SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Exclude IP from policies

    Posted 04-01-2014 02:26

    I have a policy like this:

    security policies from-zone trust to-zone untrust policy trust-to-untrust-common
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit {
            application-services {
                application-firewall {
                    rule-set common-customers;
                }
            }
        }
    }

    I want to exclude one destination IP.  I tried to set:

    address-book address source-nat-ip 1.1.1.1/32
    .........
    destination-address [ filter-exceptions source-nat-ip ];

     But it breaks all traffic.

    Where am I wrong?

    Thanks!



  • 2.  RE: Exclude IP from policies
    Best Answer

    Posted 04-01-2014 07:37

    By the looks of what you have set, you will only allow traffic to the two destination addresses called "filter-exceptions" and "source-nat-ip".

    You could just add another policy above that one to simply block the IP you want.  Something like:


    policy block-nat-ip {
        match {
            source-address any;
            destination-address source-nat-ip;
            application any;
        }
        then {
            deny;
            log {
                session-init;
            }
        }
    }
    policy trust-to-untrust-common {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                application-services {
                    application-firewall {
                        rule-set common-customers;
                    }
                }
            }
        }
    }




  • 3.  RE: Exclude IP from policies

    Posted 04-01-2014 08:57

    I want to pass all traffic through the application-firewall rule, except for one destination IP in one rule, if possible.




  • 4.  RE: Exclude IP from policies

    Posted 04-01-2014 09:00

    The above will deny the traffic and drop it, however if you change the above to accept on the first rule, then traffic destined to source-nat-ip will not be passed to the app-firewall as it will match on the first policy.
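    The "permit first, no app-firewall" variant from posts 2 and 4, written out in Junos set syntax as an added example (not any poster's configuration). Zone names, the address name source-nat-ip and the rule-set common-customers come from the thread; the policy name bypass-appfw-nat-ip and the zone-attached address book are assumptions.

```junos
# Added example, not from the thread. Assumes zones trust/untrust, address name
# source-nat-ip and rule-set common-customers as posted; the policy name
# bypass-appfw-nat-ip and the use of the untrust zone's address book are assumed.

# 1. The exception host must exist in the to-zone's address book so it can be
#    referenced as a destination-address.
set security zones security-zone untrust address-book address source-nat-ip 1.1.1.1/32

# 2. Exception policy: permit to that host WITHOUT application-services, and log
#    it so the bypass stays visible in the traffic log.
set security policies from-zone trust to-zone untrust policy bypass-appfw-nat-ip match source-address any
set security policies from-zone trust to-zone untrust policy bypass-appfw-nat-ip match destination-address source-nat-ip
set security policies from-zone trust to-zone untrust policy bypass-appfw-nat-ip match application any
set security policies from-zone trust to-zone untrust policy bypass-appfw-nat-ip then permit
set security policies from-zone trust to-zone untrust policy bypass-appfw-nat-ip then log session-init
set security policies from-zone trust to-zone untrust policy bypass-appfw-nat-ip then log session-close

# 3. The existing catch-all keeps the application-firewall rule-set for everything else.
set security policies from-zone trust to-zone untrust policy trust-to-untrust-common match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust-common match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust-common match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust-common then permit application-services application-firewall rule-set common-customers

# 4. Policies are evaluated top-down in configuration order and a new policy is
#    appended last, so the exception must be moved above the catch-all.
insert security policies from-zone trust to-zone untrust policy bypass-appfw-nat-ip before policy trust-to-untrust-common

# 5. Check the resulting order, validate, commit.
show security policies from-zone trust to-zone untrust
commit check
commit

# 6. From operational mode: confirm which policy a flow to 1.1.1.1 would hit
#    (source 10.0.0.10 and the ports are constructed sample values).
run show security match-policies from-zone trust to-zone untrust source-ip 10.0.0.10 destination-ip 1.1.1.1 source-port 40000 destination-port 443 protocol tcp
```

    The match-policies output should name bypass-appfw-nat-ip for the 1.1.1.1 flow and trust-to-untrust-common for any other destination; if the catch-all is listed first in step 5, the insert did not take effect.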