SRX


Loopback in Security zone on SRX

  • 1.  Loopback in Security zone on SRX

    Posted 01-09-2019 18:26

    Hi everybody

    Please consider the following example:

    Case 1:

    PC--199.199.199.10-----199.199.199.1 F1 SRX

    F1: Zone A, host inbound ssh

    lo0.0 1.1.1.1, Zone B host inbound ssh

    I observed following:

    1) In order for the PC to be able to SSH in using lo0 (1.1.1.1), we need to define a policy to allow such traffic. Even though this is not transit traffic, as it is destined to the SRX, the PC is not able to SSH using lo0 unless we have a policy to allow SSH traffic.

    Is this expected behavior?

    Case 2:

    PC--199.199.199.10-----199.199.199.1 F1 SRX

    F1: Zone A, host inbound ssh

    lo0.0 1.1.1.1, management zone (functional zone) host inbound ssh

    We cannot use the management zone in security policies. Should we still be able to SSH into the SRX using 1.1.1.1 from the PC?

    I understand the whole point of using the management zone is to use a physical port for MGMT access, as the branch SRX does not have a dedicated MGMT port.

    Appreciated and have a good day!!



  • 2.  RE: Loopback in Security zone on SRX
    Best Answer

    Posted 01-09-2019 18:36

    Hello

    Case 1:

    Yes, this is expected behavior. While it is to-the-box traffic, it is still subject to flow processing; hence the security policy will be checked.

    Case 2:

    We cannot SSH to the lo0 in a functional zone, since traffic cannot flow between security and functional zones by design.

    Regards,

    Vikas
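
Case 1 from the question written out as Junos SRX configuration, added here as an example and not taken from the thread or from Juniper's documentation. The PC subnet and the 1.1.1.1 loopback address are the ones in the post; the zone names `zone-a` and `zone-b`, the interface `ge-0/0/1` standing in for "F1", and the address-book entry `lo0-mgmt` are assumed names.

```junos
## Added example (not from the thread). Assumed: zone-a / zone-b, ge-0/0/1 as "F1",
## address-book entry lo0-mgmt. Addresses are the ones from the original post.

# PC-facing interface (the post's F1) and the loopback
set interfaces ge-0/0/1 unit 0 family inet address 199.199.199.1/24
set interfaces lo0 unit 0 family inet address 1.1.1.1/32

# Zone A: the PC-facing interface, SSH permitted as host-inbound traffic
set security zones security-zone zone-a interfaces ge-0/0/1.0
set security zones security-zone zone-a host-inbound-traffic system-services ssh

# Zone B: the loopback, SSH permitted as host-inbound traffic
set security zones security-zone zone-b interfaces lo0.0
set security zones security-zone zone-b host-inbound-traffic system-services ssh

# Global address-book entry so the policy can name the loopback explicitly
set security address-book global address lo0-mgmt 1.1.1.1/32

# The part the question found surprising: SSH to 1.1.1.1 arrives in zone-a and
# terminates on lo0.0 in zone-b, so flow processing still evaluates a
# zone-a -> zone-b policy even though the SRX itself is the destination.
# Restricting the match to the loopback address and junos-ssh keeps the
# policy from permitting anything beyond management access to the box.
set security policies from-zone zone-a to-zone zone-b policy allow-ssh-to-lo0 match source-address any
set security policies from-zone zone-a to-zone zone-b policy allow-ssh-to-lo0 match destination-address lo0-mgmt
set security policies from-zone zone-a to-zone zone-b policy allow-ssh-to-lo0 match application junos-ssh
set security policies from-zone zone-a to-zone zone-b policy allow-ssh-to-lo0 then permit

# Case 2 for comparison: moving lo0.0 into the functional management zone
# (security zones functional-zone management) would not make SSH to 1.1.1.1
# work from zone-a, because, as the answers explain, no policy can be written
# from a security zone to the functional zone.
```

After commit, `show security policies from-zone zone-a to-zone zone-b` lists the policy, and `show security flow session destination-prefix 1.1.1.1` shows the SSH session being created, which is the flow processing Vikas refers to.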



  • 3.  RE: Loopback in Security zone on SRX

    Posted 01-09-2019 18:38
    Q1. Yes, this is expected behavior. We need policies for traffic between two security zones.

    Q2. AFAIK, you will not be able to SSH to the loopback when it's placed in the management zone, because traffic to the management zone should land in that zone directly and cannot traverse any other zones.

    Ref:
    https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/security-edit-management.html
    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-zone-configuration.html#UnderstandingFunctionalZones-C3987B0A

    “Because this zone cannot be specified in policies, traffic entering from this zone can only be traffic originating from the device itself and cannot originate from any other zone.”
    “Traffic entering management zones does not match policies; therefore, traffic cannot transit out of any other interface if it was received in the management interface.”