Could you please include a few of the packet-drop log lines that you're trying to eliminate?
Original Message:
Sent: 08-12-2025 14:40
From: EMTSU
Subject: Help with blocking a given external IP Address
@Nikolay Semov Aren't the interfaces one and the same? I don't have a separate 'ingress' interface for the outbound direction, all traffic comes and goes from ge-0/0/1.0
Original Message:
Sent: 08-12-2025 08:58
From: Nikolay Semov
Subject: Help with blocking a given external IP Address
No, you need it as input filter for the *ingress* interface of the outbound direction. From your post I gather that ge-0/0/1 is the egress interface of the outbound direction (and ingress interface for the inbound direction).
------------------------------
Nikolay Semov
Original Message:
Sent: 08-12-2025 04:28
From: EMTSU
Subject: Help with blocking a given external IP Address
Thank you for your reply @Nikolay Semov
Are you essentially saying, as per the relevant article noted above, that I should change the following config and the highlighted section to input? If so, I have already tried this, but when it didn't appear to work, I tried changing it as mentioned.
set interfaces ge-0/0/1 unit 0 family inet filter output Block_IP
Original Message:
Sent: 08-11-2025 10:03
From: Nikolay Semov
Subject: Help with blocking a given external IP Address
You have to consider the order of operations:
(Diagram source: https://www.juniper.net/documentation/us/en/software/junos/flow-packet-processing/topics/topic-map/security-srx-devices-processing-overview.html)
The outbound firewall filter (per packet filter) is one of the last things to be applied. If you see the traffic of interest in the packet-drop log, it means the flow module is dropping the packets before the output firewall filter gets a chance to do its thing. If you want to offload that particular traffic from the flow module, you'd have to move the Block_IP firewall filter to the input side for the ingress interface(s) of the outbound direction.
------------------------------
Nikolay Semov
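The placement described in the reply above, written out as a config fragment (an added example, not posted by anyone in this thread and not from the Juniper articles): the destination-based Block_IP filter moves to the input side of the inner, LAN-facing interface, which is the ingress interface of the outbound direction. The interface name ge-0/0/0 is an assumption; substitute whichever interface the inside hosts reach the SRX on.

```junos
# Assumption: ge-0/0/0 unit 0 is the inner (LAN-facing) interface, i.e. the
# ingress interface for outbound traffic. Filter and counter names follow the
# thread; the address stays masked exactly as it was posted.
set firewall family inet filter Block_IP term 1 from destination-address x.195.169.202/32
set firewall family inet filter Block_IP term 1 then count attempt-to-IP
set firewall family inet filter Block_IP term 1 then discard
set firewall family inet filter Block_IP term 2 then accept

# Outbound: an input filter on the ingress interface is evaluated before the
# flow module, so the flow module never has to drop these packets itself.
set interfaces ge-0/0/0 unit 0 family inet filter input Block_IP

# Inbound: unchanged from the thread, on the input side of WAN-facing ge-0/0/1.
set interfaces ge-0/0/1 unit 0 family inet filter input IP_Block

# Remove the output placement that sat behind the flow module.
delete interfaces ge-0/0/1 unit 0 family inet filter output Block_IP

# Verification after commit: the attempt-to-IP counter should now increment
# on the new input placement.
#   show firewall filter Block_IP
#   show firewall counter filter Block_IP attempt-to-IP
```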
Original Message:
Sent: 08-11-2025 09:48
From: EMTSU
Subject: Help with blocking a given external IP Address
I am trying to block both inbound and outbound attempts from and to a given public IP address, and have used the following 2 articles to attempt this:
https://supportportal.juniper.net/s/article/How-to-block-traffic-from-a-Source-IP-using-firewall-filters-on-SRX
https://supportportal.juniper.net/s/article/How-to-block-traffic-to-a-destination-IP-using-firewall-filters-on-SRX
Whilst the inbound rule appears to be working, the outbound does not.
I have tried potentially correcting the suspect config in the second article to apply the filter in the output direction as opposed to the prescribed input.
Here's my config:
set interfaces ge-0/0/1 unit 0 family inet filter output Block_IP
set interfaces ge-0/0/1 unit 0 family inet filter input IP_Block
set firewall family inet filter Block_IP term 1 from destination-address x.195.169.202/32
set firewall family inet filter Block_IP term 1 then count attempt-to-IP
set firewall family inet filter Block_IP term 1 then discard
set firewall family inet filter Block_IP term 2 then accept
set firewall family inet filter IP_Block term 1 from source-address x.195.169.202/32
set firewall family inet filter IP_Block term 1 then count attempt-from-IP
set firewall family inet filter IP_Block term 1 then discard
set firewall family inet filter IP_Block term 2 then accept
In addition to using the suggested counters to verify each rule's effectiveness (which they both do), I am also using: monitor security packet-drop. This command showed the inbound rule to be effective, in that entries were no longer appearing for the given IP address for the inbound direction, but they have remained for the outbound direction. Perhaps I am misusing or misunderstanding this particular command.
Can anyone assist please?
-------------------------------------------