Friday, April 2, 2021

Run Juniper Networks vSRX Firewall in VMware Workstation

The Juniper Genius portal was deprecated and migrated to the Juniper Learning portal on February 26, 2021. The Juniper Learning portal is where you can access the free, self-paced Juniper Networks online training and get the exam voucher for the JNCIA exams.


I used the Juniper Networks Day One book for the SRX series and the Pluralsight videos by Sean Wilkins to prepare for my JNCIA-SEC (JN0-203) exam. I recently got JNCIA-SEC certified and below are my Digital Badge and eCertificate. These can be viewed and downloaded in Juniper CertManager.


I tried to run the Juniper vSRX VM in VirtualBox, but it just got stuck at "Loading Linux", so I used VMware Workstation instead.

Import the vSRX by clicking File > Open.

 Select the vSRX file > click Import.

Click Accept to continue.



Right-click on the vSRX VM > Rename: vSRX-1. 

Add another VMnet by going to Edit > Virtual Network Editor.

Click Change Settings (admin rights needed).

VMware Workstation has three default VMnet interfaces: VMnet0 (Bridged), VMnet1 (Host-only) and VMnet8 (NAT).

You can add custom virtual networks up to VMnet19.


Edit the vSRX Network Adapters as follows:

Select Network Adapter (first) > Custom: Host-only - This is the vSRX fxp0 (out-of-band management) interface and will not be used.

Select Network Adapter 2 > Custom: VMnet0 (Bridged to the VM host LAN, which has Internet access and the other VMs) - This is the vSRX ge-0/0/0.0 (Untrust) interface.

Select Network Adapter 3 > Custom: VMnet1 (Host-only) - This is the vSRX ge-0/0/1.0 (Trust) interface.


Below is my JNCIA-SEC virtual lab topology and the initial vSRX configuration.



I chose the vSRX VM with Junos 15.1X49-D80.4 since it runs an almost "identical" J-Web interface and supports the Unified Threat Management (UTM) features. The legacy Juniper Firefly VM runs the older Junos 12.1X46-D10.2 and can only do stateful firewalling.
 
 
Note that the vSRX VM runs on a 60-day evaluation (trial) license. You can verify the license in vSRX under Maintain > Software > License.

Notice I got 54 days left before the Virtual Application License expires.
 

You can also view the licenses in vSRX using the show system license command.

 

root@vSRX-1> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  Virtual Appliance                     1            1           0    54 days
  remote-access-ipsec-vpn-client        0            2           0    permanent

Licenses installed:
  License identifier: E420588123
  License version: 4
  Software Serial Number: 20150123
  Customer ID: vSRX-JuniperEval
  Features:
    Virtual Appliance - Virtual Appliance
      count-down, Original validity: 60 days

  

You can refer to this post for some basic Junos config. The // notes after the commands below are annotations, not part of the CLI input.

 

root% cli
root> configure    // OR USE edit
Entering configuration mode
The configuration has been changed but not committed

[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# set system host-name vSRX-1

[edit]
root# set interfaces ge-0/0/1 unit 0 family inet address 172.16.1.1/24   // LAN INTERFACE IP ADDRESS

[edit]
root# set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.150/24   // WAN INTERFACE IP ADDRESS

[edit]
root# set routing-options static route 0.0.0.0/0 next-hop 192.168.1.1   // STATIC DEFAULT ROUTE

[edit]
root# set security zones security-zone trust interfaces ge-0/0/1.0   // ASSIGN LAN INTERFACE TO TRUST ZONE

[edit]
root# set security zones security-zone untrust interfaces ge-0/0/0.0   // ASSIGN WAN INTERFACE TO UNTRUST ZONE

[edit]
root# set security policies from-zone trust to-zone untrust policy TRUST-UNTRUST match source-address any destination-address any application any   // PERMIT TRUST TO UNTRUST TRAFFIC

[edit]
root# set security policies from-zone trust to-zone untrust policy TRUST-UNTRUST then permit

[edit]
root# set security nat source rule-set SOURCE-NAT-TRUST from zone trust    // CONFIGURE SOURCE NAT (PAT)

[edit]
root# set security nat source rule-set SOURCE-NAT-TRUST to zone untrust

[edit]
root# set security nat source rule-set SOURCE-NAT-TRUST rule SOURCE-NAT-TRUST match source-address 172.16.1.0/24 destination-address 0.0.0.0/0

[edit]
root# set security nat source rule-set SOURCE-NAT-TRUST rule SOURCE-NAT-TRUST then source-nat interface

[edit]
root# commit
commit complete

   
 
I also enabled the J-Web GUI (HTTPS on ge-0/0/0.0) and allowed ping and SSH as host-inbound traffic on the zone interfaces. Below is the complete show output. Two of these settings are fine for an isolated lab but would not be acceptable on a production SRX: root-login allow lets root authenticate over SSH, and SSH/HTTPS are permitted as host-inbound traffic on the untrust interface, so the management plane is reachable from the WAN side. Normally you would manage the device through fxp0 or a trust-zone interface with a named user account.

root@vSRX-1# show
## Last changed: 2021-02-20 15:08:19 SGT
version 15.1X49-D80.4;
system {
    host-name vSRX-1;
    root-authentication {
        encrypted-password "$5$h/gVhuqb$nH2lW4/iyVyXnAnvbBg8aLy2b1HZcpqhiTeH/lSFD./"; ## SECRET-DATA
    }
    services {
        ssh {
            root-login allow;   // ALLOW SSH USING ROOT LOGIN
        }
        web-management {
            https {
                system-generated-certificate;   // SSL/TLS SELF-SIGNED CERT
                interface ge-0/0/0.0;   // ALLOW HTTPS ON THE UNTRUST INTERFACE
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ntp;
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    queue-size 2000; ## Warning: 'queue-size' is deprecated
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set SOURCE-NAT-TRUST {
                from zone trust;
                to zone untrust;
                rule SOURCE-NAT-TRUST {
                    match {
                        source-address 172.16.1.0/24;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy TRUST-UNTRUST {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            tcp-rst;
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {     // ALLOW PING AND SSH ON THE TRUST ZONE
                            ping;
                            ssh;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {    // ALLOW PING, SSH AND HTTPS ON UNTRUST ZONE
                            ping;
                            ssh;
                            https;
                        }
                    }
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.1.150/24;    // WAN INTERFACE IP ADDRESS
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 172.16.1.1/24;    // LAN INTERFACE IP ADDRESS
            }
        }
    }
    fxp0 {
        unit 0 {
            family inet;
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 192.168.1.1;    // STATIC DEFAULT ROUTE
    }
}

[edit]
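As an added example (my own Python, not part of the original post and not a Juniper tool), the script below turns curly-brace show output like the one above into set-style word tuples and then checks two things a reviewer would look for in this config: management-plane exposure (root-login allow, SSH/HTTPS permitted host-inbound on an untrust interface, and J-Web bound to that interface) and policy shadowing, where the factory default-permit policy sits before TRUST-UNTRUST in the trust-to-untrust context and matches everything first. The function names and the check identifiers are mine. The sample config is a constructed excerpt of the output above with blocks collapsed onto single lines; the parser assumes plain hierarchical config and does not handle inactive:, apply-groups or quoted values that contain braces or semicolons.

```python
# Added example (not from the original post or Juniper): flatten a Junos
# curly-brace configuration into 'set'-style word tuples and audit it for
# management-plane exposure and shadowed security policies. Assumes plain
# hierarchical config; 'inactive:', 'apply-groups' and quoted values holding
# '{', '}' or ';' are not handled (the config above uses none of them).
import re

ANNOTATION_RE = re.compile(r"\s+(##|//).*$")  # trailing '## SECRET-DATA' / '// ...' notes


def flatten(config):
    """Junos curly-brace config -> list of 'set'-style word tuples, in config order."""
    lines = (ANNOTATION_RE.sub("", raw).strip() for raw in config.splitlines())
    # drop blanks, '## ...' comment lines, the '[edit]' banner and CLI prompt lines
    text = "\n".join(l for l in lines if l and l[0] not in "#[" and l.split()[0][-1] not in "#>")
    stack, stmts = [], []  # stack of open block headers, each a tuple of words
    for chunk, delim in re.findall(r"([^{};]*)([{};])", text):
        words = tuple(chunk.split())
        path = tuple(w for part in stack for w in part)
        if delim == "{":          # block opens: record its path, then descend
            stack.append(words)
            stmts.append(path + words)
        elif delim == "}":        # block closes
            stack.pop()
        elif words:               # leaf statement
            stmts.append(path + words)
    return stmts


def audit(stmts):
    """(check, detail) pairs for settings that expose the firewall's management plane."""
    present, findings = set(stmts), []
    zone_ifaces = ("security", "zones", "security-zone", "untrust", "interfaces")
    outside = {s[5] for s in stmts if s[:5] == zone_ifaces and len(s) > 5}
    if ("system", "services", "ssh", "root-login", "allow") in present:
        findings.append(("ssh-root-login", "root can log in over SSH; use a named user and 'root-login deny'"))
    for s in stmts:
        if len(s) == 6 and s[:5] == ("system", "services", "web-management", "https", "interface") and s[5] in outside:
            findings.append(("jweb-on-untrust", f"J-Web HTTPS is bound to untrust interface {s[5]}"))
    for ifc in sorted(outside):
        for svc in ("ssh", "https", "http", "telnet"):
            if zone_ifaces + (ifc, "host-inbound-traffic", "system-services", svc) in present:
                findings.append(("mgmt-on-untrust", f"{svc} is host-inbound on untrust interface {ifc}"))
    return findings


def shadowed_policies(stmts):
    """(context, policy, shadowed_by): policies that can never match because an earlier
    any/any/any policy in the same from-zone/to-zone context already catches everything
    (Junos evaluates policies top-down within a context)."""
    order, matches = {}, {}
    for s in stmts:
        if len(s) >= 8 and s[:3] == ("security", "policies", "from-zone") and s[4] == "to-zone" and s[6] == "policy":
            ctx, name = (s[3], s[5]), s[7]
            if name not in order.setdefault(ctx, []):
                order[ctx].append(name)
            if len(s) == 11 and s[8] == "match":
                matches.setdefault((ctx, name), set()).add((s[9], s[10]))
    catch_all = {("source-address", "any"), ("destination-address", "any"), ("application", "any")}
    shadowed = []
    for ctx, names in order.items():
        for i, name in enumerate(names):
            if catch_all <= matches.get((ctx, name), set()):
                shadowed += [(ctx, later, name) for later in names[i + 1:]]
                break
    return shadowed


# Constructed excerpt of the 'show' output above, with blocks collapsed onto single lines.
SAMPLE_CONFIG = """\
## Last changed: 2021-02-20 15:08:19 SGT
system {
    services {
        ssh { root-login allow; }   // ALLOW SSH USING ROOT LOGIN
        web-management { https { system-generated-certificate; interface ge-0/0/0.0; } }
    }
    license { autoupdate { url https://ae1.juniper.net/junos/key_retrieval; } }
}
security {
    policies {
        from-zone trust to-zone untrust {
            policy default-permit {
                match { source-address any; destination-address any; application any; }
                then { permit; }
            }
            policy TRUST-UNTRUST {
                match { source-address any; destination-address any; application any; }
                then { permit; }
            }
        }
    }
    zones {
        security-zone untrust {
            interfaces { ge-0/0/0.0 { host-inbound-traffic { system-services { ping; ssh; https; } } } }
        }
    }
}
"""

if __name__ == "__main__":
    stmts = flatten(SAMPLE_CONFIG)
    for finding in audit(stmts) + shadowed_policies(stmts):
        print(finding)
```

Feed it the text of show configuration (prompts and the trailing [edit] are skipped) and it reports the four exposure findings plus TRUST-UNTRUST being shadowed by default-permit, which is consistent with the session table later in the post where every trust-to-untrust session is tagged default-permit/5.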

 

Edit Windows 7 VM Network Adapter > Custom: VMnet1 > click OK.
 
 
I was able to ping and SSH to the vSRX LAN IP 172.16.1.1 from the Windows 7 VM since I allowed these types of traffic under host-inbound-traffic.

 
I was able to ping to Google DNS 8.8.8.8 and open Juniper.net since I configured a Source NAT (PAT) on the vSRX device.

You can use the show security flow session command to view the session table, including the NAT translations: for each session the In wing shows the original source, and the Out wing shows the reply addressed to the translated source (192.168.1.150 with a new port). Note the Policy name column: the trust-to-untrust traffic matches the factory default-permit policy, which sits before TRUST-UNTRUST in the trust-to-untrust context, so the TRUST-UNTRUST policy added earlier is never hit.

root@vSRX-1> show security flow session 
Session ID: 6182, Policy name: self-traffic-policy/1, Timeout: 1798, Valid
  In: 192.168.1.100/60869 --> 192.168.1.150/22;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 3235, Bytes: 300546,
  Out: 192.168.1.150/22 --> 192.168.1.100/60869;tcp, Conn Tag: 0x0, If: .local..0, Pkts: 2129, Bytes: 317027,

Session ID: 6531, Policy name: default-permit/5, Timeout: 300, Valid
  In: 172.16.1.100/49621 --> 117.18.232.240/80;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 27, Bytes: 2922,
  Out: 117.18.232.240/80 --> 192.168.1.150/25279;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 54, Bytes: 63424,
 
Session ID: 6656, Policy name: default-permit/5, Timeout: 288, Valid
  In: 172.16.1.100/49659 --> 192.124.249.22/80;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 6, Bytes: 686,
  Out: 192.124.249.22/80 --> 192.168.1.150/21793;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 6, Bytes: 4742,

Session ID: 6659, Policy name: default-permit/5, Timeout: 288, Valid
  In: 172.16.1.100/49660 --> 192.124.249.41/80;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 6, Bytes: 686,
  Out: 192.124.249.41/80 --> 192.168.1.150/24410;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 6, Bytes: 4742,
                                        
Session ID: 6709, Policy name: default-permit/5, Timeout: 1800, Valid
  In: 172.16.1.100/49680 --> 35.244.245.222/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 12, Bytes: 1814,
  Out: 35.244.245.222/443 --> 192.168.1.150/13797;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 15, Bytes: 7046,

Session ID: 6714, Policy name: default-permit/5, Timeout: 2, Valid
  In: 172.16.1.100/49684 --> 35.244.245.222/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 9, Bytes: 965,
  Out: 35.244.245.222/443 --> 192.168.1.150/26477;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 9, Bytes: 6666,

Session ID: 6744, Policy name: default-permit/5, Timeout: 2, Valid
  In: 172.16.1.100/54489 --> 8.8.8.8/53;udp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 65,
  Out: 8.8.8.8/53 --> 192.168.1.150/30569;udp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 161,

Session ID: 6746, Policy name: default-permit/5, Timeout: 298, Valid
  In: 172.16.1.100/49693 --> 172.217.194.100/80;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 4, Bytes: 403,
  Out: 172.217.194.100/80 --> 192.168.1.150/26791;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 3, Bytes: 709,

Session ID: 6747, Policy name: default-permit/5, Timeout: 2, Valid
  In: 172.16.1.100/50156 --> 8.8.8.8/53;udp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 71,
  Out: 8.8.8.8/53 --> 192.168.1.150/11161;udp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 116,

Session ID: 6748, Policy name: default-permit/5, Timeout: 300, Valid
  In: 172.16.1.100/49694 --> 74.125.12.199/80;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 4, Bytes: 536,
  Out: 74.125.12.199/80 --> 192.168.1.150/3879;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 4, Bytes: 1364,
Total sessions: 10
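The following is an added example (my own Python, not from the original post or Juniper) that parses the brief session output in the format shown above. For each session it pairs the In and Out wings to recover the source-NAT translation (the Out wing is addressed to the translated source, 192.168.1.150 with a new port), and it also flags sessions handled by the firewall's own self-traffic-policy that arrived on an untrust-facing interface, which is how the SSH session from 192.168.1.100 above shows up. The function and class names are mine; the sample input is a three-session excerpt copied from the output above.

```python
# Added example (not from the original post or Juniper): parse the brief
# 'show security flow session' output, recover the source-NAT translation
# table from the two wings of each session, and flag sessions that terminate
# on the firewall itself via an untrust-facing interface.
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

SESSION_RE = re.compile(r"^Session ID: (\d+), Policy name: ([^,]+), Timeout: (\d+), (\w+)")
WING_RE = re.compile(
    r"^\s*(In|Out): ([\d.]+)/(\d+) --> ([\d.]+)/(\d+);(\w+), Conn Tag: \S+, "
    r"If: (\S+), Pkts: (\d+), Bytes: (\d+),?\s*$"
)


@dataclass
class Wing:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    iface: str
    pkts: int
    nbytes: int


@dataclass
class Session:
    sid: int
    policy: str
    timeout: int
    state: str
    inbound: Optional[Wing] = None
    outbound: Optional[Wing] = None

    @property
    def translated_source(self) -> Optional[Tuple[str, int]]:
        """With interface source NAT the reply (Out) wing is addressed to the translated
        tuple, so Out.dst/dport is the NAT'd form of In.src/sport; None when untouched."""
        if self.inbound is None or self.outbound is None:
            return None
        original = (self.inbound.src, self.inbound.sport)
        translated = (self.outbound.dst, self.outbound.dport)
        return translated if translated != original else None


def parse_sessions(text: str) -> List[Session]:
    sessions, current = [], None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            current = Session(int(m[1]), m[2], int(m[3]), m[4])
            sessions.append(current)
            continue
        m = WING_RE.match(line)
        if m and current is not None:  # In:/Out: lines belong to the last header seen
            wing = Wing(m[2], int(m[3]), m[4], int(m[5]), m[6], m[7], int(m[8]), int(m[9]))
            if m[1] == "In":
                current.inbound = wing
            else:
                current.outbound = wing
    return sessions


def nat_table(sessions: List[Session]):
    """(inside src, port, translated src, port, destination, port, proto) per NAT'd session."""
    rows = []
    for s in sessions:
        t = s.translated_source
        if t is not None:
            i = s.inbound
            rows.append((i.src, i.sport, t[0], t[1], i.dst, i.dport, i.proto))
    return rows


def management_sessions(sessions: List[Session], untrust_ifaces: Set[str]) -> List[Session]:
    """Sessions handled by the self-traffic policy (destined to the firewall itself) that
    arrived on an untrust-facing interface, i.e. management reachable from the outside."""
    return [s for s in sessions if s.policy.startswith("self-traffic-policy")
            and s.inbound is not None and s.inbound.iface in untrust_ifaces]


# Constructed excerpt: three sessions copied from the output above.
SAMPLE_OUTPUT = """\
Session ID: 6182, Policy name: self-traffic-policy/1, Timeout: 1798, Valid
  In: 192.168.1.100/60869 --> 192.168.1.150/22;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 3235, Bytes: 300546,
  Out: 192.168.1.150/22 --> 192.168.1.100/60869;tcp, Conn Tag: 0x0, If: .local..0, Pkts: 2129, Bytes: 317027,

Session ID: 6531, Policy name: default-permit/5, Timeout: 300, Valid
  In: 172.16.1.100/49621 --> 117.18.232.240/80;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 27, Bytes: 2922,
  Out: 117.18.232.240/80 --> 192.168.1.150/25279;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 54, Bytes: 63424,

Session ID: 6744, Policy name: default-permit/5, Timeout: 2, Valid
  In: 172.16.1.100/54489 --> 8.8.8.8/53;udp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 65,
  Out: 8.8.8.8/53 --> 192.168.1.150/30569;udp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 161,
Total sessions: 3
"""

if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_OUTPUT)
    for row in nat_table(sessions):
        print("%s:%d -> %s:%d  => %s:%d/%s" % row)
    for s in management_sessions(sessions, {"ge-0/0/0.0"}):
        print("management session from outside:", s.sid, s.inbound.src)
```

Pipe the full output of show security flow session into parse_sessions and the NAT rows give you the same mapping the SRX keeps internally, while any hit from management_sessions with the untrust interface is a host on the WAN side talking to the firewall's own SSH or J-Web.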

 

You can also filter on the source IP 172.16.1.100 (the Windows 7 VM) for more granular output; typing ? after the command lists the available filters.

root@vSRX-1> show security flow session ?
Possible completions:
  <[Enter]>            Execute this command
  advanced-anti-malware  Show advanced-anti-malware sessions
  application          Application protocol name
  application-firewall  Show application-firewall sessions
  application-firewall-rule-set  Show application-firewall session by rule-set
  application-traffic-control  Show application-traffic-control sessions
  application-traffic-control-rule-set  Show application-traffic-control session by rule-set
  brief                Show brief output (default)
  conn-tag             Session connection tag (0..4294967295)
  destination-port     Destination port (1..65535)
  destination-prefix   Destination IP prefix or address
  dynamic-application  Dynamic application name
  dynamic-application-group  Dynamic application group name
  encrypted            Show encrypted traffic
  extensive            Show detailed output
  family               Protocol family
  idp                  IDP sessions
  interface            Name of incoming or outgoing interface
  nat                  Sessions with network address translation
  policy-id            Policy id value (1..4294967295)
  protocol             IP protocol number
  resource-manager     Sessions with resource manager
  security-intelligence  Show security-intelligence sessions
  session-identifier   Show session with specified session identifier
  source-port          Source port (1..65535)
  source-prefix        Source IP prefix or address
  summary              Show output summary
  tunnel               Tunnel sessions
  |                    Pipe through a command

 

root@vSRX-1> show security flow session source-prefix 172.16.1.100
Session ID: 8357, Policy name: default-permit/5, Timeout: 1794, Valid
  In: 172.16.1.100/49900 --> 65.8.158.60/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 17, Bytes: 2109,
  Out: 65.8.158.60/443 --> 192.168.1.150/19993;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 28, Bytes: 15164,

Session ID: 8361, Policy name: default-permit/5, Timeout: 1794, Valid
  In: 172.16.1.100/49901 --> 172.217.194.148/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 14, Bytes: 2192,
  Out: 172.217.194.148/443 --> 192.168.1.150/16600;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 18, Bytes: 6098,

Session ID: 8362, Policy name: default-permit/5, Timeout: 1794, Valid
  In: 172.16.1.100/49902 --> 65.8.158.98/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 5, Bytes: 729,
  Out: 65.8.158.98/443 --> 192.168.1.150/10951;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 8, Bytes: 7889,

Session ID: 8363, Policy name: default-permit/5, Timeout: 1794, Valid
  In: 172.16.1.100/49903 --> 172.217.26.72/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 23, Bytes: 1975,
  Out: 172.217.26.72/443 --> 192.168.1.150/31457;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 55, Bytes: 67533,

Session ID: 8364, Policy name: default-permit/5, Timeout: 1794, Valid
  In: 172.16.1.100/49904 --> 65.8.158.98/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 5, Bytes: 741,
  Out: 65.8.158.98/443 --> 192.168.1.150/18040;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 9, Bytes: 8586,

Session ID: 8366, Policy name: default-permit/5, Timeout: 1794, Valid
  In: 172.16.1.100/49905 --> 35.201.125.192/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 10, Bytes: 1469,
  Out: 35.201.125.192/443 --> 192.168.1.150/25724;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 10, Bytes: 4166,

Session ID: 8367, Policy name: default-permit/5, Timeout: 1796, Valid
  In: 172.16.1.100/49906 --> 67.221.239.62/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 10, Bytes: 1512,
  Out: 67.221.239.62/443 --> 192.168.1.150/15099;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 18, Bytes: 11076,

Session ID: 8368, Policy name: default-permit/5, Timeout: 1796, Valid
  In: 172.16.1.100/49907 --> 67.221.239.62/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 11, Bytes: 1566,
  Out: 67.221.239.62/443 --> 192.168.1.150/16508;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 24, Bytes: 16217,

Session ID: 8369, Policy name: default-permit/5, Timeout: 1794, Valid
  In: 172.16.1.100/49908 --> 67.221.239.62/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 7, Bytes: 935,
  Out: 67.221.239.62/443 --> 192.168.1.150/2537;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 10, Bytes: 5995,

Session ID: 8371, Policy name: default-permit/5, Timeout: 1794, Valid
  In: 172.16.1.100/49909 --> 74.125.24.100/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 13, Bytes: 2007,
  Out: 74.125.24.100/443 --> 192.168.1.150/7490;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 12, Bytes: 4576,

Session ID: 8372, Policy name: default-permit/5, Timeout: 1796, Valid
  In: 172.16.1.100/49910 --> 35.244.153.179/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 11, Bytes: 1775,
  Out: 35.244.153.179/443 --> 192.168.1.150/15504;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 10, Bytes: 4067,

Session ID: 8375, Policy name: default-permit/5, Timeout: 1796, Valid
  In: 172.16.1.100/49912 --> 74.125.200.154/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 10, Bytes: 1631,
  Out: 74.125.200.154/443 --> 192.168.1.150/23154;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 11, Bytes: 4498,

Session ID: 8376, Policy name: default-permit/5, Timeout: 1796, Valid
  In: 172.16.1.100/49913 --> 172.217.194.106/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 10, Bytes: 1811,
  Out: 172.217.194.106/443 --> 192.168.1.150/28429;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 12, Bytes: 1925,

Session ID: 8378, Policy name: default-permit/5, Timeout: 1796, Valid
  In: 172.16.1.100/49914 --> 172.217.194.94/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 11, Bytes: 1581,
  Out: 172.217.194.94/443 --> 192.168.1.150/2931;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 13, Bytes: 4402,

Session ID: 8380, Policy name: default-permit/5, Timeout: 1796, Valid
  In: 172.16.1.100/49915 --> 74.125.24.154/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 10, Bytes: 2017,
  Out: 74.125.24.154/443 --> 192.168.1.150/19539;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 13, Bytes: 5594,
Total sessions: 15

 

2 comments:

  1. Hi John, do you still maintain this site? I am just starting my Juniper journey, wonder if there's a way to ask you questions?

  2. Hi, yes I do check and reply to comments from time to time. Just shoot and I will reply if I can :)
