Expand all | Collapse all

Security policy bypass

Jump to Best Answer
  • 1.  Security policy bypass

    Posted 05-06-2017 08:34

    If the incomming packet destination address is the receiving interface, SRX will not check Security policy it will check the host-inbound traffic !!!!


    >> would someone please explain why this behavior ??????


  • 2.  RE: Security policy bypass

    Posted 05-06-2017 09:59

    Originally on the SRX the security policies only applied to transit traffic only.


    Traffic destined to the SRX is known as "self traffic".  The host inbound traffic is the basic method to restrict overall what protocols can connect to the SRX assigned addresses.  This is still frequently used as the only restrictions applied to self traffic.


    But later a specific zone for self traffic was added to the SRX junos-host zone.  Using this zone you can then write more specific security policies for traffic destined to the SRX itself as needed.

  • 3.  RE: Security policy bypass

    Posted 05-06-2017 11:07

    eng/ spuluka, please correct my understanding,

    based on what i understood from your writting: If traffic destination is an IP address belongs to one of the SRX interfaces it will not get effected by security policy because it didnt goes out from the device ( not transit traffic ) and the solution is to use junos-host-zone which represent the device its self ?????



  • 4.  RE: Security policy bypass

    Posted 05-06-2017 11:36

    Correct the junos-host zone is the one to use for security policies that affect traffic destined to the SRX itself.

  • 5.  RE: Security policy bypass

    Posted 05-06-2017 14:27


    please i have one last question,

    i tried a Lab and i found every thing is correct except one thing, traffics destined to device trust-zone interface doesnt match the self-host policy!!!!

    For example i have :

    GE-0/0/0 (Trust-zone)   SRX-1 ---------------------------------- SRX-2 

    i tried to ping from SRX-2 to the ge-0/0/0 ip address and i found that it match a normal security policy (from zone-untrust to zone-trust)


  • 6.  RE: Security policy bypass
    Best Answer

    Posted 05-06-2017 15:07

    Hi Ahmed,


    The reason it checks the normal security  policy is that becasue the traffic is not destined to the interface where the traffic is first received and in this case it is the untrust zone interface.


    You are trying to ping Trust zone interface from a device connected to untrust zone interface and hence traffic has to traverse the two zones though the ping is destined to the trust zone interface itself. Hence it will first check for the normal security policy check and then check if it is allowed as host inbound traffic for the trust zone interface or not or it will check if there is any policy to the junos-host zone.


    To summarize normal security policies come into the picture whenever the traffic has to traverse from one zone to the other zone irrespective of the fact that the destionation is on the SRX itself or not. If the traffic is not destined to SRX then nothing else will be checked and the traffic will be permitted or dropped as configured but if the traffic is destined to SRX then it will check for the host-inbound services for the destination interface or junos-host zone policy if any configured.


    Hope this helps to answer your queries 🙂


    Pulkit Bhandari
    Please mark my response as Solution Accepted if it Helps, Kudos are Appreciated too. Smiley Happy 


  • 7.  RE: Security policy bypass

    Posted 05-06-2017 15:27

    thx pulkit, you have been a great help for me this week 🙂

    It was a little confusing because i found if i ping to a device with source-interface ( trust ge-0/0/0) it will be considered self originating and it will match the self policy (in this scenario im the one sending packets) ,, but if the opposite if the packet is comming to the trust-zone interface it will be considered transit (in this scenario im receiving packets) ....

  • 8.  RE: Security policy bypass

    Posted 05-06-2017 23:13

    Hi Ahmed,



    It was a pleasure answering your queries as they also helped me to gain in knowledge. 🙂


    Coming back to your last post, The reason SRX checks for self policy when you initiate the ping from SRX sourcing from an interface is that by default everything is allowed to be initiated from the SRX interface and since it iriginates from the interface is is from junos-host zone which is part of self traffic policy.


    Hope this Helps. 🙂


    Thanks and Regards,

    Pulkit Bhandari