Security Policies Between Routing Instance

  • 1.  Security Policies Between Routing Instance

    Posted 02-22-2021 19:35
    Hello,

    I am trying to learn how security policies work between different routing instances.

    I have 3 routing instances:
    LAN-FIXED
    LAN-WIRELESS
    INTERNET-BREAKOUT

    LAN-FIXED and LAN-WIRELESS NAT to the INTERNET-BREAKOUT routing instance to reach the internet. There are also static routes in the INTERNET-BREAKOUT instance so that traffic can reach both LAN routing instances. Connectivity is working and I have created security zones inside each routing instance with the same name.

    If I have a flow destined for the internet, will the security policy need to be:

    from zone LAN-FIXED to zone INTERNET-BREAKOUT
    from zone LAN-WIRELESS to zone INTERNET-BREAKOUT

    or have I misunderstood this?

    Thanks.

    ------------------------------
    Jack
    ------------------------------


  • 2.  RE: Security Policies Between Routing Instance

     
    Posted 02-23-2021 05:13
    Hi
    Yes, as you already described: a security policy going to the Internet. An example is below:

    set security policies from-zone LAN-FIXED to-zone INTERNET-BREAKOUT policy POLICY1 match source-address any
    set security policies from-zone LAN-FIXED to-zone INTERNET-BREAKOUT policy POLICY1 match destination-address any
    set security policies from-zone LAN-FIXED to-zone INTERNET-BREAKOUT policy POLICY1 match application any
    set security policies from-zone LAN-FIXED to-zone INTERNET-BREAKOUT policy POLICY1 then permit

    set security policies from-zone LAN-WIRELESS to-zone INTERNET-BREAKOUT policy POLICY2 match source-address any
    set security policies from-zone LAN-WIRELESS to-zone INTERNET-BREAKOUT policy POLICY2 match destination-address any
    set security policies from-zone LAN-WIRELESS to-zone INTERNET-BREAKOUT policy POLICY2 match application any
    set security policies from-zone LAN-WIRELESS to-zone INTERNET-BREAKOUT policy POLICY2 then permit

    ------------------------------
    Maxwell Tsu
    ------------------------------



  • 3.  RE: Security Policies Between Routing Instance
    Best Answer

     
    Posted 02-23-2021 05:40
    Policy is written from zone to zone, and zones are only indirectly related to routing instances, via the interface assignments and how the routing tables are seen by the actual traffic.

    Security policies are tied to zones configured under
    security zones security-zone

    Zones contain interfaces to the sub-interface level
    security zones security-zone MY_ZONE_NAME interfaces ge-0/0/0.0

    The interface can be assigned to a routing-instance, thus the indirect association from zone name to sub-interface to routing instance.

    Policy is then chosen based on routing from the ingress sub-interface to the routing-selected egress sub-interface.
    The zones that these interfaces are assigned to become the from-zone & to-zone match where we look for a security policy.

    So for the policy to apply, the interface must be assigned to the zone and the routing instance desired.
    And if they are crossing routing instances, then some method of exchanging or connecting the routes from the separate instances must be in place.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------
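
Added example (not part of the thread and not Juniper code): a simplified Python model of the lookup described in the best answer, where the ingress interface gives the from-zone, the route lookup (crossing instances via shared routes) gives the egress interface and to-zone, and the zone pair selects the policy. Interface names, prefixes, the abstract "leak" route type and the deny-by-default fallback are assumptions of this model.

```python
import ipaddress

# Constructed sample data: interface names and prefixes are assumptions.
IFACE_INSTANCE = {"ge-0/0/0.0": "INTERNET-BREAKOUT", "ge-0/0/1.0": "LAN-FIXED",
                  "ge-0/0/2.0": "LAN-WIRELESS", "ge-0/0/3.0": "LAN-FIXED"}
IFACE_ZONE = {"ge-0/0/0.0": "INTERNET-BREAKOUT", "ge-0/0/1.0": "LAN-FIXED",
              "ge-0/0/2.0": "LAN-WIRELESS"}  # ge-0/0/3.0 left out of every zone
# Per-instance routes: prefix -> ("if", interface) or ("leak", other instance).
ROUTES = {
    "LAN-FIXED": {"10.1.0.0/24": ("if", "ge-0/0/1.0"),
                  "0.0.0.0/0": ("leak", "INTERNET-BREAKOUT")},
    "LAN-WIRELESS": {"10.2.0.0/24": ("if", "ge-0/0/2.0"),
                     "0.0.0.0/0": ("leak", "INTERNET-BREAKOUT")},
    "INTERNET-BREAKOUT": {"0.0.0.0/0": ("if", "ge-0/0/0.0"),
                          "10.1.0.0/24": ("leak", "LAN-FIXED"),
                          "10.2.0.0/24": ("leak", "LAN-WIRELESS")},
}
# Zone-pair policies as in the reply above; anything else is denied by default.
POLICIES = {("LAN-FIXED", "INTERNET-BREAKOUT"): "permit",
            ("LAN-WIRELESS", "INTERNET-BREAKOUT"): "permit"}

def egress_interface(instance, dst, hops=0):
    """Longest-prefix match in one instance, following leaked routes."""
    if hops > len(ROUTES):
        return None  # leak loop between instances
    addr = ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(p) for p in ROUTES.get(instance, {})]
    best = max((n for n in nets if addr in n),
               key=lambda n: n.prefixlen, default=None)
    if best is None:
        return None  # no route: no egress interface, so no to-zone
    kind, target = ROUTES[instance][str(best)]
    return target if kind == "if" else egress_interface(target, dst, hops + 1)

def evaluate(ingress_if, dst):
    """Return (from_zone, to_zone, action) for a new flow."""
    from_zone = IFACE_ZONE.get(ingress_if)
    if from_zone is None:
        return (None, None, "drop")  # interface not bound to any zone
    out_if = egress_interface(IFACE_INSTANCE[ingress_if], dst)
    if out_if is None:
        return (from_zone, None, "drop")
    to_zone = IFACE_ZONE.get(out_if)
    return (from_zone, to_zone, POLICIES.get((from_zone, to_zone), "deny"))

if __name__ == "__main__":
    for iface, dst in [("ge-0/0/1.0", "203.0.113.10"), ("ge-0/0/1.0", "10.2.0.5"),
                       ("ge-0/0/3.0", "203.0.113.10")]:
        print(iface, dst, evaluate(iface, dst))
```

In this model the shared routes make LAN-WIRELESS reachable from LAN-FIXED, yet that flow is still denied because no policy exists for that zone pair; reachability and permission are decided separately.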