
[SRX] Configuration example using fully qualified domain names in security policies


Article ID: KB20994 | KB Last Updated: 05 Feb 2014 | Version: 7.0
Summary:

This article describes the current Junos behavior on the SRX platform, when domain names are used in the zones address-book and subsequently in the security policies.

Symptoms:

To reduce the number of configuration changes and avoid constantly tracking the trusted and untrusted IP addresses in a dynamic network environment, fully qualified domain names (FQDNs) can be used so that the policy relies on a trusted name resolution service, which provides the list of IP addresses against which the traffic is evaluated. A configuration example and a verification procedure are provided.

Cause:

Solution:
In the zones address-book, you can use an FQDN as an address entry. Later, in the security policy, you can use the named address entry in the match conditions for source or destination addresses. Junos resolves the FQDN to an IP address and uses it during the policy check on traffic. If the FQDN resolves to more than one IP address, Junos uses the whole returned list of addresses. You can also restrict the populated addresses to IPv4 only or IPv6 only.

Note: Be aware of the current Junos design limitation that restricts the number of addresses populated in the security policy. The limitation is not an address count; it is the size of the UDP DNS response. At this time, Junos uses only UDP-based DNS queries to resolve address book entries. As per RFC 1035, messages carried over UDP are restricted to 512 bytes, so the longer the FQDN, the fewer IP addresses are populated into the security policy. The number is approximately 25-30 addresses.
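The following is an added worked example (not Juniper code, and not part of the original article) that builds a plain UDP DNS answer for an FQDN on the wire format of RFC 1035 and counts how many A records fit under the 512-byte limit. It assumes a response without EDNS (matching the note that Junos uses plain UDP queries) and shows both the usual case, where the resolver compresses each answer's owner name into a 2-byte pointer, and the worst case where every answer repeats the full name; the hostnames and addresses are constructed sample values.

```python
import struct
import ipaddress

# RFC 1035 section 4.2.1: DNS messages carried over UDP are limited to 512 bytes.
UDP_DNS_LIMIT = 512


def encode_name(fqdn: str) -> bytes:
    """Encode an FQDN as DNS labels: each label length-prefixed, terminated by a zero byte."""
    labels = [label for label in fqdn.rstrip(".").split(".") if label]
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:           # RFC 1035 label length limit
            raise ValueError(f"label length out of range: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_a_response(fqdn: str, addresses, ttl: int = 300, compress: bool = True) -> bytes:
    """Build a minimal DNS response (no EDNS) with one A record per address.

    With compress=True each answer's owner name is the 2-byte pointer 0xC00C to the
    question name at offset 12, as real resolvers do; with compress=False the full
    name is repeated in every answer (worst case for message size).
    """
    qname = encode_name(fqdn)
    # ID, flags (QR=1, RD=1, RA=1), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(addresses), 0, 0)
    question = qname + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN
    answers = b""
    for addr in addresses:
        owner = b"\xc0\x0c" if compress else qname
        rdata = ipaddress.IPv4Address(addr).packed        # 4-byte A record data
        # TYPE=A, CLASS=IN, TTL, RDLENGTH
        answers += owner + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answers


def max_a_records(fqdn: str, compress: bool = True) -> int:
    """Largest number of A records for fqdn whose response still fits in 512 bytes."""
    count = 0
    while len(build_a_response(fqdn, ["192.0.2.1"] * (count + 1), compress=compress)) <= UDP_DNS_LIMIT:
        count += 1
    return count


def fqdn_capacity_report(fqdns) -> dict:
    """Map each FQDN to (compressed, uncompressed) A-record capacity under the UDP limit."""
    return {name: (max_a_records(name, True), max_a_records(name, False)) for name in fqdns}


if __name__ == "__main__":
    # Constructed sample names: the one from the article and a deliberately long one.
    for name, (comp, uncomp) in fqdn_capacity_report(
        ["www.google.com", "a-much-longer-hostname.in-some-subdomain.example.com"]
    ).items():
        print(f"{name}: {comp} A records with name compression, {uncomp} without")
```

For www.google.com the 12-byte header and 20-byte question leave exactly 480 bytes, which is 30 compressed 16-byte answers, the upper end of the article's 25-30 estimate; a longer question name eats into that budget, and a resolver that does not compress owner names drops the count much further.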

Issues when using the FQDN in address objects:

  • When using Junos 11.1R1 through 11.1R3, the list of IP addresses resolved from DNS is populated in the security policy only once, during commit. The security policy will not refresh with new IPs unless a new commit is performed. This is resolved in 11.1R4 and later.

  • Use of FQDNs may cause high CPU utilization over time. This issue is fixed, as per PR585154, in Junos 10.2R4, 10.3R4, 10.4R4, and 11.1R2 or later.

Configuration example:

[edit]
# set security zones security-zone OUTSIDE address-book address GOOGLE dns-name www.google.com ipv4-only
# set security policies from-zone ZONE-01 to-zone OUTSIDE policy PERMIT-GOOGLE match source-address any
# set security policies from-zone ZONE-01 to-zone OUTSIDE policy PERMIT-GOOGLE match destination-address GOOGLE
# set security policies from-zone ZONE-01 to-zone OUTSIDE policy PERMIT-GOOGLE match application any
# set security policies from-zone ZONE-01 to-zone OUTSIDE policy PERMIT-GOOGLE then permit

Verifying the configuration:

[edit security zones security-zone OUTSIDE address-book]
# show 
address GOOGLE {
    dns-name www.google.com {
        ipv4-only;
    }
}
[edit security policies from-zone ZONE-01 to-zone OUTSIDE policy PERMIT-GOOGLE]
# show 
match {
    source-address any;
    destination-address GOOGLE;
    application any;
}
then {
    permit;
}
> show security policies policy-name PERMIT-GOOGLE detail
Policy: PERMIT-GOOGLE, action-type: permit, State: enabled, Index: 4, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 1
  From zone: ZONE-01, To zone: OUTSIDE
  Source addresses:
    any-ipv4: 0.0.0.0/0 
    any-ipv6: ::/0
  Destination addresses:
    GOOGLE: 74.125.224.52/32 
    GOOGLE: 74.125.224.48/32 
    GOOGLE: 74.125.224.49/32 
    GOOGLE: 74.125.224.50/32 
    GOOGLE: 74.125.224.51/32
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
      Source port range: [0-0] 
      Destination port range: [0-0]
  Per policy TCP Options: SYN check: No, SEQ check: No
