Hi TroyC,
Policy ordering in the config is going to be top down (the order created), within each context. A context is the combination of 'from-zone aaaa to-zone bbbb'. I don't see the term used much in the documentation other than the product sheet, where it lists the number of 'contexts' supported per platform.
Context order within the configuration is going to be the order in which it was created as well. They can also be re-ordered with insert. Using an example similar to yours:
[Ignore the 'groups' part. I just used the group as an example to keep this example configuration separate from the rest of my config]
[edit groups forum]
joel@chilis220# show | display set
set groups forum security policies from-zone aaa to-zone bbb policy 100 match source-address any
set groups forum security policies from-zone aaa to-zone bbb policy 100 match destination-address any
set groups forum security policies from-zone aaa to-zone bbb policy 100 match application any
set groups forum security policies from-zone aaa to-zone bbb policy 100 then permit
set groups forum security policies from-zone aaa to-zone ccc policy 101 match source-address any
set groups forum security policies from-zone aaa to-zone ccc policy 101 match destination-address any
set groups forum security policies from-zone aaa to-zone ccc policy 101 match application any
set groups forum security policies from-zone aaa to-zone ccc policy 101 then permit
set groups forum security policies from-zone aaa to-zone ddd policy 102 match source-address any
set groups forum security policies from-zone aaa to-zone ddd policy 102 match destination-address any
set groups forum security policies from-zone aaa to-zone ddd policy 102 match application any
set groups forum security policies from-zone aaa to-zone ddd policy 102 then permit
set groups forum security policies from-zone bbb to-zone ddd policy 103 match source-address any
set groups forum security policies from-zone bbb to-zone ddd policy 103 match destination-address any
set groups forum security policies from-zone bbb to-zone ddd policy 103 match application any
set groups forum security policies from-zone bbb to-zone ddd policy 103 then permit
I then create another policy in a new context (from-zone bbb to-zone ccc)
joel@chilis220# set groups forum security policies from-zone bbb to-zone ccc policy 104 match source-address any
[edit]
joel@chilis220# set groups forum security policies from-zone bbb to-zone ccc policy 104 match destination-address any
[edit]
joel@chilis220# set groups forum security policies from-zone bbb to-zone ccc policy 104 match application any
[edit]
joel@chilis220# set groups forum security policies from-zone bbb to-zone ccc policy 104 then permit
Which results in the following config:
joel@chilis220# show | display set
set groups forum security policies from-zone aaa to-zone bbb policy 100 match source-address any
set groups forum security policies from-zone aaa to-zone bbb policy 100 match destination-address any
set groups forum security policies from-zone aaa to-zone bbb policy 100 match application any
set groups forum security policies from-zone aaa to-zone bbb policy 100 then permit
set groups forum security policies from-zone aaa to-zone ccc policy 101 match source-address any
set groups forum security policies from-zone aaa to-zone ccc policy 101 match destination-address any
set groups forum security policies from-zone aaa to-zone ccc policy 101 match application any
set groups forum security policies from-zone aaa to-zone ccc policy 101 then permit
set groups forum security policies from-zone aaa to-zone ddd policy 102 match source-address any
set groups forum security policies from-zone aaa to-zone ddd policy 102 match destination-address any
set groups forum security policies from-zone aaa to-zone ddd policy 102 match application any
set groups forum security policies from-zone aaa to-zone ddd policy 102 then permit
set groups forum security policies from-zone bbb to-zone ddd policy 103 match source-address any
set groups forum security policies from-zone bbb to-zone ddd policy 103 match destination-address any
set groups forum security policies from-zone bbb to-zone ddd policy 103 match application any
set groups forum security policies from-zone bbb to-zone ddd policy 103 then permit
set groups forum security policies from-zone bbb to-zone ccc policy 104 match source-address any
set groups forum security policies from-zone bbb to-zone ccc policy 104 match destination-address any
set groups forum security policies from-zone bbb to-zone ccc policy 104 match application any
set groups forum security policies from-zone bbb to-zone ccc policy 104 then permit
If I want to move this new context (bbb to ccc) to be with the other (to ccc) contexts, I can do this with:
joel@chilis220# insert security policies from-zone bbb to-zone ccc after from-zone aaa to-zone ccc
Which gives me the following config:
[edit groups forum]
joel@chilis220# show | display set
set groups forum security policies from-zone aaa to-zone bbb policy 100 match source-address any
set groups forum security policies from-zone aaa to-zone bbb policy 100 match destination-address any
set groups forum security policies from-zone aaa to-zone bbb policy 100 match application any
set groups forum security policies from-zone aaa to-zone bbb policy 100 then permit
set groups forum security policies from-zone aaa to-zone ccc policy 101 match source-address any
set groups forum security policies from-zone aaa to-zone ccc policy 101 match destination-address any
set groups forum security policies from-zone aaa to-zone ccc policy 101 match application any
set groups forum security policies from-zone aaa to-zone ccc policy 101 then permit
set groups forum security policies from-zone bbb to-zone ccc policy 104 match source-address any
set groups forum security policies from-zone bbb to-zone ccc policy 104 match destination-address any
set groups forum security policies from-zone bbb to-zone ccc policy 104 match application any
set groups forum security policies from-zone bbb to-zone ccc policy 104 then permit
set groups forum security policies from-zone aaa to-zone ddd policy 102 match source-address any
set groups forum security policies from-zone aaa to-zone ddd policy 102 match destination-address any
set groups forum security policies from-zone aaa to-zone ddd policy 102 match application any
set groups forum security policies from-zone aaa to-zone ddd policy 102 then permit
set groups forum security policies from-zone bbb to-zone ddd policy 103 match source-address any
set groups forum security policies from-zone bbb to-zone ddd policy 103 match destination-address any
set groups forum security policies from-zone bbb to-zone ddd policy 103 match application any
set groups forum security policies from-zone bbb to-zone ddd policy 103 then permit
Voila! The policies from 'bbb' to 'ccc' now appear in the config where we want.
As you already know, this has nothing to do with performance / policy processing / etc. This is just how they show up in the configuration if you look at it in its entirety.
A related command to 'contexts' is 'show security policies zone-context', which lists the number of policies in every context. Now you can rest assured I did not invent the term 'context' 🙂
Hope this helps,
Joel
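The two ideas in the answer above, a context being one 'from-zone X to-zone Y' pair and policies being evaluated top down inside that context, are easy to check offline against the output of 'show | display set'. The script below is an added example and is not code from the post or from Juniper. It groups 'set ... security policies' lines by context in the order they appear, reports any policy that can never match because an earlier policy in the same context already covers every flow it describes (the usual reason ordering inside a context matters), and mimics the effect of 'insert ... policy A before policy B' on that order. The sample transcript is constructed from the post's style with one extra policy ('105', a deny after an any/any/any permit) that is deliberately shadowed. Address and application names are treated as opaque tokens; the script does not resolve address-book entries or application groups, so it only catches shadowing visible from the names themselves.

```python
"""Group Junos 'show | display set' security policies by zone context and
flag policies shadowed by an earlier policy in the same context.

Added example, not from the forum post. Input is a constructed transcript."""
import re
from collections import OrderedDict

# Constructed sample: the post's policy 100 and 101, plus 'policy 105', a deny
# created after an any/any/any permit in the same context, so it is unreachable.
SAMPLE = """\
set groups forum security policies from-zone aaa to-zone bbb policy 100 match source-address any
set groups forum security policies from-zone aaa to-zone bbb policy 100 match destination-address any
set groups forum security policies from-zone aaa to-zone bbb policy 100 match application any
set groups forum security policies from-zone aaa to-zone bbb policy 100 then permit
set groups forum security policies from-zone aaa to-zone bbb policy 105 match source-address untrusted-hosts
set groups forum security policies from-zone aaa to-zone bbb policy 105 match destination-address any
set groups forum security policies from-zone aaa to-zone bbb policy 105 match application junos-ssh
set groups forum security policies from-zone aaa to-zone bbb policy 105 then deny
set groups forum security policies from-zone aaa to-zone ccc policy 101 match source-address any
set groups forum security policies from-zone aaa to-zone ccc policy 101 match destination-address any
set groups forum security policies from-zone aaa to-zone ccc policy 101 match application any
set groups forum security policies from-zone aaa to-zone ccc policy 101 then permit
"""

# Optional 'groups NAME' prefix so lines from the post's example parse too.
# Only 'match' lines and the terminating 'then permit|deny|reject' are used;
# other 'then' lines (log, count, ...) are ignored.
LINE_RE = re.compile(
    r"^set (?:groups \S+ )?security policies from-zone (\S+) to-zone (\S+) "
    r"policy (\S+) (?:match (source-address|destination-address|application) (\S+)"
    r"|then (permit|deny|reject))$"
)
FIELD = {"source-address": "source", "destination-address": "destination",
         "application": "application"}


def parse_policies(text):
    """Return {(from_zone, to_zone): OrderedDict{name: policy}}.

    Both dicts keep the order the lines appear in, which is the order Junos
    shows them and, within a context, the order it evaluates them."""
    contexts = OrderedDict()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        fz, tz, name, field, value, action = m.groups()
        ctx = contexts.setdefault((fz, tz), OrderedDict())
        pol = ctx.setdefault(name, {"source": set(), "destination": set(),
                                    "application": set(), "action": None})
        if field:
            pol[FIELD[field]].add(value)
        else:
            pol["action"] = action
    return contexts


def covers(earlier, later):
    """True if every flow matched by 'later' would already match 'earlier'.
    'any' is treated as a superset of every name; other names are compared as
    opaque tokens (no address-book or application-group resolution)."""
    for key in ("source", "destination", "application"):
        e, l = earlier[key], later[key]
        if "any" in e:
            continue
        if "any" in l or not l <= e:
            return False
    return True


def shadowed_policies(contexts):
    """List (from_zone, to_zone, shadowed_name, shadowing_name) per context."""
    found = []
    for (fz, tz), ctx in contexts.items():
        names = list(ctx)
        for i, later in enumerate(names):
            for earlier in names[:i]:
                if covers(ctx[earlier], ctx[later]):
                    found.append((fz, tz, later, earlier))
                    break
    return found


def insert_before(contexts, from_zone, to_zone, name, before):
    """Mimic 'insert security policies from-zone X to-zone Y policy NAME
    before policy BEFORE' on the parsed order of one context."""
    ctx = contexts[(from_zone, to_zone)]
    moved = ctx.pop(name)
    items = list(ctx.items())
    items.insert([n for n, _ in items].index(before), (name, moved))
    ctx.clear()
    ctx.update(items)


if __name__ == "__main__":
    ctxs = parse_policies(SAMPLE)
    for (fz, tz), ctx in ctxs.items():
        print(f"context {fz} -> {tz}: {list(ctx)}")
    print("shadowed:", shadowed_policies(ctxs))
    insert_before(ctxs, "aaa", "bbb", "105", "100")
    print("after insert:", list(ctxs[("aaa", "bbb")]), shadowed_policies(ctxs))
```

On the sample, policy 105 in context aaa to bbb is reported as shadowed by policy 100; after moving it before 100, the same check comes back empty. Feeding the script a real 'show | display set' capture is a quick way to confirm that an 'insert' did what you expected before you commit.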