Hi,
thanks for your answer.
Though, it's not the information I'm looking for 😉
Say, I've defined the following group:
show configuration groups global_outbound_policies_to_internet
security {
    policies {
        from-zone <*> to-zone internet {
            policy block-specific-addresses {
                match {
                    source-address any;
                    destination-address addresses_to_block;
                    application any;
                }
                then {
                    deny;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
    }
}
And have defined the following security policy:
show configuration security policies from-zone gtc to-zone internet
apply-groups global_outbound_policies_to_internet;
policy gtc2internet {
    match {
        source-address gtc;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}
The resulting security policy, with inheritance, is the following:
show configuration security policies from-zone gtc to-zone internet | display inheritance
policy gtc2internet {
    match {
        source-address gtc;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}
##
## 'block-specific-addresses' was inherited from group 'global_outbound_policies_to_internet'
##
policy block-specific-addresses {
    ##
    ## 'match' was inherited from group 'global_outbound_policies_to_internet'
    ##
    match {
        ##
        ## 'any' was inherited from group 'global_outbound_policies_to_internet'
        ##
        source-address any;
        ##
        ## 'addresses_to_block' was inherited from group 'global_outbound_policies_to_internet'
        ##
        destination-address addresses_to_block;
        ##
        ## 'any' was inherited from group 'global_outbound_policies_to_internet'
        ## Warning: application or application-set must be defined
        ##
        application any;
    }
    ##
    ## 'then' was inherited from group 'global_outbound_policies_to_internet'
    ##
    then {
        ##
        ## 'deny' was inherited from group 'global_outbound_policies_to_internet'
        ##
        deny;
        ##
        ## 'log' was inherited from group 'global_outbound_policies_to_internet'
        ##
        log {
            ##
            ## 'session-init' was inherited from group 'global_outbound_policies_to_internet'
            ##
            session-init;
            ##
            ## 'session-close' was inherited from group 'global_outbound_policies_to_internet'
            ##
            session-close;
        }
    }
}
Which is obviously not my goal.
I would like to know if it's possible to insert the inherited policy "block-specific-addresses" before the specific policy "gtc2internet".
Best regards,
Cyrille
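The problem in the post is one of policy order: the inherited deny policy ends up after a permit policy whose match terms overlap it, so traffic from gtc to the blocked addresses is permitted before the deny is ever evaluated. The script below is an added example, not part of Cyrille's post and not a Junos or Juniper tool. It parses the flattened "display inheritance" text exactly as shown above (the sample is constructed from the post), drops the "##" annotations, and reports every deny policy that is preceded by an overlapping permit. The overlap test only compares the names in the match terms, with "any" as a wildcard; it does not resolve address-book entries, so distinct named address sets are treated as disjoint. The move_before helper only models the order the post asks for; it says nothing about whether the device accepts that order for an inherited policy.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the post's "display inheritance" output for
# from-zone gtc to-zone internet, inherited policy listed last.
SAMPLE_POLICY_TEXT = """
policy gtc2internet {
    match {
        source-address gtc;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}
##
## 'block-specific-addresses' was inherited from group 'global_outbound_policies_to_internet'
##
policy block-specific-addresses {
    match {
        source-address any;
        destination-address addresses_to_block;
        application any;
    }
    then {
        deny;
        log {
            session-init;
            session-close;
        }
    }
}
"""

MATCH_KEYS = ("source-address", "destination-address", "application")


@dataclass
class Policy:
    name: str
    match: dict = field(default_factory=dict)  # match key -> list of names
    action: str = ""                           # permit / deny / reject


def parse_policies(text):
    """Policies in evaluation order; '##' annotation lines are skipped.

    Understands only the flattened policy { match { } then { } } shape shown
    in the post; nested blocks such as log { } are ignored."""
    policies, stack, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("##"):
            continue
        if line.endswith("{"):
            words = line[:-1].split()
            if words[0] == "policy":
                current = Policy(name=words[1])
                policies.append(current)
            stack.append(words[0])
        elif line == "}":
            stack.pop()
        elif current is not None and stack:
            stmt = line.rstrip(";")
            if stack[-1] == "match":
                key, _, value = stmt.partition(" ")
                current.match.setdefault(key, []).append(value)
            elif stack[-1] == "then" and stmt in ("permit", "deny", "reject"):
                current.action = stmt
    return policies


def overlaps(a, b):
    """True if some session could match both policies (name-based, 'any' wildcard)."""
    for key in MATCH_KEYS:
        sa, sb = set(a.match.get(key, [])), set(b.match.get(key, []))
        if "any" in sa or "any" in sb or sa & sb:
            continue
        return False
    return True


def shadowed_denies(policies):
    """(deny_policy, earlier_permit) pairs where the permit is evaluated first."""
    found = []
    for i, pol in enumerate(policies):
        if pol.action != "deny":
            continue
        for earlier in policies[:i]:
            if earlier.action == "permit" and overlaps(earlier, pol):
                found.append((pol.name, earlier.name))
                break
    return found


def move_before(policies, name, before):
    """New list with policy `name` placed directly before policy `before`."""
    moved = [p for p in policies if p.name != name]
    target = next(p for p in policies if p.name == name)
    idx = next(i for i, p in enumerate(moved) if p.name == before)
    moved.insert(idx, target)
    return moved


if __name__ == "__main__":
    pols = parse_policies(SAMPLE_POLICY_TEXT)
    print("order:", [p.name for p in pols], "shadowed:", shadowed_denies(pols))
    fixed = move_before(pols, "block-specific-addresses", "gtc2internet")
    print("after move:", [p.name for p in fixed], "shadowed:", shadowed_denies(fixed))
```

Running it on the sample reports ("block-specific-addresses", "gtc2internet") for the order the device produced, and nothing once the deny policy is modelled in front of the permit. The same check can be run over the full output of "show configuration security policies | display inheritance" for any zone pair to find other inherited policies that landed behind a broader local permit.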