Hello Suli,
The SRX series devices ship with a factory default configuration which contains DHCP, auto-installation, basic security policies, etc.
Most of them will delete the default configuration and add their own configuration, or configure it as per their requirement.
In my company we are using an SRX340. Does this mean that we do not have to add the security policies for trust-zone-to-untrust and untrust-zone-to-trust, because the SRX already has a default preconfigured security policy? And if these security policies are not set up, does that mean I need to add them manually? Is this correct?
A: You can either alter the existing factory default configuration or configure it as per your requirement.
1. I would like the test/production application to have access to the internet.
A: I believe the below is the security policy for the Production -> Internet zone. This is configured with ANY ANY ANY, which means any source from production can access any destination on the internet with any service.
from-zone Production-application to-zone untrust {
    policy PROD-application-to-Untrust {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
}
2. I would also like inside to have access to the internet.
A: I'm not sure which is your inside zone, so I can't comment on it. However, you can follow the same as the above-mentioned security policy to access the internet from inside to outside. But I have a concern regarding one of your policies, where you have allowed anyone from the Internet to access your trust side. This means you're exposing your trust side to the whole internet.
The appropriate configuration would be:
policies {
    from-zone trust to-zone untrust {
        policy allow-all {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
}
3. Do I really need to enable an intra-zone policy (Test-application to-zone Test-application or Production-application to-zone Production-application)? As I understand it, if test-application or production-application are in the same VLAN and try to communicate with each other inside the VLAN/broadcast domain, then an intra-zone policy is not needed?
A: If you have 2 VLANs configured under the same security zone, then an intra-zone policy is required.
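As an added example (not part of the original reply), here is a small Python audit that parses the brace-style output of `show configuration security policies` and flags the exposure described above: an untrust-to-trust any/any/any permit is reported as HIGH, an outbound any/any/any permit as LOW, and an intra-zone any/any/any permit as INFO (it only matters when routed VLANs share a zone). The zone and policy names in SAMPLE_CONFIG are constructed for illustration and are assumptions, not configuration from the original post.

```python
"""Audit Junos SRX security policies for wide-open any/any/any permits.
Added example, not code from the original post; SAMPLE_CONFIG is constructed."""
import re

SAMPLE_CONFIG = """\
security {
    policies {
        from-zone trust to-zone untrust {
            policy allow-all {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy inbound-any {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Production-application to-zone Production-application {
            policy prod-intra {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
"""
ZONE_RE = re.compile(r"^from-zone (\S+) to-zone (\S+)$")


def parse_junos(text):
    """Parse brace-style Junos config into nested dicts; leaf statements map to None."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop '#' annotations
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            stack[-1][line[:-1].strip()] = child = {}
            stack.append(child)
        elif line.endswith(";"):
            stack[-1][line[:-1].strip()] = None
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces")
    return root


def iter_policies(tree):
    """Yield (from_zone, to_zone, name, src, dst, app, action) for each policy."""
    policies = tree.get("security", {}).get("policies") or {}
    for key, block in policies.items():
        m = ZONE_RE.match(key)
        if not m or block is None:
            continue
        for pkey, pblock in block.items():
            if not pkey.startswith("policy ") or pblock is None:
                continue
            # 'source-address any' -> {'source-address': 'any'}
            match = dict(s.partition(" ")[::2] for s in (pblock.get("match") or {}))
            then = pblock.get("then") or {}
            action = next((a for a in ("permit", "deny", "reject") if a in then), "none")
            yield (*m.groups(), pkey.split(None, 1)[1], match.get("source-address"),
                   match.get("destination-address"), match.get("application"), action)


def audit_policies(text, untrusted_zones=("untrust",)):
    """Return (severity, message) findings for any/any/any permits, highest severity first."""
    findings = []
    for from_zone, to_zone, name, src, dst, app, action in iter_policies(parse_junos(text)):
        if action != "permit" or (src, dst, app) != ("any", "any", "any"):
            continue
        where = f"{from_zone}->{to_zone} policy {name}"
        if from_zone in untrusted_zones and to_zone not in untrusted_zones:
            findings.append(("HIGH", f"{where}: any/any/any permit exposes zone {to_zone} to the internet"))
        elif from_zone == to_zone:
            findings.append(("INFO", f"{where}: intra-zone any/any/any permit (only needed when routed VLANs share a zone)"))
        else:
            findings.append(("LOW", f"{where}: outbound any/any/any permit; restrict applications if possible"))
    return sorted(findings, key=lambda f: ("HIGH", "LOW", "INFO").index(f[0]))


if __name__ == "__main__":
    for sev, msg in audit_policies(SAMPLE_CONFIG):
        print(f"[{sev}] {msg}")
```

Run it against a saved copy of the policy hierarchy (the script only parses text; it does not connect to the device). Replacing `application any` in the untrust-to-trust policy with a specific application such as junos-https, and a specific destination address, clears the HIGH finding; the outbound allow-all remains as a LOW reminder.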