1 Reply Latest reply on Jul 16, 2018 4:35 AM by jawwad05

    SNMP Unknown Ports 50,000 - 65,000

    jawwad05

      Hi,

      We are shifting our core WAN firewall segment from Juniper ISG 1000 to Juniper SRX 5400. The mentioned issue arrived while limiting the policies on the SRX 5400, as on the ISG 1000 we use an allow-any-port policy for branch SNMP, i.e. we are getting UDP port hits in the direction from the branches towards the NMS server in the range of 50000 to 65000, and if we do not allow this we are unable to poll the branches on SNMP. The point is that when we allowed only ports 161 and 162 it did not work, i.e. the branch router behind the firewall did not respond on SNMP and the test failed. But when we allow port 50000 through port 65000 it works and the branch router starts responding on SNMP.

      Below are the policies and the flow session for ready reference. As for allowing these ports, we need a justification for the network security demand and audit requirement.

      Policy on WAN firewall SRX 5400:

      set security policies from-zone trust-VPN to-zone trust-BLUE policy NMS match source-address ALL-BRANCHES

      set security policies from-zone trust-VPN to-zone trust-BLUE policy NMS match destination-address 10.1.107.150/32 (NMS server)

      set security policies from-zone trust-VPN to-zone trust-BLUE policy NMS match application UDP-161-162 (routine)

      set security policies from-zone trust-VPN to-zone trust-BLUE policy NMS match application UDP-50000-65000 (Additional on this work)

      set security policies from-zone trust-VPN to-zone trust-BLUE policy NMS then permit

      Flow session on WAN firewall SRX 5400:

      PR-AGG-FW-A> show security flow session policy-id 152

      node0:

      --------------------------------------------------------------------------

      Flow Sessions on FPC0 PIC1:

      Session ID: 10034489, Policy name: NMS/152, State: Active, Timeout: 54, Valid

      In: 10.36.156.2/161 --> 10.1.107.150/59028;udp, Conn Tag: 0x0, If: st0.1271, Pkts: 1, Bytes: 80, CP Session ID: 16268284

      Out: 10.1.107.150/59028 --> 10.36.156.2/161;udp, Conn Tag: 0x0, If: reth1.0, Pkts: 0, Bytes: 0, CP Session ID: 16268284

      Session ID: 10035240, Policy name: NMS/152, State: Active, Timeout: 54, Valid

      In: 10.38.22.2/161 --> 10.1.107.150/59028;udp, Conn Tag: 0x0, If: st0.1271, Pkts: 1, Bytes: 80, CP Session ID: 16434842

      Out: 10.1.107.150/59028 --> 10.38.22.2/161;udp, Conn Tag: 0x0, If: reth1.0, Pkts: 0, Bytes: 0, CP Session ID: 16434842

      Session ID: 15599400, Policy name: NMS/152, State: Active, Timeout: 34, Valid

      In: 10.38.26.2/161 --> 10.1.107.150/57672;udp, Conn Tag: 0x0, If: st0.1272, Pkts: 7, Bytes: 1046, CP Session ID: 16238875

      Out: 10.1.107.150/57672 --> 10.38.26.2/161;udp, Conn Tag: 0x0, If: reth1.0, Pkts: 0, Bytes: 0, CP Session ID: 16238875

      Session ID: 15748000, Policy name: NMS/152, State: Active, Timeout: 32, Valid

      In: 10.38.94.2/161 --> 10.1.107.150/57672;udp, Conn Tag: 0x0, If: st0.1271, Pkts: 7, Bytes: 1082, CP Session ID: 16090750

      Out: 10.1.107.150/57672 --> 10.38.94.2/161;udp, Conn Tag: 0x0, If: reth1.0, Pkts: 0, Bytes: 0, CP Session ID: 16090750

      Session ID: 15825490, Policy name: NMS/152, State: Active, Timeout: 16, Valid

      In: 10.37.50.2/161 --> 10.1.107.150/57672;udp, Conn Tag: 0x0, If: st0.1271, Pkts: 7, Bytes: 1058, CP Session ID: 16356558

      Out: 10.1.107.150/57672 --> 10.37.50.2/161;udp, Conn Tag: 0x0, If: reth1.0, Pkts: 0, Bytes: 0, CP Session ID: 16356558

      Session ID: 16069823, Policy name: NMS/152, State: Active, Timeout: 8, Valid

      In: 10.36.172.2/161 --> 10.1.107.150/57672;udp, Conn Tag: 0x0, If: st0.1271, Pkts: 15, Bytes: 2043, CP Session ID: 16216814

      Out: 10.1.107.150/57672 --> 10.36.172.2/161;udp, Conn Tag: 0x0, If: reth1.0, Pkts: 0, Bytes: 0, CP Session ID: 16216814

      Session ID: 16126142, Policy name: NMS/152, State: Active, Timeout: 16, Valid

      In: 10.37.72.2/161 --> 10.1.107.150/57672;udp, Conn Tag: 0x0, If: st0.1271, Pkts: 7, Bytes: 1083, CP Session ID: 16358271

      Out: 10.1.107.150/57672 --> 10.37.72.2/161;udp, Conn Tag: 0x0, If: reth1.0, Pkts: 0, Bytes: 0, CP Session ID: 16358271

      Session ID: 16269963, Policy name: NMS/152, State: Active, Timeout: 32, Valid

      In: 10.36.172.2/161 --> 10.1.107.150/59028;udp, Conn Tag: 0x0, If: st0.1271, Pkts: 1, Bytes: 79, CP Session ID: 15614150

      Out: 10.1.107.150/59028 --> 10.36.172.2/161;udp, Conn Tag: 0x0, If: reth1.0, Pkts: 0, Bytes: 0, CP Session ID: 15614150

      Total sessions: 8

      Please have a look and share your feedback, or ask for feedback from TAC, to have a justification for allowing the mentioned ports.
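An added diagnostic for the audit question above (written here, not by the poster or Juniper): it parses the SRX "show security flow session" output and separates sessions the firewall created from a branch agent's UDP/161 reply toward the NMS, which a stateful firewall only does when it never matched the request that triggered that reply, from normal NMS-initiated polls to UDP/161. The NMS address 10.1.107.150 and the first two sessions come from the post; the third session is constructed as a contrasting normal poll.

```python
import re
from collections import Counter

# Sample: two sessions copied from the post's "show security flow session" output,
# plus one constructed session showing a normal NMS-initiated poll for contrast.
FLOW_OUTPUT = """\
Session ID: 10034489, Policy name: NMS/152, State: Active, Timeout: 54, Valid
In: 10.36.156.2/161 --> 10.1.107.150/59028;udp, Conn Tag: 0x0, If: st0.1271, Pkts: 1, Bytes: 80, CP Session ID: 16268284
Out: 10.1.107.150/59028 --> 10.36.156.2/161;udp, Conn Tag: 0x0, If: reth1.0, Pkts: 0, Bytes: 0, CP Session ID: 16268284
Session ID: 15599400, Policy name: NMS/152, State: Active, Timeout: 34, Valid
In: 10.38.26.2/161 --> 10.1.107.150/57672;udp, Conn Tag: 0x0, If: st0.1272, Pkts: 7, Bytes: 1046, CP Session ID: 16238875
Out: 10.1.107.150/57672 --> 10.38.26.2/161;udp, Conn Tag: 0x0, If: reth1.0, Pkts: 0, Bytes: 0, CP Session ID: 16238875
Session ID: 1, Policy name: NMS-POLL/200, State: Active, Timeout: 60, Valid
In: 10.1.107.150/55123 --> 10.40.1.2/161;udp, Conn Tag: 0x0, If: reth1.0, Pkts: 3, Bytes: 240, CP Session ID: 1
Out: 10.40.1.2/161 --> 10.1.107.150/55123;udp, Conn Tag: 0x0, If: st0.1271, Pkts: 3, Bytes: 300, CP Session ID: 1
"""

SESSION_RE = re.compile(r"^Session ID: (\d+), Policy name: (\S+),")
WING_RE = re.compile(r"^(In|Out): ([\d.]+)/(\d+) --> ([\d.]+)/(\d+);(\w+)")

def parse_sessions(text):
    """Group each 'Session ID' header with its In/Out wings as (src, sport, dst, dport, proto)."""
    sessions = []
    for line in (l.strip() for l in text.splitlines()):
        if m := SESSION_RE.match(line):
            sessions.append({"id": int(m[1]), "policy": m[2], "wings": {}})
        elif (m := WING_RE.match(line)) and sessions:
            sessions[-1]["wings"][m[1]] = (m[2], int(m[3]), m[4], int(m[5]), m[6])
    return sessions

def classify_snmp(session, nms_ip):
    """'reply-without-request': session opened by an agent answering from UDP/161 toward
    the NMS (the firewall never matched the request). 'poll': NMS-initiated query to UDP/161."""
    src, sport, dst, dport, proto = session["wings"].get("In", ("", 0, "", 0, ""))
    if proto == "udp" and sport == 161 and dst == nms_ip:
        return "reply-without-request"
    if proto == "udp" and src == nms_ip and dport == 161:
        return "poll"
    return "other"

def audit(text, nms_ip):
    """Count session kinds and report the NMS ephemeral-port span hit by stray replies."""
    counts, ports = Counter(), []
    for s in parse_sessions(text):
        kind = classify_snmp(s, nms_ip)
        counts[kind] += 1
        if kind == "reply-without-request":
            ports.append(s["wings"]["In"][3])
    return counts, (min(ports), max(ports)) if ports else None
```

A non-empty "reply-without-request" count is the evidence to take to the audit: the 50000-65000 rule is passing SNMP responses, not new services, and the question to chase is why the matching requests from the NMS are not seen by this firewall (a different path, or a session that expired before the reply).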