Have you removed or deactivated the original security policy that allows the inbound connections to the server?
You would need to have only the restricted policy in place.
Also note that the policy would be written against the post-destination-NAT address, not the public address of the server.
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
------------------------------
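To make the two points in the reply concrete, here is an added example of what the finished configuration looks like; it is not from the original poster or from Juniper documentation. The public address 203.0.113.10, the internal address 10.0.63.10 and the pool/rule names are assumptions; the policy, address-book and application names come from the question. The destination NAT rule translates the public address to the internal one before policy lookup, which is why the policy's destination-address is the internal host (HAProxy-B1W63), and why no second, broader policy may sit above devops in the same from-zone/to-zone context.

```junos
security {
    nat {
        destination {
            /* assumed internal git host and port */
            pool git-dnat-pool {
                address 10.0.63.10/32 port 2222;
            }
            rule-set from-untrust {
                from zone untrust;
                rule git-ssh {
                    match {
                        /* assumed public address of the SRX */
                        destination-address 203.0.113.10/32;
                        destination-port 2222;
                    }
                    then {
                        destination-nat pool git-dnat-pool;
                    }
                }
            }
        }
    }
    address-book {
        global {
            address provider-subnet 1.1.0.0/16;
            /* post-NAT address: policy matches this, not 203.0.113.10 */
            address HAProxy-B1W63 10.0.63.10/32;
        }
    }
    policies {
        from-zone untrust to-zone xyz {
            /* devops must be the only policy permitting this traffic;
               an earlier "any" source policy in this context would match first */
            policy devops {
                match {
                    source-address provider-subnet;
                    destination-address HAProxy-B1W63;
                    application cust-ssh;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
    }
}
applications {
    application cust-ssh {
        protocol tcp;
        destination-port 2222;
    }
}
```

After committing, `show security policies from-zone untrust to-zone xyz` lists the policies in evaluation order, so a leftover permissive policy above devops is easy to spot; it can be deactivated with `deactivate security policies from-zone untrust to-zone xyz policy <old-name>` or moved below devops with `insert ... policy devops before policy <old-name>`. `show security flow session destination-port 2222` then shows the translated (10.0.63.10) destination on the in-wing of each session, confirming the address the policy actually sees, and the session-init log will show any source outside 1.1.0.0/16 being dropped by the implicit deny.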
Original Message:
Sent: 02-16-2023 11:12
From: mlauth
Subject: SRX300 security policy
Hi!
On my SRX, I've opened port 2222/SSH on a public IP address for a git server. I think it is secure - only ssh keys are accepted. But the number of login attempts is annoying. So I want to restrict the IP addresses to my provider's subnet.
I have tried to do this in a security policy from zone untrust to zone xyz with source address 1.1.0.0/16, but it doesn't work. Why is this? Is the source address at this point the interface address of the untrust zone?
    policy devops {
        match {
            source-address provider-subnet;
            destination-address HAProxy-B1W63;
            application cust-ssh;
        }
        then {
            permit;
            log {
                session-init;
                session-close;
            }
        }
    }
Is a firewall filter or a global policy a better place to do this?
------------------------------
Thanks!
------------------------------