SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

policy based permit

  • 1.  policy based permit

    Posted 08-03-2015 04:58

    Hello,

    I would like to permit only the Google and Gmail domains for 192.168.90.0/24 (trust-wireless), but neither comes out. My configuration is as follows:


    -----------------------------

    Apply Policy

    policy trust-wireless-to-limitedWebsite {
        match {
            source-address any;
            destination-address [ Google-5 Google-4 Google-3 www.gmail.com www.google.com www.google.com.mm www.google.com.sg www.google.com.hk googlemail.l.google.com Google-1 Google-2 ocsp.thawte.com ocsp.verisign.net chatenabled.mail.google.com etherx.jabber.org filetransferenabled.mail.google.com talkgadget.google.com talk.google.com talkx.l.google.com mail-attachement.googleusercontent.com Google-6 Gtalk Google-DNS01 ];
            application any;
            source-identity any;
        }
        then {
            permit;
        }
    }


    ------------------------------

    address and address-set

    security-zone untrust {
        address-book {
            address Google-DNS02 8.8.8.4/32;
            address Google-DNS01 8.8.8.8/32;
        }
    }
    address www.gmail.com {
        dns-name www.gmail.com {
            ipv4-only;
        }
    }
    address mail.google.com {
        dns-name mail.google.com {
            ipv4-only;
        }
    }
    address www.google.com {
        dns-name www.google.com {
            ipv4-only;
        }
    }
    address www.google.com.mm {
        dns-name www.google.com.mm {
            ipv4-only;
        }
    }
    address www.google.com.sg {
        dns-name www.google.com.sg {
            ipv4-only;
        }
    }
    address www.google.com.hk {
        dns-name www.google.com.hk {
            ipv4-only;
        }
    }
    address googlemail.l.google.com {
        dns-name googlemail.l.google.com {
            ipv4-only;
        }
    }
    address Google-1 74.125.71.0/24;
    address Google-2 74.125.236.0/24;
    address ocsp.thawte.com {
        dns-name ocsp.thawte.com {
            ipv4-only;
        }
    }
    address Google-3 74.125.235.0/24;
    address chatenabled.mail.google.com {
        dns-name chatenabled.mail.google.com {
            ipv4-only;
        }
    }
    address etherx.jabber.org {
        dns-name etherx.jabber.org {
            ipv4-only;
        }
    }
    address filetransferenabled.mail.google.com {
        dns-name filetransferenabled.mail.google.com {
            ipv4-only;
        }
    }
    address talkgadget.google.com {
        dns-name talkgadget.google.com {
            ipv4-only;
        }
    }
    address talk.google.com {
        dns-name talk.google.com {
            ipv4-only;
        }
    }
    address talkx.l.google.com {
        dns-name talkx.l.google.com {
            ipv4-only;
        }
    }
    address Google-4 209.85.148.0/24;
    address mail-attachement.googleusercontent.com {
        dns-name mail-attachment.googleusercontent.com {
            ipv4-only;
        }
    }
    address Google-5 64.233.183.0/24;
    address intranet.ttinteractive.com {
        dns-name intranet.ttinteractive.com {
            ipv4-only;
        }
    }
    address tropicalstormrisk.com {
        dns-name tropicalstormrisk.com {
            ipv4-only;
        }
    }
    address www.intellicast.com {
        dns-name www.intellicast.com {
            ipv4-only;
        }
    }
    address www.tmd.go.th.com {
        dns-name www.tmd.go.th {
            ipv4-only;
        }
    }
    address www.tmd.go.th {
        dns-name www.tmd.go.th {
            ipv4-only;
        }
    }
    address www.hko.gov.hk {
        dns-name www.hko.gov.hk {
            ipv4-only;
        }
    }
    address Google-6 173.194.38.0/24;
    }
    address-set DNS-Servers {
        address Google-DNS01;
        address Google-DNS02;
    }
    address-set Gtalk {
        address talkx.l.google.com;
        address talkgadget.google.com;
        address talk.google.com;
        address filetransferenabled.mail.google.com;
        address etherx.jabber.org;
        address chatenabled.mail.google.com;
    }
    address-set Weather-websites {
        address tropicalstormrisk.com;
        address www.intellicast.com;
        address www.tmd.go.th;
        address www.hko.gov.hk;
        address www.aviationweather.gov;
    }


    thanks,

    George



  • 2.  RE: policy based permit

    Posted 08-03-2015 05:14

    Hello,

    Check if the policy element (DNS name) is resolving the URL to an IP:

    > show security policy trust-wireless-to-limitedWebsite

    Also please check the session in the firewall:

    > show security flow session source-prefix <client machine IP>

    Make sure NAT is in place.




  • 3.  RE: policy based permit

    Posted 08-03-2015 05:26

    Hello,

    I have checked; NAT is okay.

    Please check the following:

    root@GW-01> ... policy-name trust-wireless-to-limitedWebsite
    From zone: trust-wireless, To zone: untrust
    Policy: trust-wireless-to-limitedWebsite, State: enabled, Index: 9, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: TTI, Weather-websites, Google-5, Google-4,
    Google-3, www.gmail.com, www.google.com, www.google.com.mm,
    www.google.com.sg, www.google.com.hk, googlemail.l.google.com, Google-1,
    Google-2, ocsp.thawte.com, ocsp.verisign.net, www.airmandalay.com,
    chatenabled.mail.google.com, etherx.jabber.org,
    filetransferenabled.mail.google.com, talkgadget.google.com,
    talk.google.com, talkx.l.google.com,
    mail-attachement.googleusercontent.com, Google-6, Gtalk, Google-DNS01
    Applications: any
    Source identities: any
    Action: permit

    ------------

    root@GW-01> show security flow session source-prefix 192.168.90.11
    Session ID: 54651, Policy name: trust-wireless-to-server/14, Timeout: 32, Valid
    In: 192.168.90.11/137 --> 192.1.254.251/137;udp, If: vlan.90, Pkts: 21, Bytes: 1800
    Out: 192.1.254.251/137 --> 192.168.90.11/137;udp, If: vlan.254, Pkts: 0, Bytes: 0

    Session ID: 116312, Policy name: trust-wireless-to-server/14, Timeout: 38, Valid
    In: 192.168.90.11/137 --> 192.1.254.100/137;udp, If: vlan.90, Pkts: 17, Bytes: 1488
    Out: 192.1.254.100/137 --> 192.168.90.11/137;udp, If: vlan.254, Pkts: 0, Bytes: 0
    Total sessions: 2


    thanks,

    George



  • 4.  RE: policy based permit

    Posted 08-03-2015 05:33

    Hello,

    Please provide:

    > show security policy trust-wireless-to-limitedWebsite detail

    Also initiate a web session and try the session command again to check if the web traffic is working or creating the session.

    Otherwise we need to create a flow traceoption and check.



  • 5.  RE: policy based permit

    Posted 08-03-2015 05:35

    Hello,

    Please check:


    root@GW-01> show security policies policy-name trust-wireless-to-limitedWebsite detail
    Policy: trust-wireless-to-limitedWebsite, action-type: permit, State: enabled, Index: 9, Scope Policy: 0
    Policy Type: Configured
    Sequence number: 1
    From zone: trust-wireless, To zone: untrust
    Source addresses:
    any-ipv4: 0.0.0.0/0
    any-ipv6: ::/0
    Destination addresses:
    Google-DNS01: 8.8.8.8/32
    chatenabled.mail.google.com: 216.58.196.39/32
    etherx.jabber.org: 64.49.234.240/32
    talk.google.com: 74.125.68.125/32
    talkgadget.google.com: 1.9.57.168/32
    talkgadget.google.com: 1.9.57.158/32
    talkgadget.google.com: 1.9.57.162/32
    talkgadget.google.com: 1.9.57.153/32
    talkgadget.google.com: 1.9.57.152/32
    talkgadget.google.com: 1.9.57.157/32
    talkgadget.google.com: 1.9.57.177/32
    talkgadget.google.com: 1.9.57.178/32
    talkgadget.google.com: 1.9.57.172/32
    talkgadget.google.com: 1.9.57.148/32
    talkgadget.google.com: 1.9.57.163/32
    talkgadget.google.com: 1.9.57.187/32
    talkgadget.google.com: 1.9.57.182/32
    talkgadget.google.com: 1.9.57.173/32
    talkgadget.google.com: 1.9.57.183/32
    talkgadget.google.com: 1.9.57.167/32
    talkx.l.google.com: 173.194.72.125/32
    Google-6: 173.194.38.0/24
    mail-attachement.googleusercontent.com: 173.194.126.43/32
    mail-attachement.googleusercontent.com: 173.194.126.42/32
    mail-attachement.googleusercontent.com: 173.194.126.44/32
    www.airmandalay.com: 192.185.57.150/32
    ocsp.verisign.net: 23.41.75.27/32
    Google-2: 74.125.236.0/24
    Google-1: 74.125.71.0/24
    googlemail.l.google.com: 173.194.126.54/32
    googlemail.l.google.com: 173.194.126.53/32
    www.google.com.hk: 1.9.57.50/32
    www.google.com.hk: 1.9.57.55/32
    www.google.com.hk: 1.9.57.39/32
    www.google.com.hk: 1.9.57.25/32
    www.google.com.hk: 1.9.57.34/32
    www.google.com.hk: 1.9.57.59/32
    www.google.com.hk: 1.9.57.35/32
    www.google.com.hk: 1.9.57.30/32
    www.google.com.hk: 1.9.57.24/32
    www.google.com.hk: 1.9.57.49/32
    www.google.com.hk: 1.9.57.44/32
    www.google.com.hk: 1.9.57.45/32
    www.google.com.hk: 1.9.57.29/32
    www.google.com.hk: 1.9.57.20/32
    www.google.com.hk: 1.9.57.40/32
    www.google.com.hk: 1.9.57.54/32
    www.google.com.sg: 1.9.24.59/32
    www.google.com.sg: 1.9.24.20/32
    www.google.com.sg: 1.9.24.44/32
    www.google.com.sg: 1.9.24.25/32
    www.google.com.sg: 1.9.24.39/32
    www.google.com.sg: 1.9.24.29/32
    www.google.com.sg: 1.9.24.30/32
    www.google.com.sg: 1.9.24.49/32
    www.google.com.sg: 1.9.24.34/32
    www.google.com.sg: 1.9.24.50/32
    www.google.com.sg: 1.9.24.55/32
    www.google.com.sg: 1.9.24.40/32
    www.google.com.sg: 1.9.24.35/32
    www.google.com.sg: 1.9.24.24/32
    www.google.com.sg: 1.9.24.45/32
    www.google.com.sg: 1.9.24.54/32
    www.google.com.mm: 210.187.25.242/32
    www.google.com.mm: 210.187.25.212/32
    www.google.com.mm: 210.187.25.226/32
    www.google.com.mm: 210.187.25.227/32
    www.google.com.mm: 210.187.25.222/32
    www.google.com.mm: 210.187.25.241/32
    www.google.com.mm: 210.187.25.251/32
    www.google.com.mm: 210.187.25.246/32
    www.google.com.mm: 210.187.25.247/32
    www.google.com.mm: 210.187.25.236/32
    www.google.com.mm: 210.187.25.237/32
    www.google.com.mm: 210.187.25.216/32
    www.google.com.mm: 210.187.25.221/32
    www.google.com.mm: 210.187.25.217/32
    www.google.com.mm: 210.187.25.231/32
    www.google.com.mm: 210.187.25.232/32
    www.google.com: 1.9.131.24/32
    www.google.com: 1.9.131.45/32
    www.google.com: 1.9.131.29/32
    www.google.com: 1.9.131.40/32
    www.google.com: 1.9.131.34/32
    www.google.com: 1.9.131.30/32
    www.google.com: 1.9.131.25/32
    www.google.com: 1.9.131.44/32
    www.google.com: 1.9.131.59/32
    www.google.com: 1.9.131.54/32
    www.google.com: 1.9.131.20/32
    www.google.com: 1.9.131.35/32
    www.google.com: 1.9.131.55/32
    www.google.com: 1.9.131.39/32
    www.google.com: 1.9.131.50/32
    www.google.com: 1.9.131.49/32
    www.gmail.com: 173.194.126.85/32
    www.gmail.com: 173.194.126.86/32
    Google-3: 74.125.235.0/24
    Google-4: 209.85.148.0/24
    Google-5: 64.233.183.0/24
    www.aviationweather.gov: 140.90.200.191/32
    www.aviationweather.gov: 129.15.96.191/32
    www.aviationweather.gov: 140.172.17.191/32
    www.hko.gov.hk: 103.30.69.149/32
    www.tmd.go.th: 119.46.126.1/32
    www.intellicast.com: 96.8.93.198/32
    tropicalstormrisk.com: 85.13.204.214/32
    smartclient.ttinteractive.com: 178.170.71.101/32
    training.ttinteractive.com: 178.170.71.58/32
    Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
    Source port range: [0-0]
    Destination port range: [0-0]
    Source identities:
    any
    Per policy TCP Options: SYN check: No, SEQ check: No


    thanks,

    George



  • 6.  RE: policy based permit

    Posted 08-03-2015 05:37

    Hello,

    Can you try to initiate web traffic to Google and Gmail and do the session output again to see if we see traffic on HTTP/HTTPS?



  • 7.  RE: policy based permit

    Posted 08-03-2015 05:40

    Hello,

    Please check:


    root@GW-01> show security flow session source-prefix 192.168.90.11
    Session ID: 101769, Policy name: trust-wireless-to-server/14, Timeout: 34, Valid
    In: 192.168.90.11/137 --> 192.1.254.251/137;udp, If: vlan.90, Pkts: 3, Bytes: 288
    Out: 192.1.254.251/137 --> 192.168.90.11/137;udp, If: vlan.254, Pkts: 0, Bytes: 0
    Total sessions: 1


    thanks,

    George



  • 8.  RE: policy based permit

    Posted 08-03-2015 05:58

    Hello,

    So I do not see any traffic with web ports hitting the firewall. So let's create the traceoption and see where the packet is getting dropped.

    set security flow traceoptions file traffic_trace
    set security flow traceoptions flag basic-datapath
    set security flow traceoptions flag packet-drops
    set security flow traceoptions packet-filter pf1 source-prefix <source IP>
    set security flow traceoptions packet-filter pf1 destination-port 443

    set security flow traceoptions packet-filter pf2 destination-prefix <NAT public IP>
    set security flow traceoptions packet-filter pf2 source-port 443

    Now close all the sessions from that test machine and try to access Google using HTTPS in a single window. Please do not use any other application or service from that machine on port 443. Now check the file for any traffic drops.

    > show log traffic_trace | match drop

    > show log traffic_trace | match pf1

    Attach the complete log file if possible.




  • 9.  RE: policy based permit

    Posted 08-03-2015 20:36

    Hello,

    Please see my output below:


    root@GW-01> show log traffic_trace | match pf1
    Aug 4 10:03:53 10:03:53.905577:CID-0:RT:<192.168.90.11/53422->216.58.220.196/443;6> matched filter pf1:
    Aug 4 10:03:54 10:03:54.171639:CID-0:RT:<192.168.90.11/53423->216.58.220.196/443;6> matched filter pf1:
    Aug 4 10:03:56 10:03:56.898224:CID-0:RT:<192.168.90.11/53422->216.58.220.196/443;6> matched filter pf1:
    Aug 4 10:03:57 10:03:57.178953:CID-0:RT:<192.168.90.11/53423->216.58.220.196/443;6> matched filter pf1:
    Aug 4 10:04:03 10:04:02.904151:CID-0:RT:<192.168.90.11/53422->216.58.220.196/443;6> matched filter pf1:
    Aug 4 10:04:03 10:04:03.184927:CID-0:RT:<192.168.90.11/53423->216.58.220.196/443;6> matched filter pf1:
    Aug 4 10:04:15 10:04:14.901467:CID-0:RT:<192.168.90.11/53425->216.58.220.196/443;6> matched filter pf1:
    Aug 4 10:04:15 10:04:15.197860:CID-0:RT:<192.168.90.11/53426->216.58.220.196/443;6> matched filter pf1:
    Aug 4 10:04:18 10:04:17.911366:CID-0:RT:<192.168.90.11/53425->216.58.220.196/443;6> matched filter pf1:
    Aug 4 10:04:18 10:04:18.207760:CID-0:RT:<192.168.90.11/53426->216.58.220.196/443;6> matched filter pf1:
    Aug 4 10:04:23 10:04:23.917405:CID-0:RT:<192.168.90.11/53425->216.58.220.196/443;6> matched filter pf1:
    Aug 4 10:04:24 10:04:24.213806:CID-0:RT:<192.168.90.11/53426->216.58.220.196/443;6> matched filter pf1:

    root@GW-01> show log traffic_trace | match drop
    Aug 4 10:03:53 10:03:53.906072:CID-0:RT: packet dropped, denied by policy
    Aug 4 10:03:53 10:03:53.906072:CID-0:RT: denied by policy default-policy-00(2), dropping pkt
    Aug 4 10:03:53 10:03:53.906072:CID-0:RT: packet dropped, policy deny.
    Aug 4 10:03:54 10:03:54.171909:CID-0:RT: packet dropped, denied by policy
    Aug 4 10:03:54 10:03:54.171909:CID-0:RT: denied by policy default-policy-00(2), dropping pkt
    Aug 4 10:03:54 10:03:54.171909:CID-0:RT: packet dropped, policy deny.
    Aug 4 10:03:56 10:03:56.898705:CID-0:RT: packet dropped, denied by policy
    Aug 4 10:03:56 10:03:56.898705:CID-0:RT: denied by policy default-policy-00(2), dropping pkt
    Aug 4 10:03:56 10:03:56.898769:CID-0:RT: packet dropped, policy deny.
    Aug 4 10:03:57 10:03:57.179238:CID-0:RT: packet dropped, denied by policy
    Aug 4 10:03:57 10:03:57.179238:CID-0:RT: denied by policy default-policy-00(2), dropping pkt
    Aug 4 10:03:57 10:03:57.179238:CID-0:RT: packet dropped, policy deny.


    thanks,

    George



  • 10.  RE: policy based permit

    Posted 08-03-2015 22:35

    Hello,

    It looks like the traffic is dropped due to a policy issue, I guess. Can you attach the complete log file so that I can correlate the traffic with the drops?

    It seems to hit the default deny policy.



  • 11.  RE: policy based permit
    Best Answer

    Posted 08-03-2015 22:38

    Hello,

    To add to my above point, the DNS name of Google that your machine is resolving (216.58.220.196) and the SRX is different. There is no entry for a DNS name with IP 216.58.220.196 in the SRX policy.

    So either your machine is using a different DNS server than the DNS server used by the SRX, or the entry may be different.
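    The diagnosis in this answer (the client resolved Google to 216.58.220.196, an address that appears in none of the policy's resolved dns-name entries, so the HTTPS flow fell through to default-policy-00) can be checked mechanically instead of by eye. The script below is an added example, not code from this thread or from Juniper: it parses the "Destination addresses:" section of a `show security policies ... detail` output and a flow-trace log, then reports, for each flow matched by the packet filter, whether any resolved policy entry covers its destination and which deny was logged at the same second. The policy excerpt and trace lines are constructed from the outputs George posted; the second flow's destination (173.194.126.85) is constructed so that a covered flow is shown alongside the uncovered one.

```python
"""Check SRX flow-trace drops against a policy's resolved DNS-name entries.

Added example, not code from this thread or from Juniper. The policy output and
trace lines below are constructed excerpts modelled on the ones posted above.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt of `show security policies policy-name ... detail` output.
POLICY_DETAIL = """\
Destination addresses:
Google-DNS01: 8.8.8.8/32
chatenabled.mail.google.com: 216.58.196.39/32
talk.google.com: 74.125.68.125/32
Google-6: 173.194.38.0/24
www.gmail.com: 173.194.126.85/32
www.gmail.com: 173.194.126.86/32
www.google.com: 1.9.131.24/32
Application: any
"""

# Constructed excerpt of the traffic_trace log. The first flow goes to the address
# the client resolved (216.58.220.196, not in the policy); the second is
# constructed to hit a covered address so both outcomes are shown.
TRACE_LOG = """\
Aug 4 10:03:53 10:03:53.905577:CID-0:RT:<192.168.90.11/53422->216.58.220.196/443;6> matched filter pf1:
Aug 4 10:03:53 10:03:53.906072:CID-0:RT: packet dropped, denied by policy
Aug 4 10:03:53 10:03:53.906072:CID-0:RT: denied by policy default-policy-00(2), dropping pkt
Aug 4 10:03:53 10:03:53.906072:CID-0:RT: packet dropped, policy deny.
Aug 4 10:03:54 10:03:54.171639:CID-0:RT:<192.168.90.11/53423->173.194.126.85/443;6> matched filter pf1:
"""

# "name: prefix" lines inside the Destination addresses section.
ADDR_RE = re.compile(r"^(?P<name>\S+):\s+(?P<prefix>[0-9a-fA-F.:]+/\d+)$")
# "<src/sport->dst/dport;proto> matched filter pfN:" trace lines.
FLOW_RE = re.compile(
    r"^(?P<ts>\w+ \d+ \d\d:\d\d:\d\d) [\d:.]+:CID-\d+:RT:"
    r"<(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+);(?P<proto>\d+)>"
    r" matched filter (?P<pf>\S+):"
)
# "denied by policy <name>, dropping pkt" trace lines.
DENY_RE = re.compile(
    r"^(?P<ts>\w+ \d+ \d\d:\d\d:\d\d) [\d:.]+:CID-\d+:RT: denied by policy (?P<policy>\S+), dropping pkt"
)


def parse_policy_destinations(text):
    """Map each destination entry name to the networks the SRX resolved it to."""
    dests = defaultdict(list)
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Destination addresses:":
            in_section = True
            continue
        if not in_section:
            continue
        m = ADDR_RE.match(line)
        if m is None:
            break  # e.g. "Application: any" ends the section
        dests[m["name"]].append(ipaddress.ip_network(m["prefix"], strict=False))
    return dict(dests)


def names_matching(dests, ip):
    """Entry names whose resolved networks contain `ip` (empty list if none do)."""
    addr = ipaddress.ip_address(ip)
    return sorted(name for name, nets in dests.items() if any(addr in n for n in nets))


def correlate(trace_text, dests):
    """For each flow matched by the packet filter, report whether the policy
    covers its destination and which deny (if any) was logged at that second."""
    denies = defaultdict(list)
    flows = []
    for line in trace_text.splitlines():
        if (m := DENY_RE.match(line)) is not None:
            denies[m["ts"]].append(m["policy"])
        elif (m := FLOW_RE.match(line)) is not None:
            flows.append(m)
    return [
        {
            "dst": m["dst"],
            "dport": int(m["dport"]),
            "covered_by": names_matching(dests, m["dst"]),
            "denied_by": denies.get(m["ts"], []),
        }
        for m in flows
    ]


if __name__ == "__main__":
    policy = parse_policy_destinations(POLICY_DETAIL)
    for row in correlate(TRACE_LOG, policy):
        verdict = "covered by" if row["covered_by"] else "NOT in policy"
        print(f"{row['dst']}:{row['dport']} {verdict} {row['covered_by']} denied_by={row['denied_by']}")
```

    A row whose `covered_by` list is empty while `denied_by` names the default policy is exactly the symptom discussed above: the client and the SRX resolved the same name to different addresses. Because Google returns different answers to different resolvers, dns-name address-book entries only work reliably when clients and the SRX use the same DNS servers (for example the DNS-Servers address-set already in the configuration), and the check is worth repeating whenever the policy detail output changes.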



  • 12.  RE: policy based permit

    Posted 08-03-2015 23:48

    Hello Sam,

    Thanks, I appreciate your kindness. We got it.

    thanks,

    George



  • 13.  RE: policy based permit

    Posted 08-03-2015 23:50

    Hello George,

    Thanks for the update. Glad it worked.