Configuring SRX Firewall

PPS can utilize a SRX device as a policy enforcement point to work as a Layer 3 Enforcer. When the SRX is configured to work as an enforcer with PPS, the following takes place:

PPS provisions resource access policies.

SRX gets the user's role membership information from authentication table entries that are sent by PPS when the user authenticates with the PPS or when the user tries to access resources through SRX.

SRX does a policy lookup in resource access policies, which is sent by PPS and accordingly takes allow/deny decisions.

For the SRX to perform a PPS policy lookup, the uac-policy application service needs to be turned on in the SRX firewall rule and the firewall rule's action should be set to permit. The SRX security policies have to be manually configured on SRX.

Configuring SRX as an Enforcer

The SRX enforcer works with the PPS device for Layer 3 connectivity. You can connect with source IP or IPsec. For the initial setup, you must specify the PPS device name, IP address, port number over which the Junos Enforcer and PPS device will connect, the interface, the password (the same password as entered on the PPS device), and, optionally, the CA profile and server certificate subject. Use the Junos CLI to add this information.

You can configure the SRX device in "test only" mode. In test only mode, the SRX device does not enforce PPS policies and allows all traffic to pass. However, all policy decisions are logged. This allows you to set up the devices before actual deployment and determine how the PPS solution works using different configuration options. For example, the PPS device and endpoints can reside on different physical interfaces of the Junos Enforcer or on the same interface.

PPS device policies are role based. Each policy specifies a destination (the resources that are being protected), a set of roles, and an action (allow or deny). To determine the roles for users, an auth table maps source IP addresses to roles. When an endpoint accesses the PPS device, the PPS device populates the Junos Enforcer with an auth table entry mapping the endpoint's IP address to the endpoint's set of roles. When evaluating a flow, the source IP address of the initial packet is used to look up the roles. Then the first policy that matches both the destination (resource) and the roles is used to determine whether to permit or deny the flow.

To use IPsec with the SRX device, you must enable IKE services for the gateway. If you have multiple IPsec tunnels with multiple gateways, the hostname for each gateway must be unique.

SRX Series communication to PPS is not supported on an interface that is in a routing instance or VRF instance.

To configure the Junos Enforcer:

1.Set up the trusted interface. The trusted interface connects to the protected resource. The untrusted interface connects to PPS.

2.Ensure that the DHCP server is disabled or enabled as required for the deployment.

3.Create a PPS configuration on the Junos security device, and provide the network information required for connecting using the CLI. This information includes PPS host name, the IP address, and the interface to which the device will connect. The default port for communication with PPS is 11123, you cannot change the port. You must also specify a password, that matches the password configured on PPS.

4.For complete CLI instructions and syntax, see the Junos Software CLI Reference.

Specify PPS hostname:
user@host# set services unified-access-control infranet-controller hostname

Specify PPS IP address:
user@host# set services unified-access-control infranet-controller hostname address ip-address

Specify the Junos interface to which PPS should connect:
user@host# set services unified-access-control infranet-controller hostname interface interface-name

Specify the password that the SRX Series or J Series device should use to initiate secure communications with PPS:
user@host# set services unified-access-control infranet-controller hostname password password

5.Set the appropriate timeout and interval values, and specify a timeout action. The timeout that you set specifies the elapsed time beyond which the Junos Enforcer attempts to reconnect with PPS if no communication is received. The interval specifies how often PPS sends a heartbeat to the Junos Enforcer.

6.(Optional) Verify that the certificate of the CA that signed PPS's server certificate is loaded in the Junos Enforcer and that the path to the certificate is specified.

Although certificate verification is optional, there are three different certificate options on the Junos Enforcer that will produce different results.

If certificate-verification is set to required, it is required that the device verify any PPS server certificate. If any PPS ca-profile is not configured, the commit check fails.

If certificate-verification is set to warning (the default), and PPS ca-profile is not configured, the commit check displays a warning about the security risk with a similar warning in the syslog.

If certificate-verification is set to optional, there is no warning.

7.Verify routing from PPS to the untrusted interface.

8.Ensure that both the Junos Enforcer and PPS are set to the correct time. If possible, use a Network Time Protocol (NTP) Server to set the date and time of both appliances.

When you finish configuring PPS instance, the Junos Enforcer can initiate the connection with PPS. The Junos Enforcer optionally validates PPS server certificate if so configured. The device sends the serial number to authenticate with PPS.

For the Junos Enforcer to establish communication, you must configure the Junos Enforcer on PPS.