SRX

Hi all,

I am new to Juniper firewall.

I would like to configure my SRX300 for blocking all ports but allowing to access few specific outgoing ports such as 80, 443, 21 and 22 so on.

Could someone instruct how to set the configuration?

I tried to configure to access outgoing port 80 only but after I configured it, my computer is unable to access internet.

Much appreciative if there is someone who can help.

------------------------------
Tokumasa Sanada
------------------------------

Assuming you have the default internet security policy which is:

set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any

set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any

set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any

set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit

To restrict this you would need to remove the "application any" then add the list of all those you want to permit as such:

delete security policies from-zone trust to-zone untrust policy trust-to-untrust match application any

set security policies from-zone trust to-zone untrust policy trust-to-untrust match application junos-http

set security policies from-zone trust to-zone untrust policy trust-to-untrust match application junos-https

set security policies from-zone trust to-zone untrust policy trust-to-untrust match application junos-ftp

set security policies from-zone trust to-zone untrust policy trust-to-untrust match application junos-ssh

I assume you first pass did not work because most web traffic now is https and not http alone so would be blocked.

Be prepared for some sites to have issues with this restricted list.  I supported these port limited internet connections about 10 years ago and there were a surprisingly large number of protocols added over time as site functions failed and we had to discover what additional protocols were needed for the calls to work.  It was a real pain to maintain.

------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
------------------------------

Original Message:
Sent: 04-12-2024 04:04
From: Tokumasa Sanada
Subject: The configuration for SRX300

Hi all,

I am new to Juniper firewall.

I would like to configure my SRX300 for blocking all ports but allowing to access few specific outgoing ports such as 80, 443, 21 and 22 so on.

Could someone instruct how to set the configuration?

I tried to configure to access outgoing port 80 only but after I configured it, my computer is unable to access internet.

Much appreciative if there is someone who can help.

------------------------------
Tokumasa Sanada
------------------------------

Hi Steve,

Thanks for your reply.

I follow your instruction but my computer is unable to access internet after I committed the below scripts.

set security policies from-zone trust to-zone untrust policy trust-to-untrust match application junos-http

set security policies from-zone trust to-zone untrust policy trust-to-untrust match application junos-https

set security policies from-zone trust to-zone untrust policy trust-to-untrust match application junos-ftp

set security policies from-zone trust to-zone untrust policy trust-to-untrust match application junos-ssh

The screenshot is the rules after the above scripts were committed.

Are there any sections that I configure wrong?

------------------------------
Tokumasa Sanada
------------------------------

Original Message:
Sent: 04-12-2024 20:26
From: spuluka
Subject: The configuration for SRX300

Assuming you have the default internet security policy which is:

set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any

set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any

set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any

set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit

To restrict this you would need to remove the "application any" then add the list of all those you want to permit as such:

delete security policies from-zone trust to-zone untrust policy trust-to-untrust match application any

set security policies from-zone trust to-zone untrust policy trust-to-untrust match application junos-http

set security policies from-zone trust to-zone untrust policy trust-to-untrust match application junos-https

set security policies from-zone trust to-zone untrust policy trust-to-untrust match application junos-ftp

set security policies from-zone trust to-zone untrust policy trust-to-untrust match application junos-ssh

I assume you first pass did not work because most web traffic now is https and not http alone so would be blocked.

Be prepared for some sites to have issues with this restricted list.  I supported these port limited internet connections about 10 years ago and there were a surprisingly large number of protocols added over time as site functions failed and we had to discover what additional protocols were needed for the calls to work.  It was a real pain to maintain.

------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home

Original Message:
Sent: 04-12-2024 04:04
From: Tokumasa Sanada
Subject: The configuration for SRX300

Hi all,

I am new to Juniper firewall.

I would like to configure my SRX300 for blocking all ports but allowing to access few specific outgoing ports such as 80, 443, 21 and 22 so on.

Could someone instruct how to set the configuration?

I tried to configure to access outgoing port 80 only but after I configured it, my computer is unable to access internet.

Much appreciative if there is someone who can help.

------------------------------
Tokumasa Sanada
------------------------------

Can you show the security -> zones -> trusted configuration?


If it's set for factory defaults, then it's probably wide open - but let's make sure. 

Hi,

Cannot see the path on my SRX300 which you mentions. Could you show me the screenshot or commands which can display trusted configuration?

Thanks.

------------------------------
Tokumasa Sanada
------------------------------

Original Message:
Sent: 04-15-2024 04:58
From: bkamen
Subject: The configuration for SRX300

Can you show the security -> zones -> trusted configuration?


If it's set for factory defaults, then it's probably wide open - but let's make sure.