Juniper SRX Tips: Uniform Security Policy Modification

Monday, August 01, 2011

Stefan Fouant

065b7cfbbb03ac9d18cbf5ed0615b40a

Part One HERE

Often there are instances where we want to affect all security policies configured on an SRX device. 

For example, let's say that we have thousands of policies configured on our firewall, and we want to enable logging for every single policy. 

Obviously this would take some time if we were to do this manually on each and every individual policy, so an easier way is desired.

In ScreenOS we have the concept of a Global zone which acts as a container encompassing all zones, but to date, Junos does not support a similar functionality on the SRX.

Furthermore, the Global zone doesn't affect existing policies but rather is way to apply a consistent policy to all Inter-zone and Intra-zone traffic that doesn't match any of the existing policies.

However, despite all of this, there is in fact a methodology we can use to uniformly modify all of the existing security policies on our box, in a manner that is actually much more powerful than what is accomplished in ScreenOS with the Global zone.

Let's take a look.  First, let's say we have some policies that we would like to enable logging on:

root@ce-1# show security policies
from-zone Trust to-zone Untrust {
    policy allow-outbound {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone Untrust to-zone Trust {
    policy allow-web {
        match {
            source-address any;
            destination-address web-server;
            application junos-http;
        }
        then {
            permit;
        }
    }
}

Here you can see we have a policy allowing all traffic outbound from Trust to Untrust, and another policy allowing inbound HTTP traffic from the Untrust zone towards the Web Server in the Trust zone.  Now, let's enable logging for all of our policies by using an apply-group and matching on all policies from any zone to any other zone.  Note that this will encompass both Inter-zone as well as Intra-zone traffic:

groups {
    global-logging {
        security {
            policies {
                from-zone <*> to-zone <*> {
                    policy <*> {
                        then {
                            log {
                                session-init;
                            }
                        }
                    }
                }
            }
        }
    }
}

Finally, let's apply our apply-group at the [security policies] stanza within our configuration:

root@ce-1# set security policies apply-groups global-logging

Now that we've completed the configuration, let's examine the results of the application of our apply-group by taking a look at our security policies, this time by displaying the inherited configuration:

root@ce-1# show security policies | display inheritance
apply-groups global-logging
from-zone Trust to-zone Untrust {
    policy allow-outbound {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
            ##
            ## 'log' was inherited from group 'global-logging'
            ##
            log {
                ##
                ## 'session-init' was inherited from group 'global-logging'
                ##
                session-init;
            }
        }
    }
}
from-zone Untrust to-zone Trust {
    policy allow-web {
        match {
            source-address any;
            destination-address web-server;
            application junos-http;
        }
        then {
            permit;
            ##
            ## 'log' was inherited from group 'global-logging'
            ##
            log {
                ##
                ## 'session-init' was inherited from group 'global-logging'
                ##
                session-init;
            }
        }
    }
}

As you can see, with a couple of lines of code we can alter all of the existing policies on our device without having to resort to manual configuration of each and every one. This type of functionality is perfect when we want to have a singular set of configuration elements apply to all of our policies uniformly. 

On the other hand, if there are certain policies that we don't want to inherit these settings, we can simply utilize the apply-group-except statement for each of those respective policies.

In our next article we will examine how to change the default-deny behavior on the SRX to also including logging of denied packets.

Cross-posted from Shortest Path First - Follow me on Twitter!

Possibly Related Articles:
12013
Policy
Information Security
Certification Policy Training Network Security Juniper JNCIE
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.