#Junos SRX setup cheat sheet in set-style CLI, grouped by task. Bracketed values and x.x.x.x are placeholders to fill in per site; a line starting with # is a note, not a command.
1 | #Delete the entire configuration (not factory default, wipe config) | |
#Run from the top of configure mode. It empties the candidate config and takes effect only on the next commit, so pair it with "commit confirmed" below in case the new config locks you out.
2 | delete | |
3 | ||
4 | #Copy/Paste Configuration | |
5 | load override terminal - http://kb.juniper.net/InfoCenter/index?page=content&id=KB16622 | |
6 | ||
7 | #Software Installation/Upgrade (firmware) | |
8 | http://kb.juniper.net/InfoCenter/index?page=content&id=KB16652 | |
9 | ||
10 | #Save (commit) changes | |
11 | commit | |
12 | ||
13 | #Check that the commit will work and is not missing any required statements (this does not mean that it will work for getting online) | |
14 | commit check | |
15 | ||
16 | #Have the commit roll back after x minutes (5 here) unless a plain commit follows; x can be any number | |
#Use this for any change to the external interface, default gateway or the management filter: if the change cuts off your access, the box reverts on its own instead of staying locked out.
17 | commit confirmed 5 | |
18 | ||
19 | #Set hostname on device | |
20 | set system host-name | |
21 | ||
22 | #Set root password | |
#With no value on the line the CLI prompts for the password, so it never ends up in this paste or in the command history; keep it that way rather than adding the password inline.
23 | set system root-authentication plain-text-password | |
24 | ||
25 | #Create a new admin user ([name] in most cases will or should be admin) | |
#super-user is full privilege. A per-person account name keeps commit history and syslog attributable to one operator; a shared "admin" login cannot be traced back to whoever made a change.
26 | set system login user [name] class super-user authentication plain-text-password | |
27 | ||
28 | #Set IP on fe0/0/0 [check x.x.x.x/x against their current firewall; a single external IP is usually a /24, i.e. a 255.255.255.0 mask, on current firewalls] | |
29 | set interfaces fe-0/0/0 unit 0 family inet address x.x.x.x/x [probably /24 unless its a /29 or /30] | |
30 | ||
31 | #Set IP on VLAN (internal/trusted network - check x.x.x.x/x against their current firewall) (MAKE SURE that you delete the default vlan address if you add one as well) | |
32 | set interfaces vlan unit 0 family inet address x.x.x.x/x | |
33 | ||
34 | #Set default gateway [check x.x.x.x against what the current firewall gateway is set to] | |
35 | set routing-options static route 0.0.0.0/0 next-hop x.x.x.x | |
36 | ||
37 | #Delete DHCP (ONLY IF DHCP IS NOT BEING DONE BY PREVIOUS/CURRENT FIREWALL) | |
38 | delete system services dhcp | |
39 | ||
40 | #Save Rescue Config (eliminates orange alarm light as well, to be run when finished with config and you don't run it from configure mode) | |
#Save it only after the lockdown sections below are committed: the rescue config is what "rollback rescue" restores, so it should capture the hardened state, not a half-finished one.
41 | request system configuration rescue save | |
42 | ||
43 | #Application for Firewall rules (example for tcp636 application, the tcp636 portion is the name that is created for the application below) | |
44 | set applications application tcp636 protocol tcp | |
45 | set applications application tcp636 destination-port 636 | |
46 | ||
#tcp3389 is RDP. Publishing it straight from untrust is a frequent cause of compromised networks; prefer reaching it over the Pulse/IPsec VPN set up further down, and if it must be opened inbound, narrow the policy's source-address to the known client addresses.
47 | set applications application tcp3389 protocol tcp | |
48 | set applications application tcp3389 destination-port 3389 | |
49 | ||
50 | #Firewall rules - Incoming/Inbound (the NAT portion) (keep source 0.0.0.0/0 and then lockdown in security policy portion) (pool name for example is name of server and address is /32 of | |
51 | ||
52 | server for that one address) (destination-address is always going to be a /32 even if the external wan interface is a /29 for example, take what that single IP is listed and put it as | |
53 | ||
54 | a /32 unless otherwise noted) | |
#The NAT rule only rewrites the destination address; it grants nothing by itself. The from-zone untrust to-zone trust policy in the next section is the actual access control for this traffic.
55 | set security nat destination pool [poolname] address x.x.x.x/x | |
#NOTE(review): the "rule" keyword on the next line looks stray; the rule-set's ingress zone is normally given as "set security nat destination rule-set inbound-nat from zone untrust" - confirm on the device, the line as written may not commit.
56 | set security nat destination rule-set inbound-nat rule from zone untrust | |
57 | ||
58 | set security nat destination rule-set inbound-nat rule [namehere] match source-address 0.0.0.0/0 | |
59 | set security nat destination rule-set inbound-nat rule [namehere] match destination-address x.x.x.x/32 | |
60 | set security nat destination rule-set inbound-nat rule [namehere] match destination-port xx | |
61 | set security nat destination rule-set inbound-nat rule [namehere] then destination-nat pool [poolname] | |
62 | ||
63 | #Firewall rules - Security Policies Incoming/Inbound (the opening and lockdown portion) | |
#This is the lockdown the NAT comment refers to: keep destination-address to the single translated host and application to the one service (a junos-* predefined app or one of the custom tcp636/tcp3389 apps above), never "any". Replace "source-address any" with an untrust address-set when the clients are known. Add "then log session-init" if inbound hits should show up in syslog.
64 | set security policies from-zone untrust to-zone trust policy xxxx-in[ex http-in] match source-address any | |
65 | set security policies from-zone untrust to-zone trust policy xxxx-in[ex http-in] match destination-address [trusted address-book address, going from source to this trusted address] | |
66 | set security policies from-zone untrust to-zone trust policy xxxx-in[ex http-in] match application junos-xxx | |
67 | set security policies from-zone untrust to-zone trust policy xxxx-in[ex http-in] then permit | |
68 | ||
69 | #Firewall rules - Outgoing/Outbound (rules other than the default listed aren't on every firewall, default posted) | |
#any/any outbound is the permissive default. If the customer needs egress control, add narrower trust-to-untrust policies above this one; policies are evaluated in order and the first match wins, so this catch-all must stay last.
70 | set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any | |
71 | set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any | |
72 | set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any | |
73 | set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit | |
74 | ||
75 | #Create an Address (this is an example of a trusted/internal computer or server) | |
76 | set security zones security-zone trust address-book address trust-net 10.1.1.0/24 | |
77 | set security zones security-zone trust address-book address Bob-PC 10.1.1.1/32 | |
78 | ||
79 | #Create an Address Set (Groups) (this is an example of trusted/internal computers or servers clusters or groups) | |
80 | set security zones security-zone trust address-book address-set All10 address trust-net | |
81 | set security zones security-zone trust address-book address-set All10 address Bob-PC | |
82 | ||
83 | #Create an Address (this is an example of an untrusted/external computer or server) | |
84 | set security zones security-zone untrust address-book address example1 x.x.x.x/32 | |
85 | set security zones security-zone untrust address-book address example2 x.x.x.x/32 | |
86 | ||
87 | #Create an Address Set (Groups) (this is an example of untrusted/external computers or servers, e.g. example3 made up of example1/example2) (NEEDS THE ADDRESSES ABOVE MADE FIRST) | |
88 | set security zones security-zone untrust address-book address-set example3 address example1 | |
89 | set security zones security-zone untrust address-book address-set example3 address example2 | |
90 | ||
91 | #Bridge Interfaces (cleans up config, fyi will need to run "delete interfaces fe-0/0/X" after this to truly clean them up) | |
92 | set interfaces interface-range interfaces-trust member fe-0/0/1 | |
93 | set interfaces interface-range interfaces-trust member fe-0/0/2 | |
94 | set interfaces interface-range interfaces-trust member fe-0/0/3 | |
95 | set interfaces interface-range interfaces-trust member fe-0/0/4 | |
96 | set interfaces interface-range interfaces-trust member fe-0/0/5 | |
97 | set interfaces interface-range interfaces-trust member fe-0/0/6 | |
98 | set interfaces interface-range interfaces-trust member fe-0/0/7 | |
99 | set interfaces interface-range interfaces-trust unit 0 family ethernet-switching vlan members vlan-trust | |
100 | ||
101 | #For Pulse IPsec VPN (aka mobile user vpn) make sure IKE is running on external interface | |
#This answers IKE (UDP 500, plus 4500 for NAT traversal) from anyone on the untrust side; that is the expected exposure for a remote-access VPN. The local_acl filter below lets it through via its default-term accept, so IKE is not covered by the ssh/https lockdown.
102 | set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ike | |
103 | ||
104 | #Download Junos Pulse Client - or check ftp under Juniper | |
105 | http://www.juniper.net/support/products/pulse/2.1/#sw | |
106 | ||
107 | #Show MAC address table (do this from the operational-mode prompt, not from configure mode) | |
108 | show ethernet-switching table brief | |
109 | ||
110 | #Remote Management Lockdown (should be cookie cutter) (make sure you add the internal LAN subnet as well) | |
#Commit this whole section as one unit (ideally under "commit confirmed"): the host-inbound-traffic lines open ssh/https on the untrust interface, and only the local_acl filter bound to lo0 below restricts who may reach them. The "Further lockdown" section at the end removes the external https listener again, so once finished only ssh is exposed on the WAN side.
111 | set system services web-management https interface fe-0/0/0.0 | |
112 | set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ssh | |
113 | set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services https | |
#rate-limit throttles new ssh connection attempts; root-login deny forces every login through a named account so the commit/syslog trail stays attributable.
114 | set system services ssh rate-limit 3 | |
115 | set system services ssh root-login deny | |
116 | ||
#NOTE(review): in a firewall filter "address" and "port" match the SOURCE OR DESTINATION side. Two consequences: "from address X.X.X.X/24" also matches packets the box sends toward that network, and a reply from any outside ssh/https server (source port 22/443) to a session the SRX itself started hits remote_mgmt_denied below and is discarded. "from source-address" and "from destination-port ssh"/"from destination-port https" are the tighter matches for traffic aimed at the box; confirm on the device before changing a working filter.
117 | set firewall family inet filter local_acl term remote_mgmt from address X.X.X.X/24 (THIS IS THE NETWORK YOU ARE GOING TO ALLOW ADD AS MANY AS NECESSARY) | |
118 | set firewall family inet filter local_acl term remote_mgmt from protocol tcp | |
119 | set firewall family inet filter local_acl term remote_mgmt from port ssh | |
120 | set firewall family inet filter local_acl term remote_mgmt from port https | |
121 | set firewall family inet filter local_acl term remote_mgmt then accept | |
122 | set firewall family inet filter local_acl term remote_mgmt_denied from protocol tcp | |
123 | set firewall family inet filter local_acl term remote_mgmt_denied from port ssh | |
124 | set firewall family inet filter local_acl term remote_mgmt_denied from port https | |
#"log" goes to the in-memory firewall log (show firewall log) and is lost on reboot; add "then syslog" as well if rejected management attempts must reach the central syslog server.
125 | set firewall family inet filter local_acl term remote_mgmt_denied then log | |
126 | set firewall family inet filter local_acl term remote_mgmt_denied then discard | |
127 | ||
#Everything not matched above (IKE, ping, routing protocols, DHCP replies, ...) falls through to accept: this filter is only an ssh/https allow-list. Which other services the box answers on untrust is still decided by the host-inbound-traffic lines in the zone config.
128 | set firewall family inet filter local_acl term default-term then accept | |
#Binding the filter to lo0 as input applies it to all traffic destined for the device itself, regardless of which interface it arrived on.
129 | set interfaces lo0 unit 0 family inet filter input local_acl | |
130 | set interfaces lo0 unit 0 family inet address 127.0.0.1/32 | |
131 | ||
132 | #If you do an IKE VPN you'll need to make these changes | |
#Removing https from remote_mgmt_denied means external https to the box is no longer discarded by the filter; it falls through to default-term accept. That is only safe because the "Further lockdown" section below removes the https web-management listener from fe-0/0/0.0 - do both in the same commit.
133 | delete firewall family inet filter local_acl term remote_mgmt from port https | |
134 | delete firewall family inet filter local_acl term remote_mgmt_denied from port https | |
135 | ||
136 | #Resource cleanup | |
#dhcp and tftp are removed from what untrust may reach on the box; ping is left on so the WAN side can be tested. Drop ping too if the customer does not need the external address to answer echo requests.
137 | delete security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services dhcp | |
138 | delete security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services tftp | |
139 | set security zones security-zone untrust interfaces fe-0/0/0.0 host-inbound-traffic system-services ping | |
140 | ||
141 | #Further lockdown and security cleanup (remove the ability to connect to https externally also to not interfere with SSL VPN) | |
#After this, external management is ssh only, gated by local_acl; verify with a connection test from outside the allowed network before saving the rescue config.
142 | delete system services web-management https interface fe-0/0/0.0 | |
143 | ||
144 | #Set inactivity-timeout | |
#Idle timeout in seconds for sessions matching that junos-* application. Tune it per service rather than leaving long defaults everywhere: idle sessions hold session-table entries and keep stale access open.
145 | set applications application junos-[xxxx] inactivity-timeout [seconds] |