Screen OS

I have had very little experience with Junipers and inherited my firewall from my predecessor.  I have a server in my DMZ that has been responding to port requests to 445, when I expected it to be blocking that traffic. 

 My concern is that I am making some false assumptions and am allowing traffic through that I am not aware of and am looking for some guidance on whether that concern is valid as well as the reason the traffic was going through. 

 My guess is that this should be done with a VIP instead of MIP.

MIP interface:

set interface "loopback.1" mip 100.101.102.103 host 10.9.8.7 netmask 255.255.255.255 vr "trust-vr"

Service setup:

set service "microsoft-ds" protocol tcp src-port 0-65535 dst-port 445-445

Policy (that was allowing TCP/445):

set policy id 362 name "UBNT" from "Untrust" to "DMZ"  "Any" "MIP(100.101.102.103)" "ICMP-ANY" permit log

set policy id 362

set service "TCP/5067"

set service "TCP/8267"

exit

Policy that blocked 445 (above previous policy):

set policy id 370 name "UBNT" from "Untrust" to "DMZ"  "Any" "MIP(100.101.102.103)" "microsoft-ds" deny log

set policy id 370

exit

My assumption was, before this hole was found, only those ports that were named in policy 362 would be allowed (false assumptoin).   I have a good number of other MIPs setup and want to make sure that the system secure.

Any suggestions and/or thoughts are apreciated.

It is possible that the traffic is hitting a different policy.  Can you provide the output of "debug flow basic"?

set ff dst-ip 10.9.8.7 dst-port 445

set ff dst-ip 100.101.102.103 dst-port 445

set ff src-ip 10.9.8.7 src-port 445

set ff src-ip 100.101.102.103 dst-port 445

debug flow basic

Wait for traffic...

undebug all

get db str

Hoping this gives the answer.

Attachment(s)

port445test.txt   9 KB 1 version

It shows that the traffic is being permitted by policy 362.  Can you provide the output of

get config | inc "TCP/5067"

get config | inc "TCP/8267"

get config | inc "microsoft-ds"

That looks like the answer.  Whoever created the rule apparently got it "a bit" wrong for TCP/5067.  Already tested and it works as it should.  THANKS!

Here is the output you asked for:

Remote Management Console
COFW1-> get config | inc "TCP/5067"
set service "TCP/5067" protocol tcp src-port 0-65535 dst-port 0-5067
set service "TCP/5067"
COFW1-> get config | inc "TCP/8267"
set service "TCP/8267" protocol tcp src-port 0-65535 dst-port 8267-8267
set service "TCP/8267"
COFW1-> get config | inc "microsoft-ds"
set service "microsoft-ds" protocol tcp src-port 0-65535 dst-port 445-445
set policy id 370 name "UBNT" from "Untrust" to "DMZ" "Any" "MIP(205.219.98.89)" "microsoft-ds" deny log
COFW1->

The difference between VIP and MIP:

VIP is flexible port forwarding only sending the specified ports in the configuration and only in the direction configured.

MIP is for Mapped IP meaning a one-to-one bidirectional mapping of the outside ip address.   These simplify configurations because you don't need to create both an inbound policy plus and outbound source nat policy.

What traffic is permitted is further controlled by the security policy on top of these nat objects.