Discussion Post
Firewall Security Policies. Unified Security Policies and Advanced Security Services

Hi Everyone, May I ask the exact flow or prioritization of security policies?


Discussion Thread 3
Firewall Security Policies. Unified Security Policies and Advanced Security Services

However, the policy that I created was not getting hits even though it is placed at the top. Also, I'm getting confused about how the Juniper SRX processes its security rules if a unified security policy is placed at rule #1 (top rule) and advanced security services (UTM, SSL Proxy) are placed at rule #2.


Discussion Post
reordering security policy's in different configuration groups

Hi, I have two security policies currently configured under the same from and to zones, for example trust-zone and untrust-zone. One of the policies is attached to a group, for example "3rdparty"; the other has no group attached to it. When I try to use the "insert before" option while editing the config under the group "3rdparty", it does not show the policy that is not within the group, and vice versa. https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-reordering-policies.html

My question: is there an option for reordering policies in different groups, or a policy not in a group for that matter?

root> show security policies
Default policy: deny-all
From zone: trust, To zone: untrust
  Policy: deny-all-log, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: deny, log
  Policy: basic-permit, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 2
    Source addresses: any
    Destination addresses: any
    Applications: junos-icmp-ping
    Action: permit, log

set groups lab security policies from-zone trust to-zone untrust policy basic-permit match source-address any
set groups lab security policies from-zone trust to-zone untrust policy basic-permit match destination-address any
set groups lab security policies from-zone trust to-zone untrust policy basic-permit match application junos-icmp-ping
set groups lab security policies from-zone trust to-zone untrust policy basic-permit then permit
set groups lab security policies from-zone trust to-zone untrust policy basic-permit then log session-init
set security policies from-zone trust to-zone untrust policy deny-all-log match source-address any
set security policies from-zone trust to-zone untrust policy deny-all-log match destination-address any
set security policies from-zone trust to-zone untrust policy deny-all-log match application any
set security policies from-zone trust to-zone untrust policy deny-all-log then deny
set security policies from-zone trust to-zone untrust policy deny-all-log then log session-init

#groups #securitypolicy #reorder #sequence #SRX


Blog Entry
How-To: Configuring Integrated User Firewall Using Security Director

As part of this feature, an administrator will be able to define policies and permit/deny based on the user logging into the network. This article explains how Junos Space Security Director is used to configure user firewall in security policies.


Blog Entry
Scripting How-To: Move 'any/any' reject or deny term to the last term

Many security policy lists have a blanket reject/deny term as their last term, so that if nothing matches the previous terms, the traffic is not allowed.



Blog Entry
How do I enforce a login-based CLI access from an authorized subnet only?

The check-cli-acl script restricts the CLI access to logins from an authorized subnet only. This can be easily extended to multiple subnets to use 0.0.0.0/32 to deny any access. It uses jcs:parse-ip extension function. Read the document: check-cli-acl #security #How-To #cli ...


Discussion Post
IPSEC between SRX and Fortinet not coming up

Please help.

set system root-authentication encrypted-password "$1$CBYD0bv7$aJZtFlHQHZcjMDDi5F9ab1"
set system services ssh
set system services web-management http interface ge-0/0/0.0
set system services web-management http interface ge-0/0/1.0
set system services web-management https pki-local-certificate 12345
set system services web-management https interface ge-0/0/1.0
set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces ge-0/0/0 unit 0
set interfaces ge-0/0/1 description TO FORTINET
set interfaces ge-0/0/1 unit 0 family inet address 192.168.86.3/24
set interfaces ge-0/0/2 description TO R4
set interfaces ge-0/0/2 unit 0 family inet address 23.0.0.1/24
set interfaces st0 unit 0 family inet
set routing-options static route 2.2.2.2/32 next-hop 23.0.0.2
set security ike traceoptions file IKE
set security ike traceoptions file size 10k
set security ike traceoptions file files 2
set security ike traceoptions flag all
set security ike proposal AES256-SHA256-DH2 authentication-method pre-shared-keys
set security ike proposal AES256-SHA256-DH2 dh-group group2
set security ike proposal AES256-SHA256-DH2 authentication-algorithm sha-256
set security ike proposal AES256-SHA256-DH2 encryption-algorithm des-cbc
set security ike proposal AES256-SHA256-DH2 lifetime-seconds 28800
set security ike policy ike01-DUB-Three mode aggressive
set security ike policy ike01-DUB-Three proposals AES256-SHA256-DH2
set security ike policy ike01-DUB-Three pre-shared-key ascii-text "$9$b9soJUjHm5QDjp01RSyoJZGqm69At0B"
set security ike gateway ike01-DUB-Three ike-policy ike01-DUB-Three
set security ike gateway ike01-DUB-Three address 192.168.86.4
set security ike gateway ike01-DUB-Three local-identity inet 192.168.86.3
set security ike gateway ike01-DUB-Three external-interface ge-0/0/1.0
set security ike gateway ike01-DUB-Three version v2-only
set security ipsec proposal AES256-SHA256-PFS protocol esp
set security ipsec proposal AES256-SHA256-PFS authentication-algorithm hmac-sha1-96
set security ipsec proposal AES256-SHA256-PFS encryption-algorithm des-cbc
set security ipsec proposal AES256-SHA256-PFS lifetime-seconds 3600
set security ipsec policy ipsec01-DUB-Three perfect-forward-secrecy keys group2
set security ipsec policy ipsec01-DUB-Three proposals AES256-SHA256-PFS
set security ipsec vpn vpn01-DUB-Three bind-interface st0.0
set security ipsec vpn vpn01-DUB-Three df-bit clear
set security ipsec vpn vpn01-DUB-Three ike gateway ike01-DUB-Three
set security ipsec vpn vpn01-DUB-Three ike proxy-identity local 1.1.1.1/32
set security ipsec vpn vpn01-DUB-Three ike proxy-identity service any
set security ipsec vpn vpn01-DUB-Three ike ipsec-policy ipsec01-DUB-Three
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security zones security-zone trust tcp-rst
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services ping
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services http
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services snmp
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ike

config vpn ipsec phase1-interface
    edit "ike01-DUB-Three"
        set interface "port2"
        set ike-version 2
        set local-gw 192.168.86.4
        set keylife 28800
        set peertype any
        set net-device disable
        set proposal des-md5 des-sha256
        set comments "ike01-DUB-Three"
        set dhgrp 2
        set remote-gw 192.168.86.3
        set psksecret ENC aGBmGGUZbROTSqjPLFzg6E5DGdFjhYuySFrv99s0NsQ3cJvYzW9sjkEANCZ22HyyNTLY+qnDMWxuE6xPKKu8FAnCO11UggEOQWKSH4gfZIl8jEl8u/dZ1Xc/ChSPaGXT7Ch/mFpQwkoR/HX/2CpOc8IDiQ806LhcyQ4edqlLrzTm+A+G/02qHXipb+bYiUUwA7uhpg==
    next
end

FORTINET # show vpn ipsec phase2-interface
config vpn ipsec phase2-interface
    edit "ike01-DUB-Three"
        set phase1name "ike01-DUB-Three"
        set proposal des-md5 des-sha1
        set pfs disable
        set comments "ike01-DUB-Three"
        set src-addr-type ip
        set dst-addr-type ip
        set keylifeseconds 3600
        set src-start-ip 1.1.1.1
        set dst-start-ip 2.2.2.2
    next
end

#SRX #ospf #ike #IPSec #ISIS #security


Discussion Post
Firewall rules for security director

Do I need to add a rule on the SRX so it comes from the relevant zone to the Junos-host in the policy base?


Discussion Post
Backup Security Director installation?

I do this at the moment with Checkpoint: the primary and secondary servers have a heartbeat link ... if the primary goes down, then the secondary realises it and makes itself the primary to push out firewall policies to the gateways.