SRX

Hi,

 

I have some policies in my untrust-to-trust zones where I want to block subnets for ssh. The policy looks like

            policy UNTRUST-to-TRUST-SSH {
                match {
                    source-address [ address1 address2 .... addressn ];
                    destination-address any;
                    source-address-excluded;
                    application junos-ssh;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }

If there are more than 10 source-addresses, commits will fail. I thought I could use an address-set but if I reference an address-set, JunOS just dereferences it and still complains that I have more than 10 entries. Currently I have another policy that's exactly the same but with a different name with other source-addresses.

 

Is there a more elegant way to work around this limitation?

I finally took some time to look this up. Documentation at https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-address-books-sets.html#id-excluding-addresses-from-policies states

 

When a range of addresses or a single address is negated, it can be divided into multiple addresses. These negated addresses are shown as a prefix or a length that requires more memory for storage on a Packet Forwarding Engine.

 .

 .

A policy can contain 10 source or destination addresses.

 

Using 2 rules actually didn't work because the first rule satisfied the match. What I ended up doing was to have a regular match w/out negation and deny where maximum address objects is 1024.

 

            policy UNTRUST-to-TRUST-DENY {
                match {
                    source-address [ address-set-x ];
                    destination-address any;
                    application junos-ssh;
                }
                then {
                    deny;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }

Hi,

      What should i do, when i need to permit  ssh access to 20nos of random ip's from a huge segment.And deny everything else.

 

set security policies from-zone trust to-zone srv-frm policy srv-access match source-address srv_admin_list

set security policies from-zone trust to-zone srv-frm policy srv-access match destination-address srv_list

set security policies from-zone trust to-zone srv-frm policy srv-access match source-address-excluded

set security policies from-zone trust to-zone srv-frm policy srv-access match application junos-ssh

set security policies from-zone trust to-zone srv-frm policy srv-access then deny

set security policies from-zone trust to-zone srv-frm policy srv-access then log session-init

set security policies from-zone trust to-zone srv-frm policy srv-access then log session-close

 

 

In the "srv_admin_list" i have 10 random ip's.And these are allowed to connect.And they are working fine.But when I add more than ten it refuces to add the ip's.And getting the message the limit of source-address are 10Nos.I need 20 random IP's to be added.I was forced to use "source-address-excluded" because there is a "permit any any" statement which is used by some traffic which I dont want to disrupt.

 

Best Regards,

S.Syed

Hi there,

The source-address-exclude command is quite limited - you'd be better off creating an explicit permit rule for the 20 hosts you wish to allow, and then follow it with a deny rule.  I would also advise using an address-set so that you can add and remove hosts from your permit list without having to change the policy.  eg:

## First, create an address-set AS-DENY-SSH containing the servers you wish to deny SSH for:

set security address-book global address SERVER1 192.168.1.11/32
set security address-book global address SERVER2 192.168.1.12/32
set security address-book global address SERVER3 192.168.1.13/32
set security address-book global address SERVER4 192.168.1.14/32
set security address-book global address SERVER5 192.168.1.15/32
set security address-book global address-set AS-SRV_LIST address SERVER1
set security address-book global address-set AS-SRV_LIST address SERVER2
set security address-book global address-set AS-SRV_LIST address SERVER3
set security address-book global address-set AS-SRV_LIST address SERVER4
set security address-book global address-set AS-SRV_LIST address SERVER5
set security address-book global address-set AS-DENY-SSH address SERVER1
set security address-book global address-set AS-DENY-SSH address SERVER3
set security address-book global address-set AS-DENY-SSH address SERVER5

## Now create your security policies - always make sure you place any DENY rules first

set security policies from-zone trust to-zone srv-frm policy DENY-SSH match source-address srv_admin_list 
set security policies from-zone trust to-zone srv-frm policy DENY-SSH match destination-address AS-DENY-SSH
set security policies from-zone trust to-zone srv-frm policy DENY-SSH match application junos-ssh
set security policies from-zone trust to-zone srv-frm policy DENY-SSH then deny
set security policies from-zone trust to-zone srv-frm policy DENY-SSH then log session-init

## Tip: there is no need to log session-close for a DENY policy, as the session will never be allowed to establish (and so there will never be a session-close event generated)

set security policies from-zone trust to-zone srv-frm policy PERMIT-SSH match source-address srv_admin_list 
set security policies from-zone trust to-zone srv-frm policy PERMIT-SSH match destination-address AS-SRV_LIST
set security policies from-zone trust to-zone srv-frm policy PERMIT-SSH match application junos-ssh
set security policies from-zone trust to-zone srv-frm policy PERMIT-SSH then permit
set security policies from-zone trust to-zone srv-frm policy PERMIT-SSH then log session-init
set security policies from-zone trust to-zone srv-frm policy PERMIT-SSH then log session-close

​

------------------------------
Cheers,

Ben Dale
JNCIE-SEC #63
JNCIP-SP
JNCIP-ENT
JNCIP-DC
------------------------------

Original Message:
Sent: 11-01-2020 03:40
From: Elevate Member
Subject: Re: 10 maximum source-address in policy match

Hi,

      What should i do, when i need to permit  ssh access to 20nos of random ip's from a huge segment.And deny everything else.

 

set security policies from-zone trust to-zone srv-frm policy srv-access match source-address srv_admin_list

set security policies from-zone trust to-zone srv-frm policy srv-access match destination-address srv_list

set security policies from-zone trust to-zone srv-frm policy srv-access match source-address-excluded

set security policies from-zone trust to-zone srv-frm policy srv-access match application junos-ssh

set security policies from-zone trust to-zone srv-frm policy srv-access then deny

set security policies from-zone trust to-zone srv-frm policy srv-access then log session-init

set security policies from-zone trust to-zone srv-frm policy srv-access then log session-close

 

 

In the "srv_admin_list" i have 10 random ip's.And these are allowed to connect.And they are working fine.But when I add more than ten it refuces to add the ip's.And getting the message the limit of source-address are 10Nos.I need 20 random IP's to be added.I was forced to use "source-address-excluded" because there is a "permit any any" statement which is used by some traffic which I dont want to disrupt.

 

Best Regards,

S.Syed