ScreenOS Firewalls (NOT SRX)

Unexpected traffic getting through SSG-350M to DMZ

12-21-2018 06:59 AM

I have had very little experience with Junipers and inherited my firewall from my predecessor. I have a server in my DMZ that has been responding to port requests to 445, when I expected it to be blocking that traffic.

My concern is that I am making some false assumptions and am allowing traffic through that I am not aware of, and I am looking for some guidance on whether that concern is valid as well as the reason the traffic was going through.

My guess is that this should be done with a VIP instead of MIP.

 

MIP interface:

set interface "loopback.1" mip 100.101.102.103 host 10.9.8.7 netmask 255.255.255.255 vr "trust-vr"

Service setup:

set service "microsoft-ds" protocol tcp src-port 0-65535 dst-port 445-445

Policy (that was allowing TCP/445):

set policy id 362 name "UBNT" from "Untrust" to "DMZ" "Any" "MIP(100.101.102.103)" "ICMP-ANY" permit log
set policy id 362
set service "TCP/5067"
set service "TCP/8267"
exit

Policy that blocked 445 (above previous policy):

set policy id 370 name "UBNT" from "Untrust" to "DMZ" "Any" "MIP(100.101.102.103)" "microsoft-ds" deny log
set policy id 370
exit

 

My assumption was, before this hole was found, that only those ports that were named in policy 362 would be allowed (false assumption). I have a good number of other MIPs set up and want to make sure that the system is secure.

Any suggestions and/or thoughts are appreciated.

 

Re: Unexpected traffic getting through SSG-350M to DMZ

12-21-2018 09:44 AM

It is possible that the traffic is hitting a different policy.  Can you provide the output of "debug flow basic"?

 

set ff dst-ip 10.9.8.7 dst-port 445
set ff dst-ip 100.101.102.103 dst-port 445
set ff src-ip 10.9.8.7 src-port 445
set ff src-ip 100.101.102.103 dst-port 445
debug flow basic

Wait for traffic...

undebug all
get db str


Re: Unexpected traffic getting through SSG-350M to DMZ

12-21-2018 11:44 AM

Hoping this gives the answer.

 

 

Attachments

Solution
Accepted by topic author DMalt 12-22-2018 07:27 AM

Re: Unexpected traffic getting through SSG-350M to DMZ

12-21-2018 01:46 PM

It shows that the traffic is being permitted by policy 362. Can you provide the output of

get config | inc "TCP/5067"
get config | inc "TCP/8267"
get config | inc "microsoft-ds"



Re: Unexpected traffic getting through SSG-350M to DMZ

12-21-2018 04:59 PM

The difference between VIP and MIP:

VIP is flexible port forwarding, only sending the specified ports in the configuration and only in the direction configured.

MIP is for Mapped IP, meaning a one-to-one bidirectional mapping of the outside IP address. These simplify configurations because you don't need to create both an inbound policy plus an outbound source NAT policy.

What traffic is permitted is further controlled by the security policy on top of these NAT objects.


Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Unexpected traffic getting through SSG-350M to DMZ

12-22-2018 07:26 AM

That looks like the answer. Whoever created the rule apparently got it "a bit" wrong for TCP/5067. Already tested and it works as it should. THANKS!

Here is the output you asked for:


Remote Management Console
COFW1-> get config | inc "TCP/5067"
set service "TCP/5067" protocol tcp src-port 0-65535 dst-port 0-5067
set service "TCP/5067"
COFW1-> get config | inc "TCP/8267"
set service "TCP/8267" protocol tcp src-port 0-65535 dst-port 8267-8267
set service "TCP/8267"
COFW1-> get config | inc "microsoft-ds"
set service "microsoft-ds" protocol tcp src-port 0-65535 dst-port 445-445
set policy id 370 name "UBNT" from "Untrust" to "DMZ" "Any" "MIP(205.219.98.89)" "microsoft-ds" deny log
COFW1->
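As an added example (not code from this thread, from Juniper, or from any of the posters), here is a small Python audit that parses `set service` and `set policy` lines of the kind shown above and answers the two questions the thread raises: which custom services cover more destination ports than their name implies (the `TCP/5067` service with `dst-port 0-5067` that silently included 445), and which policy is the first match for a given destination port once policy order is taken into account. The config text is a constructed reconstruction of the lines posted in the thread; the policy order (362 ahead of 370) and the treatment of predefined services such as `ICMP-ANY` as not matching TCP ports are assumptions made for the example.

```python
"""Audit ScreenOS service/policy lines for over-broad port ranges.

Added example; not code from the thread or from Juniper. Input is a
constructed reconstruction of the lines posted in the thread.
"""
import re

# Constructed sample config. The policy order (362 listed before 370) is an
# assumption made here so the walk reproduces the thread's debug result.
SAMPLE_CONFIG = """\
set service "microsoft-ds" protocol tcp src-port 0-65535 dst-port 445-445
set service "TCP/5067" protocol tcp src-port 0-65535 dst-port 0-5067
set service "TCP/8267" protocol tcp src-port 0-65535 dst-port 8267-8267
set policy id 362 name "UBNT" from "Untrust" to "DMZ" "Any" "MIP(100.101.102.103)" "ICMP-ANY" permit log
set policy id 362
set service "TCP/5067"
set service "TCP/8267"
exit
set policy id 370 name "UBNT" from "Untrust" to "DMZ" "Any" "MIP(100.101.102.103)" "microsoft-ds" deny log
set policy id 370
exit
"""

SERVICE_RE = re.compile(r'^set service "([^"]+)" protocol (\w+) '
                        r'src-port (\d+)-(\d+) dst-port (\d+)-(\d+)$')
POLICY_RE = re.compile(r'^set policy id (\d+) name "[^"]*" from "([^"]+)" '
                       r'to "([^"]+)"\s+"[^"]+"\s+"([^"]+)"\s+"([^"]+)" (permit|deny)')
POLICY_CTX_RE = re.compile(r'^set policy id (\d+)$')
CTX_SERVICE_RE = re.compile(r'^set service "([^"]+)"$')
NAMED_PORT_RE = re.compile(r'^(?:TCP|UDP)/(\d+)$', re.IGNORECASE)


def parse_config(text):
    """Return ({service: (proto, dst_lo, dst_hi)}, [policy dicts in config order])."""
    services, policies, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SERVICE_RE.match(line):
            name, proto, _, _, lo, hi = m.groups()
            services[name] = (proto.lower(), int(lo), int(hi))
        elif m := POLICY_RE.match(line):
            pid, src_zone, dst_zone, dst_addr, svc, action = m.groups()
            policies.append({"id": int(pid), "from": src_zone, "to": dst_zone,
                             "dst": dst_addr, "services": [svc], "action": action})
        elif m := POLICY_CTX_RE.match(line):
            # 'set policy id N' enters that policy's context; the following
            # 'set service' lines add more services to the policy.
            pid = int(m.group(1))
            current = next((p for p in policies if p["id"] == pid), None)
        elif (m := CTX_SERVICE_RE.match(line)) and current is not None:
            current["services"].append(m.group(1))
        elif line == "exit":
            current = None
    return services, policies


def service_matches(services, name, proto, dport):
    spec = services.get(name)
    if spec is None:
        # Predefined services (e.g. ICMP-ANY) have no 'set service' line;
        # this simplified audit treats them as not matching TCP/UDP ports.
        return False
    sproto, lo, hi = spec
    return sproto == proto and lo <= dport <= hi


def first_match(services, policies, from_zone, to_zone, proto, dport):
    """First policy (in list order) whose service set covers proto/dport."""
    for p in policies:
        if p["from"] != from_zone or p["to"] != to_zone:
            continue
        for svc in p["services"]:
            if service_matches(services, svc, proto, dport):
                return p["id"], p["action"], svc
    return None


def overbroad_services(services):
    """Services named TCP/<n> or UDP/<n> whose dst-port range is wider than <n>."""
    findings = []
    for name, (_, lo, hi) in services.items():
        if (m := NAMED_PORT_RE.match(name)) and (lo, hi) != (int(m.group(1)),) * 2:
            findings.append((name, lo, hi))
    return findings


if __name__ == "__main__":
    services, policies = parse_config(SAMPLE_CONFIG)
    for name, lo, hi in overbroad_services(services):
        print(f"over-broad service {name}: dst-port {lo}-{hi}")
    print("tcp/445 Untrust->DMZ:",
          first_match(services, policies, "Untrust", "DMZ", "tcp", 445))
```

Run against the sample, the audit flags `TCP/5067` (dst-port 0-5067) and reports that TCP/445 from Untrust to DMZ is first matched by policy 362 as a permit via that service, which is what the debug flow output in the thread showed. Reversing the policy list makes policy 370 the first match and the result a deny, so a config review after an incident like this should check both the service definitions behind each permit and the order in which policies are evaluated.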