SRX Services Gateway

system-services (Security Zones Host Inbound Traffic) for custom services

‎05-09-2019 06:07 AM

Hi,

If I have allowed traffic for some custom TCP port in a security policy, but that port/service is not available under host-inbound-traffic system-services, then how will that TCP traffic pass through that security zone?

Thank you


Re: system-services (Security Zones Host Inbound Traffic) for custom services

‎05-09-2019 06:16 AM
host-inbound-traffic system-services is checked only when the traffic's destination is the SRX itself; it won't be checked if the traffic is passing through the SRX.

For example, if you telnet/SSH to the SRX, it checks host-inbound-traffic system-services.

If you telnet/SSH to another device connected through the SRX, host-inbound-traffic system-services will not be checked, but the security policy is checked.
Thanks,
Suraj
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too

Re: system-services (Security Zones Host Inbound Traffic) for custom services

‎05-09-2019 10:23 AM
Thank you Suraj.
If I configure a custom port for web access on the untrust interface and try to access it from the outside network, can I access the firewall web interface on the custom port?
I simply want to know, if the service is not available under host-inbound-traffic system-services, what the solution is.

Thank you

Re: system-services (Security Zones Host Inbound Traffic) for custom services

‎05-09-2019 11:01 AM

You need a security policy.

Say you have this topology:

ZONES.png

Configure this:

set security zones security-zone OUTSIDE interfaces ge-0/0/1.0
set security zones security-zone WEB interfaces ge-0/0/2.0

set security address-book global address WEB-SERVER 10.1.1.1/32

set applications application CUSTOM-WEB protocol tcp
set applications application CUSTOM-WEB destination-port 8080
set applications application CUSTOM-WEB application-protocol http

set security policies from-zone OUTSIDE to-zone WEB policy 1 match source-address any
set security policies from-zone OUTSIDE to-zone WEB policy 1 match destination-address WEB-SERVER
set security policies from-zone OUTSIDE to-zone WEB policy 1 match application CUSTOM-WEB
set security policies from-zone OUTSIDE to-zone WEB policy 1 then permit

HTH,

Yasmin Lara - Juniper Ambassador #QuadE - JNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SEC
JNCIS-CLOUD, JNCDS-DC, JNCIA-DevOps

Re: system-services (Security Zones Host Inbound Traffic) for custom services

‎05-09-2019 11:19 AM

WAIT!   Maybe I misunderstood the question.

Are you trying to access j-web on your SRX using a port other than 80?  Something like this? 

WEB ACCESS.png

If so, this is what you need:

[edit system services web-management]
root@R1# show | display set relative
set http port 8080

[edit security zones security-zone OUTSIDE]
root@R1# show | display set relative
set host-inbound-traffic system-services http    <= you still need this!


Yasmin Lara - Juniper Ambassador #QuadE - JNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SEC
JNCIS-CLOUD, JNCDS-DC, JNCIA-DevOps

Re: system-services (Security Zones Host Inbound Traffic) for custom services

‎05-10-2019 02:02 AM

Hi,

Question:

If I configure a custom port for web access on the untrust interface and try to access it from the outside network, can I access the firewall web interface on the custom port?
I simply want to know, if the service is not available under host-inbound-traffic system-services, what the solution is.

Answer:

Service (http-custom)* has to be enabled on the outside interface zone.

https access won't work if the http service is not available under host-inbound-traffic system-services.

* - Needs to be defined

Regards,
Rahul
Solution (accepted by topic author Nik_MH, 05-10-2019 06:00 AM)

Re: system-services (Security Zones Host Inbound Traffic) for custom services

‎05-10-2019 02:36 AM

Hi,

You do not need to allow any custom port explicitly. You just need to allow system-services http; the custom port is then allowed automatically.

root@srx# show system services web-management
http {
    port 8080;
}

root@srx# show security zones functional-zone management
interfaces {
    ge-0/0/0.0;
}
host-inbound-traffic {
    system-services {
        ping;
        ssh;
        telnet;
        http;    <<< I only have http allowed
        https;
        snmp;
        ntp;
        ftp;
    }
}

root@srx# run show system connections | grep 8080
tcp46      0      0  *.8080          *.*             LISTEN
tcp4       0      0  *.8080          *.*             LISTEN


J-WEB on port 8080 works with the above configuration (screenshot attached).

I hope this helps.

Regards,
Vikas
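As an added example (it is not configuration from any post in this thread), here is what a practitioner would typically pair with Yasmin's and Vikas's answers when J-Web has to be reachable from an untrusted zone. It keeps the point both of them make: the zone's host-inbound-traffic entry names the service (https), not the port, and the non-default port lives under web-management. Because host-inbound-traffic is all-or-nothing per zone, the example also adds a loopback (lo0) firewall filter so that only one administrator address can reach the management port; on Junos an input filter on lo0 applies to all traffic destined to the device itself, whichever interface it arrives on. The zone name OUTSIDE, the port 8443, the filter and term names, and the administrator address 203.0.113.10 are assumptions chosen for illustration.

```junos
/* Added example, not the thread's own configuration. */
/* Assumed for illustration: zone OUTSIDE, J-Web port 8443, admin host 203.0.113.10 */
system {
    services {
        web-management {
            /* J-Web over TLS only; the port is chosen here, not in the zone */
            https {
                port 8443;
                system-generated-certificate;
            }
        }
    }
}
security {
    zones {
        security-zone OUTSIDE {
            /* host-inbound-traffic matches on the service name; the port configured above is not repeated here */
            host-inbound-traffic {
                system-services {
                    https;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
    }
}
firewall {
    family inet {
        filter PROTECT-RE {
            /* Only the admin host may reach the J-Web port on the device itself */
            term ALLOW-ADMIN-JWEB {
                from {
                    source-address {
                        203.0.113.10/32;
                    }
                    protocol tcp;
                    destination-port 8443;
                }
                then accept;
            }
            /* Everyone else trying the J-Web port is counted, logged and dropped */
            term DENY-OTHER-JWEB {
                from {
                    protocol tcp;
                    destination-port 8443;
                }
                then {
                    count JWEB-DENIED;
                    log;
                    discard;
                }
            }
            /* A lo0 filter ends in an implicit discard, so everything else host-bound must be accepted explicitly */
            term ALLOW-REST {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE;
                }
            }
        }
    }
}
```

Load it with `load merge terminal` and commit. To check the result, `show security zones OUTSIDE` lists the host-inbound system-services the zone allows, `show firewall filter PROTECT-RE` shows the JWEB-DENIED counter climbing when anything other than the admin host probes port 8443, and `show firewall log` shows the dropped packets. The final accept term matters: without it the lo0 filter would also drop routing, VPN and other host-bound traffic.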