SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Default Deny on SRX240

    Posted 03-26-2012 16:37

    I have several policies from my untrust zone to my dmz zone that all look something like this.

     from-zone untrust to-zone dmz {
                policy nat-colo-10 {
                    match {
                        source-address COLO;
                        destination-address HST-ASQL01;
                        application [ junos-icmp-ping junos-http junos-https junos-ms-sql ];
                    }
                    then {
                        permit;
                        log {
                            session-init;
                            session-close;
                        }
                    }
                }
            }

     Do I need to configure a deny policy at the bottom to kill everything else? I'm asking because when I ran nmap on this server I'm getting a host of ports when I'm only expecting 4. I'm running 10.4r5.5.

    -Joshua

     



  • 2.  RE: Default Deny on SRX240

    Posted 03-26-2012 23:35

    Hi Joshua,

    There is an implicit deny by default. But you can deny everything explicitly with the default-policy command to be more sure, i.e.

     set security policies default-policy deny-all;

     

    Regards,

    Hassan



  • 3.  RE: Default Deny on SRX240

    Posted 03-27-2012 08:18

    I found the default-policy deny-all and it was already set. So my question is why I'm able to see multiple ports when I run an NMAP scan when I should only be seeing 4.

    -J

     



  • 4.  RE: Default Deny on SRX240
    Best Answer

    Posted 03-27-2012 09:01

    Hi

    If you have a syn-flood screen protection enabled, then this is expected. Starting from the configured threshold, TCP sessions get proxied on the SRX. Instead of being forwarded to backend servers, every SYN from your nmap host will get a SYN/ACK in response, regardless of port, and it does not depend on the actual state of this port on the server (open/closed). Nmap will see all these ports as open just because it receives a SYN/ACK.

    This is how this protection works; it is not a security hole, but a security feature 🙂

    For details, see the doc, e.g.

    http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-43941.html



  • 5.  RE: Default Deny on SRX240

    Posted 03-27-2012 09:09

    Looky looky, I forgot I enabled that! Thanks for the info.



  • 6.  RE: Default Deny on SRX240

    Posted 03-29-2012 05:22

    Just a reminder, the implicit default-deny does not result in logs, so you might still want to create explicit policies for the zones, easily done with configuration groups (so you don't have to create one policy for each zone->zone context), or a global policy if you're planning to upgrade.
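    As an added illustration of the configuration-group approach mentioned above (this is example config, not something posted in the thread), the group below defines one catch-all deny policy with logging and uses <*> wildcards so it is inherited into every from-zone/to-zone context that already exists; the group name and policy name are made up for the example.

    ```junos
    /* Config group holding a single explicit deny-with-log policy.
       The <*> wildcards inherit it into every from-zone/to-zone
       context present in the configuration, so untrust->dmz,
       untrust->trust, etc. each get the same final policy without
       a hand-written copy per zone pair. Deny policies only
       support session-init logging, since no session is created. */
    groups {
        deny-log {
            security {
                policies {
                    from-zone <*> to-zone <*> {
                        policy zz-explicit-deny-log {
                            match {
                                source-address any;
                                destination-address any;
                                application any;
                            }
                            then {
                                deny;
                                log {
                                    session-init;
                                }
                            }
                        }
                    }
                }
            }
        }
    }
    apply-groups deny-log;
    /* Keep the silent default deny as well, for contexts the
       group does not reach (e.g. zone pairs with no policy set). */
    security {
        policies {
            default-policy {
                deny-all;
            }
        }
    }
    ```

    After committing, confirm the inherited policy sorts after the explicit permits in each context with "show configuration security policies | display inheritance" before relying on its logs.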



  • 7.  RE: Default Deny on SRX240

    Posted 03-26-2012 23:43

    The default policy action between zones, if no match exists in any other policy, is deny-all. You could change the default action with this command:

    # set security policies default-policy (deny-all | permit-all)

     

    Regards,

     

    Mohamed Elhariry

     

    JNCIE-M/T # 1059, CCNP & CCIP

     
