Juniper SRX – Securing Management Access


Configure Addresses

First of all, the addresses that are allowed management access to the device are configured in a prefix list:

set policy-options prefix-list permitted-ips [IP ADDRESS]/[SUBNET MASK]

Configure System Services

Next, each of the system services that will be allowed inbound on the necessary interfaces is defined per security zone. These host-inbound-traffic settings only enable a service in a zone; the firewall filter below restricts which sources may actually reach it.

set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust host-inbound-traffic system-services dhcp
set security zones security-zone trust host-inbound-traffic system-services https
set security zones security-zone trust host-inbound-traffic system-services http
set security zones security-zone untrust host-inbound-traffic system-services traceroute
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services dns
set security zones security-zone untrust host-inbound-traffic system-services https
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services http

Configure Filter

Next we define which IPs are allowed access to which services. The terms of each filter are evaluated in order and the first match wins. In admin-services-in, the established term accepts packets of existing TCP sessions, allow_in accepts IKE (UDP 500 and 4500), ESP, HTTPS (443) and DHCP from any source, deny_in counts, logs and discards everything that does not come from the permitted-ips prefix list, and accept_everything_else accepts what is left, so SSH, HTTP and ping reach the device only from the permitted addresses. Note that port matches either the source or the destination port; destination-port is the stricter match for inbound services. The output filter, admin-services-out, permits established TCP sessions and traffic to DNS (53), NTP (123), DHCP and HTTP (80); anything else the device itself originates, such as IKE to UDP 500/4500 or ICMP, which has no port fields, is counted, logged and discarded by its deny term, so extend allow_out if the device needs to initiate such traffic.

set firewall filter admin-services-in term established from tcp-established
set firewall filter admin-services-in term established then accept
set firewall filter admin-services-in term allow_in from protocol udp
set firewall filter admin-services-in term allow_in from protocol tcp
set firewall filter admin-services-in term allow_in from protocol esp
set firewall filter admin-services-in term allow_in from port 500
set firewall filter admin-services-in term allow_in from port 4500
set firewall filter admin-services-in term allow_in from port 443
set firewall filter admin-services-in term allow_in from port dhcp
set firewall filter admin-services-in term allow_in then accept
set firewall filter admin-services-in term deny_in from source-address 0.0.0.0/0
set firewall filter admin-services-in term deny_in from source-prefix-list permitted-ips except
set firewall filter admin-services-in term deny_in then count deny_count
set firewall filter admin-services-in term deny_in then syslog
set firewall filter admin-services-in term deny_in then discard
set firewall filter admin-services-in term accept_everything_else then accept
set firewall filter admin-services-out term established from tcp-established
set firewall filter admin-services-out term established then accept
set firewall filter admin-services-out term allow_out from protocol udp
set firewall filter admin-services-out term allow_out from protocol icmp
set firewall filter admin-services-out term allow_out from protocol tcp
set firewall filter admin-services-out term allow_out from destination-port 53
set firewall filter admin-services-out term allow_out from destination-port 123
set firewall filter admin-services-out term allow_out from destination-port dhcp
set firewall filter admin-services-out term allow_out from destination-port 80
set firewall filter admin-services-out term allow_out then accept
set firewall filter admin-services-out term deny_in then count deny_count
set firewall filter admin-services-out term deny_in then syslog
set firewall filter admin-services-out term deny_in then discard
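The following is an added worked example, not part of the original post: a small Python model of how Junos evaluates the terms of admin-services-in, used to check what the filter above lets through from permitted and non-permitted sources. The prefix 192.0.2.0/24 stands in for the [IP ADDRESS]/[SUBNET MASK] entry of permitted-ips and the packet() helper is a constructed convenience.

```python
import ipaddress

# Constructed stand-in for the prefix-list permitted-ips ([IP ADDRESS]/[SUBNET MASK]
# in the post); 192.0.2.0/24 is a documentation range, not a real management network.
PERMITTED_IPS = [ipaddress.ip_network("192.0.2.0/24")]

def in_prefix_list(addr, prefixes):
    """Junos source-prefix-list match: true if addr falls in any listed prefix."""
    return any(ipaddress.ip_address(addr) in p for p in prefixes)

def packet(proto, src, dport=None, sport=40000, established=False):
    """Minimal packet model: protocol, source address, ports, TCP ACK/RST state."""
    return {"proto": proto, "src": src, "sport": sport, "dport": dport,
            "established": established}

# admin-services-in as a list of (term, match, action) in configured order.
# Modelled Junos rules: terms are tried top to bottom and the first match wins;
# within one term the different match conditions are ANDed while repeated
# values of one condition (several "protocol", several "port") are ORed;
# "port" matches either the source or the destination port; "dhcp" is port 67.
ADMIN_SERVICES_IN = [
    ("established",
     lambda p: p["proto"] == "tcp" and p["established"], "accept"),
    ("allow_in",
     lambda p: p["proto"] in ("udp", "tcp", "esp")
               and bool({p["sport"], p["dport"]} & {500, 4500, 443, 67}), "accept"),
    ("deny_in",  # source-address 0.0.0.0/0 minus the prefix-list "except"
     lambda p: not in_prefix_list(p["src"], PERMITTED_IPS), "discard"),
    ("accept_everything_else", lambda p: True, "accept"),
]

def evaluate(terms, pkt):
    """Return (term name, action) for the first term that matches pkt."""
    for name, match, action in terms:
        if match(pkt):
            return name, action
    return "implicit", "discard"   # a Junos filter discards anything unmatched

if __name__ == "__main__":
    for label, pkt in [
        ("ssh from outside", packet("tcp", "203.0.113.5", dport=22)),
        ("ssh from permitted", packet("tcp", "192.0.2.10", dport=22)),
        ("https from outside", packet("tcp", "203.0.113.5", dport=443)),
        ("ike from outside", packet("udp", "203.0.113.5", dport=500, sport=500)),
        ("ping from outside", packet("icmp", "203.0.113.5")),
    ]:
        print(f"{label:20} -> {evaluate(ADMIN_SERVICES_IN, pkt)}")
```

Running it shows that SSH and ping are only accepted from the prefix list while HTTPS and IKE are accepted from any source, which is the exposure a reviewer should confirm is intended before committing the filter.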

Assign Filter

Finally, the filter is applied to the loopback interface. A filter on lo0 covers traffic to and from the Routing Engine arriving on any interface, so it controls management access regardless of which zone the traffic comes in on.

set interfaces lo0 unit 0 family inet filter input admin-services-in
set interfaces lo0 unit 0 family inet filter output admin-services-out

Troubleshooting

Configure a log file that receives the messages generated by the syslog action of the deny terms:

set system syslog file firewall firewall info

View the log. Each entry records the interface, the action (D = discard, A = accept), the protocol, the source and destination addresses, the source and destination ports and the number of packets:

root@srx240l> show log firewall
Sep 1 22:30:14 srx240 clear-log[15397]: logfile cleared
Sep  2 01:51:44  srx240l srx240l PFE_FW_SYSLOG_IP: FW: pp0.0        D  tcp 176.20.7.244 94.15.8.26 57837 34105 (1 packets)
Sep  2 01:51:53  srx240l last message repeated 2 times
Sep  2 12:35:06  srx240l srx240l PFE_FW_SYSLOG_IP: FW: pp0.0        D  tcp 8.2.13.83 4.15.26.70 18978    22 (2 packets)
Sep  2 12:35:08  srx240l srx240l PFE_FW_SYSLOG_IP: FW: pp0.0        D  tcp 82.132.19.83 94.15.26.70 18978    22 (2 packets)
Sep  2 12:35:11  srx240l srx240l PFE_FW_SYSLOG_IP: FW: pp0.0        D  tcp 2.2.39.83 94.15.26.70 18978    22 (2 packets)
Sep  2 12:35:14  srx240l srx240l PFE_FW_SYSLOG_IP: FW: pp0.0        D  tcp 2.12.19.83 94.1.2.70 18978    22 (1 packets)
Sep  2 12:35:16  srx240l srx240l PFE_FW_SYSLOG_IP: FW: pp0.0        D  tcp 2.132.19.83 94.1.2.70 18978    22 (1 packets)
Sep  2 12:35:19  srx240l srx240l PFE_FW_SYSLOG_IP: FW: pp0.0        D  tcp 2.132.13.206 94.1.26.70 21438    22 (3 packets)
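As an added example (not from the original post), the following Python script parses PFE_FW_SYSLOG_IP lines in the format shown above and summarises the discarded packets by destination port and by source, which is the quickest way to see what the deny terms are catching. The sample lines are constructed and use documentation address ranges rather than the addresses in the log above.

```python
import re
from collections import Counter

# Constructed sample in the PFE_FW_SYSLOG_IP format shown above; addresses are
# documentation ranges, not the ones in the original log.
SAMPLE_LOG = """\
Sep  2 01:51:44  srx240l srx240l PFE_FW_SYSLOG_IP: FW: pp0.0        D  tcp 198.51.100.7 192.0.2.1 57837 34105 (1 packets)
Sep  2 01:51:53  srx240l last message repeated 2 times
Sep  2 12:35:06  srx240l srx240l PFE_FW_SYSLOG_IP: FW: pp0.0        D  tcp 203.0.113.83 192.0.2.1 18978    22 (2 packets)
Sep  2 12:35:11  srx240l srx240l PFE_FW_SYSLOG_IP: FW: pp0.0        D  tcp 203.0.113.84 192.0.2.1 18978    22 (2 packets)
Sep  2 12:35:19  srx240l srx240l PFE_FW_SYSLOG_IP: FW: pp0.0        A  tcp 192.0.2.10 192.0.2.1 50111    22 (1 packets)
"""

# Fields of one record: interface, action (A = accept, D = discard), protocol,
# source address, destination address, source port, destination port, packets.
FW_RE = re.compile(
    r"PFE_FW_SYSLOG_IP: FW: (?P<ifl>\S+)\s+(?P<action>[AD])\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<sport>\d+)\s+(?P<dport>\d+)\s+"
    r"\((?P<count>\d+) packets\)")
REPEAT_RE = re.compile(r"last message repeated (\d+) times")

def parse_fw_log(text):
    """Parse filter log lines; 'last message repeated N times' adds N more copies."""
    records = []
    for line in text.splitlines():
        m = FW_RE.search(line)
        if m:
            rec = m.groupdict()
            for key in ("sport", "dport", "count"):
                rec[key] = int(rec[key])
            rec["per_message"] = rec["count"]   # kept so repeats scale correctly
            records.append(rec)
            continue
        rep = REPEAT_RE.search(line)
        if rep and records:
            records[-1]["count"] += int(rep.group(1)) * records[-1]["per_message"]
    return records

def summarize_discards(records):
    """Discarded packets per (protocol, destination port) and per source address."""
    by_port, by_src = Counter(), Counter()
    for r in records:
        if r["action"] == "D":
            by_port[(r["proto"], r["dport"])] += r["count"]
            by_src[r["src"]] += r["count"]
    return by_port, by_src
```

Feed it the output of show log firewall to get a per-port and per-source tally; a sudden rise in discards to port 22 from many sources is the pattern visible in the log above.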
