SRX

Expand all | Collapse all

Restrict access with junos-host zone

Jump to Best Answer
  • 1.  Restrict access with junos-host zone

    Posted 03-03-2019 10:59

    I am trying to restrict management access with the junos-host zone but it doesn't appear to be working. All traffic still seems to be allowed, even though I have tied it down to one IP and only ssh. Any help appreciated, config below;

     

    vsrx> show configuration security zones security-zone mgmt | display set
    set security zones security-zone mgmt address-book address mgt-server 192.168.10.133/32
    set security zones security-zone mgmt address-book address-set manager-ip address mgt-server
    set security zones security-zone mgmt host-inbound-traffic system-services all
    set security zones security-zone mgmt host-inbound-traffic protocols all
    set security zones security-zone mgmt interfaces lo0.0

     

    vsrx> show configuration security policies | display set
    set security policies from-zone mgmt to-zone junos-host policy management-access match source-address manager-ip
    set security policies from-zone mgmt to-zone junos-host policy management-access match destination-address any
    set security policies from-zone mgmt to-zone junos-host policy management-access match application junos-ssh
    set security policies from-zone mgmt to-zone junos-host policy management-access match application junos-http
    set security policies from-zone mgmt to-zone junos-host policy management-access then permit
    set security policies from-zone mgmt to-zone junos-host policy denyall match source-address any
    set security policies from-zone mgmt to-zone junos-host policy denyall match destination-address any
    set security policies from-zone mgmt to-zone junos-host policy denyall match application any
    set security policies from-zone mgmt to-zone junos-host policy denyall then deny

     

    There are no other security policies on the device other than the ones above (so it's not hitting another policy) When I ssh from another IP in the 192.168.10.x range, it is permitted. 

     

    Thanks



  • 2.  RE: Restrict access with junos-host zone

    Posted 03-03-2019 11:30
    Remove lo0.0 interface from mgmt zone.


  • 3.  RE: Restrict access with junos-host zone

    Posted 03-03-2019 11:37

    Thanks for the response. I had tried that also but it doesn't make any difference. I was copying an example off the Juniper website which is why I put the Loopback in there in the first place. 

     

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB21265&cat=JUNOS&actp=LIST

     

    Thanks



  • 4.  RE: Restrict access with junos-host zone

    Posted 03-03-2019 11:50
    Is incoming traffic interface also part of mgmt zone? Or different zone? I hope you are trying to access lo0 ip from your pc.


  • 5.  RE: Restrict access with junos-host zone

    Posted 03-03-2019 12:38

    Incoming traffic is coming in via fxp0 so it's not part of a zone as such.



  • 6.  RE: Restrict access with junos-host zone

    Posted 03-03-2019 16:31
    You have to use option 1 mentioned in the above KB to restrict the access since the traffic is coming via fxp0 interface. junos-host is used when you want to restrict the traffic coming in or going out via revenue interfaces which are part of a security zone . fxp0 is out of band management interface and it is not a part of any security zone.



  • 7.  RE: Restrict access with junos-host zone

    Posted 03-03-2019 23:05
    Thanks, that is how I set it up before but the problem is firewall filters are not stateful so you can't ping (monitor) the firewall after applying the firewall filter (return pings are dropped) I tried to also allow icmp in a separate filter and apply it outbound but it didn't seem to work. This is why I started looking into doing it a different way (firewall policy which is stateful)

    Any idea how to get around that?


  • 8.  RE: Restrict access with junos-host zone
    Best Answer

    Posted 03-03-2019 23:30

    You are right. Firewall filters are stateless. But it will work as expected if you configure it properly. Please try below config and let me know:

    set firewall filter lo-filter term 10 from source-address 192.168.10.133/32
    set firewall filter lo-filter term 10 from port ssh
    set firewall filter lo-filter term 10 from port http
    set firewall filter lo-filter term 10 from port https
    set firewall filter lo-filter term 20 from source-address 192.168.10.133/32
    set firewall filter lo-filter term 20 from protocol icmp
    set firewall filter lo-filter term 20 then accept

     

    Try to ping from 192.168.10.133 ip after applying the filter in inbound direction. 

     



  • 9.  RE: Restrict access with junos-host zone

    Posted 03-03-2019 23:34

    Forgot to mention. Apply the filter to lo0 interface in inbound direction:

    set interfaces lo0 unit 0 family inet filter input lo-filter



  • 10.  RE: Restrict access with junos-host zone

    Posted 03-04-2019 01:15

    Thanks, that's almost exactly how I had it but it doesn't work like that. I have just tried your exact config and it doesn't work either.  You can SSH etc but can't ping, I think its dropping the response icmp packet.

     

    Thanks



  • 11.  RE: Restrict access with junos-host zone

    Posted 03-04-2019 01:25

    Interesting! Please modify existing filter and add count and log option for icmp and share output of belowmentioned commands

     

    set firewall filter lo-filter term 20 then count  ALLOW_ICMP

    set firewall filter lo-filter term 20 then log

    set firewall filter lo-filter term 30 from protocol icmp

    set firewall filter lo-filter term 30 then discard

    set firewall filter lo-filter term 30 then count DENY_ICMP

    set firewall filter lo-filter term 30 then log

     

    show system statistics icmp

    show firewall

    show firewall log

    show interface filters | no-more

     



  • 12.  RE: Restrict access with junos-host zone

    Posted 03-04-2019 09:21

    Nellikka, this does actually work so thank you. I had a typo in my policy.

     

    Thanks for all your help.