- play_arrow Overview
- Understanding the Common Criteria Evaluated Configuration
- Understanding Junos OS in FIPS Mode of Operation
- Understanding FIPS Mode of Operation Terminology and Supported Cryptographic Algorithms
- Identifying Secure Product Delivery
- Applying Tamper-Evident Seals to the Cryptographic Module
- Understanding Management Interfaces
- play_arrow Configuring Roles and Authentication Methods
- Understanding Roles and Services for Junos OS in FIPS Mode of Operation
- Understanding Services for Junos OS in FIPS Mode of Operation
- Downloading Software Packages from Juniper Networks
- Installing Junos Software Packages
- Understanding Zeroization to Clear System Data for FIPS Mode of Operation
- Loading Firmware on the Device
- How to Enable and Configure Junos OS in FIPS Mode of Operation
- play_arrow Configuring Administrative Credentials and Privileges
- Network Time Protocol
- play_arrow Configuring SSH and Console Connection
- play_arrow Configuring the Remote Syslog Server
- play_arrow Configuring Audit Log Options
- play_arrow Configuring Event Logging
- play_arrow Configuring MACSec
- play_arrow Configuring a Secure Logging Channel
- play_arrow Configuring VPNs
- play_arrow Configuring Security Flow Policies
- play_arrow Configuring Traffic Filtering Rules
- Overview
- Understanding Protocol Support
- Configuring Traffic Filter Rules
- Configuring Default Deny-All and Reject Rules
- Logging the Dropped Packets Using Default Deny-all Option
- Configuring Mandatory Reject Rules for Invalid Fragments and Fragmented IP Packets
- Configuring Default Reject Rules for Source Address Spoofing
- Configuring Default Reject Rules with IP Options
- Configuring Default Reject Rules
- play_arrow Configuring Network Attacks
- Configuring IP Teardrop Attack Screen
- Configuring TCP Land Attack Screen
- Configuring ICMP Fragment Screen
- Configuring Ping-Of-Death Attack Screen
- Configuring tcp-no-flag Attack Screen
- Configuring TCP SYN-FIN Attack Screen
- Configuring TCP fin-no-ack Attack Screen
- Configuring UDP Bomb Attack Screen
- Configuring UDP CHARGEN DoS Attack Screen
- Configuring TCP SYN and RST Attack Screen
- Configuring ICMP Flood Attack Screen
- Configuring TCP SYN Flood Attack Screen
- Configuring TCP Port Scan Attack Screen
- Configuring UDP Port Scan Attack Screen
- Configuring IP Sweep Attack Screen
- play_arrow Configuring the IDP Extended Package
- play_arrow Performing Self-Tests on a Device
- play_arrow Configuration Statements
- checksum-validate
- code
- data-length
- destination-option
- extension-header
- header-type
- home-address
- identification
- icmpv6 (Security IDP Custom Attack)
- ihl (Security IDP Custom Attack)
- option-type
- reserved (Security IDP Custom Attack)
- routing-header
- sequence-number (Security IDP ICMPv6 Headers)
- type (Security IDP ICMPv6 Headers)
Understanding Cluster Mode
The Administrator of the TOE can set up the Cluster Mode for High Availability (HA) by connecting dedicated HA control port of node0 and node1 as described in the article - Connecting SRX Series Devices to Create a Chassis Cluster.
The factory-default configuration does not include HA configuration. To enable HA, please remove any configurations on the physical interfaces used by HA. The two hosts constituting a chassis cluster must have identical configuration. Configure one cluster to node 0 and the other to node 1.
The TOE has a dedicated fxp0 interface for HA management. The interface for HA control link must be between em0 on each device. The Administrator can define the fabric interface. The cluster is now defined and set up by the Administrator. The two devices constituting a chassis cluster have identical cluster-id but different node ID as one host is on node 0 and the second cluster is on node 1.
For SRX3XX devices, the ge-0/0/1 interface on node1 changes to ge-5/0/1.
The node 1 renumbers its interfaces by adding the total number of system FPCs to the original FPC number of the interface. The fabric interface remains Administrator-defined.
With L2 HA link encryption tunnel, any Security Sensitive Parameters (Critical Security Parameters) exchanged over the control link between the two chassis in cluster mode are protected using IPsec. The configuration information and IKE HA messages that pass through the chassis cluster link from the primary node to the secondary node are protected from active and passive eavesdropping by using IPsec for internal communication between nodes. An attacker cannot gain privilege access or observe traffic, without the internal IPsec key.