
[SRX] Traffic cannot reach the expected unified security policy


Article ID: KB35454   Last Updated: 31 Mar 2020   Version: 1.0
Summary:
Traffic cannot reach the expected unified security policy.
Symptoms:

Topology:

SSH client(10.0.0.1) ------ (ge-0/0/2)SRX340(ge-0/0/1) ------ SSH server(172.16.0.1)

Unified security policy configuration:

policy global-ssh-allow {
    match {
        source-address lab-dc1-10.0.0.1;
        destination-address server-public-172.16.0.1;
        application junos-defaults;
        dynamic-application junos:SSH;
        from-zone [ SS-LAN trust ];
        to-zone untrust;
    }
    then {
        permit;
        log {
            session-close;
        }
    }
}

policy global-appTest--deny {
    match {
        source-address [ ss-alpha-lab-net-2 vpn-site-net ss-alpha-lab-net-1 ss-alpha-noc ];
        destination-address any;
        application junos-defaults;
        dynamic-application [ junos:MS-TEAMS junos:SSH junos:TELNET ];
        from-zone [ SS-LAN trust ];
        to-zone untrust;
    }
    then {
        deny;
        log {
            session-close;
        }
    }
}

When SSH traffic from 10.0.0.1 to 172.16.0.1 on port 22 is tested, it is identified as SSH and permitted by policy global-ssh-allow as expected. However, when SSH traffic from 10.0.0.1 to 172.16.0.1 on port 8080 is tested, it is still identified as SSH but is denied by policy global-appTest--deny.

The cause is that the "Destination ports" of global-ssh-allow contain only port 22, even though application junos-defaults is configured in global-ssh-allow.

root@router> show security policies global policy-name global-ssh-allow detail
Policy: global-ssh-allow, action-type: permit, State: enabled, Index: 23, Scope Policy: 0
  Policy Type: Configured, global
  Sequence number: 10
  From zones:
    SS-LAN
    trust
  To zones:
    untrust
  Source vrf group:
    any
  Destination vrf group:
    any
  Source addresses:
    lab-dc1-10.0.0.1(global): 10.0.0.1/32
  Destination addresses:
    server-public-172.16.0.1(global): 172.16.0.1/32
  Application: junos-defaults
    IP protocol: TCP, ALG: 0, Inactivity timeout: 1800
      Destination ports: 22   <--- only port 22 is listed here
  Dynamic Application:
    junos:SSH: 198
  Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No
  Session log: at-close

root@router> show security policies global policy-name global-appTest--deny detail
Policy: global-appTest--deny, action-type: deny, State: enabled, Index: 28, Scope Policy: 0
  Policy Type: Configured, global
  Sequence number: 15
  From zones:
    SS-LAN
    trust
  To zones:
    untrust
  Source vrf group:
    any
  Destination vrf group:
    any
  Source addresses:
    ss-alpha-noc(global): 10.3.8.0/24
    ss-alpha-lab-net-1(global): 10.0.1.0/24
    vpn-site-net(global): 10.86.0.0/16
    ss-alpha-lab-net-2(global): 10.100.101.0/24
  Destination addresses:
    any-ipv4(global): 0.0.0.0/0
    any-ipv6(global): ::/0
  Application: junos-defaults
    IP protocol: TCP, ALG: 0, Inactivity timeout: 1800
      Destination ports: 22, 23, 80, 443, 3128, 8000, 8080   <--- multiple ports are listed here
  Dynamic Application:
    junos:TELNET: 209
    junos:SSH: 198
    junos:MS-TEAMS: 3374
  Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No
  Session log: at-close
Solution:

In a unified security policy, the destination ports the policy can match are derived from the configured dynamic-application, not from the application statement when it is set to junos-defaults: "junos-defaults" means "use the default protocol and port of the configured dynamic applications". Because the default port of junos:SSH is TCP 22, global-ssh-allow matches only port 22; SSH on port 8080 never reaches it and falls through to global-appTest--deny, whose junos-defaults expands to the default ports of all three of its dynamic applications (22, 23, 80, 443, 3128, 8000, 8080).

Original configuration:

policy global-ssh-allow {
    match {
        source-address lab-dc1-10.0.0.1;
        destination-address server-public-172.16.0.1;
        application junos-defaults;
        dynamic-application junos:SSH;
        from-zone [ SS-LAN trust ];
        to-zone untrust;
    }
    then {
        permit;
        log {
            session-close;
        }
    }
}

root@router> show security policies global policy-name global-ssh-allow detail
Policy: global-ssh-allow, action-type: permit, State: enabled, Index: 23, Scope Policy: 0
  Policy Type: Configured, global
  Sequence number: 10
  From zones:
    SS-LAN
    trust
  To zones:
    untrust
  Source vrf group:
    any
  Destination vrf group:
    any
  Source addresses:
    lab-dc1-10.0.0.1(global): 10.0.0.1/32
  Destination addresses:
    server-public-172.16.0.1(global): 172.16.0.1/32
  Application: junos-defaults
    IP protocol: TCP, ALG: 0, Inactivity timeout: 1800
      Destination ports: 22
  Dynamic Application:
    junos:SSH: 198
  Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No
  Session log: at-close

To have this policy permit SSH traffic on port 8080, add an application term that matches port 8080 to the policy. The example below uses a custom application tcp-8080 (defined under [edit applications]) together with the predefined junos-ssh, so that both port 22 and port 8080 can reach the dynamic-application check for junos:SSH.

Example:

policy global-ssh-allow {
    match {
        source-address lab-dc1-10.0.0.1;
        destination-address server-public-172.16.0.1;
        application [ tcp-8080 junos-ssh ];
        dynamic-application junos:SSH;
        from-zone [ SS-LAN trust ];
        to-zone untrust;
    }
    then {
        permit;
        log {
            session-close;
        }
    }
}
root@router> show security policies global policy-name global-ssh-allow detail
Policy: global-ssh-allow, action-type: permit, State: enabled, Index: 23, Scope Policy: 0
  Policy Type: Configured, global
  Sequence number: 10
  From zones:
    SS-LAN
    trust
  To zones:
    untrust
  Source vrf group:
    any
  Destination vrf group:
    any
  Source addresses:
    lab-dc1-10.0.0.1(global): 10.0.0.1/32
  Destination addresses:
    server-public-172.16.0.1(global): 172.16.0.1/32
  Application: tcp-8080
    IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
      Source port range: [0-0]
      Destination ports: 8080 
  Application: junos-ssh
    IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
      Source port range: [0-0]
      Destination ports: 22   
  Dynamic Application:
    junos:SSH: 198
  Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No
  Session log: at-close
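A quick way to audit this from the CLI output rather than by reading the configuration: the script below, added here as an example and not part of the article or of Junos, parses the "show security policies ... detail" output shown above, collects the destination ports each application term actually expands to, and reports whether a given port can reach the policy's dynamic-application check. The two sample outputs are trimmed copies of the article's before-and-after output; the function names are the author's own.

```python
import re

# Trimmed "show security policies global policy-name global-ssh-allow detail"
# output from the article: before the fix (junos-defaults only) and after
# adding the explicit tcp-8080 application term.
BEFORE = """\
  Application: junos-defaults
    IP protocol: TCP, ALG: 0, Inactivity timeout: 1800
      Destination ports: 22
  Dynamic Application:
    junos:SSH: 198
"""
AFTER = """\
  Application: tcp-8080
    IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
      Destination ports: 8080
  Application: junos-ssh
    IP protocol: tcp, ALG: 0, Inactivity timeout: 1800
      Destination ports: 22
  Dynamic Application:
    junos:SSH: 198
"""

def parse_policy_detail(text):
    """Map each application term to its (protocol, destination port) pairs
    and collect the policy's dynamic applications (helper, not a Junos API)."""
    apps, dyn_apps = {}, []
    current, proto, in_dyn = None, None, False
    for line in text.splitlines():
        if m := re.match(r"\s*Application: (\S+)", line):
            current, in_dyn = m.group(1), False
            apps.setdefault(current, set())
        elif re.match(r"\s*Dynamic Application:", line):
            current, in_dyn = None, True
        elif m := re.match(r"\s*IP protocol: (\w+)", line):
            proto = m.group(1).lower()          # the output shows both TCP and tcp
        elif (m := re.match(r"\s*Destination ports: ([\d, ]+)", line)) and current:
            apps[current].update((proto, int(p)) for p in m.group(1).split(","))
        elif (m := re.match(r"\s*(junos:\S+): \d+", line)) and in_dyn:
            dyn_apps.append(m.group(1))
    return apps, dyn_apps

def matched_ports(text, proto="tcp"):
    """Destination ports the policy can match for `proto`, across all terms."""
    apps, _ = parse_policy_detail(text)
    return {port for pairs in apps.values() for pr, port in pairs if pr == proto}

def audit(text, expected_port, proto="tcp"):
    """True when a flow to expected_port can reach this policy's
    dynamic-application check; False is exactly the article's symptom."""
    return expected_port in matched_ports(text, proto)
```

Run it against the live output of any unified policy to confirm that the ports you expect are listed before relying on the dynamic-application match.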