ON THIS PAGE
Example: Configuring Access Profiles (Primary Administrators Only)
Example: Configuring Security Features for the Primary Logical Systems
Example: Configuring Firewall Authentication for a User Logical System
Understanding Integrated User Firewall support in a Logical System
Example: Configuring Integrated User Firewall Identification Management for a User Logical System
Example: Configure Integrated User Firewall in Customized Model for Logical System
User Authentication for Logical Systems
User authentication for logical systems enables you to define firewall users and create policies that require the users to authenticate themselves through one of two authentication schemes: pass-through authentication or web authentication. For more information, see the following topics:
Example: Configuring Access Profiles (Primary Administrators Only)
The primary administrator is responsible for configuring access profiles in the primary logical system. This example shows how to configure access profiles.
Requirements
Before you begin:
Log in to the primary logical system as the primary administrator. See Understanding the Primary Logical Systems and the Primary Administrator Role.
Overview
This example configures an access profile for LDAP authentication for logical system users. This example creates the access profile described in Table 1.
The primary administrator creates the access profile.
Name |
Configuration Parameters |
|---|---|
ldap1 |
|
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
copy and paste the commands into the CLI at the [edit] hierarchy
level, and then enter commit from configuration mode.
You must be logged in as the primary administrator.
set access profile ldap1 authentication-order ldap set access profile ldap1 ldap-options base-distinguished-name ou=people,dc=example,dc=com set access profile ldap1 ldap-options assemble common-name uid set access profile ldap1 ldap-server 10.155.26.104 port 389
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure an access profile in the primary logical system:
Log in to the primary logical system as the primary administrator and enter configuration mode.
admin@host> configure admin@host#
Configure an access profile and set the authentication order.
[edit access profile ldap1] admin@host# set authentication-order ldap
Configure LDAP options.
[edit access profile ldap1] admin@host# set ldap-options base-distinguished-name ou=people,dc=example,dc=com admin@host# set ldap-options assemble common-name uid
Configure the LDAP server.
[edit access profile ldap1] admin@host# set ldap-server 10.155.26.104 port 389
Results
From configuration mode, confirm your configuration
by entering the show access profile profile-name command. If the output does not display the intended configuration,
repeat the configuration instructions in this example to correct it.
admin@host# show access profile ldap1
authentication-order ldap;
ldap-options {
base-distinguished-name ou=people,dc=example,dc=com;
assemble {
common-name uid;
}
}
ldap-server {
10.155.26.104 port 389;
}
If you are done configuring the device, enter commit from configuration mode.
Example: Configuring Security Features for the Primary Logical Systems
This example shows how to configure security features, such as zones, policies, and firewall authentication, for the primary logical system.
Requirements
Before you begin:
-
Log in to the primary logical system as the primary administrator. See Example: Configuring Root Password for Logical Systems.
-
Use the
show system security-profilecommand to see the resources allocated to the primary logical system. -
Configure logical interfaces for the primary logical system. See Example: Configuring Interfaces, Routing Instances, and Static Routes for the Primary and Interconnect Logical Systems and Logical Tunnel Interfaces for the User Logical Systems (Primary Administrators Only).
-
Configure the access profile ldap1 in the primary logical system. The ldap1 access profile is used for Web authentication of firewall users.
Overview
In this example, you configure security features for the primary logical system, called root-logical-system, shown in Example: Creating User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System. This example configures the security features described in Table 2.
|
Feature |
Name |
Configuration Parameter |
|---|---|---|
|
Zones |
ls-root-trust |
Bind to interface ge-0/0/4.0. |
|
ls-root-untrust |
Bind to interface lt-0/0/0.1 |
|
|
Address books |
root-internal |
|
|
root-external |
|
|
|
Security policies |
permit-to-userlsys |
Permit the following traffic:
|
|
permit-authorized-users |
Permit the following traffic:
|
|
|
Firewall authentication |
|
|
|
HTTP daemon |
Activate on interface ge-0/0/4.0 |
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them
into a text file, remove any line breaks, change any details necessary to
match your network configuration, copy and paste the commands into the CLI
at the [edit] hierarchy level, and then enter
commit from configuration mode.
set security address-book root-internal address masters 10.12.12.0/24 set security address-book root-internal attach zone ls-root-trust set security address-book root-external address design 10.12.1.0/24 set security address-book root-external address accounting 10.14.1.0/24 set security address-book root-external address marketing 10.13.1.0/24 set security address-book root-external address-set userlsys address design set security address-book root-external address-set userlsys address accounting set security address-book root-external address-set userlsys address marketing set security address-book root-external attach zone ls-root-untrust set security policies from-zone ls-root-trust to-zone ls-root-untrust policy permit-to-userlsys match source-address masters set security policies from-zone ls-root-trust to-zone ls-root-untrust policy permit-to-userlsys match destination-address userlsys set security policies from-zone ls-root-trust to-zone ls-root-untrust policy permit-to-userlsys match application any set security policies from-zone ls-root-trust to-zone ls-root-untrust policy permit-to-userlsys then permit set security policies from-zone ls-root-untrust to-zone ls-root-trust policy permit-authorized-users match source-address userlsys set security policies from-zone ls-root-untrust to-zone ls-root-trust policy permit-authorized-users match destination-address masters set security policies from-zone ls-root-untrust to-zone ls-root-trust policy permit-authorized-users match application junos-http set security policies from-zone ls-root-untrust to-zone ls-root-trust policy permit-authorized-users match application junos-https set security policies from-zone ls-root-untrust to-zone ls-root-trust policy permit-authorized-users then permit firewall-authentication web-authentication set security zones security-zone ls-root-trust interfaces ge-0/0/4.0 set security zones security-zone ls-root-untrust interfaces lt-0/0/0.1 set system services web-management http interface ge-0/0/4.0 set access firewall-authentication web-authentication default-profile ldap1 set access firewall-authentication web-authentication banner success "WEB AUTH LOGIN SUCCESS"
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure zones and policies for the primary logical system:
-
Log in to the primary logical system as the primary administrator and enter configuration mode.
admin@host> configure admin@host#
-
Create security zones and assign interfaces to each zone.
[edit security zones] admin@host# set security-zone ls-root-trust interfaces ge-0/0/4.0 admin@host# set security-zone ls-root-untrust interfaces lt-0/0/0.1
-
Create address book entries.
[edit security] admin@host# set address-book root-internal address masters 10.12.12.0/24 admin@host# set address-book root-external address design 10.12.1.0/24 admin@host# set address-book root-external address accounting 10.14.1.0/24 admin@host# set address-book root-external address marketing 10.13.1.0/24 admin@host# set address-book root-external address-set userlsys address design admin@host# set address-book root-external address-set userlsys address accounting admin@host# set address-book root-external address-set userlsys address marketing
-
Attach address books to zones.
[edit security] admin@host# set address-book root-internal attach zone ls-root-trust admin@host# set address-book root-external attach zone ls-root-untrust
-
Configure a security policy that permits traffic from the ls-root-trust zone to the ls-root-untrust zone.
[edit security policies from-zone ls-root-trust to-zone ls-root-untrust] admin@host# set policy permit-to-userlsys match source-address masters admin@host# set policy permit-to-userlsys match destination-address userlsys admin@host# set policy permit-to-userlsys match application any admin@host# set policy permit-to-userlsys then permit
-
Configure a security policy that authenticates traffic from the ls-root-untrust zone to the ls-root-trust zone.
[edit security policies from-zone ls-root-untrust to-zone ls-root-trust] admin@host# set policy permit-authorized-users match source-address userlsys admin@host# set policy permit-authorized-users match destination-address masters admin@host# set policy permit-authorized-users match application junos-http admin@host# set policy permit-authorized-users match application junos-https admin@host# set policy permit-authorized-users then permit firewall-authentication web-authentication
-
Configure the Web authentication access profile and define a success banner.
[edit access] admin@host# set firewall-authentication web-authentication default-profile ldap1 admin@host# set firewall-authentication web-authentication banner success “WEB AUTH LOGIN SUCCESS”
-
Activate the HTTP daemon on the device.
[edit system] admin@host# set services web-management http interface ge-0/0/4.0
Results
From configuration mode, confirm your configuration by entering the
show security, show access, and
show system services commands. If the output does not
display the intended configuration, repeat the configuration instructions in
this example to correct it.
For brevity, this show command output includes only the
configuration that is relevant to this example. Any other configuration on
the system has been replaced with ellipses (...).
[edit]
admin@host# show security
...
address-book {
root-internal {
address masters 10.12.12.0/24;
attach {
zone ls-root-trust;
}
}
root-external {
address design 10.12.1.0/24;
address accounting 10.14.1.0/24;
address marketing 10.13.1.0/24;
address-set userlsys {
address design;
address accounting;
address marketing;
}
attach {
zone ls-root-untrust;
}
}
}
policies {
from-zone ls-root-trust to-zone ls-root-untrust {
policy permit-to-userlsys {
match {
source-address masters;
destination-address userlsys;
application any;
}
then {
permit;
}
}
}
from-zone ls-root-untrust to-zone ls-root-trust {
policy permit-authorized-users {
match {
source-address userlsys;
destination-address masters;
application [ junos-http junos-https ];
}
then {
permit {
firewall-authentication {
web-authentication;
}
}
}
}
}
}
zones {
security-zone ls-root-trust {
interfaces {
ge-0/0/4.0;
}
}
security-zone ls-root-untrust {
interfaces {
lt-0/0/0.1;
}
}
}
[edit]
admin@host# show access
...
firewall-authentication {
web-authentication {
default-profile ldap1;
banner {
success "WEB AUTH LOGIN SUCCESS";
}
}
}
[edit]
admin@host# show system services
web-management {
http {
interface ge-0/0/4.0;
}
}
If you are done configuring the device, enter commit from
configuration mode.
Verification
To confirm that the configuration is working properly, perform these tasks:
Understanding Logical System Firewall Authentication
A firewall user is a network user who must provide a username and password for authentication when initiating a connection across the firewall. Junos OS enables administrators to restrict and permit firewall users to access protected resources (different zones) behind a firewall based on their source IP address and other credentials.
The primary administrator is responsible for configuring access profiles in the primary logical system. Access profiles store usernames and passwords of users or point to external authentication servers where such information is stored. Access profiles configured at the primary logical system are available to all user logical systems.
The primary administrator configures the maximum
and reserved numbers of firewall authentications for each user logical
system. The user logical system administrator can then create firewall
authentications in the user logical system. From a user logical system,
the user logical system administrator can use the show system
security-profile auth-entry command to view the number of authentication
resources allocated to the user logical system.
To configure the access profile, the primary administrator uses
the profile configuration statement at the [edit access] hierarchy level in the primary logical
system. The access profile can also include the order of authentication
methods, LDAP or RADIUS server options, and session options.
The user logical system administrator can then associate the access profile with a security policy in the user logical system. The user logical system administrator also specifies the type of authentication:
With pass-through authentication, a host or a user from one zone tries to access resources on another zone using an FTP, a telnet, or an HTTP client. The device uses FTP, Telnet, or HTTP to collect username and password information, and subsequent traffic from the user or host is allowed or denied based on the result of this authentication.
With Web authentication, users use HTTP to connect to an IP address on the device that is enabled for Web authentication and are prompted for the username and password. Subsequent traffic from the user or host to the protected resource is allowed or denied based on the result of this authentication.
The user logical system administrator configures the following properties for firewall authentication in the user logical system:
Security policy that specifies firewall authentication for matching traffic. Firewall authentication is specified with the
firewall-authenticationconfiguration statement at the [edit security policies from-zone zone-name to-zone zone-name policy policy-name then permit] hierarchy level.Users or user groups in an access profile who are allowed access by the policy can optionally be specified with the client-match configuration statement. (If no users or user groups are specified, any user who is successfully authenticated is allowed access.)
For pass-through authentication, the access profile can optionally be specified and Web redirect (redirecting the client system to a webpage for authentication) can be enabled.
Type of authentication (pass-through or Web authentication), default access profile, and success banner for the FTP, Telnet, or HTTP session. These properties are configured with the
firewall-authenticationconfiguration statement at the [edit access] hierarchy level.Host inbound traffic. Protocols, services, or both are allowed to access the logical system. The types of traffic are configured with the
host-inbound-trafficconfiguration statement at the [edit security zones security-zone zone-name] or [edit security zones security-zone zone-name interfaces interface-name] hierarchy levels.
From a user logical system, the user logical system
administrator can use the show security firewall-authentication
users or show security firewall-authentication history commands to view the information about firewall users and history
for the user logical system. From the primary logical system, the
primary administrator can use the same commands to view information
for the primary logical system, a specific user logical system, or
all logical systems.
See Also
Example: Configuring Firewall Authentication for a User Logical System
This example shows how to configure firewall authentication for a user logical system.
Requirements
Before you begin:
Log in to the user logical system as the logical system administrator. See User Logical Systems Configuration Overview.
Use the
show system security-profiles auth-entrycommand to see the firewall authentication entries allocated to the logical system.Access profiles must be configured in the primary logical system by the primary administrator.
Overview
This example configures the ls-product-design user logical system shown in Example: Creating User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System.
In this example, users in the ls-marketing-dept and ls-accounting-dept logical systems are required to authenticate when initiating certain connections to the product designers subnet. This example configures the firewall authentication described in Table 3.
This example uses the access profile configured and address book entries configured in Example: Configuring Security Zones for a User Logical Systems.
Feature |
Name |
Configuration Parameters |
|---|---|---|
Security policy |
permit-authorized-users Note:
Policy lookup is performed in the order that the policies
are configured. The first policy that matches the traffic is used.
If you have previously configured a policy that permits traffic for
the same from-zone, to-zone, source address, and destination address
but with application |
Permit firewall authentication for the following traffic:
The ldap1 access profile is used for pass-through authentication. |
Firewall authentication |
|
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
copy and paste the commands into the CLI at the [edit] hierarchy
level, and then enter commit from configuration mode.
set security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust policy permit-authorized-users match source-address otherlsys set security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust policy permit-authorized-users match destination-address product-designers set security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust policy permit-authorized-users match application junos-h323 set security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust policy permit-authorized-users then permit firewall-authentication pass-through access-profile ldap1 set access firewall-authentication pass-through default-profile ldap1 set access firewall-authentication pass-through http banner login “welcome”
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure firewall authentication in a user logical system:
Log in to the user logical system as the logical system administrator and enter configuration mode.
lsdesignadmin1@host:ls-product-design> configure lsdesignadmin1@host:ls-product-design#
Configure a security policy that permits firewall authentication.
[edit security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust] lsdesignadmin1@host:ls-product-design# set policy permit-authorized-users match source-address otherlsys lsdesignadmin1@host:ls-product-design# set policy permit-authorized-users match destination -address product-designers lsdesignadmin1@host:ls-product-design# set policy permit-authorized-users match application junos-h323 lsdesignadmin1@host:ls-product-design# set policy permit-authorized-users then permit firewall-authentication pass-through access-profile ldap1
Reorder the security policies.
[edit] lsdesignadmin1@host:ls-product-design# insert security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust policy permit-authorized-users before policy permit-all-from-otherlsys
Configure firewall authentication.
[edit access firewall-authentication] lsdesignadmin1@host:ls-product-design# set pass-through http banner login "welcome" lsdesignadmin1@host:ls-product-design# set pass-through default-profile ldap1
Results
From configuration mode, confirm your configuration
by entering the show security policies and show access
firewall-authentication commands. If the output does not display
the intended configuration, repeat the configuration instructions
in this example to correct it.
lsdesignadmin1@host:ls-product-design# show security policies
from-zone ls-product-design-trust to-zone ls-product-design-untrust {
policy permit-all-to-otherlsys {
match {
source-address product-designers;
destination-address otherlsys;
application any;
}
then {
permit;
}
}
}
from-zone ls-product-design-untrust to-zone ls-product-design-trust {
policy permit-authorized-users {
match {
source-address otherlsys;
destination-address product-designers;
application junos-h323;
}
then {
permit {
firewall-authentication {
pass-through {
access-profile ldap1;
}
}
}
}
}
policy permit-all-from-otherlsys {
match {
source-address otherlsys;
destination-address product-designers;
application any;
}
then {
permit;
}
}
}
lsdesignadmin1@host:ls-product-design# show access firewall-authentication
pass-through {
default-profile ldap1;
http {
banner {
login welcome;
}
}
}
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying Firewall User Authentication and Monitoring Users and IP Addresses
Purpose
Display firewall authentication user history and verify the number of firewall users who successfully authenticated and firewall users who failed to log in.
Action
From operational mode, enter these show commands.
lsdesignadmin1@host:ls-product-design> show security firewall-authentication history lsdesignadmin1@host:ls-product-design> show security firewall-authentication history identifier id lsdesignadmin1@host:ls-product-design> show security firewall-authentication users lsdesignadmin1@host:ls-product-design> show security firewall-authentication users identifier id
Understanding Integrated User Firewall support in a Logical System
Starting in Junos OS Release 18.3R1, the support for authentication sources is extended to include Local authentication, Active Directory (AD) authentication, and firewall authentication in addition to the existing support for authentication sources Juniper Identity Management Service (JIMS) and ClearPass authentication.
Starting in Junos OS Release 18.2R1, the support for user firewall authentication is enhanced using a shared model. In this model, user logical systems share user firewall configuration and authentication entries with the primary logical system and the integrated user firewall authentication is supported in a user logical system.
In the shared model, user firewall related configuration is configured under the primary logical system, such as authentication source, authentication source priority, authentication entries timeout, and IP query or Individual query and so on. The user firewall provides user information service for an application in the SRX Series Firewall, such as policy and logging. Traffic from a user logical system queries authentication tables from the primary logical system.
The authentication tables are managed by a primary logical system. The user logical systems share the authentication tables. Traffic from the primary logical system and the user logical systems query the same authentication table. User logical systems enable the use of the source-identity in security policy.
For example, if the primary logical system is configured with employee and the user logical system is configured with the source-identity manager, then the reference group of this authentication entry includes employee and manager. This reference group contains the same authentication entries from primary logical system and user logical system.
Starting in Junos OS Release 19.3R1, support for user firewall authentication is enhanced by using a customized model through integrated JIMS with active mode. In this model, the logical system extracts the authentication entries from the root level. The primary logical system is configured to the JIMS server based on the logical system and tenant system name. In active mode the SRX Series Firewall actively queries the authenticaton entries received from the JIMS server through HTTPs protocol. To reduce the data exchange, firewall filters are applied.
The user firewall uses the logical system name as a differentiator and is consistent between the JIMS server and SRX Series Firewall. The JIMS server sends the differentiator which is included in the authentication entry. The authentication entries are distributed into the root logical system, when the differentiator is set as default for primary logical system.
The user firewall supports In-service software upgrade (ISSU) for logical systems, as user firewall changes the internal database table format from Junos OS Release 19.2R1 onwards. Prior to Junos OS Release 19.2R1, ISSU is not supported for logical systems.
- Limitation of Using User Firewall Authentication
- Limitation of Using User Firewall Authentication in Customized Model on Logical Systems
Limitation of Using User Firewall Authentication
Using user firewall authentication on tenant systems has the following limitation:
The authentication entries are collected by the JIMS server based on the IP address from the customer network. If the IP addresses overlap, then the authentication entry changes when users log in under different user logical systems.
Limitation of Using User Firewall Authentication in Customized Model on Logical Systems
Using user firewall authentication in customized model on logical systems has the following limitation:
The JIMS server configurations to be configured under the root logical systems.
The logical system name should be consistent and unique between the JIMS server and the SRX Series Firewall.
See Also
Example: Configuring Integrated User Firewall Identification Management for a User Logical System
This example shows how to configure the SRX Series Firewall's advanced query feature for obtaining user identity information from the Juniper Identity Management Service (JIMS) and the security policy to match the source identity for a user logical system. In the root logical system, user firewall is configured with JIMS, and then the root logical system manages all of authentication entries coming from JIMS. In this example, all of user logical systems share their authentication entries with the root logical system.
Requirements
This example uses the following hardware and software components:
SRX1500 devices operating in chassis clustering
JIMS server
Junos OS Release 18.2 R1
Before you begin:
Log in to the user logical system as the logical system administrator. See User Logical Systems Overview
Configure user logical systems lsys1 and lsys2. See Example: Configuring User Logical Systems
Configure security profile on primary logical system and assign it to user logical systems lsys1 and lsys2. See Example: Configuring Logical Systems Security Profiles (Primary Administrators Only)
Configure interfaces and routing options on logical systems root logical system, user logical systems lsys1, and lsys2. See Example: Configuring Interfaces, Routing Instances, and Static Routes for the Primary and Interconnect Logical Systems and Logical Tunnel Interfaces for the User Logical Systems (Primary Administrators Only) and Example: Configuring Interfaces and Routing Instances for a User Logical Systems
Configure security policies for a user logical systems. See Example: Configuring Security Policies in a User Logical Systems
Configure zones for a user logical system. See Example: Configuring Security Zones for a User Logical Systems
Configure logical systems in a basic active/passive chassis cluster. See Example: Configuring Logical Systems in an Active/Passive Chassis Cluster (Primary Administrators Only)
Overview
In this example, you can configure JIMS with HTTPs connection on port 443 and primary server with IPv4 address on primary logical system, policy p1 with source-identity "group1" of dc0 domain on logical system lsys1, policy p1 with source-identity "group1" of dc0 domain on logical system lsys2, and send traffic from and through logical system lsys1 to logical system lsys2. You can view the authentication entries on primary logical system and user logical systems (lsys1 and lsys2) even after rebooting the primary node.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the
following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configuration,
copy and paste the commands into the CLI at the [edit] hierarchy
level, and then enter commit from configuration mode.
set logical-systems lsys1 security policies from-zone lsys1_trust to-zone lsys1_trust policy lsys1_policy1 match source-address any set logical-systems lsys1 security policies from-zone lsys1_trust to-zone lsys1_trust policy lsys1_policy1 match destination-address any set logical-systems lsys1 security policies from-zone lsys1_trust to-zone lsys1_trust policy lsys1_policy1 match application any set logical-systems lsys1 security policies from-zone lsys1_trust to-zone lsys1_trust policy lsys1_policy1 then permit set logical-systems lsys1 security policies from-zone lsys1_trust to-zone lsys1_trust policy lsys1_policy1 match source-identity "example.com\group1" set logical-systems lsys1 security policies from-zone lsys1_trust to-zone lsys1_trust policy lsys1_policy1 then permit set logical-systems lsys1 security policies from-zone lsys1_trust to-zone lsys1_untrust policy lsys1_policy2 match source-address any set logical-systems lsys1 security policies from-zone lsys1_trust to-zone lsys1_untrust policy lsys1_policy2 match destination-address any set logical-systems lsys1 security policies from-zone lsys1_trust to-zone lsys1_untrust policy lsys1_policy2 match application any set logical-systems lsys1 security policies from-zone lsys1_trust to-zone lsys1_untrust policy lsys1_policy2 then permit set logical-systems lsys1 security policies from-zone lsys1_untrust to-zone lsys1_trust policy lsys1_policy3 match source-address any set logical-systems lsys1 security policies from-zone lsys1_untrust to-zone lsys1_trust policy lsys1_policy3 match destination-address any set logical-systems lsys1 security policies from-zone lsys1_untrust to-zone lsys1_trust policy lsys1_policy3 match application any set logical-systems lsys1 security policies from-zone lsys1_untrust to-zone lsys1_trust policy lsys1_policy3 then permit set logical-systems lsys1 security policies policy-rematch set logical-systems lsys2 security policies from-zone lsys2_untrust to-zone lsys2_untrust policy lsys2_policy1 match source-address any set logical-systems lsys2 security policies from-zone lsys2_untrust to-zone lsys2_untrust policy lsys2_policy1 match destination-address any set logical-systems lsys2 security policies from-zone lsys2_untrust to-zone lsys2_untrust policy lsys2_policy1 match application any set logical-systems lsys2 security policies from-zone lsys2_untrust to-zone lsys2_untrust policy lsys2_policy1 match source-identity "example.com\group2" set logical-systems lsys2 security policies from-zone lsys2_untrust to-zone lsys2_untrust policy lsys2_policy1 then permit set logical-systems lsys2 security policies policy-rematch set services user-identification identity-management connection connect-method https set services user-identification identity-management connection port 443 set services user-identification identity-management connection primary address 192.0.2.5 set services user-identification identity-management connection primary client-id otest set services user-identification identity-management connection primary client-secret "$ABC123" set security policies from-zone root_trust to-zone root_trust policy root_policy1 match source-address any set security policies from-zone root_trust to-zone root_trust policy root_policy1 match destination-address any set security policies from-zone root_trust to-zone root_trust policy root_policy1 match application any set security policies from-zone root_trust to-zone root_trust policy root_policy1 then permit set security policies policy-rematch set security zones security-zone root_trust interfaces reth1.0 host-inbound-traffic system-services all set security zones security-zone root_trust interfaces reth1.0 host-inbound-traffic protocols all set security zones security-zone root_trust interfaces lt-0/0/0.1 host-inbound-traffic system-services all set security zones security-zone root_trust interfaces lt-0/0/0.1 host-inbound-traffic protocols all set firewall family inet filter impair-ldap term allow_all then accept
Configuring user firewall identification management
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure user firewall identification management:
Log in to the primary logical system as the primary administrator and enter configuration mode.
user@host> configure user@host#
Create logical systems.
[edit logical-systems] user@host#set LSYS0 user@host#set LSYS1 user@host#set LSYS2
Configure a security policy lsys1_policy1 with source-identity group1 on logical system lsys1 that permits traffic from lsys1_trust to lsys1_trust.
[edit security policies] user@host#set from-zone lsys1_trust to-zone lsys1_trust policy lsys1_policy1 match source-address any user@host#set from-zone lsys1_trust to-zone lsys1_trust policy lsys1_policy1 match destination-address any user@host#set from-zone lsys1_trust to-zone lsys1_trust policy lsys1_policy1 match application any user@host#set from-zone lsys1_trust to-zone lsys1_trust policy lsys1_policy1 match source-identity "example.com\group1" user@host#set from-zone lsys1_trust to-zone lsys1_trust policy lsys1_policy1 then permit
Configure a security policy lsys1_policy2 that permits traffic from lsys1_trust to lsys1_untrust.
[edit security policies] user@host#set from-zone lsys1_trust to-zone lsys1_untrust policy lsys1_policy2 match source-address any user@host#set from-zone lsys1_trust to-zone lsys1_untrust policy lsys1_policy2 match destination-address any user@host#set from-zone lsys1_trust to-zone lsys1_untrust policy lsys1_policy2 match application any user@host#set from-zone lsys1_trust to-zone lsys1_untrust policy lsys1_policy2 then permit
Configure a security policy lsys1_policy3 that permits traffic from lsys1_untrust to lsys1_trust.
[edit security policies] user@host#set from-zone lsys1_untrust to-zone lsys1_trust policy lsys1_policy3 match source-address any user@host#set from-zone lsys1_untrust to-zone lsys1_trust policy lsys1_policy3 match destination-address any user@host#set from-zone lsys1_untrust to-zone lsys1_trust policy lsys1_policy3 match application any user@host#set from-zone lsys1_untrust to-zone lsys1_trust policy lsys1_policy3 then permit user@host#set policy-rematch
Configure security zone and assign interfaces to each zone.
[edit security zones] user@host#set security-zone lsys1_trust interfaces reth2.0 host-inbound-traffic system-services all user@host#set security-zone lsys1_trust interfaces reth2.0 host-inbound-traffic protocols all user@host#set security-zone lsys1_trust interfaces lt-0/0/0.11 host-inbound-traffic system-services all user@host#set security-zone lsys1_trust interfaces lt-0/0/0.11 host-inbound-traffic protocols all user@host#set security-zone lsys1_untrust interfaces reth3.0 host-inbound-traffic system-services all user@host#set security-zone lsys1_untrust interfaces reth3.0 host-inbound-traffic protocols all
Configure a security policy lsys2_policy1 with source-identity group1 that permits traffic from lsys2_untrust to lsys2_untrust on lsys2.
[edit security policies] user@host#set from-zone lsys2_untrust to-zone lsys2_untrust policy lsys2_policy1 match source-address any user@host#set from-zone lsys2_untrust to-zone lsys2_untrust policy lsys2_policy1 match destination-address any user@host#set from-zone lsys2_untrust to-zone lsys2_untrust policy lsys2_policy1 match application any user@host#set from-zone lsys2_untrust to-zone lsys2_untrust policy lsys2_policy1 match source-identity "example.com\group2" user@host#set from-zone lsys2_untrust to-zone lsys2_untrust policy lsys2_policy1 then permit user@host#set policy-rematch
Configure security zones and assign interfaces to each zone on lsys2.
[edit security zones] user@host#set security-zone lsys2_untrust interfaces reth4.0 host-inbound-traffic system-services all user@host#set security-zone lsys2_untrust interfaces reth4.0 host-inbound-traffic protocols all user@host#set security-zone lsys2_untrust interfaces lt-0/0/0.21 host-inbound-traffic system-services all user@host#set security-zone lsys2_untrust interfaces lt-0/0/0.21 host-inbound-traffic protocols all
-
Configure JIMS as the authentication source for advanced query requests with the primary address. The SRX Series Firewall requires this information to contact the server.
[edit services user-identification identity-management] user@host#set connection port 443 user@host#set connection connect-method https user@host#set connection primary address 192.0.2.5 user@host#set connection primary client-id otest user@host#set connection primary client-secret test user@host#set authentication-entry-timeout 0
Configure security policies and zones on primary logical system.
[edit security policies] user@host#set from-zone root_trust to-zone root_trust policy root_policy1 match source-address any user@host#set from-zone root_trust to-zone root_trust policy root_policy1 match destination-address any user@host#set from-zone root_trust to-zone root_trust policy root_policy1 match application any user@host#set from-zone root_trust to-zone root_trust policy root_policy1 then permit user@host#set policy-rematch
Configure security zones and assign interfaces to each zone on primary logical system.
[edit security zones] user@host#set security-zone root_trust interfaces reth1.0 host-inbound-traffic system-services all user@host#set security-zone root_trust interfaces reth1.0 host-inbound-traffic protocols all user@host#set security-zone root_trust interfaces lt-0/0/0.1 host-inbound-traffic system-services all user@host#set security-zone root_trust interfaces lt-0/0/0.1 host-inbound-traffic protocols all user@host#set firewall family inet filter impair-ldap term allow_all then accept
Results
From configuration mode, confirm your configuration
by entering the show services user-identification identity-management show chassis cluster command. If the output does not
display the intended configuration, repeat the configuration instructions
in this example to correct it.
user@host# show services user-identification identity-management
connection {
connect-method https;
port 443;
primary {
address 192.0.2.5;
client-id otest;
client-secret "$ABC123"; ## SECRET-DATA
}
}
user@host# show chassis cluster
reth-count 5;
control-ports {
fpc 3 port 0;
fpc 9 port 0;
}
redundancy-group 0 {
node 0 priority 200;
node 1 priority 1;
}
redundancy-group 1 {
node 0 priority 100;
node 1 priority 1;
}
redundancy-group 2 {
node 0 priority 100;
node 1 priority 1;
}
redundancy-group 3 {
node 0 priority 100;
node 1 priority 1;
}
redundancy-group 4 {
node 0 priority 100;
node 1 priority 1;
}
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform the below tasks:
Verifying chassis cluster status and authentication entries
Purpose
To verify authentication entries in a logical system.
Action
To verify the configuration is working properly, enter the show services
user-identification authentication-table authentication-source
identity-management logical-system all command.
user@host> show services user-identification authentication-table authentication-source identity-management logical-system all
node0:
--------------------------------------------------------------------------
Logical System: root-logical-system
Domain: ad2012.jims.com
Total entries: 3
Source IP Username groups(Ref by policy) state
2001:db8:aaaa: N/A Valid
2001:db8:aaaa: administrator Valid
203.0.113.50 administrator Valid
node1:
--------------------------------------------------------------------------
Logical System: root-logical-system
Domain: ad2012.jims.com
Total entries: 3
Source IP Username groups(Ref by policy) state
2001:db8:aaaa: N/A Valid
2001:db8:aaaa: administrator Valid
203.0.113.50 administrator Valid
Meaning
The output displays the authentication entries that are shared from user logical system to root logical system.
Verifying chassis cluster status
Purpose
Verify chassis cluster status after rebooting the primary node.
Action
To verify the configuration is working properly, enter
the show chassis cluster status command.
user@host> show chassis cluster status
Monitor Failure codes:
CS Cold Sync monitoring FL Fabric Connection monitoring
GR GRES monitoring HW Hardware monitoring
IF Interface monitoring IP IP monitoring
LB Loopback monitoring MB Mbuf monitoring
NH Nexthop monitoring NP NPC monitoring
SP SPU monitoring SM Schedule monitoring
CF Config Sync monitoring RE Relinquish monitoring
Cluster ID: 6
Node Priority Status Preempt Manual Monitor-failures
Redundancy group: 0 , Failover count: 0
node0 200 hold no no None
node1 1 secondary no no None
Redundancy group: 1 , Failover count: 0
node0 0 hold no no CS
node1 1 secondary no no None
Redundancy group: 2 , Failover count: 0
node0 0 hold no no CS
node1 1 secondary no no None
Redundancy group: 3 , Failover count: 0
node0 0 hold no no CS
node1 1 secondary no no None
Redundancy group: 4 , Failover count: 0
node0 0 hold no no CS
node1 1 secondary no no NoneMeaning
The output displays user identification management session existing on lsys1 and lsys2 after rebooting the primary node.
Example: Configure Integrated User Firewall in Customized Model for Logical System
This example shows how to configure the integrated user firewall by using a customized model through the Juniper Identity Management Service (JIMS) server with active mode for a logical system. The primary logical systems does not share the authentication entries with the logical system. The SRX Series Firewall queries the authentication entries received from the JIMS server through HTTPs protocol in active mode.
In this example following configurations are performed:
-
Active JIMS Server Configuration
-
Logical System IP Query Configuration
-
Logical System Authentication Entry Configuration
-
Logical System Security Policy Configuration
Requirements
This example uses the following hardware and software components:
-
JIMS server version 2.0
-
Junos OS Release 19.3R1
Before you begin, be sure you have following information:
-
The IP address of the JIMS server.
-
The port number on the JIMS server for receiving HTTPs requests.
-
The client ID from the JIMS server for active query server.
-
The client secret from the JIMS server for active query server.
Overview
In this example, you can configure JIMS with HTTPs connection on port 443 and
primary server with IPv4 address on the primary logical system, policy p2 with
source-identity group1 on logical system
LSYS1.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set services user-identification logical-domain-identity-management active query-server jims1 connection connect-method https set services user-identification logical-domain-identity-management active query-server jims1 connection port 443 set services user-identification logical-domain-identity-management active query-server jims1 connection primary address 192.0.2.5 set services user-identification logical-domain-identity-management active query-server jims1 connection primary client-id otest set services user-identification logical-domain-identity-management active query-server jims1 connection primary client-secret "$ABC123" set logical-systems LSYS1 services user-identification logical-domain-identity-management active ip-query query-delay-time 30 set logical-systems LSYS1 services user-identification logical-domain-identity-management active invalid-authentication-entry-timeout 1 set logical-systems LSYS1 security policies from-zone untrust to-zone trust policy p2 match source-address any set logical-systems LSYS1 security policies from-zone untrust to-zone trust policy p2 match destination-address any set logical-systems LSYS1 security policies from-zone untrust to-zone trust policy p2 match application any set logical-systems LSYS1 security policies from-zone untrust to-zone trust policy p2 match source-identity "example.com\group1" set logical-systems LSYS1 security policies from-zone untrust to-zone trust policy p2 then permit
Configuring Integrated User Firewall in Customized Model:
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configuring Integrated User Firewall in Customized Model:
-
Configure JIMS as the authentication source for advanced query requests with the primary address. The SRX Series Firewall requires this information to contact the server.
user@host# set services user-identification logical-domain-identity-management active query-server jims1 connection connect-method https user@host# set services user-identification logical-domain-identity-management active query-server jims1 connection port 443 user@host# set services user-identification logical-domain-identity-management active query-server jims1 connection primary address 192.0.2.5 user@host# set services user-identification logical-domain-identity-management active query-server jims1 connection primary client-id otest user@host# set services user-identification logical-domain-identity-management active query-server jims1 connection primary client-secret "$ABC123"
-
Configure the IP query delay time for LSYS1.
user@host# set logical-systems LSYS1 services user-identification logical-domain-identity-management active ip-query query-delay-time 30
-
Configure the authentication entry attributes for LSYS1.
user@host# set logical-systems LSYS1 services user-identification logical-domain-identity-management active invalid-authentication-entry-timeout 1
-
Configure the security policy p2 that permits traffic from-zone untrust to-zone trust for LSYS1.
user@host# set logical-systems LSYS1 security policies from-zone untrust to-zone trust policy p2 match source-address any user@host# set logical-systems LSYS1 security policies from-zone untrust to-zone trust policy p2 match destination-address any user@host# set logical-systems LSYS1 security policies from-zone untrust to-zone trust policy p2 match application any user@host# set logical-systems LSYS1 security policies from-zone untrust to-zone trust policy p2 match source-identity "example.com\group1" user@host#set logical-systems LSYS1 security policies from-zone untrust to-zone trust policy p2 then permit
Results
From configuration mode, confirm your configuration by entering the
show services user-identification
logical-domain-identity-management and show
logical-systems LSYS1 commands. If the output does not display
the intended configuration, repeat the configuration instructions in this
example to correct it.
user@host# show services user-identification logical-domain-identity-management
active {
query-server jims1 {
connection {
connect-method https;
port 443;
primary {
address 192.0.2.5;
client-id otest;
client-secret "$ABC123"; ## SECRET-DATA
}
}
}
}
user@host# show logical-systems LSYS1
security {
policies {
from-zone untrust to-zone trust {
policy p2 {
match {
source-address any;
destination-address any;
application any;
source-identity "example.com\group1";
}
then {
permit;
}
}
}
}
}
services {
user-identification {
logical-domain-identity-management {
active {
invalid-authentication-entry-timeout 1;
ip-query {
query-delay-time 30;
}
}
}
}
}
If you are done configuring the device, enter commit from
configuration mode.
Verification
- Verifying the User Identification Identity Management status
- Verifying the User Identification Identity Management status counters
- Verifying the User Identification Authentication Table
Verifying the User Identification Identity Management status
Purpose
Verify the user identification status for identity-management as the authentication source.
Action
To verify the configuration is working properly, enter the show
services user-identification logical-domain-identity-management
status command.
user@host> show services user-identification logical-domain-identity-management status
node0:
--------------------------------------------------------------------------
Query server name :jims1
Primary server :
Address : 192.0.2.5
Port : 443
Connection method : HTTPS
Connection status : Online
Last received status message : OK (200)
Access token : isdHIbl8BXwxFftMRubGVsELRukYXtW3rtKmHiL
Token expire time : 2017-11-27 23:45:22
Secondary server :
Address : Not configured
Meaning
The output displays the statistical data about the advanced user query function batch queries and IP queries, or show status on the Juniper Identity Management Service servers.
Verifying the User Identification Identity Management status counters
Purpose
Verify the user identification counters for identity-management as the authentication source.
Action
To verify the configuration is working properly, enter the show
services user-identification logical-domain-identity-management
counters command.
user@host> show services user-identification logical-domain-identity-management counters
node0:
--------------------------------------------------------------------------
Query server name :jims1
Primary server :
Address : 192.0.2.5
Batch query sent number : 65381
Batch query total response number : 64930
Batch query error response number : 38
Batch query last response time : 2018-08-14 15:10:52
IP query sent number : 10
IP query total response number : 10
IP query error response number : 0
IP query last response time : 2018-08-13 12:41:56
Secondary server :
Address : Not configured
Meaning
The output displays the statistical data about the advanced user query function batch queries and IP queries, or show counters on the Juniper Identity Management Service servers.
Verifying the User Identification Authentication Table
Purpose
Verify the user identity information authentication table entries for the specified authentication source.
Action
To verify the configuration is working properly, enter the show
services user-identification authentication-table
authentication-source all logical-system LSYS1 command.
user@host> show services user-identification authentication-table authentication-source all logical-system LSYS1
node0:
--------------------------------------------------------------------------
Logical System: LSYS1
Domain: example.com
Total entries: 4
Source IP Username groups(Ref by policy) state
10.12.0.2 administrator posture-healthy Valid
10.12.0.15 administrator posture-healthy Valid
2001:db8::5 N/A posture-healthy Valid
2001:db8::342c:302b N/A posture-healthy Valid
Meaning
The output displays the entire content of the specified authentication source’s authentication table, or a specific domain, group, or user based on the user name. Display the identity information for a user based on the IP address of the user’s device.