Tuesday, October 1, 2013

Step by Step Juniper SRX Security Zone

This is a small addition to the previous post about the Juniper SRX firewall's implicit deny. Sometimes you rush to configure the SRX and forget to add the permit in the security zone. Let's revisit the OSI 7-layer model and zoom in on layer 2, layer 3 and layer 4 when working with a firewall.

The scenario is JunOSRX (192.168.1.1/24) and the XYZ server (192.168.1.11/24).

#### Layer 1: connect the physical cable between JunOSRX and XYZ

#### Layer 2: check the XYZ MAC address in JunOSRX
#### If we can see the XYZ MAC address, layer 1 and layer 2 pass
user@JunOSRX> show arp
MAC Address       Address         Name                      Interface     Flags
aa:bb:cc:dd:ee:01 192.168.1.11     192.168.1.11               ge-0/0/1.0    none
Total entries: 1

#### Layer 3: check the interface facing XYZ in JunOSRX
user@JunOSRX> show configuration interfaces ge-0/0/1
unit 0 {
    description "to XYZ";
    family inet {
        address 192.168.1.1/24;
    }
}

#### Sometimes, to save time, we skip checking or defining layer 4 and go straight to checking the application layer with ping
#### Remember: when working with a firewall, layer 2, layer 3 and layer 4 must all pass

#### Verify the application layer
user@JunOSRX> ping 192.168.1.11 source 192.168.1.1 rapid
PING 192.168.1.11 (192.168.1.11): 56 data bytes
.....
--- 192.168.1.11 ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

#### Layer 4: define the firewall security rule/policy (host-inbound-traffic on the zone interface)
user@JunOSRX# show security zones security-zone TrustServer
interfaces {
    ge-0/0/1.0 {
        host-inbound-traffic {
            system-services {
                all;
            }
            protocols {
                all;
            }
        }
    }
}

#### Verify the application layer again
user@JunOSRX> ping 192.168.1.11 source 192.168.1.1 rapid
PING 192.168.1.11 (192.168.1.11): 56 data bytes
!!!!!
--- 192.168.1.11 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.002/3.867/4.676/0.686 ms
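The post fixes the problem by hand. As an added example (not from the post and not Juniper's code), the Python below parses the curly-brace configuration format shown above and answers the layer-4 question mechanically: given a zone and an interface, will the SRX itself accept ping (or any other system service) arriving on that interface? The three configuration snippets are constructed for the example: the "forgot host-inbound-traffic" case, the `all`/`all` fix from the post, and a narrower variant that uses the Junos `except` keyword. The example assumes that an interface-level `host-inbound-traffic` block replaces the zone-level block for that interface; the zone name `TrustServer` and interface names are taken from the post, `ge-0/0/2.0` is a constructed second member.

```python
import re

# Constructed Junos snippets (not from the post): the zone with host-inbound-traffic
# forgotten, the "all/all" fix the post shows, and a narrower variant that admits
# everything except ssh at zone level but only ping on ge-0/0/1.0.
ZONE_FORGOTTEN = "security { zones { security-zone TrustServer { interfaces { ge-0/0/1.0; } } } }"

ZONE_ALL = """
security { zones { security-zone TrustServer {
    interfaces {
        ge-0/0/1.0 {
            host-inbound-traffic {
                system-services { all; }
                protocols { all; }
            }
        }
    }
} } }
"""

ZONE_SCOPED = """
security { zones { security-zone TrustServer {
    host-inbound-traffic {
        system-services {
            all;
            ssh { except; }
        }
    }
    interfaces {
        ge-0/0/1.0 {
            host-inbound-traffic { system-services { ping; } }
        }
        ge-0/0/2.0;
    }
} } }
"""


def parse_junos(text):
    """Parse Junos curly-brace config: "a b { ... }" -> {"a b": {...}}, "a b;" -> {"a b": True}."""
    tokens = re.findall(r'\{|\}|;|"[^"]*"|[^\s{};"]+', text)
    root, words = {}, []
    stack = [root]
    for tok in tokens:
        if tok == "{":                       # open a nested block under the collected words
            stack.append(stack[-1].setdefault(" ".join(words), {}))
            words = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":                     # terminate a leaf statement
            if words:
                stack[-1][" ".join(words)] = True
            words = []
        else:
            words.append(tok.strip('"'))
    return root


def effective_system_services(config, zone, interface):
    """(allowed, excepted) name sets for an interface, or None if zone/interface is absent.

    Assumption: an interface-level host-inbound-traffic block replaces the zone-level
    one for that interface (Junos precedence as I understand it).
    """
    zone_cfg = config.get("security", {}).get("zones", {}).get(f"security-zone {zone}")
    if zone_cfg is None:
        return None
    iface_cfg = zone_cfg.get("interfaces", {}).get(interface)
    if iface_cfg is None:
        return None
    if iface_cfg is True:                    # listed in the zone with no sub-statements
        iface_cfg = {}
    services = iface_cfg.get("host-inbound-traffic", {}).get("system-services")
    if services is None:
        services = zone_cfg.get("host-inbound-traffic", {}).get("system-services", {})
    allowed, excepted = set(), set()
    for name, value in services.items():
        if isinstance(value, dict) and "except" in value:
            excepted.add(name)               # "ssh { except; }" carves ssh out of "all"
        else:
            allowed.add(name)
    return allowed, excepted


def service_allowed(config, zone, interface, service):
    """True if the SRX itself would accept `service` (ping, ssh, ...) arriving on `interface`."""
    result = effective_system_services(config, zone, interface)
    if result is None:
        return False
    allowed, excepted = result
    return service not in excepted and (service in allowed or "all" in allowed)


def interfaces_allowing_all(config, zone):
    """Audit helper: interfaces in the zone whose effective system-services include 'all'."""
    zone_cfg = config.get("security", {}).get("zones", {}).get(f"security-zone {zone}", {})
    return [iface for iface in zone_cfg.get("interfaces", {})
            if "all" in (effective_system_services(config, zone, iface) or (set(), set()))[0]]
```

Calling `service_allowed(parse_junos(ZONE_FORGOTTEN), "TrustServer", "ge-0/0/1.0", "ping")` returns `False`, which is exactly the 100% packet loss seen in the first ping above; with `ZONE_ALL` it returns `True`. Note that `system-services all`, as used in the post, also accepts every other management service the SRX offers (ssh, http, and so on) on that interface, which is why `interfaces_allowing_all` flags it; on a production zone, permit only the services actually needed, which for this test is `ping`.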

1 comment:

Unknown said...

Never read about Juniper OS, what's that?

Thanks
Silvester Norman
