Juniper firewall external publish not working

Paul Walsh asked:
Hi All,

We are trying to help an external company who wish to publish their Juniper firewall for remote management. We can ping the external address quite happily; however, we cannot connect to the web UI over HTTP. On the untrusted interface, under management services / other services, ping and web UI are ticked. If we untick ping, we can see that external pings drop off, so this works. I have confirmed with the ISP that there is nothing at their end that would block the connection.

Any suggestions?

Thanks for your help.
Paul
Commented:
Check the permitted IPs config. Usually they are configured to only permit management from the trust subnet. You can add your public IP to the list to allow management.
Distinguished Expert 2018 commented:
I would strongly recommend not using HTTP for firewall management.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB16647&actp=METADATA#cli_config

set system services web-management https system-generated-certificate
set system services web-management https interface <untrust_interface>

# to limit access from specific IP addresses (it will block all management except from specified IP addresses/networks configured as exception)
Example: Controlling Management Access on SRX Series Devices

# apply the filter to inbound traffic on the untrust interface
set interfaces <untrust_interface> unit 0 family inet filter input FILTER1

# term 1: any source that is NOT in the manager-ip prefix-list, sending TCP to ssh or https, is dropped
set firewall filter FILTER1 term block_non_manager from source-address 0.0.0.0/0
set firewall filter FILTER1 term block_non_manager from source-prefix-list manager-ip except
set firewall filter FILTER1 term block_non_manager from protocol tcp
set firewall filter FILTER1 term block_non_manager from destination-port ssh
set firewall filter FILTER1 term block_non_manager from destination-port https
set firewall filter FILTER1 term block_non_manager then discard
# term 2: everything else (including ssh/https from the manager addresses) passes the filter
set firewall filter FILTER1 term accept_everything_else then accept

# the addresses/networks allowed to manage the device
set policy-options prefix-list manager-ip <source_IP_address1>
set policy-options prefix-list manager-ip <source_IP_address2>
set policy-options prefix-list manager-ip <source_IP_network1>
set policy-options prefix-list manager-ip <source_IP_network2>

# the zone must also permit https as a host-inbound system service, or the filter never sees a session that the zone has already refused
set security zones security-zone untrust interfaces <untrust_interface> host-inbound-traffic system-services https
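The filter above is evaluated term by term and the first matching term decides, so it is worth checking which flows it will actually discard before committing it: the `except` on the prefix-list inverts that one match condition, and only TCP to ssh/https is protected, so ping (and plain HTTP, if it were enabled) from a non-manager address still passes the filter. The following Python model of FILTER1's term logic is an added example, not code from the thread or from Juniper; the manager prefixes 203.0.113.10/32 and 198.51.100.0/24 and the sample flows are constructed placeholders standing in for <source_IP_address1> and friends.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the manager-ip prefix-list entries (hypothetical values).
MANAGER_IP = [
    ipaddress.ip_network("203.0.113.10/32"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Junos resolves the port names used in the filter to these numbers.
PORTS = {"ssh": 22, "https": 443}


@dataclass(frozen=True)
class Flow:
    src: str                      # source IPv4 address as a string
    proto: str                    # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None  # only meaningful for tcp/udp


def in_prefix_list(addr: str, prefixes) -> bool:
    """True if addr falls inside any prefix of the list."""
    ip = ipaddress.ip_address(addr)
    return any(ip in p for p in prefixes)


def term_block_non_manager(flow: Flow) -> bool:
    """Mirror of 'term block_non_manager'. Every 'from' condition must hold."""
    # from source-address 0.0.0.0/0 -> every IPv4 source matches this part
    # from source-prefix-list manager-ip except -> ... unless the source is a manager
    if in_prefix_list(flow.src, MANAGER_IP):
        return False
    # from protocol tcp
    if flow.proto != "tcp":
        return False
    # from destination-port ssh / https: several values under one match are OR'ed
    return flow.dst_port in (PORTS["ssh"], PORTS["https"])


def filter1(flow: Flow) -> str:
    """Evaluate FILTER1 in term order; the first matching term's action wins."""
    if term_block_non_manager(flow):
        return "discard"
    return "accept"  # term accept_everything_else


# Constructed sample flows: who gets through to the management services?
SAMPLE_FLOWS = [
    Flow("192.0.2.5", "tcp", 443),       # stranger -> https
    Flow("192.0.2.5", "tcp", 22),        # stranger -> ssh
    Flow("203.0.113.10", "tcp", 443),    # manager host -> https
    Flow("198.51.100.77", "tcp", 22),    # host in manager network -> ssh
    Flow("192.0.2.5", "tcp", 80),        # stranger -> http: not covered by the filter
    Flow("192.0.2.5", "icmp"),           # stranger -> ping: not covered by the filter
]


def evaluate_all(flows=SAMPLE_FLOWS) -> dict:
    """Map each sample flow to the filter's verdict."""
    return {f: filter1(f) for f in flows}


if __name__ == "__main__":
    for flow, verdict in evaluate_all().items():
        print(f"{flow.src:>15} {flow.proto:<4} {str(flow.dst_port or ''):>4} -> {verdict}")
```

The two "accept" verdicts for HTTP and ICMP from a stranger are the point to notice: the filter only closes ssh and https to non-managers, so whatever the zone's host-inbound-traffic list allows beyond those (ping, or HTTP if web-management http were left enabled) is still reachable from anywhere. Keep the host-inbound list as short as the filter's protected set, or add those ports to the block term.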
Qlemo "Batchelor", Developer and EE Topic Advisor, Top Expert 2015, commented:
ScreenOS or JunOS?
Paul Walsh, System Administrator (Author), commented:
Hi guys,

Thanks for your help. The company that put them in place is going to install a couple of DrayTeks instead. Thanks again.
