
Integrated User Firewall for Tenant Systems


Integrated User Firewall for Tenant System Overview

Tenant systems support user firewall authentication in shared mode and in active mode.

Starting in Junos OS Release 19.1R1, user firewall authentication is supported on tenant systems using a shared model. In this model, the master logical system shares its user firewall configuration and authentication entries with the tenant systems. The shared authentication data is collected from local authentication, Active Directory (AD) authentication, firewall authentication, Juniper Identity Management Service (JIMS), and ClearPass authentication.

In the shared model, user-firewall-related configuration, such as the authentication source, authentication source priority, authentication entry timeout, and IP query or individual query settings, is configured under the master logical system. The user firewall provides user information as a service to applications on the SRX Series device, such as security policy and logging. Traffic from a tenant system queries the authentication tables of the master logical system.

The authentication tables are managed by the master logical system and shared with the tenant systems: traffic from the master logical system and from the tenant systems queries the same authentication table. Tenant systems can use source-identity in security policies.

For example, if the master logical system is configured with the source-identity employee and the tenant system is configured with the source-identity manager, then the reference group of the authentication entry includes both employee and manager. The reference group contains the same authentication entries for the master logical system and the tenant system.

Starting in Junos OS Release 19.3R1, user firewall authentication is enhanced with a customized model that uses integrated JIMS in active mode. In this model, the tenant system extracts its authentication entries from the root level. The master logical system is configured with the JIMS server based on the logical system and tenant system name. In active mode, the SRX Series device actively queries the JIMS server for authentication entries over HTTPS. To reduce the amount of data exchanged, firewall filters are applied.

The user firewall uses the tenant system name as a differentiator; this name must be consistent between the JIMS server and the SRX Series device. The JIMS server sends the differentiator as part of each authentication entry. When the differentiator is set to default for the master logical system, the authentication entries are distributed into the root logical system.

The user firewall supports in-service software upgrade (ISSU) for tenant systems from Junos OS Release 19.2R1 onwards, because the user firewall changed its internal database table format in that release. Prior to Junos OS Release 19.2R1, ISSU is not supported for tenant systems.

Limitation of Using User Firewall Authentication in Tenant Systems

Using user firewall authentication on tenant systems has the following limitation:

  • The IP addresses under different tenant systems must not overlap. If the addresses overlap, the authentication entry is changed whenever different users log in under different tenant systems.

Limitation of Using User Firewall Authentication in Customized Model on Tenant Systems

Using user firewall authentication in the customized model on tenant systems has the following limitations:

  • The JIMS server must be configured under the root logical system.

  • The tenant system name must be consistent and unique between the JIMS server and the SRX Series device.
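As an added illustration (not Juniper code), the following Python models the two behaviours described above: the shared-model collision that occurs when address ranges of different tenant systems overlap, and the customized model's use of the tenant-name differentiator to keep entries apart and to place default entries in the root logical system. The class names, the prefix plan and the IP addresses are constructed for this example.

```python
import ipaddress
from itertools import combinations

DEFAULT_DIFFERENTIATOR = "default"  # JIMS differentiator mapped to the root logical system
ROOT = "root"

def overlapping_tenant_prefixes(tenant_prefixes):
    """Pre-commit check for the shared-model limitation: return every pair of
    prefixes that belong to *different* tenant systems and overlap."""
    flat = [(tenant, ipaddress.ip_network(p, strict=False))
            for tenant, prefixes in tenant_prefixes.items() for p in prefixes]
    return [(ta, str(na), tb, str(nb))
            for (ta, na), (tb, nb) in combinations(flat, 2)
            if ta != tb and na.version == nb.version and na.overlaps(nb)]

class SharedAuthTable:
    """Shared model: one IP-keyed table owned by the master logical system
    and queried by the master and every tenant system."""
    def __init__(self):
        self.entries = {}  # ip -> (tenant that logged the user in, user name)

    def login(self, tenant, ip, user):
        """Record a login; return True if this overwrote another tenant's entry
        (the 'authentication entry is changed' effect of overlapping addresses)."""
        previous = self.entries.get(ip)
        self.entries[ip] = (tenant, user)
        return previous is not None and previous[0] != tenant

    def lookup(self, ip):
        return self.entries.get(ip)

class ActiveAuthTable:
    """Customized model: entries arrive from JIMS carrying the tenant-name
    differentiator, so the same IP in two tenants never collides."""
    def __init__(self):
        self.tables = {}  # tenant name (or ROOT) -> {ip: user}

    def receive_from_jims(self, differentiator, ip, user):
        """Place an entry in the table selected by its differentiator and return
        that table's name; 'default' goes to the root logical system."""
        target = ROOT if differentiator == DEFAULT_DIFFERENTIATOR else differentiator
        self.tables.setdefault(target, {})[ip] = user
        return target

    def lookup(self, tenant, ip):
        return self.tables.get(tenant, {}).get(ip)
```

Run overlapping_tenant_prefixes over the planned per-tenant address ranges before committing a shared-model deployment; any returned pair is a range that must be renumbered.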

Example: Configure Integrated User Firewall in Customized Model for Tenant System

This example shows how to configure the integrated user firewall using the customized model through the Juniper Identity Management Service (JIMS) server in active mode for a tenant system. The master logical system does not share its authentication entries with the tenant systems. In active mode, the SRX Series device queries the JIMS server for authentication entries over HTTPS.

In this example, the following configurations are performed:

  • Active JIMS Server Configuration

  • Tenant System IP Query Configuration

  • Tenant System Authentication Entry Configuration

  • Tenant System Security Policy Configuration

Requirements

This example uses the following hardware and software components:

  • JIMS server version 2.0

  • Junos OS Release 19.3R1

Before you begin, be sure you have the following information:

  • The IP address of the JIMS server.

  • The port number on which the JIMS server receives HTTPS requests.

  • The client ID from the JIMS server for the active query server.

  • The client secret from the JIMS server for the active query server.

Overview

In this example, you configure JIMS on the master logical system with an HTTPS connection on port 443 and a primary server with an IPv4 address, and you configure policy p2 with source-identity "group1" on tenant system TSYS1.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Configuring Integrated User Firewall in Customized Model:

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure Integrated User Firewall in Customized Model:

  1. Configure JIMS as the authentication source for advanced query requests with the primary address. The SRX Series device requires this information to contact the server.
  2. Configure the IP query delay time for TSYS1.
  3. Configure the authentication entry attributes for TSYS1.
  4. Configure the security policy p2 that permits traffic from-zone untrust to-zone trust for TSYS1.

Results

From configuration mode, confirm your configuration by entering the show services user-identification logical-domain-identity-management and show tenants TSYS1 commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform the following tasks:

Verifying the User Identification Identity Management status

Purpose

Verify the user identification status for identity-management as the authentication source.

Action

To verify the configuration is working properly, enter the show services user-identification logical-domain-identity-management status command.

user@host> show services user-identification logical-domain-identity-management status

Meaning

The output displays statistical data about the advanced user query function's batch queries and IP queries, and the status of the Juniper Identity Management Service servers.

Verifying the User Identification Identity Management status counters

Purpose

Verify the user identification counters for identity-management as the authentication source.

Action

To verify the configuration is working properly, enter the show services user-identification logical-domain-identity-management counters command.

user@host> show services user-identification logical-domain-identity-management counters

Meaning

The output displays statistical data about the advanced user query function's batch queries and IP queries, and the counters for the Juniper Identity Management Service servers.

Verifying the User Identification Authentication Table

Purpose

Verify the user identity information authentication table entries for the specified authentication source.

Action

To verify the configuration is working properly, enter the show services user-identification authentication-table authentication-source all tenant TSYS1 command.

user@host> show services user-identification authentication-table authentication-source all tenant TSYS1

Meaning

The output displays the entire content of the specified authentication source's authentication table, or a specific domain, group, or user selected by user name, or the identity information for a user selected by the IP address of the user's device.

Release History Table

Release: 19.1R1
Description: Starting in Junos OS Release 19.1R1, user firewall authentication is supported on tenant systems using a shared model. In this model, the master logical system shares the user firewall configuration and authentication entries with the tenant system. The master logical system shares the authentication data with the tenant system, which is collected from local authentication, Active Directory (AD) authentication, firewall authentication, Juniper Identity Management Service (JIMS), and ClearPass authentication.