SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Can an address be excluded from matching in a subnet?

    Posted 01-17-2023 17:18
    If I have a policy built like this:

    set security policies from-zone untrusted to-zone trusted policy MINE match source-address safe_subnet destination-address my-server application junos-https
    set security policies from-zone untrusted to-zone trusted policy MINE then permit

    If there are 2 IPs in safe_subnet that I want to exclude from that, how can I do it?

    I have looked at source-address-excluded, but that doesn't provide the capability to subtract from safe_subnet; rather, it becomes "everything minus source-address-excluded".

    I have tried using a separate policy like this:

    set security policies from-zone untrusted to-zone trusted policy NOT_MINE match source-address bad_servers destination-address my-server application junos-https
    set security policies from-zone untrusted to-zone trusted policy NOT_MINE then deny

    but when I use "show security match-policies", the result ignores "NOT_MINE".

    Help?


  • 2.  RE: Can an address be excluded from matching in a subnet?

    Posted 01-17-2023 17:59
    For the 2-policy solution, perhaps there is a policy order issue, where NOT_MINE is after MINE and thus it is shadowed and never hit.

    ------------------------------
    David Divins
    ------------------------------



  • 3.  RE: Can an address be excluded from matching in a subnet?
    Best Answer

    Posted 01-17-2023 23:00
    Hello,  

    You can insert the policy on top and give it a try. 

    #insert security policies from-zone untrusted to-zone trusted policy NOT_MINE before policy MINE 

    Regards,

    ------------------------------
    Brijil R
    ------------------------------
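The shadowing that reply 2 describes and the re-ordering that reply 3 applies with `insert ... before policy MINE` can both be checked offline with a small first-match simulation. The block below is an added illustration written for this thread, not Juniper code and not anything from the original posts: it models the SRX's first-match evaluation within a zone pair, reports which policies are unreachable because an earlier policy fully covers them, and reproduces the effect of the `insert` command. The address-book prefixes (192.0.2.0/24 for safe_subnet, two /32 hosts for bad_servers, 198.51.100.5 for my-server) are constructed stand-ins, and the simplified "application" matching is an assumption of the model.

```python
"""Simulate SRX first-match security-policy evaluation for one zone pair.

Shows why a deny policy placed after a broader permit is shadowed, detects
such shadowing, and reproduces `insert security policies ... policy X before
policy Y`. Added example with constructed address-book values; not Juniper code.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed address book: stand-ins for the entries named in the thread.
ADDRESS_BOOK = {
    "safe_subnet": ["192.0.2.0/24"],
    "bad_servers": ["192.0.2.10/32", "192.0.2.11/32"],
    "my-server": ["198.51.100.5/32"],
    "any": ["0.0.0.0/0"],
}


@dataclass
class Policy:
    name: str
    source: str        # address-book entry name
    destination: str   # address-book entry name
    application: str   # e.g. "junos-https" or "any" (simplified model)
    action: str        # "permit" or "deny"


def _networks(entry: str):
    return [ipaddress.ip_network(n) for n in ADDRESS_BOOK[entry]]


def _addr_matches(entry: str, ip: str) -> bool:
    host = ipaddress.ip_address(ip)
    return any(host in net for net in _networks(entry))


def match_policy(policies: List[Policy], src: str, dst: str, app: str) -> Optional[Policy]:
    """Return the first policy whose tuple matches. Later policies are never
    consulted, which is the first-match behaviour the SRX applies."""
    for p in policies:
        if (_addr_matches(p.source, src) and _addr_matches(p.destination, dst)
                and p.application in (app, "any")):
            return p
    return None


def _covers(outer_entry: str, inner_entry: str) -> bool:
    """True if every prefix of inner_entry lies inside some prefix of outer_entry."""
    outer = _networks(outer_entry)
    return all(any(i.subnet_of(o) for o in outer) for i in _networks(inner_entry))


def shadowed_policies(policies: List[Policy]) -> List[str]:
    """Names of policies that can never match because an earlier policy in the
    list covers their whole source, destination and application space."""
    shadowed = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if (_covers(earlier.source, later.source)
                    and _covers(earlier.destination, later.destination)
                    and earlier.application in (later.application, "any")):
                shadowed.append(later.name)
                break
    return shadowed


def insert_before(policies: List[Policy], name: str, before: str) -> List[Policy]:
    """Reorder like `insert security policies ... policy NAME before policy BEFORE`."""
    moving = next(p for p in policies if p.name == name)
    rest = [p for p in policies if p.name != name]
    idx = next(i for i, p in enumerate(rest) if p.name == before)
    return rest[:idx] + [moving] + rest[idx:]


# The two policies from the question, in the order the question configured them.
MINE = Policy("MINE", "safe_subnet", "my-server", "junos-https", "permit")
NOT_MINE = Policy("NOT_MINE", "bad_servers", "my-server", "junos-https", "deny")
ORIGINAL_ORDER = [MINE, NOT_MINE]
FIXED_ORDER = insert_before(ORIGINAL_ORDER, "NOT_MINE", "MINE")

if __name__ == "__main__":
    for label, order in (("original", ORIGINAL_ORDER), ("after insert", FIXED_ORDER)):
        hit = match_policy(order, "192.0.2.10", "198.51.100.5", "junos-https")
        print(f"{label}: 192.0.2.10 -> {hit.name} ({hit.action}); "
              f"shadowed = {shadowed_policies(order)}")
```

Running it prints that the excluded host hits MINE (permit) in the original order, with NOT_MINE reported as shadowed, and hits NOT_MINE (deny) once the deny policy is moved in front; any other host in the /24 still reaches MINE in both orders. The `shadowed_policies` check is the part worth keeping around: it catches the same class of ordering mistake before a change is committed, rather than after `show security match-policies` reveals it.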