SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  address book

    This message was posted by a user wishing to remain anonymous
    Posted 10-07-2022 14:24

    Hi everyone!

    Could you please explain to me when we use the address book and what it is exactly? I can't imagine it, like what it is used for.
    For example, I did my source NAT policy so that my PC can access the internet, and then I was told to create an address book for my PC network, so that only my PC can access the internet with my Ethernet cable and not another user's PC, but I can't understand why we did it and how it works with my NAT policy.
    Here is the configuration: 

    set security address-book global address HQ_net 192.168.2.0/24

    set security nat source rule-set source_nat from zone hq
    set security nat source rule-set source_nat to zone internet
    set security nat source rule-set source_nat rule r1 match source-address 192.168.2.0/24
    set security nat source rule-set source_nat rule r1 match destination-address 172.16.254.0/24
    set security nat source rule-set source_nat rule r1 then source-nat interface

    set security policies from-zone hq to-zone internet policy hq_internet_permit match source-address hq_net
    set security policies from-zone hq to-zone internet policy hq_internet_permit match destination-address hq_net
    set security policies from-zone hq to-zone internet policy hq_internet_permit match application junos-http
    set security policies from-zone hq to-zone internet policy hq_internet_permit then permit
    set security policies from-zone hq to-zone internet policy hq_internet_permit then log session-close

    set security policies from-zone hq to-zone internet policy hq_internet_deny match source-address any
    set security policies from-zone hq to-zone internet policy hq_internet_deny match destination-address any
    set security policies from-zone hq to-zone internet policy hq_internet_deny match application any
    set security policies from-zone hq to-zone internet policy hq_internet_deny then deny
    set security policies from-zone hq to-zone internet policy hq_internet_deny then log session-init


  • 2.  RE: address book

    Posted 10-08-2022 06:23
    The security policy seems incorrect.
    set security policies from-zone hq to-zone internet policy hq_internet_permit match source-address hq_net
    set security policies from-zone hq to-zone internet policy hq_internet_permit match destination-address hq_net

    should be

    set security policies from-zone hq to-zone internet policy hq_internet_permit match source-address hq_net
    set security policies from-zone hq to-zone internet policy hq_internet_permit match destination-address any

    The address book and address set items are used in security policy but NOT in nat policy.  They are created per zone to identify which devices would be affected by the policy created.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: address book

    Posted 10-10-2022 08:36
    Edited by itsuki kamado 10-10-2022 10:19
    Hello,

    If I understood well, we use the address book just to identify which policy will be applied on which devices.

    Can you please explain to me each policy's utility so that I can understand it well?

    Thank you very much


    ------------------------------
    sakura aiss
    ------------------------------



  • 4.  RE: address book

    Posted 10-10-2022 08:41
    The policy is written from the perspective of the device that starts a network connection.

    From zone is the security zone where the source of the initial communications happens.  In this case the hq zone and subnet of computers accessing the internet.

    To zone is the security zone where the destination address exists that the hq subnet is trying to reach.  This needs to be any if you want the entire internet to be usable for http in the policy.  Likely you also want https here as well, since most web sites use this protocol now.

    The to zone address will NOT be the hq subnet since that subnet does not exist on the internet but only on the hq zone.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------
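As an added illustration of the two answers above (this is editor-written example code, not configuration or code from the thread or from Juniper), the following is a minimal first-match model of how an SRX evaluates from-zone/to-zone security policies against address-book entries. It replays the poster's hq-to-internet policies as posted (destination-address hq_net) and as corrected (destination-address any); the client 192.168.2.10 and the public destination 203.0.113.10 are constructed values.

```python
"""Added example (not code from the thread): a minimal first-match model of how
an SRX evaluates from-zone/to-zone security policies against address-book
entries. It replays the original poster's hq->internet policies as posted
(destination-address hq_net) and as corrected (destination-address any).
Zone names, subnets and the permit/deny rules come from the thread; the
client 192.168.2.10 and destination 203.0.113.10 are constructed."""
import ipaddress

# Global address book (set security address-book global address ...).
ADDRESS_BOOK = {"hq_net": ipaddress.ip_network("192.168.2.0/24")}

def resolve(term):
    """Map a policy match term to networks; 'any' covers every address."""
    if term == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    return [ADDRESS_BOOK[term]]  # KeyError = address-book entry not defined

def matches(term, addr):
    return any(ipaddress.ip_address(addr) in net for net in resolve(term))

def evaluate(policies, from_zone, to_zone, src, dst, app):
    """Return (name, action) of the first policy matching the flow. Policies
    are ordered as in Junos; no match falls through to the default deny."""
    for p in policies:
        if (p["from"], p["to"]) != (from_zone, to_zone):
            continue
        if (matches(p["src"], src) and matches(p["dst"], dst)
                and p["app"] in (app, "any")):
            return p["name"], p["action"]
    return "default-policy", "deny"

def hq_policies(destination_term):
    """The thread's hq->internet policy pair, parameterised on the permit
    rule's destination-address: 'hq_net' as posted, 'any' as corrected."""
    return [
        {"name": "hq_internet_permit", "from": "hq", "to": "internet",
         "src": "hq_net", "dst": destination_term, "app": "junos-http",
         "action": "permit"},
        {"name": "hq_internet_deny", "from": "hq", "to": "internet",
         "src": "any", "dst": "any", "app": "any", "action": "deny"},
    ]

if __name__ == "__main__":
    # An HQ client browsing a public web server: the destination is not in
    # hq_net, so the posted policy never permits it and the deny rule logs it.
    flow = ("hq", "internet", "192.168.2.10", "203.0.113.10", "junos-http")
    print("as posted:", evaluate(hq_policies("hq_net"), *flow))
    print("corrected:", evaluate(hq_policies("any"), *flow))
```

The model also shows why the address book matters only to the policy: swapping the source to an address outside hq_net, or the application to one the permit rule does not list, drops the flow into hq_internet_deny regardless of any NAT rule.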



  • 5.  RE: address book

    Posted 10-10-2022 10:19
    Thank you very much !

    ------------------------------
    sakura aiss
    ------------------------------



  • 6.  RE: address book

    Posted 10-15-2022 06:09
    Hi, 

    Thanks for your quick reply !

    I have both interfaces in the Trust zone (I needed to put the Internet zone as trust to allow me to ssh to the device). There is no HQ zone (this is purely a learning / test device).

    john@JohnSRX# show security zones security-zone trust ?
    Possible completions:
    <[Enter]> Execute this command
    > address-book Address book entries
    > advance-policy-based-routing-profile Enable Advance Policy Based Routing on this zone
    application-tracking Enable Application tracking support for this zone
    + apply-groups Groups from which to inherit configuration data
    + apply-groups-except Don't inherit configuration data from these groups
    description Text description of zone
    enable-reverse-reroute Enable Reverse route lookup when there is change in ingress interface
    > host-inbound-traffic Allowed system services & protocols
    > interfaces Interfaces that are part of this zone
    screen Name of ids option object applied to the zone
    source-identity-log Show user and group info in session log for this zone
    tcp-rst Send RST for NON-SYN packet not matching TCP session
    | Pipe through a command
    [edit]
    john@JohnSRX# show security zones security-zone trust address-book
    address network_100 192.168.10.0/24;

    [edit]
    john@JohnSRX# show security zones
    security-zone trust {
        address-book {
            address network_100 192.168.10.0/24;
        }
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            irb.0;
            ge-0/0/6.0 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
            }
            ge-0/0/1.0;
            lo0.0;
            ge-0/0/0.0;
        }
    }
    security-zone untrust {
        screen untrust-screen;
        interfaces {
            ge-0/0/7.0 {
                host-inbound-traffic {
                    system-services {
                        dhcp;
                        tftp;
                    }
                }
            }
            dl0.0 {
                host-inbound-traffic {
                    system-services {
                        tftp;
                    }
                }
            }
        }
    }

    [edit]
    john@JohnSRX# show security zones security-zone trust address-book
    address network_100 192.168.10.0/24;

    [edit]
    john@JohnSRX# show security address-book

    [edit]
    john@JohnSRX#

    Do I need to add my home network 192.168.0.0/24 to the address book?
    I spent a fair bit of time thinking NAT wasn't working; only when I put a laptop on to do a traceroute did I find it does work, just not from the SVI 192.168.10.1.

    I can console on if I need to move the internet port to untrust.
    Internet port: ge-0/0/0.0
    LAN port: ge-0/0/1.0



    ------------------------------
    John Kinnaird
    ------------------------------



  • 7.  RE: address book

    Posted 10-15-2022 07:19
    Edited by spuluka 10-15-2022 07:21
    SSH to a Junos interface
    SSH being allowed in the SRX firewall is based on the zone configuration itself allowing ssh (or all) under system services:

    security zones security-zone trust host-inbound-traffic system-services

    So you could just add ssh here in the untrust zone to permit that process instead of moving the interface from one zone to another.

    Naturally, being a security person, one would never turn on ssh access to a device open to all on the public internet, only in our labs.

    Self Traffic concept
    Traffic that either terminates to the SRX or originates from the SRX is assigned to the junos-host zone.  So any policy that would be created (security or nat) would be to this zone.  

    Typically security just uses the host-inbound-traffic in general to permit what is needed but security policy would be created to narrow that using junos-host.

    Typically nat is not needed.  When requesting outbound connections on the SRX, you simply make the ping/trace/ssh request and the SRX will automatically select the interface on the SRX facing that traffic as the source address, and no nat is needed.

    https://www.juniper.net/documentation/us/en/software/junos/security-policies/topics/topic-map/security-zone-configuration.html



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 8.  RE: address book

    Posted 10-16-2022 07:13
    Steve,

    "Typically nat is not needed.  When requesting outbound connections on the SRX you simply make the ping/trace/ssh request and the SRX will automatically select the interface on the SRX facing that traffic as the source address and no nat is needed."


    I tried that initially, but as my home router doesn't know about the 192.168.10.0 network I had assumed that NAT was needed. I can't remember if I tried it with a laptop connected, but I assume that would not be the case for the Junos host interface 192.168.10.1.

    There was no way of adding a next-hop address to the 192.168.10.0 network on my home router! So it may just drop the ICMP reply.

    I may blow this config away and start again from scratch! I only put OSPF on as we had a customer that was getting a line upgrade and I wanted to check the SFPs and cable were working before I got to site, so I thought I'd try setting up OSPF to verify they worked and learn a bit about Junos OSPF.

    Thanks again for all your help - I know a little more about Junos now!

    ------------------------------
    John Kinnaird
    ------------------------------



  • 9.  RE: address book

    Posted 10-16-2022 14:48
    If you had the SRX connected to a home router with internet access, then I assume one interface (probably the untrust one) was connected to the internal LAN of the home router and getting dhcp.

    If so, when you make the public ping request on the SRX without any source the SRX would select the interface ip connected to your home router as the source since the default route points there and it would be the egress interface.  So no NAT would be needed.

    It would NOT select the downstream 192.168.10.1/24 interface for source unless specifically told to use that one.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 10.  RE: address book

    Posted 10-17-2022 06:48

    Yes - that's correct, I used a static address, mask and gateway as that's probably what is more likely to be the case in the real world!

    That's when I tried to get the other interfaces to be able to access the internet, which I now know were in the Junos host zone!

    I'm a field engineer and often have to install routers. Sometimes, if they don't work, I can use Teams to get one of the network engineers to access it, but sometimes there's no WiFi, it's phone mobile broadband (which is sometimes problematic); on one occasion there was no signal at all!

    Hence the reason I'm trying to learn a bit about Junipers! More often than not it's a line issue, but we have to prove that to the telco (some are better than others).

    Thanks again for your help though

    ------------------------------
    John Kinnaird
    ------------------------------