Policy this, policy that

Next topic on the blog is security policies. An important part of a firewall's job is controlling traffic. Once we have logically defined zones and segregated the network, we need to control traffic to and from those zones. It is important to know what we want to achieve from the outset. Once we have a clear goal in mind we can proceed with a hierarchical process: define our terms, group them, then apply them.

I have made a habit of getting an A5 notepad and writing out policy after policy. By creating address books, address sets, custom applications and application sets, I have been able to grasp the syntax and learn it pretty quickly. As with most things Junos, unlike ASA, it lends itself to a logical format. I am going to outline two policies here that I wrote down from a random list of requirements. This is for a video editing company. The emphasis is on learning policies backwards.

ProFX Media

Editing to Media
  • Define the following addresses
    • Editor_A – 172.16.32.15/32
    • Editor_B – 172.16.32.60/32
    • Cache_172.16.33 – 172.16.33.0/24
    • Editing_172.16.32 – 172.16.32.0/24
    • Media_10.23.84 – 10.23.84.0/24
  • Assign Editor A, B and Cache Network to an address set named Editing_ProFX_Media
  • Define the ProFX applications with the following parameters
    • ProFX_6112
      • TCP
      • destination 6112
      • source 1024-65535
    • ProFX_1896
      • UDP
      • destination 1896
      • source 1024-65535
  • Create an application set named Editing_ProFX_AS that references the above protocols and includes HTTPS, TFTP, SSH.
  • Create a policy named ProFX_to_Media that puts this all together.
  • Apply a scheduler called ProFX_Business_Hours that permits Editing to Media only to be active Monday to Saturday, 0600 – 2000 hours.
  • In a new policy, the network 172.16.32.0/24 must be denied at all times with the application set defined prior.
    • You are also required to log the start of attempted sessions and count attempts.
Battle time
Let's break this down and begin creating. Once you start by planning what you require, it gets much easier. Firstly, it is important to know that you can create address books globally or on a per-zone basis. I prefer the per-zone basis as it gives you tighter control without exposing objects to other zones. If you are re-using objects across many zones numerous times, then maybe global address books will suit.
Let's start by defining our address book and compiling some address sets.
Firstly, Address book entries. Note that our destination network MEDIA_10.23.84 is actually in the zone address-book of Media. More on that later.
set security zones security-zone Editing address-book address EDITOR_A 172.16.32.15/32
set security zones security-zone Editing address-book address EDITOR_B 172.16.32.60/32
set security zones security-zone Editing address-book address CACHE_172.16.33 172.16.33.0/24
set security zones security-zone Editing address-book address EDITING_172.16.32 172.16.32.0/24
set security zones security-zone Media address-book address MEDIA_10.23.84 10.23.84.0/24
Secondly, Address Sets
set security zones security-zone Editing address-book address-set EDITING_ProFX_MEDIA address EDITOR_A
set security zones security-zone Editing address-book address-set EDITING_ProFX_MEDIA address EDITOR_B
set security zones security-zone Editing address-book address-set EDITING_ProFX_MEDIA address CACHE_172.16.33
Now let's create those ProFX applications we want to allow. We then need to assign them to an application set.
set applications application ProFX_6112 protocol tcp
set applications application ProFX_6112 source-port 1024-65535
set applications application ProFX_6112 destination-port 6112
set applications application ProFX_1896 protocol udp
set applications application ProFX_1896 source-port 1024-65535
set applications application ProFX_1896 destination-port 1896
set applications application-set Editing_ProFX_AS application ProFX_6112
set applications application-set Editing_ProFX_AS application ProFX_1896
set applications application-set Editing_ProFX_AS application junos-https
set applications application-set Editing_ProFX_AS application junos-ssh
set applications application-set Editing_ProFX_AS application junos-tftp
Referencing the address set and application set we made earlier, we can now define the policy. This is from Editing to Media.
set security policies from-zone Editing to-zone Media policy ProFX_to_Media match source-address EDITING_ProFX_MEDIA
set security policies from-zone Editing to-zone Media policy ProFX_to_Media match destination-address MEDIA_10.23.84
set security policies from-zone Editing to-zone Media policy ProFX_to_Media match application Editing_ProFX_AS
set security policies from-zone Editing to-zone Media policy ProFX_to_Media then permit

Now to create and assign the scheduler to the policy required.
set schedulers scheduler ProFX_Business_Hours daily start-time 06:00:00 stop-time 20:00:00
set schedulers scheduler ProFX_Business_Hours sunday exclude

set security policies from-zone Editing to-zone Media policy ProFX_to_Media scheduler-name ProFX_Business_Hours
One of the requirements is to monitor and track failed attempts into Media from Editing. Let us create a second policy. This policy is 24/7, not confined to business hours like the previous policy.
set security policies from-zone Editing to-zone Media policy Deny_Editing_to_Media match source-address EDITING_172.16.32
set security policies from-zone Editing to-zone Media policy Deny_Editing_to_Media match destination-address MEDIA_10.23.84
set security policies from-zone Editing to-zone Media policy Deny_Editing_to_Media match application Editing_ProFX_AS
set security policies from-zone Editing to-zone Media policy Deny_Editing_to_Media then deny
set security policies from-zone Editing to-zone Media policy Deny_Editing_to_Media then log session-init
set security policies from-zone Editing to-zone Media policy Deny_Editing_to_Media then count
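As an added illustration (not part of the original post or Juniper's code), the following Python models how the SRX walks the two Editing-to-Media policies above top down, skipping the permit policy while its scheduler is inactive. The address names, sets and application set are transcribed from the config above; the evaluator, the port mapping assumed for the junos-* predefined applications and the sample timestamps are mine.

```python
import ipaddress
from datetime import datetime
# Zone address-book entries transcribed from the post (both zones flattened here).
ADDRESS_BOOK = {
    "EDITOR_A": "172.16.32.15/32", "EDITOR_B": "172.16.32.60/32",
    "CACHE_172.16.33": "172.16.33.0/24", "EDITING_172.16.32": "172.16.32.0/24",
    "MEDIA_10.23.84": "10.23.84.0/24",
}
ADDRESS_SETS = {"EDITING_ProFX_MEDIA": ["EDITOR_A", "EDITOR_B", "CACHE_172.16.33"]}
# (protocol, destination port) pairs matched by application-set Editing_ProFX_AS:
# ProFX_6112, ProFX_1896, junos-https, junos-ssh, junos-tftp (ports assumed).
APP_SET = {("tcp", 6112), ("udp", 1896), ("tcp", 443), ("tcp", 22), ("udp", 69)}

def business_hours(when):
    """Scheduler ProFX_Business_Hours: daily 06:00-20:00, Sunday excluded."""
    return when.weekday() != 6 and 6 <= when.hour < 20

# Policies in configuration order. The SRX evaluates top down and takes the
# first match; a policy whose scheduler is inactive is skipped entirely.
POLICIES = [
    ("ProFX_to_Media", "EDITING_ProFX_MEDIA", "MEDIA_10.23.84", "permit", business_hours),
    ("Deny_Editing_to_Media", "EDITING_172.16.32", "MEDIA_10.23.84", "deny", None),
]

def matches(ip, name):
    """True if ip falls in the address, or any member of the address-set, called name."""
    members = ADDRESS_SETS.get(name, [name])
    return any(ip in ipaddress.ip_network(ADDRESS_BOOK[m]) for m in members)

def evaluate(src, dst, proto, dport, when):
    """Return (policy, action) for an Editing->Media session started at `when`.
    Sessions no policy matches fall to the default policy, which denies silently."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, src_set, dst_name, action, schedule in POLICIES:
        if schedule is not None and not schedule(when):
            continue  # scheduler-name ProFX_Business_Hours is outside its window
        if (proto, dport) not in APP_SET:
            continue
        if matches(src_ip, src_set) and matches(dst_ip, dst_name):
            return name, action
    return "default-policy", "deny"

# Constructed sample timestamps: Monday 10:00, Monday 22:00, Sunday 10:00.
MON_1000, MON_2200, SUN_1000 = (datetime(2024, 1, 8, 10), datetime(2024, 1, 8, 22),
                                datetime(2024, 1, 7, 10))
if __name__ == "__main__":
    print(evaluate("172.16.32.15", "10.23.84.7", "tcp", 6112, MON_1000))  # permit
    print(evaluate("172.16.32.15", "10.23.84.7", "tcp", 6112, MON_2200))  # deny, logged
    print(evaluate("172.16.33.5", "10.23.84.7", "tcp", 6112, MON_2200))   # default deny
```

Running it shows one thing worth checking against the requirement list: out of hours, an attempt from the cache network falls through to the default policy rather than Deny_Editing_to_Media, so it is neither logged nor counted. It also shows why order matters: had Deny_Editing_to_Media been configured first, it would shadow the permit for Editor_A and Editor_B even during business hours.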

Bonus

It is important to know that when you use per-zone address books, destinations called upon in a policy statement are drawn from the to-zone's address-book, not the from-zone's. The error I was getting was this:

[email protected]# commit check 
[edit security policies from-zone Editing to-zone Media]
  'policy ProFX_to_Media'
    Address or address_set (MEDIA_10.23.84) not found.
error: configuration check-out failed
I was thinking maybe if the destination network wasn't in the routing table or something funny it wouldn't commit. After thinking and looking around at my references, my hunch turned out to be wrong. Kurt Bales was able to decipher this for me very quickly. After the pros and cons of global address-books vs per-zone address books, he explained something my sponge of a brain overlooked.

And with that, success. I immediately removed my MEDIA_10.23.84 address in the Editing zone and added it to the Media zone. Commit check and…
[edit]
[email protected]# ... Media address-book address MEDIA_10.23.84 10.23.84.0/24    

[edit]
[email protected]# commit check 
configuration check succeeds
Success! Problem solved. So as you can see, creating policies is quite a methodical process. The important part is that you think about the requirements. Imagine yourself as the SRX and treat each arm as a zone. Use that logic and you will succeed. Thanks for reading and I hope this has been informative.

2 thoughts on “Policy this, policy that”

  1. Why didn’t you choose to use global addresses and address-sets? In that way you could later use them in the NAT rules, etc.. Any reasons?
