These Juniper commands will help new engineers learn how to configure and troubleshoot a network much quicker and more efficiently.
Connect with J.B.C. for more IT resources and industry insights:
YouTube ▶️youtube.com/channel/UCmJJUewPWfnyzvZRrFHlykA
J.B.C.'s Site ▶️https://www.jbcsec.com/insights
Newsletter ▶️ https://mailchi.mp/e7b56addb7fc/cybersightblog
Swag Store ▶️ https://www.teepublic.com/user/jbc
Twitter ▶️ http://www.twitter.com/JBC_SEC
Author ▶️ https://twitter.com/JBizzle703
Helpful Juniper Tips and Tricks for New Network Engineers
1. {primary:node0}[edit]
test@SRX1# set system services ssh root-login deny
• Command: “set system services ssh root-login deny”
• On Juniper devices there is a default admin account called root. You cannot rename the account, and it has the permissions to do anything on the device
• The “set system services ssh root-login deny” command allows you to block the root account from logging on across the network via SSH
• It is good practice to allow the root account to be used only in emergency situations, with local console access
@JBC_SEC & @JBIZZLE703
Cyber&Sight™ Network Knowledge
Juniper
Edition
JBCSEC.COM
2. {primary:node0}[edit]
test@SRX1# set system authentication-order radius
• Command: “set system authentication-order radius”
• This command allows you to authenticate only with accounts that are set up within your RADIUS server
• If you attempt to log in with a local account, your authentication attempt will fail. However, if the device is not able to successfully connect to the RADIUS server, you can log in with a local account
• If you would like to allow both RADIUS and local accounts, you can add the keyword “local” to the command after “radius”
3. {primary:node0}[edit]
test@SRX1# set system login class RO permissions view-configuration
set system login class RO allow-commands show
set system login class RO deny-commands "(clear)|(file)|(fileshow)|(help)|(load)|(monitor)|(op)|(request)|(save)|(set)|(start)|(test)"
set system login class RO deny-configuration all
• Topic: Creating a Read-Only Account
• This group of commands gives an example of how to create a class called “RO” which restricts which commands and actions are allowed. Accounts can then be associated with this class either locally or via an AAA server
• This is useful for having different roles for network support staff. In this case an individual can log in and run show commands, but is prevented from running other types of configuration commands
4. {primary:node0}[edit]
test@SRX1# set system login password minimum-length 15
set system login password change-type character-sets
set system login password minimum-numerics 1
set system login password minimum-upper-cases 1
set system login password minimum-lower-cases 1
set system login password minimum-punctuations 1
set system login password format sha1
• Topic: Setting Strong Password Requirements
• This group of commands allows an administrator to implement a strong password policy on the device
• This grouping of commands includes both complexity and length requirements
• This is only applicable to accounts stored locally on the device. If you are using a remote AAA server, a password policy must be applied on the server where those accounts reside
5. {primary:node0}[edit]
test@SRX1# set groups global-idp security policies from-zone <*> to-zone <*> policy <*> then permit application-services idp
set security policies apply-groups global-idp
set security idp active-policy Recommended
• Topic: Setting a Global IDP Policy
• This group of commands allows an administrator to implement an IDP policy across all security zones on the device
• The IDP policy enabled in this case is the “Recommended” policy, which is a small grouping of IDP rules. Juniper has a collection of various IDP policies that can be implemented, or you can create your own policy based on whichever signatures you want
• If you don’t want a global policy, you can attach the IDP policy on a per-security-policy basis
• There can be only one active policy enabled on the device at one time
6. {primary:node0}[edit]
test@SRX1# set system services ssh root-login deny
• Command: “set system services ssh root-login deny”
• This command makes sure that you cannot log into the device remotely with the root account
• This is important from a security perspective, as it minimizes the chance of a brute-force attack against the device
7. {primary:node0}[edit]
test@SRX1# set system services ssh ciphers aes128-ctr
set system services ssh ciphers aes192-ctr
set system services ssh ciphers aes256-ctr
set system services ssh ciphers aes256-cbc
set system services ssh ciphers aes192-cbc
set system services ssh ciphers aes128-cbc
set system services ssh macs hmac-sha1
set system services ssh macs hmac-sha2-512
set system services ssh macs hmac-sha2-256
set system services ssh macs hmac-sha1-96
set system services ssh key-exchange dh-group14-sha1
set system services ssh key-exchange group-exchange-sha2
set system services ssh key-exchange ecdh-sha2-nistp256
set system services ssh key-exchange ecdh-sha2-nistp384
set system services ssh key-exchange ecdh-sha2-nistp521
• Topic: Setting Secure Crypto Ciphers
• This group of commands is used to implement what are currently considered acceptable standards for cryptography on the device for your SSH sessions
• The device enables multiple weak ciphers by default, so it is important to specifically configure ciphers that are not considered vulnerable
• Certain organizations or governing agencies will have specific requirements that you may need to meet
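As an added example (not from the original deck), a small Python audit that reads “show configuration | display set” output such as the commands above and reports SSH algorithms outside an allowlist, plus the “delete” statements to remove them. The allowlist is an assumption for the example and is stricter than the slide’s list: it leaves out the CBC ciphers and the SHA-1 MAC and key-exchange entries, which most current hardening benchmarks flag; replace it with whatever standard your organization must meet.

```python
import re

# Constructed sample of "show configuration | display set" output for the
# [system services ssh] hierarchy (not captured from a real device).
SAMPLE_DISPLAY_SET = """\
set system services ssh root-login deny
set system services ssh ciphers aes128-ctr
set system services ssh ciphers aes256-ctr
set system services ssh ciphers aes128-cbc
set system services ssh macs hmac-sha2-256
set system services ssh macs hmac-sha1-96
set system services ssh key-exchange ecdh-sha2-nistp256
set system services ssh key-exchange dh-group14-sha1
"""

# Assumed allowlist for this example; an organisation's own baseline replaces it.
ALLOWED = {
    "ciphers": {"aes128-ctr", "aes192-ctr", "aes256-ctr"},
    "macs": {"hmac-sha2-256", "hmac-sha2-512"},
    "key-exchange": {"ecdh-sha2-nistp256", "ecdh-sha2-nistp384",
                     "ecdh-sha2-nistp521", "group-exchange-sha2"},
}

LINE_RE = re.compile(r"^set system services ssh (ciphers|macs|key-exchange) (\S+)$")


def parse_ssh_algorithms(display_set: str) -> dict:
    """Collect the configured SSH algorithms per knob from display-set output."""
    found = {knob: set() for knob in ALLOWED}
    for line in display_set.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found[m.group(1)].add(m.group(2))
    return found


def audit_ssh_algorithms(display_set: str) -> dict:
    """Return, per knob, the configured algorithms outside the allowlist.
    A knob with no explicit 'set' lines is reported as 'unset', because Junos
    then falls back to its built-in defaults, which the slide warns include
    weak algorithms."""
    found = parse_ssh_algorithms(display_set)
    report = {}
    for knob, allowed in ALLOWED.items():
        report[knob] = found[knob] - allowed if found[knob] else {"unset"}
    return report


def remediation_commands(display_set: str) -> list:
    """Emit a 'delete' statement for each disallowed algorithm that is configured."""
    cmds = []
    for knob, bad in sorted(audit_ssh_algorithms(display_set).items()):
        for alg in sorted(bad - {"unset"}):
            cmds.append(f"delete system services ssh {knob} {alg}")
    return cmds


if __name__ == "__main__":
    for knob, bad in audit_ssh_algorithms(SAMPLE_DISPLAY_SET).items():
        print(f"{knob}: {'ok' if not bad else ', '.join(sorted(bad))}")
    print("\n".join(remediation_commands(SAMPLE_DISPLAY_SET)))
```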
8. {primary:node0}[edit]
test@SRX1# set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
• Topic: Saving Configurations with Rollbacks
• This group of commands is used to set the number of configuration versions that are saved on the device
• This allows you to roll back to any of the previous five configuration states from the previous times you committed the configuration
• This number can be altered to meet the requirements and comfort level of the administrators
9. {primary:node0}[edit]
test@SRX1# set chassis cluster reth-count 5
• Command: “set chassis cluster reth-count 5”
• This command sets the number of redundant Ethernet interfaces (RETHs) that can be configured on the device
• A RETH is a pair of interfaces that act as a single interface across an active/passive firewall cluster
• If you don’t modify this number, the device will not allow you to add additional RETHs
10. {primary:node0}[edit]
test@SRX1# set security log mode stream
• Command: “set security log mode stream”
• This command changes the way the device processes its logging. Stream mode is recommended for the larger devices: instead of processing and maintaining the logs on-box, the device ships them off to a remote location
• The purpose of this mode is that the amount of log processing on carrier-grade devices can have a negative impact on CPU performance
11. {primary:node0}[edit]
test@SRX1# set security flow traceoptions file FLOW
set security flow traceoptions file size 5m
set security flow traceoptions file files 5
set security flow traceoptions file world-readable
set security flow traceoptions flag tcp-basic
• Topic: Traceoptions
• This series of commands allows you to capture traffic as it flows through the device. This can be useful in many troubleshooting scenarios
• The first command sets the name of the file, the second the size of the file, the third how many files to create before overwriting the oldest, the fourth the output format, and the fifth which type of traffic to collect
• There are many options for the flag command, including: all, general, normal, policy, route, state, etc.
12. {primary:node0}[edit]
test@SRX1# set security flow tcp-mss ipsec-vpn mss 1300
• Command: “set security flow tcp-mss ipsec-vpn mss 1300”
• This command ensures that all traffic going through an IPsec VPN on the device will use a maximum segment size of 1300 bytes
• This is often needed to ensure fragmentation across the internet or WAN does not take place. There are instances where, if the VPN packet is too large, it will be dropped, so it is best practice to lower the MSS of your VPN traffic
13. {primary:node0}[edit]
test@SRX1# set security screen ids-option DOS-screen icmp ip-sweep threshold 1000
set security screen ids-option DOS-screen icmp fragment
set security screen ids-option DOS-screen icmp large
set security screen ids-option DOS-screen icmp flood threshold 200
set security screen ids-option DOS-screen icmp ping-death
set security screen ids-option DOS-screen ip bad-option
set security screen ids-option DOS-screen ip record-route-option
set security screen ids-option DOS-screen ip timestamp-option
set security screen ids-option DOS-screen ip security-option
set security screen ids-option DOS-screen ip stream-option
set security screen ids-option DOS-screen ip spoofing
set security screen ids-option DOS-screen ip source-route-option
set security screen ids-option DOS-screen ip strict-source-route-option
set security screen ids-option DOS-screen ip unknown-protocol
set security screen ids-option DOS-screen ip block-frag
set security screen ids-option DOS-screen ip tear-drop
• Topic: Denial of Service Protections
• This group of commands is some of the many that can be applied to an IDS policy
• This policy can then be attached to any interfaces where you deem appropriate
• There are other IPv6 options, as well as flood and sweep threshold protections
14. {primary:node0}[edit]
test@SRX1# set security nat source rule-set To-Untrust rule R1 match source-address 0.0.0.0/0
set security nat source rule-set To-Untrust rule R1 match destination-address 0.0.0.0/0
set security nat source rule-set To-Untrust rule R1 then source-nat interface
• Topic: Setting Up Outbound NAT
• This group of commands allows you to set up NAT on an external interface and will NAT all traffic destined to any IP address
• This particular configuration would NAT all internal traffic to the external IP address of your firewall
15. {primary:node0}[edit]
test@SRX1# set security nat static rule-set Static-NAT rule Web-Svr1 match destination-address 5.5.5.5/32
set security nat static rule-set Static-NAT rule Web-Svr1 then static-nat prefix 10.10.10.5/32
set security nat proxy-arp interface reth1.10 address 5.5.5.5/32
• Topic: Setting Up Inbound NAT
• This group of commands allows you to set up a one-to-one NAT to translate from one external address (public IP) to an internal IP address (private)
• It is important to remember to add the “NAT proxy-arp” statement so that the external interface will know to respond to ARP requests for the external NAT IP
16. {primary:node0}[edit]
test@SRX1# set security policies global policy default-deny match source-address any
set security policies global policy default-deny match destination-address any
set security policies global policy default-deny match application any
set security policies global policy default-deny then deny
set security policies global policy default-deny then log session-init
• Topic: Setting Up a Global Default Deny Policy
• This group of commands allows you to set a default deny policy at the bottom of all security zone-based firewall rules
• It consists of statements for the source, destination, application, and action. Lastly, there is a command to ensure that every session that matches the rule is logged
17. {primary:node0}[edit]
test@SRX1# set security zones security-zone DOMAIN_CONTROLLERS address-book address DC1 10.10.10.11/32
set security zones security-zone DOMAIN_CONTROLLERS address-book address DC2 10.10.10.12/32
set security zones security-zone DOMAIN_CONTROLLERS address-book address-set Domain_Controllers_Group address DC1
set security zones security-zone DOMAIN_CONTROLLERS address-book address-set Domain_Controllers_Group address DC2
set security zones security-zone DOMAIN_CONTROLLERS interfaces reth0.100
• Topic: Setting Up a Security Zone
• A security zone is a group of devices that are associated with an interface/sub-interface. This will normally contain one or more subnets
• These commands include creating address object entries, creating an address group containing multiple objects, and associating the security zone with an interface (in this case a sub-interface of a redundant Ethernet interface)
18. {primary:node0}[edit]
test@SRX1# set security policies from-zone MONITORING_TOOLS to-zone DOMAIN_CONTROLLERS policy NTP match source-address SECURITY-TOOLS
set security policies from-zone MONITORING_TOOLS to-zone DOMAIN_CONTROLLERS policy NTP match destination-address Domain_Controllers_Group
set security policies from-zone MONITORING_TOOLS to-zone DOMAIN_CONTROLLERS policy NTP match application NTP
set security policies from-zone MONITORING_TOOLS to-zone DOMAIN_CONTROLLERS policy NTP then permit
• Topic: Setting Up a Security Policy
• A security policy is a rule that allows a device or devices in one security zone to communicate with another device or group of devices in a different security zone
• These commands include the source addresses in the source zone, the destination addresses in the destination zone, the application (ports/protocols) that is allowed, and the action statement for the rule
• Additional actions can be added to the rule, such as logging, IDP, anti-virus scanning, etc.
19. {primary:node0}[edit]
test@SRX1# set interfaces lo0 unit 0 family inet filter input loopback_ACL
• Command: “set interfaces lo0 unit 0 family inet filter input xxx”
• The control plane of Juniper devices is where all the internal and management traffic is processed
• It is important to protect the control plane, and the best way to do this is to create an ACL that allows only expected traffic (ICMP, SNMP, BGP, SSH, Syslog, etc.) from expected sources
• The above command is used to attach an ACL to the control plane. Ensure you also do one under “inet6” if you are using IPv6
20. {primary:node0}[edit]
test@SRX1# run monitor interface reth0.100
Interface: reth0.100, Enabled, Link is Up
Flags: SNMP-Traps 0x4000
Encapsulation: ENET2
VLAN-Tag [ 0x8100.100 ]
Local statistics:                              Current delta
  Input bytes:                    31178797            [0]
  Output bytes:                   18295428            [0]
  Input packets:                    491788            [0]
  Output packets:                   339515            [0]
Remote statistics:
  Input bytes:                           0 (10368 bps) [0]
  Output bytes:                          0 (9824 bps)  [0]
  Input packets:                         0 (7 pps)     [0]
  Output packets:                        0 (6 pps)     [0]
Traffic statistics:
  Input bytes:               2508402323652         [4199]
  Output bytes:               196562958159         [3776]
  Input packets:                2126407181           [37]
  Output packets:               1268398436           [27]
Protocol: inet, MTU: 1500, Flags: None
• Command: “monitor interface xxxxx”
• This command allows you to see live statistics on an interface
• This is useful when troubleshooting and verifying traffic flow during various types of service turn-ups
21. test@SRX1# show security flow session destination-prefix 10.10.10.11 source-prefix 10.5.102.14
node0:
--------------------------------------------------------------------------
Flow Sessions on FPC0 PIC1:
Total sessions: 0
Flow Sessions on FPC0 PIC2:
Session ID: 20079227, Policy name: Monitoring/25, State: Active, Timeout: 884, Valid
  In: 10.10.11.14/53728 --> 10.10.10.11/161;udp, Conn Tag: 0x0, If: reth0.102, Pkts: 50, Bytes: 4316, CP Session ID: 22697955
  Out: 10.10.10.11/161 --> 10.10.11.14/53728;udp, Conn Tag: 0x0, If: reth0.100, Pkts: 50, Bytes: 6029, CP Session ID: 22697955
Total sessions: 1
• Command: “show security flow session”
• This command allows you to look for real-time traffic sessions going through your device
• This is helpful for troubleshooting purposes if you want to see whether the traffic is traversing your firewall/device
• There are multiple filters that can be used to narrow the search for traffic; in this case we used the destination and source prefix to look for a specific flow
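As an added example (not part of the original deck), a Python parser for the “show security flow session” output above that turns each session and its In/Out wings into structured records, sums the traffic per session, and flags sessions whose Out wing carried no packets, which is the usual sign during troubleshooting that the destination never answered or its replies took another path.

```python
import re
from dataclasses import dataclass, field

# The session output from the slide above, embedded as sample input
SAMPLE_OUTPUT = """\
node0:
--------------------------------------------------------------------------
Flow Sessions on FPC0 PIC1:
Total sessions: 0
Flow Sessions on FPC0 PIC2:
Session ID: 20079227, Policy name: Monitoring/25, State: Active, Timeout: 884, Valid
  In: 10.10.11.14/53728 --> 10.10.10.11/161;udp, Conn Tag: 0x0, If: reth0.102, Pkts: 50, Bytes: 4316, CP Session ID: 22697955
  Out: 10.10.10.11/161 --> 10.10.11.14/53728;udp, Conn Tag: 0x0, If: reth0.100, Pkts: 50, Bytes: 6029, CP Session ID: 22697955
Total sessions: 1
"""

# "Policy name: Monitoring/25" carries the policy name and its internal id
SESSION_RE = re.compile(
    r"^Session ID: (?P<id>\d+), Policy name: (?P<policy>[^/,]+)(?:/\d+)?, "
    r"State: (?P<state>\w+), Timeout: (?P<timeout>\d+)"
)
WING_RE = re.compile(
    r"^(?P<dir>In|Out): (?P<src>[\d.]+)/(?P<sport>\d+) --> "
    r"(?P<dst>[\d.]+)/(?P<dport>\d+);(?P<proto>\w+)"
    r".*?If: (?P<ifname>[^,]+), Pkts: (?P<pkts>\d+), Bytes: (?P<bytes>\d+)"
)


@dataclass
class Wing:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    ifname: str
    pkts: int
    nbytes: int


@dataclass
class Session:
    session_id: int
    policy: str
    state: str
    timeout: int
    wings: dict = field(default_factory=dict)  # "In" / "Out" -> Wing


def parse_flow_sessions(text):
    """Parse 'show security flow session' output; each Session ID line is
    followed by its In and Out wing lines."""
    sessions, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SESSION_RE.match(line)
        if m:
            current = Session(int(m["id"]), m["policy"], m["state"], int(m["timeout"]))
            sessions.append(current)
            continue
        m = WING_RE.match(line)
        if m and current is not None:
            current.wings[m["dir"]] = Wing(
                m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                m["proto"], m["ifname"], int(m["pkts"]), int(m["bytes"]))
    return sessions


def session_volume(session):
    """Total packets and bytes over both directions of one session."""
    return (sum(w.pkts for w in session.wings.values()),
            sum(w.nbytes for w in session.wings.values()))


def no_reply(sessions):
    """Sessions whose Out wing is missing or has seen zero packets."""
    return [s for s in sessions
            if "Out" not in s.wings or s.wings["Out"].pkts == 0]
```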
22. {primary:node0}[edit]
test@SRX1# commit confirmed
• Command: “commit confirmed”
• This command allows the device to automatically roll back to your previously saved configuration if the configuration you entered causes some type of issue and you don’t confirm it
• The default rollback timer is 10 minutes, but you can change the time value by adding a number to the end of the statement: “commit confirmed 5” means it will roll back in 5 minutes
• To confirm the configuration so it doesn’t roll back, you need to type “commit” again
23. test@SRX1> show security idp status
node0:
--------------------------------------------------------------------------
State of IDP: Default, Up since: 2018-11-14 05:24:37 UTC (57w2d 11:53 ago)
Packets/second: 189 Peak: 242628 @ 2019-11-16 14:28:28 UTC
KBits/second : 687 Peak: 3611901 @ 2019-10-23 23:30:30 UTC
Latency (microseconds): [min: 0] [max: 0] [avg: 0]
Packet Statistics:
[ICMP: 15168351] [TCP: 1486997617] [UDP: 3544899862] [Other: 259]
Flow Statistics:
ICMP: [Current: 10] [Max: 29970 @ 2019-06-25 17:45:12 UTC]
TCP: [Current: 434] [Max: 177962 @ 2019-02-14 23:13:54 UTC]
UDP: [Current: 1514] [Max: 42528 @ 2019-10-03 17:28:28 UTC]
Other: [Current: 4] [Max: 252 @ 2019-03-10 20:32:23 UTC]
Session Statistics:
[ICMP: 5] [TCP: 217] [UDP: 757] [Other: 2]
Number of SSL Sessions : 0
Policy Name : Server-Protection
Running Detector Version : 12.6.140190828
Forwarding process mode : regular
• Command: “show security idp status”
• This command shows the current state of the IDP service on your device (not where it is applied, though)
• This displays packets going through the IDP, flows, the name of the IDP policy applied (only one policy can be applied at a time), and the signature set running
24. test@SRX1> show security idp counters action
node0:
--------------------------------------------------------------------------
IDP counters:
  IDP counter type                   Value
  None                                 126
  Recommended                            0
  Ignore                                 0
  Diffserv                               0
  Drop packet                           49
  Drop                              124522
  Close                                  0
  Close server                           0
  Close client                           0
  IP action rate limit                   0
  IP action drop                         0
  IP action close                        0
  IP action nofity                       0
  IP action failed                       0
• Command: “show security idp counters”
• This command shows the number of packets that have had some type of action applied to them when they hit an IDP signature on your device
• The actions depend upon the pre-configured rules for the signatures, but they can be modified or ignored with exemption configurations
25. test@SRX1> show security idp attack detail ?
Possible completions:
<attack-name> Attack name
APP:2WIRE-DSL-VULN
APP:ABB-NETSCANHOST-OF
APP:ACCELLION-FILE-TRANSFER
APP:ACRONIS-TRU-IMG-ECO-SRV-DOS
APP:ADOBE-CF-DIR-TRAV
APP:ADOBE-COLDFUSION-WEBSOCKET
• Command: “show security idp attack detail ?”
• This command shows an alphabetical listing of all the IDP attack signatures that are available on the device
• You can search by attack name if you have an idea of what you are looking for. You can also go to the Juniper website and search their IDP signature database
26. test@SRX1> show security idp attack detail APP:2WIRE-DSL-VULN
Display Name: MISC: 2Wire DSL Router Vulnerability
Severity: Major
Category: APP
Recommended: false
Recommended Action: Drop
Type: signature
Direction: STC
False Positives: unknown
Shellcode: no
Flow: control
Context: http-text-html
Negate: false
TimeBinding:
Scope: none
Count: 1
Hidden Pattern: False
Pattern:
.*[PAGE=H04_POST][^s]*[PASSWORD=][^s]*[PASSWORD_CONF].*
• Command: “show security idp attack detail XXX”
• This command shows the detail of a specific IDP attack signature
• It includes information like the severity, the action taken when found, the context, and the specific signature it matches against
27. test@SRX1> show security idp attack description APP:2WIRE-DSL-VULN
Description: This signature detects attempts to exploit a known vulnerability in 2Wire DSL routers. An attacker can create a malicious Web site containing dangerous hyperlinks, which if accessed by a victim, allows the attacker to gain control of the victim's DSL router.
• Command: “show security idp attack description XXX”
• This command shows a description of a specific IDP attack signature and what it is used to protect against
28. test@SRX1> show interfaces terse
Interface        Admin Link Proto Local Remote
gr-0/0/0         up    up
ip-0/0/0         up    up
lt-0/0/0         up    up
xe-2/2/0         up    up
xe-2/2/0.0       up    up    aenet --> fab0.0
xe-2/2/1         up    up
xe-2/2/1.100     up    up    aenet --> reth0.100
xe-2/2/1.101     up    up    aenet --> reth0.101
xe-2/2/1.102     up    up    aenet --> reth0.102
xe-2/2/1.103     up    up    aenet --> reth0.103
• Command: “show interfaces terse”
• This command shows a summary of all interfaces
• Information includes their admin/link status, descriptions, protocol used, and IP addresses associated with them
29. test@SRX1> show log messages | grep test
Dec 20 17:03:58 SRX1 sshd[55595]: (pam_sm_acct_mgmt): DEBUG: PAM_ACTUAL_USER: test
Dec 20 17:03:58 SRX1 /kernel: FW1-UV sshd[55595]: (pam_sm_acct_mgmt): DEBUG: PAM_ACTUAL_USER: test
Dec 20 17:03:58 SRX1 sshd[55593]: Accepted keyboard-interactive/pam for test from 10.10.80.11 port 59598 ssh2
Dec 20 17:03:58 SRX1 /kernel: FW1-UV sshd[55593]: Accepted keyboard-interactive/pam for test from 10.10.80.11 port 59598 ssh2
Dec 20 17:03:58 SRX1 mgd[55598]: UI_AUTH_EVENT: Authenticated user 'test' at permission level 'j-Admins'
• Command: “show log messages | grep test”
• This command displays the default messages log and then filters for the lines that match the string “test” by using the grep subcommand
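As an added example (not from the original deck), Python detection logic run over messages-log lines in the format shown above: it counts failed SSH logins per source, lists sources that tried the root account (which the “root-login deny” command earlier in this deck is meant to refuse), and maps each authenticated user to the login class reported in UI_AUTH_EVENT, so an “RO” user can be checked against the read-only class from slide 3. The sample lines are constructed; the failed attempts, the “ops” user and the threshold of 3 are assumptions for the example.

```python
import re
from collections import Counter

# Constructed sample of "show log messages" lines in the syslog format shown
# on the slide; the failed attempts and the 'ops' user are made up.
SAMPLE_LOG = """\
Dec 20 17:03:58 SRX1 sshd[55593]: Accepted keyboard-interactive/pam for test from 10.10.80.11 port 59598 ssh2
Dec 20 17:03:58 SRX1 mgd[55598]: UI_AUTH_EVENT: Authenticated user 'test' at permission level 'j-Admins'
Dec 20 17:05:02 SRX1 sshd[55610]: Failed password for root from 10.10.80.55 port 51012 ssh2
Dec 20 17:05:04 SRX1 sshd[55610]: Failed password for root from 10.10.80.55 port 51012 ssh2
Dec 20 17:05:07 SRX1 sshd[55612]: Failed password for admin from 10.10.80.55 port 51013 ssh2
Dec 20 17:06:10 SRX1 sshd[55620]: Accepted keyboard-interactive/pam for ops from 10.10.80.12 port 60100 ssh2
Dec 20 17:06:10 SRX1 mgd[55624]: UI_AUTH_EVENT: Authenticated user 'ops' at permission level 'RO'
"""

# sshd lines: "<Accepted|Failed> <method> for <user> from <ip> port <port> ssh2".
# Anchoring on "<host> sshd[" skips the duplicated "/kernel: ... sshd[" copies
# seen on the slide, so each login attempt is counted once.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)
# mgd lines: UI_AUTH_EVENT carries the login class the user was placed in
AUTH_EVENT_RE = re.compile(
    r"UI_AUTH_EVENT: Authenticated user '(?P<user>[^']+)' at permission level '(?P<cls>[^']+)'"
)


def parse_ssh_events(text):
    """Return (timestamp, result, user, source) tuples for sshd auth lines."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            events.append((m["ts"], m["result"], m["user"], m["src"]))
    return events


def noisy_sources(events, threshold=3):
    """Sources with at least `threshold` failed logins (threshold is assumed)."""
    fails = Counter(src for _, result, _, src in events if result == "Failed")
    return {src: n for src, n in fails.items() if n >= threshold}


def root_login_sources(events):
    """Sources that tried the root account over SSH, accepted or not."""
    return sorted({src for _, _, user, src in events if user == "root"})


def login_classes(text):
    """Map each authenticated user to the login class reported by mgd."""
    classes = {}
    for line in text.splitlines():
        m = AUTH_EVENT_RE.search(line)
        if m:
            classes[m["user"]] = m["cls"]
    return classes


if __name__ == "__main__":
    ev = parse_ssh_events(SAMPLE_LOG)
    print("noisy sources:", noisy_sources(ev))
    print("root attempts from:", root_login_sources(ev))
    print("login classes:", login_classes(SAMPLE_LOG))
```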
30. test@SRX1> show configuration | display set
• Command: “show configuration | display set”
• The “show configuration” command will display the active configuration that is running on the device. The format of this configuration is a hierarchical bracketed format that is not easily copied back into a device for configuration changes
• The “ | display set” subcommand displays the configuration but outputs it in a “set” format, which allows the commands to be copied into another device
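To show what “| display set” does with the bracketed format, here is an added Python converter (not from the deck or from Junos) that walks a hierarchical configuration fragment and emits one “set” statement per leaf, expanding “[ a b ]” lists into one statement per item the way the device does. The configuration fragment is constructed for the example and mirrors the SSH and RO-class settings from earlier slides.

```python
import re

# Constructed bracketed configuration fragment (not captured from a device),
# covering the ssh and login-class settings shown earlier in this deck.
SAMPLE_CONFIG = """\
system {
    services {
        ssh {
            root-login deny;
            ciphers [ aes128-ctr aes256-ctr ];
        }
    }
    login {
        class RO {
            permissions view-configuration;
            allow-commands show;
            deny-configuration all;
        }
    }
}
"""

# "key [ a b c ]" -> one set statement per item; keys containing a quote are
# left alone so a quoted value with brackets is not mistaken for a list.
LIST_RE = re.compile(r'^(?P<key>[^"\[]+?)\s*\[\s*(?P<items>[^\]]*)\]$')


def config_to_set(text):
    """Convert hierarchical Junos configuration text into 'set' statements.
    A stack of open blocks gives each leaf its full path; unbalanced braces
    or an unrecognised line raise ValueError."""
    stack, out = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "/*")):
            continue  # blank lines and comments carry no configuration
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            if not stack:
                raise ValueError("unexpected '}' with no open block")
            stack.pop()
        elif line.endswith(";"):
            stmt = line[:-1].strip()
            path = " ".join(["set"] + stack)
            m = LIST_RE.match(stmt)
            if m:
                for item in m["items"].split():
                    out.append(f"{path} {m['key']} {item}")
            else:
                out.append(f"{path} {stmt}")
        else:
            raise ValueError(f"cannot parse line: {line!r}")
    if stack:
        raise ValueError(f"unclosed block(s): {' > '.join(stack)}")
    return out


def config_error(text):
    """Return None if `text` converts cleanly, else the parse error message."""
    try:
        config_to_set(text)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("\n".join(config_to_set(SAMPLE_CONFIG)))
```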