SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Block all UDP 500 and allow certain IP only

    This message was posted by a user wishing to remain anonymous
    Posted 05-27-2024 15:07

    Hi Mates,

    Is it possible to block all UDP 500 and allow certain IP only (Untrust to Untrust)? If not possible, to turn off listening port.

    Note: It does not pass through the firewall as the listening port is at the external-facing interface.

    Thanks in advance.



  • 2.  RE: Block all UDP 500 and allow certain IP only

    Posted 05-28-2024 22:46

    Hi, 

    If I'm understanding right, you have SNMP available on the untrust zone/interface of the SRX via host-inbound-traffic. You are trying to monitor the SRX from an external source. Not reach another device connected to the SRX via the same Security Zone?

    There are two ways you can do this...

    1. Configuration in the SNMP can be set to respond to only specified IPs through the clients statement...
      https://www.juniper.net/documentation/us/en/software/junos/cli-reference/topics/ref/statement/clients-edit-snmp.html
    2. Configure a firewall filter to restrict IPs to specified IP addresses and apply that filter to your external interface. Be cautious as the filters are default deny, so you can easily lock yourself out. I have a Juniper guide and an example I created (see allow_snmp_clients) for reference.
      https://www.juniper.net/documentation/us/en/software/junos/routing-policy/topics/example/firewall-filter-simple-example.html
      https://github.com/thewhitehouse007/junos-config-templates/blob/main/protect_re.j2

    Kind Regards,

    Gavin White



    ------------------------------
    GAVIN WHITE
    ------------------------------



  • 3.  RE: Block all UDP 500 and allow certain IP only

    Posted 06-11-2024 17:09

    I think UDP 500 is IKE rather than SNMP. Other than that, I agree with Gavin -- either a firewall filter, or make sure "ike" is not listed under host-inbound-traffic system-services for the Untrust zone.

    If you have multiple interfaces in Untrust (since you mentioned "Untrust to Untrust") and you're talking about transit traffic, then you can configure regular Untrust intra-zone policies to control what's allowed and what's not.



    ------------------------------
    Nikolay Semov
    ------------------------------
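    A Junos configuration showing both approaches from the replies above (turn off IKE on the zone, or keep it and restrict the source addresses with a filter). This is an added example, not from the original posts or Gavin's templates; the peer addresses are placeholders.

```junos
/* Option A (Nikolay's reply): stop offering IKE on the untrust zone entirely:
   delete security zones security-zone untrust host-inbound-traffic system-services ike */

/* Option B (both replies): leave "ike" in the zone's system-services but only
   accept UDP 500 from known peers. The filter is applied on lo0 so it only sees
   traffic addressed to the SRX itself, never transit. 203.0.113.10/.11 are placeholders. */
firewall {
    family inet {
        filter PROTECT-IKE {
            term allow-known-ike-peers {
                from {
                    source-address {
                        203.0.113.10/32;
                        203.0.113.11/32;
                    }
                    protocol udp;
                    destination-port 500;
                }
                then accept;
            }
            term drop-other-ike {
                from {
                    protocol udp;
                    destination-port 500;
                }
                then {
                    count ike-rejected;
                    log;
                    discard;
                }
            }
            /* Catch-all: a filter ends in an implicit deny, so without this term
               every other host-bound service (SSH, ping, routing) is dropped too. */
            term allow-everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-IKE;
                }
            }
        }
    }
}
```

    Commit it with `commit confirmed 5` so a mistake that locks you out is rolled back automatically; `show firewall filter PROTECT-IKE` shows the ike-rejected counter, which tells you how many unknown sources are probing IKE.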



  • 4.  RE: Block all UDP 500 and allow certain IP only

    Posted 06-11-2024 20:09

    Thank you Nikolay for the correction. Honestly, I don't know how I got on the SNMP train. My apologies to the OP. 



    ------------------------------
    GAVIN WHITE
    ------------------------------