Juniper SRX default action for zone pair with no explicit deny as a final policy?

If the last security policy in a zone pair on a Juniper SRX is a permit - is traffic between those zones still DENIED by default?
e.g. if the policy below was the last and only policy for the zone-pair - would all other traffic between those zones get denied?
set security policies from-zone trustzone to-zone trustzoneapp policy td-to-felinni01 match source-address td-edgenode01
set security policies from-zone trustzone to-zone trustzoneapp policy td-to-felinni01 match destination-address felinni01
set security policies from-zone trustzone to-zone trustzoneapp policy td-to-felinni01 match application tcp-21300
set security policies from-zone trustzone to-zone trustzoneapp policy td-to-felinni01 match application tcp-22217
set security policies from-zone trustzone to-zone trustzoneapp policy td-to-felinni01 then permit
amigan_99 (Network Engineer) asked:

JustInCase commented:
If the last security policy in a zone pair on a Juniper SRX is a permit - is traffic between those zones still DENIED by default?
Yes.
The default policy is deny all, but it is just not written explicitly. If a packet did not match any of the configured policies it will match the default policy and will be dropped. It is the same as with ACLs: an implicit deny is always present. If you don't want traffic to be dropped you need to configure permit any as the last statement or change the default policy to permit any (it would defeat the purpose of the firewall implementation).

Just imagine that the last policy between any two zones is the following (it is just not explicitly written):

set security policies from-zone A to-zone B policy Default-Policy match source-address any
set security policies from-zone A to-zone B policy Default-Policy match destination-address any
set security policies from-zone A to-zone B policy Default-Policy then deny


Additionally, you can check which statement is matching specific traffic; the command is:

show security match-policies from-zone trustzone to-zone trustzoneapp source-ip <src-ip> destination-ip <dst-ip> source-port <x> destination-port <y> protocol <protocol>

Examples:
show security match-policies from-zone trust to-zone untrust source-ip 192.168.0.1 destination-ip 8.8.8.8 source-port 4000 destination-port 443 protocol tcp

Policy: trust-to-untrust, action-type: permit, State: enabled, Index: 4
  Policy Type: Configured
  Sequence number: 1
  From zone: trust, To zone: untrust
  Source addresses:
    any-ipv4(global): 0.0.0.0/0
    any-ipv6(global): ::/0
  Destination addresses:
    any-ipv4(global): 0.0.0.0/0
    any-ipv6(global): ::/0
  Application: any
    IP protocol: 0, ALG: 0, Inactivity timeout: 0
      Source port range: [0-0]
      Destination port range: [0-0]
  Per policy TCP Options: SYN check: No, SEQ check: No

Example of traffic that matches the default policy:

show security match-policies from-zone SERVER to-zone junos-host source-ip 192.168.0.1 destination-ip 10.0.10.1 source-port 4000 destination-port 443 protocol tcp

Policy: Default-Policy, action-type: deny-all, State: enabled, Index: 2
  Sequence number: 2
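An added example, not part of the original thread, that turns the implicit Default-Policy for the asker's zone pair into an explicit final deny that is counted and logged, so blocked sessions become visible without changing what is blocked. Zone and policy names come from the question; the policy name deny-all-log, the IP addresses in the verification command, and an already configured security log destination are assumptions, and the `#` lines are annotations for the reader, not CLI input.

```junos
# Explicit final policy for trustzone -> trustzoneapp: same effect as the
# implicit Default-Policy, but every denied session is counted and logged.
set security policies from-zone trustzone to-zone trustzoneapp policy deny-all-log match source-address any
set security policies from-zone trustzone to-zone trustzoneapp policy deny-all-log match destination-address any
set security policies from-zone trustzone to-zone trustzoneapp policy deny-all-log match application any
set security policies from-zone trustzone to-zone trustzoneapp policy deny-all-log then deny
# session-init is what records a deny: a denied session never reaches session-close.
set security policies from-zone trustzone to-zone trustzoneapp policy deny-all-log then log session-init
set security policies from-zone trustzone to-zone trustzoneapp policy deny-all-log then count

# A new policy is appended last; if it ever lands above the permit, move it back below.
insert security policies from-zone trustzone to-zone trustzoneapp policy deny-all-log after policy td-to-felinni01

# Keep the box-wide default at deny (the factory setting) so zone pairs with no policies stay closed.
set security policies default-policy deny-all

commit check
commit comment "explicit logged deny for trustzone to trustzoneapp"

# Verify: a flow outside tcp-21300/tcp-22217 should now match deny-all-log, not Default-Policy.
# 10.0.0.11 and 10.0.1.21 are constructed stand-ins for td-edgenode01 and felinni01.
run show security match-policies from-zone trustzone to-zone trustzoneapp source-ip 10.0.0.11 destination-ip 10.0.1.21 source-port 40000 destination-port 22 protocol tcp
run show security policies hit-count from-zone trustzone to-zone trustzoneapp
```

The hit-count output shows whether deny-all-log is absorbing traffic at all, and the session-init log entries name the source, destination and port of each blocked attempt.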
amigan_99 (Network Engineer, author) commented:
This is a most excellent solution because you go on to the next logical point. That is, if you don't have an explicit deny at the end of your policy you aren't logging the denies. So then if someone complains about not being able to get from x to y, how can you know? And you put in the "show security match-policies" which answers precisely that.

Most of the zone pairs in these firewalls I inherited have explicit denies at the end. Just one or two do not and I always turn to logging to determine whether the firewall is blocking or not.

THANK YOU
JustInCase commented:
You're welcome.