SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX300 security policy

    Posted 02-16-2023 11:12

    Hi!

    On my SRX, I've opened port 2222/SSH on a public IP address for a git server. I think it is secure - only ssh keys are accepted. But the number of login attempts is annoying. So I want to restrict the IP addresses to my provider's subnet.

    I have tried to do this in a security policy from zone untrust to zone xyz with source address 1.1.0.0/16, but it doesn't work. Why is this? Is the source address at this point the interface address of the untrust zone?

    policy devops {
        match {
            source-address provider-subnet;
            destination-address HAProxy-B1W63;
            application cust-ssh;
        }
        then {
            permit;
            log {
                session-init;
                session-close;
            }
        }
    }

    Is a firewall filter or a global policy a better place to do this?



    ------------------------------
    Thanks!
    ------------------------------


  • 2.  RE: SRX300 security policy

    Posted 02-16-2023 20:22

    Have you removed or deactivated the original security policy that allows the inbound connections to the server?

    You would need to have only the restricted policy in place.

    Also note that the policy would be written to the post-destination-NAT address, not the public address of the server.



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------
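A worked configuration that puts the answer above into Junos set commands, added here as an example and not taken from the thread or from Juniper documentation. The names provider-subnet, HAProxy-B1W63, cust-ssh and the zones untrust and xyz come from the question; the public IP 203.0.113.10, the internal host 10.0.0.10, the NAT pool and rule-set names, the global address book, and the name of the earlier wide-open policy (devops-open) are constructed placeholders. The key points it shows are that the destination-address entry must hold the post-NAT (internal) address, and that the older unrestricted policy must be deactivated or the new one never takes effect on its own.

```junos
## Added example, not the original poster's configuration. All IPs and the
## NAT/pool/rule names are placeholders.

## 1. Address book entries. The destination entry holds the post-NAT
##    internal address, because policy lookup runs after destination NAT.
set security address-book global address provider-subnet 1.1.0.0/16
set security address-book global address HAProxy-B1W63 10.0.0.10/32

## 2. Custom application for the SSH daemon listening on TCP/2222.
set applications application cust-ssh protocol tcp
set applications application cust-ssh destination-port 2222

## 3. Destination NAT: public 203.0.113.10:2222 -> 10.0.0.10, port unchanged,
##    so the policy still matches cust-ssh (2222) after translation.
set security nat destination pool haproxy-pool address 10.0.0.10/32
set security nat destination rule-set untrust-in from zone untrust
set security nat destination rule-set untrust-in rule ssh-in match destination-address 203.0.113.10/32
set security nat destination rule-set untrust-in rule ssh-in match destination-port 2222
set security nat destination rule-set untrust-in rule ssh-in then destination-nat pool haproxy-pool

## 4. The restricted policy: only the provider subnet may reach the server.
set security policies from-zone untrust to-zone xyz policy devops match source-address provider-subnet
set security policies from-zone untrust to-zone xyz policy devops match destination-address HAProxy-B1W63
set security policies from-zone untrust to-zone xyz policy devops match application cust-ssh
set security policies from-zone untrust to-zone xyz policy devops then permit
set security policies from-zone untrust to-zone xyz policy devops then log session-init
set security policies from-zone untrust to-zone xyz policy devops then log session-close

## 5. Take the earlier any-source policy (placeholder name) out of the lookup.
##    If it stays active it either matches first or catches every source
##    that falls through, so the restriction never bites.
deactivate security policies from-zone untrust to-zone xyz policy devops-open

## 6. Commit with automatic rollback in case the change locks you out.
commit confirmed 5

## 7. Verify from configuration mode: list the policy order, then ask the
##    box which policy a packet from outside the provider subnet would hit
##    (198.51.100.7 is a constructed test source; expect no permit).
run show security policies from-zone untrust to-zone xyz
run show security match-policies from-zone untrust to-zone xyz source-ip 198.51.100.7 destination-ip 10.0.0.10 source-port 40000 destination-port 2222 protocol tcp
```

The match-policies check uses the internal 10.0.0.10 as destination for the same reason the policy does: it is evaluated against the post-NAT tuple. Running it once with a source inside 1.1.0.0/16 and once with one outside confirms both the permit and the implicit deny before relying on the logs.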