Monthly Archives: September 2014

How to log traffic dropped by Juniper SRX firewalls

Prior to working with Juniper SRXs my firewall experience was predominantly Check Point. Two nice features of Check Point firewalls are SmartLog and SmartView Tracker, which both provide easy access to firewall log records. When I started using SRXs one of my first questions was: how do I get to view dropped traffic?

One of the easiest ways to do this is a ‘default deny’ configuration group used as a template. Unless traffic is explicitly allowed by a security policy the SRX drops it by default, but that implicit drop is silent: nothing is logged. Putting an explicit deny-with-logging policy in a group and inheriting it into every from-zone/to-zone pair turns the silent drop into a logged one. Two things to check after committing: the <*> wildcard matches zone pairs that already exist under security policies, so a zone pair with no policies configured at all gets no inherited deny (its traffic still drops, but unlogged), and the inherited policy should sit last in each zone pair, because a deny placed above a permit policy would block that traffic. ‘show security policies’ shows the effective order, and ‘show configuration security policies | display inheritance’ shows exactly what the group contributed.

Create the Template:

set groups default-deny-template security policies from-zone <*> to-zone <*> policy default-deny match source-address any
set groups default-deny-template security policies from-zone <*> to-zone <*> policy default-deny match destination-address any
set groups default-deny-template security policies from-zone <*> to-zone <*> policy default-deny match application any
set groups default-deny-template security policies from-zone <*> to-zone <*> policy default-deny then deny
set groups default-deny-template security policies from-zone <*> to-zone <*> policy default-deny then log session-init

Apply the Template:

set apply-groups default-deny-template

Configure Syslog:

set system syslog user * any emergency
set system syslog host 192.168.10.1 any any
set system syslog host 192.168.10.1 match RT_FLOW_SESSION_DENY

You can now fire up your trusty syslog server (you do use one, right?) and view the records generated by the default-deny policy. Two caveats. First, ‘match’ takes a regular expression and only lines matching it are sent to that host, so the RT_FLOW_SESSION_CREATE and RT_FLOW_SESSION_CLOSE records from any permit policies you log on will not reach it unless you widen the expression (for example ‘match RT_FLOW_SESSION_(DENY|CREATE|CLOSE)’). Second, this assumes the SRX sends traffic logs through the routing engine (‘security log mode event’, the default on branch SRX); on the high-end SRX platforms the default is stream mode, where the data plane sends the logs itself and the destination is configured under ‘security log’ rather than ‘system syslog’.
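Once the records are on the syslog host the next question is what to do with them. The following is an added example, not code from the original post: it parses RT_FLOW_SESSION_DENY lines, counts denies per zone pair (a quick check that every zone pair you expect to be logging actually is) and flags sources that were denied to many ports on one host. The sample lines are constructed for this example, and the field layout assumed is the plain (non-structured) RT_FLOW_SESSION_DENY message as I recall it; later Junos releases append more fields, which the regex ignores, so adjust it to your release.

```python
"""Summarise RT_FLOW_SESSION_DENY records received from an SRX over syslog.

Added example; not part of the original post. Assumed field layout (plain,
non-structured RT_FLOW_SESSION_DENY message):
  session denied <src>/<sport>-><dst>/<dport> <service> <proto>(<icmp-type>)
                 <policy> <from-zone> <to-zone> ...
Anything after to-zone is ignored.
"""
import re
from collections import Counter, defaultdict

# Constructed sample of what the syslog host might receive once the
# default-deny template is logging. Addresses, zones and times are invented.
SAMPLE_LOG = """\
Sep 12 10:15:01 srx-fw RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.20.15/51234->10.0.0.5/22 junos-ssh 6(0) default-deny trust dmz UNKNOWN UNKNOWN UNKNOWN
Sep 12 10:15:02 srx-fw RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.20.15/51235->10.0.0.5/23 junos-telnet 6(0) default-deny trust dmz UNKNOWN UNKNOWN UNKNOWN
Sep 12 10:15:02 srx-fw RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.20.15/51236->10.0.0.5/80 junos-http 6(0) default-deny trust dmz UNKNOWN UNKNOWN UNKNOWN
Sep 12 10:15:03 srx-fw RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.20.15/51237->10.0.0.5/443 junos-https 6(0) default-deny trust dmz UNKNOWN UNKNOWN UNKNOWN
Sep 12 10:15:03 srx-fw RT_FLOW: RT_FLOW_SESSION_DENY: session denied 192.168.20.15/51238->10.0.0.5/3389 None 6(0) default-deny trust dmz UNKNOWN UNKNOWN UNKNOWN
Sep 12 10:15:09 srx-fw RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.0.0.7/40000->8.8.8.8/53 junos-dns-udp 17(0) default-deny dmz untrust UNKNOWN UNKNOWN UNKNOWN
Sep 12 10:15:10 srx-fw RT_FLOW: RT_FLOW_SESSION_DENY: session denied 172.16.3.9/0->10.0.0.5/0 junos-icmp-ping 1(8) default-deny untrust dmz UNKNOWN UNKNOWN UNKNOWN
Sep 12 10:15:11 srx-fw RT_FLOW: RT_FLOW_SESSION_CREATE: session created 10.0.0.7/40001->8.8.4.4/53 junos-dns-udp allow-dns dmz untrust
"""

DENY_RE = re.compile(
    r"RT_FLOW_SESSION_DENY: session denied "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"(?P<service>\S+) (?P<proto>\d+)\((?P<icmp_type>\d+)\) "
    r"(?P<policy>\S+) (?P<from_zone>\S+) (?P<to_zone>\S+)"
)


def parse_deny_lines(text):
    """Return one dict per RT_FLOW_SESSION_DENY line; other RT_FLOW lines are skipped."""
    records = []
    for line in text.splitlines():
        match = DENY_RE.search(line)
        if match is None:
            continue
        rec = match.groupdict()
        for key in ("sport", "dport", "proto", "icmp_type"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def denies_by_zone_pair(records):
    """Count denied sessions per (from-zone, to-zone)."""
    return Counter((r["from_zone"], r["to_zone"]) for r in records)


def top_denied_destinations(records, n=3):
    """Most frequently denied (destination, protocol, port) tuples."""
    return Counter((r["dst"], r["proto"], r["dport"]) for r in records).most_common(n)


def possible_port_scans(records, min_ports=5):
    """Sources denied to at least min_ports distinct TCP/UDP ports on one host.
    ICMP (protocol 1) carries no ports and is excluded."""
    ports = defaultdict(set)
    for r in records:
        if r["proto"] in (6, 17):
            ports[(r["src"], r["dst"])].add(r["dport"])
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    recs = parse_deny_lines(SAMPLE_LOG)
    print(f"{len(recs)} denied sessions")
    for (src_zone, dst_zone), count in denies_by_zone_pair(recs).items():
        print(f"  {src_zone} -> {dst_zone}: {count}")
    for (src, dst), hit_ports in possible_port_scans(recs).items():
        print(f"  possible scan {src} -> {dst} on ports {hit_ports}")
```

Run it against a file of real syslog output by reading the file into the string instead of SAMPLE_LOG; a zone pair you expected to see that is missing from the denies_by_zone_pair count is the quickest sign that the wildcard did not reach it.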

I hope this has been a useful explanation.

Thanks for reading.

Rich

Follow Rich on Twitter

Junos Basics – Securing J-Web Access On Juniper EX Series Switches

In my previous Junos Basics post I covered automatic configuration archiving. In this post we’ll step through a solution to prevent unauthorised access to the J-Web GUI on EX Series switches. This solution could be modified to also restrict access on other management ports such as SSH and SNMP.

First of all we need to define our list of hosts that are allowed to access the switch via J-Web:

set policy-options prefix-list NetManagement 10.0.0.1/32
set policy-options prefix-list NetManagement 10.0.0.2/32
set policy-options prefix-list NetManagement 192.168.10.2/32
set policy-options prefix-list NetManagement 172.16.3.6/32

Next, we create a firewall filter. Terms are evaluated top to bottom and the first match wins, so the order below matters. The filter:

  • first, accepts connections on any service from addresses on the NetManagement prefix list
  • then, discards all other HTTPS traffic
  • finally, accepts all other traffic (without this term the filter ends in an implicit discard, which on the loopback would drop everything else sent to the routing engine, routing protocols included)

This assumes J-Web is only listening on HTTPS (system services web-management https). If web-management http is also enabled, either remove it or add a term that discards port 80 as well. Adding ‘from protocol tcp’ to the discard term is also worth doing, so the port match is only evaluated against TCP.

Here’s the code for this:

set firewall family inet filter J-Web term AllowedIPAnyService from source-prefix-list NetManagement
set firewall family inet filter J-Web term AllowedIPAnyService then accept
set firewall family inet filter J-Web term BlockOtherHTTPS from destination-port https
set firewall family inet filter J-Web term BlockOtherHTTPS then discard
set firewall family inet filter J-Web term default then accept

Finally, apply the filter inbound on the loopback interface. A filter applied as input on lo0 of a Juniper device is evaluated against all traffic destined for the routing engine, including packets addressed to a physical interface rather than the loopback itself, which is what makes lo0 the right place for a management-plane filter. Because the last term accepts, nothing other than HTTPS is affected. If you extend the filter to SSH, make sure the address you are connected from is on the prefix list before committing, and use ‘commit confirmed’ so a mistake rolls itself back rather than locking you out:

set interfaces lo0 unit 0 family inet filter input J-Web
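The post notes that the same approach extends to SSH and SNMP. The following is an added example, not the post's own configuration: a small generator that emits the set commands for the prefix list, one discard term per protected service (HTTPS, SSH and SNMP here, each with a protocol match) and the lo0 binding, and refuses to emit anything if the address you are administering from is not on the allow list, since that is the mistake that locks you out. The hosts, the filter name ‘Mgmt’ and the service table are constructed for this example.

```python
"""Generate the Junos set commands for a management-access filter on lo0.

Added example; not the post's own configuration. It generalises the J-Web
filter to a list of management services and adds two guards before a commit:
every prefix must be a valid network, and the admin's own source address must
be covered by the allow list.
"""
import ipaddress

# Constructed inputs for this example; substitute your own management hosts.
MANAGEMENT_HOSTS = ["10.0.0.1/32", "10.0.0.2/32", "192.168.10.2/32"]

# Service name -> (protocol, Junos destination-port name). Matching on the
# protocol as well means the port match is only evaluated against that protocol.
PROTECTED_SERVICES = {
    "https": ("tcp", "https"),
    "ssh": ("tcp", "ssh"),
    "snmp": ("udp", "snmp"),
}


def management_filter(hosts, admin_source, prefix_list="NetManagement",
                      filter_name="Mgmt", services=PROTECTED_SERVICES):
    """Return the set commands for the prefix list, the filter and its lo0 binding.

    Raises ValueError for a malformed prefix (host bits set, bad syntax) or when
    admin_source is not inside any allowed prefix.
    """
    networks = [ipaddress.ip_network(h) for h in hosts]  # strict: rejects 10.0.0.1/24
    if not any(ipaddress.ip_address(admin_source) in n for n in networks):
        raise ValueError(f"{admin_source} is not covered by the allow list; "
                         "committing this filter would lock you out")

    cmds = [f"set policy-options prefix-list {prefix_list} {n}" for n in networks]
    base = f"set firewall family inet filter {filter_name}"
    # Term order matters: Junos evaluates terms top to bottom and the first
    # match wins, so the allow term must precede every block term.
    cmds += [f"{base} term AllowedIPAnyService from source-prefix-list {prefix_list}",
             f"{base} term AllowedIPAnyService then accept"]
    for name, (proto, port) in services.items():
        term = f"BlockOther{name.upper()}"
        cmds += [f"{base} term {term} from protocol {proto}",
                 f"{base} term {term} from destination-port {port}",
                 f"{base} term {term} then discard"]
    # Explicit final accept: a filter ends in an implicit discard, which on lo0
    # would drop routing protocols and everything else destined to the RE.
    cmds.append(f"{base} term default then accept")
    cmds.append(f"set interfaces lo0 unit 0 family inet filter input {filter_name}")
    return cmds


if __name__ == "__main__":
    print("\n".join(management_filter(MANAGEMENT_HOSTS, admin_source="10.0.0.1")))
```

Paste the output into configuration mode and commit with ‘commit confirmed’; the admin_source check catches the common slip of protecting SSH from a list that does not include the jump host you are on.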

I hope this has been a useful explanation.

Thanks for reading.

Rich
