
    Example: Creating Security Zones

    This example shows how to configure zones and assign interfaces to them. When you configure a security zone, you can specify many of its parameters at the same time.

    Requirements

    Before you begin, configure network interfaces. See the Junos OS Interfaces Configuration Guide for Security Devices.

    Overview

    An interface for a security zone can be thought of as a doorway through which TCP/IP traffic can pass between that zone and any other zone.

    Note: By default, interfaces are in the null zone. The interfaces will not pass traffic until they have been assigned to a zone.

    Note: You can configure 2000 interfaces within a security zone on SRX3400, SRX3600, SRX5600, and SRX5800 devices.

    Configuration

    CLI Quick Configuration

    To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

    set interfaces ge-0/0/1 unit 0 family inet address 10.12.12.1/24
    set interfaces ge-0/0/1 unit 0 family inet6 address fa:43::21/96
    set security zones security-zone ABC interfaces ge-0/0/1.0

    Step-by-Step Procedure

    The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

    To create zones and assign interfaces to them:

    1. Configure an Ethernet interface and assign an IPv4 address to it.
      [edit]
      user@host# set interfaces ge-0/0/1 unit 0 family inet address 10.12.12.1/24
    2. Configure an Ethernet interface and assign an IPv6 address to it.
      user@host# set interfaces ge-0/0/1 unit 0 family inet6 address fa:43::21/96
    3. Configure a security zone and assign it to an Ethernet interface.
      user@host# set security zones security-zone ABC interfaces ge-0/0/1.0

    Results

    From configuration mode, confirm your configuration by entering the show security zones security-zone ABC and show interfaces ge-0/0/1 commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    For brevity, this show output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).

    [edit]
    user@host# show security zones security-zone ABC
    ...
        interfaces {
            ge-0/0/1.0 {
                ...
            }
        }
    
    [edit]
    user@host# show interfaces ge-0/0/1
    ...
        unit 0 {
            family inet {
                address 10.12.12.1/24;
            }
            family inet6 {
                address fa:43::21/96;
            }
        }

    If you are done configuring the device, enter commit from configuration mode.
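
    As an added example (not part of the Juniper documentation), the following Python check reads a configuration in set format and lists logical interfaces that carry an address but appear in no security zone; per the note in the Overview, those remain in the null zone and pass no traffic. It also reports any interface listed under more than one zone. The function name audit_zones, the sample lines, and the ge-0/0/2 interface are assumptions constructed for illustration.

```python
import re

# Constructed sample in "set" format, modelled on this example. ge-0/0/2 is
# an assumption added here to show an interface never assigned to a zone.
SAMPLE_CONFIG = """\
set interfaces ge-0/0/1 unit 0 family inet address 10.12.12.1/24
set interfaces ge-0/0/1 unit 0 family inet6 address fa:43::21/96
set interfaces ge-0/0/2 unit 0 family inet address 10.12.13.1/24
set security zones security-zone ABC interfaces ge-0/0/1.0
"""

ADDR_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet6? address \S+")
ZONE_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)")


def audit_zones(config_text):
    """Audit zone membership in a Junos configuration given in set format.

    Returns (null_zone, multi_zone):
      null_zone  - sorted logical interfaces with an address but no zone
      multi_zone - {interface: sorted zones} for interfaces named in 2+ zones
    """
    addressed = set()   # logical interfaces (name.unit) that carry an address
    members = {}        # logical interface -> set of zones that list it
    for raw in config_text.splitlines():
        line = raw.strip()
        m = ADDR_RE.match(line)
        if m:
            addressed.add(f"{m.group(1)}.{m.group(2)}")
            continue
        m = ZONE_RE.match(line)
        if m:
            zone, ifname = m.groups()
            members.setdefault(ifname, set()).add(zone)
    # "interfaces all" places every interface in that zone.
    if "all" in members:
        null_zone = []
    else:
        null_zone = sorted(addressed.difference(members))
    multi_zone = {i: sorted(z) for i, z in members.items() if len(z) > 1}
    return null_zone, multi_zone


if __name__ == "__main__":
    unzoned, conflicts = audit_zones(SAMPLE_CONFIG)
    print("in null zone (will not pass traffic):", unzoned)
    print("listed in more than one zone:", conflicts)
```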

    Verification

    To confirm that the configuration is working properly, perform this task:

    Troubleshooting with Logs

    Purpose

    Use these logs to identify any issues.

    Action

    From operational mode, enter the show log messages command and the show log dcd command.

    Published: 2012-06-29