SRX Services Gateway
Visitor
Posts: 3
Registered: ‎04-05-2011

PIX TO Junos SRX translation

Hello Guys, 
We are planning to swap Cisco firewalls for Juniper SRX. As a matter of fact, we need to define policies for the traffic flowing from a higher security zone to lower security zones. Is it possible to write a security policy in Junos as follows?
This would be an example of traffic flowing from the higher security level called blue (Cisco terminology) to the remaining lower security levels.
set security policies from-zone blue to-zone any policy default-permit match source-address any
set security policies from-zone blue to-zone any policy default-permit match destination-address any
set security policies from-zone blue to-zone any policy default-permit match application any
set security policies from-zone blue to-zone any policy default-permit then permit
Thanks for the help!

Super Contributor
Posts: 353
Registered: ‎04-30-2010

Re: PIX TO Junos SRX translation

You'll have to break this out zone-by-zone. There is no such thing as an "any" zone. If you are thinking about the "global" zone, that is not used in security policies.

Visitor
Posts: 8
Registered: ‎04-05-2011

Re: PIX TO Junos SRX translation

What about the fix-up protocol commands?

Does Junos take care of the inspection automatically (e.g. FTP)?

Trusted Contributor
Posts: 89
Registered: ‎03-18-2010

Re: PIX TO Junos SRX translation

I use groups to apply between-zone policies, so you can have one policy and apply it to multiple zones.

Example:

set groups to-lower-policy security policies from-zone <*> to-zone <*> policy default-permit match source-address any
set groups to-lower-policy security policies from-zone <*> to-zone <*> policy default-permit match destination-address any
set groups to-lower-policy security policies from-zone <*> to-zone <*> policy default-permit match application any
set groups to-lower-policy security policies from-zone <*> to-zone <*> policy default-permit then permit

set security policies from-zone blue to-zone DMZ apply-groups to-lower-policy
set security policies from-zone blue to-zone untrust apply-groups to-lower-policy

Trusted Contributor
Posts: 89
Registered: ‎03-18-2010

Re: PIX TO Junos SRX translation

You can also specify multiple groups, just make sure you put them in the right order (most permissive policy last).

set security policies from-zone blue to-zone DMZ apply-groups [deny-smtp-policy to-lower-policy]

To show the final policy configuration:

show security policies from-zone blue to-zone DMZ | display inheritance
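
As an added example (not code from any poster in this thread, nor Juniper's), the following Python script does the zone-by-zone expansion the replies above describe: it takes the single "blue to everything lower" rule, emits the set commands for each lower zone, and keeps an explicit deny ahead of the catch-all permit, which is the ordering point made about apply-groups. The zone names DMZ and untrust, the policy names, and the deny-smtp rule are assumptions for illustration; the junos-smtp application is a Junos predefined application.

```python
"""Expand one PIX-style "higher zone to all lower zones" rule into per-zone-pair
Junos SRX set commands, keeping deny policies ahead of the catch-all permit.

Constructed example for this thread, not Cisco or Juniper code. Zone names,
policy names and the deny-smtp rule are assumptions.
"""

from dataclasses import dataclass, field
from typing import List


@dataclass
class Policy:
    """One SRX security policy, rendered as 'set' statements for a zone pair."""
    name: str
    action: str                                  # "permit" or "deny"
    source: str = "any"
    destination: str = "any"
    applications: List[str] = field(default_factory=lambda: ["any"])

    def set_lines(self, from_zone: str, to_zone: str) -> List[str]:
        prefix = (f"set security policies from-zone {from_zone} "
                  f"to-zone {to_zone} policy {self.name}")
        lines = [
            f"{prefix} match source-address {self.source}",
            f"{prefix} match destination-address {self.destination}",
        ]
        # One application per 'set' line; Junos merges them into a list.
        lines += [f"{prefix} match application {app}" for app in self.applications]
        lines.append(f"{prefix} then {self.action}")
        return lines


def expand(from_zone: str, lower_zones: List[str], policies: List[Policy]) -> List[str]:
    """Emit set commands for every (from_zone, lower_zone) pair.

    Denies are placed before permits (otherwise the given order is kept):
    the SRX evaluates a zone pair's policies top-down, first match wins, so a
    catch-all permit listed first would shadow every deny after it.
    """
    ordered = ([p for p in policies if p.action == "deny"]
               + [p for p in policies if p.action != "deny"])
    out: List[str] = []
    for zone in lower_zones:
        if zone == from_zone:
            continue        # intra-zone traffic is a separate policy context
        for policy in ordered:
            out.extend(policy.set_lines(from_zone, zone))
    return out


def policy_order(lines: List[str], from_zone: str, to_zone: str) -> List[str]:
    """Return the policy names emitted for one zone pair, in evaluation order.

    Useful as a pre-commit check that no permit precedes a deny; on the box
    the equivalent is 'show security policies from-zone X to-zone Y'.
    """
    prefix = f"set security policies from-zone {from_zone} to-zone {to_zone} policy "
    seen: List[str] = []
    for line in lines:
        if line.startswith(prefix):
            name = line[len(prefix):].split()[0]
            if name not in seen:
                seen.append(name)
    return seen


# Assumed zones and policies for the example.
LOWER_ZONES = ["DMZ", "untrust"]
POLICIES = [
    Policy("default-permit", "permit"),                       # the PIX default
    Policy("deny-smtp", "deny", applications=["junos-smtp"]),  # explicit exception
]

if __name__ == "__main__":
    for line in expand("blue", LOWER_ZONES, POLICIES):
        print(line)
```

The output can be pasted into configuration mode with `load set terminal` and reviewed with the `show security policies` command quoted above before committing; the deny lines come out first for each zone pair even though the permit was listed first in the input.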

Visitor
Posts: 8
Registered: ‎04-05-2011

Re: PIX TO Junos SRX translation

OK, thanks for the hint!

Distinguished Expert
Posts: 979
Registered: ‎09-10-2009

Re: PIX TO Junos SRX translation

In Juniper terminology, fix-ups are known as ALG (Application Layer Gateway).

You can find the section on ALGs in the Junos Security Configuration Guide.

-kr

---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
Visitor
Posts: 3
Registered: ‎04-05-2011

Re: PIX TO Junos SRX translation

OK, but does the ALG also pertain to Junos? As per my understanding, it seems to be related to ScreenOS only, right?

Distinguished Expert
Posts: 979
Registered: ‎09-10-2009

Re: PIX TO Junos SRX translation

ScreenOS and Junos both use ALGs.

See section 4 of the Junos Security Configuration Guide

-kr

Juniper Employee
Posts: 6
Registered: ‎11-23-2009

Re: PIX TO Junos SRX translation

Also, please be advised that you can look into hiring Juniper Networks Professional Services - Americas, as we are able to migrate from various firewall platforms such as Check Point, Cisco PIX, ASA (Single/Multi), FWSM (Single/Multi) and ScreenOS. We've also done some Cyberguards in the past if that's of interest. If this interests you or any of our customers out there, please reach out to your Juniper sales reps, who will reach back into Juniper Networks Professional Services.

- PM
New User
Posts: 2
Registered: ‎04-12-2011

Re: PIX TO Junos SRX translation

Just until you get to use the craptacular traceoptions to try and troubleshoot traffic going through the firewall.

I die a little inside every time I have to do this.