SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  How to Create a Global Firewall Policy on Juniper SRX

    Posted 12-07-2011 00:28

    SRX firewalls use the concept of security zones. The default policy is DENY ALL, so you have to create policies between zones in order to let transit traffic pass. However, sometimes you need to open or deny something between all zones, regardless of their source or destination zones. For example, a while ago one of my customers wanted me to open ping between all zones for troubleshooting and connectivity testing. There were more than 20 zones; I'm not good at mathematics, but I had to write something like 190 policies (not considering intra-zone policies). Back in ScreenOS there was something called a global policy, but we don't have anything like that in JUNOS, so what is the solution?

    SOLUTION:

    The solution is group configuration. Let's go back to my example about pinging; the following config opens ping between all zones:

    [edit groups]
    Username@FW01-SRX1400# show
    Global-Ping-Policy {
        security {
            policies {
                from-zone <*> to-zone <*> {
                    policy PingForAll {
                        match {
                            source-address any;
                            destination-address any;
                            application junos-ping;
                        }
                        then {
                            permit;
                        }
                    }
                }
            }
        }
    }

    And this is how to apply it:

    [edit security policies]
    Username@FW01-SRX1400# show
    apply-groups Global-Ping-Policy;

    All you need now is to commit the configuration.

    Good luck



  • 2.  RE: How to Create a Global Firewall Policy on Juniper SRX
    Best Answer

    Posted 12-08-2011 03:03

    This is very nice. Junos 11.2 does support global rules, btw 🙂



  • 3.  RE: How to Create a Global Firewall Policy on Juniper SRX

    Posted 12-08-2011 03:27

    Yeah, I didn't know that it started in 11.2, but I've seen it recently in the 11.4 feature support. But you know, since Juniper TAC is still recommending 10.4R7.5, some people, including me, don't install non-recommended OS versions on serious, big production devices.

     

    Thanks for your info, and I don't have to edit my post for that, kaz you've already put it there. 😉

     

    Take care



  • 4.  RE: How to Create a Global Firewall Policy on Juniper SRX

    Posted 12-13-2011 23:52

    Hi,

     

    Just a note - it works only for already created policies.

    If you have a policy with some rules from Trust to Untrust, but don't have a policy from Untrust to Trust, then the ping rule won't be created from Untrust to Trust.

     

    Regards,

    Mateusz Grzesiak



  • 5.  RE: How to Create a Global Firewall Policy on Juniper SRX

    Posted 12-14-2011 07:57

    @Makak wrote:

    Hi,

    Just a note - it works only for already created policies.

    If you have a policy with some rules from Trust to Untrust, but don't have a policy from Untrust to Trust, then the ping rule won't be created from Untrust to Trust.

    Regards,
    Mateusz Grzesiak



    Yes of course, thank you for specifically noting this. The other note is that this policy will be added to the end of the policy list. I haven't tested it yet, but obviously if we have some deny policy in between (for example to open some stuff for some guys and deny everything else), the ping policy won't work.

     

    Thanks again for your note 🙂



  • 6.  RE: How to Create a Global Firewall Policy on Juniper SRX

    Posted 12-14-2011 09:52

    By the way, this same technique can be used to apply things like logging and counting to all existing rules. Doing that here works like a charm.

     

    Anyone willing to upgrade to Junos 11.2+ will have a new feature called global policies, which makes it somewhat easier to define global policies.
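    The logging-and-counting variant mentioned in the reply above, written out as an added example (not configuration posted by anyone in this thread): a wildcard policy name inside the group makes every policy in every existing zone pair inherit session logging and a counter. The group name Global-Logging and the zone pair used in the check below are assumptions.

```junos
[edit groups]
Global-Logging {
    security {
        policies {
            from-zone <*> to-zone <*> {
                policy <*> {
                    then {
                        log {
                            session-init;
                            session-close;
                        }
                        count;
                    }
                }
            }
        }
    }
}

[edit security policies]
apply-groups Global-Logging;
```

    Groups only merge into configuration that already exists, so verify each zone pair in configuration mode with `show security policies from-zone trust to-zone untrust | display inheritance`: policies that show the inherited log and count lines are covered, while a zone pair with no policies of its own stays untouched.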