SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Error question: "has non-zero bits where bits in mask are zero"

    Posted 06-23-2016 12:01

    Hello,


    Our external interface is configured for ip 198.27.134.230/28


    ge-0/0/0 {
        unit 0 {
            family inet {
                address 198.27.134.230/28;
            }
        }
    }
    

    I'm trying to ping our external interface. When I try to whitelist my external IP, as follows


    filter ICMP_Whitelist {
        term term_1 {
            from {
                source-address {
                    0.0.0.0/0;
                }
                destination-address {
                    198.27.134.230/28;
                }
                protocol icmp;
            }
            then accept;
        }
        term term_2 {
            then accept;
        }
    }
    

    I get the error message 

    '198.27.134.230/28' has non-zero bits where bits in mask are zero


    My Juniper is happy if I give it 198.27.134.230/32 instead, which makes sense in terms of the error message. 


    However, why do I get this error message at all for setting firewall filters, especially when I don't get this error message for setting my external IP address to an interface?


    I apologize if this is a basic question. 


    Thank you,



  • 2.  RE: Error question: "has non-zero bits where bits in mask are zero"
    Best Answer

    Posted 06-23-2016 16:02

    When doing firewall filters or address objects for a subnet, you need to declare the subnet using the base address.  In your case 198.27.134.224/28.


    When you include a mask in a filter or a rule you are saying any address in this subnet.


    What you more likely want this filter for is just the interface ip address and not the entire subnet.  In that case you would use 198.27.134.230/32 meaning only packets with this specific destination address will match the filter.


    BUT, what you actually probably want is to set the host-inbound-traffic for the interface on the zone to allow ping.  Since you are setting up the filter to allow ping from any source, this is covered when you allow the ping on the zone or the interface in the zone.


    http://www.juniper.net/techpubs/en_US/junos12.1x46/topics/reference/configuration-statement/security-edit-system-service-zone-host-inbound-traffic.html
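An added example, not part of either post above, that reproduces the distinction the answer draws: an interface address is a host address plus its subnet mask, while a filter or address-book prefix names a whole subnet and so must be written with its base address (or as a /32 for one host). The script uses only Python's standard ipaddress module; the sample filter text is the one from the question, copied in as constructed input, and the function names are mine, not Junos's.

```python
import ipaddress
import re

# Constructed sample input: the filter exactly as posted in the question.
SAMPLE_FILTER = """
filter ICMP_Whitelist {
    term term_1 {
        from {
            source-address {
                0.0.0.0/0;
            }
            destination-address {
                198.27.134.230/28;
            }
            protocol icmp;
        }
        then accept;
    }
    term term_2 {
        then accept;
    }
}
"""

# Matches dotted-quad IPv4 prefixes such as 198.27.134.230/28 or 0.0.0.0/0.
PREFIX_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,2})\b")


def interface_subnet(address: str) -> str:
    """Subnet an interface address like 198.27.134.230/28 belongs to.

    For an interface, host bits are expected to be set: they identify the
    box itself. The mask only tells the router which subnet is on-link.
    """
    return str(ipaddress.ip_interface(address).network)


def check_prefix(prefix: str) -> dict:
    """Apply the check Junos applies to a filter/address prefix.

    A prefix in a filter means "every address in this subnet", so the bits
    outside the mask must be zero. Returns the verdict plus the two
    alternatives a practitioner usually wants: the whole subnet (base
    address) or just that one host (/32).
    """
    iface = ipaddress.ip_interface(prefix)
    net = ipaddress.ip_network(prefix, strict=False)  # masks off host bits
    host_bits_set = iface.ip != net.network_address
    return {
        "prefix": prefix,
        "ok": not host_bits_set,
        "error": (
            None
            if not host_bits_set
            else f"'{prefix}' has non-zero bits where bits in mask are zero"
        ),
        "subnet": str(net),  # accept the entire subnet
        "host": f"{iface.ip}/{iface.ip.max_prefixlen}",  # accept this host only
    }


def lint_filter(config: str) -> list:
    """Return the findings for every prefix in a filter that Junos would reject."""
    findings = []
    for match in PREFIX_RE.finditer(config):
        verdict = check_prefix(match.group(0))
        if not verdict["ok"]:
            findings.append(verdict)
    return findings


if __name__ == "__main__":
    print("interface 198.27.134.230/28 is on subnet", interface_subnet("198.27.134.230/28"))
    for finding in lint_filter(SAMPLE_FILTER):
        print(finding["error"])
        print("  whole subnet:", finding["subnet"])
        print("  this host only:", finding["host"])
```

Running it reports the same error string the question quotes for the /28 line and offers the two corrections from the answer, while 0.0.0.0/0 passes because its host bits are all zero.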