Category Archives: Juniper Firewalls

Juniper Junos & ScreenOS Firewalls.

Junos: SRX series
ScreenOS: Netscreen Firewalls & SSG/ISG Series

Researchers suspect NSA as FBI probes Juniper back door vulnerability

Some are suggesting that a US intelligence agency, the NSA, created a backdoor in an American vendor's products, products commonly installed in American government offices for their connections to the Internet.

Not only that, but the affected devices are themselves supposed to be security devices. Is the state now at risk from this hack?

As CRN states: "Just shy of a week after Juniper revealed vulnerabilities in its firewall operating system, partners said a document saying that the NSA exploited the flaws to gain backdoor access to VPN connections has them concerned. The document, provided by whistleblower Edward Snowden and published Wednesday by The Intercept, indicates that the NSA has cooperated with British counterpart GCHQ to exploit vulnerabilities in Juniper NetScreen firewall devices running the ScreenOS operating system."

The tech world is astounded!

Further Information here

The equipment in question is commonly known as NetScreen or ScreenOS firewalls, the SSG and ISG ranges.

Juniper SRX Upgrade Process

Example task: upgrade an HA pair of Juniper SRX240 firewalls (currently running 10.4R9.2).

First step: grab two 8GB USB sticks, plug one into each cluster member, and back up the current software to them:

>request system snapshot media usb

Note: I would reboot each chassis first, to confirm that the current software boots, before taking the USB copy.

I performed stepped upgrades using these versions, finishing with the version Juniper currently recommends for the platform in question (in this case an SRX240):

  • junos-srxsme-11.4R3.7-domestic.tgz
  • junos-srxsme-12.1X44-D55.3-domestic.tgz
  • junos-srxsme-12.1X46-D35.1-domestic.tgz

Juniper Support (JTAC) recommends upgrading with at most two versions in between, meaning the new software is no more than three releases away from the current one.

However, JTAC also states: you can upgrade directly from one EEOL release to the next EEOL release even though EEOL releases generally occur in increments beyond three releases. For example, Junos OS Releases 10.0, 10.4, and 11.4 are EEOL releases. You can upgrade from Junos OS Release 10.0 to Release 10.4 or even from Junos OS Release 10.0 to Release 11.4.

Further info here

Juniper doesn't provide earlier versions on its download site, so I normally go with 11.4R3.7, as I have not had any issues with it before and it is one I had to hand.

The approach I use is to:

  • Separate the node you are upgrading from the cluster by removing all of its cables
  • Do one firewall at a time
  • Use WinSCP to transfer the package into the /tmp directory, and
  • Run the following command:

>request system software add /tmp/junos-srxsme-11.4R3.7-domestic.tgz no-copy no-validate unlink

  • no-copy — installs the software package but does not save copies of the package files
  • no-validate — does not check compatibility with the current configuration before installation starts
  • unlink — removes the software package after successful installation

Some release notes reference no-validate because validation is occasionally flagged as failing between certain versions when there is no real incompatibility.

This method also removes the installation package as soon as possible, to make sure there is enough disk space available for the install. Check free space on the node before copying the package over.

I had issues because the software we were running "request system software" from was corrupted, so you need to confirm that the software you are running is healthy; if not, boot from the other partition and copy that over.

Why no-validate?

The Junos 12.1X44 release notes state: "On the SRX240B2 and SRX240H2 models, when you try to upgrade from Junos OS Release 11.4 to Junos OS Release 12.1X44, 12.1X45, 12.1X46, or 12.1X47, the upgrade fails when attempting to validate the configuration. To resolve this, use the no-validate option."

Confirm the software on both partitions with:

>show system snapshot media internal

Copy to the backup partition:

>request system snapshot slice alternate

It will take a while; then you can check the version of the backup software with the following command:

>show system software backup
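The upgrade planning above, as an added example that is not part of the original post: a small Python script that parses Junos version strings and package file names, applies the hop rule the post describes (at most three releases per hop, or EEOL to EEOL up to two EEOL steps ahead, as in the 10.0 to 11.4 example), picks the furthest permitted hop from the packages you have to hand, and prints the CLI commands for each hop. The release ordering, the EEOL list, treating the SRX 12.1X branches as separate trains, and the "request system reboot" and "show version" lines are assumptions of this example, not taken from the post or from Juniper.

```python
"""Plan a stepped Junos upgrade and emit the CLI commands for each hop.

Added example, not code from the original post. RELEASE_ORDER, EEOL_TRAINS
and the counting rules are assumptions drawn from the post's description.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Sequence

# Release trains in ascending order (assumed; SRX 12.1X branches are
# treated as their own trains, matching the hops the post made).
RELEASE_ORDER = ["10.0", "10.1", "10.2", "10.3", "10.4",
                 "11.1", "11.2", "11.3", "11.4",
                 "12.1", "12.1X44", "12.1X45", "12.1X46", "12.1X47"]
EEOL_TRAINS = ["10.0", "10.4", "11.4"]   # EEOL releases named in the post
MAX_HOP = 3        # "the new software is 3 versions away from the current"
MAX_EEOL_HOP = 2   # the 10.0 -> 11.4 example skips one EEOL release

VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)(?:X(?P<x>\d+))?"
    r"(?:R(?P<r>\d+)|-D(?P<d>\d+))?(?:\.(?P<build>\d+))?$")
PACKAGE_RE = re.compile(
    r"^junos-(?P<platform>[a-z]+)-(?P<version>.+)-(?P<variant>domestic|export)\.tgz$")


@dataclass(frozen=True)
class JunosVersion:
    text: str    # e.g. "12.1X44-D55.3"
    train: str   # e.g. "12.1X44"; the unit the hop rule counts in

    @property
    def index(self) -> int:
        return RELEASE_ORDER.index(self.train)


def parse_version(text: str) -> JunosVersion:
    """Parse "10.4R9.2" or "12.1X44-D55.3" into its release train."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Junos version: {text!r}")
    train = f"{m['major']}.{m['minor']}" + (f"X{m['x']}" if m["x"] else "")
    if train not in RELEASE_ORDER:
        raise ValueError(f"release train {train} is not in RELEASE_ORDER")
    return JunosVersion(text, train)


def version_from_package(filename: str) -> JunosVersion:
    """Extract the version from a name like junos-srxsme-11.4R3.7-domestic.tgz."""
    m = PACKAGE_RE.match(filename)
    if not m:
        raise ValueError(f"not a Junos package name: {filename!r}")
    return parse_version(m["version"])


def hop_allowed(src: JunosVersion, dst: JunosVersion) -> bool:
    """Forward hops only: within MAX_HOP trains, or EEOL to EEOL within MAX_EEOL_HOP."""
    if dst.index <= src.index:
        return False
    if dst.index - src.index <= MAX_HOP:
        return True
    if src.train in EEOL_TRAINS and dst.train in EEOL_TRAINS:
        return EEOL_TRAINS.index(dst.train) - EEOL_TRAINS.index(src.train) <= MAX_EEOL_HOP
    return False


def plan_upgrade(current: str, target: str, packages: Sequence[str]) -> List[str]:
    """Return package file names in install order, taking the furthest
    permitted hop each time. Raises ValueError if no permitted path exists."""
    cur, goal = parse_version(current), parse_version(target)
    versions: Dict[JunosVersion, str] = {version_from_package(p): p for p in packages}
    path: List[str] = []
    while cur.train != goal.train:
        candidates = [v for v in versions if hop_allowed(cur, v) and v.index <= goal.index]
        if not candidates:
            raise ValueError(f"no permitted hop from {cur.train} towards {goal.train}")
        cur = max(candidates, key=lambda v: v.index)
        path.append(versions[cur])
    return path


def hop_commands(package: str, staging_dir: str = "/tmp") -> List[str]:
    """Junos CLI sequence for one hop. The install, snapshot and backup-check
    lines are the post's; the reboot and "show version" lines are added here."""
    return [
        f"request system software add {staging_dir}/{package} no-copy no-validate unlink",
        "request system reboot",
        "show version",                             # confirm the new release booted
        "request system snapshot slice alternate",  # copy it to the backup partition
        "show system software backup",              # verify the backup partition version
    ]


if __name__ == "__main__":
    # Constructed input: the packages the post used, in no particular order.
    packages = ["junos-srxsme-12.1X46-D35.1-domestic.tgz",
                "junos-srxsme-11.4R3.7-domestic.tgz",
                "junos-srxsme-12.1X44-D55.3-domestic.tgz"]
    for pkg in plan_upgrade("10.4R9.2", "12.1X46-D35.1", packages):
        print(f"# hop: {pkg}")
        for cmd in hop_commands(pkg):
            print(cmd)
```

Run it on one node at a time, as the post says; the script only plans and prints, it does not talk to the firewall. If a hop is rejected it raises rather than guessing, which is the behaviour you want when the only package to hand is too far ahead of the running release.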

If it fails:

  1. >request system software rollback
  2. Excellent article from Thorsten on recovering a Juniper SRX from a failed boot:
     https://yorickdowne.wordpress.com/2013/11/13/recover-juniper-srx-from-failed-boot/
  3. Also see Tech Notes / RtooDtoo.net:
     http://rtoodtoo.net/recovering-primary-junos-image/

SRX Logging & Packet Capture

How to Create a PCAP packet capture on SRX Branch device

http://aleeboo.com/how-to-create-a-pcap-packet-capture-on-a-j-series-or-srx-branch-device/

How to capture packets on High-End SRX devices

http://aleeboo.com/how-to-capture-packets-on-high-end-srx-devices/

SRX Getting Started – Configure Logging

http://kb.juniper.net/InfoCenter/index?page=content&id=KB16634

SRX Getting Started – Configure Traffic Logging (Security Policy Logs) for SRX Branch Devices

http://kb.juniper.net/InfoCenter/index?page=content&id=KB16509

SRX Getting Started – Configure Traffic Logs (or Security Policy Logs) for SRX High-End Devices

http://kb.juniper.net/InfoCenter/index?page=content&id=KB16506

[SRX] How to enable and view traffic logs in the J-Web/GUI on SRX devices

http://kb.juniper.net/InfoCenter/index?page=content&id=KB19490