How to Configure SRX Security Zones with Junos

By Walter J. Goralski, Cathy Gadecki, Michael Bushong

You cannot manage the SRX Services Gateway as you would a router. The SRX is a locked-down device. You can’t even ping an interface on the SRX initially, even if it has a valid IP address. The SRX uses the concept of nested security zones. Zones are a critical concept in SRX configuration. No traffic goes in or out unless the security zones are configured properly on the SRX interfaces.

To configure a security zone, you associate each interface with a security zone, and then bind the security zones to a routing instance (if there are multiple routing instances).


It sounds complicated, but it’s not. First, you configure the zones and then you associate the interfaces with the zones. Here, we’re assuming that you’re using only one routing instance. You can configure a zone with more than one interface. However, each interface can belong to only one zone.

Now, establish two security zones for a simple SRX configuration. One zone is for a local LAN called admins (administration) on interface ge-0/0/0.0, and the other zone is for two links to the Internet called untrust with interfaces ge-0/0/1.0 and ge-0/0/2.0:

root# edit security zones
[edit security zones]
root# set security-zone admins
root# set security-zone untrust
root# set security-zone admins interfaces ge-0/0/0.0
root# set security-zone untrust interfaces ge-0/0/1.0
root# set security-zone untrust interfaces ge-0/0/2.0

Always configure zones from the perspective of the SRX you are configuring. Many other zones may be on the LAN (trust, accounting, and so on). But this SRX only links to admins and untrust.

Now you can add services to the zones you just configured. Assume that inbound ssh, ftp, and ping traffic is permitted from the untrusted zone.

This is just an example. Before you enable any services at all on your SRX, make sure you truly need them. FTP in particular is often considered risky because FTP has no real security, and you just punched a big hole for it in your security zone.

[edit security zones]
root# set security-zone untrust host-inbound-traffic system-services ssh
root# set security-zone untrust host-inbound-traffic system-services ftp
root# set security-zone untrust host-inbound-traffic system-services ping

Your configuration now looks like this:

[edit security]
zones {
    security-zone untrust {
        host-inbound-traffic {
            system-services {
                ssh;
                ftp;
                ping;
            }
        }
        interfaces {
            ge-0/0/1.0;
            ge-0/0/2.0;
        }
    }
    security-zone admins {
        interfaces {
            ge-0/0/0.0;
        }
    }
}

If you haven’t yet configured routing and applied licensing to your SRX, you will get a fetch error message when you try to commit the security configuration. This error will go away when configuration is complete.
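
The FTP caveat and the one-zone-per-interface rule above can be checked offline against the zone configuration in its `display set` form. This is an added example, not code from the original article or from Juniper; the function name audit, the RISKY_SERVICES policy set, and the sample input are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: services this audit treats as risky when the SRX itself accepts them.
# ftp, telnet and http are cleartext; "all" and "any-service" open every service.
RISKY_SERVICES = {"ftp", "telnet", "http", "all", "any-service"}

# Matches zone membership lines and zone-level or interface-level host-inbound lines.
ZONE_RE = re.compile(
    r"^set security zones security-zone (?P<zone>\S+) "
    r"(?:interfaces (?P<ifname>\S+)"
    r"|(?:interfaces (?P<scope>\S+) )?"
    r"host-inbound-traffic system-services (?P<svc>\S+))$"
)

def audit(display_set_text, untrusted_zones=("untrust",)):
    """Return findings for risky inbound services and multi-zone interfaces."""
    zones_by_interface = defaultdict(set)
    findings = []
    for raw in display_set_text.splitlines():
        m = ZONE_RE.match(raw.strip())
        if not m:
            continue  # not a zone statement this audit understands
        zone = m["zone"]
        ifname = m["ifname"] or m["scope"]
        if ifname:
            zones_by_interface[ifname].add(zone)
        svc = m["svc"]
        if svc and zone in untrusted_zones and svc in RISKY_SERVICES:
            where = f"{zone}/{m['scope']}" if m["scope"] else zone
            findings.append(f"risky host-inbound service '{svc}' on {where}")
    for ifname, zones in sorted(zones_by_interface.items()):
        if len(zones) > 1:
            joined = ", ".join(sorted(zones))
            findings.append(f"{ifname} is in more than one zone: {joined}")
    return findings

# Constructed sample: the configuration built in this article, in display-set form.
SAMPLE = """\
set security zones security-zone admins interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone untrust interfaces ge-0/0/2.0
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services ftp
set security zones security-zone untrust host-inbound-traffic system-services ping
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On the device, `show configuration security zones | display set` produces input in this form.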