Today we will look at running an Application Firewall (AppFW) on the SRX.
This differs from normal firewalling in that we are not filtering on TCP/UDP ports but on application signatures, which can detect applications whether or not they are running on the standard ports you would expect. Further, even when they are running on the standard ports, the signatures let us detect and block access to specific services without having to block all access to a certain IP on a certain port. E.g. we could block access to Facebook Farmville without having to know the IP of Facebook or block all of Facebook. I will try to show some examples of this functionality.
Logging (Olive - Firewall)
Now we can log in to the Olive, control the login through a firewall filter and see hits on the filter. But that only gives us a packet and byte count. It doesn't tell us when the hits happened or where they were sourced from. For that we need logging.
An easy way to do this is to use the action "log" on the term:
user@olive-core> show configuration firewall
filter ACCESS-CNTRL {
    term TELNET-BLOCK {
        from {
            destination-port telnet;
        }
        then {
            count COUNTER-TELNET-BLOCK;
            log;
            discard;
        }
    }
    term PERMIT-ALL {
        from {
            source-address {
                0.0.0.0/0;
            }
        }
        then {
            count COUNTER-PERMIT-ALL;
            accept;
        }
    }
}
To see the log (there must be hits against the term to see the kind of output below):
Access (Olive)
All you need to access the device, an Olive on VirtualBox in this case, is this config.
system {
    services {
        ssh;
        telnet;
    }
}
This config would allow ssh and telnet access to all interfaces.
Note: Root will not authenticate with telnet.
Now suppose you would like to block access on one or more interfaces.
You need a firewall filter.
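As an added example (not from the original post), here is one way to do that: a filter that permits ssh and telnet only from a management network, logs and discards all other attempts, and is applied on the loopback interface so it covers traffic to the router itself arriving on any interface. The prefix 192.0.2.0/24 and the filter, term and counter names are assumed placeholders.

```junos
/* Added example, not from the original post. 192.0.2.0/24 is an assumed management prefix. */
firewall {
    filter MGMT-ACCESS {
        /* ssh and telnet are allowed only from the management network */
        term ALLOW-MGMT {
            from {
                source-address {
                    192.0.2.0/24;
                }
                protocol tcp;
                destination-port [ ssh telnet ];
            }
            then {
                count COUNTER-ALLOW-MGMT;
                accept;
            }
        }
        /* every other ssh/telnet attempt is counted, logged and dropped */
        term BLOCK-REMOTE-ACCESS {
            from {
                protocol tcp;
                destination-port [ ssh telnet ];
            }
            then {
                count COUNTER-BLOCK-REMOTE-ACCESS;
                log;
                discard;
            }
        }
        /* final accept so routing protocols, ICMP and the rest keep working */
        term PERMIT-ALL {
            then accept;
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input MGMT-ACCESS;
                }
            }
        }
    }
}
```

Commit it with `commit confirmed` so the change rolls back automatically if it cuts off your own session. To restrict a single interface instead of all of them, apply the filter under that interface's `family inet` rather than under lo0.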