Today we look more in detail about next generation firewalls such as Juniper SRX firewall and Fortinet firewalls, how they are different from each other, and their features. 

Juniper SRX Firewall

Juniper SRX is a single appliance having NGFW functionality, unified threat management (UTM) capability, and secure switching and routing. The SRX firewalls provide network wide threat visibility.

• It provides NGFW capabilities such as full packet inspection, appliance aware, UTM.
• It has inbuilt intrusion prevention to understand application behaviour and weaknesses.
• It defends the network from viruses, phishing attacks, malware, and intrusion.
• Adaptive threat intelligence is performed using spotlight secure to consolidate threat feeds from various sources to provide actionable insights into SRX gateway.
• Role of router and firewall into one appliance with switching capabilities.
• Juniper uses Junos Services Redundancy Protocol (JSRP) to enable it to set up two SRX gateways for high availability. 

Fortinet Firewall

Fortinet NGFW works at high speed and inspects encrypted traffic, identifies, isolates, and defuses live threats and protection from threats. Fortinet also provides web filtering, sandboxing, anti-virus, and intrusion prevention system (IPS) capabilities. Performing high speed secure socket layer (SSL) or transport layer (TLS) inspection. Consistent enforcement policies using central policy and device management having zero touch deployments. 

What is common between Juniper SRX firewall and Fortinet Firewall?

• Secure routing where inspection happens to analyze if traffic is legitimate before being forwarded across network 

Comparison: Juniper SRX firewall vs Fortinet Firewall

Download: Juniper SRX firewall vs Fortinet Firewall Comparison table

Continue Reading:

Palo Alto vs Fortinet Firewall: Detailed Comparison

Juniper SRX Firewall vs Palo alto Firewall

Today we look more in detail about comparison between next generation firewalls such as Juniper SRX firewall and Palo Alto firewalls, how they are different from each other, and their features. 

Juniper SRX Firewall

Juniper SRX is a next generation firewall departure from ScreenOS based firewalls. SRX provides scalability and scalable services. Scaling under load is a typical requirement of firewalls including other services such as stateful firewall, VPN, NAT, UTM and intrusion prevention. The SRX branch series of firewalls are meant for small and large office locations where the firewall is typically deployed at network edge and in data center series of SRX designed to provide scaling services.  

Related: How to configure Juniper SRX Firewall? Step by Step Guide

Features of Juniper SRX Firewall

• Users can limit traffic and shape bandwidth based on application information and contexts
• Ability to route traffic over different WAN links
• More accurate and granular security policies
• Prevent users to download ransomware hidden within encrypted traffic 

Palo Alto Firewall

Palo Alto detects known and unknown threats such as encrypted traffic with intelligence. PAN-OS is software which runs Palo Alto networks having key technologies built into PAN-OS as a native feature – App-ID, content-ID, device-ID, and User-ID. Policies and rules can be applied uniformly across all assets. Anomalous user behaviour across enterprise and consistently protect all business applications and allow to grant leased privileged zero trust policies. 

Palo Alto can access TLS/SSL encryption and feature of inspection for traffic monitoring to ensure malicious traffic in encrypted disguise enters your network. Customers have access to granular controls for application, tunnel monitoring, QoS services , integrated DNS, usage-based policy configuration and mobile device management. 

Features of Palo Alto Firewall

• Consistent protection from threats in real time, full visibility, and traffic control
• User access filtering and assessment in intelligent manner
• Data loss prevention with outbound traffic exfiltration

Comparison: Juniper SRX Firewall vs Palo alto Firewall

Below table summarizes the points of comparison between the two types of firewalls:

Download the comparison table: Juniper SRX Firewall vs Palo alto Firewall

Continue Reading:

Palo Alto vs Fortinet Firewall: Detailed Comparison

Palo Alto vs Checkpoint Firewall: Detailed Comparison

Commonly Used Commands: Juniper SRX

Here are some commonly used CLI commands for managing and configuring Juniper SRX devices:

Viewing System Information

show version:

Displays the Junos software version running on the device.

show system uptime:

Shows how long the device has been running since its last reboot.

show chassis hardware:

Provides hardware information such as model, serial number, and installed modules.

Interface Configuration and Status

show interfaces terse:

Displays brief information about all interfaces on the device.

show interfaces <interface-name>:

Shows detailed information about a specific interface.

show interfaces diagnostics optics <interface-name>:

Displays optical transceiver diagnostics information for a specific interface.

Routing and Forwarding Table

show route:

Shows the routing table.

show route forwarding-table:

Displays the forwarding table.

show route protocol <protocol-name>:

Shows routes learned via a specific routing protocol.

Security Policies and Zones

show security policies:

Displays security policies configured on the device.

show security zones:

Shows configured security zones and associated interfaces.

show security flow session:

Displays active sessions passing through the device.

NAT (Network Address Translation)

show security nat source:

Shows configured source NAT rules.

show security nat destination:

Displays configured destination NAT rules

VPN (Virtual Private Network)

show security ipsec security-associations:

Displays active IPsec security associations.

show security ike security-associations:

Shows active IKE (Internet Key Exchange) security associations.

show security ipsec vpn:

Displays configured IPsec VPNs.

System Logs and Monitoring

show log:

Displays system log messages.

show security flow session source-prefix <source-ip>:

Shows active sessions originating from a specific source IP address.

show security flow session destination-prefix <destination-ip>:

Shows active sessions destined to a specific destination IP address.

Packet Capture

monitor traffic interface <interface-name>:

Initiates packet capture on a specific interface.

monitor traffic interface <interface-name> extensive:

Initiates packet capture with more detailed information.

monitor traffic no-resolve:

Captures packets without resolving IP addresses to hostnames.

Commit and Rollback

commit:

Commits configuration changes to the device.

commit check:

Checks the configuration for syntax errors without committing.

commit full:

commit entire configuration

commit comment “{TEXT}”:

Add a comment after commit changes

rollback <rollback-number>:

Rolls back the configuration to a previous state.

rollback rescue:

Rollback the configuration to rescue point

Process Management

show system processes extensive:

Show processes

restart {process} gracefully:

Restart the process after all the present tasks have been completed

Miscellaneous

request system reboot:

Reboots the device.

request system storage cleanup:

Remove unwanted files

request support information:

Collects system information for troubleshooting purposes.

configure:

Enters configuration mode.

exit:

Exits configuration mode or the CLI.

Please Note:

These commands provide a basic overview of managing and configuring Juniper SRX devices via the CLI. The actual command syntax may vary depending on the Junos OS version and device model. It is advised to always refer to official documentation or consult with Juniper support for detailed information and assistance.

Continue Reading:

How to Configure Security Packet Capture on SRX?

How to configure SSL Forward Proxy on SRX?

Today we look more in detail about how to configure security packet capture of SRX firewalls.

Configure Security Packet Capture on SRX 

Before we begin configuring security packet capture on SRX we will use a sample topology. 

There are two vSRX devices which are connected to each other using ge-01/0/0 interface having IP subnet as 11.11.11.0/24. Loopback interfaces are connected to vSRX1 and vSRX2 having IP address as 198.16.1.1/24 and 198.16.2.1/24.

Scenario: capture traffic with 

Protocol : ICMP

Source : 198.16.1.1

Target : 198.16.2.1

With the assumption that routing is already configured on both devices. We want to capture ICMP only traffic from source 198.16.1.1 to 198.16.2.1 unidirectionally.

Related: Palo Alto Packet Capture/ Packet Sniffing

Enable Packet Capture 

Enable packet capture and configure the output file to which capture details will be written. The filename is ‘CAPTURE2’. 

set forwarding-options packet-capture file filename CAPTURE2

Write Firewall Filter

Now write a firewall filter to match the traffic which is to go in the capture file. Match ICMP traffic from source 198.16.1.1 (vSRX1) loopback interface to target 198.16.2.1 (vSRX2) loopback interface.

Action would be mentioned as ‘Sample’ which means to capture matching traffic. In addition, enable the count of the number of matched traffic. 

set firewall filter CAPTURE_FILTER term 1 from source-address 198.16.1.1/32

set firewall filter CAPTURE_FILTER term 1 from destination-address 198.16.2.1/32

set firewall filter CAPTURE_FILTER term 1 from protocol icmp

set firewall filter CAPTURE_FILTER term 1 then count COUNT1

set firewall filter CAPTURE_FILTER term 1 then sample

set firewall filter CAPTURE_FILTER term 2 then accept

Apply firewall filter to interface (ge-1/0/0/0)

set interfaces ge-1/0/0-unit 0 family inet filter input CAPTURE_FILTER

User1@vSRX2# show | compare 

[edit interfaces ge-1/0/0 unit 0 family inet filter]

–        input FILTER2;

+        input CAPTURE_FILTER;

[edit]

+  forwarding-options {

+      packet-capture {

+          file filename CAPTURE2;

+      }

+  }

[edit firewall]

+   filter CAPTURE_FILTER {

+       term 1 {

+           from {

+               source-address {

+                   198.16.1.1/32;

+               }

+               destination-address {

+                   198.16.2.1/32;

+               }

+               protocol icmp;

+           }

+           then {

+               count COUNT1;

+               sample;

+           }

+       }

+       term 2 {

+           then accept;

+       }

+   }

We have to disable the packet capture when it is not required anymore. 

set forwarding-options packet-capture disable 

The capture result is stored in “/var/tmp/” directory and with the name of “CAPTURE2.ge-1.0.0” name of interface is auto added to the name which is configured for capture file.

We can use the show firewall command to show the number of packets matched and captured.

User@vSRX2# run show firewall     

Filter: __default_bpdu_filter__                                

…

Filter: CAPTURE_FILTER                                         

Counters:

Name                                                Bytes              Packets

COUNT1                                           512                    3

FAQs Related to Juniper SRX Packet Capture

• What is packet capture on Juniper SRX devices?

Packet capture on Juniper SRX devices is a feature that allows you to capture and analyze network traffic passing through the device. It’s useful for troubleshooting network issues, analyzing traffic patterns, and diagnosing security incidents.

• How do I perform a packet capture on Juniper SRX?

Packet capture on Juniper SRX devices can be performed using the monitor traffic command in the CLI (Command-Line Interface). You specify the interface, direction (ingress or egress), and any additional filters to capture specific traffic.

• Can I capture packets based on specific criteria?

Yes, you can apply filters to capture packets based on specific criteria such as source or destination IP address, protocol, port number, etc. This helps in narrowing down the captured packets to focus on relevant traffic.

• Where are the captured packets stored?

Captured packets are typically stored in memory buffers on the Juniper SRX device. You can then view the captured packets directly on the device or export them to an external server for further analysis using tools like Wireshark.

• How much memory is allocated for packet capture?

The amount of memory allocated for packet capture depends on the model and configuration of the Juniper SRX device. You can check the available memory and adjust the capture settings accordingly to avoid running out of memory during capture.

• Can I capture packets for a specific duration?

Yes, you can specify the duration for which you want to capture packets using the duration option with the monitor traffic command. This allows you to capture packets for a specific period, which is useful for troubleshooting intermittent network issues.

• Is it possible to capture packets on multiple interfaces simultaneously?

Yes, you can capture packets on multiple interfaces simultaneously by running multiple packet capture sessions concurrently. This is useful for analyzing traffic between different network segments or troubleshooting complex network configurations.

• Are there any performance impacts of packet capture on Juniper SRX devices?

Performing packet capture on Juniper SRX devices may have some performance impact, especially if capturing a large volume of traffic or applying complex filters. It’s recommended to use packet capture judiciously and only when necessary to minimize any potential performance degradation.

• Can I automate packet capture tasks on Juniper SRX devices?

Yes, you can automate packet capture tasks on Juniper SRX devices using scripting or automation tools that interact with the device’s CLI interface. This allows you to schedule packet captures, retrieve captured packets, and perform analysis programmatically.

• Are there any security considerations when capturing packets on Juniper SRX devices?

When capturing packets on Juniper SRX devices, it’s important to ensure that sensitive information such as passwords or personally identifiable information (PII) is not captured unintentionally. Additionally, restrict access to packet capture functionality to authorized personnel to prevent misuse or unauthorized access to network traffic.

Continue Reading:

How to configure SSL Forward Proxy on SRX?

Understanding Juniper SRX Modes

Today we look more in detail about how to configure the Secure socket layer, i.e. SSL forward proxy on SRX firewall.

Configure SSL Forward Proxy on SRX

Below figure depicts how SSL forward proxy works on payload which is encrypted. With Application firewall (AppFW) is configured SSL forward proxy acts as SSL server to terminate SSL session from end client and start new SSL session.

To configure SSL forward proxy a list of steps to be taken:

• Root CA certificate configuration
• Load CA profile group
• Associate root CA certificate and CA profile group while configuring SSL proxy profile 
• Security policy creation by defining input traffic match criteria
• Application of SSL proxy profile to security policy
• Creation of allowlists and SSL proxy logging (optional steps)

Root Certificate Configuration

Obtain root CA certificate using Junos OS CLI. Generation of a PKI public/private key pair (local digital certificate) 

FW1@host1>request security pki generate-key-pair certificate-id certificate-id size size type type

Following combinations could be selected 

1024 bits, 2048, 4096 (RSA / DSA only) 

256 bits, 384, 521 (ECDSA only)

FW1@host1> request security pki generate-key-pair certificate-id SECURITY-cert size 4096 type rsa

FW1@host1> request security pki generate-key-pair certificate-id SECURITY-cert size 256 type ecdsa

Define self-certificate

FW1@host1> request security pki local-certificate generate-self-signed certificate-id certificate-id domain-name domain-name subject subject email email-id add-ca-constraint

Load CA profile group

In configuration mode apply loaded certificate to SSL proxy profile

FW1@host1> set services ssl proxy profile profile-name root-ca certificate-id

Import root CA as trusted CA for web servers.

Configure CA profile group

CA profile establishes the certificate information in authentication. Obtain a list of trusted CA certificates by loading group of CA profiles and attach the CA group to SSL proxy profile. 

FW1@host1> request security pki ca-certificate ca-profile-group load ca-group-name group-name filename default 

The dynamic updates of default trusted certificates are supported by SRX. To load a trusted list to the device used.

FW1@host1> request security pki ca-certificate ca-profile-group load ca-group-name group-name filename /var/tmp/IE-all.pem

Now attach trusted CA or trusted CA group with SSL proxy profile

FW1@host1> set services ssl proxy profile profile-name trusted-ca all 

Import root CA into web browser 

To import root CA certificate 

Generate PEM format file 

FW1@host1> request security pki local-certificate export certificate-id root-ca type pem filename path/filename.pem

Application of SSL proxy profile to security policy

SSL proxy is enabled within security policy as an application service. Create a security policy and mention match criteria for policy.  

FW1@host1> set security policies from-zone trust to-zone untrust policy policy-name match source-address source-address

FW1@host1> set security policies from-zone trust to-zone untrust policy policy-name match destination-address destination-address

FW1@host1> set security policies from-zone trust to-zone untrust policy policy-name match application application

SSL proxy logging configuration

While configuring SSL proxy logging, you can configure partial or full options. SSL proxy logs contain logical system name, SSL proxy allow-lists, information about policy, information about SSL proxy to troubleshoot issues. All or specific events can be configured. 

FW1@host1> set services ssl proxy profile profile-name actions log all

FW1/@host1> set services ssl proxy profile profile-name actions log errors

We can use enable-flow-tracing option for enablement of debug tracing 

Continue Reading:

How to configure Juniper SRX Firewall? Step by Step Guide

How To Configure Juniper SRX Security Policy?

If you want to learn more about Juniper SRX Firewall, then please check our e-book on interview questions and answers related to Juniper SRX Firewall.

Today we look more in detail about Juniper SRX next generation firewalls mode of traffic processing, how traffic processing happens in those modes and its characteristics. 

Traffic Processing in Juniper SRX 

Traffic which enters and exits from firewall is processed as per configured features such as screens, packet filters and security policies. Packets entering or exiting the device have both packet based and flow-based processing.

Flow-Based Processing 

Packets undergo flow-based processing post packet-based filters and some screens applied before. All flow-based processing happens on a single flow on a single service processing unit (SPU). SPU processes flow of packets according to security features and services configured in. 

A flow comprises a stream of packets which are related and meet a matching criteria and share characteristics. Flow based processing or stateful processing performs creation of sessions. Session is created for first packet in flow for the purposes: 

• To store security measures applies to flow of packets
• Caching information about state of flow 
• Allocation of resources for features of flow such as NAT
• Framework for features such as firewall features and ALGs

Processing happens in the context of flow including 

• Policies, NAT, zones management 
• Authentication and AIGs management 

Packet-Based Processing 

Packet-based processing happens when it is removed from the queue from the input interface and before putting back on the queue for its output interface. Packet based flow processing applies stateless filters, CoS features and screens having discrete packets. On receiving packets at an interface, sanity check, packet-based filter, CoS features and some screens it is applied to.

While a packet leaves the device at an interface, sanity check, packet-based filter, CoS features and some screens it is applied to.

Packet filters and CoS features are associated with interface or interfaces impacting packets are allowed to transit system and apply special actions.

Packets which enter and exit the firewall perform packet-based processing. Stateless or packet based, packets are treated discreetly. Each packet is analysed individually. Stateless packet-based forwarding happens without regard to flow or state information on a packet-to-packet basis.

When a packet enters devices, classifiers, filters, and policies apply. The egress interface of the packet is identified via a route lookup. When the egress interface is identified for the packet, filters are applied and the packet is sent to the egress interface for queuing and scheduling happens for transmission. Packet based forwarding does not need information of previous or subsequent packets which belong to a given connection and packet specific allow or deny of traffic happens. 

Comparison: Packet-based and Flow-based Processing Modes

Below is the comparison between packet-based and flow-based processing modes in Juniper SRX firewalls:

Download the comparison table: Packet-based vs Flow-based Processing Modes

Final Words

In summary, packet-based processing mode handles each packet individually, while flow-based processing mode aggregates packets into flows and processes them accordingly. Flow-based processing offers better performance and efficiency, especially in high-traffic environments, by reducing resource consumption through flow optimization. However, packet-based processing may be more suitable for environments with lower traffic volumes or specific security requirements.

Continue Reading:

How To Configure Juniper SRX Security Policy?

How to configure Juniper SRX Firewall? Step by Step Guide

Today we look more in detail about how to configure Juniper SRX security policy, understand security policy elements, rules etc.

Juniper SRX Security Policy Elements

A security policy is nothing but a set of statements to control traffic flowing from one specific source to a specific destination while using a specific service. Policies permit, deny, or perform tunnelling specific traffic type in between two points unidirectionally. 

Each policy comprises of :

• Unique name to policy
• From-zone to to-zone such as user@myhost#set policies from-zone untrust to-zone untrust
• Matching criteria to define conditions which must be met to apply the rule which could be based on IP address source or destination, and applications. 
• Set of actions to be performed based on match status – permit , deny or reject
• Accounting and auditing such as count, logs, and system logging in structured way

Juniper SRX Security Policy Rules

Security policies apply security rules to transit traffic and each policy is uniquely identified. Each policy has a set of characteristics: 

• Source zone
• Destination zone
• One-many source address name or address name sets
• One-many destination address name or address name sets
• One-many application names or application name sets

The rule characteristics are match criteria. Every policy has an action linked with it: permit, deny, reject, count, log, and VPN tunnel. Using wildcards policy can be configured with IPv4 or IPv6 addresses. When flow support is not enabled then all matches happen with IPv4. Flow based forwarding based on IPv6 is enabled using set security forwarding-options family inet6 mode flow-based command.

With IPv6 traffic enablement, the maximum number of IPv4 and IPv6 addresses which are configurable in security policy is based on match criteria. IPv6 requires four times more memory space than IPv4.

Number_of_src_IPv4_addresses  + number_of_src_IPv6_addresses * 4 <1024

Number_of_dst_IPv4_addresses  + number_of_dst_IPv6_addresses * 4 <1024

Security Policy Configuration 

To create a security policy following steps are required we will use a scenario to define steps to configure security policy on firewall

P1: allow http

P2: allow telnet

P3: allow icmp 

P4: explicit deny-all ; log and count 

Juniper SRX is connected with IP subnet 172.168.1.0 to outgoing zone through G0 Ethernet and connected to incoming zone with G1 Ethernet and IP subnet 172.168.10.0 

Policies are configured from incoming-zone to outgoing-zone 

[edit]

FW1# show | compare 

[edit security policies]

     from-zone outgoing to-zone junos_fw-host { … }

    from-zone incoming to-zone outgoing {

        policy ALLOW-WEB {

            match {

                source-address NET_172_168_10_0__24;

                destination-address any;

                application junos_fw-http;

            }

            then {

                permit;

                log {

                    session-init;

                    session-close;

                }

                count;

            }

        }

        policy ALLOW-TELNET {

            match {

                source-address NET_172_168_10_0__24;

                destination-address any;

                application junos_fw-telnet;

            }

            then {

                permit;

                log {

                    session-init;

                    session-close;

                }

                count;

            }

        }

        policy ALLOW-ICMP {

            match {

                source-address NET_172_168_10_0__24;

                destination-address any;

                application junos_fw-icmp-all;

            }                          

            then {                     

                permit;                

                log {                  

                    session-init;      

                }                      

                count;                 

            }                          

        }                              

        policy DENY-ALL {              

            match {                    

                source-address any;    

                destination-address any;

!

P1: allow http

set security policies from-zone incoming to-zone outgoing policy ALLOW-WEB match source-address NET_172_168_10_0__24

set security policies from-zone incoming to-zone outgoing policy ALLOW-WEB match destination-address any

set security policies from-zone incoming to-zone outgoing policy ALLOW-WEB match application junos-http

set security policies from-zone incoming to-zone outgoing policy ALLOW-WEB then ALLOW

set security policies from-zone incoming to-zone outgoing policy ALLOW-WEB then log session-init

set security policies from-zone incoming to-zone outgoing policy ALLOW-WEB then log session-close

set security policies from-zone incoming to-zone outgoing policy ALLOW-WEB then count

!

P2: allow telnet

set security policies from-zone incoming to-zone outgoing policy ALLOW-TELNET match source-address NET_172_168_10_0__24

set security policies from-zone incoming to-zone outgoing policy ALLOW-TELNET match destination-address any

set security policies from-zone incoming to-zone outgoing policy ALLOW-TELNET match application junos-telnet

set security policies from-zone incoming to-zone outgoing policy ALLOW-TELNET then permit

set security policies from-zone incoming to-zone outgoing policy ALLOW-TELNET then log session-init

set security policies from-zone incoming to-zone outgoing policy ALLOW-TELNET then log session-close

set security policies from-zone incoming to-zone outgoing policy ALLOW-TELNET then count

!

P3: allow icmp 

set security policies from-zone incoming to-zone outgoing policy ALLOW-ICMP match source-address NET_192_168_10_0__24

set security policies from-zone incoming to-zone outgoing policy ALLOW-ICMP match destination-address any

set security policies from-zone incoming to-zone outgoing policy ALLOW-ICMP match application junos-icmp-all

set security policies from-zone incoming to-zone outgoing policy ALLOW-ICMP then permit

set security policies from-zone incoming to-zone outgoing policy ALLOW-ICMP then log session-init

set security policies from-zone incoming to-zone outgoing policy ALLOW-ICMP then count

!

P4: explicit deny-all ; log and count 

set security policies from-zone incoming to-zone outgoing policy DENY-ALL match source-address any

set security policies from-zone incoming to-zone outgoing policy DENY-ALL match destination-address any

set security policies from-zone incoming to-zone outgoing policy DENY-ALL match application any

set security policies from-zone incoming to-zone outgoing policy DENY-ALL then reject

set security policies from-zone incoming to-zone outgoing policy DENY-ALL then log session-init

set security policies from-zone incoming to-zone outgoing policy DENY-ALL then count

set security policies pre-id-default-policy then log session-close

Continue Reading:

Palo Alto Security Profiles and Security Policies

Checkpoint Firewall Policy: Rules & Configuration

Today we look more in detail about Juniper SRX Next generation firewalls, a true service gateway firewall and understand how to configure them. 

Steps to Configure Juniper SRX Firewall

In this topic we are covering how to configure NGFW and set up a new SRX device to connect to the Internet. 

When we login to a new SRX box there is no password for root.

1. Press enter.

login: root

Password:

— JUNOS 12.1X47-D20.7 built 2017-03-03 21:53:50 UTC

root@%

2. Use CLI to enter Operational mode

root@% cli

root>

3. Use configure command to enter configuration mode

root> configure

Entering configuration mode

[edit]

root#

Now we will configure Juniper SRX as gateway. Use commit command to apply as active configuration

4. Configuring root password

root# set system root-authentication plain-text-password

New password:

Retype new password:

[edit]

root#

5. Create new user 

[edit]

root# set system login user mad1 class super-user authentication plain-text-password

New password:

Retype new password:

6. Provide host name

[edit]

root# set system host-name letsconfig-SRX

[edit]

root# commit

commit complete

[edit]

root@letsconfig-SRX#

8. DNS server setup on Juniper SRX

[edit]

root@letsconfig-SRX# set system name-server 8.8.8.8

9. Enable SSH on SRX 

[edit]

root@letsconfig-SRX# set system services ssh

10. Setup NTP and time zone

[edit]

root@letsconfig-SRX#set system time-zone Asia/India

[edit]

root@letsconfig-SRX# set system ntp server time.google.com

11. Assign IP address

set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.100/24

set interfaces ge-0/0/2 unit 0 family inet address 10.1.1.1/24

*Family inet means IPv4 and inet6 means IPv6

12. Establish zone configuration

user@hostj#set security zones security-zone un-trust interfaces ge-0/0/1.0

user@hostj#set security zones security-zone un-trust host-inbound-traffic system-services all

user@hostj#set security zones security-zone un-trust host-inbound-traffic protocols all

user@hostj#set security zones security-zone trust1 interfaces ge-0/0/2.0

user@hostj#set security zones security-zone trust1 host-inbound-traffic system-services all

user@hostj#set security zones security-zone trust1 host-inbound-traffic protocols all

13. Establish security policy for zone

edit security policies from-zone trust1 to-zone un-trust policy our-internet-policy

            set match source-address any

            set match destination-address any

            set match application any

            set then permit

            exit

edit security policies from-zone un-trust to-zone trust1 policy our-deny-policy 

            set match source-address any

            set match destination-address any

            set match application any

            set then deny

            exit

commit

** everything is allowed in the outgoing path and deny everything in the incoming path.

14. Configure static route as routing protocol

set routing-options static route 0.0.0.0/0 next-hop 192.168.3.1

15. NAT/PAT configuration

set security nat source rule-set ourr-nat-rule-set from zone trust

set security nat source rule-set ourr-nat-rule-set to zone untrust

set security nat source rule-set ourr-nat-rule-set rule ourr-nat-rule match source-address 10.1.1.1/24

set security nat source rule-set ourr-nat-rule-set rule ourr-nat-rule match destination-address 0.0.0.0/0

set security nat source rule-set ourr-nat-rule-set rule ourr-nat-rule then source-nat interface

16. Enable Intrusion detection prevention(IDP) in SRX firewall

set security idp idp-policy recommended

set security idp idp-policy idpengine

17. Configuring one of the IDP policy as default policy

set security idp default-policy recommended

18. Check to confirm if default policy configured on device

show security idp default-policy

Continue Reading:

Introduction to Juniper SRX Firewall

NAT vs PAT: IP Address Translation Explained

Today we look more in detail about the next generation firewall (NGFW) from Juniper, i.e., Juniper SRX, its architecture, working and how it protects against advanced threat landscape. 

What is a Juniper SRX Firewall?

The early predecessors of SRX firewalls were ScreenOS products. First time introduced the concept of split OS and firewall software hence providing flexibility to choose the underlying OS it was comfortable with. Juniper SRX series is a next generation shift from ScreenOS platform built to provide scalable services. Service is an action or set of actions which are applied to network traffic such as stateful inspection and intrusion prevention (Referred here as service).

SRX firewall provides services on passing traffic which is scalable as well. Scaling provides an appropriate level of processing based on workload requirements. Placement of firewalls at data center and branch further have different sets of scalability requirements hence Juniper SRX series comes under two product lines – the branch SRX series and data center SRX series. 

Juniper SRX (NGFW) Architecture

The network generation firewall architecture provides security services for remote sites, WAN connectivity. While using SRX device on premises site as a standalone NGFW the WAN routing functions are taken care of by SRX device itself. This architecture allows SRX device to perform all in-built security functions such as firewall and network address translation along with visibility to LANs which exist on spoke sites. Figure 1 shows SRX device connectivity to both onsite LAN and WAN.

SRX series devices can be used as standalone firewalls managed by Contrail Service Orchestration (CSO) which supports SRX 300+, SRX500+, SRX1500, SRX4100+ and vSRX series. NGFW provides multiple functionalities as mentioned under.

• WAN connectivity for sites – Provisioned NGFW for tenant allows any site belonging to that tenant to use NGFW device as its WAN link back to CSO.
• Automatic LAN connectivity – NGFW built in DHCP provide addressing capabilities for connected LAN
• Custom application signatures in firewall policies – In addition to support for existing SD-WAN policies CSO also supports custom application signatures in firewall policies
• Customized IPS signatures, static and dynamic groups – creation, modification, or deletion of customized intrusion prevention system (IPS) signatures, IPS signatures static and dynamic grouping. Cloning predefined or customized IPS signatures, groups (static and dynamic) 
• Policy configuration import – Import of policy configurations from NGFW devices are supported. 

Related: IPS vs IDS vs Firewall

SRX (NGFW) Security Features 

The security device integrates network security and routing capabilities. Traffic which enters and exits a security device is processed as per configured features such as packet filtering, security policies, and screens. Software can determine if:

• Packet is allowed onto device
• Firewall screen applies to packet
• Which route to be taken by packet to reach its destination
• If need to apply NAT to translate packet IP address
• Does packet require an application layer gateway (ALG)

SRX supports next generation firewall protection having application aware security services, intrusion detection and prevention, role-based user firewall, unified threat management (UTM).

Let’s look at some of the security features more in detail.

Firewall User Authentication – additional layer of security by restricting or permitting individual users or groups. 

Intrusion Prevention – enable selective enforcement of various attack detection and prevention mechanisms on network traffic passing through the IDP enabled firewall. 

AppSecure – AppSecure detects behaviour of application and weaknesses which prevent application borne security threats detection and prevention though. Provides greater visibility of application. Stopping users from visiting inappropriate sites or downloading malware , traffic prioritization based on application type and bandwidth requirement, encryption and decryption using SSL-Proxy. 

Unified Threat Management (UTM) – capability to protect against spam, viruses, worms, spyware, trojans and malware, content filtering to provide basic data loss prevention capability. 

Continue Reading:

Introduction to Sophos UTM Firewall

NGFW: What is a Next Generation Firewall?