Skip to main content

Juniper SRX with Allowlist

Background

Knocknoc's Allowlist features provides a very powerful integration with firewalls that support a Dynamic Address Lists.  This feature pulls from the Knocknoc server a list of IPs of authenticated users, in the correct group. The drawback of this feature is that the list can only be fetched every 30 seconds or slower.

This guide explains how to use the provided script and Junos configuration snippet to automate the process of updating dynamic addresses on a Juniper SRX device. The script is designed to securely execute the request security dynamic-address update command through SSH, leveraging predefined credentials and key-based authentication.

Full Configuration Flow

  1. Configure the Knocknoc Server: Set up Allowlist and script ACLs
  2. Dynamic Address Feed Configuration: Set up the feed-server and associate the feed with a dynamic address name.
  3. Security Policy Configuration: Create a policy referencing the dynamic address and other relevant parameters.
  4. Configure Knocknoc SSH user: an SRX user with least privilege and the correct key.
  5. Allocate ACLs: Associate users and groups to ACLs, then test.

Configure Knocknoc Server

  1. Agent Setup: Install an agent on a machine that can SSH to the Junos SRX management IP.
  2. Add Allowlist Backend: Setup an Allowlist backend in Backends -> Create Backend -> Type Allowlist and give it a name. 
  3. Add Agent Backend: Create another Backend, Type Script, choose your Agent from Step 1,  and enter /opt/knocknoc-agent/scripts/junos-reload-list.sh as the script name.

 

 

Purpose of the Script

The junos-reload-list.sh script serves as a wrapper to safely parse typical ipset-like arguments while ultimately triggering the request security dynamic-address update command on a Junos SRX. This is useful when the actual logic for adding, deleting, or flushing IPs is handled elsewhere, and the SRX only needs to fetch the updated list from its configured source.

How the Script Works

  1. Secrets File: The script reads the Junos username and hostname from a secrets file (/opt/knocknoc-agent/.junossecrets).
    • Line 1: Username
    • Line 2: Hostname
  2. Validation: The script validates the operation (add, del, or flush), dynamic address name, and optional IP address provided as arguments.
  3. SSH Execution: Using key-based SSH authentication, the script securely executes the request security dynamic-address update command on the SRX device for the specified address name.

Prerequisites

  1. Script Location: Check the script at /opt/knocknoc-agent/scripts/junos-reload-list.sh. Knocknoc-agent includes the script from version 7.2.
  2. Secrets File: Create a secrets file at /opt/knocknoc-agent/.junossecrets with the following format: 
    <username>
<hostname>
    Ensure the file is secured with appropriate permissions (e.g., chmod 600).
  3. Private Key: Store the SSH private key at /opt/knocknoc-agent/privkey and secure it (e.g., chmod 600).
  4. Junos Configuration: Ensure the Junos device is configured to accept the request security dynamic-address update command with appropriate permissions.

Junos Configuration

The following configuration snippet defines a custom login class and user account with restricted permissions to execute the required command.

Configuration Snippet

login {
    class knocknoc {
        permissions [ security security-control ];
        allow-commands "(request security dynamic-address update address-name testaddress)|(quit)";
    }
    user knocknoc {
        uid 2000;
        class knocknoc;
        authentication {
            ssh-rsa "<public-key>";
        }
    }
}

  1. Custom Login Class:

    • Name: knocknoc
    • Permissions: security and security-control
    • Allowed Commands: Restricts the user to only execute the request security dynamic-address update command for a specific address name (testaddress) and quit the session.

  2. User Account:

    • Username: knocknoc
    • UID: 2000 (arbitrary; adjust as needed)
    • Authentication: Configured for SSH key-based authentication.

Replace <public-key> with the public key corresponding to the private key stored in /opt/knocknoc-agent/privkey.

Using the Dynamic Address in Firewall Rules

The dynamic list fetched using the testaddress dynamic address name can be integrated into a security policy to allow specific traffic. Below is a configuration example based on a practical implementation.

Configuring the Dynamic Address Feed and Feed-Server

set sjknocknoc2 url "https://apikey:knakpo33gNHoR7G5vmsuTo88bJL46WZSDNdjjEDwhmvz@192.168.84.18:8756"
set security dynamic-address feed-server knocknoc2 update-interval 30
set security dynamic-address feed-server knocknoc2 feed-name knocknoc_feed path /api/v1/allowlists/0193e60f-3243-7818-9f86-78774e4d4394/XtN9cmItoqsce6t3.txt

set security dynamic-address address-name knocknoc_address profile feed-name knocknoc_feeduniper

  1. Feed-Server Configuration:

    • knocknoc2: The name of the feed server.
    • url: URL for the dynamic address feed, including authentication details.
    • update-interval: Frequency (in minutes) for fetching updates.
    • feed-name and path: Specify the name of the feed and the exact API path to retrieve the address list.

  2. Dynamic Address Profile:

    • knocknoc_address: Dynamic address name associated with the knocknoc_feed.

Configuring Security Policies

set security policies from-zone Outside to-zone Inside policy knocknoctest1 match source-address knocknoc_address
set security policies from-zone Outside to-zone Inside policy knocknoctest1 match destination-address knocknoc_192.168.84.18
set security policies from-zone Outside to-zone Inside policy knocknoctest1 match application junos-ping
set security policies from-zone Outside to-zone Inside policy knocknoctest1 then permit
  1. Source Address: Matches the dynamic address knocknoc_address.
  2. Destination Address: Matches a specific address (e.g., knocknoc_192.168.84.18) configured separately in the address-book.
  3. Application: Specifies the type of traffic (e.g., junos-ping).
  4. Action: Permits the traffic matching the policy.

Defining the Destination Address in Address-Book

set security address-book global address knocknoc_192.168.84.18 192.168.84.18/32
  • Replace 192.168.84.18 with the actual IP address of your resource (e.g., VPN appliance).

Script Usage

The script accepts three arguments:

  1. Operation: The action to perform (add, del, or flush).
  2. Dynamic Address Name: The name of the dynamic address.
  3. IP Address (Optional): An IP address to validate positional consistency.

Example Command

/opt/knocknoc-agent/scripts/junos-reload-list.sh add testaddress 192.168.1.1

Steps to Configure and Use

  1. Prepare the Environment:

    • Upload the script to /opt/knocknoc-agent/scripts/.
    • Create and secure the secrets file at /opt/knocknoc-agent/.junossecrets.
    • Store the SSH private key at /opt/knocknoc-agent/privkey.

  2. Configure the Junos Device:

    • Apply the provided configuration snippet.
    • Configure the dynamic address feed, feed-server, address-sets, and security policies.
    • Test the user login with the private key to ensure access.

  3. Test the Script:

    • Execute the script with appropriate arguments to validate functionality.

  4. Automation:

    • Integrate the script into your existing automation or orchestration workflows to trigger updates as needed.

Security Considerations

  • Secure the secrets file and private key with proper file permissions.
  • Restrict the knocknoc user's permissions to only the necessary commands.
  • Regularly rotate keys and update the secrets file accordingly.

By following this guide, you can automate dynamic address updates on a Junos SRX securely and efficiently.

Back to top