
Configuration Example – Optimizing Application Firewall ruleset on the SRX device


Article ID: KB31096 | KB Last Updated: 24 Aug 2016 | Version: 1.0
Summary:

When administrators keep adding individual application signatures to application firewall rules, the ruleset grows bulky over time. Many of those signatures may already be covered by a dynamic-application-group that is referenced in the same configuration. This article describes how to evaluate the configuration for such redundant entries and remove them to keep the ruleset slim and optimized.

Symptoms:

Example Scenario

A user has the following configuration for application-firewall ruleset on their SRX firewall:

set security application-firewall rule-sets 1 rule 1 match dynamic-application junos:YOUTUBE-COMMENT
set security application-firewall rule-sets 1 rule 1 match dynamic-application-group junos:web
set security application-firewall rule-sets 1 rule 1 then deny
set security application-firewall rule-sets 1 default-rule deny

In this case, the rule already references the signature group junos:web, which contains the YouTube related signatures. The user needs to identify such redundant entries and slim down the application firewall (AppFW) rulesets.

Cause:

Solution:

Run the following commands on the device:

labroot# run show security application-firewall shadow-rules rule-set 1
Dynamic Application: junos:YOUTUBE-COMMENT
Logical system: root-logical-system
Non-SSL-Encrypted rules:
Matching rule:
Rule: 1
Dynamic Applications: junos:YOUTUBE-COMMENT
Dynamic Application Groups: junos:web
SSL-Encryption: any
Action: deny
SSL-Encrypted rules:
Matching rule:
Rule: 1
Dynamic Applications: junos:YOUTUBE-COMMENT
Dynamic Application Groups: junos:web
SSL-Encryption: any
Action: deny

Number of shadowed dynamic application: 1

Since junos:YOUTUBE-COMMENT is a member of the dynamic application group junos:web, the output shows that the individual signature is already shadowed by the group in rule 1. In this configuration, the dynamic-application entry for junos:YOUTUBE-COMMENT can be removed from rule 1 without changing which traffic the rule matches.

Note: If a dynamic application is already covered by a group in an existing rule, the command lists that rule as shown above. If nothing in the ruleset is shadowed, the command produces no output.
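As an added example (not part of this KB article), the following Python script parses the shadow-rules output above and emits the matching delete statements for a rule-set. It assumes the output format shown in this article, de-duplicates the rule numbers repeated in the SSL and non-SSL halves, and takes the rule-set name from the caller because the command output does not repeat it.

```python
import re
# Constructed sample: the non-SSL half of the shadow-rules output shown in the
# article for rule-set 1 (the SSL-encrypted half repeats the same rule).
SAMPLE_OUTPUT = """\
Dynamic Application: junos:YOUTUBE-COMMENT
Logical system: root-logical-system
Non-SSL-Encrypted rules:
Matching rule:
Rule: 1
Dynamic Applications: junos:YOUTUBE-COMMENT
Dynamic Application Groups: junos:web
SSL-Encryption: any
Action: deny

Number of shadowed dynamic application: 1
"""

def parse_shadow_rules(text):
    """Return ({shadowed app: [rule numbers]}, total reported by the device)."""
    shadowed, current, reported = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        # 'Dynamic Application: X' opens the block for one shadowed signature
        # ('Dynamic Applications:' and '... Groups:' lines do not match).
        m = re.match(r"^Dynamic Application: (\S+)$", line)
        if m:
            current = m.group(1)
            shadowed.setdefault(current, [])
            continue
        # 'Rule: N' names a rule whose group already covers the signature;
        # the SSL/non-SSL halves repeat rule numbers, so de-duplicate them.
        m = re.match(r"^Rule: (\d+)$", line)
        if m and current is not None and int(m.group(1)) not in shadowed[current]:
            shadowed[current].append(int(m.group(1)))
            continue
        m = re.match(r"^Number of shadowed dynamic application: (\d+)$", line)
        if m:
            reported = int(m.group(1))
    return shadowed, reported

def cleanup_commands(rule_set, text):
    """Emit the delete statements that drop each shadowed signature from rule_set."""
    shadowed, reported = parse_shadow_rules(text)
    if reported is not None and reported != len(shadowed):
        raise ValueError("parsed %d shadowed apps, device reported %d" % (len(shadowed), reported))
    return ["delete security application-firewall rule-sets %s rule %d match dynamic-application %s"
            % (rule_set, rule, app) for app, rules in shadowed.items() for rule in rules]

if __name__ == "__main__":
    print("\n".join(cleanup_commands("1", SAMPLE_OUTPUT)))
```

Review the generated statements before committing them; the group still has to be present in the same rule for the match to stay equivalent.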
