Category Archives: juniper

Adding the “last commit” line back into your Junos RANCID commits

juniper, rancid

As of RANCID 3.7, an annoying change was made by the authors of RANCID. The “last commit” line was removed from Junos-based device diiffs.

http://www.shrubbery.net/pipermail/rancid-announce/2017-September/000031.html

junos.pm: filter cycling & useless last commit config line

This wasn’t a switch that we could easily turn on or off, depending on your preference either. We had to dig through the code to re-enable this “useless” feature.

Find your junos.pm file and comment out the following line:

next if (/^## last commit: /i);

The “last commit” line will be present again upon your next RANCID run.

For another valuable RANCID tip, check out another article we wrote.

Using the replace command in Junos

juniper

My ISP has the audacity to change my dynamic IP after only two years and I had to change my IP across many different systems. I found a command and worked out the regex to replace my IP across the entire Junos configuration in a single line. Here’s how:

replace pattern "172\.16\.1\.1" with "10.0.0.1"

I was able to change address books, firewall rules, security policies, prefix lists, etc, with a single command.

Junos packet capture on branch series SRXs

juniper

Performing a packet capture is easy to do on any Juniper branch series SRX.

Three sections of configuration are required: forwarding-options, interfaces and firewall. Examples are below:

set forwarding-options packet-capture file filename PCAP files 5 size 10m

set interfaces ge-0/0/0 unit 0 family inet filter input PCAP
set interfaces ge-0/0/0 unit 0 family inet filter output PCAP

set firewall filter PCAP term PCAP1 from source-address 172.16.0.0/12
set firewall filter PCAP term PCAP1 from destination-address 192.168.0.0/16
set firewall filter PCAP term PCAP1 then sample
set firewall filter PCAP term PCAP1 then accept
set firewall filter PCAP term PCAP2 from source-address 192.168.0.0/16
set firewall filter PCAP term PCAP2 from destination-address 172.16.0.0/12
set firewall filter PCAP term PCAP2 then sample
set firewall filter PCAP term PCAP2 then accept
set firewall filter PCAP term ALLOW-EVERYTHING-ELSE then accept

The result looks as such:

interfaces {
    fe-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input PCAP;
                    output PCAP;
                }
            }
        }
    }
}

forwarding-options {
    packet-capture {
        file filename PCAP files 5 size 10m;
    }
}

firewall {
    filter PCAP {
        term PCAP1 {
            from {
                source-address {
                    172.16.0.0/12;
                }
                destination-address {
                    192.168.0.0/16;
                }
            }
            then {
                sample;
                accept;
            }
        }
        term PCAP2 {
            from {
                source-address {
                    192.168.0.0/16;
                }
                destination-address {
                    172.16.0.0/12;
                }
            }
            then {
                sample;
                accept;
            }
        }
        term ALLOW-EVERYTHING-ELSE {
            then accept;
        }
    }
}

Alternatively, you can apply this filter on the loopback interface if you wish to capture all packets matching the filter criteria on all interfaces.

To read the PCAP file, simply enter into the shell and use tcpdump:

start shell
tcpdump -r /var/tmp/PCAP.fe-0.0.0

Junos application defaults

juniper, network security, security, srx

Ever needed to do a sanity check on Juniper’s default application values when setting up security policies?

Here’s how:

show groups junos-defaults applications

It’s a hidden command that cannot be tab-completed. Here are the results (as of 12.1X47-D30.4):

#
# File Transfer Protocol 
#
application junos-ftp {
    application-protocol ftp;
    protocol tcp;
    destination-port 21;
}
#
# Trivial File Transfer Protocol 
#
application junos-tftp {
    application-protocol tftp;
    protocol udp;
    destination-port 69;
}
#
# Real Time Streaming Protocol 
#       
application junos-rtsp {
    application-protocol rtsp;
    protocol tcp;
    destination-port 554;
}
#
# Network Basic Input Output System  - networking protocol used on
# Windows networks   session service port
#
application junos-netbios-session {
    protocol tcp;
    destination-port 139;
}
application junos-smb-session {
    protocol tcp;
    destination-port 445;
}
application junos-ssh {
    protocol tcp;
    destination-port 22;
}
application junos-telnet {
    protocol tcp;
    destination-port 23;
}
application junos-smtp {
    protocol tcp;
    destination-port 25;
}
application junos-tacacs {
    protocol tcp;
    destination-port 49;
}
# TACACS Database Service
application junos-tacacs-ds {
    protocol tcp;
    destination-port 65;
}
application junos-dhcp-client {
    protocol udp;
    destination-port 68;
}
application junos-dhcp-server {
    protocol udp;
    destination-port 67;
}
application junos-bootpc {
    protocol udp;
    destination-port 68;
}
application junos-bootps {
    protocol udp;
    destination-port 67;
}
application junos-finger {
    protocol tcp;
    destination-port 79;
}
application junos-http {
    application-protocol http;
    protocol tcp;
    destination-port 80;
}
application junos-https {
    protocol tcp;
    destination-port 443;
}
application junos-pop3 {
    protocol tcp;
    destination-port 110;
}
application junos-ident {
    protocol tcp;
    destination-port 113;
}
application junos-nntp {
    protocol tcp;
    destination-port 119;
}
application junos-ntp {
    protocol udp;
    destination-port 123;
}
application junos-imap {
    protocol tcp;
    destination-port 143;
}
application junos-imaps {
    protocol tcp;
    destination-port 993;
}
application junos-bgp {
    protocol tcp;
    destination-port 179;
}
application junos-ldap {
    protocol tcp;
    destination-port 389;
}
application junos-snpp {
    protocol tcp;
    destination-port 444;
}
application junos-biff {
    protocol udp;
    destination-port 512;
}
# UNIX who
application junos-who {
    protocol udp;
    destination-port 513;
}
application junos-syslog {
    protocol udp;
    destination-port 514;
}
# line printer daemon, printer, spooler
application junos-printer {
    protocol tcp;
    destination-port 515;
}
application junos-rip {
    protocol udp;
    destination-port 520;
}
# INA sanctioned RADIUS port numbers
application junos-radius {
    protocol udp;
    destination-port 1812;
}
application junos-radacct {
    protocol udp;
    destination-port 1813;
}
application junos-nfsd-tcp {
    protocol tcp;
    destination-port 2049;
}
application junos-nfsd-udp {
    protocol udp;
    destination-port 2049;
}
application junos-cvspserver {
    protocol tcp;
    destination-port 2401;
}
# 
# Label Distribution Protocol
# 
application junos-ldp-tcp {
    protocol tcp;
    destination-port 646;
}
application junos-ldp-udp {
    protocol udp;
    destination-port 646;
}
# 
# JUNOScript and JUNOScope management
# 
application junos-xnm-ssl {
    protocol tcp;
    destination-port 3220;
}
application junos-xnm-clear-text {
    protocol tcp;
    destination-port 3221;
}
#
# IPSec tunnel
#
application junos-ike {
    protocol udp;
    destination-port 500;
}
#
# Any IPv4 application 
#
application any {
    term t1 protocol 0;
}
#
# America Online instant messaging services
#
application junos-aol {
    term t1 protocol 6 destination-port 5190-5193;
}
#
# Character generator protocol
#
application junos-chargen {
    term t1 protocol udp destination-port 19;
}
#
# DHCP Relay services 
#
application junos-dhcp-relay {
    term t1 protocol udp destination-port 67;
}
#
# Discard  protocol
#
application junos-discard {
    term t1 protocol udp destination-port 9;
}
#
# DNS
#
application junos-dns-udp {
    term t1 alg dns protocol udp destination-port 53;
}
application junos-dns-tcp {
    term t1 alg dns protocol tcp destination-port 53;
}
#
# Echo protocol
#
application junos-echo {
    term t1 protocol udp destination-port 7;
}
#
# Gopher internet protocol 
#
application junos-gopher {
    term t1 protocol tcp destination-port 70;
}
#
# Gnutella File Sharing Protocol 
#
application junos-gnutella {
    term t1 protocol udp destination-port 6346-6347;
}
#
# Generic Routing Encapsulation Protocol
#
application junos-gre {
    term t1 protocol 47;
}
#
# GPRS Tunneling Protocol
#
application junos-gprs-gtp-c-tcp {
    term t1 alg gprs-gtp-c protocol tcp destination-port 2123;
}
application junos-gprs-gtp-c-udp {
    term t1 alg gprs-gtp-c protocol udp destination-port 2123;
}
application junos-gprs-gtp-c {
    term t1 alg gprs-gtp-c protocol tcp destination-port 2123;
    term t2 alg gprs-gtp-c protocol udp destination-port 2123;
}
application junos-gprs-gtp-u-tcp {
    term t1 alg gprs-gtp-u protocol tcp destination-port 2152;
}
application junos-gprs-gtp-u-udp {
    term t1 alg gprs-gtp-u protocol udp destination-port 2152;
}
application junos-gprs-gtp-u {
    term t1 alg gprs-gtp-u protocol tcp destination-port 2152;
    term t2 alg gprs-gtp-u protocol udp destination-port 2152;
}
application junos-gprs-gtp-v0-tcp {
    term t1 alg gprs-gtp-v0 protocol tcp destination-port 3386;
}
application junos-gprs-gtp-v0-udp {
    term t1 alg gprs-gtp-v0 protocol udp destination-port 3386;
}
application junos-gprs-gtp-v0 {
    term t1 alg gprs-gtp-v0 protocol tcp destination-port 3386;
    term t2 alg gprs-gtp-v0 protocol udp destination-port 3386;
}
#
# GPRS SCTP
#
application junos-gprs-sctp {
    term t1 alg gprs-sctp protocol 132 destination-port 0;
}
#
# HTTP extension
#
application junos-http-ext {
    term t1 protocol tcp destination-port 7001;
}
#
# ICMP All Traffic
#   This can be made to be more restrictive by specifying icmp
#   type and code.
#       
application junos-icmp-all {
    term t1 protocol icmp;
}
#
# ICMP Ping.
#   The echo-reply is allowed upon return
#
application junos-icmp-ping {
    term t1 protocol icmp icmp-type echo-request;
}
#
# Internet locator service
#
application junos-internet-locator-service {
    term t1 protocol tcp destination-port 389;
}
#
# IKE protocol
#
application junos-ike-nat {
    term t1 protocol udp destination-port 4500;
}
#
# Internet Relay Chat protocol
#
application junos-irc {
    term t1 protocol tcp destination-port 6660-6669;
}
#
# L2TP tunnelng protocol
#
application junos-l2tp {
    term t1 protocol udp destination-port 1701;
}
#
# Line Printer Daemon protocol
#
application junos-lpr {
    term t1 protocol tcp destination-port 515;
}
#
# Mail (SMTP) protocol
#
application junos-mail {
    term t1 protocol tcp destination-port 25;
}
#
# H.323 Protocol for audio/video conferencing 
#
application junos-h323 {
    term t1 alg q931 protocol tcp destination-port 1720;
    term t2 alg ras protocol udp destination-port 1719;
    term t3 protocol tcp destination-port 1503;
    term t4 protocol tcp destination-port 389;
    term t5 protocol tcp destination-port 522;
    term t6 protocol tcp destination-port 1731;
}
#
# MGCP Protocol 
#
application junos-mgcp-ua {
    term t1 alg mgcp-ua protocol udp destination-port 2427;
}
application junos-mgcp-ca {
    term t1 alg mgcp-ca protocol udp destination-port 2727;
}
#
# Microsoft Network Messenger
#
application junos-msn {
    term t1 protocol tcp destination-port 1863;
}
#
#  Microsoft RPC
#
application junos-ms-rpc-tcp {
    term t1 alg ms-rpc protocol tcp destination-port 135;
}
application junos-ms-rpc-udp {
    term t1 alg ms-rpc protocol udp destination-port 135;
}
#
#  Microsoft RPC EPM (End Point Mapper)
#
application junos-ms-rpc-epm {
    term t1 protocol tcp uuid e1af8308-5d1f-11c9-91a4-08002b14a0fa;
}
#
#  Microsoft RPC Exchange Directory RFR
#
application junos-ms-rpc-msexchange-directory-rfr {
    term t1 protocol tcp uuid 1544f5e0-613c-11d1-93df-00c04fd7bd09;
}
#
#  Microsoft RPC Exchange Information Store
#
application junos-ms-rpc-msexchange-info-store {
    term t1 protocol tcp uuid a4f1db00-ca47-1067-b31f-00dd010662da;
}
#
#  Microsoft RPC Exchange Directory NSP
#
application junos-ms-rpc-msexchange-directory-nsp {
    term t1 protocol tcp uuid f5cc5a18-4264-101a-8c59-08002b2f8426;
}
#
#  Microsoft RPC DCOM
#
application junos-ms-rpc-wmic-admin {
    term t1 protocol tcp uuid a9e69610-b80d-11d0-b9b9-00a0c922e750;
}
application junos-ms-rpc-wmic-webm-level1login {
    term t1 protocol tcp uuid f309ad18-d86a-11d0-a075-00c04fb68820;
}
application junos-ms-rpc-wmic-webm-objectsink {
    term t1 protocol tcp uuid 7c857801-7381-11cf-884d-00aa004b2e24;
}
application junos-ms-rpc-wmic-webm-services {
    term t1 protocol tcp uuid 9556dc99-828c-11cf-a37e-00aa003240c7;
}
application junos-ms-rpc-wmic-webm-callresult {
    term t1 protocol tcp uuid 44aca675-e8fc-11d0-a07c-00c04fb68820;
}
application junos-ms-rpc-wmic-webm-login-clientid {
    term t1 protocol tcp uuid d4781cd6-e5d3-44df-ad94-930efe48a887;
}
application junos-ms-rpc-wmic-webm-login-helper {
    term t1 protocol tcp uuid 541679ab-2e5f-11d3-b34e-00104bcc4b4a;
}
application junos-ms-rpc-wmic-webm-refreshing-services {
    term t1 protocol tcp uuid 2c9273e0-1dc3-11d3-b364-00105a1f8177;
}
application junos-ms-rpc-wmic-webm-remote-refresher {
    term t1 protocol tcp uuid f1e9c5b2-f59b-11d2-b362-00105a1f8177;
}
application junos-ms-rpc-wmic-webm-shutdown {
    term t1 protocol tcp uuid f309ad18-d86a-11d0-a075-00c04fb68820;
}
application junos-ms-rpc-wmic-webm-classobject {
    term t1 protocol tcp uuid dc12a681-737f-11cf-884d-00aa004b2e24;
}
application junos-ms-rpc-wmic-admin2 {
    term t1 protocol tcp uuid 29822ab8-f302-11d0-9953-00c04fd919c1;
}
application junos-ms-rpc-wmic-mgmt {
    term t1 protocol tcp uuid 8bc3f05e-d86b-11d0-a075-00c04fb68820;
}
application junos-ms-rpc-iis-com-1 {
    term t1 protocol tcp uuid a9e69612-b80d-11d0-b9b9-00a0c922e750;
}
application junos-ms-rpc-iis-com-adminbase {
    term t1 protocol tcp uuid 70b51430-b6ca-11d0-b9b9-00a0c922e750;
}
#
# MS RPC any
#
application junos-ms-rpc-uuid-any-tcp {
    term t1 protocol tcp uuid ffffffff-ffff-ffff-ffff-ffffffffffff;
}
application junos-ms-rpc-uuid-any-udp {
    term t1 protocol udp uuid ffffffff-ffff-ffff-ffff-ffffffffffff;
}
#
#  Microsoft SQL
#
application junos-ms-sql {
    term t1 protocol tcp destination-port 1433;
}
#
# NetBIOS Name Service 
#
application junos-nbname {
    term t1 protocol udp destination-port 137;
}
#
# NetBIOS Datagram Service
#
application junos-nbds {
    term t1 protocol udp destination-port 138;
}
#
# Network File System  protocol
#
application junos-nfs {
    term t1 protocol udp destination-port 111;
}
#
# NS-Global (Management protocol for Juniper Networks Firewall/VPN devices)
#
application junos-ns-global {
    term t1 protocol tcp destination-port 15397;
}
#
# NS-Global-PRO (Monitoring system for the Juniper Networks Firewall/VPN devices)
#
application junos-ns-global-pro {
    term t1 protocol tcp destination-port 15397;
}
#
# NetScreen Security Manager
#
application junos-nsm {
    term t1 protocol udp destination-port 69;
}
#
# OSPF protocol
#
application junos-ospf {
    term t1 protocol 89;
}
#
# PC-anywhere remote control and file transfer protocol
#
application junos-pc-anywhere {
    term t1 protocol udp destination-port 5632;
}
#
# Ping  protocol
#
application junos-ping {
    term t1 protocol 1;
}
#
# Ping for IPv6
#
application junos-pingv6 {
    term t1 protocol 58;
}
#
# ICMP6 destination unreachable address
#
application junos-icmp6-dst-unreach-addr {
    term t1 protocol 58 icmp6-type 1 icmp6-code 3;
}
#
# ICMP6 destination unreachable administration
#
application junos-icmp6-dst-unreach-admin {
    term t1 protocol 58 icmp6-type 1 icmp6-code 1;
}
#
# ICMP6 destination unreachable beyond 
#
application junos-icmp6-dst-unreach-beyond {
    term t1 protocol 58 icmp6-type 1 icmp6-code 2;
}
#
# ICMP6 destination unreachable port
#
application junos-icmp6-dst-unreach-port {
    term t1 protocol 58 icmp6-type 1 icmp6-code 4;
}
#
# ICMP6 destination unreachable route
#
application junos-icmp6-dst-unreach-route {
    term t1 protocol 58 icmp6-type 1 icmp6-code 0;
}
#
# ICMP6 echo reply
#
application junos-icmp6-echo-reply {
    term t1 protocol 58 icmp6-type 129;
}
#
# ICMP6 echo request
#
application junos-icmp6-echo-request {
    term t1 protocol 58 icmp6-type 128;
}
#
# ICMP6 packet too big
#
application junos-icmp6-packet-too-big {
    term t1 protocol 58 icmp6-type 2 icmp6-code 0;
}
#
# ICMP6 parameter problem header 
#
application junos-icmp6-param-prob-header {
    term t1 protocol 58 icmp6-type 4 icmp6-code 0;
}
#
# ICMP6 parameter problem next header 
#
application junos-icmp6-param-prob-nexthdr {
    term t1 protocol 58 icmp6-type 4 icmp6-code 1;
}
#
# ICMP6 parameter problem option
#
application junos-icmp6-param-prob-option {
    term t1 protocol 58 icmp6-type 4 icmp6-code 2;
}
#
# ICMP6 time exceeded reassembly
#
application junos-icmp6-time-exceed-reassembly {
    term t1 protocol 58 icmp6-type 3 icmp6-code 1;
}
#
# ICMP6 time exceeded transit
#
application junos-icmp6-time-exceed-transit {
    term t1 protocol 58 icmp6-type 3 icmp6-code 0;
}
#
# ICMP6 all traffic
#   This can be made to be more restrictive by specifying icmp6
#   type and code.
#       
application junos-icmp6-all {
    term t1 protocol 58;
}
#
# Point-to-Point Tunneling protocol
#
application junos-pptp {
    ##
    ## Warning: statement ignored: unsupported platform (srx5600)
    ##
    term t1 alg pptp protocol tcp destination-port 1723;
}
#
# Real players use this protocol for real time streaming 
# This was the original protocol for real players. 
# RTSP is more widely used by real players 
# but they still support realaudio.
#
application junos-realaudio {
    term t1 alg rtsp protocol tcp destination-port 554;
}
#
# Cisco Station Call Control Protocol
#
application junos-sccp {
    term t1 alg sccp protocol tcp destination-port 2000;
}
application junos-sctp-any {
    term t1 protocol 132;
}
#
# Session Initiation Protocol (SIP)
#
application junos-sip {
    term t1 alg sip protocol udp destination-port 5060;
    term t2 alg sip protocol tcp destination-port 5060;
}
#
# RSH 
#
application junos-rsh {
    term t1 alg rsh protocol tcp destination-port 514;
}
#
# Server Message Block Protocol
#
application junos-smb {
    term t1 protocol tcp destination-port 139;
    term t2 protocol tcp destination-port 445;
}
application junos-sql-monitor {
    term t1 protocol udp destination-port 1434;
}
#
# Oracle SQL*Net Version 1
#
application junos-sqlnet-v1 {
    term t1 protocol tcp destination-port 1525;
}
#
# Oracle SQL*Net Version 2
#
application junos-sqlnet-v2 {
    term t1 alg sqlnet-v2 protocol tcp destination-port 1521;
}
#
# Sun RPC
#
application junos-sun-rpc-tcp {
    term t1 alg sun-rpc protocol tcp destination-port 111;
}
application junos-sun-rpc-udp {
    term t1 alg sun-rpc protocol udp destination-port 111;
}
#
# Sun RPC Portmapper
#
application junos-sun-rpc-portmap-tcp {
    term t1 protocol tcp rpc-program-number 100000;
}
application junos-sun-rpc-portmap-udp {
    term t1 protocol udp rpc-program-number 100000;
}
#
# Sun RPC nfs
#
application junos-sun-rpc-nfs-tcp {
    term t1 protocol tcp rpc-program-number 100003;
}
application junos-sun-rpc-nfs-udp {
    term t1 protocol udp rpc-program-number 100003;
}
#
# Sun RPC mountd
#
application junos-sun-rpc-mountd-tcp {
    term t1 protocol tcp rpc-program-number 100005;
}
application junos-sun-rpc-mountd-udp {
    term t1 protocol udp rpc-program-number 100005;
}
#
# Sun RPC ypbind
#
application junos-sun-rpc-ypbind-tcp {
    term t1 protocol tcp rpc-program-number 100007;
}
application junos-sun-rpc-ypbind-udp {
    term t1 protocol udp rpc-program-number 100007;
}
#
# Sun RPC status
#
application junos-sun-rpc-status-tcp {
    term t1 protocol tcp rpc-program-number 100024;
}
application junos-sun-rpc-status-udp {
    term t1 protocol udp rpc-program-number 100024;
}
#
# Sun RPC ypserv
#
application junos-sun-rpc-ypserv-tcp {
    term t1 protocol tcp rpc-program-number 100004;
}
application junos-sun-rpc-ypserv-udp {
    term t1 protocol udp rpc-program-number 100004;
}
#
# Sun RPC Remote Quota Daemon
#
application junos-sun-rpc-rquotad-tcp {
    term t1 protocol tcp rpc-program-number 100011;
}
application junos-sun-rpc-rquotad-udp {
    term t1 protocol udp rpc-program-number 100011;
}
#
# Sun RPC Network Lock Manager
#
application junos-sun-rpc-nlockmgr-tcp {
    term t1 protocol tcp rpc-program-number 100021;
}
application junos-sun-rpc-nlockmgr-udp {
    term t1 protocol udp rpc-program-number 100021;
}
#
# Sun RPC Remote User Daemon
#
application junos-sun-rpc-ruserd-tcp {
    term t1 protocol tcp rpc-program-number 100002;
}
application junos-sun-rpc-ruserd-udp {
    term t1 protocol udp rpc-program-number 100002;
}
#
# Sun RPC System Administration Daemon
#
application junos-sun-rpc-sadmind-tcp {
    term t1 protocol tcp rpc-program-number 100232;
}
application junos-sun-rpc-sadmind-udp {
    term t1 protocol udp rpc-program-number 100232;
}
#
# Sun RPC SPRAY Daemon
#
application junos-sun-rpc-sprayd-tcp {
    term t1 protocol tcp rpc-program-number 100012;
}
application junos-sun-rpc-sprayd-udp {
    term t1 protocol udp rpc-program-number 100012;
}
#
# Sun RPC WALL Daemon
#
application junos-sun-rpc-walld-tcp {
    term t1 protocol tcp rpc-program-number 100008;
}
application junos-sun-rpc-walld-udp {
    term t1 protocol udp rpc-program-number 100008;
}
#
# SUN RPC any
#
application junos-sun-rpc-any-tcp {
    term t1 protocol tcp rpc-program-number 1610612735;
}
application junos-sun-rpc-any-udp {
    term t1 protocol udp rpc-program-number 1610612735;
}
# UNIX talk
application junos-talk {
    term t1 alg talk protocol udp destination-port 517;
    term t2 alg talk protocol tcp destination-port 517;
}
application junos-ntalk {
    term t1 alg talk protocol udp destination-port 518;
    term t2 alg talk protocol tcp destination-port 518;
}
#
# Any TCP application
#
application junos-tcp-any {
    term t1 protocol tcp;
}
#
# Any UDP application
#
application junos-udp-any {
    term t1 protocol udp;
}
#
# Unix to Unix Copy (UUCP) Protocol
#
application junos-uucp {
    term t1 protocol udp destination-port 540;
}
#
# VDOLive video streaming technology
#
application junos-vdo-live {
    term t1 protocol udp destination-port 7000-7010;
}
#
# Virtual Network Computing's protocol
#
application junos-vnc {
    term t1 protocol tcp destination-port 5800;
}
#
# Wide Area Information Server
#
application junos-wais {
    term t1 protocol tcp destination-port 210;
}
#
# Network Directory Service Protocol
#
application junos-whois {
    term t1 protocol tcp destination-port 43;
}
#
# WinFrame protocol (allows users on non-windows machines to run windows applications)
#
application junos-winframe {
    term t1 protocol tcp destination-port 1494;
}
#
# X-Windows         protocol
#
application junos-x-windows {
    term t1 protocol tcp destination-port 6000-6063;
}
#
# Yahoo Messenger 
#
application junos-ymsg {
    term t1 protocol tcp destination-port 5000-5010;
    term t2 protocol tcp destination-port 5050;
    term t3 protocol udp destination-port 5000-5010;
    term t4 protocol udp destination-port 5050;
}
#
# WX Control Connection used by WX-PIM
#
application junos-wxcontrol {
    term t1 protocol tcp destination-port 3578 inactivity-timeout 7560;
}
#
# SNMP AgentX Connection used by WX-ISM
#
application junos-snmp-agentx {
    term t1 protocol tcp destination-port 705 inactivity-timeout 7560;
}
#
# Simple Traversal of User Datagram Protocol (UDP) Through 
# Network Address Translators (NATs)
#
application junos-stun {
    term t1 protocol udp destination-port 3478-3479;
    term t2 protocol tcp destination-port 3478-3479;
}
#
# Persistent NAT Service
#
application junos-persistent-nat {
    term t1 protocol 255 source-port 65535 destination-port 65535;
}
#
# Radio-Router Control Protocol
#
application junos-r2cp {
    term t1 protocol udp destination-port 28672;
}
# 
# 'junos-routing-inbound' represents routing protocols that may
# that may need access the trusted network from the untrusted
# network.
# 
# Set is intended for a UI to display routing involvement choices.
#
# NOTE:  It is not recommended you use the entire set directly in
#        a firewall rule and open up firewall to all of these 
#        applications.  Also, you should always specify the source
#        and destination prefixes when using each application.
#
# NOTE: the contents of this set may grow in future JUNOS versions.
# 
application-set junos-routing-inbound {
    application junos-bgp;
    application junos-rip;
    application junos-ldp-tcp;
    application junos-ldp-udp;
}
#
# Common Internet File System (cifs)
# It runs over netbios and over smb, so construct
# an application set to capture it.
#
application-set junos-cifs {
    application junos-netbios-session;
    application junos-smb-session;
}
application-set junos-gprs-gtp {
    application junos-gprs-gtp-c;
    application junos-gprs-gtp-u;
    application junos-gprs-gtp-v0;
}
application-set junos-mgcp {
    application junos-mgcp-ua;
    application junos-mgcp-ca;
}
application-set junos-ms-rpc {
    application junos-ms-rpc-tcp;
    application junos-ms-rpc-udp;
}
#
#  Microsoft RPC Microsoft Exchange
#
application-set junos-ms-rpc-msexchange {
    application junos-ms-rpc-tcp;
    application junos-ms-rpc-udp;
    application junos-ms-rpc-epm;
    application junos-ms-rpc-msexchange-directory-rfr;
    application junos-ms-rpc-msexchange-info-store;
    application junos-ms-rpc-msexchange-directory-nsp;
}
application-set junos-ms-rpc-wmic {
    application junos-ms-rpc-tcp;
    application junos-ms-rpc-wmic-admin;
    application junos-ms-rpc-wmic-admin2;
    application junos-ms-rpc-wmic-webm-level1login;
    application junos-ms-rpc-wmic-mgmt;
}
application-set junos-ms-rpc-iis-com {
    application junos-ms-rpc-tcp;
    application junos-ms-rpc-iis-com-1;
    application junos-ms-rpc-iis-com-adminbase;
}
application-set junos-ms-rpc-any {
    application junos-ms-rpc-tcp;
    application junos-ms-rpc-udp;
    application junos-ms-rpc-uuid-any-tcp;
    application junos-ms-rpc-uuid-any-udp;
}
application-set junos-sun-rpc {
    application junos-sun-rpc-tcp;
    application junos-sun-rpc-udp;
}
application-set junos-sun-rpc-portmap {
    application junos-sun-rpc-tcp;
    application junos-sun-rpc-udp;
    application junos-sun-rpc-portmap-tcp;
    application junos-sun-rpc-portmap-udp;
}
application-set junos-sun-rpc-nfs {
    application junos-sun-rpc-tcp;
    application junos-sun-rpc-udp;
    application junos-sun-rpc-portmap-tcp;
    application junos-sun-rpc-portmap-udp;
    application junos-sun-rpc-nfs-tcp;
    application junos-sun-rpc-nfs-udp;
}
application-set junos-sun-rpc-mountd {
    application junos-sun-rpc-tcp;
    application junos-sun-rpc-udp;
    application junos-sun-rpc-portmap-tcp;
    application junos-sun-rpc-portmap-udp;
    application junos-sun-rpc-mountd-tcp;
    application junos-sun-rpc-mountd-udp;
}
application-set junos-sun-rpc-ypbind {
    application junos-sun-rpc-tcp;
    application junos-sun-rpc-udp;
    application junos-sun-rpc-portmap-tcp;
    application junos-sun-rpc-portmap-udp;
    application junos-sun-rpc-ypbind-tcp;
    application junos-sun-rpc-ypbind-udp;
}
application-set junos-sun-rpc-status {
    application junos-sun-rpc-tcp;
    application junos-sun-rpc-udp;
    application junos-sun-rpc-portmap-tcp;
    application junos-sun-rpc-portmap-udp;
    application junos-sun-rpc-status-tcp;
    application junos-sun-rpc-status-udp;
}
#
# Sun RPC nfs-access (Requires nfs and mountd)
#
application-set junos-sun-rpc-nfs-access {
    application junos-sun-rpc-tcp;
    application junos-sun-rpc-udp;
    application junos-sun-rpc-portmap-tcp;
    application junos-sun-rpc-portmap-udp;
    application junos-sun-rpc-nfs-tcp;
    application junos-sun-rpc-nfs-udp;
    application junos-sun-rpc-mountd-tcp;
    application junos-sun-rpc-mountd-udp;
}
application-set junos-sun-rpc-ypserv {
    application junos-sun-rpc-tcp;
    application junos-sun-rpc-udp;
    application junos-sun-rpc-portmap-tcp;
    application junos-sun-rpc-portmap-udp;
    application junos-sun-rpc-ypserv-tcp;
    application junos-sun-rpc-ypserv-udp;
}
application-set junos-sun-rpc-rquotad {
    application junos-sun-rpc-tcp;
    application junos-sun-rpc-udp;
    application junos-sun-rpc-portmap-tcp;
    application junos-sun-rpc-portmap-udp;
    application junos-sun-rpc-rquotad-tcp;
    application junos-sun-rpc-rquotad-udp;
}
application-set junos-sun-rpc-nlockmgr {
    application junos-sun-rpc-tcp;
    application junos-sun-rpc-udp;
    application junos-sun-rpc-portmap-tcp;
    application junos-sun-rpc-portmap-udp;
    application junos-sun-rpc-nlockmgr-tcp;
    application junos-sun-rpc-nlockmgr-udp;
}
application-set junos-sun-rpc-ruserd {
    application junos-sun-rpc-tcp;
    application junos-sun-rpc-udp;
    application junos-sun-rpc-portmap-tcp;
    application junos-sun-rpc-portmap-udp;
    application junos-sun-rpc-ruserd-tcp;
    application junos-sun-rpc-ruserd-udp;
}
application-set junos-sun-rpc-sadmind {
    application junos-sun-rpc-tcp;
    application junos-sun-rpc-udp;
    application junos-sun-rpc-portmap-tcp;
    application junos-sun-rpc-portmap-udp;
    application junos-sun-rpc-sadmind-tcp;
    application junos-sun-rpc-sadmind-udp;
}
application-set junos-sun-rpc-sprayd {
    application junos-sun-rpc-tcp;
    application junos-sun-rpc-udp;
    application junos-sun-rpc-portmap-tcp;
    application junos-sun-rpc-portmap-udp;
    application junos-sun-rpc-sprayd-tcp;
    application junos-sun-rpc-sprayd-udp;
}
application-set junos-sun-rpc-walld {
    application junos-sun-rpc-tcp;
    application junos-sun-rpc-udp;
    application junos-sun-rpc-portmap-tcp;
    application junos-sun-rpc-portmap-udp;
    application junos-sun-rpc-walld-tcp;
    application junos-sun-rpc-walld-udp;
}
application-set junos-sun-rpc-any {
    application junos-sun-rpc-tcp;
    application junos-sun-rpc-udp;
    application junos-sun-rpc-any-tcp;
    application junos-sun-rpc-any-udp;
}

Juniper BGP path selection

juniper
  1. Verify that the next hop can be resolved.
  2. Choose the path with the lowest preference value (routing protocol process preference).
  3. Prefer the path with higher local preference. For non-BGP paths, choose the path with the lowest preference2 value.
  4. If the accumulated interior gateway protocol (AIGP) attribute is enabled, prefer the path with the lower AIGP attribute.
  5. Prefer the path with the shortest autonomous system (AS) path value.
  6. Prefer the route with the lower origin code.  Routes learned from an IGP have a lower origin code than those learned from an exterior gateway protocol (EGP), and both have lower origin codes than incomplete routes (routes whose origin is unknown).
  7. Prefer the path with the lowest multiple exit discriminator (MED) metric.
  8. Prefer strictly internal paths, which include IGP routes and locally generated routes (static, direct, local, and so forth).
  9. Prefer strictly external BGP (EBGP) paths over external paths learned through internal BGP (IBGP) sessions.
  10. Prefer the path whose next hop is resolved through the IGP route with the lowest metric.
  11. If both paths are external, prefer the currently active path to minimize route-flapping.
  12. Prefer a primary route over a secondary route. A primary route is one that belongs to the routing table. A secondary route is one that is added to the routing table through an export policy.
  13. Prefer the path from the peer with the lowest router ID. For any path with an originator ID attribute, substitute the originator ID for the router ID during router ID comparison.
  14. Prefer the path with the shortest cluster list length. The length is 0 for no list.
  15. Prefer the path from the peer with the lowest peer IP address.

Comparing Cisco and Juniper administrative distance

cisco, juniper
Protocol Cisco Juniper
Connected / Direct 0 0
Static 1 5
EIGRP Summary 5
OSPF Internal 10
IS-IS Level 1 Internal 15
IS-IS Level 2 Internal 18
BGP External 20
EIGRP Internal 90
OSPF All 110
IS-IS All 115
RIP 120 100
OSPF External 150
IS-IS Level 1 External 160
IS-IS Level 2 External 165
EIGRP External 170
BGP All 170
BGP Internal 200

Fixing your Juniper SRX branch series boot partition

juniper

A recent storm caused us to lose power and the next time I logged in into my SRX100H2 home router, I was greeted with this warning:

***********************************************************************
**                                                                   **
**  WARNING: THIS DEVICE HAS BOOTED FROM THE BACKUP JUNOS IMAGE      **
**                                                                   **
**  It is possible that the primary copy of JUNOS failed to boot up  **
**  properly, and so this device has booted from the backup copy.    **
**                                                                   **
**  Please re-install JUNOS to recover the primary copy in case      **
**  it has been corrupted.                                           **
**                                                                   **
***********************************************************************

Luckily, the fix was easy and kudos to Juniper for implementing the two-partition system. Here’s the fix:

request system snapshot slice alternate

To verify the procedure, issue the following command:

show system snapshot media internal

The results should look something like this:

Information for snapshot on       internal (/dev/da0s1a) (backup)
Creation date: Aug 14 18:06:53 2015
JUNOS version on snapshot:
  junos  : 12.1X44-D35.5-domestic
Information for snapshot on       internal (/dev/da0s2a) (primary)
Creation date: Jul 31 11:15:08 2016
JUNOS version on snapshot:
  junos  : 12.1X44-D35.5-domestic

Juniper SRX data center firewall default security policy

juniper, srx, ,

Being a routing and switching guy (mostly service provider stuff), I don’t deal with firewalls very often, because I am far from a security expert and I would be doing a disservice to my clients. However, this week, I was tasked with getting two brand new Juniper SRX1400s setup and updated I learned three things during this process: 1) unlike the branch-series SRXs, the data-center series comes with very little configuration and no security configuration whatsoever; 2) the default policy if no policy is to deny, and; 3) there’s a difference between inbound host packets and transit packets, and at the very least, the inbound host configuration must be set before you can do anything to the firewall. Example below:

Show

zones {
    security-zone untrust {
        interfaces {
            xe-0/0/7.0 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
            }
        }
    }
}

Display set

set security zones security-zone untrust interfaces xe-0/0/7.0 host-inbound-traffic system-services all

A couple caveats:

First, if this is the only policy you add, you’ll probably find people trying to brute force any services you have running on the firewall within minutes, such as SSHD.

Second, the statement must be applied to a logical interface and not a physical interface (xe-0/0/7.0 vs. xe-0/0/7) in order for it to work.