September 10, 2024

Juniper JunOS

Juniper makes a lot of products, but is probably best known for its firewalls. Here we look at some basic management of the SRX line, which runs JunOS.

hook to console

On the front of your SSG there is a console connection. It usually fools people because it looks like a normal network port, but it is really a serial connection that just LOOKS like a network port.

  1. You have to find an adapter that connects a CAT5 cable to a serial cable. Sometimes one is in the Juniper box, but you can also find them online pretty cheaply.
  2. On mine I then had to convert the serial connection to USB, since my laptop only has USB and no serial port. I got a Tripplite one, which I think I found here for about $20. On Windows 7 I also had to download the driver from here; I think it is really the Windows 8 driver, but it worked.
  3. You need a terminal program on your laptop that can talk over a serial connection. I used TeraTerm, which I downloaded from Sourceforge here.
  4. Once I had installed the driver and hooked up USB -> serial -> CAT5 adapter -> CAT5 cable -> SSG console port, I started TeraTerm with the following settings: COM3 (on mine it was just the next COM port above the ones shown before I installed the Tripplite driver, which happened to be COM3), baud rate 9600, 8 data bits, parity none, 1 stop bit, flow control none.
  5. If it worked and you are connected, press Enter a couple of times and you should get a login: prompt.

SRX

The SRX platform runs JunOS, which is FreeBSD-based, rather than the old ScreenOS, so it is a lot different.

When you boot the platform it takes about 3 minutes to come up all the way, which seems like forever. Even after the interface lights come on it is not done booting yet.

You can use a Cisco-style console cable, which has an RJ-45 (Ethernet-looking) connector on one end and a 9-pin serial connector on the other, which you plug into a USB-to-serial dongle such as a Tripp-Lite USA-19HS connected to your laptop. On a Mac, run ls /dev/tty* and look for something like /dev/tty.USA19H141P1.1; that is the console device you want. Then do:

screen /dev/tty.USA19H141P1.1
<enter>
login: root
password:
switchname% cli
switchname> config
Entering configuration mode
[edit]
switchname#

Here are some common commands you’ll use. You’ll have to enter CLI mode to use them after you login. There’s also a web interface, which makes things easier to visualize.

Each command is followed by what it does (the set, delete and commit commands are entered in configure mode):

set system root-authentication plain-text-password
    sets the root password (you are prompted for it)
show config
    shows your configuration
show system software
    shows the installed JunOS version, for example:
        Information for junos:
        Comment:
        JUNOS Software Release [15.1X49-D45]
show int terse
    shows your interfaces
set protocols l2-learning global-mode switching
    changes to a layer 3 switch. You have to do this from 'configure' mode.
commit
    saves (activates) your last commands; you probably should do a commit check first if you want to test them
commit check
    tests your commands before you save them
commit confirmed 1
    commits, but automatically rolls back after 1 minute unless you confirm it with another commit
delete interfaces ge-0/0/0 unit 0 family inet address 192.168.20.2/24
    removes that IP from that interface
request system reboot at now
    reboots the box immediately
set interfaces ge-0/0/0 unit 0 family inet address 192.168.20.2/24
    sets the first interface to 192.168.20.2 netmask 255.255.255.0

Set your previously transparent switch (L2) to a normal Layer 3 router (lines starting with # are commented out):

cli
config
#set protocols l2-learning global-mode switching
 
set system host-name whateveryouwanttocallyourfirewall
 
delete security zones security-zone BT interfaces ge-0/0/0
set security zones security-zone untrust
set security zones security-zone untrust interfaces ge-0/0/0
set security zones security-zone trust1
set interfaces ge-0/0/0 unit 0 family inet address 192.168.20.2/24
#set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode access
rename interfaces ge-0/0/0 unit 0 family inet address 1.2.3.4/24 to address 5.6.7.8/24

troubleshooting JunOS

You can watch stuff happen with some of these commands:

show security flow session destination-prefix 192.168.43.50
show security flow session protocol icmp
show security flow session summary
show security flow session nat
show security flow session nat interface ge-0/0/8.431
show security flow session nat destination-port 5001
set security zones security-zone untrust interfaces ge-0/0/0.0
show security flow statistics
show interfaces flow-statistics ge-0/0/1.0

Or record some session data to a file and look at it later:

configure
set security flow traceoptions file 10debug
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter MatchTraffic source-prefix 192.168.10.0/24 destination-prefix 0.0.0.0/0
commit
exit
exit
tail -f /cf/var/log/10debug

Look for bad things. When you’re done, do:

cli
config
edit security
deactivate flow traceoptions packet-filter MatchTraffic
deactivate flow traceoptions flag basic-datapath
show flow
traceoptions {
    file 10debug;
    inactive: flag basic-datapath;
    inactive: packet-filter MatchTraffic {
        source-prefix 192.168.10.0/24;
        destination-prefix 0.0.0.0/0;
    }
}
commit

merging code

If you have a config file that you changed with a text editor on your desktop, you can upload it via the web interface, but if there are syntax errors it just quits and discards the upload rather than telling you what the issue is.

To get around this, you can cut and paste your config into the terminal after a command that tells you whether there are problems and what they are. To do this:

  1. Open the config file you want to upload in a text editor like Notepad (or whatever).
  2. Select and copy all the text to the clipboard (Windows: ctrl-A then ctrl-C; Mac: apple-A then apple-C).
  3. Connect to your Juniper with the console cable (plug the console cable into the unit and the other end into your USB converter, plug that into your laptop, and on a Mac run: screen /dev/tty.USA19H141P1.1).
  4. Log in, then get into the CLI, NOT THE EDIT MENU.
  5. If you are using iTerm2 on a Mac, select Edit > Paste Special > Paste slow; this makes the terminal paste work better.
  6. Now run this next command, paste the contents of your clipboard, and finish with Ctrl-D:
> test configuration terminal
paste your config now, then press Ctrl-D

Now it will tell you if there are errors, like:

terminal:3:(8) syntax error: test
  [edit system]
    'test;'
      syntax error
terminal:4:(11) statement must contain additional statements: ;
  [edit system login]
    'login ;'
      statement must contain additional statements
configuration syntax failed

The messages give the line number within what you pasted (terminal:3, terminal:4) and the configuration path. Use the "show" command to figure out where the issue is, fix it, then commit the config.
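As an added example (my own, not from the post), here is a Python helper that reads the report test configuration terminal prints, pulls out the line, column, path and offending statement of each error, and quotes the matching line of the local file so you can fix it before loading. The sample config and its line numbers are constructed to match the report shown above; the function names are mine.

```python
import re
from typing import List, NamedTuple
# Hypothetical helper, not from the post: parse the report that
# "test configuration terminal" prints and map it back to the pasted file.
ConfigError = NamedTuple("ConfigError", [("line", int), ("col", int),
                         ("message", str), ("path", str), ("statement", str)])
ERR_RE = re.compile(r"^terminal:(\d+):\((\d+)\)\s+(.*)$")   # terminal:LINE:(COL) msg
PATH_RE = re.compile(r"^\s+\[(edit[^\]]*)\]\s*$")            #   [edit system login]
STMT_RE = re.compile(r"^\s+'(.*)'\s*$")                      #     'login ;'
def parse_test_output(output: str) -> List[ConfigError]:
    """One record per terminal:LINE entry; the indented lines that follow it
    carry the config path and the offending statement, other lines are ignored."""
    found, cur = [], None
    for raw in output.splitlines():
        m = ERR_RE.match(raw)
        if m:
            cur = [int(m.group(1)), int(m.group(2)), m.group(3).strip(), "", ""]
            found.append(cur)
        elif cur is not None and PATH_RE.match(raw):
            cur[3] = PATH_RE.match(raw).group(1)
        elif cur is not None and STMT_RE.match(raw):
            cur[4] = STMT_RE.match(raw).group(1)
    return [ConfigError(*f) for f in found]

def syntax_passed(output: str) -> bool:
    """A failed check always ends with exactly this line."""
    return "configuration syntax failed" not in output

def annotate(config_text: str, output: str) -> List[str]:
    """One readable line per error, quoting the offending line of the pasted config."""
    lines = config_text.splitlines()
    notes = []
    for e in parse_test_output(output):
        src = lines[e.line - 1].strip() if 0 < e.line <= len(lines) else "<line not in file>"
        notes.append(f"line {e.line} [{e.path}] {src!r}: {e.message}")
    return notes

# Constructed sample config holding the two bad statements; the report is the one quoted above.
SAMPLE_CONFIG = "system {\n    host-name lab-srx;\n    test;\n    login ;\n}\n"
SAMPLE_OUTPUT = """terminal:3:(8) syntax error: test
  [edit system]
    'test;'
      syntax error
terminal:4:(11) statement must contain additional statements: ;
  [edit system login]
    'login ;'
      statement must contain additional statements
configuration syntax failed"""
```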

You can also get into the EDIT menu and dump the config straight in there, but if it breaks it might overwrite HALF of your config, or do something weird, and leave you with a very strange config. If you decide to do it anyway, do (paste, then Ctrl-D):

load replace terminal

Reset root password

You have to reboot the unit with a console cable connected and watch the boot process in a terminal. After about a minute of booting you get to a screen where you have to hit the SPACE bar to interrupt the normal boot:

...
Consoles: U-Boot console
Found compatible API, ver. 2.5
 
FreeBSD/MIPS U-Boot bootstrap loader, Revision 2.5
(slt-builder@slt-junos15.juniper.net, Tue Apr  2 12:36:46 PDT 2013)
Memory: 2048MB
[0]Booting from internal-compact-flash slice 2
Un-Protected 1 sectors
writing to flash...
Protected 1 sectors
Loading /boot/defaults/loader.conf
/kernel data=0xb1618c+0x167c syms=[0x4+0x8bb00+0xcabc9]
 
Hit [Enter] to boot immediately, or space bar for command prompt.
 
Type '?' for a list of commands, 'help' for more detailed help.
loader>

Then type

loader> boot -s
Kernel entry at 0x801000e0 ...
init regular console
Primary ICache: Sets 64 Size 128 Asso 4
Primary DCache: Sets 1 Size 128 Asso 64
Secondary DCache: Sets 128 Size 128 Asso 8
GDB: debug ports: uart
GDB: current port: uart
...
Attaching /cf/packages/junos via /dev/mdctl...
Mounted junos package on /dev/md1...
OBooting single-user
Mounting /dev/bo0s3f /cf/var
** /dev/bo0s3f
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 299919 free (127 frags, 37474 blocks, 0.0% fragmentation)
System watchdog timer disabled
Enter full pathname of shell or 'recovery' for root password recovery or RETURN for /bin/sh: recovery

After you type recovery, it eventually enters a recovery shell:

Performing system setup ...
Checking integrity of BSD labels:
  s1: Passed
  s2: Passed
  s3: Passed
  s4: Passed
** /dev/bo0s3e
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 23457 free (9 frags, 2931 blocks, 0.0% fragmentation)
** /dev/bo0s3f
FILE SYSTEM CLEAN; SKIPPING CHECKS
...
Running recovery script ...
machdep.bootsuccess: 1 -> 1
Performing initialization of management services ...
Performing checkout of management services ...
 
NOTE: Once in the CLI, you will need to enter configuration mode using
NOTE: the 'configure' command to make any required changes. For example,
NOTE: to reset the root password, type:
NOTE:    configure
NOTE:    set system root-authentication plain-text-password
NOTE:    (enter the new password when asked)
NOTE:    commit
NOTE:    exit
NOTE:    exit
NOTE: When you exit the CLI, you will be asked if you want to reboot
NOTE: the system
 
Starting CLI ...
root@router>

So it more or less tells you what to do: enter the commands, type your new password, and reboot the system when it asks. If it worked, you can watch it boot until you get to the normal login prompt:

login: root
Password:

Different models have different processes to reset root; here are a few:

EX-4550 juniper link

reset to factory defaults

If you do enough bad things, it is sometimes easier to reset everything from the command line. Here is how:

router> config
[edit]
router# load factory-default
warning: activating factory configuration
[edit]
router# set system root-authentication plain-text-password
New password:
Retype new password: 
router# commit

You should then be able to hook your laptop up to one of the interfaces, like ge-0/0/2, get a DHCP lease, and configure from the web interface, or stick with the CLI and do it there.

monitor bandwidth on an interface

You can also port this to a remote bash script, but run it here interactively first:

show interfaces ge-0/1/1 extensive | match bps
Link-level type: Ethernet, MTU: 1514, MRU: 0, Speed: 1000mbps, Duplex: Full-Duplex, BPDU Error: None,
   Input  bytes  :          17080147150                 1824 bps
   Output bytes  :         128119082354                 4112 bps
        Link mode: Full-duplex, Flow control: Symmetric, Remote fault: OK, Link partner Speed: 1000 Mbps
                              %            bps     %           usec
     Input  bytes  :                    0                    0 bps
     Output bytes  :                    0                    0 bps

You can automate this by following the JunOS video here.
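As an added example (not from the post), here is a Python version of that remote check: it parses the | match bps lines shown above into numbers and flags the link when it exceeds a utilisation threshold. Function and sample names are my own; the sample text is the ge-0/1/1 output above.

```python
import re
from typing import NamedTuple, Optional

# Hypothetical helper, not from the post: parse what
# "show interfaces <ifname> extensive | match bps" prints and judge link load.
class LinkLoad(NamedTuple):
    speed_mbps: int   # from the "Speed: 1000mbps" field on the link-level line
    input_bps: int    # current receive rate
    output_bps: int   # current transmit rate

    def utilisation(self) -> float:
        """Percent of link capacity used by the busier direction."""
        return 100.0 * max(self.input_bps, self.output_bps) / (self.speed_mbps * 1_000_000)

SPEED_RE = re.compile(r"Speed:\s*(\d+)\s*mbps", re.IGNORECASE)
# The first Input/Output bytes pair is the interface counter; the later
# per-queue pairs also match, so only the first hit of each is used.
IN_RE = re.compile(r"Input\s+bytes\s*:\s*\d+\s+(\d+)\s+bps")
OUT_RE = re.compile(r"Output\s+bytes\s*:\s*\d+\s+(\d+)\s+bps")

def parse_bps(output: str) -> Optional[LinkLoad]:
    """None when a field is missing, e.g. the interface is down or misnamed."""
    speed, rx, tx = SPEED_RE.search(output), IN_RE.search(output), OUT_RE.search(output)
    if not (speed and rx and tx):
        return None
    return LinkLoad(int(speed.group(1)), int(rx.group(1)), int(tx.group(1)))

def over_threshold(output: str, limit_pct: float) -> bool:
    """The check a cron job would alert on: busier than limit_pct of line rate."""
    load = parse_bps(output)
    return load is not None and load.utilisation() > limit_pct

# Constructed sample, copied from the ge-0/1/1 output shown above.
SAMPLE = """Link-level type: Ethernet, MTU: 1514, MRU: 0, Speed: 1000mbps, Duplex: Full-Duplex, BPDU Error: None,
   Input  bytes  :          17080147150                 1824 bps
   Output bytes  :         128119082354                 4112 bps
        Link mode: Full-duplex, Flow control: Symmetric, Remote fault: OK, Link partner Speed: 1000 Mbps
     Input  bytes  :                    0                    0 bps
     Output bytes  :                    0                    0 bps
"""
```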

passwordless ssh login

First generate a key on your Linux server:

root@linrouter:~# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
b9:70:89:4c:65:b0:29:0d:0a:52:7b:13:91:e4:eb:67 root@linrouter
The key's randomart image is:
+--[ RSA 2048]----+
|o...=o..o        |
|.. +.+ =         |
|  o = =          |
|   . * . o       |
|    . + S        |
|   .   o .       |
|    . E .        |
|     o           |
|                 |
+-----------------+

Now copy and paste just the key into the next command you enter on the SRX unit. Print it with the command below (ssh-keygen writes the public key as one long line; it is wrapped here for display):

root@linrouter:~# cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmWk9y00c6NQQhZDE1yWJE0vnYMf2DbfDrytpQ1ZtK6T5tMnHHQR5
NwjOtsE2jBKTx3HhaYb/NcV7LJ3XRrY/5K6tSxKND3+fnW+GSKl/h5VWPQEXsiZgNy5Hh9dRQ+HZUinh7gbMo5d
/4JLREHF4xEcFvKjGz3Ez7I4xxTHyb6QOKcOvBjou5C089F/BDR7ya/xsQZSAueraeArL3h3RcM8VwLSikmvXsi4x
xMscJ9ali+YqTrKiF7o5cd4mdKo9F6cYJW7vK8+pUPdJ/6DbHqvocRp/U3V5fHdljxkD/y0YVBGnNgGEutIt2J3pbfV
w7uG9RXwehypm0p9w1V6hF root@linrouter

Log in from the remote server and add the key (the quoted key is one long line, wrapped here for display):

ssh whoever@jun.os.srx.ip
cli
configure
set system services ssh
set system services ssh protocol-version v2
# optional, disables password logins entirely, so only enter it once the key login works: set system services ssh no-password-authentication
set system root-authentication ssh-rsa "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmWk9y00c6NQQhZDE1yWJE0vnYMf2DbfDrytpQ1ZtK6T5tMnHHQR5
NwjOtsE2jBKTx3HhaYb/NcV7LJ3XRrY/5K6tSxKND3+fnW+GSKl/h5VWPQEXsiZgNy5Hh9dRQ+HZUinh7gbMo5d
/4JLREHF4xEcFvKjGz3Ez7I4xxTHyb6QOKcOvBjou5C089F/BDR7ya/xsQZSAueraeArL3h3RcM8VwLSikmvXsi4x
xMscJ9ali+YqTrKiF7o5cd4mdKo9F6cYJW7vK8+pUPdJ/6DbHqvocRp/U3V5fHdljxkD/y0YVBGnNgGEutIt2J3pbfV
w7uG9RXwehypm0p9w1V6hF root@linrouter"
commit check
commit and-quit

Now you should be able to log in from your remote Linux server using ssh, and it should not ask you for a password.

Traffic shaping

These commands apply a 300 Mbps shaping rate to every forwarding class on ge-0/0/1 (the # prompt shows they are entered in configure mode):

# set class-of-service interfaces ge-0/0/1 scheduler-map Smap_Shaping
# set class-of-service scheduler-maps Smap_Shaping forwarding-class best-effort scheduler Shaping
# set class-of-service scheduler-maps Smap_Shaping forwarding-class expedited-forwarding scheduler Shaping
# set class-of-service scheduler-maps Smap_Shaping forwarding-class assured-forwarding scheduler Shaping
# set class-of-service scheduler-maps Smap_Shaping forwarding-class network-control scheduler Shaping
# set class-of-service schedulers Shaping shaping-rate 300m
# set class-of-service schedulers Shaping priority low

Resources:

command cheat sheet
https://cmdref.net/hardware/junos/index.html

SRX for beginners