This article provides an example of configuring an interface and security zone on an SRX Series device.
For other topics, go to the SRX Getting Started main page.
Configure interfaces and security zones.
This section contains the following:
Network Interface Naming
Junos uses the following interface naming conventions:
- The show interface terse command displays a list of the interfaces.
user@host> show interfaces terse
Interface Admin Link Proto Local Remote
ge-0/0/0 up up
ge-0/0/0.0 up up inet 10.85.49.150/24
gr-0/0/0 up up
ip-0/0/0 up up
lsq-0/0/0 up up
lt-0/0/0 up up
mt-0/0/0 up up
pd-0/0/0 up up
pe-0/0/0 up up
- The syntax for the interface name, such as ge-0/0/0, is as follows:
For example:
ge-0/0/0 = First onboard Gigabit Interface
st0.0 = First Secure Tunnel Interface (VPN Tunnel)
lo0 = First loopback interface
- All numbers for the slot, module, and port start with 0.
- Wildcards--Many commands accept wildcards in the interface names. For example:
show interfaces ge-0/0/*
Security Zone
A security zone is a collection of interfaces that define a security boundary. Internal network interfaces may be assigned to a security zone named "trust," and external network interfaces may be assigned to a security zone named "untrust." Security policies are then used to control transit traffic between security zones. For more information about security zones, see Understanding Security Zones.
Note: For SRX Branch devices, interfaces are assigned to a default security zone in the factory-default settings. See the device's Getting Started Guide for interface and zone assignments, as they vary by platform.
The Getting Started Guide can be located as follows:
Restrictions:
- You can assign one or more logical interfaces to a zone.
- You can also assign one or more logical interfaces to a routing instance.
- You cannot assign a logical interface to multiple zones or multiple routing instances.
- You must also ensure that all of a zone's logical interfaces are in a single routing instance.
- Violating any of these restrictions results in a configuration error.
Security policies are associated with zones. A packet’s incoming zone, as determined by the interface through which it arrived, and its outgoing zone, as determined by the forwarding lookup, together determine which policy is used for packets of the flow. For information about zones and policies, refer to Security Policies Feature Guide for Security Devices.
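The three restrictions above are easy to violate once a configuration grows. The following added example (not part of the article, and not a Juniper tool) parses Junos set-style configuration for the zone, routing-instance and interface-address statements shown on this page and reports interfaces in more than one zone, zones whose interfaces span routing instances, and, as an extra check, addressed logical interfaces that belong to no zone. The sample configuration is constructed, and the label "master" for interfaces outside any configured routing instance is this script's own convention.

```python
import re
from collections import defaultdict

# Constructed sample configuration (not from the article); it deliberately
# breaks each rule once: ge-0/0/2.0 is in two zones and in routing instance
# vr1 while ge-0/0/1.0 (same zone) is not, and ge-0/0/3.0 has no zone.
SAMPLE_CONFIG = """
set interfaces ge-0/0/1 unit 0 family inet address 192.168.20.2/24
set interfaces ge-0/0/2 unit 0 family inet address 192.168.30.2/24
set interfaces ge-0/0/3 unit 0 family inet address 192.168.40.2/24
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust interfaces ge-0/0/2.0
set security zones security-zone untrust interfaces ge-0/0/2.0
set routing-instances vr1 instance-type virtual-router
set routing-instances vr1 interface ge-0/0/2.0
"""

ZONE_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)$")
RI_RE = re.compile(r"^set routing-instances (\S+) interface (\S+)$")
ADDR_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet address \S+$")

def parse_config(text):
    """Collect zone membership, routing-instance membership and addressed IFLs."""
    zones = defaultdict(set)   # zone name -> set of logical interfaces
    instances = {}             # logical interface -> routing instance
    addressed = set()          # logical interfaces that carry an inet address
    for line in text.splitlines():
        line = line.strip()
        if m := ZONE_RE.match(line):
            zones[m.group(1)].add(m.group(2))
        elif m := RI_RE.match(line):
            instances[m.group(2)] = m.group(1)
        elif m := ADDR_RE.match(line):
            addressed.add(f"{m.group(1)}.{m.group(2)}")
    return zones, instances, addressed

def check_zones(text):
    """Return a list of human-readable findings; empty means all rules hold."""
    zones, instances, addressed = parse_config(text)
    findings = []
    owner = defaultdict(list)  # logical interface -> zones that claim it
    for zone, ifls in zones.items():
        for ifl in ifls:
            owner[ifl].append(zone)
    for ifl, zs in sorted(owner.items()):
        if len(zs) > 1:
            findings.append(f"{ifl} assigned to multiple zones: {', '.join(sorted(zs))}")
    for zone, ifls in sorted(zones.items()):
        # "master" is this script's label for interfaces in no routing instance.
        ris = {instances.get(ifl, "master") for ifl in ifls}
        if len(ris) > 1:
            findings.append(f"zone {zone} spans routing instances: {', '.join(sorted(ris))}")
    for ifl in sorted(addressed - set(owner)):
        findings.append(f"{ifl} has an address but no security zone")
    return findings
```

Run it against the output of `show configuration | display set` saved to a file; an empty result means the configuration satisfies the restrictions listed above.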
Configure Interface and Security Zone
J-Web
The following example configures a security zone with one interface:
- Configure the ge-0/0/1.0 interface with the IP address 192.168.20.2/24.
- Select Configure>Interfaces>Ports and click the ge-0/0/1 interface to edit.
- Click the '+' icon next to 'Global Settings' and select 'Logical Interface'.
- Under 'IPv4 Address' tab check 'IPv4 Address/DHCP configuration' and make sure 'Enable address configuration' is selected.
- Click the '+' icon, add the IP address and prefix (for example, 192.168.20.2/24), and click OK.
- Click OK.
- Click Commit.
For more information about configuring an interface, see Technical Documentation.
- Configure a security zone, and then assign the ge-0/0/1.0 interface to the security zone.
- Select Configure>Security>Objects>Zones/Screens. If the security zone name does not exist, click the '+' icon under the Security Zone section and enter the zone name. If the security zone name does exist, click the zone name.
- Go to the Interfaces Configuration section.
- In the Interfaces out of the zone list, select the ge-0/0/1.0 interface.
- Click the left arrow to move the interface from the 'Available' list to the 'Selected' list.
- Click OK.
- Click Commit.
For more information about configuring a security zone, see Technical Documentation.
CLI
The following example configures a security zone with one interface:
- Configure the ge-0/0/1.0 interface with the IP address 192.168.20.2/24.
user@host# set interfaces ge-0/0/1 unit 0 family inet address 192.168.20.2/24
For more information about configuring an interface, see Technical Documentation.
- If a security zone name does not exist, configure a security zone:
user@host# set security zones security-zone trust
- Assign the ge-0/0/1.0 interface to the trust security zone.
user@host# set security zones security-zone trust interfaces ge-0/0/1.0
For more information about configuring a security zone, see Technical Documentation.
- Verify existing security zones, and verify which interfaces have been assigned to the security zones by using one of the following commands:
user@host> show security zones
user@host> show interfaces
Technical Documentation
Security Zones and Interfaces Overview
Verification
To verify interface and security zone configuration, use the following operational commands:
show interfaces terse
show interfaces
show security zones
Troubleshooting
Interfaces
- Use the show interface command to display information about the interface. For more information, see show interface.
- Use the monitor interface command to display real-time interface statistics. For more information, see monitor interface.
- Configure traceoptions to troubleshoot interfaces. The following traceoptions are applicable:
All interfaces:
[edit interfaces]
user@host# set traceoptions flag ?
Possible completions:
all Enable all configuration logging
change-events Log changes that produce configuration events
config-states Log the configuration state machine changes
kernel Log configuration IPC messages to kernel
kernel-detail Log details of configuration messages to kernel
A specific interface:
[edit interfaces ge-11/1/0]
user@host# set traceoptions flag ?
Possible completions:
all Enable all interface trace flags
event Trace interface events
ipc Trace interface IPC messages
media Trace interface media changes
For information about configuring traceoptions for debugging and trimming output, see KB16108 - SRX Getting Started -- Configuring Traceoptions for Debugging and Trimming Output.
Zones
- Configure traceoptions to troubleshoot security zones. The following traceoptions are applicable:
[edit security]
user@host# set traceoptions flag ?
Possible completions:
all Trace everything
compilation Trace compilation events
configuration Trace configuration events
routing-socket Trace routing socket events
For information about configuring traceoptions for debugging and trimming output, see KB16108 - SRX Getting Started -- Configuring Traceoptions for Debugging and Trimming Output.
2020-04-17: Article reviewed for accuracy; minor changes done to steps in J-Web