Hi VMCOps,
Did you copy this output from the SRX? I don't see an option to specify the address after the "source-address-excluded" command.
root@srx# ...ock-Access match source-address-excluded ?
Possible completions:
<[Enter]> Execute this command
+ application Port-based application
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
+ destination-address Match destination address
destination-address-excluded Exclude destination addresses
+ source-address Match source address
> source-end-user-profile Match source end user profile
+ source-identity Match source identity
| Pipe through a command
[edit]
root@srx#
The URL below explains how to configure source-address-excluded, and I can see it's working.
https://www.juniper.net/documentation/en_US/junos/topics/example/security-policy-negated-address-configuring.html
Step 1. Create the address-book entry that you need to exclude (it can be zone-based or global).
set security zones security-zone TRUST address-book address My-PC 10.10.10.1/32
Step 2. Create a security policy with this address as source/destination and include source-address-excluded / destination-address-excluded.
set security policies from-zone TRUST to-zone UNTRUST policy Block-Access match source-address My-PC
set security policies from-zone TRUST to-zone UNTRUST policy Block-Access match destination-address any
set security policies from-zone TRUST to-zone UNTRUST policy Block-Access match source-address-excluded
set security policies from-zone TRUST to-zone UNTRUST policy Block-Access match application any
set security policies from-zone TRUST to-zone UNTRUST policy Block-Access then deny
Step 3. Run "show security policy detail" to make sure the address is showing as excluded.
root@srx> ...from-zone TRUST to-zone UNTRUST detail
Policy: Block-Access, action-type: deny, State: enabled, Index: 5, Scope Policy: 0
Policy Type: Configured
Sequence number: 1
From zone: TRUST, To zone: UNTRUST
Source addresses(excluded):
My-PC: 10.10.10.1/32
Destination addresses:
any-ipv4(global): 0.0.0.0/0
any-ipv6(global): ::/0
Application: any
IP protocol: 0, ALG: 0, Inactivity timeout: 0
Source port range: [0-0]
Destination port range: [0-0]
Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No
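The verification in Step 3 is the part worth automating, because a negated address list inverts the policy's match: with source-address-excluded set, Block-Access denies every source except My-PC, so reading "(excluded)" correctly is the difference between a narrow block and a near-total one. The following parser is an added example, not code from the reply above or from Juniper; it reads the text of "show security policies ... detail", records for each policy whether its source and destination lists are negated, and answers the question "is this address actually listed as excluded?". The sample output is constructed to mirror the reply, with a second hypothetical policy (Allow-Web, Bad-Host) added to exercise the destination-side case.

```python
"""Parse Junos 'show security policies ... detail' text and report negated address lists.

Added example; not part of the original forum reply. Regexes are written against
the output format shown in the reply and may need adjusting for other Junos releases.
"""
import re

# Constructed sample: the first policy mirrors the reply, the second is hypothetical.
SAMPLE_OUTPUT = """\
Policy: Block-Access, action-type: deny, State: enabled, Index: 5, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 1
  From zone: TRUST, To zone: UNTRUST
  Source addresses(excluded):
    My-PC: 10.10.10.1/32
  Destination addresses:
    any-ipv4(global): 0.0.0.0/0
    any-ipv6(global): ::/0
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
      Source port range: [0-0]
      Destination port range: [0-0]
  Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No
Policy: Allow-Web, action-type: permit, State: enabled, Index: 6, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 2
  From zone: TRUST, To zone: UNTRUST
  Source addresses:
    any-ipv4(global): 0.0.0.0/0
  Destination addresses(excluded):
    Bad-Host: 192.0.2.10/32
  Application: junos-http
"""

# "Policy: <name>, action-type: <action>, ..." opens a new policy record.
POLICY_RE = re.compile(r"^Policy: (?P<name>[^,\s]+), action-type: (?P<action>[^,\s]+)")
# "Source addresses:" or "Source addresses(excluded):" opens an address list;
# the "(excluded)" suffix is what marks the list as negated.
SECTION_RE = re.compile(r"^\s*(?P<dir>Source|Destination) addresses(?P<neg>\(excluded\))?:\s*$")
# Address-book entries print as "<name>[(global)]: <prefix>"; requiring a "/"
# in the prefix keeps lines such as "Application: any" out of the list.
ADDR_RE = re.compile(r"^\s*(?P<name>[^:\s(]+)(?:\(global\))?: (?P<prefix>\S+/\d+)\s*$")


def parse_policies(text):
    """Return a list of dicts, one per policy, with source/destination lists and their excluded flag."""
    policies = []
    current = None
    section = None
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = {
                "name": m["name"],
                "action": m["action"],
                "source": {"excluded": False, "addresses": []},
                "destination": {"excluded": False, "addresses": []},
            }
            policies.append(current)
            section = None
            continue
        if current is None:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["dir"].lower()
            current[section]["excluded"] = m["neg"] is not None
            continue
        if section is not None:
            m = ADDR_RE.match(line)
            if m:
                current[section]["addresses"].append((m["name"], m["prefix"]))
            else:
                section = None  # first non-address line ends the list
    return policies


def check_excluded(policies, policy_name, direction, address_name):
    """True only if address_name sits in a list that the SRX reports as (excluded)."""
    for p in policies:
        if p["name"] == policy_name:
            sec = p[direction]
            return sec["excluded"] and any(n == address_name for n, _ in sec["addresses"])
    return False


def describe(policy):
    """Spell out the effective match, making the negation explicit."""
    parts = []
    for d in ("source", "destination"):
        sec = policy[d]
        names = ", ".join(n for n, _ in sec["addresses"]) or "(none)"
        parts.append(f"{d} {'NOT in' if sec['excluded'] else 'in'} [{names}]")
    return f"{policy['name']}: {policy['action']} when " + " and ".join(parts)


if __name__ == "__main__":
    for pol in parse_policies(SAMPLE_OUTPUT):
        print(describe(pol))
```

Feed it the real output of "show security policies from-zone TRUST to-zone UNTRUST detail" (for example via a saved capture) and check_excluded(..., "Block-Access", "source", "My-PC") gives the same yes/no the eye would from the "(excluded)" label, while describe() prints the policy as "deny when source NOT in [My-PC]", which is the reading to confirm before committing a negated-address deny.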