SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Block outbound / inbound GRE

    Posted 03-07-2017 10:33

    Hi experts,

    I have two Cisco routers and one Juniper SRX. The topology is as follows, with no NAT, just routing, but the SRX is still in security mode and everything from untrust to wan goes through the SRX and vice versa.

    Cisco Router <--untrust-zone--> Juniper SRX <---wan-zone-> Cisco router

    One zone is called untrust and the other zone is called wan-zone.

    I'm only allowing junos-ping from untrust to wan and from wan to untrust.

    Somehow I can still establish a GRE tunnel from Cisco to Cisco with no problem.

    I have created a custom application with protocol GRE, added it to a policy as deny, and re-ordered the policy to the top, without much luck.

    I just want to know how to block this protocol with a security policy.



  • 2.  RE: Block outbound / inbound GRE

    Posted 03-07-2017 13:13

    Hello,

    Could you please share the current security policies and zones configuration?

    Regards



  • 3.  RE: Block outbound / inbound GRE

    Posted 03-08-2017 13:50

    After a hard reboot it's not passing, but here is what I have:

    !

    !

    root@SRX1> ...ation security zones security-zone untrust
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            ospf;
        }
    }
    interfaces {
        ge-0/0/0.0 {
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
        }
    }

    root@SRX1> show configuration security zones security-zone wan-zone
    host-inbound-traffic {
        protocols {
            ospf;
        }
    }
    interfaces {
        ge-0/0/3.0 {
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
        }
    }

    !

    root@SRX1> ...rity policies from-zone wan-zone to-zone untrust
    policy 2 {
        match {
            source-address any;
            destination-address any;
            application [ junos-gre gre-custom ];
        }
        then {
            deny;
            count;
        }
    }
    policy 1 {
        match {
            source-address any;
            destination-address any;
            application junos-ping;
        }
        then {
            permit;
        }
    }

    !

    !

    !

    root@SRX1> ...from-zone wan-zone to-zone untrust policy-name 2 detail
    Policy: 2, action-type: deny, State: enabled, Index: 6, Scope Policy: 0
      Policy Type: Configured
      Sequence number: 1
      From zone: wan-zone, To zone: untrust
      Source addresses:
        any-ipv4(global): 0.0.0.0/0
        any-ipv6(global): ::/0
      Destination addresses:
        any-ipv4(global): 0.0.0.0/0
        any-ipv6(global): ::/0
      Application: junos-gre
        IP protocol: 47, ALG: 0, Inactivity timeout: 0
          Source port range: [0-0]
          Destination port range: [0-0]
      Application: gre-custom
        IP protocol: gre, ALG: 0, Inactivity timeout: 0
          Source port range: [0-0]
          Destination port range: [0-0]
      Per policy TCP Options: SYN check: No, SEQ check: No
      Policy statistics:
        Input  bytes       :                30924                   72 bps
          Initial direction:                30924                   72 bps
          Reply direction  :                    0                    0 bps
        Output bytes       :                    0                    0 bps
          Initial direction:                    0                    0 bps
          Reply direction  :                    0                    0 bps
        Input  packets     :                  295                    0 pps
          Initial direction:                  295                    0 bps
          Reply direction  :                    0                    0 bps
        Output packets     :                    0                    0 pps
          Initial direction:                    0                    0 bps
          Reply direction  :                    0                    0 bps
        Session rate       :                    0                    0 sps
        Active sessions    :                    0
        Session deletions  :                    0
        Policy lookups     :                  295



  • 4.  RE: Block outbound / inbound GRE
    Best Answer

    Posted 03-08-2017 19:01

    Your config looks fine and I expect it to block GRE traffic. If the reboot fixed the issue, the most likely reason could be a policy sync issue between RE and PFE. Are you running an older Junos version?

    Also, can you try deleting "policy 2" and check the issue? I expect the SRX to block GRE without this policy, as the other policy is allowing only "ICMP".

    If the issue reoccurs, we have a better chance of finding the cause.



  • 5.  RE: Block outbound / inbound GRE

    Posted 03-09-2017 07:10

    Hi, thanks all for the replies.

    I think I know what happened.

    I had an any/any policy applied and the GRE session was established. Then I created the deny policy and removed the any/any policy, but the session was still active, and I kept the session active, so naturally the reboot cleared the session. I re-created the any/any policy and removed it, and sure enough the session was still active; then I manually cleared it and the policy took effect.
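    The check-and-clear sequence behind posts 4 and 5, as an added example that is not part of the original thread: an SRX does not re-evaluate established flow sessions when policies change, so a GRE session built under the earlier any/any policy keeps passing until it ages out or is cleared. The commands are standard Junos operational commands; the session line shown in a comment is a constructed illustration, not output from the poster's device, and the `##` lines are commentary only.

    ```junos
    ## Step 1: list GRE sessions that survived the policy change. A stale session
    ## still references the old permit policy, not the new deny policy 2.
    root@SRX1> show security flow session protocol gre
    ## Constructed illustration of what a stale entry looks like:
    ## Session ID: 4321, Policy name: any-any/5, Timeout: 1740, Valid
    ##   In: 192.0.2.1/0 --> 198.51.100.1/0;gre, If: ge-0/0/3.0, Pkts: 295, Bytes: 30924
    ##   Out: 198.51.100.1/0 --> 192.0.2.1/0;gre, If: ge-0/0/0.0, Pkts: 290, Bytes: 30400

    ## Step 2: clear those sessions so the next GRE packet gets a fresh policy
    ## lookup. Scope the clear to the protocol rather than clearing all sessions.
    root@SRX1> clear security flow session protocol gre

    ## Step 3: confirm nothing survives. One session covers both directions of the
    ## tunnel, so a single clear handles wan-zone <-> untrust.
    root@SRX1> show security flow session protocol gre
    ## Expected: Total sessions: 0

    ## Step 4: watch the deny policy's counters instead of trusting the absence of
    ## sessions. "Policy lookups" and "Input packets" on policy 2 should now rise
    ## each time a router retries the tunnel, while "Active sessions" stays 0.
    root@SRX1> show security policies from-zone wan-zone to-zone untrust policy-name 2 detail

    ## Step 5 (optional, as post 4 suggests): with policy 2 deleted, GRE is still
    ## dropped by the implicit default-deny, because policy 1 permits only junos-ping.
    ## Keeping policy 2 only adds the "count" action, which makes the drops visible.
    ```

    The same stale-session effect applies to any protocol, so the clear step belongs after every policy tightening, not only for GRE.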



  • 6.  RE: Block outbound / inbound GRE

    Posted 03-08-2017 00:07

    Can you share the session entry for this?

    srx> show security flow session protocol gre



  • 7.  RE: Block outbound / inbound GRE

    Posted 03-08-2017 13:45

    At this time there are no active sessions, but I had to hard shut both the SRX to get this. At this time it doesn't appear to be passing.

    root@SRX1> show security flow session protocol gre
    Total sessions: 0