안녕하세요.
오늘은 [2024][Juniper SRX #12] application and application-set입니다.
Juniper 방화벽 정책을 설정 시 Source port 또는 Destination port에 TCP/UDP, 또는 port number를 지정할 때 사용 합니다.
자세한 내용은 Juniper SRX 공식 홈페이지를 참조 바랍니다.
Security Policy Applications and Application Sets | Junos OS | Juniper Networks
When you create a policy, you must specify an application, or service, for it to indicate that the policy applies to traffic of that type. Sometimes the same applications or a subset of them can be present in multiple policies, making it difficult to manag
www.juniper.net
Applications은 두 가지로 분류됩니다.
1. standard
2. custom applications
standard way는 이미 Juniper SRX에서 정의된 포트를 말합니다. 주로 well-known port를 의미합니다.
| set applications application standard-way application-protocol http root# set applications application KK application-protocol ? Possible completions: dns Domain Name Service ftp File Transfer Protocol ftp-data File Transfer Protocol Data Session gprs-gtp-c GPRS Tunneling Control Plane gprs-gtp-u GPRS Tunneling User Plane gprs-gtp-v0 GPRS Tunneling Version 0 gprs-sctp GPRS Stream Control Protocol http Hypertext Transfer Protocol https Hypertext Transfer Protocol ignore Ignore application type ike-esp-nat IKE/ESP with NAT imap Internet Mail Access Protocol imaps Internet Mail Access Protocol Over TLS mgcp-ca MGCP-CA mgcp-ua MGCP-UA ms-rpc Microsoft RPC none None pop3 Post Office Protocol 3 Protocol pop3s Post Office Protocol 3 Protocol Over TLS pptp Point-to-Point Tunneling Protocol q931 Q.931 ras RAS realaudio RealAudio rsh Remote Shell rtsp Real Time Streaming Protocol sccp Skinny Client Control Protocol sip Session Initiation Protocol smtp Simple Mail Transfer Protocol smtps Simple Mail Transfer Protocol Over TLS sqlnet-v2 Oracle SQL*Net Version 2 ssh Secure Shell Protocol sun-rpc Sun Microsystems RPC talk Talk Program telnet Telnet Protocol tftp Trivial File Transfer Protocol twamp Two Way Active Meaurement Protocol [edit] |
이번에는 custom 방식에 대해서 알아보겠습니다.
Protocol -> tcp
Source-port - 0-65535 -> source port는 랜덤으로 선택됩니다. 특정 Application은 source-port가 특정 포트로 동작하는 APP도 있습니다
Destination-port - 23
inactivity-timeout - 20초
| set applications application telnet-1 protocol tcp set applications application telnet-1 source-port 0-65535 set applications application telnet-1 destination-port 23 set applications application telnet-1 inactivity-timeout 20 |
방화벽 정책 설정 시 application를 아래처럼 불러와서 사용 가능 합니다.
| set security policies from-zone trust to-zone untrust policy p1 match application telnet-1 |
만약에 하나에 방화벽 정책에 여러 개 application를 사용하고 싶으면 아래와 같이 설정 가능 합니다
| set applications application http-1 protocol tcp set applications application http-1 source-port 0-65535 set applications application http-1 destination-port 80 set applications application http-1 inactivity-timeout 20 |
아래처럼 application 정책을 계속 추가해야 합니다.
| set security policies from-zone trust to-zone untrust policy p1 match application telnet-1 set security policies from-zone trust to-zone untrust policy p1 match application http-1 |
하지만 application-set을 이용하면 하나에 정책에 많은 application 추가해서 사용할 수 있습니다.
application-set에 http-1이랑 telnet-1을 할당합니다.
| set applications application-set app-group application http-1 set applications application-set app-group application telnet-1 |
그리고 방화벽 정책에 application-set를 설정합니다.
| set security policies from-zone trust to-zone untrust policy p1 match application-set app-group |
application 설정값 확인 하는 명령어
| root> show configuration applications | display set set applications application standard-way application-protocol http set applications application http-1 protocol tcp set applications application http-1 source-port 0-65535 set applications application http-1 destination-port 80 set applications application http-1 inactivity-timeout 20 set applications application telnet-1 protocol tcp set applications application telnet-1 source-port 0-65535 set applications application telnet-1 destination-port 23 set applications application telnet-1 inactivity-timeout 20 set applications application-set app-group application http-1 set applications application-set app-group application telnet-1 root> |
지금까지 [2024][Juniper SRX #12] application and application-set 글을 읽어주셔서 감사합니다.
'JUNIPER > SRX 방화벽' 카테고리의 다른 글
| [2024][Juniper SRX #14] firewall policy 순서 변경 (0) | 2024.07.26 |
|---|---|
| [2024][Juniper SRX #13] firewall policy (0) | 2024.07.25 |
| [2024][Juniper SRX #10] Administrator access restriction settings for MGMT (0) | 2024.07.22 |
| [2024][Juniper SRX #9] SSH, Telnet and web-management 설정하기 (0) | 2024.07.21 |
| [2024][Juniper SRX #8] Zone configuration (1) | 2024.07.20 |