Support Support Downloads Knowledge Base Service Request Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[ScreenOS] Default behavior of zones and virtual routers

0

0

Article ID: KB5714 KB Last Updated: 02 May 2018Version: 5.0
Summary:
This article lists the default behavior of zones and virtual routers (VRs) in ScreenOS 6.3.0 and later, including what can or cannot be done with VRs.
Symptoms:

Environment:

  • Default behavior of VRs in ScreenOS 6.3.0 and later

  • Trust, Untrust, and DMZ zones

  • Trust and Untrust VRs

  • Shareable zones

Solution:

The following is a list of what can or cannot be done with VRs in ScreenOS 6.3.0 and later:

  • Untrust and Trust VRs cannot be deleted.

  • Trust and Untrust VR shareability cannot be disabled.

  • Predefined zones cannot be deleted.

  • Sec (L3) zones can change their virtual router (VR) bindings.

  • Sec (L2) and Functional zones cannot change their VR bindings; the default VR for these zones is Trust VR.

  • A shared zone cannot be bound with a non-shareable VR.

  • The default VR in root is Trust VR and it is changeable to any VR.

  • Interfaces that are defined or created in a Virtual System (VSYS) are not visible to other VSYS or root systems. Only interfaces that are defined under root can be shared by other VSYS, except for tunnel interfaces.

  • Routes that are defined in one VSYS will not be shown in another VSYS. The root's routes that are in the shared VR will be shown in the VSYS.

  • VSYS can use Untrust, Trust, and newly created VSYS VRs as their own default VRs.

  • Only custom zones can be made shareable, and may also be changed back to non-shareable.

  • VRs can be made shareable back and forth as desired. However, to change a VR from shared to unshared, the following is required:

    • Cannot have any shared zones in the VR

    • Cannot have any VSYS defined

  • In a brand new box, which is fresh from the factory, the Trust VR is shared by default. The Untrust, Trust, and DMZ zones are bound to a Trust VR by default.

  • A box with a configuration from an earlier release will have the Trust VR unshared. The Untrust and DMZ zones are bound to the Untrust VR. The Trust zone is bound to the Trust VR.

Modification History:
05/03/2018: Default behavior of zones and virtual routers updated for ScreenOS 6.3.0 and later
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Security Alerts and Vulnerabilities

Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search