SRX

 View Only
last person joined: 12 hours ago 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Some statically routed traffic bypassing security policies?

    This message was posted by a user wishing to remain anonymous
    Posted 09-29-2022 17:03
    This message was posted by a user wishing to remain anonymous

    I have an SRX340 with a simple setup: all traffic interfaces are in the global zone, all security policies apply to that zone, and all security policies are set to log. I have static routes to a couple of gateways for destinations outside my networks. I have a number of static NATs too. I have no DHCP, no dynamic routing, no firewall filters.

    Traffic that matches the default route hits my security policies and gets logged, as expected; traffic that matches static routes to specific IPs (/32) also hits the policies as expected. BUT traffic that matches static routes to whole subnets, in my case a couple of /16s, does NOT seem to go through my security policies: nothing is logged. Nevertheless, it does transit my device! I want that traffic to go through my security policies!

    What could be going on??? Thanks!


  • 2.  RE: Some statically routed traffic bypassing security policies?

    Posted 10-02-2022 11:59
    We would need to confirm what policy would apply to the traffic that is allowed.  You can look for the active session for that traffic to the /16 when it is permitted and see what policy and details are seen for the session.

    show security flow session

    This can be limited by source, destination, or port if the session table is large.  Just use the ? to add one or more restrictions.

    Once you see the interfaces and policy hit you can confirm what is allowing the traffic outside your expectations.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------