
SNMP Unknown Ports 50,000 - 65,000

Hi,

We are shifting our core WAN firewall segment from Juniper ISG 1000 to Juniper SRX 5400. The issue below arose while tightening the policies on the SRX 5400: on the ISG 1000 we use an allow-any-port policy for branch SNMP. We are getting UDP hits from the branches towards the NMS server on ports in the range 50000 to 65000, and if we do not allow these we are unable to poll the branches via SNMP. That is, when we allowed only ports 161 and 162 it did not work: the branch router behind the firewall did not respond to SNMP and the test failed. But when we allow ports 50000 through 65000 it works and the branch router starts responding to SNMP.

Below are the policies and the flow sessions for ready reference. For allowing these ports we need a justification to satisfy the network security and audit requirements.

Policy on WAN firewall SRX 5400:

set security policies from-zone trust-VPN to-zone trust-BLUE policy NMS match source-address ALL-BRANCHES

set security policies from-zone trust-VPN to-zone trust-BLUE policy NMS match destination-address 10.1.107.150/32 (NMS server)

set security policies from-zone trust-VPN to-zone trust-BLUE policy NMS match application UDP-161-162 (routine)

set security policies from-zone trust-VPN to-zone trust-BLUE policy NMS match application UDP-50000-65000 (Additional on this work)

set security policies from-zone trust-VPN to-zone trust-BLUE policy NMS then permit

Flow session on WAN firewall SRX 5400:

PR-AGG-FW-A> show security flow session policy-id 152

node0:

--------------------------------------------------------------------------

Flow Sessions on FPC0 PIC1:

Session ID: 10034489, Policy name: NMS/152, State: Active, Timeout: 54, Valid

In: 10.36.156.2/161 --> 10.1.107.150/59028;udp, Conn Tag: 0x0, If: st0.1271, Pkts: 1, Bytes: 80, CP Session ID: 16268284

Out: 10.1.107.150/59028 --> 10.36.156.2/161;udp, Conn Tag: 0x0, If: reth1.0, Pkts: 0, Bytes: 0, CP Session ID: 16268284

Session ID: 10035240, Policy name: NMS/152, State: Active, Timeout: 54, Valid

In: 10.38.22.2/161 --> 10.1.107.150/59028;udp, Conn Tag: 0x0, If: st0.1271, Pkts: 1, Bytes: 80, CP Session ID: 16434842

Out: 10.1.107.150/59028 --> 10.38.22.2/161;udp, Conn Tag: 0x0, If: reth1.0, Pkts: 0, Bytes: 0, CP Session ID: 16434842

Session ID: 15599400, Policy name: NMS/152, State: Active, Timeout: 34, Valid

In: 10.38.26.2/161 --> 10.1.107.150/57672;udp, Conn Tag: 0x0, If: st0.1272, Pkts: 7, Bytes: 1046, CP Session ID: 16238875

Out: 10.1.107.150/57672 --> 10.38.26.2/161;udp, Conn Tag: 0x0, If: reth1.0, Pkts: 0, Bytes: 0, CP Session ID: 16238875

Session ID: 15748000, Policy name: NMS/152, State: Active, Timeout: 32, Valid

In: 10.38.94.2/161 --> 10.1.107.150/57672;udp, Conn Tag: 0x0, If: st0.1271, Pkts: 7, Bytes: 1082, CP Session ID: 16090750

Out: 10.1.107.150/57672 --> 10.38.94.2/161;udp, Conn Tag: 0x0, If: reth1.0, Pkts: 0, Bytes: 0, CP Session ID: 16090750

Session ID: 15825490, Policy name: NMS/152, State: Active, Timeout: 16, Valid

In: 10.37.50.2/161 --> 10.1.107.150/57672;udp, Conn Tag: 0x0, If: st0.1271, Pkts: 7, Bytes: 1058, CP Session ID: 16356558

Out: 10.1.107.150/57672 --> 10.37.50.2/161;udp, Conn Tag: 0x0, If: reth1.0, Pkts: 0, Bytes: 0, CP Session ID: 16356558

Session ID: 16069823, Policy name: NMS/152, State: Active, Timeout: 8, Valid

In: 10.36.172.2/161 --> 10.1.107.150/57672;udp, Conn Tag: 0x0, If: st0.1271, Pkts: 15, Bytes: 2043, CP Session ID: 16216814

Out: 10.1.107.150/57672 --> 10.36.172.2/161;udp, Conn Tag: 0x0, If: reth1.0, Pkts: 0, Bytes: 0, CP Session ID: 16216814

Session ID: 16126142, Policy name: NMS/152, State: Active, Timeout: 16, Valid

In: 10.37.72.2/161 --> 10.1.107.150/57672;udp, Conn Tag: 0x0, If: st0.1271, Pkts: 7, Bytes: 1083, CP Session ID: 16358271

Out: 10.1.107.150/57672 --> 10.37.72.2/161;udp, Conn Tag: 0x0, If: reth1.0, Pkts: 0, Bytes: 0, CP Session ID: 16358271

Session ID: 16269963, Policy name: NMS/152, State: Active, Timeout: 32, Valid

In: 10.36.172.2/161 --> 10.1.107.150/59028;udp, Conn Tag: 0x0, If: st0.1271, Pkts: 1, Bytes: 79, CP Session ID: 15614150

Out: 10.1.107.150/59028 --> 10.36.172.2/161;udp, Conn Tag: 0x0, If: reth1.0, Pkts: 0, Bytes: 0, CP Session ID: 15614150

Total sessions: 8

Please have a look and share your feedback, or request feedback from TAC, so that we have a justification for allowing the mentioned ports.
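Added example (not from the post above and not Juniper code): a small Python parser for the `show security flow session` output quoted in the post, written to check what the 50000-65000 hits actually are before they are justified to an auditor. In every session shown, the In wing starts at branch port 161 and is addressed to a high port on 10.1.107.150, and the Out wing has Pkts: 0; in other words the firewall is seeing SNMP agent replies arrive as new sessions, with no request in the other direction on the same 5-tuple. The script flags sessions with that shape, reports the destination-port range they use, and prints a narrower Junos application keyed on source port 161 instead of any UDP to 50000-65000. The sample input is a constructed, trimmed copy of the post's output; the application name `UDP-SNMP-REPLY`, the `source-port` application syntax and the 1024 ephemeral threshold are my assumptions to verify on your Junos release and NMS host.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: three of the eight sessions from the post's
# "show security flow session policy-id 152" output, addresses and ports unchanged.
SAMPLE_OUTPUT = """\
Session ID: 10034489, Policy name: NMS/152, State: Active, Timeout: 54, Valid
In: 10.36.156.2/161 --> 10.1.107.150/59028;udp, Conn Tag: 0x0, If: st0.1271, Pkts: 1, Bytes: 80, CP Session ID: 16268284
Out: 10.1.107.150/59028 --> 10.36.156.2/161;udp, Conn Tag: 0x0, If: reth1.0, Pkts: 0, Bytes: 0, CP Session ID: 16268284
Session ID: 15599400, Policy name: NMS/152, State: Active, Timeout: 34, Valid
In: 10.38.26.2/161 --> 10.1.107.150/57672;udp, Conn Tag: 0x0, If: st0.1272, Pkts: 7, Bytes: 1046, CP Session ID: 16238875
Out: 10.1.107.150/57672 --> 10.38.26.2/161;udp, Conn Tag: 0x0, If: reth1.0, Pkts: 0, Bytes: 0, CP Session ID: 16238875
Session ID: 16069823, Policy name: NMS/152, State: Active, Timeout: 8, Valid
In: 10.36.172.2/161 --> 10.1.107.150/57672;udp, Conn Tag: 0x0, If: st0.1271, Pkts: 15, Bytes: 2043, CP Session ID: 16216814
Out: 10.1.107.150/57672 --> 10.36.172.2/161;udp, Conn Tag: 0x0, If: reth1.0, Pkts: 0, Bytes: 0, CP Session ID: 16216814
Total sessions: 3
"""

SNMP_AGENT_PORT = 161
EPHEMERAL_MIN = 1024  # assumption: anything above the well-known range is treated as a client port

# One "wing" line of a session: direction, 5-tuple, ingress interface, packet count.
WING = re.compile(
    r"^\s*(In|Out):\s+(\S+)/(\d+)\s+-->\s+(\S+)/(\d+);(\w+),.*?If:\s+(\S+),\s+Pkts:\s+(\d+)"
)


@dataclass
class Session:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    in_if: str
    in_pkts: int
    out_pkts: int = 0


def parse_sessions(text: str) -> List[Session]:
    """Build one Session per In/Out wing pair from flow-session output."""
    sessions: List[Session] = []
    for line in text.splitlines():
        m = WING.match(line)
        if not m:
            continue
        direction, src, sport, dst, dport, proto, ifname, pkts = m.groups()
        if direction == "In":
            sessions.append(Session(src, int(sport), dst, int(dport), proto, ifname, int(pkts)))
        elif sessions:
            sessions[-1].out_pkts = int(pkts)  # Out wing belongs to the preceding In wing
    return sessions


def is_orphan_snmp_reply(s: Session) -> bool:
    """True when the session was opened by an SNMP agent reply (UDP source port 161
    towards an ephemeral port) and nothing has flowed the other way, i.e. this
    firewall never saw the request that the reply answers."""
    return (s.proto == "udp" and s.sport == SNMP_AGENT_PORT
            and s.dport >= EPHEMERAL_MIN and s.out_pkts == 0)


def observed_dport_range(sessions: List[Session]) -> Optional[Tuple[int, int]]:
    """Lowest and highest NMS-side port seen on orphan reply sessions, or None."""
    ports = [s.dport for s in sessions if is_orphan_snmp_reply(s)]
    return (min(ports), max(ports)) if ports else None


def narrowed_application(name: str, sessions: List[Session]) -> List[str]:
    """Junos set commands (syntax assumed, verify on your release) for an application
    that admits only agent replies rather than any UDP to ports 50000-65000."""
    rng = observed_dport_range(sessions)
    if rng is None:
        return []
    lo, hi = rng
    return [
        f"set applications application {name} protocol udp",
        f"set applications application {name} source-port {SNMP_AGENT_PORT}",
        f"set applications application {name} destination-port {lo}-{hi}",
    ]


if __name__ == "__main__":
    found = parse_sessions(SAMPLE_OUTPUT)
    for s in found:
        tag = "orphan SNMP reply" if is_orphan_snmp_reply(s) else "other"
        print(f"{s.src}:{s.sport} -> {s.dst}:{s.dport} via {s.in_if} "
              f"in={s.in_pkts} out={s.out_pkts} [{tag}]")
    print("\n".join(narrowed_application("UDP-SNMP-REPLY", found)))
```

Two caveats when using this as the audit justification. The range printed is only what one snapshot happened to contain; the NMS host picks its client port from its operating system's ephemeral range, so the destination-port term has to cover that whole range, and the source-address term should stay restricted to ALL-BRANCHES. And a rule keyed on source port 161 still lets a branch-originated packet with a spoofed source port reach ephemeral ports on the NMS, so the question to put to TAC is why the NMS request does not create the session on this firewall in the first place (the Out wing with Pkts: 0 on every session is the evidence); if the request and reply can be made to traverse the same SRX, the reply matches the existing 161 session and the extra application is not needed at all.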