I have had very little experience with Junipers and inherited my firewall from my predecessor. I have a server in my DMZ that has been responding to port requests to 445, when I expected it to be blocking that traffic.
My concern is that I am making some false assumptions and am allowing traffic through that I am not aware of and am looking for some guidance on whether that concern is valid as well as the reason the traffic was going through.
My guess is that this should be done with a VIP instead of MIP.
MIP interface:
set interface "loopback.1" mip 100.101.102.103 host 10.9.8.7 netmask 255.255.255.255 vr "trust-vr"
Service setup:
set service "microsoft-ds" protocol tcp src-port 0-65535 dst-port 445-445
Policy (that was allowing TCP/445):
set policy id 362 name "UBNT" from "Untrust" to "DMZ" "Any" "MIP(100.101.102.103)" "ICMP-ANY" permit log
set policy id 362
set service "TCP/5067"
set service "TCP/8267"
exit
Policy that blocked 445 (above previous policy):
set policy id 370 name "UBNT" from "Untrust" to "DMZ" "Any" "MIP(100.101.102.103)" "microsoft-ds" deny log
set policy id 370
exit
My assumption was, before this hole was found, that only those ports named in policy 362 would be allowed (a false assumption). I have a good number of other MIPs set up and want to make sure that the system is secure.
Any suggestions and/or thoughts are appreciated.
#DMZ #vip #MIP #SSG-320M
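As an added audit example (not code from the original post), a small Python model of ScreenOS top-down, first-match policy evaluation over the posted `set` lines: it parses the custom service object and the two policies and reports which policy a given flow to the MIP would hit. Assumptions: policies are evaluated in the order listed, unmatched traffic falls to the default deny, and the sample config is constructed from the post; it models only these lines, so it cannot account for traffic permitted by policies not shown here.

```python
import re
# Constructed sample: the two policies from the post, deny policy 370 listed first
# because the post says it sits above policy 362. The live device may hold more.
SAMPLE_CONFIG = """
set service "microsoft-ds" protocol tcp src-port 0-65535 dst-port 445-445
set policy id 370 name "UBNT" from "Untrust" to "DMZ" "Any" "MIP(100.101.102.103)" "microsoft-ds" deny log
set policy id 370
exit
set policy id 362 name "UBNT" from "Untrust" to "DMZ" "Any" "MIP(100.101.102.103)" "ICMP-ANY" permit log
set policy id 362
set service "TCP/5067"
set service "TCP/8267"
exit
"""
SERVICE_RE = re.compile(r'set service "([^"]+)" protocol (tcp|udp) src-port \S+ dst-port (\d+)-(\d+)')
POLICY_RE = re.compile(r'set policy id (\d+) name "[^"]*" from "([^"]+)" to "([^"]+)" '
                       r'"([^"]+)" "([^"]+)" "([^"]+)" (permit|deny)')

def parse(config):  # -> (custom service objects, policies in the order listed)
    services, policies, current = {}, [], None
    for line in config.strip().splitlines():
        if m := SERVICE_RE.match(line):                   # custom service object
            services[m[1]] = (m[2], int(m[3]), int(m[4]))
        elif m := POLICY_RE.match(line):                  # policy header line
            policies.append({"id": int(m[1]), "from": m[2], "to": m[3],
                             "dst": m[5], "services": [m[6]], "action": m[7]})
        elif m := re.fullmatch(r'set policy id (\d+)', line):   # enter policy context
            current = next(p for p in policies if p["id"] == int(m[1]))
        elif (m := re.fullmatch(r'set service "([^"]+)"', line)) and current:
            current["services"].append(m[1])              # extra service on that policy
        elif line == "exit":
            current = None
    return services, policies

def service_matches(name, services, proto, port):
    if name == "ANY" or (name == "ICMP-ANY" and proto == "icmp"):
        return True
    if m := re.fullmatch(r'(TCP|UDP)/(\d+)', name):       # predefined-style port names
        return proto == m[1].lower() and port == int(m[2])
    if name in services:                                  # custom 'set service' object
        p, lo, hi = services[name]
        return proto == p and lo <= port <= hi
    return False   # unknown service object: treat as no match and review it by hand

def first_match(policies, services, src_zone, dst_zone, dst, proto, port):  # None = default deny
    for pol in policies:                                  # top-down, first match wins
        if ((pol["from"], pol["to"]) == (src_zone, dst_zone) and pol["dst"] in (dst, "Any")
                and any(service_matches(s, services, proto, port) for s in pol["services"])):
            return pol["id"], pol["action"]
    return None, "deny"
```

Run it against a full `get config` export from the firewall to list, per MIP, which policy answers for TCP/445 and any other port you care about; a result of `(None, 'deny')` for a port the server still answers on means the permitting policy is not among the lines you fed in.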