SRX Services Gateway

Anyone with good understanding of Unified Security Policies (SRX)

12-11-2019 12:26 PM

I've been looking for a while at using the unified security policies, as they keep releasing compelling features based on them. Not to mention, newer versions of Junos will default to this, and it is required for use in Security Director depending on your Junos version. I just wanted to see if anyone has had any good experience using these new Unified Security Policies (USP).

For example:

  • Applications can be matched as part of your security policy (the traditional application firewall applied as a service to a rule is going away)

  • URL categories as part of your security policy match

  • Multiple IPS policies can be used

However, there seem to be some caveats to using unified policies (USP):

  • If a USP is present in a zone-based policy table, there will be no lookup performed in the global policy table if there is no match. If you utilize the global policy table, this forces you to create all USPs in the global policy table.

  • A mix of traditional and USP changes your policy lookup order. If you have a traditional security policy after a USP, the traditional policy will be matched first.

  • It seems all deny rules must be configured as a USP, or you get into the policy lookup order issue above.

  • Possible potential-match policies where the app hasn't been ID'd yet.

Re: Anyone with good understanding of Unified Security Policies (SRX)

12-11-2019 12:27 PM

Some more thoughts/questions on using USP:

  • I am not sure how I would utilize a restrictive default-allow rule while also maintaining a Deny-All rule beneath it.

    • Currently, in testing, I have had to use a Default Permit rule that matches any-any to any dynamic-application.

      • This then means my Default-Deny rule is never used.

  • Some Application Groups contain apps that have no Default Ports in the signature, therefore you get a nasty commit message.

Below is an example of how I would expect USP to work, but I can't get it working, partly due to the Junos application group "web":

  • deny specific web application categories

  • permit the general web application group

  • default deny everything else

If I try to utilize the Junos "web" application group as below, it gives me commit errors stating that there are applications within the group that do not contain any configured default ports. It asks me to configure a more restrictive application, or services with dynamic-application set to none.

policy global-webCategories-deny {
    match {
        source-address [ XX-site-lab-net-2 vpn-site-net XX-site-lab-net-1 XX-site-dept ];
        destination-address any;
        application junos-defaults;
        dynamic-application [junos:web:proxy junos:web:gaming junos:web:anonymizer junos:web:remote-access junos:web:p2p junos:web:social-networking junos:web:advertisements];
        from-zone [ XX-LAN trust ];
        to-zone untrust;
    }
    then {
        permit {
            application-services {
                idp;
                ssl-proxy {
                    profile-name XX-ssl-inspect-lab;
                }
                utm-policy XX-utm-pol;
                security-intelligence-policy siteATPPolicy;
                advanced-anti-malware-policy siteATPPolicy;
            }
        }
        log {
            session-close;
        }
    }
}
policy global-default-allow-unified {
    match {
        source-address [ XX-site-lab-net-2 vpn-site-net XX-site-lab-net-1 XX-site-dept ];
        destination-address any;
        application junos-defaults;
        dynamic-application junos:web;
        from-zone [ XX-LAN trust ];
        to-zone untrust;
    }
    then {
        permit {
            application-services {
                idp;
                ssl-proxy {
                    profile-name XX-ssl-inspect-lab;
                }
                utm-policy XX-utm-pol;
                security-intelligence-policy siteATPPolicy;
                advanced-anti-malware-policy siteATPPolicy;
            }
        }
        log {
            session-close;
        }
    }
}
policy global-default-deny {
    match {
        source-address any;
        destination-address any;
        application junos-defaults;
        dynamic-application any;
        from-zone any;
        to-zone any;
    }
    then {
        deny;
        log {
            session-init;
        }
    }
}
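An offline check for the caveats this thread raises, added here as an example and not code from the original posts or from Junos: it parses policies in the curly-brace format shown above and flags a traditional policy placed after a unified one (the lookup-order caveat), a deny rule that is not a unified policy, and a policy named "deny" whose action is permit (as with global-webCategories-deny above). The sample configuration, including the legacy-dns-allow policy, is constructed for the example and trimmed to the fields the checks use.

```python
import re

# Constructed sample in the post's curly-brace format, trimmed to the fields the
# checks use; "legacy-dns-allow" is added to show the lookup-order caveat.
SAMPLE_CONFIG = """
policy global-webCategories-deny {
    match { application junos-defaults; dynamic-application [ junos:web:proxy junos:web:gaming ]; }
    then { permit { application-services { idp; } } }
}
policy legacy-dns-allow {
    match { application junos-dns-udp; }
    then { permit; }
}
policy global-default-deny {
    match { application junos-defaults; dynamic-application any; }
    then { deny; }
}
"""

def parse_policies(text):
    """Return [{name, usp, action}] in configured order; usp = has dynamic-application."""
    policies, stack, cur = [], [], None
    # Each match is (statement, terminator) for "stmt {" / "stmt;" or (,,"}") for a close.
    for stmt, term, close in re.findall(r"([^{};]+)([{;])|(})", text):
        if close:
            stack.pop()
            continue
        words = stmt.split()
        if term == "{" and not stack and words[0] == "policy":
            cur = {"name": words[1], "usp": False, "action": None}
            policies.append(cur)
        elif cur and stack and stack[-1] == "match" and words[0] == "dynamic-application":
            cur["usp"] = True  # presence of dynamic-application makes it a unified policy
        elif cur and stack and stack[-1] == "then" and words[0] in ("permit", "deny", "reject"):
            cur["action"] = words[0]
        if term == "{":
            stack.append(words[0])
    return policies

def check_unified_caveats(policies):
    """Flag the ordering, deny-rule and name/action issues discussed in the thread."""
    findings, seen_usp = [], False
    for p in policies:
        if p["usp"]:
            seen_usp = True
        elif seen_usp:
            findings.append(f"{p['name']}: traditional policy after a unified one, so it is matched first")
        if p["action"] in ("deny", "reject") and not p["usp"]:
            findings.append(f"{p['name']}: deny rule is not a unified policy")
        if "deny" in p["name"].lower() and p["action"] == "permit":
            findings.append(f"{p['name']}: named deny but action is permit")
    return findings
```

Running check_unified_caveats(parse_policies(SAMPLE_CONFIG)) reports the permit action on global-webCategories-deny and the legacy-dns-allow policy sitting after a unified one.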