JUNOS AppSecure now on Branch SRXs

So application identification / firewall / secure has made it way to the branch. This is awesome news. So I have managed to obtain a 30 day trial to see how it performs on my home SRX100. With ym simple rule base I have seen 1ms increase in my latency!!

After adding the license you can now perform the following:

Install Application identification

request services application-identification download

Check the status:

  • request services application-identification download status
    Application package 1980 is installed successfully.

Create a Application Ruleset

All that is ahppening here is youtube is BLOCKED, everything else is allowed.

[plain]
set security application-firewall rule-sets block-webtraffic rule youtube match dynamic-application junos:YOUTUBE
set security application-firewall rule-sets block-webtraffic rule youtube then deny
set security application-firewall rule-sets block-webtraffic default-rule permit
[/plain]

Add to a security policy:

There is now the 'application-firewall' settings to apply to policies ...

cooper@noona-gw# set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit application-services ?
Possible completions:
> application-firewall  Application firewall services
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
gprs-gtp-profile     Specify GPRS Tunneling Protocol profile name
gprs-sctp-profile    Specify GPRS stream control protocol profile name
idp                  Intrusion detection and prevention
redirect-wx          Set WX redirection
reverse-redirect-wx  Set WX reverse redirection
> uac-policy           Enable unified access control enforcement of policy
utm-policy           Specify utm policy name

Example Policy:

[plain]
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit application-services application-firewall rule-set block-webtraffic
set security policies from-zone trust to-zone untrust policy trust-to-untrust then log session-init
set security policies from-zone trust to-zone untrust policy trust-to-untrust then log session-close
[/plain]

TODO: Play with 'application-tracking'. Will update blog post once I have.

So it's that simple ... Application firewalling is now accross the whole SRX range ... win.

Related Posts

Stop IPv4 Point-To-Point Addressing your Networks

IPv4 addressing on links is no longer required to route IPv4. What you say?? Yes, you can stop IPv4 addressing your point to point links with Legacy…

NAT64: Using `jool` on Ubuntu 20.04

I found that jool has very good tutorials, but all the commands to get going are hidden in these large tutorials. Here are the steps I took…

Raspberry Pi Powered Fireplace

Mr Aijay Adams and I am back making my Fireplace Internet / Smart device controllable. Now, via a very sexy Web UI, when I’m heading back to…

nftables

Are you using the latest Linux kernel firewall?. Here are some notes I’ve saved that I use and forget all the time. I plan to add to…

RPM vs OPKG Cheat Sheet

Recently in the Terragraph project I work on we changed from RPM to OPKG to removes some dependencies (e.g. perl) and make our overall image size smaller….

Ansible + Handy PyPI CLI Tools

I often use a lot of PyPI CLI tools. Here is an example of how to get them easily installed and kept up to date via Ansible…

This Post Has 2 Comments

  1. AWSOME !!!

    But im trying to install the appsec database and it is not working for me.

    Any ideias ?

    Do you need to configure something in EDIT SERVICES ? Do you need to add some specific URL ?

    Thanks a lot

  2. hi cooper
    In SRX Service gateway series ex:1400, i can’t see application-firewall command or dynamic application Tab in policy configuration in J-web.
    i have license for appsecure
    should i update my junos to version 11? currently im using 10.4

Leave a Reply

Your email address will not be published.