Consider the following policy:
security {
policies {
from-zone untrust to-zone junos-host {
policy pub-ping {
match {
source-address any;
destination-address any;
application junos-icmp-ping;
}
then {
permit;
}
}
}
}
}
Security policy details:
Policy: pub-ping, action-type: permit, State: enabled, Index: 20, Scope Policy: 0
Policy Type: Configured
Sequence number: 1
From zone: untrust, To zone: junos-host
Source addresses:
any-ipv4: 0.0.0.0/0
any-ipv6: ::/0
Destination addresses:
any-ipv4(global): 0.0.0.0/0
any-ipv6(global): ::/0
Application: junos-icmp-ping
IP protocol: icmp, ALG: 0, Inactivity timeout: 60
ICMP Information: type=8, code=0
Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No
When using match-policies in Junos for ICMP, the source-port argument carries the ICMP type and code rather than a transport port: the type sits in the high byte and the code in the low byte. The junos-icmp-ping application is type=8, code=0 (as the policy detail above shows), so a match is only found when the source-port is 2048 (0x0800, i.e. 8 << 8 | 0). Any other source-port value falls through to whatever policy matches next. The command still requires a destination-port; the examples below use 1234, and that value has no effect on the ICMP match.
Example matching for source-port 2049 (or any source-port other than 2048):
spiderpig@vsrx-lab> show security match-policies from-zone untrust to-zone junos-host source-ip 1.2.3.4 destination-ip 3.4.5.6 source-port 2049 destination-port 1234 protocol icmp
Policy: deny-all, action-type: deny, State: enabled, Index: 19, Scope Policy: 0
Policy Type: Configured
Sequence number: 4
From zone: untrust, To zone: junos-host
Source addresses:
any-ipv4: 0.0.0.0/0
any-ipv6: ::/0
Destination addresses:
any-ipv4(global): 0.0.0.0/0
any-ipv6(global): ::/0
Application: any
IP protocol: 0, ALG: 0, Inactivity timeout: 0
Source port range: [0-0]
Destination port range: [0-0]
Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No
The above result matches deny-all, the last policy in the sequence (sequence number 4), not pub-ping, the policy permitting ICMP ping.
Example matching for source-port 2048:
spiderpig@vsrx-lab> show security match-policies from-zone untrust to-zone junos-host source-ip 1.2.3.4 destination-ip 3.4.5.6 source-port 2048 destination-port 1234 protocol icmp
Policy: pub-ping, action-type: permit, State: enabled, Index: 20, Scope Policy: 0
Policy Type: Configured
Sequence number: 1
From zone: untrust, To zone: junos-host
Source addresses:
any-ipv4: 0.0.0.0/0
any-ipv6: ::/0
Destination addresses:
any-ipv4(global): 0.0.0.0/0
any-ipv6(global): ::/0
Application: junos-icmp-ping
IP protocol: icmp, ALG: 0, Inactivity timeout: 60
ICMP Information: type=8, code=0
Per policy TCP Options: SYN check: No, SEQ check: No, Window scale: No
The above example matches pub-ping, the policy permitting ICMP ping.
Junos version: 18.3R1.9
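The following helper is an added example and is not code from the original page or from Juniper. It encodes an ICMP type/code pair into the source-port value that match-policies expects (the type-in-high-byte, code-in-low-byte encoding derived from the 2048 result above), builds the CLI command, and parses the command's output to tell a permit for the intended ICMP type from a fall-through to deny-all. The sample outputs embedded below are constructed from the two runs on this page, reduced to the lines the parser reads; the function names, the 1234 default for destination-port, and the expect_permit check are this example's own choices.

```python
"""Drive `show security match-policies` for ICMP on an SRX and check the result.

Added example, not part of the original page. Assumption (derived from the
page's output): match-policies expects source-port = ICMP type << 8 | code,
so junos-icmp-ping (type=8, code=0) needs source-port 2048.
"""
import re
from typing import NamedTuple, Optional, Tuple


def icmp_port(icmp_type: int, icmp_code: int) -> int:
    """Encode an ICMP type/code pair as the 16-bit value match-policies reads from source-port."""
    if not (0 <= icmp_type <= 255 and 0 <= icmp_code <= 255):
        raise ValueError("ICMP type and code are single bytes")
    return (icmp_type << 8) | icmp_code


def decode_icmp_port(port: int) -> Tuple[int, int]:
    """Reverse of icmp_port: split a 16-bit value back into (type, code)."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port must fit in 16 bits")
    return port >> 8, port & 0xFF


def match_policies_cmd(from_zone: str, to_zone: str, src_ip: str, dst_ip: str,
                       icmp_type: int, icmp_code: int, dst_port: int = 1234) -> str:
    """Build the operational-mode command for an ICMP lookup.

    destination-port is a mandatory argument of the command but does not
    influence the ICMP match; 1234 is the value used in the page's examples.
    """
    return (
        f"show security match-policies from-zone {from_zone} to-zone {to_zone} "
        f"source-ip {src_ip} destination-ip {dst_ip} "
        f"source-port {icmp_port(icmp_type, icmp_code)} destination-port {dst_port} protocol icmp"
    )


class MatchResult(NamedTuple):
    policy: str
    action: str
    application: str
    icmp: Optional[Tuple[int, int]]  # (type, code) when the matched policy is ICMP-specific


_POLICY_RE = re.compile(r"^Policy:\s*(?P<name>[^,\s]+),\s*action-type:\s*(?P<action>[^,\s]+)", re.M)
_APP_RE = re.compile(r"^Application:\s*(?P<app>\S+)", re.M)
_ICMP_RE = re.compile(r"^ICMP Information:\s*type=(?P<type>\d+),\s*code=(?P<code>\d+)", re.M)


def parse_match_policies(output: str) -> MatchResult:
    """Extract the matched policy, its action, application and (if present) ICMP type/code."""
    m = _POLICY_RE.search(output)
    if m is None:
        raise ValueError("no 'Policy:' line in match-policies output")
    app = _APP_RE.search(output)
    icmp = _ICMP_RE.search(output)
    return MatchResult(
        policy=m["name"],
        action=m["action"],
        application=app["app"] if app else "",
        icmp=(int(icmp["type"]), int(icmp["code"])) if icmp else None,
    )


def expect_permit(output: str, icmp_type: int, icmp_code: int) -> bool:
    """True only if the matched policy permits and, when ICMP-specific, is for this type/code."""
    r = parse_match_policies(output)
    if r.action != "permit":
        return False
    return r.icmp is None or r.icmp == (icmp_type, icmp_code)


# Constructed sample outputs, cut down from the page's two runs to the lines parsed above.
OUTPUT_2049 = """Policy: deny-all, action-type: deny, State: enabled, Index: 19, Scope Policy: 0
Policy Type: Configured
Sequence number: 4
Application: any
IP protocol: 0, ALG: 0, Inactivity timeout: 0
"""
OUTPUT_2048 = """Policy: pub-ping, action-type: permit, State: enabled, Index: 20, Scope Policy: 0
Policy Type: Configured
Sequence number: 1
Application: junos-icmp-ping
IP protocol: icmp, ALG: 0, Inactivity timeout: 60
ICMP Information: type=8, code=0
"""

if __name__ == "__main__":
    print(match_policies_cmd("untrust", "junos-host", "1.2.3.4", "3.4.5.6", 8, 0))
    print(parse_match_policies(OUTPUT_2048))
    print(expect_permit(OUTPUT_2048, 8, 0), expect_permit(OUTPUT_2049, 8, 0))
```

Feed the command string to the device (for example over NETCONF or a scripted SSH session) and pass the text it returns to expect_permit; a False on a policy you believed permitted ping usually means the lookup was run with a source-port that does not encode the intended type/code, as the 2049 run above demonstrates.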