Security

Hi folks,

While testing firewall policies in isolated environment, I faced with a very strange behavior of the firewall.

So, when a traditional security policy is created, from-zone and to-zone is specified. When it is checked with "show security match-policies", it shows that it is working.

But when the same policy is moved to global context (with addition of from-zone and to-zone), it matches to default deny policy, not global policy.

Here is how zone-based policy looks like.

set security address-book global address private-corp 172.16.0.0/16

set security policies from-zone TRUST to-zone UNTRUST policy trust-to-corp match source-address any
set security policies from-zone TRUST to-zone UNTRUST policy trust-to-corp match destination-address private-corp
set security policies from-zone TRUST to-zone UNTRUST policy trust-to-corp match application any
set security policies from-zone TRUST to-zone UNTRUST policy trust-to-corp then permit
set security policies from-zone TRUST to-zone UNTRUST policy trust-to-internet match source-address any
set security policies from-zone TRUST to-zone UNTRUST policy trust-to-internet match destination-address any
set security policies from-zone TRUST to-zone UNTRUST policy trust-to-internet match application junos-http
set security policies from-zone TRUST to-zone UNTRUST policy trust-to-internet match application junos-https
set security policies from-zone TRUST to-zone UNTRUST policy trust-to-internet then permit

And this is how it looks when it is moved to global context.

set security policies global policy trust-to-corp match source-address any
set security policies global policy trust-to-corp match destination-address private-corp
set security policies global policy trust-to-corp match application any
set security policies global policy trust-to-corp match from-zone TRUST
set security policies global policy trust-to-corp match to-zone UNTRUST
set security policies global policy trust-to-corp then permit
set security policies global policy trust-to-internet match source-address any
set security policies global policy trust-to-internet match destination-address any
set security policies global policy trust-to-internet match application junos-http
set security policies global policy trust-to-internet match application junos-https
set security policies global policy trust-to-internet match from-zone TRUST
set security policies global policy trust-to-internet match to-zone UNTRUST
set security policies global policy trust-to-internet then permit

==============================================================================

And below is the output of "show security match-policies from-zone TRUST to-zone UNTRUST source-ip 192.168.10.1 destination-ip 172.16.100.1 protocol tcp source-port 80 destination-port 80"

Policy: trust-to-corp, action-type: permit, services-offload:not-configured , State: enabled, Index: 4
0
  Policy Type: Configured
  Sequence number: 1
  From zone: TRUST, To zone: UNTRUST
  Source vrf group:
    any
  Destination vrf group:
    any
  Source addresses:
    any-ipv4(global): 0.0.0.0/0 
    any-ipv6(global): ::/0
  Destination addresses:
    private-corp(global): 172.16.0.0/16
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
      Source port range: [0-0] 
      Destination ports: [0-0]
  Source identity feeds:
    any
  Destination identity feeds:
    any
  Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No

==========================================================================

Same input, but now with global policy.

Policy: Default-Policy, action-type: deny-all, State: enabled, Index: 2
  Sequence number: 2

Any ideas, what could be wrong?

For your global policies to work there has to be zero potential matches in standard zone to zone policies.  If any existing standard zone to zone policy is possible they take priority.  So you need to remove all the standard zone to zone matches to avoid hitting that default deny rule.

Note this paragraph from the Global policy documentation:

When policy lookup is performed, policies are checked in the following order: intra-zone (trust-to-trust), inter-zone (trust-to-untrust), then global. Similar to regular policies, global policies in a context are ordered, such that the first matched policy is applied to the traffic.

https://www.juniper.net/documentation/us/en/software/junos/security-policies/topics/topic-map/security-global-policies.html

Hi folks,

While testing firewall policies in isolated environment, I faced with a very strange behavior of the firewall.

So, when a traditional security policy is created, from-zone and to-zone is specified. When it is checked with "show security match-policies", it shows that it is working.

But when the same policy is moved to global context (with addition of from-zone and to-zone), it matches to default deny policy, not global policy.

Here is how zone-based policy looks like.

set security address-book global address private-corp 172.16.0.0/16

set security policies from-zone TRUST to-zone UNTRUST policy trust-to-corp match source-address any
set security policies from-zone TRUST to-zone UNTRUST policy trust-to-corp match destination-address private-corp
set security policies from-zone TRUST to-zone UNTRUST policy trust-to-corp match application any
set security policies from-zone TRUST to-zone UNTRUST policy trust-to-corp then permit
set security policies from-zone TRUST to-zone UNTRUST policy trust-to-internet match source-address any
set security policies from-zone TRUST to-zone UNTRUST policy trust-to-internet match destination-address any
set security policies from-zone TRUST to-zone UNTRUST policy trust-to-internet match application junos-http
set security policies from-zone TRUST to-zone UNTRUST policy trust-to-internet match application junos-https
set security policies from-zone TRUST to-zone UNTRUST policy trust-to-internet then permit

And this is how it looks when it is moved to global context.

set security policies global policy trust-to-corp match source-address any
set security policies global policy trust-to-corp match destination-address private-corp
set security policies global policy trust-to-corp match application any
set security policies global policy trust-to-corp match from-zone TRUST
set security policies global policy trust-to-corp match to-zone UNTRUST
set security policies global policy trust-to-corp then permit
set security policies global policy trust-to-internet match source-address any
set security policies global policy trust-to-internet match destination-address any
set security policies global policy trust-to-internet match application junos-http
set security policies global policy trust-to-internet match application junos-https
set security policies global policy trust-to-internet match from-zone TRUST
set security policies global policy trust-to-internet match to-zone UNTRUST
set security policies global policy trust-to-internet then permit

==============================================================================

And below is the output of "show security match-policies from-zone TRUST to-zone UNTRUST source-ip 192.168.10.1 destination-ip 172.16.100.1 protocol tcp source-port 80 destination-port 80"

Policy: trust-to-corp, action-type: permit, services-offload:not-configured , State: enabled, Index: 4
0
  Policy Type: Configured
  Sequence number: 1
  From zone: TRUST, To zone: UNTRUST
  Source vrf group:
    any
  Destination vrf group:
    any
  Source addresses:
    any-ipv4(global): 0.0.0.0/0 
    any-ipv6(global): ::/0
  Destination addresses:
    private-corp(global): 172.16.0.0/16
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
      Source port range: [0-0] 
      Destination ports: [0-0]
  Source identity feeds:
    any
  Destination identity feeds:
    any
  Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No

==========================================================================

Same input, but now with global policy.

Policy: Default-Policy, action-type: deny-all, State: enabled, Index: 2
  Sequence number: 2

Any ideas, what could be wrong?