Security


Ask questions and share experiences with Juniper Connected Security. Discuss Advanced Threat Protection, SecIntel, Secure Analytics, Secure Connect, Security Director, and all things related to Juniper security technologies.
  • 1.  Hardening SRX240 Edge Device

    Posted 05-10-2021 16:42
    Hello - I was hoping to get some help hardening my SRX240 which I use as an edge device (internet facing firewall and edge router). I currently use Xfinity/Comcast as my ISP. They have given me a DHCP address on my SRX which has been the same for years. I don't want to allow any inbound connections at all, except for the VPN port 4656 as can be seen in the configuration below, which I forward to an internal server on a separate VLAN from all other devices; this box just forwards traffic outbound for devices connecting via VPN. The only other inbound connections maybe would be DHCP, but I think my SRX would be asking for an IP address via DHCP, so could I just use firewall filters to block everything inbound except the traffic destined for 4656? I currently have security policies in place to block any internet to internal VLAN traffic but see that firewall filters block the connections from the initial connection attempt and the security policies get further along in processing. To further harden my network against the "internet" I was wondering how to set up a firewall filter for inbound traffic. All my attempts at doing so have resulted in preventing outbound traffic also.

    Can someone please review my configuration and let me know if I am doing anything wrong from a security/hardening perspective?

    1. Do I have to have system services DHCP specified on my ge-0/0/0.0 interface (this is the one connected to my ISP)?
    2. How do I set up a firewall filter to prevent all inbound traffic not initiated from internal devices except the VPN destination port and apply it to the right interface?
    3. Am I missing anything else from a security perspective?
    4. Do I have to do anything more to prevent IPv6 from getting out from internal networks?
    5. Do I have to do anything more to "disable" IPv6 on the SRX?

    I have replaced my external IP address with Y.Y.Y.Y in the configuration. I do want to block all inter-VLAN traffic and I know I might have gone overboard on the security policies preventing inter-VLAN traffic and junos-host traffic.

    I have also attached an image that shows the config formatted in an easier way to read.

    # Last changed: 2021-05-05 10:25:12 GMT-6
    version 12.3X48-D105.4;
    groups {
        jweb-security-logging {
            system {
                syslog {
                    inactive: file loooooooggger {
                        any any;
                        archive files 1;
                        structured-data;
                    }
                    file logadog {
                        any any;
                        archive files 1;
                        structured-data;
                    }
                }
            }
        }
    }
    system {
        host-name SCRUBBED;
        time-zone GMT-6;
        root-authentication {
            encrypted-password "SCRUBBED";
        }
        name-server {
            208.67.222.222;
            208.67.220.220;
        }
        name-resolution {
            no-resolve-on-input;
        }
        services {
            ssh;
            web-management {
                https {
                    system-generated-certificate;
                    interface vlan.4;
                }
                session {
                    idle-timeout 60;
                }
            }
            dhcp {
                pool 192.168.1.0/24 {
                    address-range low 192.168.1.2 high 192.168.1.254;
                    name-server {
                        208.67.222.222;
                        208.67.220.220;
                    }
                    router {
                        192.168.1.1;
                    }
                }
                pool 192.168.2.0/24 {
                    address-range low 192.168.2.2 high 192.168.2.254;
                    name-server {
                        208.67.220.220;
                        208.67.222.222;
                    }
                    router {
                        192.168.2.1;
                    }
                }
                pool 192.168.3.0/24 {
                    address-range low 192.168.3.2 high 192.168.3.254;
                    name-server {
                        208.67.220.220;
                        208.67.222.222;
                    }
                    router {
                        192.168.3.1;
                    }
                }
                pool 172.16.234.0/24 {
                    address-range low 172.16.234.2 high 172.16.234.2;
                    name-server {
                        208.67.222.222;
                        208.67.220.220;
                    }
                    router {
                        172.16.234.1;
                    }
                }
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any critical;
                authorization info;
            }
            file interactive-commands {
                interactive-commands error;
            }
            file policy_session {
                user info;
                match RT_FLOW;
                archive size 1000k world-readable;
                structured-data;
            }
            inactive: file logadog {
                any any;
                archive files 1;
                structured-data;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
        ntp {
            server us.ntp.pool.org;
        }
    }
    security {
        utm {
            feature-profile {
                anti-spam {
                    sbl {
                        profile junos-as-defaults {
                            spam-action tag-subject;
                        }
                    }
                }
            }
            utm-policy junos-av-policy {
                traffic-options {
                    sessions-per-client {
                        over-limit log-and-permit;
                    }
                }
            }
            utm-policy junos-wf-policy {
                traffic-options {
                    sessions-per-client {
                        over-limit log-and-permit;
                    }
                }
            }
            utm-policy junos-av-wf-policy {
                traffic-options {
                    sessions-per-client {
                        over-limit log-and-permit;
                    }
                }
            }
        }
        screen {
            ids-option untrust-screen {
                alarm-without-drop;
                icmp {
                    ip-sweep;
                    fragment;
                    large;
                    flood;
                    ping-death;
                    icmpv6-malformed;
                }
                ip {
                    bad-option;
                    record-route-option;
                    timestamp-option;
                    security-option;
                    stream-option;
                    spoofing;
                    source-route-option;
                    loose-source-route-option;
                    strict-source-route-option;
                    unknown-protocol;
                    block-frag;
                    tear-drop;
                    ipv6-malformed-header;
                }
                tcp {
                    syn-fin;
                    fin-no-ack;
                    tcp-no-flag;
                    syn-frag;
                    port-scan;
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                    winnuke;
                }
                udp {
                    flood;
                }
            }
        }
        nat {
            source {
                rule-set nsw_srcnat {
                    from zone [ Home VPN Work Work-Mgmnt ];
                    to zone Internet;
                    rule nsw-src-interface {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
            destination {
                pool dst-nat-pool-vpn {
                    routing-instance {
                        default;
                    }
                    address 172.16.234.2/32 port 4656;
                }
                pool dst-nat-pool-ptest {
                    routing-instance {
                        default;
                    }
                    address 192.168.2.42/32;
                }
                rule-set rs-vpn {
                    from interface ge-0/0/0.0;
                    rule r-vpn-1 {
                        match {
                            destination-address Y.Y.Y.Y/32;
                            destination-port {
                                4656;
                            }
                            protocol udp;
                        }
                        then {
                            destination-nat {
                                pool {
                                    dst-nat-pool-vpn;
                                }
                            }
                        }
                    }
                }
            }
            proxy-arp {
                interface ge-0/0/0.0 {
                    address {
                        Y.Y.Y.Y/32;
                    }
                }
            }
        }
        policies {
            from-zone Home to-zone Internet {
                policy home-internet {
                    match {
                        source-address any-ipv4;
                        destination-address any-ipv4;
                        application any;
                        source-identity any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Internet to-zone Home {
                policy internet-home {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        deny;
                    }
                }
            }
            from-zone Work to-zone Internet {
                policy work-internet {
                    match {
                        source-address any-ipv4;
                        destination-address any-ipv4;
                        application any;
                        source-identity any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Internet to-zone Work {
                policy internet-work-deny {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        deny;
                    }
                }
            }
            from-zone VPN to-zone Internet {
                policy vpn-internet {
                    match {
                        source-address any-ipv4;
                        destination-address any-ipv4;
                        application any;
                        source-identity any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Internet to-zone VPN {
                policy internet-vpn-allow {
                    match {
                        source-address any-ipv4;
                        destination-address any-ipv4;
                        application custom1-vpn;
                        source-identity any;
                    }
                    then {
                        permit;
                    }
                }
                policy internet-vpn-deny {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        deny;
                    }
                }
            }
            from-zone Work to-zone Home {
                policy work-home {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        deny;
                    }
                }
            }
            from-zone Home to-zone Work {
                policy home-work {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        deny;
                    }
                }
            }
            from-zone Work to-zone VPN {
                policy work-vpn {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        deny;
                    }
                }
            }
            from-zone VPN to-zone Work {
                policy vpn-work {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        deny;
                    }
                }
            }
            from-zone VPN to-zone Home {
                policy vpn-home {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        deny;
                    }
                }
            }
            from-zone Home to-zone VPN {
                policy home-vpn {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        deny;
                    }
                }
            }
            from-zone Work-Mgmnt to-zone Internet {
                policy block_new_nas_out {
                    match {
                        source-address new-nas-temp-block;
                        destination-address any;
                        application any;
                        source-identity any;
                    }
                    then {
                        deny;
                    }
                }
                policy work-mgmnt-internet {
                    match {
                        source-address any-ipv4;
                        destination-address any;
                        application any;
                        source-identity any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Internet to-zone Work-Mgmnt {
                policy internet-work-mgmnt {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                        source-identity any;
                    }
                    then {
                        deny;
                    }
                }
            }
            from-zone Work-Mgmnt to-zone Home {
                policy work-mgnt-home {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                        source-identity any;
                    }
                    then {
                        deny;
                    }
                }
            }
            from-zone Home to-zone Work-Mgmnt {
                policy home-work-mgnt {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                        source-identity any;
                    }
                    then {
                        deny;
                    }
                }
            }
            from-zone Work to-zone Work-Mgmnt {
                policy work-work-mgmnt {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                        source-identity any;
                    }
                    then {
                        deny;
                    }
                }
            }
            from-zone Work-Mgmnt to-zone Work {
                policy work-mgmnt-work-vnc-rdp {
                    match {
                        source-address work-mgmnt-pool;
                        destination-address work-pool;
                        application [ rdp vnc-tcp vnc-udp ];
                        source-identity any;
                    }
                    then {
                        permit;
                    }
                }
                policy work-mgmnt-work {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                        source-identity any;
                    }
                    then {
                        deny;
                    }
                }
            }
            from-zone VPN to-zone Work-Mgmnt {
                policy vpn-work-mgmnt {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                        source-identity any;
                    }
                    then {
                        deny;
                    }
                }
            }
            from-zone Work-Mgmnt to-zone VPN {
                policy work-mgmnt-vpn {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                        source-identity any;
                    }
                    then {
                        deny;
                    }
                }
            }
            from-zone Work-Mgmnt to-zone junos-host {
                policy work-mgmnt-junos-host {
                    match {
                        source-address work-mgmnt-pool;
                        destination-address any-ipv4;
                        application [ junos-ssh junos-https ];
                        source-identity any;
                    }
                    then {
                        permit;
                    }
                }
                policy deny-junos-host {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                        source-identity any;
                    }
                    then {
                        deny;
                    }
                }
            }
            from-zone Work to-zone junos-host {
                policy deny-work-junoshost {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                        source-identity any;
                    }
                    then {
                        deny;
                    }
                }
            }
            from-zone VPN to-zone junos-host {
                policy deny-vpn-junoshost {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                        source-identity any;
                    }
                    then {
                        deny;
                    }
                }
            }
            from-zone Home to-zone junos-host {
                policy deny-home-junoshost {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                        source-identity any;
                    }
                    then {
                        deny;
                    }
                }
            }
            from-zone Internet to-zone junos-host {
                policy internet-junos-deny-all {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                        source-identity any;
                    }
                    then {
                        deny;
                    }
                }
            }
            global {
                policy denyall {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                        source-identity any;
                    }
                    then {
                        deny;
                    }
                }
            }
            default-policy {
                deny-all;
            }
        }
        zones {
            security-zone Home {
                interfaces {
                    vlan.1 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                    ge-0/0/1.0;
                    ge-0/0/2.0;
                    ge-0/0/3.0;
                    ge-0/0/4.0;
                    ge-0/0/5.0;
                    ge-0/0/6.0;
                    ge-0/0/7.0;
                }
            }
            security-zone VPN {
                interfaces {
                    vlan.2 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                    ge-0/0/15.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone Work {
                address-book {
                    address work-pool {
                        range-address 192.168.2.2 {
                            to {
                                192.168.2.254;
                            }
                        }
                    }
                }
                interfaces {
                    vlan.3 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                    ge-0/0/14.0;
                    ge-0/0/13.0;
                    ge-0/0/12.0;
                }
            }
            security-zone Work-Mgmnt {
                address-book {
                    address work-mgmnt-pool {
                        range-address 192.168.3.2 {
                            to {
                                192.168.3.254;
                            }
                        }
                    }
                    address new-nas-temp-block 192.168.3.88/32;
                }
                interfaces {
                    vlan.4 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                    ge-0/0/11.0;
                    ge-0/0/10.0;
                    ge-0/0/9.0;
                    ge-0/0/8.0;
                }
            }
            security-zone Internet {
                address-book {
                }
                screen untrust-screen;
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                            }
                        }
                    }
                }
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    dhcp;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        ge-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        ge-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        ge-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        ge-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        ge-0/0/7 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan1;
                    }
                }
            }
        }
        ge-0/0/8 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan4;
                    }
                }
            }
        }
        ge-0/0/9 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan4;
                    }
                }
            }
        }
        ge-0/0/10 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan4;
                    }
                }
            }
        }
        ge-0/0/11 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan4;
                    }
                }
            }
        }
        ge-0/0/12 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan3;
                    }
                }
            }
        }
        ge-0/0/13 {
            unit 0 {
                family ethernet-switching {
                    port-mode trunk;
                    vlan {
                        members [ vlan1 vlan3 ];
                    }
                }
            }
        }
        ge-0/0/14 {
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members vlan3;
                    }
                }
            }
        }
        ge-0/0/15 {
            unit 0 {
                family ethernet-switching {
                    port-mode access;
                    vlan {
                        members vlan2;
                    }
                }
            }
        }
        vlan {
            unit 1 {
                family inet {
                    address 192.168.1.1/24;
                }
            }
            unit 2 {
                family inet {
                    address 172.16.234.1/24;
                }
            }
            unit 3 {
                family inet {
                    address 192.168.2.1/24;
                }
            }
            unit 4 {
                family inet {
                    address 192.168.3.1/24;
                }
            }
        }
    }
    protocols {
        stp {
            disable;
        }
    }
    firewall {
        family inet {
            filter deny-all-inbound-internet {
                term "deny all inbound internet" {
                    from {
                        interface ge-0/0/0;
                    }
                    then {
                        discard;
                    }
                }
            }
        }
    }
    applications {
        application custom1-vpn {
            protocol udp;
            destination-port 4656;
        }
        application rdp {
            protocol tcp;
            destination-port 3389;
        }
        application vnc-udp {
            protocol udp;
            destination-port 2500;
        }
        application vnc-tcp {
            protocol tcp;
            destination-port 2500;
        }
    }
    wlan {
        admin-authentication {
            encrypted-password "SCRUBBED";
        }
    }
    vlans {
        vlan1 {
            description Home;
            vlan-id 3;
            interface {
                ge-0/0/2.0;
            }
            l3-interface vlan.1;
        }
        vlan2 {
            description VPN;
            vlan-id 2;
            interface {
                ge-0/0/15.0;
            }
            l3-interface vlan.2;
        }
        vlan3 {
            description Work;
            vlan-id 4;
            interface {
                ge-0/0/13.0;
            }
            l3-interface vlan.3;
        }
        vlan4 {
            description Work-Mgmnt;
            vlan-id 5;
            interface {
                ge-0/0/8.0;
            }
            l3-interface vlan.4;
        }
    }

    ------------------------------
    Kenny
    ------------------------------


  • 2.  RE: Hardening SRX240 Edge Device

    Posted 05-15-2021 02:23
    Hi Kenny,

    1. Do I have to have system services DHCP specified on my ge-0/0/0.0 interface (this is the one connected to my ISP)?
    Yes, because if you don't specify DHCP as host-inbound-traffic your SRX will never get an IP address via DHCP.

    2. How do I set up a firewall filter to prevent all inbound traffic not initiated from internal devices except the VPN destination port and apply it to the right interface?
    The easiest way is a "lo0 filter" (even if no lo0 is used, lo0 filters are valid for ALL RE traffic), often referred to as "Protect-RE". There are many articles covering it, and it's extremely granular :)


    set firewall family inet filter protect-RE term tcp-connection-term from source-prefix-list trusted-addresses
    set firewall family inet filter protect-RE term tcp-connection-term from protocol tcp
    set firewall family inet filter protect-RE term tcp-connection-term from tcp-established
    set firewall family inet filter protect-RE term tcp-connection-term then policer tcp-connection-policer
    set firewall family inet filter protect-RE term tcp-connection-term then accept
    set firewall family inet filter protect-RE term icmp-term from source-prefix-list trusted-addresses
    set firewall family inet filter protect-RE term icmp-term from protocol icmp
    set firewall family inet filter protect-RE term icmp-term then policer icmp-policer
    set firewall family inet filter protect-RE term icmp-term then count icmp-counter
    set firewall family inet filter protect-RE term icmp-term then accept
    set interfaces lo0 unit 0 family inet filter input protect-RE

    A good starting point would be:
    https://www.juniper.net/documentation/us/en/software/junos/routing-policy/topics/example/firewall-filter-stateless-example-rate-limits-based-on-packets-per-second.html

    3. Am I missing anything else from a security perspective?
    I noticed that you have a lot of policies with just "deny". You don't really need that; it only makes your ruleset bigger and more complex.
    The SRX denies everything by default. The only reason why you would need a "deny" in addition to the explicit deny is if you use the option "log".

    4. Do I have to do anything more to prevent IPv6 from getting out from internal networks?
    5. Do I have to do anything more to "disable" IPv6 on the SRX?
    If you haven't enabled flow mode for IPv6 or packet-based mode for IPv6, your SRX will not use IPv6.
    Have a look at "show security flow status"; it will tell you if IPv6 is "disabled" or not :)

    Hope this helps. If you need anything else feel free to reach out to me :)
    Christian



    ------------------------------
    Christian Scholz
    Juniper Networks Ambassador | JNCIE-SEC #374
    Mail: chs@ip4.de
    Blog: jncie.eu | Twitter: @chsjuniper | YT-Channel: netchron
    ------------------------------
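    The set commands above reference a prefix list (trusted-addresses) and two policers (tcp-connection-policer, icmp-policer) that are not defined in the fragment, and they have no final term, so on their own they do not yet drop anything. The following is an added example, not Christian's configuration and not text from Juniper, that completes the fragment into a full lo0 filter for a box laid out like Kenny's. It assumes management comes from 192.168.3.0/24 (vlan.4, the Work-Mgmnt zone in the posted config), that ge-0/0/0.0 stays a DHCP client, and that the policer rates are illustrative. The VPN forward on UDP 4656 is destination-NATed transit traffic and is governed by security policy, so it needs no term here. For comparison, the posted deny-all-inbound-internet filter has no accept terms at all, which is why, applied as an input filter on ge-0/0/0, it discards DHCP replies and the return packets of outbound sessions alike.

```junos
# Added example (not Christian's config). Assumptions: management hosts live in
# 192.168.3.0/24, ge-0/0/0.0 is a DHCP client, policer rates are illustrative.
# The "#" lines are commentary for the reader; paste only the set lines.

# Who may reach the Routing Engine for management
set policy-options prefix-list trusted-addresses 192.168.3.0/24

# Policers referenced by the terms (they must exist or the commit fails)
set firewall policer tcp-connection-policer if-exceeding bandwidth-limit 1m
set firewall policer tcp-connection-policer if-exceeding burst-size-limit 15k
set firewall policer tcp-connection-policer then discard
set firewall policer icmp-policer if-exceeding bandwidth-limit 500k
set firewall policer icmp-policer if-exceeding burst-size-limit 15k
set firewall policer icmp-policer then discard

# Term 1: SSH/HTTPS to the SRX itself, only from trusted hosts, rate limited
set firewall family inet filter protect-RE term mgmt-term from source-prefix-list trusted-addresses
set firewall family inet filter protect-RE term mgmt-term from protocol tcp
set firewall family inet filter protect-RE term mgmt-term from destination-port [ ssh https ]
set firewall family inet filter protect-RE term mgmt-term then policer tcp-connection-policer
set firewall family inet filter protect-RE term mgmt-term then accept

# Term 2: ICMP from trusted hosts, rate limited and counted
set firewall family inet filter protect-RE term icmp-term from source-prefix-list trusted-addresses
set firewall family inet filter protect-RE term icmp-term from protocol icmp
set firewall family inet filter protect-RE term icmp-term then policer icmp-policer
set firewall family inet filter protect-RE term icmp-term then count icmp-counter
set firewall family inet filter protect-RE term icmp-term then accept

# Term 3: the DHCP client exchange on the ISP port (server port 67 to client port 68).
# Without this term the lease renewal is discarded and the WAN address is eventually lost.
set firewall family inet filter protect-RE term dhcp-client from protocol udp
set firewall family inet filter protect-RE term dhcp-client from source-port 67
set firewall family inet filter protect-RE term dhcp-client from destination-port 68
set firewall family inet filter protect-RE term dhcp-client then accept

# Term 4: replies to connections the SRX opened itself (license autoupdate over
# HTTPS, plus the DNS and NTP servers in the posted config)
set firewall family inet filter protect-RE term tcp-replies from protocol tcp
set firewall family inet filter protect-RE term tcp-replies from tcp-established
set firewall family inet filter protect-RE term tcp-replies then accept
set firewall family inet filter protect-RE term udp-replies from protocol udp
set firewall family inet filter protect-RE term udp-replies from source-port [ domain ntp ]
set firewall family inet filter protect-RE term udp-replies then accept

# Term 5: everything else addressed to the RE is logged and dropped
set firewall family inet filter protect-RE term deny-rest then log
set firewall family inet filter protect-RE term deny-rest then discard

# Apply on lo0: Junos evaluates it for all RE-bound traffic, whichever port it entered on
set interfaces lo0 unit 0 family inet filter input protect-RE

# Commit with a rollback timer so a mistake in mgmt-term cannot lock you out:
#   commit confirmed 5
# then reconnect from a trusted host and run "commit" to make it permanent.
# Verify which terms are being hit:
#   show firewall filter protect-RE
#   show firewall log
```

    The ordering matters: terms are evaluated top to bottom and the first match wins, so the narrow accepts come first and the unconditional discard last. Term 4 is what keeps the box's own DNS, NTP and license lookups working once the final discard is in place; if any other self-originated service is added later (a syslog collector, for instance), it needs its own accept term before deny-rest.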



  • 3.  RE: Hardening SRX240 Edge Device

    Posted 05-16-2021 06:06
    Just a note to expand on #2 with the Protect RE filter. MX routers run the internet and are protected by this feature. There is a free Juniper Day One book that goes over the process of hardening using Protect RE for MX here.

    https://www.juniper.net/documentation/en_US/day-one-books/TW_HardeningJunosDevices_2ndEd.zip

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 4.  RE: Hardening SRX240 Edge Device

    Posted 05-17-2021 15:11
    Thank you for the additional information. It looks like clicking that link leads to a 404.

    ------------------------------
    Kenny
    ------------------------------



  • 5.  RE: Hardening SRX240 Edge Device

    Posted 05-17-2021 15:20
    Found it thanks!

    ------------------------------
    Kenny
    ------------------------------



  • 6.  RE: Hardening SRX240 Edge Device

    Posted 05-17-2021 16:16
    Edited by Kenny 05-17-2021 16:35
    Hello, thank you for the detailed information. However, I'm wondering if this is unnecessarily overcomplicated (I am not looking for something so granular). Is there a reason that I can't just have a deny-all firewall input filter set on the ge-0/0/0 interface, which is my internet facing port, then set up an explicit allow for the VPN traffic and have it come before the deny? Is it because it won't honor the stateful sessions currently traversing the device and any of those inbound packets on that interface, or am I missing something else? I see in the documentation what you are saying about the loopback, but isn't that making things more complicated, as inbound can be in both directions, from my internal network to external and vice versa?

    I guess my confusion could be handled by just asking: are there any reasons security policies wouldn't be enough for an internet facing device where you want all outbound traffic allowed, and anything inbound from the internet which is unsolicited is just ignored?

    ------------------------------
    Kenny
    ------------------------------



  • 7.  RE: Hardening SRX240 Edge Device
    Best Answer

    Posted 05-20-2021 05:33
    In Junos there is the concept of two traffic types:
    Transit traffic - this enters one port and via routing or ethernet configuration exits on another port
    Self traffic - traffic generated by the device or terminating on the device.

    If I follow your topology correctly, the VPN traffic you want to allow while preventing other connections will terminate on the MX and not the SRX. Thus it will be transit traffic.

    By design transit traffic controls on the SRX are done using security policy.  Without any configuration the default security policy from zone to zone is deny so that rule does not need to be created.  You would only need to create the rule allowing the vpn traffic from the internet zone to the MX zone for the specified vpn port.

    Firewall filters on the SRX are typically only used for granular protection of self traffic.  But the SRX also has other self traffic controls under the security zone for host inbound traffic and the optional creation of security policy using zone junos-host. 

    We brought up firewall filters mainly to apply to protect self traffic on the MX device because there is no flow engine there and firewall filters are the only option to protect self traffic typically applied to the loopback address and not any of the interfaces.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------
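    To put Steve's transit-versus-self distinction into the posted configuration, here is an added example (not Steve's, Christian's or Juniper's text) written against the zone, application and pool names Kenny posted. It keeps the one transit rule that is actually needed (Internet to VPN on UDP 4656, matched after destination NAT), replaces the per-zone-pair deny policies with a single logged global deny as Christian suggested, narrows the self-traffic settings on the ISP port, and covers questions 4 and 5 with the inet6 forwarding mode. Two observations it acts on come straight from the posted config: the Internet zone carries system-services all and protocols all at the zone level alongside the dhcp-only entry on ge-0/0/0.0, and the untrust-screen is set to alarm-without-drop, so it only reports. It assumes the VPN server stays at 172.16.234.2 behind dst-nat-pool-vpn and that the inet6 mode change is done in a window where a reboot is acceptable, since that setting takes effect only after one.

```junos
# Added example, not from the thread. Uses the names in Kenny's posted config;
# the "#" lines are commentary for the reader, paste only the set/delete lines.

# 1. The only inbound transit rule: UDP 4656 from the Internet zone to the VPN
#    server behind dst-nat-pool-vpn. Everything not permitted here or in the
#    outbound policies falls to the default deny, so the per-zone deny policies
#    (internet-home, internet-work-deny, internet-vpn-deny, ...) are not needed.
set security policies from-zone Internet to-zone VPN policy internet-vpn-allow match source-address any-ipv4
set security policies from-zone Internet to-zone VPN policy internet-vpn-allow match destination-address any-ipv4
set security policies from-zone Internet to-zone VPN policy internet-vpn-allow match application custom1-vpn
set security policies from-zone Internet to-zone VPN policy internet-vpn-allow then permit
set security policies from-zone Internet to-zone VPN policy internet-vpn-allow then log session-init
set security policies from-zone Internet to-zone VPN policy internet-vpn-allow then log session-close
set security policies from-zone Internet to-zone VPN policy internet-vpn-allow then count

# 2. One logged catch-all instead of a deny policy per zone pair. This is the
#    case Christian describes: an explicit deny is only worth having for its log.
set security policies global policy denyall match source-address any
set security policies global policy denyall match destination-address any
set security policies global policy denyall match application any
set security policies global policy denyall then deny
set security policies global policy denyall then log session-init

# 3. Self traffic on the ISP port: only the DHCP client exchange. The posted
#    config also has system-services all / protocols all at the Internet zone
#    level; remove that so only the interface-level dhcp entry remains.
delete security zones security-zone Internet host-inbound-traffic
set security zones security-zone Internet interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp

# 4. The screen on the Internet zone is configured with alarm-without-drop,
#    so it logs but never discards. Remove that to let it drop what it detects.
delete security screen ids-option untrust-screen alarm-without-drop

# 5. Questions 4 and 5: have the SRX drop IPv6 rather than forward it.
#    (Changing the inet6 mode needs a reboot to take effect.)
set security forwarding-options family inet6 mode drop

# Checks after commit:
#   show security flow status                                 (Inet6 forwarding mode: drop)
#   show security policies from-zone Internet to-zone VPN     (only internet-vpn-allow)
#   show security flow session destination-port 4656          (VPN sessions, post-NAT)
#   show security screen statistics zone Internet              (screen hit counters)
#   show log policy_session | match RT_FLOW_SESSION_DENY       (what the global deny caught)
```

    The policy_session syslog file in the posted config already matches RT_FLOW, so once the global deny logs session-init, unsolicited inbound attempts on ge-0/0/0.0 show up there as RT_FLOW_SESSION_DENY records with the denyall policy name, which is the simplest way to confirm that the default deny, not a firewall filter, is doing the work Kenny asked about.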



  • 8.  RE: Hardening SRX240 Edge Device

    Posted 05-27-2021 14:04
    Thank you sooooo much, that is EXACTLY what I was looking for in navigating where I am currently and whether or not I should pursue firewall filters.  You saved me so much time, really appreciate it!!!

    ------------------------------
    Kenny
    ------------------------------