
Example: Controlling Management Access on SRX Series Devices


This example shows how to restrict management access to an SRX Series device so that only a specific set of IP addresses can manage it.

Requirements

No special configuration beyond device initialization is required before configuring this feature.

Overview

To limit the IP addresses that can manage a device, you can configure a firewall filter. The filter must include a term that denies all traffic except traffic from the IP addresses you allow to manage the device. You must apply the firewall filter to the loopback interface (lo0), because this ensures that only management traffic (traffic addressed to the device itself) is filtered, not transit traffic.

In this example you:

  • Configure a prefix-list called manager-ip. This list defines a set of IP addresses that are allowed to manage the SRX Series device.

  • Configure a firewall filter FILTER1 that rejects all requesters except the IP addresses in the manager-ip prefix list. In this way, you ensure that only the addresses in the prefix list can manage the device.

  • Apply FILTER1 to the loopback interface. Any packet addressed to the device itself, whichever interface it arrives on, is evaluated against FILTER1 on the loopback interface.

Configuration

Configuring an IP Address List to Restrict Management Access to a Device

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

  1. Define a set of allowed host addresses in the prefix list.
    Note

    The filter references this list by name, so you can change the set of allowed addresses by editing the prefix list rather than the filter terms.

  2. Configure a firewall filter to deny traffic from all IP addresses except the IP addresses defined in the prefix list.

    Management traffic to any of the listed destination ports is rejected when it comes from an address that is not in the prefix list.

  3. Configure a default term that accepts all other traffic.
  4. Apply the stateless firewall filter to the loopback interface so that packets destined to the device are filtered against the set of hosts to which you are granting management access.

    This configuration applies to traffic terminating at the device itself. If IPsec, OSPF, RIP, BGP, or any other traffic terminates at an interface of the device, you must add the IP address of that interface to the prefix list.
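The following Junos configuration, in set-command form, is an added example that implements steps 1 through 4 above; it is not copied from the original page. The prefix list and filter names (manager-ip, FILTER1) come from the page. The management addresses 192.0.2.0/24 and 198.51.100.7/32, the particular destination ports, and the count and syslog actions are assumptions made here so that rejected attempts are visible in show firewall output.

```junos
# Step 1: hosts allowed to manage the device (placeholder addresses)
set policy-options prefix-list manager-ip 192.0.2.0/24
set policy-options prefix-list manager-ip 198.51.100.7/32

# Step 2: term 1 matches management ports from any source that is NOT in
# manager-ip. The 0.0.0.0/0 match is required: a term whose only address
# match is an "except" entry matches nothing.
set firewall filter FILTER1 term 1 from source-address 0.0.0.0/0
set firewall filter FILTER1 term 1 from source-prefix-list manager-ip except
set firewall filter FILTER1 term 1 from protocol tcp
set firewall filter FILTER1 term 1 from destination-port [ ssh telnet http https ]
# count and syslog (assumed additions) record each rejected attempt;
# "reject" returns an ICMP unreachable, "discard" would drop silently
set firewall filter FILTER1 term 1 then count mgmt-rejected
set firewall filter FILTER1 term 1 then syslog
set firewall filter FILTER1 term 1 then reject

# Step 3: everything else (permitted managers, routing protocols, IPsec) is accepted
set firewall filter FILTER1 term 2 then accept

# Step 4: apply as an input filter on lo0 so only traffic addressed to the
# device itself is evaluated; transit traffic through the SRX is unaffected
set interfaces lo0 unit 0 family inet filter input FILTER1
```

Lines beginning with # are explanatory and can be dropped before pasting into the CLI. After commit, show firewall filter FILTER1 in operational mode displays the mgmt-rejected counter; a rising count indicates that a host outside manager-ip is attempting to reach a management port, and the syslog action records the source address of each attempt.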

Results

From configuration mode, confirm your configuration by entering the show configuration command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying Interfaces

Purpose

Verify that the prefix list, the firewall filter, and the interfaces are configured correctly.

Action

From operational mode, enter the following commands:

  • show policy-options

  • show firewall

  • show interfaces