Juniper SRX

Opening a flow

Opening a flow from the untrust zone (WAN) to the trust zone (LAN), TCP port 2222 towards IP 10.0.0.2 (10-0-0-2 in the policy below is the name of the address-book entry for that host, which must already exist in the trust zone's address book):

set applications application custom-TCP-2222 protocol tcp
set applications application custom-TCP-2222 destination-port 2222

set security policies from-zone untrust to-zone trust policy UNTRUST-TO-TRUST-TCP2222 match source-address any
set security policies from-zone untrust to-zone trust policy UNTRUST-TO-TRUST-TCP2222 match destination-address 10-0-0-2
set security policies from-zone untrust to-zone trust policy UNTRUST-TO-TRUST-TCP2222 match application custom-TCP-2222
set security policies from-zone untrust to-zone trust policy UNTRUST-TO-TRUST-TCP2222 then permit
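As an added example, not taken from the original notes, here is the same policy in a tighter form: the address-book entries it depends on are declared explicitly, the source is restricted to a known management prefix instead of any, and the policy logs and counts sessions so that use of the WAN-exposed port is visible. The prefix 192.0.2.0/24, the entry name ADMIN-NET and the use of zone-level address books are assumptions; lines starting with # are explanatory notes, not configuration.

```junos
# address-book entries referenced by the policy (zone-level address books)
set security zones security-zone trust address-book address 10-0-0-2 10.0.0.2/32
set security zones security-zone untrust address-book address ADMIN-NET 192.0.2.0/24

# same custom application as in the notes
set applications application custom-TCP-2222 protocol tcp
set applications application custom-TCP-2222 destination-port 2222

# policy: only ADMIN-NET may reach 10.0.0.2:2222, with session logging and a counter
set security policies from-zone untrust to-zone trust policy UNTRUST-TO-TRUST-TCP2222 match source-address ADMIN-NET
set security policies from-zone untrust to-zone trust policy UNTRUST-TO-TRUST-TCP2222 match destination-address 10-0-0-2
set security policies from-zone untrust to-zone trust policy UNTRUST-TO-TRUST-TCP2222 match application custom-TCP-2222
set security policies from-zone untrust to-zone trust policy UNTRUST-TO-TRUST-TCP2222 then permit
set security policies from-zone untrust to-zone trust policy UNTRUST-TO-TRUST-TCP2222 then log session-init
set security policies from-zone untrust to-zone trust policy UNTRUST-TO-TRUST-TCP2222 then log session-close
set security policies from-zone untrust to-zone trust policy UNTRUST-TO-TRUST-TCP2222 then count

# after commit: check the policy and watch live sessions on the opened port
run show security policies policy-name UNTRUST-TO-TRUST-TCP2222 detail
run show security flow session destination-port 2222
```

The session-init and session-close logs are only emitted if a security log destination (syslog stream or event mode) is configured, which the notes do not cover; the count action works on its own and shows up in the detail output of the policy.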

To test the policy that was put in place (match-policies needs a concrete source IP rather than any, so 192.0.2.10 below is just an example address; the destination port must be the one actually opened, 2222):

run show security match-policies from-zone untrust to-zone trust source-ip 192.0.2.10 source-port 22222 destination-ip 10.0.0.2 destination-port 2222 protocol tcp

SNMP SRX

Declaring a read-only SNMP community, reachable only from IP 10.230.2.11 (community_name is a placeholder for the real community string):

set snmp location "Marseille, France"
set snmp community community_name authorization read-only
set snmp community community_name client-list-name SNMP-CUST
set policy-options prefix-list SNMP-CUST 10.230.2.11/32

In flow-based mode, SNMP access must also be allowed in the filter that protects the Routing Engine (here named PROTECT-ROUTING-ENGINE; the insert command places the new term before an existing TELNET term):

set firewall family inet filter PROTECT-ROUTING-ENGINE term SNMP from protocol udp
set firewall family inet filter PROTECT-ROUTING-ENGINE term SNMP from port snmp
set firewall family inet filter PROTECT-ROUTING-ENGINE term SNMP then accept
insert firewall family inet filter PROTECT-ROUTING-ENGINE term SNMP before term TELNET

If a VRF (routing instance) is configured on the Juniper, the community name to enter on the SNMP server side is:

vrf-name@community_name
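As an added example, not taken from the original notes, this covers the two points above together: the Routing Engine filter term scoped to the same SNMP-CUST prefix-list so that SNMP from any other source is dropped and counted before it reaches the SNMP daemon, and the device-side routing-instance binding that the vrf-name@community form on the server relies on. It assumes the filter is applied as an input filter on lo0 unit 0 (the usual place for an RE-protection filter), that a TELNET term already exists as in the notes, and that the routing instance is named CUST-VRF; lines starting with # are explanatory notes, not configuration.

```junos
# accept SNMP only from the hosts in the prefix-list used by the community
set firewall family inet filter PROTECT-ROUTING-ENGINE term SNMP from source-prefix-list SNMP-CUST
set firewall family inet filter PROTECT-ROUTING-ENGINE term SNMP from protocol udp
set firewall family inet filter PROTECT-ROUTING-ENGINE term SNMP from destination-port snmp
set firewall family inet filter PROTECT-ROUTING-ENGINE term SNMP then count SNMP-ACCEPT
set firewall family inet filter PROTECT-ROUTING-ENGINE term SNMP then accept

# everything else aimed at the SNMP port is counted, logged and discarded
set firewall family inet filter PROTECT-ROUTING-ENGINE term SNMP-DENY from protocol udp
set firewall family inet filter PROTECT-ROUTING-ENGINE term SNMP-DENY from destination-port snmp
set firewall family inet filter PROTECT-ROUTING-ENGINE term SNMP-DENY then count SNMP-DENIED
set firewall family inet filter PROTECT-ROUTING-ENGINE term SNMP-DENY then log
set firewall family inet filter PROTECT-ROUTING-ENGINE term SNMP-DENY then discard

# term order matters: evaluation stops at the first matching term
insert firewall family inet filter PROTECT-ROUTING-ENGINE term SNMP before term TELNET
insert firewall family inet filter PROTECT-ROUTING-ENGINE term SNMP-DENY after term SNMP

# the filter only protects the RE once it is applied to the loopback interface
set interfaces lo0 unit 0 family inet filter input PROTECT-ROUTING-ENGINE

# only needed when the SNMP server polls through a routing instance:
# binds the community to CUST-VRF so that CUST-VRF@community_name works on the server side
set snmp community community_name routing-instance CUST-VRF

# after commit: per-term counters and the log of discarded SNMP packets
run show firewall filter PROTECT-ROUTING-ENGINE
run show firewall log
```

The SNMP-DENIED counter rising while SNMP-ACCEPT stays flat is a cheap way to spot polling from unexpected sources; the prefix-list is shared between the filter term and the community client-list, so a change to the allowed host only has to be made in one place.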