SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  How to restrict J-Web access only from interface configured under system services web-management on firewall configured with Juniper Secure Connect

    Posted 02-27-2024 11:55
    Hi all, to limit access to J-Web I have specified interfaces under the web-management configuration as below:
     
    set system services web-management https interface reth2.4
    set system services web-management https interface reth0.0
     
    However, I have enabled HTTPS on untrusted interfaces to allow Juniper Secure Connect remote users to connect to the SRX from outside:
     
    set security zones security-zone Untrusted interfaces rethX.XXX host-inbound-traffic system-services https
     
    But J-Web is still reachable from the outside/untrusted zone.
     
    How can I deny J-Web access from outside?
    Thank you in advance.


    ------------------------------
    ANDREA MALACARNE
    ------------------------------


  • 2.  RE: How to restrict J-Web access only from interface configured under system services web-management on firewall configured with Juniper Secure Connect

    Posted 02-28-2024 11:13

    Hi Andrea,

    You don't mention what version of Junos you are running, but in this configuration Junos version 22.2R3-S2 is JTAC recommended.

    Cheers

    -Tom




  • 3.  RE: How to restrict J-Web access only from interface configured under system services web-management on firewall configured with Juniper Secure Connect

    Posted 06-20-2024 12:21

    I noticed the same problem with the currently recommended version 22.4R3-S2.



    ------------------------------
    Alexander Zielke
    ------------------------------



  • 4.  RE: How to restrict J-Web access only from interface configured under system services web-management on firewall configured with Juniper Secure Connect

    Posted 07-05-2024 05:49

    Check this KB out: https://supportportal.juniper.net/s/article/How-to-stop-JWeb-on-the-JSC-interface

    We were kind of involved in this when the bug became apparent but I can't remember the details. If the above will not resolve your problems, please get back here and I can check with a colleague of mine.




  • 5.  RE: How to restrict J-Web access only from interface configured under system services web-management on firewall configured with Juniper Secure Connect

    Posted 07-23-2024 09:35

    The problem still persists. Maybe there is some interaction I'm not seeing yet.

    We have jweb configured so it should be accessible only on the trust interface (irb.1 in our case) with URL jweb, like so:

    system {
        [...]
        services {
            web-management {
                management-url jweb;
                https {
                    pki-local-certificate juniper;
                    interface irb.1;
                }
            }
        }
    }
    security {
        zones {
            security-zone untrust {
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                ike;
                                https;
                                ssh;
                                tcp-encap;
                            }
                        }
                    }
                }
            }
        }
    }
    

    jweb is then still accessible via the ge-0/0/0.0 interface.

    We do have an additional security policy from-zone untrust to-zone junos-host to block unwanted ssh traffic.

    This is with 22.4R3-S2.



    ------------------------------
    Alexander Zielke
    ------------------------------



  • 6.  RE: How to restrict J-Web access only from interface configured under system services web-management on firewall configured with Juniper Secure Connect

    Posted 07-31-2024 09:39

    Just to add to this thread, I found a solution for the problem, which is in KB33505: https://supportportal.juniper.net/s/article/SRX-Stopping-J-Web-login-from-External-Untrust-interface-when-dynamic-VPN-is-in-use?language=en_US

    When using jweb and JSC, you MUST NOT set "system services web-management management-url". Removing this solved the problem for me on 22.4R3.

    Versions before 22.4R3 and 23.2R1-S2 might still be affected by KB77716 I've posted above, so for older versions an upgrade might be necessary.



    ------------------------------
    Alexander Zielke
    ------------------------------
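
The condition reported in post 6 can be checked offline against `show configuration | display set` output. The script below is an added example, not code from the thread or from Juniper; the function name and the sample configuration are constructed for illustration (the sample mirrors post 5 in set form), and only interface-level `host-inbound-traffic system-services https` statements are examined.

```python
import re

# Constructed sample: set-format configuration mirroring post 5.
SAMPLE = """\
set system services web-management management-url jweb
set system services web-management https pki-local-certificate juniper
set system services web-management https interface irb.1
set security zones security-zone trust interfaces irb.1 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services tcp-encap
"""

WEB = "set system services web-management "
HOST_HTTPS = re.compile(
    r"^set security zones security-zone (\S+) interfaces (\S+) "
    r"host-inbound-traffic system-services https$")

def audit_jweb_exposure(set_config):
    """Return findings for the J-Web/JSC interaction described in the thread."""
    jweb_ifaces, https_ifaces, mgmt_url = set(), [], None
    for line in (l.strip() for l in set_config.splitlines()):
        if line.startswith(WEB + "https interface "):
            jweb_ifaces.add(line.split()[-1])      # interfaces meant to serve J-Web
        elif line.startswith(WEB + "management-url "):
            mgmt_url = line.split()[-1]
        elif (m := HOST_HTTPS.match(line)):
            https_ifaces.append((m.group(1), m.group(2)))
    # Interfaces that accept HTTPS to the device but are not listed for J-Web.
    unlisted = [(z, i) for z, i in https_ifaces if i not in jweb_ifaces]
    findings = []
    if mgmt_url and unlisted:
        findings.append(f"management-url '{mgmt_url}' is set while HTTPS is open "
                        "on non-J-Web interfaces; post 6 reports removing it")
    if not jweb_ifaces and https_ifaces:
        findings.append("no 'web-management https interface' restriction configured")
    findings += [f"verify J-Web is not served on {i} (zone {z})" for z, i in unlisted]
    return findings

if __name__ == "__main__":
    for finding in audit_jweb_exposure(SAMPLE):
        print("FINDING:", finding)
```

The "verify" entries list the interfaces to test from outside after any change or upgrade, since the thread shows the interface restriction alone did not hold on the affected versions.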