Day One Tips
Highlighted
Day One Tips

Hardening Junos Devices - SNMP traffic filtering contradiction

‎12-02-2015 07:43 AM

I've been going throught the Hardening Junos Devices, 2nd Edition docuement and found something a bit contradictory.

In the Management Services in Section 4 under the SNMP v2 configuration says to use "set clients default restrict", which of course inserts the following into your SNMP configuration:

community blah {
    authorization read-only;
    clients {
        <permitted ip address 1>
        <permitted ip address 2>
        0.0.0.0/0 restrict;
    }
}


However, in the section on Protecting the Routing Engine, it mentions only allowing the SNMP servers that are configured by utilizing the following:

prefix-list snmp-servers {
  apply-path "snmp community <*> clients <*>";


What this winds up doing is inserting the 0.0.0.0/0 in the allowed addressing:

[edit policy-options]
+   prefix-list snmp-servers {
       ##
       ## apply-path was expanded to:
       ##     <permitted ip address 1>;
       ##     <permitted ip address 2>;
       ##     0.0.0.0/0;
       ##
+       apply-path "snmp community <*> clients <*>";
+   }


I realize that the SNMP configuration section will protect it from the restricted default set, however the whole point of the filter is to not let the traffic get to the RE in the first place.  Utilizing the apply-path statement as it is written will let any address send SNMP traffic.  Is there a way to rewrite the apply-path statement to ignore the default restrict?