Firewall rules, also called security policies, are the method of filtering and logging traffic in a network. Juniper firewalls can filter traffic based on source/destination IP address and port numbers. The Juniper SRX series provides firewall products ranging from SOHO networks to large corporate networks. An SRX firewall inspects each packet passing through the device. You can configure firewall rules in Juniper SRX using the command line or the GUI console. Here, I will use the command line to demonstrate firewall rule creation.
Before configuring firewall rules, there are some basic terms that are necessary to understand. The elements of a Juniper firewall rule are:
- Security Zones: Security zones are logical boundaries. Each interface is assigned to a security zone. The interface connected to the Internet is usually placed in the Untrust Zone, and the interface connected to the internal network is usually placed in the Trust Zone. These zones are user-defined: you can create a zone named Accounting Zone for the firewall interface connected to the accounting switch, and so on. Firewall policies (rules) need the source zone and destination zone defined before the rule itself is defined.
- Policy: This is the policy name used to identify the firewall rule (policy). For example, if I want to allow traffic from the Untrust Zone to the Trust Zone, I would name my policy Internet Rule or Internet Policy. Note: what Cisco calls a firewall rule, Juniper calls a security policy; they are basically the same thing.
- IP Address: IP addresses define the source network or hosts and the destination network or hosts. The source address and destination address are used as match conditions. For example, a policy named My Policy matches a source address of x.x.x.x/x and a destination address of y.y.y.y/y, and then we define a condition to allow or block the traffic. Address books are created in zones so that addresses can be matched in the rule.
- Application: This is the protocol or service that is allowed/denied by the rule. For example, http, https, FTP, etc. can be defined as a match condition. Source address, destination address and application are mandatory match conditions.
- Condition: Conditions determine whether to allow/deny the traffic. Various conditions can be defined, such as permit, deny, log, reject and count. For example, if a policy named My Policy matches a source address of x.x.x.x/x, a destination address of y.y.y.y/y and the application FTP, then we can define the condition to permit and log the traffic.
Configure Firewall Rule in Juniper SRX
We have a scenario as shown in the diagram below. A Mail Server is hosted in the internal network, the trust zone. We want users on the Internet to be able to access the Mail Server, so mail traffic has to flow in and out between two security zones, untrust and trust. Let's configure this on an SRX 240. We will assume that in the following scenario NAT (Network Address Translation) has already been configured properly.
Step 1: Assign Interface to Security Zone
Type the following command in the [edit security zones] hierarchy. We need to assign interface ge-0/0/1 to Untrust-Zone and interface ge-0/0/0 to Trust-Zone. The command is: set security-zone <Zone Name> interfaces <interface name>.
You can see the configured security zones by typing the show command under the [edit security zones] hierarchy.
Step 2: Create Address Book in Trust Zone
To match the source and destination IP address in the firewall rule we need to create an address book; we can't simply type an IP address in the rule. We need to create an address book entry for the Mail Server that we have in Trust-Zone. To create the address, type the following command in the [edit security zones security-zone Trust-Zone] hierarchy: set address-book address <Address-Name> <IP-Address>.
You can type the show command to view the configuration for Trust-Zone so far. We can see the address book and the interface of this zone in the screenshot shown below.
Step 3: Create Firewall Rule to Allow Traffic from Internet destined for Mail Server
We need to create a firewall rule for traffic coming from Untrust-Zone to Trust-Zone, so we have to be in the [edit security policies from-zone Untrust-Zone to-zone Trust-Zone] hierarchy. Since the traffic is coming from Untrust-Zone, we match any source-address and a destination-address of MailServer, then specify the condition.
Now, let's specify the condition. We want to permit the traffic and log each session.
To view the firewall rule, type the show command in the same hierarchy.
Similarly, you can create a firewall rule to pass any traffic from Trust-Zone to Untrust-Zone.
In this way you can configure firewall rules on a Juniper SRX firewall. You can configure logs to view the traffic for the Mail Server.
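The whole scenario above as one set of Junos set commands, added here as an example and not taken from the original post. It assumes a Mail Server address of 192.168.1.10 (constructed), the policy names Internet-Policy, Deny-Log and Outbound-Policy, logical unit .0 on each interface, and the predefined junos-smtp application; it also narrows the inbound rule to SMTP and adds a logged deny, which the post does not do.

```junos
# Added example, not from the original post. Assumed: Mail Server at 192.168.1.10
# (constructed), policy names Internet-Policy / Deny-Log / Outbound-Policy, and
# logical unit .0 on each interface (zones bind logical interfaces).
# Paste in configuration mode ("configure"), then commit.

# Step 1: bind interfaces to security zones
set security zones security-zone Untrust-Zone interfaces ge-0/0/1.0
set security zones security-zone Trust-Zone interfaces ge-0/0/0.0

# Step 2: zone-level address book entry for the Mail Server in Trust-Zone
set security zones security-zone Trust-Zone address-book address MailServer 192.168.1.10/32

# Step 3: Untrust-Zone -> Trust-Zone, only SMTP to the Mail Server, logged and counted
# junos-smtp is a predefined application (TCP/25); add junos-imap / junos-pop3 if those are exposed too
set security policies from-zone Untrust-Zone to-zone Trust-Zone policy Internet-Policy match source-address any
set security policies from-zone Untrust-Zone to-zone Trust-Zone policy Internet-Policy match destination-address MailServer
set security policies from-zone Untrust-Zone to-zone Trust-Zone policy Internet-Policy match application junos-smtp
set security policies from-zone Untrust-Zone to-zone Trust-Zone policy Internet-Policy then permit
set security policies from-zone Untrust-Zone to-zone Trust-Zone policy Internet-Policy then log session-init
set security policies from-zone Untrust-Zone to-zone Trust-Zone policy Internet-Policy then log session-close
set security policies from-zone Untrust-Zone to-zone Trust-Zone policy Internet-Policy then count

# Explicit logged deny ordered after the permit: the SRX default deny is silent,
# this one makes blocked inbound attempts visible in the traffic log
set security policies from-zone Untrust-Zone to-zone Trust-Zone policy Deny-Log match source-address any
set security policies from-zone Untrust-Zone to-zone Trust-Zone policy Deny-Log match destination-address any
set security policies from-zone Untrust-Zone to-zone Trust-Zone policy Deny-Log match application any
set security policies from-zone Untrust-Zone to-zone Trust-Zone policy Deny-Log then deny
set security policies from-zone Untrust-Zone to-zone Trust-Zone policy Deny-Log then log session-init

# Reverse direction: Trust-Zone -> Untrust-Zone, any traffic out (as in the post)
set security policies from-zone Trust-Zone to-zone Untrust-Zone policy Outbound-Policy match source-address any
set security policies from-zone Trust-Zone to-zone Untrust-Zone policy Outbound-Policy match destination-address any
set security policies from-zone Trust-Zone to-zone Untrust-Zone policy Outbound-Policy match application any
set security policies from-zone Trust-Zone to-zone Untrust-Zone policy Outbound-Policy then permit

# Write RT_FLOW session logs to a local file so Mail Server traffic can be reviewed
set system syslog file traffic-log any any
set system syslog file traffic-log match RT_FLOW_SESSION

# Verify the policy order, then commit
show security policies from-zone Untrust-Zone to-zone Trust-Zone
commit check
commit
```

Policies are evaluated top to bottom in configuration order, so the Deny-Log policy must stay after Internet-Policy; use `insert` under [edit security policies] to reorder if it ends up first.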