keeganjacobson

Juniper (Junos) Essentials

Oct 4th, 2012
#Delete the entire configuration (this is not a factory reset; it wipes the candidate configuration, run from configure mode)
delete

#Copy/paste a whole configuration (replaces the candidate configuration with what you paste)
load override terminal - http://kb.juniper.net/InfoCenter/index?page=content&id=KB16622

#Software installation/upgrade (firmware)
http://kb.juniper.net/InfoCenter/index?page=content&id=KB16652

#Save (commit) changes
commit

#Check that the commit will succeed and is not missing any required statements (this does not mean the config will actually get you online)
commit check

#Commit, but roll back automatically after x minutes (here 5) if another commit is not performed; x can be any number
commit confirmed 5

#Set hostname on device
set system host-name [hostname]

#Set root password (prompts for the password)
set system root-authentication plain-text-password

#Create a new admin user ([name] in most cases will or should be admin)
set system login user [name] class super-user authentication plain-text-password

#Set IP on fe-0/0/0 [check x.x.x.x/x against their current firewall; if it's one IP it is most likely a /24, since the subnet tends to be 255.255.255.0 on current firewalls]
set interfaces fe-0/0/0 unit 0 family inet address x.x.x.x/x [probably /24 unless it's a /29 or /30]

#Set IP on VLAN (internal/trusted network - check x.x.x.x/x against their current firewall) (MAKE SURE you delete the default VLAN address if you add a new one)
set interfaces vlan unit 0 family inet address x.x.x.x/x

#Set default gateway [check x.x.x.x against what the current firewall gateway is set to]
set routing-options static route 0.0.0.0/0 next-hop x.x.x.x

#Delete DHCP (ONLY IF DHCP IS NOT BEING DONE BY THE PREVIOUS/CURRENT FIREWALL)
delete system services dhcp

#Save rescue config (also clears the orange alarm light; run it from operational mode, not configure mode, once the config is finished)
request system configuration rescue save

#Application for firewall rules (example for a tcp636 application; "tcp636" is the name given to the application created below)
set applications application tcp636 protocol tcp
set applications application tcp636 destination-port 636

set applications application tcp3389 protocol tcp
set applications application tcp3389 destination-port 3389

#Firewall rules - Incoming/Inbound (the NAT portion). Keep source-address 0.0.0.0/0 here and lock it down in the security policy portion. The pool name is, for example, the name of the server and the pool address is the /32 of that server. The match destination-address is always going to be a /32 even if the external WAN interface is a /29, for example: take the single public IP that is listed and put it in as a /32 unless otherwise noted.
set security nat destination pool [poolname] address x.x.x.x/x
set security nat destination rule-set inbound-nat from zone untrust

set security nat destination rule-set inbound-nat rule [namehere] match source-address 0.0.0.0/0
set security nat destination rule-set inbound-nat rule [namehere] match destination-address x.x.x.x/32
set security nat destination rule-set inbound-nat rule [namehere] match destination-port xx
set security nat destination rule-set inbound-nat rule [namehere] then destination-nat pool [poolname]

#Firewall rules - Security policies Incoming/Inbound (the opening and lockdown portion); the policy name is [name]-in, e.g. http-in
set security policies from-zone untrust to-zone trust policy [name]-in match source-address any
set security policies from-zone untrust to-zone trust policy [name]-in match destination-address [trusted address-book address, i.e. the internal address the traffic is going to]
set security policies from-zone untrust to-zone trust policy [name]-in match application junos-xxx
set security policies from-zone untrust to-zone trust policy [name]-in then permit

#Firewall rules - Outgoing/Outbound (rules other than the default aren't on every firewall; the default is posted here)
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit

#Create an address (this is an example of a trusted/internal computer or server)
set security zones security-zone trust address-book address trust-net 10.1.1.0/24
set security zones security-zone trust address-book address Bob-PC 10.1.1.1/32

#Create an address set (group) (this is an example of a group of trusted/internal computers or servers)
set security zones security-zone trust address-book address-set All10 address trust-net
set security zones security-zone trust address-book address-set All10 address Bob-PC

#Create an address (this is an example of an untrusted/external computer or server)
set security zones security-zone untrust address-book address example1 x.x.x.x/32
set security zones security-zone untrust address-book address example2 x.x.x.x/32

#Create an address set (group) (this is an example of a group of untrusted/external computers or servers, e.g. example3 containing example1 and example2) (THE ADDRESSES ABOVE MUST BE CREATED FIRST)
set security zones security-zone untrust address-book address-set example3 address example1
set security zones security-zone untrust address-book address-set example3 address example2

#Bridge interfaces (cleans up the config; FYI you will need to run "delete interfaces fe-0/0/X" for each member afterwards to truly clean them up)
set interfaces interface-range interfaces-trust member fe-0/0/1
set interfaces interface-range interfaces-trust member fe-0/0/2
set interfaces interface-range interfaces-trust member fe-0/0/3
set interfaces interface-range interfaces-trust member fe-0/0/4
set interfaces interface-range interfaces-trust member fe-0/0/5
set interfaces interface-range interfaces-trust member fe-0/0/6
set interfaces interface-range interfaces-trust member fe-0/0/7
set interfaces interface-range interfaces-trust unit 0 family ethernet-switching vlan members vlan-trust

#For Pulse IPsec VPN (aka mobile user VPN) make sure IKE is allowed on the external interface
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike

#Download Junos Pulse client - or check FTP under Juniper
http://www.juniper.net/support/products/pulse/2.1/#sw

#Show MAC address table (do this from operational mode, not configure mode)
show ethernet-switching table brief

#Remote management lockdown (should be cookie cutter) (make sure you add the internal LAN subnet as an allowed address as well)
set system services web-management https interface fe-0/0/0.0
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services https
set system services ssh rate-limit 3
set system services ssh root-login deny

#X.X.X.X/24 is the network you are going to allow; add as many "from address" lines as necessary
set firewall family inet filter local_acl term remote_mgmt from address X.X.X.X/24
set firewall family inet filter local_acl term remote_mgmt from protocol tcp
set firewall family inet filter local_acl term remote_mgmt from port ssh
set firewall family inet filter local_acl term remote_mgmt from port https
set firewall family inet filter local_acl term remote_mgmt then accept
set firewall family inet filter local_acl term remote_mgmt_denied from protocol tcp
set firewall family inet filter local_acl term remote_mgmt_denied from port ssh
set firewall family inet filter local_acl term remote_mgmt_denied from port https
set firewall family inet filter local_acl term remote_mgmt_denied then log
set firewall family inet filter local_acl term remote_mgmt_denied then discard

set firewall family inet filter local_acl term default-term then accept
set interfaces lo0 unit 0 family inet filter input local_acl
set interfaces lo0 unit 0 family inet address 127.0.0.1/32

#If you do an IKE VPN you'll need to make these changes
delete firewall family inet filter local_acl term remote_mgmt from port https
delete firewall family inet filter local_acl term remote_mgmt_denied from port https

#Resource cleanup
delete security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp
delete security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services tftp
set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping

#Further lockdown and security cleanup (remove the ability to reach HTTPS management externally; this also keeps it from interfering with SSL VPN)
delete system services web-management https interface fe-0/0/0.0
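The lockdown block above is easy to get subtly wrong: the lo0 filter only protects the box if it is actually applied to lo0, if the accept term is configured before the deny term (Junos evaluates filter terms in configuration order and the first match wins), and if the external HTTPS management listener has really been deleted. The following Python script is an added example, not part of the original paste: it parses "set"-style lines and audits them for exactly those points. The parser, the finding strings, the sample configuration strings and the allowed network 192.0.2.0/24 are constructed here; the interface fe-0/0/0.0 and the filter name local_acl are the ones used in the notes.

```python
"""Audit a Junos 'set'-style configuration for the remote-management lockdown.

Added example, not part of the original paste. The parser, finding strings,
sample configurations and the allowed network 192.0.2.0/24 are constructed;
fe-0/0/0.0 and local_acl are the names used in the notes.
"""

EXTERNAL_IFACE = "fe-0/0/0.0"   # untrust/WAN interface from the notes
LOOPBACK_FILTER = "local_acl"   # lo0 input filter from the notes


def parse_set_lines(text):
    """Return every 'set ...' statement as a token list, in file order."""
    stmts = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if line.startswith("set "):
            stmts.append(line.split()[1:])
    return stmts


def has_prefix(stmts, *prefix):
    """True if any statement starts with the given token sequence."""
    return any(tuple(s[:len(prefix)]) == prefix for s in stmts)


def filter_terms(stmts, filter_name):
    """Term names of a family-inet filter, in the order Junos evaluates them:
    terms are evaluated in configuration order and the first match wins."""
    head = ["firewall", "family", "inet", "filter", filter_name, "term"]
    terms = []
    for s in stmts:
        if s[:6] == head and len(s) > 6 and s[6] not in terms:
            terms.append(s[6])
    return terms


def audit_management(stmts):
    """Return a list of findings; an empty list means the lockdown is in place."""
    findings = []
    if not has_prefix(stmts, "system", "services", "ssh", "root-login", "deny"):
        findings.append("ssh root-login is not denied")
    if not has_prefix(stmts, "system", "services", "ssh", "rate-limit"):
        findings.append("ssh rate-limit is not set")
    if has_prefix(stmts, "system", "services", "web-management", "https",
                  "interface", EXTERNAL_IFACE):
        findings.append(f"web-management https is exposed on {EXTERNAL_IFACE}")
    if not has_prefix(stmts, "interfaces", "lo0", "unit", "0", "family", "inet",
                      "filter", "input", LOOPBACK_FILTER):
        findings.append(f"{LOOPBACK_FILTER} is not applied as the lo0 input filter")
    terms = filter_terms(stmts, LOOPBACK_FILTER)
    if "remote_mgmt" not in terms or "remote_mgmt_denied" not in terms:
        findings.append(f"{LOOPBACK_FILTER} lacks the remote_mgmt/remote_mgmt_denied terms")
    elif terms.index("remote_mgmt_denied") < terms.index("remote_mgmt"):
        findings.append("remote_mgmt_denied precedes remote_mgmt: allowed hosts are discarded")
    if not has_prefix(stmts, "firewall", "family", "inet", "filter", LOOPBACK_FILTER,
                      "term", "remote_mgmt_denied", "then", "discard"):
        findings.append("remote_mgmt_denied does not discard")
    return findings


# Constructed sample statements, following the lockdown block in the notes.
ACL = "set firewall family inet filter local_acl term "
ALLOW_TERM = [
    ACL + "remote_mgmt from address 192.0.2.0/24",   # constructed allowed network
    ACL + "remote_mgmt from protocol tcp",
    ACL + "remote_mgmt from port ssh",
    ACL + "remote_mgmt from port https",
    ACL + "remote_mgmt then accept",
]
DENY_TERM = [
    ACL + "remote_mgmt_denied from protocol tcp",
    ACL + "remote_mgmt_denied from port ssh",
    ACL + "remote_mgmt_denied from port https",
    ACL + "remote_mgmt_denied then log",
    ACL + "remote_mgmt_denied then discard",
]
BASE = [
    "set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ssh",
    "set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services https",
    "set system services ssh rate-limit 3",
    "set system services ssh root-login deny",
    ACL + "default-term then accept",
    "set interfaces lo0 unit 0 family inet filter input local_acl",
    "set interfaces lo0 unit 0 family inet address 127.0.0.1/32",
]
WEB_ON_WAN = "set system services web-management https interface fe-0/0/0.0"

BEFORE_CLEANUP = "\n".join([WEB_ON_WAN] + ALLOW_TERM + DENY_TERM + BASE)  # before the final delete
AFTER_CLEANUP = "\n".join(ALLOW_TERM + DENY_TERM + BASE)                  # after the final delete
MISORDERED = "\n".join(DENY_TERM + ALLOW_TERM + BASE)                      # deny term entered first


def audit_text(text):
    """Convenience wrapper: parse and audit one configuration string."""
    return audit_management(parse_set_lines(text))


if __name__ == "__main__":
    for name, cfg in [("before", BEFORE_CLEANUP), ("after", AFTER_CLEANUP),
                      ("misordered", MISORDERED)]:
        print(name, audit_text(cfg) or "OK")
```

Running the script prints one line per sample: the "before" config is flagged only for the HTTPS listener still bound to fe-0/0/0.0, the "after" config passes, and the "misordered" config shows what happens if the remote_mgmt_denied term is entered before remote_mgmt: every SSH/HTTPS connection to the box, including those from the allowed network, hits the discard term first. To audit a live device, feed it the output of "show configuration | display set".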

#Set inactivity-timeout on an application
set applications application junos-[xxxx] inactivity-timeout [seconds]