JunOS : How to add a dedicated security zone on Juniper SRX firewall

March 13, 2020

This article explains how to add a security zone with a dedicated VLAN, DHCP scope and DNS proxy rule.

For the purpose of this example, we will add a guest zone with the following parameters :

  • VLAN ID : 40
  • Subnet : 10.10.40.0/24
  • Gateway IP (layer 3 interface) : 10.10.40.1
  • DHCP Scope : 10.10.40.128/25
  • Policy : Allow http, https, ping, traceroute, dns, dhcp
  • Allowed interface : ge-0/0/2

1. Define the VLAN :

2. Define the layer 3 interface and gateway IP on VLAN 40 :

3. Configure the DHCP server and scope :

4. Configure the DNS proxy :

5. Configure the security zone and allow all outbound traffic :

6. Add the desired interface to VLAN 40 :

Note : Add as many interfaces as needed, and make sure that every interface has the proper mode (access, trunk) and, if required, a native-vlan-id.

7. Define the allowed outbound services for the security zone :
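
Steps 1 to 7 as one set of configuration-mode commands, using the guest zone parameters listed at the top. This is an added example, not the article's original commands. It assumes Enhanced Layer 2 Software syntax (`irb` interfaces, `interface-mode`), an existing `untrust` zone with source NAT already in place, and restricted host-inbound services in step 5; the names `guest`, `guest-pool`, `scope`, `guest-out` and `guest-traceroute`, and the forwarder address 192.0.2.53, are placeholders.

```junos
# 1. VLAN 40
set vlans guest vlan-id 40

# 2. Layer 3 interface and gateway IP
set vlans guest l3-interface irb.40
set interfaces irb unit 40 family inet address 10.10.40.1/24

# 3. DHCP server and scope 10.10.40.128/25 (.255 left out: subnet broadcast)
set system services dhcp-local-server group guest interface irb.40
set access address-assignment pool guest-pool family inet network 10.10.40.0/24
set access address-assignment pool guest-pool family inet range scope low 10.10.40.128
set access address-assignment pool guest-pool family inet range scope high 10.10.40.254
set access address-assignment pool guest-pool family inet dhcp-attributes router 10.10.40.1
set access address-assignment pool guest-pool family inet dhcp-attributes name-server 10.10.40.1

# 4. DNS proxy on the guest gateway (forwarder is a placeholder address)
set system services dns dns-proxy interface irb.40
set system services dns dns-proxy default-domain * forwarders 192.0.2.53

# 5. Security zone: only the services guests need from the firewall itself
set security zones security-zone guest interfaces irb.40 host-inbound-traffic system-services dhcp
set security zones security-zone guest interfaces irb.40 host-inbound-traffic system-services dns
set security zones security-zone guest interfaces irb.40 host-inbound-traffic system-services ping

# 6. Access port in VLAN 40
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members guest

# 7. Outbound policy: http, https, ping, traceroute, dns only
#    (custom application for UDP traceroute probes; constructed for this example)
set applications application guest-traceroute protocol udp destination-port 33434-33534
set security policies from-zone guest to-zone untrust policy guest-out match source-address any
set security policies from-zone guest to-zone untrust policy guest-out match destination-address any
set security policies from-zone guest to-zone untrust policy guest-out match application junos-http
set security policies from-zone guest to-zone untrust policy guest-out match application junos-https
set security policies from-zone guest to-zone untrust policy guest-out match application junos-icmp-ping
set security policies from-zone guest to-zone untrust policy guest-out match application junos-dns-udp
set security policies from-zone guest to-zone untrust policy guest-out match application junos-dns-tcp
set security policies from-zone guest to-zone untrust policy guest-out match application guest-traceroute
set security policies from-zone guest to-zone untrust policy guest-out then permit
```

No policy from `guest` to any internal zone is defined, so guest hosts stay isolated from other zones as long as the default policy remains deny-all. Review the candidate with `show | compare` and apply it with `commit confirmed` so a mistake rolls back automatically.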

Note : You may also allow all services for some specific cases, but this is not recommended for a guest zone :