Application Firewall Support for Tenant System
Understanding Application Firewall Services for Tenant Systems
Application firewall is a group of fine-grained application control policies that allow or deny the traffic based on the dynamic application name or the group names. It enhances the security policy creation and enforcement based on the applications rather than the traditional port and protocol analysis.
An application firewall enables administrators of tenant systems to create security policies for traffic, based on application identification defined by application signatures. The application firewall provides additional security protection against the dynamic-application traffic that might not be adequately controlled by the standard network firewall policies. The application firewall controls information transmission by allowing or blocking traffic originating from certain applications.
The application firewall (AppFW) functionality is deprecated—rather than immediately removed—to provide backward compatibility and an opportunity to bring your configuration into compliance with the new configuration. All the legacy AppFW features are supported on the tenant systems. The [edit security application-firewall] hierarchy and all the configuration options under this hierarchy are deprecated on SRX Series devices.
To configure an application firewall, you define a rule set that contains rules specifying the action to be taken on the identified dynamic applications. The rule set is configured independently and assigned to a security policy. Each ruleset contains at least two rules, a matched rule (consisting of match criteria and action) and a default rule.
Following are the available rules with application firewall:
A matched rule defines the action to be taken on matching traffic. When the traffic matches an application and other criteria specified in the rule, the traffic is allowed or blocked based on the action specified in the rule.
A default rule is applied when the traffic does not match any other rule in the rule set.
Configuring an application firewall on a tenant system is similar to configuring an application firewall on a device that is not configured with tenant systems. The application firewall applies only to the tenant system for which it is configured.
Starting in Junos OS Release 18.4R1, the tenant system administrator can configure the application firewall profile, trace options, and resources (appfw-rule-set and appfw-rule) in a tenant system.The appfw rules can be reordered using the insert tenants tenant-id security application-firewall rule-sets ruleset-name rule rule-name1 after rule rule-name2 command.
Example: Configuring Application Firewall Services for a Tenant System
This example shows how to configure application firewall ruleset, rules, and the profile. After configuring the application firewall rulesets and rules, the application firewall ruleset information is added to the security policy in the tenant system.
This example uses the following hardware and software components:
An SRX1500 device
Junos OS Release 18.4R1 or later
Evasive applications could remain undetected with a standard firewall that functions at Layer 3 or Layer 4 by transmitting other protocols over these well-known ports that are usually open by a firewall. AppFW enforces protocol and policy control at Layer 7. It inspects the actual content of the payload and ensures that it conforms to the policy, rather than identifying the application based on Layer 3 and Layer 4 information.
Additionally, with the growing popularity of Web applications and the shift from traditional full client-based applications to the Web, more and more traffic is being transmitted over HTTP. An application firewall identifies not only HTTP but also any application running on top of it, letting you properly enforce the policies.
The tenant administrator can configure an application firewall rule set and create different rules to permit, reject, or deny traffic based on the application ID on a tenant system. The application firewall traffic control rule is configured for junos:HTTP . The security policy match condition is applied for any dynamic application to permit the traffic.
Create application an firewall services on the tenant system called TSYS1 and the rule set called ruleset1. The rule set ruleset1 has a rule defined to permit traffic. A default rule is also created to specify the action that is specified opposite to the other rules in the rule set.
CLI Quick Configuration
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure application firewall for a tenant system:
- Define a security profile and assign a security profile
to a tenant system. [edit system security-profile SP1]user@host# set appfw-rule-set maximum 100user@host# set appfw-rule-set reserved 50user@host# set appfw-rule maximum 100user@host# set appfw-rule reserved 50user@host# set appfw-profile maximum 100user@host# set appfw-profile reserved 50user@host# set tenant TSYS1
- Configure the routing instances and add interfaces to
routing instances.[edit tenants TSYS1 routing-instances VR1]user@host# set instance-type virtual-routeruser@host# set interface ge-0/0/1.0user@host# set interface ge-0/0/2.0
- Configure the interfaces for the tenant.[edit tenants TSYS1]user@host# set interfaces ge-0/0/1 unit 0 family inet address 172.16.0.18/16user@host# set interfaces ge-0/0/2 unit 0 family inet address 172.17.0.19/16
- Define the profile to send the notification to the clients
when HTTP or HTTPS traffic is blocked by a reject or deny action from
an application firewall.[edit tenants TSYS1 security application-firewall profile]user@host# set appfw_profile1 block-message type custom-redirect-url content http://www.juniper.net
- Configure an application firewall rule set for the tenant
system and create a rule for this rule set and specify which dynamic
application and dynamic application groups that the rule should match. [edit tenants TSYS1 security application-firewall rule-sets ruleset1]user@host# set rule rule1 match dynamic-application junos:HTTPuser@host# set rule rule1 then permituser@host# set profile appfw_profile1
- Configure the default rule for this rule set and specify
the action when the identified dynamic application is not specified
in any rules of the rule set.[edit tenants TSYS1 security application-firewall rule-sets ruleset1]user@host# set default-rule permit
- Configure a policy p1 to process the traffic that pass
through the HTTP static ports with the application firewall rule set
ruleset1.[edit tenants TSYS1 security policies]user@host# set from-zone TN1-trust to-zone TN1-untrust policy p1 match source-address anyuser@host# set from-zone TN1-trust to-zone TN1-untrust policy p1 match destination-address anyuser@host# set from-zone TN1-trust to-zone TN1-untrust policy p1 match application anyuser@host# set from-zone TN1-trust to-zone TN1-untrust policy p1 match dynamic-application noneuser@host# set from-zone TN1-trust to-zone TN1-untrust policy p1 then permit application-services application-firewall rule-set ruleset1user@host# set default-policy deny-all
- Configure the security zones.[edit tenants TSYS1 security zones]user@host# set security-zone TN1-trust host-inbound-traffic system-services alluser@host# set security-zone TN1-trust host-inbound-traffic protocols alluser@host# set security-zone TN1-trust interfaces ge-0/0/1.0user@host# set security-zone TN1-untrust interfaces ge-0/0/2.0user@host# set security-zone TN1-untrust host-inbound-traffic system-services alluser@host# set security-zone TN1-untrust host-inbound-traffic protocols all
From configuration mode, confirm your policy configuration by entering the show tenants TSYS1 security application-firewall, show tenants, and show security policies command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
If you are done configuring the device, enter commit from configuration mode.
Confirm that the configuration is working properly.
Verifying Application Firewall
View the application firewall configuration on the tenant system.
From operational mode, enter the show security application-firewall rule-set ruleset1 tenant TSYS1 command.
user@host> show security application-firewall rule-set ruleset1 tenant TSYS1
Rule-set: ruleset1 Logical system: root-logical-system Tenant: TSYS1 Profile: appfw_profile1 Rule: rule1 Dynamic Applications: junos:HTTP Action:permit Number of sessions matched: 0 Number of sessions redirected: 0 Default rule:permit Number of sessions matched: 0 Number of sessions redirected: 0 Number of sessions with appid pending: 0
From operational mode, enter the show security flow session application-firewall extensive command.
user@host> show security flow session application-firewall extensive
Total sessions: 0
The output displays information about the current active sessions on the device.