Assuming you have the default internet security policy which is:
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
To restrict this, you would need to remove "application any" and then add the list of all the applications you want to permit, as such:
delete security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application junos-http
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application junos-https
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application junos-ftp
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application junos-ssh
I assume your first pass did not work because most web traffic now is https and not http alone, so it would be blocked.
Be prepared for some sites to have issues with this restricted list. I supported these port-limited internet connections about 10 years ago, and there was a surprisingly large number of protocols added over time as site functions failed and we had to discover what additional protocols were needed for the calls to work. It was a real pain to maintain.
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
------------------------------
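As an added check, not part of Steve's reply or of any Juniper tooling: a small Python audit that replays set-style lines offline and flags any policy that still permits traffic with "application any". The sample configuration is constructed from the commands in the reply above; the parser only looks at the application and action leaves of a policy.

```python
import re

# Constructed sample: the reply's original policy followed by the delete/set
# commands that narrow it, replayed in order exactly as a commit would.
SAMPLE_CONFIG = """
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
delete security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application junos-http
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application junos-https
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application junos-ftp
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application junos-ssh
"""

# Only the "match application X" and "then <action>" leaves are parsed;
# address leaves and anything else fall through and are ignored.
POLICY_RE = re.compile(
    r"^(set|delete) security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
    r"(?:match application (\S+)|then (permit|deny|reject))$"
)


def apply_set_commands(text):
    """Replay set/delete lines into {"from->to:name": {"applications": set, "action": str}}."""
    policies = {}
    for line in text.strip().splitlines():
        m = POLICY_RE.match(line.strip())
        if not m:
            continue
        verb, from_zone, to_zone, name, app, action = m.groups()
        key = f"{from_zone}->{to_zone}:{name}"
        pol = policies.setdefault(key, {"applications": set(), "action": None})
        if app:
            # "set" adds an application to the match list, "delete" removes it
            if verb == "set":
                pol["applications"].add(app)
            else:
                pol["applications"].discard(app)
        elif action and verb == "set":
            pol["action"] = action
    return policies


def find_open_permits(policies):
    """Return keys of policies that permit with 'application any' (the overly broad case)."""
    return sorted(
        key for key, pol in policies.items()
        if pol["action"] == "permit" and "any" in pol["applications"]
    )
```

Running `find_open_permits(apply_set_commands(SAMPLE_CONFIG))` returns an empty list once the delete line has taken effect; feeding only the first four lines flags trust-to-untrust.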
Original Message:
Sent: 04-12-2024 04:04
From: Tokumasa Sanada
Subject: The configuration for SRX300
Hi all,
I am new to Juniper firewall.
I would like to configure my SRX300 to block all ports but allow access to a few specific outgoing ports such as 80, 443, 21, 22 and so on.
Could someone instruct me on how to set the configuration?
I tried to configure it to allow outgoing port 80 only, but after I configured it, my computer was unable to access the internet.
Much appreciated if there is someone who can help.
------------------------------
Tokumasa Sanada
------------------------------