SRX Services Gateway
Contributor
Posts: 119
Registered: ‎03-11-2017

Junos-Host

I need an expert guide regarding the Junos-Host zone:

* Would you please provide me with examples or cases where you have to use the junos-host zone?

> I figured out that I should use Junos-Host, for example, to regulate traffic destined to the Routing Engine, such as OSPF messages?

Distinguished Expert
Posts: 4,937
Registered: ‎03-30-2009

Re: Junos-Host

Correct, junos-host is the zone for traffic that is for the SRX itself.

You secure basic protocols using the zone configuration by allowing the desired protocols under host-inbound-traffic for the zone. But this only allows the protocol or service as a whole.

If you want to secure the communications to specific addresses or ranges, you will need to create security policies using the junos-host zone. This is optional.

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home
Trusted Contributor
Posts: 52
Registered: ‎08-30-2013

Re: Junos-Host

Another use case would be, say you wanted to SNAT host-originated traffic. For example, you could create a source NAT policy from zone junos-host to zone untrust.

Matt Dinham
Juniper Networks Ambassador

Twitter: @mattdinham
Blog: http://matt.dinham.net

If this worked for you please flag my post as an 'Accepted Solution' so others can benefit. A kudo would be cool if you think I earned it.
Distinguished Expert
Posts: 1,861
Registered: ‎06-06-2011

Re: Junos-Host

The junos-host zone adds granular control over self-traffic. Check out this link:
https://forums.juniper.net/t5/SRX-Services-Gateway/Junos-host-zone-clarification/td-p/270990

Self-traffic, or host traffic, is the host-inbound traffic, that is, the traffic terminating on the device, or the host-outbound traffic, that is, the traffic originating from the device.

[KUDOS PLEASE! If you think I earned it!
If this solution worked for you please flag my post as an "Accepted Solution" so others can benefit..]
Trusted Contributor
Posts: 87
Registered: ‎07-19-2016

Re: Junos-Host

Hi,

The junos-host zone can be used to add an additional check for traffic destined to the SRX. If you don't configure any security policy to-zone junos-host, the traffic/packet will be validated based on host-inbound-traffic configured under security zones. If you configure a security policy to-zone junos-host, that policy check will be done in addition to the host-inbound-traffic/services specified under zones.

For example, if you allow SSH/Telnet/OSPF under interface ge-0/0/0.0, but configure a security policy to-zone junos-host allowing SSH, then Telnet/OSPF won't work. Only SSH will work.

The links below can provide some more details.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB24227

http://forums.juniper.net/t5/SRX-Services-Gateway/JUNOS-HOST-zone-vs-lo0-filter/td-p/146916

 

Thanks,
Anand
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
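
The SSH/Telnet/OSPF case from the post above, combined with the per-address restriction mentioned earlier in the thread, written out as Junos set commands. This is an added example and not configuration posted by any of the participants; the zone name trust, the address-book entry MGMT-NET, the prefix 192.0.2.0/24 and the policy names are assumptions.

```junos
# Constructed example. Interface ge-0/0/0.0 comes from the post; zone "trust",
# MGMT-NET, 192.0.2.0/24 and all policy names are assumed for illustration.

# Stage 1: zone-level check only. SSH, Telnet and OSPF are each allowed as a
# whole, from any source that can reach ge-0/0/0.0.
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic protocols ospf

# Stage 2: add policies to-zone junos-host. From here on, self-traffic from
# zone trust must pass host-inbound-traffic AND match a permit policy.
set security address-book global address MGMT-NET 192.0.2.0/24

# SSH to the SRX is accepted only from the management prefix.
set security policies from-zone trust to-zone junos-host policy ssh-from-mgmt match source-address MGMT-NET
set security policies from-zone trust to-zone junos-host policy ssh-from-mgmt match destination-address any
set security policies from-zone trust to-zone junos-host policy ssh-from-mgmt match application junos-ssh
set security policies from-zone trust to-zone junos-host policy ssh-from-mgmt then permit

# With only the SSH policy present, OSPF stops working as described in the
# post. If adjacencies on this zone must stay up, permit OSPF explicitly.
set security policies from-zone trust to-zone junos-host policy ospf-in match source-address any
set security policies from-zone trust to-zone junos-host policy ospf-in match destination-address any
set security policies from-zone trust to-zone junos-host policy ospf-in match application junos-ospf
set security policies from-zone trust to-zone junos-host policy ospf-in then permit

# Telnet matches no permit policy, so it is dropped even though it is still
# listed under host-inbound-traffic. An explicit last rule makes the drops
# visible in the session logs.
set security policies from-zone trust to-zone junos-host policy deny-rest match source-address any
set security policies from-zone trust to-zone junos-host policy deny-rest match destination-address any
set security policies from-zone trust to-zone junos-host policy deny-rest match application any
set security policies from-zone trust to-zone junos-host policy deny-rest then deny
set security policies from-zone trust to-zone junos-host policy deny-rest then log session-init
```

After committing, `show security policies from-zone trust to-zone junos-host` lists the three policies in evaluation order. Telnet can then also be removed from host-inbound-traffic so the zone configuration matches what is actually reachable.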