SRX


best practice firewall filter or security zone/policy (pfsense firewall rules to srx)

  • 1.  best practice firewall filter or security zone/policy (pfsense firewall rules to srx)

    Posted 09-03-2019 06:21

    Hello,

     

    I am planning to migrate pfSense firewall rules to an SRX340, but I would like to know what the best-practice solution for this is. Do I need to use security zones with additional policies, or firewall filters, to allow services/protocols towards different destinations/endpoints?

     

    example pfsense:

    protocol: tcp

    source: LAN (TEST-LAN)

    port: any

    Destination:LDAP

    port:389

    port:636

     

    How do I convert this to an SRX firewall rule? Let's say I am using security zones; does this mean I need to make a security zone for each firewall rule in pfSense?

     

    SRX:

    Source/destination:

    set security address-book global address TEST 172.16.1.1

    set security address-book global address LDAP 172.22.1.46

     

    Ports:
    set applications application tcp-389 protocol tcp destination-port 389
    set applications application tcp-636 protocol tcp destination-port 636

     

    set applications application-set LDAP-PORTS application tcp-389
    set applications application-set LDAP-PORTS application tcp-636

     

    Zones:
    set security zones security-zone TEST-LAN interfaces reth1.16 host-inbound-traffic system-services all
    set security zones security-zone TEST-LAN interfaces reth1.16 host-inbound-traffic protocols all

     

    set security zones security-zone LDAP interfaces reth1.16 host-inbound-traffic system-services all
    set security zones security-zone LDAP interfaces reth1.16 host-inbound-traffic protocols all

     

    Policies:
    set security policies from-zone TEST-LAN to-zone LDAP policy test-lan-to-ldap match source-address TEST
    set security policies from-zone TEST-LAN to-zone LDAP policy test-lan-to-ldap match destination-address LDAP
    set security policies from-zone TEST-LAN to-zone LDAP policy test-lan-to-ldap match application LDAP-PORTS
    set security policies from-zone TEST-LAN to-zone LDAP policy test-lan-to-ldap then permit
    set security policies from-zone TEST-LAN to-zone LDAP policy test-lan-to-ldap then log session-init
    set security policies from-zone TEST-LAN to-zone LDAP policy test-lan-to-ldap then log session-close

     

     

    Thank you in advance.

     

     



  • 2.  RE: best practice firewall filter or security zone/policy (pfsense firewall rules to srx)

    Posted 09-03-2019 07:20

    Hi Suli,

     

    Let's consider the topology for an explanation.

     

    TEST(172.16.1.1)------<TEST-LAN zone>--------(ingress)SRX340(egress)----------<LDAP zone>-------(172.22.1.46)LDAP server

     

    If the traffic is initiated from one zone to another zone, let's say from the above topology, it's from TEST-LAN zone to LDAP zone, please create the security policy like the one below:

     

    set security policies from-zone TEST-LAN to-zone LDAP policy test-lan-to-ldap match source-address TEST
    set security policies from-zone TEST-LAN to-zone LDAP policy test-lan-to-ldap match destination-address LDAP
    set security policies from-zone TEST-LAN to-zone LDAP policy test-lan-to-ldap match application LDAP-PORTS
    set security policies from-zone TEST-LAN to-zone LDAP policy test-lan-to-ldap then permit
    set security policies from-zone TEST-LAN to-zone LDAP policy test-lan-to-ldap then log session-init
    set security policies from-zone TEST-LAN to-zone LDAP policy test-lan-to-ldap then log session-close

     

    Based on your configuration, you've placed the reth1.16 interface in two different security zones (TEST-LAN and LDAP). This is not required, and if it is configured that way it will throw an error during commit.

     

    So, the TEST-LAN security zone should contain the SRX's ingress interface and the LDAP zone should contain SRX's egress interface.

     

    Please let me know if my understanding of the requirement is correct.



  • 3.  RE: best practice firewall filter or security zone/policy (pfsense firewall rules to srx)

    Posted 09-03-2019 11:33

    Thank you very much noobmaster. The idea of giving that example was to ask whether it is preferable to use security zones instead of firewall filters on the SRX, because I have too many firewall rules in pfSense and I need to convert them to the SRX. So does that mean I need to make different zones for all the rules that I have in pfSense, and do I need to attach them to the egress interface (outside interface) as the destination?


    SRX:

    reth0.100 is the outside interface and is attached to the untrust security zone (internet)

    reth1.16 is the inside interface and is attached to the OT-TEST security zone. (TEST-LAN has an IP on the subnet of OT-TEST)

     

    reth0 {
        description "internet";
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
            lacp {
                active;
                periodic slow;
            }
        }
        unit 100 {
            vlan-id 100;
            family inet {
                address 192.168.0.1/29;
            }
        }
    }
    reth1 {
        description switch01;
        vlan-tagging;
        redundant-ether-options {
            redundancy-group 1;
            lacp {
                active;
                periodic slow;
            }
        }
        unit 10 {
            description "idrac vlan 10";
            vlan-id 10;
            family inet {
                address 172.22.x.x/26;
            }
        }
        unit 20 {
            description "application vlan 20";
            vlan-id 20;
            family inet {
                address 172.22.x.x/21;
            }
        }
        unit 60 {
            description "mgmt vlan 60";
            vlan-id 60;
            family inet {
                address 172.22.x.x/27 {
                    primary;
                }
            }
        }
        unit 16 {
            description "OT-TEST vlan 16";
            vlan-id 16;
            family inet {
                address 172.16.1.2/27 {
                    primary;
                }
            }
        }
    }

     

    security {
        policies {
            from-zone untrust to-zone junos-host {
                policy ssh {
                    match {
                        source-address any;
                        destination-address any;
                        application junos-ssh;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone management-network to-zone junos-host {
                policy ssh {
                    match {
                        source-address any;
                        destination-address any;
                        application junos-ssh;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone junos-host to-zone management-network {
                policy ssh {
                    match {
                        source-address any;
                        destination-address any;
                        application junos-ssh;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone OT-TEST to-zone LDAP {
                policy test-lan-to-ldap {
                    match {
                        source-address TEST;
                        destination-address LDAP;
                        application LDAP-PORTS;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone untrust {
                address-book {
                    address office-1 194.x.x.x/29;
                    address office-2 195.x.x.x/27;
                    address office-3 196.x.x.x/32;
                    address office-4 211.x.x.x/32;
                    address office-5 212.x.x.x/29;
                    address-set office {
                        address office-1;
                        address office-2;
                        address office-3;
                        address office-4;
                        address office-5;
                    }
                }
                host-inbound-traffic {
                    system-services {
                        ping;
                        ssh;
                        https;
                    }
                }
                interfaces {
                    reth0.100 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                https;
                                ssh;
                            }
                        }
                    }
                }
            }
            security-zone management-network {
                interfaces {
                    reth1.60 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                ssh;
                                https;
                            }
                        }
                    }
                }
            }
            security-zone idrac {
                interfaces {
                    reth1.10 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                            }
                        }
                    }
                }
            }
            security-zone application {
                interfaces {
                    reth1.20 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                            }
                        }
                    }
                }
            }
            security-zone OT-TEST {
                interfaces {
                    reth1.16 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone LDAP {
                interfaces {
                    reth?????? {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                        }
                    }
                }
            }
        }
    }



  • 4.  RE: best practice firewall filter or security zone/policy (pfsense firewall rules to srx)

     
    Posted 09-03-2019 22:03

    Hello,

     

    Firstly, you would need to use a security policy and not a firewall filter (ff); the ff is meant for a different purpose.

     

    Could you please help me understand what destination LDAP means in pfSense? Is it an exit interface (VLAN)? For example, "OT-TEST vlan 16" corresponds to the LAN (TEST-LAN) in pfSense.

     

    Regards,

     

    Vikas



  • 5.  RE: best practice firewall filter or security zone/policy (pfsense firewall rules to srx)

    Posted 09-04-2019 07:03

    Hello Vikas,

     

    Hereby I have attached a sample of the pfSense firewall configuration. The "LAN" is like "OT-TEST vlan 16": it allows connections to the specified destination "LDAP" as long as they originate from the LAN network (ingress). Destination LDAP means that a server/host on the LAN network can access the LDAP server on the LDAP ports. LDAP does not have any outbound interface.

     



  • 6.  RE: best practice firewall filter or security zone/policy (pfsense firewall rules to srx)

    Posted 09-04-2019 08:59

    Hi Suli,

     

    From your inputs, I have mentioned my observation below:

     

    TEST - 172.16.1.1 (reth1.16 - OT-TEST zone)

    LDAP - 172.22.1.46

     

    Let me know under which segment LDAP (172.22.1.46) is configured. From the configuration, there are 3 possibilities:

    reth1.10 (172.22.x.x/26), reth1.20 (172.22.x.x/21) or reth1.60 (172.22.x.x/21).

     

    Once we know which interface LDAP is on, we can determine the zone from that interface. After that we can configure the security policies accordingly.

     

    Awaiting your inputs.

     



  • 7.  RE: best practice firewall filter or security zone/policy (pfsense firewall rules to srx)

    Posted 09-04-2019 09:52

    Hello,

     

     

    that will be under reth1.20 (172.22.x.x/21)



  • 8.  RE: best practice firewall filter or security zone/policy (pfsense firewall rules to srx)
    Best Answer

    Posted 09-04-2019 10:08

    Hi Suli,

     

    Thanks for the input. It seems like you've already mapped reth1.20 under a security zone named "application".

     

    security-zone application {
        interfaces {
            reth1.20 {
                host-inbound-traffic {
                    system-services {
                        ping;
                    }
                }
            }
        }
    }

     

    Now, the only step left to make this communication work is to configure the security policy (assuming routes are in place) as mentioned below:

     

    set security policies from-zone OT-TEST to-zone application policy test-lan-to-ldap match source-address TEST
    set security policies from-zone OT-TEST to-zone application policy test-lan-to-ldap match destination-address LDAP
    set security policies from-zone OT-TEST to-zone application policy test-lan-to-ldap match application LDAP-PORTS
    set security policies from-zone OT-TEST to-zone application policy test-lan-to-ldap then permit
    set security policies from-zone OT-TEST to-zone application policy test-lan-to-ldap then log session-init
    set security policies from-zone OT-TEST to-zone application policy test-lan-to-ldap then log session-close

     

    Let me know if you face any difficulty.
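Since the real task in this thread is converting many pfSense rules rather than one, here is an added Python example (not code from the thread, from Juniper or from pfSense) that turns pfSense-style allow rules into the Junos set commands worked out in posts 1, 2 and 8: global address-book entries, one application per protocol/port, an application-set, and a from-zone/to-zone policy with session logging, followed by a logged deny closing each zone pair. It derives the zones from the interface prefixes instead of creating a zone per rule, refuses a zone table that binds one interface to two zones (the commit error noted in post 2), takes the protocol from the rule rather than from the application name, and uses the Junos keyword destination-port. Assumptions not in the thread: the reth1.20 prefix 172.22.0.0/21 (the thread redacts it as 172.22.x.x/21), the deny-rest policy name, and the Rule data model.

```python
"""Turn pfSense-style allow rules into Junos SRX set commands (added example)."""
import ipaddress
from dataclasses import dataclass

# Zone -> {interface: prefix}, from the posted config. reth1.16 is 172.16.1.2/27 in the
# thread; the reth1.20 prefix is an ASSUMPTION (the thread redacts it as 172.22.x.x/21).
ZONES = {
    "OT-TEST": {"reth1.16": "172.16.1.0/27"},
    "application": {"reth1.20": "172.22.0.0/21"},  # assumed prefix
}
# Hosts named in the thread (pfSense aliases / SRX address-book entries).
ADDRESSES = {"TEST": "172.16.1.1", "LDAP": "172.22.1.46"}


@dataclass(frozen=True)
class Rule:
    """One pfSense allow rule: protocol, source alias, destination alias, destination ports."""
    name: str
    protocol: str
    source: str
    destination: str
    dst_ports: tuple


# Constructed from the LAN -> LDAP rule in the first post (tcp/389 and tcp/636).
RULES = [Rule("test-lan-to-ldap", "tcp", "TEST", "LDAP", (389, 636))]


def check_zone_interfaces(zones):
    """Junos rejects a commit when one interface is bound to two zones; fail early instead."""
    owner = {}
    for zone, ifaces in zones.items():
        for ifname in ifaces:
            if ifname in owner:
                raise ValueError(f"{ifname} is in zones {owner[ifname]} and {zone}")
            owner[ifname] = zone


def zone_for(ip, zones):
    """Zone whose interface prefix contains ip; the longest prefix wins if several match."""
    addr, best = ipaddress.ip_address(ip), None
    for zone, ifaces in zones.items():
        for prefix in ifaces.values():
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (zone, net.prefixlen)
    if best is None:
        raise LookupError(f"no zone interface contains {ip}")
    return best[0]


def rule_to_set_commands(rule, zones, addresses):
    """Address-book, application, application-set and policy lines for one rule."""
    if rule.protocol not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol {rule.protocol!r}")
    if any(not 1 <= p <= 65535 for p in rule.dst_ports):
        raise ValueError(f"bad port in {rule.dst_ports}")
    src_zone = zone_for(addresses[rule.source], zones)
    dst_zone = zone_for(addresses[rule.destination], zones)
    app_set = f"{rule.destination}-PORTS"
    policy = f"set security policies from-zone {src_zone} to-zone {dst_zone} policy {rule.name}"
    cmds = [f"set security address-book global address {n} {addresses[n]}/32"
            for n in (rule.source, rule.destination)]
    for port in rule.dst_ports:
        app = f"{rule.protocol}-{port}"
        # Junos keyword is destination-port; the protocol comes from the rule, not the app name.
        cmds.append(f"set applications application {app} protocol {rule.protocol} destination-port {port}")
        cmds.append(f"set applications application-set {app_set} application {app}")
    cmds += [f"{policy} match source-address {rule.source}",
             f"{policy} match destination-address {rule.destination}",
             f"{policy} match application {app_set}",
             f"{policy} then permit",
             f"{policy} then log session-init",
             f"{policy} then log session-close"]
    return cmds


def deny_rest(src_zone, dst_zone):
    """Explicit logged deny closing the zone pair (the policy name deny-rest is an assumption)."""
    policy = f"set security policies from-zone {src_zone} to-zone {dst_zone} policy deny-rest"
    return [f"{policy} match source-address any", f"{policy} match destination-address any",
            f"{policy} match application any", f"{policy} then deny",
            f"{policy} then log session-init"]


def generate(rules, zones, addresses):
    """All rules in order (first match wins on the SRX), de-duplicated, then a deny per zone pair."""
    check_zone_interfaces(zones)
    out, seen, pairs = [], set(), []
    for r in rules:
        for c in rule_to_set_commands(r, zones, addresses):
            if c not in seen:
                seen.add(c)
                out.append(c)
        pair = (zone_for(addresses[r.source], zones), zone_for(addresses[r.destination], zones))
        if pair not in pairs:
            pairs.append(pair)
    for s, d in pairs:
        out += deny_rest(s, d)
    return out


if __name__ == "__main__":
    print("\n".join(generate(RULES, ZONES, ADDRESSES)))
```

Run it to print the commands, paste them under `configure` on the SRX and run `commit check` before `commit`. To confirm a flow hits the intended policy afterwards, `show security match-policies from-zone OT-TEST to-zone application source-ip 172.16.1.1 destination-ip 172.22.1.46 source-port 40000 destination-port 389 protocol tcp` reports the matching policy, and `show security policies hit-count` shows whether the deny-rest entry is catching traffic the pfSense rules used to allow.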



  • 9.  RE: best practice firewall filter or security zone/policy (pfsense firewall rules to srx)

    Posted 09-04-2019 11:18

    Thank you guys, that should do it!