SRX Services Gateway

Firewall filter assistance

11-12-2018 07:13 AM

I have the following two firewall filters; how can the config below be corrected to allow the second filter to work?


firewall {
    filter VPN {
        term VPN {
            from {
                source-address {
                    #SECRET#;
                }
                destination-port 500;
            }
            then accept;
        }
        term IKE-BLOCK {
            from {
                destination-port 500;
            }
            then {
                reject;
            }
        }
        term else {
            then accept;
        }
    }
    filter External-HTTPS {
        term Whitelist {
            from {
                source-prefix-list {
                    whitelist;
                }
                destination-port 443;
            }
            then accept;
        }
    }
}



Re: Firewall filter assistance

11-12-2018 04:45 PM

You can only apply one filter per interface. So you would need to combine the terms into a single filter to apply both to the same interface.


Insert the term whitelist and add a reject-https term after it, before the term else, in the VPN filter.


Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Firewall filter assistance

11-13-2018 01:03 AM

Hi Steve,


Thank you for your reply. I don't fully understand your instructions. How does the following look? Can you modify/correct please?


firewall {
    filter VPN {
        term VPN {
            from {
                source-address {
                    #SECRET#;
                }
                destination-port 500;
            }
            then accept;
        }
        term IKE-BLOCK {
            from {
                destination-port 500;
            }
            then {
                reject;
            }
        }
        term Whitelist {
            from {
                source-prefix-list {
                    whitelist;
                }
                destination-port 443;
            }
            then accept;
        }
        term else {
            then accept;
        }
    }
}
Solution
Accepted by topic author EMTSU
11-13-2018 06:43 AM

Re: Firewall filter assistance

11-13-2018 01:46 AM

Something like this:


firewall {
    filter VPN {
        term VPN {
            from {
                source-address {
                    #SECRET#;
                }
                destination-port 500;
            }
            then accept;
        }
        term IKE-BLOCK {
            from {
                destination-port 500;
            }
            then {
                reject;
            }
        }
        term Whitelist {
            from {
                source-prefix-list {
                    whitelist;
                }
                destination-port 443;
            }
            then accept;
        }
        term block-https {
            from {
                destination-port 443;
            }
            then reject;
        }
        term else {
            then accept;
        }
    }
}

--
Best regards,

Jonas Hauge Jensen
Systems Engineer, SEC DATACOM A/S (Denmark)
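As an added illustration that is not part of the thread: a small Python evaluator that applies Junos first-match, implicit-discard semantics to the merged filter above. The peer address and whitelist prefix are constructed stand-ins for #SECRET# and the "whitelist" prefix-list; it shows why Whitelist must sit before block-https, and why the question's second filter, applied on its own, would discard everything except whitelisted HTTPS.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed stand-ins for the thread's #SECRET# peer and the "whitelist"
# prefix-list (assumptions for the demo, not the poster's real addresses).
VPN_PEER = [ip_network("203.0.113.10/32")]
WHITELIST = [ip_network("198.51.100.0/24")]


@dataclass
class Term:
    name: str
    src: Optional[list]      # source prefixes; None = any source-address
    dport: Optional[int]     # destination-port; None = any port
    action: str              # "accept" or "reject"

    def matches(self, src_ip: str, dport: int) -> bool:
        src_ok = self.src is None or any(ip_address(src_ip) in n for n in self.src)
        port_ok = self.dport is None or self.dport == dport
        return src_ok and port_ok


def evaluate(terms: List[Term], src_ip: str, dport: int) -> Tuple[str, str]:
    """Junos filter semantics: terms are tried top-down, the first match
    decides, and a packet matching no term hits the implicit discard."""
    for term in terms:
        if term.matches(src_ip, dport):
            return term.name, term.action
    return "<implicit>", "discard"


# The accepted solution's single filter, in the order it was posted.
MERGED = [
    Term("VPN", VPN_PEER, 500, "accept"),
    Term("IKE-BLOCK", None, 500, "reject"),
    Term("Whitelist", WHITELIST, 443, "accept"),
    Term("block-https", None, 443, "reject"),
    Term("else", None, None, "accept"),
]

# The question's second filter by itself: with no "else" term, everything
# other than whitelisted HTTPS (IKE included) falls to the implicit discard.
EXTERNAL_HTTPS_ALONE = [Term("Whitelist", WHITELIST, 443, "accept")]

if __name__ == "__main__":
    for ip, port in [("203.0.113.10", 500), ("192.0.2.7", 500),
                     ("198.51.100.5", 443), ("192.0.2.7", 443), ("192.0.2.7", 22)]:
        print(f"{ip}:{port} -> {evaluate(MERGED, ip, port)}")
```

Swapping the Whitelist and block-https terms makes block-https shadow the whitelist, so every HTTPS packet is rejected; that is the ordering mistake the merged filter has to avoid.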

Re: Firewall filter assistance

11-13-2018 06:43 AM

Thank you Jonas and Steve!