go-junos: Junos Space Security Director

In my last article, I wrote about how you can use the go-junos library to interact with Junos Space to add devices, upgrade software, amongst other features. With the recent update, there now is support for the Security Director application, which allows you to do the following:

  • Add/remove address and service objects/groups.
  • Modify objects (e.g. add/remove objects from groups, and delete objects).
  • View all policies managed by Junos Space.
  • Publish policies and update devices.

In this post, I'll briefly highlight these features.

Establish Connectivity

We first need to connect to the Junos Space server, and we do that by using the following code:

space := junos.NewServer("space.server.com", "user", "password")

Viewing Security Devices

Security Director devices cosist of anything security-related, such as the SRX, J-series, etc. They have a few different attributes when viewing them vs viewing all devices managed by Junos Space as we did here in my previous post:

devices, err := space.SecurityDevices()
if err != nil {
	fmt.Println(err)
}

for _, device := range devices.Devices {
	fmt.Printf("%+v\n", device)
}

Viewing Objects

Let's take a look at how we can get a list of all our address and services that Space manages. We do this with the Addresses() and Services() functions. Both of them take a filter parameter, which you can use to search for specific objects.

If you specify "all", then the full list is returned.

// Address objects
addresses, err := space.Addresses("all")
if err != nil {
	fmt.Println(err)
}

for _, address := range addresses.Addresses {
	fmt.Printf("%+v\n", address)
}

// Service objects
services, err := space.Services("all")
if err != nil {
	fmt.Println(err)
}

for _, service := range services.Services {
	fmt.Printf("%+v\n", service)
}

Adding & Modifying Objects

Now we'll add a few objects, as well as modify them. First, let's search for any address object containing "sdubs":

Before

Right now, this comes up empty as we don't have any. Let's add them by using the AddAddress() and AddGroup() functions:

space.AddAddress("sdubs-fw", "10.160.1.1/32", "SRX100")
space.AddAddress("sdubs-ap", "10.160.1.2/32", "CISCO1242")
space.AddGroup("address", "sdubs-AddressGroup", "My personal addresses")

We can also add services in the same way:

space.AddService("tcp", "custom-ssh", 22, 22, "SSH with inactivity timeout", 1800)
space.AddService("udp", "udp-high-ports", 40000, 60000, "UDP high ports" 0)
space.AddGroup("service", "sdubs-ServiceGroup", "Custom services")

You might be wondering why we have our SSH port (22) defined twice. This is because we have a low and a high parameter in case you want to have a port range. The first value is the low, and the second the high. If you just want a single port, then put the same number twice.

Here's what our address search looks like after:

After

Here's an example of how to modify objects, such as renaming them, adding/removing them from a group, and deleting them entirely:

// Add a service to a group
space.ModifyObject("service", "add", "sdubs-ServiceGroup", "custom-ssh")

// Remove an address object from a group
space.ModifyObject("address", "remove", "sdubs-AddressGroup", "sdubs-ap")

// Rename an object
space.ModifyObject("address", "rename", "sdubs-ap", "home-access-point")

// Delete an object
space.ModifyObject("address", "delete", "sdubs-fw")

Working with Policies

In order to publish policies, we need to first see what policies our Junos Space server manages. We can get a list of them like so:

policies, err := space.Policies()
if err != nil {
	fmt.Println(err)
}

for _, policy := range policies.Policies {
	fmt.Printf("%s\n", policy.Name)
}

Assuming that we have a firewall policy called "sdubs-Home-Firewall" that references our "sdubs-AddressGroup" object that we modified earlier, let's publish and update the device that is assigned to it:

job, err := space.PublishPolicy("sdubs-Home-Firewall", true)
if err != nil {
	fmt.Println(err)
}

fmt.Printf("Job ID: %d\n", job)

The true parameter tells Junos Space to also update the device, instead of simply publishing (false) the policy to be updated at a later time.

If you have a device with pending services, and want to update it, then you can do that with the following code:

job, err := space.UpdateDevice("sdubs-fw")
if err != nil {
	fmt.Println(err)
}

fmt.Printf("Job ID: %d\n", job)

I hope you enjoyed this article, and can see how powerful this can be when working with Junos Space. For complete documentation, please visit the official GoDoc page, as well as the Github repo.