From Huh to Learning: October 2024

29 October 2024

SRX Fun with Tap Mode and Logging

To do a tap mode on the SRX is more than just what is in the user guide for security policies. I had to use this site to find out more.

First, set up your interface for promiscuity.

set interfaces ge-0/0/10 promiscuous-mode

Next setup the tap mode under security forwarding-options

set security forwarding-options mode tap interface ge-0/0/0

You can then setup a routing instance if you need but I didn't worry about that. I set up my flow and log settings

set security flow tcp-session no-syn-check
set security flow tcp-session no-sequence-check
set security log mode stream
set security log report

After that was setting up the zone configuration

set security zones security-zone tap-zone interfaces ge-0/0/10.0
set security zones security-zone tap-zone application-tracking

Finally I setup the policy for testing.

set security policies from-zone tap-zone to-zone tap-zone policy tap-policy match source-address any
set security policies from-zone tap-zone to-zone tap-zone policy tap-policy match destination -address any
set security policies from-zone tap-zone to-zone tap-zone policy tap-policy match application any
set security policies from-zone tap-zone to-zone tap-zone policy tap-policy then permit
set security policies from-zone tap-zone to-zone tap-zone policy tap-policy then log session-init
set security policies from-zone tap-zone to-zone tap-zone policy tap-policy then log session-close

The switch was easier to setup for SPAN.

set forwarding-options analyzer SRX_SPAN input ingress interface xe-0/0/10.0
set forwarding-options analyzer SRX_SPAN input ingress interface xe-0/0/6.0
set forwarding-options analyzer SRX_SPAN input egress interface xe-0/0/6.0
set forwarding-options analyzer SRX_SPAN output interface xe-0/0/5.0

To verify TAP mode, use run show security flow status.

root@SRX03> show security flow status
Flow forwarding mode:
Inet forwarding mode: flow based
Inet6 forwarding mode: flow based
MPLS forwarding mode: drop
ISO forwarding mode: drop
Tap mode: enabled
Enhanced services mode: Disabled
Flow trace status
Flow tracing status: off
Flow session distribution
Distribution mode: Hash-based
GTP-U distribution: Disabled
SCTP distribution: Enabled
Flow ipsec performance acceleration: off
Flow gre performance acceleration: off
Flow packet ordering
Ordering mode: Hardware
Flow power mode: Enabled
Flow power mode IPsec: Enabled
Flow power mode IPsec QAT: Disabled
Fat core group status: off
Flow inline fpga crypto: Disabled
root@SRX03>

And to verify the flow is being seen with policies

root@SRX03> show security flow session
Session ID: 1389, Policy name: tap-policy/5, Timeout: 60, Session State: Valid
In: 172.18.33.33/514 --> 10.1.1.100/514;udp, Conn Tag: 0x0, If: ge-0/0/10.0, Pkts: 3, Bytes: 3422,
Out: 10.1.1.100/514 --> 172.18.33.33/514;udp, Conn Tag: 0x0, If: ge-0/0/10.0, Pkts: 0, Bytes: 0,

Session ID: 1390, Policy name: tap-policy/5, Timeout: 4, Session State: Valid
In: 192.168.1.100/24 --> 10.1.1.10/12044;icmp, Conn Tag: 0x0, If: ge-0/0/10.0, Pkts: 1, Bytes: 84,
Out: 10.1.1.10/12044 --> 192.168.1.100/24;icmp, Conn Tag: 0x0, If: ge-0/0/10.0, Pkts: 0, Bytes: 0,

Now logging was not right either in the user guide. It missed the part of seeting the mode. After playing this was my final security log config.

set security log mode stream
set security log format sd-syslog
set security log report
set security log source-address 172.18.33.33
set security log stream trafficlogs severity debug
set security log stream trafficlogs host 10.1.1.100

28 October 2024

Security Policies

So I learned something interesting. Sounds fundamental but just never really thought about it.

I was trying to ping from an SRX loopback to another. I had ping allowed on the zone host-inbound-traffic but it would not ping. Interfaces were in the correct zone. I could see the traffic going to the firewall on a packet capture but could not ping.

Finally after playing and playing I found out that what I had to do was allow the traffic to go from zone UNTRUST to zone UNTRUST. I had it already in UNTRUST to junos-host so that was not an issue. I was under the impression that since my external interface and my loopback were in UNTRUST and I was allowing it from UNTRUST to junos-host, it would be good. Boy was I wrong.

Which after I got it working it made since. I was going from UNTRUST to UNTRUST to junos-host. Explained why my VPN was not working as well.

Anyways, live and learn. Time for more labbing.

22 October 2024

SRX Flow Logging

So I am loving me some Juniper over Cisco for sure. But there are a lot of things to get used to anymore as well. One is logging. How does it work? What happened to seeing stuff fly across the screen and lock my console up? Ah the fun old days.

So trying to troubleshoot some BGP on the SRX I had to play with logging. I tried and tried to make it work and well kept falling flat. That is because I was in the wrong dang area. I was trying to look at flows coming across the device and tried doing traceoptions in security and in policies. Both did not work. To make this work I found an article on what i was missing.

Basically I had to enable logging under security flow. Some people are probably reading that and going duh but these are my notes so whatever.

Anyways I didn't do a packet filter because I am on a small home grown network but I did play around and found what I wanted and more.

Below is my setup for a quick logging setup to see what is passing through the firewall

jmctsm@srx05# show security flow

traceoptions {

file flow_log size 1m files 100;

flag basic-datapath;

}

That way all I had to do was run a show log flow_log to see what was passing. That showed me what I wanted to see and more. That BGP to my device didn't work as I wanted it not to but BGP from the device to an outside device did work.

And on to other things.

Firewall Filters vs Host Inbound Services vs Junos-Host Zone

So many ways to block traffic with Juniper SRX. So you can either do a firewall filter (think ACL), allow or deny a service on host-inbound, and also control it via the junos-host zone. Time to see how they all play together.

Based on this topology I have the CORE and the SRX05 doing BGP with each other. I have both ge-0/0/0 and ge-0/0/1 in security zone UNTRUST. Actually before I mention that, let's not forget that if an interface is not in a security zone, it is in the NULL zone and that means it accepts nothing. It does nothing. It just sits there and tells things to go away.

I started out with allowing only specific traffic in on my zone and then said I am testing to screw it.

jmctsm@srx05# show security zones security-zone UNTRUST
host-inbound-traffic {
system-services {
ping;
all;
}
protocols {
bgp;
all;
}
}
interfaces {
ge-0/0/0.0;
ge-0/0/1.0;
}

That allowed BGP to come up on both sides (skipping BGP configuration). So that worked. But what happens if I put a filter in place. Hmmmm

jmctsm@srx05# show firewall

filter INCOMING_UNTRUST {

term DENY_BGP {

from {

protocol tcp;

port bgp;

}

then {

reject;

}

term ALLOW_ALL {

then accept;

}

jmctsm@srx05# show interfaces ge-0/0/0

unit 0 {

family inet {

filter {

input INCOMING_UNTRUST;

}

address 172.16.5.5/24;

}

[edit]

jmctsm@srx05# run show bgp summary

Threading mode: BGP I/O

Default eBGP mode: advertise - accept, receive - accept

Groups: 1 Peers: 2 Down peers: 1

Table Tot Paths Act Paths Suppressed History Damp State Pending

inet.0

0 0 0 0 0 0

Peer AS InPkt OutPkt OutQ Flaps Last Up/Dwn State|#Active/Received/Accepted/Damped...

172.16.5.1 65000 0 0 0 3 26:56 Connect

172.16.55.1 65000 62 61 0 2 26:53 Establ

inet.0: 0/0/0/0

So a firewall filter blocked my BGP. So that tells me it is

firewall filter -> host-inbound

So now let's play with the junos-host zone. I created a policy of

from-zone UNTRUST to-zone junos-host {

policy DENY_BGP {

match {

source-address any;

destination-address any;

application junos-bgp;

}

then {

deny;

}

policy ALLOW_ALL {

match {

source-address any;

destination-address any;

application any;

}

then {

permit;

}

default-policy {

deny-all;

}

That did nothing. BGP still formed for my 55.1 neighbor. So what happens if I remove the host-inbound services? Nothing changed yet again. The BGP session still came back up. So starting over from scratch I then removed the interface from the UNTRUST zone and now BGP drops. Time to figure this out more.

So even with no host-inbound and no junos-host security policy, BGP still forms to the neighbor on the UNTRUST interface. Just freaking weird.

And I think that I found my issue. BGP is allowed to connect no matter if I have host-inbound-traffic on or not or allowed in a policy for junos-host.

So let's try something easier. Ping. Without a host-inbound policy I cannot ping. Easy enough. But let's allow that there and deny it on the junos-host policy and see what happens.

[edit security policies from-zone UNTRUST to-zone junos-host]

jmctsm@srx05# show

policy DENY_BGP {

match {

source-address BGP_PEER_05;

destination-address any;

application junos-bgp;

}

then {

deny;

}

policy DENY_PING_FROM_5_1 {

match {

source-address BGP_PEER_05;

destination-address any;

application junos-ping;

}

then {

deny;

}

policy ALLOW_ALL {

match {

source-address any;

destination-address any;

application any;

}

then {

permit;

}

That blocks traffic from 172.16.5.1 as expected. So again this is good to find out that apparently some traffic is allowed through always and some can be denied. Interesting.

Also even if the policy is there for zone junos-host but no host-inbound-traffic, the traffic can be denied.

So what we have is a firewall filter will block before any policies then if no junos-host zone is used and only host-inbound-traffic, all things allowed by host-inbound-traffic can come into the firewall. To be specific you can use either a firewall filter (which has to be applied at all possible interfaces) or use the junos-host zone.

Fun time with SRX.

UPDATE:

I figured out finally why BGP would still come up from a neighbor even if BGP is not allowed via junos-host zone or host-inbound-traffic. BGP is a TCP server client protocol that either side can initiate from. Looking at the logs, when the CORE device tries to initiate to the SRX, the SRX denies the traffic. BUT if the SRX initiates the traffic to the CORE it works. The policy is not blocking that by any outside method and since the SRX is stateful it allows all communications back in from the "server".

To SRX from CORE = BAD

From SRX to CORE = Established

14 October 2024

My Path to JNCIE-SEC

On Friday (11 Oct 2024), I passed my JCNIP-SEC. That was 13 Juniper certifications in less than 12 months. I have done in no particular order.

JNCIA-JUNOS/DEVOPS/DC/SEC/MISTAI

JNCIS-ENT/SP/DC/SEC/DEVOPS

JNCIP-ENT/DC/SEC

I started down the path of Juniper certifications because I wanted to do something new. I wanted to try and learn something else beside Cisco. I didn't know where to start so I started with JNCIA-JUNOS. I used the Open Learning and Eve-NG to watch the videos and then get hands-on with what I was seeing. I fell in love with the command line syntax of Juniper and their way of displaying the configurations. That lead to following the path of more free learning to see what parts I like of Juniper.

After I started to get some Juniper under my belt my company reached out to see about doing certain tests for partner requirements, so I did things like DC and Devops (wasn't going to do them but they paid so away I go to learn). I also did JNCIS-SEC for that reason. That brought back my love of security. So I figured then that is where I want to go for my JNCIE. But first I had some other personal goals like the 5A-3S-1P and 5S Credly badges because I wanted them.

Security for me has always been fun because there is always someone out there smarter than you so it keeps you having to learn. It means you have to keep pushing to know what is happening. Learn the new bad techniques and the new good techniques. So I said heck with it and did the JNCIP-SEC, got my 3P along the way as well, and said time for the JNCIE-SEC.

Having a CCIE I know that there is more than hands on for an Expert level test. There is understanding other ways of doing things, what happens if I do something over here, and the understanding of what in the crap is going on behind the scenes. Those pieces are what made me miss my first attempts at my CCIE and once I had them down I was more prepared and could pass. So for this Expert level test I have a reading list already planned that will grow and grow I am sure. I am starting with

Juniper SRX Series: A Comprehensive Guide to Security Services on the SRX Series

Juniper Day One: SRX Series Up and Running with Advanced Security Services

SRX Getting Started - Configuration Examples & Troubleshooting (JumpStation)

The Unofficial JNCIE-ENT Prep Guide

The last one I know is for JNCIE-ENT but Jeff has some really good info in it for configurations so I am going to read through it. Combine these four things with all the docs that I can get my hands on from Juniper and any blog posts as well, I am hoping to go into this with as much as I can from more than just configuration but theory. We will see what happens.

For the hands on I have an Eve-NG lab that I use as well as the Study Bundle from Juniper. I also signed up for some classes from them for ATP and just other pieces again to make sure that I cover all that I can. I am expecting this test to be rough. My goal is 6 to 8 months that I sit for it but we will see.

I am using this blog as nothing more than a note place for me. It may or may not have pretty pictures. It will be more on my thoughts of what I learned that day more than likely so probably incoherent. But we will see what comes from it.