SRX


Ask questions and share experiences about the SRX Series.
  • 1.  REST api on SRX 300 does not work

    Posted 12-28-2022 09:17
    Hello, I'm trying to use the REST API on an SRX 300.

    I followed the official documentation and also this simple howto: Working with REST API on Junos OS

    The source IP from which I try to connect is in a security zone with host-inbound-traffic system-services all enabled.
    I tried to telnet from the SRX itself and the port is open.
    From outside (from my LAN), the port is closed.

    I also found this PR, but it seems to be already fixed on the release I'm using (JUNOS 21.2R3):
    https://prsearch.juniper.net/problemreport/PR1590810

    What do you suggest I check? Thanks!




    ------------------------------
    MATTEO SGALABERNI
    ------------------------------


  • 2.  RE: REST api on SRX 300 does not work

    Posted 29 days ago

    Hello,

    Looking through the article that you provided, it does not mention the use of the 'address' stanza for the REST API configuration.

    set system services rest http addresses [203.0.113.0 203.0.113.1]


    This command instructs the device to enable listening on the specified IPs.

    Also, if you are looking to use this for experimenting I highly recommend enabling the API Explorer...

    set system services rest enable-explorer
    


    Kind Regards,
    Gavin White



    ------------------------------
    GAVIN WHITE
    ------------------------------



  • 3.  RE: REST api on SRX 300 does not work

    Posted 27 days ago
    Hi! Thanks for your reply! Here is my config:

    sgala@# show system services rest
    http {
        port 3001;
        addresses 172.16.60.1;
    }
    enable-explorer;

    I did further tests... it seems to be an issue with the security policy.

    host-inbound-traffic system-services all is not sufficient.

    With host-inbound-traffic system-services any-service, port 3001 is reachable!!

    But I don't want to open all ports... probably the REST service is not covered by any default system-service! I can't find any info about it...

    Do you have an idea how to open that service correctly without opening all ports?

    Thanks

    Matteo

    ------------------------------
    Matteo Sgalaberni
    ------------------------------



  • 4.  RE: REST api on SRX 300 does not work

    Posted 26 days ago

    Hi Matteo,

    My understanding is that the REST config stanza should open the required ports on the listening IP.

    I will have to do some tests to verify this in the lab once I'm back next week. In a working environment [20.2R3], I have the following zone configuration...

            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
            }


    Some things to check in your configuration that could still block access would be...
     1. Any firewall filters configured on the loopback, limiting RE traffic.
     2. Any security policy configured to the junos-host zone. By default (not configured), this will allow all and only host-inbound-traffic is checked.

    Regards,



    ------------------------------
    GAVIN WHITE
    ------------------------------



  • 5.  RE: REST api on SRX 300 does not work

    Posted 15 days ago

    Hi Matteo,

    I hope you are doing well?

    I have been able to perform some testing in my lab and came to the following conclusions...
    Configuring a custom port on any SRX or EX Series device for the REST API sets the listening port of the lighttpd service to the specified port.
    EX switches do not have these zone/interface filters and the REST API works as expected. SRX devices filter zone traffic through the host-inbound-traffic configuration and there is limited flexibility in which protocols and system services (ports) can be opened.

    TCP port 3000 is not available as one of the system-service ports, so I would recommend using a port for the REST API that is listed under the host-inbound-traffic system-services configuration branch. For example, 'webapi-clear-text' (TCP 8080) and 'webapi-ssl' (TCP 8443) can be used for this scenario. See the config example below...

    system {
        services {
            rest {
                http {
                    port 8080;
                    addresses 10.1.7.254;
                }
                control {
                    allowed-sources [ 10.1.7.8 10.1.7.31 ];
                }
                enable-explorer;
            }
        }
    }
    security {
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        ssh;
                        webapi-clear-text;
                        ...
                    }
                    protocols {
                        ospf;
                        ...
                    }
                }
            }
        }
    }
    


    Understandably, 8080 is a common port, so make sure to lock it down as specifically as possible, allowing it only in the zones required and using the `allowed-sources` config option for the REST API, etc.

    Kind regards,
    Gavin White



    ------------------------------
    GAVIN WHITE
    ------------------------------
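Added example (not from the thread and not Juniper code): a small Python audit that parses a Junos-style config and reports, per security zone, whether the configured REST port will be admitted by host-inbound-traffic, reproducing the thread's finding that `all` does not cover a custom port like 3001 while a named service port such as webapi-clear-text (8080) does. The service-to-port mapping and the default port of 3000 are assumptions, and the sample configs are constructed.

```python
import re

# Assumed TCP ports behind the named system-services this check understands.
SERVICE_PORTS = {"ssh": 22, "telnet": 23, "http": 80, "https": 443,
                 "netconf": 830, "webapi-clear-text": 8080, "webapi-ssl": 8443}

def parse(cfg):
    """Tiny Junos curly-brace parser: blocks become dicts, 'key value;' leaves."""
    root, stack = {}, []
    cur = root
    for tok in re.findall(r"[^{};]+[{;]|\}", cfg):  # bare '...' markers are dropped
        tok = tok.strip()
        if tok.endswith("{"):
            child = cur.setdefault(tok[:-1].strip(), {})
            stack.append(cur)
            cur = child
        elif tok == "}":
            cur = stack.pop()
        else:
            key, _, value = tok[:-1].strip().partition(" ")
            cur[key] = value.strip() or True
    return root

def rest_port(tree):
    """Configured REST HTTP port; 3000 is the assumed Junos default when unset."""
    http = tree.get("system", {}).get("services", {}).get("rest", {}).get("http", {})
    return int(http.get("port", 3000))

def zone_admits(zone, port):
    """True if the zone's host-inbound-traffic admits TCP `port` to the RE."""
    svcs = zone.get("host-inbound-traffic", {}).get("system-services", {})
    if "any-service" in svcs:        # every port: works, but far too broad
        return True
    # 'all' means every *named* service, not every port, which is why 3001 failed
    named = SERVICE_PORTS if "all" in svcs else {s: SERVICE_PORTS.get(s) for s in svcs}
    return port in named.values()

def audit(cfg):
    """Return (rest_port, {zone_name: reachable}) for a config text."""
    tree = parse(cfg)
    port = rest_port(tree)
    zones = tree.get("security", {}).get("zones", {})
    return port, {k.split()[-1]: zone_admits(z, port) for k, z in zones.items()}

# Constructed configs mirroring the thread: the failing one and the working one.
BROKEN = """system { services { rest { http { port 3001; addresses 172.16.60.1; } } } }
security { zones { security-zone trust { host-inbound-traffic { system-services { all; } } } } }"""
FIXED = """system { services { rest { http { port 8080; addresses 10.1.7.254; }
    control { allowed-sources [ 10.1.7.8 10.1.7.31 ]; } } } }
security { zones { security-zone trust { host-inbound-traffic { system-services { ssh; webapi-clear-text; } } } } }"""
```

`audit(BROKEN)` reports the trust zone as unreachable and `audit(FIXED)` as reachable; a zone listing `any-service` always passes, which is the over-broad setting the thread wanted to avoid.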



  • 6.  RE: REST api on SRX 300 does not work

    Posted 15 days ago
    Hi Gavin! Thanks! The trick works well!! ;)

    Thanks!

    Matteo

    ------------------------------
    Matteo Sgalaberni
    ------------------------------