
Objects in stateful firewall rules on Juniper devices

‎06-19-2019 02:43 AM

Greetings and sorry for my English.


I'm setting stateful firewall rules (ACLs/filters/whatever you call it) on several Juniper SRX3xx appliances running Junos 15.1X49. What I'm actually trying to accomplish is to minimize my future manual labor in case I need to reconfigure some of the rules. On Cisco ASA the answer is simple: use objects instead of actual IP addresses. In case you need to change some server's IP only the object representing it should be changed while all related rules are left intact.


Junos has address books (security address-book ...) which serve a similar purpose, except they aren't applicable (?!) to firewall rules (firewall ... filter ... term ...). It also has prefix lists (policy-options prefix-list ...) which theoretically can be used in firewall rules (firewall ... filter ... term ... from source-prefix-list ...). It's weird to have two sets of objects representing the same IPs, but I can live with that. However, prefix lists seem to be much more than just some object definitions to use elsewhere. Or should I say not the object definitions that I need at all? The topic is sadly pretty unclear in Juniper documentation, which in most other cases is excellent.


So my question is: How does the typical Junos admin organize his firewall rules? Should it be rules with explicit IP addresses, and then you edit them for a few hours when you need to change a single address? Or is it okay to use prefix lists extensively in firewall rules? Or am I missing something, maybe?


Re: Objects in stateful firewall rules on Juniper devices

‎06-19-2019 03:05 AM

Welcome to Junos.


Firewall filters are stateless packet filters.

These make use of prefix lists to store groups, or a name-to-IP-address mapping.


For stateful firewall rules you will be configuring zone to zone security policies.

security > policy > from zone > to zone


Security policies will use address objects and address groups by requirement, you cannot simply add ip addresses.


With address objects you have the choice of putting them all where you note, as global objects.

Or you can create the objects under the zone hierarchy where the object exists. This helps organize the address books and makes cleaner views in the CLI when viewing them.


Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
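Added example (editor's illustration, not code from spuluka's reply or from Juniper): the stateful path described above, in set-style Junos configuration. One address object per host, grouped into an address-set, referenced by zone-to-zone policies; one book is global, one is attached to a zone. Zone names, object names and interfaces are assumed; the addresses are constructed from documentation ranges. The `#` lines are comments for the reader.

```junos
# Added example, not from the thread. Names and addresses are assumed/constructed.

# Global address book: visible from every zone.
set security address-book global address WEB-01 203.0.113.10/32
set security address-book global address WEB-02 203.0.113.11/32
set security address-book global address-set WEB-SERVERS address WEB-01
set security address-book global address-set WEB-SERVERS address WEB-02
# An address object may also be a DNS name rather than a prefix.
set security address-book global address DNS-RESOLVER dns-name resolver.example.net

# Zone-attached address book: only usable by policies involving the zone it is attached to.
set security address-book TRUST-BOOK address ADMIN-NET 192.0.2.0/24
set security address-book TRUST-BOOK attach zone trust

# Zones own interfaces; policies are written from-zone to-zone.
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone dmz interfaces ge-0/0/2.0

# Internet -> DMZ: only HTTP/HTTPS to the web servers, sessions logged on close.
set security policies from-zone untrust to-zone dmz policy ALLOW-WEB match source-address any
set security policies from-zone untrust to-zone dmz policy ALLOW-WEB match destination-address WEB-SERVERS
set security policies from-zone untrust to-zone dmz policy ALLOW-WEB match application [ junos-http junos-https ]
set security policies from-zone untrust to-zone dmz policy ALLOW-WEB then permit
set security policies from-zone untrust to-zone dmz policy ALLOW-WEB then log session-close

# Admin network -> DMZ: SSH only, source taken from the zone-attached book.
set security policies from-zone trust to-zone dmz policy ADMIN-SSH match source-address ADMIN-NET
set security policies from-zone trust to-zone dmz policy ADMIN-SSH match destination-address WEB-SERVERS
set security policies from-zone trust to-zone dmz policy ADMIN-SSH match application junos-ssh
set security policies from-zone trust to-zone dmz policy ADMIN-SSH then permit

# Anything not explicitly permitted is dropped.
set security policies default-policy deny-all

# Later, WEB-01 is re-addressed. Only the object changes; both policies stay untouched.
delete security address-book global address WEB-01
set security address-book global address WEB-01 203.0.113.20/32
```

This is the Cisco-style "change the object, not the rules" workflow the original question asks for: the policies reference WEB-SERVERS and ADMIN-NET by name, so a server move is a two-line change to the address book followed by a commit.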

Re: Objects in stateful firewall rules on Juniper devices

‎06-19-2019 05:07 AM

@spuluka wrote:


Firewall filters are stateless packet filters.


Hm, then I don't understand the concept. I thought that firewall filters track the connection state (e.g. established/finished/closed/...) while security > policy > from zone > to zone is more like a general stateless filter (e.g. don't send any packets from here to there). Am I wrong?

@spuluka wrote:


these make use of prefix lists to store groups or a name to ip address mapping


So it's ok to build your firewall filters based entirely on prefix-lists and to have duplicate address-book and prefix-list entries? Is there any reason behind address-books not being applicable to firewall filters?


Can you also clarify what you mean by "name to ip address mapping"?


Re: Objects in stateful firewall rules on Juniper devices

‎06-19-2019 05:59 AM

Hi,

As I see it, you are looking to configure stateful firewall rules on Juniper SRX series devices. When you say stateful, this implies security policies on the SRX device, for which the usage of address-books is mandatory. Firewall filters on the SRX are stateless, for which prefix-lists can be used or an IP address can be entered directly in the term. Please clarify the requirement.

To add some more info: security policies control the traffic flow from one zone to another zone by defining the kind(s) of traffic permitted from specified IP sources to specified IP destinations at scheduled times, and are flow based. More information at https://www.juniper.net/documentation/en_US/junos/topics/concept/policy-overview.html

Whereas stateless firewall rules are packet based, are linked to the ingress and egress interface, and have the options to either accept, reject or deny.

It's ok to have both address book and prefix list entries for the same IPs, as the usage is different. Address objects used with security policies are more flexible and can have predefined addresses, network prefixes, wildcard addresses and DNS names as part of them. Please refer to the link for a detailed understanding of address objects and their usage at https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-address-books-sets.html

"name to ip address mapping"? -> This just means giving a name to an IP address and using the name instead of the IP address in the firewall rule.
https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/prefix-li...

Hope this information helps.

Thanks,
Pradeep
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!


Re: Objects in stateful firewall rules on Juniper devices

‎06-19-2019 03:15 PM

Yes, firewall filters have no state table, and the name is confusing as a result. These are filters applied to the input or output of an interface and process only packets that cross that queue. There is no state.


Firewall filters date back to the beginnings of Junos and were in place long before any session based firewall existed in the Juniper line.


Only the SRX is able to have a state table and manage flows via security policy. This came from the Juniper acquisition of NetScreen and simply built on the existing model of zone-to-zone policy-based firewalls from ScreenOS.


This is why there are two systems and the differences. Typically only session-based policies are used on the SRX. But firewall filters are an option for more targeted issues or protections in specific cases. The system also gets used for policy-based routing match criteria.


So if you are setting up a session based firewall on the SRX just use the security policy hierarchy and address objects.


Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
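Added example (editor's illustration, not code from spuluka's reply or from Juniper) of the "targeted protection" use of a firewall filter mentioned above: a prefix-list-driven filter on the loopback interface that restricts management access to the device itself. It also shows what "no state table" means in practice: return traffic is approximated by matching TCP header flags, not by tracking connections. Filter, term and prefix-list names are assumed; addresses are constructed from documentation ranges.

```junos
# Added example, not from the thread. Names and addresses are assumed/constructed.

# The prefix-list is the only place the management hosts are spelled out;
# the filter references it by name, so re-addressing a host touches one line.
set policy-options prefix-list MGMT-HOSTS 192.0.2.0/24
set policy-options prefix-list MGMT-HOSTS 198.51.100.10/32

# Management protocols to the routing engine: only from the listed hosts.
set firewall family inet filter PROTECT-RE term allow-mgmt from source-prefix-list MGMT-HOSTS
set firewall family inet filter PROTECT-RE term allow-mgmt from protocol tcp
set firewall family inet filter PROTECT-RE term allow-mgmt from destination-port [ ssh https ]
set firewall family inet filter PROTECT-RE term allow-mgmt then accept

# No session table here: replies to connections the device itself opened are
# let through by checking the ACK/RST bits (tcp-established). That is a
# per-packet header test, not connection tracking, which is the difference
# between a filter and a security policy.
set firewall family inet filter PROTECT-RE term allow-replies from protocol tcp
set firewall family inet filter PROTECT-RE term allow-replies from tcp-established
set firewall family inet filter PROTECT-RE term allow-replies then accept

# Keep basic reachability diagnostics working.
set firewall family inet filter PROTECT-RE term allow-icmp from protocol icmp
set firewall family inet filter PROTECT-RE term allow-icmp then accept

# Everything else destined to the device is logged and silently dropped.
set firewall family inet filter PROTECT-RE term deny-rest then log
set firewall family inet filter PROTECT-RE term deny-rest then discard

# Apply as an input filter on lo0 so it sees traffic addressed to the device.
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
```

Before committing a filter like this, add a term for every protocol the box itself speaks (routing protocols, NTP, DNS, SNMP and so on) ahead of deny-rest, and use `commit confirmed` so a mistake that locks out management reverts on its own.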

Re: Objects in stateful firewall rules on Juniper devices

‎06-29-2019 11:39 AM

In SRX, it is a stateful firewall. Security policy is zone based: from zone ---> to zone.

You can define the interfaces under zones. Regarding the IP, there is an address book you can define either under a zone or globally. The address book is like an object you can associate multiple IPs with and manage them.