SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Disabling PING between two subnets and also within same subnets too

    Posted 02-14-2014 00:22

    Hi Folks,

    I would like a particular IP not to be pinged by other zones. So, just to make it simple, if I just say source and destination with ping to deny, will it allow other services?

    -----------------------------------------

     

    set security policies from-zone Y-BFLY to-zone MGMT-IN policy Y-BFLY-OUT match source-address SZ-Y-BFLY
    set security policies from-zone Y-BFLY to-zone MGMT-IN policy Y-BFLY-OUT match destination-address any
    set security policies from-zone Y-BFLY to-zone MGMT-IN policy Y-BFLY-OUT match application junos-icmp-all
    set security policies from-zone Y-BFLY to-zone MGMT-IN policy Y-BFLY-OUT then deny

    -----------------------

     

    BR,

    SID

     



  • 2.  RE: Disabling PING between two subnets and also within same subnets too

    Posted 02-14-2014 08:13

    Hi

     

    Apologies if I didn't make the subject clear. 🙂

    Just to confirm what I typed in the command earlier:

    Source A with Destination B with application ICMP to be denied. This means Source A with Destination B will allow other services. Correct me if I am wrong.

     

    -----------------------------------------

     

    set security policies from-zone A to-zone B policy Y-BFLY-OUT match source-address A
    set security policies from-zone A to-zone B policy Y-BFLY-OUT match destination-address any
    set security policies from-zone A to-zone B policy Y-BFLY-OUT match application junos-icmp-all
    set security policies from-zone A to-zone B policy Y-BFLY-OUT then deny

    -----------------------



    Thanks for your help and support.

    Regards,
    SID



  • 3.  RE: Disabling PING between two subnets and also within same subnets too
    Best Answer

     
    Posted 02-14-2014 21:30

    Hello SID,

     

    Yes, the policy that you have written is correct for transit traffic.

    In Junos the default policy is to deny all traffic; I believe you have another policy to allow all other traffic, like below:

     

    ---------------

    set security policies from-zone A to-zone B policy Y-BFLY-OUT match source-address A
    set security policies from-zone A to-zone B policy Y-BFLY-OUT match destination-address any
    set security policies from-zone A to-zone B policy Y-BFLY-OUT match application junos-icmp-all
    set security policies from-zone A to-zone B policy Y-BFLY-OUT then deny

     

    set security policies from-zone A to-zone B policy Y-BFLY-OUT-1 match source-address A
    set security policies from-zone A to-zone B policy Y-BFLY-OUT-1 match destination-address any
    set security policies from-zone A to-zone B policy Y-BFLY-OUT-1 match application any
    set security policies from-zone A to-zone B policy Y-BFLY-OUT-1 then permit

     ----------------

     

     

    Regards,

    Raveen
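The reply above relies on SRX zone policies being evaluated top-down with the first match winning, so the ICMP deny (Y-BFLY-OUT) has to sit above the catch-all permit (Y-BFLY-OUT-1). The following Python script is an added example, not code from the thread or from Juniper: it parses the two policies exactly as posted, evaluates a few constructed flows with first-match semantics (falling back to the SRX implicit default deny), and flags policies that an earlier, broader policy makes unreachable. Application names are compared literally here rather than resolved to protocol/port, which is a simplification.

```python
"""First-match evaluator for Junos-style SRX zone policies (added example).

Models the behaviour the thread depends on: within one from-zone/to-zone
context, policies are checked in configuration order, the first match decides
the action, and traffic matching nothing hits the implicit default deny.
"""
import re
from collections import OrderedDict

# Constructed sample: the two policies from the reply, in the posted order
# (ICMP deny first, then permit everything else from A to B).
SAMPLE_CONFIG = """
set security policies from-zone A to-zone B policy Y-BFLY-OUT match source-address A
set security policies from-zone A to-zone B policy Y-BFLY-OUT match destination-address any
set security policies from-zone A to-zone B policy Y-BFLY-OUT match application junos-icmp-all
set security policies from-zone A to-zone B policy Y-BFLY-OUT then deny
set security policies from-zone A to-zone B policy Y-BFLY-OUT-1 match source-address A
set security policies from-zone A to-zone B policy Y-BFLY-OUT-1 match destination-address any
set security policies from-zone A to-zone B policy Y-BFLY-OUT-1 match application any
set security policies from-zone A to-zone B policy Y-BFLY-OUT-1 then permit
"""

FIELDS = ("source-address", "destination-address", "application")

LINE_RE = re.compile(
    r"set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
    r"(?:match (source-address|destination-address|application) (\S+)|then (permit|deny))$"
)


def parse_policies(config_text):
    """Return {(from_zone, to_zone): OrderedDict(name -> policy)} in set order."""
    contexts = OrderedDict()
    for raw in config_text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            raise ValueError("unrecognised line: " + raw)
        fz, tz, name, field, value, action = m.groups()
        policies = contexts.setdefault((fz, tz), OrderedDict())
        pol = policies.setdefault(name, {f: set() for f in FIELDS} | {"action": None})
        if field:
            pol[field].add(value)
        else:
            pol["action"] = action
    return contexts


def _matches(values, candidate):
    # "any" matches everything; otherwise the name must be listed literally.
    return "any" in values or candidate in values


def evaluate(contexts, from_zone, to_zone, src, dst, app):
    """First-match lookup; (None, 'deny') models the SRX implicit default deny."""
    for name, pol in contexts.get((from_zone, to_zone), {}).items():
        if all(_matches(pol[f], v) for f, v in zip(FIELDS, (src, dst, app))):
            return name, pol["action"]
    return None, "deny"


def reverse_order(contexts):
    """Copy of the contexts with each zone pair's policy order reversed (wrong order)."""
    return OrderedDict(
        (ctx, OrderedDict(reversed(list(pols.items())))) for ctx, pols in contexts.items()
    )


def _covers(earlier_values, later_values):
    return "any" in earlier_values or later_values <= earlier_values


def find_shadowed(contexts):
    """List (context, shadowed_policy, shadowing_policy) where an earlier policy
    matches at least everything a later one matches, so the later one never fires."""
    shadowed = []
    for ctx, policies in contexts.items():
        items = list(policies.items())
        for i, (later_name, later) in enumerate(items):
            for earlier_name, earlier in items[:i]:
                if all(_covers(earlier[f], later[f]) for f in FIELDS):
                    shadowed.append((ctx, later_name, earlier_name))
                    break
    return shadowed


if __name__ == "__main__":
    ctx = parse_policies(SAMPLE_CONFIG)
    print("ping A->B :", evaluate(ctx, "A", "B", "A", "any", "junos-icmp-all"))
    print("ssh  A->B :", evaluate(ctx, "A", "B", "A", "any", "junos-ssh"))
    print("reversed  :", evaluate(reverse_order(ctx), "A", "B", "A", "any", "junos-icmp-all"))
    print("shadowed  :", find_shadowed(reverse_order(ctx)))
```

With the posted order, ping from A is denied and SSH is permitted; reversing the two policies makes the permit-any catch the ICMP flow first and leaves Y-BFLY-OUT unreachable, which `find_shadowed` reports. On a real SRX the equivalent check is `show security policies` to confirm the order, and `insert security policies from-zone A to-zone B policy Y-BFLY-OUT before policy Y-BFLY-OUT-1` to fix it.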