SRX Getting Started - Configure Security Policies

  [KB16553]


Summary:

This article provides an example of configuring a security policy.

For other topics, go to the SRX Getting Started main page.

Symptoms:

Configure security policies.

Cause:

Solution:

This section contains the following:

    Security Policies
    Default Security Policies
    Configuration Examples
    Verification
    Troubleshooting
    Technical Documentation

Security Policies

Security policies enforce a set of rules for transit traffic, identifying which traffic can pass through the firewall and the actions taken on the traffic as it passes through the firewall.

The technical documentation at https://www.juniper.net/techpubs/en_US/junos12.1x44/information-products/pathway-pages/security/security-basic-policy.html addresses the following topics on security policies:

    Security Policies Overview
    Understanding Security Policy Rules
    Understanding Security Policy Elements
    Understanding Security Policies for Self Traffic
    Understanding Security Policy Ordering
    Global Policy Overview
    Security Policy Schedulers Overview
    Understanding User Role Firewalls
    User Role Retrieval and the Policy Lookup Process
    Understanding the User Identification Table
    Understanding Searching and Sorting Audit Log
    Understanding Packet Flow Alarms and Auditing


Default Security Policies

On the SRX devices, system-default and factory-default security policies are implemented as follows:

System-Default Security Policy

By default, Junos denies all traffic through an SRX Series device: an implicit default security policy exists that denies all packets. You can change this behavior by configuring standard security policies that permit specific types of traffic. The implicit default policy can also be changed to permit all traffic with the 'set security policies default-policy' command; however, this is not recommended.

Factory-Default Security Policies

The factory-default template configuration file in branch security platforms has three preconfigured security policies (not to be confused with the system-default security policy discussed in the previous paragraph):
  1. Trust-to-trust zone policy: Denies all intrazone traffic within the trust zone.
  2. Trust-to-untrust zone policy: Permits all traffic from the trust zone to the untrust zone.
  3. Untrust-to-trust zone policy: Denies all traffic from the untrust zone to the trust zone.
These can be displayed with the 'show security policies' command:
root@> show security policies | no-more
Default policy: deny-all
From zone: trust, To zone: untrust
Policy: trust-to-untrust, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1
Source addresses: any
Destination addresses: any
Applications: any
Action: permit

Note: The device output shown above is from the Junos 12.1X44 release.



Configuration Examples

Below are some simple examples of creating security policies. For a detailed configuration example, refer to https://www.juniper.net/techpubs/en_US/junos12.1x44/topics/example/policy-defining-cli.html.

Create Policy (without NAT)
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit


Create Policy (with NAT)

NAT is decoupled from security policy configuration. If NAT is required, refer to http://kb.juniper.net/KB15758.

Create Policy (with IDP)

set security policies from-zone vpn-ssg to-zone client policy idp-example match source-address any
set security policies from-zone vpn-ssg to-zone client policy idp-example match destination-address any
set security policies from-zone vpn-ssg to-zone client policy idp-example match application any
set security policies from-zone vpn-ssg to-zone client policy idp-example then permit application-services idp

For details on how to configure IDP refer to http://kb.juniper.net/KB16561.

Create Policy (with UTM)
set security policies from-zone trust to-zone untrust policy utm-example match source-address any
set security policies from-zone trust to-zone untrust policy utm-example match destination-address any
set security policies from-zone trust to-zone untrust policy utm-example match application any
set security policies from-zone trust to-zone untrust policy utm-example then permit application-services utm-policy custom-policy

For details on how to configure a UTM policy, refer to the Antivirus or Web Filter examples.

Note: Policy ordering is important. Policies within a zone pair are evaluated in order, and by default a new policy is added to the end of the list. You can change the order using the insert command. The following command moves the policy NEW ahead of the policy default-permit:
insert security policies from-zone Untrust to-zone trust policy NEW before policy default-permit

Tips:

  • If no policy matches certain traffic, the default policy is applied, which denies that traffic without logging.
  • In Junos 9.5 and above, NAT is no longer configured as part of the security policy; it is configured separately as a NAT policy. For more information, refer to http://kb.juniper.net/KB15758.
  • To get traffic logs from permitted sessions, add "then log session-close" to your policy.
  • To get traffic logs from denied or rejected sessions, add "then log session-init" to your policy.
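As an added example (not part of this KB article or any Juniper tool), the following Python script parses set-style security policy lines and flags two of the issues raised above: a permit policy with no 'then log session-close', and a policy shadowed by an earlier policy in the same zone pair (the ordering problem the insert command fixes). The sample configuration is constructed for the example; the script reads text only and never talks to a device.

```python
import re
# Constructed sample config (not from a real device); allow-dns sits after an any/any/any permit.
SAMPLE_CONFIG = """
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit then log session-close
set security policies from-zone trust to-zone untrust policy allow-dns match source-address any
set security policies from-zone trust to-zone untrust policy allow-dns match destination-address any
set security policies from-zone trust to-zone untrust policy allow-dns match application junos-dns-udp
set security policies from-zone trust to-zone untrust policy allow-dns then permit
"""

LINE_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (match|then) (.+)$")
FIELDS = ("source-address", "destination-address", "application")

def parse_policies(config):
    zones = {}  # {(from_zone, to_zone): {policy_name: policy}}, dict order == configuration order
    for line in config.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a security-policy set-line
        frm, to, name, kind, rest = m.groups()
        pol = zones.setdefault((frm, to), {}).setdefault(  # a new policy lands at the end of its zone pair
            name, {"name": name, "action": None, "log": set(), **{f: set() for f in FIELDS}})
        if kind == "match":
            field, value = rest.split(None, 1)
            pol[field].add(value)
        elif rest.startswith("log "):
            pol["log"].add(rest.split()[1])  # session-init or session-close
        elif rest.split()[0] in ("permit", "deny", "reject"):
            pol["action"] = rest.split()[0]  # 'then permit application-services ...' still counts as permit
    return zones

def covers(a, b):
    """True if every packet that would match policy b has already matched the earlier policy a."""
    return all("any" in a[f] or b[f] <= a[f] for f in FIELDS)

def audit(config):
    """Flag permits that never log a session, and policies shadowed by an earlier one."""
    findings = []
    for (frm, to), pols in parse_policies(config).items():
        plist = list(pols.values())
        for i, pol in enumerate(plist):
            if pol["action"] == "permit" and "session-close" not in pol["log"]:
                findings.append(f"{frm}->{to} {pol['name']}: permit without 'then log session-close'")
            if shadow := next((e["name"] for e in plist[:i] if covers(e, pol)), None):
                findings.append(f"{frm}->{to} {pol['name']}: never matched, shadowed by earlier policy '{shadow}'")
    return findings
```

Feed it the output of 'show configuration | display set' saved to a file; on the constructed sample it reports that allow-dns neither logs nor can ever match.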



Verification

Use the show security policies command to display a summary of all the security policies.



Troubleshooting

For information on troubleshooting security policies, refer to https://www.juniper.net/techpubs/en_US/junos12.1x44/topics/task/troubleshooting/policy-troubleshooting.html.  For additional information on flow traceoptions, refer to http://kb.juniper.net/KB16233.



Technical Documentation


Junos 12.1X44 / Junos 11.4
  • PDF -- See 'Security Policies' chapter, page 187.
  • HTML
Junos 10.4
  • PDF -- See 'Security Policies' chapter, page 143.
  • HTML

Note: Significant changes (examples, instructions, explanations) were made to the Junos 12.1X44 technical documentation. So, even if your device is running Junos 11.x or 10.x, you may refer to the Junos 12.1X44 or latest technical documentation for detailed explanations.
