The problem still persists. Maybe there is some interaction I'm not seeing yet.
We have jweb configured so it should be accessible only on the trust interface (irb.1 in our case) with url jweb, like so:
system {
    [...]
    services {
        web-management {
            management-url jweb;
            https {
                pki-local-certificate juniper;
                interface irb.1;
            }
        }
    }
}
security {
    zones {
        security-zone untrust {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                            ike;
                            https;
                            ssh;
                            tcp-encap;
                        }
                    }
                }
            }
        }
    }
}
jweb is then still accessible via the ge-0/0/0.0 interface.
We do have an additional security policy from-zone untrust to-zone junos-host to block unwanted ssh traffic.
This is with 22.4R3-S2.
------------------------------
Alexander Zielke
------------------------------
Original Message:
Sent: 07-05-2024 05:48
From: fb35523
Subject: how to restrict J-web access only from interface configured under system services web-management on firewall configured with Juniper secure Connect
Check this KB out: https://supportportal.juniper.net/s/article/How-to-stop-JWeb-on-the-JSC-interface
We were kind of involved in this when the bug became apparent but I can't remember the details. If the above will not resolve your problems, please get back here and I can check with a colleague of mine.
Original Message:
Sent: 06-20-2024 06:18
From: azielke
Subject: how to restrict J-web access only from interface configured under system services web-management on firewall configured with Juniper secure Connect
I noticed the same problem with the currently recommended version 22.4R3-S2.
------------------------------
Alexander Zielke
Original Message:
Sent: 02-28-2024 09:14
From: tcalarco
Subject: how to restrict J-web access only from interface configured under system services web-management on firewall configured with Juniper secure Connect
Hi Andrea,
You don't mention what version of Junos you are running, but in this configuration Junos version 22.2R3-S2 is JTAC recommended.
Cheers
-Tom
Original Message:
Sent: 02-27-2024 11:07
From: bigwave75
Subject: how to restrict J-web access only from interface configured under system services web-management on firewall configured with Juniper secure Connect
how to restrict J-web access only from interface configured under system services web-management on firewall configured with Juniper secure Connect
Hi All, to limit access to J-Web I have specified interfaces under web-management configuration as below:
set system services web-management https interface reth2.4
set system services web-management https interface reth0.0
However, I have enabled https on untrusted interfaces to allow Juniper Secure Connect remote users to connect to the SRX from outside:
set security zones security-zone Untrusted interfaces rethX.XXX host-inbound-traffic system-services https
but J-Web is still reachable from the outside/untrusted zone.
How can I deny J-Web access from outside?
Thank you in advance
------------------------------
ANDREA MALACARNE
------------------------------
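An audit sketch for the configurations posted in this thread, added here as an example (it is not code from any of the posters or from Juniper): it lists zone interfaces that accept HTTPS as host-inbound traffic but are not named under `system services web-management https interface`, which are the interfaces where J-Web reachability should be verified. The function names and the trust-zone line in the sample are assumptions, and `all ... except` service lists are not modelled.

```python
JWEB = ("system", "services", "web-management", "https", "interface")
ZONE = ("security", "zones", "security-zone")
HIT = ("host-inbound-traffic", "system-services")

def config_paths(text):
    """Flatten Junos config (curly-brace or 'set' format) into token tuples."""
    paths, stack = [], []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("set "):
            paths.append(tuple(line.split()[1:]))
        elif line.endswith("{"):
            stack.append(line[:-1].split())
        elif line == "}" and stack:
            stack.pop()
        elif line.endswith(";"):
            prefix = [tok for part in stack for tok in part]
            paths.append(tuple(prefix + line[:-1].split()))
    return paths

def audit(text):
    """Return (J-Web interfaces, [(zone, interface)] open to HTTPS but not listed for J-Web)."""
    paths = config_paths(text)
    jweb = {p[5] for p in paths if len(p) == 6 and p[:5] == JWEB}
    zone_svc, if_svc, members = {}, {}, {}
    for p in paths:
        if p[:3] != ZONE or len(p) < 6:
            continue
        zone, rest = p[3], p[4:]
        if rest[0] == "interfaces":
            members.setdefault(zone, set()).add(rest[1])
            if rest[2:4] == HIT and len(rest) == 5:
                if_svc.setdefault((zone, rest[1]), set()).add(rest[4])
        elif rest[:2] == HIT and len(rest) == 3:
            zone_svc.setdefault(zone, set()).add(rest[2])
    findings = []
    for zone, ifls in members.items():
        for ifl in ifls:
            # Interface-level host-inbound-traffic overrides the zone-level setting.
            svc = if_svc.get((zone, ifl), zone_svc.get(zone, set()))
            if svc & {"https", "all"} and ifl not in jweb:
                findings.append((zone, ifl))
    return sorted(jweb), sorted(findings)

# Constructed sample in "display set" form; the trust-zone line is hypothetical.
SAMPLE = """
set system services web-management https interface irb.1
set security zones security-zone trust interfaces irb.1 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
"""
if __name__ == "__main__":
    print(audit(SAMPLE))
```

A finding is not proof of exposure, only a pointer to where the `web-management` interface restriction is being relied on; confirm each one by requesting the management URL from that side.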