Juniper How to:

How to go to operational mode from the unix shell in Juniper:
If you are logged in as root you land in the unix shell (prompt root@%). The "cli" command takes you to operational mode (prompt root>), as the following session shows.

root@%
root@% cli
root>

How to go from operational mode to unix shell in juniper:

root> start shell
root@%

How to see the rollback configuration in juniper:
Junos keeps up to 50 previous configurations as backups (rollback 0 is the most recently committed one). To list the auto-saved configurations, enter configuration mode and type "rollback ?"; you get the saved versions with their commit time and author.

root# rollback ?
Possible completions:
              Execute this command
  0                    2017-02-08 00:00:49 UTC by root via cli
  1                    2017-02-03 01:07:53 UTC by root via cli
  2                    2017-02-03 01:07:00 UTC by root via cli
  3                    2015-01-31 13:06:04 UTC by root via other
  |                    Pipe through a command
[edit]

How to roll back to a previous version of the config:
Go to configuration mode and type the rollback command followed by the number of the version you want to return to. The rollback only loads that version into the candidate configuration ("load complete"); it does not take effect until you commit.

root# rollback 1
load complete
[edit]

How to compare the running config with an auto-saved rollback config:
In the following example I am comparing the running config with the rollback 0 configuration.

root# show | compare rollback 0
[edit interfaces ge-0/0/0 unit 0]
-     family inet {
-         address 192.168.2.16/24;

How to check the uptime of an SRX device:

SRX>show system uptime
Current time: 2017-02-14 10:43:54 GMT
System booted: 2017-02-13 02:10:48 GMT (1d 08:33 ago)
Protocols started: 2017-02-13 02:13:29 GMT (1d 08:30 ago)
Last configured: 2017-02-13 02:12:11 GMT (1d 08:31 ago) by root
10:43AM  up 1 day,  8:33, 1 user, load averages: 0.11, 0.13, 0.14

How to check a summary of all interfaces:

SRX>show interfaces terse

How to check interface details and statistics:

SRX>show interfaces extensive

How to check hardware and software details on SRX:

admin@srx> show version
Hostname: srx
Model: srx240h
JUNOS Software Release [12.1X44-D20.3]

How to check security policies in SRX:

SRX#show security policies

How to check configuration in SRX:

show configuration | display set
OR
show configuration

How to check the phase 1 (IKE) and phase 2 (IPsec) security associations in SRX:

SRX>show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
5004726 DOWN   155fd4374a0cb3c2  0000000000000000  Aggressive     x.x.x.x

SRX>show security ipsec security-associations

How to check for down (inactive) tunnels:

 SRX>show security ipsec inactive-tunnels
  Total inactive tunnels: 6
  Total inactive tunnels with establish immediately: 6
  ID     Port  Nego#  Fail#  Flag      Gateway          Tunnel Down Reason
  131078 500   7050   0      600a29    x.x.x.x   P1 SA deleted

How to check current time:

SRX>show system uptime | match current
Current time: 2017-02-24 14:24:23 UTC

How to check route in SRX:

admin@SRX> show route 10.5.198.12
inet.0: 102 destinations, 102 routes (102 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.0.0.0/8         *[Static/5] 46w3d 01:31:45
                    > to 10.5.192.9 via ge-2/0/15.0

How to check security zones on SRX:

admin@SRX> show security zones
Security zone: xxxx
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    xxxxxx

How to check sessions on SRX (the flow session table, filtered by source and destination):

admin@SRX>show security flow session source-prefix x.x.x.x destination-prefix x.x.x.x

To get serial number of SRX device:

SRX> show chassis hardware

Monitoring traffic on an interface (the run prefix executes an operational command from configuration mode):

# run monitor traffic interface fxp0.0 matching "host 10.5.194.4" no-resolve size 1500

How to check which policy matches a given source and destination (all of the arguments are required; the addresses are placeholders):

SRX> show security match-policies from-zone TRUST to-zone UNTRUST source-ip x.x.x.x destination-ip y.y.y.y source-port 1024 destination-port 443 protocol tcp

How to configure a VLAN sub-interface on SRX and bind it to a zone and a routing instance:

set interfaces reth1 unit 91 vlan-id 91
set interfaces reth1 unit 91 family inet address x.x.x.x
set security zones security-zone DMZ1 interfaces reth1.91
set routing-instances vr1 interface reth1.91

How to apply flow trace options on SRX (tracing adds load to the data plane, so delete or deactivate the traceoptions once you are done troubleshooting):

set security flow traceoptions file log-file-name
set security flow traceoptions file size 5m
set security flow traceoptions flag basic-datapath
set security flow traceoptions flag packet-drops
set security flow traceoptions packet-filter p1 source-prefix x.x.x.x/x
set security flow traceoptions packet-filter p1 destination-prefix y.y.y.y/y

show log log-file-name

How to add route in SRX:

set routing-instances vr1 routing-options static route 0.0.0.0/0 next-hop x.x.x.x

How to configure destination NAT (using a static NAT rule) in SRX:

set security nat static rule-set RuleSet1 from zone UNTRUST
set security nat static rule-set RuleSet1 rule RuleNo1 match destination-address 1.1.1.1/32
set security nat static rule-set RuleSet1 rule RuleNo1 then static-nat prefix 10.1.1.1/32

The security policy is evaluated after destination NAT, so it must match the translated address (10.1.1.1), not the public address (1.1.1.1):

set security policies from-zone UNTRUST to-zone DMZ policy Destination-NAT-Policy match source-address any
set security policies from-zone UNTRUST to-zone DMZ policy Destination-NAT-Policy match destination-address NET-10.1.1.1
set security policies from-zone UNTRUST to-zone DMZ policy Destination-NAT-Policy match application TCP-443
set security policies from-zone UNTRUST to-zone DMZ policy Destination-NAT-Policy then permit application-services idp
set security policies from-zone UNTRUST to-zone DMZ policy Destination-NAT-Policy then log session-init
set security policies from-zone UNTRUST to-zone DMZ policy Destination-NAT-Policy then log session-close


How to configure a security policy in SRX:

set security policies from-zone TRUST to-zone UNTRUST policy Allow-OutBound match source-address NET-10.0.0.0-8
set security policies from-zone TRUST to-zone UNTRUST policy Allow-OutBound match destination-address any
set security policies from-zone TRUST to-zone UNTRUST policy Allow-OutBound match application TCP-443
set security policies from-zone TRUST to-zone UNTRUST policy Allow-OutBound then permit
set security policies from-zone TRUST to-zone UNTRUST policy Allow-OutBound then log session-init
set security policies from-zone TRUST to-zone UNTRUST policy Allow-OutBound then log session-close

How to create an address object (in the global address book, or in a zone's own address book):

set security address-book global address H_10.1.1.1 10.1.1.1/32

set security zones security-zone TRUST address-book address H-10.1.1.1 10.1.1.1/32

How to create a new application:

set applications application TCP-443 protocol tcp
set applications application TCP-443 destination-port 443

Check device health and the last reboot reason:

show chassis routing-engine

How to check license on SRX:

SRX>show system license

How to download and install the IDP signature package manually:

SRX>request security idp security-package download
SRX>request security idp security-package download status
SRX>request security idp security-package install
SRX>request security idp security-package install status


Posted in Juniper SRX

Juniper SRX flow

A packet is considered to be part of an existing flow (session) only if it matches all of the following criteria:

  • Source address
  • Destination address
  • Source port
  • Destination port
  • Protocol
  • Unique session token number for zone and virtual router.
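The six-field match above, written out as a small session table in Python. This is an added illustration, not Junos code: the session token is modelled as an integer, the reverse wing is stored with the token of the zone/VR where the reply arrives, and the traffic is constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed model of the SRX flow-match rule (illustration, not Junos code): a packet
# belongs to a session only if all six fields match, the sixth being a token that
# identifies the ingress zone and virtual router.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    token: int  # zone + virtual-router session token (assumed to be an int)

Key = Tuple[str, str, int, int, str, int]

class SessionTable:
    def __init__(self):
        self._sessions: Dict[Key, int] = {}  # 6-tuple -> session id
        self._next_id = 1

    @staticmethod
    def _key(p: Packet) -> Key:
        return (p.src, p.dst, p.sport, p.dport, p.proto, p.token)

    def lookup(self, p: Packet) -> Optional[int]:
        """Session id the packet belongs to, or None if it is not part of any flow."""
        return self._sessions.get(self._key(p))

    def install(self, first: Packet, reply_token: int) -> int:
        """Open a session from its first packet. Both the forward wing and the
        reverse wing (addresses and ports swapped, token of the zone/VR where the
        reply will arrive) are stored so that reply packets match the same flow."""
        sid = self._next_id
        self._next_id += 1
        self._sessions[self._key(first)] = sid
        reverse = Packet(first.dst, first.src, first.dport, first.sport, first.proto, reply_token)
        self._sessions[self._key(reverse)] = sid
        return sid

def demo() -> Tuple[int, Optional[int], Optional[int]]:
    # constructed traffic: a TCP session from trust (token 1) to untrust (token 2)
    table = SessionTable()
    syn = Packet("10.1.1.5", "203.0.113.10", 40000, 443, "tcp", token=1)
    sid = table.install(syn, reply_token=2)
    reply = Packet("203.0.113.10", "10.1.1.5", 443, 40000, "tcp", token=2)
    other_vr = Packet("10.1.1.5", "203.0.113.10", 40000, 443, "tcp", token=7)
    # the reply matches the session; the same 5-tuple in another zone/VR does not
    return sid, table.lookup(reply), table.lookup(other_vr)
```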


Posted in Juniper SRX

Create a self-signed root CA certificate with Python using pyOpenSSL (the OpenSSL module)

# The following script creates a self-signed root CA certificate with pyOpenSSL.
from OpenSSL import crypto
from os.path import join
import random

CN = input("Enter the common name of the certificate you want: ")
certfile = join(".", "%s.crt" % CN)  # certificate file; %s is replaced with CN
keyfile = join(".", "%s.key" % CN)   # private key file; %s is replaced with CN

# generate a 2048-bit RSA key pair for the CA
k = crypto.PKey()
k.generate_key(crypto.TYPE_RSA, 2048)
serialnumber = random.getrandbits(64)

# create a self-signed cert
cert = crypto.X509()
cert.set_version(2)  # X.509 v3, required for the extensions added below
cert.get_subject().C = input("Country: ")
cert.get_subject().ST = input("State: ")
cert.get_subject().L = input("City: ")
cert.get_subject().O = input("Organization: ")
cert.get_subject().OU = input("Organizational Unit: ")
cert.get_subject().CN = CN
cert.set_serial_number(serialnumber)
cert.gmtime_adj_notBefore(0)
cert.gmtime_adj_notAfter(31536000)  # 31536000 seconds = 1 year
cert.set_issuer(cert.get_subject())  # self-signed: issuer is the subject itself
cert.set_pubkey(k)
# mark the certificate as a CA so that it can be used to sign other certificates
cert.add_extensions([
    crypto.X509Extension(b"basicConstraints", True, b"CA:TRUE"),
    crypto.X509Extension(b"keyUsage", True, b"keyCertSign, cRLSign"),
])
cert.sign(k, 'sha512')

pub = crypto.dump_certificate(crypto.FILETYPE_PEM, cert)
priv = crypto.dump_privatekey(crypto.FILETYPE_PEM, k)
with open(certfile, "wt") as f:
    f.write(pub.decode("utf-8"))
with open(keyfile, "wt") as f:
    f.write(priv.decode("utf-8"))

Posted in Python

Know the hardware details of a port on a Palo Alto Networks firewall

To find out whether a port is a copper Ethernet port or a fiber (SFP) port, we can use the following command:

Command:
show system state filter sys.s1.p24.phy
Output:
sys.s1.p24.phy: { 'link-partner': { }, 'media': SFP-Plus-Empty, 'type': Ethernet, }

The above command shows the details of port 24. The media value SFP-Plus-Empty means it is an SFP+ port, i.e. a 10 Gig port ("Empty" indicating that no transceiver is currently inserted).

Replace 24 with the number of any port whose details you want.

Posted in paloalto networks

Configure Palo Alto from CLI

Sometimes when we paste configuration into the CLI of a PA firewall we get "Invalid syntax." even though the syntax is correct. It generally happens when pasting bulk configuration, because the terminal cannot keep up with the input.

We can overcome the "Invalid syntax." error by widening the terminal and turning on scripting mode, as follows:

admin@PA>set cli terminal width 500
admin@PA>set cli terminal height 500
admin@PA>set cli scripting-mode on
admin@PA>configure
admin@PA#

Now paste the commands.

Posted in paloalto networks

Untar files in linux

To extract a tar file (compressed or not; tar detects the compression), use the following command:
tar -xf <name of the file>

To extract the file into a new directory, use the following command:
mkdir techsupport && tar -xf techsupport.tgz -C techsupport

Posted in Linux

Path monitoring in V-Wire (Virtual Wire) mode on Palo Alto Networks firewalls

We can have path monitoring configured even if all the interfaces of a Palo Alto firewall are in V-Wire mode. We have to specify an unused IP address for the firewall to use as its source and an IP address that the firewall will keep pinging for path monitoring.

(screenshot: v-wire-path-monitoring)

In the above screenshot I have given the firewall the IP address 10.50.240.230 to use for path monitoring. The firewall will ping 10.50.240.81 with 10.50.240.230 as the source.

Posted in paloalto networks