Understanding a Security Flow Policy on a Device Running Junos OS
Security Flow Policy on a Device Running Junos OS Overview
You can define a security flow policy on a device running Junos OS to inspect and process network packets. The device can permit, deny, and log operations to be associated with each policy. Each of these policies are associated to zones on which distinct network interfaces are bound.
The following modes can be defined for a security flow policy to determine how a device directs traffic:
Bypass—The
Permit
option directs the traffic traversing the device through the stateful firewall inspection, but not through the IPsec VPN tunnel.Discard—The
Deny
option inspects and drops all packets that do not match anyPermit
policies.Protect—The traffic is routed through an IPsec tunnel based on the combination of route lookup and
Permit
policy inspection.Log—This option logs traffic and session information for all the modes mentioned above.
The following sections describe how to configure a security policy for each of these modes:
- Configuring a Security Flow Policy in Firewall Bypass Mode
- Configuring a Security Policy in Firewall Discard Mode
- Configuring a Security Flow Policy in IPsec Protect Mode
Configuring a Security Flow Policy in Firewall Bypass Mode
To configure a security flow policy for firewall bypass mode:
Configure the security policies.
[edit security policies] user@host# set from-zone trustZone to-zone untrustZone policy policy1 match source-address trustLan user@host# set from-zone trustZone to-zone untrustZone policy policy1 match destination-address untrustLan user@host# set from-zone trustZone to-zone untrustZone policy policy1 match application any user@host# set from-zone trustZone to-zone untrustZone policy policy1 then permit user@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-init user@host# set from-zone trustZone to-zone untrustZone policy policy1 then session-close
Note:Here,
trustZone
anduntrustZone
are preconfigured security zones andtrustLan
anduntrustLan
are preconfigured network addresses.junos-ssh
is an example of a Junos OS default predefined application that can be configured in a security policy instead of theany
option in the above example to enforce SSH traffic.
Configuring a Security Policy in Firewall Discard Mode
To configure a security flow policy for firewall discard mode:
Configure the security policies.
[edit security policies] user@host# set from-zone untrustZone to-zone trustZone policy policy1 match source-address untrustLan user@host# set from-zone untrustZone to-zone trustZone policy policy1 match destination-address trustLan user@host# set from-zone untrustZone to-zone trustZone policy policy1 match application junos-telnet user@host# set from-zone untrustZone to-zone trustZone policy policy1 then deny user@host# set from-zone untrustZone to-zone trustZone policy policy1 then log session-init user@host# set from-zone untrustZone to-zone trustZone policy policy1 then session-close
Note:Here,
trustZone
anduntrustZone
are the preconfigured security zones andtrustLan
anduntrustLan
are preconfigured network addresses.junos-telnet
is an example of a Junos OS default predefined application that can be configured in a security policy to enforce Telnet traffic.
Configuring a Security Flow Policy in IPsec Protect Mode
To configure a security flow policy for IPsec protect mode:
Configure the VPN.
[edit] user@host# set security ipsec vpn vpn1 ike gateway gw1 user@host# set security ipsec vpn vpn1 ike ipsec-policy ipsec-policy1 user@host# set security ipsec vpn vpn1 bind-interface st0.0 user@host# set routing-options static route 198.51.100.14/24 qualified-next-hop st0.0 preference 1
Note:Here,
gw1
andipsec-policy1
are preconfigured IKE and IPsec policies.Configure the security policies.
[edit security policies] user@host# set from-zone trustZone to-zone untrustZone policy policy1 match source-address trustLan user@host# set from-zone trustZone to-zone untrustZone policy policy1 match destination-address untrustLan user@host# set from-zone trustZone to-zone untrustZone policy policy1 match application any user@host# set from-zone trustZone to-zone untrustZone policy policy1 then permit user@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-init user@host# set from-zone trustZone to-zone untrustZone policy policy1 then session-close
Note:Here,
trustZone
anduntrustZone
are preconfigured security zones andtrustLan
anduntrustLan
are preconfigured network addresses.
For more information on stateful session behavior, see Traffic Processing on SRX Series Devices Overview
For more information on how to configure known good and bad lists, see Configuring Security Policies
For more information on scheduling security policies, see Scheduling Security Policies and Policer Implementation Overview