SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

Can I use groups to create a security policy from my management zone to every other zone?

  • 1.  Can I use groups to create a security policy from my management zone to every other zone?

    Posted 06-21-2012 17:51

    Is there a way to automatically create a security policy from a management security zone to all other security zones? I tried to do it with the groups config below, but the policy won't appear after I commit it:

     

    global-policy {
        security {
            policies {
                from-zone MGMT to-zone <*> {
                    policy allow-mgmt {
                        match {
                            source-address any;
                            destination-address any;
                            application any;
                        }
                        then {
                            permit;
                        }
                    }
                }
            }
        }
    }

     



  • 2.  RE: Can I use groups to create a security policy from my management zone to every other zone?

    Posted 06-21-2012 18:00

    By definition and design the management zone is a functional zone type that does NOT allow transit traffic.  This is a way to have additional interfaces besides any built in out-of-band interface also be out-of-band.

     

    This section from the JNCIS-SEC study guide, volume 1, chapter 2, page 4, outlines the definitions.  You can download free copies from the Fast Track.


    https://learningportal.juniper.net/juniper/user_fasttrack_home.aspx

     

    Functional Zones
    Functional zones are special-purpose zones that cannot be specified in security policies. Note that transit traffic does not use functional zones. While the fxp0 management ethernet interface is out-of-band by default, the Management Zone allows you to assign other network interfaces the same behavior of isolating management traffic from transit traffic.

     



  • 3.  RE: Can I use groups to create a security policy from my management zone to every other zone?

    Posted 06-22-2012 01:32
    I should have been more clear: the "management zone" is just a regular security zone we created, not a functional one (it's not the trust zone, it has its own name). It doesn't have the fxp0 interface assigned to it. It's a zone that holds our monitoring server so it needs access to servers in the other zones. Since we have about 30 security zones it would be nice to use groups for this if we can get it to work. Rephrased, the question is: Can I use groups to create a security policy from one zone to every other zone?


  • 4.  RE: Can I use groups to create a security policy from my management zone to every other zone?
    Best Answer

    Posted 06-22-2012 14:11

    I think I understand what you're trying to do, but I don't think that's how GROUP inheritance works in Junos. Here is a short explanation of what I understand a group to be.

     

    I assume from your configuration that you made a GROUP called "global-policy" with those parameters.

     

    Groups aren't used in the actual configuration. They are like defining a variable (like $policy = blah blah blah in other scripting languages).

     

    So with your configuration, to actually use it you'll have to actually do

     

    set security policies from-zone MGMT to-zone X apply-groups global-policy

     

    where X is any zone. Now, this doesn't mean it'll apply to EVERY zone. You said you have 30 zones, so say if they are zone1 through zone30 you have to do

     

    set security policies from-zone MGMT to-zone zone1 apply-groups global-policy

    set security policies from-zone MGMT to-zone zone2 apply-groups global-policy

    set security policies from-zone MGMT to-zone zone3 apply-groups global-policy

     

    etc. for all 30 zones. This is how group works from my understanding, and to check if it actually worked you'll use

     

    show security policies | display inheritance

     

    This should show you if each policy inherited the right configuration.

     

    What you want to do, though, I am not sure there is an easy way for; maybe you could try using a group AND the wildcard range operation, such as:

     

    wildcard range set security policies from-zone MGMT to-zone zone[1-30] apply-groups global-policy

     

    This, in theory would apply that policy to all 30 zones...

     

    OR what you can do is just put EVERY SINGLE interface in the MGMT zone, and DENY ALL host-inbound traffic and allow only on certain interfaces....

     

    maybe someone else has a better solution...
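    The per-zone apply-groups statements described above have to be generated one per destination zone, and (as another reply in this thread notes) real zone names are usually unique and non-sequential, so the `wildcard range` shortcut does not help. The script below is an added example, not code from this thread or from Juniper. It assumes a configuration group named "global-policy" already holds the `from-zone MGMT to-zone <*>` policy from the first post, and it takes the zone list from a constructed sample of `show configuration security zones | display set` output rather than from a live device.

```python
"""Generate one apply-groups statement per destination zone for a Junos group.

Added example (not code from the thread or from Juniper). Assumptions:
  - a configuration group "global-policy" already exists and holds the
    `from-zone MGMT to-zone <*>` policy shown in the first post;
  - the zone list comes from `show configuration security zones | display set`
    output, fed in here as a constructed sample string.
The output is one `set security policies from-zone MGMT to-zone <zone>
apply-groups global-policy` line per zone, skipping the management zone
itself, ready to paste into `load set terminal`.
"""
import re

# Constructed sample of `show configuration security zones | display set`
# output: the MGMT zone plus three ordinary zones, some with several lines.
SAMPLE_DISPLAY_SET = """\
set security zones security-zone MGMT interfaces ge-0/0/0.0
set security zones security-zone MGMT host-inbound-traffic system-services ssh
set security zones security-zone web-dmz interfaces ge-0/0/1.0
set security zones security-zone web-dmz address-book address web-01 10.10.1.10/32
set security zones security-zone db-core interfaces ge-0/0/2.0
set security zones security-zone guest-wifi interfaces ge-0/0/3.0
set security zones security-zone db-core screen untrust-screen
"""

# Matches the zone name in a display-set line for a security zone.
ZONE_LINE = re.compile(r"^set security zones security-zone (\S+)")


def zone_names(display_set_output):
    """Return the unique zone names in display-set output, in first-seen order."""
    seen = []
    for line in display_set_output.splitlines():
        match = ZONE_LINE.match(line.strip())
        if match and match.group(1) not in seen:
            seen.append(match.group(1))
    return seen


def apply_group_statements(mgmt_zone, zones, group="global-policy"):
    """Build one apply-groups statement per destination zone, sorted by name.

    The management zone is excluded from the destinations (the group is for
    inter-zone traffic). A management zone that is not in the zone list is
    rejected, since that usually means a typo that would otherwise create
    policies from a zone that does not exist.
    """
    if mgmt_zone not in zones:
        raise ValueError(f"management zone {mgmt_zone!r} not found in zone list")
    return [
        f"set security policies from-zone {mgmt_zone} to-zone {zone} "
        f"apply-groups {group}"
        for zone in sorted(zones)
        if zone != mgmt_zone
    ]


if __name__ == "__main__":
    zones = zone_names(SAMPLE_DISPLAY_SET)
    for statement in apply_group_statements("MGMT", zones):
        print(statement)
```

    After loading the generated statements, `show security policies | display inheritance` (the check suggested in this reply) confirms that each from-zone/to-zone pair actually picked up the group's policy. Regenerate and reload whenever a zone is added, since a new zone gets no inherited policy until its own apply-groups line exists.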



  • 5.  RE: Can I use groups to create a security policy from my management zone to every other zone?

    Posted 06-23-2012 14:53

    Interesting. I think something like this should work, but can't try right now:

     

    set groups policy-template security policies from-zone management to-zone <*> policy policy .... (writepolicy)

     

    set security policies apply-groups policy-template

     

    You can check with show security policies | display inheritance



  • 6.  RE: Can I use groups to create a security policy from my management zone to every other zone?

    Posted 06-25-2012 07:59

    @Screenie wrote:

    Interesting. I think something like this should work, but can't try right now:

     

    set groups policy-template security policies from-zone management to-zone <*> policy policy .... (writepolicy)

     

    set security policies apply-groups policy-template

     

    You can check with show security policies | display inheritance


    I actually tried that before and it didn't work for me. I had to make the config all the way to from-zone to actually get it to inherit.



  • 7.  RE: Can I use groups to create a security policy from my management zone to every other zone?

    Posted 06-29-2012 18:22

    @twei214 wrote:

    @Screenie wrote:

    Interesting. I think something like this should work, but can't try right now:

     

    set groups policy-template security policies from-zone management to-zone <*> policy policy .... (writepolicy)

     

    set security policies apply-groups policy-template

     

    You can check with show security policies | display inheritance


    I actually tried that before and it didn't work for me. I had to make the config all the way to from-zone to actually get it to inherit.


    Yep. This was disappointing to find out.



  • 8.  RE: Can I use groups to create a security policy from my management zone to every other zone?

    Posted 07-04-2012 02:38

    Hi all

     

    I have this configured on an SRX cluster running 11.2.  Typically I have

     

    user@srx-cluster-node0> show configuration groups DHCP-INFORMS
    security {
        policies {
            from-zone <*> to-zone dhcp-server-zone {
                policy dhcp-informs {
                    match {
                        source-address any;
                        destination-address dhcp-servers;
                        application junos-dhcp-server;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
    }

    Then the group is applied to various zones as below:

     

    set security policies from-zone GUEST to-zone dhcp-server-zone apply-groups DHCP-INFORMS

     

    This results in the security policy below:

     

    user@srx-cluster-node0> show security policies from-zone GUEST to-zone dhcp-server-zone
    node0:
    --------------------------------------------------------------------------

    Policy: dhcp-informs, State: enabled, Index: 76, Scope Policy: 0, Sequence number: 2
    Source addresses: any
    Destination addresses: dhcp-servers
    Applications: junos-dhcp-server
    Action: permit

     

     

    However, there are limitations.  Doing this gives you no control over where in the policy order these rules get inserted. They seem to be inserted at the end of the policy, which may not be ideal.



  • 9.  RE: Can I use groups to create a security policy from my management zone to every other zone?

    Posted 01-11-2014 08:04

    Thanks papageno, I had been trying this for quite some time. Is there a way to put this policy at the top?



  • 10.  RE: Can I use groups to create a security policy from my management zone to every other zone?

    Posted 01-13-2014 01:37

    Hi Vipin

     

    I have never found one, but it seems there may be a way to fix the position of the inherited policy in the rulebase, see http://forums.juniper.net/t5/Junos-and-Junosphere/Applying-inherited-policy-rules-before-regular-policy-rules/td-p/217577



    Hope this helps.



  • 11.  RE: Can I use groups to create a security policy from my management zone to every other zone?

    Posted 06-29-2012 17:52

    The wildcard range command was only recently added in JUNOS 12.1. I'm running 11.4 at the moment. I don't think it would have helped though since all of our security zones have unique non-sequential names.

     

    I ended up manually creating security policies from our MGMT zone to every other zone. The other option was using global policies which would have worked. However, you can't use security zone address books and global address books together so I would have had to either a) convert all of my security zone address books to global policy address books and recreate all of my policies as global policies or b) allow all traffic between all zones.