Juniper SRX with Allowlist
Background
Knocknoc's Allowlist feature provides a very powerful integration with firewalls that support Dynamic Address Lists. The firewall pulls from the Knocknoc server a list of the IPs of authenticated users who are in the correct group. The drawback of this feature is that the list can only be fetched every 30 seconds or slower.
This guide explains how to use the provided script and Junos configuration snippet to automate updating dynamic addresses on a Juniper SRX device. The script is designed to securely execute the request security dynamic-address update command through SSH, using predefined credentials and key-based authentication.
Full Configuration Flow
- Configure the Knocknoc Server: Set up Allowlist and script ACLs
- Dynamic Address Feed Configuration: Set up the feed-server and associate the feed with a dynamic address name.
- Security Policy Configuration: Create a policy referencing the dynamic address and other relevant parameters.
- Configure Knocknoc SSH user: an SRX user with least privilege and the correct key.
- Allocate ACLs: Associate users and groups to ACLs, then test.
Configure Knocknoc Server
- Agent Setup: Install an agent on a machine that can SSH to the Junos SRX management IP.
- Add Allowlist Backend: Set up an Allowlist backend in Backends -> Create Backend -> Type Allowlist and give it a name.
- Add Agent Backend: Create another Backend, Type Script, choose your Agent from Step 1, and enter /opt/knocknoc-agent/scripts/junos-reload-list.sh as the script name.
- Create Allowlist ACL: ACLs -> Create ACL and select the Allowlist backend from Step 2. Give it a name and a URL. The users will see this name and URL.
- Create Agent ACL: ACLs -> Create ACL and select the Agent backend from Step 3. The ACL name is important: it will be the name of your SRX dynamic address later.
- Allocate ACLs: Go to Groups, and create a group that contains both ACLs from steps 4 and 5. Include any local users; SAML users will be included automatically if the group name matches.
- API Key: Go to API Keys and click Create API Key. Enter a name and make sure to select the allowlists.read capability. Be sure to securely save the API key presented, as it will only be displayed once. You can click the little copy icon to copy it into your password manager.
Junos Configuration
Configuring the Dynamic Address Feed and Feed-Server
set security dynamic-address feed-server knocknoc url "https://apikey:<api_key>@<knocknoc_server>:<knocknoc_port>"
set security dynamic-address feed-server knocknoc update-interval 30
set security dynamic-address feed-server knocknoc feed-name knocknoc_feed path /api/v1/allowlists/xxxxxx/yyyyy.txt
set security dynamic-address address-name knocknoc_allow profile feed-name knocknoc_feed
- Feed-Server Configuration:
  - knocknoc: The name of the feed server.
  - url: URL for the dynamic address feed, including authentication details (the API key created on the Knocknoc server).
  - update-interval: Frequency (in seconds) for fetching updates; 30 is the fastest the Knocknoc allowlist can be polled.
  - feed-name and path: The name of the feed and the exact API path to retrieve the address list.
- Dynamic Address Profile:
  - knocknoc_allow: Dynamic address name associated with the knocknoc_feed feed.
The following configuration snippet defines a custom login class and user account with restricted permissions to execute the required command.
Configuration Snippet
login {
    class knocknoc {
        permissions [ security security-control ];
        allow-commands "(request security dynamic-address update address-name testaddress)|(quit)";
    }
    user knocknoc {
        uid 2000;
        class knocknoc;
        authentication {
            ssh-rsa "<public-key>";
        }
    }
}
- Custom Login Class:
  - Name: knocknoc
  - Permissions: security and security-control
  - Allowed Commands: Restricts the user to executing only the request security dynamic-address update command for a specific address name (testaddress) and quitting the session.
- User Account:
  - Username: knocknoc
  - UID: 2000 (arbitrary; adjust as needed)
  - Authentication: Configured for SSH key-based authentication.
Replace <public-key> with the public key corresponding to the private key stored in /opt/knocknoc-agent/privkey.
Using the Dynamic Address in Firewall Rules
The dynamic list fetched under the testaddress dynamic address name can be integrated into a security policy to allow specific traffic. Below is a configuration example based on a practical implementation. Note that this guide uses several placeholder names (knocknoc_allow in the feed configuration, testaddress in the login class, knocknoc_address in the policy); in a real deployment the feed's address-name, the name in allow-commands, the policy's source-address and the Knocknoc Agent ACL name must all be the same.
Configuring Security Policies
set security policies from-zone Outside to-zone Inside policy knocknoctest1 match source-address knocknoc_address
set security policies from-zone Outside to-zone Inside policy knocknoctest1 match destination-address knocknoc_192.168.84.18
set security policies from-zone Outside to-zone Inside policy knocknoctest1 match application junos-ping
set security policies from-zone Outside to-zone Inside policy knocknoctest1 then permit
- Source Address: Matches the dynamic address knocknoc_address.
- Destination Address: Matches a specific address (e.g., knocknoc_192.168.84.18) configured separately in the address-book.
- Application: Specifies the type of traffic (e.g., junos-ping).
- Action: Permits the traffic matching the policy.
Defining the Destination Address in Address-Book
set security address-book global address knocknoc_192.168.84.18 192.168.84.18/32
- Replace 192.168.84.18 with the actual IP address of your resource (e.g., VPN appliance).
Purpose of the Script
The junos-reload-list.sh script serves as a wrapper that safely parses typical ipset-like arguments while ultimately triggering the request security dynamic-address update command on a Junos SRX. This is useful when the actual logic for adding, deleting, or flushing IPs is handled elsewhere, and the SRX only needs to fetch the updated list from its configured source.
How the Script Works
- Secrets File: The script reads the Junos username and hostname from a secrets file (/opt/knocknoc-agent/.junossecrets).
  - Line 1: Username
  - Line 2: Hostname
- Validation: The script validates the operation (add, del, or flush), the dynamic address name, and the optional IP address provided as arguments.
- SSH Execution: Using key-based SSH authentication, the script securely executes the request security dynamic-address update command on the SRX device for the specified address name.
Prerequisites
- Script Location: Check the script at /opt/knocknoc-agent/scripts/junos-reload-list.sh. Knocknoc-agent includes the script from version 7.2.
- Secrets File: Create a secrets file at /opt/knocknoc-agent/.junossecrets with the following format (username on the first line, hostname on the second):
  <username>
  <hostname>
  Ensure the file is secured with appropriate permissions (e.g., chmod 600).
- Private Key: Store the SSH private key at /opt/knocknoc-agent/privkey and secure it (e.g., chmod 600).
- Junos Configuration: Ensure the Junos device is configured to accept the request security dynamic-address update command with appropriate permissions.
Script Usage
The script accepts three arguments:
- Operation: The action to perform (add, del, or flush).
- Dynamic Address Name: The name of the dynamic address.
- IP Address (Optional): An IP address to validate positional consistency.
Example Command
/opt/knocknoc-agent/scripts/junos-reload-list.sh add testaddress 192.168.1.1
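As an added illustration (not the knocknoc-agent's own junos-reload-list.sh), the following POSIX shell script implements the wrapper behaviour described in "How the Script Works" and "Script Usage": it validates the ipset-style arguments, reads the username and hostname from the secrets file, and runs the single permitted command over key-based SSH. The helper names (valid_op, valid_name, valid_ip, read_secrets, remote_command) and the KNOCKNOC_SECRETS / KNOCKNOC_PRIVKEY override variables are this example's own assumptions; the file locations follow the guide.

```shell
#!/bin/sh
# Example wrapper in the spirit of junos-reload-list.sh (not the agent's own
# script). Paths follow the guide; the environment overrides are example-only.
SECRETS="${KNOCKNOC_SECRETS:-/opt/knocknoc-agent/.junossecrets}"
PRIVKEY="${KNOCKNOC_PRIVKEY:-/opt/knocknoc-agent/privkey}"

# ipset-style operation: the SRX re-fetches its feed regardless of which one.
valid_op() {
    case "$1" in add|del|flush) return 0 ;; *) return 1 ;; esac
}

# Dynamic address name: letters, digits, '_' and '-' only, so the value can
# never add extra words to the remote command line.
valid_name() {
    case "$1" in ''|*[!A-Za-z0-9_-]*) return 1 ;; *) return 0 ;; esac
}

# Optional IPv4 argument: four dotted decimal octets in the range 0-255.
valid_ip() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

# The only command the restricted login class allows (besides quit).
remote_command() {
    printf 'request security dynamic-address update address-name %s' "$1"
}

# Secrets file: line 1 is the SRX username, line 2 the SRX hostname.
read_secrets() {
    [ -r "$1" ] || { echo "cannot read secrets file $1" >&2; return 1; }
    SRX_USER=$(sed -n '1p' "$1")
    SRX_HOST=$(sed -n '2p' "$1")
    [ -n "$SRX_USER" ] && [ -n "$SRX_HOST" ]
}

main() {
    valid_op "${1:-}" || { echo "usage: $0 add|del|flush <name> [ip]" >&2; return 2; }
    valid_name "${2:-}" || { echo "invalid dynamic address name" >&2; return 2; }
    if [ -n "${3:-}" ] && ! valid_ip "$3"; then echo "invalid IPv4: $3" >&2; return 2; fi
    read_secrets "$SECRETS" || return 1
    # BatchMode forbids password prompts; the SRX host key must already be in known_hosts.
    ssh -i "$PRIVKEY" -o BatchMode=yes -o StrictHostKeyChecking=yes \
        "$SRX_USER@$SRX_HOST" "$(remote_command "$2")"
}

# Only act when called with arguments, so the functions can also be sourced.
if [ $# -gt 0 ]; then main "$@"; fi
```

Because the name is validated before it reaches the SSH command line and the SRX login class only permits that one command, a malformed argument fails locally instead of producing an unexpected remote command.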
Steps to Configure and Use
- Prepare the Environment:
  - Upload the script to /opt/knocknoc-agent/scripts/.
  - Create and secure the secrets file at /opt/knocknoc-agent/.junossecrets.
  - Store the SSH private key at /opt/knocknoc-agent/privkey.
- Configure the Junos Device:
  - Apply the provided configuration snippet.
  - Configure the dynamic address feed, feed-server, address-sets, and security policies.
  - Test the user login with the private key to ensure access.
- Test the Script:
  - Execute the script with appropriate arguments to validate functionality.
- Automation:
  - Integrate the script into your existing automation or orchestration workflows to trigger updates as needed.
Security Considerations
- Secure the secrets file and private key with proper file permissions.
- Restrict the knocknoc user's permissions to only the necessary commands.
- Regularly rotate keys and update the secrets file accordingly.
By following this guide, you can automate dynamic address updates on a Junos SRX securely and efficiently.