vSRX

Security Question - default-policy

07-30-2019 09:21 AM

Hey,

Hopefully a basic question here!

I have a server (172.16.5.10) in a trusted zone which is unable to pass traffic (ICMP) to hosts in the untrusted zone/WAN (8.8.8.8).

I've configured policies as such:

----

from-zone trust to-zone untrust {
    policy trust-to-untrust-all-allow {
        description "Trust to Untrust - Allow All";
        match {
            source-address any;
            destination-address any;
            application any;
            source-identity any;
            dynamic-application any;
        }
        then {
            permit;
        }
    }
}
from-zone trust to-zone trust {
    policy trust-to-trust-allow-all {
        description "Trust to Trust - Allow All";
        match {
            source-address any;
            destination-address any;
            application any;
            dynamic-application any;
        }
        then {
            permit;
        }
    }
}

----

Even with the above, it seems the traffic is being blocked by the default-policy:

Jul 30 14:39:57 14:39:57.668100:CID-0:RT: denied by policy default-policy-logical-system-00(2), dropping pkt

If I set the default-policy to permit-all, the traffic flows and I receive ICMP responses on the host.

From what I've read, default-policy should only apply in the instance that no other policies match (as you would expect). So I assume I'm missing something basic here. Could anybody point me in the right direction please?

Thanks!

Joe


Re: Security Question - default-policy

07-30-2019 09:27 AM

Remove the match condition dynamic-application from the policy, or configure it to "none".
Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: Security Question - default-policy

07-30-2019 11:34 AM
Hi Joe,

I would suggest you try 2 things.

1. Remove "dynamic-application any" from the security policy and test the traffic.

2. If the above didn't resolve the issue, then most probably the issue resides in policy ordering.

Do you have any other policy from trust to untrust zone? It can be determined by the following command:

>show configuration security policies | display set

If your policy "trust-to-untrust-all-allow" is at the bottom, try to place it on the top.

#insert security policies from-zone <zone> to-zone <zone> policy <policy-name> before policy <policy-name>
#commit

Looking forward to hearing from you.


Thanks,
π00bm@$t€®.
Please, Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
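As an added example (not code from the thread or from Juniper), the Python script below parses the kind of `display set` output the reply above asks for and reports, per zone pair, each policy's evaluation position and whether it still carries a dynamic-application match term other than "none", the two things the replies point at. The set lines are a constructed sample modelled on the question's policy, with a hypothetical web-only policy placed ahead of it to show the ordering report.

```python
import re

# Constructed sample of `show configuration security policies | display set`
# output, modelled on the policy in the question; not captured from a device.
SAMPLE_SET_OUTPUT = """\
set security policies from-zone trust to-zone untrust policy web-only match source-address any
set security policies from-zone trust to-zone untrust policy web-only match destination-address any
set security policies from-zone trust to-zone untrust policy web-only match application junos-http
set security policies from-zone trust to-zone untrust policy web-only then permit
set security policies from-zone trust to-zone untrust policy trust-to-untrust-all-allow match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust-all-allow match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust-all-allow match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust-all-allow match dynamic-application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust-all-allow then permit
set security policies default-policy deny-all
"""

# One set line per policy statement: zone pair, policy name, section, remainder.
LINE_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) "
                     r"policy (\S+) (match|then|description)(?: (.*))?$")

def parse_policies(set_output):
    """Group set lines by zone pair, keeping policies in configuration order."""
    policies = {}  # (from_zone, to_zone) -> {name: {"match": {...}, "then": action}}
    for line in set_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # default-policy and other non-policy lines are skipped
        src, dst, name, section, rest = m.groups()
        pol = policies.setdefault((src, dst), {}).setdefault(
            name, {"match": {}, "then": None})
        if section == "match":
            key, _, value = (rest or "").partition(" ")
            pol["match"][key] = value
        elif section == "then":
            pol["then"] = rest
    return policies

def audit(set_output):
    """Report each policy's position in its zone pair and any dynamic-application term."""
    findings = []
    for (src, dst), pols in parse_policies(set_output).items():
        for pos, (name, pol) in enumerate(pols.items(), start=1):
            dyn = pol["match"].get("dynamic-application")
            findings.append({"zones": f"{src}->{dst}", "policy": name, "position": pos,
                             "of": len(pols), "action": pol["then"], "dynamic_application": dyn,
                             "flag": dyn is not None and dyn != "none"})
    return findings
```

Feed it the real `display set` output; a flagged policy is one to clear with `delete ... match dynamic-application`, and the position column shows where `insert ... before policy` would move it.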

Re: Security Question - default-policy

07-30-2019 02:46 PM

Joe,

 

Get rid of the 'dynamic-application any;' snippet and that should do it.

 

Cheers

Pooja

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!