Ask the Expert

  • 1.  SRX320 can't ping DMZ zone

    Posted 02-26-2021 07:09
    Hello everybody,

    I'm pretty new to Juniper and having trouble with SRX320 firewall routing.
    I am migrating from SSG5 to SRX320 in our network and can't get pings between the zones. I have simulated our production network in a test environment.
    I now have 3 different zones (untrust-zone bound to ge-0/0/0 with IP 192.168.8.189 (connects to another SRX320 (.8.190) by network 192.168.8.0/24 with host 192.168.8.187 behind it), trust-zone bound to irb.0 with IP 192.168.20.1 (host connected via ge-0/0/4 with IP 192.168.20.2) and DMZ bound to ge-0/0/1 with IP 10.0.0.1 and a host with IP 10.0.0.3 as well).
    So now I can ping from the DMZ zone to all IPs in this environment. However, I can't ping the DMZ host or interface from anywhere, and can't ping the trust zone from the untrust zone. Policies must be okay, but I'm not sure about routing-options.
    Here are some entries from the config (deleted unused entries):
    version 15.1X49-D170.4;
    system {
        root-authentication {
            encrypted-password "$5$vfvJZ1R9$ZTaCeMwIl1U7pkwI22msSLKNu7Ns2V5ALPOkuj4u/89"; ## SECRET-DATA
        }
        name-server {
            8.8.8.8;
            8.8.4.4;
        }
        services {
            ssh;
            netconf {
                ssh;
            }
            dns {
                dns-proxy {
                    cache {
                        FWB-SRX inet 192.168.8.189;
                    }
                }
            }
            web-management {
                http;
                https {
                    system-generated-certificate;
                }
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any notice;
                authorization info;
            }
            file interactive-commands {
                interactive-commands any;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 15;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    security {
        log {
            mode stream;
            report;
        }
        screen {
            ids-option DMZ-screen {
                tcp {
                    syn-flood {
                        alarm-threshold 512;
                        attack-threshold 200;
                        source-threshold 512;
                        destination-threshold 512;
                        timeout 20;
                    }
                    land;
                }
            }
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        timeout 20;
                    }
                    land;
                }
            }
        }
        nat {
            source {
                rule-set trust-to-untrust {
                    from zone [ DMZ trust untrust ];
                    to zone [ DMZ trust untrust ];
                    rule source-nat-rule {
                        match {
                            source-address 0.0.0.0/0;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                    rule DMZNAT {
                        match {
                            source-address 10.0.0.0/24;
                            destination-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy dbs-to-upd {
                    match {
                        source-address DBGroup;
                        destination-address UdpSRV;
                        application [ ESET junos-smtp WSUS junos-http junos-https ];
                    }
                    then {
                        permit;
                        log {
                            session-init;
                        }
                    }
                }
                policy dbs-to-pci_ext {
                    match {
                        source-address DBGroup;
                        destination-address PCI-Ext-NET;
                        application junos-ping;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                        }
                    }
                }
            }
            from-zone DMZ to-zone trust {
                policy LEM-to-pci_int {
                    match {
                        source-address LOGLEM;
                        destination-address DB-Servers;
                        application [ Traffic_to_LEM junos-ping ];
                    }
                    then {
                        permit;
                        log {
                            session-init;
                        }
                    }
                }
            }
            from-zone DMZ to-zone untrust {
                policy LEM-to-pci_ext {
                    match {
                        source-address LOGLEM;
                        destination-address PCI-Ext-NET;
                        application [ Traffic_to_LEM junos-ping ];
                    }
                    then {
                        permit;
                        log {
                            session-init;
                        }
                    }
                }
                policy LEM-to-Upd {
                    match {
                        source-address LOGLEM;
                        destination-address UdpSRV;
                        application [ junos-ping junos-smb junos-smtp ];
                    }
                    then {
                        permit;
                        log {
                            session-init;
                        }
                    }
                }
            }
            from-zone untrust to-zone DMZ {
                policy FWA-to-LEM {
                    match {
                        source-address FWA;
                        destination-address LOGLEM;
                        application [ junos-rsh junos-syslog ];
                    }
                    then {
                        permit;
                        log {
                            session-init;
                        }
                    }
                }
                policy Access-to-LEM {
                    match {
                        source-address AccessSRV;
                        destination-address LOGLEM;
                        application [ LEM_Console LEM_Reports ];
                    }
                    then {
                        permit;
                        log {
                            session-init;
                        }
                    }
                }
                policy Ext_SRVs-to-LEM {
                    match {
                        source-address Ext_SRVs;
                        destination-address LOGLEM;
                        application Traffic_from_LEM;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                        }
                    }
                }
                policy Upd-to-LEM {
                    match {
                        source-address UdpSRV;
                        destination-address LOGLEM;
                        application [ LEM_Console LEM_Reports junos-echo LEM_SSH junos-ping ];
                    }
                    then {
                        permit;
                        log {
                            session-init;
                        }
                    }
                }
                policy Upd-to-LOGSRV {
                    match {
                        source-address UdpSRV;
                        destination-address LOGSRV;
                        application any;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                        }
                    }
                }
            }
            from-zone trust to-zone DMZ {
                policy DBs-to-LEM {
                    match {
                        source-address DBGroup;
                        destination-address LOGLEM;
                        application Traffic_from_LEM;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                        }
                    }
                }
                policy FWB-to-LEM {
                    match {
                        source-address FWB_private;
                        destination-address LOGLEM;
                        application [ junos-rsh junos-syslog ];
                    }
                    then {
                        permit;
                        log {
                            session-init;
                        }
                    }
                }
            }
            from-zone untrust to-zone trust {
                policy Upd-to-DBs {
                    match {
                        source-address UdpSRV;
                        destination-address DBGroup;
                        application [ junos-ms-sql junos-ping junos-vnc ];
                    }
                    then {
                        permit;
                        log {
                            session-init;
                        }
                    }
                }
                policy Access-to-DBs {
                    match {
                        source-address UdpSRV;
                        destination-address DBGroup;
                        application junos-vnc;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                        }
                    }
                }
                policy PCI_ext-to-PCI_int {
                    match {
                        source-address PCI-Ext-NET;
                        destination-address DB-Servers;
                        application junos-ping;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                        }
                    }
                }
                policy AppSRVs-to-DBSRVs {
                    match {
                        source-address [ APPSRV APPSRVRES ];
                        destination-address DBGroup;
                        application junos-ms-sql;
                    }
                    then {
                        permit;
                        log {
                            session-init;
                        }
                    }
                }
            }
        }
        zones {
            security-zone trust {
                address-book {
                    address DB-Servers 192.168.20.0/24;
                    address DBSRV 192.168.20.2/32;
                    address DBSRVRES 192.168.20.3/32;
                    address FWB_private 192.168.20.1/32;
                    address-set DBGroup {
                        address DBSRV;
                        address DBSRVRES;
                    }
                }
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    irb.0;
                }
            }
            security-zone untrust {
                address-book {
                    address AccessSRV 192.168.8.186/32;
                    address APPSRV 192.168.8.188/32;
                    address APPSRVRES 192.168.8.185/32;
                    address FWA 192.168.8.190/32;
                    address FWB-EXT 192.168.8.189/32;
                    address PCI-Ext-NET 192.168.8.0/24;
                    address UdpSRV 192.168.8.187/32;
                    address-set Ext_SRVs {
                        address AccessSRV;
                        address APPSRV;
                        address APPSRVRES;
                        address UdpSRV;
                    }
                }
                screen untrust-screen;
                host-inbound-traffic {
                    system-services {
                        http;
                        https;
                        ping;
                    }
                }
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                tftp;
                                https;
                                http;
                                ping;
                            }
                        }
                    }
                    ge-0/0/7.0 {
                        host-inbound-traffic {
                            system-services {
                                tftp;
                            }
                        }
                    }
                }
            }
            security-zone DMZ {
                address-book {
                    address LOGNET 10.0.0.0/24;
                    address LOGSRV 10.0.0.2/32;
                    address LOGLEM 10.0.0.3/32;
                    address LOGGW 10.0.0.1/32;
                    address-set LOG {
                        address LOGNET;
                        address LOGSRV;
                        address LOGLEM;
                        address LOGGW;
                    }
                }
                screen DMZ-screen;
                host-inbound-traffic {
                    system-services {
                        dns;
                        ntp;
                        ping;
                    }
                }
                interfaces {
                    ge-0/0/1.0;
                }
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 192.168.8.189/24;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family inet {
                    address 10.0.0.1/24;
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family ethernet-switching {
                    interface-mode access;
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        ge-0/0/4 {
            unit 0 {
                family ethernet-switching {
                    interface-mode access;
                    vlan {
                        members vlan-trust;
                    }
                }
            }
        }
        irb {
            unit 0 {
                family inet {
                    address 192.168.20.1/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 192.168.8.189;
        }
    }
    protocols {
        l2-learning {
            global-mode switching;
        }
        rstp {
            interface all;
        }
    }
    firewall {
        filter strict-ssh {
            term 1 {
                from {
                    source-address {
                        0.0.0.0/0;
                        192.168.8.186/32 except;
                        192.168.8.187/32 except;
                    }
                    destination-port ssh;
                }
                then {
                    log;
                    discard;
                }
            }
            term 2 {
                then accept;
            }
        }
    }
    vlans {
        vlan-trust {
            vlan-id 3;
            l3-interface irb.0;
        }
        vlan-untrust {
            vlan-id 33;
            l3-interface irb.1;
        }
    }
    Any help will be highly appreciated!
    P.S. sorry if in the wrong thread :)

    ------------------------------
    Ivan Roots
    ------------------------------


  • 2.  RE: SRX320 can't ping DMZ zone

    Posted 02-28-2021 12:34
    First make sure the DMZ server itself has the host firewall set to allow ICMP from the outside, or turned off.

    Another note is that policy statements from zone to zone are for transit traffic only.
    Self traffic (traffic that stops at or initiates from the SRX itself, like interface gateway IP addresses) is controlled by the security zone settings on what protocols are permitted as a whole.  More specific policies are optional and can be created using a from or to zone of junos-host.

    So looking at your config the gateway addresses all seem to have icmp permitted by security zone settings.

    Your to-zone DMZ policies appear to be in place from both untrust and trust assuming you are sourcing the ping from the server called out in the policy.
    Since this is not working (assuming host firewall is off) you can confirm that the SRX is correctly classifying the traffic by initiating the ping and looking at the resulting session table.
    show security flow session source-prefix x.x.x.x/32 destination-prefix y.y.y.y/32

    This will display the sessions and byte counts between those two devices so you can confirm which policy is being used.  Policy order is the same as in ScreenOS, first match and out.



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------
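Steve's distinction between transit traffic (zone-pair policy, first match wins) and self traffic (zone host-inbound-traffic), as an added Python model that is not code from the thread or from Junos. It is built from the address books and the untrust-to-DMZ / untrust-to-trust policies Ivan posted; the zone of a host is assumed from the posted connected networks, and the ingress-zone rule for host-inbound-traffic and the default deny are standard SRX behaviour.

```python
# Added example, not from the thread: a first-match model of SRX policy lookup
# using the address books and policies posted above. Transit traffic is matched
# against the from-zone/to-zone policy list in configured order; traffic whose
# destination is one of the SRX's own interface addresses ("self" traffic) is
# instead checked against host-inbound-traffic of the zone it arrives in.
import ipaddress

# SRX interface addresses from the posted config (self-traffic destinations)
INTERFACE_IPS = {"192.168.8.189", "192.168.20.1", "10.0.0.1"}
# Assumed zone of a host, derived from the posted connected networks
ZONE_NETS = {"untrust": "192.168.8.0/24", "trust": "192.168.20.0/24", "DMZ": "10.0.0.0/24"}
# Zone-level host-inbound-traffic system-services from the posted config
HOST_INBOUND = {"untrust": {"http", "https", "ping"}, "trust": {"all"},
                "DMZ": {"dns", "ntp", "ping"}}
SERVICE_OF_APP = {"junos-ping": "ping", "junos-ssh": "ssh", "junos-http": "http"}
ADDRESS_BOOK = {  # flattened view of the per-zone address books posted above
    "LOGLEM": ["10.0.0.3/32"], "LOGSRV": ["10.0.0.2/32"], "UdpSRV": ["192.168.8.187/32"],
    "FWA": ["192.168.8.190/32"], "PCI-Ext-NET": ["192.168.8.0/24"],
    "DBGroup": ["192.168.20.2/32", "192.168.20.3/32"], "DB-Servers": ["192.168.20.0/24"],
}
# (policy name, source, destination, applications) in the posted order
POLICIES = {
    ("untrust", "DMZ"): [
        ("FWA-to-LEM", "FWA", "LOGLEM", {"junos-rsh", "junos-syslog"}),
        ("Upd-to-LEM", "UdpSRV", "LOGLEM",
         {"LEM_Console", "LEM_Reports", "junos-echo", "LEM_SSH", "junos-ping"}),
        ("Upd-to-LOGSRV", "UdpSRV", "LOGSRV", {"any"}),
    ],
    ("untrust", "trust"): [
        ("Upd-to-DBs", "UdpSRV", "DBGroup", {"junos-ms-sql", "junos-ping", "junos-vnc"}),
        ("PCI_ext-to-PCI_int", "PCI-Ext-NET", "DB-Servers", {"junos-ping"}),
    ],
}


def zone_of(ip):
    """Zone a host belongs to, by the connected network it sits in."""
    addr = ipaddress.ip_address(ip)
    return next((z for z, n in ZONE_NETS.items() if addr in ipaddress.ip_network(n)), None)


def in_book(ip, name):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in ADDRESS_BOOK[name])


def classify(src, dst, app):
    """Return ("self", ingress zone, allowed) or ("transit", zone pair, policy or None)."""
    ingress = zone_of(src)
    if dst in INTERFACE_IPS:  # self traffic: host-inbound-traffic of the ingress zone
        services = HOST_INBOUND.get(ingress, set())
        allowed = "all" in services or SERVICE_OF_APP.get(app, app) in services
        return ("self", ingress, allowed)
    pair = (ingress, zone_of(dst))
    for name, s, d, apps in POLICIES.get(pair, []):  # first match wins
        if in_book(src, s) and in_book(dst, d) and ("any" in apps or app in apps):
            return ("transit", pair, name)
    return ("transit", pair, None)  # no policy matched: SRX default deny


if __name__ == "__main__":
    for src, dst in [("192.168.8.187", "10.0.0.3"), ("192.168.8.188", "192.168.20.2"),
                     ("192.168.8.190", "10.0.0.3"), ("192.168.8.187", "10.0.0.1")]:
        print(src, "->", dst, classify(src, dst, "junos-ping"))
```

The interface-level host-inbound-traffic override on ge-0/0/0.0 and the source NAT rules are not modelled; the block covers only the policy and zone decision described above.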



  • 3.  RE: SRX320 can't ping DMZ zone

    Posted 03-01-2021 10:54
    Edited by Ivan Roots 03-01-2021 10:57
    Hi spuluka, thanks for your reply!

    So I tried different ways and now I can ping any other host in the network from the DMZ host, and also other hosts from the trust zone (hosts are all Windows machines with the firewall off, just for tests). Not really sure what fixed the connectivity, because I didn't change the config much, just deleted some unused entries; maybe rebooting the SRX helped.. :D
    Anyway, now I am at the point where I can ping almost all the hosts, but still can't ping from the untrusted host to the trusted or DMZ hosts.. If I launch ping 10.0.0.3 -t from the untrusted host (192.168.8.187) and issue a show security flow session command on the SRX there are no sessions (Total sessions: 0); same with pinging 192.168.20.2 (request timed out on the host machine and no sessions on the SRX320).  The show arp command shows all connected hosts and the other FW correctly..
    Here is the topology of the situation now, if it helps with the investigation. Also config.txt is attached.
    I'll update the SRX firmware tonight if this helps, but you will make me very happy if you can take a look and give comments on my config
    BR


    ------------------------------
    Ivan Roots
    ------------------------------



  • 4.  RE: SRX320 can't ping DMZ zone

    Posted 03-01-2021 17:26
    The security policies look correct.

    Is the default gateway on the untrust device set to the SRX interface 192.168.8.189?

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 5.  RE: SRX320 can't ping DMZ zone

    Posted 03-02-2021 03:48
    There is another router between the untrusted host and the SRX; we have 2 firewalls in front of the trusted and DMZ zones in the production environment and I was trying to simulate this in tests. So the host's default gateway is set to this router (Teltonika RUT240, 192.168.8.190). But I got your point and connected the untrusted host straight to the SRX with default gateway 192.168.8.189. Still no ping. And then I noticed that the host connects to the wifi network automatically, so I turned the wifi adapter off and this works! I imagine that Windows can't work out which network adapter the packet must be sent through without a priority/route for it and uses the wifi adapter, as there is an internet connection there...
    After that I connected the host through the Teltonika again and ping says destination net unreachable, but I believe it is because of the Teltonika's routing and it is not necessary to fix now. The main thing is that I now have connectivity between zones and just need to change IPs to meet production requirements and test it in the real environment.
    As I mentioned above, you made me very happy, thank you a lot! I will be back if there are problems in the production network :)

    ------------------------------
    Ivan Roots
    ------------------------------



  • 6.  RE: SRX320 can't ping DMZ zone

    Posted 03-02-2021 05:59
    Glad you are ready for the next steps.  Hope all goes well.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------