
Starting with Juniper SRX Firewalls

Packet Mode Processing

In packet mode the SRX behaves like a router: each packet is forwarded on its own, without the stateful session processing that flow mode applies.

set security forwarding-options family mpls mode packet-based

Logical Packet Flow

Branch SRX Series Factory-Default configuration

  • Interface ge-0/0/0 is set for untrust zone and to get IP via DHCP
  • Default IP address on fxp0.0: 192.168.1.1/24
  • Interface irb.0 is the trust zone with address 192.168.2.1/24
  • All other ports are configured as Layer 2

Security Zones

Interfaces can pass and accept traffic only if they are assigned to a non-null zone; traffic on an interface in the null zone is dropped.

Types of Zones

Creating a Zone

set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone dmz interfaces ge-0/0/2.0
set security zones security-zone Server interfaces ge-0/0/3.0
set security zones security-zone VPN interfaces st0.0

set security zones functional-zone management interfaces ge-0/0/3.0

Allow SSH and FTP traffic that arrives in the security zone called “HR” and is destined to the SRX itself

set security zones security-zone HR host-inbound-traffic system-services ssh
set security zones security-zone HR host-inbound-traffic system-services ftp

Show commands

show security zones <NAME>

Junos-Host Zone CLI Configuration

Allow specific hosts from SRC_ZONE to SSH to the SRX

set security policies from-zone <SRC_ZONE> to-zone junos-host policy ssh-management match source-address host1
set security policies from-zone <SRC_ZONE> to-zone junos-host policy ssh-management match destination-address any
set security policies from-zone <SRC_ZONE> to-zone junos-host policy ssh-management match application junos-ssh
set security policies from-zone <SRC_ZONE> to-zone junos-host policy ssh-management match dynamic-application none
set security policies from-zone <SRC_ZONE> to-zone junos-host policy ssh-management match url-category none
set security policies from-zone <SRC_ZONE> to-zone junos-host policy ssh-management then permit

Block SSH attempts from all other hosts (this policy must be ordered after ssh-management, since policies are matched first-hit)

set security policies from-zone <SRC_ZONE> to-zone junos-host policy ssh-block match source-address any
set security policies from-zone <SRC_ZONE> to-zone junos-host policy ssh-block match destination-address any
set security policies from-zone <SRC_ZONE> to-zone junos-host policy ssh-block match application junos-ssh
set security policies from-zone <SRC_ZONE> to-zone junos-host policy ssh-block match source-identity any
set security policies from-zone <SRC_ZONE> to-zone junos-host policy ssh-block match dynamic-application none
set security policies from-zone <SRC_ZONE> to-zone junos-host policy ssh-block match url-category none
set security policies from-zone <SRC_ZONE> to-zone junos-host policy ssh-block then deny

Screen Objects

Generate alarms without dropping packets (useful for testing a screen before enforcing it).

set security screen ids-option TEST alarm-without-drop

Screen Objects are evaluated only on the Ingress Zone.

Screen Types

Screen Categories

Configuring Screen Options

Address Objects

  • Zone Address Objects

Address objects that are tied to a specific zone may only be used in security policies that reference that zone.

  • Global Address Objects

Objects defined in a global address book avoid duplicate entries across multiple zones. They can be used by all security policies, and every object name must be unique.

Creating Address Objects with the CLI

IP address

set security address-book PRIVATE address HOST1 192.168.1.35

Wildcard address

set security address-book PRIVATE address HOST1 wildcard-address 192.168.0.12/255.255.0.255

Domain name address

set security address-book PRIVATE address HOST1 dns-name www.host1.com

Range address

set security address-book PRIVATE address HOST1 range-address 192.168.1.100 to 192.168.1.150

To configure Global address books

set security address-book global

set security address-book TRUST_ADDRESSES description "Address objects for the trust zone" address HR-PRINTER-05 description "PRINTER IN HR BUILDING C ROOM 05" 192.168.50.45

Create an Address Set

set security address-book TRUST_ADDRESSES address-set HR-PRINTERS address HR-PRINTER-1

Global Address Book attached to a specific Zone

set security address-book TRUST_ADDRESSES attach zone TRUST

Service Objects

Display pre-defined Service Security Objects

show configuration groups junos-defaults applications

Create Custom Applications

set applications application MyFTP description "FTP with smaller timer" application-protocol ftp protocol tcp destination-port 21 inactivity-timeout 300

Application Sets

set applications application-set access application junos-ping
set applications application-set access application junos-ssh
set applications application-set access application junos-https

Configuring Security Zones (LAB)

NOTE: host-inbound-traffic settings configured on an interface override the zone-level host-inbound-traffic settings for that interface.

set security zones security-zone UNTRUST interfaces ge-0/0/0.0

delete security zones security-zone TRUST host-inbound-traffic system-services all
set security zones security-zone TRUST host-inbound-traffic system-services ssh
set security zones security-zone TRUST host-inbound-traffic system-services https
set security zones security-zone TRUST interfaces ge-0/0/1.0
set security zones security-zone TRUST interfaces ge-0/0/1.0 host-inbound-traffic system-services telnet

set security zones security-zone DMZ interfaces ge-0/0/2.0

Configuring Screens (LAB)

set security screen ids-option DMZ-SCREEN icmp large

set security zones security-zone DMZ screen DMZ-SCREEN
set security zones security-zone DMZ host-inbound-traffic system-services ping

show security screen statistics zone DMZ

Configuring Global Addresses And Address Sets (LAB)

set security address-book global address INTERNET-HOST 172.31.15.1/32

set security address-book DMZ-BOOK address DMZ-NET 10.10.102.0/24
set security address-book DMZ-BOOK address WebServer01 10.10.102.11/32
set security address-book DMZ-BOOK address WebServer02 10.10.102.12/32
set security address-book DMZ-BOOK address WebServer03 10.10.102.13/32
set security address-book DMZ-BOOK attach zone DMZ

set security address-book DMZ-BOOK address-set WebServerSet address WebServer01
set security address-book DMZ-BOOK address-set WebServerSet address WebServer02
set security address-book DMZ-BOOK address-set WebServerSet address WebServer03

Configuring Service Applications and Applications Sets (LAB)

set applications application MY-APP protocol tcp destination-port 2020 inactivity-timeout 300

set applications application-set WebServerAppSet description "Applications for the Web Server"
set applications application-set WebServerAppSet application MY-APP
set applications application-set WebServerAppSet application junos-http
set applications application-set WebServerAppSet application junos-https

run show configuration groups junos-defaults applications

Security Policies

Security Policies are examined in the following order, and the first matching policy wins:

  1. Zone policies
  2. Global policies
  3. Default policy

Zone security policy example:

set security policies from-zone UNTRUST to-zone TRUST policy POLICY-2 match source-address any destination-address any application any
set security policies from-zone UNTRUST to-zone TRUST policy POLICY-2 then deny

set security policies from-zone UNTRUST to-zone TRUST policy RULE-2 match source-address any destination-address any application any
set security policies from-zone UNTRUST to-zone TRUST policy RULE-2 then deny
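As an added example that is not part of the original post, a zone policy that ties the lab objects together: it permits only the INTERNET-HOST global address to reach the WebServerSet address set on the WebServerAppSet applications, logs and counts the sessions, and is ordered before a catch-all deny. The policy names ALLOW-WEB and DENY-ALL are assumptions.

```junos
# Explicit permit, scoped to the lab's address set and application set
set security policies from-zone UNTRUST to-zone DMZ policy ALLOW-WEB match source-address INTERNET-HOST
set security policies from-zone UNTRUST to-zone DMZ policy ALLOW-WEB match destination-address WebServerSet
set security policies from-zone UNTRUST to-zone DMZ policy ALLOW-WEB match application WebServerAppSet
set security policies from-zone UNTRUST to-zone DMZ policy ALLOW-WEB then permit
set security policies from-zone UNTRUST to-zone DMZ policy ALLOW-WEB then log session-init session-close
set security policies from-zone UNTRUST to-zone DMZ policy ALLOW-WEB then count

# Catch-all deny for the same zone pair, logged so blocked attempts are visible
set security policies from-zone UNTRUST to-zone DMZ policy DENY-ALL match source-address any destination-address any application any
set security policies from-zone UNTRUST to-zone DMZ policy DENY-ALL then deny
set security policies from-zone UNTRUST to-zone DMZ policy DENY-ALL then log session-init

# Policies are first-match: if ALLOW-WEB was committed after DENY-ALL, move it in front
insert security policies from-zone UNTRUST to-zone DMZ policy ALLOW-WEB before policy DENY-ALL

# Verify the resulting order and confirm traffic hits the expected policy
run show security policies from-zone UNTRUST to-zone DMZ detail
run show security policies hit-count
```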

Global security policy example:

set security policies global policy GLOBAL-1 match source-address any destination-address any application any
set security policies global policy GLOBAL-1 then deny

Default security policy example:

The default policy denies all traffic that no zone or global policy matched.

set security policies default-policy permit-all

Troubleshoot

show security policies

This post is licensed under CC BY 4.0 by the author.