This came from Jeremy Merideth's blog, which it doesn't appear that he is currently maintaining, but great info in here and a thanks to him. How to get an SRX out of default Juniper config:
http://runningsecure.blogspot.com/2011/06/screenos-background.html
SRX Default Config
For the purpose of this blog I will be configuring an SRX100.
When either taking an SRX out of the box or entering the following commands, you will get the Juniper default configuration.
root@host# load factory-default
root@host# set system root-authentication plain-text-password
root@host# commit and-quit
root@host> request system reboot
Personally I prefer to work from a blank canvas, so the following commands removes all Juniper applied config, adds a few tweaks and gives us a starting point to build up our configurations.
Remove the interface Ethernet Switching
root@host# delete interfaces fe-0/0/1 unit 0 family ethernet-switching
"Repeat for interfaces range 1-7"
root@host# delete interfaces vlan unit 0 family inet address 192.168.1.1/24
root@host# delete interfaces vlan unit 0 family inet
Remove the fe0/0/0.0 interface from Security Zone
root@host# delete security zones security-zone untrust interfaces fe-0/0/0.0
Remove the Zone Interfaces and Policies
root@host# delete security zones security-zone trust host-inbound-traffic
root@host# delete security zones security-zone trust interfaces vlan.0
Remove Default Policies
root@host# delete security policies from-zone trust to-zone untrust
Remove Default Web Management
root@host# delete system services web-management http interface vlan.0
root@host# delete system services web-management https interface vlan.0
Remove NAT rule
root@host# delete security nat source rule-set trust-to-untrust
Remove Screening on Untrust Zone
root@host# delete security zones security-zone untrust screen
Remove Existing Name Servers and add Google ones
root@host# delete system name-server 208.67.222.222
root@host# delete system name-server 208.67.220.220
root@host# set system name-server 8.8.8.8
root@host# set system name-server 8.8.4.4
root@host# delete system services dhcp
Remove Default Security Zones
root@host# delete security zones security-zone untrust
root@host# delete security zones security-zone trust
set version 11.1R2.3
set system root-authentication encrypted-password "$1$sF9Tjm/m$zu6xvdjAUIqeeHSP69Vfm0"
set system name-server 8.8.8.8
set system name-server 8.8.4.4
set system services ssh
set system services telnet
set system services xnm-clear-text
set system services web-management http
set system services web-management https system-generated-certificate
set system syslog archive size 100k
set system syslog archive files 3
set system syslog user * any emergency
set system syslog file messages any critical
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands error
set system max-configurations-on-flash 5
set system max-configuration-rollbacks 5
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces fe-0/0/0 unit 0
set interfaces fe-0/0/1 unit 0
set interfaces fe-0/0/2 unit 0
set interfaces fe-0/0/3 unit 0
set interfaces fe-0/0/4 unit 0
set interfaces fe-0/0/5 unit 0
set interfaces fe-0/0/6 unit 0
set interfaces fe-0/0/7 unit 0
set interfaces vlan unit 0
set protocols stp
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security policies
set vlans vlan-trust vlan-id 3
set vlans vlan-trust l3-interface vlan.0
And then how to set it up to more closely emulate an MX series SP switch from the Juniper Forums:
Cleaned up the rack some, and added some cable management. The second ADVA (GE206V) is just waiting for some MM fiber jumpers to arrive. (quite literally, possibly, on a slow boat from china)
Need to sell a couple more racks and I'll have enough to pull the trigger on a Juniper EX2200 to more fully simulate the types of circuits we'll be performing break/fix on.
Thanks for sharing the code! It was really helpful. Looking forward for your next post.
ReplyDeleteUPS BATTERIES