SRX


SRX and NCP client security policy

  • 1.  SRX and NCP client security policy

    Posted 6 days ago
    Hi all,

    I'd like to configure a dynamic VPN on SRX while using NCP client (https://kb.juniper.net/InfoCenter/index?page=content&id=KB32418) but reading through the example in the link I read this:

    set security policies from-zone untrust to-zone trust policy test match source-address any
    set security policies from-zone untrust to-zone trust policy test match destination-address any
    set security policies from-zone untrust to-zone trust policy test match application any
    set security policies from-zone untrust to-zone trust policy test then permit

    Doesn't this "test" policy allow all connections from the untrust/Internet zone to the trust zone? Isn't this dangerous?

    Thank you in advance.
    Best regards


  • 2.  RE: SRX and NCP client security policy

    Posted 5 days ago
    Hi,

    On that KB it's just an example only. You can fine-tune based on your requirement.

    Thanks


  • 3.  RE: SRX and NCP client security policy

    Posted 5 days ago
    Thanks kronicklez. I guess I can put specific destination IP subnets but it is still open to any source IP from the Internet.

    Unless I am wrong, for example, Cisco AnyConnect configuration links the VPN access to a specific ACL and I don't see a policy linked in Juniper in the same way.
    Thanks.

    Best regards


  • 4.  RE: SRX and NCP client security policy

    Posted 5 days ago
    You can define your source IP and only allow them to connect.

    ------------------------------
    ANKUR
    ------------------------------



  • 5.  RE: SRX and NCP client security policy

    Posted 4 days ago
    Thanks Ankur.

    Several users need access from different locations so it would be very difficult to know their IP addresses in advance and configure them as source in the policy.
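
An added example, not part of the thread or of the Juniper KB: a small Python check that scans Junos `set`-style configuration for permit policies from an untrusted zone that still match `any`. It covers both the `test` policy quoted in the first post and the case from reply 3 where only the destination is narrowed. The default zone name `untrust`, the `narrowed` policy, the `TRUST-SERVERS` address name and the severity labels are assumptions made for the sample.

```python
import re
from collections import defaultdict

# Junos "set"-style security policy lines, as quoted in the thread.
POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
    r"(?:match (source-address|destination-address|application) (\S+)"
    r"|then (permit|deny|reject)\b)"
)

def audit_policies(config_text, untrusted_zones=("untrust",)):
    """Flag permit policies from an untrusted zone that match 'any'."""
    policies = defaultdict(lambda: {"match": defaultdict(set), "action": None})
    for raw in config_text.splitlines():
        # Drop zero-width characters that web copy/paste can leave behind.
        line = raw.replace("\u200b", "").replace("\ufeff", "").strip()
        m = POLICY_RE.match(line)
        if not m:
            continue
        src, dst, name, field, value, action = m.groups()
        entry = policies[(src, dst, name)]
        if field:
            entry["match"][field].add(value)
        else:
            entry["action"] = action
    findings = []
    for (src, dst, name), entry in policies.items():
        if entry["action"] != "permit" or src not in untrusted_zones:
            continue
        wide = sorted(f for f, v in entry["match"].items() if "any" in v)
        if wide:
            severity = "high" if len(wide) == 3 else "review"
            findings.append({"policy": name, "any_fields": wide, "severity": severity})
    return findings

# Constructed sample: post 1's "test" policy plus a hypothetical "narrowed" one.
P = "set security policies from-zone untrust to-zone trust policy "
SAMPLE = "\n".join([
    P + "test match source-address any",
    P + "test match destination-address any",
    P + "test match application any",
    P + "test then permit",
    P + "narrowed match source-address any",
    P + "narrowed match destination-address TRUST-SERVERS",  # assumed name
    P + "narrowed match application junos-https",
    P + "narrowed then permit",
])

if __name__ == "__main__":
    print(audit_policies(SAMPLE))
```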