Screen OS


  • 1.  MIP Policy Question

    Posted 05-26-2010 16:11

    My question is along the lines of this one in the forum, however, it is a little different.

    Say I have this:

    Untrust to Trust

    Source address: Any

    Destination address: MIP

    Service: LDAP

    Action: Permit

    MIP works fine, nothing of note there.

    All of our MIP setups are used with apps that initiate from Untrust to Trust.

    We have an app where the Trust host (the destination of the MIP) would need/want to initiate a connection to the Untrust/Internet on an ad hoc basis.

    Am I right to think that this will happen via the MIP without the need for me to put in any sort of Trust to Untrust rule?

    In other words, a MIP is reflexive in that I can go Untrust to Trust with service X and Trust to Untrust with service X with just the single policy (?)

    Maybe I'm overthinking this...



  • 2.  RE: MIP Policy Question
    Best Answer

    Posted 05-26-2010 17:39

    Policy is one way from a flow initiation perspective. So flows that initiate from the trust zone must pass a trust-to-untrust policy. Obviously a flow initiated from untrust-to-trust allows egress or return traffic to go out, but not a new flow without a corresponding policy entry.



  • 3.  RE: MIP Policy Question

    Posted 05-26-2010 23:46

    Hi!

    The bidirectional nature of the MIP has nothing to do with the security policy. It determines how all outgoing connections are NATted if they are established from a trusted host that has a MIP on the untrusted interface. These connections are source NATted to the related MIP independent of the trust interface mode (NAT or route) and of whether the policy is configured with a src-NAT or not. Even when an explicit policy-based NAT is configured (f.i. to the interface IP) it will be ignored for the given host.

    Sure, you need a policy that allows the Trust-to-Untrust access from the ORIGINAL IP.

    Kind regards

    Edouard
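To make the two answers concrete, the following ScreenOS CLI sketch shows a MIP together with the two one-way policies it needs. This is an added example, not configuration posted in the thread; the interface name (ethernet3), the public address 203.0.113.10, the trust host 10.1.1.10 and the policy IDs are assumed values. Lines beginning with `#` are annotations for the reader, not CLI input.

```screenos
# Constructed example: MIP on the untrust interface plus the two policies.
# ethernet3 (untrust), 203.0.113.10 (public MIP address) and 10.1.1.10
# (trust LDAP host) are assumptions, not values from the thread.

# Address book entry for the trust host, referenced by the outbound policy
set address trust ldap-host 10.1.1.10/32

# MIP: one-to-one mapping of the public address to the trust host
set interface ethernet3 mip 203.0.113.10 host 10.1.1.10 netmask 255.255.255.255 vr trust-vr

# Inbound: Untrust -> Trust, destination is the MIP (the policy from the question).
# This permits flows initiated from the Internet and their return traffic only.
set policy id 10 from untrust to trust any mip(203.0.113.10) LDAP permit

# Outbound: Trust -> Untrust, matched on the ORIGINAL (pre-NAT) address of the host.
# Without this policy a flow initiated by the trust host is dropped; with it the
# source is translated to 203.0.113.10 by the MIP regardless of interface NAT mode
# or any policy-based src-NAT, as reply 3 describes.
set policy id 11 from trust to untrust ldap-host any LDAP permit
```

`get policy` lists each policy only in the direction it was configured, which is the point of reply 2: the MIP makes the address translation bidirectional, but each direction of flow initiation still needs its own permit.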



  • 4.  RE: MIP Policy Question

    Posted 05-27-2010 11:33

    That makes sense, thank you very much.