    Understanding Logical System Firewall Authentication

    A firewall user is a network user who must provide a username and password for authentication when initiating a connection across the firewall. Junos OS enables administrators to restrict and permit firewall users to access protected resources (different zones) behind a firewall based on their source IP address and other credentials.

    Access profiles store usernames and passwords of users or point to external authentication servers where such information is stored. The master administrator is responsible for configuring access profiles in the master logical system. Access profiles configured in the master logical system are available to all user logical systems.

    To configure an access profile, the master administrator uses the profile configuration statement at the [edit access] hierarchy level in the master logical system. The access profile can also include the order of authentication methods, LDAP or RADIUS server options, and session options.

    The user logical system administrator can then associate the access profile with a security policy in the user logical system. The user logical system administrator also specifies the type of authentication:

    • With pass-through authentication, a host or a user from one zone tries to access resources on another zone using an FTP, a Telnet, or an HTTP client. The device uses FTP, Telnet, or HTTP to collect username and password information, and subsequent traffic from the user or host is allowed or denied based on the result of this authentication.
    • With Web authentication, users use HTTP to connect to an IP address on the device that is enabled for Web authentication and are prompted for the username and password. Subsequent traffic from the user or host to the protected resource is allowed or denied based on the result of this authentication.

    The user logical system administrator configures the following properties for firewall authentication in the user logical system:

    • Security policy that specifies firewall authentication for matching traffic. Firewall authentication is specified with the firewall-authentication configuration statement at the [edit security policies from-zone zone-name to-zone zone-name policy policy-name then permit] hierarchy level.

      Users or user groups in an access profile who are allowed access by the policy can optionally be specified with the client-match configuration statement. (If no users or user groups are specified, any user who is successfully authenticated is allowed access.)

      For pass-through authentication, the access profile can optionally be specified and Web redirect (redirecting the client system to a webpage for authentication) can be enabled.

    • Type of authentication (pass-through or Web authentication), default access profile, and success banner for the FTP, Telnet, or HTTP session. These properties are configured with the firewall-authentication configuration statement at the [edit access] hierarchy level.
    • Host inbound traffic. The protocols, services, or both that are allowed to reach the logical system itself (for example, the FTP, Telnet, or HTTP session the device uses to collect credentials). The types of traffic are configured with the host-inbound-traffic configuration statement at either the [edit security zones security-zone zone-name] or the [edit security zones security-zone zone-name interfaces interface-name] hierarchy level.

    The master administrator configures the maximum and reserved numbers of firewall authentications for each user logical system. The user logical system administrator can then create firewall authentications in the user logical system. From a user logical system, the user logical system administrator can use the show system security-profile auth-entry command to view the number of authentication resources allocated to the user logical system.

    From a user logical system, the user logical system administrator can use either the show security firewall-authentication users or the show security firewall-authentication history command to view the information about firewall users and the history for the user logical system. From the master logical system, the master administrator can use the same commands to view information for the master logical system, a specific user logical system, or all logical systems.
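    The following set-style configuration is an added example, not part of the original documentation, showing the division of labour described above: the master administrator allocates authentication entries and defines the shared access profile, and the user logical system administrator binds it to a policy. Logical system, profile, zone, policy and user names, passwords, and counts are constructed placeholders; the system security-profile auth-entry statement and the session-options keyword are assumed from general Junos usage rather than taken from this page.

```junos
## --- Master logical system (entered by the master administrator) ---
## Allocate firewall-authentication entries to user logical system LS-A.
## Statement assumed from general Junos usage; counts are constructed.
set system security-profile LS-A-PROFILE auth-entry maximum 200 reserved 50
set system security-profile LS-A-PROFILE logical-system LS-A

## Access profile at [edit access]; visible to every user logical system.
## Local firewall users are shown; a RADIUS or LDAP server could be
## referenced instead via authentication-order and radius-server/ldap-server.
set access profile FWAUTH-PROFILE authentication-order password
set access profile FWAUTH-PROFILE client alice firewall-user password "<constructed-secret>"
set access profile FWAUTH-PROFILE client bob firewall-user password "<constructed-secret>"
## Session option (keyword assumed): idle users are logged out after 10 minutes.
set access profile FWAUTH-PROFILE session-options client-idle-timeout 10

## --- User logical system LS-A (entered by its own administrator) ---
## Authentication type, default profile and success banner at [edit access].
set access firewall-authentication pass-through default-profile FWAUTH-PROFILE
set access firewall-authentication pass-through telnet banner success "Authenticated. Access to the servers zone is permitted."

## Host inbound traffic: the ingress zone must accept the Telnet session the
## device itself uses to prompt for credentials, or pass-through cannot work.
set security zones security-zone clients host-inbound-traffic system-services telnet

## Policy: Telnet from clients to servers is permitted only after pass-through
## authentication, and only for the user alice (client-match). Omitting
## client-match would admit any successfully authenticated user.
set security policies from-zone clients to-zone servers policy AUTH-TELNET match source-address any
set security policies from-zone clients to-zone servers policy AUTH-TELNET match destination-address any
set security policies from-zone clients to-zone servers policy AUTH-TELNET match application junos-telnet
set security policies from-zone clients to-zone servers policy AUTH-TELNET then permit firewall-authentication pass-through access-profile FWAUTH-PROFILE client-match alice

## Verification from the user logical system (operational mode):
##   show system security-profile auth-entry
##   show security firewall-authentication users
##   show security firewall-authentication history
```

    Because the reserved count guarantees LS-A its own pool of authentication entries, exhaustion of the shared pool by another logical system cannot deny its users the ability to authenticate.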

    Published: 2012-06-29