SRX

Expand all | Collapse all

Firewall filter assistance

Jump to Best Answer
  • 1.  Firewall filter assistance

     
    Posted 11-12-2018 07:14

    I have the following 2 firewall filters; how can the config. below be corrected to allow the second filter to work?

     

    firewall {
        filter VPN {
            term VPN {
                from {
                    source-address {
                        #SECRET#;
                    }
                    destination-port 500;
                }
                then accept;
            }
            term IKE-BLOCK {
                from {
                    destination-port 500;
                }
                then {
                    reject;
                }
            }
            term else {
                then accept;
            }
        }
        filter External-HTTPS {
            term Whitelist {
                from {
                    source-prefix-list {
                        whitelist;
                    }
                    destination-port 443;
                }
                then accept;
            }
        }
    }

     



  • 2.  RE: Firewall filter assistance

     
    Posted 11-12-2018 16:46

    You can only apply one filter per interface.  So you would need to combine the terms into a single filter to apply both to the same interface.

     

    Insert the term whitelist and add a reject https term after it before the term else in the VPN filter.

     

     



  • 3.  RE: Firewall filter assistance

     
    Posted 11-13-2018 01:04

    Hi Steve,

     

    Thank you for your reply. I don't fully understand your instructions. How does the following look? Can you modify/correct please?

     

    firewall {
        filter VPN {
            term VPN {
                from {
                    source-address {
                        #SECRET#;
                    }
                    destination-port 500;
                }
                then accept;
            }
            term IKE-BLOCK {
                from {
                    destination-port 500;
                }
                then {
                    reject;
                }
            }
            term Whitelist {
                from {
                    source-prefix-list {
                        whitelist;
                    }
                    destination-port 443;
                }
                then accept;
            }
            term else {
                then accept;
            }
        }
    } 


  • 4.  RE: Firewall filter assistance
    Best Answer

    Posted 11-13-2018 01:46

    Something like this:

     

    firewall {
        filter VPN {
            term VPN {
                from {
                    source-address {
                        #SECRET#;
                    }
                    destination-port 500;
                }
                then accept;
            }
            term IKE-BLOCK {
                from {
                    destination-port 500;
                }
                then {
                    reject;
                }
            }
            term Whitelist {
                from {
                    source-prefix-list {
                        whitelist;
                    }
                    destination-port 443;
                }
                then accept;
            }
            term block-https {
                from {
                    destination-port 443;
                }
                then reject;
            }
            term else {
                then accept;
            }
        }
    } 


  • 5.  RE: Firewall filter assistance

     
    Posted 11-13-2018 06:44

    Thank you Jonas and Steve!