addresses set by dns-name & security policy

  • 1.  addresses set by dns-name & security policy

    Posted 09-18-2017 07:45

    Hello,

    We are just moving from SRX210HE (JunOS 12.1X46-D65) to SRX300 (JunOS 15.1X49-D90) and unfortunately found out that addresses set as 'dns-name' are not correctly used/recognized inside security policies, e.g.

    root@SRX300-1> show configuration security zones security-zone untrust address-book
    address TEST-SourceAddress {
        dns-name www.juniper.net;
    }


    The interesting thing is that when listing this policy with general information the 'problematic' address is reported, but when listing it with detail there is no mention of it:


    root@SRX300-1> show security policies policy-name TEST
    From zone: untrust, To zone: trust
      Policy: TEST, State: enabled, Index: 23, Scope Policy: 0, Sequence number: 6
        Source addresses: TEST-SourceAddress
        Destination addresses:TEST-DestinationAddress
        Applications: any
        Action: permit

    root@SRX300-1> show security policies policy-name TEST detail
    Policy: TEST, action-type: permit, State: enabled, Index: 23, Scope Policy: 0
      Policy Type: Configured
      Sequence number: 6
      From zone: untrust, To zone: trust
      Destination addresses:
        TEST-DestinantionAddress: 192.168.0.100/32
      Application: any
        IP protocol: 0, ALG: 0, Inactivity timeout: 0
          Source port range: [0-0]
          Destination port range: [0-0]
      Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No

    TEST-SourceAddress is of course correctly resolved on the SRX300 device, and is also present in the local dns-cache:

    root@SRX300-1> show security dns-cache
    DNS Name: www.juniper.net
    DNS entry number: 1

    ---
    Best Regards



  • 2.  RE: addresses set by dns-name & security policy

    Posted 09-18-2017 10:39

    Hi,

    Can you check if the DNS server is reachable through a custom routing instance in your setup?


    Please provide the output of the following commands from operational mode:
    show configuration system name-server
    show route <DNS server ip address>
    show route forwarding-table destination < dns server ip address>

    show security dns-cache




  • 3.  RE: addresses set by dns-name & security policy

    Posted 09-20-2017 08:46

    Dear Kinshukc,


    Yes, for sure all DNS servers are reachable: all tools launched from 'inside' this device successfully resolve IPs from DNS names, in all routing instances we've configured.



  • 4.  RE: addresses set by dns-name & security policy

    Posted 09-18-2017 11:05

    With the newer software version, the address/address sets are configured under the global address hierarchy and then attached to the relevant zone. That could be the issue. It does support dns-name addresses.



  • 5.  RE: addresses set by dns-name & security policy

    Posted 09-20-2017 08:50

    Dear lyndidon,


    Global Address book, maybe, but we're still using zone-based address books.




  • 6.  RE: addresses set by dns-name & security policy

    Posted 09-20-2017 09:07

    Dear All,


    We found a solution, or rather Juniper did it ;) in the newest Junos 15.1X49-D110, which was released just this month.


    "On SRX Series devices, DNS cache is not getting populated in multiple virtual router (VR) environments. When doing recursive route lookup in different routing instances, the route to the DNS server would be ignored in one of the following scenarios: If the route points to an interface not in the same routing instance or the route points to another routing instance. Conversely if one of the VRs has a route for the DNS, pointing to a wrong interface in the same routing instance, further lookup in other routing instances would not occur."


    -> https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR1275792


    Anyway, thank you both for your interest, suggestions and willingness to help.
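To make the PR text above concrete, here is a small constructed model of the two lookup failures it describes (a route that points at another routing instance or at an interface owned by another instance being ignored, and a route to an unusable interface in the same instance stopping the search). This is added illustration code, not Junos source or anything from the thread; the routing instances, interface names, the DNS server address 10.1.1.53 and the "buggy" versus "fixed" rules are all assumptions derived from the one-paragraph PR description. It is useful as a checklist when reviewing a multi-VR design: if the only path to the name server is an indirect or leaked route, the pre-D110 behaviour leaves the DNS cache empty and every dns-name address in a policy silently matches nothing.

```python
"""Constructed model of the DNS-server route lookup behaviour in PR1275792.

Not Junos code: the tables, interface ownership and the 'buggy'/'fixed'
rules are assumptions made from the PR text quoted in the thread.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Route:
    prefix: str                       # e.g. "10.1.1.0/24"
    interface: Optional[str] = None   # outgoing interface, if direct
    next_table: Optional[str] = None  # set when the route points to another instance


@dataclass
class Interface:
    instance: str   # routing instance that owns the interface
    up: bool = True # False models the PR's "wrong interface" (unusable exit)


def longest_match(routes: List[Route], ip: str) -> Optional[Route]:
    """Longest-prefix match inside one routing instance's table."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def resolve_dns_route(tables: Dict[str, List[Route]], interfaces: Dict[str, Interface],
                      dns_ip: str, fixed: bool) -> Optional[Tuple[str, str]]:
    """Walk the instances in order and return (instance, interface) the DNS
    query would leave through, or None when the lookup gives up (empty cache).
    """
    for name, routes in tables.items():
        route = longest_match(routes, dns_ip)
        if route is None:
            continue
        # PR case: the route points to another routing instance.
        if route.next_table is not None:
            if not fixed:
                continue  # buggy: indirect route is ignored
            target = longest_match(tables.get(route.next_table, []), dns_ip)
            if target and target.interface and interfaces[target.interface].up:
                return (route.next_table, target.interface)
            continue
        iface = interfaces.get(route.interface)
        if iface is None:
            continue
        # PR case: the interface belongs to a different routing instance.
        if iface.instance != name:
            if not fixed:
                continue  # buggy: ignored
            if iface.up:
                return (name, route.interface)
            continue
        # PR case: route exists in this instance but exits a "wrong" interface.
        if not iface.up:
            if not fixed:
                return None  # buggy: no further instances are consulted
            continue         # fixed: keep looking in the other instances
        return (name, route.interface)
    return None


# --- constructed sample topology (assumptions, not from the thread) ---
INTERFACES = {
    "ge-0/0/0.0": Interface(instance="inet.0", up=True),
    "ge-0/0/1.0": Interface(instance="inet.0", up=False),   # the "wrong interface"
    "ge-0/0/2.0": Interface(instance="CUST-A", up=True),
}
DNS_SERVER = "10.1.1.53"  # constructed name-server address

# Scenario 1: default instance holds a leaked route whose interface lives in
# CUST-A, and CUST-A only has a route pointing back at inet.0.
SCENARIO_OTHER_INSTANCE = {
    "inet.0": [Route("10.1.1.0/24", interface="ge-0/0/2.0")],
    "CUST-A": [Route("10.0.0.0/8", next_table="inet.0")],
}

# Scenario 2: default instance has a default route out of an unusable interface;
# the usable route is in another VR.
SCENARIO_WRONG_IFACE = {
    "inet.0": [Route("0.0.0.0/0", interface="ge-0/0/1.0")],
    "CUST-A": [Route("10.1.1.0/24", interface="ge-0/0/2.0")],
}

if __name__ == "__main__":
    for label, tables in (("other-instance", SCENARIO_OTHER_INSTANCE),
                          ("wrong-interface", SCENARIO_WRONG_IFACE)):
        for fixed in (False, True):
            print(label, "fixed" if fixed else "buggy",
                  resolve_dns_route(tables, INTERFACES, DNS_SERVER, fixed))
```

Run the file directly to see each scenario resolve under both rule sets; a `None` result corresponds to the empty `show security dns-cache` output that leaves a dns-name address with no members.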



  • 7.  RE: addresses set by dns-name & security policy

    Posted 09-20-2017 11:46

    Good job. Thank you for updating the solution. Mark yours as the resolution.