Logging Policy and TCPDUMP (SRX)

How can we know if our policies are being hit or if traffic is getting to the firewall?

* SETUP

The policy in question for all the work below is just the default trust-to-untrust policy on the SRX. The source IP on trust is 192.168.56.50 and the destination IP on untrust is 172.20.123.2.

blogger@LEFTY> show configuration security policies from-zone trust to-zone untrust
policy trust-to-untrust {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}

* LOGGING

First, let's look at logging by adding it to the policy. If you're going to log, you must choose session-init, session-close, or both. From my perspective session-init is far more useful: with very long-lasting sessions you may otherwise never learn that you got a policy hit. Sure, you might want to know when a session ends, but at the very least you want to know when and if your policy even got hit, so make sure you use at least session-init.
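To make the session-init point concrete, here is an added example (not from the post) that parses SRX session log lines and tallies policy hits. The sample lines are constructed and follow the standard RT_FLOW plain-text layout as I understand it (src/port->dst/port service nat-src->nat-dst src-nat-rule dst-nat-rule proto policy src-zone dst-zone session-id ...), which is an assumption to check against your own syslog; hostname LEFTY is reused from the post.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not captured from a real SRX); assumed RT_FLOW text layout.
SAMPLE_LOG = """\
Jun  1 10:00:01 LEFTY RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.56.50/40122->172.20.123.2/22 junos-ssh 192.168.56.50/40122->172.20.123.2/22 None None 6 trust-to-untrust trust untrust 1001 N/A(N/A) ge-0/0/0.0
Jun  1 10:00:05 LEFTY RT_FLOW: RT_FLOW_SESSION_CREATE: session created 192.168.56.50/40123->172.20.123.2/80 junos-http 192.168.56.50/40123->172.20.123.2/80 None None 6 trust-to-untrust trust untrust 1002 N/A(N/A) ge-0/0/0.0
Jun  1 10:00:09 LEFTY RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 192.168.56.50/40123->172.20.123.2/80 junos-http 192.168.56.50/40123->172.20.123.2/80 None None 6 trust-to-untrust trust untrust 1002 12(1400) 10(5200) 4 N/A(N/A) ge-0/0/0.0
Jun  1 10:00:12 LEFTY sshd[1234]: Accepted password for blogger from 10.0.0.5 port 5555 ssh2
"""

# Common tail of both message types: 5-tuple, service, NAT info, protocol, policy, zones, session id.
_TAIL = (r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+) "
         r"(?P<service>\S+) \S+ \S+ \S+ (?P<proto>\d+) "
         r"(?P<policy>\S+) (?P<from_zone>\S+) (?P<to_zone>\S+) (?P<sid>\d+)")
CREATE_RE = re.compile(r"RT_FLOW_SESSION_CREATE: session created " + _TAIL)
CLOSE_RE = re.compile(r"RT_FLOW_SESSION_CLOSE: session closed (?P<reason>.+?): " + _TAIL)


def policy_hits(log_text):
    """Return (hits_per_policy, open_sessions).

    Hits are counted at session-init, so a policy hit is visible as soon as the
    session is created. open_sessions lists sessions that were created but never
    closed: with session-close-only logging these hits would never appear.
    """
    hits = Counter()
    created, closed = {}, set()
    for line in log_text.splitlines():
        m = CREATE_RE.search(line)
        if m:
            hits[m["policy"]] += 1
            created[m["sid"]] = f'{m["src"]}:{m["sport"]}->{m["dst"]}:{m["dport"]} {m["service"]}'
            continue
        m = CLOSE_RE.search(line)
        if m:
            closed.add(m["sid"])
    open_sessions = {sid: desc for sid, desc in created.items() if sid not in closed}
    return dict(hits), open_sessions


if __name__ == "__main__":
    hits, still_open = policy_hits(SAMPLE_LOG)
    for name, n in hits.items():
        print(f"policy {name}: {n} hit(s)")
    for sid, desc in still_open.items():
        print(f"session {sid} still open ({desc}) - only session-init logging shows this hit")
```

Feed it real lines with something like `policy_hits(open("/var/log/messages").read())`; the unrelated sshd line shows that non-RT_FLOW noise is ignored.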

DHCP server (SRX)

Just a quick one today about setting up an SRX as a DHCP server.
First you need to define the DHCP parameters:

dhcp {
    router {
        192.168.1.1;
    }
    pool 192.168.1.0/24 {
        address-range low 192.168.1.2 high 192.168.1.254;
        default-lease-time 3600;
        domain-name blogger.net.au;
        name-server {
            192.168.1.1;
        }
    }
}

Login timeout (SRX and Olive) - updated

Juniper states that by default there is no idle-timeout. That applies to my olive and my SRXs.
Indeed, when I check the CLI parameters on the olive after login I see:

user@olive-core> show cli
CLI complete-on-space set to on
CLI idle-timeout disabled
CLI restart-on-upgrade set to on
CLI screen-length set to 51
CLI screen-width set to 136
CLI terminal is 'vt100'
CLI is operating in enhanced mode
CLI timestamp disabled
CLI working directory is '/var/home/user'

And indeed I can confirm that my ssh session to olive-core never times out.

That's fine for the lab, but in a real-world corporate environment it is not so good. So what do we do to fix that? Define a login class.