SRX Services Gateway

Firewall rules for security director

04-22-2019 10:18 AM
Hi,

Will be installing Juniper Security Director soon and wanted to know what TCP/UDP ports are required to make it integrate with SRX firewalls?

Do I need to add a rule on the SRX so it comes from the relevant zone to the Junos-host in the policy base?

Thanks

Re: Firewall rules for security director

04-22-2019 12:59 PM

In general Security Director relies on the ports needed for Junos Space. The required ports are listed in https://kb.juniper.net/InfoCenter/index?page=content&id=kb18148


In summary only ssh from Space/SD towards the SRX gateways is needed. SD does netconf via ssh.

Ping and snmp-read (udp/161) are optional but nice to have available.

--
Best regards,

Jonas Hauge Jensen
Systems Engineer, SEC DATACOM A/S (Denmark)

Re: Firewall rules for security director

04-22-2019 01:11 PM
Thanks,

Just to clarify; do I need the rule to be from the zone SD sits in towards the Junos-host zone on each SRX?
Solution (accepted by topic author oban3jimmy, 04-22-2019 01:49 PM)

Re: Firewall rules for security director

04-22-2019 01:28 PM

In general your assumption is correct... but it depends on your setup.


It could also be that you only allow ssh as host-inbound-service system-services on the relevant zone/interface and then have a RE protection firewall filter to handle which IPs can access via ssh on this zone.


An alternative could also be a global policy which allows management across all zones to avoid doing multiple src-zoneX/Y/Z to junos-host policies (if ssh access is needed from multiple different zones).


Junos provides you many ways to accomplish the same goal :-)


--
Best regards,

Jonas Hauge Jensen
Systems Engineer, SEC DATACOM A/S (Denmark)
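The options in the accepted answer written out as Junos configuration, as an added example that is not from the thread or from Juniper: the zone's host-inbound-traffic opens only ssh (which carries NETCONF) and ping, a policy to the junos-host zone narrows the permitted source, and an RE protection filter on lo0 does the same narrowing at the filter level. The zone name mgmt, interface ge-0/0/0.0, Security Director address 192.0.2.10 and filter name RE-PROTECT are constructed placeholders.

```junos
/* Added example, not from the thread. Constructed values: SD at 192.0.2.10, */
/* management zone "mgmt" on ge-0/0/0.0, filter name RE-PROTECT. */
security {
    address-book {
        global { address sd-server 192.0.2.10/32; }
    }
    zones {
        security-zone mgmt {
            /* Gate which services the RE accepts on this zone: ssh (NETCONF runs over it) and ping */
            host-inbound-traffic {
                system-services { ssh; ping; }
            }
            interfaces { ge-0/0/0.0; }
        }
    }
    policies {
        /* Narrowing by source: policy from the SD zone to the junos-host zone */
        from-zone mgmt to-zone junos-host {
            policy allow-sd-mgmt {
                match {
                    source-address sd-server;
                    destination-address any;
                    application [ junos-ssh junos-ping ];
                }
                then { permit; }
            }
        }
    }
}
firewall {
    family inet {
        /* RE protection filter (the thread's other option): only the SD host may open ssh to the RE */
        filter RE-PROTECT {
            term sd-ssh {
                from { source-address { 192.0.2.10/32; } protocol tcp; destination-port ssh; }
                then accept;
            }
            term no-other-ssh {
                from { protocol tcp; destination-port ssh; }
                then { log; discard; }
            }
            /* Everything else (routing protocols, DNS replies, etc.) is left alone */
            term rest { then accept; }
        }
    }
}
interfaces {
    lo0 { unit 0 { family inet { filter { input RE-PROTECT; } } } }
}
```

Either the junos-host policy or the lo0 filter is enough to restrict the source; both are shown here so the two approaches can be compared side by side. Run commit check before committing, since a mistake in the RE filter can lock you out of management.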

Re: Firewall rules for security director

04-22-2019 01:49 PM
That’s great - thanks