Juniper Basic ZONE Configuration


First you must declare zone information on any Juniper firewall device. Here I describe the two basic zone types, trust and untrust, in the simplest way.

Basically, the TRUST zone is your LAN side
and the UNTRUST zone is your WAN side.

First, you need to configure the permission level from TRUST to UNTRUST, that is, from the LAN to the WAN network.
Here I use any for the source address, the destination address and the application.
You can also configure a separate policy with a fixed source address, destination address and application.

Here the policy name is “trust-to-untrust”; you can give it any name.

# set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
# set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
# set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
# set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit

Second, you need to configure the permission level from TRUST to TRUST, that is, from the LAN to the LAN network.
Here I use any for the source address, the destination address and the application.
You can also configure a separate policy with a fixed source address, destination address and application.

Here the policy name is “trust-to-trust”; you can give it any name.

# set security policies from-zone trust to-zone trust policy trust-to-trust match source-address any
# set security policies from-zone trust to-zone trust policy trust-to-trust match destination-address any
# set security policies from-zone trust to-zone trust policy trust-to-trust match application any
# set security policies from-zone trust to-zone trust policy trust-to-trust then permit

Third, you need to configure the permission level from UNTRUST to TRUST, that is, from the WAN to the LAN network.
Here I use any for the source address, the destination address and the application.
You can also configure a separate policy with a fixed source address, destination address and application.

Here the policy name is “untrust-to-trust”; you can give it any name.

# set security policies from-zone untrust to-zone trust policy untrust-to-trust match source-address any
# set security policies from-zone untrust to-zone trust policy untrust-to-trust match destination-address any
# set security policies from-zone untrust to-zone trust policy untrust-to-trust match application any
# set security policies from-zone untrust to-zone trust policy untrust-to-trust then permit

Now you need to configure the security zone TRUST and its allowed interface.
Here I declare the TRUST zone with host-inbound traffic for all system services and all protocols.
You can declare only your desired services and protocols instead.

I assigned interface ge-0/0/0 to the TRUST zone.

# set security zones security-zone trust host-inbound-traffic system-services all
# set security zones security-zone trust host-inbound-traffic protocols all
# set security zones security-zone trust interfaces ge-0/0/0

Next you need to configure the security zone UNTRUST and its allowed interface.
Here I declare the UNTRUST zone with host-inbound traffic for all system services and all protocols.
You can declare only your desired services and protocols instead.

I assigned interface ge-0/0/3 to the UNTRUST zone.

# set security zones security-zone untrust host-inbound-traffic system-services all
# set security zones security-zone untrust host-inbound-traffic protocols all
# set security zones security-zone untrust interfaces ge-0/0/3

The resulting configuration looks like this:

# show security
zones {
    security-zone trust {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            ge-0/0/0;
        }
    }
    security-zone untrust {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
        interfaces {
            ge-0/0/3;
        }
    }
}
policies {
    from-zone trust to-zone untrust {
        policy trust-to-untrust {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone trust to-zone trust {
        policy trust-to-trust {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone untrust to-zone trust {
        policy untrust-to-trust {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
}
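As an added example (not part of the original post), here is a small Python audit that parses set-style commands like the ones above and flags the two settings a defender would review before committing: an any/any/any permit from untrust into trust, and host-inbound-traffic system-services all on the untrust zone. The sample configuration inside is constructed from this page's commands; the zone names treated as trusted and untrusted are assumptions passed as parameters.

```python
import re
from collections import defaultdict
# Constructed sample in the set-command form this page uses (not a real device dump).
SAMPLE_CONFIG = """
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set security policies from-zone untrust to-zone trust policy untrust-to-trust match source-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust match destination-address any
set security policies from-zone untrust to-zone trust policy untrust-to-trust match application any
set security policies from-zone untrust to-zone trust policy untrust-to-trust then permit
set security zones security-zone untrust host-inbound-traffic system-services all
set security zones security-zone untrust interfaces ge-0/0/3
"""
POLICY_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
                       r"(?:match (source-address|destination-address|application) (\S+)|then (\S+))$")
ZONE_RE = re.compile(r"^set security zones security-zone (\S+) host-inbound-traffic "
                     r"(system-services|protocols) (\S+)$")

def parse_set_commands(text):
    """Return ({(from, to, name): {'match': {field: set}, 'then': action}}, {zone: {field: set}})."""
    policies, zones = {}, defaultdict(dict)
    for line in text.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            pol = policies.setdefault(m.group(1, 2, 3), {"match": {}, "then": None})
            if m.group(4):  # match clause: collect the values given for this field
                pol["match"].setdefault(m.group(4), set()).add(m.group(5))
            else:           # then clause: permit / deny / reject
                pol["then"] = m.group(6)
            continue
        z = ZONE_RE.match(line.strip())
        if z:
            zones[z.group(1)].setdefault(z.group(2), set()).add(z.group(3))
    return policies, zones

def audit(policies, zones, untrusted=("untrust",), trusted=("trust",)):
    """Flag any/any/any permits into a trusted zone and 'all' host-inbound services on untrusted zones."""
    findings = []
    for (src, dst, name), pol in policies.items():
        wide_open = all("any" in pol["match"].get(f, ())
                        for f in ("source-address", "destination-address", "application"))
        if src in untrusted and dst in trusted and pol["then"] == "permit" and wide_open:
            findings.append(f"policy {name}: permits any/any/any from {src} to {dst}")
    for zone, inbound in zones.items():
        if zone in untrusted and "all" in inbound.get("system-services", ()):
            findings.append(f"zone {zone}: host-inbound-traffic system-services all on untrusted zone")
    return findings
```

Run `audit(*parse_set_commands(SAMPLE_CONFIG))` to get the list of findings; the trust-to-untrust policy is not flagged, the untrust-to-trust policy and the untrust zone are.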