04-12-2012 03:06 PM
We've recently installed our first pair of SRX firewalls in the organization and we've run into a bit of a reporting snag. As mandated by our security policy we do monthly policy reviews to look for any permitted connections that haven't been used and clean them up if necessary.
We've configured all of our policies with the count feature, however, the statistics reported seam to apply for the entire policy rather than the individual elements of that policy.
For example, we have a policy where the source address match is an address set that includes 12 individual addresses. When I view the count statistics for this policy it doesn't give me a break down of each address that has registered a policy lookup hit but rather an overall number of policy lookups.
I've looked through the KB and can't find anything other than the standard "show security policy policy-name policyname detail" command and a few scripts that clean up the output a little bit. Does anyone out there know of any way of extracting statistics for the 12 individual addresses short of creating 12 separate policies with the count feature enabled?
Thanks in advance,
05-08-2012 07:33 PM - edited 05-08-2012 07:34 PM
Looks like you are talking about "Policy Stats" as described in "JunOS Security" book Chapter 4.4 Safari
Please be aware there is limited number of policies you can enable this "then count" option.
It is seems there is a new SRX feature in 12.1 called "hit-count tracking". Details available in release notes
Please note JunOS 10.4 is currently recommended by JTac to run in production environment. It could be that 12.1 is highly unstable.
You will be able to use "show security policies hit-count" to check the stats after 12.1 upgrade.
I would highly recommend consider using Tufin, Firemon or AlgoSec for you audit task. It will save you time dramatically. Tufin Juniper firewall analysis is based on Syslog messages passing (you will need to feed syslog to Tufin) and there is no LSYS support on Tufin today. I hope once 12.1 got more exposed Tufin will add "hit-count tracking" support.
P.S. Anyone know limits for pre 12.1 "then count" option for each SRX model? it is seems high end platforms has support for 1024 policy counters.
05-09-2012 10:48 PM
The hit count feature in 12.1 is still for an entire policy, and does not enumerate the individual elements AFAIK. This is a major deficiency in the SRX platform, and I've brought this up to my account team in the past. I suspect that this information exists "under the hood," but it is not visible at this time.
The general response is to use STRM, or a similar tool, but a Cisco ASA can already perform this task on box, for free, and has been able to do so for years. I can't speak of the other vendors (PAN, Fortinet, etc.), but reporting has been a real annoyance so far.
Here's an exercise, try generating a report that shows all of the rules for a given IP address or subnet. At this time the underlying IP information is not enumerated in a 'show security policy' output, so you either have to know the address-book entry name, or be very tedious in your approach. In Cisco's world you simply type 'show access-list | include 18.104.22.168" and the underlying IP details of every object-group is enumerated in the output, in addition to the object-group name. Juniper's answer is to use SLAX scripts that are poorly maintained, and lack feature parity with the publicly released Junos versions (no global policy support, for example).
05-10-2012 03:05 AM - edited 05-10-2012 03:06 AM
You are right, looks like there is no breakdown for complex address books, while Cisco ASA maintaining stats for each Object-Group member. As a possible workaround you can use flat address book (with no grouping)
How many firewalls you are maintaining? Have you ever tried Tufin or alike? Average cost is about $1000 per firewall (each box or virtual context). Go on, download and setup trial. It will take you 1 hour at most. There is new VM version you can kick start with single click.
Do some research if you want on other vendors - http://www.google.co.uk/search?q=tufin+algosec+fir
Here is good article comparing all main players http://www.ashimmy.com/2011/02/network-security-ma
Command reference for "show security policies" link