SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Security policy between routing instances

    Posted 11-17-2015 05:07

    SRX follows a strict hierarchy when it comes to working with routing instances.


    You can assign one or more logical interfaces to a zone.

    You can also assign one or more logical interfaces to a routing instance.
    You cannot assign a logical interface to multiple zones or multiple routing instances. You must also ensure that all of a zone’s logical interfaces are in a single routing instance.


    What I'd like to know is whether it's possible to create a security policy where one zone belongs to one routing instance and the other zone belongs to a different routing instance.



  • 2.  RE: Security policy between routing instances

    Posted 11-17-2015 06:28

    Good question.  I haven't run into this situation yet, but would like to know.



  • 3.  RE: Security policy between routing instances
    Best Answer

    Posted 11-17-2015 06:49

    Yes, we can.


    ge-0/0/0 is in the default routing instance and ge-0/0/3 is in Test-VR; the policy TEST allows communication between them.

    root> show configuration | display set | match ge-0/0/0.0                    
    set security zones security-zone trust interfaces ge-0/0/0.0

    root> show configuration | display set | match ge-0/0/3.0    
    set security zones security-zone TEST interfaces ge-0/0/3.0
    set routing-instances Test-VR interface ge-0/0/3.0

     

    root> show configuration security policies | display set
    set security policies from-zone trust to-zone TEST policy TEST match source-address any
    set security policies from-zone trust to-zone TEST policy TEST match destination-address any
    set security policies from-zone trust to-zone TEST policy TEST match application any
    set security policies from-zone trust to-zone TEST policy TEST then permit
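A small checker for the rules quoted in the question, added here as an example (it is not part of the thread and not Juniper code): it parses `display set` lines like the ones above, flags an interface that appears in more than one zone or routing instance, flags a zone whose interfaces span instances, and lists permit policies whose from-zone and to-zone sit in different routing instances. The sample dump is constructed from the commands shown in the answer.

```python
import re
from collections import defaultdict

# Constructed sample: the three 'display set' snippets from the answer, merged into one dump.
SAMPLE_CONFIG = """
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone TEST interfaces ge-0/0/3.0
set routing-instances Test-VR interface ge-0/0/3.0
set security policies from-zone trust to-zone TEST policy TEST match source-address any
set security policies from-zone trust to-zone TEST policy TEST match destination-address any
set security policies from-zone trust to-zone TEST policy TEST match application any
set security policies from-zone trust to-zone TEST policy TEST then permit
"""

ZONE_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)$")
RI_RE = re.compile(r"^set routing-instances (\S+) interface (\S+)$")
POLICY_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) then permit$")

def check(config):
    """Return (violations, cross_instance_permits) for a Junos 'display set' dump."""
    iface_zones, iface_ris, zone_ifaces, permits = defaultdict(set), defaultdict(set), defaultdict(set), []
    for line in (l.strip() for l in config.strip().splitlines()):
        if m := ZONE_RE.match(line):
            iface_zones[m[2]].add(m[1])
            zone_ifaces[m[1]].add(m[2])
        elif m := RI_RE.match(line):
            iface_ris[m[2]].add(m[1])
        elif m := POLICY_RE.match(line):
            permits.append((m[1], m[2], m[3]))

    violations = []
    # Rule: a logical interface belongs to at most one zone and one routing instance.
    for iface in set(iface_zones) | set(iface_ris):
        for kind, table in (("zones", iface_zones), ("routing instances", iface_ris)):
            if len(table.get(iface, ())) > 1:
                violations.append(f"{iface} is in several {kind}: {sorted(table[iface])}")

    # An interface with no routing-instances stanza lives in the default instance.
    def ri_of(iface):
        return min(iface_ris[iface]) if iface_ris.get(iface) else "default"
    # Rule: all of a zone's interfaces must sit in a single routing instance.
    zone_ri = {}
    for zone, ifaces in zone_ifaces.items():
        ris = {ri_of(i) for i in ifaces}
        if len(ris) > 1:
            violations.append(f"zone {zone} spans routing instances {sorted(ris)}")
        zone_ri[zone] = min(ris)
    # Permit policies whose from-zone and to-zone live in different routing instances.
    cross = [p for p in permits if zone_ri.get(p[0]) != zone_ri.get(p[1])]
    return violations, cross
```

On the answer's configuration this reports no violations and one cross-instance permit, `('trust', 'TEST', 'TEST')`; note that the permit only makes the policy lookup succeed, the traffic still has to be routable between the two instances.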