Data Center Core Firewall for Traffic Flow Control Use Case
Deploy the SRX4700 Firewall at the data center core to enforce compliance and strengthen security as processing demands evolve. Segment your environment into individual server networks and apply traffic controls within each segment to contain risk and satisfy policy requirements. High availability, automation, and high‑performance Layer 3 and Layer 4 services enable a multi-layered firewall architecture that sustains data center throughput while maintaining consistent protection.
Overview
A mid-size enterprise data center with more than 1000 servers must control traffic flow between different parts of the data center network. A typical data center can host multiple departments or tenants. You must maintain clear separation and control over traffic flows to protect workloads from unauthorized access. Switch performance might degrade with large access control lists (ACLs), so use a specialized firewall for scalable, high-performance traffic filtering. This approach provides secure, predictable data center operations.
Deploy the SRX4700 Firewall in enterprise, retail, software-as-a-service (SaaS), and service provider (SP) segments. Use its Layer 3 and Layer 4 capabilities and high availability features to secure traffic and maintain uptime.
For more details, see Data Center Next-Generation Firewall Use Case—Juniper Validated Design (JVD).
Benefits
- Enhances security by providing granular control over network traffic, allowing detailed filtering at both Layer 3 and Layer 4 to prevent unauthorized access to specific network segments.
- Ensures continuous operation and high uptime in data centers through high availability features, which include failover mechanisms and redundancy to minimize the risk of downtime.
- Improves data center performance by avoiding the degradation associated with large firewall filters on switches, thanks to its scalable and high-performance traffic filtering capabilities.
- Supports diverse operational environments, such as enterprise, retail, SaaS, and service provider networks, making it a versatile solution for various deployment scenarios.
- Maintains predictable data center operations by securely managing traffic flows and maintaining separation between multiple departments or tenants, thus ensuring data integrity and operational consistency.
Topology
Baseline Configurations
The baseline configurations in this topic provide a foundational template that helps standardize deployments, improve operational reliability, and accelerate secure onboarding of the SRX4700 Firewall in a data center core architecture.
Security Zones
set security zones security-zone untrust interfaces et-1/0/0.0
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust host-inbound-traffic protocols all
set security zones security-zone trust interfaces et-1/1/1.0
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
Default and Static Routes
set routing-options static route 0.0.0.0/0 next-hop 192.0.2.1
set routing-options static route 10.90.0.0/16 next-hop 192.168.0.2
set routing-options static route 10.190.0.0/16 next-hop 192.168.30.2
NAT
Outgoing Internet traffic with source NAT:
set security nat source pool abc address 192.168.16.18/24
set security nat source rule-set nat_to_internet from zone services
set security nat source rule-set nat_to_internet from zone trust
set security nat source rule-set nat_to_internet to zone untrust
set security nat source rule-set nat_to_internet rule 1 match source-address 0.0.0.0/0
set security nat source rule-set nat_to_internet rule 1 match destination-address 0.0.0.0/0
set security nat source rule-set nat_to_internet rule 1 match application any
set security nat source rule-set nat_to_internet rule 1 then source-nat pool abc
Incoming traffic to the web server with destination NAT:
set security nat destination pool web-svr-pool address 192.0.2.2/32
set security nat destination pool web-svr-pool address port 443
set security nat destination rule-set WS-NAT rule 1 match destination-address 10.0.0.100/32
set security nat destination rule-set WS-NAT rule 1 match destination-port 443
set security nat destination rule-set WS-NAT rule 1 then destination-nat pool web-svr-pool
A destination NAT rule-set also requires a from clause naming the zone or interface on which the traffic arrives; the snippet above omits it, so add one before committing (for traffic arriving from the Internet in this topology, for example, set security nat destination rule-set WS-NAT from zone untrust).
Global Addresses
set security address-book global address WebSvr-Local 192.168.2.10/32
set security address-book global address win-server 172.16.0.10/32
set security address-book global address web-server 172.16.0.11/32
set security address-book global address client1 192.168.10.10/32
set security address-book global address web-server-ext 10.0.0.100/32
Services
Screen (IDS) options and zone binding (replace <zone-name> and <screen-name> with your values):
set security screen ids-option test
set security screen ids-option test icmp flood threshold 200
set security screen ids-option test udp flood threshold 500
set security screen ids-option test ip bad-option
set security screen ids-option test limit-session destination-ip-based 80
set security zones security-zone <zone-name> screen <screen-name>
set security zones security-zone <zone-name> interfaces et-1/1/1.0 host-inbound-traffic system-services ping
Application set for common Internet services:
set applications application-set Internet-services application junos-http
set applications application-set Internet-services application junos-https
set applications application-set Internet-services application junos-smtp
set applications application-set Internet-services application junos-smtps
set applications application-set Internet-services application junos-imap
set applications application-set Internet-services application junos-imaps
set applications application-set Internet-services application junos-dns-udp
set applications application-set Internet-services application junos-dns-tcp
set applications application-set Internet-services application junos-icmp-all
Security Policies
Security policies from trust to untrust:
set security policies from-zone trust to-zone untrust policy t2u-allow_internet_rule match source-address any
set security policies from-zone trust to-zone untrust policy t2u-allow_internet_rule match destination-address any
set security policies from-zone trust to-zone untrust policy t2u-allow_internet_rule match application any
set security policies from-zone trust to-zone untrust policy t2u-allow_internet_rule match source-identity "domain08.net\ks_windows1_user_1"
set security policies from-zone trust to-zone untrust policy t2u-allow_internet_rule match source-identity "domain08.net\ks_user1_user_1"
set security policies from-zone trust to-zone untrust policy t2u-allow_internet_rule match source-identity unknown-user
set security policies from-zone trust to-zone untrust policy t2u-allow_internet_rule match source-identity unauthenticated-user
deactivate security policies from-zone trust to-zone untrust policy t2u-allow_internet_rule match source-identity
set security policies from-zone trust to-zone untrust policy t2u-allow_internet_rule match dynamic-application any
set security policies from-zone trust to-zone untrust policy t2u-allow_internet_rule then permit application-services idp-policy Recommended_WithAudit
set security policies from-zone trust to-zone untrust policy t2u-allow_internet_rule then permit application-services utm-policy junos-default-utm-policy
set security policies from-zone trust to-zone untrust policy t2u-allow_internet_rule then permit application-services security-intelligence-policy default-secintel
set security policies from-zone trust to-zone untrust policy t2u-allow_internet_rule then permit application-services advanced-anti-malware-policy default-antimalware
set security policies from-zone trust to-zone untrust policy t2u-allow_internet_rule then log session-close
set security policies from-zone trust to-zone untrust policy Block_Offending_Apps match source-address any
set security policies from-zone trust to-zone untrust policy Block_Offending_Apps match destination-address any
set security policies from-zone trust to-zone untrust policy Block_Offending_Apps match application junos-defaults
set security policies from-zone trust to-zone untrust policy Block_Offending_Apps match dynamic-application Block_HighBW_Apps
set security policies from-zone trust to-zone untrust policy Block_Offending_Apps then deny
set security policies from-zone trust to-zone untrust policy Block_Offending_Apps then log session-close
set security policies from-zone trust to-zone untrust application-services security-metadata-streaming-policy apt_services
Security policies from services to untrust:
set security policies from-zone services to-zone untrust policy s2u-allow_internet_rule match source-address any
set security policies from-zone services to-zone untrust policy s2u-allow_internet_rule match destination-address any
set security policies from-zone services to-zone untrust policy s2u-allow_internet_rule match application any
set security policies from-zone services to-zone untrust policy s2u-allow_internet_rule match dynamic-application any
set security policies from-zone services to-zone untrust policy s2u-allow_internet_rule then permit application-services security-intelligence-policy default-secintel
set security policies from-zone services to-zone untrust policy s2u-allow_internet_rule then permit application-services advanced-anti-malware-policy default-antimalware
set security policies from-zone services to-zone untrust policy s2u-allow_internet_rule then log session-close
Security policies from trust to services:
set security policies from-zone trust to-zone services policy t2s-allow_web_svcs_rule match source-address any
set security policies from-zone trust to-zone services policy t2s-allow_web_svcs_rule match destination-address any
set security policies from-zone trust to-zone services policy t2s-allow_web_svcs_rule match application junos-http
set security policies from-zone trust to-zone services policy t2s-allow_web_svcs_rule match application junos-https
set security policies from-zone trust to-zone services policy t2s-allow_web_svcs_rule match dynamic-application junos:HTTP
set security policies from-zone trust to-zone services policy t2s-allow_web_svcs_rule match dynamic-application junos:SSL
set security policies from-zone trust to-zone services policy t2s-allow_web_svcs_rule then permit application-services idp-policy CS-To-Web-Protection-Rules
set security policies from-zone trust to-zone services policy t2s-allow_web_svcs_rule then log session-close
Security policies from untrust to services:
set security policies from-zone untrust to-zone services policy u2s-protect_web_svcs match source-address any
set security policies from-zone untrust to-zone services policy u2s-protect_web_svcs match destination-address WebSvr-Local
set security policies from-zone untrust to-zone services policy u2s-protect_web_svcs match application junos-defaults
set security policies from-zone untrust to-zone services policy u2s-protect_web_svcs match dynamic-application junos:HTTP
set security policies from-zone untrust to-zone services policy u2s-protect_web_svcs match dynamic-application junos:SSL
set security policies from-zone untrust to-zone services policy u2s-protect_web_svcs then permit application-services idp-policy CS-To-Web-Protection-Rules
set security policies from-zone untrust to-zone services policy u2s-protect_web_svcs then log session-init
set security policies from-zone untrust to-zone services policy u2s-protect_web_svcs then log session-close
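The policies above are worth checking mechanically before commit: the trust-to-untrust rule matches any/any/any once its source-identity clauses are deactivated, and it is easy to lose a log or application-services statement when rules are pasted in. The following audit script is an added example, not Juniper code; it parses Junos set-style policy lines into one record per policy and flags permit rules that are fully open, uninspected, or unlogged. The sample configuration inside it is constructed, modelled on two of the page's rules.

```python
"""Audit Junos 'set security policies' lines for risky permit rules (added example)."""
import re
from collections import defaultdict

# Constructed sample, modelled on the page's trust->untrust and untrust->services rules.
# The u2s rule is deliberately trimmed so the audit has something to flag.
SAMPLE_CONFIG = """
set security policies from-zone trust to-zone untrust policy t2u-allow_internet_rule match source-address any
set security policies from-zone trust to-zone untrust policy t2u-allow_internet_rule match destination-address any
set security policies from-zone trust to-zone untrust policy t2u-allow_internet_rule match application any
set security policies from-zone trust to-zone untrust policy t2u-allow_internet_rule then permit application-services idp-policy Recommended_WithAudit
set security policies from-zone trust to-zone untrust policy t2u-allow_internet_rule then log session-close
set security policies from-zone untrust to-zone services policy u2s-protect_web_svcs match source-address any
set security policies from-zone untrust to-zone services policy u2s-protect_web_svcs match destination-address WebSvr-Local
set security policies from-zone untrust to-zone services policy u2s-protect_web_svcs match application junos-defaults
set security policies from-zone untrust to-zone services policy u2s-protect_web_svcs then permit
"""

# from-zone, to-zone, policy name, 'match' or 'then', keyword, optional value
POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (match|then) (\S+)(?: (.*))?$")


def parse_policies(text):
    """Group set lines into one record per (from-zone, to-zone, policy-name)."""
    policies = {}
    for line in text.strip().splitlines():
        m = POLICY_RE.match(line.strip())
        if not m:  # deactivate lines and other hierarchies are ignored
            continue
        fz, tz, name, section, key, value = m.groups()
        rec = policies.setdefault((fz, tz, name), {"match": defaultdict(list), "then": defaultdict(list)})
        rec[section][key].append(value or "")
    return policies


def audit(policies):
    """Return the findings a reviewer would raise about permit rules."""
    findings = []
    for (fz, tz, name), rec in policies.items():
        match, then = rec["match"], rec["then"]
        if "permit" not in then:
            continue  # deny rules are not the concern here
        if all(match.get(k) == ["any"] for k in ("source-address", "destination-address", "application")):
            findings.append(f"{fz}->{tz} {name}: permits any/any/any")
        if not any(v.startswith("application-services") for v in then["permit"]):
            findings.append(f"{fz}->{tz} {name}: permit without application-services (no IDP/UTM inspection)")
        if "log" not in then:
            findings.append(f"{fz}->{tz} {name}: permit without session logging")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_policies(SAMPLE_CONFIG)):
        print(finding)
```

Run it against the output of show configuration | display set | match "security policies" to audit a live device; the script only reads text and changes nothing.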
NETCONF and Web Management Services
set system services netconf ssh
set system services netconf rfc-compliant
set system services web-management https system-generated-certificate
set system services web-management session idle-timeout 1440
DNS Server
set system name-server 8.8.8.8