Configuring SRX Firewall
IPS can use an SRX device as a policy enforcement point, so that the SRX works as a Layer 3 Enforcer. When the SRX is configured to work as an enforcer with IPS, the following takes place:
- IPS provisions resource access policies.
- SRX gets the user's role membership information from authentication table entries that IPS sends when the user authenticates with IPS or when the user tries to access resources through the SRX.
- SRX does a policy lookup in the resource access policies sent by IPS and makes allow/deny decisions accordingly.
For the SRX to perform an IPS policy lookup, the uac-policy application service must be enabled in the SRX firewall rule, and the rule's action must be set to permit. The SRX security policies must be configured manually on the SRX.
Configuring SRX as an Enforcer
The SRX enforcer works with the IPS device for Layer 3 connectivity. You can connect with source IP or IPsec. For the initial setup, you must specify the IPS device name, IP address, port number over which the Junos Enforcer and IPS device will connect, the interface, the password (the same password as entered on the IPS device), and, optionally, the CA profile and server certificate subject. Use the Junos CLI to add this information.
You can configure the SRX device in "test only" mode. In test only mode, the SRX device does not enforce IPS policies and allows all traffic to pass. However, all policy decisions are logged. This allows you to set up the devices before actual deployment and determine how the IPS solution works using different configuration options. For example, the IPS device and endpoints can reside on different physical interfaces of the Junos Enforcer or on the same interface.
IPS device policies are role based. Each policy specifies a destination (the resources that are being protected), a set of roles, and an action (allow or deny). To determine the roles for users, an auth table maps source IP addresses to roles. When an endpoint accesses the IPS device, the IPS device populates the Junos Enforcer with an auth table entry mapping the endpoint's IP address to the endpoint's set of roles. When evaluating a flow, the source IP address of the initial packet is used to look up the roles. Then the first policy that matches both the destination (resource) and the roles is used to determine whether to permit or deny the flow.
To use IPsec with the SRX device, you must enable IKE services for the gateway. If you have multiple IPsec tunnels with multiple gateways, the hostname for each gateway must be unique.
SRX Series communication to IPS is not supported on an interface that is in a routing instance or VRF instance.
To configure the Junos Enforcer:
- Set up the trusted interface. The trusted interface connects to the protected resource. The untrusted interface connects to IPS.
- Ensure that the DHCP server is disabled or enabled as required for the deployment.
- Create an IPS configuration on the Junos security device, and provide the network information required for connecting using the CLI. This information includes the IPS host name, the IP address, and the interface to which the device will connect. The default port for communication with IPS is 11123; the port cannot be changed. You must also specify a password that matches the password configured on IPS. For complete CLI instructions and syntax, see the Junos Software CLI Reference.
  - Specify the IPS hostname:
    user@host# set services unified-access-control infranet-controller hostname
  - Specify the IPS IP address:
    user@host# set services unified-access-control infranet-controller hostname address ip-address
  - Specify the Junos interface to which IPS should connect:
    user@host# set services unified-access-control infranet-controller hostname interface interface-name
  - Specify the password that the SRX Series or J Series device should use to initiate secure communications with IPS:
    user@host# set services unified-access-control infranet-controller hostname password password
- Set the appropriate timeout and interval values, and specify a timeout action. The timeout that you set specifies the elapsed time beyond which the Junos Enforcer attempts to reconnect with IPS if no communication is received. The interval specifies how often IPS sends a heartbeat to the Junos Enforcer.
- (Optional) Verify that the certificate of the CA that signed the IPS server certificate is loaded on the Junos Enforcer and that the path to the certificate is specified.
  Although certificate verification is optional, the Junos Enforcer has three certificate-verification settings that produce different results:
  - If certificate-verification is set to required, the device must verify every IPS server certificate. If no IPS ca-profile is configured, the commit check fails.
  - If certificate-verification is set to warning (the default) and no IPS ca-profile is configured, the commit check displays a warning about the security risk, and a similar warning is written to the syslog.
  - If certificate-verification is set to optional, there is no warning.
- Verify routing from IPS to the untrusted interface.
- Ensure that both the Junos Enforcer and IPS are set to the correct time. If possible, use a Network Time Protocol (NTP) server to set the date and time on both appliances.
When you finish configuring the IPS instance, the Junos Enforcer can initiate the connection with IPS. If so configured, the Junos Enforcer validates the IPS server certificate. The device sends its serial number to authenticate with IPS.
For the Junos Enforcer to establish communication, you must configure the Junos Enforcer on IPS.
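The procedure above and the uac-policy firewall rule from the first section, assembled into one set-format Junos configuration as an added example (not from the original page or from Juniper's documentation). The controller name ic1, the address 192.0.2.10, the interface ge-0/0/1.0, the CA profile ips-ca, the certificate subject, the password, the zone names and the timeout values are assumed placeholders; the default certificate-verification setting (warning) is replaced with required so that a missing or unverifiable IPS certificate fails the commit rather than only logging.

```junos
# Added example; every value is a placeholder, not a value from the page.
# IPS instance: name, address, connecting (untrusted) interface and the shared password.
# The port is fixed at 11123 and is not configurable.
set services unified-access-control infranet-controller ic1 address 192.0.2.10
set services unified-access-control infranet-controller ic1 interface ge-0/0/1.0
set services unified-access-control infranet-controller ic1 password "PLACEHOLDER-SAME-AS-ON-IPS"
# CA profile holding the CA that signed the IPS server certificate, and the subject to expect.
set services unified-access-control infranet-controller ic1 ca-profile ips-ca
set services unified-access-control infranet-controller ic1 server-certificate-subject "CN=ips.example.net"
# required: commit check fails if no ca-profile is configured (warning is the default).
set services unified-access-control certificate-verification required
# Reconnect after 60 s without a heartbeat; IPS heartbeats every 10 s; close sessions on timeout.
set services unified-access-control timeout 60
set services unified-access-control interval 10
set services unified-access-control timeout-action close
# Staging only: log every policy decision but permit all traffic. Remove before production.
set services unified-access-control test-only-mode
# Firewall rule from endpoints (untrust) to protected resources (trust): action permit plus
# the uac-policy application service, so the SRX performs the IPS resource-policy lookup.
set security policies from-zone untrust to-zone trust policy to-protected match source-address any
set security policies from-zone untrust to-zone trust policy to-protected match destination-address any
set security policies from-zone untrust to-zone trust policy to-protected match application any
set security policies from-zone untrust to-zone trust policy to-protected then permit application-services uac-policy
```

After commit, the Junos Enforcer opens the connection to IPS and authenticates with its serial number, which must already be registered on the IPS side as described above.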