Juniper Routing Engine Firewall Templates

The following firewall filters can be applied to the lo0 interface of Juniper devices to control access to the routing engine. Once the default term has been switched from accept to discard (see below), the filter drops all traffic that is not explicitly allowed.

The filters make extensive use of apply-path, so that routine changes such as adding a BGP peer do not require the prefix lists to be updated by hand.

The filters are provided in the standard (curly-brace) configuration format, which can be loaded from configuration mode with load merge.

Because the available features differ between device families, the filters have been split into separate posts. They have not been tested on every model, so some tweaking may be required where a particular feature is not available.

Important – Read First

  • Rules for the various protocols are included but are inactive by default. Review each rule and activate the ones for the protocols actually in use on the device, then commit. For example, for BGP you need to run the following commands in configuration mode:
## For IPv4
activate firewall family inet filter In:Routing-Engine:IPv4 term Protocols:BGP-Connect:Accept
activate firewall family inet filter In:Routing-Engine:IPv4 term Protocols:BGP-Reply:Accept
## For IPv6
activate firewall family inet filter In:Routing-Engine:IPv6 term Protocols:BGP-Connect:Accept
activate firewall family inet filter In:Routing-Engine:IPv6 term Protocols:BGP-Reply:Accept
## If using BFD
activate firewall family inet filter In:Routing-Engine:IPv4 term Protocols:BGP-BFD:Accept
activate firewall family inet filter In:Routing-Engine:IPv6 term Protocols:BGP-BFD:Accept
  • The default (final) term is set to accept and log rather than discard. Leave it that way until you have reviewed the logs and confirmed that nothing you rely on is reaching it; only then change the action to discard. This is what keeps you from locking yourself out of the device.
  • Some devices have a limited number of TCAM entries. Each address in a prefix list becomes a separate entry in every term that references the list, so with many BGP peers and several BGP terms the available entries are used up quickly. If this is the case, create a static prefix list that aggregates the allowed sources into as few prefixes as possible and use it in place of the dynamic list.
  • Always apply the changes with commit confirmed!
  • I am not responsible if you blow up your device or lose access. Bugs happen, make sure you have planned appropriately before applying. I have had cases in which even an automatic rollback did not restore access after a bad rule addition.
  • You may get errors when loading and/or committing the configuration to certain devices. Some devices within the same family may not have features available for the devices I use. If you encounter this please leave a comment on the post or contact me and I will add a note.
  • These firewalls are created to suit my environment. I may not be using the same protocols/features as you and as such may be missing rules that are required for your environment. If you do add rules for missing protocols/features I would be very grateful if you could leave a comment or contact me so that I can add it to the main template.
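As an added illustration of the rollout the list above describes (this is not the actual filter from the linked posts; the BGP and SSH terms, the counter name Default:Unmatched and the default term name Default:Accept-Log are my own choices, built only from the filter name in the activate commands and the prefix lists defined later on this page), this is the shape of the IPv4 filter in its initial accept-and-log state, applied to lo0:

```junos
firewall {
    family inet {
        filter In:Routing-Engine:IPv4 {
            /* Shipped inactive; 'activate' this term once BGP is in use on the device. */
            inactive: term Protocols:BGP-Connect:Accept {
                from {
                    source-prefix-list {
                        Firewall:Routing-Engine:Dynamic:BGP:IPv4;
                        Firewall:Routing-Engine:Dynamic:BGP-RI:IPv4;
                    }
                    protocol tcp;
                    destination-port bgp;
                }
                then accept;
            }
            /* Return traffic for BGP sessions this router opened towards a peer. */
            inactive: term Protocols:BGP-Reply:Accept {
                from {
                    source-prefix-list {
                        Firewall:Routing-Engine:Dynamic:BGP:IPv4;
                        Firewall:Routing-Engine:Dynamic:BGP-RI:IPv4;
                    }
                    protocol tcp;
                    source-port bgp;
                    tcp-established;
                }
                then accept;
            }
            /* Management (SSH and NETCONF over SSH) uses the static list you edit by hand. */
            term Management:SSH:Accept {
                from {
                    source-prefix-list {
                        Firewall:Routing-Engine:Static:Management:IPv4;
                    }
                    protocol tcp;
                    destination-port [ ssh 830 ];
                }
                then accept;
            }
            /* Stage 1 default: count, log and ACCEPT whatever no earlier term matched. */
            /* Once nothing legitimate is hitting this term, change accept to discard and keep count and log. */
            term Default:Accept-Log {
                then {
                    count Default:Unmatched;
                    log;
                    accept;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input In:Routing-Engine:IPv4;
                }
            }
        }
    }
}
```

Load it with load merge terminal (or load merge from a file), commit it with commit confirmed 5, and confirm with a plain commit only after you have verified that your session still works. While the default term still accepts, show firewall filter In:Routing-Engine:IPv4 shows how often Default:Unmatched is hit and show firewall log shows the source, destination and protocol of each packet that reached it; anything legitimate that appears there needs its own term, or one of the inactive terms activated with the commands above, before the default action is changed to discard. The IPv6 filter In:Routing-Engine:IPv6 under family inet6 follows the same structure with the IPv6 prefix lists.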

Prefix Lists

The following prefix lists are common to all device families and are required for the firewall rules to work.

Static Prefix Lists

These prefix lists will need to be edited to suit your environment. They are used to restrict management and SNMP access.

policy-options {
  /* These IPv4 prefixes are allowed management access to the device - This includes SSH and netconf. */
  prefix-list Firewall:Routing-Engine:Static:Management:IPv4 {
    /* Local network */
    192.168.0.0/16;
  }
  /* These IPv6 prefixes are allowed management access to the device - This includes SSH and netconf. */
  prefix-list Firewall:Routing-Engine:Static:Management:IPv6 {
    /* Local network */
    ffff:1234:5678::/48;
  }
  /* These IPv4 prefixes are allowed SNMP access to the device. You do not need to add prefixes into this prefix list if they are already configured under the SNMP configuration stanza. */
  prefix-list Firewall:Routing-Engine:Static:SNMP:IPv4 {
    /* SNMP monitoring server */
    10.1.1.1/32;
  }
  /* These IPv6 prefixes are allowed SNMP access to the device. You do not need to add prefixes into this prefix list if they are already configured under the SNMP configuration stanza. */
  prefix-list Firewall:Routing-Engine:Static:SNMP:IPv6 {
    /* SNMP monitoring server */
    ffff:1234:5678::1/128;
  }
}

Dynamic Prefix Lists

The following prefix lists are generated dynamically with apply-path: the pattern is matched against the device configuration at commit time and every value that matches is inserted into the list, so the lists are recomputed on every commit. As an example, the prefix list Firewall:Routing-Engine:Dynamic:BGP:IPv4 will contain all IPv4 BGP peer addresses configured in the main routing instance.

You can verify the contents of a prefix list by running show configuration policy-options prefix-list PREFIX-LIST-NAME | display inheritance; the expanded entries are shown as ## comment lines above the apply-path statement.

policy-options {
	/* This prefix list has a list of all IPv4 BGP neighbors configured in the main routing instance. */
	prefix-list Firewall:Routing-Engine:Dynamic:BGP:IPv4 {
		apply-path "protocols bgp group <*> neighbor <*.*>";
	}
	/* This prefix list has a list of all IPv6 BGP neighbors configured in the main routing instance. */
	prefix-list Firewall:Routing-Engine:Dynamic:BGP:IPv6 {
		apply-path "protocols bgp group <*> neighbor <*:*>";
	}
	/* This prefix list has a list of all IPv4 BGP neighbors configured in any other configured routing instances. */
	prefix-list Firewall:Routing-Engine:Dynamic:BGP-RI:IPv4 {
		apply-path "routing-instances <*> protocols bgp group <*> neighbor <*.*>";
	}
	/* This prefix list has a list of all IPv6 BGP neighbors configured in any other configured routing instances. */
	prefix-list Firewall:Routing-Engine:Dynamic:BGP-RI:IPv6 {
		apply-path "routing-instances <*> protocols bgp group <*> neighbor <*:*>";
	}
	/* This prefix list has a list of all configured IPv4 DNS resolvers that the system uses for name resolution. */
	prefix-list Firewall:Routing-Engine:Dynamic:DNS:IPv4 {
		apply-path "system name-server <*.*>";
	}
	/* This prefix list has a list of all configured IPv6 DNS resolvers that the system uses for name resolution. */
	prefix-list Firewall:Routing-Engine:Dynamic:DNS:IPv6 {
		apply-path "system name-server <*:*>";
	}
	/* This prefix list has a list of all configured IPv4 NTP servers that the system uses for time updates. */
	prefix-list Firewall:Routing-Engine:Dynamic:NTP:IPv4 {
		apply-path "system ntp server <*.*>";
	}
	/* This prefix list has a list of all configured IPv6 NTP servers that the system uses for time updates. */
	prefix-list Firewall:Routing-Engine:Dynamic:NTP:IPv6 {
		apply-path "system ntp server <*:*>";
	}
	/* This prefix list has a list of IPv4 IP's configured on the loopback interface (any units). */
	prefix-list Firewall:Routing-Engine:Dynamic:Loopbacks:IPv4 {
		apply-path "interfaces lo0 unit <*> family inet address <*>";
	}
	/* This prefix list has a list of IPv6 IP's configured on the loopback interface (any units). */
	prefix-list Firewall:Routing-Engine:Dynamic:Loopbacks:IPv6 {
		apply-path "interfaces lo0 unit <*> family inet6 address <*>";
	}
	/* This prefix list has a list of all configured IPv4 SNMP clients configured for any communities. */
	prefix-list Firewall:Routing-Engine:Dynamic:SNMP:IPv4 {
		apply-path "snmp community <*> clients <*.*>";
	}
	/* This prefix list has a list of all configured IPv6 SNMP clients configured for any communities. */
	prefix-list Firewall:Routing-Engine:Dynamic:SNMP:IPv6 {
		apply-path "snmp community <*> clients <*:*>";
	}
	/* This prefix list has a list of all configured IPv4 RADIUS servers. */
	prefix-list Firewall:Routing-Engine:Dynamic:RADIUS:IPv4 {
		apply-path "system radius-server <*.*>";
	}
	/* This prefix list has a list of all configured IPv6 RADIUS servers. */
	prefix-list Firewall:Routing-Engine:Dynamic:RADIUS:IPv6 {
		apply-path "system radius-server <*:*>";
	}
	/* This prefix list has a list of all configured DHCP relay servers (IPv4) */
	prefix-list Firewall:Routing-Engine:Dynamic:DHCP-Relay:IPv4 {
		apply-path "forwarding-options dhcp-relay server-group <*> <*.*.*.*>";
	}
	/* This prefix list has a list of all configured DHCP relay servers (IPv6) */
	prefix-list Firewall:Routing-Engine:Dynamic:DHCP-Relay:IPv6 {
		apply-path "forwarding-options dhcp-relay dhcpv6 server-group <*> <*:*>";
	}
	/* This prefix list has a list of all configured IPv4 DHCP relay servers in any other configured routing instances. */
	prefix-list Firewall:Routing-Engine:Dynamic:DHCP-Relay-RI:IPv4 {
		apply-path "routing-instances <*> forwarding-options dhcp-relay server-group <*> <*.*.*.*>";
	}
	/* This prefix list has a list of all configured IPv6 DHCP relay servers in any other configured routing instances. */
	prefix-list Firewall:Routing-Engine:Dynamic:DHCP-Relay-RI:IPv6 {
		apply-path "routing-instances <*> forwarding-options dhcp-relay dhcpv6 server-group <*> <*:*>";
	}
}
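To make concrete what the patterns above actually pick up, here is a constructed fragment of device configuration (an added illustration, not from the original post or from any real device; the group names Transit and Peers, the routing instance CUSTOMER-A, the community monitoring and all addresses are made up from documentation ranges), annotated with the dynamic list each statement would land in:

```junos
/* Constructed sample configuration for illustration only; not a real device. */
protocols {
    bgp {
        group Transit {
            /* Matches "protocols bgp group <*> neighbor <*.*>": Dynamic:BGP:IPv4 gets 192.0.2.1/32 */
            neighbor 192.0.2.1;
            /* Matches "protocols bgp group <*> neighbor <*:*>": Dynamic:BGP:IPv6 gets 2001:db8::1/128 */
            neighbor 2001:db8::1;
        }
    }
}
routing-instances {
    CUSTOMER-A {
        instance-type virtual-router;
        protocols {
            bgp {
                group Peers {
                    /* Sits under routing-instances, so it lands in Dynamic:BGP-RI:IPv4, not Dynamic:BGP:IPv4 */
                    neighbor 198.51.100.7;
                }
            }
        }
    }
}
snmp {
    community monitoring {
        authorization read-only;
        clients {
            /* Matches "snmp community <*> clients <*.*>": Dynamic:SNMP:IPv4 */
            203.0.113.5/32;
            /* Still an address under "clients", so expect it to be expanded into Dynamic:SNMP:IPv4 as well */
            0.0.0.0/0 {
                restrict;
            }
        }
    }
}
```

Against this configuration, show configuration policy-options prefix-list Firewall:Routing-Engine:Dynamic:BGP:IPv4 | display inheritance prints an "apply-path was expanded to:" block containing 192.0.2.1/32, and the BGP-RI list contains 198.51.100.7/32. The SNMP case is the one to check before trusting the list: the pattern matches the address node itself and knows nothing about the restrict flag underneath it, so a restrict entry such as 0.0.0.0/0 can turn the SNMP term into an allow-from-anywhere; if display inheritance shows it, remove the restrict entry from the SNMP clients and rely on the filter, or manage the SNMP sources in the static list instead. The same display inheritance check is also how you confirm, on a TCAM-constrained device, that swapping a dynamic list for a hand-aggregated static one (for example a single 192.0.2.0/24 covering all transit peers) has not dropped a peer.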

Firewalls

The actual firewalls are available here:
