
    Example: Configuring Logical Systems Security Profiles

    This example shows how a master administrator configures three security profiles, plus a null profile for the interconnect logical system, and assigns them to the user logical systems and the master logical system to provision them with security resources. Each profile sets, per resource, a reserved quota that is guaranteed to every logical system bound to the profile and a maximum quota that the logical system cannot exceed; between the two, a logical system draws on the pool shared by all logical systems.

    Requirements

    The example uses an SRX5600 device running Junos OS with logical systems.

    Before you begin, read SRX Series Logical System Master Administrator Configuration Tasks Overview to understand how this task fits into the overall configuration process.

    Overview

    This example shows how to configure security profiles for the following logical systems:

    • The root-logical-system logical system. The security profile master-profile is assigned to the master, or root, logical system.
    • The ls-product-design logical system. The security profile ls-design-profile is assigned to the logical system.
    • The ls-marketing-dept logical system. The security profile ls-accnt-mrkt-profile is assigned to the logical system.
    • The ls-accounting-dept logical system. The security profile ls-accnt-mrkt-profile is assigned to the logical system.
    • The interconnect-logical-system, if you use one. You must assign a dummy, or null, security profile to it.

    This configuration relies on the deployment shown in Example: Creating User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System.

    Configuration

    Configuring Logical System Security Profiles

    CLI Quick Configuration

    To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

    set system security-profile master-profile policy maximum 65
    set system security-profile master-profile policy reserved 60
    set system security-profile master-profile zone maximum 22
    set system security-profile master-profile zone reserved 17
    set system security-profile master-profile flow-session maximum 3000
    set system security-profile master-profile flow-session reserved 2100
    set system security-profile master-profile nat-nopat-address maximum 115
    set system security-profile master-profile nat-nopat-address reserved 100
    set system security-profile master-profile nat-static-rule maximum 125
    set system security-profile master-profile nat-static-rule reserved 100
    set system security-profile master-profile idp
    set system security-profile master-profile root-logical-system
    set system security-profile ls-accnt-mrkt-profile policy maximum 65
    set system security-profile ls-accnt-mrkt-profile policy reserved 60
    set system security-profile ls-accnt-mrkt-profile zone maximum 22
    set system security-profile ls-accnt-mrkt-profile zone reserved 17
    set system security-profile ls-accnt-mrkt-profile flow-session maximum 2500
    set system security-profile ls-accnt-mrkt-profile flow-session reserved 2000
    set system security-profile ls-accnt-mrkt-profile nat-nopat-address maximum 125
    set system security-profile ls-accnt-mrkt-profile nat-nopat-address reserved 100
    set system security-profile ls-accnt-mrkt-profile nat-static-rule maximum 125
    set system security-profile ls-accnt-mrkt-profile nat-static-rule reserved 100
    set system security-profile ls-accnt-mrkt-profile logical-system ls-marketing-dept
    set system security-profile ls-accnt-mrkt-profile logical-system ls-accounting-dept
    set system security-profile ls-design-profile policy maximum 50
    set system security-profile ls-design-profile policy reserved 40
    set system security-profile ls-design-profile zone maximum 10
    set system security-profile ls-design-profile zone reserved 5
    set system security-profile ls-design-profile flow-session maximum 2500
    set system security-profile ls-design-profile flow-session reserved 2000
    set system security-profile ls-design-profile nat-nopat-address maximum 120
    set system security-profile ls-design-profile nat-nopat-address reserved 100
    set system security-profile ls-design-profile logical-system ls-product-design
    set system security-profile interconnect-profile logical-system interconnect-logical-system

    The profile for the master logical system is bound with the root-logical-system statement rather than logical-system; the Results section shows it that way.

    Step-by-Step Procedure

    The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

    Create three security profiles.

    1. Create the first security profile.

      Step-by-Step Procedure

      1. Specify the number of maximum and reserved policies.
        [edit system security-profile]
        user@host# set master-profile policy maximum 65 reserved 60
      2. Specify the number of maximum and reserved zones.
        [edit system security-profile]
        user@host# set master-profile zone maximum 22 reserved 17
      3. Specify the number of maximum and reserved sessions.
        [edit system security-profile]
        user@host# set master-profile flow-session maximum 3000 reserved 2100
      4. Specify the number of maximum and reserved source NAT no-PAT addresses and static NAT rules.
        [edit system security-profile]
        user@host# set master-profile nat-nopat-address maximum 115 reserved 100
        user@host# set master-profile nat-static-rule maximum 125 reserved 100
      5. Enable intrusion detection and prevention (IDP) in the profile. You can enable IDP only for the master (root) logical system.
        [edit system security-profile]
        user@host# set master-profile idp
      6. Bind the security profile to the master logical system. The master logical system is bound with the root-logical-system statement, not with logical-system, which is reserved for user logical systems.
        [edit system security-profile]
        user@host# set master-profile root-logical-system
    2. Create the second security profile.

      Step-by-Step Procedure

      1. Specify the number of maximum and reserved policies.
        [edit system security-profile]
        user@host# set ls-accnt-mrkt-profile policy maximum 65 reserved 60
      2. Specify the number of maximum and reserved zones.
        [edit system security-profile]
        user@host# set ls-accnt-mrkt-profile zone maximum 22 reserved 17
      3. Specify the number of maximum and reserved sessions.
        [edit system security-profile]
        user@host# set ls-accnt-mrkt-profile flow-session maximum 2500 reserved 2000
      4. Specify the number of maximum and reserved source NAT no-PAT addresses.
        [edit system security-profile]
        user@host# set ls-accnt-mrkt-profile nat-nopat-address maximum 125 reserved 100
      5. Specify the number of maximum and reserved static NAT rules.
        [edit system security-profile]
        user@host# set ls-accnt-mrkt-profile nat-static-rule maximum 125 reserved 100
      6. Bind the security profile to two logical systems. Each bound logical system receives the full reserved quota, so binding a profile twice commits its reserved amounts twice against the device capacity.
        [edit system]
        user@host# set security-profile ls-accnt-mrkt-profile logical-system ls-marketing-dept
        user@host# set security-profile ls-accnt-mrkt-profile logical-system ls-accounting-dept
    3. Create the third security profile.

      Step-by-Step Procedure

      1. Specify the number of maximum and reserved policies.
        [edit system security-profile]
        user@host# set ls-design-profile policy maximum 50 reserved 40
      2. Specify the number of maximum and reserved zones.
        [edit system security-profile]
        user@host# set ls-design-profile zone maximum 10 reserved 5
      3. Specify the number of maximum and reserved sessions.
        [edit system security-profile]
        user@host# set ls-design-profile flow-session maximum 2500 reserved 2000
      4. Specify the number of maximum and reserved source NAT no-PAT addresses.
        [edit system security-profile]
        user@host# set ls-design-profile nat-nopat-address maximum 120 reserved 100
      5. Bind the security profile to a logical system.
        [edit]
        user@host# set system security-profile ls-design-profile logical-system ls-product-design
    4. Bind a null security profile (one with no resource statements) to the interconnect logical system.
      [edit]
      user@host# set system security-profile interconnect-profile logical-system interconnect-logical-system
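    The procedure above sets two numbers per resource but never checks them against each other or against the device. As an added example (not from the Juniper page or from Junos itself), the following Python parses set statements in the form used in the CLI Quick Configuration and checks the invariants a master administrator should confirm before commit: reserved never exceeds maximum, no maximum exceeds the device capacity, the reserved totals across all bound logical systems fit in the capacity, and no profile is left unbound. The capacity figures in DEVICE_CAPACITY are placeholders, not SRX5600 values; the sample configuration is the page's three profiles with the NAT quotas left out for brevity.

```python
"""Added example (not from the Juniper page): parse Junos
'set system security-profile ...' statements and check quota invariants
before commit. DEVICE_CAPACITY holds placeholder values (assumption);
look up the real per-resource capacities for your platform and release."""
import re
from collections import defaultdict

# Constructed input: the page's profiles, one statement per line
# (NAT quotas omitted to keep the sample short).
CONFIG = """
set system security-profile master-profile policy maximum 65
set system security-profile master-profile policy reserved 60
set system security-profile master-profile zone maximum 22
set system security-profile master-profile zone reserved 17
set system security-profile master-profile flow-session maximum 3000
set system security-profile master-profile flow-session reserved 2100
set system security-profile master-profile idp
set system security-profile master-profile root-logical-system
set system security-profile ls-accnt-mrkt-profile policy maximum 65
set system security-profile ls-accnt-mrkt-profile policy reserved 60
set system security-profile ls-accnt-mrkt-profile zone maximum 22
set system security-profile ls-accnt-mrkt-profile zone reserved 17
set system security-profile ls-accnt-mrkt-profile flow-session maximum 2500
set system security-profile ls-accnt-mrkt-profile flow-session reserved 2000
set system security-profile ls-accnt-mrkt-profile logical-system ls-marketing-dept
set system security-profile ls-accnt-mrkt-profile logical-system ls-accounting-dept
set system security-profile ls-design-profile policy maximum 50
set system security-profile ls-design-profile policy reserved 40
set system security-profile ls-design-profile zone maximum 10
set system security-profile ls-design-profile zone reserved 5
set system security-profile ls-design-profile flow-session maximum 2500
set system security-profile ls-design-profile flow-session reserved 2000
set system security-profile ls-design-profile logical-system ls-product-design
set system security-profile interconnect-profile logical-system interconnect-logical-system
"""

# Placeholder per-resource capacities (assumption, not from the page).
DEVICE_CAPACITY = {"policy": 500, "zone": 100, "flow-session": 10000}

QUOTA_RE = re.compile(
    r"^set system security-profile (\S+) (\S+) (maximum|reserved) (\d+)$")
BIND_RE = re.compile(
    r"^set system security-profile (\S+) (?:logical-system (\S+)|(root-logical-system))$")


def parse(config):
    """Return (quotas[profile][resource][kind] -> int,
               bindings[profile] -> [logical system, ...]).
    Statements that are neither quotas nor bindings (e.g. idp) are skipped."""
    quotas = defaultdict(lambda: defaultdict(dict))
    bindings = defaultdict(list)
    for line in config.splitlines():
        line = line.strip()
        m = QUOTA_RE.match(line)
        if m:
            prof, res, kind, n = m.groups()
            quotas[prof][res][kind] = int(n)
            continue
        m = BIND_RE.match(line)
        if m:
            bindings[m.group(1)].append(m.group(2) or m.group(3))
    return quotas, bindings


def reserved_totals(quotas, bindings):
    """Reserved quota per resource summed over every bound logical system.
    A profile bound to N logical systems commits its reserved amount N times."""
    totals = defaultdict(int)
    for prof, resources in quotas.items():
        for res, q in resources.items():
            totals[res] += q.get("reserved", 0) * len(bindings.get(prof, []))
    return dict(totals)


def audit(config, capacity=DEVICE_CAPACITY):
    """Return a list of problems; an empty list means the invariants hold."""
    quotas, bindings = parse(config)
    problems = []
    for prof, resources in quotas.items():
        for res, q in resources.items():
            mx, rs = q.get("maximum"), q.get("reserved")
            if mx is not None and rs is not None and rs > mx:
                problems.append(f"{prof} {res}: reserved {rs} > maximum {mx}")
            if mx is not None and res in capacity and mx > capacity[res]:
                problems.append(f"{prof} {res}: maximum {mx} > capacity {capacity[res]}")
    for res, total in reserved_totals(quotas, bindings).items():
        if res in capacity and total > capacity[res]:
            problems.append(f"{res}: total reserved {total} > capacity {capacity[res]}")
    # A profile nobody is bound to is dead configuration worth flagging.
    for prof in sorted(set(quotas) | set(bindings)):
        if not bindings.get(prof):
            problems.append(f"{prof}: not bound to any logical system")
    return problems


if __name__ == "__main__":
    print(reserved_totals(*parse(CONFIG)))
    print(audit(CONFIG) or "OK: all quota invariants hold")
```

    With the page's numbers, the reserved totals come to 220 policies, 56 zones and 8100 sessions, because ls-accnt-mrkt-profile is counted twice (once per bound logical system). Lowering the assumed flow-session capacity to 8000 makes audit() report the overcommit, which is the condition that lets one tenant's reserved sessions crowd out another's.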

    Results

    From configuration mode, confirm your configuration by entering the show system security-profile command to see all security profiles configured.

    To see individual security profiles, enter the show system security-profile master-profile, show system security-profile ls-accnt-mrkt-profile, and show system security-profile ls-design-profile commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it. Note that the sample output below lists a nat-static-rule quota for ls-design-profile that the steps above do not configure and does not show the idp statement set for master-profile; compare the output against what you actually entered rather than against the sample line for line.

    user@host# show system security-profile
    interconnect-profile {
        logical-system interconnect-logical-system;
    }
    ls-accnt-mrkt-profile {
        policy {
            maximum 65;
            reserved 60;
        }
        zone {
            maximum 22;
            reserved 17;
        }
        flow-session {
            maximum 2500;
            reserved 2000;
        }
        nat-nopat-address {
            maximum 125;
            reserved 100;
        }
        nat-static-rule {
            maximum 125;
            reserved 100;
        }
        logical-system [ ls-marketing-dept ls-accounting-dept ];
    }
    ls-design-profile {
        policy {
            maximum 50;
            reserved 40;
        }
        zone {
            maximum 10;
            reserved 5;
        }
        flow-session {
            maximum 2500;
            reserved 2000;
        }
        nat-nopat-address {
            maximum 120;
            reserved 100;
        }
        nat-static-rule {
            maximum 125;
            reserved 100;
        }
        logical-system ls-product-design;
    }
    master-profile {
        policy {
            maximum 65;
            reserved 60;
        }
        zone {
            maximum 22;
            reserved 17;
        }
        flow-session {
            maximum 3000;
            reserved 2100;
        }
        nat-nopat-address {
            maximum 115;
            reserved 100;
        }
        nat-static-rule {
            maximum 125;
            reserved 100;
        }
        root-logical-system;
    }

    user@host# show system security-profile master-profile
    policy {
        maximum 65;
        reserved 60;
    }
    zone {
        maximum 22;
        reserved 17;
    }
    flow-session {
        maximum 3000;
        reserved 2100;
    }
    nat-nopat-address {
        maximum 115;
        reserved 100;
    }
    nat-static-rule {
        maximum 125;
        reserved 100;
    }
    root-logical-system;

    user@host# show system security-profile ls-accnt-mrkt-profile
    policy {
        maximum 65;
        reserved 60;
    }
    zone {
        maximum 22;
        reserved 17;
    }
    flow-session {
        maximum 2500;
        reserved 2000;
    }
    nat-nopat-address {
        maximum 125;
        reserved 100;
    }
    nat-static-rule {
        maximum 125;
        reserved 100;
    }
    logical-system [ ls-accounting-dept ls-marketing-dept ];

    user@host# show system security-profile ls-design-profile
    policy {
        maximum 50;
        reserved 40;
    }
    zone {
        maximum 10;
        reserved 5;
    }
    flow-session {
        maximum 2500;
        reserved 2000;
    }
    nat-nopat-address {
        maximum 120;
        reserved 100;
    }
    nat-static-rule {
        maximum 125;
        reserved 100;
    }
    logical-system ls-product-design;

    If you are done configuring the device, enter commit from configuration mode.

    Verification

    To confirm that the security resources that you allocated for logical systems have been assigned to them, follow this procedure for each logical system and for all its resources.

    Verifying That Security Profile Resources Are Effectively Allocated for Logical Systems

    Purpose

    Verify security resources for each logical system. Follow this process for all configured logical systems.

    Action

    1. Log in to each user logical system as its user logical system administrator.

      The example uses Telnet, which sends the login name and password in clear text. On a production device, use SSH if it is enabled and restrict Telnet to an isolated management network. Specify the IP address of your SRX Series device. For example:

      telnet 10.11.11.19
    2. Enter the login ID and password for one of the user logical systems that you created. The prompt names the logical system the administrator is confined to:
      login: lsmarketingadmin1
      password: Talk2345
      lsmarketingadmin1@host:ls-marketing-dept>
    3. Enter the following command to list the resources configured for the profile:
      lsmarketingadmin1@host:ls-marketing-dept> show system security-profile ?
    4. Enter the following command for each resource listed. Compare used amount with reserved amount and maximum quota: usage above the reserved amount is being drawn from the pool shared with other logical systems, and a logical system at its maximum quota cannot create any more of that resource.
      lsmarketingadmin1@host:ls-marketing-dept> show system security-profile zone detail
      logical system name : ls-marketing-dept
      security profile name : ls-accnt-mrkt-profile
      used amount : 0
      reserved amount : 17
      maximum quota : 22
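    Reading these three numbers by eye for every resource of every logical system does not scale. As an added example (not from the Juniper page), the following Python parses detail output in the key-value form shown above for several logical systems and classifies each as ok, over-reserved (consuming the shared pool) or exhausted (at its maximum quota). The sample output is constructed: ls-marketing-dept is the page's own record, while the used amounts for ls-accounting-dept and ls-product-design are invented to exercise the two warning cases.

```python
"""Added example (not from the Juniper page): parse the 'show system
security-profile <resource> detail' output for several logical systems and
flag quota pressure. The SAMPLE text is constructed to exercise each case."""
import re

# Constructed sample: the page's record plus two invented ones.
SAMPLE = """
logical system name : ls-marketing-dept
security profile name : ls-accnt-mrkt-profile
used amount : 0
reserved amount : 17
maximum quota : 22

logical system name : ls-accounting-dept
security profile name : ls-accnt-mrkt-profile
used amount : 20
reserved amount : 17
maximum quota : 22

logical system name : ls-product-design
security profile name : ls-design-profile
used amount : 10
reserved amount : 5
maximum quota : 10
"""

# "key words : value" with a single-token value (name or integer).
FIELD_RE = re.compile(r"^\s*([a-z ]+?)\s*:\s*(\S+)\s*$")


def parse_detail(text):
    """Split the output into one dict per logical system; a new record starts
    at each 'logical system name' line. Integer fields are converted."""
    records, cur = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, val = m.group(1).strip(), m.group(2)
        if key == "logical system name" and cur:
            records.append(cur)
            cur = {}
        cur[key] = int(val) if val.isdigit() else val
    if cur:
        records.append(cur)
    return records


def classify(rec):
    """ok: within the guaranteed reserved amount.
    over-reserved: above reserved, so the excess comes from the shared pool
    and can be denied if other logical systems consume it first.
    exhausted: at the maximum quota; new objects of this type will fail."""
    used = rec["used amount"]
    if used >= rec["maximum quota"]:
        return "exhausted"
    if used > rec["reserved amount"]:
        return "over-reserved"
    return "ok"


def report(text):
    """Map each logical system name to its classification."""
    return {r["logical system name"]: classify(r) for r in parse_detail(text)}


if __name__ == "__main__":
    for name, state in report(SAMPLE).items():
        print(f"{name}: {state}")
```

    Run the same parser over the output for each resource (policy, zone, flow-session, the NAT quotas) and over every logical system from the master logical system, where all of them are visible, rather than logging in to each user logical system in turn.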

    Published: 2012-06-29