Juniper Security Policies User Manual

Junos® OS

Security Policies User Guide for Security Devices

Published 2021-04-18

Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089 USA
408-745-2000
www.juniper.net

Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Junos® OS Security Policies User Guide for Security Devices

Copyright © 2021 Juniper Networks, Inc. All rights reserved.

The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement ("EULA") posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software you agree to the terms and conditions of that EULA.

Table of Contents

About This Guide | xviii

1 Overview
  Security Basics Overview | 2
  Security Policies Overview | 2

2 Security Zones
  Security Zones | 7
    Security Zones Overview | 7
    Example: Creating Security Zones | 9
      Requirements | 10
      Overview | 10
      Configuration | 10
      Verification | 12
    Supported System Services for Host Inbound Traffic | 13
    Understanding How to Control Inbound Traffic Based on Traffic Types | 14
    Example: Controlling Inbound Traffic Based on Traffic Types | 15
      Requirements | 15
      Overview | 15
      Configuration | 15
      Verification | 18
    Understanding How to Control Inbound Traffic Based on Protocols | 18
    Example: Controlling Inbound Traffic Based on Protocols | 20
      Requirements | 20
      Overview | 20
      Configuration | 20
      Verification | 22
    Example: Configuring the TCP-Reset Parameter | 23
      Requirements | 23
      Overview | 23
      Configuration | 23
      Verification | 24

3 Address Books and Address Sets
  Address Books and Address Sets | 26
    Understanding Address Books | 26
    Understanding Global Address Books | 28
    Understanding Address Sets | 29
    Limitations of Addresses and Address Sets in a Security Policy | 29
    Configuring Addresses and Address Sets | 30
    Example: Configuring Address Books and Address Sets | 36
      Requirements | 36
      Overview | 37
      Configuration | 39
      Verification | 42
    Excluding Addresses from Policies | 44
    Example: Excluding Addresses from Policies | 45
      Requirements | 45
      Overview | 46
      Configuration | 46
      Verification | 50

4 Security Policy Applications and Application Sets
  Security Policy Applications and Application Sets | 54
    Security Policy Applications Overview | 54
    Security Policy Application Sets Overview | 55
    Example: Configuring Security Policy Applications and Application Sets | 55
      Requirements | 56
      Overview | 56
      Configuration | 57
      Verification | 57
    Understanding Policy Application Timeout Configuration and Lookup | 58
    Understanding Policy Application Timeouts Contingencies | 59
    Example: Setting a Policy Application Timeout | 59
      Requirements | 60
      Overview | 60
      Configuration | 60
      Verification | 61
    Predefined Policy Applications | 61
    Understanding Internet-Related Predefined Policy Applications | 62
    Understanding Microsoft Predefined Policy Applications | 64
    Understanding Dynamic Routing Protocols Predefined Policy Applications | 66
    Understanding Streaming Video Predefined Policy Applications | 67
    Understanding Sun RPC Predefined Policy Applications | 68
    Understanding Security and Tunnel Predefined Policy Applications | 69
    Understanding IP-Related Predefined Policy Applications | 70
    Understanding Instant Messaging Predefined Policy Applications | 71
    Understanding Management Predefined Policy Applications | 72
    Understanding Mail Predefined Policy Applications | 74
    Understanding UNIX Predefined Policy Applications | 75
    Understanding Miscellaneous Predefined Policy Applications | 75
    Understanding ICMP Predefined Policy Applications | 77
    Example: Defining a Custom ICMP Application | 84
      Requirements | 85
      Overview | 85
      Configuration | 86
      Verification | 87
  Custom Policy Applications | 87
    Understanding Custom Policy Applications | 87
    Custom Application Mappings | 88
    Example: Adding and Modifying Custom Policy Applications | 88
      Requirements | 89
      Overview | 89
      Configuration | 89
      Verification | 90
    Example: Configuring Custom Policy Application Term Definitions | 92
      Requirements | 92
      Overview | 92
      Configuration | 93
      Verification | 95

5 Security Policies
  Configuring Security Policies | 98
    Understanding Security Policy Elements | 98
    Understanding Security Policy Rules | 99
    Understanding Security Policies for Self Traffic | 103
    Security Policies Configuration Overview | 104
    Best Practices for Defining Policies on SRX Series Devices | 105
    Configuring Policies Using the Firewall Wizard | 109
    Example: Configuring a Security Policy to Permit or Deny All Traffic | 109
      Requirements | 109
      Overview | 110
      Configuration | 112
      Verification | 115
    Example: Configuring a Security Policy to Permit or Deny Selected Traffic | 115
      Requirements | 116
      Overview | 116
      Configuration | 118
      Verification | 121
    Example: Configuring a Security Policy to Permit or Deny Wildcard Address Traffic | 122
      Requirements | 122
      Overview | 122
      Configuration | 123
      Verification | 126
    Example: Configuring a Security Policy to Redirect Traffic Logs to an External System Log Server | 126
      Requirements | 127
      Overview | 127
      Configuration | 128
      Verification | 130
  TAP Mode for Security Zones and Policies | 131
    Understanding TAP Mode Support for Security Zones and Policies | 131
    Example: Configuring Security Zones and Policies in TAP mode | 132
  Dynamic Address Groups in Security Policies | 137
  Configure Security Policies for VXLAN | 145
    Requirements | 145
    Overview | 145
    Configuration | 146
    Verification | 150
  Unified Security Policies | 156
    Unified Policies Overview | 157
    Unified Policies Configuration Overview | 158
    Example: Configure a Unified Policy Using a Redirect Message Profile | 167
      Requirements | 167
      Overview | 167
      Configuration | 168
      Verification | 170
  Configure a URL Category with Unified Policies | 173
    Understanding URL Category with Unified Policies | 173
    Example: Configuring a Unified Policy Using URL Category | 174
  Configure Applications in Unified Policies | 179
    Applications in Unified Policies | 179
    Example: Configure a Unified Policy Using Dynamic Applications | 179
    Configure Micro-Applications in Unified Policies | 184
  Global Security Policies | 186
    Global Policy Overview | 187
    Example: Configuring a Global Policy with No Zone Restrictions | 189
      Requirements | 190
      Overview | 190
      Configuration | 191
      Verification | 194
    Example: Configuring a Global Policy with Multiple Zones | 195
      Requirements | 195
      Overview | 195
      Configuration | 196
      Verification | 198
  User Role Firewall Security Policies | 198
    Understanding User Role Firewalls | 199
    User Role Retrieval and the Policy Lookup Process | 200
    Understanding the User Identification Table | 203
    Obtaining Username and Role Information Through Firewall Authentication | 209
    Configuring a User Role Firewall For Captive Portal Redirection | 211
    Example: Configuring a User Role Firewall on an SRX Series Device | 213
      Requirements | 213
      Overview | 213
      Configuration | 215
    Configuring Resource Policies Using UAC | 222
  Reordering Security Policies | 226
    Understanding Security Policy Ordering | 226
    Example: Reordering Security Policies | 228
      Requirements | 229
      Overview | 229
      Configuration | 229
      Verification | 230
  Scheduling Security Policies | 230
    Security Policy Schedulers Overview | 230
    Example: Configuring Schedulers for a Daily Schedule Excluding One Day | 231
      Requirements | 232
      Overview | 232
      Configuration | 232
      Verification | 235
    Verifying Scheduled Policies | 236
  Threat Profiling Support in Security Policy | 237
  Configuring Security Policies for a VRF Routing Instance | 238
    Overview | 239
    Understanding Security Policy Rules | 241
    Example: Configuring a Security Policy to Permit or Deny VRF-Based Traffic from MPLS Network to an IP Network | 242
      Requirements | 242
      Overview | 243
      Configuration | 243
    Example: Configuring a Security Policy to Permit VRF-Based Traffic from an IP Network to an MPLS Network | 248
      Requirements | 249
      Overview | 249
      Configuration | 249
    Example: Configuring a Security Policy to Permit VRF-Based Traffic from an MPLS Network to an MPLS Network over GRE without NAT | 254
      Requirements | 255
      Overview | 255
      Configuration | 255
    Example: Configuring Security Policies Using VRF Routing Instances in an MPLS Network | 261
      Requirements | 261
      Overview | 261
      MPLS Network to Private IP Network | 262
      Global IP Network to an MPLS Network | 265
  Configuring Security Policies Using VRF Group | 271
    Overview | 272
    Example: Configuring a Security Policy to Permit or Deny VRF-Based Traffic from MPLS Network to an IP Network using Source VRF Group | 273
      Requirements | 273
      Overview | 274
      Configuration | 274
    Example: Configuring a Security Policy to Permit or Deny VRF-Based Traffic from an IP Network to MPLS Network using Destination VRF Group | 278
      Requirements | 279
      Overview | 279
      Configuration | 280
    Managing Overlapping VPN using VRF group | 284
  Monitoring and Troubleshooting Security Policies | 285
    Understanding Security Alarms | 285
    Example: Generating a Security Alarm in Response to Policy Violations | 286
      Requirements | 286
      Overview | 287
      Configuration | 287
      Verification | 289
    Matching Security Policies | 289
    Tracking Policy Hit Counts | 291
    Checking Memory Usage on SRX Series Devices | 291
    Monitoring Security Policy Statistics | 293
    Verifying Shadow Policies | 294
      Verifying All Shadow Policies | 295
      Verifying a Policy Shadows One or More Policies | 296
      Verifying a Policy Is Shadowed by One or More Policies | 296
    Troubleshooting Security Policies | 298
      Synchronizing Policies Between Routing Engine and Packet Forwarding Engine | 298
      Checking a Security Policy Commit Failure | 299
      Verifying a Security Policy Commit | 300
      Debugging Policy Lookup | 301
    High Availability (HA) Synchronization of Address Name Resolving Cache | 301

6 Configuration Statements
  address (Security Address Book) | 308
  address-book | 310
  address-set | 312
  alarms (Security) | 314
  alarm-threshold | 316
  alarm-without-drop | 318
  application (Applications) | 319
  application (Security Alarms) | 323
  application (Security Policies) | 325
  application-protocol (Applications) | 328
  application-services (Security Policies) | 331
  application-tracking (Security Zones) | 334
  application-traffic-control (Application Services) | 335
  c | 337
  audible (Security Alarms) | 339
  authentication (Security Alarms) | 340
  captive-portal (Services UAC Policy) | 342
  count (Security Policies) | 344
  default-policy | 345
  deny (Security Policies) | 347
  description (Applications) | 348
  description (Security Address Book) | 350
  description (Security Zone) | 352
  destination-address (Security Policies) | 353
  destination-address (Security Policies Flag) | 355
  destination-address-excluded | 357
  destination-ip (Security Alarms) | 358
  destination-port (Applications) | 360
  dns-cache | 366
  dns-proxy | 368
  dynamic-application (Security) | 370
  dynamic-application (Security Policies) | 372
  dynamic-dns | 374
  exclude (Schedulers) | 376
  firewall-authentication (Security Policies) | 378
  forward-only (DNS) | 381
  from-zone (Security Policies) | 382
  from-zone (Security Policies Global) | 386
  functional-zone | 388
  global (Security Policies) | 390
  host-inbound-traffic | 394
  icmp-code (Applications) | 395
  icmp-type (Applications) | 397
  inactivity-timeout (Applications) | 399
  interfaces (Security Zones) | 400
  initial-tcp-mss | 402
  ipsec-group-vpn (Security Policies) | 404
  ipsec-vpn (Security Policies) | 405
  log (Security Policies) | 407
  management (Security Zones) | 409
  match (Security Policies) | 411
  match (Security Policies Global) | 413
  ncy max-lookups | 416
  n cy c sync r n z n | 417
  pair-policy | 419
  pass-through | 420
  permit (Security Policies) | 423
  policies | 426
  policy (Security Alarms) | 436
  policy (Security Policies) | 438
  policy-match | 442
  policy-rematch | 444
  policy-stats | 446
  potential-violation | 448
  pre-id-default-policy | 451
  profile (Dynamic Application) | 454
  protocol (Applications) | 457
  protocols (Security Zones Host Inbound Traffic) | 459
  protocols (Security Zones Interfaces) | 462
  range-address | 465
  redirect-wx (Application Services) | 466
  reject (Security) | 468
  report-skip | 470
  reverse-tcp-mss | 471
  rpc-program-number (Applications) | 473
  scheduler (Security Policies) | 474
  scheduler-name | 477
  schedulers (Security Policies) | 478
  screen (Security Zones) | 480
  secure-neighbor-discovery | 481
  security-intelligence | 483
  security-zone | 485
  sequence-check-required | 488
  services-offload (Security) | 489
  session-close | 491
  session-init | 492
  simple-mail-client-service | 494
  source-address (Security Policies) | 495
  source-address-excluded | 497
  source-identity | 498
  source-ip (Security Alarms) | 501
  source-port (Applications) | 503
  ssl-proxy (Application Services) | 505
  ss rm n n r | 506
  start-date | 508
  start-time (Schedulers) | 510
  stop-date | 512
  stop-time | 513
  syn-check-required | 515
  system-services (Security Zones Host Inbound Traffic) | 517
  system-services (Security Zones Interfaces) | 520
  tcp-options (Security Policies) | 523
  tcp-rst | 526
  term (Applications) | 528
  then (Security Policies) | 529
  to-zone (Security Policies) | 533
  to-zone (Security Policies Global) | 536
  traceoptions (Dynamic Application) | 538
  traceoptions (Security Policies) | 541
  traceoptions (Security User Identification) | 544
  traceoptions (System Services DNS) | 547
  tunnel (Security Policies) | 550
  tunnel-inspection | 552
  uac-policy (Application Services) | 554
  unidirectional-session-refreshing | 555
  n cy x c m c | 557
  s r r w | 558
  user-identification | 560
  utm-policy | 562
  uuid (Applications) | 565
  vrrp | 566
  web-authentication | 568
  web-redirect | 570
  zones | 571

7 Operational Commands
  clear security alarms | 577
  clear security policies hit-count | 581
  clear security policies statistics | 583
  clear system services dns dns-proxy | 584
  request security policies check | 586
  request security policies resync | 589
  request security user-identification c r z n b add | 592
  request security user-identification local-authentication-table delete | 595
  show security alarms | 597
  show security firewall-authentication users address | 603
  show security firewall-authentication users auth-type | 608
  show security flow session application | 611
  show security match-policies | 617
  show security policies | 627
  show security policies checksum | 650
  show security policies hit-count | 653
  show security policies information | 658
  show security policies unknown-source-identity | 667
  show security policies zone-context | 669
  show security policy-report | 673
  show security shadow-policies | 677
  show security user-identification local-authentication-table | 681
  show security user-identification role-provision all | 685
  show security user-identification source-identity-provision all | 687
  show security user-identification user-provision all | 689
  show security zones | 691
  show security zones type | 700
  show system services dns dns-proxy | 705
  show system services dynamic-dns | 709

About This Guide

Use this guide to configure security zones, address books and address sets, security policy applications and application sets, and security policies in Junos OS on the SRX Series devices.

 

 

CHAPTER 1

Overview

Security Basics Overview | 2
Security Policies Overview | 2

Security Basics Overview

This guide provides information about the security basics used to configure features for security devices.

• A security zone is a collection of one or more network segments requiring the regulation of inbound and outbound traffic through policies. Security zones are logical entities to which one or more interfaces are bound. With many types of Juniper Networks devices, you can define multiple security zones, the exact number of which you determine based on your network needs.

• An address book is a collection of addresses and address sets. Junos OS allows you to configure multiple address books. Address books are like components, or building blocks, that are referenced in other configurations such as security policies or NAT. You can add addresses to address books or use the predefined addresses available to each address book by default.

• An application set is a group of applications. Junos OS simplifies the process by allowing you to manage a small number of application sets, rather than a large number of individual application entries. The application (or application set) is referred to by security policies as match criteria for packets initiating sessions.

• A security policy is a stateful firewall policy that provides a set of tools to network administrators, enabling them to implement network security for their organizations. Security policies enforce rules for transit traffic in terms of what traffic can pass through the firewall and the actions that need to take place on traffic as it passes through the firewall.

RELATED DOCUMENTATION

Getting Started Guide for Junos OS

Security Policies Overview

To secure their business, organizations must control access to their LAN and their resources. Security policies are commonly used for this purpose. Secure access is required both within the company across the LAN and in its interactions with external networks such as the Internet. Junos OS provides powerful network security features through its stateful firewall, application firewall, and user identity firewall. All three types of firewall enforcement are implemented through security policies. The stateful firewall policy syntax is widened to include additional tuples for the application firewall and the user identity firewall.

In a Junos OS stateful firewall, the security policies enforce rules for transit traffic in terms of what traffic can pass through the firewall, and the actions that need to take place on traffic as it passes through the firewall. From the perspective of security policies, the traffic enters one security zone and exits another security zone. This combination of a from-zone and to-zone is called a context. Each context contains an ordered list of policies. Each policy is processed in the order that it is defined within a context.

A security policy, which can be configured from the user interface, controls the traffic flow from one zone to another zone by defining the kind(s) of traffic permitted from specified IP sources to specified IP destinations at scheduled times.

Policies allow you to deny, permit, reject (deny and send a TCP RST or ICMP port unreachable message to the source host), encrypt and decrypt, authenticate, prioritize, schedule, filter, and monitor the traffic attempting to cross from one security zone to another. You decide which users and what data can enter and exit, and when and where they can go.

NOTE: For an SRX Series device that supports virtual systems, policies set in the root system do not affect policies set in virtual systems.

An SRX Series device secures a network by inspecting, and then allowing or denying, all connection attempts that require passage from one security zone to another.

Logging capability can also be enabled with security policies during the session initialization (session-init) or session close (session-close) stage.

• To view logs from denied connections, enable log on session-init.

• To log sessions after their conclusion/tear-down, enable log on session-close.

NOTE: Session log is enabled at real time in the flow code, which impacts the user performance. If both session-close and session-init are enabled, performance is further degraded as compared to enabling session-init only.

For SRX300, SRX320, SRX340, SRX345, SRX380, and SRX550M devices, a factory-default security policy is provided that:

• Allows all traffic from the trust zone to the untrust zone.

• Allows all traffic between trusted zones, that is from the trust zone to intrazone trusted zones.

• Denies all traffic from the untrust zone to the trust zone.

Through the creation of policies, you can control the traffic flow from zone to zone by defining the kinds of traffic permitted to pass from specified sources to specified destinations at scheduled times. At the broadest level, you can allow all kinds of traffic from any source in one zone to any destination in all other zones without any scheduling restrictions. At the narrowest level, you can create a policy that allows only one kind of traffic between a specified host in one zone and another specified host in another zone during a scheduled interval of time. See Figure 1 on page 4.

Figure 1: Security Policy

Every time a packet attempts to pass from one zone to another or between two interfaces bound to the same zone, the device checks for a policy that permits such traffic (see "Understanding Security Zones" on page 7 and "Example: Configuring Security Policy Applications and Application Sets" on page 55). To allow traffic to pass from one security zone to another—for example, from zone A to zone B—you must configure a policy that permits zone A to send traffic to zone B. To allow traffic to flow the other way, you must configure another policy permitting traffic from zone B to zone A.

To allow data traffic to pass between zones, you must configure firewall policies.
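The lookup semantics described above, as a small Python model that is an added example and not Juniper code: policies are grouped into a from-zone/to-zone context, the first matching policy in that context wins, a default policy applies when nothing matches, and log records are produced at session-init or session-close. The zone names, IP addresses, application names and helper names are constructed for illustration, and the default action is assumed to be deny.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Policy:
    """One security policy: match criteria plus an action (constructed model)."""
    name: str
    from_zone: str
    to_zone: str
    source: str = "any"        # CIDR or "any"
    destination: str = "any"   # CIDR or "any"
    application: str = "any"   # application name or "any"
    action: str = "permit"     # permit | deny | reject
    log_init: bool = False     # log at session-init (the only record a denied session gets)
    log_close: bool = False    # log at session-close (only for sessions that were set up)

    def matches(self, src_ip: str, dst_ip: str, app: str) -> bool:
        def addr_ok(spec: str, ip: str) -> bool:
            return spec == "any" or ip_address(ip) in ip_network(spec)
        return (addr_ok(self.source, src_ip)
                and addr_ok(self.destination, dst_ip)
                and self.application in ("any", app))


@dataclass
class Firewall:
    policies: List[Policy] = field(default_factory=list)
    default_action: str = "deny"   # assumed default-policy when no policy in the context matches

    def context(self, from_zone: str, to_zone: str) -> List[Policy]:
        """The ordered policy list for one from-zone/to-zone context."""
        return [p for p in self.policies
                if p.from_zone == from_zone and p.to_zone == to_zone]

    def lookup(self, from_zone: str, to_zone: str,
               src_ip: str, dst_ip: str, app: str) -> Tuple[Optional[Policy], str]:
        """First matching policy in the context wins; otherwise the default policy."""
        for p in self.context(from_zone, to_zone):
            if p.matches(src_ip, dst_ip, app):
                return p, p.action
        return None, self.default_action

    def log_events(self, from_zone: str, to_zone: str,
                   src_ip: str, dst_ip: str, app: str) -> List[str]:
        """Log records the session would produce under the matched policy's log flags."""
        policy, action = self.lookup(from_zone, to_zone, src_ip, dst_ip, app)
        if policy is None:
            return []
        events = ["session-init"] if policy.log_init else []
        # A denied or rejected session is never established, so it has no close event.
        if action == "permit" and policy.log_close:
            events.append("session-close")
        return events


def factory_default_srx300() -> Firewall:
    """The factory-default policy set described above, with session-init logging on the deny rule."""
    return Firewall(policies=[
        Policy("trust-to-untrust", "trust", "untrust", action="permit"),
        Policy("trust-to-trust", "trust", "trust", action="permit"),
        Policy("untrust-to-trust", "untrust", "trust", action="deny", log_init=True),
    ])


def ordering_demo() -> Tuple[str, str]:
    """Same two policies in both orders: the verdict for SSH into the DMZ flips.

    With the broad permit first, the reject policy is shadowed and never matches."""
    block_ssh = Policy("reject-ssh-to-dmz", "trust", "dmz",
                       application="junos-ssh", action="reject")
    allow_all = Policy("allow-trust-to-dmz", "trust", "dmz", action="permit")
    specific_first = Firewall([block_ssh, allow_all])
    broad_first = Firewall([allow_all, block_ssh])
    flow = ("trust", "dmz", "10.1.1.10", "10.2.2.20", "junos-ssh")  # constructed sample flow
    return specific_first.lookup(*flow)[1], broad_first.lookup(*flow)[1]


if __name__ == "__main__":
    fw = factory_default_srx300()
    print(fw.lookup("untrust", "trust", "198.51.100.7", "192.0.2.10", "junos-http"))
    print(fw.log_events("untrust", "trust", "198.51.100.7", "192.0.2.10", "junos-http"))
    print(ordering_demo())
```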

 

RELATED DOCUMENTATION

Configuring Security Policies | 98

CHAPTER 2

Security Zones

Security Zones | 7

Security Zones

IN THIS SECTION

Security Zones Overview | 7
Example: Creating Security Zones | 9
Supported System Services for Host Inbound Traffic | 13
Understanding How to Control Inbound Traffic Based on Traffic Types | 14
Example: Controlling Inbound Traffic Based on Traffic Types | 15
Understanding How to Control Inbound Traffic Based on Protocols | 18
Example: Controlling Inbound Traffic Based on Protocols | 20
Example: Configuring the TCP-Reset Parameter | 23

A security zone is a collection of one or more network segments requiring the regulation of inbound and outbound traffic through policies. Security zones are logical entities to which one or more interfaces are bound. You can define multiple security zones, the exact number of which you determine based on your network needs.

 

 

 

 

 

Security Zones Overview

IN THIS SECTION

Understanding Security Zone Interfaces | 8
Understanding Functional Zones | 8
Understanding Security Zones | 9

Interfaces act as a doorway through which traffic enters and exits a Juniper Networks device. Many interfaces can share exactly the same security requirements; however, different interfaces can also have different security requirements for inbound and outbound data packets. Interfaces with identical security requirements can be grouped together into a single security zone.

A security zone is a collection of one or more network segments requiring the regulation of inbound and outbound traffic through policies.

Security zones are logical entities to which one or more interfaces are bound. With many types of Juniper Networks devices, you can define multiple security zones, the exact number of which you determine based on your network needs.

On a single device, you can configure multiple security zones, dividing the network into segments to which you can apply various security options to satisfy the needs of each segment. At a minimum, you must define two security zones, basically to protect one area of the network from the other. On some security platforms, you can define many security zones, bringing finer granularity to your network security design—and without deploying multiple security appliances to do so.

From the perspective of security policies, traffic enters into one security zone and goes out on another security zone. This combination of a from-zone and a to-zone is defined as a context. Each context contains an ordered list of policies. For more information on policies, see Security Policies Overview.

This topic includes the following sections:

 

 

 

 

 

Understanding Security Zone Interfaces

An interface for a security zone can be thought of as a doorway through which TCP/IP traffic can pass between that zone and any other zone.

Through the policies you define, you can permit traffic between zones to flow in one direction or in both. With the routes that you define, you specify the interfaces that traffic from one zone to another must use. Because you can bind multiple interfaces to a zone, the routes you chart are important for directing traffic to the interfaces of your choice.

An interface can be configured with an IPv4 address, IPv6 address, or both.

Understanding Functional Zones

A functional zone is used for special purposes, like management interfaces. Currently, only the management (MGT) zone is supported. Management zones have the following properties:

• Management zones host management interfaces.

• Traffic entering management zones does not match policies; therefore, traffic cannot transit out of any other interface if it was received in the management interface.

• Management zones can only be used for dedicated management interfaces.

Understanding Security Zones

Security zones are the building blocks for policies; they are logical entities to which one or more interfaces are bound. Security zones provide a means of distinguishing groups of hosts (user systems and other hosts, such as servers) and their resources from one another in order to apply different security measures to them.

Security zones have the following properties:

• Policies—Active security policies that enforce rules for the transit traffic in terms of what traffic can pass through the firewall, and the actions that need to take place on the traffic as it passes through the firewall. For more information, see Security Policies Overview.

• Screens—A Juniper Networks stateful firewall secures a network by inspecting, and then allowing or denying, all connection attempts that require passage from one security zone to another. For every security zone, you can enable a set of predefined screen options that detect and block various kinds of traffic that the device determines as potentially harmful. For more information, see Reconnaissance Deterrence Overview.

• Address books—IP addresses and address sets that make up an address book to identify its members so that you can apply policies to them. Address book entries can include any combination of IPv4 addresses, IPv6 addresses, and Domain Name System (DNS) names. For more information, see Example: Configuring Address Books and Address Sets.

• TCP-RST—When this feature is enabled, the system sends a TCP segment with the RESET flag set when traffic arrives that does not match an existing session and does not have the SYNchronize flag set.

• Interfaces—List of interfaces in the zone.

Security zones have the following preconfigured zone:

• Trust zone—Available only in the factory configuration and is used for initial connection to the device. After you commit a configuration, the trust zone can be overridden.

 

Example: Creating Security Zones

IN THIS SECTION

Requirements | 10
Overview | 10
Configuration | 10
Verification | 12

This example shows how to configure zones and assign interfaces to them. When you configure a security zone, you can specify many of its parameters at the same time.

Requirements

Before you begin, configure network interfaces. See the Interfaces User Guide for Security Devices.

Overview

An interface for a security zone can be thought of as a doorway through which TCP/IP traffic can pass between that zone and any other zone.

NOTE: By default, interfaces are in the null zone. The interfaces will not pass traffic until they have been assigned to a zone.

NOTE: You can configure 2000 interfaces within a security zone on SRX3400, SRX3600, SRX4600, SRX5400, SRX5600, or SRX5800 devices, depending on the Junos OS release in your installation.

Configuration

IN THIS SECTION

Procedure | 11

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set interfaces ge-0/0/1 unit 0 family inet address 203.0.113.1/24
set interfaces ge-0/0/1 unit 0 family inet6 address 2001:db8:1::1/64
set security zones security-zone ABC interfaces ge-0/0/1.0

 

 

 

 

 

 

 

 

 

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To create zones and assign interfaces to them:

1. Configure an Ethernet interface and assign an IPv4 address to it.

[edit]
user@host# set interfaces ge-0/0/1 unit 0 family inet address 203.0.113.1/24

2. Configure the same Ethernet interface and assign an IPv6 address to it.

[edit]
user@host# set interfaces ge-0/0/1 unit 0 family inet6 address 2001:db8:1::1/64

3. Configure a security zone and assign the Ethernet interface to it.

[edit]
user@host# set security zones security-zone ABC interfaces ge-0/0/1.0

Results

From configuration mode, confirm your configuration by entering the show security zones security-zone ABC and show interfaces ge-0/0/1 commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

For brevity, this show output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).

[edit]
user@host# show security zones security-zone ABC
...
interfaces {
    ge-0/0/1.0 {
        ...
    }
}

[edit]
user@host# show interfaces ge-0/0/1
...
unit 0 {
    family inet {
        address 203.0.113.1/24;
    }
    family inet6 {
        address 2001:db8:1::1/64;
    }
}

If you are done configuring the device, enter commit from configuration mode.
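A pre-commit check over set-style commands like the ones in this example, as an added example that is not from the guide: it parses interface addresses and zone bindings and flags interfaces that carry an address but are still in the null zone (and so pass no traffic), or that are bound to more than one zone. The parsing helpers and the four extra sample lines are constructed here, and the parser covers only the two command forms used in this example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample: the three set commands from the example above, plus four
# extra lines added here to exercise the checks (ge-0/0/2.0 has an address but
# no zone; ge-0/0/3.0 is bound to two zones).
SAMPLE_SET_COMMANDS = """
set interfaces ge-0/0/1 unit 0 family inet address 203.0.113.1/24
set interfaces ge-0/0/1 unit 0 family inet6 address 2001:db8:1::1/64
set security zones security-zone ABC interfaces ge-0/0/1.0
set interfaces ge-0/0/2 unit 0 family inet address 192.0.2.1/24
set interfaces ge-0/0/3 unit 0 family inet address 198.51.100.1/24
set security zones security-zone ABC interfaces ge-0/0/3.0
set security zones security-zone DEF interfaces ge-0/0/3.0
"""

# Only the two command forms used in this example are recognised.
IFACE_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family (inet6?) address (\S+)$")
ZONE_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)$")


def parse_set_commands(commands: str) -> Tuple[Dict[str, Set[str]], Dict[str, Set[str]]]:
    """Return (addresses per logical interface, zones per logical interface)."""
    addressed: Dict[str, Set[str]] = defaultdict(set)   # "ge-0/0/1.0" -> {"203.0.113.1/24", ...}
    zones: Dict[str, Set[str]] = defaultdict(set)       # "ge-0/0/1.0" -> {"ABC", ...}
    for raw in commands.splitlines():
        line = raw.strip()
        m = IFACE_RE.match(line)
        if m:
            addressed[f"{m.group(1)}.{m.group(2)}"].add(m.group(4))
            continue
        m = ZONE_RE.match(line)
        if m:
            zones[m.group(2)].add(m.group(1))
    return dict(addressed), dict(zones)


def audit_zone_bindings(commands: str) -> List[str]:
    """Findings a reviewer would want to see before entering commit."""
    addressed, zones = parse_set_commands(commands)
    findings: List[str] = []
    for unit in sorted(addressed):
        if unit not in zones:
            # Interfaces start in the null zone and pass no traffic until bound to a zone.
            findings.append(f"{unit}: addressed but still in the null zone (passes no traffic)")
    for unit, names in sorted(zones.items()):
        if len(names) > 1:
            # A logical interface belongs to exactly one security zone.
            findings.append(f"{unit}: bound to more than one zone {sorted(names)}")
    return findings


if __name__ == "__main__":
    for finding in audit_zone_bindings(SAMPLE_SET_COMMANDS):
        print(finding)
```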

Verification

IN THIS SECTION

Troubleshooting with Logs | 13
