Security

 View Only

IMPORTANT MODERATION NOTICE

This community is currently under full moderation, meaning  all posts will be reviewed before appearing in the community. Please expect a brief delay—there is no need to post multiple times. If your post is rejected, you'll receive an email outlining the reason(s). We've implemented full moderation to control spam. Thank you for your patience and participation.



  • 1.  default secuirty policies

    Posted 12-27-2021 06:58
      |   view attached
    Hello Everyone 
    i m new to Juniper and working on configuring NAT rules.I have configured the SRX300 with setup wizard and i noticed there are none security policy ,is that a normal ?Because my NAT doesn't work that is what made to look on each place to make sure everything is ok .Otherwise the srx300 is working ok because all the devices are connected ok ,like computers,Xbox,IPTVs and stuff.

    Attachment(s)

    txt
    tempSRX300.txt   8 KB 1 version


  • 2.  RE: default secuirty policies

    Posted 12-28-2021 05:31
    you always need a security policy to allow traffic through the zones.
    Is Dnat not working?  if so and you have  the destination ip address x.x.x.x/32   different of the ip address of your untrusted interface, you need to configure the "proxy arp" under the [secuirty nat ] instance. 
     
    I hope this helped.

    ------------------------------
    Salvatore Colimoro
    ------------------------------



  • 3.  RE: default secuirty policies

    Posted 12-28-2021 11:35
    Hello Salvatore Colimoro
    Thanks for your reply .Could you please see this and tell which one is deafult security policy ,i see there is two commads that say deafult and says deny-all and premit -all ,Is that the deafult policy which i can not see in GUI .?If yes than why i  don't see in GUI ?Any idea ?and also my NAT has started working .

    root@SRX300> show security policies
    Default policy: deny-all
    Default policy log Profile ID: 0
    Pre ID default policy: permit-all
    From zone: trust, To zone: trust
    Policy: trust-to-trust, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit
    From zone: trust, To zone: untrust
    Policy: trust-to-untrust, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: any
    Applications: any
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit, log
    From zone: untrust, To zone: trust
    Policy: RDP, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 1, Log Profile ID: 0
    Source vrf group: any
    Destination vrf group: any
    Source addresses: any
    Destination addresses: RDP13
    Applications: RDP13-TCP
    Source identity feeds: any
    Destination identity feeds: any
    Action: permit

    root@SRX300>


  • 4.  RE: default secuirty policies

    Posted 12-29-2021 05:39
    Hi,

    JWEB has some limitation compare to CLI.


    Thanks


  • 5.  RE: default secuirty policies

    Posted 12-29-2021 05:39

    By default, Junos denies all traffic through an SRX Series device.  Actually an implicit default security policy exists that denies all packets.

    Default policy: deny-all

    You can modify this behavior to permit-all (not suggested) doing:

    [edit security policies]

    set permit-all

    The other reference  "Pre ID default policy:permit-all" is related to the APPid process. If you don't have the license for download the  Appid database, don't consider it yet for now.    https://www.juniper.net/documentation/us/en/software/junos/appaware-services/topics/concept/appid-overview.html.
    Before an application is identified by Application Identification (AppID), the pre-ID-default-policy options are applied to the session.



    ------------------------------
    Salvatore Colimoro
    ------------------------------