
17/02/2023, 16:22 SRX Getting Started - Configure Interfaces and Security Zones


SRX Getting Started - Configure Interfaces and Security Zones

Article ID KB16556 Created 2010-01-25

Last Updated 2020-04-22

Description

This article provides an example of configuring an interface and security zone on an SRX Series device.
For other topics, go to the SRX Getting Started main page.

Symptoms

Configure interfaces and security zones.

Solution

This section contains the following:


Network Interface Naming
Security Zone
Configure Interface and Security Zone
Verification

Network Interface Naming


Junos uses the following interface naming conventions:
The show interfaces terse command displays a list of the interfaces.

user@host> show interfaces terse


Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up 
ge-0/0/0.0              up    up   inet     10.85.49.150/24
gr-0/0/0                up    up 
ip-0/0/0                up    up 
lsq-0/0/0               up    up 
lt-0/0/0                up    up 
mt-0/0/0                up    up 
pd-0/0/0                up    up 
pe-0/0/0                up    up 

The syntax for the interface name, such as ge-0/0/0, is as follows:

https://supportportal.juniper.net/s/article/SRX-Getting-Started-Configure-Interfaces-and-Security-Zones?language=en_US 1/4

Interface Type - Slot / Module / Port . Logical number   

For information about interface name syntax, see Interface Naming Conventions.

For information about slot numbering for SRX Series devices, see Network Interfaces.

All numbers for the slot, module, and port start with 0.

For example:
ge-0/0/0 = First onboard Gigabit Interface
st0.0 = First Secure Tunnel Interface (VPN Tunnel)
lo0 = First loopback interface

Wildcards--Many commands accept wildcards in the interface names.

For example:
show interfaces ge-0/0/*

 
Security Zone
A security zone is a collection of interfaces that define a security boundary. Internal network interfaces may be
assigned to a security zone named "trust," and external network interfaces may be assigned to a security zone
named "untrust." Security policies are then used to control transit traffic between security zones. For more
information about security zones, see Understanding Security Zones.

Note: For SRX Branch devices, interfaces are assigned to a default security zone in the factory-default settings.
See the device's Getting Started Guide for interface and zone assignments, as they vary by platform.

The Getting Started Guide can be located as follows:


Go to Juniper Networks Devices Processing Overview
Click the applicable platform link.
Click the Getting Started Guide link.

Restrictions:
You can assign one or more logical interfaces to a zone.
You can also assign one or more logical interfaces to a routing instance.
You cannot assign a logical interface to multiple zones or multiple routing instances.
You must also ensure that all of a zone's logical interfaces are in a single routing instance.
Violating any of these restrictions results in a configuration error.
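
An offline check of these restrictions over set-format configuration lines, as an added example (not Juniper's code and not part of the original article). The sample configuration, the zone names dmz and untrust, and the routing-instance names are constructed; interfaces in no named routing instance are assumed to belong to the default instance.

```python
import re
from collections import defaultdict

# Constructed sample configuration in "set" format (not from the article).
SAMPLE_CONFIG = """\
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust interfaces ge-0/0/2.0
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone dmz interfaces ge-0/0/2.0
set routing-instances CUST-A interface ge-0/0/2.0
set routing-instances CUST-A interface ge-0/0/3.0
set routing-instances CUST-B interface ge-0/0/3.0
"""

ZONE_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)")
RI_RE = re.compile(r"^set routing-instances (\S+) interface (\S+)")
DEFAULT_RI = "default"  # label used here for interfaces in no named routing instance


def check_zone_restrictions(config_text):
    """Return a sorted list of restriction violations found in set-format config."""
    zones_of = defaultdict(set)   # logical interface -> zones it is assigned to
    ris_of = defaultdict(set)     # logical interface -> routing instances
    for line in map(str.strip, config_text.splitlines()):
        if m := ZONE_RE.match(line):
            zones_of[m.group(2)].add(m.group(1))
        elif m := RI_RE.match(line):
            ris_of[m.group(2)].add(m.group(1))

    problems = []
    for ifl, zones in zones_of.items():
        if len(zones) > 1:
            problems.append(f"{ifl}: in multiple zones {sorted(zones)}")
    for ifl, ris in ris_of.items():
        if len(ris) > 1:
            problems.append(f"{ifl}: in multiple routing instances {sorted(ris)}")
    # All logical interfaces of one zone must sit in a single routing instance.
    ris_of_zone = defaultdict(set)
    for ifl, zones in zones_of.items():
        for zone in zones:
            ris_of_zone[zone] |= ris_of.get(ifl) or {DEFAULT_RI}
    for zone, ris in ris_of_zone.items():
        if len(ris) > 1:
            problems.append(f"zone {zone}: spans routing instances {sorted(ris)}")
    return sorted(problems)


if __name__ == "__main__":
    print("\n".join(check_zone_restrictions(SAMPLE_CONFIG)))
```

Running it against a candidate configuration before commit shows which restriction a rejected change violates; the device's own commit check remains the authority.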

Security policies are associated with zones. A packet’s incoming zone, as determined by the interface through
which it arrived, and its outgoing zone, as determined by the forwarding lookup, together determine which
policy is used for packets of the flow. For information about zones and policies, refer to Security Policies
Feature Guide for Security Devices.
Configure Interface and Security Zone
J-Web

The following example configures a security zone with one interface:


1. Configure the ge-0/0/1.0 interface with the IP address 192.168.20.2/24.
a. Select Configure>Interfaces>Ports and click the ge-0/0/1 interface to edit.
b. Click the '+' icon next to 'Global Settings' and select 'Logical Interface'.
c. Under the 'IPv4 Address' tab, check 'IPv4 Address/DHCP configuration' and make sure 'Enable address configuration' is selected.
d. Add the IP address and prefix by clicking the '+' icon, i.e. 192.168.120.2/24, and click OK.
e. Click OK.
f. Click Commit.

For more information about configuring an interface, see Technical Documentation.


2. Configure a security zone, and then assign the ge-0/0/1.0 interface to the security zone.
a. Select Configure>Security>Objects>Zones/Screens. If a security zone name does not exist, click the '+' icon under the Security Zone section, and enter the zone name. If the security zone name does exist, click the zone name.
b. Go to the Interfaces Configuration section.
c. In the Interfaces out of the zone list, select the ge-0/0/1.0 interface.
d. Click the left arrow to move the interface from the 'Available' list to the 'Selected' list.
e. Click OK.
f. Click Commit.

For more information about configuring a security zone, see Technical Documentation.

CLI

The following example configures a security zone with one interface:


1. Verify existing security zones, and verify which interfaces have been assigned to the security zones by using one of the following commands:
user@host> show security zones
user@host> show interfaces

2. Configure the ge-0/0/1.0 interface with the IP address 192.168.20.2/24.
user@host# set interfaces ge-0/0/1 unit 0 family inet address 192.168.20.2/24
For more information about configuring an interface, see Technical Documentation.

3. If a security zone name does not exist, configure a security zone:
user@host# set security zones security-zone trust

4. Assign the ge-0/0/1.0 interface to the trust security zone.
user@host# set security zones security-zone trust interfaces ge-0/0/1.0
For more information about configuring a security zone, see Technical Documentation.
 
Technical Documentation
Security Zones and Interfaces Overview
 
Verification
To verify interface and security zone configuration, use the following operational commands:
show interfaces terse
show interfaces
show security zones

 
Troubleshooting
Interfaces
 
Use the show interfaces command to display information about the interface. For more information, see
show interface.

Use the monitor interface command to display . For more information, see monitor interface .


Configure traceoptions to troubleshoot interface issues. The following traceoption flags are applicable:

All interfaces:
[edit interfaces]
user@host# set traceoptions flag ?
Possible completions:
  all              Enable all configuration logging
  change-events    Log changes that produce configuration events
  config-states    Log the configuration state machine changes
  kernel           Log configuration IPC messages to kernel
  kernel-detail    Log details of configuration messages to kernel

A specific interface:
[edit interfaces ge-11/1/0]
user@host# set traceoptions flag ?
Possible completions:
  all              Enable all interface trace flags
  event            Trace interface events
  ipc              Trace interface IPC messages
  media            Trace interface media changes

For information about configuring traceoptions for debugging and trimming output, see KB16108 - SRX
Getting Started -- Configuring Traceoptions for Debugging and Trimming Output.

Use the packet capture feature to snoop packets. For more information, see KB15779 - SRX Getting
Started - Troubleshooting Commands.

Zones
Configure traceoptions to troubleshoot security zones. The following traceoptions are applicable:
[edit security]
user@host# set traceoptions flag ?
Possible completions:
  all              Trace everything
  compilation      Trace compilation events
  configuration    Trace configuration events
  routing-socket   Trace routing socket events

For information about configuring traceoptions for debugging and trimming output, see KB16108 - SRX
Getting Started -- Configuring Traceoptions for Debugging and Trimming Output.

Modification History
2020-04-17: Article reviewed for accuracy; minor changes done to steps in J-Web

AFFECTED PRODUCT SERIES / FEATURES
