Unified Policies for SSL Proxy
Application Security Services with SSL Proxy
With the implementation of SSL proxy, AppID can identify applications encrypted in SSL. SSL proxy can be enabled as an application service in a regular firewall policy rule. Intrusion Detection and Prevention (IDP), application firewall (AppFW), application tracking (AppTrack), advanced policy-based routing (APBR) services, Content Security, ATP Cloud, and Security Intelligence (SecIntel) can use the decrypted content from SSL proxy.
To determine if a feature is supported by a specific platform or Junos OS release, refer to Feature Explorer.
On the SSL payload, IDP can inspect attacks and anomalies; for example, HTTP chunk length overflow on HTTPS. On encrypted applications, such as Facebook, AppFW can enforce policies and AppTrack (when configured in the from and to zones) can report logging issues based on dynamic applications.
If none of the services (AppFW, IDP, or AppTrack) are configured, then SSL proxy services are bypassed even if an SSL proxy is attached to a firewall policy.
The IDP module will not perform an SSL inspection on a session if an SSL proxy is enabled for that session. That is, if both SSL inspection and SSL proxy are enabled on a session, SSL proxy will always take precedence.
Leveraging Dynamic Application Identification
SSL proxy uses application identification services to dynamically detect if a particular session is SSL encrypted. SSL proxies are allowed only if a session is SSL encrypted. The following rules apply for a session:
- Session is marked Encrypted=Yes in the application system cache. If the session is marked Encrypted=Yes, the final match from application identification for that session is SSL encrypted, and SSL proxy transitions to a state where proxy functionality can be initiated.
- Session is marked Encrypted=No in the application system cache. If a non-SSL entry is found in the application system cache, the final match from application identification for that session is non-SSL and SSL proxy ignores the session.
- An entry is not found in the application system cache. This can happen on the first session, or when the application system cache has been cleaned or has expired. In such a scenario, SSL proxy cannot wait for the final match (which requires traffic in both directions). In SSL proxy, traffic in the reverse direction happens only after SSL proxy has initiated an SSL handshake. For such a scenario, SSL proxy initially tries to leverage prematch or aggressive match results from application identification, and if the results indicate SSL, SSL proxy goes ahead with the handshake.
- Application identification fails due to resource constraints or other errors. Whenever the result from application identification is not available, SSL proxy assumes static port binding and tries to initiate the SSL handshake on the session. This succeeds for actual SSL sessions, but it results in dropped sessions for non-SSL sessions.
SSL Proxy Support for Unified Policies
Starting from Junos OS Release 18.2R1, unified policies are supported on SRX Series Firewalls, allowing granular control and enforcement of dynamic Layer 7 applications within the traditional security policy.
Unified policies are the security policies that enable you to use dynamic applications as match conditions as part of the existing 5-tuple or 6-tuple (5-tuple with user firewall) match conditions to detect application changes over time.
SSL proxy functionality is supported when the device is configured with unified policies. As a part of this enhancement, you can configure a default SSL proxy profile.
During the initial policy lookup phase, which occurs before a dynamic application is identified, if the potential policy list contains multiple policies with different SSL proxy profiles, the SRX Series Firewall applies the default SSL proxy profile until a more explicit match has occurred.
We recommend that you create a default SSL proxy profile. Sessions are dropped in case of a policy conflict if no default SSL proxy profile is available.
You can configure an SSL proxy profile under the [edit services ssl proxy] hierarchy level, and then apply it as a default SSL proxy profile under the [edit security ngfw] hierarchy level. This configuration does not impact the existing SSL service configuration.
Configuring a default SSL proxy profile is supported for both SSL forward and reverse proxy.
Understanding How SSL Proxy Default Profile Works
Table 1 summarizes the default SSL proxy profile behavior in unified policies.

| Application Identification Status | SSL Proxy Profile Usage | Action |
|---|---|---|
| No security policy conflict | SSL proxy profile is applied when traffic matches the security policy. | SSL proxy profile is applied. |
| Security policy conflict (conflicting policies have distinct SSL proxy profiles) | Default SSL proxy profile is not configured or not found. | Session is terminated, because the default SSL proxy profile is not configured. |
| Security policy conflict (conflicting policies have distinct SSL proxy profiles) | Default SSL proxy profile is configured. | Default SSL proxy profile is applied. |
| Final application is identified | Matching security policy has an SSL proxy profile that is the same as the default SSL proxy profile. | Default SSL proxy profile is applied. |
| Final application is identified | Matching security policy does not have an SSL proxy profile. | Default SSL proxy profile is applied. |
| Final application is identified | Matching security policy has an SSL proxy profile that is different from the default SSL proxy profile that is already applied. | The default SSL proxy profile that is already applied continues to remain applied. |
A security policy can have either an SSL reverse proxy profile or an SSL forward proxy profile configured at a time.
If one security policy has an SSL forward proxy profile and another security policy has an SSL reverse proxy profile, the default profile (either an SSL forward proxy profile or an SSL reverse proxy profile) is considered.
We recommend creating a default SSL proxy profile, because sessions are dropped in case of policy conflicts when no default SSL proxy profile is available. A system log message is generated to log the event.
Example of the system log message:
<14>1 2018-03-07T03:18:33.374-08:00 4.0.0.254 kurinji junos-ssl-proxy - SSL_PROXY_SSL_SESSION_DROP [junos@2636.1.1.1.2.105 logical-system-name="root-logical-system" session-id="15" source-address="4.0.0.1" source-port="37010" destination-address="5.0.0.1" destination-port="443" nat-source-address="4.0.0.1" nat-source-port="37010" nat-destination-address="5.0.0.1" nat-destination-port="443" profile-name="(null)" source-zone-name="untrust" source-interface-name="xe-2/2/1.0" destination-zone-name="trust" destination-interface-name="xe-2/2/2.0" message="default ssl-proxy profile is not configured"]
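As an added example that is not part of the Juniper documentation, the following Python parses the structured-data form of this message and flags sessions that the SSL proxy dropped because no default profile was configured. The first sample line mirrors the message above; the second is a constructed negative sample, and the function names are chosen for this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample lines. The first mirrors the SSL_PROXY_SSL_SESSION_DROP
# message shown above; the second is a constructed negative sample with a
# profile name set and a different message text.
SAMPLE_LOGS = [
    '<14>1 2018-03-07T03:18:33.374-08:00 4.0.0.254 kurinji junos-ssl-proxy - '
    'SSL_PROXY_SSL_SESSION_DROP [junos@2636.1.1.1.2.105 '
    'logical-system-name="root-logical-system" session-id="15" '
    'source-address="4.0.0.1" source-port="37010" destination-address="5.0.0.1" '
    'destination-port="443" profile-name="(null)" source-zone-name="untrust" '
    'destination-zone-name="trust" '
    'message="default ssl-proxy profile is not configured"]',
    '<14>1 2018-03-07T03:19:01.000-08:00 4.0.0.254 kurinji junos-ssl-proxy - '
    'SSL_PROXY_SSL_SESSION_DROP [junos@2636.1.1.1.2.105 '
    'logical-system-name="root-logical-system" session-id="16" '
    'source-address="4.0.0.2" source-port="37011" destination-address="5.0.0.1" '
    'destination-port="443" profile-name="SSL-FP-PROFILE-1" '
    'message="constructed sample: dropped for another reason"]',
]

# key="value" pairs inside the structured-data element; values may contain spaces.
SD_PARAM_RE = re.compile(r'([\w-]+)="([^"]*)"')


def parse_junos_event(line: str) -> Dict[str, str]:
    """Return the event name plus every structured-data parameter of one line."""
    header, _, structured = line.partition(' [')
    fields = dict(SD_PARAM_RE.findall(structured))
    fields['event'] = header.split()[-1]   # token just before the '[' block
    return fields


def drops_without_default_profile(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(session-id, source-address, destination-address) for every session
    the SSL proxy dropped because the default profile was missing."""
    hits = []
    for line in lines:
        ev = parse_junos_event(line)
        if ev.get('event') != 'SSL_PROXY_SSL_SESSION_DROP':
            continue
        if 'default ssl-proxy profile is not configured' in ev.get('message', ''):
            hits.append((ev['session-id'], ev['source-address'], ev['destination-address']))
    return hits


if __name__ == '__main__':
    for hit in drops_without_default_profile(SAMPLE_LOGS):
        print('session %s %s -> %s: default SSL proxy profile missing' % hit)
```

A steady stream of these hits after a policy change is the signal that a conflict exists in the potential policy list and no default profile was committed.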
Default SSL Proxy Profiles in Different Scenarios
- No Policy Conflict—All Policies Have Same SSL Proxy Profile
- No Policy Conflict—All Policies Have Same SSL Proxy Profile and Final Policy Has No SSL Profile
- Policy Conflict—No SSL Profile Configured for Final Policy
- Policy Conflict–Default SSL Proxy Profile and Different SSL Proxy Profile for Final Policy
- Limitations of SSL Proxy with Unified Policies
No Policy Conflict—All Policies Have Same SSL Proxy Profile
All matching policies have the same SSL proxy profile, as shown in Table 2.

| Security Policy | Source Zone | Source IP Address | Destination Zone | Destination IP Address | Port Number | Protocol | Dynamic Application | Service | Default SSL Proxy Profile |
|---|---|---|---|---|---|---|---|---|---|
| Policy-P1 | S1 | Any | D1 | Any | Any | Any |  | SSL Proxy | SSL-1 |
| Policy-P2 | S1 | Any | D1 | Any | Any | Any |  | SSL Proxy | SSL-1 |
In this case, both Policy-P1 and Policy-P2 have the same SSL proxy profile (SSL-1). Because there is no conflict, the profile SSL-1 is applied.
If you have configured a default SSL proxy profile (SSL-2), it is not applied, because there is no conflict between the policies (Policy-P1 and Policy-P2).
No Policy Conflict—All Policies Have Same SSL Proxy Profile and Final Policy Has No SSL Profile
Policy-P1 and Policy-P2 have the same SSL proxy profile and Policy-P3 has no SSL profile, as shown in Table 3.

| Security Policy | Source Zone | Source IP Address | Destination Zone | Destination IP Address | Port Number | Protocol | Dynamic Application | Service | Default SSL Proxy Profile |
|---|---|---|---|---|---|---|---|---|---|
| Policy-P1 | S1 | Any | D1 | Any | Any | Any |  | SSL Proxy | SSL-1 |
| Policy-P3 | S1 | 50.1.1.1 | D1 | Any | Any | Any | YouTube | SSL Proxy | SSL-1 |
| Policy-P2 | S1 | Any | D1 | Any | Any | Any |  | Other | None |
In this scenario, both Policy-P1 and Policy-P2 have the same SSL proxy profile (SSL-1). Because there is no conflict, the profile SSL-1 is applied before the final policy match.
When the final application is identified, the security policy matching the final application, that is, Policy-P3, is applied. Because Policy-P3 has no SSL proxy profile, the already applied profile SSL-1 remains applied: once an SSL proxy profile has been applied to the traffic, it is not removed.
Policy Conflict—No SSL Profile Configured for Final Policy
The default SSL proxy profile is applied during the potential match, as shown in Table 4. The final policy, Policy-P3, does not have any SSL proxy profile.

| Security Policy | Source Zone | Source IP Address | Destination Zone | Destination IP Address | Port Number | Protocol | Dynamic Application | Service | Default SSL Proxy Profile |
|---|---|---|---|---|---|---|---|---|---|
| Policy-P1 | S1 | 50.1.1.1 | D1 | Any | Any | Any |  | SSL Proxy | SSL-1 |
| Policy-P2 | S1 | 50.1.1.1 | D1 | Any | Any | Any |  | SSL Proxy | SSL-2 |
| Policy-P3 | S1 | 50.1.1.1 | D1 | Any | Any | Any | YouTube | Other | NA |
In this example, SSL proxy profile SSL-1 is configured as the default SSL proxy profile. During the policy conflict between Policy-P1 and Policy-P2, the default profile SSL-1 is applied.
When the final application is identified, the security policy matching the final application, that is, Policy-P3, is applied. Because Policy-P3 has no SSL proxy profile, the already applied profile SSL-1 continues to remain applied: once an SSL proxy profile has been applied to the traffic, it is not removed.
Policy Conflict–Default SSL Proxy Profile and Different SSL Proxy Profile for Final Policy
The SSL proxy profile SSL-1 is configured as the default SSL proxy profile and is already applied before the final policy is matched. See Table 5.

| Security Policy | Source Zone | Source IP Address | Destination Zone | Destination IP Address | Port Number | Protocol | Dynamic Application | Service | Default SSL Proxy Profile |
|---|---|---|---|---|---|---|---|---|---|
| Policy-P1 | S1 | 50.1.1.1 | D1 | Any | Any | Any |  | SSL Proxy | SSL-1 |
| Policy-P2 | S1 | 50.1.1.1 | D1 | Any | Any | Any |  | SSL Proxy | SSL-2 |
| Policy-P3 | S1 | 50.1.1.1 | D1 | Any | Any | Any | YouTube | SSL Proxy | SSL-3 |
When the final application is identified, the security policy matching the final application, that is, Policy-P3, is applied. The SSL profile of Policy-P3, that is, SSL-3, is not applied. Instead, the SSL proxy profile SSL-2, configured and applied as the default profile, continues to remain applied.
Switching from the default SSL proxy profile that is already applied to the traffic to another SSL proxy profile is not supported.
Limitations of SSL Proxy with Unified Policies
When a default SSL proxy profile is enabled, it cannot be disabled even if the final security policy does not have SSL proxy configured.
When a default SSL proxy profile is enabled and applied on the traffic, and the final security policy has an SSL proxy profile other than the default profile configured, switching from the default SSL proxy profile to the SSL proxy profile in the security policy is not supported.
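The following Python, added here and not part of the Juniper documentation, models the profile selection rules of Table 1 and the four scenarios above as one decision function. Policy, SessionDropped and session_profile are names chosen for this example; the one rule the page does not state is marked as an assumption in the code.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Policy:
    name: str
    ssl_profile: Optional[str] = None  # None: the policy has no SSL proxy profile


class SessionDropped(Exception):
    """The outcome the firewall logs as SSL_PROXY_SSL_SESSION_DROP."""


def potential_match_profile(potential: List[Policy], default: Optional[str]) -> Optional[str]:
    """Profile applied before the dynamic application is identified.

    `potential` is every policy the session could still match on its 5-tuple.
    """
    profiles = {p.ssl_profile for p in potential if p.ssl_profile is not None}
    if len(profiles) <= 1:
        # No conflict: the profile the policies share (None if none has one).
        # The default profile is not consulted here (Table 2, SSL-2 unused).
        return next(iter(profiles), None)
    # Conflict: distinct profiles in the potential list (Tables 4 and 5).
    if default is None:
        raise SessionDropped("default ssl-proxy profile is not configured")
    return default


def final_match_profile(applied: Optional[str], final: Policy) -> Optional[str]:
    """Profile in effect once the final application is identified.

    A profile already applied is never removed or switched (Limitations),
    whether the final policy carries the same profile, none, or a different one.
    """
    if applied is not None:
        return applied
    # Assumption (not stated on the page): when nothing was applied during the
    # potential match, the final policy's own profile is used.
    return final.ssl_profile


def session_profile(potential: List[Policy], final: Policy, default: Optional[str]) -> Optional[str]:
    """End-to-end result for one session; raises SessionDropped on an unresolved conflict."""
    return final_match_profile(potential_match_profile(potential, default), final)
```
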
Configuring Default SSL Proxy Profiles
SSL proxy is enabled as an application service within a security policy. In a security policy, specify the match criteria for the traffic that must be SSL proxy enabled. Next, specify the SSL proxy profile to be applied to the traffic. When configuring unified policies, the steps include defining the SSL profile, adding the SSL profile as the default profile under the [edit security ngfw] hierarchy level, and then referencing it in the desired security policy.
- Configuring Default Profile for SSL Forward Proxy
- Configuring Default Profile for SSL Reverse Proxy
- Configuring Default SSL Profiles for Logical System
Configuring Default Profile for SSL Forward Proxy
In this procedure, you configure an SSL forward proxy profile, and specify the profile as the default profile.
Configuring Default Profile for SSL Reverse Proxy
In this procedure, you configure an SSL reverse proxy profile and specify the profile as the default profile.
Configuring Default SSL Profiles for Logical System
In this procedure, you assign the SSL forward proxy profile or the SSL reverse proxy profile as the default profile in logical system configurations. In this case, one profile can be a default profile either from the SSL forward proxy or from the SSL reverse proxy.
Example: Configuring Default SSL Proxy Profile for Unified Policy
This example shows how to configure a default SSL proxy profile and apply it in a unified policy.
Configuration
Step-by-Step Procedure
To configure a default SSL proxy profile and apply it in a unified policy:
1. Create an SSL profile and attach the CA profile group to the SSL proxy profile.
user@host# set services ssl proxy profile SSL-FP-PROFILE-1 trusted-ca all
2. Apply the signing certificate as root-ca in the SSL proxy profile.
user@host# set services ssl proxy profile SSL-FP-PROFILE-1 root-ca ssl-inspect-ca
3. Define the SSL proxy profile as the default profile.
user@host# set security ngfw default-profile ssl-proxy profile-name SSL-FP-PROFILE-1
4. Create a unified policy and specify the dynamic application as the match criteria.
user@host# set security policies from-zone untrust to-zone trust policy from_internet match source-address any
user@host# set security policies from-zone untrust to-zone trust policy from_internet match destination-address any
user@host# set security policies from-zone untrust to-zone trust policy from_internet match application any
user@host# set security policies from-zone untrust to-zone trust policy from_internet match dynamic-application junos:web
5. Apply the SSL proxy profile to the permitted traffic in the security policy.
user@host# set security policies from-zone untrust to-zone trust policy from_internet then permit application-services ssl-proxy profile-name SSL-FP-PROFILE-1
Requirements
This example uses the following hardware and software components:
SRX Series Firewall with Junos OS Release 18.2R1 or later. This configuration example is tested for Junos OS Release 18.2R1.
No special configuration beyond device initialization is required before configuring this feature.
Overview
In this example, you configure an SSL forward proxy profile by specifying the root CA certificate. Next, you configure the profile as the default SSL proxy profile. Finally, you create a unified policy and invoke SSL proxy as an application service on the permitted traffic.
Verification
Verify SSL Proxy Configuration
Purpose
Confirm that the configuration is working properly by displaying the SSL proxy statistics.
Action
From operational mode, enter the show services ssl proxy statistics command.
user@host> show services ssl proxy statistics
PIC:fwdd0 fpc[0] pic[0]
sessions matched 0
sessions bypassed:non-ssl 0
sessions bypassed:mem overflow 0
sessions bypassed:low memory 0
sessions created 0
sessions ignored 0
sessions active 0
sessions dropped 0
sessions whitelisted 0
whitelisted url category match 0
default profile hit 0
session dropped no default profile 0
policy hit no profile configured 0
Meaning
The command output displays the following information:
- Details about the sessions matched for the SSL proxy.
- Details about the default SSL proxy profile, such as the sessions where the default profile is applied and the sessions that are dropped due to the absence of the default profile.
SNI-Based Dynamic Application Information for SSL Proxy Profile
Starting in Junos OS Release 20.4R1, we have enhanced the SSL proxy profile selection mechanism by using the Server Name Indication (SNI) TLS extension to identify dynamic applications.
The SSL proxy module defers SSL profile selection until the dynamic application is detected from the SNI in the client hello message. After detecting the dynamic application, the SSL proxy module does a firewall rule lookup based on the identified application and selects an appropriate SSL proxy profile.
Using the SNI-based dynamic application information for SSL proxy profile selection results in a more accurate SSL proxy profile selection for the session. By default, SNI-based dynamic application information for SSL proxy profile selection is enabled on the SRX Series Firewall. See show services ssl proxy counters to check the counters for SSL proxy.