Juniper SRX with Allowlist

Knocknoc's Allowlist feature provides a powerful integration with firewalls that support a dynamic address list: the firewall pulls from the Knocknoc server a list of IPs for authenticated users (in the correct group). The drawback is that the firewall can only fetch the list every 30 seconds or slower. This page and its script document a solution that combines Knocknoc ACLs with the Allowlist to make the process faster for the user: the Allowlist is still published, but a script prompts the firewall to refresh it on login. This allows for a least-privilege approach to your Knocknoc implementation.

This guide explains how to use the provided script and Junos configuration snippet to automate the process of updating dynamic addresses on a Juniper SRX device. The script is designed to securely execute the request security dynamic-address update command through SSH, leveraging predefined credentials and key-based authentication.

Purpose of the Script

The junos-reload-list.sh script serves as a wrapper to safely parse typical ipset-like arguments while ultimately triggering the request security dynamic-address update command on a Junos SRX. This is useful when the actual logic for adding, deleting, or flushing IPs is handled elsewhere, and the SRX only needs to fetch the updated list from its configured source.

How the Script Works

  1. Secrets File: The script reads the Junos username and hostname from a secrets file (/opt/knocknoc-agent/.junossecrets).
    • Line 1: Username
    • Line 2: Hostname
  2. Validation: The script validates the operation (add, del, or flush), dynamic address name, and optional IP address provided as arguments.
  3. SSH Execution: Using key-based SSH authentication, the script securely executes the request security dynamic-address update command on the SRX device for the specified address name.

Prerequisites

  1. Script Location: Place the script at /opt/knocknoc-agent/scripts/junos-reload-list.sh.
  2. Secrets File: Create a secrets file at /opt/knocknoc-agent/.junossecrets with the following format:
    <username>
    <hostname>
    
    Ensure the file is secured with appropriate permissions (e.g., chmod 600).
  3. Private Key: Store the SSH private key at /opt/knocknoc-agent/privkey and secure it (e.g., chmod 600).
  4. Junos Configuration: Ensure the Junos device is configured to accept the request security dynamic-address update command with appropriate permissions.

Junos Configuration

The following configuration snippet defines a custom login class and user account with restricted permissions to execute the required command.

Configuration Snippet

login {
    class knocknoc {
        permissions [ security security-control ];
        allow-commands "(request security dynamic-address update address-name testaddress)|(quit)";
    }
    user knocknoc {
        uid 2000;
        class knocknoc;
        authentication {
            ssh-rsa "<public-key>";
        }
    }
}
  1. Custom Login Class:

    • Name: knocknoc
    • Permissions: security and security-control
    • Allowed Commands: Restricts the user to executing only the request security dynamic-address update command for a specific address name (testaddress) and quitting the session. The address name in this regular expression must match the name passed to the script, otherwise the SRX will reject the command.
  2. User Account:

    • Username: knocknoc
    • UID: 2000 (arbitrary; adjust as needed)
    • Authentication: Configured for SSH key-based authentication.

Replace <public-key> with the public key corresponding to the private key stored in /opt/knocknoc-agent/privkey.

Script Usage

The script accepts three arguments:

  1. Operation: The action to perform (add, del, or flush).
  2. Dynamic Address Name: The name of the dynamic address.
  3. IP Address (Optional): An IP address, accepted so the script can be called with ipset-style arguments. It is validated for consistency only; the SRX fetches the current list from its configured source rather than receiving the IP from the script.

Example Command

/opt/knocknoc-agent/scripts/junos-reload-list.sh add testaddress 192.168.1.1
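As an added example, not the project's own junos-reload-list.sh, here is a POSIX sh wrapper that behaves as the page describes: it validates the ipset-style arguments, reads the username and hostname from the secrets file, and runs the update command over key-based SSH. The KNOCKNOC_SECRETS and KNOCKNOC_PRIVKEY environment overrides, the IPv4-only check and the permitted character set for the address name are assumptions of this example.

```shell
#!/bin/sh
# Illustrative wrapper in the style of junos-reload-list.sh (added example, not the
# project's script): validate <op> <address-name> [ip], then refresh the list via SSH.
set -eu

SECRETS="${KNOCKNOC_SECRETS:-/opt/knocknoc-agent/.junossecrets}"   # line 1 user, line 2 host
PRIVKEY="${KNOCKNOC_PRIVKEY:-/opt/knocknoc-agent/privkey}"

# is_ipv4 ADDR: dotted quad with each octet in 0-255 (assumed: IPv4 only)
is_ipv4() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs="$IFS"; IFS=.; set -- $1; IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# validate_args OP NAME [IP]: reject bad operations, and keep NAME to a safe character
# set so it cannot smuggle extra text into the remote command string
validate_args() {
    op="${1:-}"; name="${2:-}"; ip="${3:-}"
    case "$op" in
        add|del|flush) ;;
        *) echo "operation must be add, del or flush" >&2; return 1 ;;
    esac
    case "$name" in
        ''|*[!A-Za-z0-9_.-]*) echo "invalid dynamic address name: $name" >&2; return 1 ;;
    esac
    if [ -n "$ip" ]; then
        [ "$op" != flush ] || { echo "flush takes no IP argument" >&2; return 1; }
        is_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    fi
}

# junos_command NAME: the only command the knocknoc login class permits besides quit
junos_command() {
    printf 'request security dynamic-address update address-name %s' "$1"
}

# reload_list OP NAME [IP]: validate, read credentials, trigger the refresh on the SRX
reload_list() {
    validate_args "$@" || return 1
    user=$(sed -n 1p "$SECRETS"); host=$(sed -n 2p "$SECRETS")
    [ -n "$user" ] && [ -n "$host" ] || { echo "secrets file incomplete" >&2; return 1; }
    # BatchMode never prompts for a password; the SRX login class limits what the key may run
    ssh -i "$PRIVKEY" -o BatchMode=yes -o StrictHostKeyChecking=yes \
        "$user@$host" "$(junos_command "$2")"
}

if [ $# -gt 0 ]; then reload_list "$@"; fi
```

Because the address name is inserted into the remote command string, restricting it to a safe character set keeps the wrapper from sending anything beyond what the SRX allow-commands regular expression was written to accept.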

Steps to Configure and Use

  1. Prepare the Environment:

    • Upload the script to /opt/knocknoc-agent/scripts/.
    • Create and secure the secrets file at /opt/knocknoc-agent/.junossecrets.
    • Store the SSH private key at /opt/knocknoc-agent/privkey.
  2. Configure the Junos Device:

    • Apply the provided configuration snippet.
    • Test the user login with the private key to ensure access.
  3. Test the Script:

    • Execute the script with appropriate arguments to validate functionality.
  4. Automation:

    • Integrate the script into your existing automation or orchestration workflows to trigger updates as needed.

Security Considerations

  • Secure the secrets file and private key with proper file permissions.
  • Restrict the knocknoc user's permissions to only the necessary commands.
  • Regularly rotate keys and update the secrets file accordingly.

By following this guide, you can automate dynamic address updates on a Junos SRX securely and efficiently.