Last updated: 2019-05-20
OS
ScreenOS
- SSG Series
- ISG Series
- NetScreen Series
Junos
- SRX
Contents
- Enter Shell
- Dump All Settings
- Show basic info
- Set Time
- Set Network
- Show Command
- Get NIC(Wan Port) Info
- ...
- NAT hairpinning
Enter Shell
# Juniper CLI shell
cli
The prompt changes from "root@fw%" to "root@fw>"
# Enter configuration mode
configure
The prompt changes from "root@fw>" to "root@fw#"
# Enter configuration mode (edit is equivalent to configure)
edit
Dump All Settings
Display the last committed current configuration
show configuration | display set | no-more
## Last commit: 2019-05-29 01:11:14 GMT+8 by root version 15.1X49-D70.3; ....
Current configuration (without commit)
root@FW# show
## Last changed: 2019-05-29 01:11:14 GMT+8 version 15.1X49-D70.3; ....
Dump part of setting
e.g. dump the IPsec settings
root@FW-SRX# show security ike
root@FW-SRX# show security ipsec
view the configuration as set commands
show configuration | display set
Show basic info
root@srx220h> show version
Hostname: srx220h Model: srx220h JUNOS Software Release [11.4R7.5]
root@srx220h> show system alarms
2 alarms currently active
Alarm time               Class  Description
2013-11-21 09:27:14 UTC  Minor  Autorecovery information needs to be saved
2013-11-21 09:27:14 UTC  Minor  Rescue configuration is not set
show system uptime
Current time: 2013-11-21 10:25:20 UTC
System booted: 2013-11-21 09:25:08 UTC (01:00:12 ago)
Protocols started: 2013-11-21 09:27:17 UTC (00:58:03 ago)
Last configured: 2013-11-21 10:13:09 UTC (00:12:11 ago) by root
10:25AM  up 1 hr, 4 users, load averages: 0.00, 0.25, 0.49
# Who is currently logged in
root@srx220h> show system users
10:25AM  up 1 hr, 6 users, load averages: 0.00, 0.23, 0.49
USER     TTY      FROM                LOGIN@   IDLE WHAT
root     p0       115.160.xxx.xxx     9:48AM     26 cli
root     p1       115.160.xxx.xxx    10:00AM     18 cli
root     p2       115.160.xxx.xxx    10:08AM     16 cli
root     p3       115.160.xxx.xxx    10:11AM      - cli
root     jweb1    192.168.100.202     9:37AM     44
root     jweb2    192.168.100.68      9:48AM     13
IDLE is in minutes
Log a user out:
request system logout
request system logout (pid pid | terminal terminal | user username) <all>
Set Time
Manual
# user@host> set date YYYYMMDDhhmm.ss
set date 202107221322
# user@host# set system time-zone America/Los_Angeles   (configuration mode)
set system time-zone Asia/Hong_Kong
# Verify: show system uptime
show system uptime
Current time: 2023-12-28 10:52:26 HKT
Time Source:  LOCAL CLOCK
System booted: 2023-12-28 10:25:57 HKT (00:26:29 ago)
Protocols started: 2023-12-28 10:25:57 HKT (00:26:29 ago)
Last configured: 2023-12-28 10:52:13 HKT (00:00:13 ago) by root
10:52AM  up 26 mins, 1 user, load averages: 0.50, 0.30, 0.51
NTP
# force sync with SERVER time now
user@host> set date ntp [SERVER]
e.g.
root@fw> set date ntp stdtime.gov.hk
# Set Default NTP Server
root@fw# set system ntp server stdtime.gov.hk
root@fw# delete system ntp server time.google.com
Checking
root@fw> show ntp associations
remote refid st t when poll reach delay offset jitter
===============================================================================
*static-DIA-83-17.143.118-on-nets.com
.GNSS. 1 - 7 64 37 2.662 9.936 1.337
- when: when the last packet from the peer was received (how long since the last sync)
- poll: polling interval, in seconds (here, sync with the server every 64 s)
- reach: reachability register, in octal (base 8)
  377 = 3x8^2 + 7x8^1 + 7 = 192 + 56 + 7 = 255 = 11111111
  => successfully communicated with the NTP server in the last 8 attempts
  (The rightmost bit represents the most recent interval,
  and the leftmost bit represents the oldest interval.)
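To turn the reach register into something a monitoring script can act on, here is an added Python example (not from the original notes) that parses `show ntp associations` output, decodes the octal reach value into the results of the last 8 polls, and lists peers that missed polls or are unsynchronised. The sample output and peer names are constructed, including a long peer name wrapped onto its own line the way Junos prints it.

```python
# Decode the `reach` column of `show ntp associations`.
# Added example, not from the original notes; the sample output is constructed
# to mirror the layout in the notes, with placeholder peer names, including a
# long name that Junos wraps onto its own line.
import re

SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*very-long-stratum-1-peer-name.example.net
                 .GNSS.           1 -    7   64    37    2.662    9.936   1.337
+ntp2.example.net 203.0.113.9      2 -   40   64   377    5.120   -1.204   0.880
-ntp3.example.net 203.0.113.9      2 -   12   64   376    5.120   -1.204   0.880
 ntp4.example.net .INIT.          16 -    -   64     0    0.000    0.000   0.000
"""

LINE_RE = re.compile(
    r"^(?P<tally>[ *+#.x-])(?P<remote>\S+)\s+(?P<refid>\S+)\s+(?P<st>\d+)\s+\S\s+"
    r"(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+"
    r"(?P<delay>-?[\d.]+)\s+(?P<offset>-?[\d.]+)\s+(?P<jitter>-?[\d.]+)\s*$")

def decode_reach(reach_octal):
    """Octal shift register -> 8 booleans, oldest poll first. The rightmost bit
    is the most recent poll: 377 = all 8 answered, 37 = 00011111 = the 3 oldest
    slots empty (peer added 5 polls ago), 376 = the most recent poll unanswered."""
    value = int(reach_octal, 8)
    return [bool((value >> shift) & 1) for shift in range(7, -1, -1)]

def _join_wrapped(lines):
    """Re-join peer names that Junos wrapped onto a line of their own."""
    pending = None
    for line in lines:
        if pending is not None:
            yield pending + " " + line.strip()
            pending = None
        elif len(line.split()) == 1 and not line.startswith("="):
            pending = line.rstrip()
        else:
            yield line

def parse_associations(text):
    """Parse each peer line into a dict with its decoded reach register."""
    peers = []
    for line in _join_wrapped(text.splitlines()):
        m = LINE_RE.match(line)
        if not m:
            continue  # header or separator line
        bits = decode_reach(m["reach"])
        peers.append({
            "remote": m["remote"],
            "system_peer": m["tally"] == "*",  # '*' marks the peer the clock follows
            "stratum": int(m["st"]),           # 16 = the peer itself is not synchronised
            "reach": m["reach"],
            "last_poll_ok": bits[-1],
            "missed_of_last_8": 8 - sum(bits),
            "offset_ms": float(m["offset"]),
        })
    return peers

def unhealthy(peers):
    """Peers that missed any of the last 8 polls or are not synchronised."""
    return [p["remote"] for p in peers
            if p["missed_of_last_8"] or p["stratum"] == 16]
```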
root@fw> show ntp status
Set Network
# set interface ip:
set interfaces ge-0/0/0 unit 0 family inet address <IP>/24
# set default route:
set routing-options static route 0.0.0.0/0 next-hop <IP>
# Save and roll back settings:
root@srx220h# save /root/config/config.txt
Wrote 283 lines of configuration to '/root/config/config.txt'
# Restore settings
root@srx220h# load override /root/config/config.txt
# Revert settings (discard uncommitted changes; the candidate goes back to the last committed config)
root@srx220h# rollback 0
# Compare the candidate configuration with the last committed one
root@srx220h# show | compare rollback 0
Show Command
root@srx220h> show route
inet.0: 17 destinations, 22 routes (17 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 01:00:49
                    > to 203.174.xxx.xxx via ge-0/0/0.0
72.17.191.242/32   *[Static/5] 00:31:24
                    > to 192.168.6.2 via vlan.8
172.16.16.0/24     *[Direct/0] 00:31:29
                    > via vlan.6
172.16.16.1/32     *[Local/0] 01:01:03
                      Local via vlan.6
172.168.0.1/32     *[Local/0] 01:01:03
                      Reject
192.168.6.0/24     *[Direct/0] 00:31:24
                    > via vlan.8
root@srx220h> show arp
MAC Address        Address         Name            Interface  Flags
88:32:9b:95:45:76  172.16.16.125   172.16.16.125   vlan.6     none
90:18:7c:7c:42:c7  172.16.16.146   172.16.16.146   vlan.6     none
70:18:8b:06:bc:c9  172.16.16.181   172.16.16.181   vlan.6     none
5c:0a:5b:6e:5f:d1  172.16.16.182   172.16.16.182   vlan.6     none
show configuration
## Last commit: 2013-11-21 10:13:09 UTC by root
version 11.4R7.5;
system {
    host-name srx220h;
    domain-name local;
    root-authentication {
        encrypted-password "???????????????"; ## SECRET-DATA
    }
    .............
user@host> show route instance
# show all interface ip
show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     l.l.l.l/n
gr-0/0/0                up    up
......................
Single interface
show interfaces ge-0/0/1.0
Get NIC(Wan Port) Info
dhcp lease time
root@fw> show dhcp client binding [detail]
IP address        Hardware address   Expires     State      Interface
R.R.R.R           b0:33:a6:xx:xx:xx  1254        BOUND      ge-0/0/0.0
Link Info
# detail / extensive
show interfaces ge-0/0/0 extensive | no-more
...
Input errors:
    Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Policed discards: 67, L3 incompletes: 0, L2 channel errors: 0, L2 mismatch timeouts: 0, FIFO errors: 0, Resource errors: 0
Output errors:
    Carrier transitions: 1, Errors: 0, Drops: 0, Collisions: 0, Aged packets: 0, FIFO errors: 0, HS link CRC errors: 0, MTU errors: 0, Resource errors: 0
show interfaces ge-0/0/0 extensive | match "CRC"
One To One NAT
[edit security nat static]
set security nat static rule-set rs1 from zone untrust
set security nat static rule-set rs1 rule r1 match destination-address 203.194.130.57/32
set security nat static rule-set rs1 rule r1 then static-nat prefix 192.168.1.179/32
[edit security nat]
set security nat proxy-arp interface ge-0/0/0.0 address 203.194.130.57
[edit security]
set zones security-zone trust address-book address server1 192.168.1.179/32
[edit security policies from-zone untrust to-zone trust]
set security policies from-zone untrust to-zone trust policy server-access match source-address any destination-address server1 application any
set security policies from-zone untrust to-zone trust policy server-access then permit
[edit security policies from-zone trust to-zone untrust]
set security policies from-zone trust to-zone untrust policy permit-all match source-address server1 destination-address any application any
set security policies from-zone trust to-zone untrust policy permit-all then permit
set routing-options static route 0.0.0.0/0 next-hop 203.194.130.1
Change Password
GUI
Setting the Root User Password
Configure>System Properties>System Identity
Creating a New Admin User
Configure>System Properties>User Management
Edit User -> Add ->
CLI
user@host# set system root-authentication plain-text-password
user@host# commit
Debug
set security flow traceoptions file DebugTraffic
set security flow traceoptions flag basic-datapath
# define filter to capture traffic from client to Server's public IP address 1.1.1.30
set security flow traceoptions packet-filter MatchTraffic source-prefix 192.168.1.2/32 destination-prefix <IP>/32
#define filter to capture traffic from Server in Trust to Client's NAT'd address
set security flow traceoptions packet-filter MatchTrafficReverse source-prefix 192.168.224.30/32 destination-prefix 192.168.224.3/32
Persistent NAT
Address persistent with interface port-overloading enabled (commit fails):
There were error(s) delivering the configuration.
Error(s):
'persistent-nat'
1) To config persistent NAT with interface-based source NAT pool,please turn off port-overloading first.
2) configuration check-out failed
Persistent NAT:
Persistent NAT allows applications to use the Session Traversal Utilities for NAT (STUN) protocol when passing through NAT firewalls
Persistent NAT ensures that all requests from the same internal transport address are mapped to the same external transport address by the NAT device closest to the STUN server.
Persistent NAT is not applicable for destination NAT, because persistent NAT bindings are based on outgoing sessions from internal to external.
Any remote host
-------------------
All requests from a specific internal IP address and port are mapped to the same external IP address and port. Any external host can send a packet to the internal host using the mapped external transport address when the incoming policy from external to internal is configured.
Target host
-------------
All requests from a specific internal IP address and port are mapped to the same external IP address and port. An external host can send a packet to an internal host only if the internal host had previously sent a packet to the external host’s IP address.
STUN (Session Traversal Utilities for NAT) Protocol
Used by VoIP, which encodes IP addresses and port numbers within the application data.
VLAN
set vlans vlan1 description desktops vlan-id 1 l3-interface vlan.1
set vlans vlan2 description servers vlan-id 2 l3-interface vlan.2
set interfaces vlan unit 1 family inet address 10.0.1.1/24
set interfaces vlan unit 2 family inet address 10.0.2.1/24
set security zones security-zone trust interfaces vlan.1
set security zones security-zone trust interfaces vlan.2
set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any destination-address any application any
set security policies from-zone trust to-zone trust policy trust-to-trust then permit
set interfaces ge-0/0/0 unit 0 family ethernet switching port-mode access vlan members vlan1
set interfaces ge-0/0/1 unit 0 family ethernet switching port-mode access vlan members vlan2
Enable / Disable interface:
# To disable
set interfaces <interface> disable
# To enable:
delete interfaces <interface> disable
# Takes effect only after commit
commit
Interfaces
root@srx220h> show ethernet-switching interfaces
Interface    State  VLAN members        Tag   Tagging   Blocking
ge-0/0/1.0   down   vlan-trust          5     untagged  blocked by STP
ge-0/0/2.0   up     vlan-trust          5     untagged  unblocked
ge-0/0/3.0   down   vlan-trust          5     untagged  blocked by STP
ge-0/0/4.0   up     vlan-192.168.16.0   3     untagged  unblocked
ge-0/0/5.0   up     vlan-172.16.0.0     2     untagged  unblocked
ge-0/0/6.0   up     oversea             4     untagged  unblocked
ge-0/0/7.0   down   vlan-trust          5     untagged  blocked by STP
Vlan
root@srx220h> show interfaces vlan terse
Interface               Admin Link Proto    Local                 Remote
vlan                    up    up
vlan.0                  up    up   inet     192.168.100.1/24
vlan.5                  up    down inet     172.168.0.1/24
vlan.6                  up    up   inet     172.16.16.1/24
vlan.7                  up    up   inet     192.168.16.1/24
vlan.8                  up    up   inet     192.168.6.1/24
root@srx220h> show vlans
Name                Tag     Interfaces
default             1       None
oversea             4       ge-0/0/6.0*
vlan-172.16.0.0     2       ge-0/0/5.0*
vlan-192.168.16.0   3       ge-0/0/4.0*
vlan-trust          5       ge-0/0/1.0*, ge-0/0/2.0, ge-0/0/3.0, ge-0/0/7.0
root@srx220h> show interfaces vlan media
Physical interface: vlan, Enabled, Physical link is Up
  Interface index: 133, SNMP ifIndex: 506
  Type: VLAN, Link-level type: VLAN, MTU: 1518, Speed: 1000mbps
  Device flags   : Present Running
  Link type      : Full-Duplex
  Current address: 3c:8a:b0:xx.xx.xx, Hardware address: 3c:8a:b0:xx.xx.xx
  Last flapped   : 2013-11-21 09:27:55 UTC (01:30:49 ago)
  Input rate     : 446032 bps (277 pps)
  Output rate    : 2037000 bps (285 pps)
root@srx220h> show interfaces vlan brief
Physical interface: vlan, Enabled, Physical link is Up
  Type: VLAN, Link-level type: VLAN, MTU: 1518, Clocking: Unspecified, Speed: 1000mbps
  Device flags   : Present Running

  Logical interface vlan.0
    Flags: SNMP-Traps 0x0 VLAN-Tag [ 0x8100.5 ]  Encapsulation: ENET2
    Security: Zone: trust
    Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp ospf ospf3 pgm pim rip ripng router-discovery rsvp sap vrrp dhcp finger ftp tftp ident-reset http https ike netconf ping reverse-telnet reverse-ssh rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping ntp sip dhcpv6 r2cp
    inet  192.168.100.1/24

  Logical interface vlan.5
    Flags: Link-Layer-Down SNMP-Traps 0x0  Encapsulation: ENET2
    Security: Zone: trust
    Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp ospf ospf3 pgm pim rip ripng router-discovery rsvp sap vrrp dhcp finger ftp tftp ident-reset http https ike netconf ping reverse-telnet reverse-ssh rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping ntp sip dhcpv6 r2cp
    inet  172.168.0.1/24
root@srx220h> show interfaces vlan detail
root@srx220h> show interfaces vlan
root@srx220h> show interfaces vlan statistics
Physical interface: vlan, Enabled, Physical link is Up
  Interface index: 133, SNMP ifIndex: 506
  Type: VLAN, Link-level type: VLAN, MTU: 1518, Speed: 1000mbps
  Device flags   : Present Running
  Link type      : Full-Duplex
  Current address: 3c:8a:b0:xx:xx:xx, Hardware address: 3c:8a:b0:xx:xx:xx
  Last flapped   : 2013-11-21 09:27:55 UTC (01:27:49 ago)
  Statistics last cleared: Never
  Input rate     : 3581904 bps (876 pps)
  Output rate    : 3675880 bps (867 pps)
  Input errors: 0, Output errors: 0

  Logical interface vlan.0 (Index 69) (SNMP ifIndex 507)
    Flags: SNMP-Traps 0x0 VLAN-Tag [ 0x8100.5 ]  Encapsulation: ENET2
    Bandwidth: 0
    Input packets : 36698497
    Output packets: 420793
    Security: Zone: trust
    Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp ospf ospf3 pgm pim rip ripng router-discovery rsvp sap vrrp dhcp finger ftp tftp ident-reset http https ike netconf ping reverse-telnet reverse-ssh rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping ntp sip dhcpv6 r2cp
    Protocol inet, MTU: 1500
      Flags: Sendbcast-pkt-to-re, Is-Primary
      Addresses, Flags: Is-Default Is-Preferred Is-Primary
        Destination: 192.168.100/24, Local: 192.168.100.1, Broadcast: 192.168.100.255

  Logical interface vlan.5 (Index 70) (SNMP ifIndex 533)
    Flags: Link-Layer-Down SNMP-Traps 0x0  Encapsulation: ENET2
    Bandwidth: 0
    Input packets : 0
    Output packets: 0
    Security: Zone: trust
    Allowed host-inbound traffic : bootp bfd bgp dns dvmrp igmp ldp msdp nhrp ospf ospf3 pgm pim rip ripng router-discovery rsvp sap vrrp dhcp finger ftp tftp ident-reset http https ike netconf ping reverse-telnet reverse-ssh rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl lsping ntp sip dhcpv6 r2cp
    Protocol inet, MTU: 1500
      Flags: Sendbcast-pkt-to-re
      Addresses, Flags: Dest-route-down Is-Preferred Is-Primary
        Destination: 172.168.0/24, Local: 172.168.0.1, Broadcast: 172.168.0.255
system services
By allowing system services to run, you can configure zones to specify different types of traffic that can reach the device from systems
that are directly connected to its interfaces. You can configure the different system services at the zone level,
in which case they affect all interfaces of the zone, or at the interface level. (Interface configuration overrides that of the zone.)
You must enable all expected host-inbound traffic.
Inbound traffic from devices directly connected to the device's interfaces is dropped by default.
Controlling Management Access
* By default, any host on the trusted interface can manage a security device.
To limit the IP addresses that can manage a device, you can configure a firewall filter to deny all
[1]
show system services web-management
http {
interface [ ge-0/0/1.0 ge-0/0/0.0 ];
}
Remark:
set system services web-management http interface ?
[2]
# Verify that host-inbound traffic is enabled on all zones.
show security zones | match "host-inbound-traffic" | display set
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
Remark:
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http
Always ends up at /servererror.php?code=401
run show log httpd.log
httpd: 0: checkInterface failed
httpd: 2: GET /servererror.php?code=401 HTTP/1.1
httpd: 0: GET IFNAME WORKED st0.1
httpd: 0: GET ALLOWED FAILED st0.1
httpd: 2: Error: "Unauthorized", code 401 for URI "/servererror.php", file "/html/servererror.php": Interface is not authorized for HTTP access.
Because web-management only allows interfaces ge-0/0/1.0 and ge-0/0/0.0, the web panel cannot be reached through st0.1.
Restart WebPanel
run restart web-management
Web management gatekeeper process started, pid 25814
https
set system services web-management https system-generated-certificate
set system services web-management https interface <interface>
Change management Port
web-management change port
set system services web-management http port N
set system services web-management https port N
ssh change port
The SSH port can only be changed via DNAT (destination NAT).
Show IPSec Configure
Show Configure
# Phase 1
admin@srx> show configuration security ike
proposal MyIPSecProp {
    authentication-method pre-shared-keys;
    dh-group group5;
    authentication-algorithm sha-256;
    encryption-algorithm aes-192-cbc;
    lifetime-seconds 86400;
}
policy RemoteOffice {
    mode main;
    description "my remote office";
    proposals MyIPSecProp;
    pre-shared-key ascii-text "?"; ## SECRET-DATA
}
gateway RemoteOfficeIP {
    ike-policy RemoteOffice;
    address R.R.R.R;
    dead-peer-detection {
        always-send;
        interval 20;
        threshold 5;
    }
    external-interface ge-0/0/0.0;
    version v2-only;
}
# Phase 2
admin@srx> show configuration security ipsec
proposal MyIPSecProp {
    protocol esp;
    authentication-algorithm hmac-sha-256-128;
    encryption-algorithm aes-192-cbc;
    lifetime-seconds 86400;
}
policy RemoteOffice {
    perfect-forward-secrecy {
        keys group5;
    }
    proposals MyIPSecProp;
}
vpn RemoteOfficeIP {
    bind-interface st0.0;
    ike {
        gateway RemoteOfficeIP;
        ipsec-policy RemoteOffice;
    }
    establish-tunnels immediately;
}
# Route
# Remote Lan Subnet: 10.200.32.0/24
admin@srx> show configuration routing-options
static {
route 10.200.32.0/24 next-hop st0.0;
}
# ACL
show configuration security zones
security-zone RemoteOfficeZone {
    interfaces {
        st0.0;
    }
}
show configuration security policies from-zone RemoteOfficeZone to-zone Internal
policy Remote-Office_Access_Server-Web {
    match {
        source-address any;
        destination-address [ crmapp crmdev ];
        application [ https http ];
    }
    then {
        permit;
    }
}
Show Status
CLI:
show security ike security-associations
Index    State  Initiator cookie  Responder cookie  Mode   Remote Address
5786946  UP     ?                 ?                 IKEv2  R.R.R.R
J-Web:
Select Monitor > IPSec VPN > Phase I
CLI:
show security ipsec security-associations
Total active tunnels: 1
  ID       Algorithm                SPI       Life:sec/kb   Mon  lsys  Port  Gateway
  <131073  ESP:aes-cbc-192/sha256   d5aa6fae  46897/unlim   -    root  500   R.R.R.R
  >131073  ESP:aes-cbc-192/sha256   98581d7   46897/unlim   -    root  500   R.R.R.R
J-Web:
Select Monitor > IPSec VPN > Phase II
Statistics
show security ipsec statistics index N
ESP Statistics:
  Encrypted bytes:         29331884
  Decrypted bytes:          9940892
  Encrypted packets:         236341
  Decrypted packets:         165580
AH Statistics:
  Input bytes:                    0
  Output bytes:                   0
  Input packets:                  0
  Output packets:                 0
Errors:
  AH authentication failures: 0, Replay errors: 0
  ESP authentication failures: 0, ESP decryption failures: 0
  Bad headers: 0, Bad trailers: 0
Disconnect / restart IPSec
# Get the index from: show security ike security-associations
# After clearing, the next packet towards the remote side triggers a reconnect
clear security ike security-associations index XXX
clear security ipsec security-associations index XXX
restart ipsec-key-management   <-- this restarts the IPsec key-management daemon
Debug
# Display debug status for currently enabled Internet Key Exchange (IKE) tracing
show security ike debug-status
Disabled
OR
Enabled flag: all level: 7 Local IP: L.L.L.L, Remote IP: R.R.R.R
# Enable IKE tracing on a single VPN tunnel specified by a local and a remote IP address
request security ike debug-enable local local-ip-address remote remote-ip-address
# Attempt tunnel establishment to capture trace information to the /var/log/kmd file
show log kmd | match "ike|initiator|responder"
# Disable IKE debugging
request security ike debug-disable
# To deactivate:
user@srx# deactivate security ike gateway <gatewayname>
user@srx# deactivate security ipsec vpn <vpn name>
user@srx# commit
# To activate:
user@srx# activate security ike gateway <gatewayname>
user@srx# activate security ipsec vpn <vpn name>
user@srx# commit
Restrict management access to the Juniper SRX firewall
Setting
root@SRX# show
address mgmt_address-1 192.168.98.0/24;
address mgmt_address-2 192.168.65.10/32;
address-set mgmt_addresses {
    address mgmt_address-1;
    address mgmt_address-2;
}
from-zone untrust to-zone junos-host {
    policy permit-mgmt {
        match {
            source-address mgmt_addresses;
            destination-address any;
            application [ junos-ssh junos-https ];
        }
        then {
            permit;
            log {
                session-init;
            }
        }
    }
    policy deny-mgmt {
        match {
            source-address any;
            destination-address any;
            application [ junos-ssh junos-https ];
        }
        then {
            deny;
        }
    }
    policy permit-all-others {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
Checking
show security policies from-zone untrust to-zone junos-host
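The host-inbound-traffic check under [2] in the system services section and the junos-host policy above can both be audited from a `show configuration | display set` dump. The following Python is an added example, not from the original notes: it parses set lines and flags management services allowed in an untrusted zone, J-Web over http bound to an untrusted interface, and an untrusted zone that exposes a management service without any from-zone/to-zone junos-host policy. Which zone names count as untrusted, the list of management services and the sample config are assumptions constructed for the example from set lines in these notes.

```python
# Audit a `show configuration | display set` dump for management exposure.
# Added example, not from the original notes. Which zone names count as
# untrusted and which services count as management are assumptions of this
# example; the sample config is built from set lines that appear in the notes.
MGMT_SERVICES = {"all", "http", "https", "ssh", "telnet", "netconf", "xnm-clear-text"}

# Constructed sample: untrust lets J-Web over plain http in on ge-0/0/0.0, and
# only the trust zone has a policy towards the junos-host zone.
SAMPLE_CONFIG = """\
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
set system services web-management http interface ge-0/0/1.0
set system services web-management http interface ge-0/0/0.0
set system services web-management https system-generated-certificate
set security policies from-zone trust to-zone junos-host policy permit-mgmt match source-address mgmt_addresses
"""

def parse_set_config(text):
    """Return (services per zone and interface, interfaces per zone, zones that
    have a policy to junos-host, interfaces with J-Web http). '*' = zone level."""
    services, ifaces, host_policy_zones, http_ifaces = {}, {}, set(), set()
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "set":
            continue
        if t[1:4] == ["security", "zones", "security-zone"]:
            zone = t[4]
            iface = t[t.index("interfaces") + 1] if "interfaces" in t else "*"
            ifaces.setdefault(zone, set())
            if iface != "*":
                ifaces[zone].add(iface)
            if "system-services" in t:
                svc = t[t.index("system-services") + 1]
                services.setdefault(zone, {}).setdefault(iface, set()).add(svc)
        elif t[1:4] == ["security", "policies", "from-zone"] and "junos-host" in t:
            host_policy_zones.add(t[4])
        elif t[1:5] == ["system", "services", "web-management", "http"] and "interface" in t:
            http_ifaces.add(t[t.index("interface") + 1])
    return services, ifaces, host_policy_zones, http_ifaces

def audit(text, untrusted=("untrust",)):
    """Return (code, detail) findings for the zones named in `untrusted`."""
    services, ifaces, host_policy_zones, http_ifaces = parse_set_config(text)
    findings = []
    for zone in untrusted:
        exposed_any = False
        for iface, svcs in sorted(services.get(zone, {}).items()):
            exposed = sorted(svcs & MGMT_SERVICES)
            if exposed:
                exposed_any = True
                findings.append(("MGMT_FROM_UNTRUSTED", f"{zone} {iface} {' '.join(exposed)}"))
        # host-inbound-traffic is not filtered by source address; only a policy
        # towards the junos-host zone restricts who may reach the management plane
        if exposed_any and zone not in host_policy_zones:
            findings.append(("NO_JUNOS_HOST_POLICY", zone))
        for iface in sorted(http_ifaces & ifaces.get(zone, set())):
            findings.append(("HTTP_ON_UNTRUSTED_IFACE", iface))
    return findings
```

Run `audit()` over the output of `show configuration | display set | no-more` saved from the device; pass the zone names that face the Internet in `untrusted`.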
NAT hairpinning
Info.
- wan: W.W.W.W
- lan: 192.168.80.0/24
- server: 192.168.80.33
CLI
set security nat source rule-set hairpin from zone default
set security nat source rule-set hairpin to zone default
set security nat source rule-set hairpin rule hairpin-source match source-address 192.168.80.0/24
set security nat source rule-set hairpin rule hairpin-source then source-nat interface
set security nat destination pool server address 192.168.80.33/32
set security nat destination rule-set hairpin from zone default
set security nat destination rule-set hairpin rule hairpin-destination match destination-address W.W.W.W/32
set security nat destination rule-set hairpin rule hairpin-destination then destination-nat pool server
set security policies from-zone default to-zone default policy INTRA-default match source-address any
set security policies from-zone default to-zone default policy INTRA-default match destination-address any
set security policies from-zone default to-zone default policy INTRA-default match application any
set security policies from-zone default to-zone default policy INTRA-default then permit
Other