Traffic Flow Management for Internal Traffic in Juniper SRX 650

Tags: acl, firewall, juniper, srx

I would like to know whether the Juniper SRX by default allows all the source and destination ports if all the devices are from the internal networking range.

For example, would Src-10.10.x.x SrcPrt-any Des-10.20.x.x DesPrt-23 be allowed by default, or do we require ACL policies to allow that traffic on the Juniper SRX series firewalls?

Best Answer

As per Juniper, you can actually check the defaults by:

  1. Log in as the root user and provide your credentials.
  2. In shell mode, navigate to the /etc/config folder. (% cd /etc/config)
  3. Use ls to list which files are available; there should be something similar to srx650-factory.conf or srx650-defaults.conf.
  4. Use vi filename to view the contents.

Steps taken from the SRX650 Services Gateway Hardware Guide; you can also see a sample of the above steps there if in doubt.

System default security

Deny all transit traffic.

By default, the Junos OS denies all traffic through an SRX Series device. In fact, an implicit default security policy exists that denies all packets. You can change this behavior by configuring a standard security policy that permits certain types of traffic, or by configuring the default policy to permit all traffic.

Factory default security policies

Trust to trust permit, trust to untrust permit, untrust to trust deny

  1. Trust-to-trust zone policy: Permits all intrazone traffic within the trust zone;
  2. Trust-to-untrust zone policy: Permits all traffic from the trust zone to the untrust zone; and
  3. Untrust-to-trust zone policy: Denies all traffic from the untrust zone to the trust zone.

*Quotes taken from the JNCIS-SEC Study Guide, Part 1, Ch. 3: Security Policies.
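As an added illustration (not part of the answer above, and not Juniper's factory file), here is how those defaults look in Junos set format, followed by the explicit policy the asker's telnet flow needs once 10.20.x.x is moved into its own zone. Zone names (trust, untrust, servers), interfaces, address-book names and the sample hosts are assumed for the example; junos-telnet is Junos's predefined TCP/23 application.

```junos
# Factory-style zone policies, expressed as set commands (assumed interface assignments)
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone untrust interfaces ge-0/0/0.0

# Intrazone trust: permit everything. This is the rule that lets 10.10.x.x reach
# 10.20.x.x on any port when both subnets live in the trust zone.
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit

# trust -> untrust permitted, untrust -> trust denied
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone untrust to-zone trust policy default-deny match source-address any
set security policies from-zone untrust to-zone trust policy default-deny match destination-address any
set security policies from-zone untrust to-zone trust policy default-deny match application any
set security policies from-zone untrust to-zone trust policy default-deny then deny

# Anything that matches no policy hits the implicit deny; stating it makes the intent visible in the config
set security policies default-policy deny-all

# If 10.20.x.x is placed in a separate zone (assumed name: servers), the intrazone permit
# no longer covers it and the telnet flow needs its own policy, scoped to the two subnets.
set security zones security-zone servers interfaces ge-0/0/2.0
set security address-book global address net-10-10 10.10.0.0/16
set security address-book global address net-10-20 10.20.0.0/16
set security policies from-zone trust to-zone servers policy allow-telnet match source-address net-10-10
set security policies from-zone trust to-zone servers policy allow-telnet match destination-address net-10-20
set security policies from-zone trust to-zone servers policy allow-telnet match application junos-telnet
set security policies from-zone trust to-zone servers policy allow-telnet then permit
set security policies from-zone trust to-zone servers policy allow-telnet then log session-init

# Check, from operational mode, which policy a given flow would actually hit (sample hosts are constructed)
show security match-policies from-zone trust to-zone servers source-ip 10.10.1.5 destination-ip 10.20.1.9 source-port 40000 destination-port 23 protocol tcp
```

The match-policies output names the policy that would be applied, so you can confirm whether a flow is allowed by the intrazone default or by an explicit rule before relying on it.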
