Understanding a Security Flow Policy on a Device Running Junos OS
You can define a security flow policy on a device running Junos OS to inspect and process network packets. Permit, deny, and log operations can be associated with each policy. Each policy is associated with a pair of security zones, and each zone is bound to distinct network interfaces.
The following modes can be defined for a security flow policy to determine how a device directs traffic:
Bypass—The Permit option directs the traffic traversing the device through the stateful firewall inspection, but not through the IPsec VPN tunnel.
Discard—The Deny option inspects and drops all packets that do not match any Permit policies.
Protect—The traffic is routed through an IPsec tunnel based on the combination of route lookup and Permit policy inspection.
Log—This option logs traffic and session information for all the modes mentioned above.
The following sections describe how to configure a security policy for each of these modes:
Configuring a Security Flow Policy in Firewall Bypass Mode
To configure a security flow policy for firewall bypass mode:
Configure the security policies.
[edit security policies]
user@host# set from-zone trustZone to-zone untrustZone policy policy1 match source-address trustLan
user@host# set from-zone trustZone to-zone untrustZone policy policy1 match destination-address untrustLan
user@host# set from-zone trustZone to-zone untrustZone policy policy1 match application any
user@host# set from-zone trustZone to-zone untrustZone policy policy1 then permit
user@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-init
user@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-close
Note: Here, trustZone and untrustZone are preconfigured security zones, and trustLan and untrustLan are preconfigured network addresses. junos-ssh is an example of a Junos OS default predefined application that can be configured as the application match in a security policy to match SSH traffic.
Configuring a Security Policy in Firewall Discard Mode
To configure a security flow policy for firewall discard mode:
Configure the security policies.
[edit security policies]
user@host# set from-zone untrustZone to-zone trustZone policy policy1 match source-address untrustLan
user@host# set from-zone untrustZone to-zone trustZone policy policy1 match destination-address trustLan
user@host# set from-zone untrustZone to-zone trustZone policy policy1 match application junos-telnet
user@host# set from-zone untrustZone to-zone trustZone policy policy1 then deny
user@host# set from-zone untrustZone to-zone trustZone policy policy1 then log session-init
user@host# set from-zone untrustZone to-zone trustZone policy policy1 then log session-close
Note: Here, trustZone and untrustZone are the preconfigured security zones, and trustLan and untrustLan are preconfigured network addresses. junos-telnet is an example of a Junos OS default predefined application that can be configured as the application match in a security policy to match Telnet traffic.
Configuring a Security Flow Policy in IPsec Protect Mode
To configure a security flow policy for IPsec protect mode:
Configure the VPN.
[edit]
user@host# set security ipsec vpn vpn1 ike gateway gw1
user@host# set security ipsec vpn vpn1 ike ipsec-policy ipsec-policy1
user@host# set security ipsec vpn vpn1 bind-interface st0.0
user@host# set routing-options static route 198.51.100.14/24 qualified-next-hop st0.0 preference 1
Note: Here, gw1 is a preconfigured IKE gateway and ipsec-policy1 is a preconfigured IPsec policy.
Configure the security policies.
[edit security policies]
user@host# set from-zone trustZone to-zone untrustZone policy policy1 match source-address trustLan
user@host# set from-zone trustZone to-zone untrustZone policy policy1 match destination-address untrustLan
user@host# set from-zone trustZone to-zone untrustZone policy policy1 match application any
user@host# set from-zone trustZone to-zone untrustZone policy policy1 then permit
user@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-init
user@host# set from-zone trustZone to-zone untrustZone policy policy1 then log session-close
Note: Here, trustZone and untrustZone are preconfigured security zones, and trustLan and untrustLan are preconfigured network addresses.
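As an added example (not Juniper's code), the following Python script parses the set commands used in the bypass, discard, and protect procedures above, groups them per policy, and reports any policy that lacks a match term, a permit/deny/reject action, or one of the two log events. The sample input is constructed from this page's bypass and discard policies, with log session-close deliberately left out of the discard policy.

```python
# Added example (not Juniper's code): parse Junos policy set commands and audit them.
import re

# Constructed sample built from this page's bypass and discard policies; the discard
# policy intentionally lacks 'log session-close' so that the audit reports it.
T2U = "set from-zone trustZone to-zone untrustZone policy policy1 "
U2T = "set from-zone untrustZone to-zone trustZone policy policy1 "
SAMPLE = "\n".join([
    T2U + "match source-address trustLan",
    T2U + "match destination-address untrustLan",
    T2U + "match application any",
    T2U + "then permit",
    T2U + "then log session-init",
    T2U + "then log session-close",
    U2T + "match source-address untrustLan",
    U2T + "match destination-address trustLan",
    U2T + "match application junos-telnet",
    U2T + "then deny",
    U2T + "then log session-init",
])

LINE = re.compile(r"set from-zone (\S+) to-zone (\S+) policy (\S+) (match|then) (.+)")
REQUIRED_MATCH = ("source-address", "destination-address", "application")

def parse_policies(text):
    # Group statements by (from-zone, to-zone, policy name).
    policies = {}
    for raw in text.splitlines():
        m = LINE.fullmatch(raw.strip())
        if not m:
            continue  # not a policy statement; ignore
        key, kind, rest = (m[1], m[2], m[3]), m[4], m[5]
        pol = policies.setdefault(key, {"match": {}, "then": set()})
        if kind == "match":
            field, value = rest.split(None, 1)
            pol["match"][field] = value
        else:
            pol["then"].add(rest)
    return policies

def audit(policies):
    # Return {policy key: [findings]} for every policy that is incomplete.
    findings = {}
    for key, p in policies.items():
        issues = [f"missing match {f}" for f in REQUIRED_MATCH if f not in p["match"]]
        if not p["then"] & {"permit", "deny", "reject"}:
            issues.append("no permit/deny/reject action")
        issues += [f"not logging {ev}" for ev in ("session-init", "session-close")
                   if f"log {ev}" not in p["then"]]
        if issues:
            findings[key] = issues
    return findings
```

Running audit(parse_policies(SAMPLE)) reports only the untrustZone-to-trustZone policy, for the missing session-close log event.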