06-22-2017 02:42 AM
I need an expert guide regarding the Junos-Host zone:
Would you please provide me with examples or cases where you have to use the junos-host zone?
I figured out that I should use Junos-Host, for example, to regulate traffic destined to the Routing Engine, such as OSPF messages?
06-22-2017 02:59 AM
Correct, Junos host is the zone for traffic that is for the SRX itself.
You secure basic protocols using the zone configuration by allowing the desired protocols under host-inbound-traffic for the zone. But this only allows the protocol or service as a whole.
If you want to secure the communications to specific addresses or ranges, you will need to create security policies using the junos-host zone. This is optional.
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCDA JNCDS-DC JNCDS-SEC
ACE PanOS 6 ACE PanOS 7
06-22-2017 07:25 AM
Another use case would be, say you wanted to SNAT host originated traffic. For example, you could create a source NAT policy from zone junos-host to zone untrust.
Juniper Networks Ambassador
If this worked for you please flag my post as an 'Accepted Solution' so others can benefit. A kudo would be cool if you think I earned it.
06-22-2017 02:13 PM
The junos-host zone adds granular control over self-traffic. Check out this link:
Self-traffic, or host traffic, is the host-inbound traffic, that is, the traffic terminating on the device, or the host-outbound traffic, that is, the traffic originating from the device.
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit.
06-22-2017 08:18 PM
The junos-host zone can be used to add an additional check for traffic destined to the SRX. If you don't configure any security policy to-zone junos-host, the traffic/packet will be validated based on the host-inbound-traffic configured under security zones. If you configure a security policy to-zone junos-host, that policy check will be done in addition to the host-inbound-traffic/services specified under zones.
For example, if you allow SSH/Telnet/OSPF under interface ge-0/0/0.0, but configure a security policy to-zone junos-host allowing only SSH, then Telnet/OSPF won't work. Only SSH will work.
The links below can provide some more details.
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
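The two-gate behaviour described in the last answer, as an added configuration example (not from the original thread or from Juniper): host-inbound-traffic opens SSH, Telnet and OSPF on ge-0/0/0.0, and the to-zone junos-host policy then narrows SSH to one management prefix, keeps OSPF, and logs everything else (Telnet included) as it is dropped. The prefix 192.0.2.0/24, the address name mgmt-net, the zone name trust and the global address book are assumptions.

```junos
security {
    address-book {
        global {
            address mgmt-net 192.0.2.0/24;   /* assumed management subnet */
        }
    }
    zones {
        security-zone trust {
            interfaces {
                ge-0/0/0.0 {
                    /* first gate, protocol level: ssh, telnet and ospf may reach the RE at all */
                    host-inbound-traffic {
                        system-services { ssh; telnet; }
                        protocols { ospf; }
                    }
                }
            }
        }
    }
    policies {
        /* second gate, address level: only what is permitted here gets through */
        from-zone trust to-zone junos-host {
            policy allow-mgmt-ssh {
                match { source-address mgmt-net; destination-address any; application junos-ssh; }
                then { permit; }
            }
            policy allow-ospf {
                match { source-address any; destination-address any; application junos-ospf; }
                then { permit; }
            }
            /* telnet passed host-inbound-traffic but has no permit here, so it is denied and logged */
            policy deny-log-rest {
                match { source-address any; destination-address any; application any; }
                then { deny; log { session-init; } }
            }
        }
    }
}
```

The explicit deny-log-rest policy is only there to make the drops visible in the security log; without it the default deny still drops the same traffic silently.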