TL;DR: Don’t name a zone “management” on a Juniper SRX (11.4R7.5).
One of my on-again, off-again projects involves moving a datacenter management network from devices on public IP space protected by ACLs to private IP space behind a zone-based firewall (a Juniper SRX240).
When I last touched it I ran into a problem where one zone would not pass traffic even though it had identical rules to a different zone that worked. It happens that the zone that didn’t work was named “management”.
Earlier today I was browsing around and found an article that mentioned the management functional zone, which got me wondering whether there was something special about naming a zone “management”. I thought that didn’t make sense, since the functionality comes from the functional-zone statement, not the zone name. Cue more unsuccessful searching for any mention of reserved zone names. Eventually I decided to just rename the zone and see what happened. One quick rename statement and “management” became “dcn-mgmt”, and everything started to work.
What?
Then I came across a post to J-NSP that mentions management being a reserved keyword for zones. Oh. That explains it.
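For anyone hitting the same wall, here is what the before/after looks like in Junos configuration mode. This is an added illustration, not the author’s actual configuration: the interface names, the “servers” zone, the policy name and the address prefix are all assumptions chosen to show the point, and the behaviour described in the comments is what the post reports on 11.4R7.5.

```text
## Added example (not the original post's configuration). Interfaces,
## zone/policy names and addresses are assumptions for illustration.

## Before: a user-defined security zone that happens to be named "management".
## Per the post, on 11.4R7.5 traffic through this zone did not pass even though
## the policies matched a working zone line for line.
set security zones security-zone management interfaces ge-0/0/1.0
set security zones security-zone management host-inbound-traffic system-services ping
set security policies from-zone management to-zone servers policy mgmt-to-servers match source-address any
set security policies from-zone management to-zone servers policy mgmt-to-servers match destination-address any
set security policies from-zone management to-zone servers policy mgmt-to-servers match application any
set security policies from-zone management to-zone servers policy mgmt-to-servers then permit

## Fix: rename the zone in place so the name no longer collides with the keyword.
rename security zones security-zone management to security-zone dcn-mgmt

## Caveat: rename changes the zone statement itself; anything that still refers
## to the old name (from-zone/to-zone in policies, address-book references) has to
## point at dcn-mgmt before the commit will go through. Find the stragglers first.
show security policies | match management
commit check
commit

## Contrast: this is the management *functional* zone the article was about.
## Its out-of-band behaviour comes from the functional-zone statement, so the
## word "management" here is expected; it is the security-zone name that is not.
set security zones functional-zone management interfaces fxp0.0
set security zones functional-zone management host-inbound-traffic system-services ssh

## Checks after the commit (operational mode)
show security zones
show security policies from-zone dcn-mgmt to-zone servers
show security flow session source-prefix 10.0.0.0/24
```

The `show security flow session` filter is the quickest way to confirm the renamed zone is actually passing traffic rather than just committing cleanly; the prefix is whatever private range the management network ended up on.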