
Zones, Policies, and ACLs




1. Security Zones: 


set security zones security-zone newzone host-inbound-traffic system-services ping
set security zones security-zone newzone interfaces ge-0/0/5.0
set security zones security-zone newzone interfaces ge-0/0/6.0
or 
security {
    zones {
        security-zone newzone {
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                ge-0/0/5.0;
                ge-0/0/6.0;
            }
        }
    }
}

where
  • host-inbound-traffic: says what kind of traffic is allowed TO (not through) this device, i.e. traffic terminating on the SRX itself rather than flows forwarded between zones

2. Address Book: 

set security zones security-zone untrust address-book address office1 5.5.5.5/32
set security zones security-zone untrust address-book address dc1 8.1.1.0/24
set security zones security-zone untrust address-book address-set friendlys address office1
set security zones security-zone untrust address-book address-set friendlys address dc1
or
security {
    zones {
        security-zone untrust {
            address-book {
                address office1 5.5.5.5/32;
                address dc1 8.1.1.0/24;
                address-set friendlys {
                    address office1;
                    address dc1;
                }
            }
        }
    }
}

where 
  • "friendlys" is an alias to 5.5.5.5/32 and 8.1.1.0/24   

set security zones security-zone newzone address-book address web1 10.0.0.1/32
set security zones security-zone newzone address-book address web2 10.0.0.2/32
set security zones security-zone newzone address-book address app1 10.0.1.1/32
set security zones security-zone newzone address-book address app2 10.0.1.2/32
set security zones security-zone newzone address-book address-set webTier address web1
set security zones security-zone newzone address-book address-set webTier address web2
set security zones security-zone newzone address-book address-set appTier address app1
set security zones security-zone newzone address-book address-set appTier address app2

or
security {
    zones {
        security-zone newzone {
            address-book {
                address web1 10.0.0.1/32;
                address web2 10.0.0.2/32;
                address app1 10.0.1.1/32;
                address app2 10.0.1.2/32;
                address-set webTier {
                    address web1;
                    address web2;
                }
                address-set appTier {
                    address app1;
                    address app2;
                }
            }
        }
    }
}

where
  • "webTier" is an alias for 10.0.0.1/32 and 10.0.0.2/32, and "appTier" for 10.0.1.1/32 and 10.0.1.2/32

3. Application Policy: 

Combining current applications into a single one: 

set applications application-set webStuff application junos-ping
set applications application-set webStuff application junos-http
set applications application-set webStuff application junos-https
or 
applications {
    application-set webStuff {
        application junos-ping;
        application junos-http;
        application junos-https;
    }
}

  • where the "junos-" applications are pre-canned and grouped into a new service called "webStuff"


Creating your own application:

set applications application gate-app protocol tcp
set applications application gate-app source-port 1024-65535
set applications application gate-app destination-port 8443
or 
applications {
    application gate-app {
        protocol tcp;
        source-port 1024-65535;
        destination-port 8443;
    }
}

  • where "gate-app" is a flow over TCP from source ports 1024-65535 to destination port 8443


4. Policy: 


set security policies from-zone untrust to-zone newzone policy allowUsers match source-address friendlys
set security policies from-zone untrust to-zone newzone policy allowUsers match destination-address webTier
set security policies from-zone untrust to-zone newzone policy allowUsers match application webStuff
set security policies from-zone untrust to-zone newzone policy allowUsers then permit
set security policies from-zone untrust to-zone newzone policy allowUsers then count
and

set security policies from-zone newzone to-zone newzone policy backend match source-address webTier
set security policies from-zone newzone to-zone newzone policy backend match destination-address appTier
set security policies from-zone newzone to-zone newzone policy backend match application gate-app
set security policies from-zone newzone to-zone newzone policy backend then permit
set security policies from-zone newzone to-zone newzone policy backend then count
or
security {
    policies {
        from-zone untrust to-zone newzone {
            policy allowUsers {
                match {
                    source-address friendlys;
                    destination-address webTier;
                    application webStuff;
                }
                then {
                    permit;
                    count;
                }
            }
        }
        from-zone newzone to-zone newzone {
            policy backend {
                match {
                    source-address webTier;
                    destination-address appTier;
                    application gate-app;
                }
                then {
                    permit;
                    count;
                }
            }
        }
    }
}
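As an added example (not from the original page), a small Python model of the address books, application sets and policies configured above, which answers the question a practitioner asks after committing them: which policy, if any, would a given flow hit, and in which direction? The port definitions of the predefined junos-* applications and the deny-all default policy are assumptions of the model.

```python
import ipaddress
# Constructed model of this page's configuration (assumed; not exported from an SRX).
ADDRESSES = {
    "untrust": {"office1": "5.5.5.5/32", "dc1": "8.1.1.0/24"},
    "newzone": {"web1": "10.0.0.1/32", "web2": "10.0.0.2/32",
                "app1": "10.0.1.1/32", "app2": "10.0.1.2/32"},
}
ADDRESS_SETS = {
    "untrust": {"friendlys": ["office1", "dc1"]},
    "newzone": {"webTier": ["web1", "web2"], "appTier": ["app1", "app2"]},
}
# Applications: (protocol, source ports, destination ports); None = any. junos-* ports are assumed.
APPLICATIONS = {
    "junos-ping": ("icmp", None, None),
    "junos-http": ("tcp", None, (80, 80)),
    "junos-https": ("tcp", None, (443, 443)),
    "gate-app": ("tcp", (1024, 65535), (8443, 8443)),
}
APPLICATION_SETS = {"webStuff": ["junos-ping", "junos-http", "junos-https"]}
# (from-zone, to-zone, name, source-address, destination-address, application, action)
POLICIES = [
    ("untrust", "newzone", "allowUsers", "friendlys", "webTier", "webStuff", "permit"),
    ("newzone", "newzone", "backend", "webTier", "appTier", "gate-app", "permit"),
]

def expand(sets, members, name):
    """Recursively resolve an address-set or application-set name to its members."""
    if name in sets:
        return [x for m in sets[name] for x in expand(sets, members, m)]
    return [members[name]]

def contains(zone, name, ip):
    """True if the zone-scoped address or address-set covers ip."""
    nets = expand(ADDRESS_SETS.get(zone, {}), ADDRESSES[zone], name)
    return any(ip in ipaddress.ip_network(n) for n in nets)

def in_range(port, rng):
    return rng is None or rng[0] <= port <= rng[1]

def match_policy(from_zone, to_zone, src_ip, dst_ip, proto, sport, dport):
    """First policy (name, action) a flow matches, in configured order; a flow that
    matches none hits the default policy, which is deny-all on a stock SRX (assumed)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for fz, tz, name, s, d, app, action in POLICIES:
        if (fz, tz) != (from_zone, to_zone) or not contains(fz, s, src) \
                or not contains(tz, d, dst):
            continue
        for proto_, s_rng, d_rng in expand(APPLICATION_SETS, APPLICATIONS, app):
            if proto_ == proto and in_range(sport, s_rng) and in_range(dport, d_rng):
                return name, action
    return "default-policy", "deny"
```

Note that the model reproduces two properties of the real policy lookup worth checking on a box: policies are directional (app tier to web tier is not covered by "backend"), and a custom application's source-port range is part of the match, so a client using a low source port falls through to the default deny.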
