SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Dynamic VPN - Security Setup + Filter

    Posted 08-31-2011 08:44

    Hi,

     

    I am currently in the process of setting up Dynamic VPN access for home users.  I am, however, a bit wary of allowing the front end of the SRX to be open to the world.

     

    As most users are in the UK and Ireland, I can limit it to these ISP ranges, which are mostly available.

     

    Just wondering if anyone else has ever set up such a scenario and if anyone has opinions as to the most secure way to set this up, with limited brute force attacks on the dynamic-vpn login page.

     

    Cheers,

    M



  • 2.  RE: Dynamic VPN - Security Setup + Filter
    Best Answer

    Posted 08-31-2011 23:43

    I think that a firewall filter applied on the public interface, specifically permitting the IPs you know are legitimate for HTTP, denying all other HTTP requests and then permitting all other traffic, should do it.

     

    set firewall family inet filter test term 1 from source-address <IP address of legit hosts>
    set firewall family inet filter test term 1 from destination-address <IP address of the firewall>
    set firewall family inet filter test term 1 from protocol tcp
    set firewall family inet filter test term 1 from destination-port 80
    set firewall family inet filter test term 1 then accept
    set firewall family inet filter test term 2 from destination-address <IP address of the firewall>
    set firewall family inet filter test term 2 from protocol tcp
    set firewall family inet filter test term 2 from destination-port 80
    set firewall family inet filter test term 2 then discard
    set firewall family inet filter test term 3 then accept
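
The filter from the answer above, extended as an added example that is not part of the original post: the permitted sources move into a prefix list, the blocking term gets a counter, and the filter is attached to the public interface. The prefix-list name, the counter name, the interface ge-0/0/0 and all addresses (documentation ranges) are assumptions to be replaced with real values.

```junos
# Constructed sample ranges standing in for the permitted ISP prefixes.
set policy-options prefix-list VPN-CLIENTS 192.0.2.0/24
set policy-options prefix-list VPN-CLIENTS 198.51.100.0/24

# Term 1: permitted sources may reach the login page on the SRX.
# 203.0.113.1 is a placeholder for the firewall's public address.
# Port 80 follows the answer above; if the login page is served over
# HTTPS (assumption), add destination-port 443 to terms 1 and 2.
set firewall family inet filter test term 1 from source-prefix-list VPN-CLIENTS
set firewall family inet filter test term 1 from destination-address 203.0.113.1/32
set firewall family inet filter test term 1 from protocol tcp
set firewall family inet filter test term 1 from destination-port 80
set firewall family inet filter test term 1 then accept

# Term 2: every other source is counted and dropped for the same
# destination and port. Terms are evaluated in order, so this term
# must stay after term 1.
set firewall family inet filter test term 2 from destination-address 203.0.113.1/32
set firewall family inet filter test term 2 from protocol tcp
set firewall family inet filter test term 2 from destination-port 80
set firewall family inet filter test term 2 then count blocked-http
set firewall family inet filter test term 2 then discard

# Term 3: all remaining traffic passes. Without it, the implicit
# discard at the end of the filter would drop everything else.
set firewall family inet filter test term 3 then accept

# The filter has no effect until it is applied inbound on the public
# interface (ge-0/0/0 unit 0 is an assumed name).
set interfaces ge-0/0/0 unit 0 family inet filter input test

# Rolls back automatically after 5 minutes unless confirmed with a
# second commit, in case the filter cuts off management access.
commit confirmed 5
```

After the commit, `show firewall filter test` displays the blocked-http counter, which shows how many requests from outside the permitted ranges are being dropped.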