Screen OS

 View Only
last person joined: 6 months ago 

This is a legacy community with limited Juniper monitoring.
  • 1.  Unexpected traffic getting through SSG-350M to DMZ

    Posted 12-21-2018 07:00

    I have had very little experience with Junipers and inherited my firewall from my predecessor.  I have a server in my DMZ that has been responding to port requests to 445, when I expected it to be blocking that traffic. 

     My concern is that I am making some false assumptions and am allowing traffic through that I am not aware of and am looking for some guidance on whether that concern is valid as well as the reason the traffic was going through. 

     

     My guess is that this should be done with a VIP instead of MIP.

     

    MIP interface:

    set interface "loopback.1" mip 100.101.102.103 host 10.9.8.7 netmask 255.255.255.255 vr "trust-vr"

     

    Service setup:

    set service "microsoft-ds" protocol tcp src-port 0-65535 dst-port 445-445

     

    Policy (that was allowing TCP/445):

    set policy id 362 name "UBNT" from "Untrust" to "DMZ"  "Any" "MIP(100.101.102.103)" "ICMP-ANY" permit log

    set policy id 362

    set service "TCP/5067"

    set service "TCP/8267"

    exit

     

    Policy that blocked 445 (above previous policy):

    set policy id 370 name "UBNT" from "Untrust" to "DMZ"  "Any" "MIP(100.101.102.103)" "microsoft-ds" deny log

    set policy id 370

    exit

     

    My assumption was, before this hole was found, only those ports that were named in policy 362 would be allowed (false assumptoin).   I have a good number of other MIPs setup and want to make sure that the system secure.

     

    Any suggestions and/or thoughts are apreciated.

     


    #DMZ
    #vip
    #MIP
    #SSG-320M


  • 2.  RE: Unexpected traffic getting through SSG-350M to DMZ

    Posted 12-21-2018 09:45

    It is possible that the traffic is hitting a different policy.  Can you provide the output of "debug flow basic"?

     

    set ff dst-ip 10.9.8.7 dst-port 445

    set ff dst-ip 100.101.102.103 dst-port 445

    set ff src-ip 10.9.8.7 src-port 445

    set ff src-ip 100.101.102.103 dst-port 445

    debug flow basic

     

    Wait for traffic...

     

    undebug all

    get db str



  • 3.  RE: Unexpected traffic getting through SSG-350M to DMZ

    Posted 12-21-2018 11:44
      |   view attached

    Hoping this gives the answer.

     

     

    Attachment(s)

    txt
    port445test.txt   9 KB 1 version


  • 4.  RE: Unexpected traffic getting through SSG-350M to DMZ
    Best Answer

    Posted 12-21-2018 13:47

    It shows that the traffic is being permitted by policy 362.  Can you provide the output of

     

    get config | inc "TCP/5067"

    get config | inc "TCP/8267"

    get config | inc "microsoft-ds"

     



  • 5.  RE: Unexpected traffic getting through SSG-350M to DMZ

    Posted 12-22-2018 07:27

    That looks like the answer.  Whoever created the rule apparently got it "a bit" wrong for TCP/5067.  Already tested and it works as it should.  THANKS!



    Here is the output you asked for:

     

    Remote Management Console
    COFW1-> get config | inc "TCP/5067"
    set service "TCP/5067" protocol tcp src-port 0-65535 dst-port 0-5067
    set service "TCP/5067"
    COFW1-> get config | inc "TCP/8267"
    set service "TCP/8267" protocol tcp src-port 0-65535 dst-port 8267-8267
    set service "TCP/8267"
    COFW1-> get config | inc "microsoft-ds"
    set service "microsoft-ds" protocol tcp src-port 0-65535 dst-port 445-445
    set policy id 370 name "UBNT" from "Untrust" to "DMZ" "Any" "MIP(205.219.98.89)" "microsoft-ds" deny log
    COFW1->



  • 6.  RE: Unexpected traffic getting through SSG-350M to DMZ

    Posted 12-21-2018 16:59

    The difference between VIP and MIP:

     

    VIP is flexible port forwarding only sending the specified ports in the configuration and only in the direction configured.

     

    MIP is for Mapped IP meaning a one-to-one bidirectional mapping of the outside ip address.   These simplify configurations because you don't need to create both an inbound policy plus and outbound source nat policy.

     

    What traffic is permitted is further controlled by the security policy on top of these nat objects.