Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  The configuration for SRX300

    Posted 17 days ago

    Hi all,

    I am new to Juniper firewall.

    I would like to configure my SRX300 to block all ports but allow access to a few specific outgoing ports such as 80, 443, 21, 22 and so on.

    Could someone explain how to set up the configuration?

    I tried configuring it to allow outgoing port 80 only, but after I configured it, my computer was unable to access the internet.

    I would much appreciate it if someone could help.



    ------------------------------
    Tokumasa Sanada
    ------------------------------


  • 2.  RE: The configuration for SRX300

    Posted 17 days ago

    I would start with the factory default configuration.  It will allow the access you are looking to provide.  Then, copy the default configuration to a text editor and review it.  If you need to restrict outbound port access further, you can from here.  It is nice to have the factory configuration to refer back to, especially if you are new to the SRX.



    ------------------------------
    PAUL PETERSON
    ------------------------------



  • 3.  RE: The configuration for SRX300

    Posted 14 days ago

    Hi Paul,

    I want to allow ports 80, 443, 21 and 22 only on the SRX300, but after I saved the policy my computer is unable to access the internet. Are there any sections that I configured wrong?

    from-zone trust to-zone untrust {
        policy trust-to-untrust {
            match {
                source-address any;
                destination-address any;
                application [ junos-http junos-https junos-ftp junos-ssh ];
            }
            then {
                permit;
                log {
                    session-init;
                    session-close;
                }
            }
        }
    }

    The attachment is my configuration. Please kindly help check whether I have configured something wrong.

    Thank you.



    ------------------------------
    Tokumasa Sanada
    ------------------------------

    Attachment: config(3).txt (6 KB)


  • 4.  RE: The configuration for SRX300

    Posted 14 days ago

    Kindly post the entire configuration.  There are more components than just the security zone that could affect outbound access.  I have an SRX 300 in my lab right now so I can reference it if need be.



    ------------------------------
    PAUL PETERSON
    ------------------------------



  • 5.  RE: The configuration for SRX300

    Posted 13 days ago

    Hi Paul,

    The entire configuration is below.

    Thanks.


    # Last changed: 2024-04-15 15:50:20 UTC
    version 20200407.122723_builder.r1099298;
    system {
        host-name 300;
        root-authentication {
            encrypted-password "$6$OZstb35m$oHdSCX01vm2AewKZdd.HpsWP1LEGXbHzTti1ldFkMqGvyVclvwc4FRk7EVsgXPR85tP7lqHdaKLEAzbExWrI40";
        }
        services {
            ssh;
            netconf {
                ssh;
            }
            dhcp-local-server {
                group jdhcp-group {
                    interface irb.0;
                }
            }
            web-management {
                https {
                    system-generated-certificate;
                }
            }
        }
        time-zone UTC;
        name-server {
            8.8.8.8;
            8.8.4.4;
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any notice;
                authorization info;
            }
            file interactive-commands {
                interactive-commands any;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    security {
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone trust;
                    to zone untrust;
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone trust {
                policy trust-to-trust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone untrust {
                policy trust-to-untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application [ junos-http junos-https junos-ftp junos-ssh ];
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                    }
                }
            }
        }
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    irb.0;
                }
            }
            security-zone untrust {
                screen untrust-screen;
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;
                                https;
                            }
                        }
                    }
                    ge-0/0/7.0 {
                        host-inbound-traffic {
                            system-services {
                                dhcp;
                                tftp;
                            }
                        }
                    }
                }
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    dhcp {
                        update-server;
                    }
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/3 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/5 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/6 {
            unit 0 {
                family ethernet-switching {
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/7 {
            unit 0 {
                family inet {
                    dhcp {
                        update-server;
                    }
                }
            }
        }
        irb {
            unit 0 {
                family inet {
                    address 10.10.10.1/24;
                }
            }
        }
    }
    access {
        address-assignment {
            pool junosDHCPPool {
                family inet {
                    network 10.10.10.0/24;
                    range junosDHCPPool_range {
                        low 10.10.10.2;
                        high 10.10.10.254;
                    }
                    dhcp-attributes {
                        router {
                            10.10.10.1;
                        }
                        propagate-settings ge-0/0/0.0;
                    }
                }
            }
        }
    }
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface irb.0;
        }
    }
    protocols {
        l2-learning {
            global-mode switching;
        }
        rstp {
            interface all;
        }
    }



    ------------------------------
    Tokumasa Sanada
    ------------------------------



  • 6.  RE: The configuration for SRX300
    Best Answer

    Posted 13 days ago

    Your configuration looks fine, identical to what I have in my lab.  A couple of things to add:

    The following should set your SRX as the DNS server for your clients:

    set access address-assignment pool junosDHCPpool dhcp-attributes name-server 10.10.10.1

    I also think at a minimum you need to add the following to allow DNS requests outbound:

    set security policies from-zone trust to-zone untrust policy trust-to-untrust match application junos-dns-tcp

    set security policies from-zone trust to-zone untrust policy trust-to-untrust match application junos-dns-udp

    I did some testing in my lab yesterday.  My SRX was on 19.x software.  With the default configuration, it did not pass traffic.  I think it is a DNS issue but I will do more testing today and respond with the results.  Maybe someone else smarter than me will chime in on this.



    ------------------------------
    PAUL PETERSON
    ------------------------------



  • 7.  RE: The configuration for SRX300

    Posted 13 days ago

    Add the following to your config:

    set system services dns forwarders 8.8.8.8
    set system services dns forwarders 8.8.4.4
    set system services dns dns-proxy interface irb.0

    Refer to this for more information:

    https://www.juniper.net/documentation/us/en/software/junos/user-access/topics/concept/dns-proxy-device-configuration-overview.html



    ------------------------------
    PAUL PETERSON
    ------------------------------



  • 8.  RE: The configuration for SRX300

    Posted 12 days ago

    Hi Paul,

    When I added set access address-assignment pool junosDHCPpool dhcp-attributes name-server 10.10.10.1, it showed the below error.

    It seems that I do not have that configuration?



    ------------------------------
    Tokumasa Sanada
    ------------------------------



  • 9.  RE: The configuration for SRX300

    Posted 12 days ago

    Sorry, here is the correct syntax:

    set access address-assignment pool junosDHCPPool family inet dhcp-attributes name-server 10.10.10.1



    ------------------------------
    PAUL PETERSON
    ------------------------------



  • 10.  RE: The configuration for SRX300

    Posted 11 days ago

    Hi Paul,

    I found that even if I do not add set access address-assignment pool junosDHCPPool family inet dhcp-attributes name-server 10.10.10.1, after I added

    set security policies from-zone trust to-zone untrust policy trust-to-untrust match application junos-dns-tcp
    set security policies from-zone trust to-zone untrust policy trust-to-untrust match application junos-dns-udp
    set system services dns forwarders 8.8.8.8
    set system services dns forwarders 8.8.4.4
    set system services dns dns-proxy interface irb.0

    my SRX300 is able to access the internet.

    Thank you for your assistance.



    ------------------------------
    Tokumasa Sanada
    ------------------------------
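
The root cause in this thread, stated once for reference: the posted trust-to-untrust policy permits only junos-http, junos-https, junos-ftp and junos-ssh, and every other outbound flow, including the clients' DNS queries on UDP/53, falls through to the implicit default-deny policy. Names never resolve, so the browser reports "no internet" even though port 80 and 443 are open. The default policy also does not log, which is why the drops were invisible. The block below is an added example written for this page, not configuration from the thread or from Juniper: it reuses the zone, policy, interface and pool names from the posted config, adds DNS to the allowlist, puts an explicit logged deny after the permit rule so future gaps show up in the logs, and ends with the operational checks that confirm which rule a flow hits. The client address 10.10.10.50 and the policy name deny-and-log are assumptions; the syslog file name traffic-log is likewise my choice.

```junos
## Added example, not from the thread. Names from the posted config:
## zones trust/untrust, policy trust-to-untrust, pool junosDHCPPool, irb.0.
## Assumed: client IP 10.10.10.50, policy name deny-and-log, file traffic-log.

## 1. Name resolution. The forwarder/dns-proxy pair is what post 7 gave; the
##    name-server attribute is optional if clients already learn an upstream
##    resolver via propagate-settings ge-0/0/0.0 (they then need rule 2 anyway).
set system services dns forwarders 8.8.8.8
set system services dns forwarders 8.8.4.4
set system services dns dns-proxy interface irb.0
set access address-assignment pool junosDHCPPool family inet dhcp-attributes name-server 10.10.10.1

## 2. Outbound allowlist: the four requested services plus DNS over UDP and TCP.
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application [ junos-http junos-https junos-ftp junos-ssh junos-dns-udp junos-dns-tcp ]
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone trust to-zone untrust policy trust-to-untrust then log session-init
set security policies from-zone trust to-zone untrust policy trust-to-untrust then log session-close

## 3. Explicit deny with logging. The default policy already denies, but
##    silently; a logged deny turns "no internet" into a line that names the
##    port that was missed. Policies are first-match, so it must sit last.
set security policies from-zone trust to-zone untrust policy deny-and-log match source-address any
set security policies from-zone trust to-zone untrust policy deny-and-log match destination-address any
set security policies from-zone trust to-zone untrust policy deny-and-log match application any
set security policies from-zone trust to-zone untrust policy deny-and-log then deny
set security policies from-zone trust to-zone untrust policy deny-and-log then log session-init
insert security policies from-zone trust to-zone untrust policy deny-and-log after policy trust-to-untrust

## 4. Send session logs to their own file so the "any notice" filter on the
##    messages file does not hide them (branch SRX logs sessions via syslog).
set system syslog file traffic-log any any
set system syslog file traffic-log match RT_FLOW_SESSION

## Commit with a rollback timer so a mistake in the allowlist cannot lock
## you out; confirm once outbound access is verified.
commit confirmed 5
commit

## 5. Verify (run-prefixed so the commands work from configuration mode).
## Which policy would a client DNS query to 8.8.8.8 hit?
run show security match-policies from-zone trust to-zone untrust source-ip 10.10.10.50 destination-ip 8.8.8.8 source-port 40000 destination-port 53 protocol udp
## Per-policy counters: a climbing deny-and-log count means the allowlist is
## still missing something (NTP, a mail port, a proxy).
run show security policies hit-count
## Live sessions on port 53 show whether DNS is actually flowing.
run show security flow session destination-port 53
## The logged denies, with source, destination and port, for the next gap.
run show log traffic-log | match RT_FLOW_SESSION_DENY
```

Two caveats on the posted configuration that the thread does not discuss. First, the trust zone allows every host-inbound system service and protocol, which is the factory default and acceptable on a LAN-only zone, but the untrust interface ge-0/0/0.0 also permits https inbound, i.e. J-Web with a system-generated certificate reachable from the ISP side; if that is not deliberate, delete https from that interface's host-inbound-traffic list. Second, junos-ftp relies on the FTP ALG to open the data channel; if active-mode FTP fails once the allowlist is in place, check `show security alg status` before widening the policy.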