SRX Services Gateway

Restrict access with junos-host zone

03-03-2019 10:59 AM

I am trying to restrict management access with the junos-host zone, but it doesn't appear to be working. All traffic still seems to be allowed, even though I have tied it down to one IP and only SSH. Any help appreciated; config below:

vsrx> show configuration security zones security-zone mgmt | display set
set security zones security-zone mgmt address-book address mgt-server 192.168.10.133/32
set security zones security-zone mgmt address-book address-set manager-ip address mgt-server
set security zones security-zone mgmt host-inbound-traffic system-services all
set security zones security-zone mgmt host-inbound-traffic protocols all
set security zones security-zone mgmt interfaces lo0.0

 

vsrx> show configuration security policies | display set
set security policies from-zone mgmt to-zone junos-host policy management-access match source-address manager-ip
set security policies from-zone mgmt to-zone junos-host policy management-access match destination-address any
set security policies from-zone mgmt to-zone junos-host policy management-access match application junos-ssh
set security policies from-zone mgmt to-zone junos-host policy management-access match application junos-http
set security policies from-zone mgmt to-zone junos-host policy management-access then permit
set security policies from-zone mgmt to-zone junos-host policy denyall match source-address any
set security policies from-zone mgmt to-zone junos-host policy denyall match destination-address any
set security policies from-zone mgmt to-zone junos-host policy denyall match application any
set security policies from-zone mgmt to-zone junos-host policy denyall then deny

There are no other security policies on the device other than the ones above (so it's not hitting another policy). When I SSH from another IP in the 192.168.10.x range, it is permitted.

Thanks
Re: Restrict access with junos-host zone

03-03-2019 11:30 AM
Remove the lo0.0 interface from the mgmt zone.
Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
Re: Restrict access with junos-host zone

03-03-2019 11:37 AM

Thanks for the response. I had tried that also, but it doesn't make any difference. I was copying an example off the Juniper website, which is why I put the loopback in there in the first place.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB21265&cat=JUNOS&actp=LIST


Thanks

Re: Restrict access with junos-host zone

03-03-2019 11:50 AM
Is the incoming traffic interface also part of the mgmt zone, or a different zone? I hope you are trying to access the lo0 IP from your PC.
Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
Re: Restrict access with junos-host zone

03-03-2019 12:37 PM

Incoming traffic is coming in via fxp0 so it's not part of a zone as such.

Re: Restrict access with junos-host zone

03-03-2019 04:31 PM
You have to use option 1 mentioned in the above KB to restrict the access, since the traffic is coming in via the fxp0 interface. junos-host is used when you want to restrict traffic coming in or going out via revenue interfaces that are part of a security zone. fxp0 is the out-of-band management interface and is not part of any security zone.

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
Re: Restrict access with junos-host zone

03-03-2019 11:05 PM
Thanks, that is how I set it up before, but the problem is that firewall filters are not stateful, so you can't ping (monitor) the firewall after applying the firewall filter (return pings are dropped). I also tried to allow ICMP in a separate filter and apply it outbound, but it didn't seem to work. This is why I started looking into doing it a different way (a firewall policy, which is stateful).

Any idea how to get around that?
Solution (accepted by topic author tars01, 03-04-2019 09:20 AM)

Re: Restrict access with junos-host zone

03-03-2019 11:29 PM

You are right. Firewall filters are stateless. But it will work as expected if you configure it properly. Please try the config below and let me know:

set firewall filter lo-filter term 10 from source-address 192.168.10.133/32
set firewall filter lo-filter term 10 from port ssh
set firewall filter lo-filter term 10 from port http
set firewall filter lo-filter term 10 from port https
set firewall filter lo-filter term 20 from source-address 192.168.10.133/32
set firewall filter lo-filter term 20 from protocol icmp
set firewall filter lo-filter term 20 then accept

Try to ping from the 192.168.10.133 IP after applying the filter in the inbound direction.

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Re: Restrict access with junos-host zone

03-03-2019 11:33 PM

Forgot to mention. Apply the filter to lo0 interface in inbound direction:

set interfaces lo0 unit 0 family inet filter input lo-filter

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
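A fuller version of the lo0 input filter from the accepted solution, added here as an illustration; it is not taken from the thread or from Juniper's documentation. Traffic arriving on fxp0 is not in any security zone, so the junos-host policy never sees it, while an lo0 input filter does. The filter name, the 192.168.10.133/32 host and the apply statement are the thread's; the explicit accept on term 10, the destination-port matches, the echo-reply and tcp-established terms for replies to traffic the SRX itself originates (the stateless-filter problem raised above), and the counted, logged final discard are assumptions about what a practitioner would want.

```junos
# lo0 input filter: traffic that terminates on the Routing Engine, including fxp0.
# Filters are stateless: replies to sessions the SRX itself opens (its own pings,
# its own outbound TCP) also arrive through this input filter and need their own term.

# Term 10: management protocols from the single management host only.
# destination-port is narrower than port, which matches source OR destination port.
set firewall filter lo-filter term 10 from source-address 192.168.10.133/32
set firewall filter lo-filter term 10 from protocol tcp
set firewall filter lo-filter term 10 from destination-port ssh
set firewall filter lo-filter term 10 from destination-port http
set firewall filter lo-filter term 10 from destination-port https
set firewall filter lo-filter term 10 then count ALLOW_MGMT
set firewall filter lo-filter term 10 then accept

# Term 20: echo-request from the monitoring host, so the SRX can be pinged.
set firewall filter lo-filter term 20 from source-address 192.168.10.133/32
set firewall filter lo-filter term 20 from protocol icmp
set firewall filter lo-filter term 20 from icmp-type echo-request
set firewall filter lo-filter term 20 then count ALLOW_ICMP
set firewall filter lo-filter term 20 then accept

# Term 25: echo-reply to pings the SRX sends to the management host.
set firewall filter lo-filter term 25 from source-address 192.168.10.133/32
set firewall filter lo-filter term 25 from protocol icmp
set firewall filter lo-filter term 25 from icmp-type echo-reply
set firewall filter lo-filter term 25 then accept

# Term 26: established TCP (ACK/RST set) from the management host, for sessions the
# SRX opened. Any other host the SRX talks to (syslog, NTP, DNS) needs its own term.
set firewall filter lo-filter term 26 from source-address 192.168.10.133/32
set firewall filter lo-filter term 26 from protocol tcp
set firewall filter lo-filter term 26 from tcp-established
set firewall filter lo-filter term 26 then accept

# Term 30: everything else is dropped, counted and logged so it shows up in
# "show firewall" and "show firewall log" (assumed counter name).
set firewall filter lo-filter term 30 then count DENY_ALL
set firewall filter lo-filter term 30 then log
set firewall filter lo-filter term 30 then discard

# Apply in the input direction on lo0, as in the thread.
set interfaces lo0 unit 0 family inet filter input lo-filter
```

The lines starting with # are explanatory; paste only the set lines into the CLI, and check the ALLOW_* and DENY_ALL counters with "show firewall" after a test SSH and ping from the management host.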
Re: Restrict access with junos-host zone

03-04-2019 01:15 AM

Thanks, that's almost exactly how I had it, but it doesn't work like that. I have just tried your exact config and it doesn't work either. You can SSH etc. but can't ping; I think it's dropping the ICMP response packet.

 

Thanks

Re: Restrict access with junos-host zone

03-04-2019 01:25 AM

Interesting! Please modify the existing filter, add the count and log options for ICMP, and share the output of the below-mentioned commands.

set firewall filter lo-filter term 20 then count ALLOW_ICMP
set firewall filter lo-filter term 20 then log
set firewall filter lo-filter term 30 from protocol icmp
set firewall filter lo-filter term 30 then discard
set firewall filter lo-filter term 30 then count DENY_ICMP
set firewall filter lo-filter term 30 then log

show system statistics icmp
show firewall
show firewall log
show interface filters | no-more

 

Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
Re: Restrict access with junos-host zone

03-04-2019 09:21 AM

Nellikka, this does actually work, so thank you. I had a typo in my policy.

Thanks for all your help.