We have a strange problem with a policy rule that is not matching on our SRX340 (software version 20.2R3-S2.5).
We have several zones, and traffic from zone intern to zone trust is somehow denied, despite a rule existing that explicitly allows that traffic.
The rule in question is this:
> show security policies detail from-zone intern to-zone trust
Policy: allow-intern-to-trust, action-type: permit, State: enabled, Index: 29, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 1
  From zone: intern, To zone: trust
  Source vrf group:
    any
  Destination vrf group:
    any
  Source addresses:
    Intern_MGMT: 10.1.10.0/24
  Destination addresses:
    any-ipv4: 0.0.0.0/0
    any-ipv6: ::/0
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
      Source port range: [0-0]
      Destination ports: [0-0]
  Dynamic Application:
    any: 0
  Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No
  Policy statistics:
    Input  bytes         :                    0                    0 bps
      Initial direction  :                    0                    0 bps
      Reply direction    :                    0                    0 bps
    Output bytes         :                    0                    0 bps
      Initial direction  :                    0                    0 bps
      Reply direction    :                    0                    0 bps
    Input  packets       :                    0                    0 pps
      Initial direction  :                    0                    0 pps
      Reply direction    :                    0                    0 pps
    Output packets       :                    0                    0 pps
      Initial direction  :                    0                    0 pps
      Reply direction    :                    0                    0 pps
    Session rate         :                    0                    0 sps
    Active sessions      :                    0
    Session deletions    :                    0
    Policy lookups       :                    0
# show security policies from-zone intern to-zone trust
policy allow-intern-to-trust {
    match {
        source-address Intern_MGMT;
        destination-address any;
        application any;
        dynamic-application any;
    }
    then {
        permit;
        count;
    }
}

# show security zones security-zone intern
address-book {
    address Intern_MGMT 10.1.10.0/24;
}
host-inbound-traffic {
    system-services {
        all;
    }
    protocols {
        all;
    }
}
interfaces {
    irb.2;
}

# show security zones security-zone trust
screen Block-DoS-Attack;
host-inbound-traffic {
    system-services {
        all;
    }
    protocols {
        all;
    }
}
interfaces {
    irb.0;
    ge-0/0/7.0;
}
Now when I run match-policies, the system reports that it matches on the fallback rule instead of our allow rule:
# run show security match-policies from-zone intern to-zone trust source-ip 10.1.10.21 destination-ip A.B.C.44 source-port 1 destination-port 80 protocol tcp
Policy: Default-Policy, action-type: deny-all, State: enabled, Index: 2
  Sequence number: 2
------------------------------
DAAN DE WIT
------------------------------
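As an added check (example code written for this thread, not part of the original post or of Junos), the snippet below parses the "show security policies detail" output shown above and tests whether the policy's address terms alone cover the 5-tuple that was given to match-policies. The sample text is constructed from the post, with the redacted destination A.B.C.44 replaced by the placeholder 198.51.100.44. It also pulls out the "Policy lookups" counter, which at 0 means the policy has never been evaluated, so the gap is upstream of the address match (zone assignment, policy ordering, or how the unified policy with dynamic-application is handled), not in the address book.

```python
import ipaddress
import re

# Constructed sample in the format of the post's "show security policies detail" output.
POLICY_DETAIL = """\
Policy: allow-intern-to-trust, action-type: permit, State: enabled, Index: 29, Scope Policy: 0
Sequence number: 1
From zone: intern, To zone: trust
Source vrf group:
any
Source addresses:
Intern_MGMT: 10.1.10.0/24
Destination addresses:
any-ipv4: 0.0.0.0/0
any-ipv6: ::/0
Application: any
Policy lookups : 0
"""

# "<name>: <prefix>" lines under the address sections.
ADDR_RE = re.compile(r"^(\S+):\s+(\S+/\d+)$")

def parse_policy_detail(text):
    """Extract name, action, zones, address prefixes and the lookup counter."""
    pol = {"sources": [], "destinations": [], "lookups": None}
    section = None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Policy:") or line.startswith("From zone:"):
            fields = dict(f.split(": ", 1) for f in line.split(", "))
            pol["name"] = fields.get("Policy", pol.get("name"))
            pol["action"] = fields.get("action-type", pol.get("action"))
            pol["from_zone"] = fields.get("From zone", pol.get("from_zone"))
            pol["to_zone"] = fields.get("To zone", pol.get("to_zone"))
            section = None
        elif line == "Source addresses:":
            section = "sources"
        elif line == "Destination addresses:":
            section = "destinations"
        elif line.startswith("Policy lookups"):
            pol["lookups"] = int(line.split(":", 1)[1].split()[0])
            section = None
        elif section and (m := ADDR_RE.match(line)):
            pol[section].append(ipaddress.ip_network(m.group(2)))
        else:
            section = None  # any other line ends the current address section
    return pol

def addresses_match(pol, src_ip, dst_ip):
    """True if the policy's source and destination terms both cover the pair."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return (any(src in n for n in pol["sources"] if n.version == src.version)
            and any(dst in n for n in pol["destinations"] if n.version == dst.version))
```

Running addresses_match on the post's source 10.1.10.21 and the placeholder destination returns True, so the address book is not what excludes the flow.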