
Junos Space Security Director

Technical Overview

Lab Guide

Worldwide Education Services

1133 Innovation Way


Sunnyvale, CA 94089
USA
408-745-2000
www.juniper.net

Course Number: PRTSD01


This document is produced by Juniper Networks, Inc.
This document or any part thereof may not be reproduced or transmitted in any form under penalty of law, without the prior written permission of Juniper
Networks, Inc.
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other
countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered
trademarks, or registered service marks are the property of their respective owners.
Junos Space Security Director Technical Overview Lab Guide, Revision A
Copyright 2015 Juniper Networks, Inc. All rights reserved.
Printed in USA.
Revision History:
April 2013.
The information in this document is current as of the date listed above.
The information in this document has been carefully verified and is believed to be accurate for software Release 12.2R1.3. Juniper Networks assumes no
responsibilities for any inaccuracies that may appear in this document. In no event will Juniper Networks be liable for direct, indirect, special, exemplary,
incidental, or consequential damages resulting from any defect or omission in this document, even if advised of the possibility of such damages.

Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
YEAR 2000 NOTICE
Juniper Networks hardware and software products do not suffer from Year 2000 problems and hence are Year 2000 compliant. The Junos operating system has
no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
SOFTWARE LICENSE
The terms and conditions for using Juniper Networks software are described in the software license provided with the software, or to the extent applicable, in an
agreement executed between you and Juniper Networks, or Juniper Networks agent. By using Juniper Networks software, you indicate that you understand and
agree to be bound by its license terms and conditions. Generally speaking, the software license restricts the manner in which you are permitted to use the Juniper
Networks software, may contain prohibitions against certain uses, and may state conditions under which the license is automatically terminated. You should
consult the software license for further details.
Document Conventions

CLI and GUI Text


Frequently throughout this course, we refer to text that appears in a command-line interface (CLI) or a graphical user
interface (GUI). To make the language of these documents easier to read, we distinguish GUI and CLI text from standard
text according to the following table.

Style: Franklin Gothic
Description: Normal text.
Usage Example: Most of what you read in the Lab Guide and Student Guide.

Style: Courier New
Description: Console text: screen captures (example: commit complete); noncommand-related syntax (example: Exiting configuration mode). GUI text elements: menu names and text field entry (example: Select File > Open, and then click Configuration.conf in the Filename text box).

Input Text Versus Output Text


You will also frequently see cases where you must enter input text yourself. Often these instances will be shown in the
context of where you must enter them. We use bold style to distinguish text that is input versus text that is simply
displayed.

Style: Normal CLI
Description: No distinguishing variant.
Usage Example: Physical interface:fxp0, Enabled

Style: Normal GUI
Description: No distinguishing variant.
Usage Example: View configuration history by clicking Configuration > History.

Style: CLI Input
Description: Text that you must enter.
Usage Example: lab@San_Jose> show route

Style: GUI Input
Description: Text that you must enter.
Usage Example: Select File > Save, and type config.ini in the Filename field.

Defined and Undefined Syntax Variables


Finally, this course distinguishes between regular text and syntax variables, and it also distinguishes between syntax
variables where the value is already assigned (defined variables) and syntax variables where you must assign the value
(undefined variables). Note that these styles can be combined with the input style as well.

Style: CLI Variable
Description: Text where the variable value is already assigned.
Usage Example: policy my-peers

Style: GUI Variable
Description: Text where the variable value is already assigned.
Usage Example: Click my-peers in the dialog.

Style: CLI Undefined
Description: Text where the variable's value is at the user's discretion, or text where the variable's value as shown in the lab guide might differ from the value the user must input according to the lab topology.
Usage Example: Type set policy policy-name. / ping 10.0.x.y

Style: GUI Undefined
Description: Text where the variable's value is at the user's discretion, or text where the variable's value as shown in the lab guide might differ from the value the user must input according to the lab topology.
Usage Example: Select File > Save, and type filename in the Filename field.

www.juniper.net Document Conventions v


Contents

Lab 0: Introduction to the Juniper Networks Virtual Lab   0-1
  Part 1: Accessing the Virtual Labs Homepage   0-2
  Part 2: Logging in to the Virtual Labs site   0-2
  Part 3: Entering and Exiting a Virtual Lab   0-3
  Part 4: Additional Information and Feedback   0-7

Lab 1: Logging In to Junos Space   1-1
  Part 1: Logging In to Junos Space   1-2
  Part 2: Verifying Version and Application Information   1-6
  Part 3: Verify Installed Applications   1-8

Lab 2: Creating and Deploying IPsec VPNs   2-1
  Part 1: Accessing the Lab Environment   2-2
  Part 2: Performing Device Discovery   2-2
  Part 3: Exploring IPsec VPNs   2-9

Lab 3: Creating and Deploying Firewall Policies   3-1
  Part 1: Performing Device Discovery   3-2
  Part 2: Exploring Firewall Policies   3-9
  Part 3: Policy Versioning   3-47

Appendix A: Lab Diagrams   A-1

Lab 0
Introduction to the Juniper Networks Virtual Lab

Overview
Lab 0 describes the basic procedures for accessing the Juniper Networks Virtual Lab (vLab)
environment using a standard Web browser.

The Purpose of the Virtual Labs

The vLabs help partners receive hands-on training through a virtual portal which is available
24 hours a day, 7 days a week. This is not a simulator, but live equipment to promote learning
and development for interested partners in association with the Juniper Networks Partner
Learning Academy.
The vLab exercises assist a student in becoming proficient at installing, configuring, and
troubleshooting Juniper products. The time needed to complete each course track and the
associated virtual lab exercises will vary. You will need your Juniper partner login to access the
virtual lab website.
Once logged in, access is granted on a first come, first served basis. The system will check to
see if the selected vLab has a lab environment available. If a vLab environment for the selected
lab is available, access is granted. If a vLab environment for the selected vLab is not available,
you will be asked to try again later. The vLabs are also available for dedicated instructor-led
courses on an as-needed basis.
Each of the vLab environments is duplicated multiple times, making it more likely that a vLab
environment will be available for you to use.

Note
We recommend that you read through Lab 0 prior to
starting your lab. The guide provides important
information regarding accessing the lab
environment and the lab exercises. Lab 0 is the
same for all vLabs.



Part 1: Accessing the Virtual Labs Homepage

The first step in accessing the vLabs is to go to the vLab website. To access the vLab website,
type or copy and paste the URL shown below into a web browser and follow the link provided on
the page to access the Virtual Labs:
https://virtuallabs.juniper.net

Part 2: Logging in to the Virtual Labs site

If you are already logged into the Juniper Networks Partner Learning Academy or Partner
Center, you should already be logged into the Virtual Labs site. However, if you are not logged in
to the Learning Academy or Partner Center, a login screen will be presented, as shown below.

Once you have successfully logged in, you will be presented with the Course Management
homepage, which will look similar to the image shown below.



Part 3: Entering and Exiting a Virtual Lab

Find the lab you wish to enter from amongst the tiles presented in the Courses Catalog on the
Course Management homepage. You can use Search courses in the upper left of the
screen if needed. In the default view the courses are presented as tiles, as shown in the first
image below. You can also click List, located on the right of the blue menu bar, to display the
course tiles as an alphabetized list, as shown in the second image below.
Clicking on a tiles image will show you a high-level diagram of the lab topology (use the back
button on your browser to return to the Course Management page). For additional information
regarding a particular lab, click the More Info link. When you are ready to enter the lab
environment, click the Reserve button.



Step 3.1
A RESERVE window which displays the time reserved for you to complete the lab exercises
(SCHEDULE field) will appear. The selected lab name is also displayed (NAME field). The
allotted time (typically 2 or 3 hours) should be more than adequate to complete the exercises,
but you can set the SCHEDULE time to a maximum of 4 hours if needed. The COURSE field
provides a drop down menu in case you want to select a different course.
Click the Reserve button to enter the lab environment for the selected lab.



Step 3.2
The lab environment for the course you selected will be displayed, similar to the image shown
below. The lab environment displays the main devices (represented as tiles) that comprise the
lab. The example below shows two tiles representing the MX Series routers in this particular
lab (mx1 and mx2), along with a virtual router tile (vr-device), and their associated
management IP addresses.
The initial configuration loaded on the devices is a base configuration needed to begin the
particular lab you have selected. Upon first entering the lab environment, a brief setup process
will initiate. The green Active icon on the blue menu bar will change to Setup and then back to
Active to signify the lab is ready to use.

Once you are on this lab environment page and setup is finished, you can begin the lab
exercises available in the lab guide for the selected course (you should begin with Lab 1 and
sequentially work through the lab exercises). A timer in the blue menu bar will show you how
much time you have left in your reservation to complete the lab exercises.

Step 3.3
When you are ready to leave the lab environment, click the END icon located on the right side
of the blue menu bar, as shown in the image below. The environment will go into a Teardown
process. You can leave the lab environment page while the Teardown process is occurring.



Step 3.4
Confirm your intent to leave the lab environment by clicking OK in the pop-up window that
appears.

Step 3.5
Upon clicking OK, the lab environment will begin the configuration teardown/reset process,
your reservation timer will end, and the lab environment you were using will be released.
The Course Management menu in the upper left of the screen provides a drop down menu so
that you can return to the Courses page if you want to start another course, or you can go to
the Reservations page. The Reservations page, shown in the first image below, shows a history
of the vLabs you have accessed.
You can logout of the Virtual Lab site from either the Course Management, Reservations, or lab
environment pages by clicking on your user name in the upper right of the screen and selecting
Exit Virtual Labs from the drop down menu, as shown in the second image below.



Part 4: Additional Information and Feedback

Virtual Lab Support:


If you have a question on, or issue with, the lab environment or this lab guide, please contact
Juniper University Support at:
JuniperUsupport@juniper.net
Feedback:
If you would like to provide feedback on ways we can improve your virtual lab experience,
please send an e-mail to elearning@juniper.net.

STOP: Be sure to view the appropriate section of the associated courseware before proceeding to Lab 1.



Lab 1
Logging In to Junos Space

Overview
In this lab, you will log into the Junos Space graphical user interface (GUI) and view its
basic components. You will log into the platform architecture and verify the platform
version information. You will also verify what applications are currently installed.
By completing this lab, you will perform the following tasks:
Log in to the Junos Space GUI;
Verify the Junos Space platform version; and
Verify what applications are installed on the Junos Space platform.



12.2R1.3
Junos Space Security Director Overview

Part 1: Logging In to Junos Space

In this lab part, you will use a Web browser from Host 1 to access and log into Junos
Space.
Step 1.1
Lab 0 provided instructions regarding entering a lab environment. The lab
environment setup process for Junos Space Security Director Overview can take up
to 15 minutes to complete. The tiles will appear one by one in the lab environment
as setup progresses. The blue menu bar will provide status, and the green Setup
icon will change to Active when the setup process is complete. You will also see
green Online circles on the individual tiles once they are online and ready.
When the setup process has finished, the lab environment page will appear similar
to the first image shown below.
To begin this lab part, open a Windows desktop session by hovering the mouse
pointer over the tile titled desktop.pvirtspaX.sv (X will be a numeric value,
dependent on the kit you are given). From the desktop tile menu that appears, move
the mouse pointer over the Action icon (a downward pointing triangle icon) and
select Virtual_Console from the menu that appears, as shown in the second
image below.




Step 1.2
A new browser tab will open, displaying a Windows desktop. Select Student as the
user and enter lab123 as the password. The desktop (Host 1) will be displayed as
shown in the image below. Do not close any tabs until instructed to do so.



Step 1.3
Double-click the Firefox Web Browser icon to open a web browser on the
desktop. When the browser window opens, notice that for convenience we have the
Junos Space login address for this lab, https://10.233.246.1/mainui, set
up as the homepage within the Firefox browser.

Step 1.4
The lab uses self-signed certificates for HTTPS; therefore, when you see the message shown below, you can safely click I Understand the Risks.

The warning will then expand to the dialog shown below. You can safely click the Add Exception... button to continue.



Step 1.5
On the Add Security Exception window that appears, leave all of the settings
as they are. You can safely click the Confirm Security Exception button to
proceed.

Step 1.6
You will then be presented with the Junos Space login screen. Log into Junos Space
as user super with the password 123lab.

Step 1.7
If not already activated, you will need to activate Adobe Flash to view the Junos
Space desktop. Click on Activate Adobe Flash within the System Health
window on the Junos Space dashboard.

Part 2: Verifying Version and Application Information

In this lab part, you will verify the licensing and application information of the Junos
Space platform.
Step 2.1
Now that you have logged in to Junos Space, the first display you see is the
Network Application Platform user interface (hereafter called the
Platform) as shown in the following screen capture.




Step 2.2
Familiarize yourself with the three parts to the user interface: the task tree to the
left, the main dashboard window on the right, and the banner across the top which
offers the date, time, and several icon buttons for frequently used actions. The
question mark icon is the Help application which provides access to
context-sensitive workspace help. The check mark icon displays the My Jobs
dialog box from which you can view the progress and status of current managed
jobs. Next is a gear icon which displays the User Preferences dialog box from
which you can change user preferences, such as the password. Finally, there is a
right pointing arrow icon which you use to Log Out of the system. A closer look at
the icons on the right of the banner is shown below.

Step 2.3
Click the question mark icon in the banner to access the Help application. Next,
click the plus icon (+) at the lower right corner of the Help application to open the
About box and then answer the following question.

Question: What information is displayed in the About box?

Answer: The About box displays brief information regarding licensing and the Junos Space release version.



Step 2.4
Close the Help application by clicking the >> icon in the upper right corner of the
application.

Part 3: Verify Installed Applications

In this lab part, you will determine what applications are currently installed on the
Junos Space platform.



Step 3.1
In the task tree on the left, click the plus sign (+) button next to Administration.
Next, click on the Manage Applications link that appears in the menu tree.

Question: Which applications are displayed on the page?

Answer: You should see the Network Application Platform, Security Design, Service Insight, and Service Now applications displayed.



Step 3.2
Log out of the Junos Space Web GUI using the Log Out icon at the far right of the
user interface banner, and close the desktop browser window.

Do not close any lab environment browser tabs. You will return for Lab 2.

STOP: You have completed Lab 1. Please return to the course and complete the next section.



Lab 2
Creating and Deploying IPsec VPNs

Overview
This lab introduces you to the Security Director application of Junos Space. You will
explore, create, and deploy virtual private network (VPN) policies.
By completing this lab, you will perform the following tasks:
Log in to the Junos Space graphical user interface (GUI).
Implement device discovery.
Create and deploy VPN policies.




Part 1: Accessing the Lab Environment

In this lab part, you will again use a Web browser from Host 1 to access and login to
Junos Space.
Step 1.1
Again, from the Host 1 desktop, double-click the Firefox Web Browser icon to
access the Junos Space login screen.

Step 1.2
Log in to Junos Space, using super as the username and 123lab as the
password.

Part 2: Performing Device Discovery

In this lab part, you will perform device discovery. You will use device discovery to
add devices to Junos Space. Discovery is the process of finding a device and then
synchronizing the device inventory and configuration with the Junos Space
database. To use device discovery, Junos Space must be able to connect to the
device. Device discovery is a three-step process in which you specify target devices,
a probe method (ping, SNMP, both, or none), and, optionally, credentials to connect
to each device.



Step 2.1
First, you must specify the device targets that you want Junos Space to discover.
From the main landing page, click the plus sign (+) next to Devices on the task
tree in the left pane. Then click the plus sign (+) next to Discover Devices.
Next, click the Discover Targets link, as shown in the figure below.

The Discover Targets dialog box appears.



You can add devices using either the CSV Upload button or the Add button, or
both together. You would use the CSV Upload feature to add devices in bulk. You
can add hundreds of devices to Junos Space by using a CSV file that contains
information extracted from an LDAP repository.
For this lab, click the green plus sign (+) button. The Add Device Target box
appears. Select the IP range radio button. For the IP range addresses, enter
the IP addresses of srxA-1 and srxA-2, 10.233.255.1 and 10.233.255.2, then
click the Add button.

The Discover Targets dialog box displays the addresses of the configured
device targets.



Step 2.2
In this step, you specify a probe method to connect to and discover the device
targets. Click the Next button in the Discover Targets dialog box to move to
the Specify Probes dialog box.
Note
You need to navigate through the Specify
Probes and Specify Credentials
dialog boxes before you click the Discover
button.

The Discover Probes dialog box appears.

When both the Use Ping and Use SNMP check boxes are selected (the default), Junos Space can discover the target device more quickly if the device is pingable and SNMP is enabled on the device.
For this lab, we will accept the default and leave both boxes checked. Then click Next to move to the Specify Credentials dialog box.
The Specify Credentials dialog box appears.



Step 2.3
As an option, you can specify an administrator name and password to establish the
SSH connection for each target device that you configured.
Click the green plus sign (+) Add button.

Step 2.4
The Add Device Login Credential box appears. Enter lab as the
username and lab123 as the password. Enter the password a second time to
confirm it, then click the Add button.



Step 2.5
An icon with the added username will appear in the Specify Credentials
dialog box. Click Discover to start the discovery job.



The Discovery Status dialog box appears.

The Discovery Status dialog box shows the progress of discovery in real time.
You can click a bar in the chart to view information about the devices currently
managed or discovered, or for which discovery failed. The example above shows the
completed process with two managed devices.
Note
Within this lab environment, you might receive an error in
which one device fails to reach the Managed state. When this
issue occurs, repeat the device discovery process. To do this,
select Discover Targets again in the left task pane, click
Next in the Discover Targets window that appears, click
Next in the Specify Probes window, then click
Discover in the Specify Credentials window. In a
moment, the second device will now be discovered and enter
the managed state. You can then continue to the next step.



Question: How many devices did Junos Space discover?

Answer: Junos Space should discover two devices, both of which are SRX Series devices.

Question: After the devices are discovered, does the status change?

Answer: The answer should be yes. Shortly after both SRX Series devices are discovered, the status should change from Discovered to Managed.

Note
If you would like to view device discovery
details, you can select View Detailed
Report. The report displays the IP
address, hostname, and discovery status
for discovered devices.

Part 3: Exploring IPsec VPNs

In this lab part, you will explore how to deploy IP Security (IPsec) VPNs using Security
Director.
Step 3.1
Now that the discovery process is complete, minimize the Junos Space browser
window. (Do not close the browser window, you will be coming back to Junos Space
later in this lab.) Next, you will open a Terminal window on the Host 1 desktop.
From the Terminal window on Host 1, ping Host 2 (172.16.20.100) using the
command shown below. Host 2 connects directly to srxA-2.
Note
To open a terminal window on the Host 1
desktop, you simply double-click the
Terminal icon on the desktop.

[lab@desktop ~]$ ping 172.16.20.100 -c 5
PING 172.16.20.100 (172.16.20.100) 56(84) bytes of data.

--- 172.16.20.100 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 3998ms



Question: What are the results from the ping test?

Answer: The ping test reveals that Host 1 does not have IP connectivity to Host 2.

Step 3.2
Issue a traceroute to the Host 2 address (172.16.20.100) to determine where the
IP connectivity breaks down.
[lab@K01-Host1-LP ~]$ traceroute 172.16.20.100
traceroute to 172.16.20.100 (172.16.20.100), 30 hops max, 40 byte packets
1 172.16.10.1 (172.16.10.1) 0.306 ms 0.080 ms 0.079 ms
2 * * *
3 * * *
...OUTPUT TRIMMED...
29 * * *
30 * * *
[lab@desktop ~]$

Question: What are the results of the traceroute test?

Answer: The results from the traceroute test reveal that the routers that reside in the Internet cloud do not have the routing information to reach the source address of Host 1.

Question: Could setting up source NAT on srxA-1 resolve the connectivity issue?

Answer: Implementing source NAT on srxA-1 could possibly fix the connectivity problem that is occurring between Host 1 and the routers in the Internet cloud, but it more than likely would not fix the connectivity problems between Host 1 and Host 2. The connectivity issue between Host 1 and Host 2 remains because the routers in the Internet cloud do not have routing information to the 172.16.20.100 address.
Question: Could setting up an IPsec VPN between srxA-1 and srxA-2 resolve the connectivity issue?

Answer: Yes. Setting up an IPsec VPN between srxA-1 and srxA-2 can facilitate connectivity between Host 1 and Host 2.

Step 3.3
Return to the open Web browser that is running Junos Space. You might have to log
back into Junos Space if you have been logged out due to inactivity.
From Junos Space, open the drop-down menu above the task tree on the left side of
the screen. Click on Security Design to open the application.

The Security Design dashboard appears in the right pane.



Step 3.4
In the task tree on the left side, click the plus sign (+) next to VPN and then click the
Create VPN link to begin creating a new IPsec VPN. The Create VPN screen
appears. Next, name this VPN H1-H2-Connectivity (no spaces) and give it an
appropriate description.

Question: What value do the Internet Key Exchange (IKE) phase 1 negotiations use for the preshared key?

Answer: By default, Security Director selects the Auto-generate radio button. This selection means that the value that the preshared key contains is randomly generated, but it is the same for both end points.

Step 3.5
Leave the rest of the settings at their default values, scroll down to the bottom of the
screen and click Next. The available devices are displayed.



Step 3.6
Select srxA-1 and srxA-2 and add them as end points for the VPN using the Add
as Endpoint button in the center, and then click Next.

Step 3.7
For Tunnel Settings, select Numbered, and configure the IPsec tunnel to use
the 192.168.0.0/24 prefix for the st0 interfaces. Then, under Route
Settings, use Static Routing to direct the traffic into the tunnel.



Step 3.8
Under the Global Settings area at the bottom of the Create VPN dialog box,
select the ge-0/0/1.0 interface as the External Interface (left-click once in the
area below External Interface, then select the interface from the menu).

Step 3.9
Select the Untrust zone as the Tunnel Zone (left-click once in the area below
Tunnel Zone, select Untrust from the Select Existing drop-down menu,
then click Ok).

Step 3.10
Last, select the Trust zone as the Protected Network Zone (left-click once
in the area below Protected Network, click once on Trust and click the right
arrow to put it in the Selected column, then click OK).



Step 3.11
Click Next at the bottom of the Create VPN dialog box to continue.

Question: What options are available for zone selection?

Answer: When selecting a zone, you have the option to select a preconfigured zone or you can create a new zone.



Step 3.12
Configure the srxA-2 device to use a new zone named VPN as the tunnel zone
(left-click in the area below the Tunnel Zone on the srxA-2 row which currently
reads Untrust, select Create New, name it VPN, then click Ok).

Step 3.13
Click Finish at the bottom of the Create VPN dialog box to create the VPN.

Question: Is the new VPN configuration present on the srxA-1 and srxA-2 devices?

Answer: No. You must publish the new VPN to the devices with VPN policy before the VPN configuration becomes active on the srxA-1 and srxA-2 devices.

Step 3.14
The H1-H2-Connectivity VPN now appears on the VPNs page. Examine the
VPNs page, but do not change anything. Be sure to click the links in the Modify
field that are at the top of the VPN page (General Settings, Device
Association, and Tunnel/Route Settings). Use Cancel to close each
window that appears. After doing so, answer the questions presented following
these sample screen shots.

General Settings dialog box:

Device Association dialog box:

Tunnel/Route Settings dialog box:

Question: How can you change the external interface that the VPN uses for a
device?

Answer: You can click the External Interface cell for the necessary device,
and then you can select a different interface to use as the external
interface.

Question: Where can you change the VPN profile?

Answer: You can change the VPN profile by clicking the General Settings link
and adjusting the VPN Profile drop-down box.

Question: Where can you change the routing method for the VPN?

Answer: You can change the routing method for the VPN by clicking the
Tunnel/Route Settings link and selecting a different routing option.

Question: How can you change the tunnel interface
zone placement?

Answer: You can click the Tunnel Zone cell for the necessary device. Then, you
can select, or create, a different zone for the tunnel interface.

Step 3.15
Next, you will publish the VPN. Click Publish VPN from the task tree in the left
pane. Select the H1-H2-Connectivity VPN that you just created by checking
the box (notice the Not Published state), and click Next.

Step 3.16
The Affected Devices page now appears. Click the View link for the
srxA-1 device to inspect the new VPN configuration in command-line interface (CLI)
commands.

Note
The IP address and unit number on the st0
interface might vary slightly from the
following screen capture.

Question: What new service is enabled under the ge-0/0/1 interface?

Answer: The CLI commands show that the ge-0/0/1 interface is now accepting IKE
packets.

Question: To which address are the IKE packets sent?

Answer: The CLI shows that phase 1 is configured to send IKE packets to the
10.11.11.2 address.

Question: Does the configuration change facilitate
the communication with the 10.11.11.2 address?

Answer: No. This configuration change only provides routing information for the
172.16.20/24 prefix. Other routing information must be in place to facilitate
the communication with the 10.11.11.2 address.

Step 3.17
Click Close and inspect the Affected Devices page. When you are finished
examining the Affected Devices page, click Publish and Update at the
bottom of the page, then click OK on the pop-up window that appears.

Question: What is the difference between the Publish and the Publish and Update
buttons?

Answer: The Publish button only publishes the VPN. Then, you can review any
pending updates, from other elements of Security Director, and deploy those
updates in the Security Design Devices workspace. The Publish and Update button
publishes the VPN and updates the managed devices with the resulting
configuration.

Question: How can using the Publish button save time?

Answer: If you are working with multiple elements of Security Director, such as
firewall policies, VPN configurations, NAT policies, and intrusion prevention
system (IPS) management, you can publish all of the changes, review them, and
update all of the devices in one place.

Step 3.18
Minimize the Junos Space browser window and go to the Terminal session you
previously opened (or open a new Terminal session using the icon on the desktop.)
SSH to srxA-1. If asked for authentication, log in using user lab and the password
lab123. The management address for srxA-1 is 10.233.255.1.
[lab@desktop ~]$ ssh 10.233.255.1
Warning: Permanently added '10.233.255.1' (RSA) to the list of known hosts.
lab@10.233.255.1's password:
--- JUNOS 12.1X44-D10.4 built 2013-01-08 05:52:29 UTC
lab@srxA-1>
Step 3.19
Examine the IKE security associations (SAs) by issuing the show security ike
security-associations command.
lab@srxA-1> show security ike security-associations

lab@srxA-1>

Note
You might not see any output for the
command, or you might see output that
displays that the phase 1 tunnel is down.
Either way, phase 1 of the tunnel should
not establish.

Step 3.20
To begin troubleshooting the issue, attempt to ping the remote address of the tunnel
(10.11.11.2) from srxA-1. Refer to the lab diagram at the end of this lab guide to
view the lab topology.
lab@srxA-1> ping 10.11.11.2 rapid count 5
PING 10.11.11.2 (10.11.11.2): 56 data bytes
!!!!!
--- 10.11.11.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 4.967/5.779/6.023/0.407 ms

Question: What does the ping test reveal?

Answer: The ping test reveals that the remote end of the tunnel is reachable.

Step 3.21
Examine the IKE and IPsec configurations on srxA-1 by issuing the show
configuration security ike and show configuration security
ipsec commands.
Note
If you do not see any IKE- or IPsec-related
configuration, the VPN policy might be
stuck in the published state on the
Junos Space device. If you are experiencing
this problem, return to the Junos Space
device and repeat steps 3.4 through 3.14.

lab@srxA-1> show configuration security ike
policy srxA-2_H1-H2-Connectivity {
    mode main;
    proposal-set standard;
    pre-shared-key ascii-text "$9$jEikPzF/9tuF3lKWLN-bs2oUjfTzAuOF3reMW-ds24aZjPfzF/CTQ9pB1yrYg4ZHqTQntpBDiBIREyrWLx7s2oaUjqm8XZUikTQFn/AO1yrvLX-MWaZ"; ## SECRET-DATA
}
gateway srxA-2_H1-H2-Connectivity {
    ike-policy srxA-2_H1-H2-Connectivity;
    address 10.11.11.2;
    dead-peer-detection {
        interval 10;
        threshold 5;
    }
    nat-keepalive 5;
    external-interface ge-0/0/1.0;
}

lab@srxA-1> show configuration security ipsec
policy H1-H2-Connectivity {
    proposal-set standard;
}
vpn srxA-2_H1-H2-Connectivity {
    bind-interface st0.1;
    ike {
        gateway srxA-2_H1-H2-Connectivity;
        idle-time 60;
        no-anti-replay;
        ipsec-policy H1-H2-Connectivity;
        install-interval 1;
    }
}

Note
The IP address and unit number on the st0
interface might vary slightly from the
previous CLI output.

Question: After examining the configuration outputs, what do you think would
cause the IPsec tunnels to not establish immediately?

Answer: By default, an IPsec tunnel only attempts to establish when traffic is
present that must pass through the tunnel. To change this behavior, the
establish-tunnels immediately command must be added to the VPN.

Step 3.22
Open another terminal session on Host 1 by clicking on the Terminal icon on the
desktop. Issue the ping 172.16.20.100 -c 10 command to ping Host 2 ten
times.
[lab@desktop ~]$ ping 172.16.20.100 -c 10
PING 172.16.20.100 (172.16.20.100) 56(84) bytes of data.
64 bytes from 172.16.20.100: icmp_seq=2 ttl=62 time=7.17 ms
64 bytes from 172.16.20.100: icmp_seq=3 ttl=62 time=27.0 ms
64 bytes from 172.16.20.100: icmp_seq=4 ttl=62 time=23.2 ms
64 bytes from 172.16.20.100: icmp_seq=5 ttl=62 time=7.62 ms
64 bytes from 172.16.20.100: icmp_seq=6 ttl=62 time=7.10 ms
64 bytes from 172.16.20.100: icmp_seq=7 ttl=62 time=6.59 ms
64 bytes from 172.16.20.100: icmp_seq=8 ttl=62 time=6.14 ms
64 bytes from 172.16.20.100: icmp_seq=9 ttl=62 time=6.44 ms
64 bytes from 172.16.20.100: icmp_seq=10 ttl=62 time=4.67 ms

--- 172.16.20.100 ping statistics ---
10 packets transmitted, 9 received, 10% packet loss, time 9008ms
rtt min/avg/max/mdev = 4.675/10.673/27.064/7.826 ms

Question: What is the result of the ping test?

Answer: The ping test shows that 9 out of 10 packets successfully made it to
Host 2 and back to Host 1.

Question: Why did the one ping packet fail to
return?

Answer: It took the one ping packet to alert srxA-1 that traffic needs to go
through the IPsec VPN. Then, srxA-1 discarded the packet and set up the VPN
between itself and srxA-2.

Step 3.23
Return to the open session with srxA-1. From the open session with srxA-1, check
the status of the phase 1 and phase 2 tunnels by issuing the show security
ike security-associations and the show security ipsec
security-associations commands. Then, examine the IPsec statistics by
issuing the show security ipsec statistics command.
lab@srxA-1> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
2938285 UP     dcee7e3e12205503  3b046f4051a04244  Main           10.11.11.2

lab@srxA-1> show security ipsec security-associations
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon vsys Port  Gateway
  <131073 ESP:3des/sha1 3b9eb927 3579/ unlim   -   root 500   10.11.11.2
  >131073 ESP:3des/sha1 f86c0459 3579/ unlim   -   root 500   10.11.11.2

lab@srxA-1> show security ipsec statistics
ESP Statistics:
  Encrypted bytes:             1224
  Decrypted bytes:              756
  Encrypted packets:              9
  Decrypted packets:              9
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0

Note
If you waited too long from when the ping
packets were sent, the phase 2 tunnel
might have timed out (60 seconds). If you
see this behavior (no active tunnels), return
to the Host 1 device and issue the ping test
again. You do not have to wait for the ping
test to finish before trying the show
commands again on srxA-1.

Question: What are the statuses of the phase 1 and phase 2 security
associations?

Answer: The IKE and IPsec security associations are present and functional.

Question: How can you verify that the ping packets passed through the IPsec
tunnel?

Answer: As shown in the previous output, the ping and traceroute tests should
be successful.
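The two questions above ask how to confirm that both phases are up and that the pings really crossed the tunnel. The following script is an added example, not part of the lab guide or of Junos Space: it parses the three command outputs from Step 3.23 (copied from the transcript, re-indented) together with a constructed all-zero baseline, and checks that the ESP packet counters grew by the number of echo replies Host 1 received; the function names are the author's own.

```python
"""Confirm that Host 1's pings were carried by the srxA-1 <-> srxA-2 IPsec tunnel.

Added example; not part of the lab guide and not Junos Space code. It parses the
text of the three operational commands from Step 3.23 and checks that the ESP
packet counters grew by the number of echo replies Host 1 received. The three
AFTER outputs are copied from the lab transcript; STATS_BEFORE is constructed.
"""
import re

PEER = "10.11.11.2"     # remote IKE gateway from the lab topology
ECHO_REPLIES = 9        # Step 3.22: 10 echo requests sent, 9 replies received

IKE_SA_OUTPUT = """\
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
2938285 UP     dcee7e3e12205503  3b046f4051a04244  Main           10.11.11.2
"""

IPSEC_SA_OUTPUT = """\
  Total active tunnels: 1
  ID    Algorithm       SPI      Life:sec/kb  Mon vsys Port  Gateway
  <131073 ESP:3des/sha1 3b9eb927 3579/ unlim   -   root 500   10.11.11.2
  >131073 ESP:3des/sha1 f86c0459 3579/ unlim   -   root 500   10.11.11.2
"""

STATS_AFTER = """\
ESP Statistics:
  Encrypted bytes:             1224
  Decrypted bytes:              756
  Encrypted packets:              9
  Decrypted packets:              9
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
"""
# Constructed baseline: the same counters as they would read before the ping test.
STATS_BEFORE = re.sub(r"\d+", "0", STATS_AFTER)


def ike_phase1_up(text, peer):
    """True if 'show security ike security-associations' lists an UP SA to peer."""
    for line in text.splitlines():
        f = line.split()
        # Data rows start with a numeric index; the header row does not.
        if len(f) >= 6 and f[0].isdigit() and f[1] == "UP" and f[-1] == peer:
            return True
    return False


def ipsec_sa_directions(text, peer):
    """Return the ESP SA directions present for peer: '<' inbound, '>' outbound."""
    dirs = set()
    for line in text.splitlines():
        f = line.split()
        if f and f[0][0] in "<>" and f[0][1:].isdigit() and f[-1] == peer:
            dirs.add(f[0][0])
    return dirs


def section_counters(text):
    """Parse 'show security ipsec statistics' into {section: {counter: value}}."""
    counters, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":") and not any(ch.isdigit() for ch in line):
            section = line[:-1]          # ESP Statistics / AH Statistics / Errors
            counters[section] = {}
        elif section is not None:
            # One line may carry several pairs: "Bad headers: 0, Bad trailers: 0".
            for name, value in re.findall(r"([A-Za-z][A-Za-z ]*?):\s*(\d+)", line):
                counters[section][name.strip()] = int(value)
    return counters


def verify_tunnel_carried(ike_out, ipsec_out, before, after, peer, replies):
    """Return (ok, reasons). ok only if phase 1 is UP, an inbound and an outbound
    ESP SA exist, no ESP/AH error counter is non-zero, and at least `replies`
    packets were both encrypted and decrypted since the baseline."""
    reasons = []
    if not ike_phase1_up(ike_out, peer):
        reasons.append("phase 1: no IKE SA in state UP")
    if ipsec_sa_directions(ipsec_out, peer) != {"<", ">"}:
        reasons.append("phase 2: inbound/outbound ESP SA pair missing")
    esp_b = section_counters(before)["ESP Statistics"]
    esp_a = section_counters(after)["ESP Statistics"]
    # The first echo request only triggered tunnel setup and was dropped, so the
    # 9 forwarded requests and 9 replies appear as 9 encrypted / 9 decrypted.
    for key in ("Encrypted packets", "Decrypted packets"):
        delta = esp_a[key] - esp_b[key]
        if delta < replies:
            reasons.append(f"{key} grew by {delta}, expected at least {replies}")
    errors = {k: v for k, v in section_counters(after)["Errors"].items() if v}
    if errors:
        reasons.append(f"error counters non-zero: {errors}")
    return (not reasons, reasons)
```

Run `verify_tunnel_carried(IKE_SA_OUTPUT, IPSEC_SA_OUTPUT, STATS_BEFORE, STATS_AFTER, PEER, ECHO_REPLIES)` to get `(True, [])` for the lab transcript; feeding the same statistics as both baseline and result reports that neither counter moved.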

Note
Do not exit the lab environment. Lab 3
needs to build off of what you have
configured in Lab 2. Do not close any
windows or tabs.

STOP You have completed Lab 2. Please return to the course and complete
the next section.

Lab 3
Creating and Deploying Firewall Policies

Overview
In this lab, you will explore, create, and deploy firewall policies using Junos Space Security
Director. You will then explore how to create policy snapshots which allow you to compare,
rollback, and delete policy versions.
By completing this lab, you will perform the following tasks:
Create and deploy firewall policies.
Explore policy versioning.

Part 1: Performing Device Discovery

This lab builds on the configuration created in Lab 2. If you have completed Lab 2
and have not exited the lab environment, then please skip Part 1 and move on to
Part 2. Part 1 explains again how to log in to Junos Space and perform device
discovery.
Step 1.1
From the Host 1 desktop, double-click the Firefox Web Browser icon to access
the Junos Space login screen again.

Step 1.2
Log in to Junos Space, using super as the username and 123lab as the
password.

Step 1.3
First, you must specify the device targets that you want Junos Space to discover.
From the main landing page, click the plus sign (+) next to Devices on the task
tree in the left pane. Then click the plus sign (+) next to Discover Devices.
Next, click the Discover Targets link, as shown in the figure below.

The Discover Targets dialog box appears.

You can add devices using either the CSV Upload button or the Add button, or
both together. You would use the CSV Upload feature to add devices in bulk. You
can add hundreds of devices to Junos Space by using a CSV file that contains
information extracted from an LDAP repository.
Click the green plus sign (+) button. The Add Device Target box appears.
Select the IP range radio button. For the IP range addresses, enter the IP
addresses of srxA-1 and srxA-2, 10.233.255.1 and 10.233.255.2, then click
the Add button.

The Discover Targets dialog box displays the addresses of the configured
device targets.

Step 1.4
In this step, you specify a probe method to connect to and discover the device
targets. Click the Next button in the Discover Targets dialog box to move to
the Specify Probes dialog box.
Note
You need to navigate through the Specify
Probes and Specify Credentials
dialog boxes before you click the Discover
button.

The Discover Probes dialog box appears.

When both the Use Ping and Use SNMP check boxes are selected (the default),
Junos Space can discover the target device more quickly if the device is
pingable and SNMP is enabled on the device.
For this lab, we will accept the default and leave both boxes checked, then
click Next to move to the Specify Credentials dialog box.
The Specify Credentials dialog box appears.

Step 1.5
As an option, you can specify an administrator name and password to establish the
SSH connection for each target device that you configured.
Click the green plus sign (+) Add button.

Step 1.6
The Add Device Login Credential box appears. Enter lab as the
username and lab123 as the password. Enter the password a second time to
confirm it, then click the Add button.

Step 1.7
An icon with the added username will appear in the Specify Credentials
dialog box. Click Discover to start the discovery job.

The Discovery Status dialog box appears.

The Discovery Status dialog box shows the progress of discovery in real time.
Click a bar in the chart to view information about the devices currently managed or
discovered, or for which discovery failed. The example above shows the completed
process with two managed devices.
Note
Within this lab environment, you might receive an error in
which one device fails to reach the Managed state. When this
issue occurs, repeat the device discovery process. To do this,
select Discover Targets again in the left task pane, click
Next in the Discover Targets window that appears, click
Next in the Specify Probes window, then click
Discover in the Specify Credentials window. In a
moment, the second device will now be discovered and you
can continue to the next step.

Part 2: Exploring Firewall Policies

In this lab part, you will explore how to configure security policies on the SRX Series
devices using Security Director.
Step 2.1
Minimize the Junos Space browser window if necessary and go to the Terminal
session you previously opened to srxA-1. If you need to open the connection again,
open a new Terminal session using the icon on the desktop. SSH to srxA-1 as shown
below. If asked for authentication, log in using user lab and the password lab123.
The management address for srxA-1 is 10.233.255.1.
[lab@K01-HOST1-LP ~]$ ssh 10.233.255.1
Warning: Permanently added '10.233.255.1' (RSA) to the list of known hosts.
lab@10.233.255.1's password:
--- JUNOS 12.1X44-D10.4 built 2013-01-08 05:52:29 UTC
lab@srxA-1>
Step 2.2
From the open session with the srxA-1, issue the show security zones and the
show security policies commands.
lab@srxA-1> show security zones

Functional zone: management
  Policy configurable: No
  Interfaces bound: 1
  Interfaces:
    ge-0/0/0.0

Security zone: Trust
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/2.0

Security zone: Untrust
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 2
  Interfaces:
    ge-0/0/1.0
    st0.1

Security zone: junos-host
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 0
  Interfaces:

lab@srxA-1> show security policies
Default policy: permit-all

Question: Which zones are present on srxA-1?

Answer: The management, Trust, Untrust, and junos-host zones are present on
srxA-1.

Question: Which security policies are present on srxA-1? What are the actions
of the security policy?

Answer: Only one security policy is present: the default security policy. The
default security policy is set to permit all traffic.

Step 2.3
Go to the other Terminal session you have open on the desktop or open a new
Terminal session if needed. SSH to srxA-2 as shown below. If asked for
authentication, log in using user lab and the password lab123. The management
address for srxA-2 is 10.233.255.2.
[lab@K01-HOST1-LP ~]$ ssh 10.233.255.2
Warning: Permanently added '10.233.255.2' (RSA) to the list of known hosts.
lab@10.233.255.2's password:
--- JUNOS 12.1X44-D10.4 built 2013-01-08 05:52:29 UTC
lab@srxA-2>
Step 2.4
From the open session with the srxA-2, issue the show security zones and the
show security policies commands.
lab@srxA-2> show security zones

Functional zone: management
  Policy configurable: No
  Interfaces bound: 1
  Interfaces:
    ge-0/0/0.0

Security zone: Trust
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/2.0

Security zone: Untrust
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/1.0

Security zone: VPN
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    st0.1

Security zone: junos-host
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 0
  Interfaces:

lab@srxA-2> show security policies
Default policy: permit-all

Question: Which zones are present on srxA-2?

Answer: The management, Trust, Untrust, VPN, and junos-host zones are present
on srxA-2.

Question: Which security policies are present on srxA-2? What are the actions
of the security policy?

Answer: Only one security policy is present: the default security policy. The
default security policy is set to permit all traffic.

Step 2.5
Return to the open Web browser that is running Junos Space. You may need to log in
again due to inactivity. Use super as the username, and 123lab as the password.

Step 2.6
From Junos Space, open the drop-down menu above the task tree on the left side of
the screen. Click on Security Design to open the application.

The Security Design dashboard appears in the right pane.

Step 2.7
In the task tree on the left side, click the plus sign (+) next to Firewall Policy
and then click the Create Policy link to begin creating a new firewall policy.

Step 2.8
Select the Group policy type, name the policy Group-1, and set an appropriate
description. Select a Policy Priority of High. Leave the rest of the options at
their default values. In the Available section at the bottom of the screen, click on
srxA-1 and then click the right-pointing arrow to place it in the Selected section,
then do the same for srxA-2. Click Create to create the firewall policy.

Step 2.9
Click on Create Policy again. Create a second group firewall policy that has a
policy priority level set to Medium and a precedence value of 1. Name this firewall
policy Group-2 and give it an appropriate description. Leave the rest of the options
at their default values, and place srxA-1 and srxA-2 in the Selected section.
Click Create to create the firewall policy.

Step 2.10
Click on Create Policy once more. Create a third group firewall policy that has a
policy priority level set to Medium and a precedence value of 2. Name this firewall
policy Group-3 and give it an appropriate description. Leave the rest of the options
at their default values, and place srxA-1 and srxA-2 in the Selected section.
Click Create to create the firewall policy.

Step 2.11
Examine the Policies window on the left.

Question: How can you determine the priority and
precedence levels of the policies from examining
the Policies window?

Answer: Each firewall policy displays its priority and precedence levels in
parentheses in the Policies window. For example, the Group-2 firewall policy
displays a priority of MEDIUM and a precedence of 1 in parentheses.

Step 2.12
Before you can edit a policy, you must lock it by clicking the lock icon, which is
available in the policy view toolbar. Select the Group-1 policy and then click the
Lock Policy for Edit icon to start editing the Group-1 policy. You can hold
more than one policy lock at a given time, so also lock the Group-2 and Group-3
policies.

A lock icon will appear in the Policies window on the left, next to each locked
policy, and the areas in the right pane that were previously grayed out will be made
available.
Note
If the locked policy is inactive for the set
timeout value (default 5 minutes), just 1
minute before the timeout interval expires,
a dialog box will appear to allow you to
extend the lock period. If the period expires
while you are working on the lab, reset the
lock as described previously.

Step 2.13
Create a pre rule and a post rule for the Group-1 firewall policy. Begin creating the
rules by clicking the Group-1 firewall policy object. Then, click the Create Pre
Rule and Create Post Rule links. Leave all of the values at their defaults and
click Save to create the rules. Then click Ok to proceed.

Step 2.14
Create a pre rule and a post rule for the Group-2 firewall policy. Begin creating the
rules by clicking the Group-2 firewall policy object. Then, click the Create Pre
Rule and Create Post Rule links. Leave all of the values at their defaults and
click Save to create the rules. Then click Ok to proceed.

Step 2.15
Create a pre rule and a post rule for the Group-3 firewall policy. Begin creating the
rules by clicking the Group-3 firewall policy object. Then, click the Create Pre
Rule and Create Post Rule links. Leave all of the values at their defaults and
click Save to create the rules. Then click Ok to proceed.

Question: Which zones are placed in the Source
Zone and Destination Zone fields by default?

Answer: The trust and untrust zones are placed in the Source Zone and
Destination Zone fields by default.

Step 2.16
Click the Publish Policy link in the far left task tree, then select the Group-1,
Group-2, and Group-3 firewall policies in the right panel by clicking the box to the
left of their names. A check mark will appear in the boxes. Ensure that all three
policies are checked. Click Next to proceed.

Step 2.17
Click View for srxA-1 to verify the configuration. You will get an error message.

Question: What does the error message describe as the problem?

Answer: The error message states that the zone trust does not exist in device.

Question: Is the zone trust available on srxA-1 or srxA-2?

Answer: No. The zone trust does not exist on either device. However, the zone
Trust does exist on both devices. The difference is that the Trust zone has a
capital T, whereas the trust zone begins with a lowercase t.

Question: How did this problem occur?

Answer: When you create a firewall policy, the default values for the source
zone and destination zone are trust and untrust, respectively. These values
are slightly different than the zones that are present on srxA-1 and srxA-2,
in that the Trust zones have a capital T and the Untrust zones have a
capital U.

Step 2.18
Click Ok to close the Configuration Preview window (error message) if
necessary, and click Cancel at the bottom of the Affected Devices screen to
return to the Firewall Policy landing page.

Step 2.19
Click the Group-1 firewall policy object and change the source zone to Trust and
the destination zone to Untrust in the pre rules and post rules. Then, change the
Action on both rules to Permit. Click Save to save the changes to the rules.
Then click Ok to proceed.
Be sure to perform these changes for both the pre rules and post rules.

Step 2.20
Click the Group-2 firewall policy object and change the source zone to Trust and
the destination zone to Untrust in the pre and post rules. Then, change the
Action on both rules to Permit. Click Save to save the changes to the rules.
Then click Ok to proceed.
Be sure to perform these changes for both the pre rules and post rules.

Step 2.21
Click the Group-3 firewall policy object and change the source zone to Trust and
the destination zone to Untrust in the pre rules and post rules. Then, change the
Action on both rules to Permit. Click Save to save the changes to the rules.
Then click Ok to proceed.
Be sure to perform these changes for both the pre rules and post rules.

Step 2.22
Click the Publish Policy link in the far left task tree and select the Group-1,
Group-2, and Group-3 firewall policies. Click Next to proceed.

Step 2.23
Click View for srxA-1 to verify the configuration.

Question: What is the result of clicking the View link?

Answer: The configuration validates and the CLI configuration commands appear.

Step 2.24
Click Close on the Configuration for device window, then click the
Publish and Update button at the bottom of the screen, and then click Ok on
the dialog box that appears.

Step 2.25
Return to the open Terminal session with the srxA-1.
From the open session with the srxA-1, issue the show security policies
command.
Note
It might take a few moments for the
contents from the firewall policies to
appear on srxA-1.

lab@srxA-1> show security policies
Default policy: permit-all
From zone: Trust, To zone: Untrust
  Policy: Group-1-Zone-Pre-1, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
  Policy: Group-2-Zone-Pre-1, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 2
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
  Policy: Group-3-Zone-Pre-1, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 3
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
  Policy: Group-3-Zone-Post-1, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 4
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
  Policy: Group-2-Zone-Post-1, State: enabled, Index: 8, Scope Policy: 0, Sequence number: 5
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
  Policy: Group-1-Zone-Post-1, State: enabled, Index: 9, Scope Policy: 0, Sequence number: 6
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit

Question: What is the order of the policies in the zone Trust to zone Untrust
context?

Answer: The order of the policies is as follows:
1. Group-1-Zone-Pre-1
2. Group-2-Zone-Pre-1
3. Group-3-Zone-Pre-1
4. Group-3-Zone-Post-1
5. Group-2-Zone-Post-1
6. Group-1-Zone-Post-1

Question: Why does the output list the Group-1-Zone-Pre-1 policy before the
other pre policies?

Answer: Remember that the Group-1-Zone-Pre-1 policy is derived from the
Group-1 firewall policy that is set to a high priority. The Group-1-Zone-Pre-1
and the Group-2-Zone-Pre-1 policies are derived from the Group-1 and Group-2
firewall policies, respectively. The Group-1 and Group-2 firewall policies are
set to a medium priority.

Question: Why does the output list the Group-2-Zone-Pre-1 policy before the
Group-3-Zone-Pre-1 policy?

Answer: Although both policies are derived from firewall policies that have
medium priorities, remember that the Group-2-Zone-Pre-1 policy is derived from
the Group-2 firewall policy that has a precedence of 1, whereas the
Group-2-Zone-Pre-1 policy is derived from the Group-1 firewall policy that has
a precedence of 2, which is more preferred.

Question: Why does the output list the Group-3-Zone-Post-1 policy before the
other post policies?

Answer: The reverse order is applied for post policies in regard to priority
and precedence. The Group-3-Zone-Post-1 policy has a medium priority and a
precedence of 2, both of which are more preferred values than what the other
post policies have for priority and precedence.

Question: To which action is the default policy currently set?

Answer: The default policy is currently set to permit all traffic. This value
can be seen at the beginning of the previous output.
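As an added example (not code from the lab guide or from Junos Space), the following models the two behaviours this part exposed: the case-sensitive zone check behind the "zone trust does not exist in device" error in Step 2.17, and the priority/precedence ordering of the pre and post rules in the output above. The ranking rules are inferred from that output rather than from product documentation, and Rule, GroupPolicy, validate_zones, ordered_rules, render_context and lab_policies are names chosen here.

```python
"""Why the first publish failed, and why the six rules landed in that order.

Added example; not code from the lab guide or from Junos Space. It models two
behaviours visible in this lab: the pre-publish check that rejected the default
zone "trust" on devices whose zone is "Trust" (Step 2.17), and the order of the
Group-1/2/3 pre and post rules in the Trust-to-Untrust context (Step 2.25).
Priority ranks, the precedence tie-break and the reversed post-rule order are
inferred from the lab's 'show security policies' output; all names are the
author's own.
"""
from dataclasses import dataclass, field

PRIORITY_RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}        # HIGH sorts first
SRXA1_ZONES = {"management", "Trust", "Untrust", "junos-host"}  # Step 2.2 output


@dataclass
class Rule:
    name: str
    from_zone: str
    to_zone: str
    action: str = "deny"


@dataclass
class GroupPolicy:
    name: str
    priority: str          # HIGH / MEDIUM / LOW, as shown in the Policies window
    precedence: int        # lower value wins among policies of equal priority
    pre_rules: list = field(default_factory=list)
    post_rules: list = field(default_factory=list)


def validate_zones(policies, device_zones):
    """Mimic the 'zone X does not exist in device' preview error. Zone names are
    compared case-sensitively, which is exactly what tripped the lab."""
    errors = []
    for pol in policies:
        for rule in pol.pre_rules + pol.post_rules:
            for zone in (rule.from_zone, rule.to_zone):
                if zone in device_zones:
                    continue
                msg = f"{pol.name}/{rule.name}: zone {zone} does not exist in device"
                near = [z for z in device_zones if z.lower() == zone.lower()]
                if near:
                    msg += f" (device has {near[0]!r}; zone names are case-sensitive)"
                errors.append(msg)
    return errors


def ordered_rules(policies):
    """Pre rules follow priority, then ascending precedence; post rules are emitted
    in the reverse policy order, which is why Group-1's post rule comes last."""
    ranked = sorted(policies, key=lambda p: (PRIORITY_RANK[p.priority], p.precedence))
    pre = [r for p in ranked for r in p.pre_rules]
    post = [r for p in reversed(ranked) for r in p.post_rules]
    return pre + post


def render_context(policies, device_zones, from_zone, to_zone):
    """Device-side policy names for one zone pair, in push order. Raises ValueError
    listing every zone problem when validation fails, as the preview did."""
    errors = validate_zones(policies, device_zones)
    if errors:
        raise ValueError("\n".join(errors))
    return [r.name for r in ordered_rules(policies)
            if (r.from_zone, r.to_zone) == (from_zone, to_zone)]


def lab_policies(from_zone, to_zone, action="permit"):
    """Group-1 (HIGH), Group-2 (MEDIUM, precedence 1), Group-3 (MEDIUM, precedence 2),
    each with one pre and one post rule, as created in Part 2. Device-side names
    follow the <policy>-Zone-Pre-1 / -Post-1 pattern seen on srxA-1."""
    # Group-1's precedence was left at its default in the lab; 0 is a stand-in,
    # irrelevant here because HIGH alone sorts it ahead of the MEDIUM policies.
    specs = [("Group-1", "HIGH", 0), ("Group-2", "MEDIUM", 1), ("Group-3", "MEDIUM", 2)]
    return [GroupPolicy(
        name, prio, prec,
        pre_rules=[Rule(f"{name}-Zone-Pre-1", from_zone, to_zone, action)],
        post_rules=[Rule(f"{name}-Zone-Post-1", from_zone, to_zone, action)])
        for name, prio, prec in specs]
```

`render_context(lab_policies("trust", "untrust"), SRXA1_ZONES, "trust", "untrust")` reproduces the Step 2.17 failure, while the same call with `"Trust", "Untrust"` returns the six names in the order shown in the output above.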

Step 2.26
Currently, the default policy on the SRX Series devices is configured to allow any
traffic. This setting results in the SRX Series devices permitting all other traffic that
does not match the current security polices. Over the next few steps, you will
configure a firewall policy that changes this behavior on all devices.

Return to the Junos Space platform you have open in a browser. You do not need to
be concerned with any firewall policy locks that might have expired.

Step 2.27
Click All Devices Policy in the Policies pane then click the Lock
Policy for Edit icon to begin editing. Click the plus sign (+) sign at the top of
the Policies page then click Create Pre Rule. Do this twice to create two
new pre rules.

Step 2.28
Change the first pre rule to have a source zone of Trust and a destination zone of
Untrust. Then, change the second pre rule to have a source zone of Untrust
and a destination zone of Trust. Leave all other values at their defaults. Click
Save to save the changes, and then click Ok on the dialog box that appears.

Step 2.29
Right-click the All Devices Policy link on the left, and then select the
Publish Policy option.

Step 2.30
Click the View link for srxA-1 to examine the CLI configuration commands and to
ensure that the firewall policy validates on the selected devices. Click Close on the
Configuration for device window and click Publish and Update. Click
Ok on the dialog box that appears.


Step 2.31
Return to the open Terminal session with the srxA-1.
From the open session with the srxA-1, issue the show security policies
command.
Note
It might take a few moments for the
contents from the firewall policies to
appear on srxA-1.

lab@srxA-1> show security policies
Default policy: permit-all
From zone: Trust, To zone: Untrust
  Policy: All-Devices-Zone-Pre-1, State: enabled, Index: 10, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: deny, log
  Policy: Group-1-Zone-Pre-1, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 2
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
  Policy: Group-2-Zone-Pre-1, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 3
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
  Policy: Group-3-Zone-Pre-1, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 4
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
  Policy: Group-3-Zone-Post-1, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 5
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
  Policy: Group-2-Zone-Post-1, State: enabled, Index: 8, Scope Policy: 0, Sequence number: 6
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
  Policy: Group-1-Zone-Post-1, State: enabled, Index: 9, Scope Policy: 0, Sequence number: 7
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
From zone: Untrust, To zone: Trust
  Policy: All-Devices-Zone-Pre-2, State: enabled, Index: 11, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: deny, log

Question: What is the result of the recent firewall policy update?

Answer: The All Devices Policy placed the All-Devices-Zone-Pre-1 policy
before any other policy in the Trust zone to Untrust zone context and placed
the All-Devices-Zone-Pre-2 policy in the Untrust zone to Trust zone context.
Both rules match any source, any destination, and any application with a deny
action, so the group policies that follow All-Devices-Zone-Pre-1 can never be
reached. The end result of this update is that all transit traffic between
the Trust and Untrust zones is blocked (and logged).

Question: What can you do with the All Devices Policy that would block
traffic not permitted by the group policies in the Trust zone to Untrust zone
context?

Answer: Use a post rule instead of a pre rule. Remember that the All Devices
Policy has a higher priority than any group or device firewall policy, which
means an All Devices Policy post rule is placed at the end of all other
policies for a zone context, after every group and device rule. A deny post
rule therefore acts as a cleanup rule that catches only the traffic the
group policies did not permit.
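The ordering and the shadowing that the two answers above describe can be checked mechanically from the CLI output rather than by eye. The Python below is an added example for this lab guide, not part of Security Director or of any Juniper tool: it parses show security policies output into zone contexts and rules, then reports the conditions a reviewer would flag, namely a default policy that is not deny-all, a permit rule that matches any/any/any, a rule that matches all traffic and so makes every rule behind it unreachable, and a zone context whose last enabled rule is not a logged deny. The sample text is constructed for the example and abridged from the Step 2.31 output above, with each Policy line unwrapped as the real CLI prints it.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, abridged from the lab's Step 2.31 output. The real CLI
# prints each "Policy:" line unwrapped, which is what POLICY_RE expects.
SAMPLE = """\
Default policy: permit-all
From zone: Trust, To zone: Untrust
  Policy: All-Devices-Zone-Pre-1, State: enabled, Index: 10, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: deny, log
  Policy: Group-1-Zone-Pre-1, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 2
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
  Policy: Group-1-Zone-Post-1, State: enabled, Index: 9, Scope Policy: 0, Sequence number: 3
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
From zone: Untrust, To zone: Trust
  Policy: All-Devices-Zone-Pre-2, State: enabled, Index: 11, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: deny, log
"""

CONTEXT_RE = re.compile(r"From zone: (?P<src>\S+), To zone: (?P<dst>\S+)")
POLICY_RE = re.compile(r"Policy: (?P<name>\S+), State: (?P<state>\w+), .*Sequence number: (?P<seq>\d+)")


@dataclass
class Rule:
    name: str
    state: str
    sequence: int
    sources: list = field(default_factory=list)
    destinations: list = field(default_factory=list)
    applications: list = field(default_factory=list)
    action: str = ""
    log: bool = False

    def matches_everything(self):
        return self.sources == self.destinations == self.applications == ["any"]


@dataclass
class Context:
    from_zone: str
    to_zone: str
    rules: list = field(default_factory=list)

    def label(self):
        return f"{self.from_zone}->{self.to_zone}"


def parse_show_security_policies(text):
    """Return (default_policy, [Context]) parsed from `show security policies` output."""
    default_policy, contexts, rule = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Default policy:"):
            default_policy = line.split(":", 1)[1].strip()
        elif m := CONTEXT_RE.match(line):
            contexts.append(Context(m["src"], m["dst"]))
        elif m := POLICY_RE.match(line):
            rule = Rule(m["name"], m["state"], int(m["seq"]))
            contexts[-1].rules.append(rule)
        elif rule is not None:
            key, _, value = line.partition(":")
            values = [v.strip() for v in value.split(",") if v.strip()]
            if key == "Source addresses":
                rule.sources = values
            elif key == "Destination addresses":
                rule.destinations = values
            elif key == "Applications":
                rule.applications = values
            elif key == "Action":
                rule.action, rule.log = values[0], "log" in values[1:]
    return default_policy, contexts


def audit(default_policy, contexts):
    """Return (kind, context, rule) findings for the conditions described in the lead-in."""
    findings = []
    if default_policy != "deny-all":
        findings.append(("default-permit", "*", default_policy))
    for ctx in contexts:
        # The SRX evaluates rules in sequence-number order and stops at the first match.
        enabled = sorted((r for r in ctx.rules if r.state == "enabled"), key=lambda r: r.sequence)
        if not enabled:
            findings.append(("no-cleanup-deny", ctx.label(), None))
            continue
        for r in enabled:
            if r.action == "permit" and r.matches_everything():
                findings.append(("permit-any-any", ctx.label(), r.name))
        # Every rule behind one that matches all traffic is unreachable, whatever its action.
        blocker = next((r for r in enabled[:-1] if r.matches_everything()), None)
        if blocker is not None:
            findings.append(("shadowed", ctx.label(), blocker.name))
        last = enabled[-1]
        if last.action != "deny" or not last.log:
            findings.append(("no-cleanup-deny", ctx.label(), last.name))
    return findings
```

Running audit(*parse_show_security_policies(SAMPLE)) reports the permit-all default, the two any/any/any permits, the All-Devices-Zone-Pre-1 rule that shadows everything behind it, and the missing cleanup deny in the Trust to Untrust context; the Untrust to Trust context, which ends in a logged any/any/any deny, produces nothing. Paste the output of a real show security policies session in place of SAMPLE to review a production device the same way.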

Step 2.32
Return to the Junos Space platform you have open in a browser. You do not need to
be concerned with any firewall policy locks that might have expired.
Click All Devices Policy in the Policies pane then click the Lock
Policy for Edit icon if the lock has expired. You do not need to be concerned
with locks on any other policies. Right-click the pre rule that contains the from
Trust zone to Untrust zone context. Next, select the Disable option.

Step 2.33
Click the Create Post Rule link and set the source zone value to Trust and
the destination zone value to Untrust. Leave all other values at their defaults.
Click Save to save your changes. Click Ok on the dialog box that appears.

Question: What would have happened if you simply deleted the pre rule instead
of disabling it?

Answer: The security policy that is derived from the pre rule would have
remained on the SRX Series devices. To remove it, you would need to enter the
CLI and delete it manually.

Step 2.34
Right-click the All Devices Policy object and select the Publish Policy
option. Next, click the View link for srxA-1 to examine the CLI configuration
commands and validate the firewall policy against the devices. Click Close on the
Configuration for device window and click Publish and Update. Click
Ok on the dialog box that appears.

Step 2.35
Return to the open Terminal session with the srxA-1.
From the Terminal session with the srxA-1, issue the show security policies
command.
Note
It might take a few moments for the
contents from the firewall policies to
appear on srxA-1.

lab@srxA-1> show security policies
Default policy: permit-all
From zone: Untrust, To zone: Trust
  Policy: All-Devices-Zone-Pre-2, State: enabled, Index: 11, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: deny, log
From zone: Trust, To zone: Untrust
  Policy: Group-1-Zone-Pre-1, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
  Policy: Group-2-Zone-Pre-1, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 2
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
  Policy: Group-3-Zone-Pre-1, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 3
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
  Policy: Group-3-Zone-Post-1, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 4
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
  Policy: Group-2-Zone-Post-1, State: enabled, Index: 8, Scope Policy: 0, Sequence number: 5
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
  Policy: Group-1-Zone-Post-1, State: enabled, Index: 9, Scope Policy: 0, Sequence number: 6
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
  Policy: All-Devices-Zone-Post-1, State: enabled, Index: 12, Scope Policy: 0, Sequence number: 7
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: deny, log

Question: What is the result of the firewall policy update?

Answer: The All Devices Policy pre rule has been removed from the beginning of
the Trust zone to Untrust zone context, and the All Devices Policy post rule
has been added to the end of the Trust zone to Untrust zone context. Transit
traffic that is going from the Trust zone to the Untrust zone can now match
the other policies in the context and pass through the firewall; traffic that
matches none of them is denied and logged by All-Devices-Zone-Post-1 instead
of falling through to the permit-all default policy.

Step 2.36
Return to Junos Space you have open in the browser. You do not need to be
concerned with any firewall policy locks that might have expired.
From the task tree on the far left, click the plus sign (+) next to Firewall
Policy, then click the Prioritize Policies link. Next, examine the
Priority and Precedence window.

Question: In what order does the window list the firewall policies?

Answer: The window lists the firewall policies from highest priority first,
and then by the most-preferred precedence.

Step 2.37
Select the Group-3 policy and click Move Up until the Group-3 policy is more
preferred than the Group-1 policy. Click Save to save the changes. Click Ok on the
dialog box that appears.

Question: What are the current priority and precedence values of the Group-3
policy?

Answer: The Group-3 policy now has the priority value of High and the
precedence value of 1.

Question: Does the priority change of the Group-3 policy mean that it is now
more preferred than the All Devices Policy?

Answer: No. No group policy, or device policy, can be more preferred than the
All Devices Policy.

Question: If you deploy the group policies now, in which order will they be
applied on the SRX devices?

Answer: Remember that higher priority and more-preferred precedence causes a
policy's pre rules to come first and its post rules to come last. In that
regard, the group policy ordering should occur as follows:
1. Group-3 pre rules
2. Group-1 pre rules
3. Group-2 pre rules
4. Group-2 post rules
5. Group-1 post rules
6. Group-3 post rules
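The ordering rule in the answer above, together with the rule that no group or device policy outranks the All Devices Policy, can be written down as a small model. The Python below is an added example for this lab guide, not Security Director code: it ranks policies with the All Devices Policy first, then by priority, then by precedence, emits pre rules in that order and post rules in reverse, and reproduces both the Step 2.35 output (before Group-3 was moved) and the order expected after Step 2.37. That Group-1 keeps a High priority with precedence 2 once Group-3 is moved above it is an assumption; the lab states only that Group-3 is now High with precedence 1.

```python
from dataclasses import dataclass

# Priority levels as Security Director ranks them; a lower rank is more preferred.
PRIORITY_RANK = {"High": 0, "Medium": 1, "Low": 2}


@dataclass(frozen=True)
class FirewallPolicy:
    name: str
    priority: str              # "High", "Medium" or "Low"
    precedence: int            # 1 is the most preferred within a priority level
    pre_rules: tuple = ()      # names of the SRX policies this policy's pre rules become
    post_rules: tuple = ()     # names of the SRX policies this policy's post rules become
    all_devices: bool = False  # the All Devices Policy always outranks every other policy


def preference_key(policy):
    """Sort key: All Devices Policy first, then priority, then precedence."""
    return (0 if policy.all_devices else 1,
            PRIORITY_RANK[policy.priority],
            policy.precedence)


def zone_context_order(policies):
    """Sequence of SRX policies Security Director pushes into one zone context.

    Pre rules are emitted most-preferred policy first. Post rules are emitted in
    the reverse order, so the most preferred policy's post rules land last.
    """
    ranked = sorted(policies, key=preference_key)
    ordered = [rule for p in ranked for rule in p.pre_rules]
    ordered += [rule for p in reversed(ranked) for rule in p.post_rules]
    return ordered


def lab_policies_before_step_2_37():
    """Trust->Untrust policy set as the lab leaves it at Step 2.35.

    The All Devices Policy pre rule for this context is disabled, so only its
    post rule contributes. Group-1 is High/1, Group-2 Medium/1, Group-3 Medium/2.
    """
    return [
        FirewallPolicy("All Devices Policy", "High", 0,
                       post_rules=("All-Devices-Zone-Post-1",), all_devices=True),
        FirewallPolicy("Group-1", "High", 1,
                       ("Group-1-Zone-Pre-1",), ("Group-1-Zone-Post-1",)),
        FirewallPolicy("Group-2", "Medium", 1,
                       ("Group-2-Zone-Pre-1",), ("Group-2-Zone-Post-1",)),
        FirewallPolicy("Group-3", "Medium", 2,
                       ("Group-3-Zone-Pre-1",), ("Group-3-Zone-Post-1",)),
    ]


def lab_policies_after_step_2_37():
    """Same set after Group-3 is moved above Group-1 (Group-3 becomes High/1).

    Assumption: Group-1 drops to High/2; the lab does not state its new precedence.
    """
    return [
        FirewallPolicy("All Devices Policy", "High", 0,
                       post_rules=("All-Devices-Zone-Post-1",), all_devices=True),
        FirewallPolicy("Group-1", "High", 2,
                       ("Group-1-Zone-Pre-1",), ("Group-1-Zone-Post-1",)),
        FirewallPolicy("Group-2", "Medium", 1,
                       ("Group-2-Zone-Pre-1",), ("Group-2-Zone-Post-1",)),
        FirewallPolicy("Group-3", "High", 1,
                       ("Group-3-Zone-Pre-1",), ("Group-3-Zone-Post-1",)),
    ]


if __name__ == "__main__":
    for seq, name in enumerate(zone_context_order(lab_policies_after_step_2_37()), 1):
        print(f"Sequence number: {seq}  {name}")
```

Comparing zone_context_order(lab_policies_before_step_2_37()) against the sequence numbers in the Step 2.35 output, and the after-move list against the Step 2.40 output, is a quick way to confirm that a Prioritize Policies change did what you expected before you publish it to every device in the group.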

Step 2.38
Click the Publish Policy link in the task tree.

Question: Why is only the Group-3 policy in the Re-publishing Required state?

Answer: You only changed the priority value on the Group-3 policy, which
requires you to republish the policy.

Step 2.39
Select the Group-3 check box and click Next. Then, on the next page, click the
View link for srxA-1. Once Security Director validates the configuration changes,
click Close on the Configuration for device window. Then, click Publish
and Update. Click Ok on the dialog box that appears.

Step 2.40
Return to the open Terminal session with the srxA-1.
From the Terminal session with the srxA-1, issue the show security policies
command.
Note
It might take a few moments for the
contents from the firewall policies to
appear on srxA-1.

lab@srxA-1> show security policies
Default policy: permit-all
From zone: Untrust, To zone: Trust
  Policy: All-Devices-Zone-Pre-2, State: enabled, Index: 11, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: deny, log
From zone: Trust, To zone: Untrust
  Policy: Group-3-Zone-Pre-1, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
  Policy: Group-1-Zone-Pre-1, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 2
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
  Policy: Group-2-Zone-Pre-1, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 3
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
  Policy: Group-2-Zone-Post-1, State: enabled, Index: 8, Scope Policy: 0, Sequence number: 4
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
  Policy: Group-1-Zone-Post-1, State: enabled, Index: 9, Scope Policy: 0, Sequence number: 5
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
  Policy: Group-3-Zone-Post-1, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 6
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
  Policy: All-Devices-Zone-Post-1, State: enabled, Index: 12, Scope Policy: 0, Sequence number: 7
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: deny, log

Question: How did the order of the security policies change?

Answer: The Group-3-Zone-Pre-1 policy is now the first policy in the Trust
zone to Untrust zone context, and the Group-3-Zone-Post-1 policy is now the
second-to-last policy in that context, directly before the All Devices Policy
post rule.

Part 3: Policy Versioning

In this lab part, you will explore policy versioning by comparing, rolling back, and
deleting firewall policies.
Step 3.1
Return to the Junos Space platform you have open in a browser. You do not need to
be concerned with any firewall policy locks that might have expired.
Next, create a version snapshot of the current Group-1 policy. From the
Policies area, right-click the Group-1 policy, and select Snapshot Policy.

Step 3.2
The Policy Name field shows the name of the firewall policy for which the
snapshot is taken. Enter your comments in the Comments field. For this lab, have
your comments read Group-1 Permit then click Create to take the snapshot.
The Snapshot Policy window appears, showing the status of the version as it is
created. Click Close on the Snapshot Policy window.

Step 3.3
You can view or manage all available versions of a selected policy; you can view
differences between any two versions, roll back to a specific version, and delete
versions from the system.
Now that we have created a snapshot of the Group-1 firewall policy, let's alter and
republish the policy so we can see how to use versioning.
Click the Group-1 firewall policy object. Click the lock icon so you can edit the
policy. Next, change the Action from Permit to Deny in both the pre rules and the
post rules. Click Save to save the changes to the rules. Then click Ok to proceed.

Step 3.4
Click the Publish Policy link under Firewall Policy in the far left task
tree and check mark the Group-1 firewall policy in the list of policies on the right.
Notice that the Group-1 Publish State is Re-publishing Required. Click
Next to proceed.

Step 3.5
Click View for srxA-1 to verify the configuration.

Step 3.6
Click Close on the Configuration for device window, then click the
Publish and Update button at the bottom of the screen, and then click Ok on
the dialog box that appears.

Step 3.7
Next, create a snapshot of this new version of the Group-1 policy. From the
Policies area, right-click the Group-1 policy, and select Snapshot Policy.

Step 3.8
This time in the Comments field, enter the comment Group-1 Deny so we can
differentiate the snapshot. Click Create to take the snapshot. The Snapshot
Policy window appears, showing the status of the version as it is created. Click
Close on the Snapshot Policy window.

Step 3.9
Next, let's compare the two versions of the Group-1 policy.
From the Policies area, right-click the Group-1 policy, and select Manage
Snapshots. The Manage Versions window appears, showing all policy
versions.
Note
Note the additional snapshots in the list
that appears. During any policy publish,
Security Director takes an automatic
snapshot of the policy.

Step 3.10
Select the versions to be compared. For this lab, select the Group-1 Permit and
Group-1 Deny snapshots and click Compare. You can select only two versions at
a time to compare.

Step 3.11
A dialog box will appear that will give you the choice of which snapshot to compare
to which base version. The Swap button can be used to toggle the selection. For this
lab, accept the default. Click Compare.

(The lab guide shows a screenshot of the selection toggled with the Swap button.)
For this lab, do not use Swap; accept the default.

Step 3.12
A Compare Versions progress window will briefly appear. Then the Compare
Versions results window appears, showing a comparison between the selected
versions.

Step 3.13
The Compare Versions results window can include the following areas:
Policy Property Changes: Shows policy changes for the modified rules
Rule Changes: Displays rules that are added, modified, or deleted
Column Changes: Shows the differences between the column contents
for modified rules

Question: What areas are shown in the Compare Versions results window for
this lab?

Answer: The output for this lab shows Rule Changes and Column Changes, noting
the changes made to the policy action.

Step 3.14
Click Close to exit the Compare Versions results window. Then click Close to
exit the Manage Versions: Group-1 window.

Step 3.15
You can rollback to a different snapshot version using Manage Snapshots.
From the Policies area, right-click the Group-1 policy, and select Manage
Snapshots. The Manage Versions: Group-1 window appears, showing all
policy versions.

Step 3.16
Select the version to which you want to rollback. For this lab, check mark the
Group-1 Permit snapshot and click Rollback.
Note
The rollback operation replaces all the
rules and rule groups of the current version
with rules and rule groups from the
selected version. For all the shared objects,
Object Conflict Resolution (OCR) is done. If
there are any conflicts between the
versioned data and the current objects in
the system, an OCR window will be
displayed. From the OCR window, you can
choose to retain the existing object,
rename the object, or overwrite it with the
new object.

Step 3.17
A Service Summary window appears. From the Service Summary window,
click Next to view the OCR summary report window.

Step 3.18
Click Finish to replace the current policy with the versioned data. Click Yes on the
dialog box that appears to reload the policy. A summary screen of the snapshot
policy will be displayed. After reviewing the information provided on the summary
screen, click Close.

Note
The Action for the Group-1 policy is once
again Permit.

Step 3.19
Finally, you can also delete snapshot versions using Manage Snapshots.

From the Policies area, right-click the Group-1 policy, and select Manage
Snapshots. The Manage Versions window appears, showing all policy
versions.

Step 3.20
You can delete multiple versions at a time. For this lab, select version Group-1
Deny from the Manage Versions window, then click Delete.

Note
Note that this is the same Manage Versions window as used in the compare
and rollback operations. You can delete, roll back, or compare versions from
this window. The options available depend on the number of versions you
select.

Step 3.21
The Delete Snapshot dialog box appears. Click Yes to confirm deletion of the
snapshot. The Manage Versions window is updated, showing the remaining
snapshot versions. Click Close to close the Manage Versions window.

Step 3.22
Use the logout icon in the upper right corner to log out of Junos Space.
You may now close the desktop browser, close the Terminal sessions, and then close
the tab for the lab desktop.
Next, you can end your lab reservation by clicking the End icon in the blue menu bar.
Confirm your desire to end the reservation by clicking Ok on the window that
appears. Your reservation will go into a Teardown process and your reservation will
be released.
You can move to the Courses or Reservations page, or click your username in the
upper right of the screen and select Exit Virtual Labs to exit the site.

STOP: You have completed Lab 3. This concludes the lab portion of this course.
Please return to the course and complete the remainder of the presentation.

Appendix A: Lab Diagrams

