MMcD, thanks for your fast reply, but ...
@MMcD wrote:
To log traffic denied by System Default Policy have a read of this kb:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB20778
I did exactly that.
I meant this when saying "Each of these zones have a final policy to deny everything and log it at the end using apply-groups", but maybe I was not clear enough.
This solution works fine as long as you have a policy for that traffic.
E.g. if you have at least defined one policy in "from-zone Zone-A to-zone Zone-B" and the denied traffic wants to flow from Zone-A to Zone-B.
But if I have traffic that wants to traverse from Zone-B to Zone-C and I have no policies defined "from-zone Zone-B to-zone Zone-C", the packets will be dropped but there will be no log of that event.
If you have only 3 zones, it is easy to define a policy for each relation (A->B, A->C, B->A, B->C, C->A, C->B) and put a deny in those policies that do not need a permit. But if you have 5 zones you'll need 5*4=20 policies, and with 10 zones 10*9=90 policies. That won't scale well.
We usually have 8 to 10 zones per SRX240 and configs will look complex that way.
So I am looking for something that logs traffic that is dropped because of the lack of a policy between the involved zones.
- Steffen
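An added example (not part of the thread, and not Juniper's code) that audits the blind spot Steffen describes: it lists the from-zone/to-zone contexts that have no policy at all, where drops go unlogged, and generates the explicit deny+log "set" commands for just those contexts, so the n*(n-1) pairs do not have to be typed by hand. The zone names and configured contexts are constructed sample data.

```python
from itertools import permutations

# Constructed sample: zones on the SRX and the from-zone/to-zone contexts that
# already hold at least one policy (so an apply-group deny+log applies there).
ZONES = ["Zone-A", "Zone-B", "Zone-C"]
CONFIGURED_CONTEXTS = [("Zone-A", "Zone-B"), ("Zone-B", "Zone-A")]


def missing_contexts(zones, configured):
    """Return ordered (from, to) zone pairs that have no policy context.

    Traffic matching such a pair is dropped by the default policy without a
    log entry, which is the gap described in the thread.
    """
    have = set(configured)
    return [(src, dst) for src, dst in permutations(sorted(zones), 2)
            if (src, dst) not in have]


def deny_log_commands(pairs, policy_name="deny-all-log"):
    """Emit Junos 'set' commands adding an explicit deny+log policy per pair.

    This mirrors the per-context workaround from the thread; generating the
    commands keeps 8 to 10 zones (up to 90 contexts) manageable.
    """
    cmds = []
    for src, dst in pairs:
        base = (f"set security policies from-zone {src} to-zone {dst} "
                f"policy {policy_name}")
        cmds.extend([
            f"{base} match source-address any",
            f"{base} match destination-address any",
            f"{base} match application any",
            f"{base} then deny",
            f"{base} then log session-init",
        ])
    return cmds


if __name__ == "__main__":
    gaps = missing_contexts(ZONES, CONFIGURED_CONTEXTS)
    print(f"{len(gaps)} zone pairs drop traffic without logging: {gaps}")
    print("\n".join(deny_log_commands(gaps)))
```

Feeding the generated commands through "load set" gives every uncovered context a logging deny policy without touching the contexts that already exist.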