SRX

Expand all | Collapse all

Session creation and Security Policy on SRX

Jump to Best Answer
  • 1.  Session creation and Security Policy on SRX

    Posted 10-01-2017 12:09

    Hi everyone.

     

    Is it correct SRX creates " Session" for new flow that passes Security policy? 

     

    I am confused about at what point Session is created in session table, please see the example below:

     

     

    PC( 199.199.199.10)---199.199.199.1-f0/1-SRX-f0/2-200.200.200.1-----PC 200.200.200.20

     

    SET UP:

    SRX has  vlan 199, vlan.199 in Zone TRUST ,199.199.199.1/24, f0//1 access port

    SRX has vlan 200, vlan.200 in Zone UNTRUST , 200.200.200.1/24 f0/2 access port

    SRC has STATIC Destination NAT which translate all traffic received from ZONE TRUST and destined to 100.100.100.10, will have DEST natted to 200.200.200.20

    We know Security policy is evaluated after STATIC DEST NAT. Therefore we write a policy on POST NAT IP.

     

    Config is under additional info at the bottom of this post.

     

    PC ( 199.199.199.10) issues ping to 100.100.100.10

     

    I see session table on SRX:

     

    root> show security flow session


    Session ID: 29032, Policy name: A/5, Timeout: 2, Valid
    In: 199.199.199.10/26998 --> 100.100.100.10/1;icmp, If: vlan.199, Pkts: 1, Bytes: 60
    Out: 200.200.200.20/1 --> 199.199.199.10/26998;icmp, If: vlan.200, Pkts: 1, Bytes: 60

     

     

    1) Above we " IN"  SRC IP is 199.199.199.10 DST 100.100.100.10 is created before " Security Policy " is evaluated , I based this because DST IP is still 100.100.100.10 not the NATTED IP 200.200.200.20

    2) It also shows Sesson is created in session table even before STATIC DEST NAT is attempted before DST IP is still 100.100.100.10 not 200.200.200.20

     

    What am i mssing ?  I know the whole lot but I am trying to get the logic down.

     

     

    Thanks and have a nice weekend!!

     

    Additional info:

    root> show configuration | display set


    set version 11.4R7.5
    set system root-authentication encrypted-password "$1$K8pkQCB3$PMhEh2V68NzABTnuUWOiv0"
    set system services ssh
    set system services telnet
    set system services xnm-clear-text
    set system services web-management http interface vlan.0
    set system services web-management https system-generated-certificate
    set system services web-management https interface vlan.0
    set system syslog archive size 100k
    set system syslog archive files 3
    set system syslog user * any emergency
    set system syslog file messages any critical
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands error
    set system max-configurations-on-flash 5
    set system max-configuration-rollbacks 5
    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
    set interfaces fe-0/0/0 unit 0 family ethernet-switching port-mode trunk
    set interfaces fe-0/0/0 unit 0 family ethernet-switching vlan members all
    set interfaces fe-0/0/1 unit 0 family ethernet-switching port-mode access
    set interfaces fe-0/0/1 unit 0 family ethernet-switching vlan members vlan199
    set interfaces fe-0/0/2 unit 0 family ethernet-switching port-mode access
    set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan200
    set interfaces fe-0/0/3 unit 0 family ethernet-switching port-mode access
    set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members vlan199
    set interfaces fe-0/0/4 unit 0
    set interfaces fe-0/0/5 unit 0
    set interfaces fe-0/0/6 unit 0
    set interfaces fe-0/0/7 unit 0
    set interfaces vlan unit 199 family inet address 199.199.199.1/24
    set interfaces vlan unit 200 family inet address 200.200.200.1/24
    set security address-book global address ZEE 200.200.200.20/32
    set security address-book global address GIGI 100.100.100.10/32
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security nat static rule-set ZEE1 from zone TRUST
    set security nat static rule-set ZEE1 rule RULE1 match destination-address 100.100.100.10/32
    set security nat static rule-set ZEE1 rule RULE1 then static-nat prefix 200.200.200.20/32
    set security policies from-zone TRUST to-zone UNTRUST policy A match source-address any
    set security policies from-zone TRUST to-zone UNTRUST policy A match destination-address GIGI
    set security policies from-zone TRUST to-zone UNTRUST policy A match destination-address ZEE
    set security policies from-zone TRUST to-zone UNTRUST policy A match application any
    set security policies from-zone TRUST to-zone UNTRUST policy A then permit
    set security policies from-zone UNTRUST to-zone TRUST policy A match source-address GIGI
    set security policies from-zone UNTRUST to-zone TRUST policy A match destination-address any
    set security policies from-zone UNTRUST to-zone TRUST policy A match application any
    set security policies from-zone UNTRUST to-zone TRUST policy A then permit
    set security zones security-zone TRUST host-inbound-traffic system-services all
    set security zones security-zone TRUST interfaces vlan.199
    set security zones security-zone UNTRUST host-inbound-traffic system-services all
    set security zones security-zone UNTRUST interfaces vlan.200
    set vlans vlan199 vlan-id 199
    set vlans vlan199 l3-interface vlan.199
    set vlans vlan200 vlan-id 200
    set vlans vlan200 l3-interface vlan.200

     

     

     

     

     

     



  • 2.  RE: Session creation and Security Policy on SRX
    Best Answer

     
    Posted 10-01-2017 14:27

    Check out the flow chart in this kb article for the details.  You do have this correct that destination NAT drives the security policy while source NAT does not.

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB16110

     

    The session table entry is not about the policy evaluation but letting you know what is happening to the packet on the SRX.  This gives us both the pre and post nat addresses in the flow so we can understand the packet flow.  There is no session created until the full flow chart is evaluated on the first packet and setups the session.