Hello.
Today we will look at [2024][Juniper SRX #8] Zones.
Juniper SRX is a zone-based firewall. An interface does not operate on its own: every interface must belong to exactly one zone, and firewall policies permit or deny traffic based on those zones.
This part will be covered in more detail later, when we test firewall policies.
The test topology is as follows. The following were used:
1. vIOS Switch
2. vSRX
The IP information is as follows.
SRX:
ge-0/0/0 - 10.1.1.1/24 untrust zone
ge-0/0/1 - 172.16.1.1/24 dmz zone
ge-0/0/2 - 192.168.1.1/24 trust zone
fxp0 - dhcp - management zone
SW1
gi0/0 - 10.1.1.2/24
SW2
gi0/0 - 172.16.1.2/24
SW3
gi0/0 - 192.168.1.2/24
Juniper SRX Zone Types
1. functional zone (management zone) - dedicate an interface just for the purpose of management
Normally fxp0 is the management interface, but when you want to use a data interface for management,
this command lets you configure that interface to take on the MGMT role.
2. Security zone - to control traffic between different security zones
3. junos-host - controls traffic between a security zone and the Juniper device itself
4. null - discards traffic
Command to list the zones that currently exist:
show security zones terse
root> show security zones terse
Zone                      Type
junos-host                Security

Looking at the interfaces below, fxp0 is the SRX management interface.
root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/2                up    up
dsc                     up    up
fti0                    up    up
fxp0                    up    up
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down
root>

I will have the fxp0 interface obtain its IP address via DHCP.
Let me briefly describe my test lab.
1. From my laptop I connect to a Palo Alto firewall with GlobalProtect (the VPN agent).
2. EVE-NG is installed inside VMware ESXi.
3. The Palo Alto firewall acts as the DHCP server.
So the fxp0 interface automatically receives an IP from the Palo Alto.
Alternatively, you can configure it manually.
root# set interfaces fxp0 unit 0 family inet dhcp
[edit]
root# commit
commit complete

Then check the IP address on the interface.
root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/2                up    up
dsc                     up    up
fti0                    up    up
fxp0                    up    up
fxp0.0                  up    up   inet     192.168.10.104/24
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0

Ping test from my PC to the SRX fxp0 address 192.168.10.104.
The ping succeeds.
C:\Users\admin>ping 192.168.10.104

Pinging 192.168.10.104 with 32 bytes of data:
Reply from 192.168.10.104: bytes=32 time=4ms TTL=63
Reply from 192.168.10.104: bytes=32 time=5ms TTL=63
Reply from 192.168.10.104: bytes=32 time=7ms TTL=63
Reply from 192.168.10.104: bytes=32 time=14ms TTL=63

Ping statistics for 192.168.10.104:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 4ms, Maximum = 14ms, Average = 7ms

C:\Users\admin>

Configuring fxp0 with a static IP address instead:
set interfaces fxp0 unit 0 family inet address 192.168.10.104/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.10.253

Ping test from the PC:
C:\Users\admin>ping 192.168.10.104

Pinging 192.168.10.104 with 32 bytes of data:
Reply from 192.168.10.104: bytes=32 time=5ms TTL=63
Reply from 192.168.10.104: bytes=32 time=6ms TTL=63
Reply from 192.168.10.104: bytes=32 time=6ms TTL=63
Reply from 192.168.10.104: bytes=32 time=13ms TTL=63

Ping statistics for 192.168.10.104:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 5ms, Maximum = 13ms, Average = 7ms

Command to check which interface is assigned to which zone:
show interfaces zone terse
root> show interfaces zone terse
Interface               Admin Link Proto    Local                 Remote    Zone
ge-0/0/0.0              up    up   inet     10.1.1.1/24                     Null
sp-0/0/0.0              up    up   inet
                                   inet6                                    Null
sp-0/0/0.16383          up    up   inet                                     Null
fxp0.0                  up    up   inet     192.168.10.104/24               Null
lo0.16384               up    up   inet     127.0.0.1           --> 0/0     Null
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0     Null
lo0.32768               up    up                                            Null

fxp0 is placed in the Null zone by default.
The functional management zone is normally used when a data interface is to serve as the MGMT interface.
For testing, let's make ge-0/0/0 a MGMT interface.
root# set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24
[edit]
root# set security zones functional-zone management interfaces ge-0/0/0
[edit]
root# commit
commit complete

root> show security zones terse
Zone                      Type
management                Functional
junos-host                Security
root>

Check the zone, and also check the zone the interface has been assigned to.
root> show security zones terse
Zone                      Type
management                Functional
junos-host                Security
root>

root> show interfaces zone terse
Interface               Admin Link Proto    Local                 Remote    Zone
ge-0/0/0.0              up    up   inet     10.1.1.1/24                     Management
sp-0/0/0.0              up    up   inet
                                   inet6                                    Null
sp-0/0/0.16383          up    up   inet                                     Null
fxp0.0                  up    up   inet     192.168.10.104/24               Null
lo0.16384               up    up   inet     127.0.0.1           --> 0/0     Null
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0     Null
lo0.32768               up    up                                            Null
root>

For the next test, remove the existing zone assignment of ge-0/0/0.
delete security zones functional-zone management interfaces ge-0/0/0.0
commit

root> show interfaces zone terse
Interface               Admin Link Proto    Local                 Remote    Zone
ge-0/0/0.0              up    up   inet     10.1.1.1/24                     Null
sp-0/0/0.0              up    up   inet
                                   inet6                                    Null
sp-0/0/0.16383          up    up   inet                                     Null
fxp0.0                  up    up   inet     192.168.10.104/24               Null
lo0.16384               up    up   inet     127.0.0.1           --> 0/0     Null
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0     Null
lo0.32768               up    up                                            Null
root>
2. Security zone - to control traffic between different security zones
Configure the IP addresses for the test.
set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 172.16.1.1/24
set interfaces ge-0/0/2 unit 0 family inet address 192.168.1.1/24
commit

Check the interfaces.
root> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   inet     10.1.1.1/24
gr-0/0/0                up    up
ip-0/0/0                up    up
lsq-0/0/0               up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet
ge-0/0/1                up    up
ge-0/0/1.0              up    up   inet     172.16.1.1/24
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     192.168.1.1/24
dsc                     up    up
fti0                    up    up
fxp0                    up    up
fxp0.0                  up    up   inet     192.168.10.104/24
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    down
root>

Create the zones.
set security zones security-zone trust
set security zones security-zone untrust
set security zones security-zone dmz
commit

Confirm that the zones were created.
root> show security zones terse
Zone                      Type
management                Functional
dmz                       Security
trust                     Security
untrust                   Security
junos-host                Security
root>

Assign the interfaces to the zones.
set security zones security-zone trust interfaces ge-0/0/2.0
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone dmz interfaces ge-0/0/1.0
commit

Check the interfaces assigned to the zones.
root> show interfaces zone terse | match ge-
ge-0/0/0.0              up    up   inet     10.1.1.1/24
ge-0/0/1.0              up    up   inet     172.16.1.1/24
ge-0/0/2.0              up    up   inet     192.168.1.1/24
root>

To make the ping tests possible, permit ping as a host-inbound system service in each zone.
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone dmz host-inbound-traffic system-services ping

Configure the IP on SW1 gi0/0 and ping the SRX ge-0/0/0 address 10.1.1.1.
Switch(config)#int g0/0
Switch(config-if)#no sw
Switch(config-if)#ip add 10.1.1.2 255.255.255.0
Switch(config-if)#no sh
Switch(config-if)#end
Switch# ping 10.1.1.1
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/146/579 ms
Switch#

Configure the IP on SW2 gi0/0 and ping the SRX ge-0/0/1 address 172.16.1.1.
Switch(config)#int g0/0
Switch(config-if)#no sw
Switch(config-if)#ip add 172.16.1.2 255.255.255.0
Switch(config-if)#no sh
Switch(config-if)#end
Switch#
Switch#ping 172.16.1.1
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 2/3/4 ms
Switch#

Configure the IP on SW3 gi0/0 and ping the SRX ge-0/0/2 address 192.168.1.1.
Switch#conf t
Switch(config)#int g0/0
Switch(config-if)#no sw
Switch(config-if)#ip add 192.168.1.2 255.255.255.0
Switch(config-if)#no sh
Switch(config-if)#end
Switch#ping 192.168.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
*Jun 20 08:56:02.421: %SYS-5-CONFIG_I: Configured from console by console
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/2 ms
Switch#

Because there is no firewall policy between the different zones yet, the zones cannot communicate with each other.
Thank you for reading [2024][Juniper SRX #8] Zone configuration.
In the next lesson we will look at the address-book.
Thank you.
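As an added example (not part of the original post and not Juniper's code), the following Python script audits the two checks made above with "show interfaces zone terse": it parses that output, lists data interfaces that are still sitting in the Null zone (where, as shown earlier, an unassigned interface lands and silently discards traffic), and compares the running state against the trust/untrust/dmz layout built in this post, emitting the Junos delete/set lines that would bring a drifted interface into line. The sample output, the DESIRED_PLAN mapping and all function names are constructed for this example; the sample deliberately shows ge-0/0/0.0 still in the functional management zone and ge-0/0/1.0 still in Null.

```python
"""Audit Junos SRX zone membership from 'show interfaces zone terse' output.

Added example, not from the original post. The sample output below is
constructed to resemble the post's captures (zone printed on the last line
of a multi-address entry), and DESIRED_PLAN is the layout the post builds.
"""
import re

# Constructed sample of 'show interfaces zone terse' output (not a real capture).
SAMPLE_OUTPUT = """\
root> show interfaces zone terse
Interface               Admin Link Proto    Local                 Remote    Zone
ge-0/0/0.0              up    up   inet     10.1.1.1/24                     Management
ge-0/0/1.0              up    up   inet     172.16.1.1/24                   Null
ge-0/0/2.0              up    up   inet     192.168.1.1/24                  trust
sp-0/0/0.0              up    up   inet
                                   inet6                                    Null
sp-0/0/0.16383          up    up   inet                                     Null
fxp0.0                  up    up   inet     192.168.10.104/24               Null
lo0.16384               up    up   inet     127.0.0.1           --> 0/0     Null
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0     Null
lo0.32768               up    up                                            Null
root>
"""

# Desired layout from the post (constructed for this example): interface -> zone.
DESIRED_PLAN = {
    "ge-0/0/0.0": "untrust",
    "ge-0/0/1.0": "dmz",
    "ge-0/0/2.0": "trust",
}

# Logical interface names such as ge-0/0/0.0, fxp0.0, lo0.16384, sp-0/0/0.16383.
_IFACE_RE = re.compile(r"^[a-z]+\d*(?:-\d+/\d+/\d+)?\.\d+$")
# A zone name is a word; addresses, "-->" and "0/0" never match this.
_ZONE_RE = re.compile(r"^[A-Za-z][\w-]*$")
# Words that can end a row but are never a zone name.
_NOT_ZONE = {"up", "down", "inet", "inet6", "iso", "mpls", "multiservice"}


def _zone_token(fields):
    """Return the last field if it looks like a zone name, else None."""
    last = fields[-1]
    return last if _ZONE_RE.match(last) and last not in _NOT_ZONE else None


def parse_zone_terse(text):
    """Return {logical_interface: zone} from 'show interfaces zone terse' output.

    Rows starting with an interface name open a new entry; indented rows are
    address continuations of the current entry. The zone may be on either,
    so every row of the entry is checked for a trailing zone name.
    """
    zones, current = {}, None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if not line[0].isspace():
            current = fields[0] if _IFACE_RE.match(fields[0]) else None
            if current is None:          # header line or the CLI prompt
                continue
            zones.setdefault(current, None)
        elif current is None:
            continue
        zone = _zone_token(fields)
        if zone:
            zones[current] = zone
    return zones


def unassigned_data_interfaces(zones, data_prefixes=("ge-", "xe-", "et-", "reth", "ae")):
    """Data interfaces still in the Null zone, sorted.

    Null discards everything and no security policy can reference it, so a
    data port left there is usually a forgotten step. fxp0, lo0 and sp- are
    excluded because Null is their normal state.
    """
    return sorted(name for name, zone in zones.items()
                  if zone == "Null" and name.startswith(data_prefixes))


def zone_drift(zones, plan):
    """{interface: (expected, actual)} for interfaces not in their planned zone."""
    drift = {}
    for name, expected in plan.items():
        actual = zones.get(name, "missing")
        if actual != expected:
            drift[name] = (expected, actual)
    return drift


def remediation_commands(drift):
    """Junos set/delete lines that move each drifted interface into its planned zone.

    An interface may belong to only one zone, so the old membership is removed
    first; the functional management zone and security zones live in different
    hierarchies, hence the two delete forms (both as used in the post).
    """
    cmds = []
    for name, (expected, actual) in sorted(drift.items()):
        if actual == "Management":
            cmds.append(f"delete security zones functional-zone management interfaces {name}")
        elif actual not in ("Null", "missing"):
            cmds.append(f"delete security zones security-zone {actual} interfaces {name}")
        cmds.append(f"set security zones security-zone {expected} interfaces {name}")
    return cmds


if __name__ == "__main__":
    observed = parse_zone_terse(SAMPLE_OUTPUT)
    print("Data interfaces in Null:", unassigned_data_interfaces(observed))
    for name, (exp, act) in zone_drift(observed, DESIRED_PLAN).items():
        print(f"{name}: expected {exp}, found {act}")
    print("\n".join(remediation_commands(zone_drift(observed, DESIRED_PLAN))))
```

Run it against the real output of "show interfaces zone terse" pasted into SAMPLE_OUTPUT (or read from a file); the generated lines are meant to be reviewed and committed by hand, and an interface already in its planned zone produces nothing.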