Branch SRX Series; Understanding Branch SRX Series Stateful Firewall Functionality - Juniper Junos OS Getting Started Manual


CHAPTER 10
Understanding Stateful Firewall, IPsec VPN, and Chassis Cluster for Branch SRX Series

Copyright © 2016, Juniper Networks, Inc.

Understanding Branch SRX Series Stateful Firewall Functionality
Understanding IPsec VPN for SRX Series
Understanding Chassis Cluster for SRX Series

Understanding Branch SRX Series Stateful Firewall Functionality

Your branch SRX Series includes a stateful firewall, which tracks the state of each traffic flow or stream and uses dynamic packet inspection to identify patterns in data packets that might represent a threat to your network. This feature protects hosts from communicating with compromised or malicious users or applications.

The branch SRX Series uses zones and policies to provide firewall configuration. Although zones and policies can have user-defined configurations, the factory-default configuration contains, at a minimum, a "trust" and an "untrust" zone. The trust zone is used for configuration and for attaching the internal LAN to the branch SRX Series. The untrust zone is commonly used for the WAN or untrusted Internet interface.

To simplify installation and make configuration easier, a default policy is in place that allows traffic originating from the trust zone to the untrust zone. You are not required to configure a deny policy from the untrust zone to any other zones, because the device drops, by default, any traffic for which no policy is defined.

By using the J-Web interface or the CLI, you can define a series of security policies that control traffic within and between zones.

Related Documentation

Understanding Security Zones and Policies for SRX Series
Example: Configuring Security Zones and Policies for SRX Series
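The default behaviour described above, as an added Python model that is not Junos code or Juniper's implementation: a session table is checked first, then an ordered zone-pair policy list, and anything unmatched is dropped. The policy name, the network-to-zone mapping and all addresses are constructed for illustration, and a longest-prefix lookup is assumed to stand in for the route lookup that selects the egress zone.

```python
# Added example, not Junos code; names and addresses are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    zone: str            # zone of the ingress interface
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

class StatefulFirewall:
    def __init__(self, policies, zone_routes):
        self.policies = policies      # (name, from_zone, to_zone, action), in order
        self.routes = [(ip_network(n), z) for n, z in zone_routes.items()]
        self.sessions = set()         # flows created by permitted traffic

    def _egress_zone(self, dst):
        # Assumption: longest-prefix match stands in for the route lookup.
        hits = [(n, z) for n, z in self.routes if ip_address(dst) in n]
        return max(hits, key=lambda h: h[0].prefixlen)[1]

    def process(self, p):
        flow = (p.proto, p.src, p.sport, p.dst, p.dport)
        if flow in self.sessions:     # state check comes before policy lookup
            return "permit (existing session)"
        pair = (p.zone, self._egress_zone(p.dst))
        for name, from_zone, to_zone, action in self.policies:
            if (from_zone, to_zone) == pair:      # first match wins
                if action == "permit":            # record both directions
                    self.sessions.add(flow)
                    self.sessions.add((p.proto, p.dst, p.dport, p.src, p.sport))
                return f"{action} ({name})"
        return "deny (no policy)"     # default when nothing matches

def demo():
    fw = StatefulFirewall([("trust-to-untrust", "trust", "untrust", "permit")],
                          {"192.168.1.0/24": "trust", "0.0.0.0/0": "untrust"})
    lan, wan = "192.168.1.10", "203.0.113.9"
    return [
        fw.process(Packet("untrust", wan, 443, lan, 40000)),  # unsolicited inbound
        fw.process(Packet("trust", lan, 40000, wan, 443)),    # outbound request
        fw.process(Packet("untrust", wan, 443, lan, 40000)),  # reply to that flow
        fw.process(Packet("untrust", wan, 443, lan, 40001)),  # different flow
    ]

if __name__ == "__main__": print(*demo(), sep="\n")
```

The same inbound packet is dropped before the outbound request and permitted after it, which is why no explicit untrust-to-trust deny policy is needed for return traffic to work.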
