SRX Services Gateway

Need help understanding what is different between two security policies.

‎07-02-2014 10:39 AM

I have a J2320 that I am using for a perimeter firewall. Hopefully (though this is the SRX forum) I'm in the right place (it seems J and SRX are very similar).

I recently was troubleshooting connectivity from the outside coming in to my network. I verified the addresses in my address book (although I'm open to problems in my config there as well).

Basically I thought I had a rule that would allow everything. Traffic still was not coming in. So I decided (after a lot of head banging) to put in a rule for the specific inbound traffic, and it worked.

Could someone please tell me what is wrong with my first rule? I'm just not seeing it.


First rule:

show configuration security policies from-zone untrust to-zone xyz policy inet_to_xyz_hosts
match {
    source-address any;
    destination-address XYZ-Non-Juniper;
    application any;
}
then {
    permit;
    log {
        session-init;
        session-close;
    }
}


Second rule:

show configuration security policies from-zone untrust to-zone xyz policy XYZ-access-inbound
match {
    source-address [ subnet-1 subnet-2 ];
    destination-address any;
    application junos-sip;
}
then {
    permit;
}


Any insight would really help my sanity.


Thanks.


Re: Need help understanding what is different between two security policies.

‎07-02-2014 07:16 PM

Hi,

Can you please share more details? With the source IP and destination IP of the flow, and the address book entries of:

XYZ-Non-Juniper
subnet-1
subnet-2

If the source and destination IPs are matching the above address book entries, then it should allow the flow.

If permitted, can you share the entire config here?

Thanks,

SHKM


Re: Need help understanding what is different between two security policies.

‎07-03-2014 01:05 AM

Hello,

The first security policy limits the destination addresses that are allowed to be accessed: XYZ-Non-Juniper.

The second security policy does not have any restriction on the destination.

So maybe the connections are intended for a different destination (not in the XYZ-Non-Juniper range).

As for the application, the second policy uses the junos-sip application. It is related to Voice over IP, so maybe the destinations of the connections that were failing were not in the XYZ-Non-Juniper range.

Regards
rparthi

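The difference between the two rules comes down to how the SRX evaluates a zone-pair policy list: policies are tried top to bottom and the first one whose source-address, destination-address and application all match wins, so the second rule can only have "worked" for a flow that the first rule rejected on one of its three terms. Since the first rule allows any source and any application, the only term it can fail on is destination-address, which is what rparthi suggests. One cause a practitioner should rule out is that destination NAT runs before the policy lookup on the SRX, so a policy is matched on the translated (internal) address; an address-book entry holding the public side of a NAT will never match, while a policy with destination-address any does. The following Python model is an added example, not Juniper code and not the poster's configuration: the prefixes behind XYZ-Non-Juniper, subnet-1 and subnet-2, the policy order, the sample flows and the NAT mapping are all constructed assumptions, because the thread does not show them.

```python
"""Model of SRX security-policy lookup for the two policies in the thread.

Added example, not Juniper code and not the poster's configuration. The
address-book entries XYZ-Non-Juniper, subnet-1 and subnet-2 are not shown in
the thread, so their prefixes below are constructed assumptions, as is the
policy order. What is modelled: within a zone pair the SRX evaluates policies
top to bottom and takes the first one whose source-address, destination-address
and application all match; destination NAT is applied before the policy lookup,
so the policy is matched against the translated (internal) destination.
"""
import ipaddress
from dataclasses import dataclass

# Constructed address book (assumption: XYZ-Non-Juniper is an internal range).
ADDRESS_BOOK = {
    "any": [ipaddress.ip_network("0.0.0.0/0")],
    "XYZ-Non-Juniper": [ipaddress.ip_network("10.10.10.0/25")],
    "subnet-1": [ipaddress.ip_network("203.0.113.0/24")],
    "subnet-2": [ipaddress.ip_network("198.51.100.0/24")],
}

# Predefined applications reduced to what the example needs: junos-sip is
# SIP on TCP and UDP destination port 5060; application "any" matches all.
APPLICATIONS = {
    "any": None,
    "junos-sip": {("tcp", 5060), ("udp", 5060)},
}


@dataclass(frozen=True)
class Policy:
    name: str
    source: tuple
    destination: tuple
    application: str
    action: str = "permit"


# The two policies from the post, in the assumed order for untrust -> xyz.
POLICIES_UNTRUST_TO_XYZ = (
    Policy("inet_to_xyz_hosts", ("any",), ("XYZ-Non-Juniper",), "any"),
    Policy("XYZ-access-inbound", ("subnet-1", "subnet-2"), ("any",), "junos-sip"),
)


def in_address_set(ip, names):
    """True if ip falls in any prefix behind the named address-book entries."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for name in names for net in ADDRESS_BOOK[name])


def app_matches(app, proto, dport):
    ports = APPLICATIONS[app]
    return ports is None or (proto, dport) in ports


def diagnose(src_ip, dst_ip, proto, dport, policies=POLICIES_UNTRUST_TO_XYZ, dnat=None):
    """Per policy, report 'match' or the first match term that failed.

    dnat maps a public address to its destination-NAT translation; the policy
    lookup uses the translated address, as the SRX flow module does.
    """
    effective_dst = (dnat or {}).get(dst_ip, dst_ip)
    result = {}
    for p in policies:
        if not in_address_set(src_ip, p.source):
            result[p.name] = "source-address"
        elif not in_address_set(effective_dst, p.destination):
            result[p.name] = "destination-address"
        elif not app_matches(p.application, proto, dport):
            result[p.name] = "application"
        else:
            result[p.name] = "match"
    return result


def lookup(src_ip, dst_ip, proto, dport, policies=POLICIES_UNTRUST_TO_XYZ, dnat=None):
    """(policy name, action) of the first matching policy, else the implicit
    default deny that ends every SRX policy list."""
    verdicts = diagnose(src_ip, dst_ip, proto, dport, policies, dnat)
    for p in policies:
        if verdicts[p.name] == "match":
            return p.name, p.action
    return "default-deny", "deny"


if __name__ == "__main__":
    # Constructed flows: SIP from a host in subnet-1 to two internal hosts,
    # one inside the assumed XYZ-Non-Juniper range and one outside it.
    for dst in ("10.10.10.20", "10.10.10.200"):
        print(dst, lookup("203.0.113.10", dst, "udp", 5060),
              diagnose("203.0.113.10", dst, "udp", 5060))
    # Same flow addressed to a public VIP that destination-NATs to 10.10.10.20.
    print(lookup("203.0.113.10", "192.0.2.200", "udp", 5060,
                 dnat={"192.0.2.200": "10.10.10.20"}))
```

The `diagnose` output is the thing to reproduce on the box: for the flow that failed, the first rule must have lost on destination-address, so compare the destination the SRX actually sees (post destination NAT) with the prefixes behind XYZ-Non-Juniper. On the device, `show security policies from-zone untrust to-zone xyz` shows the policy order, `show security flow session` shows the translated addresses of a live session, and on releases that have it, `show security match-policies from-zone untrust to-zone xyz source-ip <src> destination-ip <dst> source-port <sp> destination-port 5060 protocol udp` reports which policy the lookup selects for a given flow.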