SRX for beginners

I was thinking if I should write a short article for beginners to quickly configure an SRX firewall. I don’t know how many people will find it useful but I hope it will be for those who use SRX for the first time in their life. Let’s get started.

Our topology in this tutorial is below;

srx_beginner
We will configure the followings from scratch:

  1. Loading default config and setting the root password
  2. Configuring interfaces and default route
  3. Configuring security zones
  4. Configuring address book entries
  5. Creating security policies
  6. Creating source nat for internal clients

Loading default config and setting the root password

I assume you are connected to the SRX device via console

First a bit of information for the SRX novice. As SRX is running Junos, it has two modes

  1. Operational mode and this mode has the prompt > on the CLI
  2. Configuration mode and this mode has the prompt # on the cli

When you login to a Junos device, you might also see the prompt % which is the root shell and it doesn’t belong to any of those aforementioned modes and this is the lowest mode on the hierarchy and you can switch between these modes. Quickly, I can show you how to switch between these modes with an example:

Now we can move to the configuration:

Once we commit the changes, we should see the new hostname srx220 in the prompt.
Commit is required to save and activate your changes.

Configuring interfaces and default route

Interfaces

Default route

Configuring security zones

SRX is a zone based firewall hence you have to assign each interface to a zone to be able to pass traffic through and into it. There may be two default zones trust and untrust coming with the factory-default config but we will delete them and configure our own zones. Following will be our zone configuration;

  • Our zone facing pc clients is named internal
  • zone facing internet is named internet
  • Internal clients will be able to reach SRX (i.e ping and ssh service will be enabled) towards SRX

Now we have assigned interfaces to each zone. To mention again, if you don’t add the services e.g ssh&ping under internal zone, you can neither connect to the box via ssh nor ping its internal interface IP.

Configuring address book entries

If you want to configure a security policy you must create an address book entry for the network ranges you would like to use. We will create one address book entry for our internal network block 192.168.239.0/24 as follows;

Our address book entry is also ready for security policy. Now it is time to enforce the security policy to allow internal users to access outside networks.

Note: Address book configuration has evolved over several releases. To better understand the address book concept on SRX, you can take a look at my other post about address books once you finish this post.

Creating security policies

As this is a firewall, if you don’t create a security policy allowing traffic from one zone to the other one, don’t expect your transit traffic to work. Here, we first start by deleting already existing policies to make sure no other policies exist.

A security policy is created within a context. What does this mean? It means the context defines the direction. For example, policy we have created named “allow-internal-clients” is only matching any traffic from internal zone to internet zone. As our action is “permit”, we allow traffic from “network_239” address book network i.e 192.168.239.0/24 towards any address.

Creating source nat for internal clients

You may also need to source NAT internal clients with your outside interface IP address. Here is how we configure source nat in SRX:

First start deleting previous left over nat rules.

For simplicity we use interface based nat which means if an internal client has an IP address on 192.168.239.0/24 range, its IP packets’ source addresses will be replaced by the interface IP address 192.168.100.38 when the client wants to reach Internet.

As you can see source NAT is also a context based configuration. You define from which zone you are coming and to which zone you are heading.After these configuration your internal clients whose gateway is 192.168.239.1 should be able to reach Internet if I haven’t made any mistake so far.

To see the next SRX for beginners post SRX for beginners #2

33 thoughts on “SRX for beginners

  1. nikhilvolga

    Hi , Perfect one !….. How to configure nat rules and default route for dynamic IP address which we are receiving from isp through PPOE/PPOA ?

    Reply
      1. Werner

        Hello rtoodtoo

        I like your blog. Useful things! πŸ™‚

        In that case, of PPPoE, is it necessary to commit this as different interface? Can you use your modem/router default gateway in a ge 0/0/0 interface?

        Reply
      1. rtoodtoo Post author

        You’re welcome Sriminant. I hope I will write another one for beginners soon.

        Reply
  2. Neo

    Hi, Perfect documentation for starters with SRX. I am working with Netscreen FW for 7 years but no experience on SRX so far. Your simple writing is a very helpful for me. By the way, in the NAT section there is no rule about to which IP the translation will occur? Would you please enlighten on that?

    Thanks again for the great post.

    Reply
    1. rtoodtoo Post author

      Hi Neo,
      Source NAT is done on the interface IP. So you don’t have to specify an IP address and in our example external source IP will be 192.168.100.38

      Genco.

      Reply
  3. Aaron

    Hi,

    What do you think about the web interface configuration? Do you think that it’s a good idea to setup everything through web interface and then play with the console? I have to do the basic setup for the production environment with DMZ etc. and I’m beginners with juniper – before I was working on sonicwalls firewall.

    Thanks

    Reply
    1. rtoodtoo Post author

      It isn’t an easy question actually. I do always prefer CLI as I can see what I configure. WEB interface is easier for beginners of course but if you would like to learn
      JUNOS, better to use CLI.

      Reply
  4. Raul Von Chong Perez

    Hi, i configure my srx201he2, but i want a list of commands to learn do my job.

    Reply
  5. Mike

    Thanks alot, I’m also a beginer and this article just made my day. I have an srx110 and I’ve been struggling to join it on the network. I followed this article and managed to join the srx on the network and now I’m able to manage it remotely.

    KEEP UP THE GOOD WORK.

    Reply
  6. Joe G

    Thanks. Having just downloaded vSRX this provides a nice place to start.
    Note – Console of VMware started me at a kernel shell prompt and I had to issue the ‘CLI’ command to enter the Junos CLI shell.

    Reply
    1. Marc S

      Life saver – I had the same problem on a live box when connected via console – I think it was due to the previous login issuing the “exit” command. Anyway – thanks for the comment – would be nice to add this to the overview above.

      Reply
      1. rtoodtoo Post author

        Hi Marc and Joe,
        I have updated the post as per your feedback to cover the cli command as well. Thank you.

        Reply
  7. farouk

    Thank you for the post. I dont seem to understand the nat process. The second to the last command that ends with “then source-nat interface”.

    Please help release another post on vlans, vpn and other aspects. Thanks so much

    Reply
  8. Kenneth

    I tried connecting a cisco switch to the srx internal interface, client connected to the switch could not ping to the srx internal interface but able to ping if I connect client directly to srx internal interface. Is there a need to assign vlan to srx internal interface?

    Reply
    1. farouk

      Hello Kenneth, I think the srx has the capability to also act as a switch beside the routing. I will suggest checking the default gateway on the switch and make sure it point to the router. Another area might be the ip address. Make sure it is on the same subnet with the srx

      Reply
  9. Nils

    Excellent article for beginners like me. I worked on SSG series , just started learning on SRX and found this article. Thanks buddy.

    I ll ask many queries in future πŸ™‚ Thanks again

    Reply

You have a feedback?