SRX

 View Only
last person joined: yesterday 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Restricting Ping

    Posted 11-01-2024 15:18

    Gooooood Afternoon.

    We're currently looking to restrict ping replies to only authorized IPs (our HQ and monitoring services) so that the firewall will not reply to ICMP echo requests from any other sources.  I've applied the following config as a candidate config, and the commit check shows it's good.  However, when applying in Juniper Mist, it gives me a syntax error for the interface line.  The config seems to be applied, however, I'm still able to get ping replies even from a non-authorized sources.  I'm certain I'm missing something and was hoping someone could point out where I went wrong.  IPs and names changed for anonymity 

    set policy-options prefix-list example 22.142.71.128/29        
    set policy-options prefix-list example 54.44.122.132/32 
    set policy-options prefix-list example 102.29.71.32/28  

    set firewall family inet filter icmprestrict term 1 from prefix-list example
    set firewall family inet filter icmprestrict term 1 from protocol icmp
    set firewall family inet filter icmprestrict term 1 from icmp-type echo-request
    set firewall family inet filter icmprestrict term 1 then accept 

    set firewall family inet filter icmprestrict term 2 from protocol icmp
    set firewall family inet filter icmprestrict term 2 from icmp-type echo-request
    set firewall family inet filter icmprestrict term 2 then discard

    set interface ge-0/0/1 unit 0 family inet filter input exampl



    ------------------------------
    NICHOLAS MARSZALKOWSKI
    ------------------------------


  • 2.  RE: Restricting Ping

    Posted 11-02-2024 13:29

    This may be just an artefact of the name substitution, but just in case, the interface line should include icmprestrict, not example.

    On a separate note, you should include a third term stating what should happen to all other traffic. Otherwise, headache. (I'm pretty sure the default action is discard.)



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 3.  RE: Restricting Ping

    Posted 30 days ago
    Edited by NICHOLAS MARSZALKOWSKI 30 days ago

    That was simply a mistake in my transposing it for this message.  Good catch!  In my configuration the last line is:

    set interface ge-0/0/1 unit 0 family inet filter input icmprestrict

    I left the firewall filter without a next term thinking that i want it to be discarding any inbound traffic anyway.  I'm guessing since this is being used on a stateful firewall that internally initiated outbound sessions should be exempt from that explicit deny/discard



    ------------------------------
    NICHOLAS MARSZALKOWSKI
    ------------------------------



  • 4.  RE: Restricting Ping

    Posted 30 days ago

    I don't think that's a safe guess.  I don't believe stateless firewall filters are influenced by established sessions.

    As for your original question, I really don't know why exactly Mist is complaining. It's possible that the actual name you're using contains some pattern of characters that's been programmed in Mist to be disallowed.

    Also, now that I read your first post again, let's be pedantic for fun. You say "I'm still able to get ping replies even from a non-authorized sources." The firewall filter is written to block ping requests from non-authorized sources. I.e. you're trying to prevent non-authorized devices from pinging your SRX. If, on the other hand, you want to prevent the SRX from pinging non-authorized devices, then you have to change the filter terms accordingly. But you called them sources, so I'm guessing that indeed you wanted to block requests from them and not replies from them.

    In other words, I'm out of ideas.



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 5.  RE: Restricting Ping

    Posted 30 days ago

    I appreciate the help. 

    "I.e. you're trying to prevent non-authorized devices from pinging your SRX."  This statement is accurate.

    "On a separate note, you should include a third term stating what should happen to all other traffic"  Do you have any suggestions?  My biggest concern is that if i put a blanket "then accept" it'll essentially allow all traffic from the internet through my firewall interface.



    ------------------------------
    NICHOLAS MARSZALKOWSKI
    ------------------------------



  • 6.  RE: Restricting Ping

    Posted 30 days ago

    Run show security flow status. Towards the top, it will say whether the firewall is processing stuff in flow mode (the default) or packet mode.

    In packet mode, you'd be correct that a blanket "then accept" allows traffic through.

    However, in flow mode, after the firewall filter with a "then accept" term allow the traffic, processing of the traffic gets handed off to the flow module. See the processing diagram here: https://www.juniper.net/documentation/us/en/software/junos/flow-packet-processing/topics/topic-map/security-srx-devices-processing-overview.html#id-understanding-traffic-processing-on-security-devices

    The per-packet filter is only the second step in the beginning. You'll still have screening, sessions, policies, etc. apply to that traffic, so it won't be a free-for-all open door into your network (unless, of course, your policies say so on purpose).



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 7.  RE: Restricting Ping

    Posted 29 days ago

    Soooo, it was something incredibly simple.

    I had this. 

    set interface ge-0/0/1 unit 0 family inet filter input example

    The command is set interfaces, not set interface.  When i tab through CLI, it filled it in correctly.  When I put the CLI into Mist, it errored out because set interface is not a valid command haha.



    ------------------------------
    NICHOLAS MARSZALKOWSKI
    ------------------------------