Juniper Mx / M series url blocking without license for http traffic.

Steps for url blocking without license for http traffic:


1.     Create URL pattern (eg: youtube-block, url, Fb1)


set security utm custom-objects url-pattern youtube-block value "http://www.youtube.com/watch?v=n3sYq4Y9hIQ"
set security utm custom-objects url-pattern url value "http://www.youtube.com/watch?v=LX0Ced3G5eg"
set security utm custom-objects url-pattern Fb1 value "http://www.facebook.com/rajesh.achari.75?sk=wall"
set security utm custom-objects url-pattern Fb1 value http://www.facebook.com/king.rajesh.921
set security utm custom-objects url-pattern Fb1 value "https://www.facebook.com/king.rajesh.921?fref=ts"
set security utm custom-objects url-pattern Fb1 value "http://www.facebook.com/jaihomullichodbaba?ref=profile"
set security utm custom-objects url-pattern Fb1 value "http://www.facebook.com/manoj.kaushal.7121?fref=ts"

2.       Add the url (youtube-block, url, Fb1) to category-list (youtube-block-custom)

set security utm custom-objects custom-url-category youtube-block-custom value youtube-block
set security utm custom-objects custom-url-category youtube-block-custom value url
set security utm custom-objects custom-url-category youtube-block-custom value Fb1

3.       Call youtube-block-custom list to blacklist:

set security utm feature-profile web-filtering url-blacklist youtube-block-custom


4.       Define web-filtering type as juniper-local (it will check its local database for urls, since we are not using any web-filtering license)

set security utm feature-profile web-filtering type juniper-local

5.       Create utm-policy (eg; web-block)

set security utm utm-policy web-block web-filtering http-profile junos-wf-local-default
set security utm utm-policy web-block traffic-options sessions-per-client over-limit log-and-permit


6.       Apply it in security policy (for source-address 203.129.209.9)

set security policies from-zone Trust-Customer-LAN to-zone Untrust-WAN policy test-policy match source-address 203.129.209.9
set security policies from-zone Trust-Customer-LAN to-zone Untrust-WAN policy test-policy match destination-address any
set security policies from-zone Trust-Customer-LAN to-zone Untrust-WAN policy test-policy match application any
set security policies from-zone Trust-Customer-LAN to-zone Untrust-WAN policy test-policy then permit application-servicesutm-policy web-block

Web Filtering solutions for juniper

There are three types of Web Filtering solutions:

1) Integrated Web Filtering:  This solution intercepts every HTTP request in a TCP connection. Then device identifies the category of a URL either from user-defined categories or from a category server (Surf Control Content Portal by Websense)

2) Redirect Web Filtering: This solution intercepts HTTP requests and sends them to an external URL filtering server (websense) to determine if URL is to be blocked or not

3) Local web filtering: This solution intercepts every HTTP request and device looks up a URL to determine if it is in the whitelist or blacklist based on its user-defined category.
*TIP: Web filtering profiles or antivirus profiles or both can be applied to a firewall policy.  If both applied, web filtering is applied first and then antivirus is applied. If URL is blocked, TCP connection is closed and no antivirus scanning is performed.

Configuring Integrated Web Filtering Custom Objects


[edit security utm custom-objects]
root@host# show
url-pattern {
    url-list-1 {
        value http://www.example.com;
    }
    url-list-black {
        value [ http://www.example2.com 7.7.7.7 ];
    }
    url-list-white {
        value [ http://www.example3.com 1.1.1.1 ];
    }
}
custom-url-category {
    cust-list-1 {
        value url-list-1;
    }
    cust-list-black {
        value url-list-black;
    }
    cust-list-white {
        value url-list-white;
    }
} Feature Profile
[edit security utm]
root@host# show feature-profile
web-filtering {
    url-whitelist cust-list-white;
    url-blacklist cust-list-black;
    type juniper-local;
    surf-control-integrated {
        cache {
            timeout 1700;
            size 500;
        }
        server {
            host surfcontrol.surfcontrol.com;
        }
        profile surfprofile1 {
            category {
                cust-list-1 {
                    action block;
                }
            }
            default block;
            custom-block-message “***ACCESS DENIED***”;
            fallback-settings {
                default block;
                server-connectivity block;
                timeout block;
                too-many-requests block;
            }
            timeout 10;
        }
    }
}
UTM Policy
[edit security utm]
root@host# show | find utm-policy
utm-policy utm-pol1 {
    web-filtering {
        http-profile surfprofile1;
    }
}

Wan Optimizer

Wan Optimizer 



Wan optimizer will do the compression of TCP/IP packet and send out to router interface (gig/ethernet)
in this devices we need to priorities the subnet( Means statically define the subnets which need to be compressed on the box.eg: Data basic and important subnet etc.....)

Mode of working :- inline mode


PFA for network Diagram

HP MSR 2003 configuration for IPSEC SITE TO SITE VPN

 IPSEC SITE TO SITE VPN IN HP MSR 2003

Acl for allowing the traffic for IPSEC tunnel for DR and DC site

#
acl number 3001 name IPSEC-ACL-D1 match-order auto
 rule 0 permit ip source 172.30.12.0 0.0.0.255 destination 172.16.3.0 0.0.0.255
#
acl number 3002 name IPSEC-ACL-D2 match-order auto
  rule 0 permit ip source 172.30.12.0 0.0.0.255 destination 172.16.3.0 0.0.0.255
#
------------------------------------------------IPSEC Configuration---------------------------------------------------------------

#
 ipsec anti-replay window 1024
 ipsec sa global-duration time-based 86400
 ipsec sa idle-time 120
#
ipsec transform-set test                          IPSEC Transform-set
 esp encryption-algorithm des-cbc
 esp authentication-algorithm sha1
#
ipsec policy-template test 1            Site 1 configuration 
 transform-set test
 security acl 3001                           ACL linking with Ipsec policy 
 remote-address 172.16.20.1         Remote Peer
 reverse-route dynamic                   Dynamically Router will generate static routes for this path
 reverse-route tag 1980              
#
ipsec policy-template test 2           Site 2 configuration
 transform-set test
 security acl 3002
 remote-address 172.16.120.5
 reverse-route dynamic
 reverse-route tag 1981
#
ipsec policy test 10 isakmp template test
#
ike proposal 1
 encryption-algorithm 3des-cbc
#
ike proposal 2
 encryption-algorithm 3des-cbc
#
ike keychain test                           Preshared Keys  for both sites 
 pre-shared-key address 172.16.20.1 255.255.255.255 key cipher $c$3$nxjzSsXFLYV9STbF4Q/SPuflAecjGCqegMpjPZF661JHEAo35g==
 pre-shared-key address 172.16.120.5 255.255.255.255 key cipher $c$3$Om1IkIRIu9aRYXa6iMfpf/jXMQXlQKbcE0TeZBjqih2YgPbRVw==

Interface serial 3/0

ipsec apply policy test1                          Ipsec applied on to interface 

CISCO SLA = HP NQA

Cisco SLA configuration Link

http://learningmynetworks.blogspot.in/2013/01/cisco-ip-sla-is-function-of-ciscos-ios.html


Hp Network Quality Analyzer

(NQA) analyzes network performance, services and service quality through

sending test packets, and provides you with network performance and service quality parameters

such as delay jitter, TCP connection delay, FTP connection delay and file transfer rate.

With the NQA test results, you can:

1) Know network performance in time and then take corresponding measures.

2) Diagnose and locate network faults.

At present, NQA supports ten test types: ICMP echo, DHCP, DNS, FTP, HTTP, UDP jitter, SNMP, TCP,UDP echo and DLSw.

In an NQA test, the client sends different types of test packets to the peer to detect the availability and

the response time of the peer, helping you know protocol availability and network performance based

on the test results.

If I want to just send ICMP from one device to another, continuously...

nqa client enable

nqa entry admin icmp

 type icmp-echo

  destination ip 68.191.191.242

  frequency 5000

  history-record enable

  history-record number 10

  probe count 10

  probe timeout 500

 nqa schedule admin icmp start-time now lifetime forever and here is what a display looks like:

[NQA]display nqa res admin icmp

  NQA entry(admin admin, tag icmp) test results:

    Destination IP address: 68.191.191.242

      Send operation times: 10             Receive response times: 10

      Min/Max/Average round trip time: 2/3/2

      Square-Sum of round trip time: 65

      Last succeeded probe time: 2007-01-02 05:11:02.7

    Extended results:

      Packet lost in test: 0%

      Failures due to timeout: 0

      Failures due to disconnect: 0

      Failures due to no connection: 0

      Failures due to sequence error: 0

      Failures due to internal error: 0

      Failures due to other errors: 0

      Packet(s) arrived late: 0

and using the history:

[NQA]dis nqa hist admin icmp

  NQA entry(admin admin, tag icmp) history record(s):

    Index      Response     Status           Time

    1070       2            Succeeded        2014-01-02 05:11:32.7

    1069       3            Succeeded        2014-01-02 05:11:32.7

    1068       2            Succeeded        2014-01-02 05:11:32.7

    1067       2            Succeeded        2014-01-02 05:11:32.7

    1066       2            Succeeded        2014-01-02 05:11:32.7

    1065       3            Succeeded        2014-01-02 05:11:32.7

    1064       2            Succeeded        2014-01-02 05:11:32.7

    1063       2            Succeeded        2014-01-02 05:11:32.7

    1062       2            Succeeded        2014-01-02 05:11:32.7

    1061       3            Succeeded        2014-01-02 05:11:32.7

Juniper Configuration Like (show running configuration) Root@SRX-My_config-# show | display set | no-more

root@SRX-Muconfig-# show | display set | no-more

set version 11.4R7.5 (SRX version)
set system host-name SRX--ISP
set system time-zone Asia/Calcutta
set system root-authentication encrypted-password "$1$2yUNAp4N$STWilCvDlJib3r6Gy/sYL1"
set system name-server 08.7.222.222
set system name-server 08.7.220.220
set system name-server 03.29.222.21
set system name-server 03.9.222.23
set system name-server 20.4.6.60

Login

set system login message "U R WELCOME IF AUTHORIZED"
set system login user admin uid 2000
set system login user admin class super-user
set system login user admin authentication encrypted-password "Pd"
set system login user test uid 2001
set system login user test class super-user
set system login user test authentication encrypted-password "$1$wVZiqCwX$XBrK/mNqBnJID6webCtge0"

Services

set system services ssh
set system services telnet
set system services xnm-clear-text

Web Management commands

set system services web-management http interface ge-0/0/1.0
set system services web-management http interface ge-0/0/2.0
set system services web-management http interface ge-0/0/3.0
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/1.0
set system services web-management https interface ge-0/0/2.0
set system services web-management https interface ge-0/0/3.0

Default DCHP will be enabled for Management interface

set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2
set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254
set system services dhcp pool 192.168.1.0/24 router 192.168.1.1
set system services dhcp pool 192.168.1.0/24 propagate-settings ge-0/0/0.0
set system services dhcp pool 192.168.2.0/24 address-range low 192.168.2.2
set system services dhcp pool 192.168.2.0/24 address-range high 192.168.2.254
set system services dhcp pool 192.168.2.0/24 router 192.168.2.1
set system services dhcp pool 192.168.2.0/24 propagate-settings ge-0/0/0.0
set system services dhcp pool 192.168.3.0/24 address-range low 192.168.3.2
set system services dhcp pool 192.168.3.0/24 address-range high 192.168.3.254
set system services dhcp pool 192.168.3.0/24 router 192.168.3.1
set system services dhcp pool 192.168.3.0/24 propagate-settings ge-0/0/0.0

Syslog

set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval


NTP

set system ntp server 22.162.2.12
set system ntp server 204.15.18.72


Interface assigning vlan and Tagging the port with Vlans

family inet :- Is default routing table for IPV4

set interfaces ge-0/0/0 unit 0
set interfaces ge-0/0/1 description toswitch
set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/1 unit 1 vlan-id 1
set interfaces ge-0/0/1 unit 1 family inet address 192.168.2.2/28'

set interfaces ge-0/0/1 unit 2 vlan-id 2
set interfaces ge-0/0/1 unit 2 family inet address 0.0.0.0.33/29

set interfaces ge-0/0/1 unit 3 vlan-id 3
set interfaces ge-0/0/1 unit 3 family inet address 0.0.0.0.49/29
set interfaces ge-0/0/2 unit 0 family inet address 192.168.2.1/24
set interfaces ge-0/0/3 unit 0 family inet address 192.168.3.1/24

set interfaces ce1-7/0/0 e1-options framing unframed
set interfaces ce1-7/0/0 no-partition interface-type e1
set interfaces e1-7/0/0 unit 0 family inet filter output block-sites
set interfaces e1-7/0/0 unit 0 family inet address 0.0.0.0.21/30

set interfaces lo0 unit 0 family inet address 0.0.0.0.254/32
set interfaces lo0 unit 0 family inet address 0.0.0.0.253/32


Static route

set routing-options static route 0.0.0.0/0 next-hop 0.0.0.0.22
set routing-options static route 0.0.0.0.0/24 discard
set routing-options static route 0.0.0.0.0/24 preference 250

BGP

set routing-options autonomous-system 7633

BGP external peer

set protocols bgp group REL-GRP type external
set protocols bgp group REL-GRP description "[[isp]]"
set protocols bgp group REL-GRP neighbor 0.0.0.0.22 multihop ttl 10
set protocols bgp group REL-GRP neighbor 0.0.0.0.22 export isp-Customer-via-RELI
set protocols bgp group REL-GRP neighbor 0.0.0.0.22 peer-as 18101

Route-map

set policy-options policy-statement Madurai-Customer-via-REL term 1 from route-filter 0.0.0.0.0/24 orlonger
set policy-options policy-statement i-Customer-via-REL term 1 then accept
set policy-options policy-statement i-Customer-via-REL term 2 from protocol bgp
set policy-options policy-statement i-Customer-via-REL term 2 then reject

IDS SRX

set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land

Zone

set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit

set security policies default-policy permit-all:-    This SRX box will be like router because we are allow all the traffic 

set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/2.0
set security zones security-zone trust interfaces ge-0/0/3.0
set security zones security-zone trust interfaces e1-7/0/0.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces e1-7/0/0.0 host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.1 host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/1.2 host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/1.3 host-inbound-traffic system-services all

set security zones security-zone untrust screen untrust-screen

set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services tftp

Filter list

set firewall family inet filter block-sites term 1 from source-address 0.0.0.0.0.34/32
set firewall family inet filter block-sites term 1 from source-address 0.0.0.0.0.32/32
set firewall family inet filter block-sites term 1 from source-address 0.0.0.0.0.25/32
set firewall family inet filter block-sites term 1 from source-address 0.0.0.0.0.107/32
set firewall family inet filter block-sites term 1 from source-address 0.0.0.0.0.106/32
set firewall family inet filter block-sites term 1 from source-address 0.0.0.0.0.6/32
set firewall family inet filter block-sites term 1 from source-address 0.0.0.0.0.36/32
set firewall family inet filter block-sites term 1 from source-address 64.94.235.124/32
set firewall family inet filter block-sites term 1 from source-address 210.118.213.21/32
set firewall family inet filter block-sites term 1 then discard
set firewall family inet filter block-sites term 2 then accept

Default configuration for HP MSR 2003 Router (Firmware 7)

Default configuration for MSR 2003 Router (Firmware 7)



 ===============display current-configuration===============
#

 version 7.1.041, ESS 0006

#

 sysname HP

#

 password-recovery enable

#

vlan 1

#

controller Cellular0/0

#

interface Aux0

#

interface NULL0

#

interface GigabitEthernet0/0

 port link-mode route

 shutdown

#

interface GigabitEthernet0/1

 port link-mode route

 shutdown

#

 scheduler logfile size 16

#

line class aux

 user-role network-admin

#

line class tty

 user-role network-operator

#

line class vty

 user-role network-operator

#

line aux 0

 user-role network-admin

#

line vty 0 63

 user-role network-operator

#

domain system

#

 aaa session-limit ftp 16

 aaa session-limit ssh 16

 aaa session-limit telnet 16

 domain default enable system

#

role name level-0

 description Predefined level-0 role

#

role name level-1

 description Predefined level-1 role

#

role name level-2

 description Predefined level-2 role

#

role name level-3

 description Predefined level-3 role

#

role name level-4

 description Predefined level-4 role

#

role name level-5

 description Predefined level-5 role

#

role name level-6

 description Predefined level-6 role

#

role name level-7

 description Predefined level-7 role

#

role name level-8

 description Predefined level-8 role

#

role name level-9

 description Predefined level-9 role

#

role name level-10

 description Predefined level-10 role

#

role name level-11

 description Predefined level-11 role

#

role name level-12

 description Predefined level-12 role

#

role name level-13

 description Predefined level-13 role

#

role name level-14

 description Predefined level-14 role

#

user-group system

#

local-user admin class manage

 password hash $h$6$Fn+Tu4Z6OBBO4yE3$6tnCCZDJnXCtk+YZBP4GUmmil0ZjaYWVGKl7QqgdDDK0MM7sivXLDdRRQYP57K6C2Rx3kVvAtC270WyjD2yWcg==

 service-type ssh telnet terminal http https

 authorization-attribute user-role network-operator

#

return

3COM Comware 5 to HP Comware 7 (Not changed much)

Doing the Testing on Comware 7, Will update ...............

===============display version===============  

HP Comware Software, Version 7.1.041, ESS 0006

Copyright (c) 2010-2013 Hewlett-Packard Development Company, L.P.

HP MSR2003 uptime is 0 weeks, 0 days, 1 hour, 48 minutes

Last reboot reason : Power on

Boot image: flash:/msr2000-cmw710-boot-e0006.bin

Boot image version: 7.1.041, ESS 0006

System image: flash:/msr2000-cmw710-system-e0006.bin

System image version: 7.1.041, ESS 0006

Feature image(s) list:

  flash:/msr2000-cmw710-security-e0006.bin, version: 7.1.041  -------------Bin files for security feature (Need to take licenses)  

  flash:/msr2000-cmw710-voice-e0006.bin, version: 7.1.041  ------------------ For voice feature (Need to take licenses) 

  flash:/msr2000-cmw710-data-e0006.bin, version: 7.1.041 ------------------- Data feature(default )

CPU ID: 0x1

1G bytes DDR3 SDRAM Memory

2M bytes Flash Memory

PCB               Version:  3.0

CPLD              Version:  2.0

Basic    BootWare Version:  1.05

Extended BootWare Version:  1.05

[SLOT  0]AUX                       (Hardware)3.0    (Driver)1.0,   (Cpld)2.0

[SLOT  0]GE0/0                     (Hardware)3.0    (Driver)1.0,   (Cpld)2.0

[SLOT  0]GE0/1                     (Hardware)3.0    (Driver)1.0,   (Cpld)2.0

[SLOT  0]CELLULAR0/0               (Hardware)3.0    (Driver)1.0,   (Cpld)2.0

================================================

Notes on Access point (HP)

Useful Notes on Access point (HP)

The WA2110, WA2220-AG, WA2110-AG, WA2612-AGN, WA2620-AGN, WA2620E-AGN Access Points are not supported as FAT Standalone APs outside of China, therefore, no FAT software is currently provided for those devices.

The FIT code for any of the Access Points mention above will be found under the Active Controller used to support them in managed mode (i.e. WX3000, WX5002, WX5004, 7500/7900 wireless module, S5800 (small or large) blade). This software should include the Active Controller Main.bin (operational code) but also all the FIT binary files allowing the control of all H3C FIT AP.The only HP H3C APs supporting both FAT and FIT mode are the AP9552 (JD019A) and AP9152 (JD019A).