Read here {http://www.rsivanandan.com/2010/01/24/documentation-for-juniper-devices/}

There is a much better way if you use Firefox. There is a search plug-in that you could use to integrate it with Firefox and have the term/configuration you want directly from the browser.

Can’t wait to get it? Head straight to http://kb.juniper.net and below right hand corner, you can see ‘Install Search Plug-in’.

Install it and there you have it;

An example page that I searched was looking as below;

Have fun…

First create a custom service to address the PPTP requirement (This is Microsoft windows specific);

set service CustomPPTP group "other" 47 src 2048-2048 dst 2048-2048

set service CustomPPTP + tcp src 0-65535 dst 1723-1723

The first line above creates a custom service named “CustomPPTP” with protocol number 47 (GRE) with source/destination port as 2048.

The second line adds to the same service for PPTP (port 1723 TCP).

Then the next step would be to NAT the internal PPTP server to publically accessible server using a public ip address. Here we’d use the same address assigned on the untrust interface (single public ip available scenario);

set vip multi-port

set interface ethernet0/0 vip 2048 CustomPPTP 10.1.1.10

The first line above states that it is a multi-port VIP. Normally a VIP listens only on a single port, if a single ip address is used and you want to have multiple ports forwarded, multi-port VIP is needed.

The second line above sets a VIP for port 2048 for the internal server (PPTP Server) 10.1.1.10 (assuming the ip of the internal PPTP server to be this).

almost done; the only thing pending is a policy to allow traffic to pass through this condition;

set policy from untrust to trust "any" "VIP::1" "CustomPPTP" permit

The above policy allows any machine from untrust zone (internet) to connect to VIP address (trust zone) for the service “CustomPPTP”.

Just save the configuration and you should have it working just fine…

Juniper KB Link

UTM feature (Unified Threat Management) is integrated into SRX devices. So in order to block a site(s);

1. First create a custom block lists to contain the websites that you want to block.

custom-objects {
    url-pattern {
            badsite {
                    value www.facebook.com;
            }
            addictivesite {
                            value www.twitter.com;
            }
}
    custom-url-category {
        bad-sites {
            value [ addictivesite badsite ];
        }
    }
}

As you can see, the custom URL category block list above contains the site ‘www.facebook.com’ and ‘www.twitter.com’ and based on the preferences time-eating sites like facebook/twitter/myspace etc can be used in here. Again, the advantage is that it doesn’t deal with ip addresses and hence very effective how many ever servers are hosted around the world.

2. Then create a web filtering policy to allow the traffic after screening the type/site to which the traffic is going to, as below;

policies {
    from-zone trust to-zone untrust {
        policy utm {
                match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
        then {
                permit {
                    application-services {
                                            utm-policy wf-block-specfic-categories;
                                        }
                        }
                    }
                }
            }
        }
utm {
    feature-profile {
        web-filtering {
            url-blacklist bad-sites; #This causes sites in the bad-sites category to be blocked

utm-policy wf-block-specfic-categories {
    web-filtering {
        http-profile block-selected-sites;
                }
        }
}

Along with this, SRX also supports usage of ‘Custom Block Messages’ and also make this time bound. Say if you don’t want to block it completely but just block it during business hours that is possible too by scheduling policies.

Assuming that your wireless network is your trusted network and you want to have this network use untrust ip address to be used (natted) while going to internet or other networks.

   1: set interface "wireless0/0" zone "Trust"

   2: set interface wireless0/0 ip 192.168.2.1/24

   3: set interface wireless0/0 nat

   4: set interface wireless0/0 ip manageable

   5: set interface wireless0/0 dhcp server service

   6: set interface wireless0/0 dhcp server auto

   7: set interface wireless0/0 dhcp server option gateway 192.168.2.1

   8: set interface wireless0/0 dhcp server option netmask 255.255.255.0

   9: set interface wireless0/0 dhcp server option domainname mycompany.com

  10: set interface wireless0/0 dhcp server option dns1 192.168.20.20

  11: set interface wireless0/0 dhcp server option dns2 192.168.128.50

  12: set interface wireless0/0 dhcp server ip 192.168.2.33 to 192.168.2.126

  13: unset interface wireless0/0 dhcp server config next-server-ip

  14: set ssid WLAN interface wireless0

1 –> sets the interface wireless0/0 in Trust Zone.

2 –> sets the IP address on the wireless interface.

3 –> sets the wireless interface mode to nat.

4 –> sets the wireless interface manageable (ping/ssh/web etc).

5 –> tells the dhcp server service to be ON on wireless interface.

6 to 13 –> sets the different network IP parameters to be used by DHCP Server service.

14 –> defines the SSID to which the users should connect.

Note that this hasn’t specified any wireless encryption part here. This is intended to be a simple post.

1. The first one is the rack it up, connecting the cables and power it up.

2. Then login to the router using the console port of the router (usually in the front).

3. Juniper Router does provide you the Management interface to be either a specific management port or a general port on it. Wouldn’t go into the details of it

4. Setup the IP address for the Management port.

5. Enable the needed access from network to the box itself.

After these steps, you essentially have the router up and running on the router, on which you can do your necessary configuration. I intend to cover them later across multiple posts.

So now to action; 1 & 2 is fairly straight forward and lets look at 3;

The Management Port is usually “fxp0” on the router – Specific Management Port (Out-Of-Band Management)

Or you can use one of your normal ports like “ge0/0/0” for the Management (In-Band Management).

First part is to assign an IP address to the management port:-

   1: root@PE3-MX480% cli

   2:  

   3: root@PE3-MX480> configure 

   4: [edit]

   5: root@PE3-MX480# set interfaces fxp0 unit 0 family inet address 192.168.1.1/24

   6:  

Enabling Remote Access:- There are different protocols available, mainly SSH/Telnet/HTTP

So to enable these protocols on the management interface; follow this;

   1: set system services ssh

   2:  

   3: set system services ssh root-login allow

   4: set system services ssh protocol-version v1

   5: set system services ssh protocol-version v2

   6:  

   7: set system services telnet

   9:  

  10: set system services web-management http

As you can see, all SSH/Telnet and HTTP access is enabled and also you can see how to enable root login via SSH (By default not allowed).

After you configure all these, you have the access to this box via these protocols from the local network. You can verify it by issuing the command;

root@PE3-MX480> show configuration | display set

OR

root@PE3-MX480> show configuration (this should show the configuration in a C like syntax styled fashion)

   One of the best part about Microsoft and Cisco are not just the

products but supporting documentation as well, it is vast and a lot of configuration examples with actual configuration samples.

If you want to load something on to a brand new Cisco device, just Google and just Copy&Paste would take care of minimal configuration and just modification would bring it up in minutes.

Unfortunately the problem with Juniper Documentation is that they can’t match that much of the results from other vendors. For example if I have to learn about NSRP knowledge base and if you just type ‘nsrp’ onto Google, you’ll get a max of 3 or 4 search results that are relevant and even if you get it, it’ll be the basic ‘how to configure kind of stuff’. On the other hand, if you use Google’s advanced searching mechanism, you’ll get much better results on the subject you’re searching. For example;

nsrp site:kb.juniper.net

The above search would yield only the results from Juniper KB site and would have a wide variety of information lined up for you to dig on.

While this is the true for all vendor’s documentation, I just wanted to emphasize the usage of ‘kb.juniper.net’ instead of ‘www.juniper.net’, because there is a difference

  Based off the Glassdoor.com surveys from the employee’s themselves of each company, Juniper Networks’ ranks the first!

Got this snippet from { Here }

  One difference about glassdoor compared to all other predictions is that these are derived by anonymous input’s from the respective organizations itself.

{ Click Here to get it }

Though it is a comparison with FG – 224B, you can pretty much see the plus points that comes with Juniper SSG series of Firewalls.

      2009 Information Security/SearchSecurity.com Readers’ Choice awards are announced and guess what; Juniper Won the best security solution awards in the following categories;

• Intrusion Prevention:   Gold Award   : Juniper IDP Series
• NAC                            :   Gold Award   : Juniper Networks Unified Access Control
• Remote Access       :    Silver Award : Juniper Networks SA Series SSL VPN Appliances

Last year Juniper was named a finalist in five categories and won an award in each category, including Authentication, NAC, Network Firewalls, Remote Access and UTM. Juniper SSG, ISG and SA SSL VPN won Gold awards.  UAC won a Silver award. Juniper Steel-Belted Radius, NetScreen and SSG won Bronze awards.

Way to go Juniper! If you look at Juniper’s Security Market/Products, the solutions have been there in the market only for a few years now, but still they made through and take on the long-timers now!

The latest information on Juniper’s success in diversified segments of market is the ‘Ethernet Platforms’.  Despite the recession;

Quarter over Quarter, pretty steady growth and as per Mike Banic, VP at Juniper Networks for Product Marketing “Based on the companies covered in the Dell’Oro report, over the past five quarters of revenue shipments, Juniper has grown its EX Series switch revenue faster than any enterprise Layer 2/Layer 3 switch vendor entering the market in the previous decade,”

Full News at Yahoo

Some interesting facts if we look back, Juniper had a wide variety of products and what was lacking in the portfolio was a ‘complete solution’, the switches. I used to wonder why haven’t they started a BU around this and based on the reputation and more importantly people like choices – it would only seem imperative that they need to have done this couple of years back and of course it would be a huge investment, can’t discount for that.

Instead of a vendor setting standards and price tags, a customer always would prefer a choice of vendors where he get to make the calls!

Great going Juniper…

At this point, something of strange nature is that the EVP of Ethernet Platforms Group at Juniper, Hitesh Sheth – moved over to Aruba to take a position of COO. This would be the first position at Aruba, a COO!

Full News at bizjournals

I think it is not of much attention that there are many e-Learning courses available from Juniper FREE of cost. Mostly it is either advised by SE’s or some product road shows. Otherwise, Juniper lacks the publicity that Cisco and MSFT has been carrying over for a long period on eLearning.

So to let people know, Juniper does offer some eLearning programs on Enterprise Routing, Enterprise Switching, Security etc.

Also one of the interesting training would be the Intrusion Prevention training which can be accessed here. [Click]

Click on the picture above to check out all the available courses.

The latest report on performance from Miercom on Enterprise segment Firewalls goes as this; for real world HTTP (web 2.0) simulated traffic;

While this is a performance evaluation of the box by itself, some time back NetworkWorld tested SSG 500 series firewalls from Juniper and it topped the converged security solutions. Which means UTM (Unified Threat Management) next generation firewalls.

Also note that the firewall involved in Miercom’s testing is ‘NS-5200’, which is based on Netscreen architecture, the latest firewalls are much more efficient (hardware wise) and runs on Juniper architecture! I guess, when a test is performed and some one picks ASA-5580 which is pretty latest, the Juniper gear also should’ve been the latest (from SSG/ISG series)

So what does it mean for a customer looking at the market?

Real-World HTTP throughput tops in Cisco’s ASA 5580, instead if you’re looking for a box which can do Integrated stuff (IPS, AV, AntiSpam, Network Access Control) then the answer seems to be Juniper Firewalls. It is a tough choice again based on your switch ports you want to protect vs additional security that you want in one box.

Personally, I’m a fan of both of the boxes and both has its flexibility. After being configuring for almost 6-7 years the Cisco Gear, now I’ve been working on Juniper gear for last 2 years. But this 2 years made me like the Juniper security solutions as well. The reason, policy driven traffic management and support for WAN drops directly onto the firewall (remember, I worked mostly on PIX firewalls which only has 1 outside interface with Ethernet support).

Links to read :

Miercom Full Report :

http://6200networks.com/wp-content/uploads/docs/miercom_cisco_asa_5580.pdf

NetworkWorld Full Report : http://www.networkworld.com/reviews/2006/020606-juniper-ssg-test.html

One of the feature that you can achieve using rules in policies on a Juniper Firewall is conditional pass through of traffic. What I mean by that is, to first authenticate the user and if you want that user to access what he is trying then, allow/disallow the traffic; More as an example;

set policy id 1 from Trust to Untrust any any HTTP permit log

The above command would allow any user from the Trust zone to access HTTP resources on the Untrust side of the firewall. Now say I want to allow only one user ; In that case I can setup an authentication prior to allowing that connection in the same *ONE* line policy as below; For the example I’m going to use a ‘user’ created locally on the firewall, however integration to external authentication server is very well supported in Juniper Firewalls.

set user <username> password <password>

set user <username> enable

set policy id 1 from Trust to Untrust any any HTTP permit auth user <username> log

The above 3 lines does the job for you. So as you know, multiple services/multiple users can go in there on a single rule. Only after the authentication, the user is allowed to access the resource. One of the very simplified approach!

The following is a working example screen-shot of a telnet session by double authentication (one on the firewall and the other on the actual telnet server).

A Telnet Session using Policy Based Authentication (Red box displays the first level of auth done at firewall, Blue box displays the actual telnet authentication)

The relevant firewall configuration used for this is as below;

   1: set user rsivanandan password password

   2: set user rsivanandan enable

   3:  

   4: set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "TELNET" permit auth server "Local" user "rsivanandan" log

Advantage of having this? I’ve seen environment where in a same username is used by different persons in the organization to login and access data. Here, we have only one authentication method and there is no way of finding out who actually logged in. If Policy Based Authentication is implemented, then controlled access can be done, as well if the username/password is integrated in the firewall policy (think of External User Database).

Then we know who accessed the data last – ACCOUNTABILITY

An evaluation of Junipers newly launched EX Series switch underwent tests for industry conformance and you can find it at Network World;

The verdict: This is one fast box. The EX 4200 delivered line-rate throughput in every case, the only switch we’ve tested this year to do so. What’s more, 10G Ethernet latency is the lowest we’ve ever measured. We also were impressed by the EX 4200′s feature set and powerful JUNOS command-line interface (CLI).

Further Read – Full set of tests run against the switch…

Juniper Firewalls can be configured in Nat/Route mode or Transparent mode, in simple terms L3 or L2 mode.

L3 :: Pure route mode where all the interfaces bear ip addresses and routing is run.

L2 :: Pure layer2 mode where all the interfaces are pass along and no ip addresses.

There is a 3rd mode which can be configured and is Mixed Mode. Say the situation demands, one of the network to be in transparent mode and others in nat/route mode.

A typical example is if you have the Firewall connected to different networks and at the same time you want to have 2 ports receive dhcp assigned ip addresses (I have this config at desk since I maintain a VPN network for testing. On the other hand on my desk I have my laptop and desktop both of which gets corporate dhcp leased ip addresses. So I have configured the SSG-20 in this mode).

   1: set interface "bgroup0" zone "Trust"

   2: set interface bgroup0 port ethernet0/2

   3:  

   4: The above is connected to a network which is routed

   5:  

   6: set interface "bgroup1" zone "V1-Trust"

   7: set interface bgroup1 port ethernet0/0

   8: set interface bgroup1 port ethernet0/3

   9: set interface bgroup1 port ethernet0/4

  10:  

  11: The above is connected to a network which is transparent;

  12:  

  13: ethernet0/0 is connected to corporate network

  14: ethernet0/3 is connected to Desktop

  15: ethernet0/4 is connected to Laptop

  16:  

So both laptop and desktop gets ip addresses leased from corporate DHCP server (Bgroup1 acts as transparent)