SRX

Expand all | Collapse all

Firewall Security Policies. Unified Security Policies and Advanced Security Services

  • 1.  Firewall Security Policies. Unified Security Policies and Advanced Security Services

    Posted 22 days ago

    Hi Everyone,

     

    May I ask the exact flow or prioritization of security policies? I'm trying to allow anydesk in SRX320 of our customer. However, the policy that I created were not getting hits even it is placed at top. Also, I'm getting confused how Juniper SRX process it's security rules if unified security policy is placed at the rule #1 (top rule) then advanced security services (UTM, SSL Proxy) is placed at rule #2.

    Regards,
    Mike


    #securitypolicies


  • 2.  Re: Firewall Security Policies. Unified Security Policies and Advanced Security Services

     
    Posted 22 days ago

    Only one policy will be used for any single flow.

     

    The first policy that matches the flow will be the one used.

     

    So if your first policy is not used then some element of the match criteria is not valid for the flow.

     

    You can use this to see the details of the flow with your ip addresses so you can confirm the match conditions for the rule not being used.

    show security flow session source-prefix 10.1.1.1/32 destination-prefix 10.1.10.2/32

     



  • 3.  Re: Firewall Security Policies. Unified Security Policies and Advanced Security Services

    Posted 22 days ago

    Also be aware that "classic" Layer4* security policies will be evaluated *before* any rules with dynamic-application(s) configured.

    That also goes for Layer4 global policies. Those will also be evaluated before policies with dynamic-applications.

     

    Priority is:

    L4 zone-based

    L4 global

    Layer7 (dynamic-application) zone-based

    Layer7 (dynamic-application) global

     

    So that will give you the experience of some L4 zone-based rules being used even you have rules with dynamic-applications listed earlier in the rule-set.

    As a workaround to this, you can keep your L4 security policies and just add "dynamic-application any" to all of them. Then all rules will be evaluated as you are used to and make it possible to firewall based on applications.

     

    Bonus note: Dynamic-applications are not supported in both zone-based and global context. It either in your zone policies or in the global policies.