SRX and NCP client security policy

  • 1.  SRX and NCP client security policy

    Posted 01-13-2021 16:52
    Hi all,

    I'd like to configure a dynamic VPN on SRX while using NCP client (https://kb.juniper.net/InfoCenter/index?page=content&id=KB32418) but reading through the example in the link I read this:

    set security policies from-zone untrust to-zone trust policy test match source-address any
    set security policies from-zone untrust to-zone trust policy test match destination-address any
    set security policies from-zone untrust to-zone trust policy test match application any
    set security policies from-zone untrust to-zone trust policy test then permit

    Doesn't this "test" policy allow all connections from the untrust/Internet zone to the trust zone? Isn't this dangerous?

    Thank you in advance.
    Best regards
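
The following is an added example, not part of the thread or of Juniper's KB article: a small audit script that parses Junos-style `set security policies` lines and flags permit policies from an untrusted zone whose match terms are `any` and that are not bound to an IPsec tunnel. The config it runs over is constructed inline; the first policy is the `test` policy quoted above, while the `vpn-users` policy (using the Junos policy-based VPN form `then permit tunnel ipsec-vpn <name>`) and the `allow-out` policy are made up for contrast. Zone names treated as untrusted are an assumption passed in by the caller.

```python
import re

# Constructed sample config in Junos "set" style. The "test" policy is the one
# quoted in the post; "vpn-users" and "allow-out" are constructed for contrast.
SAMPLE_CONFIG = """\
set security policies from-zone untrust to-zone trust policy test match source-address any
set security policies from-zone untrust to-zone trust policy test match destination-address any
set security policies from-zone untrust to-zone trust policy test match application any
set security policies from-zone untrust to-zone trust policy test then permit
set security policies from-zone untrust to-zone trust policy vpn-users match source-address any
set security policies from-zone untrust to-zone trust policy vpn-users match destination-address internal-servers
set security policies from-zone untrust to-zone trust policy vpn-users match application junos-https
set security policies from-zone untrust to-zone trust policy vpn-users then permit tunnel ipsec-vpn ncp-vpn
set security policies from-zone trust to-zone untrust policy allow-out match source-address any
set security policies from-zone trust to-zone untrust policy allow-out match destination-address any
set security policies from-zone trust to-zone untrust policy allow-out match application any
set security policies from-zone trust to-zone untrust policy allow-out then permit
"""

POLICY_RE = re.compile(
    r"^set security policies from-zone (?P<from>\S+) to-zone (?P<to>\S+) "
    r"policy (?P<name>\S+) (?P<rest>.+)$"
)


def parse_policies(config_text):
    """Group 'set security policies' lines into one record per (from, to, name)."""
    policies = {}
    for line in config_text.splitlines():
        m = POLICY_RE.match(line.strip())
        if not m:
            continue  # not a security-policy statement; ignore
        key = (m["from"], m["to"], m["name"])
        pol = policies.setdefault(key, {
            "source": [], "destination": [], "application": [],
            "action": None, "tunnel": None,
        })
        rest = m["rest"].split()
        if rest[:2] == ["match", "source-address"]:
            pol["source"].append(rest[2])
        elif rest[:2] == ["match", "destination-address"]:
            pol["destination"].append(rest[2])
        elif rest[:2] == ["match", "application"]:
            pol["application"].append(rest[2])
        elif rest[0] == "then":
            pol["action"] = rest[1]
            # Policy-based VPN form: "then permit tunnel ipsec-vpn <vpn-name>"
            if "ipsec-vpn" in rest:
                pol["tunnel"] = rest[rest.index("ipsec-vpn") + 1]
    return policies


def find_open_policies(policies, untrusted_zones=("untrust",)):
    """Return permit policies from an untrusted zone that match 'any' in some
    term and are not tied to an IPsec tunnel, i.e. clear-text inbound access."""
    findings = []
    for (frm, to, name), pol in policies.items():
        if frm not in untrusted_zones or pol["action"] != "permit":
            continue
        wide = [f for f in ("source", "destination", "application") if pol[f] == ["any"]]
        if wide and pol["tunnel"] is None:
            findings.append({
                "policy": name, "from": frm, "to": to,
                "any_terms": wide,
                # all three terms open means the policy permits everything
                "severity": "high" if len(wide) == 3 else "medium",
            })
    return findings


def audit(config_text, untrusted_zones=("untrust",)):
    """Parse and audit in one call; returns the list of findings."""
    return find_open_policies(parse_policies(config_text), untrusted_zones)


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f['severity']}] {f['from']}->{f['to']} policy {f['policy']}: "
              f"'any' in {', '.join(f['any_terms'])}, no ipsec-vpn tunnel")
```

Run against the sample, only the `test` policy is reported: `vpn-users` still matches source `any` (the situation described later in the thread, where client addresses are not known in advance) but is bound to a tunnel, and `allow-out` is outbound from trust. The script reads `show configuration | display set` output, so it can be run over a saved config before commit.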


  • 2.  RE: SRX and NCP client security policy

    Posted 01-14-2021 07:43
    Hi,

    On that KB it's just an example. You can fine-tune it based on your requirements.

    Thanks


  • 3.  RE: SRX and NCP client security policy

    Posted 01-14-2021 09:39
    Thanks kronicklez. I guess I can put specific destination IP subnets but it is still open to any source IP from the Internet.

    Unless I am wrong, for example, Cisco AnyConnect configuration links the VPN access to a specific ACL and I don't see a policy linked in Juniper in the same way.
    Thanks.

    Best regards


  • 4.  RE: SRX and NCP client security policy

    Posted 01-14-2021 10:04
    You can define your source IP and only allow them to connect.

    ------------------------------
    ANKUR
    ------------------------------



  • 5.  RE: SRX and NCP client security policy

    Posted 01-15-2021 08:43
    Thanks Ankur.

    Several users need access from different locations so it would be very difficult to know their IP addresses in advance and configure them as source in the policy.