If you run a Juniper cluster, from time to time you need to connect from one node to another, for example to reboot the second node or simply to check its system status.
Let's say you log onto node 0 and you want to reboot node 1.
Connect to node 1:
root@firewall> request routing-engine login node 1
Once you are connected to node 1, you can simply request a system reboot:
root@firewall> request system reboot
I hope you enjoy this command; it has made my life easier a few times.
by Renato de Oliveira
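An added example, not part of the original post: before rebooting node 1, check which node is primary for the redundancy groups, because rebooting a node that is currently primary for redundancy-group 1 (the data plane) causes a failover with a short traffic interruption, whereas rebooting the secondary does not. The hostname and the single redundancy-group number are assumptions.

```junos
## Added example (not from the post). Hostname "firewall" and a single
## data-plane redundancy-group 1 are assumptions; adjust to your cluster.
## 1. See which node is primary for each redundancy group.
root@firewall> show chassis cluster status
## 2. If node 1 is primary for redundancy-group 1, move it to node 0 first,
##    so the reboot of node 1 does not trigger an unplanned failover.
root@firewall> request chassis cluster failover redundancy-group 1 node 0
## 3. Confirm node 0 is now primary (the output shows "Manual failover").
root@firewall> show chassis cluster status redundancy-group 1
## 4. Log on to node 1 and reboot it, as described in the post.
root@firewall> request routing-engine login node 1
root@firewall> request system reboot
## 5. Once node 1 is back, clear the manual failover flag so configured
##    priorities and preemption apply again.
root@firewall> request chassis cluster failover reset redundancy-group 1
root@firewall> show chassis cluster status
```

Redundancy-group 0 is the control plane; the node that is secondary for it can be rebooted without touching traffic, which is why only the data-plane groups need the failover step.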
I have been living in England for a long time. I've learnt many good things here, my wife is English, my children are English. This is where I have been living my adult life. I would like to share IT knowledge and experience. If you can benefit from this blog, I will be happy.
Showing posts with label Juniper.
Tuesday, 23 April 2013
Wednesday, 27 March 2013
IT projects I have successfully worked on and completed (Firewalls SRX)
IT projects I have successfully worked on and completed, continued...
Firewall setup: Juniper SRX 240H
For some reason many financial institutions like Cisco; at least the ones I have dealt with mostly use Cisco. What a pity!
I personally used the Juniper SSG F25 (running ScreenOS) for many years and I just loved it. I think it is easy to set up, it is robust, it is reliable and I love the concept of "Zones".
By the way, "Zones" was something that Juniper developed, not Cisco as many think.
So I thought of using Juniper SSG F25s, but after talking to a few people and doing some research I discovered the SRX range.
We decided to use the Juniper SRX 240H. This security gateway has an amazing 16 Gigabit Ethernet ports and 1GB of memory, not to mention that Juniper's support is the best I have ever used. Juniper engineers are knowledgeable and helpful; they know their stuff.
One of the requirements was that the site must be available at all times; we only fail over to our DR site if our live site is completely down.
With that in mind, I decided to use an HA cluster and bought two Juniper SRXs.
The Juniper cluster has been up since I finished the setup a year ago. They are stable, robust and reliable.
There are two ways of configuring a Juniper SRX:
1. Using the web interface (J-Web). The interface is very intuitive and easy to use (it is not confusing like some firewalls out there, i.e. SonicWall and Cisco ASA).
2. Via the command line. The command line is quick and reliable, and the commands are just named right.
There are aspects I prefer to configure via the command line, and some other parts are just nice to configure using J-Web.
Another strong point in favour of the Juniper SRX is its price compared to, for example, Cisco. If you were to buy a Cisco device with the same number of Gigabit interfaces (16), memory and features, it would cost three times the Juniper price.
Setting up an IPsec VPN is easy and quick, and also very easy to troubleshoot: there is a feature called "traceoptions" that makes your work much more pleasurable.
I think for administrators it is a great product, and for the business it is great value for money. Robust, secure and reliable.
Some SRX features
- User processes are separated from the kernel. If a user process crashes, the system continues to run fine, as it does not affect the kernel.
I could list loads of features here, but there is a nice PDF with many really cool and interesting features; check it out:
Specification
Memory: 1GB
Firewall performance (max): 1.8 Gbps
IPS performance (NSS 4.2.1): 230 Mbps
AES256+SHA-1 / 3DES+SHA-1 VPN performance: 300 Mbps
Maximum concurrent sessions: 128 K (Base) / 256 K (High Mem)
New sessions/second (sustained, TCP, 3-way): 8,500
Maximum security policies: 4,096
Maximum users supported: Unrestricted
WAN / LAN fixed ports: 16 x 10/100/1000BASE-T
CX111 3G/4G modem support: Yes
WAN / LAN PIMs:
- T1/E1
- ADSL2 Annex A
- ADSL2 Annex B
- G.SHDSL
- VDSL2 Annex A
- DOCSIS 3.0 Cable Modem
- GbE SFP
- Sync Serial
High-availability support: Yes
Labels:
Firewall,
Juniper,
Project,
Security Gateway,
SRX 240
Location:
Cambridge, Cambridgeshire CB3, UK
Monday, 25 March 2013
Network design, install and configuration
I have decided to share my experiences with you and show you most things about networks.
I am going to start from scratch and write posts on how to:
- How to Install Windows 2008
- Setup network
- Active Directory
- DNS
- DHCP
- etc
- How to Install Redhat 6
- Setup the Network
- Integrate Linux to Active directory
- Setup most config files under /etc
- NFS
- SAMBA
- How to Set up Citrix
- How to Setup Juniper SRX Security gateway
- How to Setup NetApp Ontap 8.1
I am going to give you ideas on how to plan your AD, your DNS naming and your IP address scheme, and how to position your clients on the network.
I will discuss DMZs, VLANs, security, SSH and locking down Linux.
I will have recommendations on security and patch management for Windows, and design considerations for your network.
Resiliency and redundancy will be discussed also.
If you want to benefit from this blog, just keep visiting it; it will be your one-stop shop for most network systems.
My plan is to write a new post about some topic every day.
I already have a few posts and I will link each post to the next, so you can easily follow up.
If you have suggestions, please let me know; I will try my best to accommodate your suggestions and also write about them.
I hope you will enjoy and learn all this exciting stuff related to IT.
Many thanks
Renato Oliveira
Labels:
Active Directory,
Citrix,
Design,
DHCP,
DMZ,
DNS,
Juniper,
Linux,
NetApp,
Networks,
NFS,
Redhat 6.2,
SAMBA,
Security,
SSH,
VLANs,
Windows 2008
Monday, 18 March 2013
Juniper SRX minor system alarms
Recently we replaced one of our Juniper SRX firewalls and I had to put the new one into the cluster.
Once I had finished configuring the new device, I ran a few commands to make sure everything was OK: I wanted to make sure the cluster was running smoothly and the system was behaving properly.
Then I came across two minor system alarms:
root@firewall-a01> show system alarms
2 alarms currently active
Alarm time Class Description
2013-02-26 16:11:35 UTC Minor Rescue configuration is not set
2013-02-26 16:11:36 UTC Minor Autorecovery information needs to be saved
root@firewall-a01> show chassis craft-interface
All the Juniper firewall is telling us is that we need to:
1) Set the rescue configuration:
root@firewall-a01> request system configuration rescue save
2) Save the autorecovery state:
root@firewall-a01> request system autorecovery state save
This will take care of these minor alarms and everything will look nice and green.
I think these are nice features provided by Juniper. Creating a restore point at a time when you know things were working fine, so you can restore easily and quickly, is just good thinking.
Autorecovery
To save the current state of the disk partitioning, configuration and licenses for autorecovery:
root@firewall-a01> request system autorecovery state save
To clear all saved autorecovery information:
root@firewall-a01> request system autorecovery state clear
To perform checks and show the status of all autorecovered items:
root@firewall-a01> show system autorecovery state
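As an added example (not from the post), this is how the rescue configuration is actually used as the restore point described above, on the same firewall-a01 hostname. The `commit confirmed` timer value is an assumption; the commands themselves are standard Junos.

```junos
## Added example (not from the post). Hostname from the post; the 5-minute
## confirm timer is an assumption.
## 1. Save the current, known-good configuration as the rescue configuration.
root@firewall-a01> request system configuration rescue save
## 2. When making a risky change, commit with a timer: if you lose access and
##    never confirm, Junos rolls the change back on its own.
root@firewall-a01> configure
root@firewall-a01# commit confirmed 5
root@firewall-a01# commit
## 3. If a change has already broken the box, load the rescue configuration,
##    review the diff against the running config, then commit it.
root@firewall-a01# rollback rescue
root@firewall-a01# show | compare
root@firewall-a01# commit and-quit
## 4. Remove a stale rescue configuration (the minor alarm will come back
##    until a new one is saved).
root@firewall-a01> request system configuration rescue delete
```

Re-save the rescue configuration after every planned change you are happy with; otherwise a later `rollback rescue` restores an older state than you expect.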
According to the Juniper website:
Amber and steadily on indicates a major alarm, such as low memory (less than 10% remaining), session full, maximum number of VPN tunnels reached, HA status change, or redundant group member not found.
Troubleshooting amber lights on the SRX
root@firewall-a01> show chassis craft-interface
You should see output similar to the one below (a * marks an LED that is lit, a . one that is off):
Front Panel System Indicator:
Routing Engine 0
-----------------------------
OK *
Front Panel Alarm Indicator:
----------------------------
RED .
ORANGE *
Front Panel HA Indicator:
-------------------------
GREEN .
Front Panel PS Indicator:
PS 0
-------------------------
RED .
GREEN *
I hope this will help you guys.
by Renato de Oliveira
Tuesday, 26 February 2013
Setting up an IPsec site-to-site VPN on a Juniper SRX
I have been tasked with setting up another site-to-site IPsec VPN. We needed to connect to a partner and I had to get it sorted.
The first step: whenever we need to connect to a third-party company, they will most certainly provide us with a VPN form, which we need to complete.
The form will request various pieces of information, such as:
- Public IP address
- Firewall used (Make and Model)
- Private IPs or subnets which need to access the VPN
Once you have completed the form and sent it back, you will probably receive the VPN parameters. Sometimes the form to be completed already includes the VPN parameters.
I am going to describe the VPN setup with a fictitious third-party company name.
VPN Parameters
Company Name: LivingUK
Phase1
Auth method – Pre Shared Key
Encrypt - aes128
Hash - sha1
Group2
Lifetime in seconds 36400
Phase2
Encrypt - aes128
Hash - sha1
Lifetime in seconds 36400
You have to match the above parameters to Juniper Junos parameters (most of the time your peer will not be a Juniper):
Proposal
Authentication Algorithm: Sha1
Authentication method: pre-shared-keys
Descriptions: "LivingUK P1"
DH Group: group2
Encryption Algorithm: aes-128-cbc
Lifetime seconds: 3600
IKE Policy
Mode: main
IKE Gateway
Policy: "PolicyName"
Setup Phase I
set interfaces st0 unit 30 description "Tunnel Name"
Create a Phase I proposal:
set security ike proposal "VPNPartner P1 Name" description "VPN Partner Name"
set security ike proposal "VPNPartner P1 Name" authentication-method pre-shared-keys
set security ike proposal "VPNPartner P1 Name" dh-group group2
set security ike proposal "VPNPartner P1 Name" authentication-algorithm sha1
set security ike proposal "VPNPartner P1 Name" encryption-algorithm aes-128-cbc
set security ike proposal "VPNPartner P1 Name" lifetime-seconds 86400
set security ike policy "IKEPolicyName" mode main
set security ike policy "IKEPolicyName" proposals "VPNPartner P1 Name"
set security ike policy "IKEPolicyName" pre-shared-key ascii-text "Your VPN Key"
set security ike gateway "IkeGatewayVPN" ike-policy "IKEPolicyName"
set security ike gateway "IkeGatewayVPN" address "Peer IP Address"
set security ike gateway "IkeGatewayVPN" external-interface reth0.0
Setup Phase II
set security ipsec proposal "IPSEC VPNPartner P2 Name" description "PhaseII"
set security ipsec proposal "IPSEC VPNPartner P2 Name" protocol esp
set security ipsec proposal "IPSEC VPNPartner P2 Name" authentication-algorithm hmac-sha1-96
set security ipsec proposal "IPSEC VPNPartner P2 Name" encryption-algorithm aes-128-cbc
set security ipsec proposal "IPSEC VPNPartner P2 Name" lifetime-seconds 28800
set security ipsec policy "IpsecPolicyP2" description "Ipsec P2 Policy"
set security ipsec policy "IpsecPolicyP2" perfect-forward-secrecy keys group2
set security ipsec policy "IpsecPolicyP2" proposals "IPSEC VPNPartner P2 Name"
set security ipsec vpn "VPNNameAK" bind-interface st0.30
set security ipsec vpn "VPNNameAK" ike gateway "IkeGatewayVPN"
set security ipsec vpn "VPNNameAK" ike proxy-identity local <Local IP or subnet to be used as ID>
set security ipsec vpn "VPNNameAK" ike proxy-identity remote <Remote IP or subnet to be used as ID>
set security ipsec vpn "VPNNameAK" ike ipsec-policy "IpsecPolicyP2"
set security ipsec vpn "VPNNameAK" establish-tunnels immediately
set security nat source rule-set LANOut rule "NATRuleName" match source-address <Local IP or subnet to be matched>
set security nat source rule-set LANOut rule "NATRuleName" match destination-address <Remote IP to be matched>
set security nat source rule-set LANOut rule "NATRuleName" then source-nat off
Note: This is not finished yet. I need to explain each parameter used within this configuration.
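The configuration above creates the IKE gateway, the IPsec VPN bound to st0.30 and the NAT exemption, but a route-based VPN only passes traffic once the tunnel interface sits in a security zone, a route sends the partner's subnet into the tunnel, security policies permit the traffic, and IKE is allowed in on the external interface. The block below is an added example, not part of the original post, showing those remaining pieces in the same `set` style and using the object names from the post. The zone names (trust, untrust, vpn), the address-book names, the st0.30 address and the 10.10.0.0/24 and 10.20.0.0/24 subnets are assumed placeholders, and the zone-level address-book syntax is the Junos 11.x form.

```junos
## Added example (not from the post). Zones, address names, subnets and the
## st0.30 address are assumptions; names in quotes come from the post.

## 1. Address the tunnel interface and place it in its own zone, so that
##    tunnel traffic is policed separately from the untrust zone.
set interfaces st0 unit 30 family inet address 10.255.30.1/30
set security zones security-zone vpn interfaces st0.30

## 2. Route the partner's subnet into the tunnel.
set routing-options static route 10.20.0.0/24 next-hop st0.30

## 3. Permit only the agreed subnets, in both directions. The subnets must
##    match the proxy-identity local/remote values set on the VPN object.
set security zones security-zone trust address-book address local-lan 10.10.0.0/24
set security zones security-zone vpn address-book address partner-lan 10.20.0.0/24
set security policies from-zone trust to-zone vpn policy to-partner match source-address local-lan
set security policies from-zone trust to-zone vpn policy to-partner match destination-address partner-lan
set security policies from-zone trust to-zone vpn policy to-partner match application any
set security policies from-zone trust to-zone vpn policy to-partner then permit
set security policies from-zone vpn to-zone trust policy from-partner match source-address partner-lan
set security policies from-zone vpn to-zone trust policy from-partner match destination-address local-lan
set security policies from-zone vpn to-zone trust policy from-partner match application any
set security policies from-zone vpn to-zone trust policy from-partner then permit

## 4. Allow IKE (UDP/500, and NAT-T on UDP/4500) to terminate on the
##    external interface the gateway uses.
set security zones security-zone untrust interfaces reth0.0 host-inbound-traffic system-services ike
commit

## 5. Verify: the IKE SA should be UP and the IPsec SA should show both an
##    inbound and an outbound direction for the st0.30 tunnel.
run show security ike security-associations
run show security ipsec security-associations
```

If the IKE SA never comes up, `set security ike traceoptions` (the "traceoptions" feature mentioned in the earlier post) logs each proposal mismatch. Two things to check in the post's own configuration: the proxy-identity local and remote values must be exactly the subnets the partner configured on their side, and the `source-nat off` rule must be ordered above any catch-all rule in the LANOut rule-set (`insert security nat source rule-set LANOut rule "NATRuleName" before rule <catch-all>`), otherwise the catch-all translates tunnel traffic before the exemption is reached.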
Labels:
IPSec VPN,
Juniper,
Security Gateway,
Site to Site VPN,
SRX 240,
VPN
Location:
Cambridge, Cambridgeshire CB3, UK
Monday, 18 February 2013
Configuring Juniper SRX (some commands)
How to save config to a File:
root@fw-name# save <config-11-21-10-version-1>
How to restart Firewall
root@srx100-01> request system reboot
How to display systems alarms
root@srx100-01> show system alarms
How to set System hostname
root@srx100-01# set system host-name <hostname>
How to set the system domain name on Juniper SRX
admin@srx100-01# set system domain-name <domainname>
How to set the nameserver or resolvers for your SRX
admin@srx100-01# set system name-server <IP Nameserver>
How to set the root password
root@srx100-01# set system root-authentication plain-text-password
How to create a user on Juniper SRX
root@srx100-01# set system login user <username> class super-user
How to set the new user's password on Juniper
root@srx100-01# set system login user renato authentication plain-text-password
How to create a read-only user on SRX
admin@srx100-01# set system login user readonly class read-only
How to display the Junos version
root@srx100-01# show version
How to set Time Zone
root@srx100-01# set system time-zone Europe/London
How to set Date and Time
root@srx100-01> set date 201302170917.32
Note: The command above can be explained as follows:
2013 (year), 02 (month), 17 (day of month), 0917.32 (09:17:32am - nine o'clock, seventeen minutes and thirty two seconds a.m)
How to set Juniper to sync date and time from NTP server
root@srx100-01> set date ntp <NTPSERVER>
How to setup 2 NTP servers and have one as a preferred one
root@srx100-01# set system ntp server <NTPSERVER> version 4 prefer
root@srx100-01# set system ntp server <NTPSERVER> version 4
How to setup NTP server at boot time
root@srx100-01# set system ntp boot-server <NTPSERVER>
How to show the NTP servers configured on Juniper
root@srx100-01# show system ntp
How to show NTP status
root@srx100-01> show ntp status
How to show the Uptime for a Juniper firewall
root@srx100-01> show system uptime | match current
How to troubleshoot NTP problems
root@srx100-01> show log messages | match ntp
Labels:
Command Line,
Firewall,
Juniper,
Juniper Commands,
Junos CLI,
Security,
Security Gateway,
SRX
Location:
Cambridge, Cambridgeshire CB3, UK
Saturday, 16 February 2013
How to replace a broken node in a Juniper SRX HA cluster
A couple of weeks ago, one of our Juniper SRXs failed. Just as well I had invested the money and time in setting up an HA cluster.
I think these devices are very robust, and it came as a big surprise to find this device completely failed for apparently no reason.
There were no lights on the front panel and no access via the console; I had to pull its plug out and even so it did not come back alive.
The replacement is very easy. I logged a call with Juniper and received the replacement SRX the following day.
One thing I would like to point out: Juniper support so far has been fantastic, and their engineers' knowledge is high level. I am very happy not only to use Juniper's devices but also to recommend them.
Replacement How To
1. Check the OS version on your existing one:
root@srx100-01# show version (hit ENTER)
## Last changed: 2013-02-16 05:13:37 GMT
version 11.2R4.3;
2. Connect your SRX to your laptop or PC via the console port using the console cable.
3. Power the Juniper replacement on and check its version:
root@srx100-01# show version (hit ENTER)
Note: both nodes must be running the same OS version.
4. I am going to assume both devices are on the same OS version.
Note: I'll write another How to later about how to upgrade the OS on an Juniper SRX.
5. Delete the configuration on your replacement device:
root@srx100-01# delete (hit ENTER)
Note: this command will delete the whole configuration and leave your device blank
6. Set the root password:
root@srx100-01# set system root-authentication plain-text-password (hit ENTER)
7. Commit the changes:
root@srx100-01# commit
8. The following steps will require some knowledge of your existing cluster and how it is set up:
* Cluster-id (ID)
* Node number (No.)
9. Once you have at hand your cluster ID and the node number, type in the following command:
root@srx100-01> set chassis cluster cluster-id 1 node 0 reboot
Note: the command above will set your new Juniper to be part of cluster 1 as node 0, and then it will reboot.
10. Log on to the existing Juniper SRX and save the configuration to a file under /root:
root@srx100-01# save config_Juniper_SRX
11. Copy the config file config_Juniper_SRX to the new SRX.
Note: You can use a USB memory stick to transfer the file.
12. Once you have copied the file config_Juniper_SRX to /root, run the following command:
root@srx100-01# load override /root/config_Juniper_SRX
13. Commit the changes
root@srx100-01# commit
root@srx100-01> show configuration | display set
Note: I always compare both devices and make sure the config is the same.
14. root@srx100-01# exit
15. Halt the system, with the command below:
root@srx100-01> request system halt
16. Connect the fabric and control ports
17. Power your new SRX on
18. Once the New Firewall has booted, check cluster status
root@srx100-01# show chassis cluster status
root@srx100-01# show chassis fpc pic-status
19. Check if there are any alarms on your new SRX:
root@srx100-01> show system alarms
Note: There might be two minor alarms, I will talk about that in the next posts.
Your cluster should be fully online and operating well by now.
By Renato