SRX Services Gateway

SRX 320 Policy

a month ago

I'm having a problem with my policy.

I can ping our server (116.214.107.139) with this policy:
set security policies from-zone UNTRUST to-zone TRUST policy UNTRUST-TRUST match source-address any
set security policies from-zone UNTRUST to-zone TRUST policy UNTRUST-TRUST match destination-address any
set security policies from-zone UNTRUST to-zone TRUST policy UNTRUST-TRUST match application any
set security policies from-zone UNTRUST to-zone TRUST policy UNTRUST-TRUST then permit

But the problem arises when I change it to:
"set security policies from-zone UNTRUST to-zone TRUST policy UNTRUST-TRUST match source-address NOC_GROUP"

Our network was added to NOC_GROUP:
set security zones security-zone UNTRUST address-book address AUTOZAB 13.250.194.139/32
set security zones security-zone UNTRUST address-book address NOC_SG 116.214.100.0/24
set security zones security-zone UNTRUST address-book address NOC_96 116.214.96.0/24
set security zones security-zone UNTRUST address-book address NOC_97 116.214.97.0/24
set security zones security-zone UNTRUST address-book address NOC_107 116.214.107.0/24
set security zones security-zone UNTRUST address-book address NOC_104 116.214.104.0/24
set security zones security-zone UNTRUST address-book address-set NOC_GROUP address NOC_SG
set security zones security-zone UNTRUST address-book address-set NOC_GROUP address NOC_96
set security zones security-zone UNTRUST address-book address-set NOC_GROUP address NOC_97
set security zones security-zone UNTRUST address-book address-set NOC_GROUP address AUTOZAB
set security zones security-zone UNTRUST address-book address-set NOC_GROUP address NOC_107
set security zones security-zone UNTRUST address-book address-set NOC_GROUP address NOC_104

[Attachments: Interface.PNG, Nat.PNG, Policy.PNG, Security Zone.PNG]


Re: SRX 320 Policy

[ Edited ]
a month ago

Hi Bouya,

There are 2 mistakes I observed from your configuration.

  • When you're changing the source-address of the security policy, you've created the address-book entry for the destination, 116.214.107.0/24 (NOC_107), and are calling it under the source. It should have been under the destination.
  • The traffic originates from the UNTRUST zone to the TRUST zone, where you have static NAT in place. As per the Junos flow, policy lookup happens after the NAT header change. So you need to create the security policies for the private IP, not the public IP. In your case: Source - any, Destination - 172.16.0.254/32, Application - any.

Please provide me the below command outputs for confirmation:

user@host> show security flow session source-prefix <source IP> destination-prefix 116.214.107.139

user@host> show security match-policies from-zone UNTRUST to-zone TRUST source-ip <source IP> destination-ip 116.214.107.139 source-port 12345 destination-port 1 protocol icmp


Thanks,
π00bm@$t€®.
Please, Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: SRX 320 Policy

a month ago

I deleted the NOC_107.

[Attachments: show.PNG, ping.PNG]


Re: SRX 320 Policy

a month ago

Hi Bouya,

Please configure security flow traceoptions and let us see:

set security flow traceoptions file FLOW-TRACE
set security flow traceoptions file size 10m
set security flow traceoptions file files 5
set security flow traceoptions flag basic-datapath
set security flow traceoptions flag packet-drops
set security flow traceoptions packet-filter FORWARD source-prefix 116.214.104.231/32
set security flow traceoptions packet-filter FORWARD destination-prefix 116.214.107.139/32
set security flow traceoptions packet-filter REVERSE source-prefix 172.16.0.254/32
set security flow traceoptions packet-filter REVERSE destination-prefix 116.214.104.231/32



Thanks,
π00bm@$t€®.
Please, Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: SRX 320 Policy

a month ago

Can you explain to me why it falls to the deny-all policy?

 

[Attachment: deny.PNG]


Re: SRX 320 Policy

[ Edited ]
a month ago

Hi Bouya,

It is hitting the default policy because, for this particular traffic, the policy isn't matching in any context, or the policy you've created may be placed at the bottom of the policy chain, after this default policy.

I would suggest you re-order the security policies: https://kb.juniper.net/InfoCenter/index?page=content&id=KB10120&actp=METADATA

Also, how come the traffic was matched earlier and now it isn't? Did you make any changes?



Thanks,
π00bm@$t€®.
Please, Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: SRX 320 Policy

a month ago

I tried again. This is the outcome. I only deleted the NOC_107.

Traceoptions are supposed to be for troubleshooting, right?

[Attachment: 11.PNG]


Re: SRX 320 Policy

a month ago

Correct, traceoptions are for troubleshooting. Using them we can determine where the packets are getting dropped in the Junos flow.



Thanks,
π00bm@$t€®.
Please, Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: SRX 320 Policy

[ Edited ]
4 weeks ago

Bouya,

Your static NAT configuration looks correct, along with the proxy-ARP. Make sure your security policy looks like this:

set security zones security-zone TRUST address-book address NOC_107 116.214.107.0/24
set security zones security-zone TRUST address-book address-set NOC_GROUP address NOC_107

set security policies from-zone UNTRUST to-zone TRUST policy UNTRUST-TRUST match source-address any
set security policies from-zone UNTRUST to-zone TRUST policy UNTRUST-TRUST match destination-address NOC_GROUP
set security policies from-zone UNTRUST to-zone TRUST policy UNTRUST-TRUST match application any
set security policies from-zone UNTRUST to-zone TRUST policy UNTRUST-TRUST then permit

The security-policy lookup will happen after the static NAT processing hence the traffic will be destined to 116.214.107.139 by the time it is evaluated by your security-policy.

Please mark my answer as the Solution if it applies.
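Added example, not code from the thread or from Juniper: a small Python model of the two mechanics the replies above rely on, the first reply's point that the policy lookup runs after static NAT has rewritten the destination header, and the last reply's point that a destination object has to live in the to-zone (TRUST) address book rather than the UNTRUST one. The static NAT mapping 116.214.107.139 to 172.16.0.254, the source host 116.214.104.231 and the object names are taken from the posts; the TRUST address `SERVER_PRIV`, the function names, and the simplified flow (route and zone lookup omitted, zones passed in directly) are assumptions made for this example.

```python
# Added example, not Junos code: a toy model of the SRX first-packet path that the
# thread discusses (static NAT rewrite, then policy lookup on the translated packet)
# with zone-scoped address books. IPs and object names marked "from the thread" are
# taken from the posts above; everything else is constructed for this example.
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Policy:
    name: str
    from_zone: str
    to_zone: str
    source: str        # address/address-set name in the from-zone book, or "any"
    destination: str   # address/address-set name in the to-zone book, or "any"
    action: str        # "permit" or "deny"


class AddressBooks:
    """Zone-attached address books: addresses and address-sets per zone."""

    def __init__(self):
        self.addresses = {}  # zone -> name -> network
        self.sets = {}       # zone -> set name -> [member names]

    def add_address(self, zone, name, prefix):
        self.addresses.setdefault(zone, {})[name] = ipaddress.ip_network(prefix)

    def add_to_set(self, zone, set_name, member):
        self.sets.setdefault(zone, {}).setdefault(set_name, []).append(member)

    def resolve(self, zone, name):
        """Networks that 'name' stands for in this zone's book. A name that is not
        defined in that zone's book is a configuration error (Junos rejects the
        policy at commit), modelled here as LookupError."""
        if name == "any":
            return [ANY]
        if name in self.addresses.get(zone, {}):
            return [self.addresses[zone][name]]
        members = self.sets.get(zone, {}).get(name)
        if members is None:
            raise LookupError(f"{name!r} is not defined in the {zone!r} address book")
        return [net for m in members for net in self.resolve(zone, m)]


def first_packet(src_ip, dst_ip, from_zone, to_zone, static_nat, books, policies):
    """Static NAT first, then ordered policy lookup on the translated packet.
    static_nat maps public IP -> private IP. Route and zone lookup are simplified
    away (zones are passed in). Returns (dst seen by policy, policy name, action)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(static_nat.get(dst_ip, dst_ip))  # header rewritten here
    for p in policies:
        if (p.from_zone, p.to_zone) != (from_zone, to_zone):
            continue
        src_ok = any(src in net for net in books.resolve(p.from_zone, p.source))
        dst_ok = any(dst in net for net in books.resolve(p.to_zone, p.destination))
        if src_ok and dst_ok:
            return str(dst), p.name, p.action
    return str(dst), "default-policy", "deny"   # nothing matched: default deny


def build_books():
    books = AddressBooks()
    # UNTRUST book as in the original post, minus NOC_107 (a destination range).
    for name, prefix in [("NOC_SG", "116.214.100.0/24"), ("NOC_96", "116.214.96.0/24"),
                         ("NOC_97", "116.214.97.0/24"), ("NOC_104", "116.214.104.0/24")]:
        books.add_address("UNTRUST", name, prefix)
        books.add_to_set("UNTRUST", "NOC_GROUP", name)
    # TRUST book: the public server range as in the last reply, plus (constructed
    # for this example) the server's private address that static NAT maps to.
    books.add_address("TRUST", "NOC_107", "116.214.107.0/24")
    books.add_to_set("TRUST", "NOC_GROUP", "NOC_107")
    books.add_address("TRUST", "SERVER_PRIV", "172.16.0.254/32")
    return books


STATIC_NAT = {"116.214.107.139": "172.16.0.254"}   # public -> private, from the thread


def run(destination_name, books=None):
    """Ping from 116.214.104.231 (from the thread) to the public server address,
    through a policy whose destination-address object is 'destination_name'."""
    books = books or build_books()
    policy = Policy("UNTRUST-TRUST", "UNTRUST", "TRUST", "NOC_GROUP", destination_name, "permit")
    return first_packet("116.214.104.231", "116.214.107.139", "UNTRUST", "TRUST",
                        STATIC_NAT, books, [policy])


def rejected_at_commit(destination_name, books):
    """True if the policy references an object the to-zone book does not define."""
    try:
        run(destination_name, books)
    except LookupError:
        return True
    return False


if __name__ == "__main__":
    for dst_obj in ("any", "NOC_GROUP", "SERVER_PRIV"):
        print(dst_obj, "->", run(dst_obj))
    untrust_only = AddressBooks()
    untrust_only.add_address("UNTRUST", "NOC_104", "116.214.104.0/24")
    untrust_only.add_to_set("UNTRUST", "NOC_GROUP", "NOC_104")
    print("NOC_GROUP only in UNTRUST book ->", rejected_at_commit("NOC_GROUP", untrust_only))
```

Running it shows the translated packet (destination 172.16.0.254 by the time the policy is consulted) being permitted by a destination of `any` or by an object covering the private address, while a destination object that only covers the public 116.214.107.0/24 range matches nothing and falls through to the default deny; a policy that names an object defined only in the UNTRUST book as its to-zone TRUST destination is reported as a commit-time error rather than a runtime mismatch. On a real SRX the equivalent checks are the `show security match-policies` and `show security flow session` commands quoted earlier in the thread, which report the policy the flow actually hit.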