SRX1400 hit-counts and security policies bug?

Hi,

For the past few hours I've been struggling with a weird issue in my SRX1400 cluster (running Junos 12.1X46-D40.2) and now I think I've found a bug in Junos. I'd be grateful if someone could confirm this, or show me what I did wrong. :-)

The scenario is really simple. I have a bunch of Windows desktops in one firewall zone, and a Microsoft Active Directoy server in another zone. I only want to permit Active Directoy traffic (Microsoft has a few really good KB articles about this - this is not the issue). So I built an application-set that matches everything that Microsoft wants you to permit between your desktop computers and your Active Directory server. I applied the changes and watched the hit-counts after 1 hour had passed:

> show security policies hit-count from-zone desktops to-zone servers
node0:
--------------------------------------------------------------------------
Logical system: root-logical-system
 Index   From zone        To zone           Name           Policy count
 1       desktops         servers           permit-msad    164931
 2       desktops         servers           permit-all     24

Great! Almost no hits on the permit-all policy, so almost everything is actually hitting my Active Directory policy (permit-msad). This is what the rest of the relevant config looks like:

> show configuration security policies from-zone desktops to-zone servers
policy permit-msad {
    match {
        source-address any;
        destination-address [ microsoft-dc-server ];
        application jd-msad-combined;
    }
    then {
        permit;
    }
}
policy permit-all {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit;
        log {
            session-init;
        }
    }
}

> show configuration applications application-set jd-msad-combined
application jd-msad-ntp;
application jd-msad-kerberosauth;
application jd-msad-dcops;
application jd-msad-netbios;
application jd-msad-ldap;
application jd-msad-smb;
application jd-msad-kerberospasswd;
application jd-msad-gc;
application jd-msad-dynamic-rpc;
application jd-msad-dns;

> show configuration applications application jd-msad-dynamic-rpc
term t1 protocol tcp destination-port 49152-65535;
term t2 protocol udp destination-port 49152-65535;

So, lots of hits on the policy which permits active directory traffic, but almost no traffic hits the permit-all rule. This is good, so my active directory rules is probably working and I can probably disable the permit-all rule soon.

Just to be safe though, let's check the log server. I log everything that hits the permit-all policy. So I should see 24 hits on the log server.

On the log server, which is running Logstash+Kibana+Elasticsearch, I searched for "permit-all" and I got 1708 matching logs during the last hour when the actual count should be only 24. Hm. Weird. What did I do wrong? Let's check the actual 1708 log entries:

Time				src-ip  	dst-ip  	dst-port
April 29th 2016, 12:32:45.474	10.33.50.34	10.33.12.8	49155
April 29th 2016, 12:32:39.358	10.33.51.241	10.33.12.8	49155
April 29th 2016, 12:32:38.125	10.33.51.69	10.33.12.9	49155
April 29th 2016, 12:32:37.813	10.33.51.165	10.33.12.8	49155
April 29th 2016, 12:32:30.328	10.33.50.152	10.33.12.8	49155
April 29th 2016, 12:32:29.935	10.33.51.148	10.33.12.8	49155
April 29th 2016, 12:32:28.004	10.33.51.122	10.33.12.8	49155
April 29th 2016, 12:32:26.966	10.33.50.134	10.33.12.9	49155
April 29th 2016, 12:32:24.547	10.33.50.245	10.33.12.9	49159
April 29th 2016, 12:32:23.747	10.33.50.197	10.33.12.9	49155
April 29th 2016, 12:32:23.582	10.33.50.215	10.33.12.8	49155
April 29th 2016, 12:32:22.718	10.33.50.239	10.33.12.8	49155
April 29th 2016, 12:32:22.048	10.33.50.82	10.33.12.9	49155
April 29th 2016, 12:32:21.287	10.33.50.62	10.33.12.8	49155
April 29th 2016, 12:32:19.503	10.33.50.194	10.33.12.8	49155
April 29th 2016, 12:32:16.256	10.33.50.214	10.33.12.8	49155
April 29th 2016, 12:32:15.899	10.33.51.240	10.33.12.8	49155
April 29th 2016, 12:32:15.390	10.33.51.45	10.33.12.9	49155
April 29th 2016, 12:32:10.835	10.33.50.207	10.33.12.8	49155
April 29th 2016, 12:32:08.696	10.33.50.87	10.33.12.8	49155
April 29th 2016, 12:32:06.246	10.33.50.156	10.33.12.16	27422
April 29th 2016, 12:32:06.172	10.33.50.156	10.33.12.16	27422
April 29th 2016, 12:32:04.661	10.33.50.64	10.33.12.9	49155
April 29th 2016, 12:31:59.535	10.33.50.138	10.33.12.9	49155
April 29th 2016, 12:31:52.091	10.33.50.73	10.33.12.9	49155
April 29th 2016, 12:31:47.407	10.33.50.105	10.33.12.9	49155
April 29th 2016, 12:31:46.582	10.33.50.97	10.33.12.8	49155
April 29th 2016, 12:31:46.573	10.33.50.97	10.33.12.8	49159
April 29th 2016, 12:31:46.571	10.33.50.97	10.33.12.8	49155
...
LOTS MORE
...<SNIP>

Woah. What is this? Port 49155 and 49159? Those ports are allowed by the jd-msad-dynamic-rpc application and should never hit the permit-all policy.

So I re-did the search again, this time removing all matching entries with dst-ports in the 49152-65535 range. The number of matching sessions I got now was 24, which is exactly what the permit-all policy hit-count was reporting.

So, something is very wrong here. Hit-counts is reporting one number, but the log server is seeing something else. I see at least two possible bug scenarios:

1. The permit-msad policy isn't working and the traffic is actually hitting the permit-all policy but for some reason the hit-count isn't updated.

2. The permit-msad policy is working and the permit-all hit-count is correct, but for some reason the box sends out logs for sessions in the 49152-65535 range hitting the permit-all policy even though they never really exist.

Please ask if somehing isn't clear. I tried to make this as simple to understand as possible.

Comments appreciated!