Juniper SRX FQDN policies

Here is the Juniper flavour of the FQDN access-list. The policy references an address-book entry defined by dns-name and builds its destination addresses from whatever that name resolves to. It is important, as noted in the optimisation post and the initial ASA FQDN configuration post, to set your expectations accordingly: DNS timers matter.

First off we need to create an address-book entry in the untrust zone, then apply it as the destination of a permit any/any policy.

set security zones security-zone ZONE-UNTRUST address-book address ADD-maps.google.com dns-name maps.google.com ipv4-only
set security policies from-zone ZONE-LAB to-zone ZONE-UNTRUST policy PERMIT-GOOGLE match source-address any
set security policies from-zone ZONE-LAB to-zone ZONE-UNTRUST policy PERMIT-GOOGLE match destination-address ADD-maps.google.com
set security policies from-zone ZONE-LAB to-zone ZONE-UNTRUST policy PERMIT-GOOGLE match application any
set security policies from-zone ZONE-LAB to-zone ZONE-UNTRUST policy PERMIT-GOOGLE then permit

This configuration is just as easy as the ASA one in a previous post. Now define the DNS name server the SRX will use to resolve the entry.

set system name-server 192.168.1.10

When you expand the policy, look at the destination addresses: the single dns-name entry has become one /32 per resolved A record.

SRX110#> show security policies policy-name PERMIT-GOOGLE detail 
Policy: PERMIT-GOOGLE, action-type: permit, State: enabled, Index: 4, Scope Policy: 0
Policy Type: Configured
Sequence number: 1
From zone: ZONE-LAB, To zone: ZONE-UNTRUST
Source addresses:
any-ipv4: 0.0.0.0/0 
any-ipv6: ::/0
Destination addresses:
ADD-maps.google.com: 74.125.237.101/32 
ADD-maps.google.com: 74.125.237.102/32 
ADD-maps.google.com: 74.125.237.103/32 
ADD-maps.google.com: 74.125.237.104/32 
ADD-maps.google.com: 74.125.237.105/32
Application: any

As with the optimisation post, it is important to investigate the services you are using and inspect their DNS TTL and other behaviour (round-robin answers, CDN rotation) before relying on this. If you want web filtering then this is not for you; Juniper offer their UTM technology for that.
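As an added check (example code, not from the original post or from Juniper), the script below parses the policy detail output shown above and compares the /32s the SRX has learned for the dns-name entry against what a client resolver currently returns, so the gaps created by DNS timers become visible. The CLI text and the resolver answers are constructed samples; on a real box you would paste the live output and the answers from dig.

```python
import ipaddress
import re

# Constructed sample in the shape of the post's
# 'show security policies policy-name PERMIT-GOOGLE detail' output.
POLICY_DETAIL = """\
Policy: PERMIT-GOOGLE, action-type: permit, State: enabled, Index: 4, Scope Policy: 0
Destination addresses:
ADD-maps.google.com: 74.125.237.101/32
ADD-maps.google.com: 74.125.237.102/32
ADD-maps.google.com: 74.125.237.103/32
Application: any
"""

# Constructed sample: what a client resolver returns now (.103 rotated out, .104 is new).
DNS_ANSWERS = {"maps.google.com": {"74.125.237.101", "74.125.237.102", "74.125.237.104"}}

DEST_LINE = re.compile(r"^\s*(\S+):\s+([0-9A-Fa-f.:]+/\d+)\s*$")

def parse_destinations(detail_text):
    """Map address-book entry name -> set of networks the SRX has learned."""
    dests = {}
    in_dest = False
    for line in detail_text.splitlines():
        if line.strip() == "Destination addresses:":
            in_dest = True
            continue
        if in_dest:
            m = DEST_LINE.match(line)
            if not m:          # e.g. 'Application: any' ends the section
                break
            name, prefix = m.groups()
            dests.setdefault(name, set()).add(ipaddress.ip_network(prefix))
    return dests

def audit(detail_text, dns_answers, name_prefix="ADD-"):
    """Per dns-name entry: resolved IPs the policy does not yet permit (clients
    are denied) and learned IPs DNS no longer returns (stale permits)."""
    report = {}
    for name, nets in parse_destinations(detail_text).items():
        fqdn = name[len(name_prefix):] if name.startswith(name_prefix) else name
        resolved = {ipaddress.ip_address(a) for a in dns_answers.get(fqdn, ())}
        learned = {n.network_address for n in nets}
        report[fqdn] = {"missing": [str(a) for a in sorted(resolved - learned)],
                        "stale": [str(a) for a in sorted(learned - resolved)]}
    return report

if __name__ == "__main__":
    print(audit(POLICY_DETAIL, DNS_ANSWERS))
```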
