ShortestPathFirst Network Architecture and Design, and Information Security Best Practices

29 Jun 2011

Juniper SRX Tips :: Uniform Security Policy Modification

Often we want to change every security policy configured on an SRX at once.  For example, say we have thousands of policies on our firewall and want to enable logging on every single one of them.  Doing that by hand, policy by policy, would obviously take a long time, so an easier way is desirable.

In ScreenOS we have the concept of a Global zone, which acts as a container encompassing all zones, but to date Junos does not support similar functionality on the SRX. Furthermore, the Global zone doesn't modify existing policies; rather, it is a way to apply a consistent policy to all inter-zone and intra-zone traffic that doesn't match any of the existing policies.

However, despite all of this, there is in fact a methodology we can use to uniformly modify all of the existing security policies on our box, in a manner that is actually much more powerful than what is accomplished in ScreenOS with the Global zone.

Let's take a look.  First, let's say we have some policies that we would like to enable logging on:

root@ce-1# show security policies
from-zone Trust to-zone Untrust {
    policy allow-outbound {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone Untrust to-zone Trust {
    policy allow-web {
        match {
            source-address any;
            destination-address web-server;
            application junos-http;
        }
        then {
            permit;
        }
    }
}

Here you can see we have a policy allowing all traffic outbound from Trust to Untrust, and another policy allowing inbound HTTP traffic from the Untrust zone to the web server in the Trust zone.  Now, let's enable logging on all of our policies with an apply-group whose wildcards match every policy in every zone pair.  Since <*> matches any zone name in both positions, this covers intra-zone as well as inter-zone policies:

groups {
    global-logging {
        security {
            policies {
                from-zone <*> to-zone <*> {
                    policy <*> {
                        then {
                            log {
                                session-init;
                            }
                        }
                    }
                }
            }
        }
    }
}

Finally, let's apply our apply-group at the [security policies] stanza within our configuration:

root@ce-1# set security policies apply-groups global-logging

Now that the configuration is in place, let's examine what the apply-group did.  Note that a plain show security policies only shows what was configured directly and hides statements that come from groups, so we look at the security policies with the inherited configuration displayed:

root@ce-1# show security policies | display inheritance
apply-groups global-logging
from-zone Trust to-zone Untrust {
    policy allow-outbound {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
            ##
            ## 'log' was inherited from group 'global-logging'
            ##
            log {
                ##
                ## 'session-init' was inherited from group 'global-logging'
                ##
                session-init;
            }
        }
    }
}
from-zone Untrust to-zone Trust {
    policy allow-web {
        match {
            source-address any;
            destination-address web-server;
            application junos-http;
        }
        then {
            permit;
            ##
            ## 'log' was inherited from group 'global-logging'
            ##
            log {
                ##
                ## 'session-init' was inherited from group 'global-logging'
                ##
                session-init;
            }
        }
    }
}

As you can see, with a couple of lines of configuration we can alter every existing policy on the device without touching each one by hand, and any policy added later under a matching zone pair inherits the same statements as soon as it is committed. This is ideal when we want a single set of configuration elements applied to all of our policies uniformly.  If there are particular policies that should not inherit these settings, we add the apply-groups-except statement (apply-groups-except global-logging in this case) under each of those policies, and the group is skipped for them.
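Once a group like this is in place, the practical question is whether every policy really did pick it up, or whether an apply-groups-except (or a policy configured at some other level) left a gap. The script below is an added example, not part of the original post: it parses the curly-brace output of show security policies | display inheritance (the "## ... inherited from group" annotation lines are skipped) and reports each from-zone/to-zone policy that does not log the requested event. The sample output is constructed from the post's Trust-to-Untrust policy plus an assumed Trust-to-Trust policy named allow-dns (with the made-up address book entry dns-server) that opts out via apply-groups-except, so the audit has something to flag.

```python
"""Audit SRX policies for session logging from the output of
'show security policies | display inheritance' (added example, see lead-in)."""
import re

# Constructed sample: the post's Trust->Untrust policy as displayed with
# inheritance, plus an assumed Trust->Trust policy that opts out of the group.
SAMPLE_OUTPUT = """\
apply-groups global-logging;
from-zone Trust to-zone Untrust {
    policy allow-outbound {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
            ##
            ## 'log' was inherited from group 'global-logging'
            ##
            log {
                session-init;
            }
        }
    }
}
from-zone Trust to-zone Trust {
    policy allow-dns {
        apply-groups-except global-logging;
        match {
            source-address any;
            destination-address dns-server;
            application junos-dns-udp;
        }
        then {
            permit;
        }
    }
}
"""

ZONE_PAIR = re.compile(r"^from-zone (\S+) to-zone (\S+)$")


def parse_braces(text):
    """Junos brace output -> nested dicts; leaf statements map to None.
    '##' annotation lines (where a statement was inherited from) are skipped."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":
            stack.pop()
        else:
            stack[-1][line.rstrip(";")] = None
    if len(stack) != 1:
        raise ValueError("unbalanced braces in policy output")
    return root


def audit_policy_logging(text, event="session-init"):
    """One record per policy: zone pair, name, whether it logs `event`,
    and whether it carries apply-groups-except (the usual cause of a gap)."""
    findings = []
    for key, body in parse_braces(text).items():
        zones = ZONE_PAIR.match(key)
        if zones is None or body is None:
            continue
        for pkey, pbody in body.items():
            if not pkey.startswith("policy ") or pbody is None:
                continue
            log = (pbody.get("then") or {}).get("log") or {}
            findings.append({
                "from": zones.group(1), "to": zones.group(2),
                "policy": pkey.split(None, 1)[1],
                "logs": event in log,
                "exempt": any(k.startswith("apply-groups-except") for k in pbody),
            })
    return findings


def missing_logging(text, event="session-init"):
    """Names ('From->To policy') of policies that do not log `event`."""
    return [f"{f['from']}->{f['to']} {f['policy']}"
            for f in audit_policy_logging(text, event) if not f["logs"]]


if __name__ == "__main__":
    for f in audit_policy_logging(SAMPLE_OUTPUT):
        print("ok     " if f["logs"] else "MISSING",
              f"{f['from']}->{f['to']} {f['policy']}",
              "(apply-groups-except)" if f["exempt"] else "")
```

Against a real box, capture show security policies | display inheritance | no-more and pass the text to audit_policy_logging; pass event="session-close" if the group logs on close instead. Because the audit reads the inherited view rather than the group definition, it catches the case the group alone cannot tell you about: a policy that someone has explicitly excluded.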

In our next article we will examine how to change the default-deny behavior on the SRX so that denied packets are logged as well.


Comments (8)
  1. Excellent Idea!
    Thanks Stefan for sharing this idea.

  2. Excellent Share. Keep rolling and helping us with your tips. Cheers :)

  3. Fantastic Post Stefan!

  4. Great tip!

    I wonder if you can use something like this to put a clean up rule (deny any any log) into each zone-pair policy.

  5. You may want to use session-close to see the data transfer statistics of the flow on close. Deny policies have no session-close so far as I’ve seen, but in time I won’t be too surprised if it becomes a feature later.

    [edit groups] will not play well with NSM (besides the usual node0 node1 for clusters, and other platform typical no-single-point-of-failure features similar to clustering).

    You can mix and match hierarchy of apply-group and apply-group-except to your liking. Take for instance, you have a lot of allow policies, and use log session-close on them. However, you want to use a few select policies by hand, or log on session-init only. You can apply-group at an upper level, and then apply-groups-except at a deeper level.

  6. Thanks for the great post. It would great if you could share your preparation tips for the JNCIE-SEC exam. Your preparation tips for JNCIE-M/T helped me quite a bit for my own successful attempt.

  7. Willy,

    In fact I am writing this blog post as we speak and should have it available in the next day or so… stay tuned!

  8. That is great to hear. I look forward to reading it.
    In addition, if I may so suggest, I would love to see a JNCIE-SEC study guide written by you. The ones for the JNCIx-M/T from Harry Reynolds were really good. In addition to being great for the lab prep, it was also very good from a real world usability point of view. Now that you are a trainer at Juniper, I can’t really think of a better qualified person to write it. If you did come out with a book, know I would buy a copy.
    Cheers
