SRX

 View Only
last person joined: yesterday 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
Expand all | Collapse all

Can you disable/remove the default DynamicVPN Web page since PulseSecure can't be directly downloaded?

  • 1.  Can you disable/remove the default DynamicVPN Web page since PulseSecure can't be directly downloaded?

    Posted 11-27-2022 19:50
    Since PulseSecure is no longer distributed from SRX platforms in newer firmware versions, is there a way to disable to webpage that comes up when the public IP/URL is typed in for the public/untrust facing interface.  Note, Dynamic IPSec VPN is being used on the box, and the JWeb interface has been put on a custom URL location. Instead of the webage that comes up for dynamic-vpn, I want to disable that webpage so nothing is served up when the public IP/URL is used.  I am trying to reduce the visible surface areas available to attack and don't like that this page tells someone that the FW is a Juniper Junos box.  Thanks I just want the default webpage that comes up to not respond/return nothing:

        https://PublicIP returns: https://X.X.X.X/dynamic-vpn/index.php


    ------------------------------
    JEFF KANE
    ------------------------------


  • 2.  RE: Can you disable/remove the default DynamicVPN Web page since PulseSecure can't be directly downloaded?

     
    Posted 12-01-2022 04:13
    turn off http/https on the security zones. If you aren't managing the device with web, or using the client VPN functionality then http/https is not needed on the security zone. This will cause the SRX to reject http/https traffic destined to itself. You could even go a step further and create a firewall filter for 80 & 443 on input lo0 for the devices control plane which would also solve your issue. The second step is obviously more difficult.

    Dynamic VPN is part of the web management system that is configured under system services web-management (https). If you delete this configuration block, all SSL-based services (at least that I can think of) should be disabled.

    Juniper configs are entirely explicit. You should be able to look through the configuration and see anything related to https/ssl and just delete those blocks and it will go away. There is definitely nothing SSL-related enabled by default on these boxes.

    If all else fails, you can always address this with a to-zone "junos-host" security policy, host-inbound-traffic or firewall filter on the lo0 interface to filter the traffic before it gets to the RE.

    Dynamic VPN itself is pure IKE/IPsec, the web portal just gives you a place to download the client.



    ------------------------------
    Marcel ten Berg
    ------------------------------