
Configuration for Junos with Enhanced Services to behave as Junos in Router Context.


Article ID: KB11963 KB Last Updated: 04 Mar 2017Version: 4.0
Summary:

Configuration for Junos with Enhanced Services to behave as Junos in Router Context.

Symptoms:

Junos with Enhanced Services integrates security and routing features in one software platform. By default, a J-Series Services Router running Junos with Enhanced Services does not allow any service or protocol traffic to pass across any of its interfaces: interfaces must be placed in security zones, and security policies must exist, before traffic is permitted. This is referred to as Security Context.

There may be a requirement where Security Context is not desired and the need is simply to permit all traffic across all interfaces, as with normal Junos. This is referred to as Router Context, or packet-based mode.

Solution:

The configuration below allows the J-Series Services Router to accept all protocols and services across all interfaces, so that the router behaves in Router Context.

security {
    flow {
        allow-dns-reply;
        tcp-session {
            no-syn-check;
            no-syn-check-in-tunnel;
            no-sequence-check;
        }
    }
    forwarding-options {
        family {
            inet6 {
                mode packet-based;
            }
            mpls {
                mode packet-based;
            }
        }
    }
    zones {
        security-zone trust {
            tcp-rst;
            host-inbound-traffic {
                system-services {
                    any-service;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                all;
            }
        }
    }
    /* default policy set to permit-all, as described in the explanation below */
    policies {
        default-policy {
            permit-all;
        }
    }
    alg {
        dns disable;
        ftp disable;
        h323 disable;
        mgcp disable;
        real disable;
        rsh disable;
        rtsp disable;
        sccp disable;
        sip disable;
        sql disable;
        talk disable;
        tftp disable;
        pptp disable;
        msrpc disable;
        sunrpc disable;
    }
}


Here a security zone named "trust" is created in which all system services and protocols are allowed as host-inbound traffic, and all interfaces are assigned to that zone. The default security policy is then configured to permit-all, so traffic within the zone is not dropped by policy lookup. In addition, the TCP SYN and sequence-number checks performed by the flow module and the ALG applications must be disabled, and the forwarding options for the address families shown (inet6 and mpls) must be set to packet-based. Note that with this configuration the stateful inspection provided by Security Context no longer applies; the device protects traffic only to the extent that a plain Junos router would.
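As an added example (not part of this Juniper article), the following Python script parses a `security` stanza in Junos curly-brace format and lists every statement that switches a stateful check off, which is a quick way to audit whether a device has been placed in Router Context. The sample stanza is constructed from the configuration above plus the permit-all default policy the text describes; the function and constant names are the example's own.

```python
import re

def parse_junos(text):
    """Parse curly-brace Junos config into nested dicts; leaf statements map to True."""
    root, stack, words = {}, [], []
    node = root
    for tok in re.findall(r"[{};]|[^\s{};]+", re.sub(r"/\*.*?\*/|#[^\n]*", "", text, flags=re.S)):
        if tok == "{":                                # open child stanza named by pending words
            stack.append(node)
            node, words = node.setdefault(" ".join(words), {}), []
        elif tok == ";":                              # terminal statement becomes a True leaf
            node[" ".join(words)], words = True, []
        elif tok == "}":
            node = stack.pop()
        else:
            words.append(tok)
    return root

def get(tree, *path):                                 # walk a key path; {} where absent, True at a leaf
    for key in path:
        tree = tree.get(key, {}) if isinstance(tree, dict) else {}
    return tree

def router_context_findings(sec):
    """List every statement under `security` that turns a stateful check off."""
    found = []
    for chk in ("no-syn-check", "no-syn-check-in-tunnel", "no-sequence-check"):
        if get(sec, "flow", "tcp-session", chk) is True:
            found.append(f"flow tcp-session {chk}")
    for fam, opts in get(sec, "forwarding-options", "family").items():
        if get(opts, "mode packet-based") is True:
            found.append(f"forwarding-options family {fam} mode packet-based")
    for zone, body in get(sec, "zones").items():   # keys look like "security-zone trust"
        if get(body, "host-inbound-traffic", "system-services", "any-service") is True:
            found.append(f"{zone} host-inbound-traffic system-services any-service")
        if get(body, "interfaces", "all") is True:
            found.append(f"{zone} interfaces all")
    found += [f"alg {a}" for a in get(sec, "alg") if a.endswith(" disable")]
    if get(sec, "policies", "default-policy", "permit-all") is True:
        found.append("policies default-policy permit-all")
    return found

# Constructed sample: the article's stanza plus the permit-all default policy it describes.
SAMPLE = """security {
    flow { allow-dns-reply; tcp-session { no-syn-check; no-syn-check-in-tunnel; no-sequence-check; } }
    forwarding-options { family { inet6 { mode packet-based; } mpls { mode packet-based; } } }
    zones { security-zone trust { tcp-rst; interfaces { all; }
            host-inbound-traffic { system-services { any-service; } protocols { all; } } } }
    alg { dns disable; ftp disable; h323 disable; mgcp disable; real disable; rsh disable; rtsp disable; sccp disable;
          sip disable; sql disable; talk disable; tftp disable; pptp disable; msrpc disable; sunrpc disable; }
    policies { default-policy { permit-all; } } }"""
```

Feed it the output of `show configuration security` from a device; an empty list means none of these Router Context settings are present.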
