SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  how to limit ip to access Web-Management?

    Posted 10-30-2011 23:50

    Hello!

    I've configured web-management on my SRXes using

    set system services web-management https interface fe-0/0/0

    set security zones security-zone untrust interfaces fe-0/0/0 host-inbound-traffic system-services https

    but how do I allow only some public IPs to connect instead of all? 😃

    thanks for advice!

     


    #web-management


  • 2.  RE: how to limit ip to access Web-Management?
    Best Answer

    Posted 10-31-2011 01:49

    You need to use a firewall filter and apply it to the fe-0/0/0 interface.  You could also apply this to the loopback interface to apply it across all ports.

    Firstly create a prefix list to store all the IPs you want to have access to the box.

    policy-options {
        prefix-list trusted-ips {
            111.xxx.xxx.xxx/32;
            222.xxx.xxx.xxx/32;
        }
    }

    Create a filter and reference the prefix list with your trusted IPs.

    firewall {
        filter trusted-ips {
            term block_non_trusted {
                from {
                    source-address {
                        0.0.0.0/0;
                    }
                    source-prefix-list {
                        trusted-ips except;
                    }
                    protocol tcp;
                    destination-port [ ssh https ];
                }
                then {
                    discard;
                }
            }
            term accept_all {
                then accept;
            }
        }
    }



  • 3.  RE: how to limit ip to access Web-Management?

    Posted 10-31-2011 02:07
    thank you!


  • 4.  RE: how to limit ip to access Web-Management?

    Posted 11-02-2011 15:00

    I would actually work with something similar to this below, because if you use a default deny all it will block any return traffic sourced from the SRX, because this is a stateless filter: Websense, DNS, NTP, etc. will all be blocked by using this type of filter. My filter below permits only what you want on the services running on the unit, and blocks those same services from anywhere else, while permitting the rest. Make sure to update the permit/deny list with the extra services you need on the router/switch/firewall etc. This filter should be good for almost any Junos device out there.

     

    firewall {
        family inet {
            filter Management_ipv4 {
                term 1 {
                    from {
                        prefix-list {
                            Management_ipv4;
                        }
                        destination-port [ http https telnet snmp ftp ssh ];
                    }
                    then {
                        log;
                        accept;
                    }
                }
                term 2 {
                    from {
                        prefix-list {
                            BGP-Neighbors;
                        }
                        destination-port bgp;
                    }
                    then accept;
                }
                term 3 {
                    from {
                        destination-port [ http https telnet snmp bgp ftp ssh ];
                    }
                    then {
                        discard;
                    }
                }
                term default-permit {
                    then accept;
                }
            }
        }
        family inet6 {
            filter Management_ipv6 {
                term 1 {
                    from {
                        prefix-list {
                            Management_ipv6;
                        }
                        destination-port [ ssh http https telnet snmp ftp ];
                    }
                    then {
                        log;
                        accept;
                    }
                }
                term 2 {
                    from {
                        prefix-list {
                            BGP-Neighbors;
                        }
                        destination-port bgp;
                    }
                    then accept;
                }
                term 3 {
                    from {
                        destination-port [ ssh http https telnet snmp bgp ftp ];
                    }
                    then discard;
                }
                term default-permit {
                    then accept;
                }
            }
        }
    }

    policy-options {
        prefix-list Management_ipv4 {
            192.168.0.0/24;
        }
        prefix-list Management_ipv6 {
            2001:470::/64;
        }
        prefix-list BGP-Neighbors {
            apply-path "protocols bgp group <*> neighbor <*>";
        }
    }
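Both answers depend on the same Junos stateless-filter evaluation rule: terms are tried in order, the first match decides, and a packet matching no term is discarded. The following Python model is an added illustration (not Juniper code and not from either poster) that encodes the filter from answer 2 and the IPv4 filter from answer 4 and runs sample packets through them, including the return-traffic case answer 4 warns about; the prefix-list contents, the BGP neighbour and the sample packets are constructed stand-ins.

```python
import ipaddress
# Added model of Junos stateless filter evaluation (not Juniper code): terms are
# checked in order, the first matching term's action wins, and a packet that
# matches no term hits the filter's implicit discard at the end.
PORTS = {"ssh": 22, "http": 80, "https": 443, "telnet": 23, "snmp": 161,
         "ftp": 21, "bgp": 179}
PREFIX_LISTS = {  # constructed stand-ins for the prefix lists in the answers
    "trusted-ips": ["111.0.0.1/32", "222.0.0.1/32"],  # the xxx'd addresses
    "Management_ipv4": ["192.168.0.0/24"],
    "BGP-Neighbors": ["10.0.0.2/32"],  # what apply-path would resolve to
}

def in_lists(ip, names):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for n in names for p in PREFIX_LISTS[n])

def term_matches(term, pkt):
    # every 'from' condition present in the term must hold for the term to match
    if term.get("src") and not in_lists(pkt["src"], term["src"]):
        return False
    if term.get("src_except") and in_lists(pkt["src"], term["src_except"]):
        return False  # 'prefix-list X except': listed sources never match this term
    if term.get("proto") and pkt.get("proto") != term["proto"]:
        return False
    if term.get("dport") and pkt["dport"] not in {PORTS[p] for p in term["dport"]}:
        return False
    return True

def evaluate(terms, pkt):
    # action of the first matching term, otherwise the implicit final discard
    for term in terms:
        if term_matches(term, pkt):
            return term["then"]
    return "discard"

# Answer 2: discard ssh/https from anyone not in trusted-ips, then accept everything.
TRUSTED_IPS_FILTER = [
    {"src_except": ["trusted-ips"], "proto": "tcp", "dport": ["ssh", "https"], "then": "discard"},
    {"then": "accept"},
]
# Answer 4 (IPv4): management from Management_ipv4, BGP from neighbours, those
# services discarded from anyone else, then default-permit so return traffic survives.
MGMT = ["http", "https", "telnet", "snmp", "ftp", "ssh"]
MANAGEMENT_IPV4_FILTER = [
    {"src": ["Management_ipv4"], "dport": MGMT, "then": "accept"},
    {"src": ["BGP-Neighbors"], "dport": ["bgp"], "then": "accept"},
    {"dport": MGMT + ["bgp"], "then": "discard"},
    {"then": "accept"},
]
# Same filter without default-permit: the "default deny all" answer 4 warns about.
MANAGEMENT_NO_DEFAULT_PERMIT = MANAGEMENT_IPV4_FILTER[:-1]
```

Running a DNS reply (UDP to an ephemeral port on the box) through the last two filters shows why the final accept term matters: with it the reply is accepted, without it the stateless filter drops it.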