
[SRX] Security Policy lookup for traffic terminated on loopback interface


Article ID: KB30997   Last Updated: 24 Jun 2016   Version: 1.0
Summary:

This article describes the security policy lookup behavior for traffic terminated on loopback interface.

Symptoms:

Traffic is dropped when attempting to communicate to the SRX via loopback interface.

Cause:

When the SRX receives host-inbound traffic destined to the loopback interface IP, the packet traverses from the ingress interface to the loopback interface. Because of this flow, two policy lookups take place, and security policies must permit the traffic at both:

  • Ingress interface zone --> Loopback zone
  • Loopback zone --> junos-host

Solution:

The following examples show the policy lookup behavior for host-bound traffic under various configurations. IPSec traffic (IKE on UDP port 500 in the traces) was used here.

SRX as VPN Initiator

Traffic generated from SRX is allowed by default using "self-traffic-policy":
Jun 22 13:54:57 13:54:56.998719:CID-0:RT: routed (x_dst_ip 2.2.2.2) from junos-host (.local..0 in 0) to ge-0/0/2.0, Next-hop: 10.10.10.2
Jun 22 13:54:57 13:54:56.998719:CID-0:RT:flow_first_policy_search: policy search from zone junos-host-> zone untrust (0x0,0x1f401f4,0x1f4)
Jun 22 13:54:57 13:54:56.998719:CID-0:RT:Policy lkup: vsys 0 zone(2:junos-host) -> zone(6:untrust) scope:0
Jun 22 13:54:57 13:54:56.998719:CID-0:RT: 1.1.1.1/500 -> 2.2.2.2/500 proto 17
Jun 22 13:54:57 13:54:56.998719:CID-0:RT: app 54, timeout 60s, curr ageout 60s
Jun 22 13:54:57 13:54:56.998719:CID-0:RT: permitted by policy self-traffic-policy(1)
Jun 22 13:54:57 13:54:56.998719:CID-0:RT: packet passed, Permitted by policy.

Note: If traffic to or from the box needs to be blocked, a policy can be created from or to the "junos-host" zone. For example, the following policy denies all traffic to junos-host. Even though lo0 is part of the untrust zone, a second policy lookup is performed before the traffic reaches the RE, so an explicit deny policy drops the packet during that second lookup, as shown below:

set security policies from-zone untrust to-zone junos-host policy untrust-to-junos match source-address any
set security policies from-zone untrust to-zone junos-host policy untrust-to-junos match destination-address any
set security policies from-zone untrust to-zone junos-host policy untrust-to-junos match application any
set security policies from-zone untrust to-zone junos-host policy untrust-to-junos then deny

Jun 22 16:23:24 16:23:24.644809:CID-0:RT: routed (x_dst_ip 1.1.1.1) from untrust (lo0.1 in 0) to .local..0, Next-hop: 1.1.1.1
Jun 22 16:23:24 16:23:24.644809:CID-0:RT:flow_first_policy_search: policy search from zone untrust-> zone junos-host (0x0,0x1f401f4,0x1f4)
Jun 22 16:23:24 16:23:24.644809:CID-0:RT:Policy lkup: vsys 0 zone(6:untrust) -> zone(2:junos-host) scope:0
Jun 22 16:23:24 16:23:24.644809:CID-0:RT: 2.2.2.2/500 -> 1.1.1.1/500 proto 17
Jun 22 16:23:24 16:23:24.645300:CID-0:RT: app 54, timeout 60s, curr ageout 60s
Jun 22 16:23:24 16:23:24.645300:CID-0:RT: packet dropped, denied by policy
Jun 22 16:23:24 16:23:24.645300:CID-0:RT: denied by policy untrust-to-junos(7), dropping pkt
Jun 22 16:23:24 16:23:24.645300:CID-0:RT: packet dropped, policy deny.
SRX as Responder

VPN Egress Interface = lo0.1
Physical Egress Interface = ge-0/0/1.0
ge-0/0/1 and lo0 are part of the same security zone "untrust"

set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone untrust interfaces lo0.1
set security policies from-zone untrust to-zone untrust policy untrust-to-untrust match source-address any
set security policies from-zone untrust to-zone untrust policy untrust-to-untrust match destination-address any
set security policies from-zone untrust to-zone untrust policy untrust-to-untrust match application any
set security policies from-zone untrust to-zone untrust policy untrust-to-untrust then permit

First policy lookup from untrust to untrust
Jun 22 13:59:21 13:59:21.038488:CID-0:RT: routed (x_dst_ip 1.1.1.1) from untrust (ge-0/0/2.0 in 0) to lo0.1, Next-hop: 1.1.1.1
Jun 22 13:59:21 13:59:21.038488:CID-0:RT:flow_first_policy_search: policy search from zone untrust-> zone untrust (0x0,0x1f401f4,0x1f4)  
Jun 22 13:59:21 13:59:21.038488:CID-0:RT:Policy lkup: vsys 0 zone(6:untrust) -> zone(6:untrust) scope:0  
Jun 22 13:59:21 13:59:21.038488:CID-0:RT: 2.2.2.2/500 -> 1.1.1.1/500 proto 17  
Jun 22 13:59:21 13:59:21.038488:CID-0:RT: app 54, timeout 60s, curr ageout 60s   
Jun 22 13:59:21 13:59:21.038488:CID-0:RT: permitted by policy untrust-to-untrust(6)   
Jun 22 13:59:21 13:59:21.038488:CID-0:RT: packet passed, Permitted by policy.
Second policy lookup from untrust to junos-host
Jun 22 13:59:21 13:59:21.038983:CID-0:RT: routed (x_dst_ip 1.1.1.1) from untrust (lo0.1 in 0) to .local..0, Next-hop: 1.1.1.1
Jun 22 13:59:21 13:59:21.038983:CID-0:RT:flow_first_policy_search: policy search from zone untrust-> zone junos-host (0x0,0x1f401f4,0x1f4)
Jun 22 13:59:21 13:59:21.038983:CID-0:RT:Policy lkup: vsys 0 zone(6:untrust) -> zone(2:junos-host) scope:0
Jun 22 13:59:21 13:59:21.038983:CID-0:RT: 2.2.2.2/500 -> 1.1.1.1/500 proto 17
Jun 22 13:59:21 13:59:21.038983:CID-0:RT: app 54, timeout 60s, curr ageout 60s
Jun 22 13:59:21 13:59:21.038983:CID-0:RT: permitted by policy self-traffic-policy(1)
Jun 22 13:59:21 13:59:21.038983:CID-0:RT: packet passed, Permitted by policy.
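When reading traces like the two lookups above, it helps to reduce each stage to its zone pair, 5-tuple, matched policy and verdict. The following parser is an added example written for this article, not Junos code or a Juniper tool; it keys on the "routed", "policy search", flow and "permitted/denied by policy" lines exactly as they appear in the traces on this page, and the two sample traces embedded in it are taken from this article (the responder trace above and the explicit untrust-to-junos-host deny example).

```python
"""Reconstruct the policy-lookup stages from SRX flow-trace lines like the ones in
this article (added example, not Junos code). Each "routed ... from <zone> (<if>)
to <if>" line starts a stage; the zone pair, 5-tuple and matched policy that follow
are attached to it, and the overall verdict is the first deny, if any."""
import re
from dataclasses import dataclass

# Patterns for the trace lines shown in this article.
RE_ROUTED = re.compile(r"routed \(x_dst_ip \S+\) from \S+ \((\S+) in \d+\) to (\S+),")
RE_SEARCH = re.compile(r"policy search from zone (\S+)-> zone (\S+)")
RE_FLOW = re.compile(r"RT: (\S+/\d+) -> (\S+/\d+) proto (\d+)")
RE_VERDICT = re.compile(r"(permitted|denied) by policy (\S+?)\((\d+)\)")


@dataclass
class Lookup:
    """One policy lookup stage as seen in the trace."""
    in_if: str = ""
    out_if: str = ""
    from_zone: str = ""
    to_zone: str = ""
    flow: str = ""
    policy: str = ""
    action: str = ""        # "permitted" or "denied"


def parse_trace(lines):
    """Return the Lookup stages found in the trace, in the order they happened."""
    stages, cur = [], None
    for line in lines:
        m = RE_ROUTED.search(line)
        if m:                                   # a "routed" line opens a new stage
            cur = Lookup(in_if=m.group(1), out_if=m.group(2))
            stages.append(cur)
            continue
        m = RE_SEARCH.search(line)
        if m:                                   # a policy search without a "routed" line also opens one
            if cur is None or cur.from_zone:
                cur = Lookup()
                stages.append(cur)
            cur.from_zone, cur.to_zone = m.group(1), m.group(2)
            continue
        if cur is None:
            continue
        m = RE_FLOW.search(line)
        if m:
            cur.flow = f"{m.group(1)} -> {m.group(2)} proto {m.group(3)}"
            continue
        m = RE_VERDICT.search(line)
        if m:
            cur.action, cur.policy = m.group(1), m.group(2)
    return stages


def verdict(stages):
    """('passed', None) if every stage permitted the packet, else ('dropped', index of the denying stage)."""
    for i, stage in enumerate(stages):
        if stage.action == "denied":
            return "dropped", i
    return "passed", None


# Trace lines taken from the "SRX as Responder" section of this article.
RESPONDER_TRACE = [
    "Jun 22 13:59:21 13:59:21.038488:CID-0:RT: routed (x_dst_ip 1.1.1.1) from untrust (ge-0/0/2.0 in 0) to lo0.1, Next-hop: 1.1.1.1",
    "Jun 22 13:59:21 13:59:21.038488:CID-0:RT:flow_first_policy_search: policy search from zone untrust-> zone untrust (0x0,0x1f401f4,0x1f4)",
    "Jun 22 13:59:21 13:59:21.038488:CID-0:RT: 2.2.2.2/500 -> 1.1.1.1/500 proto 17",
    "Jun 22 13:59:21 13:59:21.038488:CID-0:RT: permitted by policy untrust-to-untrust(6)",
    "Jun 22 13:59:21 13:59:21.038488:CID-0:RT: packet passed, Permitted by policy.",
    "Jun 22 13:59:21 13:59:21.038983:CID-0:RT: routed (x_dst_ip 1.1.1.1) from untrust (lo0.1 in 0) to .local..0, Next-hop: 1.1.1.1",
    "Jun 22 13:59:21 13:59:21.038983:CID-0:RT:flow_first_policy_search: policy search from zone untrust-> zone junos-host (0x0,0x1f401f4,0x1f4)",
    "Jun 22 13:59:21 13:59:21.038983:CID-0:RT: 2.2.2.2/500 -> 1.1.1.1/500 proto 17",
    "Jun 22 13:59:21 13:59:21.038983:CID-0:RT: permitted by policy self-traffic-policy(1)",
    "Jun 22 13:59:21 13:59:21.038983:CID-0:RT: packet passed, Permitted by policy.",
]
# Trace lines taken from the explicit untrust-to-junos-host deny example in this article.
DENIED_TRACE = [
    "Jun 22 16:23:24 16:23:24.644809:CID-0:RT: routed (x_dst_ip 1.1.1.1) from untrust (lo0.1 in 0) to .local..0, Next-hop: 1.1.1.1",
    "Jun 22 16:23:24 16:23:24.644809:CID-0:RT:flow_first_policy_search: policy search from zone untrust-> zone junos-host (0x0,0x1f401f4,0x1f4)",
    "Jun 22 16:23:24 16:23:24.644809:CID-0:RT: 2.2.2.2/500 -> 1.1.1.1/500 proto 17",
    "Jun 22 16:23:24 16:23:24.645300:CID-0:RT: denied by policy untrust-to-junos(7), dropping pkt",
    "Jun 22 16:23:24 16:23:24.645300:CID-0:RT: packet dropped, policy deny.",
]

if __name__ == "__main__":
    for name, trace in (("responder", RESPONDER_TRACE), ("explicit deny", DENIED_TRACE)):
        stages = parse_trace(trace)
        for s in stages:
            print(f"{name}: {s.from_zone} -> {s.to_zone}: {s.action} by {s.policy} ({s.flow})")
        print(f"{name}: packet {verdict(stages)[0]}")
```

Feed it the output of a flow traceoptions capture and the second stage (to junos-host) appears as its own entry, which makes it obvious whether a drop came from the ingress-zone-to-loopback-zone lookup or from a policy on the junos-host zone.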


Restricting inbound traffic via policies

To restrict host-bound traffic, you may configure an explicit policy that denies traffic from one zone to another, or use global policies to deny it.
Zone-based policies take precedence over global policies.

Example: a global deny policy with no explicit policy configured for the untrust-to-untrust zone pair.
set security policies global policy global_deny match source-address any
set security policies global policy global_deny match destination-address any
set security policies global policy global_deny match application any
set security policies global policy global_deny then deny

Jun 22 14:03:30 14:03:30.316873:CID-0:RT:flow_first_policy_search: policy search from zone untrust-> zone intrust (0x0,0x1f401f4,0x1f4)
Jun 22 14:03:30 14:03:30.316873:CID-0:RT:Policy lkup: vsys 0 zone(6:untrust) -> zone(6:untrust) scope:0
Jun 22 14:03:30 14:03:30.316873:CID-0:RT: 2.2.2.2/500 -> 1.1.1.1/500 proto 17
Jun 22 14:03:30 14:03:30.316873:CID-0:RT:Policy lkup: vsys 0 zone(5:Unknown) -> zone(5:Unknown) scope:0
Jun 22 14:03:30 14:03:30.317249:CID-0:RT: 2.2.2.2/500 -> 1.1.1.1/500 proto 17
Jun 22 14:03:30 14:03:30.317249:CID-0:RT: app 54, timeout 60s, curr ageout 60s
Jun 22 14:03:30 14:03:30.317249:CID-0:RT: packet dropped, denied by policy
Jun 22 14:03:30 14:03:30.317249:CID-0:RT: denied by policy global_deny(7), dropping pkt
Jun 22 14:03:30 14:03:30.317249:CID-0:RT: packet dropped, policy deny
Default Deny

SRX devices, by default, deny all traffic; explicit zone-based or global policies are required to allow it.
If no explicit policy allows the traffic, the policy lookup fails and the packet is dropped:
Jun 22 14:09:43 14:09:43.500445:CID-0:RT: routed (x_dst_ip 1.1.1.1) from untrust (ge-0/0/2.0 in 0) to lo0.1, Next-hop: 1.1.1.1
Jun 22 14:09:43 14:09:43.500445:CID-0:RT:flow_first_policy_search: policy search from zone untrust-> zone vpn (0x0,0x1f401f4,0x1f4)
Jun 22 14:09:43 14:09:43.500445:CID-0:RT:Policy lkup: vsys 0 zone(6:untrust) -> zone(10:vpn) scope:0
Jun 22 14:09:43 14:09:43.500445:CID-0:RT: 2.2.2.2/500 -> 1.1.1.1/500 proto 17
Jun 22 14:09:43 14:09:43.500445:CID-0:RT:Policy lkup: vsys 0 zone(5:Unknown) -> zone(5:Unknown) scope:0
Jun 22 14:09:43 14:09:43.500445:CID-0:RT: 2.2.2.2/500 -> 1.1.1.1/500 proto 17
Jun 22 14:09:43 14:09:43.500445:CID-0:RT: app 54, timeout 60s, curr ageout 60s
Jun 22 14:09:43 14:09:43.500445:CID-0:RT: packet dropped, denied by policy
Jun 22 14:09:43 14:09:43.500939:CID-0:RT: denied by policy default-policy-00(2), dropping pkt
Jun 22 14:09:43 14:09:43.500939:CID-0:RT: packet dropped, policy deny. 
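The Cause section, the note on restricting inbound traffic and the default-deny behaviour above describe one lookup order per stage and two stages per host-inbound packet. The model below is an added example written for this article, not Junos code; it encodes that order (zone-pair policy, then global policy, then the implicit self-traffic-policy when the junos-host zone is involved, then default deny) and replays the configurations shown on this page. The names Policy, PolicySet and host_inbound_lookup are the example's own, and the placement of global policies ahead of the implicit self-traffic-policy for the junos-host stage is an assumption of the model that the traces on this page do not exercise.

```python
"""Simplified model of the SRX policy lookups this article describes for traffic
terminating on a loopback address (added example, not Junos code). Lookup order
per stage: zone-pair policies, then global policies, then the implicit
self-traffic-policy for the junos-host zone, then default deny."""
from dataclasses import dataclass, field


@dataclass
class Policy:
    name: str
    action: str                 # "permit" or "deny"
    src: str = "any"
    dst: str = "any"
    app: str = "any"

    def matches(self, src, dst, app):
        """'any' matches everything; otherwise the field must match exactly."""
        return all(want in ("any", got)
                   for want, got in ((self.src, src), (self.dst, dst), (self.app, app)))


@dataclass
class PolicySet:
    # (from_zone, to_zone) -> ordered policies, as in "from-zone X to-zone Y policy ..."
    zone_policies: dict = field(default_factory=dict)
    global_policies: list = field(default_factory=list)

    def add_zone_policy(self, from_zone, to_zone, policy):
        self.zone_policies.setdefault((from_zone, to_zone), []).append(policy)

    def lookup(self, from_zone, to_zone, src, dst, app):
        """One policy lookup; returns (matched policy name, action)."""
        for pol in self.zone_policies.get((from_zone, to_zone), []):   # zone pair first
            if pol.matches(src, dst, app):
                return pol.name, pol.action
        for pol in self.global_policies:                               # then global (assumed to precede
            if pol.matches(src, dst, app):                             # self-traffic-policy; not shown on the page)
                return pol.name, pol.action
        if "junos-host" in (from_zone, to_zone):                       # implicit self-traffic policy
            return "self-traffic-policy", "permit"
        return "default-policy-00", "deny"                             # default deny


def host_inbound_lookup(ps, ingress_zone, loopback_zone, src, dst, app="ike"):
    """The two lookups for a packet that enters on ingress_zone and terminates on a
    loopback interface in loopback_zone. Stops at the first deny, as the traces do."""
    stages = []
    for fz, tz in ((ingress_zone, loopback_zone), (loopback_zone, "junos-host")):
        name, action = ps.lookup(fz, tz, src, dst, app)
        stages.append((fz, tz, name, action))
        if action == "deny":
            break
    return stages


def scenarios():
    """The configurations from this article, replayed through the model.
    Addresses are the article's 2.2.2.2 (peer) -> 1.1.1.1 (lo0.1)."""
    src, dst = "2.2.2.2", "1.1.1.1"
    results = {}

    # SRX as responder: lo0.1 and ge-0/0/1.0 both in "untrust" with an intra-zone permit.
    ps = PolicySet()
    ps.add_zone_policy("untrust", "untrust", Policy("untrust-to-untrust", "permit"))
    results["responder"] = host_inbound_lookup(ps, "untrust", "untrust", src, dst)

    # Same, plus the explicit deny from untrust to junos-host: the second lookup drops it.
    ps.add_zone_policy("untrust", "junos-host", Policy("untrust-to-junos", "deny"))
    results["explicit-host-deny"] = host_inbound_lookup(ps, "untrust", "untrust", src, dst)

    # Global deny and no untrust-to-untrust policy: the first lookup falls to the global policy.
    ps = PolicySet(global_policies=[Policy("global_deny", "deny")])
    results["global-deny"] = host_inbound_lookup(ps, "untrust", "untrust", src, dst)

    # Zone policies beat the global deny: explicit permits on both pairs (constructed names).
    ps.add_zone_policy("untrust", "untrust", Policy("untrust-to-untrust", "permit"))
    ps.add_zone_policy("untrust", "junos-host", Policy("allow-ike-to-host", "permit", app="ike"))
    results["zone-over-global"] = host_inbound_lookup(ps, "untrust", "untrust", src, dst)

    # No policies at all: default deny on the first lookup (untrust -> vpn, as in the trace above).
    results["default-deny"] = host_inbound_lookup(PolicySet(), "untrust", "vpn", src, dst)
    return results


if __name__ == "__main__":
    for name, stages in scenarios().items():
        print(name, "->", " | ".join(f"{fz}>{tz}: {action} by {pol}" for fz, tz, pol, action in stages))
```

The point the model makes explicit is that a permit on the ingress-zone-to-loopback-zone pair is necessary but not sufficient: the packet still has to survive the lookup into junos-host, which is where an explicit deny to junos-host, or the absence of any permit, ends the flow.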

Reference Configuration

set security ike policy ike-pol mode main
set security ike policy ike-pol proposal-set standard
set security ike policy ike-pol pre-shared-key ascii-text "$9$Z9DH.QF/0BEP5BEcyW8ZUj"
set security ike gateway ike-gw ike-policy ike-pol
set security ike gateway ike-gw address 1.1.1.1
set security ike gateway ike-gw dead-peer-detection
set security ike gateway ike-gw external-interface lo0.1
set security ike gateway ike-gw version v1-only
set security ipsec policy vpn-policy perfect-forward-secrecy keys group2
set security ipsec policy vpn-policy proposal-set standard
set security ipsec vpn ipsec-vpn bind-interface st0.1
set security ipsec vpn ipsec-vpn ike gateway ike-gw
set security ipsec vpn ipsec-vpn ike ipsec-policy vpn-policy
