Junos OS


Ask questions and share experiences about Junos OS.

Virtual Router - JunOS

  • 1.  Virtual Router - JunOS

    Posted 08-24-2015 00:01

    Hello guys, from this link: http://kb.juniper.net/InfoCenter/index?page=content&id=KB22053 it uses virtual routers.

    What is the equivalent of virtual routers in JunOS?

    If the ScreenOS config has the virtual router, is it necessary to have it in JunOS?

    Thanks for any input.



  • 2.  RE: Virtual Router - JunOS

    Posted 08-24-2015 00:06

    Hello,

    PFA the link: http://kb.juniper.net/InfoCenter/index?page=content&id=KB16453

    It's for the custom routing instance for Junos.



  • 3.  RE: Virtual Router - JunOS

    Posted 08-24-2015 00:07

    Hi JJJCR,

    The equivalent of the virtual router is the routing instance with instance type virtual-router.

    The routing instance would be required if you want the routing table to be segregated from the default routing table, inet.0.



  • 4.  RE: Virtual Router - JunOS

    Posted 08-30-2015 17:51

    Hi ssn, if I have a DMZ and a private network, do I need to set a routing instance or a virtual router?

    Thanks.



  • 5.  RE: Virtual Router - JunOS

    Posted 08-30-2015 18:06

    Hi,

    If you have overlapping address space between DMZ and private then you would need a routing instance of type virtual router. If you have no overlapping address space then there is no requirement to create separate tables.

    Tim



  • 6.  RE: Virtual Router - JunOS

    Posted 08-30-2015 18:35

    Hello,

    On ScreenOS, everything by default is part of trust-vr [interfaces, zones etc.]

    So if your ScreenOS has only the trust-vr routing instance, you do not need to configure a routing instance when migrating the configuration to Junos.

    On Junos, the default routing instance (inet.0) does the same work as that of trust-vr.

    Moreover, if you can attach the 'ScreenOS configuration' here, I can tell you if you need a routing instance on Junos.

    Regards,

    Rushi



  • 7.  RE: Virtual Router - JunOS

    Posted 08-31-2015 02:52

    Hi Rushi, here's the config below:

    Thanks for any input.

    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit

    set vrouter "trust-vr"
    unset auto-route-export
    exit

    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "DMZ" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone "Untrust-Tun" vrouter "trust-vr"
    set zone "Trust" tcp-rst
    set zone "Untrust" block

    unset zone "Untrust" tcp-rst
    set zone "MGT" block
    set zone "DMZ" tcp-rst
    set zone "VLAN" block
    unset zone "VLAN" tcp-rst

    set interface "ethernet1" zone "Trust"
    set interface "ethernet2" zone "DMZ"
    set interface "ethernet3" zone "Untrust"
    set interface "ethernet4" zone "Trust"
    unset interface vlan1 ip

    set interface "ethernet3" mip 5.18.10.229 host 192.168.14.17 netmask 255.255.255.255 vr "trust-vr"
    set interface "ethernet3" mip 5.18.10.230 host 192.168.14.16 netmask 255.255.255.255 vr "trust-vr"
    set interface "ethernet3" mip 5.18.10.228 host 192.168.13.1 netmask 255.255.255.255 vr "trust-vr"
    set interface "ethernet3" mip 5.18.10.232 host 192.168.13.2 netmask 255.255.255.255 vr "trust-vr"
    set interface "ethernet3" mip 5.18.10.233 host 192.168.13.19 netmask 255.255.255.255 vr "trust-vr"


    set address "Trust" "192.168.13.0/24" 192.168.13.0 255.255.255.0
    set address "Trust" "192.168.14.16/24" 192.168.14.16 255.255.255.0
    set address "Trust" "192.168.14.17/24" 192.168.14.17 255.255.255.0
    set address "Trust" "192.168.14.24 /24" 192.168.124.24 255.255.255.0
    set address "Trust" "192.168.15.0/24" 192.168.15.0 255.255.255.0
    set address "Trust" "5.18.17.236/27" 5.18.17.226 255.255.255.224
    set address "Trust" "5.18.17.236/28" 5.18.17.226 255.255.255.240
    set address "Trust" "5.18.17.236/32" 5.18.17.226 255.255.255.255
    set address "Trust" "5.18.17.243/32" 5.18.17.233 255.255.255.255
    set address "Trust" "5.18.17.245/24" 5.18.17.235 255.255.255.0


    set address "Untrust" "5.18.17.235/32" 5.18.10.235 255.255.255.255
    set address "Untrust" "5.18.17.236/27" 5.18.17.236 255.255.255.224
    set address "Untrust" "5.18.17.236/32" 5.18.17.236 255.255.255.255
    set address "Untrust" "5.18.17.239/32" 5.18.17.239 255.255.255.255


    set address "DMZ" "192.168.14.16/24" 192.168.14.16 255.255.255.0
    set address "DMZ" "192.168.14.17/24" 192.168.14.17 255.255.255.0


    Is the config below a default setting? Is it also a default in JunOS?

    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land



  • 8.  RE: Virtual Router - JunOS

    Posted 08-31-2015 02:56

    Hello,

    Based on the configuration provided, you do not need any virtual router when converting configuration to Junos.

    Just ignore the virtual router part completely when converting the configuration.

    Regards,

    Rushi



  • 9.  RE: Virtual Router - JunOS

    Posted 08-31-2015 03:16

    Hello,

    Screen related configuration is not a default Junos configuration.

    Its Junos equivalent would be:


    security {
        screen {
            ids-option Untrust_screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    land;
                    /* Using default value for timeout since not within range 0-50 */
                    syn-flood {
                        timeout 20;
                    }
                }
            }
            ids-option V1-Untrust_screen {
                tcp {
                    /* Using default value for timeout since not within range 0-50 */
                    syn-flood {
                        timeout 20;
                    }
                }
            }
        }
        zones {
            security-zone Untrust {
                screen Untrust_screen;
            }
            security-zone V1-Untrust {
                screen V1-Untrust_screen;
            }
        }
    }

    Regards,

    Rushi



  • 10.  RE: Virtual Router - JunOS

    Posted 08-31-2015 03:41

    You can ignore and not migrate the ScreenOS configuration for zone V1-Untrust. This is only used when the ScreenOS device is in transparent mode. The device in this thread is clearly in layer 3 mode, so this V1-Untrust zone configuration is not used.
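As an added example (not from this thread, and not a Juniper tool), here is a small Python converter that turns the ScreenOS `set zone ... screen` lines from post 7 into the Junos `set security screen ids-option` commands equivalent to the converted hierarchy in post 9, using that post's option mapping. It goes slightly beyond the thread in two ways: it skips V1-* (transparent-mode) zones by default, as post 10 advises, and it refuses unknown screen options so that no protection is silently dropped during migration. The `_screen` suffix, the explicit `timeout 20`, and the sample input are taken from the thread; the function names are my own.

```python
import re

# ScreenOS screen option -> Junos ids-option (protocol family, keyword), per post 9 above.
SCREEN_MAP = {
    "tear-drop":     ("ip",   "tear-drop"),
    "ip-filter-src": ("ip",   "source-route-option"),
    "ping-death":    ("icmp", "ping-death"),
    "syn-flood":     ("tcp",  "syn-flood"),
    "land":          ("tcp",  "land"),
}

# Constructed sample input: a subset of the zone screen lines posted above.
SAMPLE_SCREENOS = """
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
"""

_SCREEN_LINE = re.compile(r'^\s*set zone "([^"]+)" screen (\S+)\s*$', re.M)

def parse_screen_lines(screenos_config, skip_transparent=True):
    """Return {zone: [screen options]} from ScreenOS 'set zone ... screen' lines.
    V1-* zones (transparent mode) are skipped by default; unknown options raise."""
    zones = {}
    for zone, option in _SCREEN_LINE.findall(screenos_config):
        if skip_transparent and zone.startswith("V1-"):
            continue  # transparent-mode zone, unused on a layer 3 firewall
        if option not in SCREEN_MAP:
            raise ValueError(f"no Junos mapping for screen option {option!r}")
        zones.setdefault(zone, []).append(option)
    return zones

def to_junos_set(zones):
    """Emit Junos 'set' commands: one ids-option per zone, then bind it to the zone."""
    cmds = []
    for zone, options in zones.items():
        name = f"{zone}_screen"
        for option in options:
            family, keyword = SCREEN_MAP[option]
            cmd = f"set security screen ids-option {name} {family} {keyword}"
            if keyword == "syn-flood":
                cmd += " timeout 20"  # explicit default timeout, as in post 9
            cmds.append(cmd)
        cmds.append(f"set security zones security-zone {zone} screen {name}")
    return cmds
```

Running `to_junos_set(parse_screen_lines(SAMPLE_SCREENOS))` yields five `ids-option` lines for `Untrust_screen` plus the zone binding, and nothing for V1-Untrust unless `skip_transparent=False` is passed.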



  • 11.  RE: Virtual Router - JunOS

    Posted 09-01-2015 00:35

    Hi Rushi, is there any default security configuration for a newly purchased JunOS firewall?

    Or does the end user have to configure the security configuration from scratch?

    Thanks.



  • 12.  RE: Virtual Router - JunOS
    Best Answer

    Posted 09-01-2015 00:58

    Hello,

    There is a default security configuration on Junos SRX boxes.

    Explanation is given in the link below:

    http://www.juniper.net/documentation/en_US/junos12.1x46/topics/concept/security-branch-device-factory-default-setting-understanding.html

    Also pasting the default configuration of the SRX in my lab here:


    set system autoinstallation delete-upon-commit
    set system autoinstallation traceoptions level verbose
    set system autoinstallation traceoptions flag all
    set system autoinstallation interfaces ge-0/0/0 bootp
    set system name-server 208.67.222.222
    set system name-server 208.67.220.220
    set system services ssh
    set system services telnet
    set system services xnm-clear-text
    set system services web-management http interface vlan.0
    set system services web-management https system-generated-certificate
    set system services web-management https interface vlan.0
    set system services dhcp router 192.168.1.1
    set system services dhcp pool 192.168.1.0/24 address-range low 192.168.1.2
    set system services dhcp pool 192.168.1.0/24 address-range high 192.168.1.254
    set system services dhcp propagate-settings ge-0/0/0.0
    set system syslog archive size 100k
    set system syslog archive files 3
    set system syslog user * any emergency
    set system syslog file messages any critical
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands error
    set system max-configurations-on-flash 5
    set system max-configuration-rollbacks 5
    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
    set interfaces ge-0/0/0 unit 0
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members vlan-trust
    set interfaces vlan unit 0 family inet address 192.168.1.1/24
    set protocols stp
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security nat source rule-set trust-to-untrust from zone trust
    set security nat source rule-set trust-to-untrust to zone untrust
    set security nat source rule-set trust-to-untrust rule source-nat-rule match source-address 0.0.0.0/0
    set security nat source rule-set trust-to-untrust rule source-nat-rule then source-nat interface
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
    set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic protocols all
    set security zones security-zone trust interfaces vlan.0
    set security zones security-zone untrust screen untrust-screen
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
    set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services tftp
    set vlans vlan-trust vlan-id 3
    set vlans vlan-trust l3-interface vlan.0

    Regards,

    Rushi



  • 13.  RE: Virtual Router - JunOS

    Posted 09-01-2015 03:48

    Thank you, Rushi.

    I really appreciate your help.

    God bless!