SRX Services Gateway

Limiting J-Web access

‎02-14-2019 07:03 AM

Hi guys,

I would like to limit the J-Web access to only two interfaces, ge-0/0/1.0 and ge-0/0/6.0.

 

Below is the zone wise mapping of interfaces:

0/0   UNTRUST-INT (UNTRUST)
0/1   (TRUST)
0/2   (TRUST)
0/3   (TRUST)
0/4   (Library)
0/5   (TMS)
0/6   (TRUST)

 

Below is the set config for the web-management:

set system services web-management http interface ge-0/0/1.0
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/1.0
set system services web-management https interface ge-0/0/6.0
set system services web-management https interface all

 

 

It looks like the SRX is allowing J-Web access to all the interfaces in trust. Can anyone shed some light on how to limit J-Web access to a particular interface and not to a particular zone?

 

Thanking you.

Regards,

Pavan 


Re: Limiting J-Web access

‎02-14-2019 07:13 AM
Remove interface all statement:
delete system services web-management https interface all

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: Limiting J-Web access

‎02-14-2019 07:19 AM

Hey Nellikka,

 

If I remove that statement it doesn't work from the allowed interface too...lol.

 

I get this error message when I remove that command :

 

This page isn’t working

199.166.213.1 redirected you too many times.

ERR_TOO_MANY_REDIRECTS

Re: Limiting J-Web access

‎02-14-2019 07:35 AM

Please disable phone-home feature if it is enabled:

delete system phone-home

 

 

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: Limiting J-Web access

‎02-14-2019 07:41 AM

Hello,

 

Are you trying to access J-Web from machines that come to the vSRX on untrust (ge-0/0/0)?

If that is the case, in addition to removing the 'interface all' command, also add the 'interface ge-0/0/0' command.

Once done, you can make use of a firewall filter to allow J-Web access to the box on destination IPs belonging to ge-0/0/1 and ge-0/0/6 while blocking J-Web access on the IP of ge-0/0/0.

 

Regards,

 

Rushi


Re: Limiting J-Web access

‎02-14-2019 07:48 AM

Phone-home is not enabled. 


Re: Limiting J-Web access

‎02-14-2019 08:02 AM

Is it possible to share the configuration? You may change/remove sensitive info.

 

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: Limiting J-Web access

‎02-14-2019 10:27 AM

My guess is that your trust interfaces are switchports, and there you should define your irb-interface instead of the physical interfaces:

 

set system services web-management https interface irb.xxx

You will not be able to limit it to only two of the four ports in trust without using an alternate method such as firewall filters on switchports or similar.

 

But please share your configuration if possible to make it easier to figure out what's going on and make it easier to help you solve this.


--
Best regards,

Jonas Hauge Klingenberg
Juniper Ambassador & Technology Architect, SEC DATACOM A/S (Denmark)

Re: Limiting J-Web access

‎02-14-2019 03:05 PM

The interface in the allow command should be the one with the actual ip address you are connecting to.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
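
Added example (not part of any post in this thread, and not Juniper tooling): a small offline check that applies the three points raised in the replies to a set-format config: the 'interface all' statement, switchports that should be replaced by their irb unit, and listed units that carry no IP address. The web-management lines are the ones posted above; the interface lines, addresses, irb.10, the VLAN name and the function name audit_jweb are constructed assumptions.

```python
import re

# Constructed sample: the web-management lines are the ones posted in the thread;
# the interface lines (units, addresses, irb.10, VLAN name) are invented for illustration.
SAMPLE_CONFIG = """\
set system services web-management http interface ge-0/0/1.0
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/1.0
set system services web-management https interface ge-0/0/6.0
set system services web-management https interface all
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/24
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members TRUST
set interfaces ge-0/0/6 unit 0 family inet address 198.51.100.1/24
set interfaces irb unit 10 family inet address 203.0.113.1/24
"""

WEB_RE = re.compile(r"^set system services web-management (https?) interface (\S+)$")
ADDR_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet6? address \S+")
L2_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family ethernet-switching\b")

def audit_jweb(config):
    """Return (protocol, interface, finding) tuples for questionable J-Web bindings."""
    listeners, addressed, switchports = set(), set(), set()
    for line in config.splitlines():
        line = line.strip()
        if m := WEB_RE.match(line):
            listeners.add((m.group(1), m.group(2)))
        elif m := ADDR_RE.match(line):
            addressed.add(f"{m.group(1)}.{m.group(2)}")    # unit that owns an IP
        elif m := L2_RE.match(line):
            switchports.add(f"{m.group(1)}.{m.group(2)}")  # layer-2 unit, no IP of its own
    findings = []
    for proto, ifname in sorted(listeners):
        if ifname == "all":
            findings.append((proto, ifname, "not restricted to named interfaces"))
        elif ifname in switchports:
            findings.append((proto, ifname, "switchport: bind the irb unit instead"))
        elif ifname not in addressed:
            findings.append((proto, ifname, "no IP address on this unit"))
    return findings

if __name__ == "__main__":
    for proto, ifname, finding in audit_jweb(SAMPLE_CONFIG):
        print(f"{proto:5} {ifname:12} {finding}")
```

Feed it the output of 'show configuration | display set'; an empty result means every listed unit is a named, addressed interface.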