SRX

 View Only
last person joined: 10 hours ago 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

  • 1.  Firewall filter assistance

     
    Posted 11-12-2018 07:14

    I have the following 2 firewall filters; how can the config. below be corrected to allow the second filter to work?

     

    firewall {
    filter VPN {
        term VPN {
            from {
                source-address {
                    #SECRET#;
                }
                destination-port 500;
            }
            then accept;
        }
        term IKE-BLOCK {
            from {
                destination-port 500;
            }
            then {
                reject;
            }
        }
        term else {
            then accept;
        }
    }
    filter External-HTTPS {
        term Whitelist {
            from {
                source-prefix-list {
                    whitelist;
                }
                destination-port 443;
            }
            then accept;
        }
    }
}

     



  • 2.  RE: Firewall filter assistance

    Posted 11-12-2018 16:46

    You can only apply one filter per interface.  So you would need to combine the terms into a single filter to apply both to the same interface.

     

    Insert the term whitelist and add a reject https term after it before the term else in the VPN filter.

     

     



  • 3.  RE: Firewall filter assistance

     
    Posted 11-13-2018 01:04

    Hi Steve,

     

    Thank you for your reply. I don't fully understand your instructions. How does the following look? Can you modify/correct please?

     

    firewall {
    filter VPN {
        term VPN {
            from {
                source-address {
                    #SECRET#;
                }
                destination-port 500;
            }
            then accept;
        }
        term IKE-BLOCK {
            from {
                destination-port 500;
            }
            then {
                reject;
            }
        }
        term Whitelist {
            from {
                source-prefix-list {
                    whitelist;
                }
                destination-port 443;
            }
            then accept;
        }
        term else {
            then accept;
        }
    }
}


  • 4.  RE: Firewall filter assistance
    Best Answer

    Posted 11-13-2018 01:46

    Something like this:

     

    firewall {
    filter VPN {
        term VPN {
            from {
                source-address {
                    #SECRET#;
                }
                destination-port 500;
            }
            then accept;
        }
        term IKE-BLOCK {
            from {
                destination-port 500;
            }
            then {
                reject;
            }
        }
        term Whitelist {
            from {
                source-prefix-list {
                    whitelist;
                }
                destination-port 443;
            }
            then accept;
        }
        term block-https {
            from {
                destination-port 443;
            }
            then reject;
        }
        term else {
            then accept;
        }
    }
}


  • 5.  RE: Firewall filter assistance

     
    Posted 11-13-2018 06:44

    Thank you Jonas and Steve!