Solved

Disable ping between IP's - Juniper SRX

Posted on 2014-02-14
3
818 Views
Last Modified: 2014-02-14
Hi Folks,

 
I would like to a partcular ip not to be pinged by other zones . So just to make it simple, if i just say source and destination with ping to deny, will it allow other services

-----------------------------------------
set security policies from-zone Y-BFLY to-zone MGMT-IN policy Y-BFLY-OUT match source-address SZ-Y-BFLY
set security policies from-zone Y-BFLY to-zone MGMT-IN policy Y-BFLY-OUT match destination-address any
set security policies from-zone Y-BFLY to-zone MGMT-IN policy Y-BFLY-OUT match application junos-icmp-all
set security policies from-zone Y-BFLY to-zone MGMT-IN policy Y-BFLY-OUT then deny

Regards,

SID
0
Comment
Question by:infiniti7181
  • 2
3 Comments
 
LVL 18

Accepted Solution

by:
Sanga Collins earned 500 total points
ID: 39858981
Hi Sid, as long as you have a policy below the ones that block PING to allow other traffic, other services will run. Juniper processes policy in order so a block policy before an allow policy will take precedence.
0
 

Author Comment

by:infiniti7181
ID: 39859322
Hi,
Just to confirm what i typed the command earlier

Source A with Desitnation B with application ICMP to be denied . This means Source A with Destination  B will allow other services . Correct me if i am wrong.

Thanks for your help and support.

Regards,
SID
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 39859367
You need:
#1 source A to Destination B, ICMP deny.

and after that you still need:
#2 source A to destination B 'other traffic' allow

when and ICMP packet matching #1 hits the juniper it will be dropped. If it does not match #1, it will traverse the device using rule #2

Note rule #2 may be covered by other rules like zone trust to zone untrust allow.
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
md5 password 3 87
Allow IP range in sonicwall 1 32
VOIP gateways - feedback 23 74
best firewall for packet filtering 5 39
It’s 2016. Password authentication should be dead — or at least close to dying. But, unfortunately, it has not traversed Quagga stage yet. Using password authentication is like laundering hotel guest linens with a washboard — it’s Passé.
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Although Jacob Bernoulli (1654-1705) has been credited as the creator of "Binomial Distribution Table", Gottfried Leibniz (1646-1716) did his dissertation on the subject in 1666; Leibniz you may recall is the co-inventor of "Calculus" and beat Isaac…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question