SRX for beginners

23 Replies
I was thinking if I should write a short article for beginners to quickly configure an SRX firewall.
I dont know how many people will find it useful but I hope it will be for those who use SRX for
the first time in their life. Lets get started.
Our topology in this tutorial is below;

We will configure the followings from scratch:

1. Loading default config and setting the root password
2. Configuring interfaces and default route
3. Configuring security zones
4. Configuring address book entries
5. Creating security policies
6. Creating source nat for internal clients

Loading default config and setting the root password

I assume you are connected to the SRX device via console

[edit]
root# load factory-default
w arning: activating factory con

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

[edit]
root# load factory-default
warning: activating factory configuration
[edit]
root# set system root-authentication plain-text-password
New password:
Retype new password:
[edit]
root# set system host-name srx220
[edit]
root# commit
commit complete
[edit]
root@srx220#
Once we commit the changes, we should see the new hostname srx220 in the prompt.
Commit is required to save and activate your changes.

Configuring interfaces and default route

Interfaces

es ge-0/0/0
es ge-0/0/1
ge-0/0/0 unit 0 family inet address 192.168.100.38/24
ge-0/0/1 unit 0 family inet address 192.168.239.1/24

1
2
3
4

#delete interfaces ge-0/0/0

#delete interfaces ge-0/0/1
#set interfaces ge-0/0/0 unit 0 family inet address 192.168.100.38/24
#set interfaces ge-0/0/1 unit 0 family inet address 192.168.239.1/24
Default route

#set routing-options static route

1 #set routing-options static route 0.0.0.0/0 next-hop 192.168.100.1

Configuring security zones

SRX is a zone based firewall hence you have to assign each interface to a zone to be able to pass
traffic through and into it. There may be two default zones trust and untrust coming with the
factory-default config but we will delete them and configure our own zones. Following will be
our zone configuration;

Our zone facing pc clients is named internal

zone facing internet is named internet

Internal clients will be able to reach SRX (i.e ping and ssh service will be enabled)
towards SRX

#set security zones security-zo

#set security zones security-zo
#set security zones security-zo

#set security zones security-zone internal interfaces ge-0/0/1.0 host-inbound-traffic system1 services ping
2 #set security zones security-zone internal interfaces ge-0/0/1.0 host-inbound-traffic system3 services ssh
#set security zones security-zone internet interfaces ge-0/0/0.0
Now we have assigned interfaces to each zone. To mention again, if you dont add the services
e.g ssh&ping under internal zone, you can neither connect to the box via ssh nor ping its internal
interface IP.

Configuring address book entries

If you want to configure a security policy you must create an address book entry for the network
ranges you would like to use. We will create one address book entry for our internal network
block 192.168.239.0/24 as follows;

#set security zones security-zo

#set security zones security-zone internal address-book address network_239

192.168.239.0/24
Our address book entry is also ready for security policy. Now it is time to enforce the security
policy to allow internal users to access outside networks.
Note: Address book configuration has evolved over several releases. To better understand the
address book concept on SRX, you can take a look at my other post about address books once
you finish this post.

Creating security policies

As this is a firewall, if you dont create a security policy allowing traffic from one zone to the
other one, dont expect your transit traffic to work. Here, we first start by deleting already
existing policies to make sure no other policies exist.
#delete security policies
#set security policies from-zone
#set security policies from-zone
#set security policies from-zone

#delete security policies

#set security policies from-zone internal to-zone internet policy allow-internal-clients match
1 source-address network_239
2 #set security policies from-zone internal to-zone internet policy allow-internal-clients match
3 destination-address any
4 #set security policies from-zone internal to-zone internet policy allow-internal-clients match
5 application any
#set security policies from-zone internal to-zone internet policy allow-internal-clients then
permit
A security policy is created within a context. What does this mean? It means the context defines
the direction. For example, policy we have created named allow-internal-clients is only
matching any traffic from internal zone to internet zone. As our action is permit, we allow
traffic from network_239 address book network i.e 192.168.239.0/24 towards any address.

Creating source nat for internal clients

You may also need to source NAT internal clients with your outside interface IP address. Here is
how we configure source nat in SRX:
First start deleting previous left over nat rules.
#set security nat source rule-se
#set security nat source rule-se
#set security nat source rule-se
#commit

#delete security nat

#set security nat source rule-set internal-to-internet from zone internal
1
#set security nat source rule-set internal-to-internet to zone internet
2
#set security nat source rule-set internal-to-internet rule internet-access match source-address
3
192.168.239.0/24
4
#set security nat source rule-set internal-to-internet rule internet-access match destination5
address 0.0.0.0/0
6
#set security nat source rule-set internal-to-internet rule internet-access then source-nat
7
interface
#commit
For simplicity we use interface based nat which means if an internal client has an IP address on
192.168.239.0/24 range, its IP packets source addresses will be replaced by the interface IP
address 192.168.100.38 when the client wants to reach Internet.
As you can see source NAT is also a context based configuration. You define from which zone
you are coming and to which zone you are heading.After these configuration your internal clients
whose gateway is 192.168.239.1 should be able to reach Internet if I havent made any mistake
so far.
To see the next SRX for beginners post SRX for beginners #2