Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

why deny policy doesn't stop the packet destined to MIP address

0

0

Article ID: KB7953 KB Last Updated: 22 Feb 2012Version: 4.0
Summary:

network topology:

Internet --- (untrust) FW (trust) ---- server

the following policy is configured

set policy from untrust to trust any any any deny

set policy from untrust any MIP(x.x.x.x) any permit

the traffic from internet could still reach the server even with the 'deny' policy configured on top of the MIP policy.

Symptoms:

This is by design.

the MIP belongs to the global zone. so the first policy will not match the packet that is sent to the MIP address.

Solution:

2 options

1) create another policy on top of the original MIP policy to deny the more specific service to reach the MIP, in this case

set policy from untrust to trust any MIP (x.x.x.x) <service or service group name> deny

2) create a global policy to deny the particular service and place it on top so the policy look up will match this policy before it hit the MIP policy

set policy top from untrust to global any any <service or service group name> deny

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search