
system-services (Security Zones Host Inbound Traffic) for custom services

  • 1.  system-services (Security Zones Host Inbound Traffic) for custom services

    Posted 05-09-2019 06:07

    Hi,

    If I have allowed traffic for some custom TCP port in the security policy, but that port/service is not available under host-inbound-traffic system-services, then how will that TCP traffic pass through that security zone?

    Thank you

    #firewallzone


  • 2.  RE: system-services (Security Zones Host Inbound Traffic) for custom services

    Posted 05-09-2019 06:17

    host-inbound-traffic system-services is checked only when the traffic destination is the SRX itself; it won't be checked if the traffic is passthrough for the SRX.

    For example, if you telnet/SSH to the SRX, it checks host-inbound-traffic system-services.

    If you telnet/SSH to another device connected through the SRX, host-inbound-traffic system-services will not be checked, but the policy is checked.


  • 3.  RE: system-services (Security Zones Host Inbound Traffic) for custom services

    Posted 05-09-2019 10:24
    Thank you Suraj.
    If I configure a custom port for untrust interface web access and try to access it from the outside network, can I access the firewall web interface on the custom port?
    I simply want to know: if the service is not available under host-inbound services, then what will be the solution?

    Thank you


  • 4.  RE: system-services (Security Zones Host Inbound Traffic) for custom services

    Posted 05-09-2019 11:01

    You need a security policy.

    Say you have this topology:

    (attached image: ZONES.png)

    Configure this:

    set security zones security-zone OUTSIDE interfaces ge-0/0/1.0
    set security zones security-zone WEB interfaces ge-0/0/2.0

    set security policies from-zone OUTSIDE to-zone WEB policy 1 match source-address any
    set security policies from-zone OUTSIDE to-zone WEB policy 1 match destination-address WEB-SERVER
    set security policies from-zone OUTSIDE to-zone WEB policy 1 match application CUSTOM-WEB
    set security policies from-zone OUTSIDE to-zone WEB policy 1 then permit

    set security address-book global address WEB-SERVER 10.1.1.1
    set applications application CUSTOM-WEB protocol tcp
    set applications application CUSTOM-WEB destination-port 8080
    set applications application CUSTOM-WEB application-protocol http

    HTH,



  • 5.  RE: system-services (Security Zones Host Inbound Traffic) for custom services

    Posted 05-09-2019 11:19

    WAIT! Maybe I misunderstood the question.

    Are you trying to access J-Web on your SRX using a port other than 80? Something like this?

    (attached image: WEB ACCESS.png)

    If so, this is what you need:

    [edit system services web-management]
    root@R1# show | display set relative
    set http port 8080

    [edit security zones security-zone OUTSIDE]
    root@R1# show | display set relative
    set host-inbound-traffic system-services http    <= you still need this!

  • 6.  RE: system-services (Security Zones Host Inbound Traffic) for custom services

    Posted 05-10-2019 02:03

    Hi,

    QUE :-

    If I configure a custom port for untrust interface web access and try to access it from the outside network, can I access the firewall web interface on the custom port?
    I simply want to know: if the service is not available under host-inbound services, then what will be the solution?

    ANS :-

    Service (http-custom)* has to be enabled on the outside interface zone.

    HTTPS access won't work if the http service is not available under host-inbound services.

    * Needs to be defined.

    Regards,

    Rahul



  • 7.  RE: system-services (Security Zones Host Inbound Traffic) for custom services
    Best Answer

    Posted 05-10-2019 02:36

    Hi,

    You do not need to allow any custom port explicitly. You just need to allow system-services http. Automatically, the custom port is allowed.

    root@srx# show system services web-management
    http {
        port 8080;
    }

    root@srx# show security zones functional-zone management
    interfaces {
        ge-0/0/0.0;
    }
    host-inbound-traffic {
        system-services {
            ping;
            ssh;
            telnet;
            http;    <<< I only have http allowed
            https;
            snmp;
            ntp;
            ftp;
        }
    }

    root@srx# run show system connections | grep 8080
    tcp46    0    0    *.8080    *.*    LISTEN
    tcp4     0    0    *.8080    *.*    LISTEN

    J-Web on port 8080 works with the above configuration (screenshot attached).

    I hope this helps.

    Regards,

    Vikas
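To make the distinction drawn in reply 2 and the best answer concrete, here is a small Python model (an added illustration, not Junos code and not from anyone in the thread): a destination that is one of the SRX's own interface addresses is checked against the ingress zone's host-inbound-traffic system-services, where the service name resolves to the configured web-management port, while any other destination is matched against from-zone/to-zone security policies. The interface addresses, routes, zone names and policy below are constructed for the example.

```python
"""Added model (not Junos code) of which check an SRX applies to a flow:
self-terminating traffic hits the ingress zone's host-inbound-traffic
system-services; passthrough traffic hits from-zone/to-zone policies.
Service names resolve to the configured port, so 'http' covers 8080."""
import ipaddress

# Constructed configuration mirroring the thread, not a real device dump.
CONFIG = {
    "web_management": {"http": 8080},   # web-management http port 8080
    "interfaces": {"ge-0/0/1.0": ("203.0.113.1", "OUTSIDE"),
                   "ge-0/0/2.0": ("10.1.1.254", "WEB")},
    "routes": {"10.1.1.0/24": "ge-0/0/2.0", "0.0.0.0/0": "ge-0/0/1.0"},
    "zones": {"OUTSIDE": {"http", "ssh"}, "WEB": set()},  # host-inbound system-services
    "applications": {"CUSTOM-WEB": ("tcp", 8080)},
    # (name, from-zone, to-zone, destination-address, application, action)
    "policies": [("1", "OUTSIDE", "WEB", "10.1.1.1", "CUSTOM-WEB", "permit")],
}

def service_ports(cfg):
    """Map system-service names to (proto, port), honouring configured ports."""
    wm = cfg["web_management"]
    return {"ssh": ("tcp", 22), "telnet": ("tcp", 23),
            "http": ("tcp", wm.get("http", 80)),
            "https": ("tcp", wm.get("https", 443))}

def egress_zone(cfg, dst_ip):
    """Longest-prefix route lookup, then the egress interface's zone."""
    addr = ipaddress.ip_address(dst_ip)
    nets = [ipaddress.ip_network(p) for p in cfg["routes"]]
    best = max((n for n in nets if addr in n), key=lambda n: n.prefixlen)
    return cfg["interfaces"][cfg["routes"][str(best)]][1]

def evaluate(cfg, in_if, dst_ip, proto, dport):
    """Return (check_applied, verdict, matched_name) for one inbound flow."""
    in_zone = cfg["interfaces"][in_if][1]
    self_ips = {ip for ip, _ in cfg["interfaces"].values()}
    if dst_ip in self_ips:  # terminates on the SRX: zone host-inbound check
        table = service_ports(cfg)
        for svc in sorted(cfg["zones"][in_zone]):
            if table.get(svc) == (proto, dport):
                return ("host-inbound-traffic", "permit", svc)
        return ("host-inbound-traffic", "deny", None)
    to_zone = egress_zone(cfg, dst_ip)  # passthrough: security policy check
    for name, frm, to, dst, app, action in cfg["policies"]:
        if ((frm, to) == (in_zone, to_zone) and dst in ("any", dst_ip)
                and cfg["applications"][app] == (proto, dport)):
            return ("security-policy", action, name)
    return ("security-policy", "deny", None)  # implicit default deny
```

With the http port moved to 8080, a connection to the SRX on 8080 passes the host-inbound check via plain `http` while port 80 is denied, matching the listening sockets in the best answer; the same port towards the web server behind the SRX is decided by policy 1 instead.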