SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Security Policy not Matching on SRX340

    Posted 12-07-2022 10:28
    We have a strange problem with a policy rule that is not matching on our SRX340 (software version 20.2R3-S2.5).

    We have several zones, and traffic from zone intern to zone trust is somehow denied, despite there being a rule that explicitly allows that traffic.

    The rule in question is this:
    > show security policies detail from-zone intern to-zone trust
    Policy: allow-intern-to-trust, action-type: permit, State: enabled, Index: 29, Scope Policy: 0
    Policy Type: Configured
    Sequence number: 1
    From zone: intern, To zone: trust
    Source vrf group:
    any
    Destination vrf group:
    any
    Source addresses:
    Intern_MGMT: 10.1.10.0/24
    Destination addresses:
    any-ipv4: 0.0.0.0/0
    any-ipv6: ::/0
    Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
    Source port range: [0-0]
    Destination ports: [0-0]
    Dynamic Application:
    any: 0
    Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No
    Policy statistics:
    Input bytes : 0 0 bps
    Initial direction: 0 0 bps
    Reply direction : 0 0 bps
    Output bytes : 0 0 bps
    Initial direction: 0 0 bps
    Reply direction : 0 0 bps
    Input packets : 0 0 pps
    Initial direction: 0 0 pps
    Reply direction : 0 0 pps
    Output packets : 0 0 pps
    Initial direction: 0 0 pps
    Reply direction : 0 0 pps
    Session rate : 0 0 sps
    Active sessions : 0
    Session deletions : 0
    Policy lookups : 0

    # show security policies from-zone intern to-zone trust
    policy allow-intern-to-trust {
        match {
            source-address Intern_MGMT;
            destination-address any;
            application any;
            dynamic-application any;
        }
        then {
            permit;
            count;
        }
    }

    # show security zones security-zone intern
    address-book {
        address Intern_MGMT 10.1.10.0/24;
    }
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        irb.2;
    }

    # show security zones security-zone trust
    screen Block-DoS-Attack;
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        irb.0;
        ge-0/0/7.0;
    }

    Now when I run match-policies, the system reports that it matches on the fallback rule instead of our allow rule:
    # run show security match-policies from-zone intern to-zone trust source-ip 10.1.10.21 destination-ip A.B.C.44 source-port 1 destination-port 80 protocol tcp
    Policy: Default-Policy, action-type: deny-all, State: enabled, Index: 2
    Sequence number: 2


    ------------------------------
    DAAN DE WIT
    ------------------------------


  • 2.  RE: Security Policy not Matching on SRX340

    Posted 12-08-2022 02:59


    If you're positive it's the firewall dropping your traffic, run this command:

    show security match-policy from-zone [your source zone] to-zone [your destination zone] source-ip [your source ip] destination-ip [your dest ip] source-port 12345 destination-port [your dest port] protocol [udp or tcp or icmp]

    This will tell you what policy is matching and taking action on your traffic.




    ------------------------------
    -Slicerpro
    ------------------------------



  • 3.  RE: Security Policy not Matching on SRX340

    Posted 12-09-2022 06:48
    If you're positive it's the firewall dropping your traffic, run this command:

    show security match-policy from-zone [your source zone] to-zone [your destination zone] source-ip [your source ip] destination-ip [your dest ip] source-port 12345 destination-port [your dest port] protocol [udp or tcp or icmp]

    This will tell you what policy is matching and taking action on your traffic.

    As I mentioned in my original post, I already ran that command, and it matches on the internal fall-back rule.


    ------------------------------
    DAAN DE WIT
    ------------------------------



  • 4.  RE: Security Policy not Matching on SRX340
    Best Answer

    Posted 12-09-2022 06:48
    Edited by spuluka 12-09-2022 06:48
    First of all, try deleting dynamic-application any in your policy from intern to trust, because if you have both types of policies in your SRX, unified (standard policies with dynamic-application) and standard, the unified policies will not work.
    And give your full security policies list:

    show configuration security policies | display set


    ------------------------------
    andrii furdyha
    ------------------------------
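
    The answer above boils down to a check you can run against the output of "show configuration security policies | display set": which zone pairs carry a unified policy (one with a dynamic-application match) next to standard policies. The script below is an added example, not something from the thread or from Juniper; it parses constructed display-set lines (modelled on the configuration posted above), reports per zone pair which policies are unified and which are standard, and emits the "delete ... match dynamic-application" commands that correspond to the fix applied here. Global policies and anything else that is not a from-zone/to-zone policy line are ignored.

```python
import re
from collections import defaultdict

# One "display set" line of a zone-pair security policy, e.g.
#   set security policies from-zone intern to-zone trust policy allow-intern-to-trust match application any
_POLICY_RE = re.compile(
    r"^set security policies from-zone (?P<src>\S+) to-zone (?P<dst>\S+) "
    r"policy (?P<name>\S+) (?P<section>match|then) (?P<key>\S+)(?: (?P<value>.+))?$"
)

# Constructed sample input: the intern->trust pair mixes the unified policy from the
# thread with a standard one, while trust->untrust has only standard policies.
SAMPLE_DISPLAY_SET = """
set security policies from-zone intern to-zone trust policy allow-intern-to-trust match source-address Intern_MGMT
set security policies from-zone intern to-zone trust policy allow-intern-to-trust match destination-address any
set security policies from-zone intern to-zone trust policy allow-intern-to-trust match application any
set security policies from-zone intern to-zone trust policy allow-intern-to-trust match dynamic-application any
set security policies from-zone intern to-zone trust policy allow-intern-to-trust then permit
set security policies from-zone intern to-zone trust policy allow-intern-to-trust then count
set security policies from-zone intern to-zone trust policy allow-intern-dns match source-address Intern_MGMT
set security policies from-zone intern to-zone trust policy allow-intern-dns match destination-address any
set security policies from-zone intern to-zone trust policy allow-intern-dns match application junos-dns-udp
set security policies from-zone intern to-zone trust policy allow-intern-dns then permit
set security policies from-zone trust to-zone untrust policy allow-out match source-address any
set security policies from-zone trust to-zone untrust policy allow-out match destination-address any
set security policies from-zone trust to-zone untrust policy allow-out match application any
set security policies from-zone trust to-zone untrust policy allow-out then permit
set security policies default-policy deny-all
"""


def parse_policies(display_set: str) -> dict:
    """Group display-set lines into {(from_zone, to_zone): {policy: {"match": {...}, "then": {...}}}}.
    A match key may repeat (several source-address lines), so values are kept as lists."""
    policies = defaultdict(lambda: defaultdict(lambda: {"match": {}, "then": {}}))
    for raw in display_set.splitlines():
        m = _POLICY_RE.match(raw.strip())
        if not m:
            continue  # default-policy, global policies and unrelated lines are skipped
        section = policies[(m["src"], m["dst"])][m["name"]][m["section"]]
        section.setdefault(m["key"], []).append(m["value"])
    return policies


def audit_policy_types(display_set: str) -> dict:
    """Per zone pair, list unified policies (those matching on dynamic-application) and
    standard ones, and flag pairs where both kinds are present."""
    report = {}
    for pair, pols in parse_policies(display_set).items():
        unified = [name for name, p in pols.items() if "dynamic-application" in p["match"]]
        standard = [name for name in pols if name not in unified]
        report[pair] = {"unified": unified, "standard": standard,
                        "mixed": bool(unified and standard)}
    return report


def remediation_commands(display_set: str) -> list:
    """Junos delete commands that turn each unified policy back into a standard one,
    which is the change that resolved the thread above (apply and commit on the box)."""
    cmds = []
    for (src, dst), pols in parse_policies(display_set).items():
        for name, p in pols.items():
            if "dynamic-application" in p["match"]:
                cmds.append(f"delete security policies from-zone {src} to-zone {dst} "
                            f"policy {name} match dynamic-application")
    return cmds


if __name__ == "__main__":
    for pair, info in audit_policy_types(SAMPLE_DISPLAY_SET).items():
        flag = "MIXED" if info["mixed"] else "ok"
        print(f"{pair[0]} -> {pair[1]}: {flag}  unified={info['unified']} standard={info['standard']}")
    for cmd in remediation_commands(SAMPLE_DISPLAY_SET):
        print(cmd)
```

    Feed it the real display-set output instead of the constructed sample and any zone pair reported as MIXED is the one to look at first; the delete commands are only a proposal to review before committing.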



  • 5.  RE: Security Policy not Matching on SRX340

    Posted 12-09-2022 06:48
    Thanks andrii that solved it!

    The dynamic-application was indeed the issue. That line was added by J-Web, and I didn't think it would hurt.

    ------------------------------
    DAAN DE WIT
    ------------------------------