Enabling web authentication allows J-web access

a week ago

We use the web-authentication portal for vendors to log in. After logging in, the vendor can access internal systems as defined by our security policies and destination NAT rules. This works flawlessly except for one detail. resolves to a.b.c.d (below).

Going to takes one to the Firewall User Web-Authentication Login page.


But, if one goes to (or any other random letters) the J-Web login is presented.


Is it possible to use web-authentication without exposing J-web on the same interface?


We have an SRX-300 running 18.2R3.4.

# show system services web-management 
management-url admin;
https {
    pki-local-certificate webauth-cert;
    interface [ ge-0/0/0.0 ge-0/0/1.0 ge-0/0/5.0 ];
session {
    idle-timeout 60;

# show interfaces ge-0/0/5 unit 0 family inet address a.b.c.d/28    
web-authentication https;

# show security zones security-zone Internet 
screen untrust-screen;
interfaces {
    ge-0/0/5.0 {
        host-inbound-traffic {
            system-services {


a week ago


Basically, because you have configured WebAuth and JWeb on the same interface, WebAuth Passthrough Authentication takes precedence by default; however, when errors happen in the WebAuth (aka adding unexpected letters at the end of the URL path), it defaults to Direct Authentication (to the SRX300), which is why J-Web is displayed.

Is there a reason or use case as to why you are using GE5 instead of the default FXP0 interface for this? Also, the JTAC recommended version is 18.2R3-S2, so you are running two sub-releases above the recommended.

KR Adam

Hi Adam,

Thanks for the reply. How would I enable web-authentication via HTTPS on the interface without also enabling web management on it? They seem to be linked to me: one can only configure a certificate for HTTPS using the system/services/web-management options and then this certificate is also used for web-authentication.


This was also a problem on 15.1X49-D45 that I was using prior to recently upgrading.


The use of 18.2R3.4 is an oversight on my part. I can downgrade to 18.2R3-S2 but I'd like to focus on my initial inquiry first.


This is not a clustered firewall so there is no fxp interface.
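
An audit check for the overlap discussed in this thread, as an added example that is not part of any post: it reads `show configuration | display set` output and reports each logical interface that is both listed under `system services web-management ... interface` and has `web-authentication` enabled on one of its addresses. The sample lines are constructed from the configuration quoted above, and the function name is hypothetical.

```python
import re

# Constructed sample in "display set" form, mirroring the config quoted in the thread.
SAMPLE = """\
set system services web-management management-url admin
set system services web-management https pki-local-certificate webauth-cert
set system services web-management https interface ge-0/0/0.0
set system services web-management https interface ge-0/0/1.0
set system services web-management https interface ge-0/0/5.0
set system services web-management session idle-timeout 60
set interfaces ge-0/0/5 unit 0 family inet address a.b.c.d/28 web-authentication https
set interfaces ge-0/0/1 unit 0 family inet address 192.0.2.1/24
"""

# J-Web listener: one logical interface (e.g. ge-0/0/5.0) per line.
JWEB_RE = re.compile(
    r"^set system services web-management (https?) interface (\S+)\s*$")
# WebAuth is enabled per address under the interface unit.
WEBAUTH_RE = re.compile(
    r"^set interfaces (\S+) unit (\d+) family inet6? address (\S+) "
    r"web-authentication (https?)\s*$")


def jweb_webauth_overlap(display_set_text):
    """Return sorted (logical_interface, address) pairs where the interface
    is a J-Web listener and the address also serves web-authentication."""
    jweb_ifaces = set()
    webauth = []
    for raw in display_set_text.splitlines():
        line = raw.strip()
        m = JWEB_RE.match(line)
        if m:
            jweb_ifaces.add(m.group(2))
            continue
        m = WEBAUTH_RE.match(line)
        if m:
            # Build the logical interface name the J-Web list uses: ifd.unit
            webauth.append((f"{m.group(1)}.{m.group(2)}", m.group(3)))
    return sorted((ifl, addr) for ifl, addr in webauth if ifl in jweb_ifaces)


if __name__ == "__main__":
    for ifl, addr in jweb_webauth_overlap(SAMPLE):
        print(f"{ifl}: J-Web and web-authentication both served on {addr}")
```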