SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX240 Self-traffic-policy

    Posted 05-19-2015 01:22

    Hi everyone !

    I just created address-book-based security policies allowing only specific subnets from my SRX240 and denying all others via the default policy deny-all. But the problem is I can still ping other networks which are not allowed in the policy. When I looked at the policy that was allowing the traffic using "show security flow sessions", I saw the "self-traffic-policy" as reproduced below.


    Session ID: 25063, Policy name: self-traffic-policy/1, Timeout: 4, Valid
    In: 192.168.1.2/6 --> 172.16.20.2/1720;icmp, If: .local..0, Pkts: 1, Bytes: 84
    Out: 172.16.20.2/1720 --> 192.168.1.2/6;icmp, If: st0.0, Pkts: 1, Bytes: 84


    This is my first ever post; your help and support is anticipated and will be appreciated.



  • 2.  RE: SRX240 Self-traffic-policy

    Posted 05-19-2015 01:31

    Hello ,

     

    The security policy is for transit traffic traversing the SRX firewall. As per the session details, I see that you are initiating the traffic from the device, for which the normal security policy does not apply; it will take the self-generated traffic policy (by default) since this is host-generated traffic or system-generated traffic.




  • 3.  RE: SRX240 Self-traffic-policy

    Posted 05-19-2015 02:17

    Joses, thank you very much for your quick response!

     

    You are right, I generated the traffic from the device, but while pinging the remote server I chose the L3 gateway of the LAN devices attached to the SRX240 as source, i.e. "ping 172.16.20.2 source 192.168.1.2" (L3 gateway of the LAN PCs). If it is accessible from the gateway, it will surely be accessible from the PCs as well? Attached is a picture showing the layout of the network. Further clarification and a solution will be appreciated.




  • 4.  RE: SRX240 Self-traffic-policy
    Best Answer

    Posted 05-19-2015 02:48

    Hello ,


    Thanks for the update. Even if you source the packet originated from the device with the Trust interface IP, it will take the self-traffic policy since the packet is generated from the RE. Only the source IP changes from the Untrust interface IP to the Trust IP.


    But this is not the case if the packet is generated from the LAN host machine. It will do an actual policy lookup and will be blocked as per the security policy rule.


    Please test the same from a host machine and check if it's getting blocked. If not, let us know.
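A small checker for the behaviour described in this reply, added here as an example and not part of the original thread: it parses the "show security flow session" output format quoted above and flags sessions that matched self-traffic-policy (or entered on the .local. interface), so a ping sourced from the SRX itself is recognized as host-generated before it is taken as evidence that a configured policy permits or blocks a LAN subnet. The second session and the policy name lan-to-server are constructed, not from the thread.

```python
import re

# Constructed sample in the format of the "show security flow session" output quoted in
# the thread; the second session is made up to show what a LAN-host flow looks like.
SAMPLE_SESSIONS = """\
Session ID: 25063, Policy name: self-traffic-policy/1, Timeout: 4, Valid
  In: 192.168.1.2/6 --> 172.16.20.2/1720;icmp, If: .local..0, Pkts: 1, Bytes: 84
  Out: 172.16.20.2/1720 --> 192.168.1.2/6;icmp, If: st0.0, Pkts: 1, Bytes: 84
Session ID: 25081, Policy name: lan-to-server/4, Timeout: 2, Valid
  In: 192.168.1.50/7 --> 172.16.20.2/1722;icmp, If: vlan.0, Pkts: 1, Bytes: 84
  Out: 172.16.20.2/1722 --> 192.168.1.50/7;icmp, If: st0.0, Pkts: 1, Bytes: 84
"""

SESSION_RE = re.compile(r"^Session ID: (?P<sid>\d+), Policy name: (?P<policy>.+?)/\d+,")
FLOW_RE = re.compile(
    r"^\s*(?P<dir>In|Out): (?P<src>[\d.]+)/\d+ --> (?P<dst>[\d.]+)/\d+;(?P<proto>\w+),"
    r" If: (?P<ifname>\S+?),"
)

def parse_sessions(text):
    """Parse session blocks into dicts with id, policy name and In/Out flow details."""
    sessions, current = [], None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            current = {"id": int(m["sid"]), "policy": m["policy"], "flows": {}}
            sessions.append(current)
            continue
        m = FLOW_RE.match(line)
        if m and current is not None:
            current["flows"][m["dir"]] = {"src": m["src"], "dst": m["dst"],
                                         "proto": m["proto"], "if": m["ifname"]}
    return sessions

def classify(session):
    """'self' when the SRX itself (the RE) originated the traffic, so no configured
    policy was evaluated; 'transit' when a host behind the SRX did and the policy set applied."""
    inbound = session["flows"].get("In", {})
    if session["policy"] == "self-traffic-policy" or inbound.get("if", "").startswith(".local."):
        return "self"
    return "transit"

def audit(text):
    """Return {session id: (policy, verdict)} so a ping test can be judged valid or not."""
    return {s["id"]: (s["policy"], classify(s)) for s in parse_sessions(text)}

if __name__ == "__main__":
    for sid, (policy, verdict) in audit(SAMPLE_SESSIONS).items():
        print(f"session {sid}: policy={policy} verdict={verdict}")
```

Only sessions reported as "transit" say anything about the configured policy set; a "self" verdict means the test must be repeated from a host behind the firewall.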



  • 5.  RE: SRX240 Self-traffic-policy

    Posted 05-19-2015 03:18

    Thanks man !

    Your answer makes sense. I will confirm it by pinging the server from a LAN device and mark your reply as the accepted solution. In the meantime, if you have a link to some study material regarding this self-traffic-policy for my own learning, it will be appreciated.

    Regards




  • 6.  RE: SRX240 Self-traffic-policy



  • 7.  RE: SRX240 Self-traffic-policy

    Posted 05-19-2015 04:04

    Thanks man!


    You were right, security policies are applied to the transit traffic through the firewall, not the traffic generated on the firewall.