SRX Services Gateway

Security policy bypass

05-06-2017 08:34 AM

If the incoming packet's destination address is the receiving interface, the SRX will not check the security policy; it will check the host-inbound traffic!

Would someone please explain why this behavior occurs?

7 REPLIES

Re: Security policy bypass

05-06-2017 09:59 AM

Originally on the SRX, security policies applied only to transit traffic.

Traffic destined to the SRX is known as "self traffic". The host-inbound traffic configuration is the basic method to restrict overall which protocols can connect to the SRX-assigned addresses. This is still frequently used as the only restriction applied to self traffic.

But later a specific zone for self traffic was added to the SRX: the junos-host zone. Using this zone you can then write more specific security policies for traffic destined to the SRX itself as needed.

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home

Re: Security policy bypass

05-06-2017 11:06 AM

spuluka, please correct my understanding.

Based on what I understood from your writing: if the traffic destination is an IP address belonging to one of the SRX interfaces, it will not be affected by the security policy because it does not go out from the device (it is not transit traffic), and the solution is to use the junos-host zone, which represents the device itself?


Re: Security policy bypass

05-06-2017 11:36 AM

Correct, the junos-host zone is the one to use for security policies that affect traffic destined to the SRX itself.

Steve Puluka BSEET

Re: Security policy bypass

05-06-2017 02:27 PM

spuluka, please, I have one last question.

I tried a lab and I found that everything is correct except one thing: traffic destined to the device's trust-zone interface doesn't match the self-host policy!

For example, I have:

ge-0/0/0 (trust zone)   SRX-1 ---------------------------------- SRX-2

I tried to ping from SRX-2 to the ge-0/0/0 IP address and I found that it matched a normal security policy (from zone untrust to zone trust).


Re: Security policy bypass

05-06-2017 03:06 PM

Hi Ahmed,

The reason it checks the normal security policy is that the traffic is not destined to the interface where the traffic is first received, which in this case is the untrust zone interface.

You are trying to ping the trust zone interface from a device connected to the untrust zone interface, and hence the traffic has to traverse the two zones even though the ping is destined to the trust zone interface itself. Hence it will first perform the normal security policy check, and then check whether it is allowed as host-inbound traffic for the trust zone interface, or whether there is any policy to the junos-host zone.

To summarize: normal security policies come into the picture whenever the traffic has to traverse from one zone to the other, irrespective of whether the destination is on the SRX itself or not. If the traffic is not destined to the SRX, then nothing else will be checked and the traffic will be permitted or dropped as configured; but if the traffic is destined to the SRX, then it will check the host-inbound services for the destination interface, or the junos-host zone policy if any is configured.

Hope this helps to answer your queries :)

Thanks,
Pulkit Bhandari
Please mark my response as Solution Accepted if it helps; kudos are appreciated too. :)
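
As an added illustration (not configuration posted by anyone in this thread), here is a Junos `set`-style fragment for the lab topology above. It puts together the two mechanisms spuluka described (host-inbound-traffic as the basic self-traffic filter, and junos-host zone policies for finer control) with the ordering Pulkit described (a normal untrust-to-trust policy is consulted first when the packet crosses zones to reach the trust interface address). The addressing (ge-0/0/0.0 = 10.0.1.1/24 in trust, ge-0/0/1.0 = 10.0.2.1/24 in untrust, SRX-2 = 10.0.2.2, a management host at 10.0.1.50) and the address-book and policy names are assumptions for the example.

```junos
## Added example, not from the thread. Assumed addressing: ge-0/0/0.0 = 10.0.1.1/24 (trust),
## ge-0/0/1.0 = 10.0.2.1/24 (untrust), SRX-2 = 10.0.2.2. Address-book and policy names are hypothetical.

## Interfaces and zones
set interfaces ge-0/0/0 unit 0 family inet address 10.0.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 10.0.2.1/24
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/1.0

## 1. host-inbound-traffic: the basic self-traffic filter, per zone or per interface.
##    Only ping and ssh may terminate on the trust interface; nothing is opened on untrust.
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh

## 2. Normal (transit-style) policy: SRX-2 in untrust pinging 10.0.1.1 crosses untrust -> trust,
##    so this policy is evaluated before the self-traffic checks on the trust interface.
set security address-book global address srx1-trust-addr 10.0.1.1/32
set security address-book global address srx2-addr 10.0.2.2/32
set security policies from-zone untrust to-zone trust policy ping-srx1-trust-int match source-address srx2-addr
set security policies from-zone untrust to-zone trust policy ping-srx1-trust-int match destination-address srx1-trust-addr
set security policies from-zone untrust to-zone trust policy ping-srx1-trust-int match application junos-ping
set security policies from-zone untrust to-zone trust policy ping-srx1-trust-int then permit
set security policies from-zone untrust to-zone trust policy ping-srx1-trust-int then log session-init

## 3. junos-host zone policy: finer control over traffic that terminates on the SRX itself.
##    Allow ssh only from the management host; deny and log anything else aimed at the box from trust.
set security address-book global address mgmt-host 10.0.1.50/32
set security policies from-zone trust to-zone junos-host policy mgmt-ssh match source-address mgmt-host
set security policies from-zone trust to-zone junos-host policy mgmt-ssh match destination-address any
set security policies from-zone trust to-zone junos-host policy mgmt-ssh match application junos-ssh
set security policies from-zone trust to-zone junos-host policy mgmt-ssh then permit
set security policies from-zone trust to-zone junos-host policy deny-self match source-address any
set security policies from-zone trust to-zone junos-host policy deny-self match destination-address any
set security policies from-zone trust to-zone junos-host policy deny-self match application any
set security policies from-zone trust to-zone junos-host policy deny-self then deny
set security policies from-zone trust to-zone junos-host policy deny-self then log session-init

## Commit with a rollback timer so a mistake in the self-traffic rules cannot lock you out.
commit confirmed 5

## Verification (operational mode)
show security zones trust
show security policies from-zone untrust to-zone trust
show security policies from-zone trust to-zone junos-host
show security flow session destination-prefix 10.0.1.1
```

Two things to check when reproducing Ahmed's lab with this: the `log session-init` on `ping-srx1-trust-int` is what shows that SRX-2's pings to 10.0.1.1 are matched by the untrust-to-trust policy rather than by anything under junos-host, and `show security zones trust` lists the host-inbound services that still gate whether those pings are answered. Using `commit confirmed` matters here because a `deny-self` rule that is one line too broad will also drop the SSH session you are configuring from.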


Re: Security policy bypass

05-06-2017 03:26 PM

Thanks Pulkit, you have been a great help for me this week :)

It was a little confusing because I found that if I ping a device with source-interface (trust ge-0/0/0), it will be considered self-originating and it will match the self policy (in this scenario I am the one sending packets), but in the opposite case, if the packet is coming in to the trust-zone interface, it will be considered transit (in this scenario I am receiving packets).


Re: Security policy bypass

05-06-2017 11:13 PM

Hi Ahmed,

It was a pleasure answering your queries, as they also helped me to gain in knowledge. :)

Coming back to your last post: the reason the SRX checks the self policy when you initiate the ping from the SRX sourcing from an interface is that by default everything is allowed to be initiated from the SRX interface, and since it originates from the interface it is from the junos-host zone, which is part of the self-traffic policy.

Hope this helps. :)

Thanks and Regards,

Pulkit Bhandari