Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

SRX Getting Started - Configure Interfaces and Security Zones

0

0
Article ID: KB16556 KB Last Updated: 22 Apr 2020Version: 5.0 Summary:

This article provides an example of configuring an interface and security zone on an SRX Series device.

For other topics, go to the SRX Getting Started main page.

Symptoms:

Configure interfaces and security zones.

Solution:

This section contains the following:

Network Interface Naming

Junos uses the following interface naming conventions:

  • The show interface terse command displays a list of the interfaces. 
user@host> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up 
ge-0/0/0.0              up    up   inet     10.85.49.150/24
gr-0/0/0                up    up 
ip-0/0/0                up    up 
lsq-0/0/0               up    up 
lt-0/0/0                up    up 
mt-0/0/0                up    up 
pd-0/0/0                up    up 
pe-0/0/0                up    up 
  • The syntax for the interface name, such as ge-0/0/0, is as follows:
Interface Type - Slot / Module / Port . Logical number  

For information about interface name syntax, see Interface Naming Conventions.

For information about slot numbering for SRX Series devices, see Network Interfaces.

For example :

ge-0/0/0 = First onboard Gigabit Interface
st0.0 = First Secure Tunnel Interface (VPN Tunnel)
lo0 = First loopback interface

  • All numbers for the slot, module, and port start with 0.

For example:

show interfaces ge-0/0/*

  • Wildcards--Many commands accept wildcards in the interface names.

 

Security Zone

A security zone is a collection of interfaces that define a security boundary. Internal network interfaces may be assigned to a security zone named "trust," and external network interfaces may be assigned to a security zone named "untrust." Security policies are then used to control transit traffic between security zones. For more information about security zones, see Understanding Security Zones.

Note: For SRX Branch devices, interfaces are assigned to a default security zone in the factory-default settings. See the device's Getting Started Guide for interface and zone assignments, as they vary by platform.

The Getting Started Guide can be located as follows:

Restrictions:

  • You can assign one or more logical interfaces to a zone.
  • You can also assign one or more logical interfaces to a routing instance.
  • You cannot assign a logical interface to multiple zones or multiple routing instances.
  • You must also ensure that all a zone's logical interfaces are in a single routing instance.
  • Violating any of these restrictions results in a configuration error.

Security policies are associated with zones. A packet’s incoming zone, as determined by the interface through which it arrived, and its outgoing zone, as determined by the forwarding lookup, together determine which policy is used for packets of the flow. For information about zones and policies, refer to Security Policies Feature Guide for Security Devices.

Configure Interface and Security Zone

J-Web

The following example configures a security zone with one interface:

  1. Configure the ge-0/0/1.0 interface with the IP address 192.168.20.2/24.
    1. Select Configure>Interfaces>Ports and click the ge-0/0/1 interface to edit.
    2. Click '+' icon next to 'Global Settings' and select 'Logical Interface'
    3. Under 'IPv4 Address' tab check 'IPv4 Address/DHCP configuration' and make sure 'Enable address configuration' is selected.
    4. Add the IP address and prefix, by clicking the '+'  icon i.e. 192.168.120.2/24 and click OK.
    5. Click OK.
    6. Click Commit. 

    For more information about configuring an interface, see Technical Documentation.

  2. Configure a security zone, and then assign the ge-0/0/1.0 interface to the security zone.
    1. Select Configure>Security>Objects>Zones/Screens. If a security zone name does not exist, click '+' icon under the the Security Zone section, and enter the zone name. If the security zone name does exist, click the zone name.
    2. Go to the Interfaces Configuration section.
    3. In the Interfaces out of the zone list, select the ge-0/0/1.0 interface.
    4. Click the left arrow to move the interface from 'Available' to 'Selected' list/
    5. Click OK.
    6. Click Commit.

    For more information about configuring a security zone, see Technical Documentation.


CLI

The following example configures a security zone with one interface:

user@host# set interfaces ge-0/0/1 unit 0 family inet address 192.168.20.2/24

For more information about configuring an interface, see Technical Documentation.

user@host# set security zones security-zone trust

user@host# set security zones security-zone trust interfaces ge-0/0/1.0


For more information about configuring a security zone, see Technical Documentation.

  1. Verify existing security zones, and verify which interfaces have been assigned to the security zones by using one of the following commands:

    user@host> show security zones
    user@host>     show interfaces

  2. Configure the ge-0/0/1.0 interface with the IP address 192.168.20.2/24.

  3. If a security zone name does not exist, configure a security zone:

  4. Assign the ge-0/0/1.0 interface to the trust security zone.

 

Technical Documentation

Security Zones and Interfaces Overview
 

Verification

To verify interface and security zone configuration, use the following operational commands:

  • show interfaces terse
  • show interfaces
  • show security zones

 

Troubleshooting

Interfaces
 

  • Use the show interface command to display information about the interface.For more information, see show interface.
  • Use the monitor interface command to display . For more information, see monitor interface.

[edit interfaces]
user@host# set traceoptions flag ?
Possible completions:
all Enable all configuration logging
change-events Log changes that produce configuration events
config-states Log the configuration state machine changes
kernel Log configuration IPC messages to kernel
kernel-detail Log details of configuration messages to kernel


A specific interface:

[edit interfaces ge-11/1/0]
user@host# set traceoptions flag ?
Possible completions:
all Enable all interface trace flags
event Trace interface events
ipc Trace interface IPC messages
media Trace interface media changes


For information about configuring traceoptions for debugging and trimming output, see KB16108 - SRX Getting Started -- Configuring Traceoptions for Debugging and Trimming Output.


Zones

  • Configure traceoptions to troubleshoot security zones. The following traceoptions are applicable:

  • [edit security]
    user@host# set traceoptions flag ?
    Possible completions:
    all Trace everything
    compilation Trace compilation events
    configuration Trace configuration events
    routing-socket Trace routing socket events

    For information about configuring traceoptions for debugging and trimming output, see KB16108 - SRX Getting Started -- Configuring Traceoptions for Debugging and Trimming Output.
Modification History:
2020-04-17: Article reviewed for accuracy; minor changes done to steps in J-Web
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search