
Firewall filter to block https not working

03-23-2017 08:01 AM

Hello all...

I seem to be struggling with a simple basic firewall filter. New to Junos in a working environment and plan to implement firewall filters in the near future. So, starting basic with this: All I want to do is block https to my ESXi hosts from all but selected subnets. When I apply the filter inbound to the IRB for that VLAN at the core switch, there is no effect; I can still access https on the hosts from other subnets. I've triple checked my syntax and addressing.

Please see the attached diagram - makes it all pretty clear - I hope!

Thanks all

Attachment: Firewall-Filter (1).png


Re: Firewall filter to block https not working

03-23-2017 09:07 AM

I added some counters - as shown below - and ALL traffic skips terms 1-3 and hits term 4, whether from the defined MANAGEMENT nets or not!

Filter: RESTRICT-ESXI
Counters:
Name      Bytes      Packets
TERM-1    0          0
TERM-2    0          0
TERM-4    22044616   16053

prefix-list MANAGEMENT {
    10.1.2.0/24;
    10.2.12.0/24;
}
filter RESTRICT-ESXI {
    term 1 {
        from {
            source-prefix-list {
                MANAGEMENT;
            }
        }
        then {
            count TERM-1;
            accept;
        }
    }
    term 2 {
        from {
            destination-address {
                10.2.222.12/32;
            }
            destination-port https;
        }
        then {
            count TERM-2;
            discard;
        }
    }
    term 3 {
        from {
            destination-address {
                10.2.222.11/32;
            }
            destination-port https;
        }
        then {
            discard;
        }
    }
    term 4 {
        then {
            count TERM-4;
            accept;
        }
    }
}

Re: Firewall filter to block https not working

03-23-2017 05:27 PM

I suspect you may be applying the filter to the incorrect interface for the traffic flow. You can verify this by following the procedure in this KB to create a simple count-only filter for each one of your test traffic terms, one at a time. Then verify that the count works.

The problem with the count on your final accept term is you don't really know if the packets you are interested in are indeed counted. I suspect they don't hit your interface at all.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB26488

If they don't, then start at the physical sub-interface closest to your servers, apply these count-only filters and verify the traffic. Then you can step it back one hop at a time till you are seeing the traffic at the desired point in the network for your filter, and then apply it there.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Firewall filter to block https not working

03-23-2017 07:54 PM

Hi Folks,

I doubt term 1 is allowing all the traffic; so please swap terms 1 and 2, provided you are trying to control the traffic from pool MANAGEMENT from accessing the ESXi server: https is the requirement in the input direction of the irb.

term 1 {    <<<< allowing all traffic based on source-prefix-list MANAGEMENT
    from {
        source-prefix-list {
            MANAGEMENT;
        }
    }
    then {
        count TERM-1;
        accept;
    }
}
term 2 {
    from {
        destination-address {
            10.2.222.12/32;
        }
        destination-port https;
    }

-Python JNCIE 3X [SP|DC|ENT] JNCIP-SEC JNCDS 3X [ WAN | DC|SEC] JNCIS-Cloud JNCIS-DevOps CCIP ITIL
#Please mark my solution as accepted if it helped, Kudos are appreciated as well.
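An added example (not from the thread, and not Juniper's code) that models how Junos walks the terms of RESTRICT-ESXI from the top and stops at the first match, keeping per-term packet counters like the ones in the second post. The sample packets are constructed; the 10.2.50.0/24 client subnet is an assumption, and the management prefixes and ESXi addresses are the ones from the thread. It also evaluates one management packet against the filter with terms 1 and 2 exchanged, so the effect of term order is visible.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

HTTPS = 443  # 'destination-port https'
# prefix-list MANAGEMENT from the thread
MANAGEMENT = [ip_network("10.1.2.0/24"), ip_network("10.2.12.0/24")]


def from_prefix_list(prefixes):
    """Match 'from source-prefix-list <name>'."""
    return lambda pkt: any(ip_address(pkt["src"]) in p for p in prefixes)


def to_host_https(host):
    """Match 'from destination-address <host>' plus 'destination-port https'."""
    net = ip_network(host)
    return lambda pkt: ip_address(pkt["dst"]) in net and pkt["dport"] == HTTPS


def match_all(pkt):
    """A term with no 'from' clause matches every packet."""
    return True


# (term name, match predicate, terminating action, counter name or None),
# in the same order as the RESTRICT-ESXI filter in the thread.
RESTRICT_ESXI = [
    ("term 1", from_prefix_list(MANAGEMENT), "accept", "TERM-1"),
    ("term 2", to_host_https("10.2.222.12/32"), "discard", "TERM-2"),
    ("term 3", to_host_https("10.2.222.11/32"), "discard", None),
    ("term 4", match_all, "accept", "TERM-4"),
]


def evaluate(terms, pkt, counters=None):
    """First-match evaluation: terms are checked top to bottom and the first
    matching term's terminating action (accept/discard) ends processing."""
    for name, match, action, counter in terms:
        if match(pkt):
            if counters is not None and counter:
                counters[counter] += 1
            return name, action
    # Junos behaviour when no term matches: implicit discard.
    return "implicit", "discard"


def run_filter(terms, packets):
    """Push packets through the filter; return per-packet verdicts and
    per-term packet counters (the 'Packets' column of the thread's output)."""
    counters = Counter({c: 0 for *_, c in terms if c})
    verdicts = [evaluate(terms, p, counters) for p in packets]
    return verdicts, dict(counters)


def swap_terms(terms, a, b):
    """Return a copy of the filter with the two named terms exchanged."""
    names = [t[0] for t in terms]
    ia, ib = names.index(a), names.index(b)
    out = list(terms)
    out[ia], out[ib] = out[ib], out[ia]
    return out


# Constructed sample packets; 10.2.50.0/24 as a non-management client subnet is assumed.
PACKETS = [
    {"src": "10.1.2.50", "dst": "10.2.222.12", "dport": 443},  # management -> ESXi https
    {"src": "10.2.50.7", "dst": "10.2.222.12", "dport": 443},  # other subnet -> ESXi https
    {"src": "10.2.50.7", "dst": "10.2.222.11", "dport": 443},  # other subnet -> second ESXi https
    {"src": "10.2.50.7", "dst": "10.2.222.12", "dport": 22},   # other subnet -> ESXi ssh
]

if __name__ == "__main__":
    verdicts, counters = run_filter(RESTRICT_ESXI, PACKETS)
    for pkt, (term, action) in zip(PACKETS, verdicts):
        print(f"{pkt['src']} -> {pkt['dst']}:{pkt['dport']}  {term} {action}")
    print("counters:", counters)
    reordered = swap_terms(RESTRICT_ESXI, "term 1", "term 2")
    print("management https with terms 1/2 swapped:", evaluate(reordered, PACKETS[0]))
```

Run stand-alone, it prints the term and action each constructed packet lands on. The useful comparison is against the live counters: if a packet matches term 2 in this model but the router's TERM-2 counter stays at zero while that same traffic still reaches the host, the packets are not traversing the interface the filter is attached to, which is exactly what the count-only filter check in the second reply is meant to reveal.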