

https://www.juniper.net/techpubs/en_US/vsrx15.1x49/topics/task/configuration/security-vsrx-cli-configuring.html





3 interfaces:


1- management: usually fxp0 (in this case ge-0/0/2)  192.168.70.21/24

2- trusted zone: ge-0/0/1     10.0.0.21/24 (note: the set commands below assign 11.0.0.21/24 and 11.0.0.22/24 to ge-0/0/1, while the captured default configuration shows 10.0.0.22/24; confirm which addressing is intended before applying)

3- untrusted zone: ge-0/0/0         1.2.3.21/24




Basic Configuration for management in vSRX1 (web-management is enabled over plain http below; prefer `web-management https` unless the management network is isolated):



set system host-name vsrx1

set system services web-management http interface ge-0/0/2.0


#Add the IP addresses:

set interfaces ge-0/0/0 description "to unstrusted zone"

set interfaces ge-0/0/0 gigether-options no-auto-negotiation

set interfaces ge-0/0/0 unit 0 family inet address 1.2.3.21/24

set interfaces ge-0/0/1 description "to trusted zone"

set interfaces ge-0/0/1 gigether-options no-auto-negotiation

set interfaces ge-0/0/1 unit 0 family inet address 11.0.0.21/24


set interfaces ge-0/0/2 description "to management"

set interfaces ge-0/0/2 gigether-options no-auto-negotiation

set interfaces ge-0/0/2 unit 0 family inet address 192.168.70.21/24


#Create the management zone (host-inbound-traffic system-services all opens every service on the management interface; restrict it to ssh, http/https and ping if the management network is not fully trusted):

set security zones functional-zone management interfaces ge-0/0/2.0

set security zones functional-zone management host-inbound-traffic system-services all


#Add the interface to the trusted zone:

set security zones security-zone trust interfaces ge-0/0/1.0

#Allow ping in the trust zone:

set security zones security-zone trust host-inbound-traffic system-services ping




Basic Configuration for management in vSRX2 (same caveats as vSRX1: plain-http web management and system-services all on the management zone):


root@vsrx2> show configuration | display set


set system host-name vsrx2

set system services web-management http interface ge-0/0/2.0


#Add the IP addresses:

set interfaces ge-0/0/0 description "to unstrusted zone"

set interfaces ge-0/0/0 gigether-options no-auto-negotiation

set interfaces ge-0/0/0 unit 0 family inet address 1.2.3.22/24

set interfaces ge-0/0/1 description "to trusted zone"

set interfaces ge-0/0/1 gigether-options no-auto-negotiation

set interfaces ge-0/0/1 unit 0 family inet address 11.0.0.22/24

set interfaces ge-0/0/2 description "to management"

set interfaces ge-0/0/2 gigether-options no-auto-negotiation

set interfaces ge-0/0/2 unit 0 family inet address 192.168.70.22/24


#Create the management zone (host-inbound-traffic system-services all opens every service on the management interface; restrict it to ssh, http/https and ping if the management network is not fully trusted):

set security zones functional-zone management interfaces ge-0/0/2.0

set security zones functional-zone management host-inbound-traffic system-services all


#Add the interface to the trusted zone:

set security zones security-zone trust interfaces ge-0/0/1.0

#Allow ping in the trust zone:

set security zones security-zone trust host-inbound-traffic system-services ping






Default configuration (captured from vsrx2 with `show configuration | display set`; note that it includes the root password hash, and that the untrust-zone interface ge-0/0/0.0 accepts http, https, ssh, telnet and dhcp host-inbound traffic — review both before reusing this output):


root@vsrx2> show configuration | display set

set version 12.1X47-D20.7

set system host-name vsrx2

set system root-authentication encrypted-password "$1$JiD7jjwf$/5KgbA8NQrjJILjRt40Cq0"

set system services ssh

set system services web-management http interface ge-0/0/2.0

set system syslog user * any emergency

set system syslog file messages any any

set system syslog file messages authorization info

set system syslog file interactive-commands interactive-commands any

set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval

set interfaces ge-0/0/0 description "to unstrusted zone"

set interfaces ge-0/0/0 gigether-options no-auto-negotiation

set interfaces ge-0/0/0 unit 0 family inet address 1.2.3.22/24

set interfaces ge-0/0/1 description "to trusted zone"

set interfaces ge-0/0/1 gigether-options no-auto-negotiation

set interfaces ge-0/0/1 unit 0 family inet address 10.0.0.22/24

set interfaces ge-0/0/2 description "to management"

set interfaces ge-0/0/2 gigether-options no-auto-negotiation

set interfaces ge-0/0/2 unit 0 family inet address 192.168.70.22/24

set security log file name seclogs

set security screen ids-option untrust-screen icmp ping-death

set security screen ids-option untrust-screen ip source-route-option

set security screen ids-option untrust-screen ip tear-drop

set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024

set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200

set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024

set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048

set security screen ids-option untrust-screen tcp syn-flood queue-size 2000

set security screen ids-option untrust-screen tcp syn-flood timeout 20

set security screen ids-option untrust-screen tcp land

set security policies from-zone trust to-zone trust policy default-permit match source-address any

set security policies from-zone trust to-zone trust policy default-permit match destination-address any

set security policies from-zone trust to-zone trust policy default-permit match application any

set security policies from-zone trust to-zone trust policy default-permit then permit

set security policies from-zone trust to-zone untrust policy default-permit match source-address any

set security policies from-zone trust to-zone untrust policy default-permit match destination-address any

set security policies from-zone trust to-zone untrust policy default-permit match application any

set security policies from-zone trust to-zone untrust policy default-permit then permit

set security policies from-zone untrust to-zone trust policy default-deny match source-address any

set security policies from-zone untrust to-zone trust policy default-deny match destination-address any

set security policies from-zone untrust to-zone trust policy default-deny match application any

set security policies from-zone untrust to-zone trust policy default-deny then deny

set security zones functional-zone management interfaces ge-0/0/2.0

set security zones functional-zone management host-inbound-traffic system-services ssh

set security zones functional-zone management host-inbound-traffic system-services http

set security zones functional-zone management host-inbound-traffic system-services ping

set security zones functional-zone management host-inbound-traffic system-services all

set security zones security-zone trust tcp-rst

set security zones security-zone trust interfaces ge-0/0/1.0

set security zones security-zone untrust screen untrust-screen

set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http

set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https

set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh

set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet

set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
