SRX

I'm unclear on how to exclude a single IP from a security policy (without creating a duplicate policy with reject). How do I match any IP except for one in a security policy?

Is this the correct way to get this working?:

policy my-security-policy {
  match {
    source-address any;
    source-address-excluded block-this-ip;
    destination-address endpoint1;
    application [ http https ];
  }
  then {
    accept;
    count;
  }
}

Yes that sees to be correct. I had not noticed this feature in security polices before. I have used similar in ACLs which use the word except. 

But go for it and test an IP on a test workstation. Also

BE SURE TO USE: commit confirmed <time_value in minutes>

If you are remote, ask someone on the network whom you can test it with.

Unfortunately I do not know if there is a GUI option to test firewall polices, but I dont know of one from the cli. There is a est policy for routing polices. I think this is a major utility that they do not seem to have considered. But it is extremely useful. I know other security firewalls with a built in utility to test all kinds of security polices.

Hi VMCOps,

Did you copy this output from SRX? I dont see an option to specify the Address after "source-address-excluded" command.

root@srx# ...ock-Access match source-address-excluded ?         
Possible completions:
  <[Enter]>            Execute this command
+ application          Port-based application
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
+ destination-address  Match destination address
  destination-address-excluded  Exclude destination addresses
+ source-address       Match source address
> source-end-user-profile  Match source end user profile
+ source-identity      Match source identity
  |                    Pipe through a command
[edit]
root@srx#

Below URL explains how to configure source-address-excluded and I can see its working.

https://www.juniper.net/documentation/en_US/junos/topics/example/security-policy-negated-address-configuring.html

Step 1. Create address book entry that you need to exclude (It can be zone based or global)

set security zones security-zone TRUST address-book address My-PC 10.10.10.1/32

Step 2.

Create secuirty policy with this address as Source/Destination and include source-address-excluded /destination-address-excluded

set security policies from-zone TRUST to-zone UNTRUST policy Block-Access match source-address My-PC
set security policies from-zone TRUST to-zone UNTRUST policy Block-Access match destination-address any
set security policies from-zone TRUST to-zone UNTRUST policy Block-Access match source-address-excluded
set security policies from-zone TRUST to-zone UNTRUST policy Block-Access match application any
set security policies from-zone TRUST to-zone UNTRUST policy Block-Access then deny

Step 3.

Run "show security policy detail" to make sure the address is showing as excluded

root@srx> ...from-zone TRUST to-zone UNTRUST detail            
Policy: Block-Access, action-type: deny, State: enabled, Index: 5, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 1
  From zone: TRUST, To zone: UNTRUST
  Source addresses(excluded):
    My-PC: 10.10.10.1/32
  Destination addresses:
    any-ipv4(global): 0.0.0.0/0
    any-ipv6(global): ::/0
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
      Source port range: [0-0]
      Destination port range: [0-0]
  Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No