TechLibrary

Table of Contents

Guide That Contains This Content

[+] Expand All

[-] Collapse All

Example: Configuring Security Features for the Master Logical System

This example shows how to configure security features, such as zones, policies, and firewall authentication, for the master logical system.

Requirements

Before you begin:

Log in to the master logical system as the master administrator. See Example: Configuring a Root Password for the Device.
Use the show system security-profile command to see the resources allocated to the master logical system. See the Junos OS CLI Reference .
Configure logical interfaces for the master logical system. See Example: Configuring Interfaces, Routing Instances, and Static Routes for the Master and Interconnect Logical Systems and Logical Tunnel Interfaces for User Logical Systems .
Configure the access profile ldap1 in the master logical system. The ldap1 access profile is used for Web authentication of firewall users. See Example: Configuring Access Profiles.

Overview

In this example, you configure security features for the master logical system, called root-logical-system, shown in Example: Creating User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System. This example configures the security features described in Table 1.

Table 1: root-logical-system Security Feature Configuration

Feature	Name	Configuration Parameter
Zones	ls-root-trust	Bind to interface ge-0/0/4.0.
	ls-root-untrust	Bind to interface lt-0/0/0.1
Address books	root-internal	Address masters: 12.12.1.0/24 Attach to zone ls-root-trust
	root-external	Address design: 12.1.1.0/24 Address accounting: 14.1.1.0/24 Address marketing: 13.1.1.0/24 Address set userlsys: design, accounting, marketing Attach to zone ls-root-untrust
Security policies	permit-to-userlsys	Permit the following traffic: From zone: ls-root-trust To zone: ls-root-untrust Source address: masters Destination address: userlsys Application: any
	permit-authorized-users	Permit the following traffic: From zone: ls-root-untrust To zone: ls-root-trust Source address: userlsys Destination address: masters Application: junos-http, junos-https
Firewall authentication		Web authentication Authentication success banner “WEB AUTH LOGIN SUCCESS” Default access profile ldap1
HTTP daemon		Activate on interface ge-0/0/4.0

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

set security address-book root-internal address masters 12.12.1.0/24 set security address-book root-internal attach zone ls-root-trust set security address-book root-external address design 12.1.1.0/24 set security address-book root-external address accounting 14.1.1.0/24 set security address-book root-external address marketing 13.1.1.0/24 set security address-book root-external address-set userlsys address design set security address-book root-external address-set userlsys address accounting set security address-book root-external address-set userlsys address marketing set security address-book root-external attach zone ls-root-untrust set security policies from-zone ls-root-trust to-zone ls-root-untrust policy permit-to-userlsys match source-address masters set security policies from-zone ls-root-trust to-zone ls-root-untrust policy permit-to-userlsys match destination-address userlsys set security policies from-zone ls-root-trust to-zone ls-root-untrust policy permit-to-userlsys match application any set security policies from-zone ls-root-trust to-zone ls-root-untrust policy permit-to-userlsys then permit set security policies from-zone ls-root-untrust to-zone ls-root-trust policy permit-authorized-users match source-address userlsys set security policies from-zone ls-root-untrust to-zone ls-root-trust policy permit-authorized-users match destination-address masters set security policies from-zone ls-root-untrust to-zone ls-root-trust policy permit-authorized-users match application junos-http set security policies from-zone ls-root-untrust to-zone ls-root-trust policy permit-authorized-users match application junos-https set security policies from-zone ls-root-untrust to-zone ls-root-trust policy permit-authorized-users then permit firewall-authentication web-authenticationset security zones security-zone ls-root-trust interfaces ge-0/0/4.0 set security zones security-zone ls-root-untrust interfaces lt-0/0/0.1set system services web-management http interface ge-0/0/4.0set access firewall-authentication web-authentication default-profile ldap1 set access firewall-authentication web-authentication banner success "WEB AUTH LOGIN SUCCESS"

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide .

To configure zones and policies for the master logical system:

Log in to the master logical system as the master administrator and enter configuration mode.
admin@host> configureadmin@host#
Create security zones and assign interfaces to each zone.
[edit security zones]admin@host# set security-zone ls-root-trust interfaces ge-0/0/4.0admin@host# set security-zone ls-root-untrust interfaces lt-0/0/0.1
Create address book entries.
[edit security]admin@host# set address-book root-internal address masters 12.12.1.0/24admin@host# set address-book root-external address design 12.1.1.0/24admin@host# set address-book root-external address accounting 14.1.1.0/24admin@host# set address-book root-external address marketing 13.1.1.0/24admin@host# set address-book root-external address-set userlsys address designadmin@host# set address-book root-external address-set userlsys address accountingadmin@host# set address-book root-external address-set userlsys address marketing
Attach address books to zones.
[edit security]admin@host# set address-book root-internal attach zone ls-root-trustadmin@host# set address-book root-external attach zone ls-root-untrust
Configure a security policy that permits traffic from the ls-root-trust zone to the ls-root-untrust zone.
[edit security policies from-zone ls-root-trust to-zone ls-root-untrust]admin@host# set policy permit-to-userlsys match source-address mastersadmin@host# set policy permit-to-userlsys match destination-address userlsysadmin@host# set policy permit-to-userlsys match application anyadmin@host# set policy permit-to-userlsys then permit
Configure a security policy that authenticates traffic from the ls-root-untrust zone to the ls-root-trust zone.
[edit security policies from-zone ls-root-untrust to-zone ls-root-trust]admin@host# set policy permit-authorized-users match source-address userlsysadmin@host# set policy permit-authorized-users match destination-address mastersadmin@host# set policy permit-authorized-users match application junos-httpadmin@host# set policy permit-authorized-users match application junos-httpsadmin@host# set policy permit-authorized-users then permit firewall-authentication web-authentication
Configure the Web authentication access profile and define a success banner.
[edit access]admin@host# set firewall-authentication web-authentication default-profile ldap1admin@host# set firewall-authentication web-authentication banner success “WEB AUTH LOGIN SUCCESS”
Activate the HTTP daemon on the device.
[edit system]admin@host# set services web-management http interface ge-0/0/4.0

Results

From configuration mode, confirm your configuration by entering the show security, show access, and show system services commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

For brevity, this show command output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).

[edit]admin@host# show security...address-book {root-internal {address masters 12.12.1.0/24;attach {zone ls-root-trust;}}root-external {address design 12.1.1.0/24;address accounting 14.1.1.0/24;address marketing 13.1.1.0/24;address-set userlsys {address design;address accounting;address marketing;}attach {zone ls-root-untrust;}}}policies {from-zone ls-root-trust to-zone ls-root-untrust {policy permit-to-userlsys {match {source-address masters;destination-address userlsys;application any;}then {permit;}}}from-zone ls-root-untrust to-zone ls-root-trust {policy permit-authorized-users {match {source-address userlsys;destination-address masters;application [ junos-http junos-https ];}then {permit {firewall-authentication {web-authentication;}}}}}}zones {security-zone ls-root-trust {interfaces {ge-0/0/4.0;}}security-zone ls-root-untrust {interfaces {lt-0/0/0.1;}}}[edit]admin@host# show access...firewall-authentication {web-authentication {default-profile ldap1;banner {success "WEB AUTH LOGIN SUCCESS";}}}[edit]admin@host# show system servicesweb-management {http {interface ge-0/0/4.0;}}

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying Policy Configuration

Verifying Policy Configuration

Purpose

Verify information about policies and rules.

Action

From operational mode, enter the show security policies detail command to display a summary of all policies configured on the logical system.