Logging User Identity Information Based on Zones
The integrated user firewall zone-based feature directs the system to log the user identify information based on the source zone configured in the security policy. The log information includes all users who belong to the zone and their traffic matches the security policy.
Understanding How to Include User Identity Information in the Session Log File Based on the Source Zone
This topic covers the integrated user firewall feature that allows you to configure the system to write to the session log the user’s identity by user name or group name without having to use the source identity (source-identity) tuple in the security policy. Knowing the user’s identity by name, as written to the log, not just by the IP address of the user’s device, gives you clearer visibility into their activity and allows you to resolve security problems faster and more easily. Relying on the source zone (from-zone) to trigger user identity logging rather than on the source identity widens the scope of users whose source identity is logged.
Typically, for each security policy, you must specify in the policy the source and destination IP addresses and the zones against which traffic is matched. You must also specify an application that the traffic is matched to. If traffic matches these criteria, then the security policy’s action is applied to the traffic issued from the user’s device. However, no user identity information is written to the session log.
Optionally, instead of relying exclusively on the IP address of the user’s device to identify the source of the traffic, you can specify the user identity—that is, the user name or the group name—in the source-identity tuple of a security policy. This approach gives you greater control over resource access by narrowing down application of the security policy’s actions to a single, identified user or a group of users, if other security policy matching conditions are met. However, use of the source-identity tuple constrains application of the policy to traffic from a single user or user group.
It may happen that you want the system to write to the session log the user identity for all users from whom traffic originated based on the zone to which they belong (from-zone). In this case, you do not want to narrow the traffic match and security policy application to a single user or a user group, which configuring the source-identity tuple would do.
The zone-based user identity feature allows you to direct the system to write to the log user identity information for any user who belongs to a zone that is configured with the source-identity-log statement when that zone is used as the source zone in a matching security policy.
For the source-identity-log feature to take effect, you must also configure logging of the session initialize (session-init) and session end (session-close) events as part of the security policy’s actions.
Table 1 identifies the platforms that support this feature.
Supported SRX Series Firewall Platforms |
|---|
SRX320 |
SRX380 |
SRX550M |
SRX1500 series |
SRX500 series |
Example: Configuring Integrated User Firewall to Write User Identity to the Session Log Based On the Source Zone
This example shows how to configure the integrated user firewall zone-based user identity feature that directs the system to log user identity information based on the source zone (from-zone) configured in the security policy. The zone-based user identity feature widens the scope of users whose identity information is written to the log to include all users who belong to the zone whose traffic matches the security policy.
Requirements
This feature is supported starting with Junos OS 15.1X49-D60 and Junos OS Release 17.3R1. You can configure and run this feature on any of the currently supported SRX Series Firewalls beginning with Junos OS 15.1X49-D60.
Overview
This example shows how to configure integrated user firewall to log user identity information in the session log based on the source zone in the security policy. For this to occur, the zone specified as the source zone must be configured for source identity logging. For zone-based user identity logging, the security policy’s actions must include session create (session-init) and session close (session-close) events.
When all conditions are met, the user’s name is written to the log at the beginning of the session (or session initialization) and at the beginning of the close of the session (or session tear-down). Note that if a security policy denies the user access to the resource, an entry identifying the user by name is written to the log, that is, if session close is configured.
When you use the zone-based user identity feature, it is the source zone (from-zone) in the security policy that initiates the user identity logging event.
Prior to introduction of this feature, it was necessary to include the source identity tuple (source-identity) in a security policy to direct the system to write user identity information to the log—that is, the user name or the group name. The user identity was written to the log if the source-identity tuple was configured in any of the policies in a zone pair that matched the user’s traffic and the session close log was configured.
However, the source identity feature is specific to an individual user or a group of users, and it constrains application of the security policy in that regard.
It is the user name that is stored in the local Active Directory table which the system writes to the log when the policy’s source zone is configured for user-identity logging. The SRX Series Firewall previously obtained the user identity information by reading the domain controller event log. The SRX Series Firewall stored that information in its Active Directory table.
You can use the source-identity tuple in a security policy that also specifies as its source zone a zone that was configured for user identity logging. Because integrated user firewall collects the names of the groups that a user belongs to from Microsoft Domain Controllers only when integrated user firewall relies on the source identity tuple, if you use the zone-based user identity logging feature without also configuring source-identity, the log will contain only the name of the user requesting access and not the groups that the user belongs to.
After you configure a zone to support source identity logging, the zone is reusable as the from-zone specification in any security policy for which you want user identity information logged.
To summarize, the user’s name is written to the log if:
The user belongs to the zone configured for source identity logging.
The user Issues a resource access request whose generated traffic matches a security policy whose source zone (from-zone) tuple specifies a qualifying zone.
The security policy includes as part of its actions the session initialize (session-init) and session end (session-close) events.
The source identity log function benefits include the ability to:
Cover a wide range of users in a single specification—that is, all users who belong to a zone that is configured for source identity logging.
Continue to use an address range for the source address in a security policy without forfeiting user identity logging.
Reuse a zone that is configured for source identity logging in more than one security policy.
Because it is configured independent of the security policy, you can specify the zone as the source zone in one or more policies.
The user identity is not logged if you specify a zone configured for zone-based user identity logging as the destination zone rather than as the source zone.
For this function to work, you must configure the following information:
The source identity log statement configured for a zone that is used as the source zone (from-zone) in the intended security policy.
A security policy that specifies:
A qualifying zone as its source zone.
The session-init and the session-close events as part of its actions.
Configuration
To configure the source identity logging feature, perform these tasks:
- CLI Quick Configuration
- Configuring a Zone to Support Source Identity Logging and Using It in a Security Policy
- Results
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
copy and paste the commands into the CLI at the [edit] hierarchy
level, and then enter commit from configuration mode.
set security zones security-zone trust source-identity-log set security policies from-zone trust to-zone untrust policy appfw-policy1 match source-address any destination-address any application junos-ftp set security policies from-zone trust to-zone untrust policy appfw-policy1 then permit set security policies from-zone trust to-zone untrust policy appfw-policy1 then log session-init set security policies from-zone trust to-zone untrust policy appfw-policy1 then log session-close
Configuring a Zone to Support Source Identity Logging and Using It in a Security Policy
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
Configure source identity logging for the trust zone. When this zone is used as the source zone in a security policy, the system writes the user identity information to the session log for all users to whom the security policy applies.
[edit security] user@host# set zones security-zone trust source-identity-log
Configure a security policy called appfw-policy1 that specifies the zone trust as the term for its source zone. Source identity logging is applied to any user whose traffic matches the security policy’s tuples.
This security policy allows the user to access the junos-ftp service. When the session is established for the user, the user’s identity is logged. It is also logged at the close of the session.
[edit security] user@host# set policies from-zone trust to-zone untrust policy appfw-policy1 match source-address any destination-address any application junos-ftp user@host# set policies from-zone trust to-zone untrust policy appfw-policy1 then permit
Configure the appfw-policy1 security policy’s actions to include logging of the session initiation and session close events.
Note:You must configure the security policy to log session initiation and session close events for the source identity log function to take effect. The user identity information is written to the log in conjunction with these events.
[edit security] user@host# set policies from-zone trust to-zone untrust policy appfw-policy1 then log session-init user@host# set policies from-zone trust to-zone untrust policy appfw-policy1 then log session-close
Results
From configuration mode, confirm your configuration
by entering the show security zones command. If the output
does not display the intended configuration, repeat the configuration
instructions in this example to correct it.
Verification
This section shows the session log generated for the user session. The log output:
Shows the user name, user1, which appears at the outset of session open and then again at the outset of session close.
The security policy configuration that caused the user name to be written to the log specifies the zone trust as its source zone. The zone trust was configured for source identity logging.
Includes information obtained from the user’s request traffic, the policy matching criteria, and the NAT setup.
Contains identity information about the user, which is obtained from the Active Directory database. That information includes the role parameter for “MyCompany/Administrator”, which shows the groups that the user belongs to.
In this scenario, the user requested access to the Juniper Networks junos-ftp service, which the log also records. Table 2 calls out the parts of the log that are specific to the source identity log function configuration:
session create This is the session initiation which begins the first section of the log that records the session setup information. The user’s name, user1, is displayed at the beginning of the session create log recording. |
user1 RT_FLOW_SESSION_CREATE |
Session create is followed by standard information that defines the session based on the user’s traffic that matches security policy tuples. |
|
source address, the source port, the destination address, the destination port. |
source-address="198.51.100.13/24" source-port="635" destination-address="198.51.100.10/24" destination-port="51" |
application service This is the application service that the user requested access to and which the security policy permitted. |
service-name="junos-ftp" |
source zone, destination zone Further down the log are the zone specifications which show trust as the source zone and untrust as the destination zone as defined. |
source-zone-name="trust" destination-zone-name="untrust" |
session close This is the session close initiation, which begins the second part of the log record that covers session tear-down and close. The user’s name, user1, is displayed at the beginning of the session close record. |
user1 RT_FLOW - RT_FLOW_SESSION_CLOSE |
Verify that the User Identity Information Was Logged
Purpose
Note that integrated user firewall collects groups configured as the source-identity only from Microsoft Domain Controllers. If you use the zone-based user-identity feature without configuring source-identity, the log will contain only the user’s name, that is, no group informations is recorded. In that case, the “roles=” section of the log will show “N/A”. In the following example, it is assumed that the source-identity tuple was used and the “roles=” section shows a long list of the groups that the user “Administrator” belongs to.
Action
Display the log information.
Sample Output
command-name
<14>1 2015-01-19T15:03:40.482+08:00 user1 RT_FLOW - RT_FLOW_SESSION_CREATE [user@host2636 192.0.2.123 source-address=”198.51.100.13“ source-port=”635” destination-address=”198.51.100.10” destination-port=”51” service-name=”junos-ftp” nat-source-address=”203.0.113.10” nat-source-port=”12349” nat-destination-address ="198.51.100.13" nat-destination-port="3522" nat-rule-name="None" dst-nat-rule-name="None" protocol-id="6" policy-name="appfw-policy1" source-zone-name="trust" destination-zone-name="untrust" session-id-22="12245" username="MyCompany/Administrator " roles="administrators, Users, Enterprise Admins, Schema Admins, ad, Domain Users, Group Policy Creator Owners, example-team, Domain Admins" packet-incoming-interface="ge-0/0/0.1" application="UNKNOWN" nested-application="UNKNOWN" encrypted="UNKNOWN"] session created 192.0.2.1/21 junos-ftp 10.1.1.12/32898->10.3.1.10/21 junos-ftp 10.1.1.1/547798->10.1.2.10/21 None None 6 appfw-policy1 trust untrust 20000025 MyCompany/Administrator (administrators, Users, Enterprise Admins, Schema Admins, ad, Domain Users, Group Policy Creator Ownersexample-team, Domain Admins) ge-0/0/0.0 UNKNOWN UNKNOWN UNKNOWN <14>1 2015-01-19T15:03:59.427+08:00 user1 RT_FLOW - RT_FLOW_SESSION_CLOSE [user@host2636 192.0.2.123 reason="idle Timeout” source-address=”198.51.100.13“ source-port=”635”" destination-address=”198.51.100.10” destination-port=”51" service-name="junos-ftp" nat-source-address="203.0.113.10" nat-source-port="12349" nat-destination-address ="198.51.100.13" "nat-destination-port="3522" src-nat-rule-name="None" dst-nat-rule-name="None" protocol-id="6" policy-name="appfw-policy1" source-zone-name="trust" destination-zone-name="untrust"session-id-32="20000025" packets-from-client="3" bytes-from-client="180" packets-from-server="0" bytes-from-server="0" elapsed-time="19" application="INCONCLUSIVE" nested-application="INCONCLUSIVE" username=" J “MyCompany /Administrator” roles="administrators, Users, Enterprise Admins, Schema Admins, ad, Domain Users, Group Policy Creator Owners, example-team, Domain Admins" packet-incoming-interface="ge-0/0/0.1" encrypted="UNKNOWN"] session closed idle Timeout: 111.1.1.10/1234>10.1.1.11/21 junos-ftp 10.1.1.12/32898->10.3.1.10/21 1 None None 6 appfw-policy1 trust untrust 20000025 3(180) 0(0) 19 INCONCLUSIVE INCONCLUSIVE MyCompany/Administrator (administrators, Users, Enterprise Admins, Schema Admins, ad, Domain Users, Group Policy Creator Owners, example-team, Domain Admins) ge-0/0/0.1 UNKNOWN