SRX Workshop Sep 2009
Lab Overview
Stefan Lager

Lab Overview

Internet gateway: 1.1.1.1

Per-group addressing on the untrust side (1.1.1.0/24) and the trust side:

  Group    Untrust addresses   Static (MIP)   Dest NAT   Src NAT-Pool   Trust side
  Group-1  1.1.1.10, .11       1.1.1.13       1.1.1.14   1.1.1.15-19    192.168.1.1
  Group-2  1.1.1.20, .21       1.1.1.23       1.1.1.24   1.1.1.25-29    192.168.2.1
  Group-n  1.1.1.n0, .n1       1.1.1.n3       1.1.1.n4   1.1.1.n5-n9    192.168.n.1

Management Network 10.1.75.0/24:
  .223  STRM Series
  .222  NS Security Manager
  .111  FTP-Server
Lab 1: Cluster setup

• Logon to the console port (user=root, no password).
• Set up the cluster according to the information in the PPT slides.
• FXP0 in SRX-240 is ge-0/0/0; it should be assigned an IP-address in the management network, 10.1.75.<gr>0/24.
• FXP1 (Control) port is ge-0/0/1; connect the two ports with a cable.
• FAB port can be any port; connect the two ports with a cable.
• Use access to the FTP-server to retrieve the latest firmware file and upgrade the system to the latest firmware version.

Note: If you only have one unit, choose one port as management port and assign the FXP0 address above.
Lab 1b: Cluster setup (cont)

• Create a redundancy group for the control plane (RG0)
  # set chassis cluster redundancy-group 0 node 0 priority 200
  # set chassis cluster redundancy-group 0 node 1 priority 100
• Create a redundancy group for the interfaces (RG1)
  # set chassis cluster redundancy-group 1 node 0 priority 200
  # set chassis cluster redundancy-group 1 node 1 priority 100
• Create redundant ethernet interfaces, bind them to RG1 and assign physical interfaces to them.
  # set chassis cluster reth-count 2
  # set interfaces reth0 redundant-ether-options redundancy-group 1
  # set interfaces reth1 redundant-ether-options redundancy-group 1
  # set interfaces reth0 unit 0 family inet address 192.168.n.1/24
  # set interfaces reth1 unit 0 family inet address 1.1.1.n0/24
  # set interfaces ge-0/0/4 gigether-options redundant-parent reth0
  # set interfaces ge-5/0/4 gigether-options redundant-parent reth0
  # set interfaces ge-0/0/8 gigether-options redundant-parent reth1
  # set interfaces ge-5/0/8 gigether-options redundant-parent reth1
• Assign interfaces to zones
  # set security zones security-zone trust interfaces reth0.0
  # set security zones security-zone untrust interfaces reth1.0
Lab 2: Basic Setup

• Enable management
  # set system services ssh
  # set system services web-management http
• Make sure routing is set up correctly and that there is a basic security policy to allow traffic from trust to untrust.
• Set up logging of traffic to the file "traffic.log"
  # set system syslog file traffic.log user info
  # set system syslog file traffic.log structured-data
• Test connectivity to the Internet. Check traffic.log
  # run show log traffic.log
• If it fails, use debug commands to find the reason.

TIPS:
  # set security flow traceoptions file flow.deb
  # set security flow traceoptions flag basic-datapath
  # commit
  # run show log flow.deb
Lab 3: Source NAT

LAB 3.1: Interface-based Src-NAT
• Set up Source NAT for internal (trust) traffic to external (untrust); the source address should be the untrust interface IP-address. Test Internet connectivity.
  # set security nat source rule-set interface-nat from zone trust
  # set security nat source rule-set interface-nat to zone untrust
  # set security nat source rule-set interface-nat rule rule1 match source-address 0.0.0.0/0 destination-address 0.0.0.0/0
  # set security nat source rule-set interface-nat rule rule1 then source-nat interface

LAB 3.2: Pool-based Src-NAT
• Add a NAT-Pool to the above source NAT. Use addresses 1.1.1.<gr>5 - 1.1.1.<gr>9 (i.e. 15-19, 25-29, etc.).

* Use debug commands continuously to find the packets and follow them through the rules above. *
Lab 3b: Destination NAT

LAB 3.3: Static-NAT (MIP) Dst-NAT
• Set up Destination NAT for external (untrust) traffic to an internal (trust) host, using external IP-address 1.1.1.<gr>3. Ask other groups to test connectivity for you. (Don't forget proxy-arp: the SRX must answer ARP for 1.1.1.n3 on the interface that holds the 1.1.1.n0 untrust address.)
  # set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.n3/32
  (Use the untrust-side interface of your unit here; in the Lab 1b cluster setup that is reth1.0.)
  # set security nat static rule-set static-nat from zone untrust
  # set security nat static rule-set static-nat rule rule1 match destination-address 1.1.1.n3/32
  # set security nat static rule-set static-nat rule rule1 then static-nat prefix 192.168.n.99/32

LAB 3.4: Dst-NAT with Port Translation
• Set up Destination NAT with Port Translation for external (untrust) traffic to an internal (trust) host with a service of your choice (e.g. a webserver), using external IP-address 1.1.1.<gr>4 and port 8080.
Create a firewall rule to accept incoming traffic to the static NAT IP (MIP)

Create address object
  # set security zones security-zone trust address-book address my-laptop 192.168.n.99/32
Create firewall policy
  # edit security policies from-zone untrust to-zone trust
  # set policy my-nat-rule match source-address any destination-address any application any
  # set policy my-nat-rule then permit
  # set policy my-nat-rule then log session-close
OR
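As an added check for Labs 2 and 3 (example code, not part of the workshop material): a Python script that reads the structured-data traffic.log set up in Lab 2 and reports, for each session, which NAT rule from Lab 3 should have translated it, flagging sessions that left the trust zone with their private source address intact. The group number, the RT_FLOW_SESSION_CREATE field layout and the sample log lines are assumptions constructed for this example.

```python
import re
from ipaddress import ip_address, ip_network
GROUP = 2  # assumed lab group number "n"; addresses follow the workshop's 1.1.1.n* scheme
PLAN = {
    "untrust_if": ip_address(f"1.1.1.{GROUP}0"),   # reth1 address used by lab 3.1
    "static_mip": ip_address(f"1.1.1.{GROUP}3"),   # lab 3.3 static NAT (MIP)
    "dst_nat": ip_address(f"1.1.1.{GROUP}4"),      # lab 3.4 dst NAT, external port 8080
    "src_pool": {ip_address(f"1.1.1.{GROUP}{i}") for i in range(5, 10)},  # lab 3.2 pool n5-n9
    "inside_host": ip_address(f"192.168.{GROUP}.99"),
    "lan": ip_network(f"192.168.{GROUP}.0/24"),
}
KV = re.compile(r'([\w-]+)="([^"]*)"')  # structured-data key="value" pairs

def parse_rt_flow(line):
    """Return the fields of an RT_FLOW_SESSION_CREATE line, or None for any other record."""
    if "RT_FLOW_SESSION_CREATE" not in line:
        return None
    return dict(KV.findall(line[line.index("["):]))

def classify(f):
    """Name the lab step whose NAT rule should have produced this session's translation."""
    src, nsrc = ip_address(f["source-address"]), ip_address(f["nat-source-address"])
    dst, ndst = ip_address(f["destination-address"]), ip_address(f["nat-destination-address"])
    zones = (f["source-zone-name"], f["destination-zone-name"])
    if zones == ("trust", "untrust"):  # outbound: source NAT expected
        if nsrc == PLAN["untrust_if"]:
            return "lab3.1 interface src-nat"
        if nsrc in PLAN["src_pool"]:
            return "lab3.2 pool src-nat"
        if nsrc == src and src in PLAN["lan"]:
            return "FINDING: private source leaked untranslated"
    elif zones == ("untrust", "trust"):  # inbound: destination NAT expected
        if (dst == PLAN["static_mip"] and ndst == PLAN["inside_host"]
                and f["destination-port"] == f["nat-destination-port"]):
            return "lab3.3 static dst-nat (MIP)"
        if dst == PLAN["dst_nat"] and f["destination-port"] == "8080" and ndst in PLAN["lan"]:
            return "lab3.4 dst-nat with port translation"
    return "UNEXPECTED: translation matches no lab rule"

def audit(log_text):
    return [(f["session-id-32"], classify(f))
            for f in map(parse_rt_flow, log_text.splitlines()) if f]

# Constructed sample lines in the RT_FLOW structured-data layout (not captured from a real unit).
SAMPLE_LOG = """\
<14>1 2009-09-15T10:00:01Z srx RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.36 source-address="192.168.2.50" source-port="40001" destination-address="1.1.1.1" destination-port="80" service-name="junos-http" nat-source-address="1.1.1.20" nat-source-port="12001" nat-destination-address="1.1.1.1" nat-destination-port="80" src-nat-rule-name="rule1" dst-nat-rule-name="None" protocol-id="6" policy-name="trust-to-untrust" source-zone-name="trust" destination-zone-name="untrust" session-id-32="101"]
<14>1 2009-09-15T10:00:03Z srx RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.36 source-address="1.1.1.10" source-port="50000" destination-address="1.1.1.23" destination-port="22" service-name="junos-ssh" nat-source-address="1.1.1.10" nat-source-port="50000" nat-destination-address="192.168.2.99" nat-destination-port="22" src-nat-rule-name="None" dst-nat-rule-name="rule1" protocol-id="6" policy-name="my-nat-rule" source-zone-name="untrust" destination-zone-name="trust" session-id-32="103"]
<14>1 2009-09-15T10:00:04Z srx RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.36 source-address="192.168.2.52" source-port="40003" destination-address="1.1.1.1" destination-port="80" service-name="junos-http" nat-source-address="192.168.2.52" nat-source-port="40003" nat-destination-address="1.1.1.1" nat-destination-port="80" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="6" policy-name="trust-to-untrust" source-zone-name="trust" destination-zone-name="untrust" session-id-32="104"]
"""
```

Run `audit(open("traffic.log").read())` against a copy of the unit's traffic.log (after `run show log traffic.log`) to see which lab rule each session hit; session 104 in the sample shows what a missing source-NAT rule looks like in the log.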
Lab 4: IPSEC VPN

• Create proposals for phase 1 & 2.
• Set up an IPSEC tunnel to your own test unit, or partner with another group to set up the tunnel to. Remember to agree on the Preshared key.
• Test connectivity through the tunnel. Use debug commands to sort out what the issue is.
Lab 5: Connect to NSM and STRM

• Set up management with NSM.
• Verify that NSM is connected to the unit.
• Set up logging to NSM.
• Verify.
• Set up logging in the SRX to the STRM.
• Verify that the STRM unit is receiving log data from the SRX.
RPM = Remote Performance Monitor. A feature that makes it possible to send probes, measure jitter/RTT/packet loss and send traps if a threshold is reached.
(Lab 7: UTM functions)

• Install UTM license.
• Activate IDP and filtering in a security policy.
• Activate AntiVirus engine and filtering in a security policy.
• Activate WebFilter engine and filtering in a security policy.