Friday, April 2, 2021

Run Juniper Networks vSRX Firewall in VMware Workstation

The Juniper Genius portal got deprecated and was migrated to the Juniper Learning portal last February 26, 2021. The Juniper Learning portal is where you can access free Juniper Networks online training (self-paced) and get the exam voucher for JNCIA exams.


I used the Juniper Network's Day One Book for the SRX series and Pluralsight videos by Sean Wilkins to prepare for my JNCIA-SEC (JN0-203) exam. I recently got JNCIA-SEC certified and below are my Digital Badge and eCertificate. This can be viewed and downloaded in Juniper CertManager.


I tried to run the Juniper vSRX VM in VirtualBox but it only got stuck with Loading Linux. So I used VMware Workstation instead.

Import the vSRX by clicking File > Open.

 Select the vSRX file > click Import.

Click Accept to continue.



Right-click on the vSRX VM > Rename: vSRX-1. 

Add another VMnet by going to Edit > Virtual Network Editor.

Click Change Settings (admin rights needed).

Vmware Workstation has three default VMnet interfaces and types: VMnet0 (Bridged)), VMnet1 (Host-only) and VMnet8 (NAT).

VMware Workstation can add up to VMnet19.


Edit the vSRX Network Adapters as follows:

 

Select Network Adapter (first) > Custom: Host-only - This is the vSRX fxp0 (management) interface and will not be used.

 

Select Network Adapter 2 > Custom: VMnet0 (Bridged to VM host LAN with Internet and other VM) - This is the vSRX ge-0/0/0.0 (Untrust) interface.

 

Select Network Adapter 3 > Custom: Vmnet1 (Host-only) -  This is the vSRX ge-0/0/1.0 (Trust) interface.

 

 

Below is my JNCIA-SEC virtual lab topology and the initial vSRX configuration.



I chose the vSRX VM with Junos 15.1X49-D80.4 since you can run an almost "identical" J-Web interface and Unified Threat Management (UTM) features. The legacy Juniper Firefly VM runs the old Junos 12.1X46-D10.2 and can only do a stateful firewall.
 
 
Note the vSRX VM runs on a 60-day Evaluation/Trial license. You can verify the license in vSRX under Maintain > Software > License.

Notice I got 54 days left before the Virtual Application License expires.
 

You can also view the licenses in vSRX using the show system license command.

 

root@vSRX-1> show system license      

License usage:

                                 Licenses     Licenses    Licenses    Expiry

  Feature name                       used    installed      needed

  Virtual Appliance                     1            1           0    54 days

  remote-access-ipsec-vpn-client        0            2           0    permanent

 

Licenses installed:

  License identifier: E420588123

  License version: 4

  Software Serial Number: 20150123

  Customer ID: vSRX-JuniperEval

  Features:

    Virtual Appliance - Virtual Appliance

      count-down, Original validity: 60 days

  

You can refer to this post for some basic Junos config.

 

root% cli

root> configure    // OR USE edit

Entering configuration mode

The configuration has been changed but not committed

 

[edit]

root# set system root-authentication plain-text-password

New password:

Retype new password:

 

[edit]

root# set system host-name vSRX-1

 

[edit]

root# set interfaces ge-0/0/1 unit 0 family inet address 172.16.1.1/24   // LAN INTERFACE IP ADDRESS

 

[edit]

set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.150/24   // WAN INTERFACE IP ADDRESS

 

[edit]

root# set routing-options static route 0.0.0.0/0 next-hop 192.168.1.1   // STATIC DEFAULT ROUTE

 

[edit]

root# set security zones security-zone trust interfaces ge-0/0/1.0   // ASSIGN LAN INTERFACE TO TRUST ZONE

 

[edit]

root# set security zones security-zone untrust interfaces ge0/0/0.0   // ASSIGN WAN INTERFACE TO TRUST ZONE

 

[edit]

root# set security policies from-zone trust to-zone untrust policy TRUST-UNTRUST match source-address any destination-address any application any   // PERMIT TRUST TO UNTRUST TRAFFIC

 

[edit]

root# set security policies from-zone trust to-zone untrust policy TRUST-UNTRUST then permit

 

[edit]

root# set security nat source rule-set SOURCE-NAT-TRUST from zone trust    // CONFIGURE SOURCE NAT (PAT)

 

[edit]

root# set security nat source rule-set SOURCE-NAT-TRUST to zone untrust

 

[edit]

root# set security nat source rule-set SOURCE-NAT-TRUST rule SOURCE-NAT-TRUST match source-address 172.16.1.0/24 destination-address 0.0.0.0/0

 

[edit]

root# set security nat source rule-set SOURCE-NAT-TRUST rule SOURCE-NAT-TRUST then source-nat interface

 

[edit]

root# commit
commit complete

   
 
I added some commands for the J-WEB GUI to allow host-inbound traffic: ping and SSH. Below is the complete show output.

root@vSRX-1# show

## Last changed: 2021-02-20 15:08:19 SGT

version 15.1X49-D80.4;

system {

    host-name vSRX-1;

    root-authentication {

        encrypted-password "$5$h/gVhuqb$nH2lW4/iyVyXnAnvbBg8aLy2b1HZcpqhiTeH/lSFD./"; ## SECRET-DATA

    }

    services {

        ssh {

            root-login allow;   // ALLOW SSH USING ROOT LOGIN

        }

        web-management {

            https {

                system-generated-certificate;   // SSL/TLS SELF-SIGN CERT

                interface ge-0/0/0.0;   // ALLOW HTTPS ON THE UNTRUST INTERFACE

            }

        }

    }

    syslog {

        user * {

            any emergency;

        }

        file messages {                

            any any;

            authorization info;

        }

        file interactive-commands {

            interactive-commands any;

        }

    }

    license {

        autoupdate {

            url https://ae1.juniper.net/junos/key_retrieval;

        }

    }

    ntp;

}

security {

    screen {

        ids-option untrust-screen {

            icmp {

                ping-death;

            }

            ip {

                source-route-option;

                tear-drop;             

            }

            tcp {

                syn-flood {

                    alarm-threshold 1024;

                    attack-threshold 200;

                    source-threshold 1024;

                    destination-threshold 2048;

                    queue-size 2000; ## Warning: 'queue-size' is deprecated

                    timeout 20;

                }

                land;

            }

        }

    }

    nat {

        source {

            rule-set SOURCE-NAT-TRUST {

                from zone trust;

                to zone untrust;

                rule SOURCE-NAT-TRUST {

                    match {

                        source-address 172.16.1.0/24;

                        destination-address 0.0.0.0/0;

                    }

                    then {

                        source-nat {

                            interface;

                        }

                    }

                }

            }

        }

    }

    policies {

        from-zone trust to-zone trust {

            policy default-permit {

                match {

                    source-address any;

                    destination-address any;

                    application any;

                }

                then {

                    permit;

                }

            }

        }                              

        from-zone trust to-zone untrust {

            policy default-permit {

                match {

                    source-address any;

                    destination-address any;

                    application any;

                }

                then {

                    permit;

                }

            }

            policy TRUST-UNTRUST {

                match {

                    source-address any;

                    destination-address any;

                    application any;

                }

                then {

                    permit;

                }

            }

        }

    }                                  

    zones {

        security-zone trust {

            tcp-rst;

            interfaces {

                ge-0/0/1.0 {

                    host-inbound-traffic {

                        system-services {     // ALLOW PING AND SSH ON THE TRUST ZONE

                            ping;

                            ssh;

                        }

                    }

                }

            }

        }

        security-zone untrust {

            screen untrust-screen;

            interfaces {

                ge-0/0/0.0 {

                    host-inbound-traffic {

                        system-services {    // ALLOW PING, SSH AND HTTPS ON UNTRUST ZONE

                            ping;

                            ssh;

                            https;     

                        }

                    }

                }

            }

        }

    }

}

interfaces {

    ge-0/0/0 {

        unit 0 {

            family inet {

                address 192.168.1.150/24;    // WAN INTERFACE IP ADDRESS

            }

        }

    }

    ge-0/0/1 {

        unit 0 {

            family inet {

                address 172.16.1.1/24;    // LAN INTERFACE IP ADDRESS

            }

        }

    }

    fxp0 {                             

        unit 0 {

            family inet;

        }

    }

}

routing-options {

    static {

        route 0.0.0.0/0 next-hop 192.168.1.1;    // STATIC DEFAULT ROUTE

    }

}

 

[edit]

 

Edit Windows 7 VM Network Adapter > Custom: VMnet1 > click OK.
 
 
I was able to ping and SSH to the vSRX LAN IP 172.16.1.1 from the Windows 7 VM since I allowed these type of traffic in the host-inbound-traffic.

 
I was able to ping to Google DNS 8.8.8.8 and open Juniper.net since I configured a Source NAT (PAT) on the vSRX device.

You can use the show security flow session command to view the NAT translations or session table.

root@vSRX-1> show security flow session 
Session ID: 6182, Policy name: self-traffic-policy/1, Timeout: 1798, Valid
  In: 192.168.1.100/60869 --> 192.168.1.150/22;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 3235, Bytes: 300546,
  Out: 192.168.1.150/22 --> 192.168.1.100/60869;tcp, Conn Tag: 0x0, If: .local..0, Pkts: 2129, Bytes: 317027,

Session ID: 6531, Policy name: default-permit/5, Timeout: 300, Valid
  In: 172.16.1.100/49621 --> 117.18.232.240/80;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 27, Bytes: 2922,
  Out: 117.18.232.240/80 --> 192.168.1.150/25279;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 54, Bytes: 63424,
 
Session ID: 6656, Policy name: default-permit/5, Timeout: 288, Valid
  In: 172.16.1.100/49659 --> 192.124.249.22/80;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 6, Bytes: 686,
  Out: 192.124.249.22/80 --> 192.168.1.150/21793;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 6, Bytes: 4742,

Session ID: 6659, Policy name: default-permit/5, Timeout: 288, Valid
  In: 172.16.1.100/49660 --> 192.124.249.41/80;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 6, Bytes: 686,
  Out: 192.124.249.41/80 --> 192.168.1.150/24410;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 6, Bytes: 4742,
                                        
Session ID: 6709, Policy name: default-permit/5, Timeout: 1800, Valid
  In: 172.16.1.100/49680 --> 35.244.245.222/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 12, Bytes: 1814,
  Out: 35.244.245.222/443 --> 192.168.1.150/13797;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 15, Bytes: 7046,

Session ID: 6714, Policy name: default-permit/5, Timeout: 2, Valid
  In: 172.16.1.100/49684 --> 35.244.245.222/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 9, Bytes: 965,
  Out: 35.244.245.222/443 --> 192.168.1.150/26477;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 9, Bytes: 6666,

Session ID: 6744, Policy name: default-permit/5, Timeout: 2, Valid
  In: 172.16.1.100/54489 --> 8.8.8.8/53;udp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 65,
  Out: 8.8.8.8/53 --> 192.168.1.150/30569;udp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 161,

Session ID: 6746, Policy name: default-permit/5, Timeout: 298, Valid
  In: 172.16.1.100/49693 --> 172.217.194.100/80;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 4, Bytes: 403,
  Out: 172.217.194.100/80 --> 192.168.1.150/26791;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 3, Bytes: 709,

Session ID: 6747, Policy name: default-permit/5, Timeout: 2, Valid
  In: 172.16.1.100/50156 --> 8.8.8.8/53;udp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 1, Bytes: 71,
  Out: 8.8.8.8/53 --> 192.168.1.150/11161;udp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 116,

Session ID: 6748, Policy name: default-permit/5, Timeout: 300, Valid
  In: 172.16.1.100/49694 --> 74.125.12.199/80;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 4, Bytes: 536,
  Out: 74.125.12.199/80 --> 192.168.1.150/3879;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 4, Bytes: 1364,
Total sessions: 10

 

You can also specify the source IP 172.16.1.100 (Windows 7 VM) for a more granular output.

root@vSRX-1> show security flow session ?

Possible completions:

  <[Enter]>            Execute this command

  advanced-anti-malware  Show advanced-anti-malware sessions

  application          Application protocol name

  application-firewall  Show application-firewall sessions

  application-firewall-rule-set  Show application-firewall session by rule-set

  application-traffic-control  Show application-traffic-control sessions

  application-traffic-control-rule-set  Show application-traffic-control session by rule-set

  brief                Show brief output (default)

  conn-tag             Session connection tag (0..4294967295)

  destination-port     Destination port (1..65535)

  destination-prefix   Destination IP prefix or address

  dynamic-application  Dynamic application name

  dynamic-application-group  Dynamic application group name

  encrypted            Show encrypted traffic

  extensive            Show detailed output

  family               Protocol family

  idp                  IDP sessions

  interface            Name of incoming or outgoing interface

  nat                  Sessions with network address translation

  policy-id            Policy id value (1..4294967295)

  protocol             IP protocol number

  resource-manager     Sessions with resource manager

  security-intelligence  Show security-intelligence sessions

  session-identifier   Show session with specified session identifier

  source-port          Source port (1..65535)

  source-prefix        Source IP prefix or address

  summary              Show output summary

  tunnel               Tunnel sessions

  |                    Pipe through a command

 

root@vSRX-1> show security flow session source-prefix 172.16.1.100

Session ID: 8357, Policy name: default-permit/5, Timeout: 1794, Valid

  In: 172.16.1.100/49900 --> 65.8.158.60/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 17, Bytes: 2109,

  Out: 65.8.158.60/443 --> 192.168.1.150/19993;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 28, Bytes: 15164,

 

Session ID: 8361, Policy name: default-permit/5, Timeout: 1794, Valid

  In: 172.16.1.100/49901 --> 172.217.194.148/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 14, Bytes: 2192,

  Out: 172.217.194.148/443 --> 192.168.1.150/16600;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 18, Bytes: 6098,

 

Session ID: 8362, Policy name: default-permit/5, Timeout: 1794, Valid

  In: 172.16.1.100/49902 --> 65.8.158.98/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 5, Bytes: 729,

  Out: 65.8.158.98/443 --> 192.168.1.150/10951;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 8, Bytes: 7889,

 

Session ID: 8363, Policy name: default-permit/5, Timeout: 1794, Valid

  In: 172.16.1.100/49903 --> 172.217.26.72/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 23, Bytes: 1975,

  Out: 172.217.26.72/443 --> 192.168.1.150/31457;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 55, Bytes: 67533,

                                       

Session ID: 8364, Policy name: default-permit/5, Timeout: 1794, Valid

  In: 172.16.1.100/49904 --> 65.8.158.98/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 5, Bytes: 741,

  Out: 65.8.158.98/443 --> 192.168.1.150/18040;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 9, Bytes: 8586,

 

Session ID: 8366, Policy name: default-permit/5, Timeout: 1794, Valid

  In: 172.16.1.100/49905 --> 35.201.125.192/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 10, Bytes: 1469,

  Out: 35.201.125.192/443 --> 192.168.1.150/25724;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 10, Bytes: 4166,

 

Session ID: 8367, Policy name: default-permit/5, Timeout: 1796, Valid

  In: 172.16.1.100/49906 --> 67.221.239.62/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 10, Bytes: 1512,

  Out: 67.221.239.62/443 --> 192.168.1.150/15099;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 18, Bytes: 11076,

 

Session ID: 8368, Policy name: default-permit/5, Timeout: 1796, Valid

  In: 172.16.1.100/49907 --> 67.221.239.62/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 11, Bytes: 1566,

  Out: 67.221.239.62/443 --> 192.168.1.150/16508;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 24, Bytes: 16217,

 

Session ID: 8369, Policy name: default-permit/5, Timeout: 1794, Valid

  In: 172.16.1.100/49908 --> 67.221.239.62/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 7, Bytes: 935,

  Out: 67.221.239.62/443 --> 192.168.1.150/2537;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 10, Bytes: 5995,

 

Session ID: 8371, Policy name: default-permit/5, Timeout: 1794, Valid

  In: 172.16.1.100/49909 --> 74.125.24.100/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 13, Bytes: 2007,

  Out: 74.125.24.100/443 --> 192.168.1.150/7490;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 12, Bytes: 4576,

 

Session ID: 8372, Policy name: default-permit/5, Timeout: 1796, Valid

  In: 172.16.1.100/49910 --> 35.244.153.179/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 11, Bytes: 1775,

  Out: 35.244.153.179/443 --> 192.168.1.150/15504;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 10, Bytes: 4067,

 

Session ID: 8375, Policy name: default-permit/5, Timeout: 1796, Valid

  In: 172.16.1.100/49912 --> 74.125.200.154/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 10, Bytes: 1631,

  Out: 74.125.200.154/443 --> 192.168.1.150/23154;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 11, Bytes: 4498,

 

Session ID: 8376, Policy name: default-permit/5, Timeout: 1796, Valid

  In: 172.16.1.100/49913 --> 172.217.194.106/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 10, Bytes: 1811,

  Out: 172.217.194.106/443 --> 192.168.1.150/28429;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 12, Bytes: 1925,

 

Session ID: 8378, Policy name: default-permit/5, Timeout: 1796, Valid

  In: 172.16.1.100/49914 --> 172.217.194.94/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 11, Bytes: 1581,

  Out: 172.217.194.94/443 --> 192.168.1.150/2931;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 13, Bytes: 4402,

 

Session ID: 8380, Policy name: default-permit/5, Timeout: 1796, Valid

  In: 172.16.1.100/49915 --> 74.125.24.154/443;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 10, Bytes: 2017,

  Out: 74.125.24.154/443 --> 192.168.1.150/19539;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 13, Bytes: 5594,

Total sessions: 15

 

2 comments:

  1. Hi John, do you still maintain this site? I am just starting my Juniper journey, wonder if there's way to ask you questions?

    ReplyDelete
  2. Hi, yes I do check and reply to comments for time to time. Just shoot and will reply if I can :)

    ReplyDelete