Hi,
I am confused by this "self-traffic-policy"; I hope the experts can help clarify what is going on:
I have an SRX-1400 cluster with reth0.0 connecting to a pair of EX-4300s which act as the default gateway to the Internet. reth0.0 is in the security zone "untrust"; this zone's host-inbound-traffic only allows ping and traceroute, I don't have an intra-"untrust"-zone security policy to allow hair-pin traffic from the Internet, and I am not using the junos-host security zone.
Yet I still see the following session created, so somebody on the Internet with source IP 96.25.4.12 is trying SNMP (which is denied by the snmp-client-list). My question is:
how did the traffic even get this far, for Junos to create a session for it? None of the security policies allow this traffic. Although the attacker did not get anything back, they could potentially DDoS this box to exhaust sessions.
SRX-1400-cluster> show security flow session source-prefix 96.25.4.12 node 0
node0:
--------------------------------------------------------------------------
Flow Sessions on FPC1 PIC0:
Session ID: 20613712, Policy name: self-traffic-policy/1, State: Active, Timeout: 1780, Valid
In: 96.25.4.12 /56949 --> 20.1.218.33/161;udp, If: reth0.0, Pkts: 0, Bytes: 0
Out: 20.1.218.33/161 --> 96.25.4.12 /56949;udp, If: .local..0, Pkts: 0, Bytes: 0
Total sessions: 1
BTW, 20.1.218.33 is not a physical interface IP; it is configured to be proxy-ARP'd on reth0.0, and there is no static NAT or NAT pool configured for 20.1.218.33, if that makes a difference.
------------------------------
John Gerro
------------------------------
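As an added example (not part of John's post or of Junos): a small Python parser for the "show security flow session" output format quoted above, which picks out sessions that matched self-traffic-policy, entered on an untrusted interface and terminate on .local..0, and counts them per source IP and destination port so an operator can watch for the session-exhaustion risk described. The sample output and the set of untrusted interfaces are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample, modelled on the "show security flow session" output quoted in the post.
SAMPLE_OUTPUT = """\
Flow Sessions on FPC1 PIC0:
Session ID: 20613712, Policy name: self-traffic-policy/1, State: Active, Timeout: 1780, Valid
  In: 96.25.4.12 /56949 --> 20.1.218.33/161;udp, If: reth0.0, Pkts: 0, Bytes: 0
  Out: 20.1.218.33/161 --> 96.25.4.12 /56949;udp, If: .local..0, Pkts: 0, Bytes: 0
Session ID: 20613713, Policy name: self-traffic-policy/1, State: Active, Timeout: 1790, Valid
  In: 96.25.4.12 /56950 --> 20.1.218.33/161;udp, If: reth0.0, Pkts: 0, Bytes: 0
  Out: 20.1.218.33/161 --> 96.25.4.12 /56950;udp, If: .local..0, Pkts: 0, Bytes: 0
Session ID: 20613800, Policy name: trust-to-untrust/4, State: Active, Timeout: 1800, Valid
  In: 10.0.0.5/40000 --> 203.0.113.53/53;udp, If: reth1.0, Pkts: 2, Bytes: 140
  Out: 203.0.113.53/53 --> 10.0.0.5/40000;udp, If: reth0.0, Pkts: 2, Bytes: 300
Total sessions: 3
"""

SESSION_RE = re.compile(r"Session ID: (\d+), Policy name: ([^,]+), State: (\w+), Timeout: (\d+)")
# Junos prints "96.25.4.12 /56949" with a space before the port, so allow optional whitespace there.
WING_RE = re.compile(r"^\s*(In|Out): ([\d.]+)\s*/(\d+) --> ([\d.]+)\s*/(\d+);(\w+), If: (\S+), "
                     r"Pkts: (\d+), Bytes: (\d+)")

def parse_sessions(text):
    """Turn the CLI output into one dict per session, with its In and Out wings attached."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = SESSION_RE.search(line)
        if m:
            cur = {"id": int(m.group(1)), "policy": m.group(2), "state": m.group(3),
                   "timeout": int(m.group(4)), "wings": {}}
            sessions.append(cur)
            continue
        w = WING_RE.match(line)
        if w and cur is not None:
            src, sport, dst, dport, proto, iface, pkts, nbytes = w.groups()[1:]
            cur["wings"][w.group(1)] = {"src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
                                        "proto": proto, "iface": iface, "pkts": int(pkts), "bytes": int(nbytes)}
    return sessions

def find_self_traffic(sessions, untrusted_ifaces):
    """Sessions terminating on the box itself (.local..0 via self-traffic-policy) that entered on an untrusted interface."""
    return [s for s in sessions
            if s["policy"].startswith("self-traffic-policy")
            and s["wings"].get("In", {}).get("iface") in untrusted_ifaces
            and s["wings"].get("Out", {}).get("iface") == ".local..0"]

def summarize(flagged):
    """Count flagged sessions per (source IP, destination port, protocol), the unit an operator would act on."""
    return Counter((s["wings"]["In"]["src"], s["wings"]["In"]["dport"], s["wings"]["In"]["proto"])
                   for s in flagged)
```

Feed it the saved output of the command from the post and compare the counter against your expected inbound services per zone; a growing count of zero-packet self-traffic sessions from one source is the signal to look at.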