To configure security zones and policies:
1. Delete the interface ge-0/0/1 from family ethernet-switching (factory configuration) and assign an IP address.
[edit]
user@srx210-host# delete interfaces ge-0/0/1 unit 0 family ethernet-switching
user@srx210-host# set interfaces ge-0/0/1 unit 0 family inet address 192.168.2.1/24
2. Configure a new security zone (DMZ) and assign interfaces.
[edit]
user@srx210-host# set security zones security-zone DMZ interfaces ge-0/0/1 host-inbound-traffic system-services all
3. Create address books in the DMZ zone.
[edit]
user@srx210-host# set security zones security-zone DMZ address-book address Server-HTTP-1 192.168.2.2/32
user@srx210-host# set security zones security-zone DMZ address-book address Server-HTTP-2 192.168.2.3/32
user@srx210-host# set security zones security-zone DMZ address-book address Server-SMTP 192.168.2.4/32
4. Create address sets in the DMZ zone to group HTTP server addresses together.
[edit]
user@srx210-host# set security zones security-zone DMZ address-book address-set DMZ-address-set-http address Server-HTTP-1
user@srx210-host# set security zones security-zone DMZ address-book address-set DMZ-address-set-http address Server-HTTP-2
5. Create address books in the trust zone.
[edit]
user@srx210-host# set security zones security-zone trust address-book address PC-Trust 192.168.1.2/32
6. Create an interzone policy to permit SMTP traffic from the trust zone to the DMZ zone.
[edit]
user@srx210-host# set security policies from-zone trust to-zone DMZ policy permit-mail-trust-DMZ match source-address PC-Trust
user@srx210-host# set security policies from-zone trust to-zone DMZ policy permit-mail-trust-DMZ match destination-address Server-SMTP
user@srx210-host# set security policies from-zone trust to-zone DMZ policy permit-mail-trust-DMZ match application junos-smtp
user@srx210-host# set security policies from-zone trust to-zone DMZ policy permit-mail-trust-DMZ then permit
7. Create an intrazone policy to permit HTTP traffic between the two servers in the DMZ zone.
[edit]
user@srx210-host# set security policies from-zone DMZ to-zone DMZ policy permit-http-in-DMZ match source-address DMZ-address-set-http
user@srx210-host# set security policies from-zone DMZ to-zone DMZ policy permit-http-in-DMZ match destination-address DMZ-address-set-http
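The set commands above build the configuration one statement at a time, which makes it easy to lose track of what a zone or policy ends up permitting. The script below is an added example, not part of the Juniper documentation: it parses those set statements (prompts stripped) back into zones and policies and flags what a reviewer would raise, namely an interface that accepts all host-inbound system services (as the DMZ interface does in step 2) and a policy that has no application match or has not yet reached a then action (the HTTP policy as far as this page carries it). The review rules are this example's own.

```python
import re
from collections import defaultdict

# Constructed input: the set commands from this page's procedure (prompts stripped); the
# address-book lines are left out because the checks below do not use them.
CONFIG = """
set security zones security-zone DMZ interfaces ge-0/0/1 host-inbound-traffic system-services all
set security policies from-zone trust to-zone DMZ policy permit-mail-trust-DMZ match source-address PC-Trust
set security policies from-zone trust to-zone DMZ policy permit-mail-trust-DMZ match destination-address Server-SMTP
set security policies from-zone trust to-zone DMZ policy permit-mail-trust-DMZ match application junos-smtp
set security policies from-zone trust to-zone DMZ policy permit-mail-trust-DMZ then permit
set security policies from-zone DMZ to-zone DMZ policy permit-http-in-DMZ match source-address DMZ-address-set-http
set security policies from-zone DMZ to-zone DMZ policy permit-http-in-DMZ match destination-address DMZ-address-set-http
"""

POLICY_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
                       r"(match|then) (\S+)(?: (\S+))?$")
ZONE_SVC_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+) "
                         r"host-inbound-traffic system-services (\S+)$")

def parse(config):
    """policies[(from, to, name)] -> {"match": {key: [values]}, "then": action or None};
    zone_services[zone] -> [(interface, service)]."""
    policies, zone_services = {}, defaultdict(list)
    for line in config.strip().splitlines():
        if m := POLICY_RE.match(line):
            src, dst, name, kind, key, value = m.groups()
            pol = policies.setdefault((src, dst, name), {"match": defaultdict(list), "then": None})
            if kind == "match":
                pol["match"][key].append(value)
            else:                      # "then <action>": the action lands in key
                pol["then"] = key
        elif m := ZONE_SVC_RE.match(line):
            zone, ifname, svc = m.groups()
            zone_services[zone].append((ifname, svc))
    return policies, zone_services

def review(config):
    """Findings a reviewer would raise: interfaces open to every host-inbound
    system service, and policies with no application match or no action yet."""
    policies, zone_services = parse(config)
    findings = []
    for zone, entries in zone_services.items():
        for ifname, svc in entries:
            if svc == "all":
                findings.append(f"zone {zone}: {ifname} accepts all host-inbound system services")
    for (src, dst, name), pol in policies.items():
        if "application" not in pol["match"]:
            findings.append(f"policy {name} ({src}->{dst}): no application match")
        if pol["then"] is None:
            findings.append(f"policy {name} ({src}->{dst}): no 'then' action yet")
    return findings
```

Running `review(CONFIG)` reports the DMZ interface and the two gaps in permit-http-in-DMZ, while permit-mail-trust-DMZ, with its junos-smtp match and permit action, produces no finding.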
Copyright © 2016, Juniper Networks, Inc.
Chapter 5: Configuring Security Zones and Policies for SRX Series