Juniper SRX data center firewall default security policy

Being a routing and switching guy (mostly service provider stuff), I don’t deal with firewalls very often, because I am far from a security expert and I would be doing a disservice to my clients. However, this week I was tasked with getting two brand new Juniper SRX1400s set up and updated, and I learned three things during the process: 1) unlike the branch-series SRXs, the data-center series comes with very little configuration and no security configuration whatsoever; 2) if no policy is configured, the default policy is to deny; and 3) there’s a difference between inbound host packets (traffic destined to the firewall itself) and transit packets (traffic forwarded through it), and at the very least the host-inbound configuration must be set before you can do anything to the firewall. Example below:

show security

zones {
    security-zone untrust {
        interfaces {
            xe-0/0/7.0 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
            }
        }
    }
}

show security | display set

set security zones security-zone untrust interfaces xe-0/0/7.0 host-inbound-traffic system-services all

A couple caveats:

First, if this is the only configuration you add, you’ll probably find people trying to brute force any services you have running on the firewall itself, such as SSHD, within minutes.

Second, the statement must be applied to a logical interface and not a physical interface (xe-0/0/7.0 vs. xe-0/0/7) in order for it to work.
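The two caveats above suggest a tighter starting point than `system-services all`. The following is an added example, not configuration from the original post or from Juniper: it limits host-inbound traffic on the logical interface to SSH and ping, drops SSH to the routing engine from anything outside a management prefix with a loopback filter, and adds one transit policy so that forwarded traffic is not silently caught by the default deny. The zone names `untrust` and `trust`, the interface `xe-0/0/7.0`, the policy and filter names, and the management prefix `192.0.2.0/24` are assumptions chosen for the example (the prefix is a documentation range).

```junos
## Host-inbound traffic: only what the firewall itself needs to answer.
## Applied to the logical unit (xe-0/0/7.0), not the physical port.
set security zones security-zone untrust interfaces xe-0/0/7.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces xe-0/0/7.0 host-inbound-traffic system-services ping

## Management prefix (assumed value, documentation range) allowed to reach SSH.
set policy-options prefix-list MGMT-HOSTS 192.0.2.0/24

## Loopback filter protecting the routing engine: SSH only from MGMT-HOSTS,
## everything else that host-inbound-traffic already admitted is left alone.
set firewall family inet filter PROTECT-RE term allow-mgmt-ssh from source-prefix-list MGMT-HOSTS
set firewall family inet filter PROTECT-RE term allow-mgmt-ssh from protocol tcp
set firewall family inet filter PROTECT-RE term allow-mgmt-ssh from destination-port ssh
set firewall family inet filter PROTECT-RE term allow-mgmt-ssh then accept
set firewall family inet filter PROTECT-RE term drop-other-ssh from protocol tcp
set firewall family inet filter PROTECT-RE term drop-other-ssh from destination-port ssh
set firewall family inet filter PROTECT-RE term drop-other-ssh then discard
set firewall family inet filter PROTECT-RE term allow-rest then accept
set interfaces lo0 unit 0 family inet filter input PROTECT-RE

## Harden the SSH daemon itself against the login attempts the post describes.
set system services ssh root-login deny
set system services ssh connection-limit 5
set system services ssh rate-limit 5

## Transit traffic: the data-center SRX denies by default, so an explicit
## policy is required before anything is forwarded between zones.
set security policies from-zone trust to-zone untrust policy allow-outbound match source-address any
set security policies from-zone trust to-zone untrust policy allow-outbound match destination-address any
set security policies from-zone trust to-zone untrust policy allow-outbound match application any
set security policies from-zone trust to-zone untrust policy allow-outbound then permit
```

After `commit`, `show security zones` confirms which services are admitted per interface, and `show firewall filter PROTECT-RE` shows the `drop-other-ssh` counter climbing if anyone outside the management prefix is probing SSH, which is a cheap way to see the caveat from the post in action without exposing the daemon to it.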
