SRX

Traffic hitting wrong policy

  • 1.  Traffic hitting wrong policy

    Posted 01-12-2021 01:02
    Hello guys,

    I hope everyone is doing well. I need help with an SRX 5400 configuration. I have 3 zones (DMZ, UNTRUST and TRUST), and my goal is to pass traffic from a DMZ host to a specific host in the TRUST zone. To achieve this I have configured a security policy from-zone DMZ to-zone TRUST, but the traffic keeps on hitting from-zone DMZ to-zone UNTRUST, which it should not. I moved the policy before from-zone DMZ to-zone UNTRUST.

    DMZ - 10.20.20.X/24
    TRUST - 172.16.X.X/24

    from-zone DMZ to-zone TRUST {
        policy allow-api-to-DB {
            match {
                source-address [ ap-api1-pw ap-api2-pw ];
                destination-address ap-db-lb1;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone DMZ to-zone UNTRUST {
        policy PERMIT-DMZ-INTERNET {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }

    Session lookup when pinging from DMZ to TRUST:

    Flow Sessions on FPC0 PIC1:
    Total sessions: 0

    Flow Sessions on FPC0 PIC2:

    Session ID: 137650544, Policy name: PERMIT-DMZ-INTERNET/9, State: Active, Timeout: 54, Valid
    In: 10.20.20.1/1 --> 172.16.6.216/2870;icmp, Conn Tag: 0x0, If: reth1.0, Pkts: 1, Bytes: 84, CP Session ID: 3515766
    Out: 172.16.6.216/2870 --> 112.199.XX.X/41547;icmp, Conn Tag: 0x0, If: reth2.10, Pkts: 0, Bytes: 0, CP Session ID: 3515766

    Hope someone can help me, as I am running out of ideas; I have tried many configurations and troubleshooting steps but to no avail.

    Thank you!

    ------------------------------
    Kevin Pentason
    ------------------------------


  • 2.  RE: Traffic hitting wrong policy

    Posted 01-12-2021 03:12
    Hi,
    (If no NAT were involved, but it is!) routing determines the destination zone (Traffic Processing on SRX Series Devices Overview - TechLibrary - Juniper Networks), so please check your NAT config first to see why it matches this traffic, which according to your description it probably should not.
    Regards
    Ulf

    ------------------------------
    Ulf Bremer
    ------------------------------



  • 3.  RE: Traffic hitting wrong policy

    Posted 01-12-2021 03:26
    Hi,

    I defined a rule to turn off NAT for the flow DMZ->TRUST, but the traffic still hits the DMZ to UNTRUST policy. This is my source NAT configuration.

    rule-set DMZ-to-UNTRUST-INTERNET {
        from zone DMZ;
        to zone UNTRUST;
        rule DMZ-NO-NAT-TOTRUST {
            match {
                destination-address-name TRUST-SEGMENT-ALL;
            }
            then {
                source-nat {
                    off;
                }
            }
        }
        rule DMZ-SERVER-ALL {
            match {
                source-address-name DMZ;
                destination-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    interface;
                }
            }
        }
    }

    ------------------------------
    Kevin Pentason
    ------------------------------



  • 4.  RE: Traffic hitting wrong policy
    Best Answer

    Posted 01-12-2021 03:36
    Hi,
    Right, the flow indicates source NAT, which comes after route and zone lookup, so it shouldn't play a role anyway, sorry.
    Any static NAT configured?
    Can you please (double-/triple-) check "show route 172.16.6.216" and to which zone that interface belongs?
    Regards
    Ulf


    ------------------------------
    Ulf Bremer
    ------------------------------



  • 5.  RE: Traffic hitting wrong policy

    Posted 01-12-2021 04:19
    Hi Ulf,

    I got it now thanks to you! I hadn't suspected or checked the routing table, but it is indeed the culprit. I have 3 RIB groups in our SRX: inet.0 and two more for isp1 and isp2. inet.0 has complete local and static routes, while the isp1/2 RIBs were missing the route to the TRUST zone, making the traffic go to the internet because of the default route (0.0.0.0/0). Solved it by adding a static route for TRUST in the isp1/2 RIB groups. Reminder and lesson for me: double-check all possible areas.

    Again thanks a ton! :)

    ------------------------------
    Kevin Pentason
    ------------------------------
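The lookup order Ulf points to (route lookup picks the egress interface, the egress interface's zone picks the from-zone/to-zone policy context, and only then is the policy list in that context searched) is what made the DMZ->TRUST ping land on PERMIT-DMZ-INTERNET. The following is an added example, not code from the thread or from Juniper: a small Python model of that lookup order, run against a constructed inet.0 table and a constructed isp1 table that, as in Kevin's case, lacks the TRUST prefix and falls through to the default route. The TRUST interface name reth0.0, the 172.16.6.0/24 prefix, and the address-book values for ap-api1-pw, ap-api2-pw and ap-db-lb1 are assumptions; reth1.0 and reth2.10 are the interfaces from the posted session output.

```python
"""Model of the SRX flow lookup order behind the thread: route -> egress
interface -> destination zone -> policy. Source NAT is evaluated after this
and cannot change the zone pair. Added example; tables are constructed."""
import ipaddress
from dataclasses import dataclass

# Interface -> zone. reth1.0 (DMZ) and reth2.10 (UNTRUST) come from the posted
# session output; reth0.0 as the TRUST interface is an assumption.
IF_ZONE = {"reth1.0": "DMZ", "reth2.10": "UNTRUST", "reth0.0": "TRUST"}

# Address-book names from the posted policy, resolved to constructed values.
ADDRESS_BOOK = {
    "ap-api1-pw": ["10.20.20.1/32"],
    "ap-api2-pw": ["10.20.20.2/32"],
    "ap-db-lb1": ["172.16.6.216/32"],
    "any": ["0.0.0.0/0"],
}


@dataclass
class Policy:
    name: str
    from_zone: str
    to_zone: str
    src: list
    dst: list


# The two policies from the original post, in their configured order.
POLICIES = [
    Policy("allow-api-to-DB", "DMZ", "TRUST", ["ap-api1-pw", "ap-api2-pw"], ["ap-db-lb1"]),
    Policy("PERMIT-DMZ-INTERNET", "DMZ", "UNTRUST", ["any"], ["any"]),
]


def route_lookup(rib, dst):
    """Longest-prefix match over a {prefix: egress-interface} table."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, ifname in rib.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


def _addr_in(names, ip):
    ip = ipaddress.ip_address(ip)
    return any(ip in ipaddress.ip_network(p) for n in names for p in ADDRESS_BOOK[n])


def policy_lookup(rib, in_if, src, dst):
    """Return (to_zone, egress_if, policy_name) in SRX evaluation order:
    the zone pair is fixed by routing first, then the first policy in that
    pair whose addresses match wins. Policy order across zone pairs is
    irrelevant, which is why moving allow-api-to-DB earlier did nothing."""
    out_if = route_lookup(rib, dst)
    if out_if is None:
        return (None, None, "drop: no route")
    from_zone, to_zone = IF_ZONE[in_if], IF_ZONE[out_if]
    for p in POLICIES:
        if (p.from_zone, p.to_zone) == (from_zone, to_zone) \
                and _addr_in(p.src, src) and _addr_in(p.dst, dst):
            return (to_zone, out_if, p.name)
    return (to_zone, out_if, "default-deny")


# Constructed routing tables. inet.0 is complete; the isp1 RIB, as described
# in the thread, initially lacks the TRUST prefix and hits the default route.
INET0 = {"10.20.20.0/24": "reth1.0", "172.16.6.0/24": "reth0.0", "0.0.0.0/0": "reth2.10"}
ISP1_BROKEN = {"10.20.20.0/24": "reth1.0", "0.0.0.0/0": "reth2.10"}
ISP1_FIXED = dict(ISP1_BROKEN, **{"172.16.6.0/24": "reth0.0"})

if __name__ == "__main__":
    cases = [("inet.0", INET0), ("isp1 before fix", ISP1_BROKEN), ("isp1 after static route", ISP1_FIXED)]
    for label, rib in cases:
        print(f"{label:24s}", policy_lookup(rib, "reth1.0", "10.20.20.1", "172.16.6.216"))
```

Running it prints the TRUST policy for inet.0 and the fixed isp1 table, and PERMIT-DMZ-INTERNET with egress reth2.10 for the broken isp1 table, matching the posted session. The practical check this encodes is the one from the thread: run "show route <destination>" in the RIB the ingress interface actually uses, then confirm which zone the returned interface belongs to, before looking at policy order or NAT.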



  • 6.  RE: Traffic hitting wrong policy

    Posted 01-12-2021 04:59
    My pleasure, Kevin. In case you find the right button in this new UI, you might want to mark the pointer to routing as the "solution", or however it's called. Ulf

    ------------------------------
    Ulf Bremer
    ------------------------------