SRX Services Gateway

Security Director doesn't deliver correct schema configuration for SDSN

05-18-2018 07:28 AM

Uff... sometimes Security Director is difficult :-|

Here is my case.

I've updated the DMI schema on Junos Space 17.2R1 in order to perfectly match my vSRX 17.3R1.10.

The problem is that while I'm trying to configure SDSN 17.2R1 via Junos Security Director, it's missing some parameters that Junos requires but Security Director doesn't mention.

 

For example, see below. I tried to configure SDSN manually via the CLI and it works correctly!

After that I synchronized the policy with Security Director, updated the policy and tried to push it.

Specifically, the problem is that it's trying to remove the "match and permit" statements from the advanced-threat-prevention service policy, but as I said, it seems they're required by the system!

Maybe Security Director is right and I should install an old DMI, because the "match and permit statement" was allowed in version 15.x... but this is really strange, BTW.

Any update please?

##Security Policy Settings##
set security policies policy-rematch
##Security Firewall Policy : contact - Server##
delete security policies from-zone contact to-zone Server policy VPN-Client_to_Server then permit application-services 
set security policies from-zone contact to-zone Server policy PolicyEnforcer-Rule1-1 match application junos-dns-udp
set security policies from-zone contact to-zone Server policy PolicyEnforcer-Rule1-1 match destination-address dc_host
set security policies from-zone contact to-zone Server policy PolicyEnforcer-Rule1-1 match destination-address synology_host
set security policies from-zone contact to-zone Server policy PolicyEnforcer-Rule1-1 match source-address Server_Enforcement_Net_10.20.20.1/24
set security policies from-zone contact to-zone Server policy PolicyEnforcer-Rule1-1 then permit application-services advanced-anti-malware-policy SkyATP_DMZ
set security policies from-zone contact to-zone Server policy PolicyEnforcer-Rule1-1 then permit application-services security-intelligence-policy SkyATP_DMZ
##Security Firewall Policy : Server - contact##
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-2 match application junos-dns-udp
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-2 match destination-address any
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-2 match source-address Server_Enforcement_Net_10.20.20.1/24
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-2 then permit application-services advanced-anti-malware-policy SkyATP_DMZ
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-2 then permit application-services security-intelligence-policy SkyATP_DMZ
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-3 match application server-internet_access
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-3 match destination-address any
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-3 match source-address server-net
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-3 then permit application-services advanced-anti-malware-policy SkyATP_DMZ
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-3 then permit application-services idp 
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-3 then permit application-services security-intelligence-policy SkyATP_DMZ
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-3 then permit application-services utm-policy Advance_internet_antivirus
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-4 match application Synology-Torrent
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-4 match application synology_internet
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-4 match destination-address any-ipv4
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-4 match source-address synology_host
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-4 then permit application-services advanced-anti-malware-policy SkyATP_DMZ
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-4 then permit application-services idp 
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-4 then permit application-services security-intelligence-policy SkyATP_DMZ
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-5 match application junos-icmp-ping
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-5 match application junos-snmp-agentx
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-5 match application snmp
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-5 match destination-address any-ipv4
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-5 match source-address phpipam
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-5 then permit application-services advanced-anti-malware-policy SkyATP_DMZ
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-5 then permit application-services security-intelligence-policy SkyATP_DMZ
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-6 match application junos-https
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-6 match application junos-ssh
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-6 match application snmp
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-6 match destination-address fw-edge-inside
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-6 match destination-address EX-Core
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-6 match source-address Junos-SPACE
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-6 match source-address phpipam
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-6 then permit application-services advanced-anti-malware-policy SkyATP_DMZ
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-6 then permit application-services security-intelligence-policy SkyATP_DMZ
##Security Firewall Policy : contact - junos-host##
set security policies from-zone contact to-zone junos-host policy PolicyEnforcer-Rule1-1 match application junos-https
set security policies from-zone contact to-zone junos-host policy PolicyEnforcer-Rule1-1 match application junos-ssh
set security policies from-zone contact to-zone junos-host policy PolicyEnforcer-Rule1-1 match application junos-ping
set security policies from-zone contact to-zone junos-host policy PolicyEnforcer-Rule1-1 match destination-address any
set security policies from-zone contact to-zone junos-host policy PolicyEnforcer-Rule1-1 match source-address Server_Enforcement_Net_10.20.20.1/24
set security policies from-zone contact to-zone junos-host policy PolicyEnforcer-Rule1-1 then permit application-services advanced-anti-malware-policy SkyATP_DMZ
set security policies from-zone contact to-zone junos-host policy PolicyEnforcer-Rule1-1 then permit application-services security-intelligence-policy SkyATP_DMZ
##Security Firewall Policy : Server - junos-host##
set security policies from-zone Server to-zone junos-host policy PolicyEnforcer-Rule1-1 match application junos-icmp-all
set security policies from-zone Server to-zone junos-host policy PolicyEnforcer-Rule1-1 match application junos-ssh
set security policies from-zone Server to-zone junos-host policy PolicyEnforcer-Rule1-1 match application junos-snmp-agentx
set security policies from-zone Server to-zone junos-host policy PolicyEnforcer-Rule1-1 match application snmp
set security policies from-zone Server to-zone junos-host policy PolicyEnforcer-Rule1-1 match destination-address any
set security policies from-zone Server to-zone junos-host policy PolicyEnforcer-Rule1-1 match source-address server-net
set security policies from-zone Server to-zone junos-host policy PolicyEnforcer-Rule1-1 then permit application-services advanced-anti-malware-policy SkyATP_DMZ
set security policies from-zone Server to-zone junos-host policy PolicyEnforcer-Rule1-1 then permit application-services security-intelligence-policy SkyATP_DMZ
##Security Firewall Policy : junos-host - contact##
delete security policies from-zone junos-host to-zone contact policy PolicyEnforcer-Rule1-1 match source-address Block_from_Reagion
set security policies from-zone junos-host to-zone contact policy PolicyEnforcer-Rule1-1 match source-address Server_Enforcement_Net_10.20.20.1/24
delete security policies from-zone junos-host to-zone contact policy PolicyEnforcer-Rule1-1 match destination-address Server_Enforcement_Net_10.20.20.1/24
set security policies from-zone junos-host to-zone contact policy PolicyEnforcer-Rule1-1 match destination-address any
set security policies from-zone junos-host to-zone contact policy PolicyEnforcer-Rule1-1 then permit application-services advanced-anti-malware-policy SkyATP_DMZ
set security policies from-zone junos-host to-zone contact policy PolicyEnforcer-Rule1-1 then permit application-services security-intelligence-policy SkyATP_DMZ
##Security Firewall Policy : junos-host - Server##
set security policies from-zone junos-host to-zone Server policy PolicyEnforcer-Rule1-2 match application any
set security policies from-zone junos-host to-zone Server policy PolicyEnforcer-Rule1-2 match destination-address any
set security policies from-zone junos-host to-zone Server policy PolicyEnforcer-Rule1-2 match source-address Server_Enforcement_Net_10.20.20.1/24
set security policies from-zone junos-host to-zone Server policy PolicyEnforcer-Rule1-2 then permit application-services advanced-anti-malware-policy SkyATP_DMZ
set security policies from-zone junos-host to-zone Server policy PolicyEnforcer-Rule1-2 then permit application-services security-intelligence-policy SkyATP_DMZ
##Security Firewall Policy : contact - junos-host##
insert security policies from-zone contact to-zone junos-host policy PolicyEnforcer-Rule1-1 before policy HQ_mgmt_FW
##Security Firewall Policy : contact - Server##
insert security policies from-zone contact to-zone Server policy PolicyEnforcer-Rule1-1 before policy HQ_to_serverDNS
##Security Firewall Policy : Server - contact##
insert security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-2 before policy DNS-DC_request
insert security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-3 before policy server_internet_access
insert security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-4 before policy synology_internet_access
insert security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-5 before policy Observium_to_HQ
insert security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-6 before policy Space-MGMT
##Security Firewall Policy : Server - junos-host##
insert security policies from-zone Server to-zone junos-host policy PolicyEnforcer-Rule1-1 before policy SNMP-Monitoring
##Security Firewall Policy : junos-host - Server##
insert security policies from-zone junos-host to-zone Server policy vSRX-Server after policy PolicyEnforcer-Rule1-2
##Security Firewall Policy : global ##
set security policies global policy PolicyEnforcer-Rule1-2 match application any
set security policies global policy PolicyEnforcer-Rule1-2 match destination-address any
set security policies global policy PolicyEnforcer-Rule1-2 match source-address Server_Enforcement_Net_10.20.20.1/24
set security policies global policy PolicyEnforcer-Rule1-2 then permit application-services advanced-anti-malware-policy SkyATP_DMZ
set security policies global policy PolicyEnforcer-Rule1-2 then permit application-services security-intelligence-policy SkyATP_DMZ
##Advanced AntiMalware Policy Configurations##
delete services advanced-anti-malware policy SkyATP_DMZ match   (THIS IS NEEDED!!!!)
delete services advanced-anti-malware policy SkyATP_DMZ then  (THIS IS NEEDED!!!!)
delete services advanced-anti-malware policy SkyATP_DMZ inspection-profile 
delete services advanced-anti-malware policy SkyATP_DMZ default-notification 
delete services advanced-anti-malware policy SkyATP_DMZ whitelist-notification 
delete services advanced-anti-malware policy SkyATP_DMZ blacklist-notification 
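As an added example (not from the original post, nor Juniper or Security Director code), a small Python pre-push check that scans a change set like the one above and flags any `delete services advanced-anti-malware policy <name> match|then` whose policy is still attached to a security policy; the sample change set is a constructed excerpt of the lines above, and `SAMPLE_CHANGESET`, `find_risky_deletes` and the regexes are this example's own names.

```python
import re
from typing import Dict, List

# Constructed sample: an excerpt of the kind of change set previewed above.
# Only the lines relevant to the check are kept.
SAMPLE_CHANGESET = """\
set security policies policy-rematch
set security policies from-zone Server to-zone contact policy PolicyEnforcer-Rule1-2 then permit application-services advanced-anti-malware-policy SkyATP_DMZ
set security policies global policy PolicyEnforcer-Rule1-2 then permit application-services advanced-anti-malware-policy SkyATP_DMZ
delete services advanced-anti-malware policy SkyATP_DMZ match   (THIS IS NEEDED!!!!)
delete services advanced-anti-malware policy SkyATP_DMZ then  (THIS IS NEEDED!!!!)
delete services advanced-anti-malware policy SkyATP_DMZ inspection-profile
"""

# A security policy that attaches an advanced-anti-malware policy by name.
AAMW_REF = re.compile(
    r"^set security policies .*application-services advanced-anti-malware-policy (\S+)")
# A delete that removes the policy's 'match' or 'then' stanza (the ones the
# poster found the 17.3R1.10 vSRX still requires).
AAMW_DEL = re.compile(
    r"^delete services advanced-anti-malware policy (\S+) (match|then)\b")


def find_risky_deletes(changeset: str, running_config: str = "") -> Dict[str, List[str]]:
    """Return {aamw_policy: [deleted stanzas]} for every advanced-anti-malware
    policy whose 'match' or 'then' stanza the change set deletes while the
    policy is still referenced, either in the change set itself or in the
    device's running config given as 'show configuration | display set' text."""
    referenced = set()
    deleted: Dict[str, List[str]] = {}
    for line in (running_config + "\n" + changeset).splitlines():
        line = line.strip()
        ref = AAMW_REF.match(line)
        if ref:
            referenced.add(ref.group(1))
            continue
        dele = AAMW_DEL.match(line)
        if dele:
            deleted.setdefault(dele.group(1), []).append(dele.group(2))
    return {name: stanzas for name, stanzas in deleted.items() if name in referenced}


if __name__ == "__main__":
    for name, stanzas in find_risky_deletes(SAMPLE_CHANGESET).items():
        print(f"{name}: change set deletes {'/'.join(stanzas)} but the policy "
              f"is still referenced; review before pushing")
```

Feeding the device's `show configuration | display set` output as `running_config` catches references that exist on the box but are not part of the pushed change set.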


Re: Security Director doesn't deliver correct schema configuration for SDSN

05-28-2018 06:33 AM

Hi,

Bump for this post. We have the same exact problem; we also tried to upgrade to version 18.1 without resolution.

Any ideas or support from Juniper?


Re: Security Director doesn't deliver correct schema configuration for SDSN

06-07-2018 07:25 AM

Hi,

Try to open a ticket with Juniper... I'll update you if you cannot open one.

In my own further analysis I found (maybe) the specific problem.

The problem IS NOT in Security Director... but in the vSRX itself.

Specifically: following the official note from Juniper, from version 15.x the match/then statement is no longer needed.

The problem is that in my case, my 17.x version still seems to require "the old way to configure", as in version 15.x.

So the problem is not in Security Director.

Security Director, with the correct DMI, is correctly trying to configure advanced-threat-prevention without match and then!!

The vSRX is expecting something else! :-\

What vSRX version do you have? Maybe we have the same version:

root@vSRXdmzserver# run show system information
Model: vsrx
Family: junos-es
Junos: 17.3R1.10
Hostname: vSRXdmzserver

My colleagues who have 17.4.X... are not affected by this problem!!! And below:

(my colleague) run show configuration services advanced-anti-malware policy SkyATP_DMZ: he has http and imap parameters...
(in my case):
root@vSRXdmzserver# run show configuration services advanced-anti-malware policy SkyATP_DMZ ?
Possible completions:
<[Enter]> Execute this command
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> blacklist-notification Blacklist notification logging option
> default-notification Default notification logging option
> fallback-options Fallback options for abnormal conditions
inspection-profile Advanced Anti-malware inspection-profile name
> match Policy match conditions
> then
> whitelist-notification Whitelist notification logging option

only match and then... :-|

Re: Security Director doesn't deliver correct schema configuration for SDSN

06-07-2018 11:38 PM

Hi Alfaromeo, and thank you for your feedback.

I can confirm that we're running the same vSRX version, 17.3R1.10.

 

We'll upgrade to 17.4 as soon as possible (to see if this actually resolves the problem) and give you feedback.

Re: Security Director doesn't deliver correct schema configuration for SDSN

06-08-2018 01:19 AM

Tried to upgrade too...

Right now my Junos Space has been trying to upgrade the DMI schema since last night!!!! :-|
So I can't provide you with feedback...
Waiting for it :-)


Re: Security Director doesn't deliver correct schema configuration for SDSN

07-05-2018 07:47 AM

Hi, any news for this thread?

In our case, at this time we are unable to upgrade the vSRX software...


Re: Security Director doesn't deliver correct schema configuration for SDSN

07-08-2018 02:32 AM

No other feedback (at least from my side).

I've just tested upgrading the vSRX and it was working.

I don't know if anyone else has any other news about this.

Regards