SRX


Traffic hitting wrong policy

  • 1.  Traffic hitting wrong policy

    Posted 5 days ago
    Hello guys,

    I hope everyone is doing well. I need help on srx 5400 configuration. I have 3 zones (DMZ, UNTRUST and TRUST), my goal is to pass traffic from a dmz host to specific host in the trust zone. To achieve this I have configured a security policy from-zone DMZ to-zone TRUST but the traffic keeps on hitting from-zone DMZ to-zone UNTRUST which should not be.  I moved the policy before from-zone DMZ to-zone UNTRUST.

    DMZ - 10.20.20.X/24
    TRUST - 172.16.X.X/24

    from-zone DMZ to-zone TRUST {
        policy allow-api-to-DB {
            match {
                source-address [ ap-api1-pw ap-api2-pw ];
                destination-address ap-db-lb1;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone DMZ to-zone UNTRUST {
        policy PERMIT-DMZ-INTERNET {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }

    Session lookup when pinging from DMZ to TRUST:

    Flow Sessions on FPC0 PIC1:
    Total sessions: 0

    Flow Sessions on FPC0 PIC2:

    Session ID: 137650544, Policy name: PERMIT-DMZ-INTERNET/9, State: Active, Timeout: 54, Valid
    In: 10.20.20.1/1 --> 172.16.6.216/2870;icmp, Conn Tag: 0x0, If: reth1.0, Pkts: 1, Bytes: 84, CP Session ID: 3515766
    Out: 172.16.6.216/2870 --> 112.199.XX.X/41547;icmp, Conn Tag: 0x0, If: reth2.10, Pkts: 0, Bytes: 0, CP Session ID: 3515766

    Hope someone can help me as I am running out of ideas and I have tried many configurations and troubleshooting steps, but to no avail.

    Thank you!

    ------------------------------
    Kevin Pentason
    ------------------------------


  • 2.  RE: Traffic hitting wrong policy

    Posted 5 days ago
    Hi,
    (if no NAT were involved, but it is!) routing determines the destination zone (Traffic Processing on SRX Series Devices Overview - TechLibrary - Juniper Networks) so please check your NAT config first why it matches this traffic which according to your description it should probably not.
    Regards
    Ulf

    ------------------------------
    Ulf Bremer
    ------------------------------



  • 3.  RE: Traffic hitting wrong policy

    Posted 5 days ago
    Hi,

    I defined a rule to turn off NAT for the flow DMZ->TRUST but still the traffic hits the DMZ to UNTRUST policy. This is my Source NAT configuration.

    rule-set DMZ-to-UNTRUST-INTERNET {
        from zone DMZ;
        to zone UNTRUST;
        rule DMZ-NO-NAT-TOTRUST {
            match {
                destination-address-name TRUST-SEGMENT-ALL;
            }
            then {
                source-nat {
                    off;
                }
            }
        }
        rule DMZ-SERVER-ALL {
            match {
                source-address-name DMZ;
                destination-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    interface;
                }
            }
        }
    }

    ------------------------------
    Kevin Pentason
    ------------------------------



  • 4.  RE: Traffic hitting wrong policy
    Best Answer

    Posted 5 days ago
    Hi,
    right, the flow indicates source NAT which comes after route and zone lookup so shouldn't play a role anyway, sorry.
    Any static NAT configured?
    Can you please (double-/triple-) check "show route 172.16.6.216" and to which zone that interface belongs?
    Regards
    Ulf


    ------------------------------
    Ulf Bremer
    ------------------------------



  • 5.  RE: Traffic hitting wrong policy

    Posted 5 days ago
    Hi Ulf,

    I got it now thanks to you! I hadn't suspected or checked the routing table, but it is indeed the culprit. I have 3 rib groups in our SRX, the inet.0 and two more for isp1 and isp2. The inet.0 has complete local and static routes, while the isp1/2 rib was missing the route to the trust zone, making the traffic go to the internet because of the default route (0.0.0.0/0). Solved it by adding a static route for the trust on the isp1/2 rib group. Reminder and lesson for me, to double check all possible areas.

    Again thanks a ton! :)

    ------------------------------
    Kevin Pentason
    ------------------------------
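A small model of the first-packet processing order Ulf pointed at (route lookup fixes the destination zone, only then are policies for that zone pair searched), as an added example and not part of the original thread. The TRUST-side interface name "reth0.0", the 172.16.0.0/16 aggregate and the per-rib route tables are constructed assumptions; the thread only names reth1.0 (DMZ) and reth2.10 (UNTRUST).

```python
import ipaddress

# Constructed topology: "reth0.0" as the TRUST interface is an assumption.
ZONE_OF_INTERFACE = {"reth1.0": "DMZ", "reth2.10": "UNTRUST", "reth0.0": "TRUST"}

# Security policies as (from-zone, to-zone, name, destination prefix);
# source/application matching is reduced to "any" to keep the model small.
POLICIES = [
    ("DMZ", "TRUST", "allow-api-to-DB", "172.16.6.216/32"),
    ("DMZ", "UNTRUST", "PERMIT-DMZ-INTERNET", "0.0.0.0/0"),
]

def lookup_route(rib, dst):
    """Longest-prefix match over (prefix, egress interface) entries."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, egress in rib:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    return best[1] if best else None

def select_policy(rib, in_if, dst):
    """Return (to-zone, policy name) the way the SRX flow would pick it."""
    from_zone = ZONE_OF_INTERFACE[in_if]
    egress = lookup_route(rib, dst)
    if egress is None:
        return None                       # no route: packet is dropped
    to_zone = ZONE_OF_INTERFACE[egress]   # zone comes from the egress interface
    for fz, tz, name, prefix in POLICIES:
        if (fz, tz) != (from_zone, to_zone):
            continue
        if ipaddress.ip_address(dst) in ipaddress.ip_network(prefix):
            return to_zone, name
    return to_zone, None                  # zone pair found, no policy: default deny

# inet.0 has the TRUST route; the constructed ISP rib only carries the default.
INET0 = [("10.20.20.0/24", "reth1.0"), ("172.16.0.0/16", "reth0.0"), ("0.0.0.0/0", "reth2.10")]
ISP1_RIB = [("10.20.20.0/24", "reth1.0"), ("0.0.0.0/0", "reth2.10")]

def fixed_isp_rib():
    """The fix from the thread: add the static TRUST route to the ISP rib."""
    return ISP1_RIB + [("172.16.0.0/16", "reth0.0")]

if __name__ == "__main__":
    for label, rib in (("inet.0", INET0), ("isp1 missing", ISP1_RIB), ("isp1 fixed", fixed_isp_rib())):
        print(label, "->", select_policy(rib, "reth1.0", "172.16.6.216"))
```

With the incomplete ISP rib the DMZ-to-TRUST ping resolves to reth2.10, so the zone pair becomes DMZ to UNTRUST and PERMIT-DMZ-INTERNET matches, exactly as in the session output above; adding the static route flips the result to allow-api-to-DB.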



  • 6.  RE: Traffic hitting wrong policy

    Posted 5 days ago
    My pleasure Kevin. In case you find the right button in this new UI, you might want to mark the pointer to routing as the "solution" or however it's called. Ulf

    ------------------------------
    Ulf Bremer
    ------------------------------