
set system services web-management https interface {ifname}

set system services web-management http interface {ifname}

set system services web-management https system-generated-certificate

http://junosgeek.blogspot.in/2013_08_01_archive.html

A firewall is a network security system designed to prevent unauthorized access to
or from a private network. Firewalls can be implemented in hardware, in software,
or as a combination of both.

Juniper SRX vs ScreenOS


The Juniper family of SRX Services Gateways are the replacement platforms
for the SSG platforms, the ISG 1000 and ISG 2000, as well as the NS 5000
Series (NS-5200 and NS-5400). The SRX family includes a set of branch
platforms (SRX210, SRX240 and SRX650) and the high-end platforms
(SRX3000 and SRX5000).

The SRX Series Services Gateways are high-performance security, routing
and network solutions for enterprises and service providers.

The entire line of SRX platforms runs Junos, a very powerful network operating
system that consolidates switching, routing, security and applications into a
single OS. Junos is very different from ScreenOS and, as such, places a
significant migration burden on Juniper, its customers and its partners.

SRX firewalls provide a wide variety of services: static packet filtering,
IDS/IPS, anomaly detection, VPN services, dynamic/stateful filtering, and
proxy server/ALG (application layer gateway) functions.

The SRX is a newer firewall/security product based on Junos and is the
successor to the ScreenOS-based SSG firewall. The SRX takes the features
of ScreenOS and transplants them into Junos, so the concepts are the same
for many features, including policies, zones, IPsec VPN, IDS and UTM.
The new features of the SRX are:
Dynamic VPN - Clientless or JunOS Pulse
Rule based NAT - Much less mind bending than ScreenOS
VOIP Support for SIP - Some models have voice ports
Captive Portal for NAC
What you will find is that the SRX gives "more bang for your buck" than the SSG. A
few of the things the SRX does better are:
Throughput - SSG140 300mbps vs SRX240 500mbps (IMIX figures)
Gigabit ports - SSG140 2 Gig ports vs SRX240 16 Gig ports
Route Capacity - SSG140 4,000 vs SRX240 32,000
The feature integration on the SRX Series is enabled by the Junos OS. By
combining the routing heritage of the Junos OS and the security heritage of
ScreenOS, the SRX Series is equipped with a robust list of features that
include firewall, intrusion detection and prevention (IDP), denial of service
(DoS) protection, Network Address Translation (NAT), and quality of service (QoS).

Session Maintenance
When a packet enters the system and does not match any existing session,
the Junos OS creates a new session based on routing and security policy
information. Once this new session is created, the software puts it into
a session hash table for further packet matching and processing. Depending
on the protocol and service (TCP or UDP), the session is programmed with a
default timeout. The default TCP timeout is 30 minutes and the default UDP
timeout is 1 minute; an application definition can override these values
per service.

Session Cleanup
If no traffic matches the session during the service timeout, the Junos OS
ages out the session and frees it to a common resource pool for later
reuse.

Session Run-Time Changes Propagation


The flow module is responsible for propagating any run-time changes that
happen during the lifetime of the session. This propagation allows new
packets that match the session to be forwarded using up-to-date information.
Routing run-time changes always propagate into the session. Security policy
run-time changes might propagate into a session in progress, depending on
the corresponding security policy configuration (the policy-rematch setting):
without it, an established session keeps forwarding under the policy it was
created with, even after that policy has been changed or deleted.
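As an added example (not from the original page), the Junos configuration below shows the two knobs behind the behaviour described in the Session Maintenance and Run-Time Changes sections: a custom application with a longer inactivity timeout for a long-lived TCP service, and policy-rematch, which makes security-policy changes apply to sessions already in progress. The zone names, the MailServer address-book entry and port 143 are assumed for illustration; the comment lines are explanatory and not part of the configuration.

```junos
# Added example, not from the original page. Zone, address and port values are assumed.

# 1. Override the default idle timeout for one service.
#    Junos ages out an idle TCP session after 30 minutes and a UDP session after
#    1 minute unless the matched application says otherwise. A long-lived IMAP
#    connection idle for more than 30 minutes would otherwise be dropped from the
#    session table and the client would have to reconnect.
set applications application imap-long-idle protocol tcp
set applications application imap-long-idle destination-port 143
set applications application imap-long-idle inactivity-timeout 3600

# The custom timeout only takes effect for sessions created by a policy that
# matches this application, not one that matches "application any".
set security policies from-zone Untrust-Zone to-zone Trust-Zone policy Allow-IMAP match source-address any
set security policies from-zone Untrust-Zone to-zone Trust-Zone policy Allow-IMAP match destination-address MailServer
set security policies from-zone Untrust-Zone to-zone Trust-Zone policy Allow-IMAP match application imap-long-idle
set security policies from-zone Untrust-Zone to-zone Trust-Zone policy Allow-IMAP then permit

# 2. Propagate security-policy changes into established sessions.
#    Without this, changing Allow-IMAP to "then deny" affects only new sessions;
#    an attacker's existing session keeps flowing until it ages out. With
#    policy-rematch, sessions are re-evaluated on commit and those that no longer
#    match a permit policy are torn down.
set security policies policy-rematch

# Verification (operational mode):
#   show security flow session destination-port 143        (Timeout column)
#   show security policies from-zone Untrust-Zone to-zone Trust-Zone detail
```

Raising inactivity-timeout increases the number of idle sessions the device holds; on a branch platform with a small session table, apply it to the specific application rather than to broad policies, and keep the default for anything reachable from Untrust.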

Packet Flow Example: Part 1


We now apply the described decision process to a specific example. As the graphic shows,
Host-B at 10.1.20.5 wants to initiate an HTTP session with the Web server at 200.5.5.5. The
traffic passes through an SRX Series Services Gateway and is therefore subject to the
decision process.

Configure Firewall Rule in Juniper SRX

Firewall rules, also called security policies, are the means of filtering and logging traffic in the network.
Juniper firewalls can filter traffic based on source/destination IP address and port numbers.
Juniper SRX Series firewall products provide firewall solutions from SOHO networks to large corporate
networks. The SRX firewall inspects each packet passing through the device. You can configure firewall rules
in Juniper SRX using the command line or the GUI console. Here, I will use the command line to demonstrate firewall
rule creation.

Before configuring firewall rules, there are some basic terms that are necessary to understand.
The elements of a Juniper firewall rule are:

1. Security Zones: Security zones are logical boundaries. Each interface is assigned to a
security zone. The interface connected to the Internet is usually placed in an Untrust zone, and
the interface connected to the internal network is usually placed in a Trust zone. These zones
are user defined. You can create a zone named Accounting for the firewall interface
connected to the accounting switch, and so on. Firewall policies (rules) need the source zone and
destination zone to be defined prior to defining the firewall rule.
2. Policy: This is the policy name used to identify the firewall rule (policy). For
example, if I want to allow traffic from the Untrust zone to the Trust zone then I might name
my policy Internet Rule or Internet Policy. Note: what Cisco calls a firewall rule, Juniper
calls a security policy; they are basically the same thing.
3. IP Address: IP addresses define the source network or hosts and the destination network or
hosts. These source and destination addresses are used to match the condition.
For example, a policy named My Policy matches a source address of x.x.x.x/x and a
destination address of y.y.y.y/y, and then we define an action to allow or block the traffic.
Address-book entries are created in the zones (or in the global address book) and are
referenced by name in the rule.
4. Application: This is the protocol or service that is allowed/denied by the rule. For
example, http, https, FTP, etc. can be defined as a match condition. Source address,
destination address and application are mandatory match conditions.
5. Condition: The condition is what the rule does with matching traffic. In Junos terms this is
the action clause (then). The choices are permit, deny or reject, which are mutually exclusive,
plus log and count, which can be combined with any of them. For example, if a policy named My
Policy matches a source address of x.x.x.x/x, a destination address of y.y.y.y/y and the
application FTP, then we can define the action to permit and log the traffic. Note that deny
silently drops the packet while reject drops it and sends a TCP RST or ICMP unreachable back
to the source.

Configure Firewall Rule in Juniper SRX


We have the scenario shown in the diagram below. We have a Mail Server hosted in the internal
network, the trust zone. We want users from the Internet to be able to access the Mail Server, so we
want mail traffic to flow in and out of two security zones, untrust and trust. Let's configure this
on an SRX 240. We will assume that in the following scenario NAT (Network Address
Translation) has already been configured properly.

Step 1: Assign Interface to Security Zone

Type the following command in the [edit security zones] hierarchy. We need to assign interface ge-0/0/1
to Untrust-Zone and interface ge-0/0/0 to Trust-Zone. The command is, set security-zone <Zone
Name> interfaces <interface name>. Note that Junos binds a logical interface unit (for example
ge-0/0/1.0) to a zone, not the bare physical interface name.

You can see the configured security zones by typing the show command under the [edit security
zones] hierarchy.
Step 2: Create Address Book in Trust Zone

To match source and destination IP addresses in the firewall rule we need to create an address book. We
can't simply type an IP address in the rule. We need to create an address-book entry for the Mail Server that we have in
the Trust-Zone. To create the address, type the following command in the [edit security zones security-zone Trust-
Zone] hierarchy: set address-book address <Address-Name> <IP-Address>. Use the server's private
(internal) address with a /32 prefix so the rule matches that one host only.

You can type the show command to view the configuration for Trust-Zone so far. We can see the address
book and the interface of this zone in the screenshot shown below.

Step 4: Create Firewall Rule to Allow Traffic from Internet destined for Mail Server

We need to create a firewall rule for traffic coming from Untrust-Zone to Trust-Zone, so we have to be
in the [edit security policies from-zone Untrust-Zone to-zone Trust-Zone] hierarchy. Since the traffic is coming
from Untrust-Zone we need to match any source-address and a destination-address of MailServer, then
specify the action. Because destination NAT is applied before the policy lookup, the destination-address
in the policy is the server's private address from the address book, not its public address.
Match the mail application (for example junos-smtp) rather than "application any", so that only
mail traffic is exposed to the Internet.

Now, let's specify the action. We want to permit the traffic and log each session (log session-init
and log session-close).
To view the firewall rule, type the show command in the same hierarchy.

Similarly, you can create a firewall rule to pass any traffic from Trust-Zone to Untrust-Zone.

In this way you can configure firewall rules on a Juniper SRX firewall. You can configure logging to view the traffic
for the Mail Server.
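As an added example (not the original page's screenshots), here is the complete set of commands behind Steps 1, 2 and 4 above, entered from the top of the configuration hierarchy. The mail server's private address 192.168.1.10, the policy names and the syslog file name are assumed; the destination NAT for the server's public address is assumed to exist, as the text states. Comment lines are explanatory and not part of the configuration.

```junos
# Added example, not from the original page. Addresses and names are assumed.

# Step 1: assign interfaces to zones (logical unit .0, not the bare port name).
set security zones security-zone Untrust-Zone interfaces ge-0/0/1.0
set security zones security-zone Trust-Zone interfaces ge-0/0/0.0

# Step 2: zone-level address-book entry for the mail server. The /32 limits the
# policy to this one host; the private address is used because the policy lookup
# happens after destination NAT.
set security zones security-zone Trust-Zone address-book address MailServer 192.168.1.10/32

# Step 4: inbound policy Untrust-Zone -> Trust-Zone. Source is "any" because mail
# arrives from arbitrary Internet hosts, but destination and application are pinned:
# only SMTP (predefined application junos-smtp) to the mail server.
set security policies from-zone Untrust-Zone to-zone Trust-Zone policy Allow-Inbound-Mail match source-address any
set security policies from-zone Untrust-Zone to-zone Trust-Zone policy Allow-Inbound-Mail match destination-address MailServer
set security policies from-zone Untrust-Zone to-zone Trust-Zone policy Allow-Inbound-Mail match application junos-smtp
set security policies from-zone Untrust-Zone to-zone Trust-Zone policy Allow-Inbound-Mail then permit
set security policies from-zone Untrust-Zone to-zone Trust-Zone policy Allow-Inbound-Mail then log session-init
set security policies from-zone Untrust-Zone to-zone Trust-Zone policy Allow-Inbound-Mail then log session-close
set security policies from-zone Untrust-Zone to-zone Trust-Zone policy Allow-Inbound-Mail then count

# Policies are evaluated top-down; unmatched traffic hits the implicit deny, which
# is silent. An explicit, logged deny at the end gives visibility into what the
# Internet is probing. A denied session has no close event, so log only session-init.
set security policies from-zone Untrust-Zone to-zone Trust-Zone policy Deny-Inbound-Rest match source-address any
set security policies from-zone Untrust-Zone to-zone Trust-Zone policy Deny-Inbound-Rest match destination-address any
set security policies from-zone Untrust-Zone to-zone Trust-Zone policy Deny-Inbound-Rest match application any
set security policies from-zone Untrust-Zone to-zone Trust-Zone policy Deny-Inbound-Rest then deny
set security policies from-zone Untrust-Zone to-zone Trust-Zone policy Deny-Inbound-Rest then log session-init

# Outbound policy Trust-Zone -> Untrust-Zone, as the text suggests.
set security policies from-zone Trust-Zone to-zone Untrust-Zone policy Allow-Outbound match source-address any
set security policies from-zone Trust-Zone to-zone Untrust-Zone policy Allow-Outbound match destination-address any
set security policies from-zone Trust-Zone to-zone Untrust-Zone policy Allow-Outbound match application any
set security policies from-zone Trust-Zone to-zone Untrust-Zone policy Allow-Outbound then permit

# "then log" only produces records if syslog keeps them. On a branch SRX in the
# default (event) logging mode, session logs arrive as RT_FLOW_SESSION_* messages.
set system syslog file traffic-log any any
set system syslog file traffic-log match RT_FLOW_SESSION

# Verify after commit (operational mode):
#   show security zones
#   show security policies from-zone Untrust-Zone to-zone Trust-Zone
#   show security policies hit-count
#   show log traffic-log
```

Order matters: if Deny-Inbound-Rest were placed above Allow-Inbound-Mail it would shadow it. Use `insert security policies from-zone Untrust-Zone to-zone Trust-Zone policy <name> before policy <other>` to reorder without deleting, and check `show security policies hit-count` after a change to confirm the intended policy is the one being hit.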

juniper srx web interface configuration


Configure Web Management access via the Management Ethernet Interface on SW1.
root@SW1> configure
Entering configuration mode

[edit]
root@SW1# set interfaces me0 unit 0 family inet address 172.16.22.121/24
[edit]
root@SW1# set system services web-management https interface me0.0

[edit]
root@SW1# set system services web-management https system-generated-certificate

[edit]
root@SW1# commit and-quit
commit complete
Exiting configuration mode

root@SW1>
Verify access to the Web Manager from your desktop.
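As an added example (not from the original page), the configuration below is a tighter variant of the web-management setup shown above: HTTPS only, on the management interface only, with an idle timeout, a CA-issued certificate once one is available, and a Routing Engine filter that limits who can reach the management services at all. The management subnet 172.16.22.0/24 follows the address on me0 above; the certificate name jweb-cert and the filter name PROTECT-RE are assumed. Comment lines are explanatory and not part of the configuration.

```junos
# Added example, not from the original page. Subnet, certificate and filter names are assumed.

# Serve J-Web over HTTPS only, and only on the out-of-band management interface.
set system services web-management https interface me0.0
set system services web-management https system-generated-certificate
set system services web-management session idle-timeout 10

# Do not also enable plain HTTP: credentials and session cookies would cross the
# wire in clear text. Delete it in case an earlier configuration turned it on.
delete system services web-management http

# The system-generated certificate is self-signed, so browsers cannot verify the
# device and an attacker on the path could present one of their own. After a
# certificate from your PKI has been loaded (request security pki local-certificate ...),
# bind it instead of the self-signed one:
# set system services web-management https pki-local-certificate jweb-cert

# Limit who can reach the management plane. A filter on lo0 applies to traffic
# addressed to the Routing Engine itself, which includes J-Web and SSH.
set firewall family inet filter PROTECT-RE term allow-mgmt from source-address 172.16.22.0/24
set firewall family inet filter PROTECT-RE term allow-mgmt from protocol tcp
set firewall family inet filter PROTECT-RE term allow-mgmt from destination-port [ https ssh ]
set firewall family inet filter PROTECT-RE term allow-mgmt then accept
set firewall family inet filter PROTECT-RE term allow-established from protocol tcp
set firewall family inet filter PROTECT-RE term allow-established from tcp-established
set firewall family inet filter PROTECT-RE term allow-established then accept
# Caution: the final discard also drops routing protocols, DNS, NTP, SNMP and ICMP
# to the box. Add an accept term for every such service the device actually uses
# before this term, and test with "commit confirmed 5" so a mistake rolls back.
set firewall family inet filter PROTECT-RE term deny-rest then discard
set interfaces lo0 unit 0 family inet filter input PROTECT-RE

# Verify (operational mode):
#   show configuration system services web-management
#   show firewall filter PROTECT-RE
```

Commit with `commit confirmed 5` rather than `commit and-quit` when applying the lo0 filter remotely: if the filter locks you out, the configuration rolls back automatically after five minutes unless you confirm it.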
