Supported Platforms
Related Documentation
- SRX Series
- Understanding Security Zones and Policies for SRX Series
- Understanding Factory Default Configuration Settings of an SRX Series Appliance
- Additional Information
- Connecting Your SRX Series Appliance for the First Time
Example: Configuring Security Zones and Policies for SRX Series
This example shows how to set up a new zone and add three servers to that zone. It then permits communication between a host (PC) in the trust zone and the servers in the newly created zone, and also permits communication between two servers within that zone.
To meet this requirement, you need an interzone security policy to allow traffic between the two zones and an intrazone policy to allow traffic between servers within the same zone.
Requirements
This example uses the following hardware and software components:
- An SRX210
- Junos OS Release 12.1X44-D10
Overview
This example uses the network topology shown in Figure 1.
Figure 1: Topology for Security Policy Configuration

In this example, you perform the following tasks:
- Move the ge-0/0/1.0 interface, which was part of the trust zone, to the DMZ zone and assign the IP address 192.168.2.1/24. Change ge-0/0/1 from family ethernet-switching (factory configuration setting) to family inet.
- Assign the IP address 192.168.1.2/24 to the host connected to the fe-0/0/2.0 interface in the trust zone.
- Set up two HTTP servers (Server-HTTP-1 and Server-HTTP-2) and one SMTP server in the DMZ zone and assign the IP addresses 192.168.2.2/24, 192.168.2.3/24, and 192.168.2.4/24 respectively.
- Configure an address book and create addresses for use in the policy as shown in Table 1.
Table 1: Address Books Configuration
Zone    Address Book    Server IP Address
DMZ     Server-HTTP-1   192.168.2.2/24
DMZ     Server-HTTP-2   192.168.2.3/24
DMZ     Server-SMTP     192.168.2.4/24
Trust   PC-Trust        192.168.1.2/24
- Create security policies as shown in Table 2.
Table 2: Security Policy Configuration
Policy Name             From Zone   To Zone   Action
permit-mail-trust-DMZ   Trust       DMZ       Permit SMTP traffic
permit-http-in-DMZ      DMZ         DMZ       Permit HTTP traffic
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
To configure security zones and policies:
- Delete the interface ge-0/0/1 from family ethernet-switching (factory configuration) and assign an IP address.
  [edit]
  user@srx210-host# delete interfaces ge-0/0/1 unit 0 family ethernet-switching
  user@srx210-host# set interfaces ge-0/0/1 unit 0 family inet address 192.168.2.1/24
- Configure a new security zone (DMZ) and assign interfaces.
  [edit]
  user@srx210-host# set security zones security-zone DMZ interfaces ge-0/0/1 host-inbound-traffic system-services all
- Create address books in the DMZ zone.
  [edit]
  user@srx210-host# set security zones security-zone DMZ address-book address Server-HTTP-1 192.168.2.2/32
  user@srx210-host# set security zones security-zone DMZ address-book address Server-HTTP-2 192.168.2.3/32
  user@srx210-host# set security zones security-zone DMZ address-book address Server-SMTP 192.168.2.4/32
- Create address sets in the DMZ zone to group the HTTP server addresses together.
  [edit]
  user@srx210-host# set security zones security-zone DMZ address-book address-set DMZ-address-set-http address Server-HTTP-1
  user@srx210-host# set security zones security-zone DMZ address-book address-set DMZ-address-set-http address Server-HTTP-2
- Create address books in the trust zone.
  [edit]
  user@srx210-host# set security zones security-zone trust address-book address PC-Trust 192.168.1.2/32
- Create an interzone policy to permit SMTP traffic from the trust zone to the DMZ zone.
  [edit]
  user@srx210-host# set security policies from-zone trust to-zone DMZ policy permit-mail-trust-DMZ match source-address PC-Trust
  user@srx210-host# set security policies from-zone trust to-zone DMZ policy permit-mail-trust-DMZ match destination-address Server-SMTP
  user@srx210-host# set security policies from-zone trust to-zone DMZ policy permit-mail-trust-DMZ match application junos-smtp
  user@srx210-host# set security policies from-zone trust to-zone DMZ policy permit-mail-trust-DMZ then permit
- Create an intrazone policy to permit HTTP traffic between the two servers in the DMZ zone.
  [edit]
  user@srx210-host# set security policies from-zone DMZ to-zone DMZ policy permit-http-in-DMZ match source-address DMZ-address-set-http
  user@srx210-host# set security policies from-zone DMZ to-zone DMZ policy permit-http-in-DMZ match destination-address DMZ-address-set-http
  user@srx210-host# set security policies from-zone DMZ to-zone DMZ policy permit-http-in-DMZ match application junos-http
  user@srx210-host# set security policies from-zone DMZ to-zone DMZ policy permit-http-in-DMZ then permit
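The following Python script is an added example, not part of the Juniper documentation and not SRX code: it models the zones, address books, address set and the two policies configured above and performs a first-match policy lookup for a handful of constructed flows, so you can see which traffic the configuration permits and, more importantly, which it silently denies. It assumes that zone membership can be derived from the interface subnets (192.168.1.0/24 for trust, 192.168.2.0/24 for DMZ) rather than from an ingress-interface and route lookup, reduces the predefined applications junos-smtp and junos-http to tcp/25 and tcp/80, and models only the two policies from this example, so the factory-default trust-to-trust policy is not represented.

```python
import ipaddress

# Constructed model of the example's zones. Zone membership is derived from the
# subnets behind each zone interface (assumption); a real SRX uses the ingress
# interface for the from-zone and a route lookup for the to-zone.
ZONE_SUBNETS = {
    "trust": ipaddress.ip_network("192.168.1.0/24"),
    "DMZ": ipaddress.ip_network("192.168.2.0/24"),
}

# Address book entries exactly as the procedure configures them (/32 host entries).
ADDRESS_BOOKS = {
    "trust": {"PC-Trust": ipaddress.ip_network("192.168.1.2/32")},
    "DMZ": {
        "Server-HTTP-1": ipaddress.ip_network("192.168.2.2/32"),
        "Server-HTTP-2": ipaddress.ip_network("192.168.2.3/32"),
        "Server-SMTP": ipaddress.ip_network("192.168.2.4/32"),
    },
}

# Address sets group address-book entries within the same zone.
ADDRESS_SETS = {
    "DMZ": {"DMZ-address-set-http": ["Server-HTTP-1", "Server-HTTP-2"]},
}

# Predefined Junos applications used by the example, reduced to (protocol, port).
APPLICATIONS = {"junos-smtp": ("tcp", 25), "junos-http": ("tcp", 80)}

# The two policies from Table 2, in configuration order.
POLICIES = [
    {"name": "permit-mail-trust-DMZ", "from": "trust", "to": "DMZ",
     "src": "PC-Trust", "dst": "Server-SMTP", "app": "junos-smtp", "action": "permit"},
    {"name": "permit-http-in-DMZ", "from": "DMZ", "to": "DMZ",
     "src": "DMZ-address-set-http", "dst": "DMZ-address-set-http",
     "app": "junos-http", "action": "permit"},
]


def zone_of(ip):
    """Return the zone whose subnet contains ip, or None if it is in no configured zone."""
    addr = ipaddress.ip_address(ip)
    for zone, subnet in ZONE_SUBNETS.items():
        if addr in subnet:
            return zone
    return None


def address_matches(zone, name, ip):
    """True if ip falls in the named address, or in any member of the named address set."""
    addr = ipaddress.ip_address(ip)
    book = ADDRESS_BOOKS.get(zone, {})
    members = ADDRESS_SETS.get(zone, {}).get(name, [name])
    return any(member in book and addr in book[member] for member in members)


def lookup(src_ip, dst_ip, proto, dport):
    """First-match lookup over the configured policies, returning (action, reason).

    Anything not explicitly permitted by a configured policy is denied, which is
    the SRX behaviour when no policy in the from-zone/to-zone context matches.
    """
    from_zone, to_zone = zone_of(src_ip), zone_of(dst_ip)
    if from_zone is None or to_zone is None:
        return ("deny", "no-zone")
    for pol in POLICIES:
        if (pol["from"], pol["to"]) != (from_zone, to_zone):
            continue
        if not address_matches(from_zone, pol["src"], src_ip):
            continue
        if not address_matches(to_zone, pol["dst"], dst_ip):
            continue
        if APPLICATIONS.get(pol["app"]) != (proto, dport):
            continue
        return (pol["action"], pol["name"])
    return ("deny", "default-deny")


if __name__ == "__main__":
    # Constructed flows: the two the example intends to allow, then three it does not.
    for flow in [("192.168.1.2", "192.168.2.4", "tcp", 25),   # PC -> SMTP server
                 ("192.168.2.2", "192.168.2.3", "tcp", 80),   # HTTP-1 -> HTTP-2
                 ("192.168.1.2", "192.168.2.2", "tcp", 80),   # PC -> HTTP-1: no trust-to-DMZ HTTP policy
                 ("192.168.2.4", "192.168.2.2", "tcp", 80),   # SMTP server is not in the HTTP address set
                 ("192.168.1.9", "192.168.2.4", "tcp", 25)]:  # another trust host: PC-Trust is a /32
        print(flow, "->", lookup(*flow))
```

Two points the lookup makes visible: the address-book entries are /32 hosts, so a second PC in the trust zone gets no SMTP access until it is added to the book, and the SMTP server is outside DMZ-address-set-http, so it cannot reach the HTTP servers even though all three sit in the same zone. The model does not cover the stateful return path (the SRX matches the reply to the existing session rather than to a policy) or host-inbound-traffic, which governs traffic addressed to the device itself rather than through it.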
Results
From configuration mode, confirm your configuration by entering the show security zones and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
If you are done configuring the device, enter commit from configuration mode.
Verification
Verifying Policy Configuration
Purpose
Verify information about security policies.
Action
You can pass traffic between servers in different zones and verify the traffic data by using the show security flow session command from operational mode.
For samples of the show security flow session command output, see show security flow session.
Modified: 2016-05-23