SRX
Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX with default-permit security policy, custom app inactivity timeout

    Posted 10-07-2012 22:24

    Hi all,

    This feels like a FAQ but I couldn't find the answer when I went digging.

    [ apologies for not including config snippets - I'm not at work at the moment. ]

    I have a bunch of SRX devices of various types from both the branch and high-end range. We use them mostly as IPsec routers, rather than firewalls, although we are still running in flow mode. All devices are running JUNOS 10.0R4.

    We have a single "permit-all" security policy; as I said, we're not really using the firewalling capabilities.

    There is an application in my network that uses TCP ports 3320 and 3330. I'd like to change the inactivity timeout for this traffic from 30 minutes to something higher.

    I've defined the applications but it doesn't look like JUNOS is matching/classifying the traffic. I can see the flows in the output of "show security flow session ..." and they all start off with an 1800 second timeout.

    Is defining the applications without any policy statements explicitly matching the custom application definitions enough?

    Cheers!



  • 2.  RE: SRX with default-permit security policy, custom app inactivity timeout

    Posted 10-07-2012 22:37

    Hi,

    You can check the default-policy and all policies in your SRX:

    # run show security policies

    # run show security policies | match default

    If it is deny-all you can shift it to permit-all:

    # set security policies default-policy permit-all

    Regards,

    Mohamed



  • 3.  RE: SRX with default-permit security policy, custom app inactivity timeout

    Posted 10-08-2012 14:00

    Hi Mohamed, thanks for replying.

    I'm more interested in applying the inactivity-timeout value to a custom defined application.

    I don't have any security policies defined (other than the default permit-all) so I don't have an opportunity to reference the custom application in a policy term.

    Are you able to comment on that?



  • 4.  RE: SRX with default-permit security policy, custom app inactivity timeout

    Posted 10-09-2012 15:43

    Hi,

    This is where you configure it:

    root@srx# set applications application test inactivity-timeout ?
    Possible completions:
    <timeout> Number of seconds (4 .. 86400)
    never Disables inactivity timeout

    I wouldn't recommend using never but try to set a large/small value as needed.

    Also, try to be on the latest recommended release though you are not using the device as a firewall.

    Hope that helps.



  • 5.  RE: SRX with default-permit security policy, custom app inactivity timeout
    Best Answer

    Posted 10-09-2012 16:26

    Hi Rakesh,

    I appreciate the response but please re-read my post to properly understand the issue.

    I had this in my config:

    user@srx> show configuration applications
    application genesys-cpd {
        protocol tcp;
        destination-port 3320;
        inactivity-timeout 43200;
    }
    application genesys-ocs {
        protocol tcp;
        destination-port 3330;
        inactivity-timeout 43200;
    }

    user@srx> show configuration security policies
    default-policy {
        permit-all;
    }

    Traffic to TCP ports 3320 or 3330 does not inherit the 43,200 second idle timer, so it appears that defining the applications alone is not enough, or I am hitting a bug.

    Sure enough, amending my security policy configuration as follows achieves the desired result:

    user@j6350> show configuration security policies
    from-zone trust to-zone trust {
        policy TEST1 {
            match {
                source-address any;
                destination-address any;
                application [ genesys-cpd genesys-ocs ];
            }
            then {
                permit;
                log {
                    session-init;
                    session-close;
                }
            }
        }
    }
    default-policy {
        permit-all;
    }

    Summary:

    1) Defining the custom application's parameters (e.g. inactivity-timeout) without matching in an explicitly defined security policy does not achieve the desired result.

    2) When using a default-policy that permits all traffic, for custom application parameters to take effect, an explicit policy must be defined. This is not the case for pre-defined/built-in ("junos-*") application definitions.

    3) Further, custom application definitions do not appear in the output of 'request pfe execute target fwdd "show usp app-def [tcp|udp]"', even when matched in an explicit security policy term.

    Cheers.
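Added example, not part of the thread: a small Python check that parses "show security flow session" output and flags sessions to the custom application's ports that still carry a timeout other than the one configured on the application (for instance 1800 seconds because they matched the default-policy rather than an explicit policy). The sample output, session IDs, addresses and the policy name "default-policy-00/2" are constructed for the example.

```python
import re

# Constructed sample of "show security flow session" output (not captured from
# the poster's devices): one header line per session, then an In: and Out: wing.
SAMPLE_OUTPUT = """\
Session ID: 10401, Policy name: TEST1/4, Timeout: 43200, Valid
  In: 192.0.2.10/51234 --> 198.51.100.5/3320;tcp, If: ge-0/0/0.0, Pkts: 12, Bytes: 2100
  Out: 198.51.100.5/3320 --> 192.0.2.10/51234;tcp, If: ge-0/0/1.0, Pkts: 9, Bytes: 1800
Session ID: 10402, Policy name: default-policy-00/2, Timeout: 1800, Valid
  In: 192.0.2.11/51235 --> 198.51.100.5/3330;tcp, If: ge-0/0/0.0, Pkts: 3, Bytes: 400
  Out: 198.51.100.5/3330 --> 192.0.2.11/51235;tcp, If: ge-0/0/1.0, Pkts: 2, Bytes: 300
Session ID: 10403, Policy name: default-policy-00/2, Timeout: 1800, Valid
  In: 192.0.2.12/51236 --> 198.51.100.9/443;tcp, If: ge-0/0/0.0, Pkts: 30, Bytes: 9000
  Out: 198.51.100.9/443 --> 192.0.2.12/51236;tcp, If: ge-0/0/1.0, Pkts: 25, Bytes: 7000
"""

HEADER = re.compile(r"Session ID: (\d+), Policy name: (\S+), Timeout: (\d+)")
IN_WING = re.compile(r"In: \S+ --> \S+/(\d+);(\w+)")


def parse_sessions(text):
    """Return one dict per session: id, policy, timeout, and the In-wing
    destination port and protocol (the side the application definition matches)."""
    sessions, current = [], None
    for line in text.splitlines():
        m = HEADER.search(line)
        if m:
            current = {"id": int(m.group(1)), "policy": m.group(2),
                       "timeout": int(m.group(3))}
            sessions.append(current)
            continue
        m = IN_WING.search(line)
        if m and current is not None:
            current["dport"] = int(m.group(1))
            current["proto"] = m.group(2)
    return sessions


def find_mismatches(sessions, expected):
    """expected maps (proto, dport) -> inactivity-timeout set on the custom
    application. Sessions to those ports whose installed timeout differs are
    returned as (id, policy, actual, expected) so the policy hit is visible."""
    return [(s["id"], s["policy"], s["timeout"], expected[(s.get("proto"), s.get("dport"))])
            for s in sessions
            if (s.get("proto"), s.get("dport")) in expected
            and s["timeout"] != expected[(s.get("proto"), s.get("dport"))]]


# Timeouts from the genesys-cpd / genesys-ocs definitions in the post above.
EXPECTED = {("tcp", 3320): 43200, ("tcp", 3330): 43200}

if __name__ == "__main__":
    for sid, pol, got, want in find_mismatches(parse_sessions(SAMPLE_OUTPUT), EXPECTED):
        print(f"session {sid}: policy {pol}, timeout {got}s, expected {want}s")
```

Session 10402 is reported because it hit the default policy and kept the 1800 second default; session 10401, matched by TEST1, carries the configured 43200.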

     



  • 6.  RE: SRX with default-permit security policy, custom app inactivity timeout

    Posted 10-09-2012 16:29

    Hi,

    Yes, you are right. If the security policy doesn't point to the application, then that application is not invoked, in which case the default timeout values are used.