Category: policies

Global policy count in SRX

As far as I know there is no single command to enable the policy count option globally, but you can do it via a group statement. Be aware that policy count is a performance-affecting feature, so think twice if your traffic volume is high. Here is how we can do it: groups { policy_count {
Read More »

SRX for beginners

I was thinking whether I should write a short article for beginners to quickly configure an SRX firewall. I don’t know how many people will find it useful, but I hope it will be for those who use SRX for the first time in their life. Let’s get started. Our topology in this tutorial is
Read More »

Bypassing flow daemon in SRX

Under normal circumstances, if you have a policy from the trust zone to the transit zone in a network like the one in the diagram and you generate traffic, packets have to be processed by the flow daemon, after which a session is created. What if you want to bypass this daemon and only use packet mode for
Read More »

allow traceroute in SRX or not

If you have a restrictive policy enforced for your internal clients but you want to allow traceroute requests from your internal clients towards another network, you can do it as follows, I suppose. You can create the following application and apply it in your security policy. [edit applications] root@srx100-1# application custom-traceroute {
Read More »

some things about policies/sessions

1) An ICMP packet occupies a session entry in SRX. 2) There is an intra-zone policy applied by default, so packets belonging to the same zone but arriving on different interfaces cannot traverse unless there is an intra-zone policy permitting them. 3) If the policy doesn’t allow a packet, it cannot be seen in monitor traffic
Read More »