SRX Services Gateway
Trusted Contributor
ttl_expired
Posts: 438
Registered: ‎11-11-2008
0
Accepted Solution

lo0 filter friendly for UTM

Hi All,

Does anyone know what exception should be created in order to have a filter on lo0 (for security and management access) and still have the UTM get all its updates and jazz?

Here is my current filter on lo0 that kills all UTM functions:

family inet {
    filter conf-services {
        term routing {
            from {
                protocol ospf;
            }
            then accept;
        }
        term admin-allow {
            from {
                source-prefix-list {
                    permited-IP's;
                }
            }
            then accept;
        }
        term everythingelse {
            then discard;
        }
    }
}


Thanks!

Super Contributor
oldtimer
Posts: 227
Registered: ‎11-06-2007
0

Re: lo0 filter friendly for UTM

Is this with multiple or single routing instances?  And is this in a cluster?  If the destination UTM server is not in the default routing instance, that may be part of the problem. 

Trusted Contributor
ttl_expired
Posts: 438
Registered: ‎11-11-2008
0

Re: lo0 filter friendly for UTM

Single box, single routing instance.

Trusted Contributor
mawr
Posts: 236
Registered: ‎06-11-2010

Re: lo0 filter friendly for UTM

You'll have to allow 9020 UDP for Surf Control Integrated.  I'm not sure about the other services though.

Super Contributor
tbehrens
Posts: 348
Registered: ‎04-30-2010

Re: lo0 filter friendly for UTM

You have a few ways to handle this.


One of the easiest is to change your last term to an "accept all" instead of "deny all", and have two terms before it: ssh and https accept from certain source IPs; ssh and https deny from all; followed by allow all. This avoids needing to know each port you need to open up. It also means you'd trust the SRX to be secure.


If you do want to explicitly allow, you could remove the filter, run a monitor traffic, run UTM updates, then go through the capture file to see what protocols are being used.
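The "accept all, but fence off management first" layout tbehrens describes, written out as a Junos filter (added illustration, not configuration from anyone in this thread). It keeps the OSPF term from the original filter, restricts ssh and https to a prefix list, logs and discards management attempts from anywhere else, and lets everything else (UTM update traffic included) through; the prefix-list name mgmt-hosts and the RFC 5737 addresses in it are assumed placeholders.

```junos
policy-options {
    /* assumed: replace with the real management hosts */
    prefix-list mgmt-hosts {
        192.0.2.10/32;
        198.51.100.0/24;
    }
}
firewall {
    family inet {
        filter conf-services {
            term routing {
                from {
                    protocol ospf;
                }
                then accept;
            }
            term admin-allow {
                from {
                    source-prefix-list {
                        mgmt-hosts;
                    }
                    protocol tcp;
                    destination-port [ ssh https ];
                }
                then accept;
            }
            term admin-deny {
                from {
                    protocol tcp;
                    destination-port [ ssh https ];
                }
                then {
                    syslog;
                    discard;
                }
            }
            term everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input conf-services;
                }
            }
        }
    }
}
```

Term order is what makes this work: admin-deny must sit after admin-allow and before everything-else, and the syslog action on admin-deny gives you a record of blocked management attempts. As the post notes, every service other than ssh and https stays reachable on the RE, so this trades port-level precision for not having to enumerate the UTM update ports.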


Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.