Skip to main content

Juniper SRX with Allowlist

Background

Knocknoc's Allowlist features provides a very powerful integration with firewalls that support a Dynamic Address Lists.  This feature pulls from the Knocknoc server a list of IPs of authenticated users, in the correct group/for the assigned firewall policy. The drawback of this feature is that the list can only be fetched every 30 seconds or slower.

This guide explains how to use the provided script and Junos configuration snippet to automate the process of updating dynamic addresses on a Juniper SRX device. The script is designed to securely execute the request security dynamic-address update command through SSH, leveraging predefined credentials and key-based authentication.

By just triggering a refresh of the allow list, we can beat the 30 second penalty, allowing the login process to be smooth for users, and also nonot changing the configuration of the firewall. Given a refresh of the dynamic list doesn't actually change the on disk config of the device, no 'commit' command is required. This should satisfy security teams that require change control for config changes to the firewalls, and allows for a fast but least privilege way of dynamic allow-listing.

Full Configuration Flow

  1. Configure the Knocknoc Server: Set up Allowlist and script ACLs
  2. Dynamic Address Feed Configuration: Set up the feed-server and associate the feed with a dynamic address name.
  3. Security Policy Configuration: Create a policy referencing the dynamic address and other relevant parameters.
  4. Configure Knocknoc SSH user: an SRX user with least privilege and the correct key.
  5. Allocate ACLs: Associate users and groups to ACLs, then test.

Configure Knocknoc Server

  1. Agent Setup: Install an agent on a machine that can SSH to the Junos SRX management IP.
  2. Add Allowlist Backend: Setup an Allowlist backend in Backends -> Create Backend -> Type Allowlist and give it a name. 
  3. Add Agent Backend: Create another Backend, Type Script, choose your Agent from Step 1,  and enter /opt/knocknoc-agent/scripts/junos-reload-list.sh as the script name.
  4. Create Allowlist ACL: ACLs -> Create ACL and select the Allowlist backend from Step 2. Give it a name and a URL. The users will see this name and URL.
  5. Create Agent ACL: ACLs -> Create ACL and select the Agent backend from Step 3. The ACL name is important - it will be the name of your SRX dynamic address name later.
  6. Allocate ACLs: Go to Groups, and create a group that contains both ACLs from step 4 and 5. Include any local users, SAML users will get included automatically if the group name matches.
  7. API Key: Go to API Keys and click Create API Key. Enter a name and make sure to select the allowlists.read capabilty. Be sure to securely save the API key presented as it will only be displayed once. You can click the little copy icon to copy it into your password manager.

Junos Configuration

Configuring the Dynamic Address Feed and Feed-Server

set security dynamic-address feed-server knocknoc url "https://apikey:<api_key>@<knocknoc_server>:<knocknoc_port>"
set security dynamic-address feed-server knocknoc update-interval 30
set security dynamic-address feed-server knocknoc feed-name knocknoc_feed path /api/v1/allowlists/xxxxxx/yyyyy.txt

set security dynamic-address address-name knocknoc_allow profile feed-name knocknoc_feed

  1. Feed-Server Configuration:

    • knocknoc: The name of the feed server.
    • url: URL for the dynamic address feed, including authentication details. Use the key you saved in Step 7 above.
    • update-interval: Frequency (in seconds) for fetching updates. (30 through 4294967295)
    • feed-name and path: Specify the name of the feed and the exact API path to retrieve the address list.

  2. Dynamic Address Profile:

    • knocknoc_allow: Dynamic address name associated with the knocknoc_feed.

More detail on these options can be found in the Juniper documentation.

Configure Least Privilege Junos User

login {
    class knocknoc {
        permissions [ security security-control ];
        allow-commands "(request security dynamic-address update address-name knocknoc_allow)|(quit)";
    }
    user knocknoc {
        uid 2000;
        class knocknoc;
        authentication {
            ssh-rsa "<public-key>";
        }
    }
}

  1. Custom Login Class:

    • Name: knocknoc
    • Permissions: security and security-control
    • Allowed Commands: Restricts the user to only execute the request security dynamic-address update command for a specific address name (knocknoc_allow) and quit the session.

  2. User Account:

    • Username: knocknoc
    • UID: 2000 (arbitrary; adjust as needed)
    • Authentication: Configured for SSH key-based authentication.

Replace <public-key> with the public key corresponding to the private key stored in /opt/knocknoc-agent/privkey.

Using the Dynamic Address in Firewall Rules

The dynamic list fetched using the knocknoc_allow dynamic address name can be integrated into a security policy to allow specific traffic. Below is a configuration example based on a practical implementation.

Configuring Security Policies

set security policies from-zone Outside to-zone Inside policy knocknoctest match source-address knocknoc_allow
set security policies from-zone Outside to-zone Inside policy knocknoctest match destination-address knocknoc_192.168.84.18
set security policies from-zone Outside to-zone Inside policy knocknoctest match application junos-ping
set security policies from-zone Outside to-zone Inside policy knocknoctest then permit
  1. Source Address: Matches the dynamic address knocknoc_allow.
  2. Destination Address: Matches a specific address (e.g., knocknoc_192.168.84.18) configured separately in the address-book.
  3. Application: Specifies the type of traffic (e.g., junos-ping).
  4. Action: Permits the traffic matching the policy.

Defining the Destination Address in Address-Book

set security address-book global address knocknoc_192.168.84.18 192.168.84.18/32
  • Replace 192.168.84.18 with the actual IP address of your resource (e.g., VPN appliance).

Script on Agent Setup

  1. Script Location: Check the script at /opt/knocknoc-agent/scripts/junos-reload-list.sh. Knocknoc-agent includes the script from version 7.2.
  2. Secrets File: Create a secrets file at /opt/knocknoc-agent/.junossecrets with the following format: 
    <username>
<hostname>
    Ensure the file is secured with appropriate permissions (e.g., chmod 600).
  3. Private Key: Store the SSH private key at /opt/knocknoc-agent/privkey and secure it (e.g., chmod 600).
  4. Junos Configuration: Ensure the Junos device is configured to accept the request security dynamic-address update command with appropriate permissions. 

Security Considerations

  • Secure the secrets file and private key with proper file permissions.
  • Restrict the knocknoc user's permissions to only the necessary commands.
  • Regularly rotate keys and update the secrets file accordingly.

By following this guide, you can automate dynamic address updates on a Junos SRX securely and efficiently.

Back to top