11-09-2010 04:38 AM
Hi there,
I'm new to the SRX and JunOS, so trying to get my head around it.
In my company there are a number of SRX240s in production and I'm seeing some discrepancies in config.
My question is: should allowed services such as ssh, ftp, http be defined on the interface or at the zone level?
Like this:
set security zones security-zone untrust interfaces reth2.0 host-inbound-traffic system-services https
or like this:
set security zones security-zone untrust host-inbound-traffic system-services https
and what is the difference if any?
Many thanks,
Paul
11-09-2010 05:24 AM - edited 11-09-2010 05:25 AM
It's really up to personal preference and configuration requirements. For example, if you only wanted to allow one interface in a zone to connect to a device with SSH, you'd apply it as such. The exception to the rule is DHCP and BOOTP, which need to be applied at the interface level if all protocols and services are not explicitly allowed.
mawr
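The practical problem behind the question is auditing which services the SRX itself will accept on each interface once zone-level and interface-level host-inbound-traffic statements are mixed. The script below is an added example, not code from the thread or from Juniper: it parses set-style configuration lines like the ones quoted above, computes the effective system-services and protocols per interface, and flags interfaces in the same zone that end up with different sets (the kind of discrepancy Paul describes). The sample configuration is constructed for the example. It assumes the documented Junos precedence rule, that an interface-level host-inbound-traffic statement for a category supersedes the zone-level statements of that category for that interface, and treats the two categories independently; verify that behaviour on your release before relying on the output.

```python
"""Audit Junos SRX host-inbound-traffic from set-style config lines.

Added example; constructed sample config, not taken from a real device.
"""
import re

# Matches the three shapes of zone statement that matter here:
#   ... security-zone Z
#   ... security-zone Z interfaces IF
#   ... security-zone Z [interfaces IF] host-inbound-traffic KIND NAME [except]
SET_RE = re.compile(
    r"^set security zones security-zone (?P<zone>\S+)"
    r"(?: interfaces (?P<iface>\S+))?"
    r"(?: host-inbound-traffic (?P<kind>system-services|protocols)"
    r" (?P<name>\S+)(?P<exc> except)?)?\s*$"
)
KINDS = ("system-services", "protocols")


def _empty():
    return {k: (set(), set()) for k in KINDS}  # kind -> (allowed, excepted)


def parse_config(lines):
    """Return {zone: {"zone": {...}, "ifaces": {iface: {...}}}} from set commands."""
    zones = {}
    for raw in lines:
        m = SET_RE.match(raw.strip())
        if not m:
            continue  # screens, policies, address books etc. are ignored
        z = zones.setdefault(m["zone"], {"zone": _empty(), "ifaces": {}})
        scope = z["ifaces"].setdefault(m["iface"], _empty()) if m["iface"] else z["zone"]
        if m["kind"]:
            allow, deny = scope[m["kind"]]
            (deny if m["exc"] else allow).add(m["name"])
    return zones


def effective(zones, zone, iface, kind):
    """Effective (base, excepted) for one interface and category.

    Assumption: any interface-level statement of this kind replaces the
    zone-level statements of this kind for that interface (Junos behaviour
    as documented; confirm on your release).
    """
    z = zones[zone]
    allow, deny = z["ifaces"][iface][kind]
    if not allow and not deny:
        allow, deny = z["zone"][kind]
    if "all" in allow:
        return ("all", frozenset(deny))
    return (frozenset(allow - deny), frozenset())


def describe(eff):
    base, deny = eff
    if base == "all":
        return "all" + (f" except {','.join(sorted(deny))}" if deny else "")
    return ",".join(sorted(base)) if base else "none"


def audit(lines):
    """Per-interface effective services plus zones whose interfaces disagree."""
    zones = parse_config(lines)
    report, discrepancies = {}, []
    for zone, z in sorted(zones.items()):
        for kind in KINDS:
            seen = {}
            for iface in sorted(z["ifaces"]):
                d = describe(effective(zones, zone, iface, kind))
                report[(zone, iface, kind)] = d
                seen.setdefault(d, []).append(iface)
            if len(seen) > 1:
                discrepancies.append((zone, kind, seen))
    return report, discrepancies


# Constructed sample: untrust mixes zone-level and interface-level https/ssh,
# trust uses "all ... except" and an interface-level protocol override.
SAMPLE = """
set security zones security-zone untrust host-inbound-traffic system-services https
set security zones security-zone untrust interfaces reth2.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces reth2.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces reth3.0
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic system-services ftp except
set security zones security-zone trust host-inbound-traffic protocols ospf
set security zones security-zone trust interfaces reth1.0
set security zones security-zone trust interfaces reth0.0 host-inbound-traffic protocols bgp
set security zones security-zone trust screen untrust-screen
""".strip().splitlines()

if __name__ == "__main__":
    rep, disc = audit(SAMPLE)
    for (zone, iface, kind), d in sorted(rep.items()):
        print(f"{zone:8} {iface:8} {kind:16} {d}")
    for zone, kind, groups in disc:
        print(f"DISCREPANCY in zone {zone} ({kind}): {groups}")
```

Running it against a saved `show configuration | display set` output shows, for each interface, what the device will answer on; the discrepancy lines are where an interface-level statement has silently narrowed or widened the zone policy for one member of a zone.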
11-09-2010 09:57 AM
Hey Mawr,
thanks for the great reply. I hadn't considered multiple interfaces in a zone.
Regards,
Paul