
[Security Director] Managing IDP, AppFW and UTM on SRX 18.2 and above with Security Director


Article ID: KB34945   KB Last Updated: 17 Jan 2020   Version: 4.0
Summary:

Junos 18.2 introduced a number of configuration stanza adjustments relating to IDP, AppFW and UTM for SRX devices.  

Migration to the new configuration syntax is required when SRX devices are to be managed by Security Director.

Junos Space Security Director 19.3 and higher supports the majority of these differences. (A few known issues exist with SD 19.3 for UTM that will be fixed in a future release)
 

Symptoms:
  1. Attempting to import a new or existing SRX into Security Director that uses the legacy configuration syntax of Junos 18.1 or lower for the IDP, AppFW and/or UTM features.
     • Security Director will not import the complete configuration.
  2. After upgrading an SRX firewall that is already managed by Security Director, and that has IDP, AppFW and/or UTM configuration, from a version lower than 18.2 to version 18.2 or higher:
     • Security Director publish preview may continue to show that IPS, AppFW or UTM need to be updated to the SRX after a successful update.
     • Security Director update will attempt to apply IPS, AppFW or UTM configuration that already exists on the device CLI, resulting in update/commit failure.
     • Device update fails with "statement creation failed" or another configuration error related to IPS, AppFW or UTM.

Cause:

As of Junos SRX 18.2, IDP/UTM/AppFW configuration has started a deprecation process: the legacy configuration stanzas are moved to a hidden CLI state and new configuration stanzas are introduced. Because the old stanzas are now hidden, Junos Space Security Director is unable to manage SRX devices running Junos 18.2 and above the same way as earlier versions.

NOTE: Legacy configuration stanzas continue to work the same way on Junos; the impact is on Security Director management.

The deprecation can be seen on the SRX CLI when using a "show" command (only in standard notation; set notation does not show the deprecated comments):

# show security
application-firewall { ## Warning: 'application-firewall' is deprecated

Set notation example, which does not show the deprecated warning:
# show security | display set
set security application-firewall rule-sets APPFW_RuleSet1 rule AppFW_rule1 match dynamic-application junos:CNN
set security application-firewall rule-sets APPFW_RuleSet1 rule AppFW_rule1 then permit
set security application-firewall rule-sets APPFW_RuleSet1 rule AppFW_rule2 match dynamic-application junos:AMAZON
set security application-firewall rule-sets APPFW_RuleSet1 rule AppFW_rule2 then permit
set security application-firewall rule-sets APPFW_RuleSet1 default-rule permit
set security policies from-zone zone1 to-zone zone2 policy AppFW_FW_Policy1 match source-address any

Output from SRX 18.2 showing the completion options for "set security":
# set security ?
Possible completions:
> address-book         Security address book
> advance-policy-based-routing  Configure Network Security APBR Policies
> alarms               Configure security alarms
> alg                  Configure ALG security options
> analysis             Configure security analysis
> application-tracking  Application tracking configuration
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> authentication-key-chains  Authentication key chain configuration
> certificates         X.509 certificate configuration

<Output is alphabetical, removed the remaining items>
Notice that the application-firewall option is not available.

AppFW
Junos SRX has transitioned to a new configuration model called Unified Policy, which requires that the application firewall configuration be removed and merged into the firewall policies. This also changes how the SRX processes traffic; please review the technical documentation on the use of Unified Security Policies. Contact SRX JTAC for questions regarding the SRX documentation.

IDP
Junos SRX has changed some of the IDP configuration commands to allow a separate IDP policy to be assigned to each firewall rule. The firewall policies need to be modified to the new syntax.

UTM
A number of commands found under utm feature-profile are now found under utm default-configuration and need to be migrated. The earlier UTM feature-profile commands are now hidden, but not marked as deprecated.


 
SRX Feature | SRX Junos Version | SD Supported Version | Remarks
Unified Firewall Policy (dynamic-application in fw rule) | 18.2 and higher | SD 18.4 and higher | Support to configure L7 apps from Firewall policy
IPS "active-policy" | 18.1 and lower | All SD versions |
Deprecated IDP "active-policy" | 18.2 and above | Conversion support only with SD 19.3 and higher | SD will aid in conversion from deprecated "active-policy" to the new SRX configuration syntax
IPS Policy using "idp-policy" in firewall rule | 18.2 and above | SD 19.3 and higher | Support to configure IPS Policy from Firewall Policy
Multiple IDP policies using "idp-policy" in firewall rule and Default IDP Policy | 18.3 and above | SD 19.3 and higher | Support to configure multiple IPS Policies from Firewall Policy and select the default IDP policy
AppFW (application-firewall) | 18.1 and lower | All SD versions |
Deprecated AppFW (application-firewall) | 18.2 and above | None; deprecated by Junos, not supported in SD |
UTM feature profiles | 18.1 and lower | All SD versions |
Deprecated UTM feature-profile elements | 18.2 and above | None; deprecated by Junos, not supported in SD | Many but not all feature-profile commands are deprecated by Junos and moved to default-configuration; see below for the full list
UTM Default Configuration | 18.2 and above | SD 19.3 and higher |

 
Solution:

If IPS or UTM functions are needed with Security Director, either continue using Junos 18.1 or lower, or upgrade to Security Director 19.3 or above once available.

See the SRX release notes (current at the time of writing), and note the changes to IDP and UTM that are part of the Unified Policy changes.

AppFW, now Unified Policy

SRX versions below 18.2:
set security application-firewall *
set security policies from-zone <zone> to-zone <zone> policy <policy> then permit application-services application-firewall rule-set

18.2 and above:
Convert to use of Unified Policies:
set security policies from-zone <zone> to-zone <zone> policy <policy> match dynamic-application

Security Director 18.4R1 and above supports Unified Policy (see the Security Director release notes).

If using Security Director to aid with policy migration, the following process can be used. (Only available for Security Director Device Policies; migration is not available for Group Policies.)
  1. Clone the existing policy in SD.
  2. Remove all existing AppFW configuration from the policy.
  3. Select the modified policy in Security Director, right-click and select Convert to Unified Policy.
  4. Navigate to the migrated policy in Security Director, now found under Unified Policies.
  5. Add new application-based rules following the Unified Policy structure; see the SRX documentation for details on functionality.
  6. Un-assign the existing standard policy from the device.
  7. Assign the new policy to the firewall.
  8. In a maintenance window, from the SRX CLI manually delete the security application-firewall stanza and the "application-services application-firewall" statement from all firewall rules that have it.
  9. Update the new policy to the SRX.
 

IDP

Security Director support: Junos Space Security Director version 19.3 or higher is required to manage IDP with SRX 18.2 and above.

SRX Versions below 18.2

set security policies from-zone <zone> to-zone <zone> policy <policy> then permit application-services idp
set security idp active-policy <IDP policy name>
Works in all Security Director versions.
 

SRX 18.2 only

Instead of using active-policy to specify the IDP policy that applies to every firewall rule, the IDP policy is now specified on each firewall rule.
set security policies from-zone <zone> to-zone <zone> policy <policy #1> then permit application-services <IDP policy name>
set security policies from-zone <zone> to-zone <zone> policy <policy #2> then permit application-services <IDP policy name>
 
  • Only 1 IDP Policy name can be used for all firewall rules.
  • active-policy is a deprecated command.
  • This can be used with the “unified policy” or “legacy policy”

 
SRX 18.3 and above
Unique IDP policy per firewall rule now possible
                              
set security policies from-zone <zone> to-zone <zone> policy <policy #1> then permit application-services <IDP policy name #1>
set security policies from-zone <zone> to-zone <zone> policy <policy #2> then permit application-services <IDP policy name  #2>
set security idp default-policy <IDP policy name>
  • default-policy is required when 2 different IDP policies are in use; it is optional if only 1 idp-policy has been configured
  • A separate IDP policy can be used for each firewall rule
  • Can be used with the “unified policy” or “legacy policy”

Upgrading from Junos 18.1 and lower to 18.2 and above when using IDP and Security Director

After upgrading the SRX to 18.2 and above, the following conversion steps are required.
  1. Edit all firewall rules containing "then permit application-services idp" to "then permit application-services <IDP policy name>".
     This can be done on the device CLI, or in the SD UI by editing each rule with IDP configured. Note that there are two separate dropdowns depending on the SRX code version; select the IDP policy name from the 18.2 and higher dropdown. Publish and update the firewall policy to the device.

     Note: With SRX 18.2 and higher devices, the IDP policy is no longer seen as assigned to the SRX device. IDP policies are now linked to, and published/updated in combination with, the firewall policy.
  2. Remove the following config line from the SRX manually (SD cannot do this for you):
     set security idp active-policy <IDP policy name>
  3. If the SRX is running 18.3+, configure default-policy.
     Via SRX CLI:
         set security idp default-policy <IDP policy name>
     Using Security Director:
         Navigate to the Firewall Policy screen, select "Global Options" at the top of the screen, select the IDP tab and select the default IDP policy on a per-device basis.

Note: If any steps were performed on the SRX CLI to modify the IDP configuration, the policy will need to be re-imported into Security Director.
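The manual clean-up in the AppFW procedure (step 8) and the IDP conversion steps above can be checked before a maintenance window by scanning the device's "show security | display set" output for the legacy statements. The following script is an added example, not part of this article or of Security Director; it assumes the per-rule IDP statement takes the full form application-services idp-policy <name> (the keyword named in the comparison table) and runs on a constructed sample.

```python
import re

# Constructed sample of "show security | display set" output (not from a real device)
SAMPLE_SET_OUTPUT = """\
set security application-firewall rule-sets APPFW_RuleSet1 rule AppFW_rule1 match dynamic-application junos:CNN
set security application-firewall rule-sets APPFW_RuleSet1 rule AppFW_rule1 then permit
set security application-firewall rule-sets APPFW_RuleSet1 default-rule permit
set security policies from-zone zone1 to-zone zone2 policy AppFW_FW_Policy1 match source-address any
set security policies from-zone zone1 to-zone zone2 policy AppFW_FW_Policy1 then permit application-services application-firewall rule-set APPFW_RuleSet1
set security policies from-zone zone1 to-zone zone2 policy IDP_Policy1 then permit application-services idp
set security idp active-policy Recommended
"""

# Matches the application-services part of a "then permit" statement on a firewall rule
POLICY_RE = re.compile(
    r"^set security policies (from-zone \S+ to-zone \S+ policy \S+) "
    r"then permit application-services (\S+)(.*)$"
)

def audit_legacy(set_output, idp_policy_name):
    """Return (cleanup, migrate): delete commands for legacy statements that
    Security Director cannot remove, and the per-rule idp-policy statements that
    replace the bare "application-services idp" form (assumed syntax, see lead-in)."""
    cleanup, migrate = [], []
    for line in set_output.splitlines():
        line = line.strip()
        if line.startswith("set security application-firewall "):
            cmd = "delete security application-firewall"
            if cmd not in cleanup:  # one delete removes the whole legacy stanza
                cleanup.append(cmd)
            continue
        if line.startswith("set security idp active-policy "):
            cleanup.append("delete security idp active-policy")
            continue
        m = POLICY_RE.match(line)
        if not m:
            continue
        rule, service, rest = m.groups()
        if service == "application-firewall":
            cleanup.append(f"delete security policies {rule} "
                           "then permit application-services application-firewall")
        elif service == "idp" and not rest.strip():
            migrate.append(f"set security policies {rule} "
                           f"then permit application-services idp-policy {idp_policy_name}")
    return cleanup, migrate

if __name__ == "__main__":
    cleanup, migrate = audit_legacy(SAMPLE_SET_OUTPUT, "Recommended")
    print("\n".join(["# remove on SRX CLI:"] + cleanup + ["# new per-rule IDP:"] + migrate))
```

On 18.2 the same policy name must be passed for every rule; on 18.3 and above a different name per rule is allowed, with default-policy set as described above.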

UTM

Security Director support: Junos Space Security Director version 19.3 or higher is required to manage UTM features with SRX 18.2 and above.
With Security Director 19.3 it is not possible to configure Anti-virus, as the UI does not allow selection of the anti-virus type; this will be fixed in a future release.


The following UTM commands have changed in SRX 18.2 and above, and the older form has been deprecated in Junos, preventing these commands from working as expected with Security Director.

SRX Versions below 18.2 use the following commands:
set security utm feature-profile web-filtering type
set security utm feature-profile web-filtering url-blacklist
set security utm feature-profile web-filtering url-whitelist
set security utm feature-profile web-filtering http-persist
set security utm feature-profile web-filtering http-reassemble
set security utm feature-profile web-filtering juniper-enhanced cache
set security utm feature-profile web-filtering juniper-enhanced reputation
set security utm feature-profile web-filtering juniper-enhanced query-type
set security utm feature-profile anti-virus mime-whitelist
set security utm feature-profile anti-virus url-whitelist
set security utm feature-profile anti-virus type
set security utm feature-profile anti-virus sophos-engine
set security utm feature-profile anti-spam address-blacklist
set security utm feature-profile anti-spam address-whitelist


SRX 18.2 and above use the new commands:
set security utm default-configuration web-filtering type
set security utm default-configuration web-filtering url-filtering
set security utm default-configuration web-filtering url-blacklist
set security utm default-configuration web-filtering http-persist
set security utm default-configuration web-filtering http-reassemble
set security utm default-configuration web-filtering juniper-enhanced cache
set security utm default-configuration web-filtering juniper-enhanced reputation
set security utm default-configuration web-filtering juniper-enhanced query-type
set security utm default-configuration anti-virus mime-whitelist
set security utm default-configuration anti-virus url-whitelist
set security utm default-configuration anti-virus anti-virus type
set security utm default-configuration anti-virus anti-virus sophos-engine
set security utm default-configuration anti-spam address-blacklist
set security utm default-configuration anti-spam address-whitelist


For Security Director 19.3 and above to manage a device that uses any of the above commands correctly, the UTM configuration lines must be migrated to the new syntax.

Some of this migration is possible in the Security Director UI; further details will be added in a future KB update.

Important: After migrating the commands above to the new syntax, whether using Security Director or the SRX CLI, the previous command syntax must be manually removed from the device CLI.

If the changes were made using the SRX CLI, please re-import the device into Security Director.
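As an added example (not part of this article or of Security Director), the following script rewrites the deprecated feature-profile statements from the list above into the default-configuration syntax where the new line is a plain prefix swap, sets aside the three whose replacement in the new list is not a plain swap (web-filtering url-whitelist, anti-virus type, anti-virus sophos-engine) for a manual decision, and emits the delete commands for the old lines that the Important note says must be removed by hand. The sample input is constructed.

```python
# Constructed sample of legacy UTM statements in set notation (not from a real device)
SAMPLE_UTM_SET = """\
set security utm feature-profile web-filtering type juniper-enhanced
set security utm feature-profile web-filtering url-whitelist allowed-urls
set security utm feature-profile web-filtering juniper-enhanced cache timeout 1800
set security utm feature-profile web-filtering juniper-enhanced profile wf-prof1 default permit
set security utm feature-profile anti-spam address-blacklist spam-senders
"""

OLD_PREFIX = "set security utm feature-profile "
NEW_PREFIX = "set security utm default-configuration "

# Deprecated elements whose new form in the list above is the same statement
# under default-configuration
DIRECT = {
    "web-filtering type", "web-filtering url-blacklist", "web-filtering http-persist",
    "web-filtering http-reassemble", "web-filtering juniper-enhanced cache",
    "web-filtering juniper-enhanced reputation", "web-filtering juniper-enhanced query-type",
    "anti-virus mime-whitelist", "anti-virus url-whitelist",
    "anti-spam address-blacklist", "anti-spam address-whitelist",
}
# Deprecated elements whose replacement in the new list is not a plain prefix swap
REVIEW = {"web-filtering url-whitelist", "anti-virus type", "anti-virus sophos-engine"}

def migrate_utm(set_output):
    """Return (migrated, review, cleanup): new-syntax lines, old lines needing a
    manual decision, and delete commands for every deprecated element found."""
    migrated, review, cleanup = [], [], []
    for line in set_output.splitlines():
        line = line.strip()
        if not line.startswith(OLD_PREFIX):
            continue
        rest = line[len(OLD_PREFIX):]
        element = next((e for e in DIRECT | REVIEW
                        if rest == e or rest.startswith(e + " ")), None)
        if element is None:
            continue  # feature-profile statement that is not in the deprecated list
        cmd = "delete security utm feature-profile " + element
        if cmd not in cleanup:
            cleanup.append(cmd)
        if element in DIRECT:
            migrated.append(NEW_PREFIX + rest)
        else:
            review.append(line)
    return migrated, review, cleanup

if __name__ == "__main__":
    migrated, review, cleanup = migrate_utm(SAMPLE_UTM_SET)
    print("\n".join(["# new syntax:"] + migrated + ["# review:"] + review + ["# delete:"] + cleanup))
```

Statements under feature-profile that are not in the deprecated list (the juniper-enhanced profile line in the sample) are left untouched, matching the remark that many but not all feature-profile commands moved.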
 
Modification History:
2020-01-17: Added comparison table
2019-12-21: Added content for Security Director 19.3.