SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Blocking all traffic by security policy

    Posted 01-21-2015 06:24

    I am new to the Juniper world. I am trying to deploy a Dell PowerConnect J-SRX240H, which is basically running Juniper OS.

    I am trying to block all traffic from the "untrust zone" (ge-0/0/15) to the "trust zone" (ge-0/0/14), but after many hours of work I have not been able to get the result. Can anyone point out what I am doing wrong?

    My running configuration is attached.

    Thanks in advance.

    Attachment(s): srx.txt (txt, 6 KB, 1 version)


  • 2.  RE: Blocking all traffic by security policy

     
    Posted 01-21-2015 13:32

    Your policies are fine!

    The problem is that you have put interface ge-0/0/15 into zone untrust. If you look at the interface config itself, it should be in the trust zone.

    security-zone untrust {
        screen untrust-screen;
        interfaces {
            ge-0/0/15.0;
        }
    }

    ge-0/0/15 {
        unit 0 {
            family ethernet-switching {
                vlan {
                    members vlan-trust;
                }
            }
        }
    }

    If I read it right, you have to put interface ge-0/0/0 into zone untrust and remove interface ge-0/0/15.

    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    dhcp;
                }
            }
        }
    }


  • 3.  RE: Blocking all traffic by security policy

    Posted 01-21-2015 21:19

    Thanks for your reply.

    But I don't understand your answer properly. I don't understand why I have to remove ge-0/0/15 from the 'untrust zone'. What is the relation between 'vlan-trust' and the 'trust zone'? I would appreciate further clarification.

     



  • 4.  RE: Blocking all traffic by security policy

     
    Posted 01-21-2015 22:06

    Let me explain... You have put interface ge-0/0/15.0 into zone untrust. ge-0/0/15.0 should be in zone trust. If you look at the config of that interface, it has family ethernet-switching configured with vlan-trust (vlan-trust has been assigned as your internal VLAN) and is assigned to zone trust (your internal zone).

    Zone untrust is your "external / internet zone".

    As I look at your config, interface ge-0/0/0 looks to be your interface connecting to the "world / internet", so what you need to do is the following.

    When you are in configuration mode (the # lines are annotations, not commands to type):

    # take ge-0/0/15.0 out of zone untrust
    delete security zones security-zone untrust interfaces ge-0/0/15.0
    # put ge-0/0/15.0 into zone trust
    set security zones security-zone trust interfaces ge-0/0/15.0
    # put your external interface into zone untrust
    set security zones security-zone untrust interfaces ge-0/0/0.0
    commit


  • 5.  RE: Blocking all traffic by security policy
    Best Answer

    Posted 01-22-2015 04:44

    Hi,

     

    Both interfaces ge-0/0/14 and ge-0/0/15 are under the same VLAN (vlan-trust). As the firewall is working as an L3 firewall, it will look for the IP address, which is vlan.0.

    I mean both interfaces carry the vlan.0 IP address, so both are in the trust VLAN. You have three options:

    1- Either convert the FW to work as a transparent L2 FW

    2- Configure a new vlan.1 interface with a different IP address and put interface ge-0/0/15 in that VLAN.

    3- Use normal IP configuration with family inet directly under interfaces ge-0/0/14 and ge-0/0/15 instead of ethernet-switching



  • 6.  RE: Blocking all traffic by security policy

     
    Posted 01-22-2015 22:09

    I missed something in the first line; after seeing that just now, I have to agree with mhariry.

    I would go for one of the two solutions he mentioned:

    2- Configure a new vlan.1 interface with a different IP address and put interface ge-0/0/15 in that VLAN.

    3- Use normal IP configuration with family inet directly under interfaces ge-0/0/14 and ge-0/0/15 instead of ethernet-switching

    Personally I would go for solution 3.
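    Option 3 from the two replies above, written out as an added example of the set commands involved (this is not from the original posts or the attached srx.txt). It assumes ge-0/0/14 is the inside port and ge-0/0/15 the outside port, that vlan.0 stays in zone trust for any other switched ports, and uses the RFC 5737 documentation addresses 192.0.2.1/24 and 198.51.100.1/24 as placeholders; the policy name deny-untrust-to-trust is also a placeholder. Lines starting with # are annotations, not commands to type.

```junos
# --- Option 3: make both ports routed (family inet), one port per zone ---

# With "family ethernet-switching" and "vlan members vlan-trust", both ports
# are bridged inside vlan-trust and the only L3 interface the flow engine sees
# is vlan.0 (zone trust), so an untrust->trust policy never matches that traffic.
# Remove the switching config and give each port its own L3 address
# (192.0.2.1/24 and 198.51.100.1/24 are placeholders; use your own subnets).
delete interfaces ge-0/0/14 unit 0 family ethernet-switching
delete interfaces ge-0/0/15 unit 0 family ethernet-switching
set interfaces ge-0/0/14 unit 0 family inet address 192.0.2.1/24
set interfaces ge-0/0/15 unit 0 family inet address 198.51.100.1/24

# Zone membership follows the L3 interface: inside port in trust,
# outside port in untrust (ge-0/0/15.0 was already listed under untrust;
# the set is idempotent). The untrust-screen on the zone stays in effect.
set security zones security-zone trust interfaces ge-0/0/14.0
set security zones security-zone untrust interfaces ge-0/0/15.0

# Junos drops traffic with no matching policy, but an explicit deny policy
# with session-init logging records each dropped session, so you can confirm
# the block from the logs instead of guessing. Leave any existing
# trust-to-untrust permit policy as it is.
set security policies from-zone untrust to-zone trust policy deny-untrust-to-trust match source-address any
set security policies from-zone untrust to-zone trust policy deny-untrust-to-trust match destination-address any
set security policies from-zone untrust to-zone trust policy deny-untrust-to-trust match application any
set security policies from-zone untrust to-zone trust policy deny-untrust-to-trust then deny
set security policies from-zone untrust to-zone trust policy deny-untrust-to-trust then log session-init

# Validate before activating, then activate.
commit check
commit

# Verify from configuration mode (or drop the "run" prefix in operational mode):
# which interfaces are in which zone, the policy as the box sees it,
# and whether any untrust->trust sessions are being created at all.
run show security zones
run show security policies from-zone untrust to-zone trust
run show security flow session
```

    The point of option 3 is that the two ports end up on different subnets, so the SRX routes between them and every packet from ge-0/0/15 towards ge-0/0/14 goes through a zone-to-zone policy lookup; with ethernet-switching the same traffic was switched inside vlan-trust and never reached a policy. Option 2 (a second RVI, vlan.1, in its own zone) gives the same separation while keeping the ports as switch ports.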

  • 7.  RE: Blocking all traffic by security policy

    Posted 01-29-2015 19:44