vSRX

AWS with Security Director and Metadata filters

‎06-20-2019 06:21 AM

I have been trying to get the vSRX in AWS to use Metadata filters created in Security Director with Policy Enforcer.

I can get SD with PE to retrieve the metadata from AWS and create a Dynamic Address group in the vSRX.

However the vSRX which has the DAG policy does not seem to have any addresses on the local device.

 

Has anyone seen this or know how to fix it?

address-name PolicyRuleDAG1 {
    description "Provider = PE AND Department = Finance";
    profile {
        category IPFilter {
            feed PolicyRuleDAG1;
        }
    }
}

from-zone trust to-zone trust {
    policy vSRX-2-Zone-1 {
        match {
            source-address any;
            destination-address PolicyRuleDAG1;
            application any;
        }
        then {
            deny;
        }
    }
}

lab@vSRX-2# run show security dynamic-address address-name PolicyRuleDAG1

Instance default Total number of matching entries: 0

 

Security Director has the address in the metadata information. I just don't see the vSRX updated with it.

Thanks for your help

Dave W

Re: AWS with Security Director and Metadata filters

‎06-20-2019 06:27 AM

Hi Dave,

 

I ran into a similar issue recently and it is already under investigation.

Can you please share the vSRX version, SD version and Schema Template version you are using?

 

 

Regards,
Gokul

Re: AWS with Security Director and Metadata filters

‎06-20-2019 06:40 AM

I am running 18.4R1 for the vSRX. I am running 19.1R1 for Space, SD and PE.

Dave W

Re: AWS with Security Director and Metadata filters

‎06-20-2019 10:26 PM

I saw it on the latest 15.1 as well as 19.1, so it is possible 18.4 is also hit.

Can you please share the last 10-15 lines of 'ipfd' (/var/log/ipfd)?

 

You may sanitise any confidential data before sharing, or send it to me as a direct message.

Regards,
Gokul

Re: AWS with Security Director and Metadata filters

‎06-21-2019 08:36 AM


Thu Jun 20 12:42:38 2019:pid 14593:0:ipfd_ssam_shutdown pid 14593
Thu Jun 20 12:42:38 2019:pid 14593:0:IPFD-main pid 14593 exit -> config check done
Thu Jun 20 12:42:38 2019:pid 14593:0:ipfd_exit: ret code 0, check_only 1
Thu Jun 20 12:42:38 2019:pid 14593:0:ipfd_fw_destroy pid 14593
Thu Jun 20 12:42:38 2019:pid 14593:0:ipfd_fw_destroy component 0 destroy(1) start
Thu Jun 20 12:42:38 2019:pid 14593:0:da_module_destroy: pid 14593 checkonly 1 new 0x0 active 0x0
Thu Jun 20 12:42:38 2019:pid 14593:0:ipfd_fw_destroy component 0 destroy(1) end
Thu Jun 20 12:42:38 2019:pid 14593:0:ipfd_fw_destroy component 1 destroy(1) start
Thu Jun 20 12:42:38 2019:pid 14593:0:ipfd_fw_destroy component 1 destroy(1) end
Thu Jun 20 12:42:38 2019:pid 14593:0:ipfd_fw_destroy: 2 component destroyed
Thu Jun 20 12:42:38 2019:pid 14593:0:----------------------------------------------
Thu Jun 20 12:42:38 2019:pid 14593:0:

Thu Jun 20 12:42:38 2019:pid 12691:1: pid 12691: SIGHUP-1 SIGTERM-0 SIGUSR1-0 SIGUSR2-0
Thu Jun 20 12:42:38 2019:pid 12691:1:ipfd_fw_parse_config pid 12691 check 0
Thu Jun 20 12:42:38 2019:pid 12691:1:ipfd_fw_config_pre_process pid 12691
Thu Jun 20 12:42:38 2019:pid 12691:1:da_routing_table_dump:
Thu Jun 20 12:42:38 2019:pid 12691:1:Fib-num Fibname
Thu Jun 20 12:42:38 2019:pid 12691:1: 0 MSTI
Thu Jun 20 12:42:38 2019:pid 12691:1: 1 __juniper_private1__.inet
Thu Jun 20 12:42:38 2019:pid 12691:1: 1 __juniper_private1__.inet6
Thu Jun 20 12:42:38 2019:pid 12691:1: 1 __juniper_private1__.vpls
Thu Jun 20 12:42:38 2019:pid 12691:1: 2 __juniper_private2__.inet
Thu Jun 20 12:42:38 2019:pid 12691:1:36735 __juniper_private3__.inet
Thu Jun 20 12:42:38 2019:pid 12691:1:36736 __juniper_private4__.inet
Thu Jun 20 12:42:38 2019:pid 12691:1: 3 __master.anon__.inet
Thu Jun 20 12:42:38 2019:pid 12691:1: 3 __master.anon__.inet6
Thu Jun 20 12:42:38 2019:pid 12691:1: 3 __master.anon__.iso
Thu Jun 20 12:42:38 2019:pid 12691:1: 4 __mpls-oam__.mpls
Thu Jun 20 12:42:38 2019:pid 12691:1: 5 aws.inet
Thu Jun 20 12:42:38 2019:pid 12691:1: 5 aws.inet6
Thu Jun 20 12:42:38 2019:pid 12691:1: 5 aws.iso
Thu Jun 20 12:42:38 2019:pid 12691:1: 0 dhcp-snooping
Thu Jun 20 12:42:38 2019:pid 12691:1: 0 ethernet-switching
Thu Jun 20 12:42:38 2019:pid 12691:1: 0 inet
Thu Jun 20 12:42:38 2019:pid 12691:1: 0 inet6
Thu Jun 20 12:42:38 2019:pid 12691:1: 0 iso
Thu Jun 20 12:42:38 2019:pid 12691:1: 0 mpls
Thu Jun 20 12:42:38 2019:pid 12691:1: 0 vmembers
Thu Jun 20 12:42:38 2019:pid 12691:1:da_lsys_default_fib_table_dump
Thu Jun 20 12:42:38 2019:pid 12691:1:secintel_config_pre_process: implemented in nsd

Thu Jun 20 12:42:38 2019:pid 12691:1:ipfd_fw_config_read pid 12691 check 0
Thu Jun 20 12:42:38 2019:pid 12691:1:ipfd_fw_config_post_process pid 12691
Thu Jun 20 12:42:38 2019:pid 12691:1:secintel_config_post_process: implemented in nsd

Thu Jun 20 12:42:38 2019:pid 12691:1:ipfd_time_capsule_on pid 12691
Thu Jun 20 12:42:38 2019:pid 12691:1:ipfd_fw_config_cleanup_process pid 12691
Thu Jun 20 12:42:38 2019:pid 12691:1:secintel_config_cleanup: implemented in nsd

Dave W

Re: AWS with Security Director and Metadata filters

‎06-21-2019 12:05 PM

Hi - not sure how to reply using the private message system.

Dave W

Re: AWS with Security Director and Metadata filters

‎06-24-2019 02:17 AM

Sorry, I should have been specific.

 

The vSRX generally tries to contact SD every 2 minutes to pull the feed. Please look into IPFD for one such event and share the error.

 

Sample from my lab, when the pull fails:

 

Wed Jun 12 09:03:26 2019:pid 13977:1:da_util_http_download(SD_META360449): download file https://10.219.61.115/sd-feed-server/SD_META360449.gz failed: Unrecognized or bad HTTP Content or Transfer-Encoding

 

If you see a similar error, I strongly recommend you create a JTAC case to track the fix.

Regards,
Gokul

Re: AWS with Security Director and Metadata filters

‎06-24-2019 04:59 AM

That does not seem to be the issue, as I cannot find any reference. I did a show log ipfd | match META.

 I think my issue deals with setup.

Everything seems to show up in Security Director fine. I see the metadata tags from AWS and I see the IPs of the tagged devices, I see the sky atp whitelists and blacklists I have configured. Policy Enforcer is configured for Policy Enforcer and SDSN

I have configured Threat Prevention using the VPC site from the connector. I have tried my policy enforcement group as location one time and IP addresses the next. I am using C&C, GeoIP, and anti-malware.

I read in some documentation that I needed to configure a feed server in the vSRX - set security feed server x.x.x.x hostname x.x.x.x

I added a name-server because it couldn't seem to resolve the Sky ATP URL added, but that didn't help either.

But that doesn't seem to help either.

All the policies are showing up but I am not receiving any feeds at all. The vSRX doesn't seem to be polling for anything.

Dave W

Re: AWS with Security Director and Metadata filters

‎06-24-2019 05:52 AM

Understood, AFAIK, you don't need to manually configure feed server on the vSRX. SD pushes the configuration to the vSRX when the device is enrolled on SD.

 

Sample of what gets pushed in my lab:

 

[edit services]
+   security-intelligence {
+       url https://10.219.61.115/secmgt-skyatp-proxy/api/manifest.xml;
+       authentication {
+           auth-token p1467r0yDieSlL91oc1R451x6t95451n;
+       }
+   }
+   dynamic-address {
+       feed-server 10.219.61.115 {
+           hostname 10.219.61.115;
+           feed-name SD_META360449 {
+               path /sd-feed-server/SD_META360449.gz;
+               update-interval 120;
+               hold-interval 10800;
+           }
+       }
+       address-name SD_META360449 {
+           description "Provider = SD AND Gokul = Windows";
+           profile {
+               feed-name SD_META360449;
+           }
+       }
+   }

 

In your case, it looks like the basic device admin and policy push are fine, but SecIntel is broken. Is it possible for you to completely remove this vSRX from SD and re-enroll it?

 

Regards,
Gokul
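Both of Gokul's points above can be checked mechanically: SD pushes a `services dynamic-address` stanza naming each feed, its path and its update-interval, and every pull the vSRX attempts (or fails) shows up in /var/log/ipfd as a da_util_http_download line for that feed. The script below is an added example written for this page, not code from the thread and not Juniper's; it parses the stanza in the form SD pushed in Gokul's lab (tolerating the "+" markers of a commit compare), then scans ipfd lines and reports each feed as failed (with the error text), ok, or never-attempted, which is the state Dave describes (policy present, no polling). Assumptions: the failure wording matches the line Gokul quoted; the "done" success line, the feed names SD_META360450 and SD_META360451, and the extra config stanzas are constructed for the sample.

```python
"""Cross-check the dynamic-address feeds SD pushed to a vSRX against ipfd.

Added example for this thread; not Juniper code and not from the posts.
Assumptions are marked in comments.
"""
import re

# Stanza syntax as pushed by SD in Gokul's lab ("+" compare markers tolerated).
FEED_RE = re.compile(r"feed-name\s+(\S+)\s*\{")
PATH_RE = re.compile(r"path\s+(\S+);")
INTERVAL_RE = re.compile(r"update-interval\s+(\d+);")
# ipfd line shape from the thread: "<date>:pid N:M:da_util_http_download(<feed>): <msg>"
DOWNLOAD_RE = re.compile(r"da_util_http_download\((?P<feed>[^)]+)\):\s*(?P<msg>.*)$")


def parse_feeds(config_text):
    """Return {feed_name: {"path": str|None, "update_interval": int|None}}."""
    feeds, current = {}, None
    for raw in config_text.splitlines():
        line = raw.lstrip("+ ").strip()      # drop "show | compare" markers
        m = FEED_RE.match(line)
        if m:                                # only "feed-name X {" opens a feed block;
            current = m.group(1)             # "feed-name X;" under profile is a reference
            feeds[current] = {"path": None, "update_interval": None}
            continue
        if current is None:
            continue
        pm = PATH_RE.match(line)
        im = INTERVAL_RE.match(line)
        if pm:
            feeds[current]["path"] = pm.group(1)
        elif im:
            feeds[current]["update_interval"] = int(im.group(1))
        elif line == "}":                    # end of this feed-name block
            current = None
    return feeds


def classify_downloads(feeds, ipfd_lines):
    """Last download outcome per configured feed: ("failed", error text),
    ("ok", message) or ("never-attempted", None). A feed that ipfd mentions
    but the config does not is reported as "unconfigured"."""
    status = {name: ("never-attempted", None) for name in feeds}
    for line in ipfd_lines:
        m = DOWNLOAD_RE.search(line)
        if not m:
            continue
        feed, msg = m.group("feed"), m.group("msg")
        if feed not in feeds:
            status[feed] = ("unconfigured", msg)
        elif "failed:" in msg:
            status[feed] = ("failed", msg.split("failed:", 1)[1].strip())
        else:
            status[feed] = ("ok", msg)
    return status


def report(config_text, ipfd_lines):
    """One summary line per feed, with a hint for feeds that were never pulled."""
    feeds = parse_feeds(config_text)
    out = []
    for feed, (state, detail) in sorted(classify_downloads(feeds, ipfd_lines).items()):
        interval = feeds.get(feed, {}).get("update_interval")
        line = f"{feed}: {state}"
        if state == "never-attempted":
            line += f" (expected a pull every {interval}s; is ipfd polling this feed-server?)"
        elif state == "failed":
            line += f" -> {detail}"
        out.append(line)
    return out


# Constructed sample: the stanza quoted in the thread plus two extra feeds
# (SD_META360450, SD_META360451) added for this example.
SAMPLE_CONFIG = """\
[edit services]
+   dynamic-address {
+       feed-server 10.219.61.115 {
+           hostname 10.219.61.115;
+           feed-name SD_META360449 {
+               path /sd-feed-server/SD_META360449.gz;
+               update-interval 120;
+               hold-interval 10800;
+           }
+           feed-name SD_META360450 {
+               path /sd-feed-server/SD_META360450.gz;
+               update-interval 120;
+               hold-interval 10800;
+           }
+           feed-name SD_META360451 {
+               path /sd-feed-server/SD_META360451.gz;
+               update-interval 120;
+               hold-interval 10800;
+           }
+       }
+       address-name SD_META360449 {
+           profile {
+               feed-name SD_META360449;
+           }
+       }
+   }
"""

# First line is the failure Gokul quoted; the "done" line is a constructed success.
SAMPLE_IPFD = [
    "Wed Jun 12 09:03:26 2019:pid 13977:1:da_util_http_download(SD_META360449): "
    "download file https://10.219.61.115/sd-feed-server/SD_META360449.gz failed: "
    "Unrecognized or bad HTTP Content or Transfer-Encoding",
    "Wed Jun 12 09:03:27 2019:pid 13977:1:da_util_http_download(SD_META360450): "
    "download file https://10.219.61.115/sd-feed-server/SD_META360450.gz done",
    "Wed Jun 12 09:03:27 2019:pid 13977:1:ipfd_time_capsule_on pid 13977",
]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG, SAMPLE_IPFD)))
```

In practice, feed the script the output of `show configuration services dynamic-address` and the tail of `show log ipfd`; a feed that stays never-attempted across several update-intervals points at the SD enrollment or the feed-server stanza rather than at the feed itself, which is the distinction Gokul draws between a broken pull and a push that never happened.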

Re: AWS with Security Director and Metadata filters

‎06-24-2019 06:13 AM

I am trying this out in a lab environment and have launched and removed, space, policy enforcer, SD, the vSRX and cloud EC2 devices. I know I must be missing a step, just can't figure out what it is. At first I missed the part that the connector discovers the device and it should not be manually added. I have gotten past that but now have this new issue. 

Dave W