SRX Services Gateway

how to use "show security match policies" for icmp or ping traffic

07-30-2014 06:53 AM

This command needs information about source-port and destination-port, but ping is directly encapsulated in the L3 IP packet.

4 REPLIES

Re: how to use "show security match policies" for icmp or ping traffic

07-30-2014 06:59 AM

Hi Sean,

You could refer to the documentation below for all possible switches of "show security match policies":


http://www.juniper.net/techpubs/en_US/junos12.1/topics/reference/command-summary/show-security-match...

http://www.juniper.net/techpubs/en_US/junos12.1/topics/task/operational/policy-security-matching.htm...

You could use protocol as icmp.

Regards,

Raveen

Note: If this answers your question, you could mark this post as accepted solution, that way it helps others as well. Kudos will be cool if I earned it!

Re: how to use "show security match policies" for icmp or ping traffic

07-30-2014 07:08 AM

I want to know: if I want to match source A to dest B with ping, why do I need to specify source-port and destination-port?

show security match-policies from-zone Trust to-zone Untrust source-ip 172.17.16.xx destination-ip 172.18.xx.xx protocol icmp source-port 1 destination-port 1

Re: how to use "show security match policies" for icmp or ping traffic

08-01-2014 05:45 AM

Hello Seanmine,

Since ICMP is a layer 3 protocol, there is no source port and destination port. But for a firewall to install a session, it needs a source port and a destination port.

The ICMP header has an identifier and a sequence number.

The SRX uses the identifier as the destination port and the sequence number as the source port.

Hence you may use any random number for the source and destination ports; usually 1 and 1 would suffice when you use show security match-policies with protocol icmp.

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too
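
The reply above explains that ping carries no ports and that the SRX maps the ICMP identifier and sequence number onto the pseudo-ports that the match-policies command asks for. As an added example (not from this thread or from Juniper), the Python below parses a constructed ICMP echo request, verifies its RFC 792 checksum, and builds the corresponding show security match-policies command using that mapping; the IPs and zone names passed in are placeholder values.

```python
import struct


def icmp_checksum(data: bytes) -> int:
    """RFC 792 one's-complement checksum over the ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, data: bytes = b"") -> bytes:
    """Assemble an ICMP echo request (type 8) with a valid checksum."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = icmp_checksum(header + data)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + data


def parse_icmp_echo(payload: bytes) -> dict:
    """Parse an ICMP echo request/reply: type, code, checksum, identifier, sequence."""
    if len(payload) < 8:
        raise ValueError("ICMP echo header is 8 bytes")
    icmp_type, code, checksum, ident, seq = struct.unpack("!BBHHH", payload[:8])
    if icmp_type not in (0, 8):
        raise ValueError(f"not an echo message: type {icmp_type}")
    # Recompute the checksum with the checksum field zeroed; reject corrupted packets.
    zeroed = payload[:2] + b"\x00\x00" + payload[4:]
    if icmp_checksum(zeroed) != checksum:
        raise ValueError("bad ICMP checksum")
    return {"type": icmp_type, "code": code, "identifier": ident, "sequence": seq}


def match_policies_cmd(src_ip: str, dst_ip: str, from_zone: str, to_zone: str, fields: dict) -> str:
    """Build the CLI command, using identifier -> destination-port and sequence -> source-port
    as the reply above describes (pseudo-ports only; ICMP has no real ports)."""
    return (f"show security match-policies from-zone {from_zone} to-zone {to_zone} "
            f"source-ip {src_ip} destination-ip {dst_ip} protocol icmp "
            f"source-port {fields['sequence']} destination-port {fields['identifier']}")


# Constructed sample: echo request with identifier 0x1234 and sequence 1 (hypothetical values).
SAMPLE = build_echo_request(0x1234, 1, b"abcdefgh")

if __name__ == "__main__":
    fields = parse_icmp_echo(SAMPLE)
    print(match_policies_cmd("172.17.16.10", "172.18.1.1", "Trust", "Untrust", fields))
```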


Re: how to use "show security match policies" for icmp or ping traffic

11-05-2019 01:25 PM

I stumbled on the fix for this while doing traceoptions on icmp on an SRX 550 and via a GNS3 SRX image. Set your source-port to 2048:

show security match-policies protocol icmp destination-port 12345 destination-ip <dst-IP> source-port 2048 source-ip <src-IP> from-zone <From-Zone> to-zone <To-Zone>

2048 only, nothing else will work. At least for the versions of IOS I was using, 12.3.xxx and 12.1xxx respectively.