another update.....
Further testing brought up more limitations of the above example: any additional servers behind the L3 DMZ zone wouldn't work. Not sure what was wrong, and we were running out of time.
So now we have ultimately gone back to a mixed-mode setup in which we still have a L3 zone/interface combo for the untrust zone and trust zone while also having 2 switchports on the SRX configured in the same access vlan in the SRX and each physical interface in a layer2 zone. The uplink to the physical switchports for the L2 interfaces are configured in different access vlans as well.
This configuration required 4 interfaces on the SRX, with one in each zone: 2 L3 interfaces/zones (untrust/trust) and 2 L2 interfaces/zones (untrust-L2 and dmz-L2). The servers in our L2 DMZ zone are in the same subnet as the SRX interface configured in our L3 untrust zone.
We can create security policies referencing the L2 zones and then separate policies referencing the L3 zones. Note: you cannot have security policies between an L2 and an L3 zone. If you attempt to configure policies between L2 and L3 zones you will get the following message on commit: "from-zone (dmz-L2) and to-zone (untrust) must be both L2 or L3 zones"
Since the layer 2 zones/interfaces couldn't do any routing and we didn't want to dual-home the DMZ servers, we had to configure static host routes on the DMZ servers pointing at the untrust interface IP for some ancillary services that resided behind the trust zone. The default gateway for the DMZ servers was the upstream router provided by the ISP. Note: because of the above limitation with security policies between L2 and L3 zones, for DMZ server communication to a service in the trust zone the security policies must be configured from untrust to trust (the L3 zones), not from dmz-L2.
With the below mock config, you can create a similar setup to the Sonicwall L2 to L3 bridging interfaces/zones feature.
user@srx300> show configuration protocols l2-learning
/* Mixed mode: lets the L2 (family ethernet-switching) interfaces ge-0/0/2 and ge-0/0/3
   coexist with the routed (family inet) interfaces ge-0/0/0 and ge-0/0/1 on the same SRX,
   which is what the bridged DMZ design described above depends on. */
global-mode transparent-bridge;
user@srx300> show configuration interfaces
/* L3 WAN (untrust) interface; the address is redacted in the post. Per the text above, the
   DMZ servers sit in this interface's subnet, and DMZ-to-trust traffic re-enters the SRX here. */
ge-0/0/0 {
    unit 0 {
        family inet {
            address x.x.x.x/x;
        }
    }
}
/* L3 trunk toward the inside network. unit 45 is bound to the trust zone below; unit 40 is
   not referenced by any security zone in the shown output. An SRX interface that belongs to
   no zone generally passes no transit traffic, so either that zone stanza was trimmed from
   the post or unit 40 is unused — TODO confirm. */
ge-0/0/1 {
    flexible-vlan-tagging;
    native-vlan-id 1;
    /* unit 0 is administratively disabled; vlan-id 3967 with a bare "family inet" looks like a
       placeholder so that the native VLAN carries no L3 service — confirm intent. */
    unit 0 {
        disable;
        vlan-id 3967;
        family inet;
    }
    unit 40 {
        vlan-id 40;
        family inet {
            address x.x.x.x/x;
        }
    }
    /* Trust-zone subinterface (see security-zone trust). */
    unit 45 {
        vlan-id 45;
        family inet {
            address x.x.x.x/x;
        }
    }
}
/* L2 WAN-side uplink, bound to zone untrust-L2. It is an access port in dmzvlan, the same VLAN
   as ge-0/0/3, which is what bridges the two; per the post, the upstream switchports for the
   two uplinks are in different access VLANs so the bridge is the only path between them. */
ge-0/0/2 {
    description "L2 WAN Uplink";
    enable;
    unit 0 {
        family ethernet-switching {
            interface-mode access;
            vlan {
                members dmzvlan;
            }
        }
    }
}
/* L2 DMZ-side uplink, bound to zone dmz-L2. Same access VLAN (dmzvlan) as ge-0/0/2, so frames
   between the DMZ servers and the WAN side are bridged through the SRX and are subject to the
   untrust-L2 <-> dmz-L2 policies below. */
ge-0/0/3 {
    description "L2 DMZ Uplink";
    enable;
    unit 0 {
        family ethernet-switching {
            interface-mode access;
            vlan {
                members dmzvlan;
            }
        }
    }
}
/* Unused port kept administratively disabled, so nothing plugged into it gets link or a zone. */
ge-0/0/4 {
    disable;
}
user@srx300> show configuration security zones
/* L3 WAN zone. The untrust-screen profile is attached but its contents are not shown here.
   host-inbound-traffic opens ping plus the https/ssh/snmp management services on the
   Internet-facing interface ge-0/0/0.0; unless a source restriction exists elsewhere (a
   firewall filter or system-services settings not included in this post), any host that
   can reach this interface can attempt to connect to them — worth confirming. */
security-zone untrust {
    screen untrust-screen;
    interfaces {
        ge-0/0/0.0 {
            host-inbound-traffic {
                system-services {
                    ping;
                    https;
                    ssh;
                    snmp;
                }
            }
        }
    }
}
/* L3 inside zone on ge-0/0/1.45. No screen is attached; ping/https/ssh are allowed to the SRX
   itself from this interface (no snmp, unlike the untrust zone). */
security-zone trust {
    interfaces {
        ge-0/0/1.45 {
            host-inbound-traffic {
                system-services {
                    ping;
                    https;
                    ssh;
                }
            }
        }
    }
}
/* L2 WAN-side zone holding the bridged uplink ge-0/0/2.0; reuses the untrust-screen profile.
   No host-inbound-traffic is configured, so per the shown config the SRX itself is not
   reachable through this port. */
security-zone untrust-L2 {
    screen untrust-screen;
    interfaces {
        ge-0/0/2.0;
    }
}
/* L2 DMZ zone holding the bridged uplink ge-0/0/3.0. No screen is attached here, unlike the
   two untrust zones; if the DMZ hosts are considered exposed, attaching a screen to this zone
   as well is a decision the post does not show. */
security-zone dmz-L2 {
    interfaces {
        ge-0/0/3.0;
    }
}
user@srx300> show configuration security policies
/* DMZ server -> trust service. Because policies between an L2 and an L3 zone are rejected at
   commit (see the post), this traffic has to arrive through the L3 untrust zone, so the permit
   keys only on source-address dmzserver as seen on ge-0/0/0.0. Anything presenting that
   address from the WAN side would match as well unless untrust-screen (contents not shown)
   or another anti-spoofing control rejects it — worth confirming. Address-book objects
   (dmzserver, trustserver) and the application trustserverapp are not shown in the post. */
from-zone untrust to-zone trust {
    policy untrust-to-trust-allow {
        match {
            source-address dmzserver;
            destination-address trustserver;
            application trustserverapp;
        }
        then {
            permit;
            /* Logged at session close so byte/packet counts are captured. */
            log {
                session-close;
            }
        }
    }
    /* Explicit catch-all deny, logged at session init, so rejected attempts are visible rather
       than silently dropped by default-policy. */
    policy untrust-to-trust-deny {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            deny;
            log {
                session-init;
            }
        }
    }
}
/* Inside -> WAN. Outbound access is limited to the trustallow sources, untrustPermittedDests
   destinations and untrustPermittedApps applications (address-book and application definitions
   not shown), followed by an explicit logged deny. */
from-zone trust to-zone untrust {
    policy trust-to-untrust-Allow {
        match {
            source-address trustallow;
            destination-address untrustPermittedDests;
            application untrustPermittedApps;
        }
        then {
            permit;
            log {
                session-close;
            }
        }
    }
    /* Catch-all deny for this zone pair, logged at session init. */
    policy trust-to-untrust-deny {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            deny;
            log {
                session-init;
            }
        }
    }
}
/* WAN -> DMZ over the bridged L2 pair. Inbound exposure of the DMZ servers is bounded to
   untrustSourceAllow / dmzserver / permittedDMZApps (definitions not shown). */
from-zone untrust-L2 to-zone dmz-L2 {
    /* The missing space before "{" and the naming (untrust-to-dmz vs untrustL2-to-dmzL2 in the
       deny below) look like transcription artifacts in the post; Junos CLI output would not
       print the name that way. */
    policy untrust-to-dmz-allow{
        match {
            source-address untrustSourceAllow;
            destination-address dmzserver;
            application permittedDMZApps;
        }
        then {
            permit;
            log {
                session-close;
            }
        }
    }
    /* Catch-all deny for this zone pair, logged at session init. */
    policy untrustL2-to-dmzL2-deny {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            deny;
            log {
                session-init;
            }
        }
    }
}
/* DMZ -> WAN over the bridged L2 pair. Egress from the DMZ servers is restricted to
   permittedUntrustDests / permittedUntrustApps (definitions not shown); per the post, DMZ
   traffic bound for the trust zone also leaves through this pair before re-entering on the L3
   untrust interface, so those destinations must be permitted here as well. */
from-zone dmz-L2 to-zone untrust-L2 {
    policy dmzL2-to-untrustL2-allow {
        match {
            source-address dmzserver;
            destination-address permittedUntrustDests;
            application permittedUntrustApps;
        }
        then {
            permit;
            log {
                session-close;
            }
        }
    }
    /* Catch-all deny for this zone pair, logged at session init. */
    policy dmzL2-to-untrustL2-deny {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            deny;
            log {
                session-init;
            }
        }
    }
}
/* Applies to any zone pair without an explicit policy set above (for example trust <-> dmz-L2).
   The per-pair deny policies exist on top of this so that drops are logged. */
default-policy {
    deny-all;
}
user@srx300> show configuration routing-options static
/* Default route via the ISP router; the DMZ server example below uses the same 1.1.1.1 as its
   gateway, so only the host route for the trusted network points at the SRX. */
route 0.0.0.0/0 next-hop 1.1.1.1;
DMZ Server example:
IP: 1.1.1.3
GW: 1.1.1.1
Route: trustednetwork next-hop 1.1.1.2 (the SRX untrust interface, so that traffic for the trust zone enters the L3 untrust zone rather than following the default gateway)