Hello.
This time the topic is [2024][Juniper SRX #14] Changing firewall policy order.
When there are several firewall policies, permit/deny is always evaluated from the top policy down to the bottom.
That is why the order of firewall policies is very important.
In addition, unless you explicitly reorder it, a new firewall policy is appended at the very bottom.
We will go through this in detail while testing it.
*** Important ***
1. The Juniper SRX is a stateful firewall.
If a firewall policy permits the outgoing traffic, the returning traffic is permitted automatically.
The details will be covered in a later lesson.
2. If there are several firewall policies, they are checked one by one from the top down.
3. Even if there is no deny policy at the bottom, all traffic is denied by default. In other words, there is an implicit default deny-all policy.
4. When creating a firewall policy:
4-1 match
4-1-1 source-ip
4-1-2 destination-ip
4-1-3 destination application
Enter the match conditions above, then define how matching traffic is handled.
4-2 action
4-2-1 permit - allow
4-2-2 reject - block
4-2-3 log - generate logs - you must also add the sub-option session-init/session-close.
4-2-3-1 session-init - log when the session starts
4-2-3-2 session-close - log when the session closes
4-2-4 count - provides cumulative traffic volume statistics for traffic matching the policy
permit, log and count can be configured at the same time.
The topology is as follows.
SRX
ge-0/0/0 - dhcp - untrust
ge-0/0/1 - 192.168.1.1/24 - trust
ge-0/0/2 - 172.16.1.1/24 - dmz
SW01
gi0/0 - 192.168.1.2/24
SW02
gi0/0 - 172.16.1.2/24
And the following services are enabled on SW02:
http
https
telnet
ssh
Firewall policy 1)
192.168.1.2 -> 172.16.1.2 permit http
Firewall policy 2)
192.168.1.2 -> 172.16.1.2 permit https
Firewall policy 3)
192.168.1.2 -> 172.16.1.2 permit ssh
1. Delete the existing firewall configuration.
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# commit
commit complete
2. Configure IP addresses on the interfaces.
root# set interfaces ge-0/0/0 unit 0 family inet dhcp

[edit]
root# set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24

[edit]
root# set interfaces ge-0/0/2 unit 0 family inet address 172.16.1.1/24

[edit]
root# commit
Then assign the interfaces to security zones and check them.
root# set security zones security-zone untrust
root# set security zones security-zone untrust interfaces ge-0/0/0
root# set security zones security-zone trust
root# set security zones security-zone trust interfaces ge-0/0/1
root# set security zones security-zone dmz
root# set security zones security-zone dmz interfaces ge-0/0/2
root# commit
commit complete

root> show security zones terse
Zone                  Type
dmz                   Security
trust                 Security
untrust               Security
junos-host            Security

root> show interfaces zone terse
Interface               Admin Link Proto    Local                 Remote   Zone
ge-0/0/0.0              up    up   inet     192.168.10.105/24              untrust
sp-0/0/0.0              up    up   inet
                                   inet6                                   Null
sp-0/0/0.16383          up    up   inet                                    Null
ge-0/0/1.0              up    up   inet     192.168.1.1/24                 trust
ge-0/0/2.0              up    up   inet     172.16.1.1/24                  dmz
lo0.16384               up    up   inet     127.0.0.1           --> 0/0    Null
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0    Null
lo0.32768               up    up                                           Null
root>
Check the interface IP addresses.
We configured ge-0/0/0 for dhcp, but it has no IP address.
The reason is that on the Juniper SRX the dhcp service must be allowed on the zone of ge-0/0/0 before the interface can obtain an IP address from DHCP.
root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     192.168.1.1/24
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     172.16.1.1/24
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
To let ge-0/0/0 obtain its address from DHCP, allow dhcp under the untrust zone's host-inbound-traffic system-services, and also allow ping for testing.
set security zones security-zone untrust host-inbound-traffic system-services dhcp
set security zones security-zone untrust host-inbound-traffic system-services ping
Then check the IP address of ge-0/0/0 with show interfaces terse.
It received 192.168.10.105/24 from DHCP.
root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     192.168.10.105/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     192.168.1.1/24
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     172.16.1.1/24
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down
root>
Allow ping on ge-0/0/1 and ge-0/0/2 as well.
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone dmz host-inbound-traffic system-services ping
Then configure SW01 Gi0/0 with 192.168.1.2/24 and ping the SRX ge-0/0/1 address 192.168.1.1.
Switch>
Switch>en
Switch#conf t
Switch(config)#ho SW01
SW01(config)#int gigabitEthernet 0/0
SW01(config-if)#no switchport
SW01(config-if)#ip add 192.168.1.2 255.255.255.0
SW01(config-if)#no sh
SW01(config-if)#end
SW01#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 2/40/155 ms
SW01#
Then configure the default gateway.
SW01(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1
SW01(config)#end
SW01#
SW01#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.1.1
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, GigabitEthernet0/0
L        192.168.1.2/32 is directly connected, GigabitEthernet0/0
SW01#
Configure SW02 Gi0/0 with 172.16.1.2/24 and ping the SRX ge-0/0/2 address 172.16.1.1.
Switch>en
Switch#conf t
Switch(config)#ho SW02
SW02(config)#int gigabitEthernet 0/0
SW02(config-if)#no sw
SW02(config-if)#ip add 172.16.1.2 255.255.255.0
SW02(config-if)#no shutdown
SW02(config-if)#end
SW02#
SW02#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/2 ms
SW02#
Then configure the default gateway.
SW02(config)#ip route 0.0.0.0 0.0.0.0 172.16.1.1
SW02(config)#
SW02#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 172.16.1.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 172.16.1.1
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.1.0/24 is directly connected, GigabitEthernet0/0
L        172.16.1.2/32 is directly connected, GigabitEthernet0/0
SW02#
Enable the http, https, telnet and ssh services on SW02.
SW02#conf t
SW02(config)#ip http server
SW02(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)
Failed to generate persistent self-signed certificate.
    Secure server will use temporary self-signed certificate.
SW02(config)#ip domain-name cisco
SW02(config)#crypto key generate rsa
The name for the keys will be: SW02.cisco
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]:
% Generating 512 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)

SW02(config)#username cisco privilege 15 password cisco
SW02(config)#line vty 0 15
SW02(config-line)#login local
SW02(config-line)#transport input all
SW02(config-line)#
Now we create the firewall policies on the Juniper SRX.
Firewall policy 1)
192.168.1.2 -> 172.16.1.2 permit http
Firewall policy 2)
192.168.1.2 -> 172.16.1.2 permit https
Firewall policy 3)
192.168.1.2 -> 172.16.1.2 permit ssh
Address book and application
set security address-book global address H-192.168.1.2/32 192.168.1.2/32
set security address-book global address H-172.16.1.2/32 172.16.1.2/32
set applications application T-443 protocol tcp
set applications application T-443 source-port 0-65535
set applications application T-443 destination-port 443
set applications application T-443 inactivity-timeout 20
set applications application T-80 protocol tcp
set applications application T-80 source-port 0-65535
set applications application T-80 destination-port 80
set applications application T-80 inactivity-timeout 20
set applications application T-22 protocol tcp
set applications application T-22 source-port 0-65535
set applications application T-22 destination-port 22
set applications application T-22 inactivity-timeout 20
Creating the policies
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http match application T-80
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http then count
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https match application T-443
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https then count
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh match application T-22
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh then count
Checking the firewall policy order
root> show configuration security policies from-zone trust to-zone dmz | display set | no-more
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http match application T-80
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http then count
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https match application T-443
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https then count
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh match application T-22
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh then count
How to check the firewall policy order
The order is the order in which the policies were created.
The default policy is deny-all; it has no sequence number, but it is shown as deny-all under "Default policy:".
Policies are checked from top to bottom, and if nothing matches, the default policy, i.e. deny-all, is applied.
root> show security policies
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
From zone: trust, To zone: dmz
  Policy: trust-to-dmz-http, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-80
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-https, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 2, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-443
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-ssh, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 3, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-22
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
Let's test from SW01 to SW02.
192.168.1.2 -> 172.16.1.2 http - success
192.168.1.2 -> 172.16.1.2 https - success
192.168.1.2 -> 172.16.1.2 ssh - success
192.168.1.2 -> 172.16.1.2 telnet - failed (there is no firewall policy for it, so the default policy deny-all)
SW01#telnet 172.16.1.2 80
Trying 172.16.1.2, 80 ... Open
^C
HTTP/1.1 400 Bad Request
Date: Sun, 23 Jun 2024 09:04:47 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request

[Connection to 172.16.1.2 closed by foreign host]
SW01#telnet 172.16.1.2 443
Trying 172.16.1.2, 443 ... Open
^C
^C
[Connection to 172.16.1.2 closed by foreign host]
SW01#ssh -l cisco 172.16.1.2
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************
Password:
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************
SW02#exit

[Connection to 172.16.1.2 closed by foreign host]
SW01#
SW01#telnet 172.16.1.2
Trying 172.16.1.2 ...
% Connection timed out; remote host not responding
Checking hit counts - note that the Index number here does not represent the firewall policy order.
root> show security policies hit-count
Logical system: root-logical-system
  Index   From zone   To zone   Name                 Policy count   Action
  1       trust       dmz       trust-to-dmz-ssh     1              Permit
  2       trust       dmz       trust-to-dmz-http    1              Permit
  3       trust       dmz       trust-to-dmz-https   1              Permit
To verify the firewall policy order, we create an explicit deny-all policy. For visibility, the deny-all policy is configured with count and log.
set security policies from-zone trust to-zone dmz policy trust-to-dmz-deny-all match source-address any
set security policies from-zone trust to-zone dmz policy trust-to-dmz-deny-all match destination-address any
set security policies from-zone trust to-zone dmz policy trust-to-dmz-deny-all match application any
set security policies from-zone trust to-zone dmz policy trust-to-dmz-deny-all then deny
set security policies from-zone trust to-zone dmz policy trust-to-dmz-deny-all then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz-deny-all then count
Checking the firewall policy order - a policy created without any specific placement command is placed at the very bottom.
root> show security policies
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
From zone: trust, To zone: dmz
  Policy: trust-to-dmz-http, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-80
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-https, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 2, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-443
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-ssh, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 3, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-22
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-deny-all, State: enabled, Index: 8, Scope Policy: 0, Sequence number: 4, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: deny, log, count
root>
In this state, any further firewall policy we create will be placed below the deny policy.
For the test, we create a policy permitting 192.168.1.2 -> 172.16.1.2 telnet. (The application for port 23 is T-23; it is defined here first, since the policy references it.)
set applications application T-23 protocol tcp
set applications application T-23 source-port 0-65535
set applications application T-23 destination-port 23
set applications application T-23 inactivity-timeout 20
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet match application T-23
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet then count
commit
The telnet permit policy was created below the deny-all policy.
root> show security policies
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
From zone: trust, To zone: dmz
  Policy: trust-to-dmz-http, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-80
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-https, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 2, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-443
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-ssh, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 3, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-22
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-deny-all, State: enabled, Index: 8, Scope Policy: 0, Sequence number: 4, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: deny, log, count
  Policy: trust-to-dmz-telnet, State: enabled, Index: 9, Scope Policy: 0, Sequence number: 5, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-23
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
root>
Telnet from SW01 to SW02 - it failed.
The reason is that deny-all sits above the telnet permit policy.
SW01#telnet 172.16.1.2
Trying 172.16.1.2 ...
% Connection timed out; remote host not responding
SW01#
The telnet traffic was blocked by the deny-all policy, so its count increased.
root> show security policies hit-count
Logical system: root-logical-system
  Index   From zone   To zone   Name                     Policy count   Action
  1       trust       dmz       trust-to-dmz-https       1              Permit
  2       trust       dmz       trust-to-dmz-telnet      0              Permit
  3       trust       dmz       trust-to-dmz-deny-all    4              Deny
  4       trust       dmz       trust-to-dmz-ssh         1              Permit
  5       trust       dmz       trust-to-dmz-http        1              Permit
  6       dmz         trust     trsut-to-dmz             8              Permit

Number of policy: 6
Now let's create the trust-to-dmz-telnet policy above trust-to-dmz-deny-all.
delete security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet
commit
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet match application T-23
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet then count
after - places the new firewall policy after the given policy.
before - places the new firewall policy before the given policy.
We will place it before trust-to-dmz-deny-all.
insert security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet ?
Possible completions:
  after                Insert after given data element
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  before               Insert before given data element
> match                Specify security policy match-criteria
> then                 Specify policy action to take when packet match criteria
insert security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet before policy trust-to-dmz-deny-all
commit
Checking the firewall policy order
The telnet permit policy now sits before the deny-all policy.
root> show security policies
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
From zone: trust, To zone: dmz
  Policy: trust-to-dmz-http, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-80
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-https, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 2, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-443
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-ssh, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 3, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-22
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-telnet, State: enabled, Index: 9, Scope Policy: 0, Sequence number: 4, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-23
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-deny-all, State: enabled, Index: 8, Scope Policy: 0, Sequence number: 5, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: deny, log, count
root>
Alternatively, insert security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet after policy trust-to-dmz-ssh
has exactly the same effect.
Next, let's change the order of an existing firewall rule: we move the trust-to-dmz-telnet policy to directly below trust-to-dmz-http.
You could delete the existing policy, create it again and then position it with the insert command.
However, the insert command can also change the order of an existing policy directly, without deleting it.
insert security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet after policy trust-to-dmz-http
commit
Checking the firewall policy order: the telnet policy has moved to Sequence number 2, directly below trust-to-dmz-http.
root> show security policies
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
From zone: trust, To zone: dmz
  Policy: trust-to-dmz-http, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-80
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-telnet, State: enabled, Index: 9, Scope Policy: 0, Sequence number: 2, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-23
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-https, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 3, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-443
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-ssh, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 4, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-22
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-deny-all, State: enabled, Index: 8, Scope Policy: 0, Sequence number: 5, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: deny, log, count
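As an added example (not code from the original post or from Juniper), the following Python models what the two experiments above showed: top-down first-match evaluation of the trust-to-dmz policies, the telnet policy being dead while it sits below trust-to-dmz-deny-all, and the insert before/after reordering that fixes it. It also adds a shadowed-rule check that an auditor can run over a "display set" export before commit. The small set-format parser, the tcp-only application handling and the "default-policy" label are assumptions made for this example.

```python
from ipaddress import ip_address, ip_network

# Constructed sample in Junos "display set" format: the post's trust->dmz rule
# set at the point where trust-to-dmz-telnet was added *below* the explicit
# deny-all (https, protocol lines and log/count are left out; they do not
# change which policy matches).
SET_CONFIG = """
set security address-book global address H-192.168.1.2/32 192.168.1.2/32
set security address-book global address H-172.16.1.2/32 172.16.1.2/32
set applications application T-80 destination-port 80
set applications application T-22 destination-port 22
set applications application T-23 destination-port 23
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http match application T-80
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh match application T-22
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz-deny-all match source-address any
set security policies from-zone trust to-zone dmz policy trust-to-dmz-deny-all match destination-address any
set security policies from-zone trust to-zone dmz policy trust-to-dmz-deny-all match application any
set security policies from-zone trust to-zone dmz policy trust-to-dmz-deny-all then deny
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet match application T-23
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet then permit
"""

def parse_set_config(text):
    """Return (addresses, applications, policies). Policies keep the order in
    which they were entered, which is the order the SRX evaluates them."""
    addrs, apps, policies = {"any": "0.0.0.0/0"}, {"any": None}, {}
    for w in (line.split() for line in text.strip().splitlines()):
        if w[1:4] == ["security", "address-book", "global"]:
            addrs[w[5]] = w[6]
        elif w[1:3] == ["applications", "application"] and w[4] == "destination-port":
            apps[w[3]] = int(w[5])
        elif w[1:3] == ["security", "policies"]:
            pol = policies.setdefault(w[8], {"name": w[8]})
            if w[9] == "match":
                pol[w[10]] = w[11]
            elif w[10] in ("permit", "deny", "reject"):
                pol["action"] = w[10]
    return addrs, apps, list(policies.values())

def first_match(policies, addrs, apps, src, dst, dport):
    """Top-to-bottom lookup for a new tcp session; nothing matching falls
    through to the implicit default policy, which is deny-all."""
    for p in policies:
        if (ip_address(src) in ip_network(addrs[p["source-address"]])
                and ip_address(dst) in ip_network(addrs[p["destination-address"]])
                and apps[p["application"]] in (None, dport)):
            return p["name"], p["action"]
    return "default-policy", "deny-all"

def shadowed(policies, addrs, apps):
    """Names of policies that can never be hit because an earlier policy's
    match criteria are a superset of theirs (hit-count only shows a zero)."""
    def covers(a, b):
        nets = ("source-address", "destination-address")
        return (all(ip_network(addrs[b[k]]).subnet_of(ip_network(addrs[a[k]]))
                    for k in nets)
                and apps[a["application"]] in (None, apps[b["application"]]))
    return [b["name"] for i, b in enumerate(policies)
            if any(covers(a, b) for a in policies[:i])]

def insert_policy(policies, name, where, anchor):
    """Model 'insert ... policy NAME before|after policy ANCHOR': the existing
    policy is moved, not deleted and re-created."""
    moving = next(p for p in policies if p["name"] == name)
    rest = [p for p in policies if p["name"] != name]
    idx = next(i for i, p in enumerate(rest) if p["name"] == anchor)
    if where == "after":
        idx += 1
    return rest[:idx] + [moving] + rest[idx:]

if __name__ == "__main__":
    addrs, apps, pols = parse_set_config(SET_CONFIG)
    print(first_match(pols, addrs, apps, "192.168.1.2", "172.16.1.2", 23))  # deny-all is hit first
    print("shadowed:", shadowed(pols, addrs, apps))                         # the telnet policy is dead
    pols = insert_policy(pols, "trust-to-dmz-telnet", "before", "trust-to-dmz-deny-all")
    print(first_match(pols, addrs, apps, "192.168.1.2", "172.16.1.2", 23))  # now permitted
```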
Thank you for reading [2024][Juniper SRX #14] Changing firewall policy order.