Tuesday, February 11, 2014

Juniper configuration listing (the equivalent of "show running configuration"): root@SRX-My_config-# show | display set | no-more

root@SRX-Muconfig-# show | display set | no-more

set version 11.4R7.5 (SRX version)
set system host-name SRX--ISP
set system time-zone Asia/Calcutta
set system root-authentication encrypted-password "$1$2yUNAp4N$STWilCvDlJib3r6Gy/sYL1"
set system name-server 08.7.222.222
set system name-server 08.7.220.220
set system name-server 03.29.222.21
set system name-server 03.9.222.23
set system name-server 20.4.6.60

Login

set system login message "U R WELCOME IF AUTHORIZED"
set system login user admin uid 2000
set system login user admin class super-user
set system login user admin authentication encrypted-password "Pd"
set system login user test uid 2001
set system login user test class super-user
set system login user test authentication encrypted-password "$1$wVZiqCwX$XBrK/mNqBnJID6webCtge0"

Services

set system services ssh
set system services telnet
set system services xnm-clear-text

Web Management commands

set system services web-management http interface ge-0/0/1.0
set system services web-management http interface ge-0/0/2.0
set system services web-management http interface ge-0/0/3.0
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/1.0
set system services web-management https interface ge-0/0/2.0
set system services web-management https interface ge-0/0/3.0

Default DHCP will be enabled for the management interface

set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2
set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254
set system services dhcp pool 192.168.1.0/24 router 192.168.1.1
set system services dhcp pool 192.168.1.0/24 propagate-settings ge-0/0/0.0
set system services dhcp pool 192.168.2.0/24 address-range low 192.168.2.2
set system services dhcp pool 192.168.2.0/24 address-range high 192.168.2.254
set system services dhcp pool 192.168.2.0/24 router 192.168.2.1
set system services dhcp pool 192.168.2.0/24 propagate-settings ge-0/0/0.0
set system services dhcp pool 192.168.3.0/24 address-range low 192.168.3.2
set system services dhcp pool 192.168.3.0/24 address-range high 192.168.3.254
set system services dhcp pool 192.168.3.0/24 router 192.168.3.1
set system services dhcp pool 192.168.3.0/24 propagate-settings ge-0/0/0.0

Syslog

set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval


NTP

set system ntp server 22.162.2.12
set system ntp server 204.15.18.72


Assigning interfaces to VLANs and tagging the port with VLANs

family inet :- the default routing table for IPv4

set interfaces ge-0/0/0 unit 0
set interfaces ge-0/0/1 description toswitch
set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/1 unit 1 vlan-id 1
set interfaces ge-0/0/1 unit 1 family inet address 192.168.2.2/28'

set interfaces ge-0/0/1 unit 2 vlan-id 2
set interfaces ge-0/0/1 unit 2 family inet address 0.0.0.0.33/29

set interfaces ge-0/0/1 unit 3 vlan-id 3
set interfaces ge-0/0/1 unit 3 family inet address 0.0.0.0.49/29
set interfaces ge-0/0/2 unit 0 family inet address 192.168.2.1/24
set interfaces ge-0/0/3 unit 0 family inet address 192.168.3.1/24

set interfaces ce1-7/0/0 e1-options framing unframed
set interfaces ce1-7/0/0 no-partition interface-type e1
set interfaces e1-7/0/0 unit 0 family inet filter output block-sites
set interfaces e1-7/0/0 unit 0 family inet address 0.0.0.0.21/30

set interfaces lo0 unit 0 family inet address 0.0.0.0.254/32
set interfaces lo0 unit 0 family inet address 0.0.0.0.253/32


Static route

set routing-options static route 0.0.0.0/0 next-hop 0.0.0.0.22
set routing-options static route 0.0.0.0.0/24 discard
set routing-options static route 0.0.0.0.0/24 preference 250

BGP

set routing-options autonomous-system 7633

BGP external peer

set protocols bgp group REL-GRP type external
set protocols bgp group REL-GRP description "[[isp]]"
set protocols bgp group REL-GRP neighbor 0.0.0.0.22 multihop ttl 10
set protocols bgp group REL-GRP neighbor 0.0.0.0.22 export isp-Customer-via-RELI
set protocols bgp group REL-GRP neighbor 0.0.0.0.22 peer-as 18101

Route-map

set policy-options policy-statement Madurai-Customer-via-REL term 1 from route-filter 0.0.0.0.0/24 orlonger
set policy-options policy-statement i-Customer-via-REL term 1 then accept
set policy-options policy-statement i-Customer-via-REL term 2 from protocol bgp
set policy-options policy-statement i-Customer-via-REL term 2 then reject

IDS SRX

set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land

Zone

set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
set security policies from-zone trust to-zone trust policy trust-to-trust match application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit

set security policies default-policy permit-all:-    This SRX box will behave like a plain router, because the default policy permits all traffic (nothing that misses the explicit zone policies above is dropped).

set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/2.0
set security zones security-zone trust interfaces ge-0/0/3.0
set security zones security-zone trust interfaces e1-7/0/0.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces e1-7/0/0.0 host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.1 host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/1.2 host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/1.3 host-inbound-traffic system-services all

set security zones security-zone untrust screen untrust-screen

set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services tftp

Filter list

set firewall family inet filter block-sites term 1 from source-address 0.0.0.0.0.34/32
set firewall family inet filter block-sites term 1 from source-address 0.0.0.0.0.32/32
set firewall family inet filter block-sites term 1 from source-address 0.0.0.0.0.25/32
set firewall family inet filter block-sites term 1 from source-address 0.0.0.0.0.107/32
set firewall family inet filter block-sites term 1 from source-address 0.0.0.0.0.106/32
set firewall family inet filter block-sites term 1 from source-address 0.0.0.0.0.6/32
set firewall family inet filter block-sites term 1 from source-address 0.0.0.0.0.36/32
set firewall family inet filter block-sites term 1 from source-address 64.94.235.124/32
set firewall family inet filter block-sites term 1 from source-address 210.118.213.21/32
set firewall family inet filter block-sites term 1 then discard
set firewall family inet filter block-sites term 2 then accept
