SRX Security Policy at Group-Level – Careful what you wish for…

Just struggled with this one and thought that this might be helpful.

To log every denied packet on my SRX-100 (Living-Room and HomeOffice-Room) I use groups so I don’t accidentally forget to set the “log session-init” at the bottom of each zone.
But today I wondered why my Traffic that was passing from Zone1 to Zone2 didn’t show up in the logs – there was no configuration at all for this Zones and here’s the tricky part, that you find when searching extremely careful in the Juniper Docs:

This will only work if any Rule has been defined under the [security policies] section – if there is no Rule, the “Group-Rule” will not be created and therefore the traffic will not be visible.

If the above group is applied to the [security policies] hierarchy, it will not automatically populate the required policies; but will populate policies only for the zones that have security policies already configured. (

Today I’ve learned something new and this shows that you can never learn enough 😉

Juniper Login Banner Generator

Check out my new Script on

I designed it basically for my Home-Lab but then i thought that i share it with the World.

Since the “translating” process from ASCII-Art to Juniper can be frustrating (/n // /t etc.) you simply put your Text, ASCII Art or whatever into the Generator and let the fun begin 😉

Hope you enjoy this