Junos® OS

Administration Guide for Security Devices

Release

12.1X46-D10

Modified: 2016-07-07

Copyright © 2016, Juniper Networks, Inc.


Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United
States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other
trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,
transfer, or otherwise revise this publication without notice.

Junos® OS Administration Guide for Security Devices
12.1X46-D10
Copyright © 2016, Juniper Networks, Inc.
All rights reserved.

The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the
year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks
software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at
http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of
that EULA.


Table of Contents
About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Documentation and Release Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Supported Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Using the Examples in This Manual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Merging a Full Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv
Merging a Snippet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv
Documentation Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv
Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviii

Part 1 Overview
Chapter 1 Secure Web Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Secure Web Access Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Chapter 2 J-Web User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Understanding the User Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
J-Web User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Starting the J-Web User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Understanding the J-Web Interface Layout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
J-Web Commit Options Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Getting Help in the J-Web User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Establishing J-Web Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Chapter 3 User Authentication and Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Understanding User Authentication Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Understanding User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Understanding Login Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Permission Bits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Denying or Allowing Individual Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Understanding Template Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Chapter 4 USB Modems for Remote Management Setup . . . . . . . . . . . . . . . . . . . . . . . . 19
USB Modem Interface Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
USB Modem Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Dialer Interface Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
How the Device Initializes USB Modems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
USB Modem Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Chapter 5 Telnet and SSH Device Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Securing the Console Port Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . 25
Reverse Telnet Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Reverse Telnet Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Reverse Telnet Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Chapter 6 DHCP for IP Address Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
DHCP Server, Client, and Relay Agent Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
DHCP Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Understanding DHCP Server Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
DHCP Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Compatibility with Autoinstallation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Understanding DHCP Client Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Understanding DHCP Relay Agent Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
DHCP Settings and Restrictions Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Propagation of TCP/IP Settings for DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
DHCP Conflict Detection and Resolution . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
DHCP Interface Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Understanding DHCP Services in a Routing Instance . . . . . . . . . . . . . . . . . . . . . . . 34
DHCP Local Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
DHCP Client, DHCP Local Server, and Address-Assignment Pool Interaction . . . . . . . . . . . . 35
DHCP Local Server and Address-Assignment Pools . . . . . . . . . . . . . . . . 35
DHCP Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
DHCP Relay Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
DHCP Client, DHCP Relay Agent, and DHCP Local Servers . . . . . . . . . . . . . . 36
Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Chapter 7 DHCPv6 Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
DHCPv6 Client Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Understanding DHCPv6 Client and Server Identification . . . . . . . . . . . . . . . . . . . 40
Chapter 8 DHCPv6 Local Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
DHCPv6 Server Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Chapter 9 File Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
File Management Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Chapter 10 Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Junos OS License Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
License Enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
License Key Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
License Management Fields Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Junos OS Feature License Model Number for J Series Services Routers and SRX Series Services Gateways . . . . . . . . . . . . 47

Part 2 Configuration
Chapter 11 USB Modems for Remote Management Setup . . . . . . . . . . . . . . . . . . . . . . . . 51
Example: Configuring a USB Modem Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Example: Configuring a Dialer Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Example: Configuring a Dialer Interface for USB Modem Dial-In . . . . . . . . . . . . . . 57
Configuring a Dial-Up Modem Connection Remotely . . . . . . . . . . . . . . . . . . . . . . 59
Chapter 12 DHCP for IP Address Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Example: Configuring the Device as a DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . 61
Example: Configuring the Device as a DHCP Client . . . . . . . . . . . . . . . . . . . . . . . . 67
Example: Configuring the Device as a BOOTP or DHCP Relay Agent . . . . . . . . . . . 71
Configuring a DHCP Local Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Minimum DHCP Local Server Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 76
Configuring Address-Assignment Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Configuring an Address-Assignment Pool Name and Addresses . . . . . . . . . . 77
Configuring a Named Address Range for Dynamic Address Assignment . . . . 77
Configuring Static Address Assignments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
Configuring DHCP Client-Specific Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Verifying and Managing DHCP Local Server Configuration . . . . . . . . . . . . . . . 79
Configuring a DHCP Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Minimum DHCP Client Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Configuring Optional DHCP Client Attributes . . . . . . . . . . . . . . . . . . . . . . . . . 80
Verifying and Managing DHCP Client Configuration . . . . . . . . . . . . . . . . . . . . 81
Configuring a DHCP Relay Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Minimum DHCP Relay Agent Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Verifying and Managing DHCP Relay Configuration . . . . . . . . . . . . . . . . . . . . 82
Minimum DHCP Local Server Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Configuring Address-Assignment Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84
Configuring an Address-Assignment Pool Name and Addresses . . . . . . . . . . . . . 84
Configuring DHCP Client-Specific Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Configuring a Named Address Range for Dynamic Address Assignment . . . . . . . 86
Configuring Static Address Assignments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Enabling TCP/IP Propagation on a DHCP Local Server . . . . . . . . . . . . . . . . . . . . . 87
Minimum DHCP Client Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Configuring Optional DHCP Client Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Minimum DHCP Relay Agent Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Chapter 13 DHCPv6 Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Minimum DHCPv6 Client Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Configuring Optional DHCPv6 Client Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Configuring Nontemporary Address Assignment . . . . . . . . . . . . . . . . . . . . . . . . . . 93
Configuring Identity Associations for Nontemporary Addresses and Prefix Delegation . . . . . . . . . . . . 94
Configuring Auto-Prefix Delegation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
Configuring the DHCPv6 Client Rapid Commit Option . . . . . . . . . . . . . . . . . . . . . 95
Configuring a DHCPv6 Client in Autoconfig Mode . . . . . . . . . . . . . . . . . . . . . . . . . 95
Configuring TCP/IP Propagation on a DHCPv6 Client . . . . . . . . . . . . . . . . . . . . . . 96
Chapter 14 DHCPv6 Local Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Creating a Security Policy for DHCPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Example: Configuring DHCPv6 Server Options . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Example: Configuring an Address-Assignment Pool . . . . . . . . . . . . . . . . . . . . . . 103
Configuring a Named Address Range for Dynamic Address Assignment . . . . . . 105
Configuring Address-Assignment Pool Linking . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

Configuring DHCP Client-Specific Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
Configuring an Address-Assignment Pool for Router Advertisement . . . . . . . . . 107
Chapter 15 Configuration Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
[edit security certificates] Hierarchy Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
[edit security ssh-known-hosts] Hierarchy Level . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Interfaces Configuration Statement Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Groups Configuration Statement Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
address-assignment (Access) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
address-pool (Access) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
allow-configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
allow-configuration-regexps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
authentication-key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
authentication-order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
boot-server (NTP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
broadcast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
broadcast-client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
client-ia-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
client-identifier (dhcp-client) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
client-identifier (dhcpv6-client) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
client-list-name (SNMP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
client-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
deny-configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
deny-configuration-regexps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
dhcp-attributes (Access IPv4 Address Pools) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
dhcp-attributes (Access IPv6 Address Pools) . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
dhcp-client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
dhcpv6-client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
dhcp-local-server (System Services) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
dhcpv6 (System Services) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
family (Security Forwarding Options) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
forwarding-options (Security) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
group (System Services DHCP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
host (SSH Known Hosts) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
hostkey-algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
interface (System Services DHCP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
interfaces (ARP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
interfaces (Security Zones) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
interface-traceoptions (System Services DHCP) . . . . . . . . . . . . . . . . . . . . . . . . . 167
internet-options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
lease-time (dhcp-client) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
lockout-period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
multicast-client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
name-server (Access) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
neighbor-discovery-router-advertisement (Access) . . . . . . . . . . . . . . . . . . . . . . . 172
ntp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
overrides (System Services DHCP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
peer (NTP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
port (System Services Reverse SSH) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176

port (System Services Reverse Telnet) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
prefix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
profilerd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
rapid-commit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
reconfigure (System Services DHCP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
req-option . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
retransmission-attempt (dhcp-client) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
retransmission-attempt (dhcpv6-client) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
retransmission-interval (dhcp-client) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
ssh (reverse) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
ssh-known-hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
server (NTP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
server-address (dhcp-client) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
source-address (NTP, RADIUS, System Logging, or TACACS+) . . . . . . . . . . . . . . 192
telnet (System Services Reverse) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
traceoptions (System Services DHCP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
trusted-key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
update-router-advertisement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
update-server (dhcp-client) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
update-server (dhcpv6-client) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
user-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
use-interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
vendor-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
vpn (Forwarding Options) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Chapter 16 Configuration Statements (System) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
System Configuration Statement Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
connection-limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
disable (System Services) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
dlv . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
kernel-replication (System) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
macs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
protocol-version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
radius-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
root-authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
single-connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
static-subscribers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
statistics-service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
subscriber-management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
subscriber-management-helper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
uac-service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
usb-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
watchdog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
web-management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
web-management (System Services) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248

Part 3 Administration
Chapter 17 Secure Web Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Generating an SSL Certificate Using the openssl Command . . . . . . . . . . . . . . . . 255
Generating a Self-Signed SSL Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Manually Generating Self-Signed SSL Certificates . . . . . . . . . . . . . . . . . . . . . . . 256
Configuring Device Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Enabling Access Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
Example: Configuring Secure Web Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Adding, Editing, and Deleting Certificates on the Device . . . . . . . . . . . . . . . . . . . 260
Chapter 18 User Authentication and Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Example: Configuring a RADIUS Server for System Authentication . . . . . . . . . . 263
Example: Configuring a TACACS+ Server for System Authentication . . . . . . . . . 266
Example: Configuring Authentication Order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Example: Configuring New Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
Example: Configuring System Retry Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Example: Creating Template Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Handling Authorization Failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
Understanding Administrative Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
Example: Configuring Administrative Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Chapter 19 USB Modems for Remote Management Setup . . . . . . . . . . . . . . . . . . . . . . . 291
Connecting to the Device Remotely . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
Modifying USB Modem Initialization Commands . . . . . . . . . . . . . . . . . . . . . . . . . 291
Resetting USB Modems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Chapter 20 Telnet and SSH Device Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Configuring Password Retry Limits for Telnet and SSH Access . . . . . . . . . . . . . . 295
Configuring Reverse Telnet and Reverse SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Example: Controlling Management Access on SRX and J-Series Devices . . . . . . 297
The telnet Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
The ssh Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Chapter 21 DHCP for IP Address Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Verifying and Managing DHCP Local Server Configuration . . . . . . . . . . . . . . . . . 303
Verifying and Managing DHCP Client Configuration . . . . . . . . . . . . . . . . . . . . . . 304
Verifying and Managing DHCP Relay Configuration . . . . . . . . . . . . . . . . . . . . . . . 304
Chapter 22 File Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Decrypting Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Encrypting Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Modifying the Encryption Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Cleaning Up Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Cleaning Up Files with the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Deleting Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Deleting the Backup Software Image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Downloading Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Managing Accounting Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313

Chapter 23 Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Displaying License Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Downloading License Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Generating a License Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Saving License Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Updating License Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Example: Adding a New License Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Example: Deleting a License Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Chapter 24 Operational Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
clear dhcp client binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
clear dhcpv6 client binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
clear dhcp client statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
clear dhcpv6 client statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330
clear dhcp relay binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
clear dhcp relay statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
clear dhcp server binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
clear dhcp server statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
clear dhcpv6 server binding (Local Server) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
clear dhcpv6 server statistics (Local Server) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
clear system login lockout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
file archive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
file checksum md5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
file checksum sha1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
file checksum sha-256 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
file compare . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
file copy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
file delete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
file list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
file rename . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
file show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
request dhcp client renew . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
request dhcpv6 client renew . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
request system autorecovery state . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
request system download abort . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
request system download clear . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357
request system download pause . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
request system download resume . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
request system download start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
request system firmware upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
request system license update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
request system partition compact-flash . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
request system power-off fpc . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
request system services dhcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
request system snapshot (Maintenance) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
request system software abort in-service-upgrade (ICU) . . . . . . . . . . . . . . . . . . 369
request system software add (Maintenance) . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
request system reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
request system software rollback (Maintenance) . . . . . . . . . . . . . . . . . . . . . . . . 372


request support information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
request system zeroize . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
restart (Reset) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
Restart Commands Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
show chassis routing-engine (View) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
show dhcp client binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
show dhcpv6 client binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
show dhcp client statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
show dhcpv6 client statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
show dhcp relay binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 402
show dhcp relay statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
show dhcp server binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
show dhcp server statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
show dhcpv6 server binding (View) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
show dhcpv6 server statistics (View) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414
show firewall (View) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
show system autorecovery state . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
show system directory-usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
show system download . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 423
show system license (View) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
show system login lockout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
show system services dhcp client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
show system services dhcp relay-statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 432
show system snapshot media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434
show system storage (View SRX Series) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 435
show system storage partitions (View SRX Series) . . . . . . . . . . . . . . . . . . . . . . . 437

Part 4 Index
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441

List of Tables
About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Table 1: Notice Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv
Table 2: Text and Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi

Part 1 Overview
Chapter 2 J-Web User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Table 3: Concurrent Web Sessions on SRX Series Devices . . . . . . . . . . . . . . . . . . . . 7
Chapter 3 User Authentication and Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Table 4: Predefined Login Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Table 5: Permission Bits for Login Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Chapter 4 USB Modems for Remote Management Setup . . . . . . . . . . . . . . . . . . . . . . . . 19
Table 6: Default Modem Initialization Commands . . . . . . . . . . . . . . . . . . . . . . . . . 21
Table 7: Configuring Branch Office and Head Office Routers for USB Modem
Backup Connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Table 8: Incoming Map Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Chapter 6 DHCP for IP Address Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Table 9: Sample DHCP Configuration Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Chapter 10 Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Table 10: Summary of License Management Fields . . . . . . . . . . . . . . . . . . . . . . . . 46
Table 11: Junos OS Feature Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Part 2 Configuration
Chapter 14 DHCPv6 Local Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Table 12: DHCPv6 Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

Part 3 Administration
Chapter 20 Telnet and SSH Device Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Table 13: CLI telnet Command Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Table 14: CLI ssh Command Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Chapter 22 File Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Table 15: request system set-encryption-key Commands . . . . . . . . . . . . . . . . . . 308
Chapter 24 Operational Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Table 16: Sample show Commands Called by the request information support
command on an MX Series Router . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
Table 17: show chassis routing-engine Output Fields . . . . . . . . . . . . . . . . . . . . . . 390

Table 18: show dhcp client binding Output Fields . . . . . . . . . . . . . . . . . . . . . . . . 393
Table 19: show dhcpv6 client binding Output Fields . . . . . . . . . . . . . . . . . . . . . . 396
Table 20: show dhcp client statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
Table 21: show dhcpv6 client statistics Output Fields . . . . . . . . . . . . . . . . . . . . . 400
Table 22: show dhcp relay binding Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . 402
Table 23: show dhcp relay statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
Table 24: show dhcp server binding Output Fields . . . . . . . . . . . . . . . . . . . . . . . 406
Table 25: show dhcp server statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
Table 26: show dhcpv6 server binding Output Fields . . . . . . . . . . . . . . . . . . . . . . 410
Table 27: show dhcpv6 server statistics Output Fields . . . . . . . . . . . . . . . . . . . . . 415
Table 28: show firewall Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417
Table 29: show system autorecovery state Output Fields . . . . . . . . . . . . . . . . . . 419
Table 30: show system directory-usage Output Fields . . . . . . . . . . . . . . . . . . . . . 421
Table 31: show system download Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 423
Table 32: show system license Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
Table 33: show system login lockout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428
Table 34: show system services dhcp client Output Fields . . . . . . . . . . . . . . . . . 429
Table 35: show system services dhcp relay-statistics Output Fields . . . . . . . . . . 432
Table 36: show system storage Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 435

About the Documentation

• Documentation and Release Notes on page xiii
• Supported Platforms on page xiii
• Using the Examples in This Manual on page xiii
• Documentation Conventions on page xv
• Documentation Feedback on page xvii
• Requesting Technical Support on page xvii

Documentation and Release Notes


To obtain the most current version of all Juniper Networks® technical documentation,
see the product documentation page on the Juniper Networks website at
http://www.juniper.net/techpubs/.

If the information in the latest release notes differs from the information in the
documentation, follow the product Release Notes.

Juniper Networks Books publishes books by Juniper Networks engineers and subject
matter experts. These books go beyond the technical documentation to explore the
nuances of network architecture, deployment, and administration. The current list can
be viewed at http://www.juniper.net/books.

Supported Platforms

For the features described in this document, the following platforms are supported:

• J Series

• SRX Series

• LN Series

Using the Examples in This Manual

If you want to use the examples in this manual, you can use the load merge or the load
merge relative command. These commands cause the software to merge the incoming
configuration into the current candidate configuration. The example does not become
active until you commit the candidate configuration.

If the example configuration contains the top level of the hierarchy (or multiple
hierarchies), the example is a full example. In this case, use the load merge command.

If the example configuration does not start at the top level of the hierarchy, the example
is a snippet. In this case, use the load merge relative command. These procedures are
described in the following sections.

Merging a Full Example

To merge a full example, follow these steps:

1. From the HTML or PDF version of the manual, copy a configuration example into a
text file, save the file with a name, and copy the file to a directory on your routing
platform.

For example, copy the following configuration to a file and name the file ex-script.conf.
Copy the ex-script.conf file to the /var/tmp directory on your routing platform.

system {
    scripts {
        commit {
            file ex-script.xsl;
        }
    }
}
interfaces {
    fxp0 {
        disable;
        unit 0 {
            family inet {
                address 10.0.0.1/24;
            }
        }
    }
}

2. Merge the contents of the file into your routing platform configuration by issuing the
load merge configuration mode command:

[edit]
user@host# load merge /var/tmp/ex-script.conf
load complete

Merging a Snippet
To merge a snippet, follow these steps:

1. From the HTML or PDF version of the manual, copy a configuration snippet into a text
file, save the file with a name, and copy the file to a directory on your routing platform.

For example, copy the following snippet to a file and name the file
ex-script-snippet.conf. Copy the ex-script-snippet.conf file to the /var/tmp directory
on your routing platform.

commit {
    file ex-script-snippet.xsl;
}

2. Move to the hierarchy level that is relevant for this snippet by issuing the following
configuration mode command:

[edit]
user@host# edit system scripts
[edit system scripts]

3. Merge the contents of the file into your routing platform configuration by issuing the
load merge relative configuration mode command:

[edit system scripts]
user@host# load merge relative /var/tmp/ex-script-snippet.conf
load complete

For more information about the load command, see the CLI User Guide.
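To make the full-example versus snippet distinction concrete, here is an added Python model of the two merge operations; it is not code from the manual or from Junos OS. It parses the brace syntax shown above, applies load merge semantics (hierarchies combine, statements are added to the candidate) and load merge relative at the [edit system scripts] level. The pre-existing candidate configuration, the host name in it, and the TOP_LEVEL set are constructed assumptions of this example.

```python
import copy
import re

# Nested dicts: a hierarchy maps to a subtree, a leaf statement maps to None.
ConfigTree = dict

# Constructed candidate configuration already on the device (assumption, not from the manual).
CANDIDATE = """
system {
    host-name srx-lab;
    scripts { commit { allow-transients; } }
}
interfaces {
    fxp0 { unit 0 { family inet { address 192.0.2.1/24; } } }
}
"""

# ex-script.conf (full example) and ex-script-snippet.conf (snippet) as given in the manual.
FULL_EXAMPLE = """
system { scripts { commit { file ex-script.xsl; } } }
interfaces { fxp0 { disable; unit 0 { family inet { address 10.0.0.1/24; } } } }
"""
SNIPPET = "commit { file ex-script-snippet.xsl; }"

# Top-level hierarchies a full example can start with (subset; an assumption of this example).
TOP_LEVEL = {"system", "interfaces", "security", "routing-options", "protocols",
             "firewall", "policy-options", "chassis", "snmp"}

_TOKEN = re.compile(r"[{};]|[^\s{};]+")


def parse(text: str) -> ConfigTree:
    """Parse Junos curly-brace syntax into nested dicts; leaf statements map to None."""
    text = re.sub(r"#.*", "", text)  # drop same-line comments (Table 2, '#')
    root: ConfigTree = {}
    stack = [root]
    words: list = []
    for tok in _TOKEN.findall(text):
        if tok in ("{", ";"):
            if not words:
                raise ValueError(f"statement missing before '{tok}'")
            key, words = " ".join(words), []
            if tok == ";":
                stack[-1][key] = None
                continue
            child = stack[-1].get(key)
            if not isinstance(child, dict):  # open (or reopen) the hierarchy
                child = {}
                stack[-1][key] = child
            stack.append(child)
        elif tok == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        else:
            words.append(tok)
    if len(stack) != 1 or words:
        raise ValueError("unbalanced braces or statement missing ';'")
    return root


def merge(target: ConfigTree, incoming: ConfigTree) -> ConfigTree:
    """'load merge': hierarchies combine, statements from the file are added to the candidate.
    Toy simplification: a single-valued statement such as host-name is kept side by side
    with a differing value instead of being replaced, as real Junos would do."""
    for key, value in incoming.items():
        if isinstance(value, dict) and isinstance(target.get(key), dict):
            merge(target[key], value)
        else:
            target[key] = copy.deepcopy(value)
    return target


def merge_relative(target: ConfigTree, path: list, incoming: ConfigTree) -> ConfigTree:
    """'load merge relative': merge beneath the hierarchy level the user has edited into."""
    node = target
    for level in path:
        child = node.get(level)
        if not isinstance(child, dict):
            child = {}
            node[level] = child
        node = child
    merge(node, incoming)
    return target


def classify(text: str) -> str:
    """The manual's rule: a file whose statements all start at a top-level hierarchy is a
    'full' example (load merge); anything else is a 'snippet' (load merge relative)."""
    tops = list(parse(text))
    if tops and all(key.split()[0] in TOP_LEVEL for key in tops):
        return "full"
    return "snippet"


def render(tree: ConfigTree, indent: int = 0) -> str:
    """Serialize back to the indented brace syntax shown in the manual."""
    pad, lines = "    " * indent, []
    for key, value in tree.items():
        if value is None:
            lines.append(f"{pad}{key};")
        else:
            lines.append(f"{pad}{key} {{")
            lines.append(render(value, indent + 1))
            lines.append(f"{pad}}}")
    return "\n".join(lines)


if __name__ == "__main__":
    cand = parse(CANDIDATE)
    print("ex-script.conf:", classify(FULL_EXAMPLE))          # full -> load merge
    merge(cand, parse(FULL_EXAMPLE))
    print("ex-script-snippet.conf:", classify(SNIPPET))       # snippet -> load merge relative
    merge_relative(cand, ["system", "scripts"], parse(SNIPPET))  # after: edit system scripts
    print(render(cand))
```

Nothing here reaches the device; as in the manual, the merged result is only a candidate until it is committed.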

Documentation Conventions

Table 1 on page xv defines notice icons used in this guide.

Table 1: Notice Icons

Meaning              Description
Informational note   Indicates important features or instructions.
Caution              Indicates a situation that might result in loss of data or hardware damage.
Warning              Alerts you to the risk of personal injury or death.
Laser warning        Alerts you to the risk of personal injury from a laser.
Tip                  Indicates helpful information.
Best practice        Alerts you to a recommended use or implementation.

Table 2 on page xvi defines the text and syntax conventions used in this guide.

Table 2: Text and Syntax Conventions

Convention: Bold text like this
Description: Represents text that you type.
Examples: To enter configuration mode, type the configure command:
    user@host> configure

Convention: Fixed-width text like this
Description: Represents output that appears on the terminal screen.
Examples:
    user@host> show chassis alarms
    No alarms currently active

Convention: Italic text like this
Description: Introduces or emphasizes important new terms; identifies guide names; identifies RFC and Internet draft titles.
Examples:
    • A policy term is a named structure that defines match conditions and actions.
    • Junos OS CLI User Guide
    • RFC 1997, BGP Communities Attribute

Convention: Italic text like this
Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
Examples: Configure the machine’s domain name:
    [edit]
    root@# set system domain-name domain-name

Convention: Text like this
Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
Examples:
    • To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
    • The console port is labeled CONSOLE.

Convention: < > (angle brackets)
Description: Encloses optional keywords or variables.
Examples: stub <default-metric metric>;

Convention: | (pipe symbol)
Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
Examples:
    broadcast | multicast
    (string1 | string2 | string3)

Convention: # (pound sign)
Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
Examples: rsvp { # Required for dynamic MPLS only

Convention: [ ] (square brackets)
Description: Encloses a variable for which you can substitute one or more values.
Examples: community name members [ community-ids ]

Convention: Indention and braces ( { } )
Description: Identifies a level in the configuration hierarchy.

Convention: ; (semicolon)
Description: Identifies a leaf statement at a configuration hierarchy level.

Examples (for both of the above):
    [edit]
    routing-options {
        static {
            route default {
                nexthop address;
                retain;
            }
        }
    }

GUI Conventions

Convention: Bold text like this
Description: Represents graphical user interface (GUI) items you click or select.
Examples:
    • In the Logical Interfaces box, select All Interfaces.
    • To cancel the configuration, click Cancel.

Convention: > (bold right angle bracket)
Description: Separates levels in a hierarchy of menu selections.
Examples: In the configuration editor hierarchy, select Protocols>Ospf.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. You can provide feedback by using either of the following
methods:

• Online feedback rating system—On any page of the Juniper Networks TechLibrary site
at http://www.juniper.net/techpubs/index.html, simply click the stars to rate the content,
and use the pop-up form to provide us with information about your experience.
Alternately, you can use the online feedback form at
http://www.juniper.net/techpubs/feedback/.

• E-mail—Send your comments to [email protected]. Include the document
or topic name, URL or page number, and software version (if applicable).

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance
Center (JTAC). If you are a customer with an active J-Care or Partner Support Service
support contract, or are covered under warranty, and need post-sales technical support,
you can access our tools and resources online or open a case with JTAC.

• JTAC policies—For a complete understanding of our JTAC procedures and policies,
review the JTAC User Guide located at
http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.

• Product warranties—For product warranty information, visit
http://www.juniper.net/support/warranty/.

• JTAC hours of operation—The JTAC centers have resources available 24 hours a day,
7 days a week, 365 days a year.

Self-Help Online Tools and Resources


For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you with the
following features:

• Find CSC offerings: http://www.juniper.net/customers/support/

• Search for known bugs: http://www2.juniper.net/kb/

• Find product documentation: http://www.juniper.net/techpubs/

• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

• Download the latest versions of software and review release notes:
http://www.juniper.net/customers/csc/software/

• Search technical bulletins for relevant hardware and software notifications:
http://kb.juniper.net/InfoCenter/

• Join and participate in the Juniper Networks Community Forum:
http://www.juniper.net/company/communities/

• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement
(SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.

• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, see
http://www.juniper.net/support/requesting-support.html.

PART 1

Overview
• Secure Web Access on page 3
• J-Web User Interface on page 5
• User Authentication and Access on page 13
• USB Modems for Remote Management Setup on page 19
• Telnet and SSH Device Control on page 25
• DHCP for IP Address Device on page 29
• DHCPv6 Client on page 39
• DHCPv6 Local Server on page 41
• File Management on page 43
• Licenses on page 45

CHAPTER 1

Secure Web Access

• Secure Web Access Overview on page 3

Secure Web Access Overview

Supported Platforms J Series, LN Series, SRX Series

You can manage a Juniper Networks device remotely through the J-Web interface. To
communicate with the device, the J-Web interface uses the Hypertext Transfer Protocol
(HTTP). HTTP allows easy Web access but no encryption. The data that is transmitted
between the Web browser and the device by means of HTTP is vulnerable to interception
and attack. To enable secure Web access, the Juniper Networks devices support HTTP
over Secure Sockets Layer (HTTPS). You can enable HTTP or HTTPS access on specific
interfaces and ports as needed.

The Juniper Networks device uses the Secure Sockets Layer (SSL) protocol to provide
secure device management through the Web interface. SSL uses public-private key
technology that requires a paired private key and an authentication certificate for providing
the SSL service. SSL encrypts communication between your device and the Web browser
with a session key negotiated by the SSL server certificate.

An SSL certificate includes identifying information such as a public key and a signature
made by a certificate authority (CA). When you access the device through HTTPS, an
SSL handshake authenticates the server and the client and begins a secure session. If
the information does not match or the certificate has expired, you cannot access the
device through HTTPS.

Without SSL encryption, communication between your device and the browser is sent
in the open and can be intercepted. We recommend that you enable HTTPS access on
your WAN interfaces.

HTTP access is enabled by default on the built-in management interfaces. By default,
HTTPS access is supported on any interface with an SSL server certificate.
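The recommendations above (keep plaintext HTTP off WAN interfaces, and back HTTPS with a server certificate) can be checked against a device's web-management configuration. The following is an added Python audit, not code from the manual or from Junos OS; the set-style lines are constructed sample output, fxp0 is assumed to be the built-in management interface, and the statement names under system services web-management are the standard Junos ones as far as this example assumes them.

```python
from typing import List, Tuple

# Constructed sample of 'show configuration system services web-management | display set'
# (example data, not from the manual): plaintext HTTP is reachable on a WAN interface.
WEAK = """\
set system services web-management http interface fxp0.0
set system services web-management http interface ge-0/0/0.0
set system services web-management https system-generated-certificate
"""

# Hardened counterpart: HTTP stays on the management interface only, the WAN
# interface is served over HTTPS, and HTTPS has a configured server certificate.
HARDENED = """\
set system services web-management http interface fxp0.0
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/0.0
"""

PREFIX = "set system services web-management "
MGMT_INTERFACES = {"fxp0"}  # built-in management interface (assumption for this example)
CERT_SOURCES = {"system-generated-certificate", "local-certificate", "pki-local-certificate"}


def parse_web_management(config: str) -> dict:
    """Collect per-protocol interface lists and the HTTPS certificate source from set lines."""
    state = {"http": set(), "https": set(), "http_on": False, "https_on": False, "cert": None}
    for raw in config.splitlines():
        line = raw.strip()
        if not line.startswith(PREFIX):
            continue  # unrelated statement
        words = line[len(PREFIX):].split()
        if not words or words[0] not in ("http", "https"):
            continue  # e.g. session or management-url settings are not audited here
        proto = words[0]
        state[proto + "_on"] = True
        if len(words) >= 3 and words[1] == "interface":
            state[proto].add(words[2])
        elif proto == "https" and len(words) >= 2 and words[1] in CERT_SOURCES:
            state["cert"] = words[1]
    return state


def audit(config: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; an empty list means the config matches the guidance."""
    s = parse_web_management(config)
    findings: List[Tuple[str, str]] = []
    if s["http_on"] and not s["http"]:
        findings.append(("warn", "http enabled without an interface restriction"))
    for ifc in sorted(s["http"]):
        if ifc.split(".")[0] not in MGMT_INTERFACES:
            findings.append(("warn", f"plaintext http enabled on non-management interface {ifc}"))
    if s["https_on"] and s["cert"] is None:
        findings.append(("error", "https enabled but no server certificate is configured"))
    if not s["https_on"]:
        findings.append(("info", "https not enabled; J-Web traffic to this device is unencrypted"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(cfg) or "no findings")
```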

Related Documentation

• Generating an SSL Certificate Using the openssl Command on page 255

• Generating a Self-Signed SSL Certificate on page 256

• Configuring Device Addresses on page 257

• Example: Configuring Secure Web Access on page 258

• Administration Guide for Security Devices

CHAPTER 2

J-Web User Interface

• Understanding the User Interfaces on page 5
• Starting the J-Web User Interface on page 7
• Understanding the J-Web Interface Layout on page 8
• J-Web Commit Options Guidelines on page 10
• Getting Help in the J-Web User Interface on page 11
• Establishing J-Web Sessions on page 12

Understanding the User Interfaces

Supported Platforms J Series, LN Series, SRX Series

You can use two user interfaces to configure, monitor, manage, and troubleshoot your
device—the J-Web user interface and the command-line interface (CLI) for Junos OS.

NOTE: Other user interfaces facilitate the configuration of one or, in some
cases, many devices on the network through a common API. Among the
supported interfaces are the Junos Scope and Session and Resource Control
(SRC) applications.

You can operate the device either in secure or router context. With the J-Web user interface
and the CLI, you configure the routing protocols that run on the device and the device
security features, including stateful firewall policies, Network Address Translation (NAT)
attack prevention screens, Application Layer Gateways (ALGs), and IPsec VPNs. You
also set the properties of its network interfaces. After activating a software configuration,
you can use either user interface to monitor the system and the protocol traffic passing
through the device, manage operations, and diagnose protocol and network connectivity
problems.

This section contains the following topics:

• J-Web User Interface on page 6

• CLI on page 6

J-Web User Interface

The J-Web user interface allows you to monitor, configure, troubleshoot, and manage
your device by means of a Web browser enabled with Hypertext Transfer Protocol (HTTP)
or HTTP over Secure Sockets Layer (HTTPS). J-Web provides access to all the
configuration statements supported by the device, so you can fully configure it without
using the CLI editor.

You can perform the following tasks with the J-Web user interface:

• Dashboard (SRX Series devices only)—Views high-level details of Chassis View, system
identification, resource utilization, security resources, system alarms, file usage, login
sessions, chassis status, threats activity, and storage usage.

• Configuring—View the current configurations at a glance, configure the device, and
manage configuration files. The J-Web user interface provides the following
configuration methods:

• Edit a graphical version of the Junos OS CLI configuration statements and hierarchy.

• Edit the configuration in a text file.

• Upload a configuration file.

• Use wizards to configure basic setup, firewall, VPN, and NAT settings on SRX100,
SRX210, SRX220, SRX240, and SRX650 devices.

The J-Web user interface also allows you to manage configuration history and set a
rescue configuration.

• Monitoring—Display the current configuration and information about the system,
interfaces, chassis, routing protocols, routing tables, routing policy filters, and other
features.

• Managing—Manage log, temporary, and core (crash) files and schedule reboots on
your devices. You can also manage software packages and licenses, and copy a
snapshot of the system software to a backup device.

• Diagnosing—Diagnose routing problems by running the ping or traceroute diagnostic
tool. The diagnostic tools also allow you to capture and analyze control traffic on the
devices.

• Configuring and monitoring events—Filter and view system log messages that record
events occurring on the device. You can configure files to log system log messages
and also assign attributes, such as severity levels, to messages.

• Configuring and monitoring alarms—Monitor and diagnose the device by monitoring
active alarms that alert you to the conditions on a network interface. You can also set
the conditions that trigger alarms on an interface.

CLI
The CLI is a straightforward command-line interface in which you type commands on a
line and press Enter to execute them. The CLI provides command Help, command
completion, and Emacs-style keyboard sequences for moving around on the command
line and scrolling through a buffer of recently executed commands.

The CLI has two modes:

• Operational mode—Complete set of commands to control the CLI environment, monitor
and troubleshoot network connectivity, manage the device, and enter configuration
mode.

• Configuration mode—Complete set of commands to configure the device. This topic
refers to configuration mode as the CLI configuration editor.

Related Documentation

• Starting the J-Web User Interface on page 7

• Understanding the J-Web Interface Layout on page 8

• Getting Help in the J-Web User Interface on page 11

• CLI User Guide

• Administration Guide for Security Devices

Starting the J-Web User Interface

Supported Platforms J Series, LN Series, SRX Series

Before you start the user interface, you must perform the initial device configuration
described in the Getting Started Guide for your device. After the initial configuration, you
use your username and password, and the hostname or IP address of the device, to start
the user interface.

Table 3 on page 7 shows the maximum number of concurrent Web sessions on SRX100,
SRX210, SRX220, SRX240, and SRX650 devices.

Table 3: Concurrent Web Sessions on SRX Series Devices

Device    Maximum Concurrent Web Sessions
SRX100    3
SRX210    3
SRX220    3
SRX240    5
SRX650    5

To start the J-Web user interface:

1. Launch your HTTP-enabled or HTTPS-enabled Web browser.

To use HTTPS, you must have installed the certificate provided by the device.

NOTE: If the device is running the worldwide version of the Junos OS and
you are using the Microsoft Internet Explorer Web browser, you must
disable the Use SSL 3.0 option in the Web browser to access the device.

2. Type http:// or https:// in your Web browser followed by the hostname or IP address
of the device, and press Enter.


The J-Web login page appears.

3. Type your username and password, and click Log In.

To correct or change the username or password you typed, click Reset, type the new
entry or entries, and click Log In.

NOTE: The default username is root with no password. You must change
this during initial configuration or the system does not accept the
configuration.

To explicitly terminate a J-Web session at any time, click Logout in the top pane.

Related Documentation

• Understanding the User Interfaces on page 5

• Understanding the J-Web Interface Layout on page 8

• J-Web Commit Options Guidelines on page 10

• Getting Help in the J-Web User Interface on page 11

• Establishing J-Web Sessions on page 12

• Administration Guide for Security Devices

Understanding the J-Web Interface Layout

Supported Platforms J Series, LN Series, SRX Series

The top pane of the J-Web user interface comprises the following elements:

• hostname–model—The hostname and model of the device are displayed in the
upper-left corner.

• Logged in as: username—The username you used to log in to the device is displayed in
the upper-left corner.

• Chassis—The chassis view of the device.

• Commit Options—A set of global options that allow you to commit multiple changes
at the same time.

• Commit—Commits the candidate configuration of the current user session, along
with changes from other user sessions.

• Compare—Displays the XML log of pending uncommitted configurations on the
device.


• Discard—Discards the candidate configuration of the current user session, along
with changes from other user sessions.

• Preference—Indicates your choice of committing all global configurations together
or committing each configuration change immediately. The two behavior modes to
which you can set your commit options are:

• Validate and commit configuration changes—Sets the system to force an
immediate commit on every screen after every configuration change.

• Validate configuration changes—Loads all the configuration changes for an
accumulated single commit. If there are errors in loading the configuration, the
errors are logged. This is the default mode.

• Help—Links to information on Help and the J-Web user interface.

• Help Contents—Displays context-sensitive Help topics.

• About—Displays information about the J-Web user interface, such as the version
number.

• Logout—The Logout link, which ends your current login session and returns you to the
login page, is available in the upper-right corner.

• Taskbar—A menu of J-Web tasks is displayed as tabs across the top of the J-Web user
interface. Select a tab to access a task.

• Dashboard—Displays current activity on the system.

• Configure—Configures the device and views configuration history.

• Monitor—Displays information about configuration and hardware on the device.

• Maintain—Manages files and licenses, upgrades software, and reboots the device.

• Troubleshoot—Troubleshoots network connectivity problems.

The main pane of the J-Web user interface includes the following elements to help you
configure the device:

• Red asterisk (*)—Appears next to all required fields.

• Help (?) icon—Displays useful information when you move the cursor over the question
mark. This Help displays field-specific information, such as the definition, format, and
valid range of the field.

The left pane of the J-Web user interface displays subtasks related to the selected task
in the J-Web taskbar.

Related Documentation

• Understanding the User Interfaces on page 5

• Starting the J-Web User Interface on page 7

• J-Web Commit Options Guidelines on page 10

• Getting Help in the J-Web User Interface on page 11


• Establishing J-Web Sessions on page 12

• Administration Guide for Security Devices

J-Web Commit Options Guidelines

Supported Platforms J Series, LN Series, SRX Series

Using the J-Web Commit Preference, you can configure the commit options either to
commit all global configurations together or to commit each configuration change
immediately. Do one of the following to commit a configuration:

• Set Commit Preference to Validate and commit configuration changes, and then click
OK.

• Set Commit Preference to Validate configuration changes, click OK to check your
configuration and save it as a candidate configuration, and then click Commit
Options>Commit.

For example, suppose you want to delete a firewall and add a new one.

• If Commit Preference is set to Validate and commit configuration changes, then you
would need to commit your changes twice for each action.

• If Commit Preference is set to Validate configuration changes, then you work in a copy
of the current configuration to create a candidate configuration. The changes you make
to the candidate configuration are visible through the user interface immediately,
allowing other users to edit those configurations, but the changes do not take effect
on the device platform until you commit them. When you commit the configuration,
the candidate file is checked for proper syntax, activated, and marked as the current,
operational software configuration file. If multiple users are editing the configuration
when you commit the candidate configuration, changes made by all the users take
effect.

You use the single commit feature to commit all your configurations in J-Web
simultaneously. This helps to reduce the time J-Web takes to commit configurations
because when changes are committed at every step, rollback configurations pile up
quickly.

NOTE: If you end a session with a particular Commit Preference, the
subsequent sessions for that particular browser will automatically come up
with the preference you previously selected. If you start the subsequent
session on a different browser, the session will come up with the default
commit preference.


NOTE: There are some pages whose configurations would need to be
committed immediately. For such pages, even if you configure the commit
options to perform a single global commit for them, the system displays
appropriate information notification windows to remind you to commit your
changes immediately. Examples of such pages are Switching, Interfaces, and
Class of Service.

Related Documentation

• Understanding the User Interfaces on page 5

• Starting the J-Web User Interface on page 7

• Understanding the J-Web Interface Layout on page 8

• Getting Help in the J-Web User Interface on page 11

• Establishing J-Web Sessions on page 12

• Administration Guide for Security Devices

Getting Help in the J-Web User Interface

Supported Platforms J Series, LN Series, SRX Series

To get Help in the J-Web user interface, use the following methods:

• Field-sensitive Help—Move the cursor over the question mark (?) next to the field for
which you want more information. Typically, this Help includes one line of information
about what this field does or what you must enter in a given text box. For example,
Help for the Peer Autonomous System Number text box states, “The value should be
a number between 1 and 65535.”

• Context-sensitive Help—Click Help in the taskbar to open a separate page displaying
the summary of all the fields on that page. To exit Help, close the page. You can navigate
Help pages using hypertext links connecting related topics, or click the following options
(if available) at the top and bottom of each page.

• Prev—Access the previous page.

• Next—Access the next page.

• Report an Error—Access a form for providing feedback.

• Wizard Help (SRX100, SRX210, SRX220, SRX240, and SRX650)—Use the Firewall
Policy, VPN, and NAT wizards to perform basic configurations. Click a field in a wizard
page to display information about that field in the lower left corner of the wizard page.

Related Documentation

• Understanding the User Interfaces on page 5

• Starting the J-Web User Interface on page 7

• Understanding the J-Web Interface Layout on page 8

• J-Web Commit Options Guidelines on page 10


• Establishing J-Web Sessions on page 12

• Administration Guide for Security Devices

Establishing J-Web Sessions

Supported Platforms J Series, LN Series, SRX Series

You establish a J-Web session through an HTTP-enabled or HTTPS-enabled Web browser.

The HTTPS protocol, which uses 128-bit encryption, is available only in domestic versions
of the Junos OS. To use HTTPS, you must have installed the certificate provided by the
device.

When you attempt to log in through the J-Web interface, the system authenticates your
username with the same methods used for Telnet and SSH.

The device can support multiple J-Web sessions for a single user who logs in to each
session. However, if a single user attempts to launch multiple J-Web windows—for
example, by right-clicking a link to launch another instance of a Web browser—the session
can have unpredictable results.

If the device does not detect any activity through the J-Web user interface for 15 minutes,
the session times out and is terminated. You must log in again to begin a new session.

To explicitly terminate a J-Web session at any time, click Logout in the top pane.

Related Documentation

• Understanding the User Interfaces on page 5

• Starting the J-Web User Interface on page 7

• Understanding the J-Web Interface Layout on page 8

• J-Web Commit Options Guidelines on page 10

• Getting Help in the J-Web User Interface on page 11

• Administration Guide for Security Devices

CHAPTER 3

User Authentication and Access

• Understanding User Authentication Methods on page 13
• Understanding User Accounts on page 13
• Understanding Login Classes on page 14
• Understanding Template Accounts on page 17

Understanding User Authentication Methods

Supported Platforms J Series, LN Series, SRX Series

Junos OS supports three methods of user authentication: local password authentication,
Remote Authentication Dial-In User Service (RADIUS), and Terminal Access Controller
Access Control System Plus (TACACS+).

With local password authentication, you configure a password for each user allowed to
log into the device.

RADIUS and TACACS+ are authentication methods for validating users who attempt to
access the device using Telnet. Both are distributed client/server systems—the RADIUS
and TACACS+ clients run on the device, and the server runs on a remote network system.

You can configure the device to use RADIUS or TACACS+ authentication, or both, to
validate users who attempt to access the device. If you set up both authentication
methods, you also can configure which method the device will try first.

Related Documentation

• Understanding User Accounts on page 13

• Understanding Login Classes on page 14

• Understanding Template Accounts on page 17

• Administration Guide for Security Devices

Understanding User Accounts

Supported Platforms J Series, LN Series, SRX Series

User accounts provide one way for users to access the device. Users can access the
device without accounts if you configured RADIUS or TACACS+ servers. After you have
created an account, the device creates a home directory for the user. An account for the
user root is always present in the configuration. For each user account, you can define
the following:

• Username—Name that identifies the user. It must be unique within the device. Do not
include spaces, colons, or commas in the username.

• User's full name—If the full name contains spaces, enclose it in quotation marks (“ ”).
Do not include colons or commas.

• User identifier (UID)—Numeric identifier that is associated with the user account name.
The identifier ranges from 100 through 64,000 and must be unique within the device.
If you do not assign a UID to a username, the software assigns one when you commit
the configuration, preferring the lowest available number.

• User's access privilege—You can create login classes with specific permission bits or
use one of the predefined classes.

• Authentication method or methods and passwords that the user can use to access
the device—You can use SSH or an MD5 password, or you can enter a plain-text
password that Junos OS encrypts using MD5-style encryption before entering it in the
password database. If you configure the plain-text-password option, you are prompted
to enter and confirm the password.

Related Documentation

• Understanding User Authentication Methods on page 13

• Example: Configuring a RADIUS Server for System Authentication on page 263

• Example: Configuring a TACACS+ Server for System Authentication on page 266

• Example: Configuring Authentication Order on page 268

• Administration Guide for Security Devices

Understanding Login Classes

Supported Platforms J Series, LN Series, SRX Series

All users who log into the device must be in a login class. You can define any number of
login classes. You then apply one login class to an individual user account. With login
classes, you define the following:

• Access privileges users have when they are logged into the device.

• Commands and statements that users can and cannot specify.

• How long a login session can be idle before it times out and the user is logged off.

Table 4 on page 15 contains a few predefined login classes. The predefined login classes
cannot be modified.


Table 4: Predefined Login Classes

Login Class                 Permission Bits Set
operator                    clear, network, reset, trace, view
read-only                   view
super-user and superuser    all
unauthorized                None

This section contains the following topics:

• Permission Bits on page 15
• Denying or Allowing Individual Commands on page 17

Permission Bits
Each top-level command-line interface (CLI) command and each configuration statement
has an access privilege level associated with it. Users can execute only those commands
and configure and view only those statements for which they have access privileges. The
access privileges for each login class are defined by one or more permission bits (see
Table 5 on page 15).

Two forms for the permissions control the individual parts of the configuration:

• "Plain" form—Provides read-only capability for that permission type. An example is
interface.

• Form that ends in -control—Provides read and write capability for that permission type.
An example is interface-control.

Table 5: Permission Bits for Login Classes

Permission Bit Access

admin Can view user account information in configuration mode and with the show configuration
command.

admin-control Can view user accounts and configure them (at the [edit system login] hierarchy level).

access Can view the access configuration in configuration mode and with the show configuration
operational mode command.

access-control Can view and configure access information (at the [edit access] hierarchy level).

all Has all permissions.

clear Can clear (delete) information learned from the network that is stored in various network
databases (using the clear commands).


configure Can enter configuration mode (using the configure command) and commit configurations
(using the commit command).

control Can perform all control-level operations (all operations configured with the -control
permission bits).

field Reserved for field (debugging) support.

firewall Can view the firewall filter configuration in configuration mode.

firewall-control Can view and configure firewall filter information (at the [edit firewall] hierarchy level).

floppy Can read from and write to the removable media.

interface Can view the interface configuration in configuration mode and with the show configuration
operational mode command.

interface-control Can view chassis, class of service, groups, forwarding options, and interfaces configuration
information. Can configure chassis, class of service, groups, forwarding options, and
interfaces (at the [edit] hierarchy).

maintenance Can perform system maintenance, including starting a local shell on the device and
becoming the superuser in the shell (by issuing the su root command), and can halt and
reboot the device (using the request system commands).

network Can access the network by entering the ping, ssh, telnet, and traceroute commands.

reset Can restart software processes using the restart command and can configure whether
software processes are enabled or disabled (at the [edit system processes] hierarchy
level).

rollback Can use the rollback command to return to a previously committed configuration other
than the most recently committed one.

routing Can view general routing, routing protocol, and routing policy configuration information
in configuration and operational modes.

routing-control Can view general routing, routing protocol, and routing policy configuration information
and configure general routing (at the [edit routing-options] hierarchy level), routing
protocols (at the [edit protocols] hierarchy level), and routing policy (at the [edit
policy-options] hierarchy level).

secret Can view passwords and other authentication keys in the configuration.

secret-control Can view passwords and other authentication keys in the configuration and can modify
them in configuration mode.

security Can view security configuration in configuration mode and with the show configuration
operational mode command.


security-control Can view and configure security information (at the [edit security] hierarchy level).

shell Can start a local shell on the device by entering the start shell command.

snmp Can view SNMP configuration information in configuration and operational modes.

snmp-control Can view SNMP configuration information and configure SNMP (at the [edit snmp]
hierarchy level).

system Can view system-level information in configuration and operational modes.

system-control Can view system-level configuration information and configure it (at the [edit system]
hierarchy level).

trace Can view trace file settings in configuration and operational modes.

trace-control Can view trace file settings and configure trace file properties.

view Can use various commands to display current system-wide, routing table, and
protocol-specific values and statistics.

Denying or Allowing Individual Commands

By default, all top-level CLI commands have associated access privilege levels. Users
can execute only those commands and view only those statements for which they have
access privileges. For each login class, you can explicitly deny or allow the use of
operational and configuration mode commands that are otherwise permitted or not
allowed by a permission bit.

Related Documentation

• Understanding User Authentication Methods on page 13

• Understanding User Accounts on page 13

• Understanding Template Accounts on page 17

• Example: Configuring New Users on page 270

• Administration Guide for Security Devices

Understanding Template Accounts

Supported Platforms J Series, LN Series, SRX Series

You use local user template accounts when you need different types of templates. Each
template can define a different set of permissions appropriate for the group of users who
use that template. These templates are defined locally on the device and referenced by
the TACACS+ and RADIUS authentication servers.


When you configure local user templates and a user logs in, Junos OS issues a request
to the authentication server to authenticate the user's login name. If a user is
authenticated, the server returns the local username to the device, which then determines
whether a local username is specified for that login name (local-username for TACACS+,
Juniper-Local-User for RADIUS). If so, the device selects the appropriate local user
template locally configured on the device. If a local user template does not exist for the
authenticated user, the device defaults to the remote template.
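The pieces described in this chapter (authentication order, RADIUS and TACACS+ servers, a custom login class built from permission bits with a denied command, a local account, and the template accounts that remote servers map users to) combined in one Junos configuration, added here as an illustration and not taken from this guide or its examples. The server addresses are constructed from the 192.0.2.0/24 documentation range, the class and user names are invented, and every secret and password hash is an obvious placeholder.

```junos
system {
    /* Try RADIUS first, then TACACS+, then the local password database. */
    authentication-order [ radius tacplus password ];
    radius-server {
        /* Constructed address; the secret is a placeholder, not a real value. */
        192.0.2.10 {
            secret "RADIUS-SHARED-SECRET-PLACEHOLDER";
        }
    }
    tacplus-server {
        192.0.2.11 {
            secret "TACACS-SHARED-SECRET-PLACEHOLDER";
        }
    }
    login {
        /* Custom class made only of plain-form (read-only) permission bits:
           view, network and trace, with no -control bits, so the class cannot
           change the configuration. The network bit allows telnet (Table 5);
           deny-commands removes it while ping, ssh and traceroute remain. */
        class netops {
            permissions [ view network trace ];
            deny-commands "^telnet";
            idle-timeout 15;
        }
        /* Local account in the custom class. The UID lies in the 100-64000
           range and is unique; the password hash is a placeholder. */
        user alice {
            full-name "Alice Example";
            uid 2001;
            class netops;
            authentication {
                encrypted-password "ENCRYPTED-PASSWORD-PLACEHOLDER";
            }
        }
        /* Template account: selected when the TACACS+ server returns the
           local-username netops-template (RADIUS: Juniper-Local-User) for an
           authenticated user. Templates carry no password of their own. */
        user netops-template {
            uid 2100;
            class netops;
        }
        /* Fallback template for authenticated remote users that have no
           template mapping of their own. */
        user remote {
            uid 2101;
            class read-only;
        }
    }
}
```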

Related Documentation

• Understanding User Authentication Methods on page 13

• Understanding User Accounts on page 13

• Understanding Login Classes on page 14

• Example: Creating Template Accounts on page 277

• Administration Guide for Security Devices

CHAPTER 4

USB Modems for Remote Management Setup

• USB Modem Interface Overview on page 19
• USB Modem Configuration Overview on page 22

USB Modem Interface Overview

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240

Juniper Networks devices support the use of USB modems for remote management. You
can use Telnet or SSH to connect to the device from a remote location through two
modems over a telephone network. The USB modem is connected to the USB port on
the device, and a second modem is connected to a remote management device such as
a PC or laptop computer.

You can configure your device to fail over to a USB modem connection when the primary
Internet connection experiences interruption.

A USB modem connects to a device through modem interfaces that you configure. The
device applies its own modem AT commands to initialize the attached modem. Modem
setup requires that you connect and configure the USB modem at the device and the
modem at the user end of the network.

You use either the J-Web configuration editor or CLI configuration editor to configure the
USB modem and its supporting dialer interfaces.

NOTE: Low-latency traffic such as VoIP traffic is not supported over USB
modem connections.

NOTE: We recommend using a US Robotics USB 56k V.92 Modem, model
number USR Model 5637.

USB Modem Interfaces

You configure two types of interfaces for USB modem connectivity:


• A physical interface which uses the naming convention umd0. The device creates this
interface when a USB modem is connected to the USB port.

• A logical interface called the dialer interface. You use the dialer interface, dln, to
configure dialing properties for USB modem connections. The dialer interface can be
configured using Point-to-Point Protocol (PPP) encapsulation. You can also configure
the dialer interface to support authentication protocols—PPP Challenge Handshake
(CHAP) or Password Authentication Protocol (PAP). You can configure multiple dialer
interfaces for different functions on the device. After configuring the dialer interface,
you must configure a backup method such as a dialer backup, a dialer filter, or a dialer
watch.

The USB modem provides a dial-in remote management interface, and supports dialer
interface features by sharing the same dial pool as a dialer interface. The dial pool allows
the logical dialer interface and the physical interface to be bound together dynamically
on a per-call basis. You can configure the USB modem to operate either as a dial-in
console for management or as a dial-in WAN backup interface. Dialer pool priority has
a range from 1 to 255, with 1 designating the lowest priority interfaces and 255 designating
the highest priority interfaces.

Dialer Interface Rules

The following rules apply when you configure dialer interfaces for USB modem
connections:

• The dialer interface must be configured to use PPP encapsulation. You cannot configure
Cisco High-Level Data Link Control (HDLC) or Multilink PPP (MLPPP) encapsulation
on dialer interfaces.

• The dialer interface cannot be configured as a constituent link in a multilink bundle.

• The dialer interface can perform backup, dialer filter, and dialer watch functions, but
these operations are mutually exclusive. You can configure a single dialer interface to
operate in only one of the following ways:

• As a backup interface—for one primary interface

• As a dialer filter

• As a dialer watch interface

The backup dialer interfaces are activated only when the primary interface fails. USB
modem backup connectivity is supported on all interfaces except lsq-0/0/0.

The dial-on-demand routing backup method allows a USB modem connection to be
activated only when network traffic configured as an “interesting packet” arrives on the
network. Once the network traffic is sent, an inactivity timer is triggered and the connection
is closed. You define an interesting packet using the dialer filter feature of the device. To
configure dial-on-demand routing backup using a dialer filter, you first configure the dialer
filter and then apply the filter to the dialer interface.

Dialer watch is a backup method that integrates backup dialing with routing capabilities
and provides reliable connectivity without relying on a dialer filter to trigger outgoing USB
modem connections. With dialer watch, the device monitors the existence of a specified
route. If the route disappears, the dialer interface initiates the USB modem connection
as a backup connection.

How the Device Initializes USB Modems

When you connect the USB modem to the USB port on the device, the device applies
the modem AT commands configured in the init-command-string command to the
initialization commands on the modem.

If you do not configure modem AT commands for the init-command-string command,
the device applies the following default sequence of initialization commands to the
modem: AT S7=45 S0=0 V1 X4 &C1 E0 Q0 &Q8 %C0. Table 6 on page 21 describes the
commands. For more information about these commands, see the documentation for
your modem.

Table 6: Default Modem Initialization Commands

Modem Command Description

AT Attention. Informs the modem that a command follows.

S7=45 Instructs the modem to wait 45 seconds for a telecommunications service provider
(carrier) signal before terminating the call.

S0=0 Disables the auto answer feature, whereby the modem automatically answers calls.

V1 Displays result codes as words.

&C1 Disables reset of the modem when it loses the carrier signal.

E0 Disables the display on the local terminal of commands issued to the modem from
the local terminal.

Q0 Enables the display of result codes.

&Q8 Enables Microcom Networking Protocol (MNP) error control mode.

%C0 Disables data compression.

When the device applies the modem AT commands in the init-command-string command
or the default sequence of initialization commands to the modem, it compares them to
the initialization commands already configured on the modem and makes the following
changes:

• If the commands are the same, the device overrides existing modem values that do
not match. For example, if the initialization commands on the modem include S0=0
and the device’s init-command-string command includes S0=2, the device applies
S0=2.

• If the initialization commands on the modem do not include a command in the device’s
init-command-string command, the device adds it. For example, if the
init-command-string command includes the command L2, but the modem commands
do not include it, the device adds L2 to the initialization commands configured on the
modem.
modem.
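The two merge rules above, modeled as an added Python example that is not Juniper code: the init-command-string is split into individual AT commands keyed by command name (S-registers by register number), and the modem's existing command set is updated so that a command present on both sides takes the device's value and a command only in the device's string is appended. The default sequence from Table 6 is used as the modem's starting set, and the S0=2 and L2 cases from the text are the constructed inputs; the parsing of Hayes-style tokens is this example's own assumption.

```python
import re
from typing import Dict

# Default initialization sequence from Table 6, used here as the modem's
# existing command set (constructed starting point for the example).
DEFAULT_INIT_STRING = "AT S7=45 S0=0 V1 X4 &C1 E0 Q0 &Q8 %C0"

# Hayes-style command token: optional prefix (&, %, \), one letter, then either
# "<register>=<value>" for S-registers or a bare numeric parameter.
_REGISTER = re.compile(r"^([&%\\]?[A-Z])(\d+)=(\d+)$")
_COMMAND = re.compile(r"^([&%\\]?[A-Z])(\d*)$")


def parse_init_string(init_string: str) -> Dict[str, str]:
    """Split an AT init string into {command_key: value}, keeping order.

    Keys: 'S7' for the S-register command 'S7=45', '&C' for '&C1', 'V' for 'V1'.
    The leading 'AT' attention prefix is not a command and is dropped.
    """
    tokens = init_string.upper().split()
    if not tokens or tokens[0] != "AT":
        raise ValueError("init string must start with AT")
    commands: Dict[str, str] = {}
    for token in tokens[1:]:
        m = _REGISTER.match(token)
        if m:
            commands[m.group(1) + m.group(2)] = m.group(3)
            continue
        m = _COMMAND.match(token)
        if m and not (m.group(1) == "S" and m.group(2)):
            # An S-register without '=value' is a query, not a setting.
            commands[m.group(1)] = m.group(2)
            continue
        raise ValueError(f"unrecognized modem command: {token!r}")
    return commands


def format_init_string(commands: Dict[str, str]) -> str:
    """Render the command map back into an 'AT ...' string."""
    parts = []
    for key, value in commands.items():
        if key[0] == "S" and len(key) > 1:  # S-register: 'S0=2' syntax
            parts.append(f"{key}={value}")
        else:                                # plain command: 'V1', '&C1'
            parts.append(f"{key}{value}")
    return "AT " + " ".join(parts)


def apply_init_commands(modem: Dict[str, str], device: Dict[str, str]) -> Dict[str, str]:
    """Apply the device's init-command-string to the modem's command set.

    Same command on both sides: the device's value wins (S0=0 vs S0=2 -> S0=2).
    Command only in the device's string: it is added (L2).
    Commands only on the modem are left in place.
    """
    merged = dict(modem)
    for key, value in device.items():
        merged[key] = value  # overrides a differing value or appends a new command
    return merged


def initialize_modem(modem_init: str, device_init: str) -> str:
    """Full round trip: parse both strings, merge, and render the result."""
    return format_init_string(
        apply_init_commands(parse_init_string(modem_init), parse_init_string(device_init))
    )


if __name__ == "__main__":
    print(initialize_modem(DEFAULT_INIT_STRING, "AT S0=2 L2"))
```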

Related Documentation

• USB Modem Configuration Overview on page 22

• Example: Configuring a USB Modem Interface on page 51

• Example: Configuring a Dialer Interface for USB Modem Dial-In on page 57

• Administration Guide for Security Devices

• Modem Interfaces Feature Guide for Security Devices

USB Modem Configuration Overview

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240

Before you begin:

1. Install device hardware. For more information, see the Getting Started Guide for your
device.

2. Establish basic connectivity. For more information, see the Getting Started Guide for
your device.

3. Order a US Robotics USB 56k V.92 Modem, model number USR Model 5637 from US
Robotics (http://www.usr.com/).

4. Order a public switched telephone network (PSTN) line from your telecommunications
service provider. Contact your service provider for more information.

5. Connect the USB modem to the device's USB port.

NOTE: J Series devices have two USB ports. However, you can connect
only one USB modem to the USB ports on these devices. If you connect
USB modems to both ports, the device detects only the first modem
connected.

NOTE: When you connect the USB modem to the USB port on the device,
the USB modem is initialized with the modem initialization string
configured for the USB modem interface on the device.

a. Plug the modem into the USB port.

b. Connect the modem to your telephone network.

Suppose you have a branch office router and a head office router each with a USB modem
interface and a dialer interface. This example shows you how to establish a backup
connection between the branch office and head office routers. See Table 7 on page 23
for a summarized description of the procedure.


Table 7: Configuring Branch Office and Head Office Routers for USB Modem Backup Connectivity

Router Location: Branch Office

Configuration Requirement: Configure the logical dialer interface on the branch office
router for USB modem dial backup.
Procedure: To configure the logical dialer interface, see “Example: Configuring a USB
Modem Interface” on page 51.

Configuration Requirement: Configure the dialer interface dl0 on the branch office router
using one of the following backup methods:
• Configure the dialer interface dl0 as the backup interface on the branch office router's
primary T1 interface t1-1/0/0.
• Configure a dialer filter on the branch office router's dialer interface.
• Configure a dialer watch on the branch office router's dialer interface.
Procedure: Configure the dialer interface using one of the following backup methods:
• To configure dl0 as a backup for t1-1/0/0, see Example: Configuring Dialer Interfaces
and Backup Methods for USB Modem Dial Backup.
• To configure a dialer filter on dl0, see Example: Configuring Dialer Interfaces and
Backup Methods for USB Modem Dial Backup.
• To configure a dialer watch on dl0, see Example: Configuring Dialer Interfaces and
Backup Methods for USB Modem Dial Backup.

Router Location: Head Office

Configuration Requirement: Configure dial-in on the dialer interface dl0 on the head office
router.
Procedure: To configure dial-in on the head office router, see “Example: Configuring a
Dialer Interface for USB Modem Dial-In” on page 57.

If the dialer interface is configured to accept only calls from a specific caller ID, the device
matches the incoming call's caller ID against the caller IDs configured on its dialer
interfaces. If an exact match is not found and the incoming call's caller ID has more digits
than the configured caller IDs, the device performs a right-to-left match of the incoming
call's caller ID with the configured caller IDs and accepts the incoming call if a match is
found. For example, if the incoming call's caller ID is 4085321091 and the caller ID
configured on a dialer interface is 5321091, the incoming call is accepted. Each dialer
interface accepts calls only from callers whose caller IDs are configured on it.

See Table 8 on page 23 for a list of available incoming map options.

Table 8: Incoming Map Options

Option: accept-all
Description: Dialer interface accepts all incoming calls.
You can configure the accept-all option for only one of the dialer interfaces
associated with a USB modem physical interface. The dialer interface with the
accept-all option configured is used only if the incoming call's caller ID does not
match the caller IDs configured on other dialer interfaces.

Option: caller
Description: Dialer interface accepts calls from a specific caller ID. You can configure a
maximum of 15 caller IDs per dialer interface.
The same caller ID must not be configured on different dialer interfaces.
However, you can configure caller IDs with more or fewer digits on different
dialer interfaces. For example, you can configure the caller IDs 14085551515,
4085551515, and 5551515 on different dialer interfaces.
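The caller-ID matching rules described above (exact match, then right-to-left match when the incoming ID has more digits, then the accept-all interface) together with the Table 8 constraints, modelled in Python. This is an added example, not Junos code; the dialer interface names and caller IDs in SAMPLE_INTERFACES are constructed, and the longest-suffix tie-break is an assumption the text does not state.

```python
MAX_CALLER_IDS = 15  # per dialer interface, as stated in Table 8


def validate_incoming_maps(interfaces):
    """Check the incoming-map constraints from Table 8.

    interfaces maps a dialer interface name to a dict with optional keys
    "caller" (list of caller-ID digit strings) and "accept_all" (bool).
    Returns a list of problems; an empty list means the map is valid.
    """
    problems = []
    owner = {}  # caller ID -> interface that configured it
    accept_all = sorted(n for n, cfg in interfaces.items() if cfg.get("accept_all"))
    if len(accept_all) > 1:
        problems.append("accept-all configured on more than one dialer interface: "
                        + ", ".join(accept_all))
    for name, cfg in interfaces.items():
        ids = cfg.get("caller", [])
        if len(ids) > MAX_CALLER_IDS:
            problems.append(f"{name}: {len(ids)} caller IDs exceeds the limit of {MAX_CALLER_IDS}")
        for cid in ids:
            if not cid.isdigit():
                problems.append(f"{name}: caller ID {cid!r} is not all digits")
            elif cid in owner and owner[cid] != name:
                problems.append(f"caller ID {cid} configured on both {owner[cid]} and {name}")
            else:
                owner.setdefault(cid, name)
    return problems


def select_dialer_interface(incoming_caller_id, interfaces):
    """Return the name of the dialer interface that accepts the call, or None.

    Evaluation order follows the text: exact match first, then a right-to-left
    (suffix) match when the incoming ID has more digits than a configured ID,
    then the single accept-all interface. The text does not say which interface
    wins when several configured IDs are suffixes of the incoming ID; this
    example assumes the longest configured ID wins.
    """
    for name, cfg in interfaces.items():
        if incoming_caller_id in cfg.get("caller", []):
            return name
    best = None  # (interface, configured ID)
    for name, cfg in interfaces.items():
        for cid in cfg.get("caller", []):
            if len(incoming_caller_id) > len(cid) and incoming_caller_id.endswith(cid):
                if best is None or len(cid) > len(best[1]):
                    best = (name, cid)
    if best is not None:
        return best[0]
    for name, cfg in interfaces.items():
        if cfg.get("accept_all"):
            return name
    return None


# Constructed sample: dl0 keys on a 7-digit number, dl1 on a full 11-digit
# number, dl2 is the single accept-all interface.
SAMPLE_INTERFACES = {
    "dl0": {"caller": ["5321091"]},
    "dl1": {"caller": ["14085551515"]},
    "dl2": {"accept_all": True},
}

if __name__ == "__main__":
    print("problems:", validate_incoming_maps(SAMPLE_INTERFACES))
    for cid in ("4085321091", "5321091", "4085551515", "2125550100"):
        print(cid, "->", select_dialer_interface(cid, SAMPLE_INTERFACES))
```

Note that a call from 4085551515 is not matched by dl1: the configured ID 14085551515 is longer than the incoming ID, so the right-to-left rule does not apply and the call falls through to the accept-all interface.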

You configure dialer interfaces to support PAP. PAP allows a simple method for a peer
to establish its identity using a two-way handshake during initial link establishment. After
the link is established, an ID and password pair are repeatedly sent by the peer to the
authenticator until authentication is acknowledged or the connection is terminated. PAP
sends the ID and password unencrypted over the link, so it identifies the peer but does
not protect the credentials in transit.

Related Documentation
• USB Modem Interface Overview on page 19
• Example: Configuring a USB Modem Interface on page 51
• Administration Guide for Security Devices
• Modem Interfaces Feature Guide for Security Devices

CHAPTER 5

Telnet and SSH Device Control

• Securing the Console Port Configuration Overview on page 25
• Reverse Telnet Overview on page 26

Securing the Console Port Configuration Overview

Supported Platforms J Series, LN Series, SRX Series

You can use the console port on the device to connect to the device through an RJ-45
serial cable. From the console port, you can use the CLI to configure the device. By default,
the console port is enabled. To secure the console port, you can configure the device to
take the following actions:

• Log out of the console session when you unplug the serial cable connected to the
console port.

• Disable root login connections to the console. This action prevents a non-root user
from performing a password recovery operation using the console.

• Disable the console port. We recommend disabling the console port to prevent
unauthorized access to the device, especially when the device is used as customer
premises equipment (CPE) and is forwarding sensitive traffic.

NOTE: It is not always possible to disable the console port, because console
access is important during operations such as software upgrades.

To secure the console port:

1. Do one of the following:

• Disable the console port. Enter

[edit system ports console]
user@host# set disable

• Disable root login connections to the console. Enter

[edit system ports console]
user@host# set insecure

NOTE: After configuring the console port as insecure, if a user tries to
perform a password recovery operation by booting in single-user mode,
the device will prompt for the root password. This way, the user will be
unable to log into single-user mode for password recovery unless the
root password is known.

• Log out of the console session when the serial cable connected to the console port
is unplugged. Enter

[edit system ports console]
user@host# set log-out-on-disconnect

2. If you are done configuring the device, enter commit from configuration mode.
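A small audit of the three console-port statements in the procedure above, run over the output of show configuration system ports console | display set. This is an added example, not Junos code; the configuration text in SAMPLE_OUTPUT is constructed. The check goes slightly beyond the page's "do one of the following": when the port is not disabled, it treats insecure and log-out-on-disconnect as complementary (one blocks console password recovery, the other closes an abandoned session) and reports whichever is absent.

```python
# Statement names -> the 'display set' line that configures them.
STATEMENTS = {
    "disable": "set system ports console disable",
    "insecure": "set system ports console insecure",
    "log-out-on-disconnect": "set system ports console log-out-on-disconnect",
}


def audit_console_port(display_set_output):
    """Report which console-port hardening statements are configured.

    Returns {"state": {name: bool}, "missing": [names], "hardened": bool}.
    A disabled port makes the other two statements moot, because no console
    session can exist at all, so nothing is reported as missing in that case.
    """
    lines = {line.strip() for line in display_set_output.splitlines()}
    state = {name: stmt in lines for name, stmt in STATEMENTS.items()}
    if state["disable"]:
        missing = []
    else:
        missing = [name for name in ("insecure", "log-out-on-disconnect") if not state[name]]
    return {"state": state, "missing": missing, "hardened": not missing}


# Constructed 'display set' output: root console login blocked, but a session
# survives the cable being unplugged.
SAMPLE_OUTPUT = """\
set system ports console insecure
set system services ssh
"""

if __name__ == "__main__":
    print(audit_console_port(SAMPLE_OUTPUT))
```

Unrelated lines in the output (the ssh service line in the sample) are ignored; only exact matches of the three console statements count.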

Related Documentation
• The telnet Command on page 300
• The ssh Command on page 301
• Configuring Password Retry Limits for Telnet and SSH Access on page 295
• Reverse Telnet Overview on page 26
• Configuring Reverse Telnet and Reverse SSH on page 296
• Administration Guide for Security Devices

Reverse Telnet Overview

Supported Platforms J Series, LN Series

Reverse telnet allows you to configure a device to listen on a specific port for Telnet and
SSH services. When you connect to that port, the device provides an interface to the
auxiliary port on the device. You use a rollover cable to connect the auxiliary port from
the device on which reverse telnet is enabled to the console port of the device you want
to manage.

NOTE: Reverse telnet is supported only on J Series devices.

To use reverse telnet, you must have the following devices:

• A device with an auxiliary port running the appropriate version of Junos OS.

• A device with a console port for remote management if network connectivity fails and
you want to use console access.

This section contains the following topics:

• Reverse Telnet Options on page 27
• Reverse Telnet Restrictions on page 27

Reverse Telnet Options

When you enable reverse telnet, you can control the port that is used, and you can
optionally turn on reverse ssh to encrypt the reverse telnet communication between the
device and the client. By default, reverse telnet uses port 2900 and reverse ssh uses port
2901.

NOTE: Enabling reverse ssh requires an additional command. By default,
when you enable reverse telnet, the connection is not encrypted.

Reverse Telnet Restrictions

Keep the following restrictions in mind when you attempt to use reverse telnet or reverse
ssh:

• Multiple connections to the serial port are not allowed. If there is an existing connection
to the serial port, any other connections are denied.

• If the auxiliary port is enabled (through the system services port auxiliary configuration
statement), you cannot use reverse telnet or reverse ssh because another service is
already using the auxiliary port.

Related Documentation
• The telnet Command on page 300
• The ssh Command on page 301
• Configuring Password Retry Limits for Telnet and SSH Access on page 295
• Configuring Reverse Telnet and Reverse SSH on page 296
• Administration Guide for Security Devices

CHAPTER 6

DHCP for IP Address Device

• DHCP Server, Client, and Relay Agent Overview on page 29
• DHCP Configuration Overview on page 30
• Understanding DHCP Server Operation on page 31
• Understanding DHCP Client Operation on page 32
• Understanding DHCP Relay Agent Operation on page 33
• DHCP Settings and Restrictions Overview on page 33
• Understanding DHCP Services in a Routing Instance on page 34

DHCP Server, Client, and Relay Agent Overview

Supported Platforms J Series, LN Series, SRX Series

A Dynamic Host Configuration Protocol (DHCP) server can automatically allocate IP
addresses and also deliver configuration settings to client hosts on a subnet. DHCP lets
network administrators centrally manage a pool of IP addresses among hosts and
automate the assignment of IP addresses in a network. An IP address can be leased to
a host for a limited period of time, allowing the DHCP server to share a limited number
of IP addresses among a group of hosts that do not need permanent IP addresses.

The Juniper Networks device acts as the DHCP server, providing IP addresses and settings
to hosts, such as PCs, that are connected to device interfaces. The DHCP server is
compatible with the DHCP servers of other vendors on the network.

The device can also operate as a DHCP client and DHCP relay agent.

DHCP is based on BOOTP, a bootstrap protocol that allows a client to discover its own
IP address, the IP address of a server host, and the name of a bootstrap file. DHCP servers
can handle requests from BOOTP clients, but provide additional capabilities beyond
BOOTP, such as the automatic allocation of reusable IP addresses and additional
configuration options.

NOTE: Although a Juniper Networks device can act as a DHCP server, a DHCP
client, or DHCP relay agent at the same time, you cannot configure more than
one DHCP role on a single interface.

DHCP provides two primary functions:

• Allocate temporary or permanent IP addresses to clients.

• Store, manage, and provide client configuration parameters.

Related Documentation
• DHCP Configuration Overview on page 30
• Understanding DHCP Server Operation on page 31
• Understanding DHCP Client Operation on page 32
• Understanding DHCP Relay Agent Operation on page 33
• DHCP Settings and Restrictions Overview on page 33
• Administration Guide for Security Devices

DHCP Configuration Overview

Supported Platforms J Series, LN Series, SRX Series

A typical DHCP server configuration provides the following configuration settings for a
particular subnet on a device interface:

• An IP address pool, with one address excluded from the pool.

• Default and maximum lease times.

• Domain search suffixes. These suffixes specify the domain search list used by a client
when resolving hostnames with DNS.

• A DNS name server.

• Device solicitation address option (option 32). The IP address excluded from the IP
address pool is reserved for this option.

In addition, the DHCP server might assign a static address to at least one client on the
subnet. Table 9 on page 30 provides the settings and values for the sample DHCP server
configuration.

Table 9: Sample DHCP Configuration Settings (Setting: Sample Value)

DHCP Subnet Configuration
• Address pool subnet address: 192.168.2.0/24
• High address in the pool range: 192.168.2.254
• Low address in the pool range: 192.168.2.2
• Address pool default lease time, in seconds: 1,209,600 (14 days)
• Address pool maximum lease time, in seconds: 2,419,200 (28 days)
• Domain search suffixes: mycompany.net, mylab.net
• Address to exclude from the pool: 192.168.2.33
• DNS server address: 192.168.10.2
• Identifier code for router solicitation address option: 32
• Type choice for router solicitation address option: IP address
• IP address for router solicitation address option: 192.168.2.33

DHCP MAC Address Configuration
• Static binding MAC address: 01:03:05:07:09:0B
• Fixed address: 192.168.2.50

Related Documentation
• DHCP Server, Client, and Relay Agent Overview on page 29
• Understanding DHCP Server Operation on page 31
• Understanding DHCP Client Operation on page 32
• Understanding DHCP Relay Agent Operation on page 33
• RFC 3397, Dynamic Host Configuration Protocol (DHCP) Domain Search Option
• Administration Guide for Security Devices

Understanding DHCP Server Operation

Supported Platforms J Series, LN Series, SRX Series

As a DHCP server, a Juniper Networks device can provide temporary IP addresses from
an IP address pool to all clients on a specified subnet, a process known as dynamic
binding. Juniper Networks devices can also perform static binding, assigning permanent
IP addresses to specific clients based on their media access control (MAC) addresses.
Static bindings take precedence over dynamic bindings.

NOTE: The DHCP requests received on an interface are associated with a DHCP
pool that is in the same subnet as the primary IP address/subnet on an
interface. If an interface is associated with multiple IP addresses/subnets,
the device uses the lowest numerically assigned IP address as the primary
IP address/subnet for the interface. To change the IP address/subnet that
is listed as the primary address on an interface, use the set interfaces
<interface-name> unit 0 family inet address xxx.xxx.xxx.xxx/yy primary
command and commit the change.

This section contains the following topics:

• DHCP Options on page 32
• Compatibility with Autoinstallation on page 32

DHCP Options

In addition to its primary DHCP server functions, you can also configure the device to
send configuration settings like the following to clients through DHCP:

• IP address of the DHCP server (Juniper Networks device)

• List of Domain Name System (DNS) and NetBIOS servers

• List of gateway routers

• IP address of the boot server and the filename of the boot file to use

• DHCP options defined in RFC 2132, DHCP Options and BOOTP Vendor Extensions

Compatibility with Autoinstallation

The functions of a Juniper Networks device acting as a DHCP server are compatible with
the autoinstallation feature. The DHCP server automatically checks any autoinstallation
settings for conflicts and gives the autoinstallation settings priority over corresponding
DHCP settings. For example, an IP address set by autoinstallation takes precedence over
an IP address set by the DHCP server.

Related Documentation
• DHCP Server, Client, and Relay Agent Overview on page 29
• Example: Configuring the Device as a DHCP Server on page 61
• Understanding DHCP Client Operation on page 32
• Understanding DHCP Relay Agent Operation on page 33
• Administration Guide for Security Devices

Understanding DHCP Client Operation

Supported Platforms J Series, LN Series, SRX Series

A Juniper Networks device can act as a DHCP client, receiving its TCP/IP settings and
the IP address for any physical interface in any security zone from an external DHCP
server. The device can also act as a DHCP server, providing TCP/IP settings and IP
addresses to clients in any zone. When the device operates as a DHCP client and a DHCP
server simultaneously, it can transfer the TCP/IP settings learned through its DHCP client
module to its default DHCP server module. For the device to operate as a DHCP client,
you configure a logical interface on the device to obtain an IP address from the DHCP
server in the network. You set the vendor class ID, lease time, DHCP server address,
retransmission attempts, and retry interval. You can renew DHCP client leases.

Related Documentation
• DHCP Server, Client, and Relay Agent Overview on page 29
• Example: Configuring the Device as a DHCP Client on page 67
• Understanding DHCP Relay Agent Operation on page 33
• DHCP Settings and Restrictions Overview on page 33
• Administration Guide for Security Devices

Understanding DHCP Relay Agent Operation

Supported Platforms J Series, LN Series, SRX Series

A Juniper Networks device operating as a DHCP relay agent forwards incoming requests
from BOOTP and DHCP clients to a specified BOOTP or DHCP server. Client requests
can pass through virtual private network (VPN) tunnels.

Although a Juniper Networks device can act as a DHCP server, a DHCP client, or DHCP
relay agent at the same time, you cannot configure more than one DHCP role on a single
interface.

DHCP relay operations are supported on all SRX Series devices in chassis cluster mode.

Related Documentation
• DHCP Server, Client, and Relay Agent Overview on page 29
• Understanding DHCP Server Operation on page 31
• Example: Configuring the Device as a BOOTP or DHCP Relay Agent on page 71
• DHCP Settings and Restrictions Overview on page 33
• Administration Guide for Security Devices

DHCP Settings and Restrictions Overview

Supported Platforms J Series, LN Series, SRX Series

This section contains the following topics:

• Propagation of TCP/IP Settings for DHCP on page 34
• DHCP Conflict Detection and Resolution on page 34
• DHCP Interface Restrictions on page 34

Propagation of TCP/IP Settings for DHCP

The Juniper Networks device can operate simultaneously as a client of the DHCP server
in the untrust zone and a DHCP server to the clients in the trust zone. The device takes
the TCP/IP settings that it receives as a DHCP client and forwards them as a DHCP server
to the clients in the trust zone. The device interface in the untrust zone operates as the
DHCP client, receiving IP addresses dynamically from an Internet service provider (ISP)
on the external network.

During the DHCP protocol exchange, the device receives TCP/IP settings from the external
network on its DHCP client interface. Settings include the address of the ISP's DHCP
name server and other server addresses. These settings are propagated to the DHCP
server pools configured on the device to fulfill host requests for IP addresses on the
device's internal network.

DHCP Conflict Detection and Resolution

A client that receives an IP address from the device operating as a DHCP server performs
a series of Address Resolution Protocol (ARP) tests to verify that the address is available
and no conflicts exist. If the client detects an address conflict, it informs the DHCP server
about the conflict and can request another IP address from the DHCP server.

The device maintains a log of all client-detected conflicts and removes addresses with
conflicts from the DHCP address pool. To display the conflicts list, you use the show
system services dhcp conflict command. The addresses in the conflicts list remain excluded
until you use the clear system services dhcp conflict command to manually clear the list.
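A model of the server-side behaviour described in "Understanding DHCP Server Operation" and in this conflict-detection section: static bindings by MAC address take precedence over the dynamic range, the excluded address is never handed out, and an address a client declines after its ARP test is logged as a conflict and kept out of the pool until the list is cleared. This is an added example, not Junos code; the pool values are the sample settings from Table 9, and the client MAC addresses other than the static-binding one are constructed.

```python
import ipaddress


class DhcpPool:
    """One DHCP address pool with static bindings and a conflict list."""

    def __init__(self, subnet, low, high, exclude=(), default_lease=1_209_600,
                 max_lease=2_419_200, static=None):
        self.subnet = ipaddress.ip_network(subnet)
        self.low = ipaddress.ip_address(low)
        self.high = ipaddress.ip_address(high)
        self.exclude = {ipaddress.ip_address(a) for a in exclude}
        self.default_lease = default_lease
        self.max_lease = max_lease
        # static bindings: normalised MAC -> fixed address (takes precedence)
        self.static = {self._mac(m): ipaddress.ip_address(a)
                       for m, a in (static or {}).items()}
        self.bindings = {}   # MAC -> (address, lease seconds)
        self.conflicts = []  # addresses clients reported as already in use

    @staticmethod
    def _mac(mac):
        return mac.lower().replace("-", ":")

    def _free_addresses(self):
        """Dynamic range in ascending order, skipping excluded, statically
        bound, currently leased and conflicted addresses."""
        taken = set(self.exclude) | set(self.static.values()) | set(self.conflicts)
        taken |= {addr for addr, _ in self.bindings.values()}
        for addr in self.subnet.hosts():
            if self.low <= addr <= self.high and addr not in taken:
                yield addr

    def allocate(self, mac, requested_lease=None):
        """Return (address, lease) for the client, or None if the pool is empty.
        The lease is capped at the pool's maximum lease time."""
        mac = self._mac(mac)
        lease = min(requested_lease or self.default_lease, self.max_lease)
        if mac in self.bindings:        # renewal keeps the same address
            addr = self.bindings[mac][0]
        elif mac in self.static:        # static binding wins over the pool
            addr = self.static[mac]
        else:
            addr = next(self._free_addresses(), None)
            if addr is None:
                return None
        self.bindings[mac] = (addr, lease)
        return str(addr), lease

    def decline(self, mac, addr):
        """The client's ARP test found addr in use: drop the binding and keep
        the address out of the pool until clear_conflicts() is called."""
        addr = ipaddress.ip_address(addr)
        mac = self._mac(mac)
        if mac in self.bindings and self.bindings[mac][0] == addr:
            del self.bindings[mac]
        if addr not in self.conflicts:
            self.conflicts.append(addr)

    def show_conflicts(self):
        """Equivalent of listing the conflicts: addresses currently excluded."""
        return [str(a) for a in self.conflicts]

    def clear_conflicts(self):
        """Equivalent of manually clearing the list: addresses return to the pool."""
        self.conflicts.clear()


def build_table9_pool():
    """Pool built from the Table 9 sample values."""
    return DhcpPool("192.168.2.0/24", "192.168.2.2", "192.168.2.254",
                    exclude=["192.168.2.33"],
                    default_lease=1_209_600, max_lease=2_419_200,
                    static={"01:03:05:07:09:0B": "192.168.2.50"})


if __name__ == "__main__":
    pool = build_table9_pool()
    print(pool.allocate("01:03:05:07:09:0b"))      # static binding
    print(pool.allocate("aa:bb:cc:00:00:01"))      # first free dynamic address
    pool.decline("aa:bb:cc:00:00:01", "192.168.2.2")
    print(pool.show_conflicts())
    print(pool.allocate("aa:bb:cc:00:00:01"))      # gets the next free address
```

The declined address stays excluded even after the client that reported it has been given another address; only clear_conflicts() returns it to the dynamic range, which mirrors the manual clear the text describes.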

DHCP Interface Restrictions

The device supports DHCP client requests received on any Ethernet interface. DHCP
requests received from a relay agent are supported on all interface types.

DHCP is not supported on interfaces that are part of a virtual private network (VPN).

Related Documentation
• DHCP Server, Client, and Relay Agent Overview on page 29
• Understanding DHCP Server Operation on page 31
• Understanding DHCP Client Operation on page 32
• Understanding DHCP Relay Agent Operation on page 33
• Administration Guide for Security Devices

Understanding DHCP Services in a Routing Instance

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

The Dynamic Host Configuration Protocol (DHCP) implementation on the device can act
as a DHCP local server, a DHCP client, or a DHCP relay agent.

DHCP Local Server

You can enable an SRX Series device to function as a DHCP local server, and then
configure its options on the device. The DHCP local server provides an IP address and
other configuration information in response to a client request.

To configure the DHCP local server on the device, include the dhcp-local-server statement
at the [edit system services] hierarchy level.

NOTE: You cannot configure the DHCP local server and the DHCP relay agent
on the same interface.

DHCP Client, DHCP Local Server, and Address-Assignment Pool Interaction

In a typical branch network configuration, the DHCP client is on the subscriber’s computer,
and the DHCP local server is configured on the device. The following steps provide a
high-level description of the interaction among the DHCP client, DHCP local server, and
address-assignment pools.

1. The DHCP client sends a discover packet to one or more DHCP local servers in the
network to obtain configuration parameters and an IP address for the subscriber.

2. Each DHCP local server that receives the discover packet then searches its
address-assignment pool for the client address and configuration options. Each local
server creates an entry in its internal client table to keep track of the client state, then
sends a DHCP offer packet to the client.

3. On receipt of the offer packet, the DHCP client selects the DHCP local server from
which to obtain configuration information and sends a request packet indicating the
DHCP local server selected to grant the address and configuration information.

4. The selected DHCP local server sends an acknowledgement packet to the client that
contains the client address lease and configuration parameters. The server and client
install the host route and ARP entry, and then monitor the lease state.

DHCP Local Server and Address-Assignment Pools

In a DHCP local server operation, the client address and configuration information reside
in centralized address-assignment pools that are managed independently of the DHCP
local server and can be shared by different client applications.

Configuring a DHCP environment that includes a DHCP local server requires two
independent configuration operations, which you can complete in any order. In one
operation, you configure the DHCP local server on the device and specify how the DHCP
local server determines which address-assignment pool to use. In the other operation,
you configure the address-assignment pools used by the DHCP local server. The
address-assignment pools contain the IP addresses, named address ranges, and
configuration information for DHCP clients.

NOTE: The DHCP local server and the address-assignment pools used by
the server must be configured in the same routing instance.

DHCP Client

DHCP configuration consists of configuring DHCP clients and a DHCP local server. A
client configuration determines how clients send a message requesting an IP address,
while a server configuration enables the server to send an IP address back to the client.

For the device to operate as a DHCP client, you configure a logical interface on the device
to obtain an IP address from the DHCP local server in the network. You set the vendor
class ID, lease time, DHCP server address, retransmission attempts, and retry interval.

DHCP Relay Agent

You can configure DHCP relay options on the device and enable the device to function
as a DHCP relay agent. A DHCP relay agent forwards DHCP request and reply packets
between a DHCP client and a DHCP local server.

To configure the DHCP relay agent on the router, include the dhcp-relay statement at
the [edit forwarding-options] hierarchy level.

You can also include the dhcp-relay statement at the following hierarchy level:

[edit routing-instances routing-instance-name forwarding-options]

DHCP Client, DHCP Relay Agent, and DHCP Local Servers

In a typical branch network configuration, the DHCP client is on the subscriber’s computer,
and the DHCP relay agent is configured on the device between the DHCP client and one
or more DHCP local servers.

The following steps describe, at a high level, how the DHCP client, DHCP relay agent,
and DHCP local server interact in a configuration that includes two DHCP local servers.

1. The DHCP client sends a discover packet to find a DHCP local server in the network
from which to obtain configuration parameters for the subscriber, including an IP
address.

2. The DHCP relay agent receives the discover packet and forwards copies to each of
the two DHCP local servers. The DHCP relay agent then creates an entry in its internal
client table to keep track of the client’s state.

3. In response to receiving the discover packet, each DHCP local server sends an offer
packet to the client. The DHCP relay agent receives the offer packets and forwards
them to the DHCP client.

4. On receipt of the offer packets, the DHCP client selects the DHCP local server from
which to obtain configuration information. Typically, the client selects the server that
offers the longest lease time on the IP address.

5. The DHCP client sends a request packet that specifies the DHCP local server from
which to obtain configuration information.

6. The DHCP local server requested by the client sends an acknowledgement (ACK)
packet that contains the client’s configuration parameters.

7. The DHCP relay agent receives the ACK packet and forwards it to the client.

8. The DHCP client receives the ACK packet and stores the configuration information.

9. If configured to do so, the DHCP relay agent installs a host route and Address
Resolution Protocol (ARP) entry for this client.

10. After establishing the initial lease on the IP address, the DHCP client and the DHCP
local server use unicast transmission to negotiate lease renewal or release.
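A message-level walk-through of the relayed exchange in the ten steps above (DISCOVER, OFFER, REQUEST and ACK passing through a relay agent to two local servers, with the client choosing the longer lease and the relay optionally installing a host route). The same four message types make up the direct local-server interaction described earlier in this topic. This is an added example, not Junos code: messages are plain dicts rather than DHCP wire format, the server addresses, offered addresses, lease times and client MAC are constructed, and the rule that a server withdraws its offer when the client selects another server is RFC 2131 behaviour assumed here, not stated on the page.

```python
class LocalServer:
    """One DHCP local server: answers DISCOVER with an OFFER, and REQUEST
    with an ACK only when it is the server the client selected."""

    def __init__(self, server_id, offer_addr, lease):
        self.server_id = server_id   # server identifier (its own address)
        self.offer_addr = offer_addr
        self.lease = lease
        self.clients = {}            # chaddr -> "offered" | "bound"

    def handle(self, msg):
        if msg["type"] == "DISCOVER":            # step 3: offer
            self.clients[msg["chaddr"]] = "offered"
            return {"type": "OFFER", "chaddr": msg["chaddr"], "yiaddr": self.offer_addr,
                    "server_id": self.server_id, "lease": self.lease, "giaddr": msg["giaddr"]}
        if msg["type"] == "REQUEST":             # step 6: ACK from the selected server
            if msg["server_id"] != self.server_id:
                # Client chose another server: withdraw the offer (RFC 2131, assumed)
                self.clients.pop(msg["chaddr"], None)
                return None
            self.clients[msg["chaddr"]] = "bound"
            return {"type": "ACK", "chaddr": msg["chaddr"], "yiaddr": self.offer_addr,
                    "server_id": self.server_id, "lease": self.lease, "giaddr": msg["giaddr"]}
        return None


class RelayAgent:
    """Relay between the client's subnet and the local servers."""

    def __init__(self, giaddr, servers, install_host_route=True):
        self.giaddr = giaddr                     # relay address put in giaddr
        self.servers = servers
        self.install_host_route = install_host_route
        self.client_table = {}                   # step 2: per-client state
        self.host_routes = {}                    # step 9: yiaddr -> chaddr

    def to_servers(self, msg):
        """Steps 2 and 5: forward a copy of the client's message to each server."""
        msg = dict(msg, giaddr=self.giaddr)
        self.client_table[msg["chaddr"]] = msg["type"].lower()
        return [r for r in (s.handle(msg) for s in self.servers) if r is not None]

    def to_client(self, reply):
        """Steps 3 and 7: pass server replies back to the client; on ACK,
        optionally install the host route and ARP entry (step 9)."""
        if reply["type"] == "ACK" and self.install_host_route:
            self.host_routes[reply["yiaddr"]] = reply["chaddr"]
            self.client_table[reply["chaddr"]] = "bound"
        return reply


def run_exchange(relay, chaddr):
    """Drive one client through DISCOVER/OFFER/REQUEST/ACK via the relay and
    return the ACK the client stores (step 8)."""
    discover = {"type": "DISCOVER", "chaddr": chaddr, "giaddr": "0.0.0.0"}   # step 1
    offers = [relay.to_client(o) for o in relay.to_servers(discover)]
    chosen = max(offers, key=lambda o: o["lease"])                          # step 4
    request = {"type": "REQUEST", "chaddr": chaddr, "giaddr": "0.0.0.0",
               "server_id": chosen["server_id"], "requested_ip": chosen["yiaddr"]}
    acks = [relay.to_client(a) for a in relay.to_servers(request)]
    if len(acks) != 1:
        raise RuntimeError(f"expected exactly one ACK, got {len(acks)}")
    return acks[0]


if __name__ == "__main__":
    # Constructed topology: two servers offering different lease times
    s1 = LocalServer("10.0.0.1", "192.168.2.10", 3600)
    s2 = LocalServer("10.0.0.2", "192.168.2.200", 86400)
    relay = RelayAgent("192.168.2.1", [s1, s2])
    ack = run_exchange(relay, "aa:bb:cc:dd:ee:01")
    print("bound to", ack["server_id"], "address", ack["yiaddr"], "lease", ack["lease"])
    print("relay host routes:", relay.host_routes)
```

Both servers see every DISCOVER and REQUEST because the relay copies them; only the server named in the REQUEST answers with an ACK, so the relay's host route is installed exactly once per client.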

Considerations

The following considerations apply when you enable a DHCP local server, DHCP relay
agent, or DHCP client in a routing instance:

• The DHCP local server, DHCP relay agent, and DHCP client can be configured in one
routing instance, but the functionality is mutually exclusive on one interface. If the
DHCP client is enabled on one interface, the DHCP local server or the DHCP relay agent
cannot be enabled on that interface.

• The DHCP client, DHCP relay agent and DHCP local server services act independently
in their respective routing instance. The following features can function simultaneously
on a device:

• DHCP client and DHCP local server

• DHCP client and DHCP relay agent

• Multiple routing instances. Each instance can have a DHCP local server, DHCP relay
agent, or DHCP client, or each routing instance can have a DHCP client and DHCP
local server or a DHCP client and DHCP relay agent.

• In Junos Release 12.1X46, autoinstallation is not compatible with jDHCPd:

version 12.1X46-D40.2;
system {
    /* not compatible with jDHCPd */ <<<<<<
    autoinstallation {
        usb {
            disable;
        }
    }
}

NOTE: Before you enable DHCP services in a routing instance, you must
remove all the configuration related to DHCP services that does not include
routing instance support. If you do not do this, the old default routing instance
configuration will override the new routing instance configuration.
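A configuration lint for the per-interface rule in the Considerations list above (at most one DHCP role per interface within a routing instance) and for the NOTE that legacy DHCP configuration without routing-instance support must be removed first. This is an added example, not Junos code; the routing-instance and interface names in the sample are constructed, and the instance-level role combinations the list describes are not checked here.

```python
ROLES = ("client", "local-server", "relay")


def validate_dhcp_roles(assignments, legacy_dhcp_configured=False):
    """Check DHCP role placement before enabling DHCP services in a routing instance.

    assignments: iterable of (routing_instance, interface, role) tuples.
    legacy_dhcp_configured: True if DHCP is still configured without routing
        instance support, which the NOTE above says overrides the new
        routing-instance configuration.
    Returns a list of violation strings; an empty list means the layout is allowed.
    """
    problems = []
    roles_by_iface = {}
    instances = set()
    for ri, iface, role in assignments:
        if role not in ROLES:
            problems.append(f"{ri}/{iface}: unknown DHCP role {role!r}")
            continue
        instances.add(ri)
        roles_by_iface.setdefault((ri, iface), set()).add(role)
    for (ri, iface), roles in sorted(roles_by_iface.items()):
        if len(roles) > 1:   # client, local server and relay are mutually exclusive per interface
            problems.append(f"{ri}/{iface}: more than one DHCP role on one interface: "
                            + ", ".join(sorted(roles)))
    if legacy_dhcp_configured and instances:
        problems.append("legacy DHCP configuration without routing-instance support is "
                        "still present and would override the routing-instance configuration")
    return problems


# Constructed sample: one instance with a local server on one interface and a
# client on another, which the text allows.
SAMPLE_ASSIGNMENTS = [
    ("branch-ri", "ge-0/0/1.0", "local-server"),
    ("branch-ri", "ge-0/0/2.0", "client"),
]

if __name__ == "__main__":
    print(validate_dhcp_roles(SAMPLE_ASSIGNMENTS))
    print(validate_dhcp_roles(SAMPLE_ASSIGNMENTS + [("branch-ri", "ge-0/0/1.0", "relay")]))
```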

Related Documentation
• Configuring a DHCP Local Server on page 76
• Configuring a DHCP Client on page 80
• Configuring a DHCP Relay Agent on page 82
• Administration Guide for Security Devices

CHAPTER 7

DHCPv6 Client

• DHCPv6 Client Overview on page 39
• Understanding DHCPv6 Client and Server Identification on page 40

DHCPv6 Client Overview

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

A Juniper Networks device can act as a Dynamic Host Configuration Protocol version 6
(DHCPv6) client, receiving its TCP/IP settings and the IPv6 address for any physical
interface in any security zone from an external DHCPv6 server. When the device operates
as a DHCPv6 client and a DHCPv6 server simultaneously, it can transfer the TCP/IP
settings learned through its DHCPv6 client module to its default DHCPv6 server module.
For the device to operate as a DHCPv6 client, you configure a logical interface on the
device to obtain an IPv6 address from the DHCPv6 server in the network.

DHCPv6 client support for Juniper Networks devices includes the following features:

• Identity association for nontemporary addresses (IA_NA)

• Identity association for prefix delegation (IA_PD)

• Rapid commit

• TCP/IP propagation

• Auto-prefix delegation

• Autoconfig mode (stateful and stateless)

To configure the DHCPv6 client on the device, include the dhcpv6-client statement at
the [edit interfaces] hierarchy level.

NOTE: To configure a DHCPv6 client in a routing instance, add the interface
in a routing instance using the [edit routing-instances] hierarchy.

Related Documentation
• Minimum DHCPv6 Client Configuration on page 91

Understanding DHCPv6 Client and Server Identification

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Each DHCPv6 client and server is identified by a DHCP unique identifier (DUID). The DUID
is unique across all DHCPv6 clients and servers, and it is stable for any specific client or
server. DHCPv6 clients use DUIDs to identify a server in messages where a server needs
to be identified. DHCPv6 servers use DUIDs to determine the configuration parameters
to be used for clients and in the association of addresses with clients.

The DUID is a 2-octet type code represented in network byte order, followed by a variable
number of octets that make up the actual identifier; for example,
00:02:00:01:02:03:04:05:07:a0. A DUID can be up to 128 octets in length (excluding the
type code). The following types are currently defined for the DUID parameter:

• Type 1—Link Layer address plus time (duid-llt)

• Type 2—Vendor-assigned unique ID based on enterprise number (vendor)

• Type 3—Link Layer address (duid-ll)

The duid-llt DUID consists of a 2-octet type field that contains the value 1, a 2-octet
hardware type code, 4 octets that signify a time value, followed by the Link Layer address
of any one network interface that is connected to the DHCP device at the time that the
DUID is generated.

The vendor DUID is assigned by the vendor to the device and contains the vendor's
registered private enterprise number as maintained by the identity association for
nontemporary addresses (IA_NA) assignment, followed by a unique identifier assigned
by the vendor.

The duid-ll DUID contains a 2-octet type field that stores the value 3, and a 2-octet
network hardware type code, followed by the Link Layer address of any one network
interface that is permanently connected to the client or server device.
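A parser for the three DUID layouts described above, added here as an example; it is not Junos code. The field layout follows RFC 3315 (DUID-LLT is type 1, DUID-EN is type 2, DUID-LL is type 3), the DUID-LLT time value is seconds since 1 January 2000 UTC as that RFC defines it, and the 128-octet limit is the one stated in the text. The vendor DUID in the sample is the one quoted in the text; the LLT and LL samples are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

MAX_IDENTIFIER_OCTETS = 128                             # excluding the 2-octet type code
DUID_LLT_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)  # RFC 3315 time base


def _fmt(data):
    """Render raw octets in the colon-separated form the text uses."""
    return ":".join(f"{b:02x}" for b in data)


def llt_time_to_datetime(seconds):
    """Convert a DUID-LLT time field to an absolute UTC timestamp."""
    return DUID_LLT_EPOCH + timedelta(seconds=seconds)


def parse_duid(text):
    """Parse a colon-separated (or bare hex) DUID string into its fields.

    Raises ValueError for a truncated DUID, an identifier longer than 128
    octets, or a type code other than 1, 2 or 3.
    """
    raw = bytes.fromhex(text.replace(":", ""))
    if len(raw) < 2:
        raise ValueError("DUID is shorter than the 2-octet type code")
    if len(raw) - 2 > MAX_IDENTIFIER_OCTETS:
        raise ValueError("DUID identifier exceeds 128 octets")
    duid_type = struct.unpack("!H", raw[:2])[0]   # network byte order
    body = raw[2:]
    if duid_type == 1:   # duid-llt: hardware type (2), time (4), link-layer address
        if len(body) < 6:
            raise ValueError("DUID-LLT body is too short")
        hw_type, when = struct.unpack("!HI", body[:6])
        return {"type": "duid-llt", "hardware_type": hw_type, "time": when,
                "link_layer": _fmt(body[6:])}
    if duid_type == 2:   # vendor (DUID-EN): enterprise number (4), vendor identifier
        if len(body) < 4:
            raise ValueError("DUID-EN body is too short")
        enterprise = struct.unpack("!I", body[:4])[0]
        return {"type": "vendor", "enterprise_number": enterprise,
                "identifier": _fmt(body[4:])}
    if duid_type == 3:   # duid-ll: hardware type (2), link-layer address
        if len(body) < 2:
            raise ValueError("DUID-LL body is too short")
        hw_type = struct.unpack("!H", body[:2])[0]
        return {"type": "duid-ll", "hardware_type": hw_type, "link_layer": _fmt(body[2:])}
    raise ValueError(f"unknown DUID type {duid_type}")


if __name__ == "__main__":
    # The vendor DUID quoted in the text, plus constructed LLT and LL samples
    # (hardware type 1 is Ethernet in the ARP hardware-type registry).
    for sample in ("00:02:00:01:02:03:04:05:07:a0",
                   "00:01:00:01:1c:39:cf:88:00:11:22:33:44:55",
                   "00:03:00:01:00:11:22:33:44:55"):
        parsed = parse_duid(sample)
        if parsed["type"] == "duid-llt":
            parsed["generated_at"] = llt_time_to_datetime(parsed["time"]).isoformat()
        print(sample, "->", parsed)
```

Because the DUID is opaque to the protocol, a server matches it byte-for-byte; parsing it is useful when reconciling leases and for spotting a DUID-LLT whose embedded time is implausible for the device's install date.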

Related Documentation
• DHCPv6 Client Overview on page 39

CHAPTER 8

DHCPv6 Local Server

• DHCPv6 Server Overview on page 41

DHCPv6 Server Overview

Supported Platforms LN Series, SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, SRX5800

A Dynamic Host Configuration Protocol version 6 (DHCPv6) server can automatically
allocate IP addresses to IP version 6 (IPv6) clients and deliver configuration settings to
client hosts on a subnet or to requesting devices that need an IPv6 prefix. A DHCPv6
server lets network administrators centrally manage a pool of IP addresses among hosts
and automate the assignment of IP addresses in a network.

NOTE: SRX Series and J Series devices do not support DHCP client
authentication. In a DHCPv6 deployment, security policies control access
through the device for any DHCP client that has received an address and
other attributes from the DHCPv6 server.

Some features include:

• Configuration for a specific interface or a group of interfaces

• Stateless address autoconfiguration (SLAAC)

• Prefix delegation, including access-internal route installation

• DHCPv6 server groups

The DHCPv6 server configuration usually consists of DHCPv6 options for clients, an IPv6
prefix, an address pool that contains IPv6 address ranges and options, and a security
policy to allow DHCPv6 traffic. In a typical setup the provider Juniper Networks device is
configured as an IPv6 prefix delegation server that assigns addresses to the customer
edge device. The customer’s edge router then provides addresses to internal devices.

To configure DHCPv6 local server on a device, you include the DHCPv6 statement at the
[edit system services dhcp-local-server] hierarchy level. You then create an address
assignment pool for DHCPv6 that is configured in the [edit access address-assignment
pool] hierarchy level using the family inet6 statement.


You can also include the dhcpv6 statement at the [edit routing-instances
routing-instance-name system services dhcp-local-server] hierarchy.

NOTE: Existing DHCPv4 configurations in the [edit system services dhcp]
hierarchy are not affected when you upgrade to Junos OS Release 10.4 from
an earlier version or enable DHCPv6 server.

Related Documentation

• Example: Configuring DHCPv6 Server Options on page 100
• Example: Configuring an Address-Assignment Pool on page 103

• Configuring a Named Address Range for Dynamic Address Assignment on page 105

• Creating a Security Policy for DHCPv6 on page 99

• Administration Guide for Security Devices



CHAPTER 9

File Management

• File Management Overview on page 43

File Management Overview

Supported Platforms J Series, LN Series, SRX Series

You can use the J-Web user interface and the CLI to perform routine file management
operations such as archiving log files and deleting unused log files, cleaning up temporary
files and crash files, and downloading log files from the routing platform to your computer.
You can also encrypt the configuration files with the CLI to prevent unauthorized users
from viewing sensitive configuration information.

Before you perform any file management tasks, you must perform the initial device
configuration described in the Getting Started Guide for your device.

Related Documentation

• Cleaning Up Files on page 309
• Cleaning Up Files with the CLI on page 310

• Managing Accounting Files on page 313

• Encrypting Configuration Files on page 308

• Network Monitoring and Troubleshooting Guide for Security Devices

• Junos OS System Log Reference for Security Devices



CHAPTER 10

Licenses

• Junos OS License Overview on page 45

• Junos OS Feature License Model Number for J Series Services Routers and SRX Series Services Gateways on page 47

Junos OS License Overview

Supported Platforms J Series, LN Series, SRX Series

To enable some Junos OS features, you must purchase, install, and manage separate
software licenses. For those features that require a license, the presence on the device
of the appropriate software license keys (passwords) determines whether you can use
the feature.

For information about how to purchase software licenses for your device, contact your
Juniper Networks sales representative.

Certain Junos OS features require licenses. Each license is valid for only a single device.
To manage the licenses, you must understand license enforcement and the components
of a license key.

This section contains the following topics:

• License Enforcement on page 45

• License Key Components on page 46

• License Management Fields Summary on page 46

License Enforcement
For features that require a license, you must install and properly configure the license to
use the feature. Although the device allows you to commit a configuration that specifies
a feature requiring a license when the license is not present, you are prohibited from
actually using the feature.

Successful commitment of a configuration does not imply that the required licenses are
installed. If a required license is not present, the system provides a warning message
after it commits the configuration rather than failing to commit it because of a license
violation.


License Key Components


A license key consists of two parts:

• License ID—Alphanumeric string that uniquely identifies the license key. When a license
is generated, it is given a license ID.

• License data—Block of binary data that defines and stores all license key objects.

For example, in the following typical license key, the string XXXXXXXXXX is the license
ID, and the trailing block of data is the license data:

XXXXXXXXXX xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx
xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx
xxxxxx xxxxxx xxx

The license data defines the device ID for which the license is valid and the version of the
license.

License Management Fields Summary


The Licenses page displays a summary of licensed features that are configured on the
device and a list of licenses that are installed on the device. The information on the license
management page is summarized in Table 10 on page 46.

Table 10: Summary of License Management Fields

Feature Summary

Feature: Name of the licensed feature:
• Features—Software feature licenses.
• All features—All-inclusive licenses.

Licenses Used: Number of licenses currently being used on the device. Usage is determined by the
configuration on the device. If a feature license exists and that feature is configured, the
license is considered used.

Licenses Installed: Number of licenses installed on the device for the particular feature.

Licenses Needed: Number of licenses required for legal use of the feature. Usage is determined by the
configuration on the device: If a feature is configured and the license for that feature is not
installed, a single license is needed.

Installed Licenses

ID: Unique alphanumeric ID of the license.

State: Valid—The installed license key is valid. Invalid—The installed license key is not valid.

Version: Numeric version number of the license key.

Group: If the license defines a group license, this field displays the group definition. If the
license requires a group license, this field displays the required group definition.
NOTE: Because group licenses are currently unsupported, this field is always blank.

Enabled Features: Name of the feature that is enabled with the particular license.

Expiry: Verify that the expiration information for the license is correct. For Junos OS, only
permanent licenses are supported. If a license has expired, it is shown as invalid.

Related Documentation

• Junos OS Feature License Model Number for J Series Services Routers and SRX Series Services Gateways on page 47

• Generating a License Key on page 316

• Updating License Keys on page 317

• Saving License Keys on page 317

• Downloading License Keys on page 316

• Installation and Upgrade Guide for Security Devices

• Administration Guide for Security Devices

Junos OS Feature License Model Number for J Series Services Routers and SRX Series
Services Gateways

Supported Platforms J Series, SRX Series

For information about how to purchase a software license, contact your Juniper Networks
sales representative at http://www.juniper.net/in/en/contact-us/.

Each feature license is tied to exactly one software feature, and that license is valid for
exactly one device. Table 11 on page 47 describes the Junos OS features that require
licenses.

Table 11: Junos OS Feature Licenses

Columns (Junos OS license requirements), left to right: SRX100, SRX110, SRX210, SRX220,
SRX240, SRX550, SRX650, SRX1400, SRX3000 line, SRX5000 line.

Feature

Access Manager X X X X X X X


BGP Route X
Reflectors

Dynamic VPN X X X X X X X

IDP Signature X* X X* X* X* X X X X X
Update

Application X X X X X X X X X X
Signature Update
(Application
Identification)

Juniper-Kaspersky X X X X X X X
Antivirus

Juniper-Sophos X X X X X X X X X X
Antivirus

Juniper-Sophos X X X X X X X X X X
Antispam

Juniper-Enhanced X X X X X X X X X X
Web filtering

Juniper-Websense X X X X X X X
Web filtering

Logical Systems X X X

SRX100 Memory X
Upgrade

UTM X* X X* X X* X X X X X

* Indicates support on high-memory devices only.

Each license allows you to run the specified advanced software features on a single
device.

Related Documentation

• Junos OS License Overview on page 45

• Installation and Upgrade Guide for Security Devices

• Administration Guide for Security Devices



PART 2

Configuration
• USB Modems for Remote Management Setup on page 51
• DHCP for IP Address Device on page 61
• DHCPv6 Client on page 91
• DHCPv6 Local Server on page 99
• Configuration Statements on page 109
• Configuration Statements (System) on page 199



CHAPTER 11

USB Modems for Remote Management Setup

• Example: Configuring a USB Modem Interface on page 51
• Example: Configuring a Dialer Interface on page 53
• Example: Configuring a Dialer Interface for USB Modem Dial-In on page 57
• Configuring a Dial-Up Modem Connection Remotely on page 59

Example: Configuring a USB Modem Interface

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240

This example shows how to configure a USB modem interface for dial backup.

• Requirements on page 51
• Overview on page 51
• Configuration on page 51
• Verification on page 52

Requirements
No special configuration beyond device initialization is required before configuring this
feature.

Overview
In this example, you create an interface called umd0 for USB modem connectivity
and set the dialer pool priority to 25. You also configure a modem initialization string
that makes the modem autoanswer after a specified number of rings. The default modem
initialization string is AT S7=45 S0=0 V1 X4 &C1 E0 Q0 &Q8 %C0; the modem command
S0=0 in that string disables autoanswer, whereas the string ATS0=2 used here answers
after two rings. Finally, you set the modem to act as a dial-in WAN backup interface.

Configuration
CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy
level.

set interfaces umd0 dialer-options pool usb-modem-dialer-pool priority 25
set interfaces umd0 modem-options init-command-string "ATS0=2 \n"
set interfaces umd0 modem-options dialin routable

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration
hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration
Mode.

To configure a USB modem interface for dial backup:

1. Create an interface.

[edit]
user@host# edit interfaces umd0

2. Set the dialer options and priority.

[edit interfaces umd0]
user@host# set dialer-options pool usb-modem-dialer-pool priority 25

3. Specify the modem options.

[edit interfaces umd0]
user@host# set modem-options init-command-string "ATS0=2 \n"

4. Set the modem to act as a dial-in WAN backup interface.

[edit interfaces umd0]
user@host# set modem-options dialin routable

Results From configuration mode, confirm your configuration by entering the show interfaces umd0
command. If the output does not display the intended configuration, repeat the
configuration instructions in this example to correct it.

[edit]
user@host# show interfaces umd0
modem-options {
init-command-string "ATS0=2 \n";
dialin routable;
}
dialer-options {
pool usb-modem-dialer-pool priority 25;
}

If you are done configuring the device, enter commit from configuration mode.

Verification
Confirm that the configuration is working properly.

Verifying the Configuration

Purpose Verify a USB modem interface for dial backup.


Action From configuration mode, enter the show interfaces umd0 extensive command. The
output shows a summary of interface information and displays the modem status.

Physical interface: umd0, Enabled, Physical link is Up
  Interface index: 64, SNMP ifIndex: 33, Generation: 1
  Type: Async-Serial, Link-level type: PPP-Subordinate, MTU: 1504,
  Clocking: Unspecified, Speed: MODEM
  Device flags : Present Running
  Interface flags: Point-To-Point SNMP-Traps Internal: 0x4000
  Link flags : None
  Hold-times : Up 0 ms, Down 0 ms
  Last flapped : Never
  Statistics last cleared: Never
  Traffic statistics:
    Input bytes : 21672
    Output bytes : 22558
    Input packets: 1782
    Output packets: 1832
  Input errors:
    Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Giants: 0, Policed discards: 0,
    Resource errors: 0
  Output errors:
    Carrier transitions: 63, Errors: 0, Drops: 0, MTU errors: 0, Resource errors: 0
  MODEM status:
    Modem type : LT V.92 1.0 MT5634ZBA-USB-V92 Data/Fax Modem (Dual Config) Version 2.27m
    Initialization command string : ATS0=2
    Initialization status : Ok
    Call status : Connected to 4085551515
    Call duration : 13429 seconds
    Call direction : Dialin
    Baud rate : 33600 bps
    Most recent error code : NO CARRIER

  Logical interface umd0.0 (Index 2) (SNMP ifIndex 34) (Generation 1)
    Flags: Point-To-Point SNMP-Traps Encapsulation: PPP-Subordinate

Related Documentation

• USB Modem Configuration Overview on page 22

• USB Modem Interface Overview on page 19

• Example: Configuring a Dialer Interface for USB Modem Dial-In on page 57

• Administration Guide for Security Devices

• Modem Interfaces Feature Guide for Security Devices

Example: Configuring a Dialer Interface

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240


This example shows how to configure a logical dialer interface for the device.

• Requirements on page 54
• Overview on page 54
• Configuration on page 54
• Verification on page 56

Requirements
Before you begin:

• Install device hardware and establish basic connectivity. See the Getting Started Guide
for your device.

• Order a US Robotics USB 56k V.92 Modem, model number USR Model 5637, from US
Robotics (http://www.usr.com/).

• Order a dial-up modem for the PC or laptop computer at the remote location from
where you want to connect to the device.

• Order a PSTN line from your telecommunications service provider. Contact your service
provider.

Overview
In this example, you configure a logical dialer interface called dl0 to establish USB
connectivity. You can configure multiple dialer interfaces for different functions on the
device. You add a description to differentiate among different dialer interfaces. For
example, this modem is called USB-modem-remote-management. Configure PPP
encapsulation and set the logical unit as 0. You then specify the name of the dialer pool
as usb-modem-dialer-pool and set the source and destination IP addresses as 172.20.10.2,
and 172.20.10.1, respectively.

NOTE: You cannot configure Cisco High-Level Data Link Control (HDLC) or
Multilink PPP (MLPPP) encapsulation on dialer interfaces used in USB modem
connections.

NOTE: If you configure multiple dialer interfaces, ensure that the same IP
subnet address is not configured on different dialer interfaces. Configuring
the same IP subnet address on multiple dialer interfaces can result in
inconsistency in the route and packet loss. The device might route packets
through another dialer interface with the IP subnet address instead of through
the dialer interface to which the USB modem call is mapped.

Configuration
CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy
level.

set interfaces dl0 description USB-modem-remote-management
set interfaces dl0 encapsulation ppp
set interfaces dl0 unit 0 dialer-options pool usb-modem-dialer-pool
set interfaces dl0 unit 0 family inet address 172.20.10.2 destination 172.20.10.1

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration
hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration
Mode in the CLI User Guide.

To configure a logical dialer interface for the device:

1. Create an interface.

[edit]
user@host# edit interfaces dl0

2. Add a description and configure PPP encapsulation.

[edit interfaces dl0]
user@host# set description USB-modem-remote-management
user@host# set encapsulation ppp

3. Create the logical unit.

NOTE: The logical unit number must be 0.

[edit interfaces dl0]
user@host# set unit 0

4. Configure the name of the dialer pool to use for USB modem connectivity.

[edit interfaces dl0 unit 0]
user@host# set dialer-options pool usb-modem-dialer-pool

5. Configure source and destination IP addresses for the dialer interface.

[edit interfaces dl0 unit 0]
user@host# set family inet address 172.20.10.2 destination 172.20.10.1

Results From configuration mode, confirm your configuration by entering the show interfaces dl0
command. If the output does not display the intended configuration, repeat the
configuration instructions in this example to correct it.

[edit]
user@host# show interfaces dl0
description USB-modem-remote-management;
encapsulation ppp;
unit 0 {
    family inet {
        address 172.20.10.2/32 {
            destination 172.20.10.1;
        }
    }
    dialer-options {
        pool usb-modem-dialer-pool;
    }
}

If you are done configuring the device, enter commit from configuration mode.

Verification
Confirm that the configuration is working properly.

Verifying a Dialer Interface

Purpose Verify that the dialer interface has been configured.

Action From configuration mode, enter the show interfaces dl0 extensive command. The output
shows a summary of dialer interface information.

Physical interface: dl0, Enabled, Physical link is Up
  Interface index: 128, SNMP ifIndex: 24, Generation: 129
  Type: 27, Link-level type: PPP, MTU: 1504, Clocking: Unspecified, Speed: Unspecified
  Device flags : Present Running
  Interface flags: SNMP-Traps
  Link type : Full-Duplex
  Link flags : Keepalives
  Physical info : Unspecified
  Hold-times : Up 0 ms, Down 0 ms
  Current address: Unspecified, Hardware address: Unspecified
  Alternate link address: Unspecified
  Last flapped : Never
  Statistics last cleared: Never
  Traffic statistics:
    Input bytes : 13859 0 bps
    Output bytes : 0 0 bps
    Input packets: 317 0 pps
    Output packets: 0 0 pps
  Input errors:
    Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Giants: 0, Policed discards: 0,
    Resource errors: 0
  Output errors:
    Carrier transitions: 0, Errors: 0, Drops: 0, MTU errors: 0, Resource errors: 0

  Logical interface dl0.0 (Index 70) (SNMP ifIndex 75) (Generation 146)
    Description: USB-modem-remote-management
    Flags: Point-To-Point SNMP-Traps 0x4000 LinkAddress 23-0 Encapsulation: PPP
    Dialer:
      State: Active, Dial pool: usb-modem-dialer-pool
      Dial strings: 220
      Subordinate interfaces: umd0 (Index 64)
      Activation delay: 0, Deactivation delay: 0
      Initial route check delay: 120
      Redial delay: 3
      Callback wait period: 5
      Load threshold: 0, Load interval: 60
      Bandwidth: 115200
    Traffic statistics:
      Input bytes : 24839
      Output bytes : 17792
      Input packets: 489
      Output packets: 340
    Local statistics:
      Input bytes : 10980
      Output bytes : 17792
      Input packets: 172
      Output packets: 340
    Transit statistics:
      Input bytes : 13859 0 bps
      Output bytes : 0 0 bps
      Input packets: 317 0 pps
      Output packets: 0 0 pps
    LCP state: Opened
    NCP state: inet: Opened, inet6: Not-configured, iso: Not-configured, mpls: Not-configured
    CHAP state: Success
    Protocol inet, MTU: 1500, Generation: 136, Route table: 0
      Flags: None
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 172.20.10.1, Local: 172.20.10.2, Broadcast: Unspecified, Generation: 134

Related Documentation

• USB Modem Interface Overview on page 19

• USB Modem Configuration Overview on page 22

• Example: Configuring a USB Modem Interface on page 51

• Example: Configuring a Dialer Interface for USB Modem Dial-In on page 57

• Administration Guide for Security Devices

Example: Configuring a Dialer Interface for USB Modem Dial-In

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240

This example shows how to configure a dialer interface for USB modem dial-in.

• Requirements on page 57
• Overview on page 57
• Configuration on page 58
• Verification on page 59

Requirements
No special configuration beyond device initialization is required before configuring this
feature.

Overview
To enable connections to the USB modem from a remote location, you must configure
the dialer interfaces set up for USB modem use to accept incoming calls. You can


configure a dialer interface to accept all incoming calls or accept only calls from one or
more caller IDs.

If the dialer interface is configured to accept only calls from a specific caller ID, the system
matches the incoming call's caller ID against the caller IDs configured on its dialer
interfaces. If an exact match is not found and the incoming call's caller ID has more digits
than the configured caller IDs, the system performs a right-to-left match of the incoming
call's caller ID with the configured caller IDs and accepts the incoming call if a match is
found. For example, if the incoming call's caller ID is 4085550115 and the caller ID
configured on a dialer interface is 5550115, the incoming call is accepted. Each dialer
interface accepts calls from only callers whose caller IDs are configured on it.

You can configure the following incoming map options for the dialer interface:

• accept-all—Dialer interface accepts all incoming calls.

You can configure the accept-all option for only one of the dialer interfaces associated
with a USB modem physical interface. The device uses the dialer interface with the
accept-all option configured only if the incoming call's caller ID does not match the
caller IDs configured on other dialer interfaces.

• caller—Dialer interface accepts calls from a specific caller ID—for example, 4085550115.
You can configure a maximum of 15 caller IDs per dialer interface.

The same caller ID must not be configured on different dialer interfaces. However, you
can configure caller IDs with more or fewer digits on different dialer interfaces. For
example, you can configure the caller IDs 14085550115, 4085550115, and 5550115 on
different dialer interfaces.

In this example, you configure the incoming map option as caller 4085550115 for dialer
interface dl0.
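The screening rules above, modelled in Python as an added example (not Junos code), with the per-modem configuration limits checked first; the dl0, dl1 and dl2 interfaces and their caller IDs are a constructed configuration, and preferring the longest configured ID when several right-to-left matches exist is an assumption, since the page does not say which wins.

```python
"""Caller-ID screening for USB modem dial-in, as described above.

Added example, not Junos code. It models the accept rules the text gives:
exact match first, then a right-to-left match when the incoming caller ID has
more digits than a configured one, then the single accept-all interface as a
last resort. It also enforces the stated limits: at most 15 caller IDs per
dialer interface, no caller ID on two interfaces, accept-all on at most one
interface per modem. The longest-suffix preference in step 2 is an assumption.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_CALLER_IDS = 15


class ConfigError(ValueError):
    """Raised for incoming-map settings the text says are not allowed."""


@dataclass
class DialerInterface:
    name: str                                   # e.g. "dl0"
    caller_ids: List[str] = field(default_factory=list)
    accept_all: bool = False


def validate_incoming_map(interfaces: List[DialerInterface]) -> None:
    """Apply the per-modem constraints before any call is screened."""
    owner = {}
    accept_all_on = [i.name for i in interfaces if i.accept_all]
    if len(accept_all_on) > 1:
        raise ConfigError(f"accept-all on more than one interface: {accept_all_on}")
    for itf in interfaces:
        if len(itf.caller_ids) > MAX_CALLER_IDS:
            raise ConfigError(f"{itf.name}: more than {MAX_CALLER_IDS} caller IDs")
        for cid in itf.caller_ids:
            if not cid.isdigit():
                raise ConfigError(f"{itf.name}: caller ID {cid!r} is not all digits")
            if cid in owner and owner[cid] != itf.name:
                raise ConfigError(f"caller ID {cid} on both {owner[cid]} and {itf.name}")
            owner[cid] = itf.name


def select_dialer(interfaces: List[DialerInterface], incoming: str) -> Optional[str]:
    """Return the dialer interface that accepts the call, or None to reject it."""
    validate_incoming_map(interfaces)
    # 1. Exact match against every configured caller ID.
    for itf in interfaces:
        if incoming in itf.caller_ids:
            return itf.name
    # 2. Right-to-left match: the incoming ID is longer and ends with a configured ID.
    #    Assumption: the longest configured ID wins when several match.
    best: Optional[Tuple[int, str]] = None
    for itf in interfaces:
        for cid in itf.caller_ids:
            if len(incoming) > len(cid) and incoming.endswith(cid):
                if best is None or len(cid) > best[0]:
                    best = (len(cid), itf.name)
    if best is not None:
        return best[1]
    # 3. accept-all is used only when no caller ID matched.
    for itf in interfaces:
        if itf.accept_all:
            return itf.name
    return None


if __name__ == "__main__":
    # Constructed configuration: three dialer interfaces on one USB modem.
    cfg = [
        DialerInterface("dl0", ["4085550115"]),
        DialerInterface("dl1", ["5550115"]),
        DialerInterface("dl2", accept_all=True),
    ]
    for caller in ("4085550115", "14085550115", "2125550115", "6505551234"):
        print(caller, "->", select_dialer(cfg, caller))
```

Caller-ID screening only narrows which callers reach a dialer interface; the CHAP credentials configured on the dialer interface (see the remote dial-up procedure later in this chapter) remain the authentication step.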

Configuration
CLI Quick To quickly configure this example, copy the following command, paste it into a text file,
Configuration remove any line breaks, change any details necessary to match your network configuration,
and then copy and paste the command into the CLI at the [edit] hierarchy level.

set interfaces dl0 unit 0 dialer-options incoming-map caller 4085550115

Step-by-Step Procedure

To configure a dialer interface for USB modem dial-in:
1. Select a dialer interface.

[edit]
user@host# edit interfaces dl0

2. Configure the incoming map options.

[edit interfaces dl0]
user@host# set unit 0 dialer-options incoming-map caller 4085550115

3. If you are done configuring the device, commit the configuration.

[edit]
user@host# commit


Verification
To verify that the configuration is working properly, enter the show interfaces dl0 command.

Related Documentation

• USB Modem Configuration Overview on page 22
• Example: Configuring a USB Modem Interface on page 51

• Administration Guide for Security Devices

• Modem Interfaces Feature Guide for Security Devices

Configuring a Dial-Up Modem Connection Remotely

Supported Platforms J Series, LN Series, SRX Series

To remotely connect to the USB modem connected to the USB port on the device, you
must configure a dial-up modem connection on the PC or laptop computer at your remote
location. Configure the dial-up modem connection properties to disable IP header
compression.

To configure a dial-up modem connection remotely:

1. At your remote location, connect a modem to a management device such as a PC or
laptop computer.

2. Connect the modem to your telephone network.

3. On the PC or laptop computer, select Start>Settings>Control Panel>Network
Connections. The Network Connections page appears.

4. Click Create a new connection. The New Connection Wizard appears.

5. Click Next. The New Connection Wizard: Network Connection Type page appears.

6. Select Connect to the network at my workplace, and then click Next.

The New Connection Wizard: Network Connection page appears.

7. Select Dial-up connection, and then click Next. The New Connection Wizard: Connection
Name page appears.

8. In the Company Name box, type the dial-up connection name, for example
USB-modem-connect. Then, click Next. The New Connection Wizard: Phone Number
to Dial page appears.

9. In the Phone number box, type the telephone number of the PSTN line connected to
the USB modem at the device end.

10. Click Next twice, and then click Finish. The Connect USB-modem-connect page
appears.

11. If CHAP is configured on the dialer interface used for the USB modem interface at the
device end, type the username and password configured in the CHAP configuration
in the User name and Password boxes.


12. Click Properties. The USB-modem-connect Properties page appears.

13. In the Networking tab, select Internet Protocol (TCP/IP), and then click Properties.
The Internet Protocol (TCP/IP) Properties page appears.

14. Click Advanced. The Advanced TCP/IP Settings page appears.

15. Clear the Use IP header compression check box.

Related Documentation

• USB Modem Interface Overview on page 19
• USB Modem Configuration Overview on page 22

• Connecting to the Device Remotely on page 291

• Administration Guide for Security Devices



CHAPTER 12

DHCP for IP Address Device

• Example: Configuring the Device as a DHCP Server on page 61
• Example: Configuring the Device as a DHCP Client on page 67
• Example: Configuring the Device as a BOOTP or DHCP Relay Agent on page 71
• Configuring a DHCP Local Server on page 76
• Configuring a DHCP Client on page 80
• Configuring a DHCP Relay Agent on page 82
• Minimum DHCP Local Server Configuration on page 83
• Configuring Address-Assignment Pools on page 84
• Configuring an Address-Assignment Pool Name and Addresses on page 84
• Configuring DHCP Client-Specific Attributes on page 85
• Configuring a Named Address Range for Dynamic Address Assignment on page 86
• Configuring Static Address Assignments on page 86
• Enabling TCP/IP Propagation on a DHCP Local Server on page 87
• Minimum DHCP Client Configuration on page 88
• Configuring Optional DHCP Client Attributes on page 88
• Minimum DHCP Relay Agent Configuration on page 89

Example: Configuring the Device as a DHCP Server

Supported Platforms J Series, LN Series, SRX Series

This example shows how to configure the device as a DHCP server.

• Requirements on page 62
• Overview on page 62
• Configuration on page 62
• Verification on page 65


Requirements
Before you begin:

• Determine the IP address pools and the lease durations to use for each subnet.

• Obtain the MAC addresses of the clients that require permanent IP addresses. Determine
the IP addresses to use for these clients.

• List the IP addresses that are available for the servers and devices on your network;
for example, DNS, NetBIOS servers, boot servers, and gateway devices. See
Understanding Management Predefined Policy Applications.

• Determine the DHCP options required by the subnets and clients in your network.

Overview
In this example, you configure the device as a DHCP server. You specify the IP address
pool as 192.168.2.0/24 and from a low range of 192.168.2.2 to a high range of 192.168.2.254.
You set the default-lease-time to 1,209,600 and the maximum-lease-time to 2,419,200.
You then set the domain search suffixes as mycompany.net and mylab.net. These suffixes
specify the domain search list used by a client when resolving hostnames with DNS.

Then you specify the DNS server IP address as 192.168.10.2. You set the IP address for
the device solicitation address option (option 32) as 192.168.2.33. The IP address excluded
from the IP address pool is reserved for this option. Finally, you assign a fixed IP address
as 192.168.2.50 with the MAC address of the client, 01:03:05:07:09:0B.

Configuration
CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy
level.

set system services dhcp pool 192.168.2.0/24 address-range low 192.168.2.2 high 192.168.2.254
set system services dhcp pool 192.168.2.0/24 default-lease-time 1209600
set system services dhcp pool 192.168.2.0/24 maximum-lease-time 2419200
set system services dhcp pool 192.168.2.0/24 domain-search mycompany.net
set system services dhcp pool 192.168.2.0/24 domain-search mylab.net
set system services dhcp pool 192.168.2.0/24 name-server 192.168.10.2
set system services dhcp pool 192.168.2.0/24 option 32 ip-address 192.168.2.33
set system services dhcp static-binding 01:03:05:07:09:0B fixed-address 192.168.2.50

GUI Step-by-Step Procedure

To configure the device as a DHCP server:
1. In the J-Web interface, select Configure>Services>DHCP>Boot DHCP Relay.

2. Next to System, click Configure.

3. Next to Services, make sure the check box is selected, and click Configure.

4. Next to Dhcp, click Configure.


5. Define the IP address pool. Next to Pool, click Add new entry.

6. In the Subnet address box, type 192.168.2.0/24.

7. Next to Address range, select the check box.

8. In the High box, type 192.168.2.254.

9. In the Low box, type 192.168.2.2.

10. Click OK.

11. Define the default and maximum lease times, in seconds. From the Default lease time
list, select Enter Specific Value.

12. In the Length box, type 1209600.

13. From the Maximum lease time list, select Enter Specific Value.

14. Next to Maximum lease time, type 2419200.

15. Define the domain search suffixes to be used by the clients. Next to Domain search,
click Add new entry.

16. In the Suffix box, type mycompany.net.

17. Click OK.

18. Next to Domain search, click Add new entry.

19. In the Suffix box, type mylab.net.

20. Click OK.

21. Define a DNS server. Next to Name server, click Add new entry.

22. In the Address box, type 192.168.10.2.

23. Click OK.

24. Define DHCP option 32, the device solicitation address option. Next to Option, click
Add new entry.

25. In the Option identifier code box, type 32.

26. From the Option type choice list, select Ip address.

27. In the Ip address box, type 192.168.2.33.

28. Click OK twice.

29. Assign a static IP address to a MAC address. Next to Static binding, click Add new entry.

30. In the Mac address box, type 01:03:05:07:09:0B.

31. Next to Fixed address, click Add new entry.

32. In the Address box, type 192.168.2.50.

33. Click OK until you return to the Configuration page.

34. Click OK to check your configuration and save it as a candidate configuration.

35. If you are done configuring the device, click Commit Options>Commit.


Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration
hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration
Mode.

To configure the device as a DHCP server:

1. Configure the DHCP server.

[edit]
user@host# edit system services dhcp

2. Specify the IP address pool range.

[edit system services dhcp]
user@host# set pool 192.168.2.0/24 address-range low 192.168.2.2 high 192.168.2.254

3. Define the default and maximum lease times, in seconds.

[edit system services dhcp]
user@host# set pool 192.168.2.0/24 default-lease-time 1209600 maximum-lease-time 2419200

4. Define the domain search suffixes to be used by the clients.

[edit system services dhcp]
user@host# set pool 192.168.2.0/24 domain-search mycompany.net
user@host# set pool 192.168.2.0/24 domain-search mylab.net

5. Specify the DNS server IP address.

[edit system services dhcp]
user@host# set pool 192.168.2.0/24 name-server 192.168.10.2

6. Set the device solicitation IP address.

[edit system services dhcp]
user@host# set pool 192.168.2.0/24 option 32 ip-address 192.168.2.33

7. Assign a fixed IP address with the MAC address of the client.

[edit system services dhcp]
user@host# set static-binding 01:03:05:07:09:0B fixed-address 192.168.2.50

Results

From configuration mode, confirm your configuration by entering the show system services
dhcp command. If the output does not display the intended configuration, repeat the
configuration instructions in this example to correct it.

[edit]
user@host# show system services dhcp
pool 192.168.2.0/24 {
    address-range low 192.168.2.2 high 192.168.2.254;
    maximum-lease-time 2419200;
    default-lease-time 1209600;
    name-server {
        192.168.10.2;
    }
    domain-search {
        mycompany.net;
        mylab.net;
    }
    option 32 ip-address 192.168.2.33;
}
static-binding 01:03:05:07:09:0B {
    fixed-address {
        192.168.2.50;
    }
}

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

• Verifying Global DHCP Information on page 65
• Verifying the DHCP Binding Database on page 65
• Verifying DHCP Server Operation on page 66

Verifying Global DHCP Information

Purpose

Verify that the global DHCP information has been configured for the device.

Action

From operational mode, enter the show system services dhcp global command.

Global settings:
BOOTP lease length infinite
DHCP lease times:
Default lease time 1 day
Minimum lease time 1 minute
Maximum lease time infinite

DHCP options:
Name: domain-name, Value: mylablab.example.net
Name: name-server, Value: [ 192.168.5.68, 172.17.28.101, 172.17.28.100 ]

Verifying the DHCP Binding Database

Purpose

Verify that the DHCP binding database reflects the DHCP server configuration.

Action

From operational mode, enter these commands:

• show system services dhcp binding command to display all active bindings in the
database.

• show system services dhcp binding address detail command (where address is the IP
address of the client) to display more information about a client.

• show system services dhcp conflict command to show any potential conflicts with the
bindings.

These commands produce the following sample output:

user@host> show system services dhcp binding

IP Address    Hardware Address    Type      Lease expires at
30.1.1.20     00:12:1e:a9:7b:81   dynamic   2007-05-11 11:14:43 PDT


user@host> show system services dhcp binding 3.3.3.2 detail

IP address 3.3.3.2
Hardware address 00:a0:12:00:13:02
Pool 3.3.3.0/24
Interface fe-0/0/0, relayed by 3.3.3.200

Lease information:
Type DHCP
Obtained at 2004-05-02 13:01:42 PDT
Expires at 2004-05-03 13:01:42 PDT
State active

DHCP options:
Name: name-server, Value: { 6.6.6.6, 6.6.6.7 }
Name: domain-name, Value: mydomain.tld
Code: 32, Type: ip-address, Value: 3.3.3.33

user@host> show system services dhcp conflict

Detection time           Detection method   Address
2004-08-03 19:04:00 PDT  ARP                3.3.3.5
2004-08-04 04:23:12 PDT Ping 4.4.4.8
2004-08-05 21:06:44 PDT Client 3.3.3.10
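The three commands above return bindings and conflicts as plain text. The following Python script is an added example and is not part of the Juniper guide: it parses both outputs into records and cross-checks them, so that an address that is both leased and flagged by conflict detection, a hardware address holding more than one lease, or a lease about to expire can be picked out without reading the tables by hand. The sample outputs embedded in the script are constructed to match the column layout shown above; only the 30.1.1.20 binding and the three conflict rows are taken from the page, the other binding rows are made up to exercise the checks.

```python
"""Turn the text of 'show system services dhcp binding' and
'show system services dhcp conflict' into records and cross-check them.

Added example, not Juniper code. BINDING_OUTPUT and CONFLICT_OUTPUT are
constructed to match the column layout on the page: the 30.1.1.20 binding
and the three conflict rows are the page's own values, the other binding
rows are made up for illustration.
"""
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class Binding(NamedTuple):
    ip: str
    mac: str
    kind: str           # dynamic or static
    expires: datetime   # local time; the zone column is not interpreted


class Conflict(NamedTuple):
    detected: datetime
    method: str         # ARP, Ping or Client
    ip: str


BINDING_OUTPUT = """\
IP Address        Hardware Address    Type      Lease expires at
30.1.1.20         00:12:1e:a9:7b:81   dynamic   2007-05-11 11:14:43 PDT
30.1.1.21         00:12:1e:a9:7b:82   dynamic   2007-05-10 12:00:00 PDT
30.1.1.22         00:12:1E:A9:7B:81   dynamic   2007-05-11 09:30:00 PDT
3.3.3.5           00:a0:12:00:13:05   static    2007-06-01 00:00:00 PDT
"""

CONFLICT_OUTPUT = """\
Detection time           Detection method   Address
2004-08-03 19:04:00 PDT  ARP                3.3.3.5
2004-08-04 04:23:12 PDT  Ping               4.4.4.8
2004-08-05 21:06:44 PDT  Client             3.3.3.10
"""


def _timestamp(date: str, time: str) -> datetime:
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")


def parse_bindings(text: str) -> List[Binding]:
    """Rows after the header line: ip, mac, type, date, time, zone."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 5:
            continue            # blank or wrapped line
        rows.append(Binding(f[0], f[1].lower(), f[2], _timestamp(f[3], f[4])))
    return rows


def parse_conflicts(text: str) -> List[Conflict]:
    """Rows after the header line: date, time, zone, method, ip."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 5:
            continue
        rows.append(Conflict(_timestamp(f[0], f[1]), f[3], f[4]))
    return rows


def leased_and_conflicting(bindings: List[Binding], conflicts: List[Conflict]) -> List[str]:
    """Addresses that hold a lease and were also detected in use by another host."""
    flagged = {c.ip for c in conflicts}
    return sorted(b.ip for b in bindings if b.ip in flagged)


def expiring_within(bindings: List[Binding], now: datetime, window: timedelta) -> List[str]:
    """Leases that expire between now and now + window."""
    return [b.ip for b in bindings if now <= b.expires <= now + window]


def duplicate_macs(bindings: List[Binding]) -> Dict[str, List[str]]:
    """One hardware address holding several leases: usually a client that
    changed its client-identifier, and a way for one host to drain a pool."""
    by_mac: Dict[str, List[str]] = {}
    for b in bindings:
        by_mac.setdefault(b.mac, []).append(b.ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    bindings = parse_bindings(BINDING_OUTPUT)
    conflicts = parse_conflicts(CONFLICT_OUTPUT)
    print("leased and conflicting:", leased_and_conflicting(bindings, conflicts))
    print("duplicate MACs:", duplicate_macs(bindings))
```

The MAC addresses are lowercased on parsing so that the 30.1.1.20 and 30.1.1.22 rows, which differ only in case, are recognised as the same hardware address; the zone column is skipped rather than interpreted because the output carries an abbreviation, not an offset.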

Verifying DHCP Server Operation

Purpose

Verify that the DHCP server is assigning addresses to clients.

Action

From operational mode, enter these commands:

• ping command to verify that a client responds to ping packets containing the destination
IP address assigned by the device.

• ipconfig /all command to display the IP configuration on the client. For example, on a
PC running Microsoft Windows, enter ipconfig /all at the command prompt to display
the PC's IP configuration.

user@host> ping 192.168.2.2

PING 192.168.2.2 (192.168.2.2): 56 data bytes
64 bytes from 192.168.2.2: icmp_seq=0 ttl=255 time=8.856 ms
64 bytes from 192.168.2.2: icmp_seq=1 ttl=255 time=11.543 ms
64 bytes from 192.168.2.2: icmp_seq=2 ttl=255 time=10.315 ms
...

C:\Documents and Settings\user> ipconfig /all

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : my-pc
Primary DNS Suffix . . . . . . . : mycompany.net
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : mycompany.net mylab.net

Ethernet adapter Local Area Connection 2:


Connection-specific DNS Suffix . : mycompany.net mylab.net
Description . . . . . . . . . . . : 10/100 LAN Fast Ethernet Card
Physical Address. . . . . . . . . : 02-04-06-08-0A-0C
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.2.2
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : 192.168.10.3
DHCP Server . . . . . . . . . . . : 192.168.2.1
DNS Servers . . . . . . . . . . . : 192.168.10.2
Primary WINS Server . . . . . . . : 192.168.10.4
Secondary WINS Server . . . . . . : 192.168.10.5
Lease Obtained. . . . . . . . . . : Monday, January 24, 2005 8:48:59 AM
Lease Expires . . . . . . . . . . : Monday, February 7, 2005 8:48:59 AM

Related Documentation

• DHCP Server, Client, and Relay Agent Overview on page 29

• Understanding DHCP Server Operation on page 31

• Understanding DHCP Relay Agent Operation on page 33

• DHCP Settings and Restrictions Overview on page 33

• Administration Guide for Security Devices

Example: Configuring the Device as a DHCP Client

Supported Platforms J Series, LN Series, SRX Series

This example shows how to configure the device as a DHCP client.

• Requirements on page 67
• Overview on page 67
• Configuration on page 68
• Verification on page 70

Requirements
Before you begin:

• Determine the IP address pools and the lease durations to use for each subnet.

• Obtain the MAC addresses of the clients that require permanent IP addresses. Determine
the IP addresses to use for these clients.

• List the IP addresses that are available for the servers and devices on your network;
for example, DNS, NetBIOS servers, boot servers, and gateway devices. See
Understanding Management Predefined Policy Applications.

• Determine the DHCP options required by the subnets and clients in your network.

Overview
In this example, you configure the device as a DHCP client. You specify the interface as
ge-0/0/1, set the logical unit as 0, and create a DHCP inet family. You then specify the
DHCP client identifier as 00:0a:12:00:12:12 in hexadecimal. You use hexadecimal if the
client identifier is a MAC address. You set the DHCP lease time as 86,400 seconds. The
range is from 60 through 2,147,483,647 seconds.

Then you set the number of retransmission attempts to 6. The range is from 0 through
6, and the default is 4. You set the retransmission interval to 5 seconds. The range is from
4 through 64, and the default is 4 seconds. Finally, you set the IPv4 address of the
preferred DHCP server to 10.1.1.1 and the vendor class ID to ether.

Configuration
CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy
level.

set interfaces ge-0/0/1 unit 0 family inet dhcp
set interfaces ge-0/0/1 unit 0 family inet dhcp client-identifier 00:0a:12:00:12:12
set interfaces ge-0/0/1 unit 0 family inet dhcp lease-time 86400
set interfaces ge-0/0/1 unit 0 family inet dhcp retransmission-attempt 6
set interfaces ge-0/0/1 unit 0 family inet dhcp retransmission-interval 5
set interfaces ge-0/0/1 unit 0 family inet dhcp server-address 10.1.1.1
set interfaces ge-0/0/1 unit 0 family inet dhcp vendor-id ether

GUI Step-by-Step Procedure

To configure the device as a DHCP client:

1. In the J-Web user interface, select Configure>Services>DHCP>Boot DHCP Relay.

2. Under Interfaces, click ge-0/0/1.

3. Under Unit, next to the unit number, click Edit.

4. Under Family, select the Inet check box and click Edit.

5. Next to Dhcp, click Yes and click Configure.

6. Configure the DHCP client identifier as either an ASCII or hexadecimal value. Next to
Client identifier, click Configure.

7. From the Client identifier choice list, select hexadecimal.

8. In the Hexadecimal box, type the client identifier—00:0a:12:00:12:12.

9. Click OK.

10. Set the DHCP lease time in seconds. From the Lease time list, select Enter Specific
Value.

11. In the Length box, type 86400.

12. Set the retransmission number of attempts. In the Retransmission attempt box, type
6.

13. Set the retransmission interval in seconds. In the Retransmission interval box, type 5.

14. Set the IPv4 address of the preferred DHCP server. In the Server address box, type
10.1.1.1.


15. Set the vendor class ID. In the Vendor id box, type ether.

16. Click OK.

17. Click OK to check your configuration and save it as a candidate configuration.

18. If you are done configuring the device, click Commit Options>Commit.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration
hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration
Mode.

To configure the device as a DHCP client:

1. Specify the DHCP client interface.

[edit]
user@host# edit interfaces ge-0/0/1 unit 0 family inet dhcp

2. Configure the DHCP client identifier as a hexadecimal value.

[edit interfaces ge-0/0/1 unit 0 family inet dhcp]
user@host# set client-identifier 00:0a:12:00:12:12

3. Set the DHCP lease time.

[edit interfaces ge-0/0/1 unit 0 family inet dhcp]
user@host# set lease-time 86400

4. Set the number of attempts allowed to retransmit a DHCP packet.

[edit interfaces ge-0/0/1 unit 0 family inet dhcp]
user@host# set retransmission-attempt 6

5. Set the interval (in seconds) allowed between retransmission attempts. The range
is 4 through 64. The default is 4 seconds.

[edit interfaces ge-0/0/1 unit 0 family inet dhcp]
user@host# set retransmission-interval 5

6. Set the IPv4 address of the preferred DHCP server.

[edit interfaces ge-0/0/1 unit 0 family inet dhcp]
user@host# set server-address 10.1.1.1

7. Set the vendor class ID for the DHCP client.

[edit interfaces ge-0/0/1 unit 0 family inet dhcp]
user@host# set vendor-id ether

Results

From configuration mode, confirm your configuration by entering the show interfaces
ge-0/0/1 unit 0 family inet command. If the output does not display the intended
configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show interfaces ge-0/0/1 unit 0 family inet
dhcp {
    client-identifier hexadecimal 00:0a:12:00:12:12;
    lease-time 86400;
    retransmission-attempt 6;
    retransmission-interval 5;
    server-address 10.1.1.1;
    update-server;
    vendor-id ether;
}

If you are done configuring the device, enter commit from configuration mode.

Verification
Confirm that the configuration is working properly.

• Verifying the DHCP Client on page 70

Verifying the DHCP Client

Purpose

Verify that the DHCP client information has been configured.

Action

From operational mode, enter these commands:

• show system services dhcp client command to display DHCP client information.

• show system services dhcp client interface-name command to display more information
about a specific interface.

• show system services dhcp client statistics command to show client statistics.

These commands produce the following sample output:

user@host> show system services dhcp client

Logical Interface Name ge-0/0/1.0
Hardware address 00:0a:12:00:12:12
Client Status bound
Vendor Identifier ether
Server Address 10.1.1.1
Address obtained 10.1.1.89
update server enables
Lease Obtained at 2006-08-24 18:13:04 PST
Lease Expires at 2006-08-25 18:13:04 PST

DHCP Options:
Name: name-server, Value: [ 10.209.194.131, 2.2.2.2, 3.3.3.3 ]
Name: server-identifier, Value: 10.1.1.1
Name: router, Value: [ 10.1.1.80 ]
Name: domain-name, Value: netscreen-50

user@host> show system services dhcp client ge-0/0/1.0

Logical Interface Name ge-0/0/1.0
Hardware address 00:12:1e:a9:7b:81
Client Status bound
Address obtained 30.1.1.20
update server enables
Lease Obtained at 2007-05-10 18:16:04 PST
Lease Expires at 2007-05-11 18:16:04 PST

DHCP Options:
Name: name-server, Value: [ 30.1.1.2 ]
Code: 1, Type: ip-address, Value: 255.255.255.0
Name: name-server, Value: [ 77.77.77.77, 55.55.55.55 ]
Name: domain-name, Value: mylab.example.net

user@host> show system services dhcp client statistics

Packets dropped:
Total 0
Messages Received:
DHCPOFFER 0
DHCPACK 8
DHCPNAK 0

Messages Sent:
DHCPDECLINE 0
DHCPDISCOVER 0
DHCPREQUEST 1
DHCPINFORM 0
DHCPRELEASE 0
DHCPRENEW 7
DHCPREBIND 0

Related Documentation

• DHCP Server, Client, and Relay Agent Overview on page 29

• Understanding DHCP Server Operation on page 31

• Understanding DHCP Client Operation on page 32

• DHCP Settings and Restrictions Overview on page 33

• Administration Guide for Security Devices

Example: Configuring the Device as a BOOTP or DHCP Relay Agent

Supported Platforms J Series, LN Series, SRX Series

This example shows how to configure the device as a BOOTP or DHCP relay agent.

• Requirements on page 71
• Overview on page 71
• Configuration on page 72
• Verification on page 75

Requirements
No special configuration beyond device initialization is required before configuring this
feature.

Overview
In this example, you enable the DHCP relay agent to relay BOOTP or DHCP messages to
a BOOTP server. You enable VPN encryption to allow client requests to pass through the
VPN tunnel. You specify the IP time-to-live value to be set in responses to the client as
20. The range is from 1 through 255. You then set the maximum number of hops allowed
per packet to 10. The range is from 4 through 16.

Then you specify the minimum number of seconds before requests are forwarded as
300. The range is from 0 through 30,000 seconds. You set the description of the server
(the value is a string), and you specify a valid server name or address to the server to
forward (the value is an IPv4 address). You define the routing instance, whose value is
a nonreserved text string of 128 or fewer characters. You then specify the incoming BOOTP
or DHCP request forwarding interface as ge-0/0/0. You enable the broadcast option if
the Layer 2 interface is unknown.

You then specify the IP time-to-live value to be set in responses to the client as 30. The
range is from 1 through 255. You set the description of the server as text and the DHCP
option as 82. You set the maximum number of hops allowed per packet to 20 and specify
the minimum number of seconds as 400 before requests are forwarded. You enable the
no listen option. Finally, you enable VPN encryption to allow client requests to pass
through the VPN tunnel.

Configuration
CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy
level.

set forwarding-options helpers bootp relay-agent-option
set forwarding-options helpers bootp vpn
set forwarding-options helpers bootp client-response-ttl 20
set forwarding-options helpers bootp maximum-hop-count 10
set forwarding-options helpers bootp minimum-wait-time 300
set forwarding-options helpers bootp description text
set forwarding-options helpers bootp server 2.2.2.2
set forwarding-options helpers bootp server 2.2.2.2 routing-instance rt-i-1
set forwarding-options helpers bootp interface ge-0/0/0
set forwarding-options helpers bootp interface ge-0/0/0 broadcast
set forwarding-options helpers bootp interface ge-0/0/0 client-response-ttl 30
set forwarding-options helpers bootp interface ge-0/0/0 description text
set forwarding-options helpers bootp interface ge-0/0/0 dhcp-option82
set forwarding-options helpers bootp interface ge-0/0/0 maximum-hop-count 20
set forwarding-options helpers bootp interface ge-0/0/0 minimum-wait-time 400
set forwarding-options helpers bootp interface ge-0/0/0 no-listen
set forwarding-options helpers bootp interface ge-0/0/0 vpn

GUI Step-by-Step Procedure

To configure the device as a BOOTP/DHCP relay agent:

1. In the J-Web user interface, select Configure>Services>DHCP>Boot DHCP Relay.

2. Select the DHCP relay agent check box to enable the BOOTP/DHCP relay agent.

3. Select the VPN encryption check box.

4. In the Client response TTL box, type 20.

5. In the Maximum hop count box, type 10.


6. In the Minimum wait time box, type 300.

7. In the Description box, type the description of the server.

8. Add a new server. Next to Server, click Add new Entry.

9. Next to the Name box, type 2.2.2.2.

10. Define the routing instance. Next to Routing instance, click Add new entry.

11. In the Name box, type rt-i-1 and click OK. A routing instance is optional.

12. Add a new interface. Next to Interface, click Add new entry.

13. In the Interface name box, type the interface name. For example, type ge-0/0/0.

14. In the Client response TTL box, type 30.

15. In the Description box, type the description of the server.

16. Select the Dhcp option 82 check box.

17. In the Maximum hop count box, type 20.

18. In the Minimum wait time box, type 400.

19. Select the No listen check box.

20. Select the VPN encryption check box.

21. Click OK until you return to the Configuration page.

22. Click OK to check your configuration and save it as a candidate configuration.

23. If you are done configuring the device, click Commit Options>Commit.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration
hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration
Mode.

To configure the device as a BOOTP or DHCP relay agent:

1. Set the DHCP relay agent.

[edit]
user@host# edit forwarding-options helpers bootp
user@host# set relay-agent-option

2. Enable VPN encryption to allow client requests to pass through the VPN tunnel.

[edit forwarding-options helpers bootp]
user@host# set vpn

3. Set the IP time-to-live value for responses to the client.

[edit forwarding-options helpers bootp]
user@host# set client-response-ttl 20

4. Set the maximum number of hops allowed per packet.

[edit forwarding-options helpers bootp]
user@host# set maximum-hop-count 10


5. Set the minimum wait time in seconds.

[edit forwarding-options helpers bootp]
user@host# set minimum-wait-time 300

6. Specify the description of the server.

[edit forwarding-options helpers bootp]
user@host# set description text

7. Add a new server.

[edit forwarding-options helpers bootp]
user@host# set server 2.2.2.2

8. Define the routing instance.

[edit forwarding-options helpers bootp]
user@host# set server 2.2.2.2 routing-instance rt-i-1

9. Define the interface on which incoming BOOTP requests are received and forwarded.

[edit forwarding-options helpers bootp]
user@host# set interface ge-0/0/0

10. Enable the broadcast option.

[edit forwarding-options helpers bootp interface ge-0/0/0]
user@host# set broadcast

11. Define the IP time-to-live value.

[edit forwarding-options helpers bootp interface ge-0/0/0]
user@host# set client-response-ttl 30

12. Specify the description of the server.

[edit forwarding-options helpers bootp interface ge-0/0/0]
user@host# set description text

13. Set the DHCP option 82.

[edit forwarding-options helpers bootp interface ge-0/0/0]
user@host# set dhcp-option82

14. Specify the maximum number of hops allowed per packet.

[edit forwarding-options helpers bootp interface ge-0/0/0]
user@host# set maximum-hop-count 20

15. Set the minimum wait time.

[edit forwarding-options helpers bootp interface ge-0/0/0]
user@host# set minimum-wait-time 400

16. Set the no listen option.

[edit forwarding-options helpers bootp interface ge-0/0/0]
user@host# set no-listen

17. Enable VPN encryption to allow client requests to pass through the VPN tunnel.

[edit forwarding-options helpers bootp interface ge-0/0/0]
user@host# set vpn


Results

From configuration mode, confirm your configuration by entering the show
forwarding-options command. If the output does not display the intended configuration,
repeat the configuration instructions in this example to correct it.

[edit]
user@host# show forwarding-options
helpers {
    bootp {
        relay-agent-option;
        description text;
        server 2.2.2.2 routing-instance rt-i-1;
        maximum-hop-count 10;
        minimum-wait-time 300;
        client-response-ttl 20;
        vpn;
        interface {
            ge-0/0/0 {
                no-listen;
                broadcast;
                description text;
                maximum-hop-count 20;
                minimum-wait-time 400;
                client-response-ttl 30;
                vpn;
                dhcp-option82;
            }
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.
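The relay options configured above (maximum-hop-count, minimum-wait-time, dhcp-option82, and the giaddr field that lets server 2.2.2.2 reply to the relay instead of broadcasting) each map onto a field of the BOOTP/DHCP message. The Python script below is an added example and not Juniper code: it models those checks on a constructed DHCPDISCOVER, dropping a request whose hop count has reached the limit or whose secs field is below the minimum wait time (the RFC 1542 relay behaviour; that this is what minimum-wait-time enforces is an assumption), writing the relay address into giaddr, and inserting DHCP option 82 (RFC 3046) with circuit-id and remote-id sub-options. The relay address 192.168.2.1, the client MAC, and the sub-option values are assumptions, as is the policy of dropping a client-facing request that already carries option 82.

```python
"""Model of the checks a BOOTP/DHCP relay agent applies before forwarding a
client request: hop limit, minimum wait time (BOOTP 'secs' field), giaddr
handling and DHCP option 82 (RFC 3046) insertion.

Added example, not Juniper code. The DHCPDISCOVER is constructed; the relay
address, client MAC and option 82 sub-option values are assumptions.
"""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, Optional, Tuple

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT_INFO, OPT_END = 0, 53, 82, 255
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2
BOOTREQUEST = 1


@dataclass
class RelayConfig:
    relay_addr: IPv4Address        # written into giaddr so the server replies to the relay
    max_hop_count: int = 10        # guide: range 4 through 16
    min_wait_time: int = 0         # guide: seconds before requests are forwarded
    circuit_id: bytes = b""        # option 82 sub-option 1 (assumed value)
    remote_id: bytes = b""         # option 82 sub-option 2 (assumed value)


def build_discover(client_mac: bytes, xid: int, secs: int, hops: int = 0,
                   giaddr: bytes = b"\0" * 4, extra_opts: bytes = b"") -> bytes:
    """Construct a minimal BOOTREQUEST carrying a DHCPDISCOVER (constructed input)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         BOOTREQUEST, 1, 6, hops, xid, secs, 0x8000,   # op htype hlen hops xid secs flags
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, giaddr,       # ciaddr yiaddr siaddr giaddr
                         client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return header + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, 1]) + extra_opts + bytes([OPT_END])


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Encode option 82 with whichever sub-options are configured."""
    subs = b""
    if circuit_id:
        subs += bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    if remote_id:
        subs += bytes([SUBOPT_REMOTE_ID, len(remote_id)]) + remote_id
    return bytes([OPT_RELAY_AGENT_INFO, len(subs)]) + subs


def parse_options(packet: bytes) -> Tuple[Dict[int, bytes], int]:
    """Return {code: data} and the packet offset of the END option."""
    opts, i = packet[240:], 0
    found: Dict[int, bytes] = {}
    while i < len(opts):
        code = opts[i]
        if code == OPT_END:
            return found, 240 + i
        if code == OPT_PAD:
            i += 1
            continue
        length = opts[i + 1]
        found[code] = opts[i + 2:i + 2 + length]
        i += 2 + length
    raise ValueError("options not terminated by END")


def parse_option82(packet: bytes) -> Dict[int, bytes]:
    """Sub-options carried in option 82; empty if the option is absent."""
    data = parse_options(packet)[0].get(OPT_RELAY_AGENT_INFO, b"")
    subs: Dict[int, bytes] = {}
    j = 0
    while j + 1 < len(data):
        code, length = data[j], data[j + 1]
        subs[code] = data[j + 2:j + 2 + length]
        j += 2 + length
    return subs


def relay(packet: bytes, cfg: RelayConfig) -> Tuple[str, Optional[bytes]]:
    """Apply the relay checks; return ('forward', packet) or ('drop:<reason>', None)."""
    if len(packet) < 241 or packet[236:240] != MAGIC_COOKIE:
        return "drop:malformed", None
    try:
        options, end_off = parse_options(packet)
    except (ValueError, IndexError):
        return "drop:malformed", None
    op, hops = packet[0], packet[3]
    secs = struct.unpack("!H", packet[8:10])[0]
    giaddr = packet[24:28]
    if op != BOOTREQUEST:
        return "drop:not-a-request", None
    if hops >= cfg.max_hop_count:                 # maximum-hop-count
        return "drop:hop-count-exceeded", None
    if secs < cfg.min_wait_time:                  # minimum-wait-time: give a nearer server a chance first
        return "drop:below-minimum-wait-time", None
    out = bytearray(packet)
    out[3] = hops + 1
    if giaddr != b"\0" * 4:
        # Already relayed once: forward as-is, never add a second option 82 (RFC 3046 section 2.1.1).
        return "forward", bytes(out)
    if OPT_RELAY_AGENT_INFO in options:
        # A request straight from a client should not carry option 82; dropping it is a policy choice.
        return "drop:unexpected-option-82", None
    out[24:28] = cfg.relay_addr.packed
    if cfg.circuit_id or cfg.remote_id:           # dhcp-option82
        out[end_off:end_off] = build_option82(cfg.circuit_id, cfg.remote_id)
    return "forward", bytes(out)
```

A relay only ever alters hops, giaddr and the option list; the client hardware address and transaction ID pass through untouched, which is what lets the server's reply be matched back to the client when the relay returns it.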

Verification
Confirm that the configuration is working properly.

Verifying DHCP Relay Statistics

Purpose

Verify the DHCP relay statistics.

Action

From operational mode, enter the show system services dhcp relay-statistics command.

user@host> show system services dhcp relay-statistics

Received Packets: 4
Forwarded Packets 4
Dropped Packets 4
  Due to missing interface in relay database: 4
  Due to missing matching routing instance: 0
  Due to an error during packet read: 0
  Due to an error during packet send: 0
  Due to invalid server address: 0
  Due to missing valid local address: 0
  Due to missing route to server/client: 0

Related Documentation

• DHCP Server, Client, and Relay Agent Overview on page 29

• Understanding DHCP Relay Agent Operation on page 33

• DHCP Settings and Restrictions Overview on page 33

• Administration Guide for Security Devices

Configuring a DHCP Local Server

Supported Platforms J Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

• Minimum DHCP Local Server Configuration on page 76
• Configuring Address-Assignment Pools on page 77
• Configuring an Address-Assignment Pool Name and Addresses on page 77
• Configuring a Named Address Range for Dynamic Address Assignment on page 77
• Configuring Static Address Assignments on page 78
• Configuring DHCP Client-Specific Attributes on page 79
• Verifying and Managing DHCP Local Server Configuration on page 79

Minimum DHCP Local Server Configuration

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

The following sample output shows the minimum configuration you must use to configure
an SRX Series device as a DHCP local server. In this output, the server group is named
bob, and the DHCP local server is enabled on interface ge-1/0/1.0 within the group.

[edit access]
address-assignment {
    pool verizon family inet {
        network 192.168.1.0/24;
    }
}

[edit system services]
dhcp-local-server {
    group bob {
        interface ge-1/0/1.0;
    }
}

[edit interfaces ge-1/0/1 unit 0]
family {
    inet {
        address 192.168.1.1/24;
    }
}

NOTE: You can configure the DHCP local server in a routing instance by using
the dhcp-local-server, interface, and address-assignment statements at the
[edit routing-instances] hierarchy level.


Configuring Address-Assignment Pools

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

The address-assignment pool feature enables you to create address pools that can be
shared by different client applications.

To configure an address-assignment pool:

1. Configure the address-assignment pool name and specify the addresses for the pool.

See “Configuring an Address-Assignment Pool Name and Addresses” on page 77.

2. (Optional) Configure named ranges (subsets) of addresses.

See “Configuring a Named Address Range for Dynamic Address Assignment” on page 77.

3. (Optional; IPv4 only) Create static address bindings.

See “Configuring Static Address Assignments” on page 78.

4. (Optional) Configure attributes for DHCP clients.

See “Configuring DHCP Client-Specific Attributes” on page 79.

Configuring an Address-Assignment Pool Name and Addresses

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

When configuring an address-assignment pool, you must specify the name of the pool
and its addresses.

To configure an IPv4 address-assignment pool:

1. Configure the name of the pool and specify the IPv4 family.

[edit access]
user@host# edit address-assignment pool blr-pool family inet

2. Configure the network address and the prefix length of the addresses in the pool.

[edit access address-assignment pool blr-pool family inet]
user@host# set network 192.168.0.0/16

NOTE: You can configure an IPv4 address-assignment pool in a routing
instance by configuring the address-assignment statements at the [edit
routing-instances] hierarchy level.

Configuring a Named Address Range for Dynamic Address Assignment

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650


You can optionally configure multiple named ranges, or subsets, of addresses within an
address-assignment pool. During a dynamic address assignment, a client can be assigned
an address from a specific named range. To create a named range, you specify a name
for the range and define the address range.

To create a named range within an IPv4 address-assignment pool:

1. Specify the name of the address-assignment pool.

[edit access]
user@host# edit address-assignment pool blr-pool family inet

2. Configure the name of the range and the lower and upper boundaries of the addresses
in the range.

[edit access address-assignment pool blr-pool family inet]
user@host# set range southeast low 192.168.102.2 high 192.168.102.254

NOTE: To configure named address ranges in a routing instance, configure
the address-assignment statements at the [edit routing-instances] hierarchy
level.

Configuring Static Address Assignments

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

You can optionally create a static IPv4 address binding by reserving a specific address
for a particular client. The address is removed from the address-assignment pool so that
it is not assigned to another client. When you reserve an address, you identify the client
host and create a binding between the client MAC address and the assigned IP address.

To configure a static IPv4 address binding:

1. Specify the name of the IPv4 address-assignment pool containing the IP address you
want to reserve for the client.

[edit access]
user@host# edit address-assignment pool blr-pool family inet

2. Specify the name of the client for the static binding, the client MAC address, and the
IP address to reserve for the client. This configuration specifies that the client with
MAC address 01:03:05:07:09:0b is always assigned IP address 192.168.10.2.

[edit access address-assignment pool blr-pool family inet]
user@host# set host svale6_boston_net hardware-address 01:03:05:07:09:0b ip-address 192.168.10.2

NOTE: To configure static binding for an IPv4 address in a routing instance,
configure the address-assignment statements in the [edit routing-instances]
hierarchy.
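Both the pool in the DHCP server example earlier in this chapter (address-range plus static-binding) and the address-assignment pools described here (named ranges plus host bindings) describe the same three things: a subnet, one or more dynamic ranges, and addresses reserved for particular MAC addresses. The Python function below is an added example and not Juniper code; it checks such a pool description for mistakes that pass syntax checking but misbehave in service: a range that spills outside the subnet or includes the network or broadcast address, overlapping named ranges, a default lease longer than the maximum, a reserved address outside the subnet or reserved twice, and a malformed MAC address. A reserved address inside a dynamic range is reported as a warning only, because the text above states that an address-assignment pool removes a reserved address from the pool. PAGE_POOL holds the values of the server example; the failing inputs are constructed.

```python
"""Consistency checks for a DHCP pool description before it is committed.

Added example, not Juniper code: it works on plain Python values rather than
the Junos configuration itself. PAGE_POOL reproduces the pool from the DHCP
server example in this chapter; any other inputs are constructed.
"""
import re
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)
Problem = Tuple[str, str]   # (severity, message); severity is "error" or "warn"


def check_pool(subnet: str, ranges: Dict[str, Tuple[str, str]],
               static_bindings: Dict[str, str],
               default_lease: Optional[int] = None,
               max_lease: Optional[int] = None) -> List[Problem]:
    """ranges maps a range name to (low, high); static_bindings maps MAC to IP."""
    problems: List[Problem] = []
    net = IPv4Network(subnet, strict=True)   # rejects a host address such as 192.168.2.1/24
    parsed: Dict[str, Tuple[IPv4Address, IPv4Address]] = {}
    for name, (low, high) in ranges.items():
        lo, hi = IPv4Address(low), IPv4Address(high)
        if lo > hi:
            problems.append(("error", f"range {name}: low {lo} is above high {hi}"))
        for end, addr in (("low", lo), ("high", hi)):
            if addr not in net:
                problems.append(("error", f"range {name}: {end} {addr} is outside {net}"))
            elif addr in (net.network_address, net.broadcast_address):
                problems.append(("error", f"range {name}: {end} {addr} is the network or broadcast address"))
        parsed[name] = (lo, hi)
    # Two named ranges that share addresses would let one address be handed out under both names.
    names = sorted(parsed)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if parsed[a][0] <= parsed[b][1] and parsed[b][0] <= parsed[a][1]:
                problems.append(("error", f"ranges {a} and {b} overlap"))
    if default_lease is not None and max_lease is not None and default_lease > max_lease:
        problems.append(("error", f"default-lease-time {default_lease} exceeds maximum-lease-time {max_lease}"))
    reserved: Dict[IPv4Address, str] = {}
    for mac, ip in static_bindings.items():
        if not MAC_RE.match(mac):
            problems.append(("error", f"static binding {mac}: not a MAC address"))
        addr = IPv4Address(ip)
        if addr not in net:
            problems.append(("error", f"static binding {mac}: {addr} is outside {net}"))
        for name, (lo, hi) in parsed.items():
            if lo <= addr <= hi:
                # Fine for an address-assignment pool, which removes the address from the pool;
                # flagged so that the reservation is checked against whatever server serves the range.
                problems.append(("warn", f"static binding {mac}: {addr} lies inside dynamic range {name}"))
        if addr in reserved:
            problems.append(("error", f"static binding {mac}: {addr} already reserved for {reserved[addr]}"))
        reserved.setdefault(addr, mac)
    return problems


def errors(problems: List[Problem]) -> List[str]:
    """Only the findings that should block a commit."""
    return [msg for sev, msg in problems if sev == "error"]


# The pool from the DHCP server example in this chapter.
PAGE_POOL = dict(subnet="192.168.2.0/24",
                 ranges={"address-range": ("192.168.2.2", "192.168.2.254")},
                 static_bindings={"01:03:05:07:09:0B": "192.168.2.50"},
                 default_lease=1209600, max_lease=2419200)

if __name__ == "__main__":
    for severity, message in check_pool(**PAGE_POOL):
        print(severity, message)
```

Run as a script it reports a single warning for the page's pool: the reserved address 192.168.2.50 sits inside the dynamic range 192.168.2.2 through 192.168.2.254.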


Configuring DHCP Client-Specific Attributes

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

You use the address-assignment pool feature to include application-specific attributes
when clients obtain an address. The client application, such as DHCP, uses the attributes
to determine how addresses are assigned and to provide optional application-specific
characteristics to the client. For example, the DHCP application might specify that a
client that matches certain prerequisite information is dynamically assigned an address
from a particular named range. Based on which named range is used, DHCP specifies
additional DHCP attributes such as the boot file that the client uses, the DNS server, and
the maximum lease time.

You use the dhcp-attributes statement to configure DHCP client-specific attributes for
address-assignment pools.

To configure address-assignment pool attributes for DHCP clients:

1. Specify the name of the address-assignment pool.

[edit access]
user@host# edit address-assignment pool blr-pool family inet

2. Configure optional DHCP client attributes.

[edit access address-assignment pool blr-pool family inet]
user@host# set dhcp-attributes maximum-lease-time 2419200
user@host# set dhcp-attributes name-server 192.168.10.2
user@host# set dhcp-attributes boot-file boot-file.txt
user@host# set dhcp-attributes boot-server example.net

NOTE: To configure DHCP client-specific attributes in a routing instance,
configure the dhcp-attributes statements in the [edit routing-instances]
hierarchy.

Verifying and Managing DHCP Local Server Configuration

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Purpose

View or clear information about client address bindings and statistics for the DHCP local
server.

Action

• To display the address bindings in the client table on the DHCP local server:

user@host> show dhcp server binding

• To display DHCP local server statistics:

user@host> show dhcp server statistics

• To clear the binding state of a DHCP client from the client table on the DHCP local
server. Without arguments, this command clears every binding in the table; add a client
address or an interface to limit its scope:

user@host> clear dhcp server binding

Copyright © 2016, Juniper Networks, Inc. 79


Administration Guide for Security Devices

• To clear all DHCP local server statistics:

user@host> clear dhcp server statistics

NOTE: To clear or view information about client bindings and statistics in a
routing instance, run the following commands:

• show dhcp server binding routing-instance <routing-instance-name>
• show dhcp server statistics routing-instance <routing-instance-name>
• clear dhcp server binding routing-instance <routing-instance-name>
• clear dhcp server statistics routing-instance <routing-instance-name>

Configuring a DHCP Client

Supported Platforms J Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

• Minimum DHCP Client Configuration on page 80
• Configuring Optional DHCP Client Attributes on page 80
• Verifying and Managing DHCP Client Configuration on page 81

Minimum DHCP Client Configuration

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

The following sample output shows the minimum configuration you must use to configure
an SRX Series device as a DHCP client. In this output, the interface is ge-0/0/0 and the
logical unit is 0.

[edit interfaces]
ge-0/0/0 {
  unit 0 {
    family inet {
      dhcp-client;
    }
  }
}

NOTE: To configure a DHCP client in a routing instance, add the interface in
a routing instance using the [edit routing-instances] hierarchy.

Configuring Optional DHCP Client Attributes

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Chapter 12: DHCP for IP Address Device

For the device to operate as a DHCP client, you configure a logical interface on the device
to obtain an IP address from the DHCP local server in the network. You can then set the
client-identifier, lease time, retransmission attempts, retry interval, preferred DHCP local
server address, and vendor class ID.

To configure optional DHCP client attributes:

1. Configure the DHCP client identifier prefix as the routing instance name.

[edit interfaces ge-0/0/1 unit 0 family inet dhcp-client]
user@host# set client-identifier prefix routing-instance-name

2. Set the DHCP lease time (in seconds).

[edit interfaces ge-0/0/1 unit 0 family inet dhcp-client]
user@host# set lease-time 86400

3. Set the number of attempts allowed to retransmit a DHCP packet.

[edit interfaces ge-0/0/1 unit 0 family inet dhcp-client]
user@host# set retransmission-attempt 6

4. Set the interval (in seconds) allowed between retransmission attempts. The range
is 4 through 64. The default is 4 seconds.

[edit interfaces ge-0/0/1 unit 0 family inet dhcp-client]
user@host# set retransmission-interval 5

5. Set the IPv4 address of the preferred DHCP local server.

[edit interfaces ge-0/0/1 unit 0 family inet dhcp-client]
user@host# set server-address 10.1.1.1

6. Set the vendor class ID for the DHCP client.

[edit interfaces ge-0/0/1 unit 0 family inet dhcp-client]
user@host# set vendor-id ether

NOTE: To configure the DHCP client in a routing instance, configure the
interface in the [edit routing-instances] hierarchy.

Verifying and Managing DHCP Client Configuration

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Purpose View or clear information about client address bindings and statistics for the DHCP client.

Action • To display the address bindings in the client table on the DHCP client:

user@host> show dhcp client binding

• To display DHCP client statistics:

user@host> show dhcp client statistics

• To clear the binding state of a DHCP client from the client table on the DHCP client:

user@host> clear dhcp client binding


• To clear all DHCP client statistics:

user@host> clear dhcp client statistics

NOTE: To clear or view information about client bindings and statistics in a
routing instance, run the following commands:

• show dhcp client binding routing-instance <routing-instance-name>
• show dhcp client statistics routing-instance <routing-instance-name>
• clear dhcp client binding routing-instance <routing-instance-name>
• clear dhcp client statistics routing-instance <routing-instance-name>

Configuring a DHCP Relay Agent

Supported Platforms J Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

• Minimum DHCP Relay Agent Configuration on page 82
• Verifying and Managing DHCP Relay Configuration on page 82

Minimum DHCP Relay Agent Configuration

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

The following sample output shows the minimum configuration you must use to configure
an SRX Series device as a DHCP relay agent. In this output, the active server group is
named server-1 and its IP address is 1.1.1.1/24. The DHCP relay agent configuration is
applied to a group named bob. Within this group, the DHCP relay agent is enabled on
interface ge-1/0/1.0: client broadcasts received on that interface are forwarded to the
servers in the active server group.

[edit forwarding-options]
dhcp-relay {
  group bob {
    interface ge-1/0/1.0;
  }
  server-group server-1 {
    address 1.1.1.1/24;
  }
  active-server-group server-1;
}

NOTE: To configure the DHCP relay agent in a routing instance, configure
the dhcp-relay statements in the [edit routing-instances] hierarchy level.

Verifying and Managing DHCP Relay Configuration

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650


Purpose View or clear address bindings or statistics for DHCP relay agent clients.

Action • To display the address bindings for DHCP relay agent clients:

user@host> show dhcp relay binding

• To display DHCP relay agent statistics:

user@host> show dhcp relay statistics

• To clear the binding state of DHCP relay agent clients:

user@host> clear dhcp relay binding

• To clear all DHCP relay agent statistics:

user@host> clear dhcp relay statistics

NOTE: To clear or view information about client bindings and statistics in a
routing instance, run the following commands:

• show dhcp relay binding routing-instance <routing-instance-name>
• show dhcp relay statistics routing-instance <routing-instance-name>
• clear dhcp relay binding routing-instance <routing-instance-name>
• clear dhcp relay statistics routing-instance <routing-instance-name>

Minimum DHCP Local Server Configuration

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

The following sample output shows the minimum configuration you must use to configure
an SRX Series device as a DHCP local server. In this output, the address-assignment pool
is named verizon, the DHCP local server group is named bob, and the DHCP local server is
enabled on interface ge-1/0/1.0 within the group. The interface address 192.168.1.1/24
lies in the pool's network; the local server selects the pool whose network matches the
subnet of the interface on which a client request arrives.

[edit access]
address-assignment {
  pool verizon family inet {
    network 192.168.1.0/24;
  }
}

[edit system services]
dhcp-local-server {
  group bob {
    interface ge-1/0/1.0;
  }
}

[edit interfaces ge-1/0/1 unit 0]
family {
  inet {
    address 192.168.1.1/24;
  }
}

NOTE: You can configure the DHCP local server in a routing instance by using
the dhcp-local-server, interface, and address-assignment statements in the
[edit routing-instances] hierarchy level.

Related Documentation
• Configuring Address-Assignment Pools on page 77
• Administration Guide for Security Devices

Configuring Address-Assignment Pools

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

The address-assignment pool feature enables you to create address pools that can be
shared by different client applications.

To configure an address-assignment pool:

1. Configure the address-assignment pool name and specify the addresses for the pool.

See “Configuring an Address-Assignment Pool Name and Addresses” on page 77.

2. (Optional) Configure named ranges (subsets) of addresses.

See “Configuring a Named Address Range for Dynamic Address Assignment” on page 77.

3. (Optional; IPv4 only) Create static address bindings.

See “Configuring Static Address Assignments” on page 78.

4. (Optional) Configure attributes for DHCP clients.

See “Configuring DHCP Client-Specific Attributes” on page 79.

Related Documentation
• Administration Guide for Security Devices

Configuring an Address-Assignment Pool Name and Addresses

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

When configuring an address-assignment pool, you must specify the name of the pool
and its addresses.

To configure an IPv4 address-assignment pool:

1. Configure the name of the pool and specify the IPv4 family.

[edit access]
user@host# edit address-assignment pool blr-pool family inet


2. Configure the network address and the prefix length of the addresses in the pool.

[edit access address-assignment pool blr-pool family inet]
user@host# set network 192.168.0.0/16

NOTE: You can configure an IPv4 address-assignment pool in a routing
instance by configuring the address-assignment statements in the [edit
routing-instances] hierarchy level.

Related Documentation
• Configuring Address-Assignment Pools on page 77
• Administration Guide for Security Devices


Configuring a Named Address Range for Dynamic Address Assignment

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

You can optionally configure multiple named ranges, or subsets, of addresses within an
address-assignment pool. During a dynamic address assignment, a client can be assigned
an address from a specific named range. To create a named range, you specify a name
for the range and define the address range.

To create a named range within an IPv4 address-assignment pool:

1. Specify the name of the address-assignment pool.

[edit access]
user@host# edit address-assignment pool blr-pool family inet

2. Configure the name of the range and the lower and upper boundaries of the addresses
in the range. Both boundaries must lie within the network configured for the pool
(192.168.0.0/16 in this example).

[edit access address-assignment pool blr-pool family inet]
user@host# set range southeast low 192.168.102.2 high 192.168.102.254

NOTE: To configure named address ranges in a routing instance, configure
the address-assignment statements in the [edit routing-instances] hierarchy
level.

Related Documentation
• Configuring Address-Assignment Pools on page 77
• Administration Guide for Security Devices

Configuring Static Address Assignments

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

You can optionally create a static IPv4 address binding by reserving a specific address
for a particular client. The address is removed from the address-assignment pool so that
it is not assigned to another client. When you reserve an address, you identify the client
host and create a binding between the client MAC address and the assigned IP address.

To configure a static IPv4 address binding:

1. Specify the name of the IPv4 address-assignment pool containing the IP address you
want to reserve for the client.

[edit access]
user@host# edit address-assignment pool blr-pool family inet


2. Specify the name of the client for the static binding, the client MAC address, and the
IP address to reserve for the client. This configuration specifies that the client with
MAC address 01:03:05:07:09:0b is always assigned IP address 192.168.10.2. The binding
is keyed on the hardware address alone; because a MAC address is trivially spoofed, do
not treat possession of the reserved address as proof of the client's identity.

[edit access address-assignment pool blr-pool family inet]
user@host# set host svale6_boston_net hardware-address 01:03:05:07:09:0b ip-address 192.168.10.2

NOTE: To configure static binding for an IPv4 address in a routing instance,
configure the address-assignment statements in the [edit routing-instances]
hierarchy.

Related Documentation
• Configuring Address-Assignment Pools on page 77
• Administration Guide for Security Devices
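The pool semantics described in the preceding sections (a pool network, named ranges inside it, and static MAC-to-IP reservations that are removed from dynamic assignment) can be exercised with the following Python model. It is an added example, not Junos code and not from this guide. The pool name, the southeast range and the svale6_boston_net reservation are taken from the page; the three-address range named tiny and the aa:bb:cc:* client MAC addresses are constructed for the demonstration. The checks it performs (ranges inside the pool network, no overlapping ranges, reserved addresses never handed out dynamically) are the behaviour the configuration above relies on.

```python
"""Model of a Junos-style address-assignment pool.

Added example (not Junos code, not from this guide). It reproduces the pool
rules from the surrounding sections: a pool network, named ranges inside it,
and static MAC-to-IP reservations that are withheld from dynamic assignment.
The range named "tiny" and the aa:bb:cc:* MAC addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AddressPool:
    name: str
    network: ipaddress.IPv4Network
    ranges: dict = field(default_factory=dict)   # range name -> (low, high)
    static: dict = field(default_factory=dict)   # MAC -> reserved address
    leased: dict = field(default_factory=dict)   # MAC -> dynamic lease

    def add_range(self, rname, low, high):
        """Named range: both boundaries must sit inside the pool network and
        must not overlap an existing range."""
        low, high = ipaddress.IPv4Address(low), ipaddress.IPv4Address(high)
        if low not in self.network or high not in self.network or low > high:
            raise ValueError(f"range {rname} is not inside {self.network}")
        for other, (olow, ohigh) in self.ranges.items():
            if low <= ohigh and olow <= high:
                raise ValueError(f"range {rname} overlaps range {other}")
        self.ranges[rname] = (low, high)

    def add_static(self, mac, ip):
        """Reserve ip for mac; the address leaves the dynamic pool."""
        ip = ipaddress.IPv4Address(ip)
        if ip not in self.network:
            raise ValueError(f"{ip} is not inside {self.network}")
        if ip in self.static.values():
            raise ValueError(f"{ip} is already reserved")
        self.static[mac.lower()] = ip

    def _unavailable(self):
        return (set(self.static.values()) | set(self.leased.values())
                | {self.network.network_address, self.network.broadcast_address})

    def assign(self, mac, range_name=None):
        """Address for mac: its reservation if one exists, its current lease if
        it already has one, otherwise the lowest free address in the named
        range (or in the whole pool when no range is given)."""
        mac = mac.lower()
        if mac in self.static:
            return self.static[mac]
        if mac in self.leased:
            return self.leased[mac]
        if range_name is None:
            candidates = self.network.hosts()
        else:
            low, high = self.ranges[range_name]
            candidates = (ipaddress.IPv4Address(i) for i in range(int(low), int(high) + 1))
        taken = self._unavailable()
        for ip in candidates:
            if ip not in taken:
                self.leased[mac] = ip
                return ip
        raise RuntimeError(f"pool {self.name} range {range_name} exhausted")

    def release(self, mac):
        """Drop a dynamic lease (what clear dhcp server binding does);
        static reservations are unaffected."""
        return self.leased.pop(mac.lower(), None)


def build_blr_pool():
    """blr-pool as configured on the page: 192.168.0.0/16, the southeast range
    and the svale6_boston_net reservation, plus a constructed three-address
    range around the reserved address to show that it is skipped."""
    pool = AddressPool("blr-pool", ipaddress.IPv4Network("192.168.0.0/16"))
    pool.add_range("southeast", "192.168.102.2", "192.168.102.254")
    pool.add_range("tiny", "192.168.10.1", "192.168.10.3")        # constructed
    pool.add_static("01:03:05:07:09:0b", "192.168.10.2")           # svale6_boston_net
    return pool


if __name__ == "__main__":
    pool = build_blr_pool()
    print(pool.assign("01:03:05:07:09:0b"))               # reserved: 192.168.10.2
    print(pool.assign("aa:bb:cc:00:00:01", "tiny"))       # 192.168.10.1
    print(pool.assign("aa:bb:cc:00:00:02", "tiny"))       # 192.168.10.3 (.2 withheld)
    print(pool.assign("aa:bb:cc:00:00:03", "southeast"))  # 192.168.102.2
```

Run it directly to print the four assignments. The model also makes the caveat from step 2 concrete: the only input that selects the reserved address is the hardware-address string, so any host on the segment that sets that MAC obtains the reservation.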

Enabling TCP/IP Propagation on a DHCP Local Server

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

This topic describes how to propagate TCP/IP settings (such as DNS server addresses)
learned by a DHCP client interface on the device into an address-assignment pool served
by the same device's DHCP local server. The device therefore acts as a DHCP client on one
interface (ge-0/0/1.0 in this example) and as a DHCP local server on another (ge-1/0/1.0).
The propagated settings originate from the upstream DHCP server, so enable propagation
only from an interface that faces a provider you trust to supply those settings to your
LAN clients.

To enable TCP/IP setting propagation on a DHCP local server:

1. Configure the update-server option on the DHCP client.

[edit interfaces ge-0/0/1 unit 0 family inet]
dhcp-client {
  update-server;
}

2. Configure the address pool to specify the interface (where update-server is configured)
from which TCP/IP settings can be propagated.

[edit access]
address-assignment {
  pool sprint family inet {
    network 192.168.2.0/24;
    dhcp-attributes {
      propagate-settings ge-0/0/1.0;
    }
  }
}

3. Configure the DHCP local server.

[edit system services]
dhcp-local-server {
  group bob {
    interface ge-1/0/1.0;
  }
}

Related Documentation
• Administration Guide for Security Devices



CHAPTER 13

DHCPv6 Client

• Minimum DHCPv6 Client Configuration on page 91
• Configuring Optional DHCPv6 Client Attributes on page 92
• Configuring Nontemporary Address Assignment on page 93
• Configuring Identity Associations for Nontemporary Addresses and Prefix
Delegation on page 94
• Configuring Auto-Prefix Delegation on page 94
• Configuring the DHCPv6 Client Rapid Commit Option on page 95
• Configuring a DHCPv6 Client in Autoconfig Mode on page 95
• Configuring TCP/IP Propagation on a DHCPv6 Client on page 96

Minimum DHCPv6 Client Configuration

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

This topic describes the minimum configuration you must use to configure an SRX Series
device as a DHCPv6 client.

To configure the device as a DHCPv6 client:

1. Specify the DHCPv6 client interface.

[edit]
user@host# set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client

2. Configure the DHCPv6 client type. The client type can be autoconfig or statefull (the
CLI keyword is spelled with two l's).

• To enable DHCPv6 autoconfiguration mode, configure the client type as autoconfig.

[edit interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set client-type autoconfig

• For stateful address assignment, configure the client type as statefull.

[edit interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set client-type statefull

3. Specify the identity association type.

• To configure identity association for nontemporary address (IA_NA) assignment,
specify the client-ia-type as ia-na.

[edit interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set client-ia-type ia-na

• To configure identity association for prefix delegation (IA_PD), specify the
client-ia-type as ia-pd.

[edit interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set client-ia-type ia-pd

4. Configure the DHCPv6 client identifier by specifying the DHCP unique identifier (DUID)
type. The following DUID types are supported:

• Link-layer address (duid-ll)
• Link-layer address plus time (duid-llt)
• Vendor-assigned unique ID based on enterprise number (vendor)

[edit interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set client-identifier duid-type duid-ll

NOTE: To configure a DHCPv6 client in a routing instance, add the interface
to a routing instance using the [edit routing-instances] hierarchy.
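What the duid-type keywords in step 4 put on the wire is fixed by RFC 8415, section 11. The following Python is an added example, not Junos code and not from this guide, that builds and decodes the three forms: duid-ll is DUID-LL (type 3), duid-llt is DUID-LLT (type 1, which carries the time the identifier was first generated, counted from 1 January 2000 UTC), and vendor corresponds to DUID-EN (type 2), shown here with Juniper's IANA enterprise number 2636. The MAC address, timestamp and vendor identifier bytes are constructed sample values.

```python
"""Build and decode DHCPv6 DUIDs (RFC 8415, section 11).

Added example, not Junos code and not from this guide. The MAC address,
timestamp and vendor identifier used below are constructed samples.
"""
import struct
from datetime import datetime, timezone

DUID_LLT, DUID_EN, DUID_LL = 1, 2, 3   # DUID type codes
HW_TYPE_ETHERNET = 1                   # IANA hardware type for Ethernet
JUNIPER_ENTERPRISE_NUMBER = 2636       # Juniper's IANA private enterprise number
_DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)

SAMPLE_MAC = "00:11:22:33:44:55"                                   # constructed
SAMPLE_TIME = datetime(2000, 1, 1, 0, 0, 1, tzinfo=timezone.utc)   # constructed


def _mac_bytes(mac):
    parts = mac.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes(int(p, 16) for p in parts)


def duid_ll(mac):
    """DUID-LL: type | hardware type | link-layer address."""
    return struct.pack("!HH", DUID_LL, HW_TYPE_ETHERNET) + _mac_bytes(mac)


def duid_llt(mac, generated_at):
    """DUID-LLT: type | hardware type | time (seconds since 2000-01-01 UTC,
    modulo 2**32) | link-layer address. The time is fixed when the DUID is
    first generated and must be stored so the DUID survives reboots."""
    secs = int((generated_at - _DUID_EPOCH).total_seconds()) & 0xFFFFFFFF
    return struct.pack("!HHI", DUID_LLT, HW_TYPE_ETHERNET, secs) + _mac_bytes(mac)


def duid_en(enterprise_number, identifier):
    """DUID-EN: type | enterprise number | vendor-assigned identifier bytes."""
    return struct.pack("!HI", DUID_EN, enterprise_number) + bytes(identifier)


def parse_duid(blob):
    """Decode a DUID into a dict; rejects unknown or truncated types."""
    if len(blob) < 2:
        raise ValueError("DUID too short")
    (dtype,) = struct.unpack("!H", blob[:2])
    if dtype == DUID_LL and len(blob) >= 4:
        (hw,) = struct.unpack("!H", blob[2:4])
        return {"type": "duid-ll", "hw_type": hw, "mac": blob[4:].hex(":")}
    if dtype == DUID_LLT and len(blob) >= 8:
        hw, secs = struct.unpack("!HI", blob[2:8])
        return {"type": "duid-llt", "hw_type": hw,
                "generated_at": _DUID_EPOCH.timestamp() + secs,
                "mac": blob[8:].hex(":")}
    if dtype == DUID_EN and len(blob) >= 6:
        (en,) = struct.unpack("!I", blob[2:6])
        return {"type": "vendor", "enterprise": en, "identifier": blob[6:]}
    raise ValueError(f"unsupported or truncated DUID type {dtype}")


if __name__ == "__main__":
    print(duid_ll(SAMPLE_MAC).hex())              # 00030001001122334455
    print(duid_llt(SAMPLE_MAC, SAMPLE_TIME).hex()) # 0001000100000001001122334455
    print(parse_duid(duid_en(JUNIPER_ENTERPRISE_NUMBER, b"\x01\x02")))
```

The practical difference between the first two types: DUID-LL is reproducible from the interface MAC alone, so it is stable across reboots and reinstalls, while DUID-LLT includes a generation time that must be stored persistently. A client that regenerates its DUID presents a new identity to the server and loses any binding or server-side static assignment keyed on the old one.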

Related Documentation
• DHCPv6 Client Overview on page 39

Configuring Optional DHCPv6 Client Attributes

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

To enable a device to operate as a DHCPv6 client, you configure a logical interface on
the device to obtain an IPv6 address from the DHCPv6 local server in the network. You
can then specify the retransmission attempts, client requested configuration options,
interface used to delegate prefixes, rapid commit, and update server options.

To configure optional DHCPv6 client attributes:

1. Specify one of the following DHCPv6 client requested configuration options:

• dns-server

• domain

• ntp-server

• sip-domain

• sip-server

For example, to specify the DHCPv6 client requested option as dns-server:

[edit interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set req-option dns-server

2. Set the number of attempts allowed to retransmit a DHCPv6 client protocol packet.

[edit interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set retransmission-attempt 6

3. Configure the update-server option on the DHCPv6 client, so that settings the client
learns can be propagated to a DHCPv6 server pool on the same device.

[edit interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set update-server

4. Specify the interface on whose router advertisements the delegated prefix is announced.

[edit interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set update-router-advertisement interface ge-0/0/0

5. Configure the two-message (rapid commit) exchange option for address assignment.

[edit interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set rapid-commit

NOTE: To configure a DHCPv6 client in a routing instance, add the interface
to a routing instance using the [edit routing-instances] hierarchy.

Related Documentation
• Minimum DHCPv6 Client Configuration on page 91

Configuring Nontemporary Address Assignment

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Nontemporary address assignment is also known as stateful address assignment. In the
stateful address assignment mode, the DHCPv6 client requests global addresses from
the DHCPv6 server. Based on the DHCPv6 server's response, the DHCPv6 client assigns
the global addresses to interfaces and sets a lease time for all valid responses. When
the lease time expires, the DHCPv6 client renews the lease from the DHCPv6 server.

To configure nontemporary (stateful) address assignment:

1. Specify the DHCPv6 client interface.

[edit]
user@host# set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client

2. Configure the client type as statefull.

[edit interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set client-type statefull

3. Specify the IA_NA assignment.

[edit interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set client-ia-type ia-na

Related Documentation
• Minimum DHCPv6 Client Configuration on page 91

Configuring Identity Associations for Nontemporary Addresses and Prefix Delegation

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

The DHCPv6 client requests IPv6 addresses and prefixes from the DHCPv6 server. Based
on the DHCPv6 server’s response, the DHCPv6 client assigns the IPv6 addresses to
interfaces and sets a lease time for all valid responses. When the lease time expires, the
DHCPv6 client renews the lease from the DHCPv6 server.

To configure identity association for nontemporary addresses (IA_NA) and identity
association for prefix delegation (IA_PD):

1. Specify the DHCPv6 client interface.

[edit]
user@host# set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client

2. Configure the client type as statefull.

[edit interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set client-type statefull

3. Specify the IA_NA.

[edit interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set client-ia-type ia-na

4. Specify the IA_PD. Both identity association types can be configured on the same
interface; the client then requests an address and a delegated prefix in the same
exchange.

[edit interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set client-ia-type ia-pd

Related Documentation
• Minimum DHCPv6 Client Configuration on page 91

Configuring Auto-Prefix Delegation

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

You can use DHCPv6 client prefix delegation to automate the delegation of IPv6 prefixes
to the customer premises equipment (CPE). With prefix delegation, a delegating router
delegates IPv6 prefixes to a requesting router. The requesting router then uses the prefixes
to assign global IPv6 addresses to the devices on the subscriber LAN. The requesting
router can also assign subnet addresses to subnets on the LAN.

To configure auto-prefix delegation:

1. Configure the DHCPv6 client type as statefull.

[edit interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set client-type statefull

2. Specify the identity association type as ia-na for nontemporary addresses.

[edit interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set client-ia-type ia-na

3. Specify the identity association type as ia-pd for prefix delegation.

[edit interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set client-ia-type ia-pd

4. Configure the DHCPv6 client identifier by specifying the DUID type.

[edit interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set client-identifier duid-type duid-ll

5. Specify the interface on whose router advertisements the delegated prefix is announced.

[edit interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set update-router-advertisement interface ge-0/0/0

Related Documentation
• Minimum DHCPv6 Client Configuration on page 91
• Configuring Optional DHCPv6 Client Attributes on page 92

Configuring the DHCPv6 Client Rapid Commit Option

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

The DHCPv6 client can obtain configuration parameters from a DHCPv6 server through
a rapid two-message exchange (solicit and reply). When the rapid commit option is
enabled by both the DHCPv6 client and the DHCPv6 server, the two-message exchange
is used, rather than the default four-message exchange (solicit, advertise, request, and
reply). The two-message exchange provides faster client configuration and is beneficial
in environments in which networks are under a heavy load. If the server does not
support or enable rapid commit, the client falls back to the four-message exchange.

To configure the DHCPv6 client to support the DHCPv6 rapid commit option:

1. Specify the DHCPv6 client interface.

[edit]
user@host# set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client

2. Configure the two-message exchange option for address assignment.

[edit interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set rapid-commit

Related Documentation
• DHCPv6 Client Overview on page 39

Configuring a DHCPv6 Client in Autoconfig Mode

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650


A DHCPv6 client configured in autoconfig mode acts as a stateful client, as a stateless
client (a DHCPv6 server is still required for the TCP/IP configuration parameters), or as
a stateless-no-DHCP client, depending on the managed (M) and other configuration (O)
flags in the router advertisement messages it receives.

If the managed flag is 1 and the other configuration flag is 0, the DHCPv6 client acts as a
stateful client. In stateful mode, the client receives IPv6 addresses from the DHCPv6
server, based on the identity association for nontemporary addresses (IA_NA) assignment.

If the managed flag is 0 and the other configuration flag is 1, the DHCPv6 client acts as a
stateless client. In stateless mode, the addresses are automatically configured, based
on the prefixes in the router advertisement messages received from the router, and the
client obtains only configuration parameters from the DHCPv6 server.

If the managed flag is 0 and the other configuration flag is also 0, the DHCPv6 client acts
as a stateless-no-DHCP client. In this mode, the client configures its IPv6 addresses
from the router advertisement messages and does not contact a DHCPv6 server.

To configure DHCPv6 client in autoconfig mode:

1. Configure the DHCPv6 client type as autoconfig.

[edit interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set client-type autoconfig

2. Specify the identity association type as ia-na for nontemporary addresses.

[edit interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set client-ia-type ia-na

3. Specify the interface on which to configure router advertisement.

[edit protocols router-advertisement]
user@host# set interface ge-0/0/1.0
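The decision table above can be checked against real router advertisements. The following Python is an added example, not Junos code and not from this guide: it parses the fixed 16-byte ICMPv6 Router Advertisement header defined in RFC 4861, section 4.2, and maps the M and O flags to the three client behaviours. The case where both flags are set is not covered by the text; the code treats it as stateful, following RFC 4861, which makes the O flag redundant once M is set. The RA bytes are constructed samples.

```python
"""Router Advertisement M/O flags and the DHCPv6 autoconfig-mode decision.

Added example, not Junos code and not from this guide. Parses the fixed
ICMPv6 RA header (RFC 4861, section 4.2) and applies the M/O decision table.
The RA bytes below are constructed samples.
"""
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
FLAG_MANAGED = 0x80   # M: addresses come from DHCPv6 (stateful)
FLAG_OTHER = 0x40     # O: other configuration (DNS etc.) comes from DHCPv6
# type, code, checksum, cur hop limit, flags, router lifetime, reachable time, retrans timer
_RA_HEADER = "!BBHBBHII"


def build_ra(managed, other, hop_limit=64, router_lifetime=1800):
    """Construct an RA header with the given flags (checksum left at 0)."""
    flags = (FLAG_MANAGED if managed else 0) | (FLAG_OTHER if other else 0)
    return struct.pack(_RA_HEADER, ICMPV6_ROUTER_ADVERTISEMENT, 0, 0,
                       hop_limit, flags, router_lifetime, 0, 0)


def parse_ra_flags(icmpv6_message):
    """Return (managed, other) from a raw ICMPv6 message; rejects anything
    that is not a well-formed Router Advertisement."""
    size = struct.calcsize(_RA_HEADER)
    if len(icmpv6_message) < size:
        raise ValueError("truncated ICMPv6 message")
    msg_type, code, _csum, _hops, flags, _life, _reach, _retrans = struct.unpack(
        _RA_HEADER, icmpv6_message[:size])
    if msg_type != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError(f"not a router advertisement (type {msg_type}, code {code})")
    return bool(flags & FLAG_MANAGED), bool(flags & FLAG_OTHER)


def autoconfig_mode(managed, other):
    """Map the M/O flags to the client behaviour described in the text."""
    if managed:
        return "stateful"           # IA_NA address from the DHCPv6 server
    if other:
        return "stateless"          # SLAAC address, parameters from DHCPv6
    return "stateless-no-dhcp"      # SLAAC only, DHCPv6 not used


def mode_for_ra(icmpv6_message):
    return autoconfig_mode(*parse_ra_flags(icmpv6_message))


# Constructed sample: type 134, code 0, checksum 0, hop limit 64, flags 0x80
# (M=1, O=0), router lifetime 1800 s, reachable time 0, retrans timer 0.
SAMPLE_RA_STATEFUL = bytes.fromhex("86000000408007080000000000000000")

if __name__ == "__main__":
    for m, o in ((True, False), (False, True), (False, False), (True, True)):
        print(f"M={int(m)} O={int(o)} -> {mode_for_ra(build_ra(m, o))}")
    print(mode_for_ra(SAMPLE_RA_STATEFUL))   # stateful
```

Because router advertisements are unauthenticated link-local multicast, any host on the segment that can emit an RA with M set can steer an autoconfig-mode client toward a DHCPv6 server of its choosing. Treat the flags as a hint from the link, not as trusted policy, and filter rogue RAs at the access layer where that capability exists.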

Related Documentation
• Minimum DHCPv6 Client Configuration on page 91
• Configuring Optional DHCPv6 Client Attributes on page 92

Configuring TCP/IP Propagation on a DHCPv6 Client

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

You can enable or disable the propagation of TCP/IP settings received on the device
acting as a DHCPv6 client. The settings can be propagated to the server pool running on
the device. This topic describes how to configure TCP/IP settings on a DHCPv6 client,
where both the DHCPv6 client and DHCPv6 server are on the same device. The propagated
settings originate from the upstream DHCPv6 server, so enable propagation only from an
interface that faces a provider you trust to supply those settings to your LAN clients.

To configure TCP/IP setting propagation on a DHCPv6 client:

1. Configure the update-server option on the DHCPv6 client.

[edit interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set update-server

2. Configure the address pool to specify the interface (where update-server is configured)
from which TCP/IP settings can be propagated.

[edit access]
user@host# set address-assignment pool 2 family inet6 dhcp-attributes propagate-settings ge-0/0/0

Related Documentation
• DHCPv6 Client Overview on page 39
• Minimum DHCPv6 Client Configuration on page 91



CHAPTER 14

DHCPv6 Local Server

• Creating a Security Policy for DHCPv6 on page 99
• Example: Configuring DHCPv6 Server Options on page 100
• Example: Configuring an Address-Assignment Pool on page 103
• Configuring a Named Address Range for Dynamic Address Assignment on page 105
• Configuring Address-Assignment Pool Linking on page 106
• Configuring DHCP Client-Specific Attributes on page 106
• Configuring an Address-Assignment Pool for Router Advertisement on page 107

Creating a Security Policy for DHCPv6

Supported Platforms LN Series, SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, SRX5800

For the DHCPv6 server to accept DHCPv6 requests, you must allow DHCPv6 as host-inbound
traffic on the zone interface that the clients reach; otherwise the device drops the
requests before they reach the DHCPv6 server. In this example, the zone my-zone allows
DHCPv6 traffic on the ge-0/0/3.0 interface, which is configured with the IPv6 address 3000::1.

To create a security zone policy to allow DHCPv6:

1. Create the zone and add an interface to that zone.

[edit security zones]


user@host# edit security-zone my-zone interfaces ge-0/0/3.0

2. Configure host inbound traffic system services to allow DHCPv6.

[edit security zones security-zone my-zone interfaces ge-0/0/3.0]


user@host# set host-inbound-traffic system-services dhcpv6

3. If you are done configuring the device, enter commit from configuration mode.

Related Documentation

• DHCPv6 Server Overview on page 41
• Example: Configuring DHCPv6 Server Options on page 100
• Example: Configuring an Address-Assignment Pool on page 103
• Administration Guide for Security Devices

Example: Configuring DHCPv6 Server Options

Supported Platforms LN Series, SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, SRX5800

This example shows how to configure DHCPv6 server options.

• Requirements on page 100


• Overview on page 100
• Configuration on page 100
• Verification on page 102

Requirements
Before you begin:

• Determine the IPv6 address pool range.

• Determine the IPv6 prefix. See Understanding Address Books.

• Determine the grace period, maximum lease time, or any custom options that should
be applied to clients.

• List the IP addresses that are available for the devices on your network; for example,
DNS and SIP servers.

Overview
In this example, you set a default client limit as 100 for all DHCPv6 groups. You then
create a group called my-group that contains at least one interface. In this case, the
interface is ge-0/0/3.0. You set a range of interfaces using the upto command and set
a custom client limit as 200 for group my-group that overrides the default limit. Finally,
you configure interface ge-0/0/3.0 with IPv6 address 3000::1/64 and set router
advertisement for interface ge-0/0/3.0.

NOTE: A DHCPv6 group must contain at least one interface.

Configuration
CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy
level.

set system services dhcp-local-server dhcpv6 overrides interface-client-limit 100
set system services dhcp-local-server dhcpv6 group my-group interface ge-0/0/3.0
set system services dhcp-local-server dhcpv6 group my-group interface ge-0/0/3.0 upto ge-0/0/6.0
set system services dhcp-local-server dhcpv6 group my-group overrides interface-client-limit 200
set interfaces ge-0/0/3 unit 0 family inet6 address 3000::1/64
set protocols router-advertisement interface ge-0/0/3.0 prefix 3000::/64

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration
hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration
Mode.

To configure DHCPv6 server options:

1. Configure a DHCP local server.

[edit]
user@host# edit system services dhcp-local-server dhcpv6

2. Set a default limit for all DHCPv6 groups.

[edit system services dhcp-local-server dhcpv6]


user@host# set overrides interface-client-limit 100

3. Specify a group name and interface.

[edit system services dhcp-local-server dhcpv6]


user@host# set group my-group interface ge-0/0/3.0

4. Set a range of interfaces.

[edit system services dhcp-local-server dhcpv6]


user@host# set group my-group interface ge-0/0/3.0 upto ge-0/0/6.0

5. Set a custom client limit for the group.

[edit system services dhcp-local-server dhcpv6]


user@host# set group my-group overrides interface-client-limit 200

6. Configure an interface with an IPv6 address.

[edit interfaces]
user@host# set ge-0/0/3 unit 0 family inet6 address 3000::1/64

7. Set router advertisement for the interface.

[edit protocols]
user@host# set router-advertisement interface ge-0/0/3.0 prefix 3000::/64

Results

From configuration mode, confirm your configuration by entering the show system services
dhcp-local-server, show interfaces ge-0/0/3, and show protocols commands. If the output
does not display the intended configuration, repeat the configuration instructions in this
example to correct it.

[edit]
user@host# show system services dhcp-local-server
dhcpv6 {
    overrides {
        interface-client-limit 100;
    }
    group my-group {
        overrides {
            interface-client-limit 200;
        }
        interface ge-0/0/3.0 {
            upto ge-0/0/6.0;
        }
    }
}
[edit]
user@host# show interfaces ge-0/0/3
unit 0 {
    family inet6 {
        address 3000::1/64;
    }
}
[edit]
user@host# show protocols
router-advertisement {
    interface ge-0/0/3.0 {
        prefix 3000::/64;
    }
}

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying DHCPv6 Local Server Configuration

Purpose

Verify that the DHCPv6 local server is assigning addresses to clients and recording
statistics for them. Bindings are not configured; they appear as clients obtain leases,
so run these commands after at least one client has requested an address.

Action

From operational mode, enter these commands:

• show dhcpv6 server binding, to display the address bindings in the client table on the
DHCPv6 local server.

• show dhcpv6 server statistics, to display the DHCPv6 local server statistics.

• clear dhcpv6 server bindings all, to clear all DHCPv6 local server bindings. You can
clear all bindings, or clear only those for a specific interface or routing instance.

• clear dhcpv6 server statistics, to clear all DHCPv6 local server statistics.

Related Documentation

• DHCPv6 Server Overview on page 41
• Example: Configuring an Address-Assignment Pool on page 103
• Configuring a Named Address Range for Dynamic Address Assignment on page 105
• Creating a Security Policy for DHCPv6 on page 99
• Administration Guide for Security Devices

Example: Configuring an Address-Assignment Pool

Supported Platforms LN Series, SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, SRX5800

This example shows how to configure an address-assignment pool.

• Requirements on page 103


• Overview on page 103
• Configuration on page 103
• Verification on page 105

Requirements
Before you begin:

• Specify the name of the address-assignment pool and configure addresses for the
pool.

• Set DHCPv6 attributes for the address-assignment pool.

Overview
In this example, you configure an address pool called my-pool and specify the IPv6 family
as inet6. You configure the IPv6 prefix as 3000:0000::/10, the range name as range1,
and the IPv6 range for DHCPv6 clients from a low of 3000:0000::/32 to a high of
3000:1000::/32. You can define the range based on the lower and upper boundaries of
the prefixes in the range or based on the length of the prefixes in the range. Finally, you
specify the DHCPv6 attributes for the pool: the DNS server as 3001::1, the grace period as
3600 seconds, and the maximum lease time as 120 seconds.

Configuration
CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy
level.

set access address-assignment pool my-pool family inet6 prefix 3000:0000::/10
set access address-assignment pool my-pool family inet6 range range1 low 3000:0000::/32 high 3000:1000::/32
set access address-assignment pool my-pool family inet6 dhcp-attributes dns-server 3001::1
set access address-assignment pool my-pool family inet6 dhcp-attributes grace-period 3600
set access address-assignment pool my-pool family inet6 dhcp-attributes maximum-lease-time 120

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration
hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration
Mode.

To configure an IPv6 address-assignment pool:

1. Configure an address-pool and specify the IPv6 family.

[edit access]
user@host# edit address-assignment pool my-pool family inet6

2. Configure the IPv6 prefix, the range name, and IPv6 range for DHCPv6 clients.

[edit access address-assignment pool my-pool family inet6]


user@host# set prefix 3000:0000::/10
user@host# set range range1 low 3000:0000::/32 high 3000:1000::/32

3. Configure the DHCPv6 attribute for the DNS server for the address pool.

[edit access address-assignment pool my-pool family inet6]


user@host# set dhcp-attributes dns-server 3001::1

4. Configure the DHCPv6 attribute for the grace period.

[edit access address-assignment pool my-pool family inet6]


user@host# set dhcp-attributes grace-period 3600

5. Configure the DHCPv6 attribute for the maximum lease time.

[edit access address-assignment pool my-pool family inet6]


user@host# set dhcp-attributes maximum-lease-time 120

Results

From configuration mode, confirm your configuration by entering the show access
address-assignment command. If the output does not display the intended configuration,
repeat the configuration instructions in this example to correct it.

[edit]
user@host# show access address-assignment
pool my-pool {
    family inet6 {
        prefix 3000:0000::/10;
        range range1 {
            low 3000:0000::/32;
            high 3000:1000::/32;
        }
        dhcp-attributes {
            maximum-lease-time 120;
            grace-period 3600;
            dns-server {
                3001::1;
            }
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying Configuration

Purpose

Verify that the address-assignment pool has been configured.

Action

From operational mode, enter the show access address-assignment command.

Related Documentation

• DHCPv6 Server Overview on page 41
• Example: Configuring DHCPv6 Server Options on page 100
• Configuring a Named Address Range for Dynamic Address Assignment on page 105
• Creating a Security Policy for DHCPv6 on page 99
• Administration Guide for Security Devices

Configuring a Named Address Range for Dynamic Address Assignment

Supported Platforms LN Series, SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, SRX5800

You can optionally configure multiple named ranges, or subsets of addresses, within an
address-assignment pool. During dynamic address assignment, a client can be assigned
an address from a specific named range. To create a named range, you specify a name
for the range and define the address range and DHCPv6 attributes.

To configure a named address range for dynamic address assignment:

1. Specify the name of the address-assignment pool and the IPv6 family.

[edit access]
user@host# edit address-assignment pool my-pool2 family inet6

2. Configure the IPv6 prefix and then define the range name and IPv6 range for DHCPv6
clients. You can define the range based on the lower and upper boundaries of the
prefixes in the range, or based on the length of the prefixes in the range.

[edit access address-assignment pool my-pool2 family inet6]


user@host# set prefix 3000:5000::/10
user@host# set range range2 low 3000:2000::/32 high 3000:3000::/32

3. Configure DHCPv6 attributes for the address pool.

[edit access address-assignment pool my-pool2 family inet6]


user@host# set dhcp-attributes dns-server 2001:db8:18:: grace-period 3600 maximum-lease-time 120

4. If you are done configuring the device, enter commit from configuration mode.

Related Documentation

• Administration Guide for Security Devices

Configuring Address-Assignment Pool Linking

Supported Platforms LN Series, SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, SRX5800

Address-assignment pool linking enables you to specify a secondary address pool for
the device to use when the primary address-assignment pool is fully allocated. When
the primary pool has no available addresses remaining, the device automatically switches
over to the linked secondary pool and begins allocating addresses from that pool. The
device uses a secondary pool only when the primary address-assignment pool is fully
allocated.

You can create a chain of multiple linked pools. For example, you can link pool A to pool
B, and link pool B to pool C. When pool A has no available addresses, the device switches
to pool B for addresses. When pool B is exhausted, the device switches to pool C. There
is no limit to the number of linked pools in a chain. However, you cannot create multiple
links to or from the same pool—a pool can be linked to only one secondary pool, and a
secondary pool can be linked from only one primary pool.

To link a primary address-assignment pool named pool1 to a secondary pool named pool2:

[edit access address-assignment]
user@host# set pool pool1 link pool2
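The pool, range and link statements in this topic and in Example: Configuring an Address-Assignment Pool are easy to get subtly wrong in review: a range that falls outside its pool prefix, two ranges that overlap, or a link that points back into its own chain. The following Python script is an added example and is not part of this guide or of Junos OS. It lints set access address-assignment lines offline with the standard ipaddress module. The sample configuration is constructed: my-pool and my-pool2 follow the guide's examples, while my-pool3 and the link lines are assumptions added so that each check fires once. Treating a link loop as an error is the script's own rule; the guide does not say how the device handles one.

```python
"""Lint Junos 'set access address-assignment' lines before they are committed.

Checks: a named range lies inside its pool's inet6 prefix, ranges in one pool
do not overlap, a pool is linked from at most one other pool, and links do
not form a loop. Added example, not Juniper code.
"""
import ipaddress
import re
from collections import defaultdict

POOL = r"set access address-assignment pool (\S+) "
RE_PREFIX = re.compile(POOL + r"family inet6 prefix (\S+)$")
RE_RANGE = re.compile(POOL + r"family inet6 range (\S+) low (\S+) high (\S+)$")
RE_LINK = re.compile(POOL + r"link (\S+)$")

# Constructed sample: my-pool and my-pool2 follow the guide's examples;
# my-pool3 and the link lines are assumptions that exercise each check.
SAMPLE_CONFIG = """\
set access address-assignment pool my-pool family inet6 prefix 3000:0000::/10
set access address-assignment pool my-pool family inet6 range range1 low 3000:0000::/32 high 3000:1000::/32
set access address-assignment pool my-pool family inet6 dhcp-attributes dns-server 3001::1
set access address-assignment pool my-pool2 family inet6 prefix 3000:5000::/10
set access address-assignment pool my-pool2 family inet6 range range2 low 3000:2000::/32 high 3000:3000::/32
set access address-assignment pool my-pool3 family inet6 prefix 2001:db8::/32
set access address-assignment pool my-pool3 family inet6 range a low 2001:db8:1::/48 high 2001:db8:2::/48
set access address-assignment pool my-pool3 family inet6 range b low 2001:db8:2::/48 high 2001:db8:3::/48
set access address-assignment pool my-pool link my-pool2
set access address-assignment pool my-pool2 link my-pool
set access address-assignment pool my-pool3 link my-pool2
"""


def parse(config_text):
    """Return (prefixes, ranges, links), each keyed by pool name."""
    prefixes, links = {}, {}
    ranges = defaultdict(list)          # pool -> [(range name, low, high)]
    for line in config_text.splitlines():
        line = line.strip()
        if m := RE_PREFIX.match(line):
            prefixes[m[1]] = m[2]
        elif m := RE_RANGE.match(line):
            ranges[m[1]].append((m[2], m[3], m[4]))
        elif m := RE_LINK.match(line):
            links[m[1]] = m[2]           # 'link' takes one value; a repeat overwrites
    return prefixes, ranges, links


def _net(text):
    # strict=False accepts a prefix with host bits set so the lint can report
    # the canonical network instead of stopping at the first bad line.
    return ipaddress.IPv6Network(text, strict=False)


def _find_loops(links):
    """Return each cycle in the link graph once, as a sorted tuple of pool names."""
    loops = set()
    for start in links:
        path, cur = [], start
        while cur in links and cur not in path:
            path.append(cur)
            cur = links[cur]
        if cur in path:
            loops.add(tuple(sorted(path[path.index(cur):])))
    return loops


def lint(config_text):
    """Return a list of findings; an empty list means the pools are consistent."""
    prefixes, ranges, links = parse(config_text)
    findings = []

    for pool, text in prefixes.items():
        try:
            ipaddress.IPv6Network(text, strict=True)
        except ValueError:
            findings.append(f"{pool}: prefix {text} has host bits set; "
                            f"canonical network is {_net(text)}")

    for pool, entries in ranges.items():
        pool_net = _net(prefixes[pool]) if pool in prefixes else None
        spans = []
        for name, low, high in entries:
            lo, hi = _net(low), _net(high)
            if pool_net is not None and not (lo.subnet_of(pool_net) and hi.subnet_of(pool_net)):
                findings.append(f"{pool}/{name}: range {low}-{high} is outside prefix {pool_net}")
            if lo.network_address > hi.network_address:
                findings.append(f"{pool}/{name}: low {low} is above high {high}")
            spans.append((name, int(lo.network_address), int(hi.broadcast_address)))
        spans.sort(key=lambda s: s[1])
        for (n1, _, end1), (n2, start2, _) in zip(spans, spans[1:]):
            if start2 <= end1:
                findings.append(f"{pool}: ranges {n1} and {n2} overlap")

    incoming = defaultdict(list)
    for src, dst in links.items():
        incoming[dst].append(src)
        if dst not in prefixes:
            findings.append(f"{src}: links to undefined pool {dst}")
    for dst, srcs in incoming.items():
        if len(srcs) > 1:
            findings.append(f"{dst}: linked from more than one pool ({', '.join(sorted(srcs))})")
    for loop in sorted(_find_loops(links)):
        findings.append("link loop: " + " -> ".join(loop + (loop[0],)))
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of show configuration access address-assignment | display set before committing a change; the constructed sample produces four findings, including the guide's own 3000:5000::/10 prefix being reported with its canonical form 3000::/10.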

Related Documentation

• Administration Guide for Security Devices

Configuring DHCP Client-Specific Attributes

Supported Platforms LN Series, SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, SRX5800

You use the address-assignment pool feature to include application-specific attributes
when clients obtain an address. A client application, such as DHCPv6, uses the attributes
to determine how addresses are assigned and to provide optional application-specific
characteristics to the client. For example, the DHCPv6 application might specify that a
client that matches certain prerequisite information is dynamically assigned an address
from a particular named range. Based on which named range is used, DHCPv6 specifies
additional DHCPv6 attributes such as the DNS server or the maximum lease time for
clients.

You use the dhcp-attributes statement to configure DHCPv6 client-specific attributes
for address-assignment pools at the [edit access address-assignment pool pool-name
family inet6] hierarchy.

Table 12 on page 107 describes the DHCPv6 client attributes for configuring IPv6
address-assignment pools.


Table 12: DHCPv6 Attributes

Attribute               Description                                             DHCPv6 Option
dns-server              IPv6 address of DNS server to which clients can send    23
                        DNS queries
grace-period            Grace period offered with the lease                     –
maximum-lease-time      Maximum lease time allowed by the DHCPv6 server         –
option                  User-defined options                                    –
sip-server-address      IPv6 address of SIP outbound proxy server               22
sip-server-domain-name  Domain name of the SIP outbound proxy server            21
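Table 12 names the DHCPv6 option numbers that the dns-server, sip-server-address and sip-server-domain-name attributes populate. The following Python script is an added example, not code from this guide or from Junos OS: it encodes those attributes into DHCPv6 option bytes (RFC 3315 option framing; option 23 from RFC 3646; options 21 and 22 from RFC 3319) and parses them back with the length checks a client or capture tool needs, so you can compare what the server is configured to send with what a packet capture shows. The attribute values are constructed; only 3001::1 is taken from the guide's example.

```python
"""Encode and decode the DHCPv6 options behind Table 12's attributes.

Option framing is the RFC 3315 two-byte code / two-byte length layout;
option 23 is from RFC 3646, options 21 and 22 from RFC 3319.
Added example, not Juniper code.
"""
import ipaddress
import struct

OPTION_SIP_SERVER_D = 21   # SIP server domain name list
OPTION_SIP_SERVER_A = 22   # SIP server IPv6 address list
OPTION_DNS_SERVERS = 23    # DNS recursive name server list

# Constructed sample: only 3001::1 comes from the guide's example.
SAMPLE_ATTRS = {
    "dns-server": ["3001::1"],
    "sip-server-address": ["2001:db8::5"],
    "sip-server-domain-name": ["sip.example.com"],
}


def encode_domain_list(names):
    """RFC 1035 label format without compression, as RFC 3315 section 8 requires."""
    out = bytearray()
    for name in names:
        for label in name.rstrip(".").split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError(f"bad label {label!r} in {name!r}")
            out.append(len(raw))
            out += raw
        out.append(0)                    # zero-length root label ends each name
    return bytes(out)


def decode_domain_list(data):
    names, pos = [], 0
    while pos < len(data):
        labels = []
        while True:
            if pos >= len(data):
                raise ValueError("truncated domain name")
            n = data[pos]
            pos += 1
            if n == 0:
                break
            if n & 0xC0:                 # a compression pointer is a protocol violation here
                raise ValueError("compression pointer in DHCPv6 domain list")
            labels.append(data[pos:pos + n].decode("ascii"))
            pos += n
        names.append(".".join(labels))
    return names


def encode_option(code, body):
    return struct.pack("!HH", code, len(body)) + body


def encode_address_list(addresses):
    return b"".join(ipaddress.IPv6Address(a).packed for a in addresses)


def attributes_to_options(attrs):
    """Map Junos dhcp-attributes names to a DHCPv6 option byte string."""
    out = b""
    if "dns-server" in attrs:
        out += encode_option(OPTION_DNS_SERVERS, encode_address_list(attrs["dns-server"]))
    if "sip-server-address" in attrs:
        out += encode_option(OPTION_SIP_SERVER_A, encode_address_list(attrs["sip-server-address"]))
    if "sip-server-domain-name" in attrs:
        out += encode_option(OPTION_SIP_SERVER_D, encode_domain_list(attrs["sip-server-domain-name"]))
    return out


def parse_options(data):
    """Return [(code, value)] pairs, rejecting lengths that do not fit the data."""
    result, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", data, pos)
        pos += 4
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError(f"option {code} claims {length} bytes but {len(body)} remain")
        pos += length
        if code in (OPTION_DNS_SERVERS, OPTION_SIP_SERVER_A):
            if length % 16:
                raise ValueError(f"option {code} length {length} is not a multiple of 16")
            value = [str(ipaddress.IPv6Address(body[i:i + 16])) for i in range(0, length, 16)]
        elif code == OPTION_SIP_SERVER_D:
            value = decode_domain_list(body)
        else:
            value = body                 # unknown option: keep the raw bytes
        result.append((code, value))
    return result


if __name__ == "__main__":
    wire = attributes_to_options(SAMPLE_ATTRS)
    print(wire.hex())
    for code, value in parse_options(wire):
        print(code, value)
```

The parser refuses an option whose declared length runs past the end of the data and an address-list option whose length is not a multiple of 16; both are the malformed cases a client implementation must handle before it trusts the DNS or SIP servers a reply names.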

Related Documentation

• Administration Guide for Security Devices

Configuring an Address-Assignment Pool for Router Advertisement

Supported Platforms LN Series, SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, SRX5800

You can create an address-assignment pool that is explicitly used for router advertisement
address assignment. You populate the address-assignment pool using the standard
procedure, but you additionally specify that the pool is used for router advertisement.

To configure an address-assignment pool that is used for router advertisement:

1. Create the IPv6 address-assignment pool (in this example, a pool named router1).

2. Specify that the address-assignment pool is used for router advertisement.

[edit access address-assignment]
user@host# set neighbor-discovery-router-advertisement router1

3. If you are done configuring the device, enter commit from configuration mode.

Related Documentation

• Administration Guide for Security Devices


CHAPTER 15

Configuration Statements

• [edit security certificates] Hierarchy Level on page 111


• [edit security ssh-known-hosts] Hierarchy Level on page 111
• Interfaces Configuration Statement Hierarchy on page 112
• Groups Configuration Statement Hierarchy on page 127
• address-assignment (Access) on page 128
• address-pool (Access) on page 131
• allow-configuration on page 132
• allow-configuration-regexps on page 133
• authentication-key on page 134
• authentication-order on page 135
• boot-server (NTP) on page 136
• broadcast on page 137
• broadcast-client on page 138
• client-ia-type on page 138
• client-identifier (dhcp-client) on page 139
• client-identifier (dhcpv6-client) on page 139
• client-list-name (SNMP) on page 140
• client-type on page 140
• deny-configuration on page 141
• deny-configuration-regexps on page 142
• dhcp-attributes (Access IPv4 Address Pools) on page 143
• dhcp-attributes (Access IPv6 Address Pools) on page 145
• dhcp-client on page 146
• dhcpv6-client on page 147
• dhcp-local-server (System Services) on page 148
• dhcpv6 (System Services) on page 152
• family (Security Forwarding Options) on page 156
• forwarding-options (Security) on page 157


• group (System Services DHCP) on page 159


• host (SSH Known Hosts) on page 162
• hostkey-algorithm on page 163
• interface (System Services DHCP) on page 164
• interfaces (ARP) on page 165
• interfaces (Security Zones) on page 166
• interface-traceoptions (System Services DHCP) on page 167
• internet-options on page 169
• lease-time (dhcp-client) on page 170
• lockout-period on page 171
• multicast-client on page 171
• name-server (Access) on page 172
• neighbor-discovery-router-advertisement (Access) on page 172
• ntp on page 173
• overrides (System Services DHCP) on page 174
• peer (NTP) on page 175
• port (System Services Reverse SSH) on page 176
• port (System Services Reverse Telnet) on page 176
• prefix on page 177
• profilerd on page 178
• proxy on page 179
• rapid-commit on page 179
• reconfigure (System Services DHCP) on page 180
• req-option on page 181
• retransmission-attempt (dhcp-client) on page 182
• retransmission-attempt (dhcpv6-client) on page 182
• retransmission-interval (dhcp-client) on page 183
• ssh (reverse) on page 183
• ssh-known-hosts on page 184
• server (NTP) on page 185
• server-address (dhcp-client) on page 186
• services on page 187
• source-address (NTP, RADIUS, System Logging, or TACACS+) on page 192
• telnet (System Services Reverse) on page 192
• traceoptions (System Services DHCP) on page 193
• trusted-key on page 195
• update-router-advertisement on page 195


• update-server (dhcp-client) on page 196


• update-server (dhcpv6-client) on page 196
• user-id on page 197
• use-interface on page 197
• vendor-id on page 198
• vpn (Forwarding Options) on page 198

[edit security certificates] Hierarchy Level

Supported Platforms J Series, LN Series, SRX Series

security {
certificates {
cache-size bytes;
cache-timeout-negative seconds;
certification-authority profile-name {
ca-name name;
crl filename;
encoding (binary | pem);
enrollment-url url;
file filename;
ldap-url url;
}
enrollment-retry number;
local name {
certificate;
load-key-file url;
}
maximum-certificates number;
path-length length;
}
}

Related Documentation

• Security Configuration Statement Hierarchy
• Administration Guide for Security Devices
• Installation and Upgrade Guide for Security Devices

[edit security ssh-known-hosts] Hierarchy Level

Supported Platforms J Series, LN Series, SRX Series

security {
ssh-known-hosts {
fetch-from-server server-name;
host hostname {
dsa-key dsa-key;
ecdsa-sha2-nistp256-key ecdsa-sha2-nistp256-key;
ecdsa-sha2-nistp384-key ecdsa-sha2-nistp384-key;
ecdsa-sha2-nistp521-key ecdsa-sha2-nistp521-key;
rsa-key rsa-key;


rsa1-key rsa1-key;
}
load-key-file key-file;
}
}
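The [edit security ssh-known-hosts] hierarchy above holds the public host keys the device trusts when it opens outbound SSH connections. The following Python script is an added example, not code from this guide or from Junos OS: it converts OpenSSH known_hosts lines into the corresponding host statements, refuses a line whose base64 blob does not carry the key type the line declares, and prints the SHA256 fingerprint in the form ssh-keygen -l shows, so the key can be confirmed with the server's operator before it is committed. Two assumptions: that each type-key statement takes the base64 key body exactly as OpenSSH stores it, and the sample line, which carries a constructed, cryptographically meaningless RSA blob.

```python
"""Convert OpenSSH known_hosts lines into Junos ssh-known-hosts host statements.

Each line's base64 blob is checked against the key type the line declares,
and its SHA256 fingerprint is returned for out-of-band verification.
Added example, not Juniper code; the key-body format is an assumption.
"""
import base64
import hashlib
import struct

# OpenSSH key type -> statement under [edit security ssh-known-hosts host hostname]
JUNOS_KEY_STATEMENT = {
    "ssh-rsa": "rsa-key",
    "ssh-dss": "dsa-key",
    "ecdsa-sha2-nistp256": "ecdsa-sha2-nistp256-key",
    "ecdsa-sha2-nistp384": "ecdsa-sha2-nistp384-key",
    "ecdsa-sha2-nistp521": "ecdsa-sha2-nistp521-key",
}


def _ssh_string(b):
    return struct.pack("!I", len(b)) + b


def _mpint(n):
    # Adds a leading 0x00 exactly when the top bit is set, as RFC 4251 requires.
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def blob_key_type(blob):
    """The first SSH string in a public-key blob names its algorithm."""
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack_from("!I", blob, 0)
    if n > len(blob) - 4:
        raise ValueError("blob type string truncated")
    return blob[4:4 + n].decode("ascii")


def fingerprint_sha256(blob):
    """Same form as 'ssh-keygen -lf': SHA256:<base64 without padding>."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def convert_known_hosts_line(line):
    """Return (host, fingerprint, set command) for one known_hosts line."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("not a known_hosts entry")
    if fields[0].startswith("@"):
        # @cert-authority and @revoked lines are not host keys to trust.
        raise ValueError(f"marker line {fields[0]} is not a host key")
    host, declared_type, b64 = fields[:3]
    if host.startswith("|1|"):
        raise ValueError("hashed hostname cannot be mapped to a host statement")
    blob = base64.b64decode(b64, validate=True)
    actual = blob_key_type(blob)
    if actual != declared_type:
        raise ValueError(f"{host}: line says {declared_type} but blob is {actual}")
    if declared_type not in JUNOS_KEY_STATEMENT:
        raise ValueError(f"{host}: no statement for {declared_type} in this hierarchy")
    cmd = f'set security ssh-known-hosts host {host} {JUNOS_KEY_STATEMENT[declared_type]} "{b64}"'
    return host, fingerprint_sha256(blob), cmd


# Constructed sample: a well-formed but cryptographically meaningless RSA blob.
_TOY_BLOB = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint(0xC0FFEE1234567890ABCDEF)
SAMPLE_LINE = "radius1.example.net ssh-rsa " + base64.b64encode(_TOY_BLOB).decode()

if __name__ == "__main__":
    host, fp, cmd = convert_known_hosts_line(SAMPLE_LINE)
    print(f"{host} {fp}")
    print(cmd)
```

Compare the printed fingerprint with the one the server's administrator reports (ssh-keygen -lf on the server's host key) before pasting the set command; a key added from an unverified known_hosts line is trusted by every later connection the device makes to that host.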

Related Documentation

• Security Configuration Statement Hierarchy
• Administration Guide for Security Devices

Interfaces Configuration Statement Hierarchy

Supported Platforms J Series, LN Series, SRX Series

Use the statements in the interfaces configuration hierarchy to configure interfaces on
the device.

interfaces {
interface-name {
accounting-profile name;
clocking (external | internal);
dce;
description text;
disable;
e1-options {
bert-algorithm algorithm;
bert-error-rate rate;
bert-period seconds;
fcs (16 | 32);
framing (g704 | g704-no-crc4 | unframed);
idle-cycle-flag (flags | ones);
invert-data data;
loopback (local | remote);
start-end-flag (shared | filler);
timeslots time-slot-range;
}
e3-options {
bert-algorithm algorithm;
bert-error-rate rate;
bert-period seconds;
compatibility-mode {
digital-link {
subrate value;
}
kentrox {
subrate value;
}
larscom;
}
fcs (16 | 32);
framing (g.751 | g.832);
idle-cycle-flag value;
invert-data;
loopback (local | remote);
(no-payload-scrambler | payload-scrambler);

(no-unframed | unframed);
start-end-flag (filler | shared);
}
encapsulation (ether-vpls-ppp | ethernet-bridge | ethernet-ccc | ethernet-tcc |
ethernet-vpls | extended-frame-relay-ccc | extended-frame-relay-tcc |
extended-vlan-bridge | extended-vlan-ccc | extended-vlan-tcc | extended-vlan-vpls
| frame-relay-port-ccc | vlan-ccc | vlan-vpls);
fastether-options {
802.3ad interface-name {
(backup | primary);
lacp {
port-priority port-number;
}
}
(auto-negotiation | no-auto-negotiation);
ignore-l3-incompletes;
ingress-rate-limit rate;
(loopback | no-loopback);
mpls {
pop-all-labels {
required-depth number;
}
}
redundant-parent interface-name;
source-address-filter mac-address;
}
flexible-vlan-tagging;
gigether-options {
802.3ad interface-name {
(backup | primary);
lacp {
port-priority port-number;
}
}
(auto-negotiation <remote-fault> (local-interface-offline | local-interface-online)
| no-auto-negotiation);
(flow-control | no-flow-control);
ignore-l3-incompletes;
(loopback | no-loopback);
mpls {
pop-all-labels {
required-depth [number];
}
}
redundant-parent interface-name;
source-address-filter mac-address;
}
gratuitous-arp-reply;
hierarchical-scheduler {
maximum-hierarchy-levels 2;
}
hold-time {
down milliseconds;
up milliseconds;
}
keepalives {


down-count number;
interval number;
up-count number;
}
link-mode (full-duplex | half-duplex);
lmi {
lmi-type (ansi | c-lmi | itu);
n391dte number;
n392dce number;
n392dte number;
n393dce number;
n393dte number;
t391dte number;
t392dce number;
}
logical-tunnel-options {
per-unit-mac-disable;
}
mac mac-address;
mtu bytes;
native-vlan-id vlan-id;
no-gratuitous-arp-request;
no-keepalives;
optics-options {
alarm {
low-light-alarm (link-down | syslog);
}
warning {
low-light-warning (link-down | syslog);
}
wavelength wavelength-options;
}
otn-options {
bytes {
transmit-payload-type number;
}
fec (efec | gfec | none);
(laser-enable | no-laser-enable);
(line-loopback | no-line-loopback);
rate (fixed-stuff-bytes | no-fixed-stuff-bytes | pass-thru);
trigger {
oc-lof {
hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
oc-lom {
hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
oc-los {


hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
oc-wavelength-lock {
hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
odu-ais {
hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
odu-bdi {
hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
odu-lck {
hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
odu-oci {
hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
odu-sd {
hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
odu-tca-bbe {
hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
odu-tca-es {


hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
odu-tca-ses {
hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
odu-tca-uas {
hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
odu-ttim {
hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
opu-ptim {
hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
otu-ais {
hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
otu-bdi {
hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
otu-fec-deg {


hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
otu-fec-exe {
hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
otu-iae {
hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
otu-sd {
hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
otu-tca-bbe {
hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
otu-tca-es {
hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
otu-tca-ses {
hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
otu-tca-uas {


hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
otu-ttim {
hold-time {
down milliseconds;
up milliseconds;
}
ignore;
}
}
tti (odu-dapi | odu-expected-receive-dapi | odu-expected-receive-sapi | odu-sapi |
otu-dapi | otu-expected-receive-dapi | otu-expected-receive-sapi | otu-sapi);
}
passive-monitor-mode;
(per-unit-scheduler | no-per-unit-scheduler);
port-mirror-instance;
ppp-options {
chap {
access-profile name;
default-chap-secret secret;
local-name name;
no-rfc2486;
passive;
}
compression {
acfc;
pfc;
}
dynamic-profile (dynamic-profile | junos-default-profile);
lcp-max-conf-req number;
lcp-restart-timer milliseconds;
loopback-clear-timer seconds;
ncp-max-conf-req number;
ncp-restart-timer milliseconds;
no-termination-request;
pap {
access-profile name;
default-password password;
local-name name;
local-password password;
no-rfc2486;
passive;
}
}
promiscuous-mode;
receive-bucket {
overflow {
discard;
tag;
}
rate number;
threshold number;


}
redundant-pseudo-interface-options {
redundancy-group number;
}
satop-options {
excessive-packet-loss-rate {
sample-period milliseconds;
threshold percentage;
}
idle-pattern number;
(jitter-buffer-auto-adjust | jitter-buffer-latency milliseconds | jitter-buffer-packets
number);
payload-size number;
}
speed (10m | 100m | 1g);
stacked-vlan-tagging;
switch-options {
switch-port port-number {
(auto-negotiation | no-auto-negotiation);
cascade-port;
link-mode (full-duplex | half-duplex);
speed (10m | 100m | 1g);
vlan-id number;
}
}
t1-options {
alarm-compliance {
accunet-t1-5-service;
}
bert-algorithm algorithm;
bert-error-rate rate;
bert-period seconds;
buildout value;
byte-encoding (nx56 | nx64);
fcs (16 | 32);
framing (esf | sf);
idle-cycle-flags (flags | ones);
invert-data;
line-encoding (ami | b8zs);
loopback (local | payload | remote);
remote-loopback-respond;
start-end-flag (filler | shared);
timeslots time-slot-range;
}
t3-options {
bert-algorithm algorithm;
bert-error-rate rate;
bert-period seconds;
(cbit-parity | no-cbit-parity);
compatibility-mode {
adtran {
subrate value;
}
digital-link {
subrate value;
}


kentrox {
subrate value;
}
larscom {
subrate value;
}
verilink {
subrate value;
}
}
fcs (16 | 32);
(feac-loop-respond | no-feac-loop-respond);
idle-cycle-flag (flags | ones);
(long-buildout | no-long-buildout);
(loop-timing | no-loop-timing);
loopback (local | payload | remote);
(no-payload-scrambler | payload-scrambler);
(no-unframed | unframed);
start-end-flag (filler | shared);
}
traceoptions {
flag (all | event | ipc | media);
}
transmit-bucket {
overflow {
discard;
}
rate number;
threshold number;
}
(traps | no-traps);
unit unit-number {
accept-source-mac {
mac-address mac-address;
}
accounting-profile name;
arp-resp (restricted | unrestricted);
backup-options {
interface interface-name;
}
bandwidth bandwidth;
description text;
disable;
encapsulation (dix | ether-vpls-fr | frame-relay-ppp | ppp-over-ether | vlan-bridge |
vlan-ccc | vlan-vpls | vlan-tcc);
family {
bridge {
bridge-domain-type (svlan| bvlan);
filter {
group number;
input filter-name;
input-list [filter-name];
output filter-name;
output-list [filter-name];
}
interface-mode (access | trunk);


policer {
input input-policer-name;
output output-policer-name;
}
vlan-id vlan-id;
vlan-id-list [vlan-id];
vlan-rewrite {
translate {
from-vlan-id;
to-vlan-id;
}
}
}
ccc {
filter {
group number;
input filter-name;
input-list [filter-name];
output filter-name;
output-list [filter-name];
}
policer {
input input-policer-name;
output output-policer-name;
}
}
ethernet-switching {
native-vlan-id native-vlan-id;
port-mode (access | tagged-access | trunk);
reflective-relay;
vlan {
members [member-name];
}
}
inet {
accounting {
destination-class-usage;
source-class-usage {
input;
output;
}
}
address (source-address/prefix) {
arp destination-address {
(mac mac-address | multicast-mac multicast-mac-address);
publish publish-address;
}
broadcast address;
preferred;
primary;
vrrp-group group-id {
(accept-data | no-accept-data);
advertise-interval seconds;
advertisements-threshold number;
authentication-key key-value;
authentication-type (md5 | simple);


fast-interval milliseconds;
inet6-advertise-interval milliseconds;
(preempt <hold-time seconds> | no-preempt);
priority value;
track {
interface interface-name {
bandwidth-threshold bandwidth;
priority-cost value;
}
priority-hold-time seconds;
route route-address {
routing-instance routing-instance;
priority-cost value;
}
}
virtual-address [address];
virtual-link-local-address address;
vrrp-inherit-from {
active-group value;
active-interface interface-name;
}
}
web-authentication {
http;
https;
redirect-to-https;
}
}
dhcp {
client-identifier {
(ascii string | hexadecimal string);
}
lease-time (length | infinite);
retransmission-attempt value;
retransmission-interval seconds;
server-address server-address;
update-server;
vendor-id vendor-id;
}
dhcp-client {
client-identifier {
prefix {
host-name;
logical-system-name;
routing-instance-name;
}
use-interface-description (device | logical);
user-id (ascii string | hexadecimal string);
}
lease-time (length | infinite);
retransmission-attempt value;
retransmission-interval seconds;
server-address server-address;
update-server;
vendor-id vendor-id;
}


filter {
group number;
input filter-name;
input-list [filter-name];
output filter-name;
output-list [filter-name];
}
mtu value;
no-neighbor-learn;
no-redirects;
policer {
arp arp-name;
input input-name;
output output-name;
}
primary;
rpf-check {
fail-filter filter-name;
mode {
loose;
}
}
sampling {
input;
output;
simple-filter;
}
targeted-broadcast {
(forward-and-send-to-re | forward-only);
}
unnumbered-address {
interface-name;
preferred-source-address preferred-source-address;
}
}
inet6 {
accounting {
destination-class-usage;
source-class-usage {
input;
output;
}
}
address source-address/prefix {
eui-64;
ndp address {
(mac mac-address | multicast-mac multicast-mac-address);
publish;
}
preferred;
primary;
vrrp-inet6-group group_id {
(accept-data | no-accept-data);
advertisements-threshold number;
authentication-key value;
authentication-type (md5 | simple);


fast-interval milliseconds;
inet6-advertise-interval milliseconds;
(preempt <hold-time seconds>| no-preempt );
priority value;
track {
interface interface-name {
bandwidth-threshold value;
priority-cost value;
}
priority-hold-time seconds;
route route-address{
routing-instance routing-instance;
}
}
virtual-inet6-address [address];
virtual-link-local-address address;
vrrp-inherit-from {
active-group value;
active-interface interface-name;
}
}
web-authentication {
http;
https;
redirect-to-https;
}
}
(dad-disable | no-dad-disable);
dhcpv6-client {
client-ia-type (ia-na | ia-pd);
client-identifier duid-type (duid-ll | duid-llt | vendor);
client-type (autoconfig | stateful);
rapid-commit;
req-option (dns-server | domain | fqdn | nis-domain | nis-server | ntp-server |
sip-domain | sip-server |time-zone | vendor-spec);
retransmission-attempt number;
update-router-advertisement {
interface interface-name;
}
update-server;
}
filter {
group number;
input filter-name;
input-list [filter-name];
output filter-name;
output-list [filter-name];
}
mtu value;
nd6-stale-time seconds;
no-neighbor-learn;
policer {
input input-name;
output output-name;
}
rpf-check {


fail-filter filter-name;
mode {
loose;
}
}
sampling {
input;
output;
}
unnumbered-address {
interface-name;
preferred-source-address preferred-source-address;
}
}
iso {
address source-address;
mtu value;
}
mlfr-end-to-end {
bundle bundle-name;
}
mlfr-uni-nni {
bundle bundle-name;
}
mlppp {
bundle bundle-name;
}
mpls {
filter {
group number;
input filter-name;
input-list [filter-name];
output filter-name;
output-list [filter-name];
}
mtu mtu-value;
policer {
input input-name;
output output-name;
}
}
tcc {
policer {
input input-name;
output output-name;
}
proxy {
inet-address inet-address;
}
remote {
inet-address inet-address;
mac-address mac-address;
}
}
vpls {
filter {


group number;
input filter-name;
input-list [filter-name];
output filter-name;
output-list [filter-name];
}
policer {
input input-name;
output output-name;
}
}
}
input-vlan-map {
inner-tag-protocol-id tpid;
inner-vlan-id number ;
(pop | push | swap);
tag-protocol-id tpid;
vlan-id number;
}
interface-shared-with {
psd-name;
}
native-inner-vlan-id value;
(no-traps | traps);
output-vlan-map {
inner-tag-protocol-id tpid;
inner-vlan-id number;
(pop | push | swap);
tag-protocol-id tpid;
vlan-id number;
}
ppp-options {
chap {
access-profile name;
default-chap-secret name;
local-name name;
no-rfc2486;
passive;
}
dynamic-profile profile-name;
lcp-max-conf-req number;
lcp-restart-timer milliseconds;
loopback-clear-timer seconds;
ncp-max-conf-req number;
ncp-restart-timer milliseconds;
no-termination-request;
pap {
access-profile name;
default-password password;
local-name name;
local-password password;
no-rfc2486;
passive;
}
}
proxy-arp (restricted | unrestricted);


radio-router {
bandwidth number;
credit {
interval number;
}
data-rate number;
latency number;
quality number;
resource number;
threshold number;
}
swap-by-poppush;
traps;
vlan-id vlan-id;
vlan-id-list [vlan-id];
vlan-id-range vlan-id1-vlan-id2;
vlan-tags {
(inner vlan-id | inner-range vlan-id1-vlan-id2);
inner-list [vlan-id];
outer vlan-id;
}
}
vlan-tagging;
}
}

Related Documentation • Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Junos OS Interfaces Library for Security Devices
• Administration Guide for Security Devices

Groups Configuration Statement Hierarchy

Supported Platforms J Series, LN Series, SRX Series

Use the statements in the groups configuration hierarchy to define configuration statements once, under a named group, and then apply them elsewhere in the configuration with the apply-groups statement. Statements in an applied group are inherited by the hierarchy they are applied to, and a group can contain wildcards so that one definition covers many interfaces or other named objects.

groups {
group-name {
configuration-data;
}
}

Related Documentation • CLI User Guide


address-assignment (Access)

Supported Platforms J Series, LN Series, SRX Series

Syntax address-assignment {
abated-utilization percentage;
abated-utilization-v6 percentage;
high-utilization percentage;
high-utilization-v6 percentage;
neighbor-discovery-router-advertisement ndra-name;
pool pool-name {
family {
inet {
dhcp-attributes {
boot-file boot-file-name;
boot-server boot-server-name;
domain-name domain-name;
grace-period seconds;
maximum-lease-time (seconds | infinite);
name-server ipv4-address;
netbios-node-type (b-node | h-node | m-node | p-node);
next-server next-server-name;
option dhcp-option-identifier-code {
array {
byte [8-bit-value];
flag [ false| off |on |true];
integer [32-bit-numeric-values];
ip-address [ip-address];
short [signed-16-bit-numeric-value];
string [character string value];
unsigned-integer [unsigned-32-bit-numeric-value];
unsigned-short [16-bit-numeric-value];
}
byte 8-bit-value;
flag (false | off | on | true);
integer 32-bit-numeric-values;
ip-address ip-address;
short signed-16-bit-numeric-value;
string character string value;
unsigned-integer unsigned-32-bit-numeric-value;
unsigned-short 16-bit-numeric-value;
}
option-match {
option-82 {
circuit-id match-value {
range range-name;
}
remote-id match-value;
range range-name;
}
}
}
propagate-ppp-settings [interface-name];
propagate-settings interface-name;
router ipv4-address;


server-identifier ip-address;
sip-server {
ip-address ipv4-address;
name sip-server-name;
}
tftp-server server-name;
wins-server ipv4-address;
}
host hostname {
hardware-address mac-address;
ip-address reserved-address;
}
network network address;
range range-name {
high upper-limit;
low lower-limit;
}
xauth-attributes {
primary-dns ip-address;
primary-wins ip-address;
secondary-dns ip-address;
secondary-wins ip-address;
}
}
inet6 {
dhcp-attributes {
dns-server ipv6-address;
grace-period seconds;
maximum-lease-time (seconds | infinite);
option dhcp-option-identifier-code {
array {
byte [8-bit-value];
flag [ false| off |on |true];
integer [32-bit-numeric-values];
ip-address [ip-address];
short [signed-16-bit-numeric-value];
string [character string value];
unsigned-integer [unsigned-32-bit-numeric-value];
unsigned-short [16-bit-numeric-value];
}
byte 8-bit-value;
flag (false | off | on | true);
integer 32-bit-numeric-values;
ip-address ip-address;
short signed-16-bit-numeric-value;
string character string value;
unsigned-integer unsigned-32-bit-numeric-value;
unsigned-short 16-bit-numeric-value;
}
propagate-ppp-settings [interface-name];
sip-server-address ipv6-address;
sip-server-domain-name domain-name;
}
prefix ipv6-network-prefix;
range range-name {
high upper-limit;


low lower-limit;
prefix-length delegated-prefix-length;
}
}
link pool-name;
}
}

Hierarchy Level [edit access]

Release Information Statement introduced in Junos OS Release 10.4.

Description The address-assignment pool feature enables you to create IPv4 and IPv6 address pools
that different client applications can share. For example, multiple client applications,
such as DHCPv4 or DHCPv6, can use an address-assignment pool to provide addresses
for their particular clients.

Required Privilege Level access—To view this statement in the configuration.
access-control—To add this statement to the configuration.

Related Documentation • Dynamic VPN Feature Guide for SRX Series Gateway Devices
• Administration Guide for Security Devices


address-pool (Access)

Supported Platforms J Series, LN Series, SRX Series

Syntax address-pool pool-name {
address address-or-address-prefix;
address-range {
high upper-limit;
low lower-limit;
mask network-mask;
}
primary-dns name;
primary-wins name;
secondary-dns name;
secondary-wins name;
}

Hierarchy Level [edit access]

Release Information Statement introduced in Release 10.4 of Junos OS.

Description Create an address-pool for L2TP clients.

Options • pool-name—Name assigned to the address-pool.

• address—Configure subnet information for the address-pool.

• address-range—Defines the address range available for clients.

• primary-dns—Specify the primary-dns IP address.

• secondary-dns—Specify the secondary-dns IP address.

• primary-wins—Specify the primary-wins IP address.

• secondary-wins—Specify the secondary-wins IP address.

Required Privilege Level access—To view this statement in the configuration.
access-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices


allow-configuration

Supported Platforms SRX Series

Syntax allow-configuration "regular-expression";

Hierarchy Level [edit system login class class-name]

Release Information Statement introduced before Junos OS Release 7.4.
Statement introduced in Junos OS Release 11.2 for SRX Series devices.

Description Explicitly allow configuration access to the specified levels in the hierarchy even if the
permissions set with the permissions statement do not grant such access by default.

Default If you omit this statement and the deny-configuration statement, users can edit only
those commands for which they have access privileges through the permissions statement.

Options regular-expression—Extended (modern) regular expression as defined in POSIX 1003.2. If the regular expression contains any spaces, operators, or wildcard characters, enclose it in quotation marks.

Required Privilege Level admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.

Related Documentation • System Configuration Statement Hierarchy on page 199
• Administration Guide for Security Devices


allow-configuration-regexps

Supported Platforms SRX Series

Syntax allow-configuration-regexps "regular expression 1" "regular expression 2";

Hierarchy Level [edit system login class class-name]

Release Information Statement introduced in Junos OS Release 11.2.
Statement introduced in Junos OS Release 11.2 for SRX Series devices.

Description Explicitly allow configuration access to the hierarchies matched by the regular expressions, even if the permissions set with the permissions statement do not grant that access.

The deny-configuration-regexps statement takes precedence if it is used in the same login class definition.

Default If you do not configure this statement or the deny-configuration-regexps statement, users
can edit only those commands for which they have access privileges set with the
permissions statement.

Options regular expression—Extended (modern) regular expression as defined in POSIX 1003.2. If the regular expression contains any spaces, operators, or wildcard characters, enclose it in quotation marks.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • System Configuration Statement Hierarchy on page 199
• Administration Guide for Security Devices


authentication-key

Supported Platforms SRX Series

Syntax authentication-key key-number type md5 value <password>;

Hierarchy Level [edit system ntp]

Release Information Statement introduced before Junos OS Release 7.4.

Description Configure Network Time Protocol (NTP) authentication keys so that the SRX Series
device can send authenticated packets. If you configure the SRX Series device to operate
in authenticated mode, you must configure a key.

Both the keys and the authentication scheme (MD5) must be identical between a set of
peers sharing the same key number.

Options key-number—Positive integer that identifies the key.

type md5—Authentication type. It can only be md5.

value password—The key itself, which can be from 1 through 8 ASCII characters. If the key
contains spaces, enclose it in quotation marks.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • ntp on page 173
• Administration Guide for Security Devices


authentication-order

Supported Platforms EX Series, M Series, SRX Series, T Series

Syntax authentication-order [ authentication-methods ];

Hierarchy Level [edit system]

Release Information Statement introduced before Junos OS Release 7.4.
Statement introduced in Junos OS Release 9.0 for EX Series switches.

Description Configure the order in which the software tries the configured user authentication methods when authenticating a user. For each login attempt, the software tries the methods in the listed order, starting with the first, until one of them accepts the password; if a method rejects the attempt or its servers do not respond, the next method in the list is tried.

Default If you do not include the authentication-order statement, users are verified against their locally configured passwords. When password is omitted from the list and every configured RADIUS or TACACS+ server is unreachable, the software still falls back to the local password, so listing only remote methods does not disable local password logins during a server outage.

Options authentication-methods—One or more authentication methods, listed in the order in which they should be tried. The method can be one or more of the following:

• password—Use the password configured for the user with the authentication statement
at the [edit system login user] hierarchy level.

• radius—Use RADIUS authentication services.

• tacplus—Use TACACS+ authentication services.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.
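A worked configuration that tries RADIUS first and falls back to the local password, added here as an example; it is not taken from this guide. The RADIUS server address, its shared secret, and the use of the remote template account are assumptions made for the example:

```junos
system {
    /* RADIUS is asked first; the local password is tried only if RADIUS rejects or does not answer */
    authentication-order [ radius password ];
    radius-server {
        192.0.2.20 {
            secret "radius-shared-secret"; ## SECRET-DATA
            timeout 5;
            retry 3;
        }
    }
    login {
        /* template account for RADIUS-authenticated users who have no local user entry of their own */
        user remote {
            uid 2000;
            class operator;
        }
    }
}
```

After commit, test a login with a RADIUS account and one with a local account, and check which method accepted each in the messages log. To refuse local passwords while RADIUS is up, set authentication-order [ radius ] only; the local password is still consulted when every configured server is unreachable, so local accounts need strong passwords even when they are meant to be unused.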


boot-server (NTP)

Supported Platforms SRX Series

Syntax boot-server (address | hostname);

Hierarchy Level [edit system ntp]

Release Information Statement introduced before Junos OS Release 7.4.

Description Configure the server that NTP queries when the SRX Series device boots to determine
the local date and time.

When you boot the SRX Series device, it issues an ntpdate request, which polls a network
server to determine the local date and time. You need to configure a server that the SRX
Series device uses to determine the time when the SRX Series device boots. You can
configure either an IP address or a hostname for the boot server. If you configure a
hostname instead of an IP address, the ntpdate request resolves the hostname to an IP
address when the SRX Series device boots up.

If you configure an NTP boot server, then when the SRX Series device boots, it immediately
synchronizes with the boot server even if the NTP process is explicitly disabled or if the
time difference between the client and the boot server exceeds the threshold value of
1000 seconds.

Options • address—The IP address of an NTP boot server.

• hostname—The hostname of an NTP boot server.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • ntp on page 173
• Administration Guide for Security Devices


broadcast

Supported Platforms SRX Series

Syntax broadcast address <key key-number> <routing-instance-name routing-instance-name> <ttl value> <version value>;

Hierarchy Level [edit system ntp]

Release Information Statement introduced before Junos OS Release 7.4.

Description Configure the SRX Series device to operate in broadcast mode with the remote system
at the specified address. In this mode, the SRX Series device sends periodic broadcast
messages to a client population at the specified broadcast or multicast address. Normally,
you include this statement only when the SRX Series device is operating as a transmitter.

Options address—The broadcast address on one of the local networks or a multicast address
assigned to NTP. You must specify an address, not a hostname. If the multicast
address is used, it must be 224.0.1.1.

key key-number—(Optional) All packets sent to the address include authentication fields
that are encrypted using the specified key number.
Range: Any unsigned 32-bit integer

routing-instance-name routing-instance-name—(Optional) The routing instance name in which the interface has an address in the broadcast subnet.
Default: The default routing instance is used to broadcast packets.

ttl value—(Optional) Time-to-live (TTL) value to use.
Range: 1 through 255
Default: 1

version value—(Optional) Specify the version number to be used in outgoing NTP packets.
Range: 1 through 4
Default: 4

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • ntp on page 173
• Administration Guide for Security Devices


broadcast-client

Supported Platforms SRX Series

Syntax broadcast-client;

Hierarchy Level [edit system ntp]

Release Information Statement introduced before Junos OS Release 7.4.

Description Configure the SRX Series device to listen for broadcast messages on the local network
to discover other servers on the same subnet.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • ntp on page 173
• Administration Guide for Security Devices
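The authentication-key, boot-server, broadcast, and broadcast-client statements above fit together as follows. This is an added example, not configuration from this guide; the server addresses and the key value are assumptions, and the trusted-key and server statements are taken from the [edit system ntp] hierarchy referenced under ntp on page 173:

```junos
system {
    ntp {
        /* queried once at boot (the ntpdate step) to set the clock before the NTP process runs */
        boot-server 192.0.2.10;
        /* shared secret, 1 through 8 ASCII characters; the peers must hold the same value under key number 1 */
        authentication-key 1 type md5 value "s3cr3tk1"; ## SECRET-DATA
        /* only key numbers listed here are accepted when server responses are checked */
        trusted-key 1;
        /* each server is bound to key 1, so unauthenticated or wrongly keyed responses are discarded */
        server 192.0.2.10 key 1 prefer;
        server 192.0.2.11 key 1;
    }
}
```

Verify with show ntp associations (the selected source is marked with an asterisk) and show ntp status. Only the ongoing server associations are protected by the key; the boot-server query is a one-off, so point it at the same host you trust as a server. broadcast-client is deliberately left out: it takes time announcements from any host on the local subnet, so if you do enable it, keep the trusted-key configuration in place and use it only on segments you control.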

client-ia-type

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax client-ia-type (ia-na | ia-pd);

Hierarchy Level [edit interfaces interface-name unit logical-unit-number family family dhcpv6-client]

Release Information Statement introduced in Junos OS Release 12.1X45-D10.

Description Configure the DHCPv6 client identity association type.

Options ia-na—Identity association for nontemporary address (IA_NA)

ia-pd—Identity association for prefix delegation (IA_PD)

Required Privilege Level interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices


client-identifier (dhcp-client)

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax client-identifier {
prefix {
host-name;
logical-system-name;
routing-instance-name;
}
use-interface-description (device | logical);
user-id (ascii string | hexadecimal string);
}

Hierarchy Level [edit interfaces interface-name unit logical-unit-number family family dhcp-client]

Release Information Statement introduced in Junos OS Release 12.1X44-D10.

Description Configure the client identifier (DHCP option 61) that the device presents to the DHCP server. The server uses this value to distinguish clients and to bind address reservations to them.

Options The remaining statements are explained separately.

Required Privilege Level interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices

client-identifier (dhcpv6-client)

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax client-identifier duid-type (duid-ll | duid-llt | vendor);

Hierarchy Level [edit interfaces interface-name unit logical-unit-number family family dhcpv6-client]

Release Information Statement introduced in Junos OS Release 12.1X45-D10.

Description The DHCPv6 server identifies a client by a client-identifier value.

Options duid-type—The DHCPv6 client is identified by a DHCP unique identifier (DUID).

duid-ll—Link Layer address.

duid-llt—Link Layer address plus time.

vendor—Vendor-assigned unique ID based on the enterprise number.

Required Privilege Level interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices


client-list-name (SNMP)

Supported Platforms J Series, LN Series, SRX Series

Syntax client-list-name client-list-name;

Hierarchy Level [edit snmp community community-name]

Release Information Statement introduced in Release 8.5 of Junos OS.

Description Specify the name of the list of SNMP network management system (NMS) clients that are authorized to collect information about network operations. Requests from addresses outside the list are rejected. You cannot use an SNMP client list and individually configured SNMP clients in the same configuration.

Options client-list-name—Name of the client list, which is the list of IP address prefixes defined with the prefix-list statement at the [edit policy-options] hierarchy level.

Required Privilege Level snmp—To view this statement in the configuration.
snmp-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices
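The client list described above, restricting a read-only community to the management stations' prefix. This is an added example rather than configuration from this guide; the prefix, the community string, the zone name, and the interface are assumptions:

```junos
policy-options {
    /* only these source prefixes may poll the device; the same list can be reused in a firewall filter */
    prefix-list nms-hosts {
        192.0.2.0/28;
    }
}
snmp {
    community "mon-ro-9f2c" {
        authorization read-only;
        /* requests from any address outside nms-hosts are dropped by the SNMP process */
        client-list-name nms-hosts;
    }
}
security {
    zones {
        security-zone mgmt {
            interfaces {
                ge-0/0/0.0 {
                    /* the zone must also admit SNMP as a host-inbound service or no request reaches the agent */
                    host-inbound-traffic {
                        system-services {
                            snmp;
                        }
                    }
                }
            }
        }
    }
}
```

Check with show snmp statistics while polling from a listed and an unlisted host: only the listed host should see responses. The community string still travels in cleartext with SNMPv1 and SNMPv2c, so the list limits who can use it, not who can read it.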

client-type

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax client-type (autoconfig | stateful);

Hierarchy Level [edit interfaces interface-name unit logical-unit-number family family dhcpv6-client]

Release Information Statement introduced in Junos OS Release 12.1X45-D10.

Description The type of DHCPv6 client.

Options • autoconfig—Autoconfig client type for router advertisement

• statefull— Stateful client type for address assignment

Required Privilege Level interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices


deny-configuration

Supported Platforms SRX Series

Syntax deny-configuration "regular-expression";

Hierarchy Level [edit system login class]

Release Information Statement introduced before Junos OS Release 7.4.
Statement introduced in Junos OS Release 11.2 for SRX Series devices.

Description Explicitly deny configuration access to the specified levels in the hierarchy even if the
permissions set with the permissions statement grant such access by default.

Default If you omit this statement and the allow-configuration statement, users can edit those
levels in the configuration hierarchy for which they have access privileges through the
permissions statement.

Options regular-expression—Extended (modern) regular expression as defined in POSIX 1003.2. If the regular expression contains any spaces, operators, or wildcard characters, enclose it in quotation marks.

Required Privilege Level admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.

Related Documentation • System Configuration Statement Hierarchy on page 199
• Administration Guide for Security Devices


deny-configuration-regexps

Supported Platforms SRX Series

Syntax deny-configuration-regexps "regular expression 1" "regular expression 2";

Hierarchy Level [edit system login class class-name]

Release Information Statement introduced in Junos OS Release 11.2.
Statement introduced in Junos OS Release 11.2 for SRX Series devices.

Description Explicitly deny configuration access to the hierarchies matched by the regular expressions, even if the permissions set with the permissions statement grant that access.

Expressions configured with this statement take precedence over allow-configuration-regexps if the two statements are used in the same login class definition.

Default If you do not configure this statement or the allow-configuration-regexps statement, users can edit only those hierarchies for which they have access privileges set with the permissions statement.

Options regular expression—Extended (modern) regular expression as defined in POSIX 1003.2. If the regular expression contains any spaces, operators, or wildcard characters, enclose it in quotation marks.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • System Configuration Statement Hierarchy on page 199
• Administration Guide for Security Devices
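A login class that uses allow-configuration-regexps and deny-configuration-regexps together, showing both the widening beyond permissions and the deny-wins precedence described above (the same precedence holds for allow-configuration and deny-configuration). This is an added example, not configuration from this guide; the class and user names, the password, and the choice of ge-0/0/0 as the uplink to protect are assumptions:

```junos
system {
    login {
        class netops-limited {
            /* permissions alone only let the user enter configuration mode and view it */
            permissions [ configure view view-configuration ];
            /* allow widens access: these hierarchies become editable although permissions do not grant them */
            allow-configuration-regexps [ "interfaces .*" "routing-options static .*" ];
            /* deny wins over allow where both match: the uplink and everything under system stay read-only,
               so the user cannot edit accounts, classes, services, or authentication-order to escalate */
            deny-configuration-regexps [ "interfaces ge-0/0/0 .*" "system .*" ];
        }
        user alice {
            uid 2001;
            class netops-limited;
            authentication {
                plain-text-password-value "ChangeMe-2016!"; ## SECRET-DATA
            }
        }
    }
}
```

Log in as the user and run show cli authorization to see the effective allow and deny expressions, then try edit interfaces ge-0/0/1 (permitted) and edit interfaces ge-0/0/0 (refused). The expressions match the hierarchy path written as space-separated keywords, as in show configuration output. These statements govern configuration mode only; operational commands are controlled separately by allow-commands and deny-commands in the same class.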


dhcp-attributes (Access IPv4 Address Pools)

Supported Platforms J Series, LN Series, SRX Series

Syntax dhcp-attributes {
boot-file boot-file-name;
boot-server boot-server-name;
domain-name domain-name;
grace-period seconds;
maximum-lease-time (seconds | infinite);
name-server ipv4-address;
netbios-node-type (b-node | h-node | m-node | p-node);
next-server next-server-name;
option dhcp-option-identifier-code {
array {
byte [8-bit-value];
flag [ false| off |on |true];
integer [32-bit-numeric-values];
ip-address [ip-address];
short [signed-16-bit-numeric-value];
string [character string value];
unsigned-integer [unsigned-32-bit-numeric-value];
unsigned-short [16-bit-numeric-value];
}
byte 8-bit-value;
flag (false | off | on | true);
integer 32-bit-numeric-values;
ip-address ip-address;
short signed-16-bit-numeric-value;
string character string value;
unsigned-integer unsigned-32-bit-numeric-value;
unsigned-short 16-bit-numeric-value;
}
option-match {
option-82 {
circuit-id match-value {
range range-name;
}
remote-id match-value;
range range-name;
}
}
}
propagate-ppp-settings [interface-name];
propagate-settings interface-name;
router ipv4-address;
server-identifier ip-address;
sip-server {
ip-address ipv4-address;
name sip-server-name;
}
tftp-server server-name;
wins-server ipv4-address;
}


Hierarchy Level [edit access address-assignment pool pool-name family inet]

Release Information Statement introduced in Release 10.4 of Junos OS.

Description Configure attributes for IPv4 address pools that can be used by different clients. The
DHCP attributes for this statement uses standard IPv4 DHCP options.

Required Privilege Level access—To view this statement in the configuration.
access-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices


dhcp-attributes (Access IPv6 Address Pools)

Supported Platforms J Series, LN Series, SRX Series

Syntax dhcp-attributes {
dns-server ipv6-address;
grace-period seconds;
maximum-lease-time (seconds | infinite);
option dhcp-option-identifier-code {
array {
byte [8-bit-value];
flag [ false| off |on |true];
integer [32-bit-numeric-values];
ip-address [ip-address];
short [signed-16-bit-numeric-value];
string [character string value];
unsigned-integer [unsigned-32-bit-numeric-value];
unsigned-short [16-bit-numeric-value];
}
byte 8-bit-value;
flag (false | off | on | true);
integer 32-bit-numeric-values;
ip-address ip-address;
short signed-16-bit-numeric-value;
string character string value;
unsigned-integer unsigned-32-bit-numeric-value;
unsigned-short 16-bit-numeric-value;
}
propagate-ppp-settings [interface-name];
sip-server-address ipv6-address;
sip-server-domain-name domain-name;
}

Hierarchy Level [edit access address-assignment pool pool-name family inet6]

Release Information Statement introduced in Release 10.4 of Junos OS.

Description Configure attributes for address pools that can be used by different clients.

Options • dns-server ipv6-address—Specify a DNS server to which clients can send DNS queries.

• grace-period seconds—Specify the grace period offered with the lease.
Range: 0 through 4,294,967,295 seconds
Default: 0 (no grace period)

• maximum-lease-time seconds—Specify the maximum length of time in seconds for which a client can request and hold a lease on a DHCP server.
Range: 30 through 4,294,967,295 seconds
Default: 86,400 seconds (24 hours)

• option dhcp-option-identifier-code—Specify the DHCP option identifier code.


• propagate-ppp-settings [interface-name]—Specify the PPP interface names for propagating DNS or WINS settings.

• sip-server-address ipv6-address—Specify the IPv6 address of the SIP outbound proxy server.

• sip-server-domain-name domain-name—Specify the domain name of the SIP outbound proxy server.

Required Privilege Level access—To view this statement in the configuration.
access-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices
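The address-assignment pool and its IPv4 and IPv6 dhcp-attributes (pages 128 through 145) in use, with the pools served by dhcp-local-server on one LAN interface. This is an added example rather than configuration from this guide; the addresses, names, the interface, and the zone are assumptions, and the interface and zone stanzas are included because the pool is selected by matching the interface's subnet and the SRX zone must admit DHCP as a host-inbound service:

```junos
interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.10.1/24;
            }
            family inet6 {
                address 2001:db8:10::1/64;
            }
        }
    }
}
access {
    address-assignment {
        pool lan-v4 {
            family inet {
                /* the local server picks this pool because network matches the ge-0/0/1.0 subnet */
                network 192.168.10.0/24;
                range clients {
                    low 192.168.10.100;
                    high 192.168.10.199;
                }
                /* fixed lease keyed on the client MAC; the reserved address sits outside the dynamic range */
                host printer1 {
                    hardware-address 00:00:5e:00:53:01;
                    ip-address 192.168.10.20;
                }
                dhcp-attributes {
                    router 192.168.10.1;
                    name-server 192.168.10.1;
                    domain-name example.net;
                    maximum-lease-time 86400;
                    grace-period 300;
                    /* raw option 42 (NTP servers) carried as an ip-address array */
                    option 42 array ip-address [ 192.168.10.1 192.168.10.2 ];
                }
            }
        }
        pool lan-v6 {
            family inet6 {
                prefix 2001:db8:10::/64;
                range clients {
                    low 2001:db8:10::100;
                    high 2001:db8:10::1ff;
                }
                dhcp-attributes {
                    dns-server 2001:db8:10::1;
                    maximum-lease-time 86400;
                }
            }
        }
    }
}
system {
    services {
        dhcp-local-server {
            group lan {
                interface ge-0/0/1.0;
            }
            dhcpv6 {
                group lan6 {
                    interface ge-0/0/1.0;
                }
            }
        }
    }
}
security {
    zones {
        security-zone trust {
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            dhcpv6;
                        }
                    }
                }
            }
        }
    }
}
```

Check leases with show dhcp server binding and show dhcpv6 server binding. IPv6 hosts only ask a DHCPv6 server when router advertisements on the LAN tell them to, so the interface also needs a router-advertisement configuration with the managed-configuration flag under protocols. Keep reservations outside the dynamic range: a reserved address inside it can be handed to another client before the reserved host asks for it.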

dhcp-client

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax dhcp-client {
client-identifier {
prefix {
host-name;
logical-system-name;
routing-instance-name;
}
use-interface-description (device | logical);
user-id (ascii string| hexadecimal string);
}
lease-time (length | infinite);
retransmission-attempt value;
retransmission-interval seconds;
server-address server-address;
update-server;
vendor-id vendor-id ;
}

Hierarchy Level [edit interfaces interface-name unit logical-unit-number family family]

Release Information Statement introduced in Junos OS Release 12.1X44-D10.

Description Configure the Dynamic Host Configuration Protocol (DHCP) client.

Options The remaining statements are explained separately.

Required Privilege Level interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices


dhcpv6-client

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax dhcpv6-client {
client-ia-type (ia-na | ia-pd);
client-identifier duid-type (duid-ll | duid-llt | vendor);
client-type (autoconfig | stateful);
rapid-commit;
req-option (dns-server | domain | fqdn | nis-domain | nis-server | ntp-server | sip-domain
| sip-server |time-zone | vendor-spec);
retransmission-attempt number;
update-router-advertisement {
interface interface-name;
}
update-server;
}

Hierarchy Level [edit interfaces interface-name unit logical-unit-number family family]

Release Information Statement introduced in Junos OS Release 12.1X45-D10.

Description Configure the Dynamic Host Configuration Protocol version 6 (DHCPv6) client.

Options The remaining options are explained separately.

Required Privilege Level interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices
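The dhcp-client and dhcpv6-client statements, together with client-identifier, client-ia-type, and client-type from the preceding pages, on an uplink interface that obtains an IPv4 address and a delegated IPv6 prefix. This is an added example, not configuration from this guide; the interface names, the identifier and vendor strings, the timer values, and the zone are assumptions, and the router-advertisement and zone stanzas are added because the delegated prefix is only advertised to the LAN when router advertisements are enabled there and because the SRX zone must admit DHCP replies:

```junos
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                dhcp-client {
                    client-identifier {
                        /* option 61 is the host name followed by the user-id, so the upstream server can pin a reservation */
                        prefix {
                            host-name;
                        }
                        user-id ascii branch-fw-01;
                    }
                    lease-time 3600;
                    retransmission-attempt 6;
                    retransmission-interval 4;
                    vendor-id Juniper-srx;
                    /* push the learned DNS and domain settings to the local DHCP server for LAN clients */
                    update-server;
                }
            }
            family inet6 {
                dhcpv6-client {
                    client-type stateful;
                    /* request a delegated prefix (IA_PD) rather than a single address (IA_NA) */
                    client-ia-type ia-pd;
                    client-identifier duid-type duid-ll;
                    req-option dns-server;
                    req-option domain;
                    rapid-commit;
                    retransmission-attempt 6;
                    /* advertise the delegated prefix on the LAN side */
                    update-router-advertisement {
                        interface ge-0/0/1.0;
                    }
                    update-server;
                }
            }
        }
    }
}
protocols {
    router-advertisement {
        interface ge-0/0/1.0;
    }
}
security {
    zones {
        security-zone untrust {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            dhcpv6;
                        }
                    }
                }
            }
        }
    }
}
```

Verify with show dhcp client binding and show dhcpv6 client binding. Because update-server forwards the upstream server's DNS and domain to LAN clients, whoever answers DHCP on the untrust segment can set the resolver for the whole LAN; leave update-server off where the upstream link is not trusted, and configure name-server in the local pool instead.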


dhcp-local-server (System Services)

Supported Platforms J Series, LN Series, SRX Series

Syntax dhcp-local-server {
dhcpv6 {
authentication {
password password;
username-include {
circuit-type;
client-id;
delimiter delimiter-character;
domain-name domain-name;
interface-name;
logical-system-name;
relay-agent-interface-id;
relay-agent-remote-id;
relay-agent-subscriber-id;
routing-instance-name;
user-prefix user-prefix;
}
}
dynamic-profile {
profile-name;
aggregate-clients {
merge;
replace;
}
junos-default-profile;
use-primary dynamic-profile-name;
}
group group-name {
authentication {
password password;
username-include {
circuit-type;
client-id;
delimiter delimiter-character;
domain-name domain-name;
interface-name;
logical-system-name;
relay-agent-interface-id;
relay-agent-remote-id;
relay-agent-subscriber-id;
routing-instance-name;
user-prefix user-prefix;
}
}
dynamic-profile {
profile-name;
aggregate-clients {
merge;
replace;
}
junos-default-profile;
use-primary dynamic-profile;
}
interface interface-name {
dynamic-profile {
profile-name;
aggregate-clients {
merge;
replace;
}
junos-default-profile;
use-primary dynamic-profile-name;
}
exclude;
overrides {
delegated-pool pool-name;
interface-client-limit number;
process-inform {
pool pool-name;
}
rapid-commit;
}
service-profile service-profile-name;
trace;
upto interface-name;
}
liveness-detection {
failure-action {
clear-binding;
clear-binding-if-interface-up;
log-only;
}
method {
bfd {
detection-time {
threshold milliseconds;
}
holddown-interval interval;
minimum-interval milliseconds;
minimum-receive-interval milliseconds;
multiplier number;
no-adaptation;
session-mode (automatic | multihop | single-hop);
transmit-interval {
minimum-interval milliseconds;
threshold milliseconds;
}
version (0 | 1 | automatic);
}
}
overrides {
delegated-pool pool-name;
interface-client-limit number;
process-inform {
pool pool-name;
}
rapid-commit;
}
reconfigure {
attempts number;
clear-on-abort;
strict;
timeout number;
token token-name;
trigger {
radius-disconnect;
}
}
service-profile service-profile-name;
}
liveness-detection {
failure-action {
clear-binding;
clear-binding-if-interface-up;
log-only;
}
method {
bfd {
detection-time {
threshold milliseconds;
}
holddown-interval interval;
minimum-interval milliseconds;
minimum-receive-interval milliseconds;
multiplier number;
no-adaptation;
session-mode (automatic | multihop | single-hop);
transmit-interval {
minimum-interval milliseconds;
threshold milliseconds;
}
version (0 | 1 | automatic);
}
}
overrides {
delegated-pool pool-name;
interface-client-limit number;
process-inform {
pool pool-name;
}
rapid-commit;
}
reconfigure {
attempts number;
clear-on-abort;
strict;
timeout number;
token token-name;
trigger {
radius-disconnect;
}
}
service-profile service-profile-name;
}
group group-name {
interface interface-name {
exclude;
upto upto-interface-name;
}
}
}

Hierarchy Level [edit system services]

Release Information Statement introduced in Release 10.4 of Junos OS.

Description Configure the DHCP local server for DHCPv6, forwarding of snooped (unicast) packets, and tracing options.

NOTE: SRX Series and J Series devices do not support client authentication.

Options The remaining statements are explained separately.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices


dhcpv6 (System Services)

Supported Platforms J Series, LN Series, SRX Series

Syntax dhcpv6 {
authentication {
password password;
username-include {
circuit-type;
client-id;
delimiter delimiter-character;
domain-name domain-name;
interface-name;
logical-system-name;
relay-agent-interface-id;
relay-agent-remote-id;
relay-agent-subscriber-id;
routing-instance-name;
user-prefix user-prefix;
}
}
dynamic-profile {
profile-name;
aggregate-clients {
merge;
replace;
}
junos-default-profile;
use-primary dynamic-profile-name;
}
group group-name {
authentication {
password password;
username-include {
circuit-type;
client-id;
delimiter delimiter-character;
domain-name domain-name;
interface-name;
logical-system-name;
relay-agent-interface-id;
relay-agent-remote-id;
relay-agent-subscriber-id;
routing-instance-name;
user-prefix user-prefix;
}
}
dynamic-profile {
profile-name;
aggregate-clients {
merge;
replace;
}
junos-default-profile;
use-primary dynamic-profile;
}
interface interface-name {
dynamic-profile {
profile-name;
aggregate-clients {
merge;
replace;
}
junos-default-profile;
use-primary dynamic-profile-name;
}
exclude;
overrides {
delegated-pool pool-name;
interface-client-limit number;
process-inform {
pool pool-name;
}
rapid-commit;
}
service-profile service-profile-name;
trace;
upto interface-name;
}
liveness-detection {
failure-action {
clear-binding;
clear-binding-if-interface-up;
log-only;
}
method {
bfd {
detection-time {
threshold milliseconds;
}
holddown-interval interval;
minimum-interval milliseconds;
minimum-receive-interval milliseconds;
multiplier number;
no-adaptation;
session-mode (automatic | multihop | single-hop);
transmit-interval {
minimum-interval milliseconds;
threshold milliseconds;
}
version (0 | 1 | automatic);
}
}
overrides {
delegated-pool pool-name;
interface-client-limit number;
process-inform {
pool pool-name;
}
rapid-commit;
}
reconfigure {
attempts number;
clear-on-abort;
strict;
timeout number;
token token-name;
trigger {
radius-disconnect;
}
}
service-profile service-profile-name;
}
liveness-detection {
failure-action {
clear-binding;
clear-binding-if-interface-up;
log-only;
}
method {
bfd {
detection-time {
threshold milliseconds;
}
holddown-interval interval;
minimum-interval milliseconds;
minimum-receive-interval milliseconds;
multiplier number;
no-adaptation;
session-mode (automatic | multihop | single-hop);
transmit-interval {
minimum-interval milliseconds;
threshold milliseconds;
}
version (0 | 1 | automatic);
}
}
overrides {
delegated-pool pool-name;
interface-client-limit number;
process-inform {
pool pool-name;
}
rapid-commit;
}
reconfigure {
attempts number;
clear-on-abort;
strict;
timeout number;
token token-name;
trigger {
radius-disconnect;
}
}
service-profile service-profile-name;
}

Hierarchy Level [edit system services]

Release Information Statement introduced in Release 10.4 of Junos OS.

Description Configure the DHCPv6 server to provide IPv6 addresses to clients.

NOTE: SRX Series and J Series devices do not support client authentication.

Options • duplicate-clients-on-interface—Allow duplicate clients on different interfaces in a subnet.

Remaining options are explained separately.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices


family (Security Forwarding Options)

Supported Platforms J Series, LN Series, SRX Series

Syntax family {
inet6 {
mode (drop | flow-based | packet-based);
}
iso {
mode packet-based;
}
mpls {
mode packet-based;
}
}

Hierarchy Level [edit security forwarding-options]

Release Information Statement introduced in Release 8.5 of Junos OS.

Description Determine the protocol family to be used for packet forwarding.

NOTE: Packet-based processing is not supported on the following SRX Series devices: SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800.

Options The remaining statements are explained separately.

Required Privilege Level security—To view this statement in the configuration.
security-control—To add this statement to the configuration.

Related Documentation • MPLS Feature Guide for Security Devices
• Administration Guide for Security Devices


forwarding-options (Security)

Supported Platforms J Series, LN Series, SRX Series

Syntax forwarding-options {
family {
inet6 {
mode (drop | flow-based | packet-based);
}
iso {
mode packet-based;
}
mpls {
mode packet-based;
}
}
}

Hierarchy Level [edit security]

Release Information Statement introduced in Release 8.5 of Junos OS.

Description Determine how the inet6, iso, and mpls protocol families manage security forwarding
options.

NOTE:
• Packet-based processing is not supported on the following SRX Series
devices: SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, and
SRX5800.

• On SRX Series devices, the default mode for processing traffic is flow mode.
To configure an SRX Series device as a border router, you must change the
mode from flow-based processing to packet-based processing. Use the
set security forwarding-options family mpls mode packet-based statement
to configure the SRX Series device for packet mode. You must reboot the device
for the configuration to take effect.

Options The remaining statements are explained separately.

Required Privilege Level security—To view this statement in the configuration.
security-control—To add this statement to the configuration.

Related Documentation • MPLS Feature Guide for Security Devices
• Administration Guide for Security Devices
• Understanding External BGP Peering Sessions
• Understanding Packet-Based Processing
• Juniper Networks Devices Processing Overview


group (System Services DHCP)

Supported Platforms J Series, LN Series, SRX Series

Syntax group group-name {
authentication {
password password;
username-include {
circuit-type;
client-id;
delimiter delimiter-character;
domain-name domain-name;
interface-name;
logical-system-name;
relay-agent-interface-id;
relay-agent-remote-id;
relay-agent-subscriber-id;
routing-instance-name;
user-prefix user-prefix;
}
}
dynamic-profile {
profile-name;
aggregate-clients {
merge;
replace;
}
junos-default-profile;
use-primary dynamic-profile;
}
interface interface-name {
dynamic-profile {
profile-name;
aggregate-clients {
merge;
replace;
}
junos-default-profile;
use-primary dynamic-profile-name;
}
exclude;
overrides {
delegated-pool pool-name;
interface-client-limit number;
process-inform {
pool pool-name;
}
rapid-commit;
}
service-profile service-profile-name;
trace;
upto interface-name;
}
liveness-detection {
failure-action {
clear-binding;
clear-binding-if-interface-up;
log-only;
}
method {
bfd {
detection-time {
threshold milliseconds;
}
holddown-interval interval;
minimum-interval milliseconds;
minimum-receive-interval milliseconds;
multiplier number;
no-adaptation;
session-mode (automatic | multihop | single-hop);
transmit-interval {
minimum-interval milliseconds;
threshold milliseconds;
}
version (0 | 1 | automatic);
}
}
overrides {
delegated-pool pool-name;
interface-client-limit number;
process-inform {
pool pool-name;
}
rapid-commit;
}
reconfigure {
attempts number;
clear-on-abort;
strict;
timeout number;
token token-name;
trigger {
radius-disconnect;
}
}
service-profile service-profile-name;
}

Hierarchy Level [edit system services dhcp-local-server dhcpv6]

Release Information Statement introduced in Release 10.4 of Junos OS.

Description Configure a group of interfaces that have a common configuration. The remaining
statements are explained separately.

Options • group-name—Name of the group.

NOTE: SRX Series and J Series devices do not support DHCP client
authentication.

The remaining statements are explained separately.

Required Privilege Level access—To view this statement in the configuration.
access-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices


host (SSH Known Hosts)

Supported Platforms J Series, LN Series, SRX Series

Syntax host hostname {
dsa-key dsa-key;
ecdsa-sha2-nistp256-key ecdsa-sha2-nistp256-key;
ecdsa-sha2-nistp384-key ecdsa-sha2-nistp384-key;
ecdsa-sha2-nistp521-key ecdsa-sha2-nistp521-key;
rsa-key rsa-key;
rsa1-key rsa1-key;
}

Hierarchy Level [edit security ssh-known-hosts]

Release Information Statement modified in Junos OS Release 8.5.

Description Configure the type of base-64 encoded host key.

Options • hostname—Name of the SSH known host.

• dsa-key dsa-key—Digital Signature Algorithm (DSA) for SSH version 2

• ecdsa-sha2-nistp256-key ecdsa-sha2-nistp256-key—Elliptic Curve Digital Signature Algorithm (ECDSA)

• ecdsa-sha2-nistp384-key ecdsa-sha2-nistp384-key—Elliptic Curve Digital Signature Algorithm (ECDSA)

• ecdsa-sha2-nistp521-key ecdsa-sha2-nistp521-key—Elliptic Curve Digital Signature Algorithm (ECDSA)

• rsa-key rsa-key—RSA public key algorithm, which supports encryption and digital
signatures for SSH version 1 and SSH version 2

• rsa1-key rsa1-key—RSA public key algorithm, which supports encryption and digital
signatures for SSH version 1

Required Privilege Level security—To view this statement in the configuration.
security-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices


hostkey-algorithm

Supported Platforms J Series, LN Series, SRX Series

Syntax hostkey-algorithm {
(ssh-dss | no-ssh-dss);
(ssh-ecdsa |no-ssh-ecdsa);
(ssh-rsa | no-ssh-rsa);
}

Hierarchy Level [edit system services ssh]

Release Information Statement introduced in Release 11.2 of Junos OS. Statement options modified in Release 12.2 of Junos OS.

Description Allow or disallow a host-key signature algorithm for the SSH host to use to authenticate
another host.

Options • ssh-dss—Allow generation of a 1024-bit Digital Signature Algorithm (DSA) host-key.

• no-ssh-dss—Do not allow generation of a 1024-bit Digital Signature Algorithm (DSA) host-key.

• ssh-ecdsa—Allow generation of an Elliptic Curve Digital Signature Algorithm (ECDSA) host-key.

• no-ssh-ecdsa—Do not allow generation of an Elliptic Curve Digital Signature Algorithm (ECDSA) host-key.

• ssh-rsa—Allow generation of a 2048-bit RSA host-key.

• no-ssh-rsa—Do not allow generation of a 2048-bit RSA host-key.

NOTE: DSA keys are not supported in FIPS, so the ssh-dss option is not
available on systems operating in FIPS mode.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices
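An added configuration example (not from the guide) that combines the hostkey-algorithm statement above with the host (SSH Known Hosts) statement earlier in this chapter: the device offers only ECDSA and 2048-bit RSA host keys to SSH clients, and the host key of one system that the device itself connects to is recorded so it can be checked on connection. The hostname backup.example.net and the key value are constructed placeholders.

```junos
system {
    services {
        ssh {
            /* Host keys this device may present to SSH clients: ECDSA and
               2048-bit RSA stay enabled, 1024-bit DSA is disabled (the page
               notes that ssh-dss is unavailable in FIPS mode anyway). */
            hostkey-algorithm {
                no-ssh-dss;
                ssh-ecdsa;
                ssh-rsa;
            }
        }
    }
}
security {
    ssh-known-hosts {
        /* Known host for connections made from this device; the hostname and
           the base-64 key value are placeholders, not a real host or key. */
        host backup.example.net {
            ecdsa-sha2-nistp256-key "<base64-encoded-ecdsa-public-key>";
        }
    }
}
```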


interface (System Services DHCP)

Supported Platforms J Series, LN Series, SRX Series

Syntax interface interface-name {
exclude;
overrides {
interface-client-limit number;
}
trace;
upto upto-interface-name;
}

Hierarchy Level [edit system services dhcp-local-server dhcpv6 group group-name]

Release Information Statement introduced in Release 10.4 of Junos OS.

Description Specify one or more interfaces, or a range of interfaces, that are within a specified group
on which the DHCP local server is enabled. You can repeat the interface interface-name
statement to specify multiple interfaces within a group, but you cannot specify the same
interface in more than one group.

Options • interface-name—Name of the interface.

• trace—Enable tracing of the interface specified by the interface-name argument.

• upto upto-interface-name—The upper end of the range of interfaces; the lower end of
the range is the interface-name entry. The interface device name of the
upto-interface-name must be the same as the device name of the interface-name.

Required Privilege Level security—To view this statement in the configuration.
security-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices


interfaces (ARP)

Supported Platforms SRX Series

Syntax interfaces {
interface-name {
aging-timer minutes;
}
}

Hierarchy Level [edit system arp]

Release Information Statement introduced before Junos OS Release 9.4.

Description Specify the Address Resolution Protocol (ARP) aging timer in minutes for a logical
interface.

Options aging-timer minutes—Time between ARP updates, in minutes.
Range: 1 through 240
Default: 20

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • Junos OS Administration Library for Security Devices


interfaces (Security Zones)

Supported Platforms J Series, LN Series, SRX Series

Syntax interfaces interface-name {
host-inbound-traffic {
protocols protocol-name {
except;
}
system-services service-name {
except;
}
}
}

Hierarchy Level [edit security zones functional-zone management],
[edit security zones security-zone zone-name]

Release Information Statement introduced in Junos OS Release 8.5.

Description Specify the set of interfaces that are part of the zone.

Options interface-name—Name of the interface.

The remaining statements are explained separately.

Required Privilege Level security—To view this statement in the configuration.
security-control—To add this statement to the configuration.

Related Documentation • Ethernet Port Switching Feature Guide for Security Devices
• Layer 2 Bridging and Transparent Mode Feature Guide for Security Devices
• Security Zones and Interfaces Feature Guide for Security Devices
• Administration Guide for Security Devices
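An added example (not from the guide) of the interfaces statement with the per-interface except option: the zone allows SSH and ping to the device on all of its interfaces, and one interface removes SSH from that set. The zone name and interface names are assumptions; the zone-level host-inbound-traffic block belongs to the security-zone hierarchy and is not part of the statement documented here.

```junos
security {
    zones {
        security-zone trust {
            /* Zone-wide: the device itself answers only SSH and ping
               on interfaces that belong to this zone. */
            host-inbound-traffic {
                system-services {
                    ssh;
                    ping;
                }
            }
            interfaces {
                /* Inherits the zone setting: SSH and ping are accepted. */
                ge-0/0/1.0;
                /* Same zone, but "except" removes SSH on this interface,
                   so only ping reaches the device here. */
                ge-0/0/2.0 {
                    host-inbound-traffic {
                        system-services {
                            ssh {
                                except;
                            }
                        }
                    }
                }
            }
        }
    }
}
```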


interface-traceoptions (System Services DHCP)

Supported Platforms J Series, LN Series, SRX Series

Syntax interface-traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
level (all | error | info | notice | verbose | warning);
no-remote-trace;
}

Hierarchy Level [edit routing-instances routing-instance-name system services dhcp-local-server],
[edit system services dhcp-local-server]

Release Information Statement introduced in Release 10.4 of Junos OS.

Description Configure extended DHCP local server tracing operations that can be enabled on a specific
interface or group of interfaces. You use the interface interface-name trace statement at
the [edit system services group group-name] hierarchy level to enable the tracing operation
on the specific interfaces.

Options file-name—Name of the file to receive the output of the tracing operation. Enclose the
name in quotation marks (“ ”). All files are placed in a file named jdhcpd in the
directory /var/log. If you include the file statement, you must specify a filename.

files number—(Optional) Maximum number of trace files. When a trace file named
trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and
so on, until the maximum number of trace files is reached. Then the oldest trace file
is overwritten. If you specify a maximum number of files, you also must specify a
maximum file size with the size option.
Range: 2 through 1000
Default: 3 files

flag flag—Tracing operation to perform. To specify more than one tracing operation,
include multiple flag statements. You can include the following flags:

• all—Trace all events

• dhcpv6-packet—Trace DHCPv6 packet decoding operations.

• dhcpv6-packet-option—Trace DHCPv6 option decoding operations.

• dhcpv6-state—Trace changes in state for DHCPv6 operations.

• packet—Trace packet decoding operations

• packet-option—Trace DHCP option decoding operations


• state—Trace changes in state

match regular-expression—(Optional) Refine the output to include lines that contain the
regular expression.

no-remote-trace—Disable remote tracing.

no-world-readable—(Optional) Disable unrestricted file access.

size size—(Optional) Maximum size of each trace file, in kilobytes (KB), megabytes (MB),
or gigabytes (GB). If you specify a maximum file size, you also must specify a
maximum number of trace files with the files option.
Syntax: xk to specify KB, xm to specify MB, or xg to specify GB
Range: 10 KB through 1 GB
Default: 128 KB

world-readable—(Optional) Enable unrestricted file access.

Required Privilege Level interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices


internet-options

Supported Platforms LN Series, SRX Series

Syntax internet-options {
icmpv4-rate-limit {
bucket-size seconds;
packet-rate packet-rate;
}
icmpv6-rate-limit {
bucket-size seconds;
packet-rate packet-rate;
}
ipv6-duplicate-addr-detection-transmits number;
no-path-mtu-discovery;
no-source-quench;
no-tcp-reset;
no-tcp-rfc1323;
no-tcp-rfc1323-paws;
path-mtu-discovery;
source-port {
upper-limit range;
}
source-quench;
tcp-drop-synfin-set;
}

Hierarchy Level [edit system]

Release Information Statement introduced in Junos OS Release 11.1.

Description Configure tunable options for Internet operations.

Options • icmpv4-rate-limit—Configure rate-limiting parameters for Internet Control Message Protocol version 4 (ICMPv4) messages.

• bucket-size seconds—Set ICMP rate-limiting maximum bucket size in seconds.

• packet-rate packet-rate—Set ICMP rate-limiting packets earned per second.

• icmpv6-rate-limit—Configure rate-limiting parameters for Internet Control Message Protocol version 6 (ICMPv6) messages.

• bucket-size seconds—Set ICMP rate-limiting maximum bucket size in seconds.

• packet-rate packet-rate—Set ICMP rate-limiting packets earned per second.

• ipv6-duplicate-addr-detection-transmits number—Control the number of attempts for IPv6 duplicate address detection.

• no-path-mtu-discovery—Do not enable path maximum transmission unit (MTU) discovery on TCP connections.

• no-source-quench—Do not react to incoming ICMP source quench messages.

• no-tcp-reset—Do not send RST TCP packets for packets sent to non-listening ports.


• no-tcp-rfc1323—Disable RFC 1323 TCP extensions.

• no-tcp-rfc1323-paws—Disable RFC 1323 Protection Against Wrapped Sequence Number extension.

• path-mtu-discovery—Enable path MTU discovery on TCP connections.

• source-port—Configure source port selection parameters.

• upper-limit range—Specify upper limit of source port selection range.

• source-quench—React to incoming ICMP source quench messages.

• tcp-drop-synfin-set—Drop TCP packets that have both SYN and FIN flags.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices
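An added example (not from the guide) that applies the internet-options statements above as a hardening set for the device's own IP stack: ICMP generated by the device is rate-limited for both address families, TCP segments with SYN and FIN both set are dropped, and ICMP source quench is ignored. The bucket and rate values are assumptions chosen for illustration, not the platform defaults.

```junos
system {
    internet-options {
        /* ICMP the device generates is token-bucket limited: at most
           packet-rate messages per second, with a burst allowance of
           bucket-size seconds' worth of messages. */
        icmpv4-rate-limit {
            bucket-size 5;
            packet-rate 500;
        }
        icmpv6-rate-limit {
            bucket-size 5;
            packet-rate 500;
        }
        /* A TCP segment carrying both SYN and FIN is never legitimate;
           drop it rather than let the stack interpret it. */
        tcp-drop-synfin-set;
        /* Source quench is a deprecated ICMP message that any sender can
           forge; do not let it slow the device's own TCP sessions. */
        no-source-quench;
    }
}
```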

lease-time (dhcp-client)

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax lease-time seconds;

Hierarchy Level [edit interfaces interface-name unit logical-unit-number family family dhcp-client]

Release Information Statement introduced in Junos OS Release 12.1X44-D10.

Description Specify the time to negotiate and exchange Dynamic Host Configuration Protocol (DHCP)
information.

Options seconds—Request time to negotiate and exchange information.

Required Privilege Level interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices


lockout-period

Supported Platforms LN Series, M Series, MX Series, SRX Series, T Series

Syntax lockout-period minutes;

Hierarchy Level [edit system login retry-options]

Release Information Statement introduced in Junos OS Release 11.2.

Description Configure the amount of time before the user can attempt to log in to the router after
being locked out due to the number of failed login attempts specified in the
tries-before-disconnect statement.

Options minutes—Amount of time before the user can attempt to log in after being locked out.
Default: 120
Range: 1 through 43200

Required Privilege Level admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices

multicast-client

Supported Platforms SRX Series

Syntax multicast-client <address>;

Hierarchy Level [edit system ntp]

Release Information Statement introduced before Junos OS Release 7.4.

Description For NTP, configure the SRX Series device to listen for multicast messages on the local
network to discover other servers on the same subnet.

Options address—(Optional) One or more IP addresses. If you specify addresses, the SRX Series
device joins those multicast groups.
Default: 224.0.1.1

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • ntp on page 173
• Administration Guide for Security Devices


name-server (Access)

Supported Platforms J Series, LN Series, SRX Series

Syntax name-server address;

Hierarchy Level [edit access address-assignment pool pool-name family (inet | inet6) xauth-attributes]

Release Information Statement introduced in Release 10.4 of Junos OS.

Description Specify the DNS server IP address for an address-assignment pool.

Required Privilege Level access—To view this statement in the configuration.
access-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices

neighbor-discovery-router-advertisement (Access)

Supported Platforms J Series, LN Series, SRX Series

Syntax neighbor-discovery-router-advertisement ndra-pool-name;

Hierarchy Level [edit access address-assignment]

Release Information Statement introduced in Release 10.4 of Junos OS.

Description Configure the name of the address-assignment pool used to assign the router
advertisement prefix.

Options ndra-pool-name—Name of the address assignment pool.

Required Privilege Level access—To view this statement in the configuration.
access-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices


ntp

Supported Platforms SRX Series

Syntax ntp {
authentication-key key-number type md5 value <password>;
boot-server <address>;
broadcast <address> <key key-number> <routing-instance routing-instance-name> <version value> <ttl value>;
broadcast-client;
multicast-client <address>;
peer address <key key-number> <version value> <prefer>;
server address <key key-number> <version value> <prefer>;
source-address source-address <routing-instance routing-instance-name>;
trusted-key [key-numbers];
}

Hierarchy Level [edit system]

Release Information Statement introduced before Junos OS Release 7.4.

Description Configure Network Time Protocol (NTP) on the SRX Series device.

The remaining statements are explained separately.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • System Configuration Statement Hierarchy on page 199
• Administration Guide for Security Devices


overrides (System Services DHCP)

Supported Platforms J Series, LN Series, SRX Series

Syntax overrides {
interface-client-limit number;
}

Hierarchy Level [edit system services dhcp-local-server dhcpv6],
[edit system services dhcp-local-server dhcpv6 group group-name],
[edit system services dhcp-local-server dhcpv6 group group-name interface interface-name]

Release Information Statement introduced in Release 10.4 of Junos OS.

Description Override the default configuration settings for the extended DHCP local server. Specifying
the overrides statement with no subordinate statements removes all DHCP local server
overrides at that hierarchy level.

• To override global DHCP local server configuration options, include the overrides statement and its subordinate statements at the [edit system services dhcp-local-server] hierarchy level.

• To override configuration options for a named group of interfaces, include the statements at the [edit system services dhcp-local-server dhcpv6 group group-name] hierarchy level.

• To override configuration options for a specific interface within a named group of interfaces, include the statements at the [edit system services dhcp-local-server dhcpv6 group group-name interface interface-name] hierarchy level.

• Use the DHCPv6 hierarchy levels to override DHCPv6 configuration options.

Options interface-client-limit number—Sets the maximum number of DHCP clients per interface
allowed for a specific group or for all groups. A group specification takes precedence
over a global specification for the members of that group.
Range: 1 through 500,000
Default: No limit

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices
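An added example (not from the guide) that puts the DHCPv6 local server statements from this chapter together: dhcp-local-server with interface-traceoptions, dhcpv6 with a global overrides block, a group whose own overrides take precedence over the global value, liveness-detection, and the interface statement used as a range (upto) with one member excluded and one traced. The group name, interface names, client limits and BFD timers are assumptions, and failure-action is written with its chosen option on one line as the CLI displays it.

```junos
system {
    services {
        dhcp-local-server {
            /* Trace files go to /var/log; files and size must be given
               together, and no-world-readable keeps the client identifiers
               in the trace from being read by other users of the device. */
            interface-traceoptions {
                file dhcpv6-trace files 5 size 1m no-world-readable;
                flag dhcpv6-state;
                flag dhcpv6-packet;
                level warning;
            }
            dhcpv6 {
                /* Global override: at most 1000 clients per interface in
                   every group that does not set its own limit. */
                overrides {
                    interface-client-limit 1000;
                }
                group access-ports {
                    /* The group value wins over the global 1000 above. */
                    overrides {
                        interface-client-limit 200;
                    }
                    /* Clear a client's binding once it stops answering BFD,
                       so an address is not held by a host that has gone. */
                    liveness-detection {
                        failure-action clear-binding;
                        method {
                            bfd {
                                minimum-interval 1000;
                                multiplier 3;
                                session-mode single-hop;
                            }
                        }
                    }
                    /* The range ge-0/0/1.0 through ge-0/0/8.0 is served ... */
                    interface ge-0/0/1.0 {
                        upto ge-0/0/8.0;
                    }
                    /* ... except this member, and this other member is traced
                       using the interface-traceoptions settings above. */
                    interface ge-0/0/5.0 {
                        exclude;
                    }
                    interface ge-0/0/2.0 {
                        trace;
                    }
                }
            }
        }
    }
}
```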


peer (NTP)

Supported Platforms SRX Series

Syntax peer address <key key-number> <version value> <prefer>;

Hierarchy Level [edit system ntp]

Release Information Statement introduced before Junos OS Release 7.4.

Description For NTP, configure the SRX Series device to operate in symmetric active mode with the
remote system at the specified address. In this mode, the SRX Series device and the
remote system can synchronize with each other. This configuration is useful in a network
in which either the SRX Series device or the remote system might be a better source of
time.

Options address—Address of the remote system. You must specify an address, not a hostname.

key key-number—(Optional) All packets sent to the address include authentication fields
that are encrypted using the specified key number.
Range: Any unsigned 32-bit integer

prefer—(Optional) Mark the remote system as the preferred host, which means that if
all other factors are equal, this remote system is chosen for synchronization among
a set of correctly operating systems.

version value—(Optional) Specify the NTP version number to be used in outgoing NTP
packets.
Range: 1 through 4
Default: 4

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • ntp on page 173
• Administration Guide for Security Devices
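An added example (not from the guide) of the ntp and peer statements configured with authentication: one shared key is defined and listed as trusted, every server and peer association references that key so the packets carry authentication fields, and the device uses a fixed source address. The addresses are RFC 5737 documentation addresses and the key value is a placeholder, all assumptions for illustration.

```junos
system {
    ntp {
        /* Symmetric key shared with the time sources; md5 is the only
           type this release offers, and the value here is a placeholder. */
        authentication-key 1 type md5 value "<shared-ntp-key-placeholder>";
        /* Key IDs the device may use when authenticating with other systems. */
        trusted-key 1;
        /* Unicast servers; "key 1" makes packets to them carry authentication
           fields, and the first server is preferred when all else is equal. */
        server 192.0.2.10 key 1 version 4 prefer;
        server 192.0.2.11 key 1 version 4;
        /* Symmetric-active peer: either side may synchronize to the other. */
        peer 192.0.2.12 key 1 version 4;
        /* Server queried when the device boots to set the initial time. */
        boot-server 192.0.2.10;
        /* Fixed source address for outgoing NTP packets. */
        source-address 192.0.2.1;
    }
}
```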


port (System Services Reverse SSH)

Supported Platforms J Series, LN Series

Syntax port port-number;

Hierarchy Level [edit system services reverse ssh]

Release Information Statement introduced in Release 9.6 of Junos OS.

Description Reverse SSH allows you to configure a device to listen on a specific port for telnet and
SSH (secure shell) services. When you connect to that port, the device provides an
interface to the auxiliary port on the device. You can control the port that is used. By
default, port 2901 is used.

Required Privilege Level security—To view this statement in the configuration.
security-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices

port (System Services Reverse Telnet)

Supported Platforms J Series, LN Series

Syntax port port-number;

Hierarchy Level [edit system services reverse telnet]

Release Information Statement introduced in Release 9.6 of Junos OS.

Description Reverse Telnet allows you to configure a device to listen on a specific port for telnet and
SSH (secure shell) services. When you connect to that port, the device provides an
interface to the auxiliary port on the device. You can control the port that is used. By
default, port 2900 is used.

Required Privilege Level security—To view this statement in the configuration.
security-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices

prefix

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax prefix {
host-name;
logical-system-name;
routing-instance-name;
}

Hierarchy Level [edit interfaces interface-name unit logical-unit-number family family dhcp-client client-identifier]

Release Information Statement introduced in Junos OS Release 12.1X44-D10.

Description Specify a prefix as a client identifier.

Required Privilege Level interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices

profilerd

Supported Platforms SRX Series

Syntax profilerd {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}

Hierarchy Level [edit system processes]

Release Information Statement introduced in Junos OS Release 8.5.

Description Specify the profiler process.

Options • command binary-file-path—Path to binary for process.

• disable—Disable the profiler process.

• failover—Configure the device to reboot if the software process fails four times within
30 seconds, and specify the software to use during the reboot.

• alternate-media—Configure the device to switch to backup media that contains a
version of the system if a software process fails repeatedly.

• other-routing-engine—Instruct the secondary Routing Engine to take mastership if
a software process fails. If this statement is configured for a process, and that process
fails four times within 30 seconds, then the device reboots from the secondary
Routing Engine.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices

proxy

Supported Platforms LN Series, SRX Series

Syntax proxy {
password password;
port port-number;
server url;
username user-name;
}

Hierarchy Level [edit system]

Release Information Statement introduced in Junos OS Release 8.5.

Description Specify the proxy information for the router.

Options • password password—Password configured in the proxy server.

• port port-number—Proxy server port number.
Range: 0 through 65,535

• server url—URL or IP address of the proxy server host.

• username user-name—Username configured in the proxy server.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices

rapid-commit

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax rapid-commit;

Hierarchy Level [edit interfaces interface-name unit logical-unit-number family family dhcpv6-client]

Release Information Statement introduced in Junos OS Release 12.1X45-D10.

Description Used to signal the use of the two-message exchange for address assignment.

Required Privilege Level interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices

reconfigure (System Services DHCP)

Supported Platforms J Series, LN Series, SRX Series

Syntax reconfigure {
attempts number;
clear-on-abort;
strict;
timeout number;
token token-name;
trigger {
radius-disconnect;
}
}

Hierarchy Level [edit system services dhcp-local-server dhcpv6],
[edit system services dhcp-local-server group group-name],
[edit system services dhcp-local-server dhcpv6 group group-name]

Release Information Statement introduced in Release 10.4 of Junos OS.

Description Enable dynamic reconfiguration triggered by the DHCP local server of all DHCP clients
or only the DHCP clients serviced by the specified group of interfaces. A group
configuration takes precedence over a DHCP local server configuration.

Options attempts number—Configure the maximum number of attempts to reconfigure all DHCP
clients or only the DHCP clients serviced by the specified group of interfaces before
reconfiguration is considered to have failed. A group configuration takes precedence
over a DHCP local server configuration.
Range: 1 through 10 attempts
Default: 8 attempts

clear-on-abort—Delete all DHCP clients or only the DHCP clients serviced by the specified
group of interfaces when reconfiguration fails; that is, when the maximum number
of retry attempts have been made without success. A group configuration takes
precedence over a DHCP local server configuration.

strict—Configure the system to only allow packets that contain the reconfigure accept
option.

timeout seconds—Configure the initial value in seconds between attempts to reconfigure
all DHCP clients or only the DHCP clients serviced by the specified group of interfaces.
Each successive attempt doubles the interval between attempts. For example, if
the first value is 2, the first retry is attempted 2 seconds after the first attempt fails.
The second retry is attempted 4 seconds after the first retry fails. The third retry is
attempted 8 seconds after the second retry fails, and so on. A group configuration
takes precedence over a DHCP local server configuration.
Range: 1 through 10 seconds
Default: 2 seconds

token token-name—Configure a plain-text token for all DHCP clients or only the clients
serviced by the specified group of interfaces. The default is null (empty string).

trigger—Specify the DHCP reconfigure trigger.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices

req-option

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax req-option (dns-server | domain | fqdn | nis-domain | nis-server | ntp-server | sip-domain |
sip-server | time-zone | vendor-spec);

Hierarchy Level [edit interfaces interface-name unit logical-unit-number family family dhcpv6-client]

Release Information Statement introduced in Junos OS Release 12.1X45-D10.

Description The configuration options requested by the DHCPv6 client.

Options dns-server—Specify a DNS server.

domain—Specify a domain name.

fqdn—Specify a fully qualified domain name.

nis-domain—Specify a Network Information Service (NIS) domain.

nis-server—Specify a Network Information Service (NIS) server.

ntp-server—Specify a Network Time Protocol (NTP) server.

sip-domain—Specify a Session Initiation Protocol (SIP) domain.

sip-server—Specify a Session Initiation Protocol (SIP) server.

time-zone—Specify a time zone.

vendor-spec—Specify vendor specification.

Required Privilege Level interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices

retransmission-attempt (dhcp-client)

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax retransmission-attempt number;

Hierarchy Level [edit interfaces interface-name unit logical-unit-number family family dhcp-client]

Release Information Statement introduced in Junos OS Release 12.1X44-D10.

Description Specify the number of times the device attempts to retransmit a Dynamic Host
Configuration Protocol (DHCP) packet fallback.

Options number—Number of attempts to retransmit the packet.

Range: 0 through 6

Required Privilege Level interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices

retransmission-attempt (dhcpv6-client)

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax retransmission-attempt number;

Hierarchy Level [edit interfaces interface-name unit logical-unit-number family family dhcpv6-client]

Release Information Statement introduced in Junos OS Release 12.1X45-D10.

Description Specify the number of times the device retransmits a DHCPv6 client packet if a DHCPv6
server fails to respond. After the specified number of attempts, no further attempts at
reaching a server are made.

Options number—Number of retransmit attempts.

Required Privilege Level interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices

retransmission-interval (dhcp-client)

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax retransmission-interval seconds;

Hierarchy Level [edit interfaces interface-name unit logical-unit-number family family dhcp-client]

Release Information Statement introduced in Junos OS Release 12.1X44-D10.

Description Specify the time between successive retransmission attempts.

Options seconds—Number of seconds between successive retransmission attempts.

Range: 4 through 64 seconds

Required Privilege Level interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices

ssh (reverse)

Supported Platforms J Series, LN Series

Syntax ssh port port-number;

Hierarchy Level [edit system services reverse]

Release Information Statement introduced in Release 9.6 of Junos OS.

Description Reverse Telnet allows you to configure a device to listen on a specific port for telnet and
SSH (secure shell) services. When you connect to that port, the device provides an
interface to the auxiliary port on the device. Use reverse SSH to encrypt the reverse telnet
communication between the device and the client.

Required Privilege Level security—To view this statement in the configuration.
security-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices

ssh-known-hosts

Supported Platforms J Series, LN Series, SRX Series

Syntax ssh-known-hosts {
fetch-from-server server-name;
host hostname {
dsa-key dsa-key;
ecdsa-sha2-nistp256-key ecdsa-sha2-nistp256-key;
ecdsa-sha2-nistp384-key ecdsa-sha2-nistp384-key;
ecdsa-sha2-nistp521-key ecdsa-sha2-nistp521-key;
rsa-key rsa-key;
rsa1-key rsa1-key;
}
load-key-file key-file;
}

Hierarchy Level [edit security]

Release Information Statement modified in Release 8.5 of Junos OS.

Description Configure SSH support for known hosts and for administering SSH host key updates.

Options • fetch-from-server server-name—Retrieve SSH public host key information from a
specified server.

• load-key-file key-file—Import SSH host-key information from the specified
/var/tmp/ssh-known-hosts file.

The remaining statements are explained separately.

Required Privilege Level security—To view this statement in the configuration.
security-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices
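As an added example (not Juniper code), the following Python converts an OpenSSH known_hosts file into set statements for the ssh-known-hosts hierarchy above, checking that each base64 blob really encodes the declared key type before emitting it. The set-command form, the key-type mapping and the sample known_hosts content are assumptions; only the statement names come from the syntax above.

```python
"""Turn OpenSSH known_hosts entries into Junos [edit security ssh-known-hosts] statements.

Added example, not Juniper code. Assumptions: the Junos value is the base64 key blob
exactly as it appears in known_hosts, and statement names map as in KEY_STATEMENTS.
"""
import base64
import re

# OpenSSH key-type token -> statement under "host hostname { ... }" in the syntax above.
KEY_STATEMENTS = {
    "ssh-rsa": "rsa-key",
    "ssh-dss": "dsa-key",
    "ecdsa-sha2-nistp256": "ecdsa-sha2-nistp256-key",
    "ecdsa-sha2-nistp384": "ecdsa-sha2-nistp384-key",
    "ecdsa-sha2-nistp521": "ecdsa-sha2-nistp521-key",
}

# Constructed sample input; the key blobs are truncated placeholders, not real host keys.
SAMPLE_KNOWN_HOSTS = """\
# known_hosts collected from the management jump host
ntp1.example.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7 admin@jump
ntp1.example.net ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAI
|1|c2FsdA==|aGFzaA== ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7
bad.example.net ssh-rsa not!!base64
legacy.example.net 1024 35 12345678901234567890
"""


def check_blob(key_type: str, blob_b64: str) -> bytes:
    """Decode a base64 key blob and verify that it encodes the declared key type.

    Every SSH public key blob starts with a uint32 length followed by the key-type
    string, so a mismatch means a corrupted or mis-pasted key, not a usable host key.
    Raises ValueError (binascii.Error is a subclass) on bad input.
    """
    raw = base64.b64decode(blob_b64, validate=True)
    if len(raw) < 4:
        raise ValueError("key blob too short")
    name_len = int.from_bytes(raw[:4], "big")
    if raw[4:4 + name_len] != key_type.encode("ascii"):
        raise ValueError(f"blob does not encode {key_type}")
    return raw


def known_hosts_to_junos(text: str):
    """Return (set commands, skipped) for the given known_hosts content.

    skipped is a list of (line number, reason) for entries that were not converted.
    """
    commands, skipped = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            skipped.append((lineno, "malformed entry"))
            continue
        hosts, key_type, blob = fields[0], fields[1], fields[2]
        if hosts.startswith("|1|"):
            # HashKnownHosts entries hide the hostname; the host statement needs it in clear.
            skipped.append((lineno, "hashed hostname cannot be mapped to a host statement"))
            continue
        if key_type.isdigit():
            # "host bits exponent modulus" is an SSH protocol 1 key (rsa1-key); do not import.
            skipped.append((lineno, "SSH protocol 1 key not imported"))
            continue
        statement = KEY_STATEMENTS.get(key_type)
        if statement is None:
            skipped.append((lineno, f"unsupported key type {key_type}"))
            continue
        try:
            check_blob(key_type, blob)
        except ValueError as exc:
            skipped.append((lineno, f"invalid key blob: {exc}"))
            continue
        # known_hosts allows "host1,host2" and "[host]:port"; emit one host statement each.
        for host in hosts.split(","):
            host = re.sub(r"^\[(.*)\]:\d+$", r"\1", host)
            commands.append(
                f'set security ssh-known-hosts host {host} {statement} "{blob}"'
            )
    return commands, skipped


if __name__ == "__main__":
    cmds, skips = known_hosts_to_junos(SAMPLE_KNOWN_HOSTS)
    print("\n".join(cmds))
    for lineno, reason in skips:
        print(f"# line {lineno} skipped: {reason}")
```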

server (NTP)

Supported Platforms SRX Series

Syntax server address <key key-number> <version value> <prefer>;

Hierarchy Level [edit system ntp]

Release Information Statement introduced before Junos OS Release 7.4.

Description For NTP, configure the SRX Series device to operate in client mode with the remote
system at the specified address. In this mode, the SRX Series device can be synchronized
with the remote system, but the remote system can never be synchronized with the SRX
Series device.

If the NTP client time drifts so that the difference in time from the NTP server exceeds
128 milliseconds, the client is automatically stepped back into synchronization. If the
offset between the NTP client and server exceeds the 1000-second threshold, the client
still synchronizes with the server, but it also generates a system log message noting that
the threshold was exceeded.

Options address—Address of the remote system. You must specify an address, not a hostname.

key key-number—(Optional) Use the specified key number to encrypt authentication
fields in all packets sent to the specified address.
Range: Any unsigned 32-bit integer

prefer—(Optional) Mark the remote system as the preferred host, which means that if
all other things are equal, this remote system is chosen for synchronization among
a set of correctly operating systems.

version value—(Optional) Specify the version number to be used in outgoing NTP packets.
Range: 1 through 4
Default: 4

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • ntp on page 173
• Administration Guide for Security Devices

server-address (dhcp-client)

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax server-address ip-address;

Hierarchy Level [edit interfaces interface-name unit logical-unit-number family family dhcp-client]

Release Information Statement introduced in Junos OS Release 12.1X44-D10.

Description Specify the preferred DHCP server address that is sent to DHCP clients.

Options ip-address—DHCP server address.

Required Privilege Level interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices

services

Supported Platforms SRX Series

Syntax services {
apply-groups [ group-names ];
apply-groups-except [ group-names ];
dhcp {
boot-file filename;
boot-server (address | hostname);
default-lease-time (infinite | seconds);
domain-name domain-name;
domain-search dns-search-suffix;
maximum-lease-time (infinite | seconds);
name-server ip-address;
next-server ip-address;
option option-identifier-code (array type-name [ type-values ] | byte 8-bit-value | flag
(false | off | on | true) | integer signed-32-bit-value | ip-address address | short
signed-16-bit-value | string text-string | unsigned-integer 32-bit-value | unsigned-short
16-bit-value);
pool subnet-ip-address/mask {
address-range {
high address;
low address;
}
boot-file filename;
boot-server (address | hostname);
default-lease-time (infinite | seconds);
domain-name domain-name;
domain-search dns-search-suffix;
exclude-address ip-address;
maximum-lease-time (infinite | seconds);
name-server ip-address;
next-server ip-address;
option option-identifier-code (array type-name [ type-values ] | byte 8-bit-value | flag
(false | off | on | true) | integer signed-32-bit-value | ip-address address | short
signed-16-bit-value | string text-string | unsigned-integer 32-bit-value | unsigned-short
16-bit-value);
propagate-ppp-settings interface-name;
propagate-settings interface-name;
router ip-address;
server-identifier dhcp-server;
sip-server {
address ip-address;
name sip-server-name;
}
wins-server netbios-name-server;
}
propagate-ppp-settings interface-name;
propagate-settings interface-name;
router ip-address;
server-identifier dhcp-server;
sip-server {
address ip-address;
name sip-server-name;

}
static-binding mac-address;
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
level (all | error | info | notice | verbose | warning);
no-remote-trace;
}
wins-server netbios-name-server;
}
dns {
dns-proxy {
cache hostname inet ip-address;
default-domain domain-name {
forwarders ip-address;
}
interface interface-name;
propogate-setting (enable | disable);
view view-name {
domain domain-name {
forward-only;
forwarders ip-address;
}
match-clients subnet-address;
}
}
dnssec {
disable;
dlv {
domain-name domain-name trusted-anchor trusted-anchor;
}
secure-domains domain-name;
trusted-keys (key dns-key | load-key-file url);
forwarders {
ip-address;
}
max-cache-ttl seconds;
max-ncache-ttl seconds;
traceoptions {
category {
category-type;
}
debug-level level;
file {
filename;
files number;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;

level (all | error | info | notice | verbose | warning);
no-remote-trace;
}
}
}
dynamic-dns {
client hostname {
agent agent-name;
interface interface-name;
password server-password;
server server-name;
username user-name;
}
}
finger {
connection-limit number;
rate-limit number;
}
ftp {
data {
dscp (alias | bits);
forwarding-class class-name;
}
dscp (alias | bits);
forwarding-class class-name;
}
}
netconf {
ssh {
connection-limit number;
port port-number;
rate-limit number;
}
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
no-remote-trace;
on-demand;
}
}
outbound-ssh {
client client-id {
address address {
port port-number;
retry number;
timeout seconds;
}
device-id device-id;
keep-alive {
retry number;

timeout seconds;
}
reconnect-strategy (in-order | sticky);
secret password;
services netconf;
}
traceoptions {
file filename <files number> <match regex> <size size> <world-readable |
no-world-readable>;
flag flag;
no-remote-trace;
}
}
service-deployment {
servers {
address ipv4-address {
security-options {
ssl3;
tls;
}
user username;
}
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(no-world-readable | world-readable);
}
flag flag;
no-remote-trace;
}
local-certificate local-certificate;
source-address source-address;
}
}
ssh {
connection-limit number;
port port-number;
rate-limit number;
}
telnet {
connection-limit number;
rate-limit number;
}
web-management {
http {
interfaces interface-names;
port port;
}
https {
interfaces interface-names;
system-generated-certificate name;
port port;
}

management-url management-url;
session {
idle-timeout minutes;
session-limit number;
}
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(no-world-readable | world-readable);
}
flag flag;
level level;
no-remote-trace;
}
}
xnm-clear-text {
connection-limit number;
rate-limit number;
}
xnm-ssl {
connection-limit number;
rate-limit number;
}
}

Hierarchy Level [edit system]

Release Information Statement introduced before Junos OS Release 7.4.

Description Configure the router or switch so that users on remote systems can access the local
router or switch through the DHCP server, finger, rlogin, SSH, telnet, Web management,
Junos XML protocol clear-text, Junos XML protocol SSL, and network utilities or enable
Junos OS to work with the Session and Resource Control (SRC) software.

The remaining statements are explained separately.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • Configuring clear-text or SSL Service for Junos XML Protocol Client Applications
• Configuring the Junos OS to Work with SRC Software

source-address (NTP, RADIUS, System Logging, or TACACS+)

Supported Platforms SRX Series

Syntax source-address source-address <routing-instance routing-instance-name>;

Hierarchy Level [edit system accounting destination radius server server-address],
[edit system accounting destination tacplus server server-address],
[edit system ntp],
[edit system radius-server server-address],
[edit system syslog],
[edit system tacplus-server server-address]

Release Information Statement introduced before Junos OS Release 7.4.

Description Specify a source address for each configured TACACS+ server, RADIUS server, or NTP
server, or the source address to record in system log messages that are directed to a
remote machine.

Options source-address—A valid IP address configured on one of the SRX Series devices. For
system logging, the address is recorded as the message source in messages sent to
the remote machines specified in all host hostname statements at the [edit system
syslog] hierarchy level, but not for messages directed to the other Routing Engine.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • ntp on page 173
• Administration Guide for Security Devices

telnet (System Services Reverse)

Supported Platforms J Series, LN Series

Syntax telnet port port-number;

Hierarchy Level [edit system services reverse]

Release Information Statement introduced in Release 9.6 of Junos OS.

Description Reverse Telnet allows you to configure a device to listen on a specific port for telnet and
SSH (secure shell) services. When you connect to that port, the device provides an
interface to the auxiliary port on the device.

Required Privilege Level security—To view this statement in the configuration.
security-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices

traceoptions (System Services DHCP)

Supported Platforms J Series, LN Series, SRX Series

Syntax traceoptions {
file {
filename;
files number;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
no-remote-trace;
}

Hierarchy Level [edit routing-instances routing-instance-name system services dhcp-local-server],
[edit system services dhcp-local-server],
[edit system processes dhcp-service]

Release Information Statement introduced in Release 10.4 of Junos OS.

Description Configure extended DHCP local server tracing operations for DHCP processes.

Options • filename—Name of the file to receive the output of the tracing operation. Enclose the
name in quotation marks (“ ”). All files are placed in a file named jdhcpd in the directory
/var/log. If you include the file statement, you must specify a filename.

• files number—(Optional) Maximum number of trace files. When a trace file named
trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so
on, until the maximum number of trace files is reached. Then the oldest trace file is
overwritten. If you specify a maximum number of files, you also must specify a maximum
file size with the size option.
Range: 2 through 1000
Default: 3 files

• match regular-expression—(Optional) Refine the output to include lines that contain
the regular expression.

• size maximum-file-size—(Optional) Maximum size of each trace file, in kilobytes (KB),
megabytes (MB), or gigabytes (GB). If you specify a maximum file size, you also must
specify a maximum number of trace files with the files option.
Syntax: xk to specify KB, xm to specify MB, or xg to specify GB
Range: 10 KB through 1 GB
Default: 128 KB

• world-readable—(Optional) Enable unrestricted file access.

• no-world-readable—(Optional) Disable unrestricted file access.

• flag flag—Tracing operation to perform. To specify more than one tracing operation,
include multiple flag statements. You can include the following flags:

• all—Trace all events.

• database—Trace database operations.

• dhcpv6-general—Trace operations for DHCPv6.

• dhcpv6-io—Trace input/output operations for DHCPv6.

• dhcpv6-packet—Trace DHCPv6 packet decoding operations.

• dhcpv6-packet-option—Trace DHCPv6 option decoding operations.

• dhcpv6-rpd—Trace routing protocol process operations.

• dhcpv6-session-db—Trace session database operations for DHCPv6.

• dhcpv6-state—Trace changes in state for DHCPv6 operations.

• fwd—Trace firewall process operations.

• general—Trace miscellaneous general operations.

• ha—Trace high-availability related operations.

• interface—Trace interface operations.

• io—Trace input/output operations.

• packet—Trace packet decoding operations.

• packet-option—Trace DHCP option decoding operations.

• performance—Trace DHCP performance measurement operations.

• profile—Trace DHCP profile operations.

• rpd—Trace routing protocol process operations.

• rtsock—Trace routing socket operations.

• session-db—Trace session database operations.

• state—Trace changes in state.

• statistics—Trace changes in statistics.

• ui—Trace changes in user interface operations.

• no-remote-trace—Disable remote tracing.

Required Privilege Level trace—To view this statement in the configuration.
trace-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices

trusted-key

Supported Platforms SRX Series

Syntax trusted-key [key-numbers];

Hierarchy Level [edit system ntp]

Release Information Statement introduced before Junos OS Release 7.4.

Description For NTP, configure the keys you are allowed to use when you configure the SRX Series
device to synchronize its time with other systems on the network.

Options key-numbers—One or more key numbers. Each key can be any 32-bit unsigned integer
except 0.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • ntp on page 173
• Administration Guide for Security Devices
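The peer (NTP), server (NTP) and trusted-key entries above state rules that are easy to get wrong in a live configuration: the remote system must be given as an address, not a hostname; a key number is a nonzero unsigned 32-bit integer and is only usable if it is listed under trusted-key; version is 1 through 4; and peer mode lets the remote system synchronize from the device as well. The following Python audits a configuration in set form against those rules. It is an added example, not Juniper code; the set-command input format and the sample configuration are assumptions.

```python
"""Audit [edit system ntp] server, peer and trusted-key statements given in set form.

Added example, not Juniper code. It checks the rules stated in the statement
descriptions: addresses must be IP addresses, key numbers are nonzero unsigned
32-bit integers listed under trusted-key, and version is 1 through 4.
"""
import ipaddress

MAX_KEY = 2**32 - 1

# Constructed sample configuration; the addresses are documentation ranges.
SAMPLE_CONFIG = """\
set system ntp trusted-key [ 1 2 ]
set system ntp server 192.0.2.10 key 1 prefer
set system ntp server 192.0.2.11 key 7
set system ntp server 198.51.100.5 version 3
set system ntp peer 2001:db8::1 key 2
set system ntp peer ntp.example.net key 1 version 5
"""


def parse_ntp(config: str):
    """Return (set of trusted key numbers, list of server/peer associations)."""
    trusted, assocs = set(), []
    for line in config.splitlines():
        fields = line.split()
        if fields[:3] != ["set", "system", "ntp"] or len(fields) < 5:
            continue
        stmt = fields[3]
        if stmt == "trusted-key":
            # Accepts both "trusted-key 1" and "trusted-key [ 1 2 ]".
            trusted.update(int(t) for t in (f.strip("[]") for f in fields[4:]) if t.isdigit())
        elif stmt in ("server", "peer"):
            assoc = {"mode": stmt, "address": fields[4], "key": None, "version": "4", "prefer": False}
            i = 5
            while i < len(fields):
                if fields[i] in ("key", "version") and i + 1 < len(fields):
                    assoc[fields[i]] = fields[i + 1]
                    i += 2
                else:
                    assoc["prefer"] = assoc["prefer"] or fields[i] == "prefer"
                    i += 1
            assocs.append(assoc)
    return trusted, assocs


def audit_ntp(config: str):
    """Return a list of findings, one string per problem found."""
    trusted, assocs = parse_ntp(config)
    findings = []
    for a in assocs:
        where = f"{a['mode']} {a['address']}"
        try:
            ipaddress.ip_address(a["address"])
        except ValueError:
            findings.append(f"{where}: address must be an IP address, not a hostname")
        if a["key"] is None:
            findings.append(f"{where}: no key configured; packets from this system are not authenticated")
        else:
            key = int(a["key"]) if a["key"].isdigit() else 0
            if not 1 <= key <= MAX_KEY:
                findings.append(f"{where}: key {a['key']} is not a nonzero unsigned 32-bit integer")
            elif key not in trusted:
                findings.append(f"{where}: key {key} is not listed under trusted-key")
        if not (a["version"].isdigit() and 1 <= int(a["version"]) <= 4):
            findings.append(f"{where}: version {a['version']} is outside 1 through 4")
        if a["mode"] == "peer":
            findings.append(f"{where}: symmetric active mode lets the remote system be synchronized "
                            "from this device; confirm that is intended")
    return findings


if __name__ == "__main__":
    for finding in audit_ntp(SAMPLE_CONFIG):
        print(finding)
```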

update-router-advertisement

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax update-router-advertisement (interface interface-name);

Hierarchy Level [edit interfaces interface-name unit logical-unit-number family family dhcpv6-client]

Release Information Statement introduced in Junos OS Release 12.1X45-D10.

Description Specify the interface used to delegate prefixes.

Options interface interface-name—Interface on which to delegate prefixes.

Required Privilege Level interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices

update-server (dhcp-client)

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax update-server;

Hierarchy Level [edit interfaces interface-name unit logical-unit-number family family dhcp-client]

Release Information Statement introduced in Junos OS Release 12.1X44-D10.

Description Propagate DHCP options to a local DHCP server.

Required Privilege Level interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices

update-server (dhcpv6-client)

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax update-server;

Hierarchy Level [edit interfaces interface-name unit logical-unit-number family family dhcpv6-client]

Release Information Statement introduced in Junos OS Release 12.1X45-D10.

Description Propagate TCP/IP settings to the DHCPv6 server.

Required Privilege Level interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices

user-id

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax user-id (ascii ascii | hexadecimal hexadecimal);

Hierarchy Level [edit interfaces interface-name unit logical-unit-number family family dhcp-client client-identifier]

Release Information Statement introduced in Junos OS Release 12.1X44-D10.

Description Specify an ASCII or hexadecimal user ID for the Dynamic Host Configuration Protocol
(DHCP) client.

Required Privilege Level interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices

use-interface-description

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax use-interface-description (logical | device);

Hierarchy Level [edit interfaces interface-name unit logical-unit-number family family dhcp-client client-identifier]

Release Information Statement introduced in Junos OS Release 12.1X44-D10.

Description The description configured at the physical or logical interface level is used for client
identification.

Required Privilege Level interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices

vendor-id

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax vendor-id vendor-id;

Hierarchy Level [edit interfaces interface-name unit logical-unit-number family family dhcp-client]

Release Information Statement introduced in Junos OS Release 12.1X44-D10.

Description Configure a vendor class ID for the Dynamic Host Configuration Protocol (DHCP) client.

Options vendor-id—Vendor class ID.

Required Privilege Level interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices

vpn (Forwarding Options)

Supported Platforms J Series, LN Series, SRX Series

Syntax vpn;

Hierarchy Level [edit forwarding-options helpers bootp]
[edit forwarding-options helpers bootp interface interface-name]

Release Information Statement introduced in Release 9.0 of Junos OS.

Description For Dynamic Host Configuration Protocol (DHCP) or BOOTP client request forwarding,
enable virtual private network (VPN) encryption for a client request to pass through a
VPN tunnel.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices


CHAPTER 16

Configuration Statements (System)

• System Configuration Statement Hierarchy on page 199
• ciphers on page 231
• connection-limit on page 232
• disable (System Services) on page 233
• dlv on page 233
• kernel-replication (System) on page 234
• location on page 235
• macs on page 236
• protocol-version on page 237
• radius-server on page 238
• root-authentication on page 240
• single-connection on page 241
• static-subscribers on page 241
• statistics-service on page 242
• subscriber-management on page 242
• subscriber-management-helper on page 243
• uac-service on page 244
• usb-control on page 245
• watchdog on page 246
• web-management on page 247
• web-management (System Services) on page 248

System Configuration Statement Hierarchy

Supported Platforms J Series, LN Series, SRX Series

Use the statements in the system configuration hierarchy to configure system
management functions, including the addresses of the Domain Name System (DNS) servers;
the device's hostname, address, and domain name; health monitoring; interface filtering;
properties of the device's auxiliary and console ports; security profiles for logical systems;
time zones and Network Time Protocol (NTP) properties; trace options; and user login
accounts, including user authentication and the root-level user account. Statements
that are exclusive to J Series and SRX Series devices running Junos OS are described in
this section.
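The hardening baseline below is an added example and is not a configuration from the Juniper guide. It assembles statements that appear in the system hierarchy that follows (auxiliary and console port settings, login retry and password options, authentication order, SSH service limits, and remote syslog) into a single stanza of the kind a security administrator would apply before exposing a device's management plane. The hostname, the 192.0.2.x addresses (documentation range), the class name, the banner text, and all numeric values are constructed; the authorization and interactive-commands syslog facilities and the view and view-configuration permission flags come from general Junos knowledge, not from this page.

```junos
system {
    /* constructed hostname */
    host-name fw-edge-1;
    ports {
        auxiliary {
            /* the auxiliary port is unused, so remove it as a login path */
            disable;
        }
        console {
            /* end the session when the console cable is unplugged */
            log-out-on-disconnect;
        }
    }
    /* RADIUS is consulted first; the local password database only afterwards */
    authentication-order [ radius password ];
    radius-server 192.0.2.10 {
        /* placeholder shared secret; the real value is set only on the device */
        secret "REPLACE-WITH-SHARED-SECRET";
        source-address 192.0.2.1;
        timeout 5;
        retry 3;
    }
    login {
        message "Authorized use only. Sessions are logged.";
        retry-options {
            /* after the 2nd failure each further attempt is delayed 5 s more; */
            /* disconnect after the 3rd and lock the account for 10 minutes */
            tries-before-disconnect 3;
            backoff-threshold 2;
            backoff-factor 5;
            lockout-period 10;
        }
        password {
            /* sha1 is the strongest format this release's hierarchy lists */
            format sha1;
            minimum-length 12;
            change-type character-set;
            minimum-changes 3;
        }
        class auditor {
            /* read-only class for reviewers; commit rights stay with other classes */
            idle-timeout 10;
            permissions [ view view-configuration ];
        }
    }
    services {
        ssh {
            /* SSH protocol 1 is obsolete; denying root login makes every */
            /* session attributable to a named user */
            protocol-version v2;
            root-login deny;
            connection-limit 10;
            rate-limit 4;
            no-tcp-forwarding;
        }
    }
    syslog {
        /* ship authentication events and typed commands off-box so that */
        /* local tampering with the log files stays visible */
        host 192.0.2.20 {
            authorization info;
            interactive-commands any;
        }
        file messages {
            any notice;
            authorization info;
        }
    }
}
```

Because the login and ssh stanzas can lock out the administrator who applies them, apply the change with a confirmed commit (commit confirmed) and verify a fresh SSH session before confirming it.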

system {
accounting {
destination {
radius {
server server-address {
accounting-port port-number;
max-outstanding-requests number;
port number;
retry number;
secret password;
source-address address;
timeout seconds;
}
}
tacplus {
server server-address {
port port-number;
secret password;
single-connection;
source-address source-address;
timeout seconds;
}
}
}
events [change-log interactive-commands login];
traceoptions {
file {
filename;
files number;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
no-remote-trace;
}
}
allow-v4mapped-packets;
archival {
configuration {
archive-sites url {
password password;
}
transfer-interval interval;
transfer-on-commit;
}
}
arp {
aging-timer minutes;
gratuitous-arp-delay seconds;
gratuitous-arp-on-ifup;
interfaces {

interface name {
aging-timer minutes;
}
}
passive-learning;
purging;
}
authentication-order [password radius tacplus];
auto-configuration {
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
level (all | error | info | notice | verbose | warning);
no-remote-trace;
}
}
auto-snapshot;
autoinstallation {
configuration-servers {
url {
password password;
}
}
interfaces {
interface-name {
bootp;
rarp;
}
}
usb {
disable;
}
}
backup-router {
address;
destination [network];
}
commit {
server {
commit-interval seconds;
days-to-keep-error-logs days;
maximum-aggregate-pool number;
maximum entries number;
traceoptions {
file {
filename;
files number;
microsecond-stamp;
size maximum-file-size;

(world-readable | no-world-readable);
}
flag flag;
no-remote-trace;
}
}
synchronize;
}
compress-configuration-files;
default-address-selection;
diag-port-authentication {
encrypted-password password;
plain-text-password;
}
domain-name domain-name;
domain-search [domain-list];
donot-disable-ip6op-ondad;
dump-device (boot-device | compact-flash | usb);
dynamic-profile-options {
versioning;
}
encrypt-configuration-files;
extensions {
providers {
provider-id {
license-type license deployment-scope [deployments];
}
}
resource-limits {
package package-name {
resources {
cpu {
priority number;
time seconds;
}
file {
core-size bytes;
open number;
size bytes;
}
memory {
data-size mbytes;
locked-in mbytes;
resident-set-size mbytes;
socket-buffers mbytes;
stack-size mbytes;
}
}
}
process process-ui-name {
resources {
cpu {
priority number;
time seconds;
}
file {

core-size bytes;
open number;
size bytes;
}
memory {
data-size mbytes;
locked-in mbytes;
resident-set-size mbytes;
socket-buffers mbytes;
stack-size mbytes;
}
}
}
}
}
fips {
level (0 | 1 | 2 | 3 | 4);
}
host-name hostname;
inet6-backup-router {
address;
destination destination;
}
internet-options {
icmpv4-rate-limit {
bucket-size seconds;
packet-rate packets-per-second;
}
icmpv6-rate-limit {
bucket-size seconds;
packet-rate packets-per-second;
}
(ipip-path-mtu-discovery | no-ipip-path-mtu-discovery);
ipv6-duplicate-addr-detection-transmits number;
(ipv6-path-mtu-discovery | no-ipv6-path-mtu-discovery);
ipv6-path-mtu-discovery-timeout minutes;
no-tcp-reset (drop-all-tcp | drop-tcp-with-syn-only);
no-tcp-rfc1323;
no-tcp-rfc1323-paws;
(path-mtu-discovery | no-path-mtu-discovery);
source-port upper-limit upper-limit;
(source-quench | no-source-quench);
tcp-drop-synfin-set;
tcp-mss bytes;
}
kernel-replication;
license {
autoupdate {
url url;
password password;
}
renew {
before-expiration number;
interval interval-hours;
}
traceoptions {

file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
no-remote-trace;
}
}
location {
altitude feet;
building name;
country-code code;
floor number;
hcoord horizontal-coordinate;
lata service-area;
latitude degrees;
longitude degrees;
npa-nxx number;
postal-code postal-code;
rack number;
vcoord vertical-coordinate;
}
login {
announcement text;
class class-name {
access-end hh:mm;
access-start hh:mm;
allow-commands regular-expression;
allow-configuration regular-expression;
allow-configuration-regexps [regular-expression];
allowed-days [day];
deny-commands regular-expression;
deny-configuration regular-expression;
deny-configuration-regexps [regular-expression];
idle-timeout minutes;
logical-system logical-system;
login-alarms;
login-script script;
login-tip;
permissions [permissions];
security-role (audit-administrator | crypto-administrator | ids-administrator |
security-administrator);
}
deny-sources {
address [address-or-hostname];
}
message text;
}
password {
change-type (character-set | set-transitions);
format (des | md5 | sha1);
maximum-length length;
minimum-changes number;

minimum-length length;
}
retry-options {
backoff-factor seconds;
backoff-threshold number;
lockout-period time;
maximum-time seconds;
minimum-time seconds;
tries-before-disconnect number;
}
user username {
authentication {
encrypted-password password;
load-key-file url;
plain-text-password;
ssh-dsa public-key;
ssh-rsa public-key;
}
class class-name;
full-name complete-name;
uid uid-value;
}
}
max-configuration-rollbacks number;
max-configurations-on-flash number;
mirror-flash-on-disk;
name-server ip-address;
nd-maxmcast-solicit value;
nd-retransmit-timer value;
no-compress-configuration-files;
no-debugger-on-alt-break;
no-multicast-echo;
no-neighbor-learn;
no-ping-record-route;
no-ping-time-stamp;
no-redirects;
no-saved-core-context;
ntp {
authentication-key key-number {
type md5;
value password;
}
boot-server address;
broadcast broadcast-address {
key key;
ttl value;
version version;
}
broadcast-client;
multicast-client {
address;
}
peer peer-address {
key key;
prefer;
version version;

}
server server-address {
key key;
prefer;
version version;
}
source-address source-address;
trusted-key [key-number];
}
pic-console-authentication {
encrypted-password password;
plain-text-password;
}
ports {
auxiliary {
disable;
insecure;
type (ansi | small-xterm | vt100 | xterm);
}
console {
disable;
insecure;
log-out-on-disconnect;
type (ansi | small-xterm | vt100 | xterm);
}
}
processes {
802.1x-protocol-daemon {
command binary-file-path;
disable;
}
adaptive-services {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
alarm-control {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
application-identification {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
application-security {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
audit-process {
command binary-file-path;
disable;
}
auto-configuration {

command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
bootp {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
chassis-control {
disable;
failover alternate-media;
}
class-of-service {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
craft-control {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
database-replication {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
datapath-trace-service {
disable;
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
level (all | error | info | notice | verbose | warning);
no-remote-trace;
}
}
dhcp {
command binary-file-path;
disable;
}
dhcp-service {
disable;
failover (alternate-media | other-routing-engine);
interface-traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;

(world-readable | no-world-readable);
}
flag flag;
level (all | error | info | notice | verbose | warning);
no-remote-trace;
}
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
level (all | error | info | notice | verbose | warning);
no-remote-trace;
}
}
dialer-services {
disable;
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
no-remote-trace;
}
}
diameter-service {
disable;
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
level (all | error | info | notice | verbose | warning);
no-remote-trace;
}
}
disk-monitoring {
command binary-file-path;
disable;
}
dynamic-flow-capture {
command binary-file-path;
disable;
}

ecc-error-logging {
command binary-file-path;
disable;
}
ethernet-connectivity-fault-management {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
ethernet-link-fault-management {
command binary-file-path;
disable;
}
ethernet-switching {
command binary-file-path;
disable;
}
event-processing {
command binary-file-path;
disable;
}
fipsd {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
firewall {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
firewall-authentication-service {
disable;
}
forwarding {
command binary-file-path;
disable;
}
general-authentication-service {
disable;
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
no-remote-trace;
}
}
gprs-process {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);

}
group-key-member {
disable;
}
group-key-server {
disable;
}
idp-policy {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
ilmi {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
inet-process {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
init {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
interface-control {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
ipmi {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
ipsec-key-management {
(disable | enable);
}
jsrp-service {
disable;
}
jtasktest {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
kernel-replication {
command binary-file-path;
disable;
}
l2-learning {
command binary-file-path;
disable;
}

l2cpd-service {
command binary-file-path;
disable;
}
lacp {
command binary-file-path;
disable;
}
lldpd-service {
command binary-file-path;
disable;
}
logical-system-mux {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
logical-system-service {
disable;
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
no-remote-trace;
}
}
mib-process {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
mobile-ip {
command binary-file-path;
disable;
}
mountd-service {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
mspd {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
multicast-snooping {
command binary-file-path;
disable;
}
named-service {
disable;

failover (alternate-media | other-routing-engine);
}
neighbor-liveness {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
network-security {
disable;
}
network-security-trace {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
nfsd-service {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
ntp {
disable;
failover (alternate-media | other-routing-engine);
}
ntpd-service {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
peer-selection-service {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
periodic-packet-services {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
pgcp-service {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
pgm {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
pic-services-logging {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
ppp {
command binary-file-path;

disable;
}
pppoe {
command binary-file-path;
disable;
}
process-monitor {
disable;
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
level (all | error | info | notice | verbose | warning);
no-remote-trace;
}
}
profilerd {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
r2cp {
command binary-file-path;
disable;
}
redundancy-interface-process {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
remote-operations {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
resource-cleanup {
disable;
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
level (all | error | info | notice | verbose | warning);
no-remote-trace;
}
}
routing {

disable;
failover (alternate-media | other-routing-engine);
}
sampling {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
sbc-configuration-process {
disable;
failover (alternate-media | other-routing-engine);
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
no-remote-trace;
}
}
sdk-service {
disable;
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
level (all | error | info | notice | verbose | warning);
no-remote-trace;
}
}
secure-neighbor-discovery {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
security-log {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
send {
disable;
}
service-deployment {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}

shm-rtsdbd {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
simple-mail-client-service {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
smtpd-service {
disable;
}
snmp {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
static-subscribers {
disable;
}
statistics-service {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
subscriber-management {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
subscriber-management-helper {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
system-health-management {
disable;
}
tunnel-oamd {
command binary-file-path;
disable;
}
uac-service {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
usb-control {
command binary-file-path;
disable;
}
virtualization-service {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);

}
vrrp {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}
wan-acceleration {
disable;
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
no-remote-trace;
}
}
watchdog {
enable;
disable;
timeout value;
}
web-management {
disable;
failover (alternate-media | other-routing-engine);
}
wireless-lan-service {
disable;
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
no-remote-trace;
}
}
wireless-wan-service {
disable;
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
no-remote-trace;
}

}
proxy {
password password;
port port-number;
server url;
username user-name;
}
radius-options {
attributes {
nas-ip-address nas-ip-address;
}
password-protocol mschap-v2;
}
radius-server server-address {
accounting-port number;
max-outstanding-requests number;
port number;
retry number;
secret password;
source-address source-address;
timeout seconds;
}
root-authentication {
encrypted-password password;
load-key-file url;
plain-text-password;
ssh-dsa public-key {
<from pattern-list>;
}
ssh-rsa public-key {
<from pattern-list>;
}
}
saved-core-context;
saved-core-files number;
scripts {
commit {
allow-transients;
direct-access;
file filename {
checksum (md5 | sha-256 | sha1);
optional;
refresh;
refresh-from url;
source url;
}
refresh;
refresh-from url;
traceoptions {
file {
filename;
files number;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;

no-remote-trace;
}
}
load-scripts-from-flash;
op {
file filename {
arguments name {
description text;
}
checksum (md5 | sha-256 | sha1);
command filename-alias;
description cli-help-text;
refresh;
refresh-from url;
source url;
}
no-allow-url;
refresh;
refresh-from url;
traceoptions {
file {
filename;
files number;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
no-remote-trace;
}
}
security-profile security-profile-name {
address-book {
maximum amount;
reserved amount;
}
appfw-profile {
maximum amount;
reserved amount;
}
appfw-rule {
maximum amount;
reserved amount;
}
appfw-rule-set {
maximum amount;
reserved amount;
}
auth-entry {
maximum amount;
reserved amount;
}
cpu {
reserved percent;
}
dslite-softwire-initiator {
maximum amount;

reserved amount;
}
flow-gate {
maximum amount;
reserved amount;
}
flow-session {
maximum amount;
reserved amount;
}
idp-policy idp-policy-name;
logical-system logical-system-name;
nat-cone-binding {
maximum amount;
reserved amount;
}
nat-destination-pool {
maximum amount;
reserved amount;
}
nat-destination-rule {
maximum amount;
reserved amount;
}
nat-interface-port-ol {
maximum amount;
reserved amount;
}
nat-nopat-address {
maximum amount;
reserved amount;
}
nat-pat-address {
maximum amount;
reserved amount;
}
nat-pat-portnum {
maximum amount;
reserved amount;
}
nat-port-ol-ipnumber {
maximum amount;
reserved amount;
}
nat-rule-referenced-prefix {
maximum amount;
reserved amount;
}
nat-source-pool {
maximum amount;
reserved amount;
}
nat-source-rule {
maximum amount;
reserved amount;
}

nat-static-rule {
maximum amount;
reserved amount;
}
policy {
maximum amount;
reserved amount;
}
policy-with-count {
maximum amount;
reserved amount;
}
root-logical-system;
scheduler {
maximum amount;
reserved amount;
}
zone {
maximum amount;
reserved amount;
}
}
security-profile-resources {
cpu-control;
cpu-control-target percent;
}
services {
database-replication {
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
no-remote-trace;
}
}
dhcp {
boot-file filename;
boot-server (address | hostname);
default-lease-time (infinite | seconds);
domain-name domain-name;
domain-search dns-search-suffix;
maximum-lease-time (infinite | seconds);
name-server ip-address;
next-server ip-address;
option option-identifier-code (array type-name [ type-values ] | byte 8-bit-value | flag
(false | off | on | true) | integer signed-32-bit-value | ip-address address | short
signed-16-bit-value | string text-string | unsigned-integer 32-bit-value |
unsigned-short 16-bit-value);
pool subnet-ip-address/mask {
address-range {
high address;

low address;
}
boot-file filename;
boot-server (address | hostname);
default-lease-time (infinite | seconds);
domain-name domain-name;
domain-search dns-search-suffix;
exclude-address ip-address;
maximum-lease-time (infinite | seconds);
name-server ip-address;
next-server ip-address;
option option-identifier-code (array type-name [ type-values ] | byte 8-bit-value |
flag (false | off | on | true) | integer signed-32-bit-value | ip-address address |
short signed-16-bit-value | string text-string | unsigned-integer 32-bit-value |
unsigned-short 16-bit-value);
propagate-ppp-settings interface-name;
propagate-settings interface-name;
router ip-address;
server-identifier dhcp-server;
sip-server {
address ip-address;
name sip-server-name;
}
wins-server ip-address;
}
propagate-ppp-settings interface-name;
propagate-settings interface-name;
router ip-address;
server-identifier dhcp-server;
sip-server {
address ip-address;
name sip-server-name;
}
static-binding mac-address;
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
level (all | error | info | notice | verbose | warning);
no-remote-trace;
}
wins-server ip-address;
}
dhcp-local-server {
dhcpv6 {
authentication {
password password;
username-include {
circuit-type;
client-id;
delimiter delimiter-character;

domain-name domain-name;
interface-name;
logical-system-name;
relay-agent-interface-id;
relay-agent-remote-id;
relay-agent-subscriber-id;
routing-instance-name;
user-prefix user-prefix;
}
}
dynamic-profile {
profile-name;
aggregate-clients {
merge;
replace;
}
junos-default-profile;
use-primary dynamic-profile-name;
}
group group-name {
authentication {
password password;
username-include {
circuit-type;
client-id;
delimiter delimiter-character;
domain-name domain-name;
interface-name;
logical-system-name;
relay-agent-interface-id;
relay-agent-remote-id;
relay-agent-subscriber-id;
routing-instance-name;
user-prefix user-prefix;
}
}
dynamic-profile {
profile-name;
aggregate-clients {
merge;
replace;
}
junos-default-profile;
use-primary dynamic-profile;
}
interface interface-name {
dynamic-profile {
profile-name;
aggregate-clients {
merge;
replace;
}
junos-default-profile;
use-primary dynamic-profile-name;
}
exclude;

overrides {
delegated-pool pool-name;
interface-client-limit number;
process-inform {
pool pool-name;
}
rapid-commit;
}
service-profile service-profile-name;
trace;
upto interface-name;
}
liveness-detection {
failure-action {
clear-binding;
clear-binding-if-interface-up;
log-only;
}
method {
bfd {
detection-time {
threshold milliseconds;
}
holddown-interval interval;
minimum-interval milliseconds;
minimum-receive-interval milliseconds;
multiplier number;
no-adaptation;
session-mode (automatic | multihop | single-hop);
transmit-interval {
minimum-interval milliseconds;
threshold milliseconds;
}
version (0 | 1 | automatic);
}
}
overrides {
delegated-pool pool-name;
interface-client-limit number;
process-inform {
pool pool-name;
}
rapid-commit;
}
reconfigure {
attempts number;
clear-on-abort;
strict;
timeout number;
token token-name;
trigger {
radius-disconnect;
}
}
service-profile service-profile-name;
}

liveness-detection {
failure-action {
clear-binding;
clear-binding-if-interface-up;
log-only;
}
method {
bfd {
detection-time {
threshold milliseconds;
}
holddown-interval interval;
minimum-interval milliseconds;
minimum-receive-interval milliseconds;
multiplier number;
no-adaptation;
session-mode (automatic | multihop | single-hop);
transmit-interval {
minimum-interval milliseconds;
threshold milliseconds;
}
version (0 | 1 | automatic);
}
}
overrides {
delegated-pool pool-name;
interface-client-limit number;
process-inform {
pool pool-name;
}
rapid-commit;
}
reconfigure {
attempts number;
clear-on-abort;
strict;
timeout number;
token token-name;
trigger {
radius-disconnect;
}
}
service-profile service-profile-name;
}
group group-name {
interface interface-name {
exclude;
upto upto-interface-name;
}
}
}
dns {
dns-proxy {
cache hostname inet ip-address;
default-domain domain-name {
forwarders ip-address;

}
interface interface-name;
propagate-setting (enable | disable);
view view-name {
domain domain-name {
forwarders ip-address;
}
match-clients subnet-address;
}
}
}
dnssec {
disable;
dlv {
domain-name domain-name trusted-anchor trusted-anchor;
}
secure-domains domain-name;
trusted-keys (key dns-key | load-key-file url);
forwarders {
ip-address;
}
max-cache-ttl seconds;
max-ncache-ttl seconds;
traceoptions {
category {
category-type;
}
debug-level level;
file {
filename;
files number;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
level (all | error | info | notice | verbose | warning);
no-remote-trace;
}
}
dynamic-dns {
client hostname {
agent agent-name;
interface interface-name;
password server-password;
server server-name;
username user-name;
}
}
finger {
connection-limit number;
rate-limit number;
}
ftp {
connection-limit number;
rate-limit number;
}

netconf {
ssh {
connection-limit number;
port port-number;
rate-limit number;
}
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
no-remote-trace;
on-demand;
}
}
outbound-ssh {
client client-id {
address {
port port-number;
retry number;
timeout value;
}
device-id device-id;
keep-alive {
retry number;
time-out value;
}
reconnect-strategy (in-order | sticky);
secret secret;
services {
netconf;
}
}
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
no-remote-trace;
}
}
service-deployment {
local-certificate certificate-name;
servers server-address {
port port-number;
security-options {
ssl3;
tls;

}
user user-name;
}
source-address source-address;
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
no-remote-trace;
}
}
ssh {
ciphers [cipher];
client-alive-count-max number;
client-alive-interval seconds;
connection-limit number;
hostkey-algorithm {
(ssh-dss | no-ssh-dss);
(ssh-ecdsa | no-ssh-ecdsa);
(ssh-rsa | no-ssh-rsa);
}
key-exchange [algorithm];
macs [algorithm];
max-sessions-per-connection number;
protocol-version {
v1;
v2;
}
rate-limit number;
root-login (allow | deny | deny-password);
(tcp-forwarding | no-tcp-forwarding);
}
subscriber-management {
enforce-strict-scale-limit-license;
gres-route-flush-delay;
maintain-subscriber interface-delete;
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
no-remote-trace;
}
}
subscriber-management-helper {
traceoptions {
file {

filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
no-remote-trace;
}
}
telnet {
connection-limit number;
rate-limit number;
}
web-management {
control {
max-threads number;
}
http {
interface [interface-name];
port port-number;
}
https {
interface [interface-name];
local-certificate name;
pki-local-certificate name;
port port-number;
system-generated-certificate;
}
management-url url;
session {
idle-timeout minutes;
session-limit number;
}
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
level (all | error | info | notice | verbose | warning);
no-remote-trace;
}
}
xnm-clear-text {
connection-limit number;
rate-limit number;
}
xnm-ssl {
connection-limit number;
local-certificate name;
rate-limit number;
}


}
static-host-mapping hostname {
alias [host-name-alias];
inet [ip-address];
inet6 [ipv6-address];
sysid system-identifier;
}
syslog {
allow-duplicates;
archive {
binary-data;
files number;
size maximum-file-size;
(world-readable | no-world-readable);
}
console {
(any | facility) severity;
}
file filename {
allow-duplicates;
archive {
archive-sites url {
password password;
}
(binary-data| no-binary-data);
files number;
size maximum-file-size;
start-time "YYYY-MM-DD.hh:mm";
transfer-interval minutes;
(world-readable | no-world-readable);
}
structure-data {
brief;
}
(any | facility) severity;
}
host (hostname | other-routing-engine) {
(any | facility) severity;
}
log-rotate-frequency minutes;
source-address source-address;
time-format {
millisecond;
year;
}
user (username | *) {
(any | facility) severity;
}
}
tacplus-options {
(exclude-cmd-attribute | no-cmd-attribute-value);
service-name service-name;
}
tacplus-server server-address {
port port-number;
secret password;


single-connection;
source-address source-address;
timeout seconds;
}
time-zone (GMThour-offset | time-zone);
tracing {
destination-override {
syslog {
host address;
}
}
}
use-imported-time-zones;
}

Related Documentation • Master Administrator for Logical Systems Feature Guide for Security Devices

• Firewall User Authentication Feature Guide for Security Devices

• Infranet Authentication Feature Guide for Security Devices

• Installation and Upgrade Guide for Security Devices


ciphers

Supported Platforms J Series, LN Series, SRX Series

Syntax ciphers [ cipher-1 cipher-2 cipher-3 ...]

Hierarchy Level [edit system services ssh]

Release Information Statement introduced in Release 11.2 of Junos OS.

Description Specify the set of ciphers the SSH server can use to perform encryption and decryption
functions.

Options • 3des-cbc—Triple Data Encryption Standard (3DES) in Cipher Block Chaining (CBC) mode.

• aes128-cbc—128-bit Advanced Encryption Standard (AES) in CBC mode.

• aes256-cbc—256-bit AES in CBC mode.

• aes128-ctr—128-bit AES in counter (CTR) mode.

• aes192-ctr—192-bit AES in counter mode.

• aes256-ctr—256-bit AES in counter mode.

• arcfour128—RC4 stream cipher with a 128-bit key.

• arcfour256—RC4 stream cipher with a 256-bit key.

• blowfish128-cbc—Blowfish symmetric block cipher with a 128-bit key in CBC mode.

• cast128-cbc—CAST-128 block cipher in CBC mode.

NOTE: The ciphers statement configures a set, and the SSH server negotiates only ciphers in that set. To configure ssh ciphers:

user@host# set system services ssh ciphers [ aes256-ctr aes192-ctr aes128-ctr ]

RC4 (arcfour) and the CBC-mode ciphers, including 3des-cbc, have known weaknesses; restricting the set to the aes*-ctr ciphers, as shown, removes them from negotiation.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices


connection-limit

Supported Platforms SRX Series

Syntax connection-limit limit;

Hierarchy Level [edit system services finger]


[edit system services ftp]
[edit system services netconf ssh]
[edit system services ssh]
[edit system services telnet]
[edit system services xnm-clear-text]
[edit system services xnm-ssl]

Release Information Statement introduced in Junos OS Release 11.4.

Description Configure the maximum number of connection sessions for each system service (finger, ftp, netconf ssh, ssh, telnet, xnm-clear-text, or xnm-ssl), per protocol family (IPv4 or IPv6).

Options limit—Maximum number of established connections per protocol family (IPv4 or IPv6).

On all high-end SRX Series devices, the range and default value are as follows:
Range: 1 through 250
Default: 75

On all branch SRX Series devices, the range is as follows:
Range: 1 through 5

NOTE: The actual number of maximum connections depends on the availability of system resources, and might be fewer than the configured connection-limit value if the system resources are limited.

connection-limit caps concurrent established sessions; it does not slow down repeated connection attempts. To limit the number of connection attempts per minute for the same service, configure the rate-limit statement at the same hierarchy level.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • System Configuration Statement Hierarchy on page 199


disable (System Services)

Supported Platforms J Series, LN Series, SRX Series

Syntax disable;

Hierarchy Level [edit system services dns dnssec]

Release Information Statement introduced in Release 10.2 of Junos OS.

Description Disables DNSSEC in the DNS server.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices

dlv

Supported Platforms J Series, LN Series, SRX Series

Syntax dlv {
domain-name domain-name trusted-anchor trusted-anchor;
}

Hierarchy Level [edit system services dns dnssec]

Release Information Statement introduced in Release 10.2 of Junos OS.

Description Configure DNSSEC Lookaside Validation (DLV).

Options • domain-name domain-name—Specify the secure domain server name.

• trusted-anchor trusted-anchor—Specify the trusted DLV anchor.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices


kernel-replication (System)

Supported Platforms LN Series, SRX Series

Syntax kernel-replication;

Hierarchy Level [edit system]

Release Information Statement introduced in Junos OS Release 11.1.

Description Configure kernel replication.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices


location

Supported Platforms LN Series, SRX Series

Syntax location {
altitude feet;
building name;
country-code code;
floor number;
hcoord horizontal-coordinate;
lata service-area;
latitude degrees;
longitude degrees;
npa-nxx number;
postal-code postal-code;
rack number;
vcoord vertical-coordinate;
}

Hierarchy Level [edit system]

Release Information Statement introduced in Junos OS Release 8.5.

Description Configure the physical location of the device.

Options • altitude feet—Number of feet above sea level.

• building name—Name of building. The name of the building can be 1 to 28 characters in length. If the string contains spaces, enclose it in quotation marks (" ").

• country-code code—Two-letter country code.

• floor number—Floor number in the building.

• hcoord horizontal-coordinate—Bellcore Horizontal Coordinate.

• lata service-area—Long-distance service area.

• latitude degrees—Latitude in degree format.

• longitude degrees—Longitude in degree format.

• npa-nxx number—First six digits of the phone number (area code and exchange).

• postal-code postal-code—Zip code or Postal code.

• rack number—Rack number.

• vcoord vertical-coordinate—Bellcore Vertical Coordinate.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices


macs

Supported Platforms J Series, LN Series, SRX Series

Syntax macs [algorithm]

Hierarchy Level [edit system services ssh]

Release Information Statement introduced in Release 11.2 of Junos OS.


SHA-2 options introduced in Release 12.1 of Junos OS.

Description Specify the set of message authentication code (MAC) algorithms that the SSH server
can use to authenticate messages.

Options • hmac-md5—HMAC using Message-Digest 5 (MD5).

• hmac-md5-96—HMAC using MD5, truncated to 96 bits.

• hmac-ripemd160—HMAC using RIPEMD-160.

• hmac-sha1—HMAC using Secure Hash Algorithm 1 (SHA-1).

• hmac-sha1-96—HMAC using SHA-1, truncated to 96 bits.

• hmac-sha2-256—HMAC using SHA-256 (256-bit tag).

• hmac-sha2-256-96—HMAC using SHA-256, truncated to the first 96 bits.

• hmac-sha2-512—HMAC using SHA-512 (512-bit tag).

• umac-64—64-bit Message Authentication Code using Universal Hashing (UMAC).

NOTE: The macs configuration statement represents a set. Therefore, configure it as in the following example:

user@host# set system services ssh macs [ hmac-sha2-512 hmac-sha2-256 ]

MD5 is deprecated for new use, and the -96 variants truncate the authentication tag; a hardened configuration restricts the set to the full-length SHA-2 MACs, as shown, so that weaker MACs are never negotiated.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices


protocol-version

Supported Platforms SRX Series

Syntax protocol-version version;

Hierarchy Level [edit system services ssh]

Release Information Statement introduced before Junos OS Release 11.4.

Description Specify the SSH protocol versions supported.

Default v2—SSH protocol version 2 is the default, introduced in Junos OS Release 11.4.

Options version—SSH protocol version: v1, v2, or both. Protocol version 1 has known cryptographic weaknesses; leave it disabled unless a specific legacy client requires it, and never enable it on an interface reachable from untrusted networks.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • hostkey-algorithm on page 163


radius-server

Supported Platforms LN Series, SRX Series

Syntax radius-server server-address {


accounting-port port-number;
port port-number;
retry value;
secret password;
max-outstanding-requests value;
source-address source-address;
timeout seconds;
}

Hierarchy Level [edit system]

Release Information Statement introduced in Junos OS Release 8.5.

Description Configure the RADIUS server address for subscriber access management, Layer 2 Tunneling Protocol (L2TP), or Point-to-Point Protocol (PPP).

To configure multiple RADIUS servers, include multiple radius-server statements. The servers are tried in order and in a round-robin fashion until a valid response is received from one of the servers or until all the configured retry limits are reached.

Options • server-address—Address of the RADIUS server.

• accounting-port port-number—RADIUS server accounting port number.

Range: 1 through 65,535

Default: 1813

• port port-number—RADIUS server authentication port number.

Range: 1 through 65,535

Default: 1812

• retry value—Number of times that the device is allowed to attempt to contact a RADIUS server.

Range: 1 through 10

Default: 3

• secret password—Shared secret used to authenticate exchanges with the server; it can include spaces if the character string is enclosed in quotation marks.

• max-outstanding-requests value—Maximum number of outstanding requests in flight to the server.

Range: 1 through 65,535

• source-address source-address—Valid IPv4 or IPv6 address configured on one of the device's interfaces.


• timeout seconds—Amount of time to wait.

Range: 1 through 90 seconds

Default: 3 seconds

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices


root-authentication

Supported Platforms LN Series, SRX Series

Syntax root-authentication {
encrypted-password password;
load-key-file URL;
plain-text-password;
ssh-dsa public-key {
<from pattern-list>;
}
ssh-rsa public-key {
<from pattern-list>;
}
}

Hierarchy Level [edit system]

Release Information Statement introduced in Junos OS Release 8.5.

Description Specify authentication information for the root login.

Options • encrypted-password password—Specify the password in its already-encrypted (hashed) form, as it appears in the configuration. The value must be from 1 through 128 characters long; enclose it in quotation marks.

• plain-text-password—The CLI prompts you for a password, encrypts it, and stores the encrypted version in its user database.

• load-key-file URL—File URL containing one or more SSH public keys.

• ssh-dsa public-key—SSH DSA public key string.

• from pattern-list—Pattern list of hosts allowed to authenticate with this key.

• ssh-rsa public-key—SSH RSA public key string.

• from pattern-list—Pattern list of hosts allowed to authenticate with this key.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices


single-connection

Supported Platforms SRX Series

Syntax single-connection;

Hierarchy Level [edit system accounting destination tacplus server server-address]


[edit system tacplus-server server-address]

Release Information Statement introduced in Junos OS Release 8.5.

Description Optimize the attempt to connect to a TACACS+ server. Junos OS maintains one open
TCP connection to the server for multiple requests rather than opening a connection for
each connection attempt.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • System Configuration Statement Hierarchy on page 199

static-subscribers

Supported Platforms LN Series, SRX Series

Syntax static-subscribers {
disable;
}

Hierarchy Level [edit system processes]

Release Information Statement introduced in Junos OS Release 8.5.

Description Associate subscribers with statically configured interfaces, and provide dynamic service
activation for these subscribers.

Options disable—Disable the static subscribers process.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices


statistics-service

Supported Platforms LN Series, SRX Series

Syntax statistics-service {
command binary-file-path;
disable;
}

Hierarchy Level [edit system processes]

Release Information Statement introduced in Junos OS Release 8.5.

Description Specify the Packet Forwarding Engine (PFE) statistics service management process.

Options • command binary-file-path—Path to the binary process.

• disable—Disable the Packet Forwarding Engine (PFE) statistics service management


process.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices

subscriber-management

Supported Platforms LN Series, SRX Series

Syntax subscriber-management {
command binary-file-path;
disable;
}

Hierarchy Level [edit system processes]

Release Information Statement introduced in Junos OS Release 8.5.

Description Specify the subscriber management process.

Options • command binary-file-path—Path to the binary process.

• disable—Disable the subscriber management process.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices


subscriber-management-helper

Supported Platforms LN Series, SRX Series

Syntax subscriber-management-helper {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}

Hierarchy Level [edit system processes]

Release Information Statement introduced in Junos OS Release 8.5.

Description Specify the subscriber management helper process.

Options • command binary-file-path—Path to the binary process.

• disable—Disable the subscriber management helper process.

• failover—Configure the device to reboot if the software process fails four times within 30 seconds, and specify the software to use during the reboot.

• alternate-media—Configure the device to switch to backup media that contains a version of the system if a software process fails repeatedly.

• other-routing-engine—Instruct the secondary Routing Engine to take mastership if a software process fails. If this statement is configured for a process, and that process fails four times within 30 seconds, then the device reboots from the secondary Routing Engine.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices


uac-service

Supported Platforms LN Series, SRX Series

Syntax uac-service {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}

Hierarchy Level [edit system processes]

Release Information Statement introduced in Junos OS Release 8.5.

Description Specify the unified access control daemon process.

Options • command binary-file-path—Path to the binary process.

• disable—Disable the unified access control daemon process.

• failover—Configure the device to reboot if the software process fails four times within 30 seconds, and specify the software to use during the reboot.

• alternate-media—Configure the device to switch to backup media that contains a version of the system if a software process fails repeatedly.

• other-routing-engine—Instruct the secondary Routing Engine to take mastership if a software process fails. If this statement is configured for a process, and that process fails four times within 30 seconds, then the device reboots from the secondary Routing Engine.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices

• Firewall User Authentication Feature Guide for Security Devices


usb-control

Supported Platforms LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax usb-control {
command binary-file-path;
disable;
}

Hierarchy Level [edit system processes]

Release Information Statement introduced in Junos OS Release 8.5.

Description Specify the universal serial bus (USB) supervise process.

Options • command binary-file-path—Path to the binary process.

• disable—Disable the universal serial bus (USB) supervise process.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices


watchdog

Supported Platforms LN Series, SRX Series

Syntax watchdog {
disable;
enable;
timeout value;
}

Hierarchy Level [edit system processes]

Release Information Statement introduced in Junos OS Release 8.5.

Description Enable or disable the watchdog timer when Junos OS encounters a problem.

Options • disable—Disable the watchdog timer.

• enable—Enable the watchdog timer.

• timeout value—Specify amount of time to wait in seconds.

Range: 1 through 3600 seconds.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices


web-management

Supported Platforms LN Series, SRX Series

Syntax web-management {
disable;
failover (alternate-media | other-routing-engine);
}

Hierarchy Level [edit system processes]

Release Information Statement introduced in Junos OS Release 8.5.

Description Specify the Web management process.

Options • disable—Disable the Web management process.

• failover—Configure the device to reboot if the software process fails four times within 30 seconds, and specify the software to use during the reboot.

• alternate-media—Configure the device to switch to backup media that contains a version of the system if a software process fails repeatedly.

• other-routing-engine—Instruct the secondary Routing Engine to take mastership if a software process fails. If this statement is configured for a process, and that process fails four times within 30 seconds, then the device reboots from the secondary Routing Engine.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • Administration Guide for Security Devices


web-management (System Services)

Supported Platforms J Series, LN Series, SRX Series

Syntax web-management {
control {
max-threads number;
}
http {
interface [interface-names];
port port;
}
https {
interface [interface-names];
local-certificate name;
pki-local-certificate name;
port port;
system-generated-certificate;
}
management-url url;
session {
idle-timeout minutes;
session-limit number;
}
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(no-world-readable | world-readable);
}
flag flag;
level level;
no-remote-trace;
}
}

Hierarchy Level [edit system services]

Release Information Statement introduced in Junos OS Release 9.0.

Description Configure settings for HTTP or HTTPS access. HTTP access allows management of the device using the J-Web interface. HTTPS access allows secure management of the device using the J-Web interface. With HTTPS access, communication between your browser and the device's web server is encrypted. With HTTP access it is not: login credentials and session data cross the network in cleartext, so enable http only on an isolated management network, if at all, and prefer https.

Options control—Disable the SBC process.

• max-threads—Maximum simultaneous threads to handle requests.

Range: 0 through 16

http—Configure HTTP.

• interface [interface-names]—Interfaces on which HTTP access is accepted.

• port number—TCP port for incoming HTTP connections.

Range: 1 through 65,535


https—Configure HTTPS.

• interface [interface-names]—Interfaces on which HTTPS access is accepted.

• port number—TCP port for incoming HTTPS connections.

Range: 1 through 65,535

• local-certificate—X.509 certificate to use from configuration.

• pki-local-certificate—X.509 certificate to use from PKI local store.

• system-generated-certificate—X.509 certificate generated automatically by system.

management-url url—URL path for Web management access.

session—Configure web management session.

• idle-timeout minutes—Default timeout of web-management sessions in minutes.

• session-limit number—Maximum number of web-management sessions to allow.


traceoptions—Set the trace options.

• file—Configure the trace file information.

• filename—Name of the file to receive the output of the tracing operation. Enclose
the name within quotation marks. All files are placed in the directory /var/log.
By default, the name of the file is the name of the process being traced.

• files number— Maximum number of trace files. When a trace file named trace-file
reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on,
until the maximum number of trace files is reached. Then the oldest trace file
is overwritten.

If you specify a maximum number of files, you also must specify a maximum file size with the size maximum-file-size option.

Range: 2 through 1000 files

Default: 10 files

• match regular-expression—Refine the output to include lines that contain the regular expression.

• size maximum-file-size—Maximum size of each trace file, in kilobytes (KB), megabytes (MB), or gigabytes (GB).

Range: 10 KB through 1 GB

Default: 128 KB

If you specify a maximum file size, you also must specify a maximum number of trace files with the files number option.

• (world-readable | no-world-readable)—By default, log files can be accessed only by the user who configures the tracing operation. The world-readable option enables any user to read the file. To explicitly set the default behavior, use the no-world-readable option.

• flag flag—Specify which tracing operation to perform. To specify more than one
tracing operation, include multiple flag statements. You can include the following
flags.

• all—Trace all areas.

• configuration—Trace configuration.

• dynamic-vpn—Trace dynamic-vpn events.

• init—Trace daemon init process.

• mgd—Trace MGD requests.

• webauth—Trace webauth requests.

• level level —Specify the level of debugging output.

• all—Match all levels.

• error—Match error conditions.


• info—Match informational messages.

• notice—Match conditions that should be handled specially.

• verbose—Match verbose messages.

• warning—Match warning messages.

• no-remote-trace—Disable the remote tracing.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • WLAN Feature Guide for Security Devices

• Administration Guide for Security Devices

• Firewall User Authentication Feature Guide for Security Devices

• Dynamic VPN Feature Guide for SRX Series Gateway Devices
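The ssh ciphers, macs, protocol-version and root-login statements, the telnet and xnm-clear-text services, and the web-management http stanza documented in this chapter are the settings an auditor checks first on a Junos management plane. The script below is an added example, not part of this guide or of Juniper's software: it reads the output of show configuration | display set (from a file given on the command line, or from the constructed sample embedded here) and reports every weak or cleartext setting it finds. The parser accepts both the one-member-per-line form that display set prints and the bracketed list form typed at the CLI. The classification of cipher and MAC names as weak is the editor's, applied only to the option names this chapter lists; the file name in the usage comment is arbitrary.

```python
"""Audit a Junos 'show configuration | display set' dump for weak settings under
[edit system services]. Added example, not Juniper's code; the sample
configurations and the weak/strong classification are the editor's assumptions."""
import re
import sys

# Constructed sample of 'display set' output from an unhardened device.
SAMPLE_CONFIG = """\
set system services ssh protocol-version v1
set system services ssh protocol-version v2
set system services ssh root-login allow
set system services ssh ciphers aes256-cbc
set system services ssh ciphers arcfour128
set system services ssh ciphers aes256-ctr
set system services ssh macs [ hmac-md5 hmac-sha1-96 hmac-sha2-256 ]
set system services telnet
set system services xnm-clear-text
set system services web-management http port 80
set system services web-management https system-generated-certificate
"""

# Constructed sample of the same services after hardening.
HARDENED_CONFIG = """\
set system services ssh protocol-version v2
set system services ssh root-login deny
set system services ssh ciphers [ aes256-ctr aes192-ctr aes128-ctr ]
set system services ssh macs [ hmac-sha2-512 hmac-sha2-256 ]
set system services ssh connection-limit 5
set system services ssh rate-limit 5
set system services web-management https system-generated-certificate
"""

# Option names from the guide's 'ciphers' and 'macs' statements, classified by
# the editor: CBC-mode, RC4 and 3DES ciphers; MD5, RIPEMD, UMAC-64 and
# 96-bit-truncated MACs.
WEAK_CIPHERS = {"3des-cbc", "aes128-cbc", "aes256-cbc", "arcfour128",
                "arcfour256", "blowfish128-cbc", "cast128-cbc"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-ripemd160", "hmac-sha1-96",
             "hmac-sha2-256-96", "umac-64"}
CLEARTEXT_SERVICES = {"telnet", "xnm-clear-text"}   # credentials in the clear

# 'set <path> [ members ]' with the bracketed list optional.
_SET_RE = re.compile(r"^set\s+(.*?)\s*(?:\[\s*(.*?)\s*\])?$")


def parse_set_lines(text):
    """Yield (path_tokens, bracket_values) for each 'set ...' line.

    'macs [ a b ]' yields values ['a', 'b']; a line without a bracketed list
    yields [] and its single value is the last path token.
    """
    for raw in text.splitlines():
        line = raw.strip()
        m = _SET_RE.match(line)
        if line.startswith("set ") and m:
            values = m.group(2).split() if m.group(2) else []
            yield m.group(1).split(), values


def audit(text):
    """Return a sorted list of findings; an empty list means nothing weak."""
    findings = set()
    ssh_versions = set()
    for path, values in parse_set_lines(text):
        if path[:2] != ["system", "services"] or len(path) < 3:
            continue
        service, rest = path[2], path[3:]
        if service in CLEARTEXT_SERVICES:
            findings.add(f"{service}: cleartext management service enabled")
        elif service == "web-management" and rest[:1] == ["http"]:
            findings.add("web-management: unencrypted HTTP access to J-Web enabled")
        elif service == "ssh" and rest:
            stmt, members = rest[0], values or rest[1:]
            if stmt == "protocol-version":
                ssh_versions.update(members)
            elif stmt == "root-login" and members == ["allow"]:
                findings.add("ssh: root-login allow (use deny or deny-password)")
            elif stmt == "ciphers":
                for c in set(members) & WEAK_CIPHERS:
                    findings.add(f"ssh: weak cipher {c} negotiable")
            elif stmt == "macs":
                for mac in set(members) & WEAK_MACS:
                    findings.add(f"ssh: weak MAC {mac} negotiable")
    if "v1" in ssh_versions:
        findings.add("ssh: protocol-version v1 enabled")
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python audit_junos_services.py [display-set-output-file]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for finding in audit(text):
        print("WEAK:", finding)
```

Run against the embedded sample the script reports nine findings (both cleartext services, HTTP J-Web, root-login allow, two CBC/RC4 ciphers, two weak MACs, and protocol version 1); against the hardened sample it reports nothing. Because Junos prints each list member on its own line in display set output, the audit looks at the union of members across lines rather than at any one line.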



PART 3

Administration
• Secure Web Access on page 255
• User Authentication and Access on page 263
• USB Modems for Remote Management Setup on page 291
• Telnet and SSH Device Control on page 295
• DHCP for IP Address Device on page 303
• File Management on page 307
• Licenses on page 315
• Operational Commands on page 325



CHAPTER 17

Secure Web Access

• Generating an SSL Certificate Using the openssl Command on page 255
• Generating a Self-Signed SSL Certificate on page 256
• Manually Generating Self-Signed SSL Certificates on page 256
• Configuring Device Addresses on page 257
• Enabling Access Services on page 257
• Example: Configuring Secure Web Access on page 258
• Adding, Editing, and Deleting Certificates on the Device on page 260

Generating an SSL Certificate Using the openssl Command

Supported Platforms J Series, LN Series, SRX Series

To generate an SSL certificate using the openssl command:

1. Run the openssl command on a Linux or UNIX host. The command generates a self-signed SSL certificate in privacy-enhanced mail (PEM) format and writes the certificate and an unencrypted 1024-bit RSA private key to the specified file.

NOTE: Run this command on a Linux or UNIX host, because Juniper Networks services gateways do not support the openssl command.

% openssl req -x509 -nodes -newkey rsa:1024 -keyout filename.pem -out filename.pem

Replace filename with the name of the file in which you want the SSL certificate to be written, for example, new.pem. Because of -nodes, the private key in that file is not passphrase-protected: restrict the file to its owner (chmod 600) and remove it from the host once the certificate has been installed. A 1024-bit RSA key is below current minimum recommendations; specify rsa:2048 or larger for a certificate that will protect management access.

2. When prompted, type the appropriate information in the identification form. For
example, type US for the country name.

3. Display the contents of the file new.pem.

cat new.pem

Copy the contents of this file for installing the SSL certificate.


Related Documentation • Administration Guide for Security Devices

Generating a Self-Signed SSL Certificate

Supported Platforms J Series, LN Series, SRX Series

To generate a self-signed SSL certificate on Juniper Networks devices:

1. Establish basic connectivity.

2. Reboot the system. The self-signed certificate is automatically generated at bootup time.

user@host> request system reboot


Reboot the system ? [yes,no] yes

3. Specify system-generated-certificate under HTTPS Web management.

[edit]
user@host# show system services web-management https
system-generated-certificate

Related Documentation • Administration Guide for Security Devices

Manually Generating Self-Signed SSL Certificates

Supported Platforms J Series, LN Series, SRX Series

To manually generate a self-signed SSL certificate on Juniper Networks devices:

1. Establish basic connectivity.

2. If you have root login access, you can manually generate the self-signed certificate by using the following commands. The example shows a 512-bit key pair; a 512-bit RSA key offers no meaningful protection today, so specify size 2048 or larger for any certificate that will protect management access.

root@host> request security pki generate-key-pair certificate-id certname size 512

Generated key pair certname, key size 512 bits

root@host> request security pki local-certificate generate-self-signed certificate-id certname email email domain-name domain-name ip-address ip-address subject "DC=domain-name, CN=common-name, OU=organizational-unit-name, O=organization-name, ST=state, C=country"

Self-signed certificate generated and loaded successfully

NOTE: When generating the certificate, you must specify the subject,
e-mail address, and either domain-name or ip-address.

3. Specify local-certificate under HTTPS Web management.

[edit]
root@host# show system services web-management https
local-certificate certname;

Related Documentation • Administration Guide for Security Devices

Configuring Device Addresses

Supported Platforms J Series, LN Series, SRX Series

You can use the Management tab to configure IPv4 and loopback addresses on the
device.

To configure IPv4 and loopback addresses:

1. In the J-Web user interface, select Configure>System Properties>Management Access.

2. Click Edit. The Edit Management Access dialog box appears.

3. Select the Management tab.

4. If you want to enable a loopback address for the device, enter an address and
corresponding subnet mask in the Loopback address section.

5. If you want to enable an IPv4 address for the device, select IPv4 address and enter a
corresponding management port, subnet mask, and default gateway.

6. Click OK to save the configuration or Cancel to clear it.

Related Documentation • Administration Guide for Security Devices

Enabling Access Services

Supported Platforms J Series, LN Series, SRX Series

You can use the Services tab to specify the type of connections that users can make to
the device. For instance, you can enable secure HTTPS sessions to the device or enable
access to the Junos XML protocol XML scripting API.

To enable access services:

1. In the J-Web user interface, select Configure>System Properties>Management Access.

2. Click Edit. The Edit Management Access dialog box appears.

3. Select the Services tab.

4. If you want to enable users to create Telnet or SSH connections to the device, select
Enable Telnet or Enable SSH. Telnet carries credentials and session data in clear text;
for management access prefer SSH and leave Telnet disabled unless it is required.

5. If you want to enable access to the Junos XML protocol scripting API, select Enable
Junos XML protocol over clear text or Enable Junos XML protocol over SSL. If you enable
Junos XML protocol over SSL, select the certificate you want to use for encryption from
the Junos XML protocol certificate drop-down list. The clear-text option exposes
configuration sessions, including any secrets they carry, to anyone on the network path,
so use it only on an isolated management network.


6. Select Enable HTTP if you want users to connect to device interfaces over an HTTP
connection. HTTP sends J-Web login credentials in clear text; if you enable it, limit it
to trusted management interfaces. Then specify the interfaces that should use the HTTP
connection:

• Enable on all interfaces—Select this option if you want to enable HTTP on all device
interfaces.

• Selected interfaces—Use the arrow buttons to populate this list with individual
interfaces if you want to enable HTTP on only some of the device interfaces.

7. If you want users to connect to device interfaces over a secure HTTPS connection,
select Enable HTTPS. Then select which certificate you want to use to secure the
connection from the HTTPS certificates list and specify the interfaces that should use
the HTTPS connection:

• Enable on all interfaces—Select this option if you want to enable HTTPS on all device
interfaces.

• Selected interfaces—Use the arrow buttons to populate this list with individual
interfaces if you want to enable HTTPS on only some of the device interfaces.

8. Click OK to save the configuration or Cancel to clear it.

To verify that Web access is enabled correctly, connect to the device using one of the
following methods:

• For HTTP access—In your Web browser, type http://URL or http://IP address.

• For HTTPS access—In your Web browser, type https://URL or https://IP address.

• For SSL Junos XML protocol access—A Junos XML protocol client such as Junos Scope
is required.

Related Documentation

• Administration Guide for Security Devices

Example: Configuring Secure Web Access

Supported Platforms J Series, LN Series, SRX Series

This example shows how to configure secure Web access on your device.

• Requirements on page 258

• Overview on page 259

• Configuration on page 259

• Verification on page 260

Requirements
No special configuration beyond device initialization is required before configuring this
feature.


NOTE: You can enable HTTPS access on specified interfaces. If you enable
HTTPS without specifying an interface, HTTPS is enabled on all interfaces.

Overview
In this example, you import the SSL certificate that you generated, together with its
private key, from a PEM file and store it on the device under the name new. You then
enable HTTPS access and specify that certificate as the one the device presents to
browsers. Finally, you specify 8443 as the port on which HTTPS access is enabled.

Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

set security certificates local new load-key-file /var/tmp/new.pem
set system services web-management https local-certificate new port 8443

Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure secure Web access on your device:

1. Import the SSL certificate and private key.

[edit security]
user@host# set certificates local new load-key-file /var/tmp/new.pem

2. Enable HTTPS access and specify the SSL certificate and port.

[edit system]
user@host# set services web-management https local-certificate new port 8443

Results From configuration mode, confirm your configuration by entering the show security
command. If the output does not display the intended configuration, repeat the
configuration instructions in this example to correct it.

[edit]
user@host# show security
certificates {
local {
new {
"-----BEGIN RSA PRIVATE KEY-----\nMIICXQIBAAKBgQC/C5UI4frNqbi
qPwbTiOkJvqoDw2YgYse0Z5zzVJyErgSg954T\nEuHM67Ck8hAOrCnb0YO+SY
Y5rCXLf4+2s8k9EypLtYRw/Ts66DZoXI4viqE7HSsK\n5sQw/UDBIw7/MJ+OpA
... KYiFf4CbBBbjlMQJ0HFudW6ISVBslONkzX+FT\ni95ddka6iIRnArEb4VFCRh+
e1QBdp1UjziYf7NuzDx4Z\n -----END RSA PRIVATE KEY-----\n-----BEGIN
CERTIFICATE----- \nMIIDjDCCAvWgAwIBAgIBADANBgkqhkiG9w0BAQQ ...
FADCBkTELMAkGA1UEBhMCdXMx\nCzAJBgNVBAgTAmNhMRIwEAYDVQQHEwlzdW5ue

HB1YnMxDTALBgNVBAMTBGpucHIxJDAiBgkqhkiG\n9w0BCQEWFW5iaGFyZ2F2YUB
fLUYAnBYmsYWOH\n -----END CERTIFICATE-----\n"; ## SECRET-DATA
}
}
}

If you are done configuring the device, enter commit from configuration mode.

Verification
Confirm that the configuration is working properly.

• Verifying an SSL Certificate Configuration on page 260

• Verifying a Secure Access Configuration on page 260

Verifying an SSL Certificate Configuration

Purpose Verify the SSL certificate configuration.

Action From configuration mode, enter the show security certificates command (or, from operational mode, show configuration security certificates). The private key is displayed only to users whose login class includes the secret permission; other users see it masked.

Verifying a Secure Access Configuration

Purpose Verify the secure access configuration.

Action From configuration mode, enter the show system services command (or, from operational mode, show configuration system services). The following sample output displays the sample values for secure Web access. Note that http also appears in this output, so J-Web remains reachable over clear-text HTTP; if that is not intended, remove it with delete system services web-management http and commit.

[edit]
user@host# show system services
web-management {
http;
https {
port 8443;
local-certificate new;
}
}

Related Documentation

• Secure Web Access Overview on page 3

• Generating an SSL Certificate Using the openssl Command on page 255

• Generating a Self-Signed SSL Certificate on page 256

• Configuring Device Addresses on page 257

• Junos OS Interfaces Library for Security Devices

Adding, Editing, and Deleting Certificates on the Device

Supported Platforms J Series, LN Series, SRX Series


You can use the Certificates tab to upload SSL certificates to the device, edit existing
certificates on the device, or delete certificates from the device. You can use the
certificates to secure HTTPS and Junos XML protocol sessions.

To add, edit, or delete a certificate:

1. In the J-Web user interface, select Configure>System Properties>Management Access.

2. Click Edit. The Edit Management Access dialog box appears.

3. Select the Certificates tab.

4. Choose one of the following options:

• If you want to add a new certificate, click Add. The Add Certificate section is
expanded.

• If you want to edit the information for an existing certificate, select it and click Edit.
The Edit Certificate section is expanded.

• If you want to delete an existing certificate, select it and click Delete. (You can skip
the remaining steps in this section.)

5. In the Certificate Name box, type a name—for example, new.

6. In the Certificate content box, paste the generated certificate and RSA private key.

7. Click Save.

8. Click OK to save the configuration or Cancel to clear it.

Related Documentation

• Administration Guide for Security Devices



CHAPTER 18

User Authentication and Access

• Example: Configuring a RADIUS Server for System Authentication on page 263

• Example: Configuring a TACACS+ Server for System Authentication on page 266

• Example: Configuring Authentication Order on page 268

• Example: Configuring New Users on page 270

• Example: Configuring System Retry Options on page 273

• Example: Creating Template Accounts on page 277

• Handling Authorization Failure on page 280

• Understanding Administrative Roles on page 281

• Example: Configuring Administrative Roles on page 283

Example: Configuring a RADIUS Server for System Authentication

Supported Platforms J Series, LN Series, SRX Series

This example shows how to configure a RADIUS server for system authentication.

• Requirements on page 263

• Overview on page 263

• Configuration on page 264

• Verification on page 265

Requirements
Before you begin:

• Perform the initial device configuration. See the Getting Started Guide for your device.

• Configure at least one RADIUS server. For more details, see RADIUS Authentication and
Accounting Servers Configuration Overview.

Overview
In this example, you add a new RADIUS server with an IP address of 172.16.98.1 and specify
the shared secret of the RADIUS server as Radiussecret1. The secret is stored in the
configuration database in obfuscated ($9$) form and marked ## SECRET-DATA. That
obfuscation is reversible, so anyone who can read the configuration can recover the
secret; use a long random value rather than a guessable one, and grant the secret
permission only to administrators who need it. Finally, you specify the source address
to be included in the RADIUS requests sent by the device. In most cases you can use the
loopback address of the device, which in this example is 10.0.0.1.
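The shared secret configured in this example is the only thing that authenticates the RADIUS server's replies to the device and that hides the user's password in transit. The following Python example is added here and is not part of this guide or of Junos: it implements the RFC 2865 User-Password hiding and Response Authenticator so you can see exactly what the secret protects, then runs the offline dictionary attack that an eavesdropper holding one captured request/response pair can mount against a guessable secret. The packet contents, the user password and the wordlist are constructed for this example; Radiussecret1 is the value this example configures.

```python
"""RFC 2865 shared-secret mechanics and an offline attack on a weak secret.
Added example, not Juniper code. All packets below are constructed in-line."""
import hashlib
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password, secret, request_authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks; each block is XORed with
    MD5(secret + previous ciphertext block), starting from the Request
    Authenticator. Without the secret the password cannot be unmasked."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def unhide_password(hidden, secret, request_authenticator):
    """Inverse of hide_password; strips the NUL padding."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(atype, value):
    """Type-Length-Value attribute; Length covers the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attributes(packet):
    """Return {type: value} for the attributes after the 20-byte header."""
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def access_request(identifier, username, password, secret, request_authenticator):
    """Build an Access-Request. The 16-byte Request Authenticator must be fresh
    random bytes per request (os.urandom(16) in a real client); a fixed value is
    used only in the test so the result is reproducible."""
    attrs = attribute(ATTR_USER_NAME, username) + attribute(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_authenticator + attrs


def response(code, identifier, request_authenticator, secret, attrs=b""):
    """Server side. Response Authenticator =
    MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + auth + attrs


def verify_response(resp, request_authenticator, secret):
    """Client side: the only proof that an Access-Accept came from a server
    holding the shared secret rather than from a spoofed reply."""
    header, auth, attrs = resp[:4], resp[4:20], resp[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return auth == expected


def recover_secret(request, resp, wordlist):
    """Offline dictionary attack: an eavesdropper with one captured
    request/response pair tests candidate secrets against the Response
    Authenticator. A guessable secret falls quickly, and once it is known
    unhide_password exposes every captured user password."""
    request_authenticator = request[4:20]
    for candidate in wordlist:
        if verify_response(resp, request_authenticator, candidate):
            return candidate
    return None
```

The attack needs no interaction with the server, so neither lockout settings nor logging on the RADIUS server detect it; the only defence is a secret long and random enough that the dictionary never contains it, plus keeping the RADIUS path off untrusted networks.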

Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

set system radius-server address 172.16.98.1
set system radius-server 172.16.98.1 secret Radiussecret1
set system radius-server 172.16.98.1 source-address 10.0.0.1

GUI Step-by-Step Procedure
To configure a RADIUS server for system authentication:
1. In the J-Web user interface, select Configure>System Properties>User Management.

2. Click Edit. The Edit User Management dialog box appears.

3. Select the Authentication Method and Order tab.

4. In the RADIUS section, click Add. The Add Radius Server dialog box appears.

5. In the IP Address box, type the server’s IPv4 address.

6. In the Password and Confirm Password boxes, type the secret password for the server
and verify your entry.

7. In the Server Port box, type the appropriate port.

8. In the Source Address box, type the IP address the device uses as the source of its requests to the server, typically the device’s loopback address.

9. In the Retry Attempts box, specify the number of times the device retries a request to
the server before treating the server as unreachable.

10. In the Time Out box, specify the amount of time (in seconds) the device should wait
for a response from the server.

11. Click OK to check your configuration and save it as a candidate configuration.

12. If you are done configuring the device, click Commit Options>Commit.

Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure a RADIUS server for system authentication:

1. Add a new RADIUS server and set its IP address.

[edit system]
user@host# set radius-server address 172.16.98.1

2. Specify the shared secret (password) of the RADIUS server.

[edit system]
user@host# set radius-server 172.16.98.1 secret Radiussecret1


3. Specify the device’s loopback address source address.

[edit system]
user@host# set radius-server 172.16.98.1 source-address 10.0.0.1

Results From configuration mode, confirm your configuration by entering the show system
radius-server command. If the output does not display the intended configuration, repeat
the configuration instructions in this example to correct it. On a device the secret line
shows an obfuscated $9$ string marked ## SECRET-DATA rather than the plain-text value
shown here.

[edit]
user@host# show system radius-server
radius-server 172.16.98.1 {
secret Radiussecret1;
source-address 10.0.0.1;
}

If you are done configuring the device, enter commit from configuration mode.

NOTE: To completely set up RADIUS authentication, you must also specify a system
authentication order and give remotely authenticated users a local account to map to,
either an individual user account or a template account:

• Configure a system authentication order. See “Example: Configuring Authentication Order” on page 268.

• Configure a user. See “Example: Configuring New Users” on page 270.

• Configure local user template accounts. See “Example: Creating Template Accounts” on page 277.

Verification
Confirm that the configuration is working properly.

Verifying the RADIUS Server System Authentication Configuration

Purpose Verify that the RADIUS server has been configured for system authentication.

Action From configuration mode, enter the show system radius-server command (or, from operational mode, show configuration system radius-server).

Related Documentation

• Understanding User Authentication Methods on page 13

• Understanding User Accounts on page 13

• Example: Configuring a TACACS+ Server for System Authentication on page 266

• Understanding Login Classes on page 14

• Administration Guide for Security Devices


Example: Configuring a TACACS+ Server for System Authentication

Supported Platforms J Series, LN Series, SRX Series

This example shows how to configure a TACACS+ server for system authentication.

• Requirements on page 266

• Overview on page 266

• Configuration on page 266

• Verification on page 268

Requirements
Before you begin:

• Perform the initial device configuration. See the Getting Started Guide for your device.

• Configure at least one TACACS+ server.

Overview
In this example, you set the IP address of the TACACS+ server to 172.16.98.24 and its
shared secret to Tacacssecret1. The secret is stored in the configuration database in
obfuscated ($9$) form marked ## SECRET-DATA; the obfuscation is reversible, so protect
read access to the configuration and use a long random secret. You then set the device’s
loopback address, 10.0.0.1, as the source address.

Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

set system tacplus-server address 172.16.98.24
set system tacplus-server 172.16.98.24 secret Tacacssecret1
set system tacplus-server 172.16.98.24 source-address 10.0.0.1

GUI Step-by-Step Procedure
To configure a TACACS+ server for system authentication:
1. In the J-Web user interface, select Configure>System Properties>User Management.

2. Click Edit. The Edit User Management dialog box appears.

3. Select the Authentication Method and Order tab.

4. In the TACACS section, click Add. The Add TACACS Server dialog box appears.

5. In the IP Address box, type the server’s IPv4 address.

6. In the Password and Confirm Password boxes, type the secret password for the server
and verify your entry.

7. In the Server Port box, type the appropriate port.

8. In the Source Address box, type the IP address the device uses as the source of its requests to the server, typically the device’s loopback address.


9. In the Retry Attempts box, specify the number of times the device retries a request to
the server before treating the server as unreachable.

10. In the Time Out box, specify the amount of time (in seconds) the device should wait
for a response from the server.

11. Click OK to check your configuration and save it as a candidate configuration.

12. If you are done configuring the device, click Commit Options>Commit.

Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure a TACACS+ server for system authentication:

1. Add a new TACACS+ server and set its IP address.

[edit system]
user@host# set tacplus-server address 172.16.98.24

2. Specify the shared secret (password) of the TACACS+ server.

[edit system]
user@host# set tacplus-server 172.16.98.24 secret Tacacssecret1

3. Specify the device’s loopback address as the source address.

[edit system]
user@host# set tacplus-server 172.16.98.24 source-address 10.0.0.1

Results From configuration mode, confirm your configuration by entering the show system
tacplus-server command. If the output does not display the intended configuration, repeat
the configuration instructions in this example to correct it. On a device the secret line
shows an obfuscated $9$ string marked ## SECRET-DATA rather than the plain-text value
shown here.

[edit]
user@host# show system tacplus-server
tacplus-server 172.16.98.24 {
secret Tacacssecret1;
source-address 10.0.0.1;
}

If you are done configuring the device, enter commit from configuration mode.

NOTE: To completely set up TACACS+ authentication, you must also specify a system
authentication order and give remotely authenticated users a local account to map to,
either an individual user account or a template account:

• Configure a system authentication order. See “Example: Configuring Authentication Order” on page 268.

• Configure a user. See “Example: Configuring New Users” on page 270.

• Configure local user template accounts. See “Example: Creating Template Accounts” on page 277.


Verification
Confirm that the configuration is working properly.

Verifying the TACACS+ Server System Authentication Configuration

Purpose Verify that the TACACS+ server has been configured for system authentication.

Action From configuration mode, enter the show system tacplus-server command (or, from operational mode, show configuration system tacplus-server).

Related Documentation

• Understanding User Authentication Methods on page 13

• Understanding User Accounts on page 13

• Example: Configuring a RADIUS Server for System Authentication on page 263

• Understanding Login Classes on page 14

• Administration Guide for Security Devices

Example: Configuring Authentication Order

Supported Platforms J Series, LN Series, SRX Series

This example shows how to configure authentication order.

• Requirements on page 268

• Overview on page 268

• Configuration on page 268

• Verification on page 270

Requirements
Before you begin, perform the initial device configuration. See the Getting Started Guide
for your device.

Overview
You can configure the authentication methods that the device uses to verify that a user
can gain access. For each login attempt, the device tries the authentication methods in
the configured order, starting with the first one, until one of them accepts the password.
If you do not configure an authentication order, users are verified against their locally
configured passwords only. If you configure an order that does not include password, the
local password is consulted only when none of the listed servers responds; a server that
is reachable and rejects the user does not trigger that local fallback.

This example configures the device to attempt user authentication with the local password
first, then with the RADIUS server, and finally with the TACACS+ server. Because password
comes first, a valid local password is accepted without the servers being consulted.

Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level. The insert commands require the reference method to exist already; on a device with no authentication-order configured, first enter set system authentication-order password.

insert system authentication-order radius after password
insert system authentication-order tacplus after radius

GUI Step-by-Step Procedure
To configure authentication order:
1. In the J-Web user interface, select Configure>System Properties>User Management.

2. Click Edit. The Edit User Management dialog box appears.

3. Select the Authentication Method and Order tab.

4. Under Available Methods, select the authentication method the device should use to
authenticate users, and use the arrow button to move the item to the Selected Methods
list. Available methods include:

• RADIUS

• TACACS+

• Local Password

If you want to use multiple methods to authenticate users, repeat this step to add the
additional methods to the Selected Methods list.

5. Under Selected Methods, use the Up Arrow and Down Arrow to specify the order in
which the device should execute the authentication methods.

6. Click OK to check your configuration and save it as a candidate configuration.

7. If you are done configuring the device, click Commit Options>Commit.

Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure authentication order:

1. Add RADIUS authentication to the authentication order.

[edit]
user@host# insert system authentication-order radius after password

2. Add TACACS+ authentication to the authentication order.

[edit]
user@host# insert system authentication-order tacplus after radius

Results From configuration mode, confirm your configuration by entering the show system
authentication-order command. If the output does not display the intended configuration,
repeat the configuration instructions in this example to correct it.

[edit]
user@host# show system authentication-order
authentication-order [ password radius tacplus ];


If you are done configuring the device, enter commit from configuration mode.

NOTE: To completely set up RADIUS or TACACS+ authentication, you must also configure at
least one RADIUS or TACACS+ server and give remotely authenticated users a local account
to map to, either an individual user account or a template account:

• Configure a RADIUS server. See “Example: Configuring a RADIUS Server for System Authentication” on page 263.

• Configure a TACACS+ server. See “Example: Configuring a TACACS+ Server for System Authentication” on page 266.

• Configure a user. See “Example: Configuring New Users” on page 270.

• Configure template accounts. See “Example: Creating Template Accounts” on page 277.

Verification
Confirm that the configuration is working properly.

Verifying the Authentication Order Configuration

Purpose Verify that the authentication order has been configured.

Action From configuration mode, enter the show system authentication-order command (or, from operational mode, show configuration system authentication-order).
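The management-plane settings from Enabling Access Services and Example: Configuring Secure Web Access in Chapter 17, the authentication order configured in this example, and the login retry options described later in this chapter are the first things an auditor checks on a Junos device. The following Python example is added here and is not part of this guide or of Junos: it parses the brace-structured text that show system services, show system authentication-order and show system login print from configuration mode, and flags the weak choices this chapter warns about, with a constructed weak configuration beside a hardened one. The finding texts and severities are this example's own.

```python
"""Audit a Junos configuration excerpt for clear-text management access and
weak login hardening. Added example, not Juniper code; both configurations
below are constructed for it."""
import re

# Constructed sample: the weak settings this chapter warns about.
WEAK_CONFIG = """\
services {
    telnet;
    ssh;
    xnm-clear-text;
    web-management {
        http;
        https {
            port 8443;
            local-certificate new;
        }
    }
}
authentication-order [ radius tacplus ];
login {
    user cmartin {
        class super-user;
    }
}
"""

# Constructed sample: the same device after hardening.
HARDENED_CONFIG = """\
services {
    ssh;
    xnm-ssl {
        local-certificate new;
    }
    web-management {
        https {
            port 8443;
            local-certificate new;
            interface fxp0.0;
        }
    }
}
authentication-order [ password radius ];
login {
    retry-options {
        tries-before-disconnect 3;
        lockout-period 120;
    }
}
"""

TOKEN = re.compile(r'\{|\}|;|"[^"]*"|\[[^\]]*\]|[^\s{};]+')


def parse_junos(text):
    """Parse Junos brace-structured configuration text into nested dicts.
    `telnet;` becomes {"telnet": None}, `port 8443;` becomes {"port": "8443"},
    and `https { ... }` becomes a nested dict. `## SECRET-DATA` annotations
    are dropped before tokenizing."""
    root, stack, words = {}, [], []
    stack.append(root)
    for tok in TOKEN.findall(re.sub(r"##[^\n]*", "", text)):
        if tok == "{":
            child = {}
            stack[-1][" ".join(words)] = child
            stack.append(child)
            words = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            stack[-1][words[0]] = " ".join(words[1:]) or None
            words = []
        else:
            words.append(tok)
    return root


def audit(config):
    """Return (severity, finding) pairs for management-access weaknesses."""
    findings = []
    services = config.get("services") or {}
    if "telnet" in services:
        findings.append(("high", "telnet is enabled: logins cross the network in clear text; use ssh"))
    if "xnm-clear-text" in services:
        findings.append(("high", "Junos XML protocol over clear text is enabled; use xnm-ssl with a certificate"))
    web = services.get("web-management") or {}
    if "http" in web:
        findings.append(("high", "J-Web over HTTP is enabled; keep only https"))
    if "https" in web:
        https = web["https"] or {}
        if "local-certificate" not in https and "pki-local-certificate" not in https:
            findings.append(("medium", "https has no certificate statement; specify the certificate J-Web presents"))
        if "interface" not in https:
            findings.append(("low", "https is not bound to an interface, so it listens on all interfaces"))
    order = config.get("authentication-order")
    if order is None:
        findings.append(("info", "no authentication-order: only local passwords are checked"))
    elif "password" not in order.split():
        findings.append(("medium", "authentication-order omits password: local accounts work only when no server responds"))
    login = config.get("login") or {}
    if "retry-options" not in login:
        findings.append(("medium", "no login retry-options: password guessing over ssh/telnet is neither throttled nor locked out"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}:")
        for severity, finding in audit(parse_junos(text)) or [("ok", "no findings")]:
            print(f"  [{severity}] {finding}")
```

Feed it the output of show configuration system (from operational mode) captured over SSH; the parser ignores the ## SECRET-DATA markers, so the same text that hides secrets from unprivileged users is sufficient input.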

Related Documentation

• Understanding User Authentication Methods on page 13

• Understanding User Accounts on page 13

• Understanding Login Classes on page 14

• Administration Guide for Security Devices

Example: Configuring New Users

Supported Platforms J Series, LN Series, SRX Series

This example shows how to configure new users.

• Requirements on page 271

• Overview on page 271

• Configuration on page 271

• Verification on page 273


Requirements
No special configuration beyond device initialization is required before configuring this
feature.

Overview

You can add new users to the device’s local database. For each account, you define a
login name and password for the user and specify a login class for access privileges. The
login password must meet the following criteria:

• The password must be at least six characters long.

• You can include most character classes in a password (alphabetic, numeric, and special
characters), but not control characters.

• The password must contain at least one change of case or character class.

In this example, you create a login class named operator-and-boot and allow it to reboot
the device. You can define any number of login classes. You then allow the
operator-and-boot login class to use commands defined in the clear, network, reset,
trace, and view permission bits.

Then you create user accounts. User accounts enable users to access the device. (Users
authenticated by RADIUS or TACACS+ do not each need an individual local account, but they
must map to a matching local user or to a template account.) You set the username as
cmartin and the login class as superuser. Finally, you define the encrypted password for
the user.

Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

set system login class operator-and-boot allow-commands "request system reboot"
set system login class operator-and-boot permissions [clear network reset trace view]
set system login user cmartin class superuser authentication encrypted-password $1$ABC123

GUI Step-by-Step Procedure
To configure new users:
1. In the J-Web user interface, select Configure>System Properties>User Management.

2. Click Edit. The Edit User Management dialog box appears.

3. Select the Users tab.

4. Click Add to add a new user. The Add User dialog box appears.

5. In the User name box, type a unique name for the user.

Do not include spaces, colons, or commas in the username.

6. In the User ID box, type a unique ID for the user.


7. In the Full Name box, type the user’s full name.

If the full name contains spaces, enclose it in quotation marks. Do not include colons
or commas.

8. In the Password and Confirm Password boxes, enter a login password for the user
and verify your entry.

9. From the Login Class list, select the user’s access privilege. The predefined classes are:

• operator

• read-only

• super-user

• unauthorized

This list also includes any user-defined login classes, such as operator-and-boot from this example.

10. Click OK in the Add User dialog box and Edit User Management dialog box.

11. Click OK to check your configuration and save it as a candidate configuration.

12. If you are done configuring the device, click Commit Options>Commit.

Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure new users:

1. Set the name of the login class and allow the use of the reboot command.

[edit system login]
user@host# set class operator-and-boot allow-commands "request system reboot"

2. Set the permission bits for the login class.

[edit system login]
user@host# set class operator-and-boot permissions [clear network reset trace view]

3. Set the username, login class, and encrypted password for the user. The value given
to encrypted-password must be an already hashed password in a format the device supports
($1$ABC123 here is only a placeholder); to have the CLI prompt for a password and hash
it for you, use authentication plain-text-password instead.

[edit system login]
user@host# set user cmartin class superuser authentication encrypted-password $1$ABC123

Results From configuration mode, confirm your configuration by entering the show system login
command. If the output does not display the intended configuration, repeat the
configuration instructions in this example to correct it.

[edit]
user@host# show system login
class operator-and-boot {
permissions [ clear network reset trace view ];
allow-commands "request system reboot";
}
user cmartin {
class superuser;


authentication {
encrypted-password "$1$ABC123";
}
}

If you are done configuring the device, enter commit from configuration mode.

NOTE: To completely set up RADIUS or TACACS+ authentication, you must also configure at
least one RADIUS or TACACS+ server and specify a system authentication order; remotely
authenticated users must map to a matching local user or to a template account:

• Configure a RADIUS server. See “Example: Configuring a RADIUS Server for System Authentication” on page 263.

• Configure a TACACS+ server. See “Example: Configuring a TACACS+ Server for System Authentication” on page 266.

• Configure a user. See “Example: Configuring New Users” on page 270.

• Configure template accounts. See “Example: Creating Template Accounts” on page 277.

Verification
Confirm that the configuration is working properly.

Verifying the New Users Configuration

Purpose Verify that the new users have been configured.

Action From configuration mode, enter the show system login command (or, from operational mode, show configuration system login).

Related Documentation

• Understanding User Authentication Methods on page 13

• Understanding User Accounts on page 13

• Understanding Template Accounts on page 17

• Understanding Login Classes on page 14

• Administration Guide for Security Devices

Example: Configuring System Retry Options

Supported Platforms J Series, LN Series, SRX Series

This example shows how to configure system retry options to protect the device from
malicious users.

• Requirements on page 274

• Overview on page 274

• Configuration on page 276

• Verification on page 277

Requirements
Before you begin, you should understand “Handling Authorization Failure” on page 280.

No special configuration beyond device initialization is required before configuring this feature.

Overview
Malicious users sometimes try to log in to a secure device by guessing an authorized user
account’s password. Locking out a user account after a number of failed authentication
attempts helps protect the device from malicious users.

Device lockout allows you to configure the number of failed attempts before the user
account is locked out of the device and configure the amount of time before the user can
attempt to log in to the device again. You can configure the amount of time in-between
failed login attempts of a user account and can manually lock and unlock user accounts.


NOTE: This example includes the following settings:

• backoff-factor — Sets the length of delay in seconds after each failed login attempt.
When a user incorrectly logs in to the device, the user must wait the configured amount
of time before attempting to log in again. The length of delay increases by this value
for each login attempt beyond the number specified in the backoff-threshold statement.
The default value for this statement is five seconds, with a range of five to ten seconds.

• backoff-threshold — Sets the number of failed login attempts before the user
experiences a delay when attempting to reenter a password. When a user reaches this
number of failed attempts, the user experiences the delay set in the backoff-factor
statement before attempting to log in again. The default value for this statement is two,
with a range of one through three.

• lockout-period — Sets the amount of time in minutes before the user can attempt to log
in to the device after being locked out for reaching the number of failed login attempts
specified in the tries-before-disconnect statement. The lockout-period must be greater
than zero; the range is one through 43,200 minutes.

• tries-before-disconnect — Sets the maximum number of times the user is allowed to
enter a password when attempting to log in to the device through SSH or Telnet. When the
user reaches this number of failed attempts, the session is disconnected and the user is
locked out for the time set in the lockout-period statement. The tries-before-disconnect
statement must be set when the lockout-period statement is set; otherwise the
lockout-period statement has no effect. The default number of attempts is ten, with a
range of one through ten.

Once a user is locked out of the device, a security administrator can manually remove the
lock with the clear system login lockout user <username> command. The show system login
lockout command lists which users are currently locked out, when the lockout period began
for each user, and when it ends.

If the security administrator is locked out of the device, the administrator can still log
in from the console port, which ignores user locks. This provides a way to remove the lock
on the administrator's own account. Because the console bypasses the lockout, protect
physical and terminal-server access to it as carefully as network access.


In this example the user waits for the backoff-threshold multiplied by the backoff-factor
interval, in seconds, to get the login prompt. In this example, the user must wait 5 seconds
after the first failed login attempt and 10 seconds after the second failed login attempt
to get the login prompt. The user is disconnected 15 seconds after the third failed
attempt because the tries-before-disconnect option is configured as 3.

The user cannot attempt another login until 120 minutes have elapsed, unless a security
administrator manually clears the lock sooner.
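The following Python model is an added illustration, not part of the Juniper guide: it walks through the retry-options behaviour described above (the delay schedule implied by backoff-threshold and backoff-factor, the disconnect at tries-before-disconnect, the lockout-period timer, and the clear/show lockout and console-bypass behaviour). The delay formula is an assumption inferred from the page's 5/10/15-second example, and the user name and clock value are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class RetryOptions:
    """The four knobs under [edit system login retry-options]."""
    backoff_threshold: int = 2            # failed attempts before delays start (default 2, range 1-3)
    backoff_factor: int = 5               # seconds of delay per attempt; the page's example uses 5
    tries_before_disconnect: int = 10     # failed attempts before disconnect (default 10, range 1-10)
    lockout_period: Optional[int] = None  # minutes (1-43,200); None means not configured

    def validate(self) -> list:
        """Return the range violations the statement descriptions rule out."""
        problems = []
        if not 1 <= self.backoff_threshold <= 3:
            problems.append("backoff-threshold must be 1 through 3")
        if not 1 <= self.tries_before_disconnect <= 10:
            problems.append("tries-before-disconnect must be 1 through 10")
        if self.lockout_period is not None and not 1 <= self.lockout_period <= 43200:
            problems.append("lockout-period must be 1 through 43,200 minutes")
        return problems

    def delay_after(self, failures: int) -> int:
        """Seconds before the next login prompt after `failures` failed attempts.
        Assumption: the page's example (threshold 1, factor 5 -> 5 s, 10 s, 15 s) is
        modelled as factor * (failures - threshold + 1) once the threshold is reached."""
        if failures < self.backoff_threshold:
            return 0
        return self.backoff_factor * (failures - self.backoff_threshold + 1)

    def delay_schedule(self) -> list:
        """Delay after each failed attempt, up to the one that disconnects the session."""
        return [self.delay_after(n) for n in range(1, self.tries_before_disconnect + 1)]


@dataclass
class LoginGuard:
    """Tracks per-user failures and lockouts the way the page describes the device doing."""
    opts: RetryOptions
    now: datetime = field(default_factory=datetime.now)  # injectable clock for determinism
    failures: dict = field(default_factory=dict)         # user -> failed attempts this session
    lockouts: dict = field(default_factory=dict)         # user -> (lockout start, lockout end)

    def is_locked(self, user: str, via_console: bool = False) -> bool:
        if via_console:        # the console port ignores user locks
            return False
        lock = self.lockouts.get(user)
        return lock is not None and self.now < lock[1]

    def failed_login(self, user: str) -> dict:
        """Record one failed password attempt and report what the device does next."""
        if self.is_locked(user):
            return {"action": "reject", "reason": "user is locked out"}
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        delay = self.opts.delay_after(count)
        if count < self.opts.tries_before_disconnect:
            return {"action": "delay", "seconds": delay}
        # Maximum reached: the session is dropped and, if a lockout-period is
        # configured, the user stays locked out for that many minutes.
        self.failures[user] = 0
        result = {"action": "disconnect", "seconds": delay}
        if self.opts.lockout_period:
            end = self.now + timedelta(minutes=self.opts.lockout_period)
            self.lockouts[user] = (self.now, end)
            result["locked_until"] = end
        return result

    def clear_lockout(self, user: str) -> None:
        """Equivalent of 'clear system login lockout <username>'."""
        self.lockouts.pop(user, None)

    def show_lockout(self) -> list:
        """Equivalent of 'show system login lockout': active locks with start and end."""
        return [(u, start, end) for u, (start, end) in self.lockouts.items() if self.now < end]


if __name__ == "__main__":
    # The page's example values: backoff-factor 5, backoff-threshold 1,
    # tries-before-disconnect 3, lockout-period 120.
    opts = RetryOptions(backoff_threshold=1, backoff_factor=5,
                        tries_before_disconnect=3, lockout_period=120)
    print("problems:", opts.validate())                          # []
    print("delay per failed attempt:", opts.delay_schedule())    # [5, 10, 15]
    guard = LoginGuard(opts, now=datetime(2016, 7, 7, 9, 0))     # constructed clock value
    for _ in range(3):
        print(guard.failed_login("alice"))                       # constructed user name
    print("locked via SSH:", guard.is_locked("alice"))           # True
    print("locked via console:", guard.is_locked("alice", True)) # False
    print("show system login lockout:", guard.show_lockout())
    guard.clear_lockout("alice")
    print("after clear:", guard.is_locked("alice"))              # False
```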

Configuration

CLI Quick Configuration

To quickly configure the lockout-period, copy the following commands, paste them in a
text file, remove any line breaks, and then copy and paste the commands into the CLI.

[edit]
set system login retry-options backoff-factor 5
set system login retry-options backoff-threshold 1
set system login retry-options lockout-period 120
set system login retry-options tries-before-disconnect 3

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration
hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration
Mode.

To configure system retry-options:

1. Configure the backoff factor.

[edit]
user@host# set system login retry-options backoff-factor 5

2. Configure the backoff threshold.

[edit]
user@host# set system login retry-options backoff-threshold 1

3. Configure the amount of time the device gets locked after failed attempts.

[edit]
user@host# set system login retry-options lockout-period 5

4. Configure the number of unsuccessful login attempts allowed before the user is
locked out.

[edit]
user@host# set system login retry-options tries-before-disconnect 3

Results

From configuration mode, confirm your configuration by entering the show system login
retry-options command. If the output does not display the intended configuration, repeat
the configuration instructions in this example to correct it.

[edit]
user@host# show system login retry-options
backoff-factor 5;
backoff-threshold 1;
lockout-period 5;
tries-before-disconnect 3;


If you are done configuring the device, enter commit from configuration mode.

Verification

Displaying the Locked User Logins

Purpose

Verify that the login lockout configuration is enabled.

Action

Make 3 unsuccessful login attempts with a particular username. The device locks that
user out; then log in to the device with a different username. From operational mode,
enter the show system login lockout command.

Meaning

When you make 3 unsuccessful login attempts with a particular username, the device
is locked for that user for 5 minutes as configured in the example. You can verify that the
user is locked by logging in to the device with a different username and entering the show
system login lockout command.

Related Documentation

• Handling Authorization Failure on page 280

• Administration Guide for Security Devices

Example: Creating Template Accounts

Supported Platforms J Series, LN Series, SRX Series

This example shows how to create template accounts.

• Requirements on page 277

• Overview on page 277

• Configuration on page 278

• Verification on page 279

Requirements
No special configuration beyond device initialization is required before configuring this
feature.

Overview
You can create template accounts that are shared by a set of users when you are using
RADIUS or TACACS+ authentication. When a user is authenticated by a template account,
the CLI username is the login name, and the privileges, file ownership, and effective user
ID are inherited from the template account.

By default, Junos OS uses the remote template account when:

• The authenticated user does not exist locally on the device.

• The authenticated user's record in the RADIUS or TACACS+ server specifies local user,
or the specified local user does not exist locally on the device.


In this example, you create a remote template account and set the username to remote
and the login class for the user as operator. You create a remote template that is applied
to users authenticated by RADIUS or TACACS+ that do not belong to a local template
account.

You then create a local template account and set the username as admin and the login
class as superuser. You use local template accounts when you need different types of
templates. Each template can define a different set of permissions appropriate for the
group of users who use that template.

Configuration
• Creating a Remote Template Account on page 278
• Creating a Local Template Account on page 278

Creating a Remote Template Account

CLI Quick Configuration

To quickly configure this section of the example, copy the following command, paste it
into a text file, remove any line breaks, change any details necessary to match your
network configuration, and then copy and paste the command into the CLI at the [edit]
hierarchy level.

set system login user remote class operator

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration
hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration
Mode.

To create a remote template account:

1. Set the username and the login class for the user.

[edit system login]
user@host# set user remote class operator

Results

From configuration mode, confirm your configuration by entering the show system login
command. If the output does not display the intended configuration, repeat the
configuration instructions in this example to correct it.

[edit]
user@host# show system login
user remote {
class operator;
}

If you are done configuring the device, enter commit from configuration mode.

Creating a Local Template Account

CLI Quick Configuration

To quickly configure this section of the example, copy the following command, paste it
into a text file, remove any line breaks, change any details necessary to match your
network configuration, and then copy and paste the command into the CLI at the [edit]
hierarchy level.


set system login user admin class superuser

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration
hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration
Mode.

To create a local template account:

1. Set the username and the login class for the user.

[edit system login]
user@host# set user admin class superuser

Results

From configuration mode, confirm your configuration by entering the show system login
command. If the output does not display the intended configuration, repeat the
configuration instructions in this example to correct it.

[edit]
user@host# show system login
user admin {
class super-user;
}

If you are done configuring the device, enter commit from configuration mode.

NOTE: To completely set up RADIUS or TACACS+ authentication, you must
configure at least one RADIUS or TACACS+ server and specify a system
authentication order. Do one of the following tasks:

• Configure a RADIUS server. See “Example: Configuring a RADIUS Server
for System Authentication” on page 263.

• Configure a TACACS+ server. See “Example: Configuring a TACACS+ Server
for System Authentication” on page 266.

• Configure system authentication order. See “Example: Configuring
Authentication Order” on page 268.

Verification
Confirm that the configuration is working properly.

Verifying the Template Accounts Creation

Purpose

Verify that the template accounts have been created.

Action

From operational mode, enter the show system login command.

Related Documentation

• Understanding User Authentication Methods on page 13

• Understanding User Accounts on page 13


• Understanding Login Classes on page 14

• Understanding Template Accounts on page 17

• Administration Guide for Security Devices

Handling Authorization Failure

Supported Platforms J Series, LN Series, SRX Series

The security administrator can configure the number of times a user can try to log in to
the device with invalid login credentials. The device can be locked after the specified
number of unsuccessful authentication attempts. This helps to protect the device from
malicious users attempting to access the system by guessing an account’s password.
The security administrator can unlock the user account or define a time period for the
user account to remain locked.

The system lockout-period defines the amount of time the device can be locked for a
user account after a specified number of unsuccessful login attempts.

The security administrator can configure a period of time after which an inactive session
will be locked and require re-authentication to be unlocked. This helps to protect the
device from being idle for a long period before the session times out.

The system idle-timeout defines the length of time the CLI operational mode prompt
remains active before the session times out.

The security administrator can configure a banner with an advisory notice to be displayed
before the identification and authentication screen.

The system message defines the system login message. This message appears before
a user logs in.

The number of reattempts the device allows is defined by the tries-before-disconnect
option. The device allows 3 unsuccessful attempts by default or as configured by the
administrator. The device prevents locked users from performing activities that require
authentication until a security administrator manually clears the lock or the defined time
period for the device to remain locked has elapsed. However, existing locks are ignored
when the user attempts to log in from the local console.


NOTE: To clear the console during an administrator-initiated logout, the
administrator must configure the set system login message “message string”
such that the message-string contains newline (\n) characters followed by a
login banner message at the end of the \n characters.

To ensure that configuration information is cleared completely, the
administrator can enter 50 or more \n characters in the message-string of
the command set system login message “message string”.

For example, set system login message
"\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Welcome to Junos!!!"

Related Documentation

• Example: Configuring System Retry Options on page 273

• Administration Guide for Security Devices

Understanding Administrative Roles

Supported Platforms LN Series, SRX Series

A system user can be a member of a class that allows the user to act as a particular kind
of administrator for the system. Requiring a specific role to view or modify an item restricts
the extent of information a user can obtain from the system. It also limits how much of
the system is open to intentional or unintentional modification or observation by a user.
We recommend that you use the following guidelines when you are designing
administrative roles:

• Do not allow any user to log in to the system as root.

• Restrict each user to the smallest set of privileges needed to perform the user’s duties.

• Do not allow any user to belong to a login class containing the shell permission flag.
The shell permission flag allows users to run the start shell command from the CLI.

• Allow users to have rollback permissions. Rollback permissions allow users to undo
an action performed by an administrator but do not allow them to commit the
changes.

You can assign an administrative role to a user by configuring a login class to have the
privileges required for that role. You can configure each class to allow or deny access to
configuration statements and commands by name. These specific restrictions override
and take precedence over any permission flags also configured in the class. You can
assign one of the following role attributes to an administrative user.

• Crypto-administrator—Allows the user to configure and monitor cryptographic data.

• Security-administrator—Allows the user to configure and monitor security data.


• Audit-administrator—Allows the user to configure and monitor audit data.

• IDS-administrator—Allows the user to monitor and clear the intrusion detection service
(IDS) security logs.

Each role can perform the following specific management functions:

• Cryptographic Administrator

  • Configures the cryptographic self-test.

  • Modifies the cryptographic security data parameters.

• Audit Administrator

  • Configures and deletes the audit review search and sort feature.

  • Searches and sorts audit records.

  • Configures search and sort parameters.

  • Manually deletes audit logs.

• Security Administrator

  • Invokes, determines, and modifies the cryptographic self-test behavior.

  • Enables, disables, determines, and modifies the audit analysis and audit selection
    functions and configures the device to automatically delete audit logs.

  • Enables or disables security alarms.

  • Specifies limits for quotas on Transport Layer connections.

  • Specifies the limits, network identifiers, and time periods for quotas on controlled
    connection-oriented resources.

  • Specifies the network addresses permitted to use Internet Control Message Protocol
    (ICMP) or Address Resolution Protocol (ARP).

  • Configures the time and date used in time stamps.

  • Queries, modifies, deletes, and creates the information flow or access control rules
    and attributes for the unauthenticated information flow security function policy
    (SFP), the authenticated information flow SFP, the unauthenticated device services,
    and the discretionary access control policy.

  • Specifies initial values that override default values when object information is created
    under unauthenticated information flow SFP, the authenticated information flow
    SFP, the unauthenticated target of evaluation (TOE) services, and the discretionary
    access control policy.

  • Creates, deletes, or modifies the rules that control the address from which
    management sessions can be established.

  • Specifies and revokes security attributes associated with the users, subjects, and
    objects.

  • Specifies the percentage of audit storage capacity at which the device alerts
    administrators.

  • Handles authentication failures and modifies the number of failed authentication
    attempts through SSH or from the CLI that can occur before progressive throttling
    is enforced for further authentication attempts and before the connection is dropped.

  • Manages basic network configuration of the device.

• IDS Administrator—Specifies IDS security alarms, intrusion alarms, audit selections,
  and audit data.

You need to set the security-role attribute in the classes created for these administrative
roles. This attribute restricts which users can show and clear the security logs, actions
that cannot be performed through configuration alone.

For example, you need to set the security-role attribute in the ids-admin class created
for the IDS administrator role if you want to restrict clearing and showing IDS logs to the
IDS administrator role. Likewise, you need to set the security-role to one of the other
admin values to restrict that class from being able to clear and show non-IDS logs only.

NOTE: When a user deletes an existing configuration, the configuration
statements under the hierarchy level of the deleted configuration (that is,
the child objects that the user does not have permission to modify) now
remain in the device.

Related Documentation

• Example: Configuring Administrative Roles on page 283

Example: Configuring Administrative Roles

Supported Platforms LN Series, M Series, SRX Series, T Series

This example shows how to configure individual administrative roles for a distinct, unique
set of privileges apart from all other administrative roles.

• Requirements on page 283

• Overview on page 283

• Configuration on page 284

• Verification on page 289

Requirements
No special configuration beyond device initialization is required before configuring this
feature.

Overview
This example configures four users:

• audit-officer of the class audit-admin

• crypto-officer of the class crypto-admin


• security-officer of the class security-admin

• ids-officer of the class ids-admin

When a security-admin class is configured, the privileges for creating administrators are
revoked from the user who created the security-admin class. Creation of new users and
logins is at the discretion of the security-officer.

In this example, you create audit admin, crypto admin, security admin, and ids admin
with permission flags pertaining to this role. Then you allow or deny access to configuration
statements and commands by name for each administrative role. These specific
restrictions take precedence over the permission flags also configured in the class. For
example, only the crypto-admin can run the request system set-encryption-key command,
which requires having the security permission flag to access it. Only the security-admin
can include the system time-zone statement in the configuration, which requires having
the system-control permission flag.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy
level.

set system login class audit-admin permissions security
set system login class audit-admin permissions trace
set system login class audit-admin permissions maintenance
set system login class audit-admin allow-commands "^clear (log|security log)"
set system login class audit-admin deny-commands "^clear (security alarms|system
login lockout)|^file (copy|delete|rename)|^request (security|system
set-encryption-key)|^rollback|^set date|^show security
(alarms|dynamic-policies|match-policies|policies)|^start shell"
set system login class audit-admin security-role audit-administrator
set system login class crypto-admin permissions admin-control
set system login class crypto-admin permissions configure
set system login class crypto-admin permissions maintenance
set system login class crypto-admin permissions security-control
set system login class crypto-admin permissions system-control
set system login class crypto-admin permissions trace
set system login class crypto-admin allow-commands "^request system
set-encryption-key"
set system login class crypto-admin deny-commands "^clear (log|security alarms|security
log|system login lockout)|^file (copy|delete|rename)|^rollback|^set date|^show security
(alarms|dynamic-policies|match-policies|policies)|^start shell"
set system login class crypto-admin allow-configuration-regexps "security (ike|ipsec)
(policy|proposal)" "security ipsec ^vpn$ .* manual
(authentication|encryption|protocol|spi)" "system fips self-test after-key-generation"
set system login class crypto-admin security-role crypto-administrator
set system login class security-admin permissions all
set system login class security-admin deny-commands "^clear (log|security
log)|^(clear|show) security alarms alarm-type idp|^request (security|system
set-encryption-key)|^rollback|^start shell"
set system login class security-admin deny-configuration-regexps "security alarms
potential-violation idp" "security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$
.* manual (authentication|encryption|protocol|spi)" "security log cache" "security log
exclude .* event-id IDP_.*" "system fips self-test after-key-generation"
set system login class security-admin security-role security-administrator
set system login class ids-admin permissions configure
set system login class ids-admin permissions security-control
set system login class ids-admin permissions trace
set system login class ids-admin permissions maintenance
set system login class ids-admin allow-configuration-regexps "security alarms
potential-violation idp" "security log exclude .* event-id IDP_.*"
set system login class ids-admin deny-commands "^clear log|^(clear|show) security
alarms (alarm-id|all|newer-than|older-than|process|severity)|^(clear|show) security
alarms alarm-type
(authentication|cryptographic-self-test|decryption-failures|encryption-failures|
ike-phase1-failures|ike-phase2-failures|key-generation-self-test|
non-cryptographic-self-test|policy|replay-attacks)|^file (copy|delete|rename)|^request
(security|system set-encryption-key)|^rollback|
^set date|^show security (dynamic-policies|match-policies|policies)|^start shell"
set system login class ids-admin deny-configuration-regexps "security alarms
potential-violation (authentication|cryptographic-self-test|decryption-failures|
encryption-failures|ike-phase1-failures|ike-phase2-failures|
key-generation-self-test|non-cryptographic-self-test|policy|replay-attacks)"
set system login class ids-admin security-role ids-administrator
set system login user audit-officer class audit-admin
set system login user crypto-officer class crypto-admin
set system login user security-officer class security-admin
set system login user ids-officer class ids-admin
set system login user audit-officer authentication plain-text-password
set system login user crypto-officer authentication plain-text-password
set system login user security-officer authentication plain-text-password
set system login user ids-officer authentication plain-text-password

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration
hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration
Mode in the Junos OS CLI guide.

To configure users in administrative roles:

1. Create the audit-admin login class.

[edit]
user@host# set system login class audit-admin
[edit system login class audit-admin]
user@host# set permissions security
user@host# set permissions trace
user@host# set permissions maintenance

2. Configure the audit-admin login class restrictions.

[edit system login class audit-admin]
user@host# set allow-commands "^clear (log|security log)"
user@host# set deny-commands "^clear (security alarms|system login lockout)|^file
(copy|delete|rename)|^request (security|system
set-encryption-key)|^rollback|^set date|^show security
(alarms|dynamic-policies|match-policies|policies)|^start shell"
user@host# set security-role audit-administrator


3. Create the crypto-admin login class.

[edit]
user@host# set system login class crypto-admin

[edit system login class crypto-admin]
user@host# set permissions admin-control
user@host# set permissions configure
user@host# set permissions maintenance
user@host# set permissions security-control
user@host# set permissions system-control
user@host# set permissions trace

4. Configure the crypto-admin login class restrictions.

[edit system login class crypto-admin]
user@host# set allow-commands "^request system set-encryption-key"
user@host# set deny-commands "^clear (log|security alarms|security log|system
login lockout)|^file (copy|delete|rename)|^rollback|^set date|^show security
(alarms|dynamic-policies|match-policies|policies)|^start shell"
user@host# set allow-configuration-regexps "security (ike|ipsec) (policy|proposal)"
"security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)" "system
fips self-test after-key-generation"
user@host# set security-role crypto-administrator

5. Create the security-admin login class.

[edit]
user@host# set system login class security-admin

[edit system login class security-admin]
user@host# set permissions all

6. Configure the security-admin login class restrictions.

[edit system login class security-admin]
user@host# set deny-commands "^clear (log|security log)|^(clear|show) security
alarms alarm-type idp|^request (security|system
set-encryption-key)|^rollback|^start shell"
user@host# set deny-configuration-regexps "security alarms potential-violation
idp" "security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual
(authentication|encryption|protocol|spi)" "security log cache" "security log
exclude .* event-id IDP_.*" "system fips self-test after-key-generation"
user@host# set security-role security-administrator

7. Create the ids-admin login class.

[edit]
user@host# set system login class ids-admin

[edit system login class ids-admin]
user@host# set permissions configure
user@host# set permissions maintenance
user@host# set permissions security-control
user@host# set permissions trace

8. Configure the ids-admin login class restrictions.


[edit system login class ids-admin]
user@host# set allow-configuration-regexps "security alarms potential-violation
idp" "security log exclude .* event-id IDP_.*"
user@host# set deny-commands "^clear log|^(clear|show) security
alarms (alarm-id|all|newer-than|older-than|process|severity)|^(clear|show)
security alarms alarm-type
(authentication|cryptographic-self-test|decryption-failures|encryption-failures|
ike-phase1-failures|ike-phase2-failures|key-generation-self-test|
non-cryptographic-self-test|policy|replay-attacks)|^file
(copy|delete|rename)|^request (security|system set-encryption-key)|
^rollback|^set date|^show security (dynamic-policies|match-policies|policies)|^start
shell"
user@host# set deny-configuration-regexps "security alarms
potential-violation (authentication|cryptographic-self-test|decryption-failures|
encryption-failures|ike-phase1-failures|ike-phase2-failures|
key-generation-self-test|non-cryptographic-self-test|policy|replay-attacks)"
user@host# set security-role ids-administrator

9. Assign users to the roles.

[edit]
user@host# set system login

[edit system login]
user@host# set user audit-officer class audit-admin
user@host# set user crypto-officer class crypto-admin
user@host# set user security-officer class security-admin
user@host# set user ids-officer class ids-admin

10. Configure passwords for the users.

[edit system login]
user@host# set user audit-officer authentication plain-text-password
user@host# set user crypto-officer authentication plain-text-password
user@host# set user security-officer authentication plain-text-password
user@host# set user ids-officer authentication plain-text-password

Results

From configuration mode, confirm your configuration by entering the show system
command. If the output does not display the intended configuration, repeat the
instructions in this example to correct the configuration.

[edit]
user@host# show system
system {
login {
class audit-admin {
permissions [ maintenance security trace ];
allow-commands "^clear (log|security log)";
deny-commands "^clear (security alarms|system login lockout)|^file
(copy|delete|rename)|^request (security|system
set-encryption-key)|^rollback|^set date|^show security
(alarms|dynamic-policies|match-policies|policies)|^start shell";
security-role audit-administrator;
}


class crypto-admin {
permissions [ admin-control configure maintenance security-control system-control
trace ];
allow-commands "^request (system set-encryption-key)";
deny-commands "^clear (log|security alarms|security log|system login lockout)|^file
(copy|delete|rename)|^rollback|^set date|^show security
(alarms|dynamic-policies|match-policies|policies)|^start shell";
allow-configuration-regexps "security (ike|ipsec) (policy|proposal)" "security ipsec
^vpn$ .* manual (authentication|encryption|protocol|spi)" "system fips self-test
after-key-generation" ;
security-role crypto-administrator;
}
class security-admin {
permissions [all];
deny-commands "^clear (log|security log)|^(clear|show) security alarms alarm-type
idp|^request (security|system set-encryption-key)|^rollback|^start shell";
deny-configuration-regexps "security alarms potential-violation idp" "security
(ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual
(authentication|encryption|protocol|spi)" "security log cache" "security log exclude .*
event-id IDP_.*" "system fips self-test after-key-generation";
security-role security-administrator;
}
class ids-admin {
permissions [ configure maintenance security-control trace ];
deny-commands "^clear log|^(clear|show) security alarms
(alarm-id|all|newer-than|older-than|process|severity)|^(clear|show) security
alarms alarm-type
(authentication | cryptographic-self-test | decryption-failures | encryption-failures
| ike-phase1-failures | ike-phase2-failures|key-generation-self-test |
non-cryptographic-self-test |policy | replay-attacks) | ^file (copy|delete|rename)
|^request (security|system set-encryption-key) | ^rollback |
^set date | ^show security (dynamic-policies|match-policies|policies) |^start shell";
allow-configuration-regexps "security alarms potential-violation idp" "security log
exclude .* event-id IDP_.*";
deny-configuration-regexps "security alarms potential-violation
(authentication|cryptographic-self-test|decryption-failures|encryption-failures|
ike-phase1-failures|ike-phase2-failures|key-generation-self-test|
non-cryptographic-self-test|policy|replay-attacks)";
security-role ids-administrator;
}
user audit-officer {
class audit-admin;
authentication {
encrypted-password "$1$ABC123"; ## SECRET-DATA
}
}
user crypto-officer {
class crypto-admin;
authentication {
encrypted-password "$1$ABC123"; ## SECRET-DATA
}
}
user security-officer {
class security-admin;
authentication {
encrypted-password "$1$ABC123"; ## SECRET-DATA
}
}
user ids-officer {
class ids-admin;
authentication {
encrypted-password "$1$ABC123"; ## SECRET-DATA
}
}
}
}

If you are done configuring the device, enter commit from configuration mode.

Verification
Confirm that the configuration is working properly.

Verifying the login permissions

Purpose

Verify the login permissions for the current user.

Action

From operational mode, enter the show cli authorization command.

user@host> show cli authorization
Current user: 'netscreen' class 'super-user'
Permissions:
admin -- Can view user accounts
admin-control-- Can modify user accounts
clear -- Can clear learned network info
configure -- Can enter configuration mode
control -- Can modify any config
edit -- Can edit full files
field -- Can use field debug commands
floppy -- Can read and write the floppy
interface -- Can view interface configuration
interface-control-- Can modify interface configuration
network -- Can access the network
reset -- Can reset/restart interfaces and daemons
routing -- Can view routing configuration
routing-control-- Can modify routing configuration
shell -- Can start a local shell
snmp -- Can view SNMP configuration
snmp-control-- Can modify SNMP configuration
system -- Can view system configuration
system-control-- Can modify system configuration
trace -- Can view trace file settings
trace-control-- Can modify trace file settings
view -- Can view current values and statistics
maintenance -- Can become the super-user
firewall -- Can view firewall configuration
firewall-control-- Can modify firewall configuration
secret -- Can view secret statements
secret-control-- Can modify secret statements
rollback -- Can rollback to previous configurations
security -- Can view security configuration
security-control-- Can modify security configuration
access -- Can view access configuration
access-control-- Can modify access configuration
view-configuration-- Can view all configuration (not including secrets)
flow-tap -- Can view flow-tap configuration
flow-tap-control-- Can modify flow-tap configuration
idp-profiler-operation-- Can Profiler data
pgcp-session-mirroring-- Can view pgcp session mirroring configuration
pgcp-session-mirroring-control-- Can modify pgcp session mirroring configuration
storage -- Can view fibre channel storage protocol configuration
storage-control-- Can modify fibre channel storage protocol configuration
all-control -- Can modify any configuration
Individual command authorization:
Allow regular expression: none
Deny regular expression: none
Allow configuration regular expression: none
Deny configuration regular expression: none

This output summarizes the login permissions.
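The permission list above is long, and a custom class such as audit-admin or crypto-admin should hold only the subset its role needs. The following added example (not part of the Junos documentation or any Juniper tool) parses the "flag -- description" lines of show cli authorization output and reports the flags that grant modify rights, so an auditor can compare a class against an allow-list. The sample output is a constructed, abbreviated copy of the super-user output shown above; the HIGH_IMPACT set and the allow-list are assumptions chosen for the demonstration.

```python
"""Audit the permission flags reported by 'show cli authorization'.

Added example, not Junos code: parses '<flag> -- <description>' lines and
reports flags that change device state, so a login class can be checked
against the least-privilege set its role requires.
"""
import re

# Constructed sample: an abbreviated copy of the output on the page.
SAMPLE_OUTPUT = """\
Current user: 'netscreen' class 'super-user'
Permissions:
admin -- Can view user accounts
admin-control-- Can modify user accounts
configure -- Can enter configuration mode
shell -- Can start a local shell
maintenance -- Can become the super-user
secret -- Can view secret statements
secret-control-- Can modify secret statements
rollback -- Can rollback to previous configurations
view-configuration-- Can view all configuration (not including secrets)
all-control -- Can modify any configuration
Individual command authorization:
Allow regular expression: none
Deny regular expression: none
"""

# Assumed set of flags that hand out broad or state-changing power even
# though their names do not end in '-control'.
HIGH_IMPACT = {"all-control", "maintenance", "shell", "secret-control", "rollback"}

# Flag names are lowercase with hyphens; the separator is '--' with optional
# whitespace before it (the output has both 'admin --' and 'admin-control--').
PERM_RE = re.compile(r"^(?P<flag>[a-z][a-z0-9-]*?)\s*--\s*(?P<desc>.+)$")
CLASS_RE = re.compile(r"class '(?P<cls>[^']+)'")


def parse_authorization(output):
    """Return (class_name, {flag: description}) from the command output."""
    cls = None
    perms = {}
    for line in output.splitlines():
        m = CLASS_RE.search(line)
        if m and cls is None:
            cls = m.group("cls")
            continue
        m = PERM_RE.match(line.strip())
        if m:
            perms[m.group("flag")] = m.group("desc").strip()
    return cls, perms


def audit(output, allowed_control=frozenset()):
    """Return (class, modify-capable flags, flags not on the allow-list).

    A flag counts as modify-capable when it ends in '-control' or is in
    HIGH_IMPACT; anything outside allowed_control is reported for review.
    """
    cls, perms = parse_authorization(output)
    grants_modify = {f for f in perms if f.endswith("-control") or f in HIGH_IMPACT}
    unexpected = sorted(grants_modify - set(allowed_control))
    return cls, sorted(grants_modify), unexpected


if __name__ == "__main__":
    cls, modify, extra = audit(SAMPLE_OUTPUT, allowed_control={"admin-control"})
    print(f"class {cls}: modify-capable flags {modify}")
    print("beyond allow-list:", extra)
```

Run the same audit against the output captured while logged in under each custom class; an ids-admin or audit-admin login that reports shell, maintenance or all-control has been given more than its role description in this chapter implies.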

Related Documentation
• Understanding Administrative Roles on page 281

CHAPTER 19

USB Modems for Remote Management Setup

• Connecting to the Device Remotely on page 291
• Modifying USB Modem Initialization Commands on page 291
• Resetting USB Modems on page 292

Connecting to the Device Remotely

Supported Platforms J Series, LN Series, SRX Series

To remotely connect to the device through a USB modem connected to the USB port on
the device:

1. On the PC or laptop computer at your remote location, select Start>Settings>Control
Panel>Network Connections. The Network Connections page appears.

2. Double-click the USB-modem-connect dial-up connection. The Connect
USB-modem-connect page appears.

3. Click Dial to connect to the Juniper Networks device.

When the connection is complete, you can use Telnet or SSH to connect to the device.

Related Documentation
• USB Modem Interface Overview on page 19
• USB Modem Configuration Overview on page 22
• Configuring a Dial-Up Modem Connection Remotely on page 59
• Administration Guide for Security Devices

Modifying USB Modem Initialization Commands

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240

NOTE: These instructions use Hayes-compatible modem commands to configure the
modem. If your modem is not Hayes-compatible, see the documentation for your modem
and enter equivalent modem commands.

You can use the CLI configuration editor to override the value of an initialization command
configured on the USB modem or configure additional commands for initializing USB
modems.

NOTE: If you modify modem initialization commands when a call is in progress, the new
initialization sequence is applied on the modem only when the call ends.

You can configure the following modem AT commands to initialize the USB modem:

• The command S0=2 configures the modem to automatically answer calls on the
second ring.

• The command L2 configures medium speaker volume on the modem.

You can insert spaces between commands.

When you configure modem commands in the CLI configuration editor, you must follow
these conventions:

• Use the newline character \n to indicate the end of a command sequence.

• Enclose the command string in double quotation marks.

You can override the value of the S0=0 command in the initialization sequence configured
on the modem and add the L2 command.

To modify the initialization commands on a USB modem:

1. Configure the modem AT commands to initialize the USB modem.

[edit interfaces umd0]
user@host# set modem-options init-command-string "AT S0=2 L2 \n"

2. If you are done configuring the device, enter commit from configuration mode.

Related Documentation
• USB Modem Interface Overview on page 19
• USB Modem Configuration Overview on page 22
• Resetting USB Modems on page 292
• Administration Guide for Security Devices

Resetting USB Modems

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240

If the USB modem does not respond, you can reset the modem.


CAUTION: If you reset the modem when a call is in progress, the call is
terminated.

To reset the USB modem, in operational mode, enter the following command:

user@host> request interface modem reset umd0

Related Documentation
• USB Modem Interface Overview on page 19
• USB Modem Configuration Overview on page 22
• Modifying USB Modem Initialization Commands on page 291
• Administration Guide for Security Devices


CHAPTER 20

Telnet and SSH Device Control

• Configuring Password Retry Limits for Telnet and SSH Access on page 295
• Configuring Reverse Telnet and Reverse SSH on page 296
• Example: Controlling Management Access on SRX and J-Series Devices on page 297
• The telnet Command on page 300
• The ssh Command on page 301

Configuring Password Retry Limits for Telnet and SSH Access

Supported Platforms J Series, LN Series, SRX Series

To prevent brute force and dictionary attacks, the device performs the following actions
for Telnet or SSH sessions by default:

• Disconnects a session after a maximum of 10 consecutive password retries.

• After the second password retry, introduces a delay in multiples of 5 seconds between
subsequent password retries.

For example, the device introduces a delay of 5 seconds between the third and fourth
password retry, a delay of 10 seconds between the fourth and fifth password retry, and
so on.

• Enforces a minimum session time of 20 seconds during which a session cannot be
disconnected. Configuring the minimum session time prevents malicious users from
disconnecting sessions before the password retry delay goes into effect, and attempting
brute force and dictionary attacks with multiple logins.

You can configure the password retry limits for Telnet and SSH access. In this example,
you configure the device to take the following actions for Telnet and SSH sessions:

• Allow a maximum of four consecutive password retries before disconnecting a session.

• Introduce a delay in multiples of 5 seconds between password retries that occur after
the second password retry.

• Enforce a minimum session time of 40 seconds during which a session cannot be
disconnected.


To configure password retry limits for Telnet and SSH access:

1. Set the maximum number of consecutive password retries before a Telnet or SSH
session is disconnected. The default number is 10, but you can set a number
from 1 through 10.

[edit system login retry-options]
user@host# set tries-before-disconnect 4

2. Set the threshold number of password retries after which a delay is introduced between
two consecutive password retries. The default number is 2, but you can specify a value
from 1 through 3.

[edit system login retry-options]
user@host# set backoff-threshold 2

3. Set the delay (in seconds) between consecutive password retries after the threshold
number of password retries. The default delay is in multiples of 5 seconds, but you
can specify a value from 5 through 10 seconds.

[edit system login retry-options]
user@host# set backoff-factor 5

4. Set the minimum length of time (in seconds) during which a Telnet or SSH session
cannot be disconnected. The default is 20 seconds, but you can specify an interval
from 20 through 60 seconds.

[edit system login retry-options]
user@host# set minimum-time 40

5. If you are done configuring the device, enter commit from configuration mode.
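To see what the four retry-options knobs do to a single connection, the following added example (not Junos code and not a Juniper tool) models the behaviour described in this section: no delay up to backoff-threshold failures, then a delay that grows by backoff-factor for each further failure, a disconnect at tries-before-disconnect, and a session that is never released before minimum-time. The timing model, a delay of backoff_factor * (n - backoff_threshold) seconds after failed attempt n, is an assumption drawn from the worked numbers in the text (5 s between the third and fourth retry, 10 s between the fourth and fifth); the allowed ranges are the ones the steps above state.

```python
"""Model of the Junos Telnet/SSH password-retry policy described above.

Added example, not Junos code. Reproduces the documented effect of
tries-before-disconnect, backoff-threshold, backoff-factor and
minimum-time so an operator can compare settings before committing them.
"""


class RetryPolicy:
    def __init__(self, tries_before_disconnect=10, backoff_threshold=2,
                 backoff_factor=5, minimum_time=20):
        # Ranges as documented for the retry-options statements.
        if not 1 <= tries_before_disconnect <= 10:
            raise ValueError("tries-before-disconnect must be 1..10")
        if not 1 <= backoff_threshold <= 3:
            raise ValueError("backoff-threshold must be 1..3")
        if not 5 <= backoff_factor <= 10:
            raise ValueError("backoff-factor must be 5..10 seconds")
        if not 20 <= minimum_time <= 60:
            raise ValueError("minimum-time must be 20..60 seconds")
        self.tries_before_disconnect = tries_before_disconnect
        self.backoff_threshold = backoff_threshold
        self.backoff_factor = backoff_factor
        self.minimum_time = minimum_time

    def delay_after(self, failed_attempt):
        """Seconds the device waits after failed attempt n (1-based) before
        presenting the next password prompt. Assumed model: linear growth
        in multiples of backoff_factor once the threshold is exceeded."""
        if failed_attempt <= self.backoff_threshold:
            return 0
        return self.backoff_factor * (failed_attempt - self.backoff_threshold)

    def simulate(self, wrong_passwords):
        """Feed consecutive wrong passwords to one session.

        Returns (accepted_guesses, seconds_held): how many guesses the
        session accepted before the device dropped it, and how long the
        session lasted. The second value is never below minimum_time
        because the device refuses to release the session earlier.
        """
        accepted = 0
        seconds = 0
        for n in range(1, wrong_passwords + 1):
            accepted = n
            if n >= self.tries_before_disconnect:
                break                         # session is disconnected here
            seconds += self.delay_after(n)    # wait before the next prompt
        return accepted, max(seconds, self.minimum_time)


def guesses_per_hour(policy, wrong_passwords_per_session=10):
    """Upper bound on password guesses one connection stream gets per hour,
    useful for judging whether a setting is tight enough for the device."""
    accepted, seconds = policy.simulate(wrong_passwords_per_session)
    return accepted * 3600 / seconds


if __name__ == "__main__":
    default = RetryPolicy()
    example = RetryPolicy(tries_before_disconnect=4, backoff_threshold=2,
                          backoff_factor=5, minimum_time=40)
    for name, p in (("default", default), ("example", example)):
        print(name, p.simulate(10), "guesses/hour:", guesses_per_hour(p))
```

With the defaults a session absorbs 10 wrong passwords over 140 seconds; the example configuration above cuts that to 4 guesses per 40-second session, so the per-connection guess rate drops roughly tenfold even before the device's syslog records the failures.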

Related Documentation
• The telnet Command on page 300
• The ssh Command on page 301
• Reverse Telnet Overview on page 26
• Configuring Reverse Telnet and Reverse SSH on page 296
• Administration Guide for Security Devices

Configuring Reverse Telnet and Reverse SSH

Supported Platforms J Series, LN Series, SRX1400, SRX3400, SRX3600, SRX5400, SRX5600, SRX5800, SRX650

To configure reverse telnet and reverse ssh:

1. Enable reverse telnet.

[edit]
user@host# set system services reverse telnet

2. Specify the port to be used for reverse telnet. If you do not specify a port, 2900 is the
default port that is used.

[edit]
user@host# set system services reverse telnet port 5000


3. Enable reverse ssh to encrypt the connection between the device and the client.

[edit]
user@host# set system services reverse ssh

4. Specify the port for reverse ssh. If you do not specify a port, 2901 is the default port
that is used.

[edit]
user@host# set system services reverse ssh port 6000

5. If you are done configuring the device, enter commit from configuration mode.

Related Documentation
• The telnet Command on page 300
• The ssh Command on page 301
• Configuring Password Retry Limits for Telnet and SSH Access on page 295
• Reverse Telnet Overview on page 26
• Administration Guide for Security Devices

Example: Controlling Management Access on SRX and J-Series Devices

Supported Platforms J Series, LN Series, SRX Series

This example shows how to control management access on SRX Series devices.

• Requirements on page 297
• Overview on page 297
• Configuration on page 297
• Verification on page 300

Requirements
No special configuration beyond device initialization is required before configuring this
feature.

Overview
By default, any host on the trusted interface can manage a security device. To limit the
IP addresses that can manage a device, you can configure a firewall filter that denies all
addresses except the IP address or addresses to which you want to grant management
access. This example shows how to limit management access to SRX Series and J Series
devices to specific IP addresses.

Configuration
• Configuring an IP Address List to Restrict Management Access to a Device on page 298


Configuring an IP Address List to Restrict Management Access to a Device

CLI Quick Configuration: To quickly configure this example, copy the following commands,
paste them into a text file, remove any line breaks, change any details necessary to match
your network configuration, and then copy and paste the commands into the CLI at the
[edit] hierarchy level.

set policy-options prefix-list manager-ip 192.168.4.254/32
set policy-options prefix-list manager-ip 10.0.0.0/8
set firewall filter manager-ip term block_non_manager from source-address 0.0.0.0/0
set firewall filter manager-ip term block_non_manager from source-prefix-list manager-ip except
set firewall filter manager-ip term block_non_manager from protocol tcp
set firewall filter manager-ip term block_non_manager from destination-port ssh
set firewall filter manager-ip term block_non_manager from destination-port https
set firewall filter manager-ip term block_non_manager from destination-port telnet
set firewall filter manager-ip term block_non_manager from destination-port http
set firewall filter manager-ip term block_non_manager then discard
set firewall filter manager-ip term accept_everything_else then accept
set interfaces lo0 unit 0 family inet filter input manager-ip

Step-by-Step Procedure: The following example requires you to navigate various levels in
the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor
in Configuration Mode.

1. Define a set of host addresses, called "manager-ip", that are allowed to manage
the device.

[edit policy-options]
user@host# set prefix-list manager-ip 192.168.4.254/32
user@host# set prefix-list manager-ip 10.0.0.0/8

NOTE: The configured list is referenced in the actual filter, where you
can change your defined set of addresses.

2. Configure a firewall filter to deny traffic from all IP addresses except the IP addresses
defined in the "manager-ip" list. Management traffic that uses any of the listed
destination ports is discarded when the traffic comes from an address that is not in
the list.

[edit firewall filter]
user@host# set manager-ip term block_non_manager from source-address 0.0.0.0/0
user@host# set manager-ip term block_non_manager from source-prefix-list manager-ip except
user@host# set manager-ip term block_non_manager from protocol tcp
user@host# set manager-ip term block_non_manager from destination-port ssh
user@host# set manager-ip term block_non_manager from destination-port https
user@host# set manager-ip term block_non_manager from destination-port telnet
user@host# set manager-ip term block_non_manager from destination-port http
user@host# set manager-ip term block_non_manager then discard
user@host# set manager-ip term accept_everything_else then accept


3. Apply stateless firewall filters to the loopback interface to filter the packets
originating from the hosts to which you are granting management access.

[edit interfaces lo0 unit 0]
user@host# set family inet filter input manager-ip

NOTE: This configuration applies to traffic that terminates at the device. For traffic
that terminates at the device interface (such as IPsec, OSPF, RIP, or BGP), you must
also include the management IP addresses in the manager-ip prefix-list.

Results: From configuration mode, confirm your configuration by entering the show
configuration command. If the output does not display the intended configuration, repeat
the configuration instructions in this example to correct it.

user@host# show configuration policy-options
prefix-list manager-ip {
10.0.0.0/8;
192.168.4.254/32;
}

user@host# show configuration firewall
filter manager-ip {
term block_non_manager {
from {
source-address {
0.0.0.0/0;
}
source-prefix-list {
manager-ip except;
}
protocol tcp;
destination-port [ ssh https telnet http ];
}
then {
discard;
}
}
term accept_everything_else {
then accept;
}
}

user@host# show configuration interfaces
lo0 {
unit 0 {
family inet {
filter {
input manager-ip;
}
}
}
}

user@host# show configuration interfaces lo0
unit 0 {
family inet {
filter {
input manager-ip;
}
}
}

If you are done configuring the device, enter commit from configuration mode.
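The effect of the except keyword is the part of this filter that is easiest to get backwards, so the following added example (not Junos code, not a Juniper tool) evaluates the two terms of the manager-ip filter in order against constructed packets: every IPv4 source matches source-address 0.0.0.0/0, sources inside the prefix list are removed from the match by except, and only TCP to the four listed services is discarded; everything else falls through to accept_everything_else. The prefix list and ports are the ones configured above; the port numbers for the service names and the sample packets are assumptions.

```python
"""Evaluate the manager-ip lo0 filter from the example above.

Added example, not Junos code: a small stateless-filter evaluator with the
same term logic, used to check before commit which sources can reach the
management services and which cannot.
"""
import ipaddress

# Same prefix list as the page's policy-options configuration.
MANAGER_IP = [ipaddress.ip_network(p) for p in ("192.168.4.254/32", "10.0.0.0/8")]

# Assumed port numbers behind the service names in destination-port [ ... ].
MGMT_PORTS = {"ssh": 22, "https": 443, "telnet": 23, "http": 80}


def in_prefix_list(src, prefixes):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)


def term_block_non_manager(src, proto, dport):
    """True when the packet matches every 'from' condition of the term."""
    # from source-address 0.0.0.0/0 : every IPv4 source matches.
    if ipaddress.ip_address(src).version != 4:
        return False
    # from source-prefix-list manager-ip except : listed sources do NOT match.
    if in_prefix_list(src, MANAGER_IP):
        return False
    # from protocol tcp / destination-port [ ssh https telnet http ]
    return proto == "tcp" and dport in MGMT_PORTS.values()


def filter_manager_ip(src, proto, dport):
    """Walk the terms in order, as the device does, and return the action."""
    if term_block_non_manager(src, proto, dport):
        return "discard"                 # then discard
    return "accept"                      # term accept_everything_else


# Constructed sample packets: (source, protocol, destination port).
SAMPLE_PACKETS = [
    ("10.20.30.40", "tcp", 22),          # manager inside 10.0.0.0/8 -> accept
    ("192.168.4.254", "tcp", 23),        # the /32 manager host -> accept
    ("192.168.4.1", "tcp", 22),          # same LAN, outside the /32 -> discard
    ("203.0.113.9", "tcp", 443),         # unknown source to HTTPS -> discard
    ("203.0.113.9", "udp", 161),         # UDP is not covered by the term -> accept
    ("203.0.113.9", "tcp", 830),         # a TCP port not in the list -> accept
]


def evaluate_all(packets=SAMPLE_PACKETS):
    """Return [(src, proto, dport, action)] for a batch of packets."""
    return [(s, p, d, filter_manager_ip(s, p, d)) for s, p, d in packets]


if __name__ == "__main__":
    for src, proto, dport, action in evaluate_all():
        print(f"{src:>15} {proto:<4} {dport:<4} -> {action}")
```

The last two sample packets show the caveat a reviewer would raise: the term only names four TCP services, so any other listener bound to lo0 (SNMP over UDP, or NETCONF on TCP port 830 if it is enabled) is still reachable from every address. Extend the destination-port list, or add terms for the other protocols, when the device runs those services.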

Verification
Confirm that the configuration is working properly.

Verifying Interfaces

Purpose Verify that the interfaces are configured correctly.

Action From operational mode, enter the following commands:

• show policy-options

• show firewall

• show interfaces

Related Documentation
• Administration Guide for Security Devices

The telnet Command

Supported Platforms J Series, LN Series, SRX Series

You can use the CLI telnet command to open a Telnet session to a remote device:

user@host> telnet host <8bit> <bypass-routing> <inet> <interface interface-name> <no-resolve> <port port> <routing-instance routing-instance-name> <source address>

NOTE: On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the maximum number
of concurrent Telnet sessions is as follows:

SRX100  SRX210  SRX220  SRX240  SRX650
3       3       3       5       5

To exit the Telnet session and return to the Telnet command prompt, press Ctrl-].

To exit the Telnet session and return to the CLI command prompt, enter quit.

Table 13 on page 301 describes the telnet command options.


Table 13: CLI telnet Command Options

Option                                  Description
8bit                                    Use an 8-bit data path.
bypass-routing                          Bypass the routing tables and open a Telnet session only to hosts on directly attached interfaces. If the host is not on a directly attached interface, an error message is returned.
host                                    Open a Telnet session to the specified hostname or IP address.
inet                                    Force the Telnet session to an IPv4 destination.
interface source-interface              Open a Telnet session to a host on the specified interface. If you do not include this option, all interfaces are used.
no-resolve                              Suppress the display of symbolic names.
port port                               Specify the port number or service name on the host.
routing-instance routing-instance-name  Use the specified routing instance for the Telnet session.
source address                          Use the specified source address for the Telnet session.

Related Documentation
• The ssh Command on page 301
• Configuring Password Retry Limits for Telnet and SSH Access on page 295
• Reverse Telnet Overview on page 26
• Configuring Reverse Telnet and Reverse SSH on page 296
• Administration Guide for Security Devices

The ssh Command

Supported Platforms J Series, LN Series, SRX Series

You can use the CLI ssh command to use the secure shell (SSH) program to open a
connection to a remote device:

user@host> ssh host <bypass-routing> <inet> <interface interface-name> <routing-instance routing-instance-name> <source address> <v1> <v2>

NOTE: On SRX100, SRX210, SRX220, SRX240, and SRX650 devices, the maximum number
of concurrent SSH sessions is as follows:

SRX100  SRX210  SRX220  SRX240  SRX650
3       3       3       5       5


Table 14 on page 302 describes the ssh command options.

Table 14: CLI ssh Command Options

Option                                  Description
bypass-routing                          Bypass the routing tables and open an SSH connection only to hosts on directly attached interfaces. If the host is not on a directly attached interface, an error message is returned.
host                                    Open an SSH connection to the specified hostname or IP address.
inet                                    Force the SSH connection to an IPv4 destination.
interface source-interface              Open an SSH connection to a host on the specified interface. If you do not include this option, all interfaces are used.
routing-instance routing-instance-name  Use the specified routing instance for the SSH connection.
source address                          Use the specified source address for the SSH connection.
v1                                      Force SSH to use version 1 for the connection.
v2                                      Force SSH to use version 2 for the connection.

Related Documentation
• The telnet Command on page 300
• Configuring Password Retry Limits for Telnet and SSH Access on page 295
• Reverse Telnet Overview on page 26
• Configuring Reverse Telnet and Reverse SSH on page 296
• Administration Guide for Security Devices



CHAPTER 21

DHCP for IP Address Device

• Verifying and Managing DHCP Local Server Configuration on page 303
• Verifying and Managing DHCP Client Configuration on page 304
• Verifying and Managing DHCP Relay Configuration on page 304

Verifying and Managing DHCP Local Server Configuration

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Purpose View or clear information about client address bindings and statistics for the DHCP local
server.

Action • To display the address bindings in the client table on the DHCP local server:

user@host> show dhcp server binding

• To display DHCP local server statistics:

user@host> show dhcp server statistics

• To clear the binding state of a DHCP client from the client table on the DHCP local
server:

user@host> clear dhcp server binding

• To clear all DHCP local server statistics:

user@host> clear dhcp server statistics

NOTE: To clear or view information about client bindings and statistics in a routing
instance, run the following commands:

• show dhcp server binding routing instance <routing-instance name>

• show dhcp server statistics routing instance <routing-instance name>

• clear dhcp server binding routing instance <routing-instance name>

• clear dhcp server statistics routing instance <routing-instance name>


Related Documentation
• Administration Guide for Security Devices

Verifying and Managing DHCP Client Configuration

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Purpose View or clear information about client address bindings and statistics for the DHCP client.

Action • To display the address bindings in the client table on the DHCP client:

user@host> show dhcp client binding

• To display DHCP client statistics:

user@host> show dhcp client statistics

• To clear the binding state of a DHCP client from the client table on the DHCP client:

user@host> clear dhcp client binding

• To clear all DHCP client statistics:

user@host> clear dhcp client statistics

NOTE: To clear or view information about client bindings and statistics in a routing
instance, run the following commands:

• show dhcp client binding routing instance <routing-instance name>

• show dhcp client statistics routing instance <routing-instance name>

• clear dhcp client binding routing instance <routing-instance name>

• clear dhcp client statistics routing instance <routing-instance name>

Related Documentation
• Administration Guide for Security Devices

Verifying and Managing DHCP Relay Configuration

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Purpose View or clear address bindings or statistics for DHCP relay agent clients.

Action • To display the address bindings for DHCP relay agent clients:

user@host> show dhcp relay binding

• To display DHCP relay agent statistics:

user@host> show dhcp relay statistics

• To clear the binding state of DHCP relay agent clients:


user@host> clear dhcp relay binding

• To clear all DHCP relay agent statistics:

user@host> clear dhcp relay statistics

NOTE: To clear or view information about client bindings and statistics in a routing
instance, run the following commands:

• show dhcp relay binding routing instance <routing-instance name>

• show dhcp relay statistics routing instance <routing-instance name>

• clear dhcp relay binding routing instance <routing-instance name>

• clear dhcp relay statistics routing instance <routing-instance name>

Related Documentation
• Administration Guide for Security Devices



CHAPTER 22

File Management

• Decrypting Configuration Files on page 307
• Encrypting Configuration Files on page 308
• Modifying the Encryption Key on page 309
• Cleaning Up Files on page 309
• Cleaning Up Files with the CLI on page 310
• Deleting Files on page 311
• Deleting the Backup Software Image on page 312
• Downloading Files on page 312
• Managing Accounting Files on page 313

Decrypting Configuration Files

Supported Platforms J Series, LN Series, SRX Series

To disable the encryption of configuration files on a device and make them readable to
all:

1. Enter operational mode in the CLI.

2. Verify your permission to decrypt configuration files on this device by entering the
encryption key for the device.

user@host> request system set-encryption-key
Enter EEPROM stored encryption key:
Verifying EEPROM stored encryption key:

3. At the second prompt, reenter the encryption key.

4. Enter configuration mode in the CLI.

5. Enable configuration file decryption.

[edit]
user@host# edit system
user@host# set no-encrypt-configuration-files

6. Begin the decryption process by committing the configuration.

[edit]
user@host# commit
commit complete

Related Documentation
• Network Monitoring and Troubleshooting Guide for Security Devices

Encrypting Configuration Files

Supported Platforms J Series, LN Series, SRX Series

To configure an encryption key in EEPROM and determine the encryption process, enter
one of the request system set-encryption-key commands in operational mode described
in Table 15 on page 308.

Table 15: request system set-encryption-key Commands

CLI Command                                      Description
request system set-encryption-key                Sets the encryption key and enables default configuration file encryption:
                                                 • AES encryption for the Canada and U.S. version of Junos OS
                                                 • DES encryption for the international version of Junos OS
request system set-encryption-key algorithm des  Sets the encryption key and specifies configuration file encryption by DES.
request system set-encryption-key unique         Sets the encryption key and enables default configuration file encryption with a unique encryption key that includes the chassis serial number of the device. Configuration files encrypted with the unique key can be decrypted only on the current device. You cannot copy such configuration files to another device and decrypt them.
request system set-encryption-key des unique     Sets the encryption key and specifies configuration file encryption by DES with a unique encryption key.

To encrypt configuration files on a device:

1. Enter operational mode in the CLI.

2. Configure an encryption key in EEPROM and determine the encryption process; for
example, enter the request system set-encryption-key command.

user@host> request system set-encryption-key
Enter EEPROM stored encryption key:

3. At the prompt, enter the encryption key. The encryption key must have at least six
characters.

Enter EEPROM stored encryption key:example1
Verifying EEPROM stored encryption key:

4. At the second prompt, reenter the encryption key.

5. Enter configuration mode in the CLI.


6. Enable configuration file encryption to take place.

[edit]
user@host# edit system
user@host# set encrypt-configuration-files

7. Begin the encryption process by committing the configuration.

[edit]
user@host# commit
commit complete

Related Documentation
• Network Monitoring and Troubleshooting Guide for Security Devices

Modifying the Encryption Key

Supported Platforms J Series, LN Series, SRX Series

When you modify the encryption key, the configuration files are decrypted and then
reencrypted with the new encryption key.

To modify the encryption key:

1. Enter operational mode in the CLI.

2. Configure a new encryption key in EEPROM and determine the encryption process;
for example, enter the request system set-encryption-key command.

user@host> request system set-encryption-key
Enter EEPROM stored encryption key:

3. At the prompt, enter the new encryption key. The encryption key must have at least
six characters.

Enter EEPROM stored encryption key:exampleone
Verifying EEPROM stored encryption key:

4. At the second prompt, reenter the new encryption key.

Related Documentation
• Network Monitoring and Troubleshooting Guide for Security Devices

Cleaning Up Files

Supported Platforms J Series, LN Series, SRX Series

You can use the J-Web user interface to rotate log files and delete unnecessary files on
the device. If you are running low on storage space, the file cleanup procedure quickly
identifies files that can be deleted.

The file cleanup procedure performs the following tasks:


• Rotates log files—Archives all information in the current log files and creates fresh log
files.

• Deletes log files in /var/log—Deletes any files that are not currently being written to.

• Deletes temporary files in /var/tmp—Deletes any files that have not been accessed
within two days.

• Deletes all crash files in /var/crash—Deletes any core files that the device has written
during an error.

• Deletes all software images (*.tgz files) in /var/sw/pkg—Deletes any software images
copied to this directory during software upgrades.

To rotate log files and delete unnecessary files with the J-Web user interface:

1. In the J-Web user interface, select Maintain>Files.

2. In the Clean Up Files section, click Clean Up Files. The device rotates log files and
identifies the files that can be safely deleted.

The J-Web user interface displays the files that you can delete and the amount of
space that will be freed on the file system.

3. Click one of the following buttons on the confirmation page:

• To delete the files and return to the Files page, click OK.

• To cancel your entries and return to the list of files in the directory, click Cancel.

Related Documentation
• Network Monitoring and Troubleshooting Guide for Security Devices

Cleaning Up Files with the CLI

Supported Platforms J Series, LN Series, SRX Series

You can use the CLI request system storage cleanup command to rotate log files and
delete unnecessary files on the device. If you are running low on storage space, the file
cleanup procedure quickly identifies files that can be deleted.

The file cleanup procedure performs the following tasks:

• Rotates log files—Archives all information in the current log files, deletes old archives,
and creates fresh log files.

• Deletes log files in /var/log—Deletes any files that are not currently being written to.

• Deletes temporary files in /var/tmp—Deletes any files that have not been accessed
within two days.

• Deletes all crash files in /var/crash—Deletes any core files that the device has written
during an error.

• Deletes all software images (*.tgz files) in /var/sw/pkg—Deletes any software images
copied to this directory during software upgrades.


To rotate log files and delete unnecessary files with the CLI:

1. Enter operational mode in the CLI.

2. Rotate log files and identify the files that can be safely deleted.

user@host> request system storage cleanup

The device rotates log files and displays the files that you can delete.

3. Enter yes at the prompt to delete the files.

NOTE: You can issue the request system storage cleanup dry-run command
to review the list of files that can be deleted with the request system storage
cleanup command, without actually deleting the files.

NOTE: On SRX Series devices, the /var hierarchy is hosted in a separate partition
(instead of the root partition). If Junos OS installation fails as a result of
insufficient space:

• Use the request system storage cleanup command to delete temporary files.

• Delete any user-created files in both the root partition and under the /var
hierarchy.
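The five cleanup rules listed above are simple enough to check offline before running request system storage cleanup on a device whose /var partition is nearly full. The following added example (not Junos code and not a Juniper tool) applies the same criteria to a directory tree and reports candidates without deleting anything, in the spirit of the dry-run option. It builds a constructed tree under a temporary directory so it runs anywhere; the rule "not currently being written to" is approximated by an explicit set of open log names, which is an assumption, as are the file names used.

```python
"""Dry-run equivalent of the file-cleanup rules listed above.

Added example, not Junos code: reports files that the documented rules
would remove from /var/log, /var/tmp, /var/crash and /var/sw/pkg under a
given root, without deleting anything.
"""
import os
import tempfile
import time

TWO_DAYS = 2 * 24 * 3600


def _files_in(root, sub):
    """Regular files directly under root/sub, sorted; empty if absent."""
    d = os.path.join(root, sub)
    if not os.path.isdir(d):
        return []
    return sorted(os.path.join(d, f) for f in os.listdir(d)
                  if os.path.isfile(os.path.join(d, f)))


def cleanup_candidates(root, open_logs=frozenset(), now=None):
    """Return {category: [paths]} of files the cleanup rules would delete.

    open_logs: names in var/log still being written (assumed to be known
    to the caller); now: reference time for the two-day access rule.
    """
    now = time.time() if now is None else now
    cands = {"log": [], "tmp": [], "crash": [], "pkg": []}
    # /var/log: any file not currently being written to.
    cands["log"] = [p for p in _files_in(root, "var/log")
                    if os.path.basename(p) not in open_logs]
    # /var/tmp: any file not accessed within two days.
    cands["tmp"] = [p for p in _files_in(root, "var/tmp")
                    if os.stat(p).st_atime < now - TWO_DAYS]
    # /var/crash: every core file.
    cands["crash"] = _files_in(root, "var/crash")
    # /var/sw/pkg: software images (*.tgz) only.
    cands["pkg"] = [p for p in _files_in(root, "var/sw/pkg") if p.endswith(".tgz")]
    return cands


def candidate_names(cands):
    """Reduce a candidates map to base names, convenient for reports/tests."""
    return {cat: [os.path.basename(p) for p in paths] for cat, paths in cands.items()}


def build_sample_tree():
    """Construct a throwaway tree with one file per rule outcome (assumed names)."""
    root = tempfile.mkdtemp(prefix="cleanup-demo-")
    files = {
        "var/log/messages": "open",           # still being written: keep
        "var/log/messages.0.gz": "archived",  # rotated archive: delete
        "var/tmp/stale.txt": "old",           # accessed 3 days ago: delete
        "var/tmp/fresh.txt": "new",           # accessed now: keep
        "var/crash/core-flowd.0": "core",     # core file: delete
        "var/sw/pkg/old-junos-image.tgz": "pkg",  # image: delete
        "var/sw/pkg/README": "text",          # not an image: keep
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    stale = os.path.join(root, "var/tmp/stale.txt")
    three_days_ago = time.time() - 3 * 24 * 3600
    os.utime(stale, (three_days_ago, three_days_ago))  # set atime and mtime
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for cat, names in candidate_names(cleanup_candidates(root, {"messages"})).items():
        print(f"{cat:>5}: {names}")
```

Pointing cleanup_candidates at a copy of a device's /var (fetched with file copy or scp) gives a reviewable list before anything is removed, which matters on the SRX Series where /var is a separate partition and the crash directory may hold the only evidence of a recent daemon failure.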

Related Documentation
• Network Monitoring and Troubleshooting Guide for Security Devices

Deleting Files

Supported Platforms J Series, LN Series, SRX Series

You can use the J-Web user interface to delete an individual file from the device. When
you delete the file, it is permanently removed from the file system.

CAUTION: If you are unsure whether to delete a file from the device, we
recommend using the Cleanup Files tool. This tool determines which files can
be safely deleted from the file system.

To delete files with the J-Web user interface:

1. In the J-Web user interface, select Maintain>Files.

2. In the Download and Delete Files section, click one of the following file types:

• Log Files—Lists the log files located in the /var/log directory on the device.

• Temporary Files—Lists the temporary files located in the /var/tmp directory on the
device.


• Old Junos OS—Lists the software images (*.tgz files) in the /var/sw/pkg directory on
the device.

• Crash (Core) Files—Lists the core files located in the /var/crash directory on the
device.

The J-Web user interface displays the files located in the directory.

3. Check the box next to each file you plan to delete.

4. Click Delete.

The J-Web user interface displays the files you can delete and the amount of space
that will be freed on the file system.

5. Click one of the following buttons on the confirmation page:

• To delete the files and return to the Files page, click OK.

• To cancel your entries and return to the list of files in the directory, click Cancel.

Related Documentation
• Network Monitoring and Troubleshooting Guide for Security Devices

Deleting the Backup Software Image

Supported Platforms J Series, LN Series, SRX Series

Junos OS keeps a backup image of the software that was previously installed so that
you can downgrade to that version of the software if necessary. You can use the J-Web
user interface to delete this backup image. If you delete this image, you cannot downgrade
to this particular version of the software.

To delete the backup software image:

1. In the J-Web user interface, select Maintain>Files.

2. Review the backup image information listed in the Delete Backup Junos Package
section.

3. Click the Delete backup Junos package link to delete the backup image.

4. Click one of the following buttons on the confirmation page:

• To delete the backup image and return to the Files page, click OK.

• To cancel the deletion of the backup image and return to the Files page, click Cancel.

Related Documentation
• Network Monitoring and Troubleshooting Guide for Security Devices

Downloading Files

Supported Platforms J Series, LN Series, SRX Series


You can use the J-Web user interface to download a copy of an individual file from the
device. When you download a file, it is not deleted from the file system.

To download files with the J-Web user interface:

1. In the J-Web user interface, select Maintain>Files.

2. In the Download and Delete Files section, click one of the following file types:

• Log Files—Lists the log files located in the /var/log directory on the device.

• Temporary Files—Lists the temporary files located in the /var/tmp directory on the
device.

• Old Junos OS—Lists the software images (*.tgz files) in the /var/sw/pkg directory on
the device.

• Crash (Core) Files—Lists the core files located in the /var/crash directory on the
device.

The J-Web user interface displays the files located in the directory.

3. Click Download to download an individual file.

4. Choose a location for the browser to save the file.

The file is downloaded.

Related Documentation
• Network Monitoring and Troubleshooting Guide for Security Devices

Managing Accounting Files

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX650

If you configure the system to capture accounting data in log files, store those files in
DRAM rather than on the CompactFlash (CF) card.

The default location for accounting files is the cfs/var/log directory on the CF card. The
nonpersistent option keeps the file in DRAM and so minimizes read/write traffic to the CF
card, which has a limited write lifetime. We recommend the nonpersistent option for all
accounting files configured on your system.

To store accounting log files in DRAM instead of the CF card:

1. Enter configuration mode in the CLI.

2. Create an accounting data log file and move to its hierarchy level, replacing filename
with the name of the file.

[edit]
user@host# edit accounting-options file filename

3. Mark the file nonpersistent so that it is kept in DRAM instead of on the CF card.

[edit accounting-options file filename]
user@host# set nonpersistent


CAUTION: Accounting log files stored in DRAM are lost when the device reboots or
loses power. If you need to retain the accounting records, back up these files
periodically, for example by copying them to a remote host.

Related Documentation
• Network Monitoring and Troubleshooting Guide for Security Devices



CHAPTER 23

Licenses

• Displaying License Keys on page 315
• Downloading License Keys on page 316
• Generating a License Key on page 316
• Saving License Keys on page 317
• Updating License Keys on page 317
• Example: Adding a New License Key on page 318
• Example: Deleting a License Key on page 321

Displaying License Keys

Supported Platforms J Series, LN Series, SRX Series

To display license keys installed on the device:

1. In the J-Web interface, select Maintain>Licenses.

2. Under Installed Licenses, click Display Keys to display all the license keys installed on
the device.

A screen displaying the license keys in text format appears. Multiple licenses are
separated by a blank line.

Related Documentation
• Junos OS Feature License Model Number for J Series Services Routers and SRX Series Services Gateways on page 47
• Generating a License Key on page 316
• Updating License Keys on page 317
• Saving License Keys on page 317
• Downloading License Keys on page 316
• Example: Adding a New License Key on page 318
• Example: Deleting a License Key on page 321
• Installation and Upgrade Guide for Security Devices
• Administration Guide for Security Devices


Downloading License Keys

Supported Platforms J Series, LN Series, SRX Series

To download license keys installed on the device:

1. In the J-Web interface, select Maintain>Licenses.

2. Under Installed Licenses, click Download Keys to download all the license keys installed
on the device to a single file.

3. Select Save it to disk and specify the file to which the license keys are to be written.

Related • Junos OS Feature License Model Number for J Series Services Routers and SRX Series
Documentation Services Gateways on page 47

• Generating a License Key on page 316

• Updating License Keys on page 317

• Saving License Keys on page 317

• Displaying License Keys on page 315

• Example: Adding a New License Key on page 318

• Example: Deleting a License Key on page 321

• Installation and Upgrade Guide for Security Devices

Generating a License Key

Supported Platforms J Series, LN Series, SRX Series

To generate a license key:

1. Gather the authorization code that you received when you purchased your license as
well as your device serial number.

2. Go to the Juniper Networks licensing page at:

https://www.juniper.net/lcrs/generateLicense.do

3. Enter the device serial number and authorization code in the webpage and click
Generate. Depending on the type of license you purchased, you will receive one of the
following responses:

• License key—If you purchased a perpetual license, you will receive a license key
from the licensing management system. You can enter this key directly into the
system to activate the feature on your device.

• License key entitlement—If you purchased a subscription-based license, you will
receive a license key entitlement from the licensing management system. You can
use this entitlement to validate your license on the Juniper Networks licensing server
and download the feature license from the server to your device.


Related Documentation
• Junos OS Feature License Model Number for J Series Services Routers and SRX Series Services Gateways on page 47
• Updating License Keys on page 317
• Saving License Keys on page 317
• Displaying License Keys on page 315
• Downloading License Keys on page 316
• Example: Adding a New License Key on page 318
• Example: Deleting a License Key on page 321
• Installation and Upgrade Guide for Security Devices

Saving License Keys

Supported Platforms J Series, LN Series, SRX Series

To save license keys installed on the device:

1. From operational mode, save the installed license keys to a local file or to a URL.

user@host> request system license save filename | url

For example, the following command saves the installed license keys to the file
license.conf on an FTP server:

user@host> request system license save ftp://user@host/license.conf

The saved keys are tied to the device serial number, but they are still credentials for
paid features: FTP carries them in cleartext, so save them only to a host you control.

Related Documentation
• Junos OS Feature License Model Number for J Series Services Routers and SRX Series Services Gateways on page 47
• Generating a License Key on page 316
• Updating License Keys on page 317
• Displaying License Keys on page 315
• Downloading License Keys on page 316
• Example: Adding a New License Key on page 318
• Example: Deleting a License Key on page 321
• Installation and Upgrade Guide for Security Devices

Updating License Keys

Supported Platforms J Series, LN Series, SRX Series


To update a license key from the device:

1. From operational mode, do one of the following tasks:

• Update the license keys automatically.

user@host> request system license update

NOTE: The request system license update command always uses the default
Juniper Networks license server, https://ae1.juniper.net. The device must be able to
resolve that name and reach it over HTTPS; if outbound access from the device is
restricted, permit that connection before you run the command.

You can use this command only to update subscription-based licenses (such as
UTM).

• Update the trial license keys automatically.

user@host>request system license update trial

Related Documentation
• Junos OS Feature License Model Number for J Series Services Routers and SRX Series Services Gateways on page 47
• Generating a License Key on page 316
• Saving License Keys on page 317
• Displaying License Keys on page 315
• Downloading License Keys on page 316
• Example: Adding a New License Key on page 318
• Example: Deleting a License Key on page 321
• Installation and Upgrade Guide for Security Devices

Example: Adding a New License Key

Supported Platforms J Series, LN Series, SRX Series

This example shows how to add a new license key.

• Requirements on page 318
• Overview on page 319
• Configuration on page 319
• Verification on page 320

Requirements
Before you begin, confirm that your Junos OS feature requires you to purchase, install,
and manage a separate software license.


Overview
You can add a license key from a file or URL, from a terminal, or from the J-Web user
interface. Use the filename option to activate a perpetual license directly on the device.
(Most feature licenses are perpetual.) Use the url to send a subscription-based license
key entitlement (such as UTM) to the Juniper Networks licensing server for authorization.
If authorized, the server downloads the license to the device and activates it.

In this example, the file name is bgp-reflection.

Configuration
CLI Quick Configuration To quickly add a new license key, copy the following commands, paste them in a text
file, remove any line breaks, and then copy and paste the commands into the CLI.

From operational mode, you can add a license key in either way:

• From a file or URL:

user@hostname> request system license add bgp-reflection

• From the terminal:

user@hostname> request system license add terminal

GUI Step-by-Step Procedure To add a new license key:
1. In the J-Web user interface, select Maintain>Licenses.

2. Under Installed Licenses, click Add to add a new license key.

3. Do one of the following, using a blank line to separate multiple license keys:

• In the License File URL box, type the full URL to the destination file containing the
license key to be added.

• In the License Key Text box, paste the license key text, in plain-text format, for the
license to be added.

4. Click OK to add the license key.

NOTE: If you added the SRX100 Memory Upgrade license, the device
reboots immediately and comes back up as a high-memory device.

5. Click OK to check your configuration and save it as a candidate configuration.

6. If you are done configuring the device, click Commit Options>Commit.

Step-by-Step Procedure To add a new license key:
1. From operational mode, add a license key in either way:

• From a file or URL:


user@host> request system license add bgp-reflection

• From the terminal:

user@host>request system license add terminal

2. When prompted, enter the license key, separating multiple license keys with a blank
line. If the license key you enter is invalid, an error is generated when you press Ctrl-D
to exit license entry mode.

NOTE: If you added the SRX100 Memory Upgrade license, the device
reboots immediately and comes back up as a high-memory device.

Results From operational mode, confirm your configuration by entering the show system license
command. If the output does not display the intended configuration, repeat the
configuration instructions in this example to correct it.

user@hostname> show system license

License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  bgp-reflection                        0            1           0    permanent

Licenses installed:
  License identifier: G03000002223
  License version: 2
  Valid for device: JN001875AB
  Features:
    bgp-reflection - Border Gateway Protocol route reflection
      permanent

  License identifier: G03000002225
  License version: 2
  Valid for device: JN001875AB

If you are done configuring the device, enter commit from configuration mode.

Verification
Confirm that the configuration is working properly.

• Verifying Installed Licenses on page 320
• Verifying License Usage on page 321
• Verifying Installed License Keys on page 321

Verifying Installed Licenses

Purpose Verify that the expected licenses have been installed and are active on the device.

Action From operational mode, enter the show system license command.


The output shows a list of the licenses used and a list of the licenses installed on the
device and when they expire.

Verifying License Usage

Purpose Verify that the licenses fully cover the feature configuration on the device.

Action From operational mode, enter the show system license usage command.

user@hostname> show system license usage

                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  bgp-reflection                        1            1           0    permanent

The output shows a list of the licenses installed on the device and how they are used.
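The usage table is what an operator reads to confirm that a feature is fully licensed and that a subscription has not lapsed; on a security device a lapsed UTM or IDP subscription silently stops those inspections. The following Python script is an added example and is not code from the Juniper guide. It parses show system license output in the format shown on this page (the bgp-reflection row and the two installed-license blocks) and reports three conditions worth alerting on: a feature whose "Licenses needed" count is nonzero, a subscription that expires within a configurable window, and an installed key whose "Valid for device" serial does not match the device it was read from. The idp-sig and av_kl rows in the sample, their counts and dates, and the serial numbers passed to audit() are constructed for this example.

```python
"""Audit `show system license` output from a Junos device.

Added example, not code from the Juniper guide. It parses the "License usage"
table and the "Licenses installed" blocks in the format shown on this page and
reports the conditions an operator checks for: a feature in use without enough
licenses, a subscription that expires soon, and a key issued for another device.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, datetime


@dataclass
class Usage:
    feature: str
    used: int
    installed: int
    needed: int
    expiry: str          # "permanent", "invalid", or "YYYY-MM-DD HH:MM:SS TZ"


@dataclass
class Installed:
    identifier: str
    device: str          # serial number from "Valid for device:"


def parse_license_output(text: str) -> tuple[list[Usage], list[Installed]]:
    """Split the command output into usage rows and installed-license records."""
    usage: list[Usage] = []
    installed: list[Installed] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("License usage:"):
            section = "usage"
            continue
        if line.startswith("Licenses installed:"):
            section = "installed"
            continue
        if not line:
            continue
        if section == "usage":
            # Skip the two column-header lines; data rows are: name used installed needed expiry...
            if line.startswith(("Licenses", "Feature name")):
                continue
            parts = line.split()
            if len(parts) < 5 or not all(p.isdigit() for p in parts[1:4]):
                continue
            usage.append(Usage(parts[0], int(parts[1]), int(parts[2]),
                               int(parts[3]), " ".join(parts[4:])))
        elif section == "installed":
            m = re.match(r"License identifier:\s*(\S+)", line)
            if m:
                installed.append(Installed(m.group(1), ""))
                continue
            m = re.match(r"Valid for device:\s*(\S+)", line)
            if m and installed:
                installed[-1].device = m.group(1)
    return usage, installed


def expiry_date(expiry: str) -> date | None:
    """Return the expiry day, or None for "permanent"/"invalid"."""
    try:
        return datetime.strptime(expiry.split()[0], "%Y-%m-%d").date()
    except ValueError:
        return None


def audit(text: str, device_serial: str, today: str, warn_days: int = 30) -> list[str]:
    """Return human-readable findings; an empty list means nothing needs attention."""
    now = datetime.strptime(today, "%Y-%m-%d").date()
    findings: list[str] = []
    usage, installed = parse_license_output(text)
    for u in usage:
        if u.needed > 0:
            findings.append(f"{u.feature}: {u.needed} license(s) needed "
                            f"({u.used} used, {u.installed} installed)")
        d = expiry_date(u.expiry)
        if d is not None and (d - now).days <= warn_days:
            findings.append(f"{u.feature}: expires {d.isoformat()} ({(d - now).days} days)")
    for lic in installed:
        if lic.device != device_serial:
            findings.append(f"{lic.identifier}: issued for {lic.device}, "
                            f"not this device ({device_serial})")
    return findings


# The bgp-reflection row and the two installed blocks are the page's sample output;
# the idp-sig and av_kl rows (names, counts, dates) are constructed for this example.
SAMPLE = """\
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  bgp-reflection                        0            1           0    permanent
  idp-sig                               1            1           0    2016-09-30 00:00:00 UTC
  av_kl                                 1            0           1    invalid

Licenses installed:
  License identifier: G03000002223
  License version: 2
  Valid for device: JN001875AB
  Features:
    bgp-reflection - Border Gateway Protocol route reflection
      permanent

  License identifier: G03000002225
  License version: 2
  Valid for device: JN001875AB
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, "JN001875AB", "2016-09-15"):
        print(finding)
```

Run it against output captured from the device (for example, the text saved by a monitoring job that issues show system license over SSH) and pass the device's own serial number; the serial check catches a key copied from another chassis, which the device lists but does not count toward the feature.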

Verifying Installed License Keys

Purpose Verify that the license keys were installed on the device.

Action From operational mode, enter the show system license keys command.

user@hostname> show system license keys

XXXXXXXXXX xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx
xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx
xxxxxx xxxxxx xxx

The output shows a list of the license keys installed on the device. Verify that each
expected license key is present.

Related Documentation
• Junos OS Feature License Model Number for J Series Services Routers and SRX Series Services Gateways on page 47
• Generating a License Key on page 316
• Updating License Keys on page 317
• Saving License Keys on page 317
• Displaying License Keys on page 315
• Downloading License Keys on page 316
• Example: Deleting a License Key on page 321
• Installation and Upgrade Guide for Security Devices

Example: Deleting a License Key

Supported Platforms J Series, LN Series, SRX Series


This example shows how to delete a license key.

• Requirements on page 322
• Overview on page 322
• Configuration on page 322
• Verification on page 323

Requirements
Before you delete a license key, confirm that it is no longer needed.

Overview
You can delete a license key from the CLI or J-Web user interface. In this example, the
license ID is G03000002223.

Configuration
CLI Quick Configuration To quickly delete a license key, copy the following command, paste it in a text file,
remove any line breaks, and then copy and paste the command into the CLI.

user@host> request system license delete G03000002223

GUI Step-by-Step Procedure To delete a license key:
1. In the J-Web user interface, select Maintain>Licenses.

2. Select the check box of the license or licenses you want to delete.

3. Click Delete.

NOTE: If you deleted the SRX100 Memory Upgrade license, the device
reboots immediately and comes back up as a low-memory device.

4. Click OK to check your configuration and save it as a candidate configuration.

5. If you are done configuring the device, click Commit Options>Commit.

Step-by-Step Procedure To delete a license key:
1. From operational mode, for each license, enter the following command and specify
the license ID. You can delete only one license at a time.

user@host> request system license delete G03000002223

NOTE: If you deleted the SRX100 Memory Upgrade license, the device
reboots immediately and comes back up as a low-memory device.


Results From operational mode, confirm the deletion by entering the show system license
command. The license you deleted no longer appears in the output. If the output does
not show what you intended, repeat the steps in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification
Confirm that the configuration is working properly.

Verifying Installed Licenses

Purpose Verify that the expected licenses have been removed from the device.

Action From operational mode, enter the show system license command.

Related Documentation
• Junos OS Feature License Model Number for J Series Services Routers and SRX Series Services Gateways on page 47
• Generating a License Key on page 316
• Updating License Keys on page 317
• Saving License Keys on page 317
• Displaying License Keys on page 315
• Downloading License Keys on page 316
• Example: Adding a New License Key on page 318
• Installation and Upgrade Guide for Security Devices



CHAPTER 24

Operational Commands

• clear dhcp client binding
• clear dhcpv6 client binding
• clear dhcp client statistics
• clear dhcpv6 client statistics
• clear dhcp relay binding
• clear dhcp relay statistics
• clear dhcp server binding
• clear dhcp server statistics
• clear dhcpv6 server binding (Local Server)
• clear dhcpv6 server statistics (Local Server)
• clear system login lockout
• file archive
• file checksum md5
• file checksum sha1
• file checksum sha-256
• file compare
• file copy
• file delete
• file list
• file rename
• file show
• request dhcp client renew
• request dhcpv6 client renew
• request system autorecovery state
• request system download abort
• request system download clear
• request system download pause
• request system download resume


• request system download start
• request system firmware upgrade
• request system license update
• request system partition compact-flash
• request system power-off fpc
• request system services dhcp
• request system snapshot (Maintenance)
• request system software abort in-service-upgrade (ICU)
• request system software add (Maintenance)
• request system reboot
• request system software rollback (Maintenance)
• request support information
• request system zeroize
• restart (Reset)
• Restart Commands Overview on page 389
• show chassis routing-engine (View)
• show dhcp client binding
• show dhcpv6 client binding
• show dhcp client statistics
• show dhcpv6 client statistics
• show dhcp relay binding
• show dhcp relay statistics
• show dhcp server binding
• show dhcp server statistics
• show dhcpv6 server binding (View)
• show dhcpv6 server statistics (View)
• show firewall (View)
• show system autorecovery state
• show system directory-usage
• show system download
• show system license (View)
• show system login lockout
• show system services dhcp client
• show system services dhcp relay-statistics
• show system snapshot media
• show system storage (View SRX Series)
• show system storage partitions (View SRX Series)


clear dhcp client binding

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax clear dhcp client binding
<all | interface interface-name>
<routing-instance routing-instance-name>

Release Information Command introduced in Junos OS Release 12.1X44-D10.

Description Clear the binding state of a Dynamic Host Configuration Protocol (DHCP) client from
the DHCP client table.

Options all—(Optional) Clear the binding state for all DHCP clients.

interface <interface-name>—(Optional) Clear the binding state for DHCP clients on the
specified interface.

routing-instance <routing-instance-name>—(Optional) Clear the binding state for DHCP


clients on the specified routing instance. If you do not specify a routing instance,
binding state is cleared for DHCP clients on the default routing instance.

Required Privilege Level clear

Related Documentation
• show dhcp client binding on page 393
• Administration Guide for Security Devices

Output Fields This command produces no output.


clear dhcpv6 client binding

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax clear dhcpv6 client binding
<all | interface interface-name>
<routing-instance routing-instance-name>

Release Information Command introduced in Junos OS Release 12.1X45-D10.

Description Clear the binding state of a Dynamic Host Configuration Protocol (DHCPv6) client from
the DHCPv6 client table.

Options all—(Optional) Clear the binding state for all DHCPv6 clients.

interface interface-name—(Optional) Clear the binding state for DHCPv6 clients on the
specified interface.

routing-instance routing-instance-name—(Optional) Clear the binding state for DHCPv6


clients on the specified routing instance. If you do not specify a routing instance, the
binding state is cleared for DHCPv6 clients on the default routing instance.

Required Privilege Level clear

Related Documentation
• show dhcpv6 client binding on page 396

Output Fields This command produces no output.


clear dhcp client statistics

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax clear dhcp client statistics
<all | interface interface-name>
<routing-instance routing-instance-name>

Release Information Command introduced in Junos OS Release 12.1X44-D10.

Description Clear Dynamic Host Configuration Protocol (DHCP) client statistics.

Options all—(Optional) Clear the statistics for all DHCP clients.

interface interface-name—(Optional) Clear the statistics for DHCP clients on the specified
interface.

routing-instance routing-instance-name—(Optional) Clear the statistics for DHCP clients
on the specified routing instance. If you do not specify a routing instance, statistics
are cleared for the default routing instance.

Required Privilege Level clear

Related Documentation
• show dhcp client statistics on page 398
• Administration Guide for Security Devices

Output Fields This command produces no output.


clear dhcpv6 client statistics

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax clear dhcpv6 client statistics
<routing-instance routing-instance-name>

Release Information Command introduced in Junos OS Release 12.1X45-D10.

Description Clear all DHCPv6 client statistics.

Options routing-instance routing-instance-name—(Optional) Clear the statistics for DHCPv6 clients
on the specified routing instance. If you do not specify a routing instance, statistics
are cleared for the default routing instance.

Required Privilege Level clear

Related Documentation
• show dhcpv6 client statistics on page 400

Output Fields This command produces no output.


clear dhcp relay binding

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax clear dhcp relay binding
<all | ip-address | mac-address>
<interface interface-name>
<routing-instance routing-instance-name>

Release Information Command introduced in Junos OS Release 12.1X44-D10.

Description Clear the binding state of a Dynamic Host Configuration Protocol (DHCP) client from
the client table on the DHCP relay agent.

Options all—(Optional) Clear the binding state for all DHCP clients.

ip-address— (Optional) Clear the binding state for the DHCP client, using the specified
IP address.

mac-address—(Optional) Clear the binding state for the DHCP client, using the specified
MAC address.

interface interface-name—(Optional) Clear the binding state for DHCP clients on the
specified interface

routing-instance routing-instance-name—(Optional) Clear the binding state for DHCP
clients on the specified routing instance. If you do not specify a routing instance, the
binding state is cleared for the default routing instance.

Required Privilege Level clear

Related Documentation
• show dhcp relay binding on page 402
• Administration Guide for Security Devices

Output Fields This command produces no output.


clear dhcp relay statistics

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax clear dhcp relay statistics
<routing-instance routing-instance-name>

Release Information Command introduced in Junos OS Release 12.1X44-D10.

Description Clear all Dynamic Host Configuration Protocol (DHCP) relay statistics.

Options routing-instance routing-instance-name—(Optional) Clear the DHCP relay statistics on
the specified routing instance. If you do not specify a routing instance name, statistics
are cleared for the default routing instance.

Required Privilege Level clear

Related Documentation
• show dhcp relay statistics on page 404
• Administration Guide for Security Devices

Output Fields This command produces no output.


clear dhcp server binding

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax clear dhcp server binding
<all | ip-address | mac-address>
<interface interface-name>
<routing-instance routing-instance-name>

Release Information Command introduced in Junos OS Release 12.1X44-D10.

Description Clear the binding state of a Dynamic Host Configuration Protocol (DHCP) client from
the client table on the DHCP local server.

Options all—(Optional) Clear the binding state for all DHCP clients.

ip-address— (Optional) Clear the binding state for the DHCP client, using the specified
IP address.

mac-address—(Optional) Clear the binding state for the DHCP client, using the specified
MAC address.

interface interface-name—(Optional) Clear the binding state for DHCP clients on the
specified interface.

routing-instance routing-instance-name—(Optional) Clear the binding state for DHCP
clients on the specified routing instance.

Required Privilege Level clear

Related Documentation
• show dhcp server binding on page 406
• Administration Guide for Security Devices

Output Fields This command produces no output.


clear dhcp server statistics

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax clear dhcp server statistics
<routing-instance routing-instance-name>

Release Information Command introduced in Junos OS Release 12.1X44-D10.

Description Clear all Dynamic Host Configuration Protocol (DHCP) local server statistics.

Options routing-instance routing-instance-name—(Optional) Clear the statistics for DHCP clients
on the specified routing instance. If you do not specify a routing instance, statistics
are cleared for the default routing instance.

Required Privilege Level clear

Related Documentation
• show dhcp server statistics on page 408
• Administration Guide for Security Devices

Output Fields This command produces no output.


clear dhcpv6 server binding (Local Server)

Supported Platforms J Series, LN Series, SRX Series

Syntax clear dhcpv6 server binding
<all | client-id | ip-address | session-id>
<interface interface-name>
<routing-instance routing-instance-name>

Release Information Command introduced in Junos OS Release 10.4.

Description Clear the binding state of a DHCPv6 client from the client table on the DHCPv6 local
server.

Options • all—(Optional) Clear the binding state for all DHCPv6 clients.

• client-id—(Optional) Clear the binding state for the DHCPv6 client with the specified
client ID (option 1).

• ip-address—(Optional) Clear the binding state for the DHCPv6 client with the specified
address.

• session-id—(Optional) Clear the binding state for the DHCPv6 client with the specified
session ID.

• interface interface-name—(Optional) Clear the binding state for DHCPv6 clients on
the specified interface.

• routing-instance routing-instance-name—(Optional) Clear the binding state for DHCPv6
clients on the specified routing instance.

Required Privilege Level clear

Related Documentation
• show dhcpv6 server binding (View) on page 410
• Junos OS Interfaces Library for Security Devices
• Administration Guide for Security Devices


clear dhcpv6 server statistics (Local Server)

Supported Platforms J Series, LN Series, SRX Series

Syntax clear dhcpv6 server statistics
<logical-system logical-system-name>
<routing-instance routing-instance-name>

Release Information Command introduced in Junos OS Release 10.4.

Description Clear all DHCPv6 local server statistics.

Options logical-system logical-system-name—(Optional) Clear the statistics for DHCPv6 clients
on the specified logical system. If you do not specify a logical system, statistics are
cleared for the default logical system.

routing-instance routing-instance-name—(Optional) Clear the statistics for DHCPv6 clients
on the specified routing instance. If you do not specify a routing instance, statistics
are cleared for the default routing instance.

Required Privilege Level clear

Related Documentation
• show dhcpv6 server statistics (View) on page 414
• Administration Guide for Security Devices


clear system login lockout

Supported Platforms J Series, LN Series, SRX Series

Syntax clear system login lockout
<all | username>

Release Information Command introduced in Junos OS Release 11.2.

Description Unlock a user account that was locked as a result of repeated invalid login attempts.
Before clearing a lockout, check the login failures that caused it (see show system
login lockout) so that you do not unlock an account that is being targeted by password
guessing.

Options all—Clear all locked user accounts.

username—Clear the lock on the specified user account.

Required Privilege Level clear

Related Documentation
• show system login lockout on page 428
• Administration Guide for Security Devices

Output Fields This command produces no output.


file archive

Supported Platforms SRX Series

Syntax file archive destination destination source source
<compress>

Release Information Command introduced before Junos OS Release 7.4.

Description Archive, and optionally compress, one or multiple local system files as a single file, locally
or at a remote location.

Options destination destination—Name of the archive to create. Specify the destination as a URL or a filename.

source source—Path of the file or directory to archive. A wildcard pattern such as /var/log/messages* archives every matching file.

compress—(Optional) Compress the archive with the GNU zip (gzip) compression utility. The compressed archive has the suffix .tgz.

Required Privilege Level maintenance

Related Documentation • Administration Guide for Security Devices

List of Sample Output file archive (Multiple Files) on page 338
file archive (Single File) on page 338
file archive (with Compression) on page 339

Output Fields When you enter this command, you are provided feedback on the status of your request.

Sample Output
file archive (Multiple Files)

The following sample command archives every file in /var/log whose name matches messages* (the current and rotated message logs) as the single file /var/log/messages-archive.tar.

user@host> file archive source /var/log/messages* destination /var/log/messages-archive.tar
/usr/bin/tar: Removing leading / from absolute path names in the archive.

file archive (Single File)

The following sample command archives the single file /var/log/messages as /var/log/messages-archive.tar.

user@host> file archive source /var/log/messages destination /var/log/messages-archive.tar
/usr/bin/tar: Removing leading / from absolute path names in the archive.


file archive (with Compression)

The following sample command archives and compresses every file matching /var/log/messages* as the single file /var/log/messages-archive.tgz.

user@host> file archive compress source /var/log/messages* destination /var/log/messages-archive.tgz
/usr/bin/tar: Removing leading / from absolute path names in the archive.


file checksum md5

Supported Platforms SRX Series

Syntax file checksum md5 path

Release Information Command introduced before Junos OS Release 7.4.

Description Calculate the Message Digest 5 (MD5) checksum of a file. MD5 is no longer collision resistant; to verify the integrity of a software image or other file against a published hash, prefer file checksum sha-256 and use this command only when nothing stronger is published.

Options path—(Optional) Path to a filename.

Required Privilege Level maintenance

Related Documentation • Administration Guide for Security Devices
• file checksum sha1 on page 341
• file checksum sha-256 on page 342

List of Sample Output file checksum md5 on page 340

Output Fields When you enter this command, you are provided feedback on the status of your request.

Sample Output
file checksum md5
user@host> file checksum md5 jbundle-5.3R2.4-export-signed.tgz
MD5 (jbundle-5.3R2.4-export-signed.tgz) = 2a3b69e43f9bd4893729cc16f505a0f5


file checksum sha1

Supported Platforms SRX Series

Syntax file checksum sha1 path

Release Information Command introduced in Junos OS Release 9.5.

Description Calculate the Secure Hash Algorithm 1 (SHA-1) checksum of a file. SHA-1 is no longer considered collision resistant; prefer file checksum sha-256 for integrity verification.

Options path—(Optional) Path to a filename.

Required Privilege Level maintenance

Related Documentation • Administration Guide for Security Devices
• file checksum md5 on page 340
• file checksum sha-256 on page 342

List of Sample Output file checksum sha1 on page 341

Output Fields When you enter this command, you are provided feedback on the status of your request.

Sample Output
file checksum sha1
user@host> file checksum sha1 /var/db/scripts/commitscript.slax
SHA1 (/var/db/scripts/commitscript.slax) = ba9e47120c7ce55cff29afd73eacd370e162c676


file checksum sha-256

Supported Platforms SRX Series

Syntax file checksum sha-256 path

Release Information Command introduced in Junos OS Release 9.5.

Description Calculate the SHA-256 (Secure Hash Algorithm 2 family) checksum of a file. Use this command, rather than md5 or sha1, when verifying a downloaded software image or other file against a published checksum.

Options path—(Optional) Path to a filename.

Required Privilege Level maintenance, view, view-configuration

Related Documentation • Administration Guide for Security Devices
• file checksum sha1 on page 341
• file checksum md5 on page 340

List of Sample Output file checksum sha-256 on page 342

Output Fields When you enter this command, you are provided feedback on the status of your request.

Sample Output
file checksum sha-256
user@host> file checksum sha-256 /var/db/scripts/commitscript.slax
SHA256 (/var/db/scripts/commitscript.slax) = 94c2b061fb55399e15babd2529453815601a602b5c98e5c12ed929c9d343dd71

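The three file checksum commands above print a digest; the integrity check is what you do with it. The following is an added example in Python, not Junos OS code or a Juniper tool: it parses a file checksum output line of the form shown in the samples, recomputes the digest of a local copy in chunks, compares it with a published value in constant time, and refuses to accept an MD5 or SHA-1 match as proof of integrity. The sample file contents and the helper names are constructed for the example; the two output lines it parses are the ones shown on this page.

```python
"""Verify a file against a published checksum, the way you would check a
downloaded Junos OS image before installing it.

Added example, not Junos OS code. It parses the line that file checksum
prints, recomputes the digest locally, and refuses to treat an MD5 or SHA-1
match as proof of integrity.
"""
import hashlib
import hmac
import os
import re
import tempfile

# CLI keyword -> hashlib name, and the output label the CLI prints for each.
ALGORITHMS = {"md5": "md5", "sha1": "sha1", "sha-256": "sha256"}
LABEL_TO_KEYWORD = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha-256"}

# Only SHA-256 is accepted for integrity decisions: MD5 and SHA-1 are not
# collision resistant, so a matching digest alone proves little.
STRONG = {"sha-256"}

# One output line, e.g.  SHA256 (/var/db/scripts/commitscript.slax) = 94c2...
_LINE = re.compile(r"^(MD5|SHA1|SHA256) \((.+)\) = ([0-9a-fA-F]+)\s*$")

# Constructed sample data standing in for a downloaded image.
SAMPLE_DATA = b"constructed sample image bytes\n" * 1000
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_DATA).hexdigest()
SAMPLE_MD5 = hashlib.md5(SAMPLE_DATA).hexdigest()


def parse_checksum_line(line):
    """Return (cli_keyword, path, lowercase_hexdigest) for one file checksum output line."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError("not a file checksum output line: %r" % line)
    label, path, digest = m.groups()
    return LABEL_TO_KEYWORD[label], path, digest.lower()


def compute_checksum(path, keyword="sha-256"):
    """Hash a file in 64 KiB chunks so a large image does not have to fit in memory."""
    h = hashlib.new(ALGORITHMS[keyword])
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file(path, expected_hex, keyword="sha-256", require_strong=True):
    """Return True if the file's digest equals expected_hex.

    With require_strong (the default), a request to verify with md5 or sha1 is
    rejected with ValueError instead of being silently accepted.
    """
    if keyword not in ALGORITHMS:
        raise ValueError("unknown checksum keyword: %s" % keyword)
    if require_strong and keyword not in STRONG:
        raise ValueError("%s is not acceptable for integrity verification; use sha-256" % keyword)
    actual = compute_checksum(path, keyword)
    # Digests are public, but a constant-time compare is the habit to keep.
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def verify_cli_output(line, path, expected_hex):
    """Check a pasted file checksum line against a published value.

    The algorithm must be strong and the path in the output must be the file
    you meant; both are easy to get wrong when copying from a terminal.
    """
    keyword, reported_path, digest = parse_checksum_line(line)
    if keyword not in STRONG:
        raise ValueError("output is from %s; rerun with file checksum sha-256" % keyword)
    if reported_path != path:
        raise ValueError("checksum is for %s, not %s" % (reported_path, path))
    return hmac.compare_digest(digest, expected_hex.strip().lower())


def write_sample_file(data=SAMPLE_DATA):
    """Write the constructed sample to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".tgz")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


if __name__ == "__main__":
    p = write_sample_file()
    print("sha-256 ok:", verify_file(p, SAMPLE_SHA256))
    print("tampered :", verify_file(p, "00" * 32))
    os.unlink(p)
```

Run it against the image you copied off the device (file copy) and the checksum from the vendor's download page; a False result, or a ValueError because only an MD5 line was pasted, means the image is not yet verified and should not be installed.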

file compare

Supported Platforms SRX Series

Syntax file compare files from-file to-file <context | unified> <ignore-white-space>

Release Information Command introduced before Junos OS Release 7.4.

Description Compare two local files and describe the differences between them in the default, context, or unified output style:

• default—Each change begins with a line such as 100c100: c means lines were changed between the two files, d means lines were deleted, and a means lines were added. The line numbers before the letter refer to the first file, and the line numbers after it refer to the second file. Output lines beginning with a left angle bracket (<) come from the first file; lines beginning with a right angle bracket (>) come from the second file.

• context—Each hunk is shown in two parts: the first part shows the lines from the first file, the second part the corresponding lines from the second file. Output lines preceded by an exclamation point (!) have changed, additions are marked with a plus sign (+), and deletions are marked with a minus sign (-).

• unified—Each hunk begins with a header of the form @@ -start,count +start,count @@ giving the starting line and the number of lines shown from the first and the second file. Within the hunk, lines added in the second file are marked with a plus sign (+) and lines deleted from the first file with a minus sign (-); unmarked lines are context common to both. A changed line appears as a deletion followed by an addition.

Options files from-file—Name of the first file to compare.

files to-file—Name of the second file, which is compared against the first.

context—(Optional) Display output in context format.

ignore-white-space—(Optional) Ignore changes in the amount of white space.

unified—(Optional) Display output in unified format.

Required Privilege Level none

Related Documentation • Administration Guide for Security Devices

List of Sample Output file compare files on page 344
file compare files context on page 344
file compare files unified on page 344
file compare files unified ignore-white-space on page 344

Output Fields When you enter this command, you are provided feedback on the status of your request.


Sample Output
file compare files
user@host> file compare files /tmp/one /tmp/two
100c100
< full-name "File 1";
---
> full-name "File 2";
102c102
< class foo; # 'foo' is not defined
---
> class super-user;

file compare files context
user@host> file compare files /tmp/one /tmp/two context
*** /tmp/one Wed Dec 3 17:12:50 2003
--- /tmp/two Wed Dec 3 09:13:14 2003
***************
*** 97,104 ****
}
}
user bill {
! full-name "Bill Smith";
! class foo; # 'foo' is not defined
authentication {
encrypted-password SECRET;
}
--- 97,105 ----
}
}
user bill {
! full-name "Bill Smith";
! uid 1089;
! class super-user;
authentication {
encrypted-password SECRET;
}

file compare files unified
user@host> file compare files /tmp/one /tmp/two unified
--- /tmp/one Wed Dec 3 17:12:50 2003
+++ /tmp/two Wed Dec 3 09:13:14 2003
@@ -97,8 +97,9 @@
}
}
user bill {
- full-name "Bill Smith";
- class foo; # 'foo' is not defined
+ full-name "Bill Smith";
+ uid 1089;
+ class super-user;
authentication {
encrypted-password SECRET;
}

file compare files unified ignore-white-space
user@host> file compare files /tmp/one /tmp/two unified ignore-white-space
--- /tmp/one Wed Dec 3 09:13:10 2003
+++ /tmp/two Wed Dec 3 09:13:14 2003
@@ -99,7 +99,7 @@
user bill {
full-name "Bill Smith";
uid 1089;
- class foo; # 'foo' is not defined
+ class super-user;
authentication {
encrypted-password <SECRET>; # SECRET-DATA
}

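The unified format described above is the one worth parsing when file compare is used to check a configuration file for drift. The following is an added example in Python, not Junos OS code: it implements a parser for that format, reads each hunk header to recover the line numbers in both files, classifies every line as context, deletion, or addition, and flags added statements that grant privilege or set credentials, such as the change to class super-user in the sample. The input is the unified sample shown on this page, reproduced as a constructed string; the list of sensitive patterns is an assumption to adapt to local policy.

```python
"""Triage the unified output of file compare files ... unified.

Added example, not Junos OS code. It parses the unified format the command
prints (hunk headers of the form @@ -start,count +start,count @@ and lines
prefixed with ' ', '-' or '+'), recovers the line number of every change in
each file, and flags added statements that grant privilege or set credentials.
"""
import re
from collections import namedtuple

# kind is "context", "delete" or "add"; a deletion has new_line None and an
# addition has old_line None. Line numbers are 1-based, as in the diff header.
Change = namedtuple("Change", "kind old_line new_line text")

_HUNK = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

# Constructed input: the unified sample shown on this page for /tmp/one and /tmp/two.
SAMPLE_UNIFIED = """\
--- /tmp/one Wed Dec 3 17:12:50 2003
+++ /tmp/two Wed Dec 3 09:13:14 2003
@@ -97,8 +97,9 @@
     }
 }
 user bill {
-    full-name "Bill Smith";
-    class foo; # 'foo' is not defined
+    full-name "Bill Smith";
+    uid 1089;
+    class super-user;
     authentication {
         encrypted-password SECRET;
     }
"""

# Statements whose addition deserves review. The list is an assumption made
# for this example; extend it to match local policy.
SENSITIVE = [
    re.compile(r"^class\s+super-user;"),
    re.compile(r"^encrypted-password\s"),
    re.compile(r"^authentication-order\s"),
    re.compile(r"^root-authentication"),
]


def parse_unified(text):
    """Yield one Change per diff line, with 1-based line numbers in each file."""
    old = new = None
    for raw in text.splitlines():
        m = _HUNK.match(raw)
        if m:
            old, new = int(m.group(1)), int(m.group(3))
            continue
        if old is None:
            continue  # the --- / +++ file headers and anything else before the first hunk
        tag, body = raw[:1], raw[1:].strip()
        if tag == "-":
            yield Change("delete", old, None, body)
            old += 1
        elif tag == "+":
            yield Change("add", None, new, body)
            new += 1
        elif tag == " " or raw == "":
            yield Change("context", old, new, body)  # an empty raw line is a blank context line
            old += 1
            new += 1
        else:
            raise ValueError("unexpected diff line: %r" % raw)


def flag_sensitive_additions(text):
    """Return [(line_in_second_file, statement)] for added lines matching SENSITIVE."""
    return [
        (ch.new_line, ch.text)
        for ch in parse_unified(text)
        if ch.kind == "add" and any(p.search(ch.text) for p in SENSITIVE)
    ]


if __name__ == "__main__":
    for line_no, stmt in flag_sensitive_additions(SAMPLE_UNIFIED):
        print("line %d of second file: %s" % (line_no, stmt))
```

The same parser applies to the ignore-white-space variant, since only the selection of changes differs, not the format. Deletions are reported with their line number in the first file, so a removed authentication statement can be located in the previous configuration just as easily.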

file copy

Supported Platforms SRX Series

Syntax file copy source destination
       <source-address source-address>

Release Information Command introduced before Junos OS Release 7.4.

Description Copy files from one location to another location on the local device or to a location on a
remote device that is reachable by the local device.

WARNING: SSLv3 is no longer supported or available. The sslv3-support option, which enabled SSLv3 for a Junos XML protocol client application connecting to the Junos XML protocol server on a device (set system services xnm-ssl sslv3-support) and allowed files to be copied from an SSLv3 URL (file copy source destination sslv3-support), cannot be configured with either command.

Using SSLv3 presents a potential security vulnerability, and we recommend that you not use it. For more details about this vulnerability, go to http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10656.

Required Privilege Level maintenance

Related Documentation • Administration Guide for Security Devices

List of Sample Output Copy a File from the Local Device to a Personal Computer on page 346
Copy a Configuration File Between Routing Engines on page 347
Copy a Log File Between Routing Engines on page 347
Copy a File Using FTP on page 347
Copy a File Using FTP and Requiring a Password on page 347
Copy a File Using Secure Copy on page 347

Sample Output
The following are examples of a variety of file copy scenarios.

Copy a File from the Local Device to a Personal Computer

user@host> file copy /var/tmp/rpd.core.4 mypc:/c/exampleo/tmp

...transferring.file...... | 0 KB | 0.3 kB/s | ETA: 00:00:00 | 100%


Copy a Configuration File Between Routing Engines

The following sample command copies a configuration file from Routing Engine 0 to
Routing Engine 1:

user@host> file copy /config/example.conf re1:/var/tmp/copied-example.conf

Copy a Log File Between Routing Engines

The following sample command copies a log file from Routing Engine 0 to Routing Engine
1:

user@host> file copy lcc0-re0:/var/log/chassisd lcc0-re1:/var/tmp

Copy a File Using FTP

To use anonymous FTP to copy a local file to a remote system:

user@host> file copy filename ftp://hostname/filename

In the following example, /config/example.conf is the local file and hostname is the FTP server:

user@host> file copy /config/example.conf ftp://hostname/example.conf
Receiving ftp://hostname/example.conf (2198 bytes): 100%
2198 bytes transferred in 0.0 seconds (2.69 MBps)

FTP transfers the file, and any credentials, in cleartext. Prefer scp (see Copy a File Using Secure Copy) when the remote system supports it.

Copy a File Using FTP and Requiring a Password

To use FTP with a named user account, for which you are prompted for a password:

root@host> file copy filename ftp://user@hostname/filename

In the following example, /config/example.conf is the local file and hostname is the FTP server:

root@host> file copy /config/example.conf ftp://user@hostname/example.conf
Password for user@hostname: ******
Receiving ftp://user@hostname/example.conf (2198 bytes): 100%
2198 bytes transferred in 0.0 seconds (2.69 MBps)

The prompt keeps the password out of the command line and the CLI history, but FTP still sends it to the server in cleartext.

Copy a File Using Secure Copy

To use scp to copy a local file to a remote system:

root@host> file copy filename scp://user@hostname/path/filename

In the following example, /config/example.conf is the local file, user is the username, and ssh-host is the scp server:

root@host> file copy /config/example.conf scp://user@ssh-host/tmp/example.conf
user@ssh-host's password: ******
example.conf 100% |*********************************************************************************| 2198 00:00

The first connection to a host prompts you to accept its SSH host key; confirm the fingerprint out of band before answering yes.


file delete

Supported Platforms SRX Series

Syntax file delete path
       <purge>

Release Information Command introduced before Junos OS Release 7.4.

Description Delete a path on the device.

Options path—Name of the path to delete.

purge—(Optional) Overwrite regular files before deleting them.

Required Privilege Level maintenance

Related Documentation • Administration Guide for Security Devices

List of Sample Output file delete on page 348

Output Fields When you enter this command, you are provided feedback on the status of your request.

Sample Output
file delete
user@host> file list /var/tmp
dcd.core
rpd.core
snmpd.core

user@host> file delete /var/tmp/snmpd.core


user@host> file list /var/tmp
dcd.core
rpd.core


file list

Supported Platforms SRX Series

Syntax file list path
       <detail | recursive>

Release Information Command introduced before Junos OS Release 7.4.

Description Display a list of files and directories on the device.

Options path—(Optional) File or directory to list. If omitted, the home directory of the logged-in user is listed.

detail | recursive—(Optional) Display detailed output or descend recursively through the directory hierarchy, respectively.

Additional Information The default directory is the home directory of the user logged in to the device. To view
available directories, enter a space and then a slash (/) after the file list command. To
view files within a specific directory, include a slash followed by the directory and,
optionally, subdirectory name after the file list command.

Required Privilege Level maintenance

Related Documentation • Administration Guide for Security Devices

List of Sample Output file list on page 349

Output Fields When you enter this command, you are provided feedback on the status of your request.

Sample Output
file list
user@host> file list /var/tmp
dcd.core
rpd.core
snmpd.core


file rename

Supported Platforms SRX Series

Syntax file rename source destination

Release Information Command introduced before Junos OS Release 7.4.

Description Rename a file on the device.

Options destination—New name for the file.

source—Original name of the file.

Required Privilege Level maintenance

Related Documentation • Administration Guide for Security Devices

List of Sample Output file rename on page 350

Output Fields When you enter this command, you are provided feedback on the status of your request.

Sample Output
file rename

The following example lists the files in /var/tmp, renames one of the files, and then
displays the list of files again to reveal the newly named file.

user@host> file list /var/tmp
dcd.core
rpd.core
snmpd.core

user@host> file rename /var/tmp/dcd.core /var/tmp/dcd.core.990413

user@host> file list /var/tmp
dcd.core.990413
rpd.core
snmpd.core


file show

Supported Platforms SRX Series

Syntax file show filename
       <encoding (base64 | raw)>

Release Information Command introduced before Junos OS Release 7.4.

Description Display the contents of a file.

Options filename—Name of a file.

encoding (base64 | raw)—(Optional) Encode file contents with base64 encoding or show
raw text.

Required Privilege Level maintenance

Related Documentation • Administration Guide for Security Devices

List of Sample Output file show on page 351

Output Fields When you enter this command, you are provided feedback on the status of your request.

Sample Output
file show
user@host> file show /var/log/messages
Apr 13 21:00:08 romney /kernel: so-1/1/2: loopback suspected; going to standby.
Apr 13 21:00:40 romney /kernel: so-1/1/2: loopback suspected; going to standby.
Apr 13 21:02:48 romney last message repeated 4 times
Apr 13 21:07:04 romney last message repeated 8 times
Apr 13 21:07:13 romney /kernel: so-1/1/0: Clearing SONET alarm(s) RDI-P
Apr 13 21:07:29 romney /kernel: so-1/1/0: Asserting SONET alarm(s) RDI-P
...


request dhcp client renew

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax request dhcp client renew
       (all | interface interface-name)
       <routing-instance routing-instance-name>

Release Information Command introduced in Junos OS Release 12.1X44-D10.

Description Initiate a renew request for the specified DHCP clients if they are in the bound state.

Options all—Initiate renew requests for all DHCP clients. If you specify a routing instance, renew requests are initiated for all DHCP clients within that routing instance.

interface interface-name—Initiate renew requests for DHCP clients on the specified interface.

routing-instance routing-instance-name—Initiate renew requests for DHCP clients in the specified routing instance. If you do not specify a routing instance, renew requests are initiated on the default routing instance.

Required Privilege Level view

Related Documentation • Administration Guide for Security Devices

Output Fields This command produces no output.


request dhcpv6 client renew

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax request dhcpv6 client renew
       (all | interface interface-name)
       <routing-instance routing-instance-name>

Release Information Command introduced in Junos OS Release 12.1X45-D10.

Description Initiate a renew request for the specified DHCPv6 clients if they are in the bound state.

Options all—Initiate renew requests for all DHCPv6 clients. If you specify a routing instance, renew requests are initiated for all DHCPv6 clients within that routing instance.

interface interface-name—Initiate renew requests for DHCPv6 clients on the specified interface.

routing-instance routing-instance-name—Initiate renew requests for DHCPv6 clients in the specified routing instance. If you do not specify a routing instance, renew requests are initiated on the default routing instance.

Required Privilege Level view

Output Fields This command produces no output.


request system autorecovery state

Supported Platforms LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax request system autorecovery state (save | recover | clear)

Release Information Command introduced in Junos OS Release 11.2.

Description Save, verify and recover, or clear the autorecovery copies of the configuration, licenses, and disk partitioning information.

Options save—Save the current state of the disk partitioning, configuration, and licenses for autorecovery. The active Junos OS configuration is saved as the rescue configuration, after which the rescue configuration, licenses, and disk partitioning information are saved for autorecovery. Autorecovery information must be saved with this command before the autorecovery feature can verify the integrity of the data on every bootup.

NOTE:
• Any recovery performed at a later stage restores the data to the state it was in when the save command was executed, so save again after every deliberate configuration or license change; otherwise a later recovery reverts that change.
• A fresh rescue configuration is generated when the command is executed. Any existing rescue configuration is overwritten.

recover—Recover the disk partitioning, configuration, and licenses. After autorecovery data has been saved, the integrity of the saved items is checked automatically on every bootup. The recover option lets you rerun those checks at any time and repairs any item that fails, as the sample output shows for a license file.

clear—Clear all saved autorecovery information. Only the autorecovery information is deleted; the original copies of the data used by the device are not affected. Clearing the autorecovery information also disables all autorecovery integrity checks performed during bootup.

Required Privilege Level maintenance

Related Documentation • show system autorecovery state on page 419
• Installation and Upgrade Guide for Security Devices

List of Sample Output request system autorecovery state save on page 355
request system autorecovery state recover on page 355
request system autorecovery state clear on page 355

Output Fields When you enter this command, you are provided feedback on the status of your request.


Sample Output
request system autorecovery state save
user@host> request system autorecovery state save
Saving config recovery information
Saving license recovery information
Saving bsdlabel recovery information

Sample Output
request system autorecovery state recover
user@host> request system autorecovery state recover
Configuration:
  File             Recovery Information  Integrity Check  Action / Status
  rescue.conf.gz   Saved                 Passed           None
Licenses:
  File             Recovery Information  Integrity Check  Action / Status
  JUNOS282736.lic  Saved                 Passed           None
  JUNOS282737.lic  Saved                 Failed           Recovered
BSD Labels:
  Slice            Recovery Information  Integrity Check  Action / Status
  s1               Saved                 Passed           None
  s2               Saved                 Passed           None
  s3               Saved                 Passed           None
  s4               Saved                 Passed           None

Sample Output
request system autorecovery state clear
user@host> request system autorecovery state clear
Clearing config recovery information
Clearing license recovery information
Clearing bsdlabel recovery information


request system download abort

Supported Platforms LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax request system download abort <download-id>

Release Information Command introduced in Junos OS Release 11.2.

Description Abort a download. The download instance is stopped and cannot be resumed. Any partially downloaded file is deleted to free disk space. Information about the download is retained and can be displayed with the corresponding show command until request system download clear is run.

NOTE: Only downloads in the active, paused, and error states can be aborted.

Options download-id—(Required) The ID number of the download to be aborted.

Required Privilege Level maintenance

Related Documentation • request system download start on page 360
• request system download pause on page 358
• request system download resume on page 359
• request system download clear on page 357
• Installation and Upgrade Guide for Security Devices

List of Sample Output request system download abort on page 356

Output Fields When you enter this command, you are provided feedback on the status of your request.

Sample Output
request system download abort
user@host> request system download abort 1
Aborted download #1


request system download clear

Supported Platforms LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax request system download clear

Release Information Command introduced in Junos OS Release 11.2.

Description Delete the history of completed and aborted downloads.

Required Privilege Level maintenance

Related Documentation • request system download start on page 360
• request system download pause on page 358
• request system download resume on page 359
• request system download abort on page 356
• Installation and Upgrade Guide for Security Devices

List of Sample Output request system download clear on page 357

Output Fields When you enter this command, you are provided feedback on the status of your request.

Sample Output
request system download clear
user@host> request system download clear
Cleared information on completed and aborted downloads


request system download pause

Supported Platforms LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax request system download pause <download-id>

Release Information Command introduced in Junos OS Release 11.2.

Description Suspend a particular download instance.

NOTE: Only downloads in the active state can be paused.

Options download-id—(Required) The ID number of the download to be paused.

Required Privilege Level maintenance

Related Documentation • request system download start on page 360
• request system download resume on page 359
• request system download abort on page 356
• request system download clear on page 357
• Installation and Upgrade Guide for Security Devices

List of Sample Output request system download pause on page 358

Output Fields When you enter this command, you are provided feedback on the status of your request.

Sample Output
request system download pause
user@host> request system download pause 1
Paused download #1


request system download resume

Supported Platforms LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax request system download resume download-id <max-rate>

Release Information Command introduced in Junos OS Release 11.2.

Description Resume a download that has been paused. Download instances that are not in progress
because of an error or that have been explicitly paused by the user can be resumed by
the user. The file will continue downloading from the point where it paused. By default,
the download resumes with the same bandwidth specified with the request system
download start command. The user can optionally specify a new (maximum) bandwidth
with the request system download resume command.

NOTE: Only downloads in the paused and error states can be resumed.

Options download-id—(Required) The ID number of the download to be resumed.

max-rate—(Optional) The maximum bandwidth for the download.

Required Privilege Level maintenance

Related Documentation • request system download start on page 360
• request system download pause on page 358
• request system download abort on page 356
• request system download clear on page 357
• Installation and Upgrade Guide for Security Devices

List of Sample Output request system download resume on page 359

Output Fields When you enter this command, you are provided feedback on the status of your request.

Sample Output
request system download resume
user@host> request system download resume 1
Resumed download #1


request system download start

Supported Platforms LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax request system download start url
       <max-rate max-rate>
       <save-as filename>
       <login username:password>
       <delay hours>

Release Information Command introduced in Junos OS Release 11.2.

Description Create a new download instance and identify it with a unique integer, the download ID, which the pause, resume, and abort commands take as their argument.

Options url—(Required) The FTP or HTTP URL of the file to be downloaded.

max-rate—(Optional) The maximum average bandwidth for the download. Numbers with the suffix k or K, m or M, and g or G are interpreted as kbps, Mbps, or Gbps, respectively.

save-as—(Optional) The filename under which the file is saved in /var/tmp.

login—(Optional) The username and password for the server, in the format username:password. Credentials given this way appear in the CLI command history and in any log of interactive commands, so use an account with only the access the download needs.

delay—(Optional) The number of hours after which the download starts.

Required Privilege Level maintenance

Related Documentation • request system download pause on page 358
• request system download resume on page 359
• request system download abort on page 356
• request system download clear on page 357
• Installation and Upgrade Guide for Security Devices

List of Sample Output request system download start on page 360

Output Fields When you enter this command, you are provided feedback on the status of your request.

Sample Output
request system download start
user@host> request system download start login user:passwd ftp://ftp-server//tftpboot/1m_file max-rate 1k
Starting download #1


request system firmware upgrade

Supported Platforms J Series, LN Series, SRX Series

Syntax request system firmware upgrade (fpc | pic | re | vcpu)

Release Information Command introduced in Junos OS Release 10.2.

Description Upgrade firmware on a system.

Options fpc—Upgrade FPC ROM monitor.

pic—Upgrade PIC firmware.

re—Upgrade the baseboard BIOS/FPGA. There is an active BIOS image and a backup BIOS image; specify re bios to upgrade the active image or re bios backup to upgrade the backup image, as in the sample output.

vcpu—Upgrade VCPU ROM monitor.

Required Privilege Level maintenance

Related Documentation • Installation and Upgrade Guide for Security Devices
• Administration Guide for Security Devices

List of Sample Output request system firmware upgrade on page 361

Output Fields When you enter this command, you are provided feedback on the status of your request.

Sample Output
request system firmware upgrade
user@host> request system firmware upgrade re bios
Part              Type            Tag  Current  Available  Status
                                       version  version
Routing Engine 0  RE BIOS         0    1.5      1.9        OK
Routing Engine 0  RE BIOS Backup  1    1.7      1.9        OK
Perform indicated firmware upgrade ? [yes,no] (no) yes

user@host> request system firmware upgrade re bios backup
Part              Type            Tag  Current  Available  Status
                                       version  version
Routing Engine 0  RE BIOS         0    1.5      1.9        OK
Routing Engine 0  RE BIOS Backup  1    1.7      1.9        OK
Perform indicated firmware upgrade ? [yes,no] (no) yes


request system license update

Supported Platforms J Series, LN Series, SRX Series

Syntax request system license update <trial>

Release Information Command introduced in Junos OS Release 9.5.

Description Start automatically updating license keys from the license management system (LMS) server.

Options trial—Starts autoupdating trial license keys from the LMS server.

Required Privilege Level maintenance

Related Documentation • Administration Guide for Security Devices
• UTM Overview Feature Guide for Security Devices
• Installation and Upgrade Guide for Security Devices

List of Sample Output request system license update on page 362
request system license update trial on page 362

Output Fields When you enter this command, you are provided feedback on the status of your request.

Sample Output
request system license update
user@host> request system license update
Request to automatically update license keys from https://ae1.juniper.net has been sent, use show system license to check status.

request system license update trial
user@host> request system license update trial
Request to automatically update trial license keys from https://ae1.juniper.net has been sent, use show system license to check status.


request system partition compact-flash

Supported Platforms J Series, LN Series

Syntax request system partition compact-flash

Release Information Command introduced in Junos OS Release 9.2.

Description Reboots the device and repartitions the compact flash. The compact flash is repartitioned
only if it is possible to restore all the data on the compact flash. Otherwise, the operation
is aborted, and a message is displayed indicating that the current disk usage needs to
be reduced.

Required Privilege Level maintenance

Related Documentation • Example: Installing Junos OS on SRX Series Devices Using the Partition Option
• Installation and Upgrade Guide for Security Devices

List of Sample Output request system partition compact-flash (If Yes) on page 363
request system partition compact-flash (If No) on page 363

Output Fields When you enter this command, you are provided feedback on the status of your request.

Sample Output
request system partition compact-flash (If Yes)
user@host> request system partition compact-flash
Are you sure you want to reboot and partition the compact-flash ? [yes,no] yes
Initiating repartition operation.
The operation may take several minutes to complete.
System will reboot now...
<System reboots>
<Repartition operation is performed>
<System reboots and starts up normally>

Sample Output
request system partition compact-flash (If No)
user@host> request system partition compact-flash
Are you sure you want to reboot and partition the compact-flash ? [yes,no] no

Administration Guide for Security Devices

request system power-off fpc

Supported Platforms J Series

Syntax request system (halt | power-off | reboot) power-off fpc

Release Information Command introduced in Junos OS Release 11.4.

Description Bring Flexible PIC Concentrators (FPCs) offline before Routing Engines are shut down.

Options • halt—Bring FPC offline and then halt the system.

• power-off—Bring FPC offline and then power off the system.

• reboot—Bring FPC offline and then reboot the system.

Required Privilege Level maintenance

Related Documentation • Installation and Upgrade Guide for Security Devices

List of Sample Output request system halt power-off fpc on page 364
request system power-off power-off fpc on page 364
request system reboot power-off fpc on page 364

Output Fields When you enter this command, you are provided feedback on the status of your request.

Sample Output
request system halt power-off fpc
user@host> request system halt power-off fpc
Halt the system ? [yes,no] (no) yes

Offline fpc slot 0

request system power-off power-off fpc
user@host> request system power-off power-off fpc
Power off the system ? [yes,no] (no) yes

Offline fpc slot 0

request system reboot power-off fpc
user@host> request system reboot power-off fpc
Reboot the system ? [yes,no] (no) yes

Offline fpc slot 0


request system services dhcp

Supported Platforms J Series, LN Series, SRX Series

Syntax request system services dhcp (release interface-name | renew interface-name)

Release Information Command introduced in Release 8.5 of Junos OS.

Description Release or renew the acquired IP address for a specific interface.

To view the status of the Dynamic Host Configuration Protocol (DHCP) clients on the
specified interfaces, enter the show system services dhcp client interface-name command.

Options • release interface-name —Clears other resources received earlier from the server, and
reinitializes the client state to INIT for the particular interface.

• renew interface-name —Reacquires an IP address from the server for the interface.
When you use this option, the command sends a discover message if the client state
is INIT and a renew request message if the client state is BOUND. For all other states
it performs no action.

Required Privilege Level maintenance

Related Documentation • dhcp

• show system services dhcp client on page 429

• Administration Guide for Security Devices

List of Sample Output request system services dhcp client release ge-1/0/1 on page 365
request system services dhcp client renew ge-1/0/1 on page 365

Output Fields This command produces no output.

Sample Output
request system services dhcp client release ge-1/0/1
user@host> request system services dhcp client release ge-1/0/1

Sample Output
request system services dhcp client renew ge-1/0/1
user@host> request system services dhcp client renew ge-1/0/1


request system snapshot (Maintenance)

Supported Platforms J Series, LN Series, SRX Series

Syntax request system snapshot
<factory>
<media (compact-flash | hard-disk | internal | usb)>
<node (all | local | node-id | primary)>
<partition>
<slice (alternate)>

Release Information Command introduced in Release 10.2 of Junos OS.

Description Back up the currently running and active file system partitions on the device.

Options • factory— (Optional) Specifies that only the files shipped from the factory are included
in the snapshot.

• media— (Optional) Specifies the media to be included in the snapshot:

• compact-flash— Copies the snapshot to an external compact flash.

• hard-disk— Copies the snapshot to a hard disk.

• usb— Copies the snapshot to the USB storage device.

• internal— Copies the snapshot to internal media. This is the default.

NOTE: USB option is available on all SRX series devices; hard disk and
compact-flash options are available only on high-end SRX series devices;
media internal option is available only on branch SRX series devices.

• node— (Optional) Specifies to archive the data and executable areas of a specific
node.

• node-id—Archive a specific node. The range of node ID is (0,1)

• all—Archive all nodes.

• local—Archive only local nodes.

• primary—Archive only primary nodes.

• partition— (Default) Specifies that the target media should be repartitioned before the
backup is saved to it.

NOTE:
• The target media is partitioned whether or not it is specified in the
command, because this is a mandatory option.

• You cannot partition a hard disk because it is mounted on the /var directory.

• slice— (Optional) Takes a snapshot of the root partition the system has currently
booted from to another slice in the same media.

• alternate— (Optional) Stores the snapshot on the other root partition in the system.

NOTE:
• The slice option cannot be used along with the other request system
snapshot options, because the options are mutually exclusive. If you use
the factory, media, or partition option, you cannot use the slice option;
if you use the slice option, you cannot use any of the other options.

• The slice partition is supported only on branch SRX Series devices.

Required Privilege Level maintenance

Related Documentation • Example: Installing Junos OS on SRX Series Devices Using the Partition Option

• Installation and Upgrade Guide for Security Devices

List of Sample Output request system snapshot media hard-disk on page 367
request system snapshot media usb (when USB device is missing) on page 367
request system snapshot media compact-flash on page 368
request system snapshot media internal on page 368
request system snapshot partition on page 368

Output Fields When you enter this command, you are provided feedback on the status of your request.

Sample Output
request system snapshot media hard-disk
user@host> request system snapshot media hard-disk
Verifying compatibility of destination media partitions...
Running newfs (880MB) on hard-disk media / partition (ad2s1a)...
Running newfs (98MB) on hard-disk media /config partition (ad2s1e)...
Copying '/dev/ad0s1a' to '/dev/ad2s1a' .. (this may take a few minutes)
...

request system snapshot media usb (when USB device is missing)
user@host> request system snapshot media usb
Verifying compatibility of destination media partitions...
Running newfs (254MB) on usb media / partition (da1s1a)...
Running newfs (47MB) on usb media /config partition (da1s1e)...
Copying '/dev/da0s2a' to '/dev/da1s1a' .. (this may take a few minutes)
Copying '/dev/da0s2e' to '/dev/da1s1e' .. (this may take a few minutes)
The following filesystems were archived: / /config

request system snapshot media compact-flash
user@host> request system snapshot media compact-flash
error: cannot snapshot to current boot device

request system snapshot media internal
user@host> request system snapshot media internal
error: cannot snapshot to current boot device

request system snapshot partition
user@host> request system snapshot partition
Verifying compatibility of destination media partitions...
Running newfs (439MB) on internal media / partition (da0s1a)...
Running newfs (46MB) on internal media /config partition (da0s1e)...
Copying '/dev/da1s1a' to '/dev/da0s1a' .. (this may take a few minutes)
Copying '/dev/da1s1e' to '/dev/da0s1e' .. (this may take a few minutes)
The following filesystems were archived: / /config


request system software abort in-service-upgrade (ICU)

Supported Platforms LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax request system software abort in-service-upgrade

Release Information Command introduced in Release 11.2 of Junos OS.

Description Abort an in-band cluster upgrade (ICU). This command must be issued from a router
session other than the one on which you issued the request system software
in-service-upgrade command that launched the ICU. If an ICU is in progress, this command
aborts it. If the node is being upgraded, this command cancels the upgrade. The command
is also helpful in recovering the node in case of a failed ICU.

Options This command has no options.

Required Privilege Level view

Related Documentation • request system software in-service-upgrade (Maintenance)

• Installation and Upgrade Guide for Security Devices

List of Sample Output request system software abort in-service-upgrade on page 369

Output Fields When you enter this command, you are provided feedback on the status of your request.

Sample Output
request system software abort in-service-upgrade
user@host> request system software abort in-service-upgrade
In-Service-Upgrade aborted


request system software add (Maintenance)

Supported Platforms J Series, LN Series, SRX Series

Syntax request system software add package-name

Release Information Partition option introduced in the command in Junos OS Release 10.1.

Description Installs the new software package on the device. For example: request system software
add junos-srxsme-10.0R2-domestic.tgz no-copy no-validate partition reboot.

Options • delay–restart — Installs the software package but does not restart the software process

• best-effort-load— Activate a partial load and treat parsing errors as warnings instead
of errors

• no-copy — Installs the software package but does not saves the copies of package
files

• no-validate— Does not check the compatibility with current configuration before
installation starts

• partition — Formats and re-partitions the media before installation

• reboot— Reboots the device after installation is completed

• unlink—Removes the software package after successful installation

• validate—Checks the compatibility with current configuration before installation starts

Required Privilege Level maintenance

Related Documentation • Installation and Upgrade Guide for Security Devices

• Administration Guide for Security Devices


request system reboot

Supported Platforms LN Series, SRX Series

Syntax request system reboot <at time> <in minutes> <media type> <message "text">

Release Information Command introduced in Junos OS Release 10.1.

Description Reboots the software.

Options • at time— Specifies the time at which to reboot the device. You can specify the time in one
of the following ways:

• now— Reboots the device immediately. This is the default.

• +minutes— Reboots the device in the number of minutes from now that you specify.

• yymmddhhmm— Reboots the device at the absolute time on the date you specify.
Enter the year, month, day, hour (in 24-hour format), and minute.

• hh:mm— Reboots the device at the absolute time you specify, on the current day.
Enter the time in 24-hour format, using a colon (:) to separate hours from minutes.

• in minutes— Specifies the number of minutes from now to reboot the device. This
option is a synonym for the at +minutes option.

• media type— Specifies the boot device to boot the device from:

• disk/internal— Reboots from the internal media. This is the default.

• usb— Reboots from the USB storage device.

• compact flash— Reboots from the external compact flash. This option is available
on the SRX650 Services Gateway.

• message text— Provides a message to display to all system users before the device
reboots.

Example: request system reboot at 5 in 50 media internal message stop
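The four forms of the at time argument above are easy to get wrong in automation (a two-digit year, a relative minute count versus an absolute clock time, an hh:mm that is already past on the current day). The following added example is not part of this guide or of Juniper's code; it resolves each form to an absolute timestamp exactly as the option descriptions state. The function names and the assumption that a two-digit year means 20yy are this example's own.

```python
"""Resolve the 'at time' value of 'request system reboot' to an absolute time.

Added example, not Junos OS documentation or Juniper code. It implements the
four forms the command reference lists for 'at time':
  now, +minutes, yymmddhhmm, hh:mm (24-hour, on the current day).
'in minutes' is a synonym for 'at +minutes' and is handled the same way.
"""
import re
from datetime import datetime, timedelta

_PLUS_MINUTES = re.compile(r"^\+(\d+)$")
_YYMMDDHHMM = re.compile(r"^(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})$")
_HHMM = re.compile(r"^(\d{1,2}):(\d{2})$")

FMT = "%Y-%m-%d %H:%M"


def resolve_reboot_time(spec: str, now: datetime) -> datetime:
    """Return the absolute reboot time for an 'at time' value.

    'now' is passed in explicitly so the result is deterministic rather
    than depending on the wall clock of the machine running this script.
    Raises ValueError for anything the CLI would reject.
    """
    spec = spec.strip()
    if spec == "now":                       # default: reboot immediately
        return now
    m = _PLUS_MINUTES.match(spec)           # +minutes (same as 'in minutes')
    if m:
        return now + timedelta(minutes=int(m.group(1)))
    m = _YYMMDDHHMM.match(spec)             # absolute date and time
    if m:
        yy, mo, dd, hh, mi = (int(g) for g in m.groups())
        # The reference gives no century rule for the two-digit year; this
        # example assumes 20yy. datetime() rejects impossible dates itself.
        return datetime(2000 + yy, mo, dd, hh, mi)
    m = _HHMM.match(spec)                   # absolute time on the current day
    if m:
        hh, mi = int(m.group(1)), int(m.group(2))
        if hh > 23 or mi > 59:
            raise ValueError(f"not a valid 24-hour time: {spec!r}")
        return now.replace(hour=hh, minute=mi, second=0, microsecond=0)
    raise ValueError(f"unrecognised 'at' value: {spec!r}")


def reboot_time(spec: str, now_text: str) -> str:
    """String wrapper: 'now_text' and the result use the 'YYYY-MM-DD HH:MM' form."""
    return resolve_reboot_time(spec, datetime.strptime(now_text, FMT)).strftime(FMT)


def minutes_until_reboot(spec: str, now_text: str) -> int:
    """Minutes from now until the scheduled reboot.

    Negative when the time is already past, which is what an hh:mm earlier
    than 'now' on the current day resolves to under the rule above.
    """
    now = datetime.strptime(now_text, FMT)
    delta = resolve_reboot_time(spec, now) - now
    return int(delta.total_seconds() // 60)


if __name__ == "__main__":
    for value in ("now", "+50", "1607081845", "23:05"):
        print(f"at {value:<12} -> {reboot_time(value, '2016-07-07 10:30')}")
```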

Required Privilege Level maintenance

Related Documentation • request system software rollback (Maintenance) on page 372


request system software rollback (Maintenance)

Supported Platforms J Series, LN Series, SRX Series

Syntax request system software rollback
<node node-id> | <all> | <local> | <primary>
<reboot>

Release Information Command introduced in Junos OS Release 10.1.

Description Revert to the software that was loaded at the last successful request system software
add command. Example: request system software rollback.

Options • node node-id—(High-end SRX Series devices only) Roll back the software to the previous
set of packages on a specific node.

• all— Roll back the software on all the nodes.

• local— Roll back the software on the local node.

• primary— Roll back the software on the primary node.

• reboot— Reboot the system after a roll back.

Required Privilege Level maintenance

Related Documentation • Installation and Upgrade Guide for Security Devices

• Administration Guide for Security Devices


request support information

Supported Platforms EX Series, M Series, MX Series, SRX Series, T Series

List of Syntax Syntax on page 373
Syntax (SRX Series) on page 373
Syntax (EX Series Switch and MX Series Router) on page 373
Syntax (TX Matrix Router) on page 373
Syntax (TX Matrix Plus Router) on page 373

Syntax request support information

Syntax (SRX Series) request support information
<node (node-id | all | local | primary)>

Syntax (EX Series Switch and MX Series Router) request support information
<all-members>
<local>
<member member-id>

Syntax (TX Matrix Router) request support information
<all-lcc | lcc number | scc>

Syntax (TX Matrix Plus Router) request support information
<all-chassis | all-lcc | lcc number | sfc number>

Release Information Command introduced before Junos OS Release 7.4.
Command introduced in Junos OS Release 9.0 for EX Series switches.

Description Display information about the system. Issue this command before contacting customer
support, and then include the command output in your support request. Output from
this command varies somewhat, depending on which platform you issue the command
from. However, the command always executes a series of show commands, with the
appropriate information for your device automatically included.

Options node node-id—(SRX Series) (Optional) Display system information for the specified node.
On SRX Series, replace node-id with a value of 0 or 1. This option applies only to
devices in an HA environment.

all—(SRX Series) (Optional) Display system information for all nodes.

local—(SRX Series) (Optional) Display system information for local node.

primary—(SRX Series) (Optional) Display system information for primary node.

all-chassis—(TX Matrix and TX Matrix Plus routers) (Optional) Display system information
for all chassis.

all-lcc—(TX Matrix and TX Matrix Plus routers) (Optional) On a TX Matrix router, display
system information for all T640 routers (or line-card chassis) connected to the TX
Matrix router. On a TX Matrix Plus router, display system information for all chassis
for all T1600 routers (or line-card chassis) connected to the TX Matrix Plus router.

all-members—(EX Series switches and MX Series routers) (Optional) Display system
information for all members of the Virtual Chassis configuration.

lcc number—(TX Matrix and TX Matrix Plus routers) (Optional) On a TX Matrix router,
display system information for a specific T640 router that is connected to the TX
Matrix router. On a TX Matrix Plus router, display system information for a
specific T1600 router that is connected to the TX Matrix Plus router. Replace number
with a value from 0 through 3.

local—(EX Series switches and MX Series routers) (Optional) Display system information
for the local Virtual Chassis member.

member member-id—(EX Series switches and MX Series routers) (Optional) Display
system information for the specified member of the Virtual Chassis configuration.
On EX Series switches, replace member-id with a value appropriate for that Virtual
Chassis configuration. On MX Series routers, replace member-id with a value of 0 or
1.

scc—(TX Matrix routers) (Optional) Display system information for the TX Matrix router
(or switch-card chassis).

sfc number—(TX Matrix Plus routers) (Optional) Display system information for the TX
Matrix Plus router (or switch-fabric chassis). Replace number with 0.

Additional Information The show commands issued as a result of this command vary depending on which
platform you issue the command from. Output is always appropriate for the device. For
example, Table 16 on page 374 lists the show commands that are called when you issue
request support information on an MX Series router.

Table 16: Sample show Commands Called by the request support information command on
an MX Series Router

show chassis alarms no-forwarding
show chassis environment no-forwarding
show chassis firmware no-forwarding
show chassis fpc detail
show chassis hardware detail no-forwarding
show chassis hardware extensive no-forwarding
show chassis routing-engine no-forwarding
show configuration | except SECRET-DATA
show interfaces extensive no-forwarding
show krt queue
show krt state
show pfe statistics error
show pfe statistics traffic
show route summary
show system boot-messages no-forwarding
show system buffer no-forwarding
show system core-dumps no-forwarding
show system processes extensive no-forwarding
show system queues no-forwarding
show system statistics no-forwarding
show system storage no-forwarding
show system uptime no-forwarding
show system virtual-memory no-forwarding
show version detail no-forwarding

The no-forwarding option ensures that all mgd processes associated with the show
command are properly halted if you break into the output (Ctrl+C) while the command
is still running.

Required Privilege Level maintenance

Related Documentation • Request Support Information Overview

List of Sample Output request support information | save on page 375
request support information scc (TX Matrix Router) on page 375
request support information sfc (TX Matrix Plus Router) on page 376
request support information (SRX Series) on page 379

Output Fields For information about output fields, see the description of the specific command
(listed in the output) in which you are interested.

Sample Output
request support information | save
user@host> request support information | save goose
Wrote 1143 lines of output to 'goose'

request support information scc (TX Matrix Router)
user@host> request support information scc

user@host> show system uptime

scc-re0:
--------------------------------------------------------------------------
Current time: 2004-09-15 00:49:06 PDT
System booted: 2004-09-14 12:53:26 PDT (11:55:40 ago)
Protocols started: 2004-09-14 12:54:19 PDT (11:54:47 ago)
Last configured: 2004-09-14 13:07:47 PDT (11:41:19 ago) by
12:49AM PDT up 11:56, 3 users, load averages: 0.00, 0.02, 0.03

lcc0-re0:
--------------------------------------------------------------------------
Current time: 2004-09-15 00:49:06 PDT
System booted: 2004-09-14 15:36:41 PDT (09:12:25 ago)
Last configured: 2004-09-14 15:38:06 PDT (09:11:00 ago) by root
12:49AM PDT up 9:12, 0 users, load averages: 0.13, 0.05, 0.02

lcc2-re0:
--------------------------------------------------------------------------
Current time: 2004-09-15 00:49:06 PDT
System booted: 2004-09-14 15:36:47 PDT (09:12:19 ago)
Last configured: 2004-09-14 15:38:09 PDT (09:10:57 ago) by root
12:49AM PDT up 9:12, 0 users, load averages: 0.00, 0.00, 0.00

user@host> show version

scc-re0:
--------------------------------------------------------------------------
Hostname: hostA
Model: TX Matrix
JUNOS Base OS boot [7.0I20040914_1707_mapte]
JUNOS Base OS Software Suite [7.0I20040907_1922_rtuplur]
JUNOS Kernel Software Suite [7.0I20040914_1707_mapte]
JUNOS Packet Forwarding Engine Support (T Series) [7.0I20040914_1707_mapte]
JUNOS Routing Software Suite [7.0I20040914_1707_mapte]
JUNOS Online Documentation [7.0I20040914_1707_mapte]
JUNOS Crypto Software Suite [7.0I20040914_1707_mapte]
JUNOS Support Tools Package [7.0-20040908.0]

lcc0-re0:
--------------------------------------------------------------------------
Hostname: hostB
Model: t640
JUNOS Base OS boot [7.0I20040914_1707_mapte]
JUNOS Base OS Software Suite [7.0I20040907_1922_rtuplur]
JUNOS Kernel Software Suite [7.0I20040914_1707_mapte]
JUNOS Packet Forwarding Engine Support (T-Series) [7.0I20040914_1707_mapte]
JUNOS Routing Software Suite [7.0I20040914_1707_mapte]
JUNOS Online Documentation [7.0I20040914_1707_mapte]
JUNOS Crypto Software Suite [7.0I20040914_1707_mapte]

lcc2-re0:
--------------------------------------------------------------------------
Hostname: dewey
Model: t640
JUNOS Base OS boot [7.0I20040914_1707_mapte]
JUNOS Base OS Software Suite [7.0I20040907_1922_rtuplur]
JUNOS Kernel Software Suite [7.0I20040914_1707_mapte]
JUNOS Packet Forwarding Engine Support (T-Series) [7.0I20040914_1707_mapte]
JUNOS Routing Software Suite [7.0I20040914_1707_mapte]
JUNOS Online Documentation [7.0I20040914_1707_mapte]
JUNOS Crypto Software Suite [7.0I20040914_1707_mapte]
...

The output sample is truncated to display some of the support details.

request support information sfc (TX Matrix Plus Router)
user@host> request support information sfc 0
sfc0-re0:
--------------------------------------------------------------------------

user@host> show system uptime no-forwarding

Current time: 2009-05-25 03:43:28 PDT
System booted: 2009-05-25 01:15:04 PDT (02:28:24 ago)
Protocols started: 2009-05-25 01:16:01 PDT (02:27:27 ago)
Last configured: 2009-05-25 03:03:42 PDT (00:39:46 ago) by
3:43AM up 2:28, 7 users, load averages: 0.00, 0.00, 0.00


user@host> show version detail no-forwarding

Hostname: aj
Model: txp
JUNOS Base OS boot [9.6-20090519.0]
JUNOS Base OS Software Suite [9.6-20090519.0]
JUNOS Kernel Software Suite [9.6-20090519.0]
...
user@host> show system core-dumps no-forwarding

-rw------- 1 root wheel 152223744 May 25 03:10 /var/crash/vmcore.0
-rw-r--r-- 1 bdeleon field 139417 May 22 10:17 /var/tmp/aj-core-apps-config-n-gres.txt
...
user@host> show chassis alarms no-forwarding

9 alarms currently active
Alarm time Class Description
2009-05-25 01:27:08 PDT Minor LCC 0 Minor Errors
2009-05-25 01:27:08 PDT Minor Spare SIB F13 6 Fault
...
user@host> show chassis hardware detail no-forwarding

Hardware inventory:
Item Version Part number Serial number Description
Chassis JN112F007AHB TXP
Midplane REV 05 710-022574 TS4027 SFC Midplane
FPM Display REV 03 710-024027 DX0282 TXP FPM Display
...
user@host> show system processes extensive no-forwarding

last pid: 6639; load averages: 0.00, 0.00, 0.00 up 0+02:28:54 03:43:28
161 processes: 5 running, 138 sleeping, 18 waiting

Mem: 236M Active, 227M Inact, 104M Wired, 392M Cache, 69M Buf, 2296M Free
Swap: 2048M Total, 2048M Free

PID USERNAME THR PRI NICE SIZE RES STATE TIME WCPU COMMAND
11 root 1 171 52 0K 12K RUN 143:00 96.78% idle
1530 root 1 96 0 38160K 24812K select 2:54 1.12% chassisd
1343 root 1 76 0 0K 12K 0:18 0.00% bcmLINK.0
1345 root 1 76 0 0K 12K 0:15 0.00% brq17: uhci1
uhci*
...
user@host> show pfe statistics error

Slot 4

SLCHIP Error statistics:

SLCHIP 0 1
-------------------------------------------------------
Lin XIF : 0 0
Lin SRCTL : 0 0
...
user@host> show pfe statistics traffic

Packet Forwarding Engine traffic statistics:
Input packets: 2590754 0 pps
Output packets: 2640010 0 pps
Packet Forwarding Engine local traffic statistics:
Local packets input : 2064527
Local packets output : 2115925
Software input control plane drops : 0
Software input high drops : 0
Software input medium drops : 0
Software input low drops : 0
Software output drops : 0
Hardware input drops : 0
Packet Forwarding Engine local protocol statistics:
HDLC keepalives : 0
ATM OAM : 0
Frame Relay LMI : 0
PPP LCP/NCP : 0
OSPF hello : 20048
OSPF3 hello : 109
RSVP hello : 3485
LDP hello : 7191
BFD : 0
IS-IS IIH : 11318
LACP : 0
ARP : 629
ETHER OAM : 930
Unknown : 13212
Packet Forwarding Engine hardware discard statistics:
Timeout : 0
Truncated key : 0
Bits to test : 0
Data error : 0
Stack underflow : 0
Stack overflow : 0
Normal discard : 18060
Extended discard : 0
Invalid interface : 0
Info cell drops : 0
Fabric drops : 0
Packet Forwarding Engine Input IPv4 Header Checksum Error and Output MTU Error
statistics:
Input Checksum : 0
Output MTU : 0

user@host> show chassis routing-engine no-forwarding

Routing Engine status:
Slot 0:
Current state Master
Election priority Master (default)
Temperature 32 degrees C / 89 degrees F
CPU temperature 46 degrees C / 114 degrees F
DRAM 3327 MB
...
user@host> show chassis environment no-forwarding

Class Item Status Measurement
Temp PEM 0 OK 30 degrees C / 86 degrees F
...
user@host> show chassis firmware no-forwarding

Part Type Version
Global FPC 4
Global FPC 6
Global FPC 7
...
user@host> show system boot-messages no-forwarding
...

The output sample is truncated to display some of the support details.

request support information (SRX Series)
user@host> request support information node 0
node0:
--------------------------------------------------------------------------

user@host> show system uptime

node0:
--------------------------------------------------------------------------
Current time: 2015-06-11 20:55:12 UTC
System booted: 2015-06-11 17:45:22 UTC (03:09:50 ago)
Protocols started: 2015-06-11 17:47:59 UTC (03:07:13 ago)
Last configured: 2015-04-27 17:41:45 UTC (6w3d 03:13 ago) by root
8:55PM up 3:10, 2 users, load averages: 0.09, 0.06, 0.01

user@host> show version detail no-forwarding

Hostname: tpsrx02
Model: srx1400
JUNOS Software Release [12.1-20150403_dev_x_121_x46.2]
JUNOS wmi Daemon [12.1I20140304_0803_tjzhang]
KERNEL 12.1-20150403_dev_x_121_x46.2 #0 built by builder on 2015-04-04 00:06:53 UTC
MGD release 12.1D0.2 built by builder on 2015-04-04 01:59:04 UTC
CLI release 12.1-20150403_dev_x_121_x46.2 built by builder on 2015-04-04 00:18:42 UTC
RPD release 12.1D0.2 built by builder on 2015-04-04 01:48:23 UTC
...

user@host> request support information node all
node0:
--------------------------------------------------------------------------

user@host> show system uptime

node0:
--------------------------------------------------------------------------
Current time: 2015-06-11 20:57:06 UTC
System booted: 2015-06-11 17:45:22 UTC (03:11:44 ago)
Protocols started: 2015-06-11 17:47:59 UTC (03:09:07 ago)
Last configured: 2015-04-27 17:41:45 UTC (6w3d 03:15 ago) by root
8:57PM up 3:12, 2 users, load averages: 0.04, 0.05, 0.01

user@host> show version detail no-forwarding

Hostname: tpsrx02
Model: srx1400
JUNOS Software Release [12.1-20150403_dev_x_121_x46.2]
JUNOS wmi Daemon [12.1I20140304_0803_tjzhang]

KERNEL 12.1-20150403_dev_x_121_x46.2 #0 built by builder on 2015-04-04 00:06:53 UTC
MGD release 12.1D0.2 built by builder on 2015-04-04 01:59:04 UTC
CLI release 12.1-20150403_dev_x_121_x46.2 built by builder on 2015-04-04 00:18:42 UTC
RPD release 12.1D0.2 built by builder on 2015-04-04 01:48:23 UTC
...

user@host> request support information node local
node0:
--------------------------------------------------------------------------

user@host> show system uptime

node0:
--------------------------------------------------------------------------
Current time: 2015-06-11 20:57:55 UTC
System booted: 2015-06-11 17:45:22 UTC (03:12:33 ago)
Protocols started: 2015-06-11 17:47:59 UTC (03:09:56 ago)
Last configured: 2015-04-27 17:41:45 UTC (6w3d 03:16 ago) by root
8:57PM up 3:13, 2 users, load averages: 0.02, 0.04, 0.00

user@host> show version detail no-forwarding

Hostname: tpsrx02
Model: srx1400
JUNOS Software Release [12.1-20150403_dev_x_121_x46.2]
JUNOS wmi Daemon [12.1I20140304_0803_tjzhang]
KERNEL 12.1-20150403_dev_x_121_x46.2 #0 built by builder on 2015-04-04 00:06:53 UTC
MGD release 12.1D0.2 built by builder on 2015-04-04 01:59:04 UTC
CLI release 12.1-20150403_dev_x_121_x46.2 built by builder on 2015-04-04 00:18:42 UTC
RPD release 12.1D0.2 built by builder on 2015-04-04 01:48:23 UTC
...

user@host> request support information node primary
node0:
--------------------------------------------------------------------------

user@host> show system uptime

node0:
--------------------------------------------------------------------------
Current time: 2015-06-11 20:58:35 UTC
System booted: 2015-06-11 17:45:22 UTC (03:13:13 ago)
Protocols started: 2015-06-11 17:47:59 UTC (03:10:36 ago)
Last configured: 2015-04-27 17:41:45 UTC (6w3d 03:16 ago) by root
8:58PM up 3:13, 2 users, load averages: 0.28, 0.11, 0.03

user@host> show version detail no-forwarding

Hostname: tpsrx02
Model: srx1400
JUNOS Software Release [12.1-20150403_dev_x_121_x46.2]
JUNOS wmi Daemon [12.1I20140304_0803_tjzhang]
KERNEL 12.1-20150403_dev_x_121_x46.2 #0 built by builder on 2015-04-04 00:06:53 UTC
MGD release 12.1D0.2 built by builder on 2015-04-04 01:59:04 UTC
CLI release 12.1-20150403_dev_x_121_x46.2 built by builder on 2015-04-04 00:18:42 UTC
RPD release 12.1D0.2 built by builder on 2015-04-04 01:48:23 UTC
...

The output sample is truncated to display some of the support details.
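Table 16 shows that the support bundle collects the configuration with show configuration | except SECRET-DATA, so key material should never reach the file written by request support information | save. The following added example is not Juniper code and not part of this guide: it scans such a saved bundle for configuration lines that still carry the Junos ## SECRET-DATA marker or a $9$ obfuscated value, so a bundle can be verified before it leaves the site. The function names and the sample bundle text are constructed for the example.

```python
"""Check a saved 'request support information' bundle for leaked secrets.

Added example, not Juniper code. The support bundle collects the configuration
with 'show configuration | except SECRET-DATA', which drops the lines Junos
tags with a trailing '## SECRET-DATA' comment. This scanner re-checks a saved
bundle (for example the file written by '... | save goose') for lines that
still carry that tag or a '$9$' obfuscated secret, so nothing sensitive is sent
to support by mistake. Function names and the sample bundle are constructed.
"""
import re
from typing import List, Tuple

# Junos appends this comment to configuration statements that hold secrets.
SECRET_TAG = "## SECRET-DATA"
# '$9$' is the Junos reversible obfuscation used for pre-shared keys, RADIUS
# and SNMP secrets; '$1$', '$5$' and '$6$' are crypt(3) password hashes.
SECRET_VALUE = re.compile(r'"\$(?:9|1|5|6)\$[^"]*"')
# Statement keywords that carry secrets even if the tag has been stripped.
SECRET_KEYWORDS = re.compile(
    r"\b(encrypted-password|pre-shared-key|authentication-key|secret)\b")


def find_secret_lines(bundle_text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, reason, line) for every suspicious line."""
    findings = []
    for lineno, line in enumerate(bundle_text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.endswith(SECRET_TAG):
            findings.append((lineno, "SECRET-DATA tag present", stripped))
        elif SECRET_VALUE.search(stripped):
            findings.append((lineno, "obfuscated or hashed secret value", stripped))
        elif SECRET_KEYWORDS.search(stripped) and '"' in stripped:
            findings.append((lineno, "secret-bearing statement", stripped))
    return findings


def bundle_is_clean(bundle_text: str) -> bool:
    """True when the bundle contains no line that should have been excluded."""
    return not find_secret_lines(bundle_text)


# Constructed sample: a fragment of a bundle whose configuration section was
# collected WITHOUT '| except SECRET-DATA', so two secret lines remain.
# The hash and obfuscated value are placeholders, not real credentials.
SAMPLE_BUNDLE = """\
user@host> show configuration
## Last commit: 2016-07-07 10:30:00 UTC by admin
system {
    host-name srx-lab;
    root-authentication {
        encrypted-password "$1$EXAMPLE$NOTAREALHASHxxxxxxxxxx"; ## SECRET-DATA
    }
    radius-server {
        192.0.2.10 secret "$9$EXAMPLEOBFUSCATEDVALUE"; ## SECRET-DATA
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.0.2.1/24;
            }
        }
    }
}
user@host> show system uptime
Current time: 2016-07-07 10:31:02 UTC
"""

if __name__ == "__main__":
    for lineno, reason, line in find_secret_lines(SAMPLE_BUNDLE):
        print(f"line {lineno}: {reason}: {line}")
```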


request system zeroize

Supported Platforms SRX Series

Syntax request system zeroize <media>

Description Erases all configuration information and resets all key values. The command removes
all data files, including customized configuration and log files, by unlinking the files from
their directories.

The command removes all user-created files from the system including all plain-text
passwords, secrets, and private keys for SSH, local encryption, local authentication,
IPsec, RADIUS, TACACS+, and SNMP.

This command reboots the device and sets it to the factory default configuration. After
the reboot, you cannot access the device through the management Ethernet interface.
Log in through the console as root and start the Junos OS command-line interface (CLI)
by typing cli at the prompt.

Options media—(Optional) In addition to removing all configuration and log files, the media option
causes memory and the media to be scrubbed, removing all traces of any user-created
files. Every storage device attached to the system is scrubbed, including disks, flash
drives, removable USBs, and the like. The duration of the scrubbing process is
dependent on the size of the media being erased. As a result, the request system
zeroize media operation can take considerably more time than the request system
zeroize operation. However, the critical security parameters are all removed at the
beginning of the process.

NOTE: The media option is not supported on SRX5000 line devices.

Required Privilege Level Not applicable.

Related Documentation • request system reboot on page 371
• request system software rollback (Maintenance) on page 372

List of Sample Output request system zeroize on page 382

Sample Output
request system zeroize
user@host> request system zeroize
warning: System will be rebooted and may not boot without configuration
Erase all data, including configuration and log files? [yes,no] (no) yes

warning: zeroizing re0

Loading /boot/loader
Consoles: serial port
BIOS driver C: is disk0
BIOS 607kB/2087552kB available memory

FreeBSD/i386 bootstrap loader, Revision 1.1
([email protected], Mon Mar 28 20:49:26 UTC 2011)
Loading /boot/defaults/loader.conf
/kernel text=0x837a60 data=0x46a78+0x9d44c syms=[0x4+0x8f38+0x4+0xca1ee]

Hit [Enter] to boot immediately, or space bar for command prompt.
Booting [/kernel]...
platform_early_bootinit: MAG Series Early Boot Initialization
GDB: debug ports: sio
GDB: current port: sio
KDB: debugger backends: ddb gdb
KDB: current backend: ddb
Copyright (c) 1996-2011, Juniper Networks, Inc.
All rights reserved.
Copyright (c) 1992-2006 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
...
output truncated

restart (Reset)

Supported Platforms SRX Series

List of Syntax Syntax (High-end SRX Series) on page 384
Syntax (Branch SRX Series) on page 384

Syntax (High-end SRX Series) restart
<application-identification |application-security |audit-process |chassis-control
|class-of-service |database-replication |datapath-trace-service |ddns |dhcp |dhcp-service
|disk-monitoring |dynamic-flow-capture |ethernet-connectivity-fault-management
|ethernet-link-fault-management |event-processing |fipsd |firewall
|firewall-authentication-service |general-authentication-service |gprs-process |gracefully
|idp-policy |immediately |interface-control |ipmi |ipsec-key-management |jnx-wmi-service
|jsrp-service |kernel-replication |l2-learning |l2cpd-service |lacp |license-service
|logical-system-service |mib-process |mountd-service |named-service |network-security
|network-security-trace |nfsd-service |ntpd-service |pgm |pic-services-logging |pki-service
|profilerd |remote-operations |routing |sampling |secure-neighbor-discovery
|security-intelligence |security-log |service-deployment |simple-mail-client-service |snmp
|soft |statistics-service |subscriber-management |subscriber-management-helper
|tunnel-oamd |uac-service |vrrp |web-management>

Syntax (Branch SRX Series) restart
<802.1x-protocol-daemon |application-identification |application-security |audit-process
|autoinstallation |chassis-control |class-of-service |database-replication |ddns |dhcp
|dhcp-service |dialer-services |dynamic-flow-capture
|ethernet-connectivity-fault-management |ethernet-link-fault-management
|ethernet-switching |event-processing |firewall |firewall-authentication-service |forwarding
|general-authentication-service |gracefully |group-key-member |group-key-server
|idp-policy |immediately |interface-control |ipmi |ipsec-key-management |jsrp-service
|kernel-replication |l2-learning |lacp |license-service |lldpd-service |mib-process
|mountd-service |mpls-traceroute |multicast-snooping |named-service |network-security
|network-security-trace |nfsd-service |peer-selection-service |pgm |pki-service |ppp |pppoe
|profilerd |r2cp |remote-operations |routing |sampling |sdk-service
|secure-neighbor-discovery |security-intelligence |security-log |service-deployment |services
|simple-mail-client-service |snmp |soft |statistics-service |subscriber-management
|subscriber-management-helper |system-health-management |uac-service |usb-control
|vrrp |web-management |wireless-lan-service |wireless-wan-service>

Release Information Command introduced before Junos OS Release 7.4.


dynamic-flow-capture option added in Junos OS Release 7.4.
event-processing option added in Junos OS Release 7.5.
group-key-server option added in Junos OS Release 10.2.
ppp option added in Junos OS Release 7.5.

Description Restart a Junos OS process.

CAUTION: Never restart a software process unless instructed to do so by a
customer support engineer. A restart might cause the router to drop calls
and interrupt transmission, resulting in possible loss of data.

Options • 802.1x-protocol-daemon—(Branch SRX Series only) (Optional) Restart the 802.1x
protocol process (daemon).

• application-identification—(Optional) Restart the process that identifies an application
using intrusion detection and prevention (IDP) to allow or deny traffic based on
applications running on standard or nonstandard ports.

• application-security—(Optional) Restart the application security process.

• audit-process—(Optional) Restart the RADIUS accounting process that gathers
statistical data that can be used for general network monitoring, for analyzing and
tracking usage patterns, and for billing a user based upon the amount of time used or
the type of services accessed.

• autoinstallation—(Branch SRX Series only) (Optional) Restart the autoinstallation
process.

• chassis-control—(Optional) Restart the chassis management process.

• class-of-service—(Optional) Restart the class-of-service (CoS) process, which controls
the router's or switch's CoS configuration.

• database-replication—(Optional) Restart the database replication process.

• datapath-trace-service—(High-end SRX Series only) (Optional) Restart the packet
path tracing process.

• ddns—(Optional) Restart the dynamic domain name system (DDNS) process, which
dynamically updates IP addresses for registered domain names.

• dhcp—(Optional) Restart the software process for a Dynamic Host Configuration
Protocol (DHCP) server. A DHCP server allocates network IP addresses and delivers
configuration settings to client hosts without user intervention.

• dhcp-service—(Optional) Restart the Dynamic Host Configuration Protocol process.

• dialer-services—(Branch SRX Series only) (Optional) Restart the ISDN dial-out process.

• disk-monitoring—(High-end SRX Series only) (Optional) Restart disk monitoring, which
checks the health of the hard disk drive on the Routing Engine.

• dynamic-flow-capture—(Optional) Restart the dynamic flow capture (DFC) process,
which controls DFC configurations on Monitoring Services III PICs.

• ethernet-connectivity-fault-management—(Optional) Restart the process that provides
IEEE 802.1ag Operation, Administration, and Maintenance (OAM) connectivity fault
management (CFM) database information for CFM maintenance association end
points (MEPs) in a CFM session.

• ethernet-link-fault-management—(Optional) Restart the process that provides the
OAM link fault management (LFM) information for Ethernet interfaces.

• ethernet-switching—(Branch SRX Series only) (Optional) Restart the Ethernet switching
process.

• event-processing—(Optional) Restart the event process (eventd).

• fipsd—(High-end SRX Series only) (Optional) Restart the FIPS process (fipsd).

• firewall—(Optional) Restart the firewall management process, which manages the
firewall configuration and accepts or rejects packets that are transiting an interface
on a router or switch.

• firewall-authentication-service—(Optional) Restart the firewall authentication service
process.

• forwarding—(Branch SRX Series only) (Optional) Restart the security forwarding
options process.

• general-authentication-service—(Optional) Restart the general authentication process.

• gprs-process—(High-end SRX Series only) (Optional) Restart the General Packet
Radio Service (GPRS) process.

• gracefully—(Optional) Restart the software process gracefully. This is the default
behavior when neither immediately nor soft is specified.

• group-key-member—(Branch SRX Series only) (Optional) Restart the group key
member process.

• group-key-server—(Branch SRX Series only) (Optional) Restart the group VPN server
process. The group VPN server loses all its data, including TEK and KEK keys, when it
restarts. New keys are generated, but the keys are not available to group members
until they reregister.

• idp-policy—(Optional) Restart the intrusion detection and prevention (IDP) protocol
process.

• immediately—(Optional) Immediately restart the software process.

• interface-control—(Optional) Restart the interface process, which controls the router's
or switch's physical interface devices and logical interfaces.

• ipmi—(Optional) Restart the intelligent platform management interface process.

• ipsec-key-management—(Optional) Restart the IPsec key management process.

• jnx-wmi-service—(High-end SRX Series only) (Optional) Restart the jnx Windows
Management Instrumentation (WMI) service process.

• jsrp-service—(Optional) Restart the Juniper Services Redundancy Protocol (jsrpd)
process, which controls chassis clustering.

• kernel-replication—(Optional) Restart the kernel replication process, which replicates
the state of the backup Routing Engine when graceful Routing Engine switchover
(GRES) is configured.

• lacp—(Optional) Restart the Link Aggregation Control Protocol (LACP) process. LACP
provides a standardized means for exchanging information between partner systems
on a link. The LACP process allows link aggregation control instances to reach
agreement on the identity of the LAG to which a link belongs, moves the link to that
LAG, and enables the transmission and reception processes for the link to function in
an orderly manner.

• l2cpd-service—(High-end SRX Series only) (Optional) Restart the Layer 2 Control
Protocol (L2CP) process, which enables features such as L2 protocol tunneling and
nonstop bridging.

• l2-learning—(Optional) Restart the Layer 2 (L2) address flooding and learning process.

• license-service—(Optional) Restart the feature license management process.

• lldpd-service—(Branch SRX Series only) (Optional) Restart the Link Layer Discovery
Protocol (LLDP) process.

• logical-system-service—(High-end SRX Series only) (Optional) Restart the logical
system service process.

• mib-process—(Optional) Restart the MIB version II process, which provides the router's
MIB II agent.

• mountd-service—(Optional) Restart the service for Network File System (NFS) mount
requests.

• mpls-traceroute—(Branch SRX Series only) (Optional) Restart the MPLS periodic
traceroute process.

• multicast-snooping—(Branch SRX Series only) (Optional) Restart the multicast
snooping process, which makes L2 devices, such as VLAN switches, aware of L3
information, such as the media access control (MAC) addresses of members of a
multicast group.

• named-service—(Optional) Restart the DNS server process, which is used by a router
or a switch to resolve hostnames into addresses.

• network-security—(Optional) Restart the network security process.

• network-security-trace—(Optional) Restart the network security trace process.

• nfsd-service—(Optional) Restart the remote NFS server process, which provides remote
file access for applications that need NFS-based transport.

• ntpd-service—(High-end SRX Series only) (Optional) Restart the Network Time Protocol
(NTP) process.

• peer-selection-service—(Branch SRX Series only) (Optional) Restart the peer selection
service process.

• pgm—(Optional) Restart the process that implements the Pragmatic General Multicast
(PGM) protocol for assisting in the reliable delivery of multicast packets.

• pic-services-logging—(High-end SRX Series only) (Optional) Restart the logging
process for some PICs. With this process, also known as fsad (the file system access
daemon), PICs send special logging information to the Routing Engine for archiving on
the hard disk.

• pki-service—(Optional) Restart the public key infrastructure (PKI) service process.

• ppp—(Branch SRX Series only) (Optional) Restart the Point-to-Point Protocol (PPP)
process, which is the encapsulation protocol process for transporting IP traffic across
point-to-point links.

• pppoe—(Branch SRX Series only) (Optional) Restart the Point-to-Point Protocol over
Ethernet (PPPoE) process, which combines PPP that typically runs over broadband
connections with the Ethernet link-layer protocol that allows users to connect to a
network of hosts over a bridge or access concentrator.

• profilerd—(Optional) Restart the profiler process.

• r2cp—(Branch SRX Series only) (Optional) Restart the Radio-to-Router Control Protocol
process.

• remote-operations—(Optional) Restart the remote operations process, which provides
the ping and traceroute MIBs.

• routing—(Optional) Restart the routing protocol process (rpd).

• sampling—(Optional) Restart the sampling process, which performs packet sampling
based on particular input interfaces and various fields in the packet header.

• sdk-service—(Branch SRX Series only) (Optional) Restart the software development
kit (SDK) service process, which runs on the Routing Engine and is responsible for
communications between the SDK application and Junos OS. Although the SDK service
process is present on the router, it is turned off by default.

• secure-neighbor-discovery—(Optional) Restart the secure Neighbor Discovery Protocol
(NDP) process, which provides support for protecting NDP messages.

• security-intelligence—(Optional) Restart the security intelligence process.

• security-log—(Optional) Restart the security log process.

• service-deployment—(Optional) Restart the service deployment process, which enables
Junos OS to work with the Session and Resource Control (SRC) software.

• services—(Branch SRX Series only) (Optional) Restart a service.

• simple-mail-client-service—(Optional) Restart the simple mail client service process.

• snmp—(Optional) Restart the SNMP process, which enables the monitoring of network
devices from a central location and provides the router's or switch's SNMP master
agent.

• soft—(Optional) Reread and reactivate the configuration without completely restarting
the software processes. For example, BGP peers stay up and the routing table stays
constant. Omitting this option results in a graceful restart of the software process.

• statistics-service—(Optional) Restart the process that manages the Packet Forwarding
Engine statistics.

• subscriber-management—(Optional) Restart the subscriber management process.

• subscriber-management-helper—(Optional) Restart the subscriber management
helper process.

• system-health-management—(Branch SRX Series only) (Optional) Restart the system
health management process.

• tunnel-oamd—(High-end SRX Series only) (Optional) Restart the tunnel OAM process
for L2 tunneled networks.

• uac-service—(Optional) Restart the Unified Access Control (UAC) process.

• usb-control—(Branch SRX Series only) (Optional) Restart the USB control process.

• vrrp—(Optional) Restart the Virtual Router Redundancy Protocol (VRRP) process,
which enables hosts on a LAN to make use of redundant routing platforms on that
LAN without requiring more than the static configuration of a single default route on
the hosts.

• web-management—(Optional) Restart the Web management process.

• wireless-lan-service—(Branch SRX Series only) (Optional) Restart the wireless LAN
service process.

• wireless-wan-service—(Branch SRX Series only) (Optional) Restart the wireless WAN
service process.

Required Privilege Level reset

Related Documentation • Administration Guide for Security Devices
• Restart Commands Overview on page 389

List of Sample Output restart interfaces on page 389

Output Fields When you enter this command, you are provided feedback on the status of your request.

Sample Output
restart interfaces
user@host> restart interfaces
interfaces process terminated
interfaces process restarted

Restart Commands Overview

Supported Platforms J Series, LN Series, SRX Series

Use the restart operational commands to restart software processes on the device.
Operational commands are organized alphabetically.

Related Documentation • CLI User Guide
• Administration Guide for Security Devices

show chassis routing-engine (View)

Supported Platforms J Series, LN Series, SRX Series

Syntax show chassis routing-engine

Release Information Command introduced in Junos OS Release 9.5.

Description Display the status of the Routing Engine: temperature, memory use, CPU utilization, model, uptime, the reason for the last reboot, and load averages.

Required Privilege Level view

Related Documentation • Administration Guide for Security Devices

List of Sample Output show chassis routing-engine (Sample 1) on page 391
show chassis routing-engine (Sample 2) on page 391

Output Fields Table 17 on page 390 lists the output fields for the show chassis routing-engine command.
Output fields are listed in the approximate order in which they appear.

Table 17: show chassis routing-engine Output Fields


Field Name Field Description

Temperature Routing Engine temperature.

CPU temperature CPU temperature.

Total memory Total memory available on the system.

Control plane memory Memory available for the control plane.

Data plane memory Memory reserved for data plane processing.

CPU utilization Current CPU utilization statistics on the control plane core.

User Current CPU utilization in user mode on the control plane core.

Background Current CPU utilization in nice mode on the control plane core.

Kernel Current CPU utilization in kernel mode on the control plane core.

Interrupt Current CPU utilization in interrupt mode on the control plane core.

Idle Current CPU utilization in idle mode on the control plane core.

Model Routing Engine model.

Start time Routing Engine start time.

Uptime Length of time the Routing Engine has been up (running) since the last start.

Last reboot reason Reason for the last reboot of the Routing Engine.

Load averages The average number of threads waiting in the run queue or currently executing over 1-,
5-, and 15-minute periods.

Sample Output
show chassis routing-engine (Sample 1)
user@host> show chassis routing-engine
Routing Engine status:
Temperature 38 degrees C / 100 degrees F
CPU temperature 36 degrees C / 96 degrees F
Total memory 512 MB Max 435 MB used ( 85 percent)
Control plane memory 344 MB Max 296 MB used ( 86 percent)
Data plane memory 168 MB Max 138 MB used ( 82 percent)
CPU utilization:
User 8 percent
Background 0 percent
Kernel 4 percent
Interrupt 0 percent
Idle 88 percent
Model RE-SRX240-LOWMEM
Serial ID AAAP8652
Start time 2009-09-21 00:04:54 PDT
Uptime 52 minutes, 47 seconds
Last reboot reason 0x200:chassis control reset
Load averages: 1 minute 5 minute 15 minute
0.12 0.15 0.10

show chassis routing-engine (Sample 2)
user@host> show chassis routing-engine
Routing Engine status:
Temperature 46 degrees C / 114 degrees F
CPU temperature 46 degrees C / 114 degrees F
Total memory 1024 MB Max 737 MB used ( 72 percent)
Control plane memory 600 MB Max 426 MB used ( 71 percent)
Data plane memory 424 MB Max 314 MB used ( 74 percent)
CPU utilization:
User 40 percent
Background 0 percent
Kernel 11 percent
Interrupt 0 percent
Idle 49 percent
Model RE-SRXSME-SRE6
Start time 2009-09-19 20:04:18 PDT
Uptime 1 day, 4 hours, 51 minutes, 11 seconds
Last reboot reason 0x200:chassis control reset
Load averages: 1 minute 5 minute 15 minute
0.27 0.53 0.78
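The fields in Table 17 are what an operator polls for control-plane health, and in a security context the interesting ones are memory pressure on the control plane (a symptom of a flood or a leaking daemon), a low Idle percentage, and a Last reboot reason that nobody can account for. The following Python parser and threshold check is an added example written for this guide; it is not Juniper code, does not run on the device, and works on text captured from the CLI (for instance over SSH with show chassis routing-engine | no-more). The two sample strings are the outputs shown above copied into the script; the thresholds and the expected_reboot_reasons values are assumptions made for the example.

```python
import re

# Constructed inputs: the two 'show chassis routing-engine' samples shown on this page.
SAMPLE_1 = """\
Routing Engine status:
    Temperature                 38 degrees C / 100 degrees F
    CPU temperature             36 degrees C / 96 degrees F
    Total memory              512 MB Max   435 MB used ( 85 percent)
      Control plane memory    344 MB Max   296 MB used ( 86 percent)
      Data plane memory       168 MB Max   138 MB used ( 82 percent)
    CPU utilization:
      User                       8 percent
      Background                 0 percent
      Kernel                     4 percent
      Interrupt                  0 percent
      Idle                      88 percent
    Model                          RE-SRX240-LOWMEM
    Serial ID                      AAAP8652
    Start time                     2009-09-21 00:04:54 PDT
    Uptime                         52 minutes, 47 seconds
    Last reboot reason             0x200:chassis control reset
    Load averages:                 1 minute   5 minute  15 minute
                                       0.12       0.15       0.10
"""
SAMPLE_2 = """\
Routing Engine status:
    Temperature                 46 degrees C / 114 degrees F
    CPU temperature             46 degrees C / 114 degrees F
    Total memory             1024 MB Max   737 MB used ( 72 percent)
      Control plane memory    600 MB Max   426 MB used ( 71 percent)
      Data plane memory       424 MB Max   314 MB used ( 74 percent)
    CPU utilization:
      User                      40 percent
      Background                 0 percent
      Kernel                    11 percent
      Interrupt                  0 percent
      Idle                      49 percent
    Model                          RE-SRXSME-SRE6
    Start time                     2009-09-19 20:04:18 PDT
    Uptime                         1 day, 4 hours, 51 minutes, 11 seconds
    Last reboot reason             0x200:chassis control reset
    Load averages:                 1 minute   5 minute  15 minute
                                       0.27       0.53       0.78
"""

_TEMP = re.compile(r"^(Temperature|CPU temperature)\s+(\d+) degrees C")
_MEM = re.compile(r"^(Total memory|Control plane memory|Data plane memory)"
                  r"\s+(\d+) MB Max\s+(\d+) MB used \(\s*(\d+) percent\)")
_CPU = re.compile(r"^(User|Background|Kernel|Interrupt|Idle)\s+(\d+) percent")
_KV = re.compile(r"^(Model|Serial ID|Start time|Uptime|Last reboot reason)\s+(.+?)\s*$")
_LOAD = re.compile(r"^([\d.]+)\s+([\d.]+)\s+([\d.]+)$")


def parse_routing_engine(text):
    """Turn the CLI text into a dict. Unknown lines are ignored, so the parser
    tolerates fields that differ between Routing Engine models (Sample 2 has
    no Serial ID line, for instance)."""
    info = {"temperature_c": {}, "memory": {}, "cpu": {}, "load": None}
    for raw in text.splitlines():
        line = raw.strip()
        if m := _TEMP.match(line):
            info["temperature_c"][m.group(1)] = int(m.group(2))
        elif m := _MEM.match(line):
            info["memory"][m.group(1)] = {"total_mb": int(m.group(2)),
                                          "used_mb": int(m.group(3)),
                                          "pct": int(m.group(4))}
        elif m := _CPU.match(line):
            info["cpu"][m.group(1)] = int(m.group(2))
        elif m := _KV.match(line):
            info[m.group(1).lower().replace(" ", "_")] = m.group(2)
        elif m := _LOAD.match(line):  # the numbers line after "Load averages:"
            info["load"] = tuple(float(x) for x in m.groups())
    return info


def check_routing_engine(info, mem_pct=80, min_idle_pct=20, max_temp_c=60,
                         expected_reboot_reasons=()):
    """Return (kind, field, value) findings. The thresholds are assumptions for
    this example; tune them per platform. expected_reboot_reasons, when given,
    lists substrings of reasons you consider normal; any other reason is
    reported so an unexplained reset is not silently absorbed into uptime."""
    findings = []
    for name, mem in info["memory"].items():
        if mem["pct"] >= mem_pct:
            findings.append(("memory", name, mem["pct"]))
    idle = info["cpu"].get("Idle")
    if idle is not None and idle < min_idle_pct:
        findings.append(("cpu", "Idle", idle))
    for name, temp in info["temperature_c"].items():
        if temp >= max_temp_c:
            findings.append(("temperature", name, temp))
    reason = info.get("last_reboot_reason")
    if reason and expected_reboot_reasons and \
            not any(ok in reason for ok in expected_reboot_reasons):
        findings.append(("reboot", "Last reboot reason", reason))
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_1, SAMPLE_2):
        print(check_routing_engine(parse_routing_engine(sample),
                                   expected_reboot_reasons=("power cycle",)))
```

With the default thresholds Sample 1 reports all three memory figures (82 to 86 percent used on a 512 MB Routing Engine) and Sample 2 reports nothing; passing an expected_reboot_reasons list that does not cover "chassis control reset" adds a reboot finding for both, which is the behaviour you want when a device rebooted outside a change window.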

show dhcp client binding

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax show dhcp client binding
[<address> | interface <interface-name>]
routing-instance <routing-instance-name>
[brief | detail | summary]

Release Information Command introduced in Junos OS Release 12.1X44-D10.

Description Display the address bindings in the Dynamic Host Configuration Protocol (DHCP) client
table.

Options address—(Optional) Display DHCP binding information for a specific client identified by
one of the following entries:
• ip-address—The specified IP address.

• mac-address—The specified MAC address.

routing-instance <routing-instance-name>—(Optional) Display DHCP binding information
for DHCP clients on the specified routing instance.

interface <interface-name>—(Optional) Perform this operation on the specified interface.

brief—(Optional) Display brief information about the active client bindings.

detail—(Optional) Display detailed client binding information.

summary—(Optional) Display a summary of DHCP client information.

Required Privilege Level view

Related Documentation • clear dhcp client binding on page 327
• Administration Guide for Security Devices

List of Sample Output show dhcp client binding on page 394

Output Fields Table 18 on page 393 lists the output fields for the show dhcp client binding command.
Output fields are listed in the approximate order in which they appear.

Table 18: show dhcp client binding Output Fields


Field Name Field Description

IP address IP address of the DHCP client.

Hardware address Hardware address of the DHCP client.

Server IP address of the DHCP server.

Expires Number of seconds in which the lease expires.

State State of the client's address binding (for example, BOUND).

Interface Interface on which the request was received.

Lease Expires Date and time at which the client’s IP address lease expires.

Lease Expires in Number of seconds in which the lease expires.

Lease Start Date and time at which the client’s IP address lease started.

Vendor Identifier Vendor identifier.

Server Identifier IP address of the DHCP server.

Client IP Address IP address of the DHCP client.

Sample Output
show dhcp client binding
user@host> show dhcp client binding
2 clients, (2 bound, 0 init, 0 discover, 0 renew, 0 rebind)

IP address       Hardware address    Server      Expires  State   Interface
10.1.1.89        00:0a:12:00:12:12   10.1.1.1    348      BOUND   fe-0/0/1.0
20.1.1.90        00:0a:12:00:12:34   20.1.1.1    568      BOUND   fe-0/0/2.0

user@host> show dhcp client binding interface fe-0/0/1.0 detail
Client Interface: fe-0/0/1.0
Hardware address: 00:0a:12:00:12:12
State: BOUND
Lease Expires: 2010-09-16 14:45:41 UTC
Lease Expires in: 528 seconds
Lease Start: 2010-09-16 14:35:41 UTC
Vendor Identifier: ether
Server Identifier: 10.1.1.1
Client IP Address: 10.1.1.89
update server enabled

DHCP Options :
Name: name-server, Value: [ 10.209.194.131, 2.2.2.2, 3.3.3.3 ]
Name: server-identifier, Value: 10.1.1.1
Name: router, Value: [ 10.1.1.80 ]
Name: domain-name, Value: netscreen-50

user@host> show dhcp client binding 10.1.1.89
IP address       Hardware address    Server      Expires  State   Interface
10.1.1.89        00:0a:12:00:12:12   10.1.1.1    348      BOUND   fe-0/0/1.0
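The client-side binding table is also where a rogue DHCP server shows up first: the Server column, and in the detail view the server-identifier, router and name-server options, name whoever answered the client, and a hostile server on the segment hands out its own gateway and resolvers. The following Python example is added here and is not Juniper code. It parses the brief and detail outputs shown above (copied into constructed strings) and compares them against allow-lists of trusted servers, default routers and name servers; those allow-lists are assumptions for the example and would come from your own inventory. Run it off-box on captured CLI text.

```python
import re

# Constructed inputs, copied from the brief and detail samples shown on this page.
BRIEF = """\
2 clients, (2 bound, 0 init, 0 discover, 0 renew, 0 rebind)

IP address       Hardware address    Server      Expires  State   Interface
10.1.1.89        00:0a:12:00:12:12   10.1.1.1    348      BOUND   fe-0/0/1.0
20.1.1.90        00:0a:12:00:12:34   20.1.1.1    568      BOUND   fe-0/0/2.0
"""

DETAIL = """\
Client Interface: fe-0/0/1.0
  Hardware address:   00:0a:12:00:12:12
  State:              BOUND
  Lease Expires:      2010-09-16 14:45:41 UTC
  Lease Expires in:   528 seconds
  Lease Start:        2010-09-16 14:35:41 UTC
  Vendor Identifier:  ether
  Server Identifier:  10.1.1.1
  Client IP Address:  10.1.1.89
  update server enabled

  DHCP Options :
    Name: name-server, Value: [ 10.209.194.131, 2.2.2.2, 3.3.3.3 ]
    Name: server-identifier, Value: 10.1.1.1
    Name: router, Value: [ 10.1.1.80 ]
    Name: domain-name, Value: netscreen-50
"""

# One binding row: IP, MAC, server, seconds to expiry, state, interface.
_ROW = re.compile(r"^(\S+)\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)$")
# "Name: <option>, Value: <value>" lines under "DHCP Options :".
_OPT = re.compile(r"^Name:\s*([\w-]+),\s*Value:\s*(.+?)\s*$")
# "Label: value" lines in the detail header.
_FIELD = re.compile(r"^([A-Za-z ]+?):\s+(.+?)\s*$")


def parse_brief(text):
    """Rows of the brief table as dicts; the summary and header lines do not
    match _ROW and are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            ip, mac, server, expires, state, ifname = m.groups()
            rows.append({"ip": ip, "mac": mac, "server": server,
                         "expires": int(expires), "state": state, "interface": ifname})
    return rows


def parse_detail(text):
    """Detail header fields keyed by their label, plus an 'options' dict whose
    values are lists (bracketed multi-value options are split on commas)."""
    info, opts = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if m := _OPT.match(line):          # must run before _FIELD: "Name:" also looks like a field
            value = m.group(2).strip("[] ")
            opts[m.group(1)] = [v for v in re.split(r"[,\s]+", value) if v]
        elif m := _FIELD.match(line):
            info[m.group(1)] = m.group(2)
    info["options"] = opts
    return info


def audit_bindings(rows, trusted_servers, min_expires=60):
    """Flag bindings issued by a server outside the allow-list, and BOUND
    leases about to expire (a renewal that keeps failing is worth a look)."""
    findings = []
    for r in rows:
        if r["server"] not in trusted_servers:
            findings.append(("untrusted-server", r["interface"], r["server"]))
        if r["state"] == "BOUND" and r["expires"] < min_expires:
            findings.append(("lease-expiring", r["interface"], r["expires"]))
    return findings


def audit_options(detail, trusted_servers, expected_routers, expected_name_servers):
    """Flag a server identifier, default router or resolver that is not on the
    allow-list: the classic footprint of a rogue DHCP server on the segment."""
    findings = []
    server = detail.get("Server Identifier")
    if server not in trusted_servers:
        findings.append(("untrusted-server", server))
    for rtr in detail["options"].get("router", []):
        if rtr not in expected_routers:
            findings.append(("unexpected-router", rtr))
    for ns in detail["options"].get("name-server", []):
        if ns not in expected_name_servers:
            findings.append(("unexpected-name-server", ns))
    return findings


if __name__ == "__main__":
    print(audit_bindings(parse_brief(BRIEF), {"10.1.1.1"}))
    print(audit_options(parse_detail(DETAIL), {"10.1.1.1"}, {"10.1.1.80"}, {"10.209.194.131"}))
```

Against the page's own samples, trusting only 10.1.1.1 flags the fe-0/0/2.0 binding served by 20.1.1.1, and trusting only 10.209.194.131 as a resolver flags the 2.2.2.2 and 3.3.3.3 name servers pushed in the lease; either result is a reason to look at who is answering DHCP on that segment before the client starts resolving names through it.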

show dhcpv6 client binding

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax show dhcpv6 client binding
interface <interface-name>
routing-instance <routing-instance-name>
[brief | detail | summary]

Release Information Command introduced in Junos OS Release 12.1X45-D10.

Description Display the address bindings in the Dynamic Host Configuration Protocol version 6
(DHCPv6) client table.

Options interface interface-name—(Optional) Perform this operation on the specified interface.

routing-instance <routing-instance-name>—(Optional) Display DHCPv6 binding information
for DHCPv6 clients on the specified routing instance.

brief—(Optional) Display brief information about the active client bindings.

detail—(Optional) Display detailed client binding information.

summary—(Optional) Display a summary of DHCPv6 client information.

Required Privilege Level view

Related Documentation • clear dhcpv6 client binding on page 328

List of Sample Output show dhcpv6 client binding on page 397

Output Fields Table 19 on page 396 lists the output fields for the show dhcpv6 client binding command.
Output fields are listed in the approximate order in which they appear.

Table 19: show dhcpv6 client binding Output Fields


Field Name Field Description

Hardware Address Hardware address of the DHCPv6 client.

State State of the address-binding table on the DHCPv6 local server.

Lease Expires Date and time at which the client’s IP address lease expires.

Lease Expires in Number of seconds until the lease expires.

Lease Start Date and time at which the client’s IP address lease started.

Client DUID The DHCPv6 client’s unique identifier.

Bind type The bind type.

Client Type The type of DHCPv6 client. The client type can be autoconfig or stateful (shown as STATEFULL in the output).

Rapid Commit Two-message exchange option for address assignment.

Server IP Address IP address of the DHCPv6 server.

Client IP Address IP address of the DHCPv6 client.

Sample Output
show dhcpv6 client binding
user@host> show dhcpv6 client binding
IP prefix                       Expires  ClientType  State  Interface   Client DUID
2000::b2b7:8631:d968:8d5e/128   96       STATEFULL   BOUND  ge-0/0/1.0  LL_TIME0x3-0x0-2c:6b:f5:62:39:c1

user@host> show dhcpv6 client binding detail
Client Interface: ge-0/0/1.0
Hardware Address: 2c:6b:f5:62:39:c1
State: BOUND(DHCPV6_CLIENT_STATE_BOUND)
Lease Expires: 2012-08-07 15:52:19 UTC
Lease Expires in: 116 seconds
Lease Start: 2012-08-07 15:50:19 UTC
Client DUID VENDOR0x00000583-0x3000103f
Bind Type: IA_NA
ClientType : STATEFULL
Rapid Commit Off
Server Ip Address: fe80::230:48ff:fe5d:5bf7
Client IP Address: 2000::655b:3c80:2deb:1a3/128

DHCP options:
Name: server-identifier, Value: LL_TIME0x1-0x17acddab-00:30:48:5d:5b:f7
Name: vendor-opts, Value: 000005830002aaaa
Name: sip-server-list, Value: 2000::300 2000::302 2000::303 2000::304
Name: dns-recursive-server, Value: 2000::ff 2000::fe
Name: domain-search-list, Value: 076578616d706c6503636f6d00

show dhcp client statistics

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax show dhcp client statistics
routing-instance <routing-instance-name>

Release Information Command introduced in Junos OS Release 12.1X44-D10.

Description Display Dynamic Host Configuration Protocol (DHCP) client statistics.

Options routing-instance <routing-instance-name>—(Optional) Display the statistics for DHCP clients
on the specified routing instance.

Required Privilege Level view

Related Documentation • clear dhcp client statistics on page 329
• Administration Guide for Security Devices

List of Sample Output show dhcp client statistics on page 399

Output Fields Table 20 on page 398 lists the output fields for the show dhcp client statistics command.
Output fields are listed in the approximate order in which they appear.

Table 20: show dhcp client statistics Output Fields


Field Name Field Description

Packets dropped Number of packets discarded by the DHCP local server because
of errors. Only nonzero statistics appear in the Packets dropped
output. When all of the Packets dropped statistics are 0 (zero),
only the Total field appears.

Messages received Number of DHCP messages received.

• BOOTREPLY—Number of BOOTP protocol data units (PDUs) received
• DHCPOFFER—Number of DHCP PDUs of type OFFER received
• DHCPACK—Number of DHCP PDUs of type ACK received
• DHCPNAK—Number of DHCP PDUs of type NAK received
• DHCPFORCERENEW—Number of DHCP PDUs of type FORCERENEW received

Messages sent Number of DHCP messages sent.

• BOOTREQUEST—Number of BOOTP protocol data units (PDUs) transmitted
• DHCPDECLINE—Number of DHCP PDUs of type DECLINE transmitted
• DHCPDISCOVER—Number of DHCP PDUs of type DISCOVER transmitted
• DHCPREQUEST—Number of DHCP PDUs of type REQUEST transmitted
• DHCPINFORM—Number of DHCP PDUs of type INFORM transmitted
• DHCPRELEASE—Number of DHCP PDUs of type RELEASE transmitted
• DHCPRENEW—Number of DHCP PDUs of type RENEW transmitted
• DHCPREBIND—Number of DHCP PDUs of type REBIND transmitted

Sample Output
show dhcp client statistics
user@host> show dhcp client statistics
Packets dropped:
Total 0
Messages received:
BOOTREPLY 0
DHCPOFFER 0
DHCPACK 0
DHCPNAK 0
DHCPFORCERENEW 0
Messages sent:
BOOTREQUEST 0
DHCPDECLINE 0
DHCPDISCOVER 0
DHCPREQUEST 0
DHCPINFORM 0
DHCPRELEASE 0
DHCPRENEW 0
DHCPREBIND 0

show dhcpv6 client statistics

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax show dhcpv6 client statistics
routing-instance <routing-instance-name>

Release Information Command introduced in Junos OS Release 12.1X45-D10.

Description Display Dynamic Host Configuration Protocol version 6 (DHCPv6) client statistics.

Options routing-instance <routing-instance-name>—(Optional) Display the statistics for DHCPv6
clients on the specified routing instance.

Required Privilege Level view

Related Documentation • clear dhcpv6 client statistics on page 330

List of Sample Output show dhcpv6 client statistics on page 401

Output Fields Table 21 on page 400 lists the output fields for the show dhcpv6 client statistics command.
Output fields are listed in the approximate order in which they appear.

Table 21: show dhcpv6 client statistics Output Fields


Field Name Field Description

Dhcpv6 Packets dropped Number of packets discarded by the DHCPv6 local server
because of errors. Only nonzero statistics appear in the DHCPv6
Packets dropped output. When all of the Packets dropped
statistics are 0 (zero), only the Total field appears.

Messages sent Number of DHCPv6 messages sent.

• DHCPV6_DECLINE—Number of DHCPv6 PDUs of type DECLINE transmitted
• DHCPV6_SOLICIT—Number of DHCPv6 PDUs of type SOLICIT transmitted
• DHCPV6_INFORMATION_REQUEST—Number of DHCPv6 PDUs of type INFORMATION REQUEST transmitted
• DHCPV6_RELEASE—Number of DHCPv6 PDUs of type RELEASE transmitted
• DHCPV6_REQUEST—Number of DHCPv6 PDUs of type REQUEST transmitted
• DHCPV6_CONFIRM—Number of DHCPv6 PDUs of type CONFIRM transmitted
• DHCPV6_RENEW—Number of DHCPv6 PDUs of type RENEW transmitted
• DHCPV6_REBIND—Number of DHCPv6 PDUs of type REBIND transmitted

400 Copyright © 2016, Juniper Networks, Inc.


Chapter 24: Operational Commands

Messages received Number of DHCPv6 messages received.

• DHCPV6_ADVERTISE—Number of DHCPv6 PDUs of type ADVERTISE received
• DHCPV6_REPLY—Number of DHCPv6 PDUs of type REPLY received
• DHCPV6_RECONFIGURE—Number of DHCPv6 PDUs of type RECONFIGURE received

Sample Output
show dhcpv6 client statistics
user@host> show dhcpv6 client statistics
Dhcpv6 Packets dropped:
Total 0

Messages sent:
DHCPV6_DECLINE 0
DHCPV6_SOLICIT 3
DHCPV6_INFORMATION_REQUEST 6
DHCPV6_RELEASE 1
DHCPV6_REQUEST 2
DHCPV6_CONFIRM 0
DHCPV6_RENEW 0
DHCPV6_REBIND 0

Messages received:
DHCPV6_ADVERTISE 3
DHCPV6_REPLY 3
DHCPV6_RECONFIGURE 0


show dhcp relay binding

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax show dhcp relay binding
[<address> | interface <interface-name>]
routing-instance <routing-instance name>
[brief | detail | summary]

Release Information Statement introduced in Junos OS Release 12.1X44-D10.

Description Display the address bindings in the Dynamic Host Configuration Protocol (DHCP) relay
client table.

Options address—(Optional) Display DHCP binding information for a specific client identified by
one of the following entries:
• ip-address—The specified IP address.
• mac-address—The specified MAC address.

routing-instance <routing-instance name>—(Optional) Display DHCP binding information
on the specified routing instance.

interface <interface-name>—(Optional) Perform this operation on the specified interface.

brief—(Optional) Display brief information about the active client bindings.

detail—(Optional) Display detailed client binding information.

summary—(Optional) Display a summary of DHCP client information.

Required Privilege Level view

Related Documentation • clear dhcp relay binding on page 331
• Administration Guide for Security Devices

List of Sample Output show dhcp relay binding on page 403

Output Fields Table 22 on page 402 lists the output fields for the show dhcp relay binding command.
Output fields are listed in the approximate order in which they appear.

Table 22: show dhcp relay binding Output Fields


Field Name Field Description

IP address IP address of the DHCP client.

Hardware address Hardware address of the DHCP client.

Request received on Interface on which the request was received.

Type Type of DHCP packet processing performed on the device.

Obtained at Date and time at which the client’s IP address lease started.

Expires at Date and time at which the client’s IP address lease expires.

State State of the address binding table on the DHCP local server.

Sample Output
show dhcp relay binding
user@host> show dhcp relay binding detail
IP address      Hardware address    Type    Lease expires            State
100.20.32.1     90:00:00:01:00:01   active  2007-01-17 11:38:47 PST  rebind
100.20.32.3     90:00:00:02:00:01   active  2007-01-17 11:38:41 PST  rebind
100.20.32.4     90:00:00:03:00:01   active  2007-01-17 11:38:01 PST  rebind
100.20.32.5     90:00:00:04:00:01   active  2007-01-17 11:38:07 PST  rebind
100.20.32.6     90:00:00:05:00:01   active  2007-01-17 11:38:47 PST  rebind

user@host> show dhcp relay binding 100.20.32.1
Active binding information:
IP address 100.20.32.1
Hardware address 90:00:00:01:00:01

Lease information:
Type DHCP
Obtained at 2007-01-17 11:28:47 PST
Expires at 2007-01-17 11:38:47 PST

user@host> show dhcp relay binding 100.20.32.1 detail
Active binding information:
IP address 100.20.32.1
Hardware address 90:00:00:01:00:01
Request received on fe-0/0/2.0, relayed by 100.20.32.2

Lease information:
Type DHCP
Obtained at 2007-01-17 11:28:47 PST
Expires at 2007-01-17 11:38:47 PST
State rebind


show dhcp relay statistics

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax show dhcp relay statistics
[<routing-instance>]

Release Information Statement introduced in Junos OS Release 12.1X44-D10.

Description Display Dynamic Host Configuration Protocol (DHCP) relay statistics.

Options routing-instance—(Optional) Display the DHCP relay statistics on the specified routing
instance.

Required Privilege Level view

Related Documentation • clear dhcp relay statistics on page 332
• Administration Guide for Security Devices

List of Sample Output show dhcp relay statistics on page 405

Output Fields Table 23 on page 404 lists the output fields for the show dhcp relay statistics command.
Output fields are listed in the approximate order in which they appear.

Table 23: show dhcp relay statistics


Field Name Field Description

Messages received Number of DHCP messages received.

• BOOTREQUEST—Number of BOOTP protocol data units (PDUs) received
• DHCPDECLINE—Number of DHCP PDUs of type DECLINE received
• DHCPDISCOVER—Number of DHCP PDUs of type DISCOVER received
• DHCPREQUEST—Number of DHCP PDUs of type REQUEST received
• DHCPINFORM—Number of DHCP PDUs of type INFORM received
• DHCPRELEASE—Number of DHCP PDUs of type RELEASE received

Messages sent Number of DHCP messages sent.

• BOOTREPLY—Number of BOOTP PDUs transmitted
• DHCPOFFER—Number of DHCP PDUs of type OFFER transmitted
• DHCPACK—Number of DHCP PDUs of type ACK transmitted
• DHCPNAK—Number of DHCP PDUs of type NAK transmitted
• DHCPFORCERENEW—Number of DHCP PDUs of type FORCERENEW transmitted


Sample Output
show dhcp relay statistics
user@host> show dhcp relay statistics
Messages received:
BOOTREQUEST 0
DHCPDECLINE 0
DHCPDISCOVER 0
DHCPINFORM 0
DHCPRELEASE 0
DHCPREQUEST 0

Messages sent:
BOOTREPLY 0
DHCPOFFER 0
DHCPACK 0
DHCPNAK 0
DHCPFORCERENEW 0


show dhcp server binding

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax show dhcp server binding
[interface <interface name>]
<brief | detail | summary | verbose>
<ip-address | MAC address>
<routing-instance routing-instance-name>

Release Information Statement introduced in Junos OS Release 12.1X44-D10.

Description Display the address bindings in the client table on the Dynamic Host Configuration
Protocol (DHCP) local server.

Options interface <interface name>—(Optional) Display information about active client bindings
on the specified interface.

brief | detail | summary—(Optional) Display the specified level of output about active
client bindings. The default is brief, which produces the same output as show dhcp
server binding.

ip-address—Display DHCP binding information for a specific client identified by the
specified IP address.

MAC address—Display DHCP binding information for a specific client identified by the
specified MAC address.

routing-instance routing-instance-name—(Optional) Display information about active
client bindings for DHCP clients on the specified routing instance.

Required Privilege Level view

Related Documentation • clear dhcp server binding on page 333
• Administration Guide for Security Devices

List of Sample Output show dhcp server binding on page 407

Output Fields Table 24 on page 406 lists the output fields for the show dhcp server binding command.
Output fields are listed in the approximate order in which they appear.

Table 24: show dhcp server binding Output Fields


Field Name Field Description

IP address IP address of the DHCP client.

Hardware address Hardware address of the DHCP client.

Request received on Interface on which the request was received.

Type Type of DHCP packet processing performed on the device.

Obtained at Date and time at which the client’s IP address lease started.

Expires at Date and time at which the client’s IP address lease expires.

State State of the address binding table on the DHCP local server.

Sample Output
show dhcp server binding
user@host> show dhcp server binding 100.20.32.1 detail
Active binding information:
IP address 100.20.32.1
Hardware address 90:00:00:01:00:01
Request received on fe-0/0/2.0, relayed by 100.20.32.2

Lease information:
Type DHCP
Obtained at 2007-01-17 11:28:47 PST
Expires at 2007-01-17 11:38:47 PST
State rebind


show dhcp server statistics

Supported Platforms J Series, LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax show dhcp server statistics
<routing-instance>

Release Information Statement introduced in Junos OS Release 12.1X44-D10.

Description Display Dynamic Host Configuration Protocol (DHCP) local server statistics.

Options routing-instance—(Optional) Display information about DHCP local server statistics on
the specified routing instance. If you do not specify a routing instance, statistics are
displayed for the default routing instance.

Required Privilege Level view

Related Documentation • clear dhcp server statistics on page 334
• Administration Guide for Security Devices

List of Sample Output show dhcp server statistics on page 409

Output Fields Table 25 on page 408 lists the output fields for the show dhcp server statistics command.
Output fields are listed in the approximate order in which they appear.

Table 25: show dhcp server statistics


Field Name Field Description

Packets dropped Number of packets discarded by the DHCP local server because of errors. Only nonzero statistics
appear in the Packets dropped output. When all of the Packets dropped statistics are 0 (zero), only
the Total field appears.

Messages received Number of DHCP messages received.

• BOOTREQUEST—Number of BOOTP protocol data units (PDUs) received
• DHCPDECLINE—Number of DHCP PDUs of type DECLINE received
• DHCPDISCOVER—Number of DHCP PDUs of type DISCOVER received
• DHCPREQUEST—Number of DHCP PDUs of type REQUEST received
• DHCPINFORM—Number of DHCP PDUs of type INFORM received
• DHCPRELEASE—Number of DHCP PDUs of type RELEASE received

Messages sent Number of DHCP messages sent.

• BOOTREPLY—Number of BOOTP PDUs transmitted
• DHCPOFFER—Number of DHCP PDUs of type OFFER transmitted
• DHCPACK—Number of DHCP PDUs of type ACK transmitted
• DHCPNAK—Number of DHCP PDUs of type NAK transmitted
• DHCPFORCERENEW—Number of DHCP PDUs of type FORCERENEW transmitted


Sample Output
show dhcp server statistics
user@host> show dhcp server statistics
Packets dropped:
Total 0

Messages received:
BOOTREQUEST 0
DHCPDECLINE 0
DHCPDISCOVER 0
DHCPINFORM 0
DHCPRELEASE 0
DHCPREQUEST 0

Messages sent:
BOOTREPLY 0
DHCPOFFER 0
DHCPACK 0
DHCPNAK 0
DHCPFORCERENEW 0


show dhcpv6 server binding (View)

Supported Platforms J Series, LN Series, SRX Series

Syntax show dhcpv6 server binding
<brief | detail | summary>
<interface interface-name>
<routing-instance routing-instance-name>

Release Information Command introduced in Release 10.4 of Junos OS.

Description Display the address bindings in the client table for the DHCPv6 local server.

Options • brief | detail | summary—(Optional) Display the specified level of output about active
client bindings. The default is brief, which produces the same output as show dhcpv6
server binding.

• interface interface-name—(Optional) Display information about active client bindings
on the specified interface.

• routing-instance routing-instance-name—(Optional) Display information about active
client bindings for DHCPv6 clients on the specified routing instance.

Required Privilege Level view

Related Documentation • clear dhcpv6 server binding (Local Server) on page 335
• Administration Guide for Security Devices

List of Sample Output show dhcpv6 server binding on page 411
show dhcpv6 server binding detail on page 412
show dhcpv6 server binding interface on page 412
show dhcpv6 server binding interface detail on page 412
show dhcpv6 server binding prefix on page 413
show dhcpv6 server binding session-id on page 413
show dhcpv6 server binding summary on page 413

Output Fields Table 26 on page 410 lists the output fields for the show dhcpv6 server binding command.
Output fields are listed in the approximate order in which they appear.

Table 26: show dhcpv6 server binding Output Fields


Field Name Field Description Level of Output

number clients, (number init, number bound, number selecting, number requesting, number renewing, number releasing) Summary counts of the total number of DHCPv6 clients and the number of DHCPv6 clients in each state. summary

Prefix Client’s DHCPv6 prefix. brief, detail

Session Id Session ID of the subscriber session. brief, detail

Expires Number of seconds in which lease expires. brief, detail

State State of the address binding table on the DHCPv6 local server: brief, detail
• BOUND—Client has active IP address lease.
• INIT—Initial state.
• RELEASE—Client is releasing IP address lease.
• RECONFIGURE—Client has received reconfigure message from server.
• RENEWING—Client sending request to renew IP address lease.
• REQUESTING—Client requesting a DHCPv6 server.
• SELECTING—Client receiving offers from DHCPv6 servers.

Interface Interface on which the DHCPv6 request was received. brief

Client DUID Client’s DHCP Unique Identifier (DUID). brief, detail

Lease expires Date and time at which the client’s IP address lease expires. detail

Lease expires in Number of seconds in which lease expires. detail

Lease Start Date and time at which the client’s address lease was obtained. detail

Incoming Client Interface Client’s incoming interface. detail

Server IP Address IP address of DHCPv6 server. detail

Server Interface Interface of DHCPv6 server. detail

Client Id length Length of the DHCPv6 client ID, in bytes. detail

Client Id ID of the DHCPv6 client. detail

Sample Output
show dhcpv6 server binding
user@host> show dhcpv6 server binding
Prefix                   Session Id  Expires  State  Interface   Client DUID
2001:bd8:1111:2222::/64  6           86321    BOUND  ge-1/0/0.0  LL_TIME0x1-0x2e159c0-00:10:94:00:00:01
2001:bd8:1111:2222::/64  7           86321    BOUND  ge-1/0/0.0  LL_TIME0x1-0x2e159c0-00:10:94:00:00:02
2001:bd8:1111:2222::/64  8           86321    BOUND  ge-1/0/0.0  LL_TIME0x1-0x2e159c0-00:10:94:00:00:03
2001:bd8:1111:2222::/64  9           86321    BOUND  ge-1/0/0.0  LL_TIME0x1-0x2e159c1-00:10:94:00:00:04
2001:bd8:1111:2222::/64  10          86321    BOUND  ge-1/0/0.0  LL_TIME0x1-0x2e159c1-00:10:94:00:00:05

show dhcpv6 server binding detail
user@host> show dhcpv6 server binding detail
Session Id: 6
Client IPv6 Prefix: 2001:bd8:1111:2222::/64
Client DUID: LL_TIME0x1-0x2e159c0-00:10:94:00:00:01

State: BOUND(bound)
Lease Expires: 2009-07-21 10:41:15 PDT
Lease Expires in: 86308 seconds
Lease Start: 2009-07-20 10:41:15 PDT
Incoming Client Interface: ge-1/0/0.0
Server Ip Address: 0.0.0.0
Server Interface: none
Client Id Length: 14
Client Id:
/0x00010001/0x02e159c0/0x00109400/0x0001

Session Id: 7
Client IPv6 Prefix: 2001:bd8:1111:2222::/64
Client DUID: LL_TIME0x1-0x2e159c0-00:10:94:00:00:02

State: BOUND(bound)
Lease Expires: 2009-07-21 10:41:15 PDT
Lease Expires in: 86308 seconds
Lease Start: 2009-07-20 10:41:15 PDT
Incoming Client Interface: ge-1/0/0.0
Server Ip Address: 0.0.0.0
Server Interface: none
Client Id Length: 14
Client Id:
/0x00010001/0x02e159c0/0x00109400/0x0002

show dhcpv6 server binding interface
user@host> show dhcp6 server binding interface ge-1/0/0:10-101
Prefix                   Session Id  Expires  State  Interface     Client DUID
2001:bd8:1111:2222::/64  1           86055    BOUND  ge-1/0/0.100  LL_TIME0x1-0x4b0a53b9-00:10:94:00:00:01

show dhcpv6 server binding interface detail
user@host> show dhcp6 server binding interface ge-1/0/0:10-101 detail
Session Id: 7
Client IPv6 Prefix: 2001:bd8:1111:2222::/64
Client DUID: LL_TIME0x1-0x2e159c0-00:10:94:00:00:02

State: BOUND(bound)
Lease Expires: 2009-07-21 10:41:15 PDT
Lease Expires in: 86136 seconds
Lease Start: 2009-07-20 10:41:15 PDT
Incoming Client Interface: ge-1/0/0.0
Server Ip Address: 0.0.0.0
Server Interface: none
Client Id Length: 14
Client Id:
/0x00010001/0x02e159c0/0x00109400/0x0002

show dhcpv6 server binding prefix
user@host> show dhcp6 server binding 14/0x00010001/0x02b3be8f/0x00109400/0x0005 detail
Session Id: 7
Client IPv6 Prefix: 2001:bd8:1111:2222::/64
Client DUID: LL_TIME0x1-0x2e159c0-00:10:94:00:00:02

State: BOUND(bound)
Lease Expires: 2009-07-21 10:41:15 PDT
Lease Expires in: 86136 seconds
Lease Start: 2009-07-20 10:41:15 PDT
Incoming Client Interface: ge-1/0/0.0
Server Ip Address: 0.0.0.0
Server Interface: none
Client Id Length: 14
Client Id:
/0x00010001/0x02e159c0/0x00109400/0x0002

show dhcpv6 server binding session-id
user@host> show dhcpv6 server binding 8
Prefix                   Session Id  Expires  State  Interface   Client DUID
2001:bd8:1111:2222::/64  8           86235    BOUND  ge-1/0/0.0  LL_TIME0x1-0x2e159c0-00:10:94:00:00:03

show dhcpv6 server binding summary
user@host> show dhcpv6 server binding summary

5 clients, (0 init, 5 bound, 0 selecting, 0 requesting, 0 renewing, 0 releasing)


show dhcpv6 server statistics (View)

Supported Platforms J Series, LN Series, SRX Series

Syntax show dhcpv6 server statistics
<logical-system logical-system-name>
<routing-instance routing-instance-name>

Release Information Command introduced in Release 10.4 of Junos OS.

Description Display DHCPv6 local server statistics.

Options logical-system logical-system-name—(Optional) Display information about extended
DHCPv6 local server statistics on the specified logical system. If you do not specify
a logical system, statistics are displayed for the default logical system.

routing-instance routing-instance-name—(Optional) Display information about DHCPv6
local server statistics on the specified routing instance. If you do not specify a routing
instance, statistics are displayed for the default routing instance.

Required Privilege Level view

Related Documentation • clear dhcpv6 server statistics (Local Server) on page 336
• Administration Guide for Security Devices

List of Sample Output show dhcpv6 server statistics on page 416

Output Fields Table 27 on page 415 lists the output fields for the show dhcpv6 server statistics command.
Output fields are listed in the approximate order in which they appear.


Table 27: show dhcpv6 server statistics Output Fields


Field Name Field Description

Dhcpv6 Packets dropped Number of packets discarded by the DHCPv6 local server because of errors. Only nonzero
statistics appear in the Packets dropped output. When all of the Packets dropped statistics are 0 (zero), only
the Total field appears.

• Total—Total number of packets discarded by the DHCPv6 local server
• Strict Reconfigure—Number of solicit messages discarded because the client does not support
reconfiguration
• Bad hardware address—Number of packets discarded because an invalid hardware address was
specified
• Bad opcode—Number of packets discarded because an invalid operation code was specified
• Bad options—Number of packets discarded because invalid options were specified
• Invalid server address—Number of packets discarded because an invalid server address was specified
• No available addresses—Number of packets discarded because there were no addresses available
for assignment
• No interface match—Number of packets discarded because they did not belong to a configured
interface
• No routing instance match—Number of packets discarded because they did not belong to a configured
routing instance
• No valid local address—Number of packets discarded because there was no valid local address
• Packet too short—Number of packets discarded because they were too short
• Read error—Number of packets discarded because of a system read error
• Send error—Number of packets that the DHCPv6 local server could not send

Messages received Number of DHCPv6 messages received.

• DHCPV6_CONFIRM—Number of DHCPv6 CONFIRM PDUs received.
• DHCPV6_DECLINE—Number of DHCPv6 DECLINE PDUs received.
• DHCPV6_INFORMATION_REQUEST—Number of DHCPv6 INFORMATION-REQUEST PDUs received.
• DHCPV6_REBIND—Number of DHCPv6 REBIND PDUs received.
• DHCPV6_RELAY_FORW—Number of DHCPv6 RELAY-FORW PDUs received from a relay by the
DHCPv6 server.
• DHCPV6_RELEASE—Number of DHCPv6 RELEASE PDUs received.
• DHCPV6_RENEW—Number of DHCPv6 RENEW PDUs received.
• DHCPV6_REQUEST—Number of DHCPv6 REQUEST PDUs received.
• DHCPV6_SOLICIT—Number of DHCPv6 SOLICIT PDUs received.

Messages sent Number of DHCPv6 messages sent.

• DHCPV6_ADVERTISE—Number of DHCPv6 ADVERTISE PDUs transmitted.
• DHCPV6_REPLY—Number of DHCPv6 REPLY PDUs transmitted.
• DHCPV6_RECONFIGURE—Number of DHCPv6 RECONFIGURE PDUs transmitted.
• DHCPV6_RELAY_REPL—Number of DHCPv6 RELAY-REPL PDUs sent from DHCPv6 server to
DHCPv6 relay.


Sample Output
show dhcpv6 server statistics
user@host> show dhcpv6 server statistics
Dhcpv6 Packets dropped:
Total 0

Messages received:
DHCPV6_DECLINE 0
DHCPV6_SOLICIT 9
DHCPV6_INFORMATION_REQUEST 0
DHCPV6_RELEASE 0
DHCPV6_REQUEST 5
DHCPV6_CONFIRM 0
DHCPV6_RENEW 0
DHCPV6_REBIND 0
DHCPV6_RELAY_FORW 0
Messages sent:
DHCPV6_ADVERTISE 9
DHCPV6_REPLY 5
DHCPV6_RECONFIGURE 0
DHCPV6_RELAY_REPL 0
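
Added example, not Juniper code or output from this guide: a parser for the show dhcpv6 server statistics layout above, with checks keyed to the drop reasons listed in Table 27. The counter values in the embedded sample are constructed; the threshold for unanswered SOLICITs is an assumption.

```python
"""Parse 'show dhcpv6 server statistics' output and flag the drop reasons
from Table 27 that matter operationally. Added example, not Juniper code;
the counter values below are constructed."""

# Constructed sample in the layout the command prints; numbers are invented
# so that nonzero drop reasons actually appear under "Packets dropped".
SAMPLE = """\
Dhcpv6 Packets dropped:
    Total                          7
    No available addresses         5
    Bad options                    2

Messages received:
    DHCPV6_DECLINE                 0
    DHCPV6_SOLICIT                 48
    DHCPV6_INFORMATION_REQUEST     0
    DHCPV6_RELEASE                 0
    DHCPV6_REQUEST                 9
    DHCPV6_CONFIRM                 0
    DHCPV6_RENEW                   3
    DHCPV6_REBIND                  0
    DHCPV6_RELAY_FORW              0
Messages sent:
    DHCPV6_ADVERTISE               9
    DHCPV6_REPLY                   12
    DHCPV6_RECONFIGURE             0
    DHCPV6_RELAY_REPL              0
"""

# Drop reasons from Table 27 that point at malformed input.
MALFORMED_REASONS = ("Bad hardware address", "Bad opcode", "Bad options",
                     "Packet too short")


def parse_dhcpv6_server_statistics(text):
    """Return {section: {counter: int}}; section names keep the CLI wording,
    e.g. "Dhcpv6 Packets dropped", "Messages received", "Messages sent"."""
    stats, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):                 # section header
            section = line[:-1]
            stats[section] = {}
            continue
        if section is None:
            raise ValueError(f"counter before any section header: {line!r}")
        name, value = line.rsplit(None, 1)     # reason names contain spaces
        stats[section][name] = int(value)
    return stats


def assess(stats, max_unanswered_solicits=10):
    """Turn the counters into findings a defender would act on (threshold assumed)."""
    drops = stats.get("Dhcpv6 Packets dropped", {})
    rx = stats.get("Messages received", {})
    tx = stats.get("Messages sent", {})
    findings = []

    # Pool exhaustion: clients are asking and the server has nothing to give.
    if drops.get("No available addresses", 0):
        findings.append(f"pool exhaustion: {drops['No available addresses']} "
                        "packets dropped with no address available")

    # Malformed input is worth a look whether it is a broken client or probing.
    for reason in MALFORMED_REASONS:
        if drops.get(reason, 0):
            findings.append(f"malformed input: {drops[reason]} dropped ({reason})")

    # Only nonzero reasons are printed, so the printed reasons should add up to Total.
    detail = sum(v for k, v in drops.items() if k != "Total")
    if "Total" in drops and detail != drops["Total"]:
        findings.append(f"drop counters inconsistent: Total {drops['Total']} "
                        f"vs itemised {detail}")

    # SOLICITs the server never answered with an ADVERTISE.
    unanswered = rx.get("DHCPV6_SOLICIT", 0) - tx.get("DHCPV6_ADVERTISE", 0)
    if unanswered > max_unanswered_solicits:
        findings.append(f"{unanswered} SOLICITs without an ADVERTISE")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_dhcpv6_server_statistics(SAMPLE)):
        print(finding)
```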


show firewall (View)

Supported Platforms J Series, LN Series, SRX Series

Syntax show firewall
<filter filter-name>
<counter counter-name>
<log>
<prefix-action-stats>
<terse>

Release Information Command introduced before Release 10.0 of Junos OS.

Description Display statistics about configured firewall filters.

Options none—Display statistics about configured firewall filters.

filter filter-name—Name of a configured filter.

counter counter-name—Name of a filter counter.

log—Display log entries for firewall filters.

prefix-action-stats—Display prefix action statistics for firewall filters.

terse—Display firewall filter names only.

Required Privilege Level view

Related Documentation • Administration Guide for Security Devices

List of Sample Output show firewall on page 418

Output Fields Table 28 on page 417 lists the output fields for the show firewall command. Output fields
are listed in the approximate order in which they appear.

Table 28: show firewall Output Fields


Field Name Field Description

Filter Name of a filter that has been configured with the filter statement at the [edit firewall] hierarchy level.

When an interface-specific filter is displayed, the name of the filter is followed by the full interface
name and by either -i for an input filter or -o for an output filter.

When dynamic filters are displayed, the name of the filter is followed by the full interface name and
by either -in for an input filter or -out for an output filter. When a logical system–specific filter is
displayed, the name of the filter is prefixed with two underscore (__) characters and the name of the
logical system (for example, __ls1/filter1).

Counters Display filter counter information:

• Name—Name of a filter counter that has been configured with the counter firewall filter action.
• Bytes—Number of bytes that match the filter term under which the counter action is specified.
• Packets—Number of packets that matched the filter term under which the counter action is specified.

Policers Display policer information:

• Name—Name of policer.
• Bytes—Number of bytes that match the filter term under which the policer action is specified. This
is only the number of out-of-specification (out-of-spec) bytes, not all the bytes in all packets
policed by the policer.
• Packets—Number of packets that matched the filter term under which the policer action is specified.
This is only the number of out-of-specification (out-of-spec) packet counts, not all packets policed
by the policer.

Sample Output
show firewall
user@host> show firewall
Filter: ef_path
Counters:
Name Bytes Packets
def-count 0 0
video-count 0 0
voice-count 0 0

Filter: __default_bpdu_filter__

Filter: deep
Counters:
Name Bytes Packets
deep2 302076 5031

Filter: deep-flood
Counters:
Name Bytes Packets
deep_flood_def 302136 5032
deep1 0 0
Policers:
Name Packets
deep-pol-op-first 0
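
Added example, not Juniper code: diffing two show firewall snapshots to find the filter terms whose counters or policers are climbing, which is how the per-term counters above are normally used in practice. The first snapshot reuses the deep and deep-flood filters from the sample output above; the second snapshot, the 60 second interval and the packets-per-second threshold are constructed.

```python
"""Diff two 'show firewall' snapshots and report the filter terms whose
counters or policers are climbing. Added example, not Juniper code: the
first snapshot reuses two filters from the guide's sample output; the
second snapshot and the 60 s interval between them are constructed."""

SNAPSHOT_T0 = """\
Filter: __default_bpdu_filter__

Filter: deep
Counters:
Name                                Bytes              Packets
deep2                              302076                 5031

Filter: deep-flood
Counters:
Name                                Bytes              Packets
deep_flood_def                     302136                 5032
deep1                                   0                    0
Policers:
Name                              Packets
deep-pol-op-first                       0
"""

# Constructed: 60 s later the flood term and its policer have both moved,
# while the ordinary "deep" filter has barely changed.
SNAPSHOT_T1 = """\
Filter: __default_bpdu_filter__

Filter: deep
Counters:
Name                                Bytes              Packets
deep2                              302500                 5038

Filter: deep-flood
Counters:
Name                                Bytes              Packets
deep_flood_def                    3902136                65032
deep1                                   0                    0
Policers:
Name                              Packets
deep-pol-op-first                    4500
"""


def parse_show_firewall(text):
    """Return {filter: {"counters": {name: {...}}, "policers": {name: {...}}}}."""
    filters, current, table, columns = {}, None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Filter:"):
            current = line.split(":", 1)[1].strip()
            filters[current] = {"counters": {}, "policers": {}}
            table = columns = None
        elif line in ("Counters:", "Policers:"):
            table, columns = line[:-1].lower(), None
        elif line.startswith("Name"):
            columns = [c.lower() for c in line.split()[1:]]   # e.g. ["bytes", "packets"]
        elif current and table and columns:
            name, *values = line.split()
            if len(values) != len(columns):
                raise ValueError(f"unexpected row under {current}/{table}: {line!r}")
            filters[current][table][name] = dict(zip(columns, map(int, values)))
        else:
            raise ValueError(f"unparsed line: {line!r}")
    return filters


def packet_rates(before, after, interval_s):
    """Packets per second gained by every counter and policer between two snapshots."""
    rates = {}
    for fname, tables in after.items():
        for table, rows in tables.items():
            for cname, vals in rows.items():
                prev = before.get(fname, {}).get(table, {}).get(cname, {}).get("packets")
                if prev is None or vals["packets"] < prev:
                    continue   # new counter, or counter was cleared between snapshots
                rates[(fname, table, cname)] = (vals["packets"] - prev) / interval_s
    return rates


def flag_hot_terms(rates, pps_threshold=100.0):
    """A policer counting anything means traffic exceeded its limit (its counts are
    out-of-spec packets only); a fast-growing term counter names the match that is
    taking the hits. The threshold is an assumed operating value."""
    findings = []
    for (fname, table, cname), pps in sorted(rates.items()):
        if table == "policers" and pps > 0:
            findings.append(f"{fname}: policer {cname} saw {pps:.0f} out-of-spec pkt/s")
        elif table == "counters" and pps >= pps_threshold:
            findings.append(f"{fname}: term counter {cname} growing at {pps:.0f} pkt/s")
    return findings


if __name__ == "__main__":
    rates = packet_rates(parse_show_firewall(SNAPSHOT_T0),
                         parse_show_firewall(SNAPSHOT_T1), 60)
    for finding in flag_hot_terms(rates):
        print(finding)
```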


show system autorecovery state

Supported Platforms LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax show system autorecovery state

Release Information Command introduced in Release 11.2 of Junos OS.

Description Performs checks and shows status of all autorecovered items.

Required Privilege Level view

Related Documentation • request system autorecovery state on page 354
• Installation and Upgrade Guide for Security Devices

• Administration Guide for Security Devices

List of Sample Output show system autorecovery state on page 419

Output Fields Table 29 on page 419 lists the output fields for the show system autorecovery state
command. Output fields are listed in the approximate order in which they appear.

Table 29: show system autorecovery state Output Fields


Field Name Field Description

File The name of the file on which autorecovery checks are performed.

Slice The disk partition on which autorecovery checks are performed.

Recovery Information Indicates whether autorecovery information for the file or slice has been saved.

Integrity Check Displays the status of the file's integrity check (passed or failed).

Action / Status Displays the status of the item, or the action required to be taken for that item.

Sample Output
show system autorecovery state
user@host> show system autorecovery state

Configuration:
File Recovery Information Integrity Check Action / Status
rescue.conf.gz Saved Passed None
Licenses:
File Recovery Information Integrity Check Action / Status
JUNOS282736.lic Saved Passed None
JUNOS282737.lic Not Saved Not checked Requires save
BSD Labels:
Slice Recovery Information Integrity Check Action / Status
s1 Saved Passed None
s2 Saved Passed None
s3 Saved Passed None
s4 Saved Passed None


show system directory-usage

Supported Platforms SRX Series

Syntax show system directory-usage
<depth number>
<node node-id | all | local | primary>
<path>

Release Information Command introduced before Junos OS Release 9.0.

Description Display directory usage information.

Options • none—Display all directory usage information.

• depth number—(Optional) Specify the depth of the directory to traverse. This option
is useful when you want to limit the output shown for a large file system.

• node—(Optional) Display the directory information for a specific node.

NOTE: The node option is supported only on high-end SRX Series devices.

• node-id—Identification number of the node. It can be 0 or 1.

• all—(Optional) Display the directory information for all nodes.

• local—(Optional) Display the directory information for the local node.

• primary—(Optional) Display the directory information for the primary node.

• path—(Optional) Specify the path of the root directory to traverse.

Required Privilege Level view

Related Documentation • Administration Guide for Security Devices

List of Sample Output show system directory-usage on page 422

Output Fields Table 30 on page 421 describes the output fields for the show system directory-usage
command. Output fields are listed in the approximate order in which they appear.

Table 30: show system directory-usage Output Fields


Field Name Field Description

bytes Number of bytes used by files in a directory.

directory-name Name of the directory.


Sample Output
show system directory-usage
user@host> show system directory-usage
node0:
--------------------------------------------------------------------------
/var/tmp
2.0K /var/tmp/.ssh


show system download

Supported Platforms LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650

Syntax show system download <download-id>

Release Information Command introduced in Release 11.2 of Junos OS.

Description Display a brief summary of all the download instances along with their current state and
extent of progress. If a download-id is provided, the command displays a detailed report
of the particular download instance.

Options • download-id—(Optional) The ID number of the download instance.

Required Privilege Level view

Related Documentation • request system download start on page 360
• Installation and Upgrade Guide for Security Devices

• Administration Guide for Security Devices

List of Sample Output show system download on page 423
show system download 1 on page 424

Output Fields Table 31 on page 423 lists the output fields for the show system download command.
Output fields are listed in the approximate order in which they appear.

Table 31: show system download Output Fields


Field Name Field Description

ID Displays the download identification number.

Status Displays the state of a particular download.

Start Time Displays the start time of a particular download.

Progress Displays the percentage of a download that has been completed.

URL Displays the location of the downloaded file.

Sample Output
show system download
user@host> show system download
Download Status Information:
ID Status Start Time Progress URL
1 Active May 4 06:28:36 5% ftp://ftp-server//tftpboot/1m_file
2 Active May 4 06:29:07 3% ftp://ftp-server//tftpboot/5m_file
3 Error May 4 06:29:22 Unknown ftp://ftp-server//tftpboot/badfile
4 Completed May 4 06:29:40 100% ftp://ftp-server//tftpboot/smallfile

show system download 1
user@host> show system download 1

Download ID : 1
Status : Active
Progress : 6%
URL : ftp://ftp-server//tftpboot/1m_file
Local Path : /var/tmp/1m_file
Maximum Rate : 1k
Creation Time : May 4 06:28:36
Scheduled Time : May 4 06:28:36
Start Time : May 4 06:28:37
Error Count : 0


show system license (View)

Supported Platforms J Series, LN Series, SRX Series

Syntax show system license
<installed | keys | status | usage>

Release Information Command introduced in Junos OS Release 9.5. Logical system status option added in
Junos OS Release 11.2.

Description Display licenses and information about how licenses are used.

Options none—Display all license information.

installed—(Optional) Display installed licenses only.

keys—(Optional) Display a list of license keys. Use this information to verify that each
expected license key is present.

status—(Optional) Display license status for a specified logical system or for all logical
systems.

usage—(Optional) Display the state of licensed features.

Required Privilege Level view

Related Documentation • Administration Guide for Security Devices
                      • Installation and Upgrade Guide for Security Devices

List of Sample Output show system license on page 426
                      show system license installed on page 426
                      show system license keys on page 427
                      show system license usage on page 427
                      show system license status logical-system all on page 427

Output Fields Table 32 on page 425 lists the output fields for the show system license command. Output
fields are listed in the approximate order in which they appear.

Table 32: show system license Output Fields

Field Name             Field Description
Feature name           Name assigned to the configured feature. You use this information to verify that all
                       the features for which you installed licenses are present.
Licenses used          Number of licenses used by the device. You use this information to verify that the
                       number of licenses used matches the number configured. If a licensed feature is
                       configured, the feature is considered used.
Licenses installed     Information about the installed license key:
                       • License identifier—Identifier associated with a license key.
                       • License version—Version of a license. The version indicates how the license is
                         validated, the type of signature, and the signer of the license key.
                       • Valid for device—Device that can use a license key.
                       • Features—Feature associated with a license.
Licenses needed        Number of licenses required for features being used but not yet properly licensed.
Expiry                 Time remaining in the grace period before a license is required for a feature being
                       used.
Logical system         Displays whether a license is enabled for a logical system.
license status

Sample Output
show system license
user@host> show system license

License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  av_key_kaspersky_engine               1            1           0    2012-03-30 01:00:00 IST
  wf_key_surfcontrol_cpa                0            1           0    2012-03-30 01:00:00 IST
  dynamic-vpn                           0            1           0    permanent
  ax411-wlan-ap                         0            2           0    permanent

Licenses installed:
  License identifier: JUNOS301998
  License version: 2
  Valid for device: AG4909AA0080
  Features:
    av_key_kaspersky_engine - Kaspersky AV
      date-based, 2011-03-30 01:00:00 IST - 2012-03-30 01:00:00 IST

  License identifier: JUNOS302000
  License version: 2
  Valid for device: AG4909AA0080
  Features:
    wf_key_surfcontrol_cpa - Web Filtering
      date-based, 2011-03-30 01:00:00 IST - 2012-03-30 01:00:00 IST

show system license installed
user@host> show system license installed

  License identifier: JUNOS301998
  License version: 2
  Valid for device: AG4909AA0080
  Features:
    av_key_kaspersky_engine - Kaspersky AV
      date-based, 2011-03-30 01:00:00 IST - 2012-03-30 01:00:00 IST

  License identifier: JUNOS302000
  License version: 2
  Valid for device: AG4909AA0080
  Features:
    wf_key_surfcontrol_cpa - Web Filtering
      date-based, 2011-03-30 01:00:00 IST - 2012-03-30 01:00:00 IST

show system license keys
user@host> show system license keys

XXXXXXXXXX xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx
           xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx
           xxxxxx xxxxxx xxx

show system license usage
user@host> show system license usage

                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  av_key_kaspersky_engine               1            1           0    2012-03-30 01:00:00 IST
  wf_key_surfcontrol_cpa                0            1           0    2012-03-30 01:00:00 IST
  dynamic-vpn                           0            1           0    permanent
  ax411-wlan-ap                         0            2           0    permanent

show system license status logical-system all
user@host> show system license status logical-system all
Logical system license status:

  logical system name       license status
  root-logical-system       enabled
  LSYS0                     enabled
  LSYS1                     enabled
  LSYS2                     enabled
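The Licenses needed and Expiry columns of this output are the ones worth monitoring: a feature with a nonzero Licenses needed count is in use without a proper key and is running on the grace period shown under Expiry, and a date-based key that has lapsed leaves the feature unlicensed. The following is an added example, not code from the guide or from Junos OS: a Python parser for the show system license usage output that reports unlicensed, expired and soon-to-expire features. The sample rows mirror the guide's output; the 30-day warning threshold and the constructed-feature name used when testing are assumptions.

```python
"""Parse 'show system license usage' output and flag licensing risks.

Added example; this is not code from the Juniper guide or from Junos OS.
The sample text below is constructed to match the guide's output format
(same feature rows as the guide's sample); thresholds are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample in the format the guide shows for 'show system license usage'.
SAMPLE_OUTPUT = """\
                             Licenses     Licenses    Licenses    Expiry
  Feature name                   used    installed      needed
  av_key_kaspersky_engine           1            1           0    2012-03-30 01:00:00 IST
  wf_key_surfcontrol_cpa            0            1           0    2012-03-30 01:00:00 IST
  dynamic-vpn                       0            1           0    permanent
  ax411-wlan-ap                     0            2           0    permanent
"""

# One feature row: name, three counters, then either 'permanent' or a
# device-local timestamp followed by its zone abbreviation (e.g. IST).
ROW_RE = re.compile(
    r"^\s*(?P<feature>\S+)\s+(?P<used>\d+)\s+(?P<installed>\d+)\s+(?P<needed>\d+)\s+"
    r"(?P<expiry>permanent|\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S+)\s*$"
)


@dataclass
class LicenseRow:
    feature: str
    used: int
    installed: int
    needed: int
    expiry: Optional[datetime]  # None for a permanent license


def parse_license_usage(text: str) -> list[LicenseRow]:
    """Return one LicenseRow per feature line; the two header lines do not match ROW_RE.

    The zone token is dropped: the device prints its own local time, so the
    'now' passed to license_findings() must also be device-local (naive) time.
    """
    rows: list[LicenseRow] = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        expiry = None
        if m["expiry"] != "permanent":
            stamp = m["expiry"].rsplit(" ", 1)[0]  # strip the zone abbreviation
            expiry = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        rows.append(LicenseRow(m["feature"], int(m["used"]), int(m["installed"]),
                               int(m["needed"]), expiry))
    return rows


def license_findings(rows: list[LicenseRow], now: datetime,
                     warn_days: int = 30) -> list[tuple[str, str, str]]:
    """Return (feature, level, detail) for every row that needs attention.

    UNLICENSED: 'Licenses needed' > 0, i.e. the feature is configured but not
                properly licensed and is relying on the grace period.
    EXPIRED:    the expiry timestamp is already in the past.
    EXPIRING:   the expiry timestamp is within warn_days of 'now'.
    """
    findings = []
    for r in rows:
        if r.needed > 0:
            findings.append((r.feature, "UNLICENSED",
                             f"{r.needed} license(s) needed, {r.installed} installed"))
        if r.expiry is None:
            continue  # permanent licenses never expire
        in_use = "in use" if r.used else "not in use"
        if r.expiry <= now:
            findings.append((r.feature, "EXPIRED",
                             f"expired {r.expiry:%Y-%m-%d %H:%M:%S} ({in_use})"))
        elif r.expiry - now <= timedelta(days=warn_days):
            days_left = (r.expiry - now).days
            findings.append((r.feature, "EXPIRING", f"{days_left} day(s) left ({in_use})"))
    return findings


def check_license_output(text: str, now_iso: str,
                         warn_days: int = 30) -> list[tuple[str, str, str]]:
    """Parse the CLI text and evaluate it at device-local time now_iso ('YYYY-MM-DD HH:MM:SS')."""
    now = datetime.strptime(now_iso, "%Y-%m-%d %H:%M:%S")
    return license_findings(parse_license_usage(text), now, warn_days)


if __name__ == "__main__":
    # Evaluated 15 days before the sample's expiry date: both date-based keys are EXPIRING.
    for feature, level, detail in check_license_output(SAMPLE_OUTPUT, "2012-03-15 00:00:00"):
        print(f"{level:<10} {feature:<28} {detail}")
```

Feed it the captured text of show system license usage on a schedule and alert on any finding; the device's own local time must be used for now_iso, because the Expiry column carries the device's zone.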


show system login lockout

Supported Platforms SRX Series

Syntax show system login lockout

Release Information Command introduced in Release 11.2 of Junos OS.

Description Display the user names locked after unsuccessful login attempts.

Required Privilege Level view and system

Related Documentation • Administration Guide for Security Devices
                      • Installation and Upgrade Guide for Security Devices

List of Sample Output show system login lockout on page 428

Output Fields Table 33 on page 428 lists the output fields for the show system login lockout command.
Output fields are listed in the approximate order in which they appear. Field names might
be abbreviated (as shown in parentheses) when no level of output is specified or when
the detail keyword is used.

Table 33: show system login lockout

Field Name      Field Description                           Level of Output
User            Username                                    All levels
Lockout start   Date and time the username was locked       All levels
Lockout end     Date and time the username was unlocked     All levels

Sample Output
show system login lockout
user@host> show system login lockout

User   Lockout start             Lockout end
root   2011-05-11 09:11:15 UTC   2011-05-11 09:13:15 UTC


show system services dhcp client

Supported Platforms J Series, LN Series, SRX Series

Syntax show system services dhcp client
       <interface-name>
       <statistics>

Release Information Command introduced in Junos OS Release 8.5.

Description Display information about DHCP clients.

Options • none—Display DHCP information for all interfaces.

• interface-name —(Optional) Display DHCP information for the specified interface.

• statistics—(Optional) Display DHCP client statistics.

Required Privilege Level view and system

Related Documentation • dhcp (Interfaces)
                      • request system services dhcp on page 365
                      • Administration Guide for Security Devices

List of Sample Output show system services dhcp client on page 430
                      show system services dhcp client ge-0/0/1.0 on page 431
                      show system services dhcp client statistics on page 431

Output Fields Table 34 on page 429 lists the output fields for the show system services dhcp client
command. Output fields are listed in the approximate order in which they appear.

Table 34: show system services dhcp client Output Fields

Field Name               Field Description
Logical Interface Name   Name of the logical interface.
Client Status            State of the client binding.
Vendor Identifier        Vendor ID.
Server Address           IP address of the DHCP server.
Address obtained         IP address obtained from the DHCP server.
Lease Obtained at        Date and time the lease was obtained.
Lease Expires at         Date and time the lease expires.
DHCP Options             • Name: server-identifier, Value: IP address of the name server.
                         • Name: device, Value: IP address of the name device.
                         • Name: domain-name, Value: Name of the domain.
Packets dropped          Total packets dropped.
Messages received        Number of the following DHCP messages received:
                         • DHCPOFFER—First packet received on a logical interface when DHCP is enabled.
                         • DHCPACK—When received from the server, the client sends an ARP request for that
                           address, adds an (ARP response) timer for 4 seconds, and stops the earlier timer
                           added for DHCPACK.
                         • DHCPNAK—When a DHCPNAK is received instead of a DHCPACK, the logical interface
                           sends a DHCPDISCOVER packet.
Messages sent            Number of the following DHCP messages sent:
                         • DHCPDECLINE—Packet sent when an ARP response is received and there is a conflict.
                           The logical interface sends a new DHCPDISCOVER packet.
                         • DHCPDISCOVER—Packet sent on the interface for which the DHCP client is enabled.
                         • DHCPREQUEST—Packet sent to the DHCP server after accepting the DHCPOFFER.
                           After sending the DHCPREQUEST, the device adds a retransmission-interval timer.
                         • DHCPINFORM—Packet sent to the DHCP server for local configuration parameters.
                         • DHCPRELEASE—Packet sent to the DHCP server to relinquish the network address
                           and cancel the remaining lease.
                         • DHCPRENEW—Packet sent to the DHCP server to renew the address. The next message
                           to be sent will be a DHCPREQUEST message, which will be unicast directly to the
                           server.
                         • DHCPREBIND—Packet sent to any server to renew the address. The next message to
                           be sent will be a DHCPREQUEST message, which will be broadcast.

Sample Output
show system services dhcp client
user@host> show system services dhcp client
Logical Interface Name ge-0/0/1.0
Hardware address 00:0a:12:00:12:12
Client Status bound
Vendor Identifier ether
Server Address 10.1.1.1
Address obtained 10.1.1.89
update server enabled
Lease Obtained at 2006-08-24 18:13:04 PST
Lease Expires at 2006-08-25 18:13:04 PST
DHCP Options :
Name: name-server, Value: [ 10.209.194.131, 2.2.2.2, 3.3.3.3 ]
Name: server-identifier, Value: 10.1.1.1
Name: router, Value: [ 10.1.1.80 ]
Name: domain-name, Value: netscreen-50


Sample Output
show system services dhcp client ge-0/0/1.0
user@host> show system services dhcp client ge-0/0/1.0
Logical Interface name ge-0/0/1.0
Hardware address 00:12:1e:a9:7b:81
Client status bound
Address obtained 30.1.1.20
Update server disabled
Lease obtained at 2007-05-10 18:16:18 UTC
Lease expires at 2007-05-11 18:16:18 UTC
DHCP options:
Name: server-identifier, Value: 30.1.1.2
Code: 1, Type: ip-address, Value: 255.255.255.0
Name: name-server, Value: [ 77.77.77.77, 55.55.55.55 ]
Name: domain-name, Value: mylab.example.net

Sample Output
show system services dhcp client statistics
user@host> show system services dhcp client statistics
Packets dropped:
Total 0
Messages received:
DHCPOFFER 0
DHCPACK 8
DHCPNAK 0
Messages sent:
DHCPDECLINE 0
DHCPDISCOVER 0
DHCPREQUEST 1
DHCPINFORM 0
DHCPRELEASE 0
DHCPRENEW 7
DHCPREBIND 0


show system services dhcp relay-statistics

Supported Platforms J Series, LN Series, SRX Series

Syntax show system services dhcp relay-statistics

Release Information Command introduced in Release 8.5 of Junos OS.

Description Display information about the DHCP relay.

Required Privilege Level view and system

Related Documentation • dhcp
                      • Administration Guide for Security Devices

List of Sample Output show system services dhcp relay-statistics on page 433

Output Fields Table 35 on page 432 lists the output fields for the show system services dhcp
relay-statistics command. Output fields are listed in the approximate order in which they
appear.

Table 35: show system services dhcp relay-statistics Output Fields

Field Name          Field Description
Received packets    Total DHCP packets received.
Forwarded packets   Total DHCP packets forwarded.
Dropped packets     Total DHCP packets dropped for the following reasons:
                    • Due to a missing interface in the relay database—Number of packets discarded
                      because they did not belong to a configured interface.
                    • Due to a missing matching routing instance—Number of packets discarded because
                      they did not belong to a configured routing instance.
                    • Due to an error during packet read—Number of packets discarded because of a
                      system read error.
                    • Due to an error during packet send—Number of packets that the DHCP relay
                      application could not send.
                    • Due to an invalid server address—Number of packets discarded because an invalid
                      server address was specified.
                    • Due to a missing valid local address—Number of packets discarded because there
                      was no valid local address.
                    • Due to a missing route to the server or client—Number of packets discarded because
                      there were no addresses available for assignment.


Sample Output
show system services dhcp relay-statistics
user@host> show system services dhcp relay-statistics
Received packets: 4
Forwarded packets: 4
Dropped packets: 4
Due to missing interface in relay database: 4
Due to missing matching routing instance: 0
Due to an error during packet read: 0
Due to an error during packet send: 0
Due to invalid server address: 0
Due to missing valid local address: 0
Due to missing route to server/client: 0


show system snapshot media

Supported Platforms J Series, LN Series, SRX Series

Syntax show system snapshot media media-type

Release Information Command introduced in Release 10.2 of Junos OS.

Description Display the snapshot information for both root partitions on SRX Series devices.

Options • internal—Show snapshot information from internal media.

• usb—Show snapshot information from the device connected to the USB port.

• external—Show snapshot information from the external compact flash. This option
is available on the SRX650 Services Gateway.

Required Privilege Level view

Related Documentation • Installation and Upgrade Guide for Security Devices

show system snapshot media internal
show system snapshot media internal
Information for snapshot on internal (/dev/da0s1a) (primary)
  Creation date: Jan 15 10:43:26 2010
  JUNOS version on snapshot:
    junos : 10.1B3-domestic
Information for snapshot on internal (/dev/da0s2a) (backup)
  Creation date: Jan 15 10:15:32 2010
  JUNOS version on snapshot:
    junos : 10.2-20100112.0-domestic

show system snapshot media usb
show system snapshot media usb
Information for snapshot on usb (/dev/da1s1a) (primary)
  Creation date: Jul 24 16:16:01 2009
  JUNOS version on snapshot:
    junos : 10.0I20090723_1017-domestic
Information for snapshot on usb (/dev/da1s2a) (backup)
  Creation date: Jul 24 16:17:13 2009
  JUNOS version on snapshot:
    junos : 10.0I20090724_0719-domestic


show system storage (View SRX Series)

Supported Platforms LN Series, SRX Series

Syntax show system storage
       <detail>
       <node node-id | all | local | primary>
       <partitions>

Release Information Command introduced in Junos OS Release 10.2.

Description Display the local storage data currently available on the SRX Series devices.

Options • none—Display standard information about the amount of free disk space in the device
file system.

• detail—(Optional) Display detailed output about the amount of free disk space in the
device file system.

• node—(Optional) Display local storage data for a specific node.

NOTE: The node option is supported only on high-end SRX Series devices.

• node-id—Identification number of the node. It can be 0 or 1.

• all—(Optional) Display the local storage data for all nodes.

• local—(Optional) Display the local storage data for the local node.

• primary—(Optional) Display the local storage data for the primary node.

• partitions—(Optional) Display partitions information for the boot media.

NOTE: The partitions option is supported only on branch SRX Series devices.

Required Privilege Level view

Output Fields Table 36 on page 435 describes the output fields for the show system storage command.
Output fields are listed in the approximate order in which they appear.

Table 36: show system storage Output Fields

Field Name   Field Description
Filesystem   Name of the file system.
Size         Size of the file system.
Used         Amount of space used in the file system.
Avail        Amount of space available in the file system.
Capacity     Percentage of the file system space that is being used.
Mounted on   Directory in which the file system is mounted.

show system storage
user@host> show system storage

Filesystem      Size   Used   Avail   Capacity   Mounted on
/dev/ad0s2a     621M   169M   402M    30%        /
devfs           1.0K   1.0K   0B      100%       /dev
/dev/md0        20M    6.3M   12M     35%        /junos
/cf/packages    621M   169M   402M    30%        /junos/cf/packages
devfs           1.0K   1.0K   0B      100%       /junos/cf/dev
/dev/md1        494M   494M   0B      100%       /junos
/cf             20M    6.3M   12M     35%        /junos/cf
devfs           1.0K   1.0K   0B      100%       /junos/dev/
/cf/packages    621M   169M   402M    30%        /junos/cf/packages
1
procfs          4.0K   4.0K   0B      100%       /proc
/dev/bo0s3e     49M    24K    45M     0%         /config
/dev/bo0s3f     616M   399M   168M    70%        /cf/var
/dev/md2        336M   20M    289M    7%         /mfs
/cf/var/jail    616M   399M   168M    70%        /jail/var
/cf/var/log     616M   399M   168M    70%        /jail/var/log
devfs           1.0K   1.0K   0B      100%       /jail/dev
/dev/md3        63M    4.0K   58M     0%         /mfs/var/run/utm
/dev/md4        1.8M   228K   1.5M    13%        /jail/mfs


show system storage partitions (View SRX Series)

Supported Platforms LN Series, SRX100, SRX110, SRX210, SRX220, SRX240, SRX550

Syntax show system storage partitions

Release Information Command introduced in Release 10.2 of Junos OS.

Description Displays the partitioning scheme details on SRX Series devices.

Required Privilege Level view

Related Documentation • Installation and Upgrade Guide for Security Devices

show system storage partitions (dual root partitioning)
show system storage partitions
Boot Media: internal (da0)
Active Partition: da0s2a
Backup Partition: da0s1a
Currently booted from: active (da0s2a)

Partitions Information:
  Partition   Size   Mountpoint
  s1a         293M   altroot
  s2a         293M   /
  s3e         24M    /config
  s3f         342M   /var
  s4a         30M    recovery

show system storage partitions (single root partitioning)
show system storage partitions
Boot Media: internal (da0)
Partitions Information:
  Partition   Size   Mountpoint
  s1a         898M   /
  s1e         24M    /config
  s1f         61M    /var

show system storage partitions (USB)
show system storage partitions
Boot Media: usb (da1)
Active Partition: da1s1a
Backup Partition: da1s2a
Currently booted from: active (da1s1a)

Partitions Information:
  Partition   Size   Mountpoint
  s1a         293M   /
  s2a         293M   altroot
  s3e         24M    /config
  s3f         342M   /var
  s4a         30M    recovery


PART 4

Index
• Index on page 441



Index

Symbols
#, comments in configuration statements...................xvi
( ), in syntax descriptions....................................................xvi
/cf/var/crash directory See crash files
/cf/var/log directory See system logs
/cf/var/tmp directory See temporary files
< >, in syntax descriptions...................................................xvi
[ ], in configuration statements.........................................xvi
{ }, in configuration statements........................................xvi
| (pipe), in syntax descriptions..........................................xvi

A
access privileges
    denying and allowing commands.............................17
    permission bits for..........................................................15
    predefined..........................................................................15
    specifying........................................................................270
accounts See template accounts; user accounts
Address-Assignment Pool
    pool name..................................................................77, 84
Address-Assignment Pools.........................................77, 84
address-assignment pools
    client attributes............................................................106
    configuring overview...................................................103
    DHCP attributes...........................................................106
    dhcpv6 attributes........................................................106
    linking...............................................................................106
    named range..................................................................105
    router advertisement..................................................107
address-assignment statement......................................128
address-pool statement......................................................131
administrative roles
    example..........................................................................283
AES encryption
    setting.............................................................................308
allow-configuration statement........................................132
allow-configuration-regexps statement......................133
archiving files.........................................................................338
AT commands, for modem initialization
    description.........................................................................21
attacks
    brute force, preventing..............................................295
    dictionary, preventing................................................295
authentication
    local password, by default.......................................268
    login classes............................................................14, 270
    methods.............................................................................13
    order of user authentication (configuration editor)....268
    RADIUS authentication (configuration editor)........263
    specifying a method..................................................268
    specifying access privileges.....................................270
    TACACS+ authentication (configuration editor).....266
    user accounts..........................................................13, 270
authentication-key statement.........................................134
authentication-order statement.....................................135
auto-prefix delegation..........................................................94
autoinstallation, compatibility with the DHCP server....32

B
basic connectivity
    secure Web access...........................................................3
boot-server statement
    NTP....................................................................................136
braces, in configuration statements................................xvi
brackets
    angle, in syntax descriptions.....................................xvi
    square, in configuration statements.......................xvi
broadcast messages, synchronizing NTP....................138
broadcast statement............................................................137
broadcast-client statement..............................................138
browser interface See J-Web interface
brute force attacks, preventing.......................................295

C
certificates See SSL certificates
checksum
    calculating for a file.................................340, 341, 342
ciphers.......................................................................................231
cleaning up files..........................................................309, 310
clear dhcp client binding command..............................327
clear dhcp client statistics command..........................329
clear dhcp relay binding command................................331
clear dhcp relay statistics command............................332
clear dhcp server binding command............................333
clear dhcp server statistics command.........................334
clear dhcpv6 server binding command.......................335
clear dhcpv6 server statistics command....................336
clear system login lockout command...........................337
clear system services dhcp conflicts command.........34
CLI configuration editor
    controlling user access..............................................270
    RADIUS authentication.............................................263
    secure access configuration....................................258
    TACACS+ authentication.........................................266
client attributes
    address-assignment pools......................................106
client-ia-type statement....................................................138
client-identifier (dhcp-client) statement....................139
client-identifier statement................................................139
client-list-name statement..............................................140
client-type statement.........................................................140
comments, in configuration statements.......................xvi
comparing files......................................................................343
compressing files.................................................................338
configuration files
    decrypting.........................................................................43
    encrypting.........................................................................43
configuring address-assignment pool
    dhcpv6.............................................................................103
console port
    disabling............................................................................25
    securing..............................................................................25
controlling user access.......................................................270
conventions
    text and syntax................................................................xv
copying
    files...................................................................................346
crash files
    cleaning up (CLI)..........................................................310
    cleaning up (J-Web)..................................................309
    downloading (J-Web).................................................312
curly braces, in configuration statements.....................xvi
customer support..................................................................xvii
    contacting JTAC.............................................................xvii
    system information, displaying...............................373

D
deleting
    crash files (J-Web).....................................................309
    files...................................................................................348
    files, with caution...........................................................311
    licenses (CLI)..................................................................321
    licenses (J-Web)...........................................................321
    log files (J-Web)..........................................................309
    temporary files (J-Web)...........................................309
deny-configuration statement..........................................141
DES encryption
    setting.............................................................................308
DHCP (Dynamic Host Configuration Protocol)
    autoinstallation, compatibility with........................32
    conflict detection and resolution.............................34
    interface restrictions.....................................................34
    options...............................................................................32
    overview.............................................................................29
    See also DHCP leases; DHCP pages; DHCP pools; DHCP server
    server function................................................................29
    verification........................................................................65
DHCP Local Server
    minimum configuration........................................76, 83
DHCP server
    preparation.......................................................................30
    sample configuration...................................................30
    subnet and single client...................................61, 67, 71
    verifying operation........................................................66
dhcp-attributes statement IPv4.....................................143
dhcp-attributes statement IPv6.....................................145
dhcp-client attributes...................................................80, 88
dhcp-client statement........................................................146
dhcp-local-server.................................................................148
DHCPv6
    configure server options............................................100
dhcpv6.......................................................................................152
    configuring address-assignment pool.................103
DHCPv6 client
    identification...................................................................40
    minimum configuration................................................91
    optional attributes.........................................................92
    overview............................................................................39
    TCP/IP propagation......................................................96
DHCPv6 local server
    overview..............................................................................41
dhcpv6 security policy configuration..............................99
DHCPv6 server
    preparation.....................................................................100
dhcpv6-client statement...................................................147
diagnosis
    verifying DHCP server operation..............................66
    verifying dialer interfaces............................................56
dial-in, USB modem
    voice not supported.......................................................19
dial-up modem connection
    connecting user end....................................................291
dialer interface, for USB modem
    adding (configuration editor)....................................53
    See also USB modem connections
    verifying.............................................................................56
dialer interface, USB modem
    limitations..........................................................................19
    naming convention........................................................19
    restrictions.........................................................................19
dictionary attacks, preventing.........................................295
disabling
    console port.....................................................................25
    root login to console port............................................25
disconnection of console cable for console logout.....25
displaying
    licenses (J-Web)...........................................................315
dl0.................................................................................................19
dlv...............................................................................................233
DNSSEC...................................................................................233
documentation
    comments on.................................................................xvii
downloading
    crash files (J-Web).......................................................312
    licenses (J-Web)...........................................................316
    log files (J-Web)............................................................312
    temporary files (J-Web).............................................312
Dynamic Host Configuration Protocol See DHCP

E
encrypted access
    through HTTPS..................................................................3
    through SSL........................................................................3

F
file management
    configuration files..........................................................43
    crash files (CLI).............................................................310
    crash files (J-Web).....................................................309
    log files...............................................................................43
    log files (CLI)..................................................................310
    log files (J-Web)..........................................................309
    temporary files (CLI)...................................................310
    temporary files (J-Web)...........................................309
file rename command........................................................350
file show command..............................................................351
files
    archiving..........................................................................338
    calculating checksum.............................340, 341, 342
    comparing......................................................................343
    compressing..................................................................338
    contents, displaying.....................................................351
    copying............................................................................346
    deleting...........................................................................348
    list of, displaying..........................................................349
    renaming........................................................................350
firewall filters
    statistics
        displaying..............................................................429
font conventions......................................................................xv
forwarding-options statement.........................................157

G
group licenses...........................................................................47
group statement....................................................................159
Groups Configuration Statement Hierarchy................127

H
host statement
    ssh-known-hosts.........................................................162
F hostkey-algorithm................................................................163
family statement...................................................................156 hostname
feature licenses See licenses opening an SSH session to.......................................301
file archive command.........................................................338 resolving............................................................................30
file checksum md5 command........................................340 telnetting to..................................................................300
file checksum sha-256 command.................................342 HTTP (Hypertext Transfer Protocol)
file checksum sha1 command..........................................341 enabling Web access .................................................257
file compare command.....................................................343 enabling Web access (configuration
file copy command..............................................................346 editor)..........................................................................258
file delete command..........................................................348 on built-in management interfaces...........................3
file encryption verifying configuration...............................................260
decrypting configuration files.................................307
encrypting configuration files.................................308
file list command.................................................................349

Copyright © 2016, Juniper Networks, Inc. 443


Administration Guide for Security Devices

HTTPS (Hypertext Transfer Protocol over SSL)
    enabling secure access....257
    enabling secure access (configuration editor)....258
    J-Web configuration....257
    recommended for secure access....3
    verifying secure access configuration....260
HTTPS Web access, establishing....3
Hypertext Transfer Protocol See HTTP
Hypertext Transfer Protocol over SSL See HTTPS

I
init-command-string command....21
installation
    licenses (CLI)....318
    licenses (J-Web)....318
interface statement....164
interface-traceoptions statement
    DHCP local server....167
interfaces (ARP)....165
Interfaces Configuration Statement Hierarchy....112
interfaces statement....166
Internet Explorer, modifying for worldwide version of Junos OS....7
ipconfig command....66
    explanation....66

J
J Series....43
    licenses....45
    managing user authentication....13
    user interfaces See user interfaces
J-Web Configuration
    secure Web access....257
J-Web configuration
    adding users....270
    authentication method....268
J-Web configuration editor
    controlling user access....270
    RADIUS authentication....263
    secure access....258
    TACACS+ authentication....266
J-Web interface
    Internet Explorer, modifying for worldwide version of Junos OS....7
    managing licenses....46
    overview....6
    page layout....8
    sessions....12
    starting....7
    windows, multiple, unpredictable results with....12
Junos OS
    generating licenses....316
    Internet Explorer, modifying for worldwide version....7
    worldwide version, modifying Internet Explorer for....7
Junos OS CLI
    access privilege levels....15
    command modes....6
    denying and allowing commands....17
    overview....6
Junos Scope application....5
Junos XML management protocol
    enabling secure access....257
    verifying secure access configuration....260
Junos XML protocol over SSL....257

L
lease-time (dhcp-client) statement....170
license infringement
    identifying any licenses needed....46
    verifying license usage....321
    verifying licenses installed....320, 323
license keys
    components....46
    displaying (CLI)....321
    status....46
    version....46
licenses
    adding (CLI)....318
    adding (J-Web)....318
    deleting (CLI)....321
    deleting (J-Web)....321
    displaying....425
    displaying (CLI)....320, 323
    displaying (J-Web)....46, 315
    displaying usage....321
    downloading (J-Web)....316
    generating....316
    group....47
    infringement, preventing....46
    See also license infringement
    key....46
    See also license keys
    managing (J-Web)....46
    overview....45



Index

    saving (CLI)....317
    updating (CLI)....317
    verifying....320, 323
limitations
    DHCP, no support on VPN interfaces....34
    Server relay and DHCP client cannot coexist in device....29
local password
    default authentication method for system....268
    method for user authentication....268
    order of user authentication (configuration editor)....268
    overview....13
local template accounts....277
lockout-period statement....171
log files
    archiving....43
    deleting unused files....43
    rotating....43
login classes
    defining (configuration editor)....270
    permission bits for....15
    predefined permissions....15
    specifying....270
login lockout....337, 428
login retry limits, setting....295

M
macs....236
managing
    files....43
    user authentication....13
manuals
    comments on....xvii
MD5 checksum, calculating....340
messages
    broadcast messages, NTP....138
modem connection to router USB port
    connecting USB modem to router....22
multicast-client statement....171

N
neighbor-discovery-router-advertisement statement....172
Nontemporary Address
    configuring....93
Nontemporary Addresses and Prefix Delegation....94
NTP
    listening
        for broadcast messages....138
ntp statement....173

O
openssl command....255
operator login class permissions....15
overrides statement
    DHCP local server....174

P
parentheses, in syntax descriptions....xvi
password retry limits, setting....295
passwords
    local password method for user authentication....268
    See also local password
    retry limits....295
    setting login retry limits....295
peer statement....175
permission bits, for login classes....15
permissions
    denying and allowing commands....17
    predefined....15
ping command
    DHCP server operation....66
    DHCP server operation, explanation....66
ports
    console port, securing....25
    DHCP interface restrictions....34
prefix statement....177
processes
    restarting....384
protocols
    DHCP See DHCP

R
RADIUS
    authentication (configuration editor)....263
    order of user authentication (configuration editor)....268
    secret (configuration editor)....263
    specifying for authentication....268
rapid commit....95
rapid-commit statement....179
read-only login class permissions....15
reconfigure statement
    DHCP local server....180




remote accounts
    accessing with SSH (CLI)....301
    accessing with Telnet (CLI)....300
    remote template accounts....277
remote connection to router
    connecting USB modem to router....22
remote template accounts....277
removing
    files....348
renaming files....350
req-option statement....181
request interface modem reset umd0 command....292
request support information command....373
request system autorecovery state command....354
request system download abort command....356
request system download clear command....357
request system download pause command....358
request system download resume command....359
request system download start command....360
request system firmware upgrade command....361
request system license add command....318
request system license add terminal command....318
request system license delete command....321
request system license save command....317
request system license update command....317, 362
request system partition compact-flash command....363
request system power-off fpc command....364
request system reboot....371
request system services dhcp command....365
request system set-encryption-key algorithm des command....308
request system set-encryption-key command....308
request system set-encryption-key des unique....308
request system set-encryption-key unique....308
request system snapshot....366
request system software abort in-service-upgrade command....369
request system software add....370
request system software rollback....372
request system storage cleanup command....310
request system storage cleanup dry-run command....310
restart command....384
restarting
    software processes....384
retransmission-attempt statement....182
retransmission-interval (dhcp-client) statement....183
retry limits for passwords....295
reverse SSH....27
reverse ssh port....176
reverse Telnet....26
reverse telnet....192
reverse telnet port....176
reverse-ssh....183
roles
    example....283
root login to the console, disabling....25
rotating files....309

S
sample configuration
    for secure access....260
    for SSL certificates....260
samples
    local template account....277
    user account....270
saving licenses (CLI)....317
secret
    RADIUS (configuration editor)....263
    TACACS+ (configuration editor)....266
secure access
    establishing....3
    generating SSL certificates....255
    HTTPS access....257
    HTTPS access (configuration editor)....258
    HTTPS recommended....3
    installing SSL certificates....257
    installing SSL certificates (configuration editor)....258
    Junos XML protocol SSL access....257
    overview....3
    requirements....255
    sample configuration....260
    verifying secure access configuration....260
Secure Sockets Layer See SSL
security
    access privileges....14, 270
    console port security....25
    password retry limits....295
    user accounts....13, 270
    user authentication....13




serial cable, disconnection for console logout....25
Series
    user interfaces See user interfaces
server address statement....186
server statement
    NTP....185
Services Gateway
    licenses....45
    user interfaces See user interfaces
Services Router
    as a DHCP server....29
    licenses....45
    user interfaces See user interfaces
services statement
    remote router access....187
sessions
    Telnet....300
sessions, J-Web....12
set no-encrypt-configuration-files command....307
sha-256 checksum, calculating....342
SHA-1 checksum, calculating....341
show chassis routing-engine command....390
show dhcpv6 server binding....410
show dhcpv6 server statistics command....414
show firewall command....417
show interfaces dl0 extensive command....56
show system autorecovery state command....419
show system download command....423
show system license command....320, 323, 425
    explanation....320, 323
show system license keys command....321
show system license usage command....321
    explanation....321
show system login lockout command....428
show system services dhcp binding command....65
show system services dhcp binding detail command....65
show system services dhcp client command....70, 429
show system services dhcp client interface command....70
show system services dhcp client statistics command....71
show system services dhcp conflict command....34
show system services dhcp global command....65
show system services dhcp relay-statistics command....75, 432
    explanation....75
show system snapshot media....434
show system storage partitions....435, 437
source-address statement
    NTP....192
    RADIUS and TACACS+....192
    system logging....192
SRC application....5
SRX Series....43
    licenses....45
    managing user authentication....13
SSH
    accessing remote accounts (CLI)....301
    setting login retry limits....295
ssh command....301
    options....301
ssh-known-hosts statement....184
SSL (Secure Sockets Layer)
    enabling secure access....257
    management access....3
    verifying SSL configuration....260
SSL 3.0 option, disabling on Internet Explorer for worldwide version of Junos OS....7
SSL access, establishing....3
SSL certificates
    adding....261
    adding (configuration editor)....258
    generating....255
    sample configuration....260
    verifying SSL configuration....260
startup
    J-Web interface....7
status
    license key....46
super-user login class permissions....15
superuser login class permissions....15
support, technical See technical support
    system information, displaying....373
syntax conventions....xv
system....273
    login lockout....337, 428
    retry options....273
System Configuration Statement Hierarchy....199
system logs
    file cleanup (CLI)....310
    file cleanup (J-Web)....309
system management
    login classes....14, 270
    template accounts....17, 277
    user accounts....13, 270
    user authentication....13




T
TACACS+
    authentication (configuration editor)....266
    order of user authentication (configuration editor)....268
    secret (configuration editor)....266
    specifying for authentication....268
taskbar....8
technical support
    contacting JTAC....xvii
    system information, displaying....373
telnet
    reverse....26
    reverse SSH....27
Telnet
    accessing remote accounts (CLI)....300
    setting login retry limits....295
telnet command....300
    options....300
Telnet session....300
template accounts
    description....17
    local accounts (configuration editor)....277
    remote accounts (configuration editor)....277
temporary files
    cleaning up (CLI)....310
    cleaning up (J-Web)....309
    downloading (J-Web)....312
traceoptions statement
    DHCP local server....193
trusted-key statement....195

U
umd0....19
unauthorized login class permissions....15
update-router-advertisement statement....195
update-server (dhcp-client) statement....196
update-server statement....196
updating
    licenses (CLI)....317
USB modem connections
    connecting dial-up modem at user end....291
    dialer interface See dialer interface, USB modem
    interface naming conventions....19
    requirements....22
    USB modem interface types....19
    verifying dialer interfaces....56
USB modem interfaces
    dialer interface See dialer interface, USB modem
USB modems
    AT commands....21
    default modem initialization commands....21
    initialization by device....21
    resetting....292
use-interface statement....197
user accounts
    authentication order (configuration editor)....268
    contents....13
    creating (configuration editor)....270
    for local users....277
    for remote users....277
    predefined login classes....15
    templates for....17, 277
    See also template accounts
user interfaces
    Junos Scope application....5
    overview....5
    preparation....7
    SRC application....5
user roles
    example....283
user-id statement....197
username
    description....13
    specifying....270
users
    access privileges....14, 270
    accounts See user accounts
    adding....270
    login classes....14, 270
    predefined login classes....15
    template accounts See template accounts
    usernames....13

V
vendor-id statement....198
verification
    active licenses....320, 323
    DHCP server operation....66
    DHCP statistics....75
    dialer interfaces....56
    license usage....321
    licenses....320, 323
    secure access....260

448 Copyright © 2016, Juniper Networks, Inc.


Index

version, license key .................................................. 46
voice calls, not supported in dial-in ................................. 19
vpn statement ........................................................ 198
VPNs (virtual private networks), DHCP support on interfaces ........... 34

W
Web access, secure  See secure access
Web browser, modifying Internet Explorer for worldwide version of Junos OS ... 7
web-management statement ............................................. 248
windows, J-Web, unpredictable results with multiple ................... 12