SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Security Policies did not work with Global Address Book

    Posted 04-10-2014 18:58

    Hi everyone,

    Please help me with this problem, it has made me crazy. Here is my configuration:


     - Create application and application-set

    set applications application AD-CLT-DC-UDP-DOMAIN protocol udp
    set applications application AD-CLT-DC-UDP-DOMAIN destination-port domain
    set applications application-set AD-CLT-DC-UDP application AD-CLT-DC-UDP-DOMAIN

     - Create global address book include address and address-set

    set security address-book global address BR-GR-WTD-01 10.130.72.0/22
    set security address-book global address-set BR-GR-WTD address BR-GR-WTD-01

    set security address-book global address HQ-GR-DC-01 10.0.36.0/24
    set security address-book global address HQ-GR-DC-02 10.4.36.0/24
    set security address-book global address-set HQ-GR-DC address HQ-GR-DC-01
    set security address-book global address-set HQ-GR-DC address HQ-GR-DC-02

     - Create security policies

    set security policies from-zone trust to-zone untrust policy AD-CLT-DC-UDP match source-address BR-GR-WTD
    set security policies from-zone trust to-zone untrust policy AD-CLT-DC-UDP match destination-address HQ-GR-DC
    set security policies from-zone trust to-zone untrust policy AD-CLT-DC-UDP match application AD-CLT-DC-UDP
    set security policies from-zone trust to-zone untrust policy AD-CLT-DC-UDP then permit
    set security policies from-zone trust to-zone untrust policy AD-CLT-DC-UDP then log session-close

    set security policies from-zone untrust to-zone trust policy PermitAll match source-address any
    set security policies from-zone untrust to-zone trust policy PermitAll match destination-address any
    set security policies from-zone untrust to-zone trust policy PermitAll match application any
    set security policies from-zone untrust to-zone trust policy PermitAll then permit
    set security policies from-zone untrust to-zone trust policy PermitAll then log session-close

    - Here is the log file

    Apr 11 01:44:06  R903-PGD-ThaoDien RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed unset: 10.143.72.70/49857->10.0.36.34/53 junos-dns-udp 10.143.72.70/49857->10.0.36.34/53 None None 17 PermitAll trust untrust 19134 2(144) 1(83) 11 UNKNOWN UNKNOWN N/A(N/A) vlan.0
    Apr 11 01:44:06  R903-PGD-ThaoDien RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed unset: 10.143.72.75/52918->10.4.36.31/53 junos-dns-udp 10.143.72.75/52918->10.4.36.31/53 None None 17 PermitAll trust untrust 19123 2(144) 1(94) 10 UNKNOWN UNKNOWN N/A(N/A) vlan.0
    Apr 11 01:44:06  R903-PGD-ThaoDien RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed unset: 10.143.72.75/52918->10.4.36.32/53 junos-dns-udp 10.143.72.75/52918->10.4.36.32/53 None None 17 PermitAll trust untrust 19125 2(144) 1(83) 9 UNKNOWN UNKNOWN N/A(N/A) vlan.0
    Apr 11 01:44:08  R903-PGD-ThaoDien RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed unset: 10.143.72.70/49857->10.4.36.33/53 junos-dns-udp 10.143.72.70/49857->10.4.36.33/53 None None 17 PermitAll trust untrust 19113 2(144) 1(83) 13 UNKNOWN UNKNOWN N/A(N/A) vlan.0

    That's my problem. I don't understand why the first policy is not matched. Can anyone give me any ideas?



  • 2.  RE: Security Policies did not work with Global Address Book

    Posted 04-10-2014 22:01

    If we look at the flow:

    Apr 11 01:44:06  R903-PGD-ThaoDien RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed unset: 10.143.72.70/49857->10.0.36.34/53 junos-dns-udp 10.143.72.70/49857->10.0.36.34/53 None None 17 PermitAll trust untrust 19134 2(144) 1(83) 11 UNKNOWN UNKNOWN N/A(N/A) vlan.0

    A couple of points:

    1. The source ip 10.143.72.70 does not match the AD-CLT-DC-UDP policy.

    2. This flow is from which zone to which zone?

    3. The two policies mentioned below:

    AD-CLT-DC-UDP ----> is from trust to untrust zone

    PermitAll  ----> is from untrust to trust zone

    So we need to look at the flow direction, which zone it comes in on and which zone it should go out of, and at the policies between these zones accordingly.

    Thanks,

    SHKM



  • 3.  RE: Security Policies did not work with Global Address Book
    Best Answer

    Posted 04-10-2014 22:07

    1. IP address 10.143.72.70 does not fall within subnet 10.130.72.0/22.
    Hence you are not matching the first policy.

    2. Also, as Suresh highlighted, the configured policy is between the untrust and trust zones.
    But in the logs, packets are flowing between the trust and untrust zones.

    Regards,
    Raveen
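The two checks in the replies above (is the logged source inside the policy's address-set, and is the logged policy even defined for the logged zone pair) can be automated so they do not have to be done by eye. The script below is an added example, not code from the thread or from Juniper: it parses the address book and the address terms of the two policies from their `set` form, parses one of the RT_FLOW_SESSION_CLOSE lines from the first post, and reports which policy in the logged zone pair would match on addresses alone and why the others do not. It goes a little beyond the thread in that it follows nested address-sets and evaluates policies in configuration order. It ignores applications, only understands the `any` keyword among the built-in address names, and the function names (`parse_config`, `resolve`, `parse_session_close`, `audit`) and the field layout assumed for RT_FLOW_SESSION_CLOSE are my own; the configuration and log line are copied from the post as constructed input.

```python
import ipaddress
import re

# Constructed input: the thread's address book and the address terms of its two
# policies, in Junos "set" form (applications are deliberately left out).
CONFIG = """\
set security address-book global address BR-GR-WTD-01 10.130.72.0/22
set security address-book global address-set BR-GR-WTD address BR-GR-WTD-01
set security address-book global address HQ-GR-DC-01 10.0.36.0/24
set security address-book global address HQ-GR-DC-02 10.4.36.0/24
set security address-book global address-set HQ-GR-DC address HQ-GR-DC-01
set security address-book global address-set HQ-GR-DC address HQ-GR-DC-02
set security policies from-zone trust to-zone untrust policy AD-CLT-DC-UDP match source-address BR-GR-WTD
set security policies from-zone trust to-zone untrust policy AD-CLT-DC-UDP match destination-address HQ-GR-DC
set security policies from-zone untrust to-zone trust policy PermitAll match source-address any
set security policies from-zone untrust to-zone trust policy PermitAll match destination-address any
"""

# Constructed input: the first session-close line from the original post.
LOG = ("Apr 11 01:44:06  R903-PGD-ThaoDien RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed unset: "
       "10.143.72.70/49857->10.0.36.34/53 junos-dns-udp 10.143.72.70/49857->10.0.36.34/53 "
       "None None 17 PermitAll trust untrust 19134 2(144) 1(83) 11 UNKNOWN UNKNOWN N/A(N/A) vlan.0")

ADDR_RE = re.compile(r"^set security address-book global address (\S+) (\S+)$")
SET_RE = re.compile(r"^set security address-book global address-set (\S+) (?:address|address-set) (\S+)$")
POL_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
                    r"match (source-address|destination-address) (\S+)$")
# Assumed RT_FLOW_SESSION_CLOSE field order: original tuple, service, NAT tuple,
# NAT rule names, protocol number, then policy name, source zone, destination zone.
CLOSE_RE = re.compile(
    r"RT_FLOW_SESSION_CLOSE: session closed [^:]+: "
    r"(?P<src>[\d.]+)/\d+->(?P<dst>[\d.]+)/\d+ \S+ [\d.]+/\d+->[\d.]+/\d+ \S+ \S+ \d+ "
    r"(?P<policy>\S+) (?P<from_zone>\S+) (?P<to_zone>\S+) ")

def parse_config(text):
    """Parse set commands into (addresses, address_sets, policies). Policies keep
    config order, which is the order the SRX evaluates them within a zone pair."""
    addresses, address_sets, policies, index = {}, {}, [], {}
    for line in (l.strip() for l in text.splitlines()):
        if m := ADDR_RE.match(line):
            addresses[m[1]] = ipaddress.ip_network(m[2], strict=False)
        elif m := SET_RE.match(line):
            address_sets.setdefault(m[1], []).append(m[2])
        elif m := POL_RE.match(line):
            key = (m[1], m[2], m[3])
            if key not in index:
                index[key] = {"from_zone": m[1], "to_zone": m[2], "name": m[3],
                              "source-address": [], "destination-address": []}
                policies.append(index[key])
            index[key][m[4]].append(m[5])
    return addresses, address_sets, policies

def resolve(name, addresses, address_sets, seen=()):
    """Expand an address or address-set name into networks: nested sets are
    followed, 'any' becomes 0.0.0.0/0, an unknown name raises KeyError."""
    if name == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if name in addresses:
        return [addresses[name]]
    if name in address_sets and name not in seen:
        return [net for member in address_sets[name]
                for net in resolve(member, addresses, address_sets, seen + (name,))]
    raise KeyError(f"unknown address or address-set: {name}")

def parse_session_close(line):
    """Pull the fields this check needs out of one RT_FLOW_SESSION_CLOSE line."""
    m = CLOSE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["src"], d["dst"] = ipaddress.ip_address(d["src"]), ipaddress.ip_address(d["dst"])
    return d

def audit(line, cfg):
    """For one session-close line, report which policy in the logged zone pair
    matches on addresses alone, why the others do not, and whether the policy
    name the SRX logged is configured for that zone pair at all."""
    addresses, address_sets, policies = cfg
    e = parse_session_close(line)
    pair = (e["from_zone"], e["to_zone"])
    in_pair = [p for p in policies if (p["from_zone"], p["to_zone"]) == pair]
    expected, reasons = None, []
    for p in in_pair:
        for side, ip in (("source", e["src"]), ("destination", e["dst"])):
            nets = [n for name in p[f"{side}-address"] for n in resolve(name, addresses, address_sets)]
            if not any(ip in n for n in nets):
                reasons.append(f"{p['name']}: {side} {ip} is outside " + ", ".join(map(str, nets)))
                break
        else:  # both sides matched: first match wins, as on the SRX
            expected = p["name"]
            break
    return {"zone_pair": "->".join(pair), "logged_policy": e["policy"],
            "logged_policy_in_pair": any(p["name"] == e["policy"] for p in in_pair),
            "expected_policy": expected, "reasons": reasons}

if __name__ == "__main__":
    print(audit(LOG, parse_config(CONFIG)))
```

Run against the thread's line it reports `expected_policy: None` with the reason `AD-CLT-DC-UDP: source 10.143.72.70 is outside 10.130.72.0/22`, and `logged_policy_in_pair: False` because PermitAll is only configured for untrust to trust while the log shows trust to untrust, which is exactly what both replies point out. Feeding it the `show configuration | display set` output and a syslog extract is enough to run the same check over a whole day of session logs.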