SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Juniper SRX Security Policy Question

    Posted 08-12-2015 01:31
    Hello, I'm currently migrating a main firewall from an SSG to an SRX. I'm just about to add the security policies on the SRX, but there is something I need some advice with. We have policies on the SSG from Untrust to Untrust that use destination NAT to forward traffic on to internal servers. Therefore, on the SRX, will the security policy be defined from zone Untrust to Untrust also? Or will it be from Untrust to Trust, as the destination NAT is taking the traffic to internal servers within the Trust zone? Many thanks,


  • 2.  RE: Juniper SRX Security Policy Question
    Best Answer

     
    Posted 08-12-2015 01:34

    Hi Gunner247,

     

    The policy will have to be from Untrust to Trust, as the destination NAT is hit before the policy lookup happens.

    Hence, the IPs will be changed (via NAT) by the time it hits the policy.

     

     



  • 3.  RE: Juniper SRX Security Policy Question

     
    Posted 08-12-2015 01:35

    Hello,

    First of all, in SRX the security policy and the destination NAT are two different components, unlike SSG, where they are integrated.

    In SRX the destination NAT rule is hit first and the destination IP will be converted to the configured LAN IP.

    So the security policy should be from zone "Untrust" to zone "Trust" if the LAN IP falls in the trust zone.

    I hope you got what needs to be done.



  • 4.  RE: Juniper SRX Security Policy Question

    Posted 08-12-2015 01:42
    Ok great, many thanks for your help both of you 🙂
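
The setup described in the answers above, written out as Junos set commands. This is an added example, not configuration posted by anyone in the thread. The rule-set, pool, policy and address names, the zone names `untrust`/`trust`, and all addresses (203.0.113.10 as the public address, 192.168.1.10 as the internal server, HTTPS as the service) are constructed placeholders.

```junos
# Added example: all names and addresses below are constructed placeholders.

# --- Destination NAT (evaluated before the security policy lookup) ---
# Pool holding the real (internal) server address.
set security nat destination pool WEB-SERVER address 192.168.1.10/32

# Rule-set bound to the ingress zone only; destination NAT has no "to zone".
set security nat destination rule-set FROM-UNTRUST from zone untrust
set security nat destination rule-set FROM-UNTRUST rule WEB match destination-address 203.0.113.10/32
set security nat destination rule-set FROM-UNTRUST rule WEB match destination-port 443
set security nat destination rule-set FROM-UNTRUST rule WEB then destination-nat pool WEB-SERVER

# --- Security policy ---
# Address-book entry for the TRANSLATED address, because the policy
# sees the packet after destination NAT has already rewritten it.
set security address-book global address WEB-SERVER-INT 192.168.1.10/32

# Correct: untrust -> trust, matching the internal address.
set security policies from-zone untrust to-zone trust policy ALLOW-WEB match source-address any
set security policies from-zone untrust to-zone trust policy ALLOW-WEB match destination-address WEB-SERVER-INT
set security policies from-zone untrust to-zone trust policy ALLOW-WEB match application junos-https
set security policies from-zone untrust to-zone trust policy ALLOW-WEB then permit
set security policies from-zone untrust to-zone trust policy ALLOW-WEB then log session-init

# Not needed on the SRX: the SSG-style untrust -> untrust policy matching
# the public address 203.0.113.10. By the time the policy lookup runs,
# the destination is already 192.168.1.10 in the trust zone, so such a
# policy would not match this traffic.
```

Keeping the policy's destination as the specific internal host and a single application, rather than `any`, limits what the NAT rule exposes from the untrust side.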