SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX Security Processing and PPPOE & CHAP authentication

    Posted 01-03-2021 02:34
    I'm doing some more work with Juniper SRXs recently and I've done some reading on Traffic Processing on SRX Series Devices Overview, and I have a query that I can't really find an exact answer to in the Juniper documentation.

    If we have an SRX where, for example, ge-0/0/0.0 is being utilized with a security zone (eg OUTSIDE) to connect to an Internet link via an ISP that utilizes PPPOE with CHAP authentication, how do security rules/policies work with outbound services which are enabled/originating from the SRX's interface within that zone?

    When a PPPOE setup is enabled on an SRX zone/interface, does the SRX automatically permit the PPPOE traffic via a hidden policy specific to that interface/zone, or do you need to configure a security policy/rule for that zone to that zone permitting PPPOE, or from "junos-host" to the "OUTSIDE" zone for example?

    Alternatively, is there a configuration setup like the one below, which permits an inbound service (eg SSH), but the reverse, which permits an outbound system service on that interface?

    set security zones security-zone INSIDE-LAN interfaces irb.20 host-inbound-traffic system-services ssh


    Thanks.



    ------------------------------
    Dave
    ------------------------------


  • 2.  RE: SRX Security Processing and PPPOE & CHAP authentication
    Best Answer

    Posted 01-03-2021 11:00
    By default outbound connections from the SRX are allowed and inbound connections to the SRX are denied.

    Adding the zone or interface specific host-inbound-traffic will permit any connection on that allowed protocol/port to that zone or interface.

    The junos-host zone comes into play if you want more control than these two options above.  You can then write security policies from or to the junos-host zone and more finely control the traffic that is permitted for the SRX host itself.

    Obviously with all these options be sure you don't lock yourself out.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------
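One way to lay out the three mechanisms Steve describes (default behaviour, host-inbound-traffic, and junos-host policies) alongside a PPPoE/CHAP uplink, as an added example that is not from either poster or from Juniper: interface, zone and policy names, the CHAP credentials and the chosen services are placeholders, and lines beginning with # are explanatory notes rather than Junos commands.

```junos
# Underlying Ethernet interface carries the PPPoE session (placeholder interface names)
set interfaces ge-0/0/0 unit 0 encapsulation ppp-over-ether

# PPPoE client on pp0.0 with CHAP; username and secret are placeholders
set interfaces pp0 unit 0 ppp-options chap default-chap-secret "ISP-SECRET-PLACEHOLDER"
set interfaces pp0 unit 0 ppp-options chap local-name "isp-username-placeholder"
set interfaces pp0 unit 0 ppp-options chap passive
set interfaces pp0 unit 0 pppoe-options underlying-interface ge-0/0/0.0
set interfaces pp0 unit 0 pppoe-options auto-reconnect 10
set interfaces pp0 unit 0 pppoe-options client
set interfaces pp0 unit 0 family inet negotiate-address
set routing-options static route 0.0.0.0/0 next-hop pp0.0

# Both the physical and the PPPoE logical interface sit in the OUTSIDE zone
set security zones security-zone OUTSIDE interfaces ge-0/0/0.0
set security zones security-zone OUTSIDE interfaces pp0.0

# Inbound to the SRX itself is denied by default; on the Internet side open only ping
set security zones security-zone OUTSIDE host-inbound-traffic system-services ping

# Management (SSH) is opened only from the LAN-facing zone
set security zones security-zone INSIDE-LAN interfaces irb.20
set security zones security-zone INSIDE-LAN host-inbound-traffic system-services ssh
set security zones security-zone INSIDE-LAN host-inbound-traffic system-services ping

# Finer control than the default "outbound allowed": junos-host -> OUTSIDE policies
# permit only DNS, NTP and ping from the SRX itself, log them, and deny the rest
set security policies from-zone junos-host to-zone OUTSIDE policy HOST-OUT-ALLOW match source-address any
set security policies from-zone junos-host to-zone OUTSIDE policy HOST-OUT-ALLOW match destination-address any
set security policies from-zone junos-host to-zone OUTSIDE policy HOST-OUT-ALLOW match application junos-dns-udp
set security policies from-zone junos-host to-zone OUTSIDE policy HOST-OUT-ALLOW match application junos-ntp
set security policies from-zone junos-host to-zone OUTSIDE policy HOST-OUT-ALLOW match application junos-ping
set security policies from-zone junos-host to-zone OUTSIDE policy HOST-OUT-ALLOW then permit
set security policies from-zone junos-host to-zone OUTSIDE policy HOST-OUT-ALLOW then log session-init
set security policies from-zone junos-host to-zone OUTSIDE policy HOST-OUT-DENY match source-address any
set security policies from-zone junos-host to-zone OUTSIDE policy HOST-OUT-DENY match destination-address any
set security policies from-zone junos-host to-zone OUTSIDE policy HOST-OUT-DENY match application any
set security policies from-zone junos-host to-zone OUTSIDE policy HOST-OUT-DENY then deny
set security policies from-zone junos-host to-zone OUTSIDE policy HOST-OUT-DENY then log session-init
```

Commit this with `commit confirmed` so that a mistake in the host-inbound-traffic or junos-host entries rolls back on its own instead of locking you out, and check the result with `show security policies from-zone junos-host to-zone OUTSIDE` and `show security zones`.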