Security Zones for Tenant Systems
Security zones can be configured with tenant systems. For more information, see the following topics:
Understanding Zones for Tenant Systems
Security zones are logical entities to which one or more interfaces are bound. Security zones can be configured on the tenant systems by the administrator. On a tenant system, the administrator can configure multiple security zones, dividing the network into network segments to which various security options can be applied.
The primary administrator configures the maximum and reserved numbers of security zones for the tenant system. Then the administrator for the tenant system can create the security zones in the tenant system and assign interfaces to each security zone. The number of zones configured in the tenant system counts toward the maximum number of zones available on the device. The show system security-profile zones command is used to view the number of security zones allocated to the tenant system, and the show interfaces command to view the interfaces assigned to the tenant system.
You can configure the following features in a tenant system security zone:
Interfaces that are part of a security zone.
Screen options—For every security zone, you can enable a set of predefined screen options that detect and block various kinds of traffic that the device determines as potentially harmful.
TCP-Reset—When this feature is enabled, the system sends a TCP segment with the RESET flag set when traffic arrives that does not match an existing session and does not have the synchronize flag set.
Host inbound traffic—This feature specifies the kinds of traffic that can reach the device from systems that are directly connected to its interfaces. You can configure these parameters at the zone level, in which case they affect all interfaces of the zone, or at the interface level. Interface configuration overrides that of the zone.
There are no preconfigured security zones in the tenant system.
The management functional zone (MGT) can be configured for the tenant system. There is one management interface per device that is allocated to the tenant system.
The administrator for the tenant system can configure and view all attributes for a security zone in a tenant system. All security zone attributes in a tenant system are also visible to the primary administrator.
Example: Configuring Zones in the Tenant System
This example shows how to configure the zones for the tenant system.
Requirements
Before you begin the configuration:
Configure the interfaces created by the primary administrator. See Example: Configuring Interfaces and Routing Instances for a Tenant System.
Overview
In this example, you configure zones for the tenant system. Security zones are the building blocks for policies; they are logical entities to which one or more interfaces are bound. The [edit tenants tenant-name security zones] hierarchy level is used to configure the security zones. This example configures the security policies and zones described in Table 1.
Table 1: Zone Configuration Parameters

Feature | Configuration Parameters
---|---
Zone 1 | Name: trust; interface: xe-0/0/1.0; host-inbound-traffic system-services: any-service
Zone 2 | Name: untrust; interface: xe-0/0/3.0; host-inbound-traffic system-services: any-service
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set tenants TN1 security zones security-zone trust host-inbound-traffic system-services any-service
set tenants TN1 security zones security-zone trust interfaces xe-0/0/1.0
set tenants TN1 security zones security-zone untrust host-inbound-traffic system-services any-service
set tenants TN1 security zones security-zone untrust interfaces xe-0/0/3.0
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure security zones in the tenant system:
Define the tenant system name as TN1.
[edit]
user@host# set tenants TN1
Configure a security zone as trust that permits traffic from zone trust and assign it to an interface.
[edit tenants TN1 security zones security-zone trust]
user@host# set host-inbound-traffic system-services any-service
user@host# set interfaces xe-0/0/1.0
Configure a security zone as untrust that permits traffic from zone untrust and assign it to an interface.
[edit tenants TN1 security zones security-zone untrust]
user@host# set host-inbound-traffic system-services any-service
user@host# set interfaces xe-0/0/3.0
Results
From configuration mode, confirm your configuration by entering the show tenants tenant-name security policies and show tenants tenant-name security zones commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
user@host# show tenants TN1 security zones
security-zone trust {
    host-inbound-traffic {
        system-services {
            any-service;
        }
    }
    interfaces {
        xe-0/0/1.0;
    }
}
security-zone untrust {
    host-inbound-traffic {
        system-services {
            any-service;
        }
    }
    interfaces {
        xe-0/0/3.0;
    }
}
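As an added example (not Juniper's code and not part of the original page), the following Python models the zone settings described under "Understanding Zones for Tenant Systems" and renders them as the same set tenants commands used in the quick configuration above. It checks that no interface is bound to two zones, resolves host-inbound traffic the way the text describes (an interface-level setting overrides the zone-level one for that interface), and lists zones whose zone-level setting is any-service, which is the most permissive choice. The Zone class, the function names and the dmz sample are this example's own; the tcp-rst and interface-level host-inbound-traffic command forms are standard Junos syntax that this page does not show.

```python
"""Model, validate and render a tenant-system zone configuration.
Added example; not Juniper's code. Names and the dmz sample are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Zone:
    name: str
    interfaces: List[str]
    # zone-level host-inbound system-services, e.g. ["ssh", "ping"] or ["any-service"]
    system_services: List[str] = field(default_factory=list)
    # interface-level overrides: interface name -> services list
    interface_services: Dict[str, List[str]] = field(default_factory=dict)
    tcp_rst: bool = False  # send RST for non-SYN packets that match no session


class ZoneConfigError(ValueError):
    pass


def validate(zones: List[Zone]) -> None:
    """A Junos interface belongs to at most one zone; an override must name
    an interface that is actually bound to that zone."""
    owner: Dict[str, str] = {}
    for z in zones:
        for ifc in z.interfaces:
            if ifc in owner:
                raise ZoneConfigError(f"{ifc} bound to both {owner[ifc]} and {z.name}")
            owner[ifc] = z.name
        for ifc in z.interface_services:
            if ifc not in z.interfaces:
                raise ZoneConfigError(f"{z.name}: override for unbound interface {ifc}")


def render_set_commands(tenant: str, zones: List[Zone]) -> List[str]:
    """Emit the set commands in the order the page uses (services, then interfaces)."""
    validate(zones)
    base = f"set tenants {tenant} security zones security-zone"
    cmds: List[str] = []
    for z in zones:
        for svc in z.system_services:
            cmds.append(f"{base} {z.name} host-inbound-traffic system-services {svc}")
        for ifc in z.interfaces:
            cmds.append(f"{base} {z.name} interfaces {ifc}")
            for svc in z.interface_services.get(ifc, []):
                cmds.append(f"{base} {z.name} interfaces {ifc} "
                            f"host-inbound-traffic system-services {svc}")
        if z.tcp_rst:
            cmds.append(f"{base} {z.name} tcp-rst")
    return cmds


def effective_services(zone: Zone, interface: str) -> List[str]:
    """Services the device itself accepts on `interface`: the interface-level
    list when one exists, otherwise the zone-level list (interface overrides zone)."""
    if interface in zone.interface_services:
        return list(zone.interface_services[interface])
    return list(zone.system_services)


def wide_open_zones(zones: List[Zone]) -> List[str]:
    """Zones whose zone-level setting is any-service: every management service
    is reachable on every bound interface that has no override."""
    return [z.name for z in zones if "any-service" in z.system_services]


# Constructed to match the page's example: trust and untrust with any-service.
PAGE_ZONES = [
    Zone("trust", ["xe-0/0/1.0"], ["any-service"]),
    Zone("untrust", ["xe-0/0/3.0"], ["any-service"]),
]

if __name__ == "__main__":
    for line in render_set_commands("TN1", PAGE_ZONES):
        print(line)
    print("any-service zones:", wide_open_zones(PAGE_ZONES))
```

Running the block prints the four commands from the CLI Quick Configuration section; narrowing the zone-level list and granting extra services per interface with an override is the usual way to keep management services off untrusted interfaces.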
Verification
To confirm that the configuration is working properly, perform the following task:
Verifying Zone Configuration
Purpose
Verify the information about security zones.
Action
To verify that the configuration is working properly, enter the show security zones tenant all command from operational mode.
user@host> show security zones tenant all
Tenant: TN1
Security zone: Host
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 0
  Interfaces:
Security zone: abc
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 0
  Interfaces:
    xe-0/0/1.0
Security zone: def
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    xe-0/0/3.0
Meaning
The output displays the information of security zones configured on the tenant system.
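The verification output is easier to check mechanically than by eye when a device carries many tenants. The following Python, added here and not part of the page or of Junos, parses the text of show security zones tenant all into a structure, answers which zone an interface is bound to, and reports zones that have no bound interfaces or whose "Interfaces bound" count disagrees with the interfaces listed. The sample is the page's own output with line breaks restored; the function names are this example's own, and the parser also accepts the page's flattened "Interfaces:xe-0/0/1.0" form.

```python
"""Parse and audit `show security zones tenant all` output.
Added example; not Juniper's code. Function names are assumptions."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the page's verification output with line breaks restored.
SAMPLE_OUTPUT = """\
Tenant: TN1
Security zone: Host
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 0
  Interfaces:
Security zone: abc
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 0
  Interfaces:
    xe-0/0/1.0
Security zone: def
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    xe-0/0/3.0
"""

# Junos logical interface name such as xe-0/0/1.0 or ge-0/0/3.100
IFACE_RE = re.compile(r"^[a-z]+-\d+/\d+/\d+(?:\.\d+)?$")


def parse_zone_output(text: str) -> Dict[str, List[dict]]:
    """Return {tenant: [zone, ...]}. Zones printed before any 'Tenant:' line
    (the root logical system) are filed under "root"."""
    tenants: Dict[str, List[dict]] = {}
    tenant = "root"
    zone: Optional[dict] = None
    in_ifaces = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Tenant:"):
            tenant = line.split(":", 1)[1].strip()
            tenants.setdefault(tenant, [])
            zone, in_ifaces = None, False
        elif line.startswith("Security zone:"):
            zone = {"name": line.split(":", 1)[1].strip(), "tcp_rst": False,
                    "policy_configurable": False, "interfaces_bound": 0,
                    "interfaces": []}
            tenants.setdefault(tenant, []).append(zone)
            in_ifaces = False
        elif zone is None:
            continue  # text before the first zone block
        elif line.startswith("Send reset for non-SYN"):
            zone["tcp_rst"] = line.rsplit(":", 1)[1].strip().lower() == "on"
        elif line.startswith("Policy configurable:"):
            zone["policy_configurable"] = line.split(":", 1)[1].strip() == "Yes"
        elif line.startswith("Interfaces bound:"):
            zone["interfaces_bound"] = int(line.split(":", 1)[1].strip())
        elif line.startswith("Interfaces:"):
            in_ifaces = True
            rest = line[len("Interfaces:"):].strip()  # tolerate "Interfaces:xe-0/0/1.0"
            if rest:
                zone["interfaces"].append(rest)
        elif in_ifaces and IFACE_RE.match(line):
            zone["interfaces"].append(line)
        else:
            in_ifaces = False
    return tenants


def zone_of_interface(tenants: Dict[str, List[dict]], interface: str) -> Optional[Tuple[str, str]]:
    """(tenant, zone) an interface is bound to, or None if it is unbound."""
    for tenant, zones in tenants.items():
        for z in zones:
            if interface in z["interfaces"]:
                return tenant, z["name"]
    return None


def audit_zones(tenants: Dict[str, List[dict]]) -> List[str]:
    """Findings a zone review would raise: zones with nothing bound, and a
    'Interfaces bound' count that disagrees with the interfaces listed."""
    findings: List[str] = []
    for tenant, zones in tenants.items():
        for z in zones:
            listed = len(z["interfaces"])
            if not listed:
                findings.append(f"{tenant}/{z['name']}: no interfaces bound")
            if z["interfaces_bound"] != listed:
                findings.append(f"{tenant}/{z['name']}: 'Interfaces bound' says "
                                f"{z['interfaces_bound']} but {listed} listed")
    return findings


if __name__ == "__main__":
    parsed = parse_zone_output(SAMPLE_OUTPUT)
    for finding in audit_zones(parsed):
        print(finding)
```

On the page's own output the audit reports the Host zone as having no interfaces bound and the abc zone as listing an interface while its bound count reads 0, which is exactly the kind of mismatch worth resolving before the zone is used in policy.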