SRX

Hi Everyone,

May I ask the exact flow or prioritization of security policies? I'm trying to allow anydesk in SRX320 of our customer. However, the policy that I created were not getting hits even it is placed at top. Also, I'm getting confused how Juniper SRX process it's security rules if unified security policy is placed at the rule #1 (top rule) then advanced security services (UTM, SSL Proxy) is placed at rule #2.

Regards,
Mike

Only one policy will be used for any single flow.

The first policy that matches the flow will be the one used.

So if your first policy is not used then some element of the match criteria is not valid for the flow.

You can use this to see the details of the flow with your ip addresses so you can confirm the match conditions for the rule not being used.

show security flow session source-prefix 10.1.1.1/32 destination-prefix 10.1.10.2/32

Also be aware that "classic" Layer4* security policies will be evaluated *before* any rules with dynamic-application(s) configured.

That also goes for Layer4 global policies. Those will also be evaluated before policies with dynamic-applications.

Priority is:

L4 zone-based

L4 global

Layer7 (dynamic-application) zone-based

Layer7 (dynamic-application) global

So that will give you the experience of some L4 zone-based rules being used even you have rules with dynamic-applications listed earlier in the rule-set.

As a workaround to this, you can keep your L4 security policies and just add "dynamic-application any" to all of them. Then all rules will be evaluated as you are used to and make it possible to firewall based on applications.

Bonus note: Dynamic-applications are not supported in both zone-based and global context. It either in your zone policies or in the global policies.