Junos 18.2 introduced a number of configuration stanza adjustments relating to IDP, AppFW and UTM for SRX devices.
Migration to the new configuration syntax is required when SRX devices are to be managed by Security Director.
Junos Space Security Director 19.3 and higher supports the majority of these differences. (A few known issues exist with SD 19.3 for UTM that will be fixed in a future release.)
As of Junos SRX 18.2, IDP, UTM and AppFW configuration has started a deprecation process: the legacy configuration stanzas are moved to a hidden CLI state and new configuration stanzas are introduced. Because the old stanzas are hidden, Junos Space Security Director cannot manage SRX devices running Junos 18.2 and above in the same way as earlier versions.
NOTE: Legacy configuration stanzas continue to work the same way on Junos; what is impacted is Security Director management.
The deprecation is visible on the SRX CLI in the output of a "show" command, but only in standard (curly-brace) notation; set notation does not carry the deprecation comment:
# show security
application-firewall { ## Warning: 'application-firewall' is deprecated
Set notation example; the same stanza appears without any deprecation comment:
# show security | display set
set security application-firewall rule-sets APPFW_RuleSet1 rule AppFW_rule1 match dynamic-application junos:CNN
set security application-firewall rule-sets APPFW_RuleSet1 rule AppFW_rule1 then permit
set security application-firewall rule-sets APPFW_RuleSet1 rule AppFW_rule2 match dynamic-application junos:AMAZON
set security application-firewall rule-sets APPFW_RuleSet1 rule AppFW_rule2 then permit
set security application-firewall rule-sets APPFW_RuleSet1 default-rule permit
set security policies from-zone zone1 to-zone zone2 policy AppFW_FW_Policy1 match source-address any
Output from SRX 18.2 showing completion options for "set security"
# set security ?
Possible completions:
> address-book Security address book
> advance-policy-based-routing Configure Network Security APBR Policies
> alarms Configure security alarms
> alg Configure ALG security options
> analysis Configure security analysis
> application-tracking Application tracking configuration
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> authentication-key-chains Authentication key chain configuration
> certificates X.509 certificate configuration
<Output is alphabetical, removed the remaining items>
Notice that the application-firewall option is no longer offered as a completion, even though an existing application-firewall stanza is still present in the configuration and still functions.
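Because only standard notation carries the "## Warning" comment, an audit of a device's configuration has to recover the deprecated paths from "show security" output and then use them to flag the corresponding lines in "display set" output. The following Python script is an added example, not part of this KB or of any Juniper tool. Its sample output is constructed: the application-firewall warning is the one quoted above, while the rendering of the active-policy warning is an assumption (the page only states that active-policy is deprecated).

```python
import re

# Constructed `show security` output in standard (curly-brace) notation.
# The application-firewall warning is the one quoted on this page; the
# active-policy warning is an assumed rendering of the same format.
SAMPLE_SHOW_SECURITY = """\
application-firewall { ## Warning: 'application-firewall' is deprecated
    rule-sets APPFW_RuleSet1 {
        rule AppFW_rule1 {
            match {
                dynamic-application junos:CNN;
            }
            then {
                permit;
            }
        }
        default-rule {
            permit;
        }
    }
}
idp {
    active-policy idp-pol1; ## Warning: 'active-policy' is deprecated
}
policies {
    from-zone zone1 to-zone zone2 {
        policy AppFW_FW_Policy1 {
            match {
                source-address any;
            }
        }
    }
}
"""

# Constructed `show security | display set` output for the same configuration.
SAMPLE_SET_OUTPUT = """\
set security application-firewall rule-sets APPFW_RuleSet1 rule AppFW_rule1 match dynamic-application junos:CNN
set security application-firewall rule-sets APPFW_RuleSet1 rule AppFW_rule1 then permit
set security application-firewall rule-sets APPFW_RuleSet1 default-rule permit
set security idp active-policy idp-pol1
set security policies from-zone zone1 to-zone zone2 policy AppFW_FW_Policy1 match source-address any
"""

WARNING_RE = re.compile(r"## Warning: '(?P<stanza>[^']+)' is deprecated")


def find_deprecated_paths(show_output):
    """Return the hierarchy path (e.g. 'idp active-policy') of every deprecation warning.

    The path is rebuilt by tracking curly-brace nesting, so a warning on a
    leaf statement deep in the hierarchy is reported together with its parents.
    """
    stack, found = [], []
    for raw in show_output.splitlines():
        warning = WARNING_RE.search(raw)
        stmt = raw.split("##", 1)[0].strip()      # drop the trailing CLI comment
        if not stmt:
            continue
        if warning:
            found.append(" ".join(stack + [warning.group("stanza")]))
        if stmt.endswith("{"):
            stack.append(stmt[:-1].strip())
        elif stmt == "}" and stack:
            stack.pop()
    return found


def flag_set_lines(set_output, deprecated_paths):
    """Flag `display set` lines that fall under a deprecated path.

    Set notation carries no warning, so a path list from standard notation is
    the only way to spot deprecated statements in a set-format export.
    """
    prefixes = tuple("set security " + p for p in deprecated_paths)
    return [line for line in set_output.splitlines() if line.startswith(prefixes)]
```

Run find_deprecated_paths() on the standard-notation output first, then feed its result to flag_set_lines() on the set-notation export you keep in version control; the policies line, which is not deprecated, is left unflagged.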
AppFW
Junos SRX Security has transitioned to a new configuration model called Unified Policy, requiring that the application firewall configuration be removed and merged with the firewall policies.
This also changes how the SRX processes traffic; review the Junos technical documentation on Unified Security Policies before migrating. Contact SRX JTAC with questions about the SRX documentation.
IDP
Junos SRX has changed some of the configuration commands for IDP to allow for separate IDP policies to be assigned to individual firewall rules. The firewall policies need to be modified to the new syntax.
UTM
A number of commands found under utm feature-profile are now found under utm default-configuration and need to be migrated. The earlier UTM feature-profile statements are now hidden, but are not marked as deprecated in the CLI.
SRX Feature | SRX Junos Version | SD Supported Version | Remarks
Unified Firewall Policy (dynamic-application in fw rule) | 18.2 and higher | SD 18.4 and higher | Support to configure L7 apps from firewall policy
IPS "active-policy" | 18.1 and lower | All SD versions |
Deprecated IDP "active-policy" | 18.2 and above | Conversion support only with SD 19.3 and higher | SD will aid in conversion from deprecated "active-policy" to the new SRX configuration syntax
IPS policy using "idp-policy" in firewall rule | 18.2 and above | SD 19.3 and higher | Support to configure IPS policy from firewall policy
Multiple IDP policies using "idp-policy" in firewall rule, and default IDP policy | 18.3 and above | SD 19.3 and higher | Support to configure multiple IPS policies from firewall policy and select a default IDP policy
AppFW (application-firewall) | 18.1 and lower | All SD versions |
Deprecated AppFW (application-firewall) | 18.2 and above | None, deprecated by Junos, not supported in SD |
UTM feature profiles | 18.1 and lower | All SD versions |
Deprecated UTM feature-profile elements | 18.2 and above | None, deprecated by Junos, not supported in SD | Many but not all feature-profile commands are deprecated by Junos and moved to default-configuration; see below for the full list
UTM default-configuration | 18.2 and above | SD 19.3 and higher |
If IPS or UTM functions are needed together with Security Director, either stay on Junos 18.1 or lower, or upgrade to Security Director 19.3 or above once it is available.
SRX release notes at time of writing: note the changes to IDP and UTM that are part of the Unified Policy changes.
AppFW, Now Unified Policy
SRX versions below 18.2:
set security application-firewall *
set security policies from-zone <zone> to-zone <zone> policy <policy> then permit application-services application-firewall rule-set <rule-set>
18.2 and above, convert to Unified Policies:
set security policies from-zone <zone> to-zone <zone> policy <policy> match dynamic-application <dynamic-application>
Security Director 18.4R1 and Above supports Unified Policy
Security Director Release notes
If using Security Director to aid with policy migration, the following process can be used (only available for Security Director device policies; migration is not available for group policies):
- Clone the existing policy in SD.
- Remove all existing AppFW configuration from the cloned policy.
- Select the modified policy in Security Director, right-click and select Convert to Unified Policy.
- Navigate to the migrated policy in Security Director, now found under Unified Policies.
- Add new application-based rules following the Unified Policy structure; see the SRX documentation for details on functionality.
- Un-assign the existing standard policy from the device.
- Assign the new Unified Policy to the firewall.
- In a maintenance window, on the SRX CLI, manually delete the "security application-firewall" stanza and remove "application-services application-firewall" from every firewall rule that references it.
- Update the new policy to the SRX.
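For a CLI-driven migration the same conversion can be scripted. The following Python script is an added example, not part of this KB or of Security Director, and goes beyond the page's own example: it turns each AppFW rule into one unified policy that repeats the legacy policy's match terms and adds "match dynamic-application", inserts the new policies before the legacy policy so first-match order is preserved, turns the default-rule into a final "dynamic-application any" policy, and emits the delete commands for the legacy stanza. The constructed input, the "<policy>_<rule>" naming and the assumption that the legacy policy's other "then" options carry over are assumptions of this example. As the AppFW section above notes, Unified Policies also change how traffic is processed, so review the generated lines against the Junos documentation before committing them.

```python
import re
from collections import OrderedDict

# Constructed `display set` input: the rule-set quoted on this page, with
# AppFW_rule2 changed to deny so that rule order matters, plus an assumed
# firewall policy that references it. All names are hypothetical.
LEGACY_CONFIG = """\
set security application-firewall rule-sets APPFW_RuleSet1 rule AppFW_rule1 match dynamic-application junos:CNN
set security application-firewall rule-sets APPFW_RuleSet1 rule AppFW_rule1 then permit
set security application-firewall rule-sets APPFW_RuleSet1 rule AppFW_rule2 match dynamic-application junos:AMAZON
set security application-firewall rule-sets APPFW_RuleSet1 rule AppFW_rule2 then deny
set security application-firewall rule-sets APPFW_RuleSet1 default-rule permit
set security policies from-zone zone1 to-zone zone2 policy AppFW_FW_Policy1 match source-address any
set security policies from-zone zone1 to-zone zone2 policy AppFW_FW_Policy1 match destination-address any
set security policies from-zone zone1 to-zone zone2 policy AppFW_FW_Policy1 then log session-close
set security policies from-zone zone1 to-zone zone2 policy AppFW_FW_Policy1 then permit application-services application-firewall rule-set APPFW_RuleSet1
"""

RULE_RE = re.compile(r"^set security application-firewall rule-sets (\S+) rule (\S+) (?:match dynamic-application (\S+)|then (permit|deny))$")
DEFAULT_RE = re.compile(r"^set security application-firewall rule-sets (\S+) default-rule (permit|deny)$")
POLICY_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (.+)$")
APPFW_REF = "then permit application-services application-firewall rule-set "


def parse(config):
    """Split legacy set-lines into AppFW rule-sets, firewall policies and unhandled lines."""
    rulesets, policies, other = {}, OrderedDict(), []
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        m = RULE_RE.match(line)
        if m:
            rs = rulesets.setdefault(m.group(1), {"rules": OrderedDict(), "default": None})
            rule = rs["rules"].setdefault(m.group(2), {"apps": [], "action": None})
            if m.group(3):
                rule["apps"].append(m.group(3))
            else:
                rule["action"] = m.group(4)
            continue
        m = DEFAULT_RE.match(line)
        if m:
            rulesets.setdefault(m.group(1), {"rules": OrderedDict(), "default": None})["default"] = m.group(2)
            continue
        m = POLICY_RE.match(line)
        if not m:
            other.append("unhandled line: " + line)
            continue
        pol = policies.setdefault(m.group(1, 2, 3), {"match": [], "then": [], "ruleset": None})
        rest = m.group(4)
        if rest.startswith(APPFW_REF):
            pol["ruleset"] = rest[len(APPFW_REF):]
        elif rest.startswith("match "):
            pol["match"].append(rest)
        else:
            pol["then"].append(rest)
    return rulesets, policies, other


def convert(config):
    """Return (set_lines, delete_lines, review_notes) for a legacy AppFW config.

    One unified policy per AppFW rule, inserted before the legacy policy so
    first-match order is kept; the default-rule becomes a final `any` policy.
    """
    rulesets, policies, review = parse(config)
    new, delete = [], []
    for (fz, tz, name), pol in policies.items():
        if pol["ruleset"] is None:
            continue
        rs = rulesets.get(pol["ruleset"])
        if rs is None:
            review.append(f"{name}: references unknown rule-set {pol['ruleset']}")
            continue
        prefix = f"set security policies from-zone {fz} to-zone {tz} policy"
        steps = [(r, v["apps"], v["action"]) for r, v in rs["rules"].items()]
        if rs["default"]:
            steps.append(("default", ["any"], rs["default"]))
        for rule, apps, action in steps:
            new_name = f"{name}_{rule}"  # assumed naming convention
            if not apps or action is None:
                review.append(f"{pol['ruleset']} rule {rule}: incomplete, convert by hand")
                continue
            new += [f"{prefix} {new_name} {t}" for t in pol["match"]]
            new += [f"{prefix} {new_name} match dynamic-application {a}" for a in apps]
            new.append(f"{prefix} {new_name} then {action}")
            for t in pol["then"]:
                if action == "deny" and t.startswith("then permit"):
                    review.append(f"{new_name}: dropped '{t}' on a deny policy")
                else:
                    new.append(f"{prefix} {new_name} {t}")
            new.append(f"insert security policies from-zone {fz} to-zone {tz} "
                       f"policy {new_name} before policy {name}")
        if rs["default"]:
            delete.append(f"delete security policies from-zone {fz} to-zone {tz} policy {name}")
        else:  # no default-rule: keep the legacy policy as the fall-through, minus AppFW
            delete.append(f"delete security policies from-zone {fz} to-zone {tz} policy {name} "
                          "then permit application-services application-firewall")
            review.append(f"{name}: no default-rule, legacy policy kept as the fall-through")
        delete.append(f"delete security application-firewall rule-sets {pol['ruleset']}")
    return new, delete, review
```

Apply the returned set and insert lines first, confirm the order with "show security policies", and only then apply the delete lines in the maintenance window; anything in the review list was not converted and needs a manual decision.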
IDP
Security Director support: Junos Space Security Director version 19.3 or higher is required to manage IDP with SRX 18.2 and above
SRX Versions below 18.2
set security policies from-zone <zone> to-zone <zone> policy <policy> then permit application-services idp
set security idp active-policy <IDP policy name>
Works in all Security Director versions.
SRX 18.2 only
Instead of active-policy selecting one IDP policy globally, the IDP policy is named on each firewall rule:
set security policies from-zone <zone> to-zone <zone> policy <policy #1> then permit application-services idp-policy <IDP policy name>
set security policies from-zone <zone> to-zone <zone> policy <policy #2> then permit application-services idp-policy <IDP policy name>
- Only one IDP policy name can be used across all firewall rules.
- active-policy is a deprecated command.
- This can be used with either the "unified policy" or the "legacy policy".
SRX 18.3 and above
A unique IDP policy per firewall rule is now possible:
set security policies from-zone <zone> to-zone <zone> policy <policy #1> then permit application-services idp-policy <IDP policy name #1>
set security policies from-zone <zone> to-zone <zone> policy <policy #2> then permit application-services idp-policy <IDP policy name #2>
set security idp default-policy <IDP policy name>
- default-policy is required when two different IDP policies are in use; it is optional if only one idp-policy has been configured.
- A separate IDP policy can be used for each firewall rule.
- Can be used with either the "unified policy" or the "legacy policy".
Upgrading from Junos 18.1 and lower to 18.2 and above when using IDP and Security Director
After upgrading SRX to 18.2 and above the following conversion steps are required.
- Edit all firewall rules containing "then permit application-services idp" to "then permit application-services idp-policy <IDP policy name>".
This can be done on the device CLI, or in the SD UI by editing each rule that has IDP configured. Note that there are two separate drop-downs depending on the SRX code version; select the IDP policy name from the 18.2-and-higher drop-down. Publish and update the firewall policy to the device.
Note: With SRX 18.2 and higher devices, the IDP policy is no longer seen as assigned to the SRX device. IDP policies are now linked to, and published/updated together with, the firewall policy.
- Remove the following config line from the SRX manually (SD cannot do this for you):
set security idp active-policy <IDP policy name>
- If the SRX is running 18.3 or later, configure default-policy.
Via SRX CLI:
set security idp default-policy <IDP policy name>
Using Security Director:
Navigate to the Firewall Policy screen, select "Global Options" at the top of the screen, select the IDP tab and select the default IDP policy on a per-device basis.
Note: If any of these steps were performed on the SRX CLI to modify the IDP configuration, the policy will need to be re-imported into Security Director.
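The IDP conversion steps above, scripted as an added Python example that is not part of this KB or of Security Director. The constructed input and its names are hypothetical, and the script assumes the legacy "application-services idp" flag is still present on each rule after the upgrade and must be deleted alongside active-policy. It rewrites every rule carrying the flag to "idp-policy <name>", emits the manual deletes that SD cannot do for you, and emits default-policy only when the target release is 18.3 or later, since on 18.2 a single IDP policy name is used on every rule and default-policy does not apply.

```python
import re

# Constructed 18.1-style configuration (hypothetical names): one active-policy
# selects the IDP policy and firewall rules only flag `application-services idp`.
LEGACY_IDP_CONFIG = """\
set security idp active-policy IDP_Recommended
set security policies from-zone trust to-zone untrust policy Allow_Web match source-address any
set security policies from-zone trust to-zone untrust policy Allow_Web then permit application-services idp
set security policies from-zone trust to-zone dmz policy Allow_Mail then permit application-services idp
set security policies from-zone trust to-zone dmz policy Allow_DNS then permit
"""

ACTIVE_RE = re.compile(r"^set security idp active-policy (\S+)$")
IDP_FLAG_RE = re.compile(r"^set (security policies .+ then permit application-services) idp$")


def migrate_idp(config, junos_version):
    """Return (set_lines, delete_lines, warnings) for an SRX on junos_version.

    junos_version is a (major, minor) tuple. Every rule carrying the legacy
    `idp` flag is pointed at the active-policy name with `idp-policy`; the flag
    and the active-policy statement are deleted. default-policy is emitted only
    for 18.3+, where more than one IDP policy may be referenced.
    """
    if junos_version < (18, 2):
        return [], [], ["below 18.2: legacy active-policy syntax still applies"]
    active, rules, warnings = None, [], []
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        m = ACTIVE_RE.match(line)
        if m:
            active = m.group(1)
            continue
        m = IDP_FLAG_RE.match(line)
        if m:
            rules.append(m.group(1))
    if active is None:
        if rules:
            warnings.append("rules carry the idp flag but no active-policy was found; choose the policy by hand")
        return [], [], warnings
    set_lines = [f"set {r} idp-policy {active}" for r in rules]
    delete_lines = [f"delete {r} idp" for r in rules]        # assumes the legacy flag survived the upgrade
    delete_lines.append("delete security idp active-policy")  # SD cannot remove this for you
    if junos_version >= (18, 3):
        set_lines.append(f"set security idp default-policy {active}")
    else:
        warnings.append("18.2: a single idp-policy name must be used on every rule; default-policy is not available")
    return set_lines, delete_lines, warnings
```

After applying the lines on the device, re-import the device into Security Director, as the note above requires, so that SD sees the per-rule idp-policy references rather than the old active-policy.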
UTM
Security Director support: Junos Space Security Director 19.3 or higher is required to manage UTM features on SRX 18.2 and above.
With Security Director 19.3 it is not possible to configure anti-virus, as the UI does not allow selection of the anti-virus type; this will be fixed in a future release.
The following UTM commands have changed in SRX 18.2 and above, and the older form has been deprecated in Junos, which prevents these commands from working as expected with Security Director.
SRX Versions below 18.2 use the following commands:
set security utm feature-profile web-filtering type
set security utm feature-profile web-filtering url-blacklist
set security utm feature-profile web-filtering url-whitelist
set security utm feature-profile web-filtering http-persist
set security utm feature-profile web-filtering http-reassemble
set security utm feature-profile web-filtering juniper-enhanced cache
set security utm feature-profile web-filtering juniper-enhanced reputation
set security utm feature-profile web-filtering juniper-enhanced query-type
set security utm feature-profile anti-virus mime-whitelist
set security utm feature-profile anti-virus url-whitelist
set security utm feature-profile anti-virus type
set security utm feature-profile anti-virus sophos-engine
set security utm feature-profile anti-spam address-blacklist
set security utm feature-profile anti-spam address-whitelist
SRX 18.2 and above use the new commands:
set security utm default-configuration web-filtering type
set security utm default-configuration web-filtering url-filtering
set security utm default-configuration web-filtering url-blacklist
set security utm default-configuration web-filtering http-persist
set security utm default-configuration web-filtering http-reassemble
set security utm default-configuration web-filtering juniper-enhanced cache
set security utm default-configuration web-filtering juniper-enhanced reputation
set security utm default-configuration web-filtering juniper-enhanced query-type
set security utm default-configuration anti-virus mime-whitelist
set security utm default-configuration anti-virus url-whitelist
set security utm default-configuration anti-virus type
set security utm default-configuration anti-virus sophos-engine
set security utm default-configuration anti-spam address-blacklist
set security utm default-configuration anti-spam address-whitelist
For Security Director 19.3 and above to manage a device that uses any of the above commands correctly, the UTM configuration lines must be migrated to the new syntax.
Some of this migration is possible in the Security Director UI; further details will be added in a future KB update.
Important: After migrating the commands above to the new syntax, whether in Security Director or on the SRX CLI, the previous command syntax must be removed manually from the device CLI.
If the changes were made on the SRX CLI, re-import the device into Security Director.
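The feature-profile to default-configuration rewrite, as an added Python example that is not part of this KB or of Security Director. It rewrites only the paths listed above (matched token by token, so named profiles such as "juniper-enhanced profile <name>" and utm-policy statements are left alone), passes everything else through unchanged, and produces the delete commands for the old statements that must be removed by hand. The sample configuration and its names are constructed, and the assumption that each knob keeps its name under default-configuration should be checked against "set security utm default-configuration ?" on the device before committing.

```python
# Deprecated feature-profile paths listed above. The knob name under
# default-configuration is assumed to carry over unchanged; confirm with
# `set security utm default-configuration ?` on the device before committing.
DEPRECATED_UTM_PATHS = [
    "web-filtering type", "web-filtering url-blacklist", "web-filtering url-whitelist",
    "web-filtering http-persist", "web-filtering http-reassemble",
    "web-filtering juniper-enhanced cache", "web-filtering juniper-enhanced reputation",
    "web-filtering juniper-enhanced query-type",
    "anti-virus mime-whitelist", "anti-virus url-whitelist", "anti-virus type", "anti-virus sophos-engine",
    "anti-spam address-blacklist", "anti-spam address-whitelist",
]
OLD_PREFIX = "set security utm feature-profile "
NEW_PREFIX = "set security utm default-configuration "

# Constructed pre-18.2 UTM configuration; names are hypothetical.
SAMPLE_UTM_CONFIG = """\
set security utm feature-profile web-filtering type juniper-enhanced
set security utm feature-profile web-filtering url-blacklist BLOCKED_URLS
set security utm feature-profile web-filtering juniper-enhanced cache timeout 1800
set security utm feature-profile web-filtering juniper-enhanced profile EWF_Profile default log-and-permit
set security utm feature-profile anti-virus type sophos-engine
set security utm feature-profile anti-virus sophos-engine pattern-update interval 120
set security utm utm-policy UTM_Policy1 web-filtering http-profile EWF_Profile
"""


def deprecated_path(rest):
    """Return the deprecated path a feature-profile statement falls under, else None.

    Matching is token-based, so a path only matches whole keywords and named
    profiles (which are not deprecated) are never swallowed.
    """
    tokens = rest.split()
    for path in DEPRECATED_UTM_PATHS:
        parts = path.split()
        if tokens[:len(parts)] == parts:
            return path
    return None


def migrate_utm(config):
    """Return (new_set_lines, delete_lines, untouched_lines).

    Only the paths the page lists as deprecated are rewritten; everything else
    (named profiles, utm-policy, custom objects) is passed through unchanged.
    Security Director does not remove the old statements, so their delete
    commands are produced here for the maintenance window.
    """
    new, delete, untouched = [], [], []
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        if not line.startswith(OLD_PREFIX):
            untouched.append(line)
            continue
        rest = line[len(OLD_PREFIX):]
        path = deprecated_path(rest)
        if path is None:
            untouched.append(line)
        else:
            new.append(NEW_PREFIX + rest)
            delete.append("delete security utm feature-profile " + path)
    return new, sorted(set(delete)), untouched
```

Commit the new default-configuration lines first and verify the UTM profiles still reference what they expect; apply the delete lines in the maintenance window, then re-import the device into Security Director.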