SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  host-inbound-traffic

    Posted 04-12-2012 13:41

    The SRX100 comes with the trust zone set up in the following default config:

    security-zone trust {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            vlan.0;
            fe-0/0/0.2;
        }
    }


    For the system services and protocols, am I choosing what services and protocols to allow through this zone?  Isn't that what policies are for?  Or is this what I am allowing the SRX to see? 

     

    JamesNT


    #host.inbound.traffic
    #basics


  • 2.  RE: host-inbound-traffic
    Best Answer

     
    Posted 04-12-2012 14:21
    Hi James, as you wrote, security policies are used to specify which traffic can transit the SRX, passing from one zone to another. The host inbound traffic, on the other hand, defines the traffic that can reach the device itself (the destination IP is the address of one interface of the SRX). You can configure it at a zone level (and it will be applied to all the interfaces belonging to that zone), or for specific interfaces within a zone (thus overriding the generic host-inbound configuration of the zone). You can find a more detailed explanation here: http://www.juniper.net/techpubs/software/junos-es/junos-es93/junos-es-swconfig-security/configuring-host-inbound-traffic.html


  • 3.  RE: host-inbound-traffic

    Posted 04-12-2012 20:21

    Hello,

     

    Thank you for your response.  Based on what you are saying, I would think it prudent to allow only telnet and http to access the machine instead of all services and all protocols since those are the two I use to manage the device.

     

    Opinion?

     

    JamesNT



  • 4.  RE: host-inbound-traffic

     
    Posted 04-13-2012 01:31

    Yes, if you don't need to enable any protocol or service (I'm not sure if the dhcp service is configured in the factory default configuration) on the interfaces of that zone, but only the management, it seems a good option; you may also configure a firewall filter to apply more restrictive policies to telnet and http traffic (here is the related KB).



  • 5.  RE: host-inbound-traffic

    Posted 04-17-2012 09:09

    On a related question: if you set it to allow only ssh/telnet to reach the device, would it still be able to pass normal http/ftp traffic on port 80/21 through, if you set trust to untrust to permit all? Or is host-inbound-traffic specifically for traffic going to the SRX and not the traffic passing through?



  • 6.  RE: host-inbound-traffic

    Posted 04-18-2012 04:09

    Yes. Allowing host-inbound-traffic for services/protocols on the zone only affects the access to the device itself.

     

    If you want to limit the traffic going between zones (i.e. passing through) you apply this as security policies.

     

    regards

    Karl
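
As an added example (not posted by anyone in this thread), the following Junos configuration puts the points made above side by side: a zone-level host-inbound-traffic list restricted to management services, a per-interface override on fe-0/0/0.2, a security policy that governs the transit traffic Karl describes, and the firewall filter on lo0 that the fourth post mentions for tightening management access further. The policy name permit-out, the filter name mgmt-only, the untrust interface fe-0/0/0.0 and the 192.0.2.0/24 management subnet are constructed for illustration; ssh and https are used here in place of the telnet and http discussed above, the mechanism being identical.

```junos
/* Added example, not from the thread. Zone-level host-inbound-traffic only
   controls what may terminate on the SRX itself; it does not touch transit. */
security {
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    ssh;        /* management, in place of telnet */
                    https;      /* management, in place of http */
                    ping;
                    dhcp;       /* only if the SRX serves DHCP on this zone */
                }
                /* no protocols stanza: no routing protocols accepted here */
            }
            interfaces {
                vlan.0;
                fe-0/0/0.2 {
                    /* interface-level list overrides the zone-level list */
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                    }
                }
            }
        }
        security-zone untrust {
            interfaces {
                fe-0/0/0.0;     /* constructed untrust interface */
            }
        }
    }
    policies {
        /* Transit traffic (e.g. http/ftp to the Internet) is decided here */
        from-zone trust to-zone untrust {
            policy permit-out {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
firewall {
    family inet {
        filter mgmt-only {
            /* Applied to lo0.0, so it sees only traffic addressed to the SRX.
               Management is accepted from the constructed subnet only. */
            term mgmt-from-admin-subnet {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                    protocol tcp;
                    destination-port [ ssh https ];
                }
                then accept;
            }
            term drop-other-mgmt {
                from {
                    protocol tcp;
                    destination-port [ ssh https ];
                }
                then {
                    discard;
                }
            }
            term allow-rest {
                /* ping, dhcp and anything else still gated by host-inbound-traffic */
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input mgmt-only;
                }
            }
        }
    }
}
```

The filter and the host-inbound-traffic list work in sequence: a packet to the SRX's own address must first be a permitted system service for the ingress zone or interface, and then pass the lo0 input filter. Transit traffic from trust to untrust never consults either; only the security policy decides its fate.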