RANCID with Junos Read-Only User

Here is the setting for a Junos device to create a user with read only privileges to allow RANCID to work.

[plain]
set system login class RANCID permissions access
set system login class RANCID permissions admin
set system login class RANCID permissions firewall
set system login class RANCID permissions flow-tap
set system login class RANCID permissions interface
set system login class RANCID permissions network
set system login class RANCID permissions routing
set system login class RANCID permissions secret
set system login class RANCID permissions security
set system login class RANCID permissions snmp
set system login class RANCID permissions storage
set system login class RANCID permissions system
set system login class RANCID permissions trace
set system login class RANCID permissions view
set system login class RANCID permissions view-configuration

set system login user rancid full-name RANCID
set system login user rancid class RANCID
set system login user rancid authentication encrypted-password “xxx”
[/plain]

Backup your Junos configs TODAY !

Cooper’s tip of the moment, ALWAYS backup your Junos configurations. Hate when a customer does not, your router does not have raid (unless it has redundant REs, VC or is in a Chassis Cluster :)). It’s a built in feature of Junos so use it! It even allows multiple sites, so if you have DR site with storage – Push it there too!

Here is the conf:

[plain]
set system archival configuration transfer-on-commit
set system archival configuration archive-sites "scp://junos@x.x.x.x/data/configs/DEVICE" password "bla"
set system archival configuration archive-sites "scp://junos@y.y.y.y/data/configs/DEVICE" password "bla"
[/plain]

More info: http://www.juniper.net/techpubs/en_US/junos9.5/information-products/topic-collections/swconfig-system-basics/junos-software-system-management-router-configuration-archiving.html

JUNOS AppSecure now on Branch SRXs

So application identification / firewall / secure has made it way to the branch. This is awesome news. So I have managed to obtain a 30 day trial to see how it performs on my home SRX100. With ym simple rule base I have seen 1ms increase in my latency!!

After adding the license you can now perform the following:

Install Application identification

request services application-identification download

Check the status:

  • request services application-identification download status
    Application package 1980 is installed successfully.

Create a Application Ruleset

All that is ahppening here is youtube is BLOCKED, everything else is allowed.

[plain]
set security application-firewall rule-sets block-webtraffic rule youtube match dynamic-application junos:YOUTUBE
set security application-firewall rule-sets block-webtraffic rule youtube then deny
set security application-firewall rule-sets block-webtraffic default-rule permit
[/plain]

Add to a security policy:

There is now the ‘application-firewall’ settings to apply to policies …

cooper@noona-gw# set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit application-services ?
Possible completions:
> application-firewall  Application firewall services
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don’t inherit configuration data from these groups
gprs-gtp-profile     Specify GPRS Tunneling Protocol profile name
gprs-sctp-profile    Specify GPRS stream control protocol profile name
idp                  Intrusion detection and prevention
redirect-wx          Set WX redirection
reverse-redirect-wx  Set WX reverse redirection
> uac-policy           Enable unified access control enforcement of policy
utm-policy           Specify utm policy name

Example Policy:

[plain]
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit application-services application-firewall rule-set block-webtraffic
set security policies from-zone trust to-zone untrust policy trust-to-untrust then log session-init
set security policies from-zone trust to-zone untrust policy trust-to-untrust then log session-close
[/plain]

TODO: Play with ‘application-tracking’. Will update blog post once I have.

So it’s that simple … Application firewalling is now accross the whole SRX range … win.