Just wanna add my 2cts: I think if the interface does not have any host-inbound-traffic declaration,
it will honour the declaration at the zone level.
For example, if the below config did not have ping at the vlan.4 host-inbound-traffic hierarchy,
it would not allow ICMP echo requests, despite that being allowed at
the zone host-inbound-traffic hierarchy, because there is an existing declaration for dhcp.
[edit security zones security-zone guest]
root@srx240-29LK# show
host-inbound-traffic {
    system-services {
        ping;
    }
}
interfaces {
    vlan.4 {
        host-inbound-traffic {
            system-services {
                ping;
                dhcp;
            }
        }
    }
}
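
The override behaviour described in the post above, as an added example that is not part of the original post: a small Python audit that parses `show` output for a zone and reports, per interface, which system-services are effectively allowed and which zone-level ones an interface-level stanza drops. The function names and the `vlan.6` interface are assumptions made for illustration, vlan.4 is shown in the post's hypothetical form (dhcp only), and only `system-services` is handled (not `protocols` or the `all`/`except` keywords).

```python
# Constructed sample: guest zone with vlan.4 in the post's hypothetical form
# (dhcp only) plus a hypothetical vlan.6 that has no interface-level stanza.
SAMPLE = """
host-inbound-traffic {
    system-services {
        ping;
    }
}
interfaces {
    vlan.4 {
        host-inbound-traffic {
            system-services {
                dhcp;
            }
        }
    }
    vlan.6;
}
"""

def parse(text):
    """Parse Junos curly-brace output into nested dicts; leaves map to None."""
    stack = [{}]
    for line in map(str.strip, text.splitlines()):
        if line.endswith("{"):
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            stack[-1][line[:-1].strip()] = None
    return stack[0]

def services(node):
    """Declared system-services, or None when there is no host-inbound-traffic stanza."""
    hit = (node or {}).get("host-inbound-traffic")
    return None if hit is None else set(hit.get("system-services") or {})

def effective(zone):
    """Map interface -> (effective services, zone-level services it loses)."""
    zone_svcs = services(zone) or set()
    result = {}
    for name, node in (zone.get("interfaces") or {}).items():
        own = services(node)
        eff = zone_svcs if own is None else own  # interface stanza replaces the zone's
        result[name] = (sorted(eff), sorted(zone_svcs - eff))
    return result

if __name__ == "__main__":
    for name, (eff, lost) in effective(parse(SAMPLE)).items():
        print(f"{name}: allowed={eff} lost_from_zone={lost}")
```

Any interface that reports a non-empty "lost" list has an interface-level declaration that silently removes a service the zone allows, which is the usual cause of ping or management access failing on one interface only.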