Performing Initial Software Configuration on SRX100 Services Gateway Using CLI
8. Configure basic security zones
Security zones are the building blocks for policies; they are logical entities to which one or more interfaces are bound. Security zones provide a means of distinguishing groups of hosts (user systems and other hosts, such as servers) and their resources from one another in order to apply different security measures to them.
Security zones have the following properties:
Policies - Active security policies that enforce rules for the transit traffic, in terms of what traffic can pass through the firewall, and the actions that need to take place on the traffic as it passes through the firewall.
Screens - A Juniper Networks stateful firewall secures a network by inspecting, and then allowing or denying, all connection attempts that require passage from one security zone to another. For every security zone, you can enable a set of predefined screen options that detect and block various kinds of traffic that the device determines to be potentially harmful.
Address books - IP addresses and address sets that make up an address book to identify its members so that you can apply policies to them. Address book entries can include any combination of IPv4 addresses, IPv6 addresses, and Domain Name System (DNS) names.
TCP-RST - When this feature is enabled, the system sends a TCP segment with the RST (reset) flag set when traffic arrives that does not match an existing session and does not have the SYN (synchronize) flag set.
Interfaces - List of interfaces in the zone.
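The following added example (not part of the original procedure) shows how each of the zone properties listed above maps to set-style commands in configuration mode. The names untrust-screen, lan-hosts and lan-out, the 192.168.1.0/24 prefix, the threshold values, and the interface-to-zone assignment (fe-0/0/0.0 and vlan.0) are assumptions for illustration; lines beginning with # are comments for the reader.

```junos
# Screens: define a screen profile, then bind it to the zone that
# receives untrusted traffic. Only traffic entering this zone is screened.
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp land
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security zones security-zone untrust screen untrust-screen

# Interfaces: bind each logical interface to exactly one zone.
# (Assumed mapping: fe-0/0/0.0 faces outside, vlan.0 faces the LAN.)
set security zones security-zone untrust interfaces fe-0/0/0.0
set security zones security-zone trust interfaces vlan.0

# TCP-RST: answer non-SYN segments that match no session with a reset
# instead of dropping them silently. Enabled here only on the trust zone,
# so outside hosts get no response to out-of-session segments.
set security zones security-zone trust tcp-rst

# Address book: name the LAN prefix so policies can reference it.
# This is the zone-attached form; later Junos OS releases define
# address books under "security address-book" instead.
set security zones security-zone trust address-book address lan-hosts 192.168.1.0/24

# Policies: permit LAN-initiated traffic outbound, matched on the
# address-book entry rather than on "any" source.
set security policies from-zone trust to-zone untrust policy lan-out match source-address lan-hosts
set security policies from-zone trust to-zone untrust policy lan-out match destination-address any
set security policies from-zone trust to-zone untrust policy lan-out match application any
set security policies from-zone trust to-zone untrust policy lan-out then permit

# Validate the candidate configuration before committing it.
commit check
```

After a successful commit, run show security zones in operational mode to confirm the interface bindings, the screen attached to each zone, and the TCP-RST setting.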