Understanding a Security Flow Policy on a Device Running Junos OS
You can define a security flow policy on a device running Junos OS to inspect and process network packets. Permit, deny, and log operations can be associated with each policy. Each policy is associated with a pair of security zones, and each zone is bound to distinct network interfaces.
The following modes can be defined for a security flow policy to determine how a device directs traffic:
Bypass—The Permit option directs the traffic traversing the device through the stateful firewall inspection, but not through the IPsec VPN tunnel.
Discard—The Deny option inspects and drops all packets that do not match any Permit policies.
Protect—The traffic is routed through an IPsec tunnel based on the combination of route lookup and Permit policy inspection.
Log—This option logs traffic and session information for all the modes mentioned above.
The following sections describe how to configure a security policy for each of these modes:
Configuring a Security Flow Policy in Firewall Bypass Mode
To configure a security flow policy for firewall bypass mode:
- Configure the security policies.

  [edit security policies]
  user@host# set from-zone trustZone to-zone untrustZone policy policy1 match source-address trustLan
  user@host# set from-zone trustZone to-zone untrustZone policy policy1 match destination-address untrustLan
  user@host# set from-zone trustZone to-zone untrustZone policy policy1 match application any
  user@host# set from-zone trustZone to-zone untrustZone policy policy1 then permit
  user@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-init
  user@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-close
Note: Here, trustZone and untrustZone are preconfigured security zones, and trustLan and untrustLan are preconfigured network addresses. junos-ssh is an example of a Junos OS default predefined application that can be configured in a security policy to enforce SSH traffic.
Configuring a Security Policy in Firewall Discard Mode
To configure a security flow policy for firewall discard mode:
- Configure the security policies.

  [edit security policies]
  user@host# set from-zone untrustZone to-zone trustZone policy policy1 match source-address untrustLan
  user@host# set from-zone untrustZone to-zone trustZone policy policy1 match destination-address trustLan
  user@host# set from-zone untrustZone to-zone trustZone policy policy1 match application junos-telnet
  user@host# set from-zone untrustZone to-zone trustZone policy policy1 then deny
  user@host# set from-zone untrustZone to-zone trustZone policy policy1 then log session-init
  user@host# set from-zone untrustZone to-zone trustZone policy policy1 then log session-close
Note: Here, trustZone and untrustZone are the preconfigured security zones, and trustLan and untrustLan are preconfigured network addresses. junos-telnet is an example of a Junos OS default predefined application that can be configured in a security policy to enforce Telnet traffic.
Configuring a Security Flow Policy in IPsec Protect Mode
To configure a security flow policy for IPsec protect mode:
- Configure the VPN.

  [edit]
  user@host# set security ipsec vpn vpn1 ike gateway gw1
  user@host# set security ipsec vpn vpn1 ike ipsec-policy ipsec-policy1
  user@host# set security ipsec vpn vpn1 bind-interface st0.0
  user@host# set routing-options static route 198.51.100.14/24 qualified-next-hop st0.0 preference 1
Note: Here, gw1 is a preconfigured IKE gateway and ipsec-policy1 is a preconfigured IPsec policy.
- Configure the security policies.

  [edit security policies]
  user@host# set from-zone trustZone to-zone untrustZone policy policy1 match source-address trustLan
  user@host# set from-zone trustZone to-zone untrustZone policy policy1 match destination-address untrustLan
  user@host# set from-zone trustZone to-zone untrustZone policy policy1 match application any
  user@host# set from-zone trustZone to-zone untrustZone policy policy1 then permit
  user@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-init
  user@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-close
Note: Here, trustZone and untrustZone are preconfigured security zones, and trustLan and untrustLan are preconfigured network addresses.
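Every policy in the three procedures above carries both `log session-init` and `log session-close`, and whether a permitted flow ends up in bypass or protect mode is decided by the route lookup, not by the policy itself. The following added example (not Juniper's code) parses `set security policies ...` lines of the form used on this page into a per-policy structure and flags any policy that lacks a terminating action or either log action; the sample input is constructed, with `dmzZone`, `dmzLan` and `policy2` being hypothetical names added to show a policy that omits logging.

```python
import re
from collections import defaultdict

# Constructed sample: the bypass policy from this page plus a hypothetical
# policy2 that permits SSH to a DMZ but omits both log actions.
SAMPLE = """
set security policies from-zone trustZone to-zone untrustZone policy policy1 match source-address trustLan
set security policies from-zone trustZone to-zone untrustZone policy policy1 match destination-address untrustLan
set security policies from-zone trustZone to-zone untrustZone policy policy1 match application any
set security policies from-zone trustZone to-zone untrustZone policy policy1 then permit
set security policies from-zone trustZone to-zone untrustZone policy policy1 then log session-init
set security policies from-zone trustZone to-zone untrustZone policy policy1 then log session-close
set security policies from-zone trustZone to-zone dmzZone policy policy2 match source-address trustLan
set security policies from-zone trustZone to-zone dmzZone policy policy2 match destination-address dmzLan
set security policies from-zone trustZone to-zone dmzZone policy policy2 match application junos-ssh
set security policies from-zone trustZone to-zone dmzZone policy policy2 then permit
"""

# One 'set' line: zone pair, policy name, then either a match term or an action.
LINE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) "
                  r"policy (\S+) (match|then) (.+)$")

def parse_policies(text):
    """Group set lines into {(from_zone, to_zone, name): {'match': {}, 'then': set()}}."""
    policies = defaultdict(lambda: {"match": {}, "then": set()})
    for raw in text.strip().splitlines():
        m = LINE.match(raw.strip())
        if not m:
            raise ValueError(f"unrecognised line: {raw}")
        from_zone, to_zone, name, section, rest = m.groups()
        entry = policies[(from_zone, to_zone, name)]
        if section == "match":
            term, value = rest.split(" ", 1)      # e.g. 'application', 'junos-ssh'
            entry["match"][term] = value
        else:
            entry["then"].add(rest)               # e.g. 'permit', 'log session-init'
    return dict(policies)

def audit(policies):
    """Return (policy_key, problem) pairs for policies missing an action or a log option."""
    findings = []
    for key, pol in policies.items():
        actions = pol["then"]
        if not actions & {"permit", "deny", "reject"}:
            findings.append((key, "no permit/deny/reject action"))
        for needed in ("log session-init", "log session-close"):
            if needed not in actions:
                findings.append((key, f"missing '{needed}'"))
    return findings
```

Running `audit(parse_policies(SAMPLE))` reports only the hypothetical policy2, once for each missing log option.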