Visitor
kevinheart
Posts: 3
Registered: 06-03-2011

Global policy for SRX (Junos 10.4R6.5)

Hi,

Can we create a customized global security policy on SRX 5800 (Junos 10.4 R6.5)?

Appreciated if anyone can help.

Cheers

Super Contributor
AdamLin
Posts: 167
Registered: 08-02-2010

Re: Global policy for SRX (Junos 10.4R6.5)

Depends on your requirement. Full global policy is available in 11.2 and up iirc.

policies {
    global {
        policy log_denies {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                deny;
                log {
                    session-init;
                }
            }
        }
    }
}

In earlier releases you might be able to solve your requirements with configuration groups - a typical use case is adding a default deny with log between all from/to zones which have policies.

groups {
    log_all_denies {
        security {
            policies {
                from-zone <*> to-zone <*> {
                    policy log_all_denies {
                        match {
                            source-address any;
                            destination-address any;
                            application any;
                        }
                        then {
                            deny;
                            log {
                                session-init;
                            }
                        }
                    }
                }
            }
        }
    }
}

and then apply-groups log_all_denies

Regards,
Adam

(if my post helped solve your problem, mark it as accepted solution)
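
A check for the configuration-group workaround above, as an added example (not code from this thread or from Juniper): it parses saved output of `show configuration security policies | display inheritance` and reports, per zone pair, whether the last policy is the deny-any-with-log rule, which matters because policies within a zone pair are evaluated in order. The sample configuration and every zone and policy name other than `log_all_denies` are constructed.

```python
import re

# Constructed, condensed sample shaped like "... | display inheritance" output.
SAMPLE = """
from-zone trust to-zone untrust {
    policy allow_web { match { source-address any; destination-address any;
        application junos-http; } then { permit; } }
    ## 'log_all_denies' was inherited from group 'log_all_denies'
    policy log_all_denies { match { source-address any; destination-address any;
        application any; } then { deny; log { session-init; } } }
}
from-zone untrust to-zone trust {
    policy allow_ssh { match { source-address any; destination-address any;
        application junos-ssh; } then { permit; } }
}
"""

def parse(text):
    """Turn curly-brace config into nested (statement, children) lists."""
    text = re.sub(r"(?m)^\s*#.*$", "", text)  # drop "##" inheritance comments
    stack, pending = [[]], ""
    for tok in re.findall(r"[{};]|[^{};]+", text):
        if tok == "{":
            stack[-1].append((pending, []))
            stack.append(stack[-1][-1][1])
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            stack[-1].append((pending, None))
        else:
            pending = " ".join(tok.split())
    return stack[0]

def is_deny_log_all(policy):
    sub = dict(policy)  # statement -> children
    match = {s for s, _ in sub.get("match") or []}
    then = {s for s, _ in sub.get("then") or []}
    wanted = {"source-address any", "destination-address any", "application any"}
    return wanted <= match and {"deny", "log"} <= then

def audit(config_text):
    """Map (from_zone, to_zone) -> True if the LAST policy is deny-any with log."""
    result = {}
    for stmt, kids in parse(config_text):
        m = re.fullmatch(r"from-zone (\S+) to-zone (\S+)", stmt)
        if m:
            policies = [k for s, k in (kids or []) if s.startswith("policy ") and k]
            result[m.groups()] = bool(policies) and is_deny_log_all(policies[-1])
    return result
```

Calling `audit(SAMPLE)` flags the constructed `untrust` to `trust` pair, which lacks the inherited policy.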
Visitor
kevinheart
Posts: 3
Registered: 06-03-2011

Re: Global policy for SRX (Junos 10.4R6.5)

Thanks Adam, fantastic!

Good to know SRX supports global policy from 11.2R.

However, currently we use 10.4R6.5. The group config is a good workaround, as we might not upgrade Junos to 11.2 in the near future. But the new issue is that we are only allowed to configure the SRX 5800 through NSM, not the CLI ...

Can NSM do the group?

Cheers

Super Contributor
AdamLin
Posts: 167
Registered: 08-02-2010

Re: Global policy for SRX (Junos 10.4R6.5)

I've tried my best to stay away from NSM, last I heard it couldn't do it, but I do know Junos Space Security Design 12.x can do it.

Regards,
Adam

(if my post helped solve your problem, mark it as accepted solution)