Just struggled with this one and thought that this might be helpful.
To log every denied packet on my SRX-100 (Living-Room and HomeOffice-Room) I use groups, so I don't accidentally forget to set the "log session-init" at the bottom of each zone pair.
But today I wondered why my traffic passing from Zone1 to Zone2 didn't show up in the logs. There was no configuration at all for these zones, and here's the tricky part, which you only find when searching the Juniper docs extremely carefully:
set groups default-deny-group security policies from-zone <*> to-zone <*> policy default-deny match source-address any
set groups default-deny-group security policies from-zone <*> to-zone <*> policy default-deny match destination-address any
set groups default-deny-group security policies from-zone <*> to-zone <*> policy default-deny match application any
set groups default-deny-group security policies from-zone <*> to-zone <*> policy default-deny then deny
set groups default-deny-group security policies from-zone <*> to-zone <*> policy default-deny then log session-init
set apply-groups default-deny-group
This will only work for a zone pair if at least one rule has already been defined for that pair under the [security policies] section. If there is no rule for the pair, the "group rule" is not created for it, the traffic falls through to the unlogged default policy, and it never becomes visible in the logs.
If the above group is applied to the [security policies] hierarchy, it will not automatically populate the required policies; but will populate policies only for the zones that have security policies already configured. (http://kb.juniper.net/InfoCenter/index?page=content&id=KB25700&actp=search)
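To catch this before it bites, the following added Python script (not from the original post) reads a Junos configuration in "display set" form, lists the zone pairs that have no explicit policy and therefore get nothing from the wildcard group, and builds the explicit logged-deny policies that would close the gap. The sample configuration is constructed for the example; the remediation lines it emits are my assumption of a sensible fix (an explicit deny with log session-init per uncovered pair), not something the post prescribes.

```python
import re
from itertools import permutations, product

# Constructed sample of "show configuration | display set" output; not from the original post.
SAMPLE_CONFIG = """
set security zones security-zone Living-Room interfaces ge-0/0/1.0
set security zones security-zone HomeOffice-Room interfaces ge-0/0/2.0
set security zones security-zone untrust interfaces fe-0/0/0.0
set security policies from-zone Living-Room to-zone untrust policy allow-web match source-address any
set security policies from-zone Living-Room to-zone untrust policy allow-web match destination-address any
set security policies from-zone Living-Room to-zone untrust policy allow-web match application junos-http
set security policies from-zone Living-Room to-zone untrust policy allow-web then permit
set security policies from-zone HomeOffice-Room to-zone untrust policy allow-all match source-address any
set security policies from-zone HomeOffice-Room to-zone untrust policy allow-all match destination-address any
set security policies from-zone HomeOffice-Room to-zone untrust policy allow-all match application any
set security policies from-zone HomeOffice-Room to-zone untrust policy allow-all then permit
set groups default-deny-group security policies from-zone <*> to-zone <*> policy default-deny then deny
set groups default-deny-group security policies from-zone <*> to-zone <*> policy default-deny then log session-init
set apply-groups default-deny-group
"""

ZONE_RE = re.compile(r"^set security zones security-zone (\S+)")
POLICY_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+)")
GROUP_POLICY_RE = re.compile(r"^set groups (\S+) security policies from-zone <\*> to-zone <\*> policy (\S+)")
APPLY_RE = re.compile(r"^set apply-groups (\S+)")


def parse_set_config(config_text):
    """Return (zones, zone pairs with an explicit policy, applied groups that carry a <*>/<*> policy)."""
    zones, pairs, wildcard_groups, applied = set(), set(), set(), set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := ZONE_RE.match(line):
            zones.add(m.group(1))
        elif m := POLICY_RE.match(line):
            pairs.add((m.group(1), m.group(2)))
        elif m := GROUP_POLICY_RE.match(line):
            wildcard_groups.add(m.group(1))
        elif m := APPLY_RE.match(line):
            applied.add(m.group(1))
    # A group only matters if it is both defined with a wildcard policy and applied.
    return zones, pairs, wildcard_groups & applied


def uncovered_zone_pairs(config_text, include_intrazone=False):
    """Zone pairs with no explicit policy: the wildcard group never expands into these."""
    zones, pairs, _ = parse_set_config(config_text)
    ordered = sorted(zones)
    candidates = product(ordered, repeat=2) if include_intrazone else permutations(ordered, 2)
    return sorted(p for p in candidates if p not in pairs)


def explicit_deny_lines(pairs, policy_name="default-deny"):
    """Assumed remediation: give each uncovered pair its own logged deny so the traffic shows up."""
    lines = []
    for src, dst in pairs:
        prefix = f"set security policies from-zone {src} to-zone {dst} policy {policy_name}"
        lines += [
            f"{prefix} match source-address any",
            f"{prefix} match destination-address any",
            f"{prefix} match application any",
            f"{prefix} then deny",
            f"{prefix} then log session-init",
        ]
    return lines


def audit(config_text, include_intrazone=False):
    """Summarise whether a wildcard deny group is active and which pairs it silently skips."""
    _, _, active_groups = parse_set_config(config_text)
    return {
        "wildcard_group_applied": bool(active_groups),
        "uncovered_pairs": uncovered_zone_pairs(config_text, include_intrazone),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    print("wildcard group applied:", report["wildcard_group_applied"])
    for src, dst in report["uncovered_pairs"]:
        print(f"no explicit policy for {src} -> {dst}: group deny/log will NOT be generated")
    print("\n".join(explicit_deny_lines(report["uncovered_pairs"])))
```

Paste the output of "show configuration | display set" into SAMPLE_CONFIG (or read it from a file) and the script reports every zone pair the group leaves unlogged; on the constructed sample that is both directions between Living-Room and HomeOffice-Room, plus untrust towards either inside zone. Intra-zone pairs are excluded by default and can be included with include_intrazone=True.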
Today I've learned something new, and this shows that you can never learn enough 😉