Unlike standard SRX security policies (`security policies from-zone x to-zone y`), which end in a default implicit deny, policies under `security policies from-zone x to-zone junos-host` (traffic toward the device itself) end in a default implicit **permit**.
I noticed this while looking at logs on mr1-codfw:
`SNMPD_AUTH_FAILURE: nsa_log_community: unauthorized SNMP community from 52.73.169.169 to 208.80.153.196 (public)`
`zone junos-host` is only used on the mgmt routers (mr1*) and not on the payment firewalls.
We need to add:
```lang=diff
[edit security policies from-zone untrust to-zone junos-host]
policy any--traceroute { ... }
+ /* to-zone junos-host has an implicit default permit */
+ policy default-deny {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ deny;
+ }
+ }
```
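Review bot: the new `default-deny` policy only closes the implicit permit if it stays the last policy in `from-zone untrust to-zone junos-host`; the hunk places it after `policy any--traceroute`, which is correct today, but since SRX evaluates policies in order, a policy added later with `set` lands after it and never matches, so future additions should use `insert security policies from-zone untrust to-zone junos-host policy <name> before policy default-deny`. Consider also `then { deny; log { session-init; } }` so that hits like the SNMP attempt above keep showing up in the logs instead of being dropped silently.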
Roll this out progressively, one router at a time, with `commit confirmed` so that any blocked legitimate traffic is rolled back automatically.
This was not caught by diffscan because the external security zone only hosts an IP outside our ranges (OOB).
No other service than SNMP has been wrongly exposed.
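Since diffscan cannot see this from the outside, a config-side check is the way to catch the same gap on the other mr1* routers. The following is an added example, not part of the original task or the Wikimedia tooling: it parses a curly-brace Junos configuration (a constructed sample, not mr1-codfw's config) and reports every `to-zone junos-host` zone pair whose last policy is not an explicit any/any/any deny, i.e. every pair still relying on the implicit permit. The `security { policies { ... } }` hierarchy and policy syntax are standard Junos; the sample zone and address-book names are made up.

```python
import re

# Constructed sample config (not from the original task): the untrust->junos-host
# pair still relies on the implicit permit; the trust->junos-host pair ends in a
# deny-all policy like the one proposed in the diff above.
SAMPLE_CONFIG = """
security {
    policies {
        from-zone untrust to-zone junos-host {
            policy any--traceroute {
                match {
                    source-address any;
                    destination-address any;
                    application junos-traceroute;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone junos-host {
            policy mgmt--ssh {
                match {
                    source-address mgmt-hosts;
                    destination-address any;
                    application junos-ssh;
                }
                then {
                    permit;
                }
            }
            /* to-zone junos-host has an implicit default permit */
            policy default-deny {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                    log {
                        session-init;
                    }
                }
            }
        }
    }
}
"""


def parse_junos(text):
    """Parse curly-brace Junos config into nested dicts; leaf statements map to None.
    Dict insertion order is kept, which is exactly the policy evaluation order."""
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*") or line.startswith("#"):
            continue  # blank lines and annotations
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced braces in config")
            stack.pop()
        elif line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line.endswith(";"):
            stack[-1][line[:-1].strip()] = None
        else:
            raise ValueError(f"unparsed config line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces in config")
    return root


def is_deny_all(policy):
    """True if a policy block matches any/any/any and its action is deny."""
    match = policy.get("match") or {}
    then = policy.get("then") or {}
    return ({"source-address any", "destination-address any", "application any"}
            <= set(match) and "deny" in then)


ZONE_PAIR = re.compile(r"from-zone (\S+) to-zone junos-host")


def audit_junos_host_policies(text):
    """Return {zone-pair header: verdict} for every to-zone junos-host policy set.
    A pair whose last policy is not an explicit deny-all falls through to the
    implicit permit and is reported as MISSING."""
    policies = parse_junos(text).get("security", {}).get("policies", {})
    verdicts = {}
    for header, body in policies.items():
        if not ZONE_PAIR.fullmatch(header):
            continue  # ordinary zone pairs already have an implicit deny
        pols = [(name, blk) for name, blk in (body or {}).items() if name.startswith("policy ")]
        if pols and is_deny_all(pols[-1][1]):
            verdicts[header] = "OK: last policy is an explicit deny-all"
        elif pols:
            verdicts[header] = f"MISSING: last policy '{pols[-1][0]}' is not deny-all, implicit permit applies"
        else:
            verdicts[header] = "MISSING: no policies at all, implicit permit applies"
    return verdicts


if __name__ == "__main__":
    for pair, verdict in audit_junos_host_policies(SAMPLE_CONFIG).items():
        print(f"{pair}: {verdict}")
```

Run it against `show configuration security policies | display set`-free output, i.e. the plain `show configuration security policies` text, for each mr1* router; any line starting with `MISSING` is a zone pair that still needs the `default-deny` policy from the diff.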