In my previous Junos Basics post I covered automatic configuration archiving. In this post we’ll step through a solution to prevent unauthorised access to the J-Web GUI on EX Series switches. This solution could be modified to also restrict access on other management ports such as SSH and SNMP.
First of all we need to define our list of hosts that are allowed to access the switch via J-Web:
set policy-options prefix-list NetManagement 10.0.0.1/32 set policy-options prefix-list NetManagement 10.0.0.2/32 set policy-options prefix-list NetManagement 192.168.10.2/32 set policy-options prefix-list NetManagement 172.16.3.6/32
Next, we create a Firewall Filter that does the following:
- first, accepts connections on any service from addresses on the NetManagement prefix list
- then, discards all other HTTPS traffic
- finally, accepts all other traffic
Here’s the code for this:
set firewall family inet filter J-Web term AllowedIPAnyService from source-prefix-list NetManagement set firewall family inet filter J-Web term AllowedIPAnyService then accept set firewall family inet filter J-Web term BlockOtherHTTPS from destination-port https set firewall family inet filter J-Web term BlockOtherHTTPS then discard set firewall family inet filter J-Web term default then accept
Finally, apply the filter inbound to the loopback 0 interface (if you apply a firewall filter inbound on the loopback of a Juniper device, this will be applied to all traffic processed by the routing-engine. This includes traffic with a destination address of a physical interface (i.e. not the loopback):
set interfaces lo0 unit 0 family inet filter input J-Web
I hope this has been a useful explanation.
Thanks for reading.
Follow Rich on Twitter
I didn’t :-(I just edit my hosts file manually once in a while. It doesn’t raelly break anything unless you connect from a network that has an unreachable IP for the VPN machine (for example, internal network then internet).It’s just messy