SRX

Expand all | Collapse all

Security Policy source-address-excluded

  • 1.  Security Policy source-address-excluded

    Posted 06-12-2017 05:13

    I'm unclear on how to exclude a single IP from a security policy (without creating a duplicate policy with reject). How do I match any IP except for one in a security policy?

     

    Is this the correct way to get this working?:

     

    policy my-security-policy {
      match {
        source-address any;
    source-address-excluded block-this-ip; destination-address endpoint1; application [ http https ]; } then { accept; count; } }


  • 2.  RE: Security Policy source-address-excluded

    Posted 06-12-2017 12:12

    Yes that sees to be correct. I had not noticed this feature in security polices before. I have used similar in ACLs which use the word except. 

    But go for it and test an IP on a test workstation. Also

    BE SURE TO USE: commit confirmed <time_value in minutes>

    If you are remote, ask someone on the network whom you can test it with.

    Unfortunately I do not know if there is a GUI option to test firewall polices, but I dont know of one from the cli. There is a est policy for routing polices. I think this is a major utility that they do not seem to have considered. But it is extremely useful. I know other security firewalls with a built in utility to test all kinds of security polices.



  • 3.  RE: Security Policy source-address-excluded

     
    Posted 06-13-2017 00:15

    Hi VMCOps,

     

    Did you copy this output from SRX? I dont see an option to specify the Address after "source-address-excluded" command.

     

     

    root@srx# ...ock-Access match source-address-excluded ?         
    Possible completions:
      <[Enter]>            Execute this command
    + application          Port-based application
    + apply-groups         Groups from which to inherit configuration data
    + apply-groups-except  Don't inherit configuration data from these groups
    + destination-address  Match destination address
      destination-address-excluded  Exclude destination addresses
    + source-address       Match source address
    > source-end-user-profile  Match source end user profile
    + source-identity      Match source identity
      |                    Pipe through a command
    [edit]
    root@srx#

     

     

    Below URL explains how to configure source-address-excluded and I can see its working.

     

    https://www.juniper.net/documentation/en_US/junos/topics/example/security-policy-negated-address-configuring.html

     

    Step 1. Create address book entry that you need to exclude (It can be zone based or global)

     

    set security zones security-zone TRUST address-book address My-PC 10.10.10.1/32

     

    Step 2.

     

    Create secuirty policy with this address as Source/Destination and include source-address-excluded /destination-address-excluded

     

    set security policies from-zone TRUST to-zone UNTRUST policy Block-Access match source-address My-PC
    set security policies from-zone TRUST to-zone UNTRUST policy Block-Access match destination-address any
    set security policies from-zone TRUST to-zone UNTRUST policy Block-Access match source-address-excluded
    set security policies from-zone TRUST to-zone UNTRUST policy Block-Access match application any
    set security policies from-zone TRUST to-zone UNTRUST policy Block-Access then deny

     

     

    Step 3.

     

    Run "show security policy detail" to make sure the address is showing as excluded

     

    root@srx> ...from-zone TRUST to-zone UNTRUST detail            
    Policy: Block-Access, action-type: deny, State: enabled, Index: 5, Scope Policy: 0
      Policy Type: Configured
      Sequence number: 1
      From zone: TRUST, To zone: UNTRUST
      Source addresses(excluded):
        My-PC: 10.10.10.1/32
      Destination addresses:
        any-ipv4(global): 0.0.0.0/0
        any-ipv6(global): ::/0
      Application: any
        IP protocol: 0, ALG: 0, Inactivity timeout: 0
          Source port range: [0-0]
          Destination port range: [0-0]
      Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No