SRX

I have SRX240 installed on Edge loc. And SRX3600, Server Iron 450 in my server room. The topology is as

||SRX240||------------------<VPN>--------------------------||SRX3600||------||ServerIron450||

[edit]
root@SRX-240-SW# show security policies from-zone ServerRoom to-zone Vlan-1 | display set
set security policies from-zone ServerRoom to-zone Vlan-1 policy SR-V1 match source-address Websphere
set security policies from-zone ServerRoom to-zone Vlan-1 policy SR-V1 match destination-address Vlan-1-TFC
set security policies from-zone ServerRoom to-zone Vlan-1 policy SR-V1 match application any
set security policies from-zone ServerRoom to-zone Vlan-1 policy SR-V1 then permit

[edit]
root@SRX-8900-SW# show | match Edge-Sw| display set
set security policies from-zone WAN to-zone WSphere policy Edge-Sw-WSphere match source-address Edge-Sw
set security policies from-zone WAN to-zone WSphere policy Edge-Sw-WSphere match destination-address WSphere-Fog-3
set security policies from-zone WAN to-zone WSphere policy Edge-Sw-WSphere match application any
set security policies from-zone WAN to-zone WSphere policy Edge-Sw-WSphere then permit

Note: both are two way policies. i have just showed one side

SRX3600 is my aggrigate firewall

ServerIron 450 is my LBR

The Gateway of my Websphere, Windows and other applications are defined on LBR. Once I ping the Websphere Gateway 10.89.224.254 from Edge is shows normal response. But the problem is it also allows other traffic ping through as

[edit]
root@SRX-240-SW# run ping 10.89.225.254 source 10.91.212.1
PING 10.89.225.254 (10.89.225.254): 56 data bytes
64 bytes from 10.89.225.254: icmp_seq=0 ttl=61 time=4.586 ms
64 bytes from 10.89.225.254: icmp_seq=1 ttl=61 time=3.273 ms
64 bytes from 10.89.225.254: icmp_seq=2 ttl=61 time=6.266 ms
^C
--- 10.89.225.254 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.273/4.708/6.266/1.225 ms

[edit]
root@SRX-240-SW# run ping 10.89.226.254 source 10.91.212.1
PING 10.89.226.254 (10.89.226.254): 56 data bytes
64 bytes from 10.89.226.254: icmp_seq=0 ttl=62 time=3.539 ms
64 bytes from 10.89.226.254: icmp_seq=1 ttl=62 time=3.633 ms
64 bytes from 10.89.226.254: icmp_seq=2 ttl=62 time=3.813 ms
^C
--- 10.89.226.254 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.539/3.662/3.813/0.114 ms

[edit]
root@SRX-240-SW# run ping 10.89.227.254 source 10.91.212.1
PING 10.89.227.254 (10.89.227.254): 56 data bytes
64 bytes from 10.89.227.254: icmp_seq=0 ttl=62 time=3.187 ms
64 bytes from 10.89.227.254: icmp_seq=1 ttl=62 time=2.650 ms
64 bytes from 10.89.227.254: icmp_seq=2 ttl=62 time=2.812 ms
^C
--- 10.89.227.254 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 2.650/2.883/3.187/0.225 ms

Can you confirm which policy is hit for this traffic using below steps

1. Initiate Ping " ping 10.89.227.254 source 10.91.212.1"

2.Check the session tabel entry using below command

root@SRX-240-SW> show security flow session source-prefix 10.91.212.1 destination-prefix 10.89.227.254 protocol icmp 

3. Check the " Policy name:" next to Session ID

how dit you put in the address allowed in the address book ? as /32 or as a bigger subnet ?

I'm guessing their is an other policy that is allowing the traffic as  rsuraj suggested or  that the address book entry is faulty

O thanks alot. I had a Default policy of permit all. i missed it completely. now after removing it the issue is resolved. 

Great that you have found your problem 🙂