SRX self-traffic-policy doubt

  • 1.  SRX self-traffic-policy doubt

    Posted 12-11-2020 01:37

    I am confused by this "self-traffic-policy", hope experts can help clarify what is going on:

    I have this SRX-1400-cluster with reth0.0 connecting to a pair of EX-4300 which act as the default gateway to Internet, reth0.0 is in security zone "untrust", this security zone's host-inbound-traffic only allows ping and traceroute, and I don't have intra "untrust" zone security policy to allow hair-pin traffic from Internet, and I am not using junos-host security zone.

    Yet, I still see the following session created, so somebody from Internet with source IP is trying snmp (which is denied by snmp-client-list"), my question is
     how the traffic even get to this far to have Junos create a session for it? none of the security policy is allowing this traffic. Although the attacker did not get anything back, they can potentially DDoS this box to exhaust sessions.

    SRX-1400-cluster> show security flow session source-prefix node 0
    Flow Sessions on FPC1 PIC0:
    Session ID: 20613712, Policy name: self-traffic-policy/1, State: Active, Timeout: 1780, Valid
    In: /56949 -->;udp, If: reth0.0, Pkts: 0, Bytes: 0
    Out: --> /56949;udp, If: .local..0, Pkts: 0, Bytes: 0
    Total sessions: 1

    BTW is not a physical interface IP, it is configured to be proxy-ARP'd on reth0.0, and there is no static NAT or NAT pool configured for, if that makes a difference.

    John Gerro