Juniper SRX default action for zone pair with no explicit deny as a final policy?

amigan_99
If the last security policy in a zone pair on a Juniper SRX is a permit - is traffic between those zones still DENIED by default?
e.g. if the policy below was the last and only policy for the zone-pair - would all other traffic between those zones get denied?
-
set security policies from-zone trustzone to-zone trustzoneapp policy td-to-felinni01 match source-address td-edgenode01
set security policies from-zone trustzone to-zone trustzoneapp policy td-to-felinni01 match destination-address felinni01
set security policies from-zone trustzone to-zone trustzoneapp policy td-to-felinni01 match application tcp-21300
set security policies from-zone trustzone to-zone trustzoneapp policy td-to-felinni01 match application tcp-22217
set security policies from-zone trustzone to-zone trustzoneapp policy td-to-felinni01 then permit
Distinguished Expert 2018
Commented:
If the last security policy in a zone pair on a Juniper SRX is a permit - is traffic between those zones still DENIED by default?
Yes.
The default policy is deny all, but it is just not written explicitly. If a packet does not match any of the configured policies, it matches the default policy and is dropped. It is the same as with ACLs: an implicit deny is always present. If you don't want traffic to be dropped, you need to configure permit any as the last statement or change the default policy to permit any (which would defeat the purpose of the firewall implementation).

Just imagine that the last policy between any pair of zones is the following (it is just not explicitly written):

set security policies from-zone A to-zone B policy Default-Policy match source-address any
set security policies from-zone A to-zone B policy Default-Policy match destination-address any
set security policies from-zone A to-zone B policy Default-Policy then deny


additionally you can check which statement is matching specific traffic command is:

show security match-policies from-zone trustzone to-zone trustzoneapp source-ip <src-ip> destination-ip <dst-ip> source-port <x> destination-port <y> protocol <protocol>

Examples:
show security match-policies from-zone trust to-zone untrust source-ip 192.168.0.1 destination-ip 8.8.8.8 source-port 4000 destination-port 443 protocol tcp

Policy: trust-to-untrust, action-type: permit, State: enabled, Index: 4
0
  Policy Type: Configured
  Sequence number: 1
  From zone: trust, To zone: untrust
  Source addresses:
    any-ipv4(global): 0.0.0.0/0
    any-ipv6(global): ::/0
  Destination addresses:
    any-ipv4(global): 0.0.0.0/0
    any-ipv6(global): ::/0
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
      Source port range: [0-0]
      Destination port range: [0-0]
  Per policy TCP Options: SYN check: No, SEQ check: No

Example of traffic that matches the default policy:

show security match-policies from-zone SERVER to-zone junos-host source-ip 192.168.0.1 destination-ip 10.0.10.1 source-port 4000 destination-port 443 protocol tcp

Policy: Default-Policy, action-type: deny-all, State: enabled, Index: 2
  Sequence number: 2
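As an added illustration of the first-match-then-implicit-deny behaviour described in the answer above (example code, not from the thread or from Juniper): a small Python model that parses the question's own `set security policies` lines and evaluates a flow against them in configuration order, falling through to a Default-Policy deny when nothing matches. The address-book prefixes and the `match_policy` helper are constructed assumptions for the example.

```python
import ipaddress
import re
# Constructed address book for this example (assumption): address-book name -> prefix.
ADDRESS_BOOK = {
    "td-edgenode01": "10.1.1.10/32",
    "felinni01": "10.2.2.20/32",
    "any": "0.0.0.0/0",
}
# The question's own policy, embedded here as a constructed config snippet.
CONFIG = """
set security policies from-zone trustzone to-zone trustzoneapp policy td-to-felinni01 match source-address td-edgenode01
set security policies from-zone trustzone to-zone trustzoneapp policy td-to-felinni01 match destination-address felinni01
set security policies from-zone trustzone to-zone trustzoneapp policy td-to-felinni01 match application tcp-21300
set security policies from-zone trustzone to-zone trustzoneapp policy td-to-felinni01 match application tcp-22217
set security policies from-zone trustzone to-zone trustzoneapp policy td-to-felinni01 then permit
"""
SET_RE = re.compile(
    r"set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
    r"(?:match (source-address|destination-address|application) (\S+)|then (permit|deny))$"
)

def parse_policies(config_text):
    """Group 'set security policies' lines into policies, keeping configuration order."""
    policies = {}
    for line in config_text.strip().splitlines():
        m = SET_RE.match(line.strip())
        if not m:
            continue
        from_zone, to_zone, name, match_field, value, action = m.groups()
        p = policies.setdefault((from_zone, to_zone, name), {
            "name": name, "from": from_zone, "to": to_zone, "action": None,
            "source-address": set(), "destination-address": set(), "application": set()})
        if action:
            p["action"] = action
        else:
            p[match_field].add(value)
    return list(policies.values())  # dicts preserve insertion order, i.e. evaluation order

def _in_book(ip, names):
    # True if the IP falls inside any of the named address-book entries.
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(ADDRESS_BOOK[n]) for n in names)

def match_policy(policies, from_zone, to_zone, src_ip, dst_ip, app):
    """First matching policy wins; otherwise the implicit Default-Policy (not in the config) denies."""
    for p in policies:
        if ((p["from"], p["to"]) == (from_zone, to_zone)
                and _in_book(src_ip, p["source-address"])
                and _in_book(dst_ip, p["destination-address"])
                and (app in p["application"] or "any" in p["application"])):
            return p["name"], p["action"]
    return "Default-Policy", "deny"
```

A flow from td-edgenode01 to felinni01 on tcp-21300 returns the permit policy; the same hosts on any other application, or any other source host, return ("Default-Policy", "deny") even though no deny is configured.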
amigan_99, Network Engineer (Author)

Commented:
This is a most excellent solution because you go on to the next logical point. That is, if you don't have an explicit deny at the end of your policy, you aren't logging the denies. So then if someone complains about not being able to get from x to y, how can you know? And you put in the "show security match-policies" command, which answers precisely that.

Most of the zone pairs in these firewalls I inherited have explicit denies at the end. Just one or two do not and I always turn to logging to determine whether the firewall is blocking or not.

THANK YOU
Distinguished Expert 2018

Commented:
You're welcome.
