{"id":680,"date":"2008-06-22T13:46:11","date_gmt":"2008-06-22T11:46:11","guid":{"rendered":"http:\/\/www.corelan.be:8800\/index.php\/2008\/06\/22\/juniper-firewall-screenos-basics-cjfv\/"},"modified":"2008-06-22T13:46:11","modified_gmt":"2008-06-22T11:46:11","slug":"juniper-firewall-screenos-basics-cjfv","status":"publish","type":"post","link":"https:\/\/www.corelan.be\/index.php\/2008\/06\/22\/juniper-firewall-screenos-basics-cjfv\/","title":{"rendered":"Juniper Firewall ScreenOS Basics (CJFV)"},"content":{"rendered":"

ScreenOS Concepts & Terminology<\/h4>\n

The following document is based on ScreenOS v5.4.0r7.0<\/p>\n

- Interface = connection to a specific subnet. An interface is assigned an IP address only if firewall is operating in L3 mode. Default interface names can vary on different Netscreen devices.
- Zone : logical grouping of subnets and interfaces. All devices within a zone share the same security requirements
- Firewall functionality is based upon policies. Policy specifies which traffic is to be permitted to pass through the firewall. Policies are implemented on a per zone basis : leaving one zone and entering another zone
- Virtual Router = logical routing construct. Each VR has its own routing table and routing logic. Routing part of kernel\/firewall engine.
- Forwarding table : used to determine outbound interface for a particular packet
- Virtual System : logical division of the device into multiple administrative areas
- Firewalls track traffic based on flows and sessions (= 2-way flows)<\/p>\n

A Netscreen OS based device consists of<\/p>\n

- One or more Virtual Systems (VSYS)
- Each VSYS contains one or more Virtual Routers (VR)
- Each VR contains
    * One routing table
    * One or more zones
       Each zone contains
          - One or more interfaces
          - Optional policies within a zone (intrazone)
    * Policies between zones within the same VR
- A VSYS can have policies between zones in different VR's<\/p>\n

A policy can only be applied to traffic between two different zones<\/p>\n

\"image\"<\/a><\/p>\n

Exception : if you enable "Block Intra-subnet traffic" on a specific interface, you can create policies within a zone as well.  This behaviour is disabled by default, and would require proper routing to be set up<\/p>\n

Command Line conventions<\/h4>\n

When configuring the device from CLI, you must enter a 'save' command in order to write the changed configuration to disk.  When using the GUI, settings are saved automatically when you click "Apply" or "OK"<\/p>\n

Most configurations can be defined using 'set' and 'unset'. You can see configuration parameters using 'get'
A ? (question mark) will show (context sensitive) help<\/p>\n

You can use tab completion and abbreviated commands<\/p>\n

If you want to see the current configuration, use 'get conf'<\/p>\n

If you want to see the current system information, use 'get system'<\/p>\n

You can filter the output of a command by using | incl 'searchpattern'<\/p>\n

You can use up&down arrows to browse through already used commands.<\/p>\n

 <\/p>\n

Managing the device config, backup and firmware updates<\/h4>\n

You can reset to factory-default settings using<\/p>\n

\n
unset all<\/strong>\nErase all system config, are you sure y\/[n]<\/font> y<\/strong>\nreset<\/strong>\nConfiguration modified, save? [y]\/n<\/font>  n<\/strong>\nSystem reset, are you sure y\/[n]<\/font>  y<\/strong>\nIn reset ...<\/font><\/pre>\n<\/div>\n
The first command 'unset all' will reset the saved config, not the running config.<\/p>\n
After entering the reset command, you must answer 'n' to the question to save the modified config, otherwise you would be saving the running config again to the saved config.<\/p>\n
Note : root password and certificates are not reset by the 'unset all' command<\/p>\n
Backup the configuration to a tftp server :<\/p>\n
\n
save config from flash to tftp 192.168.0.102 <<\/span>filename<\/span>><\/span><\/pre>\n<\/div>\n
Note : the Juniper firewall does not provide for a scheduled task\/crontab engine. This means that you cannot schedule a backup and store the backup file on a tftp server. However, you can do it the other way around (connect from a server and download the file from the filesystem)<\/p>\n
1. Create a read only administrator account on the firewall<\/p>\n
\n
set admin user "ReadOnlyAdminBackup" password "TheReadOnlyPassword" privilege read-only\n\nsave<\/pre>\n<\/div>\n
2. Download pscp from http:\/\/www.chiark.greenend.org.uk\/~sgtatham\/putty\/download.html<\/a> <\/p>\n
Note : some scp clients try to use sftp first, but this is not supported by screenos. Make sure, if you decide to use another scp client than pscp.exe, to verify that the client supports setting a parameter that forces the use of scp.<\/p>\n
3. Enable scp on the firewall :<\/p>\n
\n
set scp enable\n\nsave<\/pre>\n<\/div>\n
3. Place the pscp.exe on a server that is allowed to access the firewall over ssh\/scp<\/p>\n
4. Create a batch file on the server that looks like this :<\/p>\n
\n
pscp -scp -l ReadOnlyAdminBackup -pw "TheReadOnlyPassword" \n\n    192.168.0.1:ns_sys_config d:\\backups\\ssg550_backup.cfg<\/pre>\n<\/div>\n
5. Create a folder on the server called d:\\backups<\/p>\n
6. Use the scheduled tasks on the server to schedule this script.  The first time, run the command yourself. pscp will prompt you to accept a host key, so you'll need to run this command manually at least once.<\/p>\n
The filesystem on a SSG device looks like this :<\/p>\n
\n
firewall1-><\/span> get file\n    flash:\/CONFIG.BIN                     112\n    flash:\/$NSBOOT$.BIN               9554671\n    flash:\/golerd.rec                       0\n    flash:\/certfile.cfg                  8425\n    flash:\/envar.rec                       45\n    flash:\/license.key                    361\n    flash:\/expire.rec                      23\n    flash:\/ns_sys_config                19615\n    flash:\/dnstb.rec                       41\n    flash:\/usrterms.txt                   515\n    flash:\/prngseed.bin                    32\n    flash:\/attacks.sig                 201470<\/font><\/pre>\n<\/div>\n
 <\/p>\n
 <\/p>\n
Restore the configuration from a tftp server :<\/p>\n
\n
save config from tftp 192.168.0.102 <<\/span>filename<\/span>><\/span> to flash\nsave config from tftp 192.168.0.102 <<\/span>filename<\/span>><\/span> merge<\/pre>\n<\/div>\n
'to flash' = config will be active at next boot<\/p>\n
'merge' = config will be merged and activated right away - use with caution !<\/p>\n
NEVER perform an update\/config restore using the GUI - always use the CLI !<\/p>\n
Backup the Operating System :<\/p>\n
\n
save software from flash to tftp 192.168.0.102 <<\/span>filename<\/span>><\/span><\/pre>\n<\/div>\n
 <\/p>\n
Upgrade the Operating System :<\/p>\n
\n
save software from tftp 192.168.0.102 <<\/span>filename<\/span>><\/span> to flash<\/pre>\n<\/div>\n
Always read the release notes - sometimes, a new bootloader is required. Reboot the device after performing the software upgrade. Make sure the upgrade process is not interrupted or you might cause irrepairable damage to the system.<\/p>\n
Get OS version :<\/p>\n
\n
get sys | incl Software\nSoftware Version: 5.4.0r7.0, Type: Firewall+VPN<\/pre>\n<\/div>\n
Reboot device :<\/p>\n
\n
reset<\/pre>\n<\/div>\n
 <\/p>\n
Recovery of the device :<\/p>\n
- Restore firmware at boot time. If you have a corrupted flash image, but the bootloader still works, you can interrupt the boot process ("Hit any key to run loader" -> Press any key during the first couple of seconds of the boot process), and upload a new software version from a tftp server. You will need to set a local (self) IP address and the IP address of the tftp server - which needs to be on the same subnet - during the restore wizard.  You will be prompted to save the file to flash, and whether you want to run the downloaded image.<\/p>\n
- Reset to factory defaults and restore config to flash<\/p>\n
- System (asset) recovery :<\/p>\n
  * Login using serial number as username  &  password<\/p>\n
  * Use pinhole on some devices :<\/p>\n
      - Press until flashing light changes to orange<\/p>\n
      - Release and count 3 seconds, then press again until flashing red<\/p>\n
      - All leds will flash, device will reboot<\/p>\n
If you want to use the last procedure, this functionality has to be enabled on the device :<\/p>\n
\n
set admin device-reset\nset admin hw-reset<\/pre>\n<\/div>\n
The asset recovery procedure will allow you to overcome the problem of a lost password, however this procedure is quite destructive. It will remove all settings (including root password and certificates) from the device, so you'll need to reconfigure the device, or restore a recent backup file.  You can see when an asset recovery has been performed on the device by looking at the control serial number in the output of a 'get sys'<\/p>\n
\n
get sys\nProduct Name: SSG-550\nSerial Number: 999999999999 , Control Number: 00000000<\/font>\nHardware Version: 0000(0)-(00), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)\nSoftware Version: 5.4.0r7.0, Type: Firewall+VPN\nFeature: AV-K<\/pre>\n<\/div>\n
Every time an asset recovery is performed, the Control Number is increased by one.<\/p>\n
 <\/p>\n
Zones & Interface configuration<\/h4>\n
On a SSG-550, these are the default zones :<\/p>\n
\n
firewall1-><\/span> get zone\n----------------------------------------------------------------------\n  ID Name               Type    Attr    VR          Default-IF   VSYS\n   0 Null               Null    Shared untrust-vr   hidden       Root\n   1 Untrust            Sec(L3) Shared trust-vr     null         Root\n   2 Trust              Sec(L3)        trust-vr     null         Root\n   3 DMZ                Sec(L3)        trust-vr     null         Root\n   4 Self               Func           trust-vr     self         Root\n   5 MGT                Func           trust-vr     null         Root\n   6 HA                 Func           trust-vr     null         Root\n  10 Global             Sec(L3)        trust-vr     null         Root\n  11 V1-Untrust         Sec(L2) Shared trust-vr     v1-untrust   Root\n  12 V1-Trust           Sec(L2) Shared trust-vr     v1-trust     Root\n  13 V1-DMZ             Sec(L2) Shared trust-vr     v1-dmz       Root\n  14 VLAN               Func    Shared trust-vr     vlan1        Root\n  15 V1-Null            Sec(L2)        trust-vr     l2v          Root\n  16 Untrust-Tun        Tun            trust-vr     hidden.1     Root <\/pre>\n<\/div>\n
You can create your own zones and assign them to a VR. Every Virtual Router has its own routing table. In standard configurations, you'll have multiple zones, but only one Virtual Router (trust-vr). If you are using dynamic routing protocols and you want to separate routing tables, you may need multiple Virtual Routers.<\/p>\n
After creating a custom interface, you'll have to assign the interface to a zone. Then you can assign an IP address to an interface.  You can only assign an IP address after an interface has been assigned to a zone.<\/p>\n
Don't use 255.255.255.255 as a subnetmask for the IP address of an interface. Use the networks's subnetmask, so the firewall can determine the "local subnet"<\/p>\n
 <\/p>\n
Initial device configuration<\/h4>\n
Connect, change passwords, create admin accounts<\/h5>\n
- Connect to the console using serial connection (9600bps, 8 bit, no parity, 1 stop bit, no flow control)<\/p>\n
- Default username & password : netscreen \/ netscreen<\/p>\n
(Change the password right away. Pay attention : you cannot recover the netscreen password easily, so don't forget this password !).  <\/p>\n
\n
set admin password "ThisIsANewButBadPassword"\nsave<\/pre>\n<\/div>\n
Optionally, you can change the default administrator account. In this example, I'm changing the username to "administrator"<\/p>\n
\n
set admin name netscreen "administrator"\nsave<\/pre>\n<\/div>\n
Create administrator account and assign rights (read-only or read-write)<\/p>\n
\n
set admin user "username" password "password" privilege all\nset admin user "readonlyuser" password "readonlypassword" privilege read-only\nsave<\/pre>\n<\/div>\n
By default, the internal database is used for admin authentication, but you can use an external resource (Radius, ldap, ...) for admin authentication as well.<\/p>\n
Set minimum password length to 8 and number of admin attempts to 2<\/p>\n
\n
set admin password restrict length 8\nset admin access attempts 2\nsave<\/pre>\n<\/div>\n
 <\/p>\n
If you want to restrict "root" login to console only, use<\/p>\n
\n
set admin root access console\nsave<\/pre>\n<\/div>\n
You can get all users and all ssh users, using the following commands :<\/p>\n
\n
get admin user\nget admin ssh all<\/pre>\n<\/div>\n
 <\/p>\n
Set hostname<\/p>\n
\n
set hostname "firewall1"\nsave<\/pre>\n<\/div>\n
 <\/p>\n
Set zones & interfaces<\/h5>\n
By default, the device has 3 zones : Trust, Untrust and DMZ.   The interface in Trust mode is set to nat mode by defualt, all other interfaces are in route mode.   By default, the device allows outbound access 'From Trust to Untrust) and blocks incoming access (default policy : deny)<\/p>\n
I recommend not to use any of these 3 zones, but to create your own zones, and assign your interfaces to your custom zones. I also do not recommend using interfaces in nat mode, but use route mode instead.<\/p>\n
Create 2 zones : One zone for Internet, one zone for your LAN, and assign the zones to a VR :<\/p>\n
\n
set zone "Internet"\nset zone "Internet" vrouter trust-vr\n\nset zone "Lan"\nset zone "Lan" vrouter trust-vr\n\nsave<\/pre>\n<\/div>\n
 <\/p>\n
Assign interface ethernet0\/1 to Internet, and interface ethernet0\/2 to Lan.<\/p>\n
\n
set interface ethernet0\/1 zone "Internet"\nset interface ethernet0\/2 zone "Lan"\nsave<\/pre>\n<\/div>\n
See zone configuration :<\/p>\n
\n
firewall1-><\/span> get zone\nTotal 16 zones created in vsys Root - 10 are policy configurable.\nTotal policy configurable zones for Root is 10.\n------------------------------------------------------------------------\n  ID Name               Type    Attr    VR          Default-IF   VSYS\n   0 Null               Null    Shared untrust-vr   hidden       Root\n   1 Untrust            Sec(L3) Shared trust-vr     null         Root\n   2 Trust              Sec(L3)        trust-vr     null         Root\n   3 DMZ                Sec(L3)        trust-vr     null         Root\n   4 Self               Func           trust-vr     self         Root\n   5 MGT                Func           trust-vr     null         Root\n   6 HA                 Func           trust-vr     null         Root\n  10 Global             Sec(L3)        trust-vr     null         Root\n  11 V1-Untrust         Sec(L2) Shared trust-vr     v1-untrust   Root\n  12 V1-Trust           Sec(L2) Shared trust-vr     v1-trust     Root\n  13 V1-DMZ             Sec(L2) Shared trust-vr     v1-dmz       Root\n  14 VLAN               Func    Shared trust-vr     vlan1        Root\n  15 V1-Null            Sec(L2)        trust-vr     l2v          Root\n  16 Untrust-Tun        Tun            trust-vr     hidden.1     Root\n 100 Lan                Sec(L3)        trust-vr     ethernet0\/2  Root\n 101 Internet           Sec(L3)        trust-vr     ethernet0\/1  Root<\/font>      <\/pre>\n<\/div>\n
The zone name has to be unique across all VR's<\/p>\n
Assign Lan interface a private static IP address, assign Interface a static IP address or DHCP IP address :<\/p>\n
\n
set interface ethernet0\/2 ip 192.168.0.1\/24\n\nset interface ethernet0\/1 ip 1.1.1.1\/29\nset interface ethernet0\/1 dhcp client enable\nsave<\/pre>\n<\/div>\n
Tip : if you need to define multiple interfaces in the same IP subnet, you'll have to enable this first in the vrouter<\/p>\n
\n
set vrouter trust-vr ignore-subnet-conflict\nsave<\/pre>\n<\/div>\n
 <\/p>\n
Note : Pay attention to the subnetmask when configuring a firewall interface. Don't use \/32 or the firewall won't work.<\/p>\n
Set both interfaces in route mode<\/p>\n
\n
set interface ethernet0\/1 route\nset interface ethernet0\/2 route\nsave<\/pre>\n<\/div>\n
 <\/div>\n
Set interface duplex and speed parameters (if required ! - by default, autonegotiation works fine)<\/div>\n
\n
set interface ethernet0\/2 phy ?\nauto                 auto negotiation\nfull                 force full duplex\nhalf                 force half duplex\nholddown             holddown time\nlink-down            bring down link<\/font>\n\nset interface ethernet0\/2 phy full ?\n1000mb               1000Mbps\n100mb                100Mbps\n10mb                 10Mbps<\/font><\/pre>\n<\/div>\n
 <\/div>\n
Activate license, configure routing and anti-spoofing<\/h5>\n
It is advised to install your license now.  You'll need to activate your device on the Juniper website, and then you can run the exec license-key update  command to retrieve your license key.  Use the "save" command to save the license key on the device.<\/div>\n
 <\/div>\n
In order to download the key, the device needs to have access to the internet, so you'll have to create a default route and configure DNS resolution first :<\/div>\n
Assuming that your firewall has a static public IP address 1.1.1.1 and that the internet router (default gateway) is 1.1.1.2, and your public DNS is at 2.2.2.2, then you can use the following commands to allow the firewall to access the internet :<\/div>\n
\n
set route 0.0.0.0\/0 gateway 1.1.1.2\nset dns host dns1 2.2.2.2 src-interface ethernet0\/1\nsave<\/pre>\n<\/div>\n
 <\/div>\n
Now you can install the license key :<\/div>\n
\n
firewall1-><\/span> exec license-key update\nLicense key was retrieved successfully.\nLicense keys have been updated.\nYou must reset the device for the new setting to take effect.<\/font>\nfirewall1-><\/span> save\nfirewall1-><\/span> reset<\/pre>\n<\/div>\n
After rebooting, you can verify that the key was installed correctly using<\/p>\n
\n
firewall1-><\/span> get license-key\ndi_db_key           : JDkdLZidzoad9Z\u00e7jdklDIODiodaodiaOODIDZAdkdlazdD93+D\n                      DKJ393jdLDKlcdkdLKZCnCZALDIdzidldjidLDZEIDJIZIODOD\n                      DZKJLDLLIEDiODIJDELlkkLD\/\n                      bdazjlDIZDlldiIED0O93jdKLDZJIDO3DOJEIOLDJKLLDKDKDK\n                      DKDJKLDlID9D9DKldjdklDJIDIDOZDNSQCCBZJK2E238ldklde\n                      DZKALldi\u00e73IK3LLjdkl30DJKLDL3ZJJKLL\/\n                      DKJLKddlzlzjkLDIZIlazkalJDII3CBNQDMJKDLKMkdlekldek\n                      DZKLjdlkJD\/DJKLDL3LJDKL3IOMOMKDLK==\nexpire date: 2009\/01\/1\nModel:              Advanced\nSessions:           128064 sessions\nCapacity:           unlimited number of users\nNSRP:               ActiveActive\nVPN tunnels:        1000 tunnels\nVsys:               None\nVrouters:           8 virtual routers\nZones:              512 zones\nVLANs:              150 vlans\nDrp:                Enable\nDeep Inspection:    Enable\nDeep Inspection Database Expire Date: 2012\/01\/01<\/font><\/pre>\n<\/div>\n
(don't bother - I have used a random string as db_key in my example...)<\/p>\n
 <\/div>\n
Depending on how your network looks like, you may or may not need to add more routes to your firewall. <\/div>\n
By default, a route is "dynamic". This means that, if the interface that 'hosts' the route goes down, the route is removed from the routing table. So if you have 2 interfaces that have a route to the same subnet, but with a different cost, you can create some dynamic routing based on interface status.  Of course, you can create a permanent route as well, that is not affected by interface status.<\/div>\n
Let's assume that you have another subnet 192.168.1.0\/24 that is in your Lan, setting behind router 192.168.0.10, then this would be the command to add the route to your firewall (to trust-vr by default) :<\/div>\n
\n
set route 192.168.1.0\/24 gateway 192.168.0.10 permanent\nsave<\/pre>\n<\/div>\n
 <\/div>\n
If you want to create a route in a specific (non default) VR, you can use this statement :<\/div>\n
\n
set vrouter YourOwn-vr route 192.168.0.0\/24 interface ethernet0\/3 gateway 10.1.1.1\n\nsave<\/pre>\n<\/div>\n
 <\/p>\n
You can get the routing table using<\/div>\n
\n
get route<\/pre>\n<\/div>\n
A route with type C = connected subnet <\/p>\n
You will see an entry for the IP address of every ethernet interface, with type "H". This is not a real route and will not be used during route evaluation. When debugging, these host entries will be referred to as "SELF"<\/p>\n
Equal cost multipath routing is allowed<\/p>\n
ScreenOS supports source-based and destination-based routing, and supports RIP, OSPF and BGP<\/p>\n<\/div>\n
 <\/div>\n
You can test routes using the "get route" statement.  This will show the route\/interface it will use to get to the target host or network :<\/div>\n
\n
firewall-> get route ip 192.168.1.15\n\nDest for 192.168.1.15<\/font>\n\n--------------------------------------------------------------------------------<\/font>\n\ntrust-vr : => 192.168.1.0\/24 (id=16) via 192.168.0.10 (vr: trust-vr)<\/font>\n\nInterface ethernet0\/2 , metric 1<\/font><\/pre>\n<\/div>\n
 <\/div>\n
You can also verify routing using the ping and trace-route commands. If you launch 'ping' without any parameters, you enter the extended ping mode.  This allows you to specify the target IP, number of pings, datagram size, timeout, and source interface.<\/div>\n
 <\/div>\n
You can remove a route using the unset command :<\/div>\n
\n
firewall1-><\/span> unset route 4.4.4.0\/24\ntotal routes deleted = 1<\/font><\/pre>\n<\/div>\n
 <\/div>\n
If you are using multiple VR's, you'll need to set up routing between the two VR's.  For that matter, you can use the name of each VR as gateway on both VR's<\/div>\n
 <\/div>\n
 <\/div>\n
Anti-spoofing :<\/u><\/div>\n
L3 mode : based on routing tables <\/p>\n
L2 mode : based on address list entries<\/p>\n<\/div>\n
Anti-spoofing requires your routing table to be set up correctly.  You can enable anti-spoofing on a per zone basis :<\/div>\n
\n
set zone "Internet" screen ip-spoofing\n\nsave<\/pre>\n<\/div>\n
 <\/p>\n
If you want to check for reverse-path routes to drop or allow traffic, use this command :<\/p>\n
\n
set zone "Internet" screen ip-spoofing drop-no-rpf-route\n\nsave<\/pre>\n<\/div>\n
 <\/div>\n
 <\/div>\n
Restrict management to\/from certain IP addresses and on certain management services<\/h5>\n
Management services :<\/p>\n
- Telnet, SSH, HTTP(s), snmp, ping, ident<\/p>\n
- Can be enabled\/disabled per interface and optioanlly set to a virtual IP address on the interface (manage ip)<\/p>\n
- Traffic for these management services can be allowed from certain IP addresses only (manager-ip)<\/p>\n
- Always disable ident, unless you have problems with AS400 RPC connections<\/p>\n
First, disable management services on all interfaces :<\/p>\n
\n
unset interface ethernet0\/1 manage\nunset interface ethernet0\/2 manage\nunset interface ethernet0\/1 ip manageable\nunset interface ethernet0\/2 ip manageable\nsave<\/pre>\n<\/div>\n
 <\/p>\n
Create a virtual IP address on the Lan interface (192.168.0.2) to allow local administrators to connect :<\/p>\n
\n
set interface ethernet0\/2 manage-ip 192.168.0.2set interface ethernet0\/2 ip manageablesave<\/pre>\n<\/div>\n
You can see the virtual IP address that is used to host the management services using this command :<\/p>\n
\n
get int ethernet0\/2 | incl manage\nmanage ip 192.168.0.2, mac 0010.dbe2.c300<\/font><\/pre>\n<\/div>\n
Enable management services on Lan interface :<\/p>\n
\n
set admin http redirect\nset interface ethernet0\/2 manage ssh\nset interface ethernet0\/2 manage ssl\nset ssl encrypt 3des sha-1\nset interface ethernet0\/2 manage web\nsave<\/pre>\n<\/div>\n
If you want to disable one of the management services (e.g. disable ping to the Lan interface), use<\/p>\n
\n
unset interface ethernet0\/2 manage ping\n\nsave<\/pre>\n<\/div>\n
If you want to allow management on all services, use this command :<\/p>\n
\n
set interface ethernet0\/2 manage<\/pre>\n<\/div>\n
Only allow traffic from management station 192.168.0.5  Note : configure this via the console cable, as you may cut off your own connection if you don't specify your own IP address first.<\/p>\n
\n
set admin manager-ip 192.168.0.5 255.255.255.255\nsave<\/pre>\n<\/div>\n
You can see the IP addresses that are allowed to access the management services using the following commands :<\/p>\n
\n
get sys | incl "Mng Host"\n\nMng Host IP: 192.168.0.5\/255.255.255.255<\/font>\n\n<\/font>  get admin manager-ip\n\nMng Host IP: 192.168.0.5\/255.255.255.255<\/font><\/pre>\n<\/div>\n
You can define up to 6 IP addresses as manager-ip<\/p>\n
Set console timeout. Default = 10 minutes, recommended : 5 minutes :<\/p>\n
\n
set console timeout 5\nsave<\/pre>\n<\/div>\n
Tip : you can get the open\/listening ports on the device using the \u201cget socket\u201d command.<\/p>\n
 <\/p>\n
Set up NTP, DNS, SNMP and Syslog<\/h5>\n
NTP :<\/u><\/p>\n
\n
set ntp server 192.168.0.3\nset ntp server src-interface ethernet0\/2\nset ntp timezone 1\nset clock timezone 1\nset clock ntp\nsave\nget clock\n\nexec ntp update<\/pre>\n<\/div>\n
The last command will force a manual ntp update<\/p>\n
DNS :<\/u><\/p>\n
\n
set dns host dns1 192.168.0.4 src-interface ethernet0\/2\nset domain mydomain.com\nset dns host schedule 04:00 interval 4\nsave<\/pre>\n<\/div>\n
The dns host schedule interval defines the cache refresh time for DNS hostnames that are defined in the address list.<\/p>\n
If you already had a DNS entry because of the license key installation, you can remove that entry using an unset command :<\/p>\n
\n
unset dns host dns1<\/pre>\n<\/div>\n
SNMP :<\/u><\/p>\n
\n
set snmp community "MyROCommunity" Read-Only Trap-on traffic version v1\nset snmp host "MyROCommunity" 192.168.0.100 255.255.255.255 src-interface ethernet0\/2 trap v1\nset snmp port listen 161\nset snmp port trap 162\nsave<\/pre>\n<\/div>\n
<\/u><\/p>\n
Syslog :<\/p>\n<\/p>\n
\n
set syslog config "192.168.0.101"\nset syslog config "192.168.0.101" facilities local0 local1\nset syslog src-interface ethernet0\/2\nset syslog enable\nsave<\/pre>\n<\/div>\n
 <\/p>\n
Address Lists and Policies<\/h4>\n
Default policy is defined in "Global" Zone (default deny). By default, deny will be applied, but you won't see this when querying the device.  It is recommended to set the global policy to any any deny, that way you can see the global policies if you want to<\/p>\n
\n
firewall1-><\/span> get policy all | incl Global\nNo global policy!Default deny.<\/font>\nfirewall1-><\/span> set policy global any any deny\nfirewall1-><\/span> save<\/pre>\n<\/div>\n
 <\/div>\n
Firewall policies are always created between two different zones. (exception : if you have enabled intrazone blocking, you can apply policies for traffic within the same zone)<\/div>\n
If traffic does not match any of the rules, then the global policy applies. This means that you don't need a any any deny policy for every Source Zone to Target Zone ruleset definition.<\/div>\n
 <\/div>\n
Before you can create firewall policies, you'll need "address" definitions and "service" definitions.<\/div>\n
First, you need to create an address (host or network) in a specific zone :<\/div>\n
\n
set address "Lan" "Proxyserver1" 192.168.0.200 255.255.255.255 "Proxy Server 1"\nset address "Lan" "LanNetwork1" 192.168.0.0 255.255.255.0 "Local Network 1"\nset address "Lan" "LanNetwork2" 192.168.1.0 255.255.255.0 "Local Network 2"\n\nsave<\/pre>\n<\/div>\n
You can create an address multiple times, and in multiple zones at the same time.  Suppose you have a remote host that can be reached via 2 different routes over 2 different interfaces, that are in different zones, then you'll need to define the same host twice.<\/p>\n
You can group addresses using the GUI or CLI :<\/p>\n
\n
set group address "Lan" "LocalNetworks" add "LanNetwork1"\nset group address "Lan" "LocalNetworks" add "LanNetwork2"<\/pre>\n<\/div>\n
Next, you can create custom services. The device is already pre-loaded with some services, so verify that the service does not exist yet.<\/p>\n
\n
set service "MyCustomService" protocol tcp src-port 0-65535 dst-port 1234-1234\nsave<\/pre>\n<\/div>\n
Note : you can group services as well, which is the preferred method over creating rules with multiple individual services. During evaluation of the policy, every source\/target\/service rule will be split up, causing the device to use more resources.<\/div>\n
 <\/div>\n
Now you are ready to create a policy. <\/div>\n
- New policies are added to the bottom of the list. Use the GUI to rearrange the new policy (or command line : e.g. 'set policy move 5 before 4')<\/div>\n
- Make sure to manually activate nat-src for traffic going to the internet ! (see later - Address Translation)<\/div>\n
- Policy actions can be permit, deny, reset or tunnel<\/div>\n
- Policies can be scheduled (one time, recurring). If you have created a one time policy, the policy will not be removed automatically, so you'll need to clean up afterwards<\/div>\n
- You can negate source or destination addresses using the "negate" statement in the policy definition<\/div>\n
 <\/div>\n
If you want to allow the proxy server to access all hosts on the internet, on port 1234, then use the following statement :<\/div>\n
\n
set policy from "Lan" to "Internet" "ProxyServer1" ANY "MyCustomService" nat src permit\n\nsave<\/pre>\n<\/div>\n
 <\/div>\n
You can get the policies using<\/div>\n
\n
get policy from "Lan" to "Internet"<\/pre>\n<\/div>\n
 <\/div>\n
I must admit - I like the CLI a lot, but if you want to create and manage policies, it's just so much easier to use the HTTPS GUI for policy management.<\/div>\n
 <\/div>\n
How does Juniper handle packets & sessions ? <\/div>\n
\"image\"<\/a> <\/div>\n
(This model is called the 5-tuple)<\/div>\n
 <\/div>\n
Debugging & Troubleshooting Policies<\/h4>\n
ScreenOS has quite some features that allow for debugging. I will now explain the major debug functions that apply to the debugging of firewall policies. We'll have a look at some of the other debugging parameters that apply to VPN tunnels later on.<\/div>\n
2 main tools for debugging : "debug" and "snoop"<\/div>\n
The most common tool used is debug.  It allows you to follow packet handling and decisions that are made by the device. You can set some filters to look for specific traffic.  Strings you may want to look for are :<\/div>\n
- "existing session found"<\/div>\n
- "packet dropped, no route"<\/div>\n
- "not interested"<\/div>\n
- "packet dropped, denied by policy"<\/div>\n
Snoop is essentially a sniffer.  While it shows you the entire conversation, it does not really show what the firewall decides and why it has decided to act in a specific way when a certain packet has arrived at the firewall. Therefore, it is recommended to use debug instead of snoop.<\/div>\n
 <\/div>\n
The debug buffer is max 32k large. You can get information about the debug buffer and set a custom buffer size using the following commands :<\/div>\n
\n
get dbuf info\nset dbuf size <newsize>\n\nsave<\/pre>\n<\/div>\n
 <\/div>\n
First of all, before you activate debug, make sure to clear the buffer and to clear any filters that may have been set<\/div>\n
\n
firewall1-><\/span> clear dbuf\nfirewall1-><\/span> unset ffilter\nfilter 0 removed<\/font>\nfirewall1-><\/span> unset ffilter\ninvalid id<\/font><\/pre>\n<\/div>\n
(repeat unset ffilter until you get the invalid id warning. This ensure that all filters have been cleared first)<\/div>\n
 <\/div>\n
Start debugging using the following command :<\/div>\n
\n
debug flow basic<\/pre>\n<\/div>\n
 <\/div>\n
Generate some traffic. If you are ready, press 'ESC' in the console to stop debugging (or use the 'undebug all' command)<\/div>\n
You can get the contents of the debug buffer using<\/div>\n
\n
get dbuf stream<\/pre>\n<\/div>\n
Optionally, you can send the entire buffer to a text file on a tftp server using<\/p>\n
\n
get dbuf str ><\/span> tftp 192.168.0.102 debug.log<\/pre>\n<\/div>\n
Note : don't forget to 'ESC' debug (or use 'undebug all')...  if you disconnect from the console while debug is still running, it may cause some memory problems on the device, causing you to reboot the device...<\/div>\n
 <\/div>\n
You can set filters that will be applied during the debug process :<\/div>\n
\n
firewall1-><\/span> set ffilter ?<\/font><\/strong>\n<<\/span>return<\/span>><\/span>\ndst-ip               flow filter dst ip\ndst-port             flow filter dst port\nip-proto             flow filter ip proto\nsrc-ip               flow filter src ip\nsrc-port             flow filter src port<\/font><\/pre>\n<\/div>\n
Options : <\/p>\n
Logical AND :<\/p>\n
- enter options on the same line<\/p>\n
- all conditions must be present<\/p>\n<\/div>\n
\n
set ffilter src-uip 1.1.1.1 dst-ip 2.2.2.2 ip-prot 6<\/pre>\n<\/div>\n
Logical OR : <\/p>\n
- enter options on separate lines<\/p>\n
- any condition can be present<\/p>\n<\/div>\n
\n
set ffilter src-ip 1.1.1.1 dst-ip 2.2.2.2 ip-prot 6\nset ffilter src-ip 2.2.2.3\nset ffilter dst-port 80<\/pre>\n<\/div>\n
You can see the currently set filter using :<\/div>\n
\n
get ffilter<\/pre>\n<\/div>\n
\n
 <\/p><\/div>\n
 <\/div>\n
By default, debug output is sent to the buffer. But you can also send the output to the console :<\/div>\n
\n
fi<\/strong>rewall1-><\/span> get console<\/font><\/strong>\nConsole timeout: 10(minute), Page size: 22\/22, debug: buffer<\/font><\/strong>\nprivilege 250, config has not been changed!, default save prompt on exit\/reset: yes\nID State  Duration Task Type   Host\n 0 Login       439 21309696 SSH    192.168.137.120:62596\n 1 Logout        0 21314736 Local\n 2 Logout        0 21303816 Local\n 3 Logout        0 21284496 Local\nfirewall1-><\/span> unset console dbuf<\/font><\/strong>\nfirewall1-><\/span> get console<\/font><\/strong>\nConsole timeout: 10(minute), Page size: 22\/22, debug: console\n<\/font><\/strong>privilege 250, config was changed and not saved!, default save prompt on exit\/reset: yes\nID State  Duration Task Type   Host\n 0 Login       454 21309696 SSH    192.168.137.120:62596\n 1 Logout        0 21314736 Local\n 2 Logout        0 21303816 Local\n 3 Logout        0 21284496 Local\nfirewall1-><\/span> set console dbuf<\/font><\/strong>\nfirewall1-><\/span> get console<\/font><\/strong>\nConsole timeout: 10(minute), Page size: 22\/22, debug: buffer<\/font><\/strong>\nprivilege 250, config was changed and not saved!, default save prompt on exit\/reset: yes\nID State  Duration Task Type   Host\n 0 Login       464 21309696 SSH    192.168.137.120:62596\n 1 Logout        0 21314736 Local\n 2 Logout        0 21303816 Local\n 3 Logout        0 21284496 Local<\/font><\/pre>\n<\/div>\n
 <\/div>\n
 <\/div>\n
Some other usefull commands to troubleshoot policies :<\/div>\n
- get session<\/div>\n
(and upload the output to http:\/\/tools.juniper.net\/fsa)<\/div>\n
- get policy<\/div>\n
- get address<\/div>\n
- get service<\/div>\n
- get service pre-defined<\/div>\n
- get conf<\/div>\n
- get log traffic<\/div>\n
 <\/div>\n
You can activate traffic logs by editing a policy :<\/div>\n
\n
set policy id 1\nset log\nexit\nsave<\/pre>\n<\/div>\n
 <\/div>\n
Alarms<\/div>\n
Traffic or event alarms may trigger the alarm led on the device to turn red. You can clear the alarms using<\/div>\n
\n
clear alarm traffic\nclear alarm event\nclear led alarm<\/pre>\n<\/div>\n
 <\/div>\n
Traffic counters<\/div>\n
You can use traffic graphical traffic counters for traffic that matches a policy. You need to activate accounting using the following commands :<\/div>\n
\n
set policy id 1\nset count\nexit\nsave<\/pre>\n<\/div>\n
You can see the graphical counter from the GUI (by clicking the hourglass icon in the policy)<\/div>\n
\"image\"<\/a> <\/div>\n
 <\/div>\n
or get the raw data using<\/div>\n
\n
get counter policy 1 <<\/span>time<\/span>><\/span><\/pre>\n<\/div>\n
(where <time> can be  "day", "hour", "minute", "month" or "second")<\/div>\n
Counters will be reset at boot.<\/div>\n
 <\/div>\n
If you ever need to work with Juniper Tech Support, they will probably ask you to run a get tech support and send the output to them.  This command generates a big log file that contains all of the configurations on your device.  If you need to run this command, it may be wise to send the output to a tftp server right away :<\/div>\n
\n
get tech support ><\/span> tftp 192.168.0.102 get_tech_support.txt<\/pre>\n<\/div>\n
 <\/div>\n
For more info about debugging and troubleshooting : have a look at http:\/\/forums.juniper.net\/jnet\/board\/message?board.id=Firewalls&thread.id=2719<\/a><\/div>\n
 <\/div>\n
 <\/div>\n
Address Translation Basics<\/h4>\n
ScreenOS supports 2 types of Address Translation : Interface based or policy based.  As stated earlier, I do not recommend using interface based address translation.  Interface based address translation<\/p>\n
- puts ingress interface in NAT mode<\/p>\n
- source IP address is translated to IP address of egress interface<\/p>\n
- is easy but allows no flexibility whatsoever<\/p>\n
- unidirectional only<\/p>\n
- default setup : from Trust to Untrust and from DMZ to Untrust<\/p>\n
You can turn off interface based address translation by putting all interfaces in route mode.<\/p>\n
When using policy based nat, you'll have to apply NAT to every rule. This may require some discipline and concentration, but it also allow maximum flexibility and has more features than "nat for dummies" interface based nat.<\/p>\n
Policy based nat can be used from any zone to any zone, based on a policy. It allows for unidirectional NAT (nat-src, nat-dst, VIP) and bidirectional NAT (MIP).  There are several options available for when and how you want to perform NAT :<\/p>\n
- application based<\/p>\n
- number of routable addresses<\/p>\n
- number of internal devices and servers<\/p>\n
There are 4 main types of policy based nat :<\/p>\n
nat-src <\/u>: translate source address to another source address. Typically used to allow hosts within private network to access internet<\/p>\n
nat-dst <\/u>: translate destination address. Typically used to translate public IP to a private IP (when a private server needs to be accessible from the internet)<\/p>\n
VIP <\/u>(Virtual IP) : One to Many mapping that statically associates public address with many internal addresses, based upon ports\/applications<\/p>\n
MIP <\/u>(Mapped IP) : One to One mapping : static association of a public IP with a private IP<\/p>\n
nat-src<\/h5>\n
Unidirectional, has 2 modes : egress interface IP or DIP<\/p>\n
Best known for allowing private IP addresses to access the internet via public IP address of firewall.<\/p>\n
When using the egress interface mode, it essentially performs the same way as interface based nat.<\/p>\n
nat-src can use DIP as well :<\/p>\n
- defined on egress interface (can be tunnel interface as well !)<\/p>\n
- custom specified IP, a range of IP\u2019s (round robin), or a IP-Shift range (careful for overflow ! Shift : same amount of IP\u2019s on both sides of the connection)<\/p>\n
- IP (or range) must be in same subnet as  
    * Primary IP or egress interface<\/p>\n
    * Secondary IP of egress interface<\/p>\n
    * Extended IP on egress interface (which can be in different subnet as primary or secondary IP !)<\/p>\n
- Can be used on multiple policies<\/p>\n
- Max 252 DIP address sets across all interfaces, and 254 addresses per DIP set<\/p>\n
- Cannot contain the primary IP itself or another address (MIP, VIP)<\/p>\n
- Port translation : always enable if you want to avoid conflicts, leave disabled if there is a specific reason (e.g. Sometimes IPSec requires source and destination ports to be set to 500 at all times. Result : only 1 concurrent connection to same destination IP is possible)<\/p>\n
- First create DIP on interface, then use in (each) policy<\/p>\n
nat-dst<\/h5>\n
One-to-one mapping<\/p>\n
Many-to-one mapping<\/p>\n
Many-to-many mapping<\/p>\n
Port translation (fixed port, set by admin)<\/p>\n
One-to-one, unidirectional<\/u><\/p>\n
Example :<\/p>\n
- Source : remote public IP, destination : \u201cpublic\u201d IP on your firewall<\/p>\n
- After translation : Source : unchanged, destination : internal IP, on all ports<\/p>\n
Watch out : policy (with nat-dst rule) only becomes effective when traffic flows between zones, However, public IP is in \u201cUntrust\u201d zone (Furthermore, it is a host entry, and host entry routes are not used in the "5 tuple" process - see packet handling diagram earlier in this post)<\/p>\n
Solution :<\/p>\n
- Create address list (host) entry for public IP\/32 in your Lan<\/u> zone ! (or use a secondary IP and create address list entry to secondary IP)<\/p>\n
- Add static route to the public IP\/32 and point route to interface (not gateway) in your \u201cLan\u201d zone<\/p>\n
- Create policy from Internet to Lan, from ANY to Host Entry in Trusts zone (which points to public IP) and invoke nat-dst<\/p>\n
One-to-many<\/u><\/p>\n
Virtual IP (VIP)<\/p>\n
Only works when the interface is in the Untrust<\/u> zone.  If you're not using Untrust zone (as recommended by me \ud83d\ude42 ), then you can accomplish the same thing using nat-dst.<\/p>\n
You cannot use the real Public IP. The VIP IP must be in the same subnet as the public IP though.<\/p>\n
Create set of Public IP \/ Private IP+Port combinations within a VIP<\/p>\n
Used to allow on or more multiple services to be reachable from other zone, using a single IP<\/p>\n
Example :<\/p>\n
\u2014Real Public IP : 1.1.1.1, VIP : 1.1.1.2, internal network = 192.168.0.0\/24<\/p>\n
\u2014Port 21 on 1.1.1.2 must be mapped to 192.168.0.1 on port 21<\/p>\n
\u2014Port 80 on 1.1.1.2 must be mapped to 192.168.0.2 on port 8080<\/p>\n
\u2014Port 515 on 1.1.1.2 must be mapped to 192.168.0.3 on port 515<\/p>\n
\u2014Remote client only uses 1.1.1.2 as destination address (which is the VIP)<\/p>\n
Configuration : create a VIP on the public interface<\/p>\n
No routing or host entry required. Only use a policy and use the VIP address in the destination field.<\/p>\n
Which ports need to be allowed in the policy ?  Port 21, 80 and 515 ?  Or port 21, 8080 and 515 ?<\/p>\n
Answer : 21, 80, 515. The firewall will handle the port translation itself.<\/p>\n
 <\/p>\n
One-to-one, bidirectional<\/u><\/p>\n
MIP<\/p>\n
- No port translation<\/p>\n
- Defined on outward facing interface<\/p>\n
- (Target\/Host)Address can be defined in any subnet, it does not need to be associated with any of the interfaces. As long as the firewall and upstream routers can route to that IP, it will work<\/p>\n
- Config :<\/p>\n
Create MIP (public IP + IP of host to route traffic to. Host IP : set subnetmask to \/32 (If you use something else, you\u2019ll do IP shifting)<\/p>\n
Create policy and invoke MIP<\/p>\n
 <\/p>\n
Note on NAT : Using NAT may become quite complex. I could write an entire blog post on NAT alone, so if you have specific questions, don't hesitate to contact me directly.<\/p>\n
 <\/p>\n
NAT application precedence<\/h5>\n
\"image\"<\/a><\/p>\n
 <\/p>\n
Authentication<\/h4>\n
ScreenOS supports two types of authentication :<\/p>\n
- Firewall authentication (this requires that traffic matches a policy to trigger the login dialog). This policy must permit at least one of the following protocols : HTTP, Telnet, FTP.  The firewall will basically perform a "mitm" to present you with an authentication login page.<\/p>\n
- WebAuth : requires the user to browse to a designated webpage first and logon before a policy is applied.<\/p>\n
You can find more information on how to set up WebAuth in conjunction with Windows IAS Radius on the following blog post on this website : Using Active Directory and IAS based Radius for Netscreen WebAuth authentication<\/a><\/p>\n
 <\/p>\n
The alarm led<\/h4>\n
If you notice that the alarm led on your device turns red, then it may be caused because screening is enabled, and one of the following events occurred :<\/p>\n
Emergency:<\/b> <\/p>\n
Syn Attack <\/p>\n
Tear Drop Attack <\/p>\n
Ping of Death<\/p>\n
Alert:<\/b> <\/p>\n
Winnuke Attack <\/p>\n
IP Spoof Attack <\/p>\n
IP Source Route Attack <\/p>\n
Land Attack <\/p>\n
ICMP Flood <\/p>\n
UDP Flood <\/p>\n
Port Scan Attack <\/p>\n
Address Sweep <\/p>\n
Policy Deny Alarms<\/p>\n
 <\/p>\n
The led will turn red if one of these attacks was detected. You can clear the red led using \u2018clear led alarm\u2019<\/p>\n","protected":false},"excerpt":{"rendered":"
ScreenOS Concepts & Terminology The following document is based on ScreenOS v5.4.0r7.0 - Interface = connection to a specific subnet. An interface is assigned an IP address only if firewall is operating in L3 mode. Default interface names can vary on different Netscreen devices. - Zone : logical grouping of subnets and interfaces. All devices … Continue reading \"Juniper Firewall ScreenOS Basics (CJFV)\"<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[554,164,127],"tags":[3735,2440],"class_list":["post-680","post","type-post","status-publish","format-standard","hentry","category-juniper","category-networking","category-security","tag-juniper-netscreen-screenos","tag-ftp"],"yoast_head":"\nJuniper Firewall ScreenOS Basics (CJFV) - Corelan | Exploit Development & Vulnerability Research<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.corelan.be\/index.php\/2008\/06\/22\/juniper-firewall-screenos-basics-cjfv\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Juniper Firewall ScreenOS Basics (CJFV) - Corelan | Exploit Development & Vulnerability Research\" \/>\n<meta property=\"og:description\" content=\"ScreenOS Concepts & Terminology The following document is based on ScreenOS v5.4.0r7.0 - Interface = connection to a specific subnet. An interface is assigned an IP address only if firewall is operating in L3 mode. Default interface names can vary on different Netscreen devices. - Zone : logical grouping of subnets and interfaces. All devices … Continue reading "Juniper Firewall ScreenOS Basics (CJFV)"\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.corelan.be\/index.php\/2008\/06\/22\/juniper-firewall-screenos-basics-cjfv\/\" \/>\n<meta property=\"og:site_name\" content=\"Corelan | Exploit Development & Vulnerability Research\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/corelanconsulting\" \/>\n<meta property=\"article:published_time\" content=\"2008-06-22T11:46:11+00:00\" \/>\n<meta name=\"author\" content=\"corelanc0d3r\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@corelanc0d3r\" \/>\n<meta name=\"twitter:site\" content=\"@corelanc0d3r\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"TechArticle\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/06\\\/22\\\/juniper-firewall-screenos-basics-cjfv\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/06\\\/22\\\/juniper-firewall-screenos-basics-cjfv\\\/\"},\"author\":{\"name\":\"corelanc0d3r\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/person\\\/3be5542b9b0a0787893db83a5ad68e8f\"},\"headline\":\"Juniper Firewall ScreenOS Basics (CJFV)\",\"datePublished\":\"2008-06-22T11:46:11+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/06\\\/22\\\/juniper-firewall-screenos-basics-cjfv\\\/\"},\"wordCount\":4561,\"publisher\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\"},\"keywords\":[\"juniper netscreen screenos\",\"ftp\"],\"articleSection\":[\"Juniper\",\"Networking\",\"Security\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/06\\\/22\\\/juniper-firewall-screenos-basics-cjfv\\\/\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/06\\\/22\\\/juniper-firewall-screenos-basics-cjfv\\\/\",\"name\":\"Juniper Firewall ScreenOS Basics (CJFV) - Corelan | Exploit Development & Vulnerability Research\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#website\"},\"datePublished\":\"2008-06-22T11:46:11+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/06\\\/22\\\/juniper-firewall-screenos-basics-cjfv\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/06\\\/22\\\/juniper-firewall-screenos-basics-cjfv\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/2008\\\/06\\\/22\\\/juniper-firewall-screenos-basics-cjfv\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.corelan.be\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Juniper Firewall ScreenOS Basics (CJFV)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#website\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/\",\"name\":\"Corelan CyberSecurity Research\",\"description\":\"Corelan publishes in-depth tutorials on exploit development, Windows exploitation, vulnerability research, heap internals, reverse engineering and security tooling used by professionals worldwide.\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.corelan.be\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#organization\",\"name\":\"Corelan CyberSecurity Research\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/corelanlogo2_small-20.png\",\"contentUrl\":\"https:\\\/\\\/www.corelan.be\\\/wp-content\\\/uploads\\\/2026\\\/03\\\/corelanlogo2_small-20.png\",\"width\":200,\"height\":200,\"caption\":\"Corelan CyberSecurity Research\"},\"image\":{\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/corelanconsulting\",\"https:\\\/\\\/x.com\\\/corelanc0d3r\",\"https:\\\/\\\/x.com\\\/corelanconsulting\",\"https:\\\/\\\/instagram.com\\\/corelanconsult\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.corelan.be\\\/#\\\/schema\\\/person\\\/3be5542b9b0a0787893db83a5ad68e8f\",\"name\":\"corelanc0d3r\",\"pronouns\":\"he\\\/him\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x\",\"caption\":\"corelanc0d3r\"},\"description\":\"Peter Van Eeckhoutte is the founder of Corelan and a globally recognized expert in exploit development and vulnerability research. With over two decades in IT security, he built Corelan into a respected platform for deep technical research, hands-on training, and knowledge sharing. Known for his influential exploit development tutorials, tools, and real-world training, Peter combines a strong research mindset with a passion for education\u2014helping security professionals understand not just how exploits work, but why.\",\"sameAs\":[\"https:\\\/\\\/www.corelan-training.com\",\"https:\\\/\\\/instagram.com\\\/corelanc0d3r\",\"https:\\\/\\\/www.linkedin.com\\\/in\\\/petervaneeckhoutte\\\/\",\"https:\\\/\\\/x.com\\\/corelanc0d3r\"],\"url\":\"https:\\\/\\\/www.corelan.be\\\/index.php\\\/author\\\/admin0\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Juniper Firewall ScreenOS Basics (CJFV) - Corelan | Exploit Development & Vulnerability Research","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.corelan.be\/index.php\/2008\/06\/22\/juniper-firewall-screenos-basics-cjfv\/","og_locale":"en_US","og_type":"article","og_title":"Juniper Firewall ScreenOS Basics (CJFV) - Corelan | Exploit Development & Vulnerability Research","og_description":"ScreenOS Concepts & Terminology The following document is based on ScreenOS v5.4.0r7.0 - Interface = connection to a specific subnet. An interface is assigned an IP address only if firewall is operating in L3 mode. Default interface names can vary on different Netscreen devices. - Zone : logical grouping of subnets and interfaces. All devices … Continue reading \"Juniper Firewall ScreenOS Basics (CJFV)\"","og_url":"https:\/\/www.corelan.be\/index.php\/2008\/06\/22\/juniper-firewall-screenos-basics-cjfv\/","og_site_name":"Corelan | Exploit Development & Vulnerability Research","article_publisher":"https:\/\/www.facebook.com\/corelanconsulting","article_published_time":"2008-06-22T11:46:11+00:00","author":"corelanc0d3r","twitter_card":"summary_large_image","twitter_creator":"@corelanc0d3r","twitter_site":"@corelanc0d3r","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"TechArticle","@id":"https:\/\/www.corelan.be\/index.php\/2008\/06\/22\/juniper-firewall-screenos-basics-cjfv\/#article","isPartOf":{"@id":"https:\/\/www.corelan.be\/index.php\/2008\/06\/22\/juniper-firewall-screenos-basics-cjfv\/"},"author":{"name":"corelanc0d3r","@id":"https:\/\/www.corelan.be\/#\/schema\/person\/3be5542b9b0a0787893db83a5ad68e8f"},"headline":"Juniper Firewall ScreenOS Basics (CJFV)","datePublished":"2008-06-22T11:46:11+00:00","mainEntityOfPage":{"@id":"https:\/\/www.corelan.be\/index.php\/2008\/06\/22\/juniper-firewall-screenos-basics-cjfv\/"},"wordCount":4561,"publisher":{"@id":"https:\/\/www.corelan.be\/#organization"},"keywords":["juniper netscreen screenos","ftp"],"articleSection":["Juniper","Networking","Security"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.corelan.be\/index.php\/2008\/06\/22\/juniper-firewall-screenos-basics-cjfv\/","url":"https:\/\/www.corelan.be\/index.php\/2008\/06\/22\/juniper-firewall-screenos-basics-cjfv\/","name":"Juniper Firewall ScreenOS Basics (CJFV) - Corelan | Exploit Development & Vulnerability Research","isPartOf":{"@id":"https:\/\/www.corelan.be\/#website"},"datePublished":"2008-06-22T11:46:11+00:00","breadcrumb":{"@id":"https:\/\/www.corelan.be\/index.php\/2008\/06\/22\/juniper-firewall-screenos-basics-cjfv\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.corelan.be\/index.php\/2008\/06\/22\/juniper-firewall-screenos-basics-cjfv\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.corelan.be\/index.php\/2008\/06\/22\/juniper-firewall-screenos-basics-cjfv\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.corelan.be\/"},{"@type":"ListItem","position":2,"name":"Juniper Firewall ScreenOS Basics (CJFV)"}]},{"@type":"WebSite","@id":"https:\/\/www.corelan.be\/#website","url":"https:\/\/www.corelan.be\/","name":"Corelan CyberSecurity Research","description":"Corelan publishes in-depth tutorials on exploit development, Windows exploitation, vulnerability research, heap internals, reverse engineering and security tooling used by professionals worldwide.","publisher":{"@id":"https:\/\/www.corelan.be\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.corelan.be\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.corelan.be\/#organization","name":"Corelan CyberSecurity Research","url":"https:\/\/www.corelan.be\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.corelan.be\/#\/schema\/logo\/image\/","url":"https:\/\/www.corelan.be\/wp-content\/uploads\/2026\/03\/corelanlogo2_small-20.png","contentUrl":"https:\/\/www.corelan.be\/wp-content\/uploads\/2026\/03\/corelanlogo2_small-20.png","width":200,"height":200,"caption":"Corelan CyberSecurity Research"},"image":{"@id":"https:\/\/www.corelan.be\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/corelanconsulting","https:\/\/x.com\/corelanc0d3r","https:\/\/x.com\/corelanconsulting","https:\/\/instagram.com\/corelanconsult"]},{"@type":"Person","@id":"https:\/\/www.corelan.be\/#\/schema\/person\/3be5542b9b0a0787893db83a5ad68e8f","name":"corelanc0d3r","pronouns":"he\/him","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","url":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/3783bed6acd72d7fa5bb2387d88acbb9a3403e7cada60b2037e1cbb74ad451f9?s=96&d=mm&r=x","caption":"corelanc0d3r"},"description":"Peter Van Eeckhoutte is the founder of Corelan and a globally recognized expert in exploit development and vulnerability research. With over two decades in IT security, he built Corelan into a respected platform for deep technical research, hands-on training, and knowledge sharing. Known for his influential exploit development tutorials, tools, and real-world training, Peter combines a strong research mindset with a passion for education\u2014helping security professionals understand not just how exploits work, but why.","sameAs":["https:\/\/www.corelan-training.com","https:\/\/instagram.com\/corelanc0d3r","https:\/\/www.linkedin.com\/in\/petervaneeckhoutte\/","https:\/\/x.com\/corelanc0d3r"],"url":"https:\/\/www.corelan.be\/index.php\/author\/admin0\/"}]}},"views":66353,"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts\/680","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/comments?post=680"}],"version-history":[{"count":0,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/posts\/680\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/media?parent=680"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/categories?post=680"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.corelan.be\/index.php\/wp-json\/wp\/v2\/tags?post=680"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}