Hey Guys,
I am doing some initial tests before deploying out some new SRX firewalls.
Model: srx1400
JUNOS Software Release [12.1X44-D35.5]
While setting up some external monitoring (ping to our untrusted interface), I found that the global policy was not taking effect on traffic destined to the junos-host zone.
From my readings, it looks like the precedence is to apply the intrazone/interzone rules (respectively), then global, then act on the default action.
I tried a few different ways and have it working how I would like, but not knowing why it's not working as expected is killing me. Also, it has changed how I will be creating my policies.
So I have the following configuration in place:
(192.168.0.25 is the IP of the reth interface on the untrust zone)
{primary:node0}[edit]
root@juniper# show security
address-book {
    global {
        address 192.168.0.0/24 192.168.0.0/24;
        address 192.168.0.25/32 192.168.0.25/32;
    }
}
policies {
    from-zone untrust to-zone junos-host {
        policy inet-icmp-to-juniper {
            match {
                source-address 192.168.0.0/24;
                destination-address 192.168.0.25/32;
                application junos-icmp-ping;
            }
            then {
                permit;
            }
        }
    }
    global {
        policy deny-all {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                deny;
            }
        }
    }
    default-policy {
        deny-all;
    }
}
zones {
    security-zone untrust {
        host-inbound-traffic {
            system-services {
                ping;
            }
        }
        interfaces {
            reth0.10;
        }
    }
    security-zone trust {
        host-inbound-traffic {
            system-services {
                ping;
                ssh;
                https;
            }
        }
        interfaces {
            reth0.20;
        }
    }
}
From my readings I would expect that any icmp echo coming from 192.168.0.0/24 (to 192.168.0.25) via untrust zone would be accepted and everything else will be denied (from the global policy). Well, turns out that everything under the sun, including what is permitted through the rule, is capable of pinging that specific destination address (192.168.0.25).
Only when adding a second policy denying all traffic under the permit will I get my desired results.
policies {
    from-zone untrust to-zone junos-host {
        policy inet-icmp-to-juniper {
            match {
                source-address 192.168.0.0/24;
                destination-address 192.168.0.25/32;
                application junos-icmp-all;
            }
            then {
                permit;
            }
        }
        policy deny-everything-else {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                deny;
            }
        }
    }
}
Can someone shed some light on why the global policy, or even the default action, is not working? I haven't tested this between the untrust and trust zones, so I am hoping it is specific to the junos-host zone. Otherwise, I suppose I will have to update so I can take advantage of the source-address-excluded and destination-address-excluded that were included in Junos 12.1X45.
Would appreciate any feedback.
Thanks
GMH.
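To make the expected behaviour concrete, here is an added example (not part of the post, and not Juniper code) that models the lookup order the post describes: zone-pair policies first, then global policies, then the default policy, first match wins in each stage. The policy data is transcribed from the post's first configuration; the test flows, the source address 10.9.8.7 and the use of junos-ssh as a non-ICMP application are constructed for illustration.

```python
"""Model of the SRX policy lookup order described in the post."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Policy:
    name: str
    src: str      # CIDR prefix or "any"
    dst: str      # CIDR prefix or "any"
    app: str      # Junos application name or "any"
    action: str   # "permit" or "deny"

    def matches(self, src_ip, dst_ip, app):
        def addr_ok(rule, ip):
            return rule == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(rule, strict=False)
        return addr_ok(self.src, src_ip) and addr_ok(self.dst, dst_ip) and self.app in ("any", app)


def lookup(flow, zone_policies, global_policies, default_action):
    """Return (action, stage:policy) for a flow. Stages are evaluated in the
    order the post describes: zone-pair, then global, then default-policy."""
    src_ip, dst_ip, app, from_zone, to_zone = flow
    stages = [("zone-pair", zone_policies.get((from_zone, to_zone), [])),
              ("global", global_policies)]
    for stage, policies in stages:
        for p in policies:            # ordered; first match wins within a stage
            if p.matches(src_ip, dst_ip, app):
                return p.action, f"{stage}:{p.name}"
    return default_action, "default-policy"


# Transcribed from the post (192.168.0.25 is the untrust reth interface).
ZONE_POLICIES = {("untrust", "junos-host"): [
    Policy("inet-icmp-to-juniper", "192.168.0.0/24", "192.168.0.25/32", "junos-icmp-ping", "permit")]}
GLOBAL_POLICIES = [Policy("deny-all", "any", "any", "any", "deny")]
DEFAULT_ACTION = "deny"


def expected_result(src_ip, app, dst_ip="192.168.0.25"):
    """What the described order predicts for a host-bound flow arriving on untrust."""
    return lookup((src_ip, dst_ip, app, "untrust", "junos-host"),
                  ZONE_POLICIES, GLOBAL_POLICIES, DEFAULT_ACTION)


if __name__ == "__main__":
    # Constructed test flows: permitted source, outside source, wrong application.
    for src, app in [("192.168.0.50", "junos-icmp-ping"), ("10.9.8.7", "junos-icmp-ping"),
                     ("192.168.0.50", "junos-ssh")]:
        print(src, app, "->", expected_result(src, app))
```

Under this model only the 192.168.0.0/24 ping reaches "permit"; every other flow to 192.168.0.25 is stopped by the global deny-all, which is the outcome the post says the device did not produce.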