05-16-2012 09:07 AM
Is there anyone who can tell me how I can allow SAP services in SRX? FYI, I'm using an SRX3600 cluster and Junos ver 10.2. Currently I run the command as per below but found nothing related to the SAP application. Do I need to create a new application name as per the KB below? http://kb.juniper.net/InfoCenter/index?page=content&id=KB10140
set security policies from-zone trust to-zone untrust policy policy-tr-unt match application ?
Hope someone can help me. Thanks, I appreciate any feedback.
05-16-2012 09:41 AM
If you don't see any predefined applications (names starting with junos-) for SAP, we have to create custom applications and reference them in the security policies. (Currently I don't have access to a device to check if one is available or not.)
In custom applications, you can even define the port ranges.
For your ready reference, here's the listing of TCP/IP ports used by different SAP applications.
05-16-2012 05:20 PM
I looked at the URL that you gave and see the ports for SAP are too many. I think ports from 10001-->65535 are for torrent. Is there any easy way to make sure that if I block that torrent port range it will not affect the SAP ports? Thanks, and I appreciate someone's feedback.
05-16-2012 09:31 PM
If you're only firewalling between the SAPgui client application and the application server, you should be able to do the following:
set applications application SAP term DISPATCHER protocol tcp
set applications application SAP term DISPATCHER destination-port 3200-3299
set applications application SAP term MESSAGE-SERVER protocol tcp
set applications application SAP term MESSAGE-SERVER destination-port 3600-3699
set security policies from-zone CLIENTS to-zone SERVERS policy SAPGUI-ACCESS match source-address SAP-CLIENTS
set security policies from-zone CLIENTS to-zone SERVERS policy SAPGUI-ACCESS match destination-address SAP-APP-SERVER
set security policies from-zone CLIENTS to-zone SERVERS policy SAPGUI-ACCESS match application SAP
set security policies from-zone CLIENTS to-zone SERVERS policy SAPGUI-ACCESS then permit
If you can find out the SAP instance number your clients are connecting to from your SAP Admin team, you can limit these port numbers even further, e.g.: SAP instance 00 = Dispatcher TCP port 3200 & Message Server port 3600, instance 01 = Dispatcher TCP port 3201 & Message Server port 3601, etc.
JNCIP-ENT, JNCIP-SP, JNCIP-DC, JNCIE-SEC #63
Follow me @labelswitcher
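The per-instance port rule in the reply above (dispatcher 3200+NN, message server 3600+NN) and the earlier question about whether blocking 10001-65535 would touch SAP, as an added example that is not from this thread or from Juniper: it derives the ports for a set of instance numbers, renders the matching Junos set lines, and checks a blocked range for overlap. The instance numbers and the application name are assumptions.

```python
# Added example; the SAP port offsets come from the reply above (dispatcher
# 3200+NN, message server 3600+NN). Instance numbers and names are assumed.
SAP_TERMS = {"DISPATCHER": 3200, "MESSAGE-SERVER": 3600}  # base TCP ports


def sap_ports(instances):
    """Return {term: sorted TCP ports} for SAP instance numbers "00".."99"."""
    nums = []
    for i in instances:
        n = int(i)
        if not 0 <= n <= 99:
            raise ValueError(f"SAP instance number out of range: {i}")
        nums.append(n)
    return {term: sorted(base + n for n in nums) for term, base in SAP_TERMS.items()}


def junos_application(name, ports):
    """Render a Junos custom application with one single-port term per
    instance, so the policy opens only the ports actually in use."""
    lines = []
    for term, plist in ports.items():
        for p in plist:
            t = f"{term}-{p}"
            lines.append(f"set applications application {name} term {t} protocol tcp")
            lines.append(f"set applications application {name} term {t} destination-port {p}")
    return lines


def blocked_overlap(block_range, ports):
    """Return the SAP ports that fall inside an inclusive blocked range."""
    lo, hi = block_range
    return sorted(p for plist in ports.values() for p in plist if lo <= p <= hi)


if __name__ == "__main__":
    ports = sap_ports(["00", "01"])  # constructed: two instances
    print("\n".join(junos_application("SAP", ports)))
    print("overlap with 10001-65535:", blocked_overlap((10001, 65535), ports))
```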
05-17-2012 07:34 AM
Thanks for your advice. I tested the ports that you gave but still no luck. In the end I just put ports 3000-4000 and it works. Don't know what the exact port for SAP is.
But I very much appreciate your kindness in giving me some ideas to solve it. Thanks again.