SRX

Expand all | Collapse all

SRX traffic processing order for System-Services and Security Policies.

Jump to Best Answer
  • 1.  SRX traffic processing order for System-Services and Security Policies.

    Posted 12-04-2020 01:10
    I'm doing some more work with Juniper SRX's recently and I've done some reading on Junos SRX host inbound system-services such as the below example and I wanted to check my understanding:

    set security zones security-zone trust interfaces irb.0 host-inbound-traffic system-services https
    set security zones security-zone trust interfaces irb.0 host-inbound-traffic system-services dhcp
    ​

    Could anyone help to clarify if my understanding of the below is correct or any caveats around it:

    1) "host-inbound-traffic system-services" are basically used to enable/permit services to that SRX interfaces that enable the SRX to provide services to clients/sources requesting services from the SRX?

    2) For "host-inbound-traffic system-services" does the SRX process this traffic from a security perspective before or after the interfaces security policies?
    - For example if you had "host-inbound-traffic system-services ntp" enabled on an interface but had security policies with a source and destination being the security zone associate with that interface and those security policies only permitted 4 source hosts from the subnet in the security zone to query NTP how does the SRX process that?

    eg. (Assume associated NTP configuration is setup on the SRX and working and there is a global deny):

    set security zones security-zone trust interfaces irb.0 host-inbound-traffic system-services NTP
    
    set security zones security-zone INSIDE address-book address IRB-0_IP 192.168.1.1/32
    set security zones security-zone INSIDE address-book address NTP_PERMIT 192.168.1.8/30
    
    set security policies from-zone INSIDE to-zone Internet policy INSIDE-Internet match source-address NTP_PERMIT
    set security policies from-zone INSIDE to-zone Internet policy INSIDE-Internet match destination-address IRB-0_IP
    set security policies from-zone INSIDE to-zone Internet policy INSIDE-Internet match application ntp​


    3) If you have the reverse and an "Outside" interface eg for an Internet link which is needing to communicate with the ISP via "Chap" is the most secure/appropriate way to do this via Security Policies or is there another way for interface level services via "host-outbound-traffic system-service"?


    Thanks.

    ------------------------------
    Dave N
    ------------------------------


  • 2.  RE: SRX traffic processing order for System-Services and Security Policies.
    Best Answer

     
    Posted 12-04-2020 01:59
    Hi Dave,

    to your questions:

    1. yes

    2. if you want to protect the SRX with security policies similar to what you do for transit traffic then please have a look at Configuring Security Policies - TechLibrary - Juniper Networks  and [SRX] Configuration Example - How to limit self traffic using Security Policies - Juniper Networks And yes, policy comes first and what's left will then be processed according to host inbound.

    3. egress traffic from the SRX itself is always permitted as it's assumed this is legit (no need for host outbound or policy)

    Regards

    ------------------------------
    Ulf Bremer
    ------------------------------