SRX


10 maximum source-address in policy match

  • 1.  10 maximum source-address in policy match

    Posted 02-05-2020 22:36

    Hi,


    I have some policies in my untrust-to-trust zones where I want to block subnets for ssh. The policy looks like

                policy UNTRUST-to-TRUST-SSH {
                    match {
                        source-address [ address1 address2 .... addressn ];
                        destination-address any;
                        source-address-excluded;
                        application junos-ssh;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                        count;
                    }
                }

    If there are more than 10 source-addresses, commits will fail. I thought I could use an address-set but if I reference an address-set, JunOS just dereferences it and still complains that I have more than 10 entries. Currently I have another policy that's exactly the same but with a different name with other source-addresses.


    Is there a more elegant way to work around this limitation?



  • 2.  RE: 10 maximum source-address in policy match
    Best Answer

    Posted 02-21-2020 03:49

    I finally took some time to look this up. Documentation at https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-address-books-sets.html#id-excluding-addresses-from-policies states


        When a range of addresses or a single address is negated, it can be divided into multiple addresses. These negated addresses are shown as a prefix or a length that requires more memory for storage on a Packet Forwarding Engine.

        ...

        A policy can contain 10 source or destination addresses.

    Using 2 rules actually didn't work because the first rule satisfied the match. What I ended up doing was to have a regular match without negation and deny, where the maximum number of address objects is 1024.

                policy UNTRUST-to-TRUST-DENY {
                    match {
                        source-address [ address-set-x ];
                        destination-address any;
                        application junos-ssh;
                    }
                    then {
                        deny;
                        log {
                            session-init;
                            session-close;
                        }
                        count;
                    }
                }


  • 3.  Re: 10 maximum source-address in policy match

    Posted 29 days ago

    Hi,

    What should I do when I need to permit SSH access to 20 random IPs from a huge segment, and deny everything else?

    set security policies from-zone trust to-zone srv-frm policy srv-access match source-address srv_admin_list
    set security policies from-zone trust to-zone srv-frm policy srv-access match destination-address srv_list
    set security policies from-zone trust to-zone srv-frm policy srv-access match source-address-excluded
    set security policies from-zone trust to-zone srv-frm policy srv-access match application junos-ssh
    set security policies from-zone trust to-zone srv-frm policy srv-access then deny
    set security policies from-zone trust to-zone srv-frm policy srv-access then log session-init
    set security policies from-zone trust to-zone srv-frm policy srv-access then log session-close

    In the "srv_admin_list" I have 10 random IPs, and these are allowed to connect, and they are working fine. But when I add more than ten it refuses to add the IPs, and I get the message that the limit of source-addresses is 10. I need 20 random IPs to be added. I was forced to use "source-address-excluded" because there is a "permit any any" statement which is used by some traffic which I don't want to disrupt.

    Best Regards,

    S.Syed



  • 4.  RE: Re: 10 maximum source-address in policy match

    Posted 12 days ago

    Hi there,

    The source-address-exclude command is quite limited - you'd be better off creating an explicit permit rule for the 20 hosts you wish to allow, and then follow it with a deny rule. I would also advise using an address-set so that you can add and remove hosts from your permit list without having to change the policy. e.g.:

    ## First, create an address-set AS-DENY-SSH containing the servers you wish to deny SSH for:
    
    set security address-book global address SERVER1 192.168.1.11/32
    set security address-book global address SERVER2 192.168.1.12/32
    set security address-book global address SERVER3 192.168.1.13/32
    set security address-book global address SERVER4 192.168.1.14/32
    set security address-book global address SERVER5 192.168.1.15/32
    set security address-book global address-set AS-SRV_LIST address SERVER1
    set security address-book global address-set AS-SRV_LIST address SERVER2
    set security address-book global address-set AS-SRV_LIST address SERVER3
    set security address-book global address-set AS-SRV_LIST address SERVER4
    set security address-book global address-set AS-SRV_LIST address SERVER5
    set security address-book global address-set AS-DENY-SSH address SERVER1
    set security address-book global address-set AS-DENY-SSH address SERVER3
    set security address-book global address-set AS-DENY-SSH address SERVER5
    
    ## Now create your security policies - always make sure you place any DENY rules first
    
    set security policies from-zone trust to-zone srv-frm policy DENY-SSH match source-address srv_admin_list 
    set security policies from-zone trust to-zone srv-frm policy DENY-SSH match destination-address AS-DENY-SSH
    set security policies from-zone trust to-zone srv-frm policy DENY-SSH match application junos-ssh
    set security policies from-zone trust to-zone srv-frm policy DENY-SSH then deny
    set security policies from-zone trust to-zone srv-frm policy DENY-SSH then log session-init
    
    ## Tip: there is no need to log session-close for a DENY policy, as the session will never be allowed to establish (and so there will never be a session-close event generated)
    
    set security policies from-zone trust to-zone srv-frm policy PERMIT-SSH match source-address srv_admin_list 
    set security policies from-zone trust to-zone srv-frm policy PERMIT-SSH match destination-address AS-SRV_LIST
    set security policies from-zone trust to-zone srv-frm policy PERMIT-SSH match application junos-ssh
    set security policies from-zone trust to-zone srv-frm policy PERMIT-SSH then permit
    set security policies from-zone trust to-zone srv-frm policy PERMIT-SSH then log session-init
    set security policies from-zone trust to-zone srv-frm policy PERMIT-SSH then log session-close
    


    ------------------------------
    Cheers,

    Ben Dale
    JNCIE-SEC #63
    JNCIP-SP
    JNCIP-ENT
    JNCIP-DC
    ------------------------------
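As an added illustration for the two answers above (it is not code from this thread or from Juniper), here is a small Python checker that mirrors the limit the accepted answer quotes: it reads Junos "set" lines, dereferences address-sets the way the commit check does, and flags any policy that combines source-/destination-address-excluded with more than 10 expanded entries, while a plain (non-negated) match is allowed up to 1024. The sample config and its names (srv_admin_list, ADMIN1..ADMIN20, srv-access, PERMIT-SSH) are constructed for the example.

```python
import re
from collections import defaultdict

MAX_NEGATED, MAX_PLAIN = 10, 1024   # limits quoted in the thread: with *-excluded vs. plain match

SET_RE = re.compile(r"^set security address-book global address-set (\S+) address (\S+)$")
POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) match "
    r"(source-address-excluded|destination-address-excluded|source-address|destination-address)(?: (\S+))?$")

def expand(name, sets):
    # Dereference an address-set (nested sets allowed) into leaf address names, as the commit check does.
    if name not in sets:
        return {name}
    return set().union(*(expand(member, sets) for member in sets[name]))

def check_policies(config_lines):
    """Return (policy, side, expanded_count, limit) for every match that would exceed its limit."""
    sets = defaultdict(list)
    policies = defaultdict(lambda: {"source": set(), "destination": set(), "negated": set()})
    for line in config_lines:
        s, p = SET_RE.match(line.strip()), POLICY_RE.match(line.strip())
        if s:
            sets[s.group(1)].append(s.group(2))
        if not p:
            continue
        key, field, value = p.group(1, 2, 3), p.group(4), p.group(5)
        side = field.split("-")[0]                   # "source" or "destination"
        if field.endswith("-excluded"):
            policies[key]["negated"].add(side)       # negating a side drops its limit to 10
        else:
            policies[key][side].add(value)
    problems = []
    for key, pol in policies.items():
        for side in ("source", "destination"):
            count = len(set().union(*(expand(a, sets) for a in pol[side])))
            limit = MAX_NEGATED if side in pol["negated"] else MAX_PLAIN
            if count > limit:
                problems.append((key[2], side, count, limit))
    return problems

# Constructed sample (hypothetical names): 20 hosts in one set, matched negated (fails) and plain (fine).
PREFIX = "set security policies from-zone trust to-zone srv-frm policy "
SAMPLE = [f"set security address-book global address-set srv_admin_list address ADMIN{i}" for i in range(1, 21)]
SAMPLE += [PREFIX + "srv-access match source-address srv_admin_list",
           PREFIX + "srv-access match destination-address any",
           PREFIX + "srv-access match source-address-excluded",
           PREFIX + "PERMIT-SSH match source-address srv_admin_list",
           PREFIX + "PERMIT-SSH match destination-address any"]
```

Running `check_policies(SAMPLE)` reports only the negated srv-access policy (20 expanded source addresses against a limit of 10); the plain PERMIT-SSH policy with the same address-set passes.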