Junos Security by James Quinn, Timothy Eberhard, Patricio Giecco, Brad Woodberg, Rob Cameron

Policy Schedulers

Policy schedulers are rules that you can enable or disable based on time and date. Schedulers are configured on a per-policy basis and only one scheduler can be configured per policy. However, multiple policies can reference a single scheduler.

You can use schedulers in a number of different situations and for several different purposes:

Internet browsing access

You can write a scheduler to allow Internet access from the employees’ network only during nonbusiness hours. For example, from 5:00 p.m. to 8:00 a.m. and from noon to 1:00 p.m. (lunch hour) employees are allowed to access the Internet via HTTP as this is during nonbusiness hours.

Access to payroll systems

You can write a scheduler to allow the HR department to access the payroll system only during business hours—for example, from 8:00 a.m. to 6:00 p.m. This can prevent rogue access when nobody is on-site or in the office.

In both of the preceding examples, you can use schedules to restrict or permit access based on the time or date. Schedulers can assist in enforcing company policies and in increasing security, and you can be quite creative based on the habits of typical network users.

You can enable schedules by first creating the scheduler and then applying it to the policy.

Let’s create a few sample schedulers and then discuss what was done.

juniper@SRX5800# set schedulers scheduler deny-web daily start-time 08:00
stop-time 17:00
[edit]

In the preceding output, a scheduler called deny-web was created that is active daily from 8:00 a.m. to 5:00 p.m. Any policy this scheduler is attached to is therefore in effect only during office hours, which makes it the right scheduler for traffic you do not want during the working day.

Now, let’s apply that scheduler to a policy that denies access to HTTP:

juniper@SRX5800# edit security policies from-zone trust to-zone Internet
[edit security policies from-zone trust to-zone Internet]
juniper@SRX5800# set policy deny_daytime_websurfing match source-address any
destination-address any application junos-http
[edit security policies from-zone trust to-zone Internet]
juniper@SRX5800# set policy deny_daytime_websurfing then deny
[edit security policies from-zone trust to-zone Internet]
juniper@SRX5800# set policy deny_daytime_websurfing scheduler-name deny-web

In the preceding output, a security policy was written from the Trust zone to the Internet zone matching any HTTP traffic. An action of deny was applied, and finally the scheduler deny-web was attached, so the policy is in effect only during the time frame defined in deny-web.

It is also possible to add days to exclude, as in the following:

juniper@SRX5800# edit schedulers scheduler
[edit schedulers scheduler]
juniper@SRX5800# set network-access daily start-time 09:00 stop-time 20:00
[edit schedulers scheduler]
juniper@SRX5800# set network-access saturday exclude
[edit schedulers scheduler]
juniper@SRX5800# set network-access sunday exclude

The scheduler called network-access runs daily from 9:00 a.m. to 8:00 p.m. (This scheduler might be used to control remote access into the network.) Notice that two additional lines were configured for both Saturday and Sunday to be excluded. In other words, remote users will not be able to access the network on weekends once this scheduler is applied to the proper policy.

Just like the first policy, let’s configure this setup to allow the contractor subnet access to everything on the web-dmz zone during the defined times in network-access:

juniper@SRX5800# set security zones security-zone trust address-book address
contractor_subnet 10.3.0.0/24
[edit]
juniper@SRX5800# edit security policies from-zone trust to-zone web-dmz
[edit security policies from-zone trust to-zone web-dmz]
juniper@SRX5800# set policy contractor_access match source-address
contractor_subnet destination-address any application any

[edit security policies from-zone trust to-zone web-dmz]
juniper@SRX5800# set policy contractor_access then permit

[edit security policies from-zone trust to-zone web-dmz]
juniper@SRX5800# set policy contractor_access scheduler-name network-access

Now look at the configuration to check that everything is in order:

juniper@SRX5800# show security policies from-zone trust to-zone web-dmz policy
contractor_access
match {
    source-address contractor_subnet;
    destination-address any;
    application any;
}
then {
    permit;
}
scheduler-name network-access;
[edit]

One-Time Schedulers

One-time schedulers can also be configured to run for a predefined period of time. After that period of time, the scheduler becomes inactive and does not activate the policy. You can use this in situations where access should be granted on a temporary basis or something needs to be blocked for a period of time.

An example of a one-time scheduler is a scheduler that grants access to a vendor for a window of time to troubleshoot or fix a problem. If the web servers we configured earlier were having problems, we could configure a policy that allowed Microsoft to access them remotely. The security department should have a problem with granting this type of access permanently, so we would use a scheduler to ensure that access is removed after a previously agreed upon time frame. Here’s a one-time scheduler granting temporary access into the network:

[edit]
juniper@SRX5800# set schedulers scheduler microsoft_remote_access
start-date 2010-02-14.09:00 stop-date 2010-02-15.09:00
[edit]
juniper@SRX5800#

This one-time scheduler is called microsoft_remote_access and is set to enable on February 14, 2010 at 9:00 a.m. It will end 24 hours later. Here is the permit that will no longer apply after 24 hours:

juniper@SRX5800# edit
[edit]
juniper@SRX5800# set security zones security-zone Internet address-book address
ms_support 207.46.197.32

[edit]
juniper@SRX5800# edit security policies from-zone Internet to-zone web-dmz

[edit security policies from-zone Internet to-zone web-dmz]
juniper@SRX5800# set policy temp_ms_access match source-address ms_support
destination-address web1 application any
[edit security policies from-zone Internet to-zone web-dmz]
juniper@SRX5800# set policy temp_ms_access scheduler-name microsoft_remote_access

[edit security policies from-zone Internet to-zone web-dmz]
juniper@SRX5800# set policy temp_ms_access then permit
[edit security policies from-zone Internet to-zone web-dmz]
juniper@SRX5800#

In the preceding output, a new address book entry was created for Microsoft’s source IP address. Then a policy was written to allow that IP access to the web1 server via any application, and the scheduler microsoft_remote_access was attached to it. This scheduler is active from February 14 until February 15, so Microsoft can remotely access the server only within that window.

Let’s look at the configuration as a whole:

juniper@SRX5800# show security policies from-zone Internet to-zone web-dmz
policy temp_ms_access
match {
    source-address ms_support;
    destination-address web1;
    application any;
}
then {
    permit;
}
scheduler-name microsoft_remote_access;
[edit]
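
The scheduler semantics described in the two procedures above (a recurring daily window with excluded days, and a one-time window with a start and stop date) can be modeled to check, for any timestamp, which policy a flow would hit. The following Python is an added example, not Junos code and not from the book. It assumes half-open windows (the stop time itself is already outside the window), an assumed default deny when no policy matches, and a hypothetical unscheduled permit policy, allow_web, placed after the scheduled deny to carry the off-hours browsing the text describes; the scheduler and policy names and times are the ones from the page.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional, Union

# Weekday names in the form the `exclude` statement uses (datetime.weekday(): Monday == 0).
WEEKDAYS = ("monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday")


def junos_time(text: str) -> time:
    """Parse a `start-time`/`stop-time` value such as 08:00."""
    return datetime.strptime(text, "%H:%M").time()


def junos_datetime(text: str) -> datetime:
    """Parse a `start-date`/`stop-date` value such as 2010-02-14.09:00."""
    return datetime.strptime(text, "%Y-%m-%d.%H:%M")


@dataclass(frozen=True)
class DailyScheduler:
    """Recurring window (`daily start-time X stop-time Y`) with optional `<day> exclude` entries."""
    name: str
    start: time
    stop: time
    exclude: frozenset = frozenset()

    def is_active(self, at: datetime) -> bool:
        if WEEKDAYS[at.weekday()] in self.exclude:
            return False
        # Assumption: the window is half-open, so 17:00 itself is already outside 08:00-17:00.
        return self.start <= at.time() < self.stop


@dataclass(frozen=True)
class OneTimeScheduler:
    """Single window (`start-date X stop-date Y`); never active again after stop."""
    name: str
    start: datetime
    stop: datetime

    def is_active(self, at: datetime) -> bool:
        return self.start <= at < self.stop


@dataclass(frozen=True)
class Policy:
    name: str
    action: str                      # "permit" or "deny"
    scheduler: Optional[Union[DailyScheduler, OneTimeScheduler]] = None

    def in_effect(self, at: datetime) -> bool:
        """A policy without a scheduler is always in effect; otherwise only while its scheduler is active."""
        return self.scheduler is None or self.scheduler.is_active(at)


def first_match(policies, at: datetime):
    """Ordered lookup: the first policy in effect at `at` decides; a policy whose scheduler is
    inactive is skipped as if it were not configured. Falls back to a default deny (assumed)."""
    for policy in policies:
        if policy.in_effect(at):
            return policy.name, policy.action
    return None, "deny"


# The three schedulers from the page.
DENY_WEB = DailyScheduler("deny-web", junos_time("08:00"), junos_time("17:00"))
NETWORK_ACCESS = DailyScheduler("network-access", junos_time("09:00"), junos_time("20:00"),
                                frozenset({"saturday", "sunday"}))
MS_REMOTE = OneTimeScheduler("microsoft_remote_access",
                             junos_datetime("2010-02-14.09:00"), junos_datetime("2010-02-15.09:00"))

# trust -> Internet: the page's scheduled deny, followed by a hypothetical unscheduled permit
# (allow_web) that is what actually carries browsing once the deny's scheduler goes inactive.
TRUST_TO_INTERNET = [
    Policy("deny_daytime_websurfing", "deny", DENY_WEB),
    Policy("allow_web", "permit"),
]
CONTRACTOR_ACCESS = Policy("contractor_access", "permit", NETWORK_ACCESS)
TEMP_MS_ACCESS = Policy("temp_ms_access", "permit", MS_REMOTE)

if __name__ == "__main__":
    for when in (junos_datetime("2010-01-22.10:00"), junos_datetime("2010-01-22.18:00")):
        print(when, "->", first_match(TRUST_TO_INTERNET, when))
    print("contractor on Saturday:", CONTRACTOR_ACCESS.in_effect(junos_datetime("2010-01-23.12:00")))
    print("vendor window closed:", TEMP_MS_ACCESS.in_effect(junos_datetime("2010-02-15.09:00")))
```

The point worth noticing is in first_match: a scheduled deny that is currently inactive does not deny anything, the lookup simply falls through to whatever policy comes next, so the ordering of the scheduled policy and its unscheduled neighbors decides the off-hours behavior.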

You can view configured schedulers with the show schedulers command. Here is the output from the three already configured schedulers. Right now it appears that there are two active schedulers and one inactive scheduler. The output will also list the next time a scheduler is set to turn on or off.

juniper@SRX5800> show schedulers
Scheduler name: deny-web, State: active
  Next deactivation: Fri Jan 22 17:00:00 2010
Scheduler name: microsoft_remote_access, State: inactive
  Next activation: Sun Feb 14 09:00:00 2010
Scheduler name: network-access, State: active
  Next deactivation: Fri Jan 22 20:00:00 2010
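
Because a scheduled permit such as temp_ms_access is invisible in normal traffic until its scheduler flips to active, it is worth reconciling the `show schedulers` output against the policies that reference each scheduler. The Python below is an added example, not Junos code and not from the book: it parses the `show schedulers` text shown above (embedded as a constructed sample), maps it onto the policy-to-scheduler references from the page's configuration, and reports which policies are in effect now, which are dormant pending a future activation, and which reference a scheduler missing from the capture. The output format it parses is exactly the one on the page; any other format is an assumption.

```python
import re
from datetime import datetime

# Constructed sample: the `show schedulers` output from the page, captured as text.
SHOW_SCHEDULERS = """\
Scheduler name: deny-web, State: active
  Next deactivation: Fri Jan 22 17:00:00 2010
Scheduler name: microsoft_remote_access, State: inactive
  Next activation: Sun Feb 14 09:00:00 2010
Scheduler name: network-access, State: active
  Next deactivation: Fri Jan 22 20:00:00 2010
"""

# Policy -> scheduler-name references, taken from the page's configuration.
POLICY_SCHEDULERS = {
    "deny_daytime_websurfing": "deny-web",
    "contractor_access": "network-access",
    "temp_ms_access": "microsoft_remote_access",
}

HEADER_RE = re.compile(r"^Scheduler name: (?P<name>\S+), State: (?P<state>\w+)$")
EVENT_RE = re.compile(r"^\s+Next (?P<kind>activation|deactivation): (?P<when>.+)$")


def parse_show_schedulers(text):
    """Turn `show schedulers` text into {name: {"state", "next_event", "next_time"}}."""
    schedulers = {}
    current = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = {"state": header["state"], "next_event": None, "next_time": None}
            schedulers[header["name"]] = current
            continue
        event = EVENT_RE.match(line)
        if event and current is not None:
            current["next_event"] = event["kind"]
            # Timestamps look like "Fri Jan 22 17:00:00 2010".
            current["next_time"] = datetime.strptime(event["when"], "%a %b %d %H:%M:%S %Y")
    return schedulers


def audit_policies(policy_schedulers, schedulers):
    """Classify each scheduled policy as 'in effect', 'dormant' (scheduler inactive) or
    'unknown' (scheduler not present in the captured output), with its next transition."""
    report = {}
    for policy, sched_name in policy_schedulers.items():
        sched = schedulers.get(sched_name)
        if sched is None:
            report[policy] = {"status": "unknown", "next": None}
            continue
        status = "in effect" if sched["state"] == "active" else "dormant"
        nxt = None
        if sched["next_event"]:
            nxt = f'{sched["next_event"]} at {sched["next_time"]:%Y-%m-%d %H:%M}'
        report[policy] = {"status": status, "next": nxt}
    return report


def pending_activations(schedulers):
    """Inactive schedulers with a future activation: access that will open later without
    any further configuration change, which is what a reviewer wants to see listed."""
    return sorted(name for name, s in schedulers.items()
                  if s["state"] != "active" and s["next_event"] == "activation")


if __name__ == "__main__":
    parsed = parse_show_schedulers(SHOW_SCHEDULERS)
    for policy, entry in audit_policies(POLICY_SCHEDULERS, parsed).items():
        print(f'{policy:26} {entry["status"]:10} {entry["next"]}')
    print("will activate later:", pending_activations(parsed))
```

Run against the page's output this lists deny_daytime_websurfing and contractor_access as in effect with their deactivation times, and temp_ms_access as dormant until the February 14 activation.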

Let’s look at a detailed policy output to confirm that the schedule is applied and it is active (the state should show enabled):

juniper@SRX5800> show security policies from-zone trust to-zone web-dmz
policy-name contractor_access detail
Policy: contractor_access, action-type: permit, State: enabled, Index: 14
  Sequence number: 3
  From zone: trust, To zone: web-dmz
  Source addresses:
    contractor_subnet: 10.3.0.0/24
  Destination addresses:
    any: 0.0.0.0/0
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
      Source port range: [0-0]
      Destination port range: [0-0]
  Scheduler name: network-access
