Suli,
Let's start troubleshooting from ot-application to Internet first; I checked the config of the SRX and confirmed the following:
Topology:

  "OT-application vlan 30"                        "untrust"
  ---------(reth1.30: 172.22.2.1/24)-SRX-(ge-0/0/7: 192.168.150.30/30)----------------INTERNET
                                      |
                                      |--(ge-5/0/7: 192.168.250.30/30)----------------INTERNET
Default route is present:

  routing-options {
      rib inet.0 {
          static {
              route 0.0.0.0/0 next-hop [ 192.168.150.29 192.168.250.29 ];
          }
      }
  }
Sec-policy is allowing the traffic:

  from-zone ot-application to-zone untrust {
      policy OT-application-to-Untrust {
          match {
              source-address any;
              destination-address any;
              application any;
          }
          then {
              permit;
          }
      }
  }
Proper NAT is configured for reaching the Internet:

  security {
      nat {
          source {
              rule-set otapplication-to-internet {
                  from zone ot-application;
                  to zone untrust;
                  rule internet-access {
                      match {
                          source-address 0.0.0.0/0;
                      }
                      then {
                          source-nat {
                              interface;
                          }
                      }
                  }
              }
          }
      }
  }
The config looks correct to me. Can you try pinging 8.8.8.8 from a host within the ot-application zone and check if there is a session created:

  > show security flow session source-prefix [PC_Address] destination-prefix 8.8.8.8 protocol icmp
If you don't see any session, then try running flow traceoptions to confirm if the SRX is dropping the packets:

  # set security flow traceoptions file TRACE
  # set security flow traceoptions flag basic-datapath
  # set security flow traceoptions packet-filter TEST source-prefix [PC_Address]
  # set security flow traceoptions packet-filter TEST destination-prefix 8.8.8.8
  # commit
  [try the ping]
  > show log TRACE
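As an added example (not part of the reply above or of any Juniper tooling), the following script shows how the session check that the reply recommends can be turned into a repeatable test: it parses the output of "show security flow session ... protocol icmp" and reports whether a session exists for the host, whether it was matched by the expected policy (OT-application-to-Untrust, from the post), and whether interface source NAT actually applied, which shows up as the Out wing's destination being one of the untrust interface addresses (192.168.150.30 / 192.168.250.30 from the topology) rather than the host's private address. The sample session outputs and the host address 172.22.2.10 are constructed for illustration; they are not output from the poster's SRX.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample (not from the original post) of
#   show security flow session source-prefix 172.22.2.10 destination-prefix 8.8.8.8 protocol icmp
# where interface source NAT worked: the Out wing's destination is the untrust
# interface address, so the reply is routed back to the SRX and un-NATed.
SAMPLE_NAT_OK = """\
Session ID: 20473, Policy name: OT-application-to-Untrust/4, Timeout: 2, Valid
  In: 172.22.2.10/1 --> 8.8.8.8/1;icmp, Conn Tag: 0x0, If: reth1.30, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/1 --> 192.168.150.30/1;icmp, Conn Tag: 0x0, If: ge-0/0/7.0, Pkts: 1, Bytes: 84,
Total sessions: 1
"""

# Constructed sample where a session exists but the reply wing still carries the
# private address, i.e. the source NAT rule did not match this traffic.
SAMPLE_NO_NAT = """\
Session ID: 20474, Policy name: OT-application-to-Untrust/4, Timeout: 2, Valid
  In: 172.22.2.10/1 --> 8.8.8.8/1;icmp, Conn Tag: 0x0, If: reth1.30, Pkts: 1, Bytes: 84,
  Out: 8.8.8.8/1 --> 172.22.2.10/1;icmp, Conn Tag: 0x0, If: ge-0/0/7.0, Pkts: 0, Bytes: 0,
Total sessions: 1
"""

# Constructed sample with no session at all (the case where the reply says to
# move on to flow traceoptions).
SAMPLE_EMPTY = "Total sessions: 0\n"

# Untrust interface addresses from the topology; interface NAT uses these.
UNTRUST_IFACE_IPS = {"192.168.150.30", "192.168.250.30"}

SESSION_RE = re.compile(r"^Session ID: (?P<id>\d+), Policy name: (?P<policy>[^/,]+)")
WING_RE = re.compile(
    r"^\s*(?P<dir>In|Out): (?P<src>[\d.]+)/\d+ --> (?P<dst>[\d.]+)/\d+;(?P<proto>\w+),"
    r".*?If: (?P<ifc>\S+),"
)


@dataclass
class Session:
    session_id: int
    policy: str
    wings: Dict[str, dict] = field(default_factory=dict)  # "In" / "Out"


def parse_sessions(text: str) -> List[Session]:
    """Parse the session header and its In/Out wings from CLI output."""
    sessions: List[Session] = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions.append(Session(int(m["id"]), m["policy"]))
            continue
        w = WING_RE.match(line)
        if w and sessions:
            sessions[-1].wings[w["dir"]] = {
                "src": w["src"], "dst": w["dst"], "proto": w["proto"], "ifc": w["ifc"],
            }
    return sessions


def check_internet_path(text: str, host_ip: str, dst_ip: str,
                        expected_policy: str, untrust_ips=UNTRUST_IFACE_IPS) -> dict:
    """Report whether the host's ICMP session exists, hit the right policy, and was NATed."""
    match: Optional[Session] = None
    for s in parse_sessions(text):
        inw = s.wings.get("In")
        if inw and inw["src"] == host_ip and inw["dst"] == dst_ip and inw["proto"] == "icmp":
            match = s
            break
    if match is None:
        return {"session_found": False, "policy_ok": False, "nat_ok": False,
                "egress_if": None,
                "next_step": "no session: enable flow traceoptions with a packet-filter "
                             "for this host and read the TRACE log"}
    out = match.wings.get("Out")
    nat_ok = out is not None and out["dst"] in untrust_ips
    return {
        "session_found": True,
        "policy_ok": match.policy == expected_policy,
        "nat_ok": nat_ok,
        "egress_if": out["ifc"] if out else None,
        "next_step": "session OK; check upstream routing/ISP" if nat_ok
                     else "session exists but reply wing is not NATed: review the source NAT rule-set",
    }


if __name__ == "__main__":
    for name, sample in (("nat-ok", SAMPLE_NAT_OK), ("no-nat", SAMPLE_NO_NAT), ("empty", SAMPLE_EMPTY)):
        print(name, check_internet_path(sample, "172.22.2.10", "8.8.8.8", "OT-application-to-Untrust"))
```

The three constructed samples map onto the three outcomes the reply distinguishes: a session with NAT applied (look upstream), a session without NAT (revisit the rule-set), and no session at all (go to traceoptions). Feed real CLI output in place of the samples; the wing regex only depends on the "In:"/"Out:" line layout, so policy and interface names from your own box are picked up unchanged.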