Overview
How to set a policy to trigger on a specific IP address.
Description
In some scenarios, you may need to set a policy for a specific IP address. For example, you can set a policy that allows a connection from 172.16.25.13 to 172.16.30.7 but rejects a connection to 172.16.30.6. Similarly, you could allow a connection from 172.16.25.3 to 172.16.30.6 but reject a connection to 172.16.30.7.
Guidelines
In this scenario, be aware of the following points when configuring your policies:
- Use a specific /32 IP address in the policy configuration to control a single host. For example:
  - set address Trust "test" 172.16.30.0/24 <-- this matches the entire /24 subnet
  - set address Trust "test/32" 172.16.30.7/32 <-- this matches only the single host 172.16.30.7
- Ensure that your specific policies are listed above any generic policies. For example, with policies listed in this order:
  - policy 1, which covers 192.168.0.0/24 <===> 192.168.1.0/24, will trigger first
  - policy 2, which covers 192.168.0.1/32 <===> 192.168.1.1/32, will never be matched, even though it has more specific IP addresses. Move policy 2 above policy 1 so that the more specific policy triggers.
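To make the ordering rule concrete, the following is an added Python example (not Juniper's code or ScreenOS configuration) that models top-down, first-match policy evaluation over the two policies above and flags the one that can never trigger; the Policy fields, function names and the checked packet are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Policy:
    """One firewall policy; action is 'permit' or 'deny' (the page's 'reject')."""
    pid: int
    src: IPv4Network
    dst: IPv4Network
    action: str


def first_match(policies, src_ip, dst_ip):
    """Return the first policy whose source and destination both contain the
    packet, or None. Evaluation is top-down and the first match wins."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for p in policies:
        if s in p.src and d in p.dst:
            return p
    return None


def shadowed(policies):
    """IDs of policies that can never trigger because an earlier policy's
    source and destination ranges fully cover theirs."""
    out = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst):
                out.append(later.pid)
                break
    return out


# Constructed policy set reproducing the guideline above: policy 1 is the
# generic /24 <===> /24 rule, policy 2 the specific /32 <===> /32 rule.
GENERIC = Policy(1, ip_network("192.168.0.0/24"), ip_network("192.168.1.0/24"), "permit")
SPECIFIC = Policy(2, ip_network("192.168.0.1/32"), ip_network("192.168.1.1/32"), "deny")


def check_ordering(order):
    """Evaluate the single-host packet 192.168.0.1 -> 192.168.1.1 against a
    policy order; return (id of the matching policy, ids of shadowed policies)."""
    hit = first_match(order, "192.168.0.1", "192.168.1.1")
    return (hit.pid if hit else None, shadowed(order))


if __name__ == "__main__":
    print("generic first: ", check_ordering([GENERIC, SPECIFIC]))  # (1, [2])
    print("specific first:", check_ordering([SPECIFIC, GENERIC]))  # (2, [])
```

With the generic policy on top the /32 policy is reported as shadowed and the host packet is permitted; moving the /32 policy above it makes the deny take effect.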
Further Reading
https://kb.juniper.net/InfoCenter/index?page=content&id=KB15074&actp=search