SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Firewall filter not working

    Posted 03-13-2013 18:28

    I have a firewall filter that I was trying to clean up:

    set firewall filter isp1-in term 1 from source-prefix-list blocked-access
    set firewall filter isp1-in term 1 then discard
    set firewall filter isp1-in term 2 from destination-address 12.13.200.20/32
    set firewall filter isp1-in term 2 from source-prefix-list mgmnt-access
    set firewall filter isp1-in term 2 from protocol tcp
    set firewall filter isp1-in term 2 from destination-port 22
    set firewall filter isp1-in term 2 from destination-port 443
    set firewall filter isp1-in term 2 then accept
    set firewall filter isp1-in term 3 from destination-address 12.13.200.20/32
    set firewall filter isp1-in term 3 from protocol tcp
    set firewall filter isp1-in term 3 from destination-port 22
    set firewall filter isp1-in term 3 from destination-port 443
    set firewall filter isp1-in term 3 then discard
    set firewall filter isp1-in term 4 then accept

     This works fine (only IPs defined in mgmnt-access can access the ssh/https ports at 12.13.200.20).

     

    When I tried the method below, term 2 never worked and everyone (mgmnt IPs and anyone else) was still able to access ssh/https on 12.13.200.20.  Is there something I missed?

     

    set firewall filter isp1-in term 1 from source-prefix-list blocked-access
    set firewall filter isp1-in term 1 then discard
    set firewall filter isp1-in term 2 from destination-address 12.13.200.20/32
    set firewall filter isp1-in term 2 from source-prefix-list mgmnt-access except
    set firewall filter isp1-in term 2 from protocol tcp
    set firewall filter isp1-in term 2 from destination-port 22
    set firewall filter isp1-in term 2 from destination-port 443
    set firewall filter isp1-in term 2 then discard
    set firewall filter isp1-in term 3 then accept

     



  • 2.  RE: Firewall filter not working

    Posted 03-13-2013 19:15

    Hi Nick,

     

    Looking at the config below.

     

    set firewall filter isp1-in term 2 from source-prefix-list mgmnt-access except   <-- except configured

    "except" is for:

    except               Match addresses not in this prefix list

     

    For term 2, let's say the host is in mgmnt-access and is trying to create a session on 22/443: term 2 will not match when evaluated, so it will go to term 3 (the default) and will be permitted.

     

    Remove the except configuration and try.

     

    If not, then let me know the exact requirement with complete details, and I will answer your queries.



  • 3.  RE: Firewall filter not working

    Posted 03-13-2013 20:01

    Not sure how to explain this any further...  My requirements are the same as the filter that is working (the first code I pasted in).

     

    Basically, drop any traffic to that specific IP on ports 22 and 443 if it's NOT in the mgmnt-access list.

     

    But what's happening is nothing gets dropped (including IPs that are not in the mgmnt-access list).  Everyone seems to be able to access 22 and 443.

     

     



  • 4.  RE: Firewall filter not working
    Best Answer

    Posted 03-14-2013 01:52

    Hello,

    Please add one more line to your second filter:

     

    set firewall filter isp1-in term 2 from source-address 0.0.0.0/0

     

    HTH

    Thanks

    Alex
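    Why the extra line matters, as an added example (not from the thread or from Juniper): the evaluator below models the documented Junos rule for a term's address match condition, where the longest matching prefix decides the result, a longest match on an "except" entry means the term does not match, and a condition that contains only "except" entries can never match anything. It runs the first (working) filter, the second filter as posted, and the second filter with Alex's `source-address 0.0.0.0/0` added, against constructed traffic. The contents of the blocked-access and mgmnt-access prefix lists, the host addresses, and the port set are assumptions, since the thread does not show them.

    ```python
    """Toy evaluator for Junos firewall-filter address matching (added example).

    Models the Junos rule that within one address match condition the longest
    matching prefix wins; if that prefix is an 'except' entry the condition
    fails, and a condition made only of 'except' entries never matches.
    Prefix-list contents, hosts and ports are constructed, not from the post.
    """
    import ipaddress

    # Constructed stand-ins for the poster's prefix lists (assumption).
    PREFIX_LISTS = {
        "blocked-access": ["198.51.100.0/24"],
        "mgmnt-access": ["203.0.113.10/32", "203.0.113.64/27"],
    }
    SERVER = "12.13.200.20"


    def prefix_list(name, is_except=False):
        """Expand a named prefix list into (network, is_except) entries."""
        return [(ipaddress.ip_network(p), is_except) for p in PREFIX_LISTS[name]]


    def any_src():
        """The 'source-address 0.0.0.0/0' entry from the accepted answer."""
        return [(ipaddress.ip_network("0.0.0.0/0"), False)]


    def address_matches(addr, entries):
        """Longest matching prefix decides; an 'except' winner means no match."""
        ip = ipaddress.ip_address(addr)
        best = None
        for net, is_except in entries:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, is_except)
        return best is not None and not best[1]


    def term_matches(conds, pkt):
        """All 'from' conditions of a term must hold; no conditions matches all."""
        if "source" in conds and not address_matches(pkt["src"], conds["source"]):
            return False
        if "destination" in conds and not address_matches(pkt["dst"], conds["destination"]):
            return False
        if "protocol" in conds and pkt["proto"] != conds["protocol"]:
            return False
        if "dport" in conds and pkt["dport"] not in conds["dport"]:
            return False
        return True


    def evaluate(terms, pkt):
        """First matching term wins; a Junos filter ends in an implicit discard."""
        for _name, conds, action in terms:
            if term_matches(conds, pkt):
                return action
        return "discard"


    # Shared match conditions: tcp/22 or tcp/443 to the server.
    MGMT_PORTS = {
        "destination": [(ipaddress.ip_network(SERVER + "/32"), False)],
        "protocol": "tcp",
        "dport": {22, 443},
    }

    # First filter from the post: accept mgmt, then discard everyone else.
    WORKING = [
        ("1", {"source": prefix_list("blocked-access")}, "discard"),
        ("2", {**MGMT_PORTS, "source": prefix_list("mgmnt-access")}, "accept"),
        ("3", MGMT_PORTS, "discard"),
        ("4", {}, "accept"),
    ]
    # Second filter as posted: term 2's source condition is 'except' only.
    BROKEN = [
        ("1", {"source": prefix_list("blocked-access")}, "discard"),
        ("2", {**MGMT_PORTS, "source": prefix_list("mgmnt-access", is_except=True)}, "discard"),
        ("3", {}, "accept"),
    ]
    # Second filter with the fix: 0.0.0.0/0 gives non-mgmt sources a positive match.
    FIXED = [
        ("1", {"source": prefix_list("blocked-access")}, "discard"),
        ("2", {**MGMT_PORTS,
               "source": any_src() + prefix_list("mgmnt-access", is_except=True)}, "discard"),
        ("3", {}, "accept"),
    ]

    PACKETS = {  # constructed traffic toward the server
        "mgmt_ssh": {"src": "203.0.113.10", "dst": SERVER, "proto": "tcp", "dport": 22},
        "stranger_https": {"src": "192.0.2.7", "dst": SERVER, "proto": "tcp", "dport": 443},
        "blocked_ssh": {"src": "198.51.100.9", "dst": SERVER, "proto": "tcp", "dport": 22},
        "stranger_http": {"src": "192.0.2.7", "dst": SERVER, "proto": "tcp", "dport": 80},
    }


    def run(terms):
        """Action taken for each constructed packet under the given filter."""
        return {name: evaluate(terms, pkt) for name, pkt in PACKETS.items()}


    if __name__ == "__main__":
        for label, terms in (("working", WORKING), ("broken", BROKEN), ("fixed", FIXED)):
            print(label, run(terms))
    ```

    Running it shows the symptom from the thread: under BROKEN the stranger's HTTPS connection is accepted, because no positive prefix ever matches it and term 2 falls through to the catch-all accept. Under FIXED the stranger matches 0.0.0.0/0 and is discarded, while the management host's longer "except" match still exempts it, giving the same results as the first filter.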



  • 5.  RE: Firewall filter not working

    Posted 03-15-2013 19:14

    @aarseniev wrote:

     

    set firewall filter isp1-in term 2 from source-address 0.0.0.0/0

     

     

    That did the trick!  Thanks much.