The SRX uses the concept of nested Security Zones. A security zone groups logical interfaces that have the same or similar security requirements. By default, no traffic can traverse in or out of the SRX box until security zones are configured on the SRX interfaces.
To become familiar with the basic configuration of security zones on a Juniper SRX, the scenario below allows only selective traffic to reach the device through each zone. Note that “host-inbound-traffic” governs traffic destined to the SRX itself (its Routing Engine), so every service listed under it is a service the device exposes on that interface:
Configuring the untrust zone to allow only “ping” under “host-inbound-traffic”:
set security zones security-zone untrust interfaces fe-0/0/0 host-inbound-traffic system-services ping
Configuring the trust zone to allow only “ping” and “http” under “host-inbound-traffic” (the zone name in the commands is “trust”):
set security zones security-zone trust interfaces fe-0/0/1 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces fe-0/0/1 host-inbound-traffic system-services http
Additionally, there are more options under “system-services” apart from “ping” and “http”, as listed below:
System-service for which traffic is allowed. The following system services are supported:
all—Enable traffic from the defined system services available on the Routing Engine (RE). Use the except option to disallow specific system services.
any-service—Enable all system services on entire port range including the system services that are not defined.
bootp—Enable traffic destined to BOOTP and DHCP relay agents.
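A defender's check that follows from the zone commands and the service options above, added here as an example (it is not Juniper's code or the page's own): a small Python audit over “show configuration | display set” output that lists which system services each zone interface admits and flags “all”, “any-service”, or anything beyond ping on an untrusted zone. The sample configuration, the extra dmz zone and the “untrust gets ping only” policy are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample of "show configuration | display set" output (not from the page);
# the untrust/trust lines mirror the commands above, the rest are added cases.
SAMPLE_CONFIG = """
set security zones security-zone untrust interfaces fe-0/0/0 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces fe-0/0/1 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces fe-0/0/1 host-inbound-traffic system-services http
set security zones security-zone dmz interfaces fe-0/0/2 host-inbound-traffic system-services all
set security zones security-zone dmz interfaces fe-0/0/2 host-inbound-traffic system-services ssh except
set security zones security-zone untrust interfaces fe-0/0/3 host-inbound-traffic system-services any-service
set security zones security-zone untrust interfaces fe-0/0/4 host-inbound-traffic system-services http
"""

# One interface-level system-services statement; "<service> except" is the Junos
# form that carves a service out of "all".
_STMT = re.compile(
    r"^set security zones security-zone (\S+) interfaces (\S+) "
    r"host-inbound-traffic system-services (\S+)(?: (except))?$"
)

def parse_system_services(config_text):
    """Map (zone, interface) -> {"allow": {...}, "except": {...}} from set-style config."""
    result = defaultdict(lambda: {"allow": set(), "except": set()})
    for line in config_text.strip().splitlines():
        m = _STMT.match(line.strip())
        if not m:
            continue  # other config, or zone-level statements not handled here
        zone, ifl, service, is_except = m.groups()
        result[(zone, ifl)]["except" if is_except else "allow"].add(service)
    return dict(result)

def audit(config_text, untrusted_zones=("untrust",), untrusted_allowed=("ping",)):
    """Return (zone, interface, reason) tuples for interfaces that expose the Routing
    Engine beyond the selective pattern above (assumed policy: untrust gets ping only)."""
    findings = []
    for (zone, ifl), entry in sorted(parse_system_services(config_text).items()):
        allow, exc = entry["allow"], entry["except"]
        if "any-service" in allow:
            findings.append((zone, ifl, "any-service: whole port range, incl. undefined services"))
        elif "all" in allow:
            carved = ", ".join(sorted(exc)) or "none"
            findings.append((zone, ifl, "all system services enabled; except: " + carved))
        elif zone in untrusted_zones and allow - set(untrusted_allowed):
            extra = ", ".join(sorted(allow - set(untrusted_allowed)))
            findings.append((zone, ifl, "untrusted zone admits more than ping: " + extra))
    return findings
```

Running audit(SAMPLE_CONFIG) reports the dmz interface with “all” (noting the ssh carve-out) and the two untrust interfaces that admit “any-service” and “http”, while the ping-only untrust interface and the trust interface pass.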
- Rashmi Bhardwaj (Author/Editor)