SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  The configuration for SRX300

    Posted 04-12-2024 09:12

    Hi all,

    I am new to Juniper firewall.

    I would like to configure my SRX300 to block all ports but allow access to a few specific outgoing ports such as 80, 443, 21, 22 and so on.

    Could someone instruct me on how to set up the configuration?

    I tried configuring access to outgoing port 80 only, but after I configured it, my computer is unable to access the internet.

    I would much appreciate it if someone can help.



    ------------------------------
    Tokumasa Sanada
    ------------------------------


  • 2.  RE: The configuration for SRX300

    Posted 04-12-2024 20:26

    Assuming you have the default internet security policy which is:

    set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any

    set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any

    set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any

    set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit

    To restrict this you would need to remove the "application any" then add the list of all those you want to permit as such:

    delete security policies from-zone trust to-zone untrust policy trust-to-untrust match application any

    set security policies from-zone trust to-zone untrust policy trust-to-untrust match application junos-http

    set security policies from-zone trust to-zone untrust policy trust-to-untrust match application junos-https

    set security policies from-zone trust to-zone untrust policy trust-to-untrust match application junos-ftp

    set security policies from-zone trust to-zone untrust policy trust-to-untrust match application junos-ssh

    I assume your first pass did not work because most web traffic now is HTTPS and not HTTP alone, so it would be blocked.

    Be prepared for some sites to have issues with this restricted list.  I supported these port-limited internet connections about 10 years ago and there were a surprisingly large number of protocols added over time as site functions failed and we had to discover what additional protocols were needed for the calls to work.  It was a real pain to maintain.



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------
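    The full change as one paste, as an added example that is not part of Steve's reply. It assumes the factory-default zone names trust and untrust and the default policy name trust-to-untrust. Beyond the four applications asked for, it also permits DNS (junos-dns-udp and junos-dns-tcp): a host in trust that uses an external resolver cannot look up names once the catch-all application match is removed, and that shows up as "no internet" even though junos-http and junos-https are permitted. ICMP ping is included for troubleshooting, the permit rule logs its sessions, and an explicit deny-and-log rule is appended last so that anything else being attempted is visible in the traffic log rather than silently dropped. The commit is done with a confirmed timer so a lockout rolls back by itself.

```junos
## Enter configuration mode on the SRX300
configure

## Remove the catch-all application match from the default outbound policy
delete security policies from-zone trust to-zone untrust policy trust-to-untrust match application any

## Permit only the named predefined Junos application objects.
## DNS is needed for web browsing to work at all when the resolver is outside the trust zone.
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application junos-dns-udp
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application junos-dns-tcp
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application junos-http
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application junos-https
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application junos-ftp
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application junos-ssh
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application junos-ping

## Log permitted sessions so a later site failure can be traced to a missing application
set security policies from-zone trust to-zone untrust policy trust-to-untrust then log session-init
set security policies from-zone trust to-zone untrust policy trust-to-untrust then log session-close

## Explicit deny-and-log rule. A new policy is appended after the existing one,
## so this is evaluated only when trust-to-untrust does not match.
set security policies from-zone trust to-zone untrust policy deny-log match source-address any
set security policies from-zone trust to-zone untrust policy deny-log match destination-address any
set security policies from-zone trust to-zone untrust policy deny-log match application any
set security policies from-zone trust to-zone untrust policy deny-log then deny
set security policies from-zone trust to-zone untrust policy deny-log then log session-init

## Review the candidate change, then commit with an automatic rollback after 5 minutes
## unless it is confirmed with a second commit.
show | compare
commit confirmed 5
commit
```

    If the hosts in trust point at the SRX itself for DNS (DHCP handing out the SRX as resolver), that traffic is host-inbound to the SRX rather than a trust-to-untrust flow, and what matters instead is the zone's host-inbound-traffic system-services setting; the DNS lines above are harmless in that case.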



  • 3.  RE: The configuration for SRX300

    Posted 04-15-2024 04:16

    Hi Steve,

    Thanks for your reply.

    I followed your instructions, but my computer is unable to access the internet after I committed the scripts below.

    set security policies from-zone trust to-zone untrust policy trust-to-untrust match application junos-http

    set security policies from-zone trust to-zone untrust policy trust-to-untrust match application junos-https

    set security policies from-zone trust to-zone untrust policy trust-to-untrust match application junos-ftp

    set security policies from-zone trust to-zone untrust policy trust-to-untrust match application junos-ssh

    The screenshot shows the rules after the above scripts were committed.

    Are there any sections that I configure wrong?



    ------------------------------
    Tokumasa Sanada
    ------------------------------



  • 4.  RE: The configuration for SRX300

    Posted 04-15-2024 04:59
    Edited by bkamen 04-15-2024 04:59

    Can you show the security -> zones -> trusted configuration?


    If it's set for factory defaults, then it's probably wide open - but let's make sure. 



  • 5.  RE: The configuration for SRX300

    Posted 04-15-2024 22:19

    Hi,

    I cannot see the path you mention on my SRX300. Could you show me a screenshot or the commands that display the trusted configuration?

    Thanks.



    ------------------------------
    Tokumasa Sanada
    ------------------------------
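    The CLI equivalents of the J-Web page asked about above, as an added example that is not part of any post in this thread. These are operational-mode commands (the `>` prompt, not configuration mode) and assume the default zone names trust and untrust. The IP addresses are constructed for illustration: 192.168.1.10 stands for a host in the trust zone and 8.8.8.8 for an external DNS resolver; substitute your own.

```junos
## Show the trust and untrust zone definitions: member interfaces and which
## host-inbound system services (dhcp, dns, ping, ssh, ...) the SRX itself accepts
show configuration security zones security-zone trust
show configuration security zones security-zone untrust

## The same as set commands, which is the easiest form to paste into a forum reply
show configuration security zones | display set
show configuration security policies from-zone trust to-zone untrust | display set

## Ask the policy engine which rule a specific flow would hit.
## Constructed flow: trust host 192.168.1.10 sending a DNS query to 8.8.8.8.
## If the result is a deny or no matching policy, name resolution is what is blocking "the internet".
show security match-policies from-zone trust to-zone untrust source-ip 192.168.1.10 destination-ip 8.8.8.8 source-port 40000 destination-port 53 protocol udp

## Repeat for HTTPS to confirm the web applications are actually permitted
show security match-policies from-zone trust to-zone untrust source-ip 192.168.1.10 destination-ip 93.184.216.34 source-port 40001 destination-port 443 protocol tcp

## Live sessions from the host, and per-policy hit counters to see which rule is catching traffic
show security flow session source-prefix 192.168.1.10/32
show security policies hit-count

## If a deny rule logs sessions and security logs go to the local messages file
## (assumption: default event-mode logging with syslog to a local file), blocked flows show up here
show log messages | match RT_FLOW_SESSION_DENY
```

    `show security match-policies` is the quickest way to answer "why does this host have no internet": it reports the policy that would be applied to the given 5-tuple without generating any traffic, so DNS, HTTP and HTTPS can each be checked in turn against the committed policy.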