
Policy Options

Copyright 2005 Juniper Networks, Inc.

Proprietary and Confidential

www.juniper.net

Policy Options: Main Screen (WebUI)

[Screenshot of the WebUI policy main screen; callouts label the columns for attack prevention and content filtering, VPNs, and options.]

2008 Juniper Networks, Inc. All rights reserved.

Advanced Policy Options: WebUI (1 of 2)

Policy > Policies > Edit Rule > Advanced

Advanced Policy Options: WebUI (2 of 2)

Policy > Policies > Edit Rule > Advanced

Traffic Logs

WebUI: Reports > Policies > Traffic Log

Logs the session start time, duration, addressing (including translation), and service.

Configuring Traffic Logs (1 of 2)

CLI:
set policy (from zone to zone sa da service action) logging [session-init]
- OR -
set log
FW-> set policy id 1
FW(policy:1)-> set logging [session-init]
FW(policy:1)-> exit
FW-> save

WebUI: Policy > Policies > Edit Rule

Security Manager: Security Policies > policy, then Rule Options > Log/Count

Configuring Traffic Logs (2 of 2)

WebUI: Policy > Policies > Edit Rule

Verifying and Accessing Logging

WebUI: Policy > Policies

WebUI: Reports > Policies

CLI: get log traffic

Traffic Counters

Graphical view of traffic matching a policy

WebUI: Reports > Policies > Traffic Counting Graph

Configuring Traffic Counters (1 of 2)

CLI:
set policy (from zone to zone sa da service action) count
- OR -
set count
set count alarm bytes/sec kbytes/min
FW-> set policy id 1
FW(policy:1)-> set count
FW(policy:1)-> exit
FW-> save

WebUI: Policy > Policies > Edit Rule > Advanced

Security Manager: Security Policies > policy, then right-click Rule Options > Log/Count

Configuring Traffic Counters (2 of 2)

WebUI: Policy > Policies > Edit Rule > Advanced


Verifying and Accessing Traffic Counters

WebUI: Policy > Policies

WebUI: Reports > Policies

CLI: get counter policy id time parameters

Policy Scheduling

Allows you to enable or disable a policy based on time.
Two options:
- Recurring times: two windows per day, on a weekly schedule
- Once only

Recommended: configure NTP for clock accuracy.

Configuring Policy Scheduling

Follow these steps to configure policy scheduling:
1. Create the schedule
2. Apply the schedule to the policy

Creating a Schedule: CLI

set scheduler name recurrent day start time stop time [start time stop time]
FW-> set scheduler NoICQ recurrent mon start 7:00 stop 12:00 start 13:00 stop 18:00
FW-> set scheduler NoICQ recurrent tues start 7:00 stop 12:00 start 13:00 stop 18:00
(etc.)

set scheduler name once start mm/dd/yyyy stop mm/dd/yyyy
FW-> set scheduler Y2K once start 01/01/2000 stop 01/02/2000

Creating a Schedule: WebUI

Policy > Policy Elements > Schedules > New

Applying a Schedule to a Policy

CLI:
set policy (from zone to zone sa da service action) schedule name

WebUI: Policy > Policies > Edit Rule > Advanced

Verifying Scheduling

A gray background on the policy indicates that a schedule is applied.
You must view the schedule itself to see when the policy is active or inactive.
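The slides give the two schedule forms (recurrent with up to two windows per day, and once-only) but leave it to the reader to work out when a scheduled policy is actually active. The evaluator below is an added example, not Juniper code: it parses those `set scheduler` lines and answers "is the policy active at this time?" offline. It assumes a once-only stop date is inclusive through the end of that day, and the sample config and timestamps are constructed from the slides' NoICQ and Y2K schedules.

```python
# Added example, not Juniper code: parse the two `set scheduler` forms on these
# slides and decide whether a policy carrying that schedule is active at a time.
from datetime import datetime
# ScreenOS day tokens; the slides write Tuesday as "tues", so both spellings map.
DAYS = {"sun": 6, "mon": 0, "tue": 1, "tues": 1, "wed": 2,
        "thu": 3, "thur": 3, "fri": 4, "sat": 5}

def parse_scheduler(lines):
    """{name: {"recurrent": {weekday: [(start, stop), ...]}, "once": [(start, stop)]}}"""
    sched = {}
    for line in lines:
        tok = line.split()
        if tok[:2] != ["set", "scheduler"]:
            continue
        name, kind, rest = tok[2], tok[3], tok[4:]
        entry = sched.setdefault(name, {"recurrent": {}, "once": []})
        if kind == "recurrent":   # day start HH:MM stop HH:MM [start HH:MM stop HH:MM]
            windows = entry["recurrent"].setdefault(DAYS[rest[0]], [])
            for i in range(1, len(rest), 4):
                if rest[i] != "start" or rest[i + 2] != "stop":
                    raise ValueError("malformed window: " + line)
                windows.append((datetime.strptime(rest[i + 1], "%H:%M").time(),
                                datetime.strptime(rest[i + 3], "%H:%M").time()))
        elif kind == "once":      # start mm/dd/yyyy stop mm/dd/yyyy
            entry["once"].append((datetime.strptime(rest[1], "%m/%d/%Y"),
                                  datetime.strptime(rest[3], "%m/%d/%Y")))
    return sched

def is_active(sched, name, when):
    """True while schedule `name` is in effect at `when`, i.e. the policy is active.
    Assumption: a once-only stop date is inclusive through the end of that day.
    `when` must come from a trusted clock, hence the slides' NTP recommendation."""
    entry = sched[name]
    for start, stop in entry["once"]:
        if start <= when <= stop.replace(hour=23, minute=59, second=59):
            return True
    for start, stop in entry["recurrent"].get(when.weekday(), []):
        if start <= when.time() < stop:   # start inclusive, stop exclusive
            return True
    return False

def active_at(lines, name, iso_when):   # e.g. active_at(cfg, "NoICQ", "2024-01-01T09:30")
    return is_active(parse_scheduler(lines), name, datetime.fromisoformat(iso_when))

# Constructed sample config: the slides' own NoICQ and Y2K schedules.
SAMPLE_CONFIG = [
    "set scheduler NoICQ recurrent mon start 7:00 stop 12:00 start 13:00 stop 18:00",
    "set scheduler NoICQ recurrent tues start 7:00 stop 12:00 start 13:00 stop 18:00",
    "set scheduler Y2K once start 01/01/2000 stop 01/02/2000",
]
```

A line with a missing `start` keyword (as in the tues example on the original slide) is rejected with a ValueError rather than silently producing a wrong window.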


User Authentication

Requires users to enter a username and password before traffic is permitted through the ScreenOS device.
Can be used in conjunction with an NS-Remote device.
Can be used between LANs as an additional check of user ID.
Two options:
- Firewall authentication requires that traffic match the policy to trigger the login dialogue; the policy must permit Telnet, FTP, or HTTP.
- WebAuth requires the user to browse to a dedicated WebAuth address to trigger the login dialogue.

Once authenticated, all traffic matching the policy passes.

Firewall Authentication

[Diagram: a client sends traffic with DA 172.16.1.99, service HTTP, which matches an auth policy on the firewall. The firewall prompts "Username? Password?"; the client answers "Username: JoeUser, Password: XXXX" and is authenticated. The same traffic (DA 172.16.1.99, service HTTP) is then forwarded to the web server at 172.16.1.99, and all traffic permitted by the policy passes.]

WebAuth Authentication

[Diagram: the client first browses to the WebAuth address 10.1.1.42 (DA 10.1.1.42, service HTTP). The firewall prompts "Username? Password?"; the client answers "Username: JoeUser, Password: XXXX" and is authenticated. All traffic permitted by the policy then passes to the web server at 172.16.1.99.]

What the User Sees

WebAuth example: [screenshot of the WebAuth login page]

Firewall authentication depends on the triggering protocol:
- HTTP displays a similar dialogue
- FTP and Telnet display text-based prompts

Authentication Configuration Steps

Steps:
1. Create the user database
2. Configure the authentication policy
3. Configure the WebAuth address (WebAuth only)

Step 1: Creating a User Database

CLI:
set user name password password
FW-> set user JoeUser password XXXX

WebUI: Objects > Users > Local > Edit

Security Manager: Object Manager > User Objects > Local Users > New Local

Step 1: Creating a User Database: WebUI

Objects > Users > Local > Edit

Step 2: Configuring an Authentication Policy

CLI:
set policy (from zone to zone sa da service action) auth
set policy (from zone to zone sa da service action) webauth

WebUI: Policy > Policies > Edit Rule > Advanced

Security Manager: Security Policies > policy, then Rule Options > Authentication

Step 2: Configuring an Authentication Policy: WebUI and Security Manager

WebUI: Policy > Policies > Edit Rule > Advanced

Step 3: Configuring a WebAuth Address

CLI:
set interface name webauth
set interface name webauth ssl-only
set interface name webauth-ip ip

WebUI: Network > Interfaces > Edit

Security Manager: Edit Device > Network > Interface > Edit > Advanced Properties

Step 3: Configuring a WebAuth Address: WebUI

WebUI: Network > Interfaces > Edit

Verifying Authentication

FW-> get user all
Total users: 1
Id    User name        Enable  Type     ID-type  Identity    Belongs to groups
----- ---------------  ------  -------  -------  ----------  -----------------
1     JoeUser          Yes     auth

FW-> get auth table
Total users in table: 1
Successful: 1, Failed: 0, Pending: 0, Others: 0
Col T: Used: D = Default settings, W = WebAuth, A = Auth server in policy
id  src           user     group  age  status   server  T  srczone  dstzone
1   192.168.1.33  JoeUser         5    Success  Local   W  N/A      N/A