http://junosgeek.blogspot.in/2013_08_01_archive.html
The entire line of SRX platforms uses JUNOS, a very powerful networking platform that consolidates switching, routing, security and applications into a single OS. JUNOS is very different from ScreenOS and, as such, will place a significant migration burden on Juniper, their customers and their partners.
SRX firewalls provide a wide variety of services such as static packet filtering, IDS/IPS, anomaly detection, VPN services, dynamic/stateful filtering and proxy server/ALG (Application Layer Gateway).
Session Maintenance
When a packet enters the system and does not match any existing session, the Junos OS creates a new session based on routing and security policy information. Once this new session is created, the software puts it into a session hash table for further packet matching and processing. Depending on the protocol and service (TCP or UDP), the session is programmed with a default timeout. The default TCP timeout is 30 minutes and the default UDP timeout is 1 minute.
Session Cleanup
If no traffic matches the session during the service timeout, the Junos OS ages out the session and frees it to a common resource pool for later reuse.
Firewall rules, also called security policies, are methods of filtering and logging traffic in the network. Juniper firewalls are capable of filtering traffic based on source/destination IP addresses and port numbers. Juniper SRX series firewall products provide firewall solutions from SOHO networks to large corporate networks. The SRX firewall inspects each packet passing through the device. You can configure firewall rules in Juniper SRX using the command line or the GUI console. Here, I will use the command line to demonstrate firewall rule creation.
Before configuring firewall rules, there are some basic terms that are necessary to understand. The elements of Juniper firewall rules are:
1. Security Zones: Security zones are logical boundaries. Each interface is assigned to a security zone. The interface connected to the Internet is usually named the Untrust Zone, and the interface connected to the internal network is usually called the Trust Zone. These zones are user defined. You can create a zone named Accounting Zone for the firewall interface connected to the accounting switch, and so on. Firewall policies (rules) need the source zone and destination zone defined before the firewall rule itself is defined.
2. Policy: This is the policy name that is used to define the firewall rule (policy). For example, if I want to allow traffic from the Untrust Zone to the Trust Zone then I would name my policy Internet Rule or Internet Policy. Note: what Cisco calls a firewall rule, Juniper calls a security policy; they are basically the same thing.
3. IP Address: IP addresses define the source network or hosts and the destination network or hosts. These source and destination addresses are used to match the condition. For example, a policy named My Policy matches a source address of x.x.x.x/x and a destination address of y.y.y.y/y; then we define a condition to allow or block the traffic. Address books are created in zones so that addresses can be matched in the rule.
4. Application: This is the protocol or service that is allowed/denied by the rule. For example, http, https, FTP, etc. can be defined as match conditions. Source address, destination address and application are mandatory match conditions.
5. Condition: Conditions specify whether to allow or deny the traffic. Various conditions can be defined, such as permit, deny, log, reject and count. For example, if a policy named My Policy matches a source address of x.x.x.x/x, a destination address of y.y.y.y/y and the application FTP, then we can define a condition to permit and log the traffic.
Type the following command in the [edit security zones] hierarchy. We need to assign interface ge-0/0/1 to Untrust-Zone and interface ge-0/0/0 to Trust-Zone. The command is: set security-zone <Zone Name> interfaces <interface name>.
You can see the configured security zones by typing the show command under the [edit security zones] hierarchy.
Step 2: Create Address Book in Trust Zone
To match source and destination IP addresses in the firewall rule we need to create an address book. We can't simply type an IP address in the rule. We need to create an address book entry for the Mail Server that we have in the Trust-Zone. To create the address, type the following command in the [edit security zones security-zone Trust-Zone] hierarchy: set address-book address <Address-Name> <IP-Address>.
You can type the show command to view the configuration for Trust-Zone so far. We can see the address book and the interface in this zone in the screenshot shown below.
Step 4: Create Firewall Rule to Allow Traffic from Internet destined for Mail Server
We need to create a firewall rule for traffic coming from Untrust-Zone to Trust-Zone, so we have to be in the [edit security policies from-zone Untrust-Zone to-zone Trust-Zone] hierarchy. Since the traffic is coming from Untrust-Zone, we need to match any source-address and a destination-address of MailServer, then specify the condition.
Now, let's specify the condition. We want to permit the traffic and log each session.
To view the firewall rule, type the show command in the same hierarchy.
Similarly, you can create a firewall rule to pass any traffic from Trust-Zone to Untrust-Zone.
In this way you can configure firewall rules in a Juniper SRX firewall. You can configure logs to view traffic for the Mail Server.
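The whole procedure above in Junos set-command form, as an added example that is not from the original post: it covers the zone bindings, the address book entry, the inbound Untrust-Zone to Trust-Zone rule and the outbound Trust-Zone to Untrust-Zone rule, and it also ties in the session-timeout section at the top by giving the permitted application its own inactivity timeout. Zone and interface names are the post's; the mail server address 192.0.2.25, the policy names and the application name are assumed. Lines beginning with # are explanation only and are not typed into the CLI.

```junos
# Added example, not the original post's configuration. Zone/interface names
# follow the post; 192.0.2.25, policy names and the application name are assumed.

# Step 1: bind each interface (logical unit .0) to its zone
set security zones security-zone Untrust-Zone interfaces ge-0/0/1.0
set security zones security-zone Trust-Zone interfaces ge-0/0/0.0

# Step 2: address book entry for the mail server, created inside Trust-Zone
set security zones security-zone Trust-Zone address-book address MailServer 192.0.2.25/32

# Custom SMTP application: sessions idle out after 600 seconds instead of the
# 30-minute TCP default described under "Session Maintenance"
set applications application smtp-short-idle protocol tcp
set applications application smtp-short-idle destination-port 25
set applications application smtp-short-idle inactivity-timeout 600

# Step 4: inbound rule, Untrust-Zone -> Trust-Zone, only SMTP to the mail server,
# permitted, logged at session start and end, and counted
set security policies from-zone Untrust-Zone to-zone Trust-Zone policy Internet-Policy match source-address any
set security policies from-zone Untrust-Zone to-zone Trust-Zone policy Internet-Policy match destination-address MailServer
set security policies from-zone Untrust-Zone to-zone Trust-Zone policy Internet-Policy match application smtp-short-idle
set security policies from-zone Untrust-Zone to-zone Trust-Zone policy Internet-Policy then permit
set security policies from-zone Untrust-Zone to-zone Trust-Zone policy Internet-Policy then log session-init
set security policies from-zone Untrust-Zone to-zone Trust-Zone policy Internet-Policy then log session-close
set security policies from-zone Untrust-Zone to-zone Trust-Zone policy Internet-Policy then count

# Outbound rule, Trust-Zone -> Untrust-Zone, any traffic, as the post describes
set security policies from-zone Trust-Zone to-zone Untrust-Zone policy Outbound-Policy match source-address any
set security policies from-zone Trust-Zone to-zone Untrust-Zone policy Outbound-Policy match destination-address any
set security policies from-zone Trust-Zone to-zone Untrust-Zone policy Outbound-Policy match application any
set security policies from-zone Trust-Zone to-zone Untrust-Zone policy Outbound-Policy then permit
set security policies from-zone Trust-Zone to-zone Untrust-Zone policy Outbound-Policy then log session-init

# Validate the candidate configuration, then activate it
commit check
commit and-quit
```

Policies in a zone pair are evaluated top-down with first match winning, and traffic matching no policy falls to the default deny, so the inbound rule above admits SMTP to the mail server and nothing else from the Internet. From operational mode, show security policies lists the rules and show security flow session destination-prefix 192.0.2.25 shows the sessions the inbound rule creates, including their remaining timeout.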
[edit]
root@SW1# set interfaces me0 unit 0 family inet address 172.16.22.121/24
[edit]
root@SW1# set system services web-management https interface me0.0
[edit]
root@SW1# set system services web-management https system-generated-certificate
[edit]
root@SW1# commit and-quit
commit complete
Exiting configuration mode
root@SW1>
Verify access to the Web Manager from your desktop.