Unlike standard SRX security policies (security policies from-zone x to-zone y), which end in a default, implicit deny,
the policies under security policies from-zone x to-zone junos-host (for traffic toward the device itself) end in a default, implicit permit.
I noticed this while looking at the logs on mr1-codfw:
SNMPD_AUTH_FAILURE: nsa_log_community: unauthorized SNMP community from 52.73.169.169 to 208.80.153.196 (public)
Zone junos-host is only used on the mgmt routers (mr1*) and not on the payment firewalls.
We need to add:
[edit applications application icmp-app1] term t1 { ... } + term t2 protocol icmp6; [edit security policies from-zone untrust to-zone junos-host] policy any--traceroute { ... } + /* T218234 - to-zone junos-host has an implicit default permit */ + policy default-deny { + match { + source-address any; + destination-address any; + application any; + } + then { + deny; + } + }
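Review bot: the new default-deny policy denies without logging, so during the commit confirmed rollout there is nothing in the logs to show which legitimate traffic, if any, it is dropping; adding `log { session-init; }` (and optionally `count`) under `then` alongside `deny` would make denied sessions toward junos-host visible while each router is being watched. The placement is right: the SRX evaluates policies in order within a context, so default-deny must stay the last policy after any--traceroute, and the icmp6 term added to icmp-app1 keeps IPv6 traceroute permitted ahead of it. The same terminal deny-all is needed in every other from-zone x to-zone junos-host context on the mr1 routers, since the implicit permit applies per context and this diff only covers from-zone untrust.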
Roll it out progressively, one router at a time, with commit confirmed to ensure no legitimate traffic is being blocked.
This was not caught by diffscan, as the external security zone only hosts an IP outside our ranges (OOB).
No service other than SNMP has been wrongly exposed.
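To find every from-zone x to-zone junos-host context that still relies on the implicit permit described above, here is an added audit script (not part of this task or of any Wikimedia tooling) that parses `show configuration | display set` style output and reports the contexts whose last policy is not an explicit deny-all; the sample configuration, including the trust zone, the mgmt-net address and the mgmt-ssh policy, is constructed for the example.

```python
import re
from collections import OrderedDict

# Constructed "display set" style sample (not from any real router): the untrust context
# ends in an explicit deny-all, while the trust context still relies on the implicit permit.
SAMPLE_CONFIG = """
set security policies from-zone untrust to-zone junos-host policy any--traceroute match source-address any
set security policies from-zone untrust to-zone junos-host policy any--traceroute match destination-address any
set security policies from-zone untrust to-zone junos-host policy any--traceroute match application icmp-app1
set security policies from-zone untrust to-zone junos-host policy any--traceroute then permit
set security policies from-zone untrust to-zone junos-host policy default-deny match source-address any
set security policies from-zone untrust to-zone junos-host policy default-deny match destination-address any
set security policies from-zone untrust to-zone junos-host policy default-deny match application any
set security policies from-zone untrust to-zone junos-host policy default-deny then deny
set security policies from-zone trust to-zone junos-host policy mgmt-ssh match source-address mgmt-net
set security policies from-zone trust to-zone junos-host policy mgmt-ssh then permit
"""
POLICY_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (match|then) (.+)$")

def parse_policies(config):
    """Group policies by (from-zone, to-zone) in first-seen order, i.e. the SRX evaluation order."""
    contexts = OrderedDict()
    for line in config.strip().splitlines():
        m = POLICY_RE.match(line.strip())
        if not m:
            continue
        from_zone, to_zone, name, kind, rest = m.groups()
        ctx = contexts.setdefault((from_zone, to_zone), OrderedDict())
        policy = ctx.setdefault(name, {"match": {}, "then": set()})
        if kind == "match":
            key, _, value = rest.partition(" ")
            policy["match"][key] = value
        else:
            policy["then"].add(rest.split()[0])
    return contexts

def is_deny_all(policy):
    """True for a policy that matches any source, destination and application and denies."""
    m = policy["match"]
    return "deny" in policy["then"] and all(
        m.get(k) == "any" for k in ("source-address", "destination-address", "application"))

def audit_junos_host(contexts):
    """From-zones whose to-zone junos-host context does not end in a deny-all (implicit permit applies)."""
    exposed = []
    for (from_zone, to_zone), policies in contexts.items():
        if to_zone == "junos-host" and not is_deny_all(list(policies.values())[-1]):
            exposed.append(from_zone)
    return exposed
```

Run it against the `display set` output of each mr1 router; an empty result means every context toward junos-host ends in an explicit deny.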