SRX

 View Only
last person joined: 23 hours ago 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

  • 1.  SRX 240H - Block access to the host within one vlan

    Posted 10-21-2020 23:33

    Hi,

    I have vlan (WIFI) 192.168.20.0/24 and in it a lot of wifi user devices (phones, laptops, etc.) in the same network there is a wifi controller with the address: 192.168.20.x.

    Clients are connected to one SRX port (0/13)
    The controller is on the SRX port (0/14)
    Is it possible to block communication so that clients cannot access from the WIFI network to the address of the controller (managing) on port 443 and 8443?



  • 2.  Re: SRX 240H - Block access to the host within one vlan

    Posted 10-22-2020 00:18

    Hello,

     

    Check this one: https://forums.juniper.net/t5/SRX-Services-Gateway/SRX-in-transparent-mode/td-p/307896

     

    BR

    Andrei



  • 3.  Re: SRX 240H - Block access to the host within one vlan

    Posted 10-22-2020 01:55

    I believe you can create a security policy for this since the two devices connect to different ports.  The policy will be from and to the zone you have assigned to WiFi.

    • Substitute zone name
    • Change the desired ip addresses
    • Insert the policy before the "allow all" policy for the zone if one exists

     

    set security zones security-zone trust address-book address controller 192.168.20.20/32 
set security zones security-zone trust address-book address controller 192.168.20.0/24 

set security policies from-zone WiFi to-zone WiFi policy trust-to-untrust match source-address Controller
set security policies from-zone WiFi to-zone WiFi policy trust-to-untrust match destination-address Users
set security policies from-zone WiFi to-zone WiFi policy trust-to-untrust match application any
set security policies from-zone WiFi to-zone WiFi policy trust-to-untrust then deny