SRX Services Gateway
Reply
Regular Visitor
chekorn
Posts: 1
Registered: ‎01-31-2011
0

Policy statistics by address set member

Hi All,

 

We've recently installed our first pair of SRX firewalls in the organization and we've run into a bit of a reporting snag.  As mandated by our security policy we do monthly policy reviews to look for any permitted connections that haven't been used and clean them up if necessary.

 

We've configured all of our policies with the count feature, however, the statistics reported seam to apply for the entire policy rather than the individual elements of that policy. 

 

For example, we have a policy where the source address match is an address set that includes 12 individual addresses.  When I view the count statistics for this policy it doesn't give me a break down of each address that has registered a policy lookup hit but rather an overall number of policy lookups.

 

I've looked through the KB and can't find anything other than the standard "show security policy policy-name policyname detail" command and a few scripts that clean up the output a little bit.  Does anyone out there know of any way of extracting statistics for the 12 individual addresses short of creating 12 separate policies with the count feature enabled?

 

Thanks in advance,

Jeremy

Visitor
New User
Posts: 3
Registered: ‎04-20-2012
0

Re: Policy statistics by address set member

[ Edited ]

Hello Chekorn,

 

Looks like you are talking about "Policy Stats" as described in "JunOS Security" book Chapter 4.4 Safari

Please be aware there is limited number of policies you can enable this "then count" option. 

It is seems there is a new SRX feature in 12.1 called "hit-count tracking". Details available in release notes

Please note JunOS 10.4 is currently recommended by JTac to run in production environment. It could be that 12.1 is highly unstable.

 

You will be able to use "show security policies hit-count" to check the stats after 12.1 upgrade.

 

I would highly recommend consider using Tufin, Firemon or AlgoSec for you audit task. It will save you time dramatically. Tufin Juniper firewall analysis is based on Syslog messages passing (you will need to feed syslog to Tufin) and there is no LSYS support on Tufin today. I hope once 12.1 got more exposed Tufin will add "hit-count tracking" support.

 

Regards,

 

P.S. Anyone know limits for pre 12.1 "then count" option for each SRX model? it is seems high end platforms has support for 1024 policy counters.

Contributor
ecables
Posts: 39
Registered: ‎07-25-2011
0

Re: Policy statistics by address set member

The hit count feature in 12.1 is still for an entire policy, and does not enumerate the individual elements AFAIK.  This is a major deficiency in the SRX platform, and I've brought this up to my account team in the past.  I suspect that this information exists "under the hood," but it is not visible at this time.  

 

The general response is to use STRM, or a similar tool, but a Cisco ASA can already perform this task on box, for free, and has been able to do so for years.  I can't speak of the other vendors (PAN, Fortinet, etc.), but reporting has been a real annoyance so far.

 

Here's an exercise, try generating a report that shows all of the rules for a given IP address or subnet.  At this time the underlying IP information is not enumerated in a 'show security policy' output, so you either have to know the address-book entry name, or be very tedious in your approach.  In Cisco's world you simply type 'show access-list | include 1.2.3.4" and the underlying IP details of every object-group is enumerated in the output, in addition to the object-group name.  Juniper's answer is to use SLAX scripts that are poorly maintained, and lack feature parity with the publicly released Junos versions (no global policy support, for example).

 

I digress...

Visitor
New User
Posts: 3
Registered: ‎04-20-2012
0

Re: Policy statistics by address set member

[ Edited ]

You are right, looks like there is no breakdown for complex address books, while Cisco ASA maintaining stats for each Object-Group member. As a possible workaround you can use flat address book (with no grouping)

 

How many firewalls you are maintaining? Have you ever tried Tufin or alike? Average cost is about $1000 per firewall (each box or virtual context). Go on, download and setup trial. It will take you 1 hour at most. There is new VM version you can kick start with single click.

 

Do some research if you want on other vendors - http://www.google.co.uk/search?q=tufin+algosec+firemon

Here is good article comparing all main players http://www.ashimmy.com/2011/02/network-security-managementa-snapshot.html 

 

Command reference for "show security policies" link

Contributor
ecables
Posts: 39
Registered: ‎07-25-2011
0

Re: Policy statistics by address set member

Would these be alternatives to Junos Space + SD and NSM, or something else entirely? 

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.