SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  security zone junos-host allow ike

    Posted 02-02-2014 03:00

    How can I allow ike (dynamic VPN) in the junos-host security zone? I will try to secure the system services. I have used KB http://kb.juniper.net/InfoCenter/index?page=content&id=KB24227


    from-zone wan to-zone junos-host {
        policy selfpolicy {
            match {
                source-address any;
                destination-address any;
                application [ junos-ssh junos-https ];
            }
            then {
                permit;
            }
        }
        policy denyall {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                reject;
            }
        }
    }


    Or is there a better way to secure the system services?




  • 2.  RE: security zone junos-host allow ike

    Posted 02-02-2014 05:00
    I would look at creating a firewall filter on lo0 to allow ike similar to what is described here:

    http://forums.juniper.net/t5/blogs/mobileblogarticlepage/blog-id/Day1Books/article-id/97

    This will protect your routing engine.


  • 3.  RE: security zone junos-host allow ike
    Best Answer

    Posted 02-02-2014 05:05

    Hi


    If you just need to limit some services on the interface (zone), you do not need junos-host zone. For example, to allow ike, ssh, https services on a zone (this is for local, not transit traffic!):


    security-zone ZZZ {
        host-inbound-traffic {
            system-services {
                ike;
                ssh;
                https;
            }
        }
        interfaces {
            ge-0/0/1.300;
        }
    }


    Policies for junos-host zone are needed if you need more granular filtering (for example, allow not just ssh, but ssh only from particular hosts). In this case such a policy will do additional (to host-inbound-traffic) filtering.
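    As an added example (not configuration from anyone in this thread), here are the two stages described above combined: host-inbound-traffic on the zone admits only ike, ssh and https, and a junos-host policy set then narrows ssh/https to named management hosts while IKE stays reachable from any dynamic-VPN peer, with everything else denied and logged. The zone name wan, the interface ge-0/0/0.0, the policy and address names and the 192.0.2.x addresses are assumptions; junos-ike and junos-ike-nat are the Junos predefined applications for UDP 500 and 4500.

```junos
security {
    zones {
        security-zone wan {
            /* Stage 1: only these services are accepted from this zone at all */
            host-inbound-traffic {
                system-services {
                    ike;
                    ssh;
                    https;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
    }
    address-book {
        global {
            /* Constructed management addresses (documentation range) */
            address MGMT-HOST-1 192.0.2.10/32;
            address MGMT-HOST-2 192.0.2.11/32;
            address-set MGMT-HOSTS {
                address MGMT-HOST-1;
                address MGMT-HOST-2;
            }
        }
    }
    policies {
        /* Stage 2: per-source filtering of what stage 1 let through */
        from-zone wan to-zone junos-host {
            policy allow-ike {
                /* dynamic-VPN peers come from anywhere, so IKE stays open */
                match { source-address any; destination-address any; application [ junos-ike junos-ike-nat ]; }
                then { permit; }
            }
            policy allow-mgmt {
                /* SSH and HTTPS only from the named management hosts */
                match { source-address MGMT-HOSTS; destination-address any; application [ junos-ssh junos-https ]; }
                then { permit; }
            }
            policy deny-rest {
                match { source-address any; destination-address any; application any; }
                then { deny; log { session-init; } }
            }
        }
    }
}
```

    Verify the result with "show security policies from-zone wan to-zone junos-host" and confirm a management session from an address outside MGMT-HOSTS appears in the deny log before relying on it.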



  • 4.  RE: security zone junos-host allow ike

    Posted 02-03-2014 02:14

    Hi pk,


    Thanks for your explanation! I have limited the system services and use the junos-host for granular filtering of these services.



  • 5.  RE: security zone junos-host allow ike

    Posted 02-03-2014 04:47

    Hi


    Good to know it works for you. Please mark my post as accepted solution then.

    Also, the other option that has been mentioned here is an lo0 interface filter; it can be used as well. But the way you do it now is just more natural for a security device.