06-21-2012 05:51 PM
Is there a way to automatically create a security policy from a management security zone to all other security zones? I tried to do it with the groups config below, but the policy won't appear after I commit it:
global-policy {
    security {
        policies {
            from-zone MGMT to-zone <*> {
                policy allow-mgmt {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
    }
}
06-21-2012 06:00 PM
By definition and design the management zone is a functional zone type that does NOT allow transit traffic. This is a way to have additional interfaces besides any built in out-of-band interface also be out-of-band.
This section from the JNCIS-SEC study guide volume 1 - chapter 2 -page 4 outlines the definitions. You can download free copies from the Fast Track.
https://learningportal.juniper.net/juniper/user_fa
Functional Zones: Functional zones are special-purpose zones that cannot be specified in security policies. Note that transit traffic does not use functional zones. While the fxp0 management ethernet interface is out-of-band by default, the Management Zone allows you to assign other network interfaces the same behavior of isolating management traffic from transit traffic.
06-22-2012 01:32 AM
06-22-2012 02:10 PM
I think I understand what you're trying to do, but I don't think that's how GROUP inheritance works in Junos. Here is a short explanation of what I understand groups to be.
I assume from your configuration that you made a GROUP called "global-policy" with those parameters.
Groups aren't used in the actual configuration. They are like defining a variable (like $policy = blah blah blah in other scripting languages).
So with your configuration, to actually use it you'll have to actually do
set security policies from-zone MGMT to-zone X apply-groups global-policy
where X is any zone. Now, this doesn't mean it'll apply to EVERY zone. You said you have 30 zones, so said if they are zone1 through zone30 you have to do
set security policies from-zone MGMT to-zone zone1 apply-groups global-policy
set security policies from-zone MGMT to-zone zone2 apply-groups global-policy
set security policies from-zone MGMT to-zone zone3 apply-groups global-policy
etc. for all 30 zones. This is how groups work from my understanding. And to check if it actually worked you'll use
show security policies | display inheritance
This should show you if each policy inherited the right configuration.
What you want to do though I am not sure of an easy way, maybe you could try using group AND wildcard range operation such as:
wildcard range set security policies from-zone MGMT to-zone zone[1-30] apply-groups global-policy
This, in theory would apply that policy to all 30 zones...
OR what you can do is just put EVERY SINGLE interface in the MGMT zone, and DENY ALL host-inbound traffic and allow only on certain interfaces....
maybe someone else has a better solution...
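Since the thread says each destination zone needs its own apply-groups line, and a wildcard range only helps with sequential names, here is an added example (not from the thread or from Juniper) that generates those lines for every security zone found in `display set` output, whatever the zone names are. It assumes the group name global-policy and the source zone MGMT from the original post; the zone list is constructed sample output.

```python
"""Generate per-zone apply-groups commands for a Junos group-based policy.

Added example, not from the thread. Assumes the group name "global-policy"
and the source zone "MGMT" from the original post; the text below is
constructed sample output of `show configuration security zones | display set`.
"""
import re

# Constructed sample: only the "security-zone <name>" tokens matter here.
SAMPLE_DISPLAY_SET = """\
set security zones functional-zone management interfaces ge-0/0/0.0
set security zones security-zone MGMT interfaces ge-0/0/1.0
set security zones security-zone MGMT host-inbound-traffic system-services ssh
set security zones security-zone trust interfaces ge-0/0/2.0
set security zones security-zone dmz-web interfaces ge-0/0/3.0
set security zones security-zone dmz-web interfaces ge-0/0/4.0
set security zones security-zone guest-wifi interfaces reth1.0
"""

ZONE_RE = re.compile(r"^set security zones security-zone (\S+)\b")


def security_zones(display_set_text):
    """Return the unique security-zone names in first-seen order.

    Functional zones (the management zone) are skipped on purpose: as the
    study guide quote above says, they cannot appear in security policies.
    """
    seen = []
    for line in display_set_text.splitlines():
        m = ZONE_RE.match(line.strip())
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def apply_group_commands(zones, from_zone="MGMT", group="global-policy"):
    """One apply-groups set command per destination zone, which is what the
    thread says Junos requires (no wildcard in the apply-groups path)."""
    return [
        f"set security policies from-zone {from_zone} to-zone {z} apply-groups {group}"
        for z in zones
        if z != from_zone  # intra-zone MGMT traffic is not the goal here
    ]


if __name__ == "__main__":
    for cmd in apply_group_commands(security_zones(SAMPLE_DISPLAY_SET)):
        print(cmd)
    # Paste the output into configure mode, then verify with:
    #   show security policies | display inheritance
```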
06-23-2012 02:53 PM
Interesting. I think something like this should work, but can't try right now:
set group policy-template security policy from-zone management to-zone <*> policy policy .... (writepolicy)
set security policy apply-group policy-template
You can check with show security policy | display inheritance
06-25-2012 07:58 AM
Screenie wrote: Interesting. I think something like this should work, but can't try right now:
set group policy-template security policy from-zone management to-zone <*> policy policy .... (writepolicy)
set security policy apply-group policy-template
You can check with show security policy | display inheritance
I actually tried that before and it didn't work for me. I had to make the config all the way to from-zone to actually get it to inherit.
06-29-2012 05:51 PM - edited 06-29-2012 06:04 PM
The wildcard range command was only recently added in JUNOS 12.1. I'm running 11.4 at the moment. I don't think it would have helped though since all of our security zones have unique non-sequential names.
I ended up manually creating security policies from our MGMT zone to every other zone. The other option was using global policies which would have worked. However, you can't use security zone address books and global address books together so I would have had to either a) convert all of my security zone address books to global policy address books and recreate all of my policies as global policies or b) allow all traffic between all zones.
06-29-2012 06:21 PM
twei214 wrote:
Screenie wrote: Interesting. I think something like this should work, but can't try right now:
set group policy-template security policy from-zone management to-zone <*> policy policy .... (writepolicy)
set security policy apply-group policy-template
You can check with show security policy | display inheritance
I actually tried that before and it didn't work for me. I had to make the config all the way to from-zone to actually get it to inherit.
Yep. This was disappointing to find out.
07-04-2012 02:37 AM
Hi all
I have this configured on an SRX cluster running 11.2. Typically I have
user@srx-cluster-node0> show configuration groups DHCP-INFORMS
security {
    policies {
        from-zone <*> to-zone dhcp-server-zone {
            policy dhcp-informs {
                match {
                    source-address any;
                    destination-address dhcp-servers;
                    application junos-dhcp-server;
                }
                then {
                    permit;
                }
            }
        }
    }
}
Then the group is applied to various zones as below:
set security policies from-zone GUEST to-zone dhcp-server-zone apply-groups DHCP-INFORMS
This results in the security policy below:
user@srx-cluster-node0> show security policies from-zone GUEST to-zone dhcp-server-zone
node0:
--------------------------------------------------
Policy: dhcp-informs, State: enabled, Index: 76, Scope Policy: 0, Sequence number: 2
  Source addresses: any
  Destination addresses: dhcp-servers
  Applications: junos-dhcp-server
  Action: permit
However, there are limitations. Doing this gives you no control over where in the policy order these rules get inserted. They seem to be inserted at the end of the policy, which may not be ideal.