Saturday, 8 April 2017

Configuration Example – Optimizing Application Firewall ruleset on the SRX device

Administrators keep adding new application signatures to application-firewall rules, and over time the rule-set becomes bulky. Many of the individually listed signatures may already be covered by a dynamic-application group that the same configuration references. This article describes how to evaluate the configuration and remove such redundant entries to keep the rule-set slim and optimized.
Symptoms:
Example Scenario
A user has the following configuration for application-firewall ruleset on their SRX firewall:

set security application-firewall rule-sets 1 rule 1 match dynamic-application junos:YOUTUBE-COMMENT
set security application-firewall rule-sets 1 rule 1 match dynamic-application-group junos:web
set security application-firewall rule-sets 1 rule 1 then deny
set security application-firewall rule-sets 1 default-rule deny

In this case, the dynamic application group junos:web is configured in the same rule, and that group already contains the YouTube-related signatures. The administrator needs to identify such redundant entries and trim the AppFW rule-set accordingly.

Solution:
Run the following command on the device (shown here from configuration mode, hence the `run` prefix):
labroot# run show security application-firewall shadow-rules rule-set 1
Dynamic Application: junos:YOUTUBE-COMMENT
Logical system: root-logical-system
Non-SSL-Encrypted rules:
Matching rule:
Rule: 1
Dynamic Applications: junos:YOUTUBE-COMMENT
Dynamic Application Groups: junos:web
SSL-Encryption: any
Action: deny
SSL-Encrypted rules:
Matching rule:
Rule: 1
Dynamic Applications: junos:YOUTUBE-COMMENT
Dynamic Application Groups: junos:web
SSL-Encryption: any
Action: deny

Number of shadowed dynamic application: 1

Because junos:YOUTUBE-COMMENT is a member of the dynamic application group junos:web, the output reports the individual signature as shadowed by the group in the same rule. The explicit YOUTUBE-COMMENT entry can therefore be removed from rule 1 without changing what the rule matches.

Note: If a dynamic application is already matched by an existing rule, that rule is shown in the output as above. If nothing is shadowed, the command produces no output.
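The check above is easy to do by eye for one rule, but on a large rule-set it is worth scripting. The following is an added example, not Juniper code, that parses a `set`-format application-firewall rule-set together with the `show security application-firewall shadow-rules` output and emits the matching `delete` commands. It assumes both inputs follow the formats shown on this page (the samples embedded below are constructed from them), that every statement is on one line, and Python 3.8 or later. It also goes one step beyond the article's case: when the rule that already matches a signature carries a different action than the rule listing it explicitly, the entry is reported for review instead of being deleted, since that mismatch usually means the administrator's intended action is not the one being applied.

```python
import re
from collections import defaultdict

# Constructed sample input: the rule-set from this article in 'set' format.
SAMPLE_CONFIG = """\
set security application-firewall rule-sets 1 rule 1 match dynamic-application junos:YOUTUBE-COMMENT
set security application-firewall rule-sets 1 rule 1 match dynamic-application-group junos:web
set security application-firewall rule-sets 1 rule 1 then deny
set security application-firewall rule-sets 1 default-rule deny
"""

# Constructed sample: the shadow-rules output from this article (non-SSL section;
# the SSL-Encrypted section repeats the same matching rule).
SAMPLE_SHADOW = """\
Dynamic Application: junos:YOUTUBE-COMMENT
Logical system: root-logical-system
Non-SSL-Encrypted rules:
Matching rule:
Rule: 1
Dynamic Applications: junos:YOUTUBE-COMMENT
Dynamic Application Groups: junos:web
SSL-Encryption: any
Action: deny
Number of shadowed dynamic application: 1
"""

SET_RE = re.compile(
    r"^set security application-firewall rule-sets (?P<rs>\S+) rule (?P<rule>\S+) "
    r"(?:match dynamic-application (?P<app>\S+)"
    r"|match dynamic-application-group (?P<group>\S+)"
    r"|then (?P<action>\S+))$"
)
# The singular header opens a block; plural 'Dynamic Applications:' lines do not match.
SHADOW_APP_RE = re.compile(r"^Dynamic Application: (\S+)$")
SHADOW_RULE_RE = re.compile(r"^Rule: (\S+)$")
SHADOW_ACTION_RE = re.compile(r"^Action: (\S+)$")


def parse_set_config(text):
    """Return {(rule_set, rule): {"apps": set, "groups": set, "action": str}}."""
    rules = defaultdict(lambda: {"apps": set(), "groups": set(), "action": None})
    for line in text.splitlines():
        m = SET_RE.match(line.strip())
        if not m:
            continue  # default-rule and unrelated statements are ignored
        entry = rules[(m["rs"], m["rule"])]
        if m["app"]:
            entry["apps"].add(m["app"])
        elif m["group"]:
            entry["groups"].add(m["group"])
        else:
            entry["action"] = m["action"]
    return dict(rules)


def parse_shadow_rules(text):
    """Return {shadowed_app: {matching_rule: action}} from the CLI output."""
    shadowed, app, rule = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if m := SHADOW_APP_RE.match(line):
            app, rule = m.group(1), None
            shadowed[app] = {}
        elif app and (m := SHADOW_RULE_RE.match(line)):
            rule = m.group(1)
        elif rule and (m := SHADOW_ACTION_RE.match(line)):
            shadowed[app][rule] = m.group(1)
            rule = None
    return shadowed


def plan_cleanup(rule_set, config, shadowed):
    """Return (delete_commands, warnings).

    A delete is emitted for each rule listing a shadowed application explicitly,
    unless a rule that already matches it uses a different action; that case
    is reported for a human decision instead of being deleted.
    """
    deletes, warnings = [], []
    for app, matches in shadowed.items():
        for (rs, rule), entry in sorted(config.items()):
            if rs != rule_set or app not in entry["apps"]:
                continue
            mismatched = {r: a for r, a in matches.items() if a != entry["action"]}
            if mismatched:
                warnings.append(
                    f"{app} in rule {rule} ({entry['action']}) is shadowed with a "
                    f"different action by rule(s) {mismatched}; review before deleting"
                )
                continue
            deletes.append(
                f"delete security application-firewall rule-sets {rs} "
                f"rule {rule} match dynamic-application {app}"
            )
    return deletes, warnings


if __name__ == "__main__":
    cfg = parse_set_config(SAMPLE_CONFIG)
    deletes, warnings = plan_cleanup("1", cfg, parse_shadow_rules(SAMPLE_SHADOW))
    print("\n".join(deletes + [f"# WARNING: {w}" for w in warnings]))
```

Feed it `show configuration | display set` for the rule-set and the shadow-rules output captured from the device; review the printed `delete` lines and any warnings before loading them in configuration mode and committing.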