SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX100H2 - Why Does SRX need Firewall Filters Configured when Policies are already present

    Posted 12-14-2014 15:14

    Hi 

    I was having difficulty getting DHCP addresses assigned to clients from SRX. The KB told me to create a firewall filter to allow DHCP in. I did and it started working. 

    What's the function of firewall filters in SRX when policies are already there?

    Thanks.



  • 2.  RE: SRX100H2 - Why Does SRX need Firewall Filters Configured when Policies are already present
    Best Answer
    Posted 12-15-2014 03:04

    Stateless firewall filters on SRX serve at least a few purposes: 

    First, they can be a good first line of defense on your SRX for common types of traffic that perhaps you do not want your SRX wasting valuable session table space for. The stateless filter is processed prior to any screens, NAT, or security policies. I use firewall filters on some of our SRX devices to block blacklisted IP addresses or common ports used by script kiddies for worm propagation (SQL, Netbios, etc.).

    Second, they can and should be used to protect the routing engine from unauthorized access. Even though you may have defined certain protocols and services to run on your SRX, you still need to prevent unauthorized access from non-permitted IP addresses. In addition, the security policies on the SRX only work on transit traffic, not traffic that terminates on the SRX device itself. Therefore, a routing engine firewall filter that is applied to the loopback interface is a necessity for a fully secure configuration.

    The third most common use of stateless firewall filters is for multifield classification, which is used in class of service for traffic identification.

    There are certainly other reasons for using firewall filters, but I'd say these are the most common.


  • 3.  RE: SRX100H2 - Why Does SRX need Firewall Filters Configured when Policies are already present

    Posted 12-15-2014 05:12

    Did you allow the DHCP system-service under the host-inbound-traffic stanza for that security zone?

    Example:

    m289@SRX> show configuration security zones security-zone corporate
    interfaces {
        vlan.700 {
            host-inbound-traffic {
                system-services {
                    dhcp;
                    dns;
                    ntp;
                    ping;
                    traceroute;
                }
            }
        }
    }

    When using the DHCP service on the SRX (either old-style "dhcp" or new-style "dhcp-local-server") you need to allow inbound DHCP traffic from the zone to the SRX.
    You do so by enabling the related "system-service" under the "host-inbound-traffic" stanza for that zone.

    Let me know if that solves your problem.

    I think a firewall-filter is not required for this to work, at least I never needed one.
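An added Junos configuration example, written for this page and not taken from either reply, that puts the two answers together: the loopback (routing-engine) filter the second reply calls a necessity, built so it still admits the DHCP traffic the original poster needed, alongside the zone's host-inbound-traffic stanza from the third reply. The filter and term names, the management prefix 192.0.2.0/24 and the interface vlan.700 are placeholders chosen for the example.

```junos
/* Example only: stateless filter protecting the routing engine. */
/* Applied on lo0, it sees only traffic terminating on the SRX itself. */
firewall {
    family inet {
        filter protect-re {
            /* DHCP to/from the SRX (server port 67, client port 68). */
            term allow-dhcp {
                from {
                    protocol udp;
                    destination-port [ bootps bootpc ];
                }
                then accept;
            }
            /* Management only from the placeholder admin prefix. */
            term allow-mgmt {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                    protocol tcp;
                    destination-port [ ssh https ];
                }
                then accept;
            }
            term allow-icmp {
                from {
                    protocol icmp;
                }
                then accept;
            }
            /* Add terms here for anything else the SRX itself must receive */
            /* (routing protocols, DNS/NTP replies) before the final discard. */
            term deny-rest {
                then {
                    count re-dropped;
                    syslog;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

The lo0 filter only admits the packet to the routing engine; the zone's host-inbound-traffic system-services (as in the third reply's output) must still list dhcp, or the request is dropped by the flow module before the DHCP server ever sees it.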