SRX Getting Started - Configure Interfaces and Security Zones
Description
This article provides an example of configuring an interface and security zone on an SRX Series device.
For other topics, go to the SRX Getting Started main page.
Symptoms
Solution
https://supportportal.juniper.net/s/article/SRX-Getting-Started-Configure-Interfaces-and-Security-Zones?language=en_US 1/4
17/02/2023, 16:22 SRX Getting Started - Configure Interfaces and Security Zones
For information about interface name syntax, see Interface Naming Conventions.
For information about slot numbering for SRX Series devices, see Network Interfaces.
For example:
ge-0/0/0 = First onboard Gigabit Interface
st0.0 = First Secure Tunnel Interface (VPN Tunnel)
lo0 = First loopback interface
All numbers for the slot, module, and port start with 0.
Wildcards--Many commands accept wildcards in the interface names. For example:
show interfaces ge-0/0/*
Security Zone
A security zone is a collection of interfaces that define a security boundary. Internal network interfaces may be
assigned to a security zone named "trust," and external network interfaces may be assigned to a security zone
named "untrust." Security policies are then used to control transit traffic between security zones. For more
information about security zones, see Understanding Security Zones.
Note: For SRX Branch devices, interfaces are assigned to a default security zone in the factory-default settings.
See the device's Getting Started Guide for interface and zone assignments, as they vary by platform.
Restrictions:
You can assign one or more logical interfaces to a zone.
You can also assign one or more logical interfaces to a routing instance.
You cannot assign a logical interface to multiple zones or multiple routing instances.
You must also ensure that all of a zone's logical interfaces are in a single routing instance.
Violating any of these restrictions results in a configuration error.
Security policies are associated with zones. A packet’s incoming zone, as determined by the interface through
which it arrived, and its outgoing zone, as determined by the forwarding lookup, together determine which
policy is used for packets of the flow. For information about zones and policies, refer to Security Policies
Feature Guide for Security Devices.
Configure Interface and Security Zone
J-Web
e. Click OK.
f. Click Commit.
For more information about configuring a security zone, see Technical Documentation.
CLI
For more information about configuring a security zone, see Technical Documentation.
1. Verify existing security zones, and verify which interfaces have been assigned to the security zones by
using one of the following commands:
user@host> show security zones
user@host> show interfaces
2. Configure the ge-0/0/1.0 interface with the IP address 192.168.20.2/24.
3. If a security zone name does not exist, configure a security zone:
4. Assign the ge-0/0/1.0 interface to the trust security zone.
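The restrictions listed under Security Zone can be checked offline before a commit. The following is an added example, not part of the Juniper article: it parses a configuration in "set" format and reports violations. The sample configuration is constructed; its first three lines are one standard way to express CLI steps 2 to 4, and the routing-instance name VR1 and the use of "master" as the label for the default routing instance are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed sample in Junos "set" format (not from the article). Lines 1-3
# express CLI steps 2-4; the remaining lines add deliberate violations.
SAMPLE_CONFIG = """\
set interfaces ge-0/0/1 unit 0 family inet address 192.168.20.2/24
set security zones security-zone trust
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust interfaces ge-0/0/2.0
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone dmz interfaces ge-0/0/0.0
set routing-instances VR1 instance-type virtual-router
set routing-instances VR1 interface ge-0/0/2.0
"""

ZONE_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)")
RI_RE = re.compile(r"^set routing-instances (\S+) interface (\S+)")
DEFAULT_RI = "master"  # assumed label for interfaces in no named instance

def parse(config):
    """Map each logical interface to its zones and its routing instances."""
    zones, instances = defaultdict(set), defaultdict(set)
    for line in config.splitlines():
        line = line.strip()
        if m := ZONE_RE.match(line):
            zones[m.group(2)].add(m.group(1))
        elif m := RI_RE.match(line):
            instances[m.group(2)].add(m.group(1))
    return zones, instances

def check_restrictions(config):
    """Return one finding per violated zone/routing-instance restriction."""
    zones, instances = parse(config)
    findings = []
    for ifname, zs in sorted(zones.items()):
        if len(zs) > 1:
            findings.append(f"{ifname}: in multiple zones {sorted(zs)}")
    for ifname, ris in sorted(instances.items()):
        if len(ris) > 1:
            findings.append(f"{ifname}: in multiple routing instances {sorted(ris)}")
    # All interfaces of one zone must sit in a single routing instance.
    zone_ris = defaultdict(set)
    for ifname, zs in zones.items():
        for zone in zs:
            zone_ris[zone] |= instances.get(ifname) or {DEFAULT_RI}
    for zone, ris in sorted(zone_ris.items()):
        if len(ris) > 1:
            findings.append(f"zone {zone}: interfaces span routing instances {sorted(ris)}")
    return findings
```

The checker assumes logical interfaces are written with their unit number (for example ge-0/0/1.0) in both the zone and routing-instance statements.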
Technical Documentation
Security Zones and Interfaces Overview
Verification
To verify interface and security zone configuration, use the following operational commands:
show interfaces terse
show interfaces
show security zones
Troubleshooting
Interfaces
Use the show interface command to display information about the interface. For more information, see
show interface.
Use the monitor interface command to display . For more information, see monitor interface .
Configure traceoptions to troubleshoot interface issues. The following traceoption flags are applicable:
All interfaces:
[edit interfaces]
user@host# set traceoptions flag ?
Possible completions:
  all              Enable all configuration logging
  change-events    Log changes that produce configuration events
  config-states    Log the configuration state machine changes
  kernel           Log configuration IPC messages to kernel
  kernel-detail    Log details of configuration messages to kernel
A specific interface:
[edit interfaces ge-11/1/0]
user@host# set traceoptions flag ?
Possible completions:
  all              Enable all interface trace flags
  event            Trace interface events
  ipc              Trace interface IPC messages
  media            Trace interface media changes
For information about configuring traceoptions for debugging and trimming output, see KB16108 - SRX
Getting Started -- Configuring Traceoptions for Debugging and Trimming Output.
Use the packet capture feature to snoop packets. For more information, see KB15779 - SRX Getting
Started - Troubleshooting Commands.
Zones
Configure traceoptions to troubleshoot security zones. The following traceoptions are applicable:
[edit security]
user@host# set traceoptions flag ?
Possible completions:
  all              Trace everything
  compilation      Trace compilation events
  configuration    Trace configuration events
  routing-socket   Trace routing socket events
For information about configuring traceoptions for debugging and trimming output, see KB16108 - SRX
Getting Started -- Configuring Traceoptions for Debugging and Trimming Output.
Modification History
2020-04-17: Article reviewed for accuracy; minor changes done to steps in J-Web