Got a Juniper SSG140 Firewall. Need some help for simple setup. Appreciate any help or feedback.
Q1. Basically I've got a switch, with servers connected to this switch. So servers are being accessed directly by the dedicated IP.
But currently I'm adding this firewall. By default it comes with a 3 port setup (trusted, DMZ and untrusted); the rest are NULL.
So I'm adding this Firewall on the edge, between the INTERNET and the SWITCH.
To my understanding, the network port from the INTERNET should be plugged into the untrusted port, and then the switch should be connected to the firewall port which is setup as trusted zone. Am I right?
Because I want the initial setup to be free flowing, from external Internet traffic to internal network and from internal to the Internet without restriction, is that okay? Anything else I need to do?
Q2. And another question is with the assigning of IPs (whether static or DHCP) when doing the initial setup. Basically I need to assign IPs to the 3 default ports with trusted, DMZ and untrusted.
-> Should I set DHCP option for all of them? Or assign static IP for them? What are the advantage/disadvantage of the 2?
-> If setting them with static IPs, should public IP or private IP be used instead?
I wouldn't recommend any NAT for a hosting environment. Get a few different IP blocks from your hosting provider and do a "public" zone so servers will have a public IP but still be protected by the SSG.
If you're looking to do NAT you'll configure VIP (virtual IPs) for each of the WAN IPs and map specific ports to the internal IPs. You'll then need to create a policy from ANY to the VIP interface and allow specific traffic.
If you're looking for routing this too can be done in ScreenOS. You will configure this with policies and would need your provider to route your IPs to a single address on their network. For example if you had a /29 or larger block they can route this to you on a single IP they will provide you. You can then use the IPs on any internal interfaces and filter traffic as it passes between zones.
If you plan to use this as a switch too (there are a lot of ports on the SSG140 for a firewall) you can create a "bgroup" and add the physical ports.
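The three pieces of the answer above (a bgroup built from spare ports, a VIP on the untrust interface, and the policies that permit traffic through it) look like this in ScreenOS CLI form. This is an added configuration example, not the answerer's own config or anything from Juniper's documentation; the interface names (ethernet0/0 as untrust, ethernet0/2 and ethernet0/3 folded into bgroup0), the 203.0.113.0/29 WAN block, the 192.168.1.0/24 inside range and the "web-srv" address object are all assumed placeholders. Lines beginning with `#` are annotations for the reader, not ScreenOS commands.

```screenos
# --- Untrust side: static public IP on the WAN port, default route to the provider ---
set interface ethernet0/0 zone untrust
set interface ethernet0/0 ip 203.0.113.2/29
set interface ethernet0/0 route
set route 0.0.0.0/0 interface ethernet0/0 gateway 203.0.113.1

# --- Use spare ports as a switch: unbind them, then add them to bgroup0 in the trust zone ---
set interface ethernet0/2 zone null
set interface ethernet0/3 zone null
set interface bgroup0 port ethernet0/2
set interface bgroup0 port ethernet0/3
set interface bgroup0 zone trust
set interface bgroup0 ip 192.168.1.1/24
set interface bgroup0 nat

# --- NAT option from the answer: one VIP per WAN IP, mapping a port to an inside host ---
# 203.0.113.3:80 on the untrust interface is forwarded to the internal web server
set interface ethernet0/0 vip 203.0.113.3 80 HTTP 192.168.1.10
set address trust "web-srv" 192.168.1.10 255.255.255.255

# --- Policies ---
# Inbound: only the mapped service reaches the VIP, and each session is logged
set policy from untrust to trust any "VIP(203.0.113.3)" HTTP permit log
# Outbound: inside hosts may reach the Internet (source-NATed behind ethernet0/0)
set policy from trust to untrust any any any permit
# Explicit catch-all deny with logging so blocked inbound attempts show up in the event log
set policy from untrust to trust any any any deny log
save
```

The inbound policy deliberately names the VIP and the HTTP service rather than ANY/ANY: even if the rest of the setup is kept permissive to start, the only thing reachable from the Internet is the service that was mapped, and the trailing deny-with-log line gives you a record of everything else that was attempted. If you follow the answer's "public zone" suggestion instead of VIP NAT, replace the bgroup0 NAT line with `set interface bgroup0 route`, create the zone with `set zone name public`, bind the server-facing interface to it, and write the policies from untrust to public against the servers' real public addresses.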