SRX

Expand all | Collapse all

View system connection detail.

Jump to Best Answer
  • 1.  View system connection detail.

    Posted 05-16-2017 14:40

    Dears, 

     

    I need help to understand a particular active connection in a SRX220h:

     

    admin@CPE-CONICETRIV# run show system connections              
    Active Internet connections (including servers)
    Proto Recv-Q Send-Q  Local Address                                 Foreign Address                               (state)
    tcp4       0      0  168.96.250.10.23                              110.82.104.170.40116                          ESTABLISHED
    

     

    As i see, its a attemp to connect through telnet. I understand that the traffic of services running on the device, such as telnet, can be controlled using firewall filters on loopback interface, so:

     

    admin@CPE# show interfaces lo0 | display set 
    set interfaces lo0 unit 0 family inet filter input acl-l0
    
    admin@CPE# show firewall family inet filter acl-l0 | display set   
    set firewall family inet filter acl-l0 term ssh-telnet-OK from source-prefix-list pl-GESTION-OK
    set firewall family inet filter acl-l0 term ssh-telnet-OK from protocol tcp
    set firewall family inet filter acl-l0 term ssh-telnet-OK from destination-port ssh
    set firewall family inet filter acl-l0 term ssh-telnet-OK from destination-port telnet
    set firewall family inet filter acl-l0 term ssh-telnet-OK then accept
    set firewall family inet filter acl-l0 term ssh-telnet-DENY from protocol tcp
    set firewall family inet filter acl-l0 term ssh-telnet-DENY from destination-port ssh
    set firewall family inet filter acl-l0 term ssh-telnet-DENY from destination-port telnet
    set firewall family inet filter acl-l0 term ssh-telnet-DENY then log
    set firewall family inet filter acl-l0 term ssh-telnet-DENY then reject
    ...
    ## other terms related to SNMP, BGP, and so on. ... set firewall family inet filter acl-l0 term default-term then accept admin@CPE# show policy-options prefix-list pl-GESTION-OK | display set set policy-options prefix-list pl-GESTION-OK 10.0.0.0/8 set policy-options prefix-list pl-GESTION-OK 168.96.0.0/16 set policy-options prefix-list pl-GESTION-OK 200.10.202.0/24

    As you can see, the IP 110.82.104.170 is not in pl-GESTION-OK, the prefix list with trusted networks., but still appears as a ESTABLISHED telnet connection. There is some wrong configuration or i'm understanding incorrectly the output of "show system connection" command?

     

    Many thanks!

    Regards,

    Marcelo.

     

     



  • 2.  RE: View system connection detail.

    Posted 05-17-2017 01:45

    Hi Marcelo,

     

    Thanks for posting your query here.

     

    I looked through teh snippet of your configruation and it looks fine and should work as you expect it i.e. block the telnet connection from a soure not mentioned in the firewall filter.

     

    But somehow this seems to be not working in your case and to investigate on this could you please provide the below information-

     

    • What is the software version running on SRX
    • Configruation form the SRX (if possible)
    • Flow traceoptions for the traffic which should not be working.

    Configruation for Flow traceoptions:-

    set security flow traceoptions file Telnet-test size 1m files 5

    set security flow traceoptions flag basic-datapath

    set security flow traceoptions flag packet-drops

    set security flow traceoptions packet-filter pf1 source-address <source_ip> destiantion-address<dest_ip>

    set security flow traceoptions packet-filter pf2 source-address <source_ip> destiantion-address<dest_ip> ----- > (This is for tracting the revers traffic so please use NATed Ip addersses for source and destiantion if any)

     

    You can view the above logs with the help of the command "show log Telnet-test".

     

    Awaiting your response.

     

    Thanks and Regards,
    Pulkit Bhandari

     



  • 3.  RE: View system connection detail.

     
    Posted 05-18-2017 18:14

    Hi, 

     

    Just wondering if unit 0 is the only logical unit configured on loopback.

    If additional logical units are configured on loopback and used in different routing-instances, each of the logical units should have an equivalent protection firewall filter to protect the RE.

     

    Cheers,

    Ashvin



  • 4.  RE: View system connection detail.

    Posted 05-22-2017 08:15

    Dears,

     

    Thanks a lot for your replies.

     

    One day after that applie the changes, i stop seeing this entry on "system connections", neither any other entry that were in conflict with the defined firewall filter. However, this is the current config:

     

    set version 12.1X44.3
    set system host-name CPE
    set system domain-name IRED-red.net
    set system time-zone America/Buenos_Aires
    set system root-authentication encrypted-password "$1$HQmnl5eZ$/CPQPTtXxyufs1abUgwalh0"
    set system name-server 172.16.20..3
    set system login user admin uid 2002
    set system login user admin class super-user
    set system login user admin authentication encrypted-password "$1$Nxg546oG$Q.hdXn8Y3.qqurrxeCG5LT1"
    set system services ssh connection-limit 2
    set system services ssh rate-limit 1
    set system services telnet connection-limit 5
    set system syslog archive size 100k
    set system syslog archive files 3
    set system syslog user * any emergency
    set system syslog host 192.168.1.2 any info
    set system syslog host 192.168.1.2 source-address 10.0.199.5
    set system syslog file messages any critical
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands error
    set system archival configuration transfer-on-commit
    set system archival configuration archive-sites "ftp://user:pass@192.168.1.2:21/CPE"
    set interfaces ge-0/0/0 description TRUNK-PROVB-ESMD
    set interfaces ge-0/0/0 unit 0 description TRUNK-PROVB-ESMD
    set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode trunk
    set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members CTE-I1-RI
    set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members CTE-QINQ0
    set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members WAN-GL-BACK
    set interfaces ge-0/0/1 description TRUNK-PROVA-GL
    set interfaces ge-0/0/1 unit 0 description TRUNK-PROVA-GL
    set interfaces ge-0/0/1 unit 0 family ethernet-switching port-mode trunk
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members WAN-GL-BACK
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members GESTION
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members CTE-I1-RI
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members PRUEBA
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members CTE-QINQ0
    set interfaces ge-0/0/2 description LAN-CTE
    set interfaces ge-0/0/2 unit 0 description LAN-CTE
    set interfaces ge-0/0/2 unit 0 family inet filter input Pmode
    set interfaces ge-0/0/2 unit 0 family inet filter output Pmode
    set interfaces ge-0/0/2 unit 0 family inet policer input rl-35m
    set interfaces ge-0/0/2 unit 0 family inet policer output rl-35m
    set interfaces ge-0/0/2 unit 0 family inet address 192.168.250.10/27
    set interfaces ge-0/0/3 description PaP-RVD-GL
    set interfaces ge-0/0/3 unit 0 description PaP-RVD-GL
    set interfaces ge-0/0/3 unit 0 family ethernet-switching port-mode trunk
    set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members CTE-QINQ0
    set interfaces ge-0/0/3 unit 0 family ethernet-switching native-vlan-id 720
    set interfaces ge-0/0/4 description PaP-CTE-MCTCBA-1Mbps
    set interfaces ge-0/0/4 unit 0 description PaP-CTE-MCTCBA-1Mbps
    set interfaces ge-0/0/4 unit 0 family ethernet-switching port-mode access
    set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members CTE-MCTCBA
    set interfaces ge-0/0/5 unit 0
    set interfaces ge-0/0/6 disable
    set interfaces ge-0/0/6 unit 0
    set interfaces ge-0/0/7 unit 0
    set interfaces lo0 unit 0 family inet filter input acl-l0
    set interfaces lo0 unit 0 family inet address 10.0.199.4/32
    set interfaces vlan unit 502 family inet address 10.0.10.250/29
    set interfaces vlan unit 800 family inet filter input-list Pmode
    set interfaces vlan unit 800 family inet address 10.0.10.3/29
    set snmp community publ1c authorization read-only
    set routing-options static route 192.168.1.15/32 next-hop 10.0.10.1
    set protocols rsvp disable
    set protocols bgp family inet unicast
    set protocols bgp local-as 65001
    set protocols bgp group IRED type external
    set protocols bgp group IRED family inet unicast
    set protocols bgp group BBONE type internal
    set protocols bgp group BBONE family inet unicast
    set protocols bgp group BBONE neighbor 10.0.10.1 description PEER-RI
    set protocols bgp group BBONE neighbor 10.0.10.1 local-address 10.0.10.3
    set protocols bgp group BBONE neighbor 10.0.10.1 export CTE-export-bgp
    set protocols bgp group BBONE neighbor 10.0.10.1 peer-as 65001
    set protocols bgp group BBONE neighbor 10.0.10.2 description PEER-INTNET
    set protocols bgp group BBONE neighbor 10.0.10.2 local-address 10.0.10.3
    set protocols bgp group BBONE neighbor 10.0.10.2 export CTE-export-bgp
    set protocols bgp group BBONE neighbor 10.0.10.2 peer-as 65001
    set protocols bgp group GL type internal
    set protocols bgp group GL family inet unicast
    set protocols stp disable
    set protocols rstp bridge-priority 8k
    set protocols rstp interface ge-0/0/0.0 cost 100
    set protocols rstp interface ge-0/0/1.0 cost 150
    set protocols rstp interface ge-0/0/3.0 edge
    set protocols rstp interface ge-0/0/4.0 edge
    set policy-options prefix-list pl-BGP-OK 10.0.0.0/8
    set policy-options prefix-list pl-BGP-OK 192.168.0.0/16
    set policy-options prefix-list pl-BGP-OK 172.16.20.0/24
    set policy-options prefix-list pl-GESTION-OK 10.0.0.0/8
    set policy-options prefix-list pl-GESTION-OK 192.168.0.0/16
    set policy-options prefix-list pl-GESTION-OK 172.16.20..0/24
    set policy-options prefix-list pl-SNMP-OK 192.168.1.0/26
    set policy-options prefix-list pl-SNMP-OK 172.16.20..0/26
    set policy-options policy-statement CTE-export-bgp term 1 from route-filter 192.168.250.0/27 exact
    set policy-options policy-statement CTE-export-bgp term 1 then accept
    set policy-options policy-statement CTE-export-bgp term 2 from protocol direct
    set policy-options policy-statement CTE-export-bgp term 2 from route-filter 10.0.199.4/32 exact
    set policy-options policy-statement CTE-export-bgp term 2 then accept
    set policy-options policy-statement CTE-export-bgp then reject
    set policy-options policy-statement rm-nada term unico then reject
    set security forwarding-options family mpls mode packet-based
    set firewall family inet filter Pmode term main then packet-mode
    set firewall family inet filter Pmode term main then accept
    set firewall family inet filter 97-VTY term T1 from source-address 192.168.1.0/26
    set firewall family inet filter 97-VTY term T1 from protocol tcp
    set firewall family inet filter 97-VTY term T1 from destination-port telnet
    set firewall family inet filter 97-VTY term T1 from destination-port ssh
    set firewall family inet filter 97-VTY term T1 then accept
    set firewall family inet filter acl-l0 term ssh-telnet-OK from source-prefix-list pl-GESTION-OK
    set firewall family inet filter acl-l0 term ssh-telnet-OK from protocol tcp
    set firewall family inet filter acl-l0 term ssh-telnet-OK from destination-port ssh
    set firewall family inet filter acl-l0 term ssh-telnet-OK from destination-port telnet
    set firewall family inet filter acl-l0 term ssh-telnet-OK then accept
    set firewall family inet filter acl-l0 term ssh-telnet-DENY from protocol tcp
    set firewall family inet filter acl-l0 term ssh-telnet-DENY from destination-port ssh
    set firewall family inet filter acl-l0 term ssh-telnet-DENY from destination-port telnet
    set firewall family inet filter acl-l0 term ssh-telnet-DENY then log
    set firewall family inet filter acl-l0 term ssh-telnet-DENY then reject
    set firewall family inet filter acl-l0 term snmp-OK from source-prefix-list pl-SNMP-OK
    set firewall family inet filter acl-l0 term snmp-OK from protocol udp
    set firewall family inet filter acl-l0 term snmp-OK from port 161
    set firewall family inet filter acl-l0 term snmp-OK from port 162
    set firewall family inet filter acl-l0 term snmp-DENY from protocol udp
    set firewall family inet filter acl-l0 term snmp-DENY from port 161
    set firewall family inet filter acl-l0 term snmp-DENY from port 162
    set firewall family inet filter acl-l0 term snmp-DENY then reject
    set firewall family inet filter acl-l0 term bgp-OK from source-prefix-list pl-BGP-OK
    set firewall family inet filter acl-l0 term bgp-OK from destination-prefix-list pl-BGP-OK
    set firewall family inet filter acl-l0 term bgp-OK from protocol tcp
    set firewall family inet filter acl-l0 term bgp-OK from port 179
    set firewall family inet filter acl-l0 term bgp-OK then accept
    set firewall family inet filter acl-l0 term bgp-DENY from protocol tcp
    set firewall family inet filter acl-l0 term bgp-DENY from port 179
    set firewall family inet filter acl-l0 term bgp-DENY then log
    set firewall family inet filter acl-l0 term bgp-DENY then reject
    set firewall family inet filter acl-l0 term default-term then accept
    set firewall policer rl-35m if-exceeding bandwidth-limit 35m
    set firewall policer rl-35m if-exceeding burst-size-limit 46437500
    set firewall policer rl-35m then discard
    set firewall policer rl-100m if-exceeding bandwidth-limit 100m
    set firewall policer rl-100m if-exceeding burst-size-limit 18750000
    set firewall policer rl-100m then discard
    set vlans CTE-I1-RI vlan-id 800
    set vlans CTE-I1-RI l3-interface vlan.800
    set vlans CTE-MCTCBA vlan-id 725
    set vlans CTE-QINQ0 vlan-id 720
    set vlans GESTION vlan-id 378
    set vlans PRUEBA vlan-id 17
    set vlans PRUEBA2 vlan-id 18
    set vlans WAN-GL-BACK vlan-id 502
    set vlans WAN-GL-BACK l3-interface vlan.502
    set vlans WAN-GL-PRIM vlan-id 501

    *I changed the real IP's and ASN; where says 192.168.xx.xx actually is a IP or Subnet of a public /16, and where says 172.16.20.xx, an IP or subnet of a public /24.

     

    I think that maybe, these connection were established before the filter application, that's why he remained active, that makes sense?

     

    I will consider your suggestions of trace the data flow, thanks!

     

    Regards,

    Marcelo.



  • 5.  RE: View system connection detail.
    Best Answer

     
    Posted 05-28-2017 05:01

    Yes, likely the connection was before the filter application.

     

    You may also find this free publication helpful.  Chapter 5 reviews all the recommended security settings on a Junos device.

     

    http://forums.juniper.net/t5/Day-One-Books/Day-One-Finishing-Junos-Deployments/ba-p/272763