SRX

Expand all | Collapse all

SRX Security Processing and PPPOE & CHAP authentication

Jump to Best Answer
  • 1.  SRX Security Processing and PPPOE & CHAP authentication

    Posted 17 days ago
    I'm doing some more work with Juniper SRX's recently and I've done some reading on Traffic Processing on SRX Series Devices Overview and I have a query that I can't really find an exact answer to in the Juniper documentation.

    If we have an SRX where for example Ge-0/0/0.0 is being utilized with a security zone (eg OUTSIDE) to connect to an Internet link via an ISP that utilizes PPPOE with CHAP authentication how do security rules/policies work with outbound services which are enabled/originating from the SRX's interface within that zone?

    When a PPPOE setup is enable on an SRX Zone/Interface does the SRX automatically permit the PPPOE traffic via a hidden policy specific to that interface/zone or do you need to configured a security policy/rule for that zone to that zone permitting PPPOE or from "junos-host" to the "OUTSIDE" zone for example?

    Alternatively is there a configuration setup like the below which permits an inbound service (eg SSH) but the reverse which permits outbound system service on that interface?

    set security zones security-zone INSIDE-LAN interfaces irb.20 host-inbound-traffic system-services ssh​


    Thanks.



    ------------------------------
    Dave
    ------------------------------


  • 2.  RE: SRX Security Processing and PPPOE & CHAP authentication
    Best Answer

     
    Posted 16 days ago
    By default outbound connections from the SRX are allowed and inbound connections to the SRX are denied.

    Adding the zone or interface specific host-inbound-traffic will permit any connection on that allowed protocol/port to that zone or interface.

    The junos-host zone comes into play if you want more control than these two options above.  You can then write security policies from or to the junos-host zone and more finely control the traffic that is permitted for the SRX host itself.

    Obviously with all these options be sure you don't lock yourself out.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------