Restrict specific IP addresses that can manage the J Series/SRX device.
To restrict which IP address can manage the J Series/SRX device:
- Use a firewall filter, OR
- Use a security policy.
These two approaches are described below.
1: Use a firewall filter to allow/deny packets before coming into flow.
The logic is to configure a firewall filter that accepts traffic only from the IP addresses you want to manage the device and denies everything else.
First, configure a prefix-list called manager-ip, as shown below:
policy-options {
    prefix-list manager-ip {
        10.1.1.0/24;
        1.1.1.1/32;
        172.16.10.0/24;
        192.168.10.0/24;
        192.168.100.0/24;
    }
}
Next, configure a firewall filter that accepts packets whose source is in the manager-ip prefix-list. Everything else (0.0.0.0/0) falls through to the implicit discard at the end of a Junos firewall filter, so only the sources listed in the manager-ip prefix-list are able to manage the device. Special considerations are needed for DHCP. In this example, we add a term for dhcp, so that DHCP discover and offer packets can pass between the Routing Engine and the interfaces:
firewall {
    filter lo-filter {
        term limited-ip {          <=== term to accept only "manager-ip" defined as a prefix-list
            from {
                source-prefix-list {
                    manager-ip;
                }
            }
            then accept;
        }
        term dhcp {                <=== term added as needed when DHCP is required
            from {
                protocol udp;
                source-port [ 67 68 ];
                destination-port [ 67 68 ];
            }
            then accept;
        }
    }
}
Next, apply this filter to the loopback interface. A filter on lo0 is evaluated for every packet destined to the device itself (host-bound traffic), whichever physical interface the packet arrives on, so lo-filter protects all management paths at once.
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input lo-filter;   <=== specify the "lo-filter" as an input filter on lo0 interface
                }
            }
        }
    }
}
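Because a mistake in a lo0 input filter cuts off the management session that is editing it, it helps to walk the filter logic on paper before committing. The following Python is an added example (not from the Juniper article) that models lo-filter from the page: the manager-ip prefix-list, the two terms in order, and the implicit discard at the end. It also lists hosts that the prefix-list does not cover, which is the check to run for the routing peers and IPsec endpoints mentioned at the end of this article. The packet fields (src, proto, sport, dport) are my own representation.

```python
import ipaddress

# manager-ip prefix-list exactly as configured on the page
MANAGER_IP = [ipaddress.ip_network(p) for p in (
    "10.1.1.0/24", "1.1.1.1/32", "172.16.10.0/24",
    "192.168.10.0/24", "192.168.100.0/24",
)]


def term_limited_ip(pkt):
    """term limited-ip: from source-prefix-list manager-ip."""
    src = ipaddress.ip_address(pkt["src"])
    return any(src in net for net in MANAGER_IP)


def term_dhcp(pkt):
    """term dhcp: protocol udp, source-port [67 68], destination-port [67 68]."""
    return (pkt.get("proto") == "udp"
            and pkt.get("sport") in (67, 68)
            and pkt.get("dport") in (67, 68))


# Terms are evaluated top to bottom; the first match decides the action.
TERMS = [
    ("limited-ip", term_limited_ip, "accept"),
    ("dhcp", term_dhcp, "accept"),
]


def lo_filter(pkt):
    """Return (term name, action) for a host-bound packet.

    A packet that matches no term hits the implicit discard that Junos
    appends to every firewall filter.
    """
    for name, matches, action in TERMS:
        if matches(pkt):
            return name, action
    return "implicit", "discard"


def uncovered(hosts):
    """Hosts (strings) that no manager-ip prefix covers, in input order."""
    return [h for h in hosts
            if not any(ipaddress.ip_address(h) in n for n in MANAGER_IP)]


if __name__ == "__main__":
    # Constructed sample packets: SSH from an allowed and a stray source,
    # plus a DHCP discover (0.0.0.0:68 -> 67) that the dhcp term must accept.
    for p in ({"src": "10.1.1.5", "proto": "tcp", "sport": 40000, "dport": 22},
              {"src": "203.0.113.9", "proto": "tcp", "sport": 40000, "dport": 22},
              {"src": "0.0.0.0", "proto": "udp", "sport": 68, "dport": 67}):
        print(p["src"], "->", lo_filter(p))
    print("not covered:", uncovered(["10.1.1.5", "192.168.1.1"]))
```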
2: Use a security policy from incoming zone to junos-host zone.
Starting with Junos OS Release 11.4, you can apply security services to the device's own (self) traffic by referencing the junos-host zone in security policies.
To do this, create a security policy from the mgmt zone to the junos-host zone that permits all management services from the manager-ip address set and denies everything else:
[edit security policies]
root@SRX-1# show
from-zone mgmt to-zone junos-host {
    policy MgmtAccess {
        match {
            source-address manager-ip;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
    policy denyall {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            deny;
        }
    }
}
default-policy {
    deny-all;
}
[edit security zones]
root@SRX-1# show
security-zone mgmt {
    address-book {
        address 10.1.1.0/24 10.1.1.0/24;
        address 1.1.1.1/32 1.1.1.1/32;
        address 172.16.10.0/24 172.16.10.0/24;
        address 192.168.10.0/24 192.168.10.0/24;
        address 192.168.100.0/24 192.168.100.0/24;
        address-set manager-ip {
            address 10.1.1.0/24;
            address 1.1.1.1/32;
            address 172.16.10.0/24;
            address 192.168.10.0/24;
            address 192.168.100.0/24;
        }
    }
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        lo0.0;
    }
}
Note: This solution applies to all traffic terminating at the device itself, not just management sessions. If you have IPsec traffic, OSPF/RIP/BGP peerings, or any other traffic that terminates on an interface of the device, you will need to add those peer IPs to the manager-ip prefix-list (or, with the security-policy approach, to the manager-ip address set).