Hi,
Even I observed a similar issue and created a filter similar to the one below.
This can be applied to loopback interface or to the interface facing Internet.
root@Site-A> show configuration policy-options | display set
set policy-options prefix-list Trusted_IP_Address 192.168.1.0/24
set policy-options prefix-list Trusted_IP_Address 192.168.2.0/24
set policy-options prefix-list Trusted_IP_Address 192.168.3.0/24
set policy-options prefix-list Trusted_IP_Address 192.168.4.0/24

root@Site-A> show configuration firewall | display set
set firewall family inet filter Trusted_traffic term Allow_SSH from source-prefix-list Trusted_IP_Address
set firewall family inet filter Trusted_traffic term Allow_SSH from protocol tcp
set firewall family inet filter Trusted_traffic term Allow_SSH from protocol udp
set firewall family inet filter Trusted_traffic term Allow_SSH from destination-port ssh
set firewall family inet filter Trusted_traffic term Allow_SSH from destination-port http
set firewall family inet filter Trusted_traffic term Allow_SSH from destination-port https
set firewall family inet filter Trusted_traffic term Allow_SSH from destination-port snmp
set firewall family inet filter Trusted_traffic term Allow_SSH from destination-port snmptrap
set firewall family inet filter Trusted_traffic term Allow_SSH from destination-port syslog
set firewall family inet filter Trusted_traffic term Allow_SSH then accept
set firewall family inet filter Trusted_traffic term Reject_unknown_traffic from source-address 0.0.0.0/0
set firewall family inet filter Trusted_traffic term Reject_unknown_traffic from destination-address X.X.X.X/32    << Outside IP of Firewall
set firewall family inet filter Trusted_traffic term Reject_unknown_traffic from destination-port ssh
set firewall family inet filter Trusted_traffic term Reject_unknown_traffic from destination-port http
set firewall family inet filter Trusted_traffic term Reject_unknown_traffic from destination-port https
set firewall family inet filter Trusted_traffic term Reject_unknown_traffic from destination-port snmp
set firewall family inet filter Trusted_traffic term Reject_unknown_traffic from destination-port snmptrap
set firewall family inet filter Trusted_traffic term Reject_unknown_traffic from destination-port syslog
set firewall family inet filter Trusted_traffic term Reject_unknown_traffic then discard
set firewall family inet filter Trusted_traffic term Allow_Any then accept

root@Site-A> show configuration interfaces reth0 | display set
set interfaces reth0 description ******UNTRUST******
set interfaces reth0 unit 0 family inet filter input Trusted_traffic
set interfaces reth0 unit 0 family inet address X.X.X.X
Hope this helps
Thanks,
Ajay
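To see how the filter above actually treats traffic before committing it, here is an added Python model of its term-by-term evaluation (this is an editor's example, not code from the post or from Junos). It applies Junos filter semantics: terms are tried in order, all match conditions inside one term must hold, multiple values of a single condition are alternatives, and the first matching term's action wins. The outside address X.X.X.X is replaced with the constructed placeholder 203.0.113.1, and the sample packets are constructed as well. Running it shows the one property worth noticing in this design: Reject_unknown_traffic only discards management-port traffic addressed to the one /32 named in it, so the same ports on any other address that the filter sees fall through to Allow_Any.

```python
import ipaddress

# Constructed stand-in for X.X.X.X (the outside IP of the firewall in the post).
OUTSIDE_IP = ipaddress.ip_address("203.0.113.1")

# The Trusted_IP_Address prefix-list from the post.
TRUSTED_PREFIXES = [ipaddress.ip_network(p) for p in (
    "192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24", "192.168.4.0/24")]

# ssh, http, https, snmp, snmptrap, syslog, as numeric ports.
MGMT_PORTS = {22, 80, 443, 161, 162, 514}


def _in_prefixes(addr, prefixes):
    return any(addr in p for p in prefixes)


def term_allow_ssh(pkt):
    # source-prefix-list AND protocol [tcp udp] AND destination-port [...]
    return (_in_prefixes(pkt["src"], TRUSTED_PREFIXES)
            and pkt["proto"] in ("tcp", "udp")
            and pkt["dport"] in MGMT_PORTS)


def term_reject_unknown(pkt):
    # source-address 0.0.0.0/0 matches everything, so only the
    # destination-address /32 and destination-port conditions bite.
    return pkt["dst"] == OUTSIDE_IP and pkt["dport"] in MGMT_PORTS


def term_allow_any(pkt):
    return True


# Terms in the order they appear in the configuration: first match wins.
TERMS = [
    ("Allow_SSH", term_allow_ssh, "accept"),
    ("Reject_unknown_traffic", term_reject_unknown, "discard"),
    ("Allow_Any", term_allow_any, "accept"),
]


def evaluate(src, dst, proto, dport):
    """Return (term_name, action) for a packet, or (None, 'discard')
    for the implicit discard at the end of a Junos filter."""
    pkt = {
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "proto": proto,
        "dport": dport,
    }
    for name, matches, action in TERMS:
        if matches(pkt):
            return name, action
    return None, "discard"


if __name__ == "__main__":
    # Constructed sample packets: (src, dst, proto, dport, what they illustrate)
    samples = [
        ("192.168.1.10", "203.0.113.1", "tcp", 22, "trusted source to SSH"),
        ("198.51.100.7", "203.0.113.1", "tcp", 22, "untrusted source to SSH"),
        ("198.51.100.7", "203.0.113.1", "tcp", 8080, "untrusted source, non-management port"),
        ("198.51.100.7", "10.0.0.5", "udp", 161, "untrusted source, SNMP to another address"),
    ]
    for src, dst, proto, dport, note in samples:
        term, action = evaluate(src, dst, proto, dport)
        print(f"{note:45s} -> {term} ({action})")
```

The last sample is the check to keep in mind when choosing where to apply the filter: if it is attached to an interface that carries traffic for more than the one outside address, or reused on the loopback without changing the destination-address in Reject_unknown_traffic, management ports on the other addresses are accepted by Allow_Any.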