SRX Services Gateway

Policy based on specific device signature

01-18-2019 01:02 AM

Hi,

I am not an expert on the SRX240, so maybe this is a weird question. We need to configure a firewall rule on our SRX240 to allow a specific device. Unfortunately we cannot do this based on IP address because it will always change. Does anyone have experience with that? Is this possible at all?

Thanks!!

Wouter


Re: Policy based on specific device signature

01-18-2019 01:59 AM

Hi,

In that case I would suggest using a Dynamic DNS server, which always has the correct IP address, and on the SRX using the DNS name for selection.

Regards,

Alexander


Re: Policy based on specific device signature

01-18-2019 02:45 AM

Another option is to have your DHCP server set up a "reserved" IP address for that device, so that it won't change any more but is still delivered by DHCP.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Policy based on specific device signature

01-18-2019 03:40 AM

Thanks very much for your reply. It's a VoIP phone; we want users to connect externally to our internal PBX VoIP server through the firewall. So the device will be used on different home networks with different IP addresses, which I have no influence on. If I open the Juniper firewall for all IP addresses on the SIP 5060 port, my VoIP server is flooded with connection attempts from hackers.

Re: Policy based on specific device signature

01-18-2019 11:51 PM

Hi,

If you can't filter based on source IP address, then it seems like the only option you have is DDNS. You could have the users use a free DDNS service like NO-IP (first result I got on Google):

  https://www.noip.com/free?gclid=Cj0KCQiAj4biBRC-ARIsAA4WaFhqZKEgiZ9ZvQyCini7yFPk7S0aV_yIRsPJyxKkqrEd...

If the users provide you with their DDNS names (they only need to provide this information once), you can configure your security policy to use their domain names to permit the traffic:

  https://kb.juniper.net/InfoCenter/index?page=content&id=KB20994&actp=METADATA

The hackers' traffic will continue to reach the external IP address of your SRX, but it shouldn't be able to get into your network.

You could also check the SRX logs regularly, identify the offending IP addresses, and block them with a firewall filter:

  https://www.juniper.net/documentation/en_US/junos/topics/example/firewall-filter-stateless-example-t...

Pura Vida from Costa Rica
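As an added illustration (not part of the thread, and not Juniper's own documentation), the following set-style Junos configuration shows the two pieces the reply above describes on an SRX: a security policy whose source address is an address-book entry keyed by the phone's DDNS hostname, and a stateless firewall filter that discards SIP from addresses you have already identified as scanners before they reach the flow engine. The hostname wouter-phone.ddns.example.net, the PBX address 10.10.10.5/32, the name server 192.0.2.53, the interface ge-0/0/0, the blocklist prefix 203.0.113.0/24 and the zone names untrust/trust are assumptions for the example, not values from the thread.

```junos
## Added example configuration, not from the thread. All hostnames, addresses,
## zone names and the interface below are assumed for illustration.

## The SRX must be able to resolve DNS itself before dns-name entries work.
set system name-server 192.0.2.53

## Address-book entry keyed by the phone's DDNS hostname (global address book).
## The SRX resolves the name and refreshes the mapping when the DNS TTL expires.
set security address-book global address wouter-phone dns-name wouter-phone.ddns.example.net
set security address-book global address-set remote-phones address wouter-phone
set security address-book global address pbx-server 10.10.10.5/32

## Only the listed phones may reach the PBX on SIP (junos-sip is the predefined
## application for TCP/UDP 5060). Log session setup for later review.
set security policies from-zone untrust to-zone trust policy sip-from-phones match source-address remote-phones
set security policies from-zone untrust to-zone trust policy sip-from-phones match destination-address pbx-server
set security policies from-zone untrust to-zone trust policy sip-from-phones match application junos-sip
set security policies from-zone untrust to-zone trust policy sip-from-phones then permit
set security policies from-zone untrust to-zone trust policy sip-from-phones then log session-init

## Explicit, logged deny for everything else from untrust. The SRX default policy
## already denies, but the log entries here are the source of scanner addresses
## to add to the blocklist below.
set security policies from-zone untrust to-zone trust policy deny-rest match source-address any
set security policies from-zone untrust to-zone trust policy deny-rest match destination-address any
set security policies from-zone untrust to-zone trust policy deny-rest match application any
set security policies from-zone untrust to-zone trust policy deny-rest then deny
set security policies from-zone untrust to-zone trust policy deny-rest then log session-init

## Stateless filter on the Internet-facing interface: drop SIP from addresses
## found in the logs. A prefix-list keeps the blocklist easy to extend.
set policy-options prefix-list sip-scanners 203.0.113.0/24
set firewall family inet filter block-sip-scanners term drop-scanners from source-prefix-list sip-scanners
set firewall family inet filter block-sip-scanners term drop-scanners from protocol [ tcp udp ]
set firewall family inet filter block-sip-scanners term drop-scanners from destination-port 5060
set firewall family inet filter block-sip-scanners term drop-scanners then count sip-scanners-dropped
set firewall family inet filter block-sip-scanners term drop-scanners then discard
set firewall family inet filter block-sip-scanners term allow-rest then accept
set interfaces ge-0/0/0 unit 0 family inet filter input block-sip-scanners
```

After committing, `show security policies policy-name sip-from-phones detail` shows what the policy currently matches, which is the quickest way to confirm the DDNS name actually resolved on the SRX, and `show firewall filter block-sip-scanners` shows the drop counter. Two caveats worth keeping in mind with this approach: the DDNS name resolves to the public address of the user's home router, so anything else behind that router (or behind the same carrier NAT) is permitted as well, and the policy only tracks the phone as fast as the DDNS client updates the record and the SRX re-resolves it on TTL expiry. If the PBX sits behind destination NAT on the SRX, the policy's destination-address is the internal (post-NAT) address, since NAT is evaluated before the policy lookup.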