
Understanding Security Zones and Policies for SRX Series

Security Zones

A zone is a collection of one or more network segments sharing identical security requirements. To group network segments within a zone, you must assign logical interfaces from the device to a zone.

Security zones identify the direction of a traffic flow in security policies, which is how policies control traffic. On a single device you can configure multiple security zones; at a minimum you must define two, so that one area of the network can be protected from the other.

To configure the security zones, you must:

  • Define the zone (security or functional)
  • Add logical interfaces to the zone
  • Define the services (for example, Telnet or SSH) and protocols (for example, OSPF) that are permitted to reach the device itself from that zone

The default configuration of the branch SRX Series includes two security zones: trust and untrust. The vlan.0 interface belongs to the trust zone, and ge-0/0/0 belongs to the untrust zone.

For more details on security zones, see Security Zones and Interfaces Feature Guide for Security Devices.

Security Policy

A security policy is a set of statements that controls traffic from a specified source to a specified destination using a specified service.

If the SRX Series device receives a packet that matches those specifications, it performs the action specified in the policy. Actions for matching traffic include permit, deny, reject, log, and count.

Security policies enforce a set of rules for transit traffic, identifying which traffic can pass through the firewall and the actions taken on the traffic as it passes through the firewall.

The factory default security policy permits all traffic from the trust zone to the untrust zone and denies all traffic from the untrust zone to the trust zone.

For more details on security policies, see Security Policies Feature Guide for Security Devices.
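As an added example (not part of the original Juniper topic), the following Junos configuration puts the two sections together: it defines the trust and untrust zones, assigns the default branch interfaces to them, restricts which services and protocols may reach the device itself, and writes policies that mirror the factory default while logging both directions. Interface names follow the defaults described above (vlan.0 and ge-0/0/0, referenced here as the logical unit ge-0/0/0.0); the policy names are arbitrary.

```junos
security {
    zones {
        security-zone trust {
            /* LAN-side logical interface, as in the branch SRX factory default */
            interfaces { vlan.0; }
            /* Only these services and protocols may reach the device itself from trust */
            host-inbound-traffic {
                system-services { ssh; }
                protocols { ospf; }
            }
        }
        security-zone untrust {
            /* No host-inbound-traffic stanza: the device accepts nothing from the WAN side */
            interfaces { ge-0/0/0.0; }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy allow-outbound {
                match { source-address any; destination-address any; application any; }
                then {
                    permit;
                    /* Record session start and end so outbound activity is auditable */
                    log { session-init; session-close; }
                }
            }
        }
        from-zone untrust to-zone trust {
            policy block-inbound {
                match { source-address any; destination-address any; application any; }
                then {
                    deny;
                    /* Log denied inbound attempts for monitoring */
                    log { session-init; }
                }
            }
        }
        /* Traffic matching no policy is dropped; this is the default, stated explicitly */
        default-policy { deny-all; }
    }
}
```

Load it with `load merge` in configuration mode and confirm the result with `show security zones` and `show security policies` before committing.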

Published: 2013-06-11