I think UDP 500 is IKE rather than SNMP. Other than that, I agree with Gavin -- either a firewall filter, or make sure "ike" is not listed under host-inbound-traffic system-services for the Untrust zone.
If you have multiple interfaces in Untrust (since you mentioned "Untrust to Untrust") and you're talking about transit traffic, then you can configure regular Untrust intra-zone policies to control what's allowed and what's not.
------------------------------
Nikolay Semov
------------------------------
Original Message:
Sent: 05-28-2024 22:45
From: GAVIN WHITE
Subject: Block all UDP 500 and allow certain IP only
Hi,
If I'm understanding right, you have SNMP available on the untrust zone/interface of the SRX via host-inbound-traffic. You are trying to monitor the SRX from an external source. Not reach another device connected to the SRX via the same Security Zone?
There are two ways you can do this...
- Configuration in the SNMP can be set to respond to only specified IPs through the clients statement...
  https://www.juniper.net/documentation/us/en/software/junos/cli-reference/topics/ref/statement/clients-edit-snmp.html
- Configure a firewall filter to restrict IPs to specified IP addresses and apply that filter to your external interface. Be cautious as the filters are default deny, so you can easily lock yourself out. I have a Juniper guide and an example I created (see allow_snmp_clients) for reference.
  https://www.juniper.net/documentation/us/en/software/junos/routing-policy/topics/example/firewall-filter-simple-example.html
  https://github.com/thewhitehouse007/junos-config-templates/blob/main/protect_re.j2
Kind Regards,
Gavin White
------------------------------
GAVIN WHITE
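Added example (written for this page; it is not from any of the posters and is not Gavin's protect_re.j2 template): both suggestions above as one Junos set-format configuration. Option A is Nikolay's "just don't list ike under host-inbound-traffic"; Option B is the firewall-filter route from Gavin's post, extended to cover IKE as well as SNMP, with the explicit final accept term that avoids the default-deny lock-out he warns about. Zone name untrust, interface ge-0/0/0.0 with address 192.0.2.1, the peer and manager addresses, the filter, prefix-list and community names are all assumptions; adjust them to your box. UDP 4500 is included in the IKE terms because NAT-T uses it alongside 500; drop those lines if you only want 500 handled. Pick one option, not both, since A removes the very service B is fencing.

```junos
## Added example, not from this thread or from Gavin's template.
## Assumed: zone "untrust", external interface ge-0/0/0.0 with address 192.0.2.1,
## IKE peers 198.51.100.10-11, SNMP manager 203.0.113.5. Change to match your SRX.

## Option A (Nikolay): if no VPN terminates on the untrust zone, stop the SRX
## listening for IKE there at all. Nothing else is needed for UDP 500.
delete security zones security-zone untrust host-inbound-traffic system-services ike

## Option B (Gavin): the SRX must still answer IKE/SNMP on that interface, so keep
## "ike" and "snmp" under host-inbound-traffic and fence them with an input filter.
set policy-options prefix-list IKE-PEERS 198.51.100.10/32
set policy-options prefix-list IKE-PEERS 198.51.100.11/32
set policy-options prefix-list SNMP-MANAGERS 203.0.113.5/32

## Terms match destination-address 192.0.2.1 so only packets aimed at the SRX
## itself are affected; transit UDP 500 arriving on the interface is left alone.
set firewall family inet filter PROTECT-UNTRUST term allow-ike from source-prefix-list IKE-PEERS
set firewall family inet filter PROTECT-UNTRUST term allow-ike from destination-address 192.0.2.1/32
set firewall family inet filter PROTECT-UNTRUST term allow-ike from protocol udp
set firewall family inet filter PROTECT-UNTRUST term allow-ike from destination-port 500
set firewall family inet filter PROTECT-UNTRUST term allow-ike from destination-port 4500
set firewall family inet filter PROTECT-UNTRUST term allow-ike then accept

set firewall family inet filter PROTECT-UNTRUST term deny-ike from destination-address 192.0.2.1/32
set firewall family inet filter PROTECT-UNTRUST term deny-ike from protocol udp
set firewall family inet filter PROTECT-UNTRUST term deny-ike from destination-port 500
set firewall family inet filter PROTECT-UNTRUST term deny-ike from destination-port 4500
set firewall family inet filter PROTECT-UNTRUST term deny-ike then count ike-denied
set firewall family inet filter PROTECT-UNTRUST term deny-ike then discard

set firewall family inet filter PROTECT-UNTRUST term allow-snmp from source-prefix-list SNMP-MANAGERS
set firewall family inet filter PROTECT-UNTRUST term allow-snmp from destination-address 192.0.2.1/32
set firewall family inet filter PROTECT-UNTRUST term allow-snmp from protocol udp
set firewall family inet filter PROTECT-UNTRUST term allow-snmp from destination-port 161
set firewall family inet filter PROTECT-UNTRUST term allow-snmp then accept

set firewall family inet filter PROTECT-UNTRUST term deny-snmp from destination-address 192.0.2.1/32
set firewall family inet filter PROTECT-UNTRUST term deny-snmp from protocol udp
set firewall family inet filter PROTECT-UNTRUST term deny-snmp from destination-port 161
set firewall family inet filter PROTECT-UNTRUST term deny-snmp then count snmp-denied
set firewall family inet filter PROTECT-UNTRUST term deny-snmp then discard

## Last term accepts everything else. Without it the filter's implicit discard drops
## all other inbound traffic on the interface, which is the lock-out Gavin warns about.
set firewall family inet filter PROTECT-UNTRUST term allow-everything-else then accept

set interfaces ge-0/0/0 unit 0 family inet filter input PROTECT-UNTRUST

## Belt and braces for SNMP: the daemon itself only answers the listed manager
## (the clients statement from Gavin's first link); everyone else is restricted.
set snmp community monitor-ro authorization read-only
set snmp community monitor-ro clients 203.0.113.5/32
set snmp community monitor-ro clients 0.0.0.0/0 restrict

## Commit with a rollback timer; if your session dies, the change reverts by itself.
commit confirmed 5
```

After the commit, `show security zones untrust` shows which system-services the zone still accepts, and `show firewall filter PROTECT-UNTRUST` shows the ike-denied and snmp-denied counters, which should climb when an unlisted source probes UDP 500 or 161 while the listed peers keep working. Then confirm the commit before the timer expires.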
Original Message:
Sent: 05-27-2024 12:09
From: Anonymous
Subject: Block all UDP 500 and allow certain IP only
This message was posted by a user wishing to remain anonymous
Hi Mates,
Is it possible to block all UDP 500 and allow certain IPs only (Untrust to Untrust)? If not possible, to turn off the listening port.
Note : It does not pass through the firewall as the listening port is at external facing interface.
Thanks in advance.