This post is intended to introduce you to the concept of apply-groups and how it can be used to enable logging in a Juniper SRX firewall security policy if a flow matches.
This post doesn't show how to create a security policy but it does show how to enable security policy logging on SRX firewalls via CLI for those with thousands of security policies.
1) Enter the groups hierarchy and set the group name
[edit]
root@homefwsrx210# edit groups session-init-close
2) Under the "edit groups session-init-close" hierarchy, set the necessary policy actions as shown below
[edit groups session-init-close]
~# set security policies from-zone <*> to-zone <*> policy <*> then log session-init
~# set security policies from-zone <*> to-zone <*> policy <*> then log session-close
~# top
The <*> is a wildcard that matches anything. This means that the two commands in step 2 will match any source zone, any destination zone and any policy, and will insert the "log session-init" and "log session-close" actions at the end of every policy.
3) Apply the configured group settings under the "edit security policies" hierarchy
[edit security policies]
~# set apply-groups session-init-close
~# commit
**** For JUNOS CLI experts, only these 2 commands (followed by a commit) are needed from configuration mode ****
#set groups session-init-close security policies from-zone <*> to-zone <*> policy <*> then log session-init session-close
#set security policies apply-groups session-init-close
#commit
After the configuration commits, use the following command to verify that every policy has inherited the logging actions from the group
#show security policies | display inheritance
[Screenshots: "show security policies | display inheritance" output before and after the apply-groups configuration]
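As an added example (not from the original post), here is a small Python audit for the verification step that flags any security policy still missing one of the two log actions. It assumes the configuration was exported with "show configuration security policies | display inheritance | display set", so that actions inherited from the apply-group appear as ordinary set lines; the sample configuration below is constructed.

```python
import re
from collections import defaultdict

# Constructed sample in "display set" form (not output from the original post).
# Assumed to come from "show configuration security policies | display inheritance | display set",
# so actions inherited from an apply-group appear as ordinary set lines.
SAMPLE_CONFIG = """
set security policies from-zone trust to-zone untrust policy allow-web match source-address any
set security policies from-zone trust to-zone untrust policy allow-web then permit
set security policies from-zone trust to-zone untrust policy allow-web then log session-init
set security policies from-zone trust to-zone untrust policy allow-web then log session-close
set security policies from-zone trust to-zone dmz policy allow-dns then permit
set security policies from-zone trust to-zone dmz policy allow-dns then log session-close
set security policies from-zone untrust to-zone trust policy deny-all then deny
"""

REQUIRED_LOG_FLAGS = {"session-init", "session-close"}  # what the post's group adds
# Any statement belonging to a policy: captures (from-zone, to-zone, policy-name).
POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+)(?:\s|$)")
LOG_RE = re.compile(r"\bthen log (session-init|session-close)$")  # flags being audited


def audit_policy_logging(config_text):
    """Map each (from_zone, to_zone, policy) to the set of log flags it lacks.
    Policies that already carry both flags are omitted from the result."""
    flags_by_policy = defaultdict(set)
    for line in config_text.splitlines():
        line = line.strip()
        m = POLICY_RE.match(line)
        if not m:
            continue  # not a security-policy statement
        flags = flags_by_policy[m.groups()]  # register the policy even without a log line
        lm = LOG_RE.search(line)
        if lm:
            flags.add(lm.group(1))
    return {key: REQUIRED_LOG_FLAGS - flags
            for key, flags in flags_by_policy.items()
            if REQUIRED_LOG_FLAGS - flags}


def remediation_commands(missing):
    """Per-policy set commands that would close the reported gaps; with thousands of
    policies the apply-group is the shorter fix, this list just shows what was missed."""
    return sorted(
        f"set security policies from-zone {fz} to-zone {tz} policy {pol} then log {flag}"
        for (fz, tz, pol), flags in missing.items()
        for flag in sorted(flags))
```

Run the audit on the real export after the commit; an empty result means the apply-group reached every policy.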
Conclusion:
The apply-groups feature in JUNOS is a very powerful tool for grouping configuration objects together, and a group can be applied at different hierarchy levels depending on the administrator's preference.
I hope this has been informative for you.