Configuring SRX Firewall

Ivanti Policy Secure can utilize a SRX device as a policy enforcement point to work as a Layer 3 Enforcer. When the SRX is configured to work as an enforcer with Ivanti Policy Secure, the following takes place:

  • Ivanti Policy Secure provisions resource access policies.

  • SRX gets the user's role membership information from authentication table entries that are sent by Ivanti Policy Secure when the user authenticates with the Ivanti Policy Secure or when the user tries to access resources through SRX.

  • SRX does a policy lookup in resource access policies, which is sent by Ivanti Policy Secure and accordingly takes allow/deny decisions.

For the SRX to perform a Ivanti Policy Secure policy lookup, the uac-policy application service needs to be turned on in the SRX firewall rule and the firewall rule's action should be set to permit. The SRX security policies have to be manually configured on SRX.

Configuring SRX as an Enforcer

The SRX enforcer works with the Ivanti Policy Secure device for Layer 3 connectivity. You can connect with source IP or IPsec. For the initial setup, you must specify the Ivanti Policy Secure device name, IP address, port number over which the Junos Enforcer and Ivanti Policy Secure device will connect, the interface, the password (the same password as entered on the Ivanti Policy Secure device), and, optionally, the CA profile and server certificate subject. Use the Junos CLI to add this information.

You can configure the SRX device in "test only" mode. In test only mode, the SRX device does not enforce Ivanti Policy Secure policies and allows all traffic to pass. However, all policy decisions are logged. This allows you to set up the devices before actual deployment and determine how the Ivanti Policy Secure solution works using different configuration options. For example, the Ivanti Policy Secure device and endpoints can reside on different physical interfaces of the Junos Enforcer or on the same interface.

Ivanti Policy Secure device policies are role based. Each policy specifies a destination (the resources that are being protected), a set of roles, and an action (allow or deny). To determine the roles for users, an auth table maps source IP addresses to roles. When an endpoint accesses the Ivanti Policy Secure device, the Ivanti Policy Secure device populates the Junos Enforcer with an auth table entry mapping the endpoint's IP address to the endpoint's set of roles. When evaluating a flow, the source IP address of the initial packet is used to look up the roles. Then the first policy that matches both the destination (resource) and the roles is used to determine whether to permit or deny the flow.

To use IPsec with the SRX device, you must enable IKE services for the gateway. If you have multiple IPsec tunnels with multiple gateways, the hostname for each gateway must be unique.

SRX Series communication to Ivanti Policy Secure is not supported on an interface that is in a routing instance or VRF instance.

To configure the Junos Enforcer:

  1. Set up the trusted interface. The trusted interface connects to the protected resource. The untrusted interface connects to Ivanti Policy Secure.

  2. Ensure that the DHCP server is disabled or enabled as required for the deployment.

  3. Create a Ivanti Policy Secure configuration on the Junos security device, and provide the network information required for connecting using the CLI. This information includes Ivanti Policy Secure host name, the IP address, and the interface to which the device will connect. The default port for communication with Ivanti Policy Secure is 11123, you cannot change the port. You must also specify a password, that matches the password configured on Ivanti Policy Secure.

  4. For complete CLI instructions and syntax, see the Junos Software CLI Reference.

    • Specify Ivanti Policy Secure hostname:
      user@host# set services unified-access-control infranet-controller hostname

    • Specify Ivanti Policy Secure IP address:
      user@host# set services unified-access-control infranet-controller hostname address ip-address

    • Specify the Junos interface to which Ivanti Policy Secure should connect:
      user@host# set services unified-access-control infranet-controller hostname interface interface-name

    • Specify the password that the SRX Series or J Series device should use to initiate secure communications with Ivanti Policy Secure:
      user@host# set services unified-access-control infranet-controller hostname password password

  5. Set the appropriate timeout and interval values, and specify a timeout action. The timeout that you set specifies the elapsed time beyond which the Junos Enforcer attempts to reconnect with Ivanti Policy Secure if no communication is received. The interval specifies how often Ivanti Policy Secure sends a heartbeat to the Junos Enforcer.

  6. (Optional) Verify that the certificate of the CA that signed Ivanti Policy Secure's server certificate is loaded in the Junos Enforcer and that the path to the certificate is specified.

    Although certificate verification is optional, there are three different certificate options on the Junos Enforcer that will produce different results.

    • If certificate-verification is set to required, it is required that the device verify any Ivanti Policy Secure server certificate. If any Ivanti Policy Secure ca-profile is not configured, the commit check fails.

    • If certificate-verification is set to warning (the default), and Ivanti Policy Secure ca-profile is not configured, the commit check displays a warning about the security risk with a similar warning in the syslog.

    • If certificate-verification is set to optional, there is no warning.

  7. Verify routing from Ivanti Policy Secure to the untrusted interface.

  8. Ensure that both the Junos Enforcer and Ivanti Policy Secure are set to the correct time. If possible, use a Network Time Protocol (NTP) Server to set the date and time of both appliances.

When you finish configuring Ivanti Policy Secure instance, the Junos Enforcer can initiate the connection with Ivanti Policy Secure. The Junos Enforcer optionally validates Ivanti Policy Secure server certificate if so configured. The device sends the serial number to authenticate with Ivanti Policy Secure.

For the Junos Enforcer to establish communication, you must configure the Junos Enforcer on Ivanti Policy Secure.