{primary:node0}[edit]
test@SRX1# set system services ssh root-login deny
• Command: “set system services ssh root-login deny”
• On Juniper devices there is a default admin account called root. You cannot rename the account, and it has the permissions to do anything on the device.
• The “set system services ssh root-login deny” command blocks the root account from logging on across the network via SSH.
• It is good practice to only use the root account in emergency situations, with local console access.
@JBC_SEC & @JBIZZLE703
Cyber&Sight™ Network Knowledge, Juniper Edition
JBCSEC.COM

{primary:node0}[edit]
test@SRX1# set system authentication-order radius
• Command: “set system authentication-order radius”
• This command allows you to authenticate only with accounts that are set up on your RADIUS server.
• If you attempt to log in with a local account, the authentication attempt will fail. However, if the device cannot successfully connect to the RADIUS server, you can log in with a local account.
• If you would like to allow both RADIUS and local accounts, add the keyword “local” to the command after “radius”.

{primary:node0}[edit]
test@SRX1# set system login class RO permissions view-configuration
set system login class RO allow-commands show
set system login class RO deny-commands "(clear)|(file)|(fileshow)|(help)|(load)|(monitor)|(op)|(request)|(save)|(set)|(start)|(test)"
set system login class RO deny-configuration all
• Topic: Creating a Read-Only Account
• This group of commands gives an example of how to create a class called “RO” which restricts which commands and actions are allowed. Accounts can then be associated with this class either locally or via an AAA server.
• This is useful for having different roles for network support staff. In this case an individual can log in and run show commands, but is prevented from running other types of configuration commands.

{primary:node0}[edit]
test@SRX1# set system login password minimum-length 15
set system login password change-type character-sets
set system login password minimum-numerics 1
set system login password minimum-upper-cases 1
set system login password minimum-lower-cases 1
set system login password minimum-punctuations 1
set system login password format sha1
• Topic: Setting Strong Password Requirements
• This group of commands allows an administrator to implement a strong password policy on the device.
• The grouping includes both complexity and length requirements.
• This only applies to accounts stored locally on the device. If you are using a remote AAA server, a password policy must be applied on that server for the accounts that reside there.

{primary:node0}[edit]
test@SRX1# set groups global-idp security policies from-zone <*> to-zone <*> policy <*> then permit application-services idp
set security policies apply-groups global-idp
set security idp active-policy Recommended
• Topic: Setting a Global IDP Policy
• This group of commands allows an administrator to apply an IDP policy across all security zones on the device.
• The IDP policy enabled in this case is the “Recommended” policy, which is a small grouping of IDP rules. Juniper provides a collection of predefined IDP policies, or you can create your own policy based on whichever signatures you want.
• If you don’t want a global policy, you can attach the IDP policy on a per-security-policy basis.
• Only one active IDP policy can be enabled on the device at a time.

{primary:node0}[edit]
test@SRX1# set system services ssh root-login deny
• Command: “set system services ssh root-login deny”
• This command makes sure that you cannot log into the device remotely with the root account.
• This is important from a security perspective, since it minimizes the chance of a brute-force attack against the device succeeding through that account.

{primary:node0}[edit]
test@SRX1# set system services ssh ciphers aes128-ctr
set system services ssh ciphers aes192-ctr
set system services ssh ciphers aes256-ctr
set system services ssh ciphers aes256-cbc
set system services ssh ciphers aes192-cbc
set system services ssh ciphers aes128-cbc
set system services ssh macs hmac-sha1
set system services ssh macs hmac-sha2-512
set system services ssh macs hmac-sha2-256
set system services ssh macs hmac-sha1-96
set system services ssh key-exchange dh-group14-sha1
set system services ssh key-exchange group-exchange-sha2
set system services ssh key-exchange ecdh-sha2-nistp256
set system services ssh key-exchange ecdh-sha2-nistp384
set system services ssh key-exchange ecdh-sha2-nistp521
• Topic: Setting Secure Crypto Ciphers
• This group of commands is used to implement what are currently considered acceptable standards for cryptography on the device for your SSH sessions.
• The device enables multiple weak ciphers by default, so it is important to explicitly configure ciphers that are not considered vulnerable.
• Certain organizations or governing agencies will have specific requirements that you may need to meet.

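As an added example (not part of the slide deck), the following Python script audits a saved “show configuration | display set” dump for the hardening items from the root-login, authentication-order, password-policy and SSH-cipher slides above. Both configuration samples are constructed, and the LEGACY_SSH set is an editorial caveat: the CBC ciphers, hmac-sha1 and dh-group14-sha1 on the slide's list are flagged by current SSH hardening guidance, so the script reports them separately from outright weak algorithms.

```python
"""Audit a Junos 'show configuration | display set' dump against the hardening
items from these slides: root-login deny, RADIUS authentication order, the local
password policy and the SSH cipher/MAC/key-exchange lists.
Added example, not from the slide deck; both configuration samples are constructed."""
import shlex
from collections import defaultdict

# Constructed: a device that still has most defaults and a legacy algorithm in each SSH list.
WEAK_CONFIG = """\
set system services ssh root-login allow
set system services ssh ciphers aes256-ctr
set system services ssh ciphers aes128-cbc
set system services ssh macs hmac-sha2-256
set system services ssh macs hmac-sha1-96
set system services ssh key-exchange ecdh-sha2-nistp256
set system services ssh key-exchange dh-group14-sha1
set system authentication-order radius
set system authentication-order local
set system login password minimum-length 8
set system login password minimum-numerics 1
set system login password format sha1
"""

# Constructed: the slides' commands, with the SSH lists trimmed to CTR, SHA-2 and ECDH.
HARDENED_CONFIG = """\
set system services ssh root-login deny
set system services ssh ciphers aes256-ctr
set system services ssh macs hmac-sha2-256
set system services ssh key-exchange ecdh-sha2-nistp256
set system authentication-order radius
set system login password minimum-length 15
set system login password change-type character-sets
set system login password minimum-numerics 1
set system login password minimum-upper-cases 1
set system login password minimum-lower-cases 1
set system login password minimum-punctuations 1
set system login password format sha1
"""

MIN_PASSWORD_LENGTH = 15  # the value used on the slide
PASSWORD_RULES = ("change-type", "minimum-numerics", "minimum-upper-cases",
                  "minimum-lower-cases", "minimum-punctuations")
# Algorithms that current SSH hardening guides disable outright.
WEAK_SSH = {"3des-cbc", "arcfour", "arcfour128", "arcfour256",
            "hmac-md5", "hmac-md5-96", "dh-group1-sha1"}
# Algorithms on the slide's own list that newer guidance and scanners such as
# ssh-audit now flag: CBC modes and anything built on SHA-1.
LEGACY_SSH = {"aes128-cbc", "aes192-cbc", "aes256-cbc",
              "hmac-sha1", "hmac-sha1-96", "dh-group14-sha1"}


def parse_set_lines(text):
    """Map 'set <path> <value>' lines to {path: [values]}. 'display set' prints one
    line per list element, so repeated paths (ciphers, authentication-order) accumulate
    in order; shlex keeps a quoted value such as a deny-commands regex as one token."""
    cfg = defaultdict(list)
    for line in text.splitlines():
        tokens = shlex.split(line.strip())
        if len(tokens) < 3 or tokens[0] != "set":
            continue
        cfg[" ".join(tokens[1:-1])].append(tokens[-1])
    return cfg


def audit(text):
    """Return (item, detail) findings; an empty list means every check passed."""
    cfg = parse_set_lines(text)
    findings = []
    if cfg.get("system services ssh root-login") != ["deny"]:
        findings.append(("root-login", "root can log in over SSH; set 'system services ssh root-login deny'"))
    order = cfg.get("system authentication-order", [])
    if "radius" not in order:
        findings.append(("authentication-order", "RADIUS not used; only local accounts authenticate"))
    elif "local" in order:
        findings.append(("authentication-order",
                         "'local' is listed: local accounts work even when RADIUS is reachable"))
    pw = "system login password "
    length = int(cfg.get(pw + "minimum-length", ["0"])[0])
    if length < MIN_PASSWORD_LENGTH:
        findings.append(("password minimum-length", f"{length} is below {MIN_PASSWORD_LENGTH}"))
    for rule in PASSWORD_RULES:
        if pw + rule not in cfg:
            findings.append(("password " + rule, "not configured"))
    for family in ("ciphers", "macs", "key-exchange"):
        algs = cfg.get("system services ssh " + family, [])
        if not algs:
            findings.append(("ssh " + family, "not configured; the Junos default list includes weak algorithms"))
        for alg in algs:
            if alg in WEAK_SSH:
                findings.append(("ssh " + family, alg + " is weak"))
            elif alg in LEGACY_SSH:
                findings.append(("ssh " + family, alg + " is legacy (CBC or SHA-1); prefer CTR, SHA-2 and ECDH"))
    return findings
```

Running audit(WEAK_CONFIG) yields ten findings and audit(HARDENED_CONFIG) none; feed it the output of “show configuration | display set” saved from a real device to check a fleet.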
{primary:node0}[edit]
test@SRX1# set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
• Topic: Saving Configurations with Rollbacks
• This group of commands sets the number of configuration versions that are saved on the device.
• This allows you to roll back to any of the previous five configuration states from your earlier commits.
• This number can be altered to meet the requirements and comfort level of the administrators.

{primary:node0}[edit]
test@SRX1# set chassis cluster reth-count 5
• Command: “set chassis cluster reth-count 5”
• This command sets the number of redundant Ethernet interfaces (RETHs) that are configured on the device.
• A RETH is a pair of interfaces that acts as a single interface across an active/passive firewall cluster.
• If you don’t modify this number, the device will not allow you to add additional RETHs.

{primary:node0}[edit]
test@SRX1# set security log mode stream
• Command: “set security log mode stream”
• This command changes the way the device processes its logging. Stream mode is recommended for the larger devices: instead of processing and maintaining the logs on box, it ships them off to a remote location.
• The purpose of this mode is that the amount of log processing that happens on carrier-grade devices can have a negative impact on CPU performance.

{primary:node0}[edit]
test@SRX1# set security flow traceoptions file FLOW
set security flow traceoptions file size 5m
set security flow traceoptions file files 5
set security flow traceoptions file world-readable
set security flow traceoptions flag tcp-basic
• Topic: Traceoptions
• This series of commands allows you to capture traffic as it flows through the device. This can be useful in many troubleshooting scenarios.
• The first command sets the name of the file, the second the size of the file, the third how many files to create before overwriting the oldest, the fourth the output format, and the fifth which type of traffic to collect.
• There are many options for the flag command, including: all, general, normal, policy, route, state, etc.

{primary:node0}[edit]
test@SRX1# set security flow tcp-mss ipsec-vpn mss 1300
• Command: “set security flow tcp-mss ipsec-vpn mss 1300”
• This command ensures that all traffic going through an IPsec VPN on the device uses a maximum segment size of 1300.
• This is often needed to ensure that fragmentation across the Internet or WAN does not take place. There are instances where a VPN packet that is too large will be dropped, so it is best practice to lower the MSS of your VPN traffic.

{primary:node0}[edit]
test@SRX1# set security screen ids-option DOS-screen icmp ip-sweep threshold 1000
set security screen ids-option DOS-screen icmp fragment
set security screen ids-option DOS-screen icmp large
set security screen ids-option DOS-screen icmp flood threshold 200
set security screen ids-option DOS-screen icmp ping-death
set security screen ids-option DOS-screen ip bad-option
set security screen ids-option DOS-screen ip record-route-option
set security screen ids-option DOS-screen ip timestamp-option
set security screen ids-option DOS-screen ip security-option
set security screen ids-option DOS-screen ip stream-option
set security screen ids-option DOS-screen ip spoofing
set security screen ids-option DOS-screen ip source-route-option
set security screen ids-option DOS-screen ip strict-source-route-option
set security screen ids-option DOS-screen ip unknown-protocol
set security screen ids-option DOS-screen ip block-frag
set security screen ids-option DOS-screen ip tear-drop
• Topic: Denial of Service Protections
• This group of commands is some of the many screen options that can be applied to an IDS policy.
• This policy can then be attached to any interfaces where you deem appropriate.
• There are other IPv6 options, as well as flood and sweep threshold protections.

{primary:node0}[edit]
test@SRX1# set security nat source rule-set To-Untrust rule R1 match source-address 0.0.0.0/0
set security nat source rule-set To-Untrust rule R1 match destination-address 0.0.0.0/0
set security nat source rule-set To-Untrust rule R1 then source-nat interface
• Topic: Setting Up Outbound NAT
• This group of commands sets up source NAT on an external interface and will NAT all traffic destined to any IP address.
• This particular configuration NATs all internal traffic to the external IP address of your firewall.

{primary:node0}[edit]
test@SRX1# set security nat static rule-set Static-NAT rule Web-Svr1 match destination-address 5.5.5.5/32
set security nat static rule-set Static-NAT rule Web-Svr1 then static-nat prefix 10.10.10.5/32
set security nat proxy-arp interface reth1.10 address 5.5.5.5/32
• Topic: Setting Up Inbound NAT
• This group of commands sets up a one-to-one NAT to translate from an external (public) IP address to an internal (private) IP address.
• It is important to remember to add the “nat proxy-arp” statement so that the external interface knows to respond to ARP requests for the external NAT IP.

{primary:node0}[edit]
test@SRX1# set security policies global policy default-deny match source-address any
set security policies global policy default-deny match destination-address any
set security policies global policy default-deny match application any
set security policies global policy default-deny then deny
set security policies global policy default-deny then log session-init
• Topic: Setting Up a Global Default Deny Policy
• This group of commands sets a default deny policy at the bottom of all zone-based security policies.
• It consists of match statements for the source, destination and application, plus the action. Lastly, there is a command to ensure that every session that matches the rule is logged.

{primary:node0}[edit]
test@SRX1# set security zones security-zone DOMAIN_CONTROLLERS address-book address DC1 10.10.10.11/32
set security zones security-zone DOMAIN_CONTROLLERS address-book address DC2 10.10.10.12/32
set security zones security-zone DOMAIN_CONTROLLERS address-book address-set Domain_Controllers_Group address DC1
set security zones security-zone DOMAIN_CONTROLLERS address-book address-set Domain_Controllers_Group address DC2
set security zones security-zone DOMAIN_CONTROLLERS interfaces reth0.100
• Topic: Setting Up a Security Zone
• A security zone is a group of devices that are associated with an interface or sub-interface. This will normally contain one or more subnets.
• These commands create address object entries, create an address set containing multiple objects, and associate the security zone with an interface (in this case a sub-interface of a redundant Ethernet interface).

{primary:node0}[edit]
test@SRX1# set security policies from-zone MONITORING_TOOLS to-zone DOMAIN_CONTROLLERS policy NTP match source-address SECURITY-TOOLS
set security policies from-zone MONITORING_TOOLS to-zone DOMAIN_CONTROLLERS policy NTP match destination-address Domain_Controllers_Group
set security policies from-zone MONITORING_TOOLS to-zone DOMAIN_CONTROLLERS policy NTP match application NTP
set security policies from-zone MONITORING_TOOLS to-zone DOMAIN_CONTROLLERS policy NTP then permit
• Topic: Setting Up a Security Policy
• A security policy is a rule that allows a device or devices in one security zone to communicate with a device or group of devices in a different security zone.
• These commands specify the source addresses in the source zone, the destination addresses in the destination zone, the application (ports/protocols) that is allowed, and the action statement for the rule.
• Additional actions can be added to the rule, such as logging, IDP, anti-virus scanning, etc.

{primary:node0}[edit]
test@SRX1# set interfaces lo0 unit 0 family inet filter input loopback_ACL
• Command: “set interfaces lo0 unit 0 family inet filter input xxx”
• The control plane of Juniper devices is where all internal and management traffic is processed.
• It is important to protect the control plane, and the best way to do this is to create an ACL that allows only expected traffic (ICMP, SNMP, BGP, SSH, Syslog, etc.) from expected sources.
• The above command is used to attach an ACL to the control plane. Ensure you do the same for “inet6” if you are using IPv6.

{primary:node0}[edit]
test@SRX1# run monitor interface reth0.100
Interface: reth0.100, Enabled, Link is Up
Flags: SNMP-Traps 0x4000
Encapsulation: ENET2
VLAN-Tag [ 0x8100.100 ]
Local statistics: Current delta
Input bytes: 31178797 [0]
Output bytes: 18295428 [0]
Input packets: 491788 [0]
Output packets: 339515 [0]
Remote statistics:
Input bytes: 0 (10368 bps) [0]
Output bytes: 0 (9824 bps) [0]
Input packets: 0 (7 pps) [0]
Output packets: 0 (6 pps) [0]
Traffic statistics:
Input bytes: 2508402323652 [4199]
Output bytes: 196562958159 [3776]
Input packets: 2126407181 [37]
Output packets: 1268398436 [27]
Protocol: inet, MTU: 1500, Flags: None
• Command: “monitor interface xxxxx”
• This command allows you to see live statistics on an interface.
• This is useful when troubleshooting and verifying traffic flow during various types of service turn-ups.

test@SRX1# show security flow session destination-prefix 10.10.10.11 source-prefix 10.5.102.14
node0:
--------------------------------------------------------------------------
Flow Sessions on FPC0 PIC1:
Total sessions: 0
Flow Sessions on FPC0 PIC2:
Session ID: 20079227, Policy name: Monitoring/25, State: Active, Timeout: 884, Valid
In: 10.10.11.14/53728 --> 10.10.10.11/161;udp, Conn Tag: 0x0, If: reth0.102, Pkts: 50, Bytes: 4316, CP Session ID: 22697955
Out: 10.10.10.11/161 --> 10.10.11.14/53728;udp, Conn Tag: 0x0, If: reth0.100, Pkts: 50, Bytes: 6029, CP Session ID: 22697955
Total sessions: 1
• Command: “show security flow session”
• This command allows you to look at the real-time traffic sessions going through your device.
• This is helpful for troubleshooting, when you want to see whether the traffic is traversing your firewall.
• There are multiple filters that can be used to narrow the search for traffic; in this case we used the destination and source prefixes to look for a specific flow.

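As an added example (not from the slide deck), this Python script parses “show security flow session” output into structured records and then answers the troubleshooting question the slide describes: is a given flow present, did it match the expected policy, did it enter on the expected interface, and is return traffic actually flowing. The first session in the sample is the slide's own, re-joined onto single lines; the NTP session, taken from the security-policy slide, is constructed.

```python
"""Parse 'show security flow session' output and verify that a flow is being
handled the way the firewall policy intends. Added example, not from the slide
deck; the Monitoring session is the slide's, the NTP session is constructed."""
import re

SAMPLE_OUTPUT = """\
node0:
--------------------------------------------------------------------------
Flow Sessions on FPC0 PIC1:
Total sessions: 0

Flow Sessions on FPC0 PIC2:
Session ID: 20079227, Policy name: Monitoring/25, State: Active, Timeout: 884, Valid
  In: 10.10.11.14/53728 --> 10.10.10.11/161;udp, Conn Tag: 0x0, If: reth0.102, Pkts: 50, Bytes: 4316, CP Session ID: 22697955
  Out: 10.10.10.11/161 --> 10.10.11.14/53728;udp, Conn Tag: 0x0, If: reth0.100, Pkts: 50, Bytes: 6029, CP Session ID: 22697955
Session ID: 20079301, Policy name: NTP/12, State: Active, Timeout: 58, Valid
  In: 10.10.11.20/123 --> 10.10.10.12/123;udp, Conn Tag: 0x0, If: reth0.102, Pkts: 3, Bytes: 228, CP Session ID: 22698002
  Out: 10.10.10.12/123 --> 10.10.11.20/123;udp, Conn Tag: 0x0, If: reth0.100, Pkts: 3, Bytes: 228, CP Session ID: 22698002
Total sessions: 2
"""

# One header line per session, followed by an In wing and an Out wing.
SESSION_RE = re.compile(
    r"Session ID: (?P<sid>\d+), Policy name: (?P<policy>[^,]+), State: (?P<state>\w+), Timeout: (?P<timeout>\d+)")
WING_RE = re.compile(
    r"(?P<dir>In|Out): (?P<src>[\d.]+)/(?P<sport>\d+) --> (?P<dst>[\d.]+)/(?P<dport>\d+);(?P<proto>\w+),"
    r" Conn Tag: \S+, If: (?P<ifname>[^,]+), Pkts: (?P<pkts>\d+), Bytes: (?P<bytes>\d+)")


def parse_sessions(text):
    """Return a list of session dicts; each carries a 'wings' dict keyed 'In' / 'Out'."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            s = m.groupdict()
            s["timeout"] = int(s["timeout"])
            # 'Monitoring/25' is the policy name plus its internal policy id
            s["policy_name"], _, s["policy_id"] = s["policy"].partition("/")
            s["wings"] = {}
            sessions.append(s)
            continue
        m = WING_RE.search(line)
        if m and sessions:  # a wing line always belongs to the most recent header
            w = m.groupdict()
            for k in ("sport", "dport", "pkts", "bytes"):
                w[k] = int(w[k])
            sessions[-1]["wings"][w.pop("dir")] = w
    return sessions


def find_flow(sessions, src, dst, dport, proto):
    """Sessions whose In wing is src -> dst:dport over proto (any source port)."""
    hits = []
    for s in sessions:
        w = s["wings"].get("In")
        if w and (w["src"], w["dst"], w["dport"], w["proto"]) == (src, dst, dport, proto):
            hits.append(s)
    return hits


def check_flow(sessions, src, dst, dport, proto, expect_policy, expect_in_if):
    """Return a list of problems (empty when the flow looks healthy): missing session,
    unexpected policy match, unexpected ingress interface, or no return packets."""
    matches = find_flow(sessions, src, dst, dport, proto)
    if not matches:
        return ["no session found: traffic is not reaching the firewall or is dropped before session setup"]
    problems = []
    for s in matches:
        if s["policy_name"] != expect_policy:
            problems.append(f"session {s['sid']} matched policy {s['policy_name']!r}, expected {expect_policy!r}")
        if s["wings"]["In"]["ifname"] != expect_in_if:
            problems.append(f"session {s['sid']} arrived on {s['wings']['In']['ifname']}, expected {expect_in_if}")
        out = s["wings"].get("Out")
        if out is None or out["pkts"] == 0:
            problems.append(f"session {s['sid']}: no return packets yet (one-way traffic?)")
    return problems
```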
{primary:node0}[edit]
test@SRX1# commit confirmed
• Command: “commit confirmed”
• This command makes the device automatically roll back to your previously committed configuration if the configuration you entered causes some type of issue and you don’t confirm it.
• The default rollback timer is 10 minutes, but you can change it by adding a value to the end of the statement: “commit confirmed 5” means it will roll back in 5 minutes.
• To confirm the configuration so it doesn’t roll back, type “commit” again.

test@SRX1> show security idp status
node0:
--------------------------------------------------------------------------
State of IDP: Default, Up since: 2018-11-14 05:24:37 UTC (57w2d 11:53 ago)
Packets/second: 189 Peak: 242628 @ 2019-11-16 14:28:28 UTC
KBits/second : 687 Peak: 3611901 @ 2019-10-23 23:30:30 UTC
Latency (microseconds): [min: 0] [max: 0] [avg: 0]
Packet Statistics:
[ICMP: 15168351] [TCP: 1486997617] [UDP: 3544899862] [Other: 259]
Flow Statistics:
ICMP: [Current: 10] [Max: 29970 @ 2019-06-25 17:45:12 UTC]
TCP: [Current: 434] [Max: 177962 @ 2019-02-14 23:13:54 UTC]
UDP: [Current: 1514] [Max: 42528 @ 2019-10-03 17:28:28 UTC]
Other: [Current: 4] [Max: 252 @ 2019-03-10 20:32:23 UTC]
Session Statistics:
[ICMP: 5] [TCP: 217] [UDP: 757] [Other: 2]
Number of SSL Sessions : 0
Policy Name : Server-Protection
Running Detector Version : 12.6.140190828
Forwarding process mode : regular
• Command: “show security idp status”
• This command shows the current state of the IDP service on your device (though not where it is applied).
• It displays packets going through the IDP, flows, the name of the IDP policy applied (only one policy can be applied at a time), and the signature set running.

test@SRX1> show security idp counters action
node0:
--------------------------------------------------------------------------
IDP counters:
IDP counter type Value
None 126
Recommended 0
Ignore 0
Diffserv 0
Drop packet 49
Drop 124522
Close 0
Close server 0
Close client 0
IP action rate limit 0
IP action drop 0
IP action close 0
IP action nofity 0
IP action failed 0
• Command: “show security idp counters”
• This command shows the number of packets that have had some type of action applied to them when they hit an IDP signature on your device.
• The actions depend upon the pre-configured rules for the signatures, but they can be modified or ignored with exemption configurations.

test@SRX1> show security idp attack detail ?
Possible completions:
<attack-name> Attack name
APP:2WIRE-DSL-VULN
APP:ABB-NETSCANHOST-OF
APP:ACCELLION-FILE-TRANSFER
APP:ACRONIS-TRU-IMG-ECO-SRV-DOS
APP:ADOBE-CF-DIR-TRAV
APP:ADOBE-COLDFUSION-WEBSOCKET
• Command: “show security idp attack detail ?”
• This command shows an alphabetical listing of all the IDP attack signatures that are available on the device.
• You can search by attack name if you have an idea of what you are looking for. You can also go to the Juniper website and search their IDP signature database.

test@SRX1> show security idp attack detail APP:2WIRE-DSL-VULN
Display Name: MISC: 2Wire DSL Router Vulnerability
Severity: Major
Category: APP
Recommended: false
Recommended Action: Drop
Type: signature
Direction: STC
False Positives: unknown
Shellcode: no
Flow: control
Context: http-text-html
Negate: false
TimeBinding:
Scope: none
Count: 1
Hidden Pattern: False
Pattern:
.*[PAGE=H04_POST][^s]*[PASSWORD=][^s]*[PASSWORD_CONF].*
• Command: “show security idp attack detail XXX”
• This command shows the details of a specific IDP attack signature.
• It includes information such as the severity, the action taken when it is found, the context, and the specific pattern it matches against.

test@SRX1> show security idp attack description APP:2WIRE-DSL-VULN
Description: This signature detects attempts to exploit a known vulnerability in 2Wire DSL routers. An attacker can create a malicious Web site containing dangerous hyperlinks, which if accessed by a victim, allows the attacker to gain control of the victim's DSL router.
• Command: “show security idp attack description XXX”
• This command shows a description of a specific IDP attack signature and what it is used to protect against.

test@SRX1> show interfaces terse
Interface Admin Link Proto Local Remote
gr-0/0/0 up up
ip-0/0/0 up up
lt-0/0/0 up up
xe-2/2/0 up up
xe-2/2/0.0 up up aenet --> fab0.0
xe-2/2/1 up up
xe-2/2/1.100 up up aenet --> reth0.100
xe-2/2/1.101 up up aenet --> reth0.101
xe-2/2/1.102 up up aenet --> reth0.102
xe-2/2/1.103 up up aenet --> reth0.103
• Command: “show interfaces terse”
• This command shows a summary of all interfaces.
• The information includes their admin/link status, descriptions, protocol used, and the IP addresses associated with them.

test@SRX1> show log messages | grep test
Dec 20 17:03:58 SRX1 sshd[55595]: (pam_sm_acct_mgmt): DEBUG: PAM_ACTUAL_USER: test
Dec 20 17:03:58 SRX1 /kernel: FW1-UV sshd[55595]: (pam_sm_acct_mgmt): DEBUG: PAM_ACTUAL_USER: test
Dec 20 17:03:58 SRX1 sshd[55593]: Accepted keyboard-interactive/pam for test from 10.10.80.11 port 59598 ssh2
Dec 20 17:03:58 SRX1 /kernel: FW1-UV sshd[55593]: Accepted keyboard-interactive/pam for test from 10.10.80.11 port 59598 ssh2
Dec 20 17:03:58 SRX1 mgd[55598]: UI_AUTH_EVENT: Authenticated user 'test' at permission level 'j-Admins'
• Command: “show log messages | grep test”
• This command shows all the logs in the default messages log and then, using the grep subcommand, searches specifically for the ones that match the string “test”.

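As an added example (not from the slide deck), this Python script turns the sshd and mgd lines that “show log messages” prints into login events, collapses the duplicate “/kernel: … sshd[pid]” copies visible in the slide's output so nothing is counted twice, and raises the two alerts a defender wants from this log: repeated SSH failures from one source and any interactive root login, which the root-login deny slide is meant to prevent. Three of the sample lines are the slide's own; the remaining lines, the OpenSSH-style “Failed password” format and the 203.0.113.9 source are constructed.

```python
"""Parse Junos 'show log messages' sshd/mgd lines into login events and alert on
brute-force patterns and on root logins over SSH. Added example, not from the
slide deck; three lines below are the slide's, the rest are constructed."""
import re
from collections import Counter

SAMPLE_LOG = """\
Dec 20 17:03:58 SRX1 sshd[55593]: Accepted keyboard-interactive/pam for test from 10.10.80.11 port 59598 ssh2
Dec 20 17:03:58 SRX1 /kernel: FW1-UV sshd[55593]: Accepted keyboard-interactive/pam for test from 10.10.80.11 port 59598 ssh2
Dec 20 17:03:58 SRX1 mgd[55598]: UI_AUTH_EVENT: Authenticated user 'test' at permission level 'j-Admins'
Dec 20 17:05:01 SRX1 sshd[55620]: Failed password for root from 203.0.113.9 port 40110 ssh2
Dec 20 17:05:01 SRX1 /kernel: FW1-UV sshd[55620]: Failed password for root from 203.0.113.9 port 40110 ssh2
Dec 20 17:05:03 SRX1 sshd[55621]: Failed password for invalid user admin from 203.0.113.9 port 40112 ssh2
Dec 20 17:05:05 SRX1 sshd[55622]: Failed password for root from 203.0.113.9 port 40114 ssh2
Dec 20 17:05:09 SRX1 sshd[55623]: Accepted keyboard-interactive/pam for root from 203.0.113.9 port 40118 ssh2
Dec 20 17:05:09 SRX1 mgd[55630]: UI_AUTH_EVENT: Authenticated user 'root' at permission level 'super-user'
"""

# OpenSSH-style result line, as on the slide; the 'Failed ... invalid user' variant is constructed.
SSHD_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")
# Junos management daemon event that records the login class the user landed in.
MGD_RE = re.compile(
    r"mgd\[\d+\]: UI_AUTH_EVENT: Authenticated user '(?P<user>[^']+)' at permission level '(?P<cls>[^']+)'")


def parse_auth_events(text):
    """Return a list of event dicts. sshd messages that the kernel re-logs with a
    '/kernel: ... sshd[pid]' prefix (visible on the slide) are counted once, and each
    UI_AUTH_EVENT is attached as 'class' to the latest accepted login for that user."""
    events, seen = [], set()
    for line in text.splitlines():
        m = SSHD_RE.search(line)
        if m:
            key = (m["pid"], m["result"], m["user"], m["src"], m["port"])
            if key in seen:
                continue
            seen.add(key)
            events.append({"type": "sshd", "pid": m["pid"], "result": m["result"],
                           "method": m["method"], "user": m["user"], "src": m["src"]})
            continue
        m = MGD_RE.search(line)
        if m:
            events.append({"type": "mgd", "user": m["user"], "class": m["cls"]})
            for e in reversed(events):
                if e["type"] == "sshd" and e["result"] == "Accepted" and e["user"] == m["user"] and "class" not in e:
                    e["class"] = m["cls"]
                    break
    return events


def alerts(events, fail_threshold=3):
    """Brute-force indicator, plus a check that the root-login deny hardening is in effect."""
    failures = Counter(e["src"] for e in events if e["type"] == "sshd" and e["result"] == "Failed")
    out = [f"{n} failed SSH logins from {src}" for src, n in failures.items() if n >= fail_threshold]
    for e in events:
        if e["type"] == "sshd" and e["result"] == "Accepted" and e["user"] == "root":
            out.append(f"root logged in over SSH from {e['src']} as class {e.get('class', '?')}: "
                       "'set system services ssh root-login deny' is not in effect")
    return out


if __name__ == "__main__":
    evs = parse_auth_events(SAMPLE_LOG)
    for e in evs:
        if e["type"] == "sshd":
            print(f"{e['result']:8} {e['user']:6} from {e['src']:14} class={e.get('class', '-')}")
    for a in alerts(evs):
        print("ALERT:", a)
```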
test@SRX1> show configuration | display set
• Command: “show configuration | display set”
• The “show configuration” command displays the active configuration running on the device. Its format is a hierarchical bracketed format that is not easily copied back into a device for configuration changes.
• The “| display set” subcommand displays the same configuration in “set” format, which allows the commands to be copied into another device.

Configuring Ip Sec Between A Router And A Pix
 
Ccnas v11 ch02_eb
Ccnas v11 ch02_ebCcnas v11 ch02_eb
Ccnas v11 ch02_eb
 
Oracle 11g R2 RAC setup on rhel 5.0
Oracle 11g R2 RAC setup on rhel 5.0Oracle 11g R2 RAC setup on rhel 5.0
Oracle 11g R2 RAC setup on rhel 5.0
 
EMEA Airheads- Manage Devices at Branch Office (BOC)
EMEA Airheads- Manage Devices at Branch Office (BOC)EMEA Airheads- Manage Devices at Branch Office (BOC)
EMEA Airheads- Manage Devices at Branch Office (BOC)
 
CCNA_Security_02.ppt
CCNA_Security_02.pptCCNA_Security_02.ppt
CCNA_Security_02.ppt
 
CCNA Security 06- AAA
CCNA Security 06- AAACCNA Security 06- AAA
CCNA Security 06- AAA
 
CCNA Icnd110 s04l04
CCNA Icnd110 s04l04CCNA Icnd110 s04l04
CCNA Icnd110 s04l04
 
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitches
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitchesDEF CON 23 - CASSIDY LEVERETT LEE - switches get stitches
DEF CON 23 - CASSIDY LEVERETT LEE - switches get stitches
 
Owning computers without shell access dark
Owning computers without shell access darkOwning computers without shell access dark
Owning computers without shell access dark
 
Лекц 8
Лекц 8Лекц 8
Лекц 8
 
Ansible: How to Get More Sleep and Require Less Coffee
Ansible: How to Get More Sleep and Require Less CoffeeAnsible: How to Get More Sleep and Require Less Coffee
Ansible: How to Get More Sleep and Require Less Coffee
 
04 module operating & configuring ios
04  module operating & configuring ios04  module operating & configuring ios
04 module operating & configuring ios
 
10 Tips for AIX Security
10 Tips for AIX Security10 Tips for AIX Security
10 Tips for AIX Security
 

Recently uploaded

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 

Recently uploaded (20)

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 

Helpful Juniper Tips and Tricks for New Network Engineers

• 1. {primary:node0}[edit]
test@SRX1# set system services ssh root-login deny
• Command: “set system services ssh root-login deny”
• On Juniper devices there is a default admin account called root. You cannot rename the account and it has the permissions to do anything on the device
• The “set system services ssh root-login deny” command allows you to block the root account from being able to log on across the network via SSH.
• This is a good practice to only allow the root account to be used in emergency situations while having local console access
@JBC_SEC & @JBIZZLE703 Cyber&Sight™ Network Knowledge Juniper Edition JBCSEC.COM
• 2. {primary:node0}[edit]
test@SRX1# set system authentication-order radius
• Command: “set system authentication-order radius”
• This command allows you to only authenticate with accounts that are set up within your RADIUS server
• If you attempt to log in with a local account, your authentication attempt will fail. However, if the device is not able to successfully connect to the RADIUS server you can log in with a local account
• If you would like to allow both RADIUS and local accounts, you can add the keyword “local” to the command after “radius”
• 3. {primary:node0}[edit]
test@SRX1# set system login class RO permissions view-configuration
set system login class RO allow-commands show
set system login class RO deny-commands "(clear)|(file)|(fileshow)|(help)|(load)|(monitor)|(op)|(request)|(save)|(set)|(start)|(test)"
set system login class RO deny-configuration all
• Topic: Creating a Read-Only Account
• This group of commands gives an example of how to create a class called “RO” which restricts which commands and actions are allowed. Accounts can then be associated with this class either locally or via an AAA server
• This is useful for having different roles for network support staff. In this case an individual can log in and run show commands, but is limited from being able to run other types of configuration commands
• 4. {primary:node0}[edit]
test@SRX1# set system login password minimum-length 15
set system login password change-type character-sets
set system login password minimum-numerics 1
set system login password minimum-upper-cases 1
set system login password minimum-lower-cases 1
set system login password minimum-punctuations 1
set system login password format sha1
• Topic: Setting Strong Password Requirements
• This group of commands allows an administrator to implement a strong password policy on the device
• This grouping of commands includes both complexity and length requirements
• This is only applicable to accounts stored locally on the device. If you are using a remote AAA server, a password policy must be applied on the server where those accounts reside
• 5. {primary:node0}[edit]
test@SRX1# set groups global-idp security policies from-zone <*> to-zone <*> policy <*> then permit application-services idp
set security policies apply-groups global-idp
set security idp active-policy Recommended
• Topic: Setting a Global IDP Policy
• This group of commands allows an administrator to implement an IDP policy across all security zones in the device
• The IDP policy that is enabled in this case is the “Recommended” policy, which is a small grouping of IDP policies. Juniper has a collection of various IDP policies that can be implemented, or you can create your own policy based off whichever signatures you want
• If you don’t want a global policy, you can just attach the IDP policy on a per security policy basis
• There can be only one active policy enabled on the device at one time
• 6. {primary:node0}[edit]
test@SRX1# set system services ssh root-login deny
• Command: “set system services ssh root-login deny”
• This command makes sure that you cannot log into the device remotely with the root account
• This is important from a security perspective, so you can minimize the chance of a brute force attack against the device
• 7. {primary:node0}[edit]
test@SRX1# set system services ssh ciphers aes128-ctr
set system services ssh ciphers aes192-ctr
set system services ssh ciphers aes256-ctr
set system services ssh ciphers aes256-cbc
set system services ssh ciphers aes192-cbc
set system services ssh ciphers aes128-cbc
set system services ssh macs hmac-sha1
set system services ssh macs hmac-sha2-512
set system services ssh macs hmac-sha2-256
set system services ssh macs hmac-sha1-96
set system services ssh key-exchange dh-group14-sha1
set system services ssh key-exchange group-exchange-sha2
set system services ssh key-exchange ecdh-sha2-nistp256
set system services ssh key-exchange ecdh-sha2-nistp384
set system services ssh key-exchange ecdh-sha2-nistp521
• Topic: Setting Secure Crypto Ciphers
• This group of commands is used to implement what are currently considered acceptable standards for cryptography on the device for your SSH sessions
• The device enables multiple weak ciphers by default, so it is important to specifically configure ciphers that are not considered vulnerable
• Certain organizations or governing agencies will have specific requirements that you may need to meet
• 8. {primary:node0}[edit]
test@SRX1# set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
• Topic: Saving Configurations with Rollbacks
• This group of commands is used to set the number of configuration versions that are saved on the device
• This will allow you to roll back to any of the previous five configuration states from the previous times you committed the configuration
• This number can be altered to meet the requirement and comfort level of the administrators
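The hardening items on slides 1 to 8 (root SSH login, authentication order, password policy, SSH ciphers and MACs, rollback history) can be checked mechanically against a `show configuration | display set` dump. The script below is an added example in Python and is not part of the original deck; the sample configuration, the check names and the 15-character threshold are constructed for illustration, with the approved cipher and MAC lists taken from the Secure Crypto Ciphers slide.

```python
# Constructed sample of `show configuration | display set` output from an SRX
# that has applied only some of the recommended settings (not a real device).
SAMPLE_CONFIG = """\
set system services ssh root-login deny
set system services ssh ciphers aes256-ctr
set system services ssh ciphers aes128-cbc
set system services ssh ciphers 3des-cbc
set system services ssh macs hmac-sha2-256
set system services ssh macs hmac-md5
set system authentication-order radius
set system login password minimum-length 8
set system login password format sha1
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system login class RO permissions view-configuration
set system login class RO allow-commands show
set system login class RO deny-configuration all
"""

# Cipher and MAC names listed as acceptable on the "Secure Crypto Ciphers" slide.
ALLOWED_CIPHERS = {"aes128-ctr", "aes192-ctr", "aes256-ctr",
                   "aes128-cbc", "aes192-cbc", "aes256-cbc"}
ALLOWED_MACS = {"hmac-sha1", "hmac-sha1-96", "hmac-sha2-256", "hmac-sha2-512"}
MIN_PASSWORD_LENGTH = 15   # value used on the "Strong Password Requirements" slide


def parse_set_config(text):
    """Split a display-set dump into token lists, one per 'set' statement."""
    statements = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("set "):
            statements.append(line.split()[1:])   # drop the leading 'set'
    return statements


def values_for(statements, *prefix):
    """Return the token that follows every statement starting with prefix."""
    n = len(prefix)
    return [s[n] for s in statements if len(s) > n and tuple(s[:n]) == prefix]


def audit(text):
    """Evaluate the slides' hardening items; returns {check: (passed, detail)}."""
    stmts = parse_set_config(text)
    results = {}

    # Slides 1 and 6: root may not log in over SSH.
    root_login = values_for(stmts, "system", "services", "ssh", "root-login")
    results["ssh_root_login_denied"] = (root_login == ["deny"], root_login)

    # Slide 2: RADIUS must come first in the authentication order.
    order = values_for(stmts, "system", "authentication-order")
    results["radius_first"] = (bool(order) and order[0] == "radius", order)

    # Slide 7: any cipher or MAC outside the approved set is a finding;
    # no configured list at all also fails, because the defaults are weak.
    ciphers = set(values_for(stmts, "system", "services", "ssh", "ciphers"))
    macs = set(values_for(stmts, "system", "services", "ssh", "macs"))
    results["ssh_ciphers_ok"] = (bool(ciphers) and ciphers <= ALLOWED_CIPHERS,
                                 sorted(ciphers - ALLOWED_CIPHERS))
    results["ssh_macs_ok"] = (bool(macs) and macs <= ALLOWED_MACS,
                              sorted(macs - ALLOWED_MACS))

    # Slide 4: local password policy must require at least 15 characters.
    length = values_for(stmts, "system", "login", "password", "minimum-length")
    min_len = int(length[0]) if length else 0
    results["password_min_length"] = (min_len >= MIN_PASSWORD_LENGTH, min_len)

    # Slide 8: rollback history must be configured.
    rollbacks = values_for(stmts, "system", "max-configuration-rollbacks")
    results["rollbacks_configured"] = (bool(rollbacks), rollbacks)
    return results


def failures(text):
    """Names of the checks that did not pass, sorted for stable reporting."""
    return sorted(name for name, (passed, _) in audit(text).items() if not passed)


if __name__ == "__main__":
    for name, (passed, detail) in audit(SAMPLE_CONFIG).items():
        print(f"{'PASS' if passed else 'FAIL'}  {name:<24} {detail}")
```

On the constructed sample the script flags the 3des-cbc cipher, the hmac-md5 MAC and the 8-character minimum length, and passes the root-login, authentication-order and rollback checks.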
• 9. {primary:node0}[edit]
test@SRX1# set chassis cluster reth-count 5
• Command: “set chassis cluster reth-count 5”
• This command sets the number of redundant ethernet interfaces (RETHs) that are configured on the device
• A RETH is a pair of interfaces that act as a single interface between an active/passive firewall cluster
• If you don’t modify this number, the device will not allow you to add additional RETHs
• 10. {primary:node0}[edit]
test@SRX1# set security log mode stream
• Command: “set security log mode stream”
• This command changes the way the device processes its logging. Stream mode is recommended for the larger devices: instead of processing and maintaining the logs on box, it ships them off to a remote location
• The purpose of this mode is that the amount of log processing that happens on carrier grade devices can have a negative impact on the performance of the CPUs
• 11. {primary:node0}[edit]
test@SRX1# set security flow traceoptions file FLOW
set security flow traceoptions file size 5m
set security flow traceoptions file files 5
set security flow traceoptions file world-readable
set security flow traceoptions flag tcp-basic
• Topic: Traceoptions
• This series of commands allows you to capture traffic as it flows through the device. This can be useful in many troubleshooting scenarios
• The first command sets the name of the file, the second the size of the file, the third how many files to create before overwriting the oldest, the fourth the output format, and the fifth which type of traffic to collect
• There are many options for the flag command including: all, general, normal, policy, route, state, etc.
• 12. {primary:node0}[edit]
test@SRX1# set security flow tcp-mss ipsec-vpn mss 1300
• Command: “set security flow tcp-mss ipsec-vpn mss 1300”
• This command ensures that all traffic going through an IPsec VPN on the device will use the configured maximum segment size
• This is often needed to ensure fragmentation across the internet or WAN does not take place. There are instances where, if the VPN packet is too large, it will be dropped, so it is best practice to lower the MSS of your VPN traffic
• 13. {primary:node0}[edit]
test@SRX1# set security screen ids-option DOS-screen icmp ip-sweep threshold 1000
set security screen ids-option DOS-screen icmp fragment
set security screen ids-option DOS-screen icmp large
set security screen ids-option DOS-screen icmp flood threshold 200
set security screen ids-option DOS-screen icmp ping-death
set security screen ids-option DOS-screen ip bad-option
set security screen ids-option DOS-screen ip record-route-option
set security screen ids-option DOS-screen ip timestamp-option
set security screen ids-option DOS-screen ip security-option
set security screen ids-option DOS-screen ip stream-option
set security screen ids-option DOS-screen ip spoofing
set security screen ids-option DOS-screen ip source-route-option
set security screen ids-option DOS-screen ip strict-source-route-option
set security screen ids-option DOS-screen ip unknown-protocol
set security screen ids-option DOS-screen ip block-frag
set security screen ids-option DOS-screen ip tear-drop
• Topic: Denial of Service Protections
• This group of commands shows some of the many options that can be applied to an IDS screen policy
• This policy can then be attached to any interfaces where you deem appropriate
• There are other IPv6 options, as well as flood and sweep threshold protections
• 14. {primary:node0}[edit]
test@SRX1# set security nat source rule-set To-Untrust rule R1 match source-address 0.0.0.0/0
set security nat source rule-set To-Untrust rule R1 match destination-address 0.0.0.0/0
set security nat source rule-set To-Untrust rule R1 then source-nat interface
• Topic: Setting Up Outbound NAT
• This group of commands allows you to set up a NAT on an external interface and will NAT all traffic destined to any IP address
• This particular configuration would NAT all internal traffic to the external IP address of your firewall
• 15. {primary:node0}[edit]
test@SRX1# set security nat static rule-set Static-NAT rule Web-Svr1 match destination-address 5.5.5.5/32
set security nat static rule-set Static-NAT rule Web-Svr1 then static-nat prefix 10.10.10.5/32
set security nat proxy-arp interface reth1.10 address 5.5.5.5/32
• Topic: Setting Up Inbound NAT
• This group of commands allows you to set up a one-to-one NAT to translate from one external address (public IP) to an internal IP address (private)
• It is important to remember to add the “NAT proxy-arp” statement so that the external interface will know to respond to ARP requests for the external NAT IP
• 16. {primary:node0}[edit]
test@SRX1# set security policies global policy default-deny match source-address any
set security policies global policy default-deny match destination-address any
set security policies global policy default-deny match application any
set security policies global policy default-deny then deny
set security policies global policy default-deny then log session-init
• Topic: Setting Up a Global Default Deny Policy
• This group of commands allows you to set a default deny policy at the bottom of all security zone-based firewall rules
• It consists of statements for the source, destination, application, and action. Lastly, there is a command to ensure that every session that matches the rule is logged
• 17. {primary:node0}[edit]
test@SRX1# set security zones security-zone DOMAIN_CONTROLLERS address-book address DC1 10.10.10.11/32
set security zones security-zone DOMAIN_CONTROLLERS address-book address DC2 10.10.10.12/32
set security zones security-zone DOMAIN_CONTROLLERS address-book address-set Domain_Controllers_Group address DC1
set security zones security-zone DOMAIN_CONTROLLERS address-book address-set Domain_Controllers_Group address DC2
set security zones security-zone DOMAIN_CONTROLLERS interfaces reth0.100
• Topic: Setting Up a Security Zone
• A security zone is a group of devices that are associated with an interface/sub-interface. This will normally contain one subnet or multiple
• These commands include creating address object entries, creating an address group containing multiple objects, and associating the security zone with an interface (in this case a sub-interface of a redundant ethernet interface)
• 18. {primary:node0}[edit]
test@SRX1# set security policies from-zone MONITORING_TOOLS to-zone DOMAIN_CONTROLLERS policy NTP match source-address SECURITY-TOOLS
set security policies from-zone MONITORING_TOOLS to-zone DOMAIN_CONTROLLERS policy NTP match destination-address Domain_Controllers_Group
set security policies from-zone MONITORING_TOOLS to-zone DOMAIN_CONTROLLERS policy NTP match application NTP
set security policies from-zone MONITORING_TOOLS to-zone DOMAIN_CONTROLLERS policy NTP then permit
• Topic: Setting Up a Security Policy
• A security policy is a rule that allows a device or devices in one security zone to communicate with another device or group of devices in a different security zone
• These commands include the source addresses in the source zone, the destination addresses in the destination zone, the application (ports/protocols) that is allowed, and the action statement for the rule
• Additional actions can be added to the rule such as logging, IDP, Anti-Virus scanning, etc.
• 19. {primary:node0}[edit]
test@SRX1# set interfaces lo0 unit 0 family inet filter input loopback_ACL
• Command: “set interfaces lo0 unit 0 family inet filter input xxx”
• The control plane of the Juniper devices is where all the internal and management traffic is processed
• It is important to protect the control plane, and the best way to do this is to create an ACL that allows only expected traffic (ICMP, SNMP, BGP, SSH, Syslog, etc.) from expected sources
• The above command is used to attach an ACL to the control plane. Ensure you do one for “inet6” if you are using IPv6
• 20. {primary:node0}[edit]
test@SRX1# run monitor interface reth0.100
Interface: reth0.100, Enabled, Link is Up
Flags: SNMP-Traps 0x4000 Encapsulation: ENET2
VLAN-Tag [ 0x8100.100 ]
Local statistics:                                 Current delta
  Input bytes:                     31178797               [0]
  Output bytes:                    18295428               [0]
  Input packets:                     491788               [0]
  Output packets:                    339515               [0]
Remote statistics:
  Input bytes:                            0 (10368 bps)   [0]
  Output bytes:                           0 (9824 bps)    [0]
  Input packets:                          0 (7 pps)       [0]
  Output packets:                         0 (6 pps)       [0]
Traffic statistics:
  Input bytes:                2508402323652            [4199]
  Output bytes:                196562958159            [3776]
  Input packets:                 2126407181              [37]
  Output packets:                1268398436              [27]
Protocol: inet, MTU: 1500, Flags: None
• Command: “monitor interface xxxxx”
• This command allows you to see live statistics on an interface
• This is useful when troubleshooting and verifying traffic flow during various types of service turnups
• 21. test@SRX1# show security flow session destination-prefix 10.10.10.11 source-prefix 10.5.102.14
node0:
--------------------------------------------------------------------------

Flow Sessions on FPC0 PIC1:
Total sessions: 0

Flow Sessions on FPC0 PIC2:

Session ID: 20079227, Policy name: Monitoring/25, State: Active, Timeout: 884, Valid
  In: 10.10.11.14/53728 --> 10.10.10.11/161;udp, Conn Tag: 0x0, If: reth0.102, Pkts: 50, Bytes: 4316, CP Session ID: 22697955
  Out: 10.10.10.11/161 --> 10.10.11.14/53728;udp, Conn Tag: 0x0, If: reth0.100, Pkts: 50, Bytes: 6029, CP Session ID: 22697955
Total sessions: 1
• Command: “show security flow session”
• The command allows you to look for real time traffic sessions going through your device
• This is helpful for troubleshooting purposes if you want to see if the traffic is traversing your firewall/device
• There are multiple tags that can be used to narrow the search for traffic, in this case we used the destination and source prefix to look for a specific flow
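When this output has to be checked from a script rather than by eye (for example to verify a flow after a policy change), the session blocks and their In/Out wings can be parsed into records and filtered the same way the destination-prefix and source-prefix tags narrow the search. The parser below is an added example in Python, not from the deck or its authors; the sample text is constructed from the slide's session plus a second, made-up TCP session so that filtering has something to exclude.

```python
import ipaddress
import re

# Constructed sample modelled on the slide's `show security flow session`
# output; the second session (LDAP/26) is invented for the example.
SAMPLE_OUTPUT = """\
node0:
--------------------------------------------------------------------------

Flow Sessions on FPC0 PIC1:
Total sessions: 0

Flow Sessions on FPC0 PIC2:

Session ID: 20079227, Policy name: Monitoring/25, State: Active, Timeout: 884, Valid
  In: 10.10.11.14/53728 --> 10.10.10.11/161;udp, Conn Tag: 0x0, If: reth0.102, Pkts: 50, Bytes: 4316, CP Session ID: 22697955
  Out: 10.10.10.11/161 --> 10.10.11.14/53728;udp, Conn Tag: 0x0, If: reth0.100, Pkts: 50, Bytes: 6029, CP Session ID: 22697955

Session ID: 20079301, Policy name: LDAP/26, State: Active, Timeout: 1800, Valid
  In: 10.10.11.20/44321 --> 10.10.10.12/389;tcp, Conn Tag: 0x0, If: reth0.102, Pkts: 12, Bytes: 1480, CP Session ID: 22698001
  Out: 10.10.10.12/389 --> 10.10.11.20/44321;tcp, Conn Tag: 0x0, If: reth0.100, Pkts: 10, Bytes: 2210, CP Session ID: 22698001
Total sessions: 2
"""

# One header line per session, then one line per wing (In = initiating direction).
SESSION_RE = re.compile(
    r"Session ID: (?P<id>\d+), Policy name: (?P<policy>[^,]+), "
    r"State: (?P<state>\w+), Timeout: (?P<timeout>\d+)")
WING_RE = re.compile(
    r"^\s*(?P<direction>In|Out): (?P<src>[\d.]+)/(?P<sport>\d+) --> "
    r"(?P<dst>[\d.]+)/(?P<dport>\d+);(?P<proto>\w+), Conn Tag: \S+, "
    r"If: (?P<ifname>[^,]+), Pkts: (?P<pkts>\d+), Bytes: (?P<bytes>\d+)")


def parse_sessions(output):
    """Turn `show security flow session` text into a list of session dicts."""
    sessions = []
    for line in output.splitlines():
        m = SESSION_RE.search(line)
        if m:
            sessions.append({"id": int(m["id"]), "policy": m["policy"],
                             "state": m["state"], "timeout": int(m["timeout"]),
                             "wings": {}})
            continue
        m = WING_RE.match(line)
        if m and sessions:          # wing lines always follow their header
            sessions[-1]["wings"][m["direction"]] = {
                "src": m["src"], "sport": int(m["sport"]),
                "dst": m["dst"], "dport": int(m["dport"]),
                "proto": m["proto"], "if": m["ifname"],
                "pkts": int(m["pkts"]), "bytes": int(m["bytes"])}
    return sessions


def sessions_matching(output, dst_prefix, src_prefix=None):
    """IDs of sessions whose initiating wing falls inside the given prefixes,
    mirroring the slide's destination-prefix / source-prefix narrowing."""
    dst_net = ipaddress.ip_network(dst_prefix, strict=False)
    src_net = ipaddress.ip_network(src_prefix, strict=False) if src_prefix else None
    hits = []
    for s in parse_sessions(output):
        wing = s["wings"].get("In")
        if wing is None:
            continue
        if ipaddress.ip_address(wing["dst"]) not in dst_net:
            continue
        if src_net and ipaddress.ip_address(wing["src"]) not in src_net:
            continue
        hits.append(s["id"])
    return hits


def bytes_by_policy(output):
    """Total bytes over both wings per policy, useful for spotting a chatty rule."""
    totals = {}
    for s in parse_sessions(output):
        totals[s["policy"]] = totals.get(s["policy"], 0) + sum(
            w["bytes"] for w in s["wings"].values())
    return totals


if __name__ == "__main__":
    print(sessions_matching(SAMPLE_OUTPUT, "10.10.10.11/32"))   # [20079227]
    print(bytes_by_policy(SAMPLE_OUTPUT))
```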
• 22. {primary:node0}[edit]
test@SRX1# commit confirmed
• Command: “commit confirmed”
• This command allows the device to automatically roll back to your previously saved configuration if the configuration you entered causes some type of issue and you don’t confirm the configuration
• The default rollback is 10 minutes, but you can change the time value by adding a value to the end of the statement: “commit confirmed 5” means it will roll back in 5 minutes
• To confirm the configuration so it doesn’t roll back, you need to type “commit” again
• 23. test@SRX1> show security idp status
node0:
--------------------------------------------------------------------------
State of IDP: Default,  Up since: 2018-11-14 05:24:37 UTC (57w2d 11:53 ago)
Packets/second: 189             Peak: 242628 @ 2019-11-16 14:28:28 UTC
KBits/second  : 687             Peak: 3611901 @ 2019-10-23 23:30:30 UTC
Latency (microseconds): [min: 0] [max: 0] [avg: 0]
Packet Statistics:
 [ICMP: 15168351] [TCP: 1486997617] [UDP: 3544899862] [Other: 259]
Flow Statistics:
  ICMP: [Current: 10] [Max: 29970 @ 2019-06-25 17:45:12 UTC]
  TCP: [Current: 434] [Max: 177962 @ 2019-02-14 23:13:54 UTC]
  UDP: [Current: 1514] [Max: 42528 @ 2019-10-03 17:28:28 UTC]
  Other: [Current: 4] [Max: 252 @ 2019-03-10 20:32:23 UTC]
Session Statistics:
 [ICMP: 5] [TCP: 217] [UDP: 757] [Other: 2]
Number of SSL Sessions : 0
Policy Name : Server-Protection
Running Detector Version : 12.6.140190828
Forwarding process mode : regular
• Command: “show security idp status”
• This command shows the current state of the IDP service on your device (not where it is applied though)
• This displays packets going through the IDP, flows, the name of the IDP policy applied (can only apply one policy at one time) and the signature set running
• 24. test@SRX1> show security idp counters action
node0:
--------------------------------------------------------------------------
IDP counters:
IDP counter type                 Value
None                             126
Recommended                      0
Ignore                           0
Diffserv                         0
Drop packet                      49
Drop                             124522
Close                            0
Close server                     0
Close client                     0
IP action rate limit             0
IP action drop                   0
IP action close                  0
IP action nofity                 0
IP action failed                 0
• Command: “show security idp counters”
• This command shows the number of packets that have had some type of action applied to them when they hit an IDP signature on your device
• The actions depend upon the pre-configured rules for the signatures, but they can be modified or ignored with exemption configurations
• 25. test@SRX1> show security idp attack detail ?
Possible completions:
<attack-name>                    Attack name
APP:2WIRE-DSL-VULN
APP:ABB-NETSCANHOST-OF
APP:ACCELLION-FILE-TRANSFER
APP:ACRONIS-TRU-IMG-ECO-SRV-DOS
APP:ADOBE-CF-DIR-TRAV
APP:ADOBE-COLDFUSION-WEBSOCKET
• Command: “show security idp attack detail ?”
• This command shows an alphabetical listing of all the IDP attack signatures that are available on the device
• You can search based on the attack name if you have an idea of what you are looking for. You can also go to the Juniper website and search their IDP signature database
• 26. test@SRX1> show security idp attack detail APP:2WIRE-DSL-VULN
Display Name: MISC: 2Wire DSL Router Vulnerability
Severity: Major
Category: APP
Recommended: false
Recommended Action: Drop
Type: signature
Direction: STC
False Positives: unknown
Shellcode: no
Flow: control
Context: http-text-html
Negate: false
TimeBinding:
Scope: none
Count: 1
Hidden Pattern: False
Pattern: .*[PAGE=H04_POST][^s]*[PASSWORD=][^s]*[PASSWORD_CONF].*
• Command: “show security idp attack detail XXX”
• This command shows the detail of a specific IDP attack signature
• It includes information like the severity, the action taken when the signature is matched, the context, and the specific pattern it matches against
• 27. test@SRX1> show security idp attack description APP:2WIRE-DSL-VULN
Description: This signature detects attempts to exploit a known vulnerability in 2Wire DSL routers. An attacker can create a malicious Web site containing dangerous hyperlinks, which if accessed by a victim, allows the attacker to gain control of the victim's DSL router.
• Command: “show security idp attack description XXX”
• This command shows a description of a specific IDP attack signature and what it is used to protect against
• 28. test@SRX1> show interfaces terse
Interface      Admin Link Proto Local  Remote
gr-0/0/0       up    up
ip-0/0/0       up    up
lt-0/0/0       up    up
xe-2/2/0       up    up
xe-2/2/0.0     up    up   aenet --> fab0.0
xe-2/2/1       up    up
xe-2/2/1.100   up    up   aenet --> reth0.100
xe-2/2/1.101   up    up   aenet --> reth0.101
xe-2/2/1.102   up    up   aenet --> reth0.102
xe-2/2/1.103   up    up   aenet --> reth0.103
• Command: “show interfaces terse”
• This command shows a summary of all interfaces
• Information includes their admin/link status, descriptions, the protocol used, and the IP addresses associated with them
• 29. test@SRX1> show log messages | grep test
Dec 20 17:03:58 SRX1 sshd[55595]: (pam_sm_acct_mgmt): DEBUG: PAM_ACTUAL_USER: test
Dec 20 17:03:58 SRX1 /kernel: FW1-UV sshd[55595]: (pam_sm_acct_mgmt): DEBUG: PAM_ACTUAL_USER: test
Dec 20 17:03:58 SRX1 sshd[55593]: Accepted keyboard-interactive/pam for test from 10.10.80.11 port 59598 ssh2
Dec 20 17:03:58 SRX1 /kernel: FW1-UV sshd[55593]: Accepted keyboard-interactive/pam for test from 10.10.80.11 port 59598 ssh2
Dec 20 17:03:58 SRX1 mgd[55598]: UI_AUTH_EVENT: Authenticated user 'test' at permission level 'j-Admins'
• Command: “show log messages | grep test”
• This command shows all the logs that are in the default messages log and then specifically searches for the ones that match the string “test” by using the grep subcommand
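An added example (not part of the deck) that turns the grep output above into login events a defender can act on: it extracts who logged in from where and at which permission level, collapses the duplicate lines Junos echoes via /kernel, and flags SSH logins from outside an allowed management network. The sample lines are the slide's; the function names and the allowed-network values are my own.

```python
import re
import ipaddress

# Constructed sample: the lines shown on the slide for "show log messages | grep test".
SAMPLE_LOG = """\
Dec 20 17:03:58 SRX1 sshd[55595]: (pam_sm_acct_mgmt): DEBUG: PAM_ACTUAL_USER: test
Dec 20 17:03:58 SRX1 /kernel: FW1-UV sshd[55595]: (pam_sm_acct_mgmt): DEBUG: PAM_ACTUAL_USER: test
Dec 20 17:03:58 SRX1 sshd[55593]: Accepted keyboard-interactive/pam for test from 10.10.80.11 port 59598 ssh2
Dec 20 17:03:58 SRX1 /kernel: FW1-UV sshd[55593]: Accepted keyboard-interactive/pam for test from 10.10.80.11 port 59598 ssh2
Dec 20 17:03:58 SRX1 mgd[55598]: UI_AUTH_EVENT: Authenticated user 'test' at permission level 'j-Admins'
"""

TS = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
# Some sshd lines are repeated with a "/kernel: <name> " prefix; the optional group absorbs it.
ACCEPT_RE = re.compile(TS + r"(?:/kernel: \S+ )?sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\S+) "
                       r"for (?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)")
AUTH_RE = re.compile(TS + r"mgd\[(?P<pid>\d+)\]: UI_AUTH_EVENT: Authenticated user "
                     r"'(?P<user>[^']+)' at permission level '(?P<level>[^']+)'")

def parse_login_events(text):
    """Return de-duplicated events: SSH acceptances and mgd permission-level assignments."""
    events, seen = [], set()
    for line in text.splitlines():
        for kind, rx in (("ssh-accepted", ACCEPT_RE), ("ui-auth", AUTH_RE)):
            m = rx.match(line)
            if m:
                break
        else:
            continue  # PAM debug chatter and anything else we do not model
        ev = {"kind": kind, **m.groupdict()}
        key = (kind, ev["pid"], ev["user"])  # the /kernel echo shares pid and user
        if key not in seen:
            seen.add(key)
            events.append(ev)
    return events

def logins_outside(events, allowed_nets):
    """SSH logins whose source address is not inside any allowed management network."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    return [e for e in events if e["kind"] == "ssh-accepted"
            and not any(ipaddress.ip_address(e["ip"]) in n for n in nets)]
```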
• 30. test@SRX1> show configuration | display set
• Command: “show configuration | display set”
• The “show configuration” command will display the active configuration that is running on the device. The format of this configuration is a hierarchical bracketed format that is not easily copied back into a device for configuration changes
• The “ | display set” subcommand displays the same configuration but outputs it in “set” format, which allows the commands to be copied into other devices
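An added example (not from the deck) showing what the “ | display set” translation does: it walks the bracketed hierarchy and emits one “set” line per leaf statement, expanding “[ a b ]” lists into one line per element the way the device does. The hierarchical sample is constructed from statements used earlier in this deck; the function name is my own, and only the common cases (comments, nested blocks, lists, quoted values) are handled.

```python
import re

# Constructed sample in the hierarchical format that "show configuration" prints.
HIERARCHICAL = """\
## Last commit: 2019-12-20 17:05:00 UTC by test
system {
    services {
        ssh {
            root-login deny;
        }
    }
    authentication-order radius;
    login {
        class RO {
            permissions [ view view-configuration ];
            allow-commands show;
            deny-commands "(clear)|(file)|(load)";
            deny-configuration all;
        }
    }
}
"""

LIST_RE = re.compile(r"^(?P<name>.+?) \[ (?P<items>.*?) \]$")

def to_set_format(text):
    """Translate hierarchical Junos config into one 'set ...' line per leaf statement."""
    stack = []   # open hierarchy levels, e.g. ["system", "login", "class RO"]
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "/*")):
            continue  # comments and blank lines carry no configuration
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            stmt = line[:-1].strip()
            prefix = " ".join(["set", *stack])
            m = LIST_RE.match(stmt)
            if m:  # "name [ a b ]" becomes one set line per element
                for item in m.group("items").split():
                    out.append(f"{prefix} {m.group('name')} {item}")
            else:
                out.append(f"{prefix} {stmt}")
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    if stack:
        raise ValueError("unbalanced braces in configuration")
    return out
```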