The SRX uses the concept of nested Security Zones. Security zones are used to group logical interfaces having same or similar security requirements. By default, no traffic can traverse in or out of SRX box until the security zones are configured on the SRX interfaces.
A scenario will be created to further familiarise with basic configuration of Security Zone on Juniper SRX allowing only selective traffic to pass through –
CONFIGURING UNTRUSTED ZONE TO ALLOW ONLY “PING” UNDER “HOST-INBOUND-TRAFFIC” –
CONFIGURING UNTRUSTED ZONE TO ALLOW ONLY “PING” & “HTTP” UNDER “HOST-INBOUND-TRAFFIC” –
set security zones security-zone trust interfaces fe-0/0/1 host-inbound-traffic system-services pingset security zones security-zone trust interfaces fe-0/0/1 host-inbound-traffic system-services http
Additionally , there are additional options under service name apart from “ping” and “http” as below –
- service-name —System-service for which traffic is allowed. The following system services are supported:• all—Enable traffic from the defined system services available on the Routing Engine (RE). Use the except option to disallow specific system services.
- any-service—Enable all system services on entire port range including the system services that are not defined.
- bootp—Enable traffic destined to BOOTP and DHCP relay agents.
- dhcp—Enable incoming DHCP requests.
- dhcpv6—Enable incoming DHCP requests for IPv6.
- dns—Enable incoming DNS services.
- finger—Enable incoming finger traffic.
- ftp—Enable incoming FTP traffic.
- http—Enable incoming J-Web or clear-text Web authentication traffic.
- https—Enable incoming J-Web or Web authentication traffic over Secure Sockets Layer (SSL).
- ident-reset—Enable the access that has been blocked by an unacknowledged identification request.
- ike—Enable Internet Key Exchange traffic.
- lsping—Enable label switched path ping service.
- netconf—Enable incoming NETCONF service.
- ntp—Enable incoming Network Time Protocol (NTP) traffic.
- ping—Allow the device to respond to ICMP echo requests.
- r2cp—Enable incoming Radio Router Control Protocol traffic.
- reverse-ssh—Reverse SSH traffic.
- reverse-telnet—Reverse Telnet traffic.
- rlogin—Enable incoming rlogin (remote login) traffic.
- rpm—Enable incoming Real-time performance monitoring (RPM) traffic.
- rsh—Enable incoming Remote Shell (rsh) traffic.
- snmp—Enable incoming SNMP traffic (UDP port 161).
- snmp-trap—Enable incoming SNMP traps (UDP port 162).
- ssh—Enable incoming SSH traffic.
- telnet—Enable incoming Telnet traffic.
- tftp—Enable TFTP services.
- traceroute—Enable incoming traceroute traffic (UDP port 33434).
- xnm-clear-text—Enable incoming Junos XML protocol traffic for all specified interfaces.
- xnm-ssl— Enable incoming Junos XML protocol-over-SSL traffic for all specified interfaces.
- except—(Optional) Enable specific incoming system service traffic but only when the all option has been defined . For example, to enable all but FTP and HTTP system service traffic:
Required Privilege Level
- security—To view this statement in the configuration.
- security-control—To add this statement to the configuration.