AJSEC Lab8 Integrated User Firewall
- Jean-luc KRIKER
Owned by Jean-luc KRIKER
code Expand source
Part 2: show services user-identification active-directory-access domain-controller status show services user-identification authentication-table authentication-source all show services user-identification device-information table all show services user-identification active-directory-access statistics ip-user-mapping lab@vSRX-1> show configuration services user-identification | display set set services user-identification active-directory-access domain juniper.net user administrator set services user-identification active-directory-access domain juniper.net user password "$9$tIX5pBEcSeMWxEhVwg4ZGUDiHm5Qz6CA0" set services user-identification active-directory-access domain juniper.net domain-controller DC1 address 172.16.1.253 set services user-identification active-directory-access domain juniper.net ip-user-mapping discovery-method wmi event-log-scanning-interval 10 set services user-identification active-directory-access domain juniper.net ip-user-mapping discovery-method wmi initial-event-log-timespan 1 set services user-identification active-directory-access domain juniper.net user-group-mapping ldap authentication-algorithm simple set services user-identification active-directory-access domain juniper.net user-group-mapping ldap base DC=juniper,DC=net set services user-identification active-directory-access authentication-entry-timeout 30 set services user-identification active-directory-access wmi-timeout 10 Part 3: SD: Configure / Firewall Policy / Policies workspace. >> Create a Fw Policy / secu policy >> Add Rule to policy lab@vSRX-1> show configuration security policies | display set set security policies from-zone Trust to-zone Server policy UserFW match source-address any set security policies from-zone Trust to-zone Server policy UserFW match destination-address any set security policies from-zone Trust to-zone Server policy UserFW match application any set security policies from-zone Trust to-zone Server policy UserFW match source-identity authenticated-user set security policies from-zone Trust to-zone Server policy UserFW then permit !!! Hiden command: clear services user-identification active-directory-access active-directory-authentication-table show services user-identification active-directory-access active-directory-authentication-table al jim/lab123@Lab Part 4: SD: Configure / User Firewall Management / Access Profile workspa ce. >> Create an Access profile set access profile AD-Profile authentication-order ldap set access profile AD-Profile authentication-order password set access profile AD-Profile ldap-options base-distinguished-name CN=Users,DC=juniper,DC=net set access profile AD-Profile ldap-options search search-filter sAMAccountName= set access profile AD-Profile ldap-options search admin-search distinguished-name CN=administrator,CN=Users,DC=juniper,DC=net set access profile AD-Profile ldap-options search admin-search password lab123@Lab set access profile AD-Profile ldap-server 172.15.1.253 port 389 Same but from the vSRX: lab@vSRX-1> show configuration access | display set set access profile AD-Profile authentication-order ldap set access profile AD-Profile authentication-order password set access profile AD-Profile ldap-options base-distinguished-name CN=Users,DC=juniper,DC=net set access profile AD-Profile ldap-options search search-filter sAMAccountName= set access profile AD-Profile ldap-options search admin-search distinguished-name CN=administrator,CN=Users,DC=juniper,DC=net set access profile AD-Profile ldap-options search admin-search password "$9$Ef0hrvW87dVYvMaZji.mPfTQn9AtOIRS" set access profile AD-Profile ldap-server 172.15.1.253 port 389 Part 5: SD: Configure / Firewall Policy / Policies workspace. >> Add a rule to the policy Pushed by the Security Director: set security policies from-zone Trust to-zone Server policy userFW-unauth match application any set security policies from-zone Trust to-zone Server policy userFW-unauth match destination-address any set security policies from-zone Trust to-zone Server policy userFW-unauth match source-address any set security policies from-zone Trust to-zone Server policy userFW-unauth match source-identity unauthenticated-user set security policies from-zone Trust to-zone Server policy userFW-unauth match source-identity unknown-user set security policies from-zone Trust to-zone Server policy userFW-unauth then permit firewall-authentication user-firewall access-profile AD-Profile set security policies from-zone Trust to-zone Server policy userFW-unauth then permit firewall-authentication user-firewall domain juniper.net lab@vSRX-1> show configuration security policies | display set set security policies from-zone Trust to-zone Server policy UserFW match source-address any set security policies from-zone Trust to-zone Server policy UserFW match destination-address any set security policies from-zone Trust to-zone Server policy UserFW match application any set security policies from-zone Trust to-zone Server policy UserFW match source-identity authenticated-user set security policies from-zone Trust to-zone Server policy UserFW then permit set security policies from-zone Trust to-zone Server policy userFW-unauth match source-address any set security policies from-zone Trust to-zone Server policy userFW-unauth match destination-address any set security policies from-zone Trust to-zone Server policy userFW-unauth match application any set security policies from-zone Trust to-zone Server policy userFW-unauth match source-identity unauthenticated-user set security policies from-zone Trust to-zone Server policy userFW-unauth match source-identity unknown-user set security policies from-zone Trust to-zone Server policy userFW-unauth then permit firewall-authentication user-firewall access-profile AD-Profile set security policies from-zone Trust to-zone Server policy userFW-unauth then permit firewall-authentication user-firewall domain juniper.net lab / lab123 jum / lab123 ( domain: juniper ) | |