04-27-2012 06:50 AM
There are seemingly two ways to do “global policy” on SRX.
- One method comes from what NSM pushes out when you create a Global Policy from the policy tabs.
- The other method comes from a Juniper PDF and also in the docs in juniper.net/techpubs (link to PDF).
I’d be tempted to go with the version specified in the PDF as I trust it more than NSM, but when you use it in the JUNOS CLI it doesn’t import into NSM on device import, so it is a bit useless!
Versions in question:
- JUNOS 11.4r2.14 on SRX1400
- NSM2010.3s4 on NSMXpress with DMI Schema 228
1) What NSM sets when you create and push a Global Policy to SRX...
set security zones security-zone global address-book address p1 192.168.1.13/32
set security zones security-zone global address-book address p2 192.168.1.14/32
set security zones security-zone global address-book address h1 192.168.1.11/32
set security zones security-zone global address-book address h2 192.168.1.12/32
set security zones security-zone global address-book address-set p-bgp-router address p1
set security zones security-zone global address-book address-set p-bgp-router address p2
set security zones security-zone global address-book address-set h-bgp-router address h1
set security zones security-zone global address-book address-set h-bgp-router address h2
set security policies from-zone global to-zone global policy 15 match source-address p-bgp-router
set security policies from-zone global to-zone global policy 15 match destination-address h-bgp-router
set security policies from-zone global to-zone global policy 15 match application junos-bgp
set security policies from-zone global to-zone global policy 15 then permit
2) What the PDF and docs tell you to do (NSM seems unaware of this method, as when you configure this in the JUNOS CLI and import to NSM, nothing is imported for policy) ...
set security address-book global address p1 192.168.1.13/32
set security address-book global address p2 192.168.1.14/32
set security address-book global address h1 192.168.1.11/32
set security address-book global address h2 192.168.1.12/32
set security address-book global address-set p-router address p1
set security address-book global address-set p-router address p2
set security address-book global address-set h-router address h1
set security address-book global address-set h-router address h2
set security policies global policy 14 match source-address p-router
set security policies global policy 14 match destination-address p-router
set security policies global policy 14 match application junos-bgp
set security policies global policy 14 then permit
So... Is one preferable to the other?
04-27-2012 05:07 PM - edited 04-27-2012 05:09 PM
Tested your CLIs (NSM) on my SRX210
1.) NSM seems to be right ...
you can test it....
do the following on the SRX1400
request system configuration rescue save
do a push with nsm...
if something goes wrong...., on the SRX1400....
set security zones security-zone xyz address-book address host-xyzs 126.96.36.199/32
set security policies from-zone xyz to-zone svm policy vzzz then permit
set security policies default-policy deny-all
Software version: 10.4R9.2
04-29-2012 09:17 PM
Global security policy was introduced in 11.4r1, and is certainly not "from-zone global to-zone global." The PDF is accurate, and neither NSM nor JWeb currently support a Global security policy. The global security policy is less specific than a contextual policy (from-zone to-zone), and is thus evaluated after any other contextual policy that may be more specific. A global policy, once evaluated, is irrespective of the source or destination zone, and relies upon the global address-book for its address-book/set entries, rather than a separate address-book per zone.
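Added example, not code from the thread or from Juniper: a small Python model that parses both configuration styles from the original post (trimmed) and replays flows through them in the evaluation order described in this reply, zone-pair policies first, then global policies, then default-policy. The zone names trust/untrust/dmz, the block-bgp deny policy and the sample flows are constructed for the illustration; the address-book and policy lines are the ones quoted above.

```python
"""Added example: parse the two 'global policy' styles from the thread and replay
flows in SRX evaluation order (zone-pair policies, then global, then default)."""
import ipaddress
from collections import defaultdict

# Constructed sample: method 1 (a zone literally named "global"), method 2 (the 11.4
# global address-book/policy), plus a hypothetical contextual deny and default-policy.
SAMPLE_CONFIG = """
set security zones security-zone global address-book address p1 192.168.1.13/32
set security zones security-zone global address-book address h1 192.168.1.11/32
set security zones security-zone global address-book address-set p-bgp-router address p1
set security zones security-zone global address-book address-set h-bgp-router address h1
set security policies from-zone global to-zone global policy 15 match source-address p-bgp-router
set security policies from-zone global to-zone global policy 15 match destination-address h-bgp-router
set security policies from-zone global to-zone global policy 15 match application junos-bgp
set security policies from-zone global to-zone global policy 15 then permit
set security address-book global address p1 192.168.1.13/32
set security address-book global address p2 192.168.1.14/32
set security address-book global address h1 192.168.1.11/32
set security address-book global address-set p-router address p1
set security address-book global address-set p-router address p2
set security address-book global address-set h-router address h1
set security policies global policy 14 match source-address p-router
set security policies global policy 14 match destination-address p-router
set security policies global policy 14 match application junos-bgp
set security policies global policy 14 then permit
set security policies from-zone trust to-zone untrust policy block-bgp match source-address any
set security policies from-zone trust to-zone untrust policy block-bgp match destination-address any
set security policies from-zone trust to-zone untrust policy block-bgp match application junos-bgp
set security policies from-zone trust to-zone untrust policy block-bgp then deny
set security policies default-policy deny-all
"""

FIELDS = {"source-address": "src", "destination-address": "dst", "application": "app"}

def _book_add(book, w):
    """Record an address (name -> network) or an address-set member (name -> member list)."""
    if w[0] == "address":
        book[w[1]] = ("addr", ipaddress.ip_network(w[2]))
    elif w[0] == "address-set" and w[2] == "address":
        book.setdefault(w[1], ("set", []))[1].append(w[3])

def _policy_add(store, key, w):
    """Accumulate match terms and the action for one policy, keeping configured order."""
    pol = store.setdefault(key, {"src": [], "dst": [], "app": [], "action": None})
    if w[0] == "match":
        pol[FIELDS[w[1]]].append(w[2])
    elif w[0] == "then":
        pol["action"] = w[1]

def parse_config(text):
    """Build the address books and ordered policy tables from 'set security ...' lines."""
    m = {"zone_books": defaultdict(dict), "global_book": {}, "policies": {},
         "global_policies": {}, "default": "deny-all"}
    for line in text.strip().splitlines():
        w = line.split()
        if w[:2] != ["set", "security"]:
            continue
        w = w[2:]
        if w[:2] == ["zones", "security-zone"] and w[3] == "address-book":
            _book_add(m["zone_books"][w[2]], w[4:])          # per-zone address book
        elif w[:2] == ["address-book", "global"]:
            _book_add(m["global_book"], w[2:])               # 11.4 global address book
        elif w[:2] == ["policies", "from-zone"]:              # from-zone A to-zone B policy N ...
            _policy_add(m["policies"], (w[2], w[4], w[6]), w[7:])
        elif w[:3] == ["policies", "global", "policy"]:
            _policy_add(m["global_policies"], w[3], w[4:])
        elif w[:2] == ["policies", "default-policy"]:
            m["default"] = w[2]
    return m

def resolve(books, name):
    """Expand an address or address-set name into networks; 'any' matches everything."""
    if name == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    for book in books:
        if name in book:
            kind, val = book[name]
            if kind == "addr":
                return [val]
            return [n for member in val for n in resolve(books, member)]
    return []  # an undefined name never matches

def _matches(pol, src_books, dst_books, src, dst, app):
    return (any(src in n for name in pol["src"] for n in resolve(src_books, name))
            and any(dst in n for name in pol["dst"] for n in resolve(dst_books, name))
            and ("any" in pol["app"] or app in pol["app"]))

def lookup(m, from_zone, to_zone, src_ip, dst_ip, app):
    """Return (policy, action, scope): zone-pair first, then global, then default-policy."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for (fz, tz, name), pol in m["policies"].items():   # 1. contextual, first match wins
        if (fz, tz) == (from_zone, to_zone) and _matches(
                pol, [m["zone_books"][fz], m["global_book"]],
                [m["zone_books"][tz], m["global_book"]], src, dst, app):
            return name, pol["action"], "zone-pair"
    for name, pol in m["global_policies"].items():      # 2. global, zones are ignored
        if _matches(pol, [m["global_book"]], [m["global_book"]], src, dst, app):
            return name, pol["action"], "global"
    return "default-policy", m["default"].split("-")[0], "default"  # 3. default-policy

if __name__ == "__main__":
    model = parse_config(SAMPLE_CONFIG)
    for flow in [("trust", "untrust", "192.168.1.13", "192.168.1.14", "junos-bgp"),
                 ("trust", "dmz", "192.168.1.13", "192.168.1.14", "junos-bgp"),
                 ("trust", "dmz", "192.168.1.13", "192.168.1.11", "junos-bgp"),
                 ("global", "global", "192.168.1.13", "192.168.1.11", "junos-bgp")]:
        print(flow, "->", lookup(model, *flow))
```

The first flow shows a zone-pair deny winning over a global permit, the second shows global policy 14 applying where no zone-pair policy exists, the third falls through to default-policy because policy 14 as quoted only matches destinations in p-router, and the fourth shows that method 1 is only ever consulted for traffic between zones actually named "global". On the device, `show security policies` lists the zone-pair policies and the global policies separately, which is a quick way to confirm which of the two forms a box is really running.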
05-08-2012 07:00 PM
It's weird if it's not supported on JWeb while the documentation states:
NOTE: We recommend using global policies whenever possible. Global policies provide you with the flexibility to perform actions on traffic without the restrictions of zone specifications.
Do you guys know what the preferred policy option is for the upcoming JunOS Space 12.1 Security Design tool?
Have you also tried Global Policy feature with Tufin SecureTrack?
05-08-2012 11:03 PM
Global policy, in addition to contextual policies, will be available in 12.1 Junos Space + Security Design. At least that's what I've been told...
I have been told the same!
07-05-2012 06:02 PM - edited 07-05-2012 06:34 PM
And it looks to me like when you import a device config in Space it doesn't grab the global objects on the box like it does the zones; you have to create all objects for policy by hand on the appliance? You can't import? :-/
Actually... It does both, if used in policy...
07-12-2013 10:58 AM
So are global policies not going to be offered on the NSM platform, period? Just so you all know, I built out the global policies via NSM and they no workie. NSM pretty much pushes the From-zone To-zone policies and they are usually. But they look good from the NSM GUI.
So I'm going to test adding the globals via CLI and see if NSM sees them as deltas.