SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  FBF doesn't work after I add icmp protocol

    Posted 09-19-2023 06:20

    Hi Everyone,

    I'm doing a lab on vSRX. I'm wondering why webFilter doesn't work if I add protocol icmp. Here is the command as it was:

    set firewall family inet filter webFilter term 1 from protocol icmp

    I tried to create another filter to bind to the interface, but one interface can only bind one filter, so I have to find a way to fit it into the webFilter.

    I want the http/https/icmp from Linux to all go to ge-0/0/2.

    Here is the official example: Example: Configuring Filter-Based Forwarding | Junos OS | Juniper Networks

    root# show |display set|no-more
    set version 20200609.165031.6_builder.r1115480
    set system root-authentication encrypted-password "$6$B9YQiKf1$yhnHl12FwXj0RMWzQRVzh44AonO9wPz.695e02PMGZFQLwdH6U5rB.W/eOCz78gd8LNboG9LMg8KHomdlsI4i/"
    set system services ssh
    set system services web-management http interface fxp0.0
    set system services web-management https system-generated-certificate
    set system services web-management https interface fxp0.0
    set system syslog user * any emergency
    set system syslog file messages any any
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands any
    set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
    set security address-book Lan address vPC 172.16.1.11/32
    set security address-book Lan address Linux-PC 172.16.1.12/32
    set security address-book Lan attach zone trust
    set security address-book Wan address Linux-Nat 172.16.2.12/32
    set security address-book Wan attach zone untrust
    set security flow traceoptions file kk.log
    set security flow traceoptions flag basic-datapath
    set security flow traceoptions packet-filter f1 source-prefix 192.168.175.166/32
    set security flow traceoptions packet-filter f1 destination-prefix 172.16.2.12/32
    set security screen ids-option untrust-screen icmp ping-death
    set security screen ids-option untrust-screen ip source-route-option
    set security screen ids-option untrust-screen ip tear-drop
    set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
    set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
    set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
    set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
    set security screen ids-option untrust-screen tcp syn-flood timeout 20
    set security screen ids-option untrust-screen tcp land
    set security nat source rule-set trust-to-untrust from zone trust
    set security nat source rule-set trust-to-untrust to zone untrust
    set security nat source rule-set trust-to-untrust rule 1 match destination-address 0.0.0.0/0
    set security nat source rule-set trust-to-untrust rule 1 then source-nat interface
    set security nat destination pool Linux address 172.16.1.12/32
    set security nat destination rule-set untrust-to-trust from zone untrust
    set security nat destination rule-set untrust-to-trust rule 1 match destination-address 172.16.2.12/32
    set security nat destination rule-set untrust-to-trust rule 1 then destination-nat pool Linux
    set security nat proxy-arp interface ge-0/0/2.0 address 172.16.2.12/32
    set security policies from-zone trust to-zone trust policy default-permit match source-address any
    set security policies from-zone trust to-zone trust policy default-permit match destination-address any
    set security policies from-zone trust to-zone trust policy default-permit match application any
    set security policies from-zone trust to-zone trust policy default-permit then permit
    set security policies from-zone trust to-zone untrust policy default-permit match source-address any
    set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
    set security policies from-zone trust to-zone untrust policy default-permit match application any
    set security policies from-zone trust to-zone untrust policy default-permit then permit
    set security policies from-zone untrust to-zone trust policy Linux-PC match source-address any
    set security policies from-zone untrust to-zone trust policy Linux-PC match destination-address Linux-PC
    set security policies from-zone untrust to-zone trust policy Linux-PC match application junos-ssh
    set security policies from-zone untrust to-zone trust policy Linux-PC match application junos-icmp-all
    set security policies from-zone untrust to-zone trust policy Linux-PC then permit
    set security policies from-zone untrust to-zone trust policy vPC match source-address any
    set security policies from-zone untrust to-zone trust policy vPC match destination-address vPC
    set security policies from-zone untrust to-zone trust policy vPC match application junos-icmp-all
    set security policies from-zone untrust to-zone trust policy vPC then deny
    set security zones security-zone trust tcp-rst
    set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
    set security zones security-zone untrust screen untrust-screen
    set security zones security-zone untrust host-inbound-traffic system-services all
    set security zones security-zone untrust interfaces ge-0/0/0.0
    set security zones security-zone untrust interfaces ge-0/0/2.0
    set interfaces ge-0/0/0 unit 0 family inet address 192.168.175.230/25
    set interfaces ge-0/0/1 unit 0 family inet filter input webFilter
    set interfaces ge-0/0/1 unit 0 family inet address 172.16.1.1/24
    set interfaces ge-0/0/2 unit 0 family inet address 172.16.2.1/24
    set interfaces fxp0 unit 0
    set firewall family inet filter webFilter term 1 from source-address 172.16.1.12/32
    set firewall family inet filter webFilter term 1 from destination-port http
    set firewall family inet filter webFilter term 1 from destination-port https
    set firewall family inet filter webFilter term 1 then routing-instance webtraffic
    set firewall family inet filter webFilter term 2 then accept
    set routing-instances webtraffic routing-options static route 0.0.0.0/0 next-hop 172.16.2.2
    set routing-instances webtraffic instance-type virtual-router
    set routing-options static route 0.0.0.0/0 next-hop 192.168.175.254
    set routing-options interface-routes rib-group inet FBF-rib
    set routing-options rib-groups FBF-rib import-rib inet.0
    set routing-options rib-groups FBF-rib import-rib webtraffic.inet.0



    ------------------------------
    POHUI HUANG
    ------------------------------


  • 2.  RE: FBF doesn't work after I add icmp protocol

    Posted 09-21-2023 09:07
    Edited by joaov 09-21-2023 09:10

    Hi Pohui,

    did you try including a new term?

    I mean:
    # Rename term 2 to "term 100"
    rename firewall family inet filter webFilter term 2 to term 100
    # Create the term 2 entry
    set firewall family inet filter webFilter term 2 from protocol icmp
    set firewall family inet filter webFilter term 2 then routing-instance webtraffic
    # Put term 2 before term 100
    insert firewall family inet filter webFilter term 2 before term 100

    Also, the instance-type recommended by Juniper is "forwarding". Your routing-instance is configured as "virtual-router".



    ------------------------------
    João Victor
    ------------------------------



  • 3.  RE: FBF doesn't work after I add icmp protocol

    Posted 09-21-2023 21:53

    Hi Victor,

    I changed it to "virtual-router" because of this article, but you are right, it doesn't help. It's fine to use "forwarding":

    Juniper SRX FBF NAT issues | SRX

    I'm new in the community. My post was delayed because it needed to be checked by Juniper.

    Thank you for your help. It works with a new term.



    ------------------------------
    POHUI HUANG
    ------------------------------



  • 4.  RE: FBF doesn't work after I add icmp protocol

    Posted 09-21-2023 10:34

    Hi Everyone,

    I solved it by myself.

    The commands are changed as below:

    set firewall family inet filter webFilter term 1 from source-address 172.16.1.12/32
    set firewall family inet filter webFilter term 1 from destination-port http
    set firewall family inet filter webFilter term 1 from destination-port https
    set firewall family inet filter webFilter term 1 then routing-instance webtraffic
    set firewall family inet filter webFilter term 2 from source-address 172.16.1.12/32
    set firewall family inet filter webFilter term 2 from protocol icmp
    set firewall family inet filter webFilter term 2 from icmp-type echo-request
    set firewall family inet filter webFilter term 2 from icmp-type echo-reply
    set firewall family inet filter webFilter term 2 then routing-instance webtraffic
    set firewall family inet filter webFilter term 3 then accept



    ------------------------------
    POHUI HUANG
    ------------------------------
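    Why the first attempt matched nothing and the final filter works, as an added example in Python (not code from the thread or from Juniper): a small model of Junos filter-term evaluation, with the packet and term classes being assumptions of this model, not Junos APIs.

```python
# Added example (not from the thread): a model of how Junos evaluates firewall
# filter terms, showing why "from protocol icmp" added to term 1 silently broke
# the FBF filter and why ICMP needs its own term.
# Rules modelled: terms are tried in order and the first match wins; inside one
# term's "from" clause, different match types are ANDed while several values of
# one match type are ORed; destination-port is treated as TCP/UDP-only here.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Packet:
    src: str
    proto: str                         # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    icmp_type: Optional[str] = None

@dataclass
class Term:
    name: str
    then: str                          # "routing-instance webtraffic" or "accept"
    source_address: set = field(default_factory=set)
    protocol: set = field(default_factory=set)
    destination_port: set = field(default_factory=set)
    icmp_type: set = field(default_factory=set)

    def matches(self, p: Packet) -> bool:
        checks = []                    # every configured match type must hold
        if self.source_address:
            checks.append(p.src in self.source_address)
        if self.protocol:
            checks.append(p.proto in self.protocol)
        if self.destination_port:      # simplification: port only exists for tcp/udp
            checks.append(p.proto in ("tcp", "udp") and p.dport in self.destination_port)
        if self.icmp_type:
            checks.append(p.proto == "icmp" and p.icmp_type in self.icmp_type)
        return all(checks)             # a term with no from-clause matches everything

def evaluate(terms: list, p: Packet) -> str:
    for t in terms:
        if t.matches(p):
            return t.then
    return "discard"                   # implicit discard at the end of a Junos filter

LINUX = "172.16.1.12"
FBF = "routing-instance webtraffic"
# Original attempt: icmp squeezed into the same term as the http/https ports
broken = [Term("1", FBF, {LINUX}, {"icmp"}, {80, 443}), Term("2", "accept")]
# Final post: ICMP echo gets its own term, so both term 1 and term 2 can match
fixed = [Term("1", FBF, {LINUX}, set(), {80, 443}),
         Term("2", FBF, {LINUX}, {"icmp"}, set(), {"echo-request", "echo-reply"}),
         Term("3", "accept")]
http = Packet(LINUX, "tcp", 80)
ping = Packet(LINUX, "icmp", icmp_type="echo-request")
```

    With the broken filter both `http` and `ping` fall through to term 2 and take the normal route; with the fixed filter both reach the webtraffic instance while the vPC host's ping still falls through to accept.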