SRX

 View Only
last person joined: 12 hours ago 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Do I always need to create two-way security policies in order to communicate?

    Posted 12-21-2022 06:48
    Do I always need to create two security policies in order to communicate from two zones? i read some articles that for flow-based, not necessary.

    ------------------------------
    Wilson Cheng
    ------------------------------


  • 2.  RE: Do I always need to create two-way security policies in order to communicate?

    Posted 12-21-2022 06:52
    Security policy allow two way traffic for the direction of the first speaker in the network conversation.

    When the initial request is seen it is evaluated a entry for the return traffic is also created in the  flow table to allow the replies.

    The key is setting up the policy in the correct direction on where the first traffic is sent from.

    Should you have issues with traffic matching check out this troubleshooting process.
    https://supportportal.juniper.net/s/article/SRX-How-to-troubleshoot-a-security-policy-that-is-not-passing-data

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: Do I always need to create two-way security policies in order to communicate?

    Posted 12-21-2022 07:42
    Thanks for your response. We are experiencing below technical issues. Hope you can provide some insight :)

    https://community.juniper.net/discussion/whenever-manual-failover-from-srx-345-node0-to-node1-node1-created-duplicate-double-multicast-outbound-packets#bm712b65a8-1f40-46ef-a067-10b7460d6051

    ------------------------------
    Wilson Cheng
    ------------------------------



  • 4.  RE: Do I always need to create two-way security policies in order to communicate?

    Posted 12-22-2022 11:02
    Sorry, I've not deployed multicast on srx so don't have an answer for that one.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------