SRX

SRX 240H - Block access to the host within one vlan

  • 1.  SRX 240H - Block access to the host within one vlan

    Posted 10-21-2020 23:33

    Hi,

    I have a VLAN (WIFI) 192.168.20.0/24 with a lot of wifi user devices in it (phones, laptops, etc.). In the same network there is a wifi controller with the address 192.168.20.x.

    The clients are connected to one SRX port (0/13).
    The controller is on SRX port (0/14).
    Is it possible to block communication so that clients cannot access the address of the controller (management) on ports 443 and 8443 from the WIFI network?



  • 2.  Re: SRX 240H - Block access to the host within one vlan

    Posted 10-22-2020 00:18


  • 3.  Re: SRX 240H - Block access to the host within one vlan

    Posted 10-22-2020 01:55

    I believe you can create a security policy for this since the two devices connect to different ports. The policy will be from and to the zone you have assigned to WiFi.

    • Substitute zone name
    • Change the desired ip addresses
    • Insert the policy before the "allow all" policy for the zone if one exists


    set security zones security-zone WiFi address-book address controller 192.168.20.20/32
    set security zones security-zone WiFi address-book address users 192.168.20.0/24

    set security policies from-zone WiFi to-zone WiFi policy deny-users-to-controller match source-address users
    set security policies from-zone WiFi to-zone WiFi policy deny-users-to-controller match destination-address controller
    set security policies from-zone WiFi to-zone WiFi policy deny-users-to-controller match application any
    set security policies from-zone WiFi to-zone WiFi policy deny-users-to-controller then deny
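
    A complete version of the above, restricted to the two management ports the question asks about, added here as an example and not code from the reply. It assumes the zone is named WiFi, the controller is 192.168.20.20, the clients are 192.168.20.0/24 and the zone already has a permit-all policy named WiFi-permit-all that the deny has to precede; all of these are placeholders to substitute. One caveat to check before relying on it: a security policy only sees traffic that passes through the flow engine, so if ge-0/0/13 and ge-0/0/14 are plain ethernet-switching ports in the same VLAN, frames between them are switched at Layer 2 on a branch SRX and the policy is never consulted. In that case the block has to be done with a firewall filter on the switching interface, or the controller moved into its own VLAN and zone.

```junos
# Added example (not from the original post). Placeholders: zone WiFi,
# controller 192.168.20.20, clients 192.168.20.0/24, existing permit
# policy WiFi-permit-all. Enter in configuration mode.

# TCP/8443 has no predefined application; junos-https covers TCP/443.
set applications application tcp-8443 protocol tcp destination-port 8443
set applications application-set controller-mgmt application junos-https
set applications application-set controller-mgmt application tcp-8443

# Address book entries attached to the WiFi zone.
set security zones security-zone WiFi address-book address controller 192.168.20.20/32
set security zones security-zone WiFi address-book address wifi-users 192.168.20.0/24

# Deny clients -> controller on 443/8443 only, and log the hits so the
# block can be confirmed from the traffic log.
set security policies from-zone WiFi to-zone WiFi policy deny-controller-mgmt match source-address wifi-users
set security policies from-zone WiFi to-zone WiFi policy deny-controller-mgmt match destination-address controller
set security policies from-zone WiFi to-zone WiFi policy deny-controller-mgmt match application controller-mgmt
set security policies from-zone WiFi to-zone WiFi policy deny-controller-mgmt then deny
set security policies from-zone WiFi to-zone WiFi policy deny-controller-mgmt then log session-init

# Policies are evaluated top-down; a new policy lands last, after the
# permit-all, so it must be moved ahead of it or it never matches.
insert security policies from-zone WiFi to-zone WiFi policy deny-controller-mgmt before policy WiFi-permit-all
commit check
commit

# Verify ordering, then ask the box which policy a client's connection to
# the controller on 8443 would hit (client address 192.168.20.50 is made up).
run show security policies from-zone WiFi to-zone WiFi
run show security match-policies from-zone WiFi to-zone WiFi source-ip 192.168.20.50 destination-ip 192.168.20.20 source-port 50000 destination-port 8443 protocol tcp
```

    The match-policies check should name deny-controller-mgmt for destination port 8443 and 443, and WiFi-permit-all for any other port; if it reports the permit policy for 8443, the insert did not take effect. If a client can still reach the controller after the deny matches in match-policies, the traffic is not reaching the flow engine at all, which is the Layer 2 switching case described above.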