I'm migrating the rules from ASA to vSRX and I have the following doubt. In the ASA rules there are a lot of rules between servers, tenants and ISPs. Then, in the vSRX I associate each zone with a RETH interface (there are two RETH interfaces with a logical interface per VLAN), like server zones, tenant zones and ISP zones. My question is: can I configure all the zones with "permit all" and then, in each rule, perform the permit or deny? What do you think?
Welcome to the SRX.
Policies are in the format from-zone NAME1 to-zone NAME2, with the direction determined by the zone of the device that initiates the traffic.
Zones can have multiple interfaces. So you could have all three ISPs in a single zone, Internet, if the policies you need are not ISP-specific anyway. You add the interface with its sub-interface unit to the desired zone name in the configuration.
You could identify all the directions in which you need traffic to flow and create an initial "allow all" policy from/to each of those zone pairs. Then you are up and running.
When there are multiple policies in a from/to zone list, the FIRST policy that matches the traffic is used. That means when you are adding more specific policies to permit or deny traffic after your initial "allow all" policy, you will need to move each new policy from last (its default position) to before your allow-all policy using the "insert" command after creation.
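The workflow described above, written out as Junos set commands. This is an added example, not configuration from the thread or from Juniper; the interface units, VLAN IDs, zone names, addresses and policy names are assumed, and the reth redundancy-group setup is omitted.

```junos
# Constructed example: two reth interfaces, one logical unit per VLAN
set interfaces reth0 vlan-tagging
set interfaces reth0 unit 10 vlan-id 10 family inet address 10.0.10.1/24
set interfaces reth0 unit 20 vlan-id 20 family inet address 10.0.20.1/24
set interfaces reth1 vlan-tagging
set interfaces reth1 unit 100 vlan-id 100 family inet address 203.0.113.2/30

# A zone may hold several logical interfaces; bind each unit to its zone
set security zones security-zone servers interfaces reth0.10
set security zones security-zone tenants interfaces reth0.20
set security zones security-zone internet interfaces reth1.100

# Initial "allow all" policy for the tenants -> servers direction
set security policies from-zone tenants to-zone servers policy allow-all match source-address any
set security policies from-zone tenants to-zone servers policy allow-all match destination-address any
set security policies from-zone tenants to-zone servers policy allow-all match application any
set security policies from-zone tenants to-zone servers policy allow-all then permit
set security policies from-zone tenants to-zone servers policy allow-all then log session-close

# A more specific deny added later: it lands LAST by default, after allow-all,
# so it would never be reached unless it is moved ahead of allow-all
set security address-book global address tenant-a-net 10.0.20.0/24
set security address-book global address db-server 10.0.10.50/32
set security policies from-zone tenants to-zone servers policy deny-tenant-a-db match source-address tenant-a-net
set security policies from-zone tenants to-zone servers policy deny-tenant-a-db match destination-address db-server
set security policies from-zone tenants to-zone servers policy deny-tenant-a-db match application junos-ms-sql
set security policies from-zone tenants to-zone servers policy deny-tenant-a-db then deny
set security policies from-zone tenants to-zone servers policy deny-tenant-a-db then log session-init

# Reorder so the specific deny is evaluated before the catch-all permit
insert security policies from-zone tenants to-zone servers policy deny-tenant-a-db before policy allow-all

# Confirm the order (deny-tenant-a-db must be listed first) before committing
show security policies from-zone tenants to-zone servers | display set
commit check
```

Without the `insert`, the first-match rule means the catch-all permit silently shadows every later deny, so check the order in `show security policies` after each addition.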
Excellent tips, they are very helpful. I'll configure only two zones. This helps me make the rules configuration easier.
I would recommend you go through the book for the details of SRX config; most features are the same on vSRX and SRX, and the configuration part can be understood from this book: Day One: Migrate Cisco ASA to Juniper SRX Series by Martin: https://www.goodreads.com/book/show/32200689-day-one
Hope this helps.