SRX Services Gateway

Dynamic VPN with Filter to Protect RE from SSH attacks

08-26-2015 04:12 PM

Dilemma...

Recently swapped out some WatchGuard firewalls for an SRX240. Set up Dynamic VPN and it works great. Noticed SSH attacks on the firewall and created a standard filter for the lo.0 interface to protect against SSH, NTP, HTTPS, SNMP, etc. Once doing so, the VPN is broken. Are there any other recommendations on how to protect against attacks and still have a functional VPN that can be used by employees who connect all over the US?

JNCIA, JNCIS-ENT-SEC

Re: Dynamic VPN with Filter to Protect RE from SSH attacks

08-26-2015 08:30 PM

Hi,

If the VPN stopped working, I would say that the filter has blocked some protocols required for the VPN connectivity.

 

If you have a default term at the bottom with discard, change it to accept with log. Monitor the log and add some additional terms to cover the known good traffic and then revert to a discard term.

Tim


Re: Dynamic VPN with Filter to Protect RE from SSH attacks

08-28-2015 06:33 AM

Try allowing the VPN peers in the firewall filter. This is what I did, and the VPNs came up again:

set policy-options prefix-list p-router-interfaces4 apply-path "interfaces <*> unit <*> family inet address <*>"

set policy-options prefix-list p-ipsec-neighbors a.a.a.a/32
set policy-options prefix-list p-ipsec-neighbors b.b.b.b/32
set policy-options prefix-list p-ipsec-neighbors c.c.c.c/32

set firewall family inet filter pm-copp-in term copp-critical-ipsec from source-prefix-list p-ipsec-neighbors
set firewall family inet filter pm-copp-in term copp-critical-ipsec from destination-prefix-list p-router-interfaces4
set firewall family inet filter pm-copp-in term copp-critical-ipsec then accept

pm-copp-in is applied on lo0.0
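The peer prefix list above works for site-to-site tunnels with fixed addresses, but Dynamic VPN users connect from arbitrary addresses, so the IKE, NAT-T and ESP terms cannot be tied to a peer list. The following lo0 filter is an added example written for this thread, not configuration from either poster; the management prefix 192.0.2.0/24, the term names and the counter name are assumptions, and the `##` lines are explanatory comments, not CLI input.

```junos
## Addresses configured on any interface (same apply-path trick as the post above).
set policy-options prefix-list p-router-interfaces4 apply-path "interfaces <*> unit <*> family inet address <*>"
## Assumed management network allowed to reach SSH, HTTPS, SNMP and NTP on the RE.
set policy-options prefix-list p-mgmt-hosts 192.0.2.0/24

## IKE (UDP 500) and NAT-T (UDP 4500) from anywhere: Dynamic VPN clients have no fixed address.
set firewall family inet filter pm-copp-in term ike-natt from destination-prefix-list p-router-interfaces4
set firewall family inet filter pm-copp-in term ike-natt from protocol udp
set firewall family inet filter pm-copp-in term ike-natt from destination-port [ 500 4500 ]
set firewall family inet filter pm-copp-in term ike-natt then accept

## ESP (IP protocol 50) carrying the tunnel traffic itself.
set firewall family inet filter pm-copp-in term esp from destination-prefix-list p-router-interfaces4
set firewall family inet filter pm-copp-in term esp from protocol esp
set firewall family inet filter pm-copp-in term esp then accept

## Dynamic VPN clients log in and fetch their configuration over HTTPS, so 443 stays open;
## SSH does not, which is what the original poster wanted to close off.
set firewall family inet filter pm-copp-in term dynvpn-https from protocol tcp
set firewall family inet filter pm-copp-in term dynvpn-https from destination-port 443
set firewall family inet filter pm-copp-in term dynvpn-https then accept

## Management protocols only from the trusted prefix.
set firewall family inet filter pm-copp-in term mgmt-tcp from source-prefix-list p-mgmt-hosts
set firewall family inet filter pm-copp-in term mgmt-tcp from protocol tcp
set firewall family inet filter pm-copp-in term mgmt-tcp from destination-port [ 22 443 ]
set firewall family inet filter pm-copp-in term mgmt-tcp then accept
set firewall family inet filter pm-copp-in term mgmt-udp from source-prefix-list p-mgmt-hosts
set firewall family inet filter pm-copp-in term mgmt-udp from protocol udp
set firewall family inet filter pm-copp-in term mgmt-udp from destination-port [ 123 161 ]
set firewall family inet filter pm-copp-in term mgmt-udp then accept

## Replies to sessions the RE itself opened (DNS, NTP, software downloads) and basic ICMP.
set firewall family inet filter pm-copp-in term established from protocol tcp
set firewall family inet filter pm-copp-in term established from tcp-established
set firewall family inet filter pm-copp-in term established then accept
set firewall family inet filter pm-copp-in term icmp from protocol icmp
set firewall family inet filter pm-copp-in term icmp from icmp-type [ echo-request echo-reply unreachable time-exceeded ]
set firewall family inet filter pm-copp-in term icmp then accept

## Default term, following Tim's advice: count and syslog every hit so you can see what
## still needs a term. Start with "then accept" while monitoring, then switch to discard.
set firewall family inet filter pm-copp-in term default then count copp-in-drop
set firewall family inet filter pm-copp-in term default then syslog
set firewall family inet filter pm-copp-in term default then discard

set interfaces lo0 unit 0 family inet filter input pm-copp-in
```

Check `show firewall filter pm-copp-in` for the counter and the syslog entries for the default term before tightening it; anything legitimate that lands there gets its own accept term above.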
