Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Security Policies for Logical Systems

 

Security policies are used to secure business and control access to LAN resources. Secure access is required both within the company across the LAN and in its interactions with external networks such as the Internet. Junos OS provides powerful network security features through its stateful firewall, application firewall, and user identity firewall. All three types of firewall enforcement are implemented through security policies. For more information, see the following topics:

Understanding Logical Systems Security Policies

Security Policies in Logical Systems

Security policies enforce rules for what traffic can pass through the firewall and actions that need to take place on the traffic as it passes through the firewall. From the perspective of security policies, traffic enters one security zone and exits another security zone.

By default, a logical system denies all traffic in all directions, including intra-zone and inter-zone directions. Through the creation of security policies, the logical system administrator can control the traffic flow from zone to zone by defining the kinds of traffic permitted to pass from specified sources to specified destinations.

Security policies can be configured in the master logical system and in user logical systems. Configuring a security policy in a logical system is the same as configuring a security policy on a device that is not configured for logical systems. Any security policies, policy rules, address books, applications and application sets, and schedulers created within a logical system are only applicable to that logical system. Only predefined applications and application sets, such as junos-ftp, can be shared between logical systems.

Note

In a logical system, you cannot specify global as either the from-zone or the to-zone in a security policy.

The user logical system administrator can configure and view all attributes for security policies in a user logical system. All attributes of a security policy in a user logical system are also visible to the master administrator.

Starting in Junos OS Release 18.4R1, the user can create dynamic address within a logical system. A dynamic address entry contains IP addresses and prefixes extracted from external sources. The security policies use the dynamic address in the source-address field or destination-address field.

A dynamic address entry (DAE) is a group of IP addresses that can be entered manually or imported from external sources within logical systems. The DAE feature allows feed-based IP objects to be used in security policies to either deny or allow traffic based on either source or destination IP criteria.

Note

The maximum number of DAE depends on the dynamic-addresses assigned to the logical systems. Starting in Junos 18.4R1, the set security dynamic-address feed-server command can be configured under the logical systems.

Application Timeouts

The application timeout value set for an application determines the session timeout. Application timeout behavior is the same in a logical system as at the root level. However, user logical system administrators can use predefined applications in security policies but cannot modify the timeout value of predefined applications. This is because the predefined applications are shared by the master logical system and all user logical systems, so the user logical system administrator is not allowed to change its behavior. Application timeout values are stored in the application entry database and in the corresponding logical system TCP and UDP port-based timeout tables.

If the application that is matched for the traffic has a timeout value, that timeout value is used. Otherwise, the lookup proceeds in the following order until an application timeout value is found:

  1. The logical system TCP and UDP port-based timeout table is searched for a timeout value.
  2. The root TCP and UDP port-based timeout table is searched for a timeout value.
  3. The protocol-based default timeout table is searched for a timeout value.

Security Policy Allocation

The master administrator configures the maximum and reserved numbers of security policies for each user logical system. The user logical system administrator can then create security policies in the user logical system. From a user logical system, the user logical system administrator can use the show system security-profile policy command to view the number of security policies allocated to the user logical system.

Note

The master administrator can configure a security profile for the master logical system that specifies the maximum and reserved numbers of security policies applied to the master logical system. The number of policies configured in the master logical system count toward the maximum number of policies available on the device.

Example: Configuring Security Policies in a User Logical Systems

This example shows how to configure security policies for a user logical system.

Requirements

Before you begin:

Overview

This example configures the ls-product-design user logical system shown in Example: Creating User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System.

This example configures the security policies described in Table 1.

Table 1: User Logical System Security Policies Configuration

Name

Configuration Parameters

permit-all-to-otherlsys

Permit the following traffic:

  • From zone: ls-product-design-trust

  • To zone: ls-product-design-untrust

  • Source address: product-designers

  • Destination address: otherlsys

  • Application: any

permit-all-from-otherlsys

Permit the following traffic:

  • From zone: ls-product-design-untrust

  • To zone: ls-product-design-trust

  • Source address: otherlsys

  • Destination address: product-designers

  • Application: any

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure security policies in a user logical system:

  1. Log in to the user logical system as the logical system administrator and enter configuration mode.
  2. Configure a security policy that permits traffic from the ls-product-design-trust zone to the ls-product-design-untrust zone.
  3. Configure a security policy that permits traffic from the ls-product-design-untrust zone to the ls-product-design-trust zone.

Results

From configuration mode, confirm your configuration by entering the show security policies command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying Policy Configuration

Purpose

Verify information about policies and rules.

Action

From operational mode, enter the show security policies detail command to display a summary of all policies configured on the logical system.

Configuring Dynamic Address for Logical Systems

A dynamic address entry in logical systems provides dynamic IP address information to security policies. To use dynamic address, you must specify basic information of dynamic address including their names, feeds and properties for a logical system.

To configure dynamic address in IPv4 networks within a logical system:

  1. Define the logical system name as LSYS1.
  2. Create dynamic address within a logical system.
  3. Confirm your configuration by entering the show logical-systems LSYS1 security dynamic-address command.
  • To configure the security policies in the logical system:

    1. Define the logical system name as LSYS1.
    2. Create a security policy as p1 that permits traffic from zone trust to zone untrust and configure the match condition.
    3. Confirm your configuration by entering the show logical-systems LSYS1 security policies command.