Junos® OS
Security Policies User Guide for Security Devices
Published
2021-04-18

Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA
408-745-2000 www.juniper.net

Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Junos® OS Security Policies User Guide for Security Devices
Copyright © 2021 Juniper Networks, Inc. All rights reserved.

The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement ("EULA") posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software you agree to the terms and conditions of that EULA.
Table of Contents

About This Guide | xviii

1 Overview
Security Basics Overview | 2
Security Policies Overview | 2

2 Security Zones
Security Zones | 7
Security Zones Overview | 7
Example: Creating Security Zones | 9
Requirements | 10
Overview | 10
Configuration | 10
Verification | 12
Supported System Services for Host Inbound Traffic | 13
Understanding How to Control Inbound Traffic Based on Traffic Types | 14
Example: Controlling Inbound Traffic Based on Traffic Types | 15
Requirements | 15
Overview | 15
Configuration | 15
Verification | 18
Understanding How to Control Inbound Traffic Based on Protocols | 18
Example: Controlling Inbound Traffic Based on Protocols | 20
Requirements | 20
Overview | 20
Configuration | 20
Verification | 22
Example: Configuring the TCP-Reset Parameter | 23
Requirements | 23
Overview | 23
Configuration | 23
Verification | 24

3 Address Books and Address Sets
Address Books and Address Sets | 26
Understanding Address Books | 26
Understanding Global Address Books | 28
Understanding Address Sets | 29
Limitations of Addresses and Address Sets in a Security Policy | 29
Configuring Addresses and Address Sets | 30
Example: Configuring Address Books and Address Sets | 36
Requirements | 36
Overview | 37
Configuration | 39
Verification | 42
Excluding Addresses from Policies | 44
Example: Excluding Addresses from Policies | 45
Requirements | 45
Overview | 46
Configuration | 46
Verification | 50

4 Security Policy Applications and Application Sets
Security Policy Applications and Application Sets | 54
Security Policy Applications Overview | 54
Security Policy Application Sets Overview | 55
Example: Configuring Security Policy Applications and Application Sets | 55
Requirements | 56
Overview | 56
Configuration | 57
Verification | 57
Understanding Policy Application Timeout Configuration and Lookup | 58
Understanding Policy Application Timeouts Contingencies | 59
Example: Setting a Policy Application Timeout | 59
Requirements | 60
Overview | 60
Configuration | 60
Verification | 61
Predefined Policy Applications | 61
Understanding Internet-Related Predefined Policy Applications | 62
Understanding Microsoft Predefined Policy Applications | 64
Understanding Dynamic Routing Protocols Predefined Policy Applications | 66
Understanding Streaming Video Predefined Policy Applications | 67
Understanding Sun RPC Predefined Policy Applications | 68
Understanding Security and Tunnel Predefined Policy Applications | 69
Understanding IP-Related Predefined Policy Applications | 70
Understanding Instant Messaging Predefined Policy Applications | 71
Understanding Management Predefined Policy Applications | 72
Understanding Mail Predefined Policy Applications | 74
Understanding UNIX Predefined Policy Applications | 75
Understanding Miscellaneous Predefined Policy Applications | 75
Understanding ICMP Predefined Policy Applications | 77
Example: Defining a Custom ICMP Application | 84
Requirements | 85
Overview | 85
Configuration | 86
Verification | 87
Custom Policy Applications | 87
Understanding Custom Policy Applications | 87
Custom Application Mappings | 88
Example: Adding and Modifying Custom Policy Applications | 88
Requirements | 89
Overview | 89
Configuration | 89
Verification | 90
Example: Configuring Custom Policy Application Term Definitions | 92
Requirements | 92
Overview | 92
Configuration | 93
Verification | 95
5 Security Policies
Configuring Security Policies | 98
Understanding Security Policy Elements | 98
Understanding Security Policy Rules | 99
Understanding Security Policies for Self Traffic | 103
Security Policies Configuration Overview | 104
Best Practices for Defining Policies on SRX Series Devices | 105
Configuring Policies Using the Firewall Wizard | 109
Example: Configuring a Security Policy to Permit or Deny All Traffic | 109
Requirements | 109
Overview | 110
Configuration | 112
Verification | 115
Example: Configuring a Security Policy to Permit or Deny Selected Traffic | 115
Requirements | 116
Overview | 116
Configuration | 118
Verification | 121
Example: Configuring a Security Policy to Permit or Deny Wildcard Address Traffic | 122
Requirements | 122
Overview | 122
Configuration | 123
Verification | 126
Example: Configuring a Security Policy to Redirect Traffic Logs to an External System Log Server | 126
Requirements | 127
Overview | 127
Configuration | 128
Verification | 130
TAP Mode for Security Zones and Policies | 131
Understanding TAP Mode Support for Security Zones and Policies | 131
Example: Configuring Security Zones and Policies in TAP mode | 132
Dynamic Address Groups in Security Policies | 137
Configure Security Policies for VXLAN | 145
Requirements | 145
Overview | 145
Configuration | 146
Verification | 150
Unified Security Policies | 156
Unified Policies Overview | 157
Unified Policies Configuration Overview | 158
Example: Configure a Unified Policy Using a Redirect Message Profile | 167
Requirements | 167
Overview | 167
Configuration | 168
Verification | 170
Configure a URL Category with Unified Policies | 173
Understanding URL Category with Unified Policies | 173
Example: Configuring a Unified Policy Using URL Category | 174
Configure Applications in Unified Policies | 179
Applications in Unified Policies | 179
Example: Configure a Unified Policy Using Dynamic Applications | 179
Configure Microsoft Applications in Unified Policies | 184
Global Security Policies | 186
Global Policy Overview | 187
Example: Configuring a Global Policy with No Zone Restrictions | 189
Requirements | 190
Overview | 190
Configuration | 191
Verification | 194
Example: Configuring a Global Policy with Multiple Zones | 195
Requirements | 195
Overview | 195
Configuration | 196
Verification | 198
User Role Firewall Security Policies | 198
Understanding User Role Firewalls | 199
User Role Retrieval and the Policy Lookup Process | 200
Understanding the User Identification Table | 203
Obtaining Username and Role Information Through Firewall Authentication | 209
Configuring a User Role Firewall For Captive Portal Redirection | 211
Example: Configuring a User Role Firewall on an SRX Series Device | 213
Requirements | 213
Overview | 213
Configuration | 215
Configuring Resource Policies Using UAC | 222
Reordering Security Policies | 226
Understanding Security Policy Ordering | 226
Example: Reordering Security Policies | 228
Requirements | 229
Overview | 229
Configuration | 229
Verification | 230
Scheduling Security Policies | 230
Security Policy Schedulers Overview | 230
Example: Configuring Schedulers for a Daily Schedule Excluding One Day | 231
Requirements | 232
Overview | 232
Configuration | 232
Verification | 235
Verifying Scheduled Policies | 236
Threat Profiling Support in Security Policy | 237
Configuring Security Policies for a VRF Routing Instance | 238
Overview | 239
Understanding Security Policy Rules | 241
Example: Configuring a Security Policy to Permit or Deny VRF-Based Traffic from MPLS Network to an IP Network | 242
Requirements | 242
Overview | 243
Configuration | 243
Example: Configuring a Security Policy to Permit VRF-Based Traffic from an IP Network to an MPLS Network | 248
Requirements | 249
Overview | 249
Configuration | 249
Example: Configuring a Security Policy to Permit VRF-Based Traffic from an MPLS Network to an MPLS Network over GRE without NAT | 254
Requirements | 255
Overview | 255
Configuration | 255
Example: Configuring Security Policies Using VRF Routing Instances in an MPLS Network | 261
Requirements | 261
Overview | 261
MPLS Network to Private IP Network | 262
Global IP Network to an MPLS Network | 265
Configuring Security Policies Using VRF Group | 271
Overview | 272
Example: Configuring a Security Policy to Permit or Deny VRF-Based Traffic from MPLS Network to an IP Network using Source VRF Group | 273
Requirements | 273
Overview | 274
Configuration | 274
Example: Configuring a Security Policy to Permit or Deny VRF-Based Traffic from an IP Network to MPLS Network using Destination VRF Group | 278
Requirements | 279
Overview | 279
Configuration | 280
Managing Overlapping VPN using VRF group | 284
Monitoring and Troubleshooting Security Policies | 285
Understanding Security Alarms | 285
Example: Generating a Security Alarm in Response to Policy Violations | 286
Requirements | 286
Overview | 287
Configuration | 287
Verification | 289
Matching Security Policies | 289
Tracking Policy Hit Counts | 291
Checking Memory Usage on SRX Series Devices | 291
Monitoring Security Policy Statistics | 293
Verifying Shadow Policies | 294
Verifying All Shadow Policies | 295
Verifying a Policy Shadows One or More Policies | 296
Verifying a Policy Is Shadowed by One or More Policies | 296
Troubleshooting Security Policies | 298
Synchronizing Policies Between Routing Engine and Packet Forwarding Engine | 298
Checking a Security Policy Commit Failure | 299
Verifying a Security Policy Commit | 300
Debugging Policy Lookup | 301
High Availability (HA) Synchronization of Address Name Resolving Cache | 301

6 Configuration Statements
address (Security Address Book) | 308
address-book | 310
address-set | 312
alarms (Security) | 314
alarm-threshold | 316
alarm-without-drop | 318
application (Applications) | 319
application (Security Alarms) | 323
application (Security Policies) | 325
application-protocol (Applications) | 328
application-services (Security Policies) | 331
application-tracking (Security Zones) | 334
application-traffic-control (Application Services) | 335
applications | 337
audible (Security Alarms) | 339
authentication (Security Alarms) | 340
captive-portal (Services UAC Policy) | 342
count (Security Policies) | 344
default-policy | 345
deny (Security Policies) | 347
description (Applications) | 348
description (Security Address Book) | 350
description (Security Zone) | 352
destination-address (Security Policies) | 353
destination-address (Security Policies Flag) | 355
destination-address-excluded | 357
destination-ip (Security Alarms) | 358
destination-port (Applications) | 360
dns-cache | 366
dns-proxy | 368
dynamic-application (Security) | 370
dynamic-application (Security Policies) | 372
dynamic-dns | 374
exclude (Schedulers) | 376
firewall-authentication (Security Policies) | 378
forward-only (DNS) | 381
from-zone (Security Policies) | 382
from-zone (Security Policies Global) | 386
functional-zone | 388
global (Security Policies) | 390
host-inbound-traffic | 394
icmp-code (Applications) | 395
icmp-type (Applications) | 397
inactivity-timeout (Applications) | 399
interfaces (Security Zones) | 400
initial-tcp-mss | 402
ipsec-group-vpn (Security Policies) | 404
ipsec-vpn (Security Policies) | 405
log (Security Policies) | 407
management (Security Zones) | 409
match (Security Policies) | 411
match (Security Policies Global) | 413
ncy max-lookups | 416
n cy c sync r n z n | 417
pair-policy | 419
pass-through | 420
permit (Security Policies) | 423
policies | 426
policy (Security Alarms) | 436
policy (Security Policies) | 438
policy-match | 442
policy-rematch | 444
policy-stats | 446
potential-violation | 448
pre-id-default-policy | 451
profile (dynamic-application) | 454
protocol (Applications) | 457
protocols (Security Zones Host Inbound Traffic) | 459
protocols (Security Zones Interfaces) | 462
range-address | 465
redirect-wx (Application Services) | 466
reject (Security) | 468
report-skip | 470
reverse-tcp-mss | 471
rpc-program-number (Applications) | 473
scheduler (Security Policies) | 474
scheduler-name | 477
schedulers (Security Policies) | 478
screen (Security Zones) | 480
secure-neighbor-discovery | 481
security-intelligence | 483
security-zone | 485
sequence-check-required | 488
services-offload (Security) | 489
session-close | 491
session-init | 492
simple-mail-client-service | 494
source-address (Security Policies) | 495
source-address-excluded | 497
source-identity | 498
source-ip (Security Alarms) | 501
source-port (Applications) | 503
ssl-proxy (Application Services) | 505
ssl-termination-profile | 506
start-date | 508
start-time (Schedulers) | 510
stop-date | 512
stop-time | 513
syn-check-required | 515
system-services (Security Zones Host Inbound Traffic) | 517
system-services (Security Zones Interfaces) | 520
tcp-options (Security Policies) | 523
tcp-rst | 526
term (Applications) | 528
then (Security Policies) | 529
to-zone (Security Policies) | 533
to-zone (Security Policies Global) | 536
traceoptions (dynamic-application) | 538
traceoptions (Security Policies) | 541
traceoptions (Security User Identification) | 544
traceoptions (System Services DNS) | 547
tunnel (Security Policies) | 550
tunnel-inspection | 552
uac-policy (Application Services) | 554
unidirectional-session-refreshing | 555
unified-policy-explicit-match | 557
user-firewall | 558
user-identification | 560
utm-policy | 562
uuid (Applications) | 565
vrrp | 566
web-authentication | 568
web-redirect | 570
zones | 571

7 Operational Commands
clear security alarms | 577
clear security policies hit-count | 581
clear security policies statistics | 583
clear system services dns dns-proxy | 584
request security policies check | 586
request security policies resync | 589
request security user-identification local-authorization-table add | 592
request security user-identification local-authentication-table delete | 595
show security alarms | 597
show security firewall-authentication users address | 603
show security firewall-authentication users auth-type | 608
show security flow session application | 611
show security match-policies | 617
show security policies | 627
show security policies checksum | 650
show security policies hit-count | 653
show security policies information | 658
show security policies unknown-source-identity | 667
show security policies zone-context | 669
show security policy-report | 673
show security shadow-policies | 677
show security user-identification local-authentication-table | 681
show security user-identification role-provision all | 685
show security user-identification source-identity-provision all | 687
show security user-identification user-provision all | 689
show security zones | 691
show security zones type | 700
show system services dns dns-proxy | 705
show system services dynamic-dns | 709
About This Guide

Use this guide to configure security zones, address books and address sets, security policy applications and application sets, and security policies in Junos OS on the SRX Series devices.
CHAPTER 1
Overview
Security Basics Overview | 2
Security Policies Overview | 2

Security Basics Overview

This guide provides information about the security basics used to configure features for security devices.

• A security zone is a collection of one or more network segments requiring the regulation of inbound and outbound traffic through policies. Security zones are logical entities to which one or more interfaces are bound. With many types of Juniper Networks devices, you can define multiple security zones, the exact number of which you determine based on your network needs.

• An address book is a collection of addresses and address sets. Junos OS allows you to configure multiple address books. Address books are like components, or building blocks, that are referenced in other configurations such as security policies or NAT. You can add addresses to address books or use the predefined addresses available to each address book by default.

• An application set is a group of applications. Junos OS simplifies the process by allowing you to manage a small number of application sets, rather than a large number of individual application entries. The application (or application set) is referred to by security policies as match criteria for packets initiating sessions.

• A security policy is a stateful firewall policy that provides a set of tools to network administrators, enabling them to implement network security for their organizations. Security policies enforce rules for transit traffic in terms of what traffic can pass through the firewall and the actions that need to take place on traffic as it passes through the firewall.

RELATED DOCUMENTATION
Getting Started Guide for Junos OS
Security Policies Overview

To secure their business, organizations must control access to their LAN and their resources. Security policies are commonly used for this purpose. Secure access is required both within the company across the LAN and in its interactions with external networks such as the Internet. Junos OS provides powerful network security features through its stateful firewall, application firewall, and user identity firewall. All three types of firewall enforcement are implemented through security policies. The stateful firewall policy syntax is widened to include additional tuples for the application firewall and the user identity firewall.
In a Junos OS stateful firewall, the security policies enforce rules for transit traffic, in terms of what traffic can pass through the firewall, and the actions that need to take place on traffic as it passes through the firewall. From the perspective of security policies, the traffic enters one security zone and exits another security zone. This combination of a from-zone and to-zone is called a context. Each context contains an ordered list of policies. Each policy is processed in the order that it is defined within a context.

A security policy, which can be configured from the user interface, controls the traffic flow from one zone to another zone by defining the kind(s) of traffic permitted from specified IP sources to specified IP destinations at scheduled times.

Policies allow you to deny, permit, reject (deny and send a TCP RST or ICMP port unreachable message to the source host), encrypt and decrypt, authenticate, prioritize, schedule, filter, and monitor the traffic attempting to cross from one security zone to another. You decide which users and what data can enter and exit, and when and where they can go.

NOTE: For an SRX Series device that supports virtual systems, policies set in the root system do not affect policies set in virtual systems.

An SRX Series device secures a network by inspecting, and then allowing or denying, all connection attempts that require passage from one security zone to another.

Logging capability can also be enabled with security policies during the session initialization (session-init) or session close (session-close) stage.

• To view logs from denied connections, enable log on session-init.

• To log sessions after their conclusion/tear-down, enable log on session-close.

NOTE: Session log is enabled at real time in the flow code, which impacts the user performance. If both session-close and session-init are enabled, performance is further degraded as compared to enabling session-init only.

For SRX300, SRX320, SRX340, SRX345, SRX380, and SRX550M devices, a factory-default security policy is provided that:

• Allows all traffic from the trust zone to the untrust zone.

• Allows all traffic between trusted zones, that is from the trust zone to intrazone trusted zones.

• Denies all traffic from the untrust zone to the trust zone.
Through the creation of policies, you can control the traffic flow from zone to zone by defining the kinds of traffic permitted to pass from specified sources to specified destinations at scheduled times. At the broadest level, you can allow all kinds of traffic from any source in one zone to any destination in all other zones without any scheduling restrictions. At the narrowest level, you can create a policy that allows only one kind of traffic between a specified host in one zone and another specified host in another zone during a scheduled interval of time. See Figure 1 on page 4.

Figure 1: Security Policy

Every time a packet attempts to pass from one zone to another or between two interfaces bound to the same zone, the device checks for a policy that permits such traffic (see "Understanding Security Zones" on page 7 and "Example: Configuring Security Policy Applications and Application Sets" on page 55). To allow traffic to pass from one security zone to another—for example, from zone A to zone B—you must configure a policy that permits zone A to send traffic to zone B. To allow traffic to flow the other way, you must configure another policy permitting traffic from zone B to zone A.

To allow data traffic to pass between zones, you must configure firewall policies.
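The lookup described in this overview (a packet is classified into a from-zone/to-zone context by its interfaces, the context's policies are evaluated in definition order, the first match decides, an unmatched packet falls to the default policy, and session-init logging fires on the matching policy) is easiest to see as a small model. The following is an added example, not code from the guide or from Juniper: the interface names, zones, addresses and policy names are constructed for illustration, and the `web_permit_first` switch shows why ordering within a context matters, since a catch-all deny defined before a specific permit shadows it.

```python
"""Model of Junos security policy lookup: (from-zone, to-zone) context, ordered
policies, first match wins, default policy deny. Added example, not Juniper's
code; every name and address below is constructed for illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

NULL_ZONE = "null"  # an interface stays here, passing no traffic, until bound to a zone


@dataclass
class Policy:
    name: str
    source: str          # CIDR or "any"
    destination: str     # CIDR or "any"
    application: str     # e.g. "junos-http", or "any"
    action: str          # "permit", "deny" or "reject"
    log_session_init: bool = False


@dataclass
class Packet:
    in_interface: str
    out_interface: str
    src: str
    dst: str
    application: str


@dataclass
class Firewall:
    zone_of_interface: Dict[str, str]
    contexts: Dict[Tuple[str, str], List[Policy]] = field(default_factory=dict)
    default_action: str = "deny"
    log: List[str] = field(default_factory=list)

    def add_policy(self, from_zone: str, to_zone: str, policy: Policy) -> None:
        # Policies are appended, so definition order is evaluation order.
        self.contexts.setdefault((from_zone, to_zone), []).append(policy)

    def zone(self, interface: str) -> str:
        return self.zone_of_interface.get(interface, NULL_ZONE)

    @staticmethod
    def _address_matches(rule: str, address: str) -> bool:
        return rule == "any" or ip_address(address) in ip_network(rule)

    def lookup(self, pkt: Packet) -> Tuple[str, Optional[str]]:
        """Return (action, matching policy name); the name is None for the default policy."""
        context = (self.zone(pkt.in_interface), self.zone(pkt.out_interface))
        if NULL_ZONE in context:
            return "deny", None  # unbound interface: no policy lookup happens at all
        for pol in self.contexts.get(context, []):
            if (self._address_matches(pol.source, pkt.src)
                    and self._address_matches(pol.destination, pkt.dst)
                    and pol.application in ("any", pkt.application)):
                if pol.log_session_init:
                    self.log.append(f"session-init {pol.name} {pol.action} "
                                    f"{pkt.src}->{pkt.dst} {pkt.application}")
                return pol.action, pol.name  # first match wins
        return self.default_action, None


def build_example_firewall(web_permit_first: bool = True) -> Firewall:
    """Factory-default style trust/untrust rules plus an ordered untrust->trust context.

    With web_permit_first=False the catch-all deny is defined before the specific
    permit and shadows it: the permit can never match."""
    fw = Firewall(zone_of_interface={"ge-0/0/0.0": "trust", "ge-0/0/3.0": "trust",
                                     "ge-0/0/1.0": "untrust"})
    fw.add_policy("trust", "untrust", Policy("trust-to-untrust", "any", "any", "any", "permit"))
    fw.add_policy("trust", "trust", Policy("trust-intrazone", "any", "any", "any", "permit"))
    allow_web = Policy("allow-web", "any", "192.0.2.10/32", "junos-http", "permit")
    deny_rest = Policy("deny-rest", "any", "any", "any", "deny", log_session_init=True)
    for pol in ([allow_web, deny_rest] if web_permit_first else [deny_rest, allow_web]):
        fw.add_policy("untrust", "trust", pol)
    return fw


def run_lookups(fw: Firewall) -> Dict[str, Tuple[str, Optional[str]]]:
    # Constructed sample packets; addresses come from documentation ranges.
    packets = {
        "lan-to-internet": Packet("ge-0/0/0.0", "ge-0/0/1.0", "10.0.0.5", "198.51.100.7", "junos-https"),
        "lan-to-lan": Packet("ge-0/0/0.0", "ge-0/0/3.0", "10.0.0.5", "10.0.1.9", "junos-smb"),
        "internet-to-web": Packet("ge-0/0/1.0", "ge-0/0/0.0", "198.51.100.7", "192.0.2.10", "junos-http"),
        "internet-to-ssh": Packet("ge-0/0/1.0", "ge-0/0/0.0", "198.51.100.7", "192.0.2.10", "junos-ssh"),
        "unbound-interface": Packet("ge-0/0/2.0", "ge-0/0/0.0", "203.0.113.9", "10.0.0.5", "junos-http"),
    }
    return {label: fw.lookup(pkt) for label, pkt in packets.items()}


if __name__ == "__main__":
    for label, result in run_lookups(build_example_firewall()).items():
        print(f"{label:18} -> {result}")
```

Running the block prints one line per sample packet; the `internet-to-ssh` packet is the only one that reaches the logging deny, so `fw.log` holds exactly one session-init entry, and rebuilding the firewall with `web_permit_first=False` turns `internet-to-web` into a deny even though the permit still exists, which is the shadowing that the guide's "Verifying Shadow Policies" topics are about.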
RELATED DOCUMENTATION
Configuring Security Policies | 98
CHAPTER 2
Security Zones
Security Zones | 7

Security Zones

IN THIS SECTION
Security Zones Overview | 7
Example: Creating Security Zones | 9
Supported System Services for Host Inbound Traffic | 13
Understanding How to Control Inbound Traffic Based on Traffic Types | 14
Example: Controlling Inbound Traffic Based on Traffic Types | 15
Understanding How to Control Inbound Traffic Based on Protocols | 18
Example: Controlling Inbound Traffic Based on Protocols | 20
Example: Configuring the TCP-Reset Parameter | 23

A security zone is a collection of one or more network segments requiring the regulation of inbound and outbound traffic through policies. Security zones are logical entities to which one or more interfaces are bound. You can define multiple security zones, the exact number of which you determine based on your network needs.
Security Zones Overview

IN THIS SECTION
Understanding Security Zone Interfaces | 8
Understanding Functional Zones | 8
Understanding Security Zones | 9

Interfaces act as a doorway through which traffic enters and exits a Juniper Networks device. Many interfaces can share exactly the same security requirements; however, different interfaces can also have different security requirements for inbound and outbound data packets. Interfaces with identical security requirements can be grouped together into a single security zone.

A security zone is a collection of one or more network segments requiring the regulation of inbound and outbound traffic through policies.

Security zones are logical entities to which one or more interfaces are bound. With many types of Juniper Networks devices, you can define multiple security zones, the exact number of which you determine based on your network needs.

On a single device, you can configure multiple security zones, dividing the network into segments to which you can apply various security options to satisfy the needs of each segment. At a minimum, you must define two security zones, basically to protect one area of the network from the other. On some security platforms, you can define many security zones, bringing finer granularity to your network security design—and without deploying multiple security appliances to do so.

From the perspective of security policies, traffic enters into one security zone and goes out on another security zone. This combination of a from-zone and a to-zone is defined as a context. Each context contains an ordered list of policies. For more information on policies, see Security Policies Overview.

This topic includes the following sections:

Understanding Security Zone Interfaces

An interface for a security zone can be thought of as a doorway through which TCP/IP traffic can pass between that zone and any other zone.

Through the policies you define, you can permit traffic between zones to flow in one direction or in both. With the routes that you define, you specify the interfaces that traffic from one zone to another must use. Because you can bind multiple interfaces to a zone, the routes you chart are important for directing traffic to the interfaces of your choice.

An interface can be configured with an IPv4 address, IPv6 address, or both.

Understanding Functional Zones

A functional zone is used for special purposes, like management interfaces. Currently, only the management (MGT) zone is supported. Management zones have the following properties:

• Management zones host management interfaces.

• Traffic entering management zones does not match policies; therefore, traffic cannot transit out of any other interface if it was received in the management interface.

• Management zones can only be used for dedicated management interfaces.

Understanding Security Zones

Security zones are the building blocks for policies; they are logical entities to which one or more interfaces are bound. Security zones provide a means of distinguishing groups of hosts (user systems and other hosts, such as servers) and their resources from one another in order to apply different security measures to them.

Security zones have the following properties:

• Policies—Active security policies that enforce rules for the transit traffic, in terms of what traffic can pass through the firewall, and the actions that need to take place on the traffic as it passes through the firewall. For more information, see Security Policies Overview.

• Screens—A Juniper Networks stateful firewall secures a network by inspecting, and then allowing or denying, all connection attempts that require passage from one security zone to another. For every security zone, you can enable a set of predefined screen options that detect and block various kinds of traffic that the device determines as potentially harmful. For more information, see Reconnaissance Deterrence Overview.

• Address books—IP addresses and address sets that make up an address book to identify its members so that you can apply policies to them. Address book entries can include any combination of IPv4 addresses, IPv6 addresses, and Domain Name System (DNS) names. For more information, see Example: Configuring Address Books and Address Sets.

• TCP-RST—When this feature is enabled, the system sends a TCP segment with the RESET flag set when traffic arrives that does not match an existing session and does not have the SYNchronize flag set.

• Interfaces—List of interfaces in the zone.

Security zones have the following preconfigured zone:

• Trust zone—Available only in the factory configuration and is used for initial connection to the device. After you commit a configuration, the trust zone can be overridden.
Example: Creating Security Zones

IN THIS SECTION
Requirements | 10
Overview | 10
Configuration | 10
Verification | 12

This example shows how to configure zones and assign interfaces to them. When you configure a security zone, you can specify many of its parameters at the same time.

Requirements

Before you begin, configure network interfaces. See the Interfaces User Guide for Security Devices.

Overview

An interface for a security zone can be thought of as a doorway through which TCP/IP traffic can pass between that zone and any other zone.

NOTE: By default, interfaces are in the null zone. The interfaces will not pass traffic until they have been assigned to a zone.

NOTE: You can configure 2000 interfaces within a security zone on SRX3400, SRX3600, SRX4600, SRX5400, SRX5600, or SRX5800 devices, depending on the Junos OS release in your installation.

Configuration

IN THIS SECTION
Procedure | 11

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set interfaces ge-0/0/1 unit 0 family inet address 203.0.113.1/24
set interfaces ge-0/0/1 unit 0 family inet6 address 2001:db8:1::1/64
set security zones security-zone ABC interfaces ge-0/0/1.0

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To create zones and assign interfaces to them:

1. Configure an Ethernet interface and assign an IPv4 address to it.

[edit]
user@host# set interfaces ge-0/0/1 unit 0 family inet address 203.0.113.1/24

2. Configure an Ethernet interface and assign an IPv6 address to it.

[edit]
user@host# set interfaces ge-0/0/1 unit 0 family inet6 address 2001:db8:1::1/64

3. Configure a security zone and assign it to an Ethernet interface.

[edit]
user@host# set security zones security-zone ABC interfaces ge-0/0/1.0

Results

From configuration mode, confirm your configuration by entering the show security zones security-zone ABC and show interfaces ge-0/0/1 commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

For brevity, this show output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).

[edit]
user@host# show security zones security-zone ABC
...
interfaces {
    ge-0/0/1.0 {
    ...
    }
}

[edit]
user@host# show interfaces ge-0/0/1
...
unit 0 {
    family inet {
        address 203.0.113.1/24;
    }
    family inet6 {
        address 2001:db8:1::1/64;
    }
}

If you are done configuring the device, enter commit from configuration mode.
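The two notes in this example (interfaces start in the null zone and forward nothing until bound; a logical interface belongs to one zone) are the kind of thing worth checking before a commit when the set commands are generated or pasted in bulk. The following is an added example, not code from the guide or from Juniper: a small checker that parses set-style `interfaces` and `security zones` commands into interface-to-address and interface-to-zone maps and reports addressed interfaces still in the null zone and interfaces bound to more than one zone. The command list is the example's three commands plus one constructed extra line for ge-0/0/2, which is addressed but never assigned to a zone; the regular expressions accept only the two command shapes used here and reject anything else rather than guessing.

```python
"""Checker for set-style zone/interface commands. Added example, not Juniper's
code: the extra ge-0/0/2 command is constructed to show the null-zone report."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

INTERFACE_RE = re.compile(
    r"^set interfaces (\S+) unit (\d+) family (inet6?) address (\S+)$")
ZONE_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)$")

EXAMPLE_COMMANDS = """
set interfaces ge-0/0/1 unit 0 family inet address 203.0.113.1/24
set interfaces ge-0/0/1 unit 0 family inet6 address 2001:db8:1::1/64
set security zones security-zone ABC interfaces ge-0/0/1.0
set interfaces ge-0/0/2 unit 0 family inet address 198.51.100.1/24
"""  # the ge-0/0/2 line is constructed for this example; the rest are the guide's


def parse_set_commands(text: str) -> Tuple[Dict[str, List[Tuple[str, str]]],
                                           Dict[str, List[str]]]:
    """Return (addresses, zones): logical interface -> [(family, address)] and -> [zone]."""
    addresses: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    zones: Dict[str, List[str]] = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := INTERFACE_RE.match(line):
            ifd, unit, family, address = m.groups()
            # "ge-0/0/1 unit 0" is the logical interface ge-0/0/1.0 that zones refer to
            addresses[f"{ifd}.{unit}"].append((family, address))
        elif m := ZONE_RE.match(line):
            zone, ifl = m.groups()
            zones[ifl].append(zone)
        else:
            raise ValueError(f"unsupported command for this checker: {line}")
    return dict(addresses), dict(zones)


def zone_report(addresses: Dict[str, List[Tuple[str, str]]],
                zones: Dict[str, List[str]]) -> Dict[str, object]:
    by_zone: Dict[str, List[str]] = defaultdict(list)
    for ifl, names in zones.items():
        for zone in names:
            by_zone[zone].append(ifl)
    return {
        "zones": {zone: sorted(ifls) for zone, ifls in by_zone.items()},
        # addressed but never bound: still in the null zone, so it passes no traffic
        "null_zone": sorted(ifl for ifl in addresses if ifl not in zones),
        # bound to two zones: an interface may belong to only one security zone
        "multiple_zones": sorted(ifl for ifl, names in zones.items()
                                 if len(set(names)) > 1),
    }


def check_example() -> Dict[str, object]:
    return zone_report(*parse_set_commands(EXAMPLE_COMMANDS))


if __name__ == "__main__":
    for key, value in check_example().items():
        print(f"{key}: {value}")
```

For the example commands the report lists ABC with ge-0/0/1.0 and flags ge-0/0/2.0 as still in the null zone; feeding it two `security-zone` lines for the same logical interface puts that interface under `multiple_zones` instead.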
Verification

IN THIS SECTION
Troubleshooting with Logs | 13