SRX

Hi 

i have two two security policies currently configured under the same from and to zones, for example trust-zone and untrust-zone. one of the policies is attached to a group for example "3rdparty" the other has no group attached to it 

when i try to use the "insert before"  option when im editing the config under the group "3rdparty" it does not show the policy not within the group and vice versa 

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-reordering-policies.html

my question: is there an option for re ordering policys in different groups or a policy not in a group for that matter.

root> show security policies 
Default policy: deny-all
From zone: trust, To zone: untrust
  Policy: deny-all-log, State: enabled, Index: 5, Scope Policy: 0, Sequence number: 1
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: deny, log
  Policy: basic-permit, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 2
    Source addresses: any
    Destination addresses: any
    Applications: junos-icmp-ping
    Action: permit, log

set groups lab security policies from-zone trust to-zone untrust policy basic-permit match source-address any
set groups lab security policies from-zone trust to-zone untrust policy basic-permit match destination-address any
set groups lab security policies from-zone trust to-zone untrust policy basic-permit match application junos-icmp-ping
set groups lab security policies from-zone trust to-zone untrust policy basic-permit then permit
set groups lab security policies from-zone trust to-zone untrust policy basic-permit then log session-init


set security policies from-zone trust to-zone untrust policy deny-all-log match source-address any
set security policies from-zone trust to-zone untrust policy deny-all-log match destination-address any
set security policies from-zone trust to-zone untrust policy deny-all-log match application any
set security policies from-zone trust to-zone untrust policy deny-all-log then deny
set security policies from-zone trust to-zone untrust policy deny-all-log then log session-init

The use of groups and apply-groups will always put those security policies on the bottom of the list of specific configured policies.  So you won't be able to manipulate their order as you can the explict configured list.

Your option is to move either all the policy into the group for that zone pair or all the policy into the explict area.

Or use the group for the final default deny and have the other policies explict configured.

Hi PCAP,

There are some important tips to remember while trying to reorder security policies.

• As new security policies are added at the bottom of the list, they might require re-ordering by moving the security policy above or below other policies.

• It is not possible to place a particular security policy at the bottom of the policy list statically.

• It is not possible to place a security policy in a specific order permanently, because the rearrangement of policies impacts all policies.

The below KB document gives explains how to reorder security policies from CLI and J-Web interface:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB10120&actp=METADATA

For more information about security policies and security policy ordering, refer the below documents:

 https://www.juniper.net/documentation/en_US/junos/information-products/pathway-pages/security/security-policies-feature-guide.html

https://www.juniper.net/documentation/en_US/junos-space16.1/topics/concept/junos-space-policy-overview-ordering.html

Hope this helps 🙂

Please mark this "Accepted Solution" if this helps you solve your queries.

Kudos are much appreciated too 🙂

Hello PCAP,

Group configuration is designed to share a common configuration across the multiple objects of same type.  

Hence all the examples would typically  include one or more wildcard characters.

In your case, groups configuration is an exact statement and has no variable. IMHO, this is not a correct usage of group.

Also as others have highighted, the group configuration always gets added at the end of the context , therefore, group policy will be placed after the configured deny policy.

Adding to my observation,  the deny policy within the policy context appears to be present to log all denied packets.

My suggestion is to reverse your policies in the following way:- 

1.  Configure the allow policy in the exact context. 

2. Create a generic group policy to deny & log.

When written this way, you would now not need to re-arrange the order and also you will not be required to write deny policy to log in each context.

Note that the default policy is anyways denying any unmatched traffic if logging is not needed.

I hope this helps.

Thanks!