SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Netscreen Global Policies Migration to SRX Configuration

    Posted 02-09-2014 04:23

    Hi,

     

    I am migrating from Netscreen to SRX Firewall. I am facing an issue migrating the Global Policy configuration.

     

    In Netscreen we have a few policies from a specific zone to the Global zone.

     

    set policy id 100 from "Trust" to "Global"  "x.x.x.x" "Any-IPv4" "HTTP" permit log
    set policy id 100
    set service "HTTPS"
    exit

    I have configured the same in SRX under the groups hierarchy.

     

    groups {
        node0 {
            security {
                policies {
                    from-zone Trust to-zone <*> {
                        policy test {
                            match {
                                source-address x.x.x.x;
                                destination-address any;
                                application [junos-http junos-https];
                            }
                            then {
                                permit;
                            }
                        }
                    }
                }
            }
        }
        node1 {
            security {
                policies {
                    from-zone Trust to-zone <*> {
                        policy test {
                            match {
                                source-address x.x.x.x;
                                destination-address any;
                                application [junos-http junos-https];
                            }
                            then {
                                permit;
                            }
                        }
                    }
                }
            }
        }
    }
    apply-groups "${node}";

     

    Similarly, I have a few more policies from different specific zones to Global.

     

    My question is whether I have migrated this part correctly or not. If this is not correct, kindly let me know the correct way to configure something similar to the Netscreen policy.



  • 2.  RE: Netscreen Global Policies Migration to SRX Configuration
    Best Answer

     
    Posted 02-10-2014 06:47

    Hello.

     

    Security policies are not typically configured under

     

    groups {
        node0 {
            security {
                policies {

     

    But under

     

    security {
        policies {

     

     

    The groups/node0 and groups/node1 are configs that need to be different between the 2 nodes, such as hostnames and fxp0 (mgmt) IP addresses. Security policies should be common between the 2 nodes in the cluster, so they should be configured as part of the security hierarchy.

     

    Global policies are configured as such:

     

    set security policies global policy default-deny match source-address any
    set security policies global policy default-deny match destination-address any
    set security policies global policy default-deny match application any
    set security policies global policy default-deny then deny
    set security policies global policy default-deny then log session-init
    set security policies global policy default-deny then log session-close
    set security policies global policy default-deny then count
    

     

     

     

    Hope this helps.

     

    Regards,

    Sam
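As an added example (not from this thread, and not Juniper's code), the following Python script parses the Netscreen `set policy` lines quoted in the question and emits the Junos `set security policies global` form that Sam shows, appending his default-deny rule at the end. It assumes a service-to-application mapping (HTTP to junos-http, HTTPS to junos-https), a `ns-<id>` naming scheme for the generated policies, and that `match from-zone` is accepted inside a global policy on the target Junos release; address-book names are passed through unchanged and must already exist in the SRX address book. The sample Netscreen fragment is constructed from the question, with `host-a` standing in for the `x.x.x.x` address object.

```python
"""Translate Netscreen 'set policy' lines into Junos SRX global-policy set commands.

Added example, not code from the original thread or from Juniper. The service
mapping, policy-name scheme and the use of `match from-zone` in a global policy
are assumptions to verify on the target Junos release.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the Netscreen syntax quoted in the question
# ("host-a" is a constructed address-book name standing in for x.x.x.x).
NETSCREEN_SAMPLE = """
set policy id 100 from "Trust" to "Global"  "host-a" "Any-IPv4" "HTTP" permit log
set policy id 100
set service "HTTPS"
exit
"""

# Assumed mapping from Netscreen predefined services to Junos predefined applications.
SERVICE_MAP = {"HTTP": "junos-http", "HTTPS": "junos-https", "ANY": "any"}

# Netscreen address names meaning "any address" (the question uses "Any-IPv4").
ANY_ADDRESSES = {"ANY", "ANY-IPV4", "ANY-IPV6"}

# Matches the one-line policy header: id, zones, src, dst, service, action, flags.
POLICY_RE = re.compile(
    r'^set policy id (?P<id>\d+) from "(?P<src_zone>[^"]+)" to "(?P<dst_zone>[^"]+)"\s+'
    r'"(?P<src>[^"]+)"\s+"(?P<dst>[^"]+)"\s+"(?P<svc>[^"]+)"\s+'
    r'(?P<action>permit|deny)(?P<flags>.*)$'
)


@dataclass
class Policy:
    pid: int
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    services: list = field(default_factory=list)
    action: str = "deny"
    log: bool = False


def parse_netscreen(text):
    """Parse a Netscreen config fragment into Policy objects, in id order."""
    policies = {}
    current = None  # policy whose "set policy id N ... exit" sub-context we are in
    for raw in text.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            p = Policy(int(m["id"]), m["src_zone"], m["dst_zone"], m["src"], m["dst"],
                       [m["svc"]], m["action"], "log" in m["flags"].split())
            policies[p.pid] = p
            continue
        m = re.match(r"^set policy id (\d+)$", line)  # enter the sub-context
        if m:
            current = policies[int(m.group(1))]
            continue
        if line == "exit":
            current = None
            continue
        m = re.match(r'^set service "([^"]+)"$', line)  # extra service in sub-context
        if m and current is not None:
            current.services.append(m.group(1))
    return [policies[k] for k in sorted(policies)]


def to_junos_address(addr):
    """Map Netscreen 'any' spellings to Junos 'any'; other names pass through."""
    return "any" if addr.upper() in ANY_ADDRESSES else addr


def to_junos_global(policies, default_deny=True):
    """Render Junos set commands for global policies plus a final default-deny rule."""
    cmds = []
    for p in policies:
        base = f"set security policies global policy ns-{p.pid}"  # assumed naming
        # Netscreen "Global" zone means any zone, so no zone match is emitted for it;
        # a specific zone becomes a from-zone/to-zone match (assumed supported).
        if p.src_zone.lower() != "global":
            cmds.append(f"{base} match from-zone {p.src_zone}")
        if p.dst_zone.lower() != "global":
            cmds.append(f"{base} match to-zone {p.dst_zone}")
        cmds.append(f"{base} match source-address {to_junos_address(p.src)}")
        cmds.append(f"{base} match destination-address {to_junos_address(p.dst)}")
        for svc in p.services:
            app = SERVICE_MAP.get(svc.upper())
            if app is None:  # refuse to guess: an unmapped service must be handled by hand
                raise ValueError(f"no Junos application mapping for service {svc!r}")
            cmds.append(f"{base} match application {app}")
        cmds.append(f"{base} then {p.action}")
        if p.log:
            cmds.append(f"{base} then log session-init")
            cmds.append(f"{base} then log session-close")
    if default_deny:  # the catch-all rule from the answer above
        base = "set security policies global policy default-deny"
        cmds += [f"{base} match source-address any",
                 f"{base} match destination-address any",
                 f"{base} match application any",
                 f"{base} then deny",
                 f"{base} then log session-init",
                 f"{base} then log session-close",
                 f"{base} then count"]
    return cmds


if __name__ == "__main__":
    for cmd in to_junos_global(parse_netscreen(NETSCREEN_SAMPLE)):
        print(cmd)
```

Global policies are only consulted after no zone-pair policy has matched, so a migrated Trust-to-Global permit lands after every explicit from-zone/to-zone rule; keep the default-deny rule last, since global policies are evaluated in order and the first match wins.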