Juniper SRX: Customize the “Default-Deny” policy to log dropped sessions.

In Junos, traffic that does not match an explicitly defined security policy is evaluated against the implicit default-deny policy, which drops it without writing a log entry.

Administrators who want to track (log) denied sessions usually create their own explicit deny policy with the desired logging options and place it as the last policy for each from-zone/to-zone pair.
On a device where many zones have been configured, doing this by hand for every zone pair is time-consuming and easy to get wrong: one forgotten zone pair is one zone pair whose drops are never logged.

Apply-groups can be used to our benefit here as well, this time to create an explicitly defined deny policy that is inherited at the tail end of the security policies of every zone pair the group is applied to.

Assume that the UNTRUSTED and TRUSTED zones are defined, together with a policy that allows SSH access to the address-book entry ‘SSH_SERVER’:

twister@gw-srx# show security policies
from-zone TRUSTED to-zone UNTRUSTED {
    policy ALLOW_OUTBOUND_ALL {
        match {
            source-address Users-subnet;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
from-zone UNTRUSTED to-zone TRUSTED {
    policy ALLOW_SSH {
        match {
            source-address any;
            destination-address SSH_SERVER;
            application junos-ssh;
        }
        then {
            permit;
        }
    }
}

If the administrator wants to log everything that would otherwise hit the implicit default-deny policy (evaluated after ‘ALLOW_SSH’, the only policy in this zone pair), an apply-group can supply a new policy that is inherited at the tail end of all previously defined policies, as follows:

groups {
    DEFAULT_DENY_AND_LOG {
        security {
            policies {
                from-zone <*> to-zone <*> {
                    policy DENY_AND_LOG {
                        match {
                            source-address any;
                            destination-address any;
                            application any;
                        }
                        then {
                            deny;
                            log {
                                session-init;
                            }
                        }
                    }
                }
            }
        }
    }
}

To apply the group to one selected zone pair only (attaching it at the [edit security policies] level instead would make every configured from-zone/to-zone pair inherit the policy, thanks to the <*> wildcards):

twister@gw-srx# set security policies from-zone UNTRUSTED to-zone TRUSTED apply-groups DEFAULT_DENY_AND_LOG

To examine the result, display the configuration with the inherited statements expanded, and confirm that DENY_AND_LOG is the last policy of the zone pair (any policy listed after an any/any deny would be unreachable):

twister@gw-srx# show security policies from-zone UNTRUSTED to-zone TRUSTED | display inheritance
policy ALLOW_SSH {
    match {
        source-address any;
        destination-address SSH_SERVER;
        application junos-ssh;
    }
    then {
        permit;
    }
}
##
## 'DENY_AND_LOG' was inherited from group 'DEFAULT_DENY_AND_LOG'
##
policy DENY_AND_LOG {
    ##
    ## 'match' was inherited from group 'DEFAULT_DENY_AND_LOG'
    ##
    match {
        ##
        ## 'any' was inherited from group 'DEFAULT_DENY_AND_LOG'
        ##
        source-address any;
        ##
        ## 'any' was inherited from group 'DEFAULT_DENY_AND_LOG'
        ##
        destination-address any;
        ##
        ## 'any' was inherited from group 'DEFAULT_DENY_AND_LOG'
        ##
        application any;
    }
    ##
    ## 'then' was inherited from group 'DEFAULT_DENY_AND_LOG'
    ##
    then {
        ##
        ## 'deny' was inherited from group 'DEFAULT_DENY_AND_LOG'
        ##
        deny;
        ##
        ## 'log' was inherited from group 'DEFAULT_DENY_AND_LOG'
        ##
        log {
            ##
            ## 'session-init' was inherited from group 'DEFAULT_DENY_AND_LOG'
            ##
            session-init;
        }
    }
}

If a version without the inheritance comments is preferred:

twister@gw-srx# show security policies from-zone UNTRUSTED to-zone TRUSTED | display inheritance | except ##
policy ALLOW_SSH {
    match {
        source-address any;
        destination-address SSH_SERVER;
        application junos-ssh;
    }
    then {
        permit;
    }
}
policy DENY_AND_LOG {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        deny;
        log {
            session-init;
        }
    }
}

At this point, if not already defined, it is time to configure a syslog file under [edit system syslog] to keep track of all denied sessions:

file session-deny-log {
    any any;
    match RT_FLOW_SESSION_DENY;
    structured-data;
}

Note: archive (rotation and size) and log-optimization settings are recommended for this file, and the “match” regular expression should be tightened; both are omitted from this example. This file-based approach also requires security logging to be in event mode (the branch SRX default): in stream mode (the high-end SRX default) session logs are sent straight from the data plane to an external collector and never reach a local syslog file.

With this configuration in place, “show log session-deny-log” (or “monitor start session-deny-log” for a live view) shows every RT_FLOW_SESSION_DENY entry produced by the inherited policy in the UNTRUSTED-to-TRUSTED direction; each entry carries DENY_AND_LOG as its policy name together with the source and destination zone names, so the zone pair that dropped the session is visible in the log itself.
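As an added example, not part of the original post, here is a small Python parser for the kind of lines that session-deny-log will contain once “structured-data” is set. The sample lines are constructed to imitate Junos RT_FLOW_SESSION_DENY output (the exact field set and the junos@2636... SD-ID version differ between releases); they also assume the apply-group was attached to the TRUSTED-to-UNTRUSTED zone pair as well, so that both directions log. The script groups denies by source address and by zone pair, counts lines it cannot use (other message IDs, traditional-format lines), and flags sources that probed several distinct destination ports.

```python
"""Parse RT_FLOW_SESSION_DENY structured-data syslog lines from a Junos SRX
and summarise what an inherited DENY_AND_LOG policy is dropping."""
import re
import sys
from collections import Counter, defaultdict
from pprint import pprint

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID
HEADER = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) ")
# One SD-ELEMENT: [SD-ID NAME="VALUE" ...]; a VALUE may contain \" \\ and \]
SD_ELEMENT = re.compile(r'\[([^\s\]]+)((?:\s+[\w-]+="(?:[^"\\]|\\.)*")*)\]')
SD_PARAM = re.compile(r'([\w-]+)="((?:[^"\\]|\\.)*)"')

# Constructed sample lines (not captured from a device). They imitate the
# structured-data format of a Junos syslog file; the field set and the
# junos@2636... SD-ID version vary by release. The TRUSTED->UNTRUSTED entry
# assumes the apply-group was attached to that zone pair too. The last line
# is traditional (non structured-data) format and is deliberately not parsed.
SAMPLE_LINES = [
    '<14>1 2024-03-01T10:15:01.000Z gw-srx RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.129 source-address="203.0.113.7" source-port="51234" destination-address="192.0.2.10" destination-port="23" service-name="junos-telnet" protocol-id="6" icmp-type="0" policy-name="DENY_AND_LOG" source-zone-name="UNTRUSTED" destination-zone-name="TRUSTED" packet-incoming-interface="ge-0/0/0.0" reason="policy deny"]',
    '<14>1 2024-03-01T10:15:02.000Z gw-srx RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.129 source-address="203.0.113.7" source-port="51235" destination-address="192.0.2.10" destination-port="3389" service-name="None" protocol-id="6" icmp-type="0" policy-name="DENY_AND_LOG" source-zone-name="UNTRUSTED" destination-zone-name="TRUSTED" packet-incoming-interface="ge-0/0/0.0" reason="policy deny"]',
    '<14>1 2024-03-01T10:15:02.000Z gw-srx RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.129 source-address="203.0.113.7" source-port="51236" destination-address="192.0.2.10" destination-port="445" service-name="junos-smb" protocol-id="6" icmp-type="0" policy-name="DENY_AND_LOG" source-zone-name="UNTRUSTED" destination-zone-name="TRUSTED" packet-incoming-interface="ge-0/0/0.0" reason="policy deny"]',
    '<14>1 2024-03-01T10:15:03.000Z gw-srx RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.129 source-address="203.0.113.7" source-port="51237" destination-address="192.0.2.10" destination-port="8080" service-name="None" protocol-id="6" icmp-type="0" policy-name="DENY_AND_LOG" source-zone-name="UNTRUSTED" destination-zone-name="TRUSTED" packet-incoming-interface="ge-0/0/0.0" reason="policy deny"]',
    '<14>1 2024-03-01T10:15:05.000Z gw-srx RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.129 source-address="198.51.100.4" source-port="40022" destination-address="192.0.2.11" destination-port="22" service-name="junos-ssh" protocol-id="6" icmp-type="0" policy-name="DENY_AND_LOG" source-zone-name="UNTRUSTED" destination-zone-name="TRUSTED" packet-incoming-interface="ge-0/0/0.0" reason="policy deny"]',
    '<14>1 2024-03-01T10:15:06.000Z gw-srx RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.129 source-address="198.51.100.4" source-port="40023" destination-address="192.0.2.10" destination-port="22" service-name="junos-ssh" protocol-id="6" policy-name="ALLOW_SSH" source-zone-name="UNTRUSTED" destination-zone-name="TRUSTED"]',
    '<14>1 2024-03-01T10:15:08.000Z gw-srx RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.129 source-address="10.10.50.9" source-port="33001" destination-address="198.51.100.200" destination-port="25" service-name="junos-smtp" protocol-id="6" icmp-type="0" policy-name="DENY_AND_LOG" source-zone-name="TRUSTED" destination-zone-name="UNTRUSTED" packet-incoming-interface="ge-0/0/1.0" reason="policy deny"]',
    'Mar  1 10:15:09 gw-srx RT_FLOW: RT_FLOW_SESSION_DENY: session denied 203.0.113.7/51238->192.0.2.10/23 0x0 junos-telnet 6(0) DENY_AND_LOG UNTRUSTED TRUSTED',
]


def unescape(value):
    """Undo the three escapes RFC 5424 allows inside a PARAM-VALUE."""
    return re.sub(r'\\([\\"\]])', r"\1", value)


def parse_deny(line):
    """Return the structured-data fields of an RT_FLOW_SESSION_DENY line,
    or None for anything else (other MSGIDs, traditional-format lines, junk)."""
    head = HEADER.match(line)
    if not head or head.group(6) != "RT_FLOW_SESSION_DENY":
        return None
    sd = SD_ELEMENT.search(line, head.end())
    if not sd:
        return None
    fields = {name: unescape(val) for name, val in SD_PARAM.findall(sd.group(2))}
    fields["timestamp"], fields["host"], fields["sd-id"] = head.group(2), head.group(3), sd.group(1)
    return fields


def summarize(lines, scan_threshold=3):
    """Aggregate denied sessions per source address and per zone pair, and
    flag sources that hit at least scan_threshold distinct destination ports
    (a crude port-scan heuristic; tune the threshold for your environment)."""
    per_source = defaultdict(lambda: {"denied": 0, "dst_ports": set()})
    per_zone_pair = Counter()
    ignored = 0
    for line in lines:
        ev = parse_deny(line.rstrip("\n"))
        if ev is None:
            ignored += 1
            continue
        src = per_source[ev.get("source-address", "?")]
        src["denied"] += 1
        src["dst_ports"].add(int(ev.get("destination-port", "0")))
        per_zone_pair[(ev.get("source-zone-name", "?"), ev.get("destination-zone-name", "?"))] += 1
    return {
        "by_source": {ip: {"denied": s["denied"], "dst_ports": sorted(s["dst_ports"])}
                      for ip, s in per_source.items()},
        "by_zone_pair": dict(per_zone_pair),
        "scanners": sorted(ip for ip, s in per_source.items()
                           if len(s["dst_ports"]) >= scan_threshold),
        "ignored": ignored,
    }


if __name__ == "__main__":
    # Pipe the output of "show log session-deny-log | no-more" into the script,
    # or run it without input to see the result on the constructed sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES
    pprint(summarize(source))
```

On the sample, 203.0.113.7 is reported as a scanner (four distinct ports on one host), both zone pairs show up in by_zone_pair, and the SESSION_CREATE line and the traditional-format line are counted as ignored rather than silently dropped, which is the check to run when the file unexpectedly stays empty after enabling structured-data.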