Disable ping between IP's - Juniper SRX

Posted on 2014-02-14
Last Modified: 2014-02-14
Hi Folks,

I would like a particular IP not to be pinged by other zones. So just to make it simple, if I just say source and destination with ping to deny, will it allow other services?

-----------------------------------------
set security policies from-zone Y-BFLY to-zone MGMT-IN policy Y-BFLY-OUT match source-address SZ-Y-BFLY
set security policies from-zone Y-BFLY to-zone MGMT-IN policy Y-BFLY-OUT match destination-address any
set security policies from-zone Y-BFLY to-zone MGMT-IN policy Y-BFLY-OUT match application junos-icmp-all
set security policies from-zone Y-BFLY to-zone MGMT-IN policy Y-BFLY-OUT then deny

Regards,

SID
Question by:infiniti7181

Accepted Solution

by:
Sanga Collins earned 500 total points
ID: 39858981
Hi Sid, as long as you have a policy below the ones that block PING to allow other traffic, other services will run. Juniper processes policies in order, so a block policy before an allow policy will take precedence.

Author Comment

by:infiniti7181
ID: 39859322
Hi,
Just to confirm the command I typed earlier:

Source A with Destination B with application ICMP to be denied. This means Source A with Destination B will allow other services. Correct me if I am wrong.

Thanks for your help and support.

Regards,
SID

Expert Comment

by:Sanga Collins
ID: 39859367
You need:
#1 source A to Destination B, ICMP deny.

and after that you still need:
#2 source A to destination B 'other traffic' allow

When an ICMP packet matching #1 hits the Juniper, it will be dropped. If it does not match #1, it will traverse the device using rule #2.

Note rule #2 may be covered by other rules like zone trust to zone untrust allow.
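The two-rule layout described in the accepted answer, written out as an added Junos example (not part of the original question or answers). It reuses the zone names and the SZ-Y-BFLY address set from the question; the host address HOST-NOPING (192.0.2.10/32, a documentation-range placeholder) and the policy name DENY-PING-MGMT-HOST are assumptions, and the `##` lines are explanatory, not configuration.

```junos
## Configuration mode. Rule #1: block ICMP from the source zone to one host.
## junos-icmp-all matches every ICMP type; use junos-ping instead if only
## echo-request/echo-reply should be blocked while unreachable and
## time-exceeded messages (PMTU discovery, traceroute) are left alone.
set security address-book global address HOST-NOPING 192.0.2.10/32
set security policies from-zone Y-BFLY to-zone MGMT-IN policy DENY-PING-MGMT-HOST match source-address SZ-Y-BFLY
set security policies from-zone Y-BFLY to-zone MGMT-IN policy DENY-PING-MGMT-HOST match destination-address HOST-NOPING
set security policies from-zone Y-BFLY to-zone MGMT-IN policy DENY-PING-MGMT-HOST match application junos-icmp-all
set security policies from-zone Y-BFLY to-zone MGMT-IN policy DENY-PING-MGMT-HOST then deny
## Log the denied sessions so the block is visible in the traffic log.
set security policies from-zone Y-BFLY to-zone MGMT-IN policy DENY-PING-MGMT-HOST then log session-init

## Rule #2: everything else from the same source is still permitted.
set security policies from-zone Y-BFLY to-zone MGMT-IN policy Y-BFLY-OUT match source-address SZ-Y-BFLY
set security policies from-zone Y-BFLY to-zone MGMT-IN policy Y-BFLY-OUT match destination-address any
set security policies from-zone Y-BFLY to-zone MGMT-IN policy Y-BFLY-OUT match application any
set security policies from-zone Y-BFLY to-zone MGMT-IN policy Y-BFLY-OUT then permit

## Order matters: the SRX uses the first policy that matches. If Y-BFLY-OUT
## already existed, a newly added deny policy lands after it and never matches,
## so move the deny policy ahead explicitly.
insert security policies from-zone Y-BFLY to-zone MGMT-IN policy DENY-PING-MGMT-HOST before policy Y-BFLY-OUT
commit check
commit

## Operational mode: the listing shows policies in evaluation order;
## DENY-PING-MGMT-HOST must appear above Y-BFLY-OUT.
show security policies from-zone Y-BFLY to-zone MGMT-IN
```

With `application any` in the permit rule, the deny rule is the only thing separating ICMP to that host from ordinary traffic, which is why its position has to be verified after every change to the policy set; if the zone pair already has a broader permit policy, as the last comment notes, the same `insert ... before` step applies against that policy name instead.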
