[j-nsp] Configuring policies on SRX Cluster

fahad zaheer fahad.zaheer at yahoo.com
Thu Aug 9 14:16:25 EDT 2012


Hi Shombra,

I am afraid I may not be able to understand your question, but in the case of SRX you have to create a security policy with "permit action" for all traffic which is crossing a "security zone". In simple words, all traffic (regardless of ports) which is traversing from one security zone to another security zone needs to have a security policy with "permit action". If you have several clients and want to access a similar destination, then you can group those clients in an address-group instead of implementing their access through the address-book.


Regards,

Fahad



________________________________
 From: Shombra  Shombra <shombra at shombra.com.br>
To: juniper-nsp at puck.nether.net 
Sent: Thursday, August 9, 2012 6:40 PM
Subject: [j-nsp] Configuring policies on SRX Cluster
 
Hello,

First, sorry for my English.

I have many clients, one client and services per VLAN. On SRX I try to configure 7 clients and 3 services and 1 WAN, where some client and service has one VLAN and one ZONE, e.g.:

Clients:
Client 1 - VLAN 10 - Zone v10-Client-1
Client 2 - VLAN 20 - Zone v20-Client-2
Client 3 - VLAN 30 - Zone v30-Client-3
....
Client 6 - VLAN 60 - Zone v60-Client-6
Client 7 - VLAN 70 - Zone v70-Client-7

and Services:
E-mail - VLAN 100 - zone v100-EMAIL
DNS - VLAN 200 - zone v200-DNS
WEB - VLAN 300 - zone v300-WEB

and WAN - reth1.0 - zone WAN

If some client needs access to my e-mail, I have to create a policy from v10-Client-1 to v100-EMAIL. If Client-2 needs to share the e-mail port to the world, I need to open 25 for WAN, but if Client-3 has to send an e-mail to Client-2, I need to create a policy from zone v30-Client-3 to zone v20-Client-2. If I have 1000 clients, these policies become a mess.


Does someone have a solution so that my policies do not get messy?

Best regards,
Carlos A. Bernardi F.
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
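
The grouping suggested in the reply above, written out as Junos set commands. This is an added example, not configuration posted by either participant. Assumptions: address sets live in a zone's address book, so the clients being grouped are placed in one shared zone, here given the hypothetical name CLIENTS; the entry names, the policy name and all prefixes (RFC 5737 documentation ranges) are constructed. Only the zone name v100-EMAIL comes from the thread.

```junos
# Constructed client prefixes in a hypothetical shared zone named CLIENTS.
set security zones security-zone CLIENTS address-book address client-1 192.0.2.0/28
set security zones security-zone CLIENTS address-book address client-2 192.0.2.16/28
set security zones security-zone CLIENTS address-book address client-3 192.0.2.32/28

# Group only the clients that need the same destination (client-2 is left out).
set security zones security-zone CLIENTS address-book address-set mail-users address client-1
set security zones security-zone CLIENTS address-book address-set mail-users address client-3

# Constructed address for the mail server in the e-mail zone from the thread.
set security zones security-zone v100-EMAIL address-book address mail-server 198.51.100.25/32

# One permit policy for the zone pair, matching the set instead of each client.
set security policies from-zone CLIENTS to-zone v100-EMAIL policy mail-users-to-email match source-address mail-users
set security policies from-zone CLIENTS to-zone v100-EMAIL policy mail-users-to-email match destination-address mail-server
set security policies from-zone CLIENTS to-zone v100-EMAIL policy mail-users-to-email match application junos-smtp
set security policies from-zone CLIENTS to-zone v100-EMAIL policy mail-users-to-email then permit
```

Giving another client the same access is then one more address-set entry; the policy itself does not change.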

