Allow PING, TRACEROUTE:
//define applications and the application-set
set applications application traceroute protocol udp
set applications application traceroute destination-port 33434-33534
set applications application traceroute-linux protocol udp
set applications application traceroute-linux destination-port 44450-44566
set applications application-set g-net-trace application traceroute
set applications application-set g-net-trace application junos-icmp-ping
set applications application-set g-net-trace application traceroute-linux
//create security policy (<SRC_IP> and <DST_IP> must be address-book entry names, or any)
set security policies from-zone Zone_1 to-zone Zone_2 policy Policy_1 match source-address <SRC_IP>
set security policies from-zone Zone_1 to-zone Zone_2 policy Policy_1 match destination-address <DST_IP>
set security policies from-zone Zone_1 to-zone Zone_2 policy Policy_1 match application g-net-trace
set security policies from-zone Zone_1 to-zone Zone_2 policy Policy_1 then permit
set security policies from-zone Zone_1 to-zone Zone_2 policy Policy_1 then log session-init
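
One way to audit what the g-net-trace match actually opens, as an added example in Python (not part of the original notes and not Juniper tooling): it resolves the policy's application-set to protocols and destination-port ranges and reports members that are neither defined in the config nor junos- predefined. The function names are hypothetical, and CONFIG is constructed from the commands above.

```python
# Added example; CONFIG is constructed from the set commands on this page.
CONFIG = """\
set applications application traceroute protocol udp
set applications application traceroute destination-port 33434-33534
set applications application traceroute-linux protocol udp
set applications application traceroute-linux destination-port 44450-44566
set applications application-set g-net-trace application traceroute
set applications application-set g-net-trace application junos-icmp-ping
set applications application-set g-net-trace application traceroute-linux
set security policies from-zone Zone_1 to-zone Zone_2 policy Policy_1 match application g-net-trace
set security policies from-zone Zone_1 to-zone Zone_2 policy Policy_1 then permit
"""

def parse(config):
    """Index custom applications, application-sets and policy application matches."""
    apps, sets, matches = {}, {}, {}
    for line in config.splitlines():
        t = line.split()
        if t[:3] == ["set", "applications", "application"] and len(t) == 6:
            apps.setdefault(t[3], {})[t[4]] = t[5]
        elif t[:3] == ["set", "applications", "application-set"] and t[4:5] == ["application"]:
            sets.setdefault(t[3], []).append(t[5])
        elif t[:3] == ["set", "security", "policies"] and t[9:11] == ["match", "application"]:
            matches.setdefault(t[8], []).append(t[11])  # keyed by policy name, zones ignored
    return apps, sets, matches

def opened(config, policy):
    """Return (resolved, undefined); resolved rows are (app, protocol, low, high)."""
    apps, sets, matches = parse(config)
    resolved, undefined = [], []
    for name in matches.get(policy, []):
        for member in sets.get(name, [name]):  # nested application-sets are not expanded
            if member in apps:
                # Assumption: ports are numeric; no destination-port means any port.
                low, _, high = apps[member].get("destination-port", "0-65535").partition("-")
                resolved.append((member, apps[member].get("protocol"), int(low), int(high or low)))
            elif member.startswith("junos-"):
                # Predefined applications ship with Junos and are not in the config text.
                resolved.append((member, "predefined", None, None))
            else:
                undefined.append(member)
    return resolved, undefined

def udp_port_count(config, policy):
    """Number of UDP destination ports the policy permits through custom applications."""
    return sum(h - l + 1 for _, proto, l, h in opened(config, policy)[0] if proto == "udp")

if __name__ == "__main__":
    print(opened(CONFIG, "Policy_1"), udp_port_count(CONFIG, "Policy_1"))
```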