Ethernet Switching

ACL (Firewall Filter to allow SFTP) on EX-3400

05-17-2019 07:23 AM

Hi

    Server A---->(EX-3400-1 )--------(QFX-5100) -----(Ex-3400-2) ----Server B (My SFTP Server)

I have two servers connected to each other via three switches. They are in the same VLAN. Server A is my source server and it sends requests to Server B (which is my SFTP server). I have configured an ACL on my EX-3400-1 switch to allow Server A to communicate with Server B via port 22, but the communication between these two servers is not working. My ACL config is below. Kindly let me know how I can fix it.

set firewall family ethernet-switching filter local_acl term Term1 from source-address 10.55.249.100/32
set firewall family ethernet-switching filter local_acl term Term1 from destination-port 22
set firewall family ethernet-switching filter local_acl term Term1 from ip-protocol tcp
set firewall family ethernet-switching filter local_acl term Term1 from ip-protocol icmp
set firewall family ethernet-switching filter local_acl term Term1 then accept
set firewall family ethernet-switching filter local_acl term Term2 then discard
set firewall family ethernet-switching filter local_acl term Term2 then log


Re: ACL (Firewall Filter to allow SFTP) on EX-3400

05-17-2019 07:37 AM
Is SFTP working without applying firewall filter?
Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: ACL (Firewall Filter to allow SFTP) on EX-3400

05-17-2019 07:40 AM

Yes, it is working without applying that filter on the switch.

Thanks

Solution
Accepted by topic author jsnow_0445
05-22-2019 07:32 AM

Re: ACL (Firewall Filter to allow SFTP) on EX-3400

05-17-2019 07:41 AM

You will also need to allow ARP.

set firewall family ethernet-switching filter local_acl term Term1.5 from ether-type arp
set firewall family ethernet-switching filter local_acl term Term1.5 then accept


Re: ACL (Firewall Filter to allow SFTP) on EX-3400

05-18-2019 05:53 PM

That's very interesting.

Let's try to rule things out:

1. Remove ip-protocol icmp and tcp.

2. If that does not work, check in the last term whether the traffic is being logged or not.

3. Add another term with ether-type above Term1, in this case term0, and accept it.

4. Is the filter applied on the switch port or inside the vlan stanza? Try both combinations.

5. Try adding two IP addresses, source and destination.

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too! 🙂


Re: ACL (Firewall Filter to allow SFTP) on EX-3400

05-19-2019 12:22 PM

Unless you want to write a comprehensive filter for all RE traffic possible, you need to have a final accept-all term, and two terms before it: one allowing your specific traffic and the second blocking any other of the same traffic.

You may also need to move the ICMP to a separate pair of terms.

set firewall family ethernet-switching filter local_acl term AllowTerm from source-address 10.55.249.100/32
set firewall family ethernet-switching filter local_acl term AllowTerm from destination-port 22
set firewall family ethernet-switching filter local_acl term AllowTerm from ip-protocol tcp
set firewall family ethernet-switching filter local_acl term AllowTerm from ip-protocol icmp
set firewall family ethernet-switching filter local_acl term AllowTerm then accept

set firewall family ethernet-switching filter local_acl term BlockTerm from destination-port 22
set firewall family ethernet-switching filter local_acl term BlockTerm from ip-protocol tcp
set firewall family ethernet-switching filter local_acl term BlockTerm from ip-protocol icmp
set firewall family ethernet-switching filter local_acl term BlockTerm then discard

set firewall family ethernet-switching filter local_acl term FinalTerm then accept
set firewall family ethernet-switching filter local_acl term FinalTerm then log

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
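The ARP term in the accepted reply and Steve's point about ICMP and the final term both come down to how a Junos filter evaluates: terms are tried top to bottom, the first term whose conditions all match decides, and a frame that matches no term hits the implicit discard at the end. The Python below is an added example, not code from this thread or from Juniper; it models that evaluation over constructed sample frames using the asker's filter and the accepted ARP fix. It assumes the filter is applied as an ingress filter on the EX-3400-1 port facing Server A, and it treats a destination-port condition as never matching ICMP (which carries no ports); that last behaviour is a modelling assumption, not a verified platform detail.

```python
"""Toy first-match model of a Junos ethernet-switching firewall filter.

Added example, not code from the thread or from Juniper. Terms are tried in
order, the first term whose conditions all match decides, and a frame that
matches no term hits the implicit final discard. All frames are constructed
samples; Server A's address is the one given in the thread.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

IMPLICIT_DISCARD = "<implicit discard>"


@dataclass
class Frame:
    """Constructed sample frame, reduced to the fields the filter matches on."""
    ether_type: str                  # "ipv4" or "arp"
    src: str = ""                    # IPv4 source; empty for non-IP frames
    ip_protocol: str = ""            # "tcp", "udp", "icmp"; empty for non-IP frames
    dst_port: Optional[int] = None   # only TCP/UDP carry a destination port


@dataclass
class Term:
    """One filter term. Conditions are ANDed; values within one condition are ORed,
    which is how `from ip-protocol tcp` plus `from ip-protocol icmp` behaves."""
    name: str
    action: str                                 # "accept" or "discard"
    ether_type: Optional[str] = None
    source_prefix: Optional[str] = None         # e.g. "10.55.249.100/32"
    ip_protocols: Set[str] = field(default_factory=set)
    dst_ports: Set[int] = field(default_factory=set)

    def matches(self, frame: Frame) -> bool:
        if self.ether_type and frame.ether_type != self.ether_type:
            return False
        if self.source_prefix:
            # An ARP frame has no IPv4 header, so an IP condition can never match it.
            if not frame.src:
                return False
            if ipaddress.ip_address(frame.src) not in ipaddress.ip_network(self.source_prefix):
                return False
        if self.ip_protocols and frame.ip_protocol not in self.ip_protocols:
            return False
        if self.dst_ports and frame.dst_port not in self.dst_ports:
            # Modelling assumption: a port condition never matches ICMP, which has no ports.
            return False
        return True


def evaluate(terms: List[Term], frame: Frame) -> Tuple[str, str]:
    """Return (action, term name) of the first matching term, else the implicit discard."""
    for term in terms:
        if term.matches(frame):
            return term.action, term.name
    return "discard", IMPLICIT_DISCARD


# The asker's filter, transcribed from the set commands in the thread.
TERM1 = Term("Term1", "accept", source_prefix="10.55.249.100/32",
             ip_protocols={"tcp", "icmp"}, dst_ports={22})
TERM2 = Term("Term2", "discard")
ORIGINAL_FILTER = [TERM1, TERM2]

# The accepted fix: an ARP term inserted ahead of the catch-all discard.
TERM1_5 = Term("Term1.5", "accept", ether_type="arp")
FIXED_FILTER = [TERM1, TERM1_5, TERM2]

# Constructed frames sent by Server A towards Server B.
ARP_REQUEST = Frame(ether_type="arp")
SSH_SYN = Frame("ipv4", src="10.55.249.100", ip_protocol="tcp", dst_port=22)
HTTP_SYN = Frame("ipv4", src="10.55.249.100", ip_protocol="tcp", dst_port=80)
PING = Frame("ipv4", src="10.55.249.100", ip_protocol="icmp")


def session_outcome(terms: List[Term]) -> dict:
    """Evaluate each frame of the SFTP session attempt against a filter."""
    return {
        "arp": evaluate(terms, ARP_REQUEST),
        "ssh": evaluate(terms, SSH_SYN),
        "http": evaluate(terms, HTTP_SYN),
        "ping": evaluate(terms, PING),
    }


if __name__ == "__main__":
    for label, terms in (("original", ORIGINAL_FILTER), ("with ARP term", FIXED_FILTER)):
        print(label)
        for name, (action, term) in session_outcome(terms).items():
            print(f"  {name:5s} -> {action:7s} ({term})")
```

Running it shows the ARP request from Server A falling through to Term2 under the original filter, so Server A can never resolve Server B's MAC address and the TCP connection to port 22 never starts; with Term1.5 in place ARP is accepted while the port 80 attempt is still discarded. The ping case is the one Steve's reply points at: with ip-protocol icmp and destination-port 22 in the same term, the ICMP frame never satisfies the port condition in this model, so ICMP needs its own term. Dropping Term2 from a filter also shows the implicit discard, which is why the catch-all term matters mainly for the `then log` it carries.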

Re: ACL (Firewall Filter to allow SFTP) on EX-3400

05-22-2019 07:33 AM

Thanks everyone for the help. Really appreciate it 🙂
