SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  APPLICATION (TCP/UDP ports) TO OPEN IN POLICY FOR ACCESSING WEB PAGE ON INTERNET

    Posted 02-11-2012 10:17

    I would be glad if someone could answer this,

     

    Assuming that traffic is initiated from the trust zone, comes from the inside-users segment, and is destined via the Internet zone to any destination address on the Internet, say juniper.net/google.com, in order to permit the traffic WHAT SERVICE/APPLICATION (in short, TCP/UDP ports) HAS TO BE OPENED IN THE SECURITY POLICY FOR ACCESSING A WEB PAGE ON THE INTERNET? Two mandatory ports: HTTP (TCP port 80), DNS (UDP port 53)... WHAT ELSE???

    Sample SECURITY POLICY configuration on SRX for reference:

    set security policies from-zone trust to-zone Internet policy allow-users match source-address inside-users

    set security policies from-zone trust to-zone Internet policy allow-users match destination-address any

    set security policies from-zone trust to-zone Internet policy allow-users match application ??? ??? ???

    Do I need the reverse policy as well??? WHAT TCP/UDP PORTS have to be blocked in order to protect the inside-users segment from Internet users???

    many many thanks: saurabh!!!



  • 2.  RE: APPLICATION (TCP/UDP ports) TO OPEN IN POLICY FOR ACCESSING WEB PAGE ON INTERNET

    Posted 02-11-2012 11:03

    Hi Saurabh,

     

    You are correct. For web browsing you only need to permit junos-http (80) and junos-https (443) in the application. For DNS resolution you need the port 53 traffic in the application. But you do not require any reverse policy, as the return traffic will match only the session and not the policy.

    For protection from Internet users you can make sure there are no security policies configured from Internet to inside-segment. The default action of the SRX is to drop any packet if you do not explicitly permit it using security policies.

     

    Hope this helps.

    Regards,

    Visitor

    -------------------------------------------------------------------------------------------------------

    If this post was helpful, please mark this post as an "Accepted Solution". Kudos are always appreciated!
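A completed version of the policy from the original question, as an added example that is not from the thread: it permits only the predefined junos-http, junos-https and junos-dns-udp applications outbound, relies on session matching for the return traffic, and adds an explicit logged deny from Internet to trust so that blocked inbound attempts show up in the logs instead of being dropped silently. The inside-users subnet, the zone names and the policy names are assumptions.

```junos
# Address book entry for the inside-users segment (10.0.0.0/24 is a constructed placeholder)
set security zones security-zone trust address-book address inside-users 10.0.0.0/24

# Outbound: only web browsing and DNS lookups from inside-users to the Internet zone
set security policies from-zone trust to-zone Internet policy allow-users match source-address inside-users
set security policies from-zone trust to-zone Internet policy allow-users match destination-address any
set security policies from-zone trust to-zone Internet policy allow-users match application junos-http
set security policies from-zone trust to-zone Internet policy allow-users match application junos-https
set security policies from-zone trust to-zone Internet policy allow-users match application junos-dns-udp
set security policies from-zone trust to-zone Internet policy allow-users then permit
set security policies from-zone trust to-zone Internet policy allow-users then log session-close

# No reverse policy is needed: return packets match the existing session, not a policy.
# Inbound: an explicit deny-and-log policy makes the implicit default deny visible in the logs
set security policies from-zone Internet to-zone trust policy deny-inbound match source-address any
set security policies from-zone Internet to-zone trust policy deny-inbound match destination-address any
set security policies from-zone Internet to-zone trust policy deny-inbound match application any
set security policies from-zone Internet to-zone trust policy deny-inbound then deny
set security policies from-zone Internet to-zone trust policy deny-inbound then log session-init

# Keep the global default explicit rather than relying on the factory setting
set security policies default-policy deny-all
```

After commit, `show security flow session destination-port 443` shows the outbound session and the reverse wing that the return traffic rides, which is why no Internet-to-trust permit is required for browsing.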



  • 3.  RE: APPLICATION (TCP/UDP ports) TO OPEN IN POLICY FOR ACCESSING WEB PAGE ON INTERNET

    Posted 02-11-2012 12:01

    Hey, thanks for your reply.

     

    I agree that port 80 for HTTP & port 443 for HTTPS are now being opened for web browsing. My question is what if the inside users want to download/upload a file via FTP from the Internet, or want to download a file from Torrent, or what if the inside users want to connect to a remote PC on the Internet via TeamViewer. Do I need to open the FTP, TeamViewer, Torrent (to N no. of applications) port for this outgoing connection??? And what about the incoming connection, that is a PC on the Internet wants to connect to an inside user's PC via TeamViewer???

     

    I need to know generic as well as some specific & common TCP/UDP PORTS which I should open for not only Internet accessibility, but also other applications like Torrent, in order to solve all the fundamental purposes from an end-user (like you & me) perspective... Hope I am able to simplify my requirement.

     

    many many thanks.




  • 4.  RE: APPLICATION (TCP/UDP ports) TO OPEN IN POLICY FOR ACCESSING WEB PAGE ON INTERNET

    Posted 02-11-2012 18:15

    Hi Saurabh,

     


    For all the traffic that is initiated from inside towards the Internet, the policies should be permitting the same application, like ftp. The return traffic will map to the same traffic session and will be passed towards the inside-users.

    If you do not want to restrict any of the users from accessing anything specific, you can add 'any' in the application for the security policies, and this won't trade off with the security requirement as the traffic from the Internet to inside will still be blocked and only those matching the previous session will be permitted, which of course will be sessions initiated by the internal users.

     

    Hope this helps.

    Regards,

    Visitor




  • 5.  RE: APPLICATION (TCP/UDP ports) TO OPEN IN POLICY FOR ACCESSING WEB PAGE ON INTERNET

    Posted 02-11-2012 20:19

    Your reply is absolutely fine that I put "Any" in the policy from Trust zone to Internet zone, but on the other hand what about traffic coming from the Internet to inside-users? Say a client on the Internet wants to access an inside user's PC, how will they communicate? Firstly, tell me is this a valid case & are there any other cases as well??? Are there any generic TCP/UDP PORTS which I should open for such common Internet accessibility?

     

    many many thanks



  • 6.  RE: APPLICATION (TCP/UDP ports) TO OPEN IN POLICY FOR ACCESSING WEB PAGE ON INTERNET

    Posted 02-11-2012 20:32

    Hi Saurabh,

     

    For traffic to be reached from the Internet to inside users, you need to have a public IP and then you need to create a static NAT/destination NAT rule, depending on your requirement, to map the public IP to the private IP.

     

    Static NAT is bi-directional.

    Destination NAT is uni-directional.

     

    e.g. You host a web server internally and you want the Internet users to access that. Then either you can configure a static NAT/destination NAT rule and permit the http/https traffic from the Internet zone to the internal zone with application as http/https, with the destination as the inside user's private IP address.

    The NAT conversion will be first in the flow and then the security policies.

    The ports opened will be as per the applications that you host on the internal web server, e.g. FTP, HTTP, HTTPS, SIP.

     

    Hope this helps.

    Regards,

    Visitor

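As an added example (not from the thread) of the hosted web server case described above: a destination NAT rule maps TCP/80 and TCP/443 on the public address to an internal server, and the Internet-to-trust policy matches the private address because destination NAT is evaluated before the policy lookup. The public address 203.0.113.10, the private address 10.0.1.10, the interface ge-0/0/0.0 and the zone, pool and policy names are assumptions.

```junos
# Internal web server (private address is a constructed placeholder)
set security zones security-zone trust address-book address web-server 10.0.1.10/32

# Destination NAT: public 203.0.113.10 (placeholder) ports 80/443 -> private 10.0.1.10, same ports
set security nat destination pool web-http address 10.0.1.10/32 port 80
set security nat destination pool web-https address 10.0.1.10/32 port 443
set security nat destination rule-set from-internet from zone Internet
set security nat destination rule-set from-internet rule web-80 match destination-address 203.0.113.10/32
set security nat destination rule-set from-internet rule web-80 match destination-port 80
set security nat destination rule-set from-internet rule web-80 then destination-nat pool web-http
set security nat destination rule-set from-internet rule web-443 match destination-address 203.0.113.10/32
set security nat destination rule-set from-internet rule web-443 match destination-port 443
set security nat destination rule-set from-internet rule web-443 then destination-nat pool web-https

# Answer ARP for the public address on the Internet-facing interface (interface name assumed)
set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.10/32

# The policy is evaluated after destination NAT, so it matches the translated (private) address
# and only the two hosted applications; everything else from the Internet stays denied.
set security policies from-zone Internet to-zone trust policy allow-web match source-address any
set security policies from-zone Internet to-zone trust policy allow-web match destination-address web-server
set security policies from-zone Internet to-zone trust policy allow-web match application junos-http
set security policies from-zone Internet to-zone trust policy allow-web match application junos-https
set security policies from-zone Internet to-zone trust policy allow-web then permit
set security policies from-zone Internet to-zone trust policy allow-web then log session-init
```

A static NAT rule (`then static-nat prefix 10.0.1.10/32` under `security nat static`) would map every port of the public address bi-directionally, whereas the destination NAT form above exposes only the two hosted ports. Verify the translation with `show security nat destination rule all` and `show security flow session destination-port 80`.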



  • 7.  RE: APPLICATION (TCP/UDP ports) TO OPEN IN POLICY FOR ACCESSING WEB PAGE ON INTERNET

    Posted 02-11-2012 20:53

    I am having a pool of public IP addresses, so I don't need NAT, but my question is, in a general scenario and with no HTTP or FTP services running on the inside users' PCs, are we still obliged to open any ports for such communication on the Internet like TeamViewer, Torrent or any generic application which I have missed out?

     

    Thx a lot



  • 8.  RE: APPLICATION (TCP/UDP ports) TO OPEN IN POLICY FOR ACCESSING WEB PAGE ON INTERNET
    Best Answer

    Posted 02-11-2012 21:04

    Hi Saurabh,

     

    For the TeamViewer and torrent downloads, I do not think you will require any policies from the Internet to inside.

    The policies will only be required when you want the Internet users to access some applications towards the inside, for the servers hosting some particular applications. For the rest of the applications the traffic will always be initiated from the internal segment and the return traffic will match the session.

     

     

    Hope this helps.

    Regards,

    Visitor




  • 9.  RE: APPLICATION (TCP/UDP ports) TO OPEN IN POLICY FOR ACCESSING WEB PAGE ON INTERNET

    Posted 02-11-2012 21:09

    many many thanks for the reply. Kudos for you :)