SRX Security Policy at Group-Level – Careful what you wish for…

Just struggled with this one and thought that this might be helpful.

To log every denied packet on my SRX-100 (Living-Room and HomeOffice-Room) I use groups so I don’t accidentally forget to set the “log session-init” at the bottom of each zone.
But today I wondered why my Traffic that was passing from Zone1 to Zone2 didn’t show up in the logs – there was no configuration at all for this Zones and here’s the tricky part, that you find when searching extremely careful in the Juniper Docs:

This will only work if any Rule has been defined under the [security policies] section – if there is no Rule, the “Group-Rule” will not be created and therefore the traffic will not be visible.

If the above group is applied to the [security policies] hierarchy, it will not automatically populate the required policies; but will populate policies only for the zones that have security policies already configured. (

Today I’ve learned something new and this shows that you can never learn enough 😉

Leave a Reply

Your email address will not be published. Required fields are marked *

Captcha * Time limit is exhausted. Please reload CAPTCHA.