Destination NAT config:
===============================================
destination {
    pool 192_168_1_2_22 {
        address 192.168.1.2/32 port 22;
    }
    rule-set nsw_destnat {
        from zone Internet;
        rule 0_File_Transfer--Internal_22 {
            match {
                source-address 0.0.0.0/0;
                destination-address 0.0.0.0/0;
                destination-port 2222;
            }
            then {
                destination-nat pool 192_168_1_2_22;
            }
        }
    }
}
===============================================
Let's take an example of the below 2 flows:
1. 173.242.121.58/22989->1.1.1.1/2222
2. 173.242.121.58/22989->1.1.1.1/80
When the first packet hits the SRX it matches the destination NAT rule and the traffic becomes 173.242.121.58/22989->192.168.1.2/22. The destination becomes 192.168.1.2 and this becomes non-host-inbound traffic. Thus it hits security policy deny-internet and gets logged.
With the second packet/stream, when it reaches the SRX it won't match the destination NAT rule as the port number is not 2222 (specified in the rule), and the traffic will continue as host-inbound traffic. This will hit the default "self-traffic" policy and there is no logging on these.
And if we create a junos-host policy we will be able to see the logs, as this policy will take preference over the junos-self-traffic policy. Below is a configuration you can try:
set security policies from-zone Internet to-zone junos-host policy lab-test match source-address any
set security policies from-zone Internet to-zone junos-host policy lab-test match destination-address any
set security policies from-zone Internet to-zone junos-host policy lab-test match application any
set security policies from-zone Internet to-zone junos-host policy lab-test then deny
set security policies from-zone Internet to-zone junos-host policy lab-test then log session-close
set security policies from-zone Internet to-zone junos-host policy lab-test then log session-init
You may add the below line for testing to make sure all ports are accepted under host-inbound-services.
set security zones security-zone Internet host-inbound-traffic system-services any-service
I hope this helps.
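The lookup order the answer describes (destination NAT first, then the translated destination deciding whether the session is host-inbound, then policy selection) as a small Python model. This is an added example, not Juniper code and not part of the original post; it simplifies the real SRX flow module (no route lookup and no host-inbound-traffic service check). The zone name "Internal" for 192.168.1.0/24, the treatment of 1.1.1.1 as the SRX's own address, and the policy ordering are assumptions made for the model.

```python
"""Model of the SRX lookup order from the post: destination NAT is applied
first, then the (possibly translated) destination decides whether the session
is host-inbound (to-zone junos-host) or transit, then a security policy is
picked. Added example, not Juniper code; zone names and the self-address set
are constructed for illustration."""
from dataclasses import dataclass, replace
import ipaddress


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    from_zone: str


@dataclass(frozen=True)
class DnatRule:
    """One rule of a destination NAT rule-set: match prefixes/port, then pool."""
    name: str
    from_zone: str
    src_prefix: str
    dst_prefix: str
    dst_port: int
    pool_ip: str
    pool_port: int


@dataclass(frozen=True)
class Policy:
    name: str
    from_zone: str
    to_zone: str
    action: str   # "permit" or "deny"
    log: bool     # whether session-init/session-close logging is configured


def _in(prefix: str, ip: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix, strict=False)


def apply_destination_nat(flow: Flow, rules):
    """Return (flow after DNAT, matched rule name or None). First match wins."""
    for r in rules:
        if (flow.from_zone == r.from_zone
                and _in(r.src_prefix, flow.src_ip)
                and _in(r.dst_prefix, flow.dst_ip)
                and flow.dst_port == r.dst_port):
            return replace(flow, dst_ip=r.pool_ip, dst_port=r.pool_port), r.name
    return flow, None


def lookup_policy(flow: Flow, self_addresses, zone_of, policies) -> Policy:
    """A destination that is one of the SRX's own addresses is host-inbound and
    is matched against to-zone junos-host; with no junos-host policy configured
    the default self-traffic policy applies, which carries no logging."""
    to_zone = "junos-host" if flow.dst_ip in self_addresses else zone_of(flow.dst_ip)
    for p in policies:
        if p.from_zone == flow.from_zone and p.to_zone == to_zone:
            return p
    if to_zone == "junos-host":
        return Policy("default-self-traffic", flow.from_zone, "junos-host", "permit", log=False)
    return Policy("default-deny", flow.from_zone, to_zone, "deny", log=False)


def classify(flow, dnat_rules, self_addresses, zone_of, policies) -> dict:
    nat_flow, rule = apply_destination_nat(flow, dnat_rules)
    pol = lookup_policy(nat_flow, self_addresses, zone_of, policies)
    return {"dnat_rule": rule,
            "destination": f"{nat_flow.dst_ip}/{nat_flow.dst_port}",
            "policy": pol.name, "action": pol.action, "logged": pol.log}


# Constructed configuration mirroring the post's NAT rule and policies.
DNAT_RULES = [DnatRule("0_File_Transfer--Internal_22", "Internet",
                       "0.0.0.0/0", "0.0.0.0/0", 2222, "192.168.1.2", 22)]
SELF_ADDRESSES = {"1.1.1.1"}   # assumed: the SRX's own Internet-facing address
POLICIES = [Policy("deny-internet", "Internet", "Internal", "deny", log=True)]
LAB_TEST = Policy("lab-test", "Internet", "junos-host", "deny", log=True)


def zone_of(ip: str) -> str:
    """Assumed: 192.168.1.0/24 sits in a zone named Internal."""
    return "Internal" if _in("192.168.1.0/24", ip) else "Internet"


FLOW_SSH = Flow("173.242.121.58", 22989, "1.1.1.1", 2222, "Internet")   # flow 1
FLOW_HTTP = Flow("173.242.121.58", 22989, "1.1.1.1", 80, "Internet")    # flow 2

if __name__ == "__main__":
    for f in (FLOW_SSH, FLOW_HTTP):
        print(f, "->", classify(f, DNAT_RULES, SELF_ADDRESSES, zone_of, POLICIES))
    print("with junos-host policy:",
          classify(FLOW_HTTP, DNAT_RULES, SELF_ADDRESSES, zone_of, POLICIES + [LAB_TEST]))
```

Running it shows flow 1 being translated to 192.168.1.2/22 and landing on the logged deny-internet policy, flow 2 staying untranslated and landing on the unlogged default self-traffic policy, and flow 2 landing on the logged lab-test policy once a junos-host policy is present.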