Juniper SRX340 HA Cluster Configuration - NETSEC


Wednesday, October 26, 2016

Juniper SRX340 HA Cluster Configuration

The SRX340 Services Gateway has a capacity of 3 gigabits per second (Gbps) and is 1 rack unit (U) tall. This services gateway has eight 1 G Ethernet ports, eight 1 G SFP ports, one management port, 4 GB of DRAM memory, 8 GB of flash memory, and four Mini-Physical Interface Module (Mini-PIM) slots.

SRX 340 Front Panel

SRX 340 Back Panel














The cabling is a little different from the SRX240 and SRX1400. Here are some related posts:



Topology:


Configure Steps:
Chassis Cluster Flow Diagram (SRX300, SRX320, SRX340, SRX345, SRX550M, and SRX1500 Devices)



1. Remove Factory Default Configuration (the factory default below enables telnet, xnm-clear-text and plain HTTP web management, so the cluster is built from an empty configuration rather than on top of it):

1.1 Factory Default Configuration
root> show configuration 
## Last commit: 2016-09-29 05:23:17 UTC by root
version 15.1X49-D45;
system {
    autoinstallation {
        delete-upon-commit; ## Deletes [system autoinstallation] upon change/commit
        traceoptions {
            level verbose;
            flag {
                all;
            }
        }
        interfaces {
            ge-0/0/0 {
                bootp;
            }
        }
    }
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    services {
        ssh;                            
        telnet;
        xnm-clear-text;
        web-management {
            http {
                interface [ fxp0.0 ge-0/0/1.0 ge-0/0/2.0 ge-0/0/3.0 ge-0/0/4.0 ge-0/0/5.0 ge-0/0/6.0 ge-0/0/7.0 ];
            }
            https {
                system-generated-certificate;
                interface [ fxp0.0 ge-0/0/1.0 ge-0/0/2.0 ge-0/0/3.0 ge-0/0/4.0 ge-0/0/5.0 ge-0/0/6.0 ge-0/0/7.0 ];
            }
        }
        dhcp {
            pool 192.168.2.0/24 {
                address-range low 192.168.2.2 high 192.168.2.254;
                router {
                    192.168.2.1;
                }
                propagate-settings ge-0/0/0.0;
            }
            pool 192.168.3.0/24 {
                address-range low 192.168.3.2 high 192.168.3.254;
                router {
                    192.168.3.1;
                }
                propagate-settings ge-0/0/0.0;
            }
            pool 192.168.4.0/24 {
                address-range low 192.168.4.2 high 192.168.4.254;
                router {
                    192.168.4.1;
                }
                propagate-settings ge-0/0/0.0;
            }
            pool 192.168.5.0/24 {
                address-range low 192.168.5.2 high 192.168.5.254;
                router {
                    192.168.5.1;
                }
                propagate-settings ge-0/0/0.0;
            }
            pool 192.168.6.0/24 {
                address-range low 192.168.6.2 high 192.168.6.254;
                router {
                    192.168.6.1;        
                }
                propagate-settings ge-0/0/0.0;
            }
            pool 192.168.7.0/24 {
                address-range low 192.168.7.2 high 192.168.7.254;
                router {
                    192.168.7.1;
                }
                propagate-settings ge-0/0/0.0;
            }
            pool 192.168.8.0/24 {
                address-range low 192.168.8.2 high 192.168.8.254;
                router {
                    192.168.8.1;
                }
                propagate-settings ge-0/0/0.0;
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;              
        }
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
    ## Warning: missing mandatory statement(s): 'root-authentication'
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;             
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {  
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy trust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }                       
            }
        }
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;                
                }
            }
            interfaces {
                ge-0/0/1.0;
                ge-0/0/2.0;
                ge-0/0/3.0;
                ge-0/0/4.0;
                ge-0/0/5.0;
                ge-0/0/6.0;
                ge-0/0/7.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                        }
                    }
                }                       
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0;
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.2.1/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 192.168.3.1/24;
            }
        }
    }
    ge-0/0/3 {                          
        unit 0 {
            family inet {
                address 192.168.4.1/24;
            }
        }
    }
    ge-0/0/4 {
        unit 0 {
            family inet {
                address 192.168.5.1/24;
            }
        }
    }
    ge-0/0/5 {
        unit 0 {
            family inet {
                address 192.168.6.1/24;
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family inet {               
                address 192.168.7.1/24;
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family inet {
                address 192.168.8.1/24;
            }
        }
    }
    ge-0/0/8 {
        unit 0;
    }
    ge-0/0/9 {
        unit 0;
    }
    ge-0/0/10 {
        unit 0;
    }
    ge-0/0/11 {
        unit 0;
    }                                   
    ge-0/0/12 {
        unit 0;
    }
    ge-0/0/13 {
        unit 0;
    }
    ge-0/0/14 {
        unit 0;
    }
    ge-0/0/15 {
        unit 0;
    }
    fxp0 {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}

         root> 



1.2 Delete all default configuration

root> configure 
Entering configuration mode
The configuration has been changed but not committed

[edit]
root# delete  
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes 


[edit]
root# set system root-authentication plain-text-password 
New password:
Retype new password:

[edit]
root# commit 
Oct  4 03:42:44 init: dhcp (PID 1684) exited with status=0 Normal Exit
Oct  4 03:42:44 init: autoinstallation (PID 1682) exited with status=0 Normal Exit
commit complete

[edit]
root# 


2. Enable Chassis Cluster on Node0 and Node1


[edit]
root# show           
## Last changed: 2016-10-04 03:42:37 UTC
version 15.1X49-D45;
system {
    root-authentication {
        encrypted-password "$5$kUxAKKC3$v6GLhluBqbu1.oksOHHLstkMNiG1hzCWtL9uhKEKfB1"; ## SECRET-DATA
    }
}

[edit]
root# exit 
Exiting configuration mode

root> set chassis cluster cluster-id 9 node 0 reboot   
Successfully enabled chassis cluster. Going to reboot now.

root>                                                                                
*** FINAL System shutdown message from root@ ***                             

System going down IMMEDIATELY                                                  
                                                                               
OWaiting (max 60 seconds) for system process `vnlru' to stop...done
Waiting (max 60 seconds) for system process `vnlru_mem' to stop...done
Waiting (max 60 seconds) for system process `bufdaemon' to stop...done
Waiting (max 60 seconds) for system process `syncer' to stop...
Syncing disks, vnodes remaining...0 0 0 done

syncing disks... Syncing disks, buffers remaining... 12 12 12 11 11 7 7 7 7 7 7 7 4 4 4 4 4 4 4 3 3 3 3 3 3 3 
Final sync complete
Uptime: 4d22h25m46s
Rebooting...
cpu_reset: Stopping other CPUs


SPI stage 1 bootloader (Build time: May  3 2016 - 23:48:30)
early_board_init: Board type: SRX_340

U-Boot 2013.07-JNPR-3.1 (Build time: May 03 2016 - 23:48:31)

SRX_340 board revision major:1, minor:7, serial #: CY3216AF0293
OCTEON CN7130-AAP pass 1.2, Core clock: 1200 MHz, IO clock: 600 MHz, DDR clock: 667 MHz (1334 Mhz DDR)
Base DRAM address used by u-boot: 0x10fc00000, size: 0x400000
DRAM: 4 GiB
Clearing DRAM...... done
Using default environment

SF: Detected MX25L6405D with page size 256 Bytes, erase size 64 KiB, total 8 MiB
Found valid SPI bootloader at offset: 0x90000, size: 1481840 bytes


U-Boot 2013.07-JNPR-3.1 (Build time: May 03 2016 - 23:50:19)

Using DRAM size from environment: 4096 MBytes
checkboard siege 
SATA0: not available
SATA1: not available
SATA BIST STATUS = 0x0
SRX_340 board revision major:1, minor:7, serial #: CY3216AF0293
OCTEON CN7130-AAP pass 1.2, Core clock: 1200 MHz, IO clock: 600 MHz, DDR clock: 667 MHz (1334 Mhz DDR)
Base DRAM address used by u-boot: 0x10f000000, size:
.......<Omitted>
.
kern.securelevel: -1 -> 1
hw.re.gres_sync_other: 1 -> 0
Creating JAIL MFS partition...
JAIL MFS partition created
Boot media /dev/da0 has dual root support
** /dev/da0s2a
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 1152837 free (53 frags, 144098 blocks, 0.0% fragmentation)
Tue Oct  4 03:49:59 UTC 2016
OOOOOOOOOOOOO
Amnesiac (ttyu0)

login: root
Password:

--- JUNOS 15.1X49-D45 built 2016-04-25 07:29:58 UTC
root@% 

Note: make sure the cluster ID is different from that of any other cluster in the same network; the cluster ID is part of the virtual MAC address of the reth interfaces, so two clusters sharing an ID on the same Layer 2 segment will collide.

Verify the cluster status after the reboot.
{primary:node0}[edit]
root# run show chassis cluster status    
Monitor Failure codes:
    CS  Cold Sync monitoring        FL  Fabric Connection monitoring
    GR  GRES monitoring             HW  Hardware monitoring
    IF  Interface monitoring        IP  IP monitoring
    LB  Loopback monitoring         MB  Mbuf monitoring
    NH  Nexthop monitoring          NP  NPC monitoring              
    SP  SPU monitoring              SM  Schedule monitoring
    CF  Config Sync monitoring
 
Cluster ID: 9
Node   Priority Status         Preempt Manual   Monitor-failures

Redundancy group: 0 , Failover count: 1
node0  1        primary        no      no       None           
node1  0        secondary      no      no       CF   



Enable Cluster on Second Node, node1

root@% cli

root>

root>

root>

root>

root> configure
Entering configuration mode

[edit]
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes


[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# commit and-quit
commit complete
Exiting configuration mode

root> Oct 13 22:56:58 init: mountd-service (PID 20972) exited with status=1
Oct 13 22:56:59 init: exec_command: /usr/sbin/mountd (PID 20985) started
Oct 13 22:56:59 init: mountd-service (PID 20985) started
Oct 13 22:56:59 init: gstatd (PID 20973) exited with status=1
Oct 13 22:56:59 init: exec_command: /usr/sbin/gstatd (PID 20994) started
Oct 13 22:56:59 init: gstatd (PID 20994) started

root> set chassis cluster cluster-id 9 node 1 reboot
Successfully enabled chassis cluster. Going to reboot now.





3. Basic Interfaces, Security Zones, Routes and Policies Configuration

{primary:node0}[edit]
set groups node0 system host-name fw-HA-1
set groups node0 interfaces fxp0 unit 0 family inet address 10.8.1.19/24
set groups node0 interfaces fxp0 unit 0 family inet address 10.8.1.21/24 master-only
set groups node1 system host-name fw-com-twn1-2
set groups node1 interfaces fxp0 unit 0 family inet address 10.8.1.20/24
set groups node1 interfaces fxp0 unit 0 family inet address 10.8.1.21/24 master-only
set apply-groups "${node}"
set chassis cluster reth-count 2
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 100
set chassis cluster redundancy-group 1 node 0 priority 200
set chassis cluster redundancy-group 1 node 1 priority 100
set interfaces fab0 fabric-options member-interfaces ge-0/0/3
set interfaces fab1 fabric-options member-interfaces ge-5/0/3
set interfaces ge-0/0/0 gigether-options redundant-parent reth0
set interfaces ge-5/0/0 gigether-options redundant-parent reth0
set interfaces ge-0/0/2 gigether-options redundant-parent reth1
set interfaces ge-5/0/2 gigether-options redundant-parent reth1
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth1 redundant-ether-options redundancy-group 1
set security zones security-zone Zone1
set security zones security-zone Zone2
set security zones security-zone Zone1 host-inbound-traffic system-services all
set security zones security-zone Zone2 host-inbound-traffic system-services all
set interfaces reth0 unit 0 family inet address 10.8.2.14/24
set security zones security-zone Zone1 interfaces reth0.0
set interfaces reth1 unit 0 family inet address 10.8.3.13/24
set security zones security-zone Zone2 interfaces reth1.0


set system backup-router destination 10.0.0.0/8 10.8.1.1
set routing-options static route 0.0.0.0/0 next-hop 10.8.1.1

set security policies from-zone Zone1 to-zone Zone2 policy allow_any match source-address any
set security policies from-zone Zone1 to-zone Zone2 policy allow_any match destination-address any
set security policies from-zone Zone1 to-zone Zone2 policy allow_any match application any
set security policies from-zone Zone1 to-zone Zone2 policy allow_any then permit
set security policies from-zone Zone2 to-zone Zone1 policy allow_any match source-address any
set security policies from-zone Zone2 to-zone Zone1 policy allow_any match destination-address any
set security policies from-zone Zone2 to-zone Zone1 policy allow_any match application any
set security policies from-zone Zone2 to-zone Zone1 policy allow_any then permit

set security zones security-zone Zone2 tcp-rst
set security zones security-zone Zone1 tcp-rst


{primary:node0}[edit]
root# commit 
node0: 
configuration check succeeds
node1: 
commit complete
Oct  4 04:11:18 init: mountd-service (PID 2418) exited with status=1 
Oct  4 04:11:18 init: exec_command: /usr/sbin/mountd (PID 2423) started
Oct  4 04:11:18 init: mountd-service (PID 2423) started
Oct  4 04:11:18 init: gstatd (PID 2416) exited with status=1 
Oct  4 04:11:18 init: exec_command: /usr/sbin/gstatd (PID 2427) started
Oct  4 04:11:18 init: gstatd (PID 2427) started
Oct  4 04:11:18 init: l2cpd-service (PID 2414) exited with status=0 Normal Exit
Oct  4 04:11:18 init: exec_command: /usr/sbin/l2cpd (PID 2430) started
Oct  4 04:11:18 init: l2cpd-service (PID 2430) started
node0: 
commit complete

{primary:node0}[edit]
root@fw-HA-1# 



4. More Configuration
4.1 Group configuration

set groups node0 system backup-router 10.8.1.1
set groups node0 system backup-router destination 10.44.20.160/24
set groups node0 system services ssh max-sessions-per-connection 32
set groups node0 system syslog file default-log-messages any info
set groups node0 system syslog file default-log-messages match "(requested 'commit' operation)|(copying configuration to juniper.save)|(commit complete)|ifAdminStatus|(FRU power)|(FRU removal)|(FRU insertion)|(link UP)|transitioned|Transferred|transfer-file|(license add)|(license delete)|(package -X update)|(package -X delete)|(FRU Online)|(FRU Offline)|(plugged in)|(unplugged)|GRES"
set groups node0 system syslog file default-log-messages structured-data
set groups node0 interfaces fxp0 unit 0 family inet filter input restrict_ssh

set groups node1 system backup-router 10.8.1.1
set groups node1 system backup-router destination 10.44.20.160/24
set groups node1 system services ssh max-sessions-per-connection 32
set groups node1 system syslog file default-log-messages any info
set groups node1 system syslog file default-log-messages match "(requested 'commit' operation)|(copying configuration to juniper.save)|(commit complete)|ifAdminStatus|(FRU power)|(FRU removal)|(FRU insertion)|(link UP)|transitioned|Transferred|transfer-file|(license add)|(license delete)|(package -X update)|(package -X delete)|(FRU Online)|(FRU Offline)|(plugged in)|(unplugged)|GRES"
set groups node1 system syslog file default-log-messages structured-data
set groups node1 interfaces fxp0 unit 0 family inet filter input restrict_ssh
set apply-groups "${node}"

set firewall filter restrict_ssh term ssh-from-nsm from source-address 10.44.20.0/24
set firewall filter restrict_ssh term ssh-from-nsm from destination-address 10.8.1.19/24
set firewall filter restrict_ssh term ssh-from-nsm from destination-address 10.8.1.20/24
set firewall filter restrict_ssh term ssh-from-nsm from destination-address 10.8.1.21/24
set firewall filter restrict_ssh term ssh-from-nsm from destination-port 22
set firewall filter restrict_ssh term ssh-from-nsm then accept
set firewall filter restrict_ssh term block-all-ssh from destination-address 10.8.1.19/24
set firewall filter restrict_ssh term block-all-ssh from destination-address 10.8.1.20/24
set firewall filter restrict_ssh term block-all-ssh from destination-address 10.8.1.21/24
set firewall filter restrict_ssh term block-all-ssh from protocol tcp
set firewall filter restrict_ssh term block-all-ssh from destination-port 22
set firewall filter restrict_ssh term block-all-ssh then count bad-access
set firewall filter restrict_ssh term block-all-ssh then log
set firewall filter restrict_ssh term block-all-ssh then syslog
set firewall filter restrict_ssh term block-all-ssh then reject tcp-reset
set firewall filter restrict_ssh term default-permit then accept



4.2 SNMP Configuration
set snmp filter-duplicates
set snmp v3 usm local-engine user junosAES authentication-md5 authentication-key "$$KO.v7-Vb2ZDi4ojqm5F3SrlKxNbs2gJGre24JZkqP5QFnCp0BhyltpORSyKvWLx-ds2gJZjHlKJGUjq.hSyevL-VwoaUyls2oaiHtu0OcyX7-dwY0BEyevLXbs2oaUHkPF39q.z6/CB1-VbsoJjq5z3Dj0BREyrZUDHkP369pO16/0IEcle4aJZk."
set snmp v3 usm local-engine user junosAES privacy-aes128 privacy-key "9$bp2ZU.mTQ3624/Ctu1Idbwg4ZiHmPQFUDApuORE24oJHqfTz9Cu3nlKvWx7Ujiq.5n6ApBI3ntOBIcSwY24aUHkPfQFmPT39CB1EcyrWLxNdbYg7NqmfT3n/Ctp0IEhrvMXyrMX-dg4ZUjHP56/tB1h/9u1IhrlJGUji.z36AtO/9ev8Xbw24aGk."
set snmp v3 vacm security-to-group security-model usm security-name junosAES group readonly
set snmp v3 vacm access group readonly default-context-prefix security-model usm security-level privacy read-view view_all
set snmp engine-id local 4014
set snmp view view_all oid 1 include
set snmp client-list snmpclient 10.4.1.0/24


4.3 System, Routing-options and Routing-instance Configuration

set system backup-router 10.8.1.1
set system backup-router destination 10.0.0.0/8
set system time-zone UTC
set system login class sec-read-only permissions view-configuration
set system login class sec-read-only allow-commands show
set system login class sec-read-only deny-commands "(clear)|(file)|(file show)|(help)|(load)|(monitor)|(op)|(request)|(save)|(set)|(start)|(test)"
set system login class sec-read-only deny-configuration all
set system login class super-user-cust idle-timeout 10
set system login class super-user-cust permissions all
set system login user test uid 2001
set system login user test class super-user
set system login user test authentication encrypted-password "$1$2po2xsGc$BUVkMEQGCf9.2CH7FCSA/"
set system services ssh
set system services netconf ssh
set system syslog archive size 750k
set system syslog archive files 2
set system syslog user * any emergency
set system syslog host 10.8.128.42 any any
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file messages explicit-priority
set system syslog file interactive-commands interactive-commands error
set system syslog file traffic-create any any
set system syslog file traffic-create match RT_FLOW_SESSION_CREATE
set system syslog file traffic-deny any any
set system syslog file traffic-deny match RT_FLOW_SESSION_DENY
set system max-configurations-on-flash 10
set system max-configuration-rollbacks 30
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set system ntp server 10.9.16.5
set system ntp server 10.44.4.27

set routing-options static route 0.0.0.0/0 next-hop 10.8.1.1

set routing-instances def-vr instance-type virtual-router
set routing-instances def-vr interface reth0.0
set routing-instances def-vr interface reth1.0
set routing-instances def-vr routing-options static route 0.0.0.0/0 next-hop 10.8.2.1



Reference:
