I'm wondering is there the capacity on the srx platform to self generate traffic to test a policy rule?
The Cisco ASA can do it using the following commands:
packet-tracer input public rawip 18.104.22.168 51 22.214.171.124

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 126.96.36.199 255.255.255.255 identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Result:
input-interface: public
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (np-sp-invalid-spi) Invalid SPI
I don't know whether it is possible to generate traffic from the SRX, but a nice tool I use to check which policy will be matched by a flow is the op script "policy-test.slax"; you can find the code and an explanation here.
@paulkil wrote: I'm wondering is there the capacity on the srx platform to self generate traffic to test a policy rule?... packet-tracer input public rawip 188.8.131.52 51 184.108.40.206
"packet-tracer" on the ASA does not actually "generate traffic" -- it simulates the path & processing that the packet would take and shows you the results.
You can do the same thing with "show security match-policies <...>" available on Junos 10.3 and newer.
That's exactly what I was looking for. Also thanks to the first replier, sounds like a good script.
Actually it's not quite the same as on the ASA as on the SRX you have to specify the source and destination zones.
@paulkil wrote: Actually it's not quite the same as on the ASA as on the SRX you have to specify the source and destination zones.
Yes, but when you're looking to test the results of what a packet would do through an SRX, that is important information to define.
Since the ASA is not a zone-based firewall, it's going to operate differently than a SRX which is a zone-based firewall.
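As an added illustration of the "show security match-policies" lookup and the zone requirement discussed above (this is not from any poster in the thread): the command below asks the SRX which policy an SSH flow from a host in the public zone to a host in the trust zone would hit. The zone names, addresses, ports and the result-count option are assumptions for the example, not values from the thread.

```junos
user@srx> show security match-policies from-zone public to-zone trust source-ip 18.104.22.168 destination-ip 22.214.171.124 source-port 40000 destination-port 22 protocol tcp result-count 3
```

Unlike packet-tracer, the lookup only evaluates policy matching for the zone pair you name; it does not simulate the route lookup that decides which egress zone the packet would actually reach, so pick the to-zone from the routing table first.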