Junos OS

Ask questions and share experiences about Junos OS.
  • 1.  If there are NO interfaces in the Zone (untrusted) ?

    Posted 12-02-2014 10:46

    I am running Junos version 9.6R1.13 and have a question in need of an answer:

    When looking at a zone configuration (let's say "untrusted") and seeing that there are NO "interfaces in the zone", wouldn't that indicate that any existing FW policies that have the "untrusted" zone in either the source or destination are basically useless and of no meaning?

    Thanks for any info on this.

    Steve



  • 2.  RE: If there are NO interfaces in the Zone (untrusted) ?

    Posted 12-02-2014 12:09

    Yes, you are absolutely correct.

    If there is no interface configured in the 'untrust' zone, then any rules referencing the 'untrust' zone are not doing anything.

    Regards,

    Sam



  • 3.  RE: If there are NO interfaces in the Zone (untrusted) ?

    Posted 12-09-2014 13:42

    So here is my situation:

    The following policies were left in place:

    Factory-Default Security Policies

    1. Trust-to-trust zone policy: Denies all intrazone traffic within the trust zone. This was changed to a PERMIT.
    2. Trust-to-untrust zone policy: Permits all traffic from the trust zone to the untrust zone.
    3. Untrust-to-trust zone policy: Denies all traffic from the untrust zone to the trust zone.

    NO interfaces assigned to the untrust zone.

    Several other zones were created and have interfaces and policies assigned to them, for example:

    Zone test-1

    Zone test-2

    Let's say I have several policies that represent the following, immediately below the Factory-Default policies I listed above that were left in place:

    Zone test-1 (Source) 192.168.77.0/24 to Zone test-2 192.168.55.0/24 (destination) tcp-123 Permit

    Zone test-1 (Source) 192.168.77.0/24 to Zone test-2 192.168.55.0/24 (destination) tcp-456 Permit

    Zone test-1 (Source) 192.168.77.0/24 to Zone test-2 192.168.55.0/24 (destination) tcp-789 Permit

    Zone test-1 (Source) 192.168.77.0/24 to Zone test-2 192.168.55.0/24 (destination) tcp-101 Permit

    Zone test-2 (Source) 192.168.55.0/24 to Zone test-1 192.168.77.0/24 (destination) tcp-123 Permit

    Zone test-2 (Source) 192.168.55.0/24 to Zone test-1 192.168.77.0/24 (destination) tcp-456 Permit

    Zone test-2 (Source) 192.168.55.0/24 to Zone test-1 192.168.77.0/24 (destination) tcp-789 Permit

    Zone test-2 (Source) 192.168.55.0/24 to Zone test-1 192.168.77.0/24 (destination) tcp-101 Permit

    As you can see there are NO denies referencing any of the newly created zones (test-1, test-2, etc.).

    Would this not indicate that Any and ALL traffic to and from the interfaces assigned in the zones is PERMITTED?

    Thanks, Steve



  • 4.  RE: If there are NO interfaces in the Zone (untrusted) ?
    Best Answer

    Posted 12-15-2014 13:17

    Would this not indicate that Any and ALL traffic to and from the interfaces assigned in the zones are PERMITTED?

    NO. Only the traffic you have defined now will be permitted. You should be able to test the scenario as shown. Once you start managing any traffic with policies, then any traffic that does not match will be dropped. Without any policies configured, the default allowing all traffic will be observed.
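The following is an added example, not configuration from this thread or from Juniper, that puts the scenario described in post 3 into Junos set-style configuration so that both points made in posts 2 and 4 can be checked on a device. Interface names, the address-book entries net-77 and net-55, and the policy names are assumptions. The untrust zone is declared with no interface bound, exactly as in the question, and `default-policy deny-all` (the Junos behaviour when no policy matches) is written out explicitly so that the "everything else is dropped" behaviour is visible in the configuration rather than implied. Address books are written per zone, the syntax available on the 9.6-era release in the thread. Lines beginning with `#` are commentary, not Junos syntax; strip them before pasting with `load set terminal`.

```junos
# --- Zones: trust, test-1 and test-2 have interfaces; untrust is declared but empty.
# With no interface bound to untrust, no packet can ever ingress from or be routed
# to that zone, so the two factory policies that name it are never consulted.
# (Interface names are assumed.)
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust
set security zones security-zone test-1 interfaces ge-0/0/1.0
set security zones security-zone test-2 interfaces ge-0/0/2.0

# --- Per-zone address books (entry names net-77 and net-55 are assumed).
set security zones security-zone test-1 address-book address net-77 192.168.77.0/24
set security zones security-zone test-2 address-book address net-55 192.168.55.0/24

# --- Custom applications for the four TCP ports in the question.
set applications application tcp-123 protocol tcp destination-port 123
set applications application tcp-456 protocol tcp destination-port 456
set applications application tcp-789 protocol tcp destination-port 789
set applications application tcp-101 protocol tcp destination-port 101

# --- Factory-default style policies, left in place as in the thread
# (trust-to-trust already changed to permit).
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone untrust to-zone trust policy default-deny match source-address any
set security policies from-zone untrust to-zone trust policy default-deny match destination-address any
set security policies from-zone untrust to-zone trust policy default-deny match application any
set security policies from-zone untrust to-zone trust policy default-deny then deny

# --- The test-1 <-> test-2 permits. The four per-port policies in the thread are
# collapsed here into one policy per direction with an application list; the
# match result is identical.
set security policies from-zone test-1 to-zone test-2 policy allow-77-to-55 match source-address net-77
set security policies from-zone test-1 to-zone test-2 policy allow-77-to-55 match destination-address net-55
set security policies from-zone test-1 to-zone test-2 policy allow-77-to-55 match application [ tcp-123 tcp-456 tcp-789 tcp-101 ]
set security policies from-zone test-1 to-zone test-2 policy allow-77-to-55 then permit
set security policies from-zone test-2 to-zone test-1 policy allow-55-to-77 match source-address net-55
set security policies from-zone test-2 to-zone test-1 policy allow-55-to-77 match destination-address net-77
set security policies from-zone test-2 to-zone test-1 policy allow-55-to-77 match application [ tcp-123 tcp-456 tcp-789 tcp-101 ]
set security policies from-zone test-2 to-zone test-1 policy allow-55-to-77 then permit

# --- What happens to everything else. There is no explicit deny for the test-1 /
# test-2 pair, but a session that matches none of the policies for its zone pair
# falls through to default-policy. deny-all is the Junos default; setting it
# explicitly stops a later edit from silently widening the ruleset to permit-all.
set security policies default-policy deny-all
```

After `commit`, `show security zones` lists untrust with no interfaces bound (on current releases the line reads `Interfaces bound: 0`), which is the quickest way to confirm post 2's point that the untrust policies are dead configuration. `show security policies` prints the effective default policy on its first line and `show security policies from-zone test-1 to-zone test-2` shows the one policy that can permit anything in that direction, so a TCP/22 or UDP flow from 192.168.77.0/24 to 192.168.55.0/24 has nothing to match and is dropped, which is the behaviour post 4 describes. Policies are evaluated on the initiating packet only: replies inside an established session are allowed by the session entry, so the test-2 to test-1 policies are needed only for connections that are initiated from the test-2 side.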