SRX self-traffic-policy doubt

  • 1.  SRX self-traffic-policy doubt

    Posted 12-11-2020 01:37
    Hi, 

    I am confused by this "self-traffic-policy", hope experts can help clarify what is going on:

    I have this SRX-1400 cluster with reth0.0 connecting to a pair of EX-4300s, which act as the default gateway to the Internet. reth0.0 is in security zone "untrust"; this security zone's host-inbound-traffic only allows ping and traceroute, I don't have an intra-"untrust"-zone security policy to allow hairpin traffic from the Internet, and I am not using the junos-host security zone.

    Yet I still see the following session created, so somebody from the Internet with source IP 96.25.4.12 is trying SNMP (which is denied by the snmp-client-list). My question is:
     how does the traffic even get this far, to have Junos create a session for it? None of the security policies allow this traffic. Although the attacker did not get anything back, they can potentially DDoS this box to exhaust sessions.

    SRX-1400-cluster> show security flow session source-prefix 96.25.4.12 node 0
    node0:
    --------------------------------------------------------------------------
    Flow Sessions on FPC1 PIC0:
    Session ID: 20613712, Policy name: self-traffic-policy/1, State: Active, Timeout: 1780, Valid
    In: 96.25.4.12 /56949 --> 20.1.218.33/161;udp, If: reth0.0, Pkts: 0, Bytes: 0
    Out: 20.1.218.33/161 --> 96.25.4.12 /56949;udp, If: .local..0, Pkts: 0, Bytes: 0
    Total sessions: 1

    BTW, 20.1.218.33 is not a physical interface IP; it is configured to be proxy-ARP'd on reth0.0, and there is no static NAT or NAT pool configured for 20.1.218.33, if that makes a difference.

    ------------------------------
    John Gerro
    ------------------------------
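A way to triage output like the above from the CLI, as an added example that is not part of the original post and not Juniper code: a small Python parser for `show security flow session` that picks out sessions created under `self-traffic-policy` which entered on the untrust interface from a non-RFC1918 source, and summarises them per source address and targeted service. Session 20613712 in the embedded sample is the one quoted in the post; every other session, address, port and interface name in the sample is constructed test data, and the `.local..0` interface name is taken as it appears in the quoted output.

```python
"""Parse Junos 'show security flow session' output and pick out sessions the
SRX created under the implicit self-traffic-policy (traffic addressed to the
box itself) that arrived on the untrust-facing interface from outside.

Added example for this thread; not Juniper code and not the poster's.  The
parser follows the output format quoted in the post.  All sessions in the
sample other than 20613712 are constructed test data.
"""
import ipaddress
import re
from collections import defaultdict

SESSION_RE = re.compile(
    r"Session ID:\s*(?P<sid>\d+),\s*Policy name:\s*(?P<policy>[^,]+),"
    r"\s*State:\s*(?P<state>\w+),\s*Timeout:\s*(?P<timeout>\d+),\s*(?P<valid>\w+)"
)
# Junos pads the port column, so a wing can read "96.25.4.12 /56949";
# the \s* before each slash absorbs that padding.
WING_RE = re.compile(
    r"(?P<dir>In|Out):\s*(?P<src>[0-9A-Fa-f.:]+)\s*/(?P<sport>\d+)\s*-->\s*"
    r"(?P<dst>[0-9A-Fa-f.:]+)\s*/(?P<dport>\d+);(?P<proto>\w+),\s*If:\s*(?P<iface>[^,\s]+),"
    r"\s*Pkts:\s*(?P<pkts>\d+),\s*Bytes:\s*(?P<bytes>\d+)"
)
LOCAL_IF = ".local..0"  # egress shown for the wing that terminates on the device (from the post)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_flow_sessions(text):
    """Return a list of sessions, each carrying its In/Out wings, from CLI output."""
    sessions, current = [], None
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            current = {"id": int(m["sid"]), "policy": m["policy"].strip(),
                       "state": m["state"], "timeout": int(m["timeout"]),
                       "valid": m["valid"] == "Valid", "wings": {}}
            sessions.append(current)
            continue
        w = WING_RE.search(line)
        if w and current is not None:
            current["wings"][w["dir"]] = {
                "src": w["src"], "sport": int(w["sport"]),
                "dst": w["dst"], "dport": int(w["dport"]), "proto": w["proto"],
                "iface": w["iface"], "pkts": int(w["pkts"]), "bytes": int(w["bytes"])}
    return sessions


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def external_self_traffic(sessions, ingress_if):
    """self-traffic-policy sessions whose In wing entered on ingress_if from a
    non-RFC1918 source and whose Out wing terminates on the device itself."""
    hits = []
    for s in sessions:
        inw, outw = s["wings"].get("In"), s["wings"].get("Out")
        if not (s["policy"].startswith("self-traffic-policy") and inw and outw):
            continue
        if inw["iface"] != ingress_if or outw["iface"] != LOCAL_IF:
            continue
        if not is_rfc1918(inw["src"]):
            hits.append(s)
    return hits


def summarize_by_source(hits):
    """Per source: session count, distinct services probed, In-wing packets reported."""
    summary = defaultdict(lambda: {"sessions": 0, "services": set(), "in_pkts": 0})
    for s in hits:
        inw = s["wings"]["In"]
        e = summary[inw["src"]]
        e["sessions"] += 1
        e["services"].add(f'{inw["proto"]}/{inw["dport"]}')
        e["in_pkts"] += inw["pkts"]
    return dict(summary)


# Constructed sample: session 20613712 is from the post, the rest are made up.
SAMPLE_OUTPUT = """\
node0:
--------------------------------------------------------------------------
Flow Sessions on FPC1 PIC0:
Session ID: 20613712, Policy name: self-traffic-policy/1, State: Active, Timeout: 1780, Valid
  In: 96.25.4.12 /56949 --> 20.1.218.33/161;udp, If: reth0.0, Pkts: 0, Bytes: 0
  Out: 20.1.218.33/161 --> 96.25.4.12 /56949;udp, If: .local..0, Pkts: 0, Bytes: 0
Session ID: 20613713, Policy name: self-traffic-policy/1, State: Active, Timeout: 1790, Valid
  In: 203.0.113.55/41022 --> 20.1.218.33/22;tcp, If: reth0.0, Pkts: 0, Bytes: 0
  Out: 20.1.218.33/22 --> 203.0.113.55/41022;tcp, If: .local..0, Pkts: 0, Bytes: 0
Session ID: 20613714, Policy name: self-traffic-policy/1, State: Active, Timeout: 1795, Valid
  In: 203.0.113.55/41023 --> 20.1.218.33/161;udp, If: reth0.0, Pkts: 0, Bytes: 0
  Out: 20.1.218.33/161 --> 203.0.113.55/41023;udp, If: .local..0, Pkts: 0, Bytes: 0
Session ID: 20613801, Policy name: self-traffic-policy/1, State: Active, Timeout: 2, Valid
  In: 10.0.5.7/40001 --> 10.0.5.1/161;udp, If: reth1.0, Pkts: 3, Bytes: 240
  Out: 10.0.5.1/161 --> 10.0.5.7/40001;udp, If: .local..0, Pkts: 3, Bytes: 510
Session ID: 20614000, Policy name: untrust-to-dmz/5, State: Active, Timeout: 1800, Valid
  In: 198.51.100.9/51000 --> 20.1.218.40/443;tcp, If: reth0.0, Pkts: 12, Bytes: 1800
  Out: 192.168.10.40/443 --> 198.51.100.9/51000;tcp, If: reth1.0, Pkts: 10, Bytes: 6000
Total sessions: 5
"""

if __name__ == "__main__":
    hits = external_self_traffic(parse_flow_sessions(SAMPLE_OUTPUT), "reth0.0")
    for src, e in sorted(summarize_by_source(hits).items()):
        print(f'{src}: {e["sessions"]} session(s), services {sorted(e["services"])}, in_pkts {e["in_pkts"]}')
```

On a live box the input would be the text of `show security flow session | no-more` (per node on a cluster) rather than the embedded sample; the filter deliberately keys on the `Out` wing landing on `.local..0`, so sessions that merely transit the untrust interface under a normal zone-to-zone policy are not counted, and sources inside RFC1918 space are left out because a management host on an internal interface legitimately creates the same kind of session.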