The Juniper Genius portal got deprecated and was migrated to the Juniper Learning portal last February 26, 2021. The Juniper Learning portal is where you can access free Juniper Networks online training (self-paced) and get the exam voucher for JNCIA exams.
I used the Juniper Network's Day One Book for the SRX series and Pluralsight videos by Sean Wilkins to prepare for my JNCIA-SEC (JN0-203) exam. I recently got JNCIA-SEC certified and below are my Digital Badge and eCertificate. This can be viewed and downloaded in Juniper CertManager.
I tried to run the Juniper vSRX VM in VirtualBox but it only got stuck with Loading Linux. So I used VMware Workstation instead.
Import the vSRX by clicking File > Open.
Select the vSRX file > click Import.
Click Accept to continue.
Right-click on the vSRX VM > Rename: vSRX-1.
Add another VMnet by going to Edit > Virtual Network Editor.
Click Change
Settings (admin rights needed).
Vmware Workstation has three default VMnet interfaces and types: VMnet0 (Bridged)), VMnet1 (Host-only) and VMnet8 (NAT).
VMware
Workstation can add up to VMnet19.
Edit the vSRX Network Adapters as follows:
Select Network Adapter (first) > Custom: Host-only - This is the vSRX fxp0 (management) interface and will not be used.
Select Network Adapter 2 > Custom: VMnet0 (Bridged to VM host LAN with Internet and other VM) - This is the vSRX ge-0/0/0.0 (Untrust) interface.
Select Network Adapter 3 > Custom: Vmnet1 (Host-only) - This is the vSRX ge-0/0/1.0 (Trust) interface.
Below is my JNCIA-SEC virtual lab topology and the initial vSRX configuration.
root@vSRX-1> show system license
License usage:
Licenses Licenses Licenses Expiry
Feature name used installed needed
Virtual Appliance 1 1 0 54 days
remote-access-ipsec-vpn-client 0 2 0 permanent
Licenses installed:
License identifier: E420588123
License version: 4
Software Serial Number: 20150123
Customer ID: vSRX-JuniperEval
Features:
Virtual Appliance - Virtual Appliance
count-down, Original validity: 60 days
root% cli
root> configure // OR USE edit
Entering configuration mode
The configuration has been changed but not committed
[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:
[edit]
root# set system host-name vSRX-1
[edit]
root# set interfaces ge-0/0/1 unit 0 family inet address 172.16.1.1/24 // LAN INTERFACE IP ADDRESS
[edit]
set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.150/24 // WAN INTERFACE IP ADDRESS
[edit]
root# set routing-options static route 0.0.0.0/0 next-hop 192.168.1.1 // STATIC DEFAULT ROUTE
[edit]
root# set security zones security-zone trust interfaces ge-0/0/1.0 // ASSIGN LAN INTERFACE TO TRUST ZONE
[edit]
root# set security zones security-zone untrust interfaces ge0/0/0.0 // ASSIGN WAN INTERFACE TO TRUST ZONE
[edit]
root# set security policies from-zone trust to-zone untrust policy TRUST-UNTRUST match source-address any destination-address any application any // PERMIT TRUST TO UNTRUST TRAFFIC
[edit]
root# set security policies from-zone trust to-zone untrust policy TRUST-UNTRUST then permit
[edit]
root# set security nat source rule-set SOURCE-NAT-TRUST from zone trust // CONFIGURE SOURCE NAT (PAT)
[edit]
root# set security nat source rule-set SOURCE-NAT-TRUST to zone untrust
[edit]
root# set security nat source rule-set SOURCE-NAT-TRUST rule SOURCE-NAT-TRUST match source-address 172.16.1.0/24 destination-address 0.0.0.0/0
[edit]
root# set security nat source rule-set SOURCE-NAT-TRUST rule SOURCE-NAT-TRUST then source-nat interface
[edit]
root# commit
commit complete
root@vSRX-1# show
## Last changed: 2021-02-20 15:08:19 SGT
version 15.1X49-D80.4;
system {
host-name vSRX-1;
root-authentication {
encrypted-password "$5$h/gVhuqb$nH2lW4/iyVyXnAnvbBg8aLy2b1HZcpqhiTeH/lSFD./"; ## SECRET-DATA
}
services {
ssh {
root-login allow; // ALLOW SSH USING ROOT LOGIN
}
web-management {
https {
system-generated-certificate; // SSL/TLS SELF-SIGN CERT
interface ge-0/0/0.0; // ALLOW HTTPS ON THE UNTRUST INTERFACE
}
}
}
syslog {
user * {
any emergency;
}
file messages {
any any;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
ntp;
}
security {
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
queue-size 2000; ## Warning: 'queue-size' is deprecated
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set SOURCE-NAT-TRUST {
from zone trust;
to zone untrust;
rule SOURCE-NAT-TRUST {
match {
source-address 172.16.1.0/24;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
}
policies {
from-zone trust to-zone trust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone untrust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
policy TRUST-UNTRUST {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
tcp-rst;
interfaces {
ge-0/0/1.0 {
host-inbound-traffic {
system-services { // ALLOW PING AND SSH ON THE TRUST ZONE
ping;
ssh;
}
}
}
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services { // ALLOW PING, SSH AND HTTPS ON UNTRUST ZONE
ping;
ssh;
https;
}
}
}
}
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 192.168.1.150/24; // WAN INTERFACE IP ADDRESS
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 172.16.1.1/24; // LAN INTERFACE IP ADDRESS
}
}
}
fxp0 {
unit 0 {
family inet;
}
}
}
routing-options {
static {
route 0.0.0.0/0 next-hop 192.168.1.1; // STATIC DEFAULT ROUTE
}
}
[edit]
You can use the show security flow session command to view the NAT translations or session table.
root@vSRX-1>
show security flow session
Session ID: 6182, Policy name: self-traffic-policy/1, Timeout: 1798, Valid
In: 192.168.1.100/60869 --> 192.168.1.150/22;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 3235, Bytes: 300546,
Out: 192.168.1.150/22 --> 192.168.1.100/60869;tcp, Conn Tag: 0x0, If: .local..0, Pkts: 2129, Bytes: 317027,
Session ID: 6531, Policy name: default-permit/5, Timeout: 300, Valid
In: 172.16.1.100/49621 --> 117.18.232.240/80;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 27, Bytes: 2922,
Out: 117.18.232.240/80 --> 192.168.1.150/25279;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 54, Bytes: 63424,
Session ID: 6656, Policy name: default-permit/5, Timeout: 288, Valid
In: 172.16.1.100/49659 --> 192.124.249.22/80;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 6, Bytes: 686,
Out: 192.124.249.22/80 --> 192.168.1.150/21793;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 6, Bytes: 4742,
Session ID: 6659, Policy name: default-permit/5, Timeout: 288, Valid
In: 172.16.1.100/49660 --> 192.124.249.41/80;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 6, Bytes: 686,
Out: 192.124.249.41/80 --> 192.168.1.150/24410;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 6, Bytes: 4742,
Session ID: 6709, Policy name: default-permit/5, Timeout: 1800, Valid
In: 172.16.1.100/49680 --> 35.244.245.222/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 12, Bytes: 1814,
Out: 35.244.245.222/443 --> 192.168.1.150/13797;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 15, Bytes: 7046,
Session ID: 6714, Policy name: default-permit/5, Timeout: 2, Valid
In: 172.16.1.100/49684 --> 35.244.245.222/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 9, Bytes: 965,
Out: 35.244.245.222/443 --> 192.168.1.150/26477;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 9, Bytes: 6666,
Session ID: 6744, Policy name: default-permit/5, Timeout: 2, Valid
In: 172.16.1.100/54489 --> 8.8.8.8/53;udp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 65,
Out: 8.8.8.8/53 --> 192.168.1.150/30569;udp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 161,
Session ID: 6746, Policy name: default-permit/5, Timeout: 298, Valid
In: 172.16.1.100/49693 --> 172.217.194.100/80;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 4, Bytes: 403,
Out: 172.217.194.100/80 --> 192.168.1.150/26791;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 3, Bytes: 709,
Session ID: 6747, Policy name: default-permit/5, Timeout: 2, Valid
In: 172.16.1.100/50156 --> 8.8.8.8/53;udp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 71,
Out: 8.8.8.8/53 --> 192.168.1.150/11161;udp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 116,
Session ID: 6748, Policy name: default-permit/5, Timeout: 300, Valid
In: 172.16.1.100/49694 --> 74.125.12.199/80;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 4, Bytes: 536,
Out: 74.125.12.199/80 --> 192.168.1.150/3879;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 4, Bytes: 1364,
Total sessions: 10
You can also specify the source IP 172.16.1.100 (Windows 7 VM) for a more granular output.
root@vSRX-1> show security flow session ?
Possible completions:
<[Enter]> Execute this command
advanced-anti-malware Show advanced-anti-malware sessions
application Application protocol name
application-firewall Show application-firewall sessions
application-firewall-rule-set Show application-firewall session by rule-set
application-traffic-control Show application-traffic-control sessions
application-traffic-control-rule-set Show application-traffic-control session by rule-set
brief Show brief output (default)
conn-tag Session connection tag (0..4294967295)
destination-port Destination port (1..65535)
destination-prefix Destination IP prefix or address
dynamic-application Dynamic application name
dynamic-application-group Dynamic application group name
encrypted Show encrypted traffic
extensive Show detailed output
family Protocol family
idp IDP sessions
interface Name of incoming or outgoing interface
nat Sessions with network address translation
policy-id Policy id value (1..4294967295)
protocol IP protocol number
resource-manager Sessions with resource manager
security-intelligence Show security-intelligence sessions
session-identifier Show session with specified session identifier
source-port Source port (1..65535)
source-prefix Source IP prefix or address
summary Show output summary
tunnel Tunnel sessions
| Pipe through a command
root@vSRX-1> show security flow session source-prefix 172.16.1.100
Session ID: 8357, Policy name: default-permit/5, Timeout: 1794, Valid
In: 172.16.1.100/49900 --> 65.8.158.60/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 17, Bytes: 2109,
Out: 65.8.158.60/443 --> 192.168.1.150/19993;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 28, Bytes: 15164,
Session ID: 8361, Policy name: default-permit/5, Timeout: 1794, Valid
In: 172.16.1.100/49901 --> 172.217.194.148/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 14, Bytes: 2192,
Out: 172.217.194.148/443 --> 192.168.1.150/16600;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 18, Bytes: 6098,
Session ID: 8362, Policy name: default-permit/5, Timeout: 1794, Valid
In: 172.16.1.100/49902 --> 65.8.158.98/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 5, Bytes: 729,
Out: 65.8.158.98/443 --> 192.168.1.150/10951;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 8, Bytes: 7889,
Session ID: 8363, Policy name: default-permit/5, Timeout: 1794, Valid
In: 172.16.1.100/49903 --> 172.217.26.72/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 23, Bytes: 1975,
Out: 172.217.26.72/443 --> 192.168.1.150/31457;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 55, Bytes: 67533,
Session ID: 8364, Policy name: default-permit/5, Timeout: 1794, Valid
In: 172.16.1.100/49904 --> 65.8.158.98/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 5, Bytes: 741,
Out: 65.8.158.98/443 --> 192.168.1.150/18040;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 9, Bytes: 8586,
Session ID: 8366, Policy name: default-permit/5, Timeout: 1794, Valid
In: 172.16.1.100/49905 --> 35.201.125.192/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 10, Bytes: 1469,
Out: 35.201.125.192/443 --> 192.168.1.150/25724;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 10, Bytes: 4166,
Session ID: 8367, Policy name: default-permit/5, Timeout: 1796, Valid
In: 172.16.1.100/49906 --> 67.221.239.62/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 10, Bytes: 1512,
Out: 67.221.239.62/443 --> 192.168.1.150/15099;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 18, Bytes: 11076,
Session ID: 8368, Policy name: default-permit/5, Timeout: 1796, Valid
In: 172.16.1.100/49907 --> 67.221.239.62/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 11, Bytes: 1566,
Out: 67.221.239.62/443 --> 192.168.1.150/16508;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 24, Bytes: 16217,
Session ID: 8369, Policy name: default-permit/5, Timeout: 1794, Valid
In: 172.16.1.100/49908 --> 67.221.239.62/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 7, Bytes: 935,
Out: 67.221.239.62/443 --> 192.168.1.150/2537;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 10, Bytes: 5995,
Session ID: 8371, Policy name: default-permit/5, Timeout: 1794, Valid
In: 172.16.1.100/49909 --> 74.125.24.100/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 13, Bytes: 2007,
Out: 74.125.24.100/443 --> 192.168.1.150/7490;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 12, Bytes: 4576,
Session ID: 8372, Policy name: default-permit/5, Timeout: 1796, Valid
In: 172.16.1.100/49910 --> 35.244.153.179/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 11, Bytes: 1775,
Out: 35.244.153.179/443 --> 192.168.1.150/15504;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 10, Bytes: 4067,
Session ID: 8375, Policy name: default-permit/5, Timeout: 1796, Valid
In: 172.16.1.100/49912 --> 74.125.200.154/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 10, Bytes: 1631,
Out: 74.125.200.154/443 --> 192.168.1.150/23154;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 11, Bytes: 4498,
Session ID: 8376, Policy name: default-permit/5, Timeout: 1796, Valid
In: 172.16.1.100/49913 --> 172.217.194.106/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 10, Bytes: 1811,
Out: 172.217.194.106/443 --> 192.168.1.150/28429;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 12, Bytes: 1925,
Session ID: 8378, Policy name: default-permit/5, Timeout: 1796, Valid
In: 172.16.1.100/49914 --> 172.217.194.94/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 11, Bytes: 1581,
Out: 172.217.194.94/443 --> 192.168.1.150/2931;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 13, Bytes: 4402,
Session ID: 8380, Policy name: default-permit/5, Timeout: 1796, Valid
In: 172.16.1.100/49915 --> 74.125.24.154/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 10, Bytes: 2017,
Out: 74.125.24.154/443 --> 192.168.1.150/19539;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 13, Bytes: 5594,
Total sessions: 15
Hi John, do you still maintain this site? I am just starting my Juniper journey, wonder if there's way to ask you questions?
ReplyDeleteHi, yes I do check and reply to comments for time to time. Just shoot and will reply if I can :)
ReplyDelete