When administrators keep adding individual application signatures to
application-firewall rule-sets, the rule-sets grow bulky over time. Many of
the signatures added one by one are already members of a
dynamic-application group that the same configuration references, so they
add nothing to what the rule matches. This article describes how to find
such redundant entries and trim the configuration so it stays slim and
easy to audit.
Symptoms:
Example Scenario
A user has the following application-firewall rule-set configured on an SRX firewall:
set security application-firewall rule-sets 1 rule 1 match dynamic-application junos:YOUTUBE-COMMENT
set security application-firewall rule-sets 1 rule 1 match dynamic-application-group junos:web
set security application-firewall rule-sets 1 rule 1 then deny
set security application-firewall rule-sets 1 default-rule deny
In this case, the same rule also references the dynamic-application group
junos:web, which already contains the YouTube-related signatures, including
junos:YOUTUBE-COMMENT. The user needs to identify such redundant entries and trim the application-firewall rule-sets.
Cause:
Rule 1 matches both the individual dynamic application junos:YOUTUBE-COMMENT and the dynamic-application group junos:web. Because the group already contains that signature, the individual match can never match traffic that the group match does not already cover; the signature is shadowed.
Solution:
Run the following command on the device (shown here from configuration mode, hence the run prefix):
labroot# run show security application-firewall shadow-rules rule-set 1
Dynamic Application: junos:YOUTUBE-COMMENT
Logical system: root-logical-system
Non-SSL-Encrypted rules:
Matching rule:
Rule: 1
Dynamic Applications: junos:YOUTUBE-COMMENT
Dynamic Application Groups: junos:web
SSL-Encryption: any
Action: deny
SSL-Encrypted rules:
Matching rule:
Rule: 1
Dynamic Applications: junos:YOUTUBE-COMMENT
Dynamic Application Groups: junos:web
SSL-Encryption: any
Action: deny
Number of shadowed dynamic application: 1
Since junos:YOUTUBE-COMMENT is a member of the dynamic-application group
junos:web, the output reports the individual signature as shadowed: rule 1
would match the same traffic, with the same action (deny), through the group
alone. The explicit junos:YOUTUBE-COMMENT match can therefore be removed from
rule 1 without changing what the rule enforces. After the change, run the
same command again to confirm the signature is no longer reported.
Note: The command lists a matching rule only when the dynamic application is
already covered by an existing rule (here, through the group in the same
rule). If nothing shadows it, the command produces no output at all.