Juniper SRX global security policy - revisited

Quite a while ago I wrote about creating a global policy using apply-groups. It works, but its main disadvantage was that it only logs traffic if there is at least one permit rule between the source and destination zones.

As of Junos 11.2, a global firewall rulebase can be configured. Just like the NetScreen global rulebase, it is only evaluated when there is no match in the regular zone-to-zone rulebase, so it can be used to create a default logdrop rule like this:

[edit security policies global]
    policy default-logdrop {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            deny;
            log {
                session-init;
            }
        }
    }

When traffic does not match any of the permit policies, it is now logged in the following format:

RT_FLOW - RT_FLOW_SESSION_DENY [[email protected] source-address="10.199.6.91" source-port="5947" destination-address="194.178.10.7" destination-port="80" service-name="junos-http" protocol-id="6" icmp-type="0" policy-name="default-logdrop(global)" source-zone-name="trust" destination-zone-name="untrust" application="UNKNOWN" nested-application="UNKNOWN" username="N/A" role="N/A" packet-incoming-interface="fe-0/0/8.6"]
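As an added example (not code from the original post), the following Python parser reads RT_FLOW_SESSION_DENY lines in the format shown above, picks out the denies that came from the global rulebase (Junos appends "(global)" to the policy name, as in default-logdrop(global)) and tallies them per zone pair and destination port, which is a quick way to spot flows that are falling through to the catch-all rule. The sample lines are constructed, and the structured-data id after `junos@` is a placeholder.

```python
import re
from collections import Counter

# Event name, structured-data id, and the key="value" body of an RT_FLOW syslog line.
_EVENT_RE = re.compile(r'RT_FLOW - (RT_FLOW_SESSION_\w+) \[(\S+) (.*)\]\s*$')
_KV_RE = re.compile(r'([\w-]+)="([^"]*)"')  # one key="value" pair inside the body

def parse_rt_flow(line):
    """Parse one RT_FLOW syslog line into a dict of its fields, or None if it is not one."""
    m = _EVENT_RE.search(line)
    if not m:
        return None
    fields = dict(_KV_RE.findall(m.group(3)))
    fields["event"] = m.group(1)
    return fields

def is_global_deny(fields):
    """True when the session was denied by the global rulebase: Junos appends "(global)"
    to the policy name, as in default-logdrop(global) in the post's log line."""
    return (fields is not None
            and fields["event"] == "RT_FLOW_SESSION_DENY"
            and fields.get("policy-name", "").endswith("(global)"))

def summarize_global_denies(lines):
    """Tally global-rulebase denies per (source zone, destination zone, destination port);
    a busy bucket usually points at a missing zone policy or an unexpected flow."""
    counts = Counter()
    for line in lines:
        f = parse_rt_flow(line)
        if is_global_deny(f):
            counts[(f["source-zone-name"], f["destination-zone-name"], f["destination-port"])] += 1
    return counts

def _deny_line(src, dport, svc, policy):
    """Constructed sample line in the post's format; junos@EXAMPLE-SDID is a placeholder id."""
    return ('RT_FLOW - RT_FLOW_SESSION_DENY [junos@EXAMPLE-SDID source-address="%s" source-port="5947" '
            'destination-address="194.178.10.7" destination-port="%s" service-name="%s" protocol-id="6" '
            'icmp-type="0" policy-name="%s" source-zone-name="trust" destination-zone-name="untrust" '
            'application="UNKNOWN" nested-application="UNKNOWN" username="N/A" role="N/A" '
            'packet-incoming-interface="fe-0/0/8.6"]' % (src, dport, svc, policy))

SAMPLE_LOGS = [  # constructed input: three global denies, one zone-policy deny, one unrelated line
    _deny_line("10.199.6.91", "80", "junos-http", "default-logdrop(global)"),
    _deny_line("10.199.6.92", "80", "junos-http", "default-logdrop(global)"),
    _deny_line("10.199.6.93", "443", "junos-https", "default-logdrop(global)"),
    _deny_line("10.199.6.94", "23", "junos-telnet", "deny-telnet"),
    "kernel: unrelated syslog line",
]
```

Feed it the output of `show log` or a syslog collector's RT_FLOW stream line by line; denies from zone policies are parsed too but left out of the tally so the global catch-all can be reviewed on its own.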

The global policy works fine for a default logdrop rule, but when you want to match specific source or destination addresses in a global rule, things get more interesting. The addresses need to be defined in the new global address book at [security address-book] instead of in the zone-specific ones. Unfortunately, the two cannot be combined: if you try to commit a configuration that has both, you'll see error messages like this:

[edit security zones security-zone untrust]
  'address-book'
    Zone specific address books are not allowed when there are global address books defined

So you will have to convert all your address books to the new style, which is quite a bit of work.

Comments

Also be aware that if you go down this path and start using the global address book, the objects will not show up in the GUI, either in the address book or as available to be added to policies. It's all OK via the CLI but the GUI is stuffed - and that's using the very latest 12.1.
Juniper is aware of the issue and working to fix.
PR807115 - says it's resolved in 12.1R5, however that is not out yet at the time I am writing this.
We'll see....
