SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX policy ordering with multiple zones

    Posted 01-20-2012 14:33

    First::: Nothing is broken

    On an SRX240H, I have 6 security zones with rules from zone to zone, and as such we number/name security policies based upon DESTINATION zone.  This seemed to work great until recently, when we added a few new rules and the ordering of those rules no longer seemed to follow suit.

    Here's a snippet of my policies with zone names sanitized & source/dest/app removed:::

    set security policies from-zone ddd to-zone aaa policy 100
    set security policies from-zone ccc to-zone aaa policy 101
    set security policies from-zone bbb to-zone aaa policy 102
    set security policies from-zone ddd to-zone bbb policy 200
    set security policies from-zone ccc to-zone bbb policy 201
    set security policies from-zone aaa to-zone bbb policy 202
    set security policies from-zone ddd to-zone ccc policy 300
    set security policies from-zone bbb to-zone ccc policy 301
    set security policies from-zone aaa to-zone ccc policy 302
    set security policies from-zone ccc to-zone ddd policy 400
    set security policies from-zone bbb to-zone ddd policy 401
    set security policies from-zone aaa to-zone ddd policy 402
    set security policies from-zone ddd to-zone eee policy 500
    set security policies from-zone fff to-zone eee policy 501
    set security policies from-zone eee to-zone fff policy 600
    set security policies from-zone eee to-zone ddd policy 403
    set security policies from-zone ddd to-zone fff policy 601
    set security policies from-zone fff to-zone ddd policy 404

    So suddenly, policy 403 is listed below 600; trying an INSERT doesn't work {INSERT after 402} as it's not the same source-zone/dest-zone combo.

    Again, the traffic is properly allowed/denied; it's simply a visual thing... but with 40 or 50 rules per src-zone/dst-zone combo it'd be nice to re-arrange the policies so that all DST-ZONE rules are together.

    Thoughts?

    Does anyone know the logic used for ordering src-zone/dst-zone?

    Thanks,

    TroyC




  • 2.  RE: SRX policy ordering with multiple zones
    Best Answer

    Posted 01-20-2012 16:55

    Hi TroyC,

    Policy ordering in the config is going to be top down (the order created), within each context.  A context is the combination of 'from-zone aaaa to-zone bbbb'.  I don't see the term used much in the documentation other than the product sheet, where it lists the number of 'contexts' supported per platform.

    Context order within the configuration is going to be the order in which it was created as well.  They can also be re-ordered with insert.  Using an example similar to yours:

    [Ignore the 'groups' part. I just used the group as an example to keep this example configuration separate from the rest of my config]


    [edit groups forum]
    joel@chilis220# show | display set
    set groups forum security policies from-zone aaa to-zone bbb policy 100 match source-address any
    set groups forum security policies from-zone aaa to-zone bbb policy 100 match destination-address any
    set groups forum security policies from-zone aaa to-zone bbb policy 100 match application any
    set groups forum security policies from-zone aaa to-zone bbb policy 100 then permit
    set groups forum security policies from-zone aaa to-zone ccc policy 101 match source-address any
    set groups forum security policies from-zone aaa to-zone ccc policy 101 match destination-address any
    set groups forum security policies from-zone aaa to-zone ccc policy 101 match application any
    set groups forum security policies from-zone aaa to-zone ccc policy 101 then permit
    set groups forum security policies from-zone aaa to-zone ddd policy 102 match source-address any
    set groups forum security policies from-zone aaa to-zone ddd policy 102 match destination-address any
    set groups forum security policies from-zone aaa to-zone ddd policy 102 match application any
    set groups forum security policies from-zone aaa to-zone ddd policy 102 then permit
    set groups forum security policies from-zone bbb to-zone ddd policy 103 match source-address any
    set groups forum security policies from-zone bbb to-zone ddd policy 103 match destination-address any
    set groups forum security policies from-zone bbb to-zone ddd policy 103 match application any
    set groups forum security policies from-zone bbb to-zone ddd policy 103 then permit

    I then create another policy in a new context (from-zone bbb to-zone ccc):

    joel@chilis220# set groups forum security policies from-zone bbb to-zone ccc policy 104 match source-address any

    [edit]
    joel@chilis220# set groups forum security policies from-zone bbb to-zone ccc policy 104 match destination-address any

    [edit]
    joel@chilis220# set groups forum security policies from-zone bbb to-zone ccc policy 104 match application any

    [edit]
    joel@chilis220# set groups forum security policies from-zone bbb to-zone ccc policy 104 then permit

    Which results in the following config:

    joel@chilis220# show | display set
    set groups forum security policies from-zone aaa to-zone bbb policy 100 match source-address any
    set groups forum security policies from-zone aaa to-zone bbb policy 100 match destination-address any
    set groups forum security policies from-zone aaa to-zone bbb policy 100 match application any
    set groups forum security policies from-zone aaa to-zone bbb policy 100 then permit
    set groups forum security policies from-zone aaa to-zone ccc policy 101 match source-address any
    set groups forum security policies from-zone aaa to-zone ccc policy 101 match destination-address any
    set groups forum security policies from-zone aaa to-zone ccc policy 101 match application any
    set groups forum security policies from-zone aaa to-zone ccc policy 101 then permit
    set groups forum security policies from-zone aaa to-zone ddd policy 102 match source-address any
    set groups forum security policies from-zone aaa to-zone ddd policy 102 match destination-address any
    set groups forum security policies from-zone aaa to-zone ddd policy 102 match application any
    set groups forum security policies from-zone aaa to-zone ddd policy 102 then permit
    set groups forum security policies from-zone bbb to-zone ddd policy 103 match source-address any
    set groups forum security policies from-zone bbb to-zone ddd policy 103 match destination-address any
    set groups forum security policies from-zone bbb to-zone ddd policy 103 match application any
    set groups forum security policies from-zone bbb to-zone ddd policy 103 then permit
    set groups forum security policies from-zone bbb to-zone ccc policy 104 match source-address any
    set groups forum security policies from-zone bbb to-zone ccc policy 104 match destination-address any
    set groups forum security policies from-zone bbb to-zone ccc policy 104 match application any
    set groups forum security policies from-zone bbb to-zone ccc policy 104 then permit

    If I want to move this new context (bbb to ccc) to be with the other (to ccc) contexts, I can do this with:

    joel@chilis220# insert security policies from-zone bbb to-zone ccc after from-zone aaa to-zone ccc

    Which gives me the following config:

    [edit groups forum]
    joel@chilis220# show | display set
    set groups forum security policies from-zone aaa to-zone bbb policy 100 match source-address any
    set groups forum security policies from-zone aaa to-zone bbb policy 100 match destination-address any
    set groups forum security policies from-zone aaa to-zone bbb policy 100 match application any
    set groups forum security policies from-zone aaa to-zone bbb policy 100 then permit
    set groups forum security policies from-zone aaa to-zone ccc policy 101 match source-address any
    set groups forum security policies from-zone aaa to-zone ccc policy 101 match destination-address any
    set groups forum security policies from-zone aaa to-zone ccc policy 101 match application any
    set groups forum security policies from-zone aaa to-zone ccc policy 101 then permit
    set groups forum security policies from-zone bbb to-zone ccc policy 104 match source-address any
    set groups forum security policies from-zone bbb to-zone ccc policy 104 match destination-address any
    set groups forum security policies from-zone bbb to-zone ccc policy 104 match application any
    set groups forum security policies from-zone bbb to-zone ccc policy 104 then permit
    set groups forum security policies from-zone aaa to-zone ddd policy 102 match source-address any
    set groups forum security policies from-zone aaa to-zone ddd policy 102 match destination-address any
    set groups forum security policies from-zone aaa to-zone ddd policy 102 match application any
    set groups forum security policies from-zone aaa to-zone ddd policy 102 then permit
    set groups forum security policies from-zone bbb to-zone ddd policy 103 match source-address any
    set groups forum security policies from-zone bbb to-zone ddd policy 103 match destination-address any
    set groups forum security policies from-zone bbb to-zone ddd policy 103 match application any
    set groups forum security policies from-zone bbb to-zone ddd policy 103 then permit

    Voila!  The policies from 'bbb' to 'ccc' now appear in the config where we want.

    As you already know, this has nothing to do with performance / policy processing / etc.  This is just how they show up in the configuration if you look at it in its entirety.

    A related command to 'contexts' is 'show security policies zone-context', which lists the number of policies in every context.  Now you can rest assured I did not invent the term 'context' 🙂

    Hope this helps,

    Joel


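As an added example (not from the thread and not Juniper's own tooling), the script below applies Joel's context-ordering logic to TroyC's problem: it parses `set security policies` lines, groups the from-zone/to-zone contexts by destination zone while keeping their existing relative order, and emits the `insert ... after ...` commands needed to get there, simulating each move one context at a time the way the CLI applies it. The sample config is a constructed subset of TroyC's sanitized list (same zone names); `parse_contexts`, `desired_order` and `insert_commands` are names chosen here.

```python
import re

# Constructed sample: the tail of the poster's sanitized list (same zone names as in the thread).
SAMPLE_CONFIG = """\
set security policies from-zone ccc to-zone ddd policy 400
set security policies from-zone bbb to-zone ddd policy 401
set security policies from-zone aaa to-zone ddd policy 402
set security policies from-zone ddd to-zone eee policy 500
set security policies from-zone fff to-zone eee policy 501
set security policies from-zone eee to-zone fff policy 600
set security policies from-zone eee to-zone ddd policy 403
set security policies from-zone ddd to-zone fff policy 601
set security policies from-zone fff to-zone ddd policy 404
"""

POLICY_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy ")

def parse_contexts(config_text):
    """Contexts (from-zone, to-zone) in the order Junos shows them: order of creation."""
    contexts = []
    for line in config_text.splitlines():
        m = POLICY_RE.match(line.strip())
        if m and (m.group(1), m.group(2)) not in contexts:
            contexts.append((m.group(1), m.group(2)))
    return contexts

def desired_order(contexts):
    """Group contexts by to-zone (zones in order of first appearance); the stable sort
    keeps the existing relative order inside each group."""
    first_seen = {}
    for _, to_zone in contexts:
        first_seen.setdefault(to_zone, len(first_seen))
    return sorted(contexts, key=lambda ctx: first_seen[ctx[1]])

def insert_commands(contexts):
    """Emit one 'insert ... after ...' per context that is not already right behind its
    intended predecessor, simulating each move the way Junos applies it."""
    current = list(contexts)
    target = desired_order(contexts)
    cmds = []
    # target[0] is always current[0] (its to-zone is the first seen), so every later context has a predecessor.
    for i in range(1, len(target)):
        ctx, prev = target[i], target[i - 1]
        if current.index(ctx) == i:
            continue
        current.remove(ctx)
        current.insert(i, ctx)
        cmds.append("insert security policies from-zone %s to-zone %s "
                    "after from-zone %s to-zone %s" % (ctx + prev))
    return cmds
```

For the sample this yields two commands (move eee-to-ddd after aaa-to-ddd, then fff-to-ddd after eee-to-ddd); per Joel's later reply, type the to-zone out in full when pasting them, then confirm with `show | display set`.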


  • 3.  RE: SRX policy ordering with multiple zones

    Posted 01-23-2012 13:59

    Joel,

    I swear I tried that & it didn't take... but sure enough re-ordering the zone to zone did/does work [just like re-ordering policies].

    Many thanks!

    TroyC



  • 4.  RE: SRX policy ordering with multiple zones

    Posted 01-25-2012 11:53

    Hi TroyC,

    You're quite welcome; glad I could help 🙂

    When you tried it before, you might have not spelled out the to-zone completely.  For reasons unknown to me, you can tab-complete the from-zone but not the to-zone.

    Joel




  • 5.  RE: SRX policy ordering with multiple zones

    Posted 01-26-2012 08:16

    That lack of tab completion of the to-zone is something I would very much like to understand/see fixed.

    Richard



  • 6.  RE: SRX policy ordering with multiple zones

    Posted 01-26-2012 07:33

    Awesome explanation - I teach security classes and will be stealing your example.