- Create address book entries for the source and destination addresses.
- Create the custom application if no pre-defined applications encompass the protocol or ports needed.
- Create a security policy to permit the traffic using the custom application.
1. Create the address book entries for the source and destination addresses
From J-Web:- Go to Configuration >Security > Policy Elements.
- To add an address book entry for each zone, click on Address Books.
- Click on the zone for which you would like to add an address book entry (example: zone
trust
). - If address book entry required does not exist, then click Add....
- In the Address Name field specify a name (example:
local- net
).
Note: The name must be a string beginning with a letter and consisting of letters, numbers, dashes and underscores. - In IP Address/Prefix, enter the IP address/subnet mask (example:
192.168.10.0/24
). or
in DNS Name, specify a fully qualified domain name.
Note: The J Series or SRX Series device must have a working DNS server configured to resolve the domain name. - Click OK.
- Repeat steps 3-7 for zone
untrust
, Address Book entryremote-net
. Click OK again to return to the Security Policies screen.
set security zones security-zone trust address-book address local-net 192.168.10.0/24
set security zones security-zone untrust address-book address remote-net 192.168.20.0/24
2. Create a custom application
From J-Web:- From Configuration > Security > Policy Elements screen, click on Applications.
- Select Custom-Applications tab.
- Click Add...
- Specify Application Name (example:
tcp1500
), then click (plus box) for Configure top level options. - Click on Match IP protocol, pull down, and choose
tcp
. - Enter
1500
in the free-form field for Destination port (not the pull-down field). Click OK.
Note: Since the application can use any source port, it is not necessary to also specify a source port for the application. - Click OK again to return to the Security Policies screen.
set applications application tcp1500 protocol tcp
set applications application tcp1500 destination-port 1500
3. Create a security policy to permit the traffic, using the custom application
From J-Web:- From Configuration > Security > Policy screen, click Apply Policy.
- In
Zone Direction
, select From Zonetrust
and To Zoneuntrust.
- Click Add a Policy.
- Specify Policy Name (example:
policy-tr-unt
), then click (plus box) for Match Criteria. - Select Source Address Book
local-net
object on the right side and click (left arrow) to add to the Matched list. - Select Destination Address Book
remote-net
object and click (left arrow) to add to the Matched list. - Select Application
tcp1500
and click (left arrow) to add to the Matched list. - For
Policy Action
, select Permit from the pull-down menu. - Click OK to commit changes. Then click OK again to return to main policy configuration screen.
set security policies from-zone trust to-zone untrust policy policy-tr-unt match source-address local-net
set security policies from-zone trust to-zone untrust policy policy-tr-unt match destination-address remote-net
set security policies from-zone trust to-zone untrust policy policy-tr-unt match application tcp1500
set security policies from-zone trust to-zone untrust policy policy-tr-unt then permit
deny all
policy exists, then be sure that the policy created is above the deny all
policy. If not, then the policy will never be reached. To re-arrange policy order, use the Move up or down option in the Security Policies screen in J-Web or the insert
command in CLI. Examples:
Here are two custom applications created for TCP ports 5000 and 5001:
applications {
application tcp_port_5000 {
protocol tcp;
destination-port 5000;
}
application tcp_port_5001 {
protocol tcp;
destination-port 5001;
}
}
A security policy to and from the desired security zones is created. Below, we can see the custom application used:
[security policies]
from-zone inside to-zone outside {
policy telnet_100 {
match {
source-address any;
destination-address host_public;
application tcp_port_5000;
}
then {
permit
}
}
policy telnet_101 {
match {
source-address any;
destination-address host_public;
application tcp_port_5001;
}
then {
permit
}
}
}