Please consider donating: https://www.corelan.be/index.php/donate/


65,214 views

Juniper Firewall ScreenOS Basics (CJFV)

ScreenOS Concepts & Terminology

The following document is based on ScreenOS v5.4.0r7.0

– Interface = connection to a specific subnet. An interface is assigned an IP address only if firewall is operating in L3 mode. Default interface names can vary on different Netscreen devices.
– Zone : logical grouping of subnets and interfaces. All devices within a zone share the same security requirements
– Firewall functionality is based upon policies. Policy specifies which traffic is to be permitted to pass through the firewall. Policies are implemented on a per zone basis : leaving one zone and entering another zone
– Virtual Router = logical routing construct. Each VR has its own routing table and routing logic. Routing part of kernel/firewall engine.
– Forwarding table : used to determine outbound interface for a particular packet
– Virtual System : logical division of the device into multiple administrative areas
– Firewalls track traffic based on flows and sessions (= 2-way flows)

A Netscreen OS based device consists of

– One or more Virtual Systems (VSYS)
– Each VSYS contains one or more Virtual Routers (VR)
– Each VR contains
    * One routing table
    * One or more zones
       Each zone contains
          – One or more interfaces
          – Optional policies within a zone (intrazone)
    * Policies between zones within the same VR
– A VSYS can have policies between zones in different VR’s

A policy can only be applied to traffic between two different zones

image

Exception : if you enable "Block Intra-subnet traffic" on a specific interface, you can create policies within a zone as well.  This behaviour is disabled by default, and would require proper routing to be set up

Command Line conventions

When configuring the device from CLI, you must enter a ‘save’ command in order to write the changed configuration to disk.  When using the GUI, settings are saved automatically when you click "Apply" or "OK"

Most configurations can be defined using ‘set’ and ‘unset’. You can see configuration parameters using ‘get’
A ? (question mark) will show (context sensitive) help

You can use tab completion and abbreviated commands

If you want to see the current configuration, use ‘get conf’

If you want to see the current system information, use ‘get system’

You can filter the output of a command by using | incl ‘searchpattern’

You can use up&down arrows to browse through already used commands.

 

Managing the device config, backup and firmware updates

You can reset to factory-default settings using

unset all
Erase all system config, are you sure y/[n] y
reset
Configuration modified, save? [y]/n  n
System reset, are you sure y/[n]  y
In reset ...

The first command ‘unset all’ will reset the saved config, not the running config.

After entering the reset command, you must answer ‘n’ to the question to save the modified config, otherwise you would be saving the running config again to the saved config.

Note : root password and certificates are not reset by the ‘unset all’ command

Backup the configuration to a tftp server :

save config from flash to tftp 192.168.0.102 <filename>

Note : the Juniper firewall does not provide for a scheduled task/crontab engine. This means that you cannot schedule a backup and store the backup file on a tftp server. However, you can do it the other way around (connect from a server and download the file from the filesystem)

1. Create a read only administrator account on the firewall

set admin user "ReadOnlyAdminBackup" password "TheReadOnlyPassword" privilege read-only

save

2. Download pscp from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

Note : some scp clients try to use sftp first, but this is not supported by screenos. Make sure, if you decide to use another scp client than pscp.exe, to verify that the client supports setting a parameter that forces the use of scp.

3. Enable scp on the firewall :

set scp enable

save

3. Place the pscp.exe on a server that is allowed to access the firewall over ssh/scp

4. Create a batch file on the server that looks like this :

pscp -scp -l ReadOnlyAdminBackup -pw "TheReadOnlyPassword" 

    192.168.0.1:ns_sys_config d:\backups\ssg550_backup.cfg

5. Create a folder on the server called d:\backups

6. Use the scheduled tasks on the server to schedule this script.  The first time, run the command yourself. pscp will prompt you to accept a host key, so you’ll need to run this command manually at least once.

The filesystem on a SSG device looks like this :

firewall1-> get file
    flash:/CONFIG.BIN                     112
    flash:/$NSBOOT$.BIN               9554671
    flash:/golerd.rec                       0
    flash:/certfile.cfg                  8425
    flash:/envar.rec                       45
    flash:/license.key                    361
    flash:/expire.rec                      23
    flash:/ns_sys_config                19615
    flash:/dnstb.rec                       41
    flash:/usrterms.txt                   515
    flash:/prngseed.bin                    32
    flash:/attacks.sig                 201470

 

 

Restore the configuration from a tftp server :

save config from tftp 192.168.0.102 <filename> to flash
save config from tftp 192.168.0.102 <filename> merge

‘to flash’ = config will be active at next boot

‘merge’ = config will be merged and activated right away – use with caution !

NEVER perform an update/config restore using the GUI – always use the CLI !

Backup the Operating System :

save software from flash to tftp 192.168.0.102 <filename>

 

Upgrade the Operating System :

save software from tftp 192.168.0.102 <filename> to flash

Always read the release notes – sometimes, a new bootloader is required. Reboot the device after performing the software upgrade. Make sure the upgrade process is not interrupted or you might cause irrepairable damage to the system.

Get OS version :

get sys | incl Software
Software Version: 5.4.0r7.0, Type: Firewall+VPN

Reboot device :

reset

 

Recovery of the device :

– Restore firmware at boot time. If you have a corrupted flash image, but the bootloader still works, you can interrupt the boot process ("Hit any key to run loader" -> Press any key during the first couple of seconds of the boot process), and upload a new software version from a tftp server. You will need to set a local (self) IP address and the IP address of the tftp server – which needs to be on the same subnet – during the restore wizard.  You will be prompted to save the file to flash, and whether you want to run the downloaded image.

– Reset to factory defaults and restore config to flash

– System (asset) recovery :

  * Login using serial number as username  &  password

  * Use pinhole on some devices :

      – Press until flashing light changes to orange

      – Release and count 3 seconds, then press again until flashing red

      – All leds will flash, device will reboot

If you want to use the last procedure, this functionality has to be enabled on the device :

set admin device-reset
set admin hw-reset

The asset recovery procedure will allow you to overcome the problem of a lost password, however this procedure is quite destructive. It will remove all settings (including root password and certificates) from the device, so you’ll need to reconfigure the device, or restore a recent backup file.  You can see when an asset recovery has been performed on the device by looking at the control serial number in the output of a ‘get sys’

get sys
Product Name: SSG-550
Serial Number: 999999999999 , Control Number: 00000000
Hardware Version: 0000(0)-(00), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Software Version: 5.4.0r7.0, Type: Firewall+VPN
Feature: AV-K

Every time an asset recovery is performed, the Control Number is increased by one.

 

Zones & Interface configuration

On a SSG-550, these are the default zones :

firewall1-> get zone
----------------------------------------------------------------------
  ID Name               Type    Attr    VR          Default-IF   VSYS
   0 Null               Null    Shared untrust-vr   hidden       Root
   1 Untrust            Sec(L3) Shared trust-vr     null         Root
   2 Trust              Sec(L3)        trust-vr     null         Root
   3 DMZ                Sec(L3)        trust-vr     null         Root
   4 Self               Func           trust-vr     self         Root
   5 MGT                Func           trust-vr     null         Root
   6 HA                 Func           trust-vr     null         Root
  10 Global             Sec(L3)        trust-vr     null         Root
  11 V1-Untrust         Sec(L2) Shared trust-vr     v1-untrust   Root
  12 V1-Trust           Sec(L2) Shared trust-vr     v1-trust     Root
  13 V1-DMZ             Sec(L2) Shared trust-vr     v1-dmz       Root
  14 VLAN               Func    Shared trust-vr     vlan1        Root
  15 V1-Null            Sec(L2)        trust-vr     l2v          Root
  16 Untrust-Tun        Tun            trust-vr     hidden.1     Root 

You can create your own zones and assign them to a VR. Every Virtual Router has its own routing table. In standard configurations, you’ll have multiple zones, but only one Virtual Router (trust-vr). If you are using dynamic routing protocols and you want to separate routing tables, you may need multiple Virtual Routers.

After creating a custom interface, you’ll have to assign the interface to a zone. Then you can assign an IP address to an interface.  You can only assign an IP address after an interface has been assigned to a zone.

Don’t use 255.255.255.255 as a subnetmask for the IP address of an interface. Use the networks’s subnetmask, so the firewall can determine the "local subnet"

 

Initial device configuration

Connect, change passwords, create admin accounts

– Connect to the console using serial connection (9600bps, 8 bit, no parity, 1 stop bit, no flow control)

– Default username & password : netscreen / netscreen

(Change the password right away. Pay attention : you cannot recover the netscreen password easily, so don’t forget this password !). 

set admin password "ThisIsANewButBadPassword"
save

Optionally, you can change the default administrator account. In this example, I’m changing the username to "administrator"

set admin name netscreen "administrator"
save

Create administrator account and assign rights (read-only or read-write)

set admin user "username" password "password" privilege all
set admin user "readonlyuser" password "readonlypassword" privilege read-only
save

By default, the internal database is used for admin authentication, but you can use an external resource (Radius, ldap, …) for admin authentication as well.

Set minimum password length to 8 and number of admin attempts to 2

set admin password restrict length 8
set admin access attempts 2
save

 

If you want to restrict "root" login to console only, use

set admin root access console
save

You can get all users and all ssh users, using the following commands :

get admin user
get admin ssh all

 

Set hostname

set hostname "firewall1"
save

 

Set zones & interfaces

By default, the device has 3 zones : Trust, Untrust and DMZ.   The interface in Trust mode is set to nat mode by defualt, all other interfaces are in route mode.   By default, the device allows outbound access ‘From Trust to Untrust) and blocks incoming access (default policy : deny)

I recommend not to use any of these 3 zones, but to create your own zones, and assign your interfaces to your custom zones. I also do not recommend using interfaces in nat mode, but use route mode instead.

Create 2 zones : One zone for Internet, one zone for your LAN, and assign the zones to a VR :

set zone "Internet"
set zone "Internet" vrouter trust-vr

set zone "Lan"
set zone "Lan" vrouter trust-vr

save

 

Assign interface ethernet0/1 to Internet, and interface ethernet0/2 to Lan.

set interface ethernet0/1 zone "Internet"
set interface ethernet0/2 zone "Lan"
save

See zone configuration :

firewall1-> get zone
Total 16 zones created in vsys Root - 10 are policy configurable.
Total policy configurable zones for Root is 10.
------------------------------------------------------------------------
  ID Name               Type    Attr    VR          Default-IF   VSYS
   0 Null               Null    Shared untrust-vr   hidden       Root
   1 Untrust            Sec(L3) Shared trust-vr     null         Root
   2 Trust              Sec(L3)        trust-vr     null         Root
   3 DMZ                Sec(L3)        trust-vr     null         Root
   4 Self               Func           trust-vr     self         Root
   5 MGT                Func           trust-vr     null         Root
   6 HA                 Func           trust-vr     null         Root
  10 Global             Sec(L3)        trust-vr     null         Root
  11 V1-Untrust         Sec(L2) Shared trust-vr     v1-untrust   Root
  12 V1-Trust           Sec(L2) Shared trust-vr     v1-trust     Root
  13 V1-DMZ             Sec(L2) Shared trust-vr     v1-dmz       Root
  14 VLAN               Func    Shared trust-vr     vlan1        Root
  15 V1-Null            Sec(L2)        trust-vr     l2v          Root
  16 Untrust-Tun        Tun            trust-vr     hidden.1     Root
 100 Lan                Sec(L3)        trust-vr     ethernet0/2  Root
 101 Internet           Sec(L3)        trust-vr     ethernet0/1  Root      

The zone name has to be unique across all VR’s

Assign Lan interface a private static IP address, assign Interface a static IP address or DHCP IP address :

set interface ethernet0/2 ip 192.168.0.1/24

set interface ethernet0/1 ip 1.1.1.1/29
set interface ethernet0/1 dhcp client enable
save

Tip : if you need to define multiple interfaces in the same IP subnet, you’ll have to enable this first in the vrouter

set vrouter trust-vr ignore-subnet-conflict
save

 

Note : Pay attention to the subnetmask when configuring a firewall interface. Don’t use /32 or the firewall won’t work.

Set both interfaces in route mode

set interface ethernet0/1 route
set interface ethernet0/2 route
save
 
Set interface duplex and speed parameters (if required ! – by default, autonegotiation works fine)
set interface ethernet0/2 phy ?
auto                 auto negotiation
full                 force full duplex
half                 force half duplex
holddown             holddown time
link-down            bring down link

set interface ethernet0/2 phy full ?
1000mb               1000Mbps
100mb                100Mbps
10mb                 10Mbps
 
Activate license, configure routing and anti-spoofing
It is advised to install your license now.  You’ll need to activate your device on the Juniper website, and then you can run the exec license-key update  command to retrieve your license key.  Use the "save" command to save the license key on the device.
 
In order to download the key, the device needs to have access to the internet, so you’ll have to create a default route and configure DNS resolution first :
Assuming that your firewall has a static public IP address 1.1.1.1 and that the internet router (default gateway) is 1.1.1.2, and your public DNS is at 2.2.2.2, then you can use the following commands to allow the firewall to access the internet :
set route 0.0.0.0/0 gateway 1.1.1.2
set dns host dns1 2.2.2.2 src-interface ethernet0/1
save
 
Now you can install the license key :
firewall1-> exec license-key update
License key was retrieved successfully.
License keys have been updated.
You must reset the device for the new setting to take effect.
firewall1-> save
firewall1-> reset

After rebooting, you can verify that the key was installed correctly using

firewall1-> get license-key
di_db_key           : JDkdLZidzoad9ZçjdklDIODiodaodiaOODIDZAdkdlazdD93+D
                      DKJ393jdLDKlcdkdLKZCnCZALDIdzidldjidLDZEIDJIZIODOD
                      DZKJLDLLIEDiODIJDELlkkLD/
                      bdazjlDIZDlldiIED0O93jdKLDZJIDO3DOJEIOLDJKLLDKDKDK
                      DKDJKLDlID9D9DKldjdklDJIDIDOZDNSQCCBZJK2E238ldklde
                      DZKALldiç3IK3LLjdkl30DJKLDL3ZJJKLL/
                      DKJLKddlzlzjkLDIZIlazkalJDII3CBNQDMJKDLKMkdlekldek
                      DZKLjdlkJD/DJKLDL3LJDKL3IOMOMKDLK==
expire date: 2009/01/1
Model:              Advanced
Sessions:           128064 sessions
Capacity:           unlimited number of users
NSRP:               ActiveActive
VPN tunnels:        1000 tunnels
Vsys:               None
Vrouters:           8 virtual routers
Zones:              512 zones
VLANs:              150 vlans
Drp:                Enable
Deep Inspection:    Enable
Deep Inspection Database Expire Date: 2012/01/01

(don’t bother – I have used a random string as db_key in my example…)

 
Depending on how your network looks like, you may or may not need to add more routes to your firewall.
By default, a route is "dynamic". This means that, if the interface that ‘hosts’ the route goes down, the route is removed from the routing table. So if you have 2 interfaces that have a route to the same subnet, but with a different cost, you can create some dynamic routing based on interface status.  Of course, you can create a permanent route as well, that is not affected by interface status.
Let’s assume that you have another subnet 192.168.1.0/24 that is in your Lan, setting behind router 192.168.0.10, then this would be the command to add the route to your firewall (to trust-vr by default) :
set route 192.168.1.0/24 gateway 192.168.0.10 permanent
save
 
If you want to create a route in a specific (non default) VR, you can use this statement :
set vrouter YourOwn-vr route 192.168.0.0/24 interface ethernet0/3 gateway 10.1.1.1

save

 

You can get the routing table using
get route
A route with type C = connected subnet

You will see an entry for the IP address of every ethernet interface, with type "H". This is not a real route and will not be used during route evaluation. When debugging, these host entries will be referred to as "SELF"

Equal cost multipath routing is allowed

ScreenOS supports source-based and destination-based routing, and supports RIP, OSPF and BGP

 
You can test routes using the "get route" statement.  This will show the route/interface it will use to get to the target host or network :
firewall-> get route ip 192.168.1.15

Dest for 192.168.1.15

--------------------------------------------------------------------------------

trust-vr : => 192.168.1.0/24 (id=16) via 192.168.0.10 (vr: trust-vr)

Interface ethernet0/2 , metric 1
 
You can also verify routing using the ping and trace-route commands. If you launch ‘ping’ without any parameters, you enter the extended ping mode.  This allows you to specify the target IP, number of pings, datagram size, timeout, and source interface.
 
You can remove a route using the unset command :
firewall1-> unset route 4.4.4.0/24
total routes deleted = 1
 
If you are using multiple VR’s, you’ll need to set up routing between the two VR’s.  For that matter, you can use the name of each VR as gateway on both VR’s
 
 
Anti-spoofing :
L3 mode : based on routing tables

L2 mode : based on address list entries

Anti-spoofing requires your routing table to be set up correctly.  You can enable anti-spoofing on a per zone basis :
set zone "Internet" screen ip-spoofing

save

 

If you want to check for reverse-path routes to drop or allow traffic, use this command :

set zone "Internet" screen ip-spoofing drop-no-rpf-route

save
 
 
Restrict management to/from certain IP addresses and on certain management services

Management services :

– Telnet, SSH, HTTP(s), snmp, ping, ident

– Can be enabled/disabled per interface and optioanlly set to a virtual IP address on the interface (manage ip)

– Traffic for these management services can be allowed from certain IP addresses only (manager-ip)

– Always disable ident, unless you have problems with AS400 RPC connections

First, disable management services on all interfaces :

unset interface ethernet0/1 manage
unset interface ethernet0/2 manage
unset interface ethernet0/1 ip manageable
unset interface ethernet0/2 ip manageable
save

 

Create a virtual IP address on the Lan interface (192.168.0.2) to allow local administrators to connect :

set interface ethernet0/2 manage-ip 192.168.0.2set interface ethernet0/2 ip manageablesave

You can see the virtual IP address that is used to host the management services using this command :

get int ethernet0/2 | incl manage
manage ip 192.168.0.2, mac 0010.dbe2.c300

Enable management services on Lan interface :

set admin http redirect
set interface ethernet0/2 manage ssh
set interface ethernet0/2 manage ssl
set ssl encrypt 3des sha-1
set interface ethernet0/2 manage web
save

If you want to disable one of the management services (e.g. disable ping to the Lan interface), use

unset interface ethernet0/2 manage ping

save

If you want to allow management on all services, use this command :

set interface ethernet0/2 manage

Only allow traffic from management station 192.168.0.5  Note : configure this via the console cable, as you may cut off your own connection if you don’t specify your own IP address first.

set admin manager-ip 192.168.0.5 255.255.255.255
save

You can see the IP addresses that are allowed to access the management services using the following commands :

get sys | incl "Mng Host"

Mng Host IP: 192.168.0.5/255.255.255.255

  get admin manager-ip

Mng Host IP: 192.168.0.5/255.255.255.255

You can define up to 6 IP addresses as manager-ip

Set console timeout. Default = 10 minutes, recommended : 5 minutes :

set console timeout 5
save

Tip : you can get the open/listening ports on the device using the “get socket” command.

 

Set up NTP, DNS, SNMP and Syslog

NTP :

set ntp server 192.168.0.3
set ntp server src-interface ethernet0/2
set ntp timezone 1
set clock timezone 1
set clock ntp
save
get clock

exec ntp update

The last command will force a manual ntp update

DNS :

set dns host dns1 192.168.0.4 src-interface ethernet0/2
set domain mydomain.com
set dns host schedule 04:00 interval 4
save

The dns host schedule interval defines the cache refresh time for DNS hostnames that are defined in the address list.

If you already had a DNS entry because of the license key installation, you can remove that entry using an unset command :

unset dns host dns1

SNMP :

set snmp community "MyROCommunity" Read-Only Trap-on traffic version v1
set snmp host "MyROCommunity" 192.168.0.100 255.255.255.255 src-interface ethernet0/2 trap v1
set snmp port listen 161
set snmp port trap 162
save

Syslog :

set syslog config "192.168.0.101"
set syslog config "192.168.0.101" facilities local0 local1
set syslog src-interface ethernet0/2
set syslog enable
save

 

Address Lists and Policies

Default policy is defined in "Global" Zone (default deny). By default, deny will be applied, but you won’t see this when querying the device.  It is recommended to set the global policy to any any deny, that way you can see the global policies if you want to

firewall1-> get policy all | incl Global
No global policy!Default deny.
firewall1-> set policy global any any deny
firewall1-> save
 
Firewall policies are always created between two different zones. (exception : if you have enabled intrazone blocking, you can apply policies for traffic within the same zone)
If traffic does not match any of the rules, then the global policy applies. This means that you don’t need a any any deny policy for every Source Zone to Target Zone ruleset definition.
 
Before you can create firewall policies, you’ll need "address" definitions and "service" definitions.
First, you need to create an address (host or network) in a specific zone :
set address "Lan" "Proxyserver1" 192.168.0.200 255.255.255.255 "Proxy Server 1"
set address "Lan" "LanNetwork1" 192.168.0.0 255.255.255.0 "Local Network 1"
set address "Lan" "LanNetwork2" 192.168.1.0 255.255.255.0 "Local Network 2"

save

You can create an address multiple times, and in multiple zones at the same time.  Suppose you have a remote host that can be reached via 2 different routes over 2 different interfaces, that are in different zones, then you’ll need to define the same host twice.

You can group addresses using the GUI or CLI :

set group address "Lan" "LocalNetworks" add "LanNetwork1"
set group address "Lan" "LocalNetworks" add "LanNetwork2"

Next, you can create custom services. The device is already pre-loaded with some services, so verify that the service does not exist yet.

set service "MyCustomService" protocol tcp src-port 0-65535 dst-port 1234-1234
save
Note : you can group services as well, which is the preferred method over creating rules with multiple individual services. During evaluation of the policy, every source/target/service rule will be split up, causing the device to use more resources.
 
Now you are ready to create a policy.
– New policies are added to the bottom of the list. Use the GUI to rearrange the new policy (or command line : e.g. ‘set policy move 5 before 4’)
– Make sure to manually activate nat-src for traffic going to the internet ! (see later – Address Translation)
– Policy actions can be permit, deny, reset or tunnel
– Policies can be scheduled (one time, recurring). If you have created a one time policy, the policy will not be removed automatically, so you’ll need to clean up afterwards
– You can negate source or destination addresses using the "negate" statement in the policy definition
 
If you want to allow the proxy server to access all hosts on the internet, on port 1234, then use the following statement :
set policy from "Lan" to "Internet" "ProxyServer1" ANY "MyCustomService" nat src permit

save
 
You can get the policies using
get policy from "Lan" to "Internet"
 
I must admit – I like the CLI a lot, but if you want to create and manage policies, it’s just so much easier to use the HTTPS GUI for policy management.
 
How does Juniper handle packets & sessions ?
image
(This model is called the 5-tuple)
 

Debugging & Troubleshooting Policies

ScreenOS has quite some features that allow for debugging. I will now explain the major debug functions that apply to the debugging of firewall policies. We’ll have a look at some of the other debugging parameters that apply to VPN tunnels later on.
2 main tools for debugging : "debug" and "snoop"
The most common tool used is debug.  It allows you to follow packet handling and decisions that are made by the device. You can set some filters to look for specific traffic.  Strings you may want to look for are :
– "existing session found"
– "packet dropped, no route"
– "not interested"
– "packet dropped, denied by policy"
Snoop is essentially a sniffer.  While it shows you the entire conversation, it does not really show what the firewall decides and why it has decided to act in a specific way when a certain packet has arrived at the firewall. Therefore, it is recommended to use debug instead of snoop.
 
The debug buffer is max 32k large. You can get information about the debug buffer and set a custom buffer size using the following commands :
get dbuf info
set dbuf size 

save
 
First of all, before you activate debug, make sure to clear the buffer and to clear any filters that may have been set
firewall1-> clear dbuf
firewall1-> unset ffilter
filter 0 removed
firewall1-> unset ffilter
invalid id
(repeat unset ffilter until you get the invalid id warning. This ensure that all filters have been cleared first)
 
Start debugging using the following command :
debug flow basic
 
Generate some traffic. If you are ready, press ‘ESC’ in the console to stop debugging (or use the ‘undebug all’ command)
You can get the contents of the debug buffer using
get dbuf stream

Optionally, you can send the entire buffer to a text file on a tftp server using

get dbuf str > tftp 192.168.0.102 debug.log
Note : don’t forget to ‘ESC’ debug (or use ‘undebug all’)…  if you disconnect from the console while debug is still running, it may cause some memory problems on the device, causing you to reboot the device…
 
You can set filters that will be applied during the debug process :
firewall1-> set ffilter ?
<return>
dst-ip               flow filter dst ip
dst-port             flow filter dst port
ip-proto             flow filter ip proto
src-ip               flow filter src ip
src-port             flow filter src port
Options :

Logical AND :

– enter options on the same line

– all conditions must be present

set ffilter src-uip 1.1.1.1 dst-ip 2.2.2.2 ip-prot 6
Logical OR :

– enter options on separate lines

– any condition can be present

set ffilter src-ip 1.1.1.1 dst-ip 2.2.2.2 ip-prot 6
set ffilter src-ip 2.2.2.3
set ffilter dst-port 80
You can see the currently set filter using :
get ffilter

 

 
By default, debug output is sent to the buffer. But you can also send the output to the console :
firewall1-> get console
Console timeout: 10(minute), Page size: 22/22, debug: buffer
privilege 250, config has not been changed!, default save prompt on exit/reset: yes
ID State  Duration Task Type   Host
 0 Login       439 21309696 SSH    192.168.137.120:62596
 1 Logout        0 21314736 Local
 2 Logout        0 21303816 Local
 3 Logout        0 21284496 Local
firewall1-> unset console dbuf
firewall1-> get console
Console timeout: 10(minute), Page size: 22/22, debug: console
privilege 250, config was changed and not saved!, default save prompt on exit/reset: yes
ID State  Duration Task Type   Host
 0 Login       454 21309696 SSH    192.168.137.120:62596
 1 Logout        0 21314736 Local
 2 Logout        0 21303816 Local
 3 Logout        0 21284496 Local
firewall1-> set console dbuf
firewall1-> get console
Console timeout: 10(minute), Page size: 22/22, debug: buffer
privilege 250, config was changed and not saved!, default save prompt on exit/reset: yes
ID State  Duration Task Type   Host
 0 Login       464 21309696 SSH    192.168.137.120:62596
 1 Logout        0 21314736 Local
 2 Logout        0 21303816 Local
 3 Logout        0 21284496 Local
 
 
Some other usefull commands to troubleshoot policies :
– get session
(and upload the output to http://tools.juniper.net/fsa)
– get policy
– get address
– get service
– get service pre-defined
– get conf
– get log traffic
 
You can activate traffic logs by editing a policy :
set policy id 1
set log
exit
save
 
Alarms
Traffic or event alarms may trigger the alarm led on the device to turn red. You can clear the alarms using
clear alarm traffic
clear alarm event
clear led alarm
 
Traffic counters
You can use traffic graphical traffic counters for traffic that matches a policy. You need to activate accounting using the following commands :
set policy id 1
set count
exit
save
You can see the graphical counter from the GUI (by clicking the hourglass icon in the policy)
image
 
or get the raw data using
get counter policy 1 <time>
(where
Counters will be reset at boot.
 
If you ever need to work with Juniper Tech Support, they will probably ask you to run a get tech support and send the output to them.  This command generates a big log file that contains all of the configurations on your device.  If you need to run this command, it may be wise to send the output to a tftp server right away :
get tech support > tftp 192.168.0.102 get_tech_support.txt
 
For more info about debugging and troubleshooting : have a look at http://forums.juniper.net/jnet/board/message?board.id=Firewalls&thread.id=2719
 
 

Address Translation Basics

ScreenOS supports 2 types of Address Translation : Interface based or policy based.  As stated earlier, I do not recommend using interface based address translation.  Interface based address translation

– puts ingress interface in NAT mode

– source IP address is translated to IP address of egress interface

– is easy but allows no flexibility whatsoever

– unidirectional only

– default setup : from Trust to Untrust and from DMZ to Untrust

You can turn off interface based address translation by putting all interfaces in route mode.

When using policy based nat, you’ll have to apply NAT to every rule. This may require some discipline and concentration, but it also allow maximum flexibility and has more features than "nat for dummies" interface based nat.

Policy based nat can be used from any zone to any zone, based on a policy. It allows for unidirectional NAT (nat-src, nat-dst, VIP) and bidirectional NAT (MIP).  There are several options available for when and how you want to perform NAT :

– application based

– number of routable addresses

– number of internal devices and servers

There are 4 main types of policy based nat :

nat-src : translate source address to another source address. Typically used to allow hosts within private network to access internet

nat-dst : translate destination address. Typically used to translate public IP to a private IP (when a private server needs to be accessible from the internet)

VIP (Virtual IP) : One to Many mapping that statically associates public address with many internal addresses, based upon ports/applications

MIP (Mapped IP) : One to One mapping : static association of a public IP with a private IP

nat-src

Unidirectional, has 2 modes : egress interface IP or DIP

Best known for allowing private IP addresses to access the internet via public IP address of firewall.

When using the egress interface mode, it essentially performs the same way as interface based nat.

nat-src can use DIP as well :

– defined on egress interface (can be tunnel interface as well !)

– custom specified IP, a range of IP’s (round robin), or a IP-Shift range (careful for overflow ! Shift : same amount of IP’s on both sides of the connection)

– IP (or range) must be in same subnet as 
    * Primary IP or egress interface

    * Secondary IP of egress interface

    * Extended IP on egress interface (which can be in different subnet as primary or secondary IP !)

– Can be used on multiple policies

– Max 252 DIP address sets across all interfaces, and 254 addresses per DIP set

– Cannot contain the primary IP itself or another address (MIP, VIP)

– Port translation : always enable if you want to avoid conflicts, leave disabled if there is a specific reason (e.g. Sometimes IPSec requires source and destination ports to be set to 500 at all times. Result : only 1 concurrent connection to same destination IP is possible)

– First create DIP on interface, then use in (each) policy

nat-dst

One-to-one mapping

Many-to-one mapping

Many-to-many mapping

Port translation (fixed port, set by admin)

One-to-one, unidirectional

Example :

– Source : remote public IP, destination : “public” IP on your firewall

– After translation : Source : unchanged, destination : internal IP, on all ports

Watch out : policy (with nat-dst rule) only becomes effective when traffic flows between zones, However, public IP is in “Untrust” zone (Furthermore, it is a host entry, and host entry routes are not used in the "5 tuple" process – see packet handling diagram earlier in this post)

Solution :

– Create address list (host) entry for public IP/32 in your Lan zone ! (or use a secondary IP and create address list entry to secondary IP)

– Add static route to the public IP/32 and point route to interface (not gateway) in your “Lan” zone

– Create policy from Internet to Lan, from ANY to Host Entry in Trusts zone (which points to public IP) and invoke nat-dst

One-to-many

Virtual IP (VIP)

Only works when the interface is in the Untrust zone.  If you’re not using Untrust zone (as recommended by me :) ), then you can accomplish the same thing using nat-dst.

You cannot use the real Public IP. The VIP IP must be in the same subnet as the public IP though.

Create set of Public IP / Private IP+Port combinations within a VIP

Used to allow on or more multiple services to be reachable from other zone, using a single IP

Example :

—Real Public IP : 1.1.1.1, VIP : 1.1.1.2, internal network = 192.168.0.0/24

—Port 21 on 1.1.1.2 must be mapped to 192.168.0.1 on port 21

—Port 80 on 1.1.1.2 must be mapped to 192.168.0.2 on port 8080

—Port 515 on 1.1.1.2 must be mapped to 192.168.0.3 on port 515

—Remote client only uses 1.1.1.2 as destination address (which is the VIP)

Configuration : create a VIP on the public interface

No routing or host entry required. Only use a policy and use the VIP address in the destination field.

Which ports need to be allowed in the policy ?  Port 21, 80 and 515 ?  Or port 21, 8080 and 515 ?

Answer : 21, 80, 515. The firewall will handle the port translation itself.

 

One-to-one, bidirectional

MIP

– No port translation

– Defined on outward facing interface

– (Target/Host)Address can be defined in any subnet, it does not need to be associated with any of the interfaces. As long as the firewall and upstream routers can route to that IP, it will work

– Config :

Create MIP (public IP + IP of host to route traffic to. Host IP : set subnetmask to /32 (If you use something else, you’ll do IP shifting)

Create policy and invoke MIP

 

Note on NAT : Using NAT may become quite complex. I could write an entire blog post on NAT alone, so if you have specific questions, don’t hesitate to contact me directly.

 

NAT application precedence

image

 

Authentication

ScreenOS supports two types of authentication :

– Firewall authentication (this requires that traffic matches a policy to trigger the login dialog). This policy must permit at least one of the following protocols : HTTP, Telnet, FTP.  The firewall will basically perform a "mitm" to present you with an authentication login page.

– WebAuth : requires the user to browse to a designated webpage first and logon before a policy is applied.

You can find more information on how to set up WebAuth in conjunction with Windows IAS Radius on the following blog post on this website : Using Active Directory and IAS based Radius for Netscreen WebAuth authentication

 

The alarm led

If you notice that the alarm led on your device turns red, then it may be caused because screening is enabled, and one of the following events occurred :

Emergency:

Syn Attack

Tear Drop Attack

Ping of Death

Alert:

Winnuke Attack

IP Spoof Attack

IP Source Route Attack

Land Attack

ICMP Flood

UDP Flood

Port Scan Attack

Address Sweep

Policy Deny Alarms

 

The led will turn red if one of these attacks was detected. You can clear the red led using ‘clear led alarm’

© 2008 – 2021, Peter Van Eeckhoutte (corelanc0d3r). All rights reserved.

2 Responses to Juniper Firewall ScreenOS Basics (CJFV)

Corelan Training

We have been teaching our win32 exploit dev classes at various security cons and private companies & organizations since 2011

Check out our schedules page here and sign up for one of our classes now!

Donate

Want to support the Corelan Team community ? Click here to go to our donations page.

Want to donate BTC to Corelan Team?



Your donation will help funding server hosting.

Corelan Team Merchandise

You can support Corelan Team by donating or purchasing items from the official Corelan Team merchandising store.

Protected by Copyscape Web Plagiarism Tool

Corelan on Slack

You can chat with us and our friends on our Slack workspace:

  • Go to our facebook page
  • Browse through the posts and find the invite to Slack
  • Use the invite to access our Slack workspace
  • Categories