SRX Services Gateway
SRX Services Gateway

Is Junos Policy is bi-directional?

‎01-10-2019 08:22 PM

I have a SRX with policy "from-zone TRUST to-zone UNTRUST" which allow any source-address, desination-address and application.


Now I have initiated a ping from TRUST zone to UNTRUST zone.


My doubt is why ping is successfully happening?


My expectation is that as there is not policy that allows traffic from UNTRUST to TRUST. ICMP reply message from UNTRUST zone should be dropped by SRX.


Correct me if my understanding is wrong.



SRX Services Gateway

Re: Is Junos Policy is bi-directional?

‎01-10-2019 09:22 PM



SRX device is stateful. Which means the Trust to Untrust ICMP permit policy will allow the ICMP request from Trust to Untrust and a session would be created. This session would contain the state of traffic, that is source/destination IPs and ports, protocol, policy, routes, incoming and outgoing interfaces and a timer. As long as the session timer has not expired, any traffic matching the parameters from the session will be permitted without the need of a policy lookup. Thus, ICMP reply packet is passed matching the session and does not need any specific policy from Untrust to Trust.


However, if you initiate ICMP from Untrust to Trust side, in that case you would need one. Again, once the session is created for the ICMP request from Untrust to Trust, the reply (from Trust to Untrust) would not need any explicit policy from Trust to Untrust.


Hope this answers your question.