
    Example: Configuring Security Features for the Master Logical System

    This example shows how to configure security features, such as zones, policies, and firewall authentication, for the master logical system.

    Requirements

    Before you begin:

    Overview

    In this example, you configure security features for the master logical system, called root-logical-system, shown in Example: Creating User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System. This example configures the security features described in Table 1.

    Table 1: root-logical-system Security Feature Configuration

    Feature                  Name                      Configuration Parameter
    -----------------------  ------------------------  ----------------------------------------------------------
    Zones                    ls-root-trust             Bind to interface ge-0/0/4.0.
                             ls-root-untrust           Bind to interface lt-0/0/0.1.
    Address books            root-internal             • Address masters: 12.12.1.0/24
                                                       • Attach to zone ls-root-trust
                             root-external             • Address design: 12.1.1.0/24
                                                       • Address accounting: 14.1.1.0/24
                                                       • Address marketing: 13.1.1.0/24
                                                       • Address set userlsys: design, accounting, marketing
                                                       • Attach to zone ls-root-untrust
    Security policies        permit-to-userlsys        Permit the following traffic:
                                                       • From zone: ls-root-trust
                                                       • To zone: ls-root-untrust
                                                       • Source address: masters
                                                       • Destination address: userlsys
                                                       • Application: any
                             permit-authorized-users   Permit the following traffic:
                                                       • From zone: ls-root-untrust
                                                       • To zone: ls-root-trust
                                                       • Source address: userlsys
                                                       • Destination address: masters
                                                       • Application: junos-http, junos-https
    Firewall authentication                            • Web authentication
                                                       • Authentication success banner "WEB AUTH LOGIN SUCCESS"
                                                       • Default access profile ldap1
    HTTP daemon                                        Activate on interface ge-0/0/4.0

    Configuration

    CLI Quick Configuration

    To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

    set security address-book root-internal address masters 12.12.1.0/24
    set security address-book root-internal attach zone ls-root-trust
    set security address-book root-external address design 12.1.1.0/24
    set security address-book root-external address accounting 14.1.1.0/24
    set security address-book root-external address marketing 13.1.1.0/24
    set security address-book root-external address-set userlsys address design
    set security address-book root-external address-set userlsys address accounting
    set security address-book root-external address-set userlsys address marketing
    set security address-book root-external attach zone ls-root-untrust
    set security policies from-zone ls-root-trust to-zone ls-root-untrust policy permit-to-userlsys match source-address masters
    set security policies from-zone ls-root-trust to-zone ls-root-untrust policy permit-to-userlsys match destination-address userlsys
    set security policies from-zone ls-root-trust to-zone ls-root-untrust policy permit-to-userlsys match application any
    set security policies from-zone ls-root-trust to-zone ls-root-untrust policy permit-to-userlsys then permit
    set security policies from-zone ls-root-untrust to-zone ls-root-trust policy permit-authorized-users match source-address userlsys
    set security policies from-zone ls-root-untrust to-zone ls-root-trust policy permit-authorized-users match destination-address masters
    set security policies from-zone ls-root-untrust to-zone ls-root-trust policy permit-authorized-users match application junos-http
    set security policies from-zone ls-root-untrust to-zone ls-root-trust policy permit-authorized-users match application junos-https
    set security policies from-zone ls-root-untrust to-zone ls-root-trust policy permit-authorized-users then permit firewall-authentication web-authentication
    set security zones security-zone ls-root-trust interfaces ge-0/0/4.0
    set security zones security-zone ls-root-untrust interfaces lt-0/0/0.1
    set system services web-management http interface ge-0/0/4.0
    set access firewall-authentication web-authentication default-profile ldap1
    set access firewall-authentication web-authentication banner success "WEB AUTH LOGIN SUCCESS"

    Step-by-Step Procedure

    The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide PDF Document.

    To configure zones and policies for the master logical system:

    1. Log in to the master logical system as the master administrator and enter configuration mode.
      admin@host> configure
      admin@host#
    2. Create security zones and assign interfaces to each zone.
      [edit security zones]
      admin@host# set security-zone ls-root-trust interfaces ge-0/0/4.0
      admin@host# set security-zone ls-root-untrust interfaces lt-0/0/0.1
    3. Create address book entries.
      [edit security]
      admin@host# set address-book root-internal address masters 12.12.1.0/24
      admin@host# set address-book root-external address design 12.1.1.0/24
      admin@host# set address-book root-external address accounting 14.1.1.0/24
      admin@host# set address-book root-external address marketing 13.1.1.0/24
      admin@host# set address-book root-external address-set userlsys address design
      admin@host# set address-book root-external address-set userlsys address accounting
      admin@host# set address-book root-external address-set userlsys address marketing
    4. Attach address books to zones.
      [edit security]
      admin@host# set address-book root-internal attach zone ls-root-trust
      admin@host# set address-book root-external attach zone ls-root-untrust
    5. Configure a security policy that permits traffic from the ls-root-trust zone to the ls-root-untrust zone.
      [edit security policies from-zone ls-root-trust to-zone ls-root-untrust]
      admin@host# set policy permit-to-userlsys match source-address masters
      admin@host# set policy permit-to-userlsys match destination-address userlsys
      admin@host# set policy permit-to-userlsys match application any
      admin@host# set policy permit-to-userlsys then permit
    6. Configure a security policy that authenticates traffic from the ls-root-untrust zone to the ls-root-trust zone.
      [edit security policies from-zone ls-root-untrust to-zone ls-root-trust]
      admin@host# set policy permit-authorized-users match source-address userlsys
      admin@host# set policy permit-authorized-users match destination-address masters
      admin@host# set policy permit-authorized-users match application junos-http
      admin@host# set policy permit-authorized-users match application junos-https
      admin@host# set policy permit-authorized-users then permit firewall-authentication web-authentication
    7. Configure the Web authentication access profile and define a success banner.
      [edit access]
      admin@host# set firewall-authentication web-authentication default-profile ldap1
      admin@host# set firewall-authentication web-authentication banner success "WEB AUTH LOGIN SUCCESS"
    8. Activate the HTTP daemon on the device.
      [edit system]
      admin@host# set services web-management http interface ge-0/0/4.0
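    The policy design in Table 1 and steps 2 through 6 above comes down to a zone-pair lookup: a flow is assigned a from-zone and a to-zone by its ingress and egress interfaces, the policies configured for that zone pair are tried in order, the first match decides, and a flow that matches nothing is dropped. The following Python model is an added illustration, not Junos OS code and not part of the original example; it reproduces that lookup for the zones, address books and policies of this example so you can check before committing which flows end up permitted outright, which are gated by web authentication, and which fall through to the implicit deny. The sample flows, the interface-to-zone lookup and the reduction of junos-http and junos-https to TCP ports 80 and 443 are constructed assumptions for the model.

```python
"""Model of the zone-pair policy lookup configured in this example.

Added illustration, not Junos OS code: it mirrors how a flow is matched
against the policies of one from-zone/to-zone pair, in configuration order,
first match wins, with an implicit deny when nothing matches. The zones,
address books and policies are the ones from Table 1; the sample flows and
the simplified junos-http / junos-https definitions (TCP/80, TCP/443) are
constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Interface-to-zone bindings from step 2.
ZONE_OF_INTERFACE = {"ge-0/0/4.0": "ls-root-trust", "lt-0/0/0.1": "ls-root-untrust"}

# Address books from steps 3 and 4, keyed by the zone each one is attached to.
ADDRESS_BOOKS = {
    "ls-root-trust": {                      # root-internal
        "addresses": {"masters": "12.12.1.0/24"},
        "address_sets": {},
    },
    "ls-root-untrust": {                    # root-external
        "addresses": {"design": "12.1.1.0/24",
                      "accounting": "14.1.1.0/24",
                      "marketing": "13.1.1.0/24"},
        "address_sets": {"userlsys": ["design", "accounting", "marketing"]},
    },
}

# Assumption: predefined applications reduced to (protocol, destination port).
APPLICATIONS = {"junos-http": {("tcp", 80)}, "junos-https": {("tcp", 443)}}


@dataclass
class Policy:
    name: str
    from_zone: str
    to_zone: str
    source: str
    destination: str
    applications: List[str]             # ["any"] or names from APPLICATIONS
    firewall_auth: Optional[str] = None  # e.g. "web-authentication"


# Policies from steps 5 and 6, in configuration order (order is significant).
POLICIES = [
    Policy("permit-to-userlsys", "ls-root-trust", "ls-root-untrust",
           "masters", "userlsys", ["any"]),
    Policy("permit-authorized-users", "ls-root-untrust", "ls-root-trust",
           "userlsys", "masters", ["junos-http", "junos-https"],
           firewall_auth="web-authentication"),
]


def resolve_address(zone: str, name: str) -> List[ipaddress.IPv4Network]:
    """Expand an address or address-set name using the book attached to zone."""
    book = ADDRESS_BOOKS[zone]
    if name in book["addresses"]:
        return [ipaddress.ip_network(book["addresses"][name])]
    if name in book["address_sets"]:
        nets: List[ipaddress.IPv4Network] = []
        for member in book["address_sets"][name]:
            nets.extend(resolve_address(zone, member))
        return nets
    # A policy that references an undefined name would fail at commit time.
    raise KeyError(f"{name!r} is not defined in the address book for {zone}")


def address_matches(zone: str, name: str, ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in resolve_address(zone, name))


def application_matches(apps: List[str], proto: str, port: int) -> bool:
    return "any" in apps or any((proto, port) in APPLICATIONS[a] for a in apps)


def evaluate(in_if: str, out_if: str, src: str, dst: str,
             proto: str, port: int) -> Tuple[str, str, Optional[str]]:
    """Return (matching policy name, action, firewall-authentication method)."""
    from_zone, to_zone = ZONE_OF_INTERFACE[in_if], ZONE_OF_INTERFACE[out_if]
    for p in POLICIES:
        if (p.from_zone, p.to_zone) != (from_zone, to_zone):
            continue                      # policy belongs to another zone pair
        # Source names resolve in the from-zone book, destinations in the to-zone book.
        if (address_matches(from_zone, p.source, src)
                and address_matches(to_zone, p.destination, dst)
                and application_matches(p.applications, proto, port)):
            return p.name, "permit", p.firewall_auth
    return "default-deny", "deny", None   # nothing matched: implicit deny


if __name__ == "__main__":
    # Constructed sample flows: (ingress interface, egress interface, src, dst, proto, port).
    flows = [
        ("ge-0/0/4.0", "lt-0/0/0.1", "12.12.1.5", "12.1.1.7", "tcp", 22),
        ("lt-0/0/0.1", "ge-0/0/4.0", "12.1.1.7", "12.12.1.5", "tcp", 443),
        ("lt-0/0/0.1", "ge-0/0/4.0", "12.1.1.7", "12.12.1.5", "tcp", 22),
        ("lt-0/0/0.1", "ge-0/0/4.0", "10.0.0.1", "12.12.1.5", "tcp", 80),
    ]
    for f in flows:
        print(f, "->", evaluate(*f))
```

    Two points the model makes visible: a user-logical-system host reaching a master host on anything other than HTTP or HTTPS (the third sample flow) matches no policy and is dropped by the implicit deny rather than being redirected to web authentication, and a source outside the userlsys address set (the fourth flow) is dropped even on port 80. The model stops at "this flow hits permit-authorized-users with web-authentication"; it does not reproduce the authentication redirect, the ldap1 access profile lookup or the success banner that the device applies after the match.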

    Results

    From configuration mode, confirm your configuration by entering the show security, show access, and show system services commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    For brevity, this show command output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).

    [edit]
    admin@host# show security
    ...
    address-book {
        root-internal {
            address masters 12.12.1.0/24;
            attach {
                zone ls-root-trust;
            }
        }
        root-external {
            address design 12.1.1.0/24;
            address accounting 14.1.1.0/24;
            address marketing 13.1.1.0/24;
            address-set userlsys {
                address design;
                address accounting;
                address marketing;
            }
            attach {
                zone ls-root-untrust;
            }
        }
    }
    policies {
        from-zone ls-root-trust to-zone ls-root-untrust {
            policy permit-to-userlsys {
                match {
                    source-address masters;
                    destination-address userlsys;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone ls-root-untrust to-zone ls-root-trust {
            policy permit-authorized-users {
                match {
                    source-address userlsys;
                    destination-address masters;
                    application [ junos-http junos-https ];
                }
                then {
                    permit {
                        firewall-authentication {
                            web-authentication;
                        }
                    }
                }
            }
        }
    }
    zones {
        security-zone ls-root-trust {
            interfaces {
                ge-0/0/4.0;
            }
        }
        security-zone ls-root-untrust {
            interfaces {
                lt-0/0/0.1;
            }
        }
    }
    [edit]
    admin@host# show access
    ...
    firewall-authentication {
        web-authentication {
            default-profile ldap1;
            banner {
                success "WEB AUTH LOGIN SUCCESS";
            }
        }
    }
    [edit]
    admin@host# show system services
    web-management {
        http {
            interface ge-0/0/4.0;
        }
    }

    If you are done configuring the device, enter commit from configuration mode.

    Verification

    To confirm that the configuration is working properly, perform these tasks:

    Verifying Policy Configuration

    Purpose

    Verify information about policies and rules.

    Action

    From operational mode, enter the show security policies detail command to display a summary of all policies configured on the logical system.

    Published: 2012-06-29