[SRX] Configuration Example - How to limit self traffic using Security Policies

[KB24227]


Summary:

This article provides an example of how to allow or block self (device-centric) traffic, that is, traffic terminating on the SRX itself that is used for management purposes.

Symptoms:

Users can apply security services to the self traffic by referring to the junos-host zone in the Security Policies.

For example, one may want to allow traffic sourced from a router to be forwarded through policy-based IPSec so as to remotely manage the router.

Solution:

Refer to the following configuration example. The portions marked with ## comments correspond to this feature.

For more information on self-traffic, refer to Understanding Security Policies for Self Traffic.

Caution: Be certain which protocols and services you allow and restrict using this method, because it can affect other host-inbound traffic.
In the example 'selfpolicy' given below, only junos-ssh and junos-http are allowed and everything else is rejected. So, if an incoming client uses IKE, OSPF, BGP, or any other host-inbound protocol, and the device is configured with the policy as given below, the SRX will drop all the traffic except SSH and HTTP. In that situation, the incoming client will not be able to use IKE, OSPF, BGP or any other host-inbound service or protocol.

root@# show 
system {
    host-name mySRX;
    root-authentication {
        encrypted-password "$1$O8ak1l/4$8iYUSEjQu/EN3dMsOANHc/"; ## SECRET-DATA
    }
    services {
        ssh;
        web-management {
            http;
            https {
                system-generated-certificate;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
security {
    flow {                    ## For capturing the flow logs; see example output below
        traceoptions {
            file selfpolicy size 1m;
            flag basic-datapath;
            packet-filter 1 {
                source-prefix 192.168.1.2/32;
                destination-prefix 192.168.1.1/32;
            }
        }
    }
    policies {
        from-zone test to-zone junos-host {
            policy selfpolicy {                        ## Security policy for the self traffic
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-ssh junos-http ];  ## SSH and HTTP management traffic specified under the application stanza
                }
                then {
                    permit;                            ## Traffic being permitted
                }
            }
            policy denyall {                           ## Security policy to deny all other management traffic except SSH and HTTP
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    reject;
                }
            }
        }
        default-policy {
            deny-all;
        }
    }
    zones {
        security-zone test {
            interfaces {
                all {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
}

Note: No interfaces can be configured under the junos-host security zone. It will cause a commit error.

Logs:

root@# run show log selfpolicy | no-more
Apr 12 16:50:41 mySRX clear-log[10415]: logfile cleared
Apr 12 16:51:22 16:51:22.528204:CID-0:RT:<192.168.1.2/49972->192.168.1.1/22;6> matched filter 1:
Apr 12 16:51:22 16:51:22.528204:CID-0:RT:packet [64] ipid = 62080, @423f8d9c
Apr 12 16:51:22 16:51:22.528204:CID-0:RT:---- flow_process_pkt: (thd 2): flow_ctxt type 14, common flag 0x0, mbuf 0x423f8b80, rtbl_idx = 0
Apr 12 16:51:22 16:51:22.528204:CID-0:RT: flow process pak fast ifl 68 in_ifp ge-0/0/0.0
Apr 12 16:51:22 16:51:22.528204:CID-0:RT:  ge-0/0/0.0:192.168.1.2/49972->192.168.1.1/22, tcp, flag 2 syn
Apr 12 16:51:22 16:51:22.528204:CID-0:RT: find flow: table 0x4953b840, hash 46906(0xffff), sa 192.168.1.2, da 192.168.1.1, sp 49972, dp 22, proto 6, tok 7
Apr 12 16:51:22 16:51:22.528204:CID-0:RT:  no session found, start first path. in_tunnel - 0, from_cp_flag - 0
Apr 12 16:51:22 16:51:22.528204:CID-0:RT:check self-traffic on ge-0/0/0.0, in_tunnel 0x0
Apr 12 16:51:22 16:51:22.528204:CID-0:RT:retcode: 0x1204
Apr 12 16:51:22 16:51:22.528204:CID-0:RT:pak_for_self : proto 6, dst port 22, action 0x4
Apr 12 16:51:22 16:51:22.528204:CID-0:RT:  flow_first_create_session
Apr 12 16:51:22 16:51:22.528204:CID-0:RT:  flow_first_in_dst_nat: in <ge-0/0/0.0>, out <N/A> dst_adr 192.168.1.1, sp 49972, dp 22
Apr 12 16:51:22 16:51:22.528204:CID-0:RT:  chose interface ge-0/0/0.0 as incoming nat if.
Apr 12 16:51:22 16:51:22.528204:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 192.168.1.1(22)
Apr 12 16:51:22 16:51:22.528204:CID-0:RT:flow_first_routing: vr_id 0, call flow_route_lookup(): src_ip 192.168.1.2, x_dst_ip 192.168.1.1, in ifp ge-0/0/0.0, out ifp N/A sp 49972, dp 22, ip_proto 6, tos 0
Apr 12 16:51:22 16:51:22.528204:CID-0:RT:Doing DESTINATION addr route-lookup
Apr 12 16:51:22 16:51:22.528204:CID-0:RT:  routed (x_dst_ip 192.168.1.1) from test (ge-0/0/0.0 in 0) to .local..0, Next-hop: 192.168.1.1
Apr 12 16:51:22 16:51:22.528204:CID-0:RT:  policy search from zone test-> zone junos-host (0x0,0xc3340016,0x16)
Apr 12 16:51:22 16:51:22.528675:CID-0:RT:  policy has timeout 900
Apr 12 16:51:22 16:51:22.528675:CID-0:RT:  app 22, timeout 1800s, curr ageout 20s
Apr 12 16:51:22 16:51:22.528675:CID-0:RT:flow_first_src_xlate:  nat_src_xlated: False, nat_src_xlate_failed: False
Apr 12 16:51:22 16:51:22.528675:CID-0:RT:flow_first_src_xlate: src nat returns status: 0, rule/pool id: 0/0, pst_nat: False.
Apr 12 16:51:22 16:51:22.528675:CID-0:RT:  dip id = 0/0, 192.168.1.2/49972->192.168.1.2/49972 protocol 0
Apr 12 16:51:22 16:51:22.528675:CID-0:RT:flow_first_get_out_ifp: IN!
Apr 12 16:51:22 16:51:22.528675:CID-0:RT:  choose interface .local..0 as outgoing phy if
Apr 12 16:51:22 16:51:22.528675:CID-0:RT:is_loop_pak: No loop: ifp doesnt match .local..0 vs looked-up: ge-0/0/0.0, addr: 192.168.1.1, rtt_idx: 0, addr_type:0x3
Apr 12 16:51:22 16:51:22.528675:CID-0:RT:jsf sess interest check. regd plugins 19
Note: If you are trying to reach host-inbound services on the lo0 interface in a custom zone, you also need a policy between the zone of the physical interface on which the traffic arrives and the zone of the lo0 interface.

security-zone TRUST {
    interfaces {
        ge-0/0/3.0 {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
        }
        lo0.0 {                         
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
        }
    }
}

If that policy is not configured, the flow trace shows the packets being dropped by a policy deny:

May 14 06:10:25 06:10:25.335304:CID-1:RT:<1.1.1.2/0->2.2.2.2/51154;1,0x0> matched filter pf1:
May 14 06:10:25 06:10:25.335304:CID-1:RT:packet [84] ipid = 1422, @0x43e6b21c
May 14 06:10:25 06:10:25.335304:CID-1:RT:---- flow_process_pkt: (thd 2): flow_ctxt type 15, common flag 0x0, mbuf 0x43e6b000, rtbl_idx = 0
May 14 06:10:25 06:10:25.335304:CID-1:RT: flow process pak fast ifl 77 in_ifp ge-0/0/3.0
May 14 06:10:25 06:10:25.335304:CID-1:RT: flow_process_pkt: setting in_vrf_id in lpak to 0, grp 0
May 14 06:10:25 06:10:25.335304:CID-1:RT:  ge-0/0/3.0:1.1.1.2->2.2.2.2, icmp, (8/0)
May 14 06:10:25 06:10:25.335304:CID-1:RT:Changing out-ifp from .local..0 to lo0.0 for dst: 2.2.2.2 in vr_id:0
May 14 06:10:25 06:10:25.335304:CID-1:RT:  routed (x_dst_ip 2.2.2.2) from TRUST (ge-0/0/3.0 in 0) to lo0.0, Next-hop: 2.2.2.2
May 14 06:10:25 06:10:25.335304:CID-1:RT:flow_first_policy_search: policy search from zone TRUST-> zone TRUST (0x0,0xc7d2,0xc7d2)    <<<< This policy check will happen. 
May 14 06:10:25 06:10:25.335304:CID-1:RT:  packet dropped, denied by policy
May 14 06:10:25 06:10:25.335304:CID-1:RT:  denied by policy default-policy-logical-system-00(2), dropping pkt
May 14 06:10:25 06:10:25.335304:CID-1:RT:  packet dropped,  policy deny.

The solution is to add the following policy: 

from-zone TRUST to-zone TRUST {      ## Additional policy required. 
    policy TRUS-to-TRUST {              
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}

Results:

May 14 06:17:36 06:17:36.793731:CID-1:RT:<1.1.1.2/0->2.2.2.2/51159;1,0x0> matched filter pf1:
May 14 06:17:36 06:17:36.793731:CID-1:RT:packet [84] ipid = 17955, @0x43e70f9c
May 14 06:17:36 06:17:36.793731:CID-1:RT:  routed (x_dst_ip 2.2.2.2) from TRUST (ge-0/0/3.0 in 0) to lo0.0, Next-hop: 2.2.2.2
May 14 06:17:36 06:17:36.793731:CID-1:RT:flow_first_policy_search: policy search from zone TRUST-> zone TRUST (0x0,0xc7d7,0xc7d7)   <<<<<<< First policy lookup 
May 14 06:17:36 06:17:36.793731:CID-1:RT:Policy lkup: vsys 0 zone(8:TRUST) -> zone(8:TRUST) scope:0
May 14 06:17:36 06:17:36.793731:CID-1:RT:             1.1.1.2/2048 -> 2.2.2.2/16920 proto 1
May 14 06:17:36 06:17:36.793731:CID-1:RT:  app 0, timeout 60s, curr ageout 60s
May 14 06:17:36 06:17:36.793731:CID-1:RT:  permitted by policy TRUS-to-TRUST(6)
May 14 06:17:36 06:17:36.793731:CID-1:RT:  packet passed, Permitted by policy.
 
May 14 06:17:36 06:17:36.794110:CID-1:RT:flow_first_policy_search: policy search from zone TRUST-> zone junos-host (0x0,0xc7d7,0xc7d7)  <<<<<<< Second policy lookup 
May 14 06:17:36 06:17:36.794110:CID-1:RT:Policy lkup: vsys 0 zone(8:TRUST) -> zone(2:junos-host) scope:0                                   
May 14 06:17:36 06:17:36.794110:CID-1:RT:  permitted by policy self-policy(4)
May 14 06:17:36 06:17:36.794110:CID-1:RT:  packet passed, Permitted by policy.
May 14 06:17:36 06:17:36.794503:CID-1:RT:  Session (id:848) created for first pak 220
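
The two trace excerpts above show that a packet destined for lo0 is checked twice: first against the policy between the arriving interface's zone and the lo0 zone, then against the policy to junos-host. The following Python script is an added example, not part of this KB or of Junos, that parses basic-datapath traceoptions output (sample lines constructed from the logs in this article) and reports, per flow, which zone pairs were consulted and where the packet was dropped. The regular expressions assume the line formats shown in this article.

```python
import re
# Constructed sample, condensed from this article's traceoptions output: a ping to lo0 with and without the TRUST-to-TRUST policy.
SAMPLE_LOG = """\
May 14 06:17:36 06:17:36.793731:CID-1:RT:<1.1.1.2/0->2.2.2.2/51159;1,0x0> matched filter pf1:
May 14 06:17:36 06:17:36.793731:CID-1:RT:flow_first_policy_search: policy search from zone TRUST-> zone TRUST (0x0,0xc7d7,0xc7d7)
May 14 06:17:36 06:17:36.793731:CID-1:RT:  permitted by policy TRUS-to-TRUST(6)
May 14 06:17:36 06:17:36.794110:CID-1:RT:flow_first_policy_search: policy search from zone TRUST-> zone junos-host (0x0,0xc7d7,0xc7d7)
May 14 06:17:36 06:17:36.794110:CID-1:RT:  permitted by policy self-policy(4)
May 14 06:10:25 06:10:25.335304:CID-1:RT:<1.1.1.2/0->2.2.2.2/51154;1,0x0> matched filter pf1:
May 14 06:10:25 06:10:25.335304:CID-1:RT:flow_first_policy_search: policy search from zone TRUST-> zone TRUST (0x0,0xc7d2,0xc7d2)
May 14 06:10:25 06:10:25.335304:CID-1:RT:  denied by policy default-policy-logical-system-00(2), dropping pkt
"""

# The "matched filter" line opens a new flow; each "policy search" line records one
# zone-pair lookup; the next "permitted/denied by policy NAME(n)" line is that lookup's verdict.
FLOW_RE = re.compile(r"<(?P<src>[^/]+)/(?P<sport>\d+)->(?P<dst>[^/]+)/(?P<dport>\d+);(?P<proto>\d+)[^>]*> matched filter")
SEARCH_RE = re.compile(r"policy search from zone (?P<from>\S+)-> zone (?P<to>\S+)")
VERDICT_RE = re.compile(r"(?P<verdict>permitted|denied) by policy (?P<name>[^\s(]+)\((?P<idx>\d+)\)")

def parse_flow_trace(text):
    """Return a list of flows, each with the ordered zone-pair lookups it went through."""
    flows, current = [], None
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            current = {"src": m["src"], "dst": m["dst"], "proto": int(m["proto"]), "lookups": []}
            flows.append(current)
            continue
        if current is None:
            continue
        m = SEARCH_RE.search(line)
        if m:
            current["lookups"].append({"from": m["from"], "to": m["to"], "verdict": None, "policy": None})
            continue
        m = VERDICT_RE.search(line)
        if m and current["lookups"]:
            current["lookups"][-1].update(verdict=m["verdict"], policy=m["name"])
    return flows

def summarize(flow):
    """(final verdict, reason): the packet dies at the first denying lookup, so the
    junos-host policy is only consulted when every earlier lookup permitted it."""
    for lk in flow["lookups"]:
        if lk["verdict"] == "denied":
            return ("dropped", f"denied by {lk['policy']} during {lk['from']}->{lk['to']} lookup")
    last = flow["lookups"][-1] if flow["lookups"] else None
    if last and last["to"] == "junos-host" and last["verdict"] == "permitted":
        return ("permitted", f"self traffic permitted by {last['policy']}")
    return ("incomplete", "no junos-host lookup with a verdict was logged for this flow")
```

Run `parse_flow_trace` on the output of `show log <traceoptions-file>` and pass each flow to `summarize` to see whether a management packet was dropped by an intra-zone policy before the junos-host policy was ever consulted.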

Modification History:

2019-05-18: Added additional scenario: Access host inbound services for lo0 interface in the custom zone.