SRX Services Gateway
Contributor
Youness
Posts: 40
Registered: 12-06-2011
Accepted Solution

How to Create a Global Firewall Policy on Juniper SRX


SRX firewalls use the concept of security zones; the default policy is DENY ALL, so you have to create policies between zones in order to let transit traffic pass. However, sometimes you need to open or deny something between all zones, regardless of their source or destination zones. For example, a while ago one of my customers wanted me to open ping between all zones for troubleshooting and connectivity testing. There were more than 20 zones; I'm not good at mathematics, but I had to write something like 190 policies (not considering intra-zone policies). Back in ScreenOS there was something called a global policy, but we don't have anything like that in JUNOS, so what is the solution?

SOLUTION:

The solution is group configuration. Let's go back to my example about pinging; the following config opens ping between all zones:

[edit groups]
Username@FW01-SRX1400# show
Global-Ping-Policy {
    security {
        policies {
            from-zone <*> to-zone <*> {
                policy PingForAll {
                    match {
                        source-address any;
                        destination-address any;
                        application junos-ping;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
    }
}

 

And this is how to apply it:

[edit security policies]
Username@FW01-SRX1400# show
apply-groups Global-Ping-Policy;

All you need now is to commit the configuration.

Good luck


Super Contributor
cryptochrome
Posts: 498
Registered: 03-29-2008

Re: How to Create a Global Firewall Policy on Juniper SRX

This is very nice. Junos 11.2 does support global rules, btw :-)

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
Contributor
Youness
Posts: 40
Registered: 12-06-2011

Re: How to Create a Global Firewall Policy on Juniper SRX


Yeah, I didn't know that it started in 11.2, but I've seen it recently in the 11.4 feature support; but you know, since Juniper TAC is still recommending 10.4R7.5, some people, including me, don't install non-recommended OS versions on serious big production devices.

 

Thanks for your info, and I don't have to edit my post for that, because you've already put it there. ;)

 

Take care

Contributor
Makak
Posts: 33
Registered: 05-13-2008

Re: How to Create a Global Firewall Policy on Juniper SRX

Hi,

 

Just a note: it works only for already created policies.

If you have a policy with some rules from Trust to Untrust, but don't have a policy from Untrust to Trust, then the ping rule won't be created from Untrust to Trust.

 

Regards,

Mateusz Grzesiak

Contributor
Youness
Posts: 40
Registered: 12-06-2011

Re: How to Create a Global Firewall Policy on Juniper SRX

Makak wrote:

Hi,

 

Just a note: it works only for already created policies.

If you have a policy with some rules from Trust to Untrust, but don't have a policy from Untrust to Trust, then the ping rule won't be created from Untrust to Trust.

 

Regards,

Mateusz Grzesiak



Yes, of course, thank you for specifically noting this. The other note is that this policy will be added to the end of the policy list. I didn't test it yet, but obviously if we have some deny policy in between (for example, to open some stuff for some guys and deny everything else), the ping policy won't work.

 

Thanks again for your note :)

Super Contributor
cryptochrome
Posts: 498
Registered: 03-29-2008

Re: How to Create a Global Firewall Policy on Juniper SRX

By the way, this same technique can be used to apply things like logging and counting to all existing rules. Doing that here works like a charm.

 

Anyone willing to upgrade to Junos 11.2+ will have a new feature called global policies, which makes it somewhat easier to define global policies.

Twitter: @cryptochrome
--------------------------------
plus.google.com/11635909860
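The following is an added Junos configuration example, written for this page and not taken from any post in the thread. It pulls together three points raised above: the same group/wildcard trick used for Global-Ping-Policy, applied to session logging and counting on every existing policy (cryptochrome's note); the "display inheritance" check that shows which zone pairs actually received an inherited policy (Makak's caveat: a zone pair with no policies of its own gets nothing, and Youness's caveat: inherited policies land at the end of each zone pair's list, after any deny that precedes them); and the native global policy hierarchy available from Junos 11.2, which Junos evaluates only after no zone-pair policy has matched, so an earlier deny in a zone pair still wins. The group name Global-Log-Count is made up for this example; the prompt and device name are copied from the original post; the comments are Junos /* */ annotations.

```junos
/* 1. Add session logging and a hit counter to every policy in every existing
      zone pair. The nested <*> wildcards expand only into from-zone/to-zone
      contexts and policies that already exist in the configuration. */
[edit groups]
Username@FW01-SRX1400# show
Global-Log-Count {
    security {
        policies {
            from-zone <*> to-zone <*> {
                policy <*> {
                    then {
                        log {
                            session-init;
                            session-close;
                        }
                        count;
                    }
                }
            }
        }
    }
}

[edit security policies]
Username@FW01-SRX1400# set apply-groups Global-Log-Count

/* 2. Before committing, look at what the wildcards expanded into. Inherited
      statements are annotated with the group they came from; a zone pair with
      no policies of its own will not show an inherited PingForAll at all, and
      an inherited policy appears after the zone pair's own policies. */
[edit]
Username@FW01-SRX1400# show security policies | display inheritance

/* 3. Junos 11.2 and later: the same intent as a native global policy. It is
      evaluated after the zone-pair policies, so a deny in a zone pair still
      takes precedence; unlike the group trick, it also covers zone pairs that
      have no policies of their own. */
[edit security policies]
Username@FW01-SRX1400# show global
policy PingForAll {
    match {
        source-address any;
        destination-address any;
        application junos-ping;
    }
    then {
        permit;
    }
}
```

If the inheritance listing shows PingForAll sitting behind a catch-all deny in some zone pair, the group mechanism cannot reorder it for you: either add the ping policy explicitly in that zone pair and place it before the deny, or move to the global policy hierarchy on a release that supports it.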