SRX


reordering security policies in different configuration groups

  • 1.  reordering security policies in different configuration groups

    Posted 05-09-2020 11:07

    Hi,

    I have two security policies currently configured under the same from and to zones, for example trust-zone and untrust-zone. One of the policies is attached to a group, for example "3rdparty"; the other has no group attached to it.

    When I try to use the "insert before" option while editing the config under the group "3rdparty", it does not show the policy that is not within the group, and vice versa.

    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-reordering-policies.html

    My question: is there an option for reordering policies in different groups, or a policy not in a group for that matter?

     

    root> show security policies 
    Default policy: deny-all
    From zone: trust, To zone: untrust
      Policy: deny-all-log, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1
        Source addresses: any
        Destination addresses: any
        Applications: any
        Action: deny, log
      Policy: basic-permit, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 2
        Source addresses: any
        Destination addresses: any
        Applications: junos-icmp-ping
        Action: permit, log

    set groups lab security policies from-zone trust to-zone untrust policy basic-permit match source-address any
    set groups lab security policies from-zone trust to-zone untrust policy basic-permit match destination-address any
    set groups lab security policies from-zone trust to-zone untrust policy basic-permit match application junos-icmp-ping
    set groups lab security policies from-zone trust to-zone untrust policy basic-permit then permit
    set groups lab security policies from-zone trust to-zone untrust policy basic-permit then log session-init
    
    
    set security policies from-zone trust to-zone untrust policy deny-all-log match source-address any
    set security policies from-zone trust to-zone untrust policy deny-all-log match destination-address any
    set security policies from-zone trust to-zone untrust policy deny-all-log match application any
    set security policies from-zone trust to-zone untrust policy deny-all-log then deny
    set security policies from-zone trust to-zone untrust policy deny-all-log then log session-init

     

     


    #groups
    #securitypolicy
    #reorder
    #sequence
    #SRX


  • 2.  RE: reordering security policies in different configuration groups
    Best Answer

     
    Posted 05-10-2020 14:48

    The use of groups and apply-groups will always put those security policies at the bottom of the list of specifically configured policies. So you won't be able to manipulate their order as you can the explicitly configured list.

    Your options are to move either all the policies into the group for that zone pair or all the policies into the explicit area.

    Or use the group for the final default deny and have the other policies explicitly configured.

     



  • 3.  RE: reordering security policies in different configuration groups

    Posted 05-10-2020 20:48

    Hi PCAP,

     

    There are some important tips to remember while trying to reorder security policies.

    • As new security policies are added at the bottom of the list, they might require reordering by moving the security policy above or below other policies.
    • It is not possible to place a particular security policy at the bottom of the policy list statically.
    • It is not possible to place a security policy in a specific order permanently, because the rearrangement of policies impacts all policies.

    The KB document below explains how to reorder security policies from the CLI and the J-Web interface:

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB10120&actp=METADATA

     

    For more information about security policies and security policy ordering, refer to the documents below:

     https://www.juniper.net/documentation/en_US/junos/information-products/pathway-pages/security/security-policies-feature-guide.html

    https://www.juniper.net/documentation/en_US/junos-space16.1/topics/concept/junos-space-policy-overview-ordering.html

     

    Hope this helps 🙂

     

    Please mark this "Accepted Solution" if this helps you solve your queries.

    Kudos are much appreciated too 🙂



  • 4.  RE: reordering security policies in different configuration groups

    Posted 05-12-2020 10:06

    Hello PCAP,

     

    Group configuration is designed to share a common configuration across multiple objects of the same type.

    Hence all the examples would typically include one or more wildcard characters.

    In your case, the group configuration is an exact statement and has no variable. IMHO, this is not a correct usage of a group.

     

    Also, as others have highlighted, the group configuration always gets added at the end of the context; therefore, the group policy will be placed after the configured deny policy.

    Adding to my observation, the deny policy within the policy context appears to be present to log all denied packets.

    My suggestion is to reverse your policies in the following way:

     

     

    1.  Configure the allow policy in the exact context. 

     

     

    set security policies from-zone trust to-zone untrust policy basic-permit match source-address any
    set security policies from-zone trust to-zone untrust policy basic-permit match destination-address any
    set security policies from-zone trust to-zone untrust policy basic-permit match application junos-icmp-ping
    set security policies from-zone trust to-zone untrust policy basic-permit then permit
    set security policies from-zone trust to-zone untrust policy basic-permit then log session-init

     

     

    2. Create a generic group policy to deny & log.

    set groups lab security policies from-zone <*> to-zone <*> policy deny-all-log match source-address any
    set groups lab security policies from-zone <*> to-zone <*> policy deny-all-log match destination-address any
    set groups lab security policies from-zone <*> to-zone <*> policy deny-all-log match application any
    set groups lab security policies from-zone <*> to-zone <*> policy deny-all-log then deny
    set groups lab security policies from-zone <*> to-zone <*> policy deny-all-log then log session-init

    When written this way, you will not need to rearrange the order, and you will also not be required to write a deny policy to log in each context.

    Note that the default policy denies any unmatched traffic anyway if logging is not needed.

     

    I hope this helps.

     

    Thanks!
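The following script is an added example, not code from this thread or from Juniper. It models the ordering rule stated in replies 2 and 4 (explicitly configured policies keep their configured order inside a from-zone/to-zone context, and policies inherited through apply-groups are appended after them) so that you can predict the effective order of a candidate configuration before committing it. The function names (parse_policies, applied_groups, effective_order, insert_before, demo), the treatment of the `<*>` wildcard as matching any zone, and the ZONE_PAIRS list are assumptions of this model; the two configurations embedded in it are constructed from the layouts posted in this thread. The real order is always the one shown by `show security policies` on the device.

```python
"""Model of how Junos orders security policies when some are configured
explicitly and some are inherited through configuration groups (apply-groups).
Added example (not from the thread or Juniper): encodes the rule from the
replies above. '<*>' handling and the zone list are simplifying assumptions."""
import re
from collections import OrderedDict

# Matches explicit and 'set groups <name> ...' policy statements alike.
_SET_RE = re.compile(
    r"^set (?:groups (?P<group>\S+) )?security policies "
    r"from-zone (?P<frm>\S+) to-zone (?P<to>\S+) policy (?P<name>\S+)"
)
_APPLY_RE = re.compile(r"^set apply-groups (?P<group>\S+)")

def parse_policies(config_text):
    """Return {group_or_None: [(from_zone, to_zone, policy), ...]}.
    The several 'set' lines of one policy (match/then clauses) collapse into one
    entry at the position where the policy first appears, which is the order
    Junos keeps for policies inside a context."""
    seen = OrderedDict()
    for line in config_text.strip().splitlines():
        m = _SET_RE.match(line.strip())
        if m:
            seen.setdefault((m["group"], m["frm"], m["to"], m["name"]), None)
    by_source = OrderedDict()
    for group, frm, to, name in seen:
        by_source.setdefault(group, []).append((frm, to, name))
    return by_source

def applied_groups(config_text):
    """Groups named in 'set apply-groups', in the order they are applied."""
    lines = (line.strip() for line in config_text.strip().splitlines())
    return [m["group"] for m in map(_APPLY_RE.match, lines) if m]

def _zone_match(pattern, zone):
    # Assumption: the group wildcard '<*>' matches any zone name.
    return pattern == "<*>" or pattern == zone

def effective_order(by_source, apply_groups, zone_pairs):
    """Policy order per (from, to) pair: explicit policies first, then each
    applied group's policies in apply-groups order. A group policy whose name
    already exists explicitly in that context is skipped (explicit wins)."""
    result = OrderedDict()
    for frm, to in zone_pairs:
        order = [n for f, t, n in by_source.get(None, []) if (f, t) == (frm, to)]
        for group in apply_groups:
            for f, t, n in by_source.get(group, []):
                if _zone_match(f, frm) and _zone_match(t, to) and n not in order:
                    order.append(n)
        result[(frm, to)] = order
    return result

def insert_before(by_source, source, frm, to, policy, before):
    """Model 'insert security policies ... policy <policy> before policy <before>'.
    'source' is None for the explicit configuration or a group name: the command
    only sees policies of the same source, so a cross-boundary move is refused."""
    entries = by_source.get(source, [])
    moving, target = (frm, to, policy), (frm, to, before)
    if moving not in entries or target not in entries:
        raise ValueError(f"{policy!r} and {before!r} are not both in source {source!r} for {frm}->{to}")
    entries.remove(moving)
    entries.insert(entries.index(target), moving)

# Constructed input: the layout from the question (explicit deny, permit in group 'lab').
ORIGINAL_LAYOUT = """
set groups lab security policies from-zone trust to-zone untrust policy basic-permit match source-address any
set groups lab security policies from-zone trust to-zone untrust policy basic-permit then permit
set security policies from-zone trust to-zone untrust policy deny-all-log match source-address any
set security policies from-zone trust to-zone untrust policy deny-all-log then deny
set apply-groups lab
"""

# Constructed input: the layout suggested in reply 4 (explicit permit, generic group deny).
REVERSED_LAYOUT = """
set security policies from-zone trust to-zone untrust policy basic-permit match source-address any
set security policies from-zone trust to-zone untrust policy basic-permit then permit
set groups lab security policies from-zone <*> to-zone <*> policy deny-all-log match source-address any
set groups lab security policies from-zone <*> to-zone <*> policy deny-all-log then deny
set apply-groups lab
"""

# Assumed zone pairs present on the box; the wildcard group expands to each of them.
ZONE_PAIRS = [("trust", "untrust"), ("untrust", "trust")]

def demo(config_text):
    return effective_order(parse_policies(config_text), applied_groups(config_text), ZONE_PAIRS)

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_LAYOUT), ("reversed", REVERSED_LAYOUT)):
        for (frm, to), order in demo(cfg).items():
            print(f"{label:8} {frm}->{to}: {order}")
    try:  # the cross-boundary move the question asked about
        insert_before(parse_policies(ORIGINAL_LAYOUT), None, "trust", "untrust", "basic-permit", "deny-all-log")
    except ValueError as err:
        print("insert refused:", err)
```

Running it shows the original layout evaluating deny-all-log before basic-permit for trust->untrust (matching the sequence numbers in the question's `show security policies` output), the reversed layout evaluating basic-permit first with the group deny appended to every zone pair, and the insert of the group policy before the explicit one being refused because the two policies do not share a source.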