Monday, September 16, 2013

Firewall Juniper SRX Implicit Deny

These are notes and a short tutorial on configuring a Juniper SRX firewall cleanly.

Basically, a Juniper SRX behaves the same as the other Junos variants, the Junos router and the Junos switch. But as a firewall, the SRX has security-specific behaviour. The simplest way to recognise these security features is that the SRX has much more configuration under the security tree.

#### Juniper SRX Security tree

user@JunOSRX> configure 
Entering configuration mode

[edit]
user@JunOSRX# set security ?
Possible completions:
> alg                  Configure ALG security options
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> certificates         X.509 certificate configuration
> dynamic-vpn          Configure dynamic VPN
> firewall-authentication  Firewall authentication parameters
> flow                 FLOW configuration
> forwarding-options   Security-forwarding-options configuration
> ike                  IKE configuration
> ipsec                IPSec configuration
> log                  Configure security log
> nat                  Configure Network Address Translation
> pki                  PKI service configuration
> policies             Configure Network Security Policies
> resource-manager     Configure resource manager security options
> screen               Configure screen feature
> ssh-known-hosts      SSH known host list
> traceoptions         Network security daemon tracing options
> zones                Zone configuration
[edit]
user@JunOSRX# exit
Exiting configuration mode

user@JunOSRX> show security ?
Possible completions:
  alg                  Show ALG security services information
  dynamic-policies     Show security dynamic policies
  dynamic-vpn          Show Dynamic VPN Remote Access information
  firewall-authentication  Show firewall authentication tables, information
  flow                 Show flow information
  ike                  Show Internet Key Exchange information
  ipsec                Show IP Security information
  monitoring           Show security SPU monitoring information
  nat                  Show Network Address Translation information
  pki                  Show public-key infrastructure information
  policies             Show security firewall policies
  resource-manager     Show resource manager security services information
  screen               Show screen service information
  zones                Show security zone information
user@JunOSRX>

Because the SRX is a firewall, it applies strict rules to some of its configuration. The simplest strict rule is implicit deny. By default every interface on a Juniper SRX is implicitly denied, meaning all traffic is dropped, both ingress and egress. Every interface is controlled under a zone (or policy).

#### Example: Setting a Physical Interface and Zone

user@JunOSRX> show configuration interfaces ge-0/0/1   
unit 0 {
    family inet {
        address 172.16.0.1/24;
    }
}

user@JunOSRX> show configuration security zones security-zone GE001 
interfaces {
    ge-0/0/1.0 {
        host-inbound-traffic {
            system-services {
                all;
            }
        }
    }
}

#### Example: Setting a Logical Interface and Zone

user@JunOSRX> show configuration vlans VLAN7   
vlan-id 7;
l3-interface vlan.7;

user@JunOSRX> show configuration interfaces fe-0/0/7    
unit 0 {
    family ethernet-switching {
        port-mode access;
        vlan {
            members VLAN7;
        }
    }
}

user@JunOSRX> show configuration interfaces vlan unit 7 
family inet {
    address 172.16.0.7/24;
}

user@JunOSRX> show configuration security zones security-zone FE007   
interfaces {
    vlan.7 {
        host-inbound-traffic {
            system-services {
                all;
            }
        }
    }
}
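As an added defender's check (not from the original post, and not Juniper tooling): this Python script reads a constructed configuration dump in the flattened "show configuration | display set" form, shaped like the examples above, and reports two things the implicit-deny model makes important: L3 interfaces that were never placed in any zone (under implicit deny they carry no transit traffic), and zone bindings that open host-inbound-traffic system-services all to the device itself. The extra ge-0/0/2 interface and the ssh-only FE007 zone are constructed assumptions.

```python
import re

# Constructed sample in "show configuration | display set" form. Mirrors the
# page's ge-0/0/1 and vlan.7 examples, plus a hypothetical ge-0/0/2 that was
# addressed but never bound to a zone, and an FE007 zone restricted to ssh.
SAMPLE_CONFIG = """\
set interfaces ge-0/0/1 unit 0 family inet address 172.16.0.1/24
set interfaces ge-0/0/2 unit 0 family inet address 172.16.0.2/24
set interfaces fe-0/0/7 unit 0 family ethernet-switching port-mode access
set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members VLAN7
set interfaces vlan unit 7 family inet address 172.16.0.7/24
set vlans VLAN7 vlan-id 7
set vlans VLAN7 l3-interface vlan.7
set security zones security-zone GE001 interfaces ge-0/0/1.0 host-inbound-traffic system-services all
set security zones security-zone FE007 interfaces vlan.7 host-inbound-traffic system-services ssh
"""

# Any "family inet" unit is an L3 interface that must live in a zone.
INET_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet\b")
# Zone binding: zone name, logical interface, and whatever follows.
ZONE_IF_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)(.*)$")


def audit_zones(config: str) -> dict:
    """Return L3 interfaces with no zone, the zone each bound interface belongs
    to, and (zone, interface) pairs that allow every system service inbound."""
    l3_ifaces = set()
    zone_of = {}
    open_all = []
    for line in config.splitlines():
        m = INET_RE.match(line)
        if m:
            l3_ifaces.add(f"{m.group(1)}.{m.group(2)}")   # e.g. "vlan.7"
            continue
        m = ZONE_IF_RE.match(line)
        if m:
            zone, iface, rest = m.groups()
            zone_of[iface] = zone
            if "host-inbound-traffic system-services all" in rest:
                open_all.append((zone, iface))
    unzoned = sorted(l3_ifaces - set(zone_of))
    return {"unzoned": unzoned, "zone_of": zone_of, "system_services_all": open_all}


if __name__ == "__main__":
    report = audit_zones(SAMPLE_CONFIG)
    for iface in report["unzoned"]:
        print(f"WARNING: {iface} has an address but no zone; it passes no traffic")
    for zone, iface in report["system_services_all"]:
        print(f"NOTE: zone {zone} on {iface} allows all system services to the SRX")
```

Run it against real output from "show configuration | display set" on your own SRX to spot interfaces that will silently drop traffic or expose every management service.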

Thank you :-)
