destination-address (Security Policies Flag)
Syntax
destination-address {
    drop-translated;
    drop-untranslated;
}
Hierarchy Level
[edit security policies from-zone zone-name to-zone zone-name policy policy-name then permit]
Description
Specify whether the traffic permitted by the security policy is limited to packets where the destination IP address has been translated by means of a destination NAT rule or to packets where the destination IP address has not been translated.
On Juniper Networks security devices, destination NAT rules are processed before security policy lookup. Therefore, it is possible for a security policy to permit traffic from a source S to a destination D (where no destination NAT is performed) and also to permit traffic from the source S to the destination d (where d has been translated to D).
Options
drop-translated—Drop packets with translated destination IP addresses. Traffic permitted by the security policy is limited to packets where the destination IP address has not been translated.
drop-untranslated—Drop packets without translated destination IP addresses. Traffic permitted by the security policy is limited to packets where the destination IP address has been translated by means of a destination NAT rule.
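The following configuration is an added example, not part of the original reference page. It shows a destination NAT rule and a policy that would permit both paths described above, followed by the flag that limits the policy to translated traffic. The zone names, rule, pool and policy names, the address-book entry and all addresses are assumptions made for illustration, as is the availability of the global address book on the release in use.

```junos
# Constructed values: D = 10.1.1.10 (internal server), d = 203.0.113.10 (published address)
set security address-book global address server-D 10.1.1.10/32

# Destination NAT is evaluated before policy lookup: d is translated to D
set security nat destination pool pool-D address 10.1.1.10/32
set security nat destination rule-set from-untrust from zone untrust
set security nat destination rule-set from-untrust rule d-to-D match destination-address 203.0.113.10/32
set security nat destination rule-set from-untrust rule d-to-D then destination-nat pool pool-D

# The policy matches on D, so without a flag it permits both
#   S -> D (no destination NAT performed) and
#   S -> d (d translated to D by the rule above)
set security policies from-zone untrust to-zone trust policy allow-web match source-address any
set security policies from-zone untrust to-zone trust policy allow-web match destination-address server-D
set security policies from-zone untrust to-zone trust policy allow-web match application junos-http
set security policies from-zone untrust to-zone trust policy allow-web then permit

# Limit the permit to packets whose destination was translated (S -> d only);
# packets addressed directly to D are dropped by this policy
set security policies from-zone untrust to-zone trust policy allow-web then permit destination-address drop-untranslated

# The opposite restriction would use drop-translated in place of drop-untranslated,
# permitting only S -> D traffic that was not translated
```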
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 9.2.