SRX

 View Only
last person joined: yesterday 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Block all UDP 500 and allow certain IP only

    This message was posted by a user wishing to remain anonymous
    Posted 24 days ago
    This message was posted by a user wishing to remain anonymous

    Hi Mates,

    Is it possible to block all UDP 500 and allow certain IP only (Untrust to Untrust)? If not possible, to turn off listening port.

    Note :  It does not pass through the firewall as the listening port is at external facing interface.

    Thanks in advance.



  • 2.  RE: Block all UDP 500 and allow certain IP only

    Posted 23 days ago

    Hi, 

    If I'm understanding right, you have SNMP available on the untrust zone/interface of the SRX via host-inbound-traffic. You are trying to monitor the SRX from an external source. Not reach another device connected to the SRX via the same Security Zone?

    There are two way you can do this...

    1. Configuration in the SNMP can be set to respond to only specified IPs through the clients statement...
      https://www.juniper.net/documentation/us/en/software/junos/cli-reference/topics/ref/statement/clients-edit-snmp.html
    2. Configure a firewall filter to restrict IPs to specified IP addresses and apply that filet to your external interface. Be cautious as the filters are default deny, so you can easily lock yourself out. I have Juniper guide and an example I created (see allow_snmp_clients) for reference.
      https://www.juniper.net/documentation/us/en/software/junos/routing-policy/topics/example/firewall-filter-simple-example.html
      https://github.com/thewhitehouse007/junos-config-templates/blob/main/protect_re.j2

    Kind Regards,

    Gavin White



    ------------------------------
    GAVIN WHITE
    ------------------------------



  • 3.  RE: Block all UDP 500 and allow certain IP only

    Posted 9 days ago

    I think UDP 500 is IKE rather than SNMP. Other than that, I agree with Gavin -- either a firewall filter, or make sure "ike" is not listed under host-inbound-traffic system-services for the Untrust zone.

    If you have multiple interfaces in Untrust (since you mentioned "Untrust to Untrust") and you're talking about transit traffic, then you can configure regular Untrust intra-zone policies to control what's allowed and what's not.



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 4.  RE: Block all UDP 500 and allow certain IP only

    Posted 9 days ago

    Thank you Nikolay for the correction. Honestly, I don't know how I got on the SNMP train. My apologies to the OP. 



    ------------------------------
    GAVIN WHITE
    ------------------------------