Juniper SRX

This source type uses SSH with a username and password to connect to a Juniper SRX firewall. It only runs ‘show’ commands, so read-only access is adequate.

Setup

Install fwunit with the srx extra so that the SSH dependencies are pulled in:

pip install fwunit[srx]

Add a source to your fwunit.yaml looking like this:

myfirewall:
    type: srx
    output: myfirewall.pkl
    firewall: fw1.releng.scl3.mozilla.com
    ssh_username: fwunit
    ssh_password: sekr!t

The firewall setting gives the hostname (or IP address) of the firewall that accepts SSH connections. ssh_username and ssh_password are the credentials for the account, which only needs read-only access.

The process of downloading and processing policies can be very slow, depending on the complexity of your policies.

Assumptions

This processing makes the following assumptions about your network:

  • Rule IPs are limited by the to- and from-zones of the original policy, so given a “from any” policy with from-zone ABC, the resulting rule’s src will be ABC’s IP space, not 0.0.0.0/0. Zone spaces are determined from the route table, and thus assume symmetrical forwarding.
  • All directly-connected networks are considered to permit all traffic within those networks, on the assumption that the network is an open L2 subnet.
  • Policies allowing application “any” are expanded to include every application mentioned in any policy.
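The three assumptions above describe how a zone-scoped SRX policy is turned into an explicit rule. The following is an added illustration of that expansion, not fwunit's own code: the route table, the policies, the zone names ABC/DEF/untrust and every function name are constructed here for the example, and the exact data structures fwunit uses are assumed rather than taken from the project.

```python
"""Model of the policy expansion described in the Assumptions section.

Constructed example (not fwunit's implementation): the route table, policies
and helper names below are illustrative assumptions.
"""
import ipaddress

# Constructed route table: prefix -> zone the prefix is routed through.
# Assumption 1: a zone's IP space is derived from these routes, which only
# holds if forwarding is symmetrical (traffic returns the way it came).
ROUTES = {
    "10.26.48.0/22": "ABC",
    "10.26.52.0/22": "ABC",
    "10.22.0.0/16": "DEF",
    "0.0.0.0/0": "untrust",
}

# Constructed policies shaped like SRX security policies.
POLICIES = [
    {"from_zone": "ABC", "to_zone": "DEF", "src": "any",
     "dst": "10.22.1.5/32", "app": "any", "action": "permit"},
    {"from_zone": "DEF", "to_zone": "ABC", "src": "10.22.0.0/16",
     "dst": "any", "app": "junos-ssh", "action": "permit"},
    {"from_zone": "untrust", "to_zone": "DEF", "src": "any",
     "dst": "10.22.1.5/32", "app": "junos-http", "action": "permit"},
]


def zone_space(routes, zone):
    """Assumption 1: a zone's IP space is the union of the routes that point
    into it, collapsed to the fewest covering prefixes."""
    nets = [ipaddress.ip_network(p) for p, z in routes.items() if z == zone]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def all_applications(policies):
    """Assumption 3: application 'any' means every application that is
    named explicitly in at least one policy."""
    return sorted({p["app"] for p in policies if p["app"] != "any"})


def expand_policy(policy, routes, apps):
    """Turn one policy into an explicit rule.  'any' addresses are bounded by
    the policy's from/to zones, so a 'from any' policy never becomes 0.0.0.0/0
    unless the zone's own route table entry is the default route."""
    src = (zone_space(routes, policy["from_zone"])
           if policy["src"] == "any" else [policy["src"]])
    dst = (zone_space(routes, policy["to_zone"])
           if policy["dst"] == "any" else [policy["dst"]])
    return {
        "src": src,
        "dst": dst,
        "apps": apps if policy["app"] == "any" else [policy["app"]],
        "action": policy["action"],
    }


def directly_connected_rules(connected, apps):
    """Assumption 2: every directly-connected subnet is treated as an open L2
    segment, so traffic within it is permitted for all applications."""
    return [{"src": [net], "dst": [net], "apps": apps, "action": "permit"}
            for net in connected]


def expand_all(policies, routes, connected):
    """Expand every policy, then append the intra-subnet rules."""
    apps = all_applications(policies)
    rules = [expand_policy(p, routes, apps) for p in policies]
    return rules + directly_connected_rules(connected, apps)


if __name__ == "__main__":
    for rule in expand_all(POLICIES, ROUTES, ["10.26.48.0/22"]):
        print(rule)
```

Note how the first policy's "from any" resolves to 10.26.48.0/21 (the two ABC routes collapsed) rather than 0.0.0.0/0, while the untrust zone, whose only route is the default route, still yields 0.0.0.0/0; that is the practical consequence of deriving zone space from the route table.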