mouse pointer over the Action icon (a downward pointing triangle icon) and
select Virtual_Console from the menu that appears, as shown in the second
image below.
Step 1.2
A new browser tab will open, displaying a Windows desktop. Select Student as the
user and enter lab123 as the password. The desktop (Host 1) will be displayed as
shown in the image below. Do not close any tabs until instructed to do so.
Step 1.4
The lab uses self-signed certificates for HTTPS; therefore, when you see the message
shown below, you can safely click I Understand the Risks.
The image will then expand to the image shown below. You can safely click the Add
Exception... button to continue.
Step 1.6
You will then be presented with the Junos Space login screen. Log into Junos Space
as user super with the password 123lab.
Step 1.7
If not already activated, you will need to activate Adobe Flash to view the Junos
Space desktop. Click on Activate Adobe Flash within the System Health
window on the Junos Space dashboard.
Junos Space Security Director Overview
In this lab part, you will verify the licensing and application information of the Junos
Space platform.
Step 2.1
Now that you have logged in to Junos Space, the first display you see is the
Network Application Platform user interface (hereafter called the
Platform) as shown in the following screen capture.
Step 2.2
Familiarize yourself with the three parts to the user interface: the task tree to the
left, the main dashboard window on the right, and the banner across the top which
offers the date, time, and several icon buttons for frequently used actions. The
question mark icon is the Help application which provides access to
context-sensitive workspace help. The check mark icon displays the My Jobs
dialog box from which you can view the progress and status of current managed
jobs. Next is a gear icon which displays the User Preferences dialog box from
which you can change user preferences, such as the password. Finally, there is a
right-pointing arrow icon which you use to Log Out of the system. A closer look at
the icons on the right of the banner is shown below.
Step 2.3
Click the question mark icon in the banner to access the Help application. Next,
click the plus icon (+) at the lower right corner of the Help application to open the
About box and then answer the following question.
In this lab part, you will determine what applications are currently installed on the
Junos Space platform.
Do not close any lab environment browser tabs. You will return for Lab 2.
STOP You have completed Lab 1. Please return to the course and complete
the next section.
Lab 2
Overview
This lab introduces you to the Security Director application of Junos Space. You will
explore, create, and deploy virtual private network (VPN) policies.
By completing this lab, you will perform the following tasks:
Log in to the Junos Space graphical user interface (GUI).
Implement device discovery.
Create and deploy VPN policies.
In this lab part, you will again use a Web browser from Host 1 to access and log in to
Junos Space.
Step 1.1
Again, from the Host 1 desktop, double-click the Firefox Web Browser icon to
access the Junos Space login screen.
Step 1.2
Log in to Junos Space, using super as the username and 123lab as the
password.
In this lab part, you will perform device discovery. You will use device discovery to
add devices to Junos Space. Discovery is the process of finding a device and then
synchronizing the device inventory and configuration with the Junos Space
database. To use device discovery, Junos Space must be able to connect to the
device. Device discovery is a three-step process in which you specify target devices,
a probe method (ping, SNMP, both, or none), and, optionally, credentials to connect
to each device.
The Discover Targets dialog box displays the addresses of the configured
device targets.
When both the Use Ping and Use SNMP check boxes are selected (the default),
Junos Space can discover the target device more quickly if the device is pingable
and SNMP is enabled on the device.
For this lab, we will accept the default and leave both boxes checked, then click
Next to move to the Specify Credentials dialog box.
The Specify Credentials dialog box appears.
Step 2.4
The Add Device Login Credential box appears. Enter lab as the
username and lab123 as the password. Enter the password a second time to
confirm it, then click the Add button.
The Discovery Status dialog box shows the progress of discovery in real time.
You can click a bar in the chart to view information about the devices currently
managed or discovered, or for which discovery failed. The example above shows the
completed process with two managed devices.
Note
Within this lab environment, you might receive an error in
which one device fails to reach the Managed state. When this
issue occurs, repeat the device discovery process. To do this,
select Discover Targets again in the left task pane, click
Next in the Discover Targets window that appears, click
Next in the Specify Probes window, then click
Discover in the Specify Credentials window. In a
moment, the second device will be discovered and enter
the managed state. You can then continue to the next step.
Note
If you would like to view device discovery
details, you can select View Detailed
Report. The report displays the IP
address, hostname, and discovery status
for discovered devices.
In this lab part, you will explore how to deploy IP Security (IPsec) VPNs using Security
Director.
Step 3.1
Now that the discovery process is complete, minimize the Junos Space browser
window. (Do not close the browser window; you will be coming back to Junos Space
later in this lab.) Next, you will open a Terminal window on the Host 1 desktop.
From the Terminal window on Host 1, ping Host 2 (172.16.20.100) using the
command shown below. Host 2 connects directly to srxA-2.
Note
To open a terminal window on the Host 1
desktop, you simply double-click the
Terminal icon on the desktop.
Step 3.2
Issue a traceroute to the Host 2 address (172.16.20.100) to determine where the
IP connectivity breaks down.
[lab@K01-Host1-LP ~]$ traceroute 172.16.20.100
traceroute to 172.16.20.100 (172.16.20.100), 30 hops max, 40 byte packets
1 172.16.10.1 (172.16.10.1) 0.306 ms 0.080 ms 0.079 ms
2 * * *
3 * * *
...OUTPUT TRIMMED...
29 * * *
30 * * *
[lab@desktop ~]$
Step 3.3
Return to the open Web browser that is running Junos Space. You might have to log
back into Junos Space if you have been logged out due to inactivity.
From Junos Space, open the drop-down menu above the task tree on the left side of
the screen. Click on Security Design to open the application.
Step 3.5
Leave the rest of the settings at their default values, scroll down to the bottom of the
screen and click Next. The available devices are displayed.
Step 3.7
For Tunnel Settings, select Numbered, and configure the IPsec tunnel to use
the 192.168.0.0/24 prefix for the st0 interfaces. Then, under Route
Settings, use Static Routing to direct the traffic into the tunnel.
Step 3.9
Select the Untrust zone as the Tunnel Zone (left-click once in the area below
Tunnel Zone, select Untrust from the Select Existing drop-down menu,
then click Ok).
Step 3.10
Last, select the Trust zone as the Protected Network Zone (left-click once
in the area below Protected Network, click once on Trust and click the right
arrow to put it in the Selected column, then click OK).
Step 3.13
Click Finish at the bottom of the Create VPN dialog box to create the VPN.
Step 3.14
The H1-H2-Connectivity VPN now appears on the VPNs page. Examine the
VPNs page, but do not change anything. Be sure to click the links in the Modify
field that are at the top of the VPN page (General Settings, Device
Association, and Tunnel/Route Settings). Use Cancel to close each
window that appears. After doing so, answer the questions presented following
these sample screen shots.
Step 3.15
Next, you will publish the VPN. Click Publish VPN from the task tree in the left
pane. Select the H1-H2-Connectivity VPN that you just created by checking
the box (notice the Not Published state), and click Next.
Step 3.16
The Affected Devices page now appears. Click the View link for the
srxA-1 device to inspect the new VPN configuration in command-line interface (CLI)
commands.
Note
The IP address and unit number on the st0
interface might vary slightly from the
following screen capture.
Step 3.17
Click Close and inspect the Affected Devices page. When you are finished
examining the Affected Devices page, click Publish and Update at the
bottom of the page, then click OK on the pop-up window that appears.
lab@srxA-1>
Note
You might not see any output for the
command, or you might see output that
displays that the phase 1 tunnel is down.
Either way, phase 1 of the tunnel should
not establish.
Step 3.20
To begin troubleshooting the issue, attempt to ping the remote address of the tunnel
(10.11.11.2) from srxA-1. Refer to the lab diagram at the end of this lab guide to
view the lab topology.
lab@srxA-1> ping 10.11.11.2 rapid count 5
PING 10.11.11.2 (10.11.11.2): 56 data bytes
!!!!!
--- 10.11.11.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 4.967/5.779/6.023/0.407 ms
Note
The IP address and unit number on the st0
interface might vary slightly from the
previous CLI output.
Step 3.22
Open another terminal session on Host 1 by clicking on the Terminal icon on the
desktop. Issue the ping 172.16.20.100 -c 10 command to ping Host 2 ten
times.
[lab@desktop ~]$ ping 172.16.20.100 -c 10
PING 172.16.20.100 (172.16.20.100) 56(84) bytes of data.
64 bytes from 172.16.20.100: icmp_seq=2 ttl=62 time=7.17 ms
64 bytes from 172.16.20.100: icmp_seq=3 ttl=62 time=27.0 ms
64 bytes from 172.16.20.100: icmp_seq=4 ttl=62 time=23.2 ms
64 bytes from 172.16.20.100: icmp_seq=5 ttl=62 time=7.62 ms
64 bytes from 172.16.20.100: icmp_seq=6 ttl=62 time=7.10 ms
64 bytes from 172.16.20.100: icmp_seq=7 ttl=62 time=6.59 ms
64 bytes from 172.16.20.100: icmp_seq=8 ttl=62 time=6.14 ms
64 bytes from 172.16.20.100: icmp_seq=9 ttl=62 time=6.44 ms
64 bytes from 172.16.20.100: icmp_seq=10 ttl=62 time=4.67 ms
Step 3.23
Return to the open session with srxA-1. From the open session with srxA-1, check
the status of the phase 1 and phase 2 tunnels by issuing the show security
ike security-associations and the show security ipsec
security-associations commands. Then, examine the IPsec statistics by
issuing the show security ipsec statistics command.
lab@srxA-1> show security ike security-associations
Index    State  Initiator cookie  Responder cookie  Mode  Remote Address
2938285  UP     dcee7e3e12205503  3b046f4051a04244  Main  10.11.11.2
Note
If you waited too long from when the ping
packets were sent, the phase 2 tunnel
might have timed out (60 seconds). If you
see this behavior (no active tunnels), return
to the Host 1 device and issue the ping test
again. You do not have to wait for the ping
test to finish before trying the show
commands again on srxA-1.
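The checks in Steps 3.20 through 3.23 can be scripted. The following is an added example (not Juniper code) that parses the Linux ping output, the Junos ping summary line and the show security ike security-associations table in the form shown in this lab; the sample strings are copies of the lab output embedded for offline use, and the function names are the example's own.

```python
"""Parsers for the tunnel-verification output used in this lab.

Added example; not Juniper code. It turns the Linux ping output, the Junos
'ping rapid' output and the 'show security ike security-associations' table,
as printed in the lab, into pass/fail checks.
"""
import re

# Constructed samples copied from the lab's own command output.
LINUX_PING = """PING 172.16.20.100 (172.16.20.100) 56(84) bytes of data.
64 bytes from 172.16.20.100: icmp_seq=2 ttl=62 time=7.17 ms
64 bytes from 172.16.20.100: icmp_seq=3 ttl=62 time=27.0 ms
64 bytes from 172.16.20.100: icmp_seq=4 ttl=62 time=23.2 ms
64 bytes from 172.16.20.100: icmp_seq=5 ttl=62 time=7.62 ms
64 bytes from 172.16.20.100: icmp_seq=6 ttl=62 time=7.10 ms
64 bytes from 172.16.20.100: icmp_seq=7 ttl=62 time=6.59 ms
64 bytes from 172.16.20.100: icmp_seq=8 ttl=62 time=6.14 ms
64 bytes from 172.16.20.100: icmp_seq=9 ttl=62 time=6.44 ms
64 bytes from 172.16.20.100: icmp_seq=10 ttl=62 time=4.67 ms
"""

JUNOS_PING = """PING 10.11.11.2 (10.11.11.2): 56 data bytes
!!!!!
--- 10.11.11.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
"""

IKE_SA = """Index State Initiator cookie Responder cookie Mode Remote Address
2938285 UP dcee7e3e12205503 3b046f4051a04244 Main 10.11.11.2
"""


def linux_ping_missing(output, count):
    """Return the icmp_seq numbers (1..count) that never got a reply.

    The lab capture starts at seq 2: the first probe is commonly lost while
    the tunnel is still being negotiated on demand, so a single missing
    leading sequence number is expected rather than a fault.
    """
    seen = {int(m) for m in re.findall(r"icmp_seq=(\d+)", output)}
    return [seq for seq in range(1, count + 1) if seq not in seen]


def ping_loss_percent(output):
    """Parse the summary line of either Linux or Junos ping output.

    Linux prints '10 packets transmitted, 10 received, ...'; Junos prints
    '5 packets transmitted, 5 packets received, ...'. Returns None when the
    summary line is absent (for example, a trimmed capture).
    """
    m = re.search(r"(\d+) packets transmitted, (\d+) (?:packets )?received", output)
    if not m:
        return None
    sent, received = int(m.group(1)), int(m.group(2))
    return 100.0 * (sent - received) / sent if sent else None


def parse_ike_sas(output):
    """Parse the table printed by 'show security ike security-associations'.

    Data rows have exactly six whitespace-separated fields and start with the
    numeric index; the header row has more tokens ('Initiator cookie' etc.
    contain spaces) and is therefore skipped.
    """
    sas = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) == 6 and fields[0].isdigit():
            sas.append({
                "index": int(fields[0]),
                "state": fields[1],
                "initiator_cookie": fields[2],
                "responder_cookie": fields[3],
                "mode": fields[4],
                "remote": fields[5],
            })
    return sas


def phase1_up(output, remote):
    """True if an IKE (phase 1) SA to 'remote' is in state UP.

    Empty output, which the lab notes you may see before interesting traffic
    has triggered negotiation, simply yields False.
    """
    return any(sa["remote"] == remote and sa["state"] == "UP"
               for sa in parse_ike_sas(output))


if __name__ == "__main__":
    print("lost seqs:", linux_ping_missing(LINUX_PING, 10))   # [1]
    print("junos loss %:", ping_loss_percent(JUNOS_PING))     # 0.0
    print("phase 1 up:", phase1_up(IKE_SA, "10.11.11.2"))     # True
```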
Note
Do not exit the lab environment. Lab 3
needs to build off of what you have
configured in Lab 2. Do not close any
windows or tabs.
STOP You have completed Lab 2. Please return to the course and complete
the next section.
Lab 3
Creating and Deploying Firewall Policies
Overview
In this lab, you will explore, create, and deploy firewall policies using Junos Space Security
Director. You will then explore how to create policy snapshots, which allow you to compare,
roll back, and delete policy versions.
By completing this lab, you will perform the following tasks:
Create and deploy firewall policies.
Explore policy versioning.
This lab builds on the configuration created in Lab 2. If you have completed Lab 2
and have not exited the lab environment, then please skip Part 1 and move on to
Part 2. Part 1 explains again how to log in to Junos Space and perform device
discovery.
Step 1.1
From the Host 1 desktop, double-click the Firefox Web Browser icon to access
the Junos Space login screen again.
Step 1.2
Log in to Junos Space, using super as the username and 123lab as the
password.
The Discover Targets dialog box displays the addresses of the configured
device targets.
When both the Use Ping and Use SNMP check boxes are selected (the default),
Junos Space can discover the target device more quickly if the device is pingable
and SNMP is enabled on the device.
For this lab, we will accept the default and leave both boxes checked, then click
Next to move to the Specify Credentials dialog box.
The Specify Credentials dialog box appears.
Step 1.6
The Add Device Login Credential box appears. Enter lab as the
username and lab123 as the password. Enter the password a second time to
confirm it, then click the Add button.
The Discovery Status dialog box shows the progress of discovery in real time.
Click a bar in the chart to view information about the devices currently managed or
discovered, or for which discovery failed. The example above shows the completed
process with two managed devices.
Note
Within this lab environment, you might receive an error in
which one device fails to reach the Managed state. When this
issue occurs, repeat the device discovery process. To do this,
select Discover Targets again in the left task pane, click
Next in the Discover Targets window that appears, click
Next in the Specify Probes window, then click
Discover in the Specify Credentials window. In a
moment, the second device will be discovered and you
can continue to the next step.
In this lab part, you will explore how to configure security policies on the SRX Series
devices using Security Director.
Step 2.1
Minimize the Junos Space browser window if necessary and go to the Terminal
session you previously opened to srxA-1. If you need to open the connection again,
open a new Terminal session using the icon on the desktop. SSH to srxA-1 as shown
below. If asked for authentication, log in using user lab and the password lab123.
The management address for srxA-1 is 10.233.255.1.
[lab@K01-HOST1-LP ~]$ ssh 10.233.255.1
Warning: Permanently added '10.233.255.1' (RSA) to the list of known hosts.
lab@10.233.255.1's password:
--- JUNOS 12.1X44-D10.4 built 2013-01-08 05:52:29 UTC
lab@srxA-1>
Step 2.2
From the open session with the srxA-1, issue the show security zones and the
show security policies commands.
lab@srxA-1> show security zones
Step 2.3
Go to the other Terminal session you have open on the desktop or open a new
Terminal session if needed. SSH to srxA-2 as shown below. If asked for
authentication, log in using user lab and the password lab123. The management
address for srxA-2 is 10.233.255.2.
[lab@K01-HOST1-LP ~]$ ssh 10.233.255.2
Warning: Permanently added '10.233.255.2' (RSA) to the list of known hosts.
lab@10.233.255.2's password:
--- JUNOS 12.1X44-D10.4 built 2013-01-08 05:52:29 UTC
lab@srxA-2>
Step 2.4
From the open session with the srxA-2, issue the show security zones and the
show security policies commands.
lab@srxA-2> show security zones
Step 2.5
Return to the open Web browser that is running Junos Space. You may need to log in
again due to inactivity. Use super as the username, and 123lab as the password.
Step 2.7
In the task tree on the left side, click the plus sign (+) next to Firewall Policy
and then click the Create Policy link to begin creating a new firewall policy.
Step 2.11
Examine the Policies window on the left.
Step 2.12
Before you can edit a policy, you must lock it by clicking the lock icon, which is
available in the policy view toolbar. Select the Group-1 policy and then click the
Lock Policy for Edit icon to start editing the Group-1 policy. You can hold
more than one policy lock at a given time, so also lock the Group-2 and Group-3
policies.
A lock icon will appear in the Policies window on the left, next to each locked
policy, and the areas in the right pane that were previously grayed out will be made
available.
Note
If the locked policy is inactive for the set
timeout value (default 5 minutes), just 1
minute before the timeout interval expires,
a dialog box will appear to allow you to
extend the lock period. If the period expires
while you are working on the lab, reset the
lock as described previously.
Step 2.13
Create a pre rule and a post rule for the Group-1 firewall policy. Begin creating the
rules by clicking the Group-1 firewall policy object. Then, click the Create Pre
Rule and Create Post Rule links. Leave all of the values at their defaults and
click Save to create the rules. Then click Ok to proceed.
Step 2.14
Create a pre rule and a post rule for the Group-2 firewall policy. Begin creating the
rules by clicking the Group-2 firewall policy object. Then, click the Create Pre
Rule and Create Post Rule links. Leave all of the values at their defaults and
click Save to create the rules. Then click Ok to proceed.
Step 2.15
Create a pre rule and a post rule for the Group-3 firewall policy. Begin creating the
rules by clicking the Group-3 firewall policy object. Then, click the Create Pre
Rule and Create Post Rule links. Leave all of the values at their defaults and
click Save to create the rules. Then click Ok to proceed.
Step 2.16
Click the Publish Policy link in the far left task tree, then select the Group-1,
Group-2, and Group-3 firewall policies in the right panel by clicking the box to the
left of their names. A check mark will appear in the boxes. Ensure that all three
policies are checked. Click Next to proceed.
Step 2.17
Click View for srxA-1 to verify the configuration. You will get an error message.
Step 2.19
Click the Group-1 firewall policy object and change the source zone to Trust and
the destination zone to Untrust in the pre rules and post rules. Then, change the
Action on both rules to Permit. Click Save to save the changes to the rules.
Then click Ok to proceed.
Be sure to perform these changes for both the pre rules and post rules.
Step 2.20
Click the Group-2 firewall policy object and change the source zone to Trust and
the destination zone to Untrust in the pre and post rules. Then, change the
Action on both rules to Permit. Click Save to save the changes to the rules.
Then click Ok to proceed.
Be sure to perform these changes for both the pre rules and post rules.
Step 2.21
Click the Group-3 firewall policy object and change the source zone to Trust and
the destination zone to Untrust in the pre rules and post rules. Then, change the
Action on both rules to Permit. Click Save to save the changes to the rules.
Then click Ok to proceed.
Be sure to perform these changes for both the pre rules and post rules.
Step 2.23
Click View for srxA-1 to verify the configuration.
Step 2.25
Return to the open Terminal session with the srxA-1.
From the open session with the srxA-1, issue the show security policies
command.
Note
It might take a few moments for the
contents from the firewall policies to
appear on srxA-1.
Step 2.26
Currently, the default policy on the SRX Series devices is configured to allow any
traffic. This setting results in the SRX Series devices permitting all other traffic that
does not match the current security policies. Over the next few steps, you will
configure a firewall policy that changes this behavior on all devices.
Step 2.27
Click All Devices Policy in the Policies pane then click the Lock
Policy for Edit icon to begin editing. Click the plus sign (+) at the top of
the Policies page then click Create Pre Rule. Do this twice to create two
new pre rules.
Step 2.30
Click the View link for srxA-1 to examine the CLI configuration commands and to
ensure that the firewall policy validates on the selected devices. Click Close on the
Configuration for device window and click Publish and Update. Click
Ok on the dialog box that appears.
Step 2.31
Return to the open Terminal session with the srxA-1.
From the open session with the srxA-1, issue the show security policies
command.
Note
It might take a few moments for the
contents from the firewall policies to
appear on srxA-1.
Step 2.32
Return to the Junos Space platform you have open in a browser. You do not need to
be concerned with any firewall policy locks that might have expired.
Click All Devices Policy in the Policies pane then click the Lock
Policy for Edit icon if the lock has expired. You do not need to be concerned
with locks on any other policies. Right-click the pre rule whose context is from the
Trust zone to the Untrust zone. Next, select the Disable option.
Step 2.33
Click the Create Post Rule link and set the source zone value to Trust and
the destination zone value to Untrust. Leave all other values at their defaults.
Click Save to save your changes. Click Ok on the dialog box that appears.
Step 2.35
Return to the open Terminal session with the srxA-1.
From the Terminal session with the srxA-1, issue the show security policies
command.
Note
It might take a few moments for the
contents from the firewall policies to
appear on srxA-1.
Step 2.36
Return to the Junos Space platform you have open in the browser. You do not need to be
concerned with any firewall policy locks that might have expired.
From the task tree on the far left, click the plus sign (+) next to Firewall
Policy, then click the Prioritize Policies link. Next, examine the
Priority and Precedence window.
Step 2.37
Select the Group-3 policy and click Move Up until the Group-3 policy is more
preferred than the Group-1 policy. Click Save to save the changes. Click Ok on the
dialog box that appears.
Step 2.38
Click the Publish Policy link in the task tree.
Step 2.39
Select the Group-3 check box and click Next. Then, on the next page, click the
View link for srxA-1. Once Security Design validates the configuration changes,
click Close on the Configuration for device window. Then, click Publish
and Update. Click Ok on the dialog box that appears.
Step 2.40
Return to the open Terminal session with the srxA-1.
From the Terminal session with the srxA-1, issue the show security policies
command.
Note
It might take a few moments for the
contents from the firewall policies to
appear on srxA-1.
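To see why the permit-all default in Step 2.26 matters and what Prioritize Policies (Step 2.37) changes, here is an added example (not Security Director or Junos code) that models the lab's policies as a first-match rule list. The evaluation order, the rule names and the actions of the All Devices rules are assumptions made for the example, since the lab does not show them.

```python
"""First-match model of the zone-based firewall policies built in this lab.

Added example, not Security Director or Junos code. The evaluation order is
an assumption made for the example: All Devices pre rules, then each group
policy (pre rules, then post rules) in precedence order, then All Devices
post rules, and finally the device's default policy.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str
    action: str            # "permit" or "deny"
    enabled: bool = True   # Step 2.32 disables a rule rather than deleting it

    def matches(self, from_zone, to_zone):
        return (self.enabled and self.from_zone == from_zone
                and self.to_zone == to_zone)


@dataclass
class Policy:
    name: str
    pre_rules: list = field(default_factory=list)
    post_rules: list = field(default_factory=list)


def evaluation_order(all_devices, groups):
    """Flatten the policy set into the one ordered list a device walks."""
    order = list(all_devices.pre_rules)
    for group in groups:          # groups are given in precedence order
        order += group.pre_rules + group.post_rules
    order += all_devices.post_rules
    return order


def evaluate(rules, from_zone, to_zone, default_action):
    """Return (action, rule_name) of the first match, or the default policy."""
    for rule in rules:
        if rule.matches(from_zone, to_zone):
            return rule.action, rule.name
    return default_action, "default-policy"


def lab_policies(group3_first=False, group1_action="permit"):
    """Constructed policy set resembling the lab's state after Step 2.21.

    Group-1/2/3 each carry a Trust-to-Untrust pre rule and post rule (permit in
    Lab 2; Lab 3 changes Group-1 to deny). The All Devices rules are placeholders:
    the lab does not show their actions, so a disabled pre rule (Step 2.32) and
    a deny post rule (Step 2.33) are assumed here.
    """
    all_devices = Policy(
        "All Devices Policy",
        pre_rules=[Rule("AD-pre", "Trust", "Untrust", "deny", enabled=False)],
        post_rules=[Rule("AD-post", "Trust", "Untrust", "deny")],
    )
    groups = {}
    for n, action in (("Group-1", group1_action), ("Group-2", "permit"),
                      ("Group-3", "permit")):
        groups[n] = Policy(n,
                           pre_rules=[Rule(f"{n}-pre", "Trust", "Untrust", action)],
                           post_rules=[Rule(f"{n}-post", "Trust", "Untrust", action)])
    # Prioritize Policies (Step 2.37): Move Up puts Group-3 ahead of Group-1.
    precedence = (["Group-3", "Group-1", "Group-2"] if group3_first
                  else ["Group-1", "Group-2", "Group-3"])
    return evaluation_order(all_devices, [groups[n] for n in precedence])


def decide(from_zone, to_zone, default_action="permit", **knobs):
    """Evaluate one zone pair against the constructed lab policy set."""
    return evaluate(lab_policies(**knobs), from_zone, to_zone, default_action)


if __name__ == "__main__":
    # Step 2.26: with a permit-all default, traffic no rule covers is allowed.
    print(decide("Untrust", "Trust"))                         # ('permit', 'default-policy')
    print(decide("Untrust", "Trust", default_action="deny"))  # ('deny', 'default-policy')
    # Lab 3 flips Group-1 to deny; precedence decides whether Group-3's permit wins.
    print(decide("Trust", "Untrust", group1_action="deny"))   # ('deny', 'Group-1-pre')
    print(decide("Trust", "Untrust", group1_action="deny",
                 group3_first=True))                          # ('permit', 'Group-3-pre')
```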
In this lab part, you will explore policy versioning by comparing, rolling back, and
deleting firewall policies.
Step 3.1
Return to the Junos Space platform you have open in a browser. You do not need to
be concerned with any firewall policy locks that might have expired.
Next, create a version snapshot of the current Group-1 policy. From the
Policies area, right-click the Group-1 policy, and select Snapshot Policy.
Step 3.3
You can view or manage all available versions of a selected policy: you can view
differences between any two versions, roll back to a specific version, and delete
versions from the system.
Now that we have created a snapshot of the Group-1 firewall policy, let's alter and
republish the policy so we can see how to use versioning.
Click the Group-1 firewall policy object. Click the lock icon so you can edit the
policy. Next, change the Action from Permit to Deny, in the pre rules and post
rules. Click Save to save the changes to the rules. Then click Ok to proceed.
Be sure to perform these changes for both the pre rules and post rules.
Step 3.5
Click View for srxA-1 to verify the configuration.
Step 3.6
Click Close on the Configuration for device window, then click the
Publish and Update button at the bottom of the screen, and then click Ok on
the dialog box that appears.
Step 3.7
Next, create a snapshot of this new version of the Group-1 policy. From the
Policies area, right-click the Group-1 policy, and select Snapshot Policy.
Step 3.8
This time in the Comments field, enter the comment Group-1 Deny so we can
differentiate the snapshot. Click Create to take the snapshot. The Snapshot
Policy window appears, showing the status of the version as it is created. Click
Close on the Snapshot Policy window.
Step 3.9
Next, let's compare the two versions of the Group-1 policy.
From the Policies area, right-click the Group-1 policy, and select Manage
Snapshots. The Manage Versions window appears, showing all policy
versions.
Note
Note the additional snapshots in the list
that appears. During any policy publish,
Security Director takes an automatic
snapshot of the policy.
Step 3.10
Select the versions to be compared. For this lab, select the Group-1 Permit and
Group-1 Deny snapshots and click Compare. You can select only two versions at
a time to compare.
Step 3.11
A dialog box will appear that will give you the choice of which snapshot to compare
to which base version. The Swap button can be used to toggle the selection. For this
lab, accept the default. Click Compare.
Step 3.12
A Compare Versions progress window will briefly appear. Then the Compare
Versions results window appears, showing a comparison between the selected
versions.
Step 3.13
The Compare Versions results window can include the following areas:
Policy Property Changes: Shows policy changes for the modified rules
Rule Changes: Displays rules that are added, modified, or deleted
Column Changes: Shows the differences between the column contents for modified rules
Step 3.14
Click Close to exit the Compare Versions results window. Then click Close to
exit the Manage Versions: Group-1 window.
Step 3.17
A Service Summary window appears. From the Service Summary window,
click Next to view the OCR summary report window.
Note
The Action for the Group-1 policy is once
again Permit.
Step 3.19
Finally, you can also delete snapshot versions using Manage Snapshots.
Step 3.20
You can delete multiple versions at a time. For this lab, select version Group-1
Deny from the Manage Versions window, then click Delete.
Note
Note that this is the same Manage
Versions window as used in the compare
and rollback operations. You can delete,
rollback, or compare versions from this
window. The options available are
dependent on the number of policies you
select.
Step 3.21
The Delete Snapshot dialog box appears. Click Yes to confirm deletion of the
snapshot. The Manage Versions window is updated, showing the remaining
snapshot versions. Click Close to close the Manage Versions window.
Step 3.22
Use the logout icon in the upper right corner to log out of Junos Space.
You may now close the desktop browser, close the Terminal sessions, and then close
the tab for the lab desktop.
Next, you can end your lab reservation by clicking the End icon in the blue menu bar.
Confirm your desire to end the reservation by clicking Ok on the window that
appears. Your reservation will go into a Teardown process and your reservation will
be released.
You can move to the Courses or Reservations page, or click your username in the
upper right of the screen and select Exit Virtual Labs to exit the site.
STOP You have completed Lab 3. This concludes the lab portion of this
course. Please return to the course and complete the remainder of the
presentation.