Managing the System

The SRX uses the concept of nested security zones. Zones are a critical concept in SRX configuration. The SRX is not the same as a router, and that point is immediately obvious after initial configuration of users and interfaces. Unlike routers, the SRX is a locked-down device. You can't even ping an interface on the SRX initially, even if it has a valid IP address. No traffic goes in or out unless the security zones are configured properly on the SRX interfaces.

Security zones

To configure a security zone, you associate the interface with a security zone, and then the security zone is bound to a routing instance (if there are multiple routing instances). Figure 12-2 shows the relationship between interfaces and zones on the SRX.

It sounds complicated, but it's not. First, you configure the zones and then you associate the interfaces with the zones. Here, we're assuming that you're using only one routing instance. You can configure a zone with more than one interface. However, each interface can belong to only one zone.

Figure 12-2: SRX interfaces and zones.

Security zones and interfaces

Now, establish two security zones for a simple SRX configuration. One zone is for a local LAN called admins (administration) on interface ge-0/0/0.0, and the other zone is for two links to the Internet called untrust with interfaces ge-0/0/1.0 and ge-0/0/2.0 ...
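As an added example (not the book's own listing), here is the two-zone configuration described above in Junos hierarchical format, assuming the single routing instance the text assumes; the choice to let the SRX answer ping and SSH only from the admins zone is this example's assumption, and it is what makes the interface reachable after the zone binding explained earlier.

```junos
security {
    zones {
        /* LAN zone: the SRX itself answers ping and SSH only from admins */
        security-zone admins {
            host-inbound-traffic {
                system-services {
                    ping;
                    ssh;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
        /* Internet-facing zone: no host-inbound-traffic, so the SRX
           answers neither ping nor management requests on these links */
        security-zone untrust {
            interfaces {
                ge-0/0/1.0;
                ge-0/0/2.0;
            }
        }
    }
}
```

After `commit`, `show security zones` lists each zone with its bound interfaces and allowed host-inbound services; an interface that appears in no zone is why a valid IP address still does not answer ping.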

Get Junos® OS For Dummies®, 2nd Edition now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.