SRX




  • 1.  system-services (Security Zones Host Inbound Traffic) for custom services

    Posted 05-09-2019 06:07

    Hi,

    If I have allowed traffic for some custom TCP port in a security policy, but that port/service is not available under host-inbound-traffic system-services, then how will that TCP traffic pass through that security zone?

     

    Thank you

     


    #firewallzone


  • 2.  RE: system-services (Security Zones Host Inbound Traffic) for custom services

     
    Posted 05-09-2019 06:17
    host-inbound-traffic system-services is checked only when the traffic destination is the SRX itself; it won't be checked if the traffic is passthrough for the SRX.

    For example, if you do telnet/SSH to the SRX, it checks host-inbound-traffic system-services.

    If you do telnet/SSH to another device connected through the SRX, host-inbound-traffic system-services will not be checked, but the policy is checked.


  • 3.  RE: system-services (Security Zones Host Inbound Traffic) for custom services

    Posted 05-09-2019 10:24
    Thank you Suraj.
    If I configure a custom port for untrust interface web access and try to access it from the outside network, can I access the firewall web interface on the custom port?
    I simply want to know: if the service is not available under host-inbound services, then what is the solution?

    Thank you


  • 4.  RE: system-services (Security Zones Host Inbound Traffic) for custom services

    Posted 05-09-2019 11:01

    You need a security policy. 

     

    Say you have this topology: 

    [attached image: ZONES.png]

     

    Configure this: 

     

    set security zones security-zone OUTSIDE interfaces ge-0/0/1.0

    set security zones security-zone WEB interfaces ge-0/0/2.0

     

    set security policies from-zone OUTSIDE to-zone WEB policy 1 match source-address any

    set security policies from-zone OUTSIDE to-zone WEB policy 1 match destination-address WEB-SERVER

    set security policies from-zone OUTSIDE to-zone WEB policy 1 match application CUSTOM-WEB

    set security policies from-zone OUTSIDE to-zone WEB policy 1 then permit

     

    set security address-book global address WEB-SERVER 10.1.1.1

    set applications application CUSTOM-WEB protocol tcp

    set applications application CUSTOM-WEB destination-port 8080

    set applications application CUSTOM-WEB application-protocol http

     

    HTH,



  • 5.  RE: system-services (Security Zones Host Inbound Traffic) for custom services

    Posted 05-09-2019 11:19

    WAIT!   Maybe I misunderstood the question.

    Are you trying to access J-Web on your SRX using a port other than 80? Something like this?

    [attached image: WEB ACCESS.png]

    If so, this is what you need:

     

    [edit system services web-management]
    root@R1# show | display set relative
    set http port 8080


    [edit security zones security-zone OUTSIDE]
    root@R1# show | display set relative
    set host-inbound-traffic system-services http    <= you still need this! 

     



  • 6.  RE: system-services (Security Zones Host Inbound Traffic) for custom services

    Posted 05-10-2019 02:03

    Hi,

    QUE :-

    If I configure a custom port for untrust interface web access and try to access it from the outside network, can I access the firewall web interface on the custom port?
    I simply want to know: if the service is not available under host-inbound services, then what is the solution?

     

    ANS :-

    The service (http-custom)* has to be enabled on the outside interface's zone.

    HTTPS access won't work if the http service is not available under host-inbound services.

     

    * - Needs to be defined

    Regards,

     

    Rahul



  • 7.  RE: system-services (Security Zones Host Inbound Traffic) for custom services
    Best Answer

     
    Posted 05-10-2019 02:36

    Hi,

    You do not need to allow any custom port explicitly. You just need to allow system-services http; the custom port is then allowed automatically.

    root@srx# show system services web-management
    http {
        port 8080;
    }

    root@srx# show security zones functional-zone management
    interfaces {
        ge-0/0/0.0;
    }
    host-inbound-traffic {
        system-services {
            ping;
            ssh;
            telnet;
            http;    <<< I only have http allowed
            https;
            snmp;
            ntp;
            ftp;
        }
    }

    root@srx# run show system connections | grep 8080
    tcp46      0      0  *.8080          *.*            LISTEN
    tcp4       0      0  *.8080          *.*            LISTEN

     

    J-Web on port 8080 works with the above configuration (screenshot attached).

     

    I hope this helps.

     

    Regards,

     

    Vikas
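The two decision paths described in replies 2, 4 and 7 (host-inbound-traffic system-services for traffic addressed to the SRX itself, from-zone/to-zone security policies for transit traffic) can be modelled in a few dozen lines. The following is an added example, not Junos code and not something posted in this thread: a simplified Python model that loads a constructed `display set` configuration and reports, for a given inbound TCP flow, which mechanism decides it and why. The addresses, interface names and zone names are constructed for illustration; the model only knows the handful of statements it parses and the default ports listed in `DEFAULT_SERVICE_PORTS`.

```python
"""Simplified model of how an SRX decides an inbound TCP flow (added example, not Junos code).
A flow addressed to one of the SRX's own interface addresses is checked only against the
ingress zone's host-inbound-traffic system-services; a transit flow is checked only against
from-zone/to-zone security policies. Configuration and addresses below are constructed."""

from ipaddress import ip_address, ip_interface

# Default listening ports of the system-services modelled here (assumption: only these
# four are modelled). The http entry is overridden by 'set system services
# web-management http port N', which is what makes J-Web on 8080 work with plain 'http'.
DEFAULT_SERVICE_PORTS = {"http": 80, "https": 443, "ssh": 22, "telnet": 23}


class SrxModel:
    def __init__(self, set_commands):
        self.zone_of_ifl = {}        # "ge-0/0/1.0" -> "OUTSIDE"
        self.ifl_network = {}        # "ge-0/0/1.0" -> connected IPv4Network
        self.self_ips = set()        # addresses owned by the SRX itself
        self.zone_services = {}      # zone -> set of enabled system-services
        self.service_ports = dict(DEFAULT_SERVICE_PORTS)
        self.addresses = {}          # address-book name -> IPv4Address
        self.applications = {}       # application name -> {"proto": ..., "port": ...}
        self.policies = {}           # (from-zone, to-zone, name) -> match/then terms, in order
        for line in set_commands:
            self._apply(line.split())

    def _apply(self, t):
        if t[:2] == ["set", "interfaces"]:
            # set interfaces ge-0/0/1 unit 0 family inet address 203.0.113.1/24
            iface = ip_interface(t[8])
            self.ifl_network[f"{t[2]}.{t[4]}"] = iface.network
            self.self_ips.add(iface.ip)
        elif t[:3] == ["set", "security", "zones"]:
            zone = t[4]
            if t[5] == "interfaces":
                self.zone_of_ifl[t[6]] = zone
            elif t[5:7] == ["host-inbound-traffic", "system-services"]:
                self.zone_services.setdefault(zone, set()).add(t[7])
        elif t[:6] == ["set", "system", "services", "web-management", "http", "port"]:
            self.service_ports["http"] = int(t[6])
        elif t[:4] == ["set", "security", "address-book", "global"]:
            self.addresses[t[5]] = ip_address(t[6])
        elif t[:3] == ["set", "applications", "application"]:
            app = self.applications.setdefault(t[3], {})
            if t[4] == "protocol":
                app["proto"] = t[5]
            elif t[4] == "destination-port":
                app["port"] = int(t[5])
        elif t[:4] == ["set", "security", "policies", "from-zone"]:
            # set security policies from-zone A to-zone B policy P match|then ...
            pol = self.policies.setdefault((t[4], t[6], t[8]), {})
            if t[9] == "match":
                pol[t[10]] = t[11]
            elif t[9] == "then":
                pol["action"] = t[10]

    def _addr_match(self, name, dst):
        return name == "any" or self.addresses.get(name) == dst

    def _app_match(self, name, proto, port):
        if name == "any":
            return True
        app = self.applications.get(name, {})
        return app.get("proto") == proto and app.get("port") == port

    def classify(self, ingress_ifl, dst_ip, proto, dst_port):
        """Return (verdict, reason) for a flow arriving on ingress_ifl."""
        dst = ip_address(dst_ip)
        zone = self.zone_of_ifl[ingress_ifl]
        if dst in self.self_ips:
            # Host-bound: only the zone's system-services matter; policies are not consulted.
            for svc in sorted(self.zone_services.get(zone, ())):
                if proto == "tcp" and self.service_ports.get(svc) == dst_port:
                    return "permit", f"host-inbound-traffic system-services {svc} (port {dst_port})"
            return "drop", f"no system-service enabled in zone {zone} listens on {proto}/{dst_port}"
        # Transit: egress zone comes from the connected network, then policies are walked in order.
        egress = next((self.zone_of_ifl[i] for i, net in self.ifl_network.items() if dst in net), None)
        if egress is None:
            return "drop", "no route to destination"
        for (frm, to, name), pol in self.policies.items():
            if (frm, to) != (zone, egress):
                continue
            if not self._addr_match(pol.get("destination-address", "any"), dst):
                continue
            if not self._app_match(pol.get("application", "any"), proto, dst_port):
                continue
            return pol.get("action", "deny"), f"policy {name} ({frm} -> {to})"
        return "deny", f"no {zone} -> {egress} policy matches; default-policy deny"


# Constructed configuration: J-Web moved to 8080, only http allowed inbound on OUTSIDE,
# and a transit policy permitting tcp/8080 to a web server behind the SRX.
SAMPLE_CONFIG = """
set interfaces ge-0/0/1 unit 0 family inet address 203.0.113.1/24
set interfaces ge-0/0/2 unit 0 family inet address 10.1.1.254/24
set security zones security-zone OUTSIDE interfaces ge-0/0/1.0
set security zones security-zone OUTSIDE host-inbound-traffic system-services http
set security zones security-zone WEB interfaces ge-0/0/2.0
set system services web-management http port 8080
set security address-book global address WEB-SERVER 10.1.1.1
set applications application CUSTOM-WEB protocol tcp
set applications application CUSTOM-WEB destination-port 8080
set security policies from-zone OUTSIDE to-zone WEB policy 1 match source-address any
set security policies from-zone OUTSIDE to-zone WEB policy 1 match destination-address WEB-SERVER
set security policies from-zone OUTSIDE to-zone WEB policy 1 match application CUSTOM-WEB
set security policies from-zone OUTSIDE to-zone WEB policy 1 then permit
""".strip().splitlines()


def build_model():
    return SrxModel(SAMPLE_CONFIG)


if __name__ == "__main__":
    srx = build_model()
    for flow in [("ge-0/0/1.0", "203.0.113.1", "tcp", 8080),   # J-Web on the SRX itself
                 ("ge-0/0/1.0", "203.0.113.1", "tcp", 22),     # SSH to the SRX, not enabled
                 ("ge-0/0/1.0", "10.1.1.1", "tcp", 8080),      # transit to the web server
                 ("ge-0/0/1.0", "10.1.1.1", "tcp", 443)]:      # transit, no matching policy
        print(flow, "->", srx.classify(*flow))
```

The four sample flows make the thread's point concrete: the policy permitting CUSTOM-WEB to the web server never comes into play for 8080 on the SRX's own address, and that host-bound flow is accepted only because `http` is in the zone's system-services and the web-management port is 8080; conversely, SSH to the SRX from OUTSIDE is dropped even though no policy denies it, because no policy is consulted for host-bound traffic.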