SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Default policy is deny all, why is there still traffic permitted by the default policy on SRX 1400 chassis cluster

    Posted 08-25-2015 11:28
    Default policy on the FW:
    
    set groups global-policy security policies from-zone <*> to-zone <*> policy Default-Log-Drop match source-address any
    set groups global-policy security policies from-zone <*> to-zone <*> policy Default-Log-Drop match destination-address any
    set groups global-policy security policies from-zone <*> to-zone <*> policy Default-Log-Drop match application any
    set groups global-policy security policies from-zone <*> to-zone <*> policy Default-Log-Drop then deny
    set groups global-policy security policies from-zone <*> to-zone <*> policy Default-Log-Drop then log session-init
    
    But when I check the session flow, I can see that there is still traffic permitted by the default policy. Why, and how can I fix it?
    
    
    
    show security flow session destination-prefix A.A.A.A source-prefix B.B.B.B  
    node0:
    --------------------------------------------------------------------------
    
    Flow Sessions on FPC1 PIC0:
    
    Session ID: 20004368, Policy name: default-policy-00/2, State: Active, Timeout: 2, Valid
      In: B.B.B.B/19 --> A.A.A.A/30794;icmp, If: reth0.902, Pkts: 1, Bytes: 100
      Out: A.A.A.A/30794 --> B.B.B.B/19;icmp, If: reth1.802, Pkts: 1, Bytes: 100
    
    Session ID: 20104835, Policy name: default-policy-00/2, State: Active, Timeout: 2, Valid
      In: B.B.B.B/18 --> A.A.A.A/30794;icmp, If: reth0.902, Pkts: 1, Bytes: 100
      Out: A.A.A.A/30794 --> B.B.B.B/18;icmp, If: reth1.802, Pkts: 1, Bytes: 100
    
    Session ID: 20235181, Policy name: default-policy-00/2, State: Active, Timeout: 4, Valid
      In: B.B.B.B/20 --> A.A.A.A/30794;icmp, If: reth0.902, Pkts: 1, Bytes: 100
      Out: A.A.A.A/30794 --> B.B.B.B/20;icmp, If: reth1.802, Pkts: 1, Bytes: 100
    
    Session ID: 20245902, Policy name: default-policy-00/2, State: Active, Timeout: 2, Valid
      In: B.B.B.B/17 --> A.A.A.A/30794;icmp, If: reth0.902, Pkts: 1, Bytes: 100
      Out: A.A.A.A/30794 --> B.B.B.B/17;icmp, If: reth1.802, Pkts: 1, Bytes: 100


  • 2.  RE: Default policy is deny all, why is there still traffic permitted by the default policy on SRX 1400 chassis cluster

    Posted 08-25-2015 12:16

    Hey,

     

    1- Try to run this command: show security policies detail

    2- Try to disable any filter enabled on the SRX.

    3- Check if you're crossing zones when you try to ping from source to destination.

    4- If you're trying to ping after a factory default reset of the chassis, then it will allow all outgoing traffic initiated from inside and block all incoming traffic initiated from outside.

    5- Check the host-inbound-traffic > system-services, if there are services like ping enabled. You might be trying to ping yourself.

    6- Check if you're trying to ping from the interface itself. That also depends on the host-inbound-traffic.

     

     



  • 3.  RE: Default policy is deny all, why is there still traffic permitted by the default policy on SRX 1400 chassis cluster

    Posted 08-25-2015 13:43

    1. show security policy detail command output below. So that means the default policy is permit all? But I have configured deny all, how come?

    2. There is no filter on the firewall.

    3. Ping across zones.

    4. The destination IP is behind the FW, not an interface of the FW, and the source is in the Internet.

     

    show security policy detail, first few lines of output:
    Default policy: permit-all
    Policy: Gi-to-WebDNS, action-type: permit, State: enabled, Index: 4, Scope Policy: 0
      Policy Type: Configured
      Sequence number: 1
      From zone: Zone-Gi-Network, To zone: Zone-DMZ-DNS-Ext
    
    So that means the default policy on the FW is permit all? But I already configured deny all. How come?



  • 4.  RE: Default policy is deny all, why is there still traffic permitted by the default policy on SRX 1400 chassis cluster
    Best Answer

     
    Posted 08-25-2015 13:57

    I believe you have "set security policies default-policy permit-all" configured.

     

    Default setting is "set security policies default-policy deny-all".

     

    Can you try making this config change? And give it another try?

     

     

    Regards,

    Sam



  • 5.  RE: Default policy is deny all, why is there still traffic permitted by the default policy on SRX 1400 chassis cluster

     
    Posted 08-25-2015 14:06

    Also, I believe you need to apply the config: 

     

    set security policies apply-groups global-policy 

     

    to enable the policies you created.

     

     

     

    Regards,

    Sam



  • 6.  RE: Default policy is deny all, why is there still traffic permitted by the default policy on SRX 1400 chassis cluster

    Posted 08-25-2015 15:22

    It is the problem you said. Someone else configured this command, and I didn't see it until you told me. Thank you to all of you.



  • 7.  RE: Default policy is deny all, why is there still traffic permitted by the default policy on SRX 1400 chassis cluster

     
    Posted 08-25-2015 13:20

    Hi,

     

    You have shown a group configuration with wildcards but not the apply group to confirm that it is actually applied.

     

    Tim



  • 8.  RE: Default policy is deny all, why is there still traffic permitted by the default policy on SRX 1400 chassis cluster

    Posted 08-25-2015 13:34
    I applied the group configuration to the node. Here is the complete configuration of the default policy:
    
    
    set groups node0 system host-name INTFW01
    set groups node0 interfaces fxp0 disable
    set groups node1 system host-name INTFW02
    set groups node1 interfaces fxp0 disable
    set groups global-policy security policies from-zone <*> to-zone <*> policy Default-Log-Drop match source-address any
    set groups global-policy security policies from-zone <*> to-zone <*> policy Default-Log-Drop match destination-address any
    set groups global-policy security policies from-zone <*> to-zone <*> policy Default-Log-Drop match application any
    set groups global-policy security policies from-zone <*> to-zone <*> policy Default-Log-Drop then deny
    set groups global-policy security policies from-zone <*> to-zone <*> policy Default-Log-Drop then log session-init
    set apply-groups "${node}"


  • 9.  RE: Default policy is deny all, why is there still traffic permitted by the default policy on SRX 1400 chassis cluster

     
    Posted 08-25-2015 15:18

    Hi,

     

    As I suspected, you do not have the group configuration applied.

     

    The ${node} entry only selects node0 and node1 group configuration.

     

    Add the configuration that samc provided and you should be good to go.

     

    Tim
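The two findings in this thread (a policy group that is defined but never applied, because "${node}" only selects node0/node1, and a default-policy set to permit-all) can be checked mechanically from a set-format configuration. The following audit script is an added example, not code from the thread or from Juniper; the sample configuration it parses is constructed to mirror the posts above.

```python
"""Audit a Junos 'set'-style configuration for the two mistakes discussed in the thread."""
import re

# Constructed sample modelled on the thread's posts (not a real device dump).
SAMPLE_CONFIG = """
set groups node0 system host-name INTFW01
set groups node1 system host-name INTFW02
set groups global-policy security policies from-zone <*> to-zone <*> policy Default-Log-Drop match source-address any
set groups global-policy security policies from-zone <*> to-zone <*> policy Default-Log-Drop then deny
set apply-groups "${node}"
set security policies default-policy permit-all
"""


def parse_config(config):
    """Return (defined_groups, applied_groups, default_policy) from set-format lines."""
    defined, applied = set(), set()
    default_policy = "deny-all"  # factory default when no default-policy line is present
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"set groups (\S+) ", line)
        if m:
            defined.add(m.group(1))
            continue
        m = re.match(r"set apply-groups (.+)", line)
        if m:  # handles both 'set apply-groups x' and 'set apply-groups [ x y ]'
            for name in m.group(1).strip("[] ").split():
                applied.add(name.strip('"'))
            continue
        m = re.match(r"set security policies default-policy (\S+)", line)
        if m:
            default_policy = m.group(1)
    return defined, applied, default_policy


def audit(config):
    """Return a list of findings; an empty list means both checks passed."""
    defined, applied, default_policy = parse_config(config)
    effective = set()
    for group in applied:
        if group == "${node}":  # on a chassis cluster this expands only to node0/node1
            effective |= {g for g in defined if re.fullmatch(r"node[01]", g)}
        else:
            effective.add(group)
    findings = [f"group '{g}' is defined but never applied" for g in sorted(defined - effective)]
    if default_policy == "permit-all":
        findings.append("default-policy is permit-all; unmatched traffic is permitted")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Appending the two corrective lines from posts 4 and 5 (set apply-groups global-policy and set security policies default-policy deny-all) makes the audit return no findings.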