SRX Services Gateway
Contributor
jamoi
Posts: 25
Registered: 01-15-2008

SRX Global Policy

There seem to be two ways to do “global policy” on SRX.

- One method comes from what NSM pushes out when you create a Global Policy from the policy tabs.

- The other method comes from a Juniper PDF and also in the docs in juniper.net/techpubs (link to PDF).

 

I’d be tempted to go with the version specified in the PDF as I trust it more than NSM, but when you use it in the JUNOS CLI it doesn’t import into NSM on device import, so it is a bit useless!


Versions in question:

- JUNOS 11.4r2.14 on SRX1400
- NSM2010.3s4 on NSMXpress with DMI Schema 228

 

1) What NSM sets when you create and push a Global Policy to SRX...


set security zones security-zone global address-book address p1 192.168.1.13/32
set security zones security-zone global address-book address p2 192.168.1.14/32
set security zones security-zone global address-book address h1 192.168.1.11/32
set security zones security-zone global address-book address h2 192.168.1.12/32
set security zones security-zone global address-book address-set p-bgp-router address p1
set security zones security-zone global address-book address-set p-bgp-router address p2
set security zones security-zone global address-book address-set h-bgp-router address h1
set security zones security-zone global address-book address-set h-bgp-router address h2
set security policies from-zone global to-zone global policy 15 match source-address p-bgp-router
set security policies from-zone global to-zone global policy 15 match destination-address h-bgp-router
set security policies from-zone global to-zone global policy 15 match application junos-bgp
set security policies from-zone global to-zone global policy 15 then permit


2) What the PDF and docs tell you to do (NSM seems unaware of this method, as when you configure this in the JUNOS CLI and import to NSM, nothing is imported for policy) ...


set security address-book global address p1 192.168.1.13/32
set security address-book global address p2 192.168.1.14/32
set security address-book global address h1 192.168.1.11/32
set security address-book global address h2 192.168.1.12/32
set security address-book global address-set p-router address p1
set security address-book global address-set p-router address p2
set security address-book global address-set h-router address h1
set security address-book global address-set h-router address h2
set security policies global policy 14 match source-address p-router
set security policies global policy 14 match destination-address p-router
set security policies global policy 14 match application junos-bgp
set security policies global policy 14 then permit

 

 

So... Is one preferable to the other?

Trusted Contributor
piccolo78
Posts: 108
Registered: 09-13-2009

Re: SRX Global Policy


Hi,

Tested your CLIs (NSM) on my SRX210.

1.) NSM seems to be right ...

you can test it....

do the following on the SRX1400

request system configuration rescue save

do a push with nsm...

if something goes wrong...., on the SRX1400....

configure
rollback rescue
commit

IMHO:
CLI

set security zones security-zone xyz address-book address host-xyzs 111.111.111.111/32
set security policies from-zone xyz to-zone svm policy vzzz then permit
set security policies default-policy deny-all

 

Software version:       10.4R9.2

-PIccolo
Contributor
ecables
Posts: 39
Registered: 07-25-2011

Re: SRX Global Policy

Global security policy was introduced in 11.4r1, and is certainly not "from-zone global to-zone global."  The PDF is accurate, and neither NSM nor JWeb currently support a Global security policy.  The global security policy is less specific than a contextual policy (from-zone to-zone), and is thus evaluated after any other contextual policy that may be more specific.  A global policy, once evaluated, is irrespective of the source or destination zone, and relies upon the global address-book for its address-book/set entries, rather than a separate address-book per zone.

 

HTH
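To make the lookup order ecables describes concrete (zone-contextual policies first, then global policies, then the default-policy, with global policies resolving names from the global address-book), here is a small simulator. It is an added example, not code from the thread or from Juniper: it parses a constructed set of `set security ...` lines in the same two forms shown above and answers "which policy would this flow hit?". The zone names, the `web`/`no-bgp`/`bgp` policy names and the `lan` address are assumptions made for the illustration; the real SRX also evaluates applications by protocol and port rather than by name, which is simplified here.

```python
"""Added example (not from the thread): simulate SRX policy lookup order.
Zone-contextual (from-zone/to-zone) policies are checked first, then global
policies, then the default-policy. Address names resolve through the global
address-book and its (possibly nested) address-sets.
The configuration text is constructed for illustration."""
import ipaddress
from collections import OrderedDict

SAMPLE_CONFIG = """
set security address-book global address p1 192.168.1.13/32
set security address-book global address h1 192.168.1.11/32
set security address-book global address lan 10.0.0.0/24
set security address-book global address-set p-router address p1
set security address-book global address-set h-router address h1
set security policies from-zone trust to-zone untrust policy web match source-address lan
set security policies from-zone trust to-zone untrust policy web match destination-address any
set security policies from-zone trust to-zone untrust policy web match application junos-http
set security policies from-zone trust to-zone untrust policy web then permit
set security policies from-zone trust to-zone untrust policy no-bgp match source-address any
set security policies from-zone trust to-zone untrust policy no-bgp match destination-address any
set security policies from-zone trust to-zone untrust policy no-bgp match application junos-bgp
set security policies from-zone trust to-zone untrust policy no-bgp then deny
set security policies global policy bgp match source-address p-router
set security policies global policy bgp match destination-address h-router
set security policies global policy bgp match application junos-bgp
set security policies global policy bgp then permit
set security policies default-policy deny-all
"""


def parse_config(text):
    """Parse 'set security ...' lines into address objects, sets and ordered policies."""
    addresses, address_sets = {}, {}
    policies = OrderedDict()      # (context, name) -> policy; insertion order = lookup order
    default_action = "deny-all"   # what the SRX applies when no default-policy is configured
    for line in text.strip().splitlines():
        t = line.split()
        if t[:2] != ["set", "security"] or t[2] not in ("address-book", "policies"):
            continue
        if t[2] == "address-book":
            # set security address-book global address NAME PREFIX
            # set security address-book global address-set SET address NAME
            if t[4] == "address":
                addresses[t[5]] = ipaddress.ip_network(t[6])
            elif t[4] == "address-set":
                address_sets.setdefault(t[5], []).append(t[7])
            continue
        if t[3] == "default-policy":
            default_action = t[4]
            continue
        if t[3] == "global":                      # set security policies global policy NAME ...
            context, rest = "global", t[5:]
        else:                                     # ... from-zone A to-zone B policy NAME ...
            context, rest = (t[4], t[6]), t[8:]
        name, body = rest[0], rest[1:]
        pol = policies.setdefault((context, name), {"source": [], "destination": [],
                                                    "application": [], "action": None})
        if body[0] == "match":
            key = {"source-address": "source", "destination-address": "destination",
                   "application": "application"}[body[1]]
            pol[key].append(body[2])
        elif body[0] == "then":
            pol["action"] = body[1]
    return {"addresses": addresses, "sets": address_sets,
            "policies": policies, "default": default_action}


def address_matches(cfg, name, ip):
    """True if ip is covered by the named address object or (nested) address-set."""
    if name == "any":
        return True
    if name in cfg["addresses"]:
        return ip in cfg["addresses"][name]
    return any(address_matches(cfg, m, ip) for m in cfg["sets"].get(name, []))


def lookup(cfg, from_zone, to_zone, src, dst, app):
    """Return (policy name, action, stage) for a flow: zone policies, then global, then default."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)

    def matches(pol):
        return (any(address_matches(cfg, n, src) for n in pol["source"])
                and any(address_matches(cfg, n, dst) for n in pol["destination"])
                and ("any" in pol["application"] or app in pol["application"]))

    for stage in ((from_zone, to_zone), "global"):
        for (context, name), pol in cfg["policies"].items():
            if context == stage and matches(pol):
                return name, pol["action"], "global" if stage == "global" else "zone"
    return "default-policy", cfg["default"], "default"


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    # Same BGP peers: the trust->untrust deny shadows the global permit,
    # while between zones with no contextual policy the global policy applies.
    print(lookup(cfg, "trust", "untrust", "192.168.1.13", "192.168.1.11", "junos-bgp"))
    print(lookup(cfg, "dmz", "core", "192.168.1.13", "192.168.1.11", "junos-bgp"))
    print(lookup(cfg, "dmz", "core", "192.168.1.14", "192.168.1.11", "junos-bgp"))
```

Running it shows the point of the thread: the same peer pair is denied by the more specific `no-bgp` policy on trust→untrust, permitted by the global `bgp` policy between zones that have no contextual policy, and dropped by `default-policy deny-all` when the source is not in `p-router`. The global policy only ever sees traffic that no contextual policy claimed.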

Visitor
New User
Posts: 3
Registered: 04-20-2012

Re: SRX Global Policy

It's weird if it's not supported on JWeb while the documentation states:

 

NOTE: We recommend using global policies whenever possible. Global policies provide you with the flexibility to perform actions on traffic without the restrictions of zone specifications.

 

Do you guys know what the preferred policy option is for the upcoming JunOS Space 12.1 Security Design tool?

Have you also tried Global Policy feature with Tufin SecureTrack?

 

Best Regards

 

Contributor
ecables
Posts: 39
Registered: 07-25-2011

Re: SRX Global Policy

Global policy, in addition to contextual policies, will be available in 12.1 Junos Space + Security Design.  At least that's what I've been told...

Contributor
MarcTB
Posts: 59
Registered: 10-18-2009

Re: SRX Global Policy

 


ecables wrote:

Global policy, in addition to contextual policies, will be available in 12.1 Junos Space + Security Design.  At least that's what I've been told...



I have been told the same!

Marc

Technical Consultant
Telindus-ISIT B.V.

Super Contributor
colemtb
Posts: 313
Registered: 09-30-2009

Re: SRX Global Policy

Anymore information on this?

 

I have to do global objects to support space SD right?  12.1 I don't think supports network objects on a zone level, or so I've been told, anyone know?

 

Super Contributor
colemtb
Posts: 313
Registered: 09-30-2009

Re: SRX Global Policy


And it looks like to me when you import a device config in Space it doesn't grab the global objects on the box like it does the zones, you have to create all objects for policy by hand on the appliance?  You can't import?  :-/

 

Applications too?

 

Actually... It does both, if used in policy...

 

 

Contributor
cpezie
Posts: 16
Registered: 12-28-2009

Re: SRX Global Policy

So are global policies not going to be offered on the NSM platform, period?  Just so you all know, I built out the global policies via NSM and they no workie.  NSM pretty much pushes the From-zone To-zone policies and they are usually.  But they look good from the NSM GUI.

 

So I'm going to test adding the globals via CLI and see if NSM sees them as deltas.

 

nsm2010.3s4

srx3600 11.4r7.5

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.