Next topic on the blog is security policies. An important part of a firewall's job is controlling traffic. Once we have logically defined zones and segregated the network, we need to control traffic to and from those zones. It is important to know what we want to achieve from the outset. Once we have a clear goal in mind, we can proceed with a hierarchical process: define our terms, group them, then apply them.
I have got into the habit of taking an A5 notepad and writing out policy after policy. By creating address books, address sets, custom applications and application sets by hand, I have been able to grasp the syntax and learn it quickly. As with most things Junos, and unlike the ASA, it lends itself to a logical format. Below I outline two policies that I wrote from a made-up list of requirements for a video editing company. The emphasis is on learning policies backwards, from the requirements to the configuration.
ProFX Media
- Define the following addresses
  - Editor_A – 172.16.32.15/32
  - Editor_B – 172.16.32.60/32
  - Cache_172.16.33 – 172.16.33.0/24
  - Editing_172.16.32 – 172.16.32.0/24
  - Media_10.23.84 – 10.23.84.0/24
- Assign Editor A, Editor B and the Cache network to an address set named Editing_ProFX_Media
- Define the ProFX applications with the following parameters
  - ProFX_6112
    - TCP
    - destination port 6112
    - source ports 1024-65535
  - ProFX_1896
    - UDP
    - destination port 1896
    - source ports 1024-65535
- Create an application set named Editing_ProFX_AS that references the two applications above and also includes HTTPS, TFTP and SSH.
- Create a policy named ProFX_to_Media that puts this all together.
- Apply a scheduler called ProFX_Business_Hours so that the Editing-to-Media permit is active only Monday to Saturday, 0600 – 2000 hours.
- In a new policy, the network 172.16.32.0/24 must be denied at all times for the application set defined above.
- You are also required to log the start of attempted sessions and count the attempts.
set security zones security-zone Editing address-book address EDITOR_A 172.16.32.15/32
set security zones security-zone Editing address-book address EDITOR_B 172.16.32.60/32
set security zones security-zone Editing address-book address CACHE_172.16.33 172.16.33.0/24
set security zones security-zone Editing address-book address EDITING_172.16.32 172.16.32.0/24
set security zones security-zone Media address-book address MEDIA_10.23.84 10.23.84.0/24

set security zones security-zone Editing address-book address-set EDITING_ProFX_MEDIA address EDITOR_A
set security zones security-zone Editing address-book address-set EDITING_ProFX_MEDIA address EDITOR_B
set security zones security-zone Editing address-book address-set EDITING_ProFX_MEDIA address CACHE_172.16.33

set applications application ProFX_6112 protocol tcp
set applications application ProFX_6112 source-port 1024-65535
set applications application ProFX_6112 destination-port 6112
set applications application ProFX_1896 protocol udp
set applications application ProFX_1896 source-port 1024-65535
set applications application ProFX_1896 destination-port 1896
set applications application-set Editing_ProFX_AS application ProFX_6112
set applications application-set Editing_ProFX_AS application ProFX_1896
set applications application-set Editing_ProFX_AS application junos-https
set applications application-set Editing_ProFX_AS application junos-ssh
set applications application-set Editing_ProFX_AS application junos-tftp

set security policies from-zone Editing to-zone Media policy ProFX_to_Media match source-address EDITING_ProFX_MEDIA
set security policies from-zone Editing to-zone Media policy ProFX_to_Media match destination-address MEDIA_10.23.84
set security policies from-zone Editing to-zone Media policy ProFX_to_Media match application Editing_ProFX_AS
set security policies from-zone Editing to-zone Media policy ProFX_to_Media then permit

set schedulers scheduler ProFX_Business_Hours daily start-time 06:00:00 stop-time 20:00:00
set schedulers scheduler ProFX_Business_Hours sunday exclude
set security policies from-zone Editing to-zone Media policy ProFX_to_Media scheduler-name ProFX_Business_Hours

set security policies from-zone Editing to-zone Media policy Deny_Editing_to_Media match source-address EDITING_172.16.32
set security policies from-zone Editing to-zone Media policy Deny_Editing_to_Media match destination-address MEDIA_10.23.84
set security policies from-zone Editing to-zone Media policy Deny_Editing_to_Media match application Editing_ProFX_AS
set security policies from-zone Editing to-zone Media policy Deny_Editing_to_Media then deny
set security policies from-zone Editing to-zone Media policy Deny_Editing_to_Media then log session-init
set security policies from-zone Editing to-zone Media policy Deny_Editing_to_Media then count
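Because the two policies overlap (Editor_A, Editor_B and the cache network are all inside or next to 172.16.32.0/24), the result depends on the order in which the SRX walks the policy list and on whether the scheduler is active. The following is an added example, not code from the blog or from Juniper: a small Python model of first-match evaluation over exactly the address book, application set, scheduler and two policies configured above. It lets you check sample flows at a given time, including which flows never hit the explicit deny and therefore fall to the unlogged default deny. The destination ports for the predefined junos-https, junos-ssh and junos-tftp applications are assumed from their names, and the sample flows and dates are constructed.

```python
"""Added example (not the blog's code): toy first-match model of the two
ProFX policies, to check that policy order plus the scheduler behave as
intended. junos-* ports are assumed; sample flows are constructed."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Optional, Set

# Address book and address set, mirroring the set commands above
ADDRESSES = {
    "EDITOR_A": ip_network("172.16.32.15/32"),
    "EDITOR_B": ip_network("172.16.32.60/32"),
    "CACHE_172.16.33": ip_network("172.16.33.0/24"),
    "EDITING_172.16.32": ip_network("172.16.32.0/24"),
    "MEDIA_10.23.84": ip_network("10.23.84.0/24"),
}
ADDRESS_SETS = {"EDITING_ProFX_MEDIA": {"EDITOR_A", "EDITOR_B", "CACHE_172.16.33"}}

# Applications as (protocol, destination port); the junos-* ports are assumed
APPLICATIONS = {
    "ProFX_6112": ("tcp", 6112),
    "ProFX_1896": ("udp", 1896),
    "junos-https": ("tcp", 443),
    "junos-ssh": ("tcp", 22),
    "junos-tftp": ("udp", 69),
}
APPLICATION_SETS = {"Editing_ProFX_AS": set(APPLICATIONS)}


@dataclass
class Scheduler:
    start: time
    stop: time
    excluded_weekdays: Set[int]  # datetime.weekday(): Monday=0 ... Sunday=6

    def active(self, when: datetime) -> bool:
        return (when.weekday() not in self.excluded_weekdays
                and self.start <= when.time() < self.stop)


@dataclass
class Policy:
    name: str
    source: str
    destination: str
    application: str
    action: str
    scheduler: Optional[Scheduler] = None
    log_session_init: bool = False
    count: bool = False
    hits: int = 0  # what 'then count' would accumulate


@dataclass
class Decision:
    action: str
    policy: Optional[str]  # None means the SRX default deny applied
    logged: bool


def _addr_matches(name: str, addr: str) -> bool:
    members = ADDRESS_SETS.get(name, {name})
    return any(ip_address(addr) in ADDRESSES[m] for m in members)


def _app_matches(name: str, proto: str, dport: int) -> bool:
    members = APPLICATION_SETS.get(name, {name})
    return any(APPLICATIONS[m] == (proto, dport) for m in members)


def evaluate(policies, src, dst, proto, dport, when_iso):
    """First matching policy wins; a policy whose scheduler is inactive is
    skipped. No match falls through to the default deny, which is not logged."""
    when = datetime.fromisoformat(when_iso)
    for p in policies:
        if p.scheduler and not p.scheduler.active(when):
            continue
        if (_addr_matches(p.source, src) and _addr_matches(p.destination, dst)
                and _app_matches(p.application, proto, dport)):
            if p.count:
                p.hits += 1
            return Decision(p.action, p.name, p.log_session_init)
    return Decision("deny", None, False)


def build_policies():
    """The two policies above, in the order they were configured."""
    business_hours = Scheduler(time(6, 0), time(20, 0), excluded_weekdays={6})
    return [
        Policy("ProFX_to_Media", "EDITING_ProFX_MEDIA", "MEDIA_10.23.84",
               "Editing_ProFX_AS", "permit", scheduler=business_hours),
        Policy("Deny_Editing_to_Media", "EDITING_172.16.32", "MEDIA_10.23.84",
               "Editing_ProFX_AS", "deny", log_session_init=True, count=True),
    ]


if __name__ == "__main__":
    pols = build_policies()
    # 2024-01-02 is a Tuesday, 2024-01-07 a Sunday (constructed sample flows)
    print(evaluate(pols, "172.16.32.15", "10.23.84.10", "tcp", 6112, "2024-01-02T10:00"))
    print(evaluate(pols, "172.16.32.15", "10.23.84.10", "tcp", 6112, "2024-01-07T10:00"))
    print(evaluate(pols, "172.16.33.5", "10.23.84.10", "tcp", 22, "2024-01-07T10:00"))
```

Running it shows Editor_A permitted on a Tuesday morning and denied (and logged) on a Sunday, which is the intended effect of the ordering. It also shows that a cache-network host on a Sunday matches neither policy, because 172.16.33.0/24 is not inside EDITING_172.16.32, so that attempt is dropped by the default deny without a log or counter hit; if those attempts should be visible, the deny policy's source needs to cover the cache network too.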
Bonus
user@host# commit check
[edit security policies from-zone Editing to-zone Media]
  'policy ProFX_to_Media'
    Address or address_set (MEDIA_10.23.84) not found.
error: configuration check-out failed

[edit]
user@host# ... Media address-book address MEDIA_10.23.84 10.23.84.0/24
[edit]
user@host# commit check
configuration check succeeds
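The commit check above fails because a policy's destination-address is looked up in the to-zone's address book (and source-address in the from-zone's), and MEDIA_10.23.84 had not yet been defined under the Media zone. The following is an added example, not code from the blog or from Juniper: a small Python lint over the flat `set` form of the configuration that reproduces that one check before the config ever reaches the box. It knows zone address books, the global address book (`set security address-book global ...`) and the built-in `any` names; the sample configurations are constructed, and the error text only approximates the SRX message.

```python
"""Added example (not the blog's code): pre-commit lint that checks every
address a policy references exists in the right zone's address book or in
the global address book. The SRX commit check remains the authority."""
import re
from collections import defaultdict

ZONE_ADDR_RE = re.compile(
    r"^set security zones security-zone (\S+) address-book (?:address|address-set) (\S+)")
GLOBAL_ADDR_RE = re.compile(
    r"^set security address-book global (?:address|address-set) (\S+)")
POLICY_ADDR_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
    r"match (source-address|destination-address) (\S+)")
BUILTIN = {"any", "any-ipv4", "any-ipv6"}


def lint_address_refs(config_text: str):
    """Return a list of error strings; an empty list means all references resolve."""
    zone_books = defaultdict(set)
    global_book = set()
    refs = []
    for raw in config_text.strip().splitlines():
        line = raw.strip()
        m = ZONE_ADDR_RE.match(line)
        if m:
            zone_books[m.group(1)].add(m.group(2))
            continue
        m = GLOBAL_ADDR_RE.match(line)
        if m:
            global_book.add(m.group(1))
            continue
        m = POLICY_ADDR_RE.match(line)
        if m:
            refs.append(m.groups())
    errors = []
    for from_zone, to_zone, policy, field, name in refs:
        # source-address resolves in the from-zone, destination-address in the to-zone
        zone = from_zone if field == "source-address" else to_zone
        if name in BUILTIN or name in zone_books[zone] or name in global_book:
            continue
        errors.append(f"[edit security policies from-zone {from_zone} to-zone {to_zone}] "
                      f"'policy {policy}' Address or address_set ({name}) not found")
    return errors


# Constructed sample: the blog's policy before the Media address was added
SAMPLE_MISSING = """
set security zones security-zone Editing address-book address EDITOR_A 172.16.32.15/32
set security zones security-zone Editing address-book address-set EDITING_ProFX_MEDIA address EDITOR_A
set security policies from-zone Editing to-zone Media policy ProFX_to_Media match source-address EDITING_ProFX_MEDIA
set security policies from-zone Editing to-zone Media policy ProFX_to_Media match destination-address MEDIA_10.23.84
set security policies from-zone Editing to-zone Media policy ProFX_to_Media match application Editing_ProFX_AS
set security policies from-zone Editing to-zone Media policy ProFX_to_Media then permit
"""
# Same config once the address exists in the Media zone's address book
SAMPLE_FIXED = SAMPLE_MISSING + (
    "set security zones security-zone Media address-book address MEDIA_10.23.84 10.23.84.0/24\n")

if __name__ == "__main__":
    for err in lint_address_refs(SAMPLE_MISSING):
        print(err)
    print("fixed config errors:", lint_address_refs(SAMPLE_FIXED))
```

The lint only resolves address references; it does not check application names, scheduler names or zone existence, so treat it as a fast first pass on a config file before pasting it into `configure` and running `commit check`.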
Why didn’t you choose to use global addresses and address-sets? That way you could later use them in the NAT rules, etc. Any reasons?