Table of Contents - JUNOS Software Administration Guide for Security Devices

About This Guide

J Series and SRX Series Documentation and Release Notes
Objectives
Audience
Supported Routing Platforms
Document Conventions
Documentation Feedback
Requesting Technical Support

Configuring the Device for Administration

User Interface Overview

J-Web Overview
CLI Overview

Before You Begin

Using the J-Web Interface

Starting the J-Web Interface
J-Web Layout
Using the Commit Options to Commit Configuration Changes on J-Web
Getting J-Web Help

J-Web Sessions

Unresolved xref

Using the Command-Line Interface

CLI Command Hierarchy

Starting the CLI

CLI Operational Mode

CLI Configuration Mode

CLI Basics

Editing Keystrokes
Command Completion
Online Help
Configuring the CLI Environment

Configuring Secure Web Access

Secure Web Access Terms

Secure Web Access Overview

Before You Begin

Generating SSL Certificates

Configuring Management Access

Configuring Device Addresses
Enabling Access Services
Adding, Editing, and Deleting Certificates on the Device

Configuring Secure Web Access with a Configuration Editor

Verifying Secure Web Access

Displaying an SSL Certificate Configuration
Displaying a Secure Access Configuration

Managing Administrator Authentication

User Authentication Terms

User Authentication Overview

User Authentication

User Accounts

Login Classes

Permission Bits
Denying or Allowing Individual Commands

Template Accounts

Before You Begin

Managing User Authentication

Adding a RADIUS Server or TACACS Server for Authentication
Configuring System Authentication
Adding New Users

Managing User Authentication with a Configuration Editor

Setting Up RADIUS Authentication

Setting Up TACACS+ Authentication

Configuring Authentication Order

Controlling User Access

Defining Login Classes
Creating User Accounts

Setting Up Template Accounts

Creating a Remote Template Account
Creating a Local Template Account

Securing the Console Port

Accessing Remote Devices with the CLI

Using the telnet Command
Using the ssh Command

Configuring Password Retry Limits for Telnet and SSH Access

Reverse Telnet

Reverse Telnet Overview

Reverse Telnet Options
Reverse Telnet Restrictions

Configuring Reverse Telnet and Reverse SSH

CLI Configuration

Setting Up USB Modems for Remote Management

USB Modem Terms

USB Modem Overview

USB Modem Interfaces
How the Device Initializes USB Modems
USB Modem Connection and Configuration Overview

Before You Begin

Connecting the USB Modem to the USB Port

Configuring USB Modem Interfaces with a Configuration Editor

Configuring a USB Modem Interface (Required)
Configuring a Dialer Interface (Required)
Configuring Dial-In (Required)
Configuring CHAP on Dialer Interfaces (Optional)

Connecting to the Device from the User End

Configuring a Dial-Up Modem Connection at the User End
Connecting to the Device from the User End

Administering USB Modems

Modifying USB Modem Initialization Commands
Resetting USB Modems

Verifying the USB Modem Configuration

Verifying a USB Modem Interface
Verifying Dialer Interface Configuration

Configuring SNMP for Network Management

SNMP Architecture

Management Information Base
SNMP Communities
SNMP Traps
Spoofing SNMP Traps
SNMP Health Monitor

Before You Begin

Configuring SNMP with Quick Configuration

Configuring SNMP with a Configuration Editor

Defining System Identification Information (Required)
Configuring SNMP Agents and Communities (Required)
Managing SNMP Trap Groups (Required)
Controlling Access to MIBs (Optional)

Verifying the SNMP Configuration

Verifying SNMP Agent Configuration
Verifying SNMP Health Monitor Configuration

Configuring the Device for DHCP

DHCP Terms

DHCP Overview

DHCP Server Operation

DHCP Options
Compatibility with Autoinstallation

DHCP Client Operation

Propagation of TCP/IP Settings

DHCP Relay Operation

Conflict Detection and Resolution

Interface Restrictions

Before You Begin

Configuring DHCP with Quick Configuration

Configuring DHCP Service with Quick Configuration
Configuring the Device as a DHCP Client with Quick Configuration
Configuring BOOTP or DHCP Relay with Quick Configuration

Configuring DHCP with a Configuration Editor

Configuring the Device as a DHCP Server

Configuring the Device as a DHCP Client

Configuring the Device as a DHCP Relay Agent

Configuring the Device as a BootP/DHCP Relay Agent

Verifying a DHCP Configuration

Displaying Global DHCP Information
Verifying the DHCP Binding Database
Verifying the DHCP Client
Verifying DHCP Server Operation
Displaying DHCP Relay Statistics

Configuring Autoinstallation

Autoinstallation Terms

Autoinstallation Overview

Supported Autoinstallation Interfaces and Protocols
Typical Autoinstallation Process on a New Device

Before You Begin

Configuring Autoinstallation with a Configuration Editor

Verifying Autoinstallation

Verifying Autoinstallation Status

Automating Network Operations and Troubleshooting

Defining and Enforcing Configuration Rules with Commit Scripts

Commit Script Overview
Enabling Commit Scripts
Disabling Commit Scripts

Automating Network Management and Troubleshooting with Operation Scripts

Operation Script Overview
Enabling Operation Scripts
Executing Operation Scripts
Disabling Operation Scripts

Running Self-Diagnostics with Event Policies

Event Policy Overview
Configuring Event Policies

Recovering the Root Password (SRX Series)

Recovering the Root Password (J Series)

Monitoring the Device

Monitoring the Device and Routing Operations

Monitoring Overview

Monitoring Terms
Filtering Command Output

Monitoring Interfaces

Monitoring Events and Alarms

Monitoring the System

Monitoring System Properties (J Series)

Monitoring System Properties (SRX Series)

Monitoring Chassis Information

IOC to NPC Mapping

Monitoring Process Details

Monitoring NAT

Monitoring Source NAT Information
Monitoring Destination NAT Information
Monitoring Static NAT Information
Monitoring Incoming Table Information
Monitoring Interface NAT Port Information

Monitoring Security Features

Monitoring Policies

Graph Pane
Policy Counter

Monitoring Screen Counters

Monitoring IDP

Monitoring IDP Status

Monitoring Flow Session Statistics

Monitoring Flow Session Statistics Summary Information
Monitoring Flow Information for All Sessions
Monitoring Flow Information for Application Sessions
Monitoring Flow Session Destination Port Information
Monitoring Flow Session Destination Prefix Information
Monitoring Flow Session Interface Information
Monitoring Flow Session Protocol Information
Monitoring Flow Session Resource Manager
Monitoring Flow Session Identifier Session
Monitoring Flow Session Source Port Information
Monitoring Flow Session Source Prefix Information
Monitoring Flow Session Tunnel Information

Monitoring IDP

Monitoring Flow Gate Information

Monitoring Firewall Authentication

Monitoring Firewall Authentication Table
Monitoring Firewall Authentication History

Monitoring 802.1x

Monitoring ALGs

Monitoring SIP ALG Information

Monitoring SIP ALG Calls
Monitoring SIP ALG Counters
Monitoring SIP ALG Rate Information
Monitoring SIP ALG Transactions

Monitoring H.323 ALG Information

Monitoring MGCP ALG Information

Monitoring MGCP ALG Calls
Monitoring MGCP ALG Counters
Monitoring MGCP ALG Endpoints

Monitoring SCCP ALG Information

Monitoring SCCP ALG Calls
Monitoring SCCP ALG Counters

Monitoring VPNs

Monitoring IKE Gateway Information
Monitoring IPsec VPN—Phase I
Monitoring IPsec VPN—Phase II
Monitoring IPsec VPN Information

Monitoring Enhanced Switching

Monitoring Ethernet Switching
Monitoring Spanning Tree
Monitoring IGMP Snooping
Monitoring GVRP

Monitoring Routing Information

Monitoring Route Information
Monitoring RIP Routing Information
Monitoring OSPF Routing Information
Monitoring BGP Routing Information

Monitoring Class-of-Service Performance

Monitoring CoS Interfaces
Monitoring CoS Classifiers
Monitoring CoS Value Aliases
Monitoring CoS RED Drop Profiles
Monitoring CoS Forwarding Classes
Monitoring CoS Rewrite Rules
Monitoring CoS Scheduler Maps

Monitoring MPLS Traffic Engineering Information

Monitoring MPLS Interfaces
Monitoring MPLS LSP Information
Monitoring MPLS LSP Statistics
Monitoring RSVP Session Information
Monitoring MPLS RSVP Interfaces Information

Monitoring PPPoE

Monitoring PPP

Monitoring the WAN Acceleration Interface

Monitoring Services

Monitoring DHCP

Monitoring DHCP Service Statistics
Monitoring DHCP Client Bindings

Monitoring Events and Managing System Log Files

System Log Message Terms

System Log Messages Overview

System Log Message Destinations
Redundant System Log Server
System Log Facilities and Severity Levels
Control Plane and Data Plane Logs

Before You Begin

Configuring System Log Messages with a Configuration Editor

Setting the System to Send All Log Messages Through eventd
Setting the System to Stream Security Logs Through Revenue Ports
Sending System Log Messages to a File
Sending System Log Messages to a User Terminal
Archiving System Logs
Disabling System Logs

Monitoring System Log Messages with the J-Web Event Viewer

Configuring and Monitoring Alarms

Interface Alarm Conditions
System Alarm Conditions and Corrective Actions

Before You Begin

Configuring Alarms with a Configuration Editor

Checking Active Alarms

Verifying the Alarms Configuration

Displaying Alarm Configurations

Managing Device Software

Performing Software Upgrades and Reboots for the SRX Series Services Gateways

Understanding Software Upgrades for the SRX Series Services Gateways

Overview on Upgrade and Downgrade Procedures for the Software Upgrades on the SRX Series Services Gateways

Upgrade Software Packages

Preparing Your SRX Series Services Gateway for Software Upgrades

Configuring External CompactFlash on SRX650 Services Gateways

Downloading JUNOS Software Upgrades for the SRX Series Services Gateways

Installing Software Upgrades on the SRX Series Services Gateways

Installing Software Upgrades from a Remote Server on the SRX Series Services Gateways (J-Web Procedure)
Installing Software Upgrades by Uploading Files on the SRX Series Services Gateways (J-Web Procedure)
Installing Software Upgrades on the SRX Series Services Gateways (CLI Procedure)

Installing JUNOS Software on the SRX Series Services Gateways from the TFTP Server

Prerequisites
Accessing the U-Boot Prompt
Accessing the Loader Prompt
Setting the Environment Variables for JUNOS Software Installation Using TFTP on the SRX Series Services Gateways
Installing JUNOS Software Using TFTP on the SRX Series Services Gateways

Installing Software from the Boot Loader Using a USB Storage Device on SRX Series Services Gateways

Downgrading Software on the SRX Series Services Gateways

Downgrading JUNOS Software on SRX Series Services Gateways (J-Web Procedure)
Downgrading the JUNOS Software on SRX Series Services Gateways (CLI Procedure)

Configuring Boot Devices for SRX Series Services Gateways

Configuring a Boot Device for Backup on SRX Series Services Gateways (J-Web Procedure)
Configuring a Boot Device for Backup on SRX Series Services Gateways (CLI Procedure)

Rebooting or Halting the Device in SRX Series Services Gateways

Rebooting the SRX Series Services Gateways (J-Web Procedure)
Rebooting the SRX Series Services Gateways (CLI Procedure)
Halting the SRX Series Services Gateways (CLI Procedure)
Bringing Chassis Components Online and Offline on SRX Series Services Gateways
Chassis Control Restart Options on SRX Series Services Gateways

Dual-Root Partitioning Scheme on the SRX Series Services Gateways (JUNOS Software Release 10.0 or Later)

Dual-Root Partitioning Scheme Overview
Boot Media and Boot Partition on the SRX Series Services Gateways
Important Features of the Dual-Root Partitioning Scheme

Performing Software Upgrades to JUNOS Release 10.0 or Later for the SRX Series Services Gateways

Software Upgrade Methods on the SRX Series Services Gateways

Upgrading to JUNOS Release 10.0 Without Transitioning to Dual-Root Partitioning

Upgrading to JUNOS Release 10.0 or Later with Dual-Root Partitioning on SRX Series Services Gateways

Installing Software on SRX Series Services Gateways from the Boot Loader Using a TFTP Server
Installing Software on SRX Series Services Gateways from the Boot Loader Using an USB Storage Device
Installing Software on SRX Series Services Gateways Using the Partition Option (CLI Procedure)
Installing Software on SRX Series Services Gateways Using the Partition Option (J-Web Procedure)

Upgrading the Boot Loader on SRX Series Services Gateways

Verifying the Boot Loader Version on SRX Series Services Gateways (CLI Procedure)

Verifying the Root Partition Details on SRX Series Services Gateway (CLI Procedures)

Display the Partitioning Scheme Details
Display Snapshot Information

Installing an Earlier Version of JUNOS Software on SRX Series Services Gateways

Installing JUNOS Release 9.6 or Earlier Release on SRX Series Services Gateways with Dual-Root Partitioning
Reinstalling the Single-Root Partition Release Using TFTP on SRX Series Services Gateways
Reinstalling the Single-Root Partition Release Using a USB on SRX Series Services Gateways

Recovery of the Primary JUNOS Software Image with Dual-Root Partitioning on SRX Series Services Gateways

Auto BIOS Upgrade on SRX Series Services Gateways

Auto BIOS Upgrade Methods on the SRX Series Services Gateways
Disabling Auto BIOS Upgrade on SRX Series Services Gateways (CLI Procedure)

Performing Software Upgrades and Reboots for the J Series Services Routers

Overview on Software Upgrades for J Series Services Routers

Overview on Upgrade and Downgrade Procedures for the J Series Services Routers

Upgrade Software Packages
Recovery Software Packages

Before You Begin Software Upgrades on J Series Services Routers

Downloading Software Upgrades for J Series Services Routers from Juniper Networks

Installing Software Upgrades on J Series Services Routers

Installing Software Upgrades on J Series Services Routers (J-Web Procedure)

Installing Software Upgrades from a Remote Server on J Series Services Routers
Installing Software Upgrades by Uploading Files on J Series Services Routers (J-Web Procedure)

Installing Software Upgrades on J Series Services Routers (CLI Procedure)

Downgrading Software on the J Series Services Routers

Downgrading the Software on the J Series Services Routers (J-Web Procedure)
Downgrading the Software on the J Series Services Routers (CLI Procedure)

Configuring Boot Devices for J Series Services Routers

Configuring a Boot Device for Backup for J Series Services Routers (J-Web Procedure)
Configuring a Boot Device for Backup for J Series Services Routers (CLI Procedure)
Configuring a Boot Device to Receive Software Failure Memory Snapshots in J Series Services Routers

Rebooting or Halting the Device in J Series Services Routers

Rebooting the J Series Services Routers (J-Web Procedure)
Rebooting the J Series Services Routers (CLI Procedure)
Halting the J Series Services Routers (CLI Procedure)

Bringing Chassis Components Online and Offline on J Series Services Routers

Chassis Control Restart Options on J Series Services Routers

Configuring Selective Stateless Packet-Based Services

Understanding Packet-Based and Flow-Based Forwarding

Packet-Based Forwarding
Flow-Based Forwarding

Understanding Selective Stateless Packet-Based Services

Related Topics

Configuring Selective Stateless Packet-Based Services

Example: Configuring Selective Stateless Packet-Based Services—End-to-End Packet-Based

CLI Configuration
Related Topics

Verifying the Selective Stateless Packet-Based Services Configuration—End-to-End Packet-Based

Displaying the End-to-End Packet-Based Example Configuration
Verifying Session Establishment On Intranet Traffic
Verifying Session Establishment On Internet Traffic

Example: Configuring Selective Stateless Packet-Based Services—Packet-Based to Flow-Based

CLI Configuration
Related Topics

Verifying the Selective Stateless Packet-Based Services Configuration—Packet-Based to Flow-Based

Displaying the Packet-Based to Flow-Based Example Configuration
Verifying Session Establishment On LAN Traffic
Verifying Session Establishment On Internet Traffic

Installing and Managing Licenses

JUNOS Software Services License Overview

License Enforcement
Software Feature Licenses
License Key Components

Generating a License Key

Managing JUNOS Software Services Licenses with the CLI

Adding New Licenses with the CLI
Deleting a License with the CLI
Updating New Licenses with the CLI
Saving License Keys with the CLI

Managing JUNOS Software Services Licenses with the J-Web Interface

Adding New Licenses with the J-Web Interface
Deleting Licenses with the J-Web Interface
Displaying License Keys with the J-Web interface
Downloading Licenses with the J-Web Interface

Verifying JUNOS Software Services License Management

Displaying Installed Licenses
Displaying License Usage
Displaying Installed License Keys

Managing Files

Before You Begin

Managing Files with the J-Web Interface

Cleaning Up Files
Downloading Files
Deleting Files
Deleting the Backup Software Image

Cleaning Up Files with the CLI

Managing Accounting Files

Encrypting and Decrypting Configuration Files

Encrypting Configuration Files
Decrypting Configuration Files
Modifying the Encryption Key

Diagnosing Performance and Network Problems

Using Diagnostic Tools

Diagnostic Terms

Diagnostic Tools Overview

J-Web Diagnostic Tools Overview
CLI Diagnostic Commands Overview
MPLS Connection Checking

Before You Begin

General Preparation

Ping MPLS Preparation

MPLS Enabled
Loopback Address
Source Address for Probes

Pinging Hosts from the J-Web Interface

Using the J-Web Ping Host Tool
Ping Host Results and Output Summary

Checking MPLS Connections from the J-Web Interface

Using the J-Web Ping MPLS Tool
Ping MPLS Results and Output

Tracing Unicast Routes from the J-Web Interface

Using the J-Web Traceroute Tool
Traceroute Results and Output Summary

Capturing and Viewing Packets with the J-Web Interface

Using J-Web Packet Capture
Packet Capture Results and Output Summary

Using CLI Diagnostic Commands

Pinging Hosts from the CLI

Checking MPLS Connections from the CLI

Pinging RSVP-Signaled LSPs and LDP-Signaled LSPs
Pinging Layer 3 VPNs
Pinging Layer 2 VPNs
Pinging Layer 2 Circuits

Tracing Unicast Routes from the CLI

Using the traceroute Command
Using the traceroute monitor Command

Tracing Multicast Routes from the CLI

Using the mtrace from-source Command
Using the mtrace monitor Command

Displaying Log and Trace Files from the CLI

Monitoring Interfaces and Traffic from the CLI

Using the monitor interface Command
Using the monitor traffic Command

Configuring Packet Capture

Packet Capture Terms

Packet Capture Overview

Packet Capture on Device Interfaces
Firewall Filters for Packet Capture
Packet Capture Files
Analysis of Packet Capture Files

Before You Begin

Configuring Packet Capture with a Configuration Editor

Enabling Packet Capture (Required)
Configuring Packet Capture on an Interface (Required)
Configuring a Firewall Filter for Packet Capture (Optional)
Disabling Packet Capture
Deleting Packet Capture Files

Changing Encapsulation on Interfaces with Packet Capture Configured

Verifying Packet Capture

Displaying a Packet Capture Configuration
Displaying a Firewall Filter for Packet Capture Configuration
Verifying Captured Packets

Configuring RPM Probes

RPM Terms

RPM Overview

RPM Probes
RPM Tests
Probe and Test Intervals
Jitter Measurement with Hardware Timestamping
RPM Statistics
RPM Thresholds and Traps
RPM for BGP Monitoring

Before You Begin

Configuring RPM with Quick Configuration

Configuring RPM with a Configuration Editor

Configuring Basic RPM Probes

Configuring TCP and UDP Probes

Tuning RPM Probes

Configuring RPM Probes to Monitor BGP Neighbors

Configuring RPM Probes for BGP Monitoring
Directing RPM Probes to Select BGP Routers

Configuring RPM Timestamping

Real-time performance monitoring over VPN routing and forwarding

Verifying an RPM Configuration

Verifying RPM Services
Verifying RPM Statistics
Verifying RPM Probe Servers

Monitoring RPM Probes

Index

Index