
[J Series/SRX] How to restrict management access to specific IP addresses in Junos


Article ID: KB21265   Last Updated: 11 Jul 2016   Version: 9.0
Summary:

Restrict specific IP addresses that can manage the J Series/SRX device.

Symptoms:
  • Restricting which IP address can manage the device
  • Junos equivalent to Manager-IP feature found in ScreenOS 
Solution:

To restrict which IP address can manage the J Series/SRX device:

  • Use a firewall filter, OR
  • Use a security policy.

These two approaches are described below.

1: Use a firewall filter to accept or discard packets before they enter the flow module.

The logic is to configure a firewall filter that discards everything except traffic from the IP addresses you want to be able to manage the device.

First, configure a prefix-list called manager-ip, as shown below:

policy-options {
    prefix-list manager-ip {
        10.1.1.0/24;
        1.1.1.1/32;
        172.16.10.0/24;
        192.168.10.0/24;
        192.168.100.0/24;
    }
}

Next, configure a firewall filter that accepts only sources in the manager-ip prefix-list. Every other source (all of 0.0.0.0/0 with the exception of the manager-ip list) matches no term and is dropped by the filter's implicit final discard. This is a reverse match, so only the prefixes in the manager-ip prefix-list are able to manage the device. DHCP needs special consideration: in this example, a dhcp term is added so that DHCP discover and offer packets can pass between the Routing Engine and the interfaces:

firewall {
    filter lo-filter {
        term limited-ip {          <=== term to accept only "manager-ip" defined as a prefix-list
            from {
                source-prefix-list {
                    manager-ip;
                }
            }
            then accept;
        }
        term dhcp {                <=== term added as needed when DHCP is required
            from {
                protocol udp;
                source-port [ 67 68 ];
                destination-port [ 67 68 ];
            }
            then accept;
        }
    }
}

Next, apply this filter as an input filter on the loopback interface. Traffic destined for the Routing Engine itself is evaluated against the lo0 input filter no matter which physical interface it arrived on, so lo-filter governs management access on every interface of the box.

interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input lo-filter;  <=== specify the "lo-filter" as an input filter on lo0 interface
                }
            }
        }
    }
}

2: Use a security policy from the incoming zone to the junos-host zone.

Starting with Junos OS Release 11.4, security services can be applied to the device's own (self) traffic by referencing the junos-host zone in security policies.

To do this, create a security policy from the mgmt zone to the junos-host zone that permits all management services from the manager-ip address-set and denies everything else.

[edit security policies]
root@SRX-1# show
from-zone mgmt to-zone junos-host {
    policy MgmtAccess {
        match {
            source-address manager-ip;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
    policy denyall {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            deny;
        }
    }
}
default-policy {
    deny-all;
}
[edit security zones]
root@SRX-1# show
security-zone mgmt {
    address-book {
        address 10.1.1.0/24 10.1.1.0/24;
        address 1.1.1.1/32 1.1.1.1/32;
        address 172.16.10.0/24 172.16.10.0/24;
        address 192.168.10.0/24 192.168.10.0/24;
        address 192.168.100.0/24 192.168.100.0/24;
        address-set manager-ip {
            address 10.1.1.0/24;
            address 1.1.1.1/32;
            address 172.16.10.0/24;
            address 192.168.10.0/24;
            address 192.168.100.0/24;
        }
    }
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        lo0.0;
    }
}

Note: This solution applies to traffic terminating at the device itself. If you have IPsec traffic, OSPF/RIP/BGP, or any other traffic that terminates on an interface of the device itself, you will need to add the peer's IP address to the manager-ip prefix-list as well.
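The following Python model (an added example, not part of the Juniper article and not a Junos tool) walks constructed host-bound packets through the lo-filter terms from approach 1 in configuration order, ending in the implicit discard; the same accept/deny outcome is what the MgmtAccess/denyall policy pair in approach 2 produces. It also shows the case in the note above: a BGP peer is discarded until its address is added to manager-ip. Prefix values are the article's; the sample packets and peer address are constructed.

```python
import ipaddress

# Prefix-list "manager-ip" as configured in the article.
MANAGER_IP = [ipaddress.ip_network(p) for p in (
    "10.1.1.0/24", "1.1.1.1/32", "172.16.10.0/24",
    "192.168.10.0/24", "192.168.100.0/24")]

def build_lo_filter(prefixes):
    """Model of 'filter lo-filter' as an ordered list of (term, match, action)."""
    def limited_ip(pkt):
        # term limited-ip: from source-prefix-list manager-ip; then accept
        src = ipaddress.ip_address(pkt["src"])
        return any(src in net for net in prefixes)

    def dhcp(pkt):
        # term dhcp: protocol udp, source-port [67 68], destination-port [67 68]
        return (pkt.get("proto") == "udp"
                and pkt.get("sport") in (67, 68)
                and pkt.get("dport") in (67, 68))

    return [("limited-ip", limited_ip, "accept"), ("dhcp", dhcp, "accept")]

def evaluate(pkt, terms=None):
    """Return (term, action) for a host-bound packet. Terms are tried in order
    and the first match wins; a packet matching no term hits the filter's
    implicit discard, which is what blocks every non-manager source."""
    if terms is None:
        terms = build_lo_filter(MANAGER_IP)
    for name, match, action in terms:
        if match(pkt):
            return name, action
    return None, "discard"

def with_peer(peer_cidr):
    """Filter rebuilt after adding a routing/VPN peer to manager-ip (the note's fix)."""
    return build_lo_filter(MANAGER_IP + [ipaddress.ip_network(peer_cidr)])

# Constructed sample packets (not from the article).
SAMPLES = [
    {"src": "10.1.1.5", "proto": "tcp", "dport": 22},                     # SSH, manager subnet
    {"src": "203.0.113.9", "proto": "tcp", "dport": 443},                 # J-Web, outsider
    {"src": "0.0.0.0", "proto": "udp", "sport": 68, "dport": 67},         # DHCP discover
    {"src": "198.51.100.2", "proto": "tcp", "sport": 179, "dport": 179},  # BGP peer
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(pkt, "->", evaluate(pkt))
    print("BGP peer after adding it to manager-ip ->",
          evaluate(SAMPLES[3], with_peer("198.51.100.2/32")))
```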
