SRX


Question about Address prefix vs. range-address in Security Policies

  • 1.  Question about Address prefix vs. range-address in Security Policies

    Posted 03-31-2019 04:33

    Hi,

    I was trying to set up intra-zone (trust-to-trust) security policies and discovered that my source-address that references a network prefix doesn't work, but when redefined as a range-address it does work.

    Has anyone run into this before?


    security {
       address-book {
          trusted-addresses {
             address A-prefix-subnet x.y.z.0/24;
             address A-range-subnet {
                range-address x.y.z.1 {
                   to {
                         x.y.z.254;
                   }
                }
             }
             address B-prefix-subnet a.b.c.0/24;
             address B-range-subnet {
                range-address a.b.c.1 {
                   to {
                         a.b.c.254;
                   }
                }
             }
             attach {
                zone trust;
             }
          }
       }
       policies {
            from-zone trust to-zone trust {
                policy Intra-trust-allow {
                    match {
                        # client in x.y.z.107 cannot ping B's q.r.s.t
                        source-address A-prefix-subnet;
                        # client in x.y.z.107 can ping B's q.r.s.t
                        source-address A-range-subnet;
                        destination-address any;
                        application any;
                        source-identity any;
                    }
                    then {
                        permit;
                    }
                }
            }
       }
    }

    Within the SRX's (12.1X46-D71) CLI, I can ping all IPs.

    Thanks



  • 2.  RE: Question about Address prefix vs. range-address in Security Policies

    Posted 03-31-2019 05:14

    Hello,

    I do not see any issue in mentioning a prefix as a subnet in a security policy. It should work with either a prefix or a range. Maybe try removing the "source-identity any" configuration and try again with the prefix.




  • 3.  RE: Question about Address prefix vs. range-address in Security Policies

    Posted 03-31-2019 15:15
    I just tried it by modifying the address and policy, but it didn't make any difference. I guess it could be the way I've created my policies, although I only have one trust-to-trust.


  • 4.  RE: Question about Address prefix vs. range-address in Security Policies

    Posted 03-31-2019 18:27

    Hope there is no typo in the address book IP address. Please use the command below in both cases and check the status:

    show security match-policies from-zone trust to-zone trust source-ip a.b.c.d destination-ip e.f.g.h source-port 1025 destination-port 1025 protocol icmp




  • 5.  RE: Question about Address prefix vs. range-address in Security Policies

    Posted 04-02-2019 00:24

    @Nellikka wrote:

    Hope there is no typo in the address book IP address. Please use the command below in both cases and check the status:

    show security match-policies from-zone trust to-zone trust source-ip a.b.c.d destination-ip e.f.g.h source-port 1025 destination-port 1025 protocol icmp


    Thanks for your reply. If I had a typo, wouldn't Junos notice and issue an error? I used the web UI for these changes, so I hope they're fine syntax-wise. Anyway, I changed my config as follows:

    1. Changed destination to subnet - OK!
    2. Changed source to subnet - Error.

    Here's the error output:

    Policy: Default-Policy, action-type: deny-all, State: enabled, Index: 2
    Sequence number: 2

    The problem is I can't find this Default-Policy when I issue show security policies.

    When everything was working after changing step 1, here's the output:

    Policy: Intra-trust-allow, action-type: permit, State: enabled, Index: 12, Scope Policy: 0
      Policy Type: Configured
      Sequence number: 1
      From zone: trust, To zone: trust
      Source addresses:
        Management-subnet(Trusted-Addresses): x.y.z.1 ~ x.y.z.254
      Destination addresses:
        any-ipv4(Trusted-Addresses): 0.0.0.0/0
        any-ipv6(Trusted-Addresses): ::/0
      Application: any
        IP protocol: 0, ALG: 0, Inactivity timeout: 0
          Source port range: [0-0]
          Destination port range: [0-0]
      Source identities:
        any
      Per policy TCP Options: SYN check: No, SEQ check: No


  • 6.  RE: Question about Address prefix vs. range-address in Security Policies

    Posted 03-31-2019 18:32

    Hello,

    The SRX in flow mode blocks intra-zone traffic by default as well. So indeed you need a trust-to-trust policy if the traffic is traversing from x.y.z.0/24 to x.y.z.0/24 or a.b.c.0/24, as they are both bound to the trust zone.

    Can you also try configuring it the following way:

    set security zones security-zone trust address-book address A-prefix-subnet x.y.z.0/24
    set security zones security-zone trust address-book address B-prefix-subnet a.b.c.0/24

    set security policies from-zone trust to-zone trust policy Intra-trust-allow match source-address A-prefix-subnet
    set security policies from-zone trust to-zone trust policy Intra-trust-allow match destination-address B-prefix-subnet
    set security policies from-zone trust to-zone trust policy Intra-trust-allow match application any
    set security policies from-zone trust to-zone trust policy Intra-trust-allow then permit




  • 7.  RE: Question about Address prefix vs. range-address in Security Policies

    Posted 04-02-2019 00:26

    @joses wrote:

    Hello,

    The SRX in flow mode blocks intra-zone traffic by default as well. So indeed you need a trust-to-trust policy if the traffic is traversing from x.y.z.0/24 to x.y.z.0/24 or a.b.c.0/24, as they are both bound to the trust zone.

    Can you also try configuring it the following way:

    set security zones security-zone trust address-book address A-prefix-subnet x.y.z.0/24
    set security zones security-zone trust address-book address B-prefix-subnet a.b.c.0/24

    set security policies from-zone trust to-zone trust policy Intra-trust-allow match source-address A-prefix-subnet
    set security policies from-zone trust to-zone trust policy Intra-trust-allow match destination-address B-prefix-subnet
    set security policies from-zone trust to-zone trust policy Intra-trust-allow match application any
    set security policies from-zone trust to-zone trust policy Intra-trust-allow then permit


    Thanks for your reply. I tried it, but because I'm using global address-book entries, I can't enter any addresses in my zones.



  • 8.  RE: Question about Address prefix vs. range-address in Security Policies
    Best Answer

    Posted 03-31-2019 20:05

    Hello,

    Indeed it sounds strange. Assuming no typo in the /24 subnet definition, I would try the following:

    > Remove the /24 entry

    > Commit the config

    > Add the /24 address-book entry

    > Add the /24 address-book entry to the policy while removing the range entry

    > Commit full (note that dynamic routing and VPNs may encounter a blip with this)

    > Can you check if the policy detail shows the correct subnet?

    root@srx> show security policies from-zone trust to-zone trust detail
    Policy: Subnet1-to-Subnet2, action-type: permit, State: enabled, Index: 4, Scope Policy: 0
      Policy Type: Configured
      Sequence number: 1
      From zone: trust, To zone: trust
      Source addresses:
        Subnet1(global): 192.168.10.0/24
      Destination addresses:
        Subnet2(global): 192.168.20.0/24
      Application: any
        IP protocol: 0, ALG: 0, Inactivity timeout: 0
          Source port range: [0-0]
          Destination port range: [0-0]
      Per policy TCP Options: SYN check: No, SEQ check: No

    > Which platform is this? We can check if the policy is programmed properly in the PFE if the above steps don't help.

    I hope this helps.

    Regards,

    Vikas



  • 9.  RE: Question about Address prefix vs. range-address in Security Policies

    Posted 04-02-2019 00:41

    @Nelumbo wrote:

    Hello,

    Indeed it sounds strange. Assuming no typo in the /24 subnet definition, I would try the following:

    > Remove the /24 entry

    > Commit the config

    > Add the /24 address-book entry

    > Add the /24 address-book entry to the policy while removing the range entry

    > Commit full (note that dynamic routing and VPNs may encounter a blip with this)

    > Can you check if the policy detail shows the correct subnet?

    root@srx> show security policies from-zone trust to-zone trust detail
    Policy: Subnet1-to-Subnet2, action-type: permit, State: enabled, Index: 4, Scope Policy: 0
      Policy Type: Configured
      Sequence number: 1
      From zone: trust, To zone: trust
      Source addresses:
        Subnet1(global): 192.168.10.0/24
      Destination addresses:
        Subnet2(global): 192.168.20.0/24
      Application: any
        IP protocol: 0, ALG: 0, Inactivity timeout: 0
          Source port range: [0-0]
          Destination port range: [0-0]
      Per policy TCP Options: SYN check: No, SEQ check: No

    > Which platform is this? We can check if the policy is programmed properly in the PFE if the above steps don't help.

    I hope this helps.

    Regards,

    Vikas


    Interesting!

    I replaced the entry as in my reply to Nellikka, and here's the detail:

    root@srx240poe> show security policies from-zone trust to-zone trust detail
    Policy: Intra-trust-allow, action-type: permit, State: enabled, Index: 12, Scope Policy: 0
      Policy Type: Configured
      Sequence number: 1
      From zone: trust, To zone: trust
      Source addresses:
        Management-subnet(Trusted-Addresses): x.y.z.0/0.0.0.24
      Destination addresses:
        any-ipv4(Trusted-Addresses): 0.0.0.0/0
        any-ipv6(Trusted-Addresses): ::/0
      Application: any
        IP protocol: 0, ALG: 0, Inactivity timeout: 0
          Source port range: [0-0]
          Destination port range: [0-0]
      Source identities:
        any
      Per policy TCP Options: SYN check: No, SEQ check: No

    The problem was that I was using CIDR and not reading the description in the CLI nor the web UI's drop-down "IP Address/Netmask"!

    Duh.

    Replacing x.y.z.0/24 with x.y.z.0/255.255.255.0 fixed it!

    EDIT: You guys are real sharp. I think the reason why you wrote to check for a typo is that the CLI config doesn't use CIDR; instead the addresses are defined as

                address Management-subnet {
                    wildcard-address x.y.z.0/255.255.255.0;
                }

    Thank you everyone.