To delve into NAT processing in Junos, it is better to see the packet flow in ASCII.
First PATH: Screens->Static NAT->Dest NAT->Route->Zones->Policy->Reverse Static NAT->Source NAT->Services ALG->Session
Fast PATH: Screens->TCP->NAT->Services ALG
Based on the first packet of a session, JUNOS installs NAT and PAT information into the session table for fast path processing. You should pay attention


Screen is an option that you can use to prevent certain kinds of attacks. Once enabled, the screen check is performed prior to any other check, according to the packet flow diagram. For an attack to take place, several stages have to be gone through:
Reconnaissance
IP Address Sweep
This is used to know the layout of

JNCIS-SEC [ Firewall User Authentication ]

With firewall authentication, users can be restricted. If a user tries to access a network resource, they will be asked for username/password. Authentication methods are:
* local password database
* RADIUS
* LDAP
* SecurID
There are two types of user authentication available:
* Pass-through authentication: Users are authenticated when they try to access a

JNCIS-SEC [Security Policies]

A security policy is a set of rules that tells a Junos device what to do with transit traffic between zones and within a zone. SRXs, as opposed to Netscreen devices, by default don't allow intra-zone traffic. If the destination of the traffic is the device itself, security policies aren't applicable. Instead, the host-inbound-traffic option must be used

JNCIS-SEC [Introduction]

Packet forwarding on Junos security devices is stateful, as opposed to a traditional router whose behaviour is stateless/promiscuous. There are several requirements for security devices:
1) Stateful packet processing based on IP, transport and application layer
2) NAT, PAT
3) VPNs with authentication and encryption
Stateful packet processing involves a unidirectional flow consisting of six elements
1)


Here are the notes I have taken while preparing for the JNCIS-SEC exam. They may not be useful for everyone, as they are for me to remember some of the stuff. Zones are logical groupings of logical interfaces with a common security requirement. Special interfaces like fxp0, chassis cluster interfaces and em0 interfaces cannot be assigned to

advanced commands

Here is a command I have just seen. The command takes you to the flow daemon and allows several advanced troubleshooting options. It is good to look deeply.

    root@host> start shell pfe network fwdd
    BSD platform (OCTEON processor, 136MB memory, 1024KB flash)
    FLOWD_OCTEON(host vty)#

ipsec configuration on srx

Below is a site-to-site configuration between two SRX boxes (240 and 210).

HOST1

    root@host1# show security ike {
        proposal prop-basic {
            authentication-method pre-shared-keys;
            dh-group group2;
            encryption-algorithm 3des-cbc;
            lifetime-seconds 3600;
        }

Junos NAT

Doing NAT is very easy with SRX indeed. For example:

SOURCE NAT (INTERFACE BASED)

    [edit security nat]
    root@host# show | display set
    set security nat source rule-set rs1 from zone trust
    set security nat source rule-set rs1 to zone untrust
    set security nat source rule-set rs1 rule rl1 match source-address
    set security nat source

Packet debug in SRX

If you want to debug a packet flow, you can use the following config, with which the testdebug.log file will contain debugs for ICMP traffic.

    [edit security flow]
    root@host# show
    traceoptions {
        file testdebug.log;
        flag basic-datapath;
        packet-filter look-icmp {
            protocol icmp;
        }
    }