SRX Services Gateway
Contributor
paulkil
Posts: 127
Registered: ‎11-05-2010

services allowed defined in interface or zone?

Hi there,

I'm new to the SRX and Junos, so trying to get my head around it.

In my company there are a number of SRX240s in production and I'm seeing some discrepancies in config.

My question is: should services allowed such as ssh, ftp, http be defined on the interface or at the zone level?

Like this:

set security zones security-zone untrust interfaces reth2.0 host-inbound-traffic system-services https

or like this:

set security zones security-zone untrust host-inbound-traffic system-services https

and what is the difference, if any?

Many thanks,

Paul

Trusted Contributor
mawr
Posts: 236
Registered: ‎06-11-2010

Re: services allowed defined in interface or zone?


It's really up to personal preference and configuration requirements.  For example, if you only wanted to allow one interface in a zone to connect to a device with SSH you'd apply it as such.  The exception to the rule is DHCP and BOOTP which need to be applied on the interface level if all protocols and services are not explicitly allowed.


http://www.juniper.net/techpubs/en_US/junos10.3/information-products/topic-collections/security/soft...


mawr
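
A small audit script that makes the difference between the two placements concrete, and that can be pointed at the "discrepancies" the original question mentions. This is an added example, not code from the thread or from Juniper. It parses Junos `set`-style commands, works out the effective host-inbound-traffic allow-list for every interface, and diffs two devices. It assumes the precedence rule described in the Junos documentation: an interface-level `host-inbound-traffic` block overrides (rather than extends) the zone-level block for that interface, and an interface with neither accepts nothing of that kind; confirm this against the documentation for the release you run. The device configurations `DEVICE_A` and `DEVICE_B` are constructed sample input, and the `except` handling reflects the `system-services all` + `<name> except` form.

```python
"""Effective host-inbound-traffic allow-list per interface from Junos set commands.

Assumption (per Junos documentation, verify for your release): an interface-level
host-inbound-traffic statement overrides the zone-level one for that interface.
"""
import re
from collections import defaultdict

# Matches both forms discussed in the thread, with an optional trailing 'except':
#   set security zones security-zone Z host-inbound-traffic system-services https
#   set security zones security-zone Z interfaces IF host-inbound-traffic system-services https
_HIT_RE = re.compile(
    r"^set security zones security-zone (?P<zone>\S+)"
    r"(?: interfaces (?P<ifc>\S+))?"
    r" host-inbound-traffic (?P<kind>system-services|protocols) (?P<name>\S+)"
    r"(?P<ex> except)?$"
)
# Plain zone membership: set security zones security-zone Z interfaces IF
_MEMBER_RE = re.compile(r"^set security zones security-zone (?P<zone>\S+) interfaces (?P<ifc>\S+)$")


def _new_rule():
    return {"allow": set(), "except": set()}


def parse_set_config(text):
    """Return (zone_rules, ifc_rules, membership).

    zone_rules[zone][kind] and ifc_rules[ifc][kind] are {'allow': set, 'except': set};
    membership maps interface -> zone.
    """
    zone_rules = defaultdict(lambda: defaultdict(_new_rule))
    ifc_rules = defaultdict(lambda: defaultdict(_new_rule))
    membership = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _MEMBER_RE.match(line)
        if m:
            membership[m["ifc"]] = m["zone"]
            continue
        m = _HIT_RE.match(line)
        if not m:
            continue  # not a host-inbound-traffic statement; ignore
        bucket = "except" if m["ex"] else "allow"
        if m["ifc"]:
            membership[m["ifc"]] = m["zone"]  # an interface-level line also places IF in Z
            ifc_rules[m["ifc"]][m["kind"]][bucket].add(m["name"])
        else:
            zone_rules[m["zone"]][m["kind"]][bucket].add(m["name"])
    return zone_rules, ifc_rules, membership


def _resolve(rule):
    """Collapse an allow/except pair into a comparable frozenset.

    'all' with exceptions is kept as {'all', '!name', ...} so two devices that
    differ only in their except lists still show up as different.
    """
    if "all" in rule["allow"]:
        return frozenset({"all"} | {"!" + n for n in rule["except"]})
    return frozenset(rule["allow"])


def effective_services(text, kind="system-services"):
    """Map every interface in the config to its effective allow-list of `kind`."""
    zone_rules, ifc_rules, membership = parse_set_config(text)
    result = {}
    for ifc, zone in membership.items():
        if ifc in ifc_rules and kind in ifc_rules[ifc]:
            result[ifc] = _resolve(ifc_rules[ifc][kind])   # interface level wins (assumption)
        elif zone in zone_rules and kind in zone_rules[zone]:
            result[ifc] = _resolve(zone_rules[zone][kind])  # inherited from the zone
        else:
            result[ifc] = frozenset()                      # nothing allowed in
    return result


def diff_devices(cfg_a, cfg_b, kind="system-services"):
    """Interfaces whose effective allow-list differs between two devices."""
    a, b = effective_services(cfg_a, kind), effective_services(cfg_b, kind)
    return {ifc: (a.get(ifc, frozenset()), b.get(ifc, frozenset()))
            for ifc in sorted(set(a) | set(b)) if a.get(ifc) != b.get(ifc)}


# Constructed sample configs (not from any real device).
DEVICE_A = """
set security zones security-zone untrust host-inbound-traffic system-services https
set security zones security-zone untrust interfaces reth2.0
set security zones security-zone untrust interfaces reth3.0 host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic system-services telnet except
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services dhcp
"""
DEVICE_B = DEVICE_A.replace(
    "set security zones security-zone untrust interfaces reth3.0 host-inbound-traffic system-services ssh",
    "set security zones security-zone untrust interfaces reth3.0",
)

if __name__ == "__main__":
    for ifc, svcs in sorted(effective_services(DEVICE_A).items()):
        print(f"{ifc:12} {sorted(svcs)}")
    print("differences:", diff_devices(DEVICE_A, DEVICE_B))
```

Note what the sample shows for reth3.0 on DEVICE_A: because it carries its own interface-level `system-services ssh`, it ends up with ssh only and does not inherit the zone's https, and ge-0/0/2.0 likewise loses the zone's `all` once `dhcp` is set on the interface. If your SRX240s were meant to behave identically, running `diff_devices` over their saved `show configuration | display set` output is a quick way to find the interfaces where they do not.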

Contributor
paulkil
Posts: 127
Registered: ‎11-05-2010

Re: services allowed defined in interface or zone?

Hey Mawr,

thanks for the great reply. I hadn't considered multiple interfaces in a zone.

Regards,

Paul
