■vSRX-HA version
labunix@vSRX-node0> show version
node0:
--------------------------------------------------------------------------
Hostname: vSRX-node0
Model: firefly-perimeter
JUNOS Software Release [12.1X47-D20.7]
node1:
--------------------------------------------------------------------------
Hostname: vSRX-node1
Model: firefly-perimeter
JUNOS Software Release [12.1X47-D20.7]
{primary:node0}
■Configure an address group (address-set).
configure
set security zones security-zone L2-Trust address-book address vmnet8.host 192.168.152.1/32
set security zones security-zone L2-Trust address-book address vmnet8.dns 192.168.152.2/32
set security zones security-zone L2-Trust address-book address-set vmnet8 address vmnet8.host
set security zones security-zone L2-Trust address-book address-set vmnet8 address vmnet8.dns
commit and-quit
labunix@vSRX-node0> show configuration security zones security-zone L2-Trust address-book
address vmnet8.100 192.168.152.100/32;
address vmnet8.host 192.168.152.1/32;
address vmnet8.dns 192.168.152.2/32;
address-set vmnet8 {
    address vmnet8.host;
    address vmnet8.dns;
}
{primary:node0}
■Configure an application group (application-set).
configure
set applications application-set from-proxy application junos-http
set applications application-set from-proxy application junos-https
set applications application-set from-proxy application junos-ftp
set applications application-set from-proxy application junos-dns-tcp
set applications application-set from-proxy application junos-dns-udp
set applications application-set from-proxy application junos-ntp
set applications application-set from-proxy application junos-whois
commit and-quit
labunix@vSRX-node0> show configuration applications
application proxy_3128 {
    application-protocol http;
    protocol tcp;
    destination-port 3128;
    inactivity-timeout 1800;
}
application proxy_8080 {
    application-protocol http;
    protocol tcp;
    destination-port 8080;
    inactivity-timeout 1800;
}
application-set from-proxy {
    application junos-http;
    application junos-https;
    application junos-ftp;
    application junos-dns-tcp;
    application junos-dns-udp;
    application junos-ntp;
    application junos-whois;
}
{primary:node0}
■Create the policy
configure
set security policies from-zone L2-Trust to-zone L3-Untrust policy pass_from_proxy match source-address vmnet8.100
set security policies from-zone L2-Trust to-zone L3-Untrust policy pass_from_proxy match destination-address any
set security policies from-zone L2-Trust to-zone L3-Untrust policy pass_from_proxy match application from-proxy
set security policies from-zone L2-Trust to-zone L3-Untrust policy pass_from_proxy then permit
set security policies from-zone L2-Trust to-zone L3-Untrust policy pass_from_proxy then log session-init
commit and-quit
labunix@vSRX-node0> show configuration security policies from-zone L2-Trust to-zone L3-Untrust policy pass_from_proxy
match {
    source-address vmnet8.100;
    destination-address any;
    application from-proxy;
}
then {
    permit;
    log {
        session-init;
    }
}
{primary:node0}
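The three steps above build objects (addresses, an address-set, an application-set) and then a policy that refers to them by name. A check a practitioner wants before `commit` is that every name a policy or set refers to is actually defined in the right place: source addresses in the from-zone's address-book, destination addresses in the to-zone's, applications either predefined (`junos-*`, `any`) or configured. The script below is an added example, not part of the original post or of Junos itself; it parses `set`-style commands like the ones shown on this page (the sample input is constructed from them, plus a second constructed sample with two deliberately dangling references) and reports unresolved references. It assumes zone-attached address-books, as on this page, and does not handle the global address-book.

```python
"""Resolve object references in Junos 'set' commands (added example).

Reports any address, address-set, application or application-set that a
policy or a set refers to but that the configuration never defines.
Assumption: address-books are attached to security zones (as on this page);
the global address-book is not handled.
"""
import re
from collections import defaultdict

# Objects Junos predefines, so they need no 'set' line.
BUILTIN_ADDRESSES = {"any", "any-ipv4", "any-ipv6"}


def is_builtin_application(name: str) -> bool:
    return name == "any" or name.startswith("junos-")


RE_ADDRESS = re.compile(
    r"^set security zones security-zone (\S+) address-book address (\S+) \S+$")
RE_ADDRESS_SET = re.compile(
    r"^set security zones security-zone (\S+) address-book address-set (\S+) address (\S+)$")
RE_APPLICATION = re.compile(r"^set applications application (\S+) ")
RE_APPLICATION_SET = re.compile(
    r"^set applications application-set (\S+) application (\S+)$")
RE_POLICY_MATCH = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
    r"match (source-address|destination-address|application) (\S+)$")


def parse_set_commands(text: str) -> dict:
    """Collect defined objects and the references that policies make."""
    cfg = {
        "addresses": defaultdict(set),         # zone -> {address name}
        "address_sets": defaultdict(dict),     # zone -> {set name: {members}}
        "applications": set(),                 # configured application names
        "application_sets": defaultdict(set),  # set name -> {members}
        "policy_refs": [],                     # (from, to, policy, field, name)
    }
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_ADDRESS.match(line):
            zone, name = m.groups()
            cfg["addresses"][zone].add(name)
        elif m := RE_ADDRESS_SET.match(line):
            zone, set_name, member = m.groups()
            cfg["address_sets"][zone].setdefault(set_name, set()).add(member)
        elif m := RE_APPLICATION.match(line):
            cfg["applications"].add(m.group(1))
        elif m := RE_APPLICATION_SET.match(line):
            set_name, member = m.groups()
            cfg["application_sets"][set_name].add(member)
        elif m := RE_POLICY_MATCH.match(line):
            cfg["policy_refs"].append(m.groups())
    return cfg


def address_defined(cfg: dict, zone: str, name: str) -> bool:
    """An address name resolves if predefined, an address or an address-set in that zone."""
    return (name in BUILTIN_ADDRESSES
            or name in cfg["addresses"].get(zone, set())
            or name in cfg["address_sets"].get(zone, {}))


def application_defined(cfg: dict, name: str) -> bool:
    return (is_builtin_application(name)
            or name in cfg["applications"]
            or name in cfg["application_sets"])


def check_set_commands(text: str) -> list:
    """Return human-readable descriptions of every dangling reference."""
    cfg = parse_set_commands(text)
    problems = []
    for zone, sets in cfg["address_sets"].items():
        for set_name, members in sets.items():
            for member in sorted(members):
                if not address_defined(cfg, zone, member):
                    problems.append(f"address-set {zone}/{set_name}: member '{member}' is not defined")
    for set_name, members in cfg["application_sets"].items():
        for member in sorted(members):
            if not application_defined(cfg, member):
                problems.append(f"application-set {set_name}: member '{member}' is not defined")
    for from_zone, to_zone, policy, field, name in cfg["policy_refs"]:
        if field == "source-address":
            ok = address_defined(cfg, from_zone, name)   # looked up in the from-zone
        elif field == "destination-address":
            ok = address_defined(cfg, to_zone, name)     # looked up in the to-zone
        else:
            ok = application_defined(cfg, name)
        if not ok:
            problems.append(f"policy {policy} ({from_zone}->{to_zone}): {field} '{name}' is not defined")
    return problems


# Constructed sample: the 'set' commands shown on this page.
PAGE_CONFIG = """
set security zones security-zone L2-Trust address-book address vmnet8.100 192.168.152.100/32
set security zones security-zone L2-Trust address-book address vmnet8.host 192.168.152.1/32
set security zones security-zone L2-Trust address-book address vmnet8.dns 192.168.152.2/32
set security zones security-zone L2-Trust address-book address-set vmnet8 address vmnet8.host
set security zones security-zone L2-Trust address-book address-set vmnet8 address vmnet8.dns
set applications application proxy_3128 protocol tcp
set applications application proxy_3128 destination-port 3128
set applications application-set from-proxy application junos-http
set applications application-set from-proxy application junos-https
set applications application-set from-proxy application junos-dns-udp
set security policies from-zone L2-Trust to-zone L3-Untrust policy pass_from_proxy match source-address vmnet8.100
set security policies from-zone L2-Trust to-zone L3-Untrust policy pass_from_proxy match destination-address any
set security policies from-zone L2-Trust to-zone L3-Untrust policy pass_from_proxy match application from-proxy
set security policies from-zone L2-Trust to-zone L3-Untrust policy pass_from_proxy then permit
"""

# Constructed sample with two dangling references (an undefined address and
# an undefined application-set member) to show what the check reports.
BROKEN_CONFIG = PAGE_CONFIG + """
set security policies from-zone L2-Trust to-zone L3-Untrust policy broken match source-address vmnet8.nope
set security policies from-zone L2-Trust to-zone L3-Untrust policy broken match destination-address any
set security policies from-zone L2-Trust to-zone L3-Untrust policy broken match application proxy-set
set applications application-set proxy-set application proxy_8080
"""

if __name__ == "__main__":
    for label, text in (("page config", PAGE_CONFIG), ("broken config", BROKEN_CONFIG)):
        found = check_set_commands(text)
        print(f"{label}: {len(found)} problem(s)")
        for p in found:
            print("  " + p)
```

Run it against the output of `show configuration | display set` saved to a file instead of the constructed samples; on the page's own configuration it reports nothing, on the second sample it flags the undefined source address and the undefined application-set member.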