Overview

In this lab, you will implement features of the AppSecure suite.
You will begin by configuring AppID and AppFW features to protect the server against application-layer attacks.
Then, you will configure a custom application signature to restrict access to certain sections of the server.
Next, you will configure AppTrack to monitor FTP exchanges between the client and the server.
Finally, you will configure APBR to route traffic based on the application in use.

By completing this lab, you will perform the following tasks:
• Configure and monitor AppID and AppFW features.
• Configure and use custom application signatures.
• Configure and monitor AppTrack.
• Configure and monitor APBR.
Task | Notes
---|---
Configure and monitor AppID and AppFW features. | Allow traffic in (to the local server): HTTP on ports 80 and 8080, plus DNS over TCP and UDP
Configure and use custom application signatures. |
Configure and monitor AppTrack. | Monitor FTP traffic
Configure and monitor APBR. |
Part 1: lab config

lab@vSRX-1# show | display set
set version 15.1X49-D90.7
set system host-name vSRX-1
set system root-authentication encrypted-password "$5$wLJg.4U3$CKyEttCSIQEJMc65XcP1VSeqM.tFF5yOxs6oQpxsy0."
set system login user lab uid 2000
set system login user lab class super-user
set system login user lab authentication encrypted-password "$5$s6Wv7AVW$eNGzs/eoTLe6mr7/tZhlRpTSShhqcWav5uHO1/oWWW6"
set system services ssh
set system services web-management http interface fxp0.0
set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system syslog file AppSecure-log any any
set system syslog file AppSecure-log match RT_FLOW
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set security policies global policy Untrust-HTTP match source-address any
set security policies global policy Untrust-HTTP match destination-address any
set security policies global policy Untrust-HTTP match application junos-http
set security policies global policy Untrust-HTTP match application custom-http-8080
set security policies global policy Untrust-HTTP match from-zone Untrust
set security policies global policy Untrust-HTTP match to-zone Server
set security policies global policy Untrust-HTTP then permit
set security policies global policy Untrust-DNS match source-address any
set security policies global policy Untrust-DNS match destination-address any
set security policies global policy Untrust-DNS match application junos-dns-tcp
set security policies global policy Untrust-DNS match application junos-dns-udp
set security policies global policy Untrust-DNS match from-zone Untrust
set security policies global policy Untrust-DNS match to-zone Server
set security policies global policy Untrust-DNS then permit
set security zones security-zone Server host-inbound-traffic system-services any-service
set security zones security-zone Server interfaces ge-0/0/4.0
set security zones security-zone Server interfaces ge-0/0/2.0
set security zones security-zone Untrust interfaces ge-0/0/3.0
set interfaces ge-0/0/1 unit 0 family inet address 10.0.100.1/24
set interfaces ge-0/0/2 unit 0 family inet address 10.0.1.1/24
set interfaces ge-0/0/3 unit 0 family inet address 172.18.1.2/30
set interfaces ge-0/0/4 unit 0 family inet policer input RL
set interfaces ge-0/0/4 unit 0 family inet address 172.16.10.1/24
set interfaces fxp0 unit 0 family inet address 172.25.11.1/24
set interfaces lo0 unit 0 family inet address 192.168.1.1/32
set routing-options static route 0.0.0.0/0 next-hop 172.18.1.1
set firewall policer RL if-exceeding bandwidth-limit 1m
set firewall policer RL if-exceeding burst-size-limit 20k
set firewall policer RL then discard
set applications application custom-http-8080 protocol tcp
set applications application custom-http-8080 destination-port 8080

lab@vSRX-2# show | display set
set version 15.1X49-D70.3
set system host-name vSRX-2
set system root-authentication encrypted-password "$5$wLJg.4U3$CKyEttCSIQEJMc65XcP1VSeqM.tFF5yOxs6oQpxsy0."
set system login user lab uid 2000
set system login user lab class super-user
set system login user lab authentication encrypted-password "$5$s6Wv7AVW$eNGzs/eoTLe6mr7/tZhlRpTSShhqcWav5uHO1/oWWW6"
set system services ssh
set system services web-management http interface fxp0.0
set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set security forwarding-options family mpls mode packet-based
set security zones security-zone all host-inbound-traffic system-services any-service
set security zones security-zone all host-inbound-traffic protocols all
set security zones security-zone all interfaces all
deactivate security zones
set interfaces ge-0/0/1 unit 0 family inet address 10.0.100.2/24
set interfaces ge-0/0/2 unit 0 family inet address 10.0.1.2/24
set interfaces ge-0/0/2 unit 0 family iso
set interfaces ge-0/0/3 unit 0 family inet address 172.18.2.2/30
set interfaces ge-0/0/6 unit 0 family inet address 172.16.10.200/24
set interfaces fxp0 unit 0 family inet address 172.25.11.2/24
set interfaces lo0 unit 0 family inet address 192.168.1.2/32
set interfaces lo0 unit 0 family iso address 49.0001.1921.6800.1002.00
set routing-options static route 0.0.0.0/0 next-hop 172.18.2.1
set routing-options static route 172.16.1.100/32 next-hop 172.18.2.1
set protocols isis interface ge-0/0/2.0 level 1 disable
set protocols isis interface lo0.0 level 1 disable
deactivate protocols

Part 2: AppFW and AppID

show configuration security application-firewall
show configuration security policies global policy Untrust-HTTP
show configuration system syslog
[edit]
lab@vSRX-1# show security application-firewall | display set
set security application-firewall rule-sets protect-server rule HTTP match dynamic-application junos:HTTP
set security application-firewall rule-sets protect-server rule HTTP then permit
set security application-firewall rule-sets protect-server default-rule deny
[edit]
lab@vSRX-1# show security policies global policy Untrust-HTTP | display set
set security policies global policy Untrust-HTTP match source-address any
set security policies global policy Untrust-HTTP match destination-address any
set security policies global policy Untrust-HTTP match application junos-http
set security policies global policy Untrust-HTTP match application custom-http-8080
set security policies global policy Untrust-HTTP match from-zone Untrust
set security policies global policy Untrust-HTTP match to-zone Server
set security policies global policy Untrust-HTTP then permit application-services application-firewall rule-set protect-server
set security policies global policy Untrust-HTTP then log session-init
set security policies global policy Untrust-HTTP then log session-close
[edit]
lab@vSRX-1# show system syslog | display set
set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system syslog file AppSecure-log any any
set system syslog file AppSecure-log match RT_FLOW
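The Part 2 configuration is only protective if every permit policy on the Untrust-to-Server path actually hands the session to an AppFW rule-set whose default rule denies, and if session logging is on so the RT_FLOW messages land in the AppSecure-log file. The following audit script is an added example, not part of the lab page or of Junos; it parses the Part 2 "display set" lines (embedded as sample input) with a small regex parser of my own and reports every policy that misses one of those controls. On the lab configuration it flags Untrust-DNS, which the lab deliberately leaves without AppFW and without logging.

```python
"""Audit Junos 'display set' output for the AppSecure controls used in Part 2.

Added example (not lab or Junos code). Checks, for every permit policy from
Untrust to Server: an application-firewall rule-set is attached, that rule-set
carries 'default-rule deny', and session-init/session-close logging is enabled.
Also checks that a syslog file captures RT_FLOW. SAMPLE_CONFIG is the vSRX-1
Part 2 configuration, embedded here as sample input.
"""
import re
from collections import defaultdict

SAMPLE_CONFIG = """\
set security application-firewall rule-sets protect-server rule HTTP match dynamic-application junos:HTTP
set security application-firewall rule-sets protect-server rule HTTP then permit
set security application-firewall rule-sets protect-server default-rule deny
set security policies global policy Untrust-HTTP match source-address any
set security policies global policy Untrust-HTTP match destination-address any
set security policies global policy Untrust-HTTP match application junos-http
set security policies global policy Untrust-HTTP match application custom-http-8080
set security policies global policy Untrust-HTTP match from-zone Untrust
set security policies global policy Untrust-HTTP match to-zone Server
set security policies global policy Untrust-HTTP then permit application-services application-firewall rule-set protect-server
set security policies global policy Untrust-HTTP then log session-init
set security policies global policy Untrust-HTTP then log session-close
set security policies global policy Untrust-DNS match source-address any
set security policies global policy Untrust-DNS match destination-address any
set security policies global policy Untrust-DNS match application junos-dns-tcp
set security policies global policy Untrust-DNS match application junos-dns-udp
set security policies global policy Untrust-DNS match from-zone Untrust
set security policies global policy Untrust-DNS match to-zone Server
set security policies global policy Untrust-DNS then permit
set system syslog file AppSecure-log any any
set system syslog file AppSecure-log match RT_FLOW
"""

POLICY_RE = re.compile(r"^set security policies global policy (\S+) (match|then) (.*)$")
RULESET_RE = re.compile(r"^set security application-firewall rule-sets (\S+) (.*)$")


def parse_config(text):
    """Return (policies, rule_sets) built from the 'set' lines."""
    policies = defaultdict(lambda: {"match": {}, "then": []})
    rule_sets = defaultdict(list)
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            name, section, rest = m.groups()
            if section == "match":
                key, _, value = rest.partition(" ")
                policies[name]["match"].setdefault(key, []).append(value)
            else:
                policies[name]["then"].append(rest)
            continue
        m = RULESET_RE.match(line)
        if m:
            rule_sets[m.group(1)].append(m.group(2))
    return policies, rule_sets


def audit(text, from_zone="Untrust", to_zone="Server"):
    """Return a list of findings; an empty list means every check passed."""
    policies, rule_sets = parse_config(text)
    findings = []
    for name, pol in policies.items():
        if pol["match"].get("from-zone") != [from_zone] or pol["match"].get("to-zone") != [to_zone]:
            continue
        then = pol["then"]
        permits = [t for t in then if t.startswith("permit")]
        if not permits:
            continue  # deny/reject policies need no AppFW attachment
        rule_set = None
        for t in permits:
            m = re.search(r"application-firewall rule-set (\S+)", t)
            if m:
                rule_set = m.group(1)
        if rule_set is None:
            findings.append(f"{name}: permit without application-firewall rule-set")
        elif "default-rule deny" not in rule_sets.get(rule_set, []):
            findings.append(f"{name}: rule-set {rule_set} does not end in 'default-rule deny'")
        for event in ("session-init", "session-close"):
            if f"log {event}" not in then:
                findings.append(f"{name}: missing 'then log {event}'")
    if "set system syslog file AppSecure-log match RT_FLOW" not in text:
        findings.append("syslog: no file capturing RT_FLOW messages")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Feed it `show configuration | display set` output from any SRX and the same three checks apply; the zone pair is a parameter so the same audit can be run per direction.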

Part 3: Custom Application Signature

show configuration services application-identification
show configuration security application-firewall

lab@vSRX-1> show configuration services application-identification | display set
set services application-identification no-application-system-cache
set services application-identification application AJSEC-FILES over HTTP signature s-01 member m01 context http-header-host
set services application-identification application AJSEC-FILES over HTTP signature s-01 member m01 pattern "(.*\.)?(ajsecserver.ajsec.juniper.net)"
set services application-identification application AJSEC-FILES over HTTP signature s-01 member m01 direction client-to-server
set services application-identification application AJSEC-FILES over HTTP signature s-01 member m02 context http-url-parsed
set services application-identification application AJSEC-FILES over HTTP signature s-01 member m02 pattern /files/
set services application-identification application AJSEC-FILES over HTTP signature s-01 member m02 direction client-to-server
lab@vSRX-1> show configuration security application-firewall | display set
set security application-firewall rule-sets protect-server rule AJSEC-FILES match dynamic-application AJSEC-FILES
set security application-firewall rule-sets protect-server rule AJSEC-FILES then deny
set security application-firewall rule-sets protect-server rule HTTP match dynamic-application junos:HTTP
set security application-firewall rule-sets protect-server rule HTTP then permit
set security application-firewall rule-sets protect-server default-rule deny
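The AJSEC-FILES signature only fires when both members match the same client-to-server request: m01 against the Host header and m02 against the parsed URL. The script below is an added example, not lab or Junos code; it emulates that two-member evaluation with Python's `re` and then applies the Part 3 rule-set (AJSEC-FILES deny, junos:HTTP permit, default deny) to the identified application. It assumes each pattern is a PCRE that may match anywhere in its context value, which is an assumption made here rather than something the lab states. The fourth sample request shows why the unescaped dots in the lab's host pattern are worth fixing: `.` matches any character, so a host like `ajsecserverXajsecXjuniperXnet` is also classified as AJSEC-FILES; the escaped `HOST_PATTERN_STRICT` is a suggestion of mine, not lab configuration.

```python
"""Emulate the AJSEC-FILES custom signature from Part 3 and the AppFW verdict it triggers.

Added example (not lab or Junos code). Assumption: each member pattern is a
PCRE searched anywhere in its context value (Host header or parsed URL).
SAMPLE_REQUESTS are constructed.
"""
import re

# Patterns exactly as configured on vSRX-1 in Part 3.
HOST_PATTERN_LAB = r"(.*\.)?(ajsecserver.ajsec.juniper.net)"
URL_PATTERN_LAB = r"/files/"

# Hardened host pattern (suggested here, not lab config): literal dots are escaped,
# so they match only '.', not any character.
HOST_PATTERN_STRICT = r"(.*\.)?(ajsecserver\.ajsec\.juniper\.net)"

# AppFW rule-set protect-server from Part 3, in evaluation form.
APPFW_RULES = {"AJSEC-FILES": "deny", "junos:HTTP": "permit"}
APPFW_DEFAULT = "deny"


def member_matches(pattern, context_value):
    """One signature member: pattern found anywhere in the context (assumed semantics)."""
    return re.search(pattern, context_value) is not None


def identify(host, url, strict=False):
    """Return the dynamic application AppID would report for one HTTP request."""
    host_pattern = HOST_PATTERN_STRICT if strict else HOST_PATTERN_LAB
    if member_matches(host_pattern, host) and member_matches(URL_PATTERN_LAB, url):
        return "AJSEC-FILES"  # the nested application wins over the base protocol
    return "junos:HTTP"


def appfw_verdict(app):
    """Apply rule-set protect-server: explicit rules first, then default-rule deny."""
    return APPFW_RULES.get(app, APPFW_DEFAULT)


def classify(host, url, strict=False):
    """(dynamic application, AppFW action) for one request."""
    app = identify(host, url, strict)
    return app, appfw_verdict(app)


# Constructed sample requests: (Host header, parsed URL path)
SAMPLE_REQUESTS = [
    ("ajsecserver.ajsec.juniper.net", "/files/report.pdf"),
    ("www.ajsecserver.ajsec.juniper.net", "/files/"),
    ("ajsecserver.ajsec.juniper.net", "/index.html"),
    ("ajsecserverXajsecXjuniperXnet", "/files/report.pdf"),  # matches only because of the unescaped dots
]

if __name__ == "__main__":
    for host, url in SAMPLE_REQUESTS:
        print(host, url, "lab:", classify(host, url), "strict:", classify(host, url, strict=True))
```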

Part 4: AppTrack

show configuration firewall
show configuration interfaces ge-0/0/4
show configuration security application-tracking
show configuration security zones security-zone Server
show configuration security policies global policy FTP-Unstrust
lab@vSRX-1> show configuration firewall | display set
set firewall policer RL if-exceeding bandwidth-limit 1m
set firewall policer RL if-exceeding burst-size-limit 20k
set firewall policer RL then discard
set firewall policer ftp-policer if-exceeding bandwidth-limit 1m
set firewall policer ftp-policer if-exceeding burst-size-limit 20k
set firewall policer ftp-policer then discard
lab@vSRX-1> show configuration interfaces ge-0/0/4 | display set
set interfaces ge-0/0/4 unit 0 family inet policer input ftp-policer
set interfaces ge-0/0/4 unit 0 family inet address 172.16.10.1/24
lab@vSRX-1> show configuration security application-tracking | display set
set security application-tracking first-update
set security application-tracking session-update-interval 2
lab@vSRX-1> show configuration security zones security-zone Server | display set
set security zones security-zone Server host-inbound-traffic system-services any-service
set security zones security-zone Server interfaces ge-0/0/4.0
set security zones security-zone Server interfaces ge-0/0/2.0
set security zones security-zone Server application-tracking
lab@vSRX-1> show configuration security policies global policy FTP-Unstrust | display set
set security policies global policy FTP-Unstrust match source-address any
set security policies global policy FTP-Unstrust match destination-address any
set security policies global policy FTP-Unstrust match application junos-ftp
set security policies global policy FTP-Unstrust match from-zone Untrust
set security policies global policy FTP-Unstrust match to-zone Server
set security policies global policy FTP-Unstrust then permit

Part 5: APBR configuration

lab@vSRX-1> show configuration security policies global policy Untrust-SSH | display set
set security policies global policy Untrust-SSH match source-address any
set security policies global policy Untrust-SSH match destination-address any
set security policies global policy Untrust-SSH match application junos-ssh
set security policies global policy Untrust-SSH match from-zone Untrust
set security policies global policy Untrust-SSH match to-zone Server
set security policies global policy Untrust-SSH then permit

lab@vSRX-1> show configuration routing-instances APBR | display set
set routing-instances APBR instance-type forwarding
set routing-instances APBR routing-options static route 0.0.0.0/0 next-hop 10.0.1.2

lab@vSRX-1> show configuration routing-options rib-groups | display set
set routing-options rib-groups APBR import-rib inet.0
set routing-options rib-groups APBR import-rib APBR.inet.0
set routing-options rib-groups APBR import-policy block-rts    ## add this one

lab@vSRX-1> show configuration routing-options interface-routes | display set
set routing-options interface-routes rib-group inet APBR

Part 5: APBR show commands

show services application-identification application-system-cache
show security advance-policy-based-routing statistics
show security flow session

lab@vSRX-1> show configuration security advance-policy-based-routing | display set
set security advance-policy-based-routing profile SSH-APBR rule 1 match dynamic-application junos:SSH
set security advance-policy-based-routing profile SSH-APBR rule 1 then routing-instance APBR

# Delete: no-application-system-cache
#
#lab@vSRX-1> show configuration services application-identification | display set
#set services application-identification no-application-system-cache
#set services application-identification application AJSEC-FILES over HTTP signature s-01 member m01 context http-header-host
#set services application-identification application AJSEC-FILES over HTTP signature s-01 member m01 pattern "(.*\.)?(ajsecserver.ajsec.juniper.net)"
#set services application-identification application AJSEC-FILES over HTTP signature s-01 member m01 direction client-to-server
#set services application-identification application AJSEC-FILES over HTTP signature s-01 member m02 context http-url-parsed
#set services application-identification application AJSEC-FILES over HTTP signature s-01 member m02 pattern /files/
#set services application-identification application AJSEC-FILES over HTTP signature s-01 member m02 direction client-to-server

lab@vSRX-1> show configuration policy-options | display set
set policy-options policy-statement block-rts term 1 from interface ge-0/0/2.0
set policy-options policy-statement block-rts term 1 to rib APBR.inet.0
set policy-options policy-statement block-rts term 1 then accept
set policy-options policy-statement block-rts term 2 then reject

[edit routing-options]
lab@vSRX-1# run show security advance-policy-based-routing stat
                                                           ^
'stat' is ambiguous.
Possible completions:
  statistics           Show advance-policy-based-routing statistics
  status               Show advance-policy-based-routing status

[edit routing-options]
lab@vSRX-1# run show security flow session
Session ID: 46634, Policy name: Untrust-SSH/7, Timeout: 1202, Valid
  In: 172.16.1.100/41256 --> 172.16.10.100/22;tcp, Conn Tag: 0x0, If: ge-0/0/3.0, Pkts: 20, Bytes: 2764,
  Out: 172.16.10.100/22 --> 172.16.1.100/41256;tcp, Conn Tag: 0x0, If: ge-0/0/4.0, Pkts: 20, Bytes: 4436,
Total sessions: 1

[edit routing-options]
lab@vSRX-1# run show security flow session
Session ID: 46798, Policy name: Untrust-SSH/7, Timeout: 1796, Valid
  In: 172.16.1.100/41005 --> 172.16.10.100/22;tcp, Conn Tag: 0x0, If: ge-0/0/3.0, Pkts: 20, Bytes: 2764,
  Out: 172.16.10.100/22 --> 172.16.1.100/41005;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 20, Bytes: 4436,
Total sessions: 1

[edit routing-options]
lab@vSRX-1# run show security advance-policy-based-routing statistics
Advance Profile Based Routing statistics:
    Session Processed:       214
    ASC Success:             2
    Rule match success:      2
    Route modified:          2
    AppID Requested:         158

[edit routing-options]
lab@vSRX-1#
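The two session captures above are the evidence that APBR took effect: the Out wing of a session shows the interface facing the destination, and it moves from ge-0/0/4.0 (the Server segment reached through the main table) to ge-0/0/2.0 once the SSH session is forwarded through the APBR instance, whose only exit is the static default via 10.0.1.2 on the ge-0/0/2 subnet from Part 1. The "ASC Success" counter is relevant to the "Delete: no-application-system-cache" note, because APBR consults the application system cache to pick the route for a session early. The script below is an added example, not lab or Junos code; it parses the session and statistics output above (embedded as sample text) and reports which sessions were routed by APBR. Mapping the 10.0.1.2 next-hop to ge-0/0/2.0 is an assumption made here from the Part 1 addressing, not something the outputs state.

```python
"""Check from vSRX-1 session and APBR statistics output whether SSH was redirected by APBR.

Added example (not lab or Junos code). Parses the two 'show security flow session'
captures and the 'show security advance-policy-based-routing statistics' output
from Part 5, embedded below as sample text. Assumption: the APBR instance's
next-hop 10.0.1.2 is reached via ge-0/0/2.0 (Part 1 addressing).
"""
import re

SESSION_BEFORE = """\
Session ID: 46634, Policy name: Untrust-SSH/7, Timeout: 1202, Valid
  In: 172.16.1.100/41256 --> 172.16.10.100/22;tcp, Conn Tag: 0x0, If: ge-0/0/3.0, Pkts: 20, Bytes: 2764,
  Out: 172.16.10.100/22 --> 172.16.1.100/41256;tcp, Conn Tag: 0x0, If: ge-0/0/4.0, Pkts: 20, Bytes: 4436,
Total sessions: 1
"""

SESSION_AFTER = """\
Session ID: 46798, Policy name: Untrust-SSH/7, Timeout: 1796, Valid
  In: 172.16.1.100/41005 --> 172.16.10.100/22;tcp, Conn Tag: 0x0, If: ge-0/0/3.0, Pkts: 20, Bytes: 2764,
  Out: 172.16.10.100/22 --> 172.16.1.100/41005;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 20, Bytes: 4436,
Total sessions: 1
"""

APBR_STATS = """\
Advance Profile Based Routing statistics:
    Session Processed:       214
    ASC Success:             2
    Rule match success:      2
    Route modified:          2
    AppID Requested:         158
"""

APBR_EGRESS = "ge-0/0/2.0"  # holds 10.0.1.1/24, the subnet of the APBR next-hop 10.0.1.2 (assumption)

SESSION_RE = re.compile(r"^Session ID: (\d+), Policy name: ([^/]+)/\d+, Timeout: (\d+)")
WING_RE = re.compile(
    r"^\s*(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), .*?If: ([^,]+), Pkts: (\d+), Bytes: (\d+)"
)


def parse_sessions(text):
    """Turn 'show security flow session' output into a list of session dicts."""
    sessions, current = [], None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            current = {"id": int(m.group(1)), "policy": m.group(2), "timeout": int(m.group(3))}
            sessions.append(current)
            continue
        m = WING_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = {
                "src": m.group(2), "sport": int(m.group(3)),
                "dst": m.group(4), "dport": int(m.group(5)),
                "proto": m.group(6), "if": m.group(7),
                "pkts": int(m.group(8)), "bytes": int(m.group(9)),
            }
    return sessions


def parse_apbr_stats(text):
    """Collect the 'Name: value' counters into a dict."""
    counters = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z ]+?):\s+(\d+)\s*$", line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def routed_by_apbr(session):
    """True when the destination-facing (Out wing) interface is the APBR instance's exit."""
    return session["out"]["if"] == APBR_EGRESS


def apbr_summary(stats_text):
    """Return (rule matches, routes modified, every rule match changed the route)."""
    c = parse_apbr_stats(stats_text)
    return c["Rule match success"], c["Route modified"], c["Rule match success"] == c["Route modified"]


if __name__ == "__main__":
    for label, text in (("before", SESSION_BEFORE), ("after", SESSION_AFTER)):
        for s in parse_sessions(text):
            print(label, s["id"], s["policy"], "out via", s["out"]["if"], "APBR:", routed_by_apbr(s))
    print(apbr_summary(APBR_STATS))
```

The same parser works on a full `show security flow session` dump, so after changing the APBR profile you can count how many sessions of a given policy actually left through the expected instance instead of reading the table by eye.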