SRX Security Zones and Policies

SRX Security Zones and Policies

Comments 0 Comment

I recently read Junos Security book and Junos Security course materials, so I pretty confident in my knowledge of basic SRX security functions.
For configuration examples use Security Zones and Interfaces Feature Guide and Security Policies Feature Guide.

Complete SRX Security zones configuration hierarchy:

security {
    zones {
        functional-zone {
            management {
                description text;
                host-inbound-traffic {
                    protocols protocol-name {
                        except;
                    }
                    system-services service-name {
                        except;
                    }
                }
                interfaces interface-name {
                    host-inbound-traffic {
                        protocols protocol-name {
                            except;
                        }
                        system-services service-name {
                            except;
                        }
                    }
                }
            screen screen-name;
            }
        }
        security-zone zone-name {
            address-book {
                address address-name {
                    ip-prefix {
                        description text;
                    }
                    description text;
                    dns-name domain-name {
                        ipv4-only;
                        ipv6-only;
                    }
                    range-address lower-limit to upper-limit;
                    wildcard-address ipv4-address/wildcard-mask;
                }
                address-set address-set-name {
                    address address-name;
                    address-set address-set-name;
                    description text;
                }
            }
            application-tracking;
            description text;
            host-inbound-traffic {
                protocols protocol-name {
                    except;
                }
                system-services service-name {
                    except;
                }
            }  
            interfaces interface-name {
                host-inbound-traffic {
                    protocols protocol-name {
                        except;
                    }
                    system-services service-name {
                        except;
                    }
                }
            }
            screen screen-name;
            tcp-rst;
        }
    }
}

Prymary thing to remember here is the host-inbound-traffic protocols and system-services configurations – you can enable and disable various protocols and system services at the zone level and at the interface level (and remember – if you configure anything under specific interface level, then zone-specific configuration doesn’t apply to this interface anymore).

And next are few SRX Security Policy configuration examples.

Permit all traffic:

set security policies from-zone trust to-zone untrust policy permit-all match source-address any
set security policies from-zone trust to-zone untrust policy permit-all match destination-address any
set security policies from-zone trust to-zone untrust policy permit-all match application any
set security policies from-zone trust to-zone untrust policy permit-all then permit


Explicitly deny all traffic:

set security policies from-zone untrust to-zone trust policy deny-all match source-address any
set security policies from-zone untrust to-zone trust policy deny-all match destination-address any
set security policies from-zone untrust to-zone trust policy deny-all match application any
set security policies from-zone untrust to-zone trust policy deny-all then deny


Permit selected traffic:

set security address-book book1 address mail-untrust 1.1.1.24/32
set security address-book book1 attach zone untrust
set security address-book book2 address mail-trust 192.168.1.1/32
set security address-book book2 attach zone trust
set security policies from-zone trust to-zone untrust policy permit-mail match source-address mail-trust
set security policies from-zone trust to-zone untrust policy permit-mail match destination-address mail-untrust
set security policies from-zone trust to-zone untrust policy permit-mail match application junos-mail
set security policies from-zone trust to-zone untrust policy permit-mail then permit


Wildcard address:

set security address-book book1 address wildcard-trust wildcard-address 192.168.0.11/255.255.0.255
set security address-book book1 attach zone trust
set security policies from-zone trust to-zone untrust policy permit-wildcard match source-address wildcard-trust
set security policies from-zone trust to-zone untrust policy permit-wildcard match destination-address any
set security policies from-zone trust to-zone untrust policy permit-wildcard match application any
set security policies from-zone trust to-zone untrust policy permit-wildcard then permit


Logging to external server:

set security log source-address 1.1.1.1
set security log stream trafficlogs severity debug
set security log stream trafficlogs host 14.1.1.2
set security policies from-zone client to-zone server policy match then permit
set security policies from-zone client to-zone server policy match then log session-init
set security policies from-zone client to-zone server policy match then log session-close


Excluded addresses:

set security policies from-zone trust to-zone untrust policy p1 match source-address as1
set security policies from-zone trust to-zone untrust policy p1 match source-address-excluded
set security policies from-zone trust to-zone untrust policy p1 match destination-address as2
set security policies from-zone trust to-zone untrust policy p1 match destination-address-excluded
set security policies from-zone trust to-zone untrust policy p1 match application any
set security policies from-zone trust to-zone untrust policy p1 then permit


Global policy:

set security address-book global address server1 www.juniper.net
set security address-book global address server2 www.mail.com
set security policies global policy gp1 match source-address server1
set security policies global policy gp1 match destination-address server2
set security policies global policy gp1 match application any
set security policies global policy gp1 then permit


Global policy with zones:

set security policies global policy Pa match source-address any
set security policies global policy Pa match destination-address any
set security policies global policy Pa match application any
set security policies global policy Pa match from-zone zone1
set security policies global policy Pa match from-zone zone2
set security policies global policy Pa match to-zone zone3
set security policies global policy Pa match to-zone zone4
set security policies global policy Pa then permit


Schedulers:

set schedulers scheduler sch1 start-date 2009-10-01.08:00 stop-date 2010-06-01.21:00
set schedulers scheduler sch1 sunday exclude
set schedulers scheduler SunHrs sunday start-time 12:00 stop-time 18:00
set security policies from-zone green to-zone red policy abc then permit
set security policies from-zone green to-zone red policy abc scheduler-name sch1


Policy-rematch – for every session associated with the policy, the device reevaluates the policy lookup after changes made to this policy (disabled by default).

set security policies policy-rematch


Default-policy defines the actions the device takes on a packet that does not match any user-defined policy (deny-all by default).

set security policies default-policy (deny-all | permit-all)


And finally some show commands:

show security zones
show security policies
show security match-policies from-zone z1, to-zone z2 source-ip 10.10.10.1 destination-ip 30.30.30.1 source-port 1 destination-port 21 protocol tcp result_count 5
show schedulers
show security shadow-policies from-zone zone-a to-zone zone-b policy P1

Leave a Reply

Your email address will not be published. Required fields are marked *