SRX

Firewall rules for security director

  • 1.  Firewall rules for security director

    Posted 04-22-2019 10:19
    Hi,

    Will be installing Juniper Security Director soon and wanted to know what TCP/UDP ports are required to make it integrate with SRX firewalls?

    Do I need to add a rule on the SRX so it comes from the relevant zone to the Junos-host in the policy base?

    Thanks
    #SRX
    #director
    #security


  • 2.  RE: Firewall rules for security director

    Posted 04-22-2019 12:59

    In general Security Director relies on the ports needed for Junos Space. The required ports are listed in https://kb.juniper.net/InfoCenter/index?page=content&id=kb18148

    In summary, only SSH from Space/SD towards the SRX gateways is needed. SD does NETCONF via SSH.

    Ping and SNMP read (UDP/161) are optional but nice to have available.


  • 3.  RE: Firewall rules for security director

    Posted 04-22-2019 13:12
    Thanks,

    Just to clarify: do I need the rule to be from the zone SD sits in towards the Junos-host zone on each SRX?


  • 4.  RE: Firewall rules for security director
    Best Answer

    Posted 04-22-2019 13:28

    In general, your assumption is correct... but it depends on your setup.

    It could also be that you only allow SSH as a host-inbound-traffic system-service on the relevant zone/interface and then have an RE protection firewall filter to handle which IPs can access via SSH in this zone.

    An alternative could also be a global policy which allows management across all zones, to avoid doing multiple src-zoneX/Y/Z to junos-host policies (if SSH access is needed from multiple different zones).

    Junos provides you many ways to accomplish the same goal 🙂

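    The first two approaches from this answer, written out as an added Junos set-format example (not configuration from the thread or from Juniper): the zone name MGMT, interface ge-0/0/0.0 and the Space/SD address 192.0.2.10 are placeholders.

    ```junos
    # Constructed example; 192.0.2.10 stands in for the Junos Space / Security Director address.
    set security address-book global address SD-HOST 192.0.2.10/32

    # Let the RE accept ssh (required) and ping (optional) on the management-facing interface.
    set security zones security-zone MGMT interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
    set security zones security-zone MGMT interfaces ge-0/0/0.0 host-inbound-traffic system-services ping

    # Option 1: explicit zone -> junos-host policy, limited to the SD host and logged.
    set security policies from-zone MGMT to-zone junos-host policy ALLOW-SD-MGMT match source-address SD-HOST
    set security policies from-zone MGMT to-zone junos-host policy ALLOW-SD-MGMT match destination-address any
    set security policies from-zone MGMT to-zone junos-host policy ALLOW-SD-MGMT match application junos-ssh
    set security policies from-zone MGMT to-zone junos-host policy ALLOW-SD-MGMT match application junos-ping
    set security policies from-zone MGMT to-zone junos-host policy ALLOW-SD-MGMT then permit
    set security policies from-zone MGMT to-zone junos-host policy ALLOW-SD-MGMT then log session-init

    # Option 2: RE protection filter on lo0. SSH from the SD host is accepted,
    # any other SSH attempt is logged and dropped, everything else passes through.
    set firewall family inet filter RE-PROTECT term ssh-from-sd from source-address 192.0.2.10/32
    set firewall family inet filter RE-PROTECT term ssh-from-sd from protocol tcp
    set firewall family inet filter RE-PROTECT term ssh-from-sd from destination-port ssh
    set firewall family inet filter RE-PROTECT term ssh-from-sd then accept
    set firewall family inet filter RE-PROTECT term ssh-from-others from protocol tcp
    set firewall family inet filter RE-PROTECT term ssh-from-others from destination-port ssh
    set firewall family inet filter RE-PROTECT term ssh-from-others then syslog
    set firewall family inet filter RE-PROTECT term ssh-from-others then discard
    set firewall family inet filter RE-PROTECT term everything-else then accept
    set interfaces lo0 unit 0 family inet filter input RE-PROTECT
    ```

    The final `everything-else` term is not optional: a lo0 filter ends in an implicit discard, so without it the filter would also drop routing-protocol, DNS and other traffic the RE itself needs.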


  • 5.  RE: Firewall rules for security director

    Posted 04-22-2019 13:50
    That’s great - thanks