SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  set admin manager-ip on SRX

    Posted 05-12-2010 02:09

    Hi,

     

    How to implement "set admin manager-ip" on SRX?

     

    Many thanks.

     

    Regards,

    Pawel



  • 2.  RE: set admin manager-ip on SRX

    Posted 05-12-2010 03:42

    Hi,

     

    There is no 1-to-1 equivalent of this ScreenOS feature in JUNOS. You have to write a firewall filter and bind it to the loopback interface (lo0.0). You don't have to assign an IP address to the loopback interface.

     

    In the firewall filter you could have terms like: accept all incoming SSH connections from a specific prefix list, and in the next term discard SSH from all sources.

     

    Be careful if you don't allow all other traffic at the end, because all host-inbound traffic (ICMP, OSPF, etc.) runs through this filter. So it is not uncommon to have an allow-all term at the end, although this is usually not best practice in IT security.

     

    Kind regards,

    Dominik



  • 3.  RE: set admin manager-ip on SRX

    Posted 05-12-2010 11:26

    Hi !

     

    A little bit OT. Your nick sounds familiar... Are you from Poland? Maybe from the Polish sub-forum on J-Net? 😉

     

    Best Regards



  • 4.  RE: set admin manager-ip on SRX
    Best Answer

    Posted 05-12-2010 11:53

    Here is a short example to illustrate this procedure:

     

    [edit interfaces]
    +   lo0 {
    +       unit 0 {
    +           family inet {
    +               filter {
    +                   input protect_routing_engine;
    +               }
    +           }
    +       }
    +   }
    [edit policy-options]
    +   prefix-list allowed_ssh_hosts {
    +       10.0.0.0/8;
    +   }
    [edit]
    +  firewall {
    +      family inet {
    +          filter protect_routing_engine {
    +              term allow_ssh_from_allowed_hosts {
    +                  from {
    +                      source-prefix-list {
    +                          allowed_ssh_hosts;
    +                      }
    +                      protocol tcp;
    +                      port ssh;
    +                  }
    +                  then accept;
    +              }
    +              term discard_ssh_from_all_other_hosts {
    +                  from {
    +                      protocol tcp;
    +                      port ssh;
    +                  }
    +                  then {
    +                      discard;
    +                  }
    +              }
    +              term allow_all_other_traffic {
    +                  then accept;
    +              }
    +          }
    +      }
    +  }

     

    Regards,

    Dominik
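
    A fuller version of the filter above, added here as an illustration rather than taken from Dominik's post or any Juniper documentation. It assumes an SRX in flow mode, a hypothetical management prefix 10.0.0.0/8, a hypothetical NTP server 10.0.0.5, IPv4-only management and a zone named trust; prefix-list, filter, term and counter names are all made up for the example. Two things it changes relative to the thread's snippet: it matches on destination-port rather than port (port matches either end, so SSH sessions the SRX itself opens would have their replies, source port 22, discarded by the catch-all term), and it adds the zone host-inbound-traffic statement that an SRX needs before the loopback filter ever sees the packet. It also gives lo0 an address, following the NTP remark later in this thread.

```junos
/* Added example, not from the original post. Hypothetical addresses and names. */
interfaces {
    lo0 {
        unit 0 {
            family inet {
                /* Any /32 works; it gives the box a stable source address (see the NTP note in this thread). */
                address 10.255.255.1/32;
                filter {
                    input protect_routing_engine;
                }
            }
        }
    }
}
policy-options {
    prefix-list management_hosts {
        10.0.0.0/8;
    }
    prefix-list ntp_servers {
        10.0.0.5/32;
    }
}
firewall {
    family inet {
        filter protect_routing_engine {
            /* destination-port, not port: "port" also matches replies to SSH sessions the SRX opens (source port 22). */
            term allow_mgmt_from_management_hosts {
                from {
                    source-prefix-list {
                        management_hosts;
                    }
                    protocol tcp;
                    destination-port [ ssh https ];
                }
                then accept;
            }
            term discard_mgmt_from_everyone_else {
                from {
                    protocol tcp;
                    destination-port [ ssh https ];
                }
                then {
                    count mgmt_discards;
                    syslog;
                    discard;
                }
            }
            /* Template for pinning down one more RE-bound service before the final accept is removed. */
            term allow_ntp_replies {
                from {
                    source-prefix-list {
                        ntp_servers;
                    }
                    protocol udp;
                    source-port ntp;
                }
                then accept;
            }
            /* Keep this until every RE-bound protocol in use (ICMP, routing protocols, IKE/ESP, DHCP, ...) has its own term, then turn it into a counted, logged discard. */
            term allow_all_other_traffic {
                then accept;
            }
        }
    }
}
security {
    zones {
        security-zone trust {
            /* On SRX the zone must permit the service too, otherwise flowd drops it before the lo0 filter runs. */
            host-inbound-traffic {
                system-services {
                    ssh;
                    https;
                    ntp;
                    ping;
                }
            }
        }
    }
}
```

    Commit it with commit confirmed so a mistake in the prefix list rolls back instead of locking you out, then check show firewall filter protect_routing_engine: the mgmt_discards counter and the syslog entries show exactly who is knocking on the management ports. If the box also has IPv6 addresses, a separate family inet6 filter on lo0.0 is needed; this one does nothing for IPv6 management traffic.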



  • 5.  RE: set admin manager-ip on SRX

    Posted 05-13-2010 08:48

    Hi,

     

    Thanks Dominik!

    Works fine:-)

     

    Regards,

    Pawel

     

     



  • 6.  RE: set admin manager-ip on SRX

    Posted 05-13-2010 13:21

    On a side note, the loopback interface with no IP address does break NTP on the SRX650. The fix from support was adding an IP address.