Often there are instances where we want to affect all security policies configured on an SRX device.
For example, let's say that we have thousands of policies configured on our firewall, and we want to enable logging for every single policy.
Obviously this would take some time if we were to do this manually on each and every individual policy, so an easier way is desired.
In ScreenOS we have the concept of a Global zone, which acts as a container encompassing all zones, but to date Junos does not support similar functionality on the SRX.
Furthermore, the Global zone doesn't affect existing policies; rather, it is a way to apply a consistent policy to all inter-zone and intra-zone traffic that doesn't match any of the existing policies.
Despite all of this, there is in fact a method we can use to uniformly modify all of the existing security policies on our box, and it is actually much more powerful than what the Global zone accomplishes in ScreenOS.
Let's take a look. First, let's say we have some policies that we would like to enable logging on:
root@ce-1# show security policies
from-zone Trust to-zone Untrust {
    policy allow-outbound {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone Untrust to-zone Trust {
    policy allow-web {
        match {
            source-address any;
            destination-address web-server;
            application junos-http;
        }
        then {
            permit;
        }
    }
}
Here you can see we have a policy allowing all traffic outbound from Trust to Untrust, and another policy allowing inbound HTTP traffic from the Untrust zone towards the web server in the Trust zone. Now, let's enable logging for all of our policies by using an apply-group that matches every policy from any zone to any other zone. Note that the wildcards cover both inter-zone and intra-zone policies:
groups {
    global-logging {
        security {
            policies {
                from-zone <*> to-zone <*> {
                    policy <*> {
                        then {
                            log {
                                session-init;
                            }
                        }
                    }
                }
            }
        }
    }
}
Finally, let's apply the group at the [security policies] stanza of our configuration:
root@ce-1# set security policies apply-groups global-logging
Now that we've completed the configuration, let's examine the effect of the apply-group by looking at our security policies again, this time displaying the inherited configuration:
root@ce-1# show security policies | display inheritance
apply-groups global-logging
from-zone Trust to-zone Untrust {
    policy allow-outbound {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
            ##
            ## 'log' was inherited from group 'global-logging'
            ##
            log {
                ##
                ## 'session-init' was inherited from group 'global-logging'
                ##
                session-init;
            }
        }
    }
}
from-zone Untrust to-zone Trust {
    policy allow-web {
        match {
            source-address any;
            destination-address web-server;
            application junos-http;
        }
        then {
            permit;
            ##
            ## 'log' was inherited from group 'global-logging'
            ##
            log {
                ##
                ## 'session-init' was inherited from group 'global-logging'
                ##
                session-init;
            }
        }
    }
}
As you can see, with a couple of lines of configuration we can alter all of the existing policies on our device without having to edit each and every one by hand. This type of functionality is perfect when we want a single set of configuration elements to apply to all of our policies uniformly.
On the other hand, if there are certain policies that we don't want to inherit these settings, we can simply use the apply-groups-except statement on each of those policies.
In our next article we will examine how to change the default-deny behavior on the SRX to also include logging of denied packets.
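Once an apply-group is in place, the practical question for an auditor is whether every policy really ended up with session logging, and which ones were opted out with apply-groups-except. The following Python script is an added example, not part of the original post or of Junos itself: it parses the curly-brace text that `show security policies | display inheritance` produces, walks each from-zone/to-zone/policy block, and reports policies whose `then` stanza has no `log` options. The sample output embedded below is constructed for the example (it adds a hypothetical `allow-dns` policy that has been excluded from the group), and the parser assumes one statement per line, as the CLI prints it.

```python
"""Audit 'show security policies | display inheritance' output for logging.

Added example: a small parser for Junos curly-brace config text plus an
audit that lists policies lacking 'log { session-init; }' (or session-close).
"""
import re
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed sample output. 'allow-outbound' and 'allow-web' inherit logging;
# 'allow-dns' is a hypothetical policy excluded with apply-groups-except, so
# it has no log stanza and should be flagged by the audit.
SAMPLE = """\
apply-groups global-logging
from-zone Trust to-zone Untrust {
    policy allow-outbound {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
            ##
            ## 'log' was inherited from group 'global-logging'
            ##
            log {
                session-init;
            }
        }
    }
    policy allow-dns {
        apply-groups-except global-logging;
        match {
            source-address any;
            destination-address dns-server;
            application junos-dns-udp;
        }
        then {
            permit;
        }
    }
}
from-zone Untrust to-zone Trust {
    policy allow-web {
        match {
            source-address any;
            destination-address web-server;
            application junos-http;
        }
        then {
            permit;
            log {
                session-init;
                session-close;
            }
        }
    }
}
"""

Node = Dict[str, Optional["Node"]]  # a block maps statement -> child block or None


def parse_junos(text: str) -> Node:
    """Parse Junos curly-brace config into nested dicts.

    Lines ending in '{' open a block, '}' closes it, anything else is a leaf
    statement stored with its trailing ';' removed. The '##' annotation lines
    that 'display inheritance' adds are skipped.
    """
    root: Node = {}
    stack: List[Node] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            child: Node = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":
            stack.pop()
        else:
            stack[-1][line.rstrip(";")] = None
    if len(stack) != 1:
        raise ValueError("unbalanced braces in input")
    return root


ZONE_RE = re.compile(r"^from-zone (\S+) to-zone (\S+)$")


def audit_policy_logging(text: str) -> List[Tuple[str, str, str, FrozenSet[str]]]:
    """Return (from_zone, to_zone, policy_name, log_options) for every policy.

    log_options is the set of statements under 'then { log { ... } }';
    an empty set means the policy logs nothing.
    """
    results = []
    for key, block in parse_junos(text).items():
        m = ZONE_RE.match(key)
        if not m or block is None:
            continue
        for pkey, pblock in block.items():
            if not pkey.startswith("policy ") or pblock is None:
                continue
            then = pblock.get("then") or {}
            log = then.get("log") or {}
            results.append((m.group(1), m.group(2), pkey.split(" ", 1)[1], frozenset(log)))
    return results


def policies_without_logging(text: str) -> List[Tuple[str, str, str]]:
    """Policies the audit should flag: no log options at all."""
    return [(f, t, p) for f, t, p, opts in audit_policy_logging(text) if not opts]


if __name__ == "__main__":
    for f, t, p, opts in audit_policy_logging(SAMPLE):
        status = ", ".join(sorted(opts)) if opts else "NO LOGGING"
        print(f"{f} -> {t}  {p:<16} {status}")
```

Feed it the real CLI output instead of `SAMPLE` (for example, saved with `| save` or collected over NETCONF) and any policy printed with `NO LOGGING` is either an apply-groups-except exception or a policy the group did not reach; both are worth a second look before relying on the logs.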
Cross-posted from Shortest Path First - Follow me on Twitter!