Adding a Security Zone
A security zone is a collection of one or more network segments requiring the regulation of inbound and outbound traffic through policies. Security zones are logical entities to which one or more interfaces are bound. You can define multiple security zones, the exact number of which you determine based on your network needs.
An interface for a security zone can be thought of as a doorway through which TCP/IP traffic can pass between that zone and any other zone. Through the policies you define, you can permit traffic between zones to flow in one direction or in both. With the routes that you define, you specify the interfaces that traffic from one zone to another must use. Because you can bind multiple interfaces to a zone, the routes you chart are important for directing traffic to the interfaces of your choice. An interface can be configured with an IPv4 address, IPv6 address, or both.
Security zones have the following properties:
Policies—Active security policies that enforce rules for the transit traffic, in terms of what traffic can pass through the firewall, and the actions that need to take place on the traffic as it passes through the firewall.
Screens—A Juniper Networks stateful firewall secures a network by inspecting, and then allowing or denying, all connection attempts that require passage from one security zone to another. For every security zone, you can enable a set of predefined screen options that detect and block various kinds of traffic that the device determines as potentially harmful.
TCP-RST—When this feature is enabled, the system sends a TCP segment with the RESET flag set when traffic arrives that does not match an existing session and does not have the SYN (synchronize) flag set.
Interfaces—List of interfaces in the zone.
Use this page to configure zones and assign interfaces to them.
To create a security zone:
| Field | Description |
|---|---|
| General Information | |
| Name | Enter a unique string of alphanumeric characters and some special characters, such as dashes and underscores. The maximum length is 31 characters. |
| Description | Enter a description for the zone; the maximum length is 900 characters. |
| Application Tracking | Select the checkbox to maintain application usage statistics on the device. |
| Interfaces | From the list of interfaces in the Available column, select the interfaces that you want to include in the new zone and click the greater-than icon (>). The selected interfaces are moved to the Selected column. |
| System Services | From the list of system services in the Available column, select the system services that you want to include in the new zone and click the greater-than icon (>). The selected system services are moved to the Selected column. |
| Is Except | Select the checkbox to block the selected incoming system services; this option applies only when the all system services option is defined. |
| Protocols | From the list of protocols in the Available column, select the protocols that you want to include in the new zone and click the greater-than icon (>). The selected protocols are moved to the Selected column. |
| Is Except | Select this option to block the selected incoming protocols; this option applies only when the all protocols option is defined. |
| Traffic Control Options | |
| TCP RST | Select the checkbox to enable sending TCP packets with the RST (reset) flag set to 1 in response to TCP packets that have any flag other than SYN set and that do not belong to an existing session. |
| Screen | Enter a predefined security screen for the security zone to detect and block various kinds of traffic that the device determines as potentially harmful. |
| Interface Services and Protocols | View a summary of the interfaces, services, and protocols configured on your device. |
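The same zone settings as they appear in the Junos CLI, as an added illustration that is not part of this page: the zone names (trust, untrust), interface names, screen name (untrust-screen), and policy name are constructed for the example, and the lines beginning with # are explanatory notes rather than CLI input. It shows how the "Is Except" checkbox maps to the except keyword under an all entry.

```junos
# Screen profile referenced by the untrust zone (Screen field).
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen tcp syn-flood
set security screen ids-option untrust-screen tcp land

# Zone "trust": Name, Description, Application Tracking, TCP RST.
set security zones security-zone trust description "Internal user LAN"
set security zones security-zone trust application-tracking
set security zones security-zone trust tcp-rst
# Interfaces bound to the zone (Interfaces field).
set security zones security-zone trust interfaces ge-0/0/1.0
# System Services: allow all, then "Is Except" removes telnet.
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic system-services telnet except
# Protocols the device itself accepts on this zone (Protocols field).
set security zones security-zone trust host-inbound-traffic protocols ospf

# Zone "untrust": screen attached, only IKE accepted by the device.
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services ike

# Policy permitting HTTP from trust to untrust (Policies property).
set security policies from-zone trust to-zone untrust policy allow-web match source-address any
set security policies from-zone trust to-zone untrust policy allow-web match destination-address any
set security policies from-zone trust to-zone untrust policy allow-web match application junos-http
set security policies from-zone trust to-zone untrust policy allow-web then permit
```

After committing, `show security zones trust` lists the bound interfaces and the effective host-inbound services, which is the quickest way to confirm that the except entry actually removed the service you intended.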