SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Deactivating policies

    Posted 09-09-2015 13:44

    Is there any way to deactivate several policies at once instead of one at a time?  I have about 5 remote access policies for some servers that I want to activate only when I need to access those servers and then deactivate the rules when done.  But going through each rule one at a time sucks.  Any way I can do them all at once?

    JamesNT



  • 2.  RE: Deactivating policies
    Best Answer

    Posted 09-09-2015 14:56

    Hi James,

    Not sure that there is a command to deactivate multiple policies in one CLI command. However, you can use groups to change all the policies from, say, 'then permit' to 'then deny', which would produce the same result that you are trying to achieve.

    The group configuration

    groups {
        www-servers {
            security {
                policies {
                    from-zone trust to-zone untrust {
                        policy <www-prod*> {
                            then {
                                permit;
                            }
                        }
                    }
                }
            }
        }
    }

    Apply the group

    security {
        policies {
            apply-groups [ www-servers ];
        }
    }

    The policies then need to start with "www-prod" and the group configuration will be applied

    security {
        policies {
            from-zone trust to-zone untrust {
                policy www-prod-server1 {
                    match {
                        source-address prod-s1;
                        destination-address any;
                        application www-prod;
                    }
                }
                policy www-prod-server2 {
                    match {
                        source-address prod-s2;
                        destination-address any;
                        application www-prod;
                    }
                }
            }
        }
    }

    Notice there is no then statement configured; it will be inherited from the group. So when I want to block the servers I can just change the group configuration:

    set groups www-servers security policies from-zone trust to-zone untrust policy <www-prod*> then deny

    Tim
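A worked illustration of the inheritance Tim describes, as an added example that is not from this thread or from Juniper: it models the two www-prod policies from his config plus two constructed extras (a hypothetical www-prod-admin policy with its own then, and a hypothetical mgmt-ssh policy whose name does not match the wildcard) and resolves apply-groups the way Junos does, where a statement configured directly on a policy takes precedence over one inherited from a group. The dictionary layout, the helper names and the extra policies are assumptions made for the example.

```python
import copy
import fnmatch
import re

# Constructed model of the config in the thread: policy name -> its own statements.
# The two www-prod policies have no "then" of their own and rely on the group.
POLICIES = {
    "www-prod-server1": {"match": {"source-address": "prod-s1"}},
    "www-prod-server2": {"match": {"source-address": "prod-s2"}},
    # Hypothetical: a matching policy with an explicit action keeps it (local wins).
    "www-prod-admin": {"match": {"source-address": "admin-host"}, "then": "permit"},
    # Hypothetical: a policy whose name misses the wildcard is not touched by the group.
    "mgmt-ssh": {"match": {"source-address": "mgmt-host"}, "then": "permit"},
}

# The group as on the page: a wildcard policy name in angle brackets carrying "then".
GROUPS = {"www-servers": {"<www-prod*>": {"then": "permit"}}}

def _pattern(name):
    """Strip the angle brackets Junos uses to mark a wildcard identifier in a group."""
    m = re.fullmatch(r"<(.+)>", name)
    return m.group(1) if m else name

def effective_policies(policies, groups, apply_groups):
    """Resolve apply-groups: a policy picks up each statement it lacks from the
    applied groups whose wildcard matches its name; statements configured directly
    on the policy take precedence over inherited ones."""
    result = {}
    for name, stmts in policies.items():
        merged = dict(stmts)
        for gname in apply_groups:
            for pattern, gstmts in groups[gname].items():
                if fnmatch.fnmatchcase(name, _pattern(pattern)):
                    for key, value in gstmts.items():
                        merged.setdefault(key, value)
        result[name] = merged
    return result

def actions(policies, groups, apply_groups):
    """Policy name -> effective action, or None when nothing supplies a 'then'."""
    eff = effective_policies(policies, groups, apply_groups)
    return {n: s.get("then") for n, s in eff.items()}

def set_group_action(groups, gname, pattern, action):
    """Model the 'set groups ... policy <pattern> then <action>' change, non-destructively."""
    new = copy.deepcopy(groups)
    new[gname][pattern]["then"] = action
    return new
```

Calling `actions(POLICIES, set_group_action(GROUPS, "www-servers", "<www-prod*>", "deny"), ["www-servers"])` flips both www-prod server policies to deny while the two constructed policies with their own then stay at permit, which is exactly the toggle the answer relies on.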