Configuring Service-Offload on the Juniper SRX

Service Offload Configuration Commands 1. First configure the FPC/PIC (I believe on the SRX1400 if the NP-IOC is in slot 2 it would be FPC2 PIC0 but you can confirm) 2. Then setup a policy from zone x to zone y to allow whatever addressing/protocol and permit services-offload feature for that traffic 3. Then confirm … Read more

Juniper SRX – How to Create a ReadOnly Account

Within this article we will provide the necessary commands required to create a read-only account on a Juniper SRX. Within our example a user is created with the following attributes: a user with the username ‘user1’, ONLY allowed to use the show command; SNMP configuration is REMOVED from the configuration output; the policy-options and … Read more

Configuring IPv6 on a Juniper SRX

Within this article we will provide the steps required to enable IPv6 on a Juniper SRX device. IPv6 Forwarding First of all we enable IPv6 forwarding. Once this is added you will need to reboot the device. set security forwarding-options family inet6 mode flow-based You can confirm that IPv6 forwarding is enabled once the device … Read more

Mitigating Network Attacks on the Juniper SRX

The Juniper SRX provides an extensive set of options to block and prevent both internal and external network attacks. Within this article we will look at the various options and settings to block: Sweeps – Horizontal scans, i.e. scans across an IP range. Port Scans – Vertical scans, i.e. scans across multiple ports on … Read more

Juniper SRX – High Availability (Active / Passive Simple)

The Juniper SRX offers 4 types of High Availability (HA) deployment: Active/Passive Simple, Active/Passive Full Mesh, Active/Active Deployment, and Active/Passive Transparent Mode. Within this article we will look at Active/Passive Simple on an SRX 240 series device. Summary Active/Passive is the most common type of HA deployment and consists of 2 firewall members. Whilst one node … Read more

Juniper SRX – How do I configure LACP (802.3ad) ?

IEEE 802.3ad (LACP) is a technology that provides a method of aggregating multiple Ethernet links into a single logical channel. Configuration To configure LACP the following commands are used. This example aggregates the interfaces fe-0/0/3 and fe-0/0/4 into a logical interface named ‘ae1’. This logical interface is then configured as an access port and assigned … Read more

Juniper SRX – How to configure a trunk/access port

On the SRX Branch Series each interface can be configured as either layer 2 or layer 3. These are shown below : Routed Ports – Layer 3 (inet) Bridge – Layer 2 (only used for transparent mode) Ethernet-switching – Layer 2 (switchport) Within this article we will look at how to configure a trunk and … Read more

Cisco ASA & Juniper Netscreen VPN Overlapping Encryption Domains

Purpose The purpose of this article is to describe the various steps required to create a site to site VPN between a Cisco ASA and a Juniper Netscreen when both sides have overlapping subnets. Example Within this example each side will have an endpoint of 192.168.10.0/24. Because of this both sides will present their endpoint … Read more

Juniper SRX – The Static NAT / Policy based VPN Problem

Purpose The purpose of this document is to explain the issues and problems surrounding the use of static NAT when using policy based VPN on a Juniper SRX Firewall. Background The issue, when using static NAT with a policy based VPN, centres around how NAT is processed by the SRX, in that the Proxy IDs … Read more

Juniper SRX Commands

Below shows some of the main Juniper SRX commands available. All commands are provided with the necessary mode in which they should be run from. Configuration Commands replace pattern expr1 with expr # configuration mode find and replace string within configuration show | compare rollback {1..5} # configuration mode compare the current configuration against roll … Read more

Juniper SRX – Site to Site VPN using a Dynamic IP address

Within this article we will look at the commands required for configuring a Site to Site VPN when one peer is using a dynamic IP address. Note : This article does not include the VPN configuration in its entirety only the additional/amended commands required for this scenario. There are 3 configuration settings that are defined. … Read more

Juniper SRX – How to configure a policy based VPN

Below shows the necessary steps/commands to create a policy based VPN on a Juniper SRX series gateway. The main difference with a policy based VPN is that the tunnel action is defined within each security policy. Note : For troubleshooting steps please see here This VPN is configured with the following : Remote Endpoint : … Read more

Juniper SRX – NAT

The Juniper SRX offers 3 main types of NAT. These are source, destination and static. In this article we will be providing explanations and configuration examples for each. Source NAT As the name suggests source NAT translates the source IP address. There are 2 main types of source NAT these are: Interface NAT – Traffic … Read more

Juniper SRX – How to configure a route based VPN

Below shows the necessary steps/commands to create a route based VPN on a Juniper SRX series gateway. The main difference with a route based VPN is that a tunnel interface is created and assigned to your external interface. Any traffic that you wish to encrypt is routed to this tunnel interface. Access to and from … Read more

Juniper SRX – Dynamic VPN

Within this tutorial we will be showing you how to configure Remote Access VPN (Dynamic VPN) on the Juniper SRX. IKE Configure Aggressive Mode set security ike policy ike-dyn-vpn-policy mode aggressive set security ike policy ike-dyn-vpn-policy proposal-set standard Define Preshared Key set security ike policy ike-dyn-vpn-policy pre-shared-key ascii-text <PRE-SHARED KEY> Configure the IKE Gateway Here … Read more

How do I upgrade a Juniper SRX Series gateway

Within this tutorial we will be providing the steps required to upgrade your Juniper SRX firewall. Copy Image First of all we copy the image over to the SRX via the use of scp. In this case I have used PuTTY’s pscp. C:\Windows\System32>pscp “C:\Users\admin\Downloads\junos-srxsme-11.4R1.6-domestic.tgz” root@[SRX IP]:/mfs Confirm Hash Next we confirm that the file is … Read more

Juniper SRX – Configuring Source NAT with pool

Below provides a short guide to configuring source NAT with an address pool on a Juniper SRX. The following example creates a pool with a 10.1.1.0/24 network. This pool of addresses is then used during the translation of source addresses. In addition to the pool we also configure the following options: set address-persistent – this … Read more

Running a packet capture on a Juniper SRX

Within this article we show you the required steps for obtaining a packet capture on your SRX series firewall. Note : Great care should be taken when applying captures to ensure that only the traffic that you want to capture is defined within the firewall filter. This is to prevent any unnecessary load being placed … Read more

How to define a port range on a Juniper SRX

To create a range of ports within the SRX the following command is used. This example creates an application object named UDP-PORT-RANGE with a UDP port range of 5000-6999. set applications application UDP-PORT-RANGE protocol udp destination-port 5000-6999 Once created you can then add this to a group. This group can then be added to the necessary … Read more

Juniper SRX – Configuring PPPoE

Within this article the necessary steps required to configure PPPoE on the SRX platform are described. Note : This configuration is based upon a) the chap authentication method b) the outside/untrust interface being fe-0/0/7.0. Configuration Below shows the required configuration for PPPoE. set interfaces fe-0/0/7 unit 0 encapsulation ppp-over-ether set interfaces pp0 unit 0 ppp-options … Read more

Juniper SRX – DynDNS

As it stands Juniper SRX (version 11.1R1.10) only provides support for DynDNS (DDNS) via the use of an automation script. Configuration This script can be downloaded here. Once you have downloaded the script, transfer it to the SRX directory /var/db/scripts/event/. Finally configure your SRX via the following commands : set system services apply-macro dyndns-client1 hostname XXX.dyndns.org set … Read more

Troubleshooting a Site to Site VPN on a SRX Series Gateway

Within this article we will look at the various steps required in debugging a Site to Site VPN on an SRX series gateway. 1. Confirm Configuration First of all check the VPN configuration. This is also useful if and when you need to confirm the Phase 1 and Phase 2 parameters with the remote end. … Read more

SRX Dynamic VPN – No proposal chosen (14)

Issue When trying to connect via Dynamic VPN your client displays the following error: IKE Negotiations Failed Within the output of the IKE debug logs you see the following error: Jul 26 11:35:46 ike_st_i_n: Start, doi = 1, protocol = 1, code = No proposal chosen (14), spi[0..0] = 00000000 00000000 …, data[0..0] … Read more

Configure Global Explicit Deny on a SRX Series Gateway

To configure a global deny statement for all your policy entries the following commands are used. set groups global-policy security policies from-zone <*> to-zone <*> policy default-logdrop match source-address any set groups global-policy security policies from-zone <*> to-zone <*> policy default-logdrop match destination-address any set groups global-policy security policies from-zone <*> to-zone <*> policy default-logdrop … Read more

How do I enable Global Logging on a Juniper SRX ?

Below details the necessary commands required to enable global logging on all security policies. set groups global-logging security policies from-zone <*> to-zone <*> policy <*> then log session-init set security policies apply-groups global-logging

How do I configure PMTU on a Juniper SRX series gateway ?

By default IPv4 Path MTU is enabled. However, all PMTU options can be located under [set system internet-options ...].
root@srx100# set system internet-options ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don’t inherit configuration data from these groups
  gre-path-mtu-discovery  Enable path MTU discovery for GRE tunnels
> icmpv4-rate-limit    Rate-limiting parameters for ICMPv4 messages
> … Read more

Juniper SRX – Securing Management Access

Within this article we will show the required commands to restrict and secure management access to your Juniper SRX series gateway. Note : The following syntax/configuration has been tested with a PPPoE setup. Configure Addresses First of all the addresses that are allowed management access to the device are configured. This also includes any DNS … Read more

Juniper SRX – How to configure NTP

Below provides the basic commands for configuring the date, time and NTP on your Juniper SRX gateway.
Configure the Time Zone
set system time-zone Europe/London
Configure NTP
set system ntp server 0.uk.pool.ntp.org prefer
set system ntp server 1.uk.pool.ntp.org
set system ntp server 2.uk.pool.ntp.org
Set the Time/Date
set date ntp 0.uk.pool.ntp.org
Confirm
user@switch> show ntp status
status=0644 leap_none, sync_ntp, 4 … Read more

Juniper SRX – Destination NAT / Port Forwarding

Within this article destination NAT is configured to port forward traffic through to multiple servers based upon the destination port. This type of NAT configuration is equivalent to a ScreenOS VIP. This example syntax is based upon the following setup : 172.16.1.2:2222 –> 192.168.1.5:22 and 172.16.1.2:3389 –> 192.168.1.6:3389 Configure Address Book First the real addresses … Read more

SRX VPN Issue: packet dropped, pak dropped since re-route failed

Issue VPN fails to route traffic through to the tunnel interface when using Route Based VPN on an SRX platform. The following is observed : Both Phase 1 and Phase 2 are successfully establishing. Traffic is being received inbound from the Remote Peer and decrypted successfully. Multiple VPN policies are assigned to a single tunnel … Read more

Netscreen Traffic Reporting

Traffic reporting on the Juniper Netscreen can be achieved via a number of methods. Various tools and features are available such as the Netscreen Security Manager (NSM), 3rd Party applications along with numerous reporting features on the device itself. This article will look at how to create traffic reports by using just 1. a Netscreen … Read more

Netscreen IPv6 Tunnel Guide

Below shows you the steps on how to configure a tunnel that will encapsulate your IPv6 traffic within an IPv4 tunnel. Please Note : Below uses the Zone Work which is the equivalent to Trust and contains eth1. Ethernet3 is the untrust interface. Enable IPv6 Add the following command and then reboot your device, set … Read more

The Netscreen Proxy ID problem

A proxy-ID is used during phase 2 of Internet Key Exchange (IKE) Virtual Private Network (VPN) negotiations. Both ends of a VPN tunnel either have a proxy-ID manually configured (route-based VPN), or simply use a combination of source IP, destination IP and service in a tunnel policy. When phase 2 of IKE is negotiated, each … Read more

IE6 with Passive FTP: File download fails via Netscreen

You may find when trying to download a file from your FTP server using Internet Explorer 6 with “Folder View Enabled” when using Passive FTP the file download transfer will fail after a short time period. This can be down to Internet Explorer sending TCP packets with sequence numbers which are outside that of the … Read more

NSM fails to update device but shows successful

Issue When updating a Device from the NSM the Job Information dialog shows as successful. The Device Status shows as “In Sync” but the device does not show the new configuration, and an additional Delta Config Summarization shows that the NSM configuration is different to that of the device. Cause ScreenOS has a source/destination object … Read more

Creating a VLAN Trunk on a Netscreen Firewall

Below shows you the basic configuration on how to create a VLAN trunk on a Netscreen Firewall. A VLAN trunk is a term used to describe a collection of logical interfaces, each one being able to receive and de-capsulate VLAN tagged packets for its relevant VLAN. In this example our trunk will consist of 2 … Read more

How to reset a Netscreen back to factory default

In order to reset a Netscreen back to factory default you will need to first connect via the console connection. This is because you will lose IP connectivity once you reset the device’s configuration. You will then need to obtain the device’s serial number from either the device itself or the CLI, netscreen-> … Read more

Troubleshooting a Netscreen Site 2 Site VPN

In this example we will run through various steps to troubleshoot a Site 2 Site VPN. Confirm General Details This will give us a general overview of our VPN.
netscreen(M)-> get vpn
Name            Gateway         Mode RPlay 1st Proposal         Monitor Use Cnt Interface
--------------- --------------- ---- ----- -------------------- ------- ------- ----------
sitea_vpn       sitea           tunl Yes   g2-esp-3des-sha      … Read more

Netscreen Command Library for ScreenOS 6.2

Below is the list of all the commands (including the hidden commands) from a Netscreen NS5GT running ScreenOS 6.2. set fips-mode enable set fips-mode self-test afterkeygen set fips-mode self-test interval set key protection enable set all set vendor-def set envar set clock dst-off set clock dst recurring start-weekday last end-weekday last set clock dst recurring … Read more

Netscreen – Enabling OSPF

The Open Shortest Path First (OSPF) routing protocol is an Interior Gateway Protocol (IGP) intended to operate within a single Autonomous System (AS). A router running OSPF distributes its state information (such as usable interfaces and neighbor reachability) by periodically flooding link-state advertisements (LSAs) throughout the AS. Enabling OSPF on a VR set vrouter trust-vr router-id … Read more

Enabling RIP on a Netscreen

Routing Information Protocol (RIP) is a distance vector protocol used as an Interior Gateway Protocol (IGP) in moderate-sized autonomous systems (AS). Enabling RIP on a VR and an Interface set vrouter trust-vr router-id 10 set vrouter trust-vr protocol rip set vrouter trust-vr protocol rip enable set interface trust protocol rip enable Advertise the default route set … Read more

Netscreen – AC-VPN

AC-VPN Auto-connect VPN works with a hub and spoke setup. Once static VPNs have been configured between all the spokes and the hubs, AC-VPN and NHRP (Next Hop Routing Protocol) are configured on each spoke and the hub. When traffic is initiated between 2 spokes the traffic is passed via the hub while a dynamic tunnel … Read more

Netscreen – VPN Topologies

Back to Back VPNs Back to Back VPNs allow you to create a tunnel for each spoke to the hub. The hub will then have a policy to allow traffic from one tunnel to the next. You can either place each tunnel within its own zone and create a policy between each of the zones. … Read more

Netscreen `set arp always-on-dest` command

By default, Netscreen (ScreenOS versions 6.0.0 or below) will cache the source MAC address from the initial packet for a new session. It will then use this MAC address for the return traffic. This can cause problems with external routers running VRRP where traffic is sent using a Virtual IP but a physical MAC address … Read more

Netscreen – Overview of basic Traffic Shaping

There are 3 main types of traffic shaping on the Netscreen firewalls: Interface Based traffic shaping. Bandwidth allocated shaping in policies. Priority based traffic shaping in policies. Policy Based Policing Bandwidth: Traffic beyond this threshold is dropped at the ingress side of the security device. Guaranteed Bandwidth: Traffic below this threshold will be passed with highest … Read more

Netscreen – IGMP / PIM-SM

Internet Group Management Protocol (IGMP) is a communication protocol that multicasts messages and information among all member devices in an IP multicast group. Traffic is sent to a single MAC address but is forwarded out (via the local multicast router) to multiple hosts via multicast. It can be effectively used for gaming and showing online … Read more

Netscreen – Redundant Interfaces – How to?

How to Configure a Redundant Interface Below shows you how to configure redundant interfaces on a Netscreen firewall. In the example below all traffic will be passed over eth1, and in the event of the link failing traffic will be sent across eth2. ns5gt-> set interface redundant1 zone inside ns5gt-> set interface redundant1 ip 10.1.1.20/24 … Read more

Netscreen – Virtual Systems / VSYS

Virtual systems allow you to divide your Netscreen firewall into multiple logical firewalls (domains). Each VSYS (Virtual System) has 3 components which can be shared. Once shared they are available to other systems, virtual systems or root. The components are: Virtual Routers Zones Network Interfaces (Shared) How Virtual Systems work There are 3 ways in which … Read more

Netscreen – NSRP

HA Setups There are 3 main types of HA setup: Active / Passive – All traffic passes through the active node. In the event of failure the backup firewall is activated, and traffic flow is resumed. Active / Active – Both Firewalls share the network load. In the event of failure all traffic is … Read more

Netscreen – Rekeying a VPN / Clearing the SA`s

In order to rekey a Netscreen VPN you will need to either clear the phase 1 or phase 2 “keys” from the gateway, phase 1 being the IKE cookies and phase 2 being the SAs (Security Associations). To see an overview of your VPNs run the command `get vpn`. In order to find the current … Read more
