SRX Services Gateway

Junos-Host

06-22-2017 02:42 AM

I need an expert guide regarding the junos-host zone:

Would you please provide me with examples or cases where you have to use the junos-host zone?

I figured out that I should use junos-host, for example, to regulate traffic destined to the Routing Engine, such as OSPF messages?

4 REPLIES

Re: Junos-Host

06-22-2017 02:59 AM

Correct, Junos host is the zone for traffic that is for the SRX itself.

 

You secure basic protocols using the zone configuration by allowing the desired protocols under host-inbound-traffic for the zone.  But this only allows the protocol or service as a whole.

 

If you want to secure the communications to specific addresses or ranges you will need to create security policies using the junos-host zone.  This is optional.

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home

Re: Junos-Host

06-22-2017 07:25 AM

Another use case would be, say, you wanted to SNAT host-originated traffic. For example, you could create a source NAT policy from zone junos-host to zone untrust.

Matt Dinham
Juniper Networks Ambassador

Twitter: @mattdinham
Blog: http://matt.dinham.net


Re: Junos-Host

06-22-2017 02:13 PM

The junos-host zone adds granular control over self-traffic. Check out this link:
https://forums.juniper.net/t5/SRX-Services-Gateway/Junos-host-zone-clarification/td-p/270990

Self-traffic, or host traffic, is the host-inbound traffic, that is, the traffic terminating on the device, or the host-outbound traffic, that is, the traffic originating from the device.


Re: Junos-Host

06-22-2017 08:18 PM

Hi 

 

The junos-host zone can be used to add an additional check for traffic destined to the SRX. If you don't configure any security policy to-zone junos-host, the traffic/packet will be validated based on the host-inbound-traffic configured under security zones. If you configure a security policy to-zone junos-host, that policy check will be done in addition to the host-inbound-traffic/services specified under zones.

For example, if you allow SSH/Telnet/OSPF under interface ge-0/0/0.0, but configure a security policy to-zone junos-host allowing SSH, then Telnet/OSPF won't work. Only SSH will work.

The links below can provide some more details.

 

http://kb.juniper.net/InfoCenter/index?page=content&id=KB24227

http://forums.juniper.net/t5/SRX-Services-Gateway/JUNOS-HOST-zone-vs-lo0-filter/td-p/146916

 

Thanks,
Anand
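
Added example (not part of the thread and not posted by any of its participants): the SSH/Telnet/OSPF case from the last reply, combined with the per-address restriction from the first reply, written as Junos set commands. The zone name `trust`, the address-book entry `MGMT-NET` with its 192.0.2.0/24 documentation range, and both policy names are assumptions made for illustration; only ge-0/0/0.0 and the junos-host zone come from the thread.

```junos
# Constructed example. Zone "trust", MGMT-NET and the policy names are
# placeholders; adapt them to the actual zone and management range.

# Coarse control: host-inbound-traffic admits each service as a whole,
# from any source that reaches the SRX through this interface.
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic protocols ospf

# Address object for the hosts allowed to manage the device (placeholder range).
set security address-book global address MGMT-NET 192.0.2.0/24

# Second check: a policy to-zone junos-host is evaluated in addition to
# host-inbound-traffic. Only SSH from MGMT-NET is permitted to the SRX.
set security policies from-zone trust to-zone junos-host policy allow-ssh-from-mgmt match source-address MGMT-NET
set security policies from-zone trust to-zone junos-host policy allow-ssh-from-mgmt match destination-address any
set security policies from-zone trust to-zone junos-host policy allow-ssh-from-mgmt match application junos-ssh
set security policies from-zone trust to-zone junos-host policy allow-ssh-from-mgmt then permit

# Explicit final deny with logging, so dropped self-traffic is visible.
# Telnet and OSPF to the SRX stop here although host-inbound-traffic
# still lists them; SSH from outside MGMT-NET is dropped as well.
set security policies from-zone trust to-zone junos-host policy deny-other-self-traffic match source-address any destination-address any application any
set security policies from-zone trust to-zone junos-host policy deny-other-self-traffic then deny
set security policies from-zone trust to-zone junos-host policy deny-other-self-traffic then log session-init

# After commit, review the resulting context from operational mode with:
#   show security policies from-zone trust to-zone junos-host
```

If OSPF adjacencies on ge-0/0/0.0 must keep working, add a permit policy for OSPF ahead of the final deny before committing.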