Screen OS

  • 1.  Traffic not passing - but there is a rule to permit it

    Posted 04-16-2009 23:25

    I have a rule to allow network traffic between a host and a subnet as below (I have changed the addresses to protect the innocent):

    set service "snmp-udp" protocol udp src-port 161-161 dst-port 161-161
    set service "snmp-tcp" protocol tcp src-port 161-161 dst-port 161-161
    set address "Trust" "host_192.168.115.254" 192.168.115.254 255.255.255.255
    set address "PCN-Zone" "BU_Modular_Admin_Net" 10.10.116.0 255.255.252.0
    set policy id 26 name "17122008" from "Trust" to "PCN-Zone"  "host_192.168.115.254" "BU_Modular_Admin_Net" "snmp-tcp" permit log
    set policy id 26
    set service "snmp-udp"
    exit

    The traffic does not pass and the firewall log says that the traffic was dropped as below (the columns don't align, but you will note that the traffic should match the rule):

    Log ID: 20090417/448129
    Time Received: 17/04/2009 15:29
    Alert: No Alert
    User: (empty)
    Flag: Unflagged
    Src Addr: host_192.168.115.254
    Dst Addr: 10.10.116.6
    Action: Pckt Dropped
    Protocol: UDP
    Dst Port: 161
    Rule #: 41
    Nat Src Addr: (empty)
    Nat Dst Addr: (empty)
    Details: (empty)
    Category: Traffic
    Subcategory: Traffic Log
    Severity: Info
    Device: bufw1
    Comment: (empty)

    There are no rules with a "Deny" action that come before this permit rule.  The two devices can ping each other (there is a permit rule allowing any devices in any zone to ping through the firewall in question) so there is definitely a route.


    Are there any other reasons why this traffic might be getting dropped?



  • 2.  RE: Traffic not passing - but there is a rule to permit it
    Best Answer

    Posted 04-17-2009 01:05

    I think the fault is in your service settings. You have set the Source port to 161. I think that should be 0-64k.


    Also, is there a reason why you do not use the predefined SNMP service object?




  • 3.  RE: Traffic not passing - but there is a rule to permit it

    Posted 04-17-2009 14:45
    Call me a purist, but source ports (even the predefined ones) should start at 1024, not at 0, in my opinion. But yes, Rico is right on both counts: the source port should be from 1024 to 65535, and yes: why not use the predefined?
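To make the source-port point from the two replies above concrete, here is an added Python sketch (not from the thread and not ScreenOS code) that parses the original post's `set service` lines and checks whether a flow falls inside each service object. The `-fixed` object names, the 1024-65535 range taken from the reply above, and the ephemeral source port 49152 are constructed for the example, and the matcher is a simplified model of service-object matching, not the firewall's actual policy lookup.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    protocol: str
    src: tuple[int, int]  # inclusive source-port range
    dst: tuple[int, int]  # inclusive destination-port range


# Parses "set service" lines in the exact form used in the original post.
_SERVICE_RE = re.compile(
    r'set service "(?P<name>[^"]+)" protocol (?P<proto>tcp|udp) '
    r'src-port (?P<s1>\d+)-(?P<s2>\d+) dst-port (?P<d1>\d+)-(?P<d2>\d+)'
)


def parse_service(line: str) -> Service:
    m = _SERVICE_RE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"unrecognised service line: {line!r}")
    return Service(m["name"], m["proto"],
                   (int(m["s1"]), int(m["s2"])),
                   (int(m["d1"]), int(m["d2"])))


def matches(svc: Service, protocol: str, sport: int, dport: int) -> bool:
    # Simplified model: protocol, source port and destination port must all fit.
    return (svc.protocol == protocol
            and svc.src[0] <= sport <= svc.src[1]
            and svc.dst[0] <= dport <= svc.dst[1])


def first_match(services, protocol, sport, dport):
    """Name of the first service object the flow matches, or None (dropped)."""
    for svc in services:
        if matches(svc, protocol, sport, dport):
            return svc.name
    return None


# The objects from the original post: source port pinned to 161.
CUSTOM = [parse_service(l) for l in (
    'set service "snmp-udp" protocol udp src-port 161-161 dst-port 161-161',
    'set service "snmp-tcp" protocol tcp src-port 161-161 dst-port 161-161',
)]
# Constructed replacements using the 1024-65535 source range from the reply.
FIXED = [parse_service(l) for l in (
    'set service "snmp-udp-fixed" protocol udp src-port 1024-65535 dst-port 161-161',
    'set service "snmp-tcp-fixed" protocol tcp src-port 1024-65535 dst-port 161-161',
)]
```

An SNMP poll to UDP/161 leaves the manager from an ephemeral port such as 49152, so `first_match(CUSTOM, "udp", 49152, 161)` returns `None` (the dropped packet in the log) while `first_match(FIXED, "udp", 49152, 161)` returns `"snmp-udp-fixed"`.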


  • 4.  RE: Traffic not passing - but there is a rule to permit it

    Posted 04-19-2009 17:30
    Thanks, that was my problem.  I had used the SNMP protocol objects that someone else had created, rather than the Juniper standard ones.