
[SRX] Integrated User Firewall (UserFW) Configuration Example


Article ID: KB30911   KB Last Updated: 25 Feb 2020   Version: 3.0
Summary:

The Integrated User Firewall feature was introduced in Junos OS version 12.1X47-D10 on the Juniper SRX Series devices to provide simple integration of user identity (users and groups) on top of the existing firewall policies. This article explains how to configure and deploy this feature on SRX devices.

Symptoms:

How can users configure and deploy the Integrated User Firewall on SRX devices?

Solution:

Note: This article was written with information available until 15.1X49-D40. Support for this feature on current generation SRX Branch and High End series devices is available from 12.1X47-D10 onward. Support for this feature on vSRX, SRX300 series and SRX1500 series is available from 15.1X49-D40.

For the full feature documentation and feature limitation details, refer to the Authentication and Integrated User Firewalls Feature Guide for Security Devices.

Network Topology:

(The topology diagram is not reproduced here. The layout implied by the configuration below is: client PCs in 192.168.26.0/24 sit in zone trust behind fe-0/0/3.0 (192.168.26.1/24); the Windows domain controller, which is also the LDAP and DNS server, is 172.16.26.253 in zone mgmt behind fe-0/0/6.0 (172.16.26.1/16); the Internet is reached through fe-0/0/4.0 (80.10.126.1/24) in zone untrust via a default route to 80.10.126.254 with interface-based source NAT.)

The configuration example provided below uses the default Administrator account of the Windows server. For a production deployment, an account with domain administrator rights should not be configured on any networking device: create a non-admin account that has only the rights needed to query the domain and read the event log, using the Knowledge Base article below, and then apply the configuration as described.

Integrated UserFW - Setting up a non-admin user for event log query with Windows Server 2003/2008/2012

The key part of this feature is identifying the domain path correctly, that is, the distinguished name (DN) of the lookup account within the AD tree. If this is not identified correctly, the setup will not work.

Identifying the Domain Searcher's Domain Information:

From CMD or Windows PowerShell run the following command to identify the AD structure:

CMD> dsquery user -name <username-added-on-srx-for-lookup>

Example:

C:\Users\Administrator>dsquery user -name administ*
"CN=Administrator,CN=Users,DC=juniperlab,DC=com"

Make sure that you configure the exact tree structure returned above on the SRX: the full DN becomes the admin-search distinguished-name, and its DC components (here DC=juniperlab,DC=com) form the base-distinguished-name and the user-group-mapping base. In the next step, implement the configuration on the device:

Full Configuration:

root@SRX-Firewall# show | display set | no-more
set system host-name SRX-Firewall
set system root-authentication encrypted-password "$ABC123"
set system name-server 172.16.26.253
set interfaces fe-0/0/3 unit 0 family inet address 192.168.26.1/24
set interfaces fe-0/0/4 unit 0 family inet address 80.10.126.1/24
set interfaces fe-0/0/6 unit 0 family inet address 172.16.26.1/16
set routing-options static route 0.0.0.0/0 next-hop 80.10.126.254
set security nat source rule-set To-Internet from zone trust
set security nat source rule-set To-Internet to zone untrust
set security nat source rule-set To-Internet rule All-Internet match source-address 0.0.0.0/0
set security nat source rule-set To-Internet rule All-Internet then source-nat interface
set security policies from-zone trust to-zone mgmt policy Link-With-Server match source-address 192_168_26_0-24
set security policies from-zone trust to-zone mgmt policy Link-With-Server match destination-address Local-Server
set security policies from-zone trust to-zone mgmt policy Link-With-Server match application any
set security policies from-zone trust to-zone mgmt policy Link-With-Server then permit
set security policies from-zone trust to-zone untrust policy Internet-Auth-Pass-Engineers match source-address any
set security policies from-zone trust to-zone untrust policy Internet-Auth-Pass-Engineers match destination-address any
set security policies from-zone trust to-zone untrust policy Internet-Auth-Pass-Engineers match application any
set security policies from-zone trust to-zone untrust policy Internet-Auth-Pass-Engineers match source-identity "juniperlab.com\engineers"
set security policies from-zone trust to-zone untrust policy Internet-Auth-Pass-Engineers then permit
set security policies from-zone trust to-zone untrust policy Internet-Auth-Pass-Guest match source-address any
set security policies from-zone trust to-zone untrust policy Internet-Auth-Pass-Guest match destination-address any
set security policies from-zone trust to-zone untrust policy Internet-Auth-Pass-Guest match application any
set security policies from-zone trust to-zone untrust policy Internet-Auth-Pass-Guest match source-identity "juniperlab.com\guests"
set security policies from-zone trust to-zone untrust policy Internet-Auth-Pass-Guest then permit
set security policies from-zone trust to-zone untrust policy Internet-Auth-Req match source-address any
set security policies from-zone trust to-zone untrust policy Internet-Auth-Req match destination-address any
set security policies from-zone trust to-zone untrust policy Internet-Auth-Req match application any
set security policies from-zone trust to-zone untrust policy Internet-Auth-Req match source-identity unknown-user
set security policies from-zone trust to-zone untrust policy Internet-Auth-Req match source-identity unauthenticated-user
set security policies from-zone trust to-zone untrust policy Internet-Auth-Req then permit firewall-authentication user-firewall access-profile juniperlab-users
set security policies from-zone trust to-zone untrust policy Internet-Auth-Req then permit firewall-authentication user-firewall domain juniperlab.com
set security zones security-zone mgmt address-book address Local-Server 172.16.26.253/32
set security zones security-zone mgmt host-inbound-traffic system-services ping
set security zones security-zone mgmt interfaces fe-0/0/6.0
set security zones security-zone trust address-book address 192_168_26_0-24 192.168.26.0/24
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust interfaces fe-0/0/3.0
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces fe-0/0/4.0
set access profile juniperlab-users authentication-order ldap
set access profile juniperlab-users ldap-options base-distinguished-name DC=juniperlab,DC=com
set access profile juniperlab-users ldap-options search search-filter sAMAccountName=
(NOTE: With OpenLDAP instead of Active Directory, the search-filter attribute is "uid=" rather than "sAMAccountName=", i.e. set access profile juniperlab-users ldap-options search search-filter uid=)

set access profile juniperlab-users ldap-options search admin-search distinguished-name CN=Administrator,CN=Users,DC=juniperlab,DC=com
set access profile juniperlab-users ldap-options search admin-search password "$ABC123"
set access profile juniperlab-users ldap-server 172.16.26.253
set access firewall-authentication web-authentication default-profile juniperlab-users
set services user-identification active-directory-access domain juniperlab.com user administrator
set services user-identification active-directory-access domain juniperlab.com user password "$ABC123"
set services user-identification active-directory-access domain juniperlab.com domain-controller juniperlab.com address 172.16.26.253
set services user-identification active-directory-access domain juniperlab.com user-group-mapping ldap base DC=juniperlab,DC=com

The configuration is broken down below to show what each portion is for.

Integrating the SRX with Windows WMI to fetch domain users' logon events from the domain controller's event log:

set services user-identification active-directory-access domain juniperlab.com user administrator
set services user-identification active-directory-access domain juniperlab.com user password $ABC123
set services user-identification active-directory-access domain juniperlab.com domain-controller juniperlab.com address 172.16.26.253
set services user-identification active-directory-access domain juniperlab.com user-group-mapping ldap base DC=juniperlab,DC=com

To authenticate users the SRX could not identify from the event log (for example, users on non-domain computers) against LDAP via web authentication [on the same or a different server]:

set access profile juniperlab-users authentication-order ldap
set access profile juniperlab-users ldap-options base-distinguished-name DC=juniperlab,DC=com
set access profile juniperlab-users ldap-options search search-filter sAMAccountName=
set access profile juniperlab-users ldap-options search admin-search distinguished-name CN=Administrator,CN=Users,DC=juniperlab,DC=com
set access profile juniperlab-users ldap-options search admin-search password $ABC123
set access profile juniperlab-users ldap-server 172.16.26.253
set access firewall-authentication web-authentication default-profile juniperlab-users

Configuring Policies:

Make the policies as specific as the deployment allows (explicit source and destination addresses and applications rather than any); the example uses any only to keep the focus on the source-identity match.

The following policy is optional. In this setup the AD server sits behind the firewall (in the mgmt zone), so a policy is required to allow communication between the PCs and the AD server for domain logon.

To allow the PCs to reach the domain controller for DNS, domain information and other resources during user login:

set security policies from-zone trust to-zone mgmt policy Link-With-Server match source-address 192_168_26_0-24
set security policies from-zone trust to-zone mgmt policy Link-With-Server match destination-address Local-Server
set security policies from-zone trust to-zone mgmt policy Link-With-Server match application any
set security policies from-zone trust to-zone mgmt policy Link-With-Server then permit

To allow authenticated users/groups from domain computers [multiple source identities are allowed in the same policy]:

set security policies from-zone trust to-zone untrust policy Internet-Auth-Pass-Engineers match source-address any
set security policies from-zone trust to-zone untrust policy Internet-Auth-Pass-Engineers match destination-address any
set security policies from-zone trust to-zone untrust policy Internet-Auth-Pass-Engineers match application any
set security policies from-zone trust to-zone untrust policy Internet-Auth-Pass-Engineers match source-identity "juniperlab.com\engineers"
set security policies from-zone trust to-zone untrust policy Internet-Auth-Pass-Engineers then permit

To allow authenticated users/groups from non-domain computers [usually guest users]:

set security policies from-zone trust to-zone untrust policy Internet-Auth-Pass-Guest match source-address any
set security policies from-zone trust to-zone untrust policy Internet-Auth-Pass-Guest match destination-address any
set security policies from-zone trust to-zone untrust policy Internet-Auth-Pass-Guest match application any
set security policies from-zone trust to-zone untrust policy Internet-Auth-Pass-Guest match source-identity "juniperlab.com\guests"
set security policies from-zone trust to-zone untrust policy Internet-Auth-Pass-Guest then permit

To prompt unidentified users for credentials (web authentication):

Note: The user has to open a browser and try to reach a website to receive the authentication prompt; ping will not trigger it. This policy also catches domain users whose logon the SRX was unable to read from the event log.

set security policies from-zone trust to-zone untrust policy Internet-Auth-Req match source-address any
set security policies from-zone trust to-zone untrust policy Internet-Auth-Req match destination-address any
set security policies from-zone trust to-zone untrust policy Internet-Auth-Req match application any
set security policies from-zone trust to-zone untrust policy Internet-Auth-Req match source-identity unknown-user
set security policies from-zone trust to-zone untrust policy Internet-Auth-Req match source-identity unauthenticated-user
set security policies from-zone trust to-zone untrust policy Internet-Auth-Req then permit firewall-authentication user-firewall access-profile juniperlab-users
set security policies from-zone trust to-zone untrust policy Internet-Auth-Req then permit firewall-authentication user-firewall domain juniperlab.com
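The three things the breakdown above asks you to get right (a consistent DN tree from the dsquery step, lookup accounts that are not the built-in Administrator, and policies no broader than needed) can be checked mechanically against the set-configuration before it is committed. The following Python script is an added example and not Juniper's code. SAMPLE_CONFIG is the relevant subset of this article's own configuration; FIXED_CONFIG is a hypothetical hardened variant, and the account name srx-userfw and container OU=ServiceAccounts in it are invented for illustration.

```python
"""Lint an SRX Integrated User Firewall set-configuration for the points this
article raises: base DN, admin-search DN and user-group-mapping base must agree;
the lookup accounts should not be the built-in Administrator; identity-based
policies should not match 'application any'. Added example, not Juniper code.
SAMPLE_CONFIG is from the article; FIXED_CONFIG (srx-userfw, OU=ServiceAccounts)
is hypothetical."""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
set access profile juniperlab-users ldap-options base-distinguished-name DC=juniperlab,DC=com
set access profile juniperlab-users ldap-options search admin-search distinguished-name CN=Administrator,CN=Users,DC=juniperlab,DC=com
set services user-identification active-directory-access domain juniperlab.com user administrator
set services user-identification active-directory-access domain juniperlab.com user password "$ABC123"
set services user-identification active-directory-access domain juniperlab.com user-group-mapping ldap base DC=juniperlab,DC=com
set security policies from-zone trust to-zone untrust policy Internet-Auth-Pass-Engineers match application any
set security policies from-zone trust to-zone untrust policy Internet-Auth-Pass-Engineers match source-identity "juniperlab.com\\engineers"
set security policies from-zone trust to-zone untrust policy Internet-Auth-Pass-Engineers then permit
set security policies from-zone trust to-zone untrust policy Internet-Auth-Req match application any
set security policies from-zone trust to-zone untrust policy Internet-Auth-Req match source-identity unknown-user
set security policies from-zone trust to-zone untrust policy Internet-Auth-Req match source-identity unauthenticated-user
set security policies from-zone trust to-zone untrust policy Internet-Auth-Req then permit firewall-authentication user-firewall access-profile juniperlab-users
"""

# Hypothetical hardened variant: dedicated read-only lookup account, explicit web application.
FIXED_CONFIG = (SAMPLE_CONFIG
    .replace("CN=Administrator,CN=Users,", "CN=srx-userfw,OU=ServiceAccounts,")
    .replace("user administrator", "user srx-userfw")
    .replace("Internet-Auth-Pass-Engineers match application any",
             "Internet-Auth-Pass-Engineers match application junos-http")
    .replace("Internet-Auth-Req match application any",
             "Internet-Auth-Req match application junos-http"))

POLICY_RE = re.compile(
    r"^set security policies from-zone (?P<from>\S+) to-zone (?P<to>\S+) policy "
    r"(?P<name>\S+) (?P<kw>match|then) (?P<key>\S+)(?: (?P<val>.*))?$")

def parse_policies(config):
    """Return {policy: {'match': {key: [values]}, 'then': ['permit ...']}} in config order."""
    policies = {}
    for line in config.splitlines():
        m = POLICY_RE.match(line.strip())
        if not m:
            continue
        pol = policies.setdefault(m["name"], {"match": defaultdict(list), "then": []})
        val = (m["val"] or "").strip().strip('"')
        if m["kw"] == "match":
            pol["match"][m["key"]].append(val)
        else:
            pol["then"].append((m["key"] + " " + val).strip())
    return policies

def find_value(config, pattern):
    """First capture group of `pattern` found in any config line, or None."""
    for line in config.splitlines():
        m = re.search(pattern, line)
        if m:
            return m.group(1).strip('"')
    return None

def dn_components(dn):
    """'CN=a,OU=b,DC=c' -> [('CN','a'), ('OU','b'), ('DC','c')]"""
    return [tuple(part.split("=", 1)) for part in dn.split(",")]

def domain_part(dn):
    """The DC=... suffix of a DN, which is what base-distinguished-name should be."""
    return ",".join(f"{k}={v}" for k, v in dn_components(dn) if k.upper() == "DC")

def lint_userfw(config):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    findings = []
    base_dn = find_value(config, r"ldap-options base-distinguished-name (\S+)")
    admin_dn = find_value(config, r"admin-search distinguished-name (\S+)")
    ugm_base = find_value(config, r"user-group-mapping ldap base (\S+)")
    ad_user = find_value(config, r"active-directory-access domain \S+ user (\S+)$")
    if base_dn and admin_dn and domain_part(admin_dn).lower() != base_dn.lower():
        findings.append(f"admin-search DN {admin_dn} is not under base DN {base_dn}")
    if base_dn and ugm_base and ugm_base.lower() != base_dn.lower():
        findings.append(f"user-group-mapping base {ugm_base} differs from base DN {base_dn}")
    if admin_dn and dn_components(admin_dn)[0][1].lower() == "administrator":
        findings.append("LDAP admin-search binds as the built-in Administrator account")
    if ad_user and ad_user.lower() == "administrator":
        findings.append("event-log (WMI) reader is the built-in Administrator account")
    for name, pol in parse_policies(config).items():
        if "source-identity" not in pol["match"] or pol["match"].get("application") != ["any"]:
            continue
        if any("firewall-authentication" in a for a in pol["then"]):
            findings.append(f"policy {name}: web-auth policy matches 'application any'; only "
                            "browser traffic can trigger the prompt, so list web applications (e.g. junos-http)")
        else:
            findings.append(f"policy {name}: identity-based policy matches 'application any'")
    return findings

if __name__ == "__main__":
    for cfg in (SAMPLE_CONFIG, FIXED_CONFIG):
        print(lint_userfw(cfg) or ["no findings"])
```

Feed it the text of `show configuration | display set` from the device. The DN check compares only the DC components, because the lookup account may legitimately sit in any container under the domain; the password line is ignored on purpose, so hashed or obfuscated secrets never influence the result.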

Show Outputs:

Successful linking of the SRX with the Windows Server for fetching event logs:

root@SRX-Firewall# run show services user-identification active-directory-access domain-controller status extensive
Domain: juniperlab.com
Domain controller: juniperlab.com
Address: 172.16.26.253
Status: Connected

Authentication table of SRX (before user login):

root@SRX-Firewall# run show services user-identification active-directory-access active-directory-authentication-table all
Domain: juniperlab.com
Total entries: 2
Source IP        Username         groups        state
172.16.26.1      administrator                  Valid

Domain: NULL
Total entries: 2
Source IP        Username         groups        state
192.168.26.2                                    Invalid
192.168.26.3                                    Invalid

Authentication table of SRX (after user login or after user authentication):

root@SRX-Firewall# run show services user-identification active-directory-access active-directory-authentication-table all
Domain: juniperlab.com
Total entries: 3
Source IP        Username         groups        state
172.16.26.1      administrator                  Valid
192.168.26.2     engg01           engineers     Valid
192.168.26.3     guest01          guests        Valid

Domain: NULL
Total entries: 8
Source IP        Username         groups        state
192.168.26.4                                    Invalid
192.168.26.5                                    Invalid

Flow output showing which policy each source matched. The first session from 192.168.26.2 matched the Internet-Auth-Req policy (the web-authentication step; note that no return packets have been seen yet). Once the user authenticated, the next session from the same host matched Internet-Auth-Pass-Engineers, and the guest host matched Internet-Auth-Pass-Guest:

root@SRX-Firewall# run show security flow session source-prefix 192.168.26.2
Session ID: 14016, Policy name: Internet-Auth-Req/7, Timeout: 16, Valid
In: 192.168.26.2/61677 --> 23.35.200.34/80;tcp, If: fe-0/0/3.0, Pkts: 4, Bytes: 476
Out: 23.35.200.34/80 --> 80.10.126.1/10462;tcp, If: fe-0/0/4.0, Pkts: 0, Bytes: 0

root@SRX-Firewall# run show security flow session source-prefix 192.168.26.2
Session ID: 14069, Policy name: Internet-Auth-Pass-Engineers/4, Timeout: 246, Valid
In: 192.168.26.2/61682 --> 204.79.197.200/80;tcp, If: fe-0/0/3.0, Pkts: 7, Bytes: 772
Out: 204.79.197.200/80 --> 80.10.126.1/29308;tcp, If: fe-0/0/4.0, Pkts: 6, Bytes: 1360

root@SRX-Firewall# run show security flow session source-prefix 192.168.26.3
Session ID: 13851, Policy name: Internet-Auth-Pass-Guest/6, Timeout: 298, Valid
In: 192.168.26.3/51309 --> 216.58.219.35/80;tcp, If: fe-0/0/3.0, Pkts: 4, Bytes: 431
Out: 216.58.219.35/80 --> 80.10.126.1/6482;tcp, If: fe-0/0/4.0, Pkts: 3, Bytes: 976

Checking which groups the SRX has mapped for a user, and which of those groups are referenced by a policy (a user whose groups are not referenced by any policy will not match the group-based permit rules):

root@SRX-Firewall# run show services user-identification active-directory-access user-group-mapping user guest01 domain juniperlab.com
Domain: juniperlab.com
Total num: 3
Groups: domain users, guests, users

[edit]
root@SRX-Firewall# run show services user-identification active-directory-access user-group-mapping user engg01 domain juniperlab.com
Domain: juniperlab.com
Total num: 9
Groups: br-l1, br-l2, br-l3, domain users, engineers, he-l1, he-l2, he-l3, users
Groups referenced by policy: engineers
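To turn the authentication-table output above into an operational check (which sources will be sent to the web-authentication policy, which identified users actually fall into a group referenced by a policy, and whether the printed table is incomplete), the following Python parser is an added example, not part of this article or of Junos. SAMPLE_TABLE is the after-login table shown above, and the referenced group set {"engineers", "guests"} is taken from the policies in this article; the row layout (IP, optional username, zero or more group names, state last) is assumed from that output.

```python
"""Parse 'show services user-identification active-directory-access
active-directory-authentication-table all' output and report unidentified
sources, per-user policy group coverage and truncated domain listings.
Added example, not from KB30911 or Junos. SAMPLE_TABLE is the article's
after-login output; row layout assumed: IP, optional username, zero or more
group names, state as the last token."""
import ipaddress

SAMPLE_TABLE = """\
Domain: juniperlab.com
Total entries: 3
Source IP Username groups state
172.16.26.1 administrator Valid
192.168.26.2 engg01 engineers Valid
192.168.26.3 guest01 guests Valid

Domain: NULL
Total entries: 8
Source IP Username groups state
192.168.26.4 Invalid
192.168.26.5 Invalid
"""

# Groups named in 'match source-identity' in this article's policies.
REFERENCED_GROUPS = {"engineers", "guests"}

def parse_auth_table(text):
    """Return (entries, totals): entries is a list of dicts with keys
    domain, ip, user, groups, state; totals maps domain -> declared count."""
    entries, totals, domain = [], {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Source IP"):
            continue
        if line.startswith("Domain:"):
            domain = line.split(":", 1)[1].strip()
        elif line.startswith("Total entries:"):
            totals[domain] = int(line.split(":", 1)[1])
        else:
            tokens = line.split()
            try:
                ip = str(ipaddress.ip_address(tokens[0]))
            except ValueError:
                continue  # CLI prompt or other non-row text
            entries.append({"domain": domain, "ip": ip, "state": tokens[-1],
                            "user": tokens[1] if len(tokens) > 2 else None,
                            "groups": tokens[2:-1]})
    return entries, totals

def unidentified_sources(entries):
    """IPs with no valid identity: their traffic hits the unknown-user /
    unauthenticated-user policy and receives the web-authentication prompt."""
    return sorted(e["ip"] for e in entries if e["state"] != "Valid" or not e["user"])

def policy_coverage(entries, referenced=REFERENCED_GROUPS):
    """Identified user -> the policy-referenced groups it belongs to. An empty
    list means no group-based permit policy will match that user."""
    return {e["user"]: [g for g in e["groups"] if g in referenced]
            for e in entries if e["state"] == "Valid" and e["user"]}

def truncated_domains(entries, totals):
    """Domains whose declared 'Total entries' differs from the rows shown,
    as (declared, shown); a mismatch means the listing is not complete."""
    shown = {}
    for e in entries:
        shown[e["domain"]] = shown.get(e["domain"], 0) + 1
    return {d: (n, shown.get(d, 0)) for d, n in totals.items() if shown.get(d, 0) != n}

if __name__ == "__main__":
    entries, totals = parse_auth_table(SAMPLE_TABLE)
    print("no identity:", unidentified_sources(entries))
    print("coverage:", policy_coverage(entries))
    print("truncated:", truncated_domains(entries, totals))
```

On the article's own table the truncation check flags the NULL domain (8 entries declared, 2 shown), and the administrator entry at 172.16.26.1 comes back with no referenced group, which is what you would expect since no policy names a group that account is in.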

Modification History:

2019-04-17: Added a note regarding search-filter under the 'Full Configuration' section.
