Juniper Security Zones
The SRX uses the concept of nested Security Zones. Security zones are used to group logical interfaces having same or similar security requirements. By default, no traffic can traverse in or out of SRX box until the security zones are configured on the SRX interfaces.
A scenario will be created to further familiarise with basic configuration of Security Zone on Juniper SRX allowing only selective traffic to pass through –
Configuring Untrusted Zone to allow only “ping” under “host-inbound-traffic”
Configuring Untrusted Zone to allow only “ping” & “http” under “host-inbound-traffic”
Additionally , there are more options under service name apart from “ping” and “http” as below –
service-name
System-service for which traffic is allowed. The following system services are supported:
- all—Enable traffic from the defined system services available on the Routing Engine (RE). Use the except option to disallow specific system services.
- any-service—Enable all system services on entire port range including the system services that are not defined.
- bootp—Enable traffic destined to BOOTP and DHCP relay agents.
- dhcp—Enable incoming DHCP requests.
- dhcpv6—Enable incoming DHCP requests for IPv6.
- dns—Enable incoming DNS services.
- finger—Enable incoming finger traffic.
- FTP—Enable incoming FTP traffic.
- http—Enable incoming J-Web or clear-text Web authentication traffic.
- https—Enable incoming J-Web or Web authentication traffic over Secure Sockets Layer (SSL).
- ident-reset—Enable the access that has been blocked by an unacknowledged identification request.
- ike—Enable Internet Key Exchange traffic.
- lsping—Enable label switched path ping service.
- netconf—Enable incoming NETCONF service.
- ntp—Enable incoming Network Time Protocol (NTP) traffic.
- ping—Allow the device to respond to ICMP echo requests.
- r2cp—Enable incoming Radio Router Control Protocol traffic.
- reverse-ssh—Reverse SSH traffic.
- reverse-telnet—Reverse Telnet traffic.
- rlogin—Enable incoming rlogin (remote login) traffic.
- rpm—Enable incoming Real-time performance monitoring (RPM) traffic.
- rsh—Enable incoming Remote Shell (rsh) traffic.
- snmp—Enable incoming SNMP traffic (UDP port 161).
- snmp-trap—Enable incoming SNMP traps (UDP port 162).
- ssh—Enable incoming SSH traffic.
- telnet—Enable incoming Telnet traffic.
- tftp—Enable TFTP services.
- traceroute—Enable incoming traceroute traffic (UDP port 33434).
- xnm-clear-text—Enable incoming Junos XML protocol traffic for all specified interfaces.
- xnm-ssl— Enable incoming Junos XML protocol-over-SSL traffic for all specified interfaces.
- except—(Optional) Enable specific incoming system service traffic but only when the all option has been defined . For example, to enable all but FTP and HTTP system service traffic:
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic system-services ftp except
set security zones security-zone trust host-inbound-traffic system-services http except
Required Privilege Level
- security—To view this statement in the configuration.
- security-control—To add this statement to the configuration.
Continue Reading:
Enable Jumbo Frame on Juniper ScreenOS Firewall
Useful Juniper Netscreen Commands
ABOUT THE AUTHOR
I am here to share my knowledge and experience in the field of networking with the goal being – “The more you share, the more you learn.”
I am a biotechnologist by qualification and a Network Enthusiast by interest. I developed interest in networking being in the company of a passionate Network Professional, my husband.
I am a strong believer of the fact that “learning is a constant process of discovering yourself.”
– Rashmi Bhardwaj (Author/Editor)
