?
Solved

Disable ping between IP's - Juniper SRX

Posted on 2014-02-14
3
Medium Priority
?
854 Views
Last Modified: 2014-02-14
Hi Folks,

 
I would like to a partcular ip not to be pinged by other zones . So just to make it simple, if i just say source and destination with ping to deny, will it allow other services

-----------------------------------------
set security policies from-zone Y-BFLY to-zone MGMT-IN policy Y-BFLY-OUT match source-address SZ-Y-BFLY
set security policies from-zone Y-BFLY to-zone MGMT-IN policy Y-BFLY-OUT match destination-address any
set security policies from-zone Y-BFLY to-zone MGMT-IN policy Y-BFLY-OUT match application junos-icmp-all
set security policies from-zone Y-BFLY to-zone MGMT-IN policy Y-BFLY-OUT then deny

Regards,

SID
0
Comment
Question by:infiniti7181
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 18

Accepted Solution

by:
Sanga Collins earned 2000 total points
ID: 39858981
Hi Sid, as long as you have a policy below the ones that block PING to allow other traffic, other services will run. Juniper processes policy in order so a block policy before an allow policy will take precedence.
0
 

Author Comment

by:infiniti7181
ID: 39859322
Hi,
Just to confirm what i typed the command earlier

Source A with Desitnation B with application ICMP to be denied . This means Source A with Destination  B will allow other services . Correct me if i am wrong.

Thanks for your help and support.

Regards,
SID
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 39859367
You need:
#1 source A to Destination B, ICMP deny.

and after that you still need:
#2 source A to destination B 'other traffic' allow

when and ICMP packet matching #1 hits the juniper it will be dropped. If it does not match #1, it will traverse the device using rule #2

Note rule #2 may be covered by other rules like zone trust to zone untrust allow.
0

Featured Post

NFR key for Veeam Agent for Linux

Veeam is happy to provide a free NFR license for one year.  It allows for the non‑production use and valid for five workstations and two servers. Veeam Agent for Linux is a simple backup tool for your Linux installations, both on‑premises and in the public cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

How to set-up an On Demand, IPSec, Site to SIte, VPN from a Draytek Vigor Router to a Cyberoam UTM Appliance. A concise guide to the settings required on both devices
Arrow Electronics was searching for a KVM  (Keyboard/Video/Mouse) switch that could display on one single monitor the current status of all units being tested on the rack.
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question