IT BLOG(KR)

안녕하세요.

이번에는 [2024][Juniper SRX #14] firewall policy 순서 변경입니다.

방화벽 정책이 여러 개가 있으면 항상 맨 위에서부터 아래로 정책 허용/차단을 확인합니다.

그래서 방화벽 정책 순서는 매우 중요합니다.

추가적으로 방화벽 정책을 변경하지 않으면 새로운 방화벽 정책은 맨 아래에 추가됩니다.

우선 테스트를 하면서 자세히 설명하도록 하겠습니다.

*** 중요 ***

1. Juniper SRX stateful 방화벽입니다

나가는 Traffic을 허용하는 방화벽 정책이 있으면 Return 되는 Traffic은 자동으로 허용됩니다.

자세한 내용은 나중에 다른 강좌에서 설명하겠습니다.

2. 방화벽이 정책이 여러 개가 있다면 맨 위에서부터 아래로 차근차근 방화벽 정책을 확인합니다.

3. 맨 아래 deny 정책이 없어도 default로 모든 traffic은 차단됩니다. - 즉 default deny all이라는 정책이 있습니다.

4. 방화벽 정책을 만들 때에는,

4-1 match

4-1-1 source-ip

4-1-2 destination-ip

4-1-3 destination application

위에 조건문을 입력하고 어떻게 처리할 것인지 정의 ㅎ합니다

4-2 action

4-2-1 permit - 허용

4-2-2 reject - 차단

4-2-3 log - 로그 생성 - 꼭 하위옵션 session-init/close 명령어를 추가로 입력해야 합니다.

4-2-3-1 session-init - 세션이 시작될 때 로그 생성

4-2-3-2 session-close - 세션이 종료될 때 로그 생성

4-2-4 count - 해당조건 트래픽 누적 치 사용량 정보 제공

permit, log, count를 동시에 설정 가능 합니다.

토폴로지는 아래와 같습니다.

SRX

ge-0/0/0 - dhcp - untrust

ge-0/0/1 - 192.168.1.1/24 - trust

ge-0/0/2 - 172.16.1.1/24 - dmz

SW01

gi0/0 - 192.168.1.2/24

SW02

gi0/0 - 172.16.1.2/24

그리고 아래 서비스를 enable 합니다.

http

https

telnet

ssh

방화벽 정책 1)

192.168.1.2 -> 172.16.1.2 http 허용

방화벽 정책 2)

192.168.1.2 -> 172.16.1.2 https 허용

방화벽 정책 3)

192.168.1.2 -> 172.16.1.2 ssh 허용

기존 방화벽 설정값 삭제

root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# commit
commit complete

2. Inteface에 IP주소를 설정합니다.

root# set interfaces ge-0/0/0 unit 0 family inet dhcp

[edit]
root# set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24

[edit]
root# set interfaces ge-0/0/2 unit 0 family inet address 172.16.1.1/24

[edit]
root# commit

그리고 Interface에 IP주소를 확인합니다.

root# set security zones security-zone unturst
root# set security zones security-zone untrust interfaces ge-0/0/0

root# set security zones security-zone trust
root# set security zones security-zone trust interfaces ge-0/0/1

root# set security zones security-zone dmz
root# set security zones security-zone dmz interfaces ge-0/0/2

root# commit
commit complete

root> show security zones terse
Zone                        Type
dmz                         Security
trust                       Security
untrust                     Security
junos-host                  Security

root> show interfaces zone terse
Interface               Admin Link Proto    Local                 Remote                Zone
ge-0/0/0.0              up    up   inet     192.168.10.105/24
                                                                                        untrust
sp-0/0/0.0              up    up   inet
                                   inet6                                                Null
sp-0/0/0.16383          up    up   inet                                                 Null
ge-0/0/1.0              up    up   inet     192.168.1.1/24
                                                                                        trust
ge-0/0/2.0              up    up   inet     172.16.1.1/24
                                                                                        dmz
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
                                                                                        Null
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
                                                                                        Null
lo0.32768               up    up                                                        Null

root>

Interface에 IP주소를 확인합니다.

저희가 ge-0/0/0 dhcp 설정하였으나 IP주소가 없습니다.

그 이유는 Juniper SRX은 ge-0/0/0 dhcp 기능을 허용해 주어야지 IP주소를 DHCP에서 받아 올 수 있습니다.

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     192.168.1.1/24
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     172.16.1.1/24
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up

ge-0/0/0 dhcp 기능받아오기 위해서 zone에 system-services에서 dhcp기능 그리고 ping테스트를 위해서 ping를 허용합니다.

set security zones security-zone untrust host-inbound-traffic system-services dhcp
set security zones security-zone untrust host-inbound-traffic system-services ping

그리고 show interface terse을 이용해서 ge-0/0/0 IP주소를 확인합니다.

DHCP로부터 192.168.10.105/24 IP주소를 받았습니다.

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     192.168.10.105/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     192.168.1.1/24
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     172.16.1.1/24
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down

root>

ge-0/0/1 그리고 ge-0/0/2 ping도 허용해 줍니다.

set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone dmz host-inbound-traffic system-services ping

그리고 SW01 - Gi0/0 192.168.1.2/24 설정하고 SRX ge-0/0/1 192.168.1.1 ping를 시도합니다.

Switch>
Switch>en
Switch#conf t
Switch(config)#ho SW01
SW01(config)#int gigabitEthernet 0/0
SW01(config-if)#no switchport
SW01(config-if)#ip add 192.168.1.2 255.255.255.0
SW01(config-if)#no sh
SW01(config-if)#end
SW01#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 2/40/155 ms
SW01#

그리고 Default Gatway 설정

SW01(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1
SW01(config)#end
SW01#

SW01#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.1.1
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, GigabitEthernet0/0
L        192.168.1.2/32 is directly connected, GigabitEthernet0/0
SW01#

SW02 - Gi0/0 172.16.1.2/24 설정하고 SRX ge-0/0/2 172.16.1.1 ping를 시도합니다.

Switch>en
Switch#conf t
Switch(config)#ho SW02
SW02(config)#int gigabitEthernet 0/0
SW02(config-if)#no sw
SW02(config-if)#ip add 172.16.1.2 255.255.255.0
SW02(config-if)#no shutdown
SW02(config-if)#end
SW02#
SW02#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/2 ms
SW02#

그리고 Default Gateway 설정

SW02(config)#ip route 0.0.0.0 0.0.0.0 172.16.1.1
SW02(config)#
SW02#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 172.16.1.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 172.16.1.1
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.1.0/24 is directly connected, GigabitEthernet0/0
L        172.16.1.2/32 is directly connected, GigabitEthernet0/0
SW02#

SW02에 http, https, telnet 그리고 ssh서비스를 Enable 합니다.

SW02#conf t
SW02(config)#ip http server
SW02(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)
Failed to generate persistent self-signed certificate.
    Secure server will use temporary self-signed certificate.

SW02(config)#ip domain-name cisco
SW02(config)#crypto key generate rsa
The name for the keys will be: SW02.cisco
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]:
% Generating 512 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)

SW02(config)#username cisco privilege 15 password cisco
SW02(config)#line vty 0 15
SW02(config-line)#login local
SW02(config-line)#transport input all
SW02(config-line)#

Juniper SRX에서 방화벽 정책을 생성하겠습니다.

방화벽 정책 1)

192.168.1.2 -> 172.16.1.2 http 허용

방화벽 정책 2)

192.168.1.2 -> 172.16.1.2 https 허용

방화벽 정책 3)

192.168.1.2 -> 172.16.1.2 ssh 허용

Address-book이랑 application 정

set security address-book global address H-192.168.1.2/32 192.168.1.2/32
set security address-book global address H-172.16.1.2/32 172.16.1.2/32

set applications application T-443 protocol tcp
set applications application T-443 source-port 0-65535
set applications application T-443 destination-port 443
set applications application T-443 inactivity-timeout 20

set applications application T-80 protocol tcp
set applications application T-80 source-port 0-65535
set applications application T-80 destination-port 80
set applications application T-80 inactivity-timeout 20

set applications application T-22 protocol tcp
set applications application T-22 source-port 0-65535
set applications application T-22 destination-port 22
set applications application T-22 inactivity-timeout 20

정책 생성

set security policies from-zone trust to-zone dmz policy trust-to-dmz-http match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http match application T-80
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http then count

set security policies from-zone trust to-zone dmz policy trust-to-dmz-https match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https match application T-443
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https then count

set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh match application T-22
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh then count

Firewall 정책 순서 확인

root> show configuration security policies from-zone trust to-zone dmz | display set | no-more

set security policies from-zone trust to-zone dmz policy trust-to-dmz-http match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http match application T-80
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz-http then count
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https match application T-443
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz-https then count
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh match application T-22
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz-ssh then count

방화벽 정책 순서 확인 하는 방법

순서는 방화벽 정책을 생성한 순서입니다.

그리고 default 정책은 deny-all인데 순서는 안 보이지만 default policy:에 보시면 deny-all이라고 표시됩니다.

위에서부터 아래까지 방화벽 정책을 확인 후 아무것도 match 되지 않으면 default policy 즉 deny-all이 적용됩니다.

root> show security policies
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
From zone: trust, To zone: dmz
  Policy: trust-to-dmz-http, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-80
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-https, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 2, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-443
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-ssh, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 3, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-22
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count

SW01에서 SW02로 테스트해 보겠습니다.

192.168.1.2 -> 172.16.1.2 http - 성공

192.168.1.2 -> 172.16.1.2 https - 성공

192.168.1.2 -> 172.16.1.2 ssh - 성공

192.168.1.2 -> 172.16.1.2 telnet - 실패 방화벽 정책이 없어서 default policy - deny-all 적

SW01#telnet 172.16.1.2 80
Trying 172.16.1.2, 80 ... Open
^C
HTTP/1.1 400 Bad Request
Date: Sun, 23 Jun 2024 09:04:47 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request
[Connection to 172.16.1.2 closed by foreign host]
SW01#telnet 172.16.1.2 443
Trying 172.16.1.2, 443 ... Open
^C
^C
[Connection to 172.16.1.2 closed by foreign host]
SW01#ssh -l cisco 172.16.1.2

**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************
Password:

**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************
SW02#exit

[Connection to 172.16.1.2 closed by foreign host]
SW01#
SW01#telnet 172.16.1.2
Trying 172.16.1.2 ...
% Connection timed out; remote host not responding

hit-count 확인 - 여기에서 index번호는 방화벽 순서를 나타내지 않습니다. 주의 바랍니다.

root> show security policies hit-count
Logical system: root-logical-system
Index   From zone        To zone           Name           Policy count  Action
1       trust            dmz               trust-to-dmz-ssh 1           Permit
2       trust            dmz               trust-to-dmz-http 1          Permit
3       trust            dmz               trust-to-dmz-https 1         Permit

방화벽 순서 확인 하기 위해서 deny-any 정책을 생성하겠습니다. 가시성 있게 deny-all 정책을 만들고 count랑 log를 생성하게 설정하겠습니다.

set security policies from-zone trust to-zone dmz policy trust-to-dmz-deny-all match source-address any
set security policies from-zone trust to-zone dmz policy trust-to-dmz-deny-all match destination-address any
set security policies from-zone trust to-zone dmz policy trust-to-dmz-deny-all match application any
set security policies from-zone trust to-zone dmz policy trust-to-dmz-deny-all then deny
set security policies from-zone trust to-zone dmz policy trust-to-dmz-deny-all then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz-deny-all then count

방화벽 정책 순서 확인- 특정 명령어 없이 방화벽 정책을 생성하면 맨 아래에 생성됩니다.

root> show security policies
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
From zone: trust, To zone: dmz
  Policy: trust-to-dmz-http, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-80
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-https, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 2, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-443
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-ssh, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 3, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-22
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-deny-all, State: enabled, Index: 8, Scope Policy: 0, Sequence number: 4, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: deny, log, count

root>

이 상태에서 추가적으로 다른 방화벽 정책을 생성하게 되면 Deny 밑에 방화벽 정책이 생성 되게 됩니다.

우선 테스트를 위해서 192.168.1.2 -> 172.16.1.2 telnet를 허용하는 방화벽 정책을 생성하겠습니다.

set applications application T-22 protocol tcp
set applications application T-22 source-port 0-65535
set applications application T-22 destination-port 22
set applications application T-22 inactivity-timeout 20

set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet match application T-23
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet then count

commit

telnet 허용 정책이 deny-any 정책 밑에 생성되었습니다.

root> show security policies
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
From zone: trust, To zone: dmz
  Policy: trust-to-dmz-http, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-80
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-https, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 2, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-443
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-ssh, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 3, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-22
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-deny-all, State: enabled, Index: 8, Scope Policy: 0, Sequence number: 4, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: deny, log, count
  Policy: trust-to-dmz-telnet, State: enabled, Index: 9, Scope Policy: 0, Sequence number: 5, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-23
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count

root>

SW01에서 SW02 telnet 시도 - 실패했습니다.

이유는 Deny-all이 telnet 허용 정책보다 위에 있기 때문입니다.

SW01#telnet 172.16.1.2
Trying 172.16.1.2 ...
% Connection timed out; remote host not responding

SW01#

deny-all 정책에 telnet 트래픽이 차단되어서 count가 증가하였습니다.

root> show security policies hit-count
Logical system: root-logical-system
Index   From zone        To zone           Name           Policy count  Action
1       trust            dmz               trust-to-dmz-https 1         Permit
2       trust            dmz               trust-to-dmz-telnet 0        Permit
3       trust            dmz               trust-to-dmz-deny-all 4      Deny
4       trust            dmz               trust-to-dmz-ssh 1           Permit
5       trust            dmz               trust-to-dmz-http 1          Permit
6       dmz              trust             trsut-to-dmz   8             Permit

Number of policy: 6

trust-to-dmz-telnet 정책을 trust-to-dmz-deny-all 보다 위에 생성하게 설정해 보겠습니다.

delete security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet
commit

set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet match application T-23
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet then count

after - 특정 정책 다음에 새로운 방화벽 정책을 생성합니다.

before - 특정 정책 이전에 새로운 방화벽 정책을 생성합니다.

trust-to-dmz-deny-all 이전에 생성해 보겠습니다.

insert security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet ?
Possible completions:
  after                Insert after given data element
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  before               Insert before given data element
> match                Specify security policy match-criteria
> then                 Specify policy action to take when packet match criteria

insert security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet before policy trust-to-dmz-deny-all

commit

방화벽 정책 순서 확인

Deny-all 정책 이전에 telnet허용 정책이 생성되었습니다.

root> show security policies
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
From zone: trust, To zone: dmz
  Policy: trust-to-dmz-http, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-80
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-https, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 2, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-443
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-ssh, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 3, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-22
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-telnet, State: enabled, Index: 9, Scope Policy: 0, Sequence number: 4, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-23
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-deny-all, State: enabled, Index: 8, Scope Policy: 0, Sequence number: 5, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: deny, log, count

root>

또는 insert security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet after policy trust-to-dmz-ssh

이렇게 사용해도 똑같은 의미를 가집니다.

이번에는 기존에 있는 firewall rule 순서를 변경해 보겠습니다. trust-to-dmz-telnet 정책을 trust-to-dmz-http 밑으로 이동해 보겠습니다.

기존에 있는 방화벽 정책을 삭제 후 새로 생성하고 insert명령어로 이용해서 수정해도 됩니다.

하지만 기존 방화벽 정책을 삭제하지 않고 insert명령어로 곧바로 방화벽 정책 순서를 변경할 수 있습니다.

insert security policies from-zone trust to-zone dmz policy trust-to-dmz-telnet after policy trust-to-dmz-http
commit

방화벽 정책 순서 확인 아래 빨간색 보시면 telnet 정책이 이동되었습니다.

root> show security policies
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
From zone: trust, To zone: dmz
  Policy: trust-to-dmz-http, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-80
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-telnet, State: enabled, Index: 9, Scope Policy: 0, Sequence number: 2, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-23
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-https, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 3, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-443
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-ssh, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 4, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-22
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
  Policy: trust-to-dmz-deny-all, State: enabled, Index: 8, Scope Policy: 0, Sequence number: 5, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: deny, log, count

지금까지 [2024][Juniper SRX #14] firewall policy 순서 변경 글을 읽어주셔서 감사합니다.

저작자표시

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2024][Juniper SRX #16] password recovery (0)	2024.07.28
[2024][Juniper SRX #15] commit and rollback (0)	2024.07.27
[2024][Juniper SRX #13] firewall policy (0)	2024.07.25
[2024][Juniper SRX #12] application and application-set (2)	2024.07.24
[2024][Juniper SRX #10] Administrator access restriction settings for MGMT (0)	2024.07.22

안녕하세요.

이번에는 [2024][Juniper SRX #13] firewall policy입니다.

토폴로지는 아래와 같습니다.

SRX

ge-0/0/0 - dhcp - untrust

ge-0/0/1 - 192.168.1.1/24 - trust

ge-0/0/2 - 172.16.1.1/24 - dmz

SW01

gi0/0 - 192.168.1.2/24

그리고 아래 서비스를 enable 합니다.

http

https

telnet

ssh

SW02

gi0/0 - 172.16.1.2/24

그리고 아래 서비스를 enable합니다.

http

https

telnet

ssh

*** 중요 ***

1. Juniper SRX stateful 방화벽입니다

나가는 Traffic을 허용하는 방화벽 정책이 있으면 Return되는 Traffic은 자동으로 허용됩니다.

자세한 내용은 나중에 다른 강좌에서 설명 하겠습니다.

2. 방화벽이 정책이 여러개가 있다면 맨 위에서부터 아래로 차근차근 방화벽 정책을 확인합니다.

3. 맨 아래 deny 정책이 없어도 default로 모든 traffic은 차단됩니다. - 즉 default deny all이라는 정책이 있습니다.

4. 방화벽 정책을 만들 때에는,

4-1 match

4-1-1 source-ip

4-1-2 destination-ip

4-1-3 destination application

위에 조건문을 입력하고 어떻게 처리할 것인지 정의 ㅎ합니다

4-2 action

4-2-1 permit - 허용

4-2-2 reject - 차단

4-2-3 log - 로그 생성 - 꼭 하위옵션 session-init/close 명령어를 추가로 입력해야 합니다.

4-2-3-1 session-init - 세션이 시작될 때 로그 생성

4-2-3-2 session-close - 세션이 종료될 때 로그 생성

4-2-4 count - 해당조건 트래픽 누적 치 사용량 정보 제공

permit, log, count를 동시에 설정 가능 합니다.

SRX side

1. 기존 설정값을 다 삭제합니다.

root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# commit
commit complete

2. Inteface에 IP주소를 설정합니다.

root# set interfaces ge-0/0/0 unit 0 family inet dhcp

[edit]
root# set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.1/24

[edit]
root# set interfaces ge-0/0/2 unit 0 family inet address 172.16.1.1/24

[edit]
root# commit

그리고 Interface에 IP주소를 확인합니다.

root# set security zones security-zone unturst
root# set security zones security-zone untrust interfaces ge-0/0/0

root# set security zones security-zone trust
root# set security zones security-zone trust interfaces ge-0/0/1

root# set security zones security-zone dmz
root# set security zones security-zone dmz interfaces ge-0/0/2

root# commit
commit complete

root> show security zones terse
Zone                        Type
dmz                         Security
trust                       Security
untrust                     Security
junos-host                  Security

root> show interfaces zone terse
Interface               Admin Link Proto    Local                 Remote                Zone
ge-0/0/0.0              up    up   inet     192.168.10.105/24
                                                                                        untrust
sp-0/0/0.0              up    up   inet
                                   inet6                                                Null
sp-0/0/0.16383          up    up   inet                                                 Null
ge-0/0/1.0              up    up   inet     192.168.1.1/24
                                                                                        trust
ge-0/0/2.0              up    up   inet     172.16.1.1/24
                                                                                        dmz
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
                                                                                        Null
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
                                                                                        Null
lo0.32768               up    up                                                        Null

root>

Interface에 IP주소를 확인합니다.

저희가 ge-0/0/0 dhcp 설정하였으나 IP주소가 없습니다.

그 이유는 Juniper SRX은 ge-0/0/0 dhcp 기능을 허용해 주어야지 IP주소를 DHCP에서 받아 올 수 있습니다.

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     192.168.1.1/24
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     172.16.1.1/24
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up

ge-0/0/0 dhcp 기능받아오기 위해서 zone에 system-services에서 dhcp기능 그리고 ping테스트를 위해서 ping를 허용합니다.

set security zones security-zone untrust host-inbound-traffic system-services dhcp
set security zones security-zone untrust host-inbound-traffic system-services ping

그리고 show interface terse을 이용해서 ge-0/0/0 IP주소를 확인합니다.

DHCP로부터 192.168.10.105/24 IP주소를 받았습니다.

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     192.168.10.105/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     192.168.1.1/24
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     172.16.1.1/24
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down

root>

ge-0/0/1 그리고 ge-0/0/2 ping도 허용해 줍니다.

set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone dmz host-inbound-traffic system-services ping

그리고 SW01 - Gi0/0 192.168.1.2/24 설정하고 SRX ge-0/0/1 192.168.1.1 ping를 시도합니다.

Switch>
Switch>en
Switch#conf t
Switch(config)#ho SW01
SW01(config)#int gigabitEthernet 0/0
SW01(config-if)#no switchport
SW01(config-if)#ip add 192.168.1.2 255.255.255.0
SW01(config-if)#no sh
SW01(config-if)#end
SW01#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 2/40/155 ms
SW01#

그리고 Default Gatway 설정

SW01(config)#ip route 0.0.0.0 0.0.0.0 192.168.1.1
SW01(config)#end
SW01#

SW01#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.1.1
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, GigabitEthernet0/0
L        192.168.1.2/32 is directly connected, GigabitEthernet0/0
SW01#

그리고 SW02 - Gi0/0 172.16.1.2/24 설정하고 SRX ge-0/0/2 172.16.1.1 ping를 시도합니다.

Switch>en
Switch#conf t
Switch(config)#ho SW02
SW02(config)#int gigabitEthernet 0/0
SW02(config-if)#no sw
SW02(config-if)#ip add 172.16.1.2 255.255.255.0
SW02(config-if)#no shutdown
SW02(config-if)#end
SW02#
SW02#ping 172.16.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/2 ms
SW02#

그리고 Default Gateway 설정

SW02(config)#ip route 0.0.0.0 0.0.0.0 172.16.1.1
SW02(config)#
SW02#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 172.16.1.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 172.16.1.1
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.1.0/24 is directly connected, GigabitEthernet0/0
L        172.16.1.2/32 is directly connected, GigabitEthernet0/0
SW02#

방화벽 정책을 테스트하기 위해서 SW01과 SW02를 http, https, telnet, ssh를 Enable 합니다.

SW01(config)#ip http server
SW01(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)
Failed to generate persistent self-signed certificate.
    Secure server will use temporary self-signed certificate.

SW01(config)#ip domain-name cisco
SW01(config)#crypto key generate rsa
The name for the keys will be: SW01.cisco
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]:
% Generating 512 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)

SW01(config)#username cisco privilege 15 password cisco
SW01(config)#

SW01(config)#line vty 0 15
SW01(config-line)#login local
SW01(config-line)#transport input all

SW02에서도 똑같이 설정합니다.

SW02#conf t
SW02(config)#ip http server
SW02(config)#ip http secure-server
% Generating 1024 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 1 seconds)
Failed to generate persistent self-signed certificate.
    Secure server will use temporary self-signed certificate.

SW02(config)#ip domain-name cisco
SW02(config)#crypto key generate rsa
The name for the keys will be: SW02.cisco
Choose the size of the key modulus in the range of 360 to 4096 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]:
% Generating 512 bit RSA keys, keys will be non-exportable...
[OK] (elapsed time was 0 seconds)

SW02(config)#username cisco privilege 15 password cisco
SW02(config)#line vty 0 15
SW02(config-line)#login local
SW02(config-line)#transport input all
SW02(config-line)#

우선 http, https, telnet, ssh가 제대로 동작하는지 확인하기 위해서 Juniper SRX 방화벽 정책을 Any Any로 먼저 설정하고 테스트를 진행합니다.

turst zone에서 dmz zone으로 가는 Traffic은 모두 허용합니다.

set security policies from-zone trust to-zone dmz policy trsut-to-dmz match source-address any
set security policies from-zone trust to-zone dmz policy trsut-to-dmz match destination-address any
set security policies from-zone trust to-zone dmz policy trsut-to-dmz match application any
set security policies from-zone trust to-zone dmz policy trsut-to-dmz then permit
set security policies from-zone trust to-zone dmz policy trsut-to-dmz then log session-init
set security policies from-zone trust to-zone dmz policy trsut-to-dmz then count

SW01 in trust zone에서 SW02 in dmz zone에 Ping시도

SW01#ping 172.16.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/28/126 ms
SW01#

SW01 in trust zone에서 SW02 in dmz zone에 http, https, telnet, ssh 시도

telnet 172.16.1.2 80 - http 성공

telnet 172.16.1.2 443 - https 성공

telnet 172.16.1.2 23 - telnet 성공

ssh -l cisco 172.16.1.2 - ssh 성공

SW01#telnet 172.16.1.2 80
Trying 172.16.1.2, 80 ... Open
^C
HTTP/1.1 400 Bad Request
Date: Sun, 23 Jun 2024 07:37:36 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request
[Connection to 172.16.1.2 closed by foreign host]
SW01#
SW01#
SW01#telnet 172.16.1.2 443
Trying 172.16.1.2, 443 ... Open

[Connection to 172.16.1.2 closed by foreign host]
SW01#
SW01#
SW01#

SW01#telnet 172.16.1.2
Trying 172.16.1.2 ... Open

**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************

User Access Verification

Username: cisco
Password:
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************
SW02#

SW01#
SW01#ssh -l cisco 172.16.1.2

**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************
Password:

**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************SW02#
SW02#
SW02#

SW02 in dmz zone에서 SW01 in trust zone으로 Ping 시도합니다.

Juniper SRX에서 dmz zone에서 trust zone에 방화벽 정책이 없기 때문에 실패합니다.

SW02#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
SW02#

테스트를 위해서 dmz zone에서 trust zone에 방화벽 정책 any를 설정합니다.

set security policies from-zone dmz to-zone trust policy dmz-to-trust  match source-address any
set security policies from-zone dmz to-zone trust  policy dmz-to-trust match destination-address any
set security policies from-zone dmz to-zone trust  policy dmz-to-trust  match application any
set security policies from-zone dmz to-zone trust  policy dmz-to-trust  then permit
set security policies from-zone dmz to-zone trust  policy dmz-to-trust  then log session-init
set security policies from-zone dmz to-zone trust  policy dmz-to-trust  then count

SW02 in dmz zone에서 SW01 in trust zone으로 Ping 시도합니다.

SW02#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/15 ms
SW02#

SW02 in trust zone에서 SW01 in dmz zone에 http, https, telnet, ssh 시도

telnet 192.168.1.2 80 - http 성공

telnet 192.168.1.2 443 - https 성공

telnet 192.168.1.2 23 - telnet 성공

ssh -l cisco 192.168.1.2 - ssh 성공

SW02#telnet 192.168.1.2 80
Trying 192.168.1.2, 80 ... Open
^C
HTTP/1.1 400 Bad Request
Date: Sun, 23 Jun 2024 07:49:11 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request
[Connection to 192.168.1.2 closed by foreign host]
SW02#telnet 192.168.1.2 443
Trying 192.168.1.2, 443 ... Open

^C^[[A
[Connection to 192.168.1.2 closed by foreign host]
SW02#telnet 192.168.1.2
Trying 192.168.1.2 ... Open

**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************

User Access Verification

Username: cisco
Password:
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************
SW01#

SW01#ssh -l cisco 192.168.1.2

**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************
Password:

**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************
SW01#exit

[Connection to 192.168.1.2 closed by foreign host]
SW01#

Juniper SRX방화벽 정책에서 Hit-Count 확인하는 방법

root> show security policies hit-count
Logical system: root-logical-system
Index   From zone        To zone           Name           Policy count  Action
1       trust            dmz               trsut-to-dmz   9             Permit
2       dmz              trust             trsut-to-dmz   8             Permit

Number of policy: 2

root>

trust zone - SW01에서 dmz zone -SW02에 방화벽 정책

1. 192.168.1.2 -> 172.16.1.2 https 허용

2. 192.168.1.2 -> 172.16.1.2 telnet 허용

나머지는 모두 차단

address-book name

H-192.168.1.2/32 - SW01

H-172.16.1.2/32 - SW02

application은 custom으로 설정

T-23 -> T는 tcp를 의미 23은 포트 번호 의미

T-443

기존 trust zone에서 dmz zone으로 가는 Any 정책 삭제

root# delete security policies from-zone trust to-zone dmz

[edit]
root# commit
commit complete

address-book과 application를 정의합니다.

set security address-book global address H-192.168.1.2/32 192.168.1.2/32
set security address-book global address H-172.16.1.2/32 172.16.1.2/32

set applications application T-23 protocol tcp
set applications application T-23 source-port 0-65535
set applications application T-23 destination-port 23
set applications application T-23 inactivity-timeout 20

set applications application T-443 protocol tcp
set applications application T-443 source-port 0-65535
set applications application T-443 destination-port 443
set applications application T-443 inactivity-timeout 20

방화벽 정책을 생성합니다.

set security policies from-zone dmz to-zone trust policy trsut-to-dmz match source-address any
set security policies from-zone dmz to-zone trust policy trsut-to-dmz match destination-address any
set security policies from-zone dmz to-zone trust policy trsut-to-dmz match application any
set security policies from-zone dmz to-zone trust policy trsut-to-dmz then permit
set security policies from-zone dmz to-zone trust policy trsut-to-dmz then log session-init
set security policies from-zone dmz to-zone trust policy trsut-to-dmz then count

commit

방화벽 정책 확인하는 방법

root> show security policies
Default policy: deny-all
Default policy log Profile ID: 0
Pre ID default policy: permit-all
From zone: dmz, To zone: trust
  Policy: trsut-to-dmz, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count
From zone: trust, To zone: dmz
  Policy: trust-to-dmz, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: H-192.168.1.2/32
    Destination addresses: H-172.16.1.2/32
    Applications: T-23, T-443
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log, count

root>

방화벽 정책 설정값 확인 방법 - 전체

root> show configuration security | display set | no-more
set security address-book global address H-192.168.1.2/32 192.168.1.2/32
set security address-book global address H-172.16.1.2/32 172.16.1.2/32
set security policies from-zone dmz to-zone trust policy trsut-to-dmz match source-address any
set security policies from-zone dmz to-zone trust policy trsut-to-dmz match destination-address any
set security policies from-zone dmz to-zone trust policy trsut-to-dmz match application any
set security policies from-zone dmz to-zone trust policy trsut-to-dmz then permit
set security policies from-zone dmz to-zone trust policy trsut-to-dmz then log session-init
set security policies from-zone dmz to-zone trust policy trsut-to-dmz then count
set security policies from-zone trust to-zone dmz policy trust-to-dmz match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz match application T-23
set security policies from-zone trust to-zone dmz policy trust-to-dmz match application T-443
set security policies from-zone trust to-zone dmz policy trust-to-dmz then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz then count
set security zones security-zone untrust host-inbound-traffic system-services dhcp
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone dmz host-inbound-traffic system-services ping
set security zones security-zone dmz interfaces ge-0/0/2.0

root>

방화벽 정책 trust zone에서 dmz zone만 확인 하는 방법

root> show configuration security policies from-zone trust to-zone dmz | display set | no-more
set security policies from-zone trust to-zone dmz policy trust-to-dmz match source-address H-192.168.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz match destination-address H-172.16.1.2/32
set security policies from-zone trust to-zone dmz policy trust-to-dmz match application T-23
set security policies from-zone trust to-zone dmz policy trust-to-dmz match application T-443
set security policies from-zone trust to-zone dmz policy trust-to-dmz then permit
set security policies from-zone trust to-zone dmz policy trust-to-dmz then log session-init
set security policies from-zone trust to-zone dmz policy trust-to-dmz then count

테스트해보겠습니다.

trust zone - SW01에서 dmz zone -SW02에 방화벽 정책

1. 192.168.1.2 -> 172.16.1.2 https 허용

2. 192.168.1.2 -> 172.16.1.2 telnet 허용

3. 192.168.1.2 -> 172.16.1.2 http 차단

4. 192.168.1.2 -> 172.16.1.2 ssh 차단

나머지는 모두 차단

SW01#telnet 172.16.1.2 443
Trying 172.16.1.2, 443 ... Open
^C
^^
v
[Connection to 172.16.1.2 closed by foreign host]
SW01#
SW01#telnet 172.16.1.2
Trying 172.16.1.2 ... Open

**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************

User Access Verification

Username: cisco
Password:
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************
SW02#exit

Telnet이랑 SSH는 접속 실패 하였습니다. 방화벽 정책이 없기 때문입니다.

SW01#telnet 172.16.1.2 80
Trying 172.16.1.2, 80 ...
% Connection timed out; remote host not responding

SW01#ssh -l cisco 172.16.1.2
SW01#

방화벽 정책 hit count를 확인해 보겠습니다.

root> show security policies hit-count
Logical system: root-logical-system
Index   From zone        To zone           Name           Policy count  Action
1       trust            dmz               trust-to-dmz   2             Permit
2       dmz              trust             trsut-to-dmz   8             Permit

현재 방화벽 flow session를 확인하는 방법

SW01 -> SW02 telnet 시도

SW01#telnet 172.16.1.2
Trying 172.16.1.2 ... Open

**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************

User Access Verification

Username: cisco
Password:
**************************************************************************
* IOSv is strictly limited to use for evaluation, demonstration and IOS  *
* education. IOSv is provided as-is and is not supported by Cisco's      *
* Technical Advisory Center. Any use or disclosure, in whole or in part, *
* of the IOSv Software or Documentation to any third party for any       *
* purposes is expressly prohibited except as otherwise authorized by     *
* Cisco in writing.                                                      *
**************************************************************************
SW02#

Juniper SRX에서 show security flow session으로 세션 상태 확인

root> show security flow session
Session ID: 1641, Policy name: trust-to-dmz/4, State: Stand-alone, Timeout: 16, Valid
  In: 192.168.1.2/59113 --> 172.16.1.2/23;tcp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 24, Bytes: 1108,
  Out: 172.16.1.2/23 --> 192.168.1.2/59113;tcp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 20, Bytes: 2171,
Total sessions: 1

지금까지 [2024][Juniper SRX #13] firewall policy 글을 읽어주셔서 감사합니다.

저작자표시

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2024][Juniper SRX #15] commit and rollback (0)	2024.07.27
[2024][Juniper SRX #14] firewall policy 순서 변경 (0)	2024.07.26
[2024][Juniper SRX #12] application and application-set (2)	2024.07.24
[2024][Juniper SRX #10] Administrator access restriction settings for MGMT (0)	2024.07.22
[2024][Juniper SRX #9] SSH, Telnet and web-management 설정하기 (0)	2024.07.21

안녕하세요.

오늘은 [2024][Juniper SRX #12] application and application-set입니다.

Juniper 방화벽 정책을 설정 시 Source port 또는 Destination port에 TCP/UDP, 또는 port number를 지정할 때 사용 합니다.

자세한 내용은 Juniper SRX 공식 홈페이지를 참조 바랍니다.

https://www.juniper.net/documentation/us/en/software/junos/security-policies/topics/topic-map/policy-application-sets-configuration.html

Security Policy Applications and Application Sets | Junos OS | Juniper Networks

When you create a policy, you must specify an application, or service, for it to indicate that the policy applies to traffic of that type. Sometimes the same applications or a subset of them can be present in multiple policies, making it difficult to manag

www.juniper.net

Applications은 두 가지로 분류됩니다.

1. standard

2. custom applications

standard way는 이미 Juniper SRX에서 정의된 포트를 말합니다. 주로 well-known port를 의미합니다.

set applications application standard-way application-protocol http

root# set applications application KK application-protocol ?
Possible completions:
  dns                  Domain Name Service
  ftp                  File Transfer Protocol
  ftp-data             File Transfer Protocol Data Session
  gprs-gtp-c           GPRS Tunneling Control Plane
  gprs-gtp-u           GPRS Tunneling User Plane
  gprs-gtp-v0          GPRS Tunneling Version 0
  gprs-sctp            GPRS Stream Control Protocol
  http                 Hypertext Transfer Protocol
  https                Hypertext Transfer Protocol
  ignore               Ignore application type
  ike-esp-nat          IKE/ESP with NAT
  imap                 Internet Mail Access Protocol
  imaps                Internet Mail Access Protocol Over TLS
  mgcp-ca              MGCP-CA
  mgcp-ua              MGCP-UA
  ms-rpc               Microsoft RPC
  none                 None
  pop3                 Post Office Protocol 3 Protocol
  pop3s                Post Office Protocol 3 Protocol Over TLS
  pptp                 Point-to-Point Tunneling Protocol
  q931                 Q.931
  ras                  RAS
  realaudio            RealAudio
  rsh                  Remote Shell
  rtsp                 Real Time Streaming Protocol
  sccp                 Skinny Client Control Protocol
  sip                  Session Initiation Protocol
  smtp                 Simple Mail Transfer Protocol
  smtps                Simple Mail Transfer Protocol Over TLS
  sqlnet-v2            Oracle SQL*Net Version 2
  ssh                  Secure Shell Protocol
  sun-rpc              Sun Microsystems RPC
  talk                 Talk Program
  telnet               Telnet Protocol
  tftp                 Trivial File Transfer Protocol
  twamp                Two Way Active Meaurement Protocol
[edit]

이번에는 custom 방식에 대해서 알아보겠습니다.

Protocol -> tcp

Source-port - 0-65535 -> source port는 랜덤으로 선택됩니다. 특정 Application은 source-port가 특정 포트로 동작하는 APP도 있습니다

Destination-port - 23

inactivity-timeout - 20초

set applications application telnet-1 protocol tcp
set applications application telnet-1 source-port 0-65535
set applications application telnet-1 destination-port 23
set applications application telnet-1 inactivity-timeout 20

방화벽 정책 설정 시 application를 아래처럼 불러와서 사용 가능 합니다.

set security policies from-zone trust to-zone untrust policy p1 match application telnet-1

만약에 하나에 방화벽 정책에 여러 개 application를 사용하고 싶으면 아래와 같이 설정 가능 합니다

set applications application http-1 protocol tcp
set applications application http-1 source-port 0-65535
set applications application http-1 destination-port 80
set applications application http-1 inactivity-timeout 20

아래처럼 application 정책을 계속 추가해야 합니다.

set security policies from-zone trust to-zone untrust policy p1 match application telnet-1
set security policies from-zone trust to-zone untrust policy p1 match application http-1

하지만 application-set을 이용하면 하나에 정책에 많은 application 추가해서 사용할 수 있습니다.

application-set에 http-1이랑 telnet-1을 할당합니다.

set applications application-set app-group application http-1
set applications application-set app-group application telnet-1

그리고 방화벽 정책에 application-set를 설정합니다.

set security policies from-zone trust to-zone untrust policy p1 match application-set app-group

application 설정값 확인 하는 명령어

root> show configuration applications | display set
set applications application standard-way application-protocol http
set applications application http-1 protocol tcp
set applications application http-1 source-port 0-65535
set applications application http-1 destination-port 80
set applications application http-1 inactivity-timeout 20
set applications application telnet-1 protocol tcp
set applications application telnet-1 source-port 0-65535
set applications application telnet-1 destination-port 23
set applications application telnet-1 inactivity-timeout 20
set applications application-set app-group application http-1
set applications application-set app-group application telnet-1

root>

지금까지 [2024][Juniper SRX #12] application and application-set 글을 읽어주셔서 감사합니다.

저작자표시

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2024][Juniper SRX #14] firewall policy 순서 변경 (0)	2024.07.26
[2024][Juniper SRX #13] firewall policy (0)	2024.07.25
[2024][Juniper SRX #10] Administrator access restriction settings for MGMT (0)	2024.07.22
[2024][Juniper SRX #9] SSH, Telnet and web-management 설정하기 (0)	2024.07.21
[2024][Juniper SRX #8] Zone configuration (1)	2024.07.20

안녕하세요.

오늘은 [2024][Juniper SRX #11] address book and address set에 대해서 알아보겠습니다.

Juniper SRX방화벽은 정책을 만들 때 곧바로 IP주소를 입력할 수 없고 Address book를 만들어서 IP주소를 정의해야 합니다.

그래야지 방화벽 정책에서 address book 이름을 불러올 수 있습니다.

자세한 내용은 Juniper 공식 address book이랑 address set에 대한 내용은 확인 부탁드립니다.

https://www.juniper.net/documentation/us/en/software/junos/security-policies/topics/topic-map/security-address-books-sets.html

Address Books and Address Sets | Junos OS | Juniper Networks

In this example, you create source and destination address books, SOUR-ADDR and DES-ADDR, and add source and destination addresses to it. You create source and destination address sets, as1 and as2, and group source and destination addresses to them. Then

www.juniper.net

Address-book은 크게 두 가지로 나누어집니다.

1. global(default) - 모든 zone에서 address book를 불러올 수 있습니다

2. custorm(Must be binded to a zone) - address-book이 특정 Zone에서만 사용할 수 있습니다.

address-book를 정의할 때는 아래와 같이 5가지 사용 가능 합니다.

1. Prefix - EX) 192.168.10.0/24

2. address-range - EX) 192.168.11.10 to 192.168.11.199

3. wildcard_address - EX) 10.0.10.0/255.7.255.0 -

4. DNS_name - EX) cisco.com

5. Any - 모든 트래픽

그럼 Juniper SRX에서 address-book를 설정해 보겠습니다.

1. Prefix를 이용하는 방법

global - global address book 정의

N-192.168.1.0/24 - address book이름

192.168.1.0/24 - Prefix Target IP 정의

set security address-book global address N-192.168.1.0/24 192.168.1.0/24

2. address-range 이용하는 방법

global - global address book 정의

H-192.168.1.0-to-10 - adress book 이름 정의

192.168.1.0 to 192.168.1.10 - 실제 Target IP정의

set security address-book global address H-192.168.1.0-to-10 range-address 192.168.1.0 to 192.168.1.10

3. Wildcard_address 이용하는 방법

global - global address book 정의

wildcard - adress book 이름 정의

192.168.0.11/255.255.0.255 - 192.168.*. 11을 의미 - 즉 192.168.1.11 , 192.168.3.11 - 3번째 octoc은 아무 숫자나 허

set security address-book global address wildcard wildcard-address 192.168.0.11/255.255.0.255

4. dns_name를 이용하는 방법

global - global address book 정의

dns_filter - adress book 이름 정의

cisco.com - dns name이 cisco.com를 정의함.

set security address-book global address dns_filter dns-name cisco.com

이번에는 address-set에 대해서 정의해 보겠습니다.

만약에 위에 모든 정책을 destination IP에 정의를 한다고 하면 똑같은 설정을 4번을 해야 합니다.

방화벽 정책 설정은 추후 강일에서 진행하겠습니다. 아래 설정값은 이해하는 용도로 사용됩니다.

set security policies from-zone trust to-zone untrust policy p1 match destination-address N-192.168.1.0/24
set security policies from-zone trust to-zone untrust policy p1 match destination-address H-192.168.1.0-to-10
set security policies from-zone trust to-zone untrust policy p1 match destination-address wildcard
set security policies from-zone trust to-zone untrust policy p1 match destination-address dns_filter

방화벽 정책 숫자가 적고 source address book과 destination address book이 조금 이면 이렇게 설정해도 상관없지만, adress book수가 많으면, 추후에 정책 설정값을 보거나 show 커맨드로 사용해서 특정값을 출력할 때도 너무 많은 정도들이 올라와서 불편합니다.

address-set를 하나 만들고 여기에 address-book를 포함하면 위에 설정값이 한 줄로 줄어듭니다.

global - global address book 정의

destination-group - adress-set 이름 정의

address N-192.168.1.0/24, H-192.168.1.0-to-10, wildcard 그리고 dns_filter를 address-set destination-group에 포함시킵니다.

set security address-book global address-set destination-group address N-192.168.1.0/24
set security address-book global address-set destination-group address H-192.168.1.0-to-10
set security address-book global address-set destination-group address wildcard
set security address-book global address-set destination-group address dns_filter

그리고 방화벽 정책에서 destination를 정의할 때 한 줄로 사용 가능 합니다.

destination-address에서 destination-group를 불러오면 위에 정의한 address-book 4개를 정의할 수 있습니다.

set security policies from-zone trust to-zone untrust policy p1 match destination-address destination-group

여기까지 Global Address-book에 대해서 설명했습니다. Global address-book은 아무 zone에서 address-book를 불러올 수 있습니다.

trust_zone - global address book이 아닌 name를 정의합니다.

N-10.1.1.0/8 - address book이름 정의

10.1.1.0/8 - 실제 IP대역 target ip address

그리고 trust_zone를 trust zone에게 attach 하면 이 address-book은 turst zone만 사용 가능 하게 됩니다.

set security address-book trust_zone address N-10.1.1.0/8 10.1.1.0/8
set security address-book trust_zone attach zone trust

지금까지 설정한 address-book 출력하기

주의 사항: root> 여기에서는 show security address-book 커맨드가 없기 때문에 확인 불가능 합니다.

꼭 configuration mode에서 확인하시길 바랍니다.

root# show security address-book | display set | no-more
set security address-book global address N-192.168.1.0/24 192.168.1.0/24
set security address-book global address H-192.168.1.0-to-10 range-address 192.168.1.0 to 192.168.1.10
set security address-book global address wildcard wildcard-address 192.168.0.11/255.255.0.255
set security address-book global address dns_filter dns-name cisco.com
set security address-book global address-set destination-group address N-192.168.1.0/24
set security address-book global address-set destination-group address H-192.168.1.0-to-10
set security address-book global address-set destination-group address wildcard
set security address-book global address-set destination-group address dns_filter
set security address-book trust_zone address N-10.1.1.0/8 10.1.1.0/8

또는

root> show configuration security address-book | display set
set security address-book global address N-192.168.1.0/24 192.168.1.0/24
set security address-book global address H-192.168.1.0-to-10 range-address 192.168.1.0 to 192.168.1.10
set security address-book global address wildcard wildcard-address 192.168.0.11/255.255.0.255
set security address-book global address dns_filter dns-name cisco.com
set security address-book global address-set destination-group address N-192.168.1.0/24
set security address-book global address-set destination-group address H-192.168.1.0-to-10
set security address-book global address-set destination-group address wildcard
set security address-book global address-set destination-group address dns_filter

root>

지금까지 [2024][Juniper SRX #11] address book and address set 글을 읽어주셔서 감사합니다.

저작자표시

안녕하세요.

[2024][Juniper SRX #10] Administrator access restriction settings for MGMT입니다.

Juniper SRX에 SSH 또는 Telnet 또는 J-web를 설정하여 Juniper SRX 관리할 수 있지만 보안 설정을 안 하면 모든 IP대역이 Juniper SRX를 SSH 또는 Telent 또는 J-web를 접속하여 로그인할 수 있습니다.

회사에서 보안상 특정 IP대역만 Juniper SRX MGMT IP를 통하여 주니퍼 방화벽을 관리해야 하는 경우에는 아래와 같이 설정 가능 합니다.

토폴로지

Juniper SRX 기본 설정은 아래와 같습니다.

root> show configuration | display set | no-more
set version 21.3R1.9
set system root-authentication encrypted-password "$6$Ea7ce5UJ$33Cef6CXrDrf7O1iHX0Skwii8sjgCAeFvM5CXzEbX3/5QyNQxTMpRtregTUO/84DdvZhnEXel5WPvXKOu0hyx1"
set system login user juniper uid 2000
set system login user juniper class super-user
set system login user juniper authentication encrypted-password "$6$.zIMNUej$r05Ie68YwDsLLShNbIIYdL.TjI9p/ndcvxF0YOuOAbD.OlQWmgaABWskuOtmcU9ZRhp.VqM/tVcA2.tZMwc.W/"
set system services ssh root-login allow
set system services telnet
set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0
set interfaces fxp0 unit 0 family inet address 192.168.10.220/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253

Cisco 스위치 기본 설정입니다.

Switch#conf t
Switch(config)#hostname SW1
SW1(config)#int g0/0
SW1(config-if)#no sw
SW1(config-if)#ip add dhcp
SW1(config-if)#no sh

Juniper Interface를 상태를 확인합니다.

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/2                up    up
dsc                     up    up
fti0                    up    up
fxp0                    up    up
fxp0.0                  up    up   inet     192.168.10.220/24
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down

root>

Cisco Interface를 확인합니다.

SW1#show ip int brie
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/1     unassigned      YES unset  up                    up
GigabitEthernet0/2     unassigned      YES unset  up                    up
GigabitEthernet0/3     unassigned      YES unset  up                    up
GigabitEthernet0/0     192.168.10.104  YES DHCP   up                    up
GigabitEthernet1/0     unassigned      YES unset  up                    up
GigabitEthernet1/1     unassigned      YES unset  up                    up
GigabitEthernet1/2     unassigned      YES unset  up                    up
GigabitEthernet1/3     unassigned      YES unset  up                    up
SW1#

Juniper SRX fxp0 IP: 192.168.10.220

Cisco Gi0/0 IP: 192.168.10.104

Cisco에서 Juniper fxp0로 Ping를 시도합니다

SW1#ping 192.168.10.220
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.220, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/2 ms
SW1#

Telnet Test - 정상적으로 동작합니다.

SW1#telnet 192.168.10.220
Trying 192.168.10.220 ... Open
login: juniper
Password:
Last login: Thu Jun 20 09:49:37 from 172.16.10.15

--- JUNOS 21.3R1.9 Kernel 64-bit XEN JNPR-12.1-20210828.6e5b1bf_buil
juniper>

SSH Test - 정상적으로 동작합니다.

SW1#ssh -l root 192.168.10.220
Password:
Last login: Sat Jun 22 06:12:39 2024
--- JUNOS 21.3R1.9 Kernel 64-bit XEN JNPR-12.1-20210828.6e5b1bf_buil
root@:~ #

현재 Cisco IP주소는 192.168.10.104인데, 보안 설정을 192.168.10.105만 Juniper SRX로 접속 가능 하게 설정해 보겠습니다.

1. IP 대상을 입력합니다. 여러 IP를 허용하면 여러 개를 입력합니다.

set policy-options prefix-list manager-ip 192.168.10.105/32

2. IP를 이용해서 Filter 정책을 만듭니다.

IP: 192.168.10.105

Protocol: tcp

Destination port: telnet https ssh

만 허용합니다. 그리고 나머지는 차단합니다.

set firewall filter manager-ip term accept_manager from prefix-list manager-ip
set firewall filter manager-ip term accept_manager from protocol tcp
set firewall filter manager-ip term accept_manager from destination-port telnet
set firewall filter manager-ip term accept_manager from destination-port https
set firewall filter manager-ip term accept_manager from destination-port ssh
set firewall filter manager-ip term accept_manager then accept
set firewall filter manager-ip term block_non_manager then discard

3. MGMT interface fxp0에 filter를 적용합니다.

set interfaces fxp0 unit 0 family inet filter input manager-ip

commit

그리고 설정을 적용합니다.

Cisco Side

Telent를 시도합니다. Juniper Filter정책 때문에 Telnet 접속이 실패합니다.

SW1#telnet 192.168.10.220
Trying 192.168.10.220 ...
% Connection timed out; remote host not responding

SW1#

SSH를 시도합니다. Juniper Filter정책 때문에 SSH 접속이 실패합니다.

SW1#ssh -l root 192.168.10.220
SW1#

Cisco Switch에서 IP주소를 192.168.10.105로 변경 후 Telnet과 SSH를 시도해 보겠습니다.

SW1(config)#int g0/0
SW1(config-if)#ip add 192.168.10.105 255.255.255.0
SW1(config-if)#no sh

SW1#show ip int brie
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/1     unassigned      YES unset  up                    up
GigabitEthernet0/2     unassigned      YES unset  up                    up
GigabitEthernet0/3     unassigned      YES unset  up                    up
GigabitEthernet0/0     192.168.10.105  YES manual up                    up
GigabitEthernet1/0     unassigned      YES unset  up                    up
GigabitEthernet1/1     unassigned      YES unset  up                    up
GigabitEthernet1/2     unassigned      YES unset  up                    up
GigabitEthernet1/3     unassigned      YES unset  up                    up
SW1#

Telnet 시도 - 허용된 IP이기 때문에 telnet이 성공합니다.

SW1#telnet 192.168.10.220
Trying 192.168.10.220 ... Open
login: juniper
Password:
Last login: Sat Jun 22 06:19:21 from 192.168.10.104

--- JUNOS 21.3R1.9 Kernel 64-bit XEN JNPR-12.1-20210828.6e5b1bf_buil
juniper>

SSH 시도 - 허용된 IP이기 때문에 ssh가 성공합니다.

SW1#ssh -l root 192.168.10.220
Password:

Last login: Sat Jun 22 06:20:40 2024 from 192.168.10.104
--- JUNOS 21.3R1.9 Kernel 64-bit XEN JNPR-12.1-20210828.6e5b1bf_buil
root@:~ #

지금까지 [2024][Juniper SRX #10] Administrator access restriction settings for MGMT글을 읽어주셔서 감사합니다.

저작자표시

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2024][Juniper SRX #13] firewall policy (0)	2024.07.25
[2024][Juniper SRX #12] application and application-set (2)	2024.07.24
[2024][Juniper SRX #9] SSH, Telnet and web-management 설정하기 (0)	2024.07.21
[2024][Juniper SRX #8] Zone configuration (1)	2024.07.20
[2024][Juniper SRX #7] host-inbound-traffic (0)	2024.07.19

안녕하세요.

[2024][Juniper SRX #9] SSH and Telnet 설정하기입니다.

Juniper SRX은 fxp0이 MGMT interface입니다. 여기에 IP주소를 설정하고 외부에서 SSH나 Telent를 통해서 접속해 보겠습니다.

토폴로지는 아래와 같습니다.

기본적으로 설정값들을 지웁니다.

root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

root# set system root-authentication plain-text-password
New password:
Retype new password:

root# commit
commit complete

[edit]
root# commit
commit complete

fxp0에 IP주소를 할당합니다.

DHCP기능이 동작하면 자동으로 IP주소를 받을 수 있고 또는 수동으로 설정 가능 합니다.

DHCP로 IP주소 받기

root# set interfaces fxp0 unit 0 family inet dhcp

[edit]
root# commit

Interface에 IP 확인하기

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/2                up    up
dsc                     up    up
fti0                    up    up
fxp0                    up    up
fxp0.0                  up    up   inet     192.168.10.220/24
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down

root>

수동으로 IP주소 설정하기

delete interfaces fxp0 unit 0 family inet dhcp
commit

root# set interfaces fxp0 unit 0 family inet address 192.168.10.104/24
root# set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253

[edit]
root# commit

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/2                up    up
dsc                     up    up
fti0                    up    up
fxp0                    up    up
fxp0.0                  up    up   inet     192.168.10.220/24
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down

root>

Juniper SRX에 SSH 설정합니다.

root# set system services ssh root-login allow

[edit]
root# commit
commit complete

노트북에서 putty 또는 CRT를 이용해서 접속을 테스트합니다.

정상적으로 동작합니다.

이번에는 Telent를 설정합니다.

root# set system services telnet

[edit]
root# commit
commit complete

telnet은 기본적으로 root를 허용하지 않습니다. root계정으로 로그인을 시도해도 실패합니다.

만약에 telnet를 사용해야 하는 경우에는 user를 따로 생성합니다.

root# set system login user juniper class super-user

[edit]
root# set system login user juniper authentication plain-text-password
New password:
Retype new password:

[edit]
root# commit
commit complete

juniper 계정을 새로 생성하였고 로그인을 시도합니다.

성공적으로 로그인됩니다.

Juniper SRX는 Web 기반에 방화벽에 설정을 지원합니다. 이번에는 j-web를 설정해 보겠습니다.

set system services web-management https system-generated-certificate
set system services web-management https interface fxp0.0

테스트를 위해서 fxp0 ip를 입력합니다.

지금까지 [2024][Juniper SRX #9] SSH, Telnet and web-management 설정하기 글을 읽어주셔서 감사합니다.

저작자표시

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2024][Juniper SRX #12] application and application-set (2)	2024.07.24
[2024][Juniper SRX #10] Administrator access restriction settings for MGMT (0)	2024.07.22
[2024][Juniper SRX #8] Zone configuration (1)	2024.07.20
[2024][Juniper SRX #7] host-inbound-traffic (0)	2024.07.19
[2024][Juniper SRX #6] Interface 설정 - RVI - Trunk mode (0)	2024.07.17

안녕하세요.

오늘은 [2024][Juniper SRX #8] Zone에 대해서 알아보겠습니다.

Juniper SRX는 Zone base Firewall입니다. Interface가 독자적으로 동작하지 못하고 interface는 하나에 Zone에 포함되어야 하고 방화벽 정책은 Zone를 기반으로 허용 또는 차단이 가능합니다.

이 부분은 추후에 방화벽 정책을 테스트할 때 좀 더 자세히 진행하겠습니다.

테스트 토폴로지는 아래와 같습니다.

1.vIOS Switch

2.vSRX를 사용 하였습니다.

IP정보는 아래와 같습니다

SRX:

ge-0/0/0 - 10.1.1.1/24 untrust zone

ge-0/0/1 - 172.16.1.1/24 dmz zone

ge-0/0/2 - 192.168.1.1/24 trust zone

fxp0 - dhcp - management zone

SW1

gi0/0 - 10.1.1.2/24

SW2

gi0/0 - 172.16.1.2/24

SW3

gi0/0 - 192.168.1.2/24

Juniper SRX Zone Types

1. fuctional zone (management Zone) - dedicate an interface just for the purpose of management

일반적으로 fxp0이 management 인터페이스인데, data interface를 MGMT로 사용할 때 이 명령어를 사용하여

MGMT역활한 할 수 있게 설정할 수 있습니다.

2. Security zone - to control traffic between different security zone

3. junos-host - control traffic between security zone and juniper device itself

4. null - discard traffic

현재 생성된 zone 리스트를 출력 하는 명령어

show security zones terse

root> show security zones terse
Zone                        Type
junos-host                  Security

아래 interface를 보면 fxp0이 SRX management interface입니다.

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/2                up    up
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down

root>

fxp0 인터페이스에 IP주소를 DHCP 통해서 할당 받겠습니다.

간단하게 제 테스트랩을 설명하겠습니다

1. 제 노트북에서 Global Protect(VPN agent)로 팔로알토에 접속합니다.

2. EVE-NG는 VMware ESXi안에 설치되어 있스비다.

3. 팔로알토가 DHCP기능을 수행합니다.

그래서 fxp0 인터페이스는 자동으로 팔로알토로부터 IP를 받을 수 있습니다.

아니면 수동으로 설정하셔도 됩니다.

root# set interfaces fxp0 unit 0 family inet dhcp

[edit]
root# commit
commit complete

그리고 Interface에 IP주소를 확인합니다.

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/2                up    up
dsc                     up    up
fti0                    up    up
fxp0                    up    up
fxp0.0                  up    up   inet     192.168.10.104/24
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0

제 PC에서 SRX fxp0 192.168.10.104 ping 테스트입니다.

핑이 성공합니다.

C:\Users\admin>ping 192.168.10.104

Pinging 192.168.10.104 with 32 bytes of data:
Reply from 192.168.10.104: bytes=32 time=4ms TTL=63
Reply from 192.168.10.104: bytes=32 time=5ms TTL=63
Reply from 192.168.10.104: bytes=32 time=7ms TTL=63
Reply from 192.168.10.104: bytes=32 time=14ms TTL=63

Ping statistics for 192.168.10.104:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 4ms, Maximum = 14ms, Average = 7ms

C:\Users\admin>

fxp0를 수동으로 IP주소를 설정하기.

set interfaces fxp0 unit 0 family inet address 192.168.10.104/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253

PC에서 PIng테스트

C:\Users\admin>ping 192.168.10.104

Pinging 192.168.10.104 with 32 bytes of data:
Reply from 192.168.10.104: bytes=32 time=5ms TTL=63
Reply from 192.168.10.104: bytes=32 time=6ms TTL=63
Reply from 192.168.10.104: bytes=32 time=6ms TTL=63
Reply from 192.168.10.104: bytes=32 time=13ms TTL=63

Ping statistics for 192.168.10.104:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 5ms, Maximum = 13ms, Average = 7ms

어떤 Interface가 어떤 Zone에 할당되었는지 확인하는 명령어입니다.

show interfaces zone terse

root> show interfaces zone terse
Interface               Admin Link Proto    Local                 Remote                Zone
ge-0/0/0.0              up    up   inet     10.1.1.1/24
Null
sp-0/0/0.0              up    up   inet
                                   inet6                                                Null
sp-0/0/0.16383          up    up   inet                                                 Null
fxp0.0                  up    up   inet     192.168.10.104/24
                                                                                        Null
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
                                                                                        Null
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
                                                                                        Null
lo0.32768               up    up                                                        Null

fxp0는 기본적으로 null zone에 할당되어 있습니다.

일반적은 data용 interface를 MGMT interface로 사용할 때 사용 됩니다.

테스트를 위해서 ge-0/0/0를 MGMT interface로 만들어 보겠습니다.

root# set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24

[edit]
root# set security zones functional-zone management interfaces ge-0/0/0

[edit]
root# commit
commit complete

root> show security zones terse
Zone                        Type
management                  Functional
junos-host                  Security

root>

Zone를 확인하고 Interface 할당된 Zone도 확인합니다.

root> show security zones terse
Zone                        Type
management                  Functional
junos-host                  Security

root>

root> show interfaces zone terse
Interface               Admin Link Proto    Local                 Remote                Zone
ge-0/0/0.0              up    up   inet     10.1.1.1/24
                                                                                        Management
sp-0/0/0.0              up    up   inet
                                   inet6                                                Null
sp-0/0/0.16383          up    up   inet                                                 Null
fxp0.0                  up    up   inet     192.168.10.104/24
                                                                                        Null
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
                                                                                        Null
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
                                                                                        Null
lo0.32768               up    up                                                        Null

root>

테스트를 위해서 기존에 Ge-0/0/0 zone를 삭제합니다.

delete security zones functional-zone management interfaces ge-0/0/0.0
commit

root> show interfaces zone terse
Interface               Admin Link Proto    Local                 Remote                Zone
ge-0/0/0.0              up    up   inet     10.1.1.1/24
                                                                                        Null
sp-0/0/0.0              up    up   inet
                                   inet6                                                Null
sp-0/0/0.16383          up    up   inet                                                 Null
fxp0.0                  up    up   inet     192.168.10.104/24
                                                                                        Null
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
                                                                                        Null
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
                                                                                        Null
lo0.32768               up    up                                                        Null

root>

2

2. Security zone - to control traffic between different security zone

테스트를 위해서 IP를 설정합니다.

set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 172.16.1.1/24
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.1/24

commit

인터페이스를 확인합니다.

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     10.1.1.1/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     172.16.1.1/24
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     192.168.1.1/24
dsc                     up    up
fti0                    up    up
fxp0                    up    up
fxp0.0                  up    up   inet     192.168.10.104/24
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down

root>

Zone를 생성합니다.

set security zones security-zone trust
set security zones security-zone untrust
set security zones security-zone dmz

commit

Zone를 생성을 확인합니다.

root> show security zones terse
Zone                        Type
management                  Functional
dmz                         Security
trust                       Security
untrust                     Security
junos-host                  Security

root>

Interface를 Zone에 할당합니다.

set security zones security-zone trust interfaces ge-0/0/2.0
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone dmz interfaces ge-0/0/1.0

commit

Zone에 할당된 interface를 확인합니다.

root> show interfaces zone terse | match ge-
ge-0/0/0.0              up    up   inet     10.1.1.1/24
ge-0/0/1.0              up    up   inet     172.16.1.1/24
ge-0/0/2.0              up    up   inet     192.168.1.1/24

root>

Ping 테스트를 위해서 각 Zone에 PING를 허용합니다.

set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone dmz host-inbound-traffic system-services ping

SW1 gi0/0 IP를 설정하고 SRX ge-0/0/0 10.1.1.1로 PIng를 시도합니다.

Switch(config)#int g0/0
Switch(config-if)#no sw
Switch(config-if)#ip add 10.1.1.2 255.255.255.0
Switch(config-if)#no sh

Switch(config-if)#end
Switch# ping 10.1.1.1
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/146/579 ms
Switch#

SW2 gi0/0 IP를 설정하고 SRX ge-0/0/0 172.16.1.1로 PIng를 시도합니다.

Switch(config)#int g0/0
Switch(config-if)#no sw
Switch(config-if)#ip add 172.16.1.2 255.255.255.0
Switch(config-if)#no sh
Switch(config-if)#end
Switch#
Switch#ping 172.16.1.1
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 2/3/4 ms
Switch#

SW3 gi0/0 IP를 설정하고 SRX ge-0/0/0 192.168.1.1로 PIng를 시도합니다.

Switch#conf t
Switch(config)#int g0/0
Switch(config-if)#no sw
Switch(config-if)#ip add 192.168.1.2 255.255.255.0
Switch(config-if)#no sh
Switch(config-if)#end
Switch#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:

*Jun 20 08:56:02.421: %SYS-5-CONFIG_I: Configured from console by console
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/2 ms
Switch#

서로 다른 Zone끼리 방화벽 정책이 없기 때문에 서로 간에 통신은 불가능합니다.

지금까지 [2024][Juniper SRX #8] Zone configuration 글을 읽어주셔서 감사합니다.

다음 강좌를 address-book에 대해서 알아보도록 하겠습니다.

감사합니다.

저작자표시

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2024][Juniper SRX #10] Administrator access restriction settings for MGMT (0)	2024.07.22
[2024][Juniper SRX #9] SSH, Telnet and web-management 설정하기 (0)	2024.07.21
[2024][Juniper SRX #7] host-inbound-traffic (0)	2024.07.19
[2024][Juniper SRX #6] Interface 설정 - RVI - Trunk mode (0)	2024.07.17
[2024][Juniper SRX #5] Interface 설정 - RVI - access mode (0)	2024.07.16

안녕하세요.

오늘은 [2024][Juniper SRX #7] host-inbound-traffic입니다.

주니퍼 SRX장비는 방화벽(보안) 장비이기 때문에, SRX에 interface가 목적지인 경우에는 기본적으로 패킷이 차단됩니다.

방법은 2가지입니다.

1. zone에서 host-inbound-traffic를 허용하는 방법 - Zone안에 있는 Interface에 일괄적으로 적용

2. Interface별로 host-inbound-trafic를 허용하는 방법 - Interface별로 개별 적용.

root# ...rity-zone trust host-inbound-traffic ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> protocols            Protocol type of incoming traffic to accept
> system-services      Type of incoming system-service traffic to accept

Protocols를 선택하면 아래와 같습니다.

root# ...rity-zone trust host-inbound-traffic protocols ?
Possible completions:
  all                  All protocols
  bfd                  Bidirectional Forwarding Detection
  bgp                  Border Gateway Protocol
  dvmrp                Distance Vector Multicast Routing Protocol
  igmp                 Internet Group Management Protocol
  ldp                  Label Distribution Protocol
  msdp                 Multicast Source Discovery Protocol
  nhrp                 Next Hop Resolution Protocol
  ospf                 Open Shortest Path First
  ospf3                Open Shortest Path First version 3
  pgm                  Pragmatic General Multicast
  pim                  Protocol Independent Multicast
  rip                  Routing Information Protocol
  ripng                Routing Information Protocol next generation
  router-discovery     Router Discovery
  rsvp                 Resource Reservation Protocol
  sap                  Session Announcement Protocol
  vrrp                 Virtual Router Redundancy Protocol
[edit]

System-services를 선택하면 아래와 같습니다.

root# ...rity-zone trust host-inbound-traffic system-services ?
Possible completions:
  all                  All system services
  any-service          Enable services on entire port range
  appqoe               APPQOE active probe service
  bootp                Bootp and dhcp relay-agent service
  dhcp                 Dynamic Host Configuration Protocol
  dhcpv6               Enable Dynamic Host Configuration Protocol for IPv6
  dns                  DNS service
  finger               Finger service
  ftp                  FTP
  high-availability    High Availability service
  http                 Web management service using HTTP
  https                Web management service using HTTP secured by SSL
  ident-reset          Send back TCP RST to IDENT request for port 113
  ike                  Internet Key Exchange
  lsping               Label Switched Path ping service
  netconf              NETCONF service
  ntp                  Network Time Protocol service
  ping                 Internet Control Message Protocol echo requests
  r2cp                 Enable Radio-Router Control Protocol service
  reverse-ssh          Reverse SSH service
  reverse-telnet       Reverse telnet service
  rlogin               Rlogin service
  rpm                  Real-time performance monitoring
  rsh                  Rsh service
  snmp                 Simple Network Management Protocol service
  snmp-trap            Simple Network Management Protocol traps
  ssh                  SSH service
  tcp-encap            Tcp encapsulation service
  telnet               Telnet service
  tftp                 TFTP
  traceroute           Traceroute service
  webapi-clear-text    Webapi service using http
  webapi-ssl           Webapi service using HTTP secured by SSL
  xnm-clear-text       JUNOScript API for unencrypted traffic over TCP
  xnm-ssl              JUNOScript API service over SSL
[edit]

테스트를 해보겠습니다.

토폴로지 아래와 같습니다.

Juniper

1. Ge-0/0/0 - 10.1.1.1/24

2. Zone Trust 생성

3. Ge-0/0/0를 Zone Trust 할당

4. OSPF 설정

Cisco

1. g0/0 - 10.1.1.2/24 설정

2. lo0 - 192.168.1.1/24 설정

3. OSPF 설정

테스트

1. Juniper랑 Cisco랑 OSPF 네이버 확인

2. Juniper라우팅 테이블에 192.168.1.0/24 확인

2. Cisco에서 Juniper Interface ge-0/0/0 10.1.1.1로 PIng 시도

위에 테스트를 하기 위해서는 주니퍼에 host-inbound-traffic 기능이 필요합니다.

Juniper Side

1. 설정값을 초기화합니다.

root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# commit

2. Juniper Ge-0/0/0에 10.1.1.1/24 IP 할

root# set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24

3. Zone Trust 생성

[edit]
root# set security zones security-zone Trust

[edit]
root# set security zones security-zone Trust interfaces ge-0/0/0

4. Ospf 설정

root# set routing-options router-id 10.1.1.1
root# set protocols ospf area 0.0.0.0 interface ge-0/0/0

Cisco Side

1. Interface에 IP 할당하기

Switch>enable
Switch#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#interface gigabitEthernet 0/0
Switch(config-if)#no sw
Switch(config-if)#no switchport
Switch(config-if)#ip address 10.1.1.2 255.255.255.0
Switch(config-if)#no shutdown

Switch(config)#interface loopback 1
Switch(config-if)#ip address 192.168.1.1 255.255.255.0
Switch(config-if)#ip ospf network point-to-point

2. OSPF 설정

Switch(config)#router ospf 1
Switch(config-router)#router-id 10.1.1.2
Switch(config-router)#network 0.0.0.0 0.0.0.0 area 0

테스트

Cisco에서 Juniper Ge-0/0/0 10.1.1.1로 PIng 테스

Switch#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Switch#

Cisco랑 Juniper Interface 상태 확인

Switch#show ip int brie
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     10.1.1.2        YES manual up                    up
GigabitEthernet0/1     unassigned      YES unset  up                    up
GigabitEthernet0/2     unassigned      YES unset  up                    up
GigabitEthernet0/3     unassigned      YES unset  up                    up
GigabitEthernet1/0     unassigned      YES unset  up                    up
GigabitEthernet1/1     unassigned      YES unset  up                    up
GigabitEthernet1/2     unassigned      YES unset  up                    up
GigabitEthernet1/3     unassigned      YES unset  up                    up
Loopback0              unassigned      YES unset  up                    up
Loopback1              192.168.1.1     YES manual up                    up
Switch#

root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     10.1.1.1/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/2                up    up
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down

root>

Interface상태가 모두 다 up인데도 Ping 실패

Juniper Side

Zone에서 ping를 허용하는 host-inbound-traffic system-service 커맨드를 사용하여 허용하겠습니다.

root# set security zones security-zone Trust host-inbound-traffic system-services ping

[edit]
root# commit

Cisco에서 다시 Ping 테스트 시도 합니다

Switch#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/20/94 ms
Switch#

이번에는 Cisco에서 ospf 네이버를 확인하겠습니다. 네이버가 Full 상태가 아니라 INIT상태입니다.

Cisco랑 Juniper 사이에 네이버가 생성되지 않습니다.

Switch#show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
10.1.1.1 128 INIT/DROTHER 00:00:38 10.1.1.1 GigabitEthernet0/0
Switch#

Juniper Side

Zone에서 host-inbound-traffic protocol 커맨드를 사용하여 ospf를 허용하겠습니다.

root# set security zones security-zone Trust host-inbound-traffic protocols ospf

[edit]
root# commit
commit complete

Cisco에서 네이버를 확인해 보겠습니다.

아래처럼 네이버가 생성되었습니다.

Switch#show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
10.1.1.1 128 INIT/DROTHER 00:00:38 10.1.1.1 GigabitEthernet0/0

Juniper에서 네이버를 확인합니다. 그리고 라우팅 테이블에 192.168.1.0/24를 Cisco에서 받아 왔는지 확인합니다.

root> show ospf neighbor
Address          Interface              State           ID               Pri  Dead
10.1.1.2         ge-0/0/0.0             Full            10.1.1.2           1    33

root> show route

inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.1.1.0/24        *[Direct/0] 00:16:43
                    >  via ge-0/0/0.0
10.1.1.1/32        *[Local/0] 00:16:43
                       Local via ge-0/0/0.0
192.168.1.0/24     *[OSPF/10] 00:00:29, metric 2
                    >  to 10.1.1.2 via ge-0/0/0.0
224.0.0.5/32       *[OSPF/10] 00:07:06, metric 1
                       MultiRecv

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

ff02::2/128        *[INET6/0] 00:44:15
                       MultiRecv

root>

아래처럼 Zone에서 host-inbound-traffic 사용하여 해결합니다.

set security zones security-zone Trust host-inbound-traffic system-services ping
set security zones security-zone Trust host-inbound-traffic protocols ospf

이번에는 Zone에 Interface ge-0/0/0에 host-inbound-traffic 사용하여 해결해 보겠습니다.

Juniper Side

Zone에 설정된 host-inbound-traffic를 삭제합니다.

root#security zones security-zone Trust host-inbound-traffic system-services ping
root#security zones security-zone Trust host-inbound-traffic protocols ospf
root# commit
commit complete

Zone에 Interface ge-0/0/0에 host-inbound-traffic 설정

root#set security zones security-zone Trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
root#set security zones security-zone Trust interfaces ge-0/0/0.0 host-inbound-traffic protocols ospf
root#commit

Cisco에서 Ping이랑 OSPF 테스트

Switch#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms

Switch#show ip ospf neighbor

Neighbor ID Pri State Dead Time Address Interface
10.1.1.1 128 FULL/DR 00:00:33 10.1.1.1 GigabitEthernet0/0
Switch#

Juniper에서 ospf네이버랑 라우팅 테이블 확인

root> show ospf neighbor
Address          Interface              State           ID               Pri  Dead
10.1.1.2         ge-0/0/0.0             Full            10.1.1.2           1    36

root> show route

inet.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.1.1.0/24        *[Direct/0] 00:22:05
                    >  via ge-0/0/0.0
10.1.1.1/32        *[Local/0] 00:22:05
                       Local via ge-0/0/0.0
192.168.1.0/24     *[OSPF/10] 00:05:51, metric 2
                    >  to 10.1.1.2 via ge-0/0/0.0
224.0.0.5/32       *[OSPF/10] 00:12:28, metric 1
                       MultiRecv

inet6.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

ff02::2/128        *[INET6/0] 00:49:37
                       MultiRecv

root>

모두 다 정상적으로 동작합니다.

지금까지 [2024][Juniper SRX #7] host-inbound-traffic 글을 읽어 주셔서 감사합니다.

저작자표시

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2024][Juniper SRX #9] SSH, Telnet and web-management 설정하기 (0)	2024.07.21
[2024][Juniper SRX #8] Zone configuration (1)	2024.07.20
[2024][Juniper SRX #6] Interface 설정 - RVI - Trunk mode (0)	2024.07.17
[2024][Juniper SRX #5] Interface 설정 - RVI - access mode (0)	2024.07.16
[2024][Juniper SRX #4] Interface 설정 - Layer3 Logical Interface (0)	2024.07.15

안녕하세요.

오늘은 [2024][EVE-NG #17] Upgrade EVE-NG version입니다.

1. 공식 홈페이지입니다.

https://www.eve-ng.net/index.php/how-to-upgrade-eve-community-to-the-newest-version/

How to upgrade EVE Community to the newest version -

How to update EVE CE Community Edition to the newest version Steps how to update your EVE-NG Community to the newest version Internet and DNS resolve the name is a must for your EVE before …

www.eve-ng.net

현재 EVE-NG community 최신 version은 6.2.0-3입니다.

2. 현재 사용 중인 EVE-NG Community version 확인하기

root@eve-ng:~# dpkg -l eve-ng
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============-============-============-==============================================
ii eve-ng 6.2.0-2 amd64 A new generation software for networking labs.
root@eve-ng:~#

3. Update/Upgrade steps

3-1 필요 없는 Package를 삭제합니다.

root@eve-ng:~# apt autoremove
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@eve-ng:~#

3-2 Disk 용량을 확인합니다.

root@eve-ng:~# df -h
Filesystem                         Size  Used Avail Use% Mounted on
tmpfs                               13G  1.5M   13G   1% /run
/dev/mapper/ubuntu--vg-ubuntu--lv  244G   15G  218G   7% /
tmpfs                               63G     0   63G   0% /dev/shm
tmpfs                              5.0M     0  5.0M   0% /run/lock
tmpfs                               63G     0   63G   0% /run/qemu
/dev/sda2                          2.0G  286M  1.6G  16% /boot
tmpfs                               13G  4.0K   13G   1% /run/user/0
root@eve-ng:~#

3-3 인터넷 통신이 되는지 확인합니다.

root@eve-ng:~# ping google.com
PING google.com (74.125.130.101) 56(84) bytes of data.
64 bytes from sb-in-f101.1e100.net (74.125.130.101): icmp_seq=1 ttl=57 time=2.01 ms
64 bytes from sb-in-f101.1e100.net (74.125.130.101): icmp_seq=2 ttl=57 time=2.10 ms
64 bytes from sb-in-f101.1e100.net (74.125.130.101): icmp_seq=3 ttl=57 time=2.06 ms
64 bytes from sb-in-f101.1e100.net (74.125.130.101): icmp_seq=4 ttl=57 time=2.16 ms
64 bytes from sb-in-f101.1e100.net (74.125.130.101): icmp_seq=5 ttl=57 time=2.33 ms
64 bytes from sb-in-f101.1e100.net (74.125.130.101): icmp_seq=6 ttl=57 time=2.17 ms
^C
--- google.com ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5009ms
rtt min/avg/max/mdev = 2.005/2.138/2.334/0.104 ms
root@eve-ng:~#

3-4 업데이트 항목을 확인하고 다운로드합니다.

root@eve-ng:~# apt update
Get:1 http://security.ubuntu.com/ubuntu jammy-security InRelease [129 kB]
Get:2 http://archive.ubuntu.com/ubuntu jammy InRelease [270 kB]
Get:3 http://www.eve-ng.net/jammy jammy InRelease [1,456 B]
Get:4 http://www.eve-ng.net/jammy jammy/main amd64 Packages [10.9 kB]
Get:5 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages [1,525 kB]
Get:6 http://archive.ubuntu.com/ubuntu jammy-updates InRelease [128 kB]
Get:7 http://security.ubuntu.com/ubuntu jammy-security/main Translation-en [261 kB]
Get:8 http://security.ubuntu.com/ubuntu jammy-security/main amd64 c-n-f Metadata [11.4 kB]
Get:9 http://security.ubuntu.com/ubuntu jammy-security/restricted amd64 Packages [1,937 kB]
Get:10 http://security.ubuntu.com/ubuntu jammy-security/restricted Translation-en [330 kB]
Get:11 http://security.ubuntu.com/ubuntu jammy-security/restricted amd64 c-n-f Metadata [520 B]
Get:12 http://security.ubuntu.com/ubuntu jammy-security/universe amd64 Packages [859 kB]
Get:13 http://archive.ubuntu.com/ubuntu jammy-backports InRelease [127 kB]
Get:14 http://security.ubuntu.com/ubuntu jammy-security/universe Translation-en [166 kB]
Get:15 http://security.ubuntu.com/ubuntu jammy-security/universe amd64 c-n-f Metadata [16.8 kB]
Get:16 http://security.ubuntu.com/ubuntu jammy-security/multiverse amd64 Packages [37.2 kB]
Get:17 http://security.ubuntu.com/ubuntu jammy-security/multiverse Translation-en [7,588 B]
Get:18 http://security.ubuntu.com/ubuntu jammy-security/multiverse amd64 c-n-f Metadata [260 B]
Get:19 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages [1,395 kB]
Get:20 http://archive.ubuntu.com/ubuntu jammy/main Translation-en [510 kB]
Get:21 http://archive.ubuntu.com/ubuntu jammy/main amd64 c-n-f Metadata [30.3 kB]
Get:22 http://archive.ubuntu.com/ubuntu jammy/restricted amd64 Packages [129 kB]
Get:23 http://archive.ubuntu.com/ubuntu jammy/restricted Translation-en [18.6 kB]
Get:24 http://archive.ubuntu.com/ubuntu jammy/restricted amd64 c-n-f Metadata [488 B]
Get:25 http://archive.ubuntu.com/ubuntu jammy/universe amd64 Packages [14.1 MB]
Get:26 http://archive.ubuntu.com/ubuntu jammy/universe Translation-en [5,652 kB]
Get:27 http://archive.ubuntu.com/ubuntu jammy/universe amd64 c-n-f Metadata [286 kB]
Get:28 http://archive.ubuntu.com/ubuntu jammy/multiverse amd64 Packages [217 kB]
Get:29 http://archive.ubuntu.com/ubuntu jammy/multiverse Translation-en [112 kB]
Get:30 http://archive.ubuntu.com/ubuntu jammy/multiverse amd64 c-n-f Metadata [8,372 B]
Get:31 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages [1,734 kB]
Get:32 http://archive.ubuntu.com/ubuntu jammy-updates/main Translation-en [319 kB]
Get:33 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 c-n-f Metadata [16.1 kB]
Get:34 http://archive.ubuntu.com/ubuntu jammy-updates/restricted amd64 Packages [1,993 kB]
Get:35 http://archive.ubuntu.com/ubuntu jammy-updates/restricted Translation-en [339 kB]
Get:36 http://archive.ubuntu.com/ubuntu jammy-updates/restricted amd64 c-n-f Metadata [520 B]
Get:37 http://archive.ubuntu.com/ubuntu jammy-updates/universe amd64 Packages [1,087 kB]
Get:38 http://archive.ubuntu.com/ubuntu jammy-updates/universe Translation-en [251 kB]
Get:39 http://archive.ubuntu.com/ubuntu jammy-updates/universe amd64 c-n-f Metadata [22.1 kB]
Get:40 http://archive.ubuntu.com/ubuntu jammy-updates/multiverse amd64 Packages [43.2 kB]
Get:41 http://archive.ubuntu.com/ubuntu jammy-updates/multiverse Translation-en [10.8 kB]
Get:42 http://archive.ubuntu.com/ubuntu jammy-updates/multiverse amd64 c-n-f Metadata [472 B]
Get:43 http://archive.ubuntu.com/ubuntu jammy-backports/main amd64 Packages [67.1 kB]
Get:44 http://archive.ubuntu.com/ubuntu jammy-backports/main Translation-en [11.0 kB]
Get:45 http://archive.ubuntu.com/ubuntu jammy-backports/main amd64 c-n-f Metadata [388 B]
Get:46 http://archive.ubuntu.com/ubuntu jammy-backports/restricted amd64 c-n-f Metadata [116 B]
Get:47 http://archive.ubuntu.com/ubuntu jammy-backports/universe amd64 Packages [27.2 kB]
Get:48 http://archive.ubuntu.com/ubuntu jammy-backports/universe Translation-en [16.3 kB]
Get:49 http://archive.ubuntu.com/ubuntu jammy-backports/universe amd64 c-n-f Metadata [644 B]
Get:50 http://archive.ubuntu.com/ubuntu jammy-backports/multiverse amd64 c-n-f Metadata [116 B]
Fetched 34.2 MB in 31s (1,094 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
118 packages can be upgraded. Run 'apt list --upgradable' to see them.
root@eve-ng:~#

3-5 업그레이드를 시작합니다.

Do you want to contunue? [Y/n] Y를 선택합니다.

root@eve-ng:~# apt upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
Get more security updates through Ubuntu Pro with 'esm-apps' enabled:
  libavcodec58 libmagickwand-6.q16-6 libavutil56 libswscale5
  libmagickcore-6.q16-6 libswresample3 imagemagick-6-common libavformat58
  libde265-0
Learn more about Ubuntu Pro at https://ubuntu.com/pro
The following NEW packages will be installed:
  linux-headers-5.15.0-112 linux-headers-5.15.0-112-generic linux-image-5.15.0-112-generic
  linux-modules-5.15.0-112-generic linux-modules-extra-5.15.0-112-generic ubuntu-pro-client
The following packages have been kept back:
  python3-update-manager update-manager-core
The following packages will be upgraded:
  apt apt-utils bash bind9-dnsutils bind9-host bind9-libs binutils binutils-common binutils-x86-64-linux-gnu
  bsdextrautils bsdutils cloud-init coreutils cpio curl distro-info-data dpkg eject ethtool eve-ng fdisk
  firmware-sof-signed ghostscript git git-man intel-microcode klibc-utils landscape-common less libapt-pkg6.0
  libarchive13 libbinutils libblkid1 libc-bin libctf-nobfd0 libctf0 libcurl3-gnutls libcurl4 libexpat1 libfdisk1
  libgdk-pixbuf-2.0-0 libgdk-pixbuf2.0-bin libgdk-pixbuf2.0-common libgif7 libglib2.0-0 libglib2.0-bin
  libglib2.0-data libgnutls30 libgpgme11 libgs9 libgs9-common libklibc libldap-2.5-0 libldap-common libmount1
  libnghttp2-14 libnspr4 libnss3 libsmartcols1 libssl3 libtiff5 libtss2-esys-3.0.2-0 libtss2-mu0 libtss2-sys1
  libtss2-tcti-cmd0 libtss2-tcti-device0 libtss2-tcti-mssim0 libtss2-tcti-swtpm0 libuuid1 libuv1 libvpx7
  libvte-2.91-0 libvte-2.91-common libxml2 linux-firmware linux-generic linux-headers-generic linux-image-generic
  linux-libc-dev locales mount mysql-client-8.0 mysql-client-core-8.0 mysql-server mysql-server-8.0
  mysql-server-core-8.0 openjdk-11-jdk openjdk-11-jdk-headless openjdk-11-jre openjdk-11-jre-headless openssh-client
  openssh-server openssh-sftp-server openssl python3-cryptography python3-idna python3-jinja2 qemu-block-extra
  qemu-system-common qemu-system-data qemu-system-gui qemu-system-x86 qemu-utils snapd tcpdump tzdata
  ubuntu-advantage-tools ubuntu-pro-client-l10n update-notifier-common util-linux uuid-runtime vim vim-common
  vim-runtime vim-tiny xxd
116 upgraded, 6 newly installed, 0 to remove and 2 not upgraded.
86 standard LTS security updates
Need to get 648 MB of archives.
After this operation, 589 MB of additional disk space will be used.
Do you want to continue? [Y/n]

Y를 선택하면 업그레이드를 진행합니다

Get:1 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 bash amd64 5.1-6ubuntu1.1 [769 kB]
Get:2 http://www.eve-ng.net/jammy jammy/main amd64 eve-ng amd64 6.2.0-3 [26.3 MB]
Get:3 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 bsdutils amd64 1:2.37.2-4ubuntu3.4 [80.9 kB]
Get:4 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 coreutils amd64 8.32-4.1ubuntu1.2 [1,437 kB]
Get:5 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libapt-pkg6.0 amd64 2.4.12 [912 kB]
Get:6 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 dpkg amd64 1.21.1ubuntu2.3 [1,239 kB]
Get:7 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 util-linux amd64 2.37.2-4ubuntu3.4 [1,063 kB]
Get:8 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libc-bin amd64 2.35-0ubuntu3.8 [706 kB]
Get:9 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 apt amd64 2.4.12 [1,363 kB]
Get:10 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 apt-utils amd64 2.4.12 [211 kB]
Get:11 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libgnutls30 amd64 3.7.3-4ubuntu1.5 [966 kB]
Get:12 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 mount amd64 2.37.2-4ubuntu3.4 [114 kB]
Get:13 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libsmartcols1 amd64 2.37.2-4ubuntu3.4 [50.9 kB]
Get:14 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libuuid1 amd64 2.37.2-4ubuntu3.4 [23.8 kB]
Get:15 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 uuid-runtime amd64 2.37.2-4ubuntu3.4 [32.0 kB]
Get:16 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libssl3 amd64 3.0.2-0ubuntu1.15 [1,905 kB]
Get:17 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 tcpdump amd64 4.99.1-3ubuntu0.2 [501 kB]
Get:18 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 mysql-client-core-8.0 amd64 8.0.37-0ubuntu0.22.04.3 [2,762 kB]
Get:19 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 mysql-client-8.0 amd64 8.0.37-0ubuntu0.22.04.3 [22.7 kB]
Get:20 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 mysql-server-8.0 amd64 8.0.37-0ubuntu0.22.04.3 [1,438 kB]
Get:21 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 mysql-server-core-8.0 amd64 8.0.37-0ubuntu0.22.04.3 [17.6 MB]
5% [21 mysql-server-core-8.0 2,495 kB/17.6 MB 14%] [2 eve-ng 133 kB/26.3 MB 1%]

설치가 완료되면, Ok버튼을 클릭합니다.

3-6. EVE-NG Community를 재시작합니다.

부팅이 완료될 때까지 기다립니다.

root@eve-ng:~# reboot

3-7 장비에 접속해서 버전을 확인합니다.

root@eve-ng:~# dpkg -l eve-ng
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============-============-============-==============================================
ii eve-ng 6.2.0-3 amd64 A new generation software for networking labs.
root@eve-ng:~#

버전이 6.2.0-2에서 6.2.0-3으로 업그레이드되었습니다.

3-8 EVE-NG 잘 접속되는지 확인합니다.

지금까지 [2024][EVE-NG #17] Upgrade EVE-NG version 글을 읽어주셔서 감사합니다.

저작자표시

'EVE-NG' 카테고리의 다른 글

[2024][EVE-NG #18] Virtual PC(VPCS) (0)	2024.11.06
[2024][EVE-NG #18] EVE-NG에 C9800CL Install (2)	2024.10.07
[2024][EVE-NG #16] Juniper QFX 스위치 설치하기 (0)	2024.07.12
[2024][EVE-NG #15] Juniper MX 라우터 설치하기 (0)	2024.07.11
[2024][EVE-NG #14] Juniper SRX 방화벽 설치하기 (0)	2024.07.09

안녕하세요.

오늘은 [2024][Juniper SRX #6] Interface 설정 - RVI - Trunk mode - L2기반에서 동작하는 Layer3 Interface에 대해서 확인해 보겠습니다.

1. Layer3 Physical Interface - access mode

2. Layer3 Logical Interface - trunk mode

3. RVI IRB - access mode - L2기반에서 동작하는 Layer3 Interface

4. RVI IRB - trunk mode - L2기번에서 동작하는 Layer3 Interface

테스트를 위해서 아래처럼 Node 2개를 생성하고 케이블을 연결합니다

1. vSRX - ge-0/0/0

2. vIOS Switch - G0/0

1. Layer3 Physical Interface 테스트해 보겠습니다.

vSRX Side -

delete 디폴트 설정값을 지웁니다.

set system root-authentication plain-text-password : root 패스워드를 입력합니다.

commit : 설정값을 적용 및 저장합니다.

root@:~ # cli
root> configure
Entering configuration mode

[edit]
root# delete
This will delete the entire configuration
Delete everything under this level? [yes,no] (no) yes

[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:

[edit]
root# commit

commit complete

[edit]
root#

2. vSRX side

vlan을 생성합니다.

vlan name: VL10, VL20, V30

vlan-id: 10, 20, 30

그리고 vlan를 확인합니다.

root# set vlans VL10 vlan-id 10

[edit]
root# set vlans VL20 vlan-id 20

[edit]
root# set vlans VL30 vlan-id 30

[edit]
root# commit
commit complete

[edit]
root# exit
Exiting configuration mode

root> show vlans brief

Routing instance        VLAN name             Tag          Interfaces
default-switch          VL10                  10

default-switch          VL20                  20

default-switch          VL30                  30

default-switch          default               1


root>

Interface ge-0/0/0를 Trunk mode를 설정합니다.

그리고 VL10, VL20, VL30만 사용할 수 있도록 설정합니다.

root# set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode trunk
root# set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members VL10 members VL20 members VL30

IRB를 설정합니다.

IRB10 - 10.1.1.1/24

IRB20 - 20.1.1.1/24

IRB30 - 30.1.1.1/24

root# set interfaces irb unit 10 family inet address 10.1.1.1/24

[edit]
root# set interfaces irb unit 20 family inet address 20.1.1.1/24

[edit]
root# set interfaces irb unit 30 family inet address 30.1.1.1/24

[edit]
root# commit
commit complete

[edit]
root#

IRB interface를 VLAN이랑 mapping를 합니다.

root# set vlans VL10 l3-interface irb.10

[edit]
root# set vlans VL20 l3-interface irb.20

[edit]
root# set vlans VL30 l3-interface irb.30

[edit]
root# commit
commit complete

[edit]

Interface 상태를 확인합니다.

root> show interfaces terse | no-more
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   eth-switch
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/2                up    up
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
irb.10                  up    up   inet     10.1.1.1/24
irb.20                  up    up   inet     20.1.1.1/24
irb.30                  up    up   inet     30.1.1.1/24
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down
vtep                    up    up

Cisco Side

Vlan를 생성합니다.

Vlan 10

Vlan 20

vlan 30

그리고 VLAN를 확인합니다.

Switch(config)#vlan 10
Switch(config-vlan)#vlan 20
Switch(config-vlan)#vlan 30
Switch(config-vlan)#end
Switch#show vlan brie

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2, Gi0/3, Gi1/0
                                                Gi1/1, Gi1/2, Gi1/3
10   VLAN0010                         active    Gi0/0
20   VLAN0020                         active
30   VLAN0030                         active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
Switch#

Interface gi0/0를 Trunk mode로 설정합니다.

그리고 VLAN 10,20,30만 사용 가능 하게 설정합니다.

Switch(config)#interface gigabitEthernet 0/0
Switch(config-if)#switchport trunk encapsulation dot1q
Switch(config-if)#switchport mode trunk
Switch(config-if)#switchport trunk allowed vlan 10,20,30
Switch(config-if)#

SVI를 생성합니다.

SVI 10 - 10.1.1.2/24

SVI 20 - 20.1.1.2/24

SVI 30 - 30.1.1.2/24

Switch(config)#interface vlan 10
Switch(config-if)#ip address 10.1.1.2 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#interface vlan 20
Switch(config-if)#ip address 20.1.1.2 255.255.255.0
Switch(config-if)#no shutdown
Switch(config-if)#interface vlan 30
Switch(config-if)#ip address 30.1.1.2 255.255.255.0
Switch(config-if)#no shutdown

Interface 상태를 확인합니다.

Switch#show ip int brie
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     unassigned      YES unset  up                    up
GigabitEthernet0/1     unassigned      YES unset  up                    up
GigabitEthernet0/2     unassigned      YES unset  up                    up
GigabitEthernet0/3     unassigned      YES unset  up                    up
GigabitEthernet1/0     unassigned      YES unset  up                    up
GigabitEthernet1/1     unassigned      YES unset  up                    up
GigabitEthernet1/2     unassigned      YES unset  up                    up
GigabitEthernet1/3     unassigned      YES unset  up                    up
Vlan10                 10.1.1.2        YES manual up                    up
Vlan20                 20.1.1.2        YES manual up                    up
Vlan30                 30.1.1.2        YES manual up                    up
Switch#

Cisco Switch에서 vSRX로 ping를 시도합니다.

vSRX는 보안 장비이기 때문에 기본적으로 icmp 패킷을 차단합니다.

Switch#ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Switch#

vSRX side

Juniper SRX은 Zone Base Firewall입니다. 인터페이스를 사용하기 위해서 Zone 생성하고 Interface를 Zone안에 할당해주어야 합니다.

irb.10 -> trust_vl10

irb.20 -> trust_vl20

irb.30 -> trust_vl30

set security zones security-zone trust_vl10 interfaces irb.10
set security zones security-zone trust_vl10 host-inbound-traffic system-services ping
set security zones security-zone trust_vl20 interfaces irb.20
set security zones security-zone trust_vl20 host-inbound-traffic system-services ping

set security zones security-zone trust_vl30 interfaces irb.30
set security zones security-zone trust_vl30 host-inbound-traffic system-services ping

저작자표시

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2024][Juniper SRX #8] Zone configuration (1)	2024.07.20
[2024][Juniper SRX #7] host-inbound-traffic (0)	2024.07.19
[2024][Juniper SRX #5] Interface 설정 - RVI - access mode (0)	2024.07.16
[2024][Juniper SRX #4] Interface 설정 - Layer3 Logical Interface (0)	2024.07.15
[2024][Juniper SRX #3] Interface 설정 - Layer3 Physical Interface (0)	2024.07.14

IT BLOG(KR)

전체 글

[2024][Juniper SRX #14] firewall policy 순서 변경

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2024][Juniper SRX #13] firewall policy

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2024][Juniper SRX #12] application and application-set

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2024][Juniper SRX #11] address book and address set

[2024][Juniper SRX #10] Administrator access restriction settings for MGMT

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2024][Juniper SRX #9] SSH, Telnet and web-management 설정하기

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2024][Juniper SRX #8] Zone configuration

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2024][Juniper SRX #7] host-inbound-traffic

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

[2024][EVE-NG #17] Upgrade EVE-NG version

'EVE-NG' 카테고리의 다른 글

[2024][Juniper SRX #6] Interface 설정 - RVI - Trunk mode

'JUNIPER > SRX 방화벽' 카테고리의 다른 글

+ Recent posts

티스토리툴바