Hi there,
The source-address-exclude command is quite limited - you'd be better off creating an explicit permit rule for the 20 hosts you wish to allow, and then following it with a deny rule. I would also advise using an address-set so that you can add and remove hosts from your permit list without having to change the policy, e.g.:
## First, create an address-set AS-DENY-SSH containing the servers you wish to deny SSH for:
set security address-book global address SERVER1 192.168.1.11/32
set security address-book global address SERVER2 192.168.1.12/32
set security address-book global address SERVER3 192.168.1.13/32
set security address-book global address SERVER4 192.168.1.14/32
set security address-book global address SERVER5 192.168.1.15/32
set security address-book global address-set AS-SRV_LIST address SERVER1
set security address-book global address-set AS-SRV_LIST address SERVER2
set security address-book global address-set AS-SRV_LIST address SERVER3
set security address-book global address-set AS-SRV_LIST address SERVER4
set security address-book global address-set AS-SRV_LIST address SERVER5
set security address-book global address-set AS-DENY-SSH address SERVER1
set security address-book global address-set AS-DENY-SSH address SERVER3
set security address-book global address-set AS-DENY-SSH address SERVER5
## Now create your security policies - always make sure you place any DENY rules first
set security policies from-zone trust to-zone srv-frm policy DENY-SSH match source-address srv_admin_list
set security policies from-zone trust to-zone srv-frm policy DENY-SSH match destination-address AS-DENY-SSH
set security policies from-zone trust to-zone srv-frm policy DENY-SSH match application junos-ssh
set security policies from-zone trust to-zone srv-frm policy DENY-SSH then deny
set security policies from-zone trust to-zone srv-frm policy DENY-SSH then log session-init
## Tip: there is no need to log session-close for a DENY policy, as the session will never be allowed to establish (and so there will never be a session-close event generated)
set security policies from-zone trust to-zone srv-frm policy PERMIT-SSH match source-address srv_admin_list
set security policies from-zone trust to-zone srv-frm policy PERMIT-SSH match destination-address AS-SRV_LIST
set security policies from-zone trust to-zone srv-frm policy PERMIT-SSH match application junos-ssh
set security policies from-zone trust to-zone srv-frm policy PERMIT-SSH then permit
set security policies from-zone trust to-zone srv-frm policy PERMIT-SSH then log session-init
set security policies from-zone trust to-zone srv-frm policy PERMIT-SSH then log session-close
------------------------------
Cheers,
Ben Dale
JNCIE-SEC #63
JNCIP-SP
JNCIP-ENT
JNCIP-DC
------------------------------
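To check the ordering point made in the reply above (the DENY rule must sit before the PERMIT rule or the hosts in AS-DENY-SSH fall through to the permit), here is a small first-match simulator for the posted "set" lines. It is an added example, not code from the thread or from Juniper; ADMIN1 / 10.0.5.7 is a constructed stand-in for a member of srv_admin_list, which the thread does not list.

```python
# Added example, not from the thread: first-match simulation of the 'set' lines
# above. ADMIN1 / 10.0.5.7 is a constructed stand-in for a srv_admin_list member.
import ipaddress

CONFIG = """\
set security address-book global address SERVER1 192.168.1.11/32
set security address-book global address SERVER3 192.168.1.13/32
set security address-book global address ADMIN1 10.0.5.7/32
set security address-book global address-set AS-SRV_LIST address SERVER1
set security address-book global address-set AS-SRV_LIST address SERVER3
set security address-book global address-set AS-DENY-SSH address SERVER3
set security address-book global address-set srv_admin_list address ADMIN1
set security policies from-zone trust to-zone srv-frm policy DENY-SSH match source-address srv_admin_list
set security policies from-zone trust to-zone srv-frm policy DENY-SSH match destination-address AS-DENY-SSH
set security policies from-zone trust to-zone srv-frm policy DENY-SSH match application junos-ssh
set security policies from-zone trust to-zone srv-frm policy DENY-SSH then deny
set security policies from-zone trust to-zone srv-frm policy PERMIT-SSH match source-address srv_admin_list
set security policies from-zone trust to-zone srv-frm policy PERMIT-SSH match destination-address AS-SRV_LIST
set security policies from-zone trust to-zone srv-frm policy PERMIT-SSH match application junos-ssh
set security policies from-zone trust to-zone srv-frm policy PERMIT-SSH then permit"""

def parse(config):
    addrs, sets, policies = {}, {}, {}        # policy dict keeps first-appearance order
    for w in (line.split() for line in config.strip().splitlines()):
        if w[2] == "address-book" and w[4] == "address":
            addrs[w[5]] = ipaddress.ip_network(w[6])
        elif w[2] == "address-book":            # address-set member line
            sets.setdefault(w[5], []).append(w[7])
        elif w[9] == "match":
            policies.setdefault(w[8], {}).setdefault(w[10], []).append(w[11])
        elif w[10] in ("permit", "deny"):       # 'then log ...' lines are ignored
            policies.setdefault(w[8], {})["action"] = w[10]
    return addrs, sets, policies

def resolve(name, addrs, sets):
    # Expand an address or (possibly nested) address-set name to its networks.
    if name in addrs:
        return [addrs[name]]
    return [n for m in sets[name] for n in resolve(m, addrs, sets)]

def evaluate(config, src, dst, app):
    # First matching policy wins; an unmatched flow hits the implicit default deny.
    addrs, sets, policies = parse(config)
    def hit(names, ip):
        return any(ipaddress.ip_address(ip) in n for a in names for n in resolve(a, addrs, sets))
    for name, pol in policies.items():
        if (hit(pol["source-address"], src) and hit(pol["destination-address"], dst)
                and app in pol["application"]):
            return name, pol["action"]
    return "default-policy", "deny"
```

Swapping the two policy blocks in CONFIG makes the SERVER3 flow return PERMIT-SSH, which is the shadowing mistake the reply warns about.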
Original Message:
Sent: 11-01-2020 03:40
From: Elevate Member
Subject: Re: 10 maximum source-address in policy match
Hi,
What should I do when I need to permit SSH access to 20 nos. of random IPs from a huge segment, and deny everything else?
set security policies from-zone trust to-zone srv-frm policy srv-access match source-address srv_admin_list
set security policies from-zone trust to-zone srv-frm policy srv-access match destination-address srv_list
set security policies from-zone trust to-zone srv-frm policy srv-access match source-address-excluded
set security policies from-zone trust to-zone srv-frm policy srv-access match application junos-ssh
set security policies from-zone trust to-zone srv-frm policy srv-access then deny
set security policies from-zone trust to-zone srv-frm policy srv-access then log session-init
set security policies from-zone trust to-zone srv-frm policy srv-access then log session-close
In the "srv_admin_list" I have 10 random IPs. These are allowed to connect, and they are working fine. But when I add more than ten it refuses to add the IPs, and I get the message that the limit of source-addresses is 10. I need 20 random IPs to be added. I was forced to use "source-address-excluded" because there is a "permit any any" statement which is used by some traffic which I don't want to disrupt.
Best Regards,
S.Syed