
[SRX] How to verify if a signature is matching the existing rule-set configured on your device

Article ID: KB31095   Last Updated: 23 Aug 2016   Version: 1.0
Summary:

When configuring Application Firewall rule-set rules, it is strongly recommended to keep the rules optimized so that signatures are not repeated. Often, a single application signature that a user wants to add is already a member of a dynamic-application-group configured on the device. This article describes how to identify such cases and how to configure optimal policies on the device.

Symptoms:
Example Scenario

The current configuration on a device for Application Firewall ruleset is:

set security application-firewall rule-sets 1 rule 1 match dynamic-application junos:YOUTUBE-COMMENT
set security application-firewall rule-sets 1 rule 1 match dynamic-application junos:BITTORRENT
set security application-firewall rule-sets 1 rule 1 match dynamic-application-group junos:web
set security application-firewall rule-sets 1 rule 1 match dynamic-application-group junos:infrastructure
set security application-firewall rule-sets 1 rule 1 then deny
set security application-firewall rule-sets 1 default-rule deny

The user now wants to add the application signature junos:FACEBOOK-ACCESS. Before adding it, the user should verify whether the explicit entry is required or whether the signature is already covered by one of the dynamic-application-groups configured in the rule-set.

Cause:

Solution:

Run the following command on the firewall:

labroot# run show security application-firewall match-rule rule-set 1 dynamic-application junos:FACEBOOK-ACCESS
Logical system: root-logical-system
Non-SSL-Encrypted rules:
Rule: 1
Dynamic Applications: junos:YOUTUBE-COMMENT, junos:BITTORRENT
Dynamic Application Groups: junos:web, junos:infrastructure
SSL-Encryption: any
Action: deny
SSL-Encrypted rules:
Rule: 1
Dynamic Applications: junos:YOUTUBE-COMMENT, junos:BITTORRENT
Dynamic Application Groups: junos:web, junos:infrastructure
SSL-Encryption: any
Action: deny

The output shows that rule 1 already matches junos:FACEBOOK-ACCESS through the signatures and dynamic-application-groups it is configured with, so adding the signature explicitly to the rule-set is not required.
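The device command above is the authoritative check, because only the SRX knows which signatures each predefined group contains. As an added illustration of the logic the article describes (example code written for this article, not Junos code), the following script parses the rule-set from the article in its set-statement form and reports which rule, and which element of that rule, would cover a candidate signature, falling through to the default-rule when nothing matches. The group membership table is a constructed assumption: the real memberships come from the application signature package installed on the device, and the article does not state them.

```python
"""Offline model of 'show security application-firewall match-rule'.

Example code written for this KB article, not Junos code. The GROUP_MEMBERS
table is constructed for illustration; on a real device the group contents
come from the installed application signature package.
"""
import re
from collections import OrderedDict

# Constructed sample: the rule-set shown in the article, as 'set' statements.
SAMPLE_CONFIG = """
set security application-firewall rule-sets 1 rule 1 match dynamic-application junos:YOUTUBE-COMMENT
set security application-firewall rule-sets 1 rule 1 match dynamic-application junos:BITTORRENT
set security application-firewall rule-sets 1 rule 1 match dynamic-application-group junos:web
set security application-firewall rule-sets 1 rule 1 match dynamic-application-group junos:infrastructure
set security application-firewall rule-sets 1 rule 1 then deny
set security application-firewall rule-sets 1 default-rule deny
"""

# ASSUMPTION: signature-to-group membership is device data and is not stated
# in the article; these memberships are constructed for the example only.
GROUP_MEMBERS = {
    "junos:web": {"junos:FACEBOOK-ACCESS", "junos:YOUTUBE-COMMENT", "junos:HTTP"},
    "junos:infrastructure": {"junos:DNS", "junos:NTP"},
}

# One regex for the three statement shapes used in the sample configuration.
RULE_RE = re.compile(
    r"^set security application-firewall rule-sets (?P<rs>\S+) "
    r"(?:rule (?P<rule>\S+) "
    r"(?:match (?P<kind>dynamic-application(?:-group)?) (?P<val>\S+)|then (?P<action>\S+))"
    r"|default-rule (?P<default>\S+))$"
)


def parse_rule_sets(config_text):
    """Parse set statements into {rule_set: {"rules": OrderedDict, "default": action}}.

    Rules keep configuration order, which is the order the device evaluates them.
    """
    rule_sets = {}
    for line in config_text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unrecognised statement: %r" % line)
        rs = rule_sets.setdefault(m.group("rs"), {"rules": OrderedDict(), "default": None})
        if m.group("default"):
            rs["default"] = m.group("default")
            continue
        rule = rs["rules"].setdefault(
            m.group("rule"), {"apps": [], "groups": [], "action": None}
        )
        if m.group("kind") == "dynamic-application":
            rule["apps"].append(m.group("val"))
        elif m.group("kind") == "dynamic-application-group":
            rule["groups"].append(m.group("val"))
        else:
            rule["action"] = m.group("action")
    return rule_sets


def match_rule(rule_sets, rule_set_name, signature, group_members):
    """Return (rule, action, reason) for the first rule covering the signature.

    The reason names the exact match element (an explicit dynamic-application
    or a dynamic-application-group). If no rule matches, the rule is None and
    the action is the rule-set's default-rule.
    """
    rs = rule_sets[rule_set_name]
    for name, rule in rs["rules"].items():
        if signature in rule["apps"]:
            return name, rule["action"], "dynamic-application " + signature
        for group in rule["groups"]:
            if signature in group_members.get(group, ()):
                return name, rule["action"], "dynamic-application-group " + group
    return None, rs["default"], "default-rule"


if __name__ == "__main__":
    parsed = parse_rule_sets(SAMPLE_CONFIG)
    for sig in ("junos:FACEBOOK-ACCESS", "junos:BITTORRENT", "junos:SSH"):
        rule, action, reason = match_rule(parsed, "1", sig, GROUP_MEMBERS)
        print("%-22s -> rule %s, action %s, via %s" % (sig, rule, action, reason))
```

Run against the sample, the script reports that junos:FACEBOOK-ACCESS is covered by rule 1 through the assumed junos:web group and junos:BITTORRENT by its explicit entry, while a signature in neither list falls to the default-rule. Swapping the constructed table for the group contents exported from your own device turns this into a pre-commit check that a candidate signature is not already covered.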

