These are packet access control filters that get applied to the interface on the protected device to restrict access per protocol. Similar to a policy, but these have no session table or awareness; they are just a straight packet filter.
Steve Puluka BSEET - Juniper Ambassador IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP) http://puluka.com/home
I understand that I must use firewall filters and apply them to the interfaces. So basically there is no other option than to apply filter(s) to all interfaces?
The reason why I am asking this is because I have a loopback interface on which a firewall filter is applied, so that I can only reach/SSH the switch (loopback interface) from my management network. However, SSH (and such) is still open to the box on my WAN/LAN interfaces.
That means I need to apply filters to those interfaces also, which seems a bit off when you compare it to, for example, an SRX where you allow it with something like:
"security zones security-zone MANAGEMENT interfaces vlan.20 host-inbound-traffic system-services ssh"
But from what I understand, there is no such option and the only possibility is with multiple firewall filters, i.e. filters for to-the-box traffic per interface.
Usually, it's the loopback address that's the most routed and advertised IP address on the router/switch (towards its known peers), thus the filter is commonly applied onto the router/switch loopback. If your uplinks/downlinks (such as accessLink/wanLink) are IP routable from a far remote end outside your network, then yes, you may want to apply filters on them, but again that depends from setup to setup; a firewall node should block such unauthorized access.
The security zone configuration set is specific to the SRX/vSRX Series and unfortunately doesn't apply to the node in question, the EX2200.
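For reference, here is an added example (not configuration from either poster) of the loopback-filter approach the thread describes, written for Junos on an EX switch. Junos evaluates a filter applied to lo0 against all traffic destined to the Routing Engine, whichever interface it arrives on, so the filter below deliberately matches on protocol and destination port rather than on the loopback address: an SSH session addressed to a WAN or LAN interface IP hits the same terms. The filter name PROTECT-RE, the management prefix 10.0.20.0/24 and the loopback address 10.255.0.1/32 are constructed placeholders.

```junos
/* Added example, not the original poster's configuration.
   Management prefix and loopback address are constructed values. */
firewall {
    family inet {
        filter PROTECT-RE {
            /* SSH from the management network only */
            term allow-mgmt-ssh {
                from {
                    source-address {
                        10.0.20.0/24;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            /* SSH from anywhere else: count, log and drop.
               No destination-address match, so this also covers
               SSH aimed at WAN/LAN interface addresses. */
            term deny-other-ssh {
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count ssh-denied;
                    log;
                    discard;
                }
            }
            /* Keep everything else to the box (routing protocols,
               NTP, SNMP, ...) working; tighten per protocol later. */
            term allow-everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE;
                }
                address 10.255.0.1/32;
            }
        }
    }
}
```

Terms are evaluated top to bottom and the first match wins, so the order above matters: the management accept must precede the catch-all SSH discard, and the final accept must stay last or the switch loses its other to-the-box traffic. After committing, `show firewall filter PROTECT-RE` shows the ssh-denied counter and `show firewall log` shows the logged attempts, which is a quick way to confirm that SSH tried via a WAN/LAN interface address is being dropped by the lo0 filter rather than slipping past it.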