
https://www.corelan.be - Page 1 / 12

Corelan Team :: Knowledge is not an object, it's a flow ::

Juniper Firewall ScreenOS Basics (CJFV)

Corelan Team (corelanc0d3r) · Sunday, June 22nd, 2008

ScreenOS Concepts & Terminology

The following document is based on ScreenOS v5.4.0r7.0

- Interface = connection to a specific subnet. An interface is assigned an IP address only if the firewall is operating in L3 mode. Default interface names can vary on different Netscreen devices.
- Zone : logical grouping of subnets and interfaces. All devices within a zone share the same security requirements.
- Firewall functionality is based upon policies. A policy specifies which traffic is permitted to pass through the firewall. Policies are implemented on a per zone basis : leaving one zone and entering another zone.
- Virtual Router = logical routing construct. Each VR has its own routing table and routing logic. Routing is part of the kernel/firewall engine.
- Forwarding table : used to determine the outbound interface for a particular packet.
- Virtual System : logical division of the device into multiple administrative areas.
- Firewalls track traffic based on flows and sessions (= 2-way flows).

A Netscreen OS based device consists of :
- One or more Virtual Systems (VSYS)
- Each VSYS contains one or more Virtual Routers (VR)
- Each VR contains
  * One routing table
  * One or more zones. Each zone contains
    – One or more interfaces
    – Optional policies within a zone (intrazone)
  * Policies between zones within the same VR
- A VSYS can have policies between zones in different VR’s

A policy can only be applied to traffic between two different zones.

Exception : if you enable "Block Intra-subnet traffic" on a specific interface, you can create policies within a zone as well. This behaviour is disabled by default, and would require proper routing to be set up.

Command Line conventions

When configuring the device from the CLI, you must enter a ‘save’ command in order to write the changed configuration to disk. When using the GUI, settings are saved automatically when you click "Apply" or "OK".
Most configuration is done using ‘set’ and ‘unset’. You can see configuration parameters using ‘get’.
A ? (question mark) will show (context sensitive) help.
You can use tab completion and abbreviated commands.
If you want to see the current configuration, use ‘get conf’.
If you want to see the current system information, use ‘get system’.
You can filter the output of a command by using | incl ‘searchpattern’.
You can use the up & down arrows to browse through previously used commands.

Corelan Team - Copyright - All rights reserved. Terms Of Use are applicable to this pdf file and its contents. See https://www.corelan.be/index.php/terms-of-use 05/12/2013 - 1 / 12


Managing the device config, backup and firmware updates

You can reset to factory-default settings using

unset all
Erase all system config, are you sure y/[n] y
reset
Configuration modified, save? [y]/n n
System reset, are you sure y/[n] y
In reset ...

The first command ‘unset all’ will reset the saved config, not the running config. After entering the reset command, you must answer ‘n’ to the question to save the modified config, otherwise you would be saving the running config again to the saved config.
Note : root password and certificates are not reset by the ‘unset all’ command.

Backup the configuration to a tftp server :

save config from flash to tftp 192.168.0.102 <filename>

Note : the Juniper firewall does not provide a scheduled task/crontab engine. This means that you cannot schedule a backup and store the backup file on a tftp server. However, you can do it the other way around (connect from a server and download the file from the filesystem) :

1. Create a read only administrator account on the firewall

set admin user "ReadOnlyAdminBackup" password "TheReadOnlyPassword" privilege read-only

save

2. Download pscp from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
Note : some scp clients try to use sftp first, but this is not supported by screenos. Make sure, if you decide to use another scp client than pscp.exe, to verify that the client supports setting a parameter that forces the use of scp.
3. Enable scp on the firewall :

set scp enable

save

4. Place the pscp.exe on a server that is allowed to access the firewall over ssh/scp
5. Create a batch file on the server that looks like this :

pscp -scp -l ReadOnlyAdminBackup -pw "TheReadOnlyPassword" 192.168.0.1:ns_sys_config d:\backups\ssg550_backup.cfg

6. Create a folder on the server called d:\backups
7. Use the scheduled tasks on the server to schedule this script. The first time, run the command yourself. pscp will prompt you to accept a host key, so you’ll need to run this command manually at least once.

The filesystem on a SSG device looks like this :

firewall1-> get file
   flash:/CONFIG.BIN           112
   flash:/$NSBOOT$.BIN     9554671
   flash:/golerd.rec             0
   flash:/certfile.cfg        8425
   flash:/envar.rec             45
   flash:/license.key          361
   flash:/expire.rec            23
   flash:/ns_sys_config      19615
   flash:/dnstb.rec             41
   flash:/usrterms.txt         515
   flash:/prngseed.bin          32
   flash:/attacks.sig       201470

Restore the configuration from a tftp server :

save config from tftp 192.168.0.102 <filename> to flash
save config from tftp 192.168.0.102 <filename> merge

‘to flash’ = config will be active at next boot
‘merge’ = config will be merged and activated right away – use with caution !
NEVER perform an update/config restore using the GUI – always use the CLI !

Backup the Operating System :

save software from flash to tftp 192.168.0.102 <filename>

Upgrade the Operating System :

save software from tftp 192.168.0.102 <filename> to flash

Always read the release notes – sometimes, a new bootloader is required. Reboot the device after performing the software upgrade. Make sure the upgrade process is not interrupted or you might cause irreparable damage to the system.

Get OS version :


get sys | incl Software
Software Version: 5.4.0r7.0, Type: Firewall+VPN

Reboot device :

reset

Recovery of the device :
- Restore firmware at boot time. If you have a corrupted flash image, but the bootloader still works, you can interrupt the boot process ("Hit any key to run loader" -> press any key during the first couple of seconds of the boot process), and upload a new software version from a tftp server. You will need to set a local (self) IP address and the IP address of the tftp server – which needs to be on the same subnet – during the restore wizard. You will be prompted to save the file to flash, and whether you want to run the downloaded image.
- Reset to factory defaults and restore config to flash
- System (asset) recovery :
  * Login using the serial number as username & password
  * Use the pinhole on some devices :
    – Press until the flashing light changes to orange
    – Release and count 3 seconds, then press again until it flashes red
    – All leds will flash, the device will reboot

If you want to use the last procedure, this functionality has to be enabled on the device :

set admin device-reset
set admin hw-reset

The asset recovery procedure will allow you to overcome the problem of a lost password, however this procedure is quite destructive. It will remove all settings (including root password and certificates) from the device, so you’ll need to reconfigure the device, or restore a recent backup file. You can see when an asset recovery has been performed on the device by looking at the control number in the output of a ‘get sys’ :

get sys
Product Name: SSG-550
Serial Number: 999999999999 , Control Number: 00000000
Hardware Version: 0000(0)-(00), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Software Version: 5.4.0r7.0, Type: Firewall+VPN
Feature: AV-K

Every time an asset recovery is performed, the Control Number is increased by one.

Zones & Interface configuration

On a SSG-550, these are the default zones :

firewall1-> get zone
----------------------------------------------------------------------
 ID  Name         Type     Attr     VR          Default-IF   VSYS
  0  Null         Null     Shared   untrust-vr  hidden       Root
  1  Untrust      Sec(L3)  Shared   trust-vr    null         Root
  2  Trust        Sec(L3)           trust-vr    null         Root
  3  DMZ          Sec(L3)           trust-vr    null         Root
  4  Self         Func              trust-vr    self         Root
  5  MGT          Func              trust-vr    null         Root
  6  HA           Func              trust-vr    null         Root
 10  Global       Sec(L3)           trust-vr    null         Root
 11  V1-Untrust   Sec(L2)  Shared   trust-vr    v1-untrust   Root
 12  V1-Trust     Sec(L2)  Shared   trust-vr    v1-trust     Root
 13  V1-DMZ       Sec(L2)  Shared   trust-vr    v1-dmz       Root
 14  VLAN         Func     Shared   trust-vr    vlan1        Root
 15  V1-Null      Sec(L2)           trust-vr    l2v          Root
 16  Untrust-Tun  Tun               trust-vr    hidden.1     Root

You can create your own zones and assign them to a VR. Every Virtual Router has its own routing table. In standard configurations, you’ll have multiple zones, but only one Virtual Router (trust-vr). If you are using dynamic routing protocols and you want to separate routing tables, you may need multiple Virtual Routers.
After creating a custom interface, you’ll have to assign the interface to a zone. Then you can assign an IP address to the interface. You can only assign an IP address after an interface has been assigned to a zone.
Don’t use 255.255.255.255 as a subnetmask for the IP address of an interface. Use the network’s subnetmask, so the firewall can determine the "local subnet".

Initial device configuration

Connect, change passwords, create admin accounts

- Connect to the console using a serial connection (9600bps, 8 bit, no parity, 1 stop bit, no flow control)
- Default username & password : netscreen / netscreen (Change the password right away. Pay attention : you cannot recover the netscreen password easily, so don’t forget this password !).

set admin password "ThisIsANewButBadPassword"
save

Optionally, you can change the default administrator account. In this example, I’m changing the username to "administrator"

set admin name netscreen "administrator"
save

Create administrator account and assign rights (read-only or read-write)


set admin user "username" password "password" privilege all
set admin user "readonlyuser" password "readonlypassword" privilege read-only
save

By default, the internal database is used for admin authentication, but you can use an external resource (Radius, ldap, …) for admin authentication as well.

Set minimum password length to 8 and number of admin attempts to 2

set admin password restrict length 8
set admin access attempts 2
save

If you want to restrict "root" login to console only, use

set admin root access console
save

You can get all users and all ssh users, using the following commands :

get admin user
get admin ssh all

Set hostname

set hostname "firewall1"
save

Set zones & interfaces

By default, the device has 3 zones : Trust, Untrust and DMZ. The interface in the Trust zone is set to nat mode by default, all other interfaces are in route mode. By default, the device allows outbound access (from Trust to Untrust) and blocks incoming access (default policy : deny).
I recommend not to use any of these 3 zones, but to create your own zones, and assign your interfaces to your custom zones. I also do not recommend using interfaces in nat mode, but use route mode instead.
Create 2 zones : one zone for Internet, one zone for your LAN, and assign the zones to a VR :

set zone "Internet"
set zone "Internet" vrouter trust-vr

set zone "Lan"
set zone "Lan" vrouter trust-vr

save

Assign interface ethernet0/1 to Internet, and interface ethernet0/2 to Lan.

set interface ethernet0/1 zone "Internet"
set interface ethernet0/2 zone "Lan"
save

See zone configuration :

firewall1-> get zone
Total 16 zones created in vsys Root - 10 are policy configurable.
Total policy configurable zones for Root is 10.
------------------------------------------------------------------------
 ID  Name         Type     Attr     VR          Default-IF   VSYS
  0  Null         Null     Shared   untrust-vr  hidden       Root
  1  Untrust      Sec(L3)  Shared   trust-vr    null         Root
  2  Trust        Sec(L3)           trust-vr    null         Root
  3  DMZ          Sec(L3)           trust-vr    null         Root
  4  Self         Func              trust-vr    self         Root
  5  MGT          Func              trust-vr    null         Root
  6  HA           Func              trust-vr    null         Root
 10  Global       Sec(L3)           trust-vr    null         Root
 11  V1-Untrust   Sec(L2)  Shared   trust-vr    v1-untrust   Root
 12  V1-Trust     Sec(L2)  Shared   trust-vr    v1-trust     Root
 13  V1-DMZ       Sec(L2)  Shared   trust-vr    v1-dmz       Root
 14  VLAN         Func     Shared   trust-vr    vlan1        Root
 15  V1-Null      Sec(L2)           trust-vr    l2v          Root
 16  Untrust-Tun  Tun               trust-vr    hidden.1     Root
100  Lan          Sec(L3)           trust-vr    ethernet0/2  Root
101  Internet     Sec(L3)           trust-vr    ethernet0/1  Root

The zone name has to be unique across all VR’s.
Assign the Lan interface a private static IP address, and assign the Internet interface a static IP address or a DHCP IP address :

set interface ethernet0/2 ip 192.168.0.1/24

set interface ethernet0/1 ip 1.1.1.1/29
set interface ethernet0/1 dhcp client enable
save

Tip : if you need to define multiple interfaces in the same IP subnet, you’ll have to enable this first in the vrouter

set vrouter trust-vr ignore-subnet-conflict
save


Note : Pay attention to the subnetmask when configuring a firewall interface. Don’t use /32 or the firewall won’t work.

Set both interfaces in route mode

set interface ethernet0/1 route
set interface ethernet0/2 route
save

Set interface duplex and speed parameters (if required ! – by default, autonegotiation works fine)

set interface ethernet0/2 phy ?
auto        auto negotiation
full        force full duplex
half        force half duplex
holddown    holddown time
link-down   bring down link

set interface ethernet0/2 phy full ?
1000mb      1000Mbps
100mb       100Mbps
10mb        10Mbps

Activate license, configure routing and anti-spoofing

It is advised to install your license now. You’ll need to activate your device on the Juniper website, and then you can run the exec license-key update command to retrieve your license key. Use the "save" command to save the license key on the device. In order to download the key, the device needs to have access to the internet, so you’ll have to create a default route and configure DNS resolution first.
Assuming that your firewall has a static public IP address 1.1.1.1, that the internet router (default gateway) is 1.1.1.2, and that your public DNS is at 2.2.2.2, you can use the following commands to allow the firewall to access the internet :

set route 0.0.0.0/0 gateway 1.1.1.2
set dns host dns1 2.2.2.2 src-interface ethernet0/1
save

Now you can install the license key :

firewall1-> exec license-key update
License key was retrieved successfully.
License keys have been updated.
You must reset the device for the new setting to take effect.
firewall1-> save
firewall1-> reset

After rebooting, you can verify that the key was installed correctly using

firewall1-> get license-key
di_db_key : JDkdLZidzoad9ZçjdklDIODiodaodiaOODIDZAdkdlazdD93+D DKJ393jdLDKlcdkdLKZCnCZALDIdzidldjidLDZEIDJIZIODOD DZKJLDLLIEDiODIJDELlkkLD/ bdazjlDIZDlldiIED0O93jdKLDZJIDO3DOJEIOLDJKLLDKDKDK DKDJKLDlID9D9DKldjdklDJIDIDOZDNSQCCBZJK2E238ldklde DZKALldiç3IK3LLjdkl30DJKLDL3ZJJKLL/ DKJLKddlzlzjkLDIZIlazkalJDII3CBNQDMJKDLKMkdlekldek DZKLjdlkJD/DJKLDL3LJDKL3IOMOMKDLK==
expire date: 2009/01/1
Model: Advanced
Sessions: 128064 sessions
Capacity: unlimited number of users
NSRP: ActiveActive
VPN tunnels: 1000 tunnels
Vsys: None
Vrouters: 8 virtual routers
Zones: 512 zones
VLANs: 150 vlans
Drp: Enable
Deep Inspection: Enable
Deep Inspection Database Expire Date: 2012/01/01

(don’t bother – I have used a random string as db_key in my example…)

Depending on what your network looks like, you may or may not need to add more routes to your firewall.
By default, a route is "dynamic". This means that, if the interface that ‘hosts’ the route goes down, the route is removed from the routing table. So if you have 2 interfaces that have a route to the same subnet, but with a different cost, you can create some dynamic routing based on interface status. Of course, you can create a permanent route as well, that is not affected by interface status.
Let’s assume that you have another subnet 192.168.1.0/24 in your Lan, sitting behind router 192.168.0.10. Then this would be the command to add the route to your firewall (to trust-vr by default) :

set route 192.168.1.0/24 gateway 192.168.0.10 permanent
save

If you want to create a route in a specific (non default) VR, you can use this statement :

set vrouter YourOwn-vr route 192.168.0.0/24 interface ethernet0/3 gateway 10.1.1.1

save

You can get the routing table using

get route

A route with type C = connected subnet


You will see an entry for the IP address of every ethernet interface, with type "H". This is not a real route and will not be used during route evaluation. When debugging, these host entries will be referred to as "SELF".
Equal cost multipath routing is allowed.
ScreenOS supports source-based and destination-based routing, and supports RIP, OSPF and BGP.
You can test routes using the "get route" statement. This will show the route/interface it will use to get to the target host or network :

firewall-> get route ip 192.168.1.15

Dest for 192.168.1.15

--------------------------------------------------------------------------------

trust-vr : => 192.168.1.0/24 (id=16) via 192.168.0.10 (vr: trust-vr)

Interface ethernet0/2 , metric 1

You can also verify routing using the ping and trace-route commands. If you launch ‘ping’ without any parameters, you enter the extended ping mode. This allows you to specify the target IP, number of pings, datagram size, timeout, and source interface.
You can remove a route using the unset command :

firewall1-> unset route 4.4.4.0/24
total routes deleted = 1

If you are using multiple VR’s, you’ll need to set up routing between the two VR’s. For that matter, you can use the name of each VR as gateway on both VR’s.

Anti-spoofing :
- L3 mode : based on routing tables
- L2 mode : based on address list entries

Anti-spoofing requires your routing table to be set up correctly. You can enable anti-spoofing on a per zone basis :

set zone "Internet" screen ip-spoofing

save

If you want to check for reverse-path routes to drop or allow traffic, use this command :

set zone "Internet" screen ip-spoofing drop-no-rpf-route

save

Restrict management to/from certain IP addresses and on certain management services

Management services :
- Telnet, SSH, HTTP(s), snmp, ping, ident
- Can be enabled/disabled per interface and optionally set to a virtual IP address on the interface (manage ip)
- Traffic for these management services can be allowed from certain IP addresses only (manager-ip)
- Always disable ident, unless you have problems with AS400 RPC connections

First, disable management services on all interfaces :

unset interface ethernet0/1 manage
unset interface ethernet0/2 manage
unset interface ethernet0/1 ip manageable
unset interface ethernet0/2 ip manageable
save

Create a virtual IP address on the Lan interface (192.168.0.2) to allow local administrators to connect :

set interface ethernet0/2 manage-ip 192.168.0.2
set interface ethernet0/2 ip manageable
save

You can see the virtual IP address that is used to host the management services using this command :

get int ethernet0/2 | incl manage
manage ip 192.168.0.2, mac 0010.dbe2.c300

Enable management services on Lan interface :

set admin http redirect
set interface ethernet0/2 manage ssh
set interface ethernet0/2 manage ssl
set ssl encrypt 3des sha-1
set interface ethernet0/2 manage web
save

If you want to disable one of the management services (e.g. disable ping to the Lan interface), use

unset interface ethernet0/2 manage ping

save

If you want to allow management on all services, use this command :

set interface ethernet0/2 manage


Only allow traffic from management station 192.168.0.5. Note : configure this via the console cable, as you may cut off your own connection if you don’t specify your own IP address first.

set admin manager-ip 192.168.0.5 255.255.255.255
save

You can see the IP addresses that are allowed to access the management services using the following commands :

get sys | incl "Mng Host"

Mng Host IP: 192.168.0.5/255.255.255.255

get admin manager-ip

Mng Host IP: 192.168.0.5/255.255.255.255

You can define up to 6 IP addresses as manager-ip.

Set console timeout. Default = 10 minutes, recommended : 5 minutes :

set console timeout 5
save

Tip : you can get the open/listening ports on the device using the “get socket” command.
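As an added example (not part of the original post), a small Python audit that reads a saved configuration in the form ‘get conf’ prints it and checks it against the management hardening described in this section : no management on the Internet-facing interface, no telnet or ident, http only with redirect to https, a manager-ip restriction, password length 8, 2 login attempts and a 5 minute console timeout. The configuration lines are constructed for the example; the set of "untrusted" zone names is an assumption, and ident-reset is the CLI keyword for the ident service.

```python
import re

# Constructed sample of a saved configuration, in the form `get conf` prints it.
# It deliberately leaves management (incl. telnet) on the Internet interface
# and ident on the Lan interface, and keeps the default console timeout.
SAMPLE_CONF = """\
set hostname "firewall1"
set admin password restrict length 6
set admin access attempts 3
set admin http redirect
set admin root access console
set admin manager-ip 192.168.0.5 255.255.255.255
set interface ethernet0/1 zone "Internet"
set interface ethernet0/2 zone "Lan"
set interface ethernet0/1 ip 1.1.1.1/29
set interface ethernet0/2 ip 192.168.0.1/24
set interface ethernet0/1 manage telnet
set interface ethernet0/1 manage ping
set interface ethernet0/2 manage-ip 192.168.0.2
set interface ethernet0/2 manage ssh
set interface ethernet0/2 manage ssl
set interface ethernet0/2 manage web
set interface ethernet0/2 manage ident-reset
set console timeout 10
"""

# The same device after applying the post's recommendations (constructed).
HARDENED_CONF = """\
set admin password restrict length 8
set admin access attempts 2
set admin http redirect
set admin manager-ip 192.168.0.5 255.255.255.255
set interface ethernet0/1 zone "Internet"
set interface ethernet0/2 zone "Lan"
set interface ethernet0/2 manage-ip 192.168.0.2
set interface ethernet0/2 manage ssh
set interface ethernet0/2 manage ssl
set interface ethernet0/2 manage web
set console timeout 5
"""

UNTRUSTED_ZONES = {"Internet", "Untrust"}   # assumption: these zones face the outside
CLEARTEXT_SERVICES = {"telnet", "web"}       # web is acceptable only with http redirect


def parse_conf(text):
    """Collect the settings this audit cares about from the `set ...` lines."""
    st = {"zone": {}, "manage": {}, "manager_ip": [], "http_redirect": False,
          "pw_len": None, "attempts": None, "console_timeout": None}
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r'set interface (\S+) zone "([^"]+)"$', line):
            st["zone"][m.group(1)] = m.group(2)
        elif m := re.match(r'set interface (\S+) manage(?: (\S+))?$', line):
            # `manage` without a service name enables every service
            st["manage"].setdefault(m.group(1), set()).add(m.group(2) or "all")
        elif m := re.match(r'set admin manager-ip (\S+) (\S+)$', line):
            st["manager_ip"].append((m.group(1), m.group(2)))
        elif line == "set admin http redirect":
            st["http_redirect"] = True
        elif m := re.match(r'set admin password restrict length (\d+)$', line):
            st["pw_len"] = int(m.group(1))
        elif m := re.match(r'set admin access attempts (\d+)$', line):
            st["attempts"] = int(m.group(1))
        elif m := re.match(r'set console timeout (\d+)$', line):
            st["console_timeout"] = int(m.group(1))
    return st


def audit(text):
    """Return findings as strings; an empty list means the config follows the post."""
    st = parse_conf(text)
    findings = []
    for ifname, services in sorted(st["manage"].items()):
        zone = st["zone"].get(ifname, "?")
        if zone in UNTRUSTED_ZONES:
            findings.append(f"{ifname} ({zone}): management reachable from untrusted zone "
                            f"({', '.join(sorted(services))})")
        if "all" in services:
            findings.append(f"{ifname} ({zone}): all management services enabled")
        if "ident-reset" in services:
            findings.append(f"{ifname} ({zone}): ident enabled")
        for svc in sorted(services & CLEARTEXT_SERVICES):
            if svc == "web" and st["http_redirect"]:
                continue  # plain http is redirected to https, as the post configures it
            findings.append(f"{ifname} ({zone}): cleartext management service {svc}")
    if not st["manager_ip"]:
        findings.append("no manager-ip set: any host can reach the management services")
    if st["pw_len"] is None or st["pw_len"] < 8:
        findings.append("admin password minimum length below 8")
    if st["attempts"] is None or st["attempts"] > 2:
        findings.append("admin login attempts not limited to 2")
    if st["console_timeout"] is None or st["console_timeout"] > 5:
        findings.append("console timeout longer than 5 minutes")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("FINDING:", finding)
```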

Set up NTP, DNS, SNMP and Syslog

NTP :

set ntp server 192.168.0.3
set ntp server src-interface ethernet0/2
set ntp timezone 1
set clock timezone 1
set clock ntp
save
get clock

exec ntp update

The last command will force a manual ntp update.

DNS :

set dns host dns1 192.168.0.4 src-interface ethernet0/2
set domain mydomain.com
set dns host schedule 04:00 interval 4
save

The dns host schedule interval defines the cache refresh time for DNS hostnames that are defined in the address list.
If you already had a DNS entry because of the license key installation, you can remove that entry using an unset command :

unset dns host dns1

SNMP :

set snmp community "MyROCommunity" Read-Only Trap-on traffic version v1
set snmp host "MyROCommunity" 192.168.0.100 255.255.255.255 src-interface ethernet0/2 trap v1
set snmp port listen 161
set snmp port trap 162
save

Syslog :

set syslog config "192.168.0.101"
set syslog config "192.168.0.101" facilities local0 local1
set syslog src-interface ethernet0/2
set syslog enable
save

Address Lists and Policies

The default policy is defined in the "Global" zone (default deny). By default, deny will be applied, but you won’t see this when querying the device. It is recommended to set the global policy to any any deny, that way you can see the global policies if you want to :

firewall1-> get policy all | incl Global
No global policy!
Default deny.
firewall1-> set policy global any any deny
firewall1-> save

Firewall policies are always created between two different zones (exception : if you have enabled intrazone blocking, you can apply policies for traffic within the same zone).
If traffic does not match any of the rules, then the global policy applies. This means that you don’t need an any any deny policy for every Source Zone to Target Zone ruleset definition.
Before you can create firewall policies, you’ll need "address" definitions and "service" definitions.
First, you need to create an address (host or network) in a specific zone :

set address "Lan" "Proxyserver1" 192.168.0.200 255.255.255.255 "Proxy Server 1"
set address "Lan" "LanNetwork1" 192.168.0.0 255.255.255.0 "Local Network 1"
set address "Lan" "LanNetwork2" 192.168.1.0 255.255.255.0 "Local Network 2"


save

You can create an address multiple times, and in multiple zones at the same time. Suppose you have a remote host that can be reached via 2 different routes over 2 different interfaces, that are in different zones, then you’ll need to define the same host twice.
You can group addresses using the GUI or CLI :

set group address "Lan" "LocalNetworks" add "LanNetwork1"
set group address "Lan" "LocalNetworks" add "LanNetwork2"

Next, you can create custom services. The device is already pre-loaded with some services, so verify that the service does not exist yet.

set service "MyCustomService" protocol tcp src-port 0-65535 dst-port 1234-1234
save

Note : you can group services as well, which is the preferred method over creating rules with multiple individual services. During evaluation of the policy, every source/target/service rule will be split up, causing the device to use more resources.

Now you are ready to create a policy.
- New policies are added to the bottom of the list. Use the GUI to rearrange the new policy (or command line : e.g. ‘set policy move 5 before 4’)
- Make sure to manually activate nat-src for traffic going to the internet ! (see later – Address Translation)
- Policy actions can be permit, deny, reset or tunnel
- Policies can be scheduled (one time, recurring). If you have created a one time policy, the policy will not be removed automatically, so you’ll need to clean up afterwards
- You can negate source or destination addresses using the "negate" statement in the policy definition

If you want to allow the proxy server to access all hosts on the internet, on port 1234, then use the following statement :

set policy from "Lan" to "Internet" "ProxyServer1" ANY "MyCustomService" nat src permit

save

You can get the policies using

get policy from "Lan" to "Internet"

I must admit – I like the CLI a lot, but if you want to create and manage policies, it’s just so much easier to use the HTTPS GUI for policy management.

How does Juniper handle packets & sessions ?

(This model is called the 5-tuple)
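To make the policy model of the previous section concrete, here is an added Python illustration (my own simplified model, not vendor code) of how a first packet is handled : session lookup on the 5-tuple, route lookup to find the egress interface and thus the destination zone, ordered policy lookup between the two zones with the global default deny as fallback, and session installation so that the reply (reversed 5-tuple) is matched without a second policy lookup. It is wired up with the zones, route, address and service from this post; the public host 203.0.113.10 and the "intrazone traffic passes without a policy unless blocking is enabled" rule are assumptions of the model.

```python
from ipaddress import ip_address, ip_network


class ScreenOSModel:
    """Simplified, added model of ScreenOS first-packet handling (not vendor code):
    session lookup -> route lookup -> zone lookup -> ordered policy lookup ->
    session install. A session is a 2-way flow keyed by the 5-tuple, so the
    reply packet (tuple reversed) is matched without a second policy lookup."""

    def __init__(self):
        self.iface_zone = {}         # interface -> zone
        self.routes = []             # (ip_network, egress interface)
        self.addresses = {}          # (zone, name) -> ip_network
        self.services = {}           # name -> (proto, dst-port)
        self.policies = []           # ordered; first match wins
        self.global_action = "deny"  # the "Default deny." of the Global zone
        self.blocked_zones = set()   # zones with intrazone blocking enabled
        self.sessions = {}           # 5-tuple -> action

    def set_policy(self, src_zone, dst_zone, src, dst, service, action):
        """`set policy from A to B src dst svc action`: appended at the bottom."""
        self.policies.append((src_zone, dst_zone, src, dst, service, action))

    def route_lookup(self, dst):
        """Longest-prefix match; returns the egress interface or None."""
        best = None
        for net, iface in self.routes:
            if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def _addr_match(self, zone, name, ip):
        return name == "ANY" or ip_address(ip) in self.addresses[(zone, name)]

    def _svc_match(self, name, proto, port):
        return name == "ANY" or self.services[name] == (proto, port)

    def handle(self, in_iface, src, sport, dst, dport, proto):
        """Return a decision string modelled on the `debug flow basic` messages."""
        key = (src, sport, dst, dport, proto)
        reverse = (dst, dport, src, sport, proto)
        if key in self.sessions or reverse in self.sessions:
            return "existing session found"
        out_iface = self.route_lookup(dst)
        if out_iface is None:
            return "packet dropped, no route"
        src_zone, dst_zone = self.iface_zone[in_iface], self.iface_zone[out_iface]
        if src_zone == dst_zone and src_zone not in self.blocked_zones:
            action = "permit"  # intrazone traffic passes without a policy (assumption)
        else:
            action = self.global_action
            for p_src_zone, p_dst_zone, p_src, p_dst, p_svc, p_action in self.policies:
                if (p_src_zone, p_dst_zone) != (src_zone, dst_zone):
                    continue
                if (self._addr_match(src_zone, p_src, src)
                        and self._addr_match(dst_zone, p_dst, dst)
                        and self._svc_match(p_svc, proto, dport)):
                    action = p_action
                    break
        if action != "permit":
            return "packet dropped, denied by policy"
        self.sessions[key] = action
        return f"session created {src_zone}->{dst_zone} via {out_iface}"


def build_demo():
    """Wire up the zones, routes, address and service used in the post."""
    fw = ScreenOSModel()
    fw.iface_zone = {"ethernet0/1": "Internet", "ethernet0/2": "Lan"}
    fw.routes = [(ip_network("0.0.0.0/0"), "ethernet0/1"),        # default route
                 (ip_network("192.168.0.0/24"), "ethernet0/2"),   # connected subnet
                 (ip_network("192.168.1.0/24"), "ethernet0/2")]   # via 192.168.0.10
    fw.addresses[("Lan", "ProxyServer1")] = ip_network("192.168.0.200/32")
    fw.services["MyCustomService"] = ("tcp", 1234)
    fw.set_policy("Lan", "Internet", "ProxyServer1", "ANY", "MyCustomService", "permit")
    return fw


def demo():
    """Run constructed packets through the model; 203.0.113.10 is a made-up host."""
    fw = build_demo()
    return [
        fw.handle("ethernet0/2", "192.168.0.200", 40000, "203.0.113.10", 1234, "tcp"),
        fw.handle("ethernet0/1", "203.0.113.10", 1234, "192.168.0.200", 40000, "tcp"),
        fw.handle("ethernet0/2", "192.168.0.50", 40001, "203.0.113.10", 1234, "tcp"),
        fw.handle("ethernet0/2", "192.168.0.200", 40002, "203.0.113.10", 80, "tcp"),
        fw.handle("ethernet0/1", "203.0.113.10", 5000, "192.168.0.200", 1234, "tcp"),
        fw.handle("ethernet0/2", "192.168.0.50", 40003, "192.168.1.7", 22, "tcp"),
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```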

Debugging & Troubleshooting Policies

ScreenOS has quite some features that allow for debugging. I will now explain the major debug functions that apply to the debugging of firewall policies. We’ll have a look at some of the other debugging parameters that apply to VPN tunnels later on.
2 main tools for debugging : "debug" and "snoop"
The most common tool used is debug. It allows you to follow packet handling and decisions that are made by the device. You can set some filters to look for specific traffic. Strings you may want to look for are :
- "existing session found"
- "packet dropped, no route"
- "not interested"
- "packet dropped, denied by policy"

Snoop is essentially a sniffer. While it shows you the entire conversation, it does not really show what the firewall decides and why it has decided to act in a specific way when a certain packet has arrived at the firewall. Therefore, it is recommended to use debug instead of snoop.
The debug buffer is max 32k large. You can get information about the debug buffer and set a custom buffer size using the following commands :

get dbuf info
set dbuf size <newsize>

save

First of all, before you activate debug, make sure to clear the buffer and to clear any filters that may have been set

firewall1-> clear dbuf
firewall1-> unset ffilter
filter 0 removed
firewall1-> unset ffilter
invalid id

(repeat unset ffilter until you get the invalid id warning. This ensures that all filters have been cleared first)

Start debugging using the following command :

debug flow basic

Generate some traffic. When you are ready, press ‘ESC’ in the console to stop debugging (or use the ‘undebug all’ command). You can get the contents of the debug buffer using

get dbuf stream

Optionally, you can send the entire buffer to a text file on a tftp server using

get dbuf str > tftp 192.168.0.102 debug.log

Note : don’t forget to ‘ESC’ debug (or use ‘undebug all’)… if you disconnect from the console while debug is still running, it may cause memory problems on the device, forcing you to reboot it…

You can set filters that will be applied during the debug process :
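The debug buffer you pull off the device (via `get dbuf stream` or the tftp redirect above) is only useful once you can find the decision strings listed earlier in it. The following is an added example, not code from the original post or from Juniper: a small Python triage script that splits a saved dump into per-packet records, pulls out the 5-tuple and labels each packet with the decision the firewall took. The sample dump is constructed to resemble `debug flow basic` output; the record banner and the 5-tuple layout it parses are assumptions about that format, so adjust the two regular expressions to what your device actually prints.

```python
"""Offline triage of a saved ScreenOS ``get dbuf stream`` dump.

Added example, not part of the original post. The sample dump below is
CONSTRUCTED to resemble ``debug flow basic`` output; the record marker and
the 5-tuple line layout are assumptions about the real format.
"""
import re
from collections import Counter

# Constructed sample: four packets, each starting with a "packet received"
# banner, followed by the 5-tuple line and the firewall's decision.
SAMPLE_DBUF = """\
****** 1001.0: <Trust/ethernet0/0> packet received [60]******
  ethernet0/0:192.168.1.10/40120->10.0.0.5/80,6<Root>
  no session found
  packet dropped, denied by policy
****** 1001.1: <Trust/ethernet0/0> packet received [60]******
  ethernet0/0:192.168.1.10/40121->10.0.0.5/443,6<Root>
  existing session found. sess id 4096
****** 1002.0: <Untrust/ethernet0/2> packet received [84]******
  ethernet0/2:203.0.113.7/0->10.99.0.1/0,1<Root>
  no session found
  packet dropped, no route
****** 1002.1: <Trust/ethernet0/0> packet received [60]******
  ethernet0/0:192.168.1.11/5000->192.168.1.12/22,6<Root>
  not interested
"""

# One record per "packet received" banner (assumed layout).
RECORD_MARKER = re.compile(r"^\*{6} .*packet received", re.MULTILINE)
# ifname:src_ip/src_port->dst_ip/dst_port,proto   (assumed layout)
TUPLE_RE = re.compile(
    r"(?P<ifname>[\w/.-]+):(?P<src>[\d.]+)/(?P<sport>\d+)->"
    r"(?P<dst>[\d.]+)/(?P<dport>\d+),(?P<proto>\d+)"
)

# Decision strings from the post, checked in order; the first hit wins.
VERDICTS = (
    ("existing session found", "session-hit"),
    ("packet dropped, denied by policy", "denied-by-policy"),
    ("packet dropped, no route", "no-route"),
    ("not interested", "not-interested"),
)


def split_records(dump):
    """Yield the text of each per-packet record in the dump."""
    starts = [m.start() for m in RECORD_MARKER.finditer(dump)]
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else len(dump)
        yield dump[start:end]


def classify(record):
    """Return (five_tuple dict or None, verdict label) for one record."""
    m = TUPLE_RE.search(record)
    tup = m.groupdict() if m else None
    verdict = "unclassified"
    for needle, label in VERDICTS:
        if needle in record:
            verdict = label
            break
    return tup, verdict


def triage(dump):
    """Classify every record; return (list of (tuple, verdict), Counter of verdicts)."""
    results = [classify(r) for r in split_records(dump)]
    return results, Counter(v for _, v in results)


if __name__ == "__main__":
    rows, counts = triage(SAMPLE_DBUF)
    for tup, verdict in rows:
        flow = "?"
        if tup:
            flow = f"{tup['src']}:{tup['sport']} -> {tup['dst']}:{tup['dport']} proto {tup['proto']}"
        print(f"{verdict:18s} {flow}")
    print(dict(counts))
```

Run it against a real dump by replacing `SAMPLE_DBUF` with the file you fetched from the tftp server; the verdict counter gives you a quick picture of whether you are mostly fighting a missing route, a deny rule, or traffic the firewall never looked at.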

firewall1-> set ffilter ?<return>
dst-ip     flow filter dst ip
dst-port   flow filter dst port
ip-proto   flow filter ip proto
src-ip     flow filter src ip
src-port   flow filter src port

Options :

Logical AND :
- enter options on the same line
- all conditions must be present

set ffilter src-ip 1.1.1.1 dst-ip 2.2.2.2 ip-prot 6

Logical OR :
- enter options on separate lines
- any condition can be present

set ffilter src-ip 1.1.1.1 dst-ip 2.2.2.2 ip-prot 6
set ffilter src-ip 2.2.2.3
set ffilter dst-port 80

You can see the currently set filter using :

get ffilter
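To make the AND/OR behaviour of flow filters concrete, here is an added example in Python (not ScreenOS code, and not from the original post) that parses `set ffilter` lines exactly as written above and decides whether a given 5-tuple would be captured: conditions on one line must all hold, and any line that holds is enough. It also expands abbreviated keywords such as `ip-prot` by unique prefix, which is assumed to mirror how the CLI accepts them; the sample 5-tuples are constructed for the demonstration.

```python
"""Model of ScreenOS flow-filter (ffilter) matching as described in the post.

Added example, not ScreenOS code. Rules on separate lines are OR'ed; the
conditions within one line are AND'ed. Keyword abbreviation ("ip-prot")
is resolved by unique prefix (assumed to mirror the CLI). Sample packets
are constructed.
"""

# The five filter keys from "set ffilter ?", mapped to 5-tuple field names.
FFILTER_KEYS = {
    "dst-ip": "dst_ip",
    "dst-port": "dst_port",
    "ip-proto": "proto",
    "src-ip": "src_ip",
    "src-port": "src_port",
}


def resolve_key(token):
    """Expand a possibly abbreviated keyword; error if unknown or ambiguous."""
    matches_ = [k for k in FFILTER_KEYS if k.startswith(token)]
    if len(matches_) != 1:
        raise ValueError(f"unknown or ambiguous ffilter key: {token!r}")
    return matches_[0]


def is_valid_key(token):
    """True if the keyword resolves to exactly one ffilter key."""
    try:
        resolve_key(token)
        return True
    except ValueError:
        return False


def parse_ffilter_line(line):
    """'set ffilter src-ip 1.1.1.1 ip-prot 6' -> {'src_ip': '1.1.1.1', 'proto': '6'}"""
    tokens = line.split()
    if tokens[:2] != ["set", "ffilter"]:
        raise ValueError(f"not a set ffilter line: {line!r}")
    body = tokens[2:]
    if len(body) % 2:
        raise ValueError(f"keyword without a value in: {line!r}")
    return {FFILTER_KEYS[resolve_key(k)]: v for k, v in zip(body[0::2], body[1::2])}


def parse_ffilters(config_text):
    """One filter (id 0, 1, 2, ...) per non-empty 'set ffilter' line."""
    return [parse_ffilter_line(ln) for ln in config_text.splitlines() if ln.strip()]


def matches(filters, pkt):
    """True if ANY filter has ALL of its conditions satisfied by pkt.

    An empty filter list means no filtering at all (everything is captured),
    which is why the post clears filters with 'unset ffilter' before debugging.
    """
    if not filters:
        return True
    return any(all(str(pkt[f]) == v for f, v in conds.items()) for conds in filters)


# The three OR'ed lines from the post, and the single AND line on its own.
OR_FILTERS = """\
set ffilter src-ip 1.1.1.1 dst-ip 2.2.2.2 ip-prot 6
set ffilter src-ip 2.2.2.3
set ffilter dst-port 80
"""
AND_FILTER = "set ffilter src-ip 1.1.1.1 dst-ip 2.2.2.2 ip-prot 6\n"

# Constructed 5-tuples for the demonstration.
PKT_FULL_MATCH = {"src_ip": "1.1.1.1", "src_port": 40000, "dst_ip": "2.2.2.2", "dst_port": 22, "proto": 6}
PKT_WRONG_PROTO = {"src_ip": "1.1.1.1", "src_port": 40000, "dst_ip": "2.2.2.2", "dst_port": 53, "proto": 17}
PKT_WEB = {"src_ip": "9.9.9.9", "src_port": 40001, "dst_ip": "2.2.2.2", "dst_port": 80, "proto": 6}

if __name__ == "__main__":
    or_f, and_f = parse_ffilters(OR_FILTERS), parse_ffilters(AND_FILTER)
    for name, pkt in (("full match", PKT_FULL_MATCH), ("wrong proto", PKT_WRONG_PROTO), ("web", PKT_WEB)):
        print(f"{name:12s} OR-set: {matches(or_f, pkt)!s:5s} AND-only: {matches(and_f, pkt)}")
```

Note that `PKT_WEB` is captured by the three-line (OR) set through the `dst-port 80` line alone, but not by the single AND line, because there the source address condition fails; that is the whole difference between stacking options on one line and on separate lines.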

By default, debug output is sent to the buffer. But you can also send the output to the console :

firewall1-> get console
Console timeout: 10(minute), Page size: 22/22, debug: buffer
privilege 250, config has not been changed!, default save prompt on exit/reset: yes
ID State   Duration Task     Type  Host
 0 Login   439      21309696 SSH   192.168.137.120:62596
 1 Logout  0        21314736 Local
 2 Logout  0        21303816 Local
 3 Logout  0        21284496 Local
firewall1-> unset console dbuf
firewall1-> get console
Console timeout: 10(minute), Page size: 22/22, debug: console
privilege 250, config was changed and not saved!, default save prompt on exit/reset: yes
ID State   Duration Task     Type  Host
 0 Login   454      21309696 SSH   192.168.137.120:62596
 1 Logout  0        21314736 Local
 2 Logout  0        21303816 Local
 3 Logout  0        21284496 Local
firewall1-> set console dbuf
firewall1-> get console
Console timeout: 10(minute), Page size: 22/22, debug: buffer
privilege 250, config was changed and not saved!, default save prompt on exit/reset: yes
ID State   Duration Task     Type  Host
 0 Login   464      21309696 SSH   192.168.137.120:62596
 1 Logout  0        21314736 Local
 2 Logout  0        21303816 Local
 3 Logout  0        21284496 Local


Some other useful commands to troubleshoot policies :
- get session (and upload the output to http://tools.juniper.net/fsa)
- get policy
- get address
- get service
- get service pre-defined
- get conf
- get log traffic

You can activate traffic logs by editing a policy :

set policy id 1
set log
exit
save

Alarms

Traffic or event alarms may trigger the alarm led on the device to turn red. You can clear the alarms using

clear alarm traffic
clear alarm event
clear led alarm

Traffic counters

You can use graphical traffic counters for traffic that matches a policy. You need to activate accounting using the following commands :

set policy id 1
set count
exit
save

You can see the graphical counter from the GUI (by clicking the hourglass icon in the policy)

or get the raw data using

get counter policy 1 <time>

(where <time> can be "day", "hour", "minute", "month" or "second"). Counters will be reset at boot.

If you ever need to work with Juniper Tech Support, they will probably ask you to run a get tech support and send the output to them. This command generates a big log file that contains all of the configurations on your device. If you need to run this command, it may be wise to send the output to a tftp server right away :

get tech support > tftp 192.168.0.102 get_tech_support.txt

For more info about debugging and troubleshooting : have a look at http://forums.juniper.net/jnet/board/message?board.id=Firewalls&thread.id=2719

Address Translation Basics

ScreenOS supports 2 types of Address Translation : Interface based or policy based. As stated earlier, I do not recommend using interface based address translation.

Interface based address translation
- puts ingress interface in NAT mode
- source IP address is translated to IP address of egress interface
- is easy but allows no flexibility whatsoever
- unidirectional only
- default setup : from Trust to Untrust and from DMZ to Untrust

You can turn off interface based address translation by putting all interfaces in route mode.

When using policy based nat, you’ll have to apply NAT to every rule. This may require some discipline and concentration, but it also allows maximum flexibility and has more features than "nat for dummies" interface based nat.

Policy based nat can be used from any zone to any zone, based on a policy. It allows for unidirectional NAT (nat-src, nat-dst, VIP) and bidirectional NAT (MIP). There are several options available for when and how you want to perform NAT :
- application based
- number of routable addresses
- number of internal devices and servers

There are 4 main types of policy based nat :
- nat-src : translate source address to another source address. Typically used to allow hosts within a private network to access the internet
- nat-dst : translate destination address. Typically used to translate a public IP to a private IP (when a private server needs to be accessible from the internet)
- VIP (Virtual IP) : One to Many mapping that statically associates a public address with many internal addresses, based upon ports/applications
- MIP (Mapped IP) : One to One mapping : static association of a public IP with a private IP

nat-src

Unidirectional, has 2 modes : egress interface IP or DIP

Best known for allowing private IP addresses to access the internet via the public IP address of the firewall. When using the egress interface mode, it essentially performs the same way as interface based nat.


nat-src can use DIP as well :
- defined on egress interface (can be tunnel interface as well !)
- custom specified IP, a range of IP’s (round robin), or an IP-Shift range (careful for overflow ! Shift : same amount of IP’s on both sides of the connection)
- IP (or range) must be in same subnet as
  * Primary IP of egress interface
  * Secondary IP of egress interface
  * Extended IP on egress interface (which can be in a different subnet than the primary or secondary IP !)
- Can be used on multiple policies
- Max 252 DIP address sets across all interfaces, and 254 addresses per DIP set
- Cannot contain the primary IP itself or another address (MIP, VIP)
- Port translation : always enable if you want to avoid conflicts, leave disabled if there is a specific reason (e.g. sometimes IPSec requires source and destination ports to be set to 500 at all times. Result : only 1 concurrent connection to the same destination IP is possible)
- First create DIP on interface, then use in (each) policy

nat-dst

One-to-one mapping
Many-to-one mapping
Many-to-many mapping
Port translation (fixed port, set by admin)

One-to-one, unidirectional

Example :
- Source : remote public IP, destination : “public” IP on your firewall
- After translation : Source : unchanged, destination : internal IP, on all ports

Watch out : a policy (with nat-dst rule) only becomes effective when traffic flows between zones. However, the public IP is in the “Untrust” zone (Furthermore, it is a host entry, and host entry routes are not used in the "5 tuple" process – see packet handling diagram earlier in this post)

Solution :
- Create address list (host) entry for public IP/32 in your Lan zone ! (or use a secondary IP and create address list entry to secondary IP)
- Add static route to the public IP/32 and point route to interface (not gateway) in your “Lan” zone
- Create policy from Internet to Lan, from ANY to Host Entry in Trust zone (which points to public IP) and invoke nat-dst

One-to-many

Virtual IP (VIP)

Only works when the interface is in the Untrust zone. If you’re not using the Untrust zone (as recommended by me :) ), then you can accomplish the same thing using nat-dst.
You cannot use the real Public IP. The VIP IP must be in the same subnet as the public IP though.
Create a set of Public IP / Private IP+Port combinations within a VIP.
Used to allow one or more services to be reachable from another zone, using a single IP.

Example :
- Real Public IP : 1.1.1.1, VIP : 1.1.1.2, internal network = 192.168.0.0/24
- Port 21 on 1.1.1.2 must be mapped to 192.168.0.1 on port 21
- Port 80 on 1.1.1.2 must be mapped to 192.168.0.2 on port 8080
- Port 515 on 1.1.1.2 must be mapped to 192.168.0.3 on port 515
- Remote client only uses 1.1.1.2 as destination address (which is the VIP)

Configuration : create a VIP on the public interface. No routing or host entry required. Only use a policy and use the VIP address in the destination field.

Which ports need to be allowed in the policy ? Port 21, 80 and 515 ? Or port 21, 8080 and 515 ?
Answer : 21, 80, 515. The firewall will handle the port translation itself.

One-to-one, bidirectional

MIP
- No port translation
- Defined on outward facing interface
- (Target/Host) Address can be defined in any subnet, it does not need to be associated with any of the interfaces. As long as the firewall and upstream routers can route to that IP, it will work
- Config :
  * Create MIP (public IP + IP of host to route traffic to). Host IP : set subnetmask to /32 (If you use something else, you’ll do IP shifting)
  * Create policy and invoke MIP

Note on NAT : Using NAT may become quite complex. I could write an entire blog post on NAT alone, so if you have specific questions, don’t hesitate to contact me directly.
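The three NAT behaviours that trip people up in the sections above (the VIP quiz answer, a MIP host mask other than /32, and IP-shift DIP overflow) can be checked offline with a small model. The following is an added example written for this page, not ScreenOS code and not from the original post: it reuses the VIP addresses from the example above, while the MIP and DIP addresses and every function name are this example's own; the shift arithmetic is a model of the behaviour described in the text, not a transcript of the firewall's implementation.

```python
"""Model of the policy-based NAT types from the post: VIP, MIP, IP-shift DIP.

Added example, not ScreenOS code. VIP addresses are the post's; the MIP and
DIP addresses are constructed, and the shift arithmetic models the post's
description of "IP shifting" and "overflow".
"""
import ipaddress

# VIP from the post's example: one public IP, per-port private targets.
VIP = {
    "public_ip": "1.1.1.2",
    "entries": {  # public port -> (private ip, private port)
        21: ("192.168.0.1", 21),
        80: ("192.168.0.2", 8080),
        515: ("192.168.0.3", 515),
    },
}


def vip_policy_ports(vip):
    """Ports the policy must permit: the public-side (pre-translation) ports."""
    return sorted(vip["entries"])


def vip_translate(vip, dst_ip, dst_port):
    """(private ip, private port) for an inbound packet, or None when the
    destination is not one of the VIP's public IP/port combinations."""
    if dst_ip != vip["public_ip"]:
        return None
    return vip["entries"].get(dst_port)


def mip_translate(mip_public, host_ip, host_prefixlen, dst_ip):
    """One-to-one MIP, no port translation.

    /32 gives a plain 1:1 map. A shorter mask shifts a whole block: the host
    bits of dst_ip inside mip_public's block are reused inside host_ip's
    block (assumed model of the post's "IP shifting" remark). Returns None
    when dst_ip is outside the MIP block.
    """
    pub_net = ipaddress.ip_network(f"{mip_public}/{host_prefixlen}", strict=False)
    dst = ipaddress.ip_address(dst_ip)
    if dst not in pub_net:
        return None
    offset = int(dst) - int(pub_net.network_address)
    priv_net = ipaddress.ip_network(f"{host_ip}/{host_prefixlen}", strict=False)
    return str(ipaddress.ip_address(int(priv_net.network_address) + offset))


def dip_shift(shift_from, dip_first, dip_last, src_ip):
    """IP-shift DIP for nat-src: internal sources starting at shift_from map
    1:1 onto dip_first..dip_last. Returns None for a source past the end of
    the public range: no address is left for it, the overflow the post warns
    about, so size both sides equally."""
    first = int(ipaddress.ip_address(dip_first))
    last = int(ipaddress.ip_address(dip_last))
    offset = int(ipaddress.ip_address(src_ip)) - int(ipaddress.ip_address(shift_from))
    if offset < 0 or offset > last - first:
        return None
    return str(ipaddress.ip_address(first + offset))


if __name__ == "__main__":
    print("VIP policy ports:", vip_policy_ports(VIP))
    for port in (21, 80, 515, 8080):
        print(f"  1.1.1.2:{port} ->", vip_translate(VIP, "1.1.1.2", port))
    print("MIP /32 :", mip_translate("1.1.1.5", "192.168.0.10", 32, "1.1.1.5"))
    print("MIP /24 :", mip_translate("1.1.1.5", "192.168.0.10", 24, "1.1.1.5"))
    print("DIP shift   :", dip_shift("10.1.1.11", "1.1.1.101", "1.1.1.105", "10.1.1.13"))
    print("DIP overflow:", dip_shift("10.1.1.11", "1.1.1.101", "1.1.1.105", "10.1.1.20"))
```

Two things the run makes visible: port 8080 is not a VIP hit at all, so listing it in the policy buys nothing, and a MIP written with a /24 host mask no longer sends 1.1.1.5 to the host you named (192.168.0.10) but to 192.168.0.5, which is exactly the IP shifting the text warns about.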

NAT application precedence


Authentication

ScreenOS supports two types of authentication :
- Firewall authentication (this requires that traffic matches a policy to trigger the login dialog). This policy must permit at least one of the following protocols : HTTP, Telnet, FTP. The firewall will basically perform a "mitm" to present you with an authentication login page.
- WebAuth : requires the user to browse to a designated webpage first and logon before a policy is applied.

You can find more information on how to set up WebAuth in conjunction with Windows IAS Radius on the following blog post on this website : Using Active Directory and IAS based Radius for Netscreen WebAuth authentication

The alarm led

If you notice that the alarm led on your device turns red, it may be because screening is enabled and one of the following events occurred :

Emergency :
- Syn Attack
- Tear Drop Attack
- Ping of Death

Alert :
- Winnuke Attack
- IP Spoof Attack
- IP Source Route Attack
- Land Attack
- ICMP Flood
- UDP Flood
- Port Scan Attack
- Address Sweep
- Policy Deny Alarms

The led will turn red if one of these attacks was detected. You can clear the red led using ‘clear led alarm’

This entry was posted on Sunday, June 22nd, 2008 at 1:46 pm and is filed under 001_Security, Juniper, Networking.
