Juniper Junos OS Getting Started Manual Download Page 83 | Manualshive

Page: 83 / 158

background image

Web_Server
idp-engine

13.

Activate the predefined Recommended policy as the active policy.

[edit]

user@host#

set security idp active-policy Recommended

14.

Confirm the active policy enabled on your device.

[edit]

user@host>

show security idp active-policy

active-policy Recommended;

15.

Create a security policy for the traffic from the untrust zone to the DMZ zone. In this
step, you are creating an address set in the DMZ zone to group all HTTP server
addresses together. In this example, you are applying security policies that can be
used to inspect the traffic between the untrust zone and the DMZ zone.

NOTE:

Keep in mind the following points:

•

Security policy on order on SRX Series device is important because
Junos OS performs a policy lookup starting from the top of the list,
and when the device finds a match for the traffic received, it stops
policy lookup.

•

The SRX Series device allows you to enable IDP processing on a
security policy on a rule-by-rule basis, instead of turning on IDP
inspection across the device.

•

A security policy identifies what traffic is to be sent to the IDP engine,
and then the IDP engine applies inspection based on the contents of
that traffic. Traffic that matches a security policy in which IDP is not
enabled completely bypasses IDP processing. Traffic that matches
a security policy marked for IDP processing is handed off to the IDP
engine.

[edit]

user@host#

set security zones security-zone DMZ address-book address

Server-HTTP-1 192.168.2.2/24

user@host#

set security zones security-zone DMZ address-book address

Server-HTTP-2 192.168.2.3/24

user@host#

set security zones security-zone DMZ address-book address-set

DMZ-address-set-http address Server-HTTP-1

user@host#

set security zones security-zone DMZ address-book address-set

DMZ-address-set-http address Server-HTTP-2

user@host#

set security policies from-zone untrust to-zone DMZ policy P1 match

source-address any

user@host#

set security policies from-zone untrust to-zone DMZ policy P1 match

destination-address DMZ-address-set-http

user@host#

set security policies from-zone untrust to-zone DMZ policy P1 match

application junos-http

67

Copyright © 2016, Juniper Networks, Inc.

Chapter 9: Configuring Intrusion Detection and Prevention for SRX Series

«
...
81
82
83
84
85
...
»

Summary of Contents for Junos OS

Page 1: ...Junos OS Getting Started Guide for Branch SRX Series Release 12 3X48 D10 Modified 2016 09 01 Copyright 2016 Juniper Networks Inc...

Page 2: ...tting Started Guide for Branch SRX Series 12 3X48 D10 Copyright 2016 Juniper Networks Inc All rights reserved The information in this document is current as of the date on the title page YEAR 2000 NOT...

Page 3: ...Default Configuration Topology 7 Default Port Settings 8 Default Settings for Interfaces Zones Policy and NAT 9 Default System Services 10 Autoinstallation 10 SRX210 Factory Default Settings A Sample...

Page 4: ...efault UTM Policy for Branch SRX Series 54 Default UTM Policy 54 Predefined UTM Profile Configuration for Branch SRX Series 54 Antispam 54 Antivirus 55 Web Filtering 56 Chapter 9 Configuring Intrusion...

Page 5: ...sion 109 show security idp active policy 115 show security idp status 116 show security nat destination summary 118 show security policies 120 show security utm session 128 show security utm status 12...

Page 6: ...Copyright 2016 Juniper Networks Inc vi Getting Started Guide for Branch SRX Series...

Page 7: ...n SRX Series Device for the First Time 17 Figure 2 Connecting an SRX210 to the Internet 21 Part 3 Configuring Basic SRX Series Features Chapter 5 Configuring Security Zones and Policies for SRX Series...

Page 8: ...Copyright 2016 Juniper Networks Inc viii Getting Started Guide for Branch SRX Series...

Page 9: ...s Devices 32 Table 8 Address Books Configuration 33 Table 9 Security Policy Configuration 34 Chapter 6 Configuring NAT for SRX Series 39 Table 10 Destination NAT Mapping 41 Chapter 8 Configuring UTM f...

Page 10: ...Copyright 2016 Juniper Networks Inc x Getting Started Guide for Branch SRX Series...

Page 11: ...rs and subject matter experts These books go beyond the technical documentation to explore the nuances of network architecture deployment and administration The current list can be viewed at http www...

Page 12: ...sable unit 0 family inet address 10 0 0 1 24 2 Merge the contents of the file into your routing platform configuration by issuing the load merge configuration mode command edit user host load merge va...

Page 13: ...tant features or instructions Informational note Indicates a situation that might result in loss of data or hardware damage Caution Alerts you to the risk of personal injury or death Warning Alerts yo...

Page 14: ...archy levels or labels on routing platform components Text like this stub default metric metric Encloses optional keywords or variables angle brackets broadcast multicast string1 string2 string3 Indic...

Page 15: ...ks Technical Assistance Center JTAC If you are a customer with an active J Care or Partner Support Service support contract or are covered under warranty and need post sales technical support you can...

Page 16: ...To verify service entitlement by product serial number use our Serial Number Entitlement SNE Tool https tools juniper net SerialNumberEntitlementSearch Opening a Case with JTAC You can open a case wit...

Page 17: ...PART 1 Overview Introduction to SRX Series Devices on page 3 1 Copyright 2016 Juniper Networks Inc...

Page 18: ...Copyright 2016 Juniper Networks Inc 2 Getting Started Guide for Branch SRX Series...

Page 19: ...eries are based on Junos OS a full featured networking operating system that is optimized to provide maximum performance and efficient network security The SRX Series range from lower end branch devic...

Page 20: ...Copyright 2016 Juniper Networks Inc 4 Getting Started Guide for Branch SRX Series...

Page 21: ...Series Services Gateway Understanding Factory Default Configuration Settings on page 7 Configuring an SRX Series Device for the First Time on page 17 Resetting the SRX Series Device on page 27 5 Copyr...

Page 22: ...Copyright 2016 Juniper Networks Inc 6 Getting Started Guide for Branch SRX Series...

Page 23: ...8 Default Settings for Interfaces Zones Policy and NAT on page 9 Default System Services on page 10 Autoinstallation on page 10 Default Configuration Topology Figure 1 on page 8 provides a topology of...

Page 24: ...lan trust The protected hosts can be connected to any one of the ports that are part of the default VLAN The DHCP server is running on vlan 0 and assigns IP addresses to other interfaces for the local...

Page 25: ...es in the 192 168 1 2 to 192 168 1 254 range to any device plugged into the trust interfaces Default Settings for Interfaces Zones Policy and NAT Table 3 on page 9 provides the default configuration o...

Page 26: ...s automatic configuration for a new device that you connect to the network Autoinstallation is active by default and is deactivated when you commit the device for the first time You can use the delete...

Page 27: ...rtificate interface vlan 0 dhcp router 192 168 1 1 pool 192 168 1 0 24 address range low 192 168 1 2 high 192 168 1 254 propagate settings ge 0 0 0 0 syslog archive size 100k files 3 user any emergenc...

Page 28: ...g vlan members vlan trust fe 0 0 2 unit 0 family ethernet switching vlan members vlan trust fe 0 0 3 unit 0 family ethernet switching vlan members vlan trust fe 0 0 4 unit 0 family ethernet switching...

Page 29: ...creen ids option untrust screen icmp ping death ip source route option tear drop tcp syn flood alarm threshold 1024 attack threshold 200 source threshold 1024 destination threshold 2048 timeout 20 lan...

Page 30: ...tination address any application any then permit zones security zone trust host inbound traffic system services all protocols all interfaces vlan 0 security zone untrust screen untrust screen interfac...

Page 31: ...onnecting the Branch SRX Series Through the Console Port for the First Time on page 19 Understanding Factory Default Configuration Settings of an SRX210 on page 7 15 Copyright 2016 Juniper Networks In...

Page 32: ...Copyright 2016 Juniper Networks Inc 16 Getting Started Guide for Branch SRX Series...

Page 33: ...lowing methods right out of the box Connecting through the console port Use an Ethernet cable with an RJ 45 to DB 9 serial port adapter to connect the console port on the SRX Series to the serial port...

Page 34: ...account Administrator Password Record the name of your SRX210 to identify itself on your network Hostname Network security often depends on knowing the exact time when a specific event occurs If you d...

Page 35: ...different applications 4 Press the POWER button on the device and wait till the Power LED turns green 5 Log in to the device as root and leave the password field blank When you boot the device with t...

Page 36: ...Related Documentation Understanding Methods to Manage the Branch SRX Series on page 17 Understanding Factory Default Configuration Settings of an SRX210 on page 7 Configuring a Hostname to Identify a...

Page 37: ...ess and gateway through DHCP If your ISP supports DHCP your services gateway acquires an IP address and other settings domain name servers default routes from your ISP Assign IP address manually If yo...

Page 38: ...Default Configuration Settings of an SRX210 on page 7 Connecting the Branch SRX Series Through the Console Port for the First Time on page 19 Configuring a Hostname to Identify a Branch SRX Series Ser...

Page 39: ...e show commands such as show system host name show system login and show system name server as shown in the following samples Verify system hostname details edit root host show system host name host n...

Page 40: ...d Address obtained 1 1 1 20 update server enables Lease Obtained at 2007 05 10 18 16 04 PST Lease Expires at 2007 05 11 18 16 04 PST DHCP Options Name name server Value 1 1 1 2 Code 1 Type ip address...

Page 41: ...es Services Gateway in Your Network on page 20 Configuring Internet Access for the Branch SRX Series on page 21 Configuring a Network Time Protocol Server for the Branch SRX Series on page 22 Validati...

Page 42: ...Copyright 2016 Juniper Networks Inc 26 Getting Started Guide for Branch SRX Series...

Page 43: ...services gateway will load and commit the rescue configuration During this operation the Status light on the front panel of your services gateway glows amber Resetting Your SRX Series to Factory Setti...

Page 44: ...Copyright 2016 Juniper Networks Inc 28 Getting Started Guide for Branch SRX Series...

Page 45: ...for SRX Series on page 39 Managing Licenses for SRX Series on page 47 Configuring UTM for Branch SRX Series on page 49 Configuring Intrusion Detection and Prevention for SRX Series on page 63 Underst...

Page 46: ...Copyright 2016 Juniper Networks Inc 30 Getting Started Guide for Branch SRX Series...

Page 47: ...are used to identify traffic flow direction in security policies to control traffic On a single device you can configure multiple security zones and at a minimum you must define two security zones ba...

Page 48: ...or Security Devices Related Documentation Understanding Factory Default Configuration Settings of an SRX210 on page 7 Connecting Your Branch SRX Series for the First Time Example Configuring Security...

Page 49: ...thernet switching factory configuration setting to family inet Assign IP address 192 168 1 2 24 to the host connected to the fe 0 0 2 0 interface in the trust zone Set up two HTTP servers Server HTTP...

Page 50: ...zoneDMZaddress bookaddressServer SMTP192 168 2 4 24 set security zones security zone DMZ address book address set DMZ address set http address Server HTTP 1 set security zones security zone DMZ addre...

Page 51: ...ecurity zone DMZ address book address set DMZ address set http address Server HTTP 2 5 Create address books in the trust zone edit user srx210 host set security zones security zone trust address book...

Page 52: ...ook address Server HTTP 1 192 168 2 2 24 address Server HTTP 2 192 168 2 3 24 address Server SMTP 192 168 2 4 24 address set DMZ address set http address Server HTTP 1 address Server HTTP 2 interfaces...

Page 53: ...e show security flow session command from operational mode For samples of the show security flow session command output see show security flow session Related Documentation Understanding Security Zone...

Page 54: ...Copyright 2016 Juniper Networks Inc 38 Getting Started Guide for Branch SRX Series...

Page 55: ...same size Destination NAT Destination NAT is the translation of the destination IP address of a packet entering the SRX Series Destination NAT is used to redirect traffic destined to a virtual host i...

Page 56: ...ss to the private address Requirements Before you begin create security zones and assign interfaces to them See Example Configuring Security Zones and Policies for SRX Series on page 32 This example u...

Page 57: ...rce IP Address 192 168 2 2 1 1 1 3 1 1 1 3 20 20 20 20 In this topology you provide access to the server Server HTTP 1 in the DMZ zone from the Internet after translating the public IP address 1 1 1 3...

Page 58: ...the commands into the CLI at the edit hierarchy level and then enter commit from configuration mode set security nat destination pool dst nat pool 1 address 192 168 2 2 32 set security nat destinatio...

Page 59: ...st set security policies from zone untrust to zone DMZ policy server access match source address any user srx210 host set security policies from zone untrust to zone DMZ policy server access match des...

Page 60: ...nat destination summary command View the translation hits field to check for traffic using IP addresses from the pool Total pools 1 Pool name Address Routing Port Total Range Instance Address dst nat...

Page 61: ...rstanding Factory Default Configuration Settings of an SRX210 on page 7 Connecting Your Branch SRX Series for the First Time 45 Copyright 2016 Juniper Networks Inc Chapter 6 Configuring NAT for SRX Se...

Page 62: ...Copyright 2016 Juniper Networks Inc 46 Getting Started Guide for Branch SRX Series...

Page 63: ...You can Install the license on the SRX Series using either the automatic method or manual method as follows Install your license automatically on the device To install or update your license automatic...

Page 64: ...license View license usage for UTM features License identifier JUNOS240185 License version 2 Valid for device AH1111AA7883 Features av_key_kaspersky_engine Kaspersky AV date based 2010 01 04 08 00 00...

Page 65: ...threats enter the network The following UTM modules are supported Antispam Antispam blocks and filters unwanted e mail traffic by scanning inbound and outbound SMTP e mail traffic by using some combi...

Page 66: ...Redirect Web filtering junos wf local default juniper local Local Web filtering junos wf enhanced default juniper enhanced Enhanced Web filtering SMTP POP3 IMAP HTTP and FTP NA NA NA Content filterin...

Page 67: ...CLI Quick Configuration To quickly configure this example copy the following commands paste them into a text file remove any line breaks change any details necessary to match your network configurati...

Page 68: ...e address any destination address any application any user srx210 host set security policies from zone trust to zone untrust policy trust to untrust then permit application services utm policy policy...

Page 69: ...hat the antispam filtering configuration is active Action From operational mode enter the show security utm anti spam status command user srx210 host show security utm anti spam status SBL Whitelist S...

Page 70: ...Branch SRX Series Default UTM Policy anti virus http profile junos av defaults ftp upload profile junos av defaults download profile junos av defaults smtp profile junos av defaults pop3 profile juno...

Page 71: ...ng scan mode all content size limit 10000 timeout 180 decompress layer limit 2 notification options virus detection type message no notify mail sender custom message VIRUS WARNING fallback block type...

Page 72: ...ns default log and permit content size log and permit engine not ready log and permit timeout log and permit out of resources log and permit too many requests log and permit scan options uri check con...

Page 73: ...s_Alcohol_Tobacco action block Education action permit Finance_Investment action permit Food_Drink action permit Gambling action block Games action block Glamour_Intimate_Apparel action permit Governm...

Page 74: ...ng action block Photo_Searches action permit Real_Estate action permit Reference action permit Religion action permit Remote_Proxies action block Sex_Education action block Search_Engines action permi...

Page 75: ...fallback settings default log and permit server connectivity log and permit timeout log and permit too many requests log and permit juniper local profile junos wf local default custom block message Ju...

Page 76: ...action block Enhanced_Nudity action block Enhanced_Adult_Content action block Enhanced_Sex action block Enhanced_Hacking action block Enhanced_Personals_and_Dating action block Enhanced_Alcohol_and_To...

Page 77: ...log and permit custom block message Juniper Web Filtering has been set to block this site fallback settings default log and permit server connectivity log and permit timeout log and permit too many r...

Page 78: ...Copyright 2016 Juniper Networks Inc 62 Getting Started Guide for Branch SRX Series...

Page 79: ...ge on the Juniper Networks website This database includes attack object and attack object groups that you can use in IDP policies to match traffic against known attacks Configure recommended policy as...

Page 80: ...u want to inspect This example shows how to configure a security policy to enable IDP services for the first time on traffic flowing on the device Requirements on page 64 Overview on page 64 Configura...

Page 81: ...x cgi Version info 2230 Mon Feb 4 19 40 13 2013 GMT 8 Detector 12 6 160121210 3 Install the attack database edit user host run request security idp security package install Will be processed in async...

Page 82: ...ing the status checking CLI 9 Verify the installation status update edit user host run request security idp security package install status Done policy templates has been successfully updated into int...

Page 83: ...security policy identifies what traffic is to be sent to the IDP engine and then the IDP engine applies inspection based on the contents of that traffic Traffic that matches a security policy in which...

Page 84: ...ss set http application junos http then permit application services idp If you are done configuring the device enter commit from configuration mode Verification Confirm that the configuration is worki...

Page 85: ...Memory Detector 0 Recommended 0 2233 12 6 160121210 Meaning The sample output shows the Recommended predefined IDP policy as the active policy Related Documentation Updating Licenses for a Branch SRX...

Page 86: ...Copyright 2016 Juniper Networks Inc 70 Getting Started Guide for Branch SRX Series...

Page 87: ...defined configurations the factory default configuration contains at a minimum a trust and untrust zone The trust zone is used for configuration and attaching the internal LAN to the branch SRX Series...

Page 88: ...y parameter index SPI destination IP address and security protocol Authentication Header or Encapsulating Security Payload employed Through the SA an IPsec tunnel can provide the following security fu...

Page 89: ...PART 4 Configuration Statements and Operational Commands Configuration Statements on page 75 Operational Commands on page 107 73 Copyright 2016 Juniper Networks Inc...

Page 90: ...Copyright 2016 Juniper Networks Inc 74 Getting Started Guide for Branch SRX Series...

Page 91: ...ding options group VPNs Intrusion Detection Prevention IDP Internet Key Exchange IKE Internet Protocol Security IPsec logging Network Address Translation NAT public key infrastructure PKI policies res...

Page 92: ...page 90 edit security pki Hierarchy Level edit security policies Hierarchy Level on page 93 edit security resource manager Hierarchy Level edit security screen Hierarchy Level edit security softwires...

Page 93: ...ny client to server server to client service service name shellcode all intel no shellcode sparc test test condition chain expression boolean expression member member name attack type anomaly same sta...

Page 94: ...code value data length match equal greater than less than not equal value data length identification match equal greater than less than not equal value identification value sequence number match equa...

Page 95: ...ater than less than not equal value identification value ihl match equal greater than less than not equal value ihl value ip flags df no df mf no mf rb no rb protocol match equal greater than less tha...

Page 96: ...t match equal greater than less than not equal value hop limit value next header match equal greater than less than not equal value next header value payload length match equal greater than less than...

Page 97: ...er than less than not equal value reserved value sequence number match equal greater than less than not equal value sequence number source port match equal greater than less than not equal value sourc...

Page 98: ...transport layer protocol number rpc program number rpc program number tcp minimum port port number maximum port port number udp minimum port port number maximum port port number regexp regular expres...

Page 99: ...p policy policy name rulebase exempt rule rule name description text match attacks custom attack groups attack group name custom attacks attack name dynamic attack groups attack group name predefined...

Page 100: ...class forwarding class close client close client and server close server drop connection drop packet ignore connection mark diffserv value no action recommended ip action ip block ip close ip notify l...

Page 101: ...cache limit lt lower threshold value min objcache limit ut upper threshold value reject timeout value reset on policy no reset on policy udp anticipated timeout value global enable all qmodules no ena...

Page 102: ...ignore reassembly memory overflow ignore reassembly overflow max flow mem value max packet mem ratio percetnage value max synacks queued value tcp error logging no tcp error logging ssl inspection cac...

Page 103: ...ail address nat keepalive seconds no nat traversal remote identity distinguished name container container string wildcard wildcard string hostname hostname inet ip address inet6 ipv6 address user at h...

Page 104: ...association manual encryption iked_encryption enabled algorithm 3des cbc key ascii text key policy policy name description description perfect forward secrecy keys group1 group14 group19 group2 group...

Page 105: ...ely on traffic ike gateway gateway name idle time seconds install interval seconds ipsec policy ipsec policy name no anti replay proxy identity local ip prefix remote ip prefix service any service nam...

Page 106: ...ecurity nat destination pool pool name address ip address port port number to ip address description text routing instance routing instance name default rule set rule set name description text from in...

Page 107: ...tilization alarm clear threshold value raise threshold value port block allocation active block timeouttimeout interval block size block size log disable maximum blocks per host maximum block number d...

Page 108: ...imeout seconds max session number value permit any remote host target host target host port off pool pool name persistent nat address mapping inactivity timeout seconds max session number number permi...

Page 109: ...uting instance routing instance name default rule session count alarm clear threshold value raise threshold value traceoptions file filename files number match regular expression world readable no wor...

Page 110: ...me scheduler name then count alarm per minute threshold number per second threshold number deny log session close session init permit application services application firewall rule set rule set name a...

Page 111: ...profile name domain domain name ssl termination profile profile name web authentication client match user or group name services offload tcp options sequence check required syn check required tunnel...

Page 112: ...lose session init permit application services application firewall rule set rule set name application traffic control rule set rule set name gprs gtp profile profile name gprs sctp profile profile nam...

Page 113: ...nitial tcp mss mss value reverse tcp mss mss value sequence check required syn check required reject policy rematch policy stats system wide disable enable traceoptions file filename files number matc...

Page 114: ...spam address blacklist list name address whitelist list name sbl profile profile name custom tag string string sbl default server no sbl default server spam action block tag header tag subject traceop...

Page 115: ...nder type message protocol only fallback non block custom message message custom message subject message subject notify mail recipient no notify mail recipient virus detection custom message message c...

Page 116: ...ge message custom message subject message subject display host notify mail sender no notify mail sender type message protocol only fallback non block custom message message custom message subject mess...

Page 117: ...mit permit too many requests block log and permit permit notification options fallback block administrator email email address allow email custom message message custom message subject message subject...

Page 118: ...xception list name list list name notification options custom message message notify mail sender no notify mail sender type message protocol only permit command protocol command list traceoptions flag...

Page 119: ...t value server host host name port number juniper local profile profile name custom block message value default block log and permit permit fallback settings default block log and permit server connec...

Page 120: ...og and permit too many requests block log and permit server host host name port number sockets value timeout value ipc traceoptions flag flag traceoptions flag flag utm policy policy name anti spam sm...

Page 121: ...75 Unified Threat Management Overview edit security zones Hierarchy Level security zones functional zone management description text host inbound traffic protocols protocol name except system services...

Page 122: ...t host inbound traffic protocols protocol name except system services service name except interfaces interface name host inbound traffic protocols protocol name except system services service name exc...

Page 123: ...show security idp active policy show security idp status show security nat destination summary show security policies show security utm session show security utm status show security zones show syste...

Page 124: ...m license update trial on page 108 Output Fields When you enter this command you are provided feedback on the status of your request Sample Output request system license update user host request syste...

Page 125: ...n firewall Application firewall enabled application firewall rule set Application firewall enabled with the specified rule set application traffic control Application traffic control session applicati...

Page 126: ...curity flow session on page 112 show security flow session brief on page 112 show security flow session extensive on page 113 show security flow session summary on page 113 Output Fields Table 12 on p...

Page 127: ...ority Forwarding class Differentiated Services DiffServ code point DSCP value remarked by the matching rule for this session DSCP code point One of four priority levels set by the matching rule to con...

Page 128: ...00001 Policy name default policy 2 Timeout 1794 Valid In 40 0 0 111 32852 30 0 0 100 21 tcp If ge 0 0 2 0 Pkts 25 Bytes 1138 Out 30 0 0 100 21 40 0 0 111 32852 tcp If ge 0 0 1 0 Pkts 20 Bytes 1152 Tot...

Page 129: ...rface ge 0 0 2 0 Session token 0x9 Flag 0x20 Route 0x0 Gateway 20 0 0 10 Tunnel 0 Port sequence 0 FIN sequence 0 FIN state 0 Pkts 0 Bytes 0 Total sessions 1 show security flow session summary root sho...

Page 130: ...Valid sessions 0 Pending sessions 0 Invalidated sessions 0 Sessions in other states 0 Maximum sessions 819200 Copyright 2016 Juniper Networks Inc 114 Getting Started Guide for Branch SRX Series...

Page 131: ...e Output show security idp active policy on page 115 Output Fields Table 13 on page 115 lists the output fields for the showsecurityidpactive policycommand Output fields are listed in the approximate...

Page 132: ...throughput packets per second for the system Packets second The aggregated throughput kilobits per second for the system KBits second min Minimum delay for a packet to receive and return by a node in...

Page 133: ...icroseconds min 0 max 0 avg 0 Packet Statistics ICMP 0 TCP 82 UDP 0 Other 0 Flow Statistics ICMP Current 0 Max 0 2010 02 05 06 49 51 UTC TCP Current 2 Max 6 2010 02 05 06 52 08 UTC UDP Current 0 Max 0...

Page 134: ...ation pool Security Destination NAT rule Security Destination NAT Security Configuration Statement Hierarchy on page 75 List of Sample Output show security nat destination summary on page 119 Output F...

Page 135: ...ll the destination NAT rules Total fail times Sample Output show security nat destination summary user host show security nat destination summary Total pools 2 Pool name Address Routing Port Total Ran...

Page 136: ...cp mss options added in Junos OS Release 12 3X48 D20 Description Display a summary of all security policies configured on the device If a particular policy is specified display information particular...

Page 137: ...able in a from zoneA to zoneB context might be ordered with sequence numbers 1 2 3 Also in a from zoneC to zoneD context four policies might have sequence numbers 1 2 3 4 Sequence number For standard...

Page 138: ...with translated destination addresses drop untranslated Drop the packets without translated destination addresses Destination Address Translation An application firewall includes the following Rule se...

Page 139: ...irection Output packets The total number of packets actually processed by the device Initial direction The number of packets actually processed by the device from the initial direction Reply direction...

Page 140: ...sses sa 1 ipv4 2 2 2 0 24 sa 2 ipv6 2001 0db8 32 sa 3 ipv6 2001 0db6 24 sa 4 wc 192 168 0 11 255 255 0 255 Destination addresses da 1 ipv4 2 2 2 0 24 da 2 ipv6 2400 0af8 32 da 3 ipv6 2400 0d78 0 24 da...

Page 141: ...n addresses any Source identities role1 role2 role4 Applications any Action permit services offload show security policies detail user host show security policies detail Default policy deny all Policy...

Page 142: ...ol 0 ALG 0 Inactivity timeout 0 Source port range 0 0 Destination port range 0 0 Per policy TCP Options SYN check No SEQ check No show security policies detail TCP Options user host show security poli...

Page 143: ...00 196 0 22 ad5 ad 15 1 7 199 15 1 8 19 ad6 ad 15 1 8 0 21 ad7 ad 15 1 7 0 24 Destination addresses excluded ad13 ad2 20 1 7 0 24 ad12 ad2 20 1 4 1 32 ad11 ad2 20 1 7 199 20 1 8 19 ad10 ad2 50 1 4 0 2...

Page 144: ...ormation from both nodes in a chassis cluster Required Privilege Level view Related Documentation clear security utm session show security utm status on page 129 Output Fields show security utm sessio...

Page 145: ...status of both the nodes with full chassis cluster support for UTM Required Privilege Level view Related Documentation clear security utm session show security utm session on page 128 Output Fields sh...

Page 146: ...ature Guide for Security Devices List of Sample Output show security zones on page 131 show security zones abc on page 131 show security zones abc detail on page 131 show security zones terse on page...

Page 147: ...reset for non SYN session TCP packets Off Policy configurable Yes Interfaces bound 1 Interfaces ge 0 0 1 0 Security zone def Description This is the def zone Send reset for non SYN session TCP packet...

Page 148: ...es Interfaces bound 1 Interfaces ge 0 0 1 0 Sample Output show security zones terse user host show security zones terse Zone Type my internal Security my external Security dmz Security Copyright 2016...

Page 149: ...Series Devices List of Sample Output show system license on page 134 show system license installed on page 134 show system license keys on page 135 show system license usage on page 135 show system l...

Page 150: ...Output show system license user host show system license License usage Licenses Licenses Licenses Expiry Feature name used installed needed av_key_kaspersky_engine 1 1 0 2012 03 30 01 00 00 IST wf_key...

Page 151: ...xxxxx xxxxxx xxxxxx xxx show system license usage user host show system license usage Licenses Licenses Licenses Expiry Feature name used installed needed av_key_kaspersky_engine 1 1 0 2012 03 30 01 0...

Page 152: ...statistics on page 138 Output Fields Table 19 on page 136 lists the output fields for the show system services dhcp client command Output fields are listed in the approximate order in which they appea...

Page 153: ...o the DHCP server for local configuration parameters DHCPRELEASE Packet sent to the DHCP server to relinquish network address and cancel remaining lease DHCPRENEW Packet sent to the DHCP server to ren...

Page 154: ...ress Value 255 255 255 0 Name name server Value 77 77 77 77 55 55 55 55 Name domain name Value mylab example net Sample Output show system services dhcp client statistics user host show system service...

Page 155: ...PART 5 Index Index on page 141 139 Copyright 2016 Juniper Networks Inc...

Page 156: ...Copyright 2016 Juniper Networks Inc 140 Getting Started Guide for Branch SRX Series...

Page 157: ...t 19 console port 17 conventions text and syntax xiii curly braces in configuration statements xiv customer support xv contacting JTAC xv D default configuration NAT 7 policies 7 destination NAT 40 de...

Page 158: ...nat destination summary command 118 show security policies command 120 show security utm session 128 show security utm status 129 show security zones command 130 show system license command 133 show...

Reviews:

No comments

Related manuals for Junos OS

Brand: IBM Pages: 86

Enterprise Filter Authentication R3000

Brand: 8e6 Technologies Pages: 66

Brand: Harmonic Pages: 56

Brand: Furuno Pages: 24

Brand: Wintech Pages: 21

Brand: ICP DAS USA Pages: 8

Hotwire ATM Line Cards 8335

Brand: Paradyne Pages: 132

SLK-R602 Series

Brand: Seriallink Pages: 29

Brand: HighPoint Pages: 10

Brand: ANEP Pages: 48

Brand: Waver Pages: 36

Brand: Lindy Pages: 12

Brand: Echo Pages: 21

Network Adapter AC AAP

Brand: Extron electronics Pages: 2

Imagestore Intuition+

Brand: Miranda Pages: 60

Brand: NetComm Pages: 4

Brand: Juniper Pages: 230

Brand: Sun Microsystems Pages: 410

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands