SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  how to restrict J-web access only from interface configured under system services web-management on firewall configured with Juniper secure Connect

    Posted 02-27-2024 11:55
    Hi All, to limit access to J-Web I have specified interfaces under web-management configuration as below:
     
    set system services web-management https interface reth2.4
    set system services web-management https interface reth0.0
     
    However, I have enabled https on untrusted interfaces to allow Juniper Secure Connect remote users to connect to the SRX from outside:

    set security zones security-zone Untrusted interfaces rethX.XXX host-inbound-traffic system-services https

    but J-Web is still reachable from the outside/untrusted zone.

    How can I deny J-Web access from outside?
    Thank you in advance.


    ------------------------------
    ANDREA MALACARNE
    ------------------------------


  • 2.  RE: how to restrict J-web access only from interface configured under system services web-management on firewall configured with Juniper secure Connect

    Posted 02-28-2024 11:13

    Hi Andrea,

    You don't mention what version of Junos you are running, but in this configuration Junos version 22.2R3-S2 is JTAC recommended.

    Cheers

    -Tom




  • 3.  RE: how to restrict J-web access only from interface configured under system services web-management on firewall configured with Juniper secure Connect

    Posted 06-20-2024 12:21

    I noticed the same problem with the currently recommended version 22.4R3-S2.



    ------------------------------
    Alexander Zielke
    ------------------------------



  • 4.  RE: how to restrict J-web access only from interface configured under system services web-management on firewall configured with Juniper secure Connect

    Posted 18 days ago

    Check this KB out: https://supportportal.juniper.net/s/article/How-to-stop-JWeb-on-the-JSC-interface

    We were kind of involved in this when the bug became apparent but I can't remember the details. If the above will not resolve your problems, please get back here and I can check with a colleague of mine.




  • 5.  RE: how to restrict J-web access only from interface configured under system services web-management on firewall configured with Juniper secure Connect

    Posted 14 hours ago

    The problem still persists. Maybe there is some interaction I'm not seeing yet.

    We have jweb configured so it should be accessible only on the trust interface (irb.1 in our case) with url jweb, like so:

    system {
        [...]
        services {
            web-management {
                management-url jweb;
                https {
                    pki-local-certificate juniper;
                    interface irb.1;
                }
            }
        }
    }
    security {
        zones {
            security-zone untrust {
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                                ike;
                                https;
                                ssh;
                                tcp-encap;
                            }
                        }
                    }
                }
            }
        }
    }
    

    jweb is then still accessible via the ge-0/0/0.0 interface.

    We do have an additional security policy from-zone untrust to-zone junos-host to block unwanted ssh traffic.

    This is with 22.4R3-S2.



    ------------------------------
    Alexander Zielke
    ------------------------------
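
An audit for the condition described in this thread, added here as an example and not taken from any poster or from Juniper: it reads set-style configuration and lists interfaces that accept https as host-inbound traffic but are absent from the web-management https interface list, which are the interfaces where the posters report J-Web still answering. It goes beyond the posted configs by also handling zone-level host-inbound-traffic and the `all` service; the sample config, the `dmz` zone and the function name are constructed for illustration.

```python
import re

# Set-style statements, as printed by "show configuration | display set".
JWEB_IFL = re.compile(r"^set system services web-management https interface (?P<ifl>\S+)$")
ZONE_IFL = re.compile(r"^set security zones security-zone (?P<zone>\S+) interfaces (?P<ifl>\S+)")
HOST_INBOUND = re.compile(
    r"^set security zones security-zone (?P<zone>\S+) "
    r"(?:interfaces (?P<ifl>\S+) )?host-inbound-traffic system-services (?P<svc>\S+)$")
HTTPS_SERVICES = {"https", "all"}  # "all" also opens HTTPS to the device

# Constructed sample: the last post's configuration rewritten in set style,
# plus a hypothetical "dmz" zone that allows services at zone level.
SAMPLE = """
set system services web-management https interface irb.1
set security zones security-zone trust interfaces irb.1 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ike
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone dmz host-inbound-traffic system-services all
set security zones security-zone dmz interfaces ge-0/0/2.0
set security zones security-zone dmz interfaces ge-0/0/3.0 host-inbound-traffic system-services ssh
"""

def audit_jweb_exposure(set_config):
    """Return sorted (zone, interface) pairs open to HTTPS but not in the J-Web interface list."""
    jweb_ifls, members, zone_https, ifl_svcs = set(), {}, set(), {}
    for raw in set_config.splitlines():
        line = " ".join(raw.split())  # normalise whitespace
        if m := JWEB_IFL.match(line):
            jweb_ifls.add(m["ifl"])
        if m := ZONE_IFL.match(line):
            members.setdefault(m["zone"], set()).add(m["ifl"])
        if m := HOST_INBOUND.match(line):
            if m["ifl"]:
                ifl_svcs.setdefault((m["zone"], m["ifl"]), set()).add(m["svc"])
            elif m["svc"] in HTTPS_SERVICES:
                zone_https.add(m["zone"])
    findings = []
    for zone, ifls in members.items():
        for ifl in ifls:
            svcs = ifl_svcs.get((zone, ifl))
            # Assumption: interface-level services, when present, override the zone-level list.
            allowed = bool(svcs & HTTPS_SERVICES) if svcs is not None else zone in zone_https
            if allowed and ifl not in jweb_ifls:
                findings.append((zone, ifl))
    return sorted(findings)

if __name__ == "__main__":
    for zone, ifl in audit_jweb_exposure(SAMPLE):
        print(f"{zone}/{ifl}: https host-inbound allowed, not in web-management https interface list")
```

Statements using the `except` modifier are not matched and are skipped, so review those by hand.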