Showing posts with label junos. Show all posts

Thursday, January 12, 2012

Juniper: SRX / J-Series: Configure syslog to enable the web policy log

JUNOS J-Web Policy Log display
So, you've just installed a new SRX in place of your NetScreen, so you go through Config / Security / Policy FW and add a new policy, and you tick the check-boxes for logging session-init and session-close.
You start some traffic that matches the policy, go back to J-Web to view the policy logs... and find nothing! Why?
This is because you first need to configure syslog in a specific way so that J-Web can display the logs.
As you may or may not know, all components of the JUNOS config work internally with XML. So you need to create a structured-data (XML-style) syslog file.
Two ways to do so:
- directly with J-Web,
- manually with the CLI.

CLI Method
Under the CLI, in configuration mode, you have to configure this:
[edit system syslog]
root@gwoob#
file policy_session {
    user info;
    match RT_FLOW;
    archive size 1000k world-readable;
    structured-data;
}

by entering the commands:
set system syslog file policy_session user info
set system syslog file policy_session match RT_FLOW
set system syslog file policy_session archive size 1000k
set system syslog file policy_session archive world-readable
set system syslog file policy_session structured-data

J-Web Method
If you have no log under Monitor / Events and Alarms / Security Events,
you have to click the button "Create log configuration" in the middle panel. Same path (Monitor / Events and Alarms / Security Events).

Now you will be able to see the policy logs.

Phil.
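As an added example (my code, not Phil's and not Juniper's): once the policy_session file above is filling up, it is useful to be able to read those RT_FLOW records without J-Web, for instance when they are forwarded to a collector. The Python snippet below parses the structured-data format the file uses (an RFC 5424 header, then one bracketed element of key="value" pairs, then the optional English text), runs over three constructed sample lines, and summarises sessions per policy. The host name gwoob is taken from the prompt in the post; the addresses, zone and policy names and the number after junos@ are made up.

```python
import re
from collections import Counter

# Three constructed sample records in the JUNOS structured-data syslog format
# (RFC 5424 header, then one [junos@... key="value" ...] element, then the
# optional English text). The host gwoob comes from the prompt in the post; the
# addresses, zone/policy names and the number after junos@ are made up.
SAMPLE_LOG = """\
<14>1 2012-01-12T09:15:01.123Z gwoob RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.36 source-address="10.0.0.5" source-port="51234" destination-address="192.0.2.10" destination-port="443" service-name="junos-https" protocol-id="6" policy-name="trust-to-untrust" source-zone-name="trust" destination-zone-name="untrust" session-id-32="2001"] session created 10.0.0.5/51234->192.0.2.10/443 junos-https
<14>1 2012-01-12T09:15:43.456Z gwoob RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.36 reason="TCP FIN" source-address="10.0.0.5" source-port="51234" destination-address="192.0.2.10" destination-port="443" service-name="junos-https" protocol-id="6" policy-name="trust-to-untrust" source-zone-name="trust" destination-zone-name="untrust" session-id-32="2001" packets-from-client="12" bytes-from-client="1860" packets-from-server="10" bytes-from-server="5120" elapsed-time="42"] session closed TCP FIN
<14>1 2012-01-12T09:16:10.000Z gwoob RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.36 source-address="10.0.0.7" source-port="40000" destination-address="192.0.2.20" destination-port="23" service-name="junos-telnet" protocol-id="6" policy-name="default-deny" source-zone-name="trust" destination-zone-name="untrust"] session denied 10.0.0.7/40000->192.0.2.20/23 junos-telnet
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()

# RFC 5424 header fields, then the structured-data element. Inside the
# brackets a literal ']' or '"' is escaped with a backslash, so the params
# group accepts any escaped character instead of ending at it.
HEADER_RE = re.compile(
    r'^<(?P<pri>\d+)>(?P<ver>\d+)\s+(?P<ts>\S+)\s+(?P<host>\S+)\s+'
    r'(?P<app>\S+)\s+(?P<procid>\S+)\s+(?P<msgid>\S+)\s+'
    r'\[(?P<sdid>[^\s\]]+)\s*(?P<params>(?:[^\]\\]|\\.)*)\](?P<text>.*)$'
)
PARAM_RE = re.compile(r'(?P<key>[\w.-]+)="(?P<value>(?:[^"\\]|\\.)*)"')


def parse_structured_line(line):
    """Return a dict with the header fields and a params dict, or None if
    the line is not a structured-data record."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        return None
    rec = {k: m.group(k) for k in ("pri", "ts", "host", "app", "procid", "msgid", "sdid")}
    rec["params"] = {
        key: re.sub(r"\\(.)", r"\1", value)  # undo the SD-PARAM escaping
        for key, value in PARAM_RE.findall(m.group("params"))
    }
    rec["text"] = m.group("text").strip()
    return rec


def summarise(lines):
    """Count events per (policy, message id), add up the bytes of closed
    sessions per policy and list the denied flows: a minimal view of what
    the policy log carries, independent of J-Web."""
    events = Counter()
    bytes_by_policy = Counter()
    denied = []
    for line in lines:
        rec = parse_structured_line(line)
        # The file filter 'match RT_FLOW' already restricts what lands in
        # policy_session; a forwarded stream may be mixed, so check again.
        if rec is None or rec["app"] != "RT_FLOW":
            continue
        p = rec["params"]
        policy = p.get("policy-name", "?")
        events[(policy, rec["msgid"])] += 1
        if rec["msgid"] == "RT_FLOW_SESSION_CLOSE":
            bytes_by_policy[policy] += int(p.get("bytes-from-client", 0)) + int(p.get("bytes-from-server", 0))
        elif rec["msgid"] == "RT_FLOW_SESSION_DENY":
            denied.append((p.get("source-address"), p.get("destination-address"), p.get("destination-port")))
    return events, bytes_by_policy, denied


if __name__ == "__main__":
    ev, by, den = summarise(SAMPLE_LINES)
    for (policy, msgid), n in sorted(ev.items()):
        print(f"{policy:20} {msgid:26} {n}")
    print("bytes per policy:", dict(by))
    print("denied flows:", den)
```

Feed it the policy_session file (or the same lines received from a syslog collector) instead of SAMPLE_LINES; the session-close records are the ones that carry byte counts and the close reason, which is why both session-init and session-close logging were ticked in the policy.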

Wednesday, August 10, 2011

JUNOS: HOWTO create an olive

What's an olive ?

"Olive" is the codename given to a virtualized JUNOS router/switch/firewall operating system.

But right now only the router version can be virtualized, as a VMware, QEMU or VirtualBox image.

Then you have the choice between the M/T-series JUNOS version (i.e. without the flow module) or a J-series JUNOS version, with the flow module. The flow module can track sessions, so you can have a stateful firewall.


The easiest way to create one olive.


I tried different methods; the last one described is my preferred.

Some people first install a FreeBSD base system version 4.4, then install JUNOS version 7, then version 8, and then version 9. For me this is neither the cleanest nor the easiest way to do it.

I prefer to download the install media image package, which is a raw image of the CompactFlash card, and copy it onto a virtual disk with the dd tool.

The goal is to extract/copy the content of the disk image to a virtual disk; I'll use a FreeBSD LiveCD named Frenzy.
So you have to access some files from your virtual image: first the disk image, second a copy of the new fstab.mr. Here you have many choices:

  • using a USB stick,
  • using a pre-formatted virtual disk with FAT,
  • using network transfer with ssh/scp,
  • using network transfer with ftp,
  • .....

Personally I prefer using a pre-formatted vdisk with FAT, so I can map the disk on the Windows host and copy whatever file I need, and do so remotely.

HINT: with VMware Workstation, you can't attach a USB stick to the guest when accessing the host remotely (i.e. with RDP).

Preparing the Virtual Images

For the JUNOS:

  • Memory: 512 MB
  • Processors: 1
  • HardDisk 1: Type=IDE, Size=1 GB, Option=Independent, Persistent
  • HardDisk 2: Type=IDE, Size=1 GB, Option=Independent, Persistent
  • Network Adapter 1: Bridged (as you want)
  • Network Adapter 2: Bridged (as you want)
  • Network Adapter 3: Bridged (as you want)
  • Network Adapter 4: Bridged (as you want)
  • USB Controller: Present
  • Display: Auto Detect


For the Frenzy:

  • Memory: 256 MB
  • Processors: 1
  • HardDisk 1: Type=IDE, Size=20 GB, Option=Independent, Persistent, formatted FAT with a WinXP VM
  • HardDisk 2: Type=IDE, Existing, HDD 1 from the JUNOS VM
  • HardDisk 3: Type=IDE, Existing, HDD 1 from the JUNOS VM
  • CD/DVD: Type=IDE, Using file: link to the frenzy.iso
  • Network Adapter 1: Bridged (as you want)
  • USB Controller: Present (or not)
  • Display: Auto Detect


For the VDISK:
Using a Windows VM: don't forget to first create the disk (IDE, 20 GB), boot Windows, and with the Disk Manager create a primary partition and format it with FAT. Then stop the Windows VM.

Preparing the Files:

Map the VDISK:

using VM-Workstation, map the vdisk using:

File>Map or Disconnect Virtual Disk

don't forget to map it with read/write rights !


Install Media:

You need to download the disk image from the Juniper.net website.
As a reminder, those files are named like this:

junos-jsr-9.3R4.4-export-cf1024  # JUNOS for J-series with flow support, 1 GB CompactFlash image

junos-jseries-9.3R4.4-export-cf1024 # JUNOS for J-series without flow support, 256 MB CompactFlash image


Select the one you need, and copy it to the vdisk.


fstab.mr file:

You need to modify the fstab file; it should look something like this:

# Device      Mountpoint  FStype  Options  Dump  Pass#
/dev/md0      /           cd9660  ro       0     0
proc          /proc       procfs  rw       0     0
/dev/ad1s1d   /config     ufs     rw       2     2
/dev/ad1s1b   none        swap    sw       0     0


Copy the files, the JUNOS image and fstab.mr, to the FAT partition. Then unmount the partition from Windows.

Preparing the Disks:

For the rest of the preparation steps, we work inside the Frenzy VM, booted from the LiveCD.

First DISK

This one is easy, you just have to dd the junos file:

First, mount / as read/write:

mount -o rw /

normally the FAT partition should be automatically mounted; if not:
mkdir /mnt/ad0s1.fat
mount -t msdosfs /dev/ad0s1 /mnt/ad0s1.fat

copy the content of the disk image to the virtual disk:
dd if=/mnt/ad0s1.fat/junos-jseries-9.3R4.4-export-cf1024 of=/dev/ad1

When it is done, mount the first slice of the disk you just wrote (ad1, not the FAT disk ad0) and copy the fstab:
mount -t ufs /dev/ad1s1a /mnt/tmp
cp /mnt/ad0s1.fat/fstab.mr /mnt/tmp/cf/etc/

Then create a /config dir:

mkdir /config

Now launch sysinstall,

go to Configure > Disk, then choose the ad2 disk,

then create a partition of 1000M:

press C then enter 1000M,
partition type will be 165,
type W,
you can install the standard MBR, click OK,
type Q to quit.

Then in sysinstall go to Label, and add 2 labels:

one of 500M for the filesystem,
another one for swap.

Quit; that should be sufficient.

NETWORK Interface: E1000

Be sure to use a network interface of type E1000; for this, edit the .vmx file of your virtual machine.

Below the line
ethernet0.present = "True"

add
ethernet0.virtualDev = "e1000"


do the same for the other interfaces.



Reminder: All the Steps

  1. Have the frenzy livecd
  2. Have a junos system media file
  3. Create the virtual machine
  4. Add a hard-drive of 1Go
  5. Add another hard-drive of 1Go
  6. boot on the frenzy livecd
  7. copy the content of system media file to the hard-drive, via dd
  8. mount the first slice of this HDD and copy the fstab.mr file to /mnt/tmp/cf/etc
  9. mount / with read-write option
  10. create the /config dir
  11. launch sysinstall
  12. create a partition with type 165, with Fdisk
  13. create a standard boot manager
  14. create a slice of 100M with label, type is FS, mountpoint is /config
  15. create a slice for the swap
  16. halt the virtual machine
  17. add network interface to the virtual machine
  18. verify that the type is e1000
  19. Boot the vm.


Tune frenzy

at the boot loader you can set your language:

lang=fr

when booted, sometimes you need to modify the disks after mounting/unmounting them, so you need to tune the system:

sysctl kern.geom.debugflags=16


TODO

This post is a draft; I need to reread it to find mistakes, but if you understand what you are doing, you should have a working olive:

philippe@jseries1> show version
Hostname: jseries1
Model: olive
JUNOS Software Release [9.3R4.4] (Export edition)





Tuesday, March 29, 2011

Juniper: How to reset to factory default a SRX

SRX: different way to reset to factory-default

So, you may know the standard way, the taught way, I mean pressing the reset micro-button for 15 seconds. This method works fine on J-series, but not on some SRX, and not on MX series...

So, I will try to write down some of the methods I used to reset Juniper devices to factory default.

Factory Default, really ?

First, we need to define what exactly a factory-default reset is. Is it just putting the configuration back to its initial state? Just that? And what do you do with all the log files? The debug files? The saved configurations?

It is a security breach to leave everything inside the box, so putting a device back to the factory-default state is not just about the configuration: it is mainly everything, even the SSH host key. We want to generate a new one, because the old one is not trusted anymore.

Lets start.

Lose the root password.
The common process is to boot in single-user mode:

At boot, after U-Boot, once the bootstrap loader is loaded, you can hit the space bar when you see:

Hit [Enter] to boot immediately, or space bar for command prompt.

so you should see:

FreeBSD/MIPS U-Boot bootstrap loader, Revision 1.5
(builder@ormonth.juniper.net, Fri Oct  9 10:55:15 UTC 2009)
Memory: 1024MB
[0]Booting from nand-flash slice 2
Un-Protected 1 sectors
writing to flash...
Protected 1 sectors
Loading /boot/defaults/loader.conf
/kernel data=0x97d8ac+0xd70d0 syms=[0x4+0x79c50+0x4+0xadd2e]
 

Hit [Enter] to boot immediately, or space bar for command prompt.


Loader>
Loader> watchdog disable
Loader> boot -s
root@host% cli
root@host> edit
root@host# set system root-authentication plain-text-password
New password: juniper1
Retype new password: juniper1
root@host# commit
commit complete
root@host# run request system reboot
Reboot the system ? [yes,no] (no) yes

Root password on the SRX platform
On SRX Branch platforms running JUNOS 10.0R1 or later, there is a condition in which the password recovery process does not work. After issuing the recovery command, the system never reaches the point where the root password can be changed; it reboots instead. So we need to apply a specific procedure to recover the root password on SRX Branch devices running Junos 10.0R1 or later. This involves disabling the watchdog to allow the system to properly boot into single-user mode.

 

Hit [Enter] to boot immediately, or space bar for command prompt.
Booting [kernel] in 9 seconds...
Loader>
Loader> watchdog disable
Loader> boot -s

Change the root password, reboot, and don't forget to re-enable the watchdog and boot in normal mode:

 

Hit [Enter] to boot immediately, or space bar for command prompt.
Booting [kernel] in 9 seconds...
Loader>
Loader> watchdog enable
Loader> boot

Damned, HA is enabled

If you're lucky, your device is in master mode, so you can just disable HA:

{primary:node1}
root@titi> set chassis cluster disable reboot
Successfully disabled chassis cluster. Going to reboot now

But if you're not lucky, your device is in hold state, and when you try to reset the root password in single-user mode, you can't:

Starting CLI ...
{hold:node1}
root> edit
warning: Clustering enabled; using private edit
error: shared configuration database modified

Please temporarily use 'configure shared' to commit
outstanding changes in the shared database, exit,
and return to configuration mode using 'configure'

{hold:node1}
root>

Ok, so deleting all the interfaces in the configuration seems to allow me to finally commit.

Then reboot and disable the cluster:

root> set chassis cluster disable

TRUE Factory default

So, to delete all the logs, the dumps, the rollbacks, the root password in the factory-default config, and even to reset the host SSH key, you need to zeroize the device:

root> request system zeroize
warning: System will be rebooted and may not boot without configuration
Erase all data, including configuration and log files? [yes,no] (no) yes

warning: zeroizing re0

....
....

Local package initialization:.
starting local daemons:.
kern.securelevel: -1 -> 1
Creating JAIL MFS partition...
JAIL MFS partition created

Database Initialization Utility
RDM Embedded 7 [04-Aug-2006] http://www.birdstep.com
Copyright (c) 1992-2006 Birdstep Technology, Inc.  All Rights Reserved.

secdb initialized

Database Initialization Utility
RDM Embedded 7 [04-Aug-2006] http://www.birdstep.com
Copyright (c) 1992-2006 Birdstep Technology, Inc.  All Rights Reserved.

dfacache initialized

Boot media /dev/da0 has dual root support
** /dev/da0s2a
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 58564 free (44 frags, 7315 blocks, 0.0% fragmentation)
Tue Mar 29 14:41:31 UTC 2011

Amnesiac (ttyu0)

login: root

--- JUNOS 10.2R3.10 built 2010-10-16 20:36:59 UTC

root@%
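An added example, not from the post and not Juniper's code: after a zeroize the device boots with a freshly generated SSH host key, so the entry your admin workstations keep in known_hosts is stale and must be replaced (after confirming the new fingerprint on the console, which is the only channel you trust at that point). The Python snippet below computes the SHA256 fingerprint that ssh-keygen -l prints from a known_hosts line and reports whether the key a device now presents differs from the recorded one. The host name srx-branch, the address 192.0.2.1 and the two 32-byte key bodies are constructed placeholders, not real keys.

```python
import base64
import hashlib
import struct


def _ssh_string(b):
    """Length-prefixed string as used in the SSH wire format."""
    return struct.pack(">I", len(b)) + b


def make_ed25519_blob(pubkey_bytes):
    """Build the wire-format blob of an ssh-ed25519 public key: the key type
    string followed by the 32-byte public key (RFC 8709 layout)."""
    return _ssh_string(b"ssh-ed25519") + _ssh_string(pubkey_bytes)


def fingerprint(blob):
    """SHA256 fingerprint in the form ssh-keygen -l prints (base64, no padding)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text):
    """Return {host: (keytype, fingerprint)} from known_hosts lines with
    plain (unhashed) host names; comments and short lines are skipped."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        hosts, keytype, b64 = parts[0], parts[1], parts[2]
        fp = fingerprint(base64.b64decode(b64))
        for h in hosts.split(","):
            out[h] = (keytype, fp)
    return out


def host_key_changed(known_hosts_text, host, presented_blob):
    """True if the key the device now presents differs from the one recorded
    for host, False if it matches, None if nothing is recorded (first
    contact: verify the fingerprint out of band, e.g. on the console)."""
    recorded = parse_known_hosts(known_hosts_text).get(host)
    if recorded is None:
        return None
    return recorded[1] != fingerprint(presented_blob)


# Constructed data: the 32-byte bodies are placeholders, not real Ed25519 keys.
OLD_KEY = make_ed25519_blob(bytes(range(32)))        # key recorded before the zeroize
NEW_KEY = make_ed25519_blob(bytes(range(32, 64)))    # key the device presents afterwards
KNOWN_HOSTS = "srx-branch,192.0.2.1 ssh-ed25519 " + base64.b64encode(OLD_KEY).decode() + "\n"

if __name__ == "__main__":
    print("recorded:", fingerprint(OLD_KEY))
    print("presented:", fingerprint(NEW_KEY))
    print("changed after zeroize:", host_key_changed(KNOWN_HOSTS, "srx-branch", NEW_KEY))
```

In practice you would read ~/.ssh/known_hosts and take the presented key from ssh-keyscan output for the device; a result of True right after a zeroize is expected, the same result at any other time is the warning sign that the client's "REMOTE HOST IDENTIFICATION HAS CHANGED" message exists for.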



EX series TIPS
LINECARD
Sometimes your switch can be in the linecard state, which means that no routing engine is running on it. So you first need to enable one.
Example of a linecard prompt:
root@:LC:0% cli
{linecard:0}
root>
To enable the RE mode:

root> request virtual-chassis reactivate

This member split from a virtual chassis. Please make sure that no active
switch belonging to this virtual chassis has conflicting configuration.

Do you want to continue ? [yes,no] (no) yes

{linecard:0}
root>
Amnesiac (ttyu0)

login:
Amnesiac (ttyu0)

login:
Amnesiac (ttyu0)

root@:RE:0%      

so now you can configure the switch.

MEMBER-ID is not 0
So, if your switch was a member of a virtual chassis and its member-id was from 1 to 9, you can't leave it as is, because all your interface configuration that belongs to ge-0/0/0 through ge-0/0/47 won't be enabled...
So you need to renumber your device:

{master:1}
root> request virtual-chassis renumber new-member-id 0 member-id 1

Note: replace 1 with your actual member-id.

the prompt changes:

{master:0}
root>

That's all for the moment.

Friday, August 27, 2010

JUNOS: vlan tagging

Junos: How to configure a tag on a L3 interface?

So, you have a L3 interface and want to add an IEEE 802.1Q VLAN tag;

here is how to do so:

root@s1> show configuration interfaces me0
description "MGMT INTERFACE - DO NOT DELETE";
vlan-tagging;
unit 101 {
    vlan-id 101;
    family inet {
        address 10.150.8.161/16;
    }
}




Friday, July 23, 2010

Junos: v9 config on Junos v8

Compatibility between v8 and v9 configuration

security {
    zones {
        security-zone trust {
            interfaces {
                all {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
    policies {
        default-policy {
            permit-all;
        }
    }
}