Juniper SRX – Network Interview https://networkinterview.com Online Networking Interview Preparations

NGFWs: Juniper SRX Firewall vs Fortinet Firewall
https://networkinterview.com/juniper-srx-firewall-vs-fortinet-firewall/
Mon, 16 Jun 2025 11:18:19 +0000

Firewalls are the backbone of every network, and they have come a long way from traditional packet-filtering firewalls to next-generation firewalls (NGFWs), which combine conventional firewall functions with network device filtering functions such as deep packet inspection, an intrusion prevention system (IPS), TLS-based encryption, website filtering, QoS / bandwidth management and malware inspection.

Today we look in more detail at two next-generation firewalls, the Juniper SRX and Fortinet firewalls: how they differ from each other and what features they offer.

Juniper SRX Firewall

Juniper SRX is a single appliance that combines NGFW functionality, unified threat management (UTM) capability, and secure switching and routing. SRX firewalls provide network-wide threat visibility.

Introduction to Juniper SRX Firewall

  • It provides NGFW capabilities such as full packet inspection, application awareness and UTM.
  • It has built-in intrusion prevention that understands application behaviour and weaknesses.
  • It defends the network against viruses, phishing attacks, malware and intrusions.
  • Adaptive threat intelligence is delivered through Spotlight Secure, which consolidates threat feeds from various sources and provides actionable insight to the SRX gateway.
  • It combines the roles of router and firewall in one appliance, with switching capabilities.
  • Juniper uses the Junos Services Redundancy Protocol (JSRP) to set up two SRX gateways for high availability.

Fortinet Firewall

Fortinet NGFWs work at high speed and inspect encrypted traffic, identifying, isolating and defusing live threats. Fortinet also provides web filtering, sandboxing, anti-virus and intrusion prevention system (IPS) capabilities, and performs high-speed Secure Sockets Layer (SSL) or Transport Layer Security (TLS) inspection. Policies are enforced consistently through central policy and device management with zero-touch deployment.

What is common between Juniper SRX firewall and Fortinet Firewall?

  • Secure routing, where traffic is inspected to establish that it is legitimate before being forwarded across the network.

Comparison: Juniper SRX firewall vs Fortinet Firewall

| Function | Juniper SRX Firewall | Fortinet Firewall |
|---|---|---|
| Architecture | Modular architecture using the Junos operating system, used across devices for a consistent and scalable platform | Proprietary operating system known as FortiOS, which integrates a range of security features into a single platform |
| Security Features | Advanced threat protection (ATP), intrusion prevention system (IPS), VPN and unified threat management (UTM) capabilities | Consolidation of various security capabilities into a single device, primarily unified threat management (UTM), plus antivirus, antispam, web filtering and application control; proactive security measures such as threat intelligence and analytics |
| Performance | High-performance hardware meant for demanding enterprise environments; scalable to handle network traffic load and security demands | High-performance firewalls in terms of throughput and latency; focus on consolidating security functions to optimize performance and ease of management |
| User Interface | User interface available through the Junos Space platform, valued for its simplicity and ease of use; intuitive interface for administrators | User-friendly interface and the FortiManager central management system for centralized control of devices; visualizations and dashboards for network monitoring and security events |
| Scalability | Emphasis on scalability; ideal for both small and large enterprises; modular architecture allows additional functionality to be added as the network grows | Designed with scalability in mind, with appliances for all network sizes; consolidation of multiple security functions into a single device offers scalability |
| Configuration Mode | Supports the configuration commit method to deploy changes: changes can be staged and committed later as desired | Uses a configuration tree; changes are committed on exiting the config branch of the tree |
| Commit Rollback Feature | Commit rollback to a pre-existing state is supported | Does not support commit rollback |
| IPv6 Support | Better support for IPv6 and the routing-based feature DVMRP | IPv6 is supported along with other features such as DHCPv6 |
| SSL VPN Support | Requires buying another appliance for SSL VPN termination | Supports SSL VPN on the appliance |
| Integral Wireless Controller | Supports wireless LAN control on the large branch model or on bigger appliances, with a limited AP count | All FGT models support some type of integral WLC, with limited support for APs and wireless tunnelling |
| Shell Access | Supports a Unix shell | Does not support a Unix shell |
| Security Policies | Uses the concept of zones; policies are built from one zone to another | Uses port-based policies, built from one port to another port |

Juniper SRX Firewall vs Palo alto Firewall
https://networkinterview.com/juniper-srx-firewall-vs-palo-alto-firewall/
Tue, 02 Apr 2024 09:02:28 +0000

Application-aware security is what IT enterprises now need. Companies are replacing old and outdated firewalls with next-generation firewalls that are application aware; this evolution can be attributed to Web 2.0, where web-based applications and services have become predominant in the IT landscape. When migrating to another firewall platform, it is important to investigate how to utilize and implement the new features, as well as ease of implementation, usability and cost.

Today we look in more detail at the comparison between two next-generation firewalls, Juniper SRX and Palo Alto: how they differ from each other and what features they offer.

Juniper SRX Firewall

Juniper SRX is a next-generation firewall and a departure from the ScreenOS-based firewalls. SRX provides scalability and scalable services. Scaling under load is a typical requirement of firewalls, including services such as stateful firewalling, VPN, NAT, UTM and intrusion prevention. The SRX branch series is meant for small and large office locations where the firewall is typically deployed at the network edge, while the data center series of SRX is designed to provide scaled services.

Introduction to Juniper SRX Firewall


Features of Juniper SRX Firewall

  • Users can limit traffic and shape bandwidth based on application information and context
  • Ability to route traffic over different WAN links
  • More accurate and granular security policies
  • Prevents users from downloading ransomware hidden within encrypted traffic

Palo Alto Firewall

Palo Alto detects known and unknown threats, including those in encrypted traffic, with built-in intelligence. PAN-OS is the software that runs Palo Alto Networks firewalls, with the key technologies built into PAN-OS as native features: App-ID, Content-ID, Device-ID and User-ID. Policies and rules can be applied uniformly across all assets. It detects anomalous user behaviour across the enterprise, consistently protects all business applications and allows least-privilege, zero-trust policies to be granted.

Palo Alto can inspect TLS/SSL-encrypted traffic, monitoring it to ensure that malicious traffic disguised by encryption does not enter your network. Customers have access to granular controls for applications, tunnel monitoring, QoS services, integrated DNS, usage-based policy configuration and mobile device management.

Palo Alto Firewall Architecture

Features of Palo Alto Firewall

  • Consistent protection from threats in real time, full visibility, and traffic control
  • User access filtering and assessment in intelligent manner
  • Data loss prevention with outbound traffic exfiltration

Comparison: Juniper SRX Firewall vs Palo alto Firewall

The table below summarizes the points of comparison between the two firewalls:

| Function | Juniper SRX Firewall | Palo Alto Firewall |
|---|---|---|
| Ease of use | Setup is complex and time consuming, depending on environment complexity | Setup is simple and user friendly, with quicker deployment timelines |
| Architecture | Based on the proprietary Junos operating system | Based on proprietary PAN-OS, built on a Linux kernel |
| Natively engineered | Router OS with bolt-on security capability; AppControl is a third-party component | Natively engineered to provide an integrated security approach |
| Platform support | Junos supports ESXi, NSX, KVM, AWS and Azure | Supports ESXi, NSX, Hyper-V, KVM, ACI, GCP, AWS, Azure, AliCloud, Oracle and vCloud |
| Management interface | Managed via Junos Space Network and Security Director | Managed via Panorama network security management |
| Features | Intrusion prevention is on, but intelligent inspection reduces IPS functionality; support for third-party AV and URL filtering (Forcepoint/Websense); limited local storage and reporting, so an external log collector is recommended | Intrusion prevention is usually on; natively integrated AV and URL filtering; supports local logging; provides credential theft protection |

Juniper SRX Commonly Used Commands
https://networkinterview.com/juniper-srx-commonly-used-commands/
Fri, 23 Feb 2024 06:55:14 +0000

In the previous articles we studied the basics of the Juniper SRX firewall: its architecture, installation, modes, security policies and so on. Today we discuss the command-line interface of Juniper SRX.

Commonly Used Commands: Juniper SRX

Here are some commonly used CLI commands for managing and configuring Juniper SRX devices:

Viewing System Information

show version:

Displays the Junos software version running on the device.

show system uptime:

Shows how long the device has been running since its last reboot.

show chassis hardware:

Provides hardware information such as model, serial number, and installed modules.

Interface Configuration and Status

show interfaces terse:

Displays brief information about all interfaces on the device.

show interfaces <interface-name>:

Shows detailed information about a specific interface.

show interfaces diagnostics optics <interface-name>:

Displays optical transceiver diagnostics information for a specific interface.

Routing and Forwarding Table

show route:

Shows the routing table.

show route forwarding-table:

Displays the forwarding table.

show route protocol <protocol-name>:

Shows routes learned via a specific routing protocol.

Security Policies and Zones

show security policies:

Displays security policies configured on the device.

show security zones:

Shows configured security zones and associated interfaces.

show security flow session:

Displays active sessions passing through the device.

NAT (Network Address Translation)

show security nat source:

Shows configured source NAT rules.

show security nat destination:

Displays configured destination NAT rules.

VPN (Virtual Private Network)

show security ipsec security-associations:

Displays active IPsec security associations.

show security ike security-associations:

Shows active IKE (Internet Key Exchange) security associations.

show security ipsec vpn:

Displays configured IPsec VPNs.

System Logs and Monitoring

show log:

Displays system log messages.

show security flow session source-prefix <source-ip>:

Shows active sessions originating from a specific source IP address.

show security flow session destination-prefix <destination-ip>:

Shows active sessions destined to a specific destination IP address.

Packet Capture

monitor traffic interface <interface-name>:

Initiates packet capture on a specific interface.

monitor traffic interface <interface-name> extensive:

Initiates packet capture with more detailed information.

monitor traffic no-resolve:

Captures packets without resolving IP addresses to hostnames.

Commit and Rollback

commit:

Commits configuration changes to the device.

commit check:

Checks the configuration for syntax errors without committing.

commit full:

Commits the entire configuration, not only the changed parts.

commit comment "{TEXT}":

Commits the changes and records a comment with the commit.

rollback <rollback-number>:

Rolls back the configuration to a previous state.

rollback rescue:

Rolls back the configuration to the saved rescue configuration.
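As an added example (not part of the original article), here is a complete change-and-revert session that uses the commit and rollback commands listed above. The hostname in the prompt and the NTP server address (an RFC 5737 documentation address) are placeholders. `commit confirmed`, which is not listed above, is a standard Junos command that rolls the change back automatically unless a second commit confirms it within the given number of minutes. Lines starting with `##` are explanatory comments, not CLI input.

```junos
## Added example: a safe change workflow on an SRX (not from the original article).
user@srx> configure
user@srx# set system ntp server 192.0.2.123

## 1. Review the pending change against the active configuration.
user@srx# show | compare

## 2. Validate the candidate configuration without activating it.
user@srx# commit check

## 3. Activate with an automatic rollback in 5 minutes unless confirmed. This
##    protects against locking yourself out when changing a remote device.
user@srx# commit confirmed 5

## 4. Confirm the change (a plain commit) and record why it was made.
user@srx# commit comment "CHG-0001: add NTP server"

## 5. Check the commit history; each entry carries the comment and the user.
user@srx# run show system commit

## If the change later turns out to be wrong, return to the previous committed
## configuration. rollback 1 loads the configuration before the last commit;
## rollback 0 discards uncommitted edits. The rollback itself must be committed.
user@srx# rollback 1
user@srx# show | compare
user@srx# commit comment "revert CHG-0001"
user@srx# exit
```

The pairing of `show | compare` with `commit check` before every commit, and a comment on every commit, is what makes the commit history usable as an audit trail when a change has to be traced back later.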

Process Management

show system processes extensive:

Shows the running processes and their resource usage.

restart {process} gracefully:

Restarts the process after all its present tasks have completed.

Miscellaneous

request system reboot:

Reboots the device.

request system storage cleanup:

Removes unwanted files to free storage space.

request support information:

Collects system information for troubleshooting purposes.

configure:

Enters configuration mode.

exit:

Exits configuration mode or the CLI.

Please Note:

These commands provide a basic overview of managing and configuring Juniper SRX devices via the CLI. The actual command syntax may vary depending on the Junos OS version and device model. It is advised to always refer to official documentation or consult with Juniper support for detailed information and assistance.

How to Configure Security Packet Capture on SRX?
https://networkinterview.com/configure-security-packet-capture-on-srx/
Wed, 14 Feb 2024 12:17:42 +0000

Capturing packet traffic is a very useful utility for debugging network issues. It helps to analyse network traffic and supports network monitoring and logging. Packets are captured in binary form without any changes, and the packet information can be read offline with packet analyzers such as Wireshark or tcpdump. Packet capture is similar to capturing sampled traffic on the device and also captures IP fragments.

Today we look more in detail about how to configure security packet capture of SRX firewalls.

Configure Security Packet Capture on SRX 

Before we begin configuring security packet capture on SRX we will use a sample topology. 

There are two vSRX devices connected to each other through their ge-1/0/0 interfaces, on the IP subnet 11.11.11.0/24. Loopback interfaces are configured on vSRX1 and vSRX2 with the IP addresses 198.16.1.1/24 and 198.16.2.1/24 respectively.

Scenario: capture traffic with 

Protocol : ICMP

Source : 198.16.1.1

Target : 198.16.2.1

Routing is assumed to be already configured on both devices. We want to capture only ICMP traffic from source 198.16.1.1 to 198.16.2.1, unidirectionally.


Enable Packet Capture 

Enable packet capture and configure the output file to which capture details will be written. The filename is 'CAPTURE2'.

set forwarding-options packet-capture file filename CAPTURE2

Write Firewall Filter

Now write a firewall filter to match the traffic that is to go into the capture file: ICMP traffic from the source 198.16.1.1 (vSRX1 loopback interface) to the target 198.16.2.1 (vSRX2 loopback interface).

The action is 'sample', which captures matching traffic. In addition, enable counting of the matched packets.

set firewall filter CAPTURE_FILTER term 1 from source-address 198.16.1.1/32

set firewall filter CAPTURE_FILTER term 1 from destination-address 198.16.2.1/32

set firewall filter CAPTURE_FILTER term 1 from protocol icmp

set firewall filter CAPTURE_FILTER term 1 then count COUNT1

set firewall filter CAPTURE_FILTER term 1 then sample

set firewall filter CAPTURE_FILTER term 2 then accept

Apply the firewall filter to the interface (ge-1/0/0):

set interfaces ge-1/0/0 unit 0 family inet filter input CAPTURE_FILTER

User1@vSRX2# show | compare
[edit interfaces ge-1/0/0 unit 0 family inet filter]
-        input FILTER2;
+        input CAPTURE_FILTER;
[edit]
+  forwarding-options {
+      packet-capture {
+          file filename CAPTURE2;
+      }
+  }
[edit firewall]
+   filter CAPTURE_FILTER {
+       term 1 {
+           from {
+               source-address {
+                   198.16.1.1/32;
+               }
+               destination-address {
+                   198.16.2.1/32;
+               }
+               protocol icmp;
+           }
+           then {
+               count COUNT1;
+               sample;
+           }
+       }
+       term 2 {
+           then accept;
+       }
+   }

We have to disable the packet capture when it is not required anymore. 

set forwarding-options packet-capture disable 

The capture result is stored in the /var/tmp/ directory under the name CAPTURE2.ge-1.0.0; the interface name is automatically appended to the name configured for the capture file.

We can use the show firewall command to show the number of packets matched and captured.

User@vSRX2# run show firewall
Filter: __default_bpdu_filter__
Filter: CAPTURE_FILTER
Counters:
Name                                                Bytes              Packets
COUNT1                                               512                    3
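The configuration below is an added example and is not from the original article. It extends the CAPTURE2 setup shown above with file rotation limits, also captures the ICMP echo replies (the article's filter is unidirectional), and adds the commands used to verify and clean up. Interface, addresses and file names follow the article's topology; the `files`, `size` and `maximum-capture-size` options and the `clear firewall` and `file list` commands are standard Junos syntax that the article does not show. One caveat is visible in the `show | compare` output above: an interface unit carries a single input filter, so applying CAPTURE_FILTER replaced the existing `input FILTER2`. If the interface already has a filter, its terms have to be merged into the capture filter so that existing policy is not silently lost. Lines starting with `##` are comments, not CLI input; the `set`/`delete` lines are typed in configuration mode and the `run` lines are operational commands issued from there.

```junos
## Added example (not from the original article): capture ICMP in both
## directions between the two vSRX loopbacks, with bounded capture files.

## Capture file: up to 5 rotated files of 1 MB each in /var/tmp, and capture
## the full 1500-byte frame rather than only the default first 500 bytes.
set forwarding-options packet-capture file filename CAPTURE2 files 5 size 1m
set forwarding-options packet-capture maximum-capture-size 1500

## Term ICMP-REQUEST: echo requests from the vSRX1 loopback to the vSRX2 loopback.
set firewall filter CAPTURE_FILTER term ICMP-REQUEST from source-address 198.16.1.1/32
set firewall filter CAPTURE_FILTER term ICMP-REQUEST from destination-address 198.16.2.1/32
set firewall filter CAPTURE_FILTER term ICMP-REQUEST from protocol icmp
set firewall filter CAPTURE_FILTER term ICMP-REQUEST then count COUNT-REQUEST
set firewall filter CAPTURE_FILTER term ICMP-REQUEST then sample
set firewall filter CAPTURE_FILTER term ICMP-REQUEST then accept

## Term ICMP-REPLY: the reverse direction, seen on the output side of ge-1/0/0.
set firewall filter CAPTURE_FILTER term ICMP-REPLY from source-address 198.16.2.1/32
set firewall filter CAPTURE_FILTER term ICMP-REPLY from destination-address 198.16.1.1/32
set firewall filter CAPTURE_FILTER term ICMP-REPLY from protocol icmp
set firewall filter CAPTURE_FILTER term ICMP-REPLY then count COUNT-REPLY
set firewall filter CAPTURE_FILTER term ICMP-REPLY then sample
set firewall filter CAPTURE_FILTER term ICMP-REPLY then accept

## Final term: everything else passes untouched. Without a final accept, a
## firewall filter drops all traffic that no term matched.
set firewall filter CAPTURE_FILTER term PASS-REST then accept

## Apply the filter in both directions on the link between the two vSRX devices.
set interfaces ge-1/0/0 unit 0 family inet filter input CAPTURE_FILTER
set interfaces ge-1/0/0 unit 0 family inet filter output CAPTURE_FILTER
commit comment "enable ICMP capture between loopbacks"

## Verify: reset the counters, run the ping from vSRX1, then check counters
## and the rotated capture files.
run clear firewall filter CAPTURE_FILTER
run show firewall filter CAPTURE_FILTER
run file list /var/tmp/ detail

## Clean up when done: stop capturing and take the filter off the interface.
delete interfaces ge-1/0/0 unit 0 family inet filter
set forwarding-options packet-capture disable
commit comment "disable ICMP capture"
```

Bounding the capture with `files` and `size` matters on a production firewall: an unbounded capture on a busy interface can fill /var/tmp and affect logging and commits, which is the performance concern the FAQ below raises.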

FAQs Related to Juniper SRX Packet Capture

  • What is packet capture on Juniper SRX devices?

Packet capture on Juniper SRX devices is a feature that allows you to capture and analyze network traffic passing through the device. It’s useful for troubleshooting network issues, analyzing traffic patterns, and diagnosing security incidents.

  • How do I perform a packet capture on Juniper SRX?

Packet capture on Juniper SRX devices can be performed using the monitor traffic command in the CLI (Command-Line Interface). You specify the interface, direction (ingress or egress), and any additional filters to capture specific traffic.

  • Can I capture packets based on specific criteria?

Yes, you can apply filters to capture packets based on specific criteria such as source or destination IP address, protocol, port number, etc. This helps in narrowing down the captured packets to focus on relevant traffic.

  • Where are the captured packets stored?

Captured packets are typically stored in memory buffers on the Juniper SRX device. You can then view the captured packets directly on the device or export them to an external server for further analysis using tools like Wireshark.

  • How much memory is allocated for packet capture?

The amount of memory allocated for packet capture depends on the model and configuration of the Juniper SRX device. You can check the available memory and adjust the capture settings accordingly to avoid running out of memory during capture.

  • Can I capture packets for a specific duration?

Yes, you can specify the duration for which you want to capture packets using the duration option with the monitor traffic command. This allows you to capture packets for a specific period, which is useful for troubleshooting intermittent network issues.

  • Is it possible to capture packets on multiple interfaces simultaneously?

Yes, you can capture packets on multiple interfaces simultaneously by running multiple packet capture sessions concurrently. This is useful for analyzing traffic between different network segments or troubleshooting complex network configurations.

  • Are there any performance impacts of packet capture on Juniper SRX devices?

Performing packet capture on Juniper SRX devices may have some performance impact, especially if capturing a large volume of traffic or applying complex filters. It’s recommended to use packet capture judiciously and only when necessary to minimize any potential performance degradation.

  • Can I automate packet capture tasks on Juniper SRX devices?

Yes, you can automate packet capture tasks on Juniper SRX devices using scripting or automation tools that interact with the device’s CLI interface. This allows you to schedule packet captures, retrieve captured packets, and perform analysis programmatically.

  • Are there any security considerations when capturing packets on Juniper SRX devices?

When capturing packets on Juniper SRX devices, it’s important to ensure that sensitive information such as passwords or personally identifiable information (PII) is not captured unintentionally. Additionally, restrict access to packet capture functionality to authorized personnel to prevent misuse or unauthorized access to network traffic.

How to configure SSL Forward Proxy on SRX?
https://networkinterview.com/how-to-configure-ssl-forward-proxy-on-srx/
Sat, 10 Feb 2024 16:31:23 +0000

The SSL proxy component protects the network from malware hidden in encrypted traffic. It performs SSL encryption and decryption between the server and the end client in a non-transparent manner. Server authentication guards against malicious transmissions by validating the identity of the web server. The SSL forward proxy holds the keys to encrypt and decrypt the payloads.

Today we look in more detail at how to configure Secure Sockets Layer (SSL) forward proxy on the SRX firewall.

Configure SSL Forward Proxy on SRX

The figure below depicts how SSL forward proxy works on an encrypted payload. When the application firewall (AppFW) is configured, the SSL forward proxy acts as an SSL server to terminate the SSL session from the end client and starts a new SSL session to the server.

To configure SSL forward proxy a list of steps to be taken:

  • Root CA certificate configuration
  • Load CA profile group
  • Associate root CA certificate and CA profile group while configuring SSL proxy profile 
  • Security policy creation by defining input traffic match criteria
  • Application of SSL proxy profile to security policy
  • Creation of allowlists and SSL proxy logging (optional steps)

Root Certificate Configuration

Obtain the root CA certificate using the Junos OS CLI. First generate a PKI public/private key pair (for the local digital certificate):

FW1@host1>request security pki generate-key-pair certificate-id certificate-id size size type type

The following combinations can be selected:

1024, 2048 or 4096 bits (RSA / DSA only)

256, 384 or 521 bits (ECDSA only)

FW1@host1> request security pki generate-key-pair certificate-id SECURITY-cert size 4096 type rsa

FW1@host1> request security pki generate-key-pair certificate-id SECURITY-cert size 256 type ecdsa

Define self-certificate

FW1@host1> request security pki local-certificate generate-self-signed certificate-id certificate-id domain-name domain-name subject subject email email-id add-ca-constraint

Load CA profile group

In configuration mode, apply the loaded certificate to the SSL proxy profile:

FW1@host1# set services ssl proxy profile profile-name root-ca certificate-id

Import root CA as trusted CA for web servers.

Configure CA profile group

The CA profile establishes the certificate information used in authentication. Obtain a list of trusted CA certificates by loading a group of CA profiles, then attach the CA group to the SSL proxy profile.

FW1@host1> request security pki ca-certificate ca-profile-group load ca-group-name group-name filename default

SRX supports dynamic updates of the default trusted certificates. To load a trusted list from a file on the device, use:

FW1@host1> request security pki ca-certificate ca-profile-group load ca-group-name group-name filename /var/tmp/IE-all.pem

Now attach the trusted CA or trusted CA group to the SSL proxy profile (configuration mode):

FW1@host1# set services ssl proxy profile profile-name trusted-ca all

Import root CA into web browser 

To import the root CA certificate into the client web browser, first export it as a PEM format file:

FW1@host1> request security pki local-certificate export certificate-id root-ca type pem filename path/filename.pem

Application of SSL proxy profile to security policy

SSL proxy is enabled within a security policy as an application service. Create a security policy and specify the match criteria for the policy (configuration mode):

FW1@host1# set security policies from-zone trust to-zone untrust policy policy-name match source-address source-address

FW1@host1# set security policies from-zone trust to-zone untrust policy policy-name match destination-address destination-address

FW1@host1# set security policies from-zone trust to-zone untrust policy policy-name match application application

SSL proxy logging configuration

When configuring SSL proxy logging, you can choose partial or full logging. SSL proxy logs contain the logical system name, SSL proxy allow-lists, policy information and SSL proxy information useful for troubleshooting. All events or only specific events can be logged (configuration mode):

FW1@host1# set services ssl proxy profile profile-name actions log all

FW1@host1# set services ssl proxy profile profile-name actions log errors

The enable-flow-tracing option can be used to enable debug tracing.
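The following block is an added, end-to-end example assembled from the steps above; it is not from the original article. All names are assumed: certificate-id SSL-PROXY-CA, CA profile group TRUSTED-CAS, SSL proxy profile SSL-FWD-PROXY, policy INSPECT-HTTPS, zones trust and untrust, and the example.net domain. It also fills in the step the article leaves implicit, attaching the profile to the policy with `then permit application-services ssl-proxy profile-name`, which is standard Junos syntax. Lines starting with `##` are comments, not CLI input.

```junos
## Added example (not from the original article): SSL forward proxy on an SRX.

## 1. Operational mode: create the root CA key pair and self-signed CA certificate
##    that the proxy uses to re-sign server certificates presented to clients.
request security pki generate-key-pair certificate-id SSL-PROXY-CA size 2048 type rsa
request security pki local-certificate generate-self-signed certificate-id SSL-PROXY-CA domain-name ssl-proxy.example.net subject "CN=ssl-proxy.example.net,OU=Security,O=Example" email secops@example.net add-ca-constraint

## 2. Operational mode: load the default trusted CA bundle used to validate the
##    real web servers, so forged or untrusted server certificates are rejected.
request security pki ca-certificate ca-profile-group load ca-group-name TRUSTED-CAS filename default

## 3. Operational mode: export the root CA in PEM form for distribution to the
##    client trust stores (browsers, OS certificate stores) with your usual tooling.
request security pki local-certificate export certificate-id SSL-PROXY-CA type pem filename /var/tmp/ssl-proxy-ca.pem

## 4. Configuration mode: the SSL proxy profile. Do not add
##    "actions ignore-server-auth-failure": it disables the server-identity
##    check the article relies on and would let the proxy re-sign any
##    certificate presented to it.
configure
set services ssl proxy profile SSL-FWD-PROXY root-ca SSL-PROXY-CA
set services ssl proxy profile SSL-FWD-PROXY trusted-ca all
set services ssl proxy profile SSL-FWD-PROXY actions log errors

## 5. Configuration mode: a policy that selects HTTPS from trust to untrust and
##    applies the proxy as an application service; session logging for audit.
set security policies from-zone trust to-zone untrust policy INSPECT-HTTPS match source-address any
set security policies from-zone trust to-zone untrust policy INSPECT-HTTPS match destination-address any
set security policies from-zone trust to-zone untrust policy INSPECT-HTTPS match application junos-https
set security policies from-zone trust to-zone untrust policy INSPECT-HTTPS then permit application-services ssl-proxy profile-name SSL-FWD-PROXY
set security policies from-zone trust to-zone untrust policy INSPECT-HTTPS then log session-init session-close
commit check
commit comment "enable SSL forward proxy for outbound HTTPS"

## 6. Verify that sessions are being proxied and watch for handshake errors.
run show services ssl proxy statistics
run show log messages | match ssl
```

The private key generated in step 1 is the most sensitive object in this setup: anyone holding it can impersonate every site the clients trust the proxy for, so the exported PEM in step 3 contains only the certificate, and the key itself never leaves the device.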

Understanding Juniper SRX Modes
https://networkinterview.com/understanding-juniper-srx-modes/
Wed, 07 Feb 2024 11:59:43 +0000

Firewalls process the traffic of packets that enter and exit the device. Juniper SRX firewalls have a wide variety of filtering and traffic-shaping features, including policies, screens, network address translation (NAT) and flow-based services. Processing can be packet based or flow based, depending on the requirements.

Today we look in more detail at the traffic-processing modes of Juniper SRX next-generation firewalls, how traffic is processed in each mode, and their characteristics.

Traffic Processing in Juniper SRX 

Traffic entering and exiting the firewall is processed according to the configured features, such as screens, packet filters and security policies. Packets entering or exiting the device undergo both packet-based and flow-based processing.

Flow-Based Processing 

Packets undergo flow-based processing after the packet-based filters and some screens have been applied. All flow-based processing for a single flow happens on a single services processing unit (SPU). The SPU processes the flow of packets according to the security features and services configured on it.

Flow-Based Processing Mode: Juniper SRX

A flow is a stream of related packets that meet matching criteria and share characteristics. Flow-based (stateful) processing creates sessions. A session is created for the first packet in a flow for the following purposes:

  • To store the security measures applied to the flow of packets
  • To cache information about the state of the flow
  • To allocate resources for features of the flow, such as NAT
  • To provide a framework for features such as firewall features and ALGs

Processing happens in the context of the flow, including:

  • Policy, NAT and zone management
  • Authentication and ALG management

Packet-Based Processing 

Packet-based processing happens after a packet is removed from the queue of its input interface and before it is put back on the queue of its output interface. Packet-based processing applies stateless filters, CoS features and screens to discrete packets. When a packet is received at an interface, a sanity check, packet-based filters, CoS features and some screens are applied to it.

Likewise, when a packet leaves the device at an interface, a sanity check, packet-based filters, CoS features and some screens are applied to it.

Packet filters and CoS features are associated with an interface or interfaces; they determine which packets are allowed to transit the system and apply special actions.

Packets entering and exiting the firewall undergo packet-based processing. In stateless, packet-based processing, packets are treated discretely: each packet is analysed individually. Stateless packet-based forwarding happens on a packet-by-packet basis, without regard to flow or state information.

Packet-Based Processing Mode: Juniper SRX

When a packet enters the device, classifiers, filters and policies are applied. The egress interface of the packet is identified via a route lookup. Once the egress interface is identified, filters are applied and the packet is sent to the egress interface, where queuing and scheduling take place for transmission. Packet-based forwarding does not need information about previous or subsequent packets belonging to a given connection; traffic is allowed or denied per packet.

Comparison: Packet-based and Flow-based Processing Modes

Below is the comparison between packet-based and flow-based processing modes in Juniper SRX firewalls:

JUNIPER SRX FIREWALL

| Feature | Packet-Based Processing Mode | Flow-Based Processing Mode |
|---|---|---|
| Basic Operation | Processes each packet individually as it arrives | Aggregates packets into flows and processes them |
| Traffic Handling | Treats each packet as an individual entity | Groups packets into flows based on session |
| Stateful Inspection | Performs stateful inspection on each packet | Inspects packets within the context of established flows |
| Resource Usage | Consumes more system resources due to per-packet processing | Consumes fewer resources as it aggregates packets into flows |
| Efficiency | Suitable for environments with low to moderate traffic | Suitable for environments with high traffic volumes |
| Performance | Lower performance compared to flow-based mode | Higher performance due to flow optimization |
| Session Tracking | Tracks sessions at the packet level | Tracks sessions at the flow level |
| Security Policy Enforcement | Enforces security policies on a per-packet basis | Enforces security policies within the context of established flows |


Final Words

In summary, packet-based processing mode handles each packet individually, while flow-based processing mode aggregates packets into flows and processes them accordingly. Flow-based processing offers better performance and efficiency, especially in high-traffic environments, by reducing resource consumption through flow optimization. However, packet-based processing may be more suitable for environments with lower traffic volumes or specific security requirements.

How To Configure Juniper SRX Security Policy?
https://networkinterview.com/how-to-configure-juniper-srx-security-policy/ (Sun, 28 Jan 2024 15:16:46 +0000)

To secure their networks, administrators create security policies for the network resources the business needs to protect, at the security level each resource requires. All standard firewalls allow baseline and advanced security policies to be set up that enforce rules on transit traffic: which traffic may pass through the firewall, and what actions are to be taken as traffic passes through it.

Today we look more in detail about how to configure Juniper SRX security policy, understand security policy elements, rules etc.

Juniper SRX Security Policy Elements

A security policy is a set of statements that control traffic flowing from a specific source to a specific destination using a specific service. Policies permit, deny, or tunnel a specific type of traffic between two points, in one direction.

Each policy comprises:

  • A unique policy name
  • A from-zone and to-zone pair, for example user@myhost# set security policies from-zone untrust to-zone untrust
  • Matching criteria that define the conditions to be met for the rule to apply, based on source or destination IP address and applications
  • A set of actions to be performed on a match: permit, deny or reject
  • Accounting and auditing options such as count, log, and structured system logging

Juniper SRX Security Policy Rules

Security policies apply security rules to transit traffic and each policy is uniquely identified. Each policy has a set of characteristics: 

  • Source zone
  • Destination zone
  • One-many source address name or address name sets
  • One-many destination address name or address name sets
  • One-many application names or application name sets

These rule characteristics are the match criteria. Every policy has an action linked with it: permit, deny, reject, count, log, or VPN tunnel. Policies can be configured with IPv4 or IPv6 addresses, including wildcard addresses. When IPv6 flow support is not enabled, all matches are against IPv4 addresses. IPv6 flow-based forwarding is enabled with the set security forwarding-options family inet6 mode flow-based command.

With IPv6 traffic enabled, the maximum number of IPv4 and IPv6 addresses that can be configured in a security policy depends on the match criteria; an IPv6 address requires four times the memory of an IPv4 address, so the address counts must satisfy:

Number_of_src_IPv4_addresses + Number_of_src_IPv6_addresses * 4 < 1024

Number_of_dst_IPv4_addresses + Number_of_dst_IPv6_addresses * 4 < 1024

Security Policy Configuration 

The following steps create a security policy. We use a scenario to define the policies to configure on the firewall:

P1: allow http

P2: allow telnet

P3: allow icmp

P4: explicit deny-all; log and count

The Juniper SRX connects to the outgoing zone through interface G0 with IP subnet 172.168.1.0, and to the incoming zone through interface G1 with IP subnet 172.168.10.0.

Policies are configured from the incoming zone to the outgoing zone.

[edit]
FW1# show | compare
[edit security policies]
    from-zone outgoing to-zone junos-host { … }
    from-zone incoming to-zone outgoing {
        policy ALLOW-WEB {
            match {
                source-address NET_172_168_10_0__24;
                destination-address any;
                application junos-http;
            }
            then {
                permit;
                log {
                    session-init;
                    session-close;
                }
                count;
            }
        }
        policy ALLOW-TELNET {
            match {
                source-address NET_172_168_10_0__24;
                destination-address any;
                application junos-telnet;
            }
            then {
                permit;
                log {
                    session-init;
                    session-close;
                }
                count;
            }
        }
        policy ALLOW-ICMP {
            match {
                source-address NET_172_168_10_0__24;
                destination-address any;
                application junos-icmp-all;
            }
            then {
                permit;
                log {
                    session-init;
                }
                count;
            }
        }
        policy DENY-ALL {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                reject;
                log {
                    session-init;
                }
                count;
            }
        }
    }
!

P1: allow http

set security policies from-zone incoming to-zone outgoing policy ALLOW-WEB match source-address NET_172_168_10_0__24
set security policies from-zone incoming to-zone outgoing policy ALLOW-WEB match destination-address any
set security policies from-zone incoming to-zone outgoing policy ALLOW-WEB match application junos-http

set security policies from-zone incoming to-zone outgoing policy ALLOW-WEB then permit
set security policies from-zone incoming to-zone outgoing policy ALLOW-WEB then log session-init
set security policies from-zone incoming to-zone outgoing policy ALLOW-WEB then log session-close
set security policies from-zone incoming to-zone outgoing policy ALLOW-WEB then count
!
P2: allow telnet

set security policies from-zone incoming to-zone outgoing policy ALLOW-TELNET match source-address NET_172_168_10_0__24
set security policies from-zone incoming to-zone outgoing policy ALLOW-TELNET match destination-address any
set security policies from-zone incoming to-zone outgoing policy ALLOW-TELNET match application junos-telnet

set security policies from-zone incoming to-zone outgoing policy ALLOW-TELNET then permit
set security policies from-zone incoming to-zone outgoing policy ALLOW-TELNET then log session-init
set security policies from-zone incoming to-zone outgoing policy ALLOW-TELNET then log session-close
set security policies from-zone incoming to-zone outgoing policy ALLOW-TELNET then count
!
P3: allow icmp

set security policies from-zone incoming to-zone outgoing policy ALLOW-ICMP match source-address NET_172_168_10_0__24
set security policies from-zone incoming to-zone outgoing policy ALLOW-ICMP match destination-address any
set security policies from-zone incoming to-zone outgoing policy ALLOW-ICMP match application junos-icmp-all

set security policies from-zone incoming to-zone outgoing policy ALLOW-ICMP then permit
set security policies from-zone incoming to-zone outgoing policy ALLOW-ICMP then log session-init
set security policies from-zone incoming to-zone outgoing policy ALLOW-ICMP then count
!
P4: explicit deny-all; log and count

set security policies from-zone incoming to-zone outgoing policy DENY-ALL match source-address any
set security policies from-zone incoming to-zone outgoing policy DENY-ALL match destination-address any
set security policies from-zone incoming to-zone outgoing policy DENY-ALL match application any

set security policies from-zone incoming to-zone outgoing policy DENY-ALL then reject
set security policies from-zone incoming to-zone outgoing policy DENY-ALL then log session-init
set security policies from-zone incoming to-zone outgoing policy DENY-ALL then count

set security policies pre-id-default-policy then log session-close
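The Python linter below is an added example, not part of the article and not a Junos tool. It parses set-style policy lines like the ones above, grouped per from-zone/to-zone pair in the order they appear, and applies the checks a reviewer would make before committing: the last policy of every zone pair is a catch-all deny or reject that logs session-init, no policy permits any/any/any, every policy has a terminal action, and no policy sits behind an earlier catch-all where it can never match. The first sample is a constructed copy of the scenario's ALLOW-WEB and DENY-ALL commands plus the global address-book entry they reference (an assumption, since the article does not show it); the second sample is constructed to contain the mistakes the linter is meant to catch.

```python
"""Lint 'set security policies' lines the way a reviewer would (added example)."""
import re
from collections import OrderedDict
from typing import Dict, List, Tuple

# Constructed copy of the scenario's commands plus the address-book entry they
# reference (assumption: NET_172_168_10_0__24 lives in the global address book).
SCENARIO = """
set security address-book global address NET_172_168_10_0__24 172.168.10.0/24
set security policies from-zone incoming to-zone outgoing policy ALLOW-WEB match source-address NET_172_168_10_0__24
set security policies from-zone incoming to-zone outgoing policy ALLOW-WEB match destination-address any
set security policies from-zone incoming to-zone outgoing policy ALLOW-WEB match application junos-http
set security policies from-zone incoming to-zone outgoing policy ALLOW-WEB then permit
set security policies from-zone incoming to-zone outgoing policy ALLOW-WEB then log session-init
set security policies from-zone incoming to-zone outgoing policy ALLOW-WEB then log session-close
set security policies from-zone incoming to-zone outgoing policy ALLOW-WEB then count
set security policies from-zone incoming to-zone outgoing policy DENY-ALL match source-address any
set security policies from-zone incoming to-zone outgoing policy DENY-ALL match destination-address any
set security policies from-zone incoming to-zone outgoing policy DENY-ALL match application any
set security policies from-zone incoming to-zone outgoing policy DENY-ALL then reject
set security policies from-zone incoming to-zone outgoing policy DENY-ALL then log session-init
set security policies from-zone incoming to-zone outgoing policy DENY-ALL then count
"""

# Constructed counter-example: an any/any/any permit, an unlogged deny, and a
# policy placed after a catch-all so it can never match.
BAD = """
set security policies from-zone trust1 to-zone un-trust policy OPEN match source-address any
set security policies from-zone trust1 to-zone un-trust policy OPEN match destination-address any
set security policies from-zone trust1 to-zone un-trust policy OPEN match application any
set security policies from-zone trust1 to-zone un-trust policy OPEN then permit
set security policies from-zone un-trust to-zone trust1 policy BLOCK match source-address any
set security policies from-zone un-trust to-zone trust1 policy BLOCK match destination-address any
set security policies from-zone un-trust to-zone trust1 policy BLOCK match application any
set security policies from-zone un-trust to-zone trust1 policy BLOCK then deny
set security policies from-zone un-trust to-zone trust1 policy LATE match source-address any
set security policies from-zone un-trust to-zone trust1 policy LATE match destination-address any
set security policies from-zone un-trust to-zone trust1 policy LATE match application junos-ssh
set security policies from-zone un-trust to-zone trust1 policy LATE then permit
"""

POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (match|then) (.+)$")
ACTIONS = ("permit", "deny", "reject")


def parse_policies(text: str) -> Dict[Tuple[str, str], OrderedDict]:
    """Group set lines into ordered policies per (from-zone, to-zone) pair."""
    pairs: Dict[Tuple[str, str], OrderedDict] = {}
    for line in text.splitlines():
        m = POLICY_RE.match(line.strip())
        if not m:
            continue
        fz, tz, name, section, rest = m.groups()
        pol = pairs.setdefault((fz, tz), OrderedDict()).setdefault(
            name, {"match": {}, "then": []})
        if section == "match":
            key, val = rest.split(None, 1)
            pol["match"].setdefault(key, []).append(val)
        else:
            pol["then"].append(rest)
    return pairs


def is_catch_all(pol: dict) -> bool:
    m = pol["match"]
    return all(m.get(k) == ["any"]
               for k in ("source-address", "destination-address", "application"))


def action_of(pol: dict) -> str:
    return next((t for t in pol["then"] if t in ACTIONS), "")


def lint(text: str) -> List[str]:
    findings: List[str] = []
    for (fz, tz), pols in parse_policies(text).items():
        pair = f"{fz}->{tz}"
        shadowed_from = None  # name of the first catch-all seen in this pair
        for name, pol in pols.items():
            act = action_of(pol)
            if shadowed_from:
                findings.append(f"{pair} {name}: unreachable, follows catch-all {shadowed_from}")
            if not act:
                findings.append(f"{pair} {name}: no terminal action")
            if act == "permit" and is_catch_all(pol):
                findings.append(f"{pair} {name}: permits any/any/any")
            if act in ("deny", "reject") and "log session-init" not in pol["then"]:
                findings.append(f"{pair} {name}: denied traffic is not logged")
            if is_catch_all(pol) and shadowed_from is None:
                shadowed_from = name
        last = next(reversed(pols.values()))
        if not (is_catch_all(last) and action_of(last) in ("deny", "reject")):
            findings.append(f"{pair}: no explicit logged deny-all as last policy")
    return findings


if __name__ == "__main__":
    print("scenario:", lint(SCENARIO) or "clean")
    print("bad:", *lint(BAD), sep="\n  ")
```

Logging session-init on the deny rule matters because a denied flow never reaches session-close, so without it the drops leave no trace; the same logic is why the scenario's DENY-ALL logs session-init only.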

How to configure Juniper SRX Firewall? Step by Step Guide
https://networkinterview.com/how-to-configure-juniper-srx-firewall/ (Sun, 28 Jan 2024 14:30:43 +0000)

We can't imagine a network without a firewall; they are a staple of almost every network in the IT landscape and protect nearly every network-based transaction. Over the past decade the underlying technology has changed rapidly, with a major shift from stateful inspection firewalls to firewall devices acting as service gateways. Deep inspection by service gateway firewalls is the firewall of the future.

Today we look more in detail about Juniper SRX Next generation firewalls, a true service gateway firewall and understand how to configure them. 

Steps to Configure Juniper SRX Firewall

In this topic we are covering how to configure NGFW and set up a new SRX device to connect to the Internet. 

When we log in to a new SRX box there is no password for root.

1. Press enter.

login: root

Password:

— JUNOS 12.1X47-D20.7 built 2017-03-03 21:53:50 UTC

root@%

2. Use CLI to enter Operational mode

root@% cli

root>

3. Use configure command to enter configuration mode

root> configure

Entering configuration mode

[edit]

root#

Now we will configure the Juniper SRX as a gateway. Use the commit command to apply the candidate configuration as the active configuration.

4. Configuring root password

root# set system root-authentication plain-text-password

New password:

Retype new password:

[edit]

root#

5. Create new user 

[edit]

root# set system login user mad1 class super-user authentication plain-text-password

New password:

Retype new password:

6. Provide host name

[edit]
root@letsconfig-SRX# set system host-name letsconfig-SRX

7. Commit the configuration

[edit]
root# commit
commit complete

[edit]
root@letsconfig-SRX#

8. DNS server setup on Juniper SRX

[edit]

root@letsconfig-SRX# set system name-server 8.8.8.8

9. Enable SSH on SRX 

[edit]

root@letsconfig-SRX# set system services ssh

10. Set up NTP and the time zone

[edit]
root@letsconfig-SRX# set system time-zone Asia/Kolkata

[edit]
root@letsconfig-SRX# set system ntp server time.google.com

11. Assign IP addresses

set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.100/24
set interfaces ge-0/0/2 unit 0 family inet address 10.1.1.1/24

* Family inet means IPv4 and inet6 means IPv6.

12. Establish zone configuration

user@hostj# set security zones security-zone un-trust interfaces ge-0/0/1.0
user@hostj# set security zones security-zone un-trust host-inbound-traffic system-services all
user@hostj# set security zones security-zone un-trust host-inbound-traffic protocols all
user@hostj# set security zones security-zone trust1 interfaces ge-0/0/2.0
user@hostj# set security zones security-zone trust1 host-inbound-traffic system-services all
user@hostj# set security zones security-zone trust1 host-inbound-traffic protocols all

13. Establish security policies for the zones

edit security policies from-zone trust1 to-zone un-trust policy our-internet-policy
    set match source-address any
    set match destination-address any
    set match application any
    set then permit
    exit
edit security policies from-zone un-trust to-zone trust1 policy our-deny-policy
    set match source-address any
    set match destination-address any
    set match application any
    set then deny
    exit
commit

** Everything is allowed in the outgoing direction and everything is denied in the incoming direction.

14. Configure a static default route

set routing-options static route 0.0.0.0/0 next-hop 192.168.3.1

15. NAT/PAT configuration (the rule-set must reference the zones defined in step 12, trust1 and un-trust)

set security nat source rule-set ourr-nat-rule-set from zone trust1
set security nat source rule-set ourr-nat-rule-set to zone un-trust
set security nat source rule-set ourr-nat-rule-set rule ourr-nat-rule match source-address 10.1.1.1/24
set security nat source rule-set ourr-nat-rule-set rule ourr-nat-rule match destination-address 0.0.0.0/0
set security nat source rule-set ourr-nat-rule-set rule ourr-nat-rule then source-nat interface

16. Enable intrusion detection and prevention (IDP) on the SRX firewall

set security idp idp-policy recommended
set security idp idp-policy idpengine

17. Configure one of the IDP policies as the default policy

set security idp default-policy recommended

18. Check whether the default policy is configured on the device

show security idp default-policy
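Steps 11 to 15 are easy to get subtly wrong, so here is an added example (not from the guide and not a Junos feature): a small audit that reads set-style interface, zone, route and NAT statements and reports the inconsistencies a reviewer would look for. The sample configuration is constructed from those steps and deliberately keeps the NAT rule-set referencing zones named trust and untrust while the zones themselves are defined as trust1 and un-trust; it also keeps host-inbound-traffic system-services all, which exposes every management service on the interface facing the untrusted side, a static next-hop that lies on no connected subnet, and a NAT source prefix written with host bits set.

```python
"""Audit zone, route and NAT statements of a Junos-style set config (added example)."""
import ipaddress
import re
from typing import Dict, List, Set

# Constructed sample based on the guide's steps 11-15, kept with its mismatches
# (zone names, next-hop, host bits) so that the audit has something to report.
SAMPLE = """
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.100/24
set interfaces ge-0/0/2 unit 0 family inet address 10.1.1.1/24
set security zones security-zone un-trust interfaces ge-0/0/1.0
set security zones security-zone un-trust host-inbound-traffic system-services all
set security zones security-zone un-trust host-inbound-traffic protocols all
set security zones security-zone trust1 interfaces ge-0/0/2.0
set security zones security-zone trust1 host-inbound-traffic system-services all
set routing-options static route 0.0.0.0/0 next-hop 192.168.3.1
set security nat source rule-set ourr-nat-rule-set from zone trust
set security nat source rule-set ourr-nat-rule-set to zone untrust
set security nat source rule-set ourr-nat-rule-set rule ourr-nat-rule match source-address 10.1.1.1/24
set security nat source rule-set ourr-nat-rule-set rule ourr-nat-rule match destination-address 0.0.0.0/0
set security nat source rule-set ourr-nat-rule-set rule ourr-nat-rule then source-nat interface
"""

IFACE_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet address (\S+)$")
ZONE_IF_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)$")
ZONE_SVC_RE = re.compile(
    r"^set security zones security-zone (\S+) host-inbound-traffic system-services (\S+)$")
ROUTE_RE = re.compile(r"^set routing-options static route (\S+) next-hop (\S+)$")
NAT_ZONE_RE = re.compile(r"^set security nat source rule-set (\S+) (from|to) zone (\S+)$")
NAT_SRC_RE = re.compile(
    r"^set security nat source rule-set \S+ rule (\S+) match source-address (\S+)$")


def audit(text: str) -> List[str]:
    ifaces: Dict[str, ipaddress.IPv4Interface] = {}  # "ge-0/0/1.0" -> address
    zones: Dict[str, Set[str]] = {}                   # zone -> member interfaces
    findings: List[str] = []
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]

    # Pass 1: collect the objects that later statements refer to.
    for line in lines:
        if m := IFACE_RE.match(line):
            ifaces[f"{m[1]}.{m[2]}"] = ipaddress.ip_interface(m[3])
        elif m := ZONE_IF_RE.match(line):
            zones.setdefault(m[1], set()).add(m[2])

    # Pass 2: checks that need the collected state.
    for line in lines:
        if m := ZONE_SVC_RE.match(line):
            if m[2] == "all":
                findings.append(f"zone {m[1]}: host-inbound-traffic system-services all")
        elif m := ROUTE_RE.match(line):
            nh = ipaddress.ip_address(m[2])
            if not any(nh in i.network for i in ifaces.values()):
                findings.append(f"route {m[1]}: next-hop {m[2]} not on any connected subnet")
        elif m := NAT_ZONE_RE.match(line):
            if m[3] not in zones:
                findings.append(f"nat rule-set {m[1]}: {m[2]} zone {m[3]} is not defined")
        elif m := NAT_SRC_RE.match(line):
            try:
                ipaddress.ip_network(m[2])  # strict: host bits must be zero
            except ValueError:
                findings.append(f"nat rule {m[1]}: source-address {m[2]} has host bits set")

    # Every addressed interface should belong to exactly one security zone.
    for name in ifaces:
        if not any(name in members for members in zones.values()):
            findings.append(f"interface {name}: not in any security zone")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On the untrust zone the fix for the first finding is to list only the services the device must answer on that interface (for example ssh or ping) instead of all; the NAT rule-set findings disappear once it names trust1 and un-trust, and the route finding once the next-hop is an address on a connected subnet.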

Introduction to Juniper SRX Firewall
https://networkinterview.com/juniper-srx-firewall/ (Mon, 22 Jan 2024 10:45:18 +0000)

The network security landscape is changing drastically and becoming more complex and dynamic to operate. New challenges in the cyber security domain, related to web-based and social network applications, sophisticated cyber-attacks and social engineering attacks, are on the rise with the increased use of web applications and the adoption of artificial intelligence and machine learning. Simple rule-based stateful inspection firewalls are a thing of the past and can no longer provide protection against the advanced threat landscape.

Today we look more in detail about the next generation firewall (NGFW) from Juniper, i.e., Juniper SRX, its architecture, working and how it protects against advanced threat landscape. 

What is a Juniper SRX Firewall?

The early predecessors of the SRX firewalls were the ScreenOS products, which first introduced the concept of splitting the operating system from the firewall software, giving the flexibility to choose the underlying OS. The Juniper SRX series is the next-generation shift from the ScreenOS platform, built to provide scalable services. A service, as used here, is an action or set of actions applied to network traffic, such as stateful inspection and intrusion prevention.

The SRX firewall provides these services on transit traffic and scales them: scaling provides the appropriate level of processing for the workload. Because firewalls placed in a data center and at a branch have different scalability requirements, the Juniper SRX series comes in two product lines: the branch SRX series and the data center SRX series.

Juniper SRX (NGFW) Architecture

The next generation firewall architecture provides security services for remote sites and WAN connectivity. When an SRX device is used on premises as a standalone NGFW, the WAN routing functions are handled by the SRX device itself. This architecture allows the SRX device to perform all its built-in security functions, such as firewall and network address translation, with visibility into the LANs at the spoke sites. Figure 1 shows the SRX device's connectivity to both the on-site LAN and the WAN.

SRX series devices can be used as standalone firewalls managed by Contrail Service Orchestration (CSO), which supports the SRX300+, SRX500+, SRX1500, SRX4100+ and vSRX series. The NGFW provides the following functionality:

  • WAN connectivity for sites: an NGFW provisioned for a tenant allows any site belonging to that tenant to use the NGFW device as its WAN link back to CSO.
  • Automatic LAN connectivity: the NGFW's built-in DHCP server provides addressing for the connected LAN.
  • Custom application signatures in firewall policies: in addition to the existing SD-WAN policies, CSO supports custom application signatures in firewall policies.
  • Customized IPS signatures and static and dynamic groups: creation, modification, or deletion of customized intrusion prevention system (IPS) signatures and of static and dynamic IPS signature groups, and cloning of predefined or customized IPS signatures and groups.
  • Policy configuration import: importing policy configurations from NGFW devices is supported.

SRX (NGFW) Security Features 

The security device integrates network security and routing capabilities. Traffic entering and leaving the device is processed according to the configured features, such as packet filters, security policies, and screens. The software determines:

  • whether the packet is allowed onto the device
  • whether a firewall screen applies to the packet
  • which route the packet takes to reach its destination
  • whether NAT must be applied to translate the packet's IP address
  • whether the packet requires an application layer gateway (ALG)

The SRX supports next generation firewall protection with application-aware security services, intrusion detection and prevention, a role-based user firewall, and unified threat management (UTM).

Let’s look at some of the security features more in detail.

Firewall User Authentication: an additional layer of security that restricts or permits individual users or groups.

Intrusion Prevention: selective enforcement of attack detection and prevention mechanisms on network traffic passing through the IDP-enabled firewall.

AppSecure: detects application behaviour and weaknesses in order to detect and prevent application-borne security threats, and provides greater visibility into applications. It can stop users from visiting inappropriate sites or downloading malware, prioritize traffic based on application type and bandwidth requirement, and encrypt and decrypt traffic using SSL proxy.

Unified Threat Management (UTM): protection against spam, viruses, worms, spyware, trojans and malware, with content filtering to provide basic data loss prevention capability.
