SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  RPM probe udp-ping

    Posted 09-27-2011 03:19

    Hello All!

     

    I'm trying to set up an RPM probe on SRXs with probe-type udp-ping, and I have a problem on the probe-server side: to make it work, I had to enable all host-inbound services in the corresponding interface's security zone. It's OK in the lab, but not in production. I have no idea how to enable only one UDP port as an allowed incoming service on an SRX device. I need advice on how to make it all work securely.

    Please, help!

     



  • 2.  RE: RPM probe udp-ping

     
    Posted 10-02-2011 17:13

    Hi,

     

    Unfortunately, there is no way to customize the applications listed under the host-inbound traffic settings. Fortunately, Junos 11.2 introduced a more flexible way to apply policies to host-bound traffic.

     

    On the ingress zone of your RPM server, allow any host-bound traffic as you have, but configure a host-bound security policy to restrict which traffic will be allowed. The order of evaluation is the zone-based setting followed by the host-policy setting.

     

    The junos-host zone is a special predefined zone that is assigned as the destination zone for all host-inbound traffic (or source zone for host-outbound), allowing you to configure a normal security policy to control which traffic is allowed or denied. 

     

    For example, say that you are sending UDP probes to port 50000 and that the server is listening on an interface bound to the untrust zone. The configuration would be something like this:

     

    [edit applications]
    application rpm {
        protocol udp;
        destination-port 50000;
    }
    
    [edit security policies from-zone untrust to-zone junos-host]
    policy allow-RPM-probes {
        match {
            source-address any;
            destination-address any;
            application rpm;
        }
        then {
            permit;
        }
    }
    policy deny-other {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            deny;
        }
    }

     

    I didn't test this config, so it is possible that I made a mistake somewhere, but hopefully you get the idea.

     

    As a byproduct of this, host-bound policies allow you to generate session logs for host-bound traffic, which is particularly useful when used in conjunction with a global policy (to log all host-bound packets, or all denied host-bound traffic). 



  • 3.  RE: RPM probe udp-ping

    Posted 10-03-2011 00:38

    Hi Pato,

     

    If I'm not mistaken, the feature is not available in 11.2 yet

     

    lab@srxC-1# set security policies from-zone trust to-zone junos-host policy p1 match source-address any destination-address any application junos-telnet
    error: cannot use reserved identifier: junos-host



  • 4.  RE: RPM probe udp-ping

    Posted 10-03-2011 03:41

    Hello pk!

     

    Thanks for your reply!

     



  • 5.  RE: RPM probe udp-ping
    Best Answer

    Posted 10-03-2011 03:49

    Btw, with currently available Junos versions, you should be able to do what you want with an input firewall filter applied to the loopback (lo0.0) interface.
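As an added example of the loopback-filter approach suggested in this reply (this is not configuration from the thread or from Juniper), a stateless filter on lo0.0 that accepts the RPM udp-ping probe port only from the probe hosts, keeps SSH management reachable, and counts, logs and drops everything else bound for the Routing Engine. The probe-source prefix 192.0.2.0/24, the management prefix 198.51.100.0/24, and the filter and term names are assumptions; port 50000 is the port used in the earlier reply.

```junos
/* Assumed values: probes from 192.0.2.0/24 to UDP 50000, management from 198.51.100.0/24 */
services {
    rpm {
        probe-server {
            udp {
                port 50000;
            }
        }
    }
}
firewall {
    family inet {
        filter protect-re {
            /* only the probe port, and only from the probe hosts */
            term rpm-udp-ping {
                from {
                    source-address { 192.0.2.0/24; }
                    protocol udp;
                    destination-port 50000;
                }
                then accept;
            }
            /* keep management reachable from the management network */
            term mgmt-ssh {
                from {
                    source-address { 198.51.100.0/24; }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            /* everything else bound for the RE is counted, logged and dropped */
            term deny-rest {
                then {
                    count re-discards;
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet { filter { input protect-re; } }
        }
    }
}
```

The zone's host-inbound-traffic setting is still evaluated first, so the ingress zone must still admit the probe traffic, and any other traffic the device itself must receive (routing protocols, IKE, NTP, DNS replies) needs its own accept term ahead of deny-rest. The `re-discards` counter and the log entries give a quick check of what the final term is dropping.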



  • 6.  RE: RPM probe udp-ping

    Posted 10-04-2011 06:48

    Hello All!

     

    I've got the straightforward solution with the help of JTAC:

     

    host-inbound-traffic {
        system-services {
            rpm;
        }
    }