Using apply-path in JUNOS config to create dynamic prefix lists under policy-options

Have you run into the situation where you want to build prefix lists to protect the Routing Engine (or the CPU on SRX/J-series) out of addresses that already exist elsewhere in the configuration? Wouldn't it be nice to maintain that information in only one place? The solution is apply-path, available for instance under prefix-list under policy-options in JUNOS.

So let's get started with an example of things you might actually want to do.

I want to create a filter that only lets my BGP neighbors, NTP servers, DNS servers and so on reach my Routing Engine. I also want a few chosen management PCs/networks to have access.
So first, let's create some prefix lists that fetch their contents dynamically from other parts of the JUNOS configuration:

set policy-options prefix-list DNSSERVERS apply-path "system name-server <*>"
set policy-options prefix-list NTPSERVERS apply-path "system ntp server <*>"
set policy-options prefix-list SNMPSERVERS apply-path "snmp client-list <*> <*>"
set policy-options prefix-list BGPNEIGHBORS apply-path "protocols bgp group <*> neighbor <*>"
set policy-options prefix-list LOCALIPv4IP apply-path "interfaces <*> unit <*> family inet address <*>"

Notice how each line above builds its list from a pattern matched against other parts of the JUNOS config, where <*> stands for any single element at that position. To see what a list actually expanded to before relying on it, run show configuration policy-options prefix-list DNSSERVERS | display inheritance. Note also that an entry keeps its configured prefix length: an interface address such as 192.0.2.1/24 enters LOCALIPv4IP as a /24 covering the whole connected subnet, not just the local address. On a loopback input filter this does no harm, since only traffic addressed to the router reaches it anyway.
Then also build a few statically:

set policy-options prefix-list OSPF 224.0.0.5/32
set policy-options prefix-list OSPF 224.0.0.6/32

Also create a list of the sources that are allowed to SSH/FTP/Telnet to your router:

set policy-options prefix-list MGMT 192.168.142.0/24

Then use these prefix lists in a firewall filter, for example (the correct hierarchy is firewall family inet filter, not firewall filter family inet filter):

set firewall family inet filter ProtectRE term DNS1 from source-prefix-list DNSSERVERS
set firewall family inet filter ProtectRE term DNS1 from destination-prefix-list LOCALIPv4IP
set firewall family inet filter ProtectRE term DNS1 from protocol udp
set firewall family inet filter ProtectRE term DNS1 from source-port 53
set firewall family inet filter ProtectRE term DNS1 then accept

set firewall family inet filter ProtectRE term DNS2 from source-prefix-list DNSSERVERS
set firewall family inet filter ProtectRE term DNS2 from destination-prefix-list LOCALIPv4IP
set firewall family inet filter ProtectRE term DNS2 from protocol tcp
set firewall family inet filter ProtectRE term DNS2 from source-port 53
set firewall family inet filter ProtectRE term DNS2 then accept

set firewall family inet filter ProtectRE term NTP1 from source-prefix-list NTPSERVERS
set firewall family inet filter ProtectRE term NTP1 from destination-prefix-list LOCALIPv4IP
set firewall family inet filter ProtectRE term NTP1 from protocol udp
set firewall family inet filter ProtectRE term NTP1 from port ntp
set firewall family inet filter ProtectRE term NTP1 then accept

set firewall family inet filter ProtectRE term NTP2 from source-prefix-list NTPSERVERS
set firewall family inet filter ProtectRE term NTP2 from destination-prefix-list LOCALIPv4IP
set firewall family inet filter ProtectRE term NTP2 from protocol tcp
set firewall family inet filter ProtectRE term NTP2 from port ntp
set firewall family inet filter ProtectRE term NTP2 then accept

set firewall family inet filter ProtectRE term OSPF from source-prefix-list LOCALIPv4IP
set firewall family inet filter ProtectRE term OSPF from destination-prefix-list LOCALIPv4IP
set firewall family inet filter ProtectRE term OSPF from destination-prefix-list OSPF
set firewall family inet filter ProtectRE term OSPF from protocol ospf
set firewall family inet filter ProtectRE term OSPF then accept

set firewall family inet filter ProtectRE term BGP from source-prefix-list BGPNEIGHBORS
set firewall family inet filter ProtectRE term BGP from destination-prefix-list LOCALIPv4IP
set firewall family inet filter ProtectRE term BGP from protocol tcp
set firewall family inet filter ProtectRE term BGP from port bgp
set firewall family inet filter ProtectRE term BGP then accept

set firewall family inet filter ProtectRE term SNMP from source-prefix-list SNMPSERVERS
set firewall family inet filter ProtectRE term SNMP from destination-prefix-list LOCALIPv4IP
set firewall family inet filter ProtectRE term SNMP from protocol udp
set firewall family inet filter ProtectRE term SNMP from port snmp
set firewall family inet filter ProtectRE term SNMP then accept

set firewall family inet filter ProtectRE term SSH from source-prefix-list MGMT
set firewall family inet filter ProtectRE term SSH from destination-prefix-list LOCALIPv4IP
set firewall family inet filter ProtectRE term SSH from protocol tcp
set firewall family inet filter ProtectRE term SSH from port ssh
set firewall family inet filter ProtectRE term SSH then accept

set firewall family inet filter ProtectRE term ICMP from protocol icmp
set firewall family inet filter ProtectRE term ICMP then accept

set firewall family inet filter ProtectRE term UDPTracert from destination-prefix-list LOCALIPv4IP
set firewall family inet filter ProtectRE term UDPTracert from protocol udp
set firewall family inet filter ProtectRE term UDPTracert from destination-port 33435-33450
set firewall family inet filter ProtectRE term UDPTracert from ttl 1
set firewall family inet filter ProtectRE term UDPTracert then accept

set firewall family inet filter ProtectRE term DropAll then discard

Apply it as an input filter on the loopback interface, which is where traffic destined to the Routing Engine is filtered:

set interfaces lo0 unit 0 family inet filter input ProtectRE

The filter above can be expanded with more terms using more prefix lists built by apply-path. A proper firewall filter for RE/router protection might also apply policers to some of the terms (ICMP, for instance, is accepted from any source here). But this was an example of apply-path.
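To check what the apply-path lists above will contain before committing, and whether any filter term depends on a list that resolved to nothing, here is an added offline emulation of the matching rule in Python. It is not Junos code and not part of the original post: it treats each <*> as matching one configuration element and takes the element at the pattern's last position as the list entry. The set-format config and all addresses in it are constructed for the example, and the RADIUS list (pattern "system radius-server <*>") is included deliberately with nothing configured under it, so it resolves empty and the term built on it would never match, leaving that traffic to the final discard term.

```python
"""Offline emulation of how Junos apply-path fills a prefix list.

Added example, not Junos code. Each <*> in an apply-path pattern matches any
one configuration element; the element at the pattern's final position
becomes a prefix-list entry. Config and addresses are constructed.
"""
import ipaddress
import re
from typing import Dict, List, Set

# Constructed set-format snippet. The RADIUS list is included on purpose:
# nothing under "system radius-server" is configured, so it resolves empty.
SAMPLE_CONFIG = """
set system name-server 192.0.2.53
set system name-server 198.51.100.53
set system ntp server 192.0.2.123
set snmp client-list NMS 203.0.113.0/24
set protocols bgp group EBGP neighbor 192.0.2.1
set protocols bgp group EBGP neighbor 192.0.2.1 peer-as 64496
set protocols bgp group EBGP neighbor 192.0.2.2
set protocols bgp group IBGP neighbor 10.0.0.2
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.254/24
set interfaces lo0 unit 0 family inet address 10.0.0.1/32
set policy-options prefix-list DNSSERVERS apply-path "system name-server <*>"
set policy-options prefix-list NTPSERVERS apply-path "system ntp server <*>"
set policy-options prefix-list SNMPSERVERS apply-path "snmp client-list <*> <*>"
set policy-options prefix-list BGPNEIGHBORS apply-path "protocols bgp group <*> neighbor <*>"
set policy-options prefix-list LOCALIPv4IP apply-path "interfaces <*> unit <*> family inet address <*>"
set policy-options prefix-list RADIUS apply-path "system radius-server <*>"
set policy-options prefix-list MGMT 192.168.142.0/24
set firewall family inet filter ProtectRE term BGP from source-prefix-list BGPNEIGHBORS
set firewall family inet filter ProtectRE term RADIUS from source-prefix-list RADIUS
set firewall family inet filter ProtectRE term SSH from source-prefix-list MGMT
set firewall family inet filter ProtectRE term DropAll then discard
"""

Path = List[str]


def parse_set_lines(text: str) -> List[Path]:
    """Turn 'set a b c' lines into token lists; a quoted apply-path string
    stays one token."""
    paths = []
    for line in text.strip().splitlines():
        line = line.strip()
        if line.startswith("set "):
            paths.append(re.findall(r'"[^"]*"|\S+', line)[1:])
    return paths


def apply_path_values(pattern: str, paths: List[Path]) -> Set[str]:
    """Elements at the pattern's last position in every config path that
    begins with the pattern; <*> matches exactly one element."""
    tokens = pattern.strip('"').split()
    values = set()
    for path in paths:
        if len(path) >= len(tokens) and all(
            p == "<*>" or p == t for p, t in zip(tokens, path)
        ):
            values.add(path[len(tokens) - 1])
    return values


def prefix_lists(paths: List[Path]) -> Dict[str, Set[str]]:
    """Resolve every prefix-list, static entries and apply-path alike."""
    lists: Dict[str, Set[str]] = {}
    for path in paths:
        if path[:2] != ["policy-options", "prefix-list"] or len(path) < 4:
            continue
        entries = lists.setdefault(path[2], set())
        if path[3] == "apply-path" and len(path) > 4:
            entries |= apply_path_values(path[4], paths)
        elif path[3] != "apply-path":
            entries.add(path[3])
    return lists


def covered_networks(entries: Set[str]) -> List[str]:
    """Junos keeps the configured prefix length, so an interface address like
    192.0.2.254/24 matches all of 192.0.2.0/24, not only the local host."""
    nets = sorted(ipaddress.ip_network(e, strict=False) for e in entries)
    return [str(n) for n in nets]


def unusable_list_references(paths: List[Path], lists: Dict[str, Set[str]]) -> List[str]:
    """Filter terms whose prefix-list is undefined or resolved to nothing.
    A term built on an empty list never matches, so that traffic falls
    through to whatever terminal term follows (here: discard)."""
    kinds = ("prefix-list", "source-prefix-list", "destination-prefix-list")
    problems = []
    for path in paths:
        if path[:3] != ["firewall", "family", "inet"] or "from" not in path:
            continue
        i = path.index("from")
        if i + 2 < len(path) and path[i + 1] in kinds:
            name = path[i + 2]
            if name not in lists:
                problems.append(f"{path[4]}/{path[6]}: {name} is not defined")
            elif not lists[name]:
                problems.append(f"{path[4]}/{path[6]}: {name} resolved to no prefixes")
    return problems


if __name__ == "__main__":
    cfg = parse_set_lines(SAMPLE_CONFIG)
    resolved = prefix_lists(cfg)
    for name, entries in sorted(resolved.items()):
        print(f"{name:13} {sorted(entries)}")
    print("LOCALIPv4IP covers", covered_networks(resolved["LOCALIPv4IP"]))
    for problem in unusable_list_references(cfg, resolved):
        print("WARNING", problem)
```

Paste your own show configuration | display set output into SAMPLE_CONFIG to review a real box; the emulation only knows the set-format hierarchy and the <*> rule, so the authoritative answer is still show configuration policy-options | display inheritance on the device.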

Hope it helps you in your day to day JUNOS configuring.
