[SRX] Example Configuration - Web redirect for Pass through HTTP traffic with firewall user authentication

[KB31391]


Summary:

This article explains how to configure web-redirect for pass-through HTTP traffic with firewall user authentication, so that credentials are not exchanged in clear text during authentication.

Symptoms:

During pass-through authentication, when the SRX receives an HTTP request carrying the clear-text user name and password in the HTTP header, it forwards the successfully authenticated traffic to the back-end server without modifying that header. On all SRX Series devices, after a user is authenticated by pass-through firewall user authentication, the credentials can therefore be captured in plain text in the subsequent HTTP request to the target server. To mitigate this security vulnerability, starting from Junos OS versions 12.1X47-D35, 12.3X48-D25, 12.3X48-D30, 15.1X49-D35, 15.1X49-D40, and 16.1R1, a commit warning was introduced that recommends web-redirect for HTTP traffic. Using web-redirect to an SRX IP address ensures that the authentication headers are sent only to the SRX.

Example commit warning:

root@srx3600# commit check
[edit security policies from-zone UT-ZONE to-zone T-ZONE policy P1 then permit firewall-authentication]
'pass-through'
We recommend that you configure web-redirect for HTTP pass-through instead of using direct HTTP pass-through because web browser may automatically carry credential in subsequential request to target web-server.
configuration check succeeds

Notes:

  • This is a warning message and does not affect the services and features configured on SRX.
  • This issue affects all SRX platforms (branch SRX, high-end SRX, and vSRX platforms) and occurs when pass-through firewall user authentication is used.

Solution:

To prevent the clear-text credential exchange and stop the commit warning messages, configure web-redirect on every security policy that has firewall authentication enabled for pass-through traffic.

Refer to Example: Configuring Pass-Through Authentication

Steps to configure web-redirect:

  1. Identify all security policies that have firewall user authentication enabled for pass-through traffic.

  2. Configure web-redirect to the security policy as follows:

    set security policies from-zone untrust to-zone trust policy test then permit firewall-authentication pass-through web-redirect

  3. Enable firewall authentication on the ingress interface for the traffic as follows:

    set interfaces ge-0/0/1 unit 0 family inet address 21.0.0.100/24 preferred
    set interfaces ge-0/0/1 unit 0 family inet address 21.0.0.101/24 web-authentication http

Note: Web-authentication cannot be configured on the IP address that the interface itself uses. Hence, configure the interface's own IP address as preferred and assign a second, free IP address on the same interface for web-authentication.
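The following script is an added example, not part of this article or Juniper's tooling. It audits a configuration in `show configuration | display set` form for the three steps above: it reports pass-through policies that still lack `web-redirect` (step 1), builds the step 2 `set` command for each, and lists the addresses that terminate `web-authentication http` (step 3). The sample configuration, zone and policy names are constructed for the example.

```python
import re
from typing import Dict, List, Set

# Constructed sample in "display set" form (not from a real device). P1 is
# direct pass-through and should be reported, P2 already uses web-redirect,
# and P3 has no firewall authentication at all.
SAMPLE_CONFIG = """
set security policies from-zone UT-ZONE to-zone T-ZONE policy P1 match source-address any
set security policies from-zone UT-ZONE to-zone T-ZONE policy P1 then permit firewall-authentication pass-through
set security policies from-zone untrust to-zone trust policy P2 then permit firewall-authentication pass-through web-redirect
set security policies from-zone untrust to-zone dmz policy P3 then permit
set interfaces ge-0/0/1 unit 0 family inet address 21.0.0.100/24 preferred
set interfaces ge-0/0/1 unit 0 family inet address 21.0.0.101/24 web-authentication http
"""

POLICY_RE = re.compile(
    r"^set security policies from-zone (?P<fz>\S+) to-zone (?P<tz>\S+) policy (?P<name>\S+) "
    r"then permit firewall-authentication pass-through(?P<rest>.*)$"
)
WEBAUTH_RE = re.compile(
    r"^set interfaces (?P<ifd>\S+) unit (?P<unit>\S+) family inet address (?P<addr>\S+) web-authentication http\b"
)

def direct_pass_through_policies(config: str) -> List[str]:
    """Return 'from-zone/to-zone/policy' for each pass-through policy without web-redirect.
    Options are aggregated per policy because 'display set' may emit each leaf on its own line."""
    options: Dict[str, Set[str]] = {}
    for line in config.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            key = f"{m['fz']}/{m['tz']}/{m['name']}"
            options.setdefault(key, set()).update(m["rest"].split())
    # startswith() also accepts the web-redirect-to-https variant of the option
    return sorted(k for k, opts in options.items()
                  if not any(o.startswith("web-redirect") for o in opts))

def remediation_commands(config: str) -> List[str]:
    """Build the step 2 set command for every policy that still needs web-redirect."""
    cmds = []
    for key in direct_pass_through_policies(config):
        fz, tz, name = key.split("/")
        cmds.append(f"set security policies from-zone {fz} to-zone {tz} policy {name} "
                    f"then permit firewall-authentication pass-through web-redirect")
    return cmds

def web_auth_addresses(config: str) -> List[str]:
    """Return 'ifd.unit address' for every address that terminates web-authentication http."""
    return [f"{m['ifd']}.{m['unit']} {m['addr']}"
            for line in config.splitlines() if (m := WEBAUTH_RE.match(line.strip()))]
```

An empty result from `web_auth_addresses` means step 3 is still missing even if every policy already has `web-redirect`.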