A J-series or SRX-series device secures a network by inspecting, and then allowing or denying, all connection attempts that require passage from one security zone to another.
By default, a device denies all traffic in all directions. Through the creation of policies, you can control the traffic flow from zone to zone by defining the kinds of traffic permitted to pass from specified sources to specified destinations at scheduled times. At the broadest level, you can allow all kinds of traffic from any source in one zone to any destination in all other zones without any scheduling restrictions. At the narrowest level, you can create a policy that allows only one kind of traffic between a specified host in one zone and another specified host in another zone during a scheduled interval of time. See Figure 133.
Figure 133: Default Policy
Every time a packet attempts to pass from one zone to another or between two interfaces bound to the same zone, the device checks for a policy that permits such traffic (see Policy Application Sets Overview). To allow traffic to pass from one security zone to another—for example, from zone A to zone B—you must configure a policy that permits zone A to send traffic to zone B. To allow traffic to flow the other way, you must configure another policy permitting traffic from zone B to zone A.
To allow data traffic to pass between zones, you must configure firewall policies.
This topic covers:
 | Copyright © 2009, Juniper Networks, Inc. All rights reserved. Trademark Notice. | |