Tuesday, October 23, 2012

How do you install Junos software via the CLI from a file copied to the SRX?

Refer to the following steps to copy the software to the SRX and then install it via the CLI:
  1. Copy the software to /var/tmp on the SRX via SCP or FTP.
    For example:
    user@srx> scp junos-srxsme-11.4R4.4-domestic.tgz user@srx:/var/tmp/junos-srxsme-11.4R4.4-domestic.tgz

    OR

    user@srx> ftp   (and login)
    ftp> lcd /var/tmp
    ftp> bin
    ftp> get junos-srxsme-11.4R4.4-domestic.tgz
    ftp> bye
  2. Install the software with the commands below. For detailed instructions, refer to Installing the Software.
    For example:
    From the local file in /var/tmp
    user@srx> request system software add no-copy /var/tmp/junos-srxsme-11.4R4.4-domestic.tgz
    user@srx> request system reboot


Citation - This blog post does not reflect original content from the author. Rather, it summarizes content that is relevant to the topic from different sources on the web. The sources might include any online discussion boards, forums, websites and others.

Monday, October 22, 2012

How to set up the configuration on the NetScreen-Remote side:

Create a new policy by clicking the New Connection icon in the upper left corner. Label this new connection Corporate.
  1. On Remote Party Identity and Addressing
    1. ID Type: IP Subnet
    2. Subnet: 172.16.10.0
    3. Netmask: 255.255.255.0
    4. Click Connect using Secure Gateway Tunnel
    5. ID Type: IP Address: 1.1.1.1
  2. Expand the connection Corporate
    1. Click Security Policy
      1. Select Phase 1 Negotiation Mode: Aggressive
      2. Deselect Enable Perfect Forward Secrecy (PFS)
      3. Deselect Enable Replay Detection
    2. Click My Identity
      1. Select Certificate: None
      2. ID Type: Email address: sales@ns.com
      3. Click Pre-Shared Key
        1. Click Enter Key
          1. Enter the Pre-shared key sharedikeid
          2. Click OK
    3. Expand Security Policy
      1. Expand Authentication (Phase 1)
        1. Select Proposal 1
          1. Authentication Method: Pre-Shared Key;Extended Authentication
          2. Encryption Alg: Triple DES
          3. Hash Alg: SHA
          4. SA Life: Unspecified
          5. Key Group: Diffie-Hellman Group 2
      2. Expand Key Exchange (Phase 2)
        1. Select Proposal 1
          1. Encrypt Alg: Triple DES
          2. Hash Alg: SHA
          3. Encapsulation: Tunnel
    4. Click Save


Tuesday, October 9, 2012

How do you do an offline attack update using guiSvrCli.sh when the NSM server does not have internet access?

An attack update can be performed from the CLI using the guiSvrCli.sh script. By default, this tool uses the URL https://services.netscreen.com/restricted/sigupdates/nsm-updates/NSM-SecurityUpdateInfo.dat to download the latest attack DB information.

If the NSM server does not have access to the internet, administrators can follow this procedure to perform attack update via CLI:

1) Obtain the two attack update files (the data file and the attack object database file) from the website. For the data file, copy and paste the content from the URL into a file and name the file NSMFP3-DI-IDPAttackUpdateInfo.dat, or NSM-SecurityUpdateInfo.dat for 2006 and higher. Place these two files (dat file and zip file) on the NSM server under /tmp.

To obtain the dat file:

For older NSM releases prior to NSM 2006.1t2: NSMFP3-DI-IDPAttackUpdateInfo.dat
For NSM 2006.1 and above: NSM-SecurityUpdateInfo.dat

To obtain the .zip file (which contains the attack object database), use the file for your release. Copy both files to the /tmp directory on the NSM GUI Server.

For older NSM releases prior to NSM 2006.1r: NSMFP3-DI-IDP.zip
For NSM 2006.1 (r1 & r2): NSMFP6-DI-IDP.zip
For NSM 2007.1 and 2007.2: NSMFP7-DI-IDP.zip
For NSM 2007.3: NSMFP9-DI-IDP.zip
For NSM 2008.1: NSMFP10-DI-IDP.zip
For NSM 2008.2: NSMFP11-DI-IDP.zip
For NSM 2009.1: NSMFP12-DI-IDP.zip
For NSM 2010.1: NSMFP12-DI-IDP.zip
For NSM 2010.2: NSMFP13-DI-IDP.zip
For NSM 2010.3: NSMFP14-DI-IDP.zip
For NSM 2010.4: NSMFP14-DI-IDP.zip

2) Log in to the NSM server (GUI Server) via SSH as root. If you are using an NSMXpress device, log in as admin, run sudo su -, and type in the admin password. Change to the directory $NSROOT/GuiSvr/var/svrcli ($NSROOT is set to /usr/netscreen in most installs).

3) Make a copy of the file updateAttacks.vtl, then edit it and replace the https URL found in this file with the path to the dat file:
  For releases prior to 2006.1:   file:///tmp/NSMFP3-DI-IDPAttackUpdateInfo.dat
  For 2006.1 and higher:   file:///tmp/NSM-SecurityUpdateInfo.dat

4) Run the guiSvrCli.sh script to update attack db:

Change to the utils directory: cd /usr/netscreen/GuiSvr/utils

Run one of the following commands for NSM version 2007.1, 2007.2 and 2007.3:
  To perform only the attack update, run the command: ./guiSvrCli.sh --update-attacks --post-action --none
  To perform attack update and device update, run the command: ./guiSvrCli.sh --update-attacks --post-action --update-devices

Run one of the following commands for NSM version 2008.1 and above:
  To perform only the attack update, run the command: ./guiSvrCli.sh --update-attacks --post-action --none
  To perform attack update and device update, run the command: ./guiSvrCli.sh --update-attacks --post-action --update-devices

5) Once the script runs, you will be prompted for the domain/user. Enter global/super and then the super user's password (super is the admin user for NSM, not root).
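
Steps 1 to 3 of the procedure above can be scripted. The following is an added example, not part of the original post or of NSM: it checks that both update files are staged, optionally compares the zip's SHA-256 with a value recorded on the download machine, keeps a copy of updateAttacks.vtl, and rewrites the https URL to the file:// path. The function names, the availability of sha256sum on the server, and the assumption that the template holds the URL on a single line are not from the post.

```shell
#!/bin/sh
# Added example (not from the original post): stage an offline NSM attack update.
# Assumptions: sha256sum is available, and updateAttacks.vtl contains the
# https URL of the .dat file somewhere on a line (its layout is not shown above).

# check_staged DIR DAT ZIP [EXPECTED_ZIP_SHA256]
# Succeeds when both files exist and are non-empty and, if a digest recorded on
# the download machine is given, the zip on this server matches it.
check_staged() {
    dir=$1 dat=$2 zip=$3 want=${4:-}
    for f in "$dir/$dat" "$dir/$zip"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done
    if [ -n "$want" ]; then
        got=$(sha256sum "$dir/$zip" | cut -d' ' -f1)
        [ "$got" = "$want" ] || { echo "sha256 mismatch: $zip" >&2; return 3; }
    fi
}

# point_vtl_at_file VTL DAT_PATH
# Keeps VTL.orig as the untouched copy (step 3), then replaces the https URL
# ending in the .dat file name with file://DAT_PATH. Returns 2 when no such
# URL is present, for example when the template was already converted.
point_vtl_at_file() {
    vtl=$1 dat_path=$2
    dat_name=$(basename "$dat_path")
    pattern="https://[^\"' ]*$dat_name"
    [ -f "$vtl" ] || { echo "no such template: $vtl" >&2; return 1; }
    grep -q "$pattern" "$vtl" || { echo "no https URL in $vtl" >&2; return 2; }
    [ -e "$vtl.orig" ] || cp -p "$vtl" "$vtl.orig"
    tmp="$vtl.new.$$"
    sed "s|$pattern|file://$dat_path|g" "$vtl" > "$tmp" || return 1
    cat "$tmp" > "$vtl"   # overwrite in place to keep owner and mode
    rm -f "$tmp"
}

# Usage on the GUI server for NSM 2010.4, with the paths given in the post:
#   check_staged /tmp NSM-SecurityUpdateInfo.dat NSMFP14-DI-IDP.zip "$ZIP_SHA256"
#   point_vtl_at_file /usr/netscreen/GuiSvr/var/svrcli/updateAttacks.vtl \
#       /tmp/NSM-SecurityUpdateInfo.dat
```

A non-zero return from either function means the update files or the template are not in the state the procedure expects, so guiSvrCli.sh should not be run yet.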

Monday, October 8, 2012

Why isn't there a remote-as statement for any neighbors except for those in the global routing process & ipv4 vrf VRF-1 address-family?


The neighbor ... remote-as command declares the BGP AS number used by the neighbor. The configuration of a PE node like the one you have examined is an example of multiprotocol BGP (MP-BGP).

In MP-BGP, we define the neighbors with neighbor ... remote-as in the router bgp configuration. The various address families, such as ipv4 unicast, ipv4 multicast, and vpnv4, represent different areas of interest. Each BGP peer can be interested in only some specific address families and not in all of them.

The key command that tells the router a specific neighbor is interested in address family X is the neighbor activate command. With this command, we instruct the local node to send and receive updates, named NLRI (Network Layer Reachability Information), for the specific address family X.


