Juniper makes lots of stuff, but is probably most widely known for its firewall products. Here we look at some basic management of the SRX line, which runs JunOS.
hook to console
On the front of your SSG there will be a console connection, which usually fools you because it looks like a normal network port, but it is really a serial connection that just LOOKS like a network port (an RJ-45 serial console).
- you have to go find an adapter that connects a CAT5 cable to a serial cable; sometimes you can find them in the Juniper box, but you can find them online pretty cheap too
- On mine I then had to convert the serial connection to USB, since my laptop only has USB and no serial port. I got a Tripplite one for about $20. On Windows 7 I had to download the driver too, which I think is really for Windows 8, but it worked.
- you have to have a terminal program on your laptop that can talk over a serial connection. I used TeraTerm, which I downloaded from Sourceforge
- Once I installed the driver and hooked up USB -> serial -> CAT5 adapter -> CAT5 cable -> SSG console port, I started TeraTerm with the following settings:
- COM3 (on mine it was just the next COM port above the ones it showed before I installed the Tripplite driver, which happened to be COM3), Baud rate: 9600, data: 8 bit, parity: none, stop: 1 bit, flow control: none.
- if it worked and you're connected, hit Enter a couple of times and it should give you a login: prompt.
SRX
The SRX platform runs JunOS, which is FreeBSD-based, versus the old ScreenOS on the SSG line, so it's a lot different.
When you boot the platform, it takes about 3 minutes to come up all the way, which seems like forever. Even after the interface lights come up it's not done booting yet.
You can use a Cisco style console cable, which is an RJ-45 ethernet-looking plug on one end and a 9-pin serial on the other, plugged into a USB -> serial dongle like a Tripp-Lite USA-19HS on your laptop. If you're using a Mac, run ls /dev/tty* and find something that looks like /dev/tty.USA19H141P1.1; that's the console you want to connect to. Then do the following (logging in as root drops you in the BSD shell, so you type cli to get the JunOS CLI, then config for configuration mode):
```
screen /dev/tty.USA19H141P1.1
login: root
password:
switchname% cli
switchname> config
Entering configuration mode
[edit]
switchname#
```
Here are some common commands you'll use. After you log in you have to be in the CLI to use them, and the set/delete commands only work from configure mode. There's also a web interface (J-Web), which makes things easier to visualize.
| command | what it does |
|---|---|
| set system root-authentication plain-text-password | sets the root password (configure mode; it prompts you for the password) |
| show config | shows your configuration |
| show system software | shows the installed JunOS packages (output starts with "Information for junos:") |
| show int terse | shows your interfaces, their state and addresses |
| set protocols l2-learning global-mode switching | changes the Layer 2 global mode from transparent-bridge to switching (used below to turn a transparent L2 box into a normal L3 router). You have to do this from configure mode, and it only takes effect after a reboot. |
| commit | activates and saves the candidate configuration; you probably should do a commit check first |
| commit check | validates the candidate configuration without activating it |
| commit confirmed 1 | commits, but rolls back automatically after 1 minute unless you follow up with a plain commit; use it for remote changes that could cut you off |
| delete interfaces ge-0/0/0 unit 0 family inet address 192.168.20.2/24 | removes that IP from that interface |
| request system reboot at now | reboots the box immediately |
| set interfaces ge-0/0/0 unit 0 family inet address 192.168.20.2/24 | sets the first interface to 192.168.20.2 netmask 255.255.255.0 |
Set your previously transparent switch (L2) to a normal Layer 3 router. BT is whatever zone ge-0/0/0 was in before (substitute yours); the commented-out ethernet-switching line is only for a port you want to keep as an L2 access port, since a unit can't carry both family inet and family ethernet-switching; the rename shows how to change an address in place instead of deleting and re-adding it. Commit when done, and remember the global-mode change needs a reboot:
```
cli
config
set protocols l2-learning global-mode switching
set system host-name whateveryouwanttocallyourfirewall
delete security zones security-zone BT interfaces ge-0/0/0
set security zones security-zone untrust
set security zones security-zone untrust interfaces ge-0/0/0
set security zones security-zone trust1
set interfaces ge-0/0/0 unit 0 family inet address 192.168.20.2/24
# set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode access
rename interfaces ge-0/0/0 unit 0 family inet address 1.2.3.4/24 to address 5.6.7.8/24
```
troubleshooting JunOS
You can watch stuff happen with some of these commands. The set security zones line in the middle is a configure-mode command, not a show; it's there because an interface that isn't in a security zone won't pass traffic, which is a common reason sessions never show up:
```
show security flow session destination-prefix 192.168.43.50
show security flow session protocol icmp
show security flow session summary
show security flow session nat
show security flow session nat interface ge-0/0/8.431
show security flow session nat destination-port 5001
set security zones security-zone untrust interfaces ge-0/0/0.0
show security flow statistics
show interfaces flow-statistics ge-0/0/1.0
```
Or record some session data and look at it later. Keep the packet-filter: basic-datapath tracing without one logs every packet through the box and can bog it down. The two exits take you from configure mode to the CLI and from the CLI to the shell, where you can tail the file (show log 10debug from the CLI works too):
```
configure
set security flow traceoptions file 10debug
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter MatchTraffic source-prefix 192.168.10.0/24 destination-prefix 0.0.0.0/0
commit
exit
exit
tail -f /cf/var/log/10debug
```
Look for bad things. When you're done, deactivate the tracing (leaving it on costs CPU and fills the log) and commit; show confirms both pieces are inactive:
```
cli
configure
edit security
deactivate flow traceoptions packet-filter MatchTraffic
deactivate flow traceoptions flag basic-datapath
show flow traceoptions
file 10debug;
inactive: flag basic-datapath;
inactive: packet-filter MatchTraffic {
    source-prefix 192.168.10.0/24;
    destination-prefix 0.0.0.0/0;
}
commit
```
merging code
If you have a config file you change some stuff in with a text editor on your desktop, you can upload via the web interface, but if there are syntax errors it just quits and dumps the upload, rather than telling you what the issue is.
To get around this, you can cut/paste your code into the terminal with a command and it will tell you if there are issues and what they are. To do this:
- open up your config file you want to upload in a text editor like Notepad (or whatever)
- Select and copy all your text to the clipboard (Windows: ctrl-A then ctrl-C, Mac apple-A then apple-C)
- Connect to your Juniper with the console cable (plug the console cable to the unit, and the other end to your USB converter, then plug it into your laptop and run: screen /dev/tty.USA19H141P1.1 (on Mac))
- log in and get into the CLI (operational mode), NOT configure mode
- If you’re using iterm2 on Mac, Select Edit > Paste Special > Paste slow, this will allow the terminal paste to work better
- Now run this next command, paste the contents of your clipboard, and end the input the same way as any terminal load, with Ctrl-D on a line of its own:
```
> test configuration terminal
[paste your config here]
```
Now it will tell you if there are errors, like:
```
terminal:3:(8) syntax error: test
  [edit system]
    'test;'
       syntax error
terminal:4:(11) statement must contain additional statements: ;
  [edit system login]
    'login ;'
       statement must contain additional statements
configuration syntax failed
```
The terminal:LINE:(COLUMN) prefix tells you where the bad statement is in what you pasted, so fix those lines and re-test. test configuration only checks syntax and loads nothing, so once it passes you still have to load the config (load replace terminal as below, or load merge terminal if you only want to add to what's there) and commit.
You can also go into configure mode and dump the config straight in, but if it breaks partway it might replace HALF of your config, or something weird, and leave you with a very strange candidate. If you decide to do it anyway, do:
```
load replace terminal
```
Nothing touches the running config until you commit, and if the load makes a mess, rollback 0 throws away the uncommitted candidate.
Reset root password
You have to reboot the unit with a console cable connected and watch the boot process in a terminal. After about a minute of booting you get to a point where you have to hit the SPACE bar to interrupt the normal boot:
```
...
Consoles: U-Boot console
Found compatible API, ver. 2.5

FreeBSD/MIPS U-Boot bootstrap loader, Revision 2.5
(slt-builder@slt-junos15.juniper.net, Tue Apr  2 12:36:46 PDT 2013)
Memory: 2048MB
[0]Booting from internal-compact-flash slice 2
Un-Protected 1 sectors
writing to flash...
Protected 1 sectors
Loading /boot/defaults/loader.conf
/kernel data=0xb1618c+0x167c syms=[0x4+0x8bb00+0xcabc9]

Hit [Enter] to boot immediately, or space bar for command prompt.
Type '?' for a list of commands, 'help' for more detailed help.
loader>
```
Then type boot -s to boot single-user, and answer recovery at the shell prompt:
```
loader> boot -s
Kernel entry at 0x801000e0 ...
init regular console
Primary ICache: Sets 64 Size 128 Asso 4
Primary DCache: Sets 1 Size 128 Asso 64
Secondary DCache: Sets 128 Size 128 Asso 8
GDB: debug ports: uart
GDB: current port: uart
...
Attaching /cf/packages/junos via /dev/mdctl...
Mounted junos package on /dev/md1...
Booting single-user
Mounting /dev/bo0s3f /cf/var
** /dev/bo0s3f
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 299919 free (127 frags, 37474 blocks, 0.0% fragmentation)
System watchdog timer disabled
Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery
```
After you type recovery, it eventually enters a recovery CLI:
```
Performing system setup ...
Checking integrity of BSD labels:
s1: Passed
s2: Passed
s3: Passed
s4: Passed
** /dev/bo0s3e
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 23457 free (9 frags, 2931 blocks, 0.0% fragmentation)
** /dev/bo0s3f
FILE SYSTEM CLEAN; SKIPPING CHECKS
...
Running recovery script ...
machdep.bootsuccess: 1 -> 1
Performing initialization of management services ...
Performing checkout of management services ...

NOTE: Once in the CLI, you will need to enter configuration mode using
NOTE: the 'configure' command to make any required changes. For example,
NOTE: to reset the root password, type:
NOTE:    configure
NOTE:    set system root-authentication plain-text-password
NOTE:    (enter the new password when asked)
NOTE:    commit
NOTE:    exit
NOTE:    exit
NOTE: When you exit the CLI, you will be asked if you want to reboot
NOTE: the system

Starting CLI ...
root@router>
```
So it pretty much tells you what to do: enter the commands, type your new password, and reboot the system when it asks. Note that this is exactly what anyone with physical access to the console port can do, so the console port is as sensitive as the root password itself; JunOS can refuse root logins and password recovery on the console (set system ports console insecure), but only turn that on if you have another way back in. If it worked, watch it boot until you get the normal login prompt:
```
login: root
Password:
```
Different models have different processes to reset root, here are a few:
- EX-4550 (Juniper link)
reset to factory defaults
If you do enough bad things, it's sometimes easier to reset everything from the command line. load factory-default won't commit without a root password, which is why it's set before the commit:
```
router> config
[edit]
router# load factory-default
warning: activating factory configuration
[edit]
router# set system root-authentication plain-text-password
New password:
Retype new password:
router# commit
```
After that you should be able to hook your laptop up to one of the LAN interfaces like ge-0/0/2, get a DHCP lease from the factory config, and configure from the web interface, or stick with the CLI and do it there.
monitor bandwidth on an interface
You can script this from a remote machine later, but run it by hand first to see what the output looks like. The first Input/Output pair is the interface's traffic rate; the later "0 bps" lines are per-queue counters that the same match picks up:
```
show interfaces ge-0/1/1 extensive | match bps
  Link-level type: Ethernet, MTU: 1514, MRU: 0, Speed: 1000mbps, Duplex: Full-Duplex, BPDU Error: None,
   Input  bytes  :          17080147150                 1824 bps
   Output bytes  :         128119082354                 4112 bps
  Link mode: Full-duplex, Flow control: Symmetric, Remote fault: OK, Link partner Speed: 1000 Mbps
                           %           bps       %          usec
     Input  bytes  :                    0                    0 bps
     Output bytes  :                    0                    0 bps
```
You can automate this by following Juniper's JunOS video on the subject.
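As an added example (not from the original page, and not Juniper's code), here is a small POSIX shell script that runs the same command over ssh, parses the rates out of output like the above, and turns them into link utilisation. It assumes key-based ssh to the box already works (see the next section), that the JunOS output keeps the layout shown above, and uses a hypothetical admin@srx.example.net target; the sample output inside is constructed from the lines above so the parser runs offline.

```shell
#!/bin/sh
# Added example (not from the original page): fetch the per-interface rate
# from an SRX over ssh and turn it into utilisation numbers.
# Assumptions: key-based ssh already works; the JunOS output keeps the
# "Input bytes ... N bps" / "Output bytes ... N bps" / "Speed: Nmbps" layout;
# admin@srx.example.net is a placeholder.

# Constructed sample modelled on 'show interfaces ... extensive | match bps'
# so the parser can be exercised without a box. The trailing "0 bps" lines
# are the per-queue counters that the same match also catches.
SAMPLE='  Link-level type: Ethernet, MTU: 1514, MRU: 0, Speed: 1000mbps, Duplex: Full-Duplex, BPDU Error: None,
   Input  bytes  :          17080147150                 1824 bps
   Output bytes  :         128119082354                 4112 bps
  Link mode: Full-duplex, Flow control: Symmetric, Remote fault: OK, Link partner Speed: 1000 Mbps
                           %           bps       %          usec
     Input  bytes  :                    0                    0 bps
     Output bytes  :                    0                    0 bps'

# parse_bps: read the matched lines on stdin, print "IN_BPS OUT_BPS SPEED_MBPS".
# Only the first Input/Output pair (the traffic statistics block) counts; the
# rate is always the field just before the word "bps", whatever the spacing.
parse_bps() {
    awk '
        /Speed: [0-9]+mbps/ {
            for (i = 1; i <= NF; i++) if ($i == "Speed:") { speed = $(i + 1); sub(/mbps,?$/, "", speed) }
        }
        /Input +bytes/  && in_bps  == "" { for (i = 1; i <= NF; i++) if ($i == "bps") in_bps  = $(i - 1) }
        /Output +bytes/ && out_bps == "" { for (i = 1; i <= NF; i++) if ($i == "bps") out_bps = $(i - 1) }
        END { print in_bps, out_bps, speed }
    '
}

# util_pct BPS SPEED_MBPS: percent of link capacity in use.
util_pct() {
    awk -v b="$1" -v m="$2" 'BEGIN { printf "%.6f\n", b / (m * 1000000) * 100 }'
}

# fetch_bps USER@HOST IFACE: the live version. The '| match' is JunOS's own
# pipe and runs on the box, so it stays inside the quoted command.
fetch_bps() {
    ssh -o BatchMode=yes "$1" "show interfaces $2 extensive | match bps" | parse_bps
}

# report "IN OUT SPEED": one-line summary. For a real box use
#   report "$(fetch_bps admin@srx.example.net ge-0/1/1)"
# and loop it with sleep if you want a poor man's bandwidth graph.
report() {
    set -- $1
    echo "in=$1 bps ($(util_pct "$1" "$3")%)  out=$2 bps ($(util_pct "$2" "$3")%)  link=$3 Mbps"
}

report "$(printf '%s\n' "$SAMPLE" | parse_bps)"
```

The parser keys on the word "bps" rather than on column positions because JunOS pads those columns differently depending on counter size, and it deliberately ignores the second Input/Output pair so the per-queue zeros don't overwrite the real rate.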
passwordless ssh login
You have to generate a key pair on your Linux server first (a passphrase on the private key is a good idea; the SRX never sees the private half):
```
root@linrouter:~# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
b9:70:89:4c:65:b0:29:0d:0a:52:7b:13:91:e4:eb:67 root@linrouter
The key's randomart image is:
+--[ RSA 2048]----+
|o...=o..o        |
|.. +.+ =         |
|  o = =          |
| . * . o         |
|  . + S          |
|   . o .         |
|    . E .        |
|     o           |
|                 |
+-----------------+
```
Now copy just the public key (it's one long line) into the command you enter on the SRX. You get it with:
```
root@linrouter:~# cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmWk9y00c6NQQhZDE1yWJE0vnYMf2DbfDrytpQ1ZtK6T5tMnHHQR5NwjOtsE2jBKTx3HhaYb/NcV7LJ3XRrY/5K6tSxKND3+fnW+GSKl/h5VWPQEXsiZgNy5Hh9dRQ+HZUinh7gbMo5d/4JLREHF4xEcFvKjGz3Ez7I4xxTHyb6QOKcOvBjou5C089F/BDR7ya/xsQZSAueraeArL3h3RcM8VwLSikmvXsi4xxMscJ9ali+YqTrKiF7o5cd4mdKo9F6cYJW7vK8+pUPdJ/6DbHqvocRp/U3V5fHdljxkD/y0YVBGnNgGEutIt2J3pbfVw7uG9RXwehypm0p9w1V6hF root@linrouter
```
Log in to the SRX from the remote server and put the key on the root account (the line starting with # is a note, not a command):
```
ssh whoever@jun.os.srx.ip
cli
configure
set system services ssh
set system services ssh protocol-version v2
# only enter this if you want to turn password logins off entirely; make sure the key login works first or you lock yourself out:
set system services ssh no-password-authentication
set system root-authentication ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmWk9y00c6NQQhZDE1yWJE0vnYMf2DbfDrytpQ1ZtK6T5tMnHHQR5NwjOtsE2jBKTx3HhaYb/NcV7LJ3XRrY/5K6tSxKND3+fnW+GSKl/h5VWPQEXsiZgNy5Hh9dRQ+HZUinh7gbMo5d/4JLREHF4xEcFvKjGz3Ez7I4xxTHyb6QOKcOvBjou5C089F/BDR7ya/xsQZSAueraeArL3h3RcM8VwLSikmvXsi4xxMscJ9ali+YqTrKiF7o5cd4mdKo9F6cYJW7vK8+pUPdJ/6DbHqvocRp/U3V5fHdljxkD/y0YVBGnNgGEutIt2J3pbfVw7uG9RXwehypm0p9w1V6hF root@linrouter"
commit check
commit and-quit
```
Now you should be able to log in from the Linux server with ssh and it shouldn't ask for a password. Putting the key on root is the quick lab version; for anything you care about, a dedicated admin user with its own login class, with root logins over ssh denied, is the safer shape, and the key should be rolled out with commit confirmed so a typo in the key can't lock you out.
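Added example, not from the original page or from Juniper: the same procedure generalised a little, as a shell script that puts the key on a dedicated admin user instead of root, denies root over ssh, and wraps the change in commit confirmed so that a key that doesn't work simply rolls back. Assumptions of mine: an existing login (root, or any super-user) already works over ssh; the JunOS CLI executes commands fed on its stdin; the private key sits beside the .pub with the same name; admin and srx.example.net are placeholders; the public key in the script is a made-up stand-in, not a real key.

```shell
#!/bin/sh
# Added example (not from the original page): put an ssh key on a dedicated
# admin account rather than root, deny root over ssh, and use
# 'commit confirmed' as the safety net against locking yourself out.
# Assumptions: an existing login already works over ssh; the JunOS CLI
# executes commands arriving on stdin; the private key is PUBKEY_FILE minus
# the .pub suffix; 'admin' and 'srx.example.net' are placeholders.

# Constructed stand-in public key for the offline demo (not a real key).
DEMO_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEMOKEYDEMOKEYDEMOKEY user@linrouter'

# key_config NEWUSER PUBKEY_LINE MINUTES: emit the configure-mode commands.
# JunOS wants just "type base64" inside the quotes, so the key's trailing
# comment field (user@host) is dropped.
key_config() {
    keyval=$(printf '%s\n' "$2" | awk '{ print $1 " " $2 }')
    cat <<EOF
configure
set system login user $1 class super-user
set system login user $1 authentication ssh-rsa "$keyval"
set system services ssh protocol-version v2
set system services ssh root-login deny
commit confirmed $3
exit
EOF
}

# rollout EXISTING@HOST NEWUSER PUBKEY_FILE: push the config with a 5-minute
# auto-rollback, then send the confirming 'commit' over the NEW key as NEWUSER.
# If that login fails nothing confirms, and the box reverts on its own, which
# also undoes 'root-login deny' so the existing account still gets back in.
rollout() {
    host=${1#*@}
    key_config "$2" "$(cat "$3")" 5 | ssh "$1" || return 1
    if printf 'configure\ncommit\nexit\n' |
         ssh -o BatchMode=yes -o PasswordAuthentication=no -i "${3%.pub}" "$2@$host"; then
        echo "key login as $2 works; commit confirmed"
    else
        echo "key login as $2 failed; leaving the confirmed commit to roll back" >&2
        return 1
    fi
}

# Offline demo: print what would be sent. For a real box:
#   rollout root@srx.example.net admin ~/.ssh/id_rsa.pub
key_config admin "$DEMO_PUBKEY" 5
```

The confirming commit is deliberately sent through the new key rather than through the existing session: that single login is the proof that the key works, and after root-login deny the old root session could not have confirmed anyway.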
Traffic shaping
This caps ge-0/0/1 at 300 Mbps: all four default forwarding classes are mapped to the single scheduler Shaping, which carries the 300m shaping-rate, so it's a flat rate limit rather than prioritisation between classes. From configure mode, then commit:
```
set class-of-service interfaces ge-0/0/1 scheduler-map Smap_Shaping
set class-of-service scheduler-maps Smap_Shaping forwarding-class best-effort scheduler Shaping
set class-of-service scheduler-maps Smap_Shaping forwarding-class expedited-forwarding scheduler Shaping
set class-of-service scheduler-maps Smap_Shaping forwarding-class assured-forwarding scheduler Shaping
set class-of-service scheduler-maps Smap_Shaping forwarding-class network-control scheduler Shaping
set class-of-service schedulers Shaping shaping-rate 300m
set class-of-service schedulers Shaping priority low
```
Resources:
command cheat sheet
https://cmdref.net/hardware/junos/index.html