SRX Services Gateway
Highlighted
SRX Services Gateway

lo0 filter friendly for UTM

09.01.10   |  
‎09-01-2010 06:51 AM

Hi All,

 

      Does anyone know what exception should be created in order to have a filter on lo0 ( For security and managment access) and still have the UTM get all its updates and jazz.

 

Here is my current filter on lo0 that kills all UTM functions

 

Family inet

   filter conf-services

       term routing

          from

                protocol ospf

         then

                accept

      term admin-allow

          from 

             source-prefix-list  permited-IP's

          then

             accept

      term  everythingelse

           then

              discard

 

Thanks!

4 REPLIES
SRX Services Gateway

Re: lo0 filter friendly for UTM

09.01.10   |  
‎09-01-2010 07:12 AM

Is this with multiple or single routing instances?  And is this in a cluster?  If the destination UTM server is not in the default routing instance, that may be part of the problem. 

SRX Services Gateway

Re: lo0 filter friendly for UTM

09.01.10   |  
‎09-01-2010 07:28 AM

single box, single routing instance.

SRX Services Gateway

Re: lo0 filter friendly for UTM

09.01.10   |  
‎09-01-2010 07:34 AM

You'll have to allow 9020 UDP for Surf Control Integrated.  I'm not sure about the other services though.

SRX Services Gateway
Solution
Accepted by topic author ttl_expired
‎08-26-2015 01:27 AM

Re: lo0 filter friendly for UTM

09.01.10   |  
‎09-01-2010 08:34 AM

You have a few ways to handle this.

 

One of the easiest is to change your last term to an "accept all" instead of "deny all", and have two terms before it: ssh and https accept from certain source IPs; ssh and https deny from all; followed by allow all. This avoids needing to know each port you need to open up. It also means you'd trust the SRX to be secure.

 

If you do want to explicitly allow, you could remove the filter, run a monitor traffic, run UTM updates, then go through the capture file to see what protocols are being used.