Solved

Disable ping between IP's - Juniper SRX

Posted on 2014-02-14
Medium Priority
889 Views
Last Modified: 2014-02-14
Hi Folks,

 
I would like a particular IP not to be pinged from other zones. So, just to make it simple, if I just specify source and destination with ping to deny, will it allow other services?

-----------------------------------------
set security policies from-zone Y-BFLY to-zone MGMT-IN policy Y-BFLY-OUT match source-address SZ-Y-BFLY
set security policies from-zone Y-BFLY to-zone MGMT-IN policy Y-BFLY-OUT match destination-address any
set security policies from-zone Y-BFLY to-zone MGMT-IN policy Y-BFLY-OUT match application junos-icmp-all
set security policies from-zone Y-BFLY to-zone MGMT-IN policy Y-BFLY-OUT then deny

Regards,

SID
Question by:infiniti7181
3 Comments
LVL 18

Accepted Solution

by:
Sanga Collins earned 2000 total points
ID: 39858981
Hi Sid, as long as you have a policy below the ones that block PING to allow other traffic, other services will run. Juniper processes policy in order so a block policy before an allow policy will take precedence.

Author Comment

by:infiniti7181
ID: 39859322
Hi,
Just to confirm what I typed in the command earlier:

Source A with Destination B with application ICMP to be denied. This means Source A with Destination B will allow other services. Correct me if I am wrong.

Thanks for your help and support.

Regards,
SID
LVL 18

Expert Comment

by:Sanga Collins
ID: 39859367
You need:
#1 source A to Destination B, ICMP deny.

and after that you still need:
#2 source A to destination B 'other traffic' allow

When an ICMP packet matching #1 hits the Juniper, it will be dropped. If it does not match #1, it will traverse the device using rule #2.

Note rule #2 may be covered by other rules like zone trust to zone untrust allow.
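Worked example added here (not part of the thread and not Juniper's code): a small Python model of the first-match policy walk that Sanga describes, using the zone, address-book and application names from the question. The second policy name Y-BFLY-ALLOW, the host name MGMT-HOST and the sample packets are constructed for illustration; the model also includes the SRX default-policy fallback (deny-all unless changed) so the "deny only" case shows why rule #2 is still needed.

```python
# Added example, not from the thread or from Juniper: a minimal model of how an
# SRX walks the security policies for one zone pair top to bottom and applies the
# first match. Zone, address-book and application names come from the question;
# the policy name Y-BFLY-ALLOW, the host name MGMT-HOST and the packets are
# constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    from_zone: str
    to_zone: str
    source: str        # address-book entry or "any"
    destination: str   # address-book entry or "any"
    application: str   # e.g. "junos-icmp-all", "junos-ssh", or "any"
    action: str        # "permit" or "deny"

    def matches(self, pkt):
        # Simplification: the packet carries the address-book names its
        # addresses resolve to, instead of raw IPs.
        return (self.from_zone == pkt["from_zone"]
                and self.to_zone == pkt["to_zone"]
                and self.source in ("any", pkt["source"])
                and self.destination in ("any", pkt["destination"])
                and self.application in ("any", pkt["application"]))


def evaluate(policies, pkt):
    """Return (action, policy name) of the first matching policy.

    With no match, an SRX falls back to its default policy, which is
    deny-all unless it has been changed; that fallback is modelled here.
    """
    for p in policies:
        if p.matches(pkt):
            return p.action, p.name
    return "deny", "default-policy"


def to_set_commands(policies):
    """Render the list as Junos 'set' statements in evaluation order."""
    out = []
    for p in policies:
        prefix = (f"set security policies from-zone {p.from_zone} "
                  f"to-zone {p.to_zone} policy {p.name}")
        out += [f"{prefix} match source-address {p.source}",
                f"{prefix} match destination-address {p.destination}",
                f"{prefix} match application {p.application}",
                f"{prefix} then {p.action}"]
    return out


# Rule #1 from the question: drop ICMP from the Y-BFLY address set.
DENY_ICMP = Policy("Y-BFLY-OUT", "Y-BFLY", "MGMT-IN",
                   "SZ-Y-BFLY", "any", "junos-icmp-all", "deny")
# Rule #2 from the accepted answer: permit everything else (name is constructed).
PERMIT_REST = Policy("Y-BFLY-ALLOW", "Y-BFLY", "MGMT-IN",
                     "SZ-Y-BFLY", "any", "any", "permit")

# Constructed sample traffic from a host in SZ-Y-BFLY to a management host.
PING = {"from_zone": "Y-BFLY", "to_zone": "MGMT-IN", "source": "SZ-Y-BFLY",
        "destination": "MGMT-HOST", "application": "junos-icmp-all"}
SSH = dict(PING, application="junos-ssh")


def ordered_correctly():
    """Deny above permit: ping dropped, SSH still allowed."""
    rules = [DENY_ICMP, PERMIT_REST]
    return evaluate(rules, PING), evaluate(rules, SSH)


def ordered_wrongly():
    """Permit above deny: the broad permit shadows the ICMP deny."""
    rules = [PERMIT_REST, DENY_ICMP]
    return evaluate(rules, PING), evaluate(rules, SSH)


def deny_only():
    """Only the deny policy configured: everything else hits default deny."""
    return evaluate([DENY_ICMP], PING), evaluate([DENY_ICMP], SSH)


if __name__ == "__main__":
    for label, fn in (("deny then permit", ordered_correctly),
                      ("permit then deny", ordered_wrongly),
                      ("deny only", deny_only)):
        print(label, fn())
    print("\n".join(to_set_commands([DENY_ICMP, PERMIT_REST])))
```

The "permit then deny" case is the one to watch for on a real box: a broad permit that already sits above the new deny policy silently shadows it. On Junos the order is changed with `insert security policies from-zone Y-BFLY to-zone MGMT-IN policy Y-BFLY-OUT before policy <permit-policy-name>` in configuration mode, and `show security policies from-zone Y-BFLY to-zone MGMT-IN` lists the policies in the order they are evaluated so the placement can be checked before commit.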
