SRX

  • 1.  Both AppID and IDP Signatures on SRX

    Posted 07-22-2014 23:07

    Hi Guys,

     

    I believe these two signature databases are pretty much the same, and that you would typically only need one. Am I right?

     

    If so, what would be the expected behaviour if I had both of them installed on my SRX?

     

    I'm trying to play with and test UTM features, to block file upload/download via file extensions, and it seems not to be working. My UTM session counter is not getting any hits. Below are my config snippets...

     

    So I'm trying to transfer a backup config file I've created, and this is going through, yet my config should not allow this. Are config files created by the "save" command automatically saved with a ".config" extension?

     

    admin@srxA-1> show configuration security utm
    custom-objects {
        filename-extension {
            Deny-extensions {
                value config;
            }
        }
    }
    feature-profile {
        content-filtering {
            profile denied-content {
                block-extension Deny-extensions;
            }
        }
    }
    utm-policy UTM-check {
        content-filtering {
            ftp {
                upload-profile denied-content;
                download-profile denied-content;
            }
        }
    }
    

     and the UTM enabled on the Security Policy as well:

     

    admin@srxA-1> show configuration security policies from-zone Juniper-SV to-zone ACME-SV policy app-service-policy
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit {
            application-services {
                utm-policy UTM-check;
                inactive: application-firewall {
                    rule-set Allowed-services;
                }
            }
        }
        log {
            session-init;
            session-close;
        }
    }
    

     Something also interesting is that if I check that ftp session in detail, I see "Dynamic Application" is UNKNOWN. Could it be that junos:FTP cannot be identified?

     

    admin@srxA-1> show security flow session session-identifier 2792
    Session ID: 2792, Status: Normal
    Flag: 0x400040
    Policy name: Juniper-to-ACME/8
    Source NAT pool: Null, Application: junos-ftp/1
    Dynamic application: junos:UNKNOWN,
    Maximum timeout: 1800, Current timeout: 1718
    Session State: Valid
    Start time: 81546, Duration: 1007
       In: 172.20.101.10/55645 --> 172.20.201.1/21;tcp,
        Interface: fe-0/0/4.101,
        Session token: 0x7, Flag: 0x0x621
        Route: 0xd0010, Gateway: 172.20.101.10, Tunnel: 0
        Port sequence: 0, FIN sequence: 0,
        FIN state: 0,
        Pkts: 9, Bytes: 415
       Out: 172.20.201.1/21 --> 172.20.101.10/55645;tcp,
        Interface: .local..0,
        Session token: 0x2, Flag: 0x0x630
        Route: 0xfffb0006, Gateway: 172.20.201.1, Tunnel: 0
        Port sequence: 0, FIN sequence: 2520512333,
        FIN state: 1,
        Pkts: 8, Bytes: 527
    Total sessions: 1
    

     

    Please let me know if I am missing something... Thanks...

     



  • 2.  RE: Both AppID and IDP Signatures on SRX
    Best Answer

    Posted 07-23-2014 05:31

    Hey All,

     

    Just found the issue. I had another policy which was matching before the UTM policy, so I just re-ordered and made sure the "app-service-policy" is on top so that it matches first.

     

    Now it works perfectly. I can block ftp file transfer based on file extensions....
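    The root cause in the answer above is first-match policy ordering: within a zone pair the SRX walks the policy list top-down, and a policy carrying application-services (here `utm-policy UTM-check`) never fires when an earlier policy already matches the same traffic. The following is an added example, not code from the thread or from Juniper: a small shadowing check over an ordered policy list, plus a helper that mimics the reorder the answer performed. The match criteria of the `Juniper-to-ACME` policy are assumed (the thread only shows that it matched the FTP session); the policy names come from the session output above.

```python
# Added example (not from the thread): detect SRX security policies whose
# utm-policy can never apply because an earlier policy in the same zone pair
# (first match wins) matches at least everything they match.
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Policy:
    name: str
    source: Set[str] = field(default_factory=lambda: {"any"})
    destination: Set[str] = field(default_factory=lambda: {"any"})
    application: Set[str] = field(default_factory=lambda: {"any"})
    utm_policy: Optional[str] = None  # application-services utm-policy, if any


def _covers(earlier: Set[str], later: Set[str]) -> bool:
    """True when every match value of the later policy is also matched by the earlier one."""
    return "any" in earlier or later <= earlier


def shadowed_utm_policies(policies: List[Policy]) -> List[Tuple[str, str]]:
    """Return (utm_policy_name, shadowing_policy_name) pairs.

    Only full coverage is reported; a partial overlap still lets some traffic
    reach the later policy, so it is not a shadow in the sense seen in the thread.
    """
    findings = []
    for i, p in enumerate(policies):
        if p.utm_policy is None:
            continue
        for earlier in policies[:i]:
            if (_covers(earlier.source, p.source)
                    and _covers(earlier.destination, p.destination)
                    and _covers(earlier.application, p.application)):
                findings.append((p.name, earlier.name))
                break  # first shadowing policy is the one that wins
    return findings


def move_before(policies: List[Policy], name: str, before: str) -> List[Policy]:
    """Mimic 'insert security policies ... policy <name> before policy <before>'."""
    moving = next(p for p in policies if p.name == name)
    rest = [p for p in policies if p.name != name]
    idx = next(i for i, p in enumerate(rest) if p.name == before)
    return rest[:idx] + [moving] + rest[idx:]


# Constructed zone-pair policy list modelled on the thread: the permissive policy
# reported in the session output ("Juniper-to-ACME", match criteria assumed) sits
# above the UTM policy, so the UTM policy is never evaluated.
ORIGINAL_ORDER = [
    Policy("Juniper-to-ACME"),
    Policy("app-service-policy", utm_policy="UTM-check"),
]

if __name__ == "__main__":
    print(shadowed_utm_policies(ORIGINAL_ORDER))
    fixed = move_before(ORIGINAL_ORDER, "app-service-policy", "Juniper-to-ACME")
    print([p.name for p in fixed], shadowed_utm_policies(fixed))
```

    Running it reports `app-service-policy` as shadowed by `Juniper-to-ACME` in the original order and nothing once the UTM policy is moved to the top.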