Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Security Policies for Tenant Systems

Security policies can be configured with tenant systems. For more information see the following topics:

Understanding Security Policies for Tenant Systems

Security policies enforce rules for what traffic can pass through the firewall and actions that need to take place on the traffic as it passes through the firewall. Through the creation of security policies, the administrator for the tenant system can control the traffic flow from zone to zone by defining the kinds of traffic permitted to pass from sources to destinations. From the perspective of the security policies, traffic enters one security zone and exits through another security zone. By default, the tenant system denies all traffic in all directions, including intra-zone and inter-zone directions.

Starting in Junos OS Release 18.3R1, the security policies feature supported on logical systems is now extended to tenant systems.

Security policies can be configured in the tenant systems. Tenant security policies are configured the same way as logical system security policies and firewall-wide security policies. Any security policies, policy rules, address books, applications and application sets, and schedulers created within a tenant system are only applicable to that tenant system. Only predefined applications and application sets, such as junos-ftp, are shared between the tenant systems.

The administrator for the tenant system can configure and view all attributes for security policies in a tenant system.

Starting in Junos OS Release 18.4R1, the tenant system administrator can create dynamic address within a tenant system. A dynamic address entry contains IP addresses and prefixes extracted from external sources. The security policies use the dynamic address in the source-address field or destination-address field. You can view the dynamic-address information including the name, feeds, and properties for tenant systems by using the command show security dynamic-address.

A dynamic address entry (DAE) is a group of IP addresses that can be entered manually or imported from external sources within tenant systems. The DAE feature allows feed-based IP objects to be used in security policies to either deny or allow traffic based on either source or destination IP criteria.

Note:

The maximum number of DAE for a given tenant system equals the system-wide scaling number. Furthermore, the sum of DAE for all the tenant systems must be less than or equal to the system-wide scaling number for DAE. If one tenant system uses maximum number of IP entries, other tenant system will fail to get IP entries into their DAE.

Starting in Junos 18.4R1, the set security dynamic-address feed-server command can be configured under the tenant systems.

Application Timeouts

The application timeout value set for an application determines the session timeout. Application timeout behavior is the same for a tenant system as it is at the root level. Although the administrators of the tenant system can use predefined applications in security policies, the administrators cannot modify the timeout value for these predefined applications. Application timeout values are stored in the application entry database and in the corresponding tenant system TCP and UDP port-based timeout tables.

Security Policy Allocation

The primary administrator creates a security profile to allocate the maximum number of policies that can be configured for each tenant system. The administrator of the tenant system is then restricted by the security profile to create no more than the number of policies described in the security profile. The administrator of the tenant system use the show system security-profile policy command to view the number of security policies allocated to the tenant system.

Example: Configuring Security Policies in the Tenant System

This example shows how to configure the security policies for the tenant system.

Requirements

Before you begin the configuration:

  • Configure zones. See Example: Configuring Security Zones in the Tenant System.

  • Use the show system security-profiles policy command to see the security policy resources allocated to the tenant system.

Overview

In this example, you can configure a security policy for the tenant system. The administrator for the tenant system user can use [edit tenants tenant-name security policies] hierarchy level to configure the security policies. This example configures the security policies described in Table 1.

Table 1: Security Policies Parameters

Feature

Configuration Parameters

Policy 1

Permit the following traffic:

  • Policy name: p1

  • Tenant name: TSYS1

  • From zone: trust

  • To zone: untrust

  • Source address: any

  • Destination address: any

  • Application: any

Policy 2

Permit the following traffic:

  • Policy name: p1

  • Tenant name: TSYS1

  • From zone: untrust

  • To zone: trust

  • Source address: any

  • Destination address: any

  • Application: any

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure the security policies in the tenant system:

  1. Log in to the tenant system and define the tenant system name as TSYS1.

  2. Create a security policy as p1 that permits traffic from zone trust to zone untrust and configure the match condition.

  3. Create a security policy as p2 that permits traffic from zone untrust to zone trust and configure the match condition.

Results

From configuration mode, confirm your configuration by entering the show tenants tenant-name security policies command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

Verification

Verifying Policy Configuration

Purpose

Verify the information about security policies.

Action

To verify the configuration is working properly, enter the show security policies detail tenant TSYS1 command from operational mode.

Meaning

The output displays the information about the security policies configured on the tenant system.

Configuring Dynamic Address for Tenant Systems

A dynamic address entry in the tenant system provides dynamic IP address information to security policies. To use dynamic address, you must specify basic information of dynamic address including their names, feeds and properties for a tenant system.

To configure the dynamic address in IPv4 networks within a tenant system:

  1. Define the tenant system name as TSYS1.
  2. Create dynamic address within a tenant system.
  3. Confirm your configuration by entering the show tenants TSYS1 security dynamic-address command.
  • To configure the security policies in the tenant system:

    1. Define the tenant system name as TSYS1.

    2. Create a security policy as p1 that permits traffic from zone trust to zone untrust and configure the match condition.

    3. Confirm your configuration by entering the show tenants tenant-name security policies command

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release
Description
18.3R1
Starting in Junos OS Release 18.3R1, the security policies feature supported on logical systems is now extended to tenant systems.