Hi Suraj,
Last question to explain everything please:
If I write a policy and further down the road we add new equipment to the network and that policy needs updating. Let's say I add a new DNS server and want to add that in to the existing policy. So, I create a new address and I create a new rule within the policy because I only want certain systems added. Let's take the following as an example:
I want the whole internet to be able to access anycast 1 and 2 but not 3 and 4 and I want subscribers to be able to access all 4 addresses. So I write the following:
set security address-book global address anycast1 192.168.10.1/32
set security address-book global address anycast2 192.168.10.2/32
set security address-book global address anycast3 192.168.10.3/32
set security address-book global address anycast4 192.168.10.4/32
set security address-book global address customers 192.168.100.0/24
set security address-book global address-set anyone address anycast1
set security address-book global address-set anyone address anycast2
set security address-book global address-set subscribers address anycast1
set security address-book global address-set subscribers address anycast2
set security address-book global address-set subscribers address anycast3
set security address-book global address-set subscribers address anycast4
So, I complete the following policy based on the above:
[edit security policies from-zone dns to-zone dns policy anycast-subscriber]
set match source-address customers
set match destination-address subscribers
set match application junos-dns-udp
set then permit
set then log session-init
[edit security policies from-zone dns to-zone dns policy anycast-subscriber-1]
set match source-address subscribers
set match destination-address customers
set match application junos-dns-udp
set then permit
set then log session-init
[edit security policies from-zone dns to-zone dns policy anycast-subscriber-2]
set match source-address any
set match destination-address any
set match application any
set then deny
set then log session-init
Okay, so that should work for the subscribers. But then I notice that I have forgotten to add the internet queries that could occur from any source. So, if I add them in and I want a readable order in the policy, I then insert them where they need to be inserted so that they become readable and the packets are queried when they should be. There are two possible results according to the statement you made:
1: It does not matter where I insert the new section of the policy as it will always be executed first?
2: It does insert where you want it to and it will be read within the policy in the correct, logical, order?
Thanks
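As an added illustration (not part of the original post), the following Python models the SRX's first-match evaluation over the address book and policies above, with the forgotten internet rule either appended after the catch-all deny (what a plain `set` does) or placed ahead of it (what `insert security policies from-zone dns to-zone dns policy <new> before policy anycast-subscriber-2` does). The policy name anycast-internet and the 203.0.113.9 source address are assumptions.

```python
import ipaddress

# Address book reconstructed from the post (same values, constructed here as sample data)
ADDRESS_BOOK = {
    "anycast1": "192.168.10.1/32",
    "anycast2": "192.168.10.2/32",
    "anycast3": "192.168.10.3/32",
    "anycast4": "192.168.10.4/32",
    "customers": "192.168.100.0/24",
}
ADDRESS_SETS = {
    "anyone": ["anycast1", "anycast2"],
    "subscribers": ["anycast1", "anycast2", "anycast3", "anycast4"],
}

def matches(name, ip):
    """True if ip falls inside the named address, address-set, or the keyword 'any'."""
    if name == "any":
        return True
    members = ADDRESS_SETS.get(name, [name])
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(ADDRESS_BOOK[m]) for m in members)

def evaluate(policies, src, dst, app):
    """Top-down first match within one zone pair: return (policy name, action)."""
    for name, p in policies:
        if matches(p["src"], src) and matches(p["dst"], dst) and p["app"] in ("any", app):
            return name, p["action"]
    return None, "deny"  # implicit default deny if nothing matches

# Policies from the post, in the order they were written
BASE = [
    ("anycast-subscriber",   {"src": "customers",   "dst": "subscribers", "app": "junos-dns-udp", "action": "permit"}),
    ("anycast-subscriber-1", {"src": "subscribers", "dst": "customers",   "app": "junos-dns-udp", "action": "permit"}),
    ("anycast-subscriber-2", {"src": "any",         "dst": "any",         "app": "any",           "action": "deny"}),
]
# The forgotten internet rule: any source, but only anycast1/anycast2 (hypothetical policy name)
INTERNET = ("anycast-internet", {"src": "any", "dst": "anyone", "app": "junos-dns-udp", "action": "permit"})

def appended_last():
    """A plain 'set' appends after the catch-all deny, so the new rule is shadowed."""
    return evaluate(BASE + [INTERNET], "203.0.113.9", "192.168.10.1", "junos-dns-udp")

def inserted_before_deny():
    """'insert ... before policy anycast-subscriber-2' puts the rule ahead of the deny."""
    return evaluate(BASE[:2] + [INTERNET] + BASE[2:], "203.0.113.9", "192.168.10.1", "junos-dns-udp")

def internet_to_anycast3():
    """Even when inserted correctly, anycast3 stays closed to the internet."""
    return evaluate(BASE[:2] + [INTERNET] + BASE[2:], "203.0.113.9", "192.168.10.3", "junos-dns-udp")
```

Order within a zone pair is exactly what the evaluation walks, so check it with `show security policies from-zone dns to-zone dns` after the commit.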