Got the latest vSRX 19.1 trial running on ESXi.
It's a really basic setup: a trust zone with an Ubuntu VM, and an untrust zone towards the internet gateway.
The vSRX itself can reach the internet without a problem, but the Linux client in the trust zone can only reach its default-gateway (DG) interface IP on the vSRX, nothing beyond it.
I have the policies, NAT and zone permissions configured...
I have a feeling it's something basic, but I haven't touched SRX in a while, so: did they change behaviour after introducing the L7 application stanza in security policies?
Config below:
show configuration
## Last commit: 2019-06-24 10:20:12 UTC by root
version 20190319.203446_builder.r1013243;
/* Management-plane settings (authentication, management services, logging, licensing). */
system {
    root-authentication {
        /* NOTE(review): this hash has been posted publicly with the config; rotate the root password. */
        encrypted-password "$6$wtwr2/1x$OlvHWP89e5/3wrAIcsEuy1EJk9eYb6g7XPVRQwiqWv6PReZq3gL/4.4JHA6HpExlhaWX6V9i2rVFY91H.0cRh/"; ## SECRET-DATA
    }
    services {
        ssh {
            /* NOTE(review): direct root login over SSH is allowed; a named admin login with 'root-login deny' is the usual hardening. */
            root-login allow;
        }
        web-management {
            /* NOTE(review): plaintext HTTP management is enabled alongside HTTPS on the same interface; consider removing 'http' so management is HTTPS-only. */
            http {
                interface fxp0.0;
            }
            https {
                system-generated-certificate;
                interface fxp0.0;
            }
        }
    }
    host-name Bishop;
    /* Same gateway as the next-hop of the static default route in routing-options. */
    backup-router 10.193.60.1;
    name-server {
        8.8.8.8;
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
        /* Session logs (RT_FLOW) from the policies that have 'log session-init/session-close' land here;
           this is the file to read when tracing why trust-to-untrust flows do not complete. */
        file policy_session {
            user info;
            match RT_FLOW;
            /* NOTE(review): the archived session-log files are world-readable; drop 'world-readable' unless every local account should be able to read them. */
            archive size 1000k world-readable;
            structured-data;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
/* Automatic download of the application-identification (AppID) signature package.
   The LAN-to-WAN and Deny_log policies match on 'dynamic-application any', which depends on this package being installed. */
services {
    application-identification {
        download {
            automatic {
                start-time 06-14.12:00;
                interval 6;
            }
        }
    }
}
/* Security plane: logging, IDP/AppID/UTM feature configuration, screens, source NAT, policies and zones. */
security {
    log {
        mode event;
        report;
    }
    /* IDP signature package auto-download. No policy in this config attaches an IDP policy under
       application-services, so this appears to download signatures without enforcing anything — confirm if IDP was intended. */
    idp {
        security-package {
            automatic {
                start-time "2019-6-17.13:50:09 +0000";
                interval 1;
                enable;
            }
        }
    }
    application-tracking;
    /* NOTE(review): UTM features are license-dependent on vSRX. When isolating the trust-to-untrust failure,
       temporarily remove the utm-policy from the LAN-to-WAN permit action and re-test before looking elsewhere. */
    utm {
        default-configuration {
            anti-spam {
                type sbl;
            }
        }
        utm-policy UTM_basic {
            anti-virus {
                http-profile junos-sophos-av-defaults;
                ftp {
                    upload-profile junos-sophos-av-defaults;
                    download-profile junos-sophos-av-defaults;
                }
                smtp-profile junos-sophos-av-defaults;
                pop3-profile junos-sophos-av-defaults;
                imap-profile junos-sophos-av-defaults;
            }
            web-filtering {
                http-profile junos-wf-enhanced-log-only;
            }
            anti-spam {
                smtp-profile junos-as-defaults;
            }
        }
    }
    /* Screen profile applied to the untrust zone below. */
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    queue-size 2000; ## Warning: 'queue-size' is deprecated
                    timeout 20;
                }
                land;
            }
        }
    }
    /* Source NAT for all trust-to-untrust traffic, translated to the address of the egress interface.
       This only takes effect once the packet has been routed out of an untrust-zone interface (ge-0/0/0.0). */
    nat {
        source {
            rule-set NAT {
                from zone trust;
                to zone untrust;
                rule NAT {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        /* Intra-zone traffic on the LAN side is fully permitted. */
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* Permit-all with UTM and session logging, followed by an explicit logged deny.
           Because both rules match 'dynamic-application any', the final verdict may be deferred until AppID
           has classified the flow; check policy_session logs for the matched policy name per session. */
        from-zone trust to-zone untrust {
            policy LAN-to-WAN {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                    dynamic-application any;
                }
                then {
                    permit {
                        application-services {
                            utm-policy UTM_basic;
                        }
                    }
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
            policy Deny_log {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                    dynamic-application any;
                }
                then {
                    deny;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
    }
    zones {
        /* Reaching the gateway IP from the client only exercises host-inbound traffic to the vSRX itself
           (permitted here by 'system-services all'); transit traffic instead goes through policy, NAT and
           the route lookup, so the observed break is on that path. */
        security-zone trust {
            tcp-rst;
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
            application-tracking;
            source-identity-log;
        }
        /* NOTE(review): every system service (ssh, http, https, ...) and every routing protocol is reachable
           from the WAN-facing side. Restrict host-inbound-traffic on this zone/interface to what is actually
           needed (e.g. 'ping' while troubleshooting) and leave management on fxp0. */
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
}
/* NOTE(review): ge-0/0/0.0 (10.193.60.40/24) and fxp0.0 (10.193.60.45/24) sit in the same subnet in the same
   (default) routing instance. fxp0 is the out-of-band management interface and does not forward transit traffic;
   if the direct route for 10.193.60.0/24, and with it the default route's next-hop, resolves via fxp0.0, the
   vSRX's own traffic still works (matching "vSRX can reach the internet") while NATed client traffic is dropped.
   Move fxp0 to a separate management network (or a management routing instance, if this release supports it)
   and re-test. */
interfaces {
    /* WAN / untrust side; also the source-NAT address for trust-to-untrust traffic. */
    ge-0/0/0 {
        unit 0 {
            description WAN;
            family inet {
                address 10.193.60.40/24;
            }
        }
    }
    /* LAN / trust side; this is the default-gateway address the Ubuntu client can reach. */
    ge-0/0/1 {
        unit 0 {
            description LAN;
            family inet {
                address 192.168.35.40/24;
            }
        }
    }
    /* Out-of-band management; used for ssh/http/https under system services. */
    fxp0 {
        unit 0 {
            family inet {
                address 10.193.60.45/24;
            }
        }
    }
}
/* Single static default route. The next-hop 10.193.60.1 lies in 10.193.60.0/24, which is configured on both
   ge-0/0/0.0 and fxp0.0 (interfaces stanza); verify with 'show route 0.0.0.0/0' that it resolves via ge-0/0/0.0
   rather than the management interface, since only the former can carry transit (NATed client) traffic. */
routing-options {
    static {
        route 0.0.0.0/0 next-hop 10.193.60.1;
    }
}