I just set up an SRX1500 cluster and issued "show system connections" and noticed that foreign IP addresses are connected to the IPs associated with em0.0. Is this normal? If not, can I disable this interface?
Thank you in advance.
Hello! What are the addresses you see? It is common to see addresses that are internal to the OS being used for internal communications to the RE. Common addresses include 127.0.0.0/8 and 126.96.36.199/24. Here is an example snippet from a production MX104.
If you're interested in understanding the open ports and which processes are holding them, you may wish to jump into the shell and run 'netstat -Aa'. You can find more information here.
If you see addresses that are of concern, you can always apply a firewall filter to the Loopback interface which filters all traffic destined to the RE. More information here.
Please let me know if you have any questions. I hope this helps!
Thank you so much for your response. As I understand it, em0.0 is the logical interface of em0, which is supposed to be the management interface. I did not change anything out of the box regarding this interface. It's factory configured with the IPs:
Not sure how to paste images inline, but I attached the screenshot.
tcp4 0 0 188.8.131.52.6080 184.108.40.206.65044 ESTABLISHED
tcp4 0 0 220.127.116.11.6021 18.104.22.168.40720 ESTABLISHED
tcp4 0 0 22.214.171.124.6033 126.96.36.199.59880 ESTABLISHED
tcp4 0 0 188.8.131.52.59880 184.108.40.206.6033 ESTABLISHED
tcp4 0 0 220.127.116.11.33180 18.104.22.168.58041 ESTABLISHED
tcp4 0 0 22.214.171.124.33180 126.96.36.199.45090 ESTABLISHED
Can I just disable this interface?
edit -- apparently not, because it is assigned as the HA control interface:
Control link status: Up
Control interfaces:
    Index   Interface   Monitored-Status   Internal-SA   Security
    0       em0         Up                 Disabled      Disabled
I'm now really confused as to why there's external connections to it...
It sounds like there may be some confusion. The "show system connections" command provides a list of listening ports and connections to the RE. This is essentially a formatted netstat output. The RE can have IPs on multiple interfaces and communications can flow through them. This is not limited to the em0 interface. For example, you could see SNMP polls and SSH connections off of the lo0 interface within this output.
Ultimately, if you're trying to control traffic destined to the device itself you are better off writing firewall policy. You can either do a zone-based policy written on interface zones through the "set security policies" stanza or through the "set firewall filter" stanza. If you have a specific list of IPs or services you would like to be capable of terminating to the device I would be happy to assist in writing the specific policy. I hope this helps!
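As an added example (not configuration from this thread or from Juniper), this is the shape of the lo0 firewall filter the answer above suggests for limiting what may reach the Routing Engine: management protocols only from a trusted subnet, replies to traffic the RE itself originates, and a logged discard for everything else. The 192.0.2.0/24 management subnet, the 203.0.113.10 NTP server and the filter and term names are assumed placeholders.

```junos
/* Added example (not from the thread); addresses and names are placeholders. */
firewall {
    family inet {
        filter PROTECT-RE {
            term allow-mgmt {
                /* SSH and HTTPS only from the management subnet */
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                    protocol tcp;
                    destination-port [ ssh https ];
                }
                then accept;
            }
            term allow-ntp-replies {
                /* replies to time queries the RE itself sends */
                from {
                    source-address {
                        203.0.113.10/32;
                    }
                    protocol udp;
                    source-port ntp;
                }
                then accept;
            }
            term deny-rest {
                /* anything else aimed at the RE is logged and dropped */
                then {
                    log;
                    syslog;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE;
                }
            }
        }
    }
}
```

Apply it with `commit confirmed` so a filter that locks out management reverts on its own, and add an accept term before deny-rest for every other service the RE depends on (DNS, syslog, RADIUS/TACACS+ replies), then check "show system connections" to confirm the cluster's control-link sessions are still established.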
Thank you so much. This makes sense. I will go ahead and configure ip blocking.