Junos OS


Device Hardening, [snmp interface] hierarchy

  • 1.  Device Hardening, [snmp interface] hierarchy

    Posted 01-22-2021 15:13
    I'm in the process of hardening my SRX firewall in my environment and I'm required to limit the ability to poll via SNMP to the loopback interface only. I was able to create a client list to limit only requests coming from my monitoring server. I also have a complex community string and v3 enabled. My security policies also limit the connection this way as well. However, when I commit "set snmp interface lo0.0" I lose SNMP connectivity. I read through the documentation and realized that it's referenced in a way that limits SNMP requests to devices connected to the specified interface rather than limiting polling only to the specified interface. If this is a remote address that does not have dedicated management hardware/OOB, is it even possible to use the snmp interface command?

    ------------------------------
    Thomas Anderson
    ------------------------------


  • 2.  RE: Device Hardening, [snmp interface] hierarchy

    Posted 01-23-2021 13:29
    The "snmp interface" command limits inbound snmp requests to an interface. This is useful for a management interface. If the traffic is in-band, you can filter source addresses to snmp in the firewall filter applied to the loopback interface.

    ------------------------------
    Brian Johnson
    ------------------------------



  • 3.  RE: Device Hardening, [snmp interface] hierarchy

    Posted 01-25-2021 11:06
    Thanks for the clarification! I assumed that it was primarily something for management interfaces when I was testing it but wanted to make sure that I was not messing up the syntax or using the command incorrectly. I have a client list already configured restricting SNMP to only the monitoring server we use and I will go ahead and apply that snmp term to my firewall filter for the lo0.0.

    ------------------------------
    Thomas Anderson
    ------------------------------



  • 4.  RE: Device Hardening, [snmp interface] hierarchy

    Posted 01-25-2021 02:37
    Hi,
    Like Brian says, you would anyway want to have an ingress firewall filter on the lo0 interface, as described in RFC 6192 - Protecting the Router Control Plane (ietf.org), and then just expand the SNMP term with a "from destination-address <lo-IP>" statement.
    Regards
    Ulf
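    Putting Brian's and Ulf's advice together, the following is an added example (not configuration posted in this thread) of the lo0.0 ingress filter in Junos curly-brace format: one term accepts SNMP only from the monitoring server and only to the loopback address, a second term counts, logs and discards every other SNMP packet aimed at the control plane, and a final accept keeps the rest of the control-plane traffic flowing until the remaining RFC 6192 terms are written. The addresses 192.0.2.10 (monitoring server) and 198.51.100.1 (SRX lo0.0 address), the filter name protect-re and the term names are constructed placeholders.

```junos
/* Constructed addresses: 192.0.2.10 = monitoring server, 198.51.100.1 = lo0.0 address of the SRX */
firewall {
    family inet {
        filter protect-re {
            /* SNMP (UDP/161) accepted only from the monitoring host and only toward the loopback address */
            term snmp-allowed {
                from {
                    source-address {
                        192.0.2.10/32;
                    }
                    destination-address {
                        198.51.100.1/32;
                    }
                    protocol udp;
                    destination-port snmp;
                }
                then accept;
            }
            /* Any other SNMP packet reaching the control plane is counted, logged and dropped */
            term snmp-denied {
                from {
                    protocol udp;
                    destination-port snmp;
                }
                then {
                    count snmp-denied;
                    syslog;
                    discard;
                }
            }
            /* Lockout guard: a filter ends in an implicit discard, so accept everything else until explicit RFC 6192 terms (SSH, routing protocols, NTP, ...) replace this one */
            term everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

    After `commit confirmed`, `show firewall filter protect-re` shows the snmp-denied counter climbing for any poller that is not the monitoring server, which is the check that the filter is actually doing the work the client-list alone cannot.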


  • 5.  RE: Device Hardening, [snmp interface] hierarchy

    Posted 01-25-2021 11:07
    Thanks for the link! I'm going to be implementing this today.

    ------------------------------
    Thomas Anderson
    ------------------------------