SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  REST api on SRX 300 does not work

    Posted 12-28-2022 09:17
    Hello, I'm trying to use the REST API on a SRX 300.

    I followed the official documentation and also this simple howto Working with REST API on Junos OS

    The source IP from which I try to connect is in a security zone with host-inbound-traffic system-services all enabled.
    I tried to telnet from the SRX itself and the port is open.
    From outside (from my LAN), the port is closed.

    I also found this PR, but it seems to be already fixed in the release I'm using (JUNOS 21.2R3):
    https://prsearch.juniper.net/problemreport/PR1590810

    What do you suggest I check? Thanks!




    ------------------------------
    MATTEO SGALABERNI
    ------------------------------


  • 2.  RE: REST api on SRX 300 does not work

    Posted 12-31-2022 09:20

    Hello,

    Looking through the article that you provided, it does not mention the use of the 'address' stanza for the REST API configuration.

    set system services rest http addresses [203.0.113.0 203.0.113.1]


    This command instructs the device to enable listening on the specified IPs.

    Also, if you are looking to use this for experimenting I highly recommend enabling the API Explorer...

    set system services rest enable-explorer
    


    Kind Regards,
    Gavin White



    ------------------------------
    GAVIN WHITE
    ------------------------------



  • 3.  RE: REST api on SRX 300 does not work

    Posted 01-02-2023 04:46
    Hi! Thanks for your reply! Here is my conf:

    sgala@# show system services rest
    http {
        port 3001;
        addresses 172.16.60.1;
    }
    enable-explorer;

    I did further tests... it seems to be an issue with the security policy:

    host-inbound-traffic system-services all is not sufficient.

    With host-inbound-traffic system-services any-service, port 3001 is reachable!!

    But I don't want to open all ports... probably the REST service is not fired by any default system-services! I can't find any info about it...

    Do you have an idea how to open that service correctly without opening all ports?

    thanks

    Matteo

    ------------------------------
    Matteo Sgalaberni
    ------------------------------



  • 4.  RE: REST api on SRX 300 does not work

    Posted 01-03-2023 09:59

    Hi Matteo,

    My understanding is that the REST config stanza should open the required ports on the listening IP. 

    I will have to do some tests to verify this in the lab once I'm back next week. In a working environment [20.2R3], I have the following Zone configuration...

            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
            }


    Some things to check in your configuration that could still block access would be...
     1. Any Firewall Filters configured on the Loopback, limiting RE traffic.
     2. Any Security policy configured to the Junos-Host Zone. By default (not configured), this will allow all and only host-inbound-traffic is checked. 

    Regards,



    ------------------------------
    GAVIN WHITE
    ------------------------------



  • 5.  RE: REST api on SRX 300 does not work

    Posted 01-13-2023 21:08

    Hi Matteo,

    I hope you are doing well?

    I have been able to perform some testing in my lab and came to the following conclusions...
    Configuring a custom port on any SRX and EX Series device for the REST API sets the listening port for the lighttpd service to the specified port.
    EX switches do not have these zone/interface filters and the REST API works as expected. SRX devices filter zone traffic through the host-inbound-traffic configuration, and there is limited flexibility as to which protocols and system services (ports) can be opened.

    TCP Port 3000 is not available as one of the system service ports, so I would recommend using a port for the REST API that is listed under the host-inbound-traffic system-services configuration branch. For example, 'webapi-clear-text' (TCP 8080) and 'webapi-ssl' (TCP 8443) can be used for this scenario. See the config example below...

    system {
        services {
            rest {
                http {
                    port 8080;
                    addresses 10.1.7.254;
                }
                control {
                    allowed-sources [ 10.1.7.8 10.1.7.31 ];
                }
                enable-explorer;
            }
        }
    }
    security {
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        ssh;
                        webapi-clear-text;
                        ...
                    }
                    protocols {
                        ospf;
                        ...
                    }
                }
            }
        }
    }
    


    Understandably, 8080 is a common port, so make sure to lock it down as specifically as possible, allowing it only in the zones required and using the `allowed-sources` config option for the REST API, etc.

    Kind regards,
    Gavin White



    ------------------------------
    GAVIN WHITE
    ------------------------------
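
Added example (not part of the original thread and not Juniper code): a small Python audit of a configuration in `display set` form, checking the two points made in posts 3 and 5, namely that the REST port should match a named host-inbound system service rather than rely on `any-service`, and that `allowed-sources` should be set. The port map contains only the two services named in the thread, the zone name `lan` is made up, and only zone-level host-inbound-traffic is considered.

```python
import re

# Port/service pairs named in the thread; anything else is deliberately not guessed.
SERVICE_PORTS = {"webapi-clear-text": 8080, "webapi-ssl": 8443}
REST_PORT = re.compile(r"set system services rest https? port (\d+)$")
REST_SRC = re.compile(r"set system services rest control allowed-sources (.+)$")
ZONE_SVC = re.compile(r"set security zones security-zone (\S+) "
                      r"host-inbound-traffic system-services (\S+)$")

def audit_rest_exposure(set_lines):
    """Return a list of findings for a config given as `display set` lines."""
    port, sources, zones = None, [], {}
    for line in map(str.strip, set_lines):
        if m := REST_PORT.match(line):
            port = int(m.group(1))
        elif m := REST_SRC.match(line):
            sources += m.group(1).strip("[] ").split()
        elif m := ZONE_SVC.match(line):
            zones.setdefault(m.group(1), set()).add(m.group(2))
    if port is None:
        return ["no REST port configured"]
    matching = {s for s, p in SERVICE_PORTS.items() if p == port}
    findings, reachable = [], []
    if not matching:
        findings.append(f"port {port} matches no known system-service")
    for zone, svcs in sorted(zones.items()):
        if "any-service" in svcs:
            findings.append(f"zone {zone}: any-service opens every port to the device")
            reachable.append(zone)
        elif svcs & matching:
            reachable.append(zone)
    if reachable and not sources:
        findings.append(f"REST reachable from {reachable} with no allowed-sources")
    return findings

# Constructed set-form versions of the thread's two configs (zone "lan" is made up).
OPEN_CONFIG = """
set system services rest http port 3001
set security zones security-zone lan host-inbound-traffic system-services any-service
""".splitlines()
TIGHT_CONFIG = """
set system services rest http port 8080
set system services rest control allowed-sources [ 10.1.7.8 10.1.7.31 ]
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services webapi-clear-text
""".splitlines()

if __name__ == "__main__":
    print(audit_rest_exposure(OPEN_CONFIG), audit_rest_exposure(TIGHT_CONFIG))
```
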



  • 6.  RE: REST api on SRX 300 does not work

    Posted 01-14-2023 06:39
    Hi Gavin! thanks! The trick works well!! ;)

    Thanks!

    Matteo

    ------------------------------
    Matteo Sgalaberni
    ------------------------------



  • 7.  RE: REST api on SRX 300 does not work

    Posted 01-31-2023 04:33
    Edited by sgala 01-31-2023 04:33
    I did some tests today, and for each request I execute the REST API responds with a 500 internal server error... ;(

    I tried to enable traceoptions all on the rest service, but after enabling it port 8080 is closed with connection refused...

    I think that the universe does not want me to use the REST API ;(

    Am I the only one with that issue? Probably it is 21.2R3-S2.9 with some bugs, but on PR there are no known open bugs... ;(

    M

    ------------------------------
    Matteo Sgalaberni
    ------------------------------



  • 8.  RE: REST api on SRX 300 does not work

    Posted 02-01-2023 00:12

    Hi Matteo,

    There used to be a bug producing the same results, but I believe it was related to vSRX v2.0 devices.

    Have you tried restarting the web-management process?

    Have a look through the httpd log file for any suggestions on the cause of the issue.

    Also, try performing the same API call via the NETCONF XML interface and see if the call is processed. This will help isolate/find the issue.

    Gav



    ------------------------------
    GAVIN WHITE
    ------------------------------