One nice feature of using a Juniper SRX firewall is that it is a full-featured Junos device, with a rich feature set inherited from the routing and switching world. There are many obvious benefits of this, like running OSPF, BFD or LACP, but there are some less obvious ones as well. One simple but helpful feature is the option to have the SRX serve files over SCP or FTP. I'm not saying that the SRX is the right place to host files for general use; in fact I'd strongly recommend against it. But sometimes you need to serve something in a pinch, and it can be much easier and quicker to use your SRX than to set up a dedicated server and open up firewall rules to make that happen.

Recently I performed an upgrade on some Netoptics taps that we deployed several years ago. These were largely set-and-forget devices, and they have been quietly working away in their corner of the DC. As we prepped for the upgrade and looked at the procedure, the taps' only option was to download the new firmware over FTP. This was a problem, because we long ago banished every kind of FTP server from our network; we only allow secure protocols. The taps were managed in a secure VLAN, with no option to quickly attach an FTP server. Fortunately the security device there was a Juniper SRX 3600. It was easy enough to upload the Netoptics tap firmware to the SRX and enable FTP on the SRX interface for 5-10 minutes.

I'll show you how to do that in 3 easy steps. This example uses FTP**, but the process is the same for SCP/SSH: use ssh in place of ftp in the commands below.

1. Upload the file to the SRX. Place the file in the home directory of the user that will log in over FTP (or SCP) to download it; the SRX FTP server uses that user's home directory as the FTP root. The home directory is /var/home/$USERNAME/, which is also the default directory whenever you connect to the SRX.

2. Enable the service in the security zone.

# set security zones security-zone ZONENAME host-inbound-traffic system-services ftp

Or, if you have multiple interfaces in the zone and only want FTP on one of them, apply the service to that interface instead. Remember, though, that the most specific configuration wins: an interface-level host-inbound-traffic list replaces the zone-level list for that interface. So list every service you still need on that interface (ssh, ping and so on), not just ftp, or the services inherited from the zone stop working on it.

# set security zones security-zone ZONENAME interfaces ge-x/x/x.x host-inbound-traffic system-services ftp

3. Enable the service at the system level and commit the changes. If you only need FTP open for a few minutes, "commit confirmed 10" instead of "commit" applies the change and rolls it back automatically after 10 minutes unless you confirm it with a plain commit, so the window closes itself if you forget about it.

# set system services ftp

# commit
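As an added example (my own script, not from the original post), here are the three steps driven from a Unix client in one go, with a self-closing FTP window. The host, user, zone and interface names are placeholders. It assumes the login user's shell is the Junos CLI, so that semicolon-separated commands can be passed on the ssh command line, and that ssh is already allowed in the zone (it has to be, for the scp upload in step 1).

```shell
#!/bin/sh
# Added example, not from the original post: the three steps driven from a
# Unix client in one shot, with the FTP window closing itself.
# Host/user/zone/interface values are placeholders, and the ssh calls assume
# the login user's shell is the Junos CLI (the default for CLI users).

# Step 2 as generated "set" lines. With only a zone, ftp joins the zone's
# host-inbound-traffic list. With an interface too, the list is written per
# interface, and Junos then uses that list INSTEAD of the zone's for that
# interface, so ssh is re-added next to ftp (assumed to be allowed at zone
# level already, since step 1 needs scp to work). Step 3's system-level line
# is appended so that one commit covers both.
srx_ftp_open_cmds() {
  zone=$1
  iface=$2
  if [ -n "$iface" ]; then
    base="set security zones security-zone $zone interfaces $iface host-inbound-traffic system-services"
    echo "$base ssh"
    echo "$base ftp"
  else
    echo "set security zones security-zone $zone host-inbound-traffic system-services ftp"
  fi
  echo "set system services ftp"
}

# The matching cleanup. Deleting the whole interface-level host-inbound-traffic
# stanza assumes it did not exist before we added it; removing it puts the
# interface back on the zone-level list.
srx_ftp_close_cmds() {
  zone=$1
  iface=$2
  echo "delete system services ftp"
  if [ -n "$iface" ]; then
    echo "delete security zones security-zone $zone interfaces $iface host-inbound-traffic"
  else
    echo "delete security zones security-zone $zone host-inbound-traffic system-services ftp"
  fi
}

# Join the generated lines into one CLI command line. With minutes > 0 the
# change goes in with "commit confirmed N": Junos rolls it back by itself
# after N minutes unless a plain "commit" confirms it, so a forgotten FTP
# window does not stay open. With 0, a plain commit is used (for the cleanup).
srx_cli_line() {
  minutes=$1
  shift
  cmds=$("$@" | sed 's/$/;/' | paste -s -d ' ' -)
  if [ "$minutes" -gt 0 ]; then
    echo "configure; $cmds commit confirmed $minutes"
  else
    echo "configure; $cmds commit"
  fi
}

# End-to-end: scp the file into /var/home/$user (no remote path needed; that
# is the login directory and the FTP root), then open FTP for $minutes.
# Needs a real SRX, so this part is not exercised offline.
srx_temp_ftp() {
  host=$1; user=$2; zone=$3; file=$4; minutes=${5:-10}; iface=$6
  scp "$file" "$user@$host:" &&
    ssh "$user@$host" "$(srx_cli_line "$minutes" srx_ftp_open_cmds "$zone" "$iface")"
}

# Close the window early, or make sure it is gone after a confirmed commit.
srx_temp_ftp_close() {
  host=$1; user=$2; zone=$3; iface=$4
  ssh "$user@$host" "$(srx_cli_line 0 srx_ftp_close_cmds "$zone" "$iface")"
}

# Usage (placeholder values): srx_temp_ftp srx.example.net admin trust tap-fw.bin 10
```

If you confirm the commit because the download took longer than expected, run the close function afterwards; otherwise the timer removes the FTP lines for you.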

That's it, you can now connect via FTP with your client. When you are finished, delete the two lines again (delete system services ftp, and the host-inbound-traffic entry) and commit, so FTP isn't left enabled on the firewall.

I always appreciate flexibility in my devices, and very few devices have the flexibility of the SRX platform. I hope this helps if you ever need an FTP or SCP server in a pinch.

**One word of warning: FTP uses no encryption, so any credentials you pass are sent in the clear, so be warned. In this case, my client was in the same VLAN as the firewall, with a single switch in the middle. I control the switch as well, so to me the risk of someone intercepting that traffic was pretty low, but it is definitely something that you should be aware of.

Author: Kelly McDowell