Can telnet everywhere from the appliance without any traffic / event logs. It seems to disregard the global policy we have set for blocking all traffic unless specifically permitted.
Asked
Active
Viewed 472 times
0
-
The appliance itself is not governed by the traffic rules, I'm pretty sure. – SpacemanSpiff Aug 08 '12 at 15:32
-
@SpacemanSpiff then what is "Self" zone? – Alex Aug 09 '12 at 09:50
-
Ok, time to stop guessing, just call Juniper and ask them. – SpacemanSpiff Aug 09 '12 at 12:51
2 Answers
1
Is this for traffic originating from the firewall appliance itself?
My guess is that your firewall rules are set on one your "internal" interfaces, and as such aren't being applied to traffic that originates from the firewall itself, as the traffic doesn't pass through that interface.
EEAA
- 108,414
- 18
- 172
- 242
-
Yes, from the firewall appliance itself. Our default Global to Global rule is to block Any-Any Any-Any so I do not see what should be related to particular interfaces - documentation says Global applies to everything as it's a special zone. – Alex Aug 08 '12 at 03:53
-
1I'm pretty sure that the zones, global included, only restrict traffic transiting the firewall (in one interface and out another), not traffic that is sourced from the firewall's management. – SpacemanSpiff Aug 09 '12 at 12:54
1
Telnet from the device does come from the routing engine. You should apply a frirewall filter to lo0.x denying tcp packets with destinantion port 23.
rhasti
- 477
- 3
- 9