
SRX Interface Bridge WAN to DMZ

  • 1.  SRX Interface Bridge WAN to DMZ

    Posted 08-02-2018 12:27

    I am looking to configure an interface bridge on an SRX by bridging the WAN interface in the untrust zone to another physical interface in a DMZ zone. We are currently performing this on a SonicWall, which allows us to physically assign the servers in the DMZ zone a public IP address and still have zone-based rules, DPI, IPS, etc. There will be no NAT in this scenario. The applications on the servers in this DMZ do not function properly with NAT, hence the bridge requirement.

     

    I believe I have found the equivalent in Juniper by specifying "family bridge" for each interface in the bridge, along with an irb interface, as well as specifying the specific interface in each zone. Am I on the right track here? I am about to test this on an SRX branch series device before moving to an SRX 1500.

     

     

    ge-0/0/1 {
        unit 0 {
            family bridge {
                interface-mode access;
                vlan-id 110;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family bridge {
                interface-mode access;
                vlan-id 110;
            }
        }
    }
    irb {
        unit 1 {
            family inet {
                address x.x.x.x/x;
            }
        }
    }
    
    security-zone untrust {
        host-inbound-traffic {
            system-services {
                ssh;
                ping;
            }
        }
        interfaces {
            ge-0/0/0.0;
        }
    }
    
    security-zone DMZ {
        host-inbound-traffic {
            system-services {
                ssh;
            }
        }
        interfaces {
            ge-0/0/2.0;
        }
    }
    
    

     

     

     



  • 2.  RE: SRX Interface Bridge WAN to DMZ

    Posted 08-02-2018 12:45

    I forgot to mention I am running 17.4R1 on the SRX Branch device. 

     

    Upon further inspection it appears those commands above are missing in this OS version. The Junos Feature Explorer seems to indicate that it is available and that it is supported on the branch SRX. However, the config hierarchy below is not available.

     

    [edit]
    bridge-domains {
        bridge-domain-name {
            domain-type bridge;
            interface interface-name;
            routing-interface routing-interface-name;
            vlan-id (none | all | number);
            vlan-id-list [ vlan-id-numbers ];
            vlan-tags outer number inner number;
        }
    }
    

     

     

     



  • 3.  RE: SRX Interface Bridge WAN to DMZ

    Posted 08-02-2018 13:10

    I expect you are using a new SRX300 series running Junos 15.1X49 software.

     

    The configuration has changed from 15.1X49 and onwards: https://kb.juniper.net/InfoCenter/index?page=content&id=KB31147

     

    ...and remember to upgrade to the latest recommended release, as the initial releases had lots of different issues. The latest recommended version is 15.1X49-D140.



  • 4.  RE: SRX Interface Bridge WAN to DMZ

    Posted 08-02-2018 13:24

    Yes, it is an SRX300 series running Junos 17.4R1 for testing in a lab. We want to implement this on a brand new SRX 1500 for production.

    Thanks for the KB link. I have a question about that though. Does this force the entire SRX into transparent mode? Will I still be able to have other interfaces in IP mode? 

     

    Currently on the Sonicwall we have the interface in the untrust zone bridged to the interface in the DMZ zone while also having the interface in the trust zone in IP mode. Is this feasible in the SRX?



  • 5.  RE: SRX Interface Bridge WAN to DMZ

    Posted 08-02-2018 13:43

    You're welcome 🙂

     

    Mixed mode has been supported since 17.3R1. Please see the link below, which describes the possibilities and limitations.

     

    https://www.juniper.net/documentation/en_US/junos/topics/concept/security-mixed-mode-understanding.html

     

    I hope this clarifies your possibilities.



  • 6.  RE: SRX Interface Bridge WAN to DMZ

    Posted 08-06-2018 07:59

    Just to provide an update. I think we have figured out a way to accomplish what we were looking to do.

     

    We attempted the suggestions above, but the routing and security limitations of being in mixed mode with L2 and L3 zones were an issue for us. These limitations were not present with the current SonicWall. We also looked at other options such as SecureWire.

     

    We submitted the question to our SE and he came back with the following article: https://www.juniper.net/documentation/en_US/junos/topics/example/security-mixed-mode-configuring.html

     

    The diagram in the article led us to how we wanted to do our implementation.

     

    However, we decided not to go mixed mode but still do a sort of L3 bridge. Essentially, we configured an L3 interface in the DMZ zone that was in the same subnet as the interface in the untrust zone and segmented them via VLANs. It seems to allow us to still perform the necessary routing and implement the required security features between the zones as needed.

     

     



  • 7.  RE: SRX Interface Bridge WAN to DMZ
    Best Answer

    Posted 08-17-2018 13:53

    Another update...

     

    Further testing brought up further limitations of the above example, in which any additional servers behind the L3 DMZ zone wouldn't work. Not sure what was wrong, and we were running out of time.

     

    So now we have ultimately gone back to a mixed-mode setup in which we still have an L3 zone/interface combo for the untrust zone and trust zone, while also having 2 switchports on the SRX configured in the same access VLAN on the SRX and each physical interface in a Layer 2 zone. The uplinks to the physical switchports for the L2 interfaces are configured in different access VLANs as well.

     

     

    This configuration required 4 interfaces on the SRX, with one in each zone: 2 L3 interfaces/zones (untrust/trust) and 2 L2 interfaces/zones (untrust-L2 and dmz-L2). The servers in our L2 DMZ zone are in the same subnet as the SRX interface configured in our L3 zone.

     

    We can create security policies referencing the L2 zones and then separate policies referencing the L3 zones. Note: you cannot have security policies between an L2 and an L3 zone. If you attempt to configure policies between L2 and L3 zones, you will get the following message on commit: "from-zone (dmz-L2) and to-zone (untrust) must be both L2 or L3 zones"

     

    Since the Layer 2 zones/interfaces couldn't do any routing and we didn't want to dual-home the DMZ servers, we had to configure static host routes on the DMZ servers to the untrust interface IP for some ancillary services that resided behind the trust zone. The default gateway for the DMZ servers was the upstream router provided by the ISP. Note: because of the above limitation with security policies between L2 and L3 zones, for DMZ server communication to a service in the trust zone, security policies must be configured from untrust to trust.

     

     

    With the mock config below, you can create a similar setup to the SonicWall L2-to-L3 bridging interfaces/zones feature.

     

     

    user@srx300> show configuration protocols l2-learning 
    global-mode transparent-bridge;
    
    
    
    user@srx300> show configuration interfaces 
    ge-0/0/0 {
        unit 0 {
            family inet {
                address x.x.x.x/x;
            }
        }
    }
    ge-0/0/1 {
        flexible-vlan-tagging;
        native-vlan-id 1;
        unit 0 {
            disable;
            vlan-id 3967;
            family inet;
        }
        unit 40 {
            vlan-id 40;
            family inet {
                address x.x.x.x/x;
            }
        }
        unit 45 {
            vlan-id 45;
            family inet {
                address x.x.x.x/x;
            }
        }
    }
    ge-0/0/2 {
        description "L2 WAN Uplink";
        enable;
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members dmzvlan;
                }
            }
        }
    }
    ge-0/0/3 {
        description "L2 DMZ Uplink";
        enable;
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members dmzvlan;
                }
            }
        }
    }
    ge-0/0/4 {
        disable;
    }
    
    
    
    
    user@srx300> show configuration security zones 
    security-zone untrust {
        screen untrust-screen;
        interfaces {
            ge-0/0/0.0 {
                host-inbound-traffic {
                    system-services {
                        ping;
                        https;
                        ssh;
                        snmp;
                    }
                }
            }
        }
        
    }
    security-zone trust {
        interfaces {
            ge-0/0/1.45 {
                host-inbound-traffic {
                    system-services {
                        ping;
                        https;
                        ssh;
                    }
                }
            }
        }
        
    }
    security-zone untrust-L2 {
        screen untrust-screen;
        interfaces {
            ge-0/0/2.0;
        }
        
    }
    security-zone dmz-L2 {
        interfaces {
            ge-0/0/3.0;
        }
        
    }
    
    
    
    
    
    
    user@srx300> show configuration security policies 
    from-zone untrust to-zone trust {
        policy untrust-to-trust-allow {
            match {
                source-address dmzserver;
                destination-address trustserver;
                application trustserverapp;
            }
            then {
                permit;
                log {
                    session-close;
                }
            }
        }
        policy untrust-to-trust-deny {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                deny;
                log {
                    session-init;
                }
            }
        }
    }
    from-zone trust to-zone untrust {
        policy trust-to-untrust-Allow {
            match {
                source-address trustallow;
                destination-address untrustPermittedDests;
                application untrustPermittedApps;
            }
            then {                          
                permit;
                log {
                    session-close;
                }
            }
        }
        policy trust-to-untrust-deny {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                deny;
                log {
                    session-init;
                }
            }
        }
    }
    
    from-zone untrust-L2 to-zone dmz-L2 {
        policy untrust-to-dmz-allow {
            match {
                source-address untrustSourceAllow;
                destination-address dmzserver;
                application permittedDMZApps;
            }
            then {
                permit;
                log {
                    session-close;
                }
            }
        }
        policy untrustL2-to-dmzL2-deny {
            match {
                source-address any;
                destination-address any;    
                application any;
            }
            then {
                deny;
                log {
                    session-init;
                }
            }
        }
    }
    from-zone dmz-L2 to-zone untrust-L2 {
        policy dmzL2-to-untrustL2-allow {
            match {
                source-address dmzserver;
                destination-address permittedUntrustDests;
                application permittedUntrustApps;
            }
            then {
                permit;
                log {
                    session-close;
                }
            }
        }
        policy dmzL2-to-untrustL2-deny {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                deny;
                log {
                    session-init;
                }
            }
        }
    }
    default-policy {
        deny-all;
    }
    
    
    
    
    
    user@srx300> show configuration routing-options static 
    route 0.0.0.0/0 next-hop 1.1.1.1;
    
    
    
    
    
    
    
    
    
    DMZ Server example:
    IP 1.1.1.3
    GW: 1.1.1.1
    Route: trustednetwork next-hop 1.1.1.2
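
The two properties the best answer relies on, that every policy pair is either L2-to-L2 or L3-to-L3 (otherwise the commit fails with "from-zone (dmz-L2) and to-zone (untrust) must be both L2 or L3 zones") and that every pair ends in its own logged deny-any policy, are easy to lose when the config grows. The following Python script is an added example, not code from the thread or from Juniper: it parses curly-brace Junos configuration text as printed by `show configuration`, derives each zone's layer from the address family on its member interfaces (`ethernet-switching` or `bridge` is L2, `inet`/`inet6` is L3), and reports zone pairs that mix layers or that lack a closing deny-any policy. `SAMPLE_CONFIG` is constructed for the example: a trimmed copy of the posted config with a deliberately bad dmz-L2 to untrust pair and a trust to untrust pair that ends in a permit. The function names, the parser and the treatment of a zone that mixes L2 and L3 interfaces as an error are the example's own assumptions.

```python
"""Pre-commit check for a mixed-mode SRX zone/policy configuration: classify
each zone as L2 or L3 from its interfaces, then flag zone pairs that mix layers
(rejected at commit) or that lack a closing deny-any policy of their own."""
import re

# Constructed sample: a trimmed copy of the thread's mixed-mode config with two
# deliberate problems: a dmz-L2 -> untrust pair (L2 to L3), and a trust ->
# untrust pair whose last policy is a permit rather than a deny.
SAMPLE_CONFIG = """
interfaces {
    ge-0/0/0 { unit 0 { family inet { address 1.1.1.2/29; } } }
    ge-0/0/1 { unit 45 { vlan-id 45; family inet { address 10.0.45.1/24; } } }
    ge-0/0/2 { unit 0 { family ethernet-switching { interface-mode access; vlan { members dmzvlan; } } } }
    ge-0/0/3 { unit 0 { family ethernet-switching { interface-mode access; vlan { members dmzvlan; } } } }
}
security {
    zones {
        security-zone untrust { interfaces { ge-0/0/0.0 { host-inbound-traffic { system-services { ping; } } } } }
        security-zone trust { interfaces { ge-0/0/1.45; } }
        security-zone untrust-L2 { interfaces { ge-0/0/2.0; } }
        security-zone dmz-L2 { interfaces { ge-0/0/3.0; } }
    }
    policies {
        from-zone untrust to-zone trust {
            policy allow { match { source-address dmzserver; destination-address trustserver; application trustserverapp; } then { permit; log { session-close; } } }
            policy deny { match { source-address any; destination-address any; application any; } then { deny; log { session-init; } } }
        }
        from-zone trust to-zone untrust {
            policy allow { match { source-address any; destination-address any; application any; } then { permit; } }
        }
        from-zone untrust-L2 to-zone dmz-L2 {
            policy allow { match { source-address untrustSourceAllow; destination-address dmzserver; application permittedDMZApps; } then { permit; } }
            policy deny { match { source-address any; destination-address any; application any; } then { deny; log { session-init; } } }
        }
        from-zone dmz-L2 to-zone untrust {
            policy allow { match { source-address dmzserver; destination-address any; application any; } then { permit; } }
            policy deny { match { source-address any; destination-address any; application any; } then { deny; log { session-init; } } }
        }
        default-policy { deny-all; }
    }
}
"""

def parse_junos(text):
    """Parse curly-brace Junos config text into nested dicts: a block becomes a
    dict, a leaf statement such as 'family inet;' maps to None."""
    stack, words = [{}], []
    for tok in re.findall(r"[{};]|[^\s{};]+", re.sub(r"#.*", "", text)):
        if tok == "{":
            stack[-1][" ".join(words)] = node = {}
            stack.append(node)
        elif tok == ";" and words:
            stack[-1][" ".join(words)] = None
        elif tok == "}":
            stack.pop()
        words = [] if tok in "{};" else words + [tok]
    return stack[0]

def interface_layer(config, ifl):
    """Return 'l2' or 'l3' for a logical interface name such as ge-0/0/3.0."""
    phys, unit = ifl.rsplit(".", 1)
    unit_cfg = (config["interfaces"].get(phys) or {}).get("unit " + unit) or {}
    if "family ethernet-switching" in unit_cfg or "family bridge" in unit_cfg:
        return "l2"
    if "family inet" in unit_cfg or "family inet6" in unit_cfg:
        return "l3"
    raise ValueError("no address family configured on " + ifl)

def zone_layers(config):
    """Map each zone that has member interfaces to 'l2' or 'l3'. A zone whose
    interfaces span both layers is treated as an error in this example."""
    layers = {}
    for key, body in config["security"]["zones"].items():
        ifls = (body or {}).get("interfaces") or {}
        if key.startswith("security-zone ") and ifls:
            found = {interface_layer(config, ifl) for ifl in ifls}
            if len(found) != 1:
                raise ValueError(key + " mixes L2 and L3 interfaces")
            layers[key.split(" ", 1)[1]] = found.pop()
    return layers

def is_deny_any(policy):
    """True when the policy matches any/any/any and its action is deny."""
    needed = {"source-address any", "destination-address any", "application any"}
    return needed <= set(policy.get("match") or {}) and "deny" in (policy.get("then") or {})

def check_policies(config):
    """Return (finding, from_zone, to_zone) tuples: 'cross-layer' for a pair that
    joins an L2 zone with an L3 zone (Junos rejects this at commit), and
    'no-final-deny' for a pair that does not end in an explicit deny-any policy."""
    layers, findings = zone_layers(config), []
    for key, body in config["security"]["policies"].items():
        m = re.match(r"from-zone (\S+) to-zone (\S+)$", key)
        if not m:
            continue                      # default-policy, global policies, ...
        src, dst = m.groups()
        if src in layers and dst in layers and layers[src] != layers[dst]:
            findings.append(("cross-layer", src, dst))
        policies = [v for k, v in (body or {}).items() if k.startswith("policy ")]
        if not policies or not is_deny_any(policies[-1]):
            findings.append(("no-final-deny", src, dst))
    return findings

if __name__ == "__main__":
    for finding in check_policies(parse_junos(SAMPLE_CONFIG)):
        print("%-14s from-zone %s to-zone %s" % finding)
```

Run it as-is to see the two planted findings, or replace `SAMPLE_CONFIG` with the output of `show configuration` saved from the device (the `## SECRET-DATA` annotations are stripped as comments). The parser keeps the order in which policies appear, which is why "the last policy in the pair" is meaningful; the `default-policy` and `global` blocks are skipped because the per-pair deny is the check that matters here.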