SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SSH / Web Management and Zones

    Posted 08-15-2011 08:58

    Hello,

    I have an SRX Cluster where I am trying to SSH / HTTP to it via an internal interface. At the moment I do not have zones defined, and maybe that's the reason why I see that the connection gets terminated.

    reth0.0 ----------- [SRX Cluster] ----------- reth1 (ISP)
                                                |------------------ reth2 (DMZ)

    I already have system services defined:

    set system services web-management http interface reth0.0
    set system services ssh root-login allow

    Would I need to define zones? If so, is this syntax correct?

    set security zones security-zone trust interfaces reth0.0
    set security zones security-zone untrust interfaces reth1.0
    set security zones security-zone untrust interfaces reth2.0

    Is there anything else that I may need to add to access the firewall via reth0.0 (trust)?

    Also, is there a document that explains zones?

    Thank you



  • 2.  RE: SSH / Web Management and Zones
    Best Answer

    Posted 08-15-2011 09:06

    You'll need to add SSH to "host-inbound-traffic" on that interface in that zone...

    set security zones security-zone Home interfaces reth1.100 host-inbound-traffic system-services ssh



  • 3.  RE: SSH / Web Management and Zones

    Posted 08-15-2011 11:37

    Correct me if I am wrong, but you meant:

    set security zones security-zone trust interfaces reth0.0 host-inbound-traffic system-services ssh
    set security zones security-zone trust interfaces reth0.0 host-inbound-traffic system-services http



  • 4.  RE: SSH / Web Management and Zones

    Posted 08-15-2011 11:48

    Yep, that would do it... I was just giving you the syntax. 🙂



  • 5.  RE: SSH / Web Management and Zones

    Posted 08-15-2011 23:41

    You have to put that interface into a zone!



  • 6.  RE: SSH / Web Management and Zones

    Posted 08-19-2011 12:37

    Even if they are set at system services?

    set system services web-management http interface reth0.0 port 80
    set system services ssh root-login allow

    I thought you do not need to define zones if you have it defined at the system services level, since system takes precedence over zones.



  • 7.  RE: SSH / Web Management and Zones

    Posted 08-19-2011 14:56

    @learning01 wrote:

    Even if they are set at system services?

    set system services web-management http interface reth0.0 port 80
    set system services ssh root-login allow

    I thought you do not need to define zones if you have it defined at the system services level, since system takes precedence over zones.

    If that were the case you'd not only be able to access the device internally but from your untrusted interfaces as well.



  • 8.  RE: SSH / Web Management and Zones

    Posted 08-22-2011 05:40

    You define your management options under system services. You then define, under zones, the interfaces through which you will allow management traffic. Syntax-wise you can define allowed traffic for the entire zone, or for specific interface(s) in the zone.

    user@host# set security zones security-zone trust host-inbound-traffic system-services http

    user@host# set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services https

    https will be the host-inbound traffic that will be allowed on ge-0/0/1 (only https, not http; there is no inheritance).

    Any other I/Fs in the zone will allow http management traffic.

    Also note that if you want to allow management or other system services to be done "cross zone" you will need a security policy, i.e. you want to allow a ping to be done from the "hr" zone to an interface in the "finance" zone. You allow ping on the finance zone I/F. You will then of course need a policy to allow the ping to traverse from the hr zone to finance.
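An added audit helper (example code written for this thread, not from the posts above or from Juniper): it reads a set-format SRX config and applies the rule described in this reply, zone-level host-inbound-traffic applying to every interface in the zone and an interface-level list replacing it outright, then flags management services reachable on interfaces in zones you treat as untrusted. The sample config, interface names and the zone names untrust/dmz are constructed assumptions.

```python
import re

# Constructed sample "set"-format SRX config (not from the thread): zone-level http
# for "trust", an interface-level https override on reth0.0, ssh opened on untrust.
SAMPLE_CONFIG = """
set system services ssh
set system services web-management https interface reth0.0
set security zones security-zone trust host-inbound-traffic system-services http
set security zones security-zone trust interfaces reth0.0 host-inbound-traffic system-services https
set security zones security-zone trust interfaces reth3.0
set security zones security-zone untrust interfaces reth1.0 host-inbound-traffic system-services ssh
set security zones security-zone dmz interfaces reth2.0
"""

MGMT_SERVICES = {"ssh", "http", "https", "telnet", "netconf", "xnm-clear-text", "xnm-ssl"}

# Only system-services lines are modelled; "protocols" and the "all"/"except" forms are out of scope.
ZONE_RE = re.compile(
    r"^set security zones security-zone (\S+)"
    r"(?: interfaces (\S+))?"
    r"(?: host-inbound-traffic system-services (\S+))?$"
)

def allowed_services(config):
    """Return {interface: (zone, services)} after applying the zone/interface rule."""
    zone_svcs = {}  # zone -> services allowed on every interface in the zone
    ifaces = {}     # iface -> [zone, interface's own service set or None]
    for line in config.strip().splitlines():
        m = ZONE_RE.match(line.strip())
        if not m:
            continue
        zone, iface, svc = m.groups()
        if iface is None:
            if svc:
                zone_svcs.setdefault(zone, set()).add(svc)
        else:
            entry = ifaces.setdefault(iface, [zone, None])
            if svc:
                entry[1] = (entry[1] or set()) | {svc}
    # An interface-level list replaces the zone list outright (no inheritance);
    # an interface without its own list falls back to the zone list.
    return {i: (z, set(own) if own is not None else set(zone_svcs.get(z, ())))
            for i, (z, own) in ifaces.items()}

def exposed_management(config, untrusted_zones):
    """(interface, service) pairs where management is reachable from an untrusted zone."""
    return sorted((i, s) for i, (z, svcs) in allowed_services(config).items()
                  for s in sorted(svcs) if z in untrusted_zones and s in MGMT_SERVICES)
```

Run it against `show configuration | display set` output; a non-empty result from `exposed_management` is the "reachable from your untrusted interfaces" case the previous reply warns about.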