Port Opening and Blocking on Juniper SRX Firewall


Juniper SRX uses zone-to-zone policies for port opening and blocking. Each interface belongs to a security zone; the sample network and zone layout is shown in the image:

Below is a step-by-step guide to port/service opening and blocking. Refer to the image above, which shows a sample firewall with multiple zones.

  1. Address/address group object creation – on a Juniper SRX firewall, the single address objects must be declared before an address group (address-set) can reference them. The command used to create an address object is:

set security address-book global address <address-name> <ip-address/prefix-length>

set security address-book global address H_10.256.3.9/32 10.256.3.9/32

set security address-book global address H_192.168.1.2/24 192.168.1.2/24

set security address-book global address N_10.0.0.3/8 10.0.0.3/8

Note that 10.256.3.9 is not a valid IPv4 address (each octet runs from 0 to 255), so the commit would reject that object as written; use a real host address in practice.

NOTE: For SRX, an address object is created globally, unlike Netscreen, where it is based on a security zone.

After creating the address objects, an address group (address-set) can be declared. To create the address group "ADMIN_IP":

set security address-book global address-set <address-group-name> address <address-object>

set security address-book global address-set ADMIN_IP address H_10.256.3.9/32

set security address-book global address-set ADMIN_IP address H_192.168.1.2/24

set security address-book global address-set ADMIN_IP address N_10.0.0.3/8

  2. Service/service group object creation – a service (application) object is created with the command below, either for a single destination port or for a port range:

set applications application <service-name> protocol <tcp|udp> destination-port <port>

set applications application <service-name> protocol <tcp|udp> destination-port <low-port>-<high-port>

set applications application tcp-80 protocol tcp destination-port 80

set applications application tcp-25 protocol tcp destination-port 25

set applications application udp-21 protocol udp destination-port 21

set applications application udp-3389-3390 protocol udp destination-port 3389-3390

(Standard FTP control and RDP run over TCP on ports 21 and 3389; declare those objects with protocol tcp if those are the services you intend to open.)

After declaring the service objects, a service group object (application-set) can be declared with the following syntax:

set applications application-set <service-group-name> application <service-object>

set applications application-set SAMPLE_PORTS application tcp-80

set applications application-set SAMPLE_PORTS application tcp-25

set applications application-set SAMPLE_PORTS application udp-21

set applications application-set SAMPLE_PORTS application udp-3389-3390

  3. Policy creation – the policy can now be declared, since the address/address group and service/service group objects exist. Zone names, like other Junos identifiers, cannot contain unquoted spaces, hence FILE_SERVERS below.

set security policies from-zone <src-zone> to-zone <dst-zone> policy <policy-name> match source-address <source address/address group>

set security policies from-zone <src-zone> to-zone <dst-zone> policy <policy-name> match destination-address <destination address/address group>

set security policies from-zone <src-zone> to-zone <dst-zone> policy <policy-name> match application <service/service group>

set security policies from-zone <src-zone> to-zone <dst-zone> policy <policy-name> then <permit|deny>

set security policies from-zone <src-zone> to-zone <dst-zone> policy <policy-name> then log session-close

set security policies from-zone FILE_SERVERS to-zone APPLICATION_SERVER policy APPLICATION_ACCESS match source-address ADMIN_IP

set security policies from-zone FILE_SERVERS to-zone APPLICATION_SERVER policy APPLICATION_ACCESS match destination-address SECURED_APP

set security policies from-zone FILE_SERVERS to-zone APPLICATION_SERVER policy APPLICATION_ACCESS match application SAMPLE_PORTS

set security policies from-zone FILE_SERVERS to-zone APPLICATION_SERVER policy APPLICATION_ACCESS then permit

set security policies from-zone FILE_SERVERS to-zone APPLICATION_SERVER policy APPLICATION_ACCESS then log session-close

NOTE: The address object/address group object, service object/service group object and policy created above are based on the image above (firewall port opening/blocking). This is an example of a zone-based policy that opens ports 80, 21, 25 and 3389 from a specific admin user to a server (the application server).
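The three steps above (address objects and address-set, service objects and application-set, then the zone-to-zone policy) are easy to get subtly wrong by hand: an invalid octet, a zone name with a space, a misspelled keyword such as "destination port". The script below is an added example, not part of the original post, that generates the set commands for the whole procedure from plain Python data and validates the inputs first, so mistakes are caught before anything is pasted into the SRX. It assumes the zone written as "FILE SERVERS" in the post is named FILE_SERVERS, uses a constructed destination host 10.1.1.10/32 for SECURED_APP, replaces the invalid 10.256.3.9 with the constructed 10.25.3.9, and derives the H_/N_ name prefix from the prefix length rather than copying the post's names verbatim.

```python
"""Generate and sanity-check Junos SRX 'set' commands for a zone-to-zone port-opening policy.

Added example, not code from the original post. Object and zone names mirror the
article where possible; FILE_SERVERS is an assumed spelling of 'FILE SERVERS'.
"""
import ipaddress
import re
from typing import Dict, List

# Junos identifiers cannot contain unquoted spaces; keep to a conservative character set.
_IDENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.:/-]*$")


def is_ident(name: str) -> bool:
    """True if the Junos parser would accept the name unquoted ('FILE SERVERS' fails)."""
    return bool(_IDENT.match(name))


def ident(name: str) -> str:
    if not is_ident(name):
        raise ValueError(f"invalid Junos identifier: {name!r}")
    return name


def is_valid_prefix(prefix: str) -> bool:
    """True for a well-formed x.x.x.x/y; octets above 255 (e.g. 10.256.3.9/32) fail."""
    try:
        ipaddress.ip_network(prefix, strict=False)  # strict=False allows host bits, e.g. 192.168.1.2/24
    except ValueError:
        return False
    return True


def address_cmds(set_name: str, prefixes: List[str]) -> List[str]:
    """Step 1: one global address object per prefix, then the address-set that groups them.
    Names use H_<prefix> for a single host (/32) and N_<prefix> for a network."""
    cmds, objects = [], []
    for prefix in prefixes:
        if not is_valid_prefix(prefix):
            raise ValueError(f"invalid prefix: {prefix!r}")
        net = ipaddress.ip_network(prefix, strict=False)
        tag = "H" if net.prefixlen == net.max_prefixlen else "N"
        obj = ident(f"{tag}_{prefix}")
        objects.append(obj)
        cmds.append(f"set security address-book global address {obj} {prefix}")
    for obj in objects:
        cmds.append(f"set security address-book global address-set {ident(set_name)} address {obj}")
    return cmds


def service_cmds(set_name: str, services: Dict[str, str]) -> List[str]:
    """Step 2: services given as {name: 'proto/port' or 'proto/low-high'}, then the application-set."""
    cmds = []
    for name, spec in services.items():
        proto, _, ports = spec.partition("/")
        if proto not in ("tcp", "udp"):
            raise ValueError(f"{name}: protocol must be tcp or udp, got {proto!r}")
        low, _, high = ports.partition("-")
        for port in (low, high or low):
            if not 1 <= int(port) <= 65535:
                raise ValueError(f"{name}: port {port} out of range")
        cmds.append(f"set applications application {ident(name)} protocol {proto} destination-port {ports}")
    for name in services:
        cmds.append(f"set applications application-set {ident(set_name)} application {name}")
    return cmds


def policy_cmds(from_zone: str, to_zone: str, name: str, src: str, dst: str, app: str,
                action: str = "permit", log: bool = True) -> List[str]:
    """Step 3: the zone-to-zone policy; action is 'permit' or 'deny', session-close logging optional."""
    if action not in ("permit", "deny"):
        raise ValueError(f"action must be permit or deny, got {action!r}")
    base = (f"set security policies from-zone {ident(from_zone)} to-zone {ident(to_zone)} "
            f"policy {ident(name)}")
    cmds = [
        f"{base} match source-address {ident(src)}",
        f"{base} match destination-address {ident(dst)}",
        f"{base} match application {ident(app)}",
        f"{base} then {action}",
    ]
    if log:
        cmds.append(f"{base} then log session-close")
    return cmds


def build_config() -> List[str]:
    """The article's scenario end to end. Inputs are constructed: 10.25.3.9 stands in for the
    invalid 10.256.3.9, and 10.1.1.10/32 is an assumed address for SECURED_APP."""
    return (
        address_cmds("ADMIN_IP", ["10.25.3.9/32", "192.168.1.2/24", "10.0.0.3/8"])
        + address_cmds("SECURED_APP", ["10.1.1.10/32"])
        + service_cmds("SAMPLE_PORTS", {"tcp-80": "tcp/80", "tcp-25": "tcp/25",
                                        "udp-21": "udp/21", "udp-3389-3390": "udp/3389-3390"})
        + policy_cmds("FILE_SERVERS", "APPLICATION_SERVER", "APPLICATION_ACCESS",
                      "ADMIN_IP", "SECURED_APP", "SAMPLE_PORTS")
    )


if __name__ == "__main__":
    print("\n".join(build_config()))
```

Run it and paste the output into `configure` mode, then review with `show | compare` before `commit`. Keeping the generator as the source of truth also makes the intended access (which admin addresses, which ports, which zones) reviewable as data rather than as a pile of set lines.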

 

For global policy creation in SRX Juniper firewall and other related topics that you would like us to explore, contact us at ask@mynetworkdojo.com.

