SSG5 - tunnels, zones and VPN

Hi Experts,

I'm new to Juniper firewalls and am having a hard time wrapping my brain around how tunnels and zones are used. Does anyone know a good link to good documentation on these topics?

This is a good start to get info regarding VPNs

Another good link to have is for the Juniper technical publications

From there you can get detailed docs on doing pretty much all that you want to do with Juniper boxes. is also a great resource for researching basic info. Note some solutions will require a valid login for the site, but there are still quite a lot of articles open to the public.

The idea behind zones is to allow us to group similar networks and interfaces with similar security requirements into one logical unit. We can then use this to assign specific levels of security and policies.

ScreenOS (and now Junos) uses a pair of zones to express the directionality of the traffic, i.e. from trust to untrust, or from untrust to dmz, etc.

This is different from other firewalls in that if we need 2-way traffic on a particular set of parameters we MUST have 2 rules, i.e. from trust to untrust any any any permit, and from untrust to trust any any any permit (the reverse), rather than having the same source and destination nets in each source and destination window (like Check Point).

Although it can add to the number of rules you have overall, because the unit will only ever look at policies assigned for the specific zonal direction, the actual policy look up for the traffic is generally quicker than other vendors as there are fewer matching policies to go through.
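What deimark describes, written out as ScreenOS CLI. This is an added example, not configuration from the post above or from Juniper's documentation; the interface names, addresses, policy IDs and the custom service are assumptions chosen for illustration:

```screenos
# Added example, not from the original post. Interface names, addresses,
# policy IDs and the custom service below are assumed for illustration.

# 1. Zones: bind each interface to a zone. Interfaces in the same zone
#    pass traffic to each other without any policy lookup; only traffic
#    crossing from one zone to another is matched against policies.
set interface bgroup0 zone "Trust"
set interface bgroup0 ip 192.168.1.1/24
set interface ethernet0/1 zone "DMZ"
set interface ethernet0/1 ip 192.168.2.1/24
set interface ethernet0/0 zone "Untrust"
set interface ethernet0/0 ip 203.0.113.2/24

# 2. Address book entries belong to a zone, so the same name can only be
#    used in policies whose from-zone or to-zone owns it.
set address "Trust" "lan-net" 192.168.1.0 255.255.255.0
set address "Trust" "db-srv" 192.168.1.20 255.255.255.255
set address "DMZ" "web-srv" 192.168.2.10 255.255.255.255

# A custom service for the database port. HTTP, HTTPS, DNS and ANY are
# predefined services that ship with ScreenOS.
set service "db-tcp1433" protocol tcp src-port 0-65535 dst-port 1433-1433

# 3. Policies are keyed on the (from-zone, to-zone) pair, so each
#    direction in which sessions are *initiated* needs its own policy.
#    Replies belonging to a session already permitted by policy 1 are
#    matched by the session table and do not need a reverse policy.
set policy id 1 from "Trust" to "Untrust" "lan-net" "Any" "HTTP" permit log
set policy id 2 from "Trust" to "Untrust" "lan-net" "Any" "DNS" permit log
set policy id 3 from "Trust" to "DMZ" "lan-net" "web-srv" "HTTPS" permit log

# The DMZ web server opens its own sessions to the database, so the
# reverse zone pair gets its own, narrowly scoped policy: one host, one
# host, one service. Not "any any any".
set policy id 4 from "DMZ" to "Trust" "web-srv" "db-srv" "db-tcp1433" permit log

# Anything else crossing these zone pairs hits the default deny. Leave the
# Untrust -> Trust and Untrust -> DMZ lists empty until a specific inbound
# requirement exists; every entry there is an exposure.

# 4. Check what the box will actually consult for a given direction:
get policy from "DMZ" to "Trust"
```

The `get policy from ... to ...` listing is the quickest way to see deimark's point in practice: for a packet arriving on ethernet0/1 destined for 192.168.1.20, only the DMZ to Trust list is walked, so policies 1 to 3 are never evaluated for it.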


Qlemo (Batchelor, Developer and EE Topic Advisor) commented:
Zones are well explained by deimark. You can group several interfaces into the same zone, and no policies will be applied between the interfaces. As he said, zones need to be crossed for policies to be applied.

About tunnels: There are two kinds of tunnels on ScreenOS: tunnel interfaces, which are statically defined virtual interfaces for VPN, and dynamic tunnels, which are created as soon as a VPN is connected. That makes it a bit more complicated to understand, but you do not need to know the tunnel interfaces for a start, as long as you do not have special requirements.
Dynamic tunnels are created if you use policy-based VPN. That is, you define your VPN parameters in a policy only; no routing info is needed, it is all done by the policy. Those VPNs are the easier ones, as you can visually see what they have defined.

Tunnels can be imagined as pipes in pipes. There is always something wrapped around the contents to hide it from the public, like an envelope in another envelope. The simplest tunnel just wraps another protocol around the packet, e.g. IP with embedded IP, to be able to pass packets addressed from and to private addresses over a public medium (the Internet). Usually you want to encrypt the contents, especially when using the Internet for carrying the tunnel, and that is what you define in the VPN settings. There are more VPN settings for securing the authenticity, encryption key (re)negotiation and so on, which make them much more secure.

I recommend reading the corresponding volumes of the Concepts & Examples guide for Juniper ScreenOS. They cover the basics well, and allow for specific reading if needed.
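The two kinds of tunnel Qlemo describes, side by side in ScreenOS CLI. This is an added example, not configuration from the comment above or from Juniper's documentation; the peer address, object names, pre-shared key placeholder and subnets are assumptions, and the `lan-net` address book entry (192.168.1.0/24 in the Trust zone) is assumed to exist already:

```screenos
# Added example, not from the original post. Peer address, names, key
# placeholder and subnets are assumed for illustration; "lan-net" is an
# existing Trust-zone address entry for 192.168.1.0/24.

# Phase 1: the IKE gateway (who we talk to and how we authenticate).
# "sec-level standard" picks Juniper's predefined proposal set. Main mode
# is used because both ends have static addresses; the pre-shared key is a
# placeholder and should be long and random in a real deployment.
set ike gateway "branch-gw" address 198.51.100.1 main outgoing-interface ethernet0/0 preshare "ReplaceWithStrongPSK" sec-level standard

# The remote network, defined in the zone where the tunnel terminates.
set address "Untrust" "branch-net" 10.20.0.0 255.255.255.0

# --- Option A: policy-based VPN (Qlemo's "dynamic tunnel") ---
# Phase 2: the IPsec SA tied to the gateway above.
set vpn "branch-vpn" gateway "branch-gw" sec-level standard

# The policy action is "tunnel" instead of "permit": traffic that matches
# is encrypted into branch-vpn, and the tunnel is negotiated on demand.
# As with any zone pair, each initiating direction needs its own policy;
# pair-policy links the two so they share one tunnel and proxy-ID.
set policy id 10 from "Trust" to "Untrust" "lan-net" "branch-net" "ANY" tunnel vpn "branch-vpn" log
set policy id 11 from "Untrust" to "Trust" "branch-net" "lan-net" "ANY" tunnel vpn "branch-vpn" pair-policy 10 log

# --- Option B: route-based VPN (the "tunnel interface" kind) ---
# Configure this instead of Option A, not alongside it, for the same
# subnets. The VPN is bound to a virtual tunnel interface, a route decides
# what enters the tunnel, and ordinary permit policies control it.
set interface tunnel.1 zone "Untrust"
set interface tunnel.1 ip unnumbered interface ethernet0/0
set vpn "branch-vpn-rb" gateway "branch-gw" sec-level standard
set vpn "branch-vpn-rb" bind interface tunnel.1
# Proxy-ID must mirror what the peer expects, or phase 2 will fail.
set vpn "branch-vpn-rb" proxy-id local-ip 192.168.1.0/24 remote-ip 10.20.0.0/24 "ANY"
set route 10.20.0.0/24 interface tunnel.1
set policy id 20 from "Trust" to "Untrust" "lan-net" "branch-net" "ANY" permit log
set policy id 21 from "Untrust" to "Trust" "branch-net" "lan-net" "ANY" permit log

# Status checks once the peer side is configured:
get ike cookies
get sa
```

Option A is the one Qlemo recommends starting with: the policy itself tells you which traffic is encrypted, and there is nothing to route. Option B becomes worth the extra lines when you need dynamic routing over the tunnel, more than one subnet per tunnel without a policy per pair, or a zone of its own for the tunnel interface. In both cases `get sa` shows whether phase 2 actually came up, and an `A/-` or `I/I` state rather than `A/U` is the first thing to check when traffic silently disappears.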