Categories
Networking

Can’t ping Juniper SRX

Assign the interface to the security zone

#set security zones security-zone untrust interfaces ge-0/0/0

Enable ping in the security zone

#set security zones security-zone untrust host-inbound-traffic system-services ping
#commit check
#commit

Juniper SRX Install Software

Initial check

user@host> request system snapshot
user@host> request system snapshot media internal

Installing image

user@host> request system software add [package location]/[package name] reboot
user@host> request system software add "ftp://test.jnpr.net/pub/junos/7.5R2.8/jinstall-7.5R2.8-domestic-signed.tgz" reboot
user@host> request system software add /var/tmp/7.5R2.8/jinstall-7.5R2.8-domestic-signed.tgz reboot

Other options

user@host> request system software add /var/tmp/7.5R2.8/jinstall-7.5R2.8-domestic-signed.tgz no-validate no-copy reboot

Installing step by step

user@host> file copy ftp://username:prompt@ftp.hostname.net/filename /var/tmp/
user@host> request system software add /var/tmp/jinstall-8.x-package-name-signed.tgz
user@host> request system reboot

Make the backup (alternate) slice a copy of the primary

user@host> request system snapshot slice alternate

Nmap basic commands to check ports

nmap [HOSTNAME]
nmap localhost
nmap xx.xx.xx.xx
nmap -p 1-65535 localhost
nmap -p 80,443 8.8.8.8

Multiple IP Addresses

nmap 1.1.1.1 8.8.8.8
nmap 1.1.1.1,2,3,4
nmap 8.8.8.0/28
nmap 8.8.8.1-14
nmap 8.8.8.*
nmap 8.8.8.* --exclude 8.8.8.5
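The address forms above (comma lists and ranges inside an octet, CIDR, the `*` wildcard and `--exclude`) decide exactly which hosts a scan touches, so it is worth being able to enumerate them before running anything. The following is an added example, not part of the original notes and not nmap's own code: a small expander that models that target syntax for IPv4 specs (hostnames such as `localhost` are deliberately not resolved).

```python
"""Expand nmap-style IPv4 target specifications into the hosts they cover.

Added example (not from the original notes, not nmap code). It models the
target syntax used in the commands above: single hosts, CIDR (8.8.8.0/28),
per-octet ranges (8.8.8.1-14), per-octet lists (1.1.1.1,2,3,4), wildcards
(8.8.8.*) and --exclude. Hostnames are not resolved here.
"""
import ipaddress
import itertools
from typing import Dict, Iterable, List


def _octet_values(field: str) -> List[int]:
    """Expand one octet field ('5', '*', '1-14', '1,2,3' or a mix) into sorted ints."""
    values = set()
    for piece in field.split(","):
        if piece == "*":
            values.update(range(256))
            continue
        if "-" in piece:
            lo, hi = piece.split("-", 1)
            lo_i = int(lo) if lo else 0     # nmap reads '-14' as 0-14 ...
            hi_i = int(hi) if hi else 255   # ... and '1-' as 1-255
        else:
            lo_i = hi_i = int(piece)
        if not 0 <= lo_i <= hi_i <= 255:
            raise ValueError(f"octet field out of range: {piece!r}")
        values.update(range(lo_i, hi_i + 1))
    return sorted(values)


def expand_spec(spec: str) -> List[str]:
    """Expand one target spec into dotted-quad strings."""
    if "/" in spec:
        # CIDR: like nmap, include the network and broadcast addresses
        return [str(ip) for ip in ipaddress.ip_network(spec, strict=False)]
    fields = spec.split(".")
    if len(fields) != 4:
        raise ValueError(f"not an IPv4 target spec: {spec!r}")
    octets = [_octet_values(f) for f in fields]
    return [".".join(map(str, combo)) for combo in itertools.product(*octets)]


def expand_targets(specs: Iterable[str], exclude: Iterable[str] = ()) -> List[str]:
    """Expand the positional targets of an nmap command minus any --exclude specs, keeping order."""
    excluded = set()
    for spec in exclude:
        excluded.update(expand_spec(spec))
    ordered: Dict[str, None] = {}
    for spec in specs:
        for ip in expand_spec(spec):
            if ip not in excluded:
                ordered.setdefault(ip, None)
    return list(ordered)


if __name__ == "__main__":
    # Constructed inputs mirroring the commands in the notes above
    for specs, excl in ((["1.1.1.1,2,3,4"], []), (["8.8.8.0/28"], []),
                        (["8.8.8.1-14"], []), (["8.8.8.*"], ["8.8.8.5"])):
        hosts = expand_targets(specs, excl)
        print(f"{specs} exclude {excl}: {len(hosts)} hosts, first {hosts[:3]}")
```

Run it with a spec you are about to scan and compare the count against what you expect; a `/28` quietly covers 16 addresses including the network and broadcast, and `8.8.8.*` covers 256.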

Top ports

nmap --top-ports 10 192.168.1.1

Scan from a text file

nmap -iL list.txt

Save to file

nmap -oN output.txt localhost
nmap -oX output.xml localhost
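The XML written by `-oX` is the form worth keeping, because it can be parsed and diffed against an allow-list of ports that are supposed to be exposed. Below is an added example, not part of the original notes: a parser for the `host`/`ports`/`port` elements of an nmap XML report, run here over a constructed, cut-down sample in the shape nmap writes (only the elements the parser reads are included), plus a check that reports open ports missing from an allow-list.

```python
"""Summarise an nmap -oX report: open ports per host, and flag ones not on an allow-list.

Added example, not part of the original notes. SAMPLE_XML is a constructed
sample in the shape nmap writes with -oX; real reports carry many more
elements, which this parser simply ignores.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX output.xml 192.168.1.0/30">
  <host>
    <status state="up"/>
    <address addr="192.168.1.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.168.1.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="830"><state state="open"/><service name="netconf"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.168.1.3" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

Report = Dict[str, List[Tuple[str, int, str]]]


def open_ports(xml_text: str) -> Report:
    """Return {ip: [(protocol, port, service_name), ...]} for hosts that are up, open ports only."""
    root = ET.fromstring(xml_text)
    report: Report = {}
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no port data worth reporting
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ports = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            ports.append((port.get("protocol", ""), int(port.get("portid", "0")), name))
        report[addr.get("addr", "")] = sorted(ports, key=lambda p: (p[0], p[1]))
    return report


def unexpected_open(report: Report, allowed: Dict[str, Set[int]]) -> List[Tuple[str, str, int, str]]:
    """Open ports that are not in the allow-list {ip: {port, ...}}: the ones to review after a scan."""
    findings = []
    for ip, ports in report.items():
        for proto, port, svc in ports:
            if port not in allowed.get(ip, set()):
                findings.append((ip, proto, port, svc))
    return findings


if __name__ == "__main__":
    report = open_ports(SAMPLE_XML)  # replace with open("output.xml").read() for a real scan
    for ip, ports in report.items():
        print(ip, ports)
    # Constructed allow-list: only ssh and https are expected on the gateway
    for finding in unexpected_open(report, {"192.168.1.1": {22, 443}}):
        print("unexpected:", finding)
```

Swap `SAMPLE_XML` for the contents of the file produced by `nmap -oX output.xml ...` and feed `unexpected_open` the set of ports each host is supposed to expose; anything it returns is either an undocumented service or a gap in the allow-list.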

OS and service detection

nmap -A -T4 localhost

Service and Daemon version

nmap -sV localhost

Juniper Ansible Playbook setup

Check if netconf is enabled

ssh admin@xx.xx.xx.xx -p 830 -s netconf

Juniper SRX setup

Initialise

root%            <-- Shell
root% cli        <-- Enter operational CLI mode
root>            <-- Logged in to operational CLI mode
root> configure  <-- Enter configuration mode
root#            <-- Logged in to configuration mode

Creating password

root# set system root-authentication plain-text-password

New password:
Retype new password:

root# set system host-name srx
root# commit

commit complete

root@srx#

Interfaces

#delete interfaces ge-0/0/0
#delete interfaces ge-0/0/1
#set interfaces ge-0/0/0 unit 0 family inet address 192.168.100.38/24
#set interfaces ge-0/0/1 unit 0 family inet address 192.168.239.1/24

Default route

#set routing-options static route 0.0.0.0/0 next-hop 192.168.100.1

Security zones: INTERNAL (ge-0/0/1.0, allowing ping and ssh) and internet (ge-0/0/0.0)

#set security zones security-zone INTERNAL interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
#set security zones security-zone INTERNAL interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
#set security zones security-zone internet interfaces ge-0/0/0.0

The outside interface goes in its own zone; the policies and NAT rule-set below reference it as internet. Zone names are case-sensitive, so the same spelling must be used everywhere.

Address book entries

#set security zones security-zone INTERNAL address-book address network_239 192.168.239.0/24

Security policies

#delete security policies
#set security policies from-zone INTERNAL to-zone internet policy allow-internal-clients match source-address network_239
#set security policies from-zone INTERNAL to-zone internet policy allow-internal-clients match destination-address any
#set security policies from-zone INTERNAL to-zone internet policy allow-internal-clients match application any
#set security policies from-zone INTERNAL to-zone internet policy allow-internal-clients then permit

Nat for internal clients

#delete security nat
#set security nat source rule-set internal-to-internet from zone INTERNAL
#set security nat source rule-set internal-to-internet to zone internet
#set security nat source rule-set internal-to-internet rule internet-access match source-address 192.168.239.0/24
#set security nat source rule-set internal-to-internet rule internet-access match destination-address 0.0.0.0/0
#set security nat source rule-set internal-to-internet rule internet-access then source-nat interface
#commit

Enable specific incoming system service traffic

#set security zones security-zone INTERNAL host-inbound-traffic system-services all
#set security zones security-zone INTERNAL host-inbound-traffic system-services ftp except
#set security zones security-zone INTERNAL host-inbound-traffic system-services http except
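Most of the set commands above only make sense as a group: a policy or a NAT rule-set names zones, and a policy's source-address names an entry in the from-zone's address book. Junos zone names are case-sensitive, so `internal` and `INTERNAL` are two different zones, and a reference to one that was never defined is rejected at `commit check`. The script below is an added example, not part of the original notes and not a Junos tool: it reads plain `set security ...` lines (a constructed configuration with exactly that kind of inconsistent casing) and lists the dangling references before you paste anything into the box. Its regexes only understand the command forms used in these notes.

```python
"""Find dangling zone and address-book references in SRX 'set security' lines.

Added example, not part of the original notes and not a Junos tool. CONFIG is
a constructed configuration that mixes 'internal' and 'INTERNAL'; the check
reports every reference to a zone or address that was never defined. Only the
command forms used in these notes are recognised.
"""
import re
from typing import Dict, List, Set

CONFIG = """
set security zones security-zone INTERNAL interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone INTERNAL interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh
set security zones security-zone internet interfaces ge-0/0/0.0
set security zones security-zone INTERNAL address-book address network_239 192.168.239.0/24
set security policies from-zone internal to-zone internet policy allow-internal-clients match source-address network_239
set security policies from-zone internal to-zone internet policy allow-internal-clients match destination-address any
set security policies from-zone internal to-zone internet policy allow-internal-clients match application any
set security policies from-zone INTERNAL to-zone internet policy allow-internal-clients then permit
set security nat source rule-set internal-to-internet from zone internal
set security nat source rule-set internal-to-internet to zone internet
"""

# Same configuration with the zone name spelled consistently
FIXED_CONFIG = (CONFIG.replace("from-zone internal ", "from-zone INTERNAL ")
                      .replace("from zone internal", "from zone INTERNAL"))

ZONE_RE = re.compile(r"^set security zones security-zone (\S+)")
ADDR_RE = re.compile(r"^set security zones security-zone (\S+) address-book address (\S+) ")
POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (match|then) (\S+)(?: (\S+))?")
NAT_RE = re.compile(r"^set security nat source rule-set (\S+) (from|to) zone (\S+)")


def check_references(config_text: str) -> List[str]:
    """Return human-readable problems; an empty list means every reference resolves."""
    zones: Set[str] = set()
    address_books: Dict[str, Set[str]] = {}
    problems: List[str] = []
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]

    # Pass 1: collect definitions (zones, and the address book of each zone)
    for line in lines:
        m = ZONE_RE.match(line)
        if m:
            zones.add(m.group(1))
        m = ADDR_RE.match(line)
        if m:
            address_books.setdefault(m.group(1), set()).add(m.group(2))

    # Pass 2: check every reference against those definitions (case-sensitive, like Junos)
    for line in lines:
        m = POLICY_RE.match(line)
        if m:
            from_zone, to_zone, _policy, kind, key, value = m.groups()
            for zone in (from_zone, to_zone):
                if zone not in zones:
                    problems.append(f"policy references undefined zone {zone!r}: {line}")
            if kind == "match" and value != "any":
                if key == "source-address" and value not in address_books.get(from_zone, set()):
                    problems.append(f"source-address {value!r} not in address book of {from_zone!r}: {line}")
                if key == "destination-address" and value not in address_books.get(to_zone, set()):
                    problems.append(f"destination-address {value!r} not in address book of {to_zone!r}: {line}")
            continue
        m = NAT_RE.match(line)
        if m:
            _rule_set, _direction, zone = m.groups()
            if zone not in zones:
                problems.append(f"NAT rule-set references undefined zone {zone!r}: {line}")
    return sorted(set(problems))


if __name__ == "__main__":
    for label, text in (("mixed case", CONFIG), ("consistent", FIXED_CONFIG)):
        found = check_references(text)
        print(f"{label}: {len(found)} problem(s)")
        for p in found:
            print("  -", p)
```

Paste the output of `show configuration | display set` (only the `security` part) in place of `CONFIG` to run the same check on a live box; it is a pre-flight, not a substitute for `commit check`, which validates far more than name references.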

Allow SSH and NetConf for Ansible to connect

user@hostname> configure 
Entering configuration mode

[edit]
user@hostname# set system services netconf ssh 

[edit]
user@hostname# commit and-quit 
commit complete
Exiting configuration mode

user@hostname> show system connections inet | match 830 
tcp4       0      0  *.830                    *.*                       LISTEN

user@hostname> show system connections inet6 | match 830   
tcp6       0      0  *.830                    *.*