Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[SRX] Can a user have rights to only view the security policy from zone A to zone B and nothing else?

0

0

Article ID: KB24443 KB Last Updated: 24 Feb 2020Version: 3.0
Summary:
This article describes the possibility of a user having rights to only view the security policy from Zone A to Zone B and nothing else.
 
Symptoms:
Assume that the A, B, and C zones are configured on the SRX device:
 
  • The goal is to allow only viewing of the policy from zone A to zone B and vice-versa.

  • The user should not be able to view policy from any other zone.

  • Generally, Junos cannot deny anything that is user-defined.
Solution:
The Junos code being used for testing is 11.4R3.

The following configuration will restrict the user to view only the policies for all of the zones:

 
#set system login user test class view-pol-zone-cfg
#set system login user test authentication encrypted-password "$ABC123"
#set system login class view-pol-zone-cfg permissions security
#set system login class view-pol-zone-cfg deny-commands
"(show security zones)|(show security alg)|(show security flow)|(show security policies application-firewall)|
(show security policies global)|(show security application-tracking)|(show security datapath-debug)|
(show security dynamic-policies)|(show security firewall-authentication)|(show security gprs)|
(show security policies to-zone C)|(show security idp)|(show security keychain)|(show security log)|
(show security match-policies)|(show security monitoring)|(show security pki)|(show security resource-manager)|
(show security policies logical-system)|(show security policies root-logical-system)|(show security policies zone-context)|(show security alarms)|(show security utm)|(show security nat)|(show security policies count)|(show security policies detail)|(clear)|(help)|(load)|(op)|(request)|(file)|(save)|(test)|(start)"
Verification:
root@D10_32-SRX240H-Node1-HQ-SSH% ssh test@172.22.145.114
test@172.22.145.114's password: 
--- JUNOS 11.4R3.7 built 2012-05-14 20:51:00 UTC

{primary:node0}
test@SRX3400-D03_29> show ?          
Possible completions:
  security             Show security information
{primary:node0}
test@SRX3400-D03_29> show security ?  
Possible completions:
  policies             Show security firewall policies < Notice the user can only view the 'security policies'
{primary:node0}
test@SRX3400-D03_29> show security policies ?
Possible completions:
  <[Enter]>            Execute this command
  from-zone            Show the policy information matching the given source zone
  policy-name          Show the policy information matching the given policy name
  to-zone              Show the policy information matching the given destination zone
  |                    Pipe through a command
{primary:node0}
test@SRX3400-D03_29> show security policies from-zone ? < Notice that multiple zones are available
for viewing, which is NOT the requirement.
Possible completions:
  <from-zone>          Show the policy information matching the given source zone
  A                    Security zone name
  B                    Security zone name
  C                    Security zone name
  junos-host           Security zone name
  trust                Security zone name
  untrust              Security zone name

Conclusion:
 
  • Based on the above deny-command expression, it is possible to restrict the user to view only show security policies from the zone.

  • It is not possible to restrict users to view only selected user-defined zone policies. You can either ensure that all policies are viewable or block all of them. This functionality is not supported due to the following reason:

    "Junos does not deny any dynamic names in the configuration"

For example:

show security policies from-zone is system defined. Any word after that is dynamic and is not accounted for by Junos. Notice the following command in the above configuration:
(show security policies to-zone C)
Even though zone C was not supposed to be visible, but still is, is due to it being a dynamic name.
 

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search