SRX Services Gateway

Ping and NTP on all interfaces

‎09-23-2019 04:07 PM

I would like to allow ping and ntp on all interfaces on my SRX 340. I have a bunch of VLANs and other interfaces and about 20 zones.

Can I enable a service or protocol for all zones/interfaces, or do I need to have a separate rule for each zone?


Re: Ping and NTP on all interfaces

‎09-23-2019 04:29 PM
Enable host-inbound-traffic on all security zones. A security rule for host inbound traffic is required only when the incoming interface is not the destination of the traffic, i.e., you are trying to ping the B zone interface but the traffic is coming in via the A zone interface. In this case you need a security policy from A zone to B zone which allows the traffic, and host-inbound-traffic on B zone should also be allowed.
Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)

Re: Ping and NTP on all interfaces

‎09-26-2019 05:52 AM

You can use the groups and apply-groups function to apply the configuration to all zones with a few lines.

 

set groups ZoneServices zones security-zones zone * host-inbound-traffic system-services ntp

set groups ZoneServices zones security-zones zone * host-inbound-traffic system-services ping

set apply-groups ZoneServices

 

Once committed, you can see the added configuration by adding | display inheritance to your show commands:

 

show security zones | display inheritance

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Ping and NTP on all interfaces

‎09-29-2019 09:00 AM

Just modifying Steve's answer to exact syntax:

 

set groups ZoneServices security zones security-zone <*> host-inbound-traffic system-services ping

set groups ZoneServices security zones security-zone <*> host-inbound-traffic system-services ntp

set apply-groups ZoneServices

 

To verify:

> show security zones | display inheritance

 

Thanks!
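
A post-commit check for the group-based approach discussed in this thread, as an added example that is not part of any reply above: it reports interfaces that still lack ping or ntp, including those where an interface-level host-inbound-traffic stanza overrides the zone-level (group-inherited) services. It assumes the input is the zone configuration in set format with group inheritance already expanded; the zone names, interface names and the audit() helper are constructed for illustration.

```python
import re
from collections import defaultdict

REQUIRED = {"ping", "ntp"}

# Constructed sample: zone lines in "set" format, group inheritance expanded.
# Zone and interface names are made up for this example.
SAMPLE = """\
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust host-inbound-traffic system-services ntp
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone dmz host-inbound-traffic system-services ping
set security zones security-zone dmz host-inbound-traffic system-services ntp
set security zones security-zone dmz interfaces ge-0/0/2.0 host-inbound-traffic system-services ssh
set security zones security-zone guest host-inbound-traffic system-services ping
set security zones security-zone guest interfaces ge-0/0/3.0
"""

LINE = re.compile(
    r"^set security zones security-zone (?P<zone>\S+)"
    r"(?: interfaces (?P<ifc>\S+))?"
    r"(?: host-inbound-traffic system-services (?P<svc>\S+))?\s*$"
)

def audit(config_text, required=REQUIRED):
    """Return {(zone, interface): [missing services]} for interfaces lacking any."""
    zone_svcs = defaultdict(set)   # services allowed at zone level
    ifc_svcs = defaultdict(set)    # services allowed at interface level
    members = set()                # (zone, interface) pairs seen
    for line in config_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue               # protocols, "except" entries etc. are ignored here
        zone, ifc, svc = m.group("zone", "ifc", "svc")
        if ifc:
            members.add((zone, ifc))
            if svc:
                ifc_svcs[(zone, ifc)].add(svc)
        elif svc:
            zone_svcs[zone].add(svc)
    findings = {}
    for key in sorted(members):
        # Interface-level services override the zone-level list for that interface.
        effective = ifc_svcs[key] if key in ifc_svcs else zone_svcs[key[0]]
        missing = set() if "all" in effective else required - effective
        if missing:
            findings[key] = sorted(missing)
    return findings

print(audit(SAMPLE))
```

An empty result means every interface bound to a zone accepts both services; the dmz entry in the sample shows the case the wildcard group does not cover.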