Created by Jean-luc KRIKER, last modified on Mar 12, 2019
Part 1: Lab config

Baseline configuration of the two vSRX instances. vSRX-1 is the firewall under test: zone Untrust (ge-0/0/3) faces zone Server (ge-0/0/2 and ge-0/0/4), two global policies permit HTTP (port 80 and a custom port 8080 application) and DNS from Untrust to Server, and a 1 Mbit/s policer RL is applied inbound on ge-0/0/4. vSRX-2 has its security zones and routing protocols deactivated and MPLS in packet-based mode, so it behaves as a plain router on the far side of the lab rather than as a second firewall. Both boxes expose SSH and plain-HTTP web management on the fxp0 management interface.

vSRX-1:

```
lab@vSRX-1# show | display set
set version 15.1X49-D90.7
set system host-name vSRX-1
set system root-authentication encrypted-password "$5$wLJg.4U3$CKyEttCSIQEJMc65XcP1VSeqM.tFF5yOxs6oQpxsy0."
set system login user lab uid 2000
set system login user lab class super-user
set system login user lab authentication encrypted-password "$5$s6Wv7AVW$eNGzs/eoTLe6mr7/tZhlRpTSShhqcWav5uHO1/oWWW6"
set system services ssh
set system services web-management http interface fxp0.0
set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system syslog file AppSecure-log any any
set system syslog file AppSecure-log match RT_FLOW
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set security policies global policy Untrust-HTTP match source-address any
set security policies global policy Untrust-HTTP match destination-address any
set security policies global policy Untrust-HTTP match application junos-http
set security policies global policy Untrust-HTTP match application custom-http-8080
set security policies global policy Untrust-HTTP match from-zone Untrust
set security policies global policy Untrust-HTTP match to-zone Server
set security policies global policy Untrust-HTTP then permit
set security policies global policy Untrust-DNS match source-address any
set security policies global policy Untrust-DNS match destination-address any
set security policies global policy Untrust-DNS match application junos-dns-tcp
set security policies global policy Untrust-DNS match application junos-dns-udp
set security policies global policy Untrust-DNS match from-zone Untrust
set security policies global policy Untrust-DNS match to-zone Server
set security policies global policy Untrust-DNS then permit
set security zones security-zone Server host-inbound-traffic system-services any-service
set security zones security-zone Server interfaces ge-0/0/4.0
set security zones security-zone Server interfaces ge-0/0/2.0
set security zones security-zone Untrust interfaces ge-0/0/3.0
set interfaces ge-0/0/1 unit 0 family inet address 10.0.100.1/24
set interfaces ge-0/0/2 unit 0 family inet address 10.0.1.1/24
set interfaces ge-0/0/3 unit 0 family inet address 172.18.1.2/30
set interfaces ge-0/0/4 unit 0 family inet policer input RL
set interfaces ge-0/0/4 unit 0 family inet address 172.16.10.1/24
set interfaces fxp0 unit 0 family inet address 172.25.11.1/24
set interfaces lo0 unit 0 family inet address 192.168.1.1/32
set routing-options static route 0.0.0.0/0 next-hop 172.18.1.1
set firewall policer RL if-exceeding bandwidth-limit 1m
set firewall policer RL if-exceeding burst-size-limit 20k
set firewall policer RL then discard
set applications application custom-http-8080 protocol tcp
set applications application custom-http-8080 destination-port 8080
```

vSRX-2:

```
lab@vSRX-2# show | display set
set version 15.1X49-D70.3
set system host-name vSRX-2
set system root-authentication encrypted-password "$5$wLJg.4U3$CKyEttCSIQEJMc65XcP1VSeqM.tFF5yOxs6oQpxsy0."
set system login user lab uid 2000
set system login user lab class super-user
set system login user lab authentication encrypted-password "$5$s6Wv7AVW$eNGzs/eoTLe6mr7/tZhlRpTSShhqcWav5uHO1/oWWW6"
set system services ssh
set system services web-management http interface fxp0.0
set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set security forwarding-options family mpls mode packet-based
set security zones security-zone all host-inbound-traffic system-services any-service
set security zones security-zone all host-inbound-traffic protocols all
set security zones security-zone all interfaces all
deactivate security zones
set interfaces ge-0/0/1 unit 0 family inet address 10.0.100.2/24
set interfaces ge-0/0/2 unit 0 family inet address 10.0.1.2/24
set interfaces ge-0/0/2 unit 0 family iso
set interfaces ge-0/0/3 unit 0 family inet address 172.18.2.2/30
set interfaces ge-0/0/6 unit 0 family inet address 172.16.10.200/24
set interfaces fxp0 unit 0 family inet address 172.25.11.2/24
set interfaces lo0 unit 0 family inet address 192.168.1.2/32
set interfaces lo0 unit 0 family iso address 49.0001.1921.6800.1002.00
set routing-options static route 0.0.0.0/0 next-hop 172.18.2.1
set routing-options static route 172.16.1.100/32 next-hop 172.18.2.1
set protocols isis interface ge-0/0/2.0 level 1 disable
set protocols isis interface lo0.0 level 1 disable
deactivate protocols
```
Part 2: AppFW and AppID

An application-firewall rule-set protect-server is created that permits only sessions identified as junos:HTTP and denies everything else (default-rule deny). It is attached to the existing Untrust-HTTP policy through application-services, so the Layer 4 match on junos-http / custom-http-8080 is now followed by a Layer 7 check on what the traffic actually is. Session-init and session-close logging is added to the policy; the RT_FLOW messages it produces are collected in the AppSecure-log syslog file.

Commands: show configuration security application-firewall; show configuration security policies global policy Untrust-HTTP; show configuration system syslog

```
[edit]
lab@vSRX-1# show security application-firewall | display set
set security application-firewall rule-sets protect-server rule HTTP match dynamic-application junos:HTTP
set security application-firewall rule-sets protect-server rule HTTP then permit
set security application-firewall rule-sets protect-server default-rule deny

[edit]
lab@vSRX-1# show security policies global policy Untrust-HTTP | display set
set security policies global policy Untrust-HTTP match source-address any
set security policies global policy Untrust-HTTP match destination-address any
set security policies global policy Untrust-HTTP match application junos-http
set security policies global policy Untrust-HTTP match application custom-http-8080
set security policies global policy Untrust-HTTP match from-zone Untrust
set security policies global policy Untrust-HTTP match to-zone Server
set security policies global policy Untrust-HTTP then permit application-services application-firewall rule-set protect-server
set security policies global policy Untrust-HTTP then log session-init
set security policies global policy Untrust-HTTP then log session-close

[edit]
lab@vSRX-1# show system syslog | display set
set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system syslog file AppSecure-log any any
set system syslog file AppSecure-log match RT_FLOW
```
Part 3: Custom Application Signature

A custom Layer 7 application AJSEC-FILES is defined over HTTP. Its single signature s-01 has two members, both in the client-to-server direction: m01 matches the Host header against the pattern "(.*\.)?(ajsecserver.ajsec.juniper.net)" and m02 matches the parsed URL against /files/. The rule-set protect-server gains a deny rule for AJSEC-FILES in front of the junos:HTTP permit, so downloads from the files path on that host are blocked while other HTTP to the server still passes. The application system cache is disabled (no-application-system-cache) so every session is classified by inspection rather than from a cached destination-to-application mapping; this matters here because the custom application shares the server's IP address and port with ordinary HTTP.

Commands: show configuration services application-identification; show configuration security application-firewall

```
lab@vSRX-1> show configuration services application-identification | display set
set services application-identification no-application-system-cache
set services application-identification application AJSEC-FILES over HTTP signature s-01 member m01 context http-header-host
set services application-identification application AJSEC-FILES over HTTP signature s-01 member m01 pattern "(.*\.)?(ajsecserver.ajsec.juniper.net)"
set services application-identification application AJSEC-FILES over HTTP signature s-01 member m01 direction client-to-server
set services application-identification application AJSEC-FILES over HTTP signature s-01 member m02 context http-url-parsed
set services application-identification application AJSEC-FILES over HTTP signature s-01 member m02 pattern /files/
set services application-identification application AJSEC-FILES over HTTP signature s-01 member m02 direction client-to-server

lab@vSRX-1> show configuration security application-firewall | display set
set security application-firewall rule-sets protect-server rule AJSEC-FILES match dynamic-application AJSEC-FILES
set security application-firewall rule-sets protect-server rule AJSEC-FILES then deny
set security application-firewall rule-sets protect-server rule HTTP match dynamic-application junos:HTTP
set security application-firewall rule-sets protect-server rule HTTP then permit
set security application-firewall rule-sets protect-server default-rule deny
```
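The following Python model, added here as an example and not code from the page or from Juniper, walks a few HTTP requests through the Part 3 signature and the Part 2/3 rule-set to show which verdict each request would get: AJSEC-FILES (deny), junos:HTTP (permit), or unclassified (default-rule deny). It makes three assumptions that should be checked against the platform before relying on them: that all members of one signature must match (AND), that patterns are applied as unanchored regular-expression searches, and that the http-url-parsed context is the percent-decoded path without the query string. The sample requests are constructed, not captures from the lab. Two caveats the walk-through makes visible: the Host header is supplied by the client, so a client that names the server by IP address instead of by name is classified as plain HTTP and permitted even when it requests /files/; and the dots in the host pattern are unescaped, so the pattern also matches hosts that differ from the intended name at those positions.

```python
import re
from urllib.parse import unquote

# Custom application signature AJSEC-FILES, transcribed from the Part 3 config.
# Both members belong to signature s-01. Assumption: every member of a
# signature must match for the custom application to be identified.
AJSEC_FILES_MEMBERS = {
    "http-header-host": re.compile(r"(.*\.)?(ajsecserver.ajsec.juniper.net)"),
    "http-url-parsed": re.compile(r"/files/"),
}

# AppFW rule-set protect-server as it stands after Parts 2 and 3:
# per-application action, then the default rule.
PROTECT_SERVER_RULES = {"AJSEC-FILES": "deny", "junos:HTTP": "permit"}
PROTECT_SERVER_DEFAULT = "deny"


def extract_contexts(payload: bytes):
    """Pull the two AppID contexts out of an HTTP/1.x request head.

    Returns None when the payload is not an HTTP request, standing in for a
    session AppID cannot classify.
    """
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[0].isalpha() or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    # Assumption: http-url-parsed is the percent-decoded path, query removed.
    path = unquote(parts[1].split("?", 1)[0])
    return {"http-header-host": headers.get("host", ""), "http-url-parsed": path}


def identify(payload: bytes) -> str:
    """Return the dynamic application AppID would assign to this request."""
    contexts = extract_contexts(payload)
    if contexts is None:
        return "junos:UNKNOWN"
    # Assumption: each member pattern is an unanchored regex search on its context.
    if all(rx.search(contexts[ctx]) for ctx, rx in AJSEC_FILES_MEMBERS.items()):
        return "AJSEC-FILES"
    # The Layer 4 policy already matched junos-http / custom-http-8080,
    # so anything parseable as HTTP that is not the custom app is junos:HTTP.
    return "junos:HTTP"


def appfw_verdict(app: str) -> str:
    """Apply rule-set protect-server: matching rule first, else default-rule."""
    return PROTECT_SERVER_RULES.get(app, PROTECT_SERVER_DEFAULT)


def decide(payload: bytes):
    app = identify(payload)
    return app, appfw_verdict(app)


# Constructed sample requests (not captures from the lab).
SAMPLES = {
    "download from the file server": b"GET /files/report.zip HTTP/1.1\r\nHost: ajsecserver.ajsec.juniper.net\r\n\r\n",
    "ordinary page on the same host": b"GET /index.html HTTP/1.1\r\nHost: ajsecserver.ajsec.juniper.net\r\n\r\n",
    "same path, client names the server by IP": b"GET /files/report.zip HTTP/1.1\r\nHost: 172.16.10.1\r\n\r\n",
    "percent-encoded path": b"GET /%66iles/report.zip HTTP/1.1\r\nHost: ajsecserver.ajsec.juniper.net\r\n\r\n",
    "unescaped dots in the host pattern": b"GET /files/x HTTP/1.1\r\nHost: ajsecserverXajsecXjuniperXnet\r\n\r\n",
    "not HTTP at all": b"\x16\x03\x01\x00\x5a\x01\x00\x00\x56\x03\x03",
}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        app, verdict = decide(payload)
        print(f"{label:42s} -> {app:13s} {verdict}")
```

Running the block prints one line per sample. The third sample is the one to note: the deny is keyed on a client-controlled header, so it stops a cooperating browser, not an attacker who addresses the server by IP or sends an arbitrary Host value.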
Part 4: AppTrack

Application tracking is turned on for zone Server (with first-update, and session updates every 2 minutes via session-update-interval 2), so sessions into that zone produce AppTrack records with their identified application. For the FTP test a second policer, ftp-policer (1 Mbit/s, 20 KB burst, discard), replaces RL on ge-0/0/4, and a new global policy FTP-Unstrust permits junos-ftp from Untrust to Server. The policy name is kept as it appears in the configuration.

Commands: show configuration firewall; show configuration interfaces ge-0/0/4; show configuration security application-tracking; show configuration security zones security-zone Server; show configuration security policies global policy FTP-Unstrust

```
lab@vSRX-1> show configuration firewall | display set
set firewall policer RL if-exceeding bandwidth-limit 1m
set firewall policer RL if-exceeding burst-size-limit 20k
set firewall policer RL then discard
set firewall policer ftp-policer if-exceeding bandwidth-limit 1m
set firewall policer ftp-policer if-exceeding burst-size-limit 20k
set firewall policer ftp-policer then discard

lab@vSRX-1> show configuration interfaces ge-0/0/4 | display set
set interfaces ge-0/0/4 unit 0 family inet policer input ftp-policer
set interfaces ge-0/0/4 unit 0 family inet address 172.16.10.1/24

lab@vSRX-1> show configuration security application-tracking | display set
set security application-tracking first-update
set security application-tracking session-update-interval 2

lab@vSRX-1> show configuration security zones security-zone Server | display set
set security zones security-zone Server host-inbound-traffic system-services any-service
set security zones security-zone Server interfaces ge-0/0/4.0
set security zones security-zone Server interfaces ge-0/0/2.0
set security zones security-zone Server application-tracking

lab@vSRX-1> show configuration security policies global policy FTP-Unstrust | display set
set security policies global policy FTP-Unstrust match source-address any
set security policies global policy FTP-Unstrust match destination-address any
set security policies global policy FTP-Unstrust match application junos-ftp
set security policies global policy FTP-Unstrust match from-zone Untrust
set security policies global policy FTP-Unstrust match to-zone Server
set security policies global policy FTP-Unstrust then permit
```
Part 5: APBR