JUNIPER SRX ZONE HOST-INBOUND SERVICES CONFIGURATION

The SRX uses the concept of nested Security ZonesSecurity zones are used to group logical interfaces having same or similar security requirements. By default, no traffic can traverse in or out of SRX box until the security zones are configured on the SRX interfaces.

A scenario will be created to further familiarise with basic configuration of Security Zone on Juniper SRX allowing only selective traffic to pass through –


juniper-srx-zone-host-inbound-services-configuration

CONFIGURING UNTRUSTED ZONE TO ALLOW ONLY “PING” UNDER “HOST-INBOUND-TRAFFIC” –

security zones security-zone untrust interfaces fe-0/0/0 host-inbound-traffic system-services ping

 

CONFIGURING UNTRUSTED ZONE TO ALLOW ONLY “PING” & “HTTP” UNDER “HOST-INBOUND-TRAFFIC” –

set security zones security-zone trust interfaces fe-0/0/1 host-inbound-traffic system-services pingset security zones security-zone trust interfaces fe-0/0/1 host-inbound-traffic system-services http

 

Additionally , there are additional options under service name apart from “ping” and “http” as below –

  • service-name —System-service for which traffic is allowed. The following system services are supported:• all—Enable traffic from the defined system services available on the Routing Engine (RE). Use the except option to disallow specific system services.
    • any-service—Enable all system services on entire port range including the system services that are not defined.
    • bootp—Enable traffic destined to BOOTP and DHCP relay agents.
    • dhcp—Enable incoming DHCP requests.
    • dhcpv6—Enable incoming DHCP requests for IPv6.
    • dns—Enable incoming DNS services.
    • finger—Enable incoming finger traffic.
    • ftp—Enable incoming FTP traffic.
    • http—Enable incoming J-Web or clear-text Web authentication traffic.
    • https—Enable incoming J-Web or Web authentication traffic over Secure Sockets Layer (SSL).
    • ident-reset—Enable the access that has been blocked by an unacknowledged identification request.
    • ike—Enable Internet Key Exchange traffic.
    • lsping—Enable label switched path ping service.
    • netconf—Enable incoming NETCONF service.
    • ntp—Enable incoming Network Time Protocol (NTP) traffic.
    • ping—Allow the device to respond to ICMP echo requests.
    • r2cp—Enable incoming Radio Router Control Protocol traffic.
    • reverse-ssh—Reverse SSH traffic.
    • reverse-telnet—Reverse Telnet traffic.
    • rlogin—Enable incoming rlogin (remote login) traffic.
    • rpm—Enable incoming Real-time performance monitoring (RPM) traffic.
    • rsh—Enable incoming Remote Shell (rsh) traffic.
    • snmp—Enable incoming SNMP traffic (UDP port 161).
    • snmp-trap—Enable incoming SNMP traps (UDP port 162).
    • ssh—Enable incoming SSH traffic.
    • telnet—Enable incoming Telnet traffic.
    • tftp—Enable TFTP services.
    • traceroute—Enable incoming traceroute traffic (UDP port 33434).
    • xnm-clear-text—Enable incoming Junos XML protocol traffic for all specified interfaces.
    • xnm-ssl— Enable incoming Junos XML protocol-over-SSL traffic for all specified interfaces.
    • except—(Optional) Enable specific incoming system service traffic but only when the all option has been defined . For example, to enable all but FTP and HTTP system service traffic:

Required Privilege Level

  • security—To view this statement in the configuration.
  • security-control—To add this statement to the configuration.
Please follow and like us:
error

Related Posts

Add Comment

Social Media Auto Publish Powered By : XYZScripts.com
Select your currency
USD United States (US) dollar

Checkout : E-STORE for latest release "Desktop Support Engineer Interview Q&A " Dismiss