Please be aware that I whipped this rather quick, so I'm sure there are some errors here and there. I'll update it as necessary. Also, if there are better ways to configure this or more optimized methods, please don't hesitate to comment!
Moving on.. here's a summary of each site:
Site A: 2x SRX 220's running in a cluster with a dual-ISP setup. It is also running an SMTP server that is accessible on both the primary and secondary ISP's. It has IP-Monitoring so if the primary or backup ISP goes down, traffic is rerouted automatically.
Site B: A single SRX w/IDP running.
Between the sites, VPN connections are setup over every ISP. OSPF is running for redundancy and to take care of all the static routes. All SRX's are running 11.4 or later.
Configs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| set version 11.4R9.4 | |
| set groups node0 system host-name siteA-node0 | |
| set groups node0 interfaces fxp0 unit 0 family inet | |
| set groups node1 system host-name siteA-node1 | |
| set groups node1 interfaces fxp0 unit 0 family inet | |
| set apply-groups "${node}" | |
| set system domain-name mydomain.com | |
| set system time-zone PST8PDT | |
| set system no-redirects | |
| set system root-authentication encrypted-password "Password" | |
| set system name-server 192.168.1.10 | |
| set system services ssh root-login allow | |
| set system services ssh protocol-version v2 | |
| set system services web-management http interface reth0.0 | |
| set system services web-management https system-generated-certificate | |
| set system services web-management https interface reth1.0 | |
| set system services web-management https interface reth2.0 | |
| set system syslog archive size 100k | |
| set system syslog archive files 3 | |
| set system syslog user * any emergency | |
| set system syslog file messages any warning | |
| set system syslog file messages authorization info | |
| set system syslog file interactive-commands interactive-commands error | |
| set system max-configurations-on-flash 5 | |
| set system max-configuration-rollbacks 5 | |
| set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval | |
| # Disable UTM permanently if you are not using it to save memory | |
| set system processes utmd disable | |
| set system ntp server 10.10.0.1 | |
| set chassis cluster reth-count 3 | |
| set chassis cluster redundancy-group 0 node 0 priority 100 | |
| set chassis cluster redundancy-group 0 node 1 priority 1 | |
| set chassis cluster redundancy-group 1 node 0 priority 100 | |
| set chassis cluster redundancy-group 1 node 1 priority 1 | |
| set chassis cluster redundancy-group 1 interface-monitor ge-0/0/0 weight 255 | |
| set chassis cluster redundancy-group 1 interface-monitor ge-0/0/1 weight 255 | |
| set chassis cluster redundancy-group 1 interface-monitor ge-0/0/2 weight 255 | |
| set chassis cluster redundancy-group 1 interface-monitor ge-3/0/0 weight 255 | |
| set chassis cluster redundancy-group 1 interface-monitor ge-3/0/1 weight 255 | |
| set chassis cluster redundancy-group 1 interface-monitor ge-3/0/2 weight 255 | |
| set interfaces ge-0/0/0 gigether-options redundant-parent reth0 | |
| set interfaces ge-0/0/1 gigether-options redundant-parent reth1 | |
| set interfaces ge-0/0/2 gigether-options redundant-parent reth2 | |
| set interfaces ge-3/0/0 gigether-options redundant-parent reth0 | |
| set interfaces ge-3/0/1 gigether-options redundant-parent reth1 | |
| set interfaces ge-3/0/2 gigether-options redundant-parent reth2 | |
| set interfaces fab0 fabric-options member-interfaces ge-0/0/5 | |
| set interfaces fab1 fabric-options member-interfaces ge-3/0/5 | |
| # Set the lo0 with an unused dummy IP that is not on your network | |
| set interfaces lo0 unit 0 family inet address 172.16.172.181/32 | |
| set interfaces reth0 redundant-ether-options redundancy-group 1 | |
| set interfaces reth0 unit 0 description LAN | |
| set interfaces reth0 unit 0 family inet mtu 1500 | |
| set interfaces reth0 unit 0 family inet filter input LAN-IN-FILTER | |
| set interfaces reth0 unit 0 family inet address 10.10.0.2/30 | |
| set interfaces reth1 redundant-ether-options redundancy-group 1 | |
| set interfaces reth1 unit 0 description ISP1 | |
| set interfaces reth1 unit 0 family inet mtu 1500 | |
| set interfaces reth1 unit 0 family inet filter input ISP1-IN-FILTER | |
| set interfaces reth1 unit 0 family inet address 66.66.66.66/28 | |
| set interfaces reth2 redundant-ether-options redundancy-group 1 | |
| set interfaces reth2 unit 0 description ISP2 | |
| set interfaces reth2 unit 0 family inet mtu 1500 | |
| set interfaces reth2 unit 0 family inet filter input ISP2-IN-FILTER | |
| set interfaces reth2 unit 0 family inet address 77.77.77.77/28 | |
| set interfaces st0 unit 0 description VPN-SITEB-ISP1 | |
| set interfaces st0 unit 0 family inet mtu 1350 | |
| set interfaces st0 unit 0 family inet address 10.0.0.1/30 | |
| set interfaces st0 unit 1 description VPN-SITEB-ISP2 | |
| set interfaces st0 unit 1 family inet mtu 1350 | |
| set interfaces st0 unit 1 family inet address 10.0.0.5/30 | |
| set snmp location SITEA | |
| set snmp community public authorization read-only | |
| # Only allow host 10.10.10.10 to access SNMP | |
| set snmp community public clients 10.10.10.10/32 | |
| set routing-options interface-routes rib-group inet inside | |
| # Set the virtual-router ISP1 as the default route out | |
| set routing-options static route 0.0.0.0/0 next-table ISP1.inet.0 | |
| # I do not think you need the next line anymore with 11.4 but I put it in just for kicks on how confusing this setup is | |
| set routing-options static route 88.88.88.88/32 next-hop 172.16.172.181 | |
| set routing-options static route 10.10.10.0/24 next-hop 10.10.0.1 | |
| set routing-options static route 10.10.11.0/24 next-hop 10.10.0.1 | |
| # rib-groups basically import and export routing tables from other instances | |
| set routing-options rib-groups inside import-rib inet.0 | |
| set routing-options rib-groups inside import-rib TRUST-VRF.inet.0 | |
| set routing-options rib-groups inside import-rib ISP1.inet.0 | |
| set routing-options rib-groups inside import-rib ISP2.inet.0 | |
| # This is only for comestics which sets the OSPF router ID | |
| set routing-options router-id 10.10.0.2 | |
| # This is for adding more routes via OSPF, not necessary if your internal router supports OSPF | |
| set protocols ospf export Export-Local-Nets | |
| # Now lets create a simple OSPF area for the VPNs and routing between sites so we dont have massive static routes to babysit | |
| set protocols ospf area 0.0.0.0 interface st0.0 metric 150 | |
| # Notice how this interface is a higher metric than st0.0. We dont want VPN traffic going over st0.1 unless st0.0 is down | |
| set protocols ospf area 0.0.0.0 interface st0.1 metric 160 | |
| # If you don't have OSPF on your internal router add the word passive at the end of the next line | |
| set protocols ospf area 0.0.0.0 interface reth0.0 | |
| # I dont use spamming-tree so its disabled | |
| set protocols stp disable | |
| # This is just an example of hosts that get dropped with my firewall interface filter | |
| set policy-options prefix-list blocked-access 111.111.111.111/32 | |
| set policy-options prefix-list blocked-access 222.222.222.222/32 | |
| # This list is for hosts I want to give ssh and https access so they can manage this firewall remotely | |
| set policy-options prefix-list mgmnt-access 55.55.55.55/24 | |
| set policy-options prefix-list mgmnt-access 55.55.55.44/32 | |
| # If you do not have OSPF on your internal router then add the lines below if you have internal routes that dont hit the firewall | |
| # From my static routes above in the routing-options section, Im adding my 2 internal subnets | |
| set policy-options policy-statement Export-Local-Nets term 1 from protocol static | |
| set policy-options policy-statement Export-Local-Nets term 1 from protocol direct | |
| set policy-options policy-statement Export-Local-Nets term 1 from route-filter 10.10.10.0/24 exact | |
| set policy-options policy-statement Export-Local-Nets term 1 from route-filter 10.10.11.0/24 exact | |
| set policy-options policy-statement Export-Local-Nets term 1 then accept | |
| # Below is the VPN settings | |
| set security ike proposal SHA1-PSK-DH2-AES128 authentication-method pre-shared-keys | |
| set security ike proposal SHA1-PSK-DH2-AES128 dh-group group2 | |
| set security ike proposal SHA1-PSK-DH2-AES128 authentication-algorithm sha1 | |
| set security ike proposal SHA1-PSK-DH2-AES128 encryption-algorithm aes-128-cbc | |
| set security ike proposal SHA1-PSK-DH2-AES128 lifetime-seconds 86400 | |
| set security ike policy PSK-IKE-Policy mode main | |
| set security ike policy PSK-IKE-Policy proposals SHA1-PRE-AES128 | |
| set security ike policy PSK-IKE-Policy pre-shared-key ascii-text "PreSharedKey" | |
| # OK so this gets funky | |
| # For DUAL-ISPs you need to add the local and remote identities on both sides of the VPN | |
| # Also there is a bug with Juniper and ike v1's dead peer detection so use version v2 which has | |
| # it in there by default and does not have this bug. You can still use v1 but you get weird | |
| # errors in the logs like "Notification payload contains invalid protocol id" | |
| set security ike gateway SITEB-GW-ISP1 ike-policy PSK-IKE-Policy | |
| set security ike gateway SITEB-GW-ISP1 address 88.88.88.88 | |
| set security ike gateway SITEB-GW-ISP1 local-identity inet 10.0.0.1 | |
| set security ike gateway SITEB-GW-ISP1 remote-identity inet 10.0.0.2 | |
| set security ike gateway SITEB-GW-ISP1 external-interface reth1.0 | |
| set security ike gateway SITEB-GW-ISP1 version v2-only | |
| set security ike gateway SITEB-GW-ISP2 ike-policy PSK-IKE-Policy | |
| set security ike gateway SITEB-GW-ISP2 address 88.88.88.88 | |
| set security ike gateway SITEB-GW-ISP2 local-identity inet 10.0.0.5 | |
| set security ike gateway SITEB-GW-ISP2 remote-identity inet 10.0.0.6 | |
| set security ike gateway SITEB-GW-ISP2 external-interface reth2.0 | |
| set security ike gateway SITEB-GW-ISP2 version v2-only | |
| set security ipsec proposal SHA1-AES128-ESP protocol esp | |
| set security ipsec proposal SHA1-AES128-ESP authentication-algorithm hmac-sha1-96 | |
| set security ipsec proposal SHA1-AES128-ESP encryption-algorithm aes-128-cbc | |
| set security ipsec proposal SHA1-AES128-ESP lifetime-seconds 3600 | |
| set security ipsec policy IPSEC-PFS2-Policy perfect-forward-secrecy keys group2 | |
| set security ipsec policy IPSEC-PFS2-Policy proposals SHA1-AES128-ESP | |
| set security ipsec vpn SITEB-VPN-ISP1 bind-interface st0.0 | |
| set security ipsec vpn SITEB-VPN-ISP1 ike gateway SITEB-GW-ISP1 | |
| set security ipsec vpn SITEB-VPN-ISP1 ike ipsec-policy IPSEC-PFS2-Policy | |
| set security ipsec vpn SITEB-VPN-ISP2 bind-interface st0.1 | |
| set security ipsec vpn SITEB-VPN-ISP2 ike gateway SITEB-GW-ISP2 | |
| set security ipsec vpn SITEB-VPN-ISP2 ike ipsec-policy IPSEC-PFS2-Policy | |
| # Address book entries. I put them all in global to make life easy. | |
| set security address-book global address LAN_SMTP_SERVER 10.10.10.250/32 | |
| # All my inside subnets | |
| set security address-book global address NET_LOOPBACK 172.16.172.181/32 | |
| set security address-book global address NET_LAN10 10.10.10.0/24 | |
| set security address-book global address NET_LAN11 10.10.11.0/24 | |
| set security address-book global address NET_LAN1 10.10.0.0/30 | |
| # Group them up | |
| set security address-book global address-set NET_LOCAL address NET_LOOPBACK | |
| set security address-book global address-set NET_LOCAL address NET_LAN10 | |
| set security address-book global address-set NET_LOCAL address NET_LAN11 | |
| set security address-book global address-set NET_LOCAL address NET_LAN1 | |
| # Algs are mostly broken so disable them to avoid headaches | |
| set security alg dns disable | |
| # If you want to keep DNS then add the entry below | |
| set security alg dns maximum-message-length 8192 | |
| set security alg dns doctoring none | |
| set security alg mgcp disable | |
| set security alg msrpc disable | |
| set security alg sunrpc disable | |
| set security alg sql disable | |
| set security flow allow-dns-reply | |
| # Below is only needed for certain DSL connections to fix web site loading | |
| # For example, if yahoo.com doesnt load correctly add the line below | |
| set security flow tcp-mss all-tcp mss 1350 | |
| # Add the line below for your VPN connections -- fixes fragmentation problems | |
| set security flow tcp-mss ipsec-vpn mss 1350 | |
| # This screen stuff is just all default -- keep or tweak at your own discretion | |
| set security screen ids-option untrust-screen icmp ping-death | |
| set security screen ids-option untrust-screen ip source-route-option | |
| set security screen ids-option untrust-screen ip tear-drop | |
| set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024 | |
| set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200 | |
| set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024 | |
| set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048 | |
| set security screen ids-option untrust-screen tcp syn-flood timeout 20 | |
| set security screen ids-option untrust-screen tcp land | |
| # This is the source NAT (outgoing) setup for both ISPs. | |
| # For examples sake Im using a different IP for the primary ISP | |
| # and just the same IP as the interface for the secondary ISP | |
| set security nat source pool SNAT-ISP1-67 address 66.66.66.67/32 | |
| set security nat source rule-set SNAT-ISP1 from routing-instance default | |
| set security nat source rule-set SNAT-ISP1 to routing-instance ISP1 | |
| # I'm adding my address book entry "NET_LOCAL" just to be anal | |
| # you can use "source-address 0.0.0.0/0" just as well | |
| set security nat source rule-set SNAT-ISP1 rule SNAT-POOL-ISP1-67 match source-address-name NET_LOCAL | |
| set security nat source rule-set SNAT-ISP1 rule SNAT-POOL-ISP1-67 match destination-address 0.0.0.0/0 | |
| set security nat source rule-set SNAT-ISP1 rule SNAT-POOL-ISP1-67 then source-nat pool SNAT-ISP1-67 | |
| # Now to add ISP2 in case ISP1 ever goes down | |
| set security nat source rule-set SNAT-ISP2 from routing-instance default | |
| set security nat source rule-set SNAT-ISP2 to routing-instance ISP2 | |
| set security nat source rule-set SNAT-ISP2 rule SNAT-INTERFACE-ISP2 match source-address-name NET_LOCAL | |
| set security nat source rule-set SNAT-ISP2 rule SNAT-INTERFACE-ISP2 match destination-address 0.0.0.0/0 | |
| set security nat source rule-set SNAT-ISP2 rule SNAT-INTERFACE-ISP2 then source-nat interface | |
| # This is the destination NAT (incoming) setup for the SMTP server | |
| set security nat destination pool DNAT_SMTP_SERVER address 10.10.10.250/32 | |
| set security nat destination rule-set ISP1-dnat from routing-instance ISP1 | |
| set security nat destination rule-set ISP1-dnat rule ISP1-to-SMTP_SERVER match source-address 0.0.0.0/0 | |
| set security nat destination rule-set ISP1-dnat rule ISP1-to-SMTP_SERVER match destination-address 66.66.66.68/32 | |
| set security nat destination rule-set ISP1-dnat rule ISP1-to-SMTP_SERVER then destination-nat pool DNAT_SMTP_SERVER | |
| set security nat destination rule-set ISP2-dnat from routing-instance ISP2 | |
| set security nat destination rule-set ISP2-dnat rule ISP2-to-SMTP_SERVER match source-address 0.0.0.0/0 | |
| set security nat destination rule-set ISP2-dnat rule ISP2-to-SMTP_SERVER match destination-address 77.77.77.79/32 | |
| set security nat destination rule-set ISP2-dnat rule ISP2-to-SMTP_SERVER then destination-nat pool DNAT_SMTP_SERVER | |
| # Add all external IPs that will be used here (not including the interface IPs) | |
| set security nat proxy-arp interface reth1.0 address 66.66.66.67/32 | |
| set security nat proxy-arp interface reth1.0 address 66.66.66.68/32 | |
| set security nat proxy-arp interface reth2.0 address 77.77.77.79/32 | |
| # Now this is where we define security ACLs | |
| # I like to block garbage traffic from going out | |
| set security policies from-zone LAN to-zone ISP1 policy Bad-Stuff match source-address any-ipv4 | |
| set security policies from-zone LAN to-zone ISP1 policy Bad-Stuff match destination-address any-ipv4 | |
| # Below is just an example of stuff to block | |
| # You can create your own at the end of the config or use "show configuration groups junos-defaults applications" to see the predefined ones | |
| set security policies from-zone LAN to-zone ISP1 policy Bad-Stuff match application junos-netbios-session | |
| set security policies from-zone LAN to-zone ISP1 policy Bad-Stuff match application junos-smb-session | |
| set security policies from-zone LAN to-zone ISP1 policy Bad-Stuff match application junos-nbname | |
| set security policies from-zone LAN to-zone ISP1 policy Bad-Stuff match application junos-nbds | |
| set security policies from-zone LAN to-zone ISP1 policy Bad-Stuff match application junos-cifs | |
| set security policies from-zone LAN to-zone ISP1 policy Bad-Stuff then deny | |
| set security policies from-zone LAN to-zone ISP1 policy LAN-to-ISP1 match source-address NET_LOCAL | |
| set security policies from-zone LAN to-zone ISP1 policy LAN-to-ISP1 match destination-address any-ipv4 | |
| set security policies from-zone LAN to-zone ISP1 policy LAN-to-ISP1 match application any | |
| set security policies from-zone LAN to-zone ISP1 policy LAN-to-ISP1 then permit | |
| # Copy the above for ISP2 | |
| set security policies from-zone LAN to-zone ISP2 policy Bad-Stuff match application junos-netbios-session | |
| set security policies from-zone LAN to-zone ISP2 policy Bad-Stuff match application junos-smb-session | |
| set security policies from-zone LAN to-zone ISP2 policy Bad-Stuff match application junos-nbname | |
| set security policies from-zone LAN to-zone ISP2 policy Bad-Stuff match application junos-nbds | |
| set security policies from-zone LAN to-zone ISP2 policy Bad-Stuff match application junos-cifs | |
| set security policies from-zone LAN to-zone ISP2 policy Bad-Stuff then deny | |
| set security policies from-zone LAN to-zone ISP2 policy LAN-to-ISP2 match source-address NET_LOCAL | |
| set security policies from-zone LAN to-zone ISP2 policy LAN-to-ISP2 match destination-address any-ipv4 | |
| set security policies from-zone LAN to-zone ISP2 policy LAN-to-ISP2 match application any | |
| set security policies from-zone LAN to-zone ISP2 policy LAN-to-ISP2 then permit | |
| # Allow LAN to LAN | |
| set security policies from-zone LAN to-zone LAN policy LAN-to-LAN match source-address any | |
| set security policies from-zone LAN to-zone LAN policy LAN-to-LAN match destination-address any | |
| set security policies from-zone LAN to-zone LAN policy LAN-to-LAN match application any | |
| set security policies from-zone LAN to-zone LAN policy LAN-to-LAN then permit | |
| # Allow Destination NAT traffic | |
| set security policies from-zone ISP1 to-zone LAN policy ISP1-dnat-SMTP_SERVER match source-address any-ipv4 | |
| set security policies from-zone ISP1 to-zone LAN policy ISP1-dnat-SMTP_SERVER match destination-address LAN_SMTP_SERVER | |
| # Notice how im using my own application called cust-smtp | |
| # Which will be explained at the end of the config | |
| set security policies from-zone ISP1 to-zone LAN policy ISP1-dnat-SMTP_SERVER match application cust-smtp | |
| set security policies from-zone ISP1 to-zone LAN policy ISP1-dnat-SMTP_SERVER then permit | |
| set security policies from-zone ISP2 to-zone LAN policy ISP2-dnat-SMTP_SERVER match source-address any-ipv4 | |
| set security policies from-zone ISP2 to-zone LAN policy ISP2-dnat-SMTP_SERVER match destination-address LAN_SMTP_SERVER | |
| set security policies from-zone ISP2 to-zone LAN policy ISP2-dnat-SMTP_SERVER match application cust-smtp | |
| set security policies from-zone ISP2 to-zone LAN policy ISP2-dnat-SMTP_SERVER then permit | |
| # Add allowed traffic to hit the firewall | |
| # Note: this isn't allowing traffic to pass through firewall, but rather actually hit the interfaces of the firewall | |
| set security zones security-zone LAN host-inbound-traffic system-services all | |
| set security zones security-zone LAN host-inbound-traffic protocols ospf | |
| # adding a custom entry here instead of the global one above for LAN because the loopback interface doesnt need ospf on it | |
| # You can do the same for the reth0.0 interface is you dont have an internal router using OSPF | |
| set security zones security-zone LAN interfaces lo0.0 host-inbound-traffic system-services all | |
| set security zones security-zone LAN interfaces reth0.0 | |
| set security zones security-zone LAN interfaces st0.0 | |
| set security zones security-zone LAN interfaces st0.1 | |
| # For the ISP zones, services will be limited | |
| set security zones security-zone ISP1 screen untrust-screen | |
| set security zones security-zone ISP1 interfaces reth1.0 host-inbound-traffic system-services ike | |
| set security zones security-zone ISP1 interfaces reth1.0 host-inbound-traffic system-services traceroute | |
| set security zones security-zone ISP1 interfaces reth1.0 host-inbound-traffic system-services ping | |
| set security zones security-zone ISP1 interfaces reth1.0 host-inbound-traffic system-services ssh | |
| set security zones security-zone ISP1 interfaces reth1.0 host-inbound-traffic system-services https | |
| set security zones security-zone ISP2 screen untrust-screen | |
| set security zones security-zone ISP2 interfaces reth2.0 host-inbound-traffic system-services ping | |
| set security zones security-zone ISP2 interfaces reth2.0 host-inbound-traffic system-services ike | |
| set security zones security-zone ISP2 interfaces reth2.0 host-inbound-traffic system-services traceroute | |
| set security zones security-zone ISP2 interfaces reth2.0 host-inbound-traffic system-services ssh | |
| set security zones security-zone ISP2 interfaces reth2.0 host-inbound-traffic system-services https | |
| # | |
| # Now these are the firewall interface filters. They are used before the policies. | |
| # | |
| # The LAN-IN-FILTER is an example only if you want a certain host or subnet to go out ISP2 instead of the default ISP1 | |
| # Here the computer at 10.10.10.100 will be using ISP2 by default. | |
| set firewall filter LAN-IN-FILTER term 1 from source-address 10.10.10.100/32 | |
| set firewall filter LAN-IN-FILTER term 1 from destination-address 0.0.0.0/0 | |
| set firewall filter LAN-IN-FILTER term 1 from destination-address 10.0.0.0/8 except | |
| set firewall filter LAN-IN-FILTER term 1 then routing-instance ISP2 | |
| set firewall filter LAN-IN-FILTER term 2 then accept | |
| # The ISP1 and ISP2-IN-FILTERs handle routing traffic coming back in from the virtual routers | |
| set firewall filter ISP1-IN-FILTER term 1 from source-prefix-list blocked-access | |
| set firewall filter ISP1-IN-FILTER term 1 then discard | |
| # Because ssh and https from the remote management networks needs to be accepted for it to work | |
| # This term will do that. Otherwise it gets re-routed and dropped. | |
| set firewall filter ISP1-IN-FILTER term 2 from source-prefix-list mgmnt-access | |
| set firewall filter ISP1-IN-FILTER term 2 from protocol tcp | |
| set firewall filter ISP1-IN-FILTER term 2 from destination-port 22 | |
| set firewall filter ISP1-IN-FILTER term 2 from destination-port 443 | |
| set firewall filter ISP1-IN-FILTER term 2 then accept | |
| # Here all other trafficon our ISP subnet gets rerouted to the default instance and checked for policies and NAT | |
| set firewall filter ISP1-IN-FILTER term 3 from destination-address 66.66.66.64/28 | |
| set firewall filter ISP1-IN-FILTER term 3 then routing-instance TRUST-VRF | |
| set firewall filter ISP1-IN-FILTER term 4 then accept | |
| # Rinse and repeat for ISP2 | |
| set firewall filter ISP2-IN-FILTER term 1 from source-prefix-list blocked-access | |
| set firewall filter ISP2-IN-FILTER term 1 then discard | |
| set firewall filter ISP2-IN-FILTER term 2 from source-prefix-list mgmnt-access | |
| set firewall filter ISP2-IN-FILTER term 2 from protocol tcp | |
| set firewall filter ISP2-IN-FILTER term 2 from destination-port 22 | |
| set firewall filter ISP2-IN-FILTER term 2 from destination-port 443 | |
| set firewall filter ISP2-IN-FILTER term 2 then accept | |
| set firewall filter ISP2-IN-FILTER term 3 from destination-address 77.77.77.74/28 | |
| set firewall filter ISP2-IN-FILTER term 3 then routing-instance TRUST-VRF | |
| set firewall filter ISP2-IN-FILTER term 4 then accept | |
| # Setup the virtual routers | |
| set routing-instances ISP1 instance-type virtual-router | |
| set routing-instances ISP1 interface reth1.0 | |
| set routing-instances ISP1 routing-options interface-routes rib-group inet inside | |
| set routing-instances ISP1 routing-options static route 0.0.0.0/0 next-hop 66.66.66.69 | |
| set routing-instances ISP2 instance-type virtual-router | |
| set routing-instances ISP2 interface reth2.0 | |
| set routing-instances ISP2 routing-options interface-routes rib-group inet inside | |
| set routing-instances ISP2 routing-options static route 0.0.0.0/0 next-hop 77.77.77.80 | |
| # Setup the forwarder | |
| set routing-instances TRUST-VRF instance-type forwarding | |
| # Add in any internal routes that are not connected directly to the firewall | |
| set routing-instances TRUST-VRF routing-options static route 10.10.10.0/24 next-hop 10.10.0.1 | |
| set routing-instances TRUST-VRF routing-options static route 10.10.11.0/24 next-hop 10.10.0.1 | |
| # Setup the IP Monitoring service in case one of the ISP goes down | |
| # I'm using the gateway of ISP1 and the next hop of ISP2's gateway for examples sake | |
| set services rpm probe ISP1-GW test uplink target address 66.66.66.69 | |
| set services rpm probe ISP1-GW test uplink probe-count 5 | |
| set services rpm probe ISP1-GW test uplink probe-interval 3 | |
| set services rpm probe ISP1-GW test uplink test-interval 30 | |
| set services rpm probe ISP1-GW test uplink thresholds successive-loss 5 | |
| set services rpm probe ISP1-GW test uplink thresholds total-loss 5 | |
| set services rpm probe ISP1-GW test uplink destination-interface reth1.0 | |
| set services rpm probe ISP1-GW test uplink next-hop 66.66.66.69 | |
| # ISP2 probing | |
| set services rpm probe ISP2-GW test uplink target address 77.77.78.1 | |
| set services rpm probe ISP2-GW test uplink probe-count 5 | |
| set services rpm probe ISP2-GW test uplink probe-interval 3 | |
| set services rpm probe ISP2-GW test uplink test-interval 30 | |
| set services rpm probe ISP2-GW test uplink thresholds successive-loss 5 | |
| set services rpm probe ISP2-GW test uplink thresholds total-loss 5 | |
| set services rpm probe ISP2-GW test uplink destination-interface reth2.0 | |
| set services rpm probe ISP2-GW test uplink next-hop 77.77.77.80 | |
| # This is what to do when the probe fails | |
| # Basically we are taking the ISP that is down and giving it the gateway of the ISP that is up | |
| set services ip-monitoring policy ISP1-Tracking match rpm-probe ISP1-GW | |
| set services ip-monitoring policy ISP1-Tracking then preferred-route routing-instances ISP1 route 0.0.0.0/0 next-hop 77.77.77.80 | |
| set services ip-monitoring policy ISP2-Tracking match rpm-probe ISP2-GW | |
| set services ip-monitoring policy ISP2-Tracking then preferred-route routing-instances ISP2 route 0.0.0.0/0 next-hop 66.66.66.69 | |
| # This is where we define our custom ports or applications | |
| set applications application cust-tcp-587 protocol tcp | |
| set applications application cust-tcp-587 destination-port 587 | |
| # We can group applications together for simplicity | |
| # Here im going to group my custom port along with the default SMTP one | |
| set applications application-set cust-smtp application cust-tcp-587 | |
| set applications application-set cust-smtp application junos-smtp |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| set version 11.4R9.6 | |
| set system host-name SITEB | |
| set system domain-name mydomain.com | |
| set system time-zone PST8PDT | |
| set system no-redirects | |
| set system root-authentication encrypted-password "Password" | |
| set system name-server 10.20.10.50 | |
| set system services ssh root-login allow | |
| set system services ssh protocol-version v2 | |
| set system services web-management http interface ge-0/0/0.0 | |
| set system services web-management https system-generated-certificate | |
| set system services web-management https interface ge-0/0/1.0 | |
| set system syslog archive size 100k | |
| set system syslog archive files 3 | |
| set system syslog user * any emergency | |
| set system syslog file messages any critical | |
| set system syslog file messages authorization info | |
| set system syslog file interactive-commands interactive-commands error | |
| set system syslog file IDP-Log any any | |
| set system syslog file IDP-Log match RT_IDP | |
| set system max-configurations-on-flash 5 | |
| set system max-configuration-rollbacks 5 | |
| set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval | |
| # IDP is NOT related to UTM | |
| set system processes utmd disable | |
| set system ntp server 10.20.0.1 | |
| set interfaces ge-0/0/0 unit 0 description LAN | |
| set interfaces ge-0/0/0 unit 0 family inet mtu 1500 | |
| set interfaces ge-0/0/0 unit 0 family inet address 10.20.0.2/30 | |
| set interfaces ge-0/0/1 unit 0 description WAN | |
| set interfaces ge-0/0/1 unit 0 family inet mtu 1500 | |
| set interfaces ge-0/0/1 unit 0 family inet filter input FILTER-WAN-IN | |
| set interfaces ge-0/0/1 unit 0 family inet address 88.88.88.88/27 | |
| set interfaces st0 unit 0 description VPN-SITEA-ISP1 | |
| set interfaces st0 unit 0 family inet mtu 1350 | |
| set interfaces st0 unit 0 family inet address 10.0.0.2/30 | |
| set interfaces st0 unit 1 description VPN-SITEA-ISP2 | |
| set interfaces st0 unit 1 family inet mtu 1350 | |
| set interfaces st0 unit 1 family inet address 10.0.0.6/30 | |
| set snmp location SITEB | |
| set snmp community public authorization read-only | |
| set routing-options static route 0.0.0.0/0 next-hop 88.88.88.89 | |
| set routing-options static route 10.20.10.0/24 next-hop 10.20.0.1 | |
| set routing-options router-id 10.20.0.2 | |
| set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 passive | |
| set protocols ospf area 0.0.0.0 interface st0.0 metric 150 | |
| set protocols ospf area 0.0.0.0 interface st0.1 metric 160 | |
| set protocols stp disable | |
| set policy-options prefix-list mgmnt-access 55.55.55.55/24 | |
| set policy-options prefix-list mgmnt-access 55.55.55.44/32 | |
| set policy-options policy-statement Export-Local-Nets term 1 from protocol static | |
| set policy-options policy-statement Export-Local-Nets term 1 from protocol direct | |
| set policy-options policy-statement Export-Local-Nets term 1 from route-filter 10.20.10.0/24 exact | |
| set policy-options policy-statement Export-Local-Nets term 1 then accept | |
| # This is the IDP setup | |
| # Rule 1 - Bypass and stop checking more rules from our trusted remote sites so they do not get blocked by accident | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 1 match from-zone WAN | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 1 match source-address WAN_TRUSTED_SITES | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 1 match destination-address any | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 1 then action no-action | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 1 terminal | |
| # Rule 2 - Block and log all critical attacks | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 2 match from-zone any | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 2 match source-address any | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 2 match to-zone any | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 2 match destination-address any | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 2 match application default | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 2 match attacks predefined-attack-groups "[Recommended]IP - Critical" | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 2 match attacks predefined-attack-groups "[Recommended]TCP - Critical" | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 2 match attacks predefined-attack-groups "[Recommended]HTTP - Critical" | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 2 match attacks predefined-attack-groups "[Recommended]SHELLCODE - Critical" | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 2 match attacks predefined-attack-groups "[Recommended]VIRUS - Critical" | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 2 match attacks predefined-attack-groups "[Recommended]WORM - Critical" | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 2 match attacks predefined-attack-groups "[Recommended]TROJAN - Critical" | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 2 then action recommended | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 2 then notification log-attacks alert | |
| # Rule 3 - Log all major attacks | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 3 match from-zone any | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 3 match source-address any | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 3 match to-zone any | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 3 match destination-address any | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 3 match application default | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 3 match attacks predefined-attack-groups "[Recommended]SHELLCODE - Major" | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 3 match attacks predefined-attack-groups "[Recommended]VIRUS - Major" | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 3 match attacks predefined-attack-groups "[Recommended]WORM - Major" | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 3 match attacks predefined-attack-groups "[Recommended]TROJAN - Major" | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 3 then action no-action | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-ips rule 3 then notification log-attacks alert | |
| # Exemptions - This is only an example of how to exempt certain attacks | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-exempt rule E1 match from-zone any | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-exempt rule E1 match source-address any | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-exempt rule E1 match to-zone any | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-exempt rule E1 match destination-address any | |
| set security idp idp-policy SITEB-IDP-Policy rulebase-exempt rule E1 match attacks predefined-attacks HTTP:AUDIT:UNKNOWN-VERB | |
| set security idp active-policy SITEB-IDP-Policy | |
| # Setup automatic IDP updating | |
| set security idp security-package automatic start-time "2013-11-1.15:59:00 +0800" | |
| set security idp security-package automatic interval 48 | |
| set security idp security-package automatic download-timeout 5 | |
| set security idp security-package automatic enable | |
| set security ike proposal SHA1-PSK-DH2-AES128 authentication-method pre-shared-keys | |
| set security ike proposal SHA1-PSK-DH2-AES128 dh-group group2 | |
| set security ike proposal SHA1-PSK-DH2-AES128 authentication-algorithm sha1 | |
| set security ike proposal SHA1-PSK-DH2-AES128 encryption-algorithm aes-128-cbc | |
| set security ike proposal SHA1-PSK-DH2-AES128 lifetime-seconds 86400 | |
| set security ike policy PSK-IKE-Policy mode main | |
| set security ike policy PSK-IKE-Policy proposals SHA1-PRE-AES128 | |
| set security ike policy PSK-IKE-Policy pre-shared-key ascii-text "PreSharedKey" | |
| set security ike gateway SITEA-ISP1-GW ike-policy PSK-IKE-Policy | |
| set security ike gateway SITEA-ISP1-GW address 66.66.66.66 | |
| set security ike gateway SITEA-ISP1-GW local-identity inet 10.0.0.2 | |
| set security ike gateway SITEA-ISP1-GW remote-identity inet 10.0.0.1 | |
| set security ike gateway SITEA-ISP1-GW external-interface ge-0/0/1.0 | |
| set security ike gateway SITEA-ISP1-GW version v2-only | |
| set security ike gateway SITEA-ISP2-GW ike-policy PSK-IKE-Policy | |
| set security ike gateway SITEA-ISP2-GW address 77.77.77.77 | |
| set security ike gateway SITEA-ISP2-GW local-identity inet 10.0.0.6 | |
| set security ike gateway SITEA-ISP2-GW remote-identity inet 10.0.0.5 | |
| set security ike gateway SITEA-ISP2-GW external-interface ge-0/0/1.0 | |
| set security ike gateway SITEA-ISP2-GW version v2-only | |
| set security ipsec proposal SHA1-AES128-ESP protocol esp | |
| set security ipsec proposal SHA1-AES128-ESP authentication-algorithm hmac-sha1-96 | |
| set security ipsec proposal SHA1-AES128-ESP encryption-algorithm aes-128-cbc | |
| set security ipsec proposal SHA1-AES128-ESP lifetime-seconds 3600 | |
| set security ipsec policy IPSEC-PFS2-Policy perfect-forward-secrecy keys group2 | |
| set security ipsec policy IPSEC-PFS2-Policy proposals SHA1-AES128-ESP | |
| set security ipsec vpn SITEA-ISP1-VPN bind-interface st0.0 | |
| set security ipsec vpn SITEA-ISP1-VPN ike gateway SITEA-ISP1-GW | |
| set security ipsec vpn SITEA-ISP1-VPN ike ipsec-policy IPSEC-PFS2-Policy | |
| set security ipsec vpn SITEA-ISP2-VPN bind-interface st0.1 | |
| set security ipsec vpn SITEA-ISP2-VPN ike gateway SITEA-ISP2-GW | |
| set security ipsec vpn SITEA-ISP2-VPN ike ipsec-policy IPSEC-PFS2-Policy | |
| set security address-book global address LAN_Local 10.20.0.0/16 | |
| set security address-book global address WAN_TRUSTED_SITEA_ISP1 66.66.66.66/28 | |
| set security address-book global address WAN_TRUSTED_SITEA_ISP2 77.77.77.77/28 | |
| set security address-book global address-set WAN_TRUSTED_SITES address WAN_TRUSTED_SITEA_ISP1 | |
| set security address-book global address-set WAN_TRUSTED_SITES address WAN_TRUSTED_SITEA_ISP2 | |
| set security alg dns disable | |
| set security alg dns doctoring none | |
| set security alg mgcp disable | |
| set security alg msrpc disable | |
| set security alg sunrpc disable | |
| set security alg sql disable | |
| set security flow allow-dns-reply | |
| set security flow tcp-mss ipsec-vpn mss 1350 | |
| set security screen ids-option untrust-screen icmp ping-death | |
| set security screen ids-option untrust-screen ip source-route-option | |
| set security screen ids-option untrust-screen ip tear-drop | |
| set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024 | |
| set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200 | |
| set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024 | |
| set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048 | |
| set security screen ids-option untrust-screen tcp syn-flood timeout 20 | |
| set security screen ids-option untrust-screen tcp land | |
| set security nat source rule-set LAN-to-WAN from zone LAN | |
| set security nat source rule-set LAN-to-WAN to zone WAN | |
| set security nat source rule-set LAN-to-WAN rule LAN-snat match source-address-name LAN_Local | |
| set security nat source rule-set LAN-to-WAN rule LAN-snat match destination-address 0.0.0.0/0 | |
| set security nat source rule-set LAN-to-WAN rule LAN-snat then source-nat interface | |
| set security policies from-zone LAN to-zone WAN policy deny_blocked_traffic match source-address any-ipv4 | |
| set security policies from-zone LAN to-zone WAN policy deny_blocked_traffic match destination-address any-ipv4 | |
| set security policies from-zone LAN to-zone WAN policy deny_blocked_traffic match application junos-netbios-session | |
| set security policies from-zone LAN to-zone WAN policy deny_blocked_traffic match application junos-smb-session | |
| set security policies from-zone LAN to-zone WAN policy deny_blocked_traffic match application junos-gnutella | |
| set security policies from-zone LAN to-zone WAN policy deny_blocked_traffic match application junos-nbname | |
| set security policies from-zone LAN to-zone WAN policy deny_blocked_traffic match application junos-nbds | |
| set security policies from-zone LAN to-zone WAN policy deny_blocked_traffic match application junos-cifs | |
| set security policies from-zone LAN to-zone WAN policy deny_blocked_traffic then deny | |
| set security policies from-zone LAN to-zone WAN policy LAN-to-WAN match source-address LAN_Local | |
| set security policies from-zone LAN to-zone WAN policy LAN-to-WAN match destination-address any-ipv4 | |
| set security policies from-zone LAN to-zone WAN policy LAN-to-WAN match application any | |
| # Notice the permit application-services idp instead of just permit | |
| set security policies from-zone LAN to-zone WAN policy LAN-to-WAN then permit application-services idp | |
| set security policies from-zone LAN to-zone LAN policy LAN-to-LAN match source-address any | |
| set security policies from-zone LAN to-zone LAN policy LAN-to-LAN match destination-address any | |
| set security policies from-zone LAN to-zone LAN policy LAN-to-LAN match application any | |
| set security policies from-zone LAN to-zone LAN policy LAN-to-LAN then permit | |
| # Here we seperate the VPN zone from the LAN zone just for examples sakes | |
| set security policies from-zone LAN to-zone VPN policy LAN-to-VPN match source-address any | |
| set security policies from-zone LAN to-zone VPN policy LAN-to-VPN match destination-address any | |
| set security policies from-zone LAN to-zone VPN policy LAN-to-VPN match application any | |
| set security policies from-zone LAN to-zone VPN policy LAN-to-VPN then permit | |
| set security policies from-zone VPN to-zone LAN policy VPN-to-LAN match source-address any | |
| set security policies from-zone VPN to-zone LAN policy VPN-to-LAN match destination-address any | |
| set security policies from-zone VPN to-zone LAN policy VPN-to-LAN match application any | |
| set security policies from-zone VPN to-zone LAN policy VPN-to-LAN then permit application-services idp | |
| set security policies from-zone VPN to-zone VPN policy VPN-to-VPN match source-address any | |
| set security policies from-zone VPN to-zone VPN policy VPN-to-VPN match destination-address any | |
| set security policies from-zone VPN to-zone VPN policy VPN-to-VPN match application any | |
| set security policies from-zone VPN to-zone VPN policy VPN-to-VPN then permit | |
| set security zones security-zone VPN host-inbound-traffic system-services all | |
| set security zones security-zone VPN host-inbound-traffic protocols ospf | |
| set security zones security-zone VPN interfaces st0.0 | |
| set security zones security-zone VPN interfaces st0.1 | |
| set security zones security-zone LAN interfaces ge-0/0/0.0 host-inbound-traffic system-services all | |
| set security zones security-zone WAN screen untrust-screen | |
| set security zones security-zone WAN interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh | |
| set security zones security-zone WAN interfaces ge-0/0/1.0 host-inbound-traffic system-services https | |
| set security zones security-zone WAN interfaces ge-0/0/1.0 host-inbound-traffic system-services ping | |
| set security zones security-zone WAN interfaces ge-0/0/1.0 host-inbound-traffic system-services ike | |
| set firewall filter WAN-FILTER-IN term 1 from source-prefix-list mgmnt-access | |
| set firewall filter WAN-FILTER-IN term 1 from protocol tcp | |
| set firewall filter WAN-FILTER-IN term 1 from destination-port 22 | |
| set firewall filter WAN-FILTER-IN term 1 from destination-port 443 | |
| set firewall filter WAN-FILTER-IN term 1 then accept | |
| set firewall filter WAN-FILTER-IN term 2 from protocol tcp | |
| set firewall filter WAN-FILTER-IN term 2 from destination-port 22 | |
| set firewall filter WAN-FILTER-IN term 2 from destination-port 443 | |
| set firewall filter WAN-FILTER-IN term 2 then discard | |
| set firewall filter WAN-FILTER-IN term 3 then accept | |
Great post...thanks
ReplyDeleteStill useful, Thank you for this effort
ReplyDeleteWe migrated to Palo Alto Firewalls, although the NAT setup is confusing as hell it just blows away Juniper in every aspect. Juniper has been nothing but unstable and buggy. Every month I would have to kill the web management process because it would be consuming all the CPU. Even with disabling all IDP/UTM features, the device could barely handle 50Mbs. Just a poorly designed device. Trying to log traffic kills the CPU, UDP traffic kills the CPU, IDP/UTM is a joke (not exaggerating but I would say 20% chance on every IDP update something would break, either the DB would corrupt or it couldn't send it to the other cluster). The VPN tunnels are barely usable (so many packet drops/retries between Junipers because of bugs). We had a Nimble array that could barely keep up replication when we had a tunnel between 2 Junipers. Switching it out to Palo Alto, the replication traffic tripled, I could see far less packet retries and no more babysitting the firewalls.
ReplyDeleteGood post
ReplyDeletehttp://www.routexp.com/2017/07/dmvpn-configurations-on-juniper-router.html