
Juniper SRX - Securing Management Access

Within this article we will show the commands required to restrict and secure management access to your Juniper SRX series gateway.

Note : The following syntax/configuration has been tested with a PPPoE setup.

Configure Addresses

First of all, the addresses that are allowed management access to the device are configured. This also includes any DNS servers that your SRX will need to use, which prevents their return responses from being denied.

set policy-options prefix-list permitted-ips [IP ADDRESS]/[SUBNET MASK]

Configure System Services

Next, the system services that will be allowed inbound on each security zone (and therefore on the interfaces in that zone) are defined.

set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust host-inbound-traffic system-services dhcp
set security zones security-zone trust host-inbound-traffic system-services https
set security zones security-zone trust host-inbound-traffic system-services http
set security zones security-zone untrust host-inbound-traffic system-services traceroute
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services dns
set security zones security-zone untrust host-inbound-traffic system-services https
set security zones security-zone untrust host-inbound-traffic system-services ike
set security zones security-zone untrust host-inbound-traffic system-services http

Configure Filter

Next we will define which IPs are allowed access to which services.

set firewall filter admin-services-in term established from tcp-established
set firewall filter admin-services-in term established then accept
set firewall filter admin-services-in term allow_in from protocol udp
set firewall filter admin-services-in term allow_in from protocol tcp
set firewall filter admin-services-in term allow_in from protocol esp
set firewall filter admin-services-in term allow_in from port 500
set firewall filter admin-services-in term allow_in from port 4500
set firewall filter admin-services-in term allow_in from port 443
set firewall filter admin-services-in term allow_in from port dhcp
set firewall filter admin-services-in term allow_in then accept
set firewall filter admin-services-in term allow_in_ipv4_ping from protocol icmp
set firewall filter admin-services-in term allow_in_ipv4_ping from icmp-type echo-reply
set firewall filter admin-services-in term allow_in_ipv6_ping from protocol icmpv6
set firewall filter admin-services-in term allow_in_ipv6_ping from icmp-type echo-reply
set firewall filter admin-services-in term allow_ntp from destination-port 123
set firewall filter admin-services-in term deny_in from source-address 0.0.0.0/0
set firewall filter admin-services-in term deny_in from source-prefix-list permitted-ips except
set firewall filter admin-services-in term deny_in then count deny_count
set firewall filter admin-services-in term deny_in then syslog
set firewall filter admin-services-in term deny_in then discard
set firewall filter admin-services-in term accept_everything_else then accept
set firewall filter admin-services-out term allow-all then accept

Assign Filter

Finally, the filters are assigned to the loopback interface.

Note : The filters are applied to the loopback interface because this ensures that only traffic destined to the device itself (management traffic) is filtered; transit traffic passing through the SRX is unaffected.

set interfaces lo0 unit 0 family inet filter input admin-services-in
set interfaces lo0 unit 0 family inet filter output admin-services-out
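Before committing a filter like the one above it is worth checking which term a given management packet will actually hit. The following is an added example, not part of the original article or Juniper's own tooling: a small Python model of Junos firewall-filter evaluation with the article's terms encoded as data. It follows the Junos rules that terms are tried in order, that different match kinds inside one term are ANDed while values of one kind are ORed, that `port` matches source or destination port, that a term with no `then` clause accepts, and that a packet matching no term is discarded. The permitted-ips prefix list and the sample packets are constructed for the example.

```python
"""Model of how Junos evaluates the admin-services-in firewall filter.

Added example (not part of the original article): a first-match evaluator
with the article's filter terms encoded as data, so you can see which term
a management packet hits before committing. The prefix list contents and
the sample packets are constructed values.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed stand-in for `set policy-options prefix-list permitted-ips ...`
# (an admin range plus the SRX's own DNS resolver, as the article advises).
PERMITTED_IPS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.53/32")]


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp", "esp", "icmp", "icmpv6"
    sport: int = 0
    dport: int = 0
    ack_or_rst: bool = False   # the flag test that tcp-established performs
    icmp_type: Optional[str] = None


@dataclass
class Term:
    name: str
    protocol: set = field(default_factory=set)
    port: set = field(default_factory=set)             # matches src OR dst port
    destination_port: set = field(default_factory=set)
    tcp_established: bool = False
    icmp_type: set = field(default_factory=set)
    prefix_list_except: Optional[list] = None          # `source-prefix-list X except`
    action: str = "accept"                             # Junos default when `then` is omitted

    def matches(self, p: Packet) -> bool:
        """Every configured match kind must hold (AND); values within a kind are ORed."""
        if self.protocol and p.proto not in self.protocol:
            return False
        if self.port and p.sport not in self.port and p.dport not in self.port:
            return False
        if self.destination_port and p.dport not in self.destination_port:
            return False
        if self.tcp_established and not p.ack_or_rst:
            return False
        if self.icmp_type and p.icmp_type not in self.icmp_type:
            return False
        if self.prefix_list_except is not None:
            # `source-address 0.0.0.0/0` matches every IPv4 source, so the
            # effective condition of deny_in is "source NOT in permitted-ips".
            if any(ip_address(p.src) in net for net in self.prefix_list_except):
                return False
        return True


# The article's filter, term by term, in the order it was entered. `port dhcp` is 67.
ADMIN_SERVICES_IN = [
    Term("established", tcp_established=True),
    Term("allow_in", protocol={"udp", "tcp", "esp"}, port={500, 4500, 443, 67}),
    Term("allow_in_ipv4_ping", protocol={"icmp"}, icmp_type={"echo-reply"}),
    Term("allow_in_ipv6_ping", protocol={"icmpv6"}, icmp_type={"echo-reply"}),
    Term("allow_ntp", destination_port={123}),                  # no `then` -> accept
    Term("deny_in", prefix_list_except=PERMITTED_IPS, action="discard"),
    Term("accept_everything_else"),
]


def evaluate(p: Packet, terms=ADMIN_SERVICES_IN):
    """Return (term name, action) of the first matching term, or the implicit discard."""
    for t in terms:
        if t.matches(p):
            return t.name, t.action
    return None, "discard"


if __name__ == "__main__":
    cases = {
        "ssh from permitted admin": Packet("203.0.113.10", "192.0.2.1", "tcp", 51000, 22),
        "ssh from unknown host": Packet("198.51.100.7", "192.0.2.1", "tcp", 18978, 22),
        "reply to the SRX's own tcp session": Packet("198.51.100.7", "192.0.2.1", "tcp", 443, 50000, ack_or_rst=True),
        "ike from a vpn peer": Packet("198.51.100.7", "192.0.2.1", "udp", 500, 500),
        "dns reply from permitted resolver": Packet("198.51.100.53", "192.0.2.1", "udp", 53, 40000),
        "https from unknown host": Packet("198.51.100.7", "192.0.2.1", "tcp", 40000, 443),
    }
    for label, pkt in cases.items():
        print(f"{label:36s} -> {evaluate(pkt)}")
```

Running the cases shows the intended behaviour (SSH from a permitted source falls through to accept_everything_else, SSH from anywhere else stops at deny_in, replies to the SRX's own sessions hit established, the resolver's DNS replies survive because the resolver is in permitted-ips). It also makes one property of the filter visible: any port listed in allow_in is accepted before deny_in is evaluated, and allow_in carries no source condition, so HTTPS to the box from a non-permitted source matches allow_in. If that is not what you want, the prefix-list check has to be added to that term as well.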

Troubleshooting

Configure the log file

set system syslog file firewall firewall info

View Log

root@srx240l> show log firewall
Sep 1 22:30:14 srx240 clear-log[15397]: logfile cleared
Sep  2 01:51:44  srx240l srx240l PFE_FW_SYSLOG_IP: FW: pp0.0        D  tcp 176.20.7.244 94.15.8.26 57837 34105 (1 packets)
Sep  2 01:51:53  srx240l last message repeated 2 times
Sep  2 12:35:06  srx240l srx240l PFE_FW_SYSLOG_IP: FW: pp0.0        D  tcp 8.2.13.83 4.15.26.70 18978    22 (2 packets)
Sep  2 12:35:08  srx240l srx240l PFE_FW_SYSLOG_IP: FW: pp0.0        D  tcp 82.132.19.83 94.15.26.70 18978    22 (2 packets)
Sep  2 12:35:11  srx240l srx240l PFE_FW_SYSLOG_IP: FW: pp0.0        D  tcp 2.2.39.83 94.15.26.70 18978    22 (2 packets)
Sep  2 12:35:14  srx240l srx240l PFE_FW_SYSLOG_IP: FW: pp0.0        D  tcp 2.12.19.83 94.1.2.70 18978    22 (1 packets)
Sep  2 12:35:16  srx240l srx240l PFE_FW_SYSLOG_IP: FW: pp0.0        D  tcp 2.132.19.83 94.1.2.70 18978    22 (1 packets)
Sep  2 12:35:19  srx240l srx240l PFE_FW_SYSLOG_IP: FW: pp0.0        D  tcp 2.132.13.206 94.1.26.70 21438    22 (3 packets)
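Reading the discards by eye works for a handful of lines, but the deny_in term's syslog output is more useful once it is counted per destination port and per source. The following parser is an added example, not part of the original article: it takes the `show log firewall` output shown above as sample input and assumes the record layout `... PFE_FW_SYSLOG_IP: FW: <interface> <A|D> <proto> <src> <dst> <sport> <dport> (<n> packets)`. "last message repeated N times" lines are folded into the preceding record; anything else (the prompt, the clear-log line) is counted as unparsed rather than dropped silently.

```python
"""Parse and summarise Junos PFE_FW_SYSLOG_IP records from `show log firewall`.

Added example (not from the original article). Sample input is the
article's own log output; the record layout is an assumption based on it.
"""
import re
from collections import Counter
from dataclasses import dataclass, replace
from typing import List, Tuple

# "Mon  D HH:MM:SS  host" prefix shared by every syslog line
TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)"
RECORD_RE = re.compile(
    TS + r".*?PFE_FW_SYSLOG_IP:\s+FW:\s+(?P<ifc>\S+)\s+(?P<action>[AD])\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<sport>\d+)\s+(?P<dport>\d+)\s+\((?P<count>\d+)\s+packets?\)"
)
REPEAT_RE = re.compile(TS + r"\s+last message repeated (?P<n>\d+) times")


@dataclass(frozen=True)
class FwEvent:
    ts: str
    ifc: str
    action: str      # "D" = discarded by the filter, "A" = accepted
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    count: int       # packets summarised by this record


def parse_firewall_log(text: str) -> Tuple[List[FwEvent], int]:
    """Return (events, number of lines that were neither a record nor a repeat notice)."""
    events: List[FwEvent] = []
    unparsed = 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RECORD_RE.match(line)
        if m:
            g = m.groupdict()
            events.append(FwEvent(g["ts"], g["ifc"], g["action"], g["proto"], g["src"],
                                  g["dst"], int(g["sport"]), int(g["dport"]), int(g["count"])))
            continue
        m = REPEAT_RE.match(line)
        if m and events:
            # syslog suppressed N identical records; account for their packets
            last = events[-1]
            events.append(replace(last, ts=m.group("ts"), count=last.count * int(m.group("n"))))
            continue
        unparsed += 1
    return events, unparsed


def denied_packets_by_dport(events) -> Counter:
    """Packets discarded by the filter, keyed by destination port."""
    c = Counter()
    for e in events:
        if e.action == "D":
            c[e.dport] += e.count
    return c


def denied_sources(events, dport: int) -> Counter:
    """Distinct sources discarded on one destination port, with packet totals."""
    c = Counter()
    for e in events:
        if e.action == "D" and e.dport == dport:
            c[e.src] += e.count
    return c


# The article's `show log firewall` output, used verbatim as sample input.
SAMPLE_LOG = """\
root@srx240l> show log firewall
Sep 1 22:30:14 srx240 clear-log[15397]: logfile cleared
Sep  2 01:51:44  srx240l srx240l PFE_FW_SYSLOG_IP: FW: pp0.0        D  tcp 176.20.7.244 94.15.8.26 57837 34105 (1 packets)
Sep  2 01:51:53  srx240l last message repeated 2 times
Sep  2 12:35:06  srx240l srx240l PFE_FW_SYSLOG_IP: FW: pp0.0        D  tcp 8.2.13.83 4.15.26.70 18978    22 (2 packets)
Sep  2 12:35:08  srx240l srx240l PFE_FW_SYSLOG_IP: FW: pp0.0        D  tcp 82.132.19.83 94.15.26.70 18978    22 (2 packets)
Sep  2 12:35:11  srx240l srx240l PFE_FW_SYSLOG_IP: FW: pp0.0        D  tcp 2.2.39.83 94.15.26.70 18978    22 (2 packets)
Sep  2 12:35:14  srx240l srx240l PFE_FW_SYSLOG_IP: FW: pp0.0        D  tcp 2.12.19.83 94.1.2.70 18978    22 (1 packets)
Sep  2 12:35:16  srx240l srx240l PFE_FW_SYSLOG_IP: FW: pp0.0        D  tcp 2.132.19.83 94.1.2.70 18978    22 (1 packets)
Sep  2 12:35:19  srx240l srx240l PFE_FW_SYSLOG_IP: FW: pp0.0        D  tcp 2.132.13.206 94.1.26.70 21438    22 (3 packets)
"""

if __name__ == "__main__":
    evs, skipped = parse_firewall_log(SAMPLE_LOG)
    print(f"{len(evs)} records parsed, {skipped} lines skipped")
    for port, n in denied_packets_by_dport(evs).most_common():
        print(f"dport {port}: {n} packets discarded from {len(denied_sources(evs, port))} sources")
```

On the sample above this reports 11 discarded packets to port 22 from six distinct sources in a thirteen-second window, which is the kind of summary worth feeding to whatever collects the SRX's syslog rather than leaving in a local file. The deny_count counter configured in the deny_in term gives the same total on the box itself (`show firewall filter admin-services-in`), which is a quick way to confirm the parser is not dropping records.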


About the Author


R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001