In this post series, we will cover one of the wonderful things with Junos, which is loading configurations to the devices. Compared to other vendors where you paste into a live configuration, Junos uses a candidate configuration for all changes. A great benefit of this is that there are a few ways to load configurations onto the devices.

The ways we can load the configurations are shown below.

  factory-default      Override existing configuration with factory default
  merge                Merge contents with existing configuration
  override             Override existing configuration
  patch                Load patch file into configuration
  replace              Replace configuration data
  set                  Execute set of commands on existing configuration
  update               Update existing configuration

I want to briefly touch on a few of the commands.

The first command, factory-default, is a way to soft reset the configuration back to the factory configuration without losing any of the locally stored data. The alternative way to factory-default the configuration is to use the request system zeroize command. The zeroize command will reset the device back to the factory configuration and remove all locally stored user data (logs, files, etc.).

The second command, override, will discard the current configuration and replace it with what you load into the device. When doing this the Junos device will re-evaluate the entire configuration you have entered. By re-evaluating the config, it will treat everything as new, which will impact the device. If you want to just update the config and not re-evaluate everything, then you would use load update, which we will cover in post 4.

For this post, we will cover merge, patch, replace, update, and set.

For this lab series, we will use a simple topology to demonstrate the different ways to load configs. We have our SRX configured with TRUST and UNTRUST zones, a connection to the Internet, and a Windows 7 PC that has a browser installed. We will focus on making changes to our security policies.

Our current configured security policy is fairly straightforward. NAT, routing, and security zones have all been pre-configured for this post. For testing we will use a website called HTTPvsHTTP to test HTTP and HTTPS access from our Win7 box. We will initially be permitting traffic from TRUST to the Internet for HTTP, ICMP, and DNS, with the goal of adding an HTTPS policy and having that traffic pass. Our currently configured security policy is below:

security {
    policies {
        from-zone TRUST to-zone UNTRUST {
            policy PERMIT-HTTP {
                match {
                    source-address any;
                    destination-address any;
                    application junos-http;
                }
                then {
                    permit;
                }
            }
            policy PERMIT-ICMP {
                match {
                    source-address any;
                    destination-address any;
                    application junos-icmp-all;
                }
                then {
                    permit;
                }
            }
            policy PERMIT-DNS {
                match {
                    source-address any;         
                    destination-address any;
                    application [ junos-dns-tcp junos-dns-udp ];
                }
                then {
                    permit;
                }
            }
            policy DENY-ALL {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    reject;
                }
            }
        }
    }
}

Now before we make changes, we should test our policy to verify that the PC can access the site over regular HTTP and not HTTPS. In the video below you can see that HTTP traffic is working and when we try the HTTPS site, it is not working.

We could also check this by running a show security match-policies command on the firewall. Below we run one for HTTP showing that it matches the PERMIT-HTTP policy and one for HTTPS showing that it is denied via the DENY-ALL policy.

[- HTTP POLICY PERMITTED -]
show security match-policies from-zone TRUST to-zone UNTRUST source-ip 10.1.1.100 source-port 1024 destination-ip 45.33.7.16 destination-port 80  protocol tcp

Policy: PERMIT-HTTP, action-type: permit, State: enabled, Index: 8
0
  Policy Type: Configured
  Sequence number: 1
  From zone: TRUST, To zone: UNTRUST
  Source addresses:
    any-ipv4(global): 0.0.0.0/0 
    any-ipv6(global): ::/0
  Destination addresses:
    any-ipv4(global): 0.0.0.0/0 
    any-ipv6(global): ::/0
  Application: junos-http
    IP protocol: tcp, ALG: 0, Inactivity timeout: 300
      Source port range: [0-0] 
      Destination ports: 80
  Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No

[- HTTPS POLICY DENIED -]
show security match-policies from-zone TRUST to-zone UNTRUST source-ip 10.1.1.100 source-port 1024 destination-ip 45.33.7.16 destination-port 443  protocol tcp

Policy: DENY-ALL, action-type: reject, State: enabled, Index: 6
0
  Policy Type: Configured
  Sequence number: 4
  From zone: TRUST, To zone: UNTRUST
  Source addresses:
    any-ipv4(global): 0.0.0.0/0 
    any-ipv6(global): ::/0
  Destination addresses:
    any-ipv4(global): 0.0.0.0/0 
    any-ipv6(global): ::/0
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
      Source port range: [0-0] 
      Destination ports: [0-0]
  Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No

We will be adding a policy to permit HTTPS traffic from the TRUST to the UNTRUST zone. Below is the configuration in stanza format that we will be adding to the configuration to permit the traffic.

security {
    policies {
        from-zone TRUST to-zone UNTRUST {
            policy PERMIT-HTTPS {
                match {
                    source-address any;
                    destination-address any;
                    application junos-https;
                }
                then {
                    permit;
                }
            }
        }   
    }   
}

The first load command we will try will be load merge. This command will merge the pasted configuration into the candidate configuration on your Juniper device. To end your paste, you need to press CTRL-D on an empty line.

[edit]
jfry@FRYGUY-LAB# load merge terminal 
[Type ^D at a new line to end input]
security {
    policies {
        from-zone TRUST to-zone UNTRUST {
            policy PERMIT-HTTPS {
                match {
                    source-address any;
                    destination-address any;
                    application junos-https;
                }
                then {
                    permit;
                }
            }
        }   
    }   
}
^D
load complete

Now we can check our configuration to make sure that this appears in our security policies. We will do this by issuing the command show security policies while still in configuration mode. What you should notice is that the new configuration was added at the end of the existing policies. This is because, with security policies, new policies appear in the order they are added.

[edit]
jfry@FRYGUY-LAB# show security policies 
from-zone TRUST to-zone UNTRUST {
    policy PERMIT-HTTP {
        match {
            source-address any;
            destination-address any;
            application junos-http;
        }
        then {
            permit;
        }
    }
    policy PERMIT-ICMP {
        match {
            source-address any;
            destination-address any;
            application junos-icmp-all;
        }
        then {
            permit;
        }
    }
    policy PERMIT-DNS {
        match {
            source-address any;         
            destination-address any;
            application [ junos-dns-tcp junos-dns-udp ];
        }
        then {
            permit;
        }
    }
    policy DENY-ALL {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            reject;
        }
    }
    policy PERMIT-HTTPS {
        match {
            source-address any;
            destination-address any;
            application junos-https;
        }                               
        then {
            permit;
        }
    }
}

Since it is at the end of the policies, we need to move it before the DENY-ALL policy by using the insert command. After that we can check to make sure it is before the DENY-ALL policy.

insert security policies from-zone TRUST to-zone UNTRUST policy PERMIT-HTTPS before policy DENY-ALL

[edit]
jfry@FRYGUY-LAB# show security policies 
from-zone TRUST to-zone UNTRUST {
    policy PERMIT-HTTP {
        match {
            source-address any;
            destination-address any;
            application junos-http;
        }
        then {
            permit;
        }
    }
    policy PERMIT-ICMP {
        match {
            source-address any;
            destination-address any;
            application junos-icmp-all;
        }
        then {
            permit;
        }
    }
    policy PERMIT-DNS {
        match {
            source-address any;         
            destination-address any;
            application [ junos-dns-tcp junos-dns-udp ];
        }
        then {
            permit;
        }
    }
    policy PERMIT-HTTPS {
        match {
            source-address any;
            destination-address any;
            application junos-https;
        }
        then {
            permit;
        }
    }
    policy DENY-ALL {
        match {
            source-address any;
            destination-address any;
            application any;
        }                               
        then {
            reject;
        }
    }
}
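To see why the ordering matters, here is an added Python example (not from the original post or from Juniper) that parses a condensed, constructed copy of the post-merge show security policies output, does a first-match lookup the way show security match-policies does, and reorders the list the way the insert command does. The helper names parse_policies, first_match and insert_before are my own.

```python
import re

# Constructed sample mirroring the post-merge 'show security policies' output,
# condensed to the fields this check needs (address terms omitted).
MERGED = """from-zone TRUST to-zone UNTRUST {
    policy PERMIT-HTTP { match { application junos-http; } then { permit; } }
    policy PERMIT-ICMP { match { application junos-icmp-all; } then { permit; } }
    policy PERMIT-DNS { match { application [ junos-dns-tcp junos-dns-udp ]; } then { permit; } }
    policy DENY-ALL { match { application any; } then { reject; } }
    policy PERMIT-HTTPS { match { application junos-https; } then { permit; } }
}"""

def parse_policies(text):
    """Return policies as [{name, apps, action}] in stanza order, which is the
    order the SRX evaluates them. Braces and ';' are split onto their own
    lines so both the CLI display format and the condensed form parse."""
    policies, current = [], None
    for raw in re.sub(r"([{};])", r"\1\n", text).splitlines():
        line = raw.strip()
        m = re.match(r"policy (\S+) \{", line)
        if m:
            current = {"name": m.group(1), "apps": [], "action": None}
            policies.append(current)
        elif current and line.startswith("application "):
            apps = line[len("application "):].rstrip(";").strip("[] ").split()
            current["apps"] = apps
        elif current and line in ("permit;", "deny;", "reject;"):
            current["action"] = line.rstrip(";")
    return policies

def first_match(policies, application):
    """First-match lookup like 'show security match-policies'; None means no
    configured policy matched (the SRX default action is deny)."""
    for p in policies:
        if "any" in p["apps"] or application in p["apps"]:
            return p["name"], p["action"]
    return None

def insert_before(policies, name, before):
    """Reorder like 'insert ... policy NAME before policy BEFORE'."""
    moving = next(p for p in policies if p["name"] == name)
    rest = [p for p in policies if p["name"] != name]
    idx = next(i for i, p in enumerate(rest) if p["name"] == before)
    return rest[:idx] + [moving] + rest[idx:]

if __name__ == "__main__":
    merged = parse_policies(MERGED)
    print("after load merge:", first_match(merged, "junos-https"))  # DENY-ALL, shadowed
    moved = insert_before(merged, "PERMIT-HTTPS", "DENY-ALL")
    print("after insert:", first_match(moved, "junos-https"))       # PERMIT-HTTPS
```

Running the same check against the real show security policies output before committing is a cheap way to catch a merged policy that landed behind DENY-ALL.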

Below is a quick video of me adding the above configuration to the device, checking the load with show | compare and then showing the security policies verifying that it was added, but to the end of the config. I then move the policy before the DENY-ALL policy.

Now we can test our HTTPS access with show security match-policies as well as from the client. We can see from the CLI that the traffic is permitted.

show security match-policies from-zone TRUST to-zone UNTRUST source-ip 10.1.1.100 source-port 1024 destination-ip 45.33.7.16 destination-port 443  protocol tcp
               
Policy: PERMIT-HTTPS, action-type: permit, State: enabled, Index: 4
0
  Policy Type: Configured
  Sequence number: 4
  From zone: TRUST, To zone: UNTRUST
  Source addresses:
    any-ipv4(global): 0.0.0.0/0 
    any-ipv6(global): ::/0
  Destination addresses:
    any-ipv4(global): 0.0.0.0/0 
    any-ipv6(global): ::/0
  Application: junos-https
    IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
      Source port range: [0-0] 
      Destination ports: 443
  Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No

Now let us test it from our Windows 7 client. As you can see from the video, we can load HTTP and HTTPS traffic now.