This article describes the security policy lookup behavior for traffic terminated on loopback interface.
Traffic is dropped when attempting to communicate to the SRX via loopback interface.
When the SRX receives host-inbound traffic destined to the loopback interface IP, the traffic traverses from the ingress interface to the loopback interface. Because of this flow, two policy lookups are performed, and each requires a security policy that allows the traffic:
- Ingress interface zone --> Loopback zone
- Loopback zone --> junos-host
The following examples show the policy lookup behavior for host-bound traffic under various configurations. IPSec traffic was used here.
SRX as VPN Initiator
Traffic generated from SRX is allowed by default using "self-traffic-policy":
Jun 22 13:54:57 13:54:56.998719:CID-0:RT: routed (x_dst_ip 2.2.2.2) from junos-host (.local..0 in 0) to ge-0/0/2.0, Next-hop: 10.10.10.2
Jun 22 13:54:57 13:54:56.998719:CID-0:RT:flow_first_policy_search: policy search from zone junos-host-> zone untrust (0x0,0x1f401f4,0x1f4)
Jun 22 13:54:57 13:54:56.998719:CID-0:RT:Policy lkup: vsys 0 zone(2:junos-host) -> zone(6:untrust) scope:0
Jun 22 13:54:57 13:54:56.998719:CID-0:RT: 1.1.1.1/500 -> 2.2.2.2/500 proto 17
Jun 22 13:54:57 13:54:56.998719:CID-0:RT: app 54, timeout 60s, curr ageout 60s
Jun 22 13:54:57 13:54:56.998719:CID-0:RT: permitted by policy self-traffic-policy(1)
Jun 22 13:54:57 13:54:56.998719:CID-0:RT: packet passed, Permitted by policy.
Note: If traffic to or from the box needs to be blocked, a policy can be created from or to the "junos-host" zone. For example, the following policy denies all traffic to junos-host. Even though lo0 is part of the untrust zone, a second policy lookup is performed before the traffic is allowed to reach the RE. If an explicit policy denies the packet, it is dropped during that second lookup, as shown below:
set security policies from-zone untrust to-zone junos-host policy untrust-to-junos match source-address any
set security policies from-zone untrust to-zone junos-host policy untrust-to-junos match destination-address any
set security policies from-zone untrust to-zone junos-host policy untrust-to-junos match application any
set security policies from-zone untrust to-zone junos-host policy untrust-to-junos then deny
Jun 22 16:23:24 16:23:24.644809:CID-0:RT: routed (x_dst_ip 1.1.1.1) from untrust (lo0.1 in 0) to .local..0, Next-hop: 1.1.1.1
Jun 22 16:23:24 16:23:24.644809:CID-0:RT:flow_first_policy_search: policy search from zone untrust-> zone junos-host (0x0,0x1f401f4,0x1f4)
Jun 22 16:23:24 16:23:24.644809:CID-0:RT:Policy lkup: vsys 0 zone(6:untrust) -> zone(2:junos-host) scope:0
Jun 22 16:23:24 16:23:24.644809:CID-0:RT: 2.2.2.2/500 -> 1.1.1.1/500 proto 17
Jun 22 16:23:24 16:23:24.645300:CID-0:RT: app 54, timeout 60s, curr ageout 60s
Jun 22 16:23:24 16:23:24.645300:CID-0:RT: packet dropped, denied by policy
Jun 22 16:23:24 16:23:24.645300:CID-0:RT: denied by policy untrust-to-junos(7), dropping pkt
Jun 22 16:23:24 16:23:24.645300:CID-0:RT: packet dropped, policy deny.
SRX as Responder
VPN Egress Interface = lo0.1
Physical Egress Interface = ge-0/0/1.0
ge-0/0/1 and lo0 are part of the same security zone "untrust":
set security zones security-zone untrust interfaces ge-0/0/1.0
set security zones security-zone untrust interfaces lo0.1
set security policies from-zone untrust to-zone untrust policy untrust-to-untrust match source-address any
set security policies from-zone untrust to-zone untrust policy untrust-to-untrust match destination-address any
set security policies from-zone untrust to-zone untrust policy untrust-to-untrust match application any
set security policies from-zone untrust to-zone untrust policy untrust-to-untrust then permit
First policy lookup from untrust to untrust:
Jun 22 13:59:21 13:59:21.038488:CID-0:RT: routed (x_dst_ip 1.1.1.1) from untrust (ge-0/0/2.0 in 0) to lo0.1, Next-hop: 1.1.1.1
Jun 22 13:59:21 13:59:21.038488:CID-0:RT:flow_first_policy_search: policy search from zone untrust-> zone untrust (0x0,0x1f401f4,0x1f4)
Jun 22 13:59:21 13:59:21.038488:CID-0:RT:Policy lkup: vsys 0 zone(6:untrust) -> zone(6:untrust) scope:0
Jun 22 13:59:21 13:59:21.038488:CID-0:RT: 2.2.2.2/500 -> 1.1.1.1/500 proto 17
Jun 22 13:59:21 13:59:21.038488:CID-0:RT: app 54, timeout 60s, curr ageout 60s
Jun 22 13:59:21 13:59:21.038488:CID-0:RT: permitted by policy untrust-to-untrust(6)
Jun 22 13:59:21 13:59:21.038488:CID-0:RT: packet passed, Permitted by policy.
Second policy lookup from untrust to junos-host
Jun 22 13:59:21 13:59:21.038983:CID-0:RT: routed (x_dst_ip 1.1.1.1) from untrust (lo0.1 in 0) to .local..0, Next-hop: 1.1.1.1
Jun 22 13:59:21 13:59:21.038983:CID-0:RT:flow_first_policy_search: policy search from zone untrust-> zone junos-host (0x0,0x1f401f4,0x1f4)
Jun 22 13:59:21 13:59:21.038983:CID-0:RT:Policy lkup: vsys 0 zone(6:untrust) -> zone(2:junos-host) scope:0
Jun 22 13:59:21 13:59:21.038983:CID-0:RT: 2.2.2.2/500 -> 1.1.1.1/500 proto 17
Jun 22 13:59:21 13:59:21.038983:CID-0:RT: app 54, timeout 60s, curr ageout 60s
Jun 22 13:59:21 13:59:21.038983:CID-0:RT: permitted by policy self-traffic-policy(1)
Jun 22 13:59:21 13:59:21.038983:CID-0:RT: packet passed, Permitted by policy.
Restricting inbound traffic via policies
You may use an explicit policy to deny host-bound traffic from one zone to another zone, or use global policies to deny the traffic.
Zone-based policies take precedence over global policies.
Example:
Use of a global deny policy, with no explicit policy configured from the untrust zone to the untrust zone:
set security policies global policy global_deny match source-address any
set security policies global policy global_deny match destination-address any
set security policies global policy global_deny match application any
set security policies global policy global_deny then deny
Jun 22 14:03:30 14:03:30.316873:CID-0:RT:flow_first_policy_search: policy search from zone untrust-> zone intrust (0x0,0x1f401f4,0x1f4)
Jun 22 14:03:30 14:03:30.316873:CID-0:RT:Policy lkup: vsys 0 zone(6:untrust) -> zone(6:untrust) scope:0
Jun 22 14:03:30 14:03:30.316873:CID-0:RT: 2.2.2.2/500 -> 1.1.1.1/500 proto 17
Jun 22 14:03:30 14:03:30.316873:CID-0:RT:Policy lkup: vsys 0 zone(5:Unknown) -> zone(5:Unknown) scope:0
Jun 22 14:03:30 14:03:30.317249:CID-0:RT: 2.2.2.2/500 -> 1.1.1.1/500 proto 17
Jun 22 14:03:30 14:03:30.317249:CID-0:RT: app 54, timeout 60s, curr ageout 60s
Jun 22 14:03:30 14:03:30.317249:CID-0:RT: packet dropped, denied by policy
Jun 22 14:03:30 14:03:30.317249:CID-0:RT: denied by policy global_deny(7), dropping pkt
Jun 22 14:03:30 14:03:30.317249:CID-0:RT: packet dropped, policy deny
Default Deny
SRX devices, by default, deny all traffic; explicit zone-based or global policies are required to allow it.
If no explicit policy allows the traffic, the policy lookup fails and the packet is dropped:
Jun 22 14:09:43 14:09:43.500445:CID-0:RT: routed (x_dst_ip 1.1.1.1) from untrust (ge-0/0/2.0 in 0) to lo0.1, Next-hop: 1.1.1.1
Jun 22 14:09:43 14:09:43.500445:CID-0:RT:flow_first_policy_search: policy search from zone untrust-> zone vpn (0x0,0x1f401f4,0x1f4)
Jun 22 14:09:43 14:09:43.500445:CID-0:RT:Policy lkup: vsys 0 zone(6:untrust) -> zone(10:vpn) scope:0
Jun 22 14:09:43 14:09:43.500445:CID-0:RT: 2.2.2.2/500 -> 1.1.1.1/500 proto 17
Jun 22 14:09:43 14:09:43.500445:CID-0:RT:Policy lkup: vsys 0 zone(5:Unknown) -> zone(5:Unknown) scope:0
Jun 22 14:09:43 14:09:43.500445:CID-0:RT: 2.2.2.2/500 -> 1.1.1.1/500 proto 17
Jun 22 14:09:43 14:09:43.500445:CID-0:RT: app 54, timeout 60s, curr ageout 60s
Jun 22 14:09:43 14:09:43.500445:CID-0:RT: packet dropped, denied by policy
Jun 22 14:09:43 14:09:43.500939:CID-0:RT: denied by policy default-policy-00(2), dropping pkt
Jun 22 14:09:43 14:09:43.500939:CID-0:RT: packet dropped, policy deny.
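As an added example (not part of the original article or of Junos itself), the following Python script reads flow trace lines of the form shown in the responder, global-deny and default-deny sections above, splits them into the individual policy lookups and reports which lookup dropped the host-bound traffic and whether a zone policy or a global policy (the zone(5:Unknown) fallback) did it. The regular expressions are written against the trace lines in this article; the embedded sample is a constructed, trimmed copy of the default-deny trace above.

```python
import re
from dataclasses import dataclass

RE_SEARCH = re.compile(r"policy search from zone (\S+)-> zone (\S+)")
RE_LKUP = re.compile(r"Policy lkup: vsys \d+ zone\(\d+:(\S+)\) -> zone\(\d+:(\S+)\)")
RE_PERMIT = re.compile(r"permitted by policy (\S+)\(\d+\)")
RE_DENY = re.compile(r"denied by policy (\S+)\(\d+\), dropping pkt")

@dataclass
class Lookup:
    from_zone: str
    to_zone: str
    verdict: str = "unknown"       # "permit", "deny" or "unknown" (trace truncated)
    policy: str = ""
    global_fallback: bool = False  # zone(5:Unknown) seen: no zone-pair policy matched

def parse_lookups(trace: str) -> list[Lookup]:
    # Each flow_first_policy_search line opens one lookup; the lines after it describe it.
    lookups, cur = [], None
    for line in trace.splitlines():
        if m := RE_SEARCH.search(line):
            cur = Lookup(m.group(1), m.group(2))
            lookups.append(cur)
        elif cur and (m := RE_LKUP.search(line)) and m.group(1) == "Unknown":
            cur.global_fallback = True   # zone-pair search failed, global policies consulted
        elif cur and (m := RE_PERMIT.search(line)):
            cur.verdict, cur.policy = "permit", m.group(1)
        elif cur and (m := RE_DENY.search(line)):
            cur.verdict, cur.policy = "deny", m.group(1)
    return lookups

def diagnose(trace: str) -> str:
    # Report which lookup dropped host-bound traffic and whether a zone or global policy did it.
    lookups = parse_lookups(trace)
    if not lookups:
        return "no policy lookup in trace"
    for n, lk in enumerate(lookups, 1):
        if lk.verdict == "deny":
            kind = "global policy" if lk.global_fallback else "zone policy"
            return f"dropped at lookup {n} ({lk.from_zone} -> {lk.to_zone}) by {kind} {lk.policy}"
    last = lookups[-1]
    note = "" if "junos-host" in (last.from_zone, last.to_zone) else "; no junos-host lookup recorded"
    return f"permitted after {len(lookups)} lookup(s), last policy {last.policy}{note}"

# Constructed sample: the article's default-deny trace, trimmed to the lines the parser uses.
SAMPLE = """\
CID-0:RT:flow_first_policy_search: policy search from zone untrust-> zone vpn (0x0,0x1f401f4,0x1f4)
CID-0:RT:Policy lkup: vsys 0 zone(5:Unknown) -> zone(5:Unknown) scope:0
CID-0:RT: denied by policy default-policy-00(2), dropping pkt
"""
```

Run diagnose() over the output of a flow traceoptions capture for the dropped session; a result naming lookup 2 points at a missing or denying policy toward junos-host, while lookup 1 points at the ingress-zone to loopback-zone pair.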
Reference Configuration
set security ike policy ike-pol mode main
set security ike policy ike-pol proposal-set standard
set security ike policy ike-pol pre-shared-key ascii-text "$9$Z9DH.QF/0BEP5BEcyW8ZUj"
set security ike gateway ike-gw ike-policy ike-pol
set security ike gateway ike-gw address 1.1.1.1
set security ike gateway ike-gw dead-peer-detection
set security ike gateway ike-gw external-interface lo0.1
set security ike gateway ike-gw version v1-only
set security ipsec policy vpn-policy perfect-forward-secrecy keys group2
set security ipsec policy vpn-policy proposal-set standard
set security ipsec vpn ipsec-vpn bind-interface st0.1
set security ipsec vpn ipsec-vpn ike gateway ike-gw
set security ipsec vpn ipsec-vpn ike ipsec-policy vpn-policy