SRX Services Gateway

"manager-ip" solution on srx

06-03-2010 01:15 AM

Hi, I wrote something about controlling management access to an SRX (or J-series, of course) that might be useful to other members of this forum:

Introduction.

A lot of engineers who switch from ScreenOS to JUNOS miss the manager-ip functionality found in ScreenOS. This technote gives similar functionality for an SRX or J-series.

 

Solution.

The solution found here is described in many documents, but I tried to make a small summary. Look for "protecting the Routing Engine" when looking for background information.

The SRX does not have manager-ip built in. Coming from the packet-based JUNOS version, something can be built to achieve the same functionality. The core of this is stateless firewall filters. These filters can be applied to interfaces, but instead of applying them to all interfaces, the filter is applied between the PFE (Packet Forwarding Engine) and the RE (Routing Engine). Consider that as the point where traffic enters the SRX itself instead of being forwarded. The way to do this is to apply a filter to the loopback interface. The loopback stack is used in sending traffic from the PFE to the RE.

On packet-based JUNOS you have to write rather complex filters, but for the SRX most of the work is already done by the zone or interface host-inbound-traffic settings.

The add-on done here is to filter on prefixes.

 

The first step in the config is to create a list of networks (or hosts) allowed to manage the device. For this you can use a prefix-list:

policy-options {
    prefix-list manager-ip {
        10.0.0.0/8;
        192.168.4.254/32;
    }
}

This list is referenced in the actual filter, so this is where you change your manager-ip's!

 

The next step is to write a filter. One tricky thing here is that you have to include all your management services in the first term! (Don't forget NSM when you use it.)

firewall {
    filter manager-ip {
        /* management ports from any source not in prefix-list manager-ip are silently dropped */
        term block_non_manager {
            from {
                source-address {
                    0.0.0.0/0;
                }
                source-prefix-list {
                    manager-ip except;
                }
                protocol tcp;
                destination-port [ ssh https telnet http ];
            }
            then {
                discard;
            }
        }
        /* everything else still reaches the RE; without this term the filter's implicit final discard would drop it */
        term accept_everything_else {
            then accept;
        }
    }
}

As you can see, management traffic (when using a port listed under destination-port) is rejected except when it comes from an address listed in the prefix-list "manager-ip".

 

 

Finally we have to apply this filter to the loopback interface:

interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input manager-ip;
                }
            }
        }
    }
}

And don't forget to use commit confirmed when trying this on a remote system...

 

For those of you who want to copy and paste the code into the config (you should read up on load terminal, but this is maybe easier):

set policy-options prefix-list manager-ip 192.168.4.254/32
set policy-options prefix-list manager-ip 10.0.0.0/8
set firewall filter manager-ip term block_non_manager from source-address 0.0.0.0/0
set firewall filter manager-ip term block_non_manager from source-prefix-list manager-ip except
set firewall filter manager-ip term block_non_manager from protocol tcp
set firewall filter manager-ip term block_non_manager from destination-port ssh
set firewall filter manager-ip term block_non_manager from destination-port https
set firewall filter manager-ip term block_non_manager from destination-port telnet
set firewall filter manager-ip term block_non_manager from destination-port http
set firewall filter manager-ip term block_non_manager then discard
set firewall filter manager-ip term accept_everything_else then accept
set interfaces lo0 unit 0 family inet filter input manager-ip

 

best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
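
As an added example (this is not from Screenie's post), here is the same lo0 filter the way I would deploy it: a counted accept term for the allowed managers, a counted and logged discard term so that rejected attempts are visible, NETCONF over SSH (TCP/830) added to the port list, and the CLI checks to confirm the filter does what you expect. Because the allowed sources are matched by their own term first, the `except` construction is no longer needed. The term and counter names and the inclusion of port 830 are assumptions for illustration; lines starting with `##` are explanation and should not be pasted.

```junos
## Added example: manager-ip style lo0 filter with counters and logging (not from the original post).
## Counter/term names and the NETCONF port are assumptions for illustration.

set policy-options prefix-list manager-ip 10.0.0.0/8
set policy-options prefix-list manager-ip 192.168.4.254/32

## Term 1: management from an allowed prefix is accepted and counted.
set firewall filter manager-ip term allow_manager from source-prefix-list manager-ip
set firewall filter manager-ip term allow_manager from protocol tcp
set firewall filter manager-ip term allow_manager from destination-port [ ssh https telnet http 830 ]
set firewall filter manager-ip term allow_manager then count mgmt-accepted
set firewall filter manager-ip term allow_manager then accept

## Term 2: the same ports from anywhere else are counted, logged and silently dropped.
## Term 1 already matched the allowed sources, so no "except" is needed here.
set firewall filter manager-ip term block_non_manager from protocol tcp
set firewall filter manager-ip term block_non_manager from destination-port [ ssh https telnet http 830 ]
set firewall filter manager-ip term block_non_manager then count mgmt-blocked
set firewall filter manager-ip term block_non_manager then log
set firewall filter manager-ip term block_non_manager then syslog
set firewall filter manager-ip term block_non_manager then discard

## Term 3: everything else (routing protocols, IKE, DNS replies, ...) still reaches the RE.
## Without it the implicit discard at the end of the filter would cut the RE off from the network.
set firewall filter manager-ip term accept_everything_else then accept

set interfaces lo0 unit 0 family inet filter input manager-ip

## Commit with a rollback timer when working remotely, then confirm once you can still log in:
##   commit confirmed 5
##   commit
## Checks after a login attempt from an address outside the prefix-list:
##   show firewall filter manager-ip               (mgmt-blocked counter increments)
##   show firewall log                             (the dropped packet, from "then log")
##   show log messages | match FW_SYSLOG           (the same drop, from "then syslog")
```

The filter is attached under family inet only; if the box is also managed over IPv6, a separate family inet6 filter on lo0 is required, or IPv6 management is left unfiltered.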
17 REPLIES

Re: "manager-ip" solution on srx

06-04-2010 09:30 AM

Hey Screenie - sweet! Nice work.

Kevin Barker
JNCIP-SEC
JNCIS-ENT, FWV, SSL, WLAN
JNCIA-ER, EX, IDP, UAC, WX
Juniper Networks Certified Instructor
Juniper Networks Ambassador

Juniper Elite Reseller
J-Partner Service Specialist - Implementation

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.

Re: "manager-ip" solution on srx

06-12-2010 09:19 AM

Thanks for the information Screenie!

Re: "manager-ip" solution on srx

06-12-2010 11:02 AM

Yeah, very nice example; thanks!

Re: "manager-ip" solution on srx

09-04-2010 12:55 AM

I actually thought you would do it on the fxp.

Anyway I read the same in a JUNOS book that you should just protect the RE/Control Plane.

When you look at how Juniper converts from ScreenOS to JUNOS Security, it would put a filter on EACH interface.

This way is much nicer and you do not have to 'pollute' the configuration as much.

Thanks for the insightful information, Screenie.

Cheers


Best Regards

Tom Roholm
JNCIS-ENT, FWV, SEC, SA, WLAN

Re: "manager-ip" solution on srx

09-04-2010 01:07 AM

Does not seem to work for me on SRX 210 running 10.2R2.

Created it like this:

filter manager-ip {
    term block_non_manager {
        from {
            source-address {
                0.0.0.0/0;
            }
            source-prefix-list {
                manager-ip except;
            }
            protocol [ tcp icmp ];
            icmp-type echo-request;
            destination-port [ ssh https ];
        }
        then {
            discard;
        }
    }
    term accept_everything_else {
        then accept;
    }
}

--------------------------------------

I can connect from an IP not in my list :s

Best Regards

Tom Roholm
JNCIS-ENT, FWV, SEC, SA, WLAN

Re: "manager-ip" solution on srx

09-04-2010 01:13 AM

Shouldn't you put some policing in place to avoid downing the RE if you allow management from the outside?

Best Regards

Tom Roholm
JNCIS-ENT, FWV, SEC, SA, WLAN
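
An added example (not part of Tom's posts and not the thread's own resolution) that covers both of the points above. In a Junos filter term, all match conditions inside one `from` block are ANDed, while the values inside one condition are ORed. A term that requires protocol tcp-or-icmp AND icmp-type echo-request AND destination-port ssh-or-https can only match a packet that satisfies all three at once; a normal SSH SYN does not, so it falls through to accept_everything_else. Splitting the TCP and ICMP matches into separate terms fixes that. The policers on the accepted management traffic and on echo-requests answer the "policing to protect the RE" question. Bandwidth values, policer and term names are assumptions; lines starting with `##` are explanation and should not be pasted.

```junos
## Added example (not from the thread): one term per protocol, plus policers to protect the RE.
## Bandwidth limits, names and prefixes are assumptions for illustration.

set policy-options prefix-list manager-ip 10.0.0.0/8
set policy-options prefix-list manager-ip 192.168.4.254/32

## Policers: traffic above the configured rate is discarded before it reaches the RE.
set firewall policer mgmt-policer if-exceeding bandwidth-limit 1m
set firewall policer mgmt-policer if-exceeding burst-size-limit 100k
set firewall policer mgmt-policer then discard
set firewall policer icmp-policer if-exceeding bandwidth-limit 100k
set firewall policer icmp-policer if-exceeding burst-size-limit 15k
set firewall policer icmp-policer then discard

## Term 1: TCP management from allowed sources, rate-limited so one manager cannot flood the RE.
set firewall filter manager-ip term allow_manager_tcp from source-prefix-list manager-ip
set firewall filter manager-ip term allow_manager_tcp from protocol tcp
set firewall filter manager-ip term allow_manager_tcp from destination-port [ ssh https ]
set firewall filter manager-ip term allow_manager_tcp then policer mgmt-policer
set firewall filter manager-ip term allow_manager_tcp then accept

## Term 2: the same TCP ports from anyone else are dropped. No icmp-type condition here,
## so an SSH SYN from an unknown source actually matches this term.
set firewall filter manager-ip term block_non_manager_tcp from protocol tcp
set firewall filter manager-ip term block_non_manager_tcp from destination-port [ ssh https ]
set firewall filter manager-ip term block_non_manager_tcp then discard

## Term 3: ICMP gets its own term. Echo-requests from allowed sources are accepted under a policer.
## "protocol icmp" is kept so that icmp-type is only evaluated against real ICMP packets.
set firewall filter manager-ip term allow_manager_icmp from source-prefix-list manager-ip
set firewall filter manager-ip term allow_manager_icmp from protocol icmp
set firewall filter manager-ip term allow_manager_icmp from icmp-type echo-request
set firewall filter manager-ip term allow_manager_icmp then policer icmp-policer
set firewall filter manager-ip term allow_manager_icmp then accept

## Term 4: echo-requests from anyone else are dropped. Other ICMP types (unreachables,
## fragmentation-needed, time-exceeded) are deliberately left to term 5.
set firewall filter manager-ip term block_non_manager_icmp from protocol icmp
set firewall filter manager-ip term block_non_manager_icmp from icmp-type echo-request
set firewall filter manager-ip term block_non_manager_icmp then discard

## Term 5: everything else still reaches the RE (a filter's implicit final action is discard).
set firewall filter manager-ip term accept_everything_else then accept

set interfaces lo0 unit 0 family inet filter input manager-ip
```

The policer values are a starting point, not a recommendation: size mgmt-policer for the largest legitimate transfer you expect over SSH/SCP to the box, or file copies from a manager will be dropped.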

Re: "manager-ip" solution on srx

09-04-2010 01:19 AM

My apologies.

It DOES work.

I need some time to get used to the fact that after a successful commit it still takes a few minutes for the SRX 210 to actually activate the changes.

Cheers :-)


Best Regards

Tom Roholm
JNCIS-ENT, FWV, SEC, SA, WLAN

Re: "manager-ip" solution on srx

09-04-2010 09:12 AM

TRK-NKA wrote:

My apologies.

It DOES work.

I need some time to get used to the fact that after a successful commit it still takes a few minutes for the SRX 210 to actually activate the changes.

Cheers :-)


This should NOT be the case. If you continue experiencing problems, please open a case with JTAC so that the bug can be resolved.

Re: "manager-ip" solution on srx

09-05-2010 01:52 AM

I guess the delay in activation confused me.

It actually does not work.

I can see that in messages: people trying to get in :<

Cheers


Best Regards

Tom Roholm
JNCIS-ENT, FWV, SEC, SA, WLAN

Re: "manager-ip" solution on srx

12-09-2010 03:01 PM

Hi,

Please excuse my ignorance, I am still trying to learn JUNOS. Based on what you described, wouldn't the HTTPS traffic from, let's say, 192.168.1.1 bound for the Internet be blocked as well? I mean, 192.168.1.1 is not part of manager-ip, and according to you, by applying the filter to the loopback interface it will take care of all traffic entering the SRX.

I guess I don't understand how the traffic flows in and out of the filter. Could you explain? Let's say 192.168.1.1 is part of the trust zone and it is trying to reach some HTTPS site on the Internet through the untrust zone.

Thanks

Re: "manager-ip" solution on srx

12-09-2010 03:32 PM

misconfig wrote:

Hi,

Please excuse my ignorance, I am still trying to learn JUNOS. Based on what you described, wouldn't the HTTPS traffic from, let's say, 192.168.1.1 bound for the Internet be blocked as well? I mean, 192.168.1.1 is not part of manager-ip, and according to you, by applying the filter to the loopback interface it will take care of all traffic entering the SRX.

I guess I don't understand how the traffic flows in and out of the filter. Could you explain? Let's say 192.168.1.1 is part of the trust zone and it is trying to reach some HTTPS site on the Internet through the untrust zone.

Thanks


No question is a bad question. The filter only intercepts traffic destined to the SRX, not through the SRX. For transit traffic you'd most often use security flows. Filters are really only for restricting management traffic and CoS, in my opinion.

mawr


Re: "manager-ip" solution on srx

12-09-2010 11:43 PM

Solution (accepted by Automate, Trusted Expert, 08-26-2015 01:27 AM)

Hi Guys,

I'm happy to see I didn't put in the effort for nothing. I really like reading the discussions that follow. And mawr, you're right twice. There indeed is no such thing as a bad question. And yes, you're right about the difference between transit traffic and exception traffic. The filter on the loopback only affects traffic to the device itself!

best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.

Re: "manager-ip" solution on srx

12-10-2010 05:19 AM

Hi,

How do we do this when accessing from untrust? Do we also need to specify some IPs from untrust?

Actually, I have:

filter input-untrust {
    term allow-ssh {
        from {
            source-address {
                home.158.31/32;
            }
            destination-address {
                public.143.2/32;
            }
            protocol tcp;
            destination-port ssh;
        }
        then accept;
    }
    term block-ssh-from-others {
        from {
            protocol tcp;
            destination-port ssh;
        }
        then {
            count discardSSH;
            discard;
        }
    }
    term allow-https {
        from {
            source-address {
                home.158.31/32;
            }
            destination-address {
                public.143.2/32;
            }
            protocol tcp;
            destination-port https;
        }
        then accept;
    }
    term pass-to-flow-policies {
        then accept;
    }
}

 

reth0 {
    redundant-ether-options {
        redundancy-group 1;
    }
    unit 0 {
        family inet {
            filter {
                input input-untrust;
            }
            address public.143.2/29;
        }
    }
}
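
An added example, not the poster's configuration, of how I would rework the input-untrust filter above. Two things stand out in the posted version. First, only SSH from other sources is discarded by the filter; HTTPS from any other source falls through to pass-to-flow-policies and is accepted, so whether it reaches the RE then depends entirely on the untrust zone's host-inbound-traffic setting. Second, a filter on reth0 sees transit packets as well as packets for the SRX itself, so block-ssh-from-others, which has no destination-address match, also drops any SSH the SRX is supposed to forward to hosts behind it. The lo0 filter from the first post needs neither qualification, because lo0 only carries traffic to the device. The home.158.31 and public.143.2 placeholders are kept from the post and must be replaced with real addresses before this will commit; the counter names are assumptions.

```junos
## Added example (not the poster's configuration): untrust interface filter that restricts both
## SSH and HTTPS to the SRX itself to one source, without touching transit traffic.
## home.158.31 and public.143.2 are the poster's placeholders; counter names are assumptions.

## Accept management from the home address, only when the packet is addressed to the SRX itself.
set firewall filter input-untrust term allow-mgmt from source-address home.158.31/32
set firewall filter input-untrust term allow-mgmt from destination-address public.143.2/32
set firewall filter input-untrust term allow-mgmt from protocol tcp
set firewall filter input-untrust term allow-mgmt from destination-port [ ssh https ]
set firewall filter input-untrust term allow-mgmt then count mgmt-accepted
set firewall filter input-untrust term allow-mgmt then accept

## Discard the same ports from everyone else, but only when addressed to the SRX itself.
## Without the destination-address match this term would also drop SSH/HTTPS that the SRX
## forwards to hosts behind it, because an interface filter sees transit packets too.
set firewall filter input-untrust term block-mgmt-from-others from destination-address public.143.2/32
set firewall filter input-untrust term block-mgmt-from-others from protocol tcp
set firewall filter input-untrust term block-mgmt-from-others from destination-port [ ssh https ]
set firewall filter input-untrust term block-mgmt-from-others then count mgmt-blocked
set firewall filter input-untrust term block-mgmt-from-others then discard

## Everything else, transit traffic included, continues to the flow module and the zone policies.
set firewall filter input-untrust term pass-to-flow-policies then accept

set interfaces reth0 unit 0 family inet filter input input-untrust

## Check: show firewall filter input-untrust  (mgmt-blocked increments on a rejected attempt)
```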

Re: "manager-ip" solution on srx

12-10-2010 05:25 AM

Having an IP whitelist makes sure that only known IP addresses can connect to the control plane, at least if you apply the filter to the loopback interface. That is easier than having to put filters on all your interfaces.

Also, you can control the services on the interfaces in the security zone context.


Best Regards

Tom Roholm
JNCIS-ENT, FWV, SEC, SA, WLAN

Re: "manager-ip" solution on srx

12-10-2010 05:40 AM

Team Cymru has some great resources on restricting access to the SRX (and JUNOS as a whole). They provide filters and policers to minimize a DoS on the management interfaces as well.

http://www.cymru.com/gillsr/documents/junos-template.htm

---
JNCIE-SEC #69, JNCIE-ENT #492, JNCSP-SEC, JNCSP-ENT, JNCIS-SP, JNCDS-DC, JNCDS-SEC

Re: "manager-ip" solution on srx

04-17-2017 01:22 PM

How do you do this in J-Web? I've been cracking on this one and I can't put my finger on it.

Re: "manager-ip" solution on srx

05-18-2017 07:05 AM

Totally missed the reply on this old post, sorry! You can configure things like I described and use the point-and-click CLI to manage the list. Or use a technique not available when I wrote the article: the junos-host policy. On an SRX device you can now write a policy from a zone to junos-host and list in that policy who gets access. This policy you can manage in the GUI, of course!

best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
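
An added example, not from Screenie's reply, of the junos-host approach he mentions: an address-set holds the managers, a policy from the untrust zone to the junos-host zone permits SSH and HTTPS from that set, and an explicit, logged deny catches all other self-traffic from that zone so the result does not depend on the default action. The zone name, address names and the list of permitted services are assumptions. Two things still apply: host-inbound-traffic must allow the service in the first place (the policy is evaluated after that check), and any other self-service the zone legitimately needs (IKE for VPN peers, DHCP, routing protocols) must get its own permit policy before the deny, or it will be dropped too.

```junos
## Added example (not from the thread): manager-ip style control with a junos-host policy.
## Zone name "untrust", address names and the service list are assumptions for illustration.

## Managers as an address-set in the global address book, reusable across zones.
set security address-book global address mgmt-net 10.0.0.0/8
set security address-book global address mgmt-host 192.168.4.254/32
set security address-book global address-set manager-ip address mgmt-net
set security address-book global address-set manager-ip address mgmt-host

## The services must still be allowed by host-inbound-traffic; the policy is evaluated after that.
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services https

## Policy 1: SSH and HTTPS to the SRX itself, only from the manager-ip set.
set security policies from-zone untrust to-zone junos-host policy allow-manager match source-address manager-ip
set security policies from-zone untrust to-zone junos-host policy allow-manager match destination-address any
set security policies from-zone untrust to-zone junos-host policy allow-manager match application [ junos-ssh junos-https ]
set security policies from-zone untrust to-zone junos-host policy allow-manager then permit

## Policy 2: explicit, logged deny for all other self-traffic from this zone. Add permit policies
## above this one for any other self-service the zone needs (IKE, DHCP, routing protocols).
set security policies from-zone untrust to-zone junos-host policy deny-others match source-address any
set security policies from-zone untrust to-zone junos-host policy deny-others match destination-address any
set security policies from-zone untrust to-zone junos-host policy deny-others match application any
set security policies from-zone untrust to-zone junos-host policy deny-others then deny
set security policies from-zone untrust to-zone junos-host policy deny-others then log session-init

## Checks:
##   show security policies from-zone untrust to-zone junos-host
##   show security policies hit-count
##   show log messages | match RT_FLOW_SESSION_DENY
```

The lo0 filter from the first post and a junos-host policy are evaluated independently, so both can be present; a packet has to pass both to reach the RE.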