SRX Services Gateway
Trusted Contributor
kronicklez
Posts: 466
Registered: 08-10-2010

Help... How can I allow SAP services in SRX?

Hi All,

Can anyone tell me how I can allow SAP services in SRX? FYI, I'm using an SRX3600 cluster and Junos version 10.2. Currently I run the command below, but nothing related to the SAP application is found. Do I need to create a new application name, as per the KB below? http://kb.juniper.net/InfoCenter/index?page=content&id=KB10140

set security policies from-zone trust to-zone untrust policy policy-tr-unt match application ?

I hope someone can help me. Thanks, I appreciate any feedback.

Recognized Expert
JunOS_Fan
Posts: 241
Registered: 02-13-2012

Re: Help... How can I allow SAP services in SRX?

Hi,

If you don't see any predefined applications (names starting with junos-) for SAP, we have to create custom applications and reference them in the security policies (currently I don't have access to a device to check whether one is available or not).

In custom applications, you can even define port ranges.

For your ready reference, here's the listing of TCP/IP ports used by different SAP applications:

http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/4e515a43-0e01-0010-2da1-9bcc452c2...


Best regards
Pradeep (JNCIP-SEC,ENT,SP)
www.networker.co.in
Trusted Contributor
kronicklez
Posts: 466
Registered: 08-10-2010

Re: Help... How can I allow SAP services in SRX?

Hi Junos_Fan,

I looked at the URL you gave and see that the ports for SAP are too many. I think the ports from 10001-->65535 are for torrent. Is there any easy way to make sure that if I block those torrent ports it will not affect the SAP ports? Thanks, and I appreciate any feedback.

Distinguished Expert
dfex
Posts: 708
Registered: 04-17-2008

Re: Help... How can I allow SAP services in SRX?

Hi kronicklez,

If you're only firewalling between the SAPgui client application and the application server, you should be able to do the following:

set applications application SAP term DISPATCHER protocol tcp
set applications application SAP term DISPATCHER destination-port 3200-3299
set applications application SAP term MESSAGE-SERVER protocol tcp
set applications application SAP term MESSAGE-SERVER destination-port 3600-3699

Then:

set security policies from-zone CLIENTS to-zone SERVERS policy SAPGUI-ACCESS match source-address SAP-CLIENTS
set security policies from-zone CLIENTS to-zone SERVERS policy SAPGUI-ACCESS match destination-address SAP-APP-SERVER
set security policies from-zone CLIENTS to-zone SERVERS policy SAPGUI-ACCESS match application SAP
set security policies from-zone CLIENTS to-zone SERVERS policy SAPGUI-ACCESS then permit

If you can find out from your SAP Admin team which SAP instance number your clients are connecting to, you can limit these port numbers even further, e.g. SAP instance 00 = Dispatcher TCP port 3200 & Message Server port 3600, instance 01 = Dispatcher TCP port 3201 & Message Server port 3601, etc.

Cheers,

Ben

Ben Dale
JNCIP-ENT, JNCIS-SP, JNCIE-SEC #63
Juniper Ambassador
Follow me @labelswitcher
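The per-instance narrowing Ben describes above, and the earlier question about whether a broad torrent block range would collide with the SAP ports, can both be worked through with a small generator. This is an added example for the thread, not code from any of the posts or from Juniper: it takes the SAP instance numbers, derives the dispatcher (32NN) and message server (36NN) ports, emits the Junos custom application with one single-port term per service and instance instead of the whole 3200-3299 / 3600-3699 ranges, emits the matching policy, and reports which SAP ports a proposed deny range would catch. The zone, address-book and policy names are the ones used in the reply above and are assumptions for illustration; the instance numbers 00 and 01 in the usage section are constructed.

```python
"""Build a tightly scoped Junos custom application for SAPgui access and
check a proposed block range against it.

Added example for this thread, not code from the posts. Port conventions
follow the reply above: dispatcher on TCP 32NN and message server on
TCP 36NN, where NN is the SAP instance number (00-99). Zone and
address-book names are assumptions for illustration.
"""

DISPATCHER_BASE = 3200      # sapdpNN: dispatcher for instance NN listens on 32NN
MESSAGE_SERVER_BASE = 3600  # sapmsNN: message server for instance NN on 36NN


def sap_ports(instances):
    """Return sorted (service, port) pairs for the given SAP instance numbers.

    Rejects anything outside 00-99 so a typo cannot silently widen the
    application to a port no instance actually uses.
    """
    pairs = set()
    for inst in instances:
        if not isinstance(inst, int) or not 0 <= inst <= 99:
            raise ValueError(f"SAP instance number must be 00-99, got {inst!r}")
        pairs.add(("DISPATCHER", DISPATCHER_BASE + inst))
        pairs.add(("MESSAGE-SERVER", MESSAGE_SERVER_BASE + inst))
    return sorted(pairs)


def junos_application(name, instances):
    """Emit 'set applications application <name> term ...' lines.

    One term per service and instance, each matching a single destination
    port, rather than a 100-port range per service.
    """
    lines = []
    for service, port in sap_ports(instances):
        prefix = f"set applications application {name} term {service}-{port}"
        lines.append(f"{prefix} protocol tcp")
        lines.append(f"{prefix} destination-port {port}")
    return lines


def junos_policy(from_zone, to_zone, policy, src_addr, dst_addr, app):
    """Emit the security policy that references the custom application."""
    prefix = (f"set security policies from-zone {from_zone} "
              f"to-zone {to_zone} policy {policy}")
    return [
        f"{prefix} match source-address {src_addr}",
        f"{prefix} match destination-address {dst_addr}",
        f"{prefix} match application {app}",
        f"{prefix} then permit",
    ]


def blocked_sap_ports(block_range, instances):
    """Return the SAP ports that fall inside a proposed deny range (lo, hi).

    An empty result means the deny range would not touch any port the
    listed instances use.
    """
    lo, hi = block_range
    if lo > hi:
        raise ValueError("block range must be given as (low, high)")
    return [port for _, port in sap_ports(instances) if lo <= port <= hi]


if __name__ == "__main__":
    instances = [0, 1]  # constructed: SAP instances 00 and 01 on the app server
    for line in junos_application("SAP", instances):
        print(line)
    for line in junos_policy("CLIENTS", "SERVERS", "SAPGUI-ACCESS",
                             "SAP-CLIENTS", "SAP-APP-SERVER", "SAP"):
        print(line)
    # The torrent deny range asked about above does not overlap these instances.
    print(blocked_sap_ports((10001, 65535), instances))
```

Two things to keep in mind when pasting the output into the SRX: Junos evaluates security policies top-down and stops at the first match, so the SAPGUI-ACCESS permit must sit above any broader deny between the same zones (use `insert ... before` if the deny already exists); and the generated application only covers SAPgui to dispatcher and message server traffic, so anything else the SAP landscape needs (RFC, HTTP, etc.) has to be added from the SAP port list linked earlier in the thread.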
Trusted Contributor
kronicklez
Posts: 466
Registered: 08-10-2010

Re: Help... How can I allow SAP services in SRX?

Hi Dfex,

Thanks for your advice. I tested the ports you gave, but still no luck. In the end I just put ports 3000-4000 and it works. I don't know the exact ports for SAP.

But I very much appreciate your kindness in giving me some ideas to solve it. Thanks again.

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.