SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  how to use "show security match policies" for icmp or ping traffic

    Posted 07-30-2014 06:54

    These commands need information about source-port and destination-port, but ping is directly encapsulated in an L3 IP packet.


  • 2.  RE: how to use "show security match policies" for icmp or ping traffic

     
    Posted 07-30-2014 07:00

    Hi Sean,

    You could refer to the documentation below for all possible switches of "show security match policies":

    http://www.juniper.net/techpubs/en_US/junos12.1/topics/reference/command-summary/show-security-match-policies.html

    http://www.juniper.net/techpubs/en_US/junos12.1/topics/task/operational/policy-security-matching.html

    You could use protocol as icmp.

    Regards,

    Raveen



  • 3.  RE: how to use "show security match policies" for icmp or ping traffic

    Posted 07-30-2014 07:08

    I want to know: if I want to match source A to dest B with ping, why do I need to specify source-port and destination-port?

    show security match-policies from-zone Trust to-zone Untrust source-ip 172.17.16.xx destination-ip 172.18.xx.xx protocol icmp source-port 1 destination-port 1




  • 4.  RE: how to use "show security match policies" for icmp or ping traffic

    Posted 08-01-2014 05:46

    Hello Seanmine,

    Since ICMP is a layer 3 protocol, there is no source port or destination port. But for a firewall to install a session it needs a source port and a destination port.

    The ICMP header has an identifier and a sequence number.

    The SRX uses the identifier as the destination port and the sequence number as the source port.

    Hence you may use any random number for the source and destination ports; usually 1 and 1 would suffice when you use show security match policies with protocol icmp.


    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too



  • 5.  RE: how to use "show security match policies" for icmp or ping traffic

    Posted 11-05-2019 13:25

    I stumbled on the fix for this while doing traceoptions on ICMP on an SRX 550 and via a GNS3 SRX image.
    Set your source-port to 2048:

    show security match-policies protocol icmp destination-port 12345 destination-ip <dst-IP> source-port 2048 source-ip <src-IP> from-zone <From-Zone> to-zone <To-Zone>

    2048 only; nothing else will work. At least for the versions of IOS I was using: 12.3.xxx and 12.1xxx respectively.
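As an added illustration (not part of the thread and not Juniper code), here is a Python script that builds an ICMP echo request, pulls out the identifier and sequence number that post 4 says the SRX keys its session on, and assembles the match-policies query from them. The observation that 2048 equals the first two header bytes of an echo request (type 8, code 0 = 0x0800) read as one word is arithmetic, not something the thread states; the IP addresses and zone names are constructed sample values.

```python
import struct

ICMP_ECHO_REQUEST = 8  # ICMP type for echo request (ping)


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(identifier: int, sequence: int, payload: bytes = b"") -> bytes:
    """Build an ICMP echo request: type, code, checksum, identifier, sequence (RFC 792)."""
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, identifier, sequence)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, identifier, sequence) + payload


def icmp_session_fields(packet: bytes) -> dict:
    """Parse the 8-byte ICMP header and return the fields a firewall can key a session on."""
    icmp_type, code, _csum, identifier, sequence = struct.unpack("!BBHHH", packet[:8])
    return {
        "type": icmp_type,
        "code": code,
        "identifier": identifier,
        "sequence": sequence,
        # First two header bytes (type, code) read as one big-endian 16-bit word:
        # for an echo request this is 0x0800 = 2048, the value post 5 reports working.
        "type_code_word": (icmp_type << 8) | code,
    }


def match_policies_command(packet: bytes, src_ip: str, dst_ip: str,
                           from_zone: str, to_zone: str) -> str:
    """Build the CLI query, mapping ICMP fields to pseudo-ports as post 4 describes
    (identifier -> destination-port, sequence number -> source-port)."""
    f = icmp_session_fields(packet)
    return ("show security match-policies from-zone %s to-zone %s "
            "source-ip %s destination-ip %s protocol icmp "
            "source-port %d destination-port %d"
            % (from_zone, to_zone, src_ip, dst_ip, f["sequence"], f["identifier"]))


if __name__ == "__main__":
    # Constructed sample: identifier 0x1234, sequence 7, as a typical ping would send.
    pkt = build_echo_request(0x1234, 7, b"ping")
    print(icmp_session_fields(pkt))
    print(match_policies_command(pkt, "172.17.16.1", "172.18.0.1", "Trust", "Untrust"))
```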